ctf-writeup/AmateursCTF 2023/You get extra information 2
Muhammad Daffa 4adf31cf8b feat: added 0ByteCTF 2023 2023-08-21 23:33:04 +07:00
..
images feat: added AmateursCTF 2023 2023-07-20 08:02:45 +07:00
README.md feat: added 0ByteCTF 2023 2023-08-21 23:33:04 +07:00

README.md

You get extra information 2

You get more information! More complicated = more information right.

About the Challenge

We got 2 files, main.py and output.txt. Here is the content of main.py

from Crypto.Util.number import *
from flag import flag

p = getPrime(512)
q = getPrime(512)
n = p*q
e = 0x10001
extra_information = (n**2)*(p**3 + 5*(p+1)**2) + 5*n*q + q**2
ptxt = bytes_to_long(flag)
c = pow(ptxt, e, n)

with open('output.txt', 'w') as f:
    f.write(f"n: {n}\nc: {c}\ne: {e}\nextra_information: {extra_information}")

This is a basic RSA, but there is another variable called extract_information. And here is the content of output.txt

n: 95593382112797270045497836514999308524326160650345266525670495575191979116591752182138270308274446464071024826510473429700676303637674960212123982700153540490805215151070356646141514736282385755143090035980011032465519861526291865888128545478530962058792257703950616556136479933021373472378679162332202365371
c: 92084942302809419329882275131365664619817865820237979575321652348851871468885232665120732298048355621943772250718055278615366362227084559410831820721620242260588398786014654743749734106956509345330468686120026908164376320923131751798117799981744551407234489862207435686504148347452579942637697333568788391594
e: 65537
extra_information: 18247071175606431398122118602371784578875472790915317892207044424588309397797319375039984309368393267673885302107217184699052743790470091033147110959310433418937324145720036262540098007724458652548486534453030546582214242131458903058169536052488501597969216020092796160475487905223265691093061136660574497410399108890645909789835984721231354187679269066357591297035974333220513134895660609801438138623213711900681512310067292949714127564635579383633589101296120704659647911638787823818973909534106275908594589830353183557722172234952579827423906720754070119865452363350814918812923981729393142874903734028229195885438296963982680724071663211427931391032589901737528717167662646147224323491202696402122261699504048973334902281462240308032014697804531871922566779026958815207465755155123070196922127199447785648102152027431894178737946151518726929361221425189695069653652163012000609320105988830299015364692678902927254273154427301473090465612473379114039284029813071586214536353994345527805408387636097772645156970939979500155578289301143563369142329343932852167241705090287661795

How to Solve?

To solve this problem, we need to find the value of prime number first, p and q and then we can decode the encrypted flag. To find the value of p and q, i created a program that using Z3 package. Here is the program I used to find p and q

from z3 import *

# Define the variables
p, q = Ints('p q')

# Define the known values
n = 95593382112797270045497836514999308524326160650345266525670495575191979116591752182138270308274446464071024826510473429700676303637674960212123982700153540490805215151070356646141514736282385755143090035980011032465519861526291865888128545478530962058792257703950616556136479933021373472378679162332202365371
e = 0x10001
extra_information = 18247071175606431398122118602371784578875472790915317892207044424588309397797319375039984309368393267673885302107217184699052743790470091033147110959310433418937324145720036262540098007724458652548486534453030546582214242131458903058169536052488501597969216020092796160475487905223265691093061136660574497410399108890645909789835984721231354187679269066357591297035974333220513134895660609801438138623213711900681512310067292949714127564635579383633589101296120704659647911638787823818973909534106275908594589830353183557722172234952579827423906720754070119865452363350814918812923981729393142874903734028229195885438296963982680724071663211427931391032589901737528717167662646147224323491202696402122261699504048973334902281462240308032014697804531871922566779026958815207465755155123070196922127199447785648102152027431894178737946151518726929361221425189695069653652163012000609320105988830299015364692678902927254273154427301473090465612473379114039284029813071586214536353994345527805408387636097772645156970939979500155578289301143563369142329343932852167241705090287661795

# Define the constraints
constraints = [
    p * q == n,
    (n ** 2) * (p ** 3 + 5 * (p + 1) ** 2) + 5 * n * q + q ** 2 == extra_information
]

# Create a solver instance
solver = Solver()

# Add the constraints to the solver
solver.add(constraints)

# Check if the constraints are satisfiable
if solver.check() == sat:
    # Constraints are satisfiable, get the model
    model = solver.model()
    # Get the values of p and q from the model
    p_value = model[p].as_long()
    q_value = model[q].as_long()
    print(f"p = {p_value}")
    print(f"q = {q_value}")
else:
    print("Constraints are unsatisfiable.")

Run the program, and then you will got the value of p and q

pq

p = 12592515782077404137849236994955837609500154464782855076585955501637937872493619036975469814859697874798733737517472127306855726944300236711447248402640349
q = 7591285472030363593819309149475285775894683777302616308552541051471117604695830085885971123084425024738819800112718432254917427153283662301475561286492279

Because we got the prime number, now we can decode the flag. In this case im using X-RSA

flag

amateursCTF{omg_it's_my_favorite_epic_thing_where_it_looks_like_a_binomial!!}