Shellcoding the Unshellable: Process Hooking & Advanced Shellcoding in Hardened Go Containers

May 15 10:00 AM EDT

Workshops are first-come, first-served and have limited capacity. Some workshops may be streamed for additional passive participation.


In the rush to adopt modern cloud architectures, organizations often prioritize velocity over security, leaving critical gaps in their infrastructure. This workshop bridges the gap between offensive exploitation and defensive engineering, using a real-world scenario deployed on Google Cloud Platform (GCP).

Participants will be given access to a "production-grade" environment managed with InfraStream, a manifest-driven infrastructure platform. Inside this environment lies a set of microservices written in Go, which appear functional but contain a critical flaw: a Server-Side Template Injection (SSTI) vulnerability. However, the infrastructure is hardened: the server runs in a scratch-based container with very restrictive network rules that prevent both bind and reverse shells from being effective.

The workshop is divided into two phases:

The Red Team Phase: Attendees will get their hands dirty analyzing the Go server binary. The goal? Get a fully interactive shell on the underlying container. While the initial vulnerability is pretty simple to exploit, the real challenge here lies in leveraging it through the hardening, which will involve hooking the server's code and advanced shellcoding to implement a backdoor.

The Blue Team Phase: Once the compromise is confirmed, we will switch gears to remediation. We will modify InfraStream's manifests to apply practical defense-in-depth strategies. The goal from here will be to implement additional defenses to prevent the process injection attack used in the red team phase.

By the end of this session, attendees will have a deep understanding of Linux process injection and hooking techniques, techniques to leverage vulnerabilities in hardened infrastructure, and how to use infrastructure-as-code to enforce security baselines that make even vulnerable applications resilient to attack. They will also learn the specifics of Go reverse engineering and how to interact with Go code using assembly.

Participants must have the following equipment:

Linux (either native or VM), Ghidra, Python, basic dev tools (git, gcc, etc.), Rust toolchain.


Ashley Manraj, Chief Technology Officer, Pvotal Technologies Inc.

I’ve built my career at the intersection of security and speed. Today, as AI agents write our code, that intersection has become the most critical frontier in technology. The challenge is no longer creation, but control: how do we secure and maintain the autonomous systems built for us?

Through our work in secure digital transformation at Pvotal, we realized the answer wasn't just better tools, but a new foundation. We needed a control plane designed for this new era. This was the genesis of Infrastream.

Think of it as the factory floor for modern development. Developers and AI agents declare their "intent," and Infrastream's executors work to build and maintain that intent as a secure, compliant, and observable reality. Our mission is to make security an invisible, scalable, and simple-by-design layer, so teams can finally move at the speed of innovation without one-off compromise.

Philippe Dugre (zer0x64), DevSecOps Engineer, Pvotal Technologies, NorthSec

Professional cryptography and assembly aficionado™. I've been in the field of offensive security testing for about 10 years. During that time, I worked primarily on cryptography architectures and implementations for end2end password management, application penetration testing and modern cloud/IaC platform security engineering. I've been a challenge designer at NorthSec since 2020. Most returning participants know me for always using Rust and WebAssembly in my challenges, along with always coming up with over-the-top and outlandish reversing, pwning and cryptographic attack scenarios. That, or they just know me as the emulator guy.