HTB Starting Point — Redeemer
Box info | OS: Ubuntu 20.04.2 LTS (Linux 5.4.0-77-generic) | Difficulty: Very Easy | Tier: 0 | Status: Starting Point Skills: Redis protocol, unauthenticated key-value store access, Redis CLI Pwned: 2026-04-27 TL;DR Redeemer runs Redis 5.0.7 on port 6379 with no authentication configured and bound to 0.0.0.0. A full TCP sweep is required to find it — the top-1000 scan returns nothing. Once connected, KEYS * lists four keys including one literally named flag. GET flag returns the hash. The box goes further for curious attackers: loading a rogue Redis module achieves RCE as redis user, but privilege escalation to root is fully blocked (patched OverlayFS, no SUID pkexec, no writable cron paths). The lesson: an unauthenticated Redis instance is a direct data exfiltration path and potentially a foothold — just make sure you actually scan all 65535 ports first. ...