IppSec delivers a masterclass in systematic exploitation, turning a complex WCF vulnerability into a clear, logical progression from discovery to domain admin. His methodical approach to .NET decompilation remains the gold standard for anyone serious about mastering Windows-based penetration testing.
HackTheBox - Overwatch
What's going on, YouTube? This is IppSec, and today we'll be doing Overwatch from Hack The Box, which is a pretty fun box that showcases the Windows Communication Foundation. But before we get into that, we find an open file share that has a .NET executable and config. Looking at the config leaks a Microsoft SQL password, and the executable lets us know the application has an endpoint configured in WCF and is vulnerable to command injection. The Microsoft SQL service is on a non-default port. But once we find that, we can log in and discover there's a dead linked server set up. We can hijack the DNS name and get another credential by using the linked server, and that lets us onto the box through WinRM, which we can use to hit the Windows Communication Foundation endpoint on port 8000 and perform the command injection to get root on the box. So with all that being said, let's just jump in. As always, we're going to start off with an nmap. So -sC for default scripts, -sV to enumerate versions, -vv for double verbose. This gives us things like the TTL. -oA to output all formats in the nmap directory and call it Overwatch, and then the IP address of 10.129.34.101.
This can take some time to run, so I've already run it. Looking at the results, we have just 12 ports open. The first one is DNS on port 53, and the banner tells us it's Simple DNS Plus, which is the default for Windows Active Directory. Scrolling down, the next thing is Kerberos. And then, of course, we do have Windows Active Directory here.
I'm going to go ahead and copy this domain name. So, I'm going to copy this.
We'll add it into a hosts file. So sudo vi /etc/hosts, then 10.129.34.101, and put this host name in, or domain name I should say. Looking at things we have RPC, NetBIOS, LDAP, SMB, Windows RPC.
Here's LDAP. Then we have RDP. So this is interesting. The target name is Overwatch. The computer name looks like it's S20041.
So, let's just go ahead and add this into our file.
I always like putting the fully qualified domain name first. So, we can do this. And then at the end, we'll just put that. There we go. And I think that's it for the host names.
Looking at this, I'm also looking to make sure of the TTL. If I saw this was a TTL of 126, I would think, oh, this is a domain controller. It's got Hyper-V installed and then is directing it to a client VM or something like that, right? We could also potentially compare the product version with something else in nmap, but we don't really see anything too interesting here. Looking at anything else, we don't have anything. So, all we have right now is it's a domain controller with RDP open. I didn't see any web services or things like that to attack. So, I'm just going to start with NXC. So, we'll do smb overwatch.htb and we'll see what this says. It is Windows 2022.
We have null authentication set to true.
So, I'm just going to give it a blank username and password. And then that's going to let us log in as guest. We can't really do that much. Maybe we can like list the users. We can see this.
And nope, we can maybe look at shares. So I'm going to do --shares.
And there we go. We have a list of shares. There is a software share that is set to read. So I'm going to run the spider plus module. So we do -M spider_plus. And this is just going to get us a list of all the files on the share.
So let's see. We can cat this. Let's just do cat | jq.
And let's see. We have the software share. And then we have some files. So there's a monitoring directory and it looks like we just have probably a .NET file. I'm just thinking because of all these DLLs it's loading. And then we have an .exe here with a config. So let's go ahead and download this. We could download with NetExec or Impacket or things like that. But whenever I have the chance to do something with a native tool like smbclient, not to be confused with smbclient.py which is in Impacket,
I always choose the native client, and the whole logic behind that is, number one, I think the tools sysadmins use are more stable. I also just like using these tools because there are fewer signatures set. Right, when you use Impacket, if you're doing Kerberos it has some specific things in the ticket that it puts in, so you can identify Impacket usage. You can identify smbclient usage, but since admins also use it, there's less chance of it flagging or anything like that. Right? I think I'd need to do .htb there. There we go. And we'll just hit enter. And you may want to do -U and put the user as administrator or something like that. Well, you couldn't do that, because if we change it to administrator... hold on. We can show this real quick. Let's do NetExec.
So, if I do IppSec here as my username, we don't need spider_plus. Oh well, that's fine. We see, let's just do this because it'd be easier to see with less text on the screen. We authenticated, right? If we do a user that exists like administrator and a blank password, it's going to fail, right? So, you have to make sure when you do this guest authentication, you're specifying a random user. So login. Let's do dir. Let's go into monitoring.
And then I'm only going to bother downloading the overwatch.exe and the config.
And I guess I'll get the PDB.
The reason why I'm not bothering to get all those other DLLs is because those are just standard Windows things. So there's no need to go and look in these unless I actually want to run this tool myself, right? We have these that look like standard Windows. So now we have Overwatch.exe.config. I'm going to cat the config. So we can do cat Overwatch.exe.config.
And let's see, this is reading to me like the Entity Framework configuration. This may be Windows Communication Foundation. The big giveaway is using contract IMonitoringService. The contract verbiage is very common in Windows Communication Foundation, WCF, right? So if I Google WCF, I'm just going to add Windows to it. You could read about it.
It's easiest in my mind to think of it just as an RPC service, that's remote procedure call, but it's not exactly that. I just say it's easy to think of it like that because when you do the code, you create these functions and then you register the function with the Windows Communication Foundation. And what that enables you to do is call these things remotely without having to worry about authentication, web servers, things like that. It's just using native Windows functionality to essentially handle all that. Right? So that'll be talked about more later in this video.
The key thing we have is a port 8000.
However, this wasn't exposed to us in nmap. Right? If I do nc -zv overwatch.htb 8000, we don't really get a connect. So something is listening probably on localhost 8000 or there's a firewall blocking us. Looking at other things, I don't really see anything else, right? I guess the key thing is this is basicHttpBinding. There is no authentication here. So if we can hit this monitor service, then we can easily just execute anything that's within this contract. And this is not SSL or anything like that. So I'm also thinking maybe there's a server-side request forgery or something like that that we could do to hit this service. But there is no web service for us to hit. So I'm going to do two things. I'm going to set some recon going in the background.
So, we'll do nmap -p- -oA nmap/overwatch-allports overwatch.htb.
So, we're going to start this nmap off because this could take a little while. And then while that goes, I'm going to decompile that Overwatch.exe because most likely, based upon all those DLLs and everything, it is going to be a .NET assembly. Now to do this on Linux, I like using ILSpy, and there used to be a tool by, I want to say, Avalonia that gave you a compiled version of this where you had the nice GUI on Linux.
They stopped updating it and say use the Visual Studio Code extension, but I'm not exactly sure how to get that running. I went in favor of ilspycmd with a dotnet tool install. If you Google install .NET and then the main OS, I'm using Parrot which is based on Debian, you'll get instructions from Microsoft: install the repository and then you can just do an apt update and then apt install the dotnet runtime, right? And then once you have that you'll have a dotnet binary on your computer, and I just did dotnet tool install with the global flag to install it for everyone, and then ran ilspycmd, and that installed this command. So I'll do ilspycmd. You can give it a .NET file and then it will just give you the source code to it. Right? I'm going to make a directory called source, and I always like decompiling into a directory because sometimes exes will go into multiple files. It can be hard to read just on the standard out. In this case we just have one file. So I can do a vim on this. And let's see, these are all the libraries. And the key thing I see is this ServiceModel, which is heavily used in WCF. There are other things that ServiceModel does provide, but when it's combined with Channels we know this is going to be the Windows Communication Foundation. So seeing ServiceModel.Channels is the dead giveaway there.
Let's see what else we have. So these are going to be the functions. So we can call StartMonitoring, StopMonitoring, and KillProcess.
And then we have a username and a password. So I'm going to... it doesn't look like it wants to copy that. Let's see real quick. Let's go in source, grep connection string. And this will also tell us where this is used. Looks like we connect there.
I'm just going to put this in a file.
And it looks like it's using semicolon for the delimiter. So that's not part of the password.
SQL SVC like that. There we go.
And let's see.
Going through StartProcess, LogEvent.
One thing that stands out is, if we can call KillProcess, we give it the process name. We have some PowerShell here and then we just inject processName right here. There's no sanitization at all.
I'm assuming down here somewhere it's going to run that command. So it looks like a relatively trivial command injection right here, just because KillProcess(string processName) and then stop process, right? And that KillProcess is part of the IMonitoringService. So, we can't hit port 8000, but as soon as we can, I think we can put together some type of exploit, right? So, let's see what else do we have. Well, we just got credentials. So, I'm going to do nxc smb. Actually, first let's cat creds.txt. nxc smb overwatch.htb -u SQL service -p and we'll specify this, and those creds do work. We could do --users and see a list of users on the box.
And we have SQL Service, SQL management there. A bunch of users. I'm seeing a lot of SQL stuff, but I don't know how to access it, right? Microsoft SQL is not listening on this box, at least according to nmap, right?
So, we can do, let's see, we could just try mssql, but we don't want --users there.
And nothing seems to work. It's just hanging right there. I'm going to run RustHound. So, we can do mkdir rusthound.
And then I probably should call it bh or something, but oh well. rusthound-ce, the domain overwatch.htb, username SQL service, password is that, and then that will start harvesting things. We could just grep -i sql.
Let's do cat * | jq | grep -i sql.
See what things we have. So we have a SQL 03.
I'm looking for maybe something that says how to access SQL here, right? And I don't really see anything. We could throw this into BloodHound and look at it graphically, but we do have nmap results. So, let's take all these open ports and start looking at them.
So, let's do a, let's go cat nmap/overwatch-allports.gnmap. I like doing the greppable format. So we can grep for 34.101 and then open.
And I'm just doing this line. We don't really have to, but I'm showing it because normally when you run this nmap all ports, you may have multiple IPs here. And all I want to do is extract these numbers, right? So I'm just going to do that first grep that gets me on the host I want. And then I'm going to do another grep. And we'll do -oP. And there's probably a better way to do this. Just off the top of my head, I like doing digit open. And what that's going to do is get me a list of everything that is open. So after that, we can do a sed, and I'm going to do that. I'm going to show it without -z real quick. We'll just say s and then we can take away the open and replace it with a comma. We have to kill that.
There we go. I want to put this all on one line, right? If I do \n here, it doesn't match. We could do \r, doesn't match. We could say newline. It matches, but still things are one per line. I'm going to do a \n.
And then I'm going to use -z. I forget what this flag stands for, but there we go. We have a list of all the ports nice on one line. So, what that enables us to do is a new nmap scan. So, we'll do sudo nmap -sC -sV -oA nmap/overwatch-scripts.
And then we'll say -p. Give it a list of all these ports. And then overwatch.htb.
So, this could take a little while to run, but all this is going to do is run a full version and script scan against all the ports that are open. If we just did a full -sC -sV on every single port, this would take ages. It would probably take like 30 minutes to run. But since we specified only the open ports, it won't take that long. So, I'm going to pause the video real quick and we'll come back once this nmap is done. Okay, nmap is done. It took 95 seconds, so around a minute and a half to complete. We can look at all the new information we have. So, we knew about DNS and all that type of stuff. Let's see. 3389. This all looks standard. We do have WinRM. We could have checked if we could access WinRM with the SQL Service user, but we do have a Microsoft SQL Server running on port 6520.
So I'm assuming SQL service can probably access Microsoft SQL. So let's do a cat on creds.
Uh did I put that in like the source directory? Move source creds. Yep. Let's move that here. We can cat it.
And then nxc mssql overwatch.htb.
I'm going to guess the thing is -p for specifying port 6520, user SQL service, password is whatever this is. So copy paste and it looks like it is still hanging.
Let's see. nxc mssql -h.
Let's search back for port. --port.
So if I do --port, I wonder if this has to be before the domain name. Nope, doesn't look like it.
So there we go. We do get access here.
We could do -h as well and then let's see, there are some scripts. Maybe it's -L to list modules. We can do -M mssql, let's see, maybe priv. I'm looking at it. Let's see, yeah, enumerate and exploit. Let's just try this. So it's going to not really give us anything at this point. Let's just try to run the Microsoft SQL client. So we can do mssqlclient.py, SQL service, -p, put in this password.
Let's see how does it want it. It probably wants this this at overwatch.htb HTTP.
Is that how it wants it? And we may have to specify -windows-auth or something.
Oh, we need definitely need the port.
So, let's do -p.
What was that port? 6520. Login failed. -windows-auth.
What is it? -windows-auth.
There we go. We get logged in. Awesome.
So, we can do help. We can try an xp_dirtree. So, let's do sudo responder -I tun0. This is almost always one of the first things I try.
Uh, so we can do our IP address, which is 101058.
And we see it's connecting back with a username that ends in a dollar. And whenever I see this, I generally don't even bother trying to crack it, because it's probably going to be either the Windows computer itself, in this case, this is the host name, or it's going to be a group managed service account or something like that. That is going to be a completely random password. So cracking is kind of a waste of time. So let's see what else do we have.
So we could do an enum_links.
Wait. enum_links. It did get us one. So, we have SQL07.
So, if I say, was it use_link? Is that the command? Then SQL07.
It's taking a while.
And I'm guessing it's not going to be able to use it. We could go into our, my RustHound is also in source. I'm really bad about placing directories.
We see cannot open a connection to the SQL server. So if I look in RustHound and let's just do a cat * and then grep -i SQL07, we don't have this host. There was a SQL host, but I want to say that was SQL04, right? cat * | jq | grep -i sql, SQL03. So, it looks like there is a dead link on this box that has pointed to SQL07, but it doesn't exist anymore. So, what I'm going to do now is we're going to run bloodyAD to see what we can do as the SQL Service user.
So, let's do a cat creds again. Get out of rusthound, creds.
And then I'm going to run bloodyAD --host overwatch.htb, username SQL service, -p copy this password, and then I want to say get writable. I'm assuming BloodHound may also show this, but I always like running get writable with bloodyAD because it does show some cool things. Right here we can see there is a DNS zone and we can create the child, so we can create DNS records. So I'm going to do an add. And I think at this point you could do -h to see what the options are. But I'm going to do dnsRecord.
And again you could do -h to see options and things like that. But I'm going to specify SQL07.
I'm going to point that to me. Right. So now when it tries to use_link SQL07 it's going to come to my box, and my box is going to run Responder, and normally when you do linked servers you can specify different credentials. So there is a chance that this is using a different credential to talk to SQL07, and it looks like it is. We have SQL management. So, let's go ahead and copy this.
And then I can do nxc smb overwatch.htb -u SQL management -p and we can put this password in.
See if that authenticates. It does. So, I'm going to exit this and we're going to try to authenticate with SQL management to see if this has anything else. So SQL MGMT, password of that. We are still guest, so it doesn't really buy us too much. We do enum_links, nothing really new to us. We could try other authentication methods. So we could try winrm and we see a Pwn3d! message. So SQL management has WinRM access. And again, if we did spend the five minutes to upload this RustHound, this would definitely tell us that this user can WinRM. I'm just not showing the BloodHound because we've seen that 50 other times at least. So I'm assuming you know how to run BloodHound. So let's do evil-winrm -i overwatch.htb -u SQL management -p, specify this, and we get logged in.
Awesome. So now that I have a shell, my very first step was going back and, we go in source, looking at the WSDL, or maybe it was the config actually that showed it. Let's go. Hopefully, it's here. I could have sworn that was in the .exe, but I'm probably wrong. It's in the config. But yeah, there is a service listening here. So, let's go ahead and cat this, or copy that, and then we can curl this.
And it wants us to use -UseBasicParsing.
There we go. So we get a page, and if it is WCF, the Windows Communication Foundation, it's going to have a ?wsdl. I'm going to do $c as in content and we can say $c.Content, and that gets us the whole WSDL. If you don't know what WSDL is, it's just a file that explains how to use a service. I normally relate it in my head to OpenAPI, and how you have this OpenAPI and then Swagger reads that JSON file and produces a fancy thing. It's just telling services how to use it, right? So this WSDL is XML because Windows Communication Foundation talks via XML. And we do see operations. So KillProcess. We can see it goes to this tempuri, IMonitoringService/KillProcess. It's going to tell us exactly how it's used. Tells us the arguments and things like that. There's a lot of data here that just tells Windows how to process something. But what I'm actually going to do is we'll just configure PowerShell to use this. So we can say the URL is going to be... do I still have it? I probably don't have my clipboard anymore. If I paste, it will probably go horribly. So, let's just do this.
WSDL.
Awesome.
I'm just going to just curl again. I just want to make sure I didn't typo anything.
Uh 404 not found.
So, I did typo something.
We will use copy and paste because I don't know what I typoed.
Okay, that looks better. Always test as you go because typos can definitely screw things up. So now that we have the URI or URL set up, we can just say, I'm going to call this a client. I'm going to say New-WebServiceProxy, URI is the URI and the namespace WCFProxy.
And this will hit the WSDL and then register everything for us. So now I can just say $client.KillProcess, and KillProcess is the exported name of this service.
Right? So if we go here there is a string KillProcess. It has one argument, which is processName, and that's where the command injection was, KillProcess right here where we're just injecting into this command. So, what I'm going to do is say KillProcess x, and then I'm going to do ping 10 1058, and then we'll put another semicolon to end it.
And then I want to do a sudo tcpdump -i tun0 icmp and we'll also do a -n so we don't resolve DNS.
I think this is fine. Let's do this. And we do get a ping. Windows will default to four pings and then stop. So now we have command execution here. So what I'm going to do, I'm going to take the lazy way and we're just going to do a, well, before we do that we can do net localgroup administrators.
And we can see there's no administrators. So I'm going to say is um net user at ipsseack and the password will be please sub. We'll do one that and then slash add. I want to say slashlo because this is a domain controller. I don't know if we need the local um net user add local.
Is there a special way to do this?
I don't know. We just did net user add like this.
And then net user, does IPS exist?
Does not slash local.
Not sure exactly why that is not working.
We will do the really lazy thing. We'll do net localgroup administrators.
Maybe this isn't running as admin, but I'm pretty sure it was, because this is the, it should be. net localgroup administrators.
Um, SQL.
What user are we?
MGMT like that, and then /add.
Okay, let's go run our net localgroup administrators again. And we can see SQL management is now an administrator. So now we can just redo our winrm connection.
And then if we do cd users\administrator\desktop, we can get root.txt.
So that is the box. There is one thing I kind of wanted to show. It doesn't matter that we're administrator here. You'll be able to do all this stuff from low privilege. But let's say, what was I going to say? We didn't know WCF was running. There's some enumeration we could be doing. If we just say, is it Get-Service? Yeah, this will probably... oh, that should have failed. Let's see. net user localgroup administrators SQL MGMT, maybe delete, remove, let's see, net localgroup remove user. net localgroup administrators domain users, domain... Oh, I have net user localgroup. My bad.
There we go.
Hold on. I just want to check something real quick.
So, that worked. I was hoping it wouldn't. Maybe I needed a /domain flag in my command injection, but I don't think that's it. Oh well.
So if we now connect we do Get-Service. We can't do it because we don't have the privilege. We could look at the registry. So if I do cd HKLM:, now we're in local machine. I'm going to go into the SYSTEM hive and then CurrentControlSet and then Services.
So if we do gci, we have a list of all the services on the box. So what I'm going to do is gci * and then select ImagePath.
Let's see.
Maybe it's case sensitive or I typoed select ImagePath.
Oh man.
I don't know why that's not working.
Maybe it's not Get-ChildItem. Maybe it's Get-ItemProperty.
And then we can say select ImagePath.
And I did not finish the Y here. So I wonder if that is an issue. PowerShell is normally good about autocompleting, but it doesn't look like it in this case. Can I Ctrl-C and EQ to continue?
Let's try this.
There we go. This is what I want to see.
So, now we have the image paths. So, I'm going to copy all of this into a text file. And I know there's probably a way we could do this with PowerShell itself, just do a Where-Object, but this is a quick way. And normally when I'm working, I do things in a quick hacky way, right? So we can paste all that.
I'm going to grep everything for a period.
So this gets rid of all the empty lines. And then I generally don't care about, let's say, System32. Right. And there we go. We have eliminated a lot of paths right away. And let's see, does anything stick out? We have NSSM. And this is actually the Non-Sucking Service Manager. I always thought this was a CTF thing, but this is actually a legit program. It just converts normal binaries into Windows service binaries pretty easily. It's not that hard to make a Windows service.
You just got to export a few functions like start service, end service, delete service, things like that, so the Windows service can interact with it. It's very similar to WCF where we have a program and we export a few functions that WCF can use.
It's the same concept, but it's not going over WCF. It's a different thing for Windows services that is archaic. But essentially, we have a service right here. So, what we want to do is figure out this. So, let's just do a, I wonder, what if we search up for NSSM.
Is this in our tmux history?
Doesn't look like it is.
Well, it would be in this in our PowerShell.
Here we go. So, that is going to be Overwatch. So, we could do just a Get-ItemProperty Overwatch.
And let's see that is here. Do we have anything interesting?
Current control set local system.
If I go into Overwatch, we can see it is in C:\software\monitoring. So we can see the full path of the binary here. If I did a cd \ and we just do a dir. We can do, oh, we have to go into the C:, we can do dir. We don't have any files there. If I add a -Force we can see there is a software directory. So we go into software. Let's do dir -Force again. There is a monitoring directory.
And of course, we have to add -Force. And this is where we can get the binary that we got from SMB. And then the process is the same. We download this binary, we decompile it, and we see the Windows Communication Foundation there.
But again, if we just did netstat or saw this was listening on port 8000, we discovered that was actually WCF. We hit the WSDL, we can see all the functionality there, right? We don't have to decompile this binary to see there is a KillProcess function, right? If we just hit that WSDL file, that would tell us everything. So with that being said, that's going to be the video. Hope you guys enjoyed it, take care, and I'll see you all next time.
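The root cause of the whole box is the KillProcess operation building a PowerShell command line out of an unvalidated string. The following C# is an added illustration, not the Overwatch service's own source: the vulnerable shape the video describes (caller input concatenated into a PowerShell command) beside a hardened version that never touches a shell. The names MonitoringService, KillProcess and processName follow the decompiled contract; the method bodies, the allow-list pattern and the sample input are assumptions constructed for this example.

```csharp
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;

// Hypothetical reconstruction (not the real Overwatch code) of a WCF-style
// monitoring service. In the real service this method is exposed through an
// unauthenticated basicHttpBinding endpoint, so every caller is untrusted.
public static class MonitoringService
{
    // VULNERABLE PATTERN: the process name is concatenated into a PowerShell
    // command line. Because ';' ends a PowerShell statement, a value such as
    // "x; <statement>;" stops being a process name and becomes code.
    // The command line is returned instead of executed so the shape is visible.
    public static string KillProcessVulnerable(string processName)
    {
        string script = "Stop-Process -Name " + processName;
        return "powershell.exe -Command \"" + script + "\"";
    }

    // HARDENED: treat the input strictly as data. Reject anything that is not
    // a plausible process name (assumed allow-list: letters, digits, '_', '.', '-')
    // and use the Process API directly, so no command interpreter ever sees it.
    static readonly Regex ValidName = new Regex(@"^[A-Za-z0-9_.-]{1,64}$");

    public static bool IsValidProcessName(string processName) =>
        processName != null && ValidName.IsMatch(processName);

    // Returns the number of processes terminated; throws on invalid input
    // before anything is executed.
    public static int KillProcessHardened(string processName)
    {
        if (!IsValidProcessName(processName))
            throw new ArgumentException("invalid process name", nameof(processName));

        int killed = 0;
        foreach (Process p in Process.GetProcessesByName(processName))
        {
            try { p.Kill(); killed++; }
            catch (Exception) { /* access denied or already exited: skip */ }
            finally { p.Dispose(); }
        }
        return killed;
    }

    public static void Main()
    {
        // Constructed sample input modelled on the video's payload shape.
        string injected = "x; ping ATTACKER_IP;";

        Console.WriteLine(KillProcessVulnerable(injected));
        // powershell.exe -Command "Stop-Process -Name x; ping ATTACKER_IP;"
        // the injected statement runs with the service's privileges (SYSTEM here).

        Console.WriteLine(IsValidProcessName(injected));   // False: rejected
        Console.WriteLine(IsValidProcessName("notepad"));  // True
    }
}
```

Two things worth noting for review or detection: the fix is not escaping quotes but removing the shell entirely, since Stop-Process has a direct API equivalent; and because the endpoint uses basicHttpBinding with no authentication and no TLS, a service like this should also be bound to localhost only or given message-level security, which is what the WSDL in the video would have revealed without any decompilation.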