Abducted HackTheBox Writeup
SUMMARY
Abducted is a Linux machine with SSH and Samba exposed. SMB enumeration reveals anonymous write access to the HP-Reception share. That write access is the prerequisite for exploiting CVE-2026-4480, a Samba RCE vulnerability with a public PoC, which lands an initial shell as nobody.
From there, the /opt/offsite-backup/ directory contains an rclone.conf with an encrypted credential. Running rclone reveal decrypts it to cleartext. A check of local system users shows that both scott and marcus exist; the credential works for scott over SSH.
As scott, the Samba configuration reveals a dangerous trio: wide links = yes, allow insecure wide links = yes, and unix extensions = no, combined with force user = marcus on a share scott can write to. Planting a symlink pointing to /home/marcus inside the share, then using smbclient to write an SSH public key into .ssh/authorized_keys, works because every file operation on that share runs as marcus. That gives a shell as marcus, who belongs to the operators group, which has write access to the smbd.service.d drop-in directory. A malicious drop-in config and a systemctl restart smbd deliver a root shell.
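A defender-side check for the share conditions described above, added here as an example and not part of the writeup: it parses an smb.conf (a constructed sample; the scans share name is hypothetical) and flags writable shares that are guest-writable, let symlinks escape through wide links, or run operations under a force user.

```python
YES = ("yes", "true", "1")  # boolean spellings Samba accepts
# Constructed sample smb.conf with the settings the writeup describes; "scans" is a hypothetical share name.
SAMPLE_SMB_CONF = """
[global]
   unix extensions = no
   wide links = yes
   allow insecure wide links = yes
[HP-Reception]
   guest ok = yes
   writable = yes
[scans]
   writable = yes
   force user = marcus
"""

def parse_smb_conf(text: str) -> dict:  # {section: {normalised parameter: value}}
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif "=" in line and current is not None and line[0] not in "#;":
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def _is_writable(p: dict) -> bool:  # writable/writeable invert "read only"; shares default to read-only
    if "read only" in p:
        return p["read only"].lower() not in YES
    return any(p.get(k, "no").lower() in YES for k in ("writable", "writeable"))

def audit_smb_conf(text: str) -> list:  # one 'share: issue' string per risky setting
    conf = parse_smb_conf(text)
    glob = conf.pop("global", {})
    # Samba disables wide links while unix extensions are on, unless allow insecure wide links = yes
    links_escape = (glob.get("allow insecure wide links", "no").lower() in YES
                    or glob.get("unix extensions", "yes").lower() not in YES)
    findings = []
    for name, share in conf.items():
        eff = {**glob, **share}  # share parameters override [global] defaults
        if not _is_writable(eff):
            continue  # nothing can be planted on a read-only share
        if eff.get("guest ok", eff.get("public", "no")).lower() in YES:
            findings.append(f"{name}: anonymous (guest) write access")
        if eff.get("wide links", "no").lower() in YES and links_escape:
            findings.append(f"{name}: symlinks are followed outside the share path")
        if "force user" in eff:
            findings.append(f"{name}: every file operation runs as '{eff['force user']}'")
    return findings
```

Run it against a real /etc/samba/smb.conf by passing the file contents to audit_smb_conf; an empty list means none of the three conditions is present on a writable share.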
PATH TO FOLLOW
- Reconnaissance
- SMB Enumeration (anonymous write access)
- CVE-2026-4480 Exploitation - Samba RCE
- Shell as nobody
- rclone.conf Discovery in /opt/offsite-backup
- Credential Decryption with rclone reveal
- Shell as scott (SSH)
- Samba Misconfiguration Analysis
- Symlink Attack via Wide Links
- SSH Key Injection as marcus (force user abuse)
- Shell as marcus
- operators Group - smbd.service.d Write Access
- Root Shell via systemctl restart smbd
CONTENT WILL BE RELEASED ONCE THE MACHINE IS RETIRED