Understanding multi‑layered reconnaissance and obscure CVE exploits like CVE‑2025‑31161 enables faster, more reliable penetration testing, turning hidden services into entry points for full system compromise.
The video walks through the Hack The Box "Soulmate" challenge, emphasizing a disciplined, multitasked reconnaissance approach rather than a straight-to-code-execution mindset. IppSec begins with an Nmap sweep, discovers only SSH and HTTP, then adds a host entry for soulmate.htb and probes the web interface, quickly moving to virtual-host fuzzing to reveal an overlooked FTP subdomain.

Key insights include using tools like ffuf for rapid vhost enumeration, running Nuclei scans in the background, and recognizing that the FTP service (CrushFTP) is vulnerable to CVE-2025-31161, an authentication bypass that requires a valid username and a crafted cookie. The exploit script leverages this flaw to add a new user, effectively granting shell access without legitimate credentials.

A notable example is the analysis of the profile-picture upload mechanism, where the filename incorporates a timestamp and user ID, hinting at predictable paths for potential web-shell placement. IppSec also demonstrates manipulating the vulnerable endpoint by injecting the required cookie and observing inconsistent 502 responses, illustrating the quirks of the underlying bug.

The walkthrough underscores that thorough, parallel reconnaissance can surface hidden services and obscure vulnerabilities, saving time and effort. For penetration testers, mastering such nuanced exploits and understanding application-specific quirks (like predictable filenames and custom authentication logic) can be the difference between a stalled box and a full compromise.
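The predictable profile-picture filename is the detail a defender should take away. The following is an added example, not code from the video or from the Soulmate application, showing an upload handler whose storage name carries no timestamp or user ID and which checks the declared image type against the file's magic bytes; the allowlist, size cap and upload root are constructed assumptions.

```python
import secrets
from pathlib import Path
from typing import Optional

# Constructed allowlist for a profile-picture upload (an assumption, not the
# Soulmate application's own configuration): extension -> leading magic bytes.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # constructed 2 MiB cap


def check_upload(original_name: str, data: bytes) -> tuple:
    """Validate a profile-picture upload and, if accepted, mint a storage name.

    Returns (True, storage_name) or (False, reason). The storage name is
    128 bits of randomness plus the allowlisted extension; neither the upload
    time nor the user ID feeds into it, so it cannot be derived the way a
    "<timestamp>_<userid>" name can.
    """
    ext = Path(original_name).suffix.lstrip(".").lower()
    if ext not in IMAGE_MAGIC:
        return False, f"extension '{ext}' not allowed"
    if not data.startswith(IMAGE_MAGIC[ext]):
        return False, "content does not match declared image type"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    return True, f"{secrets.token_hex(16)}.{ext}"


def storage_path(upload_root: str, storage_name: str) -> Optional[str]:
    """Resolve the final path under a directory the web server does not serve
    (upload_root is an assumption here) and refuse any name that escapes it."""
    root = Path(upload_root).resolve()
    target = (root / storage_name).resolve()
    if target.parent != root:
        return None  # traversal attempt such as "../"
    return str(target)
```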