# baby_RSA

q1 : the server gave me
```
n = 185063385289091
e = 65537
ct = 55694727860139
```

n is too small so we can use factordb to get p , q
```
p = 16287317
q = 11362423
```

q2 :
```
n = 12347448648776893189566532619036563562480525660820263086702822672522098528734929074125965819944710650985212740765506206272168385990942482859944690513847960438837162763090832356777572036466407019256875307199111496998817558617131931111458443194115000444562077096351483370235071231398774800846778854148388513900052482628156850399468110278874042653969807262517330200217180503876129837759281408118590665789085541384771890179428393845354798537531187091427794887705974473631938190765328475090487140432877479904438492650145220684654503591690354167485580941256159270461045792982254129409195041570137614437640695994787420615401
e = 3
ct = 26480272848384180570411447917437668635135597564435407928130220812155801611065536704781892656033726277516148813916446180796750368332515779970289682282804676030149428215146347671350240386440440048832713595112882403831539777582778645411270433913301224819057222081543727263602678819745693540865806160910293144052079393615890645460901858988883318691997438568705602949652125

```
e is too small and we know that
plaintext = e root (((n * k + ciphertext ) ))
so we can use bruteforce
```python
from gmpy2 import iroot
for i in range(100000):
m , j = iroot((n * i + ct ) , e )
if j :
print(m)
```



q3 :
```
n = 73716843574352951236588243934248480698132624417496345851966682591574212605147077702330878612113346228865858282119350707786530411593816226713041914526177389179378211608498488931990100350808611832491922263600393791957710547676740875194991618016137166706547491415699492033815966939572751531498560879804859800461
e = 65537
ct = 41235449780929443384166147522020083683889749974005612902804345492422348056977414525436540920715243341085765115642708161070411267919671311047708984574587151797616127366342359285612956528102401417549506433811968845087980794462826978617650901152446775365531634707700598379517429824118845723086343262295388510539
```
but he gave another info , that is the q close to p .
then we can use factorization

Original writeup (https://github.com/diko-ct/write-ups/tree/main/nahamcon_ctf_2022/baby_RSA).