Rhome

Technical Walkthrough

Writeup

Challenge

• Name: Rhome
• Category: Crypto
• Difficulty: Easy
• Mode: hybrid

Summary

The service implements Diffie-Hellman, but it deliberately places the generator in a tiny subgroup. The modulus is generated as p = 2qr + 1 with q only 42 bits, and g = h^(2*r) mod p, so the public keys A and B live in the subgroup of order q. Factoring p-1 recovers q, and baby-step/giant-step recovers the exponent modulo q, which is enough to derive the shared secret and decrypt the AES-ECB flag ciphertext.

Artifact Inventory

• Original archive: files/a12c7355-a35e-4808-a203-839a95532bec.zip
• Extracted source: files/extracted/crypto_rhome/server.py
• Remote service: <TARGET>:32375
• Key evidence:

- analysis/source-audit.md

- analysis/solve-run-summary.json

- analysis/remote-transcript-redacted.txt

Analysis

server.py creates parameters as:

self.q = getPrime(42)
self.p = (2 * self.q * self.r) + 1
self.g = pow(self.h, 2 * self.r, self.p)

Since p - 1 = 2qr, exponentiating h by 2*r removes the large cofactor and leaves g in a subgroup whose order divides the 42-bit prime q. The service exposes:

p
g
A = g^a mod p
B = g^b mod p

It encrypts the flag with:

key = sha256(long_to_bytes(ss)).digest()[:16]
AES.new(key, <secret redacted>)

The attack is:

1. Factor (p - 1) / 2 to recover the small q.
2. Solve A = g^a mod p in the order-q subgroup with baby-step/giant-step.
3. Compute ss = B^a mod p.
4. Derive the AES key and decrypt the ciphertext.

RAG did not return useful Rhome-specific guidance, so the solve used the current source and remote transcript as evidence; see analysis/rag-records.md.

Solve

The reproducible solver is solve/solve.py.

It performs:

1. Connects to the remote service and requests parameters plus encrypted flag.
2. Uses Pollard Rho to recover the 42-bit subgroup factor q from p-1.
3. Uses baby-step/giant-step to recover a mod q.
4. Computes the shared secret as B^a mod p.
5. Decrypts the AES-ECB ciphertext.
6. Writes the raw flag candidate to loot/flag-candidate.txt.

The successful run is summarized in analysis/solve-run-summary.json. The harness captured the result into loot/flag.txt.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

• A large prime modulus does not help if the generator is constrained to a small subgroup.
• In Diffie-Hellman, validate the generator order and public-key subgroup membership.
• A 42-bit discrete log is practical with baby-step/giant-step.
• Keep raw decrypted flags in loot/; store only summaries and hashes in analysis/.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Challenge: Rhome
• Category: Crypto
• Difficulty: Easy
• Mode: hybrid
• Remote instance: <TARGET>:32375
• Start time: 2026-06-09T11:25:38Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• server.py exposes p, g, A, and B through menu option 1.
• Parameters are generated as p = 2qr + 1 where q is only a 42-bit prime.
• g = h^(2*r) mod p, so public keys live in the small subgroup whose order divides q.
• The shared secret can be recovered by factoring p-1 to recover q, solving A = g^a mod p in that subgroup, then computing B^a mod p.
• The flag ciphertext is AES-ECB with key SHA256(long_to_bytes(shared_secret))[:16].
• RAG did not return a useful Rhome-specific match; use source audit and live remote parameters as evidence.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Crypto
• Challenge: Rhome
• Difficulty: Easy
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Audit server.py.
2. Identify Diffie-Hellman parameters generated as p = 2qr + 1 with q only 42 bits.
3. Identify g = h^(2*r) mod p, constraining public keys to the small subgroup of order q.
4. Query the remote service for p, g, A, B, and ciphertext.
5. Factor (p - 1) / 2 with Pollard Rho to recover the 42-bit q.
6. Use baby-step/giant-step to solve A = g^a mod p modulo q.
7. Compute B^a mod p, derive SHA256(long_to_bytes(shared_secret))[:16], and decrypt AES-ECB.
8. Store the raw flag under loot/ only.

Reusable Lessons

• Small-subgroup Diffie-Hellman can make an otherwise large modulus breakable.
• If p - 1 has a small factor and g is projected into that subgroup, BSGS over the small order is enough.
• Pollard Rho plus BSGS is practical for a 42-bit subgroup without Sage/SymPy.
• Store discrete-log exponents and shared secrets as hashes in analysis artifacts, not raw values.

Dead Ends

• RAG returned no useful Rhome-specific or matching small-subgroup DH memory. The solve used current source and live remote evidence.

Tool Quirks

• Local sympy, z3, sage, and pwntools were unavailable. Pure Python, sockets, and PyCryptodome were sufficient.
• Baby-step/giant-step for a 42-bit subgroup uses a few million table entries but completed quickly enough locally.

Evidence Paths

• analysis/source-audit.md
• analysis/checkpoint-analysis-20260609T112633261307Z-9d7cc7ea.md
• analysis/rag/rag-query-20260609T112642524135Z-6c969f14.txt
• analysis/rag-records.md
• analysis/evaluator-20260609T112854618618Z-e9b9a79b.md
• analysis/solve-run-summary.json
• solve/solve.py
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Closed Branches

Memory Summary

approval_required: true

Sanitized Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Crypto
• Challenge: Rhome
• Difficulty: Easy
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Audit server.py.
2. Identify Diffie-Hellman parameters generated as p = 2qr + 1 with q only 42 bits.
3. Identify g = h^(2*r) mod p, constraining public keys to the small subgroup of order q.
4. Query the remote service for p, g, A, B, and ciphertext.
5. Factor (p - 1) / 2 with Pollard Rho to recover the 42-bit q.
6. Use baby-step/giant-step to solve A = g^a mod p modulo q.
7. Compute B^a mod p, derive SHA256(long_to_bytes(shared_secret))[:16], and decrypt AES-ECB.
8. Store the raw flag under loot/ only.

Reusable Lessons

• Small-subgroup Diffie-Hellman can make an otherwise large modulus breakable.
• If p - 1 has a small factor and g is projected into that subgroup, BSGS over the small order is enough.
• Pollard Rho plus BSGS is practical for a 42-bit subgroup without Sage/SymPy.
• Store discrete-log exponents and shared secrets as hashes in analysis artifacts, not raw values.

Dead Ends

• RAG returned no useful Rhome-specific or matching small-subgroup DH memory. The solve used current source and live remote evidence.

Tool Quirks

• Local sympy, z3, sage, and pwntools were unavailable. Pure Python, sockets, and PyCryptodome were sufficient.
• Baby-step/giant-step for a 42-bit subgroup uses a few million table entries but completed quickly enough locally.

Evidence Paths

• analysis/source-audit.md
• analysis/checkpoint-analysis-20260609T112633261307Z-9d7cc7ea.md
• analysis/rag/rag-query-20260609T112642524135Z-6c969f14.txt
• analysis/rag-records.md
• analysis/evaluator-20260609T112854618618Z-e9b9a79b.md
• analysis/solve-run-summary.json
• solve/solve.py
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Notes

Notes

Scope

• Challenge: Rhome
• Category: Crypto
• Difficulty: Easy
• Mode: hybrid
• Remote instance: <TARGET>:32375
• Start time: 2026-06-09T11:25:38Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• server.py exposes p, g, A, and B through menu option 1.
• Parameters are generated as p = 2qr + 1 where q is only a 42-bit prime.
• g = h^(2*r) mod p, so public keys live in the small subgroup whose order divides q.
• The shared secret can be recovered by factoring p-1 to recover q, solving A = <REDACTED>, then computing B^a mod p`.
• The flag ciphertext is AES-ECB with key `SHA256(long_to_bytes(shared_secret))[: <REDACTED>
• RAG did not return a useful Rhome-specific match; use source audit and live remote parameters as evidence.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.