Soulmate
HackTheBox Soulmate machine writeup — reconnaissance and enumeration walkthrough.
1. Setting the Stage: Reconnaissance
You arrive at the doorstep of Soulmate (10.10.11.86), a digital love factory.
Naturally, you bring your trusty nmap bouquet to impress.
nmap -p- -sV --min-rate 1000 -oA scans/soulmate-full 10.10.11.86
🎶 Cue dramatic love song 🎶
Results reveal:
22/tcp SSH (OpenSSH 8.9p1)
80/tcp HTTP (nginx 1.18.0)
4369/tcp Erlang EPMD (Cupid’s creepy sidekick)
You add an alias because typing IPs on a date is rude:
echo "10.10.11.86 soulmate.htb" | sudo tee -a /etc/hosts
2. Crafting Your Profile: Web Enumeration
You strut into http://soulmate.htb, where love is supposedly just a click away.
You register as you@example.com / Passw0rd! (classic). You log in and peek at the Profile → Edit page.
Options:
Name
Bio
Interests
Mobile
And the juiciest part: Profile Picture Upload
Your hacker intuition whispers: “File upload… the Tinder of vulnerabilities.”
3. Uncovering a Hidden Door: Subdomain Discovery
But no dating site is complete without a secret “ex” lurking in the background.
So you fire up ffuf:
ffuf -u http://soulmate.htb -H 'Host: FUZZ.soulmate.htb' -w /usr/share/seclists/Discovery/DNS/big.txt -fs 154
💔 Surprise! You find ftp.soulmate.htb—a CrushFTP instance.
echo "10.10.11.86 ftp.soulmate.htb" | sudo tee -a /etc/hosts
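Seen from the defender's side, the Host-header sweep above leaves a recognisable trace in the web server's logs: one client, many distinct Host values, nearly all answered with the same default response (the 154-byte body that -fs 154 filters out). The detector below is an added example, not part of the original writeup; the nginx log_format, client IPs, status codes, thresholds and sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed custom nginx log_format (not from the writeup):
#   '$remote_addr "$host" "$request" $status $body_bytes_sent'
LINE_RE = re.compile(r'^(\S+) "([^"]*)" "[^"]*" (\d{3}) (\d+)$')

def find_vhost_fuzzers(lines, min_hosts=5, min_default_ratio=0.8):
    """Return {client_ip: distinct_host_count} for clients that try many
    Host values and mostly receive one identical (default-vhost) response."""
    hosts = defaultdict(set)       # ip -> distinct Host values seen
    responses = defaultdict(list)  # ip -> [(status, body_size), ...]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        ip, host, status, size = m.groups()
        hosts[ip].add(host.lower())
        responses[ip].append((status, int(size)))

    flagged = {}
    for ip, seen in hosts.items():
        if len(seen) < min_hosts:
            continue  # ordinary clients talk to one or two vhosts
        # Fraction of this client's responses equal to its most common one.
        top_count = Counter(responses[ip]).most_common(1)[0][1]
        if top_count / len(responses[ip]) >= min_default_ratio:
            flagged[ip] = len(seen)
    return flagged

# Constructed sample log: 10.10.14.5 sweeps subdomains, 10.10.14.9 browses.
# The 302 status is an assumption; only the 154-byte size is from the page.
SAMPLE_LOG = [
    f'10.10.14.5 "{sub}.soulmate.htb" "GET / HTTP/1.1" 302 154'
    for sub in ("admin", "api", "dev", "mail", "test")
] + [
    '10.10.14.5 "ftp.soulmate.htb" "GET / HTTP/1.1" 200 2310',
    '10.10.14.9 "soulmate.htb" "GET / HTTP/1.1" 200 16688',
    '10.10.14.9 "soulmate.htb" "GET /login.php HTTP/1.1" 200 8554',
]

if __name__ == "__main__":
    for ip, count in find_vhost_fuzzers(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct Host values, mostly default response")
```

The stock nginx "combined" format does not record the Host header, so this kind of detection only works once $host is added to the access log.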