Linux Filesystem
Filesystem Hierarchy
Everything branches from / (root). The structure follows the Filesystem Hierarchy Standard (FHS) on most distros.
| Directory | Purpose | Notable contents |
|---|---|---|
| / | Root of the filesystem | Everything lives under here |
| /etc | System configuration files | passwd, shadow, ssh/, crontab, hosts, fstab |
| /var | Variable data (logs, caches, spools) | log/, www/, mail/, tmp/ |
| /tmp | Temporary files (world-writable, cleared on reboot) | Scratch space for scripts, exploits, uploads |
| /home | User home directories | ~/.ssh/, ~/.bashrc, ~/.bash_history |
| /root | Root user’s home directory | Often has .bash_history, configs |
| /opt | Optional/third-party software | Manually installed apps |
| /usr | User binaries and libraries | bin/, sbin/, lib/, share/, local/ |
| /bin | Essential user commands | ls, cp, cat, grep (often symlinked to /usr/bin) |
| /sbin | Essential system commands | iptables, fdisk, mount (often symlinked to /usr/sbin) |
| /dev | Device files | null, zero, random, sda, tty |
| /proc | Virtual filesystem — process and kernel info | cpuinfo, meminfo, version, [PID]/ |
| /sys | Virtual filesystem — hardware/driver info | Kernel parameters, device attributes |
| /boot | Bootloader and kernel images | vmlinuz, grub/ |
| /mnt | Temporary mount points | Manual mounts |
| /media | Removable media mount points | USB drives, CDs |
| /srv | Service data | Web server roots, FTP data |
| /run | Runtime data since last boot | PID files, sockets |
Directories Worth Knowing for Recon / CTF
/etc — configuration goldmine
```bash
cat /etc/passwd            # User accounts (readable by all)
cat /etc/shadow            # Password hashes (root only)
cat /etc/group             # Groups and members
cat /etc/hostname          # Machine name
cat /etc/hosts             # Static hostname mappings
cat /etc/resolv.conf       # DNS servers
cat /etc/crontab           # System cron jobs
ls -la /etc/cron.*         # Cron directories
cat /etc/ssh/sshd_config   # SSH server config
cat /etc/fstab             # Filesystem mounts (may reveal NFS shares)
```
/var — logs and runtime data
```bash
ls /var/log/          # System logs
ls /var/www/          # Web server files (if web hosting)
ls /var/spool/cron/   # Per-user crontabs
ls /var/mail/         # User mailboxes
ls /var/backups/      # Backup files
```
/tmp and /dev/shm — world-writable scratch space
```bash
ls -la /tmp/       # Temp files — writable by anyone
ls -la /dev/shm/   # Shared memory — tmpfs, writable, in RAM
```
Both are useful for staging files during exploitation. /dev/shm is in memory (fast, no disk writes).
/proc — live system info
```bash
cat /proc/version        # Kernel version
cat /proc/cpuinfo        # CPU info
cat /proc/meminfo        # Memory info
cat /proc/net/tcp        # Active TCP connections (hex-encoded)
ls /proc/[0-9]*/         # Running processes
cat /proc/self/environ   # Current process environment variables
cat /proc/self/cmdline   # Current process command line
```
/home — user artifacts
```bash
ls -la /home/*/                   # All user home dirs
cat /home/*/.bashrc               # Shell configs
cat /home/*/.bash_history         # Command history
ls -la /home/*/.ssh/              # SSH keys
cat /home/*/.ssh/authorized_keys  # Public keys allowed to log in
```
Quick Filesystem Commands
```bash
df -h              # Disk usage by filesystem
du -sh /var/log/   # Size of a directory
mount              # Show mounted filesystems
lsblk              # Block devices
findmnt            # Show mount tree
```
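The `/proc/net/tcp` entry in the /proc list is marked hex-encoded. The Python sketch below is an added example, not part of the original page: it decodes the IPv4 rows into readable addresses, ports and states. The `SAMPLE` rows are constructed, and the function names are hypothetical.

```python
import socket
import struct
import sys

# TCP state codes from the kernel's include/net/tcp_states.h
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
    "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
    "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
    "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample in /proc/net/tcp layout (not captured from a real host)
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20001 1 0000000000000000 100 0 0 10 0
   1: 0A00A8C0:0016 6400A8C0:D431 01 00000000:00000000 02:000A1B2C 00000000     0        0 20002 2 0000000000000000 20 4 30 10 -1
"""


def decode_endpoint(field, byteorder=sys.byteorder):
    """Turn 'HEXADDR:HEXPORT' into (dotted_ip, port)."""
    addr_hex, port_hex = field.split(":")
    # The address is printed as a native 32-bit integer, so it looks
    # byte-reversed on little-endian hosts; the port is plain hex.
    fmt = "<I" if byteorder == "little" else ">I"
    ip = socket.inet_ntoa(struct.pack(fmt, int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text, byteorder=sys.byteorder):
    """Return one dict per IPv4 socket row."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue  # blank or truncated line
        local = "%s:%d" % decode_endpoint(fields[1], byteorder)
        remote = "%s:%d" % decode_endpoint(fields[2], byteorder)
        state = TCP_STATES.get(fields[3], "UNKNOWN(%s)" % fields[3])
        rows.append({"local": local, "remote": remote, "state": state,
                     "uid": int(fields[7]), "inode": int(fields[9])})
    return rows


if __name__ == "__main__":
    # On a Linux host, pass open("/proc/net/tcp").read() and drop "little"
    for row in parse_proc_net_tcp(SAMPLE, "little"):
        print(row["state"], row["local"], "->", row["remote"], "uid", row["uid"])
```

IPv6 sockets are listed separately in `/proc/net/tcp6` with 128-bit addresses, which this sketch does not handle.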