April 9, 2026

Garfield HackTheBox Writeup - Season10

HackTheBox Garfield machine walkthrough

SUMMARY

This write-up covers the Garfield machine from HackTheBox Season 10, a Windows Active Directory scenario built around abusing a writable logon script in SYSVOL and chaining it into a full domain compromise through a Read-Only Domain Controller. The machine provides initial credentials that grant SMB access to the domain, where enumeration reveals write permissions over a printerDetect.bat logon script stored in SYSVOL.

Using the WriteScriptPath right, the scriptPath LDAP attribute of l.wilson is modified to point at the controlled batch file, so the user executes it at the next logon. The script is then weaponized to reset the password of l.wilson_adm through ADSI, granting a WinRM shell on the victim host. Enumeration from that foothold exposes an internal 192.168.100.0/24 network and a second host, RODC01, reachable through a Chisel tunnel.

From there, BloodHound reveals l.wilson_adm can self-add into the RODC Administrators group and holds WriteAccountRestrictions over RODC01$. A new machine account is created and abused in an RBCD attack to obtain NT AUTHORITY\SYSTEM on the RODC. Before dumping secrets, the msDS-RevealOnDemandGroup and msDS-NeverRevealGroup attributes are tampered with so that the Administrator credentials are cacheable on the RODC. Mimikatz then extracts the krbtgt_XXXX AES256 key, which is used with Rubeus to forge an RODC Golden Ticket for the Domain Administrator. The ticket is converted to ccache and replayed against DC01 through psexec.py, yielding NT AUTHORITY\SYSTEM on the Domain Controller and full domain compromise.
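The two weaknesses the chain above depends on, a logon script writable by a low-privileged principal and an RODC whose Password Replication Policy and delegation settings let high-value credentials become cacheable, are both things a domain owner can check from the blue side. The following PowerShell audit is an added example written for this write-up and is not the author's tooling or anything from the machine; it assumes the RSAT ActiveDirectory module on a domain-joined host with read access to AD and the NETLOGON share, and the list of trusted writers is an assumption to adapt per environment.

```powershell
# Added defensive audit (not part of the original write-up). Assumptions: RSAT ActiveDirectory
# module available, host is domain-joined, caller can read AD objects and the NETLOGON share.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$netlogon = "\\$($domain.DNSRoot)\NETLOGON"   # scriptPath values are relative to this share

# Principals expected to hold write rights on logon scripts (assumed baseline; adjust as needed).
$trustedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CREATOR OWNER',
    "$($domain.NetBIOSName)\Domain Admins",
    "$($domain.NetBIOSName)\Enterprise Admins"
)
# Any of these rights lets a principal change what runs at the victim's logon.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-WritableLogonScript {
    # Every user with a scriptPath set, i.e. every user the DC will run a script for at logon.
    foreach ($u in Get-ADUser -LDAPFilter '(scriptPath=*)' -Properties scriptPath) {
        $script = Join-Path $netlogon $u.scriptPath
        if (-not (Test-Path -LiteralPath $script)) {
            # Dangling reference: whoever can create that name controls the user's logon.
            [pscustomobject]@{ User = $u.SamAccountName; Script = $script; Finding = 'scriptPath target missing'; Principal = $null }
            continue
        }
        foreach ($ace in (Get-Acl -LiteralPath $script).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            if ($trustedWriters -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{ User = $u.SamAccountName; Script = $script; Finding = 'script writable by non-admin'; Principal = $ace.IdentityReference.Value }
        }
    }
}

function Get-RodcExposure {
    # Accounts in msDS-RevealOnDemandGroup may have their secrets cached on the RODC;
    # msDS-NeverRevealGroup takes precedence and should keep the built-in deny list.
    $highValue = @('Administrator', 'Domain Admins', 'Enterprise Admins', 'krbtgt', 'Domain Controllers')
    foreach ($rodc in Get-ADDomainController -Filter 'IsReadOnly -eq $true') {
        $obj = Get-ADObject -Identity $rodc.ComputerObjectDN -Properties 'msDS-RevealOnDemandGroup', 'msDS-NeverRevealGroup'
        foreach ($dn in @($obj.'msDS-RevealOnDemandGroup')) {
            $name = (Get-ADObject -Identity $dn).Name
            if ($highValue -contains $name) {
                [pscustomobject]@{ RODC = $rodc.Name; Finding = "$name is allowed in msDS-RevealOnDemandGroup" }
            }
        }
        $never = @($obj.'msDS-NeverRevealGroup')
        if (-not ($never | Where-Object { $_ -like 'CN=Denied RODC Password Replication Group,*' })) {
            [pscustomobject]@{ RODC = $rodc.Name; Finding = 'Denied RODC Password Replication Group removed from msDS-NeverRevealGroup' }
        }
        # Resource-based constrained delegation onto the RODC computer account (the RBCD step above).
        $comp = Get-ADComputer -Identity $rodc.ComputerObjectDN -Properties PrincipalsAllowedToDelegateToAccount
        foreach ($p in $comp.PrincipalsAllowedToDelegateToAccount) {
            [pscustomobject]@{ RODC = $rodc.Name; Finding = "RBCD: $($p.Name) may act on behalf of other identities to $($rodc.Name)`$" }
        }
    }
}

Get-WritableLogonScript | Format-Table -AutoSize
Get-RodcExposure        | Format-Table -AutoSize
```

An empty result from both functions is the expected state. For ongoing detection rather than a point-in-time audit, scriptPath and msDS-RevealOnDemandGroup changes are visible as Event ID 5136 (directory service object modified) on the writable DCs once "Audit Directory Service Changes" is enabled and a SACL covers user and computer objects, and a newly populated msDS-AllowedToActOnBehalfOfOtherIdentity on a domain controller object is rare enough to alert on outright.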

PROOF OF COMPLETION


PATH TO FOLLOW

  1. Reconnaissance & SMB Enumeration
  2. BloodHound Collection & ACL Analysis
  3. WriteScriptPath Abuse
  4. Weaponizing .bat script
  5. Initial Shell via WinRM
  6. Internal Network Discovery & Chisel Pivot to RODC01
  7. Self-Adding to RODC Administrators Group
  8. Abusing WriteAccountRestrictions - RBCD Attack on RODC01$
  9. Modifying RODC Password Replication Policy
  10. SYSTEM on RODC01
  11. Dumping the krbtgt_XXXX Key with Mimikatz
  12. Forging an RODC Golden Ticket with Rubeus
  13. Authenticating to DC01 as Administrator
  14. Root Flag

CONTENT WILL BE RELEASED ONCE THE MACHINE IS RETIRED