# babysign (71 solves, 88 points)
by Qyn


It's just a warmup, don't take it too seriously.

Author: mr96


We're given the source code of the signing server. With the fourth option, we can sign `flag + msg`, where we control `msg`. The sign function takes the last 32 bytes of `flag + msg`, hashes them with SHA-256 and XORs the digest with the first 32 bytes of `flag + msg`. It then computes the RSA signature of that value, `result^d mod N`:

```py
sign = pow(bytes_to_long(sha256(m[1]).digest())^bytes_to_long(m[0]), d, n)
```

We can reverse this by taking the signature and computing `pow(result, e, n)`, since the public exponent undoes the private-key operation. This gives us the XORed value from before. We then only need to XOR it again with the SHA-256 of our input, assuming `len(flag) <= 32`.

```py
from Crypto.Util.number import bytes_to_long, long_to_bytes
from hashlib import sha256

flagLeng = 24

# Public key of the signing server
N = 26520200839907055488316900583204285981096861449535524257579603735444426331226184269474825392935096863722852126610269098774369075650068933756649212271510912207692140738001791464019224867356444767663936263428540368608762519547695352714372772499512068858323845470385756463343301331688657568171139448599032845049772793164181880735755191266201572758136910165497495897432705474435202322032306872202910217339382027879038357022082284577350121565904195113734993556940514887057412280613496527742285807768927998107880174981931453581118627787927035630482255765205043939406988081270187323381301912680105462776748677828089931025201
e = 65537

# Signature returned by option 4 for msg = b"A"*32. The value is not included in
# this write-up; reading it as an integer (decimal or 0x-prefixed) is an assumption.
enc = int(input("signature: "), 0)

# Undo the private-key operation with the public exponent:
# dec = sha256(last 32 bytes) ^ first 32 bytes of flag + msg
dec = pow(enc, e, N)

# SHA-256 of the 32 bytes we sent
m = bytes_to_long(sha256(b"A"*32).digest())

print(long_to_bytes(dec ^ m))

#ptm{n07_3v3n_4_ch4ll3n63}
```

This will give us the flag:

```
ptm{n07_3v3n_4_ch4ll3n63}
```
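
A local reproduction of the flaw described above, as an added example that is not part of the original write-up or the challenge source: the key (two Mersenne primes), the placeholder `FLAG` and all function names are constructed for illustration. It also includes a digest-only variant to show that the same public-key inversion then yields only a hash, not the secret.

```python
from hashlib import sha256

# Constructed toy key: two Mersenne primes, for a reproducible offline demo only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

FLAG = b"flag{constructed_example}"  # placeholder secret, not the challenge flag


def to_int(data: bytes) -> int:
    return int.from_bytes(data, "big")


def sign_as_described(msg: bytes) -> int:
    """Scheme from the write-up: (sha256(last 32 bytes) XOR first 32 bytes)^d mod N."""
    data = FLAG + msg
    head, tail = data[:32], data[-32:]
    return pow(to_int(sha256(tail).digest()) ^ to_int(head), D, N)


def sign_digest_only(msg: bytes) -> int:
    """Variant: only a digest of the whole input is exponentiated.
    Still unpadded RSA; real deployments use a padded scheme such as RSASSA-PSS."""
    return pow(to_int(sha256(FLAG + msg).digest()), D, N)


def recover_head(signature: int, msg: bytes) -> bytes:
    """What any public-key holder can compute; assumes len(msg) >= 32."""
    mixed = pow(signature, E, N)              # public exponent undoes ^d
    mask = to_int(sha256(msg[-32:]).digest())  # hash of bytes the caller chose
    return (mixed ^ mask).to_bytes(32, "big")


if __name__ == "__main__":
    msg = b"A" * 32
    print(recover_head(sign_as_described(msg), msg))  # secret bytes in the clear
    print(recover_head(sign_digest_only(msg), msg))   # unrelated 32 bytes
```

The first call returns the secret followed by the start of the padding message because the secret itself sits inside the signed value; the second returns only the XOR of two digests.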