<a href="https://colab.research.google.com/github/GJ-007-sage/CTFs/blob/main/Polynomial_Fun_CTF.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

In [1]:
from sympy import cbrt

In [3]:
from sympy import cbrt

# Given ciphertext1 (in hex) and modulus (n)
c1 = int('181c5d1a2ce0141c5a1a4a2dc4e84286d4c308d8d1dac49ce80bf2aaadb978ac4feecabb5f7e08a5166ef002f96a6477f7f423893a28b4e669597429b8c85425f39618605cffd2698ab162903e6e957b5474764490b50594056dfb3d01ce1a3df5bd5d7bea4f5117a5443a10fcdebc3191c97ccbfcad6edda68c121f991a05c237926765', 16)
n = 22087832419565986427268363917810894541062483207261762193508970044650768811312686392195850751527300135215342753273285793650604515808742281578193812636838119346868541626468641365629075925706791154570861634755087596923946492447077346071402179652403109079126512759658482838653777885974742868784557801802724402274540195665776367414645344670252492037549644132490724527942104987623056047222187858087057702030560111758736415303393204221251167046834099441736337651100031671882520662432134759116648301483061929371138433092262181741668879404220827735988759531366988656404795071483497159626838620232927659615985141983241023806659

# Attempt cube root attack
plaintext_int = int(cbrt(c1))  # Convert to standard Python int

# Convert the integer plaintext to bytes
plaintext = plaintext_int.to_bytes((plaintext_int.bit_length() + 7) // 8, byteorder="big").decode(errors='ignore')

print("Recovered plaintext:", plaintext)

Recovered plaintext: tyroCTF{1_0nc3_kn3w_4_wr173r_n4m3d_fr4nkl1n}


This challenge seems to involve an RSA encryption vulnerability, particularly related to the absence of padding in the encryption process, and the manipulation of polynomials. Here's a breakdown of what seems important:

Key Aspects of the Problem:
RSA Encryption Without Padding:

The flag is encrypted directly using RSA without any padding (like OAEP or PKCS#1), which opens up potential vulnerabilities like textbook RSA attacks (e.g., small exponent attacks, common modulus attacks).
Public exponent e = 3, which might indicate susceptibility to attacks based on small public exponents.
Polynomial Evaluation:

A random polynomial is generated and evaluated at two different inputs provided by the user.
This could provide some insight into recovering the coefficients of the polynomial or, indirectly, some information about the modulus or ciphertext.
Two Ciphertexts:

Two ciphertexts are provided, and it appears that ciphertext2 is derived from applying the polynomial to the flag integer (int_2 is the polynomial evaluated at flag_int).
Potential Attack Strategies:
RSA Vulnerabilities:

Low Exponent Attack: Since e = 3, if the message (flag_int) is small enough, an attack like a cube root attack could be feasible. Essentially, if message^3 < n, you could recover the message by simply taking the cube root of the ciphertext.
Hastad’s Broadcast Attack: If multiple ciphertexts with the same plaintext are encrypted with the same exponent (e=3) but under different moduli, this attack can be used to recover the plaintext.
Polynomial Information:

Since the challenge involves a polynomial function and evaluates it at two points, it might be useful to try and deduce something about the relationship between x, y, and flag_int. If f(x) or f(y) provides a meaningful connection to flag_int, it could provide leverage for decryption.

Steps to Approach:
Analyze the Modulus and Ciphertexts:

Connect to the provided server, retrieve the modulus (n) and both ciphertexts, and try common RSA decryption techniques for small exponents (e=3).
Polynomial Analysis:

Try evaluating the polynomial at various points to see if there's a pattern that relates to the modulus or the flag integer (flag_int).
Use the values of f(x) and f(y) modulo n to reverse-engineer the polynomial or at least understand its role in the encryption process.
Check for Small Flag:

If the flag is small enough, taking cube roots of the ciphertext might reveal the plaintext directly.

Steps to Solve the Challenge:
Evaluate Polynomial at Two Points:

The server is asking for two inputs (x and y) to evaluate the polynomial at those points.
Provide any random integers for x and y and note down the results of f(x) and f(y).
Collect the Modulus and Ciphertexts:

After inputting x and y, the server will likely return two ciphertexts as well. Collect these along with the modulus n that has already been provided.
Understand Polynomial's Role:

Since ciphertext2 is derived from the polynomial evaluated at the flag_int (the flag encoded as an integer), the polynomial is manipulating flag_int in some way before encryption.
The challenge may be to reverse-engineer the polynomial or use the polynomial’s properties (evaluated at two points, x and y) to infer information about the flag.
RSA Decryption (Potential Low Exponent Attack):

With e = 3 and no padding, a cube root attack might work if the flag is small. Here's a Python snippet (above)

Step 2: Investigate the Polynomial's Role: The polynomial evaluations might suggest that f(x) relates to the flag, but more importantly, ciphertext2 is the encryption of the polynomial applied to flag_int.

With the results of f(x) and f(y) and the ciphertexts, you may be able to interpolate or deduce something about the relationship between the flag and the polynomial.

Polynomial Simplification: Since f(x) at x = 0 gives 7, it seems like the constant term of the polynomial is 7. With f(1) = 204, the rest of the polynomial might be linear or low-degree.

You can try recovering the coefficients of the polynomial using Lagrange interpolation or by simple manual inspection based on the small values returned.

Step 3: Use Relationship Between Ciphertexts: If you figure out the polynomial coefficients, you could infer the structure of f(flag_int) and relate it to ciphertext2. This could give you insights into recovering flag_int from ciphertext2 as well.