📰 Originally published on SecurityElites — the canonical, fully-updated version of this article.
DAY 4 OF 100
100-Day Ethical Hacking Course
🔴 Day 4 — Linux File System for Hackers
When I first gained access to a Linux system during a penetration test, the first thing I did wasn’t run a fancy exploit. I typed ls / and looked at the directories. Because once you know where everything lives, the system tells you everything you need to know.
The Linux filesystem is not random. It follows a standard called the FHS (Filesystem Hierarchy Standard). Every directory has a specific purpose. Every sensitive file has a predictable location. Today you learn to read that map.
This lesson has two audiences and both of them are you — the student and the future professional. As a student, you need to navigate Kali comfortably and understand where your tools, configs, and files live. As a penetration tester, you need to know exactly where to look when you land on an unfamiliar Linux system. Same knowledge, two applications. Let’s build it.
📋 Day 4 Contents
- The FHS — Linux’s Master Plan
- The Root-Level Directories
- /etc — Configuration Files
- /home — User Directories
- /var — Logs & Variable Data
- /tmp — World-Writable Territory
- /proc — The Live System Window
- /usr, /bin, /sbin — Programs
- The Most Sensitive Files on Linux
- Day 4 Practical Task
The FHS — Linux’s Master Plan
Linux systems follow the Filesystem Hierarchy Standard (FHS), an agreed-upon structure that defines where different types of files should live. This is why a file you find in /etc behaves the same way on an Ubuntu server, a Kali VM, and a Raspberry Pi. The standard applies across almost all Linux distributions.
Everything in Linux starts at / — called “root” (not to be confused with the root user). It’s the top of the directory tree. Every single file on a Linux system — regardless of what physical disk or partition it’s on — exists somewhere under /. There are no drive letters like Windows. One tree. Everything in it.
Linux Filesystem Tree — run: tree -L 1 /
/
├── etc ← System configuration files
├── home ← User home directories
├── var ← Logs, databases, mail, web data
├── tmp ← Temporary files — world-writable
├── proc ← Virtual filesystem — live kernel data
├── usr ← User programs, libraries, docs
├── bin ← Essential binaries (ls, cp, cat…)
├── sbin ← System binaries (for root/admin)
├── lib ← Shared libraries for /bin and /sbin
├── root ← Home directory for root user
├── dev ← Device files (disks, terminals, etc.)
├── mnt ← Mount points for external drives
├── opt ← Optional/third-party software
├── boot ← Bootloader, kernel images
└── sys ← Virtual filesystem — hardware info
Colour guide: red = critical config | green = user data | yellow = logs/variable | purple = world-writable | blue = live kernel data
Root-Level Directories — What Each One Does
Before we go deep into the most important directories, here is a clean reference for every root-level folder. I want you to understand the purpose of each one — not memorise the tree, but know instinctively where to look for any type of file.
| Directory | Purpose | Security Relevance |
|---|---|---|
| /etc | System-wide configuration files | 🔴 Highest — credentials, users, services |
| /home | User home folders (/home/username) | 🟡 High — SSH keys, browser data, files |
| /var | Variable data — logs, databases, web | 🟡 High — logs reveal activity, web files |
| /tmp | Temporary files — world-writable | 🟣 Medium — tool upload staging area |
| /proc | Live kernel/process data (virtual) | 🔵 Medium — enumerate processes, network |
| /root | Home directory of the root user | 🔴 Critical — root’s files, history, keys |
| /usr | User programs and libraries | 🔘 Low — installed tools, exploits here |
| /bin | Essential user binaries (ls, cat, cp) | 🔘 Low — SUID check on these |
| /sbin | System admin binaries (root tools) | 🔘 Low — check for unusual binaries |
| /dev | Device files (disks, terminals, null) | 🔘 Low — /dev/null, /dev/random useful |
| /boot | Kernel and bootloader files | 🔘 Low — kernel version fingerprinting |
| /opt | Optional third-party software | 🔘 Low — sometimes holds custom apps |
/etc Configuration Files — The Brain of the System
/etc stands for “et cetera” historically, but in practice it means system configuration. Almost every service, program, and system setting on a Linux machine is controlled by a plain text file somewhere in /etc. This is the first directory I check on any new system — it tells me everything about what’s running and how it’s configured.
Critical files in /etc — explore these in your Kali VM
```
# User accounts — who exists on this system?
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
kali:x:1000:1000:Kali:/home/kali:/bin/bash
# Format: username:password(x):UID:GID:comment:home:shell
# "x" means password is in /etc/shadow

# Password hashes — ROOT ACCESS REQUIRED
sudo cat /etc/shadow
root:$6$xyz…:19000:0:99999:7:::
# Format: username:hash:last_change:min:max:warn:…
# $6$ = SHA-512 hash — if you capture this, you can crack it offline

# Groups — who belongs to which group?
cat /etc/group
sudo:x:27:kali ← kali user is in the sudo group (admin access)

# Hostname resolution — local DNS overrides
cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
# Attackers sometimes modify /etc/hosts to redirect traffic

# Scheduled tasks running as root
cat /etc/crontab
ls /etc/cron.d/
ls /etc/cron.daily/
# Every script here runs automatically — check for writable scripts!

# SSH server configuration
cat /etc/ssh/sshd_config
PermitRootLogin yes ← This is a serious misconfiguration
PasswordAuthentication yes ← Allows password brute force

# Network interfaces — static IP configuration
cat /etc/network/interfaces
cat /etc/resolv.conf # DNS servers configured
```
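The findings the listing above calls out (unexpected accounts in /etc/passwd, the two sshd_config settings, writable cron scripts) can be checked with a read-only audit script. This is an added example, not part of the original article; the function names and the sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: read-only checks for the /etc findings called out above.
# Function names are this example's own; paths are arguments so the checks
# can run against copies of the files as well as the live system.

# passwd: extra UID 0 accounts, empty password fields, hashes left in passwd.
audit_passwd() {
  awk -F: '
    $3 == 0 && $1 != "root" { print "uid0:" $1 }
    $2 == ""                { print "empty-password:" $1 }
    $2 ~ /^\$/              { print "hash-in-passwd:" $1 }
  ' "$1"
}

# sshd_config: explicit "yes" for the two settings flagged above. Only the
# global section (before any Match block) is read, and the first occurrence
# of a keyword wins, as in sshd itself.
audit_sshd() {
  awk '
    /^[ \t]*(#|$)/          { next }
    tolower($1) == "match"  { exit }
    { k = tolower($1); v = tolower($2) }
    seen[k]++               { next }
    (k == "permitrootlogin" || k == "passwordauthentication") && v == "yes" { print k "=yes" }
  ' "$1"
}

# cron: scripts that group or others can modify (they run automatically).
audit_cron_writable() {
  find "$@" -type f \( -perm -020 -o -perm -002 \) 2>/dev/null | sort
}

# Constructed sample input (not taken from any real host).
demo=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'kali:x:1000:1000:Kali:/home/kali:/bin/bash' \
  'svc:x:0:0:backup:/srv:/bin/sh' 'old:$6$xyz:1001:1001::/home/old:/bin/bash' > "$demo/passwd"
printf '%s\n' '# constructed' 'PermitRootLogin yes' 'PasswordAuthentication no' \
  'PasswordAuthentication yes' 'Match User deploy' '  PermitRootLogin yes' > "$demo/sshd_config"
mkdir "$demo/cron.d"
touch "$demo/cron.d/backup" "$demo/cron.d/rotate"
chmod 644 "$demo/cron.d/backup"; chmod 666 "$demo/cron.d/rotate"

audit_passwd "$demo/passwd"
audit_sshd "$demo/sshd_config"
audit_cron_writable "$demo/cron.d"
```

On a live host the same functions take `/etc/passwd`, `/etc/ssh/sshd_config`, and `/etc/crontab /etc/cron.d /etc/cron.daily` as arguments. `sshd -T`, run as root, prints the effective server configuration, which also covers defaults and included files that this parser does not read.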