cryptoProhard

Let's Decrypt Again

cryptohack

Task: an RSA signature server publishes one fixed SIGNATURE = DIGEST^D mod N (DIGEST is a 768-bit EMSA-PKCS1-v1.5/SHA-1 encoding). The attacker chooses a single composite modulus n (set once) and a per-claim exponent e, and must make pow(SIGNATURE,e,n) equal bytes_to_long(emsa(msg)) for three different message regexes — including a self-minted valid Bitcoin address — to collect three XOR shares of the flag. Solution: Desmedt–Odlyzko chosen-modulus forgery: build n = product of 9 smooth primes p=2m+1 where SIGNATURE is a QR generating the odd order-m subgroup and the m_i are pairwise coprime; for each pattern brute a message so D=emsa(msg) is a QR mod every p, recover e_i by Pohlig–Hellman discrete logs in each order-m subgroup combined by CRT, then XOR the three recovered shares to get the flag.

rsa crt signature_forgery discrete_log pohlig_hellman secret_sharing pkcs1_v15 quadratic_residue chosen_modulus desmedt_odlyzko bitcoin_address

pohlig_hellmandesmedt_odlyzko_forgerychosen_composite_modulusodd_order_subgroup_dlogcrt_exponent_recovery

$ ls tags/ techniques/

rsa crt signature_forgery discrete_log pohlig_hellman secret_sharing pkcs1_v15 quadratic_residue chosen_modulus desmedt_odlyzko bitcoin_address

pohlig_hellmandesmedt_odlyzko_forgerychosen_composite_modulusodd_order_subgroup_dlogcrt_exponent_recovery

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ cat writeup.md…

Sign in to access full writeups

Sign in to access full writeups

Similar writeups