{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreibhulycmzkdx6nwheutmg7elggqnqtelraagwmp5emxht6u3x4imi",
"uri": "at://did:plc:gc2nrf5j5b2po5huoyw6utr4/app.bsky.feed.post/3miqqlftve6n2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreih3hieou6bkhugqncrizeayyjdt44lr5zeazr4zba2vqfefz6bf74"
},
"mimeType": "image/jpeg",
"size": 151608
},
"description": "BOX INFO Property Value Name Garfield OS Windows Server 2019 Build 17763 Difficulty Hard Domain garfield.htb DC DC01.garfield.htb ( / 192.168.100.1) RODC RODC01.garfield.htb (192.168.100.2, internal only) PHASE 1: RECONNAISSANCE /ETC/HOSTS SETUP garfield.htb dc01.garfield.htb dc01 192.168.100.2 rodc01.garfield.htb rodc01 INITIAL CREDENTIALS (PROVIDED OUT-OF-BAND) j.arbuckle : Th1sD4mnC4t!@1978 PORT SCAN nmap -sV -sC --top-ports 1000...",
"path": "/hack-the-box-season-10-htb-garfield-writeup-hard-weekly-april-4th-2026/",
"publishedAt": "2026-04-04T23:09:26.000Z",
"site": "https://1337sheets.com",
"tags": [
"Subscribe now",
"@1978"
],
"textContent": "## Box Info\n\nProperty | Value\n---|---\nName | Garfield\nOS | Windows Server 2019 Build 17763\nDifficulty | Hard\nDomain | garfield.htb\nDC | DC01.garfield.htb (<TARGET_IP> / 192.168.100.1)\nRODC | RODC01.garfield.htb (192.168.100.2, internal only)\n\n* * *\n\n## Phase 1: Reconnaissance\n\n### /etc/hosts Setup\n\n\n <TARGET_IP> garfield.htb dc01.garfield.htb dc01\n 192.168.100.2 rodc01.garfield.htb rodc01\n\n\n### Initial Credentials (provided out-of-band)\n\n\n j.arbuckle : Th1sD4mnC4t!@1978\n\n\n### Port Scan\n\n\n nmap -sV -sC --top-ports 1000 --min-rate 5000 <TARGET_IP>\n\n\n**Results:**\n\nPort | Service | Notes\n---|---|---\n53 | DNS | Simple DNS Plus\n88 | Kerberos | Microsoft Windows Kerberos\n135 | MSRPC | Microsoft Windows RPC\n139 | NetBIOS |\n389 | LDAP | Domain: garfield.htb\n445 | SMB | Signing required\n464 | kpasswd |\n593 | RPC-HTTP |\n636 | LDAPS |\n2179 | vmrdp | Hyper-V - confirms RODC01 is a VM on DC01\n3268 | LDAP GC | Global Catalog\n3269 | LDAPS GC |\n3389 | RDP |\n5985 | WinRM |\n\n**Key findings:**\n\n * Windows Server 2019 (Build 17763)\n * Domain: GARFIELD, Computer: DC01\n * **Clock skew: +Numberh00m03s** (Kerberos requires <5 min skew)\n * Port 2179 (Hyper-V vmrdp) reveals DC01 hosts VMs (RODC01 is a VM)\n * SMB signing enabled and required\n\n\n\n### Clock Skew Handling\n\n\n # Option 1: Sync clock directly (may revert)\n sudo ntpdate <TARGET_IP>\n\n # Option 2: Use faketime prefix for all Kerberos tools (recommended)\n faketime 'hours' <kerberos_command>\n\n faketime need the hours of the skew so it will be faketime '+6 hours' or '+3 hours' it depends on your system time and timezone\n\n\n\n* * *\n\n## Phase 2: Enumeration\n\n### Credential Validation\n\n\n netexec smb <TARGET_IP> -u j.arbuckle -p 'Th1sD4mnC4t!@1978'\n netexec winrm <TARGET_IP> -u j.arbuckle -p 'Th1sD4mnC4t!@1978'\n netexec ldap <TARGET_IP> -u j.arbuckle -p 'Th1sD4mnC4t!@1978'\n netexec rdp <TARGET_IP> -u j.arbuckle -p 'Th1sD4mnC4t!@1978'\n\n\nProtocol | Result\n---|---\nSMB | VALID\nWinRM | INVALID (not in Remote Management Users)\nLDAP | VALID\nRDP | VALID\n\n### BloodHound Collection\n\n\n bloodhound-python -u j.arbuckle -p 'Th1sD4mnC4t!@1978' \\\n -d garfield.htb -dc DC01.garfield.htb -ns <TARGET_IP> -c All --zip\n\n\nFound: 1 domain, 2 computers, 8 users, 55 groups, 2 GPOs, 1 OU.\n\n### Domain Users Enumerated\n\n\n netexec smb <TARGET_IP> -u j.arbuckle -p 'Th1sD4mnC4t!@1978' --users\n\n\nUser | Description | Notes\n---|---|---\nAdministrator | Built-in admin | Target\nkrbtgt | KDC service account |\nkrbtgt_8245 | RODC KDC service account | RID 1603\nj.arbuckle | IT Support | Our initial user\nl.wilson | | Has WinRM, RDP\nl.wilson_adm | | Has WinRM, RDP, Tier 1 group\n\n### This post is for subscribers only\n\nBecome a member to get access to all content\n\nSubscribe now",
"title": "Hack The Box - Season 10 HTB Garfield Writeup - Hard - Weekly - April 4th, 2026",
"updatedAt": "2026-04-05T12:24:40.362Z"
}