Valenfind Walkthrough (TryHackMe): Love at First Breach CTF

This challenge is from the Love at First Breach Valentine event on TryHackMe.

Sahand Babali

~3 min read · February 13, 2026 (Updated: February 13, 2026) · Free: Yes

Challenge Title: Valenfind Category: Web Difficulty: Medium

The target web app is running on port "5000".

Before exploring the app, I ran an initial `nmap` scan to check for other exposed services.

The service fingerprint on port `5000` shows: `Server: Werkzeug/3.0.1 Python/3.12.3`

That strongly suggests a Flask application, and port `5000` is Flask's default dev port.

I then used Burp Suite proxy and started interacting with the web app.

I began with the signup flow.

After submitting credentials on `/register`, the app redirected me to `/complete_profile`.

After completing the profile, the app redirected me to `/dashboard`.

I tested profile actions like **Like** and **Send Valentine** while watching traffic in Burp.

On `/profile/cupid`, I found this JavaScript comment:

function loadTheme(layoutName) {
        // Feature: Dynamic Layout Fetching
        // Vulnerability: 'layout' parameter allows LFI
        fetch(`/api/fetch_layout?layout=${layoutName}`)
            .then(r => r.text())
            .then(html => {
                const bioText = "I keep the database secure. No peeking.";
                const username = "cupid";
                
                // Client-side rendering of the fetched template
                let rendered = html.replace('__USERNAME__', username)
                                   .replace('__BIO__', bioText);
                
                document.getElementById('bio-container').innerHTML = rendered;
            })
            .catch(e => {
                console.error(e);
                document.getElementById('bio-container').innerText = "Error loading theme.";
            });
    }