Tags: cube-root rsa
## Hastad
I think this was an **unintended vulnerability**, which the challenge designers failed to check.
Judging by the challenge name and the values that were given, it clearly looked like Hastad's Broadcast Attack, which it was. But since the public exponent was 3, i.e. e = 3, we first checked whether the message really wrapped around the modulus or not (that is the first thing you need to check when e = 3).
Also, there were 15 ciphertexts given, but only 7 were unique and the rest of them were simply repetitions of the 7 unique ones. So, we took the 7 ciphertexts and printed their corresponding plaintext using the following script:
```python
from Crypto.Util.number import long_to_bytes
import gmpy2
# Hex-encoded ciphertexts: the 7 unique values out of the 15 given
c = ['10652cdfaa86ddbee1409ac7ac327a0c848081ee6e3b110867085f1074755785b0a5a6a2343b791695c3e91fdb370d5b26be3b6d2fc449c7788bbb1ab67ddc361b4115010618e39c883449b757fc1624369b440236ee65', '10652cdfaa8c9ef24fc044b5fed749888632ad132bd412f22d9d905e6ffd27b288c22884b24fe130d83aaab9c2dc6e942418dff89d2b66a66e40900db9456813d70eb63d0c38697f89ff387969d3d40163376416270965', '10652cdfaa8ab16290cf92bacf31b23d6a0ea95c2ebd6eb8afe4f038d852a7f17e98f965f299b4d00126611d403c5208a145157ed1d71079fc558eaa888e993360fac35c7a816ad183190867b1b7580a2677cd6871aa65', '10652cdfaa875a9ac01e472ea5896c1d460410508b9a7c723b5ba904fb5b64d68a1e96254ba04b08c92d51f1fe6c3d6bb426e1ee8c61c8a6ff1eeab9e07f51d8057f2f0c54b27c7006539f7148484ff26a02e4cb1d3165', '10652cdfaa8210601d22f4a15aa380233420f9ee9a276d3ac8e05cfc4f6f515f78331e8e74484e8533221e88f78671dd08622e78233e458978a35036680d1c5caaba2fa3bce3b914ad48501a276d6a88adc16db282e065', '10652cdfaa8c2701b8bb7c11fc3218cc2d97cd4707f6de55637bc093f474d231b4d4fe8635261b8e4f772d0e51a25f8e713777a137be6f04e0d28ddd6ec0b852aaf357d33e08aed23e034fcd1ced38542fbeb5aa0eee65', '10652cdfaa8ab162128a955a58d3b780f2656800796eb70c345c56d7b8523d614ef4ca920471f56493c83ca48500033a0c0b31988ca6e66a76e0ed559b38616688941558b127260cdf70261822929efa0aa6b6d79d1665']
c = [int(i, 16) for i in c]
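for i in c:
    # With e = 3 and m**3 < n, the ciphertext is m**3 over the integers,
    # so the integer cube root is the plaintext. iroot returns (root, is_exact).
    root = gmpy2.iroot(i, 3)[0]
    print(long_to_bytes(int(root)).decode())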
```
And got the following output:
```
flag{klkjlkjjuibnjgjcbskdfks}
flag{wh00ps_srry_4_br0adcast}
flag{sdgsdgsdfgsdfsdgfwegdsg}
flag{lplplplplpllplasdasdlpl}
flag{alfaadsaldhlawidjlxicli}
flag{vnmxsfwu382423423rfs3ss}
flag{sdflsdfhsdcuweuhckdufhk}
```
Voila! Got the flag: `flag{wh00ps_srry_4_br0adcast}`. I am still not sure whether there were multiple solutions to the challenge or this was an unintended vuln; either way, it was much easier to implement than the one mentioned in other writeups.
Thanks!
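The "did the message wrap around the modulus?" check described above, as an added example that is not part of the original writeup. It uses only the standard library; the stand-in modulus `N`, both messages, and the helper names `iroot`, `unwrapped_plaintext` and `textbook_encrypt` are constructed for illustration.

```python
# Added example: constructed modulus and messages, standard library only.

def iroot(n, k):
    """Return (r, exact) with r = floor(n ** (1/k)) for a non-negative integer n."""
    if n < 2:
        return n, True
    lo, hi = 0, 1 << (n.bit_length() // k + 1)
    while lo < hi:                      # binary search: largest r with r**k <= n
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo, lo ** k == n


def unwrapped_plaintext(c, e):
    """Return the plaintext if c is an exact e-th power (m**e < n), else None."""
    r, exact = iroot(c, e)
    if not exact:
        return None                     # m**e was reduced mod n: no shortcut
    return r.to_bytes((r.bit_length() + 7) // 8, "big")


# Stand-in 1128-bit modulus built from two Mersenne primes. Only its size
# matters here; it is not a usable RSA key.
N = (2**521 - 1) * (2**607 - 1)
E = 3


def textbook_encrypt(msg, n=N, e=E):
    """Unpadded ("textbook") RSA encryption of a byte string."""
    return pow(int.from_bytes(msg, "big"), e, n)


SHORT = b"flag{constructed_example}"    # 25 bytes: m**3 is ~600 bits, below N
LONG = SHORT + b"\x01" * 100            # 125 bytes: m**3 is ~3000 bits, wraps N

if __name__ == "__main__":
    for msg in (SHORT, LONG):
        print(len(msg), unwrapped_plaintext(textbook_encrypt(msg), E))
```

The short message comes straight back from the cube root, while the long one yields `None` because its cube was reduced modulo `N`. Randomized padding such as OAEP makes every plaintext fill the modulus, which removes this shortcut.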