https://app.hackthebox.com/challenges/316

Description

Wikipedia says "the Rabin cryptosystem has been mathematically proven to be computationally secure against a chosen-plaintext attack as long as the attacker cannot efficiently factor integers", so I created my own cool implementation.

Exploitation

#!/usr/bin/env python3

def main():
    with open('output.txt') as f:
        N = int(f.readline())
        remainder = int(f.readline())
        a, b, c = eval(f.readline())
    m1 = pow(2 * remainder, -1, N) * (c - a - remainder ** 2) % N  
    m = m1 + m1 + remainder
    print(bytes.fromhex(hex(m)[2:]).decode())

if __name__ == '__main__':
    main()

Summary

baby quick maffs: model the crypto leak, recover the missing secret, and decrypt the flag.