
Just found out that a big hosting provider saves a user's SQL and FTP passwords in a plain-text file right in the parent folder of the normally accessible ftproot.
Using some Linux commands you can:
    cat ../mysql_pw
    cat ../ftp_password.txt
IT'S NOT EVEN ENCRYPTED OR HASHED
(This was tested on a Minecraft server; it would also work on other services.)
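A defender-side check for the exposure described in the post, added here as an example (not code from the original poster or the hosting provider): it evaluates POSIX mode bits from the viewpoint of an arbitrary service account, so an operator can ask "could the uid that runs the customer's process read `../mysql_pw`?" without switching users. The `customer_home/ftproot` layout, the filenames and the uid 65534 are constructed assumptions for the demonstration.

```python
import os
import re
import stat
from pathlib import Path

# Filenames that commonly hold secrets (constructed list for this example, not exhaustive).
SECRET_NAME_RE = re.compile(r"pass(word|wd)?|_pw$|secret|credential", re.IGNORECASE)

def perm_allows(st: os.stat_result, uid: int, gids: set, bits: str) -> bool:
    """Classic POSIX permission check evaluated from mode bits, so it can answer
    for a *different* account (the hosting service user) than the one running
    the audit. bits is a subset of "rwx"; every requested bit must be granted."""
    if uid == 0:
        return True
    mode = stat.S_IMODE(st.st_mode)
    # POSIX picks exactly one class: owner, else group, else other.
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    want = sum({"r": 4, "w": 2, "x": 1}[b] for b in bits)
    return ((mode >> shift) & want) == want

def audit_parent_of_root(service_root: Path, uid: int, gids: set) -> list:
    """List credential-looking files in the directory above service_root that the
    service account could read, i.e. the 'cat ../mysql_pw' exposure from the post."""
    parent = service_root.resolve().parent
    # Without search permission on the parent, '../file' cannot be opened at all.
    if not perm_allows(parent.stat(), uid, gids, "x"):
        return []
    findings = []
    for entry in parent.iterdir():
        if entry.is_file() and SECRET_NAME_RE.search(entry.name):
            st = entry.stat()
            if perm_allows(st, uid, gids, "r"):
                findings.append((entry.name, oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)

def build_demo_layout(base: Path) -> Path:
    """Constructed layout mirroring the post: <home>/ftproot plus two secret files
    beside it, one world-readable (the bug) and one owner-only (the fix)."""
    home = base / "customer_home"
    home.mkdir()
    home.chmod(0o755)
    (home / "ftproot").mkdir()
    (home / "mysql_pw").write_text("constructed-sample-password\n")
    (home / "mysql_pw").chmod(0o644)            # readable by every local account
    (home / "ftp_password.txt").write_text("constructed-sample-password\n")
    (home / "ftp_password.txt").chmod(0o600)    # owner only
    return home / "ftproot"
```

Run `audit_parent_of_root(build_demo_layout(Path(tmpdir)), 65534, {65534})` on a POSIX filesystem that honours chmod; only the 0644 file is reported, which is the finding a provider should be fixing (mode 0600 and a different owner than the service account).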

Comments
  • 0
    @IllSlapU Yes it is. I made a plugin to execute Linux commands from the Minecraft server. Using the commands above I got this information.
  • 1
    @IllSlapU I did a Runtime.getRuntime().exec("chat command here");
  • 0
    @IllSlapU Yes, I coded it in Java. Minecraft plugins only work with Java. It's not open source; I was just bored and tested around... but you could download the plugin if you want to (it's string- and reflection-obfuscated because I obfuscate everything I do)...
    http://memez.de/jars/MCPlugins/...
  • 0
    @IllSlapU Holy, this is creepy 😂
  • 3
    Reminds me of the GoDaddy exploit I found.

    Every hosting process used the "inetuser" account, which had 660 access to the hosted data, and there were multiple sites hosted on the same machine. Ergo, "inetuser" had the same rights to all hosted content on the machine.

    With a PHP terminal script, I could browse (and modify) any site I wanted. Strangely enough, I also had some access to /etc configuration, and could have done basically anything I wanted, including running code on the machine.

    It was dumb enough (and fixed fast enough, and silently) that I very much doubt it was a honeypot.