Difficulty: Medium
OS: Linux
Target IP: 10.129.7.246
Attacker IP: 10.10.14.209

Overview

VariaType is a Medium-difficulty Linux machine centred around a font-processing web application. The attack chain involves discovering an exposed Git repository on a subdomain, recovering hardcoded credentials from a deleted commit, exploiting CVE-2025-66034 (fontTools varLib arbitrary file write via XML injection) to land a webshell, abusing CVE-2024-25082 (FontForge ZIP filename command injection) to escalate to a local user, and finally exploiting a URL-encoded path traversal in a privileged Python script to write our public key to /root/.ssh/authorized_keys.

Reconnaissance

Nmap Port Scan

nmap -sC -sV -oN nmap.txt 10.129.7.246
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
80/tcp open  http    nginx 1.22.1

Two open ports: SSH and HTTP. Nmap reported a redirect to http://variatype.htb/, indicating virtual host routing is in use.

Virtual Host Setup

echo "10.129.7.246 variatype.htb portal.variatype.htb" | sudo tee -a /etc/hosts

Browsing to http://variatype.htb/ revealed a professional font tooling company website with a Variable Font Generator under /tools/variable-font-generator. The second vhost, portal.variatype.htb, served an internal validation dashboard protected by a login form.

Initial Access

Exposed Git Repository

Checking the portal subdomain for a common misconfiguration:

curl -s http://portal.variatype.htb/.git/HEAD
# ref: refs/heads/master

The .git directory was publicly accessible. We dumped the full repository using git-dumper:

pip3 install git-dumper --break-system-packages
git-dumper http://portal.variatype.htb/.git ./repo
cd repo
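The same probe, turned around into a self-check for your own virtual hosts. This is an added example, not part of the original writeup; the function names and the sample invocation are constructed for it. A real `.git/HEAD` is either a symbolic ref (`ref: refs/heads/<branch>`) or, on a detached HEAD, a bare 40-character commit id, so the classifier keys on exactly those two shapes rather than on a 200 status, which a catch-all login redirect or soft-404 page would also return.

```shell
#!/bin/sh
# Added example (not from the original writeup): a self-check for exposed
# version-control directories on hosts you administer. Function names and
# the sample hostnames are constructed for this example.

# looks_like_git_head BODY
# Returns 0 when BODY is plausibly the content of a real .git/HEAD file:
# either a symbolic ref ("ref: refs/heads/<branch>") or, for a detached HEAD,
# a bare 40-character lowercase hex commit id. HTML error pages, login
# redirects and empty bodies fall through and return 1.
looks_like_git_head() {
    first_line=$(printf '%s\n' "$1" | head -n 1)
    case "$first_line" in
        'ref: refs/'*) return 0 ;;
    esac
    printf '%s\n' "$first_line" | grep -Eq '^[0-9a-f]{40}$'
}

# probe_git_exposure HOST...
# Fetches /.git/HEAD from each host and classifies the body. Needs network
# access, so it is not part of the offline checks; run it against your own
# vhosts, not other people's.
probe_git_exposure() {
    for host in "$@"; do
        body=$(curl -s --max-time 5 "http://$host/.git/HEAD" 2>/dev/null || true)
        if looks_like_git_head "$body"; then
            printf 'EXPOSED  %s\n' "$host"
        else
            printf 'ok       %s\n' "$host"
        fi
    done
}

# Sample invocation with the two vhosts from this box (commented out so the
# script stays runnable offline):
# probe_git_exposure variatype.htb portal.variatype.htb
```

On nginx (the scan above reported 1.22.1) a `location ~ /\.git { return 404; }` block in the server configuration makes the probe report `ok`, but that only hides the directory; the repository should not be deployed under the document root at all, and a hit means the history has to be treated as disclosed.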

Recovering Deleted Credentials from Git History

The current HEAD showed a commit with message "security: remove hardcoded credentials". The previous state of auth.php contained a plaintext credential, which we recovered from unreachable commit objects:

git log --oneline --all
# 753b5f5 fix: add gitbot user for automated validation pipeline
# 5030e79 feat: initial portal implementation
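Why a commit titled "remove hardcoded credentials" does not help: the value is still in the object store, reachable through `git log -S` if any ref points at the old commit, and through `git fsck --unreachable` even when no ref does. The script below is an added example, not the writeup's own code or the portal's repository; it builds a throwaway repository whose history mirrors the one described above (commit a credential, then commit its removal, plus one commit on a branch that was later deleted) and audits it the way a pre-publish secret scan would. It assumes `git` is installed; every path, name and secret value is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original writeup). Builds a demo repository and
# audits its working tree, reachable history and unreachable objects for a
# given string. Assumes git is installed; all names and secret values are
# constructed placeholders.

# make_demo_repo: create the demo repository in a temp dir and print its path.
make_demo_repo() {
    dir=$(mktemp -d)
    (
        cd "$dir"
        git init -q
        git config user.email demo@example.invalid
        git config user.name demo
        # Commit 1: plaintext credential (constructed placeholder value).
        printf '<?php\n$db_pass = "DEMO_NOT_A_REAL_PASSWORD";\n' > auth.php
        git add auth.php
        git commit -q -m "feat: initial portal implementation"
        # Commit 2: the "fix" that only changes the checked-out file.
        printf '<?php\n$db_pass = getenv("DB_PASS");\n' > auth.php
        git add auth.php
        git commit -q -m "security: remove hardcoded credentials"
        # A commit on a throwaway branch that is then deleted: its objects stay
        # in .git/objects, but no ref points at them any more.
        git checkout -q -b scratch
        printf 'api_token = DEMO_DANGLING_TOKEN\n' > notes.txt
        git add notes.txt
        git commit -q -m "wip: notes"
        git checkout -q -
        git branch -q -D scratch
    ) >/dev/null 2>&1
    printf '%s\n' "$dir"
}

# worktree_hit REPO PATTERN: 0 if the tracked, checked-out files still
# contain PATTERN (what a naive "did we remove it?" check looks at).
worktree_hit() {
    (cd "$1" && git grep -q -- "$2")
}

# history_hits REPO PATTERN: number of commits reachable from any ref whose
# diff adds or removes PATTERN (git's pickaxe, -S). The add and the remove
# each count, so a credential committed once and then removed yields 2.
history_hits() {
    (cd "$1" && git log --all -S"$2" --format=%H | wc -l | tr -d ' ')
}

# unreachable_hits REPO PATTERN: number of commit objects that no ref reaches
# (deleted branches, rewritten history) whose diff contains PATTERN.
# `git log --all` never sees these; `git fsck --unreachable` does.
unreachable_hits() {
    (
        cd "$1"
        git fsck --unreachable --no-reflogs 2>/dev/null \
            | awk '/^unreachable commit /{print $3}' \
            | while read -r commit; do
                  git show "$commit" 2>/dev/null | grep -q -- "$2" && printf '%s\n' "$commit"
              done \
            | wc -l | tr -d ' '
    )
}

# Stand-alone run: audit the demo repository and clean it up.
demo=$(make_demo_repo)
if worktree_hit "$demo" DEMO_NOT_A_REAL_PASSWORD; then wt=yes; else wt=no; fi
printf 'working tree still contains the credential: %s\n' "$wt"
printf 'reachable commits that add/remove it:      %s\n' "$(history_hits "$demo" DEMO_NOT_A_REAL_PASSWORD)"
printf 'unreachable commits containing the token:  %s\n' "$(unreachable_hits "$demo" DEMO_DANGLING_TOKEN)"
rm -rf "$demo"
```

The working-tree check comes back clean while the pickaxe still finds both commits and fsck still finds the deleted branch, which is the whole point: once a secret has been committed, the only remediation is to rotate it; rewriting history (and then garbage-collecting and force-pushing) is housekeeping, not revocation.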

This machine is still active in HTB, so the full walkthrough, exploitation path, and flags cannot be publicly released.