Philippe Dugre (zer0x64)

DevSecOps Engineer


Philippe Dugre (zer0x64), DevSecOps Engineer, Pvotal Technologies, NorthSec

Professional cryptography and assembly aficionado™. I've been in the field of offensive security testing for about 10 years. During that time, I worked primarily on cryptography architectures and implementations for end-to-end password management, application penetration testing and modern cloud/IaC platform security engineering. I've been a challenge designer at NorthSec since 2020. Most returning participants know me for always using Rust and WebAssembly in my challenges along with always coming up with over-the-top and outlandish reversing, pwning and cryptographic attack scenarios. That, or they just know me as the emulator guy.


Workshop: Shellcoding the Unshellable: Process Hooking & Advanced Shellcoding in Hardened Go Containers

Workshops are first-come, first-served and have limited capacity. Some workshops may be streamed for additional passive participation.


In the rush to adopt modern cloud architectures, organizations often prioritize velocity over security, leaving critical gaps in their infrastructure. This workshop bridges the gap between offensive exploitation and defensive engineering, using a real-world scenario deployed on Google Cloud Platform (GCP).

Participants will be given access to a "production-grade" environment managed with InfraStream, a manifest-driven infrastructure platform. Inside this environment lies a set of microservices written in Go, which appear functional but contain a critical flaw: a Server-Side Template Injection (SSTI) vulnerability. However, the infrastructure is hardened: the server runs in a scratch-based container with some very restrictive network rules that prevent both bind and reverse shells from being effective.

The workshop is divided into two phases:

The Red Team Phase: Attendees will get their hands dirty analyzing the Go server binary. The goal? Get a fully interactive shell on the underlying container. While the initial vulnerability is pretty simple to exploit, the real challenge here lies in leveraging it through the hardening, which will involve hooking the server's code and advanced shellcoding to implement a backdoor.

The Blue Team Phase: Once the compromise is confirmed, we will switch gears to remediation. We will modify InfraStream's manifests to apply practical defense-in-depth strategies. The goal from here will be to implement additional defenses to prevent the process injection attack used in the red team phase.

By the end of this session, attendees will have a deep understanding of Linux process injection and hooking techniques, techniques to leverage vulnerabilities in hardened infrastructure, and how to leverage infrastructure-as-code to enforce security baselines that make even vulnerable applications resilient to attack. They will also learn the specifics of Go reverse engineering and how to interact with Go code using assembly.

Participants must have the following equipment:

Linux (either native or VM), Ghidra, Python, basic dev tools (git, gcc, etc.), Rust toolchain.