Linux Fundamentals

Linux Fundamentals for Hackers

The command line skills every penetration tester uses every single day

18 min readUpdated 2026-04-18
#linux#bash#permissions#processes#filesystem
TL;DR
  • Nearly every hacking tool runs on Linux — the command line is your primary interface
  • File permissions (rwx) determine what you can read, write, and execute as which user
  • Processes, users, and groups are the core of Linux privilege management
  • Bash scripting turns repetitive manual steps into automated pipelines
  • Knowing where things live (/etc, /var, /home, /tmp) directly speeds up post-exploitation

The Filesystem Hierarchy

Linux organises everything under / (root). No drive letters — everything is a path.

DirectoryWhat lives thereWhy hackers care
/etcSystem config filesCredentials in /etc/passwd, /etc/shadow, service configs
/homeUser home directoriesSSH keys, bash history, saved credentials
/rootRoot's home directoryFlags, credentials, SSH keys
/var/logSystem logsAttack evidence — and victim's forensic trail
/tmpTemporary filesWorld-writable — good place to drop tools
/optOptional softwareThird-party apps, sometimes misconfigured
/procVirtual FS — running processes/proc/self/environ leaks env vars
/devDevice files/dev/null, /dev/random, shell tricks
/bin, /usr/binSystem binariesTools available to all users
/sbin, /usr/sbinAdmin binariesRestricted commands
bash
# Navigate the filesystem
ls -la /etc          # Long listing with hidden files
ls -lah /home        # Human-readable sizes
find / -name "*.conf" 2>/dev/null   # Find all config files
find / -perm -4000 2>/dev/null      # Find SUID binaries (privesc gold)

File Permissions — The Access Control System

Every file and directory has three permission sets: owner, group, others. Each set has read (r), write (w), execute (x).

-rwxr-xr-- root sudo /usr/bin/passwd
-
file type: - file, d directory, l symlink
rwx
owner: read + write + execute (full access)
r-x
group: read + execute
r--
others: read only
root
owner username
sudo
owner group
/usr/bin/passwd
file path

Numeric (Octal) Permissions

OctalBinaryPermissions
7111rwx — full access
6110rw- — read/write
5101r-x — read/execute
4100r-- — read only
0000--- — no access
bash
# Change permissions
chmod 755 script.sh       # rwxr-xr-x
chmod +x script.sh        # Add execute for all
chmod 600 id_rsa          # rw------- (SSH key must be this)

# Change ownership
chown user:group file.txt
chown root:root /etc/passwd

SUID / SGID / Sticky Bit

BitOn filesOn directories
SUID (4000)Run as file owner regardless of who executes
SGID (2000)Run as file groupFiles inherit group
Sticky (1000)Only owner can delete their own files (/tmp)
SUID = Privilege Escalation

A SUID binary owned by root runs as root regardless of who invokes it. find / -perm -4000 2>/dev/null is one of the first commands you run after getting a shell.

Users, Groups, and sudo

Linux users are identified by UID (User ID). Root = UID 0. System services use UIDs < 1000. Regular users start at 1000.

bash
# Who am I?
id                    # uid, gid, groups
whoami                # just the username
groups                # group memberships

# User information
cat /etc/passwd       # All accounts (username:x:uid:gid:info:home:shell)
cat /etc/shadow       # Password hashes (root-readable only)
cat /etc/group        # Group definitions

# Switch users
su - username         # Become username (needs their password)
sudo -l               # What can current user run as root?
sudo su               # Become root if sudo permits

`/etc/passwd` Format

root:x:0:0:root:/root:/bin/bash
root
username
x
password placeholder (x = hash stored in /etc/shadow)
0 (UID)
user ID — 0 is always root
0 (GID)
primary group ID
root (GECOS)
display name / comment field
/root
home directory
/bin/bash
login shell
TIP

If you can read /etc/shadow, you have password hashes for every account on the system. Feed them to hashcat with mode -m 1800 (sha512crypt).

Processes and Jobs

bash
# List running processes
ps aux              # All processes, full format
ps aux | grep nginx # Filter for specific process
pstree              # Process tree

# Real-time process monitor
top
htop               # Better version (may need install)

# Process management
kill PID            # Send SIGTERM (graceful stop)
kill -9 PID         # Send SIGKILL (immediate stop)
killall processname

# Background jobs
command &           # Run in background
jobs                # List background jobs
fg %1               # Bring job 1 to foreground
Ctrl+Z              # Suspend current process

Why Processes Matter in Pentesting

  • Cron jobs running as root with writable scripts = privilege escalation
  • Running services reveal what ports are open internally
  • Process environment variables sometimes contain credentials
bash
# Find cron jobs
cat /etc/crontab
ls -la /etc/cron*
crontab -l          # Current user's cron

# Check running services
systemctl list-units --type=service --state=running
netstat -tlnp       # Listening ports with PIDs (requires root for PIDs)
ss -tlnp            # Modern replacement for netstat

File Operations — Speed and Precision

bash
# Copy, move, delete
cp source dest
cp -r dir/ dest/    # Recursive copy
mv source dest      # Move / rename
rm file             # Delete
rm -rf dir/         # Delete directory recursively (no undo)

# Create
touch filename      # Create empty file / update timestamp
mkdir -p a/b/c      # Create nested directories

# Read files
cat file            # Print entire file
less file           # Paginated view
head -20 file       # First 20 lines
tail -20 file       # Last 20 lines
tail -f /var/log/syslog   # Follow live log updates

# Search within files
grep "password" /etc/*.conf
grep -r "api_key" /var/www/   # Recursive search
grep -i "admin" file.txt       # Case-insensitive
grep -v "^#" /etc/hosts        # Exclude comments

Text Processing — Your Data Pipeline

Combining tools with pipes is where Linux becomes powerful for hackers.

bash
# Pipes — output of one command > input of next
cat /etc/passwd | grep bash    # Find users with bash shell
ps aux | awk '{print $1}' | sort -u   # Unique list of process owners

# awk — column-based processing
cat /etc/passwd | awk -F: '{print $1, $3}'   # Username and UID
awk '{print $NF}' file.txt                    # Last column

# sed — stream editor
sed 's/foo/bar/g' file.txt     # Replace all 'foo' with 'bar'
sed '/^#/d' file.txt           # Delete comment lines

# sort and uniq
sort file.txt | uniq           # Remove duplicates
sort file.txt | uniq -c        # Count occurrences
sort -n numbers.txt            # Numeric sort

# cut — extract columns
cut -d: -f1 /etc/passwd        # First field, colon delimiter
cut -d, -f1,3 data.csv         # Fields 1 and 3

# tr — translate characters
echo "HELLO" | tr 'A-Z' 'a-z'  # Convert to lowercase

Networking Commands

bash
# Interface info
ip addr show       # IP addresses
ip link show       # Network interfaces
ifconfig           # Older syntax

# Connectivity
ping -c 4 8.8.8.8
curl -I https://target.com     # HTTP headers only
wget https://target.com/file   # Download file

# Open connections
netstat -antp      # All TCP connections with PIDs
ss -antp           # Modern netstat
lsof -i :80        # What's on port 80?

# DNS
nslookup target.com
dig target.com
host target.com

# Transfer files
scp file.txt user@host:/tmp/
scp user@host:/etc/passwd .
nc -lvnp 4444 > received.txt   # Receive via netcat
nc target 4444 < file.txt      # Send via netcat

Bash Scripting Essentials

Scripting automates the repetitive parts of a pentest.

bash
#!/bin/bash
# Make executable: chmod +x script.sh

# Variables
TARGET="192.168.1.0"
PORT=80

# Input
read -p "Enter target: " TARGET

# Conditionals
if [[ -f "/etc/shadow" ]]; then
  echo "Can read shadow file!"
fi

if [[ $UID -eq 0 ]]; then
  echo "Running as root"
else
  echo "Not root — UID: $UID"
fi

# Loops
for i in {1..254}; do
  ping -c 1 -W 1 192.168.1.$i &>/dev/null && echo "192.168.1.$i is alive"
done

# Command substitution
HOSTNAME=$(hostname)
USER_LIST=$(cat /etc/passwd | cut -d: -f1)

# Functions
check_port() {
  nc -zv $1 $2 2>/dev/null && echo "Port $2 open"
}
check_port 192.168.1.1 80

Shell Tricks That Save Time

bash
# History
history              # All previous commands
!!                   # Repeat last command
!ssh                 # Repeat last command starting with 'ssh'
Ctrl+R               # Reverse search through history

# Navigation shortcuts
Ctrl+A               # Jump to start of line
Ctrl+E               # Jump to end of line
Ctrl+W               # Delete last word
Alt+.                # Insert last argument of previous command

# Redirection
command > file.txt   # Redirect stdout (overwrite)
command >> file.txt  # Redirect stdout (append)
command 2> err.txt   # Redirect stderr
command 2>/dev/null  # Discard errors
command &> all.txt   # Redirect both stdout and stderr

# Here-doc — multiline input
cat << EOF
line one
line two
EOF

Operational Notes

  • Always use full paths in scripts$(which python3) not just python3. PATH may differ in cron or restricted shells.
  • `2>/dev/null` is your best friend. find / without it floods output with permission errors.
  • Bash vs sh#!/bin/bash gives you arrays, [[ ]], and process substitution. #!/bin/sh is POSIX-only. On some systems, sh is dash, not bash.
  • `tee` for logging: command | tee output.txt — prints to terminal AND saves to file simultaneously.
  • File descriptors after privilege escalation — if a root process has a file descriptor open, you can read it even without permissions: /proc/PID/fd/.

What to Read Next

  • How Networks Actually Work — understand the network layer that all these commands operate on
  • Post-Exploitation — Linux skills used in practice after gaining a shell
  • Reconnaissance — putting these tools to use in the information-gathering phase
← PreviousHow Networks Actually WorkNext →How Authentication Works
← back to knowledge base