0x7e7 Edition


Edition 2023

📅 12 MAY 2023
Sthack was first held in 2011. The event takes place in Bordeaux and was first an overnight security contest. It was born from the desire of its founders to have a local CTF and to combine security and epicurean lifestyle.
It now provides 24 hours of an interesting atmosphere for open discussions about security with speakers from all around the world.

Sthack is one of the main security events in Aquitaine (and France :D), with a high-quality lineup of speakers!

9h - 18H

La cité du vin

20h - 6H

Les salons de la mairie


Call for papers is open

Submit your talks : staff[at]sthack[dot]fr
9:00 - 9:45
Cité du vin
Time for coffee, "cannelés" and "chocolatines"
9:45 - 10:00
Cité du vin
We will try to write something :)
Slot 1
Cité du vin
For Science! - Using an Unimpressive Bug in EDK II To Do Some Fun Exploitation
EDK II is the public implementation of UEFI on which a large part of the OEMs rely to craft their own firmware. If a vulnerability were to be found in this project, it could become a huge problem as it could impact many devices. Or... It could be unimpressive and go totally unnoticed because nobody cares. ¯\_(ツ)_/¯ In this talk, we'll present a bug in EDK II which is difficult to leverage in real life but still quite fun to attack. We'll see how we can build a complete exploit solely based on the mechanisms that are present in the public implementation and how we can gain arbitrary code execution in SMM thanks to that.
Slot 2
Cité du vin
Post-quantum crypto is coming!
Should we care about quantum computers? What protocols could they break and not break? What is really "post-quantum crypto"? How reliable is it? Are standards already available? When will quantum computers become useful? This talk will attempt to provide answers to these questions, and more!
Slot 3
Cité du vin
DMA attacks in practice
In this talk we will present the principle of DMA (Direct Memory Access) attacks, which allow access to the RAM of a machine (workstation, server, IoT...). The goal of the talk is to detail how these attacks work, the hardware needed to be ready for any situation, and the software to use. The talk will close with a presentation of the countermeasures that protect against these attacks on modern OSes.
12:15 - 14:00
Drink and food
Of course there will be wine !
Slot 4
Cité du vin
Cyberviolence: an overview of a widespread phenomenon
Slot 5
Cité du vin
Trying to break randomness with statistics in less than 5 minutes
Pwn2own is a bug bounty competition, many participants are present and only the first participant gets a reward. It is important to be efficient in your research, a search time that does not lead to exploitation will only be a waste of time. In this competition it is not necessary to be exhaustive but efficient, a vulnerability that cannot lead to a code execution should not be considered. To avoid falling into these traps we decided to target vulnerabilities with a high chance of leading to code execution and we wanted to industrialize this research by automatizing it and allowing it to reproduce this search on any firmware.
Slot 6
Cité du vin
Network devices security: Identifying common attack vectors on modern network environments
Pierre Besombes
This talk will focus on the security of network devices. It will provide an overview of the different attack vectors that can be used to target network / packet processing devices, and hopefully help network and security professionals in building more accurate threat models and to better assess their security levels. The talk will also touch on how network devices work and identify some best practices for protecting against common attacks.
Slot 7
Cité du vin
A year of CLFS exploits
After a quick introduction to CLFS internals, vulnerabilities found in the wild will be described and how Microsoft patches them (and fails). Last but not least, we have identified two separate clusters of weaponized exploits that were likely developed by two separate developers, we will show the differences between these two clusters based on code artifacts / exploit strategy.

Cité du vin
Prepare your best rump !
20:00 - 6:00
Salon de la Mairie
Let's have some CTF tasks ! Beers and Food are waiting for you


"Capture the Flag" is a kind of competition where people can practice offensive IT security. The "Flags" are passwords that participants obtain after successfully exploiting vulnerabilities in applications developed specifically for the challenge; they simulate confidential information. The Flags are worth points, and the team that earns the most points wins the competition.

At Sthack, teams are made up of at most 5 members, who fight for 12 hours. The points for a challenge are calculated taking into account the number of teams that solved it (Chall01 = 50*(NbTeams-NbTeamsThatSolvedChall01)). You can expect web applications, network forensics, reverse engineering, steganography and software exploitation.
Cité du vin
134 Quai de Bacalan, 33300 Bordeaux
Hotel de ville
Pl. Pey Berland, 33000 Bordeaux