Overview
Garfield is a hard-rated Active Directory machine on HackTheBox that simulates a realistic enterprise environment running a Read-Only Domain Controller (RODC) alongside a primary DC.
Reconnaissance
Nmap Full Port Scan
nmap -sC -sV -p- --min-rate 5000 -oN nmap_full.txt 10.129.20.216
Port | Service | Detail |
|---|---|---|
53 | DNS | Simple DNS Plus |
88 | Kerberos | Microsoft Windows Kerberos |
135 | RPC | Microsoft Windows RPC |
139 | NetBIOS-SSN | Microsoft Windows netbios-ssn |
389 | LDAP | Active Directory (Domain: garfield.htb) |
445 | SMB | microsoft-ds |
464 | kpasswd5 | Kerberos password change |
593 | ncacn_http | RPC over HTTP |
3268 | LDAP GC | Global Catalog |
3389 | RDP | Microsoft Terminal Services |
5985 | WinRM | Microsoft HTTPAPI httpd 2.0 |
9389 | mc-nmf | .NET Message Framing |
Key findings:
Domain:
garfield.htb| Hostname:DC01.garfield.htbOS: Windows Server 2019 Build 17763
Clock skew: +7h58m (critical for Kerberos - must sync before attacks)
SMB signing required (no relay attacks)
RODC01 DNS resolves to 192.168.100.2 (internal subnet, not directly reachable)
echo "10.129.20.216 garfield.htb DC01.garfield.htb" | sudo tee -a /etc/hosts
echo "192.168.100.2 RODC01.garfield.htb RODC01" | sudo tee -a /etc/hosts
Enumeration
SMB Anonymous Access
smbclient -L //10.129.20.216 -N
# Anonymous login successful - no shares returned
smbclient //10.129.20.216/SYSVOL -N
# Anonymous login successful
# tree connect failed: NT_STATUS_ACCESS_DENIED
Anonymous login succeeded for listing but SYSVOL access was denied without credentials. Domain garfield.htb confirmed.
CrackMapExec User Enum
crackmapexec smb 10.129.20.216 --users
# [*] Windows 10 / Server 2019 Build 17763
# Error: NTLM needs domain\username and password
Unauthenticated enumeration blocked. We need credentials first.
🔐 PREMIUM WRITEUP - MEMBERSHIP REQUIRED
This machine is still active in HTB, so the full walkthrough, exploitation path, and flags cannot be publicly released.
But you can access the entire premium writeup right now.
🌟 Get Instant Access
Unlock the complete step-by-step solution, techniques used, notes, and exclusive insights by becoming a member.
Why Go Premium?
Early access to full detailed writeups
Passwords for active CTF solutions
Advanced exploitation techniques
Upgrade once - unlock everything instantly.
Keep hacking, keep learning, keep winning. 🎯
