Redeemer

Recon

First nmap scan didn't return any results.

└─$ sudo nmap -sC -sV -oA nmap/nmap01 10.129.112.138
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-13 17:56 EDT
Nmap scan report for 10.129.112.138
Host is up (0.057s latency).
All 1000 scanned ports on 10.129.112.138 are in ignored states.
Not shown: 1000 closed tcp ports (reset)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.44 seconds

I'll scan again with -p- :)

10.129.112.138

Port      State  Service  Version
6379/tcp  open   redis    Redis key-value store 5.0.7

Enumeration

With only Redis as an open port, I imagine that's the only way in. I haven't really used redis-cli before, so I'll need to read some of their documentation.

└─$ redis-cli --help
redis-cli 7.0.7

Usage: redis-cli [OPTIONS] [cmd [arg [arg ...]]]
  -h <hostname>      Server hostname (default: 127.0.0.1).
  -p <port>          Server port (default: 6379).
  -s <socket>        Server socket (overrides hostname and port).
  -a <password>      Password to use when connecting to the server.
                     You can also use the REDISCLI_AUTH environment
                     variable to pass this password more safely
                     (if both are used, this argument takes precedence).
  --user <username>  Used to send ACL style 'AUTH username pass'. Needs -a.
  --pass <password>  Alias of -a for consistency with the new --user option.
  ---SNIP---

Connecting with no auth works, and using commands from https://lzone.de/cheat-sheet/Redis will yield some results.

└─$ redis-cli -h 10.129.112.138
10.129.112.138:6379> info
# Server
redis_version:*.*.7
---SNIP---
10.129.112.138:6379[1]> select 0
OK
10.129.112.138:6379> keys *
1) "numb"
2) "temp"
3) "flag"
4) "stor"
10.129.112.138:6379> GET "flag"
"03e****************53eb"
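
The session above works because the server accepts remote clients without a password. The following is an added example, not part of the original writeup: a small audit of a redis.conf that reports whether that condition holds. It assumes the Redis 5.x protected-mode rules (matching the 5.0.7 server seen here); the function names and both sample configs are constructed for illustration.

```python
import shlex

LOOPBACK = {"127.0.0.1", "::1"}

def parse_conf(text):
    """Map each directive to its arguments; a later line overrides an earlier one."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *args = shlex.split(line)
            conf[name.lower()] = args
    return conf

def audit(text):
    """Decide whether a Redis 5.x config lets unauthenticated remote clients in."""
    conf = parse_conf(text)
    password = "".join(conf.get("requirepass", []))
    bind = conf.get("bind", [])  # no bind directive: listen on all interfaces
    protected = conf.get("protected-mode", ["yes"])[0].lower() == "yes"
    listens_remotely = not bind or any(a not in LOOPBACK for a in bind)
    # Assumption (Redis 5.x): protected mode only rejects non-loopback clients
    # when there is neither an explicit bind nor a password.
    blocked = protected and not bind and not password
    return {
        "auth_required": bool(password),
        "listens_remotely": listens_remotely,
        "open_to_network": listens_remotely and not password and not blocked,
    }

# Constructed sample configs (not taken from the target in the writeup).
EXPOSED = """
# with an explicit bind and no password, 5.x protected mode does not apply
bind 0.0.0.0
protected-mode yes
port 6379
"""
HARDENED = """
bind 127.0.0.1 10.0.0.5
protected-mode yes
requirepass "constructed-long-random-secret"
"""

if __name__ == "__main__":
    for label, text in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(label, audit(text))
```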

Summary

A little more interesting, as I don't have any experience using redis-cli!