25672 - Erlang Port
Source of this note
By running this code execution method you are running a node as well, and as long as you have the connection open, you can be exploited the same way you are exploiting the remote host.
Overview
Erlang is a programming language designed around distributed computing, and an Erlang node opens a network port that allows other Erlang nodes to join the cluster. The secret used to join this cluster is called a cookie. Many applications that utilize Erlang either use a weak cookie (RabbitMQ uses rabbit by default) or place the cookie in a configuration file that is not well protected. Some example Erlang applications are SolarWinds, RabbitMQ, and CouchDB.
Exploitation Scenario
- Target Machine: 10.129.101.49
- Attacker Machine (Kali): 10.10.14.49
- Goal: Achieve a reverse shell instead of opening an application (e.g., calc.exe).
Step 1: Locate or Guess the Erlang Cookie
Erlang uses a cookie as an authentication mechanism between nodes. It is stored in a file named .erlang.cookie.
Common Locations:
- Linux: ~/.erlang.cookie
- Windows: C:\ProgramData\.erlang.cookie
If you have access to the target filesystem, retrieve the cookie and place it in your home directory on Kali:
If you don't have direct file access, try common default values such as rabbit.
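As an added defender-side check (not part of the original note), the following POSIX shell function audits a cookie file for the two weaknesses described above: a well-known default value such as rabbit, and a file mode that lets other local users read it. The list of weak values is a constructed assumption, the 20-character expectation reflects what erl generates by default, and stat -c assumes GNU coreutils.

```shell
#!/usr/bin/env sh
# Added audit helper (not from the original note): checks an Erlang cookie
# file for a guessable default value and for overly permissive file modes.
# Usage: audit_erlang_cookie [path]   (defaults to ~/.erlang.cookie)
# Prints one line per finding; returns 0 if the cookie looks acceptable,
# 1 if any weakness was found, 2 if the file is missing.

# Constructed list of weak/default values to flag (the note names "rabbit").
WEAK_COOKIES="rabbit cookie secret erlang"

audit_erlang_cookie() {
    path="${1:-$HOME/.erlang.cookie}"
    rc=0
    if [ ! -f "$path" ]; then
        echo "MISSING: $path does not exist"
        return 2
    fi
    # Permission check: the cookie must be readable only by its owner.
    # stat -c is GNU coreutils; BSD/macOS would need stat -f '%Lp'.
    mode=$(stat -c '%a' "$path")
    case "$mode" in
        400|600) ;;
        *) echo "WEAK_PERMS: $path has mode $mode (expected 400 or 600)"; rc=1 ;;
    esac
    # Value checks: strip the trailing newline Erlang ignores, then compare.
    cookie=$(tr -d '\r\n' < "$path")
    for w in $WEAK_COOKIES; do
        if [ "$cookie" = "$w" ]; then
            echo "DEFAULT_VALUE: cookie equals well-known default '$w'"
            rc=1
        fi
    done
    # erl auto-generates 20 uppercase letters; anything shorter is suspicious.
    if [ "${#cookie}" -lt 20 ]; then
        echo "SHORT: cookie is ${#cookie} chars (erl generates 20)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $path"
    return "$rc"
}
```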
Step 2: Identify the Erlang Node Name
The target Erlang node name typically follows the format name@hostname. For RabbitMQ, the cluster name is often rabbit. If unknown, it may be guessable. The hostname may be derived from the system's actual name. You can check DNS or /etc/hosts to resolve it.
Assuming:
- The cluster name is rabbit
- The hostname is erlanghost
Then, the full node name would be rabbit@erlanghost.
Step 3: Start an Erlang Node on Kali
First, install Erlang if it's not already installed:
Then, start an Erlang shell on your Kali machine:
Step 4: Connect to the Target Erlang Node
Inside the Erlang shell, connect to the target (adjusting the node name as necessary):
If successful, you are now part of the Erlang cluster and can execute remote commands.
Step 5: Achieve a Reverse Shell
Now, execute a command to get a reverse shell:
Before running the command, set up a listener on your Kali machine:
Once the payload executes, you should receive a reverse shell.
Step 6: Exit the Erlang Shell
To exit the Erlang shell cleanly, use:
Notes & Considerations
- Ensure your firewall allows incoming connections on port 4444.
- If the target is a Windows system, adjust the payload to use cmd.exe /c and PowerShell techniques.
- If the connection fails, confirm the cookie value and node name.
- Be cautious: As long as you maintain the connection, your own Kali machine can also be exploited.
Windows Reverse Shell Alternative
If the target is a Windows machine, you can try this PowerShell reverse shell instead:
Set up the listener in Kali as before:
Summary
| Step | Action |
|---|---|
| 1 | Find or guess the Erlang cookie (`.erlang.cookie`) |
| 2 | Identify the Erlang node name (`rabbit@erlanghost`) |
| 3 | Start an Erlang node on Kali (`erl -sname kali`) |
| 4 | Connect to the target (`net_kernel:connect('rabbit@erlanghost').`) |
| 5 | Execute reverse shell (`erlang:spawn(...)`) |
| 6 | Clean exit (`init:stop().`) |
Additional Resources
This method provides remote command execution on an Erlang node by leveraging its distributed computing capabilities.
Last update: 2025-02-23 Created: February 23, 2025 21:12:05