Overwatch starts with anonymous SMB access to a software share that hosts a custom .NET monitoring binary. I’ll reverse engineer it to recover SQL Server credentials and identify a WCF service with a PowerShell command injection sink. With the SQL creds, I’ll find a linked server pointing to a non-resolving host and abuse CREATE_CHILD on the AD-integrated DNS zone to add a record pointing the hostname at my host, capturing cleartext SQL authentication with Responder when the linked server connects out. Those credentials provide WinRM as a user in Remote Management Users. From there, I’ll exploit the WCF KillProcess command injection on a localhost SOAP endpoint to get code execution as SYSTEM, demonstrating four different ways to interact with the WCF service. In Beyond Root, I’ll look at a log that captured the Windows Administrator password from an HTB pre-release cleanup script.

0xdf hacks stuff

A detailed walkthrough of the HackTheBox 'Overwatch' machine. The attack chain starts with anonymous SMB access to a software share containing a .NET monitoring binary. Reverse engineering the binary reveals hardcoded SQL Server credentials and a WCF service with a PowerShell command injection vulnerability in the KillProcess method. Using the SQL credentials, a linked server pointing to an unresolvable host is discovered. By abusing CREATE_CHILD permissions on the AD-integrated DNS zone, a DNS record is added pointing SQL07 to the attacker's machine, capturing cleartext SQL authentication via Responder. These credentials grant WinRM access. Finally, the WCF KillProcess command injection on a localhost SOAP endpoint is exploited to achieve SYSTEM-level code execution, demonstrated through four different methods: raw SOAP, WebServiceProxy, WCF inline client, and a compiled WCF binary client.

HTB: Overwatch