Solution Hackeuse soon at OrangeConSo, a bit late, but a TL;DR of the #sstic2025 :D
Kube scale me one more time – TL;DR:
(The demo is made on GCP, but it can affect other cloud providers such as AWS' EKS.)
The issue comes from:
- the creds of a deleted Node are still valid
- a node, when created, can provide its own providerID.
Thus, by using the autoscaling functions, it’s possible to priv esc from a machine (actually just having kubelet creds) to the admin of the K8S cluster.
https://github.com/padok-team/kne
——
Argo CD secret - TL;DR
Using misconfiguration of secrets, you can become an admin of the ArgoCD cluster.
Please review who can view the argocd-secret. Make sure only the Argo CD UI can access them. Disable the local admin if not needed.
https://www.ledger.com/argo-cd-security-misconfiguration-adventures
——
All the ways are going to DROP; TL;DR:
About BT Mesh 1.1, a really recent protocol. Any attacker in the mesh can create a fake route rule (in the forward table). This could remove some nodes from the network or intercept the communications between two nodes.
———
We Have A Deal: we provide the lego bricks, you build cool wireless attacks; TL;DR:
This talk is about why and how WHAD (a toolkit to implement radio attacks; whad.io) is made in a modular way, where each action is a brick, you linked to the others.
whad.io
———
Key recovery in ; TL;DR:
This famous MCU is composed of 2 cores: one for the user mode, the other for the radio. The radio firmware is encrypted and signed with an internal PKI. This core is also responsible for ingesting some AES keys for encryption (as a security computation unit, as a TPM or an HSM).
By using a race condition, we can dump and even rewrite the radio firmware from the user core.
Some days before the talk, they pushed a new firmware with a new update mechanism. It’s easier to bypass the update verification.
https://blog.xilokar.info/stm32wb55-fus-20.html
———
afl-cov-fast; TL;DR:
It’s a tool to create coverage information from AFL++ when we don’t have sources. It works for every runner (qemu, Frida, etc.) and covering data is able to be loaded in any reverse tool (via plugins).
https://github.com/airbus-seclab/afl-cov-fast
———
Pyrrha & friends; TL;DR:
Tool to increase the productivity in the reconnaissance phase of a file-based firmware (currently only executables). It gives usage data of the binaries and functions across the system.
https://github.com/quarkslab/pyrrha
———
Pwn a car entertainment system in 5 mins ; TL;DR:
Pentest of an entertainment system embedded in a used car that can be found in the wild. These cars are the FR state cars. The pentest is performed by an attacker being outside the car and without user interaction.
The rooting of the system has been realized by exploiting an old vulnerability in a totally different way than provided in the small disclosed details of the CVE.
The rooting of this system can result in the sending of CAN commands.
———
ID of MCU firmware; TL;DR:
How the file/libmagic db has been improved to identify the firmware of an MCU. Pushed in the upstream db of the file/libmagic.
Also, to know the exact chip targeted by the firmware, the chiprec.py script has been created.
https://github.com/erdnaxe/chiprec
—————————
Eurydice; TL;DR:
Web UI, solving a lot of issues regarding the file transfers to a classified environment via a network diode.
Only useful when you got a network diode :D
https://github.com/ANSSI-FR/eurydice
——————
WireGo; TL;DR:
A flexible plugin development framework for Wireshark. It has been created to develop a Wireshark dissector plugin faster when reversing a protocol.
https://github.com/quarkslab/wirego
———
APKPatcher; TL;DR:
Tool to quickly and reliably patch APK, add proxies and certificates, libraries, and much more.
NB: not apk-patcher, but apkpatcher (no dash)
https://apkpatcher.ci-yow.com/
https://gitlab.com/MadSquirrels/mobile/apkpatcher
———
hrtng; TL;DR:
Plugin IDA Pro to automate some recurring tasks when reversing (incl. vtables!)
https://github.com/KasperskyLab/hrtng
———
Windows Kernel Shadow Stack; TL;DR:
Analyze the implementation of the shadow stack in the Windows kernel.
It uses HVCI-like protection to render the shadow stack really read-only for the kernel and read-write in the secure kernel. It is well effective. This protects against the ROP, but, of course, not this JOP.
https://github.com/synacktiv/windows_kernel_shadow_stack
———
Windows network tooling; TL;DR:
Tool with Scapy to implement a secure and modern implementation of LDAP, DCE/RPC, and SMB. In a nutshell, like impacket, but with the modern Windows security, every SSP everywhere. So it does not fail each time we meet a secure configuration of a Windows env.
Merge in Scapy, except the DEC/RPC compiler, which is in another project : github.com/gpotter2/scapy-rpc
https://github.com/secdev/scapy
https://github.com/gpotter2/scapy-rpc
———
Mofos; TL;DR:
VM management, as Qubes OS, but with KVM/LibVirt
https://github.com/Synacktiv/mofos
———
Analysis of MS365 auth; TL;DR:
Deep analysis of the MS365 OAuth to try to LPE without the user noticing.
———
Feedback of PQC pentest; TL;DR:
Small feedback on how works some part of the PQC and how to pentest it.
To learn more, check the blog post of SynAcktiv
———
Quic; TL;DR:
There are some default implementations of the QUIC protocol, e.g., some values that should be truly random but are not random.
———
Soxy; TL;DR:
A reliable solution to forward network, files, copy-paste, etc. for RDP, Citrix, VMware Horizon, and XRDP. To transfer the soxy client, a solution has also been created.
https://github.com/airbus-seclab/soxy
———
UDP in proxychains and bbs; TL;DR:
How they implemented UDP in proxychains and some of its limitations. (A lot of error management is not implemented (yet))
BBS is like proxychains, but with routing, logging, and filtering. No UDP yet.
https://github.com/hc-syn/proxychains-ng/tree/udp-associate
https://github.com/synacktiv/bbs
———
SCCMSecret.py; TL;DR:
Test the SCCM access (including anonymous access) and extract files and configurations.
https://github.com/synacktiv/SCCMSecrets
———
What happens if I press here; TL;DR:
Feedback of pentesting industrial things
[FR] https://www.sstic.org/2025/presentation/retex_tests_industriels/
———
Random Factory reset; TL;DR:
There is a low (11 ppm here) but real risk of a conflict in the ACPI access in read only. Take care when dumping the configuration (including sysctl -a)!
———
Explainable AI in malware analysis; TL;DR:
Use the MalConv2 model to determine which function is malevolent or not, tracking off the biases. Dataset to complete.
Currently improving this model based on the capabilities (using mandiant CAPA)
https://github.com/glimps-re/xai-malconv2
https://github.com/FutureComputing4AI/MalConv2
Xilokar
just_nathan
sstic
Eric Dejouhanet
Aris Adamantiadis 
💲Paid