{"id":367,"date":"2025-08-12T08:02:31","date_gmt":"2025-08-12T08:02:31","guid":{"rendered":"https:\/\/hackingwithj.com\/?p=367"},"modified":"2025-08-12T08:02:31","modified_gmt":"2025-08-12T08:02:31","slug":"phishing-myself","status":"publish","type":"post","link":"https:\/\/hackingwithj.com\/?p=367","title":{"rendered":"Phishing myself"},"content":{"rendered":"\n<p>One part of pentesting can involve Social Engineering attacks to get access to systems. That means you sometimes need to know how to run an effective phishing campaign \u2014 whether through email or even by phone (vishing).<\/p>\n\n\n\n<p>Over the last two weeks, I\u2019ve been diving into phishing via email, with my main target being\u2026 myself. The goal was simple: use OSINT to gather the info needed to craft a convincing email and trick <em>me<\/em> into clicking a malicious link. In this post, I\u2019ll walk through that OSINT process, the tools I used, and how I set them up.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>This blog post is for <strong>educational purposes only<\/strong>. Do not attempt this on systems or people without permission. In many countries, sending phishing emails without authorization is illegal.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">What Bad Phishing Emails Look Like<\/h2>\n\n\n\n<p>Before we write a <em>good<\/em> phishing email, it\u2019s important to understand what makes a <em>bad<\/em> one. Chances are, you\u2019ve already received a few in your inbox. Here\u2019s one I got recently:<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"570\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/Schermafbeelding-2025-08-12-093053-1024x570.png\" alt=\"\" class=\"wp-image-385\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/Schermafbeelding-2025-08-12-093053-1024x570.png 1024w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/Schermafbeelding-2025-08-12-093053-300x167.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/Schermafbeelding-2025-08-12-093053-768x428.png 768w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/Schermafbeelding-2025-08-12-093053.png 1487w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>This one\u2019s in Dutch (my native language), but phishing mistakes are universal. Let\u2019s break down what\u2019s wrong here:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Generic greeting<\/strong> \u2013 They just start with \u201cGefiliciteerd!\u201d If they really knew me, why not use my name? This screams \u201cmass mailing list.\u201d<\/li>\n\n\n\n<li><strong>Grammatical errors<\/strong> \u2013 Dutch is a tricky language, but still\u2026 at least run it through a spell checker.<\/li>\n\n\n\n<li><strong>Suspicious sender address<\/strong> \u2013 Always a red flag. At least try to make it <em>look<\/em> like the domain or company you\u2019re spoofing.<\/li>\n\n\n\n<li><strong>Mismatched URLs<\/strong> \u2013 They have multiple links that all point to completely unrelated sites. That\u2019s instant suspicion.<\/li>\n<\/ul>\n\n\n\n<p>Sometimes I wonder if these attackers are even trying \u2014 but if even 1 out of 10 million people click, it\u2019s still a \u201cwin\u201d for them.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Basic OSINT for Phishing<\/h2>\n\n\n\n<p>Now that we know what <em>not<\/em> to do, let\u2019s gather the info we need to craft a better phishing email. OSINT (Open Source Intelligence) is key here \u2014 the more you know about your target, the more believable your email will be. In my case, I\u2019m \u201cattacking\u201d my own blog, so I\u2019m looking for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Name<\/strong> of the target<\/li>\n\n\n\n<li><strong>Email address<\/strong><\/li>\n\n\n\n<li><strong>Type of blog software<\/strong> and <strong>plugins<\/strong> used<\/li>\n<\/ul>\n\n\n\n<p>Some quick tools and commands for that:<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-30651269208ad987f94192d1025a8e9c\"><code>wig &#91;url]                # Detects which CMS\/software the site is running  \nwpscan &#91;url] -e u         # Enumerates WordPress users  \ndig soa &#91;url]             # Looks up domain registration contact info  <\/code><\/pre>\n\n\n\n<p>Also, don\u2019t forget: sometimes the site\u2019s own contact page is the easiest place to find an email address.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>Important<\/strong>: Stick to <em>passive<\/em> OSINT. You don\u2019t want to make noise that alerts your target or tips off security systems.<\/p>\n<\/blockquote>\n\n\n\n<p>Once we\u2019ve collected the basics, we can start crafting the phishing email. But we can\u2019t just send it from our real email address \u2014 we need it to look like it\u2019s coming from someone \u201cinside\u201d the organization. That\u2019s where some extra tooling comes in\u2026<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Tooling<\/h1>\n\n\n\n<p>There\u2019s a lot of tooling out there for phishing campaigns, but for this project I experimented with two: <strong>GoPhish<\/strong> and <strong>Evilginx<\/strong>. Before we can use them effectively, we need some infrastructure \u2014 namely a <strong>domain<\/strong>, a <strong>VPS<\/strong>, and ideally a <strong>Google Workspace (G Suite) account<\/strong> tied to that domain. That last one helps bypass some spam filters since the emails come from a domain that\u2019s considered more \u201ctrusted.\u201d<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Domain<\/h2>\n\n\n\n<p>SIn the bad phishing example earlier, the sender\u2019s domain looked nothing like the company it was impersonating. That\u2019s an immediate red flag. So, let\u2019s make it a bit more convincing using a few tricks:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Don\u2019t buy a blacklisted domain<\/strong><br>This will tank your email deliverability before you even begin. Always check using tools like <a class=\"\" href=\"https:\/\/mxtoolbox.com\/\">mxtoolbox.com<\/a>.<br><em>(Side note: the domain I bought for testing somehow landed on <strong>two<\/strong> blacklists already. Oops. Funny, but not ideal.)<\/em><\/li>\n\n\n\n<li><strong>Typosquatting (Domain Permutations)<\/strong><br>Register a domain with small spelling or character changes (e.g., <code>hackingwithi.com<\/code>). People often don\u2019t notice because our brains autocorrect when reading quickly.<\/li>\n\n\n\n<li><strong>Subdomain Spoofing via Hyphenation<\/strong><br>Instead of using something like <code>login.example.com<\/code> (which you can\u2019t buy), register <code>login-example.com<\/code>. The dash makes it look like a subdomain at first glance.<\/li>\n\n\n\n<li><strong>Alternative Top-Level Domains (TLDs)<\/strong><br>If the target uses <code>.com<\/code>, grab <code>.cam<\/code>, <code>.co<\/code>, <code>.biz<\/code>, etc. At a glance, many won\u2019t notice the difference.<\/li>\n<\/ul>\n\n\n\n<p>For my test, I went with <strong>hackingwithj.cam<\/strong> \u2014 and honestly, in a split second it\u2019s hard to spot the difference. Plus, it only cost me around \u20ac5, which was totally worth it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Virtual Private Server (VPS)<\/h2>\n\n\n\n<p>Hosting everything on your own machine isn\u2019t the smartest move. A VPS keeps things isolated and lets you operate from the cloud. Any basic provider will work, as long as you have a public IP and stay within their terms of service. For example, <strong>DigitalOcean<\/strong> gives you free starting credit, which is perfect for spinning up a small droplet with basic specs. That\u2019s more than enough for a test project like this.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Programs<\/h2>\n\n\n\n<p>For this experiment, I picked two open-source tools designed specifically for phishing: <strong>GoPhish<\/strong> and <strong>Evilginx<\/strong>. Both are actively developed and feel polished, which is a big plus when you\u2019re learning. You might wonder why I didn\u2019t go with the <strong>Social Engineering Toolkit (SET)<\/strong> \u2014 mostly because it\u2019s more of an all-rounder, with a lot of modules I didn\u2019t need for this project. SET is great, but for email-based phishing specifically, I found GoPhish and Evilginx to be more focused. That said, I\u2019ll probably circle back to SET in the future for a deeper dive.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Setting everything up<\/h1>\n\n\n\n<p>Both tools work a little differently, so the setup process is also a bit different for each. But before we even touch GoPhish or Evilginx, we need to make sure our emails actually land in the inbox instead of vanishing into spam.<\/p>\n\n\n\n<p>Our domain is fairly new, and that means spam filters are not exactly our best friends yet. To boost our success rate, we can route our emails through a more \u201ctrusted\u201d sender \u2014 in this case, Google. This doesn\u2019t just make delivery easier, it also makes the whole thing look a lot more legitimate from the recipient\u2019s point of view. The process is straightforward:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to the Google Workspace <a href=\"https:\/\/admin.google.com\/\">signup<\/a> page.<\/li>\n\n\n\n<li>Create a trial account with your test domain (you can cancel it later to avoid charges).<\/li>\n\n\n\n<li>Choose a believable sender name like <code>IT-support@domain.com<\/code> or <code>admin@domain.com<\/code>.<\/li>\n\n\n\n<li>Add the required DNS records to verify the domain.<\/li>\n<\/ol>\n\n\n\n<p>Once your domain is verified, it\u2019s time to install <strong>GoPhish<\/strong> and <strong>Evilginx<\/strong>. I created an <strong><a href=\"https:\/\/github.com\/misterspicyj\/phishing\">installation script for both<\/a><\/strong> \u2014 this way, you don\u2019t have to manually edit configuration files, and it also automates the process of setting up a phishing campaign.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">GoPhish<\/h1>\n\n\n\n<p>GoPhish comes with a nice web interface that makes building phishing campaigns surprisingly easy. For my test, I wanted to phish myself (yes, really) and see how convincing I could make it.<\/p>\n\n\n\n<p>Since I know my own blog runs on WordPress, a fake WordPress login page seemed perfect. In GoPhish, creating this is simple \u2014 in the <em>Landing Pages<\/em> section, I clicked <strong>New Page<\/strong>, hit <strong>Import Site<\/strong>, and pointed it to the real login page.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"476\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/image-62-1024x476.png\" alt=\"\" class=\"wp-image-376\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/image-62-1024x476.png 1024w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/image-62-300x140.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/image-62-768x357.png 768w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/image-62-1536x715.png 1536w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/image-62.png 1580w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Now, I did run into one small problem: the login didn\u2019t actually work at first. Turns out, GoPhish doesn\u2019t like certain <code>&lt;script&gt;<\/code> tags in the page. Deleting them manually fixed it.<\/p>\n\n\n\n<p>Next, I needed to set up a sending profile for <code>hackingwithj.cam<\/code> so GoPhish could actually send my emails. I used my GSuite account for this, but had to configure an SMTP relay because Gmail was blocking the traffic. The quick fix was to tunnel it like this:<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-17618e2d09932604227aaf3341921bb2\"><code>ssh -N -R 2525:smtp-relay.gmail.com:587 root@<\/code><\/pre>\n\n\n\n<p>Then we can setup the sending profile as follows:<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"741\" height=\"659\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/image-63.png\" alt=\"\" class=\"wp-image-377\" style=\"width:614px;height:auto\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/image-63.png 741w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/image-63-300x267.png 300w\" sizes=\"auto, (max-width: 741px) 100vw, 741px\" \/><\/figure>\n\n\n\n<p>Then the only 2 things left to do: users &amp; email setup, for the first one you just have to do your OSINT good and for the second one we can use ChatGPT to With that in place, I just created the sending profile in GoPhish, added my test \u201cvictims\u201d (also me), and crafted the email. For the email body, ChatGPT is surprisingly handy \u2014 I asked it to write something like:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cThere\u2019s an issue with your WordPress plugin X. Please log in to fix it.\u201d<\/p>\n<\/blockquote>\n\n\n\n<p>From there, I tweaked it to make it sound natural and added some HTML styling so it matched my site. In my test, I ran a small campaign and added a screenshot here showing how the campaign captures info from the mailing list.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"560\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/image-64-1-1024x560.png\" alt=\"\" class=\"wp-image-379\" style=\"width:982px;height:auto\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/image-64-1-1024x560.png 1024w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/image-64-1-300x164.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/image-64-1-768x420.png 768w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/image-64-1-1536x839.png 1536w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/image-64-1.png 1583w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>What I like the most is the tracking feature \u2014 this can also help you confirm certain email addresses from the target, because you know they opened the email.<\/p>\n\n\n\n<p>While GoPhish gives you a polished interface and solid email tracking, it mainly focuses on capturing static credentials through fake login pages. But what if your target uses MFA or more advanced login protections?<\/p>\n\n\n\n<p>That\u2019s where Evilginx shines. Instead of just showing a fake page, it acts as a live proxy between the victim and the real site \u2014 capturing not only usernames and passwords but also multi-factor tokens in real time. Let\u2019s see how it works.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Evilginx<\/h1>\n\n\n\n<p>Evilginx works a bit differently from GoPhish. It doesn\u2019t bother with a fancy landing page editor \u2014 instead, its strength is acting as a man-in-the-middle proxy. And yes, it even rickrolls anyone who doesn\u2019t hit the exact URL. Running it is stupidly easy with my install script. Just execute it and it will spin up Evilginx with a default phishlet for a WordPress login page. You can swap it out for another phishlet easily, but if you just run it as-is, you\u2019ll have a working phishing URL in about a minute.<\/p>\n\n\n\n<p>Once you\u2019ve got the link, you can send it to your target (GSuite mail works well for avoiding spam) and start catching logins. Unlike a static fake page, Evilginx sits in between the victim and the real site \u2014 meaning you don\u2019t just grab their username and password, you can also capture MFA tokens and replay them.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"90\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/image-65-1024x90.png\" alt=\"\" class=\"wp-image-381\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/image-65-1024x90.png 1024w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/image-65-300x26.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/image-65-768x67.png 768w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/image-65.png 1223w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>This makes it <em>very<\/em> effective, because even if your victim is using a hardware key or an authenticator app, Evilginx can still hijack the live session. For my test, I pointed it at a demo WordPress site. The moment the victim logs in, Evilginx quietly stores their credentials and session cookies \u2014 no extra alerts, no obvious warnings in the browser.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"271\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/image-66-1024x271.png\" alt=\"\" class=\"wp-image-382\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/image-66-1024x271.png 1024w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/image-66-300x79.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/image-66-768x203.png 768w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/image-66.png 1524w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>This is a demo site<\/em><\/figcaption><\/figure>\n\n\n\n<p>It\u2019s so easy and lightweight to run that it feels almost unfair.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Final notes<\/h1>\n\n\n\n<p>Both tools are great in their own ways, and I really enjoyed the process of setting everything up and, yes, even phishing myself. It\u2019s a humbling experience \u2014 seeing firsthand how convincing a carefully crafted email and landing page can be, even when you know it\u2019s coming.<\/p>\n\n\n\n<p>The best email I wrote was this one:<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"513\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/Schermafbeelding-2025-08-12-091617-1024x513.png\" alt=\"\" class=\"wp-image-383\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/Schermafbeelding-2025-08-12-091617-1024x513.png 1024w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/Schermafbeelding-2025-08-12-091617-300x150.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/Schermafbeelding-2025-08-12-091617-768x385.png 768w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/Schermafbeelding-2025-08-12-091617-1536x770.png 1536w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/Schermafbeelding-2025-08-12-091617.png 1564w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Honestly, I think I didn\u2019t do too bad of a job. If you\u2019re not super tech-savvy or don\u2019t spend much time thinking about IT security and website details, it\u2019s easy to imagine falling for something like this. That\u2019s what makes phishing such a powerful and dangerous technique. So please, don\u2019t try to phish me \u2014 let\u2019s keep things ethical and safe! <\/p>\n\n\n\n<p>These experiments remind me how critical it is to stay vigilant about emails asking for credentials or urgent actions. Even if something looks familiar, a second look and some skepticism can go a long way.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Lessons learned<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Preparation is key:<\/strong> Setting up your domain and routing mail through a trusted sender like Google Workspace dramatically improves your email deliverability. Without it, your carefully crafted emails might never reach the inbox.<\/li>\n\n\n\n<li><strong>Attention to detail matters:<\/strong> When cloning real sites for phishing pages, small things like scripts or security features can break your setup. Taking the time to troubleshoot and tweak the pages is essential for a believable campaign.<\/li>\n\n\n\n<li><strong>Tracking is powerful:<\/strong> Features like GoPhish\u2019s email open tracking help verify that your target engaged with the email. This can be a valuable tool during penetration tests or awareness campaigns to measure impact.<\/li>\n\n\n\n<li><strong>MFA isn\u2019t a silver bullet:<\/strong> Evilginx shows that multi-factor authentication can still be bypassed with clever man-in-the-middle attacks. It\u2019s a reminder that security is about layers, not just a single control.<\/li>\n\n\n\n<li><strong>Ethics first:<\/strong> Running phishing campaigns \u2014 even on yourself \u2014 is a great learning tool. But it\u2019s critical to stay ethical and only test where you have explicit permission. The goal is to improve security, not exploit it.<\/li>\n<\/ul>\n\n\n\n<p>Overall, this hands-on approach helped me understand the nuances of phishing beyond just theory. Hopefully, sharing these insights will help you get a feel for the process too \u2014 and maybe inspire you to explore this side of security responsibly.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>One part of pentesting can involve Social Engineering attacks to get access to systems. That means you sometimes need to know how to run an effective phishing campaign \u2014 whether through email or even by phone (vishing). Over the last two weeks, I\u2019ve been diving into phishing via email, with my main target being\u2026 myself. [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[7,17,35],"tags":[36,37,39,38],"class_list":["post-367","post","type-post","status-publish","format-standard","hentry","category-realworld","category-tooling","category-training","tag-evilginx","tag-gopish","tag-osint","tag-pishing"],"_links":{"self":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/367","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=367"}],"version-history":[{"count":8,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/367\/revisions"}],"predecessor-version":[{"id":386,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/367\/revisions\/386"}],"wp:attachment":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=367"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=367"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=367"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}