Introduction
This is my write-up for the Century PowerShell wargame from Under the Wire. I would like to extend my thanks to the Under the Wire team for providing these wargames for my own personal enjoyment and education.
Century - Level 0 -> Level 1
Pulling the data from the website so it is available. The only objective to this level is to connect to the wargame with the following information using PSRemoting/SSH.
- Domain: century.underthewire.tech
- SSH Port: 22
- Username: century1
- Password: century1
The goal of this level is to log into the game. To access the game, you will need to obtain the initial credentials via the #StartHere channel on our Slack. After obtaining the credentials, choose one of the two options below to connect to the server.
We recommend using SSH as PSRemoting is in the experimental state. No functionality is lost with SSH as you will be dropped into a PowerShell console.
Option One - SSH (Preferred Method)
- You will need a SSH client such as Putty. The host to which you need to connect is century.underthewire.tech, on port 22.
- When prompted, use the credentials for the applicable game find in the #StartHere Slack channel.
- You have successfully connected to the game server when your path changes to
[century.underthewire.tech]:.
Option Two - PSRemoting
Known Issues:
- Some users report connection errors when attempting to enter a PSSession.
- Some users may experience a “max user” error when going from level to level. This is due to a limitation from Microsoft with the number of concurrent users using PSRemoting. The error usually resolves itself within a few minutes.
You will need to import the server’s certificate and start a remote interactive session with the game server.
Open PowerShell on your system.
Copy and paste the below to import the certificate for the game server. Without this, you will not be able to connect to it.
$webRequest = [Net.WebRequest]::Create("https://games.underthewire.tech:5986/wsman")
try { $webRequest.GetResponse() } catch {}
$cert = $webRequest.ServicePoint.Certificate
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "Root", "CurrentUser"
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()
Test-WSMan -ComputerName games.underthewire.tech -port 5986 -UseSSL
- Copy and paste the below to initiate the connection to the game server. You will need to do this for each level you log into as well.
Enter-PSSession -ComputerName games.underthewire.tech -UseSSL -port 5986 -Credential (Get-Credential)
When prompted, use the credentials for the applicable game find in the #StartHere Slack channel.
You have successfully connected to the game server when your path changes to
[games.underthewire.tech]: PS C:\Users\century1\Documents>
Solution
SSH into the level using the password taken from the Heroku application.
Century - Level 1 -> Level 2
Level Goal
Below is the level goal that I pulled from the website.
The password for Century2 is the build version of the instance of PowerShell installed on this system.
NOTE:
- The format is as follows:
**.*.*****.**** - Include all periods
Solution
Simple solution. SSH into the box either using SSH or PuTTY and type in the following command to obtain the PowerShell version table. The objective is to look for the build version of the computer.
Build Version is below in the following code snippet.
PS C:\Users\century1\documents> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.14393.2791
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.14393.2791
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
As said, the build version for PowerShell can be found in the BuildVersion parameter. BuildVersion for this system is 10.0.14393.2791, which is also the password to the next level - century2.
Password for the next level is below:
- Username: century2
- Password: 10.0.14393.2791
Century - Level 2 -> Level 3
Level Goal
Goal for the level can be found below.
The password for Century3 is the name of the built-in cmdlet that performs the wget like function within PowerShell PLUS the name of the file on the desktop.
NOTE:
- If the name of the cmdlet is “get-web” and the file on the desktop is named “1234”, the password would be “get-web1234”.
- The password will be lowercase no matter how it appears on the screen.
Solution
PS C:\Users\century2\documents> Get-Command *WebRequest*
CommandType Name Version Source
----------- ---- ------- ------
Cmdlet Clear-WebRequestTracingSetting 1.0.0.0 WebAdministration
Cmdlet Clear-WebRequestTracingSettings 1.0.0.0 WebAdministration
Cmdlet Disable-WebRequestTracing 1.0.0.0 WebAdministration
Cmdlet Enable-WebRequestTracing 1.0.0.0 WebAdministration
Cmdlet Get-WebRequest 1.0.0.0 WebAdministration
Cmdlet Invoke-WebRequest 3.1.0.0 Microsoft.PowerShell.Utility
PS C:\Users\century2\documents> ls ..\Desktop
Directory: C:\Users\century2\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/30/2018 3:29 AM 693 443
The username and password for century3.
- Username: century3
- Password: invoke-webrequest443
Century - Level 3 -> Level 4
Level Goal
The password for Century4 is the number of files on the desktop.
Solution
The goal of the level is to obtain a count of the number of files on the Desktop.
Time to get an idea of what is in the Desktop directory. Changed directories to the Desktop directory for the user and ran Get-ChildItem. Looks like there are a bunch of text files with a bunch of random names.
PS C:\Users\century3\desktop> Get-ChildItem -Path .
Directory: C:\Users\century3\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/30/2018 3:29 AM 33 countme1012
-a---- 8/30/2018 3:29 AM 33 countme1064
-a---- 8/30/2018 3:29 AM 33 countme1079
-a---- 8/30/2018 3:29 AM 33 countme1099
-a---- 8/30/2018 3:29 AM 33 countme1118
-a---- 8/30/2018 3:29 AM 33 countme1128
-a---- 8/30/2018 3:29 AM 33 countme1134
-a---- 8/30/2018 3:29 AM 33 countme1153
-a---- 8/30/2018 3:29 AM 33 countme1171
-a---- 8/30/2018 3:29 AM 33 countme1202
Now to expand on the previous Cmdlet. There is a way to pull this data by piping the command to the Measure-Object Cmdlet. This will count all the items that the Get-ChildItem command lists. To filter out any unnecessary items, I decided to filter the Count object output from the Measure-Object Cmdlet. The result to this command shows the count is 123.
PS C:\Users\century3\Desktop> Get-ChildItem -Path "." | Measure-Object | Select-Object Count
Count
-----
123
Below are the credentials to the next level.
- Username: century4
- Password: 123
Century - Level 4 -> Level 5
Level Goal
The password for Century5 is the name of the file within a directory on the desktop that has spaces in its name.
NOTE:
- The password will be lowercase no matter how it appears on the screen.
Solution
After sshing into the century4 account on the box it is time to investigate the new level goal. A simple Get-ChildItem of the Desktop directory shows a directory with spaces called Can You Open Me. Pretty simple solution to this.
PS C:\Users\century4\documents> Get-ChildItem ..\Desktop
Directory: C:\Users\century4\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 8/30/2018 3:29 AM Can You Open Me
To access the directory, you can put quotes around the directory. You can also let TAB completion do the work for you. In this case, the file in the Can You Open Me directory is named 61580. Therefore, so is the password.
PS C:\Users\century4\documents> Get-Content '..\Desktop\Can You Open Me\61580'
Great Work! Keep it up.
Below are the credentials for the next level.
- Username: century5
- Password: 61580
Century - Level 5 -> Level 6
Level Goal
The password for Century6 is the short name of the domain in which this system resides in PLUS the name of the file on the desktop.
NOTE:
- If the short name of the domain is “blob” and the file on the desktop is named “1234”, the password would be “blob1234”.
- The password will be lowercase no matter how it appears on the screen.
Solution
In this level, the goal is to find the short name of the domain of the system you have SSHed to and add the name of the file located on the Desktop.
Do accomplish this, I used the Get-ADDomain Cmdlet to obtain this information by looking at the Name and the NetBIOSName in the output. The values for these can be found below.
PS C:\Users\century5\documents> Get-ADDomain
AllowedDNSSuffixes : {}
ChildDomains : {}
ComputersContainer : CN=Computers,DC=underthewire,DC=tech
DeletedObjectsContainer : CN=Deleted Objects,DC=underthewire,DC=tech
DistinguishedName : DC=underthewire,DC=tech
DNSRoot : underthewire.tech
DomainControllersContainer : OU=Domain Controllers,DC=underthewire,DC=tech
DomainMode : Windows2016Domain
DomainSID : S-1-5-21-758131494-606461608-3556270690
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=underthewire,DC=tech
Forest : underthewire.tech
InfrastructureMaster : utw.underthewire.tech
LastLogonReplicationInterval :
LinkedGroupPolicyObjects : {cn={ECB4A7C0-B4E1-41B1-9E89-161CFA679999},cn=policies,cn=system,DC=underthewire,DC=tech,
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=underthewire,DC=tech}
LostAndFoundContainer : CN=LostAndFound,DC=underthewire,DC=tech
ManagedBy :
Name : underthewire
NetBIOSName : underthewire
ObjectClass : domainDNS
ObjectGUID : bdccf3ad-b495-4d86-a94c-60f0d832e6f0
ParentDomain :
PDCEmulator : utw.underthewire.tech
PublicKeyRequiredPasswordRolling : True
QuotasContainer : CN=NTDS Quotas,DC=underthewire,DC=tech
ReadOnlyReplicaDirectoryServers : {}
ReplicaDirectoryServers : {utw.underthewire.tech}
RIDMaster : utw.underthewire.tech
SubordinateReferences : {DC=ForestDnsZones,DC=underthewire,DC=tech, DC=DomainDnsZones,DC=underthewire,DC=tech, CN=Configuration,DC=underthewire,DC=tech}
SystemsContainer : CN=System,DC=underthewire,DC=tech
UsersContainer : CN=Users,DC=underthewire,DC=tech
To finish it off, I listed the contents of the Desktop directory using the Get-ChildItem Cmdlet. Result of running this can be found below.
PS C:\Users\century5\documents> Get-ChildItem ..\Desktop\
Directory: C:\Users\century5\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/30/2018 3:29 AM 54 3347
Below are the credentials for the next level.
- Username: century6
- Password: underthewire3347
Century - Level 6 -> Level 7
The password for Century7 is the number of folders on the desktop.
Solution
So the goal for this challenge is to find the number of folder/directories on the Desktop.
With this one you can just use the Get-ChildItem Cmdlet and pipe it to the Measure-Object command. This will pull a listing of the Desktop’s contents and obtain a count of said contents. The output for this one liner can be found below.
PS C:\Users\century6\documents> Get-ChildItem ..\Desktop\ | Measure-Object
Count : 197
Average :
Sum :
Maximum :
Minimum :
Property :
Below are the credentials for the next level.
- Username: century7
- Password: 197
Century - Level 7 -> Level 8
The password for Century8 is in a readme file somewhere within the contacts, desktop, documents, downloads, favorites, music, or videos folder in the user’s profile.
NOTE:
- The password will be lowercase no matter how it appears on the screen.
Solution
Goal for the level is to find the Readme file within the specified directories above.
To find the Readme file, I just chose to use the -Recurse flag in the Get-ChildItem Cmdlet from Century7’s home directory.
The -Recurse flag in this Cmdlet will list the contents of the specified directories recursively. So, if there are files (not in hidden mode) in these directories, it will show them including the full path to the file.
In this case, the Readme file was in C:\Users\century7\Downloads.
PS C:\Users\century7> Get-ChildItem .\ -Recurse
Directory: C:\Users\century7
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 7/16/2016 1:23 PM Desktop
d-r--- 8/30/2018 3:10 AM Documents
d-r--- 8/30/2018 3:29 AM Downloads
d-r--- 7/16/2016 1:23 PM Favorites
d-r--- 7/16/2016 1:23 PM Links
d-r--- 7/16/2016 1:23 PM Music
d-r--- 7/16/2016 1:23 PM Pictures
d----- 7/16/2016 1:23 PM Saved Games
d-r--- 7/16/2016 1:23 PM Videos
Directory: C:\Users\century7\Downloads
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/30/2018 3:29 AM 7 Readme
After finding that, you can just read it with the Get-Content Cmdlet and it will output the file’s contents.
PS C:\Users\century7> Get-Content -Path .\Downloads\Readme
7points
The credentials to the next level are below.
- Username: century8
- Password: 7points
Century - Level 8 -> Level 9
Level Goal
The password for Century9 is the number of unique entries within the file on the desktop.
Solution
The objective for this level is to count the number of unique words/entries in a file located on the Desktop.
First, I verified that the file was there. Using the Get-ChildItem Cmdlet, I checked the desktop and there is a file named unique.txt on the Desktop.
PS C:\Users\century8\documents> Get-ChildItem ..\Desktop
Directory: C:\Users\century8\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/30/2018 3:33 AM 15858 unique.txt
Now it’s time to get to work. To obtain the count of unique items in the unique.txt file, I read the file using the Get-Content Cmdlet and pipped it into the Get-Unique Cmdlet. This will sort through the items in the file and pick out unique entries. Finally, I used the Measure-Object Cmdlet to measure the count of unique entries.
The output of this one liner can be found below.
PS C:\Users\century8\documents> Get-Content ..\Desktop\unique.txt | Get-Unique | Measure-Object
Count : 696
Average :
Sum :
Maximum :
Minimum :
Property :
The credentials for the next level are below.
- Username: century9
- Password: 696
Century - Level 9 -> Level 10
Level Goal
The password for Century10 is the 161st word within the file on the desktop.
NOTE:
- The password will be lowercase no matter how it appears on the screen.
Solution
Based on the level goal, the password for Century10 is the 161st word within the file on the desktop. So, we will need to figure out how to iterate through the file and find word 161 in it.
First to start out by verifying the file’s location. It is indeed in the Desktop directory.
PS C:\Users\century9\documents> Get-ChildItem ..\Desktop
Directory: C:\Users\century9\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/30/2018 3:34 AM 2131 Word_File.txt
Attempted to utilize the command below, but that didn’t work. It will output the 161st index of the text file. When you open the file with Get-Content it just puts the file’s contents into one string. Attempting to look through this using an index, it just outputs one of the letters within the string. It is not looking through the individual words.
PS C:\Users\century9\documents> (Get-Content ..\Desktop\Word_File.txt)[161]
i
Needed to use Split() to make every word a substring before obtaining the index. The following command will take the string from the outputted file and it into an index. Considering that the first value in an index is zero, we need to subtract 161 by 1 to find the correct value.
PS C:\Users\century9\documents> (Get-Content ..\Desktop\Word_File.txt).Split() | Select-Object -Index (161 - 1)
peirid
The credentials to the next level can be found below.
- Username: century10
- Password: peirid
Century - Level 10 -> Level 11
The password for Century11 is the 10th and 8th word of the Windows Update service description combined PLUS the name of the file on the desktop.
NOTE:
- The password will be lowercase no matter how it appears on the screen.
- If the 10th and 8th word of the service description is “apple” and “juice” and the name of the file on the desktop is “88”, the password would be “applejuice88”.
Solution
Based on the level goal above, the password for Century11 is the 10th and the 8th word of the Windows Update Service’s description. It is also the name of the file on the desktop of the Century10 account. We have our goal, now let’s get started.
To find the solution to the problem I needed to do a little research on Windows Management Instrumentation (WMI) objects and how to obtain the data that I need. I decided to start with the Win32_Service class and bang on that for a little while.
Based on Microsoft’s documentation, the Win32_Service class represents a service on windows system. By utilizing the Get-WmiObject Cmdlet, we can obtain all the information we need from the Windows Update Service.
I feel that I need to explain the command below a little bit. First, I use the Get-WmiObject to query the Win32_Service class and filter out the wuauserv service. This is the Windows Update Service. Then, I pipe the output of that to Select-Object and Description to parse out the data from the description. Parse only the text data for the Description and I use the Split method of the System.String class to put the description into an array. Finally, I piped the data into Select-Object and selected index 10.
All this outputted one word from the description. Windows.
PS C:\Users\century10\documents> ((Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'" | Select-Object Description).Description).Split() | Select-Object -Index (10 - 1)
Windows
For the next word, I followed the same process and just replaced the index that I was pulling with 8. This outputted updates for the next word.
PS C:\Users\century10\documents> ((Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'" | Select-Object Description).Description).Split() | Select-Object -Index (8 - 1)
updates
Now for the last bit that I need, I obtained the child folders of the desktop using the Get-ChildItem command I put parentheses around the command so that it outputs the value of the Name property.
PS C:\Users\century10\documents> (Get-ChildItem ..\Desktop\).Name
110
Together all this data provides the string Windowsupdates110. Note that the password for these levels is all lower case. So, it will be windowsupdates110.
The password to the next level is below.
- Username: century11
- Password: windowsupdates110
Century - Level 11 -> Level 12
The password for Century12 is the name of the hidden file within the contacts, desktop, documents, downloads, favorites, music, or videos folder in the user’s profile.
NOTE:
- Exclude “desktop.ini”.
- The password will be lowercase no matter how it appears on the screen.
Solution
The objective for this level is to find the hidden file that is either located in the contacts, desktop, documents, downloads, favorites, music, or videos directories in the user profile.
The Under the Wire team hints that you will want to exclude the desktop.ini file. However, I just decided to search the Downloads directory for files with hidden mode on and I found the file.
PS C:\Users\century11> Get-Childitem -Path .\Downloads -Hidden
Directory: C:\Users\century11\Downloads
Mode LastWriteTime Length Name
---- ------------- ------ ----
--rh-- 8/30/2018 3:34 AM 30 secret_sauce
The credentials of the next level can be found below.
- Username: century12
- Password: secret_sauce
Century - Level 12 -> Level 13
The password for Century13 is the description of the computer designated as a Domain Controller within this domain PLUS the name of the file on the desktop.
NOTE:
- The password will be lowercase no matter how it appears on the screen.
- If the description “today_is” and the file on the desktop is named “_cool”, the password would be “today_is_cool”.
Solution
This one was fun. So, in this level the objective is to find the description of the Domain Controller and add the name of the file on the Desktop.
Honestly, I didn’t know the hostname for the Domain Controller. Had no clue. So, I used the Get-ADDomainController to obtain this information. If you look at the HostName and its value, you will see that the name for the Domain Controller is utw.underthewire.tech or just utw.
PS C:\Users\century12\documents> Get-ADDomainController
ComputerObjectDN : CN=UTW,OU=Domain Controllers,DC=underthewire,DC=tech
DefaultPartition : DC=underthewire,DC=tech
Domain : underthewire.tech
Enabled : True
Forest : underthewire.tech
HostName : utw.underthewire.tech
InvocationId : 09ee1897-2210-4ac9-989d-e19b4241e9c6
IPv4Address : 192.99.167.156
IPv6Address :
IsGlobalCatalog : True
IsReadOnly : False
LdapPort : 389
Name : UTW
NTDSSettingsObjectDN : CN=NTDS Settings,CN=UTW,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC
=underthewire,DC=tech
OperatingSystem : Windows Server 2016 Standard
OperatingSystemHotfix :
OperatingSystemServicePack :
OperatingSystemVersion : 10.0 (14393)
OperationMasterRoles : {SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster...}
Partitions : {DC=ForestDnsZones,DC=underthewire,DC=tech, DC=DomainDnsZones,DC=underthewire,DC=tech,
CN=Schema,CN=Configuration,DC=underthewire,DC=tech,
CN=Configuration,DC=underthewire,DC=tech...}
ServerObjectDN : CN=UTW,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=underthewire,DC=
tech
ServerObjectGuid : df17c8a3-dd76-438b-8ddf-b7ad3e624618
Site : Default-First-Site-Name
SslPort : 636
Now that I’ve found the name for the Domain Controller. It is time to search Active Directory with the Get-ADComputer Cmdlet. All you have to do is just specify that you want the Description property, and you get it. Output can be seen below.
PS C:\Users\century12\documents> Get-ADComputer -Identity UTW -Property Name,Description
Description : I_Authenticate
DistinguishedName : CN=UTW,OU=Domain Controllers,DC=underthewire,DC=tech
DNSHostName : utw.underthewire.tech
Enabled : True
Name : UTW
ObjectClass : computer
ObjectGUID : 5ca56844-bb73-4234-ac85-eed2d0d01a2e
SamAccountName : UTW$
SID : S-1-5-21-758131494-606461608-3556270690-1000
UserPrincipalName :
Now it is just time to obtain the name of the file on the Desktop. To accomplish this, I just listed the contents of the Desktop directory. Name of the file is _things.
PS C:\Users\century12\documents> Get-ChildItem ..\Desktop\
Directory: C:\Users\century12\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/30/2018 3:34 AM 30 _things
The crendentials for the next level can be found below.
- Username: century13
- Password: i_authenticate_things
Century - Level 13 -> Level 14
The password for Century14 is the number of words within the file on the desktop.
Solution
Based on the level goal, to obtain the password to Century14 you need to count the number of words in the file located on Century13’s Desktop.
First, check to see which file is on the Desktop. Using the Get-ChildItem command, we find out that the file’s name is countmywords.
PS C:\Users\century13\documents> Get-ChildItem ..\Desktop\
Directory: C:\Users\century13\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/30/2018 3:38 AM 7894 countmywords
Now that we know where the file is, it is time to play with it a little bit. When I attempted obtain the word count before, the Measure-Object Cmdlet didn’t measure all the words in the file. It just counted the string, which there is only 1 string in the array that Measure-Object is looking through.
PS C:\Users\century13\documents> Get-Content ..\Desktop\countmywords | Measure-Object
Count : 1
Average :
Sum :
Maximum :
Minimum :
Property :
Seems a little repedative, but I decided to just use Split() to put all of the individual words into an array. Then I counted the number of words that way. This worked, based on the output that is provided below.
PS C:\Users\century13\documents> (Get-Content ..\Desktop\countmywords).Split() | Measure-Object
Count : 755
Average :
Sum :
Maximum :
Minimum :
Property :
Credentials for then next level are below.
- Username: century14
- Password 775
Century - Level 14 -> Level 15
The password for Century15 is the number of times the word “polo” appears within the file on the desktop.
Solution
So, based on the level goal, the password to the Century15 user account is the number of times the word polo appears in the file on the desktop.
First order of business is to find the file. I issued the command below and that showed the file named countpolos on the Desktop.
PS C:\Users\century14\documents> Get-ChildItem ..\Desktop
Directory: C:\Users\century14\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/30/2018 11:24 PM 202900 countpolos
Now it is time to formulate a one liner that will get me this result. My go to is to just use the Get-Content Cmdlet and split countpolos contents into an array.
Then, when you need to pipe into Select-String and use the regex pattern ^polo. I needed to do it this way because PowerShell was recognizing words that had polo in it. It wasn’t working out to well. When you use a carrot ^ at the beginning of your string it will match the beginning of the line that has polo in it.
Once you use that to parse everything out, you can start measuring the count using the Measure-Object Cmdlet.
PS C:\Users\century14\documents> (Get-Content ..\Desktop\countpolos).Split() | Select-String -Pattern '^polo' | Measure-Object
Count : 153
Average :
Sum :
Maximum :
Minimum :
Property :
Credentials for the next level are below.
- Username: century15
- Password: 153
Century - Level 15
Level Goal
Below is the output when you reach level 15 in the project.
Congratulations!
You have successfully made it to the end!
Try your luck with other games brought to you by the Under the Wire team.
Thanks for playing!
Solution
Just login to the century15 user account using the credentials obtained in the previous level.
There is no solution needed for this level. The Wargame is complete. Again, I would like to thank the Under the Wire team for creating Century. I learned a lot from it.