# TLDR

RSA attack, then a blob Base64 encode img for web to get flag

# Thought

We have a really small e, I don't remember it clearly anyway, so google some thing like rsa small e attack which give you a page about:

"Multi-party RSA with Small e: Assuming e is constant between the messages and the message m is sent to at least e people, we can use the Chinese Remainder Theorem to retrieve".

It basically that we can calculate m^e mod n1*n2*n3 (as e is small, which make m^e < n1*n2*n3 mean m^e = m^e mod n1*n2*n3). And then calculate cube_root(m^e) to get m .
You could even try to cube_root(c1 + i*n1) and maybe m^e is small enough that it close to n1. But that not the case tho.

Atfer attack Multi-party RSA with Small e using Chinese Remainder Theorem result with this text

```python
b'This is your destination: "https://pastes.io/1yjswxlvl2"\n'
```

and we have

```txt
You think this is Gibbrish, but it's something different...
/9j/4AAQSkZJRgABAQAA...AooooAKKKKAP/Z
```

I think it is a image so i create a simple element then paste it into the website

```html

```

The flag is in the image `pearl{g00d_j0b_bu7_7h15_15_4_b4by_0n3}`

# Code

```python
#!/usr/bin/env python3

import libnum
from Crypto.Util.number import inverse, long_to_bytes, bytes_to_long

e = 3

n1 = 125267411676839013904356880992044234494446196964982422223130579882047339346910691451497681975351838034684254305738613386927222900898672184001345811471784343779083336010063097729870079645284178978512325038316112509718505547104307526489798594871208559607331790920412305711830820739308995357441030646151241475357
c1 = 53377681151597930200174280269480737905892580547675095951568028531545776989476273786562435486230550919422086944133253611872983670236114054374565938184593173194919064517779661178744278071496565181181705071524501841159717567250259220092464925447795412484629687708208662079791459184303259833667333882817260906165

n2 = 101985110329687359982214188967281711679876126442294375297547334583432698756724057183438691227371260175904715854057793173086301783390154807726779286131084537704721881438398569476214173211311977143694032174701007005033830070482491565424683664984059187439768982994371382763048098663670188786016786612348042190633
c2 = 86370003324603283962938004647941072863866893771153362222202759619566185050496089684606274416415418388916028237984708280964054009059814813483639010674182298294505525549842057730933691736372086557397211586739691237738757897947336698446258197604918828646265244195686107866422922575275382813594250335044143485624

n3 = 83259448903366278561128205003734328779222118906091604625605804813528274055482582431201682767294594942491788720967344243567819654813240542076250030802111361571504667752481579915864184180358691091092122509649590043074189547962292835856503625214027405901620103615424259796442446412031011575671410630232956892267
c3 = 25601241268900087228853235319569275926328919786631787991019848828558430219449358810095537362492238844266084660904521793373698736119824512458196492049138821633273765102576368573691391116632126183996786969554104441242376959688329346567745607825277943462236901478944551669406261301309719409165457168678763092118

# ============= Small e attack

for i in range(10):
val = libnum.nroot(c1 + i*n1, 3)
print(long_to_bytes(val))
val = libnum.nroot(c2 + i*n2, 3)
print(long_to_bytes(val))
val = libnum.nroot(c3 + i*n3, 3)
print(long_to_bytes(val))

# ================ Multi-party RSA with Small e

N = [n1, n2, n3]
C = [c1, c2, c3]

res = libnum.solve_crt(C, N)
val = libnum.nroot(res, 3)
print(long_to_bytes(val))
```