1. Preparation & Reconnaissance

Target IP: 10.129.17.168
Date: April 10, 2026

Method & Commands

Initial setup adds the target IP to the /etc/hosts file so the host can be reached by the hostname variatype.htb.

echo "10.129.17.168 variatype.htb portal.variatype.htb" | sudo tee -a /etc/hosts

2. Web Enumeration & Source Code Analysis

Findings

During the enumeration phase, a subdomain portal.variatype.htb was discovered. Further directory fuzzing on this subdomain revealed an exposed .git repository directory.

Method & Commands

The repository was dumped locally to inspect the version history and source code:

gitdumper.sh http://portal.variatype.htb/.git/ ./git-dump/
cd git-dump
git log -p

Vulnerability: Exposed .git Directory & Hardcoded Credentials

Reviewing the git commit history revealed hardcoded credentials in auth.php for a testing/automation account:
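From the defender's side, the same `git log -p` output can be scanned for secrets before a repository is deployed next to a web root. The sketch below is an added example, not part of the original writeup; the sample log, the `SECRET` pattern and the `scan_patch_log` helper are constructed for illustration. It flags credential-like assignments in deleted lines as well as added ones, because a secret removed in a later commit is still present in history.

```python
import re

# Constructed, trimmed sample of `git log -p` output (not from the target
# repository): a credential is added in one commit and "removed" in the next.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111

    remove test account

diff --git a/auth.php b/auth.php
--- a/auth.php
+++ b/auth.php
@@ -1,4 +1,3 @@
 <?php
-$test_password = 'EXAMPLE-ONLY';
 $users = load_users();
commit 2222222222222222222222222222222222222222

    add automation login

diff --git a/auth.php b/auth.php
--- a/auth.php
+++ b/auth.php
@@ -1,3 +1,4 @@
 <?php
+$test_password = 'EXAMPLE-ONLY';
 $users = load_users();
"""

# A quoted literal assigned to a credential-looking name (assumed heuristic).
SECRET = re.compile(
    r"""(?i)([\w$]*(?:pass(?:word|wd)?|secret|token|api_?key)\w*)\s*(?:=>?|:)\s*['"]([^'"]+)['"]""")

def scan_patch_log(text):
    """Return (commit, file, change, name) for each secret-like line in history.

    The matched value itself is never returned, so reports can be shared safely.
    """
    findings, commit, path = [], None, None
    for line in text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:7]          # short hash for the report
        elif line.startswith(("+++ ", "--- ")):
            if not line.endswith("/dev/null"):
                path = line[4:].split("/", 1)[-1]  # strip the a/ or b/ prefix
        elif line[:1] in ("+", "-") and (m := SECRET.search(line[1:])):
            change = "added" if line[0] == "+" else "deleted"
            findings.append((commit, path, change, m.group(1)))
    return findings
```

Any hit, including a "deleted" one, means the credential should be rotated; rewriting history alone does not help once the repository has been exposed.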

3. Initial Access (www-data)

Findings

A font generation tool in the web application was vulnerable because it used an outdated version of the fonttools Python library. This library (specifically related to advisories such as GHSA-768j-98cg-p3fv) is vulnerable to XML injection when parsing .designspace XML files.

Method & Commands