HackTheBox - Principal

IppSec
Mar 14, 2026

Why It Matters

A single null‑check oversight can let attackers forge admin tokens and gain root, highlighting the urgent need for strict JWT validation and protected SSH CAs in production environments.

Key Takeaways

  • CVE‑2024‑XXXX in JJWT allows unsigned JWT validation to bypass authentication
  • SSH service accepts signed keys from unprotected CA, enabling root login
  • Attacker crafts 'none' algorithm JWT using public JWKS endpoint
  • Exploiting JWT flaw grants admin role, revealing service account passwords
  • Lesson: never trust unsigned tokens; enforce strict algorithm validation

Summary

The HackTheBox "Principal" machine centers on a freshly disclosed CVE‑2024‑XXXX in the JJWT Java library, which mistakenly skips signature verification when a JWT’s signature field is null. Combined with an SSH daemon that trusts keys signed by an unprotected certificate authority, the box offers a textbook chain of privilege‑escalation exploits.

The vulnerability stems from a null‑check that returns early instead of validating the JWT signature, allowing an attacker to submit a token with "alg":"none" and forge any claims. By querying the public JWKS endpoint, the researcher extracts the RSA public key, crafts a token with admin privileges, and injects it via session storage. The forged token bypasses the login API, reveals a service‑account password, and, thanks to the lax SSH CA, grants root SSH access.

Key moments include the observation that "algorithm set to none" is usually unrealistic, yet the library’s bug makes it viable, and the developer’s comment that the null check prevents a server crash but opens a security hole. The exploit script demonstrates building the JWT manually, adjusting the "role" claim to "RO_admin", and using the token to access the dashboard and extract credentials.
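As an added illustration (not code from the video, JJWT or pac4j), the faulty null‑check early return beside a strict verifier. To stay self‑contained it uses HS256 with a constructed secret rather than the box's RSA/JWKS setup; the claim values and the "user" role are assumed.

```python
import base64, hashlib, hmac, json
from typing import Optional

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")

def encode_token(claims: dict, key: bytes) -> str:
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_vulnerable(token: str, key: bytes) -> Optional[dict]:
    """Mirrors the bug: an empty signature returns early and the claims are trusted."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    if not sig_b64:            # the faulty null-check: "nothing to verify"...
        return claims          # ...so unsigned claims are accepted as-is
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return claims if hmac.compare_digest(expected, b64url_decode(sig_b64)) else None

def verify_hardened(token: str, key: bytes) -> Optional[dict]:
    """Reject malformed tokens, missing signatures and any non-allow-listed alg."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        return None            # three non-empty segments or nothing
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None            # "none" (or any other alg) never passes
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))

KEY = b"constructed-demo-secret"   # constructed sample key, not from the box

def demo() -> dict:
    good = encode_token({"sub": "alice", "role": "user"}, KEY)
    # constructed unsigned token: header claims alg none, signature segment empty
    hdr = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps({"sub": "alice", "role": "RO_admin"}).encode())
    forged = f"{hdr}.{body}."
    return {"good_vulnerable": verify_vulnerable(good, KEY),
            "good_hardened": verify_hardened(good, KEY),
            "forged_vulnerable": verify_vulnerable(forged, KEY),
            "forged_hardened": verify_hardened(forged, KEY)}
```

The vulnerable verifier hands back the RO_admin claims for the unsigned token, while the hardened one rejects it before any signature math runs.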

The case underscores the critical need for strict JWT validation—rejecting "none" algorithms outright—and for securing SSH CA private keys. Organizations running Java web services must audit their JWT handling logic and ensure certificate authorities are properly locked down to prevent similar privilege‑escalation pathways.

Original Description

00:00 - Introduction
00:55 - Start of nmap
02:50 - Looking at the Javascript, which has a lot of information about the webapp
03:10 - Looking at the pac4j jwt vulnerability (CVE-2026-29000)
05:30 - Looking for the JKS (RSA Public Key), going into the javascript and seeing there is an /api/auth/jwks endpoint
06:50 - Start of creating our python to create a forged JWE Token
15:00 - Troubleshooting our token, it isn't valid yet
18:30 - Crafted a valid token, now it is saying we have an invalid role, looking at the javascript to get the correct information
20:30 - Logged into the application, discovering a credential that lets us SSH into the box
22:30 - Poking at the source of the java app, finding more passwords but doesn't really help us
24:20 - Discovering a CA Private Key, with a note saying it's valid for SSH, looking at SSH's config
25:50 - Generating an SSH Key, then signing it with the CA giving us the principal of "root" and logging in
28:30 - Little bit of extra information about SSH Key Signing, the AuthorizedPrincipalsFile
