## Solution script
```python=
from pwn import *
import binascii
r = remote('mercury.picoctf.net', 30048)
r.recvlines(4)
r.recvuntil(b'n: ')
n = int(r.recvline().strip())
r.recvuntil(b'e: ')
e = int(r.recvline().strip())
r.recvuntil(b'ciphertext: ')
c = int(r.recvline().strip())
# Calculate payload
payload = c * pow(2,e,n)
r.sendlineafter(b'Give me ciphertext to decrypt: ', str(payload))
r.recvuntil(b'Here you go: ')
doubled_plain = int(r.recvline().strip())
print("Doubled Plain:", doubled_plain)
# Calculate plain text
plain_hex = hex(doubled_plain // 2)[2:] # Remove '0x' prefix
plain_bytes = bytes.fromhex(plain_hex)
print("Plain Text Hex:", plain_hex)
print("Plain Text:", plain_bytes.decode())
r.close()
```
Note that $2^e$ has to be mod, or else it's going to be too big convert to string, and you'll receive error message like this:
```shell
ValueError: Exceeds the limit (4300 digits) for integer string conversion; use sys.set_int_max_str_digits() to increase the limit
```
## Output
```shell
┌──(kali㉿kali)-[~/code]
└─$ /bin/python /home/kali/code/nopadding.py
[+] Opening connection to mercury.picoctf.net on port 30048: Done
/home/kali/code/nopadding.py:18: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
r.sendlineafter(b'Give me ciphertext to decrypt: ', str(payload))
Doubled Plain: 580550060391700078946913236734911770139931497702556153513487440893406629034802718534645538074938502890769425795379846471930
Plain Text Hex: 7069636f4354467b6d347962335f54683073655f6d337335346733735f3472335f646966757272656e745f353035323632307d
Plain Text: picoCTF{m4yb3_Th0se_m3s54g3s_4r3_difurrent_5052620}
[*] Closed connection to mercury.picoctf.net port 30048
```
## Some ranting
After looking up what padding oracle is,
https://dotblogs.com.tw/kevintan1983/2010/10/05/18116
I thought I have to pad it with '\x0b', but that it's more related to bit flipping.
The "padding" here is more about **Homomorphic encryption**, in this case is
`encrypt(m1) * encrypt(m2) = ((m1**e) * (m2**e)) mod n = (m1 * m2)**e mod n = encrypt(m1 * m2)
`
Sign in with Wallet
Connect another wallet