Mysterybox

Technical Walkthrough

Writeup

Challenge

• Name: Mysterybox
• Category: Crypto
• Difficulty: Medium
• Mode: hybrid

Summary

Mysterybox is a raw RSA signing-oracle challenge. The server hides the public key but exposes signing and verification. It refuses to sign one specific admin message residue, but the implementation is textbook RSA, so signatures remain multiplicative.

The solve recovers the hidden modulus from signature relations, then forges a valid signature for the blocked admin message by multiplying signatures for two allowed residues.

Artifact Inventory

• files/extracted/crypto_mysterybox/server.py: challenge source for the signing server.
• analysis/artifact-inventory.json: archive inventory.
• Remote service: <TARGET>:32087.

Analysis

The source in files/extracted/crypto_mysterybox/server.py shows:

• sign(message) = pow(message, d, n)
• verify(message, signature) checks pow(signature, e, n) == message
• n and e are hidden from the user
• signing is blocked only when msg % n == admin_message

Raw RSA is multiplicative:

sign(a) * sign(b) == sign(a * b) mod n

For signed messages a, b, and a*b, this means:

sign(a) * sign(b) - sign(a*b)

is a multiple of n. The solver asks for signatures on several small products and computes the GCD of those differences to recover the hidden modulus.

After recovering n, the solver chooses an allowed factor a = 2 and computes:

b = admin_message * inverse(a, n) mod n

The server signs both a and b, and multiplying those signatures modulo n creates a valid signature for the forbidden admin message.

The source-backed solve plan is in analysis/solve-plan.md. RAG was recorded as advisory and validated against current source before use.

Solve

Run:

python3 solve/solve.py <TARGET> 32087 --output loot/flag-candidate.txt

The script keeps all operations in one connection, because the server generates a fresh RSA keypair per process. It writes the admin verification response to loot/flag-candidate.txt; the harness then extracts the flag into loot/flag.txt.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

• Hiding n does not protect textbook RSA signing if multiplicative signature relations are exposed.
• A “do not sign this exact message” check is insufficient when signatures for related residues are available.
• For remote crypto challenges with per-connection key generation, keep modulus recovery and forgery inside the same session.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Challenge: Mysterybox
• Category: Crypto
• Difficulty: Medium
• Mode: hybrid
• Remote instance: <TARGET>:32087
• Start time: 2026-06-13T10:29:34Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• Remote endpoint: <TARGET>:32087.
• The server uses raw RSA signatures and hides n/e.
• Multiplicative signature relations leak the hidden modulus via GCD.
• The forbidden admin message can be forged by signing two allowed residues whose product is congruent to the admin message.
• Raw flag is stored only at loot/flag.txt.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Crypto
• Challenge: Mysterybox
• Difficulty: Medium
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. The service implements textbook RSA signing and verification while hiding n and e.
2. The sign oracle blocks only the exact forbidden admin residue.
3. The hidden modulus can be recovered from GCDs of multiplicative signature differences: sig(a) sig(b) - sig(ab).
4. After recovering n, choose an allowed factor a and compute b = target * inverse(a, n) mod n.
5. Multiplying sig(a) and sig(b) modulo n gives a valid signature for the forbidden target message.

Reusable Lessons

• Hiding an RSA modulus does not prevent recovery when raw signing exposes multiplicative relations.
• Direct forbidden-message checks do not stop blind multiplicative forgery in textbook RSA.
• If a remote service regenerates keys per process/session, perform modulus recovery and forgery on the same connection.

Dead Ends

• None material. The source-backed RSA multiplicativity path was direct.

Tool Quirks

• No heavy math tooling was required; Python math.gcd and modular inverse were enough.
• Solver writes raw remote flag response to loot/flag-candidate.txt and the harness extracts loot/flag.txt.

Evidence Paths

• files/extracted/crypto_mysterybox/server.py
• analysis/server.py.txt
• analysis/solve-plan.md
• solve/solve.py
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes, sanitized technique only
• Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Closed Branches