Uncover Hidden Passwords on Linux: From File Scans to Hash Cracking

This guide walks through systematic techniques for hunting passwords on a Linux target, covering filename and content searches, web and config files, hidden directories, MySQL credential extraction, backup analysis, protected archives, and automated enumeration with LinPEAS, while demonstrating practical use of tools like Hashcat and John the Ripper.

MaGe Linux Operations

0. Introduction

In this article we explore techniques for hunting passwords on a target Linux machine as a means of lateral or vertical privilege escalation. We review various search methods and common storage locations, looking for credentials in scripts, configuration files, filenames, and hash values.

When you discover any password on the system—whether during initial exploitation or post‑exploitation—you should test it wherever possible, because password reuse is common.

We will use manual techniques throughout, and at the end demonstrate how the LinPEAS tool automates many of these searches.

1. Password Search – Filenames and File Content

The first step is to perform a broad search for files whose names contain the string "password" and also to search file contents for the same keyword.

1.1 Finding Interesting Filenames

Use find to locate files with names matching common password patterns:

find / -exec ls -lad "{}" \; 2>/dev/null | grep -i "passw\|pwd"

Or use the faster locate command:

locate 'passw'
locate 'pwd'
locate '*.php'

1.2 Finding Interesting Strings

Search file contents with grep for password‑related strings:

grep --color=always -rnw '/' -iEe "PASSW|PASSWD|PASSWORD|PWD" 2>/dev/null

Limit the search to specific directories for faster results:

grep --color=always -rnw /var/www /tmp /opt /home -iEe "PASSW|PASSWD|PASSWORD|PWD" 2>/dev/null

2. Password Search – Web Files/Config Files

Credentials are often found in the webroot (usually /var/www), especially in PHP configuration files.

2.1 Passwords in Config Files

Navigate to /var/www and inspect files like config.php for plaintext credentials:

cat /var/www/config.php

Example discovered credentials: root:SuperS3cureP@ssw0rd

These can be used to log into MySQL, though they may not be the system root password.

2.2 Passwords in Web Files

WebDAV password files generated by htpasswd often contain Apache‑specific MD5 hashes (e.g., $apr1$...). Locate such files with find or locate, then crack them using Hashcat:

hashcat -m 1600 ./webdav.hash /usr/share/wordlists/rockyou.txt -o cracked.dav

Recovered credentials can be used for SSH or further MySQL enumeration.

3. Password Search – Hidden Files/Folders

Hidden items start with a dot (e.g., .bash_history, .ssh). List them with ls -la.

3.1 Passwords in Hidden Files/Folders

Example hidden directory .important contains a file .password with the value Password123!.

3.2 Passwords in Bash History

Examine users' .bash_history files for commands that reveal credentials. In the example, the user juggernaut executed MySQL commands with the root password.

3.3 SSH Key Passwords

Locate private keys (e.g., id_rsa) in .ssh directories. If the key is unencrypted, it can be used directly; otherwise, convert it with ssh2john and crack with John the Ripper:

ssh2john juggernaut_id_rsa > jugg.john
john jugg.john --wordlist=/usr/share/wordlists/rockyou.txt

The recovered passphrase (P@ssw0rd) allows SSH login.
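From the defender's side, the finding in 3.3 is a private key stored without a passphrase or with loose file permissions. The following is an added example, not code from the original article: it reads the key header to tell encrypted from unencrypted keys and reports group/other permission bits. The function names and the constructed sample header are assumptions made for illustration.

```python
import base64, os, re

MAGIC = b"openssh-key-v1\x00"   # header of the OpenSSH private key format

def key_protection(text):
    """Classify private-key text as 'encrypted', 'unencrypted' or 'unknown'."""
    m = re.search(r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----(.*?)-----END \1-----", text, re.S)
    if not m:
        return "unknown"
    label, body = m.groups()
    if label == "ENCRYPTED PRIVATE KEY":            # PKCS#8, always encrypted
        return "encrypted"
    if label == "OPENSSH PRIVATE KEY":
        try:
            blob = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            return "unknown"
        if not blob.startswith(MAGIC):
            return "unknown"
        off = len(MAGIC)
        n = int.from_bytes(blob[off:off + 4], "big")
        cipher = blob[off + 4:off + 4 + n]          # cipher name field
        if n == 0 or len(cipher) != n:
            return "unknown"
        return "unencrypted" if cipher == b"none" else "encrypted"
    # Legacy PEM (RSA/DSA/EC) marks encryption in a header line.
    return "encrypted" if "Proc-Type: 4,ENCRYPTED" in body else "unencrypted"

def audit_keys(root):
    """Return (path, protection, loose_permissions) for each private key under root."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read(65536)
                loose = bool(os.stat(path).st_mode & 0o077)   # group/other bits set
            except OSError:
                continue
            state = key_protection(text)
            if state != "unknown":
                findings.append((path, state, loose))
    return sorted(findings)

def constructed_openssh(cipher):
    """Constructed sample: header fields only, no key material."""
    blob = MAGIC + len(cipher).to_bytes(4, "big") + cipher
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Run audit_keys over home directories you administer; any entry reported as unencrypted or with loose permissions is a key to rotate and re-protect.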

4. Password Search – MySQL

Using the discovered MySQL root credentials, log in and enumerate databases:

mysql -u root -p

Inspect the mysql.user table for password hashes. The root hash matches the known password; other user hashes can be extracted and cracked with Hashcat (mode 300 for MySQL hashes).

hashcat -m 300 ./mysql.hash /usr/share/wordlists/rockyou.txt -o cracked.txt

Custom databases (e.g., web_app) may store MD5 or Base64‑encoded passwords. Identify hash types with hash-identifier, then crack MD5 hashes (mode 0) or decode Base64 strings.

hashcat -m 0 ./webapp.hash /usr/share/wordlists/rockyou.txt -o webapp_cracked.txt
echo 'SXNoYWxsbjB0YmVjcmFja2VkIQo=' | base64 --decode

Decoded Base64 yields Ishalln0tbecracked!, which can be used for root login.
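For the owner of such a database, the useful check is which stored values use a scheme that gives no real protection. The following is an added example, not code from the original article: it classifies stored values by the formats this article names and flags unsalted hashes and reversible Base64. The function names, the FLAGGED policy and every sample row except the article's Base64 string are constructed assumptions.

```python
import base64
import re

# Storage formats named in the article, most specific first. Order matters:
# a 32-character MD5 hex digest is also syntactically valid Base64.
PATTERNS = [
    ("sha512crypt", r"\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}"),
    ("apr1-md5", r"\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}"),
    ("mysql41", r"\*[0-9A-Fa-f]{40}"),
    ("raw-md5", r"[0-9A-Fa-f]{32}"),
]
# Assumed policy: unsalted fast hashes and reversible encoding must be migrated.
FLAGGED = {"raw-md5", "mysql41", "base64"}

def classify(value):
    """Name the storage scheme of one stored credential value."""
    v = value.strip()
    for name, pattern in PATTERNS:
        if re.fullmatch(pattern, v):
            return name
    try:
        # binascii.Error and UnicodeDecodeError are both ValueError subclasses.
        text = base64.b64decode(v, validate=True).decode("ascii").strip()
    except ValueError:
        return "unknown"
    # Only call it Base64 if it decodes to readable text, not random bytes.
    return "base64" if text and text.isprintable() else "unknown"

def audit(rows):
    """Return (user, scheme) for every row stored under a flagged scheme."""
    findings = []
    for user, value in rows:
        scheme = classify(value)
        if scheme in FLAGGED:
            findings.append((user, scheme))
    return findings

# Constructed rows; only bob's value is the Base64 string quoted in the article.
SAMPLE_ROWS = [
    ("alice", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("bob", "SXNoYWxsbjB0YmVjcmFja2VkIQo="),
    ("carol", "$6$saltsalt$" + "A" * 86),
    ("dave", "*" + "0A" * 20),
    ("erin", "$apr1$abcdefgh$" + "B" * 22),
]
```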

5. Password Search – /var/backups Folder

Backups may contain passwd, shadow, or SQLite databases. Extract strings from a SQLite backup (pwds.db) to reveal Unix $6$ (SHA‑512) hashes, then crack with Hashcat (mode 1800):

hashcat -m 1800 ./shadow.hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou-75.txt -o shadow.cracked

6. Password Search – Password‑Protected Files

Identify protected archives (e.g., backup.rar) and retrieve them via netcat. Convert the RAR to a John‑compatible format and crack:

rar2john ./backup.rar > john_rar
john john_rar --wordlist=/usr/share/wordlists/rockyou.txt

Recovered password DeVeLoPeR712 allows extraction of the archive’s contents.

7. Automated Tool – LinPEAS

Running ./linpeas.sh enumerates many of the same items found manually above, such as config files, hidden directories, SSH keys, and backup databases. While LinPEAS provides a quick overview, manual enumeration remains essential for thorough coverage.

LinPEAS excels at finding obvious credential files but may miss deeper or obfuscated data; combining automated tools with hands‑on investigation yields the best results.

Overall, the article demonstrates a comprehensive workflow for locating, extracting, and cracking credentials on a compromised Linux host, emphasizing the importance of exhaustive manual searches alongside automated enumeration.
