Breaking RSA
Hop in and break poorly implemented RSA using Fermat's factorization algorithm. - by hackerinthehouse
Last updated
Was this helpful?
Hop in and break poorly implemented RSA using Fermat's factorization algorithm. - by hackerinthehouse
Last updated
Was this helpful?
The following post by 0xb0b is licensed under
We start with a Nmap scan and find two open ports. SSH on port 22 and a web server on port 80.
We enumerate the directories of the web server using Gobuster, but only find one directory: development.
Visiting the index page doesn't reveal anything of interest.
On the /development page, we find an RSA public key and a log.txt.
The log only repeats what we already know from the challenge description and indicates the source of the algorithm. Furthermore, we can assume that SSH is enabled for root. So we already have the user when we generate the private key later and try to access SSH.
We download the public key.
To determine the length in bits of the public we can issue the following command:
The following source gives an example of how the parameters N and e can be taken from the public key using Python.
We just do it manually for now, but we will integrate it into the final script to answer all RSA-related questions.
We can extract N and e, allowing us to answer the first RSA-related question: the last 10 digits of N. Now things are really taking off.
The challenge description gives us a direct indication of how we can calculate p and q in this case of this weak implementation. We have to use Fermat's Factorization method. If we have p and q, we can calculate the private key d via the inverse of e.
In a recent analysis, it is found that an organization named JackFruit is using a deprecated cryptography library to generate their RSA keys. This library is known to implement RSA poorly. The two randomly selected prime numbers (
pandq) are very close to one another, making it possible for an attacker to generate the private key from the public key using Fermat's Factorization method.
A rough overview of Fermat's factorization can be found here.
Here is the snippet of pseudocode we have to implement:
To be able to calculate with the large values, we use gmpy2.
gmpy2 is an optimized, C-coded Python extension module that supports fast multiple-precision arithmetic. gmpy2 is based on the original gmpy module. gmpy2 adds support for correctly rounded multiple-precision real arithmetic (using the MPFR library) and complex arithmetic (using the MPC library).
Well, we now have almost everything together; we can calculate p and q using the Fermat factorization method. Using p, q, and e, we can calculate d. Also, we are able to get the difference between p and q. Now we just have to generate the private SSH key from our integer values of the parameters N, e, and d. The following source gives a short how-to:
Adding this snippet to our final script, for SSH key generation:
And here is the final Python-script:
After running our finished script, we can answer the questions about the last 10 digits of N, the difference between p and q, and get the private SSH key.
Lastly, we have to add the correct permissions to the key to log on the machine as root. In the home directory of root, we find the flag.
We know from the challenge that we are dealing with a weak RSA implementation. Our task will probably be to extract N and e from the public key in order to factorize N, getting p and q, and finally calculate d. The value d is the private key. If we have the parameters N, e, and d, we can generate the private SSH key and thus access the machine. Check out for a brief overview of RSA.
