For this challenge we get Python source code which is running on the server.
from Crypto.Util.number import *
import os
flag = bytes_to_long(b"wgmy{REDACTED}")
p = getStrongPrime(1024)
q = getStrongPrime(1024)
e = 0x557
n = p*q
phi = (p-1)*(q-1)
d = inverse(e,phi)
while True:
print("Choose an option below")
print("=======================")
print("1. Encrypt a message")
print("2. Decrypt a message")
print("3. Print encrypted flag")
print("4. Print flag")
print("5. Exit")
try:
option = input("Enter option: ")
if option == "1":
m = bytes_to_long(input("Enter message to encrypt: ").encode())
print(f"Encrypted message: {pow(m,e,n)}")
elif option == "2":
c = int(input("Enter ciphertext to decrypt: "))
if c % pow(flag,e,n) == 0 or flag % pow(c,d,n) == 0:
print("HACKER ALERT!!")
break
print(f"Decrypted message: {pow(c,d,n)}")
elif option == "3":
print(f"Encrypted flag: {pow(flag,e,n)}")
elif option == "4":
print("Revealing flag: ")
revealFlag()
elif option == "5":
print("Bye!!")
break
except Exception as e:
print("HACKER ALERT!!")
It implements classic RSA, with an encryption and decryption oracle. However, the decryption oracle imposes the following restrictions on the ciphertext: we cannot have c % pow(flag,e,n) == 0 or flag % pow(c,d,n) == 0
Background: In normal RSA decryption, the encrypted message is c=me, and decryption works because cd=(me)d=med=m since d = pow(e, -1, phi) (i.e. d is the inverse of e mod phi).
The first problem is that we do not even have the value of the modulus n. We can get it by encrypting two distinct plaintexts, say m1 and m2. Then our ciphertexts will be m1e(modn) and m2e(modn), which can also be expressed as m1e−k1n and m2e−k2n for some non-negative k1 and k2. Since we know m1e and m2e we can then obtain −k1n and −k2n, and taking the GCD of those will most likely give us n.
We can bypass the check by asking for the decryption of a value which is not c, but the decrypted plaintext allows us to find m easily. Once such example is c−1. The decryption would give us (c−1)d=c−d=(me)−d=m−ed=m−1. By taking the inverse of the decrypted plaintext we can get the flag. However it is worth noting that this solution may sometimes fail due to c not having an inverse mod n.