Principal is a Linux box with a Java web application using pac4j for JWT authentication. I’ll exploit a vulnerability in pac4j-jwt that allows forging encrypted JWTs using only the server’s public RSA key, bypassing signature verification to access the admin dashboard. From there, I’ll find credentials in the settings and spray them against SSH to get a shell as svc-deploy. For root, I’ll abuse access to an SSH certificate authority private key to sign a certificate for the root principal and SSH in.

0xdf hacks stuff

A walkthrough of the HackTheBox machine 'Principal', a Linux box running a Java/Spring Boot web app using pac4j for JWT authentication. The exploit chain starts with CVE-2026-29000, a vulnerability in pac4j-jwt that allows forging encrypted JWTs (JWE) using only the server's RSA public key — bypassing signature verification by wrapping a PlainJWT (alg:none) inside a JWE. This grants admin dashboard access, where credentials are found in settings. Password spraying those credentials against SSH yields a shell as svc-deploy. Privilege escalation to root abuses access to an SSH certificate authority private key in /opt/principal/ssh, allowing signing a certificate for the root principal and SSHing in as root.

HTB: Principal