VariaType Walkthrough — Current Respawned Instance
VariaType Walkthrough — Current Respawned Instance is a sanitized machine note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator
Scenario
VariaType Walkthrough — Current Respawned Instance attack path
VariaType Walkthrough — Current Respawned Instance is a sanitized machine note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator
Objective
Machine walkthrough focused on Machines evidence, validation, and reusable operator lessons.
Walkthrough flow
Scope and service discovery
Attack surface mapping
Initial foothold
Privilege escalation
Proof captured
Source coverage
Moderate source coverage
Status: partial. This article is generated from 2 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
Moderate confidence: the page is useful for review, but it should be treated as partial because the available source material is thinner or less narrative-complete.
- VariaType-Combined/IP-1st_<TARGET>/walkthrough.md
- HTB/VariaType-Combined/IP-1st_<TARGET>/notes.md
Technical Walkthrough
VariaType Walkthrough — Current Respawned Instance
Overview
- Target: VariaType
- Target IP: <TARGET>
- Difficulty: Medium, possibly Medium/Hard
- OS: Linux
- Pwnbox IP: <TARGET>
- Local workspace: <local workspace><TARGET>-VariaType
- Remote workspace: /home/profex0r/<TARGET>-VariaType
- Started local: 2026-05-05 20:45:26 AEST
- Started UTC: 2026-05-05 10:45:26 UTC
Evidence Handling
Prior workspaces were archived as stale/non-current. This walkthrough will include only reproducible evidence from the current respawned instance. External hypotheses are used only to prioritize validation after live services are confirmed.
Reproducible Steps
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
- Target: VariaType
- Difficulty: Medium, possibly Medium/Hard
- OS: Linux
- Target IP: <TARGET>
- Pwnbox IP: <TARGET>
- Pwnbox SSH user: profex0r
- Local workspace: <local workspace><TARGET>-VariaType
- Remote workspace: /home/profex0r/<TARGET>-VariaType
- Prior stale local archive: <local workspace><TARGET>-VariaType-stale-20260505-204510
- Prior stale remote archive: /home/profex0r/<TARGET>-VariaType-stale-20260505-204510
- Started local: 2026-05-05 20:45:26 AEST
- Started UTC: 2026-05-05 10:45:26 UTC
Evidence Separation Rule
This file is for live evidence from the current respawned instance at <TARGET> only. Prior scan results from the archived workspace are historical/non-current and must not be used as live evidence. External research remains hypothesis-only until validated against this live target.
External Research Hypotheses — Preserve, Do Not Assume
- Possible hostnames/vhosts: variatype.htb, portal.variatype.htb.
- Possible services mentioned publicly: SSH on 22/tcp and HTTP on 80/tcp; HTTPS on 443/tcp is inconsistent.
- Possible early web path: exposed .git on a portal vhost, repository recovery, deleted commit/history review.
- Possible application theme: variable-font/font-generation workflow with paths around /tools/variable-font-generator, /files, and download.php.
- Possible exploit themes: fontTools arbitrary file write, FontForge command injection/archive processing, and setuptools path traversal/arbitrary file write.
- Validation rule: none of these count unless reproduced against the live target.
Evidence Ledger
| Timestamp | Command | Output file | Finding | Confidence | Next action |
|---|---|---|---|---|---|
| 2026-05-05 20:45:26 AEST | Workspace archival/init | local filesystem and Pwnbox filesystem | Stale local/remote workspaces archived and fresh workspaces created for current respawn. | High | Verify Pwnbox connectivity and route, then run live reachability checks. |
| 2026-05-05 20:50:39 AEST | ip -br addr; ip route; ping -c 4 -W 2 <TARGET> | enum/connectivity-check.txt | Pwnbox SSH works; tun0 is <TARGET>/23; route to <TARGET>/16 exists; ICMP returns Destination Host Unreachable from <TARGET>. | Medium | Run privileged SYN confirmation scans to distinguish ICMP filtering from actual service absence. |
| 2026-05-05 20:51 AEST | sudo nmap -Pn -n --reason --open -sS -sV -sC -p 22,80,443,8000,8080,8443 -oA nmap/likely-web-ssh <TARGET> | nmap/likely-web-ssh.*, nmap/likely-web-ssh.console.txt | No open likely SSH/web ports found. | Medium | Run measured full TCP SYN scan. |
| 2026-05-05 20:51 AEST | sudo nmap -Pn -n --reason --open -sS -p<redacted> --min-rate 1000 -oA nmap/allports-syn <TARGET> | nmap/allports-syn.*, nmap/allports-syn.console.txt | No open TCP ports reported across all 65535 ports. | Medium | Run targeted UDP because TCP surface is empty. |
| 2026-05-05 20:54 AEST | sudo nmap -Pn -n --reason --open -sU --min-rate 1000 -p 53,67,69,111,123,137,161,162,500,514,520,631,1434,1900,4500,5353 -oA nmap/udp-targeted <TARGET> | nmap/udp-targeted.*, nmap/udp-targeted.console.txt | All targeted UDP ports return `open | filtered` with no response; no UDP service is confirmed. | Low |
Synthesis
- Fresh evidence trail initialized and live recon has now been run against the current respawned instance.
- Pwnbox connectivity and HTB VPN routing are present, but the gateway
<TARGET>still reportsDestination Host Unreachablefor<TARGET>. - Privileged SYN scans of likely SSH/web ports and a measured full TCP scan both found no open TCP ports.
- Targeted UDP produced only
open|filteredno-response states, which does not establish a usable UDP service. - None of the public web hypotheses (
variatype.htb,portal.variatype.htb, exposed.git, font-related paths) can be validated yet because no live web service is reachable. - Current blocker is infrastructure/lifecycle reachability, not target-specific enumeration depth.