There are a variety of Linux rootkits in the wild, however, after testing upwards of 15 none come close to Reptile. Created by the GitHub user f0rb1dd3n, it is a formidable foe. In this guide, we will install, configure, exploit, and uninstall Reptile.
The installation process requires two machines, one to serve as the attack box, and the second as the victim machine. Both are running Debian 10 Kernel 4.19.208–1 For this I chose to use Linode, which is a top-rated VPS provider:
After provisioning your VPS’s we are ready to begin. First, start by updating and upgrading both VPS’s. Once that is complete ensure git and make are installed on both machines as well.
apt upgrade -y
apt install git
apt install make
For this demo, my attack box hostname will be attack and it will have an IP address of:
22.214.171.124 #attack box IP address
The victim machine will have a hostname of victim and an IP address of:
126.96.36.199 #victim box IP address
We will conduct the initial configuration on both machines as to not have to repeat steps later. Start by installing the dependencies based on your architecture.
Note: Because of the (uname -r) command substitution there is no reason to look up your architecture.
Run the below command on both machines:
apt install build-essential libncurses-dev linux-headers-$(uname -r)
Once that is completed clone into the repository on both machines, and then ‘cd’ into the main repository directory:
git clone https://github.com/f0rb1dd3n/Reptile.git
Once you have cloned and changed directories these are the files you should see on each machine:
At this point, we are ready to generate the config file for reptile. This is the crucial moment as the confirmation files you create on the victim and attack machine must have the same options set. If you change options from the defaults ensure you do it on both machines!