Cryptography Challenge 6 - Broken Signer

Prompt

We’ve discovered Liber8tion’s remote signing service. You can request signatures on messages of your choice. We found an encrypted flag file as well. Can you exploit the service to obtain the private key and decrypt the flag? You can connect with the oracle from your machine with nc services.cityinthe.cloud 9999


Answers

Q1 (75 pts) - What is the decrypted flag?
SKY-BLCR-1486


Steps I Took

Started by connecting to the oracle on my CLI

It gives the RSA public key (n, e). I also have the encrypted flag file.

And this point was the end of my knowledge, so more AI to the rescue

It gave me this script for the exploit

import secrets
import math

n = 24185900854479483124139639947868654468404295463005690163597924325448300009045570441383964740057132913078531039638767750167800125967181981321549235084824581032006771848852762827070841769839059232803483885736621284259942021752060992064406728777599943724102542963095044719683468475603145579815896938051691879213233065729081973605194669665743465553449503470653769025313557244389804515486769491676722348419405338585914248767455749497193629997752538319993712158350752080701628545426951064668443120463371455412486176865947729444349424081848526231206816660690819791045325094074370968927894854483536022955003324855635126261083
e = 65537
c = 4397466382669079252834745579065690348029779098543146195116094941668027681917698975277261253525762132609863572105875511189108399801844024565866112898663414437297014800169731204228101878596721982586193890775898627757919457098249621881796489674757029240022094482264214193966479048089072788248625113773187303784120327042096152665398157120309343430976225379979318881500201938201512073084867013792376593505294036320367577184023456603439933620989682239669435239618945480520670562569754375747784130423605305080536999990289036140726837507358892794968322102220693027475515874207157929838506033900684777206072028934450823463849

# Pick a random blinding factor r that is invertible mod n
while True:
    r = secrets.randbelow(n - 2) + 2
    if math.gcd(r, n) == 1:
        break

# Blind the ciphertext: c * r^e mod n
c_blind = (c * pow(r, e, n)) % n

print("SEND THIS TO ORACLE (hex):")
print(hex(c_blind)[2:])
print()
print("SAVE THIS r VALUE:")
print(r)
print()
print("When the oracle replies with something like:")
print("sig = 0xABCDEF...")
print("paste only the hex digits after 0x")
print()

s_prime_hex = input("Paste oracle signature hex here: ").strip().lower()
# Accept "sig = 0x...", "0x..." or bare hex digits
if s_prime_hex.startswith("sig = "):
    s_prime_hex = s_prime_hex.split("=", 1)[1].strip()
if s_prime_hex.startswith("0x"):
    s_prime_hex = s_prime_hex[2:]

s_prime = int(s_prime_hex, 16)

# Unblind: s' = (c * r^e)^d = m * r mod n, so m = s' * r^-1 mod n
m = (s_prime * pow(r, -1, n)) % n

# Convert the recovered integer to bytes (hex string needs an even length)
h = hex(m)[2:]
if len(h) % 2:
    h = "0" + h

pt = bytes.fromhex(h)

print("\nRAW BYTES:")
print(pt)

print("\nUTF-8:")
try:
    print(pt.decode())
except UnicodeDecodeError:
    print("Could not decode directly")

print("\nHEX:")
print(h)

The script performs an RSA blinding attack, which tricks the signer into decrypting the flag ciphertext

I do not really understand anything else other than it got the answer
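
Why the blinding step works, as an added example that is not part of the original write-up or the challenge's code. It assumes a toy textbook-RSA key built from two Mersenne primes, a constructed stand-in flag, and two hypothetical signers: raw_sign (applies d to the caller's integer, like the oracle) and hashed_sign (applies d to a digest of it). Only the raw signer returns a value that unblinds to the plaintext.

```python
import hashlib
import math

# Constructed toy key from two Mersenne primes (illustration only, not the challenge key).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

# Constructed stand-in for the flag, encrypted with textbook RSA.
M = int.from_bytes(b"SKY-DEMO-0000", "big")
C = pow(M, E, N)


def raw_sign(x: int) -> int:
    """Vulnerable signer: applies d directly to a caller-chosen integer."""
    return pow(x, D, N)


def hashed_sign(x: int) -> int:
    """Hardened signer: applies d to a digest of the input, never to the input itself."""
    digest = hashlib.sha256(x.to_bytes((N.bit_length() + 7) // 8, "big")).digest()
    return pow(int.from_bytes(digest, "big") % N, D, N)


def blind_recover(c: int, sign, r: int) -> int:
    """Blind c with r, have it signed, then divide r back out."""
    if math.gcd(r, N) != 1:
        raise ValueError("r must be invertible mod N")
    c_blind = (c * pow(r, E, N)) % N  # differs from c, so filtering on c does not help
    s = sign(c_blind)                 # raw signer returns (c * r^e)^d = m * r mod N
    return (s * pow(r, -1, N)) % N    # m * r * r^-1 = m (raw signer only)


def to_bytes(m: int) -> bytes:
    """Big-endian bytes of a recovered integer."""
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    r = 0x1234567  # fixed for repeatability; the script above picks r at random
    print("raw signer   :", to_bytes(blind_recover(C, raw_sign, r)))
    print("hashed signer:", to_bytes(blind_recover(C, hashed_sign, r)))
```

The hashed signer is a simplified stand-in for a padded scheme such as RSA-PSS; a service should also never use the same key for signing and decryption.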
