leHACK Conferences tracks
The leHACK conferences lineup consists of the talks taking place on the conference main stage (Amphithéâtre Gaston Berger).
conferences TRACK
26/06/2026
The Microsoft Entra ID and Microsoft 365 ecosystem has become, in 2025-2026, the epicentre of enterprise cloud compromises. The reports are unanimous: identity is the primary attack vector, and M365 environments are the most coveted attack surface, from state-sponsored APTs to Phishing-as-a-Service operators. The talk will cover the most recent and impactful techniques, including FOCI (Family of Client IDs) abuse, extraction of OAuth tokens from Windows caches (TokenBroker, WAM, Azure CLI), bypassing MFA and Conditional Access policies, and detection blind spots. Running through it all, a live demonstration of OAuthBandit v2, an open-source post-exploitation tool specialised in extracting, validating and exploiting Microsoft OAuth tokens from compromised endpoints, with the public release of new advanced features. This presentation is raw field feedback. Based on concrete incident response cases and offensive engagements on compromised M365 tenants, it dissects the modern kill chains observed in production: from initial access via OAuth phishing to complete takeover of the tenant, passing through cloud-to-cloud lateral movement and invisible persistence, along with other surprises. The goal: to arm defenders with a fine-grained understanding of modern TTPs on M365/Entra ID and concrete detection and response strategies.
Kondah Hamza
Windows shortcut (.LNK) files remain a persistent threat vector. While simple bypasses like adding spaces exist, this session reveals undocumented techniques for deceptive payload delivery and execution. We'll explore why these methods work, the black-box research methodology used to find them, and the defensive implications. We are also introducing an open-source tool for security teams to simulate and defend against these advanced LNK-based attacks.
Wietze Beukema
SAP is widely used by Fortune 500 companies and often underpins critical business processes, yet its attack surface is difficult to evaluate due to its proprietary nature. In this talk, I retrace how I approached that problem in practice: starting from a single thread and following it through reverse engineering, archive format internals, black-box fuzzing, and exploit development. Along the way, I show how that process led to multiple vulnerabilities across different SAP components, ranging from local privilege escalation to remote unauthenticated memory corruption. I also cover the practical role LLMs played during the research, as a tool for crash triage, root-cause analysis, and exploit development.
Tao Sauvage
placeholder
Placeholder, more to come.
WSO2 products (API Manager, Identity Server) are massively deployed across critical infrastructure (banking, insurance, defense, government) in France and worldwide. During offensive security engagements at Ambionics Security (LEXFO), we discovered over a dozen critical 0-day vulnerabilities in WSO2's shared Java codebase and achieved RCE on dozens of client instances across French organizations. The vulnerabilities span the full spectrum: authentication bypasses via path parameter confusion, full-control SSRF through a 2008-era legacy proxy, systemic CSRF on every SOAP administration service, account takeover via flawed password reset logic, and multiple RCE vectors through Siddhi Streaming SQL, H2 database UDFs, SQLite file-write to JSP webshell, and unsandboxed JavaScript execution in the JVM. But the real challenge came next. Facing a properly hardened deployment (management console firewalled off, no admin ports exposed, zero outbound connectivity), we chained 7 N-days into a single-request unauthenticated RCE through the only reachable endpoint: the API Gateway HTTPS port. The chain combines blind XXE, SSRF relay, HTTP request smuggling via CRLF injection in Axis2 headers, and privilege escalation into a reliable exploit against near-current WSO2 versions. Packed with Java web exploitation tricks, the talk concludes with a live demo: one request, seven vulnerabilities, a reverse shell.
Noel MACCARY
Espressif designs small, low-cost system-on-chips primarily intended for wireless connectivity such as Wi-Fi and Bluetooth Low Energy. These SoCs are widely used as the networking and control component in IoT and embedded products, handling external inputs, protocol parsing, and communication with the rest of the system. Espressif has publicly reported cumulative shipments on the order of one billion chips, with hundreds of millions of devices deployed in the field, making vulnerabilities in shared firmware components a product-scale security concern rather than an isolated implementation detail. In this talk, we present a set of real security vulnerabilities identified in Espressif's software development kit (SDK) and USB stack. Rather than focusing on vulnerability counts, we explain how we deliberately filtered out noise to concentrate on issues that are reachable, cross trust boundaries, and have realistic security impact in shipped products. We briefly introduce the analysis approach that enabled this triage, including graph-based code exploration, backward slicing from security-sensitive operations, reachability and exploitability reasoning, and threat-model awareness. We then deep-dive into a USB vulnerability, walking through the vulnerable code path, violated assumptions, and attacker-controlled inputs. Where available, we present ongoing exploitation work and discuss the practical challenges and constraints of turning such bugs into reliable exploits on embedded targets. Finally, we connect these findings to real-world Espressif-based products, illustrating how low-level firmware vulnerabilities can propagate to product-level security risks. We conclude with lessons learned for embedded developers and security engineers on how to reason about exploitability, prioritization, and impact in modern IoT and embedded software stacks.
Maxime
Ramtine
Is reverse engineering IDA, R2, Frida, Ghidra, QEMU and many others? No. It is all of that, yet all of that is not the secret we want to uncover or the DRM we want to break; it is only the means. Today, after Dexcalibur and more than 5 years of development, we are releasing Reversense as open source: a reverse-engineering automation platform that creates a projection of your mobile application or binary into a universal representation that can be queried, analysed and executed. Reversense offers a graphical interface for navigating and analysing the application's projection, statically or across executions, along with many features outside the scope of traditional tools: automated traversal of the user interface, automatic generation and editing of Frida hooks that mutate from one execution to the next, cross-process or cross-device instrumentation, in-app fuzzing, management of a phone farm, and more. The talk presents the tool (the idea and its use) but above all how we have rethought the reverser's craft in an era where binaries are everywhere and the time available for reversing keeps shrinking, yet where we still want to enjoy the work.
Georges-Bastien Michel (@FrenchYeti)
What if the backdoor phase required no code at all? Last year at leHack, I introduced a framework for reasoning about unconventional persistence: backdoors built from configuration and trust rather than malware. The audience asked for more demos, more operational reality. This talk delivers. Through live demonstrations on realistic environments, we show how subtle, codeless modifications to a system can create invisible conditions for future code execution, triggered later through channels no defender would think to suspect. No binary, no shell, no payload on disk. Just changes that look benign, pass audits, and wait patiently. Built from tested tradecraft, real red team operations, and ongoing research.
m101
Modified drone companion apps claiming to unlock FCC transmission modes are widely circulated among hobbyist communities, yet their internal mechanisms remain largely undocumented. This talk presents a reverse engineering case study of such a patched Android application, revealing how runtime instrumentation frameworks, specifically Frida, are embedded and abused to dynamically alter application behavior. Through differential APK analysis, deobfuscation of injected JavaScript Frida payloads, and inspection of native libraries, we uncover a full instrumentation pipeline designed to hook critical Java class methods to bypass regulatory constraints. The session concludes with a discussion on technical limitations, potential firmware-level barriers, and implications for mobile app integrity.
Valentin PICAL
Placeholder
27/06/2026
Fifteen years ago, compromising an organization could be as simple as walking through the front door with confidence, dropping a USB drive in a parking lot, or sending a poorly crafted phishing email. At NDH2K11, Jayson E. Street demonstrated just how easily organizations could be compromised using little more than human trust and a bit of creativity. Fast-forward fifteen years. The technology landscape has transformed: AI-generated voices can impersonate executives, phishing campaigns are automated at scale, and attackers now leverage OSINT and generative technologies that dramatically lower the barrier to entry. Yet despite this technological evolution, one uncomfortable truth remains: the fundamental weakness, attackers exploiting humans, has not changed. In this retrospective talk, Jayson revisits real examples from his early work compromising banks and organizations through social engineering and physical infiltration, comparing them to modern attacks involving phishing, vishing, and AI-driven deception. Through stories, demonstrations, and lessons learned across more than a decade of adversarial testing, he shows how attackers continue to succeed not because of cutting-edge exploits, but because organizations still rely on the same fragile assumptions about trust, process, and human behavior. The session concludes by challenging the industry's traditional approach to security validation and introduces a modern framework for adversarial simulation designed to help organizations experience real-world attacks safely before criminals deliver them for real. After fifteen years of evolving tools, tactics, and technology, the biggest lesson may be the simplest one: Attack methods change. Human nature does not.
Jayson E. Street
Squirrel.Windows is one of the most widely used automatic update frameworks on Windows. It is used notably by Discord, Slack, GitHub Desktop and many Electron applications used by millions of users. In this talk, I present the results of a complete security audit of the Squirrel.Windows update pipeline, which revealed 8 vulnerabilities affecting several layers of the update system. This research shows that several security mechanisms expected in a modern auto-update system are missing or defective: no signature on the update manifest, circular integrity verification of packages, no Authenticode verification, Zip Slip vulnerabilities allowing arbitrary file writes, XML parsing vulnerable to XXE attacks, and dangerous handling of temporary directories. By combining these flaws, an attacker able to intercept update traffic can fully compromise the update process and achieve remote code execution during the installation of an update. The talk will include several practical demonstrations showing:
- injection of a malicious update manifest in a MITM scenario
- exploitation of a forged .nupkg package that escapes the application directory
- the impact of other vulnerabilities such as XXE or the defective delta verification
We will conclude with an analysis of the design errors observed in this type of framework and recommendations for designing secure update systems.
Lucas Torres (Rooting)
n8n is an open-source workflow automation platform with AI agents, used by thousands of organizations worldwide. With more than 70,000 publicly accessible instances on Shodan and recent critical CVEs listed in CISA's Known Exploited Vulnerabilities catalog, it has become a high-value target for attackers. This talk first explores what attackers can do with leaked n8n credentials. Starting from real-world n8n JWT tokens exposed on GitHub, we found around 1,300 publicly reachable instances. Among those, 25% authenticated successfully, giving us a live dataset of production n8n instances to answer one question: what can an attacker do once inside? We built three attack chains to find out. First, we demonstrate Remote Code Execution leveraging real-world workflow abuse and existing CVEs, showing how n8n's legitimate execution capabilities turn into a direct shell. Second, we walk through credentials enumeration, extraction, and exfiltration: n8n instances store third-party API keys, OAuth tokens, and database credentials directly in workflows, making a single JWT a skeleton key to an organization's entire integration stack. Third, we reveal original cryptographic weaknesses in n8n's native secret handling, what we call n8ive crypto, exposing design flaws that allow offline secret recovery and privilege escalation. Beyond the practical attacks, this talk raises a broader question: when automation platforms become the central hub of modern infrastructure, an account compromise is now a launchpad for attacks across the entire stack.
guedou
Often underestimated by organisations, physical intrusion is nonetheless a particularly effective compromise vector, despite growing investment in technical and human safeguards. This talk offers a concrete analysis of the mechanisms that lead to the success or failure of a physical intrusion, drawing on lessons learned, real cases and red team engagements. We will examine the key success factors, such as social engineering, organisational weaknesses or overestimation of technical controls, as well as the elements that lead to failure: staff vigilance, appropriate procedures, security culture, and certain limitations imposed by clients. The goal is to move beyond a purely technological view in order to highlight the central role of people and processes.
Joker2a
macOS has long been perceived as a low-risk platform, often treated as a secondary concern compared to Windows and Linux. That assumption no longer holds. As MacBooks become increasingly common in corporate environments, adversaries have followed, turning macOS into a viable and attractive target for real-world attacks. This talk presents a practical, research-driven analysis of the recent evolution of macOS malware. Through hands-on experiments and real techniques, it explores how modern threats achieve execution, fileless operation, persistence, and evasion by abusing native macOS components. As organizations continue to expand their macOS footprint, security strategies often lag behind. Many defensive teams remain heavily focused on Windows and Linux, leaving macOS environments under-monitored, under-tested, and misunderstood. In this talk, I will share my journey researching and developing macOS malware from an adversarial perspective. The session focuses on how attackers leverage legitimate macOS mechanisms to achieve:
- Initial execution and in-memory (fileless) techniques
- Persistence through native system components
- Evasion of endpoint security and detection tools
Each technique is demonstrated using real experiments, with analysis of macOS internals and the behavior of commonly deployed security solutions. Rather than theoretical concepts, the talk emphasizes how these attacks work in practice, and why many defenses fail to stop them. The presentation also addresses a persistent myth, especially common in the Brazilian security community, that macOS is inherently safer or "immune" to malware. By examining real attack paths and defensive gaps, the session highlights the urgent need for improved detection strategies, visibility, and threat modeling on macOS.
Attendees will learn:
- How modern malware abuses internal macOS mechanisms
- Real-world persistence techniques observed in active threats
- How security tools react, or fail, when faced with these attacks
- Practical mitigation strategies to reduce exposure and improve detection
This talk is intended for defenders, red teamers, malware researchers, and anyone interested in understanding how adversaries are actively adapting to the macOS ecosystem.
Zoziel Freire
This talk aims at reviewing and explaining in detail the technical Sighax exploit. The Nintendo 3DS, despite having layered security based on a strong chain of trust and a privilege split between two processors, ARM11 and ARM9, implements improper validation of the RSA PKCS#1 v1.5 padding in the ARM9 bootrom code. This vulnerability, combined with a custom, careless ASN.1 parser, makes it possible to bruteforce specific RSA signatures that cause the signature's hash to be computed against itself on the stack, allowing a signature check to be bypassed. We will also discuss how this exploit, coupled with the design of Nintendo's FIRM file format, allows dumping the protected bottom half of the ARM9 bootrom, which is locked away by the time any firmware is loaded. The goal is to provide a clear overview of how a console can go from executing confined userland homebrew to cold-boot, pre-firmware persistence with full access over the console in just a few mistakes. We will go over the 3DS security architecture with its ARM9 / ARM11 split, the FIRM boot chain, the RSA PKCS#1 v1.5 padding implementation flaw, the ASN.1 parser mistakes, and how "perfect" signatures were bruteforced to take advantage of these issues in order to sign any firmware stored in the console eMMC.
Cyprien Molinet (@cypelf)
When we think of warez, we think of video games, the Adobe suite or Microsoft Word. But there is another scene that has also existed for a long time: the scene for industrial control software.
This software comprises the development and interaction environments for physical control systems and for programming industrial PLCs; in short, the software that keeps our industrial world running.
We will try here to analyse this market from two angles.
On one side, a technical analysis looking at some cracks and keygens, but also tools that bypass the built-in security of PLCs, to see what they do technically and to determine whether their actions are legitimate or just snake oil and a lot of malware.
On the other side, the distribution, the sellers and the target customers of this market.
biero-el-corridor
Everyone knows the Bluetooth Low Energy protocol and its vulnerabilities, because they regularly make the headlines, and 2026 was no exception. A simplified pairing mechanism exploitable by attackers, unencrypted communications leaking sensitive information, humanoid robots compromised through command injection over BLE, audio stream injection into earphones: so many problems revealed in recent years thanks to many security researchers, tarnishing the image of this protocol and of the devices that use it. But do you really know *all* the means at your disposal for compromising such devices? In this talk, we will cover lesser-known aspects of the Bluetooth Low Energy protocol and how they can be exploited to compromise the integrity and security of connected devices. Some of these techniques were discovered while analysing various implementations, or directly during tests carried out on home automation devices or smartphones; others are very little known or have never been published to date. Whether you are an expert in this communication protocol or simply a curious newcomer eager to discover advanced attacks, this talk may teach you some rather surprising things.
virtualabs
The basics of radio hacking, how to approach RF security, and why it is essential to understand how it works in an increasingly connected world.
Beemo (Noë Flatreaud)
"Smart city" applications promise security, modernity and energy savings. On paper, everything is perfectly under control. In reality... let's say it is more illuminated than secured. This presentation analyses a mobile application that lets users control street lighting, report dangerous areas and share their location with relatives. Officially, the system is protected and restricted (and, according to its creator, "unhackable"). In practice, even a moderate understanding of how it works makes it possible to bypass the geographic restrictions and switch on all the street lights of a city (or even of hundreds of municipalities) without any authentication. But that is only the beginning. Critical flaws also make it possible to identify supposedly anonymous users, reconstruct their habits, access private events and manipulate real-time location sharing. Through rigorous technical analysis and a certain sense of nuance, this talk highlights a simple truth: claiming advanced security is not enough to make it real.
MadSquirrel Benoît Forgette
Have you ever tried to sneak into a high-security event?
Probably not; we have :).
In this talk, we will see how the security arrangements of some of the biggest events can be bypassed using different methods, tools and techniques, from OSINT to social engineering.
Based on real physical intrusion cases, we will dissect their architecture: perimeters, access zones, human roles, accreditations, etc.
Finally, demonstrations will illustrate how systems designed to protect can become exploitable as soon as validation relies on human mechanisms.
SkyZe
How to listen to the 3G network with what you have at hand? With a TV receiver, a home-made antenna, gr-gsm and simple_IMSI-catcher.py!