We are given a challenge which contains a Sage script, which holds the following lines of code
nbits = 1024
e = 5
flag = open("flag.txt").read().strip()
assert len(flag) <= 64
m = Integer(int(flag.encode('hex'),16))
out = open("data.txt","w")
for i in range(e):
while True:
p = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
q = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
ni = p*q
phi = (p-1)*(q-1)
if gcd(phi, e) == 1:
break
while True:
ai = randint(1,ni-1)
if gcd(ai, ni) == 1:
break
bi = randint(1,ni-1)
mi = ai*m + bi
ci = pow(mi, e, ni)
out.write(str(ai)+'\n')
out.write(str(bi)+'\n')
out.write(str(ci)+'\n')
out.write(str(ni)+'\n')
…along with a text file containing the encrypted flag. Let us first parse the file and put in a JSON structure
data = {'n' : [n0, n1, ...], 'a' : [a0, a1, ...], ...}
We see that the flag is encrypted several times, up to affine transformation. If we define a polynomial 
where
It is easy to construct 
![\phi_i = \frac{1}{N_i}\cdot \prod_k N_k \cdot [\prod_k N_k / N_i]^{-1}_{N_i}](https://s0.wp.com/latex.php?latex=%5Cphi_i+%3D+%5Cfrac%7B1%7D%7BN_i%7D%5Ccdot+%5Cprod_k+N_k+%5Ccdot+%5B%5Cprod_k+N_k+%2F+N_i%5D%5E%7B-1%7D_%7BN_i%7D&bg=ffffff&fg=000000&s=0 "\phi_i = \frac{1}{N_i}\cdot \prod_k N_k \cdot [\prod_k N_k / N_i]^{-1}_{N_i}")
using the Chinese Remainder Theorem. Clearly, 
p = data['n'][0] * data['n'][1] * data['n'][2] * data['n'][3] * data['n'][4]
PR. = PolynomialRing(Zmod(p))
f = 0
# compute the target polynomial
for i in range(0, 5):
q = p / data['n'][i]
qinv = inverse_mod(q, data['n'][i])
f = f + q * qinv * ((data['a'][i]*x + data['b'][i])^5 - data['c'][i])
# make f monic
f = f * inverse_mod(f[5], p)
print f.small_roots(X=2^512, beta=1)[0]
The code outputs the long integer representation of
PCTF{L1ne4r_P4dd1ng_w0nt_s4ve_Y0u_fr0m_H4s7ad!}
