
All right, so you can hear me guys now? Let's go. Thank you guys for joining, I really appreciate you making it thus far. Um, as you can see, probably, we had discussed my C perspective on, uh, laws, compliance and data privacy regulations in the cyber security space. So, um, so as I mentioned, we got to discuss laws, compliance and regulations, so I'm going to provide my C perspective, but like of course you've seen a m next and, hold on a second, this is not actually about laws. So for all the people who have left, thank you so much. Um, this is actually about compounding Cloud context. I'm going to share a hacker story on how I went from a GitHub token
access to compromising a whole GCP organization. Um, a little introduction: my name is a, I go by the same on Twitter. I work as the group vice president of security at Noon; it's a lead, it's the leading e-commerce company in the Middle East. Um, I'm a hacker by heart, basically. Prior to Noon I was hacking a lot in bug bounty, I was going to live hacking events, um, but after that I joined Noon. Uh, before Noon, actually, I was also running some businesses, but like I'm also passionate about business, software engineering, cyber security and everything in between. So how this is started: actually, uh, uh, Nikita reached out to me on Twitter, it
reached out to me six months ago, in April. So usually, like, what other speakers do 6 months before an event: they probably have a 10 version of their slides and they probably wrote a lot of code to release some tools, probably for the event. What I thought I would be doing too, 6 months ago, was actually also like writing a lot of code and preparing slides, but what I was actually doing at the time is, 4 days before the event, I dropped 99 commits on a Saturday and I was just taking the first screenshots for my slides, and I was still working on it on the flight on my way to BSides. Um, so yeah, that was, uh, that was, uh, um, how I
got into this event. So why this work matters: I have three reasons, basically. First reason is there's like public G BS, I'm sure you guys are familiar with it. Uh, the problem around this is so many people actually are like unaware of the true risks of GCP token leaks, or like any token leaks generally, so they report it to programs and they don't manage to escalate or, um, you know, kind of improve the impact of the reports. So the second reason I want, I want to discuss this today is I hacked into so many cloud organizations, and the reason is because they have, like, all the cloud providers are built in a way that is, um, the IAM system, which
is responsible for roles and permissions, is so broken in such a way that it makes it easier for organizations to make mistakes. And as a result of that you can see, like, there's a study from Google, actually, it says, um, 99 of cloud users, they're like granted excessive permissions. And what this means for you guys, probably, if you are bug hunting: it means if you land on a token it's probably highly privileged already, or you have a way to make it highly, um. I even mentioned that on a tweet, where I was like: if you just create a new project on GCP, uh, you add someone to that project, you don't give him any access, he already had access to
Cloud Vision API even if you don't give him any access, which is crazy, to me at least. There's even another study from, uh, that Google actually have shared; it says 60%, which is 2344, 60% plus of the confirmed token leaks on GitHub were actually equivalent of super admin and AD access, which means, like, there is a 60% chance you land on a highly privileged account on, on GitHub. The third reason I want to discuss this today: if you have GitHub access to repositories for some, you know, like some organization, there's a very high chance this token can actually lead to accessing the cloud as well, and it, it's, it's mostly through OAuth token exfiltration,
which is the main theme of our discussion today. So I'm going to also discuss with you guys many ways you can hunt for, for GCP tokens; there's like so many techniques. I'm going to share my stories, some reports, how I did that exactly. Uh, there are, sometimes I'm going to use interchangeably this talk, which is, there's like some cloud terms that may seem complicated to understand; I'm just going to translate them into kind of bug hunting, uh, terms. So project ID on GCP, think of it as a project name; service account email, it's just an email or an account; account impersonation is basically account takeover. So if you just think of them this way, like, it's
going to be much easier to understand.

So now let's go to story time. I'm going to discuss with you guys how we went from a token to compromising an entire production GCP cloud organization. There are two disclaimers to make here. First, I have recreated a whole lab, because I'm not allowed to share the target in any identifiable way, directly or indirectly, so I have recreated the whole lab; I'm going to share all the PoCs from that lab. Second, all the post-exploitation techniques we're going to discuss today, you always need program permission to proceed to do them, so please don't just try to escalate your access without checking with the program. Um, the timeline for the story is like this: so
we got to start with a GitHub token leak, we're going to go and exfiltrate a GCP OAuth token, and then we're going to run a privilege escalation to the staging project, we, we're going to jump to UAT, and then a lateral movement to production, and then we're going to compromise the GCP organization. So this was like the finding I came across and this is the flow I followed myself. Uh, actually I created a visual; guys, you have no idea how much time it took me. Like, the reason I had to do this is because there's like so many requests in Burp Suite, like, you guys are going to get lost if, if we don't have like a proper visual
for it. So we have like two, five, five phases of the attack: we start from GitHub, we jump to a staging project, then we jump to a UAT project, then we compromise production, then we have like, uh, the whole organization taken over.

So now we're going to enter phase one, which is the OAuth token exfiltration. Um, you know, as usual it always starts with a Slack notification, um, about like the token leaks. So I have this channel, I get reports on so many bug bounty targets, and some of you guys know I run like so many automations; part of it is one of the, uh, tools that runs and monitors GitHub for token leaks. I'm going
to show you guys by the end of the talk how I'm doing that exactly. Uh, this tool is running every 10 minutes, so you know, like, you got to be so quick, 'cause otherwise some people would actually find this before you do. So you know the best part? This is actually costing me 0 to run on GCP, and I think that's a whole different talk, to, to discuss how we do it exactly, but it's just like choosing the right products on GCP. So back to the token leak: we got this notification, we check it out, it's a GitHub token, giving you access to run, uh, API calls to GitHub for some victim account. Then I use the CLI to use
that token; I'm using here the, the lab I mentioned. So then we use this CLI, we access the, the account, uh, then we list the repositories this, this token has access to. We can see it has access to the BSides build staging repository. Then I'm just going to go and clone that and list all the files; we can see clearly there is a Cloud Build file. Before discussing how we're going to maliciously exploit that, we're just going to discuss this Cloud Build, because it's very important. So Cloud Build, generally on GCP but like cloud providers, it's a process where you push code to GitHub, then there is a build on the cloud that picks it up and it builds a Docker image
for it and it stores it on the cloud. So basically whenever someone pushes, uh, code to GitHub there is a Docker image being generated for that. Um, now the interesting part is how we exploit that. I decided to add the bash script, a malicious script; you can see, guys, clearly that it's calling the metadata API and it fetches a token, it pipes it to an attacker-controlled server. And like, we can't actually have this running without doing something else; we can just add the script and push it to the victim account and then, like, we get a token; usually you have to also edit the Cloud Build file which we discussed earlier; this is the glue
between GCP and GitHub, it's the part that, whenever you push code, builds a Docker image for it. So we now inject the script we have created at the beginning of this, and the reason we do that is because we want, we wanted it to run first thing when the build process starts. So to summarize: we added that malicious script, we injected it in the Cloud Build YAML file, now we can just go ahead and push our code changes, and push them to GitHub so that the build process triggers. If you want to see, if you have access to the UI, this is how the changes are going to look like. You want to push it to a random branch, not the main one,
because the organization would probably notice; if it's on a random branch no one would actually notice. Um, so once we pushed our code it's going to run right there, and this exfiltrates the access token, because it triggers the build, the build tries to build the Docker image, and then it's going to run our script first, and after that we get an access token. And what we can do with the access token: we can take it, start calling GCP APIs to do like further things with it. So one thing to note here is, once you get the access token it actually expires within one hour, so you want to, every time, start like doing another commit to
ping again, such that the build triggers again and you get the fs again; we get a fresh access token every time. So yeah, that's a wrap-up for phase one: we started, got the Slack notification, um, we use Git to actually clone the repo, we pushed a malicious code, it got actually built, the, the build process was running on the staging gcloud, the staging cloud organization, and we exfiltrated an access token for GCP that we can use later.

Now entering phase two, or privilege escalation. Oh, so now that we have like a GCP OAuth token, which is the token that belongs to GCP, there is actually a lot that we can do from here, and as a first attempt
I'm just going to go and ask Google: what is this token, like, who is this token? There is kind of a 'who am I' API we can call, um, it's userinfo. You can just ping that, give it the token you have, and he's going to say, hey, I'm project number at Cloud Build. And I'm going to, guys, start labeling accounts like this because we got to use so many tokens and you're going to get lost if I don't do, do it this way. So, so now all we know is the token belongs to this account that starts with project name at Cloud Build. The question is, if I have this token now, what is, what is the access it has, actually, like what
kind of access it has, what we can do with it? Um, there is an API for that, where you can ask Google which, which access this account has, but the problem with this API: it requires a project name, and we don't have the project name, right? We only have, if you remember, the project number, which is the beginning of the account we exfiltrated. So how we can use the project number to get the project name? Also there is an API for that on Google Cloud: you can call this, this first API, you get the project name, you add it to the second API, and then you get the user permissions. So this is what we're going
to do next: we're just going to call using the project number, you guys see we get the project name, then we can take that project name, supply it to the next API to get what is the roles or permissions of the exfiltrated account. But I wish life was that easy; unfortunately we get, uh, permission denied, because simply the token we have access to doesn't have permission to do that. So what is the next attempt, like, what we got to do next? So now we got to try a different B, um, attempt. The second attempt is: GCP actually has an interesting feature, I mean a very interesting one, especially for you guys. Um, it's called service
account impersonation, and you want to think of this in the, in the perspective, like, of bug hunting, as taking over accounts. You know, in GCP, if you have one of the permissions, which is not considered like super high privilege, if you have like a permission called Token Creator role, you can decide to take over any account you want. It may seem crazy to you guys, because it is the case; I mean, most cloud providers provide that. Um, there's a permission that allows you to take over any account on your project, so service account A can start acting on behalf of service account B to do things on cloud, basically, which means if our limited-access service account A cannot do some
actions on GCP, but it, it can actually take over an account with high privileges that can do that, you know. So, um, running with this, there are like also a bunch of other permissions that allow you to do that; I call this like a privilege escalation by design in most St organizations. So if you guys get any token on GCP or, or AWS, you should know, like, in most of the cases you can escalate your access. So at that checkpoint I just want to revise what we did like so far: we have a project number, which is the first bit of the account we, we, we managed to exfiltrate, remember, coming from GitHub; we have a project name, BSides
staging; and we have an org ID. So the question now: what can we do with this kind of information? Um, there is like, there's some information we know about GCP, which is you can take a project number and predict that other accounts exist. So I can just, so I just can go and, and say actually compute developer accounts exist; these are called default service accounts. And why I want to do that is the question, um, like, why do I want to jump, why do I want to create or construct these accounts? Because actually, if you guys remember the feature we discussed on GCP which allows you to take over other accounts, I want to be
able to use my limited account that I exfiltrated to jump to these other accounts. But the question is, if I want to jump to, from Cloud Build to compute developer, why do I want to do that? Because actually I know a fact about GCP, that this compute developer, most of the time, it has editor access. Editor access on GCP is like the equivalent of an admin access on anything else, so I have limited access, I'm trying to privilege-escalate my access to, to editor, which is highly privileged, so that I can start like, you know, calling these APIs, I don't get access denied, I don't get like other, um, you know, 403 responses. So now we know this in theory;
how we can do it in practice? What is the API we can call, what is the API we can call to say I want to impersonate this account? So this is where the generate access token API comes very, very handy, because then you can call it, you can simply say I want to, I want to impersonate or take over this account, and you can use the exfiltrated token that we got earlier, and it's going to give you the access token, simply, for the account you want to take over. It looks like that on GCP, which is, I mean, I don't know, it's crazy for me at least. Um, of course you need some permissions, but
they are not like rare permissions. So, so now that we took this account, like, we have the access token for this account, what is the next step, guys? We're going to do simply: we're going to copy it, start using it here, and we're going to start acting on behalf of the target account. So first thing, I'm copying it and asking Google: who am I, what is this token, who it belongs to, whom? And it says, oh, you are compute developer. So you guys can see we managed to escalate our access, um, to compute developer, and compute developer, I know it has editor most of the time; sometimes organizations change that, so I want to check. If you want to check what
access the account we were able to impersonate has, actually, you remember we called this API earlier, we got access denied, right? I think now we have a highly privileged token that we can use, and it just works, you get all the accounts within the staging project. So now I just want to know what is the permission that my, uh, my token has, which is compute developer; you guys can see it has editor. As I mentioned, it's by default in GCP, but sometimes people change it, so we just double-checked, it's, it has editor. Um, I feel that's a success, because we managed to go from a lower-tier access to privilege-escalate, uh, privilege, uh, our,
escalate our privileges to editor access, which is really highly privileged. So we authenticated as compute developer, remember, coming from the exfiltrated token, and then we have editor access. Editor access has more than 7,000 permissions, it's a crazy number of permissions, you can do pretty much everything on a project. So yeah, we basically compromised staging, that's like phase one. So to recap the phase two: we, if you remember, guys, we started from a GitHub access, uh, sorry, started from a Slack notification, GitHub token, we created a malicious script, it was triggered, we exfiltrated the token, now we managed to account-take-over another email, or like another account on the staging project, which is highly privileged, and
we compromised staging, um, basically.

Now we are entering phase three: lateral movement from staging to UAT. So now remember, guys, we are inside staging, but not with the first account we started with, but with, with another account that we've taken over, we call it on GCP impersonation, that we have impersonated. So now the question is: we are inside staging and we have editor access, what can we do more? That's the first question you have. So if you guys remember, our project is named as BSides staging, right? Does that ring any bell for you guys? I mean, the first question, for me at least, is: if there is staging, probably there is prod, probably there is
dev, probably there is so many other projects. How can we move to these other projects is another question, but like the first question I have is: does our exfiltrated token, or the token we've taken over, have access to all these projects? I mean, that's the first question that we need to answer, but like an even more important question: what if this account doesn't have access to these projects, can we find another way? Yes, we can, because, you guys remember, we can take over other accounts that may have access to these projects, and this is what we're going to do: we're going to take every other account we can impersonate or take over and try access
in other projects. So before that, let's, let's talk about something: there's an option called cross-project service accounts on GCP, and how it works is, you may have two projects, A and B, A and B, and the accounts created on A actually may have access to B. It's a feature, by the way, it's not a bug; like, project B may decide to give access to an account in A to do something, you know. So at any given point of time you may have project A, or like account A, with access to two projects or more, and that's an interesting feature, because it brings me to the question of, like, what is the other GCP project that my exfiltrated
token can have access to, or the ones I can take over can have access to? So now we need to answer this question. So far, our reconnaissance on the project: we have a staging account, we listed the other accounts, but we know, we don't know which account that may have access to other projects, right? And this is the next, this, this is the next question we want to figure out. So we don't know how to do that, but there is only one way to do it: it's brute force, as simple as it is. There's a way we can, uh, do like brute forcing; I personally call it lateral movement brute forcing. So we can use this, if you
guys remember, we have a way to take over other accounts, right? How we can take this methodology of taking over, taking over other accounts, and then brute-forcing our way to other projects: this is the lateral movement brute forcing. So I created this diagram to make it clear for you guys. So we started with Cloud Build, right, remember, we have the exfiltrated token; this is the exfiltrated token. We can go ahead, take over all the accounts on staging, and we can start asking production: hey production, can I send you an API request? If we get a 200 we have access; if you don't get a 200, or like access denied, we don't have access. It's as simple as that. So
but the problem is, now we are talking about one project; how we can brute-force this way, like, through so many projects, especially that we don't know the names of the projects? I'm just going to provide it a wordlist, right? But the problem: if you want to do this process manually, you're going to end up with like 200 tabs on Burp Suite, which I did, actually. I, I'm going to show you guys, I automated this process, but like this is only, I've done it because of, for the lab, but I personally, when I was reporting this issue to the target program, I did all this manually, and it's crazy, you don't want to do it, actually. So now we
want to create a script to automate this. So after four hours and 150 tabs on Repeater, and 99 commits later, I just decided to write some code for it, and if we're going to run this, you guys can see there's always a staging project going into our target projects, and what it does is exactly what I showed you in, in the diagram: it just targets all the staging accounts, takes over them, and sends API requests to the target projects. So that's literally what's happening behind the scenes: I'm just taking accounts, sending an API request; if I get access denied, that's access denied, if I get access, I'm going to flag it here. So, so as I mentioned, this is what we did,
but remember, we are not trying it only on production, we're trying it on a wordlist, and this is the way we're going to do it, which is: the exfiltrated token is going to impersonate or take over other accounts, because we, we have the access to do that, and then I'm going, I'm going to take all the access tokens for these target accounts, try them on target projects; if anything gets a 200 I'm fine with that, you know, we have access, basically. So we did it again from staging into production: we have no access. We've done it again from staging to UAT, and we have access. So I found this account; you guys have no idea how many Repeater tabs I have
to do to actually run this manually. So now that we have this account, you know, we have the Cloud Run provisioning account, what this means is the script is telling us: hey, you can actually start from your exfiltrated token, you can try, uh, impersonating or taking over this account, and it's going to allow you to access UAT. So that's what it says, basically. So now that we have access to, from staging to UAT, through this account, which is cloud provisioning, I'm just going to go and directly target that, and I'm going to create an access token for it using the API I showed you guys earlier, which, which returns to you an access token; get the access token, start using
it in API requests, move laterally to UAT, and then within UAT I'm just going to list all the accounts. Do you guys know why I'm going to list all the accounts? Because again I want to target them as well, well, and we're going to keep just doing that. Um, so that's in theory, but how it looks like in practice, in terms of API requests: so requesting an access token is basically that, the request I showed you guys earlier; you go, you provide it with the target service account you want to target, um, and it's going to give you back the access token for it, and we start using it. So then we, we use that here to
list all the accounts in the target project, which is UAT. So guys, you can see now that we managed to access UAT, run operations on it with a staging account, so that's lateral movement. I call this a success again, because we managed to move from staging to UAT. So as a recap for phase three: so we did lateral movement from staging to UAT, and again, we're coming from GitHub, exfiltrated the token, escalated our access to editor, then we listed all the accounts, and then we started lateral movement brute forcing; we found one account that can actually push us to the UAT.

So now we are entering phase four, the same process again, lateral movement, but
now from UAT to production. So, um, the question becomes: what is the other project you're going to access from it? It's the same question we asked earlier, right, from staging. So remember, we have this account, this account has access on staging; what we're going to do next is, again, lateral movement brute forcing: so impersonate all accounts, run API call, success or failure, you decide which account has access. And this is just one project; we're going to do it on so many projects. This is basically what the script does: it just goes, runs a loop on all the accounts, runs a loop to send API requests; you get a 200, you get a 403. So I'm running the script now, but the
target now is, you can see the original project is UAT and I'm running the target projects as a wordlist. So if you guys see, we get alpha core payments API, it, it actually has access to production. And again, knowing this information, I don't have to try every single API request manually; I can just go directly and create an access token for this account that actually the script has provided us, right? Create an access account for it, take the access account, uh, access token, run it on production, list all the other accounts to do the same process, basically. But like now, how that looks like in practice: we just create a token, right, we call the
generate access token API for the target account on the path, we get that token, we copy it, we use it; next we list all the accounts, and you can see, guys, that we are repeating the same process. I call that a success again, because we managed to move to production. So a recap for phase four is literally repeating the phase three process, but this time we move to, to production.

The question now becomes: if you have production access, which kind of other access you would seek, right? Um, there is actually a higher access than production, which we're going to discuss, which is org level. If you know that GCP, if you have org-level access you
simply have access to all the projects. So I'm not going to then target, oh, like, which project I'm going to move to; I'm just going to go and say, if I have org access level I can do anything across any projects, I can even, without having to brute-force, I can even find the projects within the organization, right? So is there any higher access than production as it is? If you guys remember, these are the accounts we listed already in the production, right? So again the same thing, but now for the org level. And what is the difference between org level and, and project level? It's just the API you are calling. I'm just going to go and
say, the script is going to go and say, and these accounts start calling the org-level permissions; like, I'm just going to go and say: hey, can I list all the accounts at the org level? And my token would say: oh, like, you don't have access to do that. And then I'm just, say, going to say I have no access, right? So we do that again and we figure out which account has access, and you can see, from BSides prod, you can see I passed an argument, which is the org ID, we already have that, and we got the organization owner, right? So you have the shared VPC account, and this has access at the level.
Um, 'video cannot be loaded'; fortunately I have a PoC for that but it's not showing, I don't know why, but yeah, anyways. So now that we have the, so now that the script is saying that, oh, there is an account actually we can use to call APIs at the org level, I'm just going to do the same: generate an access token for that account, get the access token, start using it, call org-level APIs, and we managed to get an owner; actually, that account had an owner access. The targets I was working on, accounts had an owner access, and I can do literally everything on that organization, like literally everything. Um, yeah, that's a recap for phase
four. Phase five, which is GCP organization compromise, and we managed to compromise the organization.

As a recap for everything: if you guys remember, we started from GitHub; it's a, it's a GitHub token that was leaked publicly, right? It has nothing to do with GCP, right? How could, who could actually say that this would give you access to GCP and you can compromise an organization? There is a lot about that stuff, actually, and honestly I have oversimplified it; it's, you can do like more than that, it's much more complicated, that you can do more than that. Um, you can always escalate your access; as I mentioned, GCP is like, or AWS as well, their roles and permissions, IAM
systems, they are broken in a way that there is always excessive permissions on any account, so if you find accounts you can always compromise them. So yeah, we started with the Slack notification, we pivoted to Git, you know, pushed the malicious script, we exfiltrated the OAuth token, we, we had a privilege escalation to get editor, listed all the accounts, uh, ran lateral movement brute forcing, found one account that pushes us to UAT, repeat the same process, production, repeat the same process, organization level, you know.

So guys, now that you know, like, how to compromise, uh, GCPs using an OAuth token, the, the most interesting question from my perspective is: how you actually find those to begin with, right? Um, because
now you understand that if you, if you find that GCP token you can almost always run privilege escalations, lateral movements, you can do so many things. So now, like, how to find them? I'm going to share with you guys five different ways on how you can hunt for GCP tokens. And first of, one of them is command injection; I mean, obviously, right, like, command injection, you can do so much, right? But the question is how to look for them. I see many people, like, they just run normal, normal payloads; actually you can find patterns sometimes. Like, I don't know, when I see for example a list within a string, that's, that's a candidate for eval; people would run eval
on that many times. If I see like, uh, a dictionary within a string, that's also another form to look for; sometimes you would see function names within the value, sometimes you would see object calls to classes, that's also something that could probably run behind eval. And these are like some patterns you could look for to actually try, try command injection payloads on, because they usually run behind eval, which is a straightforward command injection. I found that, actually, in one of the targets; you can see, guys, it's, it's a blind command injection, 'cause I was running the listener, I got the hit back, but then, like, it doesn't show anything here, of course. So the payload was simply,
I'm, I'm doing the same thing that we did in the GitHub script earlier, remember? I'm just calling the metadata API, but I'm piping that output and sending it to my, uh, attacker-controlled server. So this is how the request looks like, just simplifying it for you guys: there's a payment history API, you, um, I mean parameter, you just do os.system, you call the metadata, send it to your attacker server, and hallelujah, you get, you get a ping back with, with a token, and you can take the token and do everything we did here, you know. So that's a very good entry point to look for. Um, I see so many times, like, people really underestimate fuzzing. So beyond,
like, looking just for patterns, you can fuzz your way to that stuff: you can just provide a wordlist with so many payload injection, uh, I mean command injection payloads and as of payloads, but like you can change that to IP, so that, and you run it on a target, and there's so many times you can get to, like, for example, the example I showed you guys earlier, you can find it with fuzzing. I even mentioned that on Twitter, I mentioned fuzzing APIs is so underrated, and I've seen many people, they don't take it seriously, and yeah, it's kind of award also go to yourself, right.

I'm now going to move to the second way to find OAuth
tokens, which again can allow you to do all these privilege escalations: service account leaks on GitHub. You know, but I believe this because I've seen so many organizations, they just give service accounts to all of the, their employees, and they have pretty easy access, you know, and the chances one of them is going to push it to GitHub publicly is very high. So I told you guys, remember, I'm running this GitHub monitoring tool, and, uh, it actually consumes one of the databases on GCP, it's called f; I'm just providing it a list, with a list of keywords, so it does the search and it scrapes GitHub and it looks for these keywords, and you can see here, of course,
there's a Snapchat, there's like PayPal, there's other things, like there's so many, the list is huge, I'm just showing an example. This is, for example, a signature to look for service accounts from GitHub, and the script is doing exactly that, and many times they found service accounts in plaintext on GitHub publicly. And you see, like, there is a signature, you can just look for it on GitHub. How you can, like, now, once you find this account, this JSON file, how you can use it: you can simply call gcloud or provide the credentials, it's going to give you access to that account, then you can just print the access token, and again, as I mentioned, if you
have the OAuth token you can do everything we've done earlier, right. So even Google mentioned they have observed some customers leaking that stuff publicly, and there are so many attackers picking up that stuff very quickly, like on the spot. I mean, I tried this myself, I tried to put a token there and see how it's going to get used, and, you know, that's why you got to be so quick, that's why I have the monitoring tool running every 10 minutes, like you got to be so quick to finding that. The third story is like when SSRF meets CRLF injection, that's a sad story, at least from my perspective. The context behind this is,
you know, guys, if you want to call the metadata API on GCP you always need to provide this Metadata-Flavor. It wasn't the case a few years ago, you know, like once upon a time I've had instances where I found this, for example, like SSRF through a PDF parsing, um, engine, and you can just pass v1beta1, right, and you can get the access token, and again you can do everything with the access token. But unfortunately Google have actually, uh, solved, I mean fixed that, they started requiring it now everywhere. So this is the context, but like there is something I've been fantasizing about, it's a short story that never happened and
this breaks my heart, and the reason is, for example, when someone reported the SSRF internally, um, first thing that's come to mind is this finding, which is: oh, there is a CRLF injection in urllib, right. So first thing I asked is, did we try CRLF injection within the SSRF? The idea is the following: so, you know, I mentioned earlier, in a normal request to the metadata you must add this header, so you cannot just send this request, you cannot get a hit back for the token just using this, right. So the idea is, how about we just put a CRLF injection within an SSRF, right, you just use, like, the newline characters
and hopefully you want the request to be forwarded like that. So that's an epic fail. Um, unfortunately, even within the version I showed you guys, not only it was fixed in the library itself, but even Python versions, most recent Python versions, they automatically have fixed that already, and yeah, because it's using http.client underneath, so it's solved in most Python versions even if you have an old version. So yeah, that's, uh, the never-met CRLF injection, so that's the end of the sad story. The fourth way I'm going to share with you guys, of course it's very hard, but like if you have compromised hosts, if you can
access some machines, you can always echo this variable, which is going to give you exactly the location of the service account, and there are also, like, some SQLite caches for gcloud or GCP commands where actually it caches the access tokens and the refresh tokens. You can always do the OAuth dance and you can always secure a new access token. The fifth way: a lot of you guys know about JS leaks generally, but like have you ever seen this, a service account in a JS file? This is why you guys should probably always monitor JS files, it's a treasure hunting kind of, one of the best resources to find. So yeah, these are
like the five ways I wanted to share with you guys today. But hey, defenders, I didn't forget about you guys. Um, how to minimize the risk of lateral movement: if you guys noticed this conversation I've had with someone internally, you need to have proper alerting. So I have created a lot of alerting around that, such that I've noticed one account, it was like really unusual, it has some unusual usage, and then I flagged it to our dev team and they were like, oh, actually that's just us, we were testing. So if you have like proper alerting you can always find that stuff if someone is trying to exploit it in your environment, but like even better
than alerting, you need to have proper defense in depth. So this is where you need to ditch all the, uh, JSON key files, you don't want to have them, you could always use something called Workload Identity. Um, least privilege: so instead of giving anyone editor access or owner access, just create a custom role with very specific limited permissions and assign it to DevOps, assign it to developers, assign it to everyone. Um, of course there's also dangerous permissions you should avoid. Look, if any of you guys are using GCP in your organization and you have editor, owner, viewer, you have a job to do right now before anything else,
like this is something for me it's non-negotiable, like you should never ever have in your organization anything that is editor, owner, viewer, that's a lazy way to do it, to be honest. So there are some other roles you want to avoid, but sometimes you can't avoid them, but like the first one, editor, viewer, owner, that's non-negotiable. Um, so yeah, now links and resources: some of the tools I used in this talk, unfortunately the disclaimer here is it's very customized to the use case I was working on, it's still buggy. I'm going to share it with you guys, I'd be happy to share it, but I guess not going to be I expect
it's going to be work magically like for all the cases, so that's the disclaimer. The other one is GitHub monitor, I'll be happy to share it with you guys as well. Um, so some helpful GCP APIs for reconnaissance, I'm going to just attach them to these slides, I'm not going to talk about them here, so I'm skipping this, and that was it guys, thank you very much. Um, yeah this such after that we ready was