
Uncover Hidden Passwords on Linux: From File Scans to Hash Cracking

This guide walks you through systematic Linux password hunting techniques—including searching filenames, scanning file contents, extracting credentials from web and config files, cracking hashes with Hashcat and John, leveraging hidden files, MySQL databases, backup archives, and automating discovery with LinPEAS—to elevate privileges and gain full root access.

Raymond Ops


0 Preface

In this article we explore techniques for hunting passwords on a target Linux machine as a means of lateral or vertical privilege escalation. We review common locations where passwords and password hashes are stored and demonstrate how to discover credentials in scripts, configuration files, filenames, and hash values.

It is common for users and even root to reuse passwords or leave them in readable locations.

Beyond obvious passwords, we can find password hashes or password‑protected files throughout the system. This article uses Hashcat and John for large‑scale cracking.

Whenever you discover a password on the system—whether during initial exploitation or post‑exploitation—you should test it against every possible user because password reuse is a widespread issue.

All examples use manual techniques, but at the end we also evaluate the automated tool LinPEAS.

1 Password search – Filenames and file content

The first step is to perform advanced searches for files whose names contain "password" and to search file contents for the string "password".

1.1 Finding interesting filenames

Before searching file contents, locate files whose names contain "password" or other interesting strings such as "config" or "php".

Use the following find command:

<code>find / -exec ls -lad $PWD/* "{}" 2>/dev/null \; | grep -i -I "passw\|pwd"</code>

This exhaustive search checks the entire filesystem for filenames containing "passw" (covers passw, passwd, password) or "pwd" (another common abbreviation).

You can also use the locate command for faster results:

<code>locate 'passw'
locate 'pwd'
locate '*.php'</code>
locate is fast because it searches a pre‑built index, so files created since the index was last updated (by updatedb) will not appear.

1.2 Finding interesting strings

Use grep to search the whole filesystem for strings like "PASSW", "PASSWD", "PASSWORD", or "PWD":

<code>grep --color=auto -rnw '/' -iIe "PASSW\|PASSWD\|PASSWORD\|PWD" --color=always 2>/dev/null</code>

The output highlights matches in red, file paths in purple, and line numbers. Because the output can be massive, narrow the search to specific directories such as /var/www, /tmp, /opt, or /home. Run the command from inside the chosen directory: with -r and no path argument, GNU grep searches the current working directory.

<code>grep --color=auto -rnw -iIe "PASSW\|PASSWD\|PASSWORD\|PWD" --color=always 2>/dev/null</code>
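The same pattern search can be run as an audit of your own hosts. The following is an added example, not part of the original article: it lists files that every local account can read and that match the passw/pwd pattern, printing only the mode, path and line number so the secret itself is never echoed. The function name audit_world_readable_secrets is an assumption of this example, and it relies on GNU stat and grep.

```shell
#!/bin/sh
# Added example (not from the article): audit counterpart of the
# filename/content searches in sections 1.1 and 1.2.

# audit_world_readable_secrets DIR...
# Prints one line per hit: "<octal mode> <path>:<line number>"
audit_world_readable_secrets() {
    for root in "$@"; do
        # -perm -o=r : the "other" read bit is set, so any local user can read it
        # -xdev      : stay on one filesystem (skips /proc, network mounts, ...)
        find "$root" -xdev -type f -perm -o=r -exec sh -c '
            for f do
                mode=$(stat -c %a "$f" 2>/dev/null) || continue
                # -I skips binary files, -n adds line numbers, -i ignores case
                grep -nIiE "passw|pwd" "$f" 2>/dev/null |
                while IFS=: read -r lineno rest; do
                    # Report where the match is, never the matched text
                    printf "%s %s:%s\n" "$mode" "$f" "$lineno"
                done
            done' sh {} + 2>/dev/null
    done
}
```

Call it as audit_world_readable_secrets /var/www /opt /home and tighten permissions, or move the secret out of the file, for every line it reports.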

2 Password search – Web files/Config files

Credentials are often found in the webroot directory (/var/www), especially in configuration files that store database connection details.

2.1 Passwords in config files

Navigate to /var/www/ and locate files like config.php.

Note that you may not always find a file named config.php; look for any PHP file that might contain database credentials.

Inside config.php you might see clear‑text credentials such as:

<code>root:SuperS3cureP@ssw0rd</code>

These credentials allow MySQL access but not necessarily a root shell. Test with su root to see if they work.

<code>mysql -u root -p</code>

Successful MySQL login enables further enumeration of databases and tables.

2.2 Passwords in web files

WebDAV password files are often stored as htpasswd hashes. The example file passwd.dav contains an Apache‑specific MD5 hash:

<code>$apr1$...</code>

Identify the associated user (e.g., devops) and attempt to crack the hash with Hashcat:

<code>hashcat -h | grep -i '$apr'
# mode 1600 identified
hashcat -m 1600 ./webdav.hash /usr/share/wordlists/rockyou.txt -o cracked.dav</code>

The cracked password (DeVeLoPeR712) can be used to switch to the devops user.

3 Password search – Hidden files/folders

Hidden files and directories start with a dot (e.g., .bash_history, .ssh). List them with ls -la:

<code>ls -la</code>

3.1 Passwords in hidden files/folders

Inspect hidden directories such as .important and files like .password that may contain passwords (e.g., Password123!).

3.2 Passwords in Bash history

Review users' .bash_history files for commands that reveal credentials. For example, the juggernaut user’s history shows attempts to log into MySQL with root credentials.

3.3 SSH key passwords

Locate private keys (e.g., id_rsa) in .ssh directories. If the key is unencrypted, it can be used directly; otherwise, convert it with ssh2john and crack with John:

<code>ssh2john juggernaut_id_rsa > jugg.john
john jugg.john --wordlist=/usr/share/wordlists/rockyou.txt</code>

The cracked passphrase (P@ssw0rd) can be used to SSH into the target.
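Because an unencrypted private key is usable as soon as it is readable, it is worth auditing which keys on a host have no passphrase at all. The following is an added example, not part of the original article: it classifies a key file from its header alone, without needing ssh-keygen. The function names ssh_key_protection and list_unprotected_keys are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article): report SSH private keys that are
# stored without a passphrase.

# ssh_key_protection FILE -> prints: encrypted | unencrypted | not-a-key
ssh_key_protection() {
    header=$(head -n 1 "$1" 2>/dev/null)
    case $header in
    "-----BEGIN OPENSSH PRIVATE KEY-----")
        # Decoded layout: "openssh-key-v1\0" (15 bytes), a 4-byte length,
        # then the cipher name. The name "none" means no passphrase.
        cipher=$(sed '/^-----/d' "$1" | base64 -d 2>/dev/null |
                 dd bs=1 skip=19 count=4 2>/dev/null)
        if [ "$cipher" = "none" ]; then echo unencrypted
        else echo encrypted; fi ;;
    "-----BEGIN ENCRYPTED PRIVATE KEY-----")
        echo encrypted ;;            # PKCS#8, always passphrase protected
    "-----BEGIN "*"PRIVATE KEY-----")
        # Legacy PEM keys flag encryption with a Proc-Type header line
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted
        else echo unencrypted; fi ;;
    *)
        echo not-a-key ;;
    esac
}

# list_unprotected_keys DIR... -> paths of private keys with no passphrase
list_unprotected_keys() {
    find "$@" -xdev -type f -size -64k 2>/dev/null |
    while IFS= read -r f; do
        if [ "$(ssh_key_protection "$f")" = "unencrypted" ]; then
            printf '%s\n' "$f"
        fi
    done
}
```

Run list_unprotected_keys /home /root as part of a host review; keys it reports should get a passphrase (ssh-keygen -p) or be replaced.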

4 Password search – MySQL

After obtaining MySQL root credentials, enumerate databases:

<code>mysql -u root -p
show databases;</code>

Focus on the mysql database to retrieve user password hashes:

<code>use mysql;
select * from user;</code>

Validate hashes with SELECT PASSWORD('SuperS3cureP@ssw0rd');. Crack custom database hashes (MD5, Base64) with Hashcat or by decoding Base64 strings.

4.1 Built‑in MySQL password hashes

<code>hashcat -m 300 ./mysql.hash /usr/share/wordlists/rockyou.txt -o cracked.txt</code>

Resulting password: letmein.

4.2 Custom database – MD5 hashes

Identify MD5 hashes, then crack with mode 0:

<code>hashcat -m 0 ./webapp.hash /usr/share/wordlists/rockyou.txt -o webapp_cracked.txt</code>

Recovered passwords: devops (same as earlier) and admin (new password).

4.3 Custom database – Base64

Decode Base64 strings (e.g., SXNoYWxsbjB0YmVjcmFja2VkIQo=) to obtain clear‑text passwords such as Ishalln0tbecracked!, which can be used for root login.

5 Password search – /var/backups folder

Inspect backup files for weak permissions or custom databases. Use strings on binary backups (e.g., pwds.db) to extract Unix $6$ SHA‑512 hashes, then crack with Hashcat mode 1800:

<code>hashcat -m 1800 ./shadow.hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou-75.txt -o shadow.cracked</code>

The recovered password can be used to elevate privileges.

6 Password search – Password‑protected files

Identify archives such as backup.rar owned by devops. Transfer the file via nc and extract with unrar. Since it is password‑protected, convert it with rar2john and crack:

<code>rar2john ./backup.rar > john_rar
john john_rar --wordlist=/usr/share/wordlists/rockyou.txt</code>

Cracked password: DeVeLoPeR712. Use it to extract the archive.

7 Automated password hunting – LinPEAS

Running ./linpeas.sh enumerates many of the same files and credentials found manually, including config.php, hidden directories, .bash_history, .ssh keys, and backup databases. However, LinPEAS also produces noise, demonstrating that manual enumeration remains essential for thorough discovery.

LinPEAS is powerful but not a replacement for careful manual analysis.