leHACK 2025
The Singularity
ACQUIRED HUMAN OBSOLESCENCE edition

Save the date: 27 & 28 June 2025.

leHACK is rebooting!
leHACK will take place at the Cité des Sciences et de l’Industrie, Paris,
on Friday 27, Saturday 28, and the whole night until Sunday 29 at 7:00.

The Call for Proposals has ended. We’re currently reaching out to the selected speakers and will be announcing the lineup soon!

 

YOU WILL KNOW NOTHING AND BE HAPPY

Fritz Lang with his Maschinenmensch in Metropolis, Stanley Kubrick with HAL in 2001: A Space Odyssey, Isaac Asimov in his Robot series, Philip K. Dick in Do Androids Dream of Electric Sheep?, and the 1983 film WarGames all sought to warn us: the rise of self-aware artificial intelligence poses an existential threat to humanity. You may build them with the best intentions or to solve a problem, but even when you control the parameters, logical flaws creep in. You just can’t control the outcomes in very complex meta-systems. Even less so if you don’t fully understand why they work.

AGI within Large Language Models is expected to become a reality by the end of 2025. Just as the printing press and the internet brought unprecedented transformations to human destiny, this cultural meteorite could upend our world. Professions such as law, trading, human resources, videography, writing, accounting, software development, IRS along with their tax evaders, may soon become obsolete. Nobody building LLMs has a precise idea of what they are doing. Statistical models are a challenge to human comprehension; they are too far removed from the structure of the human mind. All they know is that it works.

AI is a lot more efficient at ingesting a large corpus of documents: it can scoop through a bazillion websites in hours, statistically predict instantaneous human passions by slurping social media APIs, and write PR plans to counter them in near real time. Government decision-making tools. Defense pre-cogs. A perfect dictatorship.

We’ve finally reached the point where every possible human-generated training material has been consumed. LLM operators have had no choice but to keep training them on synthetic datasets—essentially, data generated by other LLMs. Just like in genetics, inbreeding leads to evolutionary collapse, and the AI models collapse: retarded AGIs are just around the corner. What if they fuel important decision-making?

They will also soon be entire operating systems reading your intentions. An operating system “with soul”, they say. It will read your mind, anticipate your every move—moves you will never learn to make yourself. Soon, nobody will have the knowledge of how to do things any more. AI corporations will hold your life API key. What do you think will happen if they stop providing service?

We will have acquired human obsolescence at a great price.

Are we doomers? Yes and no.
We are hackers.
Hackers are a peculiar breed: show them a card, and they’ll decipher what’s on the back. The front image is obvious and self-explanatory, but the back might conceal a magician’s trick or a casino cheater’s secret.

Perhaps that’s why hacker culture has always been filled with anarchists, paranoids, social outliers, and geniuses. You can’t have the front without the back—at least not in an N=3 dimension (with a notable Möbius strip exception). Technology doesn’t impress us; we control it. Financial stakes don’t intimidate us; we remain the ultimate minority.

We love machines—and we hate them.

We are hackers.

 

leSHOP: leHACK - 2025 - The Singularity

27 June 2025 - 29 June 2025

| PASS | FLAVOR | PRICE | SHOP | REMAINING |
| --- | --- | --- | --- | --- |
| 2-DAY PASS - EARLY BIRD | EARLY BIRD | 46.75€ | SOLD OUT | |
| 2-DAY PASS - STANDARD | STANDARD | 56.85€ | SOLD OUT | |
| 2-DAY PASS - LATE BIRD | LATE BIRDS | 77.05€ | SHOP ▶ | 70% |

leHACK TRACKS

workshops TRACK

OSINT 101: an introduction to Windows malware analysis and OSINT FR An introductory workshop on malware reverse engineering and OSINT, and on the links between these two disciplines. The workshop targets an audience that is new to reverse engineering and OSINT.

Introduction (min)
- OpenFacto introduction
- What is Cyber Threat Intelligence
- What is malware analysis
- What is OSINT -> insist on methodology before tools and the need to check the origins of one's tools -> pivots
- Links between malware analysis and OSINT

Windows Malware analysis (h)

Introduction on Windows Malware analysis (min)
- Many different possible goals -> even more different methodologies
  - Exploratory: what does this malware do
  - Detection: briefly talk about detection signatures
  - Extracting information for further analysis: mistakes made by dev (PDB, email address, etc.) and malware configuration (IP, domain names, etc.)
  - Studying the evolution of the code: need to know what characteristics are unchanging, possibility to compare different versions, etc.
- Feedback
  - The first step can be difficult to make, but there are some quick wins that can help you get started
  - A lot of people are scared of assembly, but if you don't want to be a professional malware analyst you don't necessarily need to have a very deep understanding of assembly language; if you do want to get into it, practicing is the best way to learn, and being patient is important: try not to get frustrated with the fact that you won't understand everything at first
  - A lot of good resources exist (list at the end), the first one being PMA, which is really good to get started

The basics (min)
- Mostly demonstrations, with possibility for the attendees to try it out at the same time
- Some important notions
  - Strings: string formats, extracting them, what strings could be interesting (PDB, function names)
  - Talk about the PE header without getting into too many details: mostly imports (Windows API) and timestamps
  - Assembly
    - There won't be the time to get into details here, it's a very broad subject
    - Most important tip: practice and don't get discouraged. It's okay not to understand everything, but you need to keep in mind your goal
    - Free tools available to practice at home (show Binary Ninja)
    - A possible strategy: start with some quick wins and get into the details of assembly little by little with practice. Or just stop at the quick wins, that can still be useful even if assembly isn't your thing

Quick wins exist (min)
- Many tools exist online
  - Tools for extracting embedded files like images -> OSINT
  - Tools for unpacking: broad subject, there may not be enough time to talk about it
- Windows API documentation: show as an example malware functions where you can see Windows API functions being called and roughly guess what's going on (interactive)
- Recognizable patterns or cryptographic constants: show examples of famous cryptographic functions that are easily recognizable (interactive)
- Basically, if you don't get too intimidated you might understand more than you'd think
- Limitations: complex packing, obfuscation techniques

OSINT (h)

Dorks (min)
- Starting point: we got a Windows API, yeah
- Review of major search engines and how to influence results...

Anso

OpenFacto member and CTI analyst specialised in OSINT investigations. Travel plans: none needed, already in Paris. Social media: openfacto on Bluesky and LinkedIn.

Cora

CTI analyst specialised in malware analysis

Confessionnal ZATAZ FR The Confessionnal ZATAZ is an anonymized space offered at events such as the NdH, leHack and the HackFest in Québec by Damien Bancal, the founder of ZATAZ, that lets participants pass on their cybersecurity discoveries in complete confidentiality. Participants can speak without revealing their identity and help. At the end of the event, ZATAZ relays these reports to the organizations concerned (startups, companies, institutions such as ANSSI) to help fix the vulnerabilities without exposing the author. The Confessionnal ZATAZ is a secure and confidential place meant to encourage responsible reporting, away from considerations of identity and recognition, serving the community and collective security.

ZATAZ

Insecure time-based secret in web applications and Sandwich attack exploitation FR The goal of this workshop is to put ourselves in the shoes of a bug bounty researcher wishing to automate an attack scenario to the maximum of its possibilities. The scenario studied will be that of a password reset token based on a time-based secret that is not cryptographically secure. We will look at how to construct the attack scenario and script a detection and exploitation procedure. We will then look at how to use the open source tool "Reset tolkien" to detect and exploit this type of web vulnerability.

Tom Chambaretaud

Technical Lead @YesWeHack | Bug hunter (approximately every 3 months)

Pentesting AWS Cloud Environments FR Equip participants with the skills to identify and exploit vulnerabilities in AWS cloud environments, ensuring robust cloud security. Participants will enhance their cloud security skills by gaining practical knowledge and hands-on experience identifying and mitigating vulnerabilities in AWS cloud environments. Target Audience: Cybersecurity professionals, cloud engineers, IT administrators, and anyone interested in cloud security.
- Workshop duration: 40 minutes
- Workshop language: English

Zakaria Brahimi

As a penetration tester, my day-to-day responsibilities include conducting security audits (application security, configuration review, source code review) and penetration tests on a variety of challenging environments (systems, networks, web applications, web services, mobile applications). I have also worked on several organizational security and governance projects. I am also the author of several works (conferences, practical workshops, webinars) and publications (articles, tutorials, publications) in cybersecurity. I also provide occasional training in ethical hacking and cybersecurity awareness.

Integrating secure coding to DevSecOps cycle FR This workshop aims to overcome the drawbacks of the current approach of teaching application security by blindly attacking applications to analyze vulnerabilities. This results in engineers being unable to figure out the proper fix for the vulnerabilities and hence allowing attackers to exploit the same. The labs will help security enthusiasts, developers and students to identify the root cause of the vulnerability in the code, patch it, re-deploy the application, and finally verify the fix. As an attendee, you will learn to find vulnerabilities from both an attacker's and a defender's point of view, which would help in a swift SDLC of fixing and moving forward instead of traditional pentesting procedures of fixing the issues at the end of the cycle. The demonstration will be done using a vulnerable e-cart application with microservice architecture which is deployed using Docker, where the vulnerable code is attacked and replaced with secure code snippets, compiled, deployed and pentested again to demonstrate how fixing a vulnerability at the root saves engineers time and effort.

Gopika Subramanian

Network protocol abuse: driving ICS equipment mad. FR This workshop covers the explanation and use of several libraries that make it possible to interface with PLCs (programmable microcontrollers intended for industrial control). The first part is dedicated to technical explanations of how PLCs work and of the various associated network protocols. The second part covers "exploitation" and an explanation of the libraries that make it possible to interface with PLCs. Protocols used in the workshop:
- MODBUS
- s7comm (Siemens)
- OPC UA

The goal of this workshop is to demonstrate how easily one can take control of a PLC if no security measures are applied or if misconfigurations are in place. The workshop relies on physical equipment housed in a portable network lab. Participants can connect to the lab via RJ45 (limited to 5 people) or over Wi-Fi (20 people).

Cordier Erwan

Cyber-security and ICS enthusiast.

Introduction to malware classification FR This workshop offers an introduction to malware classification, starting from the basics to build a scalable search and classification system. We will begin by exploring why it is worth looking for similarities between binaries. I will cover the classic binary diffing methods (BinDiff, Diaphora) before moving on to a more global approach for measuring similarity at scale, based on features extracted from the binaries. Participants will discover how to apply efficient comparison methods to classify large volumes of binaries while keeping processing time realistic. We will evaluate model performance using classic machine learning tools, then visualize the results with graphs (neo4j), which give more visual results. The final goal is to create a simple classification and similarity search tool based on Python and Docker.

Valentin Lonnoy

Valentin Lonnoy, incident response student at the Université de Technologie de Troyes, takes part in many CTFs with the HackUTT team (president of the club).

Hardware Hacking: getting a root shell via UART FR Ever wondered how to gain root access to a device via hardware? Why not try it yourself? This workshop will equip you with the skills and knowledge to understand the basics of hardware hacking. In this workshop, you may:
- Learn what UART is and why it's a crucial interface for embedded systems.
- Set up your environment: get your tools ready, including serial adapters and terminal software.
- Discover how to physically connect to a device's UART pins and establish a serial connection.
- Learn how to interact with the device's shell and gain root access.

Noë Flatreaud

IT Consultant • Cybersecurity Researcher interested in Bitcoin and Cryptography

Active Directory pwnage with NetExec FR In this workshop, we will show you how to take advantage of NetExec to efficiently and easily compromise an Active Directory domain during an internal pentest. A lab will be provided to each student, and the goal will be to become a domain administrator using various paths—only with NetExec! The first one to gain domain admin will be covered in glory for eternity! In this workshop, you will learn which features to use depending on the attack you need to perform, which commands to run first, what to do when you grab credentials, etc.—all by actually doing it live. No slides, only NXC as your best friend! This workshop is for students who have already played a little with Active Directory or for people who want to learn more about the tool and how to use it properly during an internal pentest!

Martial Puygrenier

Net buccaneer ̿ ̿̿’̿’\̵͇̿̿\=(•̪●)=/̵͇̿̿/’̿̿ ̿ ̿ ̿

 Wilfried Bécard

Security Expert @Synacktiv

Thomas Seigneuret

Red Teamer & Security researcher. Maintainer of #NetExec, #DonPAPI, dploot, certsync, and all the stuff on my github repo. bsky: http://zblurx.bsky.social

Playing the game of tag with modern day AV and EDRs: A guide to evading the watchdogs. FR The perpetual race to safeguard and secure our infrastructures has given birth to robust defensive mechanisms, such as antiviruses (AV), Endpoint Detection and Response (EDRs), and Extended Detection and Response (XDR), just to name a few. Over the years the detection methodologies employed by them have evolved. From the very basic string and hash matching techniques, defensive mechanisms have enhanced their capabilities by employing machine learning, in-memory scanning and other sophisticated techniques. From the perspective of a malware developer, developing malware is considerably easier as compared to evading it. In this talk we will discuss various techniques employed by malware developers to circumvent detection measures implemented by modern day AVs and EDRs. This talk will solely focus on the Windows ecosystem. We will discuss the nitty gritties of the Windows OS, followed by various detection techniques implemented by AVs and EDRs. After understanding the detection methods we will shift our focus to various techniques that can be implemented to bypass the aforementioned detection techniques. Some techniques included are Unhooking, BlockDLL, Repatching, API Hashing, ETW and AMSI patching, etc. In order to better understand the concepts discussed, we present real life PoCs. These PoCs will showcase the discussed evasion techniques on a popular red teaming tool (Juicy Potato). The implemented techniques will be tested against ‘Windows Defender’, a popular and widely used inbuilt AV solution by Microsoft. Furthermore, these PoCs will showcase the exact detection methods and how we were able to bypass them to gain access.

Aryan Jogia

Breaking into Hades' realm: an advanced Kerberos exploitation EN Originally developed by MIT, Kerberos is widely used in Microsoft Active Directory environments. Therefore, this protocol is a prime target for exploitation, allowing privilege escalation as well as establishing persistence. This workshop is designed for cybersecurity professionals who seek to deepen their understanding of Kerberos vulnerabilities and the sophisticated techniques used to exploit them. Participants will embark on a comprehensive journey on Kerberos exploitation, starting with the fundamentals of the protocol and moving swiftly into advanced attack strategies. The workshop will primarily cover:
- Abusing delegations
- Forging tickets (especially Diamond and Sapphire tickets)
- *-roasting (well-known variants as well as their newer versions, such as Kerberoasting without pre-authentication)

Throughout the workshop, participants will engage in hands-on labs to reinforce their learning. By the end of the session, attendees will possess a deep understanding of Kerberos exploitation techniques and practical knowledge to effectively conduct these attacks. Join us to master the art of Kerberos exploitation and fortify your skills to always be Domain Admin on the first day of your pentest engagement.

Requirements:
- Basic knowledge of Active Directory and Kerberos protocol
- A laptop with Exegol (https://exegol.readthedocs.io) pre-installed, with the latest nightly image already downloaded

Volker Carstein

Hacker speaker Jack of All Trades Social Engineering, OSINT, AD, TTRPG Pentester / Red Team Operator @ Bsecure / Parabellum Services

rayanlecat

Pentester

Apkpatcher: Reverse Engineering and Modifying Android Applications Without Rooting FR This hands-on workshop will guide participants through the process of reverse engineering and modifying Android applications without the need for rooted devices. I will present [apkpatcher](https://apkpatcher.ci-yow.com/) to explore various techniques to analyze, modify, and remove trackers on Android apps, focusing on practical skills that can be applied in real-world scenarios.
- Understand the fundamentals of reverse engineering Android applications.
- Learn to use debugging tools to analyze Android app behavior.
- Bypass security mechanisms using Frida scripts.
- Sniff and replay Bluetooth Low Energy (BLE) communications.
- Modify Smali code to alter app functionality.
- Reverse engineer native libraries used in Android apps.
- Perform Man-in-the-Middle (MITM) attacks on HTTPS services.

By the end of the workshop, participants will have gained practical experience in reverse engineering and modifying Android applications. They will be equipped with the skills to analyze app security and implement modifications without requiring rooted devices. Workshop Duration: 1.5 hours

Benoît Forgette

conferences TRACK

27/06/2025

10:30 From HTML Injection to Full AWS Account Takeover: Discovering Critical Risks in PDF Generation EN Modern web applications often provide features like PDF generation to enhance user experience, but these functionalities can inadvertently introduce critical vulnerabilities when improperly secured. During a recent penetration test, we identified a severe HTML injection vulnerability in the PDF file generation feature of two separate applications. Exploiting this weakness, we demonstrated the potential to perform Server-Side Request Forgery (SSRF) attacks, enabling access to internal files and sensitive application source code. This session provides a detailed, real-world example of how a seemingly minor vulnerability can have catastrophic consequences. It emphasizes the importance of secure development practices, robust cloud configurations, and proactive vulnerability mitigation. Attendees will walk away with practical strategies to strengthen their security posture, making this talk both educational and actionable.

Raunak Parmar

11:15 Up and Down Technique: Exposing Hidden Data from RAG Systems FR Retrieval-Augmented Generation (RAG) systems have revolutionized how LLMs (Large Language Models) access "additional" knowledge, powering everything from enterprise chatbots to cutting-edge research tools. However, their architecture, designed to integrate text chunks to give additional context to prompts, also opens the door to innovative data exfiltration techniques. In this talk, titled "Up and Down Technique: Exposing Hidden Data from RAG Systems", Pedro presents a technique he discovered that enables adversaries to systematically extract sensitive information from RAG applications via prompt injection. During this talk, we’ll deep dive into the internals of RAG systems by analyzing their architecture, embeddings, vector databases, and prompt anatomy. Pedro will demonstrate, using real-world examples, how attackers can exfiltrate data from documents via carefully crafted prompt injections. More importantly, the presentation will provide a set of comprehensive mitigation strategies. Designed for red teamers, bug bounty hunters, developers, CISOs, and cybersecurity enthusiasts, this talk bridges the gap between theoretical vulnerabilities and practical, actionable defense strategies, equipping security professionals with the knowledge they need to protect modern, AI-powered applications against emerging threats.

Pedro Paniago

14:00 Cache me if you can, smuggling payloads via browsers caching systems FR Malware deployment is a critical stage during a red team exercise, as it allows red team operators, if performed successfully, to gain access to a target’s internal network. For a while, the easiest way of delivering malware was to send an email with an attachment, the malware itself. Although this technique still sometimes works, blue teams are monitoring it more and more, and numerous security tools were created to block such attachments. As such, it was necessary to find other ways of delivering malware. This presentation introduces one, cache smuggling, which leverages browser caching mechanisms to bypass traditional security defenses and deliver malware. Additionally, we will see that such mechanisms can be used to facilitate silent reconnaissance of internal networks as well as information gathering and, finally, how you can protect your company and yourself against it.

Aurélien Chalot

14:45 Quantum computing demystified: A beginner's guide and cybersecurity implications FR This talk will give an understanding of basic quantum computing principles, the importance of PQC, the role of QKD in secure communications, and the transformative impact of quantum technologies on the cybersecurity landscape. We will overview the concepts of quantum computing by providing a foundational understanding for beginners, and explore the implications for cybersecurity.
1. Basics of quantum computing: explanation of key concepts: qubits, superposition, entanglement, quantum gates.
2. Introduction to quantum programming (Q#) with simple examples
3. Quantum computing and cybersecurity:
   - Post-Quantum Cryptography (PQC)
   - Quantum Key Distribution (QKD)
4. Quantum Attacks and Cybersecurity Implications: What is possible today and in the (near) future with the threat posed by quantum computers to current encryption standards?

Robin Descamps

Robin is a consultant and ethical hacker leading and executing penetration testing, red & purple teaming, and security research projects for various clients, aiming to identify their cyber vulnerabilities and mitigate their risks. He contributed to improving the security of several companies, such as Deutsche Telekom, BMC Software, and Pydio, by uncovering and reporting multiple 0-day vulnerabilities. He recently became interested in quantum computing security, being involved in several related events. His classic background allows him to demystify quantum computing from a “classic hacker” point of view rather than that of a specialised researcher.

15:45 The Last Resort: Debugging Embedded Systems with Unconventional Methods FR A debugger is always a valuable tool when searching for vulnerabilities, particularly in embedded systems where multiple peripherals may be involved. Most targets support either well-standardized debug protocols such as JTAG or SWD, or rely on proprietary alternatives. These debug ports are often locked to prevent unauthorized access. When locked, depending on the chip, it may still be possible to reactivate them by exploiting a bug. In rare cases where this is not possible, direct modification of the firmware may be an option. In such scenarios, an on-chip debugger can be implemented within the firmware itself. While potentially unstable, this type of debugger can be highly useful for firmware analysis and exploit development. This talk offers an overview of low-level concepts related to interrupts, followed by a detailed guide on building an on-chip debugger, addressing the various choices and challenges that may arise during the process. To begin with, a communication channel is required, preferably one that remains operational even during a debug interrupt. An initial breakpoint must be set on the target to trigger the debugger. A debug handler, ideally written in assembly, needs to be implemented and configured to listen for commands responsible for reading and writing memory and register contents. An intermediate server between GDB and the target must also be created. Several open-source skeletons are available to assist in this task. In addition, the talk places special emphasis on designing a lightweight debugger, as it is intended for embedded targets. It will therefore present techniques to keep the code as minimal and efficient as possible.

Vincent Lopes

16:30 Active Directory: Hall of Shame & Physical Pwnage FR Active Directory remains the number one target for attackers, and honestly... some configurations make the job far too easy for us. In this talk, I will share a collection of the worst security mistakes I have encountered in pentests. On the agenda: a "Hall of Shame" of the most ridiculous, shameful and dangerous flaws that we still run into far too often:
- DCSync for everyone – When retrieving all the NTLM hashes becomes trivial
- Password Policies from Hell – Requirements so bad that they encourage cracking
- Users’ Description WTF – Cleartext creds right in the AD fields
- Old but Gold Protocols – NTLMv1, LDAP simple bind... a godsend for attackers
- Service Accounts: The Backdoor Special – Hidden privileged accounts, often with Kerberoasting thrown in
- Delegation Disasters – Absurd escalations via misconfigured delegations
- ADCS ESC1: The First Step to Total Control – How to pwn AD with misconfigured certificates
- Plaintext Passwords: Peak Shame – GPOs and scripts that spill cleartext passwords
- GPOs That Shoot Themselves – When admins shoot themselves in the foot

Demo: Ski Resort Domain Admin Challenge. To illustrate these fails in action, I will show you a real attack where we go from simple network access to Domain Admin in a few steps, thanks to a cocktail of bad configs and NTLM relay.

Bonus: "10-Minute Physical Intrusion Challenge". Because a poorly secured AD is nice, but if we can also get our hands on the server in under 10 minutes, that's even better…

Why this talk? This is not yet another talk on AD basics. Here, we will (gently) make fun of the worst fails seen in companies and show how to exploit them effectively. Goal: provide attackers with real, pragmatic techniques, and (for the defenders in the room) make them want to fix these critical mistakes immediately.

Nicolas Aunay

17:15 Keep-it-alived: A study of the security of the VRRP protocol FR VRRP (Virtual Router Redundancy Protocol) is an open standard protocol designed to guarantee high availability of routers. Proven and widely adopted, it is used in many network infrastructures. However, the question of its security is rarely addressed in depth in the resources available online. For example, VRRPv2, still very widespread today, offers two authentication modes, one of which is easily bypassed. In VRRPv3, on the other hand, the authentication feature was removed, the protocol's authors considering that security should be handled upstream. In this presentation, I will examine the security implications of VRRP's design choices and highlight the vulnerabilities that may result from them. To do so, I will rely on Keepalived, a popular open source implementation of VRRP. Finally, I will present a design flaw that I discovered in the VRRP protocol itself (RFC 9568), with the help of the Keepalived project maintainers. This vulnerability allows an attacker on the same network to take over the "master" router role in the event of a VRRP priority conflict, even when the legitimate master router's priority is at the maximum (255). It was the subject of erratum 8298, validated by the IETF.

Geoffrey Sauvageot-Berland

17:45 Confessions of a Linux drama queen: When hackers are totally ruining your life EN It's one of those mornings. You just crushed your early workout, feeling all kinds of invincible, you're halfway through your first sip of coffee, mentally planning your day, when your SOC team drops a bombshell: Suspicious activity has been detected on a critical system. Suddenly, it's not the caffeine waking you up, it's sheer panic!! But let’s be real—cyber drama is inevitable. What separates the pros from the panicked is how we respond. In the Linux world, post-compromise activity isn’t just a mess; it’s a story waiting to be told. From tracking suspicious IPs and unexpected file creations to analyzing logs and identifying rogue services, our job is to piece together exactly what happened and how. Because let's face it, while trends come and go, resilience never goes out of style. Join me in this session as we turn the chaos into clarity and decode the drama, and maybe even add a little sparkle to incident response.

Melina Phillips

18:30 The imposter’s guide to Hacking (With DEMOs!) EN "Hear from a lifelong imposter who has been fooling people for decades! Watch examples of the no talent and lack of technical knowhow Hacks using just a credit card & imagination. See a new perspective on utilizing everyday devices & toys being repurposed with almost zero modification into attack tools. Marvel at the audacity of this speaker’s declaration of his right to be called a Hacker! Then strap in as you listen to this “pick me guy’s” virtue signaling rants on subjects that he can only be considered a tangible ally on at best! Try to make it to the end of his talk where he casts judgments & harsh critiques on a community & society that is failing so many of us with nonsense standards, unseen privileges & prejudiced expectations which are only there to appease gatekeepers & bullies whose insecurities fuel the toxicity in OUR community! Oh, and there will probably be some memes so yeah I'm sure that'll help!"

Jayson E. Street

28/06/2025

10:00 Beyond Scanners: How Hands-On Recon Led Me to My First €1K Bug FR In this French-language talk, I’ll share how I uncovered a €1,000 vulnerability by combining a user’s perspective with targeted technical analysis—without relying on automated scanners like Nmap or FFUF. As a new bug hunter, I explored the application’s functionality like a real user, studied its code behavior, and tested custom scripts to zero in on overlooked entry points and subtle misconfigurations. I’ll show you how adopting a user-focused mindset, backed by hands-on experimentation and minimal tooling, can reveal high-value bugs that scanners often miss. Whether you’re just starting out or looking to refine your methods, come learn why manual recon remains one of the most powerful techniques in any bug hunter’s arsenal.

Gaëtan Herfray

10:45 DCOM Turns 20: Revisiting a Legacy Interface in the Modern Threatscape FR Part of the Windows operating system for over 20 years, DCOM (Distributed Component Object Model) has received a lot of attention from the security research community. Ranging from lateral movement and privilege escalation to persistence techniques, DCOM is an extremely versatile attack vector. Yet, its inner workings remain unknown to many security experts. To close this knowledge gap, we will take a deep dive into the latest DCOM research — including this year's many new contributions — through practical use cases and tooling. A comprehensive testing framework will eventually be presented, enabling security researchers to build upon these previous works more effectively. Finally, we will discuss practical defensive strategies, along with key insights to help security analysts effectively detect and respond to DCOM-based abuse.

Julien Bedel

11:45 Espilon [Unknown bot net] FR When you hear the term **“botnet”** mentioned during a regular chat with your friends at the local coffee shop, you think of compromised computers and massive infrastructures, don't you? Well... So did I, until I found myself down the rabbit hole I want to share with you. This talk will present another way to get bots netting. A tale of cheap ESP32 microcontrollers and custom firmware to establish a GPRS connection to a command & control. Execute remote commands, do surveillance and eavesdropping, exfiltrate data, or even... triangulate Bluetooth signals...! We built a custom C2 and firmware ourselves, because why not?? I've been told that's how we become *l33t hackers* ¯\_(ツ)_/¯ Because spending far too much time developing all this wasn't enough, we now invite you to this 45-minute course on why you shouldn't trust your ESP32 too much ;)

EUN0US

14:00 Video game hacking: breaking games and protecting your own! FR Thick-client pentesting doesn't sound like a dream job to you? What if, instead of cracking some random piece of industrial software, we developed a little cheat? It's the same principle! An overview of the various game hacking methods, with a focus on editing a process's memory with Cheat Engine, from simple value replacement to instruction patching with the "autoassembler". And of course, a presentation of the various binary protection methods... and of their limitations against a determined hacker!

Lucas Parsy

14:45 Eastern Promises: Mobile VRP Lessons For Bug Hunters FR In the past few years, we've tried our hand at Vulnerability Reward Programs of all kinds of mobile vendors’ products and attack surfaces. Like many others, we’ve encountered as many misses as hits, learning valuable lessons from the mistakes we (and sometimes the vendors) have made. In this talk, we will focus on the takeaways from all this. Some of it has got to do with how to and not to select an attack surface or a product model, how to decide what to give up on and what to double down on, and how to make the best use of the decisions that vendors communicate and the security updates they publish. To keep the content technical, we’ll go back to our vault of Android vulnerabilities and discuss some of our past VRP submissions in the context of lessons to take from them. 

Laszlo Radnai

Laszlo Szapula (LaTsa)

Laszlo Szapula (LaTsa) started as an intern at TASZK Security Labs and is now a full-time member of the vulnerability research team, where he converts Ghidra projects and Club Mates into reverse engineered code. He is focused on the low-level security of Android-based smartphones, including the Android kernel, hypervisors, trustzones and basebands. As a presenter, his experience includes delivering mobile exploitation trainings at conferences like OffensiveCon and Hardwear.io.

15:30 Fun with watches: hacking a 12€ smartwatch with Bluetooth Low Energy and 3 wires FR French company GiFi sold in 2024 and early 2025 a cheap smartwatch under its Homday Xpert brand, and we resisted as much as we could but in the end bought some of them to see what they were made of. In this talk, we will explore this smartwatch's internals, from tear-down to firmware extraction (using a weird technique exploiting a remote vulnerability combined with some electronics), to the analysis of the gathered files. We'll also dive into Chinese vendor JieLi system-on-chips and their related ecosystem, and reveal the truth no one really expected about this smartwatch (really, nobody ain't see this coming?).

Virtualabs

Xilokar

16:30 The Art of Staying In: Unconventional Backdoors on Windows and Linux FR **What if a backdoor didn't need malware, a shell, or even a running process?** This talk explores **non-traditional backdooring techniques** — built not on binaries, but on behavior. We explore how attackers leverage **configuration, environmental trust, subtle logic chains, and latent system features** to build long-term, stealthy footholds using only native system features. No payloads, no daemons — just strategic misuse of what's already there. Rather than focusing on registry keys, cron jobs, or service hijacking, we frame persistence in terms of **core primitives**: the ability to **read**, **write**, **execute**, **leak**, **deliver**, or **trigger**. These primitives can be enabled entirely through subtle, often legitimate system features — shell not always required. Some implants exist purely in configuration. Others live only in memory, or activate only when specific, attacker-controlled conditions are met. These techniques don't rely on conventional malware — and often blend into backups, trust chains, or benign system behaviors. This talk is built from tested tradecraft, real red team operations, and exploratory research. 

M101

17:15 GPOParser: Automating Group Policies extraction to reveal security gaps FR Group Policy Objects (GPOs) are a set of configurations applied to users and computers within a Windows domain. They allow administrators to enforce security settings, software installations, scripts, and other system policies to ensure consistency and compliance within an organization. GPOs are a fundamental and critical component in the security management of Active Directory. The enumeration of these configurations can uncover opportunities for privilege escalation or lateral movement within an Active Directory environment. However, enumerating these configurations can prove to be tedious and time-consuming: understanding the various use cases and identifying the specific targets of these policies can be complex and labor-intensive. The goal of this talk is to present a tool that automates these tasks, along with the reasons justifying the creation of such a tool. After providing context on how GPOs function, a demonstration of the tool will be given. 

Wilfried Bécard

18:00 Modbus, APTs, and Other Ways Humanity is F**ing Up the Climate EN Let’s face it: The apocalypse is being debugged by idiots. Picture this: A state-sponsored hacker in a tracksuit hijacks a Modbus-connected dam in 1990s-era code. A disinfo bot army blames the resulting flood on “vegan energy policies.” Meanwhile, your smart thermostat becomes a pawn in a cyberwar over Arctic oil. Welcome to 2025, where climate action is getting hacked faster than your grandma’s Facebook.
In this talk, we’ll explore:
- APTs’ climate kill list: Energy grids, carbon capture labs, fusion reactors—all hacked via 1970s-era code.
- Why Modbus is the cybersecurity equivalent of a flip phone—and why APTs love it.
Geopolitical clown shows:
- Russia’s “Dark Winter” playbook: How Sandworm hijacked Modbus to freeze European cities and spark a fossil fuel revival.
- China’s “Silent Grid” ops: APT41’s attacks on solar farms and EV charging networks—and the shockingly simple Modbus flaws they exploited.
- The Lazarus Greenwash: North Korea’s fake ESG ransomware targeting carbon credit markets.
- Iran’s “Sandstorm”: Manipulating water treatment sensors to worsen droughts in rival nations.
- Stupid human tricks: From AI-powered grid attacks to hacking disaster relief drones.
- How to unf* the future**: Threat hunting for climate villains, securing OT systems with duct tape and hope, and why cyber hippies might save the world.
You’ll walk away with:
- APTs’ TTPs for OT attacks: From Modbus MITM to PLC bricking.
- How to weaponize threat intel: Correlating geopolitical events with ICS vulnerabilities.
- The Future of Climate Cyberwar: AI-Driven Attacks on Hydrogen Plants, Quantum Exploits, and Why COP30 Might Become a Hacker’s Playground (Hopefully Not!)

Cybelle Oliveira

19:00 Ah, I see, you're a Domain Controller as well FR “They told me I could be anything I wanted—so I became a Domain Controller,” he said, with the dramatic flair of a villain revealing his masterstroke. --- Active Directory remains the beating heart of most enterprise environments. While lateral movement and privilege escalation have long been staples of security conferences, persistence techniques often fly under the radar. Among them, DCShadow stands out—a powerful yet underexplored method that has seen little evolution since its debut in 2018. This talk changes that. We’ll walk through the development of the first all-Python DCShadow proof-of-concept, a journey far more treacherous than it sounds. From protocol quirks to undocumented behaviors, this technical deep dive is packed with lessons learned, pitfalls encountered, and how they were overcome. Whether you’re a red teamer, blue teamer, researcher, or just someone fascinated by AD internals and offensive tooling, you’ll come away with a practical understanding of DCShadow and what it takes to bring a complex idea to life.

Charlie Bromberg

19:45 Physical Security: What you don't see… FR As with cyber pentesting, a large part of the physical intrusion work needed for a red team engagement lies in preparing the intrusion. While protection technologies evolve (RF, RFID, electronic locks, cameras with built-in AI...), attack and reverse engineering methods evolve too (mechanical analysis, OSINT, database research, but also more advanced methods such as 3D scanners or X-rays). In this talk, we will mainly look at this pre-intrusion process and at low-tech and high-tech reverse engineering methods, in order to best prepare an intrusion. These methods make it possible to create tools and approaches suited to building and safe locks, master key systems, and electronic systems.

Mr Jack

They support leHACK