[0x526F756E64313021] - The Meet

After a vigorous start, it's time to celebrate 10 years of 0xOPOSEC, a full decade of knowledge sharing and community building. What began as a small group of security enthusiasts has grown into a space where ideas are challenged, experiences are exchanged, and skills are sharpened together. Let's celebrate the people, the conversations, and the collective effort that kept the community alive and thriving over the past ten years.

As usual, we've lined up a strong set of talks to kick things off. First up is Afonso Vitório (@g4uss), who will take us through the origins of the CVE program, from its early days to its current state, and where it's likely headed next. He'll also showcase a platform he's been developing to improve CVE education, aggregate vulnerability information, and support validation workflows. Whether you're on the red, blue, or any shade in between, this talk offers valuable insights for any security practitioner.

But wait, if you're looking to sharpen your offensive skills, Gustavo Pinto (@ArmySick) is back. Mostly known for his epic paths all the way to Domain Admin, Gustavo will this time shed light on a fundamental building block of modern offensive engagements. This talk will dive into Beacon Object Files (BOFs), what they are, why they've become state-of-the-art in C2 operations, and how to build, debug, and deploy your own. You'll also learn how to integrate BOFs with your favorite C2 framework or agent. If red team tooling and tradecraft are your thing, this is a session you won't want to miss.

Just a friendly reminder, this is an in-person event. Before RSVPing, please double-check that you can attend and be there in person. Good logistics rely on it!

In the meantime, you can join our Slack chat to discuss all kinds of hackish stuff and, of course, interact with other members.

Don't miss out. Your FOMO will be justified if you are looking to level up your security game.

[Goals]

Learn something new, get to know other g33ks, and, the most important thing, have fun.

[Agenda]

- "Celebrating 10 years of sharing!" (PT/EN) by Renato Rodrigues (@SiMpS0N)

- "CVEs: Past and Present and the future of CVE learning" (PT/EN) by Afonso Vitório (@g4uss)

- "regaBOF - Developing your stealthy Red Team tradecraft" (PT/EN) by Gustavo Pinto (@ArmySick)

[Challenge]

On my latest adventures, I've started learning C, so naturally I decided to build a better Nginx! To prove how fast and secure it is, I've hidden a secret value inside the server that no one should ever be able to uncover… or so I claim 😈 For the extra cautious, there's also a hardened version waiting for you.

You can test both versions here:

- Safe → https://0xoposec-http.challenges.apl3b.com/

- Extra Safe → https://0xoposec-http-hardened.challenges.apl3b.com/

Find the flag, ping @apl3b, and most importantly, have fun hacking!