Originally published on SecurityElites, the canonical, fully-updated version of this article.
DAY 4 OF 100
100-Day Ethical Hacking Course
Day 4: Linux File System for Hackers
When I first gained access to a Linux system during a penetration test, the first thing I did wasn't run a fancy exploit. I typed ls / and looked at the directories. Because once you know where everything lives, the system tells you everything you need to know.
The Linux filesystem is not random. It follows a standard called the FHS (Filesystem Hierarchy Standard). Every directory has a specific purpose. Every sensitive file has a predictable location. Today you learn to read that map.
This lesson has two audiences and both of them are you: the student and the future professional. As a student, you need to navigate Kali comfortably and understand where your tools, configs, and files live. As a penetration tester, you need to know exactly where to look when you land on an unfamiliar Linux system. Same knowledge, two applications. Let's build it.
Day 4 Contents
- The FHS: Linux's Master Plan
- The Root-Level Directories
- /etc: Configuration Files
- /home: User Directories
- /var: Logs & Variable Data
- /tmp: World-Writable Territory
- /proc: The Live System Window
- /usr, /bin, /sbin: Programs
- The Most Sensitive Files on Linux
- Day 4 Practical Task
The FHS: Linux's Master Plan
Linux systems follow the Filesystem Hierarchy Standard (FHS), an agreed-upon structure that defines where different types of files should live. This is why /etc plays the same role on an Ubuntu server, a Kali VM, and a Raspberry Pi. The standard applies across almost all Linux distributions.
Everything in Linux starts at /, called "root" (not to be confused with the root user). It's the top of the directory tree. Every single file on a Linux system, regardless of what physical disk or partition it's on, exists somewhere under /. There are no drive letters like Windows. One tree. Everything in it.
Linux Filesystem Tree (run: tree -L 1 /)

```
/
├── etc     System configuration files
├── home    User home directories
├── var     Logs, databases, mail, web data
├── tmp     Temporary files, world-writable
├── proc    Virtual filesystem: live kernel data
├── usr     User programs, libraries, docs
├── bin     Essential binaries (ls, cp, cat…)
├── sbin    System binaries (for root/admin)
├── lib     Shared libraries for /bin and /sbin
├── root    Home directory for root user
├── dev     Device files (disks, terminals, etc.)
├── mnt     Mount points for external drives
├── opt     Optional/third-party software
├── boot    Bootloader, kernel images
└── sys     Virtual filesystem: hardware info
```
Root-Level Directories: What Each One Does
Before we go deep into the most important directories, here is a clean reference for every root-level folder. I want you to understand the purpose of each one: not memorise the tree, but know instinctively where to look for any type of file.
| Directory | Purpose | Security Relevance |
|-----------|---------|--------------------|
| /etc | System-wide configuration files | 🔴 Highest: credentials, users, services |
| /home | User home folders (/home/username) | 🟡 High: SSH keys, browser data, files |
| /var | Variable data: logs, databases, web | 🟡 High: logs reveal activity, web files |
| /tmp | Temporary files, world-writable | 🟣 Medium: tool upload staging area |
| /proc | Live kernel/process data (virtual) | 🔵 Medium: enumerate processes, network |
| /root | Home directory of the root user | 🔴 Critical: root's files, history, keys |
| /usr | User programs and libraries | 🟠 Low: installed tools, exploits here |
| /bin | Essential user binaries (ls, cat, cp) | 🟠 Low: SUID check on these |
| /sbin | System admin binaries (root tools) | 🟠 Low: check for unusual binaries |
| /dev | Device files (disks, terminals, null) | 🟠 Low: /dev/null, /dev/random useful |
| /boot | Kernel and bootloader files | 🟠 Low: kernel version fingerprinting |
| /opt | Optional third-party software | 🟠 Low: sometimes holds custom apps |
/etc Configuration Files: The Brain of the System
/etc stands for "et cetera" historically, but in practice it means system configuration. Almost every service, program, and system setting on a Linux machine is controlled by a plain text file somewhere in /etc. This is the first directory I check on any new system: it tells me everything about what's running and how it's configured.
Critical files in /etc (explore these in your Kali VM)

```
# User accounts: who exists on this system?
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
kali:x:1000:1000:Kali:/home/kali:/bin/bash
# Format: username:password(x):UID:GID:comment:home:shell
# "x" means password is in /etc/shadow

# Password hashes: ROOT ACCESS REQUIRED
sudo cat /etc/shadow
root:$6$xyz…:19000:0:99999:7:::
# Format: username:hash:last_change:min:max:warn:…
# $6$ = SHA-512 hash. If you capture this, you can crack it offline

# Groups: who belongs to which group?
cat /etc/group
sudo:x:27:kali    # kali user is in the sudo group (admin access)

# Hostname resolution: local DNS overrides
cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
# Attackers sometimes modify /etc/hosts to redirect traffic

# Scheduled tasks running as root
cat /etc/crontab
ls /etc/cron.d/
ls /etc/cron.daily/
# Every script here runs automatically. Check for writable scripts!

# SSH server configuration
cat /etc/ssh/sshd_config
PermitRootLogin yes           # This is a serious misconfiguration
PasswordAuthentication yes    # Allows password brute force

# Network interfaces: static IP configuration
cat /etc/network/interfaces
cat /etc/resolv.conf # DNS servers configured
```
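The checks walked through above, collected into one defensive audit function (an added example, not code from the original article). The function names `audit_etc` and `make_sample`, the finding labels, and the sample tree are assumptions constructed for illustration; the sshd check reads only the top-level sshd_config and ignores Include and Match blocks.

```bash
#!/usr/bin/env bash
# Added example: defensive audit of the /etc files covered above.
# audit_etc takes a root prefix so it can run on a sample tree ("" = live system).

audit_etc() {
    local root="${1:-}"
    # /etc/passwd fields: username:password(x):UID:GID:comment:home:shell
    awk -F: '$3 == 0 && $1 != "root" { print "UID0_EXTRA " $1 }
             $2 == ""                { print "EMPTY_PASSWORD_FIELD " $1 }' "$root/etc/passwd"
    # /etc/group fields: group:password:GID:members
    awk -F: '$1 == "sudo" && $4 != "" { print "SUDO_MEMBERS " $4 }' "$root/etc/group"
    # sshd_config: keywords are case-insensitive and the first value set wins
    awk 'tolower($1) == "permitrootlogin" && !r++ && tolower($2) == "yes" { print "SSH_ROOT_LOGIN" }
         tolower($1) == "passwordauthentication" && !p++ && tolower($2) == "yes" { print "SSH_PASSWORD_AUTH" }' \
        "$root/etc/ssh/sshd_config"
    # cron files that group or others can write to
    find "$root/etc/crontab" "$root/etc/cron.d" "$root/etc/cron.daily" \
         -type f \( -perm -020 -o -perm -002 \) 2>/dev/null | sed "s|^$root|CRON_WRITABLE |"
}

# Constructed sample tree (not taken from a real host) so the audit runs offline.
make_sample() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh" "$d/etc/cron.d" "$d/etc/cron.daily"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'kali:x:1000:1000:Kali:/home/kali:/bin/bash' \
                  'svc:x:0:0:service:/srv:/bin/sh' > "$d/etc/passwd"
    printf '%s\n' 'root:x:0:' 'sudo:x:27:kali' > "$d/etc/group"
    printf '%s\n' '#PermitRootLogin prohibit-password' 'PermitRootLogin yes' \
                  'PasswordAuthentication no' > "$d/etc/ssh/sshd_config"
    : > "$d/etc/crontab";       chmod 644 "$d/etc/crontab"
    : > "$d/etc/cron.d/backup"; chmod 666 "$d/etc/cron.d/backup"
    echo "$d"
}

sample=$(make_sample)
audit_etc "$sample"
rm -rf "$sample"
```

On a live host, run `audit_etc ""` as root, and compare the SSH findings against `sshd -T`, which prints the effective configuration including defaults.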
This article was originally written and published by the SecurityElites team.