@GossiTheDog What exactly do you mean with "you can do it over the internet if you have access to any VM".
Do you mean there needs to be an attacker service running on the VM or that just having a service like a webserver running inside such a VM is enough? (As long as said webserver is accessible from external).
Also to what extend would such a service have to be compromised first?