No Padding, No Problem

Problem

Oracles can be your best friend, they will decrypt anything, except the flag's ciphertext. How will you break it? Connect with nc mercury.picoctf.net 30048.

Solution

1. We can use a Chosen Plaintext Attack because there is no padding (indicated by the challenge name) and because we can obtain a pair of ciphertext and plain text.

2. This Cryptography StackExchange answer explains the math behind this attack and this other answer gives a general overview. zweisamkeit/RSHack will automatically perform the attack.

3. Launch RSHack with python3 ./rshack.py and choose 6. Chosen Plaintext Attack. Enter the requested information that is given by the challenge: -n 153317174058272550456436172449379299806606217553583761819287564877942534965046227344186058376803093993732545195006086816891944498697633187352196326580153807193033946265606650305982496810158441324600306024841309110972476195656440282902135076530067225540978713347941494454052999812070106156529492911343680242741 -e 65537 -c 17856665799347463433430880568845899354644746464433920082258619214879000598153275923217743069208871536178972863528995615460756303433973894149616582539818582439239784720267559459321138287482158169482468765162201663023135450768895056898831857379733724122898661531574080743044725582803949198990258704657232380979

4. Decrypt the output ciphertext (37059408608775406653278875603018311139510307136504672307865761675985156589489798839559188163928817978347370339638124833262152743672090581147412234838596461554223512297538748918111802748123952874981734233962360860833781482145874839293757683607729488658056554357895645071803058704036888058288942471423522328962) using the challenge to get 580550060391700078946913236734911770139931497702556153513487440893406629034802718534645538074938502890769425795379846471930.

5. Paste the decrypted text into RSHack to get the interpreted plaintext, aka the flag.

Flag

picoCTF{m4yb3_Th0se_m3s54g3s_4r3_difurrent_5052620}