Redeemer HTB (Starting Point)
Hello everyone, We are onto our next machine today which is a Linux machine and it has implementation of Redis server and techniques used to pentest redis service. Let’s get started with the nmap scan on the machine IP.
After running the nmap scan we find this output showing us one service open at port ‘6379’ named “redis” and it’s version being 5.0.7
After gaining this information, if you are new to Redis you can google for the redis pentesting and you would find this site very helpful.
Coming forward in the blog, let’s look upon how to enumerate the service.
first of all you should have redis-cli on your machine if not then run this command:
sudo apt-get install redis-tools
after getting installed run this command to enumerate the host, and if you get connected anonymously then you can move forward by typing info in the prompt.
Like in this case I got connected anonymously, and I typed in the info command and I got all the information. Which is a green signal to approach for more specific enumerations.
Let us check the list of clients present on the server, using a simple “client list” command.
10.129.136.187:6379> client list
id=7 addr=10.10.14.103:59326 fd=8 name= age=53 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=26 qbuf-free=32742 obl=0 oll=0 omem=0 events=r cmd=client
we can also snoop around the config file and look for any flags, credentials etc. using this command
CONFIG GET *
Nothing found here so out last resort is keyspace which has all the keys if it is accessible.
To enumerate the keyspace
first type, INFO keyspace (this will show all the db and their number of keyspaces, expirydate and avg time to live)
next, select the db which you want to enumerate here i have only 0th db hence i typed “SELECT 0”
After getting the OK status, we can move forward to dumping all the key names by typing “KEYS *”
And then we finally see the interesting keyname “flag” which can be fetched by using GET command like this “ GET flag”
AND there you have it, the root hash of the machine.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
TASK 1
Which TCP port is open on the machine?
read the nmap scan output
TASK 2
Which service is running on the port that is open on the machine?
read the nmap scan output
TASK 3
What type of database is Redis? Choose from the following options: (i) In-memory Database, (ii) Traditional Database
TASK 4
Which command-line utility is used to interact with the Redis server? Enter the program name you would enter into the terminal without any arguments.
google it
TASK 5
Which flag is used with the Redis command-line utility to specify the hostname?
man redis-cli
TASK 6
Once connected to a Redis server, which command is used to obtain the information and statistics about the Redis server?
man redis-cli
TASK 7
What is the version of the Redis server being used on the target machine?
“info” command
TASK 8
Which command is used to select the desired database in Redis?
SELECT <db_index>
TASK 9
How many keys are present inside the database with index 0?
Read the output from “info keyspace”
TASK 10
Which command is used to obtain all the keys in a database?
keys *
SUBMIT FLAG
Submit root flag
