Lab Objective: Redeemer is the fourth machine in the Starting Point Tier 0 series. The goal is to find the flag by exploiting a misconfigured Redis database server — a volatile, in-memory key-value store designed for caching and fast data retrieval.
Important Considerations
- Redis is an In-Memory Database — volatile, stored as simple key-value pairs, and designed for caching. The flag will be stored as a value inside a key.
- The key tool here is redis-cli — a dedicated command-line client for the service. Install it with: sudo apt install redis-tools.
- The primary risk — sensitive data services must never be accessible without authentication, even if running on a non-standard port.
Enumeration
We start with Nmap using nmap -p- -sV {targetIP}. The -p- flag scans all 65,535 TCP ports; -sV detects service versions.
Task 1 — Which TCP port is open on the machine?
Answer: 6379. Confirmed via Nmap.
Task 2 — Which service is running on that port?
Answer: Redis. Redis (REmote DIctionary Server) is an open-source NoSQL key-value data store used as a database, cache, and message broker.
Task 3 — What type of database is Redis?
Answer: In-memory Database. The database is stored in the server's RAM for fast data access.
Task 4 — Which command-line utility interacts with the Redis server?
Answer: redis-cli. It provides complete access to all Redis functionalities.
Establishing a Foothold
Task 5 — Which flag specifies the hostname when using redis-cli?
Answer: -h. Connect with: redis-cli -h {targetIP}.
Task 6 — Once connected, which command retrieves server information and statistics?
Answer: info.
Task 7 — What version of Redis is running on the target?
Answer: 5.0.7.
Task 8 — Which command selects a database in Redis?
Answer: select. Redis supports multiple databases indexed by number.
Task 9 — How many keys are present in database index 0?
Answer: 4.
Task 10 — Which command retrieves all keys in a database?
Answer: keys *. Use the get command on each key in turn — one of them will contain the flag.
Final Thoughts
- If a complex service is exposed, use its native client rather than generic tools.
- In a key-value store, critical data is often named obviously — flag, password, secret. The exploitation path is simply: discover, select, retrieve.
- The primary security lesson: sensitive data services must never be accessible without authentication, regardless of which port they run on.
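
To act on that lesson from the defender's side, the following added example (not part of the original writeup) audits a redis.conf for the misconfiguration this lab relies on. The two sample configs are constructed, the function names are hypothetical, and the check is a simplified, conservative model that looks only at the bind, protected-mode and requirepass directives.

```python
import ipaddress

# Constructed sample configs for illustration (not taken from the lab target).
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass "REPLACE_WITH_LONG_RANDOM_SECRET"
"""

def parse_conf(text):
    """Return {directive: [args]}; a later occurrence overrides an earlier one."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf[parts[0].lower()] = [p.strip('"') for p in parts[1:]]
    return conf

def is_loopback(addr):
    """True only for literal loopback addresses; '*' and anything unparsable is not."""
    try:
        return ipaddress.ip_address(addr.lstrip("-")).is_loopback
    except ValueError:
        return False

def audit(text):
    conf = parse_conf(text)
    binds = conf.get("bind", [])
    has_password = bool((conf.get("requirepass") or [""])[0])
    protected = (conf.get("protected-mode") or ["yes"])[0].lower() == "yes"
    remote = [b for b in binds if not is_loopback(b)]
    checks = (("no-requirepass", not has_password),
              ("protected-mode-off", not protected),
              ("non-loopback-bind", bool(remote)))
    findings = [name for name, hit in checks if hit]
    # Conservative verdict: no password plus a remotely reachable listener.
    exposed = not has_password and (bool(remote) or (not binds and not protected))
    return {"findings": findings, "open_to_network": exposed}

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf))
```

Redis 6 and later also support ACL users, which this check does not model.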