> In RSA, a small e value can be problematic, **but what about N**? Can you decrypt this?

## How RSA works

1. $c^d \equiv m \pmod{n}$
2. $m^e \equiv c \pmod{n}$
3. $d \equiv e^{-1} \pmod{\phi(n)}$

Here $m$ is the message (plaintext) and $c$ is the ciphertext.

If $n$ is small, we can factor it (tool 1: https://www.dcode.fr/euler-totient, tool 2: http://factordb.com/) and learn what $p$ and $q$ are. After acquiring $p$ and $q$, we can calculate $\phi(n)=(p-1)(q-1)$, then calculate `d=pow(e,-1,phin)` using Python.

### Proof of RSA

![](https://hackmd.io/_uploads/Skb5K5nsn.png)

(source: https://drive.google.com/file/d/1EURAqSaG2Mn0w0j70rI0Ph100CzXANty/view)

## Writeup

1. Use FactorDB to get the values of $p$ and $q$

   ![](https://hackmd.io/_uploads/rJ8hn9hsn.png)

2. Use Python to decode it

   ```python
   from Crypto.Util.number import long_to_bytes  # PyCryptodome

   # Factors of n, taken from FactorDB
   p = 1593021310640923782355996681284584012117
   q = 521911930824021492581321351826927897005221
   c = 240986837130071017759137533082982207147971245672412893755780400885108149004760496
   e = 65537

   n = p * q
   phin = p * q - p - q + 1  # (p-1)*(q-1), expanded
   d = pow(e, -1, phin)      # modular inverse of e (Python 3.8+)
   m = pow(c, d, n)          # m = c^d mod n
   print(m)
   print(long_to_bytes(m))
   ```

Output:

```shell
┌──(kali㉿kali)-[~]
└─$ /bin/python /home/kali/code/rsa.py
13016382529449106065927291425342535437996222135352905256639592405461024281868413
b'picoCTF{sma11_N_n0_g0od_23540368}'
```

### Easier way

![](https://hackmd.io/_uploads/rkqEn53jn.png)

Note that *✔ P,Q computed with N (FactorDB database)* is mentioned.
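
The defender's side of the same weakness, as an added example that is not part of the original writeup: a key audit that flags a modulus below a length floor and tries a bounded Pollard's rho factorization to show when $d$ falls out cheaply. `MIN_RSA_BITS`, `pollard_rho`, `audit_modulus` and the sample modulus (built from two Mersenne primes) are assumptions made for this illustration.

```python
import math

MIN_RSA_BITS = 2048  # assumed policy floor for RSA moduli
# Constructed sample modulus: two Mersenne primes, (2**19 - 1) * (2**31 - 1).
SAMPLE_N = 524287 * 2147483647

def pollard_rho(n, max_steps=20_000):
    """Return a non-trivial factor of n, or None once the step budget is spent."""
    if n % 2 == 0:
        return 2
    for c in (1, 2, 3):                  # retry with another polynomial x^2 + c
        x = y = 2
        for _ in range(max_steps):
            x = (x * x + c) % n          # tortoise: one step
            y = (y * y + c) % n          # hare: two steps
            y = (y * y + c) % n
            g = math.gcd(abs(x - y), n)
            if g == n:                   # cycle closed without splitting n
                break
            if g > 1:
                return g
    return None

def audit_modulus(n, e=65537):
    """Report key length and whether a cheap factorization exposes d."""
    report = {"bits": n.bit_length(),
              "too_short": n.bit_length() < MIN_RSA_BITS,
              "factored": False}
    f = pollard_rho(n)
    if f is None:
        return report
    p, q = sorted((f, n // f))
    phi = (p - 1) * (q - 1)
    report.update(factored=True, p=p, q=q)
    if math.gcd(e, phi) == 1:
        d = pow(e, -1, phi)              # same step as the writeup's solver
        m = 0x1337 % n                   # constructed test message
        report["roundtrip_ok"] = pow(pow(m, e, n), d, n) == m
    return report

if __name__ == "__main__":
    print(audit_modulus(SAMPLE_N))
```

On the writeup's own modulus the bounded rho search gives up, yet `too_short` is still set: the length check, not the cheap factoring attempt, is what should reject such a key.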