Rocket Ship Academy

This is a challenge from the Cryptography section of Standcon 2021. The challenge provides you with an encrypted text and a decryption oracle.

Statement

Oracle: a person or thing regarded as an infallible authority on something.

Do we have one of those here?

Observation

nc 20.198.209.142 55002

n = 28713861060269664738750366643692005259506136908655056179639217425583197574554447973231160653978619282257724174817620501171952399678336613579623457200245915238651440094340748801156613769029368470321990301966852117013965906921432063149557870215947779102271379045401055717328076704587456275922412353058165393431017383190462768697264479318814500386831539181226606687907716288755403501882964777226945618969523544086304198141691514006962139362755839186173293018008786806850251751867001183472265983779158724804246222967592623360253051026788255650245479317390395813598521064771519740064492047085895244210255045367012134822303
e = 65407
c = 24271970913605870477058691673665421041891421643875386114965037887542182141134452428681438316159565997541624920616647352299898879617839331955824339379919326896839387308116501586005748287514136562016777312751180308872084504396198800220393787012259962192906060066520073401219906641966387518303058071221338146070625846511712434704080385810977005415221510067727121876488407736404813474718723706965814310206013086904328607550331286001512631206968716298741411157502752764137308780895323046404851579695938738516851344335119699978728417312067644484972131942258495593549592394253530675057926082081284497095483558417847306676465
Enter ciphertext:

Well, the first thing to try is just to send the ciphertext straight back to the oracle.

But then we get this message:

It can't be that easy, can it?

So the server appears to block us from sending the generated ciphertext back to the oracle.

Solution

To solve this, we just need to modify the ciphertext given to us a little.

Since we know the public key \((N, e)\), and textbook RSA is multiplicative, we can just multiply the ciphertext by \(2^{e}\):

\[c_{1} = c \cdot 2^{e} \text{ (mod }N)\] \[c_{1} = m^{e} \cdot 2^{e} \text{ (mod }N)\] \[c_{1} = (m \cdot 2)^{e} \text{ (mod }N)\]

Send \(c_{1}\) to the decryption oracle and we get back \(m \cdot 2\).

Divide that result by 2 and we get the flag.

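from pwn import *
from Crypto.Util.number import long_to_bytes

r = remote('20.198.209.142', 55002, level='debug')

# Read the public key (n, e) and the challenge ciphertext c from the banner
r.recvuntil(b'= ')
n = int(r.recvline().strip())
r.recvuntil(b'= ')
e = int(r.recvline().strip())
r.recvuntil(b'= ')
c = int(r.recvline().strip())

# Blind the ciphertext: c1 = c * 2^e mod n, which decrypts to 2m
c1 = (c * pow(2, e, n)) % n
r.sendline(str(c1).encode())
r.recvuntil(b': ')

# The oracle returns 2m; halve it to recover m
m = int(r.recvline().strip()) // 2
print(long_to_bytes(m))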

flag : STC{ch0s3n_c1ph3rt3xt_d7b593cd54baba9e2ffa49215d33e4c657cf230a}
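
The following is an added example, not part of the original write-up or the challenge server: an offline simulation showing why an oracle that only blocklists the exact challenge ciphertext still leaks the plaintext under textbook RSA. The key, the flag and the `oracle`, `recover` and `blocked` functions are constructed assumptions; it generalizes the factor 2 to any invertible blinding factor `s` and unblinds with the modular inverse, which stays correct even when `m * s` wraps past `N`.

```python
# Added example: local stand-in for the challenge oracle (constructed key and flag).
from math import gcd

# Constructed demo key built from two Mersenne primes; far too small for real use.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent, known only to the oracle

FLAG = b"STC{constructed_demo_flag}"     # constructed placeholder, not the real flag
C = pow(int.from_bytes(FLAG, "big"), E, N)


def oracle(ct: int) -> int:
    """Hypothetical server: textbook RSA decryption that refuses only the
    exact challenge ciphertext."""
    if ct % N == C:
        raise ValueError("It can't be that easy, can it?")
    return pow(ct, D, N)


def recover(c: int, s: int) -> bytes:
    """Blind c with s^e, query the oracle, then unblind with s^-1 mod N."""
    if gcd(s, N) != 1:
        raise ValueError("blinding factor must be invertible mod N")
    blinded = c * pow(s, E, N) % N       # equals (m*s)^e mod N, differs from c
    ms = oracle(blinded)                 # oracle returns m*s mod N
    m = ms * pow(s, -1, N) % N           # exact even when m*s wrapped past N
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def blocked(c: int) -> bool:
    """True if the oracle rejects a replay of the original ciphertext."""
    try:
        oracle(c)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(blocked(C), recover(C, 2), recover(C, 3**100))
```

With a padded scheme such as RSA-OAEP, the blinded ciphertext would fail the padding check on decryption instead of returning \(m \cdot s\), which is why a blocklist is not a substitute for padding.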
