Tutorials & Guides

Linux Command Cheat Sheet (2026): Every Command You’ll Actually Use

Linux commands are text-based instructions you type into the terminal to interact with the operating system. Navigating files, managing processes, and controlling the system directly, without a GUI in the way.

They matter because most people learning security pick up the concepts fast. How attacks work, what to look for, how to think through a box, but slow down the moment they hit a terminal with no menu to click through. Knowing the commands through a linux command cheat sheet is what closes that gap.

So here’s the cheat sheet I wish I’d had when I started working through the TryHackMe CTF Writeups & Walkthrough Roadmap. Bookmark it, pin it next to your monitor, so you don’t forget it next time. 

Linux command cheat sheet showing common terminal commands for beginners

Navigation and file basics

These are the ones you’ll be typing on autopilot within a week of starting the TryHackMe Tutorial Room.

CommandWhat it does
pwdPrint the current working directory
ls -laList everything, including hidden files, with details
cd ~Go home
cd –Jump back to wherever you just were
cp file1 file2Copy a file
cp -r folder1/ folder2/Copy a folder and everything inside it
mv file1 file2Move or rename a file
rm -rf folder/Delete a folder and everything inside it, no undo, so be sure
mkdir -p a/b/cCreate nested folders in one shot
touch newfile.txtCreate an empty file
cat file.txtDump a file’s contents to screen
less file.txtScroll through a big file without loading the whole thing
head -n 20 file.txtFirst 20 lines
tail -f logfile.logWatch a log file update live
treeShow a directory as a visual tree (install it if it’s missing, worth it)

Quick one: what’s the actual difference between cat and less? cat prints everything at once, which is fine for a short file but a mess for anything long. less lets you scroll, search, and quit without your terminal filling up with 4,000 lines of log output.

File permissions

This is where most beginners trip up, including plenty of people working through our TryHackMe Learning Cyber Security Room guide.

CommandWhat it does
chmod 755 script.shOwner gets read/write/execute, everyone else gets read/execute
chmod +x script.shMake a file executable
chown user:group fileChange who owns a file
chown -R user:group folder/Change ownership recursively
ls -lSee permissions, owner, and group
umaskCheck the default permissions new files get
stat file.txtSee detailed metadata: permissions, timestamps, inode

The numbers: 4 is read, 2 is write, 1 is execute. Add them up per role (owner, group, everyone else). 755 breaks down to rwxr-xr-x.

And the difference between 755 and 777? 777 gives everyone full read/write/execute access, which is almost never what you actually want. It’s the permission equivalent of leaving your front door open with a note that says “come on in.” Stick to 755 or 644 unless you have a specific reason not to.

Searching and text processing

Half of enumeration, on a CTF box or a real engagement, is just grep, cut, and awk stitched together. If you’ve worked through Module 03: OSINT and Attack Surface Mapping, you’ve already used a few of these to filter through recon output.

CommandWhat it does
grep -r “password” /var/wwwRecursively search for a string in a directory
grep -iCase-insensitive search
grep -vInvert the match, show lines that don’t match
find / -name “*.conf” 2>/dev/nullFind files by name, hide the permission-error noise
find / -perm -4000 2>/dev/nullFind SUID binaries, a classic privilege escalation check
find / -mtime -1 2>/dev/nullFind files modified in the last 24 hours, useful during forensics
locate filenameFast file search using a pre-built index
awk ‘{print $1}’ filePrint the first column of a file
sed ‘s/old/new/g’ fileFind and replace text in a file
cut -d: -f1 /etc/passwdPull the first field from a colon-separated file
sort file.txt | uniq -cCount unique lines
wc -l file.txtCount lines
diff file1 file2Compare two files line by line

Process and system management

CommandWhat it does
ps auxList everything running
top / htopLive CPU and memory usage
kill -9 PIDForce-kill a process
pkill processnameKill a process by name instead of PID
systemctl status serviceCheck on a service
systemctl restart serviceRestart it
systemctl enable serviceMake a service start on boot
uptimeHow long the system’s been up, and current load
df -hDisk space, human-readable
du -sh folder/Size of one specific folder
free -hRAM usage
journalctl -xeCheck recent system logs when something’s gone wrong

Should you use top or htop? top is on every Linux box by default, so it’s worth knowing. htop is easier to read and lets you scroll and kill processes with arrow keys instead of memorizing PIDs. Install it if it’s not already there.

Networking

If you’ve been through any of our Advent of Cyber networking days, Day 19’s Modbus and Nmap walkthrough is a good example, most of these will feel familiar already. And if you’re connecting to labs regularly, our TryHackMe OpenVPN guide for Linux covers the VPN side of this in more detail.

CommandWhat it does
ip aShow network interfaces and IPs (the modern ifconfig)
ping -c 4 hostSend 4 pings and stop
curl -I https://site.comGrab just the HTTP headers from a URL
wget urlDownload a file
netstat -tulnpShow listening ports and what’s using them
ss -tulnpFaster, modern replacement for netstat
nmap -sV -p- targetFull port scan with service and version detection
nc -lvnp 4444Open a listening port with netcat, a staple for reverse shells
ssh user@hostConnect to a remote box
scp file user@host:/pathCopy a file over SSH
rsync -avz source/ user@host:/dest/Sync files over SSH, faster than scp for repeated transfers
traceroute hostSee the network path to a host, hop by hop
dig domain.comQuery DNS records for a domain

Full documentation for every flag on these, nmap especially since it has dozens, lives on man7.org’s online man pages, worth bookmarking right alongside this page.

Linux command cheat sheet showing common terminal commands for beginners

User and group management

CommandWhat it does
whoamiWho you’re logged in as
idYour user ID, group ID, and group memberships
sudo -lWhat you’re allowed to run as another user, check this first on any new box
useradd -m newuserCreate a user with a home directory
passwd usernameChange a password
su – usernameSwitch to another user’s shell
groups usernameSee what groups a user belongs to
usermod -aG sudo usernameAdd a user to the sudo group

Package management

Distro matters here. Debian/Ubuntu-based systems (including Kali) use apt; Red Hat-based ones use dnf or the older yum.

CommandWhat it does
apt update && apt upgradeRefresh package lists and upgrade installed packages
apt install packageInstall a package
apt remove packageRemove a package
apt search keywordSearch for a package by name
dnf install packageSame idea, Red Hat/Fedora/CentOS
dpkg -lList all installed packages (Debian-based)

Redirection, pipes, and environment variables

This is the part that actually turns individual commands into something powerful and makes the linux command cheat sheet even more useful.

CommandWhat it does
command > file.txtSend output to a file, overwriting it
command >> file.txtAppend output to a file instead of overwriting
command < file.txtFeed a file in as input instead of typing it
command 2> file.txtSend just the error output to a file
command 2>&1Redirect error output along with standard output
command > /dev/null 2>&1Throw away all output, useful in scripts
command1 | command2Pipe the output of one command into another
echo $PATHSee your shell’s executable search path
export VAR=valueSet an environment variable for the current session
envList all current environment variables
unset VARRemove an environment variable
source ~/.bashrcReload your shell config after editing it

Checksums and file integrity

Useful for confirming a downloaded tool hasn’t been tampered with, and for the kind of file-integrity checks that come up in digital forensics work. If you’ve read our guide on recovering lost files with data carving tools, this pairs naturally with that.

CommandWhat it does
md5sum fileGenerate an MD5 hash of a file
sha256sum fileGenerate a SHA-256 hash (stronger, more commonly used today)
sha256sum -c checksums.txtVerify a file against a list of known-good hashes
cmp file1 file2Check whether two files are byte-for-byte identical

Text editors: nano, vi, and vim

You’ll edit config files and scripts directly in the terminal constantly, so it’s worth knowing at least one of these properly.

nano is the easiest to start with. Ctrl+O saves, Ctrl+X exits, and the shortcuts are printed at the bottom of the screen so you’re never guessing.

vi and vim are more powerful once you know them, but they work in modes, which trips up almost everyone at first. The essentials:

KeyWhat it does
iEnter insert mode so you can actually type
EscLeave insert mode and go back to command mode
:wSave
:qQuit
:wqSave and quit
:q!Quit without saving, useful when you’ve made a mess
ddDelete the current line
yyCopy the current line
pPaste
/searchtermSearch the file for text

If you only remember one thing about vim, make it :q!. Everyone gets stuck in vim at least once wondering how to get out, and that’s the command that saves you.

Terminal multiplexing with tmux and screen

This one gets skipped in a lot of cheat sheets, but it matters more than people realize once you’re working over SSH regularly. If your connection drops mid-session (or you close your laptop lid without thinking), whatever you were running dies with it, unless it’s inside a tmux or screen session.

CommandWhat it does
tmux new -s mysessionStart a new named tmux session
tmux attach -t mysessionReattach to a session after disconnecting
tmux lsList active sessions
Ctrl+B then DDetach from tmux without killing it
screen -S mysessionStart a new named screen session (the older alternative to tmux)
screen -rResume a detached screen session

Getting help without leaving the terminal

CommandWhat it does
man commandFull manual page for a command
command –helpQuick summary of flags, faster than the full man page
whatis commandOne-line description of what a command does
apropos keywordSearch man page descriptions for a keyword when you don’t know the exact command name
which commandShow the full path of the command that would run
type commandShow whether something is a built-in, alias, or actual binary

Basic firewall and security commands

Pairs well with the password-recovery side of things too. If you’ve read our LaZagne password recovery guide, a lot of the same investigative mindset applies here.

CommandWhat it does
ufw statusCheck firewall status (Ubuntu’s simplified firewall)
ufw allow 22Allow traffic on a specific port
ufw deny 23Block a specific port
iptables -LList current firewall rules (lower-level, more control)
lastShow recent login history
whoSee who’s currently logged in
wLike who, but with what each user is currently doing

Archives and compression

CommandWhat it does
tar -czvf archive.tar.gz folder/Compress a folder into .tar.gz
tar -xzvf archive.tar.gzExtract it
zip -r archive.zip folder/Compress into .zip
unzip archive.zipExtract it

The shortcuts that save you the most time

  • history \| grep ssh, search your command history instead of scrolling forever
  • !!, repeat the last command (great when you forgot sudo)
  • Ctrl+R, reverse-search your history interactively
  • Ctrl+C, kill whatever’s currently running in the foreground
  • Ctrl+Z then bg, pause a process and send it to the background
  • Ctrl+A / Ctrl+E, jump to the start or end of the line you’re typing
  • alias ll=’ls -la’, stop typing the same flags a hundred times a day
  • man command, when you genuinely don’t know, this is still the fastest answer

Do you actually need to memorize all of this? No, nobody does, not even people who’ve been doing this for years. What sticks is the stuff you use daily; the rest you’ll look on the linux command cheat sheet or Google in the moment, and that’s completely normal.

And if you’re wondering whether these commands work the same on macOS, mostly yes, since it’s Unix-based too, but a handful of flags (especially on find and sed) behave differently, so don’t be surprised if something that works on Linux throws an error on a Mac.

Linux command cheat sheet showing common terminal commands for beginners

My two cents

I’ve spent the better part of eight years moving between SOC work, digital forensics, and incident response, and if I had to pick one habit from this whole list, it’s pwd. Not because it’s the most powerful command here, it’s the opposite, it’s almost embarrassingly simple, but I’ve watched experienced people run rm -rf against the wrong folder because they were one cd off from where they thought they were. 

I still check where I am before doing anything destructive, every single time, and it’s saved me more than once. The rest of this list you’ll pick up naturally just by using it. That one’s worth making a habit on purpose.

Where to go from here

This Linux command cheat sheet covers what you’ll lean on daily, but the terminal has a lot more depth once you get into scripting, cron jobs, and shell pipelines. If you’re still building your foundation, our Cyber Security Roadmap 2026 lays out exactly where Linux fits into the bigger picture, and the TryHackMe Welcome Room walkthrough is a good next stop if you’d rather practice these commands in a real lab than just read about them.

Save this page. Next time you’re mid-walkthrough and blank on whether it’s chmod +x or chmod x+, you’ll know exactly where to look.

Mehmood Ali

I am a Cybersecurity Consultant with over 8+ years of experience in SOC analyst, digital forensics, cloud security, network security, and incident response. With 20+ international certifications, I have successfully designed secure systems, led vulnerability assessments, and delivered key security projects. I am skilled at improving incident response times, mitigating threats, and ensuring compliance with ISO 27001 standards.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button