
# Weak RSA

<figure><img src="/files/VVqR68Wh13LPpSExZ0RG" alt=""><figcaption></figcaption></figure>

{% file src="/files/fC3nBjCKdNIAgTFSuXO2" %}

Zip Password:

```
hackthebox
```

SHA256 hash of the file:

```
1cbf890e7a0fe8b404597b565da96c388e5653937631e2dc8710ede9d15bdb7d 
```

* Download and extract files from zip.
  * Use the password given to unzip.

<figure><img src="/files/PBHC4o8M9dzlryMafomb" alt=""><figcaption></figcaption></figure>

* We get two files.
  * An ENC and a PUB file.
* Let's check out the PUB file.

```
cat [Path to key.pub]
```

<figure><img src="/files/sgZuYuHlOqHC2Dp8ca9r" alt=""><figcaption></figcaption></figure>

```
-----BEGIN PUBLIC KEY-----
MIIBHzANBgkqhkiG9w0BAQEFAAOCAQwAMIIBBwKBgQMwO3kPsUnaNAbUlaubn7ip
4pNEXjvUOxjvLwUhtybr6Ng4undLtSQPCPf7ygoUKh1KYeqXMpTmhKjRos3xioTy
23CZuOl3WIsLiRKSVYyqBc9d8rxjNMXuUIOiNO38ealcR4p44zfHI66INPuKmTG3
RQP/6p5hv1PYcWmErEeDewKBgGEXxgRIsTlFGrW2C2JXoSvakMCWD60eAH0W2PpD
qlqqOFD8JA5UFK0roQkOjhLWSVu8c6DLpWJQQlXHPqP702qIg/gx2o0bm4EzrCEJ
4gYo6Ax+U7q6TOWhQpiBHnC0ojE8kUoqMhfALpUaruTJ6zmj8IA1e1M6bMqVF8sr
lb/N
-----END PUBLIC KEY-----

```

* Looks like a simple public RSA key.
* Now let's check out the ENC file.

```
cat flag.enc
```

<figure><img src="/files/xMKle3ywh5Z3cGsnggLv" alt=""><figcaption></figcaption></figure>

* We get a bunch of gibberish, which makes sense, since a `.enc` extension means the file was encrypted with some form of software.
  * We'll have to figure out how to decrypt the file to read it.
* I'm going to use the `openssl` tool on Kali to try to decrypt it.

```
openssl enc -aes-256-cbc -d -in [Path to flag.enc] -out flag.decrypted
```

<figure><img src="/files/UPAnWPGZ6NhSinFY60vw" alt=""><figcaption></figcaption></figure>

* It asks me for a password, so I try giving it "`password`".
* It gives me back "bad magic number", which is interesting. From what I know about magic numbers, they are the [Hex Signature](https://en.wikipedia.org/wiki/List_of_file_signatures) at the beginning of a binary file.
* Let's open the file in hexeditor, which should be installed on Kali. If not, you can also use an [online resource](https://hexed.it/) to inspect the hex.
* hexeditor

<figure><img src="/files/Dcf54m27FyXoHrC9QiI4" alt=""><figcaption></figcaption></figure>

* [hexed.it](https://hexed.it/)

<figure><img src="/files/Kgj5qIfDsdwgA824InZr" alt=""><figcaption></figcaption></figure>

* As you can see, the first four bytes in hexadecimal are:

```
01 A2 5F EF
```

* Unfortunately, a quick Google search shows that these bytes are not associated with any well-known set of magic numbers, which would make sense if the whole file is encrypted.
* The fact that we were given a public key tells me that this is an asymmetric algorithm. This means that using `openssl` as above was most likely not going to work, since it was using `AES256`, which is a symmetric algorithm.
* We need to use [RsaCtfTool](https://github.com/RsaCtfTool/RsaCtfTool?ref=technicalciso.com) to create a private key from the public RSA key.

```
git clone https://github.com/RsaCtfTool/RsaCtfTool.git
sudo apt-get install libgmp3-dev libmpc-dev
cd RsaCtfTool
pip3 install -r "requirements.txt"
./RsaCtfTool.py
```

* Use the command below to create the RSA private key:

```
./RsaCtfTool.py --publickey [Path to public key] --private
```

<figure><img src="/files/Us5GBskbhlBRDoPLosk0" alt=""><figcaption></figcaption></figure>

* Create `key.priv` and copy the generated private key into it.
* Then we need to run `openssl` to decrypt the file with the new private key.

```
openssl pkeyutl -decrypt -in [Path to encrypted file] -out myfile_decrypted.txt -inkey key.priv
```

* We can then `cat` the `myfile_decrypted.txt` for the flag.

```
cat myfile_decrypted.txt
```

* The final decrypted flag is:

```
HTB{s1mpl3_Wi3n3rs_4tt4ck}
```

<figure><img src="/files/1WliuTSbxXNzLkPNjjT5" alt=""><figcaption></figcaption></figure>
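The flag names Wiener's attack, which works when the private exponent `d` is small (roughly `d < n^(1/4) / 3`); the usual tell is a public exponent nearly as long as the modulus, as in the key above. The following is an added example, not code from the original page or from RsaCtfTool, that runs this weak-key check on a constructed toy key; the names `convergents`, `recover_small_d` and `audit` are chosen for this example.

```python
from math import isqrt

def convergents(num, den):
    """Yield (k, d) for each continued-fraction convergent k/d of num/den."""
    k_prev, d_prev, k_cur, d_cur = 0, 1, 1, 0
    while den:
        a, rem = divmod(num, den)
        num, den = den, rem
        k_prev, d_prev, k_cur, d_cur = k_cur, d_cur, a * k_cur + k_prev, a * d_cur + d_prev
        yield k_cur, d_cur

def recover_small_d(n, e):
    """Return (d, p, q) if the private exponent is small enough to leak, else None."""
    for k, d in convergents(e, n):
        # e*d = 1 + k*phi(n), so a correct guess makes (e*d - 1) divisible by k
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1                  # equals p + q when phi is correct
        disc = s * s - 4 * n             # equals (p - q)^2 when phi is correct
        if disc < 0:
            continue
        root = isqrt(disc)
        if root * root == disc and (s + root) % 2 == 0:
            p, q = (s + root) // 2, (s - root) // 2
            if q > 1 and p * q == n:
                return d, p, q
    return None

def audit(n, e):
    """One-line verdict for a public key (n, e)."""
    hit = recover_small_d(n, e)
    if hit:
        return f"WEAK: d={hit[0]} recovered from the public key alone"
    return f"ok: no small d found (e is {e.bit_length()} bits, n is {n.bit_length()} bits)"

# Constructed toy keys (textbook-sized, not the challenge key): n = 239 * 379.
TOY_N = 90581
WEAK_E = 17993     # generated from d = 5
SAFE_E = 65537     # standard exponent, d is close to the size of n

if __name__ == "__main__":
    print(audit(TOY_N, WEAK_E))
    print(audit(TOY_N, SAFE_E))
```

Generating keys with a standard public exponent such as 65537, rather than choosing a small `d` for speed, leaves `d` close to the size of `n` and outside the reach of this check.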

