(the entire TUCTF server vm is available here for you to try yourself!)

## Problem

We have set up this fancy automatic signing server! We also uses RSA authentication, so it’s super secure!

Note: the program accepts base 10 numbers

nc ip 54321

## Solution

We are given an adress to a server which will take in a base $10$ number, $p$, and spew out its signature under a secret key, (which is consistent through each connection). In order to obtain the flag, we must fabricate a signature of some given text (which is consistent through each connection as well) without knowledge of that secret key.

To recap, right now all we have been given is a function $S(p)$ which computes $p^d\pmod N$ and we need to find $S(p)$, where p is the decimal representation of the string

Great!!! So all we need to do is find the decimal representation of that string, let’s call it $q$, and pass it to the server to compute $S(q)$, aka it’s RSA digital signature.

Ha! If only it were that easy…

So clearly we’ll have to be a little more clever. To defeat this we will use a variation of a blinding attack (sort of). Lets have $N$ be the modulus used by the server, $q$ be the message for which we want to fabricate a signature, and $r$ be a divisor of $q$. The attack works as follows:

Determine $N$ by signing -1 and adding 1 to the result.

$$e\equiv 1\pmod 2 \iff (-1)^e\equiv N - 1\pmod N$$

Next, it is trivial to chose a factor of $q$, in this case we will chose $r=3$. We now must compute $r^\prime=S(r)$, and $q^\prime=S(q\div r)$.

This is all of the information we need to complete the attack. Finally, S(q) = r^\prime \times q^\prime \pmod N

And after passing $S(q)$ to the server, we get our flag.

# Proof

$t \mid q \implies q^d = ((q\div t)\times t)^d = (q\div t)^d \times t^d \pmod N$