Rating: 5.0

CBC-MAC extension attack, as well as sending two messages (one padded, one unpadded). To leak most of the final block.

```
m1 = "SEKAI"
c1 = query(m1)

m2 = pad("SEKAI")
c2 = query(m2)

m3 = "any message >= 16 bytes"
c3 = query(m3)

mForge = m2 || XOR(m3[:16, c1 || c2) || m3[16:]
cForge = c3
```

Original writeup (https://www.nevi.dev/2022/10/02/writeup-sekaictf-2022/#robust-cbc-cryptography).