ASIS 2015 Finals: Bodu (crypto175)

Reading time ~1 minute

We got an RSA public key (pub.key) encoded in PEM format and the encrypted flag (flag.enc).

These are the converted parameters:

e = 2385330119331689083455211591182934261439999376616463648565178544704114285540523381214630503109888606012730471130911882799269407391377516911847608047728411508873523338260985637241587680601172666919944195740711767256695758337633401530723721692604012809476068197687643054238649174648923555374972384090471828019
N = 2562256018798982275495595589518163432372017502243601864658538274705537914483947807120783733766118553254101235396521540936164219440561532997119915510314638089613615679231310858594698461124636943528101265406967445593951653796041336078776455339658353436309933716631455967769429086442266084993673779546522240901
c = 1624768965978244122218384915440259949773623052619109265384960524204099241405509334298217012073574245240140975823312659160847045035132501536939096089619077929998251251236783590255562951129897302725067655285503493676186062693350470482247124598766533755027440418713398509566189239815613916662987881029294277207

The public exponent is too large thus we can suspect that the private exponent is possible too small.

I tried to attack it with Wiener’s attack: with the following implementation, but it did not worked:

So I remembered other RSA attacks from previous CTFs and how much time this page helped me:

The last attack is the Boneh Durfee attack, which is you know BO-neh DU-rfee => BODU just like the challenge’s name, so I instantly know this will solve the challenge (also a lot of other teams are already solved it, so it should be not too hard challenge either).

Running budo.sage will give us the private exponent (d):

d = 89508186630638564513494386415865407147609702392949250864642625401059935751367507

The executing pow(c,d,N) in python give us the following plaintext:


Converting this to ASCII (for example with my javascript based conversion tools, hosted on will give us the flag (it is padded with PKCS v1.5 padding, but contrary to OAEP padding the flag is readable instantly):


GoogleCTF 2018 Quals: Web - BBS

Last weekend I played on the Google CTF 2018 Quals which was one of the best CTFs I played recently. They separated the easy challenges i...… Continue reading

0CTF 2017 Quals: Crypto challenges

Published on March 23, 2017

0CTF 2017 Quals: Choices (reverse, 297pts)

Published on March 23, 2017