Red is Dead

  • Daily Challenge
  • Released 30 Jun 2025

Solution Steps

0. Required Tools Installation

Before starting, you'll need to install the required tools:

Installing nmap:

# On Ubuntu/Debian:
sudo apt update
sudo apt install nmap

# On CentOS/RHEL/Fedora:
sudo yum install nmap
# or
sudo dnf install nmap

# On macOS:
brew install nmap

# On Windows:
# Download from https://nmap.org/download.html

Installing redis-cli:

# On Ubuntu/Debian:
sudo apt update
sudo apt install redis-tools

# On CentOS/RHEL/Fedora:
sudo yum install redis
# or
sudo dnf install redis

# On macOS:
brew install redis

# On Windows:
# Download from https://github.com/microsoftarchive/redis/releases
# or use WSL with Ubuntu

1. Understanding the Challenge

This challenge simulates a real-world penetration testing scenario where you need to discover and analyze an exposed service. The flag is hidden within a database service that needs to be discovered and exploited.

2. Network Reconnaissance

First, we need to discover what services are running on the target. In a real pentest, you would start with port scanning:

Step 2.1: Port Scanning

# Full TCP port scan to discover open ports (skip the ping check; -sS is a SYN scan and needs root)
sudo nmap -Pn -sS -p- <target-ip>

# Or scan common ports only (skip ping)
sudo nmap -Pn -sS -p 21,22,23,25,53,80,110,111,135,139,143,443,993,995,1723,3306,3389,5900,6379,8080 <target-ip>

# Service version detection on the Redis port (skip ping)
nmap -Pn -sV -p 6379 <target-ip>

Step 2.2: Service Discovery Results

After scanning, you would discover that port 6379 is open. Running a service version scan would reveal:

6379/tcp open  redis   Redis key-value store 7.4.4

3. Redis Service Analysis

Once you discover Redis is running, you need to understand what it is and how to interact with it:

Step 3.1: Understanding Redis

Redis is an in-memory data structure store that can be used as a database, cache, and message broker. It supports various data types including strings, hashes, lists, sets, and sorted sets.

Step 3.2: Connecting to Redis

# Connect to Redis using redis-cli
redis-cli -h <target-ip> -p 6379

# Or if authentication is required (not in this case)
redis-cli -h <target-ip> -p 6379 -a [password]

# Test the connection
PING
# Should return: PONG

4. Database Exploration

Once connected to Redis, start exploring the database structure:

Step 4.1: Basic Database Information

# Get Redis server information
INFO

# Check database statistics
INFO keyspace

# List all keys in the current database
# (KEYS * blocks the server while it runs; on large or production datasets use SCAN instead)
KEYS *

Step 4.2: Exploring Different Databases

# Redis supports multiple logical databases (16 by default, numbered 0-15; the count is set by the "databases" directive)
# Switch to a different database
SELECT 0
SELECT 1
SELECT 2
# ... and so on

# Check each database for keys
KEYS *

5. Data Discovery and Analysis

After exploring, you'll find various keys in the database. Let's analyze them systematically:

Step 5.1: Analyzing String Data

# Get the value of a string key
GET secret_flag
# Returns: YmQ5NWNkNjktZjRjMS00OTkwLWIxNDYtYjEzNWM3MDRkY2Vk

# This looks like base64 encoded data

Step 5.2: Analyzing Hash Data

# Get all fields from the hash
HGETALL hidden_data
# Returns:
# part1 -> 62643935636436392d663463312d343939302d
# part2 -> 623134362d623133356337303464636564
# hint -> hex_encoded_flag_parts

# The hint reveals these are hex-encoded flag parts

Step 5.3: Analyzing List Data

# Get all elements from the list
LRANGE encoded_parts 0 -1
# Returns:
# YmQ5NWNkNjktZjRjMS00OTkwLWIxNDYtYjEzNWM3MDRkY2Vk
# 623134362d623133356337303464636564
# 62643935636436392d663463312d343939302d

Step 5.4: Analyzing Set Data

# Get all members from the set
SMEMBERS flag_pieces
# Returns:
# YmQ5NWNkNjktZjRjMS00OTkwLWIxNDYtYjEzNWM3MDRkY2Vk
# base64_encoded_flag
# bd95cd69-f4c1-4990-b146-b135c704dced

# Interesting! One of the set members looks like a UUID

6. Data Decoding

Now we need to decode the various encoded data we found:

Step 6.1: Base64 Decoding

# Decode the base64 string from secret_flag
echo "YmQ5NWNkNjktZjRjMS00OTkwLWIxNDYtYjEzNWM3MDRkY2Vk" | base64 -d
# Returns: bd95cd69-f4c1-4990-b146-b135c704dced

# This looks like a UUID! Let's verify it's the flag

Step 6.2: Hex Decoding (Alternative Path)

# Decode the hex parts from hidden_data
echo "62643935636436392d663463312d343939302d" | xxd -r -p
# Returns: bd95cd69-f4c1-4990-
echo "623134362d623133356337303464636564" | xxd -r -p
# Returns: b146-b135c704dced

# Concatenate part1 and part2 to form the complete flag

Step 6.3: Verification

We found the same UUID in the set data: bd95cd69-f4c1-4990-b146-b135c704dced

This confirms it's the correct flag!
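The three decoding paths above (base64 string, hex hash parts, UUID set member) can be checked against each other in one script. This is an added example, not part of the original walkthrough: it embeds the values read from Redis as constructed sample data so it runs offline, and it only reports success when every path yields the same well-formed UUID.

```python
import base64
import binascii
import uuid

# Constructed sample data: the values the walkthrough reads from the Redis
# keys secret_flag, hidden_data and flag_pieces, embedded here so the
# script runs without a server.
SECRET_FLAG_B64 = "YmQ5NWNkNjktZjRjMS00OTkwLWIxNDYtYjEzNWM3MDRkY2Vk"
HIDDEN_DATA_HASH = {
    "part1": "62643935636436392d663463312d343939302d",
    "part2": "623134362d623133356337303464636564",
    "hint": "hex_encoded_flag_parts",
}
FLAG_PIECES_SET = {
    "YmQ5NWNkNjktZjRjMS00OTkwLWIxNDYtYjEzNWM3MDRkY2Vk",
    "base64_encoded_flag",
    "bd95cd69-f4c1-4990-b146-b135c704dced",
}


def decode_base64_flag(value: str) -> str:
    """Equivalent of `base64 -d`; validate=True rejects stray characters instead of skipping them."""
    return base64.b64decode(value, validate=True).decode("ascii")


def decode_hex_parts(parts: dict) -> str:
    """Equivalent of `xxd -r -p` on part1, part2, ... joined in numeric order; non-part fields (hint) are ignored."""
    ordered = sorted((k for k in parts if k.startswith("part")), key=lambda k: int(k[4:]))
    return "".join(binascii.unhexlify(parts[k]).decode("ascii") for k in ordered)


def is_uuid(value: str) -> bool:
    """True only for a canonical 8-4-4-4-12 hex UUID string."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def recover_flag(b64_value: str, hash_value: dict, set_members: set) -> str:
    """Decode every path and require them to agree on a single UUID."""
    candidates = {decode_base64_flag(b64_value), decode_hex_parts(hash_value)}
    candidates |= {m for m in set_members if is_uuid(m)}
    if len(candidates) != 1 or not all(is_uuid(c) for c in candidates):
        raise ValueError(f"decoding paths disagree or are not UUIDs: {sorted(candidates)}")
    return candidates.pop()


if __name__ == "__main__":
    print("flag:", recover_flag(SECRET_FLAG_B64, HIDDEN_DATA_HASH, FLAG_PIECES_SET))
```

Requiring agreement between independent encodings is the same check described in Step 6.3, just automated: a single decoding that "looks like a UUID" is weaker evidence than three encodings that all reduce to the same value.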

7. Real-World Context

This scenario is realistic because:

  • Exposed Redis Instances - Redis servers are often left exposed without authentication
  • Default Port - Redis runs on port 6379 by default
  • Data Exposure - Unsecured Redis instances can contain sensitive data
  • Encoding - Real applications often encode sensitive data
  • Version Information - Redis 7.4.4 is a recent version, showing this could be a production system

8. Security Implications

Exposed Redis instances are a common security issue:

  • Data Breach - Unauthorized access to sensitive data
  • Data Manipulation - Ability to modify or delete data
  • Information Disclosure - Revealing application structure and data
  • Privilege Escalation - Access to session data, tokens, etc.

9. Prevention and Mitigation

To prevent Redis exposure:

  • Network Security - Use firewalls to restrict access
  • Authentication - Enable Redis authentication
  • Encryption - Use SSL/TLS for Redis connections
  • Access Control - Implement proper access controls
  • Monitoring - Monitor Redis access and usage
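The mitigations above map onto a handful of redis.conf directives. The following is an added example, not part of the original walkthrough or of Redis itself: it parses a redis.conf text and flags the weak settings an exposed instance typically has (listening on all interfaces, protected mode off, no password, no TLS, dangerous commands left enabled), shown against a hardened version of the same file. Both config samples are constructed; the certificate paths and password are placeholders.

```python
WEAK_CONF = """\
# constructed sample: the state an exposed instance is usually found in
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """\
# constructed sample: the same instance after applying the mitigations
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass REPLACE-WITH-A-LONG-RANDOM-PASSWORD
rename-command FLUSHALL ""
rename-command CONFIG ""
tls-port 6380
tls-cert-file /etc/redis/tls/redis.crt
tls-key-file /etc/redis/tls/redis.key
"""


def parse_redis_conf(text: str) -> dict:
    """Map each directive to a list of its argument strings (rename-command may repeat)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, args = line.partition(" ")
        conf.setdefault(directive.lower(), []).append(args.strip())
    return conf


def audit_redis_conf(text: str) -> list:
    """Return one finding per weak setting; an empty list means the checks all pass."""
    conf = parse_redis_conf(text)
    findings = []

    # Network security: with no bind line Redis listens on every interface
    binds = conf.get("bind", [])
    addrs = " ".join(binds).split()
    if not addrs or "0.0.0.0" in addrs or "*" in addrs or "::" in addrs:
        findings.append("bind: listens on all interfaces; bind to loopback or an internal address")

    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")

    # Authentication: either a legacy password or ACL users must exist
    if "requirepass" not in conf and "user" not in conf:
        findings.append("auth: no requirepass and no ACL users configured")

    # Encryption: without a tls-port every client connection is cleartext
    if "tls-port" not in conf:
        findings.append("tls: no tls-port configured; connections are cleartext")

    # Access control: destructive or config-changing commands should be renamed or disabled
    renamed = [a.lower() for a in conf.get("rename-command", [])]
    for cmd in ("flushall", "config"):
        if not any(r.startswith(cmd) for r in renamed):
            findings.append(f"{cmd.upper()}: not renamed or disabled")

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(text) or "OK")
```

On Redis 6 and later, per-user ACLs (the "user" directive or the ACL command) are the preferred way to restrict commands; rename-command is checked here because it is still widely deployed. Monitoring, the last bullet above, is not a configuration setting and is left to log and connection review.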

10. Advanced Redis Commands for Forensics

Useful commands for Redis forensics:

# Database information
INFO
INFO keyspace
INFO memory

# Key analysis
TYPE key_name
TTL key_name
OBJECT encoding key_name

# Pattern matching
KEYS pattern*
SCAN cursor

# Data inspection
DEBUG OBJECT key_name
# (DEBUG is disabled on many Redis 7 deployments via enable-debug-command)
MEMORY USAGE key_name

# Database switching
SELECT [0-15]

# Data type specific commands
# For strings: GET, STRLEN
# For hashes: HGET, HGETALL, HLEN
# For lists: LLEN, LRANGE, LINDEX
# For sets: SCARD, SMEMBERS, SISMEMBER
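The INFO output used in Step 4.1 and in the forensics list above is a plain "key:value" text grouped under "# Section" headers, so it is easy to parse into a triage summary (server version, uptime, client count, and which logical databases actually hold keys, which tells you where to SELECT next). This is an added example, not part of the original walkthrough; the INFO text is a constructed sample modelled on the real format, including the CRLF line endings a live server sends.

```python
SAMPLE_INFO = (
    "# Server\r\n"
    "redis_version:7.4.4\r\n"
    "redis_mode:standalone\r\n"
    "tcp_port:6379\r\n"
    "uptime_in_seconds:86400\r\n"
    "\r\n"
    "# Clients\r\n"
    "connected_clients:3\r\n"
    "\r\n"
    "# Keyspace\r\n"
    "db0:keys=4,expires=0,avg_ttl=0\r\n"
    "db1:keys=12,expires=3,avg_ttl=3600000\r\n"
)  # constructed sample, not captured from the lab


def parse_info(text: str) -> dict:
    """Parse INFO output into {section: {field: value}}; sections start at '# Name' lines."""
    sections, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()  # strips the \r of CRLF endings too
        if not line:
            continue
        if line.startswith("#"):
            current = line[1:].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition(":")
        if sep:
            sections.setdefault(current, {})[key] = value
    return sections


def keyspace_summary(info: dict) -> list:
    """Return (db_number, keys, expires) for every non-empty database, lowest db first."""
    rows = []
    for db, value in info.get("Keyspace", {}).items():
        fields = dict(item.split("=", 1) for item in value.split(","))
        rows.append((int(db[2:]), int(fields["keys"]), int(fields["expires"])))
    return sorted(rows)


def triage(info: dict) -> dict:
    """Pull the fields an incident responder looks at first."""
    server = info.get("Server", {})
    return {
        "version": server.get("redis_version", "?"),
        "uptime_s": int(server.get("uptime_in_seconds", 0)),
        "clients": int(info.get("Clients", {}).get("connected_clients", 0)),
        "databases_with_keys": [db for db, keys, _ in keyspace_summary(info) if keys > 0],
    }


if __name__ == "__main__":
    parsed = parse_info(SAMPLE_INFO)
    print(triage(parsed))
    for db, keys, expires in keyspace_summary(parsed):
        print(f"db{db}: {keys} keys, {expires} with TTL")
```

INFO only lists databases that contain keys, so a database absent from the Keyspace section is empty and does not need a SELECT/SCAN pass; the expires count is worth noting during forensics because keys with a TTL can disappear while the investigation is still running.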

Flag

The flag is: bd95cd69-f4c1-4990-b146-b135c704dced

Learning Objectives

This challenge teaches:

  • Network reconnaissance and service discovery
  • Redis database structure and commands
  • Database forensics techniques
  • Data encoding and decoding methods
  • Multiple data type analysis
  • Real-world penetration testing scenarios
  • Data recovery and reconstruction
  • Security implications of exposed services
  • Incident response for database systems
  • Prevention and mitigation strategies