Overwatch
HackTheBox Overwatch machine writeup — reconnaissance and enumeration walkthrough.
Domain: overwatch.htb
Target IP: 10.129.13.226
Attacker IP: 10.10.14.159
Initial Situation
The target exposes a full Active Directory footprint alongside MSSQL and WinRM.
This immediately frames the machine as an enterprise host, not a standalone server.
In such environments, exploitation rarely comes from a single vulnerability - instead, it emerges from trust relationships between services.
The objective is to locate those trust boundaries and force them to work against the system.
Phase 1 - Mapping the Attack Surface
A full TCP scan is performed to understand how the host is positioned within the domain.
nmap -sC -sV -p- 10.129.13.226
What the scan reveals
- The host is a domain-joined Windows server
- Active Directory services (DNS, LDAP, Kerberos) are exposed
- SMB (445) is reachable
- WinRM (5985) is enabled
- MSSQL is listening on a non-default port (6520)
This combination strongly suggests:
- Domain authentication is in use
- Service accounts likely exist
- Internal tooling may be deployed
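The same reading of the scan can be automated when auditing which services a host exposes. The following is an added example, not part of the original writeup: it assumes the scan was saved in nmap's grepable format (`-oG`), and the sample line and finding labels are constructed for illustration.

```python
import re

# Constructed sample of `nmap -oG` (grepable) output; not captured from the target.
SAMPLE = (
    "Host: 10.129.13.226 ()\tPorts: "
    "53/open/tcp//domain//Simple DNS Plus/, "
    "88/open/tcp//kerberos-sec//Microsoft Windows Kerberos/, "
    "389/open/tcp//ldap//Microsoft Windows Active Directory LDAP/, "
    "445/open/tcp//microsoft-ds///, "
    "3389/closed/tcp//ms-wbt-server///, "
    "5985/open/tcp//http//Microsoft HTTPAPI httpd 2.0/, "
    "6520/open/tcp//ms-sql-s//Microsoft SQL Server/"
)

AD_CORE = {53: "DNS", 88: "Kerberos", 389: "LDAP"}  # together these indicate AD services
MSSQL_DEFAULT = 1433

def parse_open_ports(line):
    """Return {port: (service, version)} for open TCP ports in one -oG Host line."""
    m = re.search(r"Ports: (.*?)(?:\t|$)", line)
    ports = {}
    if not m:
        return ports
    for entry in m.group(1).split(", "):
        f = entry.strip().split("/")
        # Field order: port/state/protocol/owner/service/rpc/version/
        if len(f) >= 7 and f[1] == "open" and f[2] == "tcp":
            ports[int(f[0])] = (f[4], f[6])
    return ports

def classify(ports):
    """Map open ports to the exposure findings listed in the writeup (labels are hypothetical)."""
    findings = []
    if all(p in ports for p in AD_CORE):
        findings.append("ad-services-exposed")
    if 445 in ports:
        findings.append("smb-reachable")
    if 5985 in ports:
        findings.append("winrm-enabled")
    # Match MSSQL by detected service name so a moved listener is still reported.
    for port, (service, _) in sorted(ports.items()):
        if service == "ms-sql-s" and port != MSSQL_DEFAULT:
            findings.append(f"mssql-nondefault-port:{port}")
    return findings

if __name__ == "__main__":
    for finding in classify(parse_open_ports(SAMPLE)):
        print(finding)
```

Matching MSSQL on the detected service name rather than the port number is what surfaces the listener on 6520; a port-based allowlist that only checks 1433 would miss it.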
SMB is chosen as the first entry point.