ValenFind


🌐 Love at First Breach 2026 - Valenfind

Category: 🌐 Web
Author: TryHackMe

Challenge Prompt

My Dearest Hacker,

There’s this new dating app called “Valenfind” that just popped up out of nowhere. I hear the creator only learned to code this year; surely this must be vibe-coded. Can you exploit it?

You can access it here: http://MACHINE_IP:5000

Problem Type

  • Web
  • LFI

Solve

We will start with a quick nmap scan of the host, limited to the port the prompt gave us, to see what is running there:
nmap -p 5000 -T4 -A <IP ADDRESS>

This shows we have Python running, so maybe a Flask app.

Next we will visit the site as instructed. When we load it up, we see the ValenFind app.

If we click the Start Your Journey button, we can create an account.

I used a for my username and password123, just so it was easy to remember. Then we are taken to complete our profile. We can fill that out and then click Finish Profile & Start Dating.

On the next page, we are given Potential Matches. Scrolling through the list, the Cupid user looks most interesting with 999 likes.

If we click the Profile button, we can see this user “Keeps the Database Secure”.

Let’s see if there is anything interesting here. If we right click and pick “View Page Source”, part way down in the JavaScript there is a comment labeled Vulnerability.

It seems the layout parameter allows for LFI (Local File Inclusion)! Let’s fire up Burp Suite and see if we can exploit that.

I use FoxyProxy in Firefox, but you can use the built-in browser in Burp if you like. We will send a request and intercept it, then send that to Repeater so we can modify it.

Since I captured a POST request, I had to change mine over to a GET instead and then added the URL we want to try to abuse: /api/fetch_layout?layout=. I tested with the /etc/passwd file and, as you can see, this works and we are provided the file.

The next thing I tried was to send something that shouldn’t work in this case, just 2 periods (..). This returns an error that it couldn’t load /opt/Valenfind/templates/components/.., with the .. being what we sent.

Then we can take the file path we found and try adding app.py to the end since, as we found at the start, this may be a Flask app. This results in an error that the file wasn’t found.

I worked my way down the file path until I got to /opt/Valenfind/app.py and there we got a return! On line 17 we see an Admin API key too!

As I read through the rest of the code, on line 229 I found an export_db API function. This function requires a special header (line 231), X-Valentine-Token, that must match the ADMIN_API_KEY (line 233) from above.

Trying that gives us the flag!
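To show why the two findings above work and how each would be closed, here is an added illustration in plain Python (not the Valenfind source, which is not reproduced here). It reconstructs the layout lookup pattern the error message implies beside a hardened version, and a safer check for the X-Valentine-Token header; the components directory is taken from the writeup, the admin key is a constructed placeholder, and all function names are hypothetical.

```python
import hmac
import os
import re
from typing import Optional

# Base directory as quoted in the writeup's error message; the key below is a
# constructed placeholder standing in for the literal hard-coded in app.py.
COMPONENTS_DIR = "/opt/Valenfind/templates/components"
ADMIN_API_KEY = os.environ.get("VALENFIND_ADMIN_KEY", "PLACEHOLDER-ADMIN-KEY")
LAYOUT_NAME = re.compile(r"^[A-Za-z0-9_-]+\.html$")


def naive_layout_path(layout: str, base: str = COMPONENTS_DIR) -> str:
    """Vulnerable pattern: the layout parameter is joined onto the template
    directory and opened as-is. Returns the path the OS would actually open,
    so '..' walks upward and an absolute value replaces the base entirely."""
    return os.path.normpath(os.path.join(base, layout))


def safe_layout_path(layout: str, base: str = COMPONENTS_DIR) -> Optional[str]:
    """Hardened: allow-list the template name first, then confirm the resolved
    path is still under the components directory. None means rejected."""
    if not LAYOUT_NAME.match(layout):
        return None
    root = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(root, layout))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def token_ok(supplied: Optional[str], expected: str = ADMIN_API_KEY) -> bool:
    """Check for the export endpoint's header: constant-time comparison against
    a key loaded from the environment instead of a literal readable via LFI."""
    return supplied is not None and hmac.compare_digest(supplied, expected)


if __name__ == "__main__":
    # Constructed probes, including the two values used in the writeup.
    for probe in ["profile.html", "..", "../../../../etc/passwd", "/etc/passwd"]:
        print(f"{probe!r:28} naive -> {naive_layout_path(probe)}")
        print(f"{'':28} safe  -> {safe_layout_path(probe)}")
```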
