Baby Time Capsule — HTB Challenge

retleave · Apr 21, 2026

Info

  • Category: Crypto
  • Difficulty: Easy
  • Key Topics: RSA, small public exponent, Hastad's broadcast attack, Chinese Remainder Theorem

Abstract

Baby Time Capsule presents an RSA encryption service that uses a fixed small public exponent (e=5) and generates a fresh 1024-bit modulus for each encryption request, while always encrypting the same plaintext (the flag). This configuration is vulnerable to Hastad's broadcast attack: given 5 ciphertexts under different moduli, the Chinese Remainder Theorem (CRT) determines m^5 modulo the product of the five moduli, and because m is smaller than each modulus, m^5 is smaller than that product, so the CRT result is the exact value of m^5 (without modular reduction). A simple integer fifth root then yields the plaintext. This writeup covers the mathematical foundations of the attack, why it works, and the conditions under which RSA with small exponents becomes insecure.
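The attack outlined in the abstract, as an added example that is not part of the original writeup or the challenge's code: it runs only on locally generated keys and a constructed plaintext, and it also shows that per-recipient random padding (a stand-in for OAEP's randomization, not a secure scheme) removes the shared plaintext the attack depends on. The names `new_modulus`, `crt`, `iroot`, `recover` and `demo` are assumptions of this example.

```python
import random
from math import gcd

E = 5                      # public exponent stated on the page
rng = random.Random(2026)  # seeded so this constructed demo is reproducible

def is_prime(n, rounds=24):  # Miller-Rabin; callers pass odd n > 3
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x not in (1, n - 1) and all(pow(x, 2 ** j, n) != n - 1 for j in range(1, s)):
            return False
    return True

def new_modulus(bits=1024):  # hypothetical stand-in for the server's keygen
    def prime():
        while True:
            p = rng.getrandbits(bits // 2) | (3 << (bits // 2 - 2)) | 1
            if is_prime(p):
                return p
    while True:
        p, q = prime(), prime()
        if gcd(E, (p - 1) * (q - 1)) == 1:  # e must be invertible mod phi
            return p * q

def crt(residues, moduli):  # x with x = c_i (mod n_i), 0 <= x < prod(n_i)
    x, N = 0, 1
    for c, n in zip(residues, moduli):
        x += N * ((c - x) * pow(N, -1, n) % n)  # lift x from mod N to mod N*n
        N *= n
    return x

def iroot(x, k):  # floor of the k-th root, exact integer arithmetic
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** k <= x else (lo, mid - 1)
    return lo

def recover(cts, moduli):  # m if CRT(c_i) is a perfect E-th power, else None
    r = iroot(x := crt(cts, moduli), E)
    return r if r ** E == x else None

def demo(randomize=False):  # randomize: 128 random bits per recipient (OAEP stand-in)
    m0 = int.from_bytes(b"constructed sample plaintext, not a real flag " * 2, "big")
    moduli = [new_modulus() for _ in range(E)]
    cts = [pow((m0 << 128 | rng.getrandbits(128)) if randomize else m0, E, n) for n in moduli]
    return recover(cts[:1], moduli[:1]) == m0, recover(cts, moduli) == m0
```

`demo()` returns `(False, True)`: the 92-byte plaintext makes m^5 wrap around a single 1024-bit modulus, so one ciphertext is not enough, while five ciphertexts recover it. `demo(randomize=True)` returns `(False, False)` because the five residues no longer come from one common m^5.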

Vulnerability Analysis

Server Implementation

The server code reveals the critical properties:
```python
from Crypto.Util.number import getPrime  # PyCryptodome


class TimeCapsule():
    def __init__(self, msg):
        self.msg = msg
        self.bit_size = 1024
        self.e = 5                          # small fixed exponent

    def _get_new_pubkey(self):
        while True:
            p = getPrime(self.bit_size // 2)  # 512-bit primes
            q = getPrime(self.bit_size // 2)
            n = p * q                         # 1024-bit modulus
            phi = (p - 1) * (q - 1)
```

Content Locked

This challenge is still active on HackTheBox. The full writeup will be available after retirement.