HACKER SUMMER CAMP 2023 GUIDES — Part Four: Zero Gravity by RingZero
Welcome to the DCG 201 Guides for Hacker Summer Camp 2023! This is part of a series where we are going to cover all the various hacker conventions and shenanigans both In-Person & Digital! This year in 2023 somehow bigger than it was in 2022 and thus we will have a total of 15 guides spanning 3 Months of Hacker Insanity!
As more blog posts are uploaded, you will be able to jump through the guide via these links:
HACKER SUMMER CAMP 2023 — Part One: Surviving Las Vegas & Virtually Anywhere
HACKER SUMMER CAMP 2023 — Part Two: Capture The Flags & Hackathons
HACKER SUMMER CAMP 2023 — Part Three: SummerC0n
HACKER SUMMER CAMP 2023 — Part Four: Zero Gravity by RingZero
HACKER SUMMER CAMP 2023 — Part Five: The Diana Initiative
HACKER SUMMER CAMP 2023 — Part Six: BSides Las Vegas
HACKER SUMMER CAMP 2023 — Part Seven: Black Hat USA
HACKER SUMMER CAMP 2023 — Part Eight: SquadCon by Black Girls Hack
HACKER SUMMER CAMP 2023 — Part Nine: DEFCON 31
HACKER SUMMER CAMP 2023 — Part Ten: USENIX + SOUPS
HACKER SUMMER CAMP 2023 — Part Eleven: Chaos Computer Camp
HACKER SUMMER CAMP 2023 — Part Twelve: Wikimania 2023
HACKER SUMMER CAMP 2023 — Part Thirteen: HackCon XI
HACKER SUMMER CAMP 2023 — Part Fourteen: Blue Team Con
HACKER SUMMER CAMP 2023 — Part Fifteen: Hack Red Con
HACKER SUMMER CAMP 2023 — Part Sixteen: SIGS, EVENTS & PARTIES
Zero Gravity by RingZero
Date & Time:
In-Person & Virtual: Saturday, August 5th — Tuesday, August 8th
Location: The Palms Casino Resort (4321 West Flamingo Road, Las Vegas, NV 89103–3903)
Website: https://ringzer0.training/
Tickets: https://ringzer0.regfox.com/ringzer0-zer0gravity
Virtual Platform(s): N/A
Schedule: https://www.ringzer0.training/#instructors
Live Streams:
YouTube: N/A
Discord: N/A
Virtual Chat: Discord (Only For Ticket Holders)
Affordability: ringzer0 does their Virtual and In-Person ticket sales in tiers depending on how close to the confrence the ticket date is purchased. As of July 16th there is a two day training of $2,500 for 2-Day and $4,400 for 4-Day. This will increase to $2,900 to $4,800 respectively. Virtual trainings are now the same price as in-person ones. There will also be a number of FREE Trainings provided Virtually.
Code Of Conduct: TBA
Ringzer0 provides advanced, hands-on training designed for cybersecurity professionals. Our instructors are top industry experts who offer technical deep dives into a range of core issues, including vulnerability research, exploitation, malware analysis, red teaming and practical attacks.
Each class is laser-focused on a specific topic, to pack in as much learning, hands-on experience and instructor face time as possible. Ringzer0 gets students past the learning curve!
While other cons have a small session of Trainings during Hacker Summer Camp, ringzer0 is the only group that is dedicated to the craft. A four day intensive of hands-on-training with some of the top cybersecurity hackers in their fields, if you have serious money to spend (or you convince your job to) and you want to move from your current hax0r skillz to pure wizard, this is the place to be!
GROUP AND COMBO REGISTRATIONS DEALS
Organizations registering two or more participants for any of BACK2VEGAS trainings OR students taking back to back combos shall avail a discount of USD 200 PER TRAINING.
The registration system shall automatically apply the discounts when a group or a combo registration is made.
U.S. GOVERNMENT REGISTRATIONS
Please email us at info@ringzero.training and request our CAGE code.
PRICE QUOTES AND BANK TRANSFERS
Please email us at info@ringzero.training requesting price quote and bank transfer information.
CANCELLATION POLICY:
ZER0GRAVITY 2023: 60+ days before the event 75% of fees refunded; 45–60 days before event 50% refunded, less than 45 days 0% refunded. Course changes are allowed up to 14 days before event start (some restrictions will apply). Attendee changes can be accommodated up to 14 days prior to the event.
Note: In the event of a class cancellation, Ringzer0 will endeavor to offer transfer to another training at no additional charge.
COVID-19 PROTOCOLS
Effective Feb. 10, 2022, the State of Nevada has lifted mask mandates, including in resorts and casinos, restaurants, bars, showrooms and meeting spaces. Masks are still recommended for individuals who are not fully vaccinated, those with underlying health conditions and in healthcare facilities.
As of 12:01 am EDT May 12, 2023, noncitizen nonimmigrant air passengers no longer need to show proof of being fully vaccinated with an accepted COVID-19 vaccine to board a flight to the United States. See more information.
Please check the Visit Las Vegas official website for updates on Nevada State and county requirement changes.
ZERO GRAVITY VENUE
Discounted Rooms starting at $69/night*!
The discounted rates apply all the way through DEFCON weekend!
DCG 201 Zero Gravity by ringzer0 COURSE HIGHLIGHTS (PST)
These are some of the multi-day course training that stood out to us. Space is limited and this is not the full list so RSVP ASAP and look at the full list of training on their website: https://www.ringzer0.training/index.html#instructors
RETURN2WORKSHOPS — Free Workshops On Advanced Infosec Topics
07-DEC SCAPY, from S to Y!
Scapy ( http://www.scapy.net and https://github.com/secdev/scapy ) is a powerful Python-based interactive packet manipulation program and library. It can be used to forge or decode packets for a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more.
This workshop will describe its main features step by step, and will let you explore the following topics:
- Packets Manipulation
- Sending and Receiving Packets
- Visualization
- IPv6 and TLS Support
- Implementing a New Protocol
- Answering Machines
- Automaton
- Pipes
PREREQUISITES
- Linux (native or virtualized)
- Scapy freshly installed from github
15-DEC An introduction to ARM64 Assembly and Shellcode
An Introduction to ARM64 Assembly and Shellcode is a workshop for those interested in getting a quick start into the world of 64-bit ARM binary exploitation. ARM64 is in several ways vastly different than ARM32.
Participants will get to learn the key differences between ARM32 and ARM64 from an assembly language perspective, get some hands-on introduction to writing simple ARM64 assembly code, working with a debugging environment and concluding with writing their own ARM64 shellcode.
This workshop is a precursor to an all new training — The ARM64 Exploit Laboratory, which debuts at Ringzer0 RETUR23XPLOIT!
PREREQUISITES
- Linux system with Docker installed and running
- Working comfortably with the Unix command line
- Familiarity with GDB command line usage
Introduction to Cryptography
Cryptography is an indispensable tool for protecting information in computer systems, but choosing secure protocols and parameters can become quickly overwhelming. The workshop “Introduction to Cryptography” is an overview of the main cryptography concepts, including among others secure encryption and randomness. Advanced techniques like post-quantum cryptography and zero-knowledge proofs will also be touched upon.
PREREQUISITES
- None
POSTPONED VIRTUAL TRAINING
JUL 22–28 // VIRTUAL
This training was originally scheduled for our February event RETURN23XPLOIT. However due to unavoidable circumstances, this training has been postponed to July 2023. We are still accepting registrations for this training.
Python Programming for Hackers and Pentesters
Abstract
This is the official companion course to the popular book Black Hat Python, 2nd Edition from No Starch Press. This companion course has been updated for Python 3 and developed under the oversight and cooperation of the original Black Hat Python author Justin Seitz. The course aims to cover the major subject areas from Black Hat Python 2nd Edition in a hands-on format where students will learn by working on an extensive suite of labs and exercises in a guided manner to make the most of our time together. This course will be beneficial for students that are seasoned Python programmers as well as those newer to the field.
Only a basic understanding of Python is required to participate in the course. Students will be provided with a brief Python language basics tutorial that they can go through on their own prior to starting the course.
Key Learning Objectives
- Python basics and environment setup
- Basic Networking Tools
- Writing a Sniffer
- Owning the Network with Scapy
- Web Hackery
- Extending Burp Proxy
- Creating a Command and Control Framework
- Common Trojaning Tasks on Windows
- Data Exfiltration
- Privilege Escalation
Who Should Attend
- Penetration testers and hackers wanting to up their game with Python coding
Knowledge Prerequisites
Only a basic understanding of Python is required to participate in the course. Students will be provided with a brief Python language basics tutorial that they can go through on their own prior to starting the course.
Hardware Requirements
- A laptop with 8GB of RAM capable of running VMWare images provided by the course instructor
- 20GB of free hard disk space
Software Requirements
- Students will be responsible for installing a Python 3 language environment on their laptop using directions provided by the course instructor
- Students will need to have VMWare workstation (trial version will be fine) in order to run VMWare images produced with the latest version of the software
- Students should have administrative access on their laptop and the ability to disable antivirus and other security software
Karim Nathoo
Karim Nathoo is a freelance computer security consultant providing specialized security services to government, military and private sector clients. Karim has extensive experience in high assurance ethical hacking, incident response and security product evaluation, including the application of binary code analysis and reverse engineering. Karim has delivered professional services for international clients in Asia, Europe, Canada and the United States. Karim has experience ranging from working with R&D teams in cutting edge technical environments to providing executive level risk management briefings and proof of concept demonstrations.
Karim has performed security assurance and engineering engagements for organizations such as Apple, Microsoft, France Telecom, Cloakware Corporation, Creative Labs, Motorola, Verizon, Nokia, Philips Semiconductor, SONY BMG, SUN Microsystems, QNX Software Systems and numerous Canadian and US Government agencies.
Specialities: Penetration testing, code analysis, reverse engineering, software security evaluation, custom software development, malware analysis, incident response, product evaluation, and security engineering.
HYBRID IN-PERSON + ONLINE WORKSHOPS
This class is run a little different from most classes. We provide you purpose-built recorded lectures instead of trapping you in realtime with live-lectures. But fear not, the instructor is always right there eagerly waiting to mingle with the students and answer any questions you have. (The instructor really likes being asked questions. It shows you’re paying attention ;)). One of many benefits is that you can watch lectures at 2x speed and zoom ahead of the other students and get to the hands on labs quicker. Or if there’s bits of material you already know, you can just skip them and move on to the bits you don’t know! Another big benefit is that you get to take the full lectures and labs with you! That means if you forget stuff and then need it in 6 months, you can quickly re-bootstrap yourself! Or you can watch the class twice, to really grow those neural connections and cement it in your brain! And unlike live lectures, our lectures are always getting more factually accurate, by having any accidental errors edited out.
Because we give you all the lecture and lab materials and videos after class, what you’re really paying for is support from the instructor! So you’ll be entitled to keep asking up to 20 questions after class, with 1–2 hour turnaround answers (after accounting for time-zone differences.) This lets you keep productively working through the material if you run out of time at the conference. If you’d like to learn more about the benefits of this style of class delivery, please read this blog post.
TRAINING SCHEDULE
AUG 5 Saturday 9 am to 5 pm PST AUG 6 Sunday 9 am to 5 pm PST
AUG 7 Monday 9 am to 5 pm PST AUG 8 Tuesday 9 am to 5 pm PST
Labs and Discord Channel
24 x 7 throughout the class, and beyond!
x86–64 Assembly
Abstract
This class teaches you how to disassemble binaries, read x86–64 assembly language, and debug black-box binaries in WinDbg and GDB. This knowledge of assembly is the fundamental skill which is required to learn reverse engineering and vulnerability exploitation. Reverse engineering is in turn a fundamental skill which is required for malware analysis and vulnerability hunting.
If you’d like to take this class, the follow on x86–64 OS Internals class, and the follow on to that, the x86–64 Intel Firmware Attack & Defense class all sequentially, you can sign up for the x86–64 All You Can Learn Buffet class instead. Keep in mind that this is more than 4 days of content, so you’d need to pick and choose which stuff you want to focus on.
Prerequisite Knowledge
Complexity: Beginner
This class has minimal prerequisites. It just requires that you are comfortable with reading small (< 20 line) C programs, and have debugged C source code in the past.
Key Learning Objectives
- Learn the most common assembly instructions, which cover > 96%+ of all code found in most programs.
- Learn about the 16 Intel x86–64 general purpose registers + RFLAGS.
- Understand the at time confusing or counter-intuitive compiler-isms of both Microsoft Visual Studio, and GCC which lead to particular patterns in executables’ assembly.
- Learn to debug and analyze executables which you don’t have the source code for, in both WinDbg and GDB.
- Learning how to write C code and disassemble it to see what instructions were generated. But also learning how to write assembly to see how it behaves, or even raw bytes to see how the assembler and processor interprets it.
- Being comfortable with Reading The Fun Manual (RTFM!) to go seek out the most accurate details of how things work.
- Reverse engineer the black box Carnegie Mellon “Binary Bomb Lab”, which has changed the lives of so many students (the instructor included!) This is a major hands-on reverse engineering exercise (which can take anywhere from 2 hours to 2 weeks!) which has been shared the world over by thousands of students. This gives you something substantive to chew on even after class to really reinforce your understanding and capability to read assembly.
Hardware Requirements
- A PC or an x86 Mac (class won’t work with an M1 Mac!) capable of running 2 VMs at a time with ideally 4 GB of dedicated RAM per VM.
- Headphones for watching videos, (preferably over-ear so you’re not disturbed as the instructor is walking around the class answering individuals’ questions).
Software Requirements
- Administrator privileges to install virtualization software on your machine.
- A PC with VMWare Workstation or an x86 Mac with VMWare Fusion (the free “Player” versions are fine).
- ISO for installing 1 instance of x86–64 Windows 10 (30 day trial version is fine).
- ISO for installing Ubuntu Linux 20.04 (if you choose to learn the optional AT&T assembly syntax material).
- A link to a software setup guide will be sent before class, and the student should install before class to maximize time available for interaction with the instructor.
- Other software includes Visual Studio 2019, the Windows Software Development Kit (SDK), the Windows Driver Development Kit (WDK), and WinDbg.
- For the optional Linux material, it includes gcc and gdb.
Xeno Kovah
Xeno began leading Windows kernel-mode rootkit detection and defense research projects at MITRE in 2009, before moving into research on BIOS security in 2011. His team’s first public talks started appearing in 2013, which led to a flurry of presentations on BIOS-level vulnerabilities up through 2014. In 2015 he co-founded LegbaCore. And after presenting a firmware worm that could spread between Macs via Apple’s EFI-based BIOS and Thunderbolt Ethernet adapters, he ended up working for Apple. There he worked on securing all the lesser-known firmwares on Macs and peripherals — everything from 3rd party GPUs to SecureBoot for monitors! He worked on the x86-side of the T2 SecureBoot architecture, and his final project was leading the M1 SecureBoot architecture — being directly responsible for designing a system that could provide iOS-level security, while still allowing customer choice to trust arbitrary non-Apple code such as Linux bootloaders. He left Apple in Dec 2020 after the M1 Macs shipped, so he could work full time on OpenSecurityTraining2.
IN-PERSON TRAINING
BootPwn: Breaking Secure Boot by Experience
Abstract
Secure Boot is fundamental for assuring the authenticity of the Trusted Code Base (TCB) of embedded devices. Recent attacks on Secure Boot, on a wide variety of devices such as video game consoles and mobile phones, indicate that Secure Boot vulnerabilities are widespread.
The BootPwn experience puts you in the attacker’s seat in order to explore the attack surface of Secure Boot while identifying and exploiting interesting vulnerabilities applicable to real-world devices. Moreover, it’s hands-on, well-guided and driven by an exciting jeopardy-style format.
Your journey starts with achieving a comprehensive understanding of Secure Boot. You will learn how hardware and software are used to assure the integrity and confidentiality of the software of an embedded device. You will then use this understanding for identifying interesting vulnerabilities across the entire Secure Boot attack surface. You will be challenged to exploit these vulnerabilities using multiple realistic scenarios. All practical exercises are performed on our custom emulated attack platform which is based on publicly available code bases.
As an attacker, you will be able to:
- open the device and make physical modifications
- communicate with the internal and external interface
- program the external flash of the device
- perform hardware attacks like fault injection
You will be guided towards an interesting range attack vectors and vulnerabilities specific for Secure Boot, which can be leveraged for novel and creative exploits, allowing you to refine your skills to a new level.
Agenda
During the BootPwn experience we will cover the following topics:
Fundamentals
- Embedded devices
- Verification
- Decryption
Secure Boot
- Attack surface
- Real-world attacks
Identifying Secure Boot Vulnerabilities
- Design information
- Flash dumps
- Source code
- Binary code
Exploiting Secure Boot Vulnerabilities
- Insecure designs
- Vulnerable software
- Weak cryptography
- Incorrect cryptography
- Configuration issues
- Incorrect checks
- Insecure parsing
- Vulnerable hardware
Key Learning Objectives
The primary learning objectives of the BootPwn experience are to:
- Gain a thorough understanding of Secure Boot as implemented on modern devices
- Identify vulnerabilities across the Secure Boot attack surface
- Gain hands-on experience with exploiting Secure Boot specific vulnerabilities
Intended Audience
The BootPwn experience is intended for:
- Security Analysts and Researchers, interested in breaking Secure Boot on secure devices
- Security enthusiasts with an interest in embedded device security
- Software Security Developers/Architects interested in an acquiring an offensive perspective
Student Prerequisites
The following pre requisites catalyse the learning experience of BootPwn:
- have experience with Python/C programming
- have experience with the ARM architecture (AArch64)
- have an understanding of typical software vulnerabilities
- be familiar with reverse engineering (AArch64)
- be familiar with common cryptography (RSA, AES and SHA)
Don’t worry if you don’t meet all of the above expectations!
System requirements
- Any modern computer system with sufficient memory
- A modern browser (Chrome preferred)
- Virtualisation software (VMware preferred)
Student Deliverables
During the training you will get access to:
- a personal cloud based VM
- the exercise registry
- the exercise instructions
- the CTF server
To continue practicing after the training is completed:
- a personal offline VM
- a temporary token to access the exercise registry
- for downloading all training exercises in the offline VM
- a copy of the exercise instructions
Niek Timmers
Niek has been analyzing and testing the security of software and hardware of secure devices for over a decade. His interest is typically sparked by technologies where the hardware of the device is fundamentally part of the equation.
Practical Web Browser Fuzzing
Abstract
Web Browsers are one of the world’s most used and critical software. Using millions of lines of code, they handle, sanitize, and interpret all kinds of (untrusted) data from the web. To be honest, It’s impossible for developers to write such complex pieces of software (involving compilers, interpreters, and parsing libraries) without introducing any bugs.
As shown in the last years, fuzz testing is the most efficient and scalable testing technique to find software bugs. In this training, we will apply fuzzing to find critical vulnerabilities in different web browser implementations.
First, this course will give you all the prerequisites to understand modern web browsers’ architecture and significant components. Then, you will create and set up a testing environment allowing you to easily replay, debug, minimize and analyze existing issues, CVEs, and PoCs. Over dedicated modules, you will discover and fuzz the main browser components such as DOM, JS engines, JIT compilers, WebAssembly, and IPC. You will learn how to use famous tools (Honggfuzz, Domato, Dharma, Fuzzilli, Afl++) and create your custom fuzzers to apply different fuzzing techniques (coverage-guided, grammar-based, in-process fuzzing) to find vulnerabilities/bugs.
A lot of hands-on exercises will allow you to internalize concepts and techniques taught in class. This course will mainly focus on Google Chrome, Firefox, and WebKit/JSC.
Key Learning Objectives
- Discover the architecture and components of modern web browsers.
- Learn how to create a testing environment for browser fuzzing.
- Analyze existing CVEs, issues, and PoCs to learn from other researchers.
- Discover how to use and customize the most famous browser fuzzing tools.
- Learn how to replay, minimize and analyze crashes.
- Learn how to apply different fuzzing techniques against browser components.
Who Should Attend
This training is designed for security engineers, vulnerability researchers, bug bounty hunters, and anyone who wants to learn more about web browser internals and discover how to find critical bugs using different fuzzing techniques.
Prerequisites
- Familiarity with scripting (Python, Bash) and Linux.
- Familiarity with C/C++ and JavaScript.
- SKILL LEVEL: BEGINNER / INTERMEDIATE
Laptop Requirements
- A working laptop capable of running x86–64 virtual machines
- 8GB RAM required, at a minimum
- 80 GB free Hard disk space
- VirtualBox
- Administrator/root access MANDATORY
Patrick Ventuzelo
Patrick Ventuzelo is a French Independent Security Researcher specialized in vulnerability research, reverse engineering and program analysis. He is the creator of two trainings namely “WebAssembly Security” and “Rust Security”. Patrick is also the author of Octopus, an open-source security analysis tool supporting WebAssembly and multiple blockchain smart contract to help researchers perform closed-source bytecode analysis.
Previously, he worked for Quoscient GmbH, P1Security, the French Department Of Defense and Airbus D&S Cybersecurity.
Patrick has been speaker and trainer at various international conferences such as REcon Montreal/Brussels, Toorcon, hack.lu, NorthSec, FIRST, Microsoft DCC, SSTIC, BlackAlps, Devcon, etc.
Symbolic Execution with angr on Real-World Targets
Abstract
This is an 80% hands-on course with many demos, examples, exercises, and solutions. Exercises will be mostly x64 and ARM binaries for Linux, but we will also apply it to other architectures, such as MIPS and PowerPC. Although the theory behind symbolic execution is fascinating, we will only minimally cover it and will instead focus on the practical applications of angr.
Students are provided a preconfigured VM with all necessary tools and exercises. The instructor’s computer screen and voice will also be recorded during each day and provided for reference. Students can then review the recordings during the course and retain them for use afterwards.
Key Learning Objectives
- Students will have the ability to perform symbolic and concolic execution with angr
- Students have the ability to use manual and automated techniques with angr
- Students will know how to leverage angr’s strengths and complement its weaknesses
Detailed Syllabus
Background
- Symbolic execution / Concolic execution
- Bit vectors
- SMT/SAT solving
- Abstract syntax tree (AST) and DPLL algorithm
- Path explosion problem
Angr Usage and API
- API: loader, symbolic execution, solver engine
- Emulator: stepping, running, hooking
- Symbion and concolic execution: using debugger state with emulator
- Diassembly, decompilation, control-flow graphs
- Backward slicing
- VEX IR, PyVex, and libVEX
- Components: Capstone, Unicorn, claripy, Z3, valgrind
- Extending angr functionality
Plug-ins, Tools, and Workflow Integration
- Natural workflow of angr with IDA, Ghidra, qemu, pwntools and gdb
- Pypcode: library allowing symbolic execution of Ghidra’s p-code
- Plug-ins: Angry Ghidra, IDAngr, Jupyter’s Angry kernel
- angr’s GUI: angr-management
- Other plugins
Applications
- Malware deobfuscation
- identifying vulnerabilities and creating proof-of-concepts for vulnerabilities
- Crafting exploits
- General RE
Who Should Attend
This training is for people who are in the weeds, assessing binaries for vulnerabilities, crafting exploits, and reverse engineering malware.
Knowledge Prerequisites
This is an intermediate class. Students are expected to have experience with RE, VR, Linux, C, Python, and x86–64 assembly. Students are not expected to have any experience with symbolic execution, SMT, or angr.
Hardware Requirements
Students are expected to have their own computers which can run an x86–64 virtual machine.
- 50 GB of free hard disk space
- 4GB of RAM
- 4 Processor cores
Software Requirements
- VMware -or-
- Virtualbox
Jeremy Blackthorne
Jeremy Blackthorne @0xJeremy is a co-founder and instructor at the Boston Cybernetics Institute (BCI). Before BCI, he was a researcher in the Cyber System Assessments group at MIT Lincoln Laboratory. He was the co-creator and instructor for the Rensselaer Polytechnic Institute courses: Modern Binary Exploitation and Malware Analysis. Jeremy has published research at various academic and industry conferences. He served in the U.S. Marine Corps with three tours in Iraq and is an alumnus of RPISEC.
