@sdamashek
Created May 15, 2016 14:43
TJ CSL Writeup for Not-So-Random Randomness (PACTF 2016)

Not-So-Random Randomness

This key was generated on a Debian system affected by the weak random seed vulnerability, where the only entropy fed to the PRNG was the process ID. Looking at the fingerprint of the given key:

samuel@samaritan ~/projects/pactf % ssh-keygen -lf notso.pem
2048 SHA256:nvIH90xVEyG7AlAhLbmpzthDpjQPTkOIAF6q2k/Iruw no comment (RSA)

So the solution was to generate a key for every possible process ID on a system with the weak Debian binaries, and compare each generated key's fingerprint with the one above. Below is the script that does this, using a pre-existing LD_PRELOAD library that overrides getpid() to return the value of the MAGICPID environment variable:

#!/bin/bash
# Generate one 2048-bit RSA key per candidate PID (1..65535) with the weak ssh-keygen.
# getpid.so is LD_PRELOADed so that getpid() returns $MAGICPID, which is the only
# entropy the vulnerable OpenSSL build uses; each key is written to /keys/<pid>.
for i in {1..65535}; do
    LD_PRELOAD=/getpid.so MAGICPID=$i ssh-keygen -t rsa -b 2048 -f /keys/$i -P '' -q
done

This ran inside a chroot containing the weak ssh-keygen. After some time, the key generated for process ID 6487 had the same fingerprint as the given key:

samuel@samaritan ~/projects/pactf % ssh-keygen -lf 6487
2048 SHA256:nvIH90xVEyG7AlAhLbmpzthDpjQPTkOIAF6q2k/Iruw no comment (RSA)
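The defensive counterpart of the fingerprint comparison above is checking keys that are already deployed (authorized_keys files, .pub files) against a list of fingerprints known to come from the weak generator, the same idea the Debian blacklist tooling used. The following Python is an added example and not part of the original writeup: it builds and parses the ssh-rsa wire-format blob, computes the `SHA256:` fingerprint exactly as `ssh-keygen -l` prints it, and scans an authorized_keys text for blacklisted keys. The blacklist here contains only the fingerprint from the writeup; the key used for the demonstration is constructed (its modulus is not a real RSA modulus) purely to exercise the encoding and lookup.

```python
import base64
import hashlib
import struct

# Constructed blacklist: the fingerprint of the PID-6487 key from the writeup.
# A real deployment would load the full weak-key fingerprint list from a file.
KNOWN_WEAK_FINGERPRINTS = {
    "SHA256:nvIH90xVEyG7AlAhLbmpzthDpjQPTkOIAF6q2k/Iruw",
}


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian magnitude, zero-padded when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def build_rsa_blob(e: int, n: int) -> bytes:
    """Build the wire-format ssh-rsa public key blob (what the base64 field encodes)."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def parse_rsa_blob(blob: bytes) -> tuple[int, int]:
    """Parse an ssh-rsa blob back into (e, n); rejects other key types or truncation."""
    fields = []
    offset = 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + length > len(blob):
            raise ValueError("truncated string field")
        fields.append(blob[offset:offset + length])
        offset += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def sha256_fingerprint(blob: bytes) -> str:
    """Fingerprint in ssh-keygen -l style: base64 of SHA-256 with '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def public_key_line(e: int, n: int, comment: str = "") -> str:
    """Render a constructed key as an OpenSSH 'ssh-rsa <base64> <comment>' line."""
    return ("ssh-rsa " + base64.b64encode(build_rsa_blob(e, n)).decode("ascii")
            + (" " + comment if comment else ""))


def fingerprint_of_line(line: str) -> str:
    """Fingerprint an 'ssh-rsa AAAA... comment' line from authorized_keys or a .pub file."""
    parts = line.split()
    # Skip any leading authorized_keys option field (e.g. 'no-pty,from="..."').
    for i, part in enumerate(parts):
        if part == "ssh-rsa" and i + 1 < len(parts):
            blob = base64.b64decode(parts[i + 1])
            parse_rsa_blob(blob)  # validates that the blob really is an ssh-rsa key
            return sha256_fingerprint(blob)
    raise ValueError("no ssh-rsa key found in line")


def is_known_weak(line: str, weak=KNOWN_WEAK_FINGERPRINTS) -> bool:
    """True if the key on this line has a blacklisted fingerprint."""
    return fingerprint_of_line(line) in weak


def scan_authorized_keys(text: str, weak=KNOWN_WEAK_FINGERPRINTS) -> list[tuple[int, str]]:
    """Return (line_number, fingerprint) for every blacklisted key in the file text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            fp = fingerprint_of_line(line)
        except ValueError:
            continue  # non-RSA key types are outside the scope of this check
        if fp in weak:
            hits.append((lineno, fp))
    return hits


if __name__ == "__main__":
    # Constructed demo key (not a real modulus) to show the scan end to end.
    demo = public_key_line(65537, (1 << 2047) | 12345, "demo@example")
    print(fingerprint_of_line(demo), "weak:", is_known_weak(demo))
```

Keys whose fingerprint is blacklisted should be removed from authorized_keys and rotated; the scan only reports, it does not modify the file.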

Decrypting the given encrypted message with the recovered private key (raw RSA output includes padding bytes before the plaintext, so it is piped through strings):

samuel@samaritan ~/projects/pactf % openssl rsautl -inkey 6487 -in encrypted2.txt -decrypt -raw | strings
.OaP
q?$M
C4 e
yx92
D0n't_Always_TRusT_DaT_D3bian

And the flag is D0n't_Always_TRusT_DaT_D3bian.
