HackTheBox - Overwatch
Why It Matters
The walkthrough shows how misconfigured WCF services and exposed credentials can lead to complete system takeover, urging enterprises to tighten configuration security and monitor internal service communications.
Key Takeaways
- Open SMB share reveals .NET executable and config leaking SQL credentials.
- Config shows WCF service on port 8000 vulnerable to command injection.
- SQL service runs on non-standard port 6520; credentials grant database access.
- Linked server abuse enables DNS hijack and additional privileged credentials.
- WinRM with harvested credentials allows remote code execution and root access.
Summary
The video walks through the Hack The Box "Overwatch" machine, illustrating how a seemingly innocuous SMB file share can expose a .NET executable and its configuration file, which inadvertently discloses a Microsoft SQL password. The author then discovers that the application hosts a Windows Communication Foundation (WCF) endpoint on port 8000 that lacks authentication and is vulnerable to command injection.
Key steps include enumerating the SMB share, downloading Overwatch.exe and its config, decompiling the binary with ILSpy to reveal WCF service contracts, and identifying a kill‑process function that accepts unsanitized input. The SQL service runs on an unusual port 6520; using the leaked credentials, the analyst gains database access, uncovers a dead linked server, hijacks its DNS name, and extracts additional privileged credentials. Those credentials enable WinRM access, which is then leveraged to invoke the vulnerable WCF endpoint and achieve full system compromise.
Notable techniques highlighted are the use of native SMB client tools to avoid detection, ILSpy for .NET decompilation, and scripting with NXC, Rusthound, and BloodHound to map privilege relationships. The kill‑process command injection is demonstrated by sending a crafted request to the WCF service, which executes arbitrary PowerShell commands on the host.
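The following contrast is an added illustration, not code from the video or from the Overwatch machine itself. It models the kill-process flaw the walkthrough describes in a hypothetical WCF operation: the first implementation builds a shell command from caller input and is exposed without authentication; the second calls the process API directly, whitelists the input, and is hosted behind Windows authentication. The interface, class and method names, the `net.tcp` address and the character set accepted for image names are all assumptions; only the port (8000) and the general shape of the flaw come from the summary.

```csharp
using System;
using System.Diagnostics;
using System.ServiceModel;
using System.Text.RegularExpressions;

// Hypothetical contract modelled on the kill-process operation the walkthrough mentions.
[ServiceContract]
public interface IProcessManager
{
    [OperationContract]
    string KillProcess(string name);
}

// VULNERABLE pattern (assumed, for illustration): the caller's string is pasted into a
// cmd.exe command line, so shell metacharacters in "name" become additional commands.
// Combined with an unauthenticated endpoint, any host that can reach the port runs
// commands as the service account.
public class VulnerableProcessManager : IProcessManager
{
    public string KillProcess(string name)
    {
        var psi = new ProcessStartInfo("cmd.exe", "/c taskkill /IM " + name)
        {
            UseShellExecute = false,
            RedirectStandardOutput = true
        };
        using (var p = Process.Start(psi))
        {
            string output = p.StandardOutput.ReadToEnd();
            p.WaitForExit();
            return output;
        }
    }
}

// HARDENED form: no shell is involved, the input is restricted to a plain image name,
// and the process API is used directly, so there is nothing left to inject into.
public class HardenedProcessManager : IProcessManager
{
    // Assumed allow-list: letters, digits, dot, underscore and hyphen, bounded length.
    private static readonly Regex ImageName =
        new Regex(@"^[A-Za-z0-9_.-]{1,64}$", RegexOptions.Compiled);

    public static bool IsValidImageName(string name) =>
        name != null && ImageName.IsMatch(name);

    public string KillProcess(string name)
    {
        if (!IsValidImageName(name))
            throw new FaultException("Invalid process name");

        // Process.GetProcessesByName expects the image name without its ".exe" suffix.
        string baseName = name.EndsWith(".exe", StringComparison.OrdinalIgnoreCase)
            ? name.Substring(0, name.Length - 4)
            : name;

        int killed = 0;
        foreach (var p in Process.GetProcessesByName(baseName))
        {
            try
            {
                p.Kill();
                killed++;
            }
            catch (InvalidOperationException)
            {
                // Process exited between enumeration and Kill(); nothing to do.
            }
            finally
            {
                p.Dispose();
            }
        }
        return $"terminated {killed} process(es) named {baseName}";
    }

    // Host the hardened service with transport security and Windows credentials so that
    // callers must authenticate; the address below is an assumed example, port from the summary.
    public static ServiceHost CreateHost()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;

        var host = new ServiceHost(typeof(HardenedProcessManager),
                                   new Uri("net.tcp://localhost:8000/ProcessManager"));
        host.AddServiceEndpoint(typeof(IProcessManager), binding, "");
        return host;
    }
}
```

Two points from a defender's view: the fix is not "escape the string better" but removing the shell from the path entirely, which is why the hardened version never calls `cmd.exe`; and authentication on the binding addresses the other half of the finding, since an injection-free operation that still lets anyone on the network kill arbitrary processes remains a denial-of-service primitive. Running the service under a dedicated low-privilege account limits what either version can reach if a flaw survives.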
The chain underscores how a single configuration leak can cascade through multiple services—SMB, SQL, linked servers, WinRM, and WCF—culminating in root access. It serves as a cautionary example for organizations to harden WCF endpoints, enforce least‑privilege database accounts, and monitor for abnormal service interactions.