
VariaType

VariaType is a sanitized machine note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator

Difficulty: Medium. Published 2026-05-23. Sanitized local writeup.

Scenario

VariaType attack path


Objective

Machine walkthrough focused on evidence, validation, and reusable operator lessons.

VariaType sanitized attack graph

Walkthrough flow

  1. Scope and service discovery
  2. Attack surface mapping
  3. Initial foothold
  4. Privilege escalation
  5. Proof captured

Source coverage

Moderate source coverage (67%)

Status: partial. This article is generated from 2 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

Evidence verdict

Moderate confidence: the page is useful for review, but it should be treated as partial because the available source material is thinner or less narrative-complete.

  • VariaType-Combined/IP-1st-stale-archive_<TARGET>_20260505-204510/walkthrough.md
  • HTB/VariaType-Combined/IP-1st-stale-archive_<TARGET>_20260505-204510/notes.md

Technical Walkthrough

VariaType Walkthrough

Overview

  • Target: <TARGET> (VariaType)
  • Difficulty: Medium
  • OS: Linux
  • Started: 2026-05-05 05:08:04 CDT

Reproducible Steps

Initial Recon — 2026-05-05 05:14:48 CDT

  • Pwnbox SSH verified and remote workspace created at .
  • Pwnbox VPN interface: observed as ; route to exists.
  • ICMP to returned unreachable from the HTB gateway.
  • Initial default TCP and full TCP scans with found no open TCP ports.
  • Targeted UDP scan returned only no-response states; no confirmed UDP service.

Current interpretation: either the target is not fully reachable/started, has a non-obvious filtering state, or requires a rescan after lifecycle/network stabilization. No web service is confirmed yet, so vhost testing is not justified by evidence.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Target: VariaType
  • Difficulty: Medium
  • OS: Linux
  • Target IP: <TARGET>
  • Pwnbox IP: <TARGET>
  • Pwnbox SSH user: profex0r
  • Remote workspace: /home/profex0r/<TARGET>-VariaType
  • Started: 2026-05-05 05:08:04 CDT

Evidence Ledger

Each entry records timestamp, command, output file, finding, confidence, and next action.

Entry 1: 2026-05-05 05:14:48 CDT
  • Command: ip -br addr; ip route; ping -c 4 -W 2 <TARGET>
  • Output file: enum/connectivity-check.txt
  • Finding: Pwnbox SSH works; tun0 present as <TARGET>/23; route to <TARGET>/16 exists; ICMP returned Destination Host Unreachable from <TARGET>.
  • Confidence: Medium
  • Next action: Use -Pn TCP scans to test whether ICMP is blocked or the target is reachable on TCP.

Entry 2: 2026-05-05 05:14:48 CDT
  • Command: nmap -Pn --reason --open -sS -sV -sC -oA nmap/initial <TARGET>
  • Output file: nmap/initial.console.txt
  • Finding: Failed because SYN scan requires root privileges.
  • Confidence: High
  • Next action: Rerun as TCP connect scan without sudo.

Entry 3: 2026-05-05 05:14:48 CDT
  • Command: nmap -Pn --reason --open -sT -sV -sC -oA nmap/initial <TARGET>
  • Output files: nmap/initial.*, nmap/initial.console.txt
  • Finding: Host treated as up with -Pn; no open default TCP ports reported.
  • Confidence: Medium
  • Next action: Run full TCP port scan.

Entry 4: 2026-05-05 05:14:48 CDT
  • Command: nmap -Pn -p<redacted> --min-rate 5000 --reason --open -oA nmap/allports <TARGET>
  • Output files: nmap/allports.*, nmap/allports.console.txt
  • Finding: Host treated as up with -Pn; no open TCP ports reported across all 65535 ports.
  • Confidence: Medium
  • Next action: Because TCP is thin, run targeted UDP.

Entry 5: 2026-05-05 05:14:48 CDT
  • Command: sudo nmap -Pn -sU --min-rate 1000 -p 53,67,69,111,123,137,161,162,500,514,520,631,1434,1900,4500,5353 --reason --open -oA nmap/udp-targeted <TARGET>
  • Output files: nmap/udp-targeted.*, nmap/udp-targeted.console.txt
  • Finding: All targeted UDP ports returned open/filtered/no-response; no confirmed UDP service yet.
  • Confidence: Low
  • Next action: Recheck target lifecycle/reachability and rerun TCP with sudo SYN or slower timing.
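As an added example (not part of the archive note or its sources), the small Python reader below applies the ledger's own decision rule to the grepable .gnmap file that -oA writes next to the console logs: open ports mean service enumeration, an all-filtered result means reachability should be rechecked before anything else, and an all-closed result means TCP is thin and targeted UDP is next. The gnmap text is constructed sample input, not output from the scans above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample nmap -oG output (what -oA nmap/allports writes to nmap/allports.gnmap).
# Port entries have the shape port/state/proto/owner/service/rpcinfo/version/.
SAMPLE_FILTERED = (
    "# Nmap scan initiated as: nmap -Pn -p- --open -oA nmap/allports 10.0.0.5\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: \tIgnored State: filtered (65535)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 0.50 seconds\n"
)
SAMPLE_OPEN = (
    "Host: 10.0.0.6 ()\tStatus: Up\n"
    "Host: 10.0.0.6 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/\tIgnored State: closed (65533)\n"
)

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//")
IGNORED_RE = re.compile(r"Ignored State: (\w+) \((\d+)\)")


@dataclass
class ScanSummary:
    open_ports: List[Tuple[int, str, str]] = field(default_factory=list)  # (port, proto, service)
    ignored_state: Optional[str] = None  # "filtered" or "closed" for the ports nmap collapsed
    ignored_count: int = 0


def parse_gnmap(text: str) -> ScanSummary:
    """Collect open ports and the ignored-state summary from grepable nmap output."""
    summary = ScanSummary()
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and bare Status lines carry no port data
        for port, state, proto, service in PORT_RE.findall(line):
            if state == "open":
                summary.open_ports.append((int(port), proto, service))
        m = IGNORED_RE.search(line)
        if m:
            summary.ignored_state, summary.ignored_count = m.group(1), int(m.group(2))
    return summary


def next_action(summary: ScanSummary) -> str:
    """Map a scan result to the ledger's follow-up step."""
    if summary.open_ports:
        return "enumerate services"
    if summary.ignored_state == "filtered":
        return "recheck reachability"  # all filtered: consistent with ICMP unreachable
    if summary.ignored_state == "closed":
        return "run targeted UDP"  # host answers, nothing listens on TCP
    return "inconclusive"
```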

External Research (Hypotheses Only — Not Yet Verified On Live Target)

Official Public Metadata

  • HTB machine page confirms: VariaType, Linux, Medium, free machine, released 2026-03-14, maker WackyH4cker, rating 3.8.
  • Official synopsis/hints were not publicly visible during research.

Recurring Public Claims Across Multiple Writeups

  • Likely hostnames/vhosts: variatype.htb, portal.variatype.htb.
  • Likely baseline services: SSH on 22/tcp and HTTP on 80/tcp. HTTPS on 443/tcp is mentioned in some sources but is not consistent enough to treat as likely.
  • Likely early foothold theme: exposed .git on a portal vhost, followed by repository recovery and deleted-commit/history review.
  • Likely application theme: variable-font or font-generation workflow with paths/features around /tools/variable-font-generator, /files, and download.php.
  • Likely web-to-user chain: credential recovery from Git history, portal access, path traversal/LFI-style file access, then fontTools abuse for arbitrary file write or code execution.
  • Likely user-to-root chain: FontForge-related command injection or malicious archive processing, then privileged Python/setuptools path traversal or arbitrary file write.

Likely CVE Cluster To Validate If Services Match

  • <secret redacted> — recurring claim for fontTools / varLib arbitrary file write via crafted designspace/font-processing input.
  • <secret redacted> / <secret redacted> — recurring but inconsistent FontForge command-injection/archive-processing claims. The FontForge stage appears likely; the exact CVE number needs live-path validation.
  • <secret redacted> — recurring claim for setuptools PackageIndex path traversal/arbitrary file write used in a sudo-assisted privesc path.

Contradictions / Low-Confidence Claims

  • Some sources mention 443/tcp; others show only 22/tcp and 80/tcp.
  • FontForge CVE numbering is inconsistent across public writeups.
  • A few claims seen in weaker sources look polluted by other HTB machines and should be ignored unless the live target proves them.

Research Use Rule

  • Treat all external findings above as hypotheses only.
  • Do not assume hostnames, paths, users, creds, or CVE applicability until the live target exposes matching evidence.
  • If the respawned target reveals web service, prioritize validating .git, vhosts, portal paths, and font-processing stack in that order.

Sources Used

  • Official HTB machine page: https://www.hackthebox.com/machines/variatype
  • Adrian Reatva: https://adrianreatva.com/blog/posts/hackthebox/season10/variatype
  • Logan Dawson: https://logandawson.com/writeups/season10/variatype/
  • HavocSec: https://havocsec.dev/pentesting/hackthebox/htb-variatype-complete-writeup
  • The CyberSec Guru: https://thecybersecguru.com/ctf-walkthroughs/mastering-variatype-beginners-guide-from-hackthebox/
  • KnightSec Global: https://knightsecglobal.com/writeups/variatype-htb
  • KeepAlive: https://blog.keepalive.sh/writeup/hackthebox/machine/variatype/
  • GitHub reference: https://github.com/stigsec/HTB-Season-10/tree/main/variatype