## Description#

By his grace, we have been successfully organizing nullcon, year on year and this is the Nullcon9. At this juncture we cannot forget what did he had said, the one panacea given by him…

In 2010 when we were all worried, how can we be successful with this first ever event…

He raised a toast in Shisha Cafe and said…. Whatever he said became our guiding principle. To preserve his message Jailer encrypted it in a file “encrypt.txt” and deleted the private key.

What we recovered were few public keys, and confession of few inmates tells us that they had crooked Jailer’s machine to produce repetitive numbers.

Given this dump of what we recovered… for 300 nullcoins we need to find out …
**What did he said?**

## Resolution#

There are 3 files in this challenge. The encrypted flag and 2 public keys:

```
-----BEGIN PUBLIC KEY-----
MCwwDQYJKoZIhvcNAQEBBQADGwAwGAIRAOeiuMWobft9fGsyIB23Q4sCAwEAAQ==
-----END PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----
MCwwDQYJKoZIhvcNAQEBBQADGwAwGAIRAMlciLTeSYml/7kmx5RUToUCAwEAAQ==
-----END PUBLIC KEY-----
```

They both are pretty small and therefore very weak. After extraction of the exponent (e) and the modulus (n) of the first one, it’s time to check if there are known factors (p and q) for the modulus.

```
n = 307896566740839738127153373769666872203
e = 65537
```

Factordb.com already knows p and q, that’s great !

The next step is to calculate the private exponent (d). The script rsatools.py can do that given p and q:

```
$ rsatool.py -p 18240960538242393179 -q 16879405341365159057
Using (p, q) to initialise RSA instance
n = 307896566740839738127153373769666872203 (0xe7a2b8c5a86dfb7d7c6b32201db7438b)
e = 65537 (0x10001)
d = 146969319580598585939745007947033365985 (0x6e9142e7bebd3904c59f0edc03304de1)
p = 18240960538242393179 (0xfd24e8f6fbdb245b)
q = 16879405341365159057 (0xea3fb1ba1fe6c491)
```

The final step is to recreate the private key corresponding to this public key and attempt to decrypt the flag. It is not granted to work because the flag might not have been encrypted with the private keys corresponding to the 2 public keys given. But it costs nothing to try :

```
from Crypto.PublicKey import RSA
import base64
n = long(307896566740839738127153373769666872203)
e = long(65537)
p = long(18240960538242393179)
q = long(16879405341365159057)
d = long(146969319580598585939745007947033365985)
c = "SAJNJBq3cMcRI94jNL3LNA=="
key = RSA.construct((n,e,d))
b = base64.b64decode(c)
print "Plaintext : %s" % (key.decrypt(b))
```

Plaintext : BabaSaidJaiJugad

Well… That was way easier than expected for 300 points ! The other key wasn’t even needed ! What about the repetitive numbers mentioned in the description ?

The validation can be done with the flag: `hackim18{'BabaSaidJaiJugad'}`