DEFCON 32 and BlackHat

DEFCON 32 Schedule/Links

A former professor of mine was kind enough to invite me to DEFCON + BlackHat this year. In a previous post, I highlighted my first time attending DEFCON, and now, I am gonna give a quick overview of my time at BlackHat (lucky me)! Sadly, I’m making this post months afterwards - so, forgive me for not going super in-depth.

DC32 Map

After much deliberation with another member of the group that traveled for the conference, we decided to stay at the Horseshoe Hotel + Casino. It was okay. Not great, but definitely better than my decision to stay at the Hilton Grand Vacations Club last year. Although I still had to walk to the monorail, it was inside and much closer - which made it much more comfortable.

A single day pass for the LV monorail is $13.45 USD and the 7-day is $57.50; it is cheaper to buy your passes online versus the physical kiosk at each station. If you are physically able and can take the occasional desert heat walking between locations, I highly recommend the monorail as an affordable means of travel. I used it last year as well, and, minus the random pass reading issues, it was a satisfying experience. LV Monorail.

If you cross the drop-off/valet entrance, there is a nice tourist shopping mall with water misters and plenty of food options. You could probably get some nice souvenirs there, but I didn’t check. I visited this nice boba and milk tea stand as well as the Walhburger. Both were okay experiences, but the Walhburger was kinda expensive for what you get.

Boba Menu #1 Boba Menu #1

BlackHat

For the entire week spent at the conferences, it begins with BlackHat and then DEFCON follows. In my opinion, BlackHat is the more formal and primarily “corporate” venue, which I think most would agree with. DEFCON is significantly cheaper and has more to offer as someone more interested in learning and researching. If you want to spend your departments budget and get free merch, by all means, attend BlackHat; I got something like 10+ free shirts, haha… If you had to pick one and it was coming from your own wallet, DEFCON is the choice. There are also many other camps/conferences/events happening that week as well that are worth attending. So, it would be better to attend those + DEFCON.

Apps like the Hacker Tracker make planning significantly easier:

HackerTracker

HackerTracker

As for actual content of the conference, I attended a mix of talks, parties, and demos. It was a very busy week.

  • All Your Secrets Belong to Us: Levaraging Firmware Bugs to Break TEEs
  • The Overlooked Attack Surface: Diving into Windows Client Components for RCE Vulnerabilities
  • Damn Vulnerable UEFI (DVUEFI): An Exploitation Toolkit and Learning Platform for Unveiling and Fixing UEFI…
  • SHAREM: Advanced Shellcode Analysis Framework
  • Laser Beams & Light Streams: Letting Hackers Go Pew Pew…
  • You’ve Already Been Hacked: What if There Is a Backdoor in Your UEFI OROM?
  • Overcoming State: Finding Baseband Vulnerabilities by Fuzzing Layer-2
  • From Interest to Insight: How to Identify and Explore Your Research Topic
  • ICSGoat: A Damn Vulnerable ICS Infrastructure
  • Breaking Barriers: PyFridas Simplified Pythonic Approach to Frida Scripting
  • Okami: Advanced Binary Fingerprinting for Malware Attribution and Code Sharing Detection
  • Locked Down but Not Out: Fighting the Hidden War in Your Bootloader
  • Uncovering Supply Chain Attack with Code Genome Framework
  • Bytecode Jiu-Jitsu: Choking Interpreters to Force Execution of Malicious Bytecode
  • The Ecosystem of SIM Swap
  • AntiDebugSeeker: Automatically Detect Anti-Debug to Simplify Debugging (IDA/Ghidra)
  • Use Your Spell Against You: Threat Prevention of Smart Contract Exploit By Reusing Opcode Trace
  • Break the Wall from Bottom: Automated Discovery of Protocol-Level Evasion Vulnerabilities in Web…
  • Bypassing ARM’s Memory Tagging Extension with a Side-Channel Attack
  • PageJack: A Powerful Exploit Technique With Page-Level UAF
  • Attention Is All You Need for Semantics Detection: A Novel Transformer on Neural-Symbolic Approach
  • Remote, One-Click, Breaking through Smartphones via a Non Well-Known Remote Attack Surface
  • Locknote: Conclusions & Key Takeaways from BlackHat USA 2024

See the nitty gritty details here: BlackHat 2024 Briefings

And, all of that is a lot - but it’s the entire list of briefings and arsenal talks that I saved. Some I couldn’t attend because of overlapping times or adventuring into the swag business hall.

DEFCON 32

DEFCON was a lot more straightforward with less overlapping talks that I was interested in attending. And, I kinda feel bad for not listening to every speaker - but it is so much more convenient to prioritize the physical stuff (i.e., the various villages) instead of talks that you can watch from home on YouTube. Having said that, I’m also reminded that this was their first year at the new location. Which I think is much better than prior years because of everything being in one building. The maps are easier to read and there’s less to walk. On the other hand, it feels less personal and more like BlackHat, which could be a downer for some people.

Being in the new conference center came with it’s own challenges as well, you are farther from places to eat, it is a much longer walk from the monorail, and the track/briefings rooms were a little awkward. For instance, you couldn’t see what was being presented unless you were seated in the first few rows or the presenter used really big fonts and graphics. Hopefully, next year they will have bigger screens (projectors maybe) and also fix some of the audio issues.

Talks

Of the tracks/talks that I physically attended, there were few:

  • Mobile Mesh RF Network Exploitation: Getting the Tea from goTenna
  • Where’s the Money: Defeating ATM Disk Encryption
  • No Symbols When Reversing? No Problem: Bring Your Own
  • Listen to the whispers: web timing attacks that actually work
  • The XZ Backdoor Story: The Undercover Operation That Set the Internet on Fire
  • Atomic Honeypot: A MySQL Honeypot That Drops Shells
  • Defeating EDR Evading Malware with Memory Forensics
  • Sshamble: Unexpected Exposures in the Secure Shell
  • Xiaomi The Money - Our Toronto Pwn2Own Exploit and Behind The Scenes Story
  • Optical Espionage: Using Lasers to Hear Keystrokes Through Glass Windows
  • The Way To Android Root: Exploiting Your GPU On Smartphone
  • Breaching AWS Accounts Through Shadow Resources
  • Android App Usage and Cell Tower Location: Private. Sensitive. Available to Anyone?
  • Taming the Beast: Inside the Llama 3 Red Team Process
  • Outlook Unleashing RCE Chaos: CVE-2024-30103 & CVE-2024-38021
  • Leveraging private APNs for mobile network traffic analysis
  • Reverse Engineering MicroPython Frozen Modules: Data Structures, Reconstruction, and Reading Bytecode

There were plenty more of good talks - but, my plan was/is to go back through the HackerTracker and just make my own YouTube playlist.

Villages

My co-attendee and I spent most of our time on the second and third days in the Embedded Hacking Village. It was pretty fun and I wished I were better prepared. These past two times that I attended DEFCON, it was with my M1 Macbook which has been difficult. My homebrew installation is messed up and I mainly use proxmox VMs personally and for work - so I’m out of my element when attempting CTFs with my laptop. If you plan to participate, I highly recommend getting your workstation sorted out and prepared well beforehand. Having to mess with your system and waste time not doing CTFs can really bog your experience down.

As for the Embedded village itself, we had a great time and managed to rank 29th out of 127 teams. Not amazing, but it could have been worse considering we started on the second out of 2.5 days. Next year, I plan to start early on the first day and try to rank higher.

As for what challenges you can expect, there is mix of firmware and hardware challenges; but, primarily hardware. One of the easiest challenges, as an example, was to connect to this device:

github@nstarke - DLink DCS 930L

Essentially, you would issue a http request to the IP camera using the following:

curl 'http://$CAMERA_IP/setSystemCommand' -H 'Authorization: Basic $BASICAUTH_CREDS' -H 'Content-Type: application/x-www-form-urlencoded' --data 'ReplySuccessPage=docmd.htm &ReplyErrorPage=docmd.htm &SystemCommand=telnetd &ConfigSystemCommand=Save'

This causes the camera to start a telnetd session which can be connected to at port 23. Upon connecting you’ll see a root shell. At this point, we had to exfil several files to get the flag.

LiveOverflow

Besides, the village - I got to meet LiveOverflow. Really cool dude and love his YouTube channel.

Other Stuff

Besides the conferences, I got to explore the mini-Eiffel Tower, MeowWolf, and K1 racing. Also, the group ate at an italian place called, Capo’s Restaurant and Speakeasy. The food was great, but it was a little too crowded and loud for my tastes.

Also, FYI - these events are not for the walking faint of feet. I walked about ~45 miles the week of DEFCON and BlackHat.

Images from the trip:

Written on August 9, 2024