OffenSkill

Teaching & Trainings

Available Trainings

If you just want to register for next training alerts, here’s the link!

Teaching good practices and acquiring a deep knowledge of the technologies we use is a key component of the security & IT fields. It helps actors build more robust and secure websites, infrastructures, and tooling. This is why I’m more than convinced that teaching & practicing should be the first steps taken to improve the company’s security, the employee’s happiness, and their interest & ownership culture.

  • All of these Talks and Workshops are available both in French and English
  • The training content can be tweaked on demand; you can pick any language / framework
  • Prices (500€ per day per trainee) are cut in half for NGOs, schools, and students
  • The trainings are remote by default, but if an individual or company can host the event, it’s even better!
  • Feel free to get in touch (email in the registration form) for more information on the content and/or pricing!

Web Hacking lvl-10 | Introduction to Web Exploit Basics // Beginner friendly
  • content: Initiation to Web Hacking, OWASP-like, Frontend, Backend, Recon
  • duration: 2 to 5 days
  • public: 4 to 12 folks

Web Hacking lvl-20 | Introduction to Web 0day Research // Confirmed hacker
  • content: How to pick a Target, Create a lab, Tooling for Observability & Introspection, Research Process, and Methodology
  • duration: 2 to 3 days
  • public: 4 to 12 folks
  • note: more details on this twitter thread

Web Hacking lvl-30 | Advanced Web 0day Research // H4rdc0re team
  • content: We pick a target or technology, and spend as long as we can ($$) breaking it together
  • duration: 5+ days
  • public: 4 to 6 folks
  • note: The target can be one of your company's products, an open source framework, or even a premium solution if you can provide (buy legally) the source code.

Why this guy? Are these trainings relevant anyway?

If you’re still wondering if it’s worth it, please have a look at my previous public talks:

2023

2022

2021

2018

So here are a few topics I am willing to cover, and how technical they can be pushed.

Source: Barbhack 2021 - What if you’re pwned during an offensive engagement? Blue team goes brrRRR - @TheLaluka


Past sessions

S01 | lvl-20 | 2023 January

Attendees:

Findings:

  • 2 RCEs full chain
  • 1 Auth bypass (weak secret)
  • 1 Privilege escalation
  • 1 SQL injection
  • 1 File read
  • 2 File write
  • 2 SSRF

S02 | lvl-20 | 2023 July

Attendees:

Findings:

  • 2 RCE post-auth
  • 3 File write
  • 1 SSTI Twig
  • Phar unserialize trigger & gadget
  • 1 File read