> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-6/credentials/filesystem-search/trick-0605.md).

# Discover Credentials in Archived Config File

***

After successfully extracting the contents of an archive (often a backup file), the next step is to systematically examine the extracted directories and files for configuration files. These files, such as `wp-config.php`, database configuration files (e.g., `database.yml`, `.env`), or application settings, frequently contain hardcoded credentials like usernames and passwords for databases, APIs, or other user accounts. The goal is to browse the extracted file structure, identify likely configuration files, read their contents, and extract any found credentials. For instance, you might find the password for user `xavi` within a `wp-config.php` file extracted from a WordPress backup.

Common configuration files and their credential formats include:

For WordPress, the `wp-config.php` file often contains database credentials defined using PHP constants:

```php
define( 'DB_NAME', 'database_name_here' );
define( 'DB_USER', 'username_here' );
define( 'DB_PASSWORD', 'password_here' );
define( 'DB_HOST', 'localhost' );
```

Ruby on Rails applications frequently use `database.yml` which is a YAML file structuring database connection details:

```yaml
development:
  adapter: postgresql
  encoding: unicode
  database: myapp_development
  pool: 5
  username: myapp
  password: my_password
  host: localhost
```

Many applications, especially those following the 12-factor app methodology, store configuration in `.env` files at the project root. These files use a simple key-value format:

```dotenv
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=laravel
DB_USERNAME=root
DB_PASSWORD=
APP_KEY=SomeRandomString
```

Other files like `.my.cnf` can also contain database credentials, particularly for MySQL clients:

```ini
[client]
user=root
password=password
```

Manually reviewing files can be time-consuming. Command-line tools can automate the search for common credential patterns within the extracted file structure. For example, you can use `grep` to search recursively for the string "password":

```bash
grep -r "password" /path/to/extracted/files/
```

Or, using `find` and `xargs` to search specifically within certain file types:

```bash
find /path/to/extracted/files/ -type f -name "*.conf" -print0 | xargs -0 grep "password"
```

To specifically target WordPress database passwords in PHP files:

```bash
find /path/to/extracted/files/ -type f -name "*.php" -print0 | xargs -0 grep "DB_PASSWORD"
```

For `.env` files:

```bash
find /path/to/extracted/files/ -type f -name ".env" -print0 | xargs -0 grep "DB_PASSWORD"
```

And for YAML configuration files like `database.yml`:

```bash
find /path/to/extracted/files/ -type f -name "*.yml" -print0 | xargs -0 grep "password"
```

These commands help quickly identify files containing potential credentials based on common naming conventions and patterns.
