JuicyFiles

Linux

Password Hash Files

  • passwd, shadow

    • Content - User password hashes
    • Features - SHA256Crypt hash
    • Location - /etc
    • Handle - unshadow <passfile> <shadowfile> then hashcat or john

History

  • bash_history

    • Content - bash history
    • Features - may contain plain text credentials
    • Location - /home/<users>
    • Handle - cat

Configuration Files

  • wp-config.php

    • Content - database credentials
    • Features - contains plain text credentials
    • Location - wordpress root dir
    • Handle - cat

System Auth File

  • system-auth

    • Content - auth settings
    • Location - /etc/pam.d/system-auth
    • Handle - cat

Block Brute Force

  • fail2ban.conf

    • Content - blocks connections after failed connection attempts
    • Location - /etc/fail2ban
    • Handle - cat

Proc

  • /proc/self/cwd - symlink to the current working directory of the process; contains every file of the current directory
  • /proc/self/status - contains information about the current process, including the user running the service
  • /proc/self/environ - environment variables the server has; if user agent var is present, maybe you can modify your request's user agent to something like <?php echo 'hello'; ?> to see if code execution is available
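
Added example (not part of the original cheat sheet): a defender-side scan of web access logs for the /proc/self/environ pattern noted above, flagging request targets that reference the Linux files listed on this page and User-Agent values carrying a PHP tag. It assumes the Apache/nginx "combined" log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed format: Apache/nginx "combined" access log.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>.*)"$'
)
# Linux paths from this page that have no business in a request target.
SENSITIVE = ("/proc/self/", "/etc/passwd", "/etc/shadow", "wp-config.php", "/tmp/sess_")
PHP_TAG = re.compile(r"<\?")  # opening PHP tag inside a header value

def decode(target, rounds=3):
    """Undo up to `rounds` layers of URL encoding so double-encoded paths are caught."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.lower()

def scan(lines):
    """Return (line_no, client_ip, status, reasons) for every suspicious log line."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined format; skipped rather than guessed at
        target = decode(m["target"])
        reasons = [f"path:{s}" for s in SENSITIVE if s in target]
        if PHP_TAG.search(m["ua"]):
            reasons.append("php-tag-in-user-agent")
        if reasons:
            findings.append((n, m["ip"], int(m["status"]), reasons))
    return findings

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=..%2f..%2f..%2fproc%2fself%2fenviron HTTP/1.1" 200 2048 "-" "<?php echo 'hello'; ?>"
198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1337 "-" "curl/8.0"
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A 200 status on a flagged line deserves priority, since the server answered the request instead of rejecting it.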

Session Tmp File

  • /tmp/sess_

Windows

Configuration Files

  • prod.dtsConfig

    • Content - SQL server property values
    • Features - may contain user credentials

Hash Files

  • SAM, SYSTEM

    • Content - User password hashes
    • Features - NTLM hash
    • Location - C:\Windows\System32\Config
    • Handle - samdump2 <systemfile> <samfile> then hashcat or john
  • NTDS.dit

    • Content - Hashes that can be used for pass the hash attack
    • Features - NTLM hash
    • Location - C:\Windows\NTDS
    • Handle - psexec.py <domain>/administrator@<ip> -hashes <NTLM-hash>:<NTLM-hash>

Windows System Info

  • license.rtf

    • Content - System information and patch information
    • Location - C:\Windows\System32