The big trick: Each byte of the flag was padded with 3 bytes of random data before going through the cipher.

But, the last 2 bytes of each input (aka, a random byte + flag byte) completely determine the last 2 bytes of each output.

All you need to do is build a table of all possible a random byte + flag byte combinations, and their cyphertexts.

Original writeup (https://gist.github.com/AshishMahto/6fee357a57b00bac4c3d0bd50a8bd07d).