Vulnerable Labs & Applications
🧨 Vulnerable Labs & Applications for Thick Client Pentesting
1. Thick Client Pentest Lab by @nirolution
What it is: A Windows-based intentionally vulnerable desktop app written in .NET.
Includes:
Insecure file handling
Hardcoded credentials
Local privilege escalation
2. TCPT (Thick Client Pentesting Toolkit + Labs)
Comes with a vulnerable thick client app and detailed test scenarios:
Debugging
Memory tampering
Network interception
Ideal for use with Burp Suite + WinDbg.
3. OWASP Broken .NET Application
.NET-based Windows Forms app with multiple vulnerabilities:
Insecure cryptography
Deserialization
API abuses
Use with tools like dnSpy and ILSpy.
GitHub: https://github.com/OWASP/DevSlop
4. Juicy Potato + Vulnerable COM Applications
Use intentionally misconfigured COM objects to escalate privileges via token impersonation.
Lab VMs available for Windows privilege escalation.
5. Vulnerable Java RMI App
Test deserialization attacks and RCE on Java-based thick clients.
Great for: Ysoserial exploitation, insecure method exposure.
⚒️ Essential Tools for Thick Client Pentesting
Burp Suite (w/ invisible proxy): Intercept app network traffic (HTTP, WebSocket, SOAP)
Fiddler: Intercept Windows/.NET or Java HTTPS
Wireshark / TCPView: Network protocol inspection, socket usage
Procmon / Process Hacker: File access, registry interaction, DLL loading
dnSpy / ILSpy: .NET decompilation, patching, debugging
Ghidra / x64dbg: Reverse engineering native Windows binaries
EchoMirage / mitmproxy: Hook socket APIs in thick clients
Frida: Runtime function hooking (C/C++/Java/.NET)
DotPeek: JetBrains .NET decompiler
AppLocker Bypass Tools: Test execution restrictions and DLL hijacking
🧪 Key Attack Surfaces in Thick Client Applications
Local Storage: Credential leakage, insecure encryption
Hardcoded Secrets: Extract API keys, JWTs, database passwords
DLL Hijacking: Load malicious DLLs from writable directories
Insecure Serialization: RCE via .NET BinaryFormatter, Java RMI
API Backends: Broken auth, IDOR, logic flaws
IPC / Named Pipes: Privilege escalation or command injection
Registry / Config Files: Find stored creds, manipulate app state
Debug Interfaces: Console/debug mode hidden in the app
Memory Manipulation: Change in-app values (license checks, pricing)
ClickOnce / MSI Installers: Tamper with pre-installed components
🎯 Thick Client Pentest Workflow
1. Identify Communication Protocols (HTTP/S, TCP, SOAP, RPC)
2. Set Up Interception via Burp, mitmproxy, or EchoMirage
3. Decompile App (e.g., dnSpy for .NET, JD-GUI for Java)
4. Analyze Storage (config files, SQLite DBs, registry)
5. Check API Calls for weak auth, IDOR, logic flaws
6. Search for Hardcoded Secrets in binaries or memory
7. Test Local Priv Esc (DLL hijack, token impersonation)
8. Report Findings clearly: local + network risks
🔐 Practice Targets on Real Platforms
🔹 TryHackMe
Room: “Windows Privilege Escalation” includes DLL hijacking and token impersonation — relevant to thick clients.
🔹 HackTheBox – Windows Machines
Many retired HTB Windows boxes simulate vulnerable desktop or enterprise apps.
Good for lateral movement via thick client exploitation.
🔹 PentesterLab Pro
Offers exercises like authentication bypass in serialized .NET apps and session management flaws in thick clients.
📚 Guides, Books & Cheatsheets
"Thick Client Penetration Testing Guide" (Payatu): Detailed methodology
OWASP Testing Guide: Desktop Apps: Manual test cases
Pentestmonkey Cheatsheets: Credential reuse, encoding tricks
RE101 / Malware Unicorn: Reverse engineering basics for binary hacking
Adversary Simulation Tools (e.g., SharpRDP): Lateral movement via thick client footholds
🧰 Want a Custom Thick Client Lab Setup?
I can help you create a virtual lab with:
✅ Windows VM + vulnerable .NET app
✅ Configured Burp + EchoMirage proxy
✅ Example serialization attack chains
✅ Reverse engineering tools (dnSpy, x64dbg, Ghidra)
6. WebGoat.NET (Unofficial .NET Port)
Adaptation of OWASP WebGoat for .NET environments.
Includes:
SQLi in desktop input fields
Weak file encryption
Misused Windows APIs
7. ThickClientApp-VulnLab (by s4n7h0)
Simulates vulnerable login forms, local file reads, and insecure serialization.
Covers:
File handling flaws
Format string injection
Debug logic left in production builds
8. TryHackMe – “Thick Client Pentesting” Room (Coming Soon)
Community-contributed content underway. Includes:
Desktop app recon
Protocol abuse
Binary analysis
Check roadmap or request early access.
⚔️ Advanced Tools for Thick Client Exploitation
AppSpector: Windows API monitoring for thick client behavior
WinDbg + Symbols: Kernel/user mode debugging of compiled thick clients
Binary Ninja (Free): Reverse engineering with static analysis for complex binaries
GadgetInspector / ysoserial.net: Identify gadget chains for .NET deserialization
Reko Decompiler: Reverse C/C++ binaries when IDA/Ghidra struggle
EchoMirage: Inject into apps and intercept encrypted TCP/SSL traffic
MitmRelay: SSL MITM that works with thick clients ignoring cert errors
🧠 Real-World Techniques & Attack Scenarios
DLL Search Order Hijacking: Place malicious DLLs in writable folders like .\ or %APPDATA%
Insecure Clipboard Usage: Apps copy sensitive data (e.g., tokens, credentials) to clipboard
Debug Bypass via Hotkeys: F12 or CTRL+D opens hidden dev console or debug mode
Hidden Config Files: .ini, .xml, .config files hold API keys, passwords
Memory Patching (live): Modify in-app variables like license status or flags
Local API Proxying: Modify localhost-bound API calls with Burp or mitmproxy
Unsafe Reflection: Dynamic method invocation opens RCE paths in .NET/Java
Loose UAC Config + AutoElevate: Escalate to SYSTEM via misconfigured manifest in app binary
🔥 Common Protocols in Thick Client Apps (for Testing)
HTTP/HTTPS: Burp, mitmproxy, Fiddler
SOAP/XML-RPC: Burp, SoapUI, wsimport
Protobuf / gRPC: Burp + Deserialization plugin, grpcurl
Named Pipes: PipeList, Impacket, PowerShell
TCP/UDP Sockets: Wireshark, EchoMirage, Netcat
Custom Binary Protocols: Wireshark (custom dissectors), Ghidra scripts
🧱 Fuzzing & Dynamic Testing Tools
Peach Fuzzer (Community): Custom protocol fuzzing (Pro, legacy Windows support)
Boofuzz: Python-based fuzzing for socket-based protocols
AFL++ with QEMU: Fuzz compiled thick clients in instrumented mode
Frida + AFL: Hybrid dynamic fuzzing of function-level logic
Beacon (internal tools): Test in-memory logic chains, price logic, etc. (ask me how to replicate this)
🧪 Hybrid Pentesting Scenarios (Desktop ↔ Web ↔ API)
Many thick clients are hybrid apps:
Electron.js apps (Slack, Discord, Teams)
C# front-end with REST API
Java thick client + HTTP backend
Electron: Node.js RCE, DevTools abuse, embedded secret extraction
.NET + REST: Hardcoded tokens, poor API auth, local storage abuse
Java Swing + RMI: Insecure RMI or deserialization for RCE
Browser Embeds: DOM-based XSS inside thick client browser wrapper
Cross-Context Auth: Replay tokens from mobile to desktop, or vice versa
📚 Deep-Dive Resources & Real-World Case Studies
Payatu’s Thick Client Hacking Series: Full methodology, https://payatu.com/blog/thick-client-pentest-series
PortSwigger: Testing thick clients: Advice for non-web pentesting
IronGeek’s Windows RE Notes: Great for COM, DLL, UAC bypass tips
F-Secure / NCC Case Studies: Corporate reports on thick client assessments
IOActive + BishopFox: Client-side attack case studies on financial/industrial apps
🧰 Want a Full Thick Client Pentest Toolkit?
I can generate a custom preconfigured Windows VM with:
✅ dnSpy, x64dbg, Ghidra, ILSpy, Burp, EchoMirage
✅ Sample .NET and Java apps with known vulnerabilities
✅ Testing scripts (e.g., DLL hijack templates, deserialization chains)
✅ Local API server mockups for replay attacks