Decrypt with RSA Public Key

I am reading through a report on the Linux/Edbury malware, and it includes the RSA public key used to decrypt a DNS TXT record, along with some example records and their decrypted contents. I am wanting to perform this operation myself but cannot work out how to decrypt using the public key. Several website cannot seem to decrypt using the public key given, and PHP cannot understand the key format, even when using RSA_public_decrypt.

php > $b = base64_decode("P999MR0e//emIov0Z2qtoKKKhFtb1F6l+zMxn9a3q2p18ZWeaTyPXMAlXDAQI3bz6pxmeQzGCuz1P1ms25AiPKGuqhZ+etJXVnjy9Ir4zc2UU3jyeFZhs7UEfGAcZut5LY9dt5tCJKhPhYwbz4s2ZixBVUWPbFDuODCJIi4L3fw=");
php > $d = '';
php > echo file_get_contents("pub.pem");
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAOadSGBGG9x/f1/U6KdwxfGzqSj5Bcy4aZpKv77uN4xYdS5HWmEub5Rj
nAvtKybupWb3AUWwN7UPIO+2R+v6hrF+Gh2apcs9I9G7VEBiToi2B6BiZ3Ly68kj
1ojemjtrG+g//Ckw/osESWweSWY4nJFKa5QJzT39ErUZim2FPDmvAgMBAAE=
-----END RSA PUBLIC KEY-----
php > openssl_public_decrypt($b,$d,file_get_contents('pub.pem'));
PHP Warning:  openssl_public_decrypt(): key parameter is not a valid public key in php shell code on line 1

I was then able to extract the exponent and modulus using this website, which gave:

exponent = 65537

modulus = 168035759425641708560180952719202232808157544797727790464247213618476179383712253107003583015178435839911886769263163903424281459625379125873822735102370865763929704190706996338108960579432721666779496862012535830896815985724121830861130439235763053507097455518214304803032061390442053402776406921786417516093

How do I decrypt the TXT record with the RSA public key, using any method?

Encrypted message (in base64): P999MR0e//emIov0Z2qtoKKKhFtb1F6l+zMxn9a 3q2p18ZWeaTyPXMAlXDAQI3bz6pxmeQzGCuz1P1 ms25AiPKGuqhZ+etJXVnjy9Ir4zc2UU3jyeFZhs 7UEfGAcZut5LY9dt5tCJKhPhYwbz4s2ZixBVUWP bFDuODCJIi4L3fw=

RSA Public Key:

-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAOadSGBGG9x/f1/U6KdwxfGzqSj5Bcy4aZpKv77uN4xYdS5HWmEub5Rj
nAvtKybupWb3AUWwN7UPIO+2R+v6hrF+Gh2apcs9I9G7VEBiToi2B6BiZ3Ly68kj
1ojemjtrG+g//Ckw/osESWweSWY4nJFKa5QJzT39ErUZim2FPDmvAgMBAAE=
-----END RSA PUBLIC KEY-----

1 answer

  • answered 2021-07-27 16:07 Topaco

    Encryption with the private key and decryption with the public key takes place only in the context of signing/verifying.
    In contrast, what is commonly referred to as encryption/decryption (for the purpose of confidentiality) uses the public key for encryption and the private key for decryption.
    Note that both processes generally cannot be converted into each other by exchanging the keys, since they use different paddings.

    Typically, when verifying, decryption is performed under the hood, only the result of the verification is returned outwards: true or false.
    openssl_public_decrypt(), however, supports a low level verification that explicitly allows decryption. If this is executed the resulting plaintext is:

    op3f1libgh.biz:3005980741:1622505600
    

    The corresponding PHP code is:

    $publicKey = "-----BEGIN PUBLIC KEY-----
    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDmnUhgRhvcf39f1OincMXxs6ko
    +QXMuGmaSr++7jeMWHUuR1phLm+UY5wL7Ssm7qVm9wFFsDe1DyDvtkfr+oaxfhod
    mqXLPSPRu1RAYk6ItgegYmdy8uvJI9aI3po7axvoP/wpMP6LBElsHklmOJyRSmuU
    Cc09/RK1GYpthTw5rwIDAQAB
    -----END PUBLIC KEY-----";
    
    $signature = base64_decode("P999MR0e//emIov0Z2qtoKKKhFtb1F6l+zMxn9a3q2p18ZWeaTyPXMAlXDAQI3bz6pxmeQzGCuz1P1ms25AiPKGuqhZ+etJXVnjy9Ir4zc2UU3jyeFZhs7UEfGAcZut5LY9dt5tCJKhPhYwbz4s2ZixBVUWPbFDuODCJIi4L3fw=");
            
    openssl_public_decrypt($signature, $decrypted, $publicKey, OPENSSL_PKCS1_PADDING);
    print($decrypted) . PHP_EOL; // op3f1libgh.biz:3005980741:1622505600
    

    Note that you specified the public key in PKCS#1 format and I converted it to X.509/SPKI format for the PHP code using openssl:

    openssl rsa -pubout -RSAPublicKey_in -in <path to pkcs#1 public key> -out <path to x.509/spki public key>
    

How many English words
do you know?
Test your English vocabulary size, and measure
how many words do you know
Online Test
Powered by Examplum