HackTheBox - Overwatch
Skills:
Network Security80%
Key Takeaways
Exploits null authentication in Overwatch using nmap, SMBClient, and ilSpycmd
Original Description
00:00 - Introduction
00:45 - Start of nmap
03:00 - Null Authentication lets us list open shares
05:30 - Using SMBClient and downloading the overwatch binary and config from the fileshare
08:40 - Using ilSpycmd to decompile the dotnet from Linux
10:04 - Looking at the overwatch source, which is a WCF (Windows Communication Foundation) Binary
14:00 - Taking nmap allports output, doing some bashful to get a list of open ports to do our normal nmap against the open ports
17:40 - Finding MSSQL on port 6520, we can login. The Enum_Links shows an SQL Server, it hangs and says the host SQL07 doesn't exist
21:45 - Using BloodyAD to show AD Attributes we can write to, discover we can create DNS Entries, then creating a DNS Entry for SQL07 to point back to us and then getting the SQLMGMT user credentials
25:00 - Looking at the WCF Endpoint, examining the WSDL and explaining it a little bit
26:30 - Executing endpoints in the WCF Endpoint from PowerShell with New-WebServiceProxy and getting RCE on the server
33:00 - Showing how we could have enumerated services from our first shell
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
More on: Network Security
View skill →Related Reads
📰
📰
📰
📰
Pinning GitHub Actions to a tag is mass negligence and we all just watched it happen
Medium · Programming
Self-study day 5
Dev.to · Layne Walker
Automating Spring Boot Deployments: A CI/CD Pipeline with GitHub Actions and AWS ECS
Medium · DevOps
Are you Facing ‘Docker Permission Denied’ error! Let’s fix it and get you started with your shipping! 😵😕🔍
Dev.to · Khushal Sarode
Chapters (12)
Introduction
0:45
Start of nmap
3:00
Null Authentication lets us list open shares
5:30
Using SMBClient and downloading the overwatch binary and config from the files
8:40
Using ilSpycmd to decompile the dotnet from Linux
10:04
Looking at the overwatch source, which is a WCF (Windows Communication Foundat
14:00
Taking nmap allports output, doing some bashful to get a list of open ports to
17:40
Finding MSSQL on port 6520, we can login. The Enum_Links shows an SQL Server,
21:45
Using BloodyAD to show AD Attributes we can write to, discover we can create D
25:00
Looking at the WCF Endpoint, examining the WSDL and explaining it a little bit
26:30
Executing endpoints in the WCF Endpoint from PowerShell with New-WebServicePro
33:00
Showing how we could have enumerated services from our first shell
🎓
Tutor Explanation
DeepCamp AI