Soulmate has a PHP-based dating website, as well as an instance of CrushFTP. I’ll showcase two different authentication bypass CVEs to get admin access to CrushFTP. From there I can upload a PHP webshell and get a foothold on the box. I’ll find hardcoded credentials in an Erlang SSH server, and use them to get to the next user. I’ll also use them to connect to this SSH server and navigate the Erlang console as root to solve the challenge.

0xdf hacks stuff

A walkthrough of exploiting a HackTheBox machine running CrushFTP and an Erlang SSH server. Two authentication bypass CVEs (CVE-2025-31161 and CVE-2025-54309) are demonstrated to gain admin access to CrushFTP. A PHP webshell is uploaded through the admin interface to achieve initial foothold. Hardcoded credentials are discovered in an Erlang SSH server script, enabling lateral movement to user 'ben'. Finally, the Erlang SSH daemon running as root is exploited through its REPL interface to execute commands with root privileges and complete the challenge.

HTB: Soulmate