Linux Command Cheat Sheet (2026): Every Command You’ll Actually Use
Linux commands are text-based instructions you type into the terminal to interact with the operating system. Navigating files, managing processes, and controlling the system directly, without a GUI in the way.
They matter because most people learning security pick up the concepts fast. How attacks work, what to look for, how to think through a box, but slow down the moment they hit a terminal with no menu to click through. Knowing the commands through a linux command cheat sheet is what closes that gap.
So here’s the cheat sheet I wish I’d had when I started working through the TryHackMe CTF Writeups & Walkthrough Roadmap. Bookmark it, pin it next to your monitor, so you don’t forget it next time.

Navigation and file basics
These are the ones you’ll be typing on autopilot within a week of starting the TryHackMe Tutorial Room.
| Command | What it does |
| pwd | Print the current working directory |
| ls -la | List everything, including hidden files, with details |
| cd ~ | Go home |
| cd – | Jump back to wherever you just were |
| cp file1 file2 | Copy a file |
| cp -r folder1/ folder2/ | Copy a folder and everything inside it |
| mv file1 file2 | Move or rename a file |
| rm -rf folder/ | Delete a folder and everything inside it, no undo, so be sure |
| mkdir -p a/b/c | Create nested folders in one shot |
| touch newfile.txt | Create an empty file |
| cat file.txt | Dump a file’s contents to screen |
| less file.txt | Scroll through a big file without loading the whole thing |
| head -n 20 file.txt | First 20 lines |
| tail -f logfile.log | Watch a log file update live |
| tree | Show a directory as a visual tree (install it if it’s missing, worth it) |
Quick one: what’s the actual difference between cat and less? cat prints everything at once, which is fine for a short file but a mess for anything long. less lets you scroll, search, and quit without your terminal filling up with 4,000 lines of log output.
File permissions
This is where most beginners trip up, including plenty of people working through our TryHackMe Learning Cyber Security Room guide.
| Command | What it does |
| chmod 755 script.sh | Owner gets read/write/execute, everyone else gets read/execute |
| chmod +x script.sh | Make a file executable |
| chown user:group file | Change who owns a file |
| chown -R user:group folder/ | Change ownership recursively |
| ls -l | See permissions, owner, and group |
| umask | Check the default permissions new files get |
| stat file.txt | See detailed metadata: permissions, timestamps, inode |
The numbers: 4 is read, 2 is write, 1 is execute. Add them up per role (owner, group, everyone else). 755 breaks down to rwxr-xr-x.
And the difference between 755 and 777? 777 gives everyone full read/write/execute access, which is almost never what you actually want. It’s the permission equivalent of leaving your front door open with a note that says “come on in.” Stick to 755 or 644 unless you have a specific reason not to.
Searching and text processing
Half of enumeration, on a CTF box or a real engagement, is just grep, cut, and awk stitched together. If you’ve worked through Module 03: OSINT and Attack Surface Mapping, you’ve already used a few of these to filter through recon output.
| Command | What it does |
| grep -r “password” /var/www | Recursively search for a string in a directory |
| grep -i | Case-insensitive search |
| grep -v | Invert the match, show lines that don’t match |
| find / -name “*.conf” 2>/dev/null | Find files by name, hide the permission-error noise |
| find / -perm -4000 2>/dev/null | Find SUID binaries, a classic privilege escalation check |
| find / -mtime -1 2>/dev/null | Find files modified in the last 24 hours, useful during forensics |
| locate filename | Fast file search using a pre-built index |
| awk ‘{print $1}’ file | Print the first column of a file |
| sed ‘s/old/new/g’ file | Find and replace text in a file |
| cut -d: -f1 /etc/passwd | Pull the first field from a colon-separated file |
| sort file.txt | uniq -c | Count unique lines |
| wc -l file.txt | Count lines |
| diff file1 file2 | Compare two files line by line |
Process and system management
| Command | What it does |
| ps aux | List everything running |
| top / htop | Live CPU and memory usage |
| kill -9 PID | Force-kill a process |
| pkill processname | Kill a process by name instead of PID |
| systemctl status service | Check on a service |
| systemctl restart service | Restart it |
| systemctl enable service | Make a service start on boot |
| uptime | How long the system’s been up, and current load |
| df -h | Disk space, human-readable |
| du -sh folder/ | Size of one specific folder |
| free -h | RAM usage |
| journalctl -xe | Check recent system logs when something’s gone wrong |
Should you use top or htop? top is on every Linux box by default, so it’s worth knowing. htop is easier to read and lets you scroll and kill processes with arrow keys instead of memorizing PIDs. Install it if it’s not already there.
Networking
If you’ve been through any of our Advent of Cyber networking days, Day 19’s Modbus and Nmap walkthrough is a good example, most of these will feel familiar already. And if you’re connecting to labs regularly, our TryHackMe OpenVPN guide for Linux covers the VPN side of this in more detail.
| Command | What it does |
| ip a | Show network interfaces and IPs (the modern ifconfig) |
| ping -c 4 host | Send 4 pings and stop |
| curl -I https://site.com | Grab just the HTTP headers from a URL |
| wget url | Download a file |
| netstat -tulnp | Show listening ports and what’s using them |
| ss -tulnp | Faster, modern replacement for netstat |
| nmap -sV -p- target | Full port scan with service and version detection |
| nc -lvnp 4444 | Open a listening port with netcat, a staple for reverse shells |
| ssh user@host | Connect to a remote box |
| scp file user@host:/path | Copy a file over SSH |
| rsync -avz source/ user@host:/dest/ | Sync files over SSH, faster than scp for repeated transfers |
| traceroute host | See the network path to a host, hop by hop |
| dig domain.com | Query DNS records for a domain |
Full documentation for every flag on these, nmap especially since it has dozens, lives on man7.org’s online man pages, worth bookmarking right alongside this page.

User and group management
| Command | What it does |
| whoami | Who you’re logged in as |
| id | Your user ID, group ID, and group memberships |
| sudo -l | What you’re allowed to run as another user, check this first on any new box |
| useradd -m newuser | Create a user with a home directory |
| passwd username | Change a password |
| su – username | Switch to another user’s shell |
| groups username | See what groups a user belongs to |
| usermod -aG sudo username | Add a user to the sudo group |
Package management
Distro matters here. Debian/Ubuntu-based systems (including Kali) use apt; Red Hat-based ones use dnf or the older yum.
| Command | What it does |
| apt update && apt upgrade | Refresh package lists and upgrade installed packages |
| apt install package | Install a package |
| apt remove package | Remove a package |
| apt search keyword | Search for a package by name |
| dnf install package | Same idea, Red Hat/Fedora/CentOS |
| dpkg -l | List all installed packages (Debian-based) |
Redirection, pipes, and environment variables
This is the part that actually turns individual commands into something powerful and makes the linux command cheat sheet even more useful.
| Command | What it does |
| command > file.txt | Send output to a file, overwriting it |
| command >> file.txt | Append output to a file instead of overwriting |
| command < file.txt | Feed a file in as input instead of typing it |
| command 2> file.txt | Send just the error output to a file |
| command 2>&1 | Redirect error output along with standard output |
| command > /dev/null 2>&1 | Throw away all output, useful in scripts |
| command1 | command2 | Pipe the output of one command into another |
| echo $PATH | See your shell’s executable search path |
| export VAR=value | Set an environment variable for the current session |
| env | List all current environment variables |
| unset VAR | Remove an environment variable |
| source ~/.bashrc | Reload your shell config after editing it |
Checksums and file integrity
Useful for confirming a downloaded tool hasn’t been tampered with, and for the kind of file-integrity checks that come up in digital forensics work. If you’ve read our guide on recovering lost files with data carving tools, this pairs naturally with that.
| Command | What it does |
| md5sum file | Generate an MD5 hash of a file |
| sha256sum file | Generate a SHA-256 hash (stronger, more commonly used today) |
| sha256sum -c checksums.txt | Verify a file against a list of known-good hashes |
| cmp file1 file2 | Check whether two files are byte-for-byte identical |
Text editors: nano, vi, and vim
You’ll edit config files and scripts directly in the terminal constantly, so it’s worth knowing at least one of these properly.
nano is the easiest to start with. Ctrl+O saves, Ctrl+X exits, and the shortcuts are printed at the bottom of the screen so you’re never guessing.
vi and vim are more powerful once you know them, but they work in modes, which trips up almost everyone at first. The essentials:
| Key | What it does |
| i | Enter insert mode so you can actually type |
| Esc | Leave insert mode and go back to command mode |
| :w | Save |
| :q | Quit |
| :wq | Save and quit |
| :q! | Quit without saving, useful when you’ve made a mess |
| dd | Delete the current line |
| yy | Copy the current line |
| p | Paste |
| /searchterm | Search the file for text |
If you only remember one thing about vim, make it :q!. Everyone gets stuck in vim at least once wondering how to get out, and that’s the command that saves you.
Terminal multiplexing with tmux and screen
This one gets skipped in a lot of cheat sheets, but it matters more than people realize once you’re working over SSH regularly. If your connection drops mid-session (or you close your laptop lid without thinking), whatever you were running dies with it, unless it’s inside a tmux or screen session.
| Command | What it does |
| tmux new -s mysession | Start a new named tmux session |
| tmux attach -t mysession | Reattach to a session after disconnecting |
| tmux ls | List active sessions |
| Ctrl+B then D | Detach from tmux without killing it |
| screen -S mysession | Start a new named screen session (the older alternative to tmux) |
| screen -r | Resume a detached screen session |
Getting help without leaving the terminal
| Command | What it does |
| man command | Full manual page for a command |
| command –help | Quick summary of flags, faster than the full man page |
| whatis command | One-line description of what a command does |
| apropos keyword | Search man page descriptions for a keyword when you don’t know the exact command name |
| which command | Show the full path of the command that would run |
| type command | Show whether something is a built-in, alias, or actual binary |
Basic firewall and security commands
Pairs well with the password-recovery side of things too. If you’ve read our LaZagne password recovery guide, a lot of the same investigative mindset applies here.
| Command | What it does |
| ufw status | Check firewall status (Ubuntu’s simplified firewall) |
| ufw allow 22 | Allow traffic on a specific port |
| ufw deny 23 | Block a specific port |
| iptables -L | List current firewall rules (lower-level, more control) |
| last | Show recent login history |
| who | See who’s currently logged in |
| w | Like who, but with what each user is currently doing |
Archives and compression
| Command | What it does |
| tar -czvf archive.tar.gz folder/ | Compress a folder into .tar.gz |
| tar -xzvf archive.tar.gz | Extract it |
| zip -r archive.zip folder/ | Compress into .zip |
| unzip archive.zip | Extract it |
The shortcuts that save you the most time
- history \| grep ssh, search your command history instead of scrolling forever
- !!, repeat the last command (great when you forgot sudo)
- Ctrl+R, reverse-search your history interactively
- Ctrl+C, kill whatever’s currently running in the foreground
- Ctrl+Z then bg, pause a process and send it to the background
- Ctrl+A / Ctrl+E, jump to the start or end of the line you’re typing
- alias ll=’ls -la’, stop typing the same flags a hundred times a day
- man command, when you genuinely don’t know, this is still the fastest answer
Do you actually need to memorize all of this? No, nobody does, not even people who’ve been doing this for years. What sticks is the stuff you use daily; the rest you’ll look on the linux command cheat sheet or Google in the moment, and that’s completely normal.
And if you’re wondering whether these commands work the same on macOS, mostly yes, since it’s Unix-based too, but a handful of flags (especially on find and sed) behave differently, so don’t be surprised if something that works on Linux throws an error on a Mac.

My two cents
I’ve spent the better part of eight years moving between SOC work, digital forensics, and incident response, and if I had to pick one habit from this whole list, it’s pwd. Not because it’s the most powerful command here, it’s the opposite, it’s almost embarrassingly simple, but I’ve watched experienced people run rm -rf against the wrong folder because they were one cd off from where they thought they were.
I still check where I am before doing anything destructive, every single time, and it’s saved me more than once. The rest of this list you’ll pick up naturally just by using it. That one’s worth making a habit on purpose.
Where to go from here
This Linux command cheat sheet covers what you’ll lean on daily, but the terminal has a lot more depth once you get into scripting, cron jobs, and shell pipelines. If you’re still building your foundation, our Cyber Security Roadmap 2026 lays out exactly where Linux fits into the bigger picture, and the TryHackMe Welcome Room walkthrough is a good next stop if you’d rather practice these commands in a real lab than just read about them.
Save this page. Next time you’re mid-walkthrough and blank on whether it’s chmod +x or chmod x+, you’ll know exactly where to look.