Pierre MARTIN
My name is Pierre Martin (alias Worty), I'm 24 and I've been doing cybersecurity for about 3 years. I take part in a lot of CTFs with the TheFlatNetworkSociety team and I specialize in the web category, mainly on the backend side.
Before becoming a pentester at Synacktiv, I did a lot of bug bounty on YesWeHack and HackerOne, and I had the opportunity to take part in the HackerOne world championship with the French team, where we finished third.
Moreover, I was twice in the French team for the ECSC competition organized every year.
I mainly do vulnerability research on open-source projects, on my own time or at work, notably with Rémi Matasse.
Session
Livewire is a full-stack framework for Laravel that streamlines the creation of
dynamic and interactive web interfaces by allowing developers to build
real-time features using PHP and Blade templates. In this talk, we will show
how to exploit the unmarshalling mechanism used by Livewire to instantiate
arbitrary objects in order to achieve remote command execution on
any Livewire instance as long as you are in possession of the APP_KEY of the
application. Additionally, we will present a new feature added to our publicly
available tool laravel-crypto-killer, which fully automates the generation of
the payload described during the presentation.