HackTheBox - VariaType
Key Takeaways
Exploits FontTools CVEs and enumerates a Flask-based website using nmap and error message analysis
Original Description
00:00 - Introduction
01:00 - Start of nmap
02:10 - Finding some CVE's in FontTools, but doing more recon on the site before we dive too deep
06:30 - Enumerating the website is flask based upon error message (cookie works too)
09:20 - Trying to create an error message which could leak information about the server like its local path
11:30 - Taking a look at portal.variatype.htb which shows it is PHP
13:50 - Gobuster found a .git, running git-dumper to get the source
15:30 - Finding a File Disclosure in the PHP App because the ../ removal was not recursive
20:30 - Updating the FontTools script to put a reverse shell in, then using it to upload a php reverse shell to the portal
22:00 - Reverse shell returned
22:30 - Looking at the sudoers file, we can't read it but the metadata is a treasure trove of information. Looking at timestamps, doing some filtering getting nothing
26:30 - Using docker to spin up a debian image quickly, looking at the size of the default sudoers file and then comparing it to the box to see it has likely been modified
28:00 - Using find to look for files owned by steve, finding a backup script. It uses FontForge which has a CVE. We can put a malicious archive file and get RCE
37:00 - Shell returned as Steve
39:00 - Looking at the validator python script, first thought with symlinks won't work because we don't own the plugin directory
41:30 - Finding a CVE within SetupTools, using it to write an SSH Key
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
More on: Backend Performance
View skill →Related Reads
Chapters (16)
Introduction
1:00
Start of nmap
2:10
Finding some CVE's in FontTools, but doing more recon on the site before we di
6:30
Enumerating the website is flask based upon error message (cookie works too)
9:20
Trying to create an error message which could leak information about the serve
11:30
Taking a look at portal.variatype.htb which shows it is PHP
13:50
Gobuster found a .git, running git-dumper to get the source
15:30
Finding a File Disclosure in the PHP App because the ../ removal was not recur
20:30
Updating the FontTools script to put a reverse shell in, then using it to uplo
22:00
Reverse shell returned
22:30
Looking at the sudoers file, we can't read it but the metadata is a treasure t
26:30
Using docker to spin up a debian image quickly, looking at the size of the def
28:00
Using find to look for files owned by steve, finding a backup script. It uses
37:00
Shell returned as Steve
39:00
Looking at the validator python script, first thought with symlinks won't work
41:30
Finding a CVE within SetupTools, using it to write an SSH Key
🎓
Tutor Explanation
DeepCamp AI