Baseband exploitation is often considered the cream of the offensive security field. In the last decade, only a handful of such exploits were publicly released. As a result, many researchers view the ability to silently achieve code execution on a victim’s device by emulating a GSM (2G), 3G, LTE (4G), or 5G base station as a difficult objective.

In reality, baseband exploitation is not that challenging! By following a simple list of steps, a baseband platform can be quickly unlocked for research, debugging and exploitation.

In this course, students will learn our systematic approach to baseband security research: from setting up a fake base station using SDR and open-source BTS software, to obtaining and analysing mobile phone firmware and crash dumps, modifying BTS code to trigger bugs and deliver a payload, and finally reverse engineering radio protocols, hunting for vulnerabilities and exploiting them.

By the end of this heavily hands-on course, students will become familiar with two extremely common baseband platforms, Shannon and MediaTek, gain the skills to debug these and other baseband platforms, and learn about previously discovered bugs in basebands, and how they have been exploited.

Each student will be provided with a Software Defined Radio (SDR) board to emulate a base station, and a modern mobile phone to serve as a target.
Options will be available in the next step

This class is meant to show the approach an exploit developer or bug hunter should take in attacking a previously unknown component in the Windows kernel. The training is primarily focused around labs to teach the students what it takes to exploit a real-world vulnerability. This class focuses on exploiting CVE-2018-8611 on Windows 10 x64 1809 (RS5), a complex race condition that leads to a use-after-free on the non-paged kernel pool. The vulnerability is in the Kernel Transaction Manager (KTM) driver (tm.sys), a component that has not received much public scrutiny. Even though students will learn a lot about the KTM component, we focus on our approach for analyzing this component as a new kernel component that we had no prior knowledge about. The methodology can be reused for any other unknown kernel components a student may encounter in the future. We do not specifically focus on tricks or techniques for bypassing specific Windows versions mitigations, but rather on the thought process behind exploring functionality to find useful unmitigated code paths and also abusing the bug in ways that allow to build powerful primitives that would facilitate mitigation bypasses. The tools/VM we provide during this training are generic and can be reused after the class to assist exploiting other Windows kernel vulnerabilities.
Options will be available in the next step

Few publicly-known hacks have inspired the imagination of security researchers as much as exploits against IM (instant messaging) applications. 0-click attacks aimed against applications such as WhatsApp, iMessage, and Telegram have raised unprecedented interest and have often caused political turmoil.
Yet, in sharp contrast with the curiosity that IM exploitation generates, public information about this surface remains scant. This training is our bid to bridge the gap.

This course will provide students with the knowledge and hands-on experience in reverse engineering, vulnerability research, and exploitation of real-world IM applications. The target audience is advanced security professionals.
Options will be available in the next step

During this training, participants will discover the ecosystem and the fundamental bricks of the iOS operating system. They will discover the macOS toolchain used to deploy applications, and the debugging and diagnostic tools.

Participants will be teached fundamentals to reverse-engineer applications and system services: Objective-C internals, IPC mechanisms (XPC, NSXPC) and kernel APIs.
Practical examples and exercices built on iOS 17 will guide them all along the training. Hardware and software security measures unique to iOS will be covered, from both userland and kernel perspectives.
Options will be available in the next step

In this training, we get to know state-of-the-art code obfuscation techniques and look at how these complicate reverse engineering. Afterwards, we gradually familiarize ourselves with different deobfuscation techniques and use them to break obfuscation schemes in hands-on sessions. Thereby, participants will deepen their knowledge of program analysis and learn when and how (not) to use different techniques.
Options will be available in the next step

The browser training starts with a JavaScript crash course where we discuss several objects related to JavaScript and their implementations on a JavaScript engine. Next, we go over the commonalities of a browser's architecture, and look at the renderer and the sandbox, using Chrome as an example. Our emphasis is on the JavaScript engine in the renderer process. We develop a birds-eye understanding of it and observe how the peculiarities of the JavaScript language influence the design of a JIT compiler.

Important structures and key concepts such as Object shapes, SSA, IR, Inline Caches, and a few other fundamental concepts relevant to JavaScript engine exploitation are explained in detail. The course dives into the environment of v8, ranging from the execution pipeline to recent mitigations. Once the basics of browsers and JIT are laid out, we use a simple case study to illustrate a browser vulnerability. This is followed by an explanation of JavaScript exploitation primitives. Two real-world vulnerabilities are introduced, and the student is expected to solve simple challenges that will help in the understanding of the inner workings of the exploit. The course will emphasize the similarities and differences of the two vulnerabilities, with the first one serving as a foundation for the second. The challenges will be supported by the theory all along the course. Finally, a quick overview on fuzzing JavaScript engines and browser mitigations is covered.

After attending this fast-paced course, a student can expect to have dropped a foundational anchor on browser security research that enables them to further pursue its depths.
Options will be available in the next step

Active Directory and Azure are the heart of identity and access management for many companies and their ubiquity within information systems makes them prime targets during red team engagements. While their security is vastely explored within the public space, mature environments may prove more challenging for operators, requiring advanced exploitation techniques to lead the intrusion to its success. With a focus on hands-on practice (70%), this training will deepen your intrusion skills on modern and mature organizations, with discretion in mind. Each student will access an individual and realistic corporate network to study advanced techniques of reconnaissance, lateral movements, elevation of privileges, extraction of secrets and persistence, within Active Directory and Azure.
Options will be available in the next step

This class teaches you how hypervisors and hardware-assisted virtualization technologies work. You can use this knowledge to build your hacking hypervisors for research and to study, customize, and break existing hypervisors.

We achieve this by developing lightweight, UEFI module-based hypervisors using Intel VT-x and analyzing various advanced hypervisor applications, such as fuzzing and system hardening. The knowledge we acquire applies to kernel module (driver)- based hypervisors and AMD processors.

The class is hands-on oriented; we will spend 30-40% of the time with excesses.
Options will be available in the next step

Kernel exploitation on Android devices still presents a relatively new unexplored research area due to its diverse range of hardware options and hardware/software exploitation mitigations implemented by vendors or the Linux kernel itself. Similar to other operating systems, Android provides several common user-space exploitation mitigations and attacking the kernel is an appealing option to obtain full access on the device bypassing any user-space exploitation mitigations.
Options will be available in the next step