I will cover solution steps of the "Redeemer" machine, which is part of the 'Starting Point' labs and has a difficulty rating of 'Very Easy'.
Introduction
Databases are a collection of organized information that can be easily accessed. In most environments, database systems are very important because they communicate information related to your sales transactions, product inventory, customer profiles and marketing activities.
There are different types of databases, and one of them is Redis, which is an 'in-memory' database. In-memory databases rely essentially on the primary memory for data storage (meaning that the database stores data in the server's RAM), in contrast to databases that store data on disk or SSDs. In-memory databases like Redis are typically used to cache data that is frequently requested for quick retrieval, for example the prices a website returns on its front page. As the primary memory is significantly faster than the secondary memory, the data retrieval time in the case of 'in-memory' databases is very small, thus offering very efficient & minimal response times.
What is Redis?
Redis (REmote DIctionary Server) is an open-source advanced NoSQL key-value data store used as a database, cache, and message broker. The data is stored in a dictionary format having key-value pairs. It is typically used for short-term storage of data that needs fast retrieval. Redis does back up data to hard drives to provide consistency. It's often referred to as a "Swiss Army knife" for developers because of its versatility.
In-memory databases like Redis are typically used to cache data that is frequently requested for quick retrieval. For example, consider a website that returns some prices on the front page of the site. The website may be written to first check if the needed prices are in Redis, and if not, then check the traditional database (like MySQL or MongoDB). When the value is loaded from the database, it is then stored in Redis for some shorter period of time (seconds or minutes or hours), to handle any similar requests that arrive during that timeframe. For a site with lots of traffic, this configuration allows for much faster retrieval for the majority of requests, while still having stable long-term storage in the main database.
At its core, Redis is a key-value store, meaning data is stored like a dictionary. You have a key (like a label) and a value (the data itself). For example: key = "user:1:password", value = "P@ssw0rd123". Unlike simple key-value stores that only handle strings, Redis has built-in support for a variety of complex data structures, including strings, lists, sets, hashes, sorted sets, etc. For developers, Redis is a powerful tool for caching, session management, and real-time data. For a pentester, it's often a treasure chest left wide open.
The Super Simple Analogy: A Public Whiteboard. When you're scanning a target and you see port 6379 open, your brain should immediately think: "There's a public whiteboard here. Is the door unlocked? And what's written on it?"
A server configuration directive (requirepass) is used for setting up a password. By default no password is set, and the port will accept connections from ANYONE on the internet. This misconfiguration is extremely common: the developers just installed it and forgot to secure it.
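To check your own server for the misconfiguration described above, the following added example (not part of the original write-up) audits the text of a redis.conf. The two sample configs are constructed, and the exposure rule is an assumption modelled on Redis 5.x, where protected mode only guards a server that has neither a bind directive nor a password.

```python
import ipaddress

# Constructed sample configs (not taken from the target machine).
WEAK_CONF = """\
# redis.conf as installed and then opened to the network
bind 0.0.0.0
protected-mode no
"""

HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
requirepass "use-a-long-random-secret-here"
"""

def parse_conf(text):
    """Return {directive: [args]}; the last occurrence of a directive wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        conf[name.lower()] = [a.strip('"') for a in args]
    return conf

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr.lstrip("-")).is_loopback
    except ValueError:
        return False  # hostnames and wildcards such as "*" count as non-loopback

def audit(text):
    """Return (findings, exposed) for the given redis.conf text."""
    conf = parse_conf(text)
    findings = []
    has_password = bool("".join(conf.get("requirepass", [])))
    bind = conf.get("bind")
    wide_bind = bind is not None and not all(is_loopback(a) for a in bind)
    protected = conf.get("protected-mode", ["yes"])[0].lower() == "yes"
    if not has_password:
        findings.append("requirepass is not set")
    if wide_bind:
        findings.append("bind includes a non-loopback address")
    if not protected:
        findings.append("protected-mode is disabled")
    # Assumption: Redis 5.x rule, protected mode only guards when no bind and no password.
    exposed = not has_password and (wide_bind or (bind is None and not protected))
    return findings, exposed
```

`audit(WEAK_CONF)` reports all three findings and marks the server as exposed; `audit(HARDENED_CONF)` returns no findings.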
The server
Redis runs as server-side software so its core functionality is in its server component. The server listens for connections from clients, programmatically or through the command-line interface.
The CLI
The command-line interface (CLI) is a powerful tool that gives you complete access to Redis's data and its functionalities if you are developing software or a tool that needs to interact with it.
Database
The database is stored in the server's RAM to enable fast data access. Redis also writes the contents of the database to disk at varying intervals to persist it as a backup, in case of failure.
redis-cli
To be able to interact remotely with the Redis server, we need to download the redis-cli utility using the following:
sudo apt install redis-tools
Alternatively, we can also connect to the Redis server using the netcat utility, but we will be using redis-cli in this write-up as it is more convenient to use.
P.S. The target was spawned more than once, hence the article might have screenshots from different IP addresses in different networks, but they represent the same target.
Check Hack the Box - Meow on how to connect to the VPN and spawn the machine.
TASK 1: Which TCP port is open on the machine? 6379
sudo nmap -p- -Pn <$IP> --min-rate 10000 -v
sudo nmap <$IP> -p- -sV
sudo nmap -p- <$IP>
TASK 2: Which service is running on the port that is open on the machine? redis
TASK 3: What type of database is Redis? Choose from the following options: (i) In-memory Database (ii) Traditional Database
TASK 4: Which command-line utility is used to interact with the Redis server? Enter the program name you would enter into the terminal without any arguments. redis-cli
TASK 5: Which flag is used with the Redis command-line utility to specify the hostname? -h
Connect to the Redis server with redis-cli:
redis-cli -h <$IP>
TASK 6: Once connected to a Redis server, which command is used to obtain the information and statistics about the Redis server? info
The keyspace section provides statistics on the main dictionary of each database. The statistics include the number of keys, and the number of keys with an expiration. In our case, under the Keyspace section, we can see that only one database exists with index 0.
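The fields read from the info output in this walkthrough (server version, per-database key counts) can be extracted with a small parser. This is an added example, not part of the original write-up; the sample output is constructed, with the version and key count matching the answers given here and the remaining values made up.

```python
# Constructed sample of `info` output; only redis_version and keys=4 mirror
# the write-up's answers, every other value is made up.
SAMPLE_INFO = """\
# Server
redis_version:5.0.7
redis_mode:standalone
tcp_port:6379

# Clients
connected_clients:1

# Keyspace
db0:keys=4,expires=0,avg_ttl=0
"""

def parse_info(text):
    """Split INFO output into {section: {field: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()  # also drops the \r of CRLF line endings
        if not line:
            continue
        if line.startswith("#"):
            current = sections.setdefault(line[1:].strip().lower(), {})
        elif ":" in line and current is not None:
            field, value = line.split(":", 1)
            current[field] = value
    return sections

def keyspace(sections):
    """Turn 'db0:keys=4,expires=0,avg_ttl=0' into {0: {'keys': 4, ...}}."""
    dbs = {}
    for name, stats in sections.get("keyspace", {}).items():
        if not name.startswith("db"):
            continue
        pairs = (item.split("=", 1) for item in stats.split(","))
        dbs[int(name[2:])] = {k: int(v) for k, v in pairs}
    return dbs

def summarize(text):
    """What any client allowed to run `info` learns: version and key counts."""
    sections = parse_info(text)
    version = sections.get("server", {}).get("redis_version")
    return version, {idx: s["keys"] for idx, s in keyspace(sections).items()}
```

Running `summarize` on output captured from your own server shows exactly what an unauthenticated client would learn from it.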
TASK 7: What is the version of the Redis server being used on the target machine? 5.0.7
TASK 8: Which command is used to select the desired database in Redis? select
To select a database we can use the select command:
select 0
TASK 9: How many keys are present inside the database with index 0? 4
TASK 10: Which command is used to obtain all the keys in a database? keys *
We can list all the keys present in the database using the command :
keys *
Submit Flag:
We can view the values stored for a corresponding key using the get command followed by the key name. I used get flag to see the value of the key named flag. And congratulations! We have successfully retrieved the flag value from the Redis database.
get <key>
On submitting it, you will receive the message "Redeemer has been Pwned" and the challenge is solved successfully.
Credits: HTB Official Write-up
Dear Gentle Reader feel free to reach out for queries and feedback.🥷