Exploiting Web Vulnerabilities in Thick-Client Applications

I’m doing the updated content, but cant follow the exercise because the fatty-server.jar doesn’t download in the desktop someone have an idea why?
here is the Invoker.java

this is when I try to download it

I think I follow every step and try others things like

String desktopPath = System.getProperty("user.home") + "/Desktop/fatty-server.jar";
String desktopPath = System.getProperty("C:\Users\cybervaca") + "\Desktop\fatty-server.jar";
String desktopPath = System.getProperty("C:\\Users\\cybervaca") + "\\Desktop\\fatty-server.jar";

Hmmm that’s odd. Mine did show the output to the screen but it still successfully downloaded it to the desktop…

tried it again and no results with the fatty-server.jar again :confused:

DM me your code and I’ll take a look

1 Like

thanks :slight_smile:

I am having the same issue

you can dm me if you still have the problem and I share you what it work for me
but you can try this, import at the top
import java.io.FileOutputStream;
import java.util.Properties;

and don’t forget to

javac -cp fatty-client-new.jar fatty-client-new.jar.src/htb/fatty/client/gui/ClientGuiTest.java
mv -Force fatty-client-new.jar.src/htb/fatty/client/gui/*.class raw/htb/fatty/client/gui/

and after modifying the invoker.java
javac -cp fatty-client-new.jar fatty-client-new.jar.src/htb/fatty/client/methods/Invoker.java
mv -Force fatty-client-new.jar.src/htb/fatty/client/methods/*.class raw/htb/fatty/client/methods/


do you still happen to have your code that worked. i can not get it to work

yes I’ll send it you

I have the same issue. I also tried to just skip that part and go to the SQL part but I can’t get that to work either. If anyone could give me some pointers I would really appreciate it! Thanks

Did you try the above that I shared?
To do the sql part you must have to do the download first

I was able to skip that part and just bypass the login for the client side. But I would like to do it right, so I will give your method a try in a bit. TBH I don’t really understand the client bypass either, same deal I could not get the examples to work from the module…

How did you solve the SQL Part? I was able to modify the client-side app and download succesfully the fatty-client.jar

But when I follow the same steps and modify the user.java file the code does not break, but also nothing happens. So I’m not pretty sure which are the fields one should replace. Since the server app asks for a getPassword and getUsername I only tried to touch all the parameters those functions returns. However, when I touch them and re-compile the code (already moving the .class files) nothing happens :l

By “nothing happens” I mean I cannot log as I did in the original app. So I succesfully modified the code, but no the way I wanted

Hi, i am also struggeling with this can’t get to work I did every thing as indicated but the server.jar file is not downloading. any other tips that you can give that might help

Hi, what did you do to bypass the on the client side?

Hi did you solve this issue? having the some problem as you

Ok, so for User.java this is how I did it:

1-. When you open the original code you will see multiple

public User(...)

definitions (do not confuse it with the public class User, otherwise the .java file will not compile when you run javac if you delete/replace it). What I did was, taking the portion of code for public User provided in the Academy I only replaced THE FIRST public User definition. I.e., I left all the other public User definitions that contained conditions like if (!hash) and this(999, ...); and also kept the public static User anonymousUser( ) function.

2-. Just replace all the setPassword function with the portion of code provided in the Academy and do not touch the rest of getUsername, getRoleName, etc, functions

3-. Compile the code with the javac command, move the generated file to the raw directory (just follow/repeat the steps of the Academy for the ClientGuiTest.java as shown at the beginning of the section), and move all the .class files generated when we compiled User.java with

mv -Force fatty-client-new.jar.src/htb/fatty/shared/resources/*.class raw/htb/fatty/shared/resources/

build the JAR file and you should be fine :slight_smile:


I’m stuck at this point as well, I tried what you wrote but I can’t download the file.
Could you give me another tips, please

Ippsec did a youtube video on fatty, i suggest you check it out. It really helped me and also taught me some extra tricks that i can use if i run in such apps again


Hi, Is there someon that managed to get the “Exploiting Web Vulnerabilities in Thick-Client Applications” working? I am stuck recompiling the .java class with “javac -cp fatty-client-new.jar fatty-client-new.jar.src/htb/fatty/client/gui/ClientGuiTest.java”. It trows a lot of errors and I think that does not compile it right because I can not start the new .jar file. Does somebody know how to mitigate the errors?

1 Like