1. Recover `n` as `gcd(m^e - encrypt(m))` for several small `m`.
2. Decrypt AES key using last byte provided by `decrypt` command.
3. Recover state of python's PRNG by collecting multiple IV from `encrypt` command.
4. Decrypt the flag using AES key and predicted IV.

Sage script: [https://gist.github.com/neex/27c272fdfb466db98db67e84ef093926](http://gist.github.com/neex/27c272fdfb466db98db67e84ef093926)