March 14, 2026

Variatype HackTheBox Writeup - Season10

HackTheBox Variatype machine walkthrough

SUMMARY

This write-up covers the Variatype machine from HackTheBox Season 10, a creative and technically layered machine built around font processing tooling and web application enumeration. The web server on port 80 redirected to variatype.htb, hosting an interface for building variable fonts by uploading .designspace and .ttf files. This functionality was identified as vulnerable to CVE-2025-66034.

Virtual host enumeration uncovered a second subdomain, portal.variatype.htb, presenting a login page whose interface leaked what appeared to be a git tag. Directory fuzzing confirmed an exposed .git directory, and git-dumper was used to extract the repository history, revealing hardcoded user credentials in a prior commit. With portal access, further enumeration revealed another weakness: a Local File Inclusion (LFI) vulnerability in the download.php endpoint. The LFI was used to read the server’s configuration and resolve the absolute web root directory of portal.variatype.htb. With this knowledge, a malicious .designspace file was crafted to write a web shell directly into the portal’s web root, establishing an initial foothold on the system.

Internal enumeration revealed a cronjob running FontForge with the -lang=py flag, executing Python scripts in the FontForge scripting engine. This version of FontForge is vulnerable to CVE-2025-15280, which allows arbitrary code execution through the scripting interface, yielding a shell as the user steve. Finally, as steve, a sudoers misconfiguration was identified that links to CVE-2025-47273, a path traversal vulnerability in pip’s PackageIndex component. This flaw allows writing files to arbitrary filesystem locations, which was abused to place an id_rsa.pub into /root/.ssh/authorized_keys, granting direct SSH access as root.


PATH TO FOLLOW

  1. Reconnaissance
  2. Web Enumeration (CVE-2025-66034)
  3. Virtual Host Discovery
  4. Git Tag Leak & Directory Fuzzing
  5. Repository Dumping & Credential Extraction
  6. Portal Login & Internal Enumeration
  7. LFI via download.php & Web Root Discovery
  8. Malicious .designspace Crafting
  9. Cronjob Discovery (CVE-2025-15280)
  10. Lateral Movement
  11. Sudoers Misconfiguration (CVE-2025-47273)
  12. SSH Public Key Injection

CONTENT WILL BE RELEASED ONCE THE MACHINE IS RETIRED