Consider the following scenario: Alice has a secret key and public key pair for text-book RSA (denoted $\text{sk}$ and $\text{pk}$ respectively). Bob has an authentic copy of $\text{pk}$. The adversary has an authentic copy of $\text{pk}$.
Now, Bob wants to send his $\text{PIN}$ to Alice which is a four digit number. He encrypts as follows: First he chooses a nonce $N_0$ (a number chosen randomly from a very large domain). He then sends the encryption:
$c = N_0 \mathbin\| \operatorname{RSA}(\text{pk}, [\text{PIN}\mathbin\| N_0]) = N_0 \mathbin\| [\text{PIN} \mathbin\| N_0]^e \bmod N$ where $(e,N)$ is the RSA public key.
Otherwise said, he constructs the new message $“\text{PIN} \mathbin\| N_0”$ (you may assume that he is able to embed $[\text{PIN}\mathbin\|N_0]$ as a number in $\{1, 2, … , N-1\}$) and encrypts that using text-book RSA. He also sends the number $N_0$ to Alice “in the clear”.
Show an attack which allows the adversary to learn the $\text{PIN}$ using only an eavesdropping attack.
I'm just not sure how to even start with this problem. I understand that textbook rsa creates the ciphertext with $\operatorname{Enc}(e, m) = m^e\bmod N$, but I don't know how I would get the $\text{PIN}$ if I can't tamper with messages. Any help would be appreciated.
I tried to work some things out and I've come to a different problem. Since the PIN has a relatively small number of possibilities, could I just use a brute force attack? Since the adversary knows the ciphertext, e, N0, and has access to the public key I could just keep trying different PINS correct?