The implementation of Shamir's Secret Sharing had a major flaw: the polynomials are calculated only once and reused for every character in the string. This revealed too much about the flag. Since we knew the first character (`'f'`), it was a lot easier, and we were able to decrypt the flag with just one part of the split.

So by just using the following part we can decrypt the flag:

```
"x": 3,
"y": [
    183, 189, 178, 184, 204, 195, 132, 198,
    196, 130, 191, 184, 176, 195, 133, 191,
    181, 129, 190, 176, 130, 196, 176, 191,
    129, 197, 176, 183, 198, 191, 206, 91
]
```

```
Let the polynomials be p and the flag be f.

From Shamir's secret sharing:
y[i] = f[i] + x*p[0] + x*x*p[1] + x*x*x*p[2] ...

Substituting some values (knowing f[0] = 'f'):
183 = ord('f') + x*p[0] + x*x*p[1] ...
189 = f[1] + x*p[0] + x*x*p[1] ...

The p terms are identical in both equations, so subtracting the first from the second cancels them:
189 - 183 = f[1] - ord('f')
f[1] = ord('f') + 6 = ord('l'), which seems to be correct
```

Now doing this quickly with a Python script for all characters:

```
# y values of the x = 3 share
a = [183, 189, 178, 184, 204, 195, 132, 198, 196, 130, 191, 184, 176, 195, 133, 191, 181, 129, 190, 176, 130, 196, 176, 191, 129, 197, 176, 183, 198, 191, 206, 91]

flag = ""
for i in a:
    # i - 183 cancels the shared polynomial terms; add back the known first character 'f'
    flag += chr(i - 183 + ord('f'))

print(flag)
```

Using the x = 2 split instead gives some random characters. That can be fixed by using `%255`.
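The flaw and its fix side by side, as an added example that is not the challenge's code: it shows that one share leaks every byte when the random terms are reused, and stops leaking when each byte gets its own polynomial. The names `split` and `guess_from_one_share`, the prime modulus 257 and the sample secret are assumptions made for illustration.

```python
import secrets

P = 257  # assumed prime field; the challenge's actual modulus is not shown on the page


def _eval(secret, coeffs, x):
    """Evaluate secret + c1*x + c2*x^2 + ... mod P."""
    return (secret + sum(c * pow(x, k, P) for k, c in enumerate(coeffs, 1))) % P


def _rand_coeffs(threshold):
    return [secrets.randbelow(P) for _ in range(threshold - 1)]


def split(data, xs, threshold, reuse_coeffs):
    """Return {x: [y per byte]}. reuse_coeffs=True reproduces the flaw."""
    shared = _rand_coeffs(threshold)
    polys = [shared if reuse_coeffs else _rand_coeffs(threshold) for _ in data]
    return {x: [_eval(b, c, x) for b, c in zip(data, polys)] for x in xs}


def guess_from_one_share(ys, known_first):
    """y[i] - y[0] == f[i] - f[0] (mod P) only if all bytes share the random terms."""
    return [(y - ys[0] + known_first) % P for y in ys]


def demo():
    secret = b"flag{constructed_sample}"  # constructed sample, not the challenge flag
    xs = [1, 2, 3]
    weak = split(secret, xs, 3, reuse_coeffs=True)
    fixed = split(secret, xs, 3, reuse_coeffs=False)
    leaked = guess_from_one_share(weak[3], ord("f")) == list(secret)
    still_leaks = guess_from_one_share(fixed[3], ord("f")) == list(secret)
    return leaked, still_leaks


if __name__ == "__main__":
    print(demo())
```

Taking the difference modulo the field size is what keeps the recovered values in range for any share, whichever `x` it was evaluated at.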