u/Ambitious-Depth-8003

ok so I've been a red team operator for a while and every engagement is the same dance. drop in, run snaffler for files, lazagne for browsers, write some janky python on the fly for whatever cloud cli is on the box, end up with five output formats none of which talk to each other. drove me nuts. so I spent the last few months building the thing I actually wanted. it's called treasure hunter and I'm planning on keeping it open-source.

https://github.com/RyanWReid/treasure-hunter

it's one .exe. you put it on the target, it scans the disk against 581 patterns I tuned over months of "wait what is this file", pulls actual creds out of 27 apps (chrome/edge/firefox with dpapi, aws/azure/gcp/kubectl, filezilla, winscp, mremoteng, the password managers, db clients, git creds, slack tokens, scheduled tasks, gpp cpasswords still showing up in 2026 somehow, env vars, etc), then audits what it grabbed for reuse and weak passwords and which accounts look like admins, then optionally sprays them over smb to see what else opens up. the part I'm proudest of, honestly, is that it's pure stdlib + ctypes. no pip install. no powershell. no subprocess calls anywhere. 8.2 MB single exe, fits on any usb. there's an --auto mode where you plug it in, walk away, come back, and it's encrypted+cleaned itself up. or you can drive it manually through an interactive console if you want to be careful.

I tested it on a win server 2022 box in my homelab. 100 findings, 37 working creds, 1.9 seconds. not bad. wrote 517 unit tests because I got burned early when a parser was returning garbage and the tests were happily green.

stuff I'd actually love feedback on:

  1. what creds am I missing? every time I think I'm done someone goes "oh you don't grab X" and X turns out to be on every box.

  2. opsec holes. I tried to be quiet but I know I have blind spots, that's just how it works.

  3. if you've used snaffler/seatbelt/lazagne, where does this fall short? honest answers please, I'd rather hear it now.

  4. would you actually run a "one tool does everything" thing on a real engagement, or is that a non-starter and you want separate tools you trust individually? genuinely don't know the answer here.

  5. interactive console, keep it or kill it. nobody I've shown it to has a strong opinion which probably means it's not pulling its weight.

anyway. roast it. that's the only way it gets better.

u/Ambitious-Depth-8003 — 21 days ago
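The "audit what it grabbed for reuse and weak passwords and which accounts look like admins" step from the post, as an added stdlib-only example. This is not code from the treasure-hunter repo and does not claim to match how that tool does it: the `Cred` record, the `COMMON_PASSWORDS` and `ADMIN_HINTS` lists, the strength rules and the `SAMPLE_CREDS` data are all assumptions constructed here for illustration.

```python
"""Post-harvest credential audit: reuse, weak passwords, admin-looking accounts.

Added example, standard library only. All names, heuristics and sample
credentials below are constructed for illustration, not taken from any tool.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Cred:
    source: str    # hypothetical label for the parser that produced it
    account: str   # DOMAIN\user, user@domain, or a bare username
    secret: str    # recovered cleartext


# Tiny built-in list; a real run would load a proper wordlist (assumption).
COMMON_PASSWORDS = {"password", "password1", "welcome1", "p@ssw0rd",
                    "123456", "changeme", "admin"}

# Name fragments that suggest a privileged account. Heuristic, not a rule.
ADMIN_HINTS = ("admin", "adm-", "adm_", "da_", "da-", "root", "domain admins")


def normalize_account(account: str) -> str:
    """Collapse CORP\\bob, bob@corp.local and bob to one principal key."""
    acct = account.strip().lower()
    if "\\" in acct:
        acct = acct.split("\\", 1)[1]
    if "@" in acct:
        acct = acct.split("@", 1)[0]
    return acct


def looks_admin(account: str) -> bool:
    name = normalize_account(account)
    return name == "administrator" or any(h in name for h in ADMIN_HINTS)


def password_issues(secret: str) -> list[str]:
    """Return the list of weaknesses found; an empty list means 'no complaint'."""
    issues: list[str] = []
    if len(secret) < 12:
        issues.append("short")
    if secret.lower() in COMMON_PASSWORDS:
        issues.append("common")
    classes = sum(bool(re.search(p, secret))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        issues.append("low-complexity")
    # Word + digits + optional trailing symbol: Summer2024!, Welcome1, Company2025
    if re.fullmatch(r"[A-Za-z]{3,}\d{1,4}[!.@#$]?", secret):
        issues.append("word+year pattern")
    return issues


def audit(creds: list[Cred]) -> dict:
    """Group by secret to find reuse across principals, flag weak secrets,
    flag admin-looking accounts, and intersect the three into a high-risk list."""
    by_secret: dict[str, set[str]] = defaultdict(set)
    weak_sets: dict[str, set[str]] = defaultdict(set)
    admins: set[str] = set()

    for c in creds:
        acct = normalize_account(c.account)
        by_secret[c.secret].add(acct)
        issues = password_issues(c.secret)
        if issues:
            weak_sets[acct].update(issues)
        if looks_admin(c.account):
            admins.add(acct)

    # Same secret seen under two different principals is reuse; the same
    # principal spelled two ways (DOMAIN\x vs x@domain) is not.
    reuse = {s: sorted(a) for s, a in by_secret.items() if len(a) > 1}
    weak = {a: sorted(i) for a, i in weak_sets.items()}
    reused_accounts = {a for accts in reuse.values() for a in accts}
    high_risk = sorted(a for a in admins if a in weak or a in reused_accounts)
    return {"reuse": reuse, "weak": weak,
            "admins": sorted(admins), "high_risk": high_risk}


# Constructed sample harvest (not real credentials).
SAMPLE_CREDS = [
    Cred("winscp", "CORP\\svc_backup", "Summer2024!"),
    Cred("mremoteng", "svc_backup@corp.local", "Summer2024!"),  # same principal
    Cred("gpp", "CORP\\localadmin", "Welcome1"),
    Cred("filezilla", "deploy", "Welcome1"),                    # reused
    Cred("git", "jdoe", "xK9#vQ2!mR7$wL4p"),
    Cred("browser", "CORP\\da_jdoe", "xK9#vQ2!mR7$wL4p"),         # user -> DA reuse
]

if __name__ == "__main__":
    result = audit(SAMPLE_CREDS)
    for secret, accts in result["reuse"].items():
        print(f"reuse: {secret!r} shared by {', '.join(accts)}")
    for acct, issues in result["weak"].items():
        print(f"weak:  {acct}: {', '.join(issues)}")
    print("admin-looking:", ", ".join(result["admins"]))
    print("high risk:", ", ".join(result["high_risk"]))
```

The useful signal is the intersection: a strong password reused between `jdoe` and `da_jdoe` says more about the next lateral move than a dozen weak passwords on disposable accounts, so the `high_risk` list is what a spray module would want to consume first.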