The full challenge writeup can be found here.
TL;DR
- taking advantage of nonce repetition
- Collect pairs of ciphertexts and their tags encrypted under the same nonce
- Generate h(x) for each pair and find the root(s)
- Decide that the root that appeared the most times must be the correct value of H
- Profit!