TLDR

Recover plaintext[:16] via decrypting ciphertext[:16].

With all following blocks:

• Send b'\x00' * 16 to retrieve IV from result[16:] because padding makes plaintext look like b'\x00' * 32.
• Recover plaintext[16:32] and so on via ciphertext[16:32] ^ ciphertext[0:16] ^ iv, plaintext[32:48] = ciphertext[32:48] ^ ciphertext[16:32] ^ iv ...

Original writeup