Rating: 5.0
# babycrypto3
We are given a `pub.pem` file. Load it into pycryptodome and we see that the bit length of `n` is very small so it can be factorized. Using `msieve` we get the two factors `p` and `q` of `n`. Later on the CTF, that was doable with RSACTFTool since a kindered soul decided to publish the factorization on factordb. We can then decrypt with the following:
```python
from Crypto.PublicKey import RSA
from Crypto.Util.number import long_to_bytes, bytes_to_long
from Crypto.Cipher import AES, PKCS1_OAEP
from base64 import b64decode
from base64 import b64encode
with open('pvt.pem', 'r') as f:
key = RSA.import_key(f.read())
with open('ciphertext.txt', 'rb') as f:
cipher = bytes_to_long(f.read())
assert key.d == pow(key.e, -1, (key.p-1)*(key.q-1))
print(long_to_bytes(pow(cipher, key.d, key.n)))
```
We get the following string
```
\x02`g\xff\x85\x1e\xcd\xcba\xe5\x0b\x83\xa5\x15\xe3\x00Q0xPU0lORyBUSEUgRElTVEFOQ0UuCg==\n
```
We can see that there is some base64 at the end. When we decrypt that, we get something readble. Place that in the flag format and BINGO.
```python
# decrypt the b64 at the end and put it in the flag format afterwards
m = "Q0xPU0lORyBUSEUgRElTVEFOQ0UuCg=="
print(b64decode(m))
# LINECTF{CLOSING THE DISTANCE.}
```