Tags: crypto bleichenbacher 

We are given a public key and a way to obtain a token, which we are told is some data (presumably the flag) encrypted with RSA and PKCS#1 v1.5 padding using the private key corresponding to the provided public key. We are also given a way to check whether a token is correct. Submitting a malformed version of one of the issued tokens to the token checker yields the response "Could not decrypt token". In reality, any number can be decrypted using RSA, so this message really means that the padding was incorrect.
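
The distinction described above, as an added example (not the challenge's code): a token checker that reports padding failures separately, beside one that gives a single answer for every failure. The toy key, the function names and the "OK" / "Invalid token" responses are assumptions; only "Could not decrypt token" comes from the challenge.

```python
import hmac
import os

# Constructed toy key (two Mersenne primes); far too small for real use.
P, Q, E = 2**89 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes (25 here)

def pad_encrypt(msg: bytes) -> int:
    """Encrypt as 00 02 <nonzero random bytes> 00 <msg> (PKCS#1 v1.5)."""
    ps_len = K - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(b % 255 + 1 for b in os.urandom(ps_len))  # nonzero filler
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), E, N)

def unpad(em: bytes):
    """Return the message, or None if the block is not PKCS#1 v1.5 conforming."""
    if len(em) != K or em[0] != 0 or em[1] != 2:
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:  # no separator, or fewer than 8 padding bytes
        return None
    return em[sep + 1:]

def rsa_decrypt_block(c: int) -> bytes:
    # Raw RSA: always yields some integer below N, whatever c is.
    return pow(c, D, N).to_bytes(K, "big")

def check_token_leaky(c: int, expected: bytes) -> str:
    msg = unpad(rsa_decrypt_block(c))
    if msg is None:
        return "Could not decrypt token"  # reveals the padding verdict
    return "OK" if msg == expected else "Invalid token"

def check_token_uniform(c: int, expected: bytes) -> str:
    # Same answer for bad padding and wrong content. Timing can still
    # differ, so this narrows the oracle rather than proving it gone.
    msg = unpad(rsa_decrypt_block(c))
    ok = msg is not None and hmac.compare_digest(msg, expected)
    return "OK" if ok else "Invalid token"
```

A uniform error message removes only the visible signal; moving the token format to RSA-OAEP is the more robust fix.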

In summary, we have an RSA PKCS#1 v1.5 padding oracle and the corresponding public key. In 1998, Daniel Bleichenbacher published a paper showing how to decrypt arbitrary RSA ciphertexts (even ones encrypted with a different padding scheme!) given exactly these two things. The paper can be found here:

http://archiv.infsec.ethz.ch/education/fs08/secsem/bleichenbacher98.pdf

Using an implementation of the paper's algorithm, based mostly on pybleach, we are able to decrypt the token, which simply contains a PKCS#1 v1.5-padded flag.