CTFtime.org

Hot Dog

by st0ic3r / c0d3_h4cki05_

Tags: rsa crypto wiener hotdog 

Rating: 5.0

## **Hot Dog**
Given a file named hot_dog.txt which consists of the following n,e and c values.
n = 609983533322177402468580314139090006939877955334245068261469677806169434040069069770928535701086364941983428090933795745853896746458472620457491993499511798536747668197186857850887990812746855062415626715645223089415186093589721763366994454776521466115355580659841153428179997121984448771910872629371808169183

e = 387825392787200906676631198961098070912332865442137539919413714790310139653713077586557654409565459752133439009280843965856789151962860193830258244424149230046832475959852771134503754778007132465468717789936602755336332984790622132641288576440161244396963980583318569320681953570111708877198371377792396775817

c = 387550614803874258991642724003284418859467464692188062983793173435868573346772557240137839436544557982321847802344313679589173157662615464542092163712541321351682014606383820947825480748404154232812314611063946877021201178164920650694457922409859337200682155636299936841054496931525597635432090165889554207685

Here I found the vulnerability that the value of e is very large. So firstly I applied Wiener Attack, but I didn't get the flag. So I checked for the Wiener Variant Attack. Hence, I got the flag.
If you don't know the wiener variant attack here is the [reference](https://www.math.tugraz.at/~cecc08/abstracts/cecc08_abstract_20.pdf).
-----
And here is my exploit,

```
from sage.all import *
from Crypto.Util.number import *
n = 609983533322177402468580314139090006939877955334245068261469677806169434040069069770928535701086364941983428090933795745853896746458472620457491993499511798536747668197186857850887990812746855062415626715645223089415186093589721763366994454776521466115355580659841153428179997121984448771910872629371808169183
e = 387825392787200906676631198961098070912332865442137539919413714790310139653713077586557654409565459752133439009280843965856789151962860193830258244424149230046832475959852771134503754778007132465468717789936602755336332984790622132641288576440161244396963980583318569320681953570111708877198371377792396775817
c = 387550614803874258991642724003284418859467464692188062983793173435868573346772557240137839436544557982321847802344313679589173157662615464542092163712541321351682014606383820947825480748404154232812314611063946877021201178164920650694457922409859337200682155636299936841054496931525597635432090165889554207685

q0 = 1
lst = continued_fraction(Integer(e)/Integer(n))
conv = lst.convergents()
for i in conv:
k = i.numerator()
q1 = i.denominator()
for r in range(1):
for s in range(2):
d = r*q0 + s*q1
m = long_to_bytes(pow(c,d,n))
if "LLS" in m:
print m #Flag
break
else:
continue
q0 = q1
#flag is LLS{looks_like_weiners_on_the_barbecue}
```

**Flag is: LLS{looks_like_weiners_on_the_barbecue}**

Original writeup (https://www.zsquare.org/post/virseccon-ctf-2020-hot-dog-write-up).

Comments