The problem with most Linux cheatsheets

Most Linux command lists are either 10 commands that everyone already knows, or 200 commands with no context. This one sits in between. These are the commands I actually use day-to-day on Kali — for CTFs, pentesting, script debugging, and general system work. I've skipped the obvious ones (cd, mkdir, echo) and focused on the ones that took me a while to properly learn, with real examples of how I use them.

Navigation and file inspection

ls -la

The -l flag gives long format (permissions, owner, size, date). The -a shows hidden files (dotfiles). You need both. Always check for hidden files in CTF challenge directories — .htpasswd, .env, .git folders sitting there in plain sight.

ls -la /var/www/html/
ls -la ~/.ssh/

find

The most underrated command in Linux. Find files by name, type, permissions, owner, modification time — or any combination.

# Files modified in the last 24 hours
find /var/log -mtime -1 -type f

# SUID files — essential in privilege escalation
find / -perm -4000 2>/dev/null

# Find directories the current user can write to (for world-writable, use -perm -0002)
find / -writable -type d 2>/dev/null

# Files owned by a specific user
find / -user www-data -type f 2>/dev/null

The 2>/dev/null discards error output (mostly "Permission denied" messages) so you only see results you can actually read.
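The same SUID search is useful from the defender's side when its output is compared against a reviewed list. This is an added example, not part of the original cheatsheet; the function names, the baseline file and the throwaway directory tree are all assumptions made for the demo.

```shell
# Added example: report setuid files that are not on a reviewed baseline.
# Usage: suid_drift <root-dir> <baseline-file>
# The baseline file (hypothetical) holds one absolute path per line,
# taken from a scan of a known-good system.
suid_drift() {
  root=$1; baseline=$2
  # -xdev stays on one filesystem; -perm -4000 matches the setuid bit.
  # grep -vxF -f drops every path that appears verbatim in the baseline.
  find "$root" -xdev -type f -perm -4000 2>/dev/null | sort |
    grep -vxF -f "$baseline" || true   # empty output means no drift
}

# Constructed demo tree: one expected setuid binary, one unexpected one.
demo_suid_drift() {
  dir=$(mktemp -d)
  mkdir -p "$dir/usr/bin" "$dir/tmp"
  touch "$dir/usr/bin/passwd" "$dir/usr/bin/ls" "$dir/tmp/.helper"
  chmod 4755 "$dir/usr/bin/passwd" "$dir/tmp/.helper"
  chmod 755 "$dir/usr/bin/ls"
  printf '%s\n' "$dir/usr/bin/passwd" > "$dir/baseline.txt"
  # Strip the temp prefix so the output is stable between runs.
  suid_drift "$dir" "$dir/baseline.txt" | sed "s|^$dir||"
  rm -rf "$dir"
}

demo_suid_drift
```

On a real host, run suid_drift / against a baseline saved right after install and review anything it prints.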

less and tail

For log files: less lets you page through a large file without loading it all into memory. tail -f follows a log file in real time — essential when watching application output or monitoring a running process.

less /var/log/auth.log
tail -f /var/log/nginx/access.log
tail -n 100 /var/log/syslog   # last 100 lines

Text processing — the power trio

grep

Search for patterns in files or piped input. I use it constantly.

# Recursive search with line numbers
grep -rn "password" /var/www/ --include="*.php"

# Case-insensitive
grep -i "error" /var/log/app.log

# Invert match — show lines that DON'T match
grep -v "DEBUG" app.log

# Count matches
grep -c "Failed" /var/log/auth.log

# Show context around a match
grep -B2 -A2 "Exception" app.log

awk

awk processes text field by field. Default delimiter is whitespace. Once you get used to it, you reach for it constantly for log parsing.

# Print the 4th field (the hostname in syslog-format auth.log)
awk '{print $4}' /var/log/auth.log

# Print POST requests (combined log format: the method is field 6, with its leading quote)
awk '$6 == "\"POST" {print $0}' access.log

# Sum file sizes from ls -l output
ls -l | awk '{sum += $5} END {print sum}'

sed

sed edits text streams. The most common use: find and replace.

# Replace all occurrences in a file (in-place)
sed -i 's/localhost/192.168.1.1/g' config.txt

# Delete lines matching a pattern
sed '/^#/d' config.txt   # remove comments

# Print only lines 10-20
sed -n '10,20p' file.txt

Process management

ps and grep combo

ps aux shows all running processes with user, PID, CPU%, memory%, and command. The real power is piping to grep.

ps aux | grep python
ps aux | grep -v root   # drops every line containing "root" (rough non-root filter)

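# Find what's listening on a port (ps -p takes the PID list directly;
# grep on a PID would match any line containing that number)
ps -fp "$(lsof -t -iTCP:8080 -sTCP:LISTEN | paste -sd, -)"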

kill and pkill

kill -9 1234          # force kill by PID
pkill -f "python app.py"  # kill by pattern matched against the full command line
killall nginx         # kill all processes with this name

jobs, bg, fg

When you start a long process and want to keep using the terminal: Ctrl+Z suspends it, bg resumes it in the background, fg brings it back to foreground. Append & to run a command directly in the background.

nmap -sV 10.10.10.1 &
jobs
fg %1

Permissions

chmod

chmod uses octal notation or symbolic notation. Octal is faster once you know it: 4=read, 2=write, 1=execute, added together into one digit each for Owner/Group/Others, in that order.

chmod 755 script.sh    # rwxr-xr-x
chmod 600 id_rsa       # rw------- (SSH key needs this)
chmod +x script.sh     # add execute for everyone
chmod u+s binary       # set SUID bit

sudo !!

The most useful trick: !! is shell shorthand for the last command. So sudo !! re-runs your last command as root. Saves constant retyping.

Networking commands

ss (replaces netstat)

ss is the modern replacement for netstat. The flags I use constantly:

ss -tulnp
# -t TCP  -u UDP  -l listening  -n numeric  -p show process

On a target machine during a pentest, this tells you what services are running and what ports they're on — including internal services not exposed to the network.

curl

curl is an HTTP client for the terminal. I use it for API testing, checking headers, and quickly testing endpoints.

# Check response headers
curl -I https://example.com

# POST JSON
curl -X POST -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"test"}' \
  http://target/api/login

# Follow redirects, show verbose output
curl -Lv http://target/

# Download a file
curl -o file.zip http://target/download

nc — netcat

Netcat is the Swiss army knife of networking. Connect to ports, set up listeners, transfer files.

# Test if a port is open
nc -zv 10.10.10.1 80

# Listen for a connection (reverse shell catcher)
nc -lvnp 4444

# Send a file
nc -w3 target 4444 < file.txt

Pipes and redirects — the glue

Pipes (|) pass output from one command as input to the next. Redirects (>, >>) send output to files. Combining these is where Linux becomes genuinely powerful.

# Count requests per client IP hitting your server (top 20)
cat access.log | awk '{print $1}' | sort | uniq -c | sort -rn | head -20

# Find the 10 largest top-level directories
du -sh /* 2>/dev/null | sort -rh | head -10

# Search auth log for failed SSH attempts and count by IP
# (the IP is 4th from the end; a fixed $11 returns the user name on "invalid user" lines)
grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn
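The failed-SSH pipeline above can go one step further and also count how many distinct user names each address tried, which separates one-account brute forcing from spraying. This is an added example, not from the original cheatsheet; the log lines are constructed (documentation-range addresses) and the function names are assumptions.

```shell
# Constructed sample in traditional syslog auth.log format.
sample_auth_log() {
cat <<'EOF'
Jan 10 03:12:01 kali sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan 10 03:12:04 kali sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Jan 10 03:12:09 kali sshd[1207]: Failed password for invalid user test from 198.51.100.23 port 51514 ssh2
Jan 10 03:13:00 kali sshd[1210]: Accepted password for kali from 192.0.2.10 port 50022 ssh2
Jan 10 03:13:30 kali sshd[1215]: Failed password for root from 203.0.113.7 port 40188 ssh2
EOF
}

# Reads auth.log lines on stdin.
# Prints "attempts distinct_users ip", busiest source first.
failed_ssh_summary() {
  awk '/Failed password for / {
         # Scan backwards for the last "from": the user name before it is
         # chosen by the client, so column positions cannot be trusted.
         for (i = NF - 1; i > 0; i--) if ($i == "from") break
         if (i < 2) next
         ip = $(i + 1); user = $(i - 1)
         attempts[ip]++
         if (!seen[ip, user]++) users[ip]++
       }
       END { for (ip in attempts) print attempts[ip], users[ip], ip }' |
    sort -k1,1nr -k3,3
}

# Fixed-column extraction, kept only to show where it goes wrong.
fixed_column_11() {
  awk '/Failed password/ {print $11}'
}

sample_auth_log | failed_ssh_summary
```

Feed it the real file with failed_ssh_summary < /var/log/auth.log.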

A few that are specifically useful for security work

# Check for SUID binaries (privesc enumeration)
find / -perm -u=s -type f 2>/dev/null

# Check cron jobs
crontab -l
cat /etc/crontab
ls /etc/cron.*

# Check what files a user has access to
find / -user www-data 2>/dev/null

# Look for passwords in config files
grep -rn "password\|passwd\|secret\|key" /etc/ 2>/dev/null | grep -v "#"

# Check running services
systemctl list-units --type=service --state=running

Learn them by using them

The best way to learn these is not to read a list but to use them on real tasks. Run through a TryHackMe or HackTheBox machine and deliberately use the command-line tools instead of GUI alternatives. Check logs after running something. Parse output with grep and awk instead of scrolling. After a few weeks of daily use, these become muscle memory. That's the point — when you're in the middle of a pentest or debugging a crashed service at 2am, you want these to be automatic.