Redeemer - Hack The Box - Writeup

Recon

First we launch an nmap scan to find the open ports on the machine and export the results in a format we can filter with grep.

Then, with a script written in bash, we extract the interesting ports discovered by the scan.

So we know the ports, but we don't know the service and version running on them. How do we find that out?

We launch a more exhaustive nmap scan.

From the scan we obtain the service and its version: it's Redis.

Vuln Redis

Redis is an open source (BSD licensed), in-memory data structure store used as a database, cache, message broker, and streaming engine.

Then research, in your favorite browser, vulnerabilities in Redis or how to pentest port 6379.

Let's enumerate it with an nmap script written in Lua.

Let's enumerate manually with netcat.

And we are inside the Redis databases.

Flag

The first thing we should do is run the info command to get some useful information about the database and its configuration.

But we can specify the keyspace section to list only the databases.

We have only one database with 4 keys. To obtain more information, list the keys.

To read the flag, use the get command with the name of the key.

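As an added example (not part of the original writeup), the Python below shows what the info keyspace, keys and get steps look like on the wire: it frames commands in RESP, parses the replies, and classifies an instance as exposed or protected from its answer to an INFO keyspace sent without AUTH. The reply bytes and key names are constructed samples, and all function names are hypothetical.

```python
# Added example. Every reply below is a constructed sample, not captured output.
class RedisError(Exception): pass  # raised for a RESP error reply ('-' line)

def encode_command(*args):  # RESP array of bulk strings, as redis-cli frames it
    out = b"*%d\r\n" % len(args)
    for arg in args:
        data = arg.encode()
        out += b"$%d\r\n%s\r\n" % (len(data), data)
    return out

def parse_reply(buf, pos=0):  # parse one RESP2 reply, return (value, next_pos)
    end = buf.index(b"\r\n", pos)
    kind, line, pos = buf[pos:pos + 1], buf[pos + 1:end], end + 2
    if kind == b"+":                      # simple string
        return line.decode(), pos
    if kind == b"-":                      # error, e.g. NOAUTH
        raise RedisError(line.decode())
    if kind == b":":                      # integer
        return int(line), pos
    if kind == b"$":                      # bulk string, $-1 is a missing key
        n = int(line)
        return (None, pos) if n < 0 else (buf[pos:pos + n].decode(), pos + n + 2)
    if kind == b"*":                      # array, e.g. the KEYS reply
        items = []
        for _ in range(int(line)):
            item, pos = parse_reply(buf, pos)
            items.append(item)
        return items, pos
    raise ValueError("unknown RESP type: %r" % kind)

def parse_keyspace(info_text):  # 'db0:keys=4,...' lines -> {db: {field: int}}
    dbs = {}
    for line in info_text.splitlines():
        if line.startswith("db") and ":" in line:
            name, fields = line.split(":", 1)
            dbs[name] = {k: int(v) for k, v in (f.split("=") for f in fields.split(","))}
    return dbs

def audit_keyspace_reply(raw):
    """Classify the reply to INFO keyspace sent without AUTH."""
    try:
        info, _ = parse_reply(raw)
    except RedisError as err:
        return ("protected" if str(err).startswith("NOAUTH") else "error"), {}
    return "exposed", parse_keyspace(info)

bulk = lambda payload: b"$%d\r\n%s\r\n" % (len(payload), payload)
OPEN_REPLY = bulk(b"# Keyspace\r\ndb0:keys=4,expires=0,avg_ttl=0\r\n")
NOAUTH_REPLY = b"-NOAUTH Authentication required.\r\n"
KEYS_REPLY = b"*4\r\n" + b"".join(bulk(k) for k in (b"key1", b"key2", b"key3", b"flag"))
```

An instance that answers like `OPEN_REPLY` hands its whole keyspace to any client that can reach the port; setting `requirepass` or ACLs and binding Redis to a trusted interface produces the `NOAUTH_REPLY` case instead.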

And congratulations, you have pwned the machine Redeemer.