NullCon, LHE, and Berlin


Today's post is a recap of Nullcon Berlin 2025, especially the LHE organized by YesWeHack.

Nullcon

I had never attended this conference, and this time I was invited to participate in the LHE, so it was a nice opportunity to go back to Berlin.

The conference was at the Marriott Hotel and was quite tiny, to be honest. Looking at the price of the conference, I thought that it would be way bigger with more stands and stuff.

I didn't go to any talks in the end, as they were during the LHE, but I will probably watch the replays, as some friends gave a talk.

LHE

That was the second LHE by YesWeHack this year, and as I finished first at LeHack, I felt the pressure to do well at this one too. Also, this time, a lot of great hunters were there to compete, so it was very interesting.

As always, we got the target on the day of the event; this time it was TeamViewer. A pretty tough target, and huge, but very interesting to dig into. I teamed up with cosad3s, and we started digging into the app.

TeamViewer is a pretty wide target with a lot of features, rights, and roles. Digging into all of them was impossible, so we split up to look at different parts of the app.

I first found a way to bypass something without having the right to. But it wasn't a real bug in the end, as something was enabled somewhere else. And that was the main issue with the target: not knowing it properly left us thinking about bugs that were not really bugs. That was the case for a lot of teams.

I ended up finding an XSS somewhere, and that was the winning bug, as not a lot of bugs were found during the event. I worked for the whole duration of the event, which ran from 10 AM to 4 PM the day after. The night wasn't long, as I ended up looking for bugs in bed instead of sleeping.

Overall, it was nice being with friends, but the target was hardened. I'm sure that with a whole week we would have found way more bugs, but with two days, it was tough. In the end, I found some other low/medium bugs that helped me gain more points on the leaderboard, finishing first for the second time.

The flower shirt always wins

Also, a huge congrats to @yassine_eal, who finished third. He started bug bounty in January and he is already pretty good.

Final leaderboard

As you can see, the points are very low compared to previous events, so not a lot of bugs were found this time.

It was sad for some other teams that found bugs: as it was hard to manage rights and roles on the app, the TeamViewer team wasn't sure that it was a real flaw, and they didn't pay. Otherwise I wouldn't have won, as their bug was pretty huge. I'm sure you will be able to leverage it, Noam and Xel, to finally get paid.

I was also happy to help a little beginner Geluchat, who just started Bug Bounty, but unfortunately, he wasn't able to find his first bug. Maybe next time, don't lose hope 🫶

The triage team at YWH was still amazing and fast, and the TeamViewer team was great as well, debugging with us and helping activate some features that were hard to understand.

I'm very happy that they gave us trophies this time; they will perfectly fit in my home.

Trophy

Berlin

I love going to Berlin; this city is very beautiful, especially this time, being with friends and hunting together.

Eating Italian stuff in Germany

I'm coming back to Berlin in two weeks to see the Berlin Marathon. I'm not running it this year, but it will be great to see it.

Now it's time to rest a bit and hunt a lot to prepare for the Asia v3 Trip in October.

Aituglo

Paris
The author of this blog, a bug bounty hunter and security researcher who shares his thoughts about the art of hacking.