The Mindset

The Linux filesystem is enormous. Manually browsing through directories looking for something interesting is a waste of time. Instead, you use tools that let you search with surgical precision — by name, by type, by owner, by size, by date, by permission. This skill is critical in two scenarios:
  • Post-exploitation enumeration — finding credentials, configs, and sensitive data after landing on a box
  • Privilege escalation — finding SUID binaries, writable scripts, and misconfigured files

Know Where to Look First

Before running any search, know the Linux filesystem layout. These directories are your hunting grounds:
| Path | What You’ll Find There |
| --- | --- |
| /etc | Config files — credentials, service settings, usernames |
| /home/* | User files — SSH keys, bash history, scripts, notes |
| /root | Root’s home — only accessible with root or SUID abuse |
| /var/log | Logs — cleartext credentials, activity trails |
| /var/www | Web app files — database credentials in config files |
| /tmp & /dev/shm | Writable by everyone — good for dropping payloads |
| /opt | Third-party software — often misconfigured or forgotten |
| /proc | Running process info — environment variables, cmdlines |
| /backup or /backups | Backups — sometimes contain old credentials or configs |

which — Is This Tool Available?

Before running anything, check what’s installed. Knowing whether Python, netcat, wget, or curl are available changes your options.
```bash
which python3
# /usr/bin/python3

which nc
# /usr/bin/nc

which wget curl gcc
# /usr/bin/wget
# /usr/bin/curl
# (no output = not installed)
```
If a program isn’t found, which returns nothing. No output = not on the PATH.

find — The Surgical Search Tool

find is the most powerful file search tool on Linux. It searches in real-time and supports a huge range of filters. Slower than locate, but always accurate and extremely flexible.

Syntax

```bash
find <location> <options>
```

Core Options

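| Option | What It Does |
| --- | --- |
| `-type f` | Files only |
| `-type d` | Directories only |
| `-name "*.conf"` | Match by name/extension (case-sensitive) |
| `-iname "*.conf"` | Match by name (case-insensitive) |
| `-user root` | Files owned by a specific user |
| `-group sudo` | Files owned by a specific group |
| `-size +20k` | Files larger than 20KB |
| `-size -1024k` | Files smaller than 1MB (GNU find rounds sizes up to whole units, so `-size -1M` matches only empty files) |
| `-perm -4000` | SUID bit set |
| `-perm -2000` | SGID bit set |
| `-perm -o+w` | World-writable files |
| `-newermt 2024-01-01` | Modified after a specific date |
| `-exec <cmd> {} \;` | Run a command on each result |
| `2>/dev/null` | Suppress permission denied errors (shell redirection of stderr, not a find option) |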

Practical Examples

Find all config files owned by root, larger than 20KB, modified after 2020:
```bash
find / -type f -name "*.conf" -user root -size +20k -newermt 2020-01-01 -exec ls -al {} \; 2>/dev/null
```
Find all SUID binaries — check each one against GTFOBins:
```bash
find / -perm -4000 -type f 2>/dev/null
```
Find world-writable files (potential hijack targets):
```bash
find / -perm -o+w -type f 2>/dev/null
```
Find all files owned by a specific user:
```bash
find / -user cry0l1t3 -type f 2>/dev/null
```
Hunt for credential files by name:
```bash
find / -type f \( -name "*.conf" -o -name "*.config" -o -name "*.ini" -o -name "*.env" -o -name "id_rsa" \) 2>/dev/null
```
Find recently modified files (last 10 minutes — useful after running an exploit):
```bash
find / -type f -mmin -10 2>/dev/null
```
Always append 2>/dev/null to find commands. Without it, the terminal floods with “Permission denied” errors that bury your real results.
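
The permission predicates from the table above are also what a defender uses to audit a host. The following is an added example, not part of the original page: it reports SUID files missing from an approved baseline, world-writable files, and world-writable directories without the sticky bit. The function names, the baseline file format and the sample tree are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the original page): defensive audit of one tree.
# audit_tree, make_fixture and the baseline format are hypothetical names.

# audit_tree ROOT BASELINE  -> prints "<KIND> <path>", one finding per line.
# BASELINE is a text file listing approved SUID paths, one per line.
audit_tree() (
  root=$1 baseline=$2
  # SUID files that are not in the approved baseline
  find "$root" -xdev -type f -perm -4000 2>/dev/null | sort |
  while IFS= read -r path; do
    grep -Fxq -- "$path" "$baseline" || printf 'SUID-UNAPPROVED %s\n' "$path"
  done
  # World-writable regular files (-perm -0002 is the octal form of -perm -o+w)
  find "$root" -xdev -type f -perm -0002 2>/dev/null | sort |
    sed 's/^/WORLD-WRITABLE-FILE /'
  # World-writable directories without the sticky bit, where any user can
  # delete or replace another user's files
  find "$root" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort |
    sed 's/^/WORLD-WRITABLE-DIR-NOSTICKY /'
)

# Constructed sample tree with known-good and known-bad modes.
make_fixture() (
  umask 022
  d=$(mktemp -d) || exit 1
  mkdir -p "$d/bin" "$d/spool" "$d/scratch"
  : > "$d/bin/approved"; chmod 4755 "$d/bin/approved"
  : > "$d/bin/unknown";  chmod 4755 "$d/bin/unknown"
  : > "$d/bin/plain";    chmod 0755 "$d/bin/plain"
  : > "$d/spool/job.sh"; chmod 0666 "$d/spool/job.sh"
  chmod 1777 "$d/scratch"   # sticky like /tmp: not reported
  chmod 0777 "$d/spool"     # no sticky bit: reported
  printf '%s\n' "$d/bin/approved" > "$d/baseline.txt"
  printf '%s\n' "$d"
)

fixture=$(make_fixture)
audit_tree "$fixture" "$fixture/baseline.txt"
rm -rf "$fixture"
```

On a real host, point ROOT at `/` and build the baseline from a known-good image or package manifest; `-xdev` keeps the scan on one filesystem and out of `/proc`.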

locate — The Fast Search Tool

locate uses a pre-built database to search instantly across the entire filesystem. Much faster than find, but the database may be outdated — it won’t show files created since the last updatedb run.
```bash
# Update the database first (requires root)
sudo updatedb

# Find all .conf files (quote the pattern so the shell does not expand it first)
locate "*.conf"

# Find SSH private keys
locate id_rsa

# Find password files
locate password
```
When to use locate vs find:
| Situation | Use |
| --- | --- |
| Quick name-based search across the whole system | locate |
| Need accurate, real-time results | find |
| Filtering by permissions, owner, size, date | find |
| Searching for recently created files | find |

tree — Visualize Directory Structure

When you need to understand how a directory is organized at a glance:
```bash
# Full tree of current directory
tree .

# Limit depth
tree -L 2 /var/www

# Show hidden files
tree -a /home/user
```

High-Value Targets Cheatsheet

These are the files and locations that most often yield credentials, keys, or privesc paths:
```bash
# SSH private keys
find / -name "id_rsa" -o -name "id_ecdsa" -o -name "id_ed25519" 2>/dev/null

# Bash history (commands run by users — often contains passwords)
cat ~/.bash_history
find /home -name ".bash_history" 2>/dev/null
cat /root/.bash_history 2>/dev/null

# Database credentials in web app configs
find /var/www -name "*.php" -exec grep -l "password\|passwd\|db_pass" {} \; 2>/dev/null
find / -name "wp-config.php" 2>/dev/null
find / -name "config.php" -o -name ".env" 2>/dev/null

# Cron jobs (scheduled tasks — look for writable scripts)
cat /etc/crontab
ls -la /etc/cron.*
crontab -l 2>/dev/null

# Readable shadow file?
cat /etc/shadow 2>/dev/null

# Any backup files containing credentials?
find / -name "*.bak" -o -name "*.backup" -o -name "*.old" 2>/dev/null

# World-writable directories (drop files, hijack scripts)
find / -type d -perm -o+w 2>/dev/null
```
.bash_history is underrated. Users frequently type passwords directly into commands. Always check history files for every user you can access.