Home

Writeups

YouTube Channel

Hack the Box - Redeemer

Redeemer, positioned as a very easy challenge within the tier 0 starting point, serves as an excellent entry point for newcomers venturing into the world of Capture The Flag (CTF) challenges. Tailored to provide a learning platform, Redeemer focuses on fundamental skills such as port scanning, searching techniques, and database knowledge. 

-> $ Tasks Overview

The tasks set the stage for Redis database exploration. Participants are tasked with identifying the type of database Redis represents, recognizing the Redis server, and understanding the usage of the redis-cli command-line utility. Additionally, challenges involve conducting a full port scan, establishing a connection to the Redis database using redis-cli, and executing queries within the Redis database.

-> $ Task 3: What type of database is Redis? Choose from the following options: (i) In-memory Database, (ii) Traditional Database - Redis is categorized as an in-memory database, meaning it stores data in the system's main memory (RAM) rather than on disk. This characteristic makes Redis exceptionally fast for data retrieval.

-> $ Task 4: Which command-line utility is used to interact with the Redis server? Enter the program name you would enter into the terminal without any arguments. - The command-line utility for interacting with the Redis server is redis-cli.

-> $ Task 5: Which flag is used with the Redis command-line utility to specify the hostname? -

The -h flag in redis-cli is utilized to specify the hostname when connecting to a Redis server. For instance, redis-cli -h <host_ip> establishes a connection to the Redis server located at the specified host IP address.

Now, let’s direct our attention to the intricacies of the machine to unravel the solutions for upcoming tasks.

-> $ Enumeration

-> $ Port Scanning

In the enumeration phase, our focus shifts to port scanning for a thorough exploration of the host. Initially, a fast scan using the command nmap 10.129.134.247 -F provides an overview, yet no open ports are immediately evident. Undeterred, a comprehensive scan unfolds with nmap 10.129.134.247 -p-, revealing an open port 6379 dedicated to the Redis service. Redis, in essence, is a powerful in-memory database, known for its speed and efficiency in data storage and retrieval. Now armed with this knowledge, we proceed to uncover more about the Redis server and its intricacies.

Advancing in our enumeration process, we delve into a more detailed analysis of port 6379 with the help of Nmap NSE scripts and a version scan:

				
					nmap <ip_adress> -p 6379 -sVC
The outcome unveils the version of Redis running on the target machine. Although no additional information surfaces at this stage, armed with this newfound knowledge, we are equipped to address the following tasks:

-> $ Task 1: Which TCP port is open on the machine? - The open TCP port on the machine is 6379.

-> $ Task 2: Which service is running on the port that is open on the machine? - The service running on the open port is Redis.

-> $ Task 7: What is the version of the Redis server being used on the target machine? - The version of the redis server is 5.0.7

-> $ Initial Access

-> $ Gaining Access to the Database

In the pursuit of initial access, our journey takes us to connecting to Redis using the redis-cli tool, employing the -h parameter to specify the host:

				
					redis-cli -h <host_ip>

This seamless connection marks our entry into the Redis server. Within Redis databases, all data resides in a singular instance without distinct databases. The selection of instances is facilitated by:

				
					SELECT <instance_number>
Unlike conventional databases, Redis forsakes columns in favor of keys. To list all keys within the Redis instance, the following command proves invaluable:
				
					KEYS *

Data retrieval is executed using the GET <key_name> command, providing direct access to specific keys of interest. Furthermore, to gain comprehensive insights into the server and database, the INFO command becomes our go-to, revealing additional layers of information:

Now we are navigating to Task 6 and Task 8.

-> $ Task 6: Once connected to a Redis server, which command is used to obtain the information and statistics about the Redis server?

- The relevant command for this task is INFO. Executing this command within the redis-cli provides a wealth of details about the server, aiding in a comprehensive understanding of its status and configuration.

-> $ Task 8: Which command is used to select the desired database in Redis?

- The command SELECT <instance_number> is employed for this purpose. Redis databases are indexed numerically, and by specifying the desired instance number, users can seamlessly switch between databases.

Let’s use these commands to retrieve flag and solve the task 8 and task 10.

-> $ Task 9: How many keys are present inside the database with index 0? - 4 keys named temp, stor, flag, numb.

-> $ Task 10: Submit the root flag

Now we retrieved it!

-> $ General Review

The Redeemer machine, positioned as a tier 0 starting point, serves as an introductory exploration into the domain of Capture The Flag challenges. Notably, it introduces participants to Redis, a less commonly utilized database, providing a unique learning opportunity. This challenge is particularly valuable, mirroring real-world scenarios where encounters with atypical ports and services necessitate meticulous research. It effectively demonstrates our proficiency in research methodology, thorough port scanning, and adept utilization of databases through the command line interface. Your visit to my website is sincerely appreciated, and I eagerly anticipate our continued exploration through other writeups. Until then, happy exploration!