Philippe Dugre (zer0x64)

DevSecOps Engineer


Pvotal Technologies, NorthSec

Professional cryptography and assembly aficionado™. I've been in the field of offensive security testing for about 10 years. During that time, I worked primarily on cryptography architectures and implementations for end2end password management, application penetration testing and modern cloud/IaC platform security engineering. I've been a challenge designer at NorthSec since 2020. Most returning participants know me for always using Rust and WebAssembly in my challenges along with always coming up with over-the-top and outlandish reversing, pwning and cryptographic attack scenarios. That, or they just know me as the emulator guy.


Workshop: Breaking and Hardening the Cloud: Advanced Hooking and Shellcoding in a Hardened Environment

Workshops are first-come, first-served and have limited capacity. Some workshops may be streamed for additional passive participation.


In the rush to adopt modern cloud architectures, organizations often prioritize velocity over security, leaving critical gaps in their infrastructure. This workshop bridges the gap between offensive exploitation and defensive engineering, using a real-world scenario deployed on Google Cloud Platform (GCP).

Participants will be given access to a "production-grade" environment managed with InfraStream, a manifest-driven infrastructure platform. Inside this environment lies a set of microservices written in Go, which appear functional but contain a critical flaw: a Server-Side Template Injection (SSTI) vulnerability. However, the infrastructure is hardened: the server runs in a scratch-based container with very restrictive network rules that prevent both bind and reverse shells from being effective.

The workshop is divided into two phases:

The Red Team Phase: Attendees will get their hands dirty analyzing the Go application code and crafting payloads to exploit the SSTI vulnerability. The goal? Get a fully interactive shell on the underlying container and attempt to pivot through the default GCP network to compromise adjacent services. While the initial vulnerability is pretty simple to exploit, the real challenge here lies in leveraging it through the hardening, which will involve hooking the server's code and advanced shellcoding to implement a backdoor.

The Blue Team Phase: Once the compromise is confirmed, we will switch gears to remediation. We will modify InfraStream's manifests to apply practical defense-in-depth strategies. Participants will learn how to implement hardened Docker runtime deployments, enforce strict network policies, and enable mTLS within the service mesh, effectively restricting the impact of the RCE and limiting lateral movement. We will also fix the root cause that allowed the process hooking step to take place.

By the end of this session, attendees will understand the mechanics of Go template injection, advanced techniques to leverage vulnerabilities in hardened infrastructure, and how to use infrastructure-as-code to enforce security baselines that make even vulnerable applications resilient to attack.