Redeemer introduces Redis — a high-speed in-memory key-value store widely used for caching, session storage, and message brokering. When Redis is exposed on the network without authentication (a common misconfiguration), an attacker can dump all data stored in memory, enumerate the database, and in advanced scenarios even achieve remote code execution via config manipulation.
| Skill | Why it matters |
|---|---|
| Scanning non-standard ports | Redis default port (6379) is not in Nmap's top 1000 — full-range scans are essential |
| Redis CLI interaction | Direct database access without credentials on exposed instances |
| Key enumeration and data extraction | Cached data often contains session tokens, credentials, and PII |
| Redis data structures | Understanding strings, lists, hashes, and sets in a NoSQL context |
Redis runs on port 6379, which falls outside Nmap's default top-1000 ports. Always use -p- on HTB machines.
What you're seeing: Redis 5.0.7 on its default port. No authentication banner, no TLS. This version predates mandatory auth enforcement — it will accept unauthenticated connections by default.
info command dumps server metadata — OS, version, memory usage, connected clients, and persistence settings. This is valuable recon in a real engagement.| Command | What it does |
|---|---|
| info | Dump server information and statistics |
| info keyspace | Show databases and their key counts |
| select <db> | Switch to a specific database (0–15) |
| keys * | List all keys in the current database |
| get <key> | Retrieve the value of a string key |
| type <key> | Check the data type of a key (string, list, hash, set) |
| hgetall <key> | Get all fields of a hash key |
| lrange <key> 0 -1 | Get all elements of a list key |
| config get * | Read server configuration (useful for RCE via config set) |
| dbsize | Count keys in the current database |
Exposed Redis instances have caused some of the most significant cloud data breaches in recent years. A single unauthenticated connection can dump session tokens, API keys, and user data cached from an entire web application.
| Concept | Real-world relevance |
|---|---|
| Always scan all ports | Redis on 6379 is outside the default Nmap range — full port scans are non-negotiable |
| No-auth Redis = full data access | Every cached session, token, or object in memory is immediately readable |
| RCE via config manipulation | On writable Redis, CONFIG SET dir + CONFIG SET dbfilename + SAVE can write arbitrary files — including SSH authorized_keys or cron jobs |
| Cloud exposure risk | Redis bound to 0.0.0.0 with no auth and a misconfigured security group is a critical cloud finding |
