What is going on, YouTube? This is a video write-up for the challenge Flipping Bits from Square CTF. It covers a little bit of RSA and cryptography, so that's kind of why I wanted to showcase it, because this is an interesting technique that I don't think I've done a video on before. So this challenge prompt says, hey, you're going to be cracking an RSA message. You have two ciphertexts. The public key is E and N. However, E is just the E1. We have maybe a superscript here where it's not normally just the exponent in the modulus. Instead, we have an E1. This time, space radiation or whatever caused some bit flips, and the second ciphertext was encrypted to the faulty public key, E2. So we have two exponents. We have multiple exponents, and that's what is making this RSA challenge interesting. So can we recover the plaintext? That's probably going to be the flag. Let's go ahead and work with this. We can download this file. I'm going to go ahead and copy the address, and then just wget it into a folder that I'm working with. Everything in Square CTF was a jar archive, so we can extract it with a jar xf. And now we have flipping bits.txt available to us. Let's go ahead and open that up in, I forgot my extension, Sublime Text. Cool. And let's take this stuff and put it into a script that we can work with, call it ape.py. I'm using the file header plugin in Sublime Text, which is how it auto-filled that information at the top here. I'm just putting a sublime, sorry, shebang line here, and let's paste in just as a comment what we're working with. So we can start to make variables for all of these. Let's say C1 can equal that information, just a giant decimal number, same thing with C2. We have E1 and E2, which equal 13 and 15, and we have N, or the modulus. Okay. So normally we can just work with P's and Q's and factor N and stuff like that. This is a different challenge, right? Because we have two exponents. So I hadn't seen this before.
I kind of wanted to know what I was doing. So I went ahead and Googled this kind of thing. I just simply tried to Google multiple exponents, RSA. And I found this Stack Exchange post that says, suppose we have two people, Smith and Jones, they have the same kind of problem that we're facing where N or the modulus is the same, but E is different for these two cases. We have known ciphertext CS and CJ, which is essentially our C1 and C2. And the individual who posted this question eventually solves it and notes that it's not any kind of homework or anything, it's just for practice, but he goes through and explains what his work really was and is. So let's look at these equations here. They're understanding that this is how you calculate the ciphertext for ciphertext 1 and 2, and he tries to use the extended Euclidean algorithm. So it looks like he's putting a constant A or a constant B, kind of a coefficient for E1 and E2 in this case, 9 and 13 for him. And then setting it equal to the greatest common denominator, which gives him answers A and B. So let's see how we can do that as well. What I'm going to end up doing is importing, oh, caps lock, holy cow, still caps lock. Let's do from Crypto.Util.number import GCD, and we will need the modular inverse later, so let's take that as well. So let's try and understand that equation. We have E1 times A, which will be a variable that we create, plus E2 times B, which will be another variable that we create, and it should be equal to the greatest common denominator of E1 and E2. So let's actually try and brute force potential candidates for A and B because we can't really just solve this equation. We know GCD is going to evaluate to something and then we need to be able to determine what A and B are without having like another unknown in there, so not without having another equation to work with. So let's just brute force these or try to figure out what they could be.
Let's say for A in range like negative 20 to 20 perhaps, and you can expand that range as you'd like, but B can be negative 20 to 20 as well, and I'm using negative values because we see in the rest of his explanation, he is saying, okay, B is negative, so at least in his case, so I wanted to just include those and that's the numbers that I had chosen for when I solved this challenge originally. So let's test if E1 times A plus E2 times B is equal to the greatest common denominator of these. What we can do is we can print out A and B and see what we've got here. So I've got A being negative 8 and B being 7, and A being 7 and B being negative 6. I just say Ctrl+B in Sublime Text to run that code. So let's go ahead and determine which one we want to use, right? Since in the explanation, beside over on the left-hand side here, the Stack Overflow post or the Stack Exchange post is B or the second coefficient that we're getting is negative, they can calculate with this procedure. So I'm going to go ahead and trust that, but if we wanted to, we can just jot these down. So let's say that A and B is equal to 7 and negative 6, so negative 6 being negative for B in this case. They say as B is negative, we can calculate I with C2 mod inverse of their N. So again, those numbers come from his problem, we're just adapting them to our problem. So let's say I can equal the inverse function that we're inheriting or importing from Crypto.Util.number. It wants to inverse C2 in this case because CS is their C1 and CJ is their C2. So inverse C2 mod N, the modulus here, and now we've solved for I, right? We have a value, cool. And then we can determine what M is by working with these other variables, so M being the plaintext. Let's say CS, which is C1 in our case, mod to the power of, before we mod anything.
I would have tried to put this in a power function because I don't like these straight exponents, but I think because we're doing some of these inverses here, you might be able to do something with it. Maybe it's inverse of that times the power function. Regardless, this is how I ended up solving it. I use C1 to the power of A multiplied by I, which we just calculated, to the power of negative B, and all of that mod N. So percent sign for mod, and then we can print out M, right? So we've got a value. Let's check it out in hex. And these values look like plausible hex characters that would lead us to an ASCII value, or actually trying to spell something out. So let's go ahead and carve out the 0x at the front and remove the L for long at the very, very end. And then we can go ahead and decode this, and just like that we have the flag. So let's go ahead and save this, get flag.py. We can run it, or mark it executable, get flag.py. Run it, redirect it to a flag.txt file so we can save it, and we can go ahead and mark that challenge as complete, and you can go ahead and submit the flag if you'd like. I thought this challenge was super duper cool. It's just not too hard, right? Not crazy hard, but neat in that it's a new trick for RSA. I hadn't seen this before, or at least if I have, I haven't documented it before. So I figured this would be a good opportunity to save this in my CTF Katana GitHub repository. If you haven't seen that, totally check it out. GitHub CTF Katana. It has a lot of resources for capture flag stuff, between ideas for how to approach a challenge, or tools for how to do specific things, or just references to things that you may not have seen before, but there's kind of a documentation archive for that kind of stuff. Definitely a good tool if you want to have that in your pocket. It's by no means complete, so please do feel free to put in pull requests and stuff like that, and add to some of the contents in the tools list. 
But I wanted to have this for multi-exponent RSA in there as well, and hey, we got some points for that too. Enjoying another capture flag competition. And before I go, I wanted to give a special shout out to the people that support me on Patreon. Thank you guys so much. I cannot say it enough. You're fantastic. You're the reason that this channel keeps going strong and helps honestly motivate me and inspire me, because lately I have sucked at getting video and content out to you guys. So thank you for your help and assistance. I'm grateful for the support. If you did like this video, please do like, comment, and subscribe. Oh, before I do this ending spiel reminder about the Patreon stuff, $1 a month on Patreon will give you a special shout out just like this at the end of every video. Whoa! Drag that window down. That was an accident. $5 a month on Patreon will give you early access to everything that is released on YouTube before it goes live. So I'm recording the Square CTF video before the end of Square CTF, and it wouldn't be fair for me to release it until the end of the game. So if you want a little bit of that, hey, behind the scenes, help stuff, get some love from John Hammond. I appreciate your support. Just $5 on Patreon. Thank you guys. And of course any other content that I create later than that is handy for you to have. Maybe. I don't know. Alright, enough of that crap. Please do join our Discord server. Link in the description. It is a cool community full of CTF players, programmers, and hackers. It's growing like crazy. I finally had to like... I feel bad about this because I didn't put in like rules before or moderators before. It was kind of just like an all-out frenzy. And it was bad. There was a... I don't know. Hopefully it is better now with a little bit of moderators or a little bit more police other than just me because I tend to fade away sometimes when I have like actual other life stuff and obligations to do and tend to. 
So I'm grateful for all of you that are part of that community and... I don't know. I just love it. I love you, etc. I love everything. I gotta go. I gotta end this video. Thanks for watching guys. I'll see you in the next one.
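
Added example, not part of the video or the author's script: the recovery described above, with the extended Euclidean algorithm in place of the brute-force search for A and B, run on a constructed modulus and message because the challenge's C1, C2 and N are not reproduced in this transcript. It assumes Python 3.8+ (built-in `pow` for modular inverses instead of `Crypto.Util.number`); the function names are chosen for this example.

```python
# Common-modulus recovery for textbook RSA: same m, same n, two exponents.
# All values below are constructed for illustration, not the challenge data.

def egcd(x, y):
    """Return (g, a, b) with a*x + b*y == g == gcd(x, y)."""
    a0, a1, b0, b1 = 1, 0, 0, 1
    while y:
        q, x, y = x // y, y, x % y
        a0, a1 = a1, a0 - q * a1
        b0, b1 = b1, b0 - q * b1
    return x, a0, b0


def common_modulus_recover(c1, c2, e1, e2, n):
    """Recover m from c1 = m^e1 mod n and c2 = m^e2 mod n when gcd(e1, e2) == 1."""
    g, a, b = egcd(e1, e2)
    if g != 1:
        # Bezout only gives m^g mod n here, which is not the plaintext.
        raise ValueError("exponents are not coprime")
    # One of a, b is negative. pow() with a negative exponent inverts the
    # base mod n first (the transcript's I = inverse(C2, N) step) and raises
    # ValueError if the ciphertext shares a factor with n.
    return (pow(c1, a, n) * pow(c2, b, n)) % n


def demo():
    # Constructed modulus from two Mersenne primes; the message is shorter
    # than either prime, so it is guaranteed invertible mod n.
    p, q = 2**127 - 1, 2**89 - 1
    n = p * q
    m = int.from_bytes(b"flag{demo!}", "big")
    e1, e2 = 13, 15                      # the two exponents from the challenge
    c1, c2 = pow(m, e1, n), pow(m, e2, n)
    rec = common_modulus_recover(c1, c2, e1, e2, n)
    return rec.to_bytes((rec.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    print(egcd(13, 15))   # Bezout coefficients for 13 and 15
    print(demo())
```

The recovery never touches the private key or the factors of N, which is why a deterministic, unpadded RSA message must not be encrypted under two exponents with one modulus; randomized padding such as OAEP makes the two plaintext blocks differ and breaks the identity.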