HackTheBox ElElGamal Challenge
https://app.hackthebox.com/challenges/379
Description
After some minor warnings from IDS, you decide to check the logs to see if anything suspicious is happening. Surprised by what you see, you realise that one of your honeypots has been compromised with a cryptominer. As you look at the processes, you discover a backdoor attached to one of them. The backdoor retrieves the private key from the /key route of a C2. It establishes a session by sending an encrypted initialization sequence. After the session is established, it waits for commands. The commands are encrypted and executed by the source code you found. Unfortunately, the IDS could not detect the request to /key and the machine was rebooted after the compromise, so the key cannot be found on the stack. Can you find out if any data was exfiltrated from the honeypot to mitigate future attacks?
Exploitation
#!/usr/bin/env python3
from Crypto.Util.number import bytes_to_long, long_to_bytes, inverse
import base64


def decrypt_message(ciphertext: str, s: int, q: int) -> str:
    # Each logged message is "c1|c2" (both base64). c1 is the same for every
    # message, so one shared secret s unmasks all of them: m = c2 * s^-1 mod q.
    try:
        _, c2 = ciphertext.split("|")
        c2 = bytes_to_long(base64.b64decode(c2))
        m = (c2 * inverse(s, q)) % q
        return long_to_bytes(m).decode()
    except Exception as e:
        return f"[Decryption failed: {str(e)}]"


def main():
    # q: modulus used by the backdoor; s: the recovered shared secret
    q = 855098176053225973412431085960229957742579395452812393691307482513933863589834014555492084425723928938458815455293344705952604659276623264708067070331
    s = 804519413946339833036807676236425366393713828575772089253931453873946915064743259014634759406656096586184230449849670884334808422167611972326858050206
    # Captured C2 traffic, in the order it was logged
    ciphertexts = [
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|EtJdz4TGpsPRxpCfSU1EzHCdn7dwx/wM5ddhCA4PpiGZTUpytbe6qYbNgrtJNmB3aTGCMiaxFr1jQfjtonk=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|ApmwM0ox37numDswK1IMAD5I9sD1OLnV4hCEtv6+j/2kF0wIZeckbfZNas/wczb85jEhV8cmRpgRfOy8SYGu",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|zfdAT+azces+LVK57G+oYrdBA9/A30LMnAFhVG5T21jkLgDRayGHw1yilT90GJ9a0wSsfNbxsmJPqqo1B1U=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AhTIGaZxjVa/UARA76g2ECDoeAUvC0btVMnRo0/HxyS7E0MqmyyJcSttPf9kfGjbN06FrFj56NJrILbGf4K2",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|RHOqLQjEjbID7TyPTp+p/OOznHzyuNI9QaLj8F2/vAZpCDUK1//yFaJO78UwjjgzcQWY9yv2hkgY8ACge/c=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AQZrbR9r7dO+CdPHp8I4SgDP/0MOA0NkvWWcaDImB5HPhubKGbNS9OnNcs2ShdXXJ9+pygF7M1hBgIWWuZYR",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|exHMS0Jj51CnO2Ai2lES3P7Upsfvi33Km/GZ3I0XbAo2aqs4xnNoRaLtV0DwcjI/MgRar2UGSoPTt3oJGu0=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|2x692eZegFskxXnptM8btDeLb0S2foSlo1iKV09bNXWZUuIyzfcYrR3mX0SP9UBeNOz8eRFOwPy2K0Lyc2A=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|gQ83O8Sg19BC4HnMFEknUGHQGOMyGFRX22UUe1YB1yZtYx+aAq6n/4M0gl/GpWZvXURqfaERc25o9Tg2pFE=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|exHMS0Jj51CnO2Ai2lES3P7Upsfvi33Km/GZ3I0XbAo2aqs4xnNoRaLtV0DwcjI/MgRar2UGSoPTt3oJGu0=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AuCkgVY/lWBG5XFgfYwCNC9nOZjI2ncCHKfTcl2K2Ie5Bo6EaShdUsQP4rUMy4t5ZEK1cM0ZB+KdHfCZUiUQ",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|A6S0OgAtdvQ4YIheDtCHvgDCDoB+DV0jUnXzOSu2KV9nHu/zAn18M7ou8V25BsGiqW6IyDCPNFXTRHN4FtnP",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AiZ95CrjFfQQstT8aU+H1t9dUH4i7OlQ1nVkx8SmaTcIGXbZXghaFkOE07+4aK20BuUi3rRhxwjwFh7K5Zmq",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|Mp5n6bs2QtuyR6//cxsqQMzBoXhFqotQBZqeN44geBUHxDAmfw61rZ/GclXTy+SrWNDcM6vhOOTg28Sm6AQ=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|A6Mcdavba6LTd+t2mCiW38A5/1lYamiLLPkFIdjWsXvoIPPrE15R021C4wbaPKWTgXdtRwtDzBL6UxXdLIGe",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|A24NpCGdnRip3aKRE3HvBos6Fc7ywzStdsozn0OzvyLENqyD/IOVdLpW7RYXb1pSBxNrT/eOCjTR9tcHN4oy",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AXUFQXwvC9UmYYv+s4Fp4uZIvRJNsYTpo39EE454rqYJXSExNV/IzeDhq9HTFtyvSpe7tQ/m7iSn7GRBNfMH",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|Ab70nelzVaGrGSreMo7TE3I477UnXwdJnFhiwhKOUONkXFIJqwRPH4ntqtgHTJXIUb3l4IlXl0bDePN834aZ",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|KHShTHH+sId0qHwxjmTjn2J/jc3jVTZdc/9WQmsDHv9ecoMJrl6If7pF7kjdhyNPTTUtVSUChUWE67/xnUU=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|A+wzDdGTsLp8pFbwrG0AqBg3ZErY+Smq9HFV5DOzfcqPoctKhul5RjWlKQzxyF6PyogYc8oiGbzzyBEEvFR0",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AwnfyYhOeJOBGDewNw21q5h6rkqmklF3twyk6RfEw1kLlBxlVjkY/wa9RrH5UKQELFg3b9L6BHe9iz5Z4QtM",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|A1e13VqBQhTFFV0f53Up3gJdexBo1y8CxIuXUhfavnaOG60SDmpywm5qF6CsgdTQlOAPWOpvdzFb2dCbq+Gb",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|K1zTtrfRe/7m9zq2KLEx+TpCe6oDzKXowhWx/Qte+Pm1e8MCcCXyxZXGObSsPfV/LQwEr8/QMhBOtollXfA=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|Ahnm8a3aF3MpjcpMITSCF2/B82sIOhJlizpCv36pi3gJWxxUZOfBSeEuhQVXHRcZPB4zETnWRsXOpV0mlMCF",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AYBg6cwatQfYX/C77xd3gO+LGJaX38iNImpBJ8Uh2RVQOSQ/ZNa727ABEop14ASj2JYwHGV1YRfznGh+CzGE",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AmnmFxw/D1tDDGgeA88kCbkoplBsQkmbP0JJrIkyAC/Pjgz+ZEItIEpvhnY2CHPHJoC40dRaX09beLbZdjcn",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AqABsE2xVZ5n7pGxZmNJVHbo5NQCWKFM5+LlfBdUVHCJQswC+dl+iUE5s3Wf7WSerRHuSAAB1OlBGPUX0i4F",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|BC05EGpSllh0wVHiq8xKZ9XG6LS6wYP/nBaPVtTyl2z1UeNBivNlJ5/t+sM9H5q51B7H9J3lDw/w/lJrtWMT",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AgbGDeskwl6G9K9IsiESe/Sd5Hf/Fcy7wHLf6VEUGO1hzMtdy2UVRNWoPCZV0gM4l7kmfUfSwmKrGH8CORXS",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|+SoF4PFex5x0UnYa0EXb3oBbQ622fHyCNCA9+Lx1GYmVP9AtWUJpRXRC/TxsaMwtBwZV1iNg2xgISeU0Hro=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|ARvSDNTKA21WJuF2wJYmT/fHpwdA17ptvgZKWqPfaPkwDFFXMHibS/7r4Jd6SoQ7AwPOJe51TrVc25uoFPnb",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|A1dGzEQIwMFvsUgxkkusJij1wIfWdJkS6NhluzZkm9w/g9iA6DuXa73NdfKGW5HUYBv3p+zzjdy/9sB41ktd",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|hmbmiCbLKjFYa4YkYBVYxEY/RtJY9i7CnqsaZq5JBOorWolAVktFzEnMSkpbjlWNxAV0UbfoKEBkuW8FOmo=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|EI3rF7Eil+O+Q1ZnMLf3i2tml78mojCya4ddJVfuGDT5fOxgMfd3KokAQawpWH2XZXTjINmprN764RhmWbg=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AnTO1nIF7gCoaIIh+BZ8Rd8tH3pZQeHvgXYwpWxG2gqysFEFq4l364BVRnI7kM3zMSwFUzFbV2egqHgzWw2p",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|yx/r6WE8+zYUYEAgCzl30g7Nld0g/GJhKzUNzZ4auS9YVHSSAAbHN/+5vCCQiEh3J+JPIxmstjYveJZoLuk=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|qU3/SEDVdBlyZF4HwrBzYQDyqqwnBQG2bABUh9KPnwawixN47EhnemUJEq5QVA1+jT0ZmsFbi2T+XAyzdxA=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AvlVyNw8FpRvZwtB3Gq6BCB60zBdKzpL7EUN737p8WS7pGUBJC0O0MiLc5k0Vz80yLiQwOwbXtHVADoQ4nz7",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|Awm9WN3jiTex3fuDBElIyWPm4UoUCt1K2+N99GuQxJT+hOHgFlEHAsKcGxOIu5ZQHoPcR5ELv7kWbEf5KVLs",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|yx/r6WE8+zYUYEAgCzl30g7Nld0g/GJhKzUNzZ4auS9YVHSSAAbHN/+5vCCQiEh3J+JPIxmstjYveJZoLuk=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AZ2UTDvCOY9utPTr7/4N1DhlNgT/hB00aVANw60OJLMXW+xpbkoa6PH5DP3GKqOgUTw7QEZbJVUsu/kIpzIo",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|zcoCxUfT9ruiJVY1MipXLNhoXv1tQh5zaBE3M7QJOWzRPn5lMMEnQTRGjm0DabyyB8DGDWFiniMGI5/5pBE=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|yx/r6WE8+zYUYEAgCzl30g7Nld0g/GJhKzUNzZ4auS9YVHSSAAbHN/+5vCCQiEh3J+JPIxmstjYveJZoLuk=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|Ar3Kf8wSBKazztCh/ZUN8O/9c6Mb3GlhS/pkdW/R1lii+9suAvhF71TrlORl5zaKJgxYwpFEoWB2UVWSjSIs",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|At2fiWhVfIhl5b64S0Gt6VN23undOdTUxKtb9/fnjf+4dU76qu5CJg13qiy8KDFvSXtoLg732h1hpJYWtjZ+",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|ARPAb/qbCo2R0emUhbEd/DjGw2P6YXZUuj+BiD1burllUucNh1Hd3YXkH9gGyvcSPca0pOBa/Qhct6aV1s3F",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AjEcwHtXwrHxi0vXXvBZ8k24PrW7k9To/nAQcNOX+UbGmXTzwbUEFFixEdJUF7HViJA91luh1da9mOSRcj1I",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AXWLri4wwhHtSLu2B6Yl43lRxOkWA8QhgxCot/4Rlrf39DTiLvgTGUN7yFKEES5Uqqs0iDWTzrvLrTomrSwQ",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AhY1sFJfeqiTfUcuMwmLlTcFdB8KnFC4rDb21Z6YR6Yn8yXNE7fHcN58UNOJF5FzUFJJvR1n7wHso4PzZcbm",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AbvkqKFzC9dbZtD/mg0UGhQAa2iI9DfcuVHzGGzb8i+DqFiiLs3KwpSpGdadxyVBtc28VNA5XTnJr/LywwWG",
    ]
    for ct in ciphertexts:
        decrypted = decrypt_message(ct, s, q)
        print(decrypted)


if __name__ == "__main__":
    main()
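As an added illustration (my code, not the writeup's or the challenge's), the toy below models the masking step that decrypt_message() undoes: c2 = m * s mod q, transported as "c1|c2". Every entry in the list above carries the same c1, and a few c2 values recur, so the example also includes two checks a defender can run over captured traffic before any key is recovered: one that flags a reused c1 (a single recovered shared secret then unmasks every message, which is exactly what the script above relies on) and one that flags repeated c2 values (under a fixed mask, equal ciphertexts mean equal plaintexts). Q, S, C1 and the sample messages are constructed values, not the challenge's; the arithmetic uses only the standard library, with pow(s, -1, q) in place of pycryptodome's inverse().

```python
# Added example, not part of the original writeup. Q, S, C1 and the sample
# messages are constructed values; the arithmetic mirrors decrypt_message().
import base64
from collections import Counter

Q = 2**521 - 1     # constructed prime modulus (a Mersenne prime), ~65 bytes like the writeup's q
S = 0x5EC2E7       # constructed shared secret; in the challenge this is the recovered value
C1 = 0xC1C1C1C1    # constructed first component, reused on every message


def b64(n: int) -> str:
    """Big-endian base64 of an integer (same layout as long_to_bytes + b64encode)."""
    return base64.b64encode(n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")).decode()


def unb64(text: str) -> int:
    """Inverse of b64(): base64 text back to a big-endian integer."""
    return int.from_bytes(base64.b64decode(text), "big")


def mask_encrypt(msg: bytes, c1: int, s: int, q: int) -> str:
    """Toy sender side: the plaintext integer is multiplied by the shared secret mod q."""
    m = int.from_bytes(msg, "big")
    if m >= q:
        raise ValueError("message too long for modulus")
    return f"{b64(c1)}|{b64((m * s) % q)}"


def mask_decrypt(ct: str, s: int, q: int) -> bytes:
    """Same arithmetic as decrypt_message() in the writeup: m = c2 * s^-1 mod q."""
    _, c2 = ct.split("|")
    m = (unb64(c2) * pow(s, -1, q)) % q
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def decrypt_all(traffic, s: int, q: int):
    """Unmask a whole capture with one shared secret, as the writeup's main() does."""
    return [mask_decrypt(ct, s, q) for ct in traffic]


def reused_c1(traffic):
    """c1 values seen more than once: one recovered secret then unmasks every such message."""
    counts = Counter(ct.split("|")[0] for ct in traffic)
    return sorted(c1 for c1, n in counts.items() if n > 1)


def repeated_c2(traffic):
    """c2 values seen more than once: with a fixed mask, equal ciphertexts mean equal plaintexts."""
    counts = Counter(ct.split("|")[1] for ct in traffic)
    return sorted(c2 for c2, n in counts.items() if n > 1)


# Constructed sample traffic: the same C1 on every line, and one message sent twice.
SAMPLE_TRAFFIC = [mask_encrypt(m, C1, S, Q) for m in (b"session-init", b"status", b"status")]

if __name__ == "__main__":
    for ct, pt in zip(SAMPLE_TRAFFIC, decrypt_all(SAMPLE_TRAFFIC, S, Q)):
        print(ct[:24] + "... ->", pt)
    print("reused c1:", reused_c1(SAMPLE_TRAFFIC))
    print("repeated c2:", repeated_c2(SAMPLE_TRAFFIC))
```

Run as a script it prints the three unmasked messages and the two findings. Both checks need nothing but the captured strings, so on the real log they would flag the shared c1 and the duplicated entries long before s is known; that is the signal an IDS rule on this traffic should key on.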
Summary
ElElGamal: use the curve leak or invalid-curve path to recover the secret and decrypt the flag.