Redeemer (Tier 0)

Description

• Tier -> 0

• Difficult -> Very Easy

• OS -> Linux

• Tags -> Redis / Vulnerability Assessment / Databases / Reconnaissance / Anonymous-Guest Access

https://app.hackthebox.com/starting-point?tier=0

Write-up

• I started doing an initial port scan using Nmap

nmap -p- -Pn --min-rate 2000 10.129.136.187

---

• With this and a little research, I answered the first questions

Answer: 6379

---

Answe: redis

---

Answer: In-memory Database

---

Answer: redis-cli

---

Answer: -h

---

Answer: info

---

• Then I did an exhaustive scan to get more information about the service running on the found port

nmap -p6379 -sVC 10.129.136.187

---

• With this and a little research, I answered the next questions

Answer: 5.0.7

---

Answer: select

---

• I found a Redis database, so I tried to get access to the database using the redis-cli utility and it worked successfully. Then, To get information about the database, I used the internal info command and got information from some of the keys that were configured

redis-cli -h 10.129.136.187

This result is snippet

---

• With this and a little research, I answered the next questions

Answer: 4

---

Answer: keys *

---

• I selected the index of the database to work with it, in this case 0 because the database name was db0 and was the first listed. Then, I listed the keys using the keys and specifying to select all of them

---

• I found an interesting entry named flag so I used the internal get command to retrieve its content and with this, I found the root flag

---

• With this, I got the root flag and pwned the machine

Answer: 03e1d2b376c37ab3f5319922053953eb