Some of these I hit face-first in a lab session. Others I thought I understood, until I had to explain them out loud and realized I actually didn't.
Here's a taste of what's covered:
Netcat is just a pipe. It wires your terminal's stdin/stdout to a socket. Everything else (shells, file transfers) is a consequence of that one primitive. Once you get that, broken shells start making sense.
The MTU trap. nmap finds open ports. VPN is up. curl hangs forever. It's almost always MTU: large packets get silently fragmented and dropped through the tunnel while small nmap probes squeeze through just fine. One command fixes it.
SUID isn't magic. It runs the binary as the file's owner, not you. The design is intentional and scoped. The abuse happens when flexible Unix utilities run as root and nobody told them not to spawn a shell.
dash vs bash. LinPEAS turns your terminal red with sed errors and you assume the target is cursed. It's not. /bin/sh points to dash on minimal systems. One word fixes it: bash.
Shell stabilisation, actually explained. Why Ctrl+C kills your shell, why vim renders broken, and why socat is ranked best but nobody actually uses it.
The full post includes deeper explanations for all of the above, plus two interactive quizzes to test whether you actually understood it or just read it.
👉 Read the full post on niklas-heringer.com
The full post on my blog includes two interactive quizzes to test your depth. Check it out here if you want the complete rundown.
Here's a taste:
The MTU Trap
This one is sneaky because everything looks like it's working.
nmap finds open ports. VPN is connected. But curl just hangs forever.
MTU (Maximum Transmission Unit) is the largest packet a network interface sends in one piece. Your VPN tunnel has overhead — it wraps packets in its own headers, shrinking the effective MTU of tun0 below the standard 1500 bytes. Large packets get fragmented. On many paths, fragmented packets get silently dropped.
nmap probes are tiny. HTTP responses are large. That's why nmap works and curl doesn't.
Confirming it
# "don't fragment" flag — if this times out, MTU mismatch confirmed
ping -c3 -M do -s 1400 <target-ip>
Fix
sudo ip link set dev tun0 mtu 1200
curl -v --max-time 10 http://<target-ip>/
Still hanging? Go lower: mtu 1000.
Making it persistent
The fix dies when VPN reconnects. Add to your .ovpn:
mssfix 1200
tun-mtu 1200
tun-mtu sets the interface MTU. mssfix clamps TCP segment size at the handshake so both sides agree before data flows. You want both.
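The manual ping-then-guess loop above can be scripted. The following is an added example, not code from the original post: it binary-searches the largest DF-flagged ICMP payload that crosses the tunnel, converts it to a path MTU (payload + 20-byte IPv4 header + 8-byte ICMP header), and prints the ip link and .ovpn lines to apply. It assumes Linux iputils ping (-M do sets the don't-fragment bit) and iproute2; ping_df, find_max_payload, payload_to_mtu and the tun0 default are names chosen here, and the 1472 upper bound is the payload that fills a standard 1500-byte frame.

```shell
#!/bin/sh
# Added example (not part of the original post). Assumes iputils ping and iproute2.

# Hypothetical wrapper: one DF-flagged ping of $2 payload bytes to $1.
# Returns 0 only if it came back, i.e. nothing on the path had to fragment it.
ping_df() {
    ping -c 1 -W 1 -M do -s "$2" "$1" >/dev/null 2>&1
}

# Binary search for the largest payload that still gets through.
# Echoes the payload size; echoes 0 and returns 1 if even a 64-byte probe fails.
find_max_payload() {
    target=$1
    hi=${2:-1472}      # 1472 + 28 header bytes = 1500, the usual upper bound
    if ! ping_df "$target" 64; then
        echo 0
        return 1
    fi
    lo=64              # invariant: lo is known to work, hi may or may not
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(((lo + hi) / 2))
        if ping_df "$target" "$mid"; then lo=$mid; else hi=$mid; fi
    done
    # hi is never probed by the loop itself, so check it once at the end
    if ping_df "$target" "$hi"; then lo=$hi; fi
    echo "$lo"
}

# Path MTU = ICMP payload + 20 (IPv4 header) + 8 (ICMP echo header).
payload_to_mtu() {
    echo $(($1 + 28))
}

# Print the measured MTU and the commands the post uses to apply and persist it.
main() {
    target=$1
    dev=${2:-tun0}
    payload=$(find_max_payload "$target") || {
        echo "no reply from $target even at 64 bytes; check routing first" >&2
        return 1
    }
    mtu=$(payload_to_mtu "$payload")
    echo "largest unfragmented payload: $payload bytes -> path MTU $mtu"
    echo "apply now:        sudo ip link set dev $dev mtu $mtu"
    echo "persist in .ovpn: tun-mtu $mtu"
    echo "                  mssfix $mtu"
}

# Usage: ./mtuprobe.sh <target-ip> [tun-device]
if [ $# -gt 0 ]; then
    main "$@"
fi
```

If the measured value is noticeably below 1200, set the lower value rather than the post's rule-of-thumb 1200; the script reports whatever the path actually allows. Probing a large host list this way is slow (one ping per step), so run it once against a host you know answers ICMP and reuse the result for the tunnel.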
When LinPEAS Turns Your Terminal Red
Not the good kind of red.
You transfer LinPEAS, run it, and your terminal explodes with sed errors — twenty times. Everything looks broken. You start questioning your life choices.
It's not the target. It's dash.
Many minimal Linux systems symlink /bin/sh to dash instead of bash. LinPEAS calls GNU sed with -E internally, which dash's environment can't handle.
The fix is one word:
bash linpeas.sh -a | tee linpeas.out
Explicitly invoking bash overrides whatever /bin/sh would have done. You'll still see a few stray errors if the target's sed is ancient — ignore them, the results are valid.
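To see in advance whether a script is going to fall over under dash, the following added example (not from the original post or from LinPEAS) reports what /bin/sh resolves to and greps a script for the bash-only constructs that dash rejects or silently mishandles, then says which interpreter to launch it with. The function names sh_target, sh_is_dash, find_bashisms and launcher_for are chosen here, and the pattern list is illustrative rather than complete.

```shell
#!/bin/sh
# Added example (not part of the original post). POSIX sh, so it runs under dash too.

# What /bin/sh actually is on this host (dash on Debian/Ubuntu minimal images).
sh_target() {
    readlink -f /bin/sh 2>/dev/null || echo /bin/sh
}

# Return 0 if /bin/sh is dash.
sh_is_dash() {
    case "$(sh_target)" in
        *dash) return 0 ;;
        *)     return 1 ;;
    esac
}

# Print "line:text" for each line of $1 that uses a common bashism.
# Returns 0 when at least one was found (grep's own status).
#   [[ ]]            extended test, a syntax error in dash
#   ${v//a/b} ${v,,} pattern substitution / case conversion, "bad substitution"
#   <<<  &>          here-strings and combined redirection
#   function name    bash function keyword
#   name=( ... )     arrays
#   echo -e / -n     dash's echo prints the flag literally
#   declare/typeset  bash builtins
find_bashisms() {
    grep -nE \
        -e '\[\[' \
        -e '\$\{[A-Za-z_][A-Za-z0-9_]*(//|,,|\^\^)' \
        -e '<<<' \
        -e '&>' \
        -e '^[[:space:]]*function[[:space:]]+[A-Za-z_]' \
        -e '[A-Za-z_][A-Za-z0-9_]*=\(' \
        -e 'echo[[:space:]]+-[en]' \
        -e '^[[:space:]]*(declare|typeset)[[:space:]]' \
        "$1"
}

# Interpreter to launch $1 with: bash if it contains bashisms, sh otherwise.
launcher_for() {
    if find_bashisms "$1" >/dev/null 2>&1; then echo bash; else echo sh; fi
}

# Usage: ./shcheck.sh linpeas.sh
if [ $# -gt 0 ]; then
    echo "/bin/sh -> $(sh_target)"
    if sh_is_dash; then echo "dash detected: bash-only syntax will break under sh"; fi
    if find_bashisms "$1"; then
        echo "run it as:  $(launcher_for "$1") $1"
    else
        echo "no bashisms found; sh $1 should be fine"
    fi
fi
```

On a target that is already a bare sh shell, running `bash linpeas.sh` as the post suggests is still the simplest answer; this check just tells you before the screen turns red why it was going to.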
That's the first batch. There's a lot more where this came from, including two interactive quizzes covering all of the above — over on my blog: niklas-heringer.com/skills-lab/linux-lab-pitfalls
If this series is useful, follow along — more lab survival posts coming.