# DarkCON - 2021 ## Crypto - Take it easy "Take it easy" starts by finding the key of the zip file named "TRYME.zip". A "getkey.txt" file provides the following informations: ``` p = 147310848610710067833452759772211595299756697892124273309283511558003008852730467644332450478086759935097628336530735607168904129699752266056721879451840506481443745340509935333411835837548485362030793140972434873394072578851922470507387225635362369992377666988296887264210876834248525673247346510754984183551 ct = 43472086389850415096247084780348896011812363316852707174406536413629129 e = 3 ``` We understooding that "ct" is the Ciphered Text, "p" is obviously the product of two primes numbers and "e" is the encoding parameter of the RSA public key. As "e=3", the low exponent attack will be applied. In that case as e << p, it may possible that pow(msg,e,p) is equal to pow(msg,e) as pow(msg,e) < p. So, we will take the cubic root of the message: ``` from decimal import Decimal ct=Decimal("43472086389850415096247084780348896011812363316852707174406536413629129") msg=str(ct**(Decimal("1.0")/3)) >>>Decimal('351617240597289153278808.9981') ``` Then the last manual operation (note the upper rounding): ``` str(hex(351617240597289153278809))[2:-1].decode("hex") >>>'Ju5t_@_K3Y' ``` So we can now open "TRYME.zip" with **Ju5t_@_K3Y**. It contains two files "chall.py" and "cipher.txt". Chall.py ``` #!/usr/bin/env python3 from struct import pack, unpack flag = b'darkCON{XXXXXXXXXXXXXXXXXXX}' def Tup_Int(chunk): return unpack("I",chunk)[0] chunks = [flag[i*4:(i+1)*4] for i in range(len(flag)//4)] ciphertext = "" f = open('cipher.txt','w') for i in range(len(chunks) - 2): block = pack("I", Tup_Int(chunks[i]) ^ Tup_Int(chunks[i+2])) ciphertext = 'B' + str(i) + ' : ' + str(block) + '\n' f.write(ciphertext) ``` So we take the flag, chunk in set of 4 characters, and xor chunk[i] with chunk[i+2]. Thankfully, the flag format is given and we know that chunk[0]="dark" and chunk[1]="CON{". We know have all the information required to decipher it ! ``` chunks =[ b'\nQ&4', b"\x17'\x0e\x0f", b'1X5\r', b'072E', b'\x18\x00\x15/'] print(chunks) print(b'darkCON{}') import binascii key=[b"dark",b"CON{"] for i in range(len(chunks)): tmp=hex(int.from_bytes(chunks[i],"big")) print(tmp) k=(b"0x"+binascii.hexlify(key[i])).decode("ascii") print(k) print("---") res=hex(int(k,16)^int(tmp,16)) bytes_object = bytes.fromhex(str(res)[2:]) ascii_string = bytes_object.decode("ASCII") print(ascii_string) key.append(bytes(ascii_string,"ascii")) print("---") print(key) ``` The output is `[b'dark', b'CON{', b'n0T_', b'Th@t', b'_haR', b'd_r1', b'Ght}'] and the flag is ***darkCON{n0T_Th@t_haRd_r1Ght}*** ## Tony and James From the pdf file of the challenge, we get: `r0 =1251602129774106047963344349716052246200810608622833524786816688818258541877890956410282953590226589114551287285264273581561051261152783001366229253687592 ` The challenge file contains the following code: ``` #!/usr/bin/env python3 import random def get_seed(l): seed = 0 rand = random.getrandbits(l) raw = list() while rand > 0: rand = rand >> 1 seed += rand raw.append(rand) if len(raw) == l: return raw, seed else: return get_seed(l) def encrypt(m): l = len(m) raw, seed = get_seed(l) random.seed(seed) with open('encrypted.txt', 'w') as f: for i in range(l): r = random.randint(1, 2**512) if i == 0: print("r0 =",r) encoded = hex(r ^ m[i] ^ raw[i])[2:] f.write(f"F{i}: {encoded}\n") def main(): m = open('flag.txt').read() encrypt(m.encode()) if __name__=='__main__': main() ``` The analysis of the "encrypt" function indicates that we will play with seed number (ie it may not be so random...). The encryption is done by xoring "r" with "m[i]" with raw[i]. The "get_seed" function generates a random number, stores the successive division by 2 and forged the seed as the sum of all the divided values. Note, as we know "r0", we can recover the seed and decipher the message as we now have "r[i]", "msg[i]" and "raw[i]". As we control the seed, the "r[i]" are not anymore random ! ``` #!/usr/bin/env python3 import random r0 =1251602129774106047963344349716052246200810608622833524786816688818258541877890956410282953590226589114551287285264273581561051261152783001366229253687592 data=[ 0x17e5b42a8bea57da669427727314c1b5b50a7c11135d48d87fac2aa91c1e96a62c3e815724c0fd9fd338fa7d65e390525a1294fbaa2655e563657b5e699bb732, 0x8d0a0f04d961cb770b28101de8ec775ed16656d32b1e1f7c38b880633954550fc90f6ad1b73895ff65e2edc46e3413e7cc5b234ca2ff25c4eb52ab9a4964e86a, 0xbcf77a6a978c03b4c36ab21d93decf3f218b7f0716fb68276cc64b45754a954f113f8e42077683f793affdd9b9cdf82e0ba2a1428ca408f37694dc721500def, 0xfe42c2d038326f7fc6167eede667c164f85e9dafac7fadea6021bc1dca3f2c6450fb2f5dcd21fc93c352b59d9570abe8660b79ce990830e67a3624ea27a1f369, 0xb7b07abebdb05ed0129ae97f36fd394e74b3371024e2ba4474aee42d410a783dec0598cd1ef32d03234c5426256e966084c98f69bf9a6a1b7b37aad7bc45ffaf, 0x8ebad316ac19807114dedf2bcb3fb398500e978cd8ef7ccad2ac2e77728e729bb8732db6aaf82551d98f1fa0dfd5d38ecbe5e8c1a20bfe72daba8f22f5fa6371, 0x964188a77c0b800fb6a18b6e233f8a0c4185cce96f148d1f8114bf0865a89656d98475b170618861ce86a343ca682423dfcbb9d65285a7e4181089eab827ac6f, 0xd7732af5b47f66d22ce4dba419a4aa49309ea7b6ccac1bbce09186283b66611cbbfce808e4a428b8341564e702a2004a690df7c589bda8956e5b92db69e7b36d, 0xed5b0c69b240ee406df5e4ed7fe355408a307c4b5423546c99d6f5011e9b69de2c45227460bd5520da15ec3dcbab3f07c50ead4c1d4eb202a4a2764f5c3f9208, 0x116468b05dd6f53ae07c96e2f5e89eeda11cc17cff0a1659ae517ce7268bfbc31cc2bd368782476fdd96f067e6831891c5cc1c50df07d9d937dc9c45cdaac132, 0x10b0bec20c0a74bf9fb3fa17966ccddeda04f91923e9361ded969b5d16699174d184258f27d3f083dd1b382fa6f3ec228d053c593a4bef0adec487b5f4f98be2, 0x3a02d0ca2364d7b397b486fc73f8a73f3fa351e3367e28e70851e9af53d1235abb1567d4ddb47e63c7449ddfd3d5aecd7770bb5c15a72fbb69605757753ce1d, 0xd7c2a7f613dd92e811c28171e190b743bbfa0875931cbe7326cc5e72e45ce767f9854c9a70fbd93fd56a590ad3c6d16c1815a6f4595e7005ea3237835bbc3587, 0xb6bfbf43b10d1e98a5d2fe20dc3d805e0c3e4ed170ee3c6c3881c23f3d8ad10d043e17155abdf6d870dae209a64435c2de33d8181e805e675d8d5636395c43f8, 0x14405e18dcc3bf9dc143d0476d06e8c307cd3354ff19f81053627ac88cafe404c9d7552ac29ae90c8f3cd71d9a433722cb4b0aeff61ca581031c8abc32fa6d31, 0x93aaf3c9e80ed96a88d3b5c8234c6ff169db2a860a6c9a501f3ce1a78c87eb4177ffe30c35968ae91d7e75ec401b78d771edad4696da6392685607ca3ac42c0e, 0x6c50dcb1ddc1ee575e86971db3f14f00cb03ca8f457b9cbc4fa7a19466fdafc91b96e88f083ff80748eda149879b9b671b95cb79e2b09432c8f25819caf60ada, 0xb1d7efc822d3cea04cbc5324a78c9025b10a6412c237cdb4fea182336d9dc75e45e578f85b7c122ace5c2dc817a118f1245300f016bca14324577ec75e326a7b, 0x365fc095493db65e35ad3d17ab6bb4b9bc764f74fcf1d865b41d9636ca4ec7980a17a42b06f7888fd38554f3803371d2f9a709ca6591d7bb1a053c82abe9352a, 0xc2c9f3a7aa6752a69dabfdbeaa222bc205278bb7034bc6993875efcb3680e69c7c01a4432ec9d5e85484ba5dd291c6e630a352650c8ebf694ea40a8e12a1b32f, 0xdcb706df8883899c746efad75ff21e6d2be56a93386329c28ba7c1ac2d87b33ed1b103903396e304f48e3743a31b1e477aecc8a7dcb563509b3d69bf6621526c, 0x240b973fa722be5cedb366a3f3f36c3964d14cc273cde00f4834eb9c08acc3a0f38f500d37bc66893b26c94677da629cfca810fd84fc679ee2190480433e2a0f, 0xf79a9c1758da10c6363ec6e8a8f15af81eac25ae794597cd2928787a5ec7dc851a8278f473144d5269619822e37090d3f18318f5c67fc6bd9de9429c917851a4, 0x839025bc53a823c8a1c5a5d76c64b656122a1c89043070110de1b5ced0ea529e53dd5802d240e7bc511a0e79071e7b4214bafb5414f2ab62184d5677cc47b024, 0x2132673aeac17a2a2a1fbf3a8ab2436e654a0c5eed945fedce3bdfa8b5c4b89bf8840ad57aa97a669b4021cd3486d408310ef7ebf9bdd226d95fa5f98ff07023, 0xa3a17c8d8ef3b9358130a5fbf5b50f71060e66779e67fc6837e637ca51efcd9bdf02921c1c28e859ec1bdcbae45aede19782c3109c09fa4efc63a03e8ef53685, 0x121cf2f4c025f605d770eff32c0786774705577e325ffe7841c23d194f517bb9d3cb849992bdb2d89089cb320dfe9829e732ac96de0a0f99e683b08e30e2f0f3, 0x4c3c85a42e907ed36f724c3b70124ce5d2214bfb42ffe997cec22596e3129180339a4589b89824e00a9424a5308b6bad3aeb78ddceff1005ed5d53261fc12077, 0xbe08bb264014f63c1caceb07a92a8ad6aecb4d2a3268f73f5d3d53b1256f20ba15c64e00b43e8555d5424c99118d6a7db06fa63ae16b8fa75587f735c562a8fd, 0x9f985f7342103394f7e91ebddf3620461694f6ee07bd4c3129884a0069cf9bcf827123e1e647b6efc63bee1688a72a22af9017f13d4788ff71b78090c23422c2, 0x46421b56a4e97debd4c3e4f8d4b1575d7dbb9cd7f14978b81c673a71499dab7665bae198190554997621edeec45e687d0c0747714f302b2c48081313bcedb56f, 0xa400e922efde652354894da17396b9148ede9ff06584815ce27de846d7f30d9b2c42e5ce05f03aac3ac42561e5e1d618a2b6279291bf967297b1e45f0468987d, 0x94aa1a26e4ac93ae0b9195be95a365dbc190b03e90766658a4ad21bb0591d7b0ded29c44df528f9194e561970cb15266c300e864df4d0ebc315589990117c2ce, 0x287fa54e7d8bd73d3f7b96702a0baacb624fd7c3220fa13e7ff8c19ce547aab324f555affb90a61e97a785c0ea4ff627e2eda1e35a1124c05427fc5bdc1788a3, 0x95ee463c23d1146e86f9978a7dc390302127149c8b78c60316d11e57e215d629c7118c7104105fbd2fd1738e828390ec49f78f39c6bd2cb790d90395c5c0997f, 0x7d623aa01509d0380805a7b333f97ef8d9670d90c4f913c616d197d17714f026bd8c50ee571b8d38cc540cc24ff0ec601fedd0f54428eed48d8c3903868d6934, 0x832066a95dd7514b7a5b2aac82e90512fcadfc06c3d50b95a8e981a252b006b482fc8c8a1b85b79c8979d8d98856836a583b0fb295ddfbcb6a7a111f752a101d, 0x2297e2ae6f70d25069a16adac93d92696d0daf62930e4e870b457b12ff49d6776e77adbed5215d73c796ebf33e80b922b80a76e6a52e4612bc1b0facba47f4a6, 0x79186e494573075b2b1ca356523e7d123f260a25e32074ff90a31c5d9c993a87d3a9a81377f750bb9b00f57c76eceb54edfd82e7162344259d2b37a8a2d90ec5, 0x81859b0c047178bab149f7bfc5e4fd84a3b77f34c6b4af8210f9f22644ca9c6e2357f453c54f39984a97b38101f42d44928b29f5a66eae9d6620a09851b47d1e, 0x48dabebf34300f1527a002359f6d3c163ac592d9e8b5fb4b3f8abf66a0729311c46fa662fa2f7400e05d7c5d27515ade9cc08d2512368fc2e32410a59c9fb70f, 0x132769a2e99ba475a56d1260f34a352954c5be314fb4cf7f35a4a636eed5e1d3d756776119c1dd27f2dc75a06c078f179d551ee15f604b928d1b60d5fd7701c3, 0x77d58d49a7c9131f37b79e281e0bc74717f31e608d896c71d6c371b8029be344c0d261326eaffb0be5a4cde37483159f2d141a6865b29ad8e1ff7e514d87cfcc, 0x3fad5058ae8b0e1af806f10f344750f7793274076b3401481da3fd654db9c0f12cfcbca7578f835ed9b362a878c7b9b1a144b06a875cf893d6d52af0019ee697, 0x957877839a1d9091df2d611a2243f3a481c1aa2af3454738066530a732a658968c1bc77394a063c557f8da99972a7d824b4aa045dd287ba0ec9ceaa9d4e58aef, 0x971995976225cca200f7664298dfebc3d72a428d042dead744019a7c84f106821baa6c6dc096453cf3eaf3109c66d7b50e214de59e89e2b5c04c4d90626ede11, 0x27cb279b7ff24e62f98b77f75ebbbbe7c7fa31018e2d345aa21de2b8c56e8bfbb5c383b7cb98fc1a49c9d82f497b7a6a36d7acf94ee1a5d891ac7cb4bae56a72, 0x8ac5151ce5eaca335347fc76d7273ed1dc42722221ae27a85a3f8d095025ebe8f4e6ce5a5dea6a263175e4612b6d673307aee0da5b8aff94f8bace77b1b6f54, 0xef55689d6f3de7bfb109803a861aa25310cc9542ed31503fd8ea376d08f81d60af09402b142c2c2d13297f2f129d79aeabfb14a5553f25570322f58252487c23, 0x9937349c6aecc5c533fd1aee1f5e1ab4c7bfaf078d3f03f4b30a4b4e039052bfe6060fb1a1bb39d340145387910307761c5474a2c37fa6591920a513adff2c66, 0xe5839710f0f7fd77cd4880e185547f678653980b213c92dd7cbe10cf0da9315a998d2fe9c8c009060a954fd8a2cddf7a19b410970b8dbb56629eddade8ed9ee5, 0xfff4a1773df4e303411dbd103db2147d4f49eb2153e043848c72fb442855acd5f71321d246d21cb9a9b1ed79cc384994ff68aaf4e46ab5b3f4c94f2fb68d8441, 0x1a97ef902380ec2223a8a756ef3351d18230b620d3cef0c49596d24f762f047dc148b1e82ac3d1e94ca8702cbea5cbc0cdf841d3b23d062182580b2fce1624cb, 0xbe2118c7db2f8677f6906d2fe92697c86c72dd4644ef87afe0bcbb7d9ebb516a80259c708831fe7b85c5dfb0215665a7ec17bc7852a34addb9160a05b0b5a2c, 0x6c0e643a08ab186d2ad85a1b0346921ceac406326957d8e79f0f56c6a00f51b9d14693b364fa7be3bbee2e527e9bcb73e4260782577aeb777be27a3e296b5e03, 0xc1bb2f017d2c30e8c91295dc6784184799913c68cc7ee11f7cd328e25c94413dcba0cc7d92ec7b170db0bef34648ce90882a9fb5ff3ccbc8f4786286f124a4ff, 0xcf5a857feb8f483847a193977ed6532b5a3b3f6d4bfd3c21507f66ce18bcc987f3b104b1f3e657028d8ce7c87a6b1d5b327db2568cd209c8d343b67943620250, 0x4a2b2cdbdf3d70c98b3ad872548ce258b32607f370dfc32d030ebffa731720804e3f751597c0bb80cd878a0d4f8a4b7120f35536f2f8831f095786f543e476a5, 0x3f20ac7028148dcde2fa827fad44e3c4263483f7fa879a6f1e99367ea1a6a4da527ed234c968efcf9423872e47a2d94fcd20d847578ab5ff30a358902b1e2787, 0xedd001110c436c4ccc30e11b5c959be8105a6c58920d50c95e987e0f8cb76619db2c88aebda7b30735d64776ead85c1a71bcb0e5699a6e4286b050a141f5d8b2, 0x1e28e7ad45184e920fb58d14b7d699c901507f6eee8532a88936f90550fcf33f969d5a9e35ebd475714d43a0a663ac31733c0230b9e47cd7783407558cdc4402, 0xc174e180053198d2dded1ed14af14e475eb52d6138278c321026367a22b1ed4e4cf1c09f7d9e8c94d3c11044d474a85e46e5195f7463ece07ea45b4c79c096a5, 0x81983d3b4612607ad124083463d3718e1840ce56c386274354a761298c94c468393ae5d62a216ce16448a35c1570d06241665929dc723fdda7fdffe0b307b93b, 0x70c066054fe3e43dddd7eb7cf56ba5c7e25ff915ee8c6edf6fa2eb462aaa13f676d875be734a68628a54cd18a8e9503d41bc2535058d3ac3732807656730576a] def get_seed(l): seed = 0 rand = random.getrandbits(l) print(rand) raw = list() while rand > 0: rand = rand >> 1 seed += rand raw.append(rand) if len(raw) == l: return raw, seed else: return get_seed(l) def find_seed(l): seed=0 rand = 2*l raw = list() while rand > 0: rand = rand >> 1 seed += rand raw.append(rand) return raw, seed def decrypt(m): l = len(m) res="" raw,seed=find_seed(8926184294774128254) random.seed(seed) for i in range(l): r = random.randint(1, 2**512) if i == 0: print("r0 =",r) if r!=r0: print("failure") res+= chr(r ^ m[i] ^ raw[i]) print(res) def main(): decrypt(data) if __name__=='__main__': main() ``` and we find : ``` python3 wu.py r0 = 1251602129774106047963344349716052246200810608622833524786816688818258541877890956410282953590226589114551287285264273581561051261152783001366229253687592 darkCON{user_W4rm4ch1ne68_pass_W4RM4CH1N3R0X_t0ny_h4cked_4g41n!} ``` The flag is **darkCON{user_W4rm4ch1ne68_pass_W4RM4CH1N3R0X_t0ny_h4cked_4g41n!}** ## Rookie Choice In this challenge, we are provided with the following code: ``` #!/usr/bin/env python3 from Crypto.Cipher import ARC4 # pip3 install pycryptodome import os KEY = os.urandom(16) FLAG = "******************* REDUCTED *******************" menu = """ +--------- MENU ---------+ | | | [1] Show FLAG | | [2] Encrypt Something | | [3] Exit | | | +------------------------+ """ print(menu) while 1: choice = input("\n[?] Enter your choice: ") if choice == '1': cipher = ARC4.new(KEY) enc = cipher.encrypt(FLAG.encode()).hex() print(f"\n[+] Encrypted FLAG: {enc}") elif choice == '2': plaintext = input("\n[*] Enter Plaintext: ") cipher = ARC4.new(KEY) ciphertext = cipher.encrypt(plaintext.encode()).hex() print(f"[+] Your Ciphertext: {ciphertext}") else: print("\n:( See ya later!") exit(0) ``` A quick google search indiquates that RC4 is not secure, and generates a keystream that is to be xored with the plaintext. In this case, the same key is used for all ciphering execution meaning that if we know the couple (plaintext,cipheredtext) we can recover the ciphering key. Hopfully, examples are provided... and the encrypted flag by the way. ``` +--------- MENU ---------+ | | | [1] Show FLAG | | [2] Encrypt Something | | [3] Exit | | | +------------------------+ [?] Enter your choice: 1 [+] Encrypted FLAG: 385e95136bdb2a66baa0593e27b8df03228f1785ea9925c768d08b74b06bffe27bd17da1aed51c21342026bdacb173f8 [?] Enter your choice: 2 [*] Enter Plaintext: abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz [+] Your Ciphertext: 3d5d841c4df203758189060d7ba5ef0460c90faeae890dc621dfb563a03cc5f728d42794ae8a08102f2766acece427f3c6514fc7 [?] Enter your choice: 2 [*] Enter Plaintext: 0000000000000000000000000000000000000000000000000000000 [+] Your Ciphertext: 6c0fd74818a4542dd8d35d5126fbb044218b4ceaebcf4a8e6895e431f36890a17f8c7ecef5d6554e706727eeafa062b58119068d8e15b3 [?] Enter your choice: 2 [*] Enter Plaintext: Plaintext [+] Your Ciphertext: 0c53861146e001659c [?] Enter your choice: 2 [*] Enter Plaintext: Attack at dawn [+] Your Ciphertext: 1d4b93194bff447c9cc3090061a5 [?] Enter your choice: 3 :( See ya later! ``` We deduce the key by using the 3rd execution ("00000...","6c0fd..."): ``` # https://en.wikipedia.org/wiki/RC4 p1="0000000000000000000000000000000000000000000000000000000" c1="6c0fd74818a4542dd8d35d5126fbb044218b4ceaebcf4a8e6895e431f36890a17f8c7ecef5d6554e706727eeafa062b58119068d8e15b3" key=[] for i,elt in enumerate(p1): key.append(ord(elt)^int("0x"+c1[i*2:2*i+2],16)) print(key) flag="385e95136bdb2a66baa0593e27b8df03228f1785ea9925c768d08b74b06bffe27bd17da1aed51c21342026bdacb173f8" _flag="" for i in range(0,int(len(flag)/2),1): elt=key[i] _flag+=chr(elt^int("0x"+flag[i*2:2*i+2],16)) #print(_flag) print(_flag) ``` and we get the following output: ``` python3 wu.py [92, 63, 231, 120, 40, 148, 100, 29, 232, 227, 109, 97, 22, 203, 128, 116, 17, 187, 124, 218, 219, 255, 122, 190, 88, 165, 212, 1, 195, 88, 160, 145, 79, 188, 78, 254, 197, 230, 101, 126, 64, 87, 23, 222, 159, 144, 82, 133, 177, 41, 54, 189, 190, 37, 131] darkCON{RC4_1s_w34k_1f_y0u_us3_s4m3_k3y_tw1c3!!} ``` The flag is **darkCON{RC4_1s_w34k_1f_y0u_us3_s4m3_k3y_tw1c3!!}** ## La Casa De Tuple (L.C.D.T) In this case we have a readme file: ``` == name == Risk Security Analyst Alice Vs Eve == category == crypto == difficulty == medium == author == r3yc0n1c == description == La Casa De Tuple (L.C.D.T) is a Company in Spain which provides their own End-to-end encryption services and Alice got a job there. It was her first day and her boss told her to manage the **secrets** and encrypt the user data with their new End-to-end encryption system. You are Eve and you're hired to break into the system. Alice was so overconfident that she gave you everyone's keys. Can you break their new encryption system and read the chats? ``` We know Alice private Key: ``` Alice's private key: =================== n: 134871459832923860099882590902411996710996766501756653086495354300954191050110475349218593219906710987168729946490859346117437393705213066464123381634516073655104369957424501917959364716066521838138728063315157921217685558557422845878448233922585713677077217815414960315913375048754314176130997193108410703707 e: 65537 d: 19546349779408743507159083393977587389734764914989772052665408473846268620686776856842366882870347146743497520969378855752070133900119225861364479282918556646891456167647366904804199245738822376442388779257291859758735359459148377679538927373263135165396852614400167982261412234666697210259242937381901648593 ``` we know others public keys: ``` Alice: (65537,134871459832923860099882590902411996710996766501756653086495354300954191050110475349218593219906710987168729946490859346117437393705213066464123381634516073655104369957424501917959364716066521838138728063315157921217685558557422845878448233922585713677077217815414960315913375048754314176130997193108410703707) Bob: (68719476737,134871459832923860099882590902411996710996766501756653086495354300954191050110475349218593219906710987168729946490859346117437393705213066464123381634516073655104369957424501917959364716066521838138728063315157921217685558557422845878448233922585713677077217815414960315913375048754314176130997193108410703707) Charlie: (4294967297,134871459832923860099882590902411996710996766501756653086495354300954191050110475349218593219906710987168729946490859346117437393705213066464123381634516073655104369957424501917959364716066521838138728063315157921217685558557422845878448233922585713677077217815414960315913375048754314176130997193108410703707) Dan: (1048577,134871459832923860099882590902411996710996766501756653086495354300954191050110475349218593219906710987168729946490859346117437393705213066464123381634516073655104369957424501917959364716066521838138728063315157921217685558557422845878448233922585713677077217815414960315913375048754314176130997193108410703707) Erin: (16777217,134871459832923860099882590902411996710996766501756653086495354300954191050110475349218593219906710987168729946490859346117437393705213066464123381634516073655104369957424501917959364716066521838138728063315157921217685558557422845878448233922585713677077217815414960315913375048754314176130997193108410703707) ``` It smells RSA, they all share the same N=p*q, but not the same public exponent "e". But we know (e,d,N) from Alice, is it possible to factor N by knowing (e,d) ? Answer is "Yes". The following code do the job (the algoritm can be easily found on google and dedicated forums): Warning: not an optimal code ``` import binascii import random Alice= b'\xa5\x8f\x82\xf08\xeaH"7\x08:\x02^\xa1\x98\x86<^\x86\x8d\xd5o\xcb\x80\xa2+\x83\x8dQ\xf8\xf7\xf6)3\x15J\xa0s\xc6\xea_\xa3\x0c3\x8aB\xee\xee\xbb\xa4\xe7\xe4\xe9\x01P\x18J\x1e-H>\xff1I\xed\xfaN\x08\xcb\x8b3\xeb\x95\x174\xcb\xef\xe9x\xf7\xf9\xa2eV\x89\x80\x1c\x16`\xaf&\x17\xfa,\x95W\x17Oj\xf2\xba\xfb\xb3\xbe\xca\xe1\x16\xccZ\x16:L\xc4\x82\xbe\xc3\xeb,\xefTx\x83\xcd\xdbw\xf7\xe9\xb1' Bob= b'd\xd7\xa9i\x1f!I\xed\xbb\x811\x06\xa2\xb7\x9f\xc7\xdf\xb2L\x15\x10\xea~\x94\x85P\xa0U\xf9\x15v\xa2h\xe6\xb2\xfe\x1b\xdd\x01v\x1a\x85\x85\xc5\xd5\x9e{\x9e\x01&Xh$\xc5\xc4\xbb\x15\xb1\x89y\x94\xaa\xbb\x19P\x8a;u\xc6\\$9\n(\xfc\xccC\xb4\xba\x12UZ3\xdd\xaa\xd5\xa5\xc0{a\x1a?\xf5@\xf4\xfb}w\xb7&\xb2\xb1p\x89j\xd1\xc6\xc4g.g\x17j\x13\xde\x17\x0e\n$\xdcg\x02\x90\xc9\xff\x1a\xc9C' Charlie= b"\xab\xa8HX\xc0\xce\x10DLpm(1O\xbfW[\xf4\xfdm*\xc0\xb2\x14\x86\xa0`\x1fd\xdc\x8a\x86\x8f;Y\x16\xe0.\xea;)\xa9k\xff\xb2\x00F\xfaQ\xa4\xb2\xc4'I\xb3\x84[\xf52\xb1\xda.?\xf9\xd5.\\tZ\xcd*\t\xb6b\x13\xdf\x0eX\xbd\xe8\xf4B\x1d\x1aJ\x98U?#\xc9\x82\xe0W\xc5\xd2\xfb\xb1\xb8\x13C\x90\xad*m\x06\x95@\xcc\xb4\xf0\xdb\x9a\t\x85\x16\xed\xd3\x84\x18\x11\xe3\x90Z\xbd\xab\x1a\x0bE" Dan= b'\x84\x876\xa9\xaf\xdd\x11\xdd;c\x99\xeb(\x8d\xe1\xcf\tL\xcf\x12I\xc5\xb4\tl\xaf3\x8ak"a]\x11\x9bG\xf0\nL\x9f\xa0\xdc\xab\x0c\xeeD\x89\xc1\xb8\x15c\x93\xed)\x1d\xf8\xc2w\xb7\xea\xe2\xf5\xa4\x00*o\x13;\t\x11\xe4\xb5\n\xae{\xd9\x8f\x00\n\x96w\x90\xd8?m\xe9\x9b\x11\xd5\xda\xf9\xdb\x91\xce\xa3\xba$\xe8\xfe\xde\xd3YZT\x95\xb1\xf6\xfcrWh\xd8T\x07Q\xdb\x98\xf8\xc3y\xcd_,\xa3\xb23\x88\xbb\xa2' Erin= b'\x92?\xe0#\x01z\xf8\xa0\xe8c\xd8w\x9b\x19l\xa1\xba\xaf\xf5m2\x193\x96)\x13\x1c5\x12\xac\x9c\xba|\x19\xb8\xfe\xbe\xc8\xb7\xc0u\xe8{G\x0f\xfa\x9d\x9d\xc0\x01\xbe\x08\x16\x15(;U)pH\xc1 b\xa6FR\xef\xa3\x11\x80\xef\xda\x97\xc0\x9e\\\xeds3Y\xf9B{)>\xed\x97\xf9q\x99\xb4\xb8\xe9A\x9f\x9e\xc6\x9bs\x0f\x12\xcd\x82\xf8ad7qH\x7f\x12\x11\x07\xa5Ws`w*\x15\xa1e6\xb7\x03\xdb\xde\x8d' print("Alice") print(Alice.encode("hex")) n= 134871459832923860099882590902411996710996766501756653086495354300954191050110475349218593219906710987168729946490859346117437393705213066464123381634516073655104369957424501917959364716066521838138728063315157921217685558557422845878448233922585713677077217815414960315913375048754314176130997193108410703707 e= 65537 d= 19546349779408743507159083393977587389734764914989772052665408473846268620686776856842366882870347146743497520969378855752070133900119225861364479282918556646891456167647366904804199245738822376442388779257291859758735359459148377679538927373263135165396852614400167982261412234666697210259242937381901648593 msg=hex(pow(int("0x"+Alice.encode("hex"),16),d,n)) print(str(msg)[2:-1].decode("hex")) def pgcd(a,b): """pgcd(a,b): calcul du 'Plus Grand Commun Diviseur' entre les 2 nombres entiers a et b""" if b==0: return a else: r=a%b return pgcd(b,r) k=e*d-1 g=27 s=2 x=0 y=0 while 1: x=int(pow(g,k/s,n)) y=int(pgcd(x-1,n)) #print(int(x),int(y)) if x>1 and y>1: #print(x,y) break #print(k/s) if k/s==0: g=random.randint(1,n-1) s=2 s*=2 print(y) print(n/y) p=y q=n/y print((p,q)) #p=115 def bezout(a, b): ''' Calcule (u, v, p) tels que a*u + b*v = p et p = pgcd(a, b) ''' if a == 0 and b == 0: return (0, 0, 0) if b == 0: return (a/abs(a), 0, abs(a)) (u, v, p) = bezout(b, a%b) return (v, (u - v*(a/b)), p) def inv_modulo(x, m): ''' Calcule y dans [[0, m-1]] tel que x*y % abs(m) = 1 ''' (u, _, p) = bezout(x, m) if p == 1: return u%abs(m) else: raise Exception("%s et %s ne sont pas premiers entre eux" % (x, m)) e=68719476737 phi=(p-1)*(q-1) d=inv_modulo(e,phi) print("Bob") msg=hex(pow(int("0x"+Bob.encode("hex"),16),d,n)) print(str(msg)[2:-1].decode("hex")) e=4294967297 phi=(p-1)*(q-1) d=inv_modulo(e,phi) print("Charlie") msg=hex(pow(int("0x"+Charlie.encode("hex"),16),d,n)) print(str(msg)[2:-1].decode("hex")) e=1048577 phi=(p-1)*(q-1) d=inv_modulo(e,phi) print("Dan") msg=hex(pow(int("0x"+Dan.encode("hex"),16),d,n)) print(str(msg)[2:-1].decode("hex")) e=16777217 phi=(p-1)*(q-1) d=inv_modulo(e,phi) print("Erin") msg=hex(pow(int("0x"+Erin.encode("hex"),16),d,n)) print(str(msg)[2:-1].decode("hex")) ``` and we get: ``` Alice a58f82f038ea482237083a025ea198863c5e868dd56fcb80a22b838d51f8f7f62933154aa073c6ea5fa30c338a42eeeebba4e7e4e90150184a1e2d483eff3149edfa4e08cb8b33eb951734cbefe978f7f9a2655689801c1660af2617fa2c9557174f6af2bafbb3becae116cc5a163a4cc482bec3eb2cef547883cddb77f7e9b1 Hi everyone! Are you enjoing darkCON? (11635054504921733826196411324113633422484567025939176480557681377109499625813425045440075923029853047713076440712050521568931550034720072522577709065411181L, 11591820199541996689109613653787526255588052136591796590965030492566464176562040269220119399461110340988231294335751866203503669710592217665562209443382247L) Bob Hell yeah! Charlie, do you have the secret thing? Charlie Got it! darkCON{4m_I_n0t_supp0sed_t0_g1v3_d???} Dan [Sush]...[Sussshhh]... Eve Eve...Eve is there! Erin Nah...She doesn't even have our Private Keys ``` The flag is **darkCON{4m_I_n0t_supp0sed_t0_g1v3_d???}** That's all folks !!! Electro