(the entire TUCTF server vm is available here for you to try yourself!)

Problem

We have set up this fancy automatic signing server!
We also uses RSA authentication, so it’s super secure!

Note: the program accepts base 10 numbers

nc ip 54321

Solution

We are given an adress to a server which will take in a base $10$ number, $p$, and
spew out its signature under a secret key, (which is consistent through each connection).
In order to obtain the flag, we must fabricate a signature of some given text (which is
consistent through each connection as well) without knowledge of that secret key.

To recap, right now all we have been given is a function $S(p)$ which computes
$p^d\pmod N$ and we need to find $S(p)$, where p is the decimal representation of the string

Great!!!
So all we need to do is find the decimal representation of that string, let’s call it $q$,
and pass it to the server to compute $S(q)$, aka it’s RSA digital signature.

Ha! If only it were that easy…

So clearly we’ll have to be a little more clever. To defeat this we
will use a variation of a blinding attack (sort of).
Lets have $N$ be the modulus used by the server, $q$ be the message for which we want to fabricate a signature, and $r$ be a divisor of $q$.
The attack works as follows:

Determine $N$ by signing -1 and adding 1 to the result.

$$e\equiv 1\pmod 2 \iff (-1)^e\equiv N - 1\pmod N$$

Next, it is trivial to chose a factor of , in this case we will chose .
We now must compute , and .

This is all of the information we need to complete the attack.
Finally, S(q) = r^\prime \times q^\prime \pmod N