Information Gathering
Recon is always crucial in any kind of pentest.
We will start by exploring all the functionality of the application just like a normal user would: click every button, fill in every form, and note which features exist and which of them require you to be logged in. These are the entry points we will come back to in later steps.
You can follow this wonderful article for a better understanding of each step.
First of all, we will use CFF Explorer to identify the technology stack behind the application: the target architecture (32- or 64-bit), the compiler it was built with, and whether it is a managed .NET binary.
Tool Link: https://ntcore.com/files/ExplorerSuite.exe
It is very helpful to know which language and runtime an application is built with, because that shapes the attack surface: native code in memory-unsafe languages such as C and C++ is prone to memory-corruption bugs like buffer overflows, while managed runtimes such as .NET and Java are not (outside of unsafe or native code they call into) but are trivial to turn back into readable source.
For DVTA, CFF Explorer reports a 32-bit .NET application built with Visual Studio .NET.
On a side note, .NET applications are easy to decompile because the IL they ship keeps type, method and field names; tools such as dnSpy and ILSpy recover near-source C# from the binary, which is the next place to look for hard-coded secrets and client-side checks.
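The headers CFF Explorer reads to reach that verdict are simple enough to parse by hand. The following is an added example, not code from the original page or from DVTA: it reads the DOS, COFF and optional headers of a PE file and reports the machine type, the header bitness (PE32 vs PE32+) and whether the CLR data directory is present, which is what marks a managed .NET image. The `build_fake_pe` helper constructs header-only sample images for demonstration; the RVA and size it writes into the CLR directory are made up, and the constants are taken from the PE specification.

```python
import struct
import sys

# Constants from the PE specification (winnt.h)
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_ARM64 = 0xAA64
PE32_MAGIC = 0x10B       # 32-bit optional header
PE32PLUS_MAGIC = 0x20B   # 64-bit optional header
CLR_DIR_INDEX = 14       # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-zero only for .NET images

MACHINE_NAMES = {
    IMAGE_FILE_MACHINE_I386: "x86",
    IMAGE_FILE_MACHINE_AMD64: "x64",
    IMAGE_FILE_MACHINE_ARM64: "arm64",
}


def pe_info(data):
    """Parse the DOS/COFF/optional headers of a PE image and report what CFF Explorer shows."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        bits, ndirs_off, dirs_off = 32, opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        bits, ndirs_off, dirs_off = 64, opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < ndirs_off + 4 - opt:
        raise ValueError("optional header too short to hold NumberOfRvaAndSizes")
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    clr_rva = clr_size = 0
    if ndirs > CLR_DIR_INDEX:  # directory table may be shorter than 16 entries
        clr_rva, clr_size = struct.unpack_from("<II", data, dirs_off + CLR_DIR_INDEX * 8)
    return {
        "machine": MACHINE_NAMES.get(machine, "0x%04x" % machine),
        "bits": bits,
        "sections": nsections,
        "dotnet": clr_rva != 0 and clr_size != 0,
    }


def build_fake_pe(machine=IMAGE_FILE_MACHINE_I386, pe32plus=False, dotnet=False):
    """Constructed sample: a header-only PE (not loadable) carrying the fields pe_info() reads."""
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    opt_size = 240 if pe32plus else 224  # standard sizes with 16 data directories
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, 16)  # NumberOfRvaAndSizes
    if dotnet:
        # A made-up RVA/size for the CLR header; its presence alone marks a managed image
        struct.pack_into("<II", opt, (112 if pe32plus else 96) + CLR_DIR_INDEX * 8, 0x2008, 0x48)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, opt_size, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # python pe_info.py <path to exe>  -- inspect a real binary
    with open(sys.argv[1], "rb") as f:
        print(pe_info(f.read()))
```

Run it against the real binary with `python pe_info.py DVTA.exe`. One caveat: a .NET assembly compiled as AnyCPU is also marked x86/PE32 in these headers; whether it runs as a 64-bit process is decided by the CLR header flags (ILONLY set, 32BITREQUIRED clear), so confirm the bitness of the running process in Task Manager or in CFF Explorer's .NET Directory view before choosing tooling.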
It is important to check which remote servers a thick client communicates with, so that the backend (database, file server, API) can be targeted later as well.
TcpView, from the Sysinternals suite, lists every TCP and UDP endpoint (IPv4 and IPv6) that processes on the host have open, together with the owning process, so you can narrow it down to the application's process name and see its remote addresses and ports live.
Suite link: https://download.sysinternals.com/files/SysinternalsSuite.zip
Wireshark is another tool you can use to capture your machine's network traffic; from the capture, filter down to the traffic generated by the application (for example by the remote host or ports it talks to) to see the protocols in use and whether they are encrypted.
Tool link: https://www.wireshark.org/download.html
For DVTA you will notice SQL Server (TDS, TCP port 1433 by default) and FTP (TCP port 21) connections in the capture once you run the application. Since FTP is a cleartext protocol, the FTP credentials the client sends are readable directly in the capture.
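To turn a capture into the list of backends TcpView and Wireshark show, it is enough to pull out every outgoing TCP SYN. The following is an added example, not code from the original page or from DVTA: a minimal classic-pcap parser that reports each (destination, port) the client tried to connect to and guesses the service from the port. The `SAMPLE_PCAP` is constructed inline with made-up addresses to stand in for a DVTA start-up capture; the service-to-port mapping assumes the backends listen on their IANA default ports.

```python
import socket
import struct

# Ports a thick client commonly reaches for; assumption: backends listen on their IANA defaults
SERVICE_PORTS = {21: "ftp", 80: "http", 443: "https", 445: "smb", 1433: "mssql", 3306: "mysql"}

TCP_SYN, TCP_ACK = 0x02, 0x10


def iter_pcap_frames(data):
    """Yield raw Ethernet frames from a classic (libpcap) capture file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    off = 24  # global header is 24 bytes; each record has a 16-byte header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def outbound_connections(data):
    """Map (dst_ip, dst_port) -> guessed service for every TCP SYN without ACK in the capture."""
    found = {}
    for frame in iter_pcap_frames(data):
        if len(frame) < 14 + 20 + 20 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue  # not IPv4, or too short to hold IPv4 + TCP headers
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4  # IPv4 header length incl. options
        if ip[9] != 6:
            continue  # protocol field: 6 is TCP
        tcp = ip[ihl:]
        if len(tcp) < 14:
            continue
        _, dport, _, _, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
        flags = off_flags & 0x1FF  # low 9 bits of the data-offset/flags word
        if flags & TCP_SYN and not flags & TCP_ACK:  # client's first packet only, not the SYN/ACK reply
            dst_ip = socket.inet_ntoa(ip[16:20])
            found[(dst_ip, dport)] = SERVICE_PORTS.get(dport, "unknown")
    return found


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags=TCP_SYN):
    """Constructed sample frame: Ethernet + IPv4 + TCP headers, no payload, checksums left zero."""
    eth = bytes(12) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap file (v2.4, Ethernet link type)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return bytes(out)


# Constructed capture standing in for what Wireshark shows when DVTA starts: the client
# (192.168.1.10) opens a SQL Server and an FTP connection to a backend host, the backend
# answers with SYN/ACK, and an unrelated HTTPS connection goes out. All addresses are made up.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("192.168.1.10", "192.168.1.20", 49152, 1433),
    build_tcp_frame("192.168.1.20", "192.168.1.10", 1433, 49152, flags=TCP_SYN | TCP_ACK),
    build_tcp_frame("192.168.1.10", "192.168.1.20", 49153, 21),
    build_tcp_frame("192.168.1.10", "203.0.113.5", 49154, 443),
])

if __name__ == "__main__":
    for (host, port), service in sorted(outbound_connections(SAMPLE_PCAP).items()):
        print(f"{host}:{port}  {service}")
```

To use it on a real capture, save from Wireshark as classic pcap (its default save format is pcapng, which this parser deliberately does not read) and call `outbound_connections(open("dvta.pcap", "rb").read())`. The same view inside Wireshark is the display filter `tcp.flags.syn == 1 && tcp.flags.ack == 0`. Reporting only the client's SYN means each connection appears once and the server's replies are not mistaken for additional backends.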
When an application runs it accesses files on the system, and creates or deletes some of them; the same goes for registry keys. Process Monitor (Procmon) records all of this activity for every process on the machine.
Procmon is part of the Sysinternals suite. Start capturing before launching the application, so the start-up activity (configuration reads, DLL loads) is recorded as well.
In Procmon, use a filter such as "Process Name is DVTA.exe" to restrict the output to the DVTA application.
It will show, among other things:
The process start.
All the DLLs (dynamic-link libraries) loaded.
All the registry keys accessed.
Files created or accessed on the device.
You will notice that DVTA uses registry keys to manage users: whether a user is logged in, plus the email, username and password. The RegSetValue events Procmon records during a login show exactly which key and values are written. That means we can open that key in the Registry Editor and modify the values to become logged in as another user without knowing their password, because the application trusts what it reads back from the registry.
Check which directory the application binary is installed in and whether any configuration files sit alongside it; config files sometimes contain juicy information such as connection strings and credentials. For a .NET application, look for the <name>.exe.config file next to the executable, and for any other file Procmon showed the application reading at start-up.
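Procmon can export the filtered capture as CSV, and a short script then turns the thousands of rows into the short list this section is after: DLLs loaded, registry values written and read, and files opened, with configuration files picked out. The following is an added example, not code from the original page or from DVTA, covering both the Procmon walkthrough above and the registry and config-file checks. The sample CSV is constructed inline in the layout of Procmon's default CSV export (an assumption about the column set); the registry key, paths, PIDs and values in it are made up for illustration and are not DVTA's real ones.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the layout of Procmon's CSV export (File > Save, CSV). Column set assumed
# to be Procmon's default; the registry key, paths, PIDs and values are made up for illustration.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000000","explorer.exe","1234","RegQueryValue","HKCU\Software\Classes\exefile","SUCCESS","Type: REG_SZ"
"10:01:03.0000000","DVTA.exe","4321","Process Start","","SUCCESS","Parent PID: 1234"
"10:01:03.0000100","DVTA.exe","4321","Load Image","C:\Program Files (x86)\DVTA\DVTA.exe","SUCCESS","Image Base: 0x400000"
"10:01:03.0000200","DVTA.exe","4321","Load Image","C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll","SUCCESS","Image Base: 0x72a00000"
"10:01:03.0001000","DVTA.exe","4321","CreateFile","C:\Program Files (x86)\DVTA\DVTA.exe.config","SUCCESS","Desired Access: Generic Read"
"10:01:03.0001100","DVTA.exe","4321","CreateFile","C:\Program Files (x86)\DVTA\DVTA.exe.config","SUCCESS","Desired Access: Generic Read"
"10:01:03.0002000","DVTA.exe","4321","RegQueryValue","HKCU\Software\ExampleVendor\Login\isLoggedIn","NAME NOT FOUND","Length: 144"
"10:01:09.0000000","DVTA.exe","4321","RegSetValue","HKCU\Software\ExampleVendor\Login\isLoggedIn","SUCCESS","Type: REG_SZ, Length: 10, Data: true"
"10:01:09.0000100","DVTA.exe","4321","RegSetValue","HKCU\Software\ExampleVendor\Login\username","SUCCESS","Type: REG_SZ, Length: 12, Data: alice"
'''

# File types that usually carry settings, connection strings or credentials
CONFIG_SUFFIXES = (".config", ".ini", ".xml", ".json", ".conf")


def triage_procmon(csv_text, process_name="DVTA.exe"):
    """Group a Procmon CSV export by what matters for recon, restricted to one process name.

    Returns a dict with the keys process_start, dlls, registry_writes, registry_reads, files and
    config_files; each list is de-duplicated but keeps first-seen order, so the sequence of
    registry writes mirrors what the application did during login.
    """
    out = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue  # equivalent of Procmon's "Process Name is <name>" filter
        op, path, result, detail = row["Operation"], row["Path"], row["Result"], row["Detail"]
        if op == "Process Start":
            out["process_start"].append(detail)
        elif op == "Load Image" and path.lower().endswith(".dll"):
            out["dlls"].append(path)
        elif op in ("RegSetValue", "RegCreateKey", "RegDeleteValue"):
            out["registry_writes"].append((path, detail))  # Detail carries the data written
        elif op in ("RegQueryValue", "RegOpenKey"):
            out["registry_reads"].append((path, result))  # NAME NOT FOUND = key did not exist yet
        elif op == "CreateFile":
            out["files"].append(path)
            if path.lower().endswith(CONFIG_SUFFIXES):
                out["config_files"].append(path)
    return {key: list(dict.fromkeys(values)) for key, values in out.items()}


if __name__ == "__main__":
    # python procmon_triage.py  -- or pass a real export: triage_procmon(open("Logfile.CSV").read())
    for key, values in triage_procmon(SAMPLE_PROCMON_CSV).items():
        print(key)
        for value in values:
            print("   ", value)
```

The registry_writes list is the one to act on: the paths are the keys to open in the Registry Editor, and the Detail column shows the values (and their types) the application stored at login, so you know what to set before restarting it. A registry_reads entry with NAME NOT FOUND on the first run, followed by a RegSetValue of the same path after login, is the pattern that tells you the application bootstraps its login state from the registry rather than from the server.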