RSA is really simple, there can't be any mistakes, right?
Solution
Given code below
#!/usr/bin/env -S python3 -uimport osfrom Crypto.Util.number import isPrime, bytes_to_longimport randomdefgetPrime(n_bits,verbose=False):whileTrue: a = random.getrandbits(n_bits)ifisPrime(a):return aelif verbose:print(f"Sadly, {a} was not prime")p =getPrime(1024, verbose=True)q =getPrime(1024)flag = os.getenv("flag","EPFL{fake_flag}").encode()n = p * qe =65537print(f"Ciphertext: {pow(bytes_to_long(flag), e, n)}")
getPrime function generate random number using random.getrandbits and if random number is prime it will be returned from the function. random.getrandbits is not secure random generator, we can predict next value if we have 624 * 32 bits number generated by getrandbits. So in this case, because we know random number generated from getrandbits we can regenerate the p and q and decrypt the ciphertext. Since randcrack need 32 bits value so we submit each value received from the server in 32 bit format. Here is my solve script