HTB Zero .htaccess ErrorDocument LFI → credential reuse → ro...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://0xdf.gitlab.io/2025/08/12/htb-zero.html
• Blog Title: HTB Zero: .htaccess ErrorDocument LFI → credential reuse → root via apache2ctl-from-pgrep cron abuse
• Suggested Section: Web Pentesting > Apache (.htaccess) LFI via ErrorDocument; Linux Privilege Escalation > Cron/Timers > pgrep argv spoofing (argv fakery)

🎯 Content Summary

Technical Summary: Ubuntu 20.04.6 Web/SFTP Tenant Assessment

Target and Surface

Platform: Ubuntu 20.04.6 (OpenSSH 8.2p1, Apache/2.4.41).

Open ports: TCP/22 and TCP/80 only; Linux TTL 63 observed on both ports.

Site stack: Apache + PHP.

Key pages: /, /index.php, /stats.php, /info.php, /signup.php, /g...

🔧 Technical Details

Apache .htaccess ErrorDocument file provider for LFI: If you can replace a directory’s .htaccess, set ErrorDocument 404 %{file:/absolute/target}. Any 404 under that path returns the target file in the response body, bounded by the webserver user’s read permissions. Example: ErrorDocument 404 %{file:/etc/passwd} then fetch /~user/anything.

Overcoming root-owned .htaccess in user dirs: Even when .htaccess is ro...

🤖 Agent Actions

I analyzed the blog and the HackTricks repository, and I’ve updated two relevant sections with the technical tricks from the post:

What I added

1. Web Pentesting > Apache: .htaccess LFI via ErrorDocument ap_expr file()

• Added a new section “LFI via .htaccess ErrorDocument file provider (ap_expr)” to the Apache page explaining how to abuse ErrorDocument with the ap_expr file() function in .htaccess to read arbitrary local files with the webserver’s privileges.
• Included:
  • Requirements (Apache 2.4, AllowOverride FileInfo, permissions).
  • Exact .htaccess payload using ErrorDocument 404 %{file:/absolute/path}.
  • Usage and limitations.
  • Practical note about replacing a root-owned .htaccess by renaming it if the tenant controls the parent directory.
• Updated References in that page...

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

• searchindex.js removed: This auto-generated file has been removed to prevent conflicts

The searchindex.js file is automatically generated and should not be included in manual commits.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2025/08/12/htb-zero.html

Content Categories: Based on the analysis, this content was categorized under "Web Pentesting > Apache (.htaccess) LFI via ErrorDocument; Linux Privilege Escalation > Cron/Timers > pgrep argv spoofing (argv fakery)".

Repository Maintenance:

• MD Files Formatting: 873 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

[carlospolop]

merge