# It's Not My Fault 1

## Problem

What do you mean RSA with CRT has an attack that's not a fault attack? Connect with nc mercury.picoctf.net 26695. not_my_fault.py

## Solution

The first step of this problem is to get past the MD5 proof-of-work. We need to find a string that starts with a random 5 character long string and creates an MD5 hash that ends with a string of 6 random hex characters. This can be bruteforced with a simple script.

After we complete the md5 proof-of-work section, we are shown the public modulus and a clue, which is the public exponent. There is a function called

`get_flag`

that is called and will print the flag if we pass in`p+q`

in less than 15 minutes. The public exponent,`e`

, was generated using the two Chinese Remainder Theorem (CRT) exponents,`d_p`

and`d_q`

.`d_p`

is at most 20 bits (a number between 1 and 1048576).We can try to bruteforce

`d_p`

and thus find`p`

and`q`

using the approach discussed at Attacking RSA for fun and CTF points – part 4, which I found by searching "rsa crt small dp bruteforce". However, searching for "rsa crt attack -fault" finds this answer on MathOverflow, which discusses a much more complicated bruteforce that will execute much faster. This method is described on page 506 of Galbraith's book "Mathematics of Public Key Cryptography", where it is attributed to Pinch.In the solution script, I implement the above bruteforce using Python's

`multiprocessing`

module to run it on multiple threads because we only have 15 minutes. Without multiprocessing, it would take about 1h20m to run completely on my computer.Running the script produces the following output:

### Flag

`picoCTF{1_c4n'7_b3l13v3_17'5_n07_f4ul7_4774ck!!!}`

Last updated