🔴 Hack The Box Starting Point: Redeemer Walkthrough

Welcome to the final walkthrough in our Hack The Box Starting Point Tier 0 series. If you completed Meow, Fawn, and Dancing, you've learned about telnet, FTP, and SMB enumeration. Now we're moving on to Redeemer, which introduces you to Redis—an in-memory database that's commonly exposed and misconfigured.

Redeemer completes Tier 0 by teaching you how to enumerate and interact with database services. You'll learn about Redis, NoSQL databases, and how exposed databases can lead to data breaches.

By the end of this post, you'll understand:

What Redis is and how it works
How to identify Redis services
How to connect to and interact with Redis
Database enumeration techniques
The risks of exposed databases
How to retrieve data from Redis

Let's get started.

🎯 The Objective

Redeemer is a very easy Linux machine that teaches Redis database enumeration and interaction. Your goal is to:

Connect to the HTB network and spawn the machine
Enumerate the target to find Redis running
Connect to the Redis server
Enumerate databases and keys
Retrieve the flag

What you'll learn:

Redis database basics
Port scanning and service identification
Redis client usage
Database enumeration
Key-value database concepts

Difficulty: Very Easy (Tier 0)

🔍 Initial Setup

Connecting to HTB Network

If you haven't already, connect to the HTB network using OpenVPN (or use Pwnbox). Make sure you're connected before proceeding.

Spawning the Machine

Go to the Starting Point page
Find the Redeemer machine
Click "Spawn Machine" — this starts the vulnerable VM
Wait a minute or two for it to boot up
Note the target IP address — you'll need this for all your commands

📡 Step 1: Reconnaissance

Verifying Connectivity with Ping

First, let's verify we can reach the target machine using ping:

ping -c 4 <target_ip>

Expected output:

PING <target_ip> (<target_ip>) 56(84) bytes of data.
64 bytes from <target_ip>: icmp_seq=1 ttl=63 time=XX ms
64 bytes from <target_ip>: icmp_seq=2 ttl=63 time=XX ms
64 bytes from <target_ip>: icmp_seq=3 ttl=63 time=XX ms
64 bytes from <target_ip>: icmp_seq=4 ttl=63 time=XX ms

--- <target_ip> ping statistics ---
4 packets transmitted, 4 received, 0% packet loss

If you see responses, you're connected!

🔍 Step 2: Port Scanning

Finding Open Ports with Nmap

Now let's scan for open ports using nmap:

nmap -sV <target_ip>

What this does:

nmap — Port scanning tool
-sV — Version detection (identifies service versions and OS)
<target_ip> — The target machine's IP address

Expected output:

Starting Nmap 7.94 ( https://nmap.org ) at 2026-02-01 12:00 UTC
Nmap scan report for <target_ip>
Host is up (0.XXs latency).
Not shown: 999 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
6379/tcp open  redis   Redis key-value store 5.0.7

What we learned:

Which TCP port is open on the machine? → Port 6379 is open
Which service is running on the port that is open on the machine? → redis is running

Understanding Redis

What is Redis? Redis (Remote Dictionary Server) is an open-source, in-memory data structure store. It's commonly used as a database, cache, and message broker.

What type of database is Redis? Choose from: (i) In-memory Database, (ii) Traditional Database → Redis is an In-memory Database.

Key characteristics of Redis:

In-memory storage — Data stored in RAM for fast access
Key-value store — Simple data model (key → value)
NoSQL database — Non-relational, doesn't use SQL
High performance — Extremely fast read/write operations
Persistence options — Can save data to disk (optional)
Multiple data types — Strings, lists, sets, hashes, etc.

Common use cases:

Caching (web applications, APIs)
Session storage
Real-time analytics
Message queues
Leaderboards and counters

Default port: Redis typically runs on port 6379 (chosen because it spells "MERZ" on a phone keypad, a reference to an old German TV show).

Security considerations:

Redis often runs without authentication by default
Should only be accessible from trusted networks
Exposed Redis instances can lead to:
- Data exposure
- Data manipulation
- Remote code execution (in some configurations)
- Cache poisoning attacks

🚨 Step 3: Redis Enumeration

Connecting to Redis

Now that we know Redis is running, let's connect to it. Which command-line utility is used to interact with the Redis server? Enter the program name you would enter into the terminal without any arguments. → redis-cli

The redis-cli command is the Redis command-line interface—a tool for interacting with Redis servers.

Which flag is used with the Redis command-line utility to specify the hostname? → -h

The command to connect to Redis is:

redis-cli -h <target_ip>

What this does:

redis-cli — Redis command-line interface
-h — Specify hostname (target IP address)
<target_ip> — Target machine IP address

Expected output:

<target_ip>:6379>

Success! We're connected to the Redis server. The :6379> prompt means we're in the Redis CLI and can run Redis commands.

Note: If Redis requires authentication, you'd use -a <password> flag, but this instance doesn't require authentication (which is the vulnerability).

Understanding Redis Commands

Once connected, you're in an interactive Redis shell. Redis commands are simple and follow patterns like:

COMMAND key [arguments]
Commands are case-insensitive (though convention uses uppercase)
Most commands return simple responses (strings, integers, arrays)

📊 Step 4: Gathering Server Information

Using the INFO Command

Once connected to a Redis server, which command is used to obtain the information and statistics about the Redis server? → info

Let's gather information about the Redis server:

INFO

What this does:

INFO — Returns information and statistics about the Redis server
Provides details about server, clients, memory, persistence, etc.

Expected output:

# Server
redis_version:5.0.7
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:...
redis_mode:standalone
os:Linux 5.4.0-74-generic x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:9.3.0
process_id:1
run_id:...
tcp_port:6379
uptime_in_seconds:...
uptime_in_days:...
hz:10
configured_hard_limit:...
client_recent_max_input_buffer:...
client_recent_max_output_buffer:...
...

What we learned:

What is the version of the Redis server being used on the target machine? → 5.0.7

Key information from INFO:

redis_version — Version number (important for vulnerability research)
os — Operating system
tcp_port — Port Redis is listening on
connected_clients — Number of connected clients
used_memory — Memory usage
keyspace — Number of databases and keys

Understanding Redis Versions

Redis 5.0.7 is from 2019. While not the latest, it's important to:

Check for known vulnerabilities in this version
Understand feature availability
Know compatibility with tools and exploits

Note: Always check Redis version during enumeration—older versions may have known vulnerabilities.

🗄️ Step 5: Database Selection

Understanding Redis Databases

Redis supports multiple databases (numbered 0-15 by default). Each database is independent and can contain different keys.

Which command is used to select the desired database in Redis? → select

The default database is 0. Let's make sure we're in database 0:

SELECT 0

What this does:

SELECT — Switches to the specified database
0 — Database index (0 is the default)

Expected output:

OK

Understanding Redis databases:

Databases are numbered starting from 0
Default is database 0
Each database is isolated (keys don't overlap)
You can have up to 16 databases (0-15) by default
Configuration can change the number of databases

🔑 Step 6: Enumerating Keys

Listing All Keys

Now let's see what keys are stored in this database. Which command is used to obtain all the keys in a database? → keys *

KEYS *

What this does:

KEYS — Lists keys matching a pattern
* — Wildcard pattern (matches all keys)

Expected output:

1) "flag"
2) "numbat"
3) "second"
4) "temp"

What we learned:

How many keys are present inside the database with index 0? → There are 4 keys:
1. flag — This is likely what we're looking for!
2. numbat
3. second
4. temp

Understanding Redis Keys

What are keys?

Keys are identifiers for values stored in Redis
Keys are strings (can contain any binary data)
Each key maps to a value (string, list, set, hash, etc.)
Keys are unique within a database

Key naming conventions:

Often use colons as separators: user:123:name
Descriptive names: flag, session:abc123
Can be any string

🏴 Step 7: Retrieving the Flag

Reading Key Values

Now let's retrieve the value of the flag key. The command to get a value is GET:

GET flag

What this does:

GET — Retrieves the value of a key
flag — The key name

Expected output:

"<flag_content>"

Success! You've found the flag. Copy this and submit it on the HTB platform to mark the machine as complete.

Exploring Other Keys

Let's also check the other keys to understand what's stored:

GET numbat
GET second
GET temp

These might contain additional information or just be example data. The important thing is we found the flag!

Exiting Redis

To exit the Redis CLI:

exit

Or press Ctrl+C or Ctrl+D.

✅ HTB Task Answers Summary

If you're working through HTB's questions, here are the answers:

Which TCP port is open on the machine? → 6379
Which service is running on the open port? → redis
What type of database is Redis? → In-memory Database
Which command-line utility interacts with Redis? → redis-cli
Which flag specifies the hostname? → -h
Which command obtains server information? → info
What is the Redis server version? → 5.0.7
Which command selects a database? → select
How many keys are in database 0? → 4
Which command lists all keys? → **keys ***

💡 Key Takeaways

What You Learned

Redis basics — In-memory database, port 6379, key-value store
Service identification — Recognizing Redis from port scans
Redis client usage — Connecting with redis-cli -h
Server enumeration — Using INFO to gather server details
Database navigation — Using SELECT to switch databases
Key enumeration — Using KEYS * to list all keys
Data retrieval — Using GET to read key values

Why This Matters in Real Penetration Testing

Exposed Redis instances are a common finding in:

Cloud environments (AWS, Azure, GCP)
Docker containers with exposed ports
Development and staging environments
Misconfigured production systems

What this teaches you:

Always check for exposed database services
Understand that databases shouldn't be publicly accessible
Know how to enumerate and interact with NoSQL databases
Recognize that default configurations are often insecure

In real assessments:

Exposed Redis instances often contain:
- Session data
- User credentials
- API keys and tokens
- Cached sensitive data
- Application configuration
- Personal information

Common Redis vulnerabilities:

No authentication (default configuration)
Exposed to internet (should be internal only)
Old versions with known vulnerabilities
Unrestricted commands (CONFIG, FLUSHALL, etc.)
Weak or default passwords

🔒 Security Lessons

For System Administrators

Never expose Redis to the internet:

Bind Redis to localhost (127.0.0.1) or internal IPs only
Use firewall rules to restrict access
Implement authentication: Set requirepass in redis.conf
Use SSL/TLS for remote connections (Redis 6+)
Regularly update Redis to latest version

Secure Redis configurations:

Enable authentication: requirepass <strong-password>
Disable dangerous commands: rename-command CONFIG ""
Bind to specific IPs: bind 127.0.0.1 (not 0.0.0.0)
Use Redis ACLs (Access Control Lists) for fine-grained permissions
Monitor Redis access logs

Best practices:

Run Redis in a private network/VPC
Use VPN or SSH tunneling for remote access
Implement network segmentation
Regular security assessments
Monitor for unauthorized access attempts

For Penetration Testers

This machine demonstrates:

The importance of thorough service enumeration
How to identify and interact with database services
Why exposed databases are critical findings
How to enumerate and extract data from Redis

In real assessments:

Always check for exposed database services (Redis, MongoDB, Elasticsearch, etc.)
Test for authentication requirements
Enumerate databases and keys
Look for sensitive data exposure
Document the risk: exposed database = potential data breach

Enumeration checklist:

Scan for common database ports (6379 Redis, 27017 MongoDB, 9200 Elasticsearch)
Attempt connection without authentication
Use INFO to gather server details
Enumerate databases (SELECT 0, SELECT 1, etc.)
List all keys (KEYS *)
Retrieve sensitive keys
Check for dangerous commands enabled
Test for remote code execution (if applicable)

🛠 Alternative Approaches

Using Nmap Redis Scripts

Nmap has built-in scripts for Redis enumeration:

nmap --script redis-info <target_ip> -p 6379

What this does:

--script redis-info — Gathers Redis server information
Can automate information gathering

Using redis-cli with Authentication

If Redis requires authentication:

redis-cli -h <target_ip> -a <password>

What this does:

-a — Authenticate with password
Useful if you've found credentials elsewhere

Using redis-cli with Non-Default Port

If Redis is on a non-default port:

redis-cli -h <target_ip> -p <port>

What this does:

-p — Specify port number
Default is 6379, but can be changed

Automated Redis Enumeration Scripts

Tools like redis-rogue-server can automate Redis enumeration and exploitation:

python3 redis-rogue-server.py --rhost <target_ip> --rport 6379

Warning: Only use on systems you own or have permission to test.

Checking Redis Configuration

If you have access, you can check Redis configuration:

CONFIG GET *

What this does:

CONFIG GET — Retrieves configuration parameters
* — Gets all configuration settings
Can reveal authentication settings, bind addresses, etc.

Note: This command may be disabled in secure configurations.

🚨 Common Issues

"Connection refused" or "Connection timed out"

Problem: Can't connect to Redis.

Solutions:

Make sure the machine is spawned
Verify you're connected to HTB network
Check that you're using the correct IP address
Wait for the machine to fully boot
Verify Redis is actually running on port 6379

"NOAUTH Authentication required"

Problem: Redis requires authentication.

Solutions:

Try common default passwords (redis, password, blank)
Look for credentials in configuration files or other services
Check if authentication can be bypassed (some versions have vulnerabilities)
This machine doesn't require authentication, so this shouldn't happen

"redis-cli: command not found"

Problem: redis-cli isn't installed.

Solution: Install Redis client tools:

Linux: sudo apt install redis-tools (Debian/Ubuntu) or sudo yum install redis (RHEL/CentOS)
macOS: brew install redis
Windows: Download from Redis downloads page

"ERR unknown command"

Problem: Command not recognized.

Solutions:

Check Redis version (some commands require newer versions)
Verify command syntax (Redis commands are case-insensitive but check spelling)
Use HELP command to see available commands
Check Redis documentation for your version

Keys not showing up

Problem: KEYS * returns empty or wrong database.

Solutions:

Make sure you're in the correct database (SELECT 0)
Check if keys exist in other databases (SELECT 1, SELECT 2, etc.)
Verify you have access to the database
Some Redis instances may have keys in non-default databases

📚 Additional Resources

Redis Documentation — Complete Redis documentation
Redis Commands Reference — All Redis commands
HTB Redeemer Machine Page — Official machine page
Redis Security Guide — Security best practices
Nmap Redis Scripts — Nmap Redis enumeration scripts

🎯 What's Next?

Congratulations! You've completed all four machines in Hack The Box Starting Point Tier 0:

✅ Meow — Telnet enumeration and weak credentials
✅ Fawn — FTP enumeration and anonymous access
✅ Dancing — SMB enumeration and network share access
✅ Redeemer — Redis enumeration and database interaction

What you've accomplished:

Learned basic enumeration techniques
Understood common service vulnerabilities
Practiced interacting with different protocols
Gained experience with penetration testing methodology

Next steps:

Continue with HTB Starting Point Tier 1 (requires VIP subscription)
Practice on other free HTB machines
Try TryHackMe rooms for more practice
Build your own lab environment
Study for certifications (OSCP, CEH, etc.)

📊 Completion Proof

I successfully completed Redeemer on June 14, 2025. You can verify the completion here.

Questions about Redeemer or Redis enumeration? Reach out directly:

Email: m1k3@msquarellc.net
Phone: (559) 670-3159
Schedule: Book a free consultation

M Square LLC
Cybersecurity | Penetration Testing | No-Nonsense Advice

🔴 Hack The Box Starting Point: Redeemer Walkthrough

🎯 The Objective

🔍 Initial Setup

Connecting to HTB Network

Spawning the Machine

📡 Step 1: Reconnaissance

Verifying Connectivity with Ping

🔍 Step 2: Port Scanning

Finding Open Ports with Nmap

Understanding Redis

🚨 Step 3: Redis Enumeration

Connecting to Redis

Understanding Redis Commands

📊 Step 4: Gathering Server Information

Using the INFO Command

Understanding Redis Versions

🗄️ Step 5: Database Selection

Understanding Redis Databases

🔑 Step 6: Enumerating Keys

Listing All Keys

Understanding Redis Keys

🏴 Step 7: Retrieving the Flag

Reading Key Values

Exploring Other Keys

Exiting Redis

✅ HTB Task Answers Summary

💡 Key Takeaways

What You Learned

Why This Matters in Real Penetration Testing

🔒 Security Lessons

For System Administrators

For Penetration Testers

🛠 Alternative Approaches

Using Nmap Redis Scripts

Using redis-cli with Authentication

Using redis-cli with Non-Default Port

Automated Redis Enumeration Scripts

Checking Redis Configuration

🚨 Common Issues

"Connection refused" or "Connection timed out"

"NOAUTH Authentication required"

"redis-cli: command not found"

"ERR unknown command"

Keys not showing up

📚 Additional Resources

🎯 What's Next?

📊 Completion Proof

Need Help With This?

More in Writeups & Research

Related Articles

Hack The Box Starting Point: Dancing Walkthrough

Hack The Box Starting Point: Fawn Walkthrough

Hack The Box Starting Point: Meow Walkthrough