Thick Client Applications

Thick client applications are the applications that are installed locally on our computers. Unlike thin client applications that run on a remote server and can be accessed through the web browser, these applications do not require internet access to run, and they perform better in processing power, memory, and storage capacity.

Characteristics of Thick Client Application

• Independent software.

• Working without internet access.

• Storing data locally.

• Less secure.

• Consuming more resources.

• More expensive.

---

Penetration Testing Steps

Information Gathering

CFF Explorer	Detect It Easy	Process Monitor	Strings

Client Side Attacks

Ghidra	IDA	OllyDbg	Radare2
dnSpy	x64dbg	JADX	Frida

Network Side Attacks

Wireshark	tcpdump	TCPView	Burp Suite

---

Example Scenario #1

1. We found the file C:\Apps\Restart-OracleService.exe

2. ProcMon from SysInternal shows this

1. Since a file is saved on \temp directory, we need to change the permission of the folder to forbid file deletion. C:\Users\Matt\AppData\Local\Temp and under Properties -> Security -> Advanced -> cybervaca -> Disable inheritance -> Convert inherited permissions into explicit permissions on this object -> Edit -> Show advanced permissions

1. A .bat file is saved

C:\Apps>dir C:\Users\cybervaca\AppData\Local\Temp\2

...SNIP...
04/03/2023  02:09 PM         1,730,212 6F39.bat
04/03/2023  02:09 PM                 0 6F39.tmp

1. The batch file contains this and we remove the del commands so we can see the contents of the oracle.txt, and monta.ps1.

@shift /0
@echo off

if %username% == matt goto correcto
if %username% == frankytech goto correcto
if %username% == ev4si0n goto correcto
goto error

:correcto
echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > c:\programdata\oracle.txt
echo AAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4g >> c:\programdata\oracle.txt
<SNIP>
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> c:\programdata\oracle.txt

echo $salida = $null; $fichero = (Get-Content C:\ProgramData\oracle.txt) ; foreach ($linea in $fichero) {$salida += $linea }; $salida = $salida.Replace(" ",""); [System.IO.File]::WriteAllBytes("c:\programdata\restart-service.exe", [System.Convert]::FromBase64String($salida)) > c:\programdata\monta.ps1
powershell.exe -exec bypass -file c:\programdata\monta.ps1
del c:\programdata\monta.ps1
del c:\programdata\oracle.txt
c:\programdata\restart-service.exe
del c:\programdata\restart-service.exe

1. Execute the batch file to retrieve the monta.ps1

C:\>  cat C:\programdata\monta.ps1

$salida = $null; $fichero = (Get-Content C:\ProgramData\oracle.txt) ; foreach ($linea in $fichero) {$salida += $linea }; $salida = $salida.Replace(" ",""); [System.IO.File]::WriteAllBytes("c:\programdata\restart-service.exe", [System.Convert]::FromBase64String($salida))

1. Running .\restart-service.exe to check if we can see some promising stuff in the ProcMon

2. Start x64dbg and Options -> Preferences, and uncheck everything except Exit Breakpoint

3. file -> open and select the restart-service.exe

4. Upon reviewing the logs, we saw a particular interest is the map with a size of 0000000000003000 with a type of MAP and protection set to -RW--

1. We saw MZ which is a magic number indicating a MZ Executable so we right-click on the address and selecting Dump Memory to File

2. We can see that it is a dotnet executable

C:\> C:\TOOLS\Strings\strings64.exe .\restart-service_00000000001E0000.bin

<SNIP>
"#M
z\V
).NETFramework,Version=v4.0,Profile=Client
FrameworkDisplayName
.NET Framework 4 Client Profile
<SNIP>

1. We use De4DoT to convert it to its source code

de4dot v3.1.41592.3405

Detected Unknown Obfuscator (C:\Users\cybervaca\Desktop\restart-service_00000000001E0000.bin)
Cleaning C:\Users\cybervaca\Desktop\restart-service_00000000001E0000.bin
Renaming all obfuscated symbols
Saving C:\Users\cybervaca\Desktop\restart-service_00000000001E0000-cleaned.bin


Press any key to exit...

1. Using DNspy

Example Scenario #2 (Exploiting Web Vulnerabilities)

Recon Notes:

• Port was recently changed from 8000 to 1337

• Credentials were qtc:clarabibi

1. Opening the fatty-client.jar, we try to login but there is an error

1. Upon inspecting the traffic on wireshark, we can see that the app attempts to connect to server.fatty.htb so we add that to our /etc/hosts

1. Inspecting the traffic again, the client attempts to connect to port 8000 (so we need to change it to port 1337)

2. Right click > Extract Files

C:\> ls fatty-client\ -recurse | Select-String "8000" | Select Path, LineNumber | Format-List

Path       : C:\Users\cybervaca\Desktop\fatty-client\beans.xml
LineNumber : 13

1. Edit the port 8000 to 1337 but running the application will fail due to sha256 digest mismatch. The sha256 is located at META-INF/MANIFEST.MF

2. Remove the hashes in the META-INF/MANIFEST.MF

C:\> cat fatty-client\META-INF\MANIFEST.MF

Manifest-Version: 1.0
Archiver-Version: Plexus Archiver
Built-By: root
Sealed: True
Created-By: Apache Maven 3.3.9
Build-Jdk: 1.8.0_232
Main-Class: htb.fatty.client.run.Starter

Name: META-INF/maven/org.slf4j/slf4j-log4j12/pom.properties
SHA-256-Digest: miPHJ+Y50c4aqIcmsko7Z/hdj03XNhHx3C/pZbEp4Cw=

Name: org/springframework/jmx/export/metadata/ManagedOperationParamete
 r.class
SHA-256-Digest: h+JmFJqj0MnFbvd+LoFffOtcKcpbf/FD9h2AMOntcgw=
<SNIP>

C:\> cat fatty-client\META-INF\MANIFEST.MF

Manifest-Version: 1.0
Archiver-Version: Plexus Archiver
Built-By: root
Sealed: True
Created-By: Apache Maven 3.3.9
Build-Jdk: 1.8.0_232
Main-Class: htb.fatty.client.run.Starter

1. Delete 1.RSA and 1.SF files from the META-INF directory

2. Update and run the fatty-client.jar

C:\> cd .\fatty-client
C:\> jar -cmf .\META-INF\MANIFEST.MF ..\fatty-client-new.jar *

1. We can login now