webProhard

Lab 354 — VaultAPI — JWT Authentication Bypass via JWE-Wrapped PlainJWT

hackadvisor

Task: Enterprise API management platform using JWE-encrypted JWT tokens (RSA-OAEP-256 + A256GCM wrapping RS256-signed JWTs) with pac4j-jwt library, goal is privilege escalation to admin. Solution: Exploit CVE-2026-29000 in pac4j-jwt — wrap a PlainJWT (alg:none) with admin claims and correct issuer inside JWE encrypted with the server's public key from JWKS, bypassing signature verification entirely.

$ ls tags/ techniques/

jwt authentication_bypass java none_algorithm token_forgery privilege_escalation decoy_flag spring_boot rsa_oaep jwks anti_bot_trap jwe pac4j cve_2026_29000 plaintext_jwt

decoy_flag_identificationcve_2026_29000_pac4j_plainjwt_bypassjwe_encryption_with_jwks_public_keyjwt_alg_none_signature_bypassprivilege_escalation_via_forged_claims

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 350 — VaultKeeper— hackadvisor
[web][Pro]Lab 114 — APIForge — JWT JKU Header Injection for Privilege Escalation— hackadvisor
[web][Pro]Lab 288 — VaultPay — 2FA Bypass via Pre-Authentication JWT— hackadvisor
[web][Pro]Lab 12 — NewsGrid — JWT Algorithm Confusion— hackadvisor
[web][Pro]Lab 262 — PulseBoard — JWT Signature Bypass via Google Sign-In— hackadvisor