Welcome back to another episode in our Linux Basics For Hackers series. If you’ve been following along (and I hope you have), you’ll remember that in our previous article, we started our journey of finding files in Linux using two brilliant little tools: which and locate.
In that part, we talked about how which is like asking, “Bro, where is this command kept?” and how locate is your phonebook, super fast, but a bit outdated if you don’t update it.
But what if you want full control over your search? Like Sherlock Holmes on a Linux machine, you need to search not just for filenames, but also for files owned by specific users, files of a particular type, or even take some action once you find them.
That’s where today’s star enters: the mighty find command.
- find – The Swiss Army Knife of File Hunting
- Narrow It Down: Search by User with -user
- Do Something When You Find It: -exec Flag
- Combining find with grep, xargs, and More
- Looking for Files by Type
- Bonus: Find Files Modified Recently
- Making It Practical — Example Use Cases for Hackers
- Real Talk – Why This Matters
- FAQs About the find Command in Linux
- Wrap-up
find – The Swiss Army Knife of File Hunting
If which is your compass and locate is your map, then find is your drone. It’s detailed, accurate, and works in real time. It doesn’t rely on a prebuilt database. It searches as it goes, and that gives us some serious power.
Let’s start simple:
find / -name passwd
This command will search from the root / directory for any file named exactly passwd. But brace yourself, it may take a while. Unlike locate, find actually walks through every directory, one by one.
Want something case-insensitive?
find / -iname passwd
Yep. Just add the i, and it stops being case-sensitive. Like grep -i, remember?
Narrow It Down: Search by User with -user
Sometimes during a pentest or CTF, you’re only interested in files owned by a particular user — say, apache or root.
find /var/www -user www-data
Boom. This lists all files under /var/www owned by www-data, which is often the user that the Apache web server runs as.
Want to make it even more targeted?
find /var/www -user www-data -name "*.php"
Now we’re talking — all PHP files owned by www-data. Handy for finding web shells, right?
Do Something When You Find It: -exec Flag
Here’s where find becomes pure magic.
Imagine you’ve found 50 suspicious .log files, and now you want to see which ones are actually readable text files (not binary junk). Enter: -exec
find /tmp -name "*.log" -exec file {} \;
Let’s break it down:
- -exec allows you to run a command on the results.
- {} is a placeholder for each file that find returns.
- \; ends the -exec part (yep, the backslash is needed to escape the semicolon).
So this command finds .log files and then runs the file command on each — which tells you what kind of file it is. Super useful!
Want to delete all .tmp files? Careful with this one:
find . -name "*.tmp" -exec rm -i {} \;
Always use -i (interactive) with rm until you’re 3000% sure. Don’t say I didn’t warn you 😬
Combining find with grep, xargs, and More
Okay, here’s a cool trick.
Let’s say you want to find all .conf files and then search for the word root inside them.
You could do:
find /etc -name "*.conf" | xargs grep root
What’s happening here?
- find returns a list of files
- xargs takes that list and turns it into arguments for grep
- grep root looks inside those files for the word root
You can even do it without xargs, like so:
find /etc -name "*.conf" -exec grep root {} \;
But xargs is usually faster because it batches the input. Efficient, no?
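One catch with the plain pipe: xargs splits its input on whitespace, so a file name containing a space reaches grep as two paths that don't exist, and the file is silently skipped. The script below is an added example, not from the original article. It builds a throwaway directory with constructed file names and compares the naive pipe with the two safe forms, -print0 | xargs -0 and find's own batching via -exec ... {} +.

```shell
#!/bin/sh
# Added example: constructed files in a temp directory; nothing under /etc is touched.

make_tree() {
    dir=$(mktemp -d)
    printf 'user = root\n'   > "$dir/plain.conf"
    printf 'owner = root\n'  > "$dir/with space.conf"   # name contains a space
    printf 'user = nobody\n' > "$dir/other.conf"
    printf '%s\n' "$dir"
}

# Naive form from the article: xargs splits names on whitespace,
# so "with space.conf" is never opened by grep.
naive_matches() {
    find "$1" -name "*.conf" | xargs grep -l root 2>/dev/null | wc -l
}

# Safe form 1: NUL-terminated names survive spaces and newlines.
print0_matches() {
    find "$1" -name "*.conf" -print0 | xargs -0 grep -l root | wc -l
}

# Safe form 2: -exec ... {} + batches arguments like xargs, without a pipe.
exec_plus_matches() {
    find "$1" -name "*.conf" -exec grep -l root {} + | wc -l
}

tree=$(make_tree)
printf 'naive pipe:      %s file(s) matched\n' "$(naive_matches "$tree")"
printf 'print0/xargs -0: %s file(s) matched\n' "$(print0_matches "$tree")"
printf 'exec ... {} +:   %s file(s) matched\n' "$(exec_plus_matches "$tree")"
rm -rf "$tree"
```

Two of the three files contain root, but the naive pipe only reports one of them.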
Looking for Files by Type
Sometimes you only want to find files, not directories. Or maybe only symbolic links.
Use the -type flag:
- -type f = regular file
- -type d = directory
- -type l = symlink
Example:
find /home -type f -name "*.sh"
This finds all .sh shell script files in /home and its subdirectories.
Bonus: Find Files Modified Recently
Here’s another juicy use-case. Want to find files modified in the last 2 days?
find /var/log -mtime -2
Want to find files accessed in the last hour?
find / -amin -60
Want files changed exactly 5 days ago?
find /etc -mtime 5
So many use-cases — from digital forensics to malware hunting.
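The -mtime numbers trip people up during triage because find counts age in whole 24-hour periods and throws away the fraction. The script below is an added example, not from the original article. It assumes GNU touch for the relative dates and uses constructed file names; it creates files of known ages and shows which ones each test matches.

```shell
#!/bin/sh
# Added example; relies on GNU touch -d for relative dates. File names are constructed.

make_aged_tree() {
    dir=$(mktemp -d)
    touch -d '1 hour ago'    "$dir/age_1h"
    touch -d '30 hours ago'  "$dir/age_30h"
    touch -d '121 hours ago' "$dir/age_5d1h"
    touch -d '140 hours ago' "$dir/age_5d20h"
    touch -d '168 hours ago' "$dir/age_7d"
    printf '%s\n' "$dir"
}

# Print the base names that match the given find tests, sorted, on one line.
names_matching() {
    dir=$1; shift
    find "$dir" -type f "$@" -exec basename {} \; |
        LC_ALL=C sort | tr '\n' ' ' | sed 's/ $//'
}

tree=$(make_aged_tree)
for expr in "-mtime -2" "-mtime 5" "-mtime +5"; do
    # $expr is left unquoted on purpose so it splits into option and argument
    printf '%s => %s\n' "$expr" "$(names_matching "$tree" $expr)"
done
rm -rf "$tree"
```

Note that age_5d20h is more than five days old yet -mtime +5 skips it: its age rounds down to 5, and +5 means strictly more than 5 whole days.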
Making It Practical — Example Use Cases for Hackers
Let’s stitch this all together:
Find all .php files in a web root owned by the Apache user:
find /var/www -user www-data -name "*.php"
Find files with SUID bit set — potential privilege escalation alert!
find / -perm -4000 2>/dev/null
Find recently added backdoors or web shells:
find /var/www -iname "*.php" -mtime -1
Find large suspicious files over 500MB:
find / -type f -size +500M 2>/dev/null
Yes, you can search by size too — +100k, -1G, and so on.
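A raw SUID listing is noisy because every distro ships a few dozen legitimate SUID binaries. What matters to a defender is what changed. The script below is an added example, not from the original article. It saves a sorted baseline and later prints only the SUID files that are new; the demo tree, file names and baseline path are constructed.

```shell
#!/bin/sh
# Added example: diff the SUID files under a directory against a known-good list.
# The demo tree, file names and baseline path are constructed.

# Sorted list of regular files with the SUID bit set (same -perm -4000 test as above).
# -xdev keeps find on one filesystem so it does not wander into other mounts.
suid_list() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | LC_ALL=C sort
}

# Print SUID files that exist now but are absent from the baseline file.
# comm -13 drops lines unique to the baseline and lines common to both.
new_suid() {
    suid_list "$1" | LC_ALL=C comm -13 "$2" -
}

# Constructed demo: one SUID file at baseline time, a second one appears later.
make_suid_demo() {
    dir=$(mktemp -d)
    mkdir "$dir/bin"
    : > "$dir/bin/known";   chmod 4755 "$dir/bin/known"
    : > "$dir/bin/regular"; chmod 0755 "$dir/bin/regular"
    suid_list "$dir/bin" > "$dir/baseline.txt"
    : > "$dir/bin/added";   chmod 4755 "$dir/bin/added"
    printf '%s\n' "$dir"
}

demo=$(make_suid_demo)
echo "New SUID files since baseline:"
new_suid "$demo/bin" "$demo/baseline.txt"
rm -rf "$demo"
```

On a real host you would run suid_list / once on a clean install, keep the output somewhere read-only, and compare against it on a schedule.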
Real Talk – Why This Matters
Remember our journey so far?
- In the previous article, we learned to locate known files quickly using which and locate
- In this article, we learned how to find files intelligently, with filters and real-time searches using find
- And in the next article, we’ll look into system information gathering — how to extract vital system stats, check hardware, users, running services… all the stuff a hacker needs to understand a system deeply.
Together, these tools form the foundation of being Linux-fluent.
Finding files is not just about organization — it’s about control. When you control what you can find, you control what you can access, modify, or investigate.
FAQs About the find Command in Linux
Q: What’s the difference between find and locate?
A: locate is fast but uses an old database. find is slower but does real-time searches with way more control.
Q: How can I delete files using find?
A: Use -exec rm {} \; or pair with xargs rm, but be extremely careful — maybe test with echo first.
Q: Can find search by file size?
A: Yes! Use -size, e.g., -size +100M to find files larger than 100MB.
Q: How do I find hidden files?
A: Use -name ".*" but remember it’ll match . and .. too, so filter wisely.
Q: Why is my find command returning permission denied errors?
A: Add 2>/dev/null to suppress those errors, or use sudo if needed.
Wrap-up
Linux is vast. It’s complex. But it’s also logical — like a well-structured puzzle.
And tools like find help you uncover its layers with precision. The more you practise, the more intuitive it gets. So open your terminal, try out these commands, and start thinking like a digital detective.
Next up in this journey: System Information — where we go beyond the file system and explore the machine itself.
Until then, stay sharp, stay curious… and maybe make yourself a nice coffee ☕.