Tags: litctf
Rating:
**crypto/encryption two ways | LITCTF 2025 writeup**
We’re getting XOR-leaky values for the same secret (flag) with each RSA prime, plus a normal RSA ciphertext. The generator that produced those values is short enough to read in one breath: it samples large primes p, q, chooses a random-looking flag, prints flag ^ p, flag ^ q, then prints the RSA public key and an RSA encryption of flag.
Connect; parse integers.
Compute t = A ^ B = p ^ q.
Factor N given t using the LSB→MSB backtracking described above.
Recover flag via XOR: flag = A ^ p (or B ^ q).
If formatting is weird, optionally decrypt RSA by computing d = e^-1 mod φ(N) and m = c^d mod N.
Please follow me on Medium to see the details of this solution.
