I have written a lot about thick clients. However, I have not done more than a few practical examples that I can show my co-workers or anyone else asking questions. Recently, I came across the Damn Vulnerable Thick Client Application by SecVulture at https://github.com/secvulture/dvta.

I am not going to use the original version of the application. Someone has created a fork and added more protections. We will use this fork instead:

• https://github.com/nddmars/dvta

Neither fork's setup instructions worked for me. As a result, the first part is actually setting up the application and the necessary back-end in only one VM. But don't worry, we will do a bit of reverse engineering with dnSpy to fix an issue.

Thanks to SecVulture for creating the app and maintainers of the second repository for adding protections.

There are no instructions in the original repository at:

• https://github.com/secvulture/dvta

But author's has some post on Infosec Institute with setup and solutions at¹:

• https://resources.infosecinstitute.com/practical-thick-client-application-penetration-testing-using-damn-vulnerable-thick-client-app-part-1

The fork has a Word document file with pictures and setup instructions. I still could not make it work.

I know setup is boring and you want to "hack." But this is necessary to have fun later.

0. Ingredients and Price

Hint: Everything is free.

1. Windows 7 (or 10) VM. I used a 32-bit Windows 7 VM from https://modern.ie: Free.
2. Microsoft SQL Server 2008 Express: Free.
3. Microsoft SQL Server 2008 Management Studio Express: Free.
4. FileZilla FTP Server: Free.
5. Microsoft Sysinternals Suite: Free.
6. dnSpy: Free.

1. Get the Code and Binary

Download the whole repository as a zip file (because you don't want to install git on a disposable VM like me) from:

• https://github.com/nddmars/dvta

Extract it to a location of your choice. I named mine dvta-master.

2. Install Microsoft SQL Server 2008 Express

3. Install Microsoft SQL Server 2008 Management Studio Express

We need management studio to set up our database and tables.

4. Create the DVTA Database

Now we can use the management studio to create the database and populate it.

• Start SQL Server Management Studio and connect to the SQLExpress instance.
• Right-click on Databases to the left and select New Database.
• Enter DVTA in the database name and press OK. Don't change anything else. Only change the database name
• Right-click on DVTA under Databases and select New Query.
• To create the users table, enter this query and select Execute (note this is different from the original instructions, we are setting the id column to auto-increment by 1 starting from 0). Without auto-increment, registration will not work:

  1 2 3 4 5 6 7 8

  CREATE TABLE "users" ( "id" INT IDENTITY(0,1) NOT NULL, "username" VARCHAR(100) NOT NULL, "password" VARCHAR(100) NOT NULL, "email" VARCHAR(100) NULL DEFAULT NULL, "isadmin" INT NULL DEFAULT '0', PRIMARY KEY ("id") )

  Execute button is a bit hard to find
• Next create the expenses table (I have set the id column to auto-increment):

  1 2 3 4 5 6 7 8 9

  CREATE TABLE "expenses" ( "id" INT IDENTITY(0,1) NOT NULL, "email" VARCHAR(100) NOT NULL, "item" VARCHAR(100) NOT NULL, "price" VARCHAR(100) NOT NULL, "date" VARCHAR(100) NOT NULL, "time" VARCHAR(100) NULL DEFAULT NULL, PRIMARY KEY ("id") )

• Populate the users table with some test data. The non-admin users can be added through the application later but admin needs to be setup manually.

  1 2 3 4 5

  INSERT INTO dbo.users (username, password, email, isadmin) VALUES ('admin','admin123','[email protected]',1), ('rebecca','rebecca','[email protected]',0), ('raymond','raymond','[email protected]',0);

  Three test users added
• Now we can right click on dbo.users and select Select Top 1000 Rows to see the test data. Test users in the database
• Open SQL Server Configuration Manager and click on SQL Server Network Configuration > Protocols for SQLEXPRESS

5. Setup the FTP Server

There's no need to install XAMPP. Manually install and use FileZilla FTP server.

• Create a directory (this will be the FTP root directory), I named it dvta-ftp and put in on desktop.
• Download and install the Filezilla FTP server (or any other server of your choice).
  • https://filezilla-project.org/download.php?type=server0
• Use Edit (menu) > Users

Now our FTP server is ready and runs as a Windows service.

6. Modify DVTA to Connect to Our Local SQL Server

The binary is configured to look for the SQL and FTP servers at a hardcoded IP address. The SQL Server address is in the .NET config file (which is just an XML file).

• Open dvta-master\DVTA\DVTA\bin\Debug\DVTA.exe.config (by default extensions are hidden on Windows so the extension might not be visible).
  • Under appSettings change value of DBSERVER to 127.0.0.1\SQLEXPRESS. Modified config file
  • Note: The Release version in this fork has extra protections (the login button is disabled by default). We will use the Debug version for testing the connection to our SQL Server. Be sure to do the same for the Release build later.
• Now we can login with any of the test users and also register new users.
• Notes:
  • The Fetch Time button will return an error regardless. I think it is the cert pinning protection that we need to bypass later.

7. Fix the FTP Connectivity

Admin can backup server files to an FTP server. But the FTP's address is hardcoded. It's 192.168.56.110. We can see this in the source code at \dvta-master\DVTA\DVTA\Admin.cs (search for Upload("ftp://192.168.56.110", "dvta", "p@ssw0rd", @pathtodownload+"admin.csv");). We want to change it to localhost.

• We can fix it in different ways:
  1. Modify the source code and recompile the app. That involves installing Visual Studio and I don't wanna do that.
  2. Modify the binary with dnSpy.
  3. This is not the case here but if the application used a hostname, we could redirect using the hosts file. This is a common approach with real world software.

7.1 Use dnSpy to Modify the Hardcoded FTP Address

Let's assume we do not know the FTP address. That means we need to:

1. Discover the address.
2. Change the address in binary.

Discover the FTP Address

Use whatever method you are comfortable with. I used Procmon.

1. Start Procmon.
2. Run the application, login as admin and try to use the backup functionality.
3. Wait until you get the error message.
4. Set this filter in Procmon Process Name is DVTA.exe.
5. Remove all activities other than network by clicking on the buttons in the picture. Only keep the middle button enabled to display network activity. Hover over each button to see what it does
6. ???

7. Profit².

   FTP address discovered

Modify the Address in Binary

Now we can use dnSpy to modify this address in the application.

We setup DVTA in a VM and patched it to connect to our local FTP server. Now things are ready to go and we can start hacking the application. In the next post I will start working on the application.