Fix unmatched refs

src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-cloud-sync.md

@@ -85,8 +85,8 @@ https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/i
 > 注意，目前无法根据属性（例如在 Cloud Sync 配置中）向已同步用户授予 Azure 或 EntraID 角色。但是，为了自动授予已同步用户权限，可能会将某些 **Entra ID groups from AD** 授予权限，这样这些组内的已同步用户也会获得这些权限，或者可能使用 **dynamic groups**，因此务必检查动态规则及潜在的滥用方式：
 > 
 > {{#ref}}
-> ../az-privilege-escalation/az-entraid-privesc/dynamic-groups.md
-> {{#endref}}
+../az-privilege-escalation/az-entraid-privesc/dynamic-groups.md
+{{#endref}}
 
 Regarding persistence [this blog post](https://tierzerosecurity.co.nz/2024/05/21/ms-entra-connect-sync-mothods.html) suggest that it's possible to use [**dnSpy**](https://github.com/dnSpy/dnSpy) to backdoor the dll **`Microsoft.Online.Passwordsynchronisation.dll`** located in **`C:\Program Files\Microsoft Azure AD Sync\Bin`** that is used by the Cloud Sync agent to perform the password synchronization making it exfiltrate the password hashes of the users being synchronized to a remote server. 这些哈希在类 **`PasswordHashGenerator`** 内生成，博客建议添加一些代码，使该类看起来像下面这样（注意 `use System.Net` 和 `WebClient` 用于外泄密码哈希）：
 ```csharp