Credential Dumping - /etc/shadow File
The /etc/shadow file contains password hashes for all local users on Linux systems. By default, only accounts with root privileges are able to access this file.
Attackers who are able to crack any password hashes from this file can login with those credentials to appear like legitimate users. They can also exploit password re-use to move laterally to other systems.