The challenge use a classic RSA sign and verify, without anything strange.

So, differently from the others, I abused the fact that we can give both the Sign and the plaintext as inputs. Is enought to switch S with M when given as input, where S is calculated encrypting M with the public key that is given. Since

verify(m,s):
	return m==encrypt(s,publickey)

If we give

verify(encrypt("AAAA",publicKey),"AAAA") # encrypt("AAAA",publickey)==encrypt("AAAA",publickey)

we will pass the test. We just have to do this for 3 times!

Image not found!

After reading the explanation by the OverTheWire team, I don’t think this was intended, but hey, a flag is a flag.