VariaType
VariaType is a sanitized machine note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator
Scenario
VariaType attack path
VariaType is a sanitized machine note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator
Objective
Machine walkthrough focused on Machines evidence, validation, and reusable operator lessons.
Walkthrough flow
Foothold
Privilege Escalation
Lessons Learned
Recon Summary
Source coverage
Moderate source coverage
Status: partial. This article is generated from 2 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
Moderate confidence: the page is useful for review, but it should be treated as partial because the available source material is thinner or less narrative-complete.
- VariaType-Combined/IP-2nd_<TARGET>/walkthrough.md
- HTB/VariaType-Combined/IP-2nd_<TARGET>/notes.md
Technical Walkthrough
VariaType Walkthrough
Scope
- Target: VariaType
- Target IP: <TARGET>
- Difficulty: Medium
- OS: Linux
Status
Initialized for fresh respawned target. No live exploitation performed yet.
Recon
Pending.
Foothold
Pending.
Privilege Escalation
Pending.
Lessons Learned
Pending.
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
- Target: VariaType
- Difficulty: Medium (possibly Medium/Hard per user impression)
- OS: Linux
- Target IP: <TARGET>
- Pwnbox IP: <TARGET>
- Pwnbox SSH user: profex0r
- Local workspace: <local workspace><TARGET>-VariaType
- Remote workspace: /home/profex0r/<TARGET>-VariaType
- Started: 2026-05-05
Operating Rule
- This workspace is for the respawned live target only. Do not mix stale scan results from <local workspace><TARGET>-VariaType/.
- Old public research is advisory only and must be validated against <TARGET> before being recorded as confirmed.
Evidence Ledger
| Timestamp | Command | Output file | Finding | Confidence | Next action |
|---|---|---|---|---|---|
| 2026-05-05 05:28 CDT | ip -br addr; ip route; ping -c 4 -W 2 <TARGET> | enum/connectivity-check.txt | Pwnbox SSH works; tun0 is <TARGET>/23; route to <TARGET>/16 exists; ICMP to target returns Destination Host Unreachable from <TARGET>. | Medium | Use -Pn TCP scans and confirm likely ports with SYN scan. |
| 2026-05-05 05:28 CDT | nmap -Pn --reason --open -sT -sV -sC -oA nmap/initial <TARGET> | nmap/initial.*, nmap/initial.console.txt | No open default TCP ports reported. | Medium | Run full TCP scan. |
| 2026-05-05 05:31 CDT | nmap -Pn -p<redacted> --min-rate 5000 --reason --open -oA nmap/allports <TARGET> | nmap/allports.*, nmap/allports.console.txt | No open TCP ports reported across all 65535 ports. | Medium | Run targeted UDP and root SYN confirmation scans. |
| 2026-05-05 05:32 CDT | sudo nmap -Pn -sU --min-rate 1000 -p 53,67,69,111,123,137,161,162,500,514,520,631,1434,1900,4500,5353 --reason --open -oA nmap/udp-targeted <TARGET> | nmap/udp-targeted.*, nmap/udp-targeted.console.txt | Targeted UDP ports all show `open | filtered/no-response`; no confirmed UDP service. | Low |
| 2026-05-05 05:33 CDT | sudo nmap -Pn --reason --open -sS -sV -sC -p 22,80,443,8000,8080,8443 -oA nmap/likely-web-ssh <TARGET> | nmap/likely-web-ssh.*, nmap/likely-web-ssh.console.txt | No open likely SSH/web ports found. | Medium | Validate target IP/spawn/VPN if expected services are absent. |
| 2026-05-05 05:33 CDT | sudo nmap -Pn --reason --open -sS --top-ports 1000 -oA nmap/top1000-syn <TARGET> | nmap/top1000-syn.*, nmap/top1000-syn.console.txt | No open top-1000 TCP ports found. | Medium | Treat as likely unreachable/not fully spawned until proven otherwise. |
Sanitized Public Research Hypotheses Only — Not Live Evidence
- Possible hostnames/vhosts to validate only if web evidence supports them:
variatype.htb,portal.variatype.htb. - Possible baseline services to validate: SSH on 22/tcp and HTTP on 80/tcp; HTTPS on 443/tcp is inconsistent in public sources.
- Possible early foothold theme: exposed
.giton a portal vhost, repository recovery, and deleted-commit/history review. - Possible application theme: variable-font/font-generation workflow with paths/features around
/tools/variable-font-generator,/files, anddownload.php. - Possible web-to-user chain: recovered credentials, portal access, path traversal/LFI-style file access, then fontTools abuse for arbitrary file write or code execution.
- Possible user-to-root chain: FontForge-related command injection or malicious archive processing, then privileged Python/setuptools path traversal or arbitrary file write.
- Possible CVE cluster to validate only if live stack matches:
<secret redacted>,<secret redacted>,<secret redacted>,<secret redacted>.
Recon Summary
- Pwnbox is reachable by SSH and has HTB VPN routing for
<TARGET>/16viatun0. - Live target
<TARGET>did not respond to ICMP; gateway<TARGET>returnedDestination Host Unreachable. - TCP connect scan (
-sT) found no open default ports. - Full TCP scan across all ports found no open TCP ports.
- Root SYN confirmation scans for likely SSH/web ports and top-1000 ports also found no open TCP ports.
- Targeted UDP gave only
open|filteredno-response states; no UDP service is confirmed. - Public hypotheses such as
variatype.htb,portal.variatype.htb, exposed.git, and font-related paths are not validated because no web service is currently reachable.
Synthesis
Current evidence suggests the target is not reachable/fully spawned from the Pwnbox despite a correct HTB route, or the provided IP may not currently host the expected VariaType services. Do not proceed to vhost or web-path testing until a live HTTP service is found.