category : crypto
points : 233
solves : 39
This challenge has both AES and RSA encryption involve
decrypt function is obviously a RSA oracle, which can give us the last byte of decrypted message
Use RSA LSB oracle attack to decrypt the RSA encrypted AES key given by print_key
But print_flag does not give us IV, we can't find the top 16 bytes of the flag
For now, we only have ti#n_ora#le_c9630b129769330c9498858830f306d9}
iv = long_to_bytes(random.getrandbits(BLOCK_SIZE*8), 16)
iv in aes_encrypt is generated by random.getrandbits
In python2, random.getrandbits is implemented using mersenne-twister, which is not cryptographically secure pseudorandom number generator
Use https://github.com/kmyk/mersenne-twister-predictor this repo to predict the iv
TWCTF{L#B_de#r#pti#n_ora#le_c9630b129769330c9498858830f306d9}
這題有 AES 又有 RSA
decrypt 這個函式很明顯的是一個 RSA oracle 可以幫我們解密並給我們最後一個 byte
所以我們就直接作 RSA LSB oracle attack 找回 print_key 的 AES key
但是 print_flag 給的 AES encrypted flag 沒有給 IV 沒辦法解回 flag 的前 16 bytes
目前只有 ti#n_ora#le_c9630b129769330c9498858830f306d9}
iv = long_to_bytes(random.getrandbits(BLOCK_SIZE*8), 16)
不過他的 IV 是用 random.getrandbits 產生的
在 python2 random.getrandbits 內部是用 mersenne-twister 實作的
mersenne-twister 並不是 cryptographically secure pseudorandom number generator
直接用 https://github.com/kmyk/mersenne-twister-predictor 這個就可以預測出 IV
TWCTF{L#B_de#r#pti#n_ora#le_c9630b129769330c9498858830f306d9}