Rating:

# Internetwache CTF 2016 : Oh Bob!

**Category:** Crypto

**Points:** 60

**Solves:** 167

**Description:**

> Description: Alice wants to send Bob a confidential message. They both remember the crypto lecture about RSA. So Bob uses openssl to create key pairs. Finally, Alice encrypts the message with Bobâ€™s public keys and sends it to Bob. Clever Eve was able to intercept it. Can you help Eve to decrypt the message?

> Attachment: [crypto60.zip](./crypto60.zip)

## Write-up

We are given 3 RSA public keys (bob.pub, bob2.pub, bob3.pub), and 3 secrets encrypted with openssl in secret.enc.

Our goal is to decrypt them to get the flag.

We first extracted the modulus and exponent from each of the 3 public keys using the following command

```sh

$ openssl rsa -pubin -inform PEM -text -noout < bob.pub

Modulus (228 bit):

0d:56:4b:97:8f:9d:23:35:04:95:8e:ed:8b:74:43:

73:28:1e:d1:41:8b:29:f1:ec:fa:80:93:d8:cf

Exponent: 65537 (0x10001)

```

(Thanks to stackoverflow and the answer to this question: http://stackoverflow.com/questions/3116907/rsa-get-exponent-and-modulus-given-a-public-key)

After repeating this for all keys and converting to decimal, we got the following 3 public key pairs:

bob.pub

```

n = 359567260516027240236814314071842368703501656647819140843316303878351

e = 65537

```

bob2.pub

```

n = 273308045849724059815624389388987562744527435578575831038939266472921

e = 65537

```

bob3.pub

```

n = 333146335555060589623326457744716213139646991731493272747695074955549

e = 65537

```

The moduli are relatively small, and can be factored in a few minutes using the Quadratic Sieve or GNFS algorithms (we used the Msieve program).

From p and q, we can then find phi(n) = (p-1)*(q-1) and the private exponent d = e^(-1) mod phi(n). We used WolframAlpha for the computations.

We now theoretically have all necessary data to decrypt the message, but our knowledge of the openssl file formats was somewhat limited

so we had to look around until we found this helpful tutorial on manually building RSA private keys from the parameters:

http://stackoverflow.com/questions/19850283/how-to-generate-rsa-keys-using-specific-input-numbers-in-openssl

From this we see that some additional data is required (openssl probably uses the Chinese Remainder Theorem optimization for RSA),

which we calculate as well with WolframAlpha. After all the parameters were calculated and stored in the right format, in the following files:

[private1](./private1)

[private2](./private2)

[private3](./private3)

The binary DER files were then generated using

```sh

$ openssl asn1parse -genconf private1 -out key1.der

0:d=0 hl=3 l= 154 cons: SEQUENCE

3:d=1 hl=2 l= 1 prim: INTEGER :00

6:d=1 hl=2 l= 29 prim: INTEGER :0D564B978F9D233504958EED8B744373281ED1418B29F1ECFA8093D8CF

37:d=1 hl=2 l= 3 prim: INTEGER :010001

42:d=1 hl=2 l= 29 prim: INTEGER :010266F631885301D037017A38F3B3196B3491CE1C97007055FD220001

73:d=1 hl=2 l= 15 prim: INTEGER :0375AC9161AD7E431EBDDF01E514CF

90:d=1 hl=2 l= 15 prim: INTEGER :03DAE2E1D28965D328B06D615DFC01

107:d=1 hl=2 l= 15 prim: INTEGER :01AFC69781B5210EFBD7B8F6A585C5

124:d=1 hl=2 l= 14 prim: INTEGER :105E58FE83F6E364B6606A100401

140:d=1 hl=2 l= 15 prim: INTEGER :CD8DEAFC5A1B933414DA0A5CCA95

```

to obtain the files

[key1.der](./key1.der)

[key2.der](./key2.der)

[key3.der](./key3.der)

The secrets are finally decrypted using the following command:

```sh

$ echo "DK9dt2MTybMqRz/N2RUMq2qauvqFIOnQ89mLjXY=" | base64 -D | openssl rsautl -keyform DER -inkey key1.der -decrypt

IW{WEAK_R

$ echo "CiLSeTUCCKkyNf8NVnifGKKS2FJ7VnWKnEdygXY=" | base64 -D | openssl rsautl -keyform DER -inkey key2.der -decrypt

SA_K3YS_4R

$ echo "AK/WPYsK5ECFsupuW98bCFKYUApgrQ6LTcm3KxY=" | base64 -D | openssl rsautl -keyform DER -inkey key3.der -decrypt

3_SO_BAD!}

```

(Notice that the order of the last two messages is inverted. The 3rd message was encrypted with key2, and the 2nd with key3).

After combining the 3 messages, we get the flag:

> IW{WEAK_RSA_K3YS_4R3_SO_BAD!}

# CTF-Writeups

Original writeup (https://github.com/ernacktob/CTF-Writeups/tree/master/Internetwache-CTF-2016/crypto60).