A walkthrough of the HackTheBox machine 'Principal', a Linux box running a Java/Spring Boot web app that uses pac4j for JWT authentication. The exploit chain starts with CVE-2026-29000, a vulnerability in pac4j-jwt that allows forging encrypted JWTs (JWE) using only the server's RSA public key: signature verification is bypassed by wrapping a PlainJWT (alg: none) inside a JWE. This grants admin dashboard access, where credentials are found in the settings. Password spraying those credentials against SSH yields a shell as svc-deploy. Privilege escalation to root abuses access to an SSH certificate authority private key in /opt/principal/ssh, which allows a certificate to be signed for the root principal and used to SSH in as root.