Raphaël Rigo

Security stuff.

Raphaël Rigo boosted:
Julia Evans (b0rk@jvns.ca)
2025-06-24

delighted to announce that my new zine "The Secret Rules of the Terminal" is out today!!

You can get it for $12 USD here: wizardzines.com/zines/terminal

The Secret Rules of the Terminal, by Julia Evans - The cover illustration depicts three people doing arcane terminal magic in a temple with a smoking censer in the background. Each of the three people has curly brown hair and light brown skin. They are all wearing dresses, billowing cloaks, and utility belts with keyboard symbols on them. The one on the left holds a palette of paints and a brush. The one on the right has a staff with a $ symbol on it and a starfish at the top. The one in the centre has a sword and is reading from a book whose cover says “>_” and “./”, which rests on a lectern with a smiling snake wrapped around it.
Raphaël Rigo boosted:
Julia Evans (b0rk@jvns.ca)
2025-06-23

it's happening! "The Secret Rules of the Terminal" is coming out tomorrow!

(update: it's out now!! you can get it here: wizardzines.com/zines/terminal)

here's the table of contents:

1. SHELL

cast of characters
meet the shell
PATH
PATH tips
history
job control
filename tips
stdin/stderr/stdout
redirects

2. TERMINAL EMULATOR

meet the terminal emulator
escape codes
colours
the mouse
copy & paste
TERM

3. PROGRAMS

types of programs
less
editing text in REPLs
keyboard shortcuts

4. TTY DRIVER

meet the TTY driver
stty
canonical mode
Raphaël Rigo boosted:
Solution Hackeuse preparing OrangeCon (ajabep@infosec.exchange)
2025-06-19

So, a bit late, but a TL;DR of the #sstic2025 :D

#sstic

Kube scale me one more time – TL;DR:

(The demo is made on GCP, but it can affect other cloud providers such as AWS' EKS.)

The issue comes from:
- the creds of a deleted Node are still valid
- a node, when created, can provide its own providerID.

Thus, by using the autoscaling functions, it’s possible to priv esc from a machine (actually just having kubelet creds) to the admin of the K8S cluster.

sstic.org/2025/presentation/ku

github.com/padok-team/kne

——

Argo CD secret - TL;DR

Using misconfiguration of secrets, you can become an admin of the ArgoCD cluster.

Please review who can view the argocd-secret. Make sure only the Argo CD UI can access them. Disable the local admin if not needed.

ledger.com/argo-cd-security-mi

sstic.org/media/SSTIC2025/SSTI

——

All the ways are going to DROP; TL;DR:

About BT Mesh 1.1, a really recent protocol. Any attacker in the mesh can create a fake route rule (in the forward table). This could remove some nodes from the network or intercept the communications between two nodes.

[FR] sstic.org/2025/presentation/to

———

We Have A Deal: we provide the lego bricks, you build cool wireless attacks; TL;DR:

This talk is about why and how WHAD (a toolkit to implement radio attacks; whad.io) is made in a modular way, where each action is a brick that you link to the others.

whad.io

github.com/whad-team

———

Key recovery in ; TL;DR:

This famous MCU is composed of 2 cores: one for the user mode, the other for the radio. The radio firmware is encrypted and signed with an internal PKI. This core is also responsible for ingesting some AES keys for encryption (as a security computation unit, as a TPM or an HSM).

By using a race condition, we can dump and even rewrite the radio firmware from the user core.

Some days before the talk, they pushed a new firmware with a new update mechanism. It’s easier to bypass the update verification.

blog.xilokar.info/stm32wb55-fu

———

afl-cov-fast; TL;DR:

It’s a tool to create coverage information from AFL++ when we don’t have the sources. It works for every runner (qemu, Frida, etc.) and the coverage data can be loaded in any reverse-engineering tool (via plugins).

github.com/airbus-seclab/afl-c

———

Pyrrha & friends; TL;DR:

Tool to increase productivity in the reconnaissance phase on a file-based firmware (currently only executables). It gives usage data on the binaries and functions across the system.

github.com/quarkslab/pyrrha

———

Pwn a car entertainment system in 5 mins ; TL;DR:

Pentest of an entertainment system embedded in a used car that can be found in the wild. These cars are French state cars. The pentest is performed by an attacker outside the car and without user interaction.
The rooting of the system was achieved by exploiting an old vulnerability in a totally different way than the one described in the few disclosed details of the CVE.
Rooting this system can result in sending CAN commands.

[FR] sstic.org/media/SSTIC2025/SSTI

———

ID of MCU firmware; TL;DR:

How the file/libmagic DB has been improved to identify the firmware of an MCU. Pushed upstream into the file/libmagic DB.
Also, to know the exact chip targeted by the firmware, the chiprec.py script has been created.

github.com/erdnaxe/chiprec

—————————

Eurydice; TL;DR:

Web UI solving a lot of issues regarding file transfers to a classified environment via a network diode.

Only useful when you have a network diode :D

github.com/ANSSI-FR/eurydice

——————

WireGo; TL;DR:

A flexible plugin development framework for Wireshark. It has been created to develop a Wireshark dissector plugin faster when reversing a protocol.

github.com/quarkslab/wirego

———

APKPatcher; TL;DR:

Tool to quickly and reliably patch APKs, add proxies and certificates, libraries, and much more.

NB: not apk-patcher, but apkpatcher (no dash)

apkpatcher.ci-yow.com/

gitlab.com/MadSquirrels/mobile

———

hrtng; TL;DR:

IDA Pro plugin to automate some recurring tasks when reversing (incl. vtables!)

github.com/KasperskyLab/hrtng

———

Windows Kernel Shadow Stack; TL;DR:

Analysis of the implementation of the shadow stack in the Windows kernel.

It uses HVCI-like protection to make the shadow stack truly read-only for the kernel and read-write in the secure kernel. It is effective. This protects against ROP, but, of course, not against JOP.

sstic.org/media/SSTIC2025/SSTI

github.com/synacktiv/windows_k

synacktiv.com/sites/default/fi

———

Windows network tooling; TL;DR:

Tooling in Scapy providing a secure and modern implementation of LDAP, DCE/RPC, and SMB. In a nutshell, like impacket, but with modern Windows security, every SSP everywhere. So it does not fail each time we meet a secure configuration of a Windows environment.
Merged in Scapy, except the DCE/RPC compiler, which is in another project: github.com/gpotter2/scapy-rpc

github.com/secdev/scapy

github.com/gpotter2/scapy-rpc

———

Mofos; TL;DR:

VM management, like Qubes OS, but with KVM/libvirt

github.com/Synacktiv/mofos

———

Analysis of MS365 auth; TL;DR:

Deep analysis of the MS365 OAuth to try to LPE without the user noticing.

sstic.org/media/SSTIC2025/SSTI

———

Feedback of PQC pentest; TL;DR:

Short feedback on how some parts of PQC work and how to pentest them.

To learn more, check Synacktiv's blog post

[FR] sstic.org/2025/presentation/re

———

Quic; TL;DR:

There are some default implementations of the QUIC protocol, e.g., some values that should be truly random but are not random.

[FR] sstic.org/media/SSTIC2025/SSTI

———

Soxy; TL;DR:

A reliable solution to forward network, files, copy-paste, etc. for RDP, Citrix, VMware Horizon, and XRDP. To transfer the soxy client, a solution has also been created.

github.com/airbus-seclab/soxy

———

UDP in proxychains and bbs; TL;DR:

How they implemented UDP in proxychains and some of its limitations. (A lot of error handling is not implemented (yet).)
BBS is like proxychains, but with routing, logging, and filtering. No UDP yet.

github.com/hc-syn/proxychains-

github.com/synacktiv/bbs

———

SCCMSecret.py; TL;DR:

Test the SCCM access (including anonymous access) and extract files and configurations.

github.com/synacktiv/SCCMSecre

———

What happens if I press here; TL;DR:

Feedback on pentesting industrial things

[FR] sstic.org/2025/presentation/re

———

Random Factory reset; TL;DR:

There is a low (11 ppm here) but real risk of a conflict in read-only ACPI access. Take care when dumping the configuration (including sysctl -a)!

[FR] sstic.org/2025/presentation/in

———

Explainable AI in malware analysis; TL;DR:

Use the MalConv2 model to determine whether a function is malevolent or not, tracking down the biases. Dataset to be completed.

Currently improving this model based on capabilities (using Mandiant CAPA)

github.com/glimps-re/xai-malco

github.com/FutureComputing4AI/

github.com/mandiant/capa

sstic.org/media/SSTIC2025/SSTI

Raphaël Rigo boosted:
2025-06-18

As one of the most popular IRC (Internet Relay Chat) clients, mIRC helped shape the culture of real-time online communities in the 1990s. With a friendly interface and customizable scripts, it introduced many to the power of group chat and global conversation.

While IRC is less prominent today, mIRC continues to support a dedicated base of developers, hobbyists, and open source communities.

Explore the history of your favorite websites with the Wayback Machine: web.archive.org/
🧵

Image with text at the top that reads: "Wayback Machine Then and Now." 
Below is a Wayback Machine capture of the mIRC website from December 21, 1996, alongside a capture from June 1, 2025
2025-06-13

@buherator cool! I hate to do this, but you might want to look at my rsbkb project: github.com/trou/rsbkb/
which includes related conversion/encoding tools.

2025-06-10

@Xilokar yeah, ublock origin on firefox is still the best. Maybe a coincidence then :)

2025-06-10

@Xilokar do you have ublock origin?

Raphaël Rigo boosted:
2025-06-10

Following @rcayre and @virtualabs talk at @sstic, WHAD version 1.2.8 is now available and fixes a lot of issues 🥳 !

If you're tempted to give WHAD a try, just follow the installation procedure 👉 whad.readthedocs.io/en/latest/

Documentation and examples available on whad.readthedocs.io/en/latest/

Raphaël Rigo boosted:
Christian Blichmann 🇺🇦 (AdmVonSchneider@infosec.exchange)
2025-06-08

"How Compiler Explorer works in 2025" - using nsjail.dev:
xania.org/202506/how-compiler-
@robertswiecki

2025-06-01

@virtualabs @sstic and for those who won't be able to be there:

2025-06-01

Really cool post by anematode on using AVX512 to build an optimized solver for Google's kCTF PoW:
anemato.de/blog/kctf-vdf

Raphaël Rigo boosted:

Also, I'm pretty sure I've said this before, but I'll say it again:

Part of your job as a senior is to tell your juniors about your fuckups. The embarrassing cringe reckless and lazy bullshit that you did when you were new, and the various times you brought down Prod. We ALL did it sometime. And then tell them: the moment you realized you fucked up, I know, the impulse is to try and cover it up, but don't do it. Come to the seniors you trust, and they'll help you unfuck it, and fight management tooth and claw like mamma and pappa bears to defend you from any shitheads in management. Because that's what our seniors did to us.

Raphaël Rigo boosted:
2025-05-29

📹 Setting up a livestream isn’t easy. That’s why we turned to an expert: Sophia Tung.

See how this creative software engineer brought her signature mix of tech + chill to our new microfiche scanning livestream—now preserving government records in real time.

👉 blog.archive.org/2025/05/29/me

@via

Sophia Tung
Raphaël Rigo boosted:
2025-05-27

You're a cyber professional (or a future one), you're going to #sstic2025 and you'd like to meet some of your peers: come to womenATsstic, the informal and unofficial event "organised in a laid-back, potluck way".

📅 WHEN?
Wednesday 4 June from 6 pm to 7 pm (and later if we get along, but at 7 pm it's the SSTIC cocktail)

📍 WHERE?
I'm looking for a bar / café not far from the Halle Martenot
It would be easier if I knew how many participants we'll be.

I'll keep you posted on the venue here.

REGISTRATION:
framadate.org/hH2t9FcRtgEGmTWq

Raphaël Rigo boosted:
2025-05-27

The DWARF debug format is well-known for debugging executables,
but it is also an effective format for sharing reverse engineering information
across various tools, such as IDA, BinaryNinja, Ghidra, and Radare2.

In this blog post, I introduce a new high-level API in LIEF that allows the
creation of DWARF files. Additionally, I present two plugins designed to export
program information from Ghidra and BinaryNinja into a DWARF file.

lief.re/blog/2025-05-27-dwarf-

(Bonus: The blog post includes a DWARF file detailing my reverse engineering work on DroidGuard)

Raphaël Rigo boosted:
Julia Evans (b0rk@jvns.ca)
2025-05-23

I think I have finally managed to articulate this very fundamental but slightly counterintuitive fact about how shell redirection works

when you redirect, the shell opens the file BEFORE the program starts

sudo echo blah > file.txt

first I'll open file.txt...

THEN I'll run sudo echo blah

this is why file.txt isn't opened as root!
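An added example, not from Julia Evans' post, that makes the ordering above observable on any POSIX shell. It only assumes `mktemp`, `ls -n` and `id` are available; it deliberately does not use `sudo` so it runs without privileges, and the `sudo` case from the post is only described in the comments. Each function returns its finding on stdout so the behaviour can be checked rather than just read about.

```shell
# Added example (not part of the original post): the shell opens a redirect
# target BEFORE the command it belongs to runs. Three observable consequences,
# plus the usual workaround, each in its own function.

# Case 1: the command cannot even be executed, yet the output file exists
# afterwards, because the shell created it before attempting the exec.
# Returns "created" or "missing".
redirect_opened_before_exec() {
  dir=$(mktemp -d)
  /nonexistent/program > "$dir/out.txt" 2>/dev/null || true
  if [ -f "$dir/out.txt" ]; then result=created; else result=missing; fi
  rm -rf "$dir"
  echo "$result"
}

# Case 2: the same ordering means '>' truncates the file before the program
# gets to read it, so 'cat f > f' leaves f empty. Returns the byte count of f.
truncate_before_read() {
  dir=$(mktemp -d)
  printf 'hello\n' > "$dir/f"
  cat "$dir/f" > "$dir/f" 2>/dev/null || true
  wc -c < "$dir/f" | tr -d ' '
  rm -rf "$dir"
}

# Case 3: the file is created by the user running the SHELL, not by whoever
# the command runs as. Checked here without sudo by comparing the owner uid
# of a redirect-created file with the current uid; under 'sudo echo blah >
# file.txt' the same rule is why file.txt is not opened as root.
# Returns "same-user" or "different-user".
redirect_owner_is_shell_user() {
  dir=$(mktemp -d)
  echo blah > "$dir/owned.txt"
  owner=$(ls -ln "$dir/owned.txt" | awk '{print $3}')
  me=$(id -u)
  rm -rf "$dir"
  if [ "$owner" = "$me" ]; then echo same-user; else echo different-user; fi
}

# Workaround: let a program that starts AFTER the privilege change do the
# writing, i.e. 'echo blah | sudo tee file.txt >/dev/null'. Shown without
# sudo so it runs anywhere. Returns the file's content.
write_via_tee() {
  dir=$(mktemp -d)
  echo blah | tee "$dir/out.txt" >/dev/null
  cat "$dir/out.txt"
  rm -rf "$dir"
}

# Stand-alone run: print each finding.
redirect_opened_before_exec
truncate_before_read
redirect_owner_is_shell_user
write_via_tee
```

The first two cases are the ones people usually trip over in scripts (a pipeline that fails still leaves an empty output file behind; an "in-place" filter wipes its input); the third is exactly the `sudo` surprise from the post, and `tee` is the standard fix because the write is done by a process that was started with the elevated privileges.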
Raphaël Rigo boosted:
2025-05-21

This year, the opening keynote will be done by Tara Tarakiyee (@tarakiyee) of the Sovereign Tech Agency (@sovtechfund).

He will talk about open-source security, open-source software as a public (and critical) infrastructure, and the tragedy of the commons.

sstic.org/2025/presentation/ou

#sstic #sstic2025

Raphaël Rigo boosted:
Mickaël Salaün (l0kod)
2025-05-19

I just published the fifth newsletter! 🤓
- new kernel features: IPC scoping and audit logs
- kernel fixes
- library and talk updates
- new doc
- new open source Landlock users
- RHEL support
lore.kernel.org/landlock/20250

Raphaël Rigo boosted:
2025-05-17

@trou Hi there, yes I have been using Netvibes too. I found 1 similar rss reader, which looks good called Protopage
protopage.com

Raphaël Rigo boosted:
Mari0n (pinkflawd)
2025-05-11

BlackHoodie will be back at
@recon this year ☺️ It'll be two days of Breaking Down Binaries: Introduction to Reverse Engineering & Malware Analysis by @bitmaize and
@sud0suw, registration is now open blackhoodie.re/recon/
