Problem

Oracles can be your best friend, they will decrypt anything, except the flag's ciphertext. How will you break it? Connect with nc mercury.picoctf.net 30048.

Solution

1. We can use a Chosen Plaintext Attack because there is no padding (indicated by the challenge name) and because we can obtain a pair of ciphertext and plain text.

2. This Cryptography StackExchange answer explains the math behind this attack and this other answer gives a general overview. zweisamkeit/RSHack will automatically perform the attack.

3. Launch RSHack with python3 ./rshack.py and choose 6. Chosen Plaintext Attack. Enter the requested information that is given by the challenge: -n 153317174058272550456436172449379299806606217553583761819287564877942534965046227344186058376803093993732545195006086816891944498697633187352196326580153807193033946265606650305982496810158441324600306024841309110972476195656440282902135076530067225540978713347941494454052999812070106156529492911343680242741 -e 65537 -c 17856665799347463433430880568845899354644746464433920082258619214879000598153275923217743069208871536178972863528995615460756303433973894149616582539818582439239784720267559459321138287482158169482468765162201663023135450768895056898831857379733724122898661531574080743044725582803949198990258704657232380979

4. Decrypt the output ciphertext (37059408608775406653278875603018311139510307136504672307865761675985156589489798839559188163928817978347370339638124833262152743672090581147412234838596461554223512297538748918111802748123952874981734233962360860833781482145874839293757683607729488658056554357895645071803058704036888058288942471423522328962) using the challenge to get 580550060391700078946913236734911770139931497702556153513487440893406629034802718534645538074938502890769425795379846471930.

5. Paste the decrypted text into RSHack to get the interpreted plaintext, aka the flag.

Flag

picoCTF{m4yb3_Th0se_m3s54g3s_4r3_difurrent_5052620}