> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-6/enumeration/information-gathering-enumeration-credentials.md).

# Credentials

## Credential Discovery (Mail File)

Accessing a user's mail spool file, typically located at `/var/mail/<username>`, can sometimes reveal credentials that were sent via email. The standard location for mail spool files is `/var/mail`, although `/var/spool/mail` is also a common location. If you have filesystem access with sufficient permissions to read a user's mail file (e.g., `/var/mail/jim`), examine its contents for sensitive information.

Files in `/var/spool/mail/` are mail spool files. You can read the file directly using a command like:

```bash
cat /var/mail/jim
```

Alternatively, for a user like `root`, the mail might be in `/var/spool/mail/root`. You can read it with:

```bash
cat /var/spool/mail/root
```

Look through the output for email contents that might contain usernames, passwords, or other secrets.
