Lab Icon

Red is Dead

Challenge 30 Jun 2025 Pro Exclusive Solution Available

Start the machine, hack the system, and find the hidden flags to complete this challenge and earn points!

1
Flags
5
Points
82%
Success Rate
Start Your Challenge
~1-2 min setup
Dedicated server
Private instance
Industry standard
This solution is for Flags Mode

This walkthrough explains how to hack the lab and capture the flags. For help with Learning Mode questions, use the Request Hint button next to each question.

Challenge

Solution Steps

0. Required Tools Installation

Before starting, you'll need to install the required tools:

Installing nmap:

# On Ubuntu/Debian:
sudo apt update
sudo apt install nmap

# On CentOS/RHEL/Fedora:
sudo yum install nmap
# or
sudo dnf install nmap

# On macOS:
brew install nmap

# On Windows:
# Download from https://nmap.org/download.html

Installing redis-cli:

# On Ubuntu/Debian:
sudo apt update
sudo apt install redis-tools

# On CentOS/RHEL/Fedora:
sudo yum install redis
# or
sudo dnf install redis

# On macOS:
brew install redis

# On Windows:
# Download from https://github.com/microsoftarchive/redis/releases
# or use WSL with Ubuntu

1. Understanding the Challenge

This challenge simulates a real-world penetration testing scenario where you need to discover and analyze an exposed service. The flag is hidden within a database service that needs to be discovered and exploited.

2. Network Reconnaissance

First, we need to discover what services are running on the target. In a real pentest, you would start with port scanning:

Step 2.1: Port Scanning

# Basic port scan to discover open ports (skip ping)
nmap -Pn -sS -p- <target-ip>

# Or scan common ports (skip ping)
nmap -Pn -sS -p 21,22,23,25,53,80,110,111,135,139,143,443,993,995,1723,3306,3389,5900,6379,8080 <target-ip>

# Service version detection (skip ping)
nmap -Pn -sV -p 6379 <target-ip>

Step 2.2: Service Discovery Results

After scanning, you would discover that port 6379 is open. Running a service version scan would reveal:

6379/tcp open  redis   Redis key-value store 7.4.4

3. Redis Service Analysis

Once you discover Redis is running, you need to understand what it is and how to interact with it:

Step 3.1: Understanding Redis

Redis is an in-memory data structure store that can be used as a database, cache, and message broker. It supports various data types including strings, hashes, lists, sets, and sorted sets.

Step 3.2: Connecting to Redis

# Connect to Redis using redis-cli
redis-cli -h <target-ip> -p 6379

# Or if authentication is required (not in this case)
redis-cli -h <target-ip> -p 6379 -a [password]

# Test the connection
PING
# Should return: PONG

4. Database Exploration

Once connected to Redis, start exploring the database structure:

Step 4.1: Basic Database Information

# Get Redis server information
INFO

# Check database statistics
INFO keyspace

# List all keys in the current database
KEYS *

Step 4.2: Exploring Different Databases

# Redis supports multiple databases (0-15)
# Switch to different databases
SELECT 0
SELECT 1
SELECT 2
# ... and so on

# Check each database for keys
KEYS *

5. Data Discovery and Analysis

After exploring, you'll find various keys in the database. Let's analyze them systematically:

Step 5.1: Analyzing String Data

# Get the value of a string key
GET secret_flag
# Returns: YmQ5NWNkNjktZjRjMS00OTkwLWIxNDYtYjEzNWM3MDRkY2Vk

# This looks like base64 encoded data

Step 5.2: Analyzing Hash Data

# Get all fields from the hash
HGETALL hidden_data
# Returns:
# part1 -> 62643935636436392d663463312d343939302d
# part2 -> 623134362d623133356337303464636564
# hint -> hex_encoded_flag_parts

# The hint reveals these are hex-encoded flag parts

Step 5.3: Analyzing List Data

# Get all elements from the list
LRANGE encoded_parts 0 -1
# Returns:
# YmQ5NWNkNjktZjRjMS00OTkwLWIxNDYtYjEzNWM3MDRkY2Vk
# 623134362d623133356337303464636564
# 62643935636436392d663463312d343939302d

Step 5.4: Analyzing Set Data

# Get all members from the set
SMEMBERS flag_pieces
# Returns:
# YmQ5NWNkNjktZjRjMS00OTkwLWIxNDYtYjEzNWM3MDRkY2Vk
# base64_encoded_flag
# bd95cd69-f4c1-4990-b146-b135c704dced

# Interesting! One of the set members looks like a UUID

6. Data Decoding

Now we need to decode the various encoded data we found:

Step 6.1: Base64 Decoding

# Decode the base64 string from secret_flag
echo "YmQ5NWNkNjktZjRjMS00OTkwLWIxNDYtYjEzNWM3MDRkY2Vk" | base64 -d
# Returns: bd95cd69-f4c1-4990-b146-b135c704dced

# This looks like a UUID! Let's verify it's the flag

Step 6.2: Hex Decoding (Alternative Path)

# Decode the hex parts from hidden_data
echo "62643935636436392d663463312d343939302d" | xxd -r -p
echo "623134362d623133356337303464636564" | xxd -r -p

# Combine the parts to form the complete flag

Step 6.3: Verification

We found the same UUID in the set data: bd95cd69-f4c1-4990-b146-b135c704dced

This confirms it's the correct flag!

7. Real-World Context

This scenario is realistic because:

  • Exposed Redis Instances - Redis servers are often left exposed without authentication
  • Default Port - Redis runs on port 6379 by default
  • Data Exposure - Unsecured Redis instances can contain sensitive data
  • Encoding - Real applications often encode sensitive data
  • Version Information - Redis 7.4.4 is a recent version, showing this could be a production system

8. Security Implications

Exposed Redis instances are a common security issue:

  • Data Breach - Unauthorized access to sensitive data
  • Data Manipulation - Ability to modify or delete data
  • Information Disclosure - Revealing application structure and data
  • Privilege Escalation - Access to session data, tokens, etc.

9. Prevention and Mitigation

To prevent Redis exposure:

  • Network Security - Use firewalls to restrict access
  • Authentication - Enable Redis authentication
  • Encryption - Use SSL/TLS for Redis connections
  • Access Control - Implement proper access controls
  • Monitoring - Monitor Redis access and usage

10. Advanced Redis Commands for Forensics

Useful commands for Redis forensics:

# Database information
INFO
INFO keyspace
INFO memory

# Key analysis
TYPE key_name
TTL key_name
OBJECT encoding key_name

# Pattern matching
KEYS pattern*
SCAN cursor

# Data inspection
DEBUG OBJECT key_name
MEMORY USAGE key_name

# Database switching
SELECT [0-15]

# Data type specific commands
# For strings: GET, STRLEN
# For hashes: HGET, HGETALL, HLEN
# For lists: LLEN, LRANGE, LINDEX
# For sets: SCARD, SMEMBERS, SISMEMBER

Flag

The flag is: bd95cd69-f4c1-4990-b146-b135c704dced

Learning Objectives

This challenge teaches:

  • Network reconnaissance and service discovery
  • Redis database structure and commands
  • Database forensics techniques
  • Data encoding and decoding methods
  • Multiple data type analysis
  • Real-world penetration testing scenarios
  • Data recovery and reconstruction
  • Security implications of exposed services
  • Incident response for database systems
  • Prevention and mitigation strategies