Machine Synopsis
`VariaType` is a medium-difficulty Linux machine that begins with web enumeration of a font-generation platform and an associated portal subdomain hosting a login page with an exposed `.git` directory. Dumping the repository and inspecting the commit history exposes hardcoded credentials, granting access to the portal dashboard. A path traversal vulnerability in the portal's download functionality allows reading arbitrary files from the server, including the Nginx configuration, which reveals the web root. Combined with a fonttools CVE-2025-66034 affecting the `.designspace` parser, a webshell is written to the `files` directory to obtain a foothold as `www-data`. Process monitoring reveals a cron job run by `steve` that processes uploaded font archives using `fontforge`. A command injection vulnerability in `fontforge`'s handling of malformed tar archives (CVE-2024-25082), is leveraged to pivot to `steve`. Privilege escalation is achieved by exploiting a path traversal vulnerability in `setuptools` (CVE-2025-47273), which is invoked by a script `steve` can run as root via `sudo`, allowing an attacker-controlled public SSH key to be written to `/root/.ssh/authorized_keys`.
Machine Matrix