Opening words by Sylvain Pasini, president of the Black Alps association, and general chair of #BlackAlps23.

What happens if you compromise a host in the target environment and all of your common tradecraft is no longer viable due to system hardening and patching? The ability to discover, triage, and exploit vulnerabilities on red team operations has become a critical skill set, especially for those targeting mature organizations. It opens many new avenues to build attack paths that otherwise would not be available with common techniques. Discovering new exploitable vulnerabilities on Windows systems, however, can be a daunting task. Many view it as a process that requires an immense amount of time, skill, and often plain old luck. Because of how critical this skillset is to our operations, we have invested an immense amount of time into honing our approach for identifying vulnerabilities that we can quickly leverage while constrained by time. This approach has continuously yielded exploitable vulnerabilities in both commercial and consumer applications in modern versions of Windows, primarily facilitating local privilege escalation (LPE) and remote code execution (RCE), but also providing novel methods of persistence and initial access. In this talk, we will share our heuristics for quickly triaging a host to identify potential vulnerabilities, discuss the common bug classes that we are hunting for, walk through their exploitation, and provide case studies of vulnerabilities that we’ve found on real world operations. After attending this talk, the audience will understand how to optimize their own vulnerability research process and how to exploit some of the most prevalent vulnerabilities we see in our work.

While performing a red team assessment, due to limited scope, we were forced to look for 0-day vulnerabilities on a Fortinet appliance. This talk describes how we found and exploited CVE-2023-27997, a pre-authentication remote code execution vulnerability affecting the VPN interface of Fortigate, affecting hundred of thousands of servers on the internet, and used it to completely compromise the company' intranet. It will cover the vulnerability research process from start to finish, starting from how to get a shell on a local appliance, our research logic, the bug and the exploit, and finally how to persist on the target despite reboots.

This talk presents `ghidriff`, a new open-source Python package that offers a command line binary diffing capability leveraging the power of Ghidra with a fresh take on the standard patch diffing workflow.

As seen in most security blog posts today, binary diffing tools are essential for reverse engineering, vulnerability research, and malware analysis as they identify added, deleted, and modified functions between two binaries. Matching functions across binaries is a challenging and asymmetric problem because of complex function relationships and the many changes that can occur after a simple change is introduced into the source of a binary. `ghidriff` overcomes this challenge by offering the latest function matching heuristics while also providing the user the ability to extend it with custom function correlation classes. Like other binary diffing solutions, the tool stands on the shoulders of giants (SRE tooling) to interpret a binary and provide a consistent and reliable approach to binary diffing. Unlike other tools, `ghidriff` offers a command line experience, simplifying the entire patch diffing workflow to only a single step, significantly reducing analysis time. Additionally, the results of the diff are rendered as beautiful markdown files that can be shared and hosted almost anywhere.

`ghidriff` is the open source tool security researchers need to quickly understand the latest patched vulnerabilities and easily share their next vulnerability writeup with the security community.

Quantum computing is often portrayed as an imminent threat, but what exactly is it all about? This presentation is designed for a wide audience of security professionals, and aims to address the most important questions.

We will first introduce the concept of quantum computing, describing the key notions of quantum speed-up and quantum parallelism, as well as the notions of universal computation, scalability, and quantum error correction.

We will then give an overview of quantum computing research, describing the leading companies in the space and their main achievements, such as factoring the number 15 into 3×5 (with high probability). We'll explain the difference between real quantum computing and simulated quantum computing, which is not always made very clear by the vendors.

We will explore the various ways in which quantum computing could impact TLS connections, VPN services, secure messaging, 4G/5G communications, database encryption, and blockchain platforms. This information aims to assist the audience in understanding how to manage risks differently for distinct applications.

Additionally, we will offer guidance on conducting and documenting a risk assessment for your organisation or clientele. Lastly, we will outline practical options for transitioning to post-quantum cryptography by examining the post-quantum offerings of technology companies, including cloud service providers, VPN service providers, and hardware manufacturers.

This presentation does not necessitate any prior knowledge of quantum physics or quantum mechanics, and may even include adorable kitten images

Achieving execution of your payloads in typical phishing or red-team scenarios, without being outright prevented, is a constantly moving goal post. It can be almost as frustrating as when you finally develop a payload that meets your needs, only for it to be prevented by a brittle detection logic soon thereafter - leaving you to start from square one.

In this talk, we will cover a variety of core principals we apply to our .NET payloads to increase longevity and effectiveness while decreasing burden associated with development and the build process. Topics spanning entropy-conscious obfuscation, runtime protection techniques, dynamic delivery of encryption keys, polymorphic build automation, and more will be covered. We will discuss additional options the .NET framework gives us for sideloading trusted .NET assemblies, to compliment more traditional sideloading techniques. Creating a repository of preferred techniques regarding shellcode injection and other important components of your payload will be discussed, as well as an approach for selecting from your collection of techniques for a plug n' play experience during the build process to best fit your offensive use-case. Finally, we will demonstrate how all of the concepts can be directly applied to payloads that fit a variety of use-cases: initial access, lateral movement, and more.

We hope to demonstrate that following a handful of OPSEC considerations, combined with the added trust of sideloading existing .NET assemblies, can ease the burden and lower the barrier to entry for effective .NET payload development.

Flutter, a popular cross-platform application development kit developed by Google, utilizes the Dart programming language. Dart is an object-oriented programming language with a C-style syntax and features like sound null safety. One of Flutter's key attractions is its ability to develop applications with a single codebase, which can be compiled for various mobile and non-mobile platforms.

While Flutter debug applications pose no difficulty to reverse, release applications are totally different: a nightmare. The challenges arise from several design choices: including default code obfuscation, the utilization of a virtual machine (VM), an evolving and undocumented executable format (Dart AOT snapshot), indirect access to objects and constants, dedicated registers, unique representation of Small Integers (SMI) and non-standard calling conventions.

In this talk, we delve into these challenges and provide techniques and analysis to overcome them. The centerpiece of the talk is a practical demonstration of reversing a Flutter CrackMe app. Initially, even strings remain elusive, and many disassemblers are completely lost. We work our way through the identification of significant functions, encryption loops, access to constants and disassembly of byte arrays. To accomplish this, we navigate between the code in the Dart SDK repository, Dart programs and the Flutter crackme app. We discover that Radare2 excels in recognizing function names (for Dart) and offering insightful assembly comments. JEB disassembler, on the other hand, proves invaluable in recovering the Object Pool, a Dart structure which provides access to objects and constants.

The mobile industry has always had a relationship with the hacking community and it has often been collaborative when it comes to protecting consumers.

This is the first time that the mobile industry has spoken about its work with the security research community which started with very informal relationships with hackers and developed into the world’s first cross-industry Coordinated Vulnerability Disclosure (CVD) scheme. The scheme that has run since 2017 has had 70 submissions affecting technologies used by the entire mobile industry. The resulting fixes have saved end users from major pain through the avoided exploitation of the disclosed vulnerabilities.

The speaker will take the audience on a journey through mobile hacking history from the industry’s point of view. Highlights include SS7 signalling attacks and rogue base stations through to femtocell hacks, LTE network breaches and lots of clever device hacking as well as some legendary names from the hacking world. The talk will focus on the technical details of the hacks, how we were able to address them as an industry; what went wrong and what we learnt along the way. The talk will also look at where we can go together in the future and what types of technology challenges and issues we expect to see.

Command-line obfuscation is one of the most common methods adversaries use to avoid detection. These methods include changing the case of letters in the paths to binaries, adding symbols that are ignored by the command-line interpreter, using homoglyphs or storing the arguments in variables and re-ordering them on the command-line, etc. Most security solutions use signatures to detect state-of-the-art malware requiring threat analysts to create an exhaustive enumeration of signatures for obfuscation techniques. Instead of signatures, we utilize an NLP approach that can generalize and detect previously unseen obfuscation techniques.

The proposed NLP method consists of two components, a tokenizer and a classifier. The tokenizer augments the command lines and transforms them into a low-dimensional representation without losing information about the underlying obfuscation technique. Since the command line has a different structure than natural language, the pre-trained classification model is fine-tuned on samples observed in the wild.

The experiments demonstrate that the approach yields high precision and recall with a small number of false positives. Additionally, it uncovered new hard-to-detect obfuscation techniques that rely on pre-installed software on the operating system. The novel detections include new strains of the Raspberry Robin worm on Windows 11 that use a highly obfuscated execution of wt.exe or Gamarue that uses rundll32.exe to execute its obfuscated payload.

VPN Always-On is a security control that can be deployed to mobile endpoints that remotely access corporate resources through VPN. It is designed to prevent data leaks and narrow attack surface of enrolled end-user equipment connected to untrusted networks. When it is enforced, the mobile device can only reach the VPN gateway and all connections are tunnelled.

We will review the relevant Windows API, the practicalities of this feature, look at popular VPN software and... bypass them with ridiculously complex exfil methods but also with unexpectedly trivial tricks. We will exploit design, implementation and configurations issues to circumvent this control in offensive scenarios. We will then learn how to fix or harden VPN Always-On deployment to further limit the risks posed by untrusted networks.

This talk is more than just the outcome of my technical research against one particular network security feature. It is an attempt to fully embrace the hacker spirit through the revolt against Control, the unreasonable time trying to understand the technological subtleties and finally the sharing of beautifully simple techniques to break free.

This original research has outcome that will give security practitioners (blue & red) tangible ways to attack & defend in the context of corporate VPN setups. I am not a security researcher but I would like to share my experience on this topic after years of penetration tests and red-teaming in mature environments.

Kubernetes (K8s) is a leading container orchestration platform, and it has revolutionized how we build, deploy, and manage containerized applications. However, with great powers comes great responsibilities. This research uncovers attackers' methods to infiltrate and remain undetected in a compromised K8s cluster.

Using real-world applications as examples, we delve into the various tactics, techniques, and procedures (TTPs) that attackers or malicious users can leverage to exploit your K8s cluster. A detailed examination of an attack scenario starts from the initial compromise of a pod. We illustrate many strategies to escalate privileges, from exploiting misconfigurations to leveraging software vulnerabilities. Subsequently, we analyze the steps involved in container escape, which enables an attacker to access the underlying node, effectively breaching the host. Furthermore, our analysis includes studying stealth techniques that allow attackers to remain undetected within your K8s cluster. Using sidecar containers, attackers can mask their activities and maintain persistence within the environment. We illustrate how such an attacker could escalate their privileges to eventually become a K8s cluster administrator, thus gaining complete control of the victim's environment.

Despite the grim picture painted by these potential attack vectors, we demonstrate that proactive detection and response strategies can significantly mitigate these risks. Using K8s' built-in security features and audit logs, we provide insights into identifying potential indicators of compromise (IoCs). As part of our mitigation strategies, we explore using runtime security tools such as Falco. Falco enables creating and deploying of rules that detect abnormal behavior within your K8s cluster. By detailing the implementation of such rules, we provide a robust guide to enhance the detection of and response to a broad array of potential attacks. The research aims to enhance the understanding of potential threats facing a Kubernetes environment and offers comprehensive guidelines on securing the K8s cluster. Understanding an attacker's modus operandi and the appropriate defense mechanisms are integral to maintaining a secure environment in the contemporary landscape of containerized applications and microservices.