Directory Traversal using Symlink

SMB can be susceptible to directory traversal attacks if the "wide links" option in the configuration file is set to "yes".

This essentially allows the user to create symlinks to any other folder within the filesystem and be able to access the files and folders within it.

In order to be able to achieve this, the SMB binary has to be compiled with certain modification to one of the C files. Details to get it working can be found in the following link,

GitHub - roughiz/Symlink-Directory-Traversal-smb-manually: SAMBA Symlink Directory Traversal Manual ExploitationGitHub

Once you have the executable compiled and ready to go, you can connect to the target system and carry out the following steps to access any folder,

symlink / rootfs
ls #should display the newly added rootfs pointing to the root directory

You can cd into this symlink directory and access all the files that are under the root folder.

PreviousFind Server Version NextEnable Passwordless SMB Access

Last updated 3 years ago