Hack the Box – Redeemer

# Information:

Platform Name: Hack the Box

Machine Challenge: Redeemer

Machine Status: Starting Point

Challenge Level: Very Easy

# Used Tools:

  • Linux
  • nmap
  • Redis
  • terminal

# Challenge Description:

This challenge has a list of questions that need to be answered in order to retrieve the flag. We will answer every question.

# Writeup:

Task 1:

Which TCP port is open on the machine?

Answer: The TCP port that is open is the 6379 port

I performed a nmap scan with the switches -sV, -sC, -v and -p-. I was presented with the following:

command:
nmap -sV -sC -v -p- 10.129.184.94

Starting Nmap 7.80 ( https://nmap.org ) at 2023-07-17 10:17 CEST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:17
Completed NSE at 10:17, 0.00s elapsed
Initiating NSE at 10:17
Completed NSE at 10:17, 0.00s elapsed
Initiating NSE at 10:17
Completed NSE at 10:17, 0.00s elapsed
Initiating Ping Scan at 10:17
Scanning 10.129.184.94 [2 ports]
Completed Ping Scan at 10:17, 0.15s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:17
Completed Parallel DNS resolution of 1 host. at 10:17, 0.01s elapsed
Initiating Connect Scan at 10:17
Scanning 10.129.184.94 [65535 ports]
Increasing send delay for 10.129.184.94 from 0 to 5 due to max_successful_tryno increase to 4
Connect Scan Timing: About 1.60% done; ETC: 10:50 (0:31:51 remaining)
Connect Scan Timing: About 3.67% done; ETC: 10:45 (0:26:40 remaining)
Connect Scan Timing: About 6.48% done; ETC: 10:41 (0:21:54 remaining)
Connect Scan Timing: About 9.87% done; ETC: 10:40 (0:20:41 remaining)
Increasing send delay for 10.129.184.94 from 5 to 10 due to max_successful_tryno increase to 5
Connect Scan Timing: About 13.73% done; ETC: 10:40 (0:19:16 remaining)
Connect Scan Timing: About 18.16% done; ETC: 10:37 (0:16:04 remaining)
Connect Scan Timing: About 22.74% done; ETC: 10:35 (0:13:49 remaining)
Connect Scan Timing: About 27.30% done; ETC: 10:34 (0:12:10 remaining)
Connect Scan Timing: About 31.87% done; ETC: 10:33 (0:10:50 remaining)
Connect Scan Timing: About 36.45% done; ETC: 10:32 (0:09:42 remaining)
Discovered open port 6379/tcp on 10.129.184.94
Connect Scan Timing: About 40.73% done; ETC: 10:32 (0:08:50 remaining)
Connect Scan Timing: About 45.08% done; ETC: 10:32 (0:08:00 remaining)
Connect Scan Timing: About 50.10% done; ETC: 10:32 (0:07:14 remaining)
Connect Scan Timing: About 55.21% done; ETC: 10:32 (0:06:28 remaining)
Connect Scan Timing: About 59.77% done; ETC: 10:31 (0:05:42 remaining)
Connect Scan Timing: About 64.77% done; ETC: 10:31 (0:04:58 remaining)
Connect Scan Timing: About 69.47% done; ETC: 10:31 (0:04:15 remaining)
Connect Scan Timing: About 74.41% done; ETC: 10:31 (0:03:32 remaining)
Connect Scan Timing: About 79.47% done; ETC: 10:31 (0:02:49 remaining)
Connect Scan Timing: About 84.49% done; ETC: 10:31 (0:02:06 remaining)
Connect Scan Timing: About 89.53% done; ETC: 10:31 (0:01:24 remaining)
Connect Scan Timing: About 94.54% done; ETC: 10:31 (0:00:44 remaining)
Completed Connect Scan at 10:30, 794.03s elapsed (65535 total ports)
Initiating Service scan at 10:30
Scanning 1 service on 10.129.184.94
Completed Service scan at 10:31, 6.30s elapsed (1 service on 1 host)
NSE: Script scanning 10.129.184.94.
Initiating NSE at 10:31
Completed NSE at 10:31, 0.01s elapsed
Initiating NSE at 10:31
Completed NSE at 10:31, 0.00s elapsed
Initiating NSE at 10:31
Completed NSE at 10:31, 0.00s elapsed
Nmap scan report for 10.129.184.94
Host is up (0.26s latency).
Not shown: 65534 closed ports
PORT     STATE SERVICE VERSION
6379/tcp open  redis   Redis key-value store 5.0.7

NSE: Script Post-scanning.
Initiating NSE at 10:31
Completed NSE at 10:31, 0.00s elapsed
Initiating NSE at 10:31
Completed NSE at 10:31, 0.00s elapsed
Initiating NSE at 10:31
Completed NSE at 10:31, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 800.78 seconds

Task 2:

Which service is running on the port that is open on the machine?

Answer: Above, you can see that the service that is running on port 6379 is redis.


Task 3:

What type of database is Redis? Choose from the following options: (i) In-memory Database, (ii) Traditional Database

Answer: Redis is a In-memory Database type of database.


Task 4:

Which command-line utility is used to interact with the Redis server? Enter the program name you would enter into the terminal without any arguments.

Answer: The command to interact with Redis server is redis-cli.


Task 5:

Which flag is used with the Redis command-line utility to specify the hostname?

Answer: The flag used with the Redis command-line utility to specify the hostname is -h.

After knowing the necessary commands to interact with the Redis server, I tried to connect to it using the following command:

redis-cli -h <your_IP_here> -p 6379

I was presented with the following:

Command:
redis-cli -h 10.129.184.94 -p 6379

10.129.184.94:6379> 

Task 6:

Once connected to a Redis server, which command is used to obtain the information and statistics about the Redis server?

Answer: To obtain information and statistics about Redis server we use the info command.

So, after knowing this, I displayed the information and statistics like so:

10.129.184.94:6379> info
# Server
redis_version:5.0.7
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:66bd629f924ac924
redis_mode:standalone
os:Linux 5.4.0-77-generic x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:9.3.0
process_id:752
run_id:5b47603f72260547c56e74be7ec9cd4ed7784ca8
tcp_port:6379
uptime_in_seconds:1443
uptime_in_days:0
hz:10
configured_hz:10
lru_clock:11861618
executable:/usr/bin/redis-server
config_file:/etc/redis/redis.conf

# Clients
connected_clients:1
client_recent_max_input_buffer:2
client_recent_max_output_buffer:0
blocked_clients:0

# Memory
used_memory:859624
used_memory_human:839.48K
used_memory_rss:5890048
used_memory_rss_human:5.62M
used_memory_peak:859624
used_memory_peak_human:839.48K
used_memory_peak_perc:100.00%
used_memory_overhead:846142
used_memory_startup:796224
used_memory_dataset:13482
used_memory_dataset_perc:21.26%
allocator_allocated:1590168
allocator_active:1937408
allocator_resident:9158656
total_system_memory:2084024320
total_system_memory_human:1.94G
used_memory_lua:41984
used_memory_lua_human:41.00K
used_memory_scripts:0
used_memory_scripts_human:0B
number_of_cached_scripts:0
maxmemory:0
maxmemory_human:0B
maxmemory_policy:noeviction
allocator_frag_ratio:1.22
allocator_frag_bytes:347240
allocator_rss_ratio:4.73
allocator_rss_bytes:7221248
rss_overhead_ratio:0.64
rss_overhead_bytes:-3268608
mem_fragmentation_ratio:7.20
mem_fragmentation_bytes:5072432
mem_not_counted_for_evict:0
mem_replication_backlog:0
mem_clients_slaves:0
mem_clients_normal:49694
mem_aof_buffer:0
mem_allocator:jemalloc-5.2.1
active_defrag_running:0
lazyfree_pending_objects:0

# Persistence
loading:0
rdb_changes_since_last_save:0
rdb_bgsave_in_progress:0
rdb_last_save_time:1689582676
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:0
rdb_current_bgsave_time_sec:-1
rdb_last_cow_size:421888
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok
aof_last_cow_size:0

# Stats
total_connections_received:7
total_commands_processed:6
instantaneous_ops_per_sec:0
total_net_input_bytes:293
total_net_output_bytes:14778
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
expired_stale_perc:0.00
expired_time_cap_reached_count:0
evicted_keys:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:244
migrate_cached_sockets:0
slave_expires_tracked_keys:0
active_defrag_hits:0
active_defrag_misses:0
active_defrag_key_hits:0
active_defrag_key_misses:0

# Replication
role:master
connected_slaves:0
master_replid:457e8dabe8222b8c4cefeb995ca7f6552e043c77
master_replid2:0000000000000000000000000000000000000000
master_repl_offset:0
second_repl_offset:-1
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0

# CPU
used_cpu_sys:0.473669
used_cpu_user:0.499506
used_cpu_sys_children:0.001040
used_cpu_user_children:0.000000

# Cluster
cluster_enabled:0

# Keyspace
db0:keys=4,expires=0,avg_ttl=0
10.129.184.94:6379>

Task 7:

What is the version of the Redis server being used on the target machine?

Answer: As you can see above, the version of the Redis server is 5.0.7.


Task 8:

Which command is used to select the desired database in Redis?

Answer: The command used to select the desired database is select.


Task 9:

How many keys are present inside the database with index 0?

Answer: There are 4 keys (You can see this below).


Task 10:

Which command is used to obtain all the keys in a database?

Answer: To obtain all the keys in a database we use the following command:

keys *

So, this is what I did and I was presented with following keys:

Image 1

Submit root flag:

As you can see in image 1, we have a key that seems interesting. That key is the “flag” key. Now we have to see the content of this key. To do that we have to use the following command:

get flag

Image 2

The flag is:

Show flag
03e1d2b376c37ab3f5319922053953eb


Thank you very much for reading!

Cheers,

SoBatista


Leave a Reply

Your email address will not be published. Required fields are marked *