This video from NUS Greyhats should help you with this challenge. Basically, in the additive group of $\mathcal F_p$, the discrete logarithms are simply the inverses. Denote $a, b$ as the secret keys of Alice and Bob. The public key of Alice and Bob are given by $A = ag \mod p$ and $B = bg \mod p$ (it’s normally $g^a$, but we are working with addition here, hence). Hence, the secret key $a$ can be recovered by multiplying the multiplicative inverse of $g$ on both sides of $A = ag \mod p$.

The solution is unnecessary nuking of the challenge. We were given the Diffie-Hellman key exchange between Alice and Bob, with some flag encrypted using the shared secret from that session. We can easily verify that Bob is still reusing his secret b in the communication with us. There are two ways to solve this challenge. The most straightforward way is to use the value A from Alice as the generator $g’$ we sent, p as the prime in the Diffie-Hellman key exchange between Alice and Bob earlier, the value of A does not matter.

The idea may stem from this question on Crypto StackExchange. We use the same idea as the “nuke” solution in Static Client earlier. We will use some groups where the order is smooth, and thus we can efficiently use Pohlig-Hellman. We thus need to pick some weak primes that passes some checks on the server side. Some of the checks are the following: Using number in the form of $p^k$: this may not work (the solution in Static Client won’t work here) as there is some primality check on the server side.

The given link shows us an instance of ARC4, or the stream cipher version of the encryption scheme RC4. I do know beforehand that RC4 is deprecated because of some vulnerabilities, and there are no other apparent weakness to the way that the plaintext is generated from the ciphertext and iv. Also note that, as this is a symmetric stream cipher, encryption and decryption is the same xor operation on the keystream generated.

The description is mentioning something about Infinite Garble Extension, which is used in Telegram (searching the name of the Python class, aesige), hence the name “Paper Plane” - Telegram’s logo. The only observation needed to solve this challenge is that, decryption on a single block can be done without including the entire ciphertext. We only need the first block of ciphertext, and the m0 and c0 corresponding to that block. The very first block will have m0 and c0 provided, and consequent blocks will use the previous plaintext block decrypted for m0, and its corresponding ciphertext block for c0.