[Link to original writeup](https://wrecktheline.com/writeups/m0lecon-2021/#README__1_)

# babysign (71 solves, 88 points)
by Qyn

```
It's just a warmup, don't take it too seriously.

Author: mr96
```

We're given the source code of the signing server. The fourth option signs `flag + msg`, where we control `msg`. The sign function takes the last 32 bytes of `flag + msg`, hashes them with SHA-256, and XORs the digest with the first 32 bytes of `flag + msg`. It then computes the RSA signature of that value, `result^d mod N`:
```py
sign = pow(bytes_to_long(sha256(m[1]).digest())^bytes_to_long(m[0]), d, n)
```
We can reverse this by raising the signature to the public exponent: `pow(result, e, n)`. This gives us the XORed value from before. We then just need to XOR it again with the `sha256` of our input, assuming `len(flag) <= 32`.

```py
from Crypto.Util.number import bytes_to_long, long_to_bytes
from hashlib import sha256

N = 26520200839907055488316900583204285981096861449535524257579603735444426331226184269474825392935096863722852126610269098774369075650068933756649212271510912207692140738001791464019224867356444767663936263428540368608762519547695352714372772499512068858323845470385756463343301331688657568171139448599032845049772793164181880735755191266201572758136910165497495897432705474435202322032306872202910217339382027879038357022082284577350121565904195113734993556940514887057412280613496527742285807768927998107880174981931453581118627787927035630482255765205043939406988081270187323381301912680105462776748677828089931025201
e = 65537

enc = 0x5a9e5df27d97143f723258817c69f38ac5f95edc959f2e9861736412f3bec772db62c916dec57b5608162cb32f1b82e0900fa8d335cd03a0ee064746985b97ef552fea4aafbf6770fe3420dad0f7710481ad09fcb921682b7ea95b56b1415f48d1623d80fd28276ca63faab5c6eb45696f270a3e29e7a6be474f6fa7ddbaf13b8e75c0be9a3d45149ed3d031a74c3f3c6265c87df0b7bdc3939753093a8dfeefaf4ffac0727c75b1e3d3fc9c0aea187dee8eaf6fe31c79eb3fde9415834ac5abecd41a62b07cb5344e7c628c88123c948dc1b612e9d66eb017a0538a74b22f7afab1dd1d3ef67a9cb8cbd0a8406abce55bee029b10121d5aa5a81e1ca638e2c7

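# Undo the private-key operation with the public exponent: (x^d)^e = x mod N
dec = pow(enc, e, N)

# Mask the server XORed in: sha256 of the 32 bytes of input we sent
m = bytes_to_long(sha256(b"A"*32).digest())

print(long_to_bytes(dec ^ m))

# ptm{n07_3v3n_4_ch4ll3n63}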
```

This will give us the flag:
`ptm{n07_3v3n_4_ch4ll3n63}`
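The same flaw end to end, next to a signer that hashes the whole input, as an added example (not code from the challenge or the original writeup). The key, `FLAG`, the function names and the `data[:32]` / `data[-32:]` split are assumptions made here from the description above.

```python
from hashlib import sha256

# Constructed toy key: two Mersenne primes, chosen only so the example runs
# offline with the standard library. Not a secure RSA key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

FLAG = b"flag{constructed_example}"  # placeholder secret, not the real flag


def split(data: bytes):
    """First and last 32 bytes of flag + msg (assumed split, see lead-in)."""
    return data[:32], data[-32:]


def weak_sign(msg: bytes) -> int:
    """Server side: (sha256(tail) XOR head)^d mod N."""
    head, tail = split(FLAG + msg)
    masked = int.from_bytes(sha256(tail).digest(), "big") ^ int.from_bytes(head, "big")
    return pow(masked, D, N)


def recover_head(sig: int, msg: bytes) -> bytes:
    """Public-key side: undo the signature with e, then strip the known mask.
    Requires len(msg) >= 32 so the hashed tail is entirely our own input."""
    masked = pow(sig, E, N)
    mask = int.from_bytes(sha256(msg[-32:]).digest(), "big")
    return (masked ^ mask).to_bytes(32, "big")


def hashed_sign(msg: bytes) -> int:
    """Contrast: sign a digest of the whole input, so sig^e mod N is only a hash.
    A real service would use a padded scheme such as RSASSA-PSS."""
    digest = sha256(FLAG + msg).digest()
    return pow(int.from_bytes(digest, "big"), D, N)


if __name__ == "__main__":
    msg = b"A" * 32
    print(recover_head(weak_sign(msg), msg))          # first 32 bytes of FLAG + msg
    opened = pow(hashed_sign(msg), E, N).to_bytes(32, "big")
    print(opened == sha256(FLAG + msg).digest())      # True: only a digest comes back
```

The recovered block is the first 32 bytes of `flag + msg`, so a flag shorter than 32 bytes comes back followed by the start of our own input.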
