{"id":1979,"date":"2026-03-30T12:31:53","date_gmt":"2026-03-30T16:31:53","guid":{"rendered":"https:\/\/www.peteonsoftware.com\/?p=1979"},"modified":"2026-03-30T12:31:53","modified_gmt":"2026-03-30T16:31:53","slug":"hack-the-box-walkthrough-vantage","status":"publish","type":"post","link":"https:\/\/www.peteonsoftware.com\/index.php\/2026\/03\/30\/hack-the-box-walkthrough-vantage\/","title":{"rendered":"Hack the Box Walkthrough: Vantage"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/peteonsoftware.com\/images\/2026\/vantage_logo.png\" style=\"float:left;margin:.5rem;\" alt=\"HTB Vantage Logo\" title=\"HTB Vantage Logo\">Today, we&#8217;re tackling another Sherlock from HackTheBox called Vantage.  You can find the room <a href=\"https:\/\/app.hackthebox.com\/sherlocks\/Vantage?tab=play_sherlock\">here<\/a>.  Download the Vantage.zip from the page and use the password <em>hacktheblue<\/em> to unzip it.  Inside, you&#8217;ll find 2 .pcap files called <em>controller.2025-07-01.pcap<\/em> and <em>web-server.2025-07-01.pcap<\/em>.  We will use these to answer the 14 Task Questions on this challenge.  It is marked at &#8220;very easy&#8221;, but this does require some skill to pass it.  I admit that my Wireshark querying isn&#8217;t the best, so I am really enjoying this opportunity to practice and get better.  Our scenario is this:<\/p>\n<p><em>A small company moved some of its resources to a private cloud installation. The developers left the redirect to the dashboard on their web server. The security team got an email from the alleged attacker stating that the user data was leaked. It is up to you to investigate the situation.<\/em><\/p>\n<p>Let&#8217;s dig in.  I will say that I might not always take the best, most efficient way to find these answers, but I will find them honestly and in a way that hopefully you can repeat.  There are some questions when the answer could be found by a little brute force earlier in the process, but I wanted to try to have a methodology that would work in situations where brute force may not be practical (like real life situations).<\/p>\n<p><strong>Task 1: What tool did the attacker use to fuzz the web server ? (Format- include version e.g, nmap@7.80)<\/strong><\/p>\n<p>Because this question is asking about fuzzing a web server, I started by opening the <em>web-server.2025-07-01.pcap<\/em> file in Wireshark.  To fuzzing, we only care about http traffic.  So in the search bar in Wireshark, I just typed <em>http<\/em> and hit enter.  This returned 7482 of the 21650 total packets.  <\/p>\n<p><img decoding=\"async\" src=\"https:\/\/peteonsoftware.com\/images\/2026\/vantage_task1_query1.png\" alt=\"First search against the web server packet capture.\" title=\"First search against the web server packet capture.\"><\/p>\n<p>We can see a lot of requests and responses back to back.  If we go in the menu to Statistics -> Conversations -> TCP and check the IPv4 tab (there is nothing in IPv6), we see a TON of this traffic is coming from 117.200.21.26 and going to 157.230.81.229.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/peteonsoftware.com\/images\/2026\/vantage_task1_conversations.png\" alt=\"Task 1 TCP Conversation Statistics.\" title=\"Task 1 TCP Conversation Statistics.\"><\/p>\n<p>Next, I applied a filter of <em>http &#038;&#038; ip.src == 117.200.21.26<\/em> to see what that person is doing.  But we need the user agent.  You can dig through the packets and find what you want and <em>Right Click -> Apply as Column<\/em> and you&#8217;ll see that value for every request in the table.  But this is what I&#8217;m REALLY bad at.  I know the general makeup for network requests on the wire, but sometimes some things are hard to find.  Here&#8217;s an easy way to do the same thing.  Right Click in the Header of the results and choose <em>Column Preferences<\/em>.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/peteonsoftware.com\/images\/2026\/vantage_task1_newcolumn.png\" alt=\"Task 1 Adding a New Column Step 1.\" title=\"Task 1 Adding a New Column Step 1.\"><\/p>\n<p>Then click the Plus sign to add your custom column<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/peteonsoftware.com\/images\/2026\/vantage_task1_newcolumn_plus.png\" alt=\"Task 1 Adding a New Column Step 2.\" title=\"Task 1 Adding a New Column Step 2.\"><\/p>\n<p>A new column will appear titled &#8220;New Column&#8221; of type &#8220;Custom&#8221;. If you double click in each cell, you can edit.  Change your values to this and click <em>Apply<\/em> and <em>OK<\/em>.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/peteonsoftware.com\/images\/2026\/vantage_task1_newcolumn_values.png\" alt=\"Task 1 Adding a New Column Step 3.\" title=\"Task 1 Adding a New Column Step 3.\"><\/p>\n<p>This shows you the answer.  You can kind of skim down and see the same value over and over again of <em>Fuzz Faster U Fool v2.1.0-dev<\/em>.  The answer wants something with a mask of ****@*.*.*.  I happen to know that the popular fuzzing tool <em>ffuf<\/em> stands for &#8220;Fuzz Faster U Fool&#8221; (check out <a href=\"https:\/\/www.peteonsoftware.com\/index.php\/2024\/12\/24\/core-tools-to-know-ffuf\/\">my post I did<\/a> on <em>ffuf<\/em> for my Core Tools You Should Know series).  Using the abbreviation seems to meet that criteria and trying it completes the task.<\/p>\n<p><em><strong>Task 1 Answer: ffuf@2.1.0<\/strong><\/em><\/p>\n<p><strong>Task 2: Which subdomain did the attacker discover?<\/strong><\/p>\n<p>For this one, we already know that ffuf was being used to fuzz things.  What we care about were times when it returned <em>200 OK<\/em> or maybe even a redirect and not <em>404 Not Found<\/em>.  When I do that (using the IP we discovered above as the destination) with a filter like this<\/p>\n<pre>\r\nip.dst  == 117.200.21.26 &&  _ws.col.info == \"HTTP\/1.1 200 OK  (text\/html)\"\r\n<\/pre>\n<p>I get a bunch of results.  Most of them have a length of 596.<br \/>\n<img decoding=\"async\" src=\"https:\/\/peteonsoftware.com\/images\/2026\/vantage_task2_initialfilter.png\" alt=\"Task 2 Finding the Fuzz Results.\" title=\"Task 2 Finding the Fuzz Results.\"><\/p>\n<p>Let&#8217;s look for ones that don&#8217;t have that length.<\/p>\n<pre>\r\nip.dst  == 117.200.21.26 &&  _ws.col.info == \"HTTP\/1.1 200 OK  (text\/html)\" && frame.len != 596\r\n<\/pre>\n<p>That only gives me 12 and glancing at the first few, they all are hits to http:\/\/cloud.vantage.tech and then other paths.  So, there we go.<\/p>\n<p><em><strong>Task 2 Answer: cloud<\/strong><\/em><\/p>\n<p><strong>Task 3: How many login attempts did the attacker make before successfully logging in to the dashboard?<\/strong><\/p>\n<p>Okay.  First, what is the login URL?  We&#8217;d know already if this was truly ours, but looking at one of the 12 responses, I see a request to http:\/\/cloud.vantage.tech\/dashboard\/auth\/login\/.  So there we go.  Let&#8217;s dig in there.<\/p>\n<pre>\r\nip.dst  == 117.200.21.26 &&  http.request.uri == \"\/dashboard\/auth\/login\/\"\r\n<\/pre>\n<p>That attacker hitting that URI happened 4 times.  3 of them returned <em>200 OK<\/em> and one returned <em>302 Found<\/em>.  The 302 is the redirect to let them in.  That means they failed 3 times.<\/p>\n<p><em><strong>Task 3 Answer: 3<\/strong><\/em><\/p>\n<p><strong>Task 4: When did the attacker download the OpenStack API remote access config file? (UTC)<\/strong><br \/>\nSo, step one, what even is that?  What I do know is that a file was downloaded.  If we use Wireshark and choose File -> Export Objects -> HTTP, we get a list of objects in the capture.  Since this is a file and not a small HTML file, I clicked the Size header to sort by size descending.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/peteonsoftware.com\/images\/2026\/vantage_task4_objectlist.png\" alt=\"Task 4 Object List.\" title=\"Task 4 Object List.\"><\/p>\n<p>I scrolled down a little and there are 2 packets that are 1941 bytes each that have a filename of <em>openrc<\/em>.  They are packets 21256 and 21260.  Looking at those 2 packets, 20707 went from 10.116.0.4 to 10.116.0.3.  20711 went from 157.230.81.229 to our guy at 117.200.21.26. They also have the same timestamp on them, so we win either way.  I&#8217;m just showing the relevant part under Hypertext Transfer Protocol<\/p>\n<pre>\r\nHypertext Transfer Protocol, has 3 chunks (including last chunk)\r\n    HTTP\/1.1 200 OK\\r\\n\r\n        Response Version: HTTP\/1.1\r\n        Status Code: 200\r\n        [Status Code Description: OK]\r\n        Response Phrase: OK\r\n    Date: Tue, 01 Jul 2025 09:40:29 GMT\\r\\n\r\n    Server: Apache\/2.4.58 (Ubuntu)\\r\\n\r\n    Content-Disposition: attachment; filename=\"admin-openrc.sh\"\\r\\n\r\n<\/pre>\n<p><em><strong>Task 4 Answer: 2025-07-01 09:40:29<\/strong><\/em><\/p>\n<p><strong>Task 5: When did the attacker first interact with the API on controller node? (UTC)<\/strong><br \/>\nOkay, now we switch to opening the controller.2025-07-01.pcap file.  I added this filter and found the first HTTP request.<\/p>\n<pre>ip.src==117.200.21.26 && http<\/pre>\n<p>Within the Frame, we have this and it gives us the answer.<\/p>\n<pre>\r\nFrame 8490: Packet, 293 bytes on wire (2344 bits), 293 bytes captured (2344 bits)\r\n    Encapsulation type: Linux cooked-mode capture v2 (210)\r\n    Arrival Time: Jul  1, 2025 05:41:44.667723000 EDT\r\n    UTC Arrival Time: Jul  1, 2025 09:41:44.667723000 UTC\r\n    Epoch Arrival Time: 1751362904.667723000\r\n<\/pre>\n<p><em><strong>Task 5 Answer: 2025-07-01 09:41:44<\/strong><\/em><\/p>\n<p><strong>Task 6: What is the project id of the default project accessed by the attacker?<\/strong><br \/>\nThis is another one where if people from our company were doing the forensics, we&#8217;d already know how to look.  But you and I are guessing, so I made an assumption that the URL would have project in it and did this filter<\/p>\n<pre>\r\nip.src==117.200.21.26 && http.request.uri contains \"project\"\r\n<\/pre>\n<p>That gives me only 5 requests and one looks super obvious.  If I right-click on that one and choose Follow -> HTTP Stream we get this, which contains our answer.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/peteonsoftware.com\/images\/2026\/vantage_task6_initialfilter.png\" alt=\"Task 6 Initial Filter.\" title=\"Task 6 Initial Filter.\"><\/p>\n<pre>\r\nGET \/identity\/v3\/projects?domain_id=default&name=admin HTTP\/1.1\r\nHost: 134.209.71.220\r\nUser-Agent: openstacksdk\/4.6.0 keystoneauth1\/5.11.1 python-requests\/2.32.4 CPython\/3.13.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: application\/json\r\nConnection: keep-alive\r\nX-Auth-Token: gAAAAABoY67QSl3AarKC9p_FCUhm-zdlkNPcgfqpHncXtnKqPhHgH79XnHa-4IrDf4WlL8QpLiKIQOE8C4kq3Tv21nkTpzMAuGXwLZkEeexqQlLfUtyrhmGjKsFvflRlIEZb0A-1oQZLVzdk1021QkPqjVjFonIEIEBgH0oZll7xE2hp7Scnm2o\r\n\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Tue, 01 Jul 2025 09:48:01 GMT\r\nServer: Apache\/2.4.58 (Ubuntu)\r\nContent-Type: application\/json\r\nContent-Length: 476\r\nVary: X-Auth-Token\r\nx-openstack-request-id: req-14b6f50c-12f4-48f9-be96-898430e4fe66\r\nConnection: close\r\n\r\n{\"projects\": [{\"id\": \"9fb84977ff7c4a0baf0d5dbb57e235c7\", \"name\": \"admin\", \"domain_id\": \"default\", \"description\": \"Bootstrap project for initializing the cloud.\", \"enabled\": true, \"parent_id\": \"default\", \"is_domain\": false, \"tags\": [], \"options\": {}, \"links\": {\"self\": \"http:\/\/134.209.71.220\/identity\/v3\/projects\/9fb84977ff7c4a0baf0d5dbb57e235c7\"}}], \"links\": {\"next\": null, \"self\": \"http:\/\/134.209.71.220\/identity\/v3\/projects?domain_id=default&name=admin\", \"previous\": null}}\r\n<\/pre>\n<p><em><strong>Task 6 Answer: 9fb84977ff7c4a0baf0d5dbb57e235c7<\/strong><\/em><\/p>\n<p><strong>Task 7: Which OpenStack service provides authentication and authorization for the OpenStack API?<\/strong><br \/>\nI literally just Googled the question.  The answer came right up.<\/p>\n<p><em><strong>Task 7 Answer: keystone<\/strong><\/em><\/p>\n<p><strong>Task 8: What is the endpoint URL of the swift service?<\/strong><br \/>\nI have no idea what this is either.  This is another thing that if you worked for a company (or were even doing an investigation for a company that contracted you), you would have intel on this kind of thing.  As it is, I googled it, the AI overview included this<\/p>\n<pre>Structure: http:\/\/<controller-ip>:8080\/v1\/AUTH_<tenant_id><\/pre>\n<p>Okay, so I went into Statistics -> Http -> Requests.  I scanned down until I found the part hitting port 8080 with a <em>\/V1\/Auth<\/em> pattern and bingo.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/peteonsoftware.com\/images\/2026\/vantage_task8_swiftservice.png\" alt=\"Task 8 Statistics Http Requests.\" title=\"Task 8 Statistics Http Requests.\"><\/p>\n<p><em><strong>Task 8 Answer: http:\/\/134.209.71.220:8080\/v1\/AUTH_9fb84977ff7c4a0baf0d5dbb57e235c7<\/strong><\/em><\/p>\n<p><strong>Task 9: How many containers were discovered by the attacker?<\/strong><br \/>\nSo I did a filter of <em>http.request.uri == &#8220;\/v1\/AUTH_9fb84977ff7c4a0baf0d5dbb57e235c7?format=json&#8221;<\/em>.  This gave me 2 results.  I right clicked on the first one and chose <em>Follow -> HTTP Stream<\/em>.  I can see that the response back was <\/p>\n<pre>\r\n[{\"name\": \"dev-files\", \"count\": 0, \"bytes\": 0, \"last_modified\": \"2025-07-01T04:22:36.008860\", \"storage_policy\": \"Policy-0\"}, {\"name\": \"employee-data\", \"count\": 0, \"bytes\": 0, \"last_modified\": \"2025-07-01T04:22:28.334080\", \"storage_policy\": \"Policy-0\"}, {\"name\": \"user-data\", \"count\": 0, \"bytes\": 0, \"last_modified\": \"2025-07-01T04:22:07.707130\", \"storage_policy\": \"Policy-0\"}]\r\n<\/pre>\n<p>That represents 3 containers: dev-files, employee-data, and user-data.<\/p>\n<p><em><strong>Task 9 Answer: 3<\/strong><\/em><\/p>\n<p><strong>Task 10: When did the attacker download the sensitive user data file? (UTC)<\/strong><br \/>\nIf we look at the statistics again, we see a download of user-details.csv.  If I put the filter to <em>http.request.uri == &#8220;\/v1\/AUTH_9fb84977ff7c4a0baf0d5dbb57e235c7\/user-data\/user-details.csv&#8221;<\/em> and right click and chose <em>Follow -> HTTP Stream<\/em>, you can see the time.<\/p>\n<pre>\r\nHTTP\/1.1 200 OK\r\nContent-Type: text\/csv\r\nEtag: 2197a57085557424cefc95f85efb7499\r\nLast-Modified: Tue, 01 Jul 2025 04:31:31 GMT\r\nX-Timestamp: 1751344290.17360\r\nAccept-Ranges: bytes\r\nContent-Length: 1367\r\nX-Trans-Id: tx89c3d915d2c64b1c8cda1-006863ae33\r\nX-Openstack-Request-Id: tx89c3d915d2c64b1c8cda1-006863ae33\r\nDate: Tue, 01 Jul 2025 09:45:23 GMT\r\nConnection: keep-alive\r\n<\/pre>\n<p><em><strong>Task 10 Answer: 2025-07-01 09:45:23<\/strong><\/em><\/p>\n<p><strong>Task 11: How many user records are in the sensitive user data file?<\/strong><br \/>\nSame request, same stream window I have up from Task 10.  You can see the response has this file&#8217;s contents and I count 28 records.<\/p>\n<pre>\r\nFull Name,Email,Phone Number\r\nJohn Doe,john.doe@example.com,(123) 456-7890\r\nJane Smith,jane.smith@example.com,(234) 567-8901\r\nAlice Johnson,a.johnson@example.com,(345) 678-9012\r\nBob Brown,b.brown@example.com,(456) 789-0123\r\nCharlie Davis,c.davis@example.com,(567) 890-1234\r\nDiana Wilson,d.wilson@example.com,(678) 901-2345\r\nEthan Moore,e.moore@example.com,(789) 012-3456\r\nFiona Taylor,f.taylor@example.com,(890) 123-4567\r\nGeorge Wilson,g.wilson@example.com,(901) 234-5678\r\nHelen Adams,h.adams@example.com,(012) 345-6789\r\nIan Lee,i.lee@example.com,(123) 456-7890\r\nJulia Smith,j.smith@example.com,(234) 567-8901\r\nKevin Miller,k.miller@example.com,(345) 678-9012\r\nLaura Evans,l.evans@example.com,(456) 789-0123\r\nMichael Thomas,m.thomas@example.com,(567) 890-1234\r\nNatalie Wilson,n.wilson@example.com,(678) 901-2345\r\nOliver Johnson,o.johnson@example.com,(789) 012-3456\r\nPenny Davis,p.davis@example.com,(890) 123-4567\r\nQuinn Lee,q.lee@example.com,(901) 234-5678\r\nRachel Moore,r.moore@example.com,(012) 345-6789\r\nSimon Evans,s.evans@example.com,(123) 456-7890\r\nTara Wilson,t.wilson@example.com,(234) 567-8901\r\nUma Johnson,u.johnson@example.com,(345) 678-9012\r\nVivian Lee,v.lee@example.com,(456) 789-0123\r\nWilliam Thomas,w.thomas@example.com,(567) 890-1234\r\nXander Wilson,x.wilson@example.com,(678) 901-2345\r\nYara Johnson,y.johnson@example.com,(789) 012-3456\r\nZoe Lee,z.lee@example.com,(890) 123-4567\r\n<\/pre>\n<p><em><strong>Task 11 Answer: 28<\/strong><\/em><\/p>\n<p><strong>Task 12: For persistence, the attacker created a new user with admin privileges. What is the username of the new user?<\/strong><br \/>\nFor this one, I went back to the statistics with all of the URLs and made some assumptions.  This API seems fairly well-designed in a &#8220;discoverable&#8221; sense.  That means I expect a user will be created by issuing a POST to a URL that has <em>user<\/em> or <em>users<\/em> in it.  Glancing in my list, I see <em>\/identity\/v3\/users<\/em>, so I changed my filter to <em>http.request.uri == &#8220;\/identity\/v3\/users&#8221;<\/em> to see what we get.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/peteonsoftware.com\/images\/2026\/vantage_task12_initialquery.png\" alt=\"Task 12 Initial Query.\" title=\"Task 12 Initial Query.\"><\/p>\n<p>Here we can see a POST and a response of 201-CREATED.  That seems promising.  If we right click and <em>Follow -> HTTP Stream<\/em> on the post request, we get this with our user&#8217;s name.<\/p>\n<pre>\r\nPOST \/identity\/v3\/users HTTP\/1.1\r\nHost: 134.209.71.220\r\nUser-Agent: openstacksdk\/4.6.0 keystoneauth1\/5.11.1 python-requests\/2.32.4 CPython\/3.13.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\nX-Auth-Token: gAAAAABoY67QSl3AarKC9p_FCUhm-zdlkNPcgfqpHncXtnKqPhHgH79XnHa-4IrDf4WlL8QpLiKIQOE8C4kq3Tv21nkTpzMAuGXwLZkEeexqQlLfUtyrhmGjKsFvflRlIEZb0A-1oQZLVzdk1021QkPqjVjFonIEIEBgH0oZll7xE2hp7Scnm2o\r\nContent-Type: application\/json\r\nContent-Length: 130\r\n\r\n{\"user\": {\"password\": \"P@$$word\", \"enabled\": true, \"default_project_id\": \"9fb84977ff7c4a0baf0d5dbb57e235c7\", \"name\": \"jellibean\"}}\r\nHTTP\/1.1 201 CREATED\r\nDate: Tue, 01 Jul 2025 09:48:02 GMT\r\nServer: Apache\/2.4.58 (Ubuntu)\r\nContent-Type: application\/json\r\nContent-Length: 312\r\nVary: X-Auth-Token\r\nx-openstack-request-id: req-70234e40-c6b0-4192-b478-e5cd3732d419\r\nConnection: close\r\n\r\n{\"user\": {\"id\": \"c373da67a62b48f393c45dc071fa80b8\", \"name\": \"jellibean\", \"domain_id\": \"default\", \"enabled\": true, \"default_project_id\": \"9fb84977ff7c4a0baf0d5dbb57e235c7\", \"password_expires_at\": null, \"options\": {}, \"links\": {\"self\": \"http:\/\/134.209.71.220\/identity\/v3\/users\/c373da67a62b48f393c45dc071fa80b8\"}}}\r\n\r\n<\/pre>\n<p><em><strong>Task 12 Answer: jellibean<\/strong><\/em><\/p>\n<p><strong>Task 13: What is the password of the new user?<\/strong><br \/>\nLooking at the results in Task 12, we can see the password they set.<\/p>\n<p><em><strong>Task 13 Answer: P@$$word<\/strong><\/em><\/p>\n<p><strong>Task 14: What is MITRE tactic id of the technique in task 12?<\/strong><br \/>\nOkay.  This isn&#8217;t in the files at all and just requires some research.  What did Task 12 ask us?  It was about creating an account for user persistence (rather than trusting credentials you cracked \/ uncovered, or leaving a command and control mechanism, etc).  Let&#8217;s google that.  I found out that that is <a href=\"https:\/\/attack.mitre.org\/techniques\/T1136\/\">T1136<\/a>, but the answer wants a sub-technique.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/peteonsoftware.com\/images\/2026\/vantage_task14.png\" alt=\"Task 14 on MITRE Page.\" title=\"Task 14 on MITRE Page.\"><\/p>\n<p>This was a Cloud Account (it wasn&#8217;t local to a machine, nor was it on a domain, so this is the most obvious choice), so that makes our answer clear.<\/p>\n<p><em><strong>Task 14 Answer: T1136.003<\/strong><\/em><\/p>\n<p>And that&#8217;s it.  This is one of the longest of these that I&#8217;ve done.  There was a lot of explanations and steps and documentation, but hopefully you all stuck around and I made enough sense to follow along. <\/p>\n<p><img decoding=\"async\" src=\"https:\/\/peteonsoftware.com\/images\/2026\/vantage_pwned.png\" alt=\"Vantage Pwned\" title=\"Vantage Pwned\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today, we&#8217;re tackling another Sherlock from HackTheBox called Vantage. You can find the room here. Download the Vantage.zip from the page and use the password hacktheblue to unzip it. Inside, you&#8217;ll find 2 .pcap files &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[153],"tags":[159,141,142],"class_list":["post-1979","post","type-post","status-publish","format-standard","hentry","category-capture-the-flag","tag-blue-team","tag-information-security","tag-infosec"],"_links":{"self":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/posts\/1979","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/comments?post=1979"}],"version-history":[{"count":0,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/posts\/1979\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/media?parent=1979"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/categories?post=1979"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/tags?post=1979"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}