Difficulty: Medium
Operating System: Linux
Executive Summary
VariaType is a Linux machine that rewards methodology over brute force. The attack chain combines virtual host discovery, source code analysis, vulnerability research, and multiple privilege escalation techniques to achieve full system compromise.
Rather than focusing on a list of commands, this writeup explains the reasoning process behind each step and how each discovery leads naturally to the next stage of the attack.
Attack Path
portal.variatype.htb
→ Exposed Git Repository
→ Credential Recovery
→ Local File Inclusion
→ Source Disclosure
→ CVE-2025-66034 (RCE)
→ CVE-2024-25082 (User Compromise)
→ Sudo Path Traversal
→ Root
Reconnaissance
Service Enumeration
Initial service enumeration revealed a very small attack surface:
- SSH (22)
- HTTP (80)
With only a web application exposed, the assessment naturally shifted toward web enumeration.
Virtual Host Discovery
The most important discovery during reconnaissance was the presence of an additional virtual host:
portal.variatype.htb
A smaller wordlist failed to identify this host initially. Rather than assuming there were no additional virtual hosts, the application context was used to guide further enumeration.
The machine theme revolves around typography and font processing. Applications of this type commonly expose virtual hosts with names such as:
- portal
- upload
- dashboard
- tools
- app
Using a larger VHOST wordlist eventually revealed the hidden portal.
Key Observation
When a wordlist fails, reconsider the context before increasing brute-force attempts. Wordlist selection is often more important than enumeration volume.
Initial Access
Exposed Git Repository
Directory enumeration of the portal immediately revealed an exposed Git repository.
.git/HEAD
An exposed repository often provides significantly more value than the application itself because it exposes development history rather than only the current version.
Credential Recovery
After reconstructing the repository, commit history analysis revealed sensitive information that had been removed from the active codebase.
Reviewing:
- Commit history
- Unreachable objects
- Deleted files
resulted in the recovery of valid credentials.
These credentials provided authenticated access to the application.
Why This Matters
Many developers remove secrets from source code and assume the problem is solved.
Git preserves history.
If secrets existed at any point, they may still be recoverable.
Source Disclosure
Local File Inclusion
Once authenticated, application functionality became the primary focus.
A download feature exposed a user-controlled file parameter.
This immediately suggested a possible file inclusion vulnerability.
Testing confirmed arbitrary file reads, allowing access to files outside the intended directory structure.
Application Analysis
The LFI vulnerability became the most important pivot point in the machine.
Rather than reading system files exclusively, the focus shifted toward:
- Application source code
- Configuration files
- Internal logic
- Third-party dependencies
Reviewing the application’s source code revealed how uploaded files were processed and exposed the technologies used by the backend.
Remote Code Execution
Identifying fontTools
Source code analysis showed that the application processed:
- Variable fonts
- TTF files
- OTF files
- Designspace files
This strongly suggested usage of the Python fontTools ecosystem.
At this point vulnerability research became the logical next step.
Vulnerability Research
Applications that process complex formats frequently rely on specialized third-party libraries.
These libraries often receive less scrutiny than traditional web frameworks and can contain critical vulnerabilities.
Research into fontTools revealed:
CVE-2025-66034
Exploitation
The vulnerability allowed attacker-controlled output paths during designspace processing.
By combining filename manipulation with crafted designspace content, arbitrary files could be written to web-accessible locations.
This provided remote code execution and a web shell running as:
www-data
Methodological Lesson
Whenever an application processes:
- Fonts
- Images
- Archives
- Media files
always investigate the underlying libraries and search for recent vulnerabilities.
Privilege Escalation
Enumerating the Host
With code execution established, standard Linux enumeration began.
Particular attention was paid to:
- Scheduled tasks
- Cron jobs
- Writable directories
- Automated processing pipelines
A scheduled task processing user-supplied ZIP archives was identified.
CVE-2024-25082
Further analysis revealed the task used FontForge.
Research identified:
CVE-2024-25082
The vulnerability stems from unsafe filename handling during archive processing.
User Compromise
The attack does not target the contents of files.
Instead, the payload is embedded directly within a filename contained inside the archive.
When FontForge processes the archive:
- The filename is expanded.
- Shell interpretation occurs.
- Arbitrary commands execute.
This behavior allowed insertion of an SSH public key into Steve’s account and resulted in a stable shell as the user.
Key Lesson
When investigating archive-processing systems, filenames and metadata can be more important than file contents.
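The archive-processing pipeline above is a defender's concern as much as an attacker's: the member names inside a ZIP are untrusted input. As an added example (not code from the machine or from FontForge), the following check flags member names that carry traversal components or shell metacharacters before any tool sees them, and shows the mitigation of renaming members on extraction so the original name never reaches a command line. The sample archive is constructed in memory.

```python
import io
import re
import posixpath
import zipfile

# Characters that stop a file name being a single literal argument once it
# is interpolated into a shell command string.
SHELL_META = re.compile(r"[`$;&|<>()\[\]{}*?!'\"\\\s]")


def unsafe_members(zip_bytes):
    """Return (name, reason) for every archive entry a processing pipeline
    must not touch: traversal or absolute paths, or shell metacharacters."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("/") or ".." in name.split("/"):
                findings.append((name, "path traversal"))
            elif SHELL_META.search(name):
                findings.append((name, "shell metacharacter"))
    return findings


def quarantine_name(index, name):
    """Mitigation: the original member name never reaches the tool. Keep only
    an allowlisted extension and use a server-generated stem."""
    ext = posixpath.splitext(posixpath.basename(name))[1].lower()
    if not re.fullmatch(r"\.[a-z0-9]{1,8}", ext):
        ext = ".bin"
    return f"member_{index:04d}{ext}"


def build_archive(names):
    """Constructed sample: an in-memory ZIP with one empty member per name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_archive(["Regular.sfd", "glyphs/Bold.ttf", "Bold$(x).ttf", "../escape.ttf"])
    for name, reason in unsafe_members(sample):
        print(f"reject {name!r}: {reason}")
```

Even with the check in place, the tool should be invoked with an argument list (no shell) on the quarantined path, so a name is only ever data.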
Root Compromise
Sudo Enumeration
After obtaining access as Steve, the first step was reviewing sudo permissions.
A Python script could be executed as root without requiring a password.
Source Review
Rather than immediately attempting exploitation, the script was reviewed to understand its behavior.
The script:
- Accepted a URL.
- Downloaded remote content.
- Saved the resulting file locally.
This combination frequently introduces path validation issues.
Path Traversal
The script trusted path information derived from the provided URL.
By leveraging URL-encoded traversal sequences, it became possible to escape the intended destination directory and write files to arbitrary locations on the filesystem.
Obtaining Root
The final payload targeted:
/root/.ssh/authorized_keys
Because the attacker controlled both:
- The HTTP server
- The downloaded content
it was possible to write an SSH public key directly into the root account.
SSH authentication then provided full administrative access.
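The download parameter, the designspace output filenames and the sudo script's URL-derived save path all fail the same way: a user-supplied name is resolved without being confined to the intended directory. As an added example (not code from the machine, from fontTools or from the sudo script), one containment helper is applied to all three cases; the directory names, and the designspace attribute it inspects (`filename` on source and instance elements), are assumptions for illustration.

```python
import os
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, unquote


def resolve_under(base_dir, untrusted):
    """Absolute path of `untrusted` inside `base_dir`, or None if it escapes.

    realpath() collapses '..' and follows symlinks, so the check is made on
    the path the OS would actually open. os.path.join() discards base_dir
    when `untrusted` is absolute, and the same check catches that too.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, untrusted))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def download_path(downloads_dir, file_param):
    """Download feature: the user-controlled file parameter stays inside
    downloads_dir; None means the request is refused."""
    return resolve_under(downloads_dir, file_param)


def destination_from_url(save_dir, url):
    """Sudo-script pattern: derive the local file name from a URL.

    The path is percent-decoded first, so '%2e%2e%2f' becomes '../' before
    any check runs, and only the last component is kept; a traversal that a
    string check on the raw URL would miss is neutralised here.
    """
    name = posixpath.basename(unquote(urlsplit(url).path))
    if name in ("", ".", ".."):
        return None
    return resolve_under(save_dir, name)


def designspace_filenames_ok(job_dir, designspace_xml):
    """Reject a designspace document whose <source>/<instance> filename
    attributes would make the processor read or write outside job_dir."""
    root = ET.fromstring(designspace_xml)
    for elem in root.iter():
        filename = elem.get("filename") if elem.tag in ("source", "instance") else None
        if filename and resolve_under(job_dir, filename) is None:
            return False
    return True
```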
Lessons Learned
Virtual Host Discovery
Enumeration quality depends heavily on selecting appropriate wordlists.
Application context often provides better guidance than blind brute forcing.
Exposed Git Repositories
Git history frequently contains:
- Credentials
- Secrets
- Configuration files
- Development artifacts
Always inspect historical commits.
Local File Inclusion
LFI vulnerabilities should never be underestimated.
Even without immediate code execution, source disclosure frequently leads to complete compromise.
Third-Party Libraries
Complex file processing frameworks deserve additional scrutiny.
Vulnerabilities in auxiliary libraries often provide unexpected attack paths.
Cron Jobs
User-controlled files processed automatically by privileged services remain one of the most reliable privilege escalation vectors on Linux systems.
Sudo Misconfigurations
Always review sudo permissions immediately after obtaining a user shell.
Many Linux privilege escalation paths begin with a single overlooked sudo entry.
Conclusion
VariaType demonstrates how seemingly unrelated weaknesses can be combined into a complete attack chain.
No single vulnerability directly leads to root access.
Instead, success depends on:
- Effective reconnaissance
- Careful source code review
- Vulnerability research
- Linux enumeration
- Chaining multiple findings together
The machine is an excellent example of why understanding methodology is often more valuable than memorizing exploitation techniques.