ProcMon - monitoring the process reveals that the executable indeed creates a temp file
Filters
ProcMon - Temp File
In order to capture the files, it is required to change the permissions of the Temp folder to disallow file deletions
To do this, we right-click the folder C:\Users\Matt\AppData\Local\Temp and under Properties -> Security -> Advanced -> cybervaca -> Disable inheritance -> Convert inherited permissions into explicit permissions on this object -> Edit -> Show advanced permissions, we deselect the Delete subfolders and files, and Delete checkboxes.
Run the app again
bat file
Two files are being dropped by the batch file and being deleted. Try to retrieve the content of the 2 files, by modifying the batch script and removing the deletion
Remove user part and del part. Also change echo $salida
x64dbg, navigate to Options -> Preferences, and uncheck everything except Exit Breakpoint
file -> open and select the restart-service.exe to import it and start the debugging. Once imported, we right click inside the CPU view and Follow in Memory Map
MAP and protection set to -RW--
double-click on it
Return to the Memory Map pane, then export the newly discovered mapped item from memory to a dump file by right-clicking on the address and selecting Dump Memory to File. Running strings on the exported file
use De4Dot to reverse .NET executables
Read the source code of the exported application by dragging and dropping it onto the DnSpy executable
A server has been reconfigured to run on port 1337 instead of 8000.
The login credentials for login in the client application are ****/*
The client attempts to connect to the server.fatty.htb subdomain
Below is showcased an example on how to approach DNS requests from applications in your favour. Verify the contents of the C:\Windows\System32\drivers\etc\hosts file where the IP 172.16.17.114 is pointed to fatty.htb and server.fatty.htb
fatty-client.jar is a Java Archive file, and its content can be extracted by right-clicking on it and selecting Extract files
set the port to 1337
secret is clarabibiclarabibiclarabibi.
Running the edited application will fail due to an SHA-256 digest mismatch. The JAR is signed, validating every file's SHA-256 hashes before running. These hashes are present in the file META-INF/MANIFEST.MF.
remove the hashes from META-INF/MANIFEST.MF and delete the 1.RSA and 1.SF files from the META-INF directory. The modified MANIFEST.MF should end with a new line.
Update and run the fatty-client.jar file by issuing the following commands.
Foothold
Profile -> Whoami
Path Traversal
Decompile the application using JD-GUI, by dragging and dropping the fatty-client-new.jar onto the jd-gui
Save the source code by pressing the Save All Sources option in jdgui. Decompress the fatty-client-new.jar.src.zip by right-clicking and selecting Extract files.
The file fatty-client-new.jar.src/htb/fatty/client/methods/Invoker.java handles the application features
showFiles function takes in one argument for the folder name and then sends the data to the server using the sendAndRecv() call. The file fatty-client-new.jar.src/htb/fatty/client/gui/ClientGuiTest.java sets the folder option
Replace the configs folder name with ..
Compile the ClientGuiTest.Java file
This generates several class files. Let's create a new folder and extract the contents of fatty-client.jar into it.
Navigate to the raw directory and decompress fatty-client-new-2.jar by right-clicking and selecting Extract Here
Navigate to the raw directory and decompress fatty-client-new-2.jar by right-clicking and selecting Extract Here. Overwrite any existing htb/fatty/client/gui/*.class files with updated class files.
Exploiting Web Vulnerabilities in Thick-Client Applications
Finally, we build the new JAR file.
Log in to the application and navigate to FileBrowser -> Config option
Listing the content of the start.sh file reveals that fatty-server.jar is running inside an Alpine Docker container.
Modify the open function in fatty-client-new.jar.src/htb/fatty/client/methods/Invoker.java to download the file fatty-server.jar
Rebuild the JAR file by following the same steps and log in again to the application. Then, navigate to FileBrowser -> Config, add the fatty-server.jar name in the input field, and click the Open button.
SQL Injection
Decompiling the fatty-server.jar using JD-GUI reveals the file htb/fatty/server/database/FattyDbSession.class that contains a checkLogin() function that handles the login functionality
The login button creates the new object ClientGuiTest.this.user for the User class. It then calls the setUsername() and setPassword() functions with the respective username and password values.
htb/fatty/shared/resources/user.java
Username isn't sanitized and is directly used in the SQL query, making it vulnerable to SQL injection.
The checkLogin function in htb/fatty/server/database/FattyDbSession.class writes the SQL exception to a log file.
To see the error, we need to edit the code in the fatty-client-new.jar.src/htb/fatty/client/gui/ClientGuiTest.java file as follows
error-log.txt
username in the login form is ' or '1'='1
The injection in the username field can be leveraged to create a fake user entry.
Modify the code in htb/fatty/shared/resources/User.java to submit the password as it is from the client application.
The jar file is not created (don't know why, but two .class file are generated): fatty-client-new.jar.src\htb\fatty\shared\resources\*.class
Copy the .class files to raw directory
Create jar file
Attempt to log in using the payload abc' UNION SELECT 1,'abc','a@b.com','abc','admin in the username field and the random text abc in the password field.
C:\> cat fatty-client\beans.xml
<SNIP>
<!-- Here we have an constructor based injection, where Spring injects required arguments inside the
constructor function. -->
<bean id="connectionContext" class = "htb.fatty.shared.connection.ConnectionContext">
<constructor-arg index="0" value = "server.fatty.htb"/>
<constructor-arg index="1" value = "8000"/>
</bean>
<!-- The next to beans use setter injection. For this kind of injection one needs to define an default
constructor for the object (no arguments) and one needs to define setter methods for the properties. -->
<bean id="trustedFatty" class = "htb.fatty.shared.connection.TrustedFatty">
<property name = "keystorePath" value = "fatty.p12"/>
</bean>
<bean id="secretHolder" class = "htb.fatty.shared.connection.SecretHolder">
<property name = "secret" value = "clarabibiclarabibiclarabibi"/>
</bean>
<SNIP>
C:\> cd .\fatty-client
C:\> jar -cmf .\META-INF\MANIFEST.MF ..\fatty-client-new.jar *
public String showFiles(String folder) throws MessageParseException, MessageBuildException, IOException {
String methodName = (new Object() {
}).getClass().getEnclosingMethod().getName();
logger.logInfo("[+] Method '" + methodName + "' was called by user '" + this.user.getUsername() + "'.");
if (AccessCheck.checkAccess(methodName, this.user))
return "Error: Method '" + methodName + "' is not allowed for this user account";
this.action = new ActionMessage(this.sessionID, "files");
this.action.addArgument(folder);
sendAndRecv();
if (this.response.hasError())
return "Error: Your action caused an error on the application server!";
return this.response.getContentAsString();
}
configs.addActionListener(new ActionListener() {
public void actionPerformed(ActionEvent e) {
String response = "";
ClientGuiTest.this.currentFolder = "configs";
try {
response = ClientGuiTest.this.invoker.showFiles("configs");
} catch (MessageBuildException|htb.fatty.shared.message.MessageParseException e1) {
JOptionPane.showMessageDialog(controlPanel, "Failure during message building/parsing.", "Error", 0);
} catch (IOException e2) {
JOptionPane.showMessageDialog(controlPanel, "Unable to contact the server. If this problem remains, please close and reopen the client.", "Error", 0);
}
textPane.setText(response);
}
});
