VariaType
HackTheBox VariaType machine writeup — reconnaissance and enumeration walkthrough.
Overview
VariaType is a Medium-difficulty Linux machine centred around a font-processing web application. The attack chain involves discovering an exposed Git repository on a subdomain, recovering hardcoded credentials from a deleted commit, exploiting CVE-2025-66034 (fontTools varLib arbitrary file write via XML injection) to land a webshell, abusing CVE-2024-25082 (FontForge ZIP filename command injection) to escalate to a local user, and finally exploiting a URL-encoded path traversal in a privileged Python script to write our public key to /root/.ssh/authorized_keys.
Reconnaissance
Nmap Port Scan
```shell
nmap -sC -sV -oN nmap.txt 10.129.7.246
```

```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
80/tcp open  http    nginx 1.22.1
```
Two open ports: SSH and HTTP. Nmap reported a redirect to http://variatype.htb/, indicating virtual host routing is in use.
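A small added example, not part of the original writeup, for turning the scan output above into structured data: it parses the `-oN` port table into records and pulls the redirect hostname out of the NSE script output so the matching hosts-file entry can be generated rather than typed by hand. The port lines are the ones shown above; the `|_http-title` line is constructed here in the form nmap's http-title script uses when a page redirects, since the page does not reproduce the script output itself.

```python
import re

# Constructed sample: the two port lines from the scan above plus an assumed
# http-title script line of the kind nmap prints when it sees a redirect
# (the writeup only states that nmap reported the redirect).
SAMPLE_NMAP_OUTPUT = """\
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
80/tcp open  http    nginx 1.22.1
|_http-title: Did not follow redirect to http://variatype.htb/
"""

# One port line: "<port>/<proto> <state> <service> [<version ...>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)
# Any NSE line mentioning a redirect target; we only keep scheme://host.
REDIRECT_LINE = re.compile(r"redirect to (?P<url>https?://[^\s/]+)", re.IGNORECASE)


def parse_ports(text):
    """Return one dict per port line in nmap -oN style output (header skipped)."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        ports.append({
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "state": m.group("state"),
            "service": m.group("service"),
            "version": (m.group("version") or "").strip(),
        })
    return ports


def find_redirect_hosts(text):
    """Collect hostnames that NSE script output says the target redirected to."""
    hosts = []
    for line in text.splitlines():
        m = REDIRECT_LINE.search(line)
        if m:
            host = m.group("url").split("://", 1)[1]
            if host not in hosts:
                hosts.append(host)
    return hosts


def hosts_entry(ip, hostnames):
    """Build the /etc/hosts line needed to reach a name-based virtual host."""
    return f"{ip} {' '.join(hostnames)}"


if __name__ == "__main__":
    for p in parse_ports(SAMPLE_NMAP_OUTPUT):
        print(p)
    print(hosts_entry("10.129.7.246", find_redirect_hosts(SAMPLE_NMAP_OUTPUT)))
```

Run against a real `nmap.txt` by reading the file into `parse_ports` and `find_redirect_hosts`; the hosts line it prints is what makes the virtual host resolvable for the rest of the enumeration.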
Premium Content
The full exploitation walkthrough, privilege escalation, and flags are available exclusively for members.