The aim of this walkthrough is to provide help with the Redeemer machine on the Hack The Box website. Please note that no flags are directly provided here. Moreover, be aware that this is only one of the many ways to solve the challenges.
It belongs to a series of tutorials that aim to help out complete beginners with finishing the Starting Point TIER 0 challenges.
SETUP
There are a couple of ways to connect to the target machine. The one we will be using throughout this walkthrough is via the provided pwnbox.
Once our connection is taken care of, we spawn the target machine.
Additionally - even though not required - it is possible to set a local variable (only available in the current shell) containing our target host’s IP address. Once set, we can easily access it by prepending a $ to our variable name.
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $rhost=<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $ echo $rhost
<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
You could use the unset command to remove it after you no longer need it.
┌─[✗]─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $unset rhost
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
TASK 1
Question: Which TCP port is open on the machine?
Use the -p- option for nmap to scan all the ports, not just the top 1000 (the default scan). Be aware, it might take a while.
You could speed it up by either setting the --min-rate <number> option or by setting the -T<0-5> option (higher is faster).
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $nmap -p- $rhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-04 17:43 BST
Nmap scan report for 10.129.176.198
Host is up (0.0099s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT STATE SERVICE
6379/tcp open redis
Nmap done: 1 IP address (1 host up) scanned in 257.55 seconds
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $
6379
TASK 2
Question: Which service is running on the port that is open on the machine?
To determine the service and service version, use the -sV option with nmap.
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $nmap -sV -p 6379 $rhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-04 17:49 BST
Nmap scan report for 10.129.176.198
Host is up (0.012s latency).
PORT STATE SERVICE VERSION
6379/tcp open redis Redis key-value store 5.0.7
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.50 seconds
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $
redis
TASK 3
Question: What type of database is Redis? Choose from the following options: (i) In-memory Database, (ii) Traditional Database
Use the internet to read up on redis.
in-memory database
TASK 4
Question: Which command-line utility is used to interact with the Redis server? Enter the program name you would enter into the terminal without any arguments.
One thing you could do is search the man pages and descriptions to find a command that mentions redis.
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $apropos redis
redis: nothing appropriate.
No luck this time. One other thing we could do is use the which command to search through the installed command names. Once the word redis is typed in, we can use the autocomplete function to list all the available commands that start with the same name.
┌─[✗]─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $which redis-
redis-benchmark redis-check-aof redis-check-rdb redis-cli
┌─[✗]─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $which redis-
Then you can simply check out their man pages to find the correct command.
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $man redis-cli
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $
redis-cli
TASK 5
Question: Which flag is used with the Redis command-line utility to specify the hostname?
Use the built-in help option to get a better idea of how to use the redis-cli command.
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $redis-cli --help
redis-cli 7.0.10
Usage: redis-cli [OPTIONS] [cmd [arg [arg ...]]]
-h <hostname> Server hostname (default: 127.0.0.1).
-p <port> Server port (default: 6379).
-s <socket> Server socket (overrides hostname and port).
-a <password> Password to use when connecting to the server.
You can also use the REDISCLI_AUTH environment
variable to pass this password more safely
(if both are used, this argument takes precedence).
--user <username> Used to send ACL style 'AUTH username pass'. Needs -a.
--pass <password> Alias of -a for consistency with the new --user option.
--askpass Force user to input password with mask from STDIN.
If this argument is used, '-a' and REDISCLI_AUTH
environment variable will be ignored.
-u <uri> Server URI.
-r <repeat> Execute specified command N times.
-i <interval> When -r is used, waits <interval> seconds per command.
It is possible to specify sub-second times like -i 0.1.
This interval is also used in --scan and --stat per cycle.
and in --bigkeys, --memkeys, and --hotkeys per 100 cycles.
-n <db> Database number.
-2 Start session in RESP2 protocol mode.
-3 Start session in RESP3 protocol mode.
-x Read last argument from STDIN (see example below).
-X Read <tag> argument from STDIN (see example below).
-d <delimiter> Delimiter between response bulks for raw formatting (default: \n).
-D <delimiter> Delimiter between responses for raw formatting (default: \n).
-c Enable cluster mode (follow -ASK and -MOVED redirections).
-e Return exit error code when command execution fails.
--tls Establish a secure TLS connection.
--sni <host> Server name indication for TLS.
--cacert <file> CA Certificate file to verify with.
--cacertdir <dir> Directory where trusted CA certificates are stored.
If neither cacert nor cacertdir are specified, the default
system-wide trusted root certs configuration will apply.
--insecure Allow insecure TLS connection by skipping cert validation.
--cert <file> Client certificate to authenticate with.
--key <file> Private key file to authenticate with.
--tls-ciphers <list> Sets the list of preferred ciphers (TLSv1.2 and below)
in order of preference from highest to lowest separated by colon (":").
See the ciphers(1ssl) manpage for more information about the syntax of this string.
--tls-ciphersuites <list> Sets the list of preferred ciphersuites (TLSv1.3)
in order of preference from highest to lowest separated by colon (":").
See the ciphers(1ssl) manpage for more information about the syntax of this string,
and specifically for TLSv1.3 ciphersuites.
--raw Use raw formatting for replies (default when STDOUT is
not a tty).
--no-raw Force formatted output even when STDOUT is not a tty.
--quoted-input Force input to be handled as quoted strings.
--csv Output in CSV format.
--json Output in JSON format (default RESP3, use -2 if you want to use with RESP2).
--quoted-json Same as --json, but produce ASCII-safe quoted strings, not Unicode.
--show-pushes <yn> Whether to print RESP3 PUSH messages. Enabled by default when
STDOUT is a tty but can be overridden with --show-pushes no.
--stat Print rolling stats about server: mem, clients, ...
--latency Enter a special mode continuously sampling latency.
If you use this mode in an interactive session it runs
forever displaying real-time stats. Otherwise if --raw or
--csv is specified, or if you redirect the output to a non
TTY, it samples the latency for 1 second (you can use
-i to change the interval), then produces a single output
and exits.
--latency-history Like --latency but tracking latency changes over time.
Default time interval is 15 sec. Change it using -i.
--latency-dist Shows latency as a spectrum, requires xterm 256 colors.
Default time interval is 1 sec. Change it using -i.
--lru-test <keys> Simulate a cache workload with an 80-20 distribution.
--replica Simulate a replica showing commands received from the master.
--rdb <filename> Transfer an RDB dump from remote server to local file.
Use filename of "-" to write to stdout.
--functions-rdb <filename> Like --rdb but only get the functions (not the keys)
when getting the RDB dump file.
--pipe Transfer raw Redis protocol from stdin to server.
--pipe-timeout <n> In --pipe mode, abort with error if after sending all data.
no reply is received within <n> seconds.
Default timeout: 30. Use 0 to wait forever.
--bigkeys Sample Redis keys looking for keys with many elements (complexity).
--memkeys Sample Redis keys looking for keys consuming a lot of memory.
--memkeys-samples <n> Sample Redis keys looking for keys consuming a lot of memory.
And define number of key elements to sample
--hotkeys Sample Redis keys looking for hot keys.
only works when maxmemory-policy is *lfu.
--scan List all keys using the SCAN command.
--pattern <pat> Keys pattern when using the --scan, --bigkeys or --hotkeys
options (default: *).
--quoted-pattern <pat> Same as --pattern, but the specified string can be
quoted, in order to pass an otherwise non binary-safe string.
--intrinsic-latency <sec> Run a test to measure intrinsic system latency.
The test will run for the specified amount of seconds.
--eval <file> Send an EVAL command using the Lua script at <file>.
--ldb Used with --eval enable the Redis Lua debugger.
--ldb-sync-mode Like --ldb but uses the synchronous Lua debugger, in
this mode the server is blocked and script changes are
not rolled back from the server memory.
--cluster <command> [args...] [opts...]
Cluster Manager command and arguments (see below).
--verbose Verbose mode.
--no-auth-warning Don't show warning message when using password on command
line interface.
--help Output this help and exit.
--version Output version and exit.
Cluster Manager Commands:
Use --cluster help to list all available cluster manager commands.
Examples:
cat /etc/passwd | redis-cli -x set mypasswd
redis-cli -D "" --raw dump key > key.dump && redis-cli -X dump_tag restore key2 0 dump_tag replace < key.dump
redis-cli -r 100 lpush mylist x
redis-cli -r 100 -i 1 info | grep used_memory_human:
redis-cli --quoted-input set '"null-\x00-separated"' value
redis-cli --eval myscript.lua key1 key2 , arg1 arg2 arg3
redis-cli --scan --pattern '*:12345*'
(Note: when using --eval the comma separates KEYS[] from ARGV[] items)
When no command is given, redis-cli starts in interactive mode.
Type "help" in interactive mode for information on available commands
and settings.
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $
-h
TASK 6
Question: Once connected to a Redis server, which command is used to obtain the information and statistics about the Redis server?
Sadly, the redis-cli man page does not include any information about the commands that can be used once we are already connected. But it does mention a redis-doc, so you could search the internet for that string… The results should be quite clear.
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $redis-cli -h $rhost
10.129.176.198:6379> info
# Server
redis_version:5.0.7
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:66bd629f924ac924
redis_mode:standalone
os:Linux 5.4.0-77-generic x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:9.3.0
process_id:752
run_id:a0e45127c878d291b58143aaa5720b13ce7be88b
tcp_port:6379
uptime_in_seconds:2374
uptime_in_days:0
hz:10
configured_hz:10
lru_clock:5498843
executable:/usr/bin/redis-server
config_file:/etc/redis/redis.conf
# Clients
connected_clients:1
client_recent_max_input_buffer:2
client_recent_max_output_buffer:0
blocked_clients:0
# Memory
used_memory:859624
used_memory_human:839.48K
used_memory_rss:6299648
used_memory_rss_human:6.01M
used_memory_peak:859624
used_memory_peak_human:839.48K
used_memory_peak_perc:100.00%
used_memory_overhead:846142
used_memory_startup:796224
used_memory_dataset:13482
used_memory_dataset_perc:21.26%
allocator_allocated:1562232
allocator_active:1937408
allocator_resident:11747328
total_system_memory:2084024320
total_system_memory_human:1.94G
used_memory_lua:41984
used_memory_lua_human:41.00K
used_memory_scripts:0
used_memory_scripts_human:0B
number_of_cached_scripts:0
maxmemory:0
maxmemory_human:0B
maxmemory_policy:noeviction
allocator_frag_ratio:1.24
allocator_frag_bytes:375176
allocator_rss_ratio:6.06
allocator_rss_bytes:9809920
rss_overhead_ratio:0.54
rss_overhead_bytes:-5447680
mem_fragmentation_ratio:7.70
mem_fragmentation_bytes:5482032
mem_not_counted_for_evict:0
mem_replication_backlog:0
mem_clients_slaves:0
mem_clients_normal:49694
mem_aof_buffer:0
mem_allocator:jemalloc-5.2.1
active_defrag_running:0
lazyfree_pending_objects:0
# Persistence
loading:0
rdb_changes_since_last_save:0
rdb_bgsave_in_progress:0
rdb_last_save_time:1683218970
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:0
rdb_current_bgsave_time_sec:-1
rdb_last_cow_size:421888
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok
aof_last_cow_size:0
# Stats
total_connections_received:11
total_commands_processed:13
instantaneous_ops_per_sec:1
total_net_input_bytes:508
total_net_output_bytes:44867
instantaneous_input_kbps:0.03
instantaneous_output_kbps:7.05
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
expired_stale_perc:0.00
expired_time_cap_reached_count:0
evicted_keys:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:542
migrate_cached_sockets:0
slave_expires_tracked_keys:0
active_defrag_hits:0
active_defrag_misses:0
active_defrag_key_hits:0
active_defrag_key_misses:0
# Replication
role:master
connected_slaves:0
master_replid:2f19a7a272aa0dce7bf3637824cfe276cda4df19
master_replid2:0000000000000000000000000000000000000000
master_repl_offset:0
second_repl_offset:-1
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0
# CPU
used_cpu_sys:2.039571
used_cpu_user:2.323492
used_cpu_sys_children:0.003026
used_cpu_user_children:0.000000
# Cluster
cluster_enabled:0
# Keyspace
db0:keys=4,expires=0,avg_ttl=0
10.129.176.198:6379>
info
TASK 7
Question: What is the version of the Redis server being used on the target machine?
You can find the redis server version in the info output under the server configuration information.
5.0.7
TASK 8
Question: Which command is used to select the desired database in Redis?
Once again, we can search the redis-doc website for the correct answer.
select
TASK 9
Question: How many keys are present inside the database with index 0?
One way to get to the answer is to take another look at the info output that was generated before. There is some information about the keyspace located at the end.
# Keyspace
db0:keys=4,expires=0,avg_ttl=0
The number of keys for the database db0 is set to four, so we got our answer.
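The two look-ups done by eye so far (the version under # Server in Task 7 and the key count under # Keyspace here) can also be scripted against saved info output. This is an added example, not part of the original walkthrough; the function names are made up for illustration and the sample input is constructed from the output shown above.

```bash
# Constructed sample, trimmed from the INFO output shown in this walkthrough.
sample_info() {
cat <<'EOF'
# Server
redis_version:5.0.7
redis_mode:standalone
tcp_port:6379

# Replication
role:master

# Keyspace
db0:keys=4,expires=0,avg_ttl=0
EOF
}

# info_field SECTION FIELD: print the value of FIELD inside "# SECTION".
# Reads INFO text on stdin and strips the CR that raw Redis replies carry.
info_field() {
  awk -v want_sec="$1" -v want_key="$2" '
    { sub(/\r$/, "") }
    /^# / { sec = substr($0, 3); next }
    sec == want_sec {
      i = index($0, ":")
      if (i && substr($0, 1, i - 1) == want_key) { print substr($0, i + 1); exit }
    }'
}

# keyspace_keys: print one "dbN count" line per database listed under Keyspace.
keyspace_keys() {
  awk '
    { sub(/\r$/, "") }
    /^# / { sec = substr($0, 3); next }
    sec == "Keyspace" && /^db[0-9]+:/ {
      i = index($0, ":")
      n = split(substr($0, i + 1), kv, ",")
      for (j = 1; j <= n; j++)
        if (kv[j] ~ /^keys=/) print substr($0, 1, i - 1), substr(kv[j], 6)
    }'
}

# total_keys: sum the key counts across every database.
total_keys() { keyspace_keys | awk '{ s += $2 } END { print s + 0 }'; }

sample_info | info_field Server redis_version   # version string (Task 7)
sample_info | keyspace_keys                     # per-database key counts (Task 9)
```

To run it against the live box instead of the sample, pipe `redis-cli -h $rhost info` into the same functions.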
One other way to get to the answer is to list all the keys in the database with the keys command, but only after we already selected the database. Here, you could count the number of results.
10.129.176.198:6379> select 0
OK
10.129.176.198:6379> KEYS *
1) "flag"
2) "numb"
3) "stor"
4) "temp"
10.129.176.198:6379>
4
TASK 10
Question: Which command is used to obtain all the keys in a database?
We used the same command in the previous task. The * indicates the match-all pattern.
keys *
SUBMIT FLAG
Question: Submit root flag
We use the get command to view the value stored under a key. There is one particular key with the name flag. Check it out to get to the flag.
10.129.176.198:6379> get flag
"<flag>"
10.129.176.198:6379>
flag
Make sure to terminate the target box before you continue with the next machine!