🧨 Vulnerable Labs & Applications for Thick Client Pentesting
1. Thick Client Pentest Lab by @nirolution
What it is: A Windows-based intentionally vulnerable desktop app written in .NET.
Includes:
Local privilege escalation
Comes with a vulnerable thick client app and detailed test scenarios.
Ideal for use with Burp Suite + WinDbg.
3. OWASP Broken .NET Application
.NET-based Windows Forms app with multiple vulnerabilities:
Use with tools like dnSpy and ILSpy.
Use intentionally misconfigured COM objects to escalate privileges via token impersonation.
Lab VMs available for Windows privilege escalation.
5. Vulnerable Java RMI App
Test deserialization attacks and RCE on Java-based thick clients.
Great for: Ysoserial exploitation, insecure method exposure.
Burp Suite (w/ invisible proxy)
Intercept app network traffic (HTTP, WebSocket, SOAP)
Intercept Windows/.NET or Java HTTPS
Network protocol inspection, socket usage
File access, registry interaction, DLL loading
.NET decompilation, patching, debugging
Reverse engineering native Windows binaries
Hook socket APIs in thick clients
Runtime function hooking (C/C++/Java/.NET)
JetBrains .NET decompiler
Test execution restrictions and DLL hijacking
🧪 Key Attack Surfaces in Thick Client Applications
Credential leakage, insecure encryption
Extract API keys, JWTs, database passwords
Load malicious DLLs from writable directories
RCE via .NET BinaryFormatter, Java RMI
Broken auth, IDOR, logic flaws
Privilege escalation or command injection
Find stored creds, manipulate app state
Console/debug mode hidden in the app
Change in-app values (license checks, pricing)
ClickOnce / MSI Installers
Tamper with pre-installed components
🎯 Thick Client Pentest Workflow
Identify Communication Protocols (HTTP/S, TCP, SOAP, RPC)
Set Up Interception via Burp, mitmproxy, or EchoMirage
Decompile App (e.g., dnSpy for .NET, JD-GUI for Java)
Analyze Storage (config files, SQLite DBs, registry)
Check API Calls for weak auth, IDOR, logic flaws
Search for Hardcoded Secrets in binaries or memory
Test Local Priv Esc (DLL hijack, token impersonation)
Report Findings clearly: local + network risks
Room: “Windows Privilege Escalation” includes DLL hijacking and token impersonation — relevant to thick clients.
🔹 HackTheBox – Windows Machines
Many retired HTB Windows boxes simulate vulnerable desktop or enterprise apps.
Good for lateral movement via thick client exploitation.
🔹 PentesterLab Pro
Offers exercises like authentication bypass in serialized .NET apps and session management flaws in thick clients.
📚 Guides, Books & Cheatsheets
"Thick Client Penetration Testing Guide" (Payatu)
OWASP Testing Guide: Desktop Apps
Pentestmonkey Cheatsheets
Credential reuse, encoding tricks
Reverse engineering basics for binary hacking
Adversary Simulation Tools (e.g., SharpRDP)
Lateral movement via thick client footholds
🧰 Want a Custom Thick Client Lab Setup?
I can help you create a virtual lab with:
✅ Windows VM + vulnerable .NET app
✅ Configured Burp + EchoMirage proxy
✅ Example serialization attack chains
✅ Reverse engineering tools (dnSpy, x64dbg, Ghidra)
6. WebGoat.NET (Unofficial .NET Port)
Adaptation of OWASP WebGoat for .NET environments.
Includes:
SQLi in desktop input fields
7. ThickClientApp-VulnLab (by s4n7h0)
Simulates vulnerable login forms, local file reads, and insecure serialization.
Covers:
Debug logic left in production builds
8. TryHackMe – “Thick Client Pentesting” Room (Coming Soon)
Community-contributed content underway. Includes:
Check roadmap or request early access.
Windows API monitoring for thick client behavior
Kernel/user mode debugging of compiled thick clients
Reverse engineering with static analysis for complex binaries
GadgetInspector / ysoserial.net
Identify gadget chains for .NET deserialization
Reverse C/C++ binaries when IDA/Ghidra struggle
Inject into apps and intercept encrypted TCP/SSL traffic
SSL MITM that works with thick clients ignoring cert errors
🧠 Real-World Techniques & Attack Scenarios
DLL Search Order Hijacking
Place malicious DLLs in writable folders like .\ or %APPDATA%
Apps copy sensitive data (e.g., tokens, credentials) to clipboard
F12 or CTRL+D opens hidden dev console or debug mode
.ini, .xml, .config files hold API keys, passwords
Modify in-app variables like license status or flags
Modify localhost-bound API calls with Burp or mitmproxy
Dynamic method invocation opens RCE paths in .NET/Java
Loose UAC Config + AutoElevate
Escalate to SYSTEM via misconfigured manifest in app binary
🔥 Common Protocols in Thick Client Apps (for Testing)
Protocol | Tools for Testing
Burp + Deserialization plugin, grpcurl
PipeList, Impacket, PowerShell
Wireshark, EchoMirage, Netcat
Wireshark (custom dissectors), Ghidra scripts
Custom protocol fuzzing (Pro, legacy Windows support)
Python-based fuzzing for socket-based protocols
Fuzz compiled thick clients in instrumented mode
Hybrid dynamic fuzzing of function-level logic
Test in-memory logic chains, price logic, etc. (ask me how to replicate this)
🧪 Hybrid Pentesting Scenarios (Desktop ↔ Web ↔ API)
Many thick clients are hybrid apps:
Electron.js apps (Slack, Discord, Teams)
C# front-end with REST API
Java thick client + HTTP backend
Hybrid Type | Exploits to Try
Node.js RCE, DevTools abuse, embedded secret extraction
Hardcoded tokens, poor API auth, local storage abuse
Insecure RMI or deserialization for RCE
DOM-based XSS inside thick client browser wrapper
Replay tokens from mobile to desktop, or vice versa
📚 Deep-Dive Resources & Real-World Case Studies
Payatu’s Thick Client Hacking Series
PortSwigger: Testing thick clients
Advice for non-web pentesting
IronGeek’s Windows RE Notes
Great for COM, DLL, UAC bypass tips
F-Secure / NCC Case Studies
Corporate reports on thick client assessments
Client-side attack case studies on financial/industrial apps
I can generate a custom preconfigured Windows VM with:
✅ dnSpy, x64dbg, Ghidra, ILSpy, Burp, EchoMirage
✅ Sample .NET and Java apps with known vulnerabilities
✅ Testing scripts (e.g., DLL hijack templates, deserialization chains)
✅ Local API server mockups for replay attacks