Setup

First, we need to connect to the HTB network. There are two ways to do this:

  1. Using Pwnbox
  2. Using OpenVPN

Introduction

This lab focuses on enumerating a Redis server remotely and then dumping its database in order to retrieve the flag. In this process, we will learn about some basic redis-cli commands, which are used to interact with the Redis service.

Redis is an ‘in-memory’ database. In-memory databases rely on primary memory (RAM) for data storage, and since primary memory is significantly faster than secondary memory, they are very efficient and have minimal response times. Redis and other in-memory databases are widely used to cache frequently requested data for rapid retrieval.

Scanning and enumeration

After our connection to the HTB network is successfully established, we can spawn the target machine from the Starting Point lab’s page by clicking on “SPAWN MACHINE”. After spawning the machine, we can check if our packets reach their destination by using the ping command.

Grab the IP address of your current target and paste it into your terminal after typing in the ping command. After 4-5 successful replies from the target, we can confirm that our connection is formed and stable. We can cancel the ping command by pressing the Ctrl + C combination on our keyboard.

Now let’s start scanning the target using nmap to find any open ports and services.

We can use the following nmap command: sudo nmap -p- -sV {target_ip}

{target_ip} has to be replaced with the IP address of the Redeemer machine.

The -p- switch is used to scan all the ports. The -sV switch is used to display the version of the services running on the open ports.

After the completion of the scan, we can see that port 6379 is open and is running a Redis server.

Redis (REmote DIctionary Server) is an open-source advanced NoSQL key-value data store used as a database, cache, and message broker.

Foothold

We can use the Redis command-line interface to communicate with the Redis server. It can be installed using the following command: sudo apt install redis-tools

After the installation is completed, we can use the command redis-cli --help to see the options available with redis-cli.

We can see that the -h switch specifies the hostname to connect to. Let’s connect to the Redis server using the following command: redis-cli -h {target_ip}

After successfully connecting to the server, we can use the info command to see information and statistics about the Redis server.

From the output, under the Keyspace section, we can see that there is only one database, with index 0, and that it holds 4 keys.
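The same info reply is what tells an administrator that their own Redis instance answers without a password. The script below is an added example, not part of the original walkthrough: it classifies a captured reply and summarises its Keyspace section. The sample reply is constructed, and the function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example: summarise what a captured `redis-cli -h HOST info` reply reveals.
# SAMPLE_INFO is constructed for illustration (a trimmed INFO reply).
SAMPLE_INFO='# Server
redis_version:5.0.7
tcp_port:6379

# Keyspace
db0:keys=4,expires=0,avg_ttl=0'

# Classify a reply: "open" if the server answered INFO without credentials,
# "auth-required" if it replied NOAUTH, otherwise "unknown".
classify_info() {
  case "$1" in
    *NOAUTH*)         echo "auth-required" ;;
    *redis_version:*) echo "open" ;;
    *)                echo "unknown" ;;
  esac
}

# Print the value of one "field:value" line from the reply.
info_field() {
  printf '%s\n' "$1" | tr -d '\r' |
    awk -F: -v k="$2" '$1 == k { print $2; exit }'
}

# Print "<db index> <key count>" for every database in the Keyspace section.
keyspace_summary() {
  printf '%s\n' "$1" | tr -d '\r' |
    awk -F'[:=,]' '/^db[0-9]+:keys=/ { sub(/^db/, "", $1); print $1, $3 }'
}

# One-line report for a captured reply.
report() {
  state=$(classify_info "$1")
  if [ "$state" = "open" ]; then
    echo "open version=$(info_field "$1" redis_version) keyspace=[$(keyspace_summary "$1" | paste -sd';' -)]"
  else
    echo "$state"
  fi
}

report "$SAMPLE_INFO"
```

To check a server you administer, pass it a live reply instead of the sample: report "$(redis-cli -h {target_ip} info)". A result of "open" means the instance is serving data to any client that can reach port 6379.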

We can select this database using the command select 0. Using keys * we can list all the keys present in the database. We can then use the get command followed by a key name to see the contents of that key.

Copy the flag value and paste it into the Starting Point lab’s page to complete your task.

Congrats, you have just pwned Redeemer! 👏


Task answers

Task 1: Which TCP port is open on the machine?

6379

Task 2: Which service is running on the port that is open on the machine?

redis

Task 3: What type of database is Redis? Choose from the following options: (i) In-memory Database, (ii) Traditional Database

In-memory Database

Task 4: Which command-line utility is used to interact with the Redis server? Enter the program name you would enter into the terminal without any arguments.

redis-cli

Task 5: Which flag is used with the Redis command-line utility to specify the hostname?

-h

Task 6: Once connected to a Redis server, which command is used to obtain the information and statistics about the Redis server?

info

Task 7: What is the version of the Redis server being used on the target machine?

5.0.7

Task 8: Which command is used to select the desired database in Redis?

select

Task 9: How many keys are present inside the database with index 0?

4

Task 10: Which command is used to obtain all the keys in a database?

keys *

🚩 Root flag:

03e1d2b376c37ab3f5319922053953eb