> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-11/password-reuse/trick-0172.md).

# Password Reuse (Database Creds)

***

Find database credentials within a web application's configuration files, commonly located in `/var/www/html/`. Configuration files for web applications, such as `config.php` or `wp-config.php` for WordPress installations, are often located in the root of the web installation directory. These files are crucial as they contain database connection information, including the database name, username, password, and hostname. Credentials may be stored in plaintext within these files.

```bash
cat /var/www/html/config.php
```

Discovering database credentials (e.g., username 'rick', password 'REDACTED') in these files is frequent. If the password found matches one used for a system user account (potentially identified via `/etc/passwd`), attempt to authenticate as that user by reusing the discovered password. Password reuse is the use of the same password for different accounts or services. The more a password is used across different systems or applications, the more vulnerable it becomes; if a password is compromised on one service, attackers can potentially use it to gain access to other services where the same password is used.

To identify potential system users, the `/etc/passwd` file can be examined. This file contains a list of user accounts on a Linux system. Each line in the file represents a single user account and contains seven fields separated by colons. The `/etc/passwd` file lists all the users on the system and contains information like usernames, user IDs (UIDs), group IDs (GIDs), home directories, and default shells. While it doesn't directly contain password hashes (those are stored in `/etc/shadow`), it does contain usernames which are public. The `/etc/passwd` file is owned by the root user and typically has permissions of rw-r--r--, meaning all users can read the file. Adversaries may attempt to dump the contents of the `/etc/passwd` file to collect credentials by enumerating user accounts on the system.

If a matching username is found in `/etc/passwd` and the database password is known, the `su` command can be used to switch user contexts. By default, if no username is specified, `su` attempts to switch to the root user. You can use `su` to switch to any user on the system, provided you know that user’s password.

```bash
su rick
```
