# Dachshund Attacks

Category: Cryptography

AUTHOR: SARA

## Description
```
What if d is too small?
```

## Research

After connecting with netcat:
```
Welcome to my RSA challenge!
e: 24306145239119831891057822826171152463533310560588061481342282082293832877043229140944546638772209266341357024664926986499282658640654836421168385674155158010757034371368551464449266158342531284923781100460337336731237334995747794173427317983442414014866351103394165986951821807429589876087730750588747227475
n: 113879656614968219315002292792785016300283621066264891462746855897849984541260238077395872179414479414351940265337417733895597641292673333616687328592787030278301325411879910209868945485563446678554667658812834112484496059760537701323622763502114387050535004354955498047452244677269702789571760082735759416661
c: 33975267070546558291376396894156641020103607950277145572215677351937011883386332628721280056087182329858563172091251439777476221940648453840314586019058031879889240891587737579019948125735285606842093451632409848923515598366204079628214398453946777088376520333236232456361563632867701193232209996182065102638
```
Great, so we have pretty big values. Maybe the name of the challenge could help? Try Googling `Dachshund`. A dog that (Americans I think) call a Wiener dog (not kidding). Maybe this has something to do with RSA? Try googling `Wiener RSA`. You should find [this](https://en.wikipedia.org/wiki/Wiener%27s_attack) Wikipedia article. Nice! So maybe we can attack it? Then I searched for existing implementations of this attack in python and found [this](https://github.com/pablocelayes/rsa-wiener-attack/blob/master/RSAwienerHacker.py).

## Clone and edit

So just `git clone` the tool and edit the `RSAwienerHacker.py` source like so:
```py
if t!=-1 and (s+t)%2==0:
print("Hacked!")
print(d)
return d
```
Just let it print `d`. Then give the function the values and run:
```
d = 30478129286063770625826157267481725440648795386122572986908262146195842369909
```
Great, then I just ran these commands in the python interpreter:
```py
>>> d = 30478129286063770625826157267481725440648795386122572986908262146195842369909
>>> c = 19670829373448227336612091371853437715641143369845978105227955250203929596122162379586823049655885463258494241031020759090289294678934795410036506457875839111151900146085356632197127300732370877258215371139186168365001274223287909907133192431779175983967706830025744307582355098871766511313408031034363234933
>>> pow(c,d,n)
198614235373674103788888306985643587194108045477674049828581286653845845629
>>> from Crypto.Util.number import long_to_bytes
>>> long_to_bytes(198614235373674103788888306985643587194108045477674049828581286653845845629)
b'picoCTF{proving_wiener_5086186}'
```
There we go!

Original writeup (https://github.com/xnomas/PicoCTF-2021-Writeups/tree/main/Dachshund_Attacks).