ØxOPOSɆC

2024 Events

Jan 24, 2024

[0x696E69743234] - The Meet

Welcome to 2024!

We’re thrilled to kick off the year with our first meetup. Our commitment to sharing knowledge is as strong as our morning coffee, and we’re aiming for a stellar year that’s truly out of this world!

We have exciting news to share. Our very special guest, Jean-Francois Mousinho (@jemos), is all set to join us on stage, and this time, it’s for real! He will be sharing his expertise in chip development, shedding light on the ubiquitous presence of green boards in various domains, from silicon to security. Get ready for an insightful introduction to chip development, implementation, and vulnerabilities.

If that’s not enough excitement for you, hold on tight because Gustavo Pinto (@ArmySick) will be breaking down our classic Xmas Challenges. Be on the lookout for the final write-ups, and get ready to cheer on our top-performing players (we’ve got a few hidden gems up our sleeves).

Please remember this is an IRL event with no streams available. Before RSVP-ing, ensure you can attend and physically show up, as good logistics depend on it.

In the meantime, you can join our Slack chat (*) to discuss all kinds of hackish stuff and, of course, interact with other members. *https://bit.ly/3XbyGQu (+)

Hope to see you soon!

[Goals]

Learn something new, get to know other g33ks, and, the most important thing, have fun.

[Agenda]

[Challenge]

OPO Xmas CTF ‘23 is in town! (Last Call!)

URL: https://opoxmas23.armysi.cc/

PS: Get help on the usual channel #ch4llenges.

Feb 21, 2024

[0x4F766572313021] - The Meet

2024 got off to a flying start! A big thank you to everyone who attended our first meet-up of the year. Can you believe that 0xOPOSEC has been around for eight years already? Mind-boggling, to say the least. We’re thrilled to celebrate this fantastic milestone with all of you!

To kick off the festivities, we have Mario Lima (@comet) making his debut on stage. He’ll be guiding us through modern defenses, diving into topics like network intrusion detection systems, EDRs, and how attackers navigate through them successfully. But hold onto your hats; the fun isn’t over yet! Ricardo Almeida (@vibrio) is making a comeback to share his expertise and cunning techniques for exploiting Windows features to get a cmd line with elevated privileges. Don’t miss out on this unique opportunity!

Your support is like the secret sauce that makes 0xOPOSEC extra special. Let’s keep the learning, networking, and hacking party going for many moons to come!

In the meantime, you can join our Slack chat (*) to discuss all kinds of hackish stuff and, of course, interact with other members. *https://bit.ly/3XbyGQu (+)

Cheers!

[Goals]

Learn something new, get to know other g33ks, and, the most important thing, have fun.

[Agenda]

[Challenge]

Firewalls, packet filters, intrusion detection systems, and similar tools frequently struggle to differentiate between packets with malicious intent and those that are simply unconventional. If only a method existed to discern between these two scenarios.

Take a peek at this network dump (//pathonproject.com/network.pcap) and see if you can snag the flag. Remember, the flag format should be in the “ctf{…}” style and ping (@)simps0n with the solution.

Mar 26, 2024

[0x626F6F74686F6C65] - The Meet

What a blast we had at our last celebration! But you know what our core drive is – our community spirit! For the third meetup of the year, we’ve lined up a great set of speakers.

We are happy to announce that we will be welcoming Bruno Caseiro and Marco Carneiro to our stage for the first time ever! In what promises to be an eye-opening session, Bruno will be shedding light on race conditions - a bug class often neglected but known to cause high-impact bugs. By the end of his talk, we hope that identifying, detecting, and preventing these bugs will become second nature. Marco, on the other hand, will dig into the low-level realm in one of the most (in)famous exploits for Nvidia Tegra X1 that gave birth to an unpatchable vulnerability for Nintendo Switch and other devices; if you wonder how such exploit work or just passionate about the beautiful complexity of modern systems, you will not what to miss this talk.

Please remember this is an IRL event with no streams available. Before you RSVP, please make sure you can physically show up and attend. Smooth logistics depend on your presence!

In the meantime, you can join our Slack chat (*) to discuss all kinds of hackish stuff and, of course, interact with other members. *https://bit.ly/3XbyGQu (+)

Hope to see you soon!

[Goals]

Learn something new, get to know other g33ks, and, the most important thing, have fun.

[Agenda]

[Challenge]

URL: http://passgenerator.0d.al/

Good luck! Ping @nunohumberto with the flag{}!

Apr 23, 2024

[0x626C6F6F6D] - The Meet

Spring is in full bloom, and we’re thrilled to spring into action (no pun intended) with our fourth meeting of the year. The agenda is loaded with fresh and juicy topics that are sure to give your neurons a workout.

No more dilly-dallying; let’s cut to the chase. This time, drumroll, please; Miguel Oliveira (@datadrug) is going to step up to the stage once more, but now in his mad scientist mode. Did you know that we can use Helium in the data recovery process? Would you like to know about the latest developments in SSD recovery? If so, this will be the perfect opportunity to keep abreast. You are mistaken if you believe the previous talk is more than enough. Get ready to roll out the red carpet because Nuno Humberto (@nunohumberto) is joining us and bringing us a fine selection of security issues he uncovered during his wild explorations over the past few years. Prepare to learn and gain new insights and perspectives on your everyday technologies. Dig into what some inner works are and how the Devil is in the details when looking for impact.

Please remember this is an IRL event with no streams available. Before you RSVP, please make sure you can physically show up and attend. Smooth logistics depend on your presence!

In the meantime, you can join our Slack chat (*) to discuss all kinds of hackish stuff and, of course, interact with other members. *https://bit.ly/3XbyGQu (+)

Hope to see you soon!

[Goals]

Learn something new, get to know other g33ks, and, the most important thing, have fun.

[Agenda]

[Challenge]

Get Your Fix Now!

URL: http://madlabs.pw/

PS: Get help on the usual channel #ch4llenges and ping (@)SiMpS0N w/ the flag!

May 22, 2024

[0x2E2E2F2E2E2F76343034] - The Meet

Our past meetups were an absolute blast! We had a smorgasbord of topics to discuss and a diverse group of participants to share them with. We’re thrilled to be part of such a vibrant community and can’t wait to take our next gathering to the next level of awesomeness!

Our agenda is, as usual, packed with juicy stuff that will leave you wanting more. Get ready for a double dose of expertise as two of our rockstars spill the beans on their trade secrets once more!

This time, João Pedro Dias (@jpdias) will challenge us to tackle planned obsolescence. Far more than a posh word, this pesky issue is something we have to deal with all the time. Devices/Gadgets that stop working because the company shut down their services, ICS systems whose maintenance is a myth, and how the expenses of keeping them operational can drive you up the wall or how outdated software can be hacked to satisfy modern needs.

Pretty cool, right? However, Guilherme Scombatti (@scombatti) still has a refreshing Bug Bounty journey he wants to share with us. Get your notepads ready because you’ll get exclusive access to practical and proven tips as we deep-dive into some of the technical aspects you need to find and exploit vulnerabilities on a specific scope.

If ignorance is bliss, knowledge is power, and we’re sure you don’t want to miss this opportunity to boost your brain cells.

Please remember this is an IRL event with no streams available. Before you RSVP, please make sure you can physically show up and attend. Smooth logistics depend on your presence!

In the meantime, you can join our Slack chat (https://bit.ly/3XbyGQu) to discuss all kinds of hackish stuff and, of course, interact with other members.

Hope to see you soon!

[Goals]

Learn something new, get to know other g33ks, and, the most important thing, have fun.

[Agenda]

[Challenge]

In 1981 things were a little bit different but…

URL: http://madlabs.pw/

PS: Get help on the usual channel #ch4llenges and ping (@)SiMpS0N w/ the flag!

Jun 27, 2024

[0x496E666563746564] - The Meet

Our final gathering before the summer break has arrived. Before heading to the sunny season, jam-packed with international events that will surely give our emotions a run for their money, we hope you can squeeze in one more knowledge boost.

The agenda is locked in and will, no doubt, bring a smile to your face. Brace yourselves for a double dose of wisdom and wit as we proudly present our dynamic duo of speakers: Rodrigo Lima (@Pengrey) and Diogo Lemos (@Diogo Lemos)! Joining us for the first time, they’re all set to shake things up and bring some serious sparkle to the stage.

Get ready to dive into the world of Modern Malware Development with Rodrigo Lima (@Pengrey)! An unavoidable hot topic that’s making waves in the digital realm. Join us as we unravel the challenges and learn the nifty tricks for gaining the upper hand, as well as the latest in malware design. Let’s not skirt around the issue: it’s a controversial topic. But now is the perfect time to tackle it head-on if we want to come out on top.

On top of that, stay tuned as Diogo Lemos (@Diogo Lemos) sheds light on a conundrum that’s rattling modern software companies. From a real-world implementation POV, we’ll delve into the world of secret scanning tools — uncovering their implementation, perks, and the nitty-gritty of managing secrets across a large organization. We’ll also sprinkle in some tips and tricks on how to tweak and adjust all of this to widely used tooling.

Please remember this is an IRL event with no streams available. Before you RSVP, please make sure you can physically show up and attend. Smooth logistics depend on your presence!

In the meantime, you can join our Slack chat (https://bit.ly/3XbyGQu) to discuss all kinds of hackish stuff and, of course, interact with other members.

Hope to see you soon!

[Goals]

Learn something new, get to know other g33ks, and, the most important thing, have fun.

[Agenda]

[Challenge]

Once again, JP has stumbled upon what looks like a tantalizing leak from the mysterious CESOPOx0 group. Imagine the excitement—like discovering Gandalf’s lost spellbook or a secret blueprint to the Death Star. The secrets within could be real, but here’s the kicker: JP is holding the digital equivalent of a treasure map, and they have no clue how to read it.

Now’s the time to channel your inner hacker hero, put on your best digital Indiana Jones hat, and decode the mysteries. Who knows? Maybe you’ll uncover the Holy Grail of cyber secrets. Engage your curiosity, embrace the geekery, and may the force (and your hacking skills) be with you!

URL: https://pathonproject.com/0x496E666563746564/0xOPOSECLEAKS.7z

P.S. Remember, with great power comes great responsibility… and potentially some awesome bragging rights! So grab the flag{} and ping @darkcookie or @simps0n.

Sep 26, 2024

[0x636F6D656261636B] - The Meet

We hope you got a much needed R & R during this holiday break and had the chance to recharge for the last stretch of the year. We’ve cooked up an agenda that’s bound to make you get back in the game and ready to show off your skills.

Crafting a Summer Challenge as solid as Fort Knox is no small feat. Fear not; our resident veteran, Pedro Rodrigues, is here to spill all the juicy behind-the-scenes secrets. From networking and PKI to K8s and containers, he’s got the scoop on it all - including those classic ‘oops’ moments when a pesky misconfiguration or unexplained error rears its ugly head. Trust us, you won’t want to miss these insights straight from the trenches.

Next, get ready to hear from Gustavo Pinto, our Summer Challenge champion and well-known community legend. He’s been through the wringer with the entire Summer Challenge and is eager to share all his hard-earned wisdom. If you want to level up your CI/CD exploitation game, you’d be crazy to miss this action-packed session.

We already have a few master solvers, but nothing can quite match the sheer exhilaration of snatching that juicy flag. The best part is the challenge is still on, so if you think you’ve got what it takes, now’s your chance to put your skills to the ultimate test!

Please remember this is an IRL event with no streams available. Before you RSVP, please make sure you can physically show up and attend. Smooth logistics depend on your presence!

In the meantime, you can join our Slack chat (https://bit.ly/3XbyGQu) to discuss all kinds of hackish stuff and, of course, interact with other members.

Hope to see you soon!

[Goals]

Learn something new, get to know other g33ks, and, the most important thing, have fun.

[Agenda]

[Challenge]

Last Call for the Summer Challenge!

URL: https://oposec-summer.0x90.zone/

If you find yourself stuck or in need of hints, don’t hesitate to drop by the #ch4llenges Slack channel. We’ve got a helpful community ready to lend a hand!

Oct 22, 2024

[0x50574E5F46545721] - The Meet

Buckle up, folks! We’ve cooked up an autumn event to give you the boost to end the year on a high note and that’s bound to have you on the edge of your seat.

First up, we’ve got (@)Duarte Santos ready to take us on a wild ride into the world of shattered sandboxes. Are you a Python aficionado? Think those fancy sandboxes can keep you safe? Brace yourself as Duarte guides us to Remote Code Execution glory, breaking down key CVEs and showcasing the clever tricks that made it all possible.

There’s more! If you’re more of a corporate crusader and Active Directory is the backbone of your empire, get ready for a masterclass from Tiago Dias (@)td00k and Renato Cruz (@)b1tch0k3r. These two have been busy compromising AD domains using the Golden Certificate attack path, and they’re ready to spill all the juicy details. Be sure to grab your notepads.

Secure your spot now – this spooky bag of tricks is your ticket to leveling up your game in a big way.

In the meantime, you can join our Slack chat (https://bit.ly/3XbyGQu) to discuss all kinds of hackish stuff and, of course, interact with other members.

Hope to see you soon!

[Goals]

Learn something new, get to know other g33ks, and, the most important thing, have fun.

[Agenda]

[Challenge]

Somewhere in the environment variables, something’s lying low, waiting for the right moment to disrupt things; one wrong move and unexpected behavior could be triggered.

URL: http://butwhy.0d.al

Grab the flag{…} and ping @simps0n!

Nov 28, 2024

[0x454F4632303234] - The Meet

The holiday season is upon us, and as we wrap up another wild ride, we’re tipping our hats to all of you who’ve made every challenge and gathering memorable. Your dedication keeps raising the bar and pushing us forward. A big shoutout to our fantastic speakers and wicked challenge creators - you’re the heart and soul of this community, bringing us together, keeping us on our toes and ready for whatever the future holds.

We’ve got a killer lineup for the final gathering of the year. First up, Eunice Juliana Amorim (@0xbugphant), a long-time member, steps into show us how to make LLMs our partners in crime in identifying authorization issues - you know, that type of vulnerability that’s easy for humans to spot, but automating the process is a whole other beast. Get ready to embrace out-of-the-box thinking, as conventional MOs won’t quite cut it with this cunning task!

Next up, for our grand finale and needing no introduction, Pedro Vilaça (@fG) will take us down the rabbit hole of the latest Flare-On 2024 Challenge #5. This advanced reverse-engineering challenge digs deep into an application’s memory state by stripping it down to expose the nitty-gritty of an infamous backdoor, a few clever tricks will be employed to exploit it and achieve the challenge’s ultimate goal. If reverse engineering, shellcodes, and cryptography make your heart skip a beat, and you want to master some serious clever techniques, this is the ultimate master class you can’t afford to miss.

Just a friendly reminder: this is an in-person event. Before RSVPing, please double-check that you can attend and be there in person. Good logistics rely on it!

In the meantime, you can join our Slack chat (https://bit.ly/3XbyGQu) to discuss all kinds of hackish stuff and, of course, interact with other members.

Join us to close out 2024 with a bang - because nothing says “happy holidays” like breaking things.

[Goals]

Learn something new, get to know other g33ks, and, the most important thing, have fun.

[Agenda]

[Challenge]

We have received a groovy transmission from the past! 🎶 Can you hear the flag? Ping (@SiMpS0N) when you have it. Good luck! 🎵