HackTheBox - VariaType

IppSec · Beginner ·🔧 Backend Engineering ·1mo ago

Key Takeaways

Exploits FontTools CVEs and enumerates a Flask-based website using nmap and error message analysis

Original Description

00:00 - Introduction 01:00 - Start of nmap 02:10 - Finding some CVE's in FontTools, but doing more recon on the site before we dive too deep 06:30 - Enumerating the website is flask based upon error message (cookie works too) 09:20 - Trying to create an error message which could leak information about the server like its local path 11:30 - Taking a look at portal.variatype.htb which shows it is PHP 13:50 - Gobuster found a .git, running git-dumper to get the source 15:30 - Finding a File Disclosure in the PHP App because the ../ removal was not recursive 20:30 - Updating the FontTools script to put a reverse shell in, then using it to upload a php reverse shell to the portal 22:00 - Reverse shell returned 22:30 - Looking at the sudoers file, we can't read it but the metadata is a treasure trove of information. Looking at timestamps, doing some filtering getting nothing 26:30 - Using docker to spin up a debian image quickly, looking at the size of the default sudoers file and then comparing it to the box to see it has likely been modified 28:00 - Using find to look for files owned by steve, finding a backup script. It uses FontForge which has a CVE. We can put a malicious archive file and get RCE 37:00 - Shell returned as Steve 39:00 - Looking at the validator python script, first thought with symlinks won't work because we don't own the plugin directory 41:30 - Finding a CVE within SetupTools, using it to write an SSH Key
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Related Reads

Chapters (16)

Introduction
1:00 Start of nmap
2:10 Finding some CVE's in FontTools, but doing more recon on the site before we di
6:30 Enumerating the website is flask based upon error message (cookie works too)
9:20 Trying to create an error message which could leak information about the serve
11:30 Taking a look at portal.variatype.htb which shows it is PHP
13:50 Gobuster found a .git, running git-dumper to get the source
15:30 Finding a File Disclosure in the PHP App because the ../ removal was not recur
20:30 Updating the FontTools script to put a reverse shell in, then using it to uplo
22:00 Reverse shell returned
22:30 Looking at the sudoers file, we can't read it but the metadata is a treasure t
26:30 Using docker to spin up a debian image quickly, looking at the size of the def
28:00 Using find to look for files owned by steve, finding a backup script. It uses
37:00 Shell returned as Steve
39:00 Looking at the validator python script, first thought with symlinks won't work
41:30 Finding a CVE within SetupTools, using it to write an SSH Key
Up next
Indian Express Editorial Analysis by Chandan Sharma - 1 JULY 2026 | UPSC Current Affairs 2026
StudyIQ IAS
Watch →