All-Army CyberStakes 4 - Cryptography (Headpiece Silver)
This challenge provides us with a server to interact with at challenge.acictf.com:30151 (your port number may differ). To get started, let's see what this server is about by connecting to it using ncat.
Based on the information given to us, this is clearly another RSA-related challenge. The server provides us with the components of a public key, the public modulus N and the public exponent e, which are:
N: 122298190177919866881639090045815514691491489519639425496178483984084352945237
e: 65537
If we can derive the private key from this public key, we will be able to decrypt the encrypted password they provided to us, which is: 985be9b7b845a1a09a916437d767c30ae8d7ad4987cb77b0602b04889f7c2301
Normally, computing the private key from just the public key is nearly impossible. What makes the key provided here different is its length. Most RSA keys used today are 2048-bit keys, which are practically impossible for current computers to break. But the key provided by the server is only around a 256-bit key, which is vastly weaker than what is needed for proper security. To fully compare the strengths of these two key lengths, we need to determine how many bits of security each key has. Since RSA is based on the factoring problem, brute-forcing an RSA key doesn’t require you to test all possible numbers, unlike AES, where you’d need to check every possible key. So while AES-256 has 256-bit security, a 2048-bit RSA key doesn’t have 2048-bit security.
According to NIST (p. 54), a 2048-bit RSA key only offers about 112-bit security. And while 256-bit RSA is so weak that it isn’t even considered in the NIST publication, this StackExchange question tells us that 256-bit RSA only offers around 46-bit security. Each extra bit of security makes a key twice as hard to break, so 256-bit RSA is twice as easy to break as a key with 47-bit security. Compared to 2048-bit RSA, the gap is 112 - 46 = 66 bits, so 256-bit RSA is about 73 quintillion times easier to break (2^66, or 73,786,976,294,838,206,464 times easier).
Now to how we can actually break the key. RsaCtfTool makes this task very easy. We can provide the public key components, N and e, and the ciphertext in decimal to this tool in order to quickly derive the private key and plaintext. (Note: It appears the challenge’s modulus is now in FactorDB, so RsaCtfTool isn’t conducting the full attack.)
We can see the plaintext password at the end of the unciphered data: 4n1a5ebRFmtyysAe. By providing this password to the server, we can retrieve the flag: ACI{ad94502b4d2437193e9c3fed364}
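The steps a tool performs to go from a short public key to the plaintext, as an added example that is not part of the original write-up or of RsaCtfTool: factor the modulus, rebuild the private exponent d, and decrypt. The primes, plaintext and function names are constructed for illustration; Pollard's rho is used because it fits in a few lines and is fast on this roughly 60-bit toy modulus, and it is not the method used on the challenge modulus (the write-up notes a FactorDB lookup).

```python
# Added illustration: every value here is constructed, not taken from the challenge.
from math import gcd


def pollard_rho(n):
    """Return a non-trivial factor of composite n using Floyd cycle detection."""
    if n % 2 == 0:
        return 2
    for c in range(1, 50):              # on failure, retry with x^2 + c for the next c
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n         # tortoise: one step
            y = (y * y + c) % n         # hare: two steps
            y = (y * y + c) % n
            d = gcd(abs(x - y), n)
        if d != n:                      # d == n means the walk cycled without a factor
            return d
    raise ValueError("no factor found")


def recover_private_key(n, e):
    """Factor n, then rebuild d = e^-1 mod (p-1)(q-1). Returns (p, q, d), p < q."""
    p = pollard_rho(n)
    q = n // p
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return min(p, q), max(p, q), d


def decrypt(c, d, n):
    """Textbook RSA decryption of integer c back to bytes."""
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Constructed toy key pair: two well-known primes give a modulus of about 60 bits.
P, Q, E = 998244353, 1000000007, 65537
N = P * Q
SECRET = b"s3cret!"                     # constructed plaintext, 56 bits, so below N
CIPHERTEXT = pow(int.from_bytes(SECRET, "big"), E, N)

if __name__ == "__main__":
    p, q, d = recover_private_key(N, E)  # only N, E and CIPHERTEXT are used from here
    print("factors:", p, q)
    print("plaintext:", decrypt(CIPHERTEXT, d, N))
```

The only secret protecting the plaintext is the factorization of N, which is why the modulus length alone decides how much work recovery takes.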
Bonus Solution
As it turns out, like many real-world systems, the challenge’s server has a misconfiguration vulnerability that allows you to skip all of this. What we didn’t check in the previous steps was the fourth option to test ciphertext. It appears that this was supposed to serve as a decryption oracle that decrypts whatever you provide it using the server’s private key. However, since the password ciphertext is encrypted with the public key, we are able to use this test function to simply have the server decrypt the password ciphertext itself.