Challenge Description
Can you decrypt the message and get the flag?
Provide Files
We have been provided a public key, key.pub, and an encrypted flag, flag.enc:
$ cat key.pub
-----BEGIN PUBLIC KEY-----
MIIBHzANBgkqhkiG9w0BAQEFAAOCAQwAMIIBBwKBgQMwO3kPsUnaNAbUlaubn7ip
4pNEXjvUOxjvLwUhtybr6Ng4undLtSQPCPf7ygoUKh1KYeqXMpTmhKjRos3xioTy
23CZuOl3WIsLiRKSVYyqBc9d8rxjNMXuUIOiNO38ealcR4p44zfHI66INPuKmTG3
RQP/6p5hv1PYcWmErEeDewKBgGEXxgRIsTlFGrW2C2JXoSvakMCWD60eAH0W2PpD
qlqqOFD8JA5UFK0roQkOjhLWSVu8c6DLpWJQQlXHPqP702qIg/gx2o0bm4EzrCEJ
4gYo6Ax+U7q6TOWhQpiBHnC0ojE8kUoqMhfALpUaruTJ6zmj8IA1e1M6bMqVF8sr
lb/N
-----END PUBLIC KEY-----
$ cat flag.enc
�_�vc[��~�kZ�1�Ĩ�4�I�9V��^G���(�+3Lu"�T$���F0�VP�־j@������|j▒�������{¾�,�����YE������Xx��,��c�N&Hl2�Ӎ��[o��
Solution
Decrypting an encrypted file with only the public key is generally not possible, as the public key is intended for encrypting data, not decrypting it. However, this challenge seems specifically designed to test RSA weaknesses.
One potential vulnerability in RSA encryption is the use of small key sizes. If the key size used in the encryption process is too small, it may be possible to factor the public key and calculate the private key, which would allow you to decrypt the encrypted file.
Another potential vulnerability is the use of weak prime numbers in generating the public and private keys. If the prime numbers used in the key generation process are not sufficiently large or if they are not chosen randomly, it may be possible to calculate the private key from the public key.
We can use RsaCtfTool to try to retrieve the private key:
$ python3 ~/RsaCtfTool/RsaCtfTool.py --publickey key.pub --private --output key.priv
<SNIP>
Results for key.pub:
Private key :
-----BEGIN RSA PRIVATE KEY-----
MIICOQIBAAKBgQMwO3kPsUnaNAbUlaubn7ip4pNEXjvUOxjvLwUhtybr6Ng4undL
tSQPCPf7ygoUKh1KYeqXMpTmhKjRos3xioTy23CZuOl3WIsLiRKSVYyqBc9d8rxj
NMXuUIOiNO38ealcR4p44zfHI66INPuKmTG3RQP/6p5hv1PYcWmErEeDewKBgGEX
xgRIsTlFGrW2C2JXoSvakMCWD60eAH0W2PpDqlqqOFD8JA5UFK0roQkOjhLWSVu8
c6DLpWJQQlXHPqP702qIg/gx2o0bm4EzrCEJ4gYo6Ax+U7q6TOWhQpiBHnC0ojE8
kUoqMhfALpUaruTJ6zmj8IA1e1M6bMqVF8srlb/NAiBhwngxi+Cbie3YBogNzGJV
h10vAgw+i7cQqiiwEiPFNQJBAYXzr5r2KkHVjGcZNCLRAoXrzJjVhb7knZE5oEYo
nEI+h2gQSt1bavv3YVxhcisTVuNrlgQo58eGb4c9dtY2blMCQQIX2W9IbtJ26KzZ
C/5HPsVqgxWtuP5hN8OLf3ohhojr1NigJwc6o68dtKScaEQ5A33vmNpuWqKucecT
0HEVxuE5AiBhwngxi+Cbie3YBogNzGJVh10vAgw+i7cQqiiwEiPFNQIgYcJ4MYvg
m4nt2AaIDcxiVYddLwIMPou3EKoosBIjxTUCQQCnqbJMPEQHpg5lI6MQi8ixFRqo
+KwoBrwYfZlGEwZxdK2Ms0jgeta5jFFS11Fwk5+GyimnRzVcEbADJno/8BKe
-----END RSA PRIVATE KEY-----
Now that we have the private key, we can decrypt flag.enc using openssl:
$ openssl pkeyutl -in flag.enc -decrypt -inkey key.priv
HTB{*******Wi3n3rs_4tt4ck}
Note: A Wiener attack is a type of cryptanalytic attack that targets RSA encryption when a low private exponent is used. It is named after its inventor Michael J. Wiener. To prevent Wiener attacks, it is recommended to use large prime numbers when generating RSA keys and to avoid using a small private exponent.