Misconfigured RSA
Oops i did it again!
Attachments
Recon
As is typical in RSA challenges, we are provided with a file containing the ciphertext, along with the RSA parameters N and E:
n = 148900953097814724338206947679223698832179691968218755697733749707084556942286184505525791780949441847197006147827388400754499224336852575956050210608024912280019773833889546324355353746095214275985515374968532505153145975517881297436944244066461866248895871696012367810254055557824874852294865749524482337551
e = 65537
c = 107217087223013352864419426588613439434708031699522027786711684217439431898186052583896596846379575153070982123347045493427454234913154021933229641985591412104222934496019950746514726800406326146713516918611779367873873294259462206805554572977819244626333164240237423211396727885901436510649294574529712562954
Factoring N using FactorDB reveals that it is actually a prime number, rather than a composite of two primes p and q, as required by RSA. This flaw makes the system trivially vulnerable, since we can directly compute φ(n) as n - 1 without needing to factor N.
Exploitation
To solve the challenge, we can use the following simple script:
from Crypto.Util.number import long_to_bytes, inverse
n = 148900953097814724338206947679223698832179691968218755697733749707084556942286184505525791780949441847197006147827388400754499224336852575956050210608024912280019773833889546324355353746095214275985515374968532505153145975517881297436944244066461866248895871696012367810254055557824874852294865749524482337551
e = 65537
c = 107217087223013352864419426588613439434708031699522027786711684217439431898186052583896596846379575153070982123347045493427454234913154021933229641985591412104222934496019950746514726800406326146713516918611779367873873294259462206805554572977819244626333164240237423211396727885901436510649294574529712562954
phi = n - 1
d = inverse(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m))
Flag capture
Let’s run the script to obtain the flag:
$ python extract_flag.py
v1t{f3rm4t_l1ttl3_duck}