HackTheBox - Principal

IppSec · Beginner ·🔧 Backend Engineering ·3mo ago

Key Takeaways

The video demonstrates a cybersecurity challenge on HackTheBox, specifically the Principal box, using tools like nmap, python, and SSH, and exploiting vulnerabilities like pac4j jwt (CVE-2026-29000) to gain root access.

Full Transcript

What's going on YouTube? This is IPSC and today we'll be doing principle from hack the box which the main focus is a 10.0 CVE that came out last week within the Java library pack for JWT. Essentially there's a bug that allows for an unsigned JWT to pass validation. I found this pretty interesting as normally when I see the JT algorithm set to none, I find it unrealistic as you just didn't see this happening in the real world. At least I didn't. However, there's a weird bug within this library which actually makes it completely realistic and pretty cool. It probably went undetected for so long because it's buried in the JSON web encrypted token. So you have to go out of your way to set algorithm to none. Anyways, there's more that makes it interesting, but we'll talk about that in just a minute. Once we get into the website, you gain SSH credentials that get you onto the box. And looking at the SSH service configuration, you see it's uh configured to accept signed keys and the CA was left unprotected. So you can just sign a key and login as root. So with that being said, let's jump in. As always, we're going to start off with an end map. So - sc for default scripts, SV enumerate versions vv for double verb boost. This gives us things like the TTL OA upput all formats in the end map directory and call it principle and then the IP address of 101294.42. This can take some time to run, so I've already ran it. Looking at the results, we just have two ports open. The first one is SSH on port 22, and the banner tells us it's an Ubuntu server. We also have HTTP open on port 8080. It's running Jetty which is common in Java web applications. And we have some end mapap scripts running. We have the title that says principal internal platform login. It requested login. We have jetty here. See some more headers. Xpowered by pack 4J JWT 603. Now this isn't a common header. I think it's I added it for this challenge. Um this box is a newsworthy box. I built it around this exploit which is a recent CVE, but we'll dig into that in just a little bit. So let's go ahead and take a look at the web page. So I'm going to go to http 101294.42 port 8080 and we get the login page. So we see it's powered by pack 4j. Uh this is version 1220. If we try to log in so I'm going to do admin password and then let's go over and turn intercept on. Click sign in. Go over to burpuite. We can see it is requesting a API. So a lot of times I will just go to like slappi docs and things like that to see if we get any type of swagger information or things like that. I don't know if it's common in Java applications, but it's still something that's like worth a try, right? If we go to slash API, we need a bearer token. Um let's try docs. Still unauthorized. So nothing here. Uh we could look at the page source to see what it is built with. And one of the things I always like doing is looking at JavaScript because a lot of times they do leak sensitive information. And here we have some um extra endpoints the application can query that will become um important later on and especially like the structure of a JWT token. But let's go ahead and um go back and look at this library. Right. If we do pack 4J, I'm just going to go to Google and let's do pack 4j. Um, it's even trying to complete it to say JBT 603 because a lot of people were talking about this relatively recently. We go to this blog post with the CVE. They will talk a little bit about it. Um, essentially there is a somewhat odd but common mistake made where it's not going to validate the signature of the JWT. It's using JWE which I think is just a encrypted JWT. Um I don't think there's really anything special about it. However, here we see this sign JWT is not null. And then if it's not null, it goes and verifies it. But if we don't supply a signature, this whole step gets skipped and the verify never happens and it still creates the JWT profile. And you may be wondering like why this type of mistake happens. Um, a lot of times developers will do um, null checks before they do something because if this check wasn't here and then it got down to where it actually used the sign JWT right here, we would pass a null pointer into this config supports and that would probably cause a null pointer error which causes the application to crash. And depending how it's configured, that could take the whole web server down because it may just not auto restart. If it's in a thread, it may just recover gracefully. But if it's not in a thread, part of the main process, um, Tomcat could crash, right? So, null pointer checks are normally always tested. There should be a here, and that just says return signature um, not supplied. But because that's not here, if we craft a JWE token and just don't supply a signature, we'll pass validation and be able to forge anything we want. So, let's go ahead and start creating this um, token. So, I'm going to do touch exploit.py. Actually, we'll do touchcraft jWE.py and then open up Visual Studio Code and start writing this exploit, right? Um, I guess the first thing we'll have to do before we can even get to exploit is find where the um RSA key is going to be. So, sometimes it's in a well-known directory. Does it even say here wellknown? Yeah. Sometimes the JWKS is going to be in well-known jwks.json. We could try requesting that to see if it comes back. Uh we get a error message. We could try like robots.ext see if it's in there. It's not. But if we did look at the endpoints, we see there is an API to get the JWKS. So this is another way that it's commonly stored. And if we request this, we get the data here. And this is essentially just like the RSA public key used to encrypt JWTs. It can't decrypt them. It just can only encrypt and that's how clients use it. So let's go ahead and start this out. I'm going to let's copy this. I'll copy the slash. There we go. And go into our p u script. Uh let's just close that out. Close that. Let's do import requests. And I also want to import cis. So I can do um target is equal to cis.orgv one and URL it's not going to be API v1 it's going to be api o j jwks. So let's now do a response is equal to request.get and the URL um I'm going to call this JWKS URL. And there we go. JWKS URL. There's that. And then let's see. JKS data is equal to response.json. And let's just print this out to make sure we um have this right. So print f like that. There we go. Let's go here. Python 3 craft. Uh we have to do http 101294.42 I think it was. Uh port 8080. Uh let's see. CIS argv one. Oh, we specified HTTP here. Let's get rid of that. This makes it easier. There we go. And we get the JWB uh KS data. So, what we want to do now is grab the key. And it's only got one key here. So, I just want to grab the very first item here. So, I'm going to call this um key data. And we can say JWKs data. And I'm just going to do key zero like that. And we could also test it with key data like this. Okay. So let's see. Now we want to get the um public key out of this. So public key is equal to and I'm going to import um JWK I think we can do JBK JWK and give it key data. I think that is right. And if you're wondering how I did this the um first time I generally used AI and it guided me along the way. Uh we have to make this module JBK or not make it pull it. So Python 3 um - MVM.vm VM let's create this directory source VM bin activate and then pip 3 install request JWK and that's all we need right now is it just request uh we don't do a comma oh it's JW crypto not JWK JW crypto And this is from and we'll import JWK. There we go. That's the library could not match the version JW crypto. There we go. Yep, that's what I have. Okay, so we have installed request in JW crypto. That took longer than I wanted it to, but oh well. Uh, Python 3. Don't want to create the VM again list out of range. There we go. So now we have the public key so we can sign something that we create. Um, I'm going to create the JWT manually. And the main reason I'm doing that is because we're going to specify the algorithm to none. And I've had weird issues where just libraries nowadays never like us being able to do this. So I'm going to create a function real quick called create JWT segment and give it payload. And then we're just going to return. We got a B 64 encrypt something. Not encrypt um encode. So do import B 64 and let's just do B 64 URL safe encode payload encrypt and decode. That looks right. Um JDT tokens never have equal signs. So that's why we're doing a strip there. So now we can start creating this um thing. So, I'm going to do now is equal to um the time because we want to say when the JWT was created. I don't know if we actually have to do this, but it's in every single token I ever see. So, I always like adding it. So, let's do the header and we're going to call it create JWT segment. And all we want to do is um let's see I guess we can do it this way. algorithm none like that, right? That looks fine. We print header. This should just give me a string, right? Yep. So, this is just going to be the first part of the JWT that says there is no um signing algorithm because we have to pass that to be um null. So now we can do the payload. And that's going to be like this. And I'm going to leave it like this. This is going to um be a mistake because we actually have to specify additional information. If we read the JavaScript, we'd see it. But we're just going to leave this here so we can play with how to um debug it. Right? So now if I run this uh print we have to print this. This is the JWT, right? We just have the algorithm, the data, and then this would be the signature. We don't have anything here. So that's where um it's a null pointer. That is where is it? Right here. Um, so because we don't have a signature, we have just now um made a null pointer there. That probably was just confusing, but oh well. I hope it makes sense at the end. So now we have to create the JWE token. So from this JW crypto library, I'm going to call JWE. And what we want to do is uh JWE token is equal to JWE. And I'm going to put this on lines so it's easier for me to read protected algorithm. Okay, I think this is mostly right. we have to figure out is how the server is expecting it to be signed or the encryption algorithm. I don't know if we need this, but if we looked at the documentation, um they're encrypted with RSA OEP 256 and AS128 GCM. So, let's specify that actually. So, we can do this and then that. And I think we also need to add the kid. So we can say kid like that. Does this have anything? Let's see. We'll see if this works. I may be missing one field, but we will see. So let's just do a print on this. Um we'll say token is equal print like this. Send it. And now we have our token. So if we send this to the server, theoretically we should be able to log in. Now we have to figure out exactly how login are happening. If we looked at the um JavaScript, we can see it goes in session storage get item off token. So we could just try to do this. So if I go here, let's do storage session storage and we will create O. Oops, I hit enter too soon. oc token give it this value and I'm going to send this through burpuite. So let's just go burp on. I'm going to request dashboard and we get kicked back. So let's look at the request and burp to see if we get anything. So we go to this login dashboard and we just get unauthorized invalid or expired token and then we hit login and we come back. Um, it's not too much we can determine from this other than like a token was bad. One thing I like doing is just testing against the API directly because you may get different error messages and generally API error messages are more verbose than the front end. And we can see there's like a slappi users endpoint. So that's going to be the one I test against real quick. So let's just go here. We can request API users. Send it. We need a bearer token. So let's do authorization bearer. And then we got to grab that JWT. So we can grab this and invalid or expired token. So that's still the same error message we are getting. Um, let's see. We have algorithm wonder if we have if this piece is wrong. Let's see. I want to try something real quick. Protected is equal to JSON.dumps. We do it this way. We have to import JSON. Uh, something did not like it. I don't think we closed that out. There we go. Let's go ahead and run this again. Still unauthorized or expired token. I wonder if I'm doing something stupid. Like maybe this is B 64ing and putting a B before it. Let's go take a look at exactly what that looks like. So I'm going to grab this and let's just make sure it is what we expect. That looks fine. We have the like B 64 padding error, but that I mean is expected because we got rid of the equal signs. And that looks fine. I was expecting maybe see like a B and then the string, but this looks perfectly normal. Um, we calculated the expiration I think correctly 1075. Yep, that is 30,000 seconds ahead. Let's see. So, we get this JWT token. We do the Oh, we don't have the header there. Let's do JWT token like that. That is probably going to be it. Let's go ahead and craft it again and we will send this in. Okay, there we go. We have admin role required to access user management. Error forbidden. So, we have to figure out exactly what the admin role is. And that is where the um JavaScript source does help us. We don't have to like guess at anything because we have RO. It says one of RO admin, manager or user. We probably want to put RO admin. So, let's go back into our thing and let's see. I'm going to change this. I don't like doing like the raw strings there. Um, let's just make this a little bit better while we're here. Uh, let's do JSON.dumps like that. Subadmin. Now that looks much better. And then was it roll like this? I think that's all we need. Let's make this again. Copy. And we will put this in. And there we go. We have successfully authenticated against the endpoint. So now let's go back to our browser. And then I want to go into session storage because that's where it said it stored data. We're going to add then we'll change this to oc token. Put in the value. And now I'm going to make a request to dashboard and we get the page. So we can see there's a maintenance window SHCA rotation. So they use um SSH certificate um authority some failed login attempts. We have service deploy as a user. Let's see. We go to users. This is the endpoint we probably hit. We can see Sarah is admin. um service account for automated deployments. If we go into settings, we can see there is a encryption key which is deploy S sh now for um to um exclamation point. So let's go ahead and uh v password.txt put this in and I'm also going to go to user. We could run net exec and copy a list of all these users, but chances are um it's going to be a service account password. So, let's do um sh service deploy uh cat passwords, I guess. SSH service deploy at 10129 uh 4.42 I think was the IP address. And let's copy this. paste the password in and we get logged in. Awesome. So, the first thing I always do when I SSH as a user is check for pseudo rules. We don't have anything. And then whenever I exploit a web service, I normally try to go for the database to see if I can get other users passwords here. We're not seeing any MySQL or any database listening. So, let's go um take a look at the source, right? So, I'm going to do a PSF forest. I'm going to look for the Java process. And we can see it's running an opt principle. So if we go to op principle then we have a few directories we could go into it looks like app and ssh uh potentially ssh are we a member of deployers we are but I'm going to start with app because that's where the application's running and if I try to go into data we get permission denied uh we do have the source of the Java app it's left behind on the server so we can look at all the files here and the first thing I notice is data cedar And this is generally um a file I'd look at whenever I have source code because seed when you see the database you're just adding all the defaults. So we can see when the Java app starts up it's going to try to add all these users. So we can see admin and then it's going to add the password of this. So that's admin's password. Um service deploy we have no login service account. J Thompson we get a password. So, I would probably grab all of these passwords and then try to brute force a way in to see if there's any password reuse. Um, I'm also kind of curious where the database is stored. So, um, if we go into probably resources, right? Do we have one? Let's see. Find.gap-i setting. No. Okay. source main resources and then application.properties. That's the file I was looking for. We can see the H2 database is going to be stored in opt principle app data. So, we didn't have access to this directory. So, that's why we didn't find the database. And we can see the username is principal. And then we have the database password. But all this stuff doesn't really get us anything. It's just things I would check when I um exploit a server. So, let's go back to that op directory and go in principle. And we couldn't go in deploy, but we could go in SSH. If we look there, there is a um CA file. There is a readme that is just saying it is the key pair for SSH certificate automation. And this will likely let us um sign an SSH key and log in. Now, the only issue is um going to be if we can SSH as root. So, I'm going to go in the Etsy directory. Let's go SSH and let's see there is a backup file but it does oh we can read it. So what is in this um don't know gp-v and then gp dot it just looks like a basic backup. Um let's go into sh dconfigd. We can see a unique um file there 60dprincipal.com and we see enables public key password um we disable root login with the password and we have a trusted certificate um authority keys file and that's going over to this CA.pub. So this is pointing to where we can actually um sh like an authorized key thing so we can like limit who can use this but there's no limits on it. So as long as we um compromise the certificate authority which as long as we can read that private key then we can create keys as anyone. Um so let's do lsla and it looks like yes we can we are a member member of deployers so we can read that CA file. So let's see if we have any SSH keys created for us. So we'll do lsla and then look in our home directory. We don't. So let's just create a SSH key. So I'll do SH key gen. And I always like the format ed25519. That's just because it makes a really small key. And then I'm going to call it slashtemp slash um please subscribe. Uh we won't do a passphrase. So now we have an SSH key and temp. And we have to now sign the key. So I'll do sh key gen-help. And right off the top it looks like dash capital I the ticket identity dash S is going to be where the certificate authority key is. And then we can give it a principle which is going to be who this key is for. Right. So let's go ahead and do a SSH key genen- s. I'm going to do opt principal ssh ca. Um the identity this does not matter. Um the principle I'm going to give it as root and then uh we need -ashv for validity interval how long this key is good for. I'm going to give it 1 hour and then where that key is stored. So that's temp please subscribe.pub. There we go. So we have the key. We gave it the ID does not matter and it's valid from that time. So let's go into temp. I'm gonna do sh-ash i and then we can do um or key root at 127001 accept and we get logged in. Awesome. So that worked because the key has the principle of root. So when the server um views it, it says oh this key is valid for root and then lets us log in. Right? If this certificate I think if we just move this let's just move it to home and try to use this. It doesn't work right because we don't have that CA signing our key that says it is valid. So I'm going to move this back so we can move please subscribe back over to temp. So the key is valid. Let's just double check that. Awesome. Um let's see. I also I want to get a second SSH session. So let's do cat password and let's do a sh service deploy at 101294.42. Log in. And then let's just make sure this key works still. I know it does. There we go. So what I want to do is create a um a list of principles that can use this key. Right? So, let's do that by going to the sh config. So, etsy shdconfig.d, right? Yep. And then let's edit this principal.com. And we're going to give it the authorized principles file. And then I'm going to give it etsy sh principles and then percent you. And this is going to be the username. Right? So if I just save this and I'm going to make the Etsy sh principles and let's do a systemct ctl restart sh and I try shing again it asks me for a password and that is because um it tries to read the file principles root to get into the root user. This doesn't exist so there's no principle assigned to this key. If we put root here, save it. This now lets us in. We could put something that doesn't matter. So let's say IPSAC deployers test and let's try SSH again. It doesn't work. And that's because the key has the principal root assigned to it, not one of these three. So if we did an SH key genen sign principal shca uh again this field doesn't matter we just need it. Let's give it the principal IPSAC is going to be valid for one hour and we'll give it please subscribe.pub. There we go. So now we have signed that and we can log in and that's because our certificate is signed with um IPSAC right let's see if we can show this real quick um let's see how do we view this is the pub is this just SSL data that is not um is it sh key genen maybe dash capital L. No, what is it? I think we may need also a - F. It's not a certificate. Please subscribe-sert.pub. There we go. So, we can see the principal is IPSAC here. So, now the certificate lets us log in to any account that has IPSSE as their principal. And I think this is just a cool way to manage SSH authentication because it allows us to create temporary SSH keys. So if someone wants to access a server, I can say, "Hey, for this day, yes, you can have access to it." And then it automatically gets revoked. So it's not dependent on me for getting it. And also it lets us um create SSH keys that are valid for um multiple accounts and multiple places. You can do a lot of other configuration. If you want to learn more about SSH certificate authentication, check out the box resource by oxdf where a lot of it is dependent on these type of configurations. So that's gonna be the box. Hope you guys take uh enjoyed it. Take care. I will see you all next

Original Description

00:00 - Introduction 00:55 - Start of nmap 02:50 - Looking at the Javascript, which a lot of information about the webapp 03:10 - Looking at the pac4j jwt vulnerability (CVE-2026-29000) 05:30 - Looking for the JKS (RSA Public Key), going into the javascript and seeing there is an /api/auth/jwks endpoint 06:50 - Start of creating our python to create a forged JWE Token 15:00 - Troubleshooting our token, it isn't valid yet 18:30 - Crafted a valid token, now it is saying we have an invalid role, looking at the javascript to get the correct information 20:30 - Logged into the application, discovering a credential that lets us SSH into the box 22:30 - Poking at the source of the java app, finding more passwords but doesn't really help us 24:20 - Discovering a CA Private Key, with a note saying its valid for SSH, looking at SSH's config 25:50 - Generating a SSH Key, then signing it with the CA giving us the principal of "root" and logging in 28:30 - Little bit of extra information about SSH Key Signing, the AuthorizedPrincipalsFile
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →
1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
2 HackTheBox - October
HackTheBox - October
IppSec
3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
5 HackTheBox - Bank
HackTheBox - Bank
IppSec
6 HackTheBox - Joker
HackTheBox - Joker
IppSec
7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
8 Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
9 HackTheBox - Devel
HackTheBox - Devel
IppSec
10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
14 HackTheBox - Charon
HackTheBox - Charon
IppSec
15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
17 HackTheBox - Europa
HackTheBox - Europa
IppSec
18 Introduction to tmux
Introduction to tmux
IppSec
19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
21 HackTheBox - Jail
HackTheBox - Jail
IppSec
22 HackTheBox - Blue
HackTheBox - Blue
IppSec
23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
27 HackTheBox - Mantis
HackTheBox - Mantis
IppSec
28 HackTheBox - Node
HackTheBox - Node
IppSec
29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
30 HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
31 HackTheBox - Sense
HackTheBox - Sense
IppSec
32 HackTheBox - Minion
HackTheBox - Minion
IppSec
33 VulnHub - Sokar
VulnHub - Sokar
IppSec
34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
35 HackTheBox - Inception
HackTheBox - Inception
IppSec
36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
40 HackTheBox - Tally
HackTheBox - Tally
IppSec
41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
45 How To Create Empire Modules
How To Create Empire Modules
IppSec
46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
47 HackTheBox - Nightmarev2  - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
48 HackTheBox - Bart
HackTheBox - Bart
IppSec
49 HackTheBox -  Aragog
HackTheBox - Aragog
IppSec
50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
51 HackTheBox - Silo
HackTheBox - Silo
IppSec
52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
54 HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
55 HackTheBox - Poison
HackTheBox - Poison
IppSec
56 HackTheBox - Canape
HackTheBox - Canape
IppSec
57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
60 HackTheBox - Bounty
HackTheBox - Bounty
IppSec

This video teaches viewers how to exploit vulnerabilities in web applications and gain root access using tools like nmap, python, and SSH. The challenge is set in the context of the HackTheBox Principal box, and the video demonstrates how to use pac4j jwt vulnerability (CVE-2026-29000) to forge a JWE Token and gain access to the application.

Key Takeaways
  1. Conduct network reconnaissance using nmap
  2. Look for vulnerabilities in the web application's javascript code
  3. Exploit the pac4j jwt vulnerability (CVE-2026-29000) to forge a JWE Token
  4. Use the forged token to gain access to the application
  5. Discover and exploit additional vulnerabilities to gain root access
💡 The pac4j jwt vulnerability (CVE-2026-29000) can be exploited to forge a JWE Token and gain access to the application, and SSH Key Signing can be used to gain root access.

Related Reads

Chapters (13)

Introduction
0:55 Start of nmap
2:50 Looking at the Javascript, which a lot of information about the webapp
3:10 Looking at the pac4j jwt vulnerability (CVE-2026-29000)
5:30 Looking for the JKS (RSA Public Key), going into the javascript and seeing the
6:50 Start of creating our python to create a forged JWE Token
15:00 Troubleshooting our token, it isn't valid yet
18:30 Crafted a valid token, now it is saying we have an invalid role, looking at th
20:30 Logged into the application, discovering a credential that lets us SSH into th
22:30 Poking at the source of the java app, finding more passwords but doesn't reall
24:20 Discovering a CA Private Key, with a note saying its valid for SSH, looking at
25:50 Generating a SSH Key, then signing it with the CA giving us the principal of "
28:30 Little bit of extra information about SSH Key Signing, the AuthorizedPrincipal
Up next
Indian Express Editorial Analysis by Chandan Sharma - 1 JULY 2026 | UPSC Current Affairs 2026
StudyIQ IAS
Watch →