# Passwords and File Permissions

## Method 1: Stored Passwords (Plaintext Passwords)

### Enumeration

Passwords might be leaked through command line arguments. View terminal command history:

```bash
history
```

Or examine the `.bash_history` file:

```bash
cat ~/.bash_history | grep -i passw
```

{% hint style="info" %}
LinPEAS will find potential passwords as well.
{% endhint %}

## Method 2: Password Cracking (Password Hashes)

### Unshadow

If we have **read permission** on both `/etc/passwd` and `/etc/shadow`, we can use `unshadow` to combine the two files into a single file and then crack the password hashes:

```bash
unshadow passwd.txt shadow.txt > unshadowed.txt
```

### Hashcat

Look up the hash type in this table:

{% embed url="https://hashcat.net/wiki/doku.php?id=example_hashes" %}
example\_hashes - Hashcat
{% endembed %}

Suppose the hash starts with `$6$`, which corresponds to hash mode 1800. Crack the unshadowed password hash on a Windows machine:

```bash
./hashcat.exe -m 1800 unshadowed.txt rockyou.txt -O
```
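
From the defender's side, both conditions above (a readable shadow file and the hash scheme its prefix reveals) can be audited ahead of time. The script below is an added example, not part of the original page: the function names are hypothetical, the sample file is constructed with fake salts and hashes, and the prefixes other than `$6$` are the standard crypt(5) identifiers rather than values from this page.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): defensive audit of a shadow-format file.

# Classify a shadow password field by its prefix ($6$ = sha512crypt, as in the text).
hash_scheme() {
  case "$1" in
    '')             echo "empty" ;;        # no password required at all
    '!'*|'*'*)      echo "locked" ;;
    '$1$'*)         echo "md5crypt" ;;
    '$2'[aby]'$'*)  echo "bcrypt" ;;
    '$5$'*)         echo "sha256crypt" ;;
    '$6$'*)         echo "sha512crypt" ;;
    '$y$'*)         echo "yescrypt" ;;
    *) if [ "${#1}" -eq 13 ]; then echo "descrypt"; else echo "other"; fi ;;
  esac
}

# Report whether the file grants read access to "other" (it should not for /etc/shadow).
shadow_exposure() {
  if [ -n "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]; then
    echo "others-readable"
  else
    echo "restricted"
  fi
}

# Print user:scheme for accounts with no password or a legacy hash scheme.
weak_accounts() {
  while IFS=: read -r user field _; do
    scheme=$(hash_scheme "$field")
    case "$scheme" in
      empty|md5crypt|descrypt) echo "$user:$scheme" ;;
    esac
  done < "$1"
}

# Demo on a constructed sample (fake salts and hashes), so it runs without root.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:$6$constructedsalt$CONSTRUCTEDHASH:19000:0:99999:7:::
legacy:$1$constructedsalt$CONSTRUCTEDHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc::19000:0:99999:7:::
EOF
chmod 644 "$sample"
echo "permissions: $(shadow_exposure "$sample")"
weak_accounts "$sample"
rm -f "$sample"
```

On a real host, point `shadow_exposure` and `weak_accounts` at `/etc/shadow` as root; any `others-readable` result or listed account is a finding to fix.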
