{"id":157,"date":"2023-02-09T13:21:42","date_gmt":"2023-02-09T12:21:42","guid":{"rendered":"https:\/\/babdcatha.net\/?p=157"},"modified":"2023-02-10T08:43:44","modified_gmt":"2023-02-10T07:43:44","slug":"hackthebox-stocker","status":"publish","type":"post","link":"https:\/\/babdcatha.net\/index.php\/2023\/02\/09\/hackthebox-stocker\/","title":{"rendered":"HackTheBox : Stocker"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Hello ! Today we are going to take a look at the <a href=\"https:\/\/app.hackthebox.com\/machines\/523\">Stocker<\/a> machine on HackTheBox. Here is a summary if you want to skip to some part of the exercise :<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#first_contact\">First contact<\/a><\/li>\n\n\n\n<li><a href=\"#login_bypass\">Login Bypass<\/a><\/li>\n\n\n\n<li><a href=\"#getting_a_shell\">Getting a shell<\/a><\/li>\n\n\n\n<li><a href=\"#privilege_escalation\">Privilege escalation<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"first_contact\">First contact<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">As always, we are going to start by doing a simple nmap scan of the target, to know what kind of machine we have in front of us :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-1\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"471\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/nmap-1.png\" alt=\"\" class=\"wp-image-161\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/nmap-1.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/nmap-1-300x147.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/nmap-1-768x377.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Here, we can see an ssh server running on the machine, as well as a web server. If we try to access the webserver with Firefox, it redirects us to <a href=\"http:\/\/stocker.htb\">http:\/\/stocker.htb<\/a>, so let&#8217;s add this address to \/etc\/hosts and go back to Firefox :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-2\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"944\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/initial_site-1.png\" alt=\"\" class=\"wp-image-162\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/initial_site-1.png 962w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/initial_site-1-300x294.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/initial_site-1-768x754.png 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We are given a basic page for a company buying and selling various items, the page is not really interactive, there is no login nor contact options. Let&#8217;s try to see if there are any interesting directories on the website :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">gobuster dir -w=$wordlist -u=\"http:\/\/stocker.htb\"<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-3\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"490\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/gobuster_1.png\" alt=\"\" class=\"wp-image-163\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/gobuster_1.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/gobuster_1-300x153.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/gobuster_1-768x392.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Nothing out of the ordinary, so let&#8217;s try to find subdomains using virtual hosts with ffuf. When first using it, we see a lot of 301 codes, so let&#8217;s filter them. The final command is :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">ffuf -w $wordlist -H \"Host : FUZZ.stocker.htb\" -u \"http:\/\/stocker.htb\" -mc all -fc 301<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-4\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"589\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/ffuf.png\" alt=\"\" class=\"wp-image-164\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/ffuf.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/ffuf-300x184.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/ffuf-768x471.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Bingo, we found the subdomain <a href=\"http:\/\/dev.stocker.htb\">http:\/\/dev.stocker.htb<\/a>, we add it to \/etc\/hosts and visit the page, this is what we get :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-5\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"944\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/dev_login_page.png\" alt=\"\" class=\"wp-image-165\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/dev_login_page.png 962w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/dev_login_page-300x294.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/dev_login_page-768x754.png 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We are onto something, we&#8217;ll need to find a way to get behind this page.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"login_bypass\">Login bypass<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We are in front of a locked gate, since we haven&#8217;t found any credentials yet. Let&#8217;s see what is around on the website :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-6\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"584\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/gobuster_dev.png\" alt=\"\" class=\"wp-image-166\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/gobuster_dev.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/gobuster_dev-300x183.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/gobuster_dev-768x467.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">One page sticks out : <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">\/stock<\/mark>, but we cannot access it without being logged in. Brute forcing the login page did not result in a success, so we are going to try other methods, such as SQL injections. Unfortunately, running sqlmap tells us that the target might not be vulnerable :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-7\"><img loading=\"lazy\" decoding=\"async\" width=\"940\" height=\"64\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/sqlmap_not_injectable.png\" alt=\"\" class=\"wp-image-167\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/sqlmap_not_injectable.png 940w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/sqlmap_not_injectable-300x20.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/sqlmap_not_injectable-768x52.png 768w\" sizes=\"auto, (max-width: 940px) 100vw, 940px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Maybe the application is not vulnerable to SQL injections, or maybe the database is not an SQL database, but a NoSQL database ? Let&#8217;s try some NoSQL injections to maybe find out. We are going to make a dumb login request and analyze the request made to the server it to see where we can inject our parameters. Basic injections such as <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"wasm\" class=\"language-wasm\">username[$ne]=aaaa&amp;password[$ne]=aaaa<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">did not work, but, if we try to directly send a json object instead of form-data as the request was originally using, the injection works. Using this request :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"json\" class=\"language-json\">{\"username\": {\"$ne\":\"aaaa\"},\"password\":{\"$ne\":\"aaaa\"}}<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full wp-duotone-unset-8\"><img loading=\"lazy\" decoding=\"async\" width=\"545\" height=\"493\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/request_nosql.png\" alt=\"\" class=\"wp-image-175\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/request_nosql.png 545w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/request_nosql-300x271.png 300w\" sizes=\"auto, (max-width: 545px) 100vw, 545px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We are redirected to <a href=\"http:\/\/dev.stocker.htb\/stock\">http:\/\/dev.stocker.htb\/stock<\/a>, and we can now access the page without any error :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-9\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"944\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/login_bypassed.png\" alt=\"\" class=\"wp-image-176\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/login_bypassed.png 962w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/login_bypassed-300x294.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/login_bypassed-768x754.png 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s now look around the site to see what this subdomain really is.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"getting_a_shell\">Getting a shell<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This looks like the development version of a shopping website, probably the one the company is going to use once it is ready. There are a few test items, but one interesting thing we find when we try to order on the site is that there is an API behind it. If we order a few items, we have the possibility of viewing an order summary, which redirects us to <a href=\"http:\/\/dev.stocker.htb\/api\/po\/$order_id\">http:\/\/dev.stocker.htb\/api\/po\/$order_id<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-10\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"944\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/shopping_summary.png\" alt=\"\" class=\"wp-image-177\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/shopping_summary.png 962w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/shopping_summary-300x294.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/shopping_summary-768x754.png 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Trying to enumerate the API gives us the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">\/api\/products<\/mark> endpoint, but nothing really interesting comes out of it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The order summaries we can get through the api are pdf files created based on our orders. Maybe there is a way for us to manipulate this data in our orders to create interesting summaries.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When we order something, this is the request sent to the server :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-11\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"942\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/request_purchase.png\" alt=\"\" class=\"wp-image-181\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/request_purchase.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/request_purchase-300x294.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/request_purchase-768x754.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Out of the fields present here, some are likely to also be on the generated pdf, like <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">price<\/mark>, <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">title<\/mark> and <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">amount<\/mark>. What if we tried to inject something into the title field for example ?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Using this request :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-12\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"942\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/request_order_xss.png\" alt=\"\" class=\"wp-image-183\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/request_order_xss.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/request_order_xss-300x294.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/request_order_xss-768x754.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We get an error when we then try to access the order summary for the newly created order :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-13\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"245\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/xss_server_error.png\" alt=\"\" class=\"wp-image-184\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/xss_server_error.png 962w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/xss_server_error-300x76.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/xss_server_error-768x196.png 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We get an error, it looks like like our injection worked ! We can now inject HTML into these order summaries. Injecting a full JavaScript reverse shell does not seem to work, but we can instead inject iframes to access files on the server. For example, by injecting :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"markup\" class=\"language-markup\">&lt;iframe src='file:\/\/\/etc\/passwd' width='1000' height='1000'&gt;<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">We get access to the passwd file of the server :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-14\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"944\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/etc_passwd.png\" alt=\"\" class=\"wp-image-189\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/etc_passwd.png 962w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/etc_passwd-300x294.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/etc_passwd-768x754.png 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We discover that the website uses MongoDB, and we find one interesting user : <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">angoose<\/mark>. Asking for \/home\/angoose\/.ssh\/id_rsa doesn&#8217;t return anything, so this user probably hasn&#8217;t any ssh keys stored, or we can&#8217;t access them with the user we currently control (probably www-data). Trying to access the bash history doesn&#8217;t work either. One other interesting place to look into could be the site&#8217;s code, since the JavaScript behind the site probably needs authentication to connect to the database, they might be stored somewhere, and indeed, this is what we find here : <\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-15\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"944\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/index.js_blur.png\" alt=\"\" class=\"wp-image-192\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/index.js_blur.png 962w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/index.js_blur-300x294.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/index.js_blur-768x754.png 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Bingo, we find a passphrase for the database. We can&#8217;t connect to it ourselves, but maybe someone reused passwords for different applications. Let&#8217;s try to ssh as angoose with this passphrase :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-16\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"471\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/ssh_angoose_blur.png\" alt=\"\" class=\"wp-image-193\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/ssh_angoose_blur.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/ssh_angoose_blur-300x147.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/ssh_angoose_blur-768x377.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Yay, we are in, and we can read the user flag, now, it&#8217;s time to get root !<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"privilege_escalation\">Privilege escalation<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">One of the first thing we usually do when trying to escalate our privileges on any Linux machine is see if the user can use sudo and what it can do with it. Here, we find that we can use node to execute JavaScript code as root, as long as the .js file we want to execute matches \/usr\/local\/scripts\/*.js.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-17\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"471\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/sudo_l_node.png\" alt=\"\" class=\"wp-image-196\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/sudo_l_node.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/sudo_l_node-300x147.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/sudo_l_node-768x377.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">But, it appears that we cannot write anything to this folder. Fortunately for us, using wildcards is highly dangerous, since this means that we can use directory traversal to execute any .js file on the system. For example, \/usr\/local\/scripts\/..\/..\/..\/tmp\/shell.js matches \/usr\/local\/scripts\/*.js.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, we upload our shell to .tmp, and execute it as root :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">sudo node \/usr\/local\/scripts\/..\/..\/..\/tmp\/shell.js<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">On our listener, we get a root shell :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-18\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"471\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/root_shell_blur.png\" alt=\"\" class=\"wp-image-197\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/root_shell_blur.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/root_shell_blur-300x147.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/02\/root_shell_blur-768x377.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">And we can read the root flag ! We won this machine !<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As usual, I hope you had fun with this machine !<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hello ! Today we are going to take a look at the Stocker machine on HackTheBox. Here is a summary if you want to skip to some part of the exercise : First contact As always, we are going to start by doing a simple nmap scan of the target, to know what kind of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[4],"tags":[7,16,17,19,18],"class_list":["post-157","post","type-post","status-publish","format-standard","hentry","category-writeups","tag-ffuf","tag-hackthebox","tag-nosql","tag-stocker","tag-subdomain"],"featured_image_src":null,"author_info":{"display_name":"BabdCatha","author_link":"https:\/\/babdcatha.net\/index.php\/author\/admin4804\/"},"_links":{"self":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts\/157","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/comments?post=157"}],"version-history":[{"count":25,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts\/157\/revisions"}],"predecessor-version":[{"id":202,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts\/157\/revisions\/202"}],"wp:attachment":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/media?parent=157"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/categories?post=157"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/tags?post=157"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}