HackTheBox: Garfield

Written by

Arbaaz Jamadar

Cloud Security & Application Security Engineer · OSCP · AWS Security Specialty · Master’s in Cybersecurity, University of Maryland

Assumed Breach → j.arbuckle / Th1sD4mnC4t!@1978

Enumeration:

dc01.garfield.htb →

PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Simple DNS Plus
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2026-04-05 06:48:05Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: garfield.htb, Site: Default-First-Site-Name)
445/tcp   open     microsoft-ds?
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open     tcpwrapped
2179/tcp  open     vmrdp?
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: garfield.htb, Site: Default-First-Site-Name)
3269/tcp  open     tcpwrapped
3389/tcp  open     ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2026-04-05T06:49:44+00:00; +7h59m03s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: GARFIELD
|   NetBIOS_Domain_Name: GARFIELD
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: garfield.htb
|   DNS_Computer_Name: DC01.garfield.htb
|   DNS_Tree_Name: garfield.htb
|   Product_Version: 10.0.17763
|_  System_Time: 2026-04-05T06:49:03+00:00
| ssl-cert: Subject: commonName=DC01.garfield.htb
| Not valid before: 2026-02-13T01:10:36
|_Not valid after:  2026-08-15T01:10:36
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open     mc-nmf        .NET Message Framing
49667/tcp open     msrpc         Microsoft Windows RPC
49670/tcp open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open     msrpc         Microsoft Windows RPC
49672/tcp filtered unknown
49673/tcp open     msrpc         Microsoft Windows RPC
49674/tcp open     msrpc         Microsoft Windows RPC
49899/tcp open     msrpc         Microsoft Windows RPC
59900/tcp open     msrpc         Microsoft Windows RPC

Feel free to reachout on LinkedIn or any of my socials in case you need help with the challenge. The full writeup will be released after the box is retired.

Wiz The Ultimate Cloud Security Championship: Split Horizon

Kubernetes CTF writeup: pivoting from a low-privilege bastion into a hidden cluster service by manually joining a Flannel VXLAN overlay network, bypassing pod network isolation, and discovering an internal endpoint via reverse DNS sweeps against CoreDNS.

HackTheBox: PingPong

HackTheBox Season 10 PingPong writeup: cross-forest Active Directory compromise from a low-privileged user to Domain Admin via ADCS ESC4, gMSA credential reading, RBCD, SeImpersonatePrivilege/GodPotato, DCSync, and JEA constrained-language bypass.

HackTheBox: Logging

HackTheBox Season 10 Logging writeup: unauthenticated AD enumeration, shadow-credential abuse to reset msa_health for the initial foothold, DLL hijacking on UpdateMonitor for lateral movement, and ADCS ESC1 + WSUS abuse for Domain Admin.

HackTheBox: DevArea HackTheBox: Silentium

HackTheBox: Garfield

Enumeration:

dc01.garfield.htb →

Related Articles