> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-14/password-attack/trick-0013.md).

# Password Reuse for Root Privilege Escalation

***

After gaining an initial shell, check common locations for configuration files that might contain credentials, such as web application directories. Sometimes, an entire archive file containing the application's source code might be exposed. For instance, an exposed archive file (e.g., `phpfiles.xz`) could contain the entire PHP source code of the application. If such a file is found and publicly accessible, it can be downloaded and extracted.

To extract such an archive, you might use a command like the following in a Linux environment:

```bash
tar -xvf phpfiles.xz
```

The extracted files can contain PHP source code and configuration files. Sensitive data that might be identified includes LDAP Credentials, Internal IPs, SMPP Credentials, and MySQL Credentials.

A common pattern is finding database credentials within these files. For example, by examining specific configuration files:

```bash
cat /var/www/html/fuel/application/config/database.php
```

If credentials (specifically passwords) are found, attempt to reuse them for system-level accounts, such as the `root` user.

```bash
su root
```

On Linux, privilege escalation can also be achieved via the `sudo` (Super User DO) command, which enables condition-based privilege elevation for user accounts. To use `sudo` privilege elevation, you simply precede the command with `sudo`, which will then execute the command as a super-user.

An example of using `sudo` to execute `ifconfig` as a super-user is:

```bash
sudo ifconfig
```

Another common method for authorized users to elevate privileges is via `setuid` or `setgid`, a special permission bit set on an executable that will allow it to run with elevated privileges, such as root, when executed.
