I'm trying to solve a CTF problem relating to RSA encryption.
I can run a challenge binary that will read a flag from a file, the flag will match the following RegEx:
AB1234C\{[0-9a-f]{32}\}\n
So in total the flag is 42 bytes including the newline
The flag is then padded with random padding to a total of 128 bytes.
I can choose the public exponent e, as long as e>1. The binary will generate a random 2048 bit modulus using the python function Crypto.PublicKey.RSA.generate(bits=2048)
The binary will print out the modulus as well as the ciphertext of the encrypted padded flag.
I can run the binary multiple times, the modulus and padding will be different between each run.
I thought it could be related to Hastad's attack but that only appears to work for linear padding, and Coppersmith's short pad attack only works if you have two messages with random padding but encrypted with the same modulus, which I don't have here due to the fact that a different modulus is generated each time I run the binary.
I'm still a beginner when it comes to crypto so I might have been wrong about those attacks and may have missed something obvious.
I believe that the vulnerability could be relating to the size of the padding, as the padded message is only half of the length of the modulus.
I don't necessarily want the solution, but just a nudge in the right direction. Thanks.
