Machine / Machines

VariaType Walkthrough — <TARGET>

By Jennofrie Daguil · Cybersecurity and Red Team Operator

The target is fully compromised from the refreshed Pwnbox at <TARGET>. Raw flags are stored only under loot/. 1. Confirmed 22/tcp SSH and 80/tcp HTTP. The HTTP service redirects to variatype.htb. 2. Added variatype.htb and portal.variatype.htb to Pwnbox hosts...

HardPublished 2026-06-07Sanitized local writeup

Scenario

VariaType Walkthrough — <TARGET> attack path

The target is fully compromised from the refreshed Pwnbox at . Raw flags are stored only under loot/. 1. Confirmed 22/tcp SSH and 80/tcp HTTP. The HTTP service redirects to variatype.htb. 2. Added variatype.htb and portal.variatype.htb to Pwnbox hosts...

Objective

Machine walkthrough focused on Machines evidence, validation, and reusable operator lessons.

VariaType Walkthrough — <TARGET> sanitized attack graph

Walkthrough flow

01

Main generator and portal vhosts validated.

02

Portal /.git leaked a usable portal credential from...

03

fontTools wrote a PHP payload into the portal public...

04

Steve's FontForge processing pipeline was abused with...

05

Steve's sudo rule for...

Source coverage

High source coverage

Status: complete. This article is generated from 2 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

84% coverage
Evidence verdict

Good confidence: the page has enough source material to read as a complete walkthrough, but the supporting evidence set is smaller than the highest-confidence cases.

  • VariaType-Combined/IP-3rd-final_<TARGET>/walkthrough.md
  • HTB/VariaType-Combined/IP-3rd-final_<TARGET>/notes.md

Technical Walkthrough

VariaType Walkthrough — <TARGET>

Current State

The target is fully compromised from the refreshed Pwnbox at <TARGET>. Raw flags are stored only under loot/.

Chain

  1. Confirmed 22/tcp SSH and 80/tcp HTTP. The HTTP service redirects to variatype.htb.
  2. Added variatype.htb and portal.variatype.htb to Pwnbox hosts resolution.
  3. Confirmed the main generator at /tools/variable-font-generator accepts .designspace plus master font uploads.
  4. Confirmed portal.variatype.htb/.git/HEAD is exposed, dumped the repository, and recovered the removed portal credential from Git history.
  5. Logged into the portal and confirmed generated files are archived under the portal file area.
  6. Used <secret redacted> in fontTools.varLib to write a PHP-bearing generated font to /var/www/portal.variatype.htb/public/files/shell-portal-domain-public.php.
  7. Verified web command execution as www-data with cmd=id.
  8. Read /opt/process_client_submissions.bak, which revealed a Steve-owned FontForge processing pipeline watching /var/www/portal.variatype.htb/public/files.
  9. Created steve_payload.tar with an internal filename command injection for <secret redacted>. The payload installed our SSH public key for steve.
  10. SSH as steve succeeded. User flag was captured to loot/user.txt.
  11. sudo -l as Steve allowed NOPASSWD: /usr/bin/python3 /opt/font-tools/install_validator.py *.
  12. Confirmed vulnerable setuptools filename derivation for %2froot%2f.ssh%2fauthorized_keys.
  13. Served the root public key from Pwnbox and ran the allowed sudo command to write /root/.ssh/authorized_keys.
  14. SSH as root succeeded. Root flag was captured to loot/root.txt.

Key Artifacts

  • loot/portal-git-dump/
  • exploits/webshell-template.designspace
  • enum/shell-portal-domain-public.exec.full.txt
  • enum/webshell-processbak.txt
  • enum/webshell-stage-steve-tar.txt
  • loot/steve_id_ed25519
  • enum/steve-post-ssh-enum.txt
  • enum/root-setuptools-write.txt
  • loot/root_id_ed25519
  • loot/user.txt
  • loot/root.txt

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Target: VariaType
  • Difficulty: Medium, possibly Medium/Hard
  • OS: Linux
  • Target IP: <TARGET>
  • Pwnbox public IP: <TARGET>
  • Pwnbox SSH user: profex0r
  • Attacker or VPN IP: <TARGET>/23 on tun0
  • Local workspace: <local workspace><TARGET>-VariaType
  • Remote workspace: /home/profex0r/<TARGET>-VariaType
  • Historical non-current workspaces: <local workspace><TARGET>-VariaType and <local workspace><TARGET>-VariaType
  • Started local: 2026-05-05 21:19:24 AEST
  • Started UTC: 2026-05-05 11:19:24 UTC

Authorization And Context Verification

  • Local authorization context was reviewed from scoped Markdown files under <local workspace>
  • High-level verification only: written red team authorization exists, the tester role is red team operator or penetration tester, the profile includes github.com/jennofrie, and offensive testing requires written client authorization before commencement.
  • Local LightRAG verification completed: the local technical LightRAG instance is healthy and has processed the four scoped Markdown credential files.
  • Constraint: treat LightRAG as index verification only for this HTB task, because retrieval can mix in other local red-team documents; direct scoped Markdown remains the source of truth.

Evidence Separation Rule

This workspace is for live evidence from <TARGET> only. Prior results from <TARGET> and <TARGET> are historical only and must not be used as current evidence. Public writeups and prior hypotheses remain advisory until validated against this live target.

Carry-Forward Hypotheses — Do Not Assume

  • Possible hostnames or vhosts: variatype.htb, portal.variatype.htb.
  • Possible services mentioned publicly: SSH on 22/tcp, HTTP on 80/tcp, HTTPS on 443/tcp inconsistently.
  • Possible early web theme: exposed .git, repository recovery, deleted history review.
  • Possible application theme: variable-font or font-generation workflow around /tools/variable-font-generator, /files, and download.php.
  • Possible exploit themes: fontTools arbitrary file write, FontForge command injection or archive processing, setuptools path traversal or arbitrary file write.
  • Validation rule: none of the above counts unless reproduced against <TARGET>.

Evidence Ledger

TimestampCommandOutput fileFindingConfidenceNext action
2026-05-05 21:19:24 AESTWorkspace initializationlocal filesystem and Pwnbox filesystemFresh local and remote workspaces created for target <TARGET>.HighVerify Pwnbox route and confirm reachability against the new IP.
2026-05-05 21:19:24 AESTAuthorization and LightRAG verificationlocal Markdown files and local LightRAG instanceScoped authorization Markdown reviewed and local LightRAG index presence confirmed without surfacing private identifiers.HighProceed with live target reachability checks only.
2026-05-05 21:20 AESTip -br addr; ip route; ping -c 4 -W 2 <TARGET>enum/connectivity-check.txtPwnbox SSH works; tun0 is <TARGET>/23; route to <TARGET>/16 exists; ICMP returns Destination Host Unreachable from <TARGET>.MediumRun minimal privileged SYN confirmation on SSH and web ports.
2026-05-05 21:20 AESTsudo nmap -Pn -n --reason --open -sS -p 22,80,443 -oA nmap/quick-ssh-web <TARGET>nmap/quick-ssh-web.*, nmap/quick-ssh-web.console.txtNo open SSH or web ports found in the first-pass SYN check.MediumTreat as likely reachability or lifecycle blocker until the host answers on a live service.
2026-05-05 21:39 AESTip -br addr; ip route; ping -c 4 -W 2 <TARGET> from refreshed Pwnbox <TARGET>enum/connectivity-check-pwnbox-<TARGET>.txtFresh Pwnbox has tun0 as <TARGET>/23; ICMP to target succeeds with 0 percent loss and about 1.18 ms average RTT.HighRe-run minimal SYN confirmation from the fresh Pwnbox.
2026-05-05 21:39 AESTsudo nmap -Pn -n --reason --open -sS -p 22,80,443 -oA nmap/quick-ssh-web-pwnbox-<TARGET> <TARGET>nmap/quick-ssh-web-pwnbox-<TARGET>.*, nmap/quick-ssh-web-pwnbox-<TARGET>.console.txtTarget is live from the fresh Pwnbox; 22/tcp and 80/tcp are open and 443/tcp is closed.HighResume normal VariaType enumeration from the fresh Pwnbox only.
2026-05-05 22:00-22:12 AESTHTTP/vhost enumeration and portal Git dumpenum/http-, loot/portal-git-dump/, enum/portal-gitbot-login.Confirmed variatype.htb main generator, portal.variatype.htb internal portal, exposed portal /.git, recovered portal credential from git history, and validated portal login. SSH credential reuse failed.HighUse portal file visibility plus generator behavior to validate fontTools write path.
2026-05-05 22:25 AESTfontTools <secret redacted> payload uploadenum/shell-portal-domain-public.*, exploits/webshell-template.designspaceWrote a PHP-bearing generated font to /var/www/portal.variatype.htb/public/files/; cmd=id executed through http://portal.variatype.htb/files/shell-portal-domain-public.php as www-data.HighEnumerate /opt and the Steve-owned font pipeline.
2026-05-05 22:27-22:28 AESTWebshell enumeration and FontForge archive payloadenum/webshell-processbak.txt, enum/webshell-stage-steve-tar.txt, enum/ssh-steve-check.txt/opt/process_client_submissions.bak processes /var/www/portal.variatype.htb/public/files with FontForge as Steve. A crafted TAR archive triggered <secret redacted> and installed an SSH key for steve.HighSSH as Steve, capture user flag, inspect sudo rights.
2026-05-05 22:28-22:30 AESTSteve SSH and setuptools root writeenum/steve-post-ssh-enum.txt, loot/user.txt, enum/root-setuptools-write.txt, loot/root-session.txt, loot/root.txtSSH as steve succeeded, user flag was captured and verified as 32 hex. sudo -l allowed install_validator.py; <secret redacted> wrote a root SSH authorized key and root SSH succeeded. Root flag was captured and verified as 32 hex.HighFinalize walkthrough and keep raw flags under loot/ only.

Synthesis

  • The original Pwnbox path used earlier in this workspace was stale or attached to the wrong lane for this VIP+ machine. From that box, the gateway <TARGET> returned Destination Host Unreachable.
  • A fresh Pwnbox at <TARGET> on the correct lane reaches the target normally; ICMP succeeds and a minimal SYN scan shows 22/tcp and 80/tcp open while 443/tcp is closed.
  • This confirms the earlier blocker was on the attacker-side Pwnbox attachment or routing, not on the target IP itself and not caused by aggressive scanning.
  • The live compromise chain is complete:

1. Main generator and portal vhosts validated.

2. Portal /.git leaked a usable portal credential from history.

3. fontTools <secret redacted> wrote a PHP payload into the portal public files path for www-data command execution.

4. Steve's FontForge processing pipeline was abused with <secret redacted> to install an SSH key for steve.

5. Steve's sudo rule for /opt/font-tools/install_validator.py was abused with setuptools <secret redacted> to write /root/.ssh/authorized_keys.

6. Both user and root flags were captured from the live target and stored under loot/.

Related insights

MachinesArchetype Walkthrough - HTB Starting PointMachinesBaseMachinesBase