Tags: aes nonce-reuse aes-gcm 

Rating:

The program reuse the nonce for every message so it leaks the plain text (GCM use CTR for encryption so this is the same weakness as CTR). As we have an encryption oracle we just have to encrypt a message long enough and then xor with the flag.

```
flag = xor(known_plaintext, xor(encrypted_text, encrypted_flag))
```

The flag is `CCTF{____w0lveS____c4n____be____dan9er0uS____t0____p3oplE____!!!!!!}`

Original writeup (https://github.com/Y-CTF/writeups/tree/main/CryptoCTF2021/Wolf).