HTB-Soulmate - HackMD

# HTB-Soulmate ![image](https://hackmd.io/_uploads/rkFYS3D3ll.png) ![image](https://hackmd.io/_uploads/SJQkUnD2le.png) ![image](https://hackmd.io/_uploads/SkRpr2P2xg.png) ![image](https://hackmd.io/_uploads/rJBZI3P3ll.png) ![image](https://hackmd.io/_uploads/rJrruhP2ge.png) ![image](https://hackmd.io/_uploads/Syb2OhPhll.png) ![image](https://hackmd.io/_uploads/r1F692whxg.png) ![image](https://hackmd.io/_uploads/B1f3h2v3gx.png) ![image](https://hackmd.io/_uploads/S1lTnhD2ex.png) CrushFTP CVE-2025-31161 Auth Bypass and Post-Exploitation https://github.com/Immersive-Labs-Sec/CVE-2025-31161 ![image](https://hackmd.io/_uploads/SkAT63Pnlx.png) ![image](https://hackmd.io/_uploads/BkXMR2Phlx.png) ![image](https://hackmd.io/_uploads/H1RE0hwnex.png) ![image](https://hackmd.io/_uploads/SkCZyTv2gg.png) change password user ben ![image](https://hackmd.io/_uploads/SkmllTvnxx.png) login to user ben, we can see the program for the web page was stored there. ![image](https://hackmd.io/_uploads/Bk-wxpw2ll.png) upload file and create revshell ![image](https://hackmd.io/_uploads/rJuTgawnex.png) ![image](https://hackmd.io/_uploads/BkilZaPnee.png) ![image](https://hackmd.io/_uploads/r1db-aD3xe.png) access to http://soulmate.htb/shell.php and get revshell ![image](https://hackmd.io/_uploads/r1ABbTPheg.png) ![image](https://hackmd.io/_uploads/SJhCGaP2el.png) ![image](https://hackmd.io/_uploads/Hk5JXTw2gg.png) Notice that root has previously run a login script ![image](https://hackmd.io/_uploads/Syypmpw3gx.png) got password ![image](https://hackmd.io/_uploads/HJvkEav3eg.png) ssh and get first flag ![image](https://hackmd.io/_uploads/Sk0HNpP3ee.png) The escript mentioned earlier is a program in Erlang that starts an SSH server (SSH daemon), and it is open on port 2222, so we will connect to it. Check the port opening status and find that the Erlang-based SSH service is running on port 2222 ![image](https://hackmd.io/_uploads/B1oOHTwnxl.png) ![image](https://hackmd.io/_uploads/BJnbUaP2le.png) use m() -- which modules are loaded ![image](https://hackmd.io/_uploads/Syzc8TD2lg.png) use os to get flag os:cmd(CommandString). ![image](https://hackmd.io/_uploads/H1GrwTvhgg.png)