Soulmate from HackTheBox features a PHP dating site and a CrushFTP instance with two authentication bypass CVEs (a race condition and AWS4-HMAC abuse) that yield admin access, a PHP webshell upload for the foothold, and hardcoded credentials in an Erlang SSH server for root.

HTB: Soulmate
Soulmate has a PHP-based dating website, as well as an instance of CrushFTP. I’ll showcase two different authentication bypass CVEs to get admin access to CrushFTP. From there I can upload a PHP webshell and get a foothold on the box. I’ll find hardcoded credentials in an Erlang SSH server, and use them to get to the next user. I’ll also use them to connect to this SSH server and navigate the Erlang console as root to solve the challenge.