# Passwords and File Permissions

## Method 1: Stored Passwords (Plaintext Passwords)

### Enumeration

Passwords might be leaked through command line arguments. View terminal command history:

```bash
history
```

Or examine the `.bash_history` file:

```bash
grep -i passw ~/.bash_history
```

{% hint style="info" %}
LinPEAS will find potential passwords as well.
{% endhint %}

## Method 2: Password Cracking (Password Hashes)

### Unshadow

If we have **read permission** on both `/etc/passwd` and `/etc/shadow`, we can use `unshadow` to combine the two files into one and then crack the password hashes:

```bash
unshadow passwd.txt shadow.txt > unshadowed.txt
```
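The precondition above (a readable shadow file) is something a defender can audit for. The following is an added example, not part of the original notes: it reports whether a shadow-format file is world-readable and which hash scheme each account uses. The function names and the sample file contents are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: defensive audit of a shadow-format file (not from the original page).

# Report whether "other" users can read the file (mode bit 004 set).
shadow_perm_status() {
    if [ -n "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]; then
        echo "world-readable"
    else
        echo "ok"
    fi
}

# Print "user scheme" for every account, keyed on the hash field prefix.
shadow_hash_schemes() {
    awk -F: '
        $2 == ""       { print $1, "EMPTY-PASSWORD"; next }
        $2 ~ /^[!*]/   { print $1, "locked";         next }
        $2 ~ /^\$1\$/  { print $1, "md5crypt-WEAK";  next }
        $2 ~ /^\$5\$/  { print $1, "sha256crypt";    next }
        $2 ~ /^\$6\$/  { print $1, "sha512crypt";    next }
        $2 ~ /^\$y\$/  { print $1, "yescrypt";       next }
                       { print $1, "unknown" }
    ' "$1"
}

# Constructed sample (placeholder salts/hashes, not real credentials).
make_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$SALTSALT$PLACEHOLDERHASH:19000:0:99999:7:::
legacy:$1$SALTSALT$PLACEHOLDERHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF
}

demo() {
    local f; f=$(mktemp)
    make_sample_shadow "$f"
    chmod 644 "$f"   # simulate the misconfiguration this section relies on
    echo "permissions: $(shadow_perm_status "$f")"
    shadow_hash_schemes "$f"
    rm -f "$f"
}
demo
```

On a real host, point both functions at `/etc/shadow` as root; the expected permission result is `ok`, with no `EMPTY-PASSWORD` or `md5crypt-WEAK` entries.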

### Hashcat

Look up the hash type in this table:

{% embed url="<https://hashcat.net/wiki/doku.php?id=example_hashes>" %}
example\_hashes - Hashcat
{% endembed %}

Suppose the hash starts with `$6$`, which corresponds to hash mode 1800. Crack the unshadowed password hashes on a Windows machine:

```bash
./hashcat.exe -m 1800 unshadowed.txt rockyou.txt -O
```

