Exploitation

Hack The Box - HTB Soulmate Writeup - Easy - Weekly - September 6th, 2025

1337 Sheets
1337 Sheets
·
Hack The Box - HTB Soulmate Writeup - Easy - Weekly - September 6th, 2025

HackTheBox - Soulmate Writeup

Machine Information

  • Name: Soulmate
  • IP: [MACHINE_IP]
  • OS: Linux
  • Difficulty: Easy
  • Points: 20
  • Release Date: 06 Sep 2025
  • Domains: soulmate.htb, ftp.soulmate.htb

Summary

Soulmate is an easy Linux machine that hosts a dating website alongside a vulnerable CrushFTP server. The exploitation path involves leveraging CVE-2025-31161 in CrushFTP version 11.W.657 to bypass authentication and create an administrative user account. This access allows file uploads to the web directory, enabling PHP code execution for initial system access. Privilege escalation is achieved through discovering hardcoded credentials in an Erlang-based SSH service configuration, which provides root-level command execution capabilities.

Reconnaissance and Enumeration

Network Scanning

# Initial port scan
nmap -p- --min-rate 10000 [MACHINE_IP]

# Detailed service enumeration
nmap -sC -sV -p 22,80 -oA nmap/soulmate [MACHINE_IP]

Nmap Results:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|   256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Soulmate - Find Your Perfect Match
| http-methods:
|   Supported methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)

Host Configuration

Add discovered domains to /etc/hosts:

echo "[MACHINE_IP] soulmate.htb ftp.soulmate.htb" >> /etc/hosts

Web Application Analysis

Primary Domain: soulmate.htb

Accessing http://soulmate.htb reveals a dating website with the following features:

  • User registration and authentication system
  • Profile creation with personal information and photos
  • Dating profile browsing functionality
  • Member since dates and user interaction features

Registration Process: The application allows new user registration with fields:

  • Username and Full Name
  • Password and confirmation
  • Bio/description text area
  • Optional profile picture upload (supports JPG, PNG, GIF formats, max 3MB)

Initial Assessment: Standard web application functionality with no immediately obvious vulnerabilities. The dating site appears to be a decoy or secondary service.

Directory and File Discovery

feroxbuster -u http://soulmate.htb \
    -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
    -x php,html,js,json,txt,log \
    -t 50 \
    -e

Results:

  • Standard web directories found (/assets/, /css/, /js/)
  • No sensitive files or backup directories discovered
  • Standard HTTP response codes (200, 404)
  • No obvious attack vectors in the main application

Subdomain Enumeration

ffuf -u http://[MACHINE_IP] \
    -H "Host: FUZZ.soulmate.htb" \
    -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
    -fw 4

Discovery Results:

ftp                     [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 60ms]

Key Finding: ftp.soulmate.htb subdomain discovered

CrushFTP Service Analysis

Service Discovery

Accessing http://ftp.soulmate.htb results in an HTTP 302 redirect to:

http://ftp.soulmate.htb/WebInterface/login.html

This reveals a CrushFTP web interface with:

  • Professional login page design
  • Username/Email and Password fields
  • "Remember me" checkbox functionality
  • "Forgot your password?" recovery option

Version Identification

Examining the HTML source code reveals version information embedded in asset URLs:

<script type="module" crossorigin src="/WebInterface/new-ui/assets/app/components/loader2.js?v=11.W.657-2025_03_08_07_52"></script>
<link rel="stylesheet" crossorigin href="/WebInterface/new-ui/assets/css/app.css?v=11.W.657-2025_03_08_07_52">

Critical Discovery:

  • CrushFTP Version: 11.W.657
  • Build Date: March 8, 2025 (2025_03_08_07_52)
  • Version String Pattern: 11.W.657-2025_03_08_07_52

Vulnerability Research

Research for CrushFTP version 11.W.657 reveals multiple CVEs affecting this version:

  • CVE-2025-31161: Authentication bypass vulnerability
  • CVE-2025-54309: Zero-day exploitation potential
  • CVE-2025-32433: Unauthenticated remote code execution

Selected Exploit: CVE-2025-31161 due to available public exploit and authentication bypass nature.

Exploitation Phase

CVE-2025-31161 Exploitation

CVE-2025-31161 is a critical authentication bypass vulnerability in CrushFTP that allows attackers to create administrative user accounts without proper authentication.