Credentials Harvesting

Clear-text Files

Real purpose of the technique

To find passwords or private keys written plainly in files, like a note with a password left on a table by someone forgetful.

How it works on real bounty targets

On bounty targets, employees save passwords in config files or command history, like a diary where they write secrets; the attacker searches and uses them to go deeper.

Main tools/commands + what they do

Quick PoC for reproduction (if I have shell)

  1. Search in PowerShell history:

    type C:\Users\USER\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

  2. Search in registry:

    reg query HKLM /f password /t REG_SZ /s
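
The defender's side of step 1, as an added example that is not part of the original notes: a Python audit that flags PSReadLine history lines holding clear-text secrets and redacts the value in its report. The rule set, the function name audit_history and the sample history lines are assumptions constructed for illustration.

```python
import re

# Rules are assumptions for this example, not an exhaustive secret-detection set.
# Each regex captures the sensitive value in a group named "secret".
RULES = [
    ("securestring-plaintext",
     re.compile(r"(?i)ConvertTo-SecureString\s+(?:-String\s+)?['\"](?P<secret>[^'\"]+)['\"]")),
    ("net-use-password",
     re.compile(r"(?i)\bnet\s+use\s+(?:\w:\s+)?\\\\\S+\s+(?P<secret>[^/\s*]\S*)\s+/user:")),
    ("password-parameter",  # skips values that are variables or expressions ($sec, (...))
     re.compile(r"(?i)[-/](?:password|passwd|pwd|pass)[ :=]+['\"]?(?P<secret>[^\s'\"$(][^\s'\"]*)")),
    ("connection-string",
     re.compile(r"(?i)\b(?:password|pwd)\s*=\s*(?P<secret>[^;'\"\s]+)")),
]

def audit_history(lines):
    """Return (line_number, rule, redacted_line) for each history line that holds a secret."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for rule, pattern in RULES:
            match = pattern.search(line)
            if match:
                start, end = match.span("secret")
                # Redact so the audit report does not become a second clear-text copy.
                findings.append((number, rule, line[:start] + "<redacted>" + line[end:]))
                break  # one finding per line is enough to flag it for cleanup
    return findings

# Constructed sample of ConsoleHost_history.txt content (not from a real host).
SAMPLE_HISTORY = [
    r"Get-ChildItem C:\inetpub\wwwroot",
    r"$sec = ConvertTo-SecureString 'Summer2024!' -AsPlainText -Force",
    r"New-LocalUser ops -Password $sec",
    r"net use Z: \\fs01\backup Winter#2023 /user:CORP\svc_backup",
    r".\deploy.ps1 -ApiUser svc -Password Tr0ub4dor",
    r'Invoke-Sqlcmd -ConnectionString "Server=db01;User Id=app;Password=hunter2;"',
]

if __name__ == "__main__":
    for number, rule, redacted in audit_history(SAMPLE_HISTORY):
        print(f"line {number}: {rule}: {redacted}")
```

Any flagged line means the credential should be rotated and the entry removed from the history file, since the value has already been stored in clear text.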

Database Files

Real purpose of the technique

To find local databases with passwords or connections, like a treasure box full of keys.

How it works on real bounty targets

On bounty targets, apps save passwords in .db or .xml files; the attacker reads them to access other systems, like a thief finding a map to the safe.

Main tools/commands + what they do