Browsing to `http://variatype.htb` shows **VariaType Labs** — a professional variable font generation service. The `/services` page mentions the backend uses **fonttools**, **fontmake**, and **gftools**.
```
nmap -sC -sV -p- 10.129.34.182
22/tcp open ssh OpenSSH 9.2p1 Debian
80/tcp open http nginx/1.22.1
```
```bash
echo "10.129.34.182 variatype.htb portal.variatype.htb" | sudo tee -a /etc/hosts
```
The `/tools/variable-font-generator` accepts a `.designspace` file and `.ttf`/`.otf` master fonts.
```bash
gobuster vhost -u http://variatype.htb --append-domain \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -t 50
```
Found `portal.variatype.htb` — a PHP-based Internal Validation Portal with a login page.
```bash
gobuster dir -u http://portal.variatype.htb \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt -t 50
```
Key findings:
- `download.php` — redirects unauthenticated users, has a `file` parameter
- `.git` — exposed Git repository

Contact me on Discord or LinkedIn for the password.
HackTheBox policy restricts publishing walkthroughs for active-season machines. This writeup is password-protected to respect that policy while keeping the content available to those who already have access.
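From the defender's side, the `gobuster dir` run and the exposed `.git` directory in the key findings both leave traces in the nginx access log. The following is an added example, not part of the original writeup: it flags clients that collect many distinct 404s and any `/.git` object served with a 200, assuming nginx's default `combined` log format; the log lines, IP addresses and threshold are constructed.

```python
import re
from collections import defaultdict

# nginx "combined" format: ip - user [time] "METHOD path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
GIT_RE = re.compile(r'^/\.git(/|$)')


def analyze(lines, min_distinct_404=5):
    """Return (enumerating_ips, served_git_objects) from access-log lines."""
    misses = defaultdict(set)  # ip -> distinct paths answered with 404
    git_hits = []              # (ip, path) where a /.git object was served
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in combined format, skip
        ip, status = m["ip"], int(m["status"])
        path = m["path"].split("?")[0]  # ignore the query string
        if status == 404:
            misses[ip].add(path)
        if status == 200 and GIT_RE.match(path):
            git_hits.append((ip, path))
    enumerating = sorted(ip for ip, p in misses.items() if len(p) >= min_distinct_404)
    return enumerating, git_hits


def _line(ip, path, status, ua="gobuster/3.6"):
    # Builds one constructed log line; timestamp and byte count are arbitrary.
    return (f'{ip} - - [01/Jan/2025:10:00:00 +0000] '
            f'"GET {path} HTTP/1.1" {status} 153 "-" "{ua}"')


# Constructed sample: one scanning client, one ordinary visitor.
SAMPLE = [_line("203.0.113.7", p, 404) for p in
          ("/admin.php", "/config.php", "/backup.zip", "/test.php", "/info.php", "/.env")]
SAMPLE += [
    _line("203.0.113.7", "/download.php", 302),
    _line("203.0.113.7", "/.git/HEAD", 200),
    _line("198.51.100.20", "/", 200, "Mozilla/5.0"),
    _line("198.51.100.20", "/favicon.ico", 404, "Mozilla/5.0"),
]

if __name__ == "__main__":
    scanners, git_hits = analyze(SAMPLE)
    print("directory enumeration from:", scanners)
    print("served /.git objects:", git_hits)
```

Any entry in the second result means the repository is readable from the web; the durable fix is to keep `.git` out of the deployed web root or deny the path in the nginx configuration.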