# Intro

- Creds may be found in config files, shell scripts, bash history, backup files, dbs, text files, or the like
- config file types:
    - `.conf`
    - `.config`
    - `.xml`
    - `wp-config.php`
- shell script file types:
    - `.sh`
    - `.bat`
    - `.cmd`
    - `.ps1`
    - `.vbs`
    - `.pl`
- backup file types:
    - `.bak`
    - `.tmp`
- db file types:
    - `.sdb`
    - `.gdb`
    - `.mdf`
    - `.pdb`
    - `.odb`
    - `.sql`
- text file types:
    - `.txt`
    - `.md`
    - `.rtf`
    - `.doc`

# WordPress Example

- The `/var` directory typically stores the webroot for webservers
- The webroot may contain db creds or other creds that can be used to further access
- A common example is MySQL database credentials within WordPress configuration files

```bash
grep 'DB_USER\|DB_PASSWORD' wp-config.php
```

- The spool or mail directories may also contain valuable information or creds
- It is common to find creds stored in files in the webroot, for example, MySQL connection strings, WordPress config files, etc.

```bash
find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null
```

# SSH Keys

- Look for `id_rsa`
- Also look in `known_hosts` for subsequent targets

```bash
ls -al ~/.ssh
```

---

# Exercise

- `ping` test

![[images/Pasted image 20260202194440.png]]

- `nmap` scans

![[images/Pasted image 20260202194515.png]]
![[images/Pasted image 20260202194704.png]]

- `ssh` with given creds
    - `htb-student:Academy_LLPE!`

![[images/Pasted image 20260202194522.png]]

- Visit page

![[images/Pasted image 20260202194745.png]]

## Enum on Box

- Initial enum battery

![[images/Pasted image 20260202194633.png]]
![[images/Pasted image 20260202194648.png]]

- `ls -al /home/htb-student`

![[images/Pasted image 20260202194918.png]]

- move into `/var/www/html` and search `wp-config.php` for `db_user` and `db_password`

![[images/Pasted image 20260202195042.png]]
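
The file types and locations listed under Intro, WordPress Example and SSH Keys, checked from the defender's side: an added example, not part of the original notes, that lists credential files whose mode bits let other local users read them. The function names, output labels and sample tree are this example's own, and every sample value is a constructed placeholder.

```bash
# Added example (not from the original notes): list credential files whose
# mode bits let other local users read them. Checks mode bits only; parent
# directory permissions and ACLs are not evaluated.

audit_cred_exposure() {
    # $1 = directory to audit, e.g. a webroot or a home directory
    # Config, script and backup files that are world-readable and hold DB creds.
    find "$1" -type f -perm -004 \
        \( -name 'wp-config.php' -o -name '*.conf' -o -name '*.config' \
           -o -name '*.xml' -o -name '*.sh' -o -name '*.bak' \) \
        -exec grep -liE 'DB_USER|DB_PASSWORD|password[[:space:]]*[=:]' {} + \
        2>/dev/null | sed 's/^/WORLD-READABLE-SECRET /'
    # Private keys readable by group or other (the ssh client expects 0600).
    find "$1" -type f \( -perm -040 -o -perm -004 \) \
        -exec grep -l -e '-----BEGIN .*PRIVATE KEY-----' {} + \
        2>/dev/null | sed 's/^/LOOSE-PRIVATE-KEY /'
}

# Build a constructed sample tree (placeholder values, no real secrets).
make_constructed_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/html" "$t/hardened" "$t/.ssh"
    printf "define( 'DB_USER', 'wp' );\ndefine( 'DB_PASSWORD', 'placeholder' );\n" \
        > "$t/html/wp-config.php"
    cp "$t/html/wp-config.php" "$t/hardened/wp-config.php"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed' \
        > "$t/.ssh/id_rsa"
    cp "$t/.ssh/id_rsa" "$t/.ssh/id_rsa_ok"
    chmod 644 "$t/html/wp-config.php" "$t/.ssh/id_rsa"   # exposed variants
    chmod 640 "$t/hardened/wp-config.php"                # fix: drop other-read
    chmod 600 "$t/.ssh/id_rsa_ok"                        # fix: owner-only
    echo "$t"
}

# Demo run on the constructed tree: prints one line per exposed file.
demo=$(make_constructed_tree) && audit_cred_exposure "$demo"
rm -rf "$demo"
```

On a real host, point `audit_cred_exposure` at the webroot and at each home directory; every reported file should have its mode tightened as the `chmod 640` and `chmod 600` lines show.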