ap @decoder_it Twitter profile

Pinned Tweet

ap

3 years

When (NTLM) relaying potatoes lead you to domain admin... A "permanent" 0day Privilege Escalation Vulnerability in Windows RPC Protocol ;-) cc @splinter_code Our writeup here:

7

374

689

Last Seen Profiles

@Maypearl_ISD

@conklinfisher

@jadabird

@LignaniLab_UCL

@godhote

@Kocaelispor

@q_buster

@viva_ang

@tanjirovhs

@Julieshiinjeri

@Rois_Kenny

@skasriel

@Penultim8

@pengen_stw

@otorihiki_91

@amoniikiyaa

@BltNi

@daimon_way

@proffwolff

@ruairithebitch

@ojedamelanie_

@Rafdoang13

@Elputaejercito

@Bill_Morneau

@KeysColm

@drizzyrami

@andrewscottelec

@MagnificoBaro

@MorrudoGaston

@Nero_Ryze

@RaymondMoore64

@JMB4wasHere

@carlefpaul

@adm1ra

@radon1014

@PAPSingapore

ap

@decoder_it

1 year

We did it again with #LocalPotato ! A not-so-common NTLM reflection attack allowing for arbitrary read/write. Basically EoP from user to SYSTEM. Tracked as #CVE -2023-21746 - Windows NTLM EoP Soon more details --> cc @splinter_code

13

282

747

ap

@decoder_it

5 years

Just uploaded the pdf slides of my talk "whoami /priv" @hackinparis #HIP19

GitHub - decoder-it/whoami-priv-Hackinparis2019: Slides from my talk in "Hackinparis" 2019 edition

Slides from my talk in "Hackinparis" 2019 edition. Contribute to decoder-it/whoami-priv-Hackinparis2019 development by creating an account on GitHub.

github.com

9

269

693

ap

@decoder_it

3 years

#remotepotato0 xsession is finally out! @splinter_code and me released it: Coerce and relay NTLM auth from any user in any session w/o session 0! Enjoy responsibly ;)

Release RemotePotato0 Cross Session Activation · antonioCoco/RemotePotato0

Added Cross session activation to activate a COM object in an arbitrary session. No more session 0 constraints needed. Session can be specified with the -s flag. Credits for the discovery to @tira...

github.com

5

353

672

ap

@decoder_it

2 years

Me and @splinter_code did it again 😜

24

109

654

ap

@decoder_it

4 months

Hello: I'm your ADCS server and I want to authenticate against you. My latest Post and PoC are out. You can read it here: Enjoy :)

Hello: I’m your ADCS server and I want to authenticate against you

In my exploration of all the components and configurations related to the Windows Active Directory Certification Services (ADCS), after the “deep dive” in Cert Publishers group, I decid…

decoder.cloud

13

238

594

ap

@decoder_it

2 years

We have just released a new version of our #JuicyPotatoNG tool to help red teamers/pentesters. Now you can bruteforce clsid's, find open ports and get interactive console. Check it out here: cc @splinter_code

GitHub - antonioCoco/JuicyPotatoNG: Another Windows Local Privilege Escalation from Service Account...

Another Windows Local Privilege Escalation from Service Account to System - GitHub - antonioCoco/JuicyPotatoNG: Another Windows Local Privilege Escalation from Service Account to System

github.com

9

184

456

ap

@decoder_it

2 months

"Hello: I'm your Domain Administrator and I want to authenticate against you". My #SilverPotato is out, check the blog post: 😃

Hello: I’m your Domain Admin and I want to authenticate against you

TL;DR (really?): Members of Distributed COM Users or Performance Log Users Groups can trigger from remote and relay the authentication of users connected on the target server, including Domain Cont…

decoder.cloud

11

207

422

ap

@decoder_it

5 years

I have just published this funny post: From iPhone to NT AUTHORITY\SYSTEM :-) cc @padovah4ck

7

175

380

ap

@decoder_it

4 years

From dropbox(updater) to NT AUTHORITY\SYSTEM

4

168

348

ap

@decoder_it

4 years

Abusing Group Policy Caching

In this post I will show you how I discovered a severe vulnerability in the so-called “Group Policy Caching” which was fixed (among other GP vulnerabilities) in CVE-2020-1317 A standard…

decoder.cloud

5

151

327

ap

@decoder_it

5 months

This is how a specific Group Policy configuration, enabling a security feature bypass, can lead to Privilege Escalation. Full details and examples in my latest blog post ;)

Do not trust this Group Policy!

Sometimes I think that starting with a hypothetical scenario can be better than immediately diving into the details of a vulnerability. This approach, in my opinion, provides crucial context for a …

decoder.cloud

8

111

323

ap

@decoder_it

5 years

CVE-2019-1322 as service user "sc config usosvc binpath= evil.exe" the easiest way eop from service user to system, worked for more than 1 year!

3

120

297

ap

@decoder_it

1 month

POC for #SilverPotato utilizing Kerberos relay vs SMB ;) Starting from @cube0x0 great krbrelay tool with extra layer of complexity to get the SilverPotato beast working.. Still in the rough but will publish soon :-)

4

77

291

ap

@decoder_it

2 years

We (really) did it again! :-) cc: @splinter_code

10

50

273

ap

@decoder_it

4 months

ADCS: Coercing NTLM Auth just for fun (or maybe for profit?)

18

48

263

ap

@decoder_it

9 months

A brief blog post exploring the potential exploitation of a misconfiguration in AD reflected in ADCS

From NTAuthCertificates to “Silver” Certificate

In a recent assessment, I found that a user without special privileges had the ability to make changes to the NTAuthCertificates object. This misconfiguration piqued my curiosity, as I wanted to un…

decoder.cloud

0

99

261

ap

@decoder_it

4 years

As promised, a short post on Hyper-V admin privesc: /cc @padovah4ck @mkolsek

From Hyper-V Admin to SYSTEM

Another episode of the series: From XXX to SYSTEM ! This time I will show you how it is possible to gain SYSTEM privileges on a Windows machine (a fully patched Win 10 in our case) with HYPER-V ena…

decoder.cloud

3

131

255

ap

@decoder_it

4 years

When ntuser.pol leads you to SYSTEM

This is a super short writeup following my previous post . My last sentence was a kind of provocation because I already knew that there were at least 2 “bypasses” for CVE-2020-1317. I d…

decoder.cloud

0

106

248

ap

@decoder_it

6 years

Elevating your privileges to get "Trusted Installer" in order to have full control over protected system files!

3

159

236

ap

@decoder_it

6 years

Just published this simple powershell (c# embeded) portforwarder script wich works even if you are not admin.

GitHub - decoder-it/psportfwd: a simple portforwarder in ps1 with embeded c# code

a simple portforwarder in ps1 with embeded c# code - decoder-it/psportfwd

github.com

3

126

222

ap

@decoder_it

3 years

If you compromise a Windows Service running as "Network Service" , keep in mind that you have write access to all the AD Computer Object properties. Enabling RBC Delegation is just one example for alternate privilege escalation paths ;-)

2

71

217

ap

@decoder_it

4 years

As promised, a short companion post & POC on @tiraniddo recent post

3

119

210

ap

@decoder_it

12 days

Just published a short blog post on abusing the SeRelabelPrivilege ;)

Abusing the SeRelabelPrivilege

In a recent assessment, it was found that a specific Group Poilcy granted via “User Right Assignments” the SeRelabelPrivilege to the built-in Users group and was applied on several comp…

decoder.cloud

2

87

206

ap

@decoder_it

5 years

So MS told me that they won't fix in this release the "vulnerability" in the checks of the "SeTokenCanImpersonate" routines, as suggested by me (), maybe in the next releases? Meantime, enjoy ;-)

Creating Windows Access Tokens

Some time ago I was playing with the STOPZilla exploit which is very interesting and educational because it shows how you can abuse from an arbitrary write from the userland into the kernel. In thi…

decoder.cloud

1

102

200

ap

@decoder_it

5 years

From arbitrary file overwrite to SYSTEM

3

97

199

ap

@decoder_it

15 days

Based on a recent finding, tried to understand on how to abuse the "SeRelabelPrivilege". Thanks to @tiraniddo post , I was able to perform an LPE in its simplest form. -> No security boundary violation ;)

4

59

201

ap

@decoder_it

2 years

If securing o365/azure ad/exchange online is your concern you may find these slides useful

Hands [off_on] MS cloud services.pdf

drive.google.com

0

67

195

ap

@decoder_it

7 months

My latest blog post diving into the world of Windows AD Cert Publishers group is out 🌐✨ Insights with a little bit of silver++ juice :-)

A “deep dive” in Cert Publishers Group

While writing my latest post, my attention was also drawn to the Cert Publishers group, which is associated with the Certificate service (ADCS) in an Active Directory Domain. I was wondering about …

decoder.cloud

4

68

187

ap

@decoder_it

6 years

Never rely on first command always try an alternative one ;-)

3

44

181

ap

@decoder_it

2 years

Active Directory Tip: check on regular basis users/computers with "usercertifcate" attribute count > 10, huge values could stop AD replication between DC's!

2

27

164

ap

@decoder_it

6 years

I'm releasing with @Giutro Juicy Potato, another Local Privilege Escalation tool from a Windows Service Accounts to SYSTEM by abusing the golden privileges ()

Juicy Potato (abusing the golden privileges)

Today me and my partner in crime Giuseppe, are releasing our small research with Windows impersonate privileges. The result is a tool named “Juicy Potato”, which is a kind of sequel of …

decoder.cloud

3

98

162

ap

@decoder_it

2 years

On of my favourite tools for performing AD initial reconnaissance/assessments: dir /s \\<fqn>\SYSVOL\<fqdn> | more

3

21

159

ap

@decoder_it

6 years

As promised.. my post & poc :-)

9

81

159

ap

@decoder_it

4 years

😂Ok yes! soon we'll publish a post & POC

Antonio Cocomazzi

@splinter_code

4 years

We made #JuicyPotato great again! Get the NT AUTHORITY\ @decoder_it privs again :D

6

139

401

2

31

160

ap

@decoder_it

1 year

The #LocalPotato exploit is still vulnerable to HTTP attacks and will not be fixed. Although this is an edge case, it is important to be aware of it and avoid situations that could leave you vulnerable cc @splinter_code

4

53

159

ap

@decoder_it

5 years

Demystifying Windows Service “permissions” configuration

2

59

145

ap

@decoder_it

5 years

9

43

139

ap

@decoder_it

6 years

The slides of my talk "whoami /priv" #RomHack2018 @cybersaiyanIT can be found here:

GitHub - decoder-it/whoami-priv: Slides from my talk "whoami /priv" at Romhack 2018

Slides from my talk "whoami /priv" at Romhack 2018 - decoder-it/whoami-priv

github.com

0

79

138

ap

@decoder_it

4 months

Inspired by @tiraniddo post on "sudo" for Windows, especially in his final statement ;)

1

36

139

ap

@decoder_it

5 months

Exploring a not-so-common method for local privilege escalation, starting from a regular user, with #RemotePotato0 and the help of (mis)configured ADCS cc @splinter_code 1/2

2

35

128

ap

@decoder_it

5 years

added quick & very dirty fix in order to bypass latest MS Defender definitions and new AMSI bypass by @_RastaMouse

GitHub - decoder-it/powershellveryless: Constrained Language Mode + AMSI bypass all in one

Constrained Language Mode + AMSI bypass all in one - decoder-it/powershellveryless

github.com

1

66

127

ap

@decoder_it

2 years

Group Policy Folder Redirection CVE-2021-26887

Two years ago (march 2020), I found this sort of “vulnerability” in Folder Redirection policy and reported it to MSRC. They acknowledged it with CVE-2021-26887 even if they did not real…

decoder.cloud

2

49

126

ap

@decoder_it

5 years

sshserver on Windows is cool for for accessing a remote shell, but somehow limited... no problem, from ssh launch a reverse/bind shell with runas, psexec or whatever calls CreateProcessWithLogon and you get a full shell ;-)

2

43

125

ap

@decoder_it

6 years

Abusing Token Privileges: seImpersonate+seCreateToken=SYSTEM @dronesec @breenmachine

0

78

122

ap

@decoder_it

4 years

Exploiting Feedback Hub in Windows 10

4

50

122

ap

@decoder_it

1 year

With "Azure AD cloud sync service account" it's even easier for a bad actor who already has high local privs on this machine to take over the AD domain, no need o extract the password like the MSOL_ account, just steal/impersonate the token ;)

0

42

121

ap

@decoder_it

2 months

Another intriguing aspect of #SilverPotato : slui.exe - sppui can be found running on an ADCS server, activated by an admin. A simple domain user could then remotely coerce and relay authentication of users logged into the ADCS server, normally high-privileged 😉

2

39

121

ap

@decoder_it

2 years

This is really bad, if you ever installed components of ArcSoft, check this:

3

29

117

ap

@decoder_it

6 years

The power of Backup Operators -> abusing SeBackupPrivilege :-)

6

50

111

ap

@decoder_it

5 years

#powershellveryless C# (CL +AMSI bypass), here the quick&dirty code:

GitHub - decoder-it/powershellveryless: Constrained Language Mode + AMSI bypass all in one

Constrained Language Mode + AMSI bypass all in one - decoder-it/powershellveryless

github.com

2

56

112

ap

@decoder_it

5 years

Windows Named Pipes & Impersonation

0

46

110

ap

@decoder_it

6 years

Getting SYSTEM with a standalone .ps1 script exploiting the "parent process" technique (no NTObjectManager modules)

Getting SYSTEM

In your red teaming or pentesting activities escalating to SYSTEM on a Windows box is always the desired objective. The SYSTEM user is a special operating system user with the highest privilege, m…

decoder.cloud

1

53

109

ap

@decoder_it

3 months

MSRC confirmed vulnerabilities I reported under code name #SilverPotato and #FakePotato . Hoping for a quick fix so I can disclose the findings ;)

3

17

108

ap

@decoder_it

5 years

My latest post about (ab)using the CreateToken privilege and recent additional MS checks bypass

Creating Windows Access Tokens

Some time ago I was playing with the STOPZilla exploit which is very interesting and educational because it shows how you can abuse from an arbitrary write from the userland into the kernel. In thi…

decoder.cloud

0

50

101

ap

@decoder_it

1 year

It seems that there are still other paths for exploiting #LocalPotato even after CVE-2023-21746 patch, right @splinter_code ? Waiting for next fix... ;)

2

26

104

ap

@decoder_it

4 years

Hands off my service account!

Windows service accounts are one of the preferred attack surface for privilege escalation. If you are able to compromise such an account, it is quite easy to get the highest privileges, mainly due …

decoder.cloud

0

40

103

ap

@decoder_it

6 years

Here () you can download the entire c# project of my stand alone version of the RottenPotato c++ net to come!

The lonely potato

Never heard about the “Rotten Potato”? If not, read this post written by the authors of this fantastic exploit before continuing: The mechanism is quite complex, it allows us to interc…

decoder.cloud

0

45

101

ap

@decoder_it

5 years

We have to update our Linux reverse shell cheat sheet with pwsh :)

2

24

94

ap

@decoder_it

8 months

I've just released my old and revisited tool for stealing and playing with Windows tokens.

GitHub - decoder-it/TokenStealer

Contribute to decoder-it/TokenStealer development by creating an account on GitHub.

github.com

0

32

95

ap

@decoder_it

2 years

Published a short blog post on how some stupid misconfigurations can lead to bad scenarios in GP processing

0

43

95

ap

@decoder_it

5 months

#DfsCoerce is still alive ;) I've created a custom version of original DfcCoerce-exe , with the added feature to specify alternate credentials for authentication if running on non-domain-joined machines or you need to execute it as a different user

GitHub - decoder-it/DFSCoerce-exe-2: DFSCoerce exe revisited version with custom authentication

DFSCoerce exe revisited version with custom authentication - decoder-it/DFSCoerce-exe-2

github.com

0

35

95

ap

@decoder_it

6 years

Weaponising the #rottenpotato to abuse COM objects other than BITS ;-)

1

35

85

ap

@decoder_it

4 months

#Localpotato HTTP version never disappoints. Even when your WebDAV share is mounted on a harmless folder. 😄

2

26

87

ap

@decoder_it

1 month

#SilverPotato works also with Kerberos using @tiraniddo I mentioned in my latest post trick 1/2

1

24

87

ap

@decoder_it

1 year

Short blog post on security issue in Windows group policy processing, fixed in CVE-2022-37955

EoP via Arbitrary File Write/Overwite in Group Policy Client “gpsvc” – CVE-2022-37955

Summary A standard domain user can exploit Arbitrary File Write/Overwrite with NT AUTHORITY\SYSTEM under certain circumstances if Group Policy “File Preference” is configured. I reported this findi…

decoder.cloud

2

42

86

ap

@decoder_it

4 years

Had fun playing with @tiraniddo fantastic ntobjectmanager :-)

The strange RPC interface (MS, are you trolling me?)

On a dark and stormy night, I was playing with Forshaw’s fantastic NTOBJECTMANGER library which, among the millions of things, is able to “disassemble” RPC servers and implement …

decoder.cloud

1

30

83

ap

@decoder_it

5 years

A simple powershell named pipe server with impersonation:

0

24

82

ap

@decoder_it

5 months

Here we go... 😅

5

7

76

ap

@decoder_it

2 years

Got the following CVE's in MS October patch Tuesday :) CVE-2022-37994 CVE-2022-37993 CVE-2022-37975

4

8

76

ap

@decoder_it

2 years

Slides from our talk "Relaying to Greatness ..." are available here @BlueHatIL

GitHub - decoder-it/bluehatil22: Slides from out talk at BH IL 2022

Slides from out talk at BH IL 2022. Contribute to decoder-it/bluehatil22 development by creating an account on GitHub.

github.com

1

34

76

ap

@decoder_it

1 year

What a surprise running in #JuicyPotatoNG the "clsid bruteforce" on windows 11/2022. Another CLSID impersonating SYSTEM and which does not require INTERACTIVE cc @splinter_code

3

13

76

ap

@decoder_it

3 years

Just another basic example of what you could do with Remotetepotato0 "cross session attack" (and ntlmrelayx). It's not all about getting domain admin and sitting in session 0 ... cc @splinter_code @tiraniddo

1

18

75

ap

@decoder_it

4 years

Symlinks via \RPC Control still work on latest Win10 Insider Preview

2

21

73

ap

@decoder_it

8 days

As expected, NTLM is now "deprecated." @splinter_code Was wondering what would have happened if we had discovered #LocalPotato after this article🤔

Features removed or no longer developed starting with Windows Server 2025 (preview)

Learn about the features and functionalities removed or no longer developed starting with Windows Server 2025.

learn.microsoft.com

1

14

73

ap

@decoder_it

5 years

Abusing GPO Permissions quick & dirty: grant yourself the Debug Privilege and immagine this on the Default Domain Controller Policy ... :-)

1

26

71

ap

@decoder_it

7 months

Unveiling a surprising twist: the silver certificate () now has an upgrade path to silver++, offering not just persistence, but a touch of privilege escalation! Stay tuned ;)

From NTAuthCertificates to “Silver” Certificate

In a recent assessment, I found that a user without special privileges had the ability to make changes to the NTAuthCertificates object. This misconfiguration piqued my curiosity, as I wanted to un…

decoder.cloud

4

24

69

ap

@decoder_it

4 years

From Hyper-V admin to full system compromise.. coming soon ;-) cc @padovah4ck

1

11

69

ap

@decoder_it

3 years

Following my "old" blog post , I have published the very quick & dirty "juicy_2" code , maybe useful when you have impersonation privs on newer versions of Windows 10 & Server 2019 cc @splinter_code @Giutro

GitHub - decoder-it/juicy_2: juicypotato for win10 > 1803 & win server 2019

juicypotato for win10 > 1803 & win server 2019. Contribute to decoder-it/juicy_2 development by creating an account on GitHub.

github.com

1

35

67

ap

@decoder_it

4 years

When a stupid oplock leads you to SYSTEM

As promised in my previous post, I’m going to show you the second method I found in order to circumvent CVE-2020-1317. Prerequisites Domain user has access to a domain joined Windows machineD…

decoder.cloud

1

33

67

ap

@decoder_it

3 months

I ♥️ this (parts of output omitted for obvious reasons) 😎

0

12

64

ap

@decoder_it

4 years

Just a simple poc for

James Forshaw

@tiraniddo

4 years

A quick blog post for Saturday evening, the unexpected consequence of LSA overloading one Logon Session ID for all service account tokens.

4

125

222

1

11

64

ap

@decoder_it

5 years

Combining @tiraniddo latest Microsoft LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition PE with DiagHub collector exploit -> from standard user to SYSTEM (tested on Win 10 1803)

2

26

64

ap

@decoder_it

3 years

The video of our talk (with @splinter_code ) at Hack In The Box (HITB) 2021 Amsterdam is out!

#HITB2021AMS D2T1 - The Rise Of Potatoes: Priv. Esc. In Windows...

Privilege escalation is a required step for an attacker in order to get full control of a system starting from a lower privileged access.In Windows there are...

www.youtube.com

0

31

63

ap

@decoder_it

1 month

See you at @WEareTROOPERS where I'll be talking about 10 years of Privilege Escalations in Windows using 'Potatoes' including the last juicy ones ;)

2

9

64

ap

@decoder_it

5 years

The world is full of idiots or idiot tools :-( "ModSecurity: (...) AND 1=1 UNION ALL SELECT 1,NULL,'<script>alert("XSS")</script>',table_name FROM information_schema.tables WHERE 2>1--/**/; EXEC xp_cmdshell('cat ../../../etc/passwd')#. "

5

16

61

ap

@decoder_it

3 months

I created another variant of our so-loved *potato family, the #FakePotato . But have to wait MSRC response before disclosing, hopefully soon ;)

2

11

61

ap

@decoder_it

2 years

Setting "ms-DS-MachineAccountQuota =0" will prevent all these funny RBCD<->*relay privilege escalations tricks without too much effort. Why should non admin users (even computer accounts) be able to add computers to an AD domain?

2

16

60

ap

@decoder_it

4 years

Really excited to speak about "WINDOWS PRIVILEGE ESCALATIONS: STILL ABUSING LOCAL SERVICE ACCOUNTS TO GET SYSTEM PRIVILEGES" at @HITBSecConf 2020 in Amsterdam on 23th April with my fellow mate @splinter_code !

Training + Conference Agenda - HITBSecConf2020 - Amsterdam

archive.conference.hitb.org

2

23

60

ap

@decoder_it

2 months

Carefully review the membership of AD domain "Distributed Com Users" or domain Performance Log Users" groups. Taking over the domain is sometimes one step away.. ;)

3

7

60

ap

@decoder_it

6 years

Custom version of C++ Rotten Potato along with some observations ;-)

Potatoes and tokens

I just finished playing with the Rotten Potato C# exploit in order to get it work standalone that the author @breenmachine released the C++ standalone version of “Rotten Potato”. H…

decoder.cloud

0

36

58

ap

@decoder_it

4 years

There is even a better place than 127.0.0.1 :-)

3

1

57

ap

@decoder_it

3 years

The ANONYMOUS_LOGON_LUID trick in creating access tokens () still works in windows 11 :)

Creating Windows Access Tokens

Some time ago I was playing with the STOPZilla exploit which is very interesting and educational because it shows how you can abuse from an arbitrary write from the userland into the kernel. In thi…

decoder.cloud

1

19

57

ap

@decoder_it

3 years

I'm an AV bypass noob so I think MS Defender should do a deeper inspection .. btw don't rely only on AV 's and patch #ProxyLogon (as usual)

1

12

58

ap

@decoder_it

3 years

Ok we have to admit, it was just an april's fool's day.. soon we will disclose a new *potato* exploit 💪

Antonio Cocomazzi

@splinter_code

3 years

We ( @decoder_it and I) have decided to stop any new research related to Potato exploits and to archive all current repositories. So... no more potatoes :(

8

5

32

5

8

57

ap

@decoder_it

3 years

Nothing special, just for fun: Nivida + Chrome=DLL Hijacking 😅

1

7

57

ap

@decoder_it

4 months

And of course, WebDAV bypasses Redirection Trust mitigation too (as long as w3wp won't be affected). Thanks to @splinter_code for the hint ;)

4

19

55

ap

@decoder_it

3 years

Did you know? Starting from MS November 2020 patch, it is no more possible to alter NTLM messages in relaying attacks even if SIGN flag is not set, now MIC seem to be always verified cc @splinter_code

1

24

54

ap

@decoder_it

4 years

The strange case of “open-ssh” in Windows Server 2019

1

27

53

ap

@decoder_it

4 years

@itm4n @cesarcer The impersonation game never ends! so we have: - Rotten/Juicy - RogueWinRM - Network Service / RPCSS token kidnapping - PrintSpoofer - RoguePotato - Chimicurri Reloaded - Juicy_2 if you have Impersonation privileges you are SYSTEM!

2

13

53