Redeemer HTB (Starting Point)

Rishabh Rai
May 9, 2023

Hello everyone. Today we move on to our next machine, a Linux box running a Redis server, and look at the techniques used to pentest the Redis service. Let’s get started with the nmap scan on the machine IP.

After running the nmap scan, we find this output showing one open service on port ‘6379’, named “redis”, with version 5.0.7.

With this information in hand, if you are new to Redis you can google for Redis pentesting, and you will find this site very helpful.

Moving on, let’s look at how to enumerate the service.

First of all, you should have redis-cli on your machine; if not, run this command:

sudo apt-get install redis-tools

Once it is installed, run this command to enumerate the host. If you get connected anonymously, you can move forward by typing info at the prompt.

In this case I got connected anonymously, typed in the info command and got all the information, which is a green signal to move on to more specific enumeration.

Let us check the list of clients present on the server, using a simple “client list” command.

10.129.136.187:6379> client list
id=7 addr=10.10.14.103:59326 fd=8 name= age=53 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=26 qbuf-free=32742 obl=0 oll=0 omem=0 events=r cmd=client

We can also snoop around the config file and look for any flags, credentials, etc. using this command:

CONFIG GET *

Nothing was found here, so our last resort is the keyspace, which has all the keys if it is accessible.

To enumerate the keyspace:

First, type INFO keyspace (this shows every db with its number of keys, expiry and average time to live).

Next, select the db you want to enumerate. Here I have only the 0th db, hence I typed “SELECT 0”.

After getting the OK status, we can move forward to dumping all the key names by typing “KEYS *”.

And then we finally see the interesting key name “flag”, which can be fetched using the GET command like this: “GET flag”.

And there you have it, the root hash of the machine.
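From the defender's side, the CONFIG GET * output used above also explains why the anonymous session was possible. The following is an added example, not part of the original write-up: it parses a constructed sample of that output and flags the responsible settings. The sample values and the names parse_config_get and audit are assumptions for illustration.

```python
import re

# Constructed sample of interactive redis-cli output for CONFIG GET *
# (alternating name/value replies); values are illustrative, not the target's.
SAMPLE = '''\
 1) "dbfilename"
 2) "dump.rdb"
 3) "requirepass"
 4) ""
 5) "protected-mode"
 6) "no"
 7) "bind"
 8) "0.0.0.0 ::1"
 9) "port"
10) "6379"
'''

LOOPBACK = {"127.0.0.1", "::1"}
REPLY = re.compile(r'^\s*\d+\)\s+"(.*)"\s*$')


def parse_config_get(text):
    """Pair up the alternating name/value replies into a dict."""
    items = [m.group(1) for m in map(REPLY.match, text.splitlines()) if m]
    return dict(zip(items[0::2], items[1::2]))


def audit(cfg):
    """Return findings that explain why an anonymous remote session works."""
    findings = []
    no_password = cfg.get("requirepass", "") == ""
    binds = cfg.get("bind", "").split()
    remote_bind = [a for a in binds if a not in LOOPBACK]
    protected = cfg.get("protected-mode", "yes") == "yes"
    if no_password:
        findings.append("requirepass is empty: no AUTH needed")
    if remote_bind:
        findings.append("bind includes non-loopback: " + " ".join(remote_bind))
    # Redis 5 protected mode only refuses remote clients when there is
    # neither a bind directive nor a password.
    if no_password and (remote_bind or (not binds and not protected)):
        findings.append("EXPOSED: remote clients get an unauthenticated session")
    return findings


if __name__ == "__main__":
    for line in audit(parse_config_get(SAMPLE)):
        print(line)
```

Setting requirepass and binding only to loopback (or to a firewalled management interface) clears all three findings.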

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

TASK 1

Which TCP port is open on the machine?

read the nmap scan output

TASK 2

Which service is running on the port that is open on the machine?

read the nmap scan output

TASK 3

What type of database is Redis? Choose from the following options: (i) In-memory Database, (ii) Traditional Database

TASK 4

Which command-line utility is used to interact with the Redis server? Enter the program name you would enter into the terminal without any arguments.

google it

TASK 5

Which flag is used with the Redis command-line utility to specify the hostname?

man redis-cli

TASK 6

Once connected to a Redis server, which command is used to obtain the information and statistics about the Redis server?

man redis-cli

TASK 7

What is the version of the Redis server being used on the target machine?

“info” command

TASK 8

Which command is used to select the desired database in Redis?

SELECT <db_index>

TASK 9

How many keys are present inside the database with index 0?

Read the output from “info keyspace”

TASK 10

Which command is used to obtain all the keys in a database?

keys *

SUBMIT FLAG

Submit root flag
