Uncover Hidden Passwords on Linux: From File Scans to Hash Cracking

This guide walks you through systematic Linux password hunting techniques—including searching filenames, scanning file contents, extracting credentials from web and config files, cracking hashes with Hashcat and John, leveraging hidden files, MySQL databases, backup archives, and automating discovery with LinPEAS—to elevate privileges and gain full root access.

Raymond Ops

0 Preface

In this article we explore techniques for hunting passwords on a target Linux machine as a means of lateral or vertical privilege escalation. We review common locations where passwords and password hashes are stored and demonstrate how to discover credentials in scripts, configuration files, filenames, and hash values.

It is common for users and even root to reuse passwords or leave them in readable locations.

Beyond obvious passwords, we can find password hashes or password‑protected files throughout the system. This article uses Hashcat and John for large‑scale cracking.

Whenever you discover a password on the system—whether during initial exploitation or post‑exploitation—you should test it against every possible user because password reuse is a widespread issue.

All examples use manual techniques, but at the end we also evaluate the automated tool LinPEAS.

1 Password search – Filenames and file content

The first step is to perform advanced searches for files whose names contain "password" and to search file contents for the string "password".

1.1 Finding interesting filenames

Before searching file contents, locate files whose names contain "password" or other interesting strings such as "config" or "php".

Use the following find command:

find / -exec ls -lad "{}" \; 2>/dev/null | grep -i "passw\|pwd"

This exhaustive search checks the entire filesystem for filenames containing "passw" (covers passw, passwd, password) or "pwd" (another common abbreviation).

You can also use the locate command for faster results:

locate 'passw'
locate 'pwd'
locate '*.php'

locate is fast because it searches a pre-built index.

1.2 Finding interesting strings

Use grep to search the whole filesystem for strings like "PASSW", "PASSWD", "PASSWORD", or "PWD":

grep --color=auto -rnw '/' -iIe "PASSW\|PASSWD\|PASSWORD\|PWD" --color=always 2>/dev/null

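The output highlights matches in red and file paths in purple, and shows line numbers. Because the output can be massive, narrow the search to specific directories such as /var/www, /tmp, /opt, or /home by changing into the directory and running the same command without the path argument, so that grep recurses from the current directory: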

grep --color=auto -rnw -iIe "PASSW\|PASSWD\|PASSWORD\|PWD" --color=always 2>/dev/null

2 Password search – Web files/Config files

Credentials are often found in the webroot directory (/var/www), especially in configuration files that store database connection details.

2.1 Passwords in config files

Navigate to /var/www/ and locate files like config.php. Note that you may not always find a file named config.php; look for any PHP file that might contain database credentials.

Inside config.php you might see clear-text credentials such as:

root:SuperS3cureP@ssw0rd

These credentials allow MySQL access but not necessarily a root shell. Test with su root to see if they work.

mysql -u root -p

Successful MySQL login enables further enumeration of databases and tables.
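The keyword search from section 1.2 and the config.php finding above can be turned into a defender's audit. The script below is an added example, not part of the original article: it reports only files that mention a password keyword and are readable by every local account, then removes that access. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list files under ROOT that mention a password keyword AND are
# readable by "other", i.e. by every local account on the host.

audit_world_readable_secrets() {
    # -perm -004 selects files whose "other" read bit is set.
    # grep -l prints file names only, so secret values never enter the report;
    # -I skips binary files, -i and the pattern mirror the search in section 1.2.
    find "$1" -type f -perm -004 -exec grep -lIiE 'passw|pwd' {} + 2>/dev/null |
    while IFS= read -r f; do
        # The first 10 characters of ls -ld are the permission string.
        printf '%s %s\n' "$(ls -ld "$f" | cut -c1-10)" "$f"
    done
}

# Drop all access for "other" on every reported file. Owner and group must
# already let the service that needs the file (e.g. the web server) read it.
restrict_reported_files() {
    audit_world_readable_secrets "$1" | while IFS= read -r line; do
        chmod o-rwx "${line#* }"
    done
}

# Constructed sample tree (not real data): an exposed config, an already
# restricted config, and a world-readable page that holds no credentials.
make_sample_tree() {
    d=$(mktemp -d)
    printf '%s\n' "define('DB_PASSWORD', 'constructed-value');" > "$d/config.php"
    printf '%s\n' "define('DB_PASSWORD', 'constructed-value');" > "$d/private.php"
    printf '%s\n' '<?php echo "hello"; ?>' > "$d/index.php"
    chmod 644 "$d/config.php" "$d/index.php"
    chmod 600 "$d/private.php"
    printf '%s\n' "$d"
}
```

Run audit_world_readable_secrets /var/www to get the report; an empty result after restrict_reported_files confirms that no credential file is left readable by unrelated accounts.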

2.2 Passwords in web files

WebDAV password files are often stored as htpasswd hashes. The example file passwd.dav contains an Apache-specific MD5 hash ($apr1$...). Identify the associated user (e.g., devops) and attempt to crack the hash with Hashcat:

hashcat -h | grep -i '$apr'
# mode 1600 identified
hashcat -m 1600 ./webdav.hash /usr/share/wordlists/rockyou.txt -o cracked.dav

The cracked password (DeVeLoPeR712) can be used to switch to the devops user.

3 Password search – Hidden files/folders

Hidden files and directories start with a dot (e.g., .bash_history, .ssh). List them with ls -la:

ls -la

3.1 Passwords in hidden files/folders

Inspect hidden directories such as .important and files like .password that may contain passwords (e.g., Password123!).

3.2 Passwords in Bash history

Review users' .bash_history files for commands that reveal credentials. For example, the juggernaut user’s history shows attempts to log into MySQL with root credentials.
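The exposure described above, a database password typed as a command-line argument and kept in .bash_history, can be detected before someone else reads it. The script below is an added example, not part of the original article: it flags such lines and masks the secret in the report. The function names and the sample history are constructed for illustration.

```shell
#!/bin/sh
# Added example: report history lines that carry a password as a command-line
# argument, with the secret masked so the report itself leaks nothing.

scan_history() {
    # Flags mysql-family clients given -pVALUE or --password=VALUE, and
    # sshpass -p VALUE. A bare "-p" (interactive prompt) is not flagged, and the
    # required leading whitespace keeps options such as --port from matching.
    grep -nE 'mysql[a-z]*([[:space:]].*)?[[:space:]](-p|--password=)[^[:space:]]+|sshpass[[:space:]]+-p[[:space:]]*[^[:space:]]+' "$1" |
    sed -E 's/(--password=|sshpass[[:space:]]+-p[[:space:]]*|[[:space:]]-p)[^[:space:]]+/\1[REDACTED]/g'
}

# Constructed sample history (not taken from a real system).
write_sample_history() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
cd /var/www
mysql -u root -pConstructedSecret1
mysql -u root -p
mysql --host=db1 --port=3306 -u app
mysqldump --password=ConstructedSecret2 shop > shop.sql
sshpass -p ConstructedSecret3 ssh deploy@10.0.0.5
EOF
    printf '%s\n' "$f"
}
```

Each hit is printed as line-number:command. A flagged password should be rotated, and the command replaced by the interactive -p prompt or by an option file readable only by its owner.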

3.3 SSH key passwords

Locate private keys (e.g., id_rsa) in .ssh directories. If the key is unencrypted, it can be used directly; otherwise, convert it with ssh2john and crack with John:

ssh2john juggernaut_id_rsa > jugg.john
john jugg.john --wordlist=/usr/share/wordlists/rockyou.txt

The cracked passphrase (P@ssw0rd) can be used to SSH into the target.
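Whether a private key is unencrypted, and therefore usable by anyone who can read the file, can be decided from its header alone. The script below is an added example, not part of the original article: it classifies key files without trying any passphrase. The function names and the header-only sample keys are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from the file header alone whether a private key is
# passphrase-protected. No passphrase is ever tried.

# Exit status: 0 = encrypted, 1 = NOT encrypted, 2 = not a recognised key.
key_is_encrypted() {
    case $(head -n 1 "$1" 2>/dev/null) in
    '-----BEGIN OPENSSH PRIVATE KEY-----')
        # openssh-key-v1 body: 15-byte magic "openssh-key-v1\0", a 4-byte
        # length, then the cipher name; unprotected keys use the name "none".
        cipher=$(sed '1d;$d' "$1" | tr -d '\r\n' | base64 -d 2>/dev/null |
                 dd bs=1 skip=19 count=4 2>/dev/null)
        [ -n "$cipher" ] || return 2
        [ "$cipher" != none ] ;;
    '-----BEGIN ENCRYPTED PRIVATE KEY-----')
        return 0 ;;    # PKCS#8 encrypted container
    '-----BEGIN '*'PRIVATE KEY-----')
        # Legacy PEM keys announce encryption in a Proc-Type header line.
        grep -q '^Proc-Type: 4,ENCRYPTED' "$1" ;;
    *)
        return 2 ;;
    esac
}

# Print every unprotected private key found under a directory.
audit_ssh_keys() {
    find "$1" -type f 2>/dev/null | while IFS= read -r k; do
        rc=0; key_is_encrypted "$k" || rc=$?
        if [ "$rc" -eq 1 ]; then printf 'UNENCRYPTED %s\n' "$k"; fi
    done
}

# Constructed samples: only the header fields of an openssh-key-v1 blob, with
# no key material. $1 is "plain" or "protected", $2 the file to write.
make_sample_key() {
    case $1 in
        plain)     hdr='openssh-key-v1\000\000\000\000\004none' ;;
        protected) hdr='openssh-key-v1\000\000\000\000\012aes256-ctr' ;;
    esac
    {
        echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        printf "$hdr" | base64
        echo '-----END OPENSSH PRIVATE KEY-----'
    } > "$2"
}
```

A key reported as UNENCRYPTED can be given a passphrase in place with ssh-keygen -p -f followed by the key path. The passphrase should not appear in common wordlists, since the section above shows a weak one being recovered from rockyou.txt.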

4 Password search – MySQL

After obtaining MySQL root credentials, enumerate databases:

mysql -u root -p
show databases;

Focus on the mysql database to retrieve user password hashes:

use mysql;
select * from user;

Validate hashes with SELECT PASSWORD('SuperS3cureP@ssw0rd'); the result should match the stored hash. Values in custom databases may be MD5 hashes, which are cracked with Hashcat, or Base64 strings, which are simply decoded.

4.1 Built‑in MySQL password hashes

hashcat -m 300 ./mysql.hash /usr/share/wordlists/rockyou.txt -o cracked.txt

Resulting password: letmein.

4.2 Custom database – MD5 hashes

Identify MD5 hashes, then crack with mode 0:

hashcat -m 0 ./webapp.hash /usr/share/wordlists/rockyou.txt -o webapp_cracked.txt

Recovered passwords: devops (same as earlier) and admin (new password).

4.3 Custom database – Base64

Decode Base64 strings (e.g., SXNoYWxsbjB0YmVjcmFja2VkIQo=) to obtain clear‑text passwords such as Ishalln0tbecracked!, which can be used for root login.

5 Password search – /var/backups folder

Inspect backup files for weak permissions or custom databases. Use strings on binary backups (e.g., pwds.db) to extract Unix $6$ SHA‑512 hashes, then crack with Hashcat mode 1800:

hashcat -m 1800 ./shadow.hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou-75.txt -o shadow.cracked

The recovered password can be used to elevate privileges.

6 Password search – Password‑protected files

Identify archives such as backup.rar owned by devops. Transfer the file via nc and extract with unrar. Since it is password‑protected, convert it with rar2john and crack:

rar2john ./backup.rar > john_rar
john john_rar --wordlist=/usr/share/wordlists/rockyou.txt

Cracked password: DeVeLoPeR712. Use it to extract the archive.

7 Automated password hunting – LinPEAS

Running ./linpeas.sh enumerates many of the same files and credentials found manually, including config.php, hidden directories, .bash_history, .ssh keys, and backup databases. However, LinPEAS also produces noise, demonstrating that manual enumeration remains essential for thorough discovery.

LinPEAS is powerful but not a replacement for careful manual analysis.