First we qill begin nmap 🔍
we got ssh adn http and epmd — lets enumerate subdomains now 🌐🔎
nice we got ftp — lets see it on the web site 📁🌍
as we can see it is CrushFTP — we will google it and found this PoC to add user and login (used): 🛠️
https://github.com/Immersive-Labs-Sec/CVE-2025-31161
now after adding user lets login 🔐✅
okay lets analyze the web and see 🧐
okay we can change password of users and login — lets try ben 🔁🔑
okay now we can see this is pages that was on soulmate.htb so lets try to upload malicious file.php 💣📤
okay lets try to execute it now
Boom we got it 🎉💥
now lets run linpeas and enumerate for creds / priv esc vectors 🧰🔎
we got this — lets try to see this file content, maybe it has ben password 📂🔑
and yes we got it — lets go get our user flag now 🏁🧾
after this we can see also port 2222 open locally (ssh) and it can be related to the EPMD we found in the nmap 🔁🔐
so lets try to connect with ben credentials to the local ssh on 2222 — attempt successful 🖥️➡️🔒
okay now we can see we are root 👑✅
okay now lets try to drop root shell on our attack IP (reverse shell) 🎯🔙
Boom — go get your flag hacker 🏴☠️🚩
