VariaType — HackTheBox Medium Walkthrough

VariaType — HackTheBox Medium Walkthrough VariaType is a Linux medium that chains three real-world CVEs across font-processing tools to go from zero to root. What makes it compelling isn’t any single trick — it’s the discipline required to identify each vulnerability, understand why the sanitization fails, and stitch them together into a coherent attack path. Overview The box hosts a Flask-based variable font generator backed by fonttools, alongside a PHP validation portal with an exposed .git directory. The attack chain: dump git history for credentials → LFI to read source → exploit CVE-2025-66034 in fonttools varLib for a webshell → abuse CVE-2024-25082 in FontForge for lateral movement → leverage CVE-2025-47273 in setuptools for a cron-based root. Reconnaissance Port Scan Starting with the standard nmap service scan: Two ports: SSH and HTTP. The HTTP redirect tells us the box uses virtual-host routing, so we add variatype.htb to /etc/hosts and start enumerating from there. Web Enumeration The main site at variatype.htb is a Flask application built around variable font generation. The interesting endpoint is /tools/variable-font-generator, which accepts a .designspace XML file plus master font files (.ttf/.otf) and passes them to fonttools varLib via subprocess.run() on the server. Generated fonts land in the portal’s /files/ directory and are served via /download/. The Flask app alone doesn’t immediately offer much — it takes input and spits out fonts. Time to look for other attack surface. Running ffuf for virtual host enumeration turns up portal.variatype.htb: ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \ -u http://variatype.htb/ \ -H "Host: FUZZ.variatype.htb" \ -fc 301 Adding portal.variatype.htb to /etc/hosts and browsing to it reveals a PHP internal validation portal — a login page. Two things jump out immediately: the login form and a .git directory sitting in the web root. Git History Credential Leak A .git directory exposed over HTTP is almost always worth dumping. I used git-dumper to pull the entire repository: git-dumper http://portal.variatype.htb/.git ./portal-git cd portal-git git log --oneline The current HEAD has $USERS = [] — production credential store is empty. But commit 753b5f5 tells a different story. Checking that commit: git show 753b5f5 $USERS = [ 'gitbot' => 'G1tB0t_Acc3ss_2025!' ]; Classic case of “we removed the credentials from the codebase but forgot they live in git history forever.” Logging in as gitbot:G1tB0t_Acc3ss_2025! gets us into the dashboard, which lists all generated fonts — the shared /files/ directory linking the two applications. Foothold LFI via ....// Path Traversal Bypass The portal’s download.php has a ?f= parameter. Looking at the PHP source (we’ll read it shortly via LFI), the sanitization looks like: $file = str_replace("../", "", $_GET['f']); This is a single-pass replacement — a well-known bypass. The string ....// contains ../ starting at position 2, so stripping it once leaves ../. Stack four or five of these to break out of the web root: curl -s -b cookies.txt \ "http://portal.variatype.htb/download.php?f=....//....//....//....//....//etc/passwd" Using the same trick, we read the Flask application source at /opt/variatype/app.py. This confirms the exact subprocess.run() call: subprocess.run(['fonttools', 'varLib', 'config.designspace'], cwd=workdir) The cwd is a temp directory under /tmp/variatype_uploads// and the output font path is controlled by the attribute in the .designspace XML. That’s our next attack surface. Always validate assumptions by reading source when you can — this LFI just saved us significant guesswork about how varLib is invoked. The str_replace("../", "") bypass is a classic mistake; we covered a similar single-pass sanitization failure in Browsed. CVE-2025-66034 — fonttools varLib Arbitrary File Write fonttools varLib version 4.38.0 (shipped on Debian 12) uses the filename attribute of nodes directly as the output path when called via the CLI. There’s no os.path.basename() normalization — that fix came later. This means we can write the output font to an arbitrary path. The trick is turning a font file into a PHP webshell. PHP’s execution model is wonderfully permissive: it will execute tags regardless of surrounding binary content. We just need to embed our PHP payload somewhere in the font data that gets written to disk. The .designspace field accepts CDATA, and fonttools faithfully copies string data from designspace metadata into the output binary. Here’s the crafted .designspace file:

VariaType — HackTheBox Season 10 Walkthrough

VariaType — HackTheBox Medium Walkthrough

Overview

Full Writeup

VariaType — HackTheBox Medium Walkthrough#

Overview#

Full Writeup

VariaType — HackTheBox Medium Walkthrough

Overview