Garfield Writeup - HackTheBox
Discovery
Port Scan
PORT STATE SERVICE VERSION
53/tcp open domain (generic dns response: SERVFAIL)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: GARFIELD
|   NetBIOS_Domain_Name: GARFIELD
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: garfield.htb
|   DNS_Computer_Name: DC01.garfield.htb
|   Product_Version: 10.0.17763
|_  System_Time: 2026-04-05T03:04:09+00:00
| ssl-cert: Subject: commonName=DC01.garfield.htb
49673/tcp open msrpc Microsoft Windows RPC
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
This is a Windows Server 2019 Domain Controller (10.0.17763). SMB signing is required, so NTLM relay to SMB on this host is blocked. The RDP NTLM info exposes the machine name DC01 and the domain garfield.htb. Add both to /etc/hosts:
UDP Scan
PORT STATE SERVICE VERSION
53/udp open domain (generic dns response: SERVFAIL)
88/udp open kerberos-sec Microsoft Windows Kerberos
123/udp open ntp NTP v3
389/udp open ldap Microsoft Windows Active Directory LDAP
(Domain: garfield.htb, Site: Default-First-Site-Name)
Kerberos on 88 and LDAP on 389 confirm this is the primary DC. NTP on 123 — sync clocks before any Kerberos work to avoid skew errors:
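To show why the clock matters, this added example (not part of the original writeup) reads the System_Time that rdp-ntlm-info reported in the port scan and compares it with a local clock reading against the default five-minute Kerberos tolerance in Active Directory. The function names and the local timestamps are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Default "Maximum tolerance for computer clock synchronization" in Active Directory.
MAX_SKEW = timedelta(minutes=5)

# Constructed sample: the rdp-ntlm-info lines as reported in the port scan.
SCAN = """\
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: GARFIELD
|   NetBIOS_Domain_Name: GARFIELD
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: garfield.htb
|   DNS_Computer_Name: DC01.garfield.htb
|   Product_Version: 10.0.17763
|_  System_Time: 2026-04-05T03:04:09+00:00
"""

def parse_rdp_ntlm_info(text):
    """Return the key/value pairs of the rdp-ntlm-info script block."""
    info, inside = {}, False
    for line in text.splitlines():
        if re.match(r"^\|[_ ]?\s*rdp-ntlm-info:\s*$", line):
            inside = True
            continue
        if inside:
            m = re.match(r"^\|_?\s+(\w+):\s*(\S.*?)\s*$", line)
            if not m:
                break  # left the script block
            info[m.group(1)] = m.group(2)
            if line.startswith("|_"):
                break  # "|_" marks the last line of the block
    return info

def clock_skew(info, local_now):
    """Signed offset (DC minus local); local_now must be timezone-aware."""
    dc_time = datetime.fromisoformat(info["System_Time"])
    return dc_time - local_now.astimezone(timezone.utc)

def kerberos_clock_ok(skew, tolerance=MAX_SKEW):
    """False means requests would be rejected with KRB_AP_ERR_SKEW."""
    return abs(skew) <= tolerance

if __name__ == "__main__":
    info = parse_rdp_ntlm_info(SCAN)
    # Constructed local clock reading, 7 minutes behind the DC.
    local = datetime(2026, 4, 5, 2, 57, 9, tzinfo=timezone.utc)
    skew = clock_skew(info, local)
    print(info["DNS_Computer_Name"], "skew:", skew, "ok:", kerberos_clock_ok(skew))
```

The System_Time value is only as fresh as the scan, so compare it with the local time recorded when the scan ran, not with the current time.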
Port Overview
| Port | Protocol | Service |
|---|---|---|
| 53 | TCP/UDP | DNS |
| 88 | UDP | Kerberos |
| 123 | UDP | NTP |
| 135 | TCP | RPC |
| 139 | TCP | NetBIOS |
| 389 | UDP | LDAP |
| 445 | TCP | SMB (signing required) |
| 3389 | TCP | RDP |