HackTheBox VariaType Exposed Git, Traversal Filter Bypass, f...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://0xdf.gitlab.io/2026/06/13/htb-variatype.html
• Blog Title: HackTheBox VariaType: Exposed Git, Traversal Filter Bypass, fontTools File Write, FontForge Command Injection, and setuptools Root PrivEsc
• Suggested Section: HackTricks Main: Pentesting Web > File Inclusion/Path Traversal; Pentesting Web/File Upload or Network Services Pentesting > Flask/PHP; Linux Privilege Escalation > sudo/package installer abuse; optionally add a new note under web/file processing for fontTools/designspace arbitrary file write and FontForge filename command injection

🎯 Content Summary

Overview: The post is a HackTheBox VariaType Linux writeup chaining multiple realistic web and local escalation issues across two virtual hosts: variatype.htb, a Flask-based variable-font generator, and portal.variatype.htb, a PHP internal validation portal. The full chain is: exposed .git repository disclosure → recovery of portal credentials from Git history → authenticated arbitrary file read via a naive single-pass traversal filter bypass → local...

🔧 Technical Details

Exposed Git repository → historical secret recovery: If /.git/ is publicly reachable, reconstruct the repository with git-dumper, then inspect not only the current working tree but also commit history. Use git log --oneline to identify commits and git diff old new to recover deleted credentials, tokens, endpoints, or configuration. In this case, auth.php currently contained $USERS = [];, but the diff exposed 'gitbot' => 'G1tB0t_Acc3ss_2025!', which authenticated to the portal.

Single-pass path traversal sanitization bypass: A dangerous anti-pattern is sanitizing filenames with a single replacement such as $path = str_replace('../', '', $_GET['f']);. Overlapping payloads like ....// bypass this because the filter removes the inner ../, leaving a new ../ behind. Repeating the pattern...

🤖 Agent Actions

Done.

Updated:

• src/pentesting-web/file-inclusion/README.md

Added:

• a concise single-pass str_replace('../', '', ...) traversal bypass note using ....//
• a reminder to inspect Git history after dumping exposed /.git/ repos (git log, git show, git diff)
• a short post-file-read triage workflow (/etc/passwd → vhost config → document root source → creds/config/jobs)
• the blog link in References

Notes:

• I intentionally did not add the later fontTools / FontForge / setuptools stages because the provided material was too HTB-chain-specific / high-level for a clean reusable HackTricks entry without overfitting.
• Validation was done with git diff and file rereads.
• mdbook build could not be run because mdbook is not installed in this environment.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2026/06/13/htb-variatype.html

Content Categories: Based on the analysis, this content was categorized under "HackTricks Main: Pentesting Web > File Inclusion/Path Traversal; Pentesting Web/File Upload or Network Services Pentesting > Flask/PHP; Linux Privilege Escalation > sudo/package installer abuse; optionally add a new note under web/file processing for fontTools/designspace arbitrary file write and FontForge filename command injection".

Repository Maintenance:

• MD Files Formatting: 977 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0