Rating:

# [CTF ANGSTROM] Write-Up - SSH (Crypto, 150)

## Description :
In an effort to follow good security practices, defund set up SSH keys for his server, which he connects to at ctf@web.angstromctf.com:3004. kmh11 managed to get the [public key](files/id_rsa.pub) and part of the [private key](files/id_rsa) . Help him ruin defund's life.

## Partie clé publique :

Une bonne ressource est disponible ici : ​https://security.stackexchange.com/questions/42268/how-do-i-get-the-rsa-bit-length-with-the-pubkey-and-openssl

L'explication est ici :

* 00 00 00 07 The length in bytes of the next field
* 73 73 68 2d 72 73 61 The key type (ASCII encoding of "ssh-rsa")
* 00 00 00 03 The length in bytes of the public exponent
* 01 00 01 The public exponent (usually 65537, as here)
* 00 00 01 01 The length in bytes of the modulus (here, 257)
* 00 c3 a3... The modulus

```BASH
echo -n "AAAAB3NzaC1yc2EAAAADAQABAAABAQC+XZWLCbIpHPC9NlEckVXiKfiujcyu4VUslmm4G1MqNjtPNHaUEoZ8z5LLQK3e9SAKBdze8JyNowmC+lQT2VL059s9pzlRn6t31XTeUjZslgOs6IfAy/MsUkfOwUIo6KcqpSVnmeVMQPOiLUZCza9eDdB3MxFY59hNuodW1TGku00ro+ecKZcvJ+uNC/nfgeLpzaI7Dd6tI8AKrr+g9Tgyd6Ihd3KanLXuWMRwGbbLMi1/uaQd86LVYt/SAvkGO15eUELP723c/kEjKGfhwSKo3MGM5R77uMxfm8DzKW8QkcowEO2FEnPUykBnV1PaiWrl/PoBWTp8hNUYxQPAruWB" | openssl base64 -d | hd
00000000 00 00 00 07 73 73 68 2d 72 73 61 00 00 00 03 01 |....ssh-rsa.....|
00000010 00 01 00 00 01 01 00 be 5d 95 8b 09 b2 29 1c f0 |........]....)..|
00000020 bd 36 51 1c 91 55 e2 29 f8 ae 8d cc ae e1 55 2c |.6Q..U.)......U,|
00000030 96 69 b8 1b 53 2a 36 3b 4f 34 76 94 12 86 7c cf |.i..S*6;O4v...|.|
00000040 92 cb 40 ad de f5 20 0a 05 dc de f0 9c 8d a3 09 |..@... .........|
00000050 82 fa 54 13 d9 52 f4 e7 db 3d a7 39 51 9f ab 77 |..T..R...=.9Q..w|
00000060 d5 74 de 52 36 6c 96 03 ac e8 87 c0 cb f3 2c 52 |.t.R6l........,R|
00000070 47 ce c1 42 28 e8 a7 2a a5 25 67 99 e5 4c 40 f3 |G..B(..*.%g..L@.|
00000080 a2 2d 46 42 cd af 5e 0d d0 77 33 11 58 e7 d8 4d |.-FB..^..w3.X..M|
00000090 ba 87 56 d5 31 a4 bb 4d 2b a3 e7 9c 29 97 2f 27 |..V.1..M+...)./'|
000000a0 eb 8d 0b f9 df 81 e2 e9 cd a2 3b 0d de ad 23 c0 |..........;...#.|
000000b0 0a ae bf a0 f5 38 32 77 a2 21 77 72 9a 9c b5 ee |.....82w.!wr....|
000000c0 58 c4 70 19 b6 cb 32 2d 7f b9 a4 1d f3 a2 d5 62 |X.p...2-.......b|
000000d0 df d2 02 f9 06 3b 5e 5e 50 42 cf ef 6d dc fe 41 |.....;^^PB..m..A|
000000e0 23 28 67 e1 c1 22 a8 dc c1 8c e5 1e fb b8 cc 5f |#(g.."........._|
000000f0 9b c0 f3 29 6f 10 91 ca 30 10 ed 85 12 73 d4 ca |...)o...0....s..|
00000100 40 67 57 53 da 89 6a e5 fc fa 01 59 3a 7c 84 d5 |@gWS..j....Y:|..|
00000110 18 c5 03 c0 ae e5 81 |.......|
00000117
```

Du coup, on détermine facilement notre **n** et notre **e** :
soit en hexadécimal :

* e = 0x10001
* n = 0xbe5d958b09b2291cf0bd36511c9155e229f8ae8dccaee1552c9669b81b532a363b4f34769412867ccf92cb40addef5200a05dcdef09c8da30982fa5413d952f4e7db3da739519fab77d574de52366c9603ace887c0cbf32c5247cec14228e8a72aa5256799e54c40f3a22d4642cdaf5e0dd077331158e7d84dba8756d531a4bb4d2ba3e79c29972f27eb8d0bf9df81e2e9cda23b0ddead23c00aaebfa0f5383277a22177729a9cb5ee58c47019b6cb322d7fb9a41df3a2d562dfd202f9063b5e5e5042cfef6ddcfe41232867e1c122a8dcc18ce51efbb8cc5f9bc0f3296f1091ca3010ed851273d4ca40675753da896ae5fcfa01593a7c84d518c503c0aee581

soit en décimal :

* e = 65537
* n = 24031426009258585415105324998970701655451460140660105245278171650878655493832570145520528674334486553204442446050601099312855866652174529838264749199630546148628121934849433734634042641132125007923761347962489974645002007692970466377879714666376153284839287915500514317384370204031902874952028757660051907008749997171513281852774870171717680368772057416440542176768196388565781131705261355090923059616730128088291078728643698870108958810166348296696671079733506691833466453747784418214869999275238860856569886383373280256273665811649081849561360513128165462438255912304945446909477593597880634673262567888241113884033

## Partie clé privée :

On a une clé privée partielle
```
...
????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????
YC2/ZTbmSZFL9t5Em+ic2ayw0nNUSI6XO7+3tcT9TABzh94t9YLhiDcCgYEA0LFZ
OUTgvmnWAkwGSo/6huQOu/7VmsM7OBdFntgotOJXALXFqCeT2PMXyWVc9/6ObUZj
z9LQUlT6mnzYwFrX4mPPOTY5nvCyjepQlSDA7w49yaRhXKCFRHmEieeFJqzrZoQG
????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????
...
```

Il faut aussi savoir à quelle taille de clé privée, nous avons à faire !!!

Mes tests se feront sur 3 tailles standards :

```BASH
openssl genrsa -out test1024.pem 1024
openssl genrsa -out test2048.pem 2048
openssl genrsa -out test4096.pem 4096
```

Nous avons donc dans notre cas une clé en 2048 en comparaison avec notre clé privée partielle.

Donc il faut passer par la notion d'ASN.1 pour comprendre à quoi correspond notre base64.
Pour parser en ASN.1 plusieurs possibilités, soit utiliser un des sites ci-dessous ou soit avec _openssl_ :

1. https://tls.mbed.org/kb/cryptography/asn1-key-structures-in-der-and-pem
2. http://phpseclib.sourceforge.net/x509/asn1parse.php

```BASH
openssl asn1parse -in test2048.pem

0:d=0 hl=4 l=1187 cons: SEQUENCE
4:d=1 hl=2 l= 1 prim: INTEGER :00
7:d=1 hl=4 l= 257 prim: INTEGER :00A68816CF564AD4B12CB5ACAA1CD0861B233443A408525A8476028EB6166F27E680A58E4F8C7B09C17371996FB35DE6E4592BE3B5AC4894E61C597F324E4E182EAD7AD9AA8CBE27F3BF57A3B330C07C0271FACA3DAF94647A46B895CD535303F87148216F820BB281059E8B404FD51D37369DD04DF57FFE5001FCF1A5585FE02B3A3F5FF3A1B3868FBD116C76F56D606BBF461708B386B210FDE417189F8A0436507461D87F3303F42388973B71580392A1D4DC90EDAA7F29A28336335F482E63B60DD663B65886B41B705BFFB481622D9AF1080746F6DE27A70BB5479CBF4F53A4D91E9CEA3D99ADD6A442E1F7945DAB0DC08CD1AC341BA0449198836AFDBA25
268:d=1 hl=2 l= 3 prim: INTEGER :010001
273:d=1 hl=4 l= 256 prim: INTEGER :12CBC76F4D7912BA90A64CBFC292D2A01B8019A658FE1A935AD27D1316432388C3BA6BEE94978A89582359431F4698F9EB0AA61FEA3B22FB39F5EC025C8E39F282C81BEB4109716EF488CAC43DDB6BE3C6C39CB20BB03F0B0212716E045A9957204A18E4021499E8301F2DEE6B544D80DEDC3F179D7EFDD03FF931B90CD97D6E94FC68FD0F9C8E89B312DE76724D2C37B58DE0DE29F78A3FFA6868DD70324F9066FF1F1484F8AD3EC259FC344B5AA1D885406328D4BF50F67B0CE861CB23D0FDB57353712032743AA2567EE452A8A8098D3713C1F43985720F1EE35A8ABB1C3D0E726B7DA717C65DD3E140B6B4AD79E570A7AB7927B871306DA6CD16CC5CE421
533:d=1 hl=3 l= 129 prim: INTEGER :00D32D3F8ECBD2B3D23CEBB01BFFEF4B34B09F4A4537A2EB505F33C8B1E867FD7878C867AFF72A8C3DE4529DA3853C02CFFF2F82724E8ADA12144568A151EB412438D22905CC423E15F7327411E453177E3E9E6AB620002E1A5EB6F03FC25329A7FED50AD6E8A7B780A2F95F6C78A9C15DA88360A5119783FBD180D3208DF9490D
665:d=1 hl=3 l= 129 prim: INTEGER :00C9E0F2D5277FA3134631615BBA7F7BDE4B43FA45C1ABC5A95FEE09E1A4A040951F92049F60283B18DC60A0D009C58254674B98FEF5398ACBE69573A20ED47EB97824FA4943FAED9810C0AF1B9DB003F011ED50E66B78E592438E95913F1C68F1A355A6E4682F6D13220C889401CCCAEC4C980408C6FE6F1EC309C124A7F03F79
797:d=1 hl=3 l= 128 prim: INTEGER :2707F8F45AA5D208ACABDF3BFD9CEBE88C3094D8A044E37B526D4ECDDB27C5488C02766FA69E5D975EE90A2BDC075079C32FB3CB8ECAC92D88439FE8192D03383FAC505ABAFB0F609DF4DC51264359574319A29D90E297A2D618B7E500F4C00145EF78766A3FFD81B01DA94E722AE60B7A86F5C8ECAC757F88A467E15F7C50CD
928:d=1 hl=3 l= 128 prim: INTEGER :423F2130B56F7B121E1CA23839B10FF2D87C0C2ACBED14460A86D0934D34913CDE494A5F0A6CE947B539B84BCC8915C5A0C7FC02DE71ED8C0FB4C7674CBA8A834E5BC40E3AD2A3191D963D603094CC1601AC00BA3C5645EF835FCCD10706C9A151DA0F9430642FC4F18D6F5C326303CC1B2E5F548A08806A75D243A145C2DEF1
1059:d=1 hl=3 l= 129 prim: INTEGER :00B2170D9A8CB3094DAB296D9833AD12CB920FD4580EBC261CE79C76B9BD303941DD4F753CC029AFB0F116A73B36A8D804A8A1B8F79E50C3BCEAA813339A42B6A252EF9041684D6BC72A9D5B8550D693BC743C668AB83981F109730142865E2B5480C3D8DB369C31A0681BCF9340EFB955BADDDEC53A01FE15074AE45F53DB668B

```

Les explications plus détaillées, en 2048 bits :

* n => marqueur:02 82 0, size : 101(donc 257)
* e => marqueur:02 , size : 03
* d => marqueur:02 82 0, size : 100 (donc 256)
* p => marqueur:02 81 , size : 81 (donc 129)
* q => marqueur:02 81 , size : 81 (donc 129)
* exp1 => marqueur:02 81 , size : 81 (donc 129)
* exp2 => marqueur:02 81 , size : 81 (donc 129)
* coef => marqueur:02 81 , size : 80 (donc 128)

Du coup, pour déterminer à quel paramètre nous avons à faire, je compare sur ma clé test2048.pem mais tronquée partiellement comme celle du challenge, je la nomme ici test2048_partial.pem.

```BASH
echo -n "Gl628D/CUymn/tUK1uint4Ci+V9seKnBXaiDYKURl4P70YDTII35SQ0CgYEAyeDy1Sd/oxNGMWFbun973ktD+kXBq8WpX+4J4aSgQJUfkgSfYCg7GNxgoNAJxYJUZ0uY/vU5isvmlXOiDtR+uXgk+klD+u2YEMCvG52wA/AR7VDma3jlkkOOlZE/HGjxo1Wm" | base64 -d |hd
00000000 1a 5e b6 f0 3f c2 53 29 a7 fe d5 0a d6 e8 a7 b7 |.^..?.S)........|
00000010 80 a2 f9 5f 6c 78 a9 c1 5d a8 83 60 a5 11 97 83 |..._lx..]..`....|
00000020 fb d1 80 d3 20 8d f9 49 0d 02 81 81 00 c9 e0 f2 |.... ..I........|
00000030 d5 27 7f a3 13 46 31 61 5b ba 7f 7b de 4b 43 fa |.'...F1a[..{.KC.|
00000040 45 c1 ab c5 a9 5f ee 09 e1 a4 a0 40 95 1f 92 04 |E...._.....@....|
00000050 9f 60 28 3b 18 dc 60 a0 d0 09 c5 82 54 67 4b 98 |.`(;..`.....TgK.|
00000060 fe f5 39 8a cb e6 95 73 a2 0e d4 7e b9 78 24 fa |..9....s...~.x$.|
00000070 49 43 fa ed 98 10 c0 af 1b 9d b0 03 f0 11 ed 50 |IC.............P|
00000080 e6 6b 78 e5 92 43 8e 95 91 3f 1c 68 f1 a3 55 a6 |.kx..C...?.h..U.|
00000090
```
je vois ici "**02 81 81** 00 c9 e0 f2" soit le début de 00c9e0f2, ce qui correspondait juste au-dessus à :
665:d=1 hl=3 l= 129 prim: INTEGER :00C9E0F2D5277FA3134631615BBA7F7BDE4B43FA45C1ABC5A95FEE09E1A4A040951F92049F60283B18DC60A0D009C58254674B98FEF5398ACBE69573A20ED47EB97824FA4943FAED9810C0AF1B9DB003F011ED50E66B78E592438E95913F1C68F1A355A6E4682F6D13220C889401CCCAEC4C980408C6FE6F1EC309C124A7F03F79

Verdict : Nous venons de trouver notre **q** de tronquer :

Notre clé privée partielle id_rsa :

```BASH
echo -n "YC2/ZTbmSZFL9t5Em+ic2ayw0nNUSI6XO7+3tcT9TABzh94t9YLhiDcCgYEA0LFZOUTgvmnWAkwGSo/6huQOu/7VmsM7OBdFntgotOJXALXFqCeT2PMXyWVc9/6ObUZjz9LQUlT6mnzYwFrX4mPPOTY5nvCyjepQlSDA7w49yaRhXKCFRHmEieeFJqzrZoQG" | base64 -d | hd
00000000 60 2d bf 65 36 e6 49 91 4b f6 de 44 9b e8 9c d9 |`-.e6.I.K..D....|
00000010 ac b0 d2 73 54 48 8e 97 3b bf b7 b5 c4 fd 4c 00 |...sTH..;.....L.|
00000020 73 87 de 2d f5 82 e1 88 37 02 81 81 00 d0 b1 59 |s..-....7......Y|
00000030 39 44 e0 be 69 d6 02 4c 06 4a 8f fa 86 e4 0e bb |9D..i..L.J......|
00000040 fe d5 9a c3 3b 38 17 45 9e d8 28 b4 e2 57 00 b5 |....;8.E..(..W..|
00000050 c5 a8 27 93 d8 f3 17 c9 65 5c f7 fe 8e 6d 46 63 |..'.....e\...mFc|
00000060 cf d2 d0 52 54 fa 9a 7c d8 c0 5a d7 e2 63 cf 39 |...RT..|..Z..c.9|
00000070 36 39 9e f0 b2 8d ea 50 95 20 c0 ef 0e 3d c9 a4 |69.....P. ...=..|
00000080 61 5c a0 85 44 79 84 89 e7 85 26 ac eb 66 84 06 |a\..Dy....&..f..|
00000090
```

On voit bien le marqueur **02 81 81**

q_ = 0xd0b1593944e0be69d6024c064a8ffa86e40ebbfed59ac33b3817459ed828b4e25700b5c5a82793d8f317c9655cf7fe8e6d4663cfd2d05254fa9a7cd8c05ad7e263cf3936399ef0b28dea509520c0ef0e3dc9a4615ca08544798489e78526aceb668406

## Partie attaque sur notre q_ tronqué :

En lisant cette ressource, ​https://www.di.ens.fr/~fouque/ens-rennes/coppersmith.pdf à la page 19, on en arrive à l'explication suivante :

1. À partir de qh, on déduit la début de la factorisation de p, car abs(n/q_approchée -p)<=p/qh (où q = 2^m*qh + r )
2. à partir de ces deux parties, via coppersmith, on en déduit p et q: on connait ph et qh, il reste juste à résoudre (2^m*qh + r)*(2^m'*ph + s) =n

Pour la partie du script, je remercie mon coéquipier francois pour son aide sur la création de ce dernier surtout sur la partie liée à Coppersmith ;-)

Le script est disponible ici [angryssh.sage](files/angryssh.sage)

Le résultat nous donne :

```BASH
sage angryssh.sage

solx= 4203288709542742729807188024283888845346823142720427022366890568812599
soly= 5477114057848791956097152061968561656135042340019554935987745340732423
163982139712862418555526520701188853132435025142588334581109287244065993155706892302449577647543501705795708316995057467949529976798218410513821698432879399377481736303821213515873396833696040164615779257072417113571942677691455176550027493593024586313878742269786944829130979576180492741390980797445630429239 146549045227354172989110651205310632574067392372993711861623526130946979713469625772410411197033006823693645223316947254702263484103463390279967082549781844195965622071604103417650285219901124684816890970225510506869249766243257198851929421990982433654502509027141033118789478594390852225097012248592818058247 0
p= 163982139712862418555526520701188853132435025142588334581109287244065993155706892302449577647543501705795708316995057467949529976798218410513821698432879399377481736303821213515873396833696040164615779257072417113571942677691455176550027493593024586313878742269786944829130979576180492741390980797445630429239
q= 146549045227354172989110651205310632574067392372993711861623526130946979713469625772410411197033006823693645223316947254702263484103463390279967082549781844195965622071604103417650285219901124684816890970225510506869249766243257198851929421990982433654502509027141033118789478594390852225097012248592818058247
n= 24031426009258585415105324998970701655451460140660105245278171650878655493832570145520528674334486553204442446050601099312855866652174529838264749199630546148628121934849433734634042641132125007923761347962489974645002007692970466377879714666376153284839287915500514317384370204031902874952028757660051907008749997171513281852774870171717680368772057416440542176768196388565781131705261355090923059616730128088291078728643698870108958810166348296696671079733506691833466453747784418214869999275238860856569886383373280256273665811649081849561360513128165462438255912304945446909477593597880634673262567888241113884033
e= 65537
d= 12371580666285844840628020204468811559169275579988880950767356353342309805246152313040223338623544590362157005772330599351762272990489593088075657617015350054298552053952500797607732497202446948171869083401840933435276603102875178374403523095791156685188408608588611815527583903960089279307971043146504894800765050931855114650482122025430358908917844272834112483590198140948797273463397261334588887876797701608166553338253551869036686172983819566127032758251900065288993763198926159545468108041884266621676343682039555099872618810035783018579796420000036035987169098184987127657567117692021119755510129859485111125229
1= 1
0
```

## Reconstruction de la clé privée :

Cette partie étant la moins difficile du challenge :-)

J'utilise simplement un outil tel que [Rsatool](​https://github.com/ius/rsatool)

```BASH
python rsatool.py -p 163982139712862418555526520701188853132435025142588334581109287244065993155706892302449577647543501705795708316995057467949529976798218410513821698432879399377481736303821213515873396833696040164615779257072417113571942677691455176550027493593024586313878742269786944829130979576180492741390980797445630429239 -q 146549045227354172989110651205310632574067392372993711861623526130946979713469625772410411197033006823693645223316947254702263484103463390279967082549781844195965622071604103417650285219901124684816890970225510506869249766243257198851929421990982433654502509027141033118789478594390852225097012248592818058247 -n 24031426009258585415105324998970701655451460140660105245278171650878655493832570145520528674334486553204442446050601099312855866652174529838264749199630546148628121934849433734634042641132125007923761347962489974645002007692970466377879714666376153284839287915500514317384370204031902874952028757660051907008749997171513281852774870171717680368772057416440542176768196388565781131705261355090923059616730128088291078728643698870108958810166348296696671079733506691833466453747784418214869999275238860856569886383373280256273665811649081849561360513128165462438255912304945446909477593597880634673262567888241113884033 -e 65537 -f PEM -o privkey.pem

python rsatool.py -p 163982139712862418555526520701188853132435025142588334581109287244065993155706892302449577647543501705795708316995057467949529976798218410513821698432879399377481736303821213515873396833696040164615779257072417113571942677691455176550027493593024586313878742269786944829130979576180492741390980797445630429239 -q 146549045227354172989110651205310632574067392372993711861623526130946979713469625772410411197033006823693645223316947254702263484103463390279967082549781844195965622071604103417650285219901124684816890970225510506869249766243257198851929421990982433654502509027141033118789478594390852225097012248592818058247 -n 24031426009258585415105324998970701655451460140660105245278171650878655493832570145520528674334486553204442446050601099312855866652174529838264749199630546148628121934849433734634042641132125007923761347962489974645002007692970466377879714666376153284839287915500514317384370204031902874952028757660051907008749997171513281852774870171717680368772057416440542176768196388565781131705261355090923059616730128088291078728643698870108958810166348296696671079733506691833466453747784418214869999275238860856569886383373280256273665811649081849561360513128165462438255912304945446909477593597880634673262567888241113884033 -e 65537 -f PEM -o privkey.pem
Using (p, q) to initialise RSA instance

n =
be5d958b09b2291cf0bd36511c9155e229f8ae8dccaee1552c9669b81b532a363b4f34769412867c
cf92cb40addef5200a05dcdef09c8da30982fa5413d952f4e7db3da739519fab77d574de52366c96
03ace887c0cbf32c5247cec14228e8a72aa5256799e54c40f3a22d4642cdaf5e0dd077331158e7d8
4dba8756d531a4bb4d2ba3e79c29972f27eb8d0bf9df81e2e9cda23b0ddead23c00aaebfa0f53832
77a22177729a9cb5ee58c47019b6cb322d7fb9a41df3a2d562dfd202f9063b5e5e5042cfef6ddcfe
41232867e1c122a8dcc18ce51efbb8cc5f9bc0f3296f1091ca3010ed851273d4ca40675753da896a
e5fcfa01593a7c84d518c503c0aee581

e = 65537 (0x10001)

d =
620075bb457b95d4d34ee586ae6957c87e090b7beeb2dd486712ec4c1ead1adf1e7b712bd6a10ee1
744f431a0228f512d076223617b2d0ebed3aa3bae3190faf0b2a003c75b2c2bb988ea882c7da42de
9bf7c922122c2cfd5542a87b2f9f35ded18281962b51338780a5ae1f2cc70d1023967db729a8167b
71d0a45a1c99590f3c4bfa59f6cb99808d1b8c4e5c0ca7feeec7f2c88f6cee0a343be1f1217c23c2
ec0e779740374cffda319dc8797a0b010a58b0ad79e33adc3ca088dcbf4fdb68da954c49b3aa693f
0e0545d6845e3413d720a2df5c98158e4b45d2bd6e2ea08672db20644ea9aec7c192c1087b970564
cd929d43e5ea32f1c1e19a266adb84ed

p =
e984b0820151d7ed6a86569073ea12e64d36fa33bc360082cd1e87ad0618f6dd6f0dbac674170c3d
11f1e8ea1208c48ee3c6313f7703138fc2d2dc8e94fdd4a427bd92a420de8a025d0423e80351acaa
2c92bfe5e11729602dbf6536e649914bf6de449be89cd9acb0d27354488e973bbfb7b5c4fd4c0073
87de2df582e18837

q =
d0b1593944e0be69d6024c064a8ffa86e40ebbfed59ac33b3817459ed828b4e25700b5c5a82793d8
f317c9655cf7fe8e6d4663cfd2d05254fa9a7cd8c05ad7e263cf3936399ef0b28dea509520c0ef0e
3dc9a4615ca08544798489e78526aceb668406cb284ebe0ee0120defe7405ffe7d76fb6bb469183c
b262822c9b6f3407

Saving PEM as privkey.pem
```

## The flag :

Avec la clé privée [private key](files/privkey.pem), nous nous connectons au serveur du challenge :

```BASH
ssh ctf@web.angstromctf.com -p 3004 -i privkey.pem
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-116-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
actf{ssh_keys_not_broken_enough}
Connection to web.angstromctf.com closed.
```

Le flag est : **actf{ssh_keys_not_broken_enough}**

By team Beers4Flags

```
________
| |
| #BFF |
|________|
_.._,_|,_
( | )
]~,"-.-~~[
.=] Beers ([
| ]) 4 ([
'=]) Flags [
|:: ' |
~~----~~
```

Original writeup (https://github.com/Beers4Flags/writeups/tree/master/2018/angstrom/crypto/ssh).
zteeedMarch 27, 2018, 12:52 a.m.

Bonjour
Je n'ai pas bien compris comment est obtenu ph a partir de qh dans le script angryssh.sage
Lorsque je lance le script en testant ph=n/qh/(2**232)/(2**232)-1 je ne trouve pas le même résultat que le ph qui est donné.
Je suis impatient de pouvoir comprendre.
Merci d'avance
zTeeed