RSA Destroyer

March 10, 2024

Challenge description :

This destroyes the RSA cryptosystem.

Resolution :

So, we have two files which are :

output.txt

e = 65538
n = 444874973852804286630293120525019547982392964519934608680681255396764239795499482860997657663742247333836933457910503642061679607999128792657151145831533603267962151902191791568052924623477918783346790554917615006885807262798511378178431356140169891510484103567017335784087168191133679976921108092647227149255338118895695993606854195408940572577899625236666854544581041490770396755583819878794842828965377818593455075306655077757834318066860484956428681524881285058664687568640627516452658874124048546780999256640377399347893644988620246748059490751348919880389771785423781356133657866769589669296191804649195706447605778549172906037483
c = 95237912740655706597869523108017194269174342313145809624317482236690453533195825723998662803480781411928531102859302761153780930600026069381338457909962825300269319811329312349030179047249481841770850760719178786027583177746485281874469568361239865139247368477628439074063199551773499058148848583822114902905937101832069433266700866684389484684637264625534353716652481372979896491011990121581654120224008271898183948045975282945190669287662303053695007661315593832681112603350797162485915921143973984584370685793424167878687293688079969123983391456553965822470300435648090790538426859154898556069348437896975230111242040448169800372469

rsa_destroyer.py ```python from Crypto.Util.number import isPrime, bytes_to_long from Crypto.Random.random import getrandbits

Malware 1/3

March 10, 2024

Resolution :

First of all, we have a file ”snapshot.sav” wich is a memory dump. We know that this file contains a program which can encrypt ”/home/%USER%/Desktop/flag.txt”. That means it’s a linux memory dump. We need to find the username, the hostname and the command line which encrypts the flag. Let’s try to find command line with strings and key words using grep like malware,admin,fcsc and with fcsc we have an interesting output :

strings snapshot . sav | grep ”fcsc”
output :
    [ some strings ]
    forensics@fcsc2021: ~/Bureau
    [ some strings ]

This output looks like a shell command prompt so let’s try with forensics@fcsc2021: :

strings snapshot.sav | grep "forensics@fcsc2021:"
output :
    [ some lines ]
    forensics@fcsc2021:~/Bureau$  /bin/1 --client -i 192.168.56.103
    [ some lines ]

All lines look normal except this line : ”forensics@fcsc2021: /Bureau$ /bin/1 –client -i 192.168.56.103”. Moreover /bin/1 isn’t a current command… So we have our hostname : fcsc2021, our username : forensics and our command line : /bin/1 –client -i 192.168.56.103 ``` python3 -c “import hashlib;print(‘FCSC{‘+hashlib.sha256(b’forensics:fcsc2021:/bin/1 –client -i 192.168.56.103’).hexdigest()+’}’)”