Posts posted by u0m3

  1. The Encryptor

     

    The challenge starts with 2 files: an executable, TheEncryptor.exe, and a binary file, encrypted.bin.

     

    I started by running the executable from a PowerShell console to see what output it generates.

    PS D:\tmp\ctf_rstcon_2020\reversing\the_encryptor> .\TheEncryptor.exe
    Enter a filename as an argument!
    PS D:\tmp\ctf_rstcon_2020\reversing\the_encryptor> .\TheEncryptor.exe .\dummy.txt
    TheEncryptor will begin encripting the file to "encrypted.bin"...
    Key generated: 2020-11-27-05
    The source plaintext file, .\dummy.txt, is open.
    The destination file, encrypted.bin, is open.
    A cryptographic provider has been acquired.
    An md5 hash object has been created.
    The password has been added to the hash.
    An encryption key is derived from the password hash.
    Memory has been allocated for the buffer.
    File encrypted successfully!
    PS D:\tmp\ctf_rstcon_2020\reversing\the_encryptor>

    Observations:

    1. it requires one parameter: a path to a file that is to be encrypted.
    2. it always writes to the file encrypted.bin, which can be a problem
    3. It appears to use a password based on the current date (YYYY-MM-DD-dayofweek); this is "passed" through MD5, and the encryption key is derived from that hash

    A period of analysis in x64dbg and Ghidra followed. Here I lost a lot of time because of a strange behavior: if the input (the content of the input file) is a single character, the output is 129 bytes. If anyone has any idea why...

    My testing methodology

    Spoiler
    
    radu@heimdallr:/mnt/d/tmp/ctf_rstcon_2020/reversing/the_encryptor$ myStr='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
    radu@heimdallr:/mnt/d/tmp/ctf_rstcon_2020/reversing/the_encryptor$ for n in {1..128} ; do echo -n ${myStr:0:n} | tee dummy.txt ; ./TheEncryptor.exe ./dummy.txt ; mv dummy.txt "$(printf '%03dA.txt' $n)" ; mv encrypted.bin "$(printf '%03dA.bin' $n)"; done
    
    

     

    Spoiler
    
    radu@heimdallr:/mnt/d/tmp/ctf_rstcon_2020/reversing/the_encryptor$ wc -c *.txt
       1 001A.txt
       2 002A.txt
       3 003A.txt
       4 004A.txt
       5 005A.txt
       6 006A.txt
       7 007A.txt
       8 008A.txt
       9 009A.txt
      10 010A.txt
      11 011A.txt
      12 012A.txt
      13 013A.txt
      14 014A.txt
      15 015A.txt
      16 016A.txt
      17 017A.txt
      18 018A.txt
      19 019A.txt
      20 020A.txt
      21 021A.txt
      22 022A.txt
      23 023A.txt
      24 024A.txt
      25 025A.txt
      26 026A.txt
      27 027A.txt
      28 028A.txt
      29 029A.txt
      30 030A.txt
      31 031A.txt
      32 032A.txt
      33 033A.txt
      34 034A.txt
      35 035A.txt
      36 036A.txt
      37 037A.txt
      38 038A.txt
      39 039A.txt
      40 040A.txt
      41 041A.txt
      42 042A.txt
      43 043A.txt
      44 044A.txt
      45 045A.txt
      46 046A.txt
      47 047A.txt
      48 048A.txt
      49 049A.txt
      50 050A.txt
      51 051A.txt
      52 052A.txt
      53 053A.txt
      54 054A.txt
      55 055A.txt
      56 056A.txt
      57 057A.txt
      58 058A.txt
      59 059A.txt
      60 060A.txt
      61 061A.txt
      62 062A.txt
      63 063A.txt
      64 064A.txt
      65 065A.txt
      66 066A.txt
      67 067A.txt
      68 068A.txt
      69 069A.txt
      70 070A.txt
      71 071A.txt
      72 072A.txt
      73 073A.txt
      74 074A.txt
      75 075A.txt
      76 076A.txt
      77 077A.txt
      78 078A.txt
      79 079A.txt
      80 080A.txt
      81 081A.txt
      82 082A.txt
      83 083A.txt
      84 084A.txt
      85 085A.txt
      86 086A.txt
      87 087A.txt
      88 088A.txt
      89 089A.txt
      90 090A.txt
      91 091A.txt
      92 092A.txt
      93 093A.txt
      94 094A.txt
      95 095A.txt
      96 096A.txt
      97 097A.txt
      98 098A.txt
      99 099A.txt
     100 100A.txt
     101 101A.txt
     102 102A.txt
     103 103A.txt
     104 104A.txt
     105 105A.txt
     106 106A.txt
     107 107A.txt
     108 108A.txt
     109 109A.txt
     110 110A.txt
     111 111A.txt
     112 112A.txt
     113 113A.txt
     114 114A.txt
     115 115A.txt
     116 116A.txt
     117 117A.txt
     118 118A.txt
     119 119A.txt
     120 120A.txt
     121 121A.txt
     122 122A.txt
     123 123A.txt
     124 124A.txt
     125 125A.txt
     126 126A.txt
     127 127A.txt
     128 128A.txt
    8256 total

     

    Spoiler
    
    radu@heimdallr:/mnt/d/tmp/ctf_rstcon_2020/reversing/the_encryptor$ wc -c *.bin
     129 001A.bin
       2 002A.bin
       3 003A.bin
       4 004A.bin
       5 005A.bin
       6 006A.bin
       7 007A.bin
       8 008A.bin
       9 009A.bin
      10 010A.bin
      11 011A.bin
      12 012A.bin
      13 013A.bin
      14 014A.bin
      15 015A.bin
      16 016A.bin
      17 017A.bin
      18 018A.bin
      19 019A.bin
      20 020A.bin
      21 021A.bin
      22 022A.bin
      23 023A.bin
      24 024A.bin
      25 025A.bin
      26 026A.bin
      27 027A.bin
      28 028A.bin
      29 029A.bin
      30 030A.bin
      31 031A.bin
      32 032A.bin
      33 033A.bin
      34 034A.bin
      35 035A.bin
      36 036A.bin
      37 037A.bin
      38 038A.bin
      39 039A.bin
      40 040A.bin
      41 041A.bin
      42 042A.bin
      43 043A.bin
      44 044A.bin
      45 045A.bin
      46 046A.bin
      47 047A.bin
      48 048A.bin
      49 049A.bin
      50 050A.bin
      51 051A.bin
      52 052A.bin
      53 053A.bin
      54 054A.bin
      55 055A.bin
      56 056A.bin
      57 057A.bin
      58 058A.bin
      59 059A.bin
      60 060A.bin
      61 061A.bin
      62 062A.bin
      63 063A.bin
      64 064A.bin
      65 065A.bin
      66 066A.bin
      67 067A.bin
      68 068A.bin
      69 069A.bin
      70 070A.bin
      71 071A.bin
      72 072A.bin
      73 073A.bin
      74 074A.bin
      75 075A.bin
      76 076A.bin
      77 077A.bin
      78 078A.bin
      79 079A.bin
      80 080A.bin
      81 081A.bin
      82 082A.bin
      83 083A.bin
      84 084A.bin
      85 085A.bin
      86 086A.bin
      87 087A.bin
      88 088A.bin
      89 089A.bin
      90 090A.bin
      91 091A.bin
      92 092A.bin
      93 093A.bin
      94 094A.bin
      95 095A.bin
      96 096A.bin
      97 097A.bin
      98 098A.bin
      99 099A.bin
     100 100A.bin
     101 101A.bin
     102 102A.bin
     103 103A.bin
     104 104A.bin
     105 105A.bin
     106 106A.bin
     107 107A.bin
     108 108A.bin
     109 109A.bin
     110 110A.bin
     111 111A.bin
     112 112A.bin
     113 113A.bin
     114 114A.bin
     115 115A.bin
     116 116A.bin
     117 117A.bin
     118 118A.bin
     119 119A.bin
     120 120A.bin
     121 121A.bin
     122 122A.bin
     123 123A.bin
     124 124A.bin
     125 125A.bin
     126 126A.bin
     127 127A.bin
     128 128A.bin
      69 encrypted - Copy.bin
      69 encrypted_original.bin
    8522 total

     

     

    It also didn't help at all that during testing I forgot to save after modifying the contents of the dummy.txt file.

     

    Despite these mistakes, I determined the parameters of the calls to the cryptographic functions to be:

    CryptAcquireContextA ( &hProvider, NULL, MS_ENHANCED_PROV /* = "Microsoft Enhanced Cryptographic Provider v1.0" */, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT | CRYPT_NEWKEYSET );
    CryptCreateHash ( hProvider, CALG_MD5, NULL, 0, &hHash );
    CryptHashData ( hHash, &bData, dwDataLen, 0 );
    CryptDeriveKey ( hProvider, CALG_RC4, hHash, 0x00800000 /* keyLen<<16 | dwFlags = 128 << 16 | 0 */, &hKey );
    CryptEncrypt ( hKey, NULL, TRUE, 0, &bData, &dwDataLen, 1008 );

     

    From here we have almost all the data needed to decrypt the file. Except the password.

    So I wrote a small python script to brute force it.

    Spoiler
    
    
    #!/usr/bin/env python3
    # -*- coding: utf-8 -*-
    
    import datetime
    # using python3-cryptodome from debian repos http://www.pycryptodome.org
    from Crypto.Hash import MD5
    from Crypto.Cipher import ARC4
    
    # encrypted.bin
    encrypted = bytes(bytearray([ 0x9C, 0xD6, 0xF5, 0x0A, 0x8B, 0xB5, 0x60, 0xF1, 0x75, 0x39, 0x3E, 0xCC, 0x39, 0x5D, 0xAC, 0xF2, 0x10, 0x3D, 0xC7, 0x14, 0xCE, 0x5F, 0x39, 0x73, 0x84, 0x22, 0x36, 0xFB, 0x7C, 0x75, 0x7A, 0xAC, 0xA9, 0xD8, 0x08, 0x90, 0x85, 0xF0, 0xEF, 0x94, 0x7F, 0xAD, 0x5D, 0x42, 0x46, 0x30, 0x2A, 0xC9, 0x1A, 0xB4, 0x37, 0x26, 0x0B, 0xD9, 0xAC, 0x81, 0xFC, 0x3F, 0x68, 0x98, 0x8B, 0x04, 0xC1, 0x52, 0xFD, 0xE6, 0x60, 0xE5, 0x7C ]))
    
    # the file could not have been generated after the contest date
    contest_date = datetime.datetime.fromisoformat("2020-11-20T12:00:00+02:00")
    for x in range(0, 31):  # go back 31 days
        t = contest_date - datetime.timedelta(days=x)
        hash_seed_str = f'{t.year:04d}-{t.month:02d}-{t.day:02d}-{t.isoweekday():02d}'
        hash_seed = hash_seed_str.encode()
        hash_ = MD5.new(hash_seed)
        cypher_ = ARC4.new(hash_.digest())
        plain = cypher_.decrypt(encrypted)
        print(f'{t} => {plain}')
    # ...
    # 2020-11-03 12:00:00+02:00 => b'RST{738CC8DFB55AEFFD7196BFD6B545D0424E475346A0EFD43A07A4312E7F77EF0B}'
    # ...

     

     

    • Upvote 4
  2. Mesajul de pe retea - IV ("The message on the network - IV")

     

    The challenge starts with a text file containing a list of cakes/sweets/desserts. Honestly, I got very lucky here, because after staring at the contents of the file for a while, I remembered having read somewhere, more than a year earlier, about a steganography project that allowed data to be exfiltrated in the form of a table of match scores between teams... or so I remembered.

     

    After a short "Google" session, I found the project's repository: https://github.com/TryCatchHCF/Cloakify/. Being too lazy to install it properly, I copied what I needed into a script of my own, et voilà:

    Spoiler
    
    #!/usr/bin/env python3
    # -*- coding: utf-8 -*-
    
    # "inspired" by https://github.com/TryCatchHCF/Cloakify/blob/master/decloakify.py
    import base64
    
    array64 = list("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/+=")
    wl = """
    honey
    jelly
    lollipop
    spumoni
    milkshake
    shortcake
    souffle
    flower
    fondant
    crunch
    pineapple
    marionberry
    lime
    pudding
    sugar
    caramel
    granita
    zest
    brittle
    liquer
    bun
    toffee
    ginger
    custard
    cookie
    sucker
    pistachio
    meringue
    eggs
    peach
    buttermilk
    turnover
    biscuits
    turtle
    puffs
    doughnut
    apricot
    nutmeg
    gingerbread
    cherry
    truffle
    turnovers
    licorice
    mousse
    muffins
    raspberry
    sorbet
    streusel
    candy
    torte
    syrup
    terrine
    curd
    hazelnut
    brownie
    strawberries
    blueberry
    coconut
    butterscotch
    cookies
    huckleberry
    icing
    walnut
    pie
    snickerdoodles
    cannoli
    marzipan
    cake
    compote
    bonbon
    glaze
    flan
    cane
    foster
    sherbet
    ganache
    cream
    buttercream
    jam
    cobbler
    tirimisu
    creme
    cupcake
    cinnamon
    mint
    vanilla
    éclair
    taffy
    orange
    almond
    rhubarb
    pastry
    brulee
    lemon
    cheesecake
    chocolate
    donut
    sundae
    peach pie
    shortbread
    frosting
    parfaits
    blackberry
    popsicle
    confection
    crepe
    macaroon
    """.strip().split("\n")
    enc = """
    sorbet
    marionberry
    cherry
    sorbet
    milkshake
    sucker
    gingerbread
    strawberries
    gingerbread
    brownie
    turnover
    pineapple
    truffle
    peach
    sorbet
    custard
    cherry
    crunch
    marionberry
    fondant
    terrine
    biscuits
    buttermilk
    ginger
    terrine
    biscuits
    terrine
    marionberry
    cherry
    peach
    cherry
    crunch
    syrup
    raspberry
    licorice
    strawberries
    gingerbread
    peach
    souffle
    cookie
    cherry
    crunch
    lollipop
    curd
    terrine
    raspberry
    pistachio
    custard
    syrup
    raspberry
    licorice
    sucker
    terrine
    raspberry
    pistachio
    coconut
    gingerbread
    peach
    doughnut
    crunch
    terrine
    raspberry
    licorice
    strawberries
    terrine
    peach
    souffle
    hazelnut
    terrine
    crunch
    buttermilk
    ginger
    terrine
    peach
    syrup
    cookie
    cherry
    crunch
    meringue
    crunch
    gingerbread
    peach
    turnover
    crunch
    cherry
    candy
    terrine
    flower
    cherry
    brownie
    mousse
    icing
    eggs
    souffle
    snickerdoodles
    snickerdoodles
    """.strip().split("\n")
    clear64 = ""
    
    for word in enc:
        clear64 +=  array64[ wl.index(word) ]
    
    print(base64.b64decode( clear64 ).decode())

     

     

    • Like 1
    • Upvote 3
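
For the receiving side of the substitution shown in the post above, a detection heuristic written as an added example (not part of the original post and not Cloakify code): it looks only at the shape of a one-token-per-line list, without knowing the word list. The word list, payload and thresholds are constructed assumptions; `ARRAY64` is the character order from the post's script.

```python
import base64
from collections import Counter

# Character order used by the script in the post: one word-list line per symbol.
ARRAY64 = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/+="

def cloakify(payload, words):
    """Constructed encoder: base64 the payload, then map each symbol to a word."""
    return [words[ARRAY64.index(c)] for c in base64.b64encode(payload).decode()]

def cloak_shape(lines, min_tokens=16, max_ratio=0.75):
    """Report whether a token list has the shape of base64 mapped onto a word list.

    Signals (thresholds are assumptions to tune on real data):
      - token count is a multiple of 4, as base64 output always is
      - at most 65 distinct tokens (64 symbols plus the padding symbol)
      - heavy repetition: distinct/total stays low, unlike an ordinary list
      - a trailing run of 1-2 tokens seen nowhere else hints at '=' padding
    """
    tokens = [ln.strip() for ln in lines if ln.strip()]
    counts = Counter(tokens)
    run = 0
    while run < len(tokens) and tokens[-1 - run] == tokens[-1]:
        run += 1
    padding = run if tokens and run in (1, 2) and counts[tokens[-1]] == run else 0
    ratio = len(counts) / len(tokens) if tokens else 1.0
    suspicious = (
        len(tokens) >= min_tokens
        and len(tokens) % 4 == 0
        and len(counts) <= 65
        and ratio <= max_ratio
    )
    return {
        "tokens": len(tokens),
        "distinct": len(counts),
        "possible_padding": padding,
        "suspicious": suspicious,
    }

# Constructed sample data: a synthetic 65-entry word list and a 70-byte payload.
CONSTRUCTED_WORDS = [f"word{i:02d}" for i in range(65)]
CONSTRUCTED_PAYLOAD = b"RST{" + b"0123456789abcdef" * 4 + b"!}"
BENIGN_LIST = ["apple", "pear", "plum", "fig", "kiwi", "lime", "date", "melon",
               "grape", "peach", "mango", "guava", "lemon", "olive", "berry", "quince"]

if __name__ == "__main__":
    print(cloak_shape(cloakify(CONSTRUCTED_PAYLOAD, CONSTRUCTED_WORDS)))
    print(cloak_shape(BENIGN_LIST))
```
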
  3. Mesajul de pe retea - III ("The message on the network - III")

     

    The challenge starts with a zip file. It contains a single .txt file, but unfortunately it is password-protected.

     

    The first attempt was a hashcat attack on the password, but it proved ineffective. So let's turn our attention to the structure and content of the zip file (https://en.wikipedia.org/wiki/ZIP_(file_format)#Central_directory_file_header as a reference for the zip file format).

     

    In the challenge description we are told that we will not discover the flag itself, but a series of bytes whose sha256 sum constitutes the flag.

    Also, from analyzing the zip file, we can see that the txt file inside contains only 5 bytes, (most likely) not enough to contain a set of instructions. So we can assume that this file contains the source of the hash.

    Besides the size of the txt file, we also have the file's crc32 sum, computed before compression.

     

    Starting from a few premises, we can write a small script that runs a brute-force attack on the file content/crc32 sum:

    Spoiler
    
    
    #!/usr/bin/env python3
    # -*- coding: utf-8 -*-
    
    # "inspired" by https://ctf-wiki.github.io/ctf-wiki/misc/archive/zip/
    import binascii
    import base64
    import string
    import itertools
    import struct
    import datetime
    import hashlib
    
    alph = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/='
    
    lasttime = datetime.datetime.today()
    # we know the archived file is 5 bytes, so we generate all
    # 5-element arrangements from alph, then compute the crc32
    # and compare it with the crc32 of the file in the zip.
    for x in itertools.product(list(alph), repeat=5):
        s = ''.join(x)
        st = s.encode()
        testcrc = binascii.crc32(st)
        if testcrc == 0x4659057E:   # taken manually from file.zip
            print(f'String is "{s}"')
            break    # I assumed we are not dealing with a hash collision
        if datetime.datetime.today() >= datetime.timedelta(seconds=10) + lasttime:
            print(f'crc32("{s}") = {testcrc:#010x}')
            lasttime = datetime.datetime.today()
    m = hashlib.sha256()
    m.update(st)    # st = b'sarma'
    print(f'RST{{{m.hexdigest()}}}')
    # RST{71b0ec104b58dd251893f35aec5e528e8908af48c4409ce2edaac7f8e0d75de3}

     

     

    • Like 1
    • Upvote 3
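
The post above reads the CRC-32 and the uncompressed size by hand from the archive. As an added example (not part of the original post), this parser pulls the same fields from the central directory file headers and lists password-protected entries short enough for that metadata to give the content away. The sample archive is constructed in memory, with the encryption flag bit set by patching to mimic a protected entry; `short_encrypted_entries` and its 8-byte threshold are assumptions.

```python
import binascii
import io
import struct
import zipfile

EOCD = struct.Struct("<4sHHHHIIH")            # end of central directory record
CDFH = struct.Struct("<4sHHHHHHIIIHHHHHII")   # central directory file header (46 bytes)

def central_directory(blob):
    """Yield (name, encrypted, crc32, uncompressed_size) for each archive entry.

    These fields sit in the central directory in cleartext even when the
    entry data itself is password-protected.
    """
    pos = blob.rfind(b"PK\x05\x06")
    if pos < 0:
        raise ValueError("no end-of-central-directory record found")
    total, offset = EOCD.unpack_from(blob, pos)[4], EOCD.unpack_from(blob, pos)[6]
    for _ in range(total):
        f = CDFH.unpack_from(blob, offset)
        if f[0] != b"PK\x01\x02":
            raise ValueError("bad central directory header signature")
        flags, crc, usize = f[3], f[7], f[9]
        nlen, xlen, clen = f[10], f[11], f[12]
        raw = blob[offset + CDFH.size: offset + CDFH.size + nlen]
        name = raw.decode("utf-8" if flags & 0x800 else "cp437", "replace")
        yield name, bool(flags & 1), crc, usize
        offset += CDFH.size + nlen + xlen + clen

def short_encrypted_entries(blob, max_len=8):
    """Names of encrypted entries whose size makes CRC-32 a usable content oracle."""
    return [name for name, enc, _crc, size in central_directory(blob)
            if enc and size <= max_len]

def constructed_sample():
    """Build a two-entry archive and set flag bit 0 (encrypted) in each header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("secret.txt", b"sarma")       # the 5-byte content from the post
        z.writestr("notes.txt", b"x" * 4096)
    blob = bytearray(buf.getvalue())
    pos = blob.find(b"PK\x01\x02")
    while pos >= 0:
        blob[pos + 8] |= 1                        # general purpose flags, low byte
        pos = blob.find(b"PK\x01\x02", pos + CDFH.size)
    return bytes(blob)

if __name__ == "__main__":
    sample = constructed_sample()
    for name, enc, crc, size in central_directory(sample):
        print(f"{name}: encrypted={enc} crc32={crc:#010x} size={size}")
    print("short encrypted entries:", short_encrypted_entries(sample))
```
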
  4. Abstract: Browsers are complicated enough to have attack surface beyond memory safety issues. This talk will look into injection flaws in the user interface of Mozilla Firefox, which is implemented in JS, HTML, and an XML-dialect called XUL. With a Cross-Site Scripting (XSS) in the user interface attackers can execute arbitrary code in the context of the main browser application process. This allows for cross-platform exploits of high reliability. The talk discusses past vulnerabilities and will also suggest mitigations that benefit Single Page Applications and other platforms that may suffer from DOM-based XSS, like Electron.

     

    Link: https://frederik-braun.com/firefox-ui-xss-leading-to-rce.html

    • Upvote 3
  5. Series Overview

    This series is intended for readers who are interested in reverse engineering, but have only opened a debugger a handful of times. If you have trouble with certain concepts of reverse engineering, tooling, disassembly or debugging then you’ve come to the right place. Starting from the ground up we’ll work our way to advanced topics that aid in automating the reversal process such as heuristic analysis using a disassembly engine, and return oriented programming. If you’re new it’s recommended you start from the first article and work your way through the series, as it’s meant to guide you through the intricacies of the architecture and operating system structures. This series does expect the reader to have prerequisite knowledge of a native programming language such as C, C++, Rust, etc. Native meaning compiled to a native machine language, as opposed to interpreted. I do not cover reverse engineering Java Byte Code. If you don’t have a background in a compiled programming language this series may be confusing and esoteric. Otherwise, you’re in good hands!

    This series is written for reverse engineering on a 64-bit Windows OS. Windows 10 will be the OS that the author is working in, and all examples will be relevant to Windows 10 and the Intel64/AMD64 architecture. You’ll certainly be able to take what you learn from this series and apply it to other architectures and operating systems, however, you’ll have to adapt to any changes present on those platforms. Also worth noting that I will address 64-bit Assembly in detail with a small subsection regarding 16-bit and 32-bit assembly to help solidify the reader’s understanding of x64 Assembly.

    All that being said, if you’re familiar with reverse engineering and interested in a specific topic then feel free to skip around, and visit the sections you find most interesting! It’s by no means linear, but if you’re starting out going in order will be much less confusing.

    Note: The documentation referenced will be the Intel and AMD SDM, among other books, articles, and blogs.

    I’ve decided for this series that, in order to reduce the length of my articles, I’m going to cover topics in their own separate post. They will be linked here so they’re easy to find from the main navigation bar on the left side of the site.

     

    Link: https://revers.engineering/applied-reverse-engineering-series/

     

    • Upvote 1
  6. Description:

    Quote

    Dow Jones Hammer is a multi-account cloud security tool for AWS. It identifies misconfigurations and insecure data exposures within most popular AWS resources, across all regions and accounts. It has near real-time reporting capabilities (e.g. JIRA, Slack) to provide quick feedback to engineers and can perform auto-remediation of some misconfigurations. This helps to protect products deployed on cloud by creating secure guardrails.

    Link: https://github.com/dowjones/hammer

    • Upvote 1
  7. Synopsis

    In external and red team engagements, we often come across different forms of IP based blocking. This prevents things like password brute forcing, password spraying, API rate limiting, and other forms of IP blocking like web application firewalls (WAFs). 

    IP blocking has always been a simple and common way of blocking potentially malicious traffic to a website. The general method of IP based blocking is to monitor for a certain type of request or behavior, and when it is found, disable access for the IP that the request or behavior came from.

    In this post, we walk through the need for and creation of a Burp Suite extension that we built in order to easily circumvent IP blocking.

     

    Source: https://rhinosecuritylabs.com/aws/bypassing-ip-based-blocking-aws/

    • Upvote 2
  8. To have a bit of fun and tickle your paranoia: https://iknowwhatyoudownload.com/en/peer/ (it only works with IPv4).

     

    My opinion (completely unqualified and devoid of any trace of importance): if you absolutely want to avoid problems, rent a server in a datacenter located in a country with laxer legislation in this regard (ideally the headquarters of that company would also be in such a country), and keep the torrent client there. Then fetch the files from there over ssh (scp/sftp).

     

    If what I described above sounds too complicated, another suggestion would be to:

    • disable in the torrent client every method of discovering peers/seeds other than the tracker
    • enable only secured/encrypted connections (although I'm not sure what impact that would have on the availability of seeds/peers)

    DISCLAIMER: I am Romanian. Although I (probably) don't know what this is about, I have a strong opinion, and I am sure that my opinion is the absolute truth, and my purpose in life, given from Heaven, is to convince the rest of the world of my truth.

    • Like 1
    • Upvote 2
  9. Title: Analysing RPC With Ghidra and Neo4j

     

    Synopsis: Hunting for new lateral movement techniques or interesting ways to execute code can be a nice way to sink some free time. With Windows spawning numerous RPC services on boot, finding unusual execution techniques is sometimes as simple as scratching just below the surface. And often the payoff far outweighs the time to discovery, with SOC or EDR vendors focusing on the more common published techniques, identifying a new way to introduce code execution on a host can throw a spanner in the works of the investigating team.

    In previous posts I've tried to look at different ways to mix up common attack signatures. Since working on posts exploring Mimikatz and lsass internals, I've had a few requests for information on how the demonstrated lsass DLL loading techniques were found, and how it may be possible to identify others. So in this post I wanted to present a workflow which I have found to be useful when looking at Windows RPC method internals, and walk through some of the techniques I've used to minimise the grinding required to hunt for interesting vectors.

     

    Source: https://blog.xpnsec.com/analysing-rpc-with-ghidra-neo4j/

     

    • Upvote 2
  10. 7 hours ago, edutu20 said:

    I'm feeling generous today, so:
    96f9a47964bfcfb599bc5664a09160db
    e682d696b374d6928047d2606bc6b87e
    088e2dc2b2cce2435d56f903669aca9d
    3 invitations, first come first served; I don't have any others, I'm not giving any others, I won't give any others.
    Good luck!

    You're suicidal...

    • Upvote 1