https://z3r0s6.github.io/tags/fonttools/Recent content in Fonttools on z3r0sHugoenTue, 05 May 2026 00:00:00 +0000https://z3r0s6.github.io/machines/variatype/Tue, 05 May 2026 00:00:00 +0000https://z3r0s6.github.io/machines/variatype/<table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Difficulty</td> <td>Medium</td> </tr> <tr> <td>OS</td> <td>Linux</td> </tr> <tr> <td>CVEs</td> <td>CVE-2025-66034 · CVE-2024-25082 · CVE-2025-47273</td> </tr> </tbody> </table> <hr> <h2 id="summary"> Summary <a class="heading-link" href="#summary"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>VariaType is a Linux medium box centered around a typography company's web infrastructure. The attack chain involves <strong>three distinct CVEs</strong>:</p> <ul> <li><strong>CVE-2025-66034</strong> - fonttools DesignSpace output path traversal → PHP webshell (<code>www-data</code>)</li> <li><strong>CVE-2024-25082</strong> - FontForge archive filename command injection → SSH as <code>steve</code> (user)</li> <li><strong>CVE-2025-47273</strong> - setuptools PackageIndex path traversal → SSH as <code>root</code></li> </ul> <hr> <h2 id="attack-chain-overview"> Attack Chain Overview <a class="heading-link" href="#attack-chain-overview"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <table> <thead> <tr> <th>#</th> <th>Stage</th> <th>Technique</th> <th>CVE/Tool</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>Recon</td> <td>Nmap + vhost fuzzing + <code>.git</code> dump</td> <td>-</td> </tr> <tr> <td>2</td> <td>Foothold</td> <td>DesignSpace filename path traversal</td> <td>CVE-2025-66034</td> </tr> <tr> <td>3</td> <td>User (steve)</td> <td>FontForge archive filename cmd injection</td> <td>CVE-2024-25082</td> </tr> <tr> <td>4</td> <td>Root</td> <td>setuptools PackageIndex path traversal</td> <td>CVE-2025-47273</td> </tr> </tbody> </table> <hr> <h2 id="01---reconnaissance"> 01 - Reconnaissance <a class="heading-link" href="#01---reconnaissance"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <div class="highlight"><pre tabindex="0" style="color:#e6edf3;background-color:#0d1117;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>rustscan -a &lt;TARGET_IP&gt; --ulimit <span style="color:#a5d6ff">5000</span> -b <span style="color:#a5d6ff">1500</span> -- -sV -sC </span></span></code></pre></div><pre tabindex="0"><code>Port 22 OpenSSH 9.2p1 Port 80 nginx/1.22.1 </code></pre><h3 id="virtual-host-discovery"> Virtual Host Discovery <a class="heading-link" href="#virtual-host-discovery"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h3> <div class="highlight"><pre tabindex="0" style="color:#e6edf3;background-color:#0d1117;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt <span style="color:#79c0ff">\ </span></span></span><span style="display:flex;"><span> -u http://&lt;TARGET_IP&gt; -H <span style="color:#a5d6ff">&#34;Host: FUZZ.variatype.htb&#34;</span> -fs &lt;default_size&gt; </span></span><span style="display:flex;"><span><span style="color:#8b949e;font-style:italic"># → portal.variatype.htb</span> </span></span></code></pre></div><h3 id="git-repository-leak"> Git Repository Leak <a class="heading-link" href="#git-repository-leak"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h3> <div class="highlight"><pre tabindex="0" style="color:#e6edf3;background-color:#0d1117;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>curl -s http://portal.variatype.htb/.git/HEAD </span></span><span style="display:flex;"><span><span style="color:#8b949e;font-style:italic"># ref: refs/heads/master</span> </span></span></code></pre></div><p>Dumping the repository reveals hardcoded credentials in commit history:</p>