I have bumped into this challenge from a well known CTF site. I don't want to make a reference to it because I don't want this to be a hint for anyone. And also to avoid giving out the source code of the challenge I will try to describe the code. The thing is that they provide a small script with a class that implements Textbook RSA (no padding or anything). On this script $e$ is predefined and is equal to 3, so $e=3$. The other RSA parameters, like $p$,$q$,$N$,$d$ etc. are newly generated according to the protocol each time you run the script. Cryptographic randomness is also present when required (e.g in the generation of $p$ and $q$). The library pycryptodome is used for the math and random operations. So the script is stateless except for the value of $e$. The point is that along with the file of the script they provide an encrypted form of the flag "presumably" with the script they provide. The content of the flag, of course, isn't the output of the script. But decrypting the encrypted flag with the script give the actual flag. Of course there needs to be property of the RSA exploited there since the script runs with random parameters except for $e$. My question is how can someone manipulate the ciphertext in order for the plaintext to be the same regardless of the parameters $p,q,N,d$?
PS : Of course $p$ and $q$ are random primes and $N$ is their product and $d$ is the multiplicative inverse of 3 in the subgroup of inverses of $N$.
