Tags: Medium · Linux · HackTheBox · Active · CVE-2025-66034 · CVE-2024-25082

VariaType — HackTheBox Writeup (Linux, Medium)

An exposed .git directory leaks hardcoded credentials, two CVEs in font-processing libraries chain together for RCE as www-data and then as steve, and a sudo misconfiguration combined with a setuptools path traversal lets you write an SSH key directly to /root/.ssh/authorized_keys.

2026-03-16

// Attack Chain

Exposed .git → hardcoded creds → CVE-2025-66034 (fontTools) → www-data → CVE-2024-25082 (FontForge) → steve → setuptools path traversal → Root

Attack Chain Overview

CODE
Exposed .git directory
        ↓
Recover deleted commit → hardcoded credentials
        ↓
CVE-2025-66034 (fontTools varLib)
XML injection + path traversal → PHP reverse shell (www-data)
        ↓
CVE-2024-25082 (FontForge ZIP filename injection)
Malicious ZIP → shell as steve
        ↓
sudo misconfig → setuptools PackageIndex path traversal
Write SSH pubkey → /root/.ssh/authorized_keys
        ↓
ROOT

Phase 1 — Reconnaissance & Git Object Recovery

What Was Found

The machine had an exposed .git directory on the subdomain portal. Initial files found:

CODE
HEAD    → ref: refs/heads/master
master  → 753b5f5957f2020480a19bf29a0ebc80267a4a3d

A loose object file was also present: a zlib-compressed Git object.

Why Git Objects Work This Way

Git stores everything as content-addressed objects compressed with zlib. The SHA-1 hash of the object (a short `<type> <size>` header followed by the content) IS the filename, which is why a recovered object can be verified against its name. Objects live at:

CODE
.git/objects/<first 2 chars of hash>/<remaining 38 chars>

To read any object, you place it in the correct path inside a valid .git structure and use git cat-file -p <hash>.
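As an added illustration of the layout described above (example code, not part of the original writeup), the following builds a loose object the way Git does, stores it under the two-character directory, reads it back and checks that the stored bytes still hash to their name. The sample blob content and the scratch .git directory are constructed here; the only value taken from the page is the master commit hash used to show the path mapping.

```python
import hashlib
import tempfile
import zlib
from pathlib import Path

# Added example (not from the original writeup): how a Git loose object is
# built and parsed. Git hashes "<type> <size>\0<content>" with SHA-1; the hex
# digest is the object's name, and the zlib-compressed bytes are stored at
# .git/objects/<first 2 hex chars>/<remaining 38 hex chars>.

def encode_loose_object(obj_type: str, content: bytes) -> tuple[str, bytes]:
    """Return (sha1 hex name, zlib-compressed bytes) for a blob/tree/commit."""
    raw = f"{obj_type} {len(content)}".encode() + b"\x00" + content
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)

def object_path(git_dir, sha1: str) -> Path:
    """Map an object name onto its loose-object path under .git/objects."""
    return Path(git_dir) / "objects" / sha1[:2] / sha1[2:]

def write_loose_object(git_dir, obj_type: str, content: bytes) -> str:
    """Store an object exactly where `git cat-file` expects to find it."""
    sha1, compressed = encode_loose_object(obj_type, content)
    path = object_path(git_dir, sha1)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(compressed)
    return sha1

def read_loose_object(git_dir, sha1: str) -> tuple[str, bytes]:
    """Decompress, parse the header and verify the content matches its name."""
    raw = zlib.decompress(object_path(git_dir, sha1).read_bytes())
    header, _, content = raw.partition(b"\x00")
    obj_type, size = header.decode().split(" ")
    if int(size) != len(content):
        raise ValueError("header size does not match content length")
    actual = hashlib.sha1(raw).hexdigest()
    if actual != sha1:  # a misplaced or tampered object fails this check
        raise ValueError(f"object {sha1} hashes to {actual}")
    return obj_type, content

def roundtrip(content: bytes) -> tuple[str, str, bytes]:
    """Write a blob into a scratch .git directory and read it back."""
    with tempfile.TemporaryDirectory() as tmp:
        git_dir = Path(tmp) / ".git"
        sha1 = write_loose_object(git_dir, "blob", content)
        obj_type, data = read_loose_object(git_dir, sha1)
    return sha1, obj_type, data

if __name__ == "__main__":
    print(roundtrip(b"test content\n"))
```

The name produced for `test content\n` matches what `echo 'test content' | git hash-object --stdin` prints, so the same function can confirm that a loose object pulled from an exposed .git has not been corrupted in transit.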

Machine Still Active

This machine is currently live on HackTheBox. The full writeup unlocks automatically once it retires.

Preview ends before: Reconstructing the Repository