Quick write-up because this first part of the RSA challenges at BKP this year was trivial. Writing up mostly as a way to show how automation can help you a lot when solving CTF challenges. Even on the level of Boston Key Party which, as I re-remembered this week, is a pretty damn hard CTF.

The clue states that we will have 5 ciphertexts and 10 potential public keys for which they have been encrypted. Our job is to decrypt just 3 of these ciphertexts to recover our plaintext! Here’s the file in question.

So a file containing key’s sounds like a suspect for some nice attacks. Let’s extract it and see what we’re working with.

root@kali:~/bkp/rsabuffet# tar xf rsa-buffet.tar.bz2 
root@kali:~/bkp/rsabuffet# ls -la
total 92
drwxr-xr-x  2 root root     4096 Feb 27 23:17 .
drwxr-xr-x 11 root root     4096 Feb 27 23:17 ..
-rw-r--r--  1 1000 inetsim  1139 Feb 25 09:19 ciphertext-1.bin
-rw-r--r--  1 1000 inetsim  1139 Feb 25 09:19 ciphertext-2.bin
-rw-r--r--  1 1000 inetsim  1139 Feb 25 09:19 ciphertext-3.bin
-rw-r--r--  1 1000 inetsim  1140 Feb 25 09:19 ciphertext-4.bin
-rw-r--r--  1 1000 inetsim  1139 Feb 25 09:19 ciphertext-5.bin
-rw-r--r--  1 1000 inetsim  1993 Feb 25 09:13 encrypt.py
-rw-r--r--  1 1000 inetsim   498 Feb 25 09:13 generate-plaintexts.py
-rw-r--r--  1 1000 inetsim   800 Feb 25 09:19 key-0.pem
-rw-r--r--  1 1000 inetsim   800 Feb 25 09:19 key-1.pem
-rw-r--r--  1 1000 inetsim   800 Feb 25 09:19 key-2.pem
-rw-r--r--  1 1000 inetsim  1491 Feb 25 09:19 key-3.pem
-rw-r--r--  1 1000 inetsim   800 Feb 25 09:19 key-4.pem
-rw-r--r--  1 1000 inetsim   800 Feb 25 09:19 key-5.pem
-rw-r--r--  1 1000 inetsim   800 Feb 25 09:19 key-6.pem
-rw-r--r--  1 1000 inetsim   800 Feb 25 09:19 key-7.pem
-rw-r--r--  1 1000 inetsim   800 Feb 25 09:19 key-8.pem
-rw-r--r--  1 1000 inetsim   800 Feb 25 09:19 key-9.pem
-rwxr--r--  1 root root    14842 Feb 27 23:17 rsa-buffet.tar.bz2

If we examine just the file size of the keys (*.pem files) we see one standout – key-3.pem is larger than the others. Let’s check it out.

root@kali:~/bkp/rsabuffet# openssl rsa -in key-3.pem -text -noout -pubin
Public-Key: (4096 bit)
Modulus:
    00:99:4a:5e:2c:23:03:b4:09:43:d9:b7:44:b5:70:
    9e:e6:01:fb:5c:4a:c3:00:cf:a4:4a:76:08:10:7a:
    74:d0:6a:c0:49:63:a3:f8:20:1f:a7:80:13:35:ed:
    d3:f3:23:09:04:25:92:4b:74:f6:ac:39:ee:af:f7:
    b4:a6:bc:aa:24:15:33:fd:5f:57:50:5b:38:86:68:
    f2:4d:8d:65:33:07:45:cc:51:5e:e1:b3:c9:60:16:
    b3:99:c3:5e:ef:ef:06:12:ba:ff:82:76:10:88:11:
    7b:07:e2:5f:92:63:f9:14:98:10:23:31:91:65:d2:
    09:c4:78:4b:c3:7a:92:ed:7f:ec:b4:70:31:7b:3f:
    de:53:43:cd:d9:aa:13:79:4b:74:83:18:92:cf:6e:
    a1:00:2d:7a:3f:76:0f:1b:b3:ed:fb:f6:27:3b:15:
    36:11:27:42:4f:17:12:89:2e:0c:6c:c7:59:b3:c6:
    90:da:8c:61:84:a9:0b:e6:48:6b:8f:25:c7:45:55:
    4c:0a:aa:44:57:64:58:9a:51:77:03:8a:67:cd:73:
    e6:6f:e1:b0:d5:59:e0:bb:be:3e:5b:8d:4a:ee:f7:
    2f:fa:87:4c:c1:61:10:bb:c1:35:c3:e9:92:8c:5f:
    ca:e7:37:81:5f:49:fb:02:3c:64:ed:a6:2a:d2:ed:
    7d:0d:32:24:96:17:dc:51:2d:c5:40:00:6c:0f:05:
    9b:2f:da:eb:3b:0a:e1:c2:b9:61:5d:b7:c8:3b:90:
    9e:22:27:19:45:17:36:e1:f0:7c:39:19:c3:96:5f:
    d9:d0:03:bd:88:13:ec:1e:9c:d5:40:fa:f7:f7:0f:
    72:fe:8f:0f:54:4b:2c:ab:51:a8:a0:62:86:5a:e4:
    f4:6a:05:30:b7:e1:1a:26:4d:71:7f:3c:f1:3b:60:
    18:d0:9d:e1:a0:c2:8e:a2:0c:ee:2a:67:11:da:5d:
    11:5f:d7:1c:09:6d:11:5c:13:f0:b5:e4:0d:94:69:
    6c:67:10:5c:2f:70:9a:e5:d2:fe:0a:c8:58:47:b3:
    c9:01:7a:ce:7d:b2:eb:00:d4:10:d9:d2:da:76:85:
    77:6a:80:99:47:2d:01:79:1c:57:81:0d:16:0a:bd:
    6c:9e:42:02:76:32:0e:b1:1b:80:a0:b2:f5:72:2e:
    20:e9:d8:82:2a:1d:14:3c:97:a6:3e:f8:17:33:e5:
    2f:26:3e:3a:7f:77:b6:90:0b:f9:5d:a2:15:54:4d:
    f5:1e:61:ec:c4:68:f0:37:a2:b3:9c:cf:15:3d:98:
    4b:32:a9:a4:ce:75:7b:bb:38:79:8c:e0:b0:80:f5:
    03:ce:1a:39:6d:47:e1:4c:c4:1b:f1:8e:34:ed:bd:
    91:37:eb
Exponent:
    38:0d:01:ed:b6:ec:c7:5e:51:05:6e:f6:0d:ec:80:
    7a:8c:17:35:6e:a6:64:4e:cf:62:c2:b8:57:63:f7:
    9f:a6:5f:1b:54:d4:ff:28:3f:bb:0b:0b:3e:6f:a5:
    71:86:c5:2b:ea:20:e0:96:36:8c:19:41:41:cd:ed:
    75:97:8b:be:14:d2:70:9d:20:14:56:01:d0:dd:6b:
    7e:2d:f0:dd:ed:42:a5:14:d2:98:c6:81:82:28:9b:
    82:41:aa:09:af:eb:e7:f3:d0:a1:87:a6:54:5b:89:
    a0:6c:ee:52:87:e8:25:72:64:e0:4b:d0:96:83:d9:
    b4:b3:b0:4f:2e:a8:67:82:d3:e3:79:e5:01:4f:f6:
    16:20:2c:78:ad:9b:08:01:b6:7e:ee:ea:af:3b:43:
    05:5a:6f:09:6c:9b:fb:11:9f:1b:57:c7:8c:6e:40:
    50:ac:f3:c9:67:7f:93:25:7a:2b:aa:b9:ff:bc:0f:
    56:2f:c6:4d:46:8d:63:9d:b0:90:cd:b6:26:10:12:
    68:fb:c2:86:c5:c9:84:5a:ba:fb:6c:06:fc:06:25:
    90:4c:cf:32:83:7f:b2:fd:5d:16:0d:f8:36:0b:33:
    fe:2f:a5:5f:b4:3f:d4:ba:0b:a6:9d:de:44:f7:2f:
    9e:06:50:9a:63:6e:c8:45:68:57:59:7b:9a:55:30:
    b4:3b:6c:2f:11:03:8c:9f:ce:71:d5:de:bd:7b:63:
    c7:fb:1d:af:7c:84:37:90:93:b1:f9:d8:f5:e1:d4:
    ab:5e:96:e4:87:c4:ac:4c:d1:62:97:67:a5:59:e0:
    fe:95:69:99:75:d3:b2:96:9f:bc:48:e6:c0:52:9b:
    42:e4:50:51:ac:5c:e9:98:b8:a7:77:25:12:dc:32:
    c4:89:02:a9:96:c3:fb:d3:15:96:7b:e6:a4:03:55:
    63:08:8f:3b:be:e7:9d:c3:24:fd:08:3b:2e:52:9f:
    2d:11:4b:ae:5e:6d:ea:53:dd:e3:e5:18:08:1a:4a:
    13:e6:96:b5:0e:d8:a5:1b:ac:56:53:53:a9:8a:6b:
    84:1f:ad:79:8e:97:01:50:62:99:56:a4:81:6b:1d:
    79:68:f6:5c:ef:e7:1b:19:20:73:41:2c:dd:69:c0:
    c2:22:19:a4:9c:58:91:e6:36:66:2a:e3:42:9c:a9:
    c2:a3:a2:9a:89:25:16:74:b3:7c:07:6f:66:24:4b:
    41:fb:22:8c:82:56:89:67:c0:94:0e:45:4f:49:74:
    f6:8d:18:63:f7:39:8d:dd:62:31:fa:e8:c7:ff:6f:
    83:fa:f3:1b:47:2e:75:ae:26:ce:d5:98:19:1b:0f:
    62:7d:c2:75:9e:2a:9a:86:0a:3e:3b:03:ca:f6:8a:
    ac:bf

Oh my! That’s a large exponent! What do we know about large RSA exponents ? If the public exponent is large, the private exponent must be small. We can attack this with attacks such as Wiener. But stop… BKP know this is a trivial CTF problem these days. It’s featured many times. Even in last year’s BKP. So how much is it going to help us and is there a better way?

Finally a live CTF I can try an experimental mode of my RsaCtfTool fork. I forked this tool some time back and added several attacks. Most recently I added an dodgy “multikey” mode. Today we’re in luck because I can try it out. All I need to do is install it and point it at this challenge!

root@kali:~/bkp/rsabuffet# git clone https://github.com/sourcekris/RsaCtfTool
Cloning into 'RsaCtfTool'...
remote: Counting objects: 157, done.
remote: Total 157 (delta 0), reused 0 (delta 0), pack-reused 157
Receiving objects: 100% (157/157), 1.67 MiB | 113.00 KiB/s, done.
Resolving deltas: 100% (67/67), done.

root@kali:~/bkp/rsabuffet/RsaCtfTool# ./RsaCtfTool.py --publickey ../"*.pem" --verbose --private
[*] Multikey mode is EXPERIMENTAL.
[*] Keys: ['../key-9.pem', '../key-1.pem', '../key-6.pem', '../key-2.pem', '../key-7.pem', '../key-0.pem', '../key-8.pem', '../key-4.pem', '../key-5.pem', '../key-3.pem']

[*] Attacking key: ../key-9.pem
[*] Performing hastads attack.
[*] Performing factordb attack.
[*] Performing pastctfprimes attack.
[*] Loaded 60 primes
[*] Performing noveltyprimes attack.
[*] Performing smallq attack.
[*] Performing wiener attack.
[*] Performing commonfactors attack.
[*] Performing fermat attack.
[*] Performing siqs attack.
[*] Warning: Modulus too large for SIQS attack module

[*] Attacking key: ../key-1.pem
[*] Performing hastads attack.
[*] Performing factordb attack.
[*] Performing pastctfprimes attack.
[*] Loaded 60 primes
[*] Performing noveltyprimes attack.
[*] Performing smallq attack.
[*] Performing wiener attack.
[*] Performing commonfactors attack.
[*] Performing fermat attack.
-----BEGIN RSA PRIVATE KEY-----
MIIJKQIBAAKCAgEAxP9IaxTNnDe5VvCP8Zyi+D26hlCcuEDNalqV8TUgCbGNHVa0
oP7A6VopypbK76pd7/cdausK2J7qrZCM7pNYK9cbLNfa9wmlS5jRY7UI0/0fCpcJ
+2nkmdG4q8UK86TLrnfAcERJM2E6RSlU+RrNr0YdajZANZIFYfeIXTDr3IK+NWDm
QohkuXFeFzTQE+I9+4wdpmL1zm2jcSQC+NpEXQykm5ux5Hq+7vWKY4XKP5650kAI
...
ekJF9bpxy6wEqHqvoiV/PywEt9aYCVPVSxeUTSjrDeVmYM1RWcFTH2ogEzEAannA
1tOhN3nnio+NIZX1ii1iO9ZR/d5CmuAJAoIBAQCXB2VjFC6AYnxy5IiWy/kcmSXj
hTV3nAy190vk0YSk9s0SiTnWrkCVubF9CGMc43M9fLMUhpmqBnT/EpJLITTrtoxd
FN+ZEWXxLIQ2nJNrKkLDUlukV3Z/bk3+mKIJa1DH8ct56YOvD/7sKH7CQTRFkRh7
abGLrHyLw3VQuNHxEKQ8ljABn6DUMQO2fg8xC4xj1McnadM6I6A8ivZy4opgaS4r
TMPEdtafKx+y3vV2lWeLXMg4pP2vBVuTxU2IAmA7WWnua/6NH3dDkxxk+15i6Hkb
NjdCEEA/W8TlZUEj1ZKasazEiEUc5ynfDe1HlSc5ItduTbMQKwsVZiRdCSuC
-----END RSA PRIVATE KEY-----

[*] Attacking key: ../key-6.pem
[*] Performing hastads attack.
[*] Performing factordb attack.
[*] Performing pastctfprimes attack.
[*] Loaded 60 primes
[*] Performing noveltyprimes attack.
[*] Performing smallq attack.
[*] Performing wiener attack.
[*] Performing commonfactors attack.
[*] Performing fermat attack.
[*] Performing siqs attack.
[*] Warning: Modulus too large for SIQS attack module

[*] Attacking key: ../key-2.pem
[*] Performing hastads attack.
[*] Performing factordb attack.
-----BEGIN RSA PRIVATE KEY-----
MIIIJQIBAAKCAgEAhphlSMArLWsEYadKCaXuTvoHiC1cYQvbFNG6METv/VVw5MUJ
0RasqZKjQs9S7QRj221GSKMBO6ghnDpysZmHliU90R7MU2CH5uW9IHwTh6+d9r+H
WrMZVW3MC61qkPAXRZdg7n0nT+YEbnWZOF92B9Ke0jVHdpXjNl/GufUnAYPpxMLB
GKpnbB2cvgaGRQfkMQ2FuMrP+fWj7tSHtx0tdbAJQ9ftqar1srtpJxYl3iRp1qfE
9QxO6sVLFgV5PMD3/pFnRS/1/vNkfJ7siGZzBzLAXcpMVvOTyi5h59dkQoIrnaVt
...
ZSe6nLUlopbSWZ+DWFX/mQtcK7LBVmdWCmnTym0dSUggy4KF8vTKswXgRXQiqnlU
xW4mqgIgT7OBLk/W6C11WPMR59de1vMg/jiQURvPc42W6WTDbFtONIbvm0Hyrp4O
26NIP4U+R8SHGWtNjZe6fl9aT9K60qm6aiPyz4HjdNm23n41wwb8ctXt3Khy+7zD
8gWlF7C7IPORwD28uuLBMI+ydElJe2mH7697oUmw2S+r2Fa4ofbasZC+P4GAohck
gtqdKy4kla8DlMoCCdgOwXIwtQIEdyhnBQ==
-----END RSA PRIVATE KEY-----

[*] Attacking key: ../key-7.pem
[*] Performing hastads attack.
[*] Performing factordb attack.
[*] Performing pastctfprimes attack.
[*] Loaded 60 primes
[*] Performing noveltyprimes attack.
[*] Performing smallq attack.
[*] Performing wiener attack.
[*] Performing commonfactors attack.
[*] Performing fermat attack.
[*] Performing siqs attack.
[*] Warning: Modulus too large for SIQS attack module

[*] Attacking key: ../key-0.pem
[*] Performing hastads attack.
[*] Performing factordb attack.
[*] Performing pastctfprimes attack.
[*] Loaded 60 primes
[*] Performing noveltyprimes attack.
[*] Performing smallq attack.
[*] Performing wiener attack.
[*] Performing commonfactors attack.
[*] Performing fermat attack.
[*] Performing siqs attack.
[*] Warning: Modulus too large for SIQS attack module

[*] Attacking key: ../key-8.pem
[*] Performing hastads attack.
[*] Performing factordb attack.
[*] Performing pastctfprimes attack.
[*] Loaded 60 primes
[*] Performing noveltyprimes attack.
[*] Performing smallq attack.
[*] Performing wiener attack.
[*] Performing commonfactors attack.
[*] Performing fermat attack.
[*] Performing siqs attack.
[*] Warning: Modulus too large for SIQS attack module

[*] Attacking key: ../key-4.pem
[*] Performing hastads attack.
[*] Performing factordb attack.
[*] Performing pastctfprimes attack.
[*] Loaded 60 primes
[*] Performing noveltyprimes attack.
[*] Performing smallq attack.
[*] Performing wiener attack.
[*] Performing commonfactors attack.
[*] Performing fermat attack.
[*] Performing siqs attack.
[*] Warning: Modulus too large for SIQS attack module

[*] Attacking key: ../key-5.pem
[*] Performing hastads attack.
[*] Performing factordb attack.
[*] Performing pastctfprimes attack.
[*] Loaded 60 primes
[*] Performing noveltyprimes attack.
[*] Performing smallq attack.
[*] Performing wiener attack.
[*] Performing commonfactors attack.
[*] Performing fermat attack.
[*] Performing siqs attack.
[*] Warning: Modulus too large for SIQS attack module

[*] Attacking key: ../key-3.pem
[*] Performing hastads attack.
[*] Performing factordb attack.
[*] Performing pastctfprimes attack.
[*] Loaded 60 primes
[*] Performing noveltyprimes attack.
[*] Performing smallq attack.
[*] Performing wiener attack.
-----BEGIN RSA PRIVATE KEY-----
MIIH4wIBAAKCAgEAmUpeLCMDtAlD2bdEtXCe5gH7XErDAM+kSnYIEHp00GrASWOj
+CAfp4ATNe3T8yMJBCWSS3T2rDnur/e0pryqJBUz/V9XUFs4hmjyTY1lMwdFzFFe
4bPJYBazmcNe7+8GErr/gnYQiBF7B+JfkmP5FJgQIzGRZdIJxHhLw3qS7X/stHAx
ez/eU0PN2aoTeUt0gxiSz26hAC16P3YPG7Pt+/YnOxU2ESdCTxcSiS4MbMdZs8aQ
2oxhhKkL5khrjyXHRVVMCqpEV2RYmlF3A4pnzXPmb+Gw1Vngu74+W41K7vcv+odM
wWEQu8E1w+mSjF/K5zeBX0n7Ajxk7aYq0u19DTIklhfcUS3FQABsDwWbL9rrOwrh
...
0gqHns/TpRQoYzMrGjnGkXmXD/CFXOqUGbfF6vJJvQKTjoX7iR5GrT74MFklh8VE
JtJm7zje0ilzUIieHGImq2P393bAqRGRU9ssvwnwFVuF0kquNEJ33JZk6Yimpoci
RlhXx3JoHdPBdUXDhB5xfzzZodo6s6JAggGR1hXa7LzFEEDGI/JHbMAiyFqLMgRR
/5OvnxwxxRBTY5FwTnaREvF+1T6wp6U+EU7in9tN6Cmx01ThJTojur25ZUCQmuFG
XIf01nQakFrOA5xh3KfZ+jDx0PHlAJnoMF1IdANccnwP1f0/uBFoMasNi67uedTe
kDk2ESJfSQ==
-----END RSA PRIVATE KEY-----
[*] Performing multi key attacks.
[*] Found common factor in modulus for ../key-6.pem and ../key-0.pem
28796899277235049975421947378568428888005019408631005870725337759187744546493409470582705210790627097597656481534493716225301660663533212040068163723937803169735485217437722947354732420098585958967033073629288721874028940705969141716032409906092583043329293532612601200186754187377338924379443611709918885185638934712580040042904995838353611699081350712817357237035507539201368300463060034856220488010509411264244138417348439340955309300128758040513940379009974696105387107481999359705587790254117489020540714253505694682552102843028243384677060490696214834957049391213864664165843655260698241682369402177091178720927
[*] Found common factor in modulus for ../key-0.pem and ../key-6.pem

Note I truncated some of the verbose output a little for brevity.

So out of that first pass we effectively:

  • Fully recovered key-1.pem’s private key using fermat factorization
  • Fully recovered key-2.pem’s private key from factordb
  • Fully recovered key-3.pem’s private key using the Wiener attack
  • Recovered a shared large prime of both key-0.pem and key-6.pem. My tool hasn’t fully fleshed out this functionality yet. It’s a rough draft :)

To recover both key-0 and key-6 private keys, we could save the new prime we got from the first pass into the pastctfprimes.txt file and re-run the script for those two keys like so:

root@kali:~/bkp/rsabuffet/RsaCtfTool# ./RsaCtfTool.py --publickey ../key-0.pem --private
-----BEGIN RSA PRIVATE KEY-----
MIIJKQIBAAKCAgEA168ysJPW4iS7ljqae8hzsud8as52Pn1sbdfR0RGChS9oS1A9
1y52lP3sRmivv2+QxK9GYqvuHDozxQ7FxSqMCpqvTQ8xYeu07nYioi/x+2e5MCPU
lDEwb/wBQBkbEHexFMyohNtMzdjR97sTHvMhtJBwA1SBYZIdKTpCYxiXCLoHVUUq
...
aQNO4a6g0as2bcQK3AE0QrY9PY6+ujcopKTDmGaZQHx2ryU9c0yy8cfPs+4prpVU
JmSd7oCEcGnjQXMyM0kibZ0Ow6uFJUm0Lzvs04EbpW2aPn+HEiAV65pLupbrVG6A
/U0ehyAdriJlxQPOe+aLWcli9kEnk2MZBIa2E9Ty0xQ+jWyJzI2Xg5/RiS7NKNPO
lUU3Zwr58kgYZp3R4KkGXe8VvlY5UbkgkkZvmJJS/kJwe4o+jMJz8wa4Zqm6
-----END RSA PRIVATE KEY-----

root@kali:~/bkp/rsabuffet/RsaCtfTool# ./RsaCtfTool.py --publickey ../key-6.pem --private
-----BEGIN RSA PRIVATE KEY-----
MIIJKQIBAAKCAgEAvA1N2e1ExEwhc6vTsCVAGzZoFtkT97QnG3Grze0hqw0EwvxX
ejE7eUJ1hF27iegVHPS9OCXpJAyI65OoJMqosLVjlg/8sS+8r82dOPvfh7E0OV0O
oxYYa+ryRwpTWh2jUpwAXLkGLw1D64579M15Qlpsq2WhXJBXE6vO2/SnFcRkZb7L
...
aQ3uIAXSUp/pUP62spE2ZyBACRDYhqaLnhOUP+vnD61DzvE1L1GFzXdpLitkE1D8
MpYS/nfBmZMeAwmwjUDDQBaozl78qQL2RoXqcb86X3TWEwTw22gs/ZhaUr9HlEjO
UNbZPbHnTki3uaU3KyUogHB9/OubnLu9NKdisSGusn4zAYkr3dw6EHnL8GxjGkHk
cI/lY0TZFhR/6EmXxtzgAMxwnb5H0TMRgfdCjmcnuxnHB5wCchX9wi8S5Roe
-----END RSA PRIVATE KEY-----

That’s 5/10 private keys fully recovered. The next stage of this challenge is to decrypt at least 3 ciphertext-N.bin files and recover the flag. Fortunately BKP team have documented how they built these ciphertexts very well. The provided encrypt.py has a handy decrypt() function:

def decrypt(private_key, ciphertext):
  if len(ciphertext) < 512 + 16: 
    return None
  msg_header = ciphertext[:512]
  msg_iv = ciphertext[512:512+16]
  msg_body = ciphertext[512+16:]
  try:
    symmetric_key = PKCS1_OAEP.new(private_key).decrypt(msg_header)
  except ValueError:
    return None
  if len(symmetric_key) != 32: 
    return None
  return AES.new(symmetric_key,
      mode=AES.MODE_CFB,
      IV=msg_iv).decrypt(msg_body)

Following that we need to use the Shamir secret sharing python module to convert the distributed secret into plaintext. Again the BKP team documented that in generate-plaintexts.py:

# pip install secretsharing
# https://github.com/blockstack/secret-sharing
from secretsharing import PlaintextToHexSecretSharer as SS

Pulling it all together I wrote this quick solver after saving all the recovered private keys into key-N.priv filename format:

from Crypto.Cipher import AES,PKCS1_OAEP
from Crypto.PublicKey import RSA
from secretsharing import PlaintextToHexSecretSharer as rs
import glob

def decrypt(private_key, ciphertext):
  if len(ciphertext) < 512 + 16:
    return None
  msg_header = ciphertext[:512]
  msg_iv = ciphertext[512:512+16]
  msg_body = ciphertext[512+16:]
  try:
    symmetric_key = PKCS1_OAEP.new(private_key).decrypt(msg_header)
  except ValueError:
    return None
  if len(symmetric_key) != 32:
    return None
  return AES.new(symmetric_key,
      mode=AES.MODE_CFB,
      IV=msg_iv).decrypt(msg_body)


if __name__=="__main__":
  cts = glob.glob('ciphertext-?.bin')
  keys = glob.glob('key-?.priv')

  secrets = []
  for k in keys:
     for c in cts:
        private_key = RSA.importKey(open(k).read())
        ciphertext = open(c,'rb').read()
        plaintext  = decrypt(private_key,ciphertext)
        
        if plaintext is not None:
           if 'Congrat' in plaintext:
              secrets = secrets + plaintext.splitlines()[1:]

  for sec1 in [x for x in secrets if '1-' in x]:
     for sec2 in [x for x in secrets if '4-' in x]:
        for sec3 in [x for x in secrets if '5-' in x]:
           rec = rs.recover_secret([sec1,sec2,sec3])
           if 'FLAG' in rec:
              print rec

Which gives us a nice result:

root@kali:~/bkp/rsa-buffet.orig# python dec.py
Three's the magic number!  FLAG{ndQzjRpnSP60NgWET6jX}

About The Author

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Close