- server has a fixed private key which is used to encrypt the flag
- server accepts two different curves (secp224r1 and secp256r1) but uses only secp224r1 for its public key
- server checks that the client's public key point is on the curve it specifies
- server reduces client's public key coordinates modulo p224 before performing scalar multiplication with its private key to get the shared secret
- this allows for an invalid curve attack by choosing points on secp256r1 such that, when reduced modulo p224, they have small order on the new curve that they lie on
- gather information about the private key in this way for many prime orders, then combine with CRT to recover the private key
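
The validation gap described above, next to a corrected check, as an added example (not the challenge's server code and not from the original writeup). The function names are hypothetical and the generator points serve as constructed sample inputs; the curve constants are the standard secp224r1/secp256r1 parameters.

```python
from collections import namedtuple

# Standard SECG/NIST domain parameters; a = p - 3 on both curves.
Curve = namedtuple("Curve", "name p a b")
P224 = Curve("secp224r1", 2**224 - 2**96 + 1, 2**224 - 2**96 - 2,
             0xb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4)
P256 = Curve("secp256r1", 2**256 - 2**224 + 2**192 + 2**96 - 1,
             2**256 - 2**224 + 2**192 + 2**96 - 4,
             0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b)
# Constructed sample inputs: the standard base point of each curve.
G224 = (0xb70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21,
        0xbd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34)
G256 = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
        0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def on_curve(curve, x, y):
    """True if (x, y) is a fully reduced affine point satisfying the curve equation."""
    if not (0 <= x < curve.p and 0 <= y < curve.p):
        return False
    return (y * y - (x * x * x + curve.a * x + curve.b)) % curve.p == 0

def flawed_accept(declared, x, y):
    """Behaviour from the notes: validate on the curve the client names,
    then reduce mod p224 and use the result with the secp224r1 key."""
    if not on_curve(declared, x, y):
        return None
    return (x % P224.p, y % P224.p)  # never re-validated after reduction

def hardened_accept(declared, x, y):
    """Accept only the curve of the server key and validate exactly the
    coordinates that go into scalar multiplication (no silent reduction)."""
    if declared.name != P224.name:
        return None  # curve mismatch with the server's own key
    if not on_curve(P224, x, y):
        return None  # off-curve or unreduced coordinates
    return (x, y)

def demo():
    reduced = flawed_accept(P256, *G256)
    return {
        "flawed_accepts_p256_point": reduced is not None,
        "reduced_point_on_secp224r1": on_curve(P224, *reduced),
        "hardened_accepts_p256_point": hardened_accept(P256, *G256) is not None,
        "hardened_accepts_p224_point": hardened_accept(P224, *G224) == G224,
    }

if __name__ == "__main__":
    print(demo())
```

The flawed path passes a point to scalar multiplication that does not satisfy the secp224r1 equation; the hardened path rejects it before the private key is ever involved.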


Original writeup (https://jsur.in/posts/2021-07-19-google-ctf-2021-crypto-writeups#tiramisu).