Hack The Box - Season 10 HTB Garfield Writeup - Hard - Weekly - April 4th, 2026
Box Info
| Property | Value |
|---|---|
| Name | Garfield |
| OS | Windows Server 2019 Build 17763 |
| Difficulty | Hard |
| Domain | garfield.htb |
| DC | DC01.garfield.htb (<TARGET_IP> / 192.168.100.1) |
| RODC | RODC01.garfield.htb (192.168.100.2, internal only) |
Phase 1: Reconnaissance
/etc/hosts Setup
<TARGET_IP> garfield.htb dc01.garfield.htb dc01
192.168.100.2 rodc01.garfield.htb rodc01
Initial Credentials (provided out-of-band)
j.arbuckle : Th1sD4mnC4t!@1978
Port Scan
nmap -sV -sC --top-ports 1000 --min-rate 5000 <TARGET_IP>
Results:
| Port | Service | Notes |
|---|---|---|
| 53 | DNS | Simple DNS Plus |
| 88 | Kerberos | Microsoft Windows Kerberos |
| 135 | MSRPC | Microsoft Windows RPC |
| 139 | NetBIOS | |
| 389 | LDAP | Domain: garfield.htb |
| 445 | SMB | Signing required |
| 464 | kpasswd | |
| 593 | RPC-HTTP | |
| 636 | LDAPS | |
| 2179 | vmrdp | Hyper-V - confirms RODC01 is a VM on DC01 |
| 3268 | LDAP GC | Global Catalog |
| 3269 | LDAPS GC | |
| 3389 | RDP | |
| 5985 | WinRM |
Key findings:
- Windows Server 2019 (Build 17763)
- Domain: GARFIELD, Computer: DC01
- Clock skew: +Numberh00m03s (Kerberos requires <5 min skew)
- Port 2179 (Hyper-V vmrdp) reveals DC01 hosts VMs (RODC01 is a VM)
- SMB signing enabled and required
Clock Skew Handling
# Option 1: Sync clock directly (may revert)
sudo ntpdate <TARGET_IP>
# Option 2: Use faketime prefix for all Kerberos tools (recommended)
faketime 'hours' <kerberos_command>
faketime need the hours of the skew so it will be faketime '+6 hours' or '+3 hours' it depends on your system time and timezone
Phase 2: Enumeration
Credential Validation
netexec smb <TARGET_IP> -u j.arbuckle -p 'Th1sD4mnC4t!@1978'
netexec winrm <TARGET_IP> -u j.arbuckle -p 'Th1sD4mnC4t!@1978'
netexec ldap <TARGET_IP> -u j.arbuckle -p 'Th1sD4mnC4t!@1978'
netexec rdp <TARGET_IP> -u j.arbuckle -p 'Th1sD4mnC4t!@1978'
| Protocol | Result |
|---|---|
| SMB | VALID |
| WinRM | INVALID (not in Remote Management Users) |
| LDAP | VALID |
| RDP | VALID |
BloodHound Collection
bloodhound-python -u j.arbuckle -p 'Th1sD4mnC4t!@1978' \
-d garfield.htb -dc DC01.garfield.htb -ns <TARGET_IP> -c All --zip
Found: 1 domain, 2 computers, 8 users, 55 groups, 2 GPOs, 1 OU.
Domain Users Enumerated
netexec smb <TARGET_IP> -u j.arbuckle -p 'Th1sD4mnC4t!@1978' --users
| User | Description | Notes |
|---|---|---|
| Administrator | Built-in admin | Target |
| krbtgt | KDC service account | |
| krbtgt_8245 | RODC KDC service account | RID 1603 |
| j.arbuckle | IT Support | Our initial user |
| l.wilson | Has WinRM, RDP | |
| l.wilson_adm | Has WinRM, RDP, Tier 1 group |