Status: PASSED
Scenario: security / privilege_escalation_sudo_misconfig

Privilege Escalation via Sudo Misconfiguration

An attacker with a low-privilege shell exploits a misconfigured sudoers entry that allows NOPASSWD execution of a text editor (vim). The attacker uses vim's shell escape to gain root access on 4 production servers. The misconfiguration was deployed via Ansible to all servers in the 'webservers' group.

Pattern: UNKNOWN
Severity: CRITICAL
Confidence: 95%
Remediation: Remote Hands

Test Results

| Metric               | Expected      | Actual                                                       |
|----------------------|---------------|--------------------------------------------------------------|
| Pattern Recognition  | UNKNOWN       | UNKNOWN                                                      |
| Severity Assessment  | CRITICAL      | CRITICAL                                                     |
| Incident Correlation | Yes           | 42 linked                                                    |
| Cascade Escalation   | Yes           | Yes                                                          |
| Remediation          | Remote Hands  | Corax contacts on-site support via call, email, or API       |

Scenario Conditions

Sudoers entry: 'webadmin ALL=(ALL) NOPASSWD: /usr/bin/vim'. Deployed to 12 servers via Ansible. Attacker gained initial access via compromised web application. Privilege escalation to root on 4 servers. Webadmin user present on all 12 servers in webservers group.

Injected Error Messages (3)

Elastic SIEM: privilege escalation chain detected — user 'webadmin' executed 'sudo vim -c :!/bin/bash' on 4 production servers, shell escape from vim granting root access, sudoers misconfiguration allows NOPASSWD vim execution, MITRE ATT&CK: T1548.003 Abuse Elevation Control Mechanism: Sudo, auditd logs show root shell spawned from vim process tree, 12 servers in 'webservers' group have identical vulnerable sudoers entry
web-prod-01 root compromise confirmed — auditd event: uid=1001(webadmin) executed 'sudo vim' followed by shell escape to root, unauthorized root session active for 47 minutes, /etc/passwd modified (new account 'sysops' with UID 0), SSH authorized_keys backdoor planted in /root/.ssh/, iptables rules modified to allow inbound on port 8443, process 'kworker_update' running as root (cryptocurrency miner suspected)
web-prod-04 post-exploitation activity — root access via sudo vim shell escape at 04:12 UTC, attacker installed rootkit in /usr/lib/libsystem.so, system binary /usr/bin/ps replaced with trojanized version hiding attacker processes, crontab persistence: reverse shell every 5 minutes to 91.234.56.78:443, /var/log/auth.log partially wiped to cover tracks

Neural Engine Root Cause Analysis

This is a security incident, not a traditional IT operations failure. The SIEM system detected a privilege escalation attack where user 'webadmin' exploited a sudoers misconfiguration allowing NOPASSWD vim execution, then used vim's shell escape feature to gain root access on production servers. The SIEM itself may be overwhelmed processing this security event or potentially compromised as part of the attack, causing the monitoring failure.

Remediation Plan

1. Immediately isolate affected servers from the network to contain the potential breach
2. Revoke/disable the 'webadmin' user account across all systems
3. Remove vulnerable sudoers entries allowing NOPASSWD vim execution
4. Investigate SIEM accessibility: check whether the service is running, network connectivity, and potential compromise
5. Engage the security incident response team
6. Preserve forensic evidence from auditd logs
7. Perform a full security assessment of all servers in the 'webservers' group
8. Implement proper sudoers configuration following the principle of least privilege

Tested: 2026-03-30 | Monitors: 3 | Incidents: 3 | Test ID: cmncjwgiu05byobqe4y5fl6hd