Solution de Cyrhades pour Carotte Radis Tomate

Dans le fichier carotte-radis-tomate.py nous avons des informations très intéressantes

import os
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad

key = os.urandom(32)
print(key)
# Des modulos sont effectué sur la clé
print("carotte = ", int.from_bytes(key) % 17488856370348678479)
print("radis   = ", int.from_bytes(key) % 16548497022403653709)
print("tomate  = ", int.from_bytes(key) % 17646308379662286151)
print("pomme   = ", int.from_bytes(key) % 14933475126425703583)
print("banane  = ", int.from_bytes(key) % 17256641469715966189)

flag = open("flag.txt", "rb").read()
E = AES.new(key, AES.MODE_ECB)
enc = E.encrypt(pad(flag, 16))
print(f"enc = {enc.hex()}")

Dans output.txt nous avons les résultats des différents modulos effectués sur notre clé.

carotte =  392278890668246705
radis   =  4588810924820033807
tomate  =  17164682861166542664
pomme   =  12928514648456294931
banane  =  5973470563196845286
enc = ****

Donc nous savons que :

k ≡ 392278890668246705 mod 17488856370348678479 (carotte)
k ≡ 4588810924820033807 mod 16548497022403653709 (radis)
k ≡ 17164682861166542664 mod 17646308379662286151 (tomate)
k ≡ 12928514648456294931 mod 14933475126425703583 (pomme)
k ≡ 5973470563196845286 mod 17256641469715966189 (banane)

On peut appliquer le Théorème des restes chinois (crt) pour retrouver la clé.

https://docs.sympy.org/latest/modules/ntheory.html#sympy.ntheory.modular.crt

from sympy.ntheory.modular import crt

n = [17488856370348678479,16548497022403653709,17646308379662286151,14933475126425703583,17256641469715966189]
a = [392278890668246705, 4588810924820033807, 17164682861166542664, 12928514648456294931, 5973470563196845286]

print(crt(n, a)) # (58537804506201655097879135670024677446002384165465965481902712238119765745741, 1316106368917251454661778746676189180644202040571921466778928351544899879450876198147232331445807)

Soit la clé : 58537804506201655097879135670024677446002384165465965481902712238119765745741

On a plus qu’à décoder la chaine enc

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
from Crypto.Util.number import long_to_bytes

key = 58537804506201655097879135670024677446002384165465965481902712238119765745741
E = AES.new(long_to_bytes(key, 32), AES.MODE_ECB)
enc = bytes.fromhex("2da1dbe8c3a739d9c4a0dc29a27377fe8abc1c0feacc9475019c5954bbbf74dcedce7ed3dc3ba34fa14a9181d4d7ec0133ca96012b0a9f4aa93c42c61acbeae7640dd101a6d2db9ad4f3b8ccfe285e0d") 
print(E.decrypt(enc).decode())

On obtient le flag !