Skip to content
BLACKOUT

leHACK TRACKS

conferences TRACK View track >

27/06/2025

10:30 From HTML Injection to Full AWS Account Takeover: Discovering Critical Risks in PDF Generation EN From HTML Injection to Full AWS Account Takeover: Discovering Critical Risks in PDF Generation Modern web applications often provide features like PDF generation to enhance user experience, but these functionalities can inadvertently introduce critical vulnerabilities when improperly secured. During a recent penetration test, we identified a severe HTML injection vulnerability in the PDF file generation feature of two separate applications. Exploiting this weakness, we demonstrated the potential to perform Server-Side Request Forgery (SSRF) attacks, enabling access to internal files and sensitive application source code. This session provides a detailed, real-world example of how a seemingly minor vulnerability can have catastrophic consequences. It emphasizes the importance of secure development practices, robust cloud configurations, and proactive vulnerability mitigation. Attendees will walk away with practical strategies to strengthen their security posture, making this talk both educational and actionable. Raunak Parmar

Raunak Parmar
11:15 Up and Down Technique: Exposing Hidden Data from RAG Systems FR Up and Down Technique: Exposing Hidden Data from RAG Systems Retrieval-Augmented Generation (RAG) systems have revolutionized how LLMs (Large Language Models) access "additional" knowledge, powering everything from enterprise chatbots to cutting-edge research tools. However, their architecture, designed to integrate text chunks to give additional context to prompts, also opens the door to innovative data exfiltration techniques. In this talk, titled "Up and Down Technique: Exposing Hidden Data from RAG Systems", Pedro presents a technique he discovered that enables adversaries to systematically extract sensitive information from RAG applications via prompt injection. During this talk, we’ll deep dive into the internals of RAG systems by analyzing their architecture, embeddings, vector databases, and prompt anatomy. Pedro will demonstrate, using real-world examples, how attackers can exfiltrate data from documents via carefully crafted prompt injections. More importantly, the presentation will provide a set of comprehensive mitigation strategies. Designed for red teamers, bug bounty hunters, developers, CISOs, and cybersecurity enthusiasts, this talk bridges the gap between theoretical vulnerabilities and practical, actionable defense strategies, equipping security professionals with the knowledge they need to protect modern, AI-powered applications against emerging threats. Pedro Paniago

Pedro Paniago
14:00 Cache me if you can, smuggling payloads via browsers caching systems FR Cache me if you can, smuggling payloads via browsers caching systems Malware deployment is a critical stage during a red team exercise, as it allows redteam operators, if performed successfully, to gain access to a target’s internal network. For a while, the easiest way of delivering malwares was to send an email with an attachment, the malware itself. Although this technique still sometimes works, blue teams are monitoring it more and more, and numerous security tools were created to block such attachments. As such, it was necessary to find others ways of delivering malwares. This presentation introduces one, cache smuggling, which leverages browser caching mechanisms to bypass traditional security defenses and deliver malwares. Additionally, we will see that such mechanisms can be used to facilitate silent reconnaissance of internal networks as well as information gathering and, finally, how you can protect your company and yourself against it. Aurélien Chalot

Aurélien Chalot
14:45 Quantum computing demystified: A beginner’s guide and cybersecurity implications FR Quantum computing demystified: A beginner’s guide and cybersecurity implications This talk will give an understanding of basic quantum computing principles, the importance of PQC, the role of QKD in secure communications, and the transformative impact of quantum technologies on the cybersecurity landscape. We will overview the concepts of quantum computing, by providing a foundational understanding for beginners and explore the implications for cybersecurity. 1. Basics of quantum computing: explanation of key concepts: qubits, superposition, entanglement, quantum gates. 2. Introduction to quantum programming (Q#) with simple examples 3. Quantum computing and cybersecurity: - Post-Quantum Cryptography (PQC): - Quantum Key Distribution (QKD): 4. Quantum Attacks and Cybersecurity Implications: What is possible today an in the (near) future with the threat posed by quantum computers to current encryption standards? Robin Descamps

Robin Descamps

Robin is a consultant and ethical hacker leading and executing penetration testing, red & purple teaming, and security research projects for various clients, aiming to identify their cyber vulnerabilities and mitigate their risks. He contributed to improving the security of several companies, such as Deutsche Telekom, BMC Software, and Pydio, by uncovering and reporting multiple 0-day vulnerabilities. He recently got interest in quantum computing security, being involved in several related events. His classic background allows him to demistify quantum computing from a “classic hacker” point of view rather than a specialised researcher.
15:45 The Last Resort: Debugging Embedded Systems with Unconventional Methods FR The Last Resort: Debugging Embedded Systems with Unconventional Methods A debugger is always a valuable tool when searching for vulnerabilities, particularly in embedded systems where multiple peripherals may be involved. Most targets support either well-standardized debug protocols such as JTAG or SWD, or rely on proprietary alternatives. These debug ports are often locked to prevent unauthorized access. When locked, depending on the chip, it may still be possible to reactivate them by exploiting a bug. In rare cases where this is not possible, direct modification of the firmware may be an option. In such scenarios, an on-chip debugger can be implemented within the firmware itself. While potentially unstable, this type of debugger can be highly useful for firmware analysis and exploit development. This talk offers an overview of low-level concepts related to interrupts, followed by a detailed guide on building an on-chip debugger, addressing the various choices and challenges that may arise during the process. To begin with, a communication channel is required, preferably one that remains operational even during a debug interrupt. An initial breakpoint must be set on the target to trigger the debugger. A debug handler, ideally written in assembly, needs to be implemented and configured to listen for commands responsible for reading and writing memory and register contents. An intermediate server between GDB and the target must also be created. Several open-source skeletons are available to assist in this task. In addition, the talk places special emphasis on designing a lightweight debugger, as it is intended for embedded targets. It will therefore present techniques to keep the code as minimal and efficient as possible.

Vincent Lopes
16:30 Active Directory: Hall of Shame & Physical Pwnage FR Active Directory: Hall of Shame & Physical Pwnage Active Directory reste la cible numéro un des attaquants, et honnêtement... certaines configurations nous facilitent beaucoup trop la tâche. Dans ce talk, je vais partager une collection des pires erreurs de sécurité que j’ai rencontrées en Pentest. Au programme : un "Hall of Shame" des failles les plus ridicules, honteuses et dangereuses que l’on croise encore trop souvent : -DCSync pour tout le monde – Quand récupérer tous les hashes NTLM devient trivial -Password Policies from Hell – Des exigences tellement mauvaises qu’elles favorisent le cracking -Users’ Description WTF – Des creds en clair directement dans les champs AD -Old but Gold Protocols – NTLMv1, LDAP simple bind... du pain béni pour les attaquants -Service Accounts: The Backdoor Special – Comptes à privilèges cachés, souvent avec Kerberoasting offert -Delegation Disasters – Escalades absurdes via des délégations mal configurées -ADCS ESC1: The First Step to Total Control – Comment pwn AD avec des certificats mal configurés -Plaintext Passwords: Peak Shame – GPOs et scripts qui balancent des mots de passe en clair -GPOs That Shoot Themselves – Quand les admins se tirent une balle dans le pied Démo: Ski Resort Domain Admin Challenge Pour illustrer ces fails en action, je vous montrerai une attaque réel où l’on passe d’un simple accès sur le réseau à Domain Admin en quelques étapes, grâce à un cocktail de mauvaises configs et de relai NTLM. Bonus : "10-Minute Physical Intrusion Challenge" Parce qu’un AD mal sécurisé, c’est bien, mais si on peut aussi poser les mains sur le serveur en moins de 10 minutes, c’est encore mieux… Pourquoi ce talk ? Ce n’est pas un énième talk sur les bases d’AD. Ici, on va se moquer (gentiment) des pires fails qu’on voit en entreprise et montrer comment les exploiter efficacement. Objectif : fournir aux attaquants des techniques réelles et pragmatiques, et (pour les défenseurs dans la salle) leur donner envie de corriger ces erreurs critiques immédiatement. Nicolas Aunay

Nicolas Aunay
17:15 Keep-it-alived : Étude de la sécurité du protocole VRRP FR Keep-it-alived : Étude de la sécurité du protocole VRRP VRRP (Virtual Router Redundancy Protocol) est un protocole open standard conçu pour garantir la haute disponibilité des routeurs. Éprouvé et largement adopté, il est utilisé dans de nombreuses infrastructures réseau. Cependant, la question de sa sécurité est rarement abordée en profondeur dans les ressources disponibles en ligne. Par exemple, VRRPv2, encore très répandu aujourd'hui, propose deux modes d'authentification, dont l'un est facilement contournable. En revanche, dans VRRPv3, la fonctionnalité d'authentification a été supprimée, les auteurs du protocole estimant que la sécurité devait être gérée en amont. Dans cette présentation, j'examinerai les implications des choix de conception de VRRP en matière de sécurité et mettrai en évidence les vulnérabilités susceptibles d'en découler. Pour cela, je m'appuierai sur Keepalived, une implémentation open source populaire de VRRP. Enfin, je présenterai une faille de conception que j'ai découverte dans le protocole VRRP lui-même (RFC 9568), avec l'aide des mainteneurs du projet Keepalived. Cette vulnérabilité permet à un attaquant sur le même réseau d'usurper le rôle de routeur "master" en cas de conflit de priorité VRRP, même lorsque celle du routeur master légitime est au maximum (255). Elle a fait l'objet de l'erratum 8298, validé par l'IETF. Geoffrey Sauvageot-Berland

Geoffrey Sauvageot-Berland
17:45 Confessions of a Linux drama queen: When hackers are totally ruining your life EN Confessions of a Linux drama queen: When hackers are totally ruining your life It's one of those mornings. You just crushed your early workout, feeling all kinds of invincible, you're halfway through your first sip of coffee, mentally planning your day, when your SOC team drops a bombshell: Suspicious activity has been detected on a critical system. Suddenly, it's not the caffeine waking you up, it's sheer panic!! But let’s be real—cyber drama is inevitable. What separates the pros from the panicked is how we respond. In the Linux world, post-compromise activity isn’t just a mess; it’s a story waiting to be told. From tracking suspicious IPs and unexpected file creations to analyzing logs and identifying rogue services, our job is to piece together exactly what happened and how. Because let's face it, while trends come and go, resilience never goes out of style. Join me in this session as we turn the chaos into clarity and decode the drama, and maybe even add a little sparkle to incident response.  Melina Phillips

Melina Phillips
18:00 The imposter’s guide to Hacking (With DEMOs!) EN The imposter’s guide to Hacking (With DEMOs!) "Hear from a lifelong imposter who has been fooling people for decades! Watch examples of the no talent and lack of technical knowhow Hacks using just a credit card & imagination. See a new perspective on utilizing everyday devices & toys being repurposed with almost zero modification into attack tools. Marvel at the audacity of this speaker’s declaration of his right to be called a Hacker! Then strap in as you listen to this “pick me guy’s” virtue signaling rants on subjects that he can only be considered a tangible ally on at best! Try to make it to the end of his talk where he casts judgments & harsh critiques on a community & society that is failing so many of us with nonsense standards, unseen privileges & prejudiced expectations which are only there to appease gatekeepers & bullies whose insecurities fuel the toxicity in OUR community! Oh, and there will probably be some memes so yeah I'm sure that'll help!" Jayson E. Street

Jayson E. Street

28/06/2025

10:00 Beyond Scanners: How Hands-On Recon Led Me to My First €1K Bug FR Beyond Scanners: How Hands-On Recon Led Me to My First €1K Bug In this french-language talk, I’ll share how I uncovered a €1,000 vulnerability by combining a user’s perspective with targeted technical analysis—without relying on automated scanners like Nmap or FFUF. As a new bug hunter, I explored the application’s functionality like a real user, studied its code behavior, and tested custom scripts to zero in on overlooked entry points and subtle misconfigurations. I’ll show you how adopting a user-focused mindset, backed by hands-on experimentation and minimal tooling, can reveal high-value bugs that scanners often miss. Whether you’re just starting out or looking to refine your methods, come learn why manual recon remains one of the most powerful techniques in any bug hunter’s arsenal.

Gaëtan Herfray
10:45 DCOM Turns 20: Revisiting a Legacy Interface in the Modern Threatscape FR DCOM Turns 20: Revisiting a Legacy Interface in the Modern Threatscape Part of Windows operating system for over 20 years, DCOM (Distributed Component Object Model) has received a lot of attention from the security research community. Ranging from lateral movement and privilege escalation to persistence techniques, DCOM is an extremely versatile attack vector. Yet, its inner workings remains unknown to many security experts. To close this knowledge gap, we will take a deep dive into DCOM latest research works — including this year's many new contributions— through practical use cases and tooling. A comprehensive testing framework will eventually be presented, enabling security researchers to build upon these previous works more effectively. At last, we will discuss practical defensive strategies, along with key insights to help security analysts effectively detect and respond to DCOM-based abuse.

Julien Bedel
11:45 Espilon [Unknown bot net] FR Espilon [Unknown bot net] When you hear the term **“botnet”** mentioned during a regular chat with your friends at the local coffee shop, you think of compromised computers and massive infrastructures, don't you? Well... So was I, until I found myself down the rabbit hole I want to share with you. This talk will present another way to get bots netting. A tale of cheap ESP32 microcontrollers and custom firmware to establish a gprs connection to a command & control. Execute remote commands, do surveillance and eavesdropping, exfiltrate data, or even... triangulate Bluetooth signals... ! We built a custom C2 and firmware ourselves, because why not?? I've been told that's how we become *l33t hackers* _(ツ)_/¯ Because spending far too much time developing all this wasn't enough, we now invite you to this 45-minute course on why you shouldn't trust your ESP32 too much ;)

EUN0US
14:00 Hacking de jeux vidéo: Casser des jeux et protéger le sien! FR Hacking de jeux vidéo: Casser des jeux et protéger le sien! Le pentest de client lourd, ça ne vous fait pas rêver? Et si au lieu de cracker un quelconque logiciel industriel on développait plutôt un petit cheat? C'est le même principe! Tour d'horizon des différentes méthodes de hacking de jeux et focus sur l'édition de la mémoire d'un process avec Cheat Engine. Du simple remplacement de valeurs jusqu'au patching d'instructions avec l'"autoassembler" Et bien sûr présentation des différentes méthodes de protections de binaires... et de leurs limitations face à un hacker déterminé! Lucas Parsy

Lucas Parsy
14:45 Eastern Promises: Mobile VRP Lessons For Bug Hunters FR In the past few years, we've tried our hand at Vulnerability Reward Programs of all kinds of mobile vendors’ products and attack surfaces. Like many others, we’ve encountered as many misses as hits, learning valuable lessons from the mistakes we (and sometimes the vendors) have made. In this talk, we will focus on the takeaways from all this. Some of it has got to do with how to and not to select an attack surface or a product model, how to decide what to give up on and what to double down on, and how to make the best use of the decisions that vendors communicate and the security updates they publish. To keep the content technical, we’ll go back to our vault of Android vulnerabilities and discuss some of our past VRP submissions in the context of lessons to take from them. 

Laszlo Radnai

Laszlo Szapula (LaTsa)

Laszlo Szapula (LaTsa) started as an intern at TASZK Security Labs and is now a full time member of the vulnerability research team, where he converts Ghidra projects and Club Mates into reverse engineered code. He is focused on the low-level security of Android based smartphones, including the Android kernel, hypervisors, trustzones and basebands. As presenter, his experience includes delivering mobile exploitation trainings at conferences like OffensiveCon and Hardwear.io.
15:30 Fun with watches: hacking a 12€ smartwatch with Bluetooth Low Energy and 3 wires FR French company GiFi sold in 2024 and early 2025 a cheap smartwatch under its Homday Xpert brand, and we resisted as much as we could but in the end bought some of them to see what it was made of. In this talk, we will explore this smartwatch's internals, from tear-down to firmware extraction (using a weird technique exploiting a remote vulnerability combined with some electronics), to the analysis of the gathered files. We'll also dive into Chinese vendor JieLi system-on-chips and its related ecosystem, and reveal the truth no one really expected about this smartwatch (really, nobody ain't see this coming ?).

Virtualabs

Xilokar
16:30 The Art of Staying In: Unconventional Backdoors on Windows and Linux FR **What if a backdoor didn't need malware, a shell, or even a running process?** This talk explores **non-traditional backdooring techniques** — built not on binaries, but on behavior. We explore how attackers leverage **configuration, environmental trust, subtle logic chains, and latent system features** to build long-term, stealthy footholds using only native system features. No payloads, no daemons — just strategic misuse of what's already there. Rather than focusing on registry keys, cron jobs, or service hijacking, we frame persistence in terms of **core primitives**: the ability to **read**, **write**, **execute**, **leak**, **deliver**, or **trigger**. These primitives can be enabled entirely through subtle, often legitimate system features — shell not always required. Some implants exist purely in configuration. Others live only in memory, or activate only when specific, attacker-controlled conditions are met. These techniques don't rely on conventional malware — and often blend into backups, trust chains, or benign system behaviors. This talk is built from tested tradecraft, real red team operations, and exploratory research. 

M101
17:15 GPOParser: Automating Group Policies extraction to reveal security gaps FR Group Policy Objects (GPOs) are a set of configurations applied to users and computers within a Windows domain. They allow administrators to enforce security settings, software installations, scripts, and other system policies to ensure consistency and compliance within an organization. GPOs are a fundamental and critical component in the security management of Active Directory. The enumeration of these configurations can uncover opportunities for privilege escalation or lateral movement within an Active Directory environment. However, enumerating these configurations can prove to be tedious and time-consuming: understanding the various use cases and identifying the specific targets of these policies can be complex and labor-intensive. The goal of this talk is to present a tool that automates these tasks, along with the reasons justifying the creation of such a tool. After providing context on how GPOs function, a demonstration of the tool will be given. 

Wilfried Bécard
18:00 Modbus, APTs, and Other Ways Humanity is F**ing Up the Climate EN Let’s face it: The apocalypse is being debugged by idiots. Picture this: A state-sponsored hacker in a tracksuit hijacks a Modbus-connected dam in 1990s-era code. A disinfo bot army blames the resulting flood on “vegan energy policies.” Meanwhile, your smart thermostat becomes a pawn in a cyberwar over Arctic oil. Welcome to 2025, where climate action is getting hacked faster than your grandma’s Facebook. In this talk, we’ll explore: - APTs’ climate kill list: Energy grids, carbon capture labs, fusion reactors—all hacked via 1970s-era code. - Why Modbus is the cybersecurity equivalent of a flip phone—and why APTs love it. Geopolitical clown shows: - Russia’s “Dark Winter” playbook: How Sandworm hijacked Modbus to freeze European cities and spark a fossil fuel revival. - China’s “Silent Grid” ops: APT41’s attacks on solar farms and EV charging networks—and the shockingly simple Modbus flaws they exploited. - The Lazarus Greenwash: North Korea’s fake ESG ransomware targeting carbon credit markets. - Iran’s “Sandstorm”: Manipulating water treatment sensors to worsen droughts in rival nations. - Stupid human tricks: From AI-powered grid attacks to hacking disaster relief drones. - How to unf* the future**: Threat hunting for climate villains, securing OT systems with duct tape and hope, and why cyber hippies might save the world. You’ll walk away with: - APTs’ TTPs for OT attacks: From Modbus MITM to PLC bricking. - How to weaponize threat intel: Correlating geopolitical events with ICS vulnerabilities. - The Future of Climate Cyberwar: AI-Driven Attacks on Hydrogen Plants, Quantum Exploits, and Why COP30 Might Become a Hacker’s Playground (Hopefully Not!) Cybelle Oliveira

Cybelle Oliveira
19:00 Ah, I see, you’re a Domain Controller as well FR “They told me I could be anything I wanted—so I became a Domain Controller,” he said, with the dramatic flair of a villain revealing his masterstroke. --- Active Directory remains the beating heart of most enterprise environments. While lateral movement and privilege escalation have long been staples of security conferences, persistence techniques often fly under the radar. Among them, DCShadow stands out—a powerful yet underexplored method that has seen little evolution since its debut in 2018. This talk changes that. We’ll walk through the development of the first all-Python DCShadow proof-of-concept, a journey far more treacherous than it sounds. From protocol quirks to undocumented behaviors, this technical deep dive is packed with lessons learned, pitfalls encountered, and how they were overcome. Whether you’re a red teamer, blue teamer, researcher, or just someone fascinated by AD internals and offensive tooling, you’ll come away with a practical understanding of DCShadow and what it takes to bring a complex idea to life. Charlie Bromberg

Charlie Bromberg
19:45 Physical Security : What you don’t see… FR Comme pour le Pentest Cyber, une grande part de l'intrusion physique nécessaire à un RedTeam consiste en la préparation de l'intrusion. Alors que les technologies de protection évoluent (RF, RFID, serrures électroniques, caméras intégrant de l'IA...), les méthodes d'attaque et de Reverse Engineering évoluent aussi (Analyse mécanique, Osint, recherche de bases de données, mais également des méthodes plus poussées comme les scanners 3D ou les Rayons X). Lors de cette conférence, nous verrons essentiellement cette démarche de pré-intrusion, les méthodes de Reverse Engineering low-tech et high-tech afin de préparer au mieux une intrusion. Ces méthodes permettront de créer des outils et des approches adaptées à des serrures de bâtiment et de coffre fort, des systèmes d'organigramme ou encore des systèmes électroniques. Mr Jack

Mr Jack