Conference Agenda

Saturday, September 24th during RomHack Camp

Attack and Defense

Cyber Saiyan

Conference opening

10:30 – 10:40 CEST

James Forshaw

The Vendor / Researcher Relationship Needs Improvement
[ keynote ]
Video | Slides

In an ideal world, the security of a vendor’s products would rely only on the vendor’s own efforts, and no external help would be necessary. However, that’s not the world we live in today. External security researchers are still an integral part of making a product secure for the masses. Even so, the approach a vendor takes to an external researcher can vary wildly, from outright hostility to full acceptance of the valuable role they play in product security.

Regardless of their approach, most vendors could do something to improve. In this presentation I’ll describe some products I have reviewed where a better relationship between the vendor and the researcher could have made all the difference to their security. I’ll describe some improvements that can be made so that vendors and researchers can work together to make products consistently meet, or even exceed, expectations.

James Bio

James is a security researcher in Google’s Project Zero. He has been involved with computer hardware and software security for over 10 years, looking at a range of different platforms and applications. With a great interest in logical vulnerabilities, he’s been listed as the #1 researcher for MSRC, as well as being a Pwn2Own and Microsoft Mitigation Bypass bounty winner. He has spoken at a number of security conferences including Black Hat USA, CanSecWest, Bluehat, HITB, and Infiltrate. He’s also the author of the book “Attacking Network Protocols”, available from No Starch Press.

Dr Nestori Syynimaa

Attacking Azure AD by abusing Synchronisation API: The story behind 40.000 USD in bug bounties
[ attack | cloud ]
Video | Slides

Azure AD is an Identity and Access Management (IAM) service used by over 88 per cent of Fortune 500 companies. Of these, at least 84 per cent use Azure AD Connect to synchronise objects from their on-prem AD to Azure AD. The credentials used for synchronisation have high privileges in both on-prem AD and Azure AD. With those credentials, a threat actor can access Azure AD using the same API Azure AD Connect uses…

In this session, I’ll first show how a flaw in the Synchronisation API could be used to take over and delete cloud-only users, including Global Administrators. Second, I’ll show how the fix provided by Microsoft 500 days later could be bypassed using another flaw in the same API.

Nestori Bio

Dr Nestori Syynimaa is one of the leading Azure AD / M365 experts globally and the developer of the AADInternals toolkit. He has worked with Microsoft cloud services for over a decade, has been an MCT since 2013 and an MVP since 2020, and was awarded Microsoft Most Valuable Security Researcher for 2021. Currently, Dr Syynimaa works as a Senior Principal Security Researcher for the Secureworks Counter Threat Unit. Before moving to his current position, Dr Syynimaa worked as a CIO, consultant, trainer, researcher, and university lecturer for almost 20 years.

Dr Syynimaa has spoken at many international scientific and professional conferences, including IEEE TrustCom 2018, Black Hat USA 2019, and Black Hat Europe 2019 & 2021.

[ twitter | LinkedIn | web site ]

Davide TheZero

Security in an Immutable web3 World: Breaching Smart Contracts
[ attack | defense | web3 ]
Video | Slides

Many say that web3 is the future – it allows us to build a decentralized world governed by algorithms and code instead of people.
In this talk we will analyze what the future of security will be like in this “new web”.

Developers who work in this field will learn the main vulnerabilities, issues, and pitfalls, while seasoned pentesters and security researchers will learn what to look for (and at) to earn their next million-dollar bounty.

Davide Bio

Davide is a Senior Pentester and Security Researcher at Shielder. His areas of interest are mainly web security, IoT and cryptography. He has a background as an OSS developer. Throughout his career he got many # shellz.

[ twitter ]

Lunch

12:50 – 14:00 CEST

Markus Vervier and Yasar Klawohn

DES-On-Fire: Breaking Physical Access Control
[ attack | vuln research ]
Video | Slides | Attack PoC

DESFire secures communications between electronic locks and access tokens. In this talk, we analyze the attack surface of electronic lock systems and their protocols, showing how implementation flaws can be used in exploitation.
We discovered an implementation flaw in the key generator of a real-world system, leading to recovery of the secret key that underpins the protocol’s security (CVE-2021-34600). Exploitation will be demonstrated live on a DESFire AES-based lock.
Finally, we will discuss the current limits of known attacks and potential improvements to the protocol.

Markus Bio

Markus Vervier is Head of Research and Managing Director at X41 D-Sec GmbH. Software security is the main focus of his work. Over the last 15 years of professional experience in offensive IT security, he has worked as a penetration tester and security consultant and has conducted active security research.

Yasar Bio

Yasar Klawohn studies computer science at RWTH Aachen and has been a working student at X41 D-Sec GmbH since 2019. There, he does security research and takes part in penetration tests, source code audits and red teaming engagements.

Q&A with the Speakers

14:50 – 15:40 CEST

Unfortunately Cas van Cooten couldn’t be with us. We kept the schedule going and had a Q&A session with our speakers.

Rohan Aggarwal

Bypassing Anti-Cheats & Hacking Competitive Games
[ attack | reverse ]
Video | Slides

With the increasing popularity of games with a competitive element, cheats have become a common way for hackers to gain an advantage. These cheats range from a sniper bullet that felt just a little too accurate to a player teleporting across the map, and chances are you have been outsmarted by some sort of cheat yourself. Some of the most common methods include Aimbot, Wallhack, SpeedHack, DropHack, etc.
The developers of games like Fortnite, PUBG, and Apex Legends constantly face pressure to stop hackers from cheating. The result? Probably millions of dollars spent on security and anti-cheats, and still being outsmarted by hackers.
Due to the limited supply of skilled hackers and a huge demand, game cheat development has grown into a multi-million-dollar industry. It is very challenging for hackers to keep coming up with new bypasses, as anti-cheats improve daily and are extremely invasive, making it harder for cheats to stay undetected.
In this talk, we will share the current state of cheats and anti-cheat mechanisms. The talk is the outcome of several months of research in which we analysed various market-leading anti-cheats and discovered multiple bypass techniques. It will also dive into the history of anti-cheats, how they actually work, and several techniques hackers use to bypass them.
During our research we also developed a kernel-mode cheat for one of the top games streamed on Twitch, and we will showcase it. The session will end with the release of a basic kernel-mode driver that can be used as a learning resource for bypassing different anti-cheats on the market.
The adage ‘cheaters never win’ may be moralistic, but cheaters very often do win in competitive games. Join us to see how hackers have been hacking anti-cheat mechanisms.

Rohan Bio

Rohan Aggarwal is the Founder & CEO of DefCore Security. He is also a part-time bug bounty hunter (Synack). He has found security vulnerabilities in big companies like Apple, Yahoo, Twitter, Goldman Sachs, Matomo, BrickFTP, and Pixiv. He has attended various live hacking events such as Intigriti 1337UP1121 (2021), HackerOne h1-2004 (2020) and BountyBash (2019). For the past few years he has also been reversing reputed competitive gaming anti-cheats like EasyAntiCheat, BattlEye and Vanguard and was able to bypass them while staying undetected.

Rohan previously worked as an Offensive Security Analyst at TCS, where he did web/mobile pentesting, IoT and automotive security. He presented at SecTor 2020 (Recon – The Road Less Traveled), SecTor 2019 (Car Hacking on Simulation) and at Microsoft’s Azure Bootcamp, and has delivered training on IoT, web application and cloud hacking.

[ twitter | LinkedIn ]

Edoardo Rosa

You shall not PassRole!
[ attack | defense | cloud ]
Video | Slides | Demos

Initial access is what we are great at (SQLi, RFI, command injection, SSRF, etc.), but privilege escalation and lateral movement paths are very different and not so easy to spot, especially in full-cloud companies, where the complexity of the environment grows exponentially as new microservices are developed.
The talk is about AWS cloud security and how initial access can be abused to perform privilege escalation and lateral movement attacks that gain administrative permissions on an AWS account.
Security analysts can take advantage of nuvola, an innovative open-source tool (to be released just before the conference) developed at Prima Assicurazioni, which aims to provide a navigable high-level overview of an AWS account by collecting the existing configurations and creating a digital twin of the cloud environment.

Edoardo Bio

Security Engineer @ Prima Assicurazioni with experience in red teaming and penetration testing of on-premise and cloud infrastructures, and a passion for defences (and their bypasses) and automation.

[ twitter | github ]

Cyber Saiyan

Closing

17:20 – 17:30 CEST