Solution Hackeuse soon at OrangeCon

Multiple people left my team (a Red Team in the Netherlands, in a big company understanding that security is important). They leave because of personal things (family is far, family problems, etc.; of course, we wish them the best). So, we are once again hiring!
Anyone interested?
The team is based in Amsterdam. Relocation should be ok (they relocated me). Language is English; no need to be perfect in English.

Minorities preferred. (Currently I’m the only technical non-man, but, maybe we’ll be more soon!)

#jobalert #job #pentest #redteam #amsterdam

EDIT: no public job offer yet, but I’ll try to keep this post updated

I’m so excited! H2lab finally re-opened their shop!

https://shop.h2lab.org/en/

Hi, we’re back and already prepping for OrangeCon 2026! 🍊We’re looking for trainings to feature at our conference. If you have a training you’d like to give, please fill in this form before 31st December 2025.
You’ll find more details in the sign-up form itself: https://tinyurl.com/Ocon-cfp-2026
🧡
🍊 OrangeCon 2026: Call For Trainings

“Something for everyone.” OrangeCon does not have a specific target audience, so please surprise us! Our ideal course lineup would include both offensive and defensive content, with a focus on new attack/defense techniques. We are looking for 2-3 day trainings for 2026. Please submit whatever you feel may fit.

If you submit a course, please provide as many details as possible. We don't mind reading; longer descriptions are great, especially with regards to things like:
- Who do you envision as your target audience?
- Required knowledge: is this a course for beginners or experts? (Please elaborate on this; things like “requires C and ASM knowledge” really help.)
- We would like to know about your professional expertise, but especially your experience giving (public, in-house) trainings.
- Other thoughts/suggestions/comments.

If you are submitting multiple trainings, please elaborate on whether you can give multiple IRL trainings at the same time or not, and try to explain for which audience each training is best.

Event details:
- Training dates: Monday June 1st to Wednesday June 3rd, 2026
- Location: Meervaart (Meer en Vaart 300) in Amsterdam
- Duration: 2-3 days
- Max capacity per classroom: each class can fit approximately 20 participants
- Conference date: Thursday June 4th

Training prices, ex VAT:
- 2-day training: €1400 early bird / €1500 regular *
- 3-day training: €1800 early bird / €1900 regular *

* Not taking into account (hardware) kits which might be included as part of your training.

Revenue split: 50% of the course price goes directly to trainers; we (OrangeCon) will pay for the venue costs, food, etc. from our 50%.

Please note: we run OrangeCon as a non-profit, aiming to keep the conference accessible to the Dutch infosec community and students. Our own revenue for OrangeCon trainings will go towards this year’s and next year’s conference, keeping OrangeCon affordable for the Dutch community.

The deadline for your submissions is December 31st, 2025.
We prefer submissions via this Google form, but if you have questions or if this is not possible, please contact us at [email protected]. You will receive an acknowledgement that your submission has been received.

No luck in this round for me either :< #39c3tickets #39c3
I’m looking for a ticket for Congress. HMU if you have an extra one.
Unfortunately I had no luck through my space, first and second round :(

The LGBT Lobby 😤

(If you were doubting, it’s OBVIOUSLY a joke)

Hey! Would anyone have a PicoGlitcher to lend me in Amsterdam?
If not, I may print some. Would anyone be interested in buying one? (Unsoldered)

#pico #glitch #glitcher #picoglitcher #hardware #hacking #hardwarehacking

(Ping @mkesenheimer: do you have any spare to sell despite the “sold out” on your tindie? 🥺👉👈)

I scored 63 on the CTF Purity Test! https://ctfpuritytest.com/

Yeah, fair 😅

0 days since I think I should take time to find a nice plugin for handling C++ shit in IDA Pro. Any recommendations?
#ida #idapro

So, a bit late, but a TL;DR of the #sstic2025 :D

#sstic

Kube scale me one more time – TL;DR:

(The demo is made on GCP, but it can affect other cloud providers such as AWS' EKS.)

The issue comes from:
- the creds of a deleted Node are still valid
- a node, when created, can provide its own providerID.

Thus, by using the autoscaling functions, it’s possible to priv esc from a machine (actually just having kubelet creds) to the admin of the K8S cluster.

https://www.sstic.org/2025/presentation/kube_scale_me_one_more_time__exploiting_autoscalers_for_kubernetes_cluster_compromise/

https://github.com/padok-team/kne

——

Argo CD secret - TL;DR

Using a misconfiguration of secrets, you can become an admin of the ArgoCD cluster.

Please review who can view the argocd-secret. Make sure only the Argo CD UI can access them. Disable the local admin if not needed.

https://www.ledger.com/argo-cd-security-misconfiguration-adventures

https://www.sstic.org/media/SSTIC2025/SSTIC-actes/argo_cd_secrets/SSTIC2025-Article-argo_cd_secrets-iooss.pdf
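The review the post recommends, turned into a check you can run against exported RBAC objects, as an added example that is not from the post or from Argo CD's own code. It assumes Argo CD's default `argocd` namespace, that the input is the item list from `kubectl get roles,rolebindings,clusterroles,clusterrolebindings -A -o json` (constructed sample objects stand in for it below), and the documented `admin.enabled: "false"` key in the `argocd-cm` ConfigMap for disabling the local admin.

```python
# Added example (not from the post or from Argo CD's own code): audit which RBAC
# subjects can read the `argocd-secret` Secret in the argocd namespace and whether
# the built-in local admin is still enabled. The RBAC objects below are constructed
# sample data shaped like `kubectl get <kind> -o json` items.

READ_VERBS = {"get", "list", "watch", "*"}


def rule_reads_secret(rule, secret_name):
    """True if a single RBAC rule grants a read verb on the named Secret (or on all Secrets)."""
    if not set(rule.get("apiGroups", [])) & {"", "*"}:   # Secrets live in the core API group
        return False
    if not set(rule.get("resources", [])) & {"secrets", "*"}:
        return False
    if not set(rule.get("verbs", [])) & READ_VERBS:
        return False
    names = rule.get("resourceNames")                    # absent => every Secret in scope
    return not names or secret_name in names


def role_reads_secret(role, secret_name):
    return any(rule_reads_secret(r, secret_name) for r in role.get("rules", []))


def subjects_reading_secret(objects, namespace="argocd", secret_name="argocd-secret"):
    """Return sorted 'Kind/[namespace/]name' labels of every subject able to read the Secret.

    Covers Roles bound in the namespace, ClusterRoles bound via RoleBindings in the
    namespace, and ClusterRoles bound cluster-wide via ClusterRoleBindings.
    """
    roles = {}
    for obj in objects:
        meta = obj["metadata"]
        if obj["kind"] == "Role" and meta.get("namespace") == namespace:
            roles[("Role", meta["name"])] = obj
        elif obj["kind"] == "ClusterRole":
            roles[("ClusterRole", meta["name"])] = obj

    readers = set()
    for obj in objects:
        kind = obj["kind"]
        if kind not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if kind == "RoleBinding" and obj["metadata"].get("namespace") != namespace:
            continue                                     # a binding elsewhere cannot reach this namespace
        ref = obj["roleRef"]
        role = roles.get((ref["kind"], ref["name"]))
        if role is None or not role_reads_secret(role, secret_name):
            continue
        for s in obj.get("subjects", []):
            ns = s.get("namespace")
            readers.add(f"{s['kind']}/{ns + '/' if ns else ''}{s['name']}")
    return sorted(readers)


# Argo CD's own server needs the Secret; any other reader deserves a look.
EXPECTED_READERS = {"ServiceAccount/argocd/argocd-server"}


def unexpected_readers(objects, expected=EXPECTED_READERS):
    return [r for r in subjects_reading_secret(objects) if r not in expected]


def local_admin_enabled(argocd_cm):
    """Argo CD disables the local admin when argocd-cm carries admin.enabled: "false"."""
    return argocd_cm.get("data", {}).get("admin.enabled", "true").lower() != "false"


def _role(kind, name, rules, namespace=None):
    meta = {"name": name, **({"namespace": namespace} if namespace else {})}
    return {"kind": kind, "metadata": meta, "rules": rules}


def _binding(kind, name, role_kind, role_name, subjects, namespace=None):
    meta = {"name": name, **({"namespace": namespace} if namespace else {})}
    return {"kind": kind, "metadata": meta,
            "roleRef": {"kind": role_kind, "name": role_name}, "subjects": subjects}


# Constructed sample cluster state (not a real export).
SAMPLE_OBJECTS = [
    _role("Role", "argocd-server", [{"apiGroups": [""], "resources": ["secrets", "configmaps"],
                                     "verbs": ["get", "list", "watch"]}], "argocd"),
    _binding("RoleBinding", "argocd-server", "Role", "argocd-server",
             [{"kind": "ServiceAccount", "name": "argocd-server", "namespace": "argocd"}], "argocd"),
    # Over-broad: a developer group can read every Secret in the argocd namespace.
    _role("Role", "dev-readonly", [{"apiGroups": [""], "resources": ["pods", "secrets"],
                                    "verbs": ["get"]}], "argocd"),
    _binding("RoleBinding", "dev-readonly", "Role", "dev-readonly",
             [{"kind": "Group", "name": "developers"}], "argocd"),
    # A wildcard ClusterRole bound cluster-wide reaches the Secret as well.
    _role("ClusterRole", "cluster-admin", [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
    _binding("ClusterRoleBinding", "alice-admin", "ClusterRole", "cluster-admin",
             [{"kind": "User", "name": "alice"}]),
    # Read-only ClusterRole without Secrets: must not be reported.
    _role("ClusterRole", "view", [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]),
    _binding("RoleBinding", "bob-view", "ClusterRole", "view",
             [{"kind": "User", "name": "bob"}], "argocd"),
]

SAMPLE_ARGOCD_CM = {"kind": "ConfigMap", "metadata": {"name": "argocd-cm", "namespace": "argocd"},
                    "data": {"admin.enabled": "false"}}

if __name__ == "__main__":
    for r in subjects_reading_secret(SAMPLE_OBJECTS):
        print(f"can read argocd-secret: {r}{'' if r in EXPECTED_READERS else '  <-- review'}")
    print("local admin enabled:", local_admin_enabled(SAMPLE_ARGOCD_CM))
```

The check deliberately treats a wildcard `*` in apiGroups, resources or verbs as a match, and a missing `resourceNames` as "all Secrets in scope", since both are the common ways a read grant on `argocd-secret` hides inside a broader rule. Extend `EXPECTED_READERS` with the other Argo CD components your install legitimately binds before acting on the output.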

——

All the ways are going to DROP; TL;DR:

About BT Mesh 1.1, a really recent protocol. Any attacker in the mesh can create a fake route rule (in the forward table). This could remove some nodes from the network or intercept the communications between two nodes.

[FR] https://www.sstic.org/2025/presentation/tous_les_chemins_mnent__drop__une_valuation_de_la_scurit_dun_mcanisme_de_routage_du_bluetooth_mesh/

———

We Have A Deal: we provide the lego bricks, you build cool wireless attacks; TL;DR:

This talk is about why and how WHAD (a toolkit to implement radio attacks; whad.io) is made in a modular way, where each action is a brick that you link to the others.

whad.io

https://github.com/whad-team

———

Key recovery in ; TL;DR:

This famous MCU is composed of 2 cores: one for the user mode, the other for the radio. The radio firmware is encrypted and signed with an internal PKI. This core is also responsible for ingesting some AES keys for encryption (as a security computation unit, as a TPM or an HSM).

By using a race condition, we can dump and even rewrite the radio firmware from the user core.

Some days before the talk, they pushed a new firmware with a new update mechanism. It’s easier to bypass the update verification.

https://blog.xilokar.info/stm32wb55-fus-20.html

———

afl-cov-fast; TL;DR:

It’s a tool to create coverage information from AFL++ when we don’t have sources. It works for every runner (qemu, Frida, etc.), and the coverage data can be loaded into any reversing tool (via plugins).

https://github.com/airbus-seclab/afl-cov-fast

———

Pyrrha & friends; TL;DR:

Tool to increase productivity in the reconnaissance phase on a file-based firmware (currently only executables). It gives usage data on the binaries and functions across the system.

https://github.com/quarkslab/pyrrha

———

Pwn a car entertainment system in 5 mins ; TL;DR:

Pentest of an entertainment system embedded in a used car that can be found in the wild. These cars are the FR state cars. The pentest is performed by an attacker outside the car and without user interaction.
The rooting of the system was achieved by exploiting an old vulnerability in a totally different way than described in the few disclosed details of the CVE.
Rooting this system can result in the sending of CAN commands.

[FR] https://www.sstic.org/media/SSTIC2025/SSTIC-actes/300_secondes_chrono__prise_de_contrle_dun_infodive/SSTIC2025-Article-300_secondes_chrono__prise_de_contrle_dun_infodivertissement_automobile__distance-bouffard_trebuchet.pdf

———

ID of MCU firmware; TL;DR:

How the file/libmagic db has been improved to identify the firmware of an MCU. Pushed in the upstream db of the file/libmagic.
Also, to know the exact chip targeted by the firmware, the chiprec.py script has been created.

https://github.com/erdnaxe/chiprec

—————————

Eurydice; TL;DR:

Web UI solving a lot of issues regarding file transfers to a classified environment via a network diode.

Only useful when you’ve got a network diode :D

https://github.com/ANSSI-FR/eurydice

——————

WireGo; TL;DR:

A flexible plugin development framework for Wireshark. It has been created to develop a Wireshark dissector plugin faster when reversing a protocol.

https://github.com/quarkslab/wirego

———

APKPatcher; TL;DR:

Tool to quickly and reliably patch APKs, add proxies and certificates, libraries, and much more.

NB: not apk-patcher, but apkpatcher (no dash)

https://apkpatcher.ci-yow.com/

https://gitlab.com/MadSquirrels/mobile/apkpatcher

———

hrtng; TL;DR:

IDA Pro plugin to automate some recurring tasks when reversing (incl. vtables!)

https://github.com/KasperskyLab/hrtng

———

Windows Kernel Shadow Stack; TL;DR:

Analysis of the implementation of the shadow stack in the Windows kernel.

It uses HVCI-like protection to make the shadow stack truly read-only for the kernel and read-write in the secure kernel. It is quite effective. This protects against ROP but, of course, not against JOP.

https://www.sstic.org/media/SSTIC2025/SSTIC-actes/windows_kernel_shadow_stack_mitigation/SSTIC2025-Article-windows_kernel_shadow_stack_mitigation-aulnette_jullian.pdf

https://github.com/synacktiv/windows_kernel_shadow_stack

https://www.synacktiv.com/sites/default/files/2025-06/sstic_windows_kernel_shadow_stack_mitigation.pdf

———

Windows network tooling; TL;DR:

Tooling built on Scapy providing a secure and modern implementation of LDAP, DCE/RPC, and SMB. In a nutshell, like impacket, but with modern Windows security, every SSP everywhere. So it does not fail each time we meet a secure configuration of a Windows env.
Merged into Scapy, except the DCE/RPC compiler, which is in another project: github.com/gpotter2/scapy-rpc

https://github.com/secdev/scapy

https://github.com/gpotter2/scapy-rpc

———

Mofos; TL;DR:

VM management, like Qubes OS, but with KVM/libvirt

https://github.com/Synacktiv/mofos

———

Analysis of MS365 auth; TL;DR:

Deep analysis of the MS365 OAuth to try to LPE without the user noticing.

https://www.sstic.org/media/SSTIC2025/SSTIC-actes/les_politiques_dacces_conditionnel_azure_un_monde_/SSTIC2025-Slides-les_politiques_dacces_conditionnel_azure_un_monde_aux_mille_merveilles-barjole_barbe.pdf

———

Feedback of PQC pentest; TL;DR:

Short feedback on how some parts of PQC work and how to pentest them.

To learn more, check the blog post by Synacktiv.

[FR] https://www.sstic.org/2025/presentation/retour_dexprience_sur_la_monte_en_comptence_dun_cabinet_daudit_en_cryptographie_post-quantique/

———

Quic; TL;DR:

There are some default implementations of the QUIC protocol, e.g., some values that should be truly random but are not random.

[FR] https://www.sstic.org/media/SSTIC2025/SSTIC-actes/quic_from_rfc_into_the_wild/SSTIC2025-Article-quic_from_rfc_into_the_wild-huet-le-rumeur.pdf

———

Soxy; TL;DR:

A reliable solution to forward network traffic, files, copy-paste, etc. for RDP, Citrix, VMware Horizon, and XRDP. A solution has also been created to transfer the soxy client.

https://github.com/airbus-seclab/soxy

———

UDP in proxychains and bbs; TL;DR:

How they implemented UDP in proxychains and some of its limitations. (A lot of error management is not implemented (yet))
BBS is like proxychains, but with routing, logging, and filtering. No UDP yet.

https://github.com/hc-syn/proxychains-ng/tree/udp-associate

https://github.com/synacktiv/bbs

———

SCCMSecret.py; TL;DR:

Test the SCCM access (including anonymous access) and extract files and configurations.

https://github.com/synacktiv/SCCMSecrets

———

What happens if I press here; TL;DR:

Feedback from pentesting industrial things

[FR] https://www.sstic.org/2025/presentation/retex_tests_industriels/

———

Random Factory reset; TL;DR:

There is a low (11 ppm here) but real risk of a conflict in the ACPI access in read only. Take care when dumping the configuration (including sysctl -a)!

[FR] https://www.sstic.org/2025/presentation/investigation_aux_frontieres_du_systeme_cas_d_un_reset_factory_aleatoire/

———

Explainable AI in malware analysis; TL;DR:

Use the MalConv2 model to determine which function is malevolent or not, tracking off the biases. Dataset to complete.

Currently improving this model based on the capabilities (using mandiant CAPA)

https://github.com/glimps-re/xai-malconv2

https://github.com/FutureComputing4AI/MalConv2

https://github.com/mandiant/capa

https://www.sstic.org/media/SSTIC2025/SSTIC-actes/from_black_box_to_clear_insights_explainable_ai_in/SSTIC2025-Article-from_black_box_to_clear_insights_explainable_ai_in_malware_detection_with_malconv2-laigle_chesneau_salmon.pdf

SSTIC2025 » Presentation » Kube, Scale Me One More Time! Exploiting Autoscalers for Kubernetes Cluster Compromise - Alexandre Hervé, Paul Viossat

SSTIC is over! A huge thank you to all the speakers; the conference is above all you, we merely build a showcase around you.

Thanks also to everyone who dared to submit their work; without that there would be no selection and no conference. Thanks also to the designers of the challenge (and to the challengers!)

Thanks to the members of the programme committee who proofread, commented on and discussed the articles, and gave feedback.

Thanks to the various venues that host us (Couvent des Jacobins, Halle Martenot, Halle de la Courrouze), and to the people who run and animate them. Thanks also to the people who feed us (and keep us watered) during these three days.

Finally, thanks to the whole audience who travel in numbers to come see and listen to the conference (as well as those following remotely). Your presence and support year after year warms our hearts.

Thanks to the whole community, safe travels home and see you next year!

#sstic #sstic2025