CTFtime.org

real-baby-rsa

by ju.zotova / c00c00r00c00

Rating:

## This is a small solutions review of a problem "Baby_RSA" from Tokyo Western CTF

# Files
problem.py
output.txt

# Problem definition

problem.py

```python
flag = 'TWCTF{CENSORED}'

# Public Parameters

N = 36239973541558932215768154398027510542999295460598793991863043974317503405132258743580804101986195705838099875086956063357178601077684772324064096356684008573295186622116931603804539480260180369510754948354952843990891989516977978839158915835381010468654190434058825525303974958222956513586121683284362090515808508044283236502801777575604829177236616682941566165356433922623572630453807517714014758581695760621278985339321003215237271785789328502527807304614754314937458797885837846005142762002103727753034387997014140695908371141458803486809615038309524628617159265412467046813293232560959236865127539835290549091
e = 65537
flist=[]
# Encrypt the flag!
for char in flag:
flist.append(pow(ord(char), e, N))
```


Here is a data piece of "output.txt"

```python
print(flist)
```

[9073209977571176486825453267118351996016396235857623493182258724402523182425555398048461088180575997426276026776186441023571190870577545894667546140441145538176352391499376279774875943812941321565506013356240326235158415041323709138860753984228634160552040417002326854872319407516200542564071756611880349380322282130265915072405694912128104078505106072784722670288292878670301302909960910520529391182927036489958388823511447221117040898358990430312656065571576446469592472217394596577973531530126373565564994195530324540432367900449603179849204693929275999798234441199340509474634967526614647348655247823230784374, 35639404627961781906461142088755137025298630410895631726441472610366623418342364917283665767957562174282457589855677069495230225819581200731431201665184892116733696486682454477915290834433777530535524437371339472350901843618705506005661289326664321691979577977602624815055003117998229419500683672655441419257356643852257251251761502995787965709527112696847071565558861604427364918548619913860926470431333287513742767137365798593418198144415567391257323940575314966786015734312154108604715446101475223727342693907796501114753375280182345362719422538419079170715967729017805398797931366993519156066479380119809407749, ...]

Here is a discription how RSA works:

![png](https://github.com/c00c00r00c00/writeups/blob/master/TokyoWesterns%20CTF%205th%202019/real-baby-rsa/rsa.png?raw=true)

# Solution description

#### 1. Let's encode each "possible" simbol using public key (e, N), e is public exponent, N is modulus.
RSA: $$c = (unicode [m])^e mod (N)$$

```python
alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_{}' #ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890?,./<>?!@#$%^&*()-_=+
dictionaryRSA = {}

for char in alphabet:
dictionaryRSA[str(pow(ord(char), e, N))] = char

```

This is how our dictionary looks like:
```python
print(dictionaryRSA)
```

{'8039756180396402818033960239923473145686150984028744821388059114588151485537292149796913866199978422862651737232228389849691629240968066238877962028093286575650246355855437272615799537085859383380861156282433158508274532697395220972522490970824118480262302411620928071761310266610104998827671291575984605277374513331908993590772515955675049856058733058452152348393529399957756600922532875285030993213053887136711141806142283031801945035446945182165115513185975629915145345481577919122682503955071242283897537607380896224804901248019803404783728742533343512538383716598109574497231061322903509894668128804543534570': 'A', '25895935743782346003706465388357299495999498265530810710528216642884899687310536937638633837417363154822586800324091935766996592008195494163748724744018968957978035382330076230779217616947358158889160545974950009144804893383606930662369858807070496545325170919141266043409690927694203311692984804780232124069050839679538069198236198755682998601366406714879241541127908766028826399339248884006938215383485237113065329036316369029352382695048534440573200931589388307707004271260161777038461055496188131586128820437698749123971582639424276453270496539979269272102254759232658932191248472580461596072069717446778407231': 'B', ...}

#### 2. For each string into 'output' we find the decode simbol from the dictionaryRSA (variant 1)

```python
flag = ''

with open('C:/Users/Julia/Documents/CTF/1sep2019/real-baby-rsa-037dd23e2f3b23038ee248487817bc1ad6636e1057e671826bea4e03a9acc79e/real-baby-rsa/output', 'r') as f:
for line in f:
flag += dictionaryRSA[str(line.strip())]
#print(str(line.strip()))
#print(fstr)
print(flag)
```

Output is: TWCTF{padding_is_important}

Also, there is different solutions from other teams:

variant 2

![PNG](https://github.com/c00c00r00c00/writeups/blob/master/TokyoWesterns%20CTF%205th%202019/real-baby-rsa/solution2.PNG?raw=true)

variant 3

![PNG](https://github.com/c00c00r00c00/writeups/blob/master/TokyoWesterns%20CTF%205th%202019/real-baby-rsa/solution3.PNG?raw=true)

variant 4

![PNG](https://github.com/c00c00r00c00/writeups/blob/master/TokyoWesterns%20CTF%205th%202019/real-baby-rsa/solution4.PNG?raw=true)

variant 5

![png](https://github.com/c00c00r00c00/writeups/blob/master/TokyoWesterns%20CTF%205th%202019/real-baby-rsa/solution5.PNG?raw=true)

Original writeup (http://github.com/c00c00r00c00/writeups/tree/master/TokyoWesterns%20CTF%205th%202019/real-baby-rsa).

Comments