Hack The Box - Season 10 - HTB VariaType Writeup - Medium - Weekly - March 15th, 2026
Difficulty: Medium | OS: Linux | Release: 2026
Box Summary
VariaType is a Linux medium box set around a font technology startup. Two web applications serve different roles within the company -- one public-facing and one restricted to internal staff. Gaining access requires understanding how font tooling works under the hood and chaining together several web and application-level vulnerabilities. Privilege escalation involves abusing trust in a developer utility that doesn't fully validate its inputs.
Reconnaissance
Port Scanning
A targeted service scan reveals only two open ports:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian (protocol 2.0)
80/tcp open http nginx/1.22.1
Virtual Host Discovery
The main site at variatype.htb is a corporate page for a font technology company. Subdomain enumeration (or simply inspecting page content referencing portal.variatype.htb) reveals an internal validation portal on a second virtual host.
echo "TARGET_IP variatype.htb portal.variatype.htb" >> /etc/hosts
Web Application Fingerprinting
| Domain | Stack | Purpose |
|---|---|---|
| variatype.htb | Python / Flask (behind nginx reverse proxy) | Public variable font generator |
| portal.variatype.htb | PHP 8.2 / PHP-FPM (nginx) | Internal font validation dashboard |
The main site offers a tool at /tools/variable-font-generator that accepts .designspace XML files and master font uploads (.ttf/.otf), processes them with fonttools, and returns a generated variable font.
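A .designspace file is the XML document that tells fonttools which axes the variable font has and which master files sit at which location on those axes. The following is an added example (not the box's code and not the author's) of the pre-flight check a server could run on such an upload before handing it to fonttools, using only the standard library: it lists the axes and sources, refuses a DOCTYPE (designspace files have no DTD), and requires every referenced master to be a bare file name that was actually uploaded alongside the document. The sample document, the set of uploaded masters and the allowed extensions are all constructed for the example.

```python
"""Added example, not the box's or the author's code: inspect a .designspace
upload before passing it to fonttools. Sample input is constructed."""
import os
import xml.etree.ElementTree as ET

# Assumption for this example: the master formats the generator accepts.
ALLOWED_MASTER_EXT = {".ttf", ".otf", ".ufo"}

# Constructed sample: one weight axis and three sources. 'masters/Bold.ttf'
# carries a directory part and 'Medium.ttf' was never uploaded.
SAMPLE_DESIGNSPACE = """\
<designspace format="5.0">
  <axes>
    <axis tag="wght" name="Weight" minimum="100" default="400" maximum="900"/>
  </axes>
  <sources>
    <source filename="Light.ttf" name="light">
      <location><dimension name="Weight" xvalue="100"/></location>
    </source>
    <source filename="masters/Bold.ttf" name="bold">
      <location><dimension name="Weight" xvalue="900"/></location>
    </source>
    <source filename="Medium.ttf" name="medium">
      <location><dimension name="Weight" xvalue="500"/></location>
    </source>
  </sources>
</designspace>
"""


def inspect_designspace(xml_text: str, uploaded_masters: set) -> dict:
    """Return the axes and sources a designspace declares plus a list of
    problems. An empty 'problems' list means the upload is safe to hand on."""
    problems = []
    if "<!DOCTYPE" in xml_text.upper():
        problems.append("DOCTYPE present; designspace files carry no DTD")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"axes": [], "sources": [], "problems": problems + [f"malformed XML: {exc}"]}
    if root.tag != "designspace":
        problems.append(f"unexpected root element <{root.tag}>")

    axes = []
    for axis in root.iterfind("./axes/axis"):
        name = axis.get("name")
        try:
            lo, default, hi = (float(axis.get(k)) for k in ("minimum", "default", "maximum"))
        except (TypeError, ValueError):
            problems.append(f"axis {name!r} has a missing or non-numeric range")
            continue
        if not lo <= default <= hi:
            problems.append(f"axis {name!r} default {default} outside [{lo}, {hi}]")
        axes.append({"tag": axis.get("tag"), "name": name,
                     "minimum": lo, "default": default, "maximum": hi})

    sources = []
    for src in root.iterfind("./sources/source"):
        filename = src.get("filename", "")
        location = {d.get("name"): float(d.get("xvalue", "0"))
                    for d in src.iterfind("./location/dimension")}
        # A master reference must be a plain file name inside the upload set;
        # anything with a directory part is not something we uploaded.
        if not filename or "/" in filename or "\\" in filename or filename in (".", ".."):
            problems.append(f"source {src.get('name')!r}: {filename!r} is not a bare file name")
        elif filename not in uploaded_masters:
            problems.append(f"source {src.get('name')!r}: {filename!r} was not uploaded")
        elif os.path.splitext(filename)[1].lower() not in ALLOWED_MASTER_EXT:
            problems.append(f"source {src.get('name')!r}: {filename!r} has a disallowed extension")
        sources.append({"name": src.get("name"), "filename": filename, "location": location})

    return {"axes": axes, "sources": sources, "problems": problems}


if __name__ == "__main__":
    report = inspect_designspace(SAMPLE_DESIGNSPACE, {"Light.ttf", "Bold.ttf"})
    for axis in report["axes"]:
        print(f"axis {axis['tag']}: {axis['minimum']}..{axis['default']}..{axis['maximum']}")
    for problem in report["problems"]:
        print("REJECT:", problem)
```

On the constructed sample the check reports two problems (the directory-qualified Bold master and the missing Medium master) and would reject the upload; a document whose sources all resolve to uploaded masters comes back with an empty problem list and can be passed to fonttools.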
The portal presents a login form for authorized personnel.
Foothold
Exposed Git Repository
Directory enumeration on the portal reveals an accessible .git/ directory:
curl -s http://portal.variatype.htb/.git/HEAD
# ref: refs/heads/master
Dumping the repository with git-dumper:
git-dumper http://portal.variatype.htb/.git/ ./portal-repo/
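From the defending side, a repository served out of the web root leaves a clear trail: a burst of requests under /.git/ from one client, and the telling detail is whether the server answered them with 200 rather than 403 or 404. The following is an added example (not the box's code and not the author's) that parses nginx "combined" access-log lines, groups .git/ requests per client, and reports whether any were actually served; the log lines are constructed.

```python
"""Added example, not the box's or the author's code: find probes for an
exposed .git/ directory in nginx access logs and distinguish a blocked probe
(403/404) from one the server answered (200). Log lines are constructed."""
import re
from collections import defaultdict

# nginx "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# /.git and anything beneath it; deliberately does not match /.gitignore
GIT_PATH_RE = re.compile(r"^/\.git(?:/|$)")

# Constructed sample: one client walks the repository and is served, another
# client probes once and gets a 404, a third never touches .git at all.
SAMPLE_LOG = """\
10.10.14.5 - - [15/Mar/2026:10:12:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/8.5.0"
10.10.14.5 - - [15/Mar/2026:10:12:03 +0000] "GET /.git/config HTTP/1.1" 200 137 "-" "curl/8.5.0"
10.10.14.5 - - [15/Mar/2026:10:12:04 +0000] "GET /.git/objects/ab/cdef0123 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.9 - - [15/Mar/2026:11:40:00 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.2 - - [15/Mar/2026:11:41:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.2 - - [15/Mar/2026:11:41:02 +0000] "GET /.gitignore HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0]  # drop any query string
    return ev


def find_git_probes(lines):
    """Group requests under /.git/ by client IP with how many were served (200)."""
    per_ip = defaultdict(lambda: {"requests": 0, "served": 0, "paths": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None or not GIT_PATH_RE.match(ev["path"]):
            continue
        rec = per_ip[ev["ip"]]
        rec["requests"] += 1
        rec["paths"].add(ev["path"])
        if ev["status"] == 200:
            rec["served"] += 1
    return dict(per_ip)


def exposure_confirmed(report) -> bool:
    """True when at least one .git/ request was answered with content."""
    return any(rec["served"] > 0 for rec in report.values())


if __name__ == "__main__":
    report = find_git_probes(SAMPLE_LOG.splitlines())
    for ip, rec in report.items():
        print(f"{ip}: {rec['requests']} .git requests, {rec['served']} served, "
              f"paths={sorted(rec['paths'])}")
    print("repository exposed:", exposure_confirmed(report))
```

A 404 for /.git/HEAD is a probe worth noting; a 200 means the repository is being copied. The matching nginx-side fix is to refuse the path altogether, for example a regex location such as `location ~ /\.git { return 404; }` on the portal's server block (general nginx practice, not a configuration taken from the box), and to keep the checkout outside the document root in the first place.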
The git history contains two commits. Examining the diff of the second commit reveals hardcoded credentials that were added for an automated pipeline:
git log --oneline
# xxxxxx fix: add gitbot user for automated validation pipeline
# xxxxxx feat: initial portal implementation
git log -p
+$USERS = [
+ 'gitbot' => 'G1tB0t_Acc3ss_2025!'
+];
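Review bot: this hunk commits a plaintext credential map ($USERS with 'gitbot' => 'G1tB0t_Acc3ss_2025!') into a repository that is itself reachable from the web root, so the secret stays in git history even if a later commit removes the line. Load the pipeline account's secret from an environment variable or a config file outside the document root, store a password hash rather than the plaintext value, and treat the committed password as burned: rotate it and purge or rewrite the history before the checkout is deployed again.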
Logging into the portal dashboard with gitbot / G1tB0t_Acc3ss_2025! grants access. The dashboard lists recently generated font files, each with View and Download links using view.php?f= and download.php?f= query parameters.
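The credential above was only one commit away from the initial import, which is exactly the situation a pre-commit or CI secret scan exists to catch. The following is an added example (not the box's code and not the author's) of such a scan over unified-diff text: it tracks new-file line numbers through each hunk, looks only at added lines, and flags a string literal either because the line mentions a credential keyword or because the literal is long, mixes character classes and has high Shannon entropy. The diff is constructed to mirror the shape of the commit on the page, and the thresholds are this example's own assumptions.

```python
"""Added example, not the box's or the author's code: flag credentials
introduced by a diff. The sample diff and the thresholds are constructed."""
import math
import re

STRING_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"")
KEYWORD_RE = re.compile(r"pass(?:word|wd)?|secret|token|api_?key|private_?key", re.I)
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(?P<start>\d+)(?:,\d+)? @@")
# Assumed thresholds for the entropy signal.
MIN_LEN, MIN_CLASSES, MIN_ENTROPY = 8, 3, 3.0

# Constructed diff modelled on the portal commit: one high-entropy literal,
# one keyword-named setting, and two benign additions.
SAMPLE_DIFF = """\
diff --git a/config.php b/config.php
--- a/config.php
+++ b/config.php
@@ -1,4 +1,8 @@
 <?php
 $TITLE = 'Internal Validation Portal';
-$USERS = [];
+$USERS = [
+    'gitbot' => 'G1tB0t_Acc3ss_2025!'
+];
+define('DB_PASSWORD', 'portal');
+$LOG_DIR = '/var/log/portal';
 require_once 'includes/db.php';
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's symbol distribution."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def char_classes(s: str) -> int:
    """How many of upper, lower, digit, punctuation the string uses (spaces ignored)."""
    return sum((any(c.isupper() for c in s), any(c.islower() for c in s),
                any(c.isdigit() for c in s),
                any(not c.isalnum() and not c.isspace() for c in s)))


def looks_like_secret(value: str) -> bool:
    return (len(value) >= MIN_LEN and char_classes(value) >= MIN_CLASSES
            and shannon_entropy(value) >= MIN_ENTROPY)


def scan_diff(diff_text: str):
    """Return (path, new_line_number, reason, literal) for each suspicious added line."""
    findings = []
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group("start"))
            continue
        if raw.startswith(("diff ", "index ", "---")):
            continue
        if raw.startswith("-"):
            continue  # removed line: occupies no line in the new file
        if raw.startswith("+"):
            added = raw[1:]
            literals = [a or b for a, b in STRING_RE.findall(added)]
            if KEYWORD_RE.search(added) and literals:
                # the last literal on a keyword line is normally the value
                findings.append((path, new_line, "credential keyword", literals[-1]))
            else:
                for lit in literals:
                    if looks_like_secret(lit):
                        findings.append((path, new_line, "high-entropy literal", lit))
        new_line += 1  # added and context lines both advance the new-file line number
    return findings


if __name__ == "__main__":
    for path, line, reason, literal in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{line}: {reason}: {literal!r}")
```

Run as a pre-commit hook over `git diff --cached`, this reports the gitbot password by entropy and the DB_PASSWORD line by keyword while leaving the title and the log path alone; the entropy thresholds trade false positives for recall and are worth tuning against the repository's own history.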