Deep Dive into Clouded Waters: Penetration Testing and Security in DigitalOcean

okay so uh hello everybody Welcome to my talk and it's a pleasure to be here for the second year and it's always a pleasure to have you all fall asleep of boredom uh last year I did the presentation on uh Cloud penetration testing this year I'm coming with something different which is cloud penetration testing but this here is something that I've been working for the last I would say kind of six seven months uh which is a whole methodology on how to test uh digital lotion based infrastructures uh about yeah six or seven months earlier I decided to start with a small not so tasty Cloud providers that people don't give too much credit for but a lot of companies use them

because of many reasons most one of which and which is the most important is the price first of all this is me this one here uh I'm A Cloud researcher at permiso it's this one here and you've probably gotten some some shirts two and uh I've been working for them for the last five months this is the sixth one uh prior to that I've been working at the banking sector and the telecommunication sector and uh as a security engineer for for all of them and uh my main focus is uh Cloud penetration testing mostly AWS and Azure Port but of course uh just a lotion Auto uh so far we've seen uh penetration testing on cloud providers like this uh

like Acer AWS and TCP for many services that they have and they have a lot of services uh so the last time I checked AWS had more than 200 services so you know you can test all of them but the most important providers are these three and those are some of the stuff that have been uh tested if you don't have any knowledge of cloud impression testing or the fact that bless you the fact that cloud can be attacked here are some references uh the last one is or actually the this last three are books and they are some of the best books that I've read so you can you can look at them uh this one is AWS this one

is Asia and this one is aws2 but he has some of the best series so check the last one if you don't look at the other ones now this is the lotion this is the lotion uh first of all offers cheap vps's the the cheapest they have is 512 megabytes of Ram with one virtual CPU and uh if I'm not drunk 10 gigabytes of SSD uh storage for four dollars a month which is a great VPS for hacking I gotta say that but it's not so uh they call it a cheap platform I would say if you use light sail which practically has almost all the features that you will find on a droplet which is the their version of a

virtual machine you will not be you know you will not be spending any much more money than that but yes anything else is is cheaper they have several services not as much as other providers they have droplets which are basically your virtual machines K8 which is a kubernetes managed by them container registry which is again continuing radius 3 managed by them Cloud functions which is their version of Lambda for those people that have used AWS or uh Cloud functions for those people that use Azure so there are a code that is then uh when you trigger them now the difference here is that there is no event that the event based trigger like you do for Lambda but you can trigger

them yourself you know by by just accessing them they have the block storage now uh the block storage is just uh the same thing that you you will find on uh on AWS and Azure the the EBS for for uh yeah for AWS so those are just uh storage that are added extra or for the a certain certain machine uh they have networking they have spaces which is their version of buckets their version of cloud storage and of course manage databases uh they have their own API which is good and the vpcs which is uh something that is I wouldn't say a subnet but it's kind of the same as a subnet for for cloud for

the people that use cloud They Know It uh VPC can have many subnets so so it's it's kind of a network separation of your of all of your uh resources on cloud this is something that you will be finding on practically most of the cloud providers if not all and they also have it too they have 10 regions they used to have 14. four of them are not longer accepting resources so only 10 are are active though the other four are just there for the old resources that you might have set up prior now starting with reconnaissance and yes this is the watermark don't don't say anything uh so what you can find online are

spaces which as I said is their version of uh buckets uh they have the domain and droplets which can have a domain record assigned so that's how you you will be able to find them they have functions which can can be fine found sorry and they have the kubernetes node which has a public uh endpoint species are literally literally just AWS S3 used for them so it's they they literally use the that service they just use it with less features than the the normal AWS S3 so anything that will be done on the S3 accessing it with the with the API and they have a certain API only for that uh the bucket being public

the bucket name uh and the bucket itself uh just just needed to be globally the bucket name itself needed to be globally unique it's everything is inherited on this because it's literally an unnecessary bucket and you can so sorry sorry sorry as you can see here even the the response is practically the same as the S3 and you can see here it's an S3 Amazon S3 bucket the the same way as in AWS you have an endpoint which is the name and the region and there are two ways on how you can you can do that but is the result would will be the same and you will get uh one of three uh HTTP responses 200 if

the bucket exists and it's public so uh its content its contents are public and you will be finding a lot of them and there have been a lot of breaches just by this uh you will have a 403 if the bucket exists but it's uh its contents are not allowed by uh Anonymous access and 4040 if the bucket does not exist this is a good uh enumeration this is a good enumeration or yeah reconnaissance enumeration uh technique that you can do because you can literally just uh files for different names and try to to find the the buckets that are uh public also you will have to understand something there are a lot of cases that the name will be just the

domain especially when you configure them as website so you will have the name as the the domain as the name here and then everything else will be the the our endpoint has its own bucket so this is another way on how you can find sensitive information uh buckets uh sorry space is the same way as buckets allow for the ecls ecls are Access Control list so uh how the bucket itself and how each object is allowed so you can allow a bucket to list every file but each file will be private so you will not be able to to download it you will just find the the name of the of the file but not the

sorry here the name of the file but not access the file itself if you allow both of them to be public then yes you can download those files if a bucket is is configured as a website then you should mandatorily allow those files because as a website the the users need to access the the HTML files but for everything else it's best to to block them this is their way of doing something like a bucket policy because bucket policies do not exist here so you know just as I said allowing some files to not be downloaded while allowing others to be downloaded and you just allow the bucket to to list those names still even by

that you will be able to find a lot of information that you can later on escalate uh as I said you can you can allow uh buckets to be a website so uh it will host HTML CSS and JavaScript files practically everything that will be rendered by the browser only by the browser and uh when you do that you need to have a domain configured on your uh on your digital lotion and uh you you will assign an endpoint to that and this will be practically a cname for the for this host and also uh an SSL you can add your own or you can just ask one for uh for from lesson clip gray

headword fair is something that I found quite recently actually it's a it's a service that keeps all the non-public uh Storage Public cloud storage on AWS Azure and digital ocean so you will find any file you will find any endpoint that is known to be public and you can find a lot of a lot of information in this like let's say yeah so we check here I don't know if you can see that we check for test here and just by test you will see a lot of them and as you can see this one here is the is the sign of the digital lotion and you can hear the name here and the files and another good thing that gray

head Warfare does that uh some other you know Services don't is that they also check for the keyword on the key itself so you can find tests for the bucket for the bucket name or the space name uh and you can also find tests for the file name itself so if you want to check for a certain Target you can check for both both the things and find out where you can find information on them they also have an API which you can which you can use and you can automate Google Dorking is another uh way on how to find a lot of a lot of domains and then you can find the C names for them

foreign for those cases and it's something that has given me a lot of a lot of uh endpoints that I haven't been able to access with stuff like I don't know stop Lister because uh they will be uh giving you even hosts that so they will be giving you all the holes that a certificate is bought for if you are targeting a large company which has had many uh companies uh that they have outsourced services for uh you will most likely have one a certificate per domain because of a lot of illegal issues so you will be able to find a lot of a lot of endpoints for that and kubernetes which this is something

that was strange to me because kubernetes is not something that you need to necessarily have public I I would understand something like a container registry but kubernetes being able to have a public uh endpoint was strange but the good news is that it's a really large ID so it's it's not going to be easy to fast but you can find a subdomain that points to this and if you find that you will be able to also find the the ID of the kids which you can later on use on on the enumeration and the privileged escalation steps functions as I said they're the the the distillation version of lambdas they do not have a trigger based uh an event

based trigger sorry but you can trigger them yourself and they also have a public endpoint as you can see here uh it's the region there are some random characters they have something called the name space which is a container for many functions it's the package that you will be running the function name is a lot of stuff and if you run this uh you will be able to execute the code and you will find it you will have the return as a response from there uh I don't know if I've added this [Music] no okay no uh you can also access this using their own API key or publicly without a key by default you can access that without a

key so if you find the the URL you will be able to execute the code that's that's another reason why you should look for that and uh again Google Dorking helps a lot with that because since every air every URL will have that and you will check for the domain you will be able to find uh for example a cname record to a function which also has this URL and you will be able to to get a function which if it's allowed to be executed without uh a token you will be able to find the the execution point that you probably will be able to escalate to an rce or something but at least you will have you will have some

some information droplets as I said they you can assign a domain records to them and that's the best way you can track them because as we as we will see later the IP uh IPL is that they have do not specify the uh services and as you can see here the IP list will give you the all the IPS and the region for all of them but you will not you do not have the service as you have on other Cloud providers so you will not know what type of services uh you do you have I started a project a while ago and I'm all continuing on that it's just that it's harder to maintain on uh just

looking for uh domain uh domain records on each of those IPS and then trying to find uh uh C names for all the services that might have might be on one of those regions and try to find on which regions that they might be in and try to to you know link the service with IP range this is really hard to maintain because those are always updated so I don't think I will be able to to complete that but if somebody wants to that's the best way you can you can link a service to uh to an IP range on digital ocean so this is the the awesome recap that's how your those are practically what you

will be able to find if you search online on uh uh this lotion going on with the initial access now there are several vectors of initial access phishing is the first one uh you can utilize a lot of stuff for phishing you can never create your own phishing site which is I would say the best way for the second best way on on digital ocean uh you can get uh access to the droplets then you can find the the token from the droplet you can find the database password and you will be able to get the the sensitive information right away or you can find the the functions uh get access using the tokens and config files will which we'll be

seeing later on now for the fishing uh they have one way that I will show you later on uh one one cool way that you can use to fish but uh one thing that I don't have is a link between the token even if it's an admin token uh to the console so to the interface of the web interface so even if you are admin using the token you cannot use it to get access to the to the dashboard so vsync is your best bet to get to get access to that and what I do is I usually use the the alerts because the alerts are something that people will always open they will always

look for them and you can send something like this and you know they will look at that they will see that they will click on that and they will be able to so you can see here this you can see here all of them are you know just you can just add something to that and they you know when they open it they need to add the credentials and what I did this is a pitch done by me I'm I'm a Noob at front end so sorry I tried my best so this is something done by me I try to replicate it as best as I could and this is something that I saw when uh when you are on digital lotion

and a resource is not found or uh it's missing or your token is expired or something you will have same me this is Sammy this is a gif and you you will be looking at this and you have a link to go to to redirect you to the to the home page you can use all of them you can send them uh you know a login page they will add the credentials and then you can redirect them to your same even your custom save me and they will click on that and go to the web page everything will look normal now one thing that digital lotion does is that it allows you for 60 days to uh not add the

two-factor authentication so if they have been logged in Prior the moment they click on that they will be able to log into the to the dashboard and it will look completely normal to them so it's a good way to to fish them without them even knowing on how to do that is this Brute Force this is another thing that was you know uh strange to me they don't have any restriction for how many uh passwords you you add to the sh so you can literally do uh so I don't remember how many I did I don't remember how many I did sorry but I did a lot of them I'm not wrong is about my thought nine

thousand something like that so you know I I did a lot of a lot of them and still was able to to crack the password and there was no restriction for sh you can edit yourself but there is no restriction by them so you know you have to go and edit the sh file The Siege config file in order to to stop that which is again strange but it is going to be a good way plus every every drop press is run as root by default so uh you know the user at least well no matter what uh what OS or these trade is the API they have four apis this is the metadata if the if you have used Cloud

you will know this which is on 169 254 169254 uh and it's only accessible from inside the droplet and only for the droplet is not accessible you know publicly so you will only be able to access it from there you have the digitalocean API which we'll be looking at that is the space API which is literally AWS S3 API uh well what's the opposite of on steroid because you know that's what it is and they all over API which will be looking because this can be used as uh as a phishing the API can access all of them basically anything that is not a space that is not metadata and anything that will not lead

you to to the portal it has this format and that's all you know that's all you need to look at if you want to look for those at the source code that this is what you need to look for foreign you can find them here you can you can create them on your on the portal you can find them on source files you can find them on kubernetes and CRS config files we'll be looking at that you can find them on the consult history because the yes different from AWS you can just provide the token here and you will not be able to to create a profile for for that token you can just provide it so

finding that on uh on bash history will be you know will be useful and you can find them on functions and you will be able to find them on the environmental environmental variables or functions on apps and droplets uh as I said when you create a container registry you get a configuration file this one has a token which is a b64 of two uh distolution tokens and well it says here it's read only ordered right all uh read write because you select it yourself we will be looking at that later on and it's a read only and read write only for all the infrastructure not just container registry so if you find this you you and if you find the read write

you will be able to to get admin access uh this is just a simple code on how you can uh access that if you can see it's using bottle which is the AWS SDK the only difference is the end point here which is the region and the digitaloceanspaces.com and the access key doesn't have the usual format of a Kia or Asia but I say is the the temporary key so Ikea everything else is the same so the the authentication is different everything else is the same and these are everything that is allowed so those are allowed from the dashboard those are only allowed by uh the the API versioning is something that will be looking for and those are not allowed

now uh if you if you are able to find credentials on the spaces one thing that you should be able you should understand is that you don't have any limitations uh space uh space identity is the full access on all spaces so if you find that you get access to all the spaces you get access to all the sensitive information Within that account so if you are able to get that you are able to get practically all the information that they have there which okay yeah that's not the enumeration part sorry now the oauth's part the the fishing that I said uh since they do not have so uh this solution does not have uh the

idea of an IAM every identity has full access to everything since they do not have an idea of an IAM they do not have an idea of a cross account uh identity so the best way they do it is by using by utilizing uh something they call an oauth API which is uh their version of the application consent which if I may say it like this so the idea is you create an application with a redirect URL you have this URL that you will be sending and this token without the red part will only be a read token but if you also put the scope as read write when they accept that you get a token as

a read write token which is valid for 30 days but you also have a refresh token which I haven't found anywhere to be expiring so to be honest it might not expire at all I'm not sure if that you know if that's true but I haven't found any documentation that says when it does expire so I don't know about that and uh and everything is the same as in Asia uh access token and refresh token so it's it is the same process you get the access token you you uh access the digital lotion with it after 30 days you refresh your access token you get the second access token you continue with that so if you are able to do that you

get admin access to the API and you also get a token that can always be refreshed uh the container registry as I said this is where you choose your uh your scope as a leader did write and this is just us using that uh the best ways the best way I found on testing if a token is read ordered right is creating an sh key this H key is something that does not have any impact it does not cost anything so you can create you can delete if you do that you have uh uh read write token if you don't do that you only have any token so yeah and lastly as I said since you are able

to to to have access for 60 days if you find if you have physical physical access or weak access to to a machine you can just open the the cloud.distolution.com and you will have access to that on the enumeration side going back to the API uh going back to the sorry the space API uh since we said before we had some stuff that we were allowed to do now sorry this is very small but when I share the slides you it will be bigger uh these are everything that you are allowed to do so and since you have practically access to do every one of them without restrictions you can just create your own script that will execute now

this is from as far as I've seen the most important information and I wrote this script and I I get practically all the information like all the buckets all the bucket ACLS all the bucket objects I can tell download them if I want to I get all the if the bucket is a website if it's not practically even the even the version in which it's this one here which is the AWS and Pi extension digital oceans version of not allowing you to lose the file after it's deleted so if you enable versioning if a file is deleted you can still retrieve it now this is important because if you find the sensitive information that is being

deleted and it's not a deleted as a version then you can retrieve it so if you find some credentials or something you'll be able to to get that and the pre-signed URLs which are used will for get and put objects but get is the most important if you find one of them you can access the file if you don't you will be at least able to find the access key from that so you know it's something that it's worth looking for even if that one is is expired now uh say you have a digital lotion uh token from one of these methods what you would do is as I said just check if it's reloaded right just create an sh key it

will do no harm you will be able to either not create it or create it and delete it so it's not going to cause much much problem to the organization and you will know what what type of access you have for the container registry you can use the token on everything else or you can just log in using Docker to the registry you can just list the registry uh the container registries you can list the repos you can log in with Docker and you will be able to get the the image and after that you can also update the image put your own malware on it uh I don't know even even just getting it and

finding sensitive information you will still be able to do that previous privileged escalation now uh after this part there is not much that you can do to be honest since they do not have the idea of an IAM you either have all the access or you don't have access you know you you either uh are that mean or you're not admin and it's not much that you can do but one thing that I found one thing that I found is that if you get a read-only token you can look for the database you can just list the database and you'll be getting the password the plain text password for all the users yeah I have everything this is though though

this is only for uh everything except for uh mongodb so they have something against the SQL based databases but yes you will not be able to do that for so uh use I guess to be secure but yes sorry no no it's not it's not even on the console you cannot look at the mongodb password after you refresh the page you need to reset the password and another thing that you can look is that each password has this avns I don't know what that is a macronym for it starts with that and another and underscore so you can look for that on uh repos or on on your code so you know it's it's not bad to to look for

something like that and uh each database can uh no matter if you configure them to only be accessed publicly or not publicly each database has its own uh public node so you can also look for that you know probably you'll be able to find one no exfiltration for the expectation I haven't done much you know if you have console access you can you practically have everything what I try to to use uh mostly is adding everything to this to to a certain space especially if I have a space token and everything to a space and then download it from there usually the space and uh S3 based events are not so much look because there are a lot of

them so doing it like that is the best way to to get sensitive information even if they have something like uh I don't know a DLP which uh is there is no service for DLP on on installation if they have another third party doing for that another thing that that you can do is create a droplet and drop everything there in case you only have a digital ocean right token so do that and use sh2 to download the the files if you have already talk and just try harder try to escalate that and as for defenses this is the the last part so as we said what's wrong with this the lotion well you want to be an admin they

want you to be an admin too so you you get to be an admin and you get to be an admin and you get to be an admin so the idea of them is that you there is one super admin that can invite others and everything else is is just another minute that's all oh they give you just peace or just an S3 bucket and then some over privileged Keys uh DPI is not bad but again there are no identities uh there are no key vaults there is a service for hashicorps Vault but you have to pay extra for that or you can do it uh you know uh you can set it up yourself uh container registry has

practically full riddle for read write access to all the infrastructure uh the cloud functions are public and there are no credentials on metadata which is something that I that I didn't put here actually and if you get access to the user data which are the startup scripts you will not get uh credentials as normally but if droplets needs them you will probably find them on the environment variables I'm pretty sure you will be fine a little bit to find them on the on the environment variable so what you can do for them for the roles yet you can't do much you can just put MFA or I don't know just regularly change passwords for the for

the interface they do have their own MFA so they send the key to the to the email so they send the code to the email which you can you know send it back so I would recommend you also to Target the email in case you target the the uh the console for the over privileged uh try to not add them on accessible parts for the droplets uh droplets can also be accessed from the console you can do that it's going to be harder but it's uh you you will practically remove all the needs for the sh Keys being spread across all the admins for the public functions please use the various token that they do at least it's

going to be harder for them to to brute force that for the container Regis 3 yes yeah and for the database is use and for credentials on other places use password modes that's the best thing you can do that's how much digital ocean offers you so that's that's how much you can do with it so if you have to use that please at least do those also so sorry before I go on this uh I have practically told this to everybody that I've met but if in case I haven't met you uh my company is looking for some interns so if you want to you can contact me or Daniel born on uh it's so it's preferable to not be at work

momentarily and it's preferable to uh have some knowledge with other stuff with other stuff like a cloud Security even though it's not mandatory but it's preferable and uh programming with something like well python probably but even even another programming language will not be uh a bad thing because you can work with those two the idea is that you might need to automate some stuff so you you might need to do that better in case you you want to to apply uh contact Daniel or me send us a CV then we will you know continue with everything else and I started writing a book about one two months ago it's currently on the third chapter so I'm finishing the third

chapter I'm planning to finish it by the end of the summer hopefully and it will have a deeper dive on uh digital lotion also with a lot more exercises this is just you know this this was just a basic if you want to you can look at that and This is the End thank you do you have any questions [Applause] thank you as always very insightful for those that were yeah that attended like last year he also had a great presentation let me pass on the mic thank you blonde really interesting talk so I have a question um so do you have any idea how much of the traffic coming from digital ocean might be legitimate traffic that's a

good question because that's something we are looking for to add the company that I work for and uh no I don't have a statistic to be honest but yes digital lotion has been used a lot as uh as attackers vpss and if you if you go to Talos which checks for all the endpoints and the IPS and you put a digital ocean IP you will at the best have a neutral level of uh security because it's been used so much as attacker machines that even a normal distillation API will be you know will be at least at least neutral because they don't have the security to just say it's a normal even if they haven't

detected yet it's probably this is probably a hacker okay thank you so in terms of IP ranges like if we do DNS reverse lookup is there any common thing we can find out if it's like malicious traffic or legitimate traffic I can't say that because droplets by this themselves and those are the ones that are mostly used do not have an endpoint themselves like they do on AWS or Azure so in on AWS we have an endpoint on four drop list you do not have which is an indicator in itself because as far as I know this is the only service that does not have an endpoint so if you don't find uh if you

don't find one n is part of the Distortion IP list it's probably a droplet so this is one one way to to find it at least if they are using a droplet for that but uh finding if if a certain IP is used for malicious purposes just by looking at the name record or at the IPOs or it even the provider I don't think that's that's correct or anything but yes as I said the best way to find out is probably if if you don't get a reverse uh uh record a PTR record it's probably uh uh droplet and if you do get one and the record is a custom one that looks like a

custom one is again a droplet because those those are the only ones that do have that okay thank you thank you foreign do we have more questions yes okay thank you for your presentation thank you um so my question is uh from my experience I've seen that most of the companies that do actually use digitalocean are usually either startups or companies on a budget who don't like want to use the full featured Cloud yeah so what would your recommendation be should companies try to like Harden the security in this case or migrate to another cloud provider always considering that infrastructure migration is not an easy task thank you uh okay that's a good question uh migration is always as you said is

always hard to do because you know it's always costly if especially if they started with something uh yeah I would recommend them to at least limit the the usage of different accesses like uh tokens or the space credentials so if they if they only need right also already read access to something only user read I'm sorry very token don't don't use the read and write token because especially the companies that I've seen that use digitalocean are as you said one there are uh startups and two the people that manage them are usually devs which do not have the necessary knowledge not or not necessarily the the required knowledge when it comes to the system administrating stuff so they will

just put something and say okay this works you know and the the best way to do that is that is at least limit everything now there are some other services that are paid so they have Cloud Enix which checks for governance and checks for some misconfigurations that you have they have logging which you can which you can look uh so they have some services that do logging and they also have logging for the anything that is droplet droplet related action so they have if you look at the API they have that so even if they do use that and you know as I said I I would not recommend migrating until the very until the very last if they're at least

staying there they can at least log everything that is being that is being done there so it's it's better for them to even if something happens know how it happened or just be alerted immediately if that if that happens so yeah I don't know if I answered your question yeah yeah exactly so there's one more thing so uh considering that they are a startup and uh they will not utilize the API because most of the uh work they do we know that it's manual so we're we're uh we just got rid of the API token let's say uh now the problem is with the username password do they have like an SSO or something that uh can or they

don't offer assistance no no SSO no Federation I actually wanted to look at uh Federation from that and I looked at a lot of spaces a lot of places sorry and they don't have something neither necessary or or a federation so you can't do that even the MFE that they have as I said I've all they at least try to do it you know by using their own sudo MFA so as I said they send you a key to your email that you can you know you will let a six number uh one-time password that you can add and then you will be able to log in so that's how they they manage that that

aspect but aside from that I would recommend stronger passwords checking the the image and probably using a provider that uh provides you with MFA and the strong password policy at least you will be able to secure the image site so even if they find the password they will not be able to access that because they also need the email to do that and if they do that at least even if they use the same password for both the services uh since the email with the strong password policy will require you a strong password the second one will also you know yes they will also add the second one as a stronger password so that's kind of what I would recommend in this

case thank you you're welcome any other question okay let me just walk over there earn some calories a great presentation thank you what was your methodology that used during the reconnaissance phase uh specifically what tools did you use did you make your own scripts uh is that aside from Google door King which I don't know if you can call it automated because it's half manual and crt.sh everything else is just me looking at the DNS records and me looking at the URL and everything so me just creating the the service and looking at what can be found by that that's that's how I tried that uh and that's what I've been using for other services too because since you

will either have or not have an endpoint for that or you will have or not have an indicator over no scenes in in a service it's I would say a good way to to do it but I don't know if somebody else is using any other any other methodology plus since this was my account I knew what services I had when it comes to other people's accounts so they say you are hired to do a penetration testing for them using uh tools like I don't know sublister or a mask or something you know will help with uh with uh reconnaissance but uh when it comes to digital oceans uh specific or synth I would recommend

you just looking at uh what what is some what are some indicators on the services that they have like as I said the URL for functions or the uh the species uh endpoint name or the or looking for DNS records and then pointing you know just doing a reverse lookup and then looking if that is part of VIP space so you get the droplets so you you get the idea if it's distillation only I would recommend you that if it's uh foreign also other services and you want to at least filter them and know which ones are digital Ocean and which are which one aren't it's best to have everything then you know try to filter them as as

much as you can so yeah so you're welcome any other question I guess not thank you Leon once again thank you all thank you