Target: Windows Server 2022 (Active Directory)
Difficulty: Medium
Domain: overwatch.htb
Target IP: 10.129.13.226
Attacker IP: 10.10.14.159

Initial Situation

The target exposes a full Active Directory footprint alongside MSSQL and WinRM.
This immediately frames the machine as an enterprise host, not a standalone server.
In such environments, exploitation rarely comes from a single vulnerability - instead, it emerges from trust relationships between services.

The objective is to locate those trust boundaries and force them to work against the system.

Phase 1 - Mapping the Attack Surface

A full TCP scan is performed to understand how the host is positioned within the domain.

nmap -sC -sV -p- 10.129.13.226

What the scan reveals

  • The host is a domain-joined Windows server

  • Active Directory services (DNS, LDAP, Kerberos) are exposed

  • SMB (445) is reachable

  • WinRM (5985) is enabled

  • MSSQL is listening on a non-default port (6520)

This combination strongly suggests:

  • Domain authentication is in use

  • Service accounts likely exist

  • Internal tooling may be deployed
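
The same reading of the scan, done from the defender's side as an exposure review. This is an added example, not part of the original writeup. It assumes the scan was saved in nmap's grepable format (-oG), which the command above does not do; the sample line, its version strings and the filtered 3389 entry are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of nmap grepable (-oG) output for the services listed
# above. Version strings and the filtered 3389 entry are illustrative only.
SAMPLE_OG = (
    "Host: 10.129.13.226 ()\tPorts: "
    "53/open/tcp//domain//Simple DNS Plus/, "
    "88/open/tcp//kerberos-sec//Microsoft Windows Kerberos/, "
    "389/open/tcp//ldap//Microsoft Windows Active Directory LDAP/, "
    "445/open/tcp//microsoft-ds///, "
    "3389/filtered/tcp//ms-wbt-server///, "
    "5985/open/tcp//http//Microsoft HTTPAPI httpd 2.0/, "
    "6520/open/tcp//ms-sql-s//Microsoft SQL Server 2022/"
)

AD_SERVICES = {"domain", "kerberos-sec", "ldap"}  # DNS, Kerberos, LDAP
WINRM_PORTS = {5985, 5986}
MSSQL_DEFAULT_PORT = 1433

def parse_open_ports(line):
    """Return (host, {port: service}) for ports whose state is 'open'."""
    m = re.match(r"Host: (\S+).*?\tPorts: (.*?)(?:\t|$)", line)
    if not m:
        return None, {}
    ports = {}
    # Entries look like port/state/protocol/owner/service/rpcinfo/version/
    for entry in re.split(r", (?=\d+/)", m.group(2)):
        fields = entry.strip().split("/")
        if len(fields) >= 5 and fields[1] == "open":
            ports[int(fields[0])] = fields[4]
    return m.group(1), ports

def exposure_findings(ports):
    """Turn the open-service map into the review items a defender would raise."""
    findings = []
    if AD_SERVICES <= set(ports.values()):
        findings.append("AD services (DNS, Kerberos, LDAP) exposed: domain authentication in use")
    if 445 in ports:
        findings.append("SMB reachable: review share ACLs and guest/anonymous access")
    if ports.keys() & WINRM_PORTS:
        findings.append("WinRM enabled: restrict remote management to admin hosts")
    for port, service in sorted(ports.items()):
        # Match on the fingerprinted service name, so a moved port is still caught.
        if service == "ms-sql-s":
            where = "default" if port == MSSQL_DEFAULT_PORT else "non-default"
            findings.append(f"MSSQL on {where} port {port}: audit its service account")
    return findings

if __name__ == "__main__":
    host, open_ports = parse_open_ports(SAMPLE_OG)
    for item in exposure_findings(open_ports):
        print(f"{host}: {item}")
```

Matching MSSQL by service fingerprint rather than port number is the point: moving the listener to 6520 does not hide it from a version scan.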

SMB is chosen as the first entry point.

This machine is still active in HTB, so the full walkthrough, exploitation path, and flags cannot be publicly released.
