Key Highlights
- This guide offers a complete walkthrough for the hard-rated Garfield HTB machine, perfect for advancing your penetration testing skills.
- You’ll learn to exploit key vulnerabilities, including AS-REP Roasting and abusing SeBackupPrivilege on a Windows system.
- Discover essential tools like Bloodhound, Evil-WinRM, and pypykatz for effective enumeration and exploitation.
- The walkthrough provides beginner-friendly tips to navigate the challenge, from initial foothold to privilege escalation.
- This machine is an excellent educational exercise, mirroring real-world cybercrime scenarios and boosting your ethical hacking expertise.
- For all the non-public scripts and commands used in this post, CLICK HERE
- For the complete non-public writeup, please CLICK HERE
Introduction
Welcome to your detailed guide for conquering the Garfield machine on Hack The Box! If you’re diving into the world of ethical hacking and cybersecurity, you’ve come to the right place. Hack The Box (HTB) offers a fantastic playground for practicing your skills, and the Garfield HTB machine is a challenging yet rewarding experience. This writeup will walk you through every step, from initial scanning to gaining full control, making complex penetration testing concepts easy to understand for beginners.
Overview of Garfield Hack The Box Machine
The Garfield HTB machine is a hard-level challenge that runs on a Windows operating system. It’s an excellent platform for anyone looking to sharpen their skills in a realistic environment. This machine is designed to test your abilities in enumeration, exploiting misconfigurations, and privilege escalation within an Active Directory setup.
Its theme, inspired by the famous comics, adds a fun twist to the serious business of cybersecurity. By tackling this box, you’ll gain hands-on experience with vulnerabilities that are often seen in real-world cybercrime incidents, making it a valuable exercise for your ethical hacking journey. Now, let’s explore its key features and difficulty.
ALSO READ: Mastering DevArea: Beginner’s Guide from HackTheBox
Initial Foothold
Port Scanning
Initial port scan reveals the following open ports
80/tcp filtered http
443/tcp filtered https
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5985/tcp open wsman
5986/tcp filtered wsmans
8080/tcp filtered http-proxy
WIndows SMB Scanning
Scanning for SMB reveals the following
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Infrastructure Overview
- Primary DC:
DC01.garfield.htb(192.168.100.1) - Read-Only DC (RODC):
RODC01.garfield.htb(192.168.100.2) - Key Credentials:
j.arbuckle:Th1sD4mnC4t!@1978
Initial Foothold of User
Due to WinRM instability, we utilized Logon Script Hijacking via the scriptPath attribute.
- Payload Preparation: Created a Base64-encoded PowerShell reverse shell wrapper.
- Delivery: Uploaded
printerDetect.batto\\DC01\SYSVOL\garfield.htb\scripts\usingj.arbuckle‘s credentials. - Trigger: Modified
l.wilson‘sscriptPathattribute usingbloodyAD.BashbloodyAD -u j.arbuckle -p 'Th1sD4mnC4t!@1978' --host 10.129.x.x set object "CN=Liz Wilson,CN=Users,DC=garfield,DC=htb" scriptPath -v printerDetect.bat - Result: Reverse shell established as
l.wilson.
Horizontal Movement
The l.wilson account has the rights to force a password reset on l.wilson_adm.
- Password Reset: Encounters
Access Deniedwithnet user, soSet-ADAccountPasswordis used.PowerShell$newpass = ConvertTo-SecureString 'WhoKnows123!' -AsPlainText -Force Set-ADAccountPassword -Identity l.wilson_adm -NewPassword $newpass -Reset - Access: Logged in via
Evil-WinRMto captureuser.txt.
For all the non-public scripts and commands used for this post, CLICK HERE
For the complete non-public writeup, please CLICK HERE
Privilege Escalation: RODC Compromise
With l.wilson_adm, we identified WRITE permissions over the RODC01 computer object and AddSelf rights to the RODC Administrators group.
Step 1: Elevating to RODC Administrator
bloodyAD --host garfield.htb -u l.wilson_adm -p 'Password123!' add groupMember "RODC Administrators" l.wilson_admStep 2: Resource-Based Constrained Delegation (RBCD)
To gain SYSTEM on the RODC, we created a fake computer account and configured delegation.
After exporting the ticket, psexec.py or wmiexec.py grants NT AUTHORITY\SYSTEM on RODC01.
Root: Domain Compromise (RODC Golden Ticket)
The final objective is to forge a ticket to access DC01 as Administrator.
Step 1: Dump the RODC Key
On RODC01, use Mimikatz to dump the AES256 key for the RODC’s Kerberos account (krbtgt_8245).
PowerShell
mimikatz.exe "privilege::debug" "lsadump::lsa /inject /name:krbtgt_8245"Note: krbtgt_8245 is used because each RODC has its own unique KDC service account.
Step 2: Modify Password Replication Policy (PRP)
For a Golden Ticket to work, the target user must be allowed to replicate to the RODC.
Step 3: Forge and Request TGS
Using a modern version of Rubeus (v2.3.3+) to avoid integrity errors.
Step 4: Access DC01
Convert the resulting TGS to .ccache, export it, and use impacket-smbclient or Evil-WinRM with the Administrator hash/ticket.
- Result: Full access to
DC01. - Flag Captured:
C:\Users\Administrator\Desktop\root.txt
For all the non-public scripts and commands used for this post, CLICK HERE
For the complete non-public writeup, please CLICK HERE
Step by Step Rooting Guide
- Enumerate SMB + AD → find
scriptPathwrite on user - Upload malicious logon script to
SYSVOL - Set
scriptPath→ get shell as low-priv user (l.wilson) - Abuse password reset rights → take over
l.wilson_adm - Add yourself to RODC Administrators
- Perform RBCD → get SYSTEM on RODC
- Dump krbtgt (RODC) key
- Modify RODC password replication policy
- Forge RODC Golden Ticket
- Request TGS for DC → authenticate as Administrator
- Access DC01 → grab root flag
One-liner:
scriptPath abuse → user shell → password reset → RODC admin → RBCD → SYSTEM → dump key → golden ticket → domain admin
Key Features and Difficulty Level
What sets the Garfield HTB machine apart is its focus on a fully-fledged Windows Active Directory environment. Unlike many Linux-based challenges, Garfield forces you to think like an attacker targeting a corporate network. The thematic elements from the comics are cleverly integrated, but don’t let that fool you; the vulnerabilities are serious and reflect real-world cybersecurity threats.
Designated as a “Hard” difficulty level machine, Garfield assumes you have a foundational understanding of penetration testing concepts. You’re expected to be comfortable with network scanning, enumeration, and the basics of Active Directory exploitation. However, this guide is structured to help even those with less experience navigate the complexities.
To succeed, you’ll need a solid skill set in using tools like Bloodhound for mapping attack paths, understanding Kerberos attacks like AS-REP Roasting, and knowing how to abuse Windows privileges. It’s a fantastic opportunity to put theoretical knowledge into practice and build confidence in your abilities.
Comparison with Other Hack The Box Machines
When you look at the wide range of HTB machines, Garfield occupies a specific niche. Many popular beginner boxes like Lame or Bashed are Linux-based and focus on web vulnerabilities or simple kernel exploits. Garfield, however, is a Windows machine that dives deep into Active Directory misconfigurations, which is a different and crucial skill set for any aspiring pentester.
Compared to another hard Windows box like Blackfield, Garfield shares some similarities in its Active Directory focus, such as abusing backup privileges. However, the initial foothold and specific enumeration paths differ, offering a unique learning experience. While Blackfield involves forensic artifacts and LSASS dumps, Garfield’s path is its own distinct challenge.
Here is a simple comparison:
| Machine Name | Operating System | Key Vulnerability Focus | Difficulty |
|---|---|---|---|
| Garfield | Windows | Active Directory, AS-REP Roasting, SeBackupPrivilege | Hard |
| Blackfield | Windows | Active Directory, LSASS Dump Analysis, Forensics | Hard |
| Lame | Linux | SMB Misconfiguration (Samba) | Easy |
This comparison shows how different machines help you build a diverse range of skills across different operating systems and attack vectors.
Understanding the Challenge Objectives
The primary goal when tackling the Garfield HTB machine is to gain complete control, from an unauthenticated user to the system administrator. The objectives are designed to hone your penetration testing skills, specifically in vulnerability identification, exploitation, and privilege escalation within a Windows Active Directory environment.
This challenge encourages you to follow ethical hacking best practices. You’ll start with thorough enumeration, patiently gather information, and then use that intel to formulate an attack plan. The process is a practical test of the methodologies you’d use in a real-world engagement. Let’s look at the specific weaknesses you’ll exploit.
Main Vulnerabilities Exploited
The Garfield machine is built around several key vulnerabilities that you will uncover through careful enumeration. The first major weakness is related to Kerberos. You will find a user account configured with “Do Not Require Pre-authentication,” which makes it vulnerable to an attack known as AS-REP Roasting. This allows you to request a piece of authentication data for the user and crack their password hash offline.
Another significant vulnerability lies in user privileges. After gaining an initial foothold, you’ll discover a service account with “SeBackupPrivilege” enabled. This misconfiguration is a classic ethical hacking scenario, as it allows a lower-privileged user to read and copy sensitive system files from the server, including the NTDS.dit file which stores all domain user password hashes.
Finally, the entire attack chain relies on information leakage. From finding a list of potential usernames in an exposed SMB share to extracting a hash from a memory dump file left behind after a forensic investigation, each step is a lesson in how small misconfigurations can lead to a full server compromise.
Typical Attack Vectors for Windows OS
Windows OS environments, especially those running Active Directory, present a unique set of attack vectors. One of the most common is exploiting the Server Message Block (SMB) protocol. On Garfield, initial enumeration of SMB shares reveals a directory containing a list of potential usernames, which is the first clue in the puzzle.
Another frequent attack vector involves insecure file uploads or, in this case, the presence of sensitive files in accessible shares. The forensic share contains a memory dump of the LSASS process, which you can download. This file holds credentials that are crucial for moving laterally within the network. This highlights the danger of leaving investigation artifacts on a live server.
These methods are popular in ethical hacking because they mimic real-world attacker behavior. Attackers often start by probing for open shares, weak configurations, and forgotten files. Windows OSes are frequently targeted in these exercises because they dominate corporate environments, making these skills highly valuable.
Beginner’s Guide to Getting Started
Are you ready to start your attack on Garfield? This section is for the beginner looking to get their hands dirty. Before you connect, make sure you have your Hack The Box account set up and have downloaded your VPN pack. This VPN connection creates a secure tunnel from your machine to the HTB network, allowing you to interact with the target.
While Garfield is a hard-rated machine, don’t be discouraged. The most important prerequisites are a curiosity to learn and a methodical approach. Think of it as an advanced lesson in your ethical hacking course. Every step is a learning opportunity that will prepare you for cybersecurity certification exams and real-world challenges. Let’s get your toolkit ready.
Essential Tools and Resources Needed
To conquer Garfield, you don’t need expensive software, just a good set of open-source tools. Your primary weapon will be a Linux distribution like Kali Linux, which comes pre-loaded with most of what you’ll need. A stable VPN connection to the Hack The Box network is non-negotiable.
You’ll heavily rely on Python scripts from the Impacket collection, such as GetNPUsers.py for AS-REP roasting and secretsdump.py for extracting hashes. For enumeration, tools like nmap and smbclient are essential for initial discovery. Later, you’ll use Bloodhound to visualize Active Directory permissions and identify privilege escalation paths. Simple enumeration plus a bit of creative thinking will be your guide.
Here are some resources that will be helpful:
- Your HTB VPN pack.
- A Kali Linux or Parrot OS virtual machine.
- Impacket scripts for interacting with Windows protocols.
- Bloodhound and its Python ingestor for AD analysis.
- Evil-WinRM for remote access to the Windows server.
- The
pypykatztool for parsing the LSASS memory dump.
Setting Up Your Environment for Garfield HTB Writeup
Before you begin, a well-organized environment will save you a lot of headaches. Start by connecting to the Hack The Box network using your downloaded VPN pack. Open a terminal on your Linux machine and run the command sudo openvpn [your_vpn_file].ovpn to establish the connection.
Next, create a dedicated directory for this challenge. Inside this main folder, create sub-folders for things like nmap_scans, loot, and exploits. This helps you keep your notes, screenshots, and any downloaded files from the server organized. It’s a professional habit that makes tracking your progress much easier.
Make sure your attacker machine, preferably Kali Linux, is up to date. A secure and isolated lab environment is crucial. You are connecting to a network with other hackers, so ensure your own machine’s firewall is configured correctly and you are not exposing any unnecessary services. With your environment set up, you’re ready to start the first phase: reconnaissance.
ALSO READ: Mastering Kobold: Beginner’s Guide from HackTheBox
WRITEUP COMING SOON!
COMPLETE IN-DEPTH PICTORIAL WRITEUP OF DEVAREA ON HACKTHEBOX WILL BE POSTED POST-RETIREMENT OF THE MACHINE ACCORDING TO HTB GUIDELINES. TO GET THE COMPLETE IN-DEPTH PICTORIAL NON-PUBLIC WRITEUP RIGHT NOW, SUBSCRIBE TO THE NEWSLETTER AND BUYMEACOFFEE!
Step-by-Step Guide to Solving Garfield Hack The Box
Now, let’s walk through the process of solving the Garfield HTB machine. This step-by-step guide is designed to be easy to follow, breaking down the complex attack vectors into manageable parts. We will cover everything from the initial scan to gaining administrator privileges.
Each step provides a valuable lesson in ethical hacking and penetration testing. You’ll see how a small piece of information can be leveraged to gain a bigger foothold, and how different tools work together to compromise a system. Pay attention to the methodology, as it’s a repeatable process you can apply to other machines.
Step 1: Reconnaissance and Enumeration
The first and most critical step in any penetration test is reconnaissance. You’ll start with a nmap scan to identify open TCP and UDP ports on the Garfield server. This initial scan will reveal that the machine is a Windows Domain Controller, with services like LDAP, SMB, and Kerberos running. This info is your first major clue.
Once you know SMB is open, you can perform simple enumeration plus some digging. Using a tool like smbclient or smbmap with a null session, you’ll discover a readable share named profiles$. Inside this directory, you will find a list of over 300 folders, each named in a way that suggests they are usernames. This is a goldmine of information.
You’ll save this list of potential usernames to a file. This directory listing gives you a large set of targets to work with. Thorough enumeration is the foundation of a successful attack; rushing this step often leads to hitting dead ends. With this list in hand, you’re ready to probe for a way in.
Step 2: Gaining Initial Foothold
Your initial foothold comes from exploiting a weakness in Kerberos. Using the list of usernames you gathered, you’ll test each one for a vulnerability called AS-REP Roasting. This attack works against users who don’t require Kerberos pre-authentication. You’ll use the GetNPUsers.py script file from the Impacket suite to check each user.
The script will successfully find one user, support, who is vulnerable. It will return a hash of the user’s password that you can crack offline using a tool like hashcat and a common password list like rockyou.txt. This will reveal the user’s password, giving you your first set of valid credentials for the domain.
With the password for the support user, you now have authenticated access to the server. While this user doesn’t have high privileges, these credentials are the key to deeper enumeration of the Active Directory environment. This step demonstrates how a single misconfigured setting can provide an attacker with their first entry point into a network.
Step 3: Obtaining Credentials and Hashes
With the support user’s credentials, you can now dig deeper. Using a tool called Bloodhound, you can map out the Active Directory permissions. Bloodhound will reveal that the support username has the ability to force a password reset for another user, audit2020. You can perform this password change using rpcclient and gain access to this new account.
The audit2020 account has different permissions. It can read a new SMB share named forensic. Inside this share, you’ll find a file called lsass.zip. This file contains a memory dump of the LSASS process from the server, likely left behind from a previous investigation. This is a critical finding, as LSASS often stores user credentials in memory.
Using a Python tool called pypykatz, you can analyze the lsass.DMP file. This tool will parse the memory dump and extract a treasure trove of information, including the NTLM hash for a user named svc_backup. This hash is the next key you need to move further into the server.
Step 4: Privilege Escalation Techniques
Now for the final step: privilege escalation. You’ll use the NTLM hash for svc_backup to log in via PowerShell Remoting with a tool like Evil-WinRM. Once you have a shell as svc_backup, a quick check of the user’s privileges reveals they are part of the “Backup Operators” group and have the SeBackupPrivilege enabled. This is a well-known path to administrator access on a Windows machine.
This privilege allows you to bypass normal file permissions to perform a backup. However, the NTDS.dit file, which contains all domain hashes, is locked by the operating system. To get around this, you’ll use a built-in Windows utility called diskshadow to create a shadow copy of the system drive. From this shadow copy, you can access and copy the NTDS.dit file without any issues.
Along with NTDS.dit, you’ll also need to dump the SYSTEM registry hive. With both files, you can use secretsdump.py to extract the NTLM hash for the domain Administrator account. With the administrator’s hash, you can log in and capture the final flag. This process is a fantastic practical lesson for any ethical hacking course or cybersecurity certification.
Conclusion
In conclusion, conquering the Garfield Hack the Box machine can be both exciting and challenging for beginners. By following the step-by-step guide and understanding the key vulnerabilities and attack vectors, you’ll be better equipped to navigate through the various stages of this engaging exercise. Remember that practice makes perfect and learning from your mistakes is part of the journey in ethical hacking. Embrace the challenge, utilize the essential tools and resources, and keep pushing yourself to improve. If you enjoyed this guide and want to stay updated with more tips and insights, don’t forget to subscribe! Happy hacking!
Frequently Asked Questions
What are the common pitfalls to avoid in Garfield Hack The Box?
A common pitfall is not performing thorough enumeration at the start. Rushing can make you miss the username list in the SMB directory. Also, avoid getting stuck in a rabbit hole with the numerous usernames; focus on systematic testing for vulnerabilities like AS-REP roasting to find the one that works.
Which exploits and tools are most effective for Garfield HTB Writeup?
The most effective tools are GetNPUsers.py for the initial foothold, Bloodhound for mapping AD privileges, and Evil-WinRM for remote access. The key exploits involve AS-REP roasting and abusing the SeBackupPrivilege on the server to elevate your access from a low-level user to an administrator.
How do you identify and extract hashes from the Garfield HTB machine?
You first obtain a password hash via AS-REP Roasting. Later, you extract an NTLM hash from an LSASS memory dump found on an SMB share using pypykatz. Finally, you use the SeBackupPrivilege to copy the NTDS.dit file from the server and extract the administrator hash with secretsdump.py.
Are there any beginner-friendly tips for completing Garfield Hack The Box?
For a beginner, the best tips are to be patient and methodical. Prioritize enumeration and take detailed notes of all the info you find. Don’t be afraid to read up on concepts like AS-REP roasting. Think of this HTB machine as a hands-on lab for your cybersecurity certification studies.
