
Certified Lead Pen Test Professional

Training

Correction Key for Exercises


Attention: This document aims to help the trainee understand the exercises.
Answers contained in this correction key are just examples of possible
answers. In some cases, other answers can be accurate.

www.pecb.com
Certified Lead Pen Test Professional
Exercises Form
© 2015 Parker Solutions Group, Sysca Consulting

Exercise 1: Reasons to undertake penetration testing


Please read the following parts of the case study provided for this course:
• History of the business enterprise
• Main services

Based on this information, determine and explain the three greatest
advantages of implementing a programme of pro-active penetration testing. Also
please explain how these benefits could be measured.

Advantage 1) Allows the identification of risks before incidents occur and allows the
likelihood of the risk to be more accurately calculated. This will allow the organization
to focus security efforts in the right areas based on proven scenarios.

How can the organization measure this advantage? Measuring security spending
against risk, measuring the number of actual security incidents (which should reduce
either in number or impact).

Advantage 2) Using pro-active penetration testing with suitable follow-ups will allow
the organization to demonstrate compliance with key standards and legal
requirements, e.g. PCI-DSS, ISO/IEC 27001, and Data Protection Legislation. This
may also allow the organization to fulfil customer contractual requirements.

How can the organization measure this advantage? Results from compliance audits
and successful certifications, contract wins based (partially) on security posture.

Advantage 3) Reduced exposure to real world security attacks. Having an
environment formally tested allows the organization to prepare for and be more
resilient to specific attacks.

How can the organization measure this advantage? Number of incidents, severity of
the impact of such incidents, ability to recover from incidents more quickly.


Exercise 2: Penetration Testing and Ethics


Please review the 5 scenarios below and state how you may respond to these
situations as a Lead Penetration Tester. Please justify your answer considering the
Ethical Principles discussed in this section. Prepare to discuss your answers during a
class discussion.

1. During the penetration test a member of the IT team requests your permission
to use the notes you have collected and raw scan results to conduct a case study
exercise on penetration testing for their university studies. You have been
assured that the information will be sanitized and that no vulnerability details will
be shared externally.

Whilst the Lead Penetration Tester should wish to be helpful and encourage interest
in the topic of security, these details should not be simply shared in this way. The IT
team member should be advised that the report will be completed and circulated to
the authorized recipients. They should speak with the authorized recipient about
their intentions and the recipient can make a decision on what can be/should be
shared. The Lead Penetration Tester is of course to give advice and general
information to the interested IT team member but must always be aware of the terms
of engagement with the organization.

2. The client has contracted the penetration testing team to test, amongst other
systems, a specific wireless network. According to the network design and architecture
documents there is only one wireless network that belongs to the client in the
building. You identify this network but also identify a number of other wireless
networks which have SSIDs very similar to the client’s name. You speak with the
client’s IT Manager and they tell you they know nothing about these other
networks but ask that you test them anyway as they want to know more about
what these networks are and the levels of security they offer.

It would not be ethical to simply launch tests on the other wireless networks unless 1)
the scope was adjusted and the authority to conduct these tests was documented
and formally signed off by the organization and 2) the organization can confirm that
these networks are indeed owned by them or are attached to the corporate network
(i.e. a rogue access point and not a wireless network belonging to an organization in
a neighboring building). Should the tester go ahead and perform such a test on a
verbal instruction, they may end up accessing systems belonging to other
organizations who could be impacted and in the worst case could take legal action
against the test team.

3. You identify during the testing that a number of servers appear to be running
unlicensed software. The IT Manager confirms that this is the case and advises
that the situation is due to budget constraints but that the software will be
correctly licensed as soon as the new annual budget is made available in the next
two months.

Careful consideration needs to be given in this scenario. This offence is not
necessarily a compulsorily notifiable illegal act (this depends on the territory; always
be familiar with local law). In the first instance the tester should discuss this with the
relevant organizational representative. Following this the findings should be clearly
stated in the report along with details of any meetings held and planned actions that
were agreed. The report should be clear on the implications of failing to carry out
these actions and the implications of non-compliance.


4. You discover a large quantity of pornographic photos involving children on one of
the organization’s servers.

In this type of case, the penetration tester should usually alert the persons in charge
of security, human resources and/or legal resources in the organization. Depending
on the country’s legislation this situation may be a compulsorily notifiable illegal act
and thus the penetration tester will be duty bound to report the situation to the
authorities. It should be noted that the penetration tester is not an investigator (even if
they have such skills) and it is not the role of the tester to investigate or gather further
evidence.

5. An ex-employee of an organization you are about to test contacts you to inform
you that this organization has several security problems that they are trying to
conceal before your penetration test. He states that they need a good clean report
to win a contract hence the motivation to conceal issues. This employee proposes
to send documentation to prove the facts he is putting forward.

The penetration tester must not base test plans on hearsay. The person probably has
a score to settle with his former employer and therefore does not represent a reliable
source of information. In addition, the documents in his possession are, no doubt,
held in violation of his old work contract. In that case, the penetration tester should
politely refuse his help. The penetration tester should report this situation to the
client. It is the client’s decision whether they wish to investigate the matter further. In
terms of the testing, a professional penetration tester will carry out the tests according
to the agreed and signed off scope. If such security problems do exist, a
professionally executed test will identify such issues.


6. Your client is an outsourcing company. You have been advised by the client’s
Head of IT before the test of a specific system that the testing has been
commissioned upon the demands of their customer. The Head of IT has stated that
the number of vulnerabilities in the report and the severity of them will affect
whether their customer allows the new service to go live. She advises that failure
to go live will cost the outsourcing company a significant sum of money.

You conduct the test of the system and find multiple serious vulnerabilities. Upon
reviewing the report the Head of IT states that she is not happy with the number
of “high” findings and that this will have a negative impact when it is shown to
their customer. She asks if you would be willing to create a separate report for
their customer which would not include some of the issues (which she believes
are irrelevant to the customer) and would show some of the issues in a less
serious light.

Whilst a professional penetration testing team must support its direct client, this does
not allow any of the test team to create reports which are knowingly
inaccurate, misleading or at worst fraudulent. It may be acceptable to create a
“customer facing” report which is laid out in a more business friendly manner;
however, it would not be acceptable to hide findings or change risk ratings unless the
test team genuinely believes that the original risk ratings were incorrect. If the
penetration testing team were to meet the request in this scenario they would be
leading an organization to a false sense of security which at best is unethical and at
worst could result in legal action being taken against the team in the event that an
incident occurred relating to a finding they deliberately omitted or downplayed.


Exercise 3

Asset 1: Background Checking Service

Risk scenario #1
Threat: Theft of documentation by disgruntled employees.
Vulnerability: Lack of a clear process for handling passports and other forms of
identity documents.
Impacts: Direct impact on individuals including stress and possible identity theft.
Impact on the business in terms of negative publicity, lost customers and potential
legal action under Data Protection legislation.
C I A: X

Risk scenario #2
Threat: Hacking attack against the background checking web application.
Vulnerability: Poor corporate network security, single factor authentication, failure
to identify key vulnerabilities within the application.
Impacts: Loss/theft of key records, deletion of key records, system disruption.
C I A: X X X


Asset 2: Corporate Network and Servers

Risk scenario #1
Threat: Unauthorized access going undetected.
Vulnerability: Lack of any Intrusion Detection Solution or proactive monitoring or
log management.
Impacts: Potential serious and prolonged attacks going undetected leading to loss of
confidentiality (information theft and identity theft) or fraudulent activity.
C I A: X X

Risk scenario #2
Threat: External attack using the Outlook Web Access.
Vulnerability: Outlook Web Access is enabled on the main Microsoft Exchange server
with an internet facing URL; however, this is not protected or held in a clear DMZ.
Impacts: An attack against the Microsoft OWA site could allow inbound access to all
key corporate systems leading to system outages, data theft and fraudulent activity.
C I A: X X X

Asset 3: Recruitment Service

Risk scenario #1
Threat: External attacker focused on identity theft.
Vulnerability: Large number of personal records held in a database on a shared
platform containing security vulnerabilities.
Impacts: Attack resulting in the theft of large volumes of personal data. Potential
serious reputational damage and associated legal action.
C I A: X

Risk scenario #2
Threat: Insiders from branch offices accessing the database and copying bulk data.
Vulnerability: Access from branch offices not controlled, poor authentication
controls, lack of logging, lack of clear authorization within the database.
Impacts: Attack resulting in the theft of large volumes of personal data. Ongoing
fraudulent activity.
C I A: X X

Risk scenario #3
Threat: Hardware failure.
Vulnerability: Multiple Virtual Machines on one machine with no specific resilience
controls in place.
Impacts: System outage for prolonged periods leading to the organization being
unable to serve its customers. Possible reputational damage and loss of customers
to rivals.
C I A: X


Exercise 4: Test Types

In groups please discuss and identify the advantages and disadvantages
of each of the test types:
• White Box
• Black Box
• Grey Box
• Internal
• External
• Announced
• Unannounced

In what circumstances would you recommend these particular test
types?

White Box testing is designed for cases where the scenario to be
tested is to identify what an insider or person with valid (or stolen)
credentials could do once authenticated. White Box testing could
also be applied where a rigorous test of a specific system is
required. One advantage of a White Box test is to also reduce time
spent. For example, if the purpose of the test is to identify what an
individual can do once they have credentials, providing credentials
(rather than carrying out a Black Box test) will save time and allow the
tester to focus on the key scenarios.

Black Box testing is useful if the organization wants to identify what
a person(s) external to the organization without any insider
knowledge or credentials can do. Can an external person(s) gather
information about the organization, map the organization's network,
steal certain data etc.? Black Box tests may be technical (i.e. identify
if systems can be seen and then attacked) but may equally involve
techniques such as social engineering or attempting to gain
physical access to buildings and information/systems.

Grey Box is a more comprehensive test where both White and
Black Box techniques are used. The purpose of this test is to look
at both scenarios of individuals with and without credentials. This
may also go further; for example, if the system being tested has
multiple levels of authentication then multiple credentials could be
used.

An Announced penetration test is conducted at a certain point in time
and all key staff are aware of the test. This reduces the risk of false
alarms (e.g. security incidents being identified and actions being
taken) and allows those involved in monitoring systems to see if
they can identify attacks etc.

An Unannounced test is still authorized; however, key people may not
be aware the test is taking place. One key purpose of this approach
is to test the organization's ability to identify and address incidents
such as cyber-attacks, social engineering etc. For example, when
attempting to gain unauthorized access to a system, do the system
administrators notice? If so, how do they react? Is the reaction
successful and in line with policy? Could the organization really
respond in the event of a real world attack?

Exercise 5:

From the information provided in the case study, please provide a
proposed scope for the penetration test including details of the relevant
boundaries. The scope should add value but be limited where possible to
manage the associated costs.

For the first test I would propose that this should be conducted to cover:
• An external test to identify if the DMZ and perimeter firewall can be
compromised.
• An external test of the Outlook Web Access configuration to identify if
this can be compromised leading to further attack vectors.
• An external test of the core website and applications and the mobile
applications looking for application vulnerabilities.
• An internal test of the VM server and underlying platform to identify if the
underlying platform can be compromised leading to compromise of all
VMs.
• An internal test from a sample of branch offices to test insider access to the
main candidate database. The physical security of the branch offices
could also be tested to identify if an individual could gain access and
then easy access to the network.
• A social engineering test aimed at the helpdesk and some users to
identify if credentials can be obtained (more sophisticated techniques
could be applied once the organization had basic awareness of social
engineering in place at an acceptable level).

Going forward, specific application tests and tests of network infrastructure
could be conducted once the basic vulnerabilities are identified and
defined.

Exercise 6: Mapping

In groups please map a public application such as www.pecb.org using all public
resources

Exercise 7: Burp Suite

In groups please map the attack surface and entry points of www.pecb.org using
BURP Suite

Discuss Scoping strategy based on your discoveries.



Exercise 8: Web Application Vulnerabilities


In groups please run a web application scanner against our Web App VM using Nessus Web
App scanner option and more targeted scanning using Burp Scanner. If Burp licenses aren’t
available at the time, please run a DEMO from the trainer’s PC or run the VIDEO.

A more detailed Web Application Assessment is beyond the scope of this course and a more
specific Web Application Course will be delivered in the future to cover other more specific
vulnerabilities.

Exercise 9: Social Engineering

In groups please consider some scenarios where you may use social engineering in a
penetration test and explain the techniques you may use.

Exercise 10: Information gathering

Using tools such as Google, Shodan and other public information sources please find
as much information as possible about PECB. In particular can you identify:

• Details of physical locations
• Details of where certain systems may be hosted
• Names of key individuals
• Other useful information

Exercise 11: Corrective action plan


You have received a plan for corrective actions. Evaluate the adequacy of the proposed
corrective actions. If you agree with the corrective actions, explain why. If you disagree,
explain why and propose what you think would be adequate corrective actions.

1. A finding was raised because a Microsoft Windows server had over 12 months of
patches missing.

Proposed action plan: Organise a formal change to apply all relevant patches and
test accordingly.

Acceptable (If No please provide recommendation):


No. Whilst applying the patches may resolve the initial finding, the organization should
look to implement a formal patch management process in order to reduce the risk of
recurrence going forward. If the organization fails to implement a formal patch
management policy there is a chance that a new vulnerability will be discovered
which could be exploited. It is likely that such a new vulnerability
would occur before the re-visit of any future penetration test.

2. A finding has been raised because the tester could boot an internal PC into LINUX
using a CD and then override local security settings. They could also steal the
Windows SAM file and crack passwords offline.

Proposed action plan: Disable the ability to boot from the CD-ROM on the PC.

Acceptable (If No please provide recommendation):


No whilst this would make it more difficult for an attack to be conducted there is
nothing to prevent someone from booting the machine using removable media or via
the network card. In addition the BIOS settings will need to be adequately protected
to prevent these controls from being removed. If there is data stored on the hard disk
of the machine which needs protection consideration may also be given to applying
whole disk encryption to the hard disk. In the event of booting to an alternative
operating system the attacker maybe able to browse the hard disk but will not be able
to extract the data in a meaningful form (Caveat, this answer assumes a robust
industry approved product is used and also assumes a low level attack, attacks
against crypto systems themselves are beyond the scope of this answer). ..................
.......................................................................................................................................
.......................................................................................................................................
.......................................................................................................................................
.......................................................................................................................................


3. A finding has been raised because the tester could access resources on the local
CITRIX server by using the command line. The CITRIX server was meant to host a
specific application and a standard user should not have access to the command
line. Through this the tester (with a standard user logon account) managed to
access a number of local files on the server which contained highly sensitive
information.

Proposed action plan: Disable the command line on the local CITRIX server.

Acceptable (If No please provide recommendation):


Disabling the command line will not help with this particular problem. The situation
implies that there is a serious misconfiguration in the CITRIX environment which
allows access to the underlying operating system. A good action plan should include
the examination of the configuration and the implementation of a configuration which
prevents an application user from being able to access any of the components of the
local operating system.

4. A finding was raised because the penetration tester was able to obtain a number
of passwords through social engineering. The tester made telephone calls to a
number of users profiled through social networking sites. In the calls he posed as a
member of IT support, stating the passwords were required for emergency support
work.

Proposed action plan: Send an email to all staff reminding them never to reveal
passwords to anyone including IT support.

Acceptable (If No please provide recommendation):


No. This action may have a short-term effect but will not provide ongoing awareness.
In addition to this, the organization should consider ongoing awareness raising
through regular training, updates via various channels and regular testing. The
organization could consider regular social engineering tests which gradually become
more sophisticated as the level of awareness and vigilance amongst staff grows.

5. Several findings were raised because the penetration tester was able to gain
unauthorised access to a key office. Once in the building they were able to freely sit
at a desk, connect their machine and conduct a number of activities such as sniffing
local network traffic. During this sniffing exercise they captured credentials to a
number of key systems. When accessing the building they reported to the main
reception and claimed to be an IT support engineer. They were immediately sent to
the relevant floor of the office. They were then allowed through the main door of the
office by tailgating a member of staff who had a key fob access card.

Proposed action plan: Several actions have been proposed by the client:

• Implement a procedure where all visitors to the main reception are reported to
a relevant contact in the office. The office contact will be required to collect
the visitor from reception, hand them a visitor's badge, check their ID and
escort them at all times.

• Send an email to all staff reminding them of the risks of tailgating.

• Implement MAC address filtering to prevent unauthorized machines from
connecting to the network.

Acceptable (If No please provide recommendation):


I agree with the first action; this would greatly reduce the risk of an individual being
able to access the floor of the office. Adherence to this process could be reviewed
as part of the organization's internal audit activities.
As with question 4, sending an email alone would not be sufficient for long-term
sustained behavioral change. Regular reminders through training, awareness
messages and clear communication should be established. In addition to
highlighting tailgating, staff should be encouraged to challenge or report visitors they
do not recognize who are not wearing the relevant ID badges and who are not
appropriately supervised.
The suggestion of implementing MAC address filtering is very weak. MAC addresses
can be easily spoofed. Also, this control does not resolve the issue of why
credentials could be captured on the network. As part of corrective action the
organization needs to conduct a more complete review which covers the issues of
how to prevent credentials passing across the network in clear text and considers the
implementation of Network Access Control to prevent the use of rogue machines on
the network.

Exercise 12 – 14 Capture the Flag

Notes
