HackTheBox - Overwatch

IppSec · Beginner ·☁️ DevOps & Cloud ·2mo ago

Key Takeaways

Exploits null authentication in Overwatch using nmap, SMBClient, and ilSpycmd

Original Description

00:00 - Introduction 00:45 - Start of nmap 03:00 - Null Authentication lets us list open shares 05:30 - Using SMBClient and downloading the overwatch binary and config from the fileshare 08:40 - Using ilSpycmd to decompile the dotnet from Linux 10:04 - Looking at the overwatch source, which is a WCF (Windows Communication Foundation) Binary 14:00 - Taking nmap allports output, doing some bashful to get a list of open ports to do our normal nmap against the open ports 17:40 - Finding MSSQL on port 6520, we can login. The Enum_Links shows an SQL Server, it hangs and says the host SQL07 doesn't exist 21:45 - Using BloodyAD to show AD Attributes we can write to, discover we can create DNS Entries, then creating a DNS Entry for SQL07 to point back to us and then getting the SQLMGMT user credentials 25:00 - Looking at the WCF Endpoint, examining the WSDL and explaining it a little bit 26:30 - Executing endpoints in the WCF Endpoint from PowerShell with New-WebServiceProxy and getting RCE on the server 33:00 - Showing how we could have enumerated services from our first shell
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Related Reads

📰
Pinning GitHub Actions to a tag is mass negligence and we all just watched it happen
Pinning GitHub Actions to a tag can lead to mass negligence and supply chain issues, learn how to fix it
Medium · Programming
📰
Self-study day 5
Learn Linux basics by exploring online platforms and practicing navigation
Dev.to · Layne Walker
📰
Automating Spring Boot Deployments: A CI/CD Pipeline with GitHub Actions and AWS ECS
Automate Spring Boot deployments with a CI/CD pipeline using GitHub Actions and AWS ECS to streamline testing and deployment
Medium · DevOps
📰
Are you Facing ‘Docker Permission Denied’ error! Let’s fix it and get you started with your shipping! 😵😕🔍
Fix the 'Docker Permission Denied' error by configuring Docker to run without sudo, improving security and convenience
Dev.to · Khushal Sarode

Chapters (12)

Introduction
0:45 Start of nmap
3:00 Null Authentication lets us list open shares
5:30 Using SMBClient and downloading the overwatch binary and config from the files
8:40 Using ilSpycmd to decompile the dotnet from Linux
10:04 Looking at the overwatch source, which is a WCF (Windows Communication Foundat
14:00 Taking nmap allports output, doing some bashful to get a list of open ports to
17:40 Finding MSSQL on port 6520, we can login. The Enum_Links shows an SQL Server,
21:45 Using BloodyAD to show AD Attributes we can write to, discover we can create D
25:00 Looking at the WCF Endpoint, examining the WSDL and explaining it a little bit
26:30 Executing endpoints in the WCF Endpoint from PowerShell with New-WebServicePro
33:00 Showing how we could have enumerated services from our first shell
Up next
AWS, Azure, GCP: The One Thing Every Business Gets Wrong
AI Daily
Watch →