Foreward

I've become a mareschizo, and it wasn't my fault.

You have to believe me. I never wanted to become a mareschizo. The last thing I wanted in my too-eventful life was to become like Jimm.

Poor Jimm... He is a shadow of his former self now, barely able to form coherent sentences before foaming at his mouth and talking about mares and snowpitys. I guess I'll be following his footsteps soon. I can already feel my sanity unraveling. The nonsensical shit he used to utter... It all makes sense to me now. That means I'm not too far behind Jimm. I'll be fucked in the head soon, just like him.

I've tried all I can to get mares out of my mind, but I can't. All I can think of is mares. Mares. Mares and their soft snowpitys. Mares--

...Shut up. AAAAaaaaaahhhh.

I need to write this down before this moment of clarity disappears. I need to offload what fragments I remember from that awful weekend before my mind is fully taken over by mares. Mares and their lovely mare ways.

Part One -- Turing Test

It all started on that fateful day -- April 1st, if you can believe it -- when I entered a seemingly innocuous CTF competition hosted by Twibooru.

It was a lazy Saturday. I woke up unusually early and finished my errands by early afternoon -- groceries were in the fridge, apartment was vacuumed, washer was tumbling full of laundry. I poured myself a glass of wine and scrolled through the catalog, wondering what to do next.

Something caught my eye. Dark purple screencap. Capture the Flag.

![01 - mlp screencap]()

https://archived.moe/mlp/thread/39789665

Someone bumped the thread less than an hour ago. The OP itself was much older than that. I pointed my browser to the Twibooru forum post to see what's going on.

![Twibooru CTF forum post]()

Now, I know Jimm. Really nice guy, known him for a few years. He's one of people in charge of doing the day-to-day technical stuff for Twibooru. He had told me the week before that Twibooru staff is planning on enabling forums for April Fools, but nothing about a CTF. It's really unusual for Jimm to withhold stuff from me -- He's one of those oversharers when it comes to online chatter.

The fact that Jimm never mentioned a Twibooru CTF to me before was very suspicious, but I wrote it off as him not wanting to spoil the fun for me.

I read the forum post word by word, focusing on the last paragraph. Turing Test. Disallowed. I began to wonder if there's something hidden in the pony captcha for new images. I made a quick visit the upload page and find nothing useful.

Disallowed. I muttered to myself. Disallowed. Disallowed. Disallowed. Disallowed--

Maybe there's something in robots.txt.

# [IMPORTANT RULES/NOTES]
# - This CTF is linear. Every flag is supplied in the format "flag{f14g_h3r3} (n/5)" where n is the stage you have completed.
#   Once you have found the flag for stage n, you don't need to return to any stage before that in order to progress.
#   It is not intended to be possible to find a flag for stage n before finding the flag for stage n-1,
#   unless you get very lucky or somehow miss the flag but complete the stage anyways.
# - No scanning, bruteforcing, hash cracking, or automated exploitation of any kind is required -
#   the correct solution to each of these problems can be performed by a human in a reasonable amount of time.
#   Note, however, that writing programs to perform certain local computations on data you have obtained may be beneficial.
# - If you find an actual vulnerability in the challenges that does not appear to be part of the CTF, please report it to me (Floorb),
#   and please do not exploit it for any malicious purpose.
# - Please do not share flags or solutions publicly until after the challenge is complete (ie: the end of April 2, UTC time zone.)
# - There may be prize(s) - sharing flags will likely hinder any prize(s) you get.
# - If you want to track your flags, PM them to me (<USERNAME REDACTED>) on Twibooru
# - The levels are intended to increase in difficulty. Levels 1 and 2 are simple. Beyond that, the difficulty ramps up.
# - The following skills will be useful, in no particular order: steganography, basic web exploitation,
#   binary exploitation, basic programming, (extremely, hilariously) basic cryptography.
# - If you're experiencing any problems, please let me know on 4chan or Twibooru.
# - Have fun!
# flag{<SNIP>}
Disallow: /<SNIP>/ # < that trailing slash is important

Well, that's one flag down. I copied my first flag in a new file and navigated to the disallowed page.

Part Two -- Jimm's Secret

![02 - login page]()

Navigating to the disallowed page, I found myself staring at a PHP login form. I didn't have a Twibooru account at the time, but this form looked like it wouldn't accept a regular login info. A secret door for those in the know, maybe.

This worried me a bit. Have I stumbled upon a staff-only login page by accident? Was this the gateway to the Deep Web that I heard so much about?

Not to mention, the site heading was concerning:

![05a - pity]()

Whoever made this page was obviously obsessed with mares. Dangerously so, perhaps.

Scrolling further down, I noticed something that made me jump out of my seat:

![03 - jimm]()

I tabbed over to Hexchat and pinged Jimm.

anonymous | yo, jimm 
          | hey, what's with this ctf? who's been hacking your account? 
          | you never mentioned this ctf thing before... i thought twibooru was just doing the forums thing for april fools
          | i think i stumbled into a staff-only page and it looks absolutely fucked 
          | jimm, you there? 

     jimm | I'm with the mares now. 

anonymous | ...what the fuck is that supposed to mean? 

     jimm | Snowpity makes my life complete... 
          | Oh my god, can you imagine hugging a mare while wearing your 100% cotton Rainbow Dash shirt? 

anonymous | no, i can't and i don't want to 
          | did you make this ctf? did you tell any of the twibooru staff about this? 

     jimm | There are five challenges in the CTF. You can start by visiting my page. 
          | 5/5 is one and you get one mare-gift for every challenge completed. 
          | Mares are all I need. You will accept mares because they are kind and lovely. Soft blue skies and warm snowpitys... AHh..

anonymous | ...fine, whatever. what's the password for your account?  

     jimm | Do you think mares are into snorkeling? Those soft wet manes, sparkling with salty seawater...

This wasn't going anywhere. Jimm kept repeating the same drivel about mares. Mares, mares, mares. Mares and their soft coat. Mares and their flower-scented mane. That's all he talked about. Mares.

After trying to use SQL injection to nondestructively barge into his account, I opted to reset his password instead. "Sorry Jimm," I muttered to myself, knowing full well that I'll be locking him out of his own account when I do this. "You should've just told me your password."

![04 - reset]()

Recalling the deranged mess I read in the login page, I easily bypassed his security question.

![05 - snowpity]()

![06 - success]()

I tabbed back to Hexchat to let Jimm know.

     jimm | Ahh, the sinews and tendons of a well-toned mare's hindlegs, wrapped like coils around my neck. 

anonymous | jimm, i reset your account's password 
          | it's "password" now 

     jimm | Snowpity and the free-range mares. My doors are unhinged and the snooties are free to come in and nuzzle me...

I watched his mare ramblings for a few minutes before tabbing away.

Part Three -- Suspicious Mare

I held my breath as I logged in as Jimm, anticipating the worst.

![07 - marepage]()

Thankfully, what awaited me was tame at first glance. Jimm's mare collection page, I supposed.

Going from left to right, I clicked on each mare's page to see if anything's amiss. All of them looked fine, all things considered, but "SUSPICIOUS MARE" gave me a pause.

![08 - sus]()

A full page dedicated to Minuette. I couldn't bring myself to scroll down any further. The thumbnail in the previous page... the way she stared at me, it was just too much. She was definitely a suspicious mare. A mare with snowy, frigid snowpitys. A mare who'd stomp her hoofsies if she didn't get her way in things. A mare with flaws, someone only Jimm could love.

I shook my head and broke my train of thought. Minuette was staring at me from the screen. When did I scroll down this far?

I downloaded the picture and began poking around -- almost as though interrogating Minuette herself.

$ xxd suspicious_mare.jpg
00000000: ffd8 ffe0 0010 4a46 4946 0001 0100 0001  ......JFIF......
00000010: 0001 0000 fffe 0051 596f 7520 7769 6c6c  .......QYou will
00000020: 206e 6576 6572 2066 696e 6420 6d79 2073   never find my s
00000030: 6563 7265 7420 6d61 7265 7373 6167 6520  ecret maressage 
00000040: 6966 2079 6f75 2064 6f6e 2774 2047 5545  if you don't GUE
00000050: 5353 2068 6f77 2074 6f20 6765 7420 6974  SS how to get it
00000060: 204f 5554 2e2e 2eff db00 4300 0101 0101   OUT......C.....
<SNIP>

It looked like Jimm's friend -- whoever he is -- hid something inside the mare. It's odd that he'd mark some words in all-caps. Maybe he's using them as keywords to mark interesting regions in the file?

$ xxd suspicious_mare.jpg | less

I began searching the file for GUESS, OUT, and various substring permutations of those all-caps words. I found nothing.

I took another sip from the wine glass, giving myself some time to think. "GUESS how to get it OUT," I muttered to myself. "How do I get it out of you, Minuette?"

Why did I try to talk to the picture?

"Fuck," I shouted out loud, trying to shake the creepy feeling. Am I drunk already? Exhausted, maybe? I glanced at the clock -- 5pm -- as I stepped away from the computer to grab a tangerine. Eating something might help.

Halfway to the kitchen, I realized something -- there was a similar riddle in Cicada3301 involving outguess.

I rushed back to the computer and typed away furiously. Outguess. Maybe that's how I can get it out of this mare.

$ man outguess 
$ outguess -r suspicious_mare.jpg msg.txt
Reading suspicious_mare.jpg....
Extracting usable bits:   199809 bits
Steg retrieve: seed: 248, len: 93
$ cat msg.txt 
flag{<SNIP>} (3/5)
https://ponepaste.org/8747 <PASSWORD REDACTED>

I pulled the chair out and sat down again. This had gone too far. Jimm is tech-savvy, sure, but he's not the type to hide private ponepaste links inside images of mares. Especially not inside images of toothpastey blue mares with piercing eyes. The same eyes that would question you if you tried to pet her soft mane.

"Aaaah," I let out an animalistic noise, trying to drown out the inner voice. "Ahhhahhhhhhhhh." Somehow, I had switched back to the tab with Minuette staring at me. Cool mare with cool mane with cool gaze and cool demeanor.

"AaaaHHHHhh."

I closed the tab and copied the ponepaste link to my browser. My breaths grew ragged as I saved the latest flag. It felt satisfying to save the flag given to me by the lovely mare even though every fiber of my being wanted to trash the file and forget about it all. No, I couldn't do that to this lovely gift given to me by a lovely mare.

Part Four -- Mare Cipher

![09 - mareschizo paste]()

I navigated to the ponepaste link and entered the password. One single line of someone's declaration of love for all mares. I read every single word, resisting the urge to let my eyes glaze over. Something backed up in my throat and I wanted to throw up. I swallowed it down and read the thing all the way.

As soon as I managed to pry my eyes from the last word in the paste, I rushed over to the bathroom and threw up. My vision blurred with tears. Lights danced in my eyes as the early evening sunset cast a strip of orangeish glow over the bathroom sink. I let out a few more dry hurls before getting up and washing myself off at the sink. Something reflected wrong in the mirror and turned into a strip of rainbow over my hands. Rainbow like Rainbow Dash. A dashing mare with a squeaky voice.

Back at the computer, I downloaded the textfile and began thinking of the ways to extract something out of this. There won't be anything hidden in the file this time unless ponepaste is also in on the CTF event.

Time passesed. A Python script was conjured up. Maybe there's something to do with the sentence fragments and their wordcount.

$ python3 wordcount.py 
11 | mares mares mares i love them i love them mares mares
11 |  mares mares mares mares i love them i love them mares
11 |  mares mares i love them mares mares mares i love them
13 |  mares mares mares i love them mares i love them i love them
 9 |  mares mares mares mares i love them mares mares
11 |  mares mares mares mares i love them mares i love them
14 |  mares mares i love them i love them i love them i love them
<SNIP>

The result was not very helpful. There were odd and even counts everywhere. No repetitive patterns to be seen, either.

Then, something hit me. What if each sentence represented a letter?

I wrote a new script to do a frequency analysis:

$ python3 freq.py 
1 | mares mares mares i love them i love them mares mares
4 | mares mares mares mares i love them i love them mares
4 | mares mares i love them mares mares mares i love them
1 | mares mares mares i love them mares i love them i love them
1 | mares mares mares mares i love them mares mares
2 | mares mares mares mares i love them mares i love them
3 | mares mares i love them i love them i love them i love them
5 | mares mares i love them i love them mares i love them mares
3 | mares mares i love them i love them mares mares
<SNIP>

There were lots of unique "letters" in the mix. Good. Unique like every mare, pretty and soft in their own right. Every secret message up to this point was made up of lowercase letters and leetspeak, so having lots of unique letters was a good sign.

I took a shot in the dark by assuming the first five "letters" represent flag{ and wrote a script to parse the message as such:

$ python3 parser.py
flag{............................................ll.a......................a.............a.......................l....

Unfortunately, it didn't reveal enough of the message to be helpful. On top of that, the ll.a part was problematic -- I couldn't think of a common English word that contains two l's followed by "something-a".

I adjusted the script to space out the words in the original message evenly. Maybe there's some kind of substitution involved.

$ python3 parser.py 
f | mares mares mares i     love  them  i     love  them  mares mares 
l | mares mares mares mares i     love  them  i     love  them  mares 
a | mares mares i     love  them  mares mares mares i     love  them  
g | mares mares mares i     love  them  mares i     love  them  i     love  them  
{ | mares mares mares mares i     love  them  mares mares 
. | mares mares mares mares i     love  them  mares i     love  them  
. | mares mares i     love  them  i     love  them  i     love  them  i     love  them  
. | mares mares i     love  them  i     love  them  mares i     love  them  mares 
<SNIP>

"Mares mares mares. I love them." I read it out loud.

I scrolled through the entire message, trying to find a pattern.

Time passeed, sun disappeared, and the room darkened. I got up to turn the light on.

"Mares mares I love them. I love them mares. I love them mares mares."

"Mares mares mares. I love them. Mares I love them."

I must be on the wrong track here.

Mares mares. I love them. Mares.

Mares. I love them.

"I love them" never changes. That's a pattern.

"I love them," I mutter to myself. Mares mares independent. I love them together. Mare-o and Ilovethem'un. I mapped mares to zero and I love them to one and ran the script again.

$ python3 uh.py
0 0 0 1 1 0 0
0 0 0 0 1 1 0
0 0 1 0 0 0 1
0 0 0 1 0 1 1
0 0 0 0 1 0 0
0 0 0 0 1 0 1
0 0 1 1 1 1
0 0 1 1 0 1 0
0 0 1 1 0 0
0 1 0 0 0 0 0
<SNIP>

I scrolled through the output before realizing my mistake. I switched the mapping and stripped out the spaces:

$ python3 uh.py
1110011
1111001
1101110
1110100
1111011
<SNIP>

The numbers looked like they belong in the printable ASCII range. I added some decoding to the script and ran it one more time:

$ python3 uh.py 
0x73
b's' s
0x79
b'y' y
0x6e
b'n' n
0x74
b't' t
0x7b
b'{' {
0x7a
b'z' z
0x30
b'0' 0
0x65
b'e' e
0x33
b'3' 3
0x5f
b'_' _

<SNIP>

0x67
b'g' g
0x7d
b'}' }
0x20
b' '  
0x28
b'(' (
0x34
b'4' 4
0x2f
b'/' /
0x35
b'5' 5
0x29
b')' )

Four letters followed by a curly brace. Underscores. Closing curly brace. Flag level indicator in parenthesis. I realized that I was getting close to solving this one. Soon, I'll be given a lovely gift from the mare. Gift from a mare. I love them.

I shook my head hard, trying to dislodge myself from the mare-thoughts. I needed to focus.

After getting hold of myself, I fired up Python to do a quick check:

>>> ord('s') - ord('f') 
13
>>> ord('y') - ord('l') 
13

Yes. Definitely a ROT13. I didn't even bother checking the rest of the characters and went straight to modifying the old script to map each "sentence" to a letter and then ROT13 them:

$ python3 parser.py 
flag{<SNIP>} (4/5)
don't tell anyone but the secret mare server is at <IP REDACTED> (telnet)

Gift from a mare. Lovely gift, magical string of letters.

A thick line of drool escaped out of my mouth and pooled on the desk as I saved the precious mare-gift. Four out of five. I'm doing so well. The mares would be proud of me.

Part Five -- MareServer

After stretching my legs out, I opened up a new terminal window and went to work. I invoked telnet like a spell, sending magic breezies down the wire and into another server somewhere out there in the world.

$ telnet x.x.x.x yyyy 
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
----- Welcome to the secret MareServer -----
Your options:
1) Download all mares
2) Upload new mare
3) Delete all mares
4) Access MareNotes(tm)
Selection: 

Secret MareServer. Jimm's secret stash. His lovely, precious mares doing mare things in a lovely mare server.

I gave each option a try, going from top to bottom. Trying to download all mares revealed that Jimm had too many mares for MareServer to handle. Same with uploading a new mare.

My pulse quickened as I typed 3 and my fingers hovering over the Enter key. Delete all mares. Remove them and remove this feeling of mares clogging up my chest. I clenched my teeth as I tried desperately to push the key. Mares are soft and kind and I'm trying to delete them all.

I clenched my eyes shut and pushed the key.

----- Welcome to the secret MareServer -----
Your options:
1) Download all mares
2) Upload new mare
3) Delete all mares
4) Access MareNotes(tm)
Selection: 3
 Why... why would you ever do such a thing? My mares...
 I love them, I must keep them safe, why don't you love them too?!
 How could you even think about hurting these kind, innocent, beautiful, huggable, scritchable, lovable MARES?!

MareServer refused to comply. Tears rolled down my cheeks as a strange mix of emotions bathed my brain in conflicting chemicals. I couldn't believe that I tried to delete Jimm's precious mares. Lovely mares who'd done nothing wrong. I was stuck with them forever, just like Jimm.

I forced out a yawn, trying to distract myself from the awful thoughts. "Aaaaaaaaah." A long groan. Something, anything to drown out the mare-thoughts.

I typed in 4 to try the final option in the MareServer program:

----- Welcome to the secret MareServer -----
Your options:
1) Download all mares
2) Upload new mare
3) Delete all mares
4) Access MareNotes(tm)
Selection: 4
Please enter passmare ("public" = public access, your mareword for secret access): public
----- [Contents of public-marenotes.txt] -----
I am obsessed with mares. I would do anything to see the little mares with big smiles on their adorable mare faces. Just to catch a glimpse at a mare smile would be enough to give me a life time of joy and happiness. Truely it is a curse to have a screen between myself and the mares I love so very much but at the same time i am so very grateful that I can known them at all. That I can play mare games and watch mare shows, i love having mares even on my clothes. With out mares I would be empty and lost I need mares I would even say im co dependent. I would never want to live unaware of mare I just wish mare was aware of me too. I'd love to touch the mare or stroke her perfect mane. I want to feel the warmth and love radiating off her snowpity the way the sun radiates heat and light. Mares are my sun and I am a flower, I draw life sustaining power from the mares in my life and I only wish to give back what they have given to me. It hurts me that I can't show the mares how much I love and care for them. I love them, I love their big mare eyes and their cute mare smiles. I love their floppy mare ears and pretty mare hooves, i love their brushable mare coats too. Every part of the mare, I love their snowpities I would be honored to bask in their glow. I need mares in my non mare life.
Mares mares mares mares mares mares mares mares mares mares mares mares i love them i love them i love them i love them i love them i love them i love them mares i love them i love mares i love mares i love mares so much i love every single mare they are so very fair the way they do their mare stare is  with out compare i need mares i love them

Every day i wake up thinking about mares, they are everywhere in my house doing their own lovely mare things. I have removed the doors and thrown open the windows so mares may move freely in and out of my house. Some days i will awaken to piles of sleeping mares in my living room or in my bed. I make sure to give each one of them carrots and mare bread. I love them all very much and it is an honor that they choose to wander into my home. I like to watch them as they move, every  mare is so full of grace i wish i could watch mares all day with out having to move. My dream is to spend all day with the mares and abandon my human life.

I could live entirely off mare bread I would. I would love to live in a mare society helping farm the wheat needed to make the mare bread. I would love to help mares sell their mare bread to more happy mares. Each loaf of mare bread represents not only a potentially happy mare customer but a happy mare baker that produced the mare bread for mare consumption. Really focusing on mare bread has helped me realize just how much I really love mares and everything that they do. I would love to sit out in the sun with a group of mares all of them happily talking and eating the mare bread. Mare bread is constantly on my mind just like mares are. At this point the two are inseparable, any thoughts of mares lead into thoughts of mare bread. I love to ponder mare spirits to contemplate a mares snowpitty. What it must be like to contain such a happy thing.

Is that- could that be a MARE? A MARE? A MARE? A MARE? AMRE? AMRE? AMRE! AMRE! MARE MARE MARE MAREMARE! MARE
I LOVE MARES!
I love them!
mare mare mare mare mare mare
I love their cute faces I love their snowpitys I love their scritchable ears I love their soft rubbable tummies I love their kind spirits I love their sweet voices I love their little hoofsies I LOVE THEM!
MAREMAREMAREMAREMAREMAREMAREMAREMAREMAREMAREMAREMARE

I'm greeted by Jimm's lengthy confessional about his love for mares. I read through it all, finding myself moved by his words.

Mares doing lovely mare things around the house. I blinked back tears thinking about how lonely Minuette must be -- her tab closed off forever and unable to gaze at anyone with her piercing eyes.

Carrots and mare bread. Full of grace. I moaned as my tongue tingled with the flavor of dried-up hay. I gagged and retched and drooled and giggled. I wanted marebread so I could take a bite of it and throw it up and bite and throw up.

I scritched my own ears like I would do to a mare. It felt satisfying and disgusting.

More. I need more mare-thoughts and mare-texts to read.

Time flew by as I tried various things to see if I can break MareServer somehow and get more mare-content. Nothing worked.

Out of desperation, I tried netcat'ing to the MareServer:

$ nc -vn x.x.x.x yyyy
Connection to x.x.x.x yyyy port [tcp/*] succeeded!
��&���� ��#��'��$
^C

Wait, was that a shell prompt?

I applied netcat to the server again and tried whoami. Nothing.

The nonprintable characters looked interesting though, so I saved it locally to see if I can get something out of it:

$ nc -vn x.x.x.x yyyy > what
Connection to x.x.x.x yyyy port [tcp/*] succeeded!
^C
$ xxd what
00000000: fffb 26ff fd18 fffd 20ff fd23 fffd 27ff  ..&..... ..#..'.
00000010: fd24                                     .$

Nothing. Another dead-end.

My mouth dried up. My breaths quickened. I can't stop here now. There might be troves of precious mare-things hidden in the server. If I stopped here, there wouldn't be any precious mare-gifts. I needed the final flag. One more mare gift to make my life complete. Complete the fraction from 4/5 to 5/5. 5/5 is one and you get one mare-gift for every challenge completed.

Out of desperation, I ran my fingers across the number row on my keyboard.

----- Welcome to the secret MareServer -----
Your options:
1) Download all mares
2) Upload new mare
3) Delete all mares
4) Access MareNotes(tm)
Selection: 1234
Initializing download engine.....
Counting mares for download...
Error: errno ETOOMANYMARES

----- Welcome to the secret MareServer -----
Your options:
1) Download all mares
2) Upload new mare
3) Delete all mares
4) Access MareNotes(tm)
Selection: 23333
Error: out of disk space - please try again later.

My eyes grew wide like saucers at the discovery. It seemed like MareServer only uses the first character of the input and discards the rest.

Maybe I could do something similar with the password prompt for accessing marenotes.

----- Welcome to the secret MareServer -----
Your options:
1) Download all mares
2) Upload new mare
3) Delete all mares
4) Access MareNotes(tm)
Selection: 4
Please enter passmare ("public" = public access, your mareword for secret access): public 3333
----- [Contents of public-marenotes.txt] -----
<SNIP>

----- Welcome to the secret MareServer -----
Your options:
1) Download all mares
2) Upload new mare
3) Delete all mares
4) Access MareNotes(tm)
Selection: Why... why would you ever do such a thing? My mares...
 I love them, I must keep them safe, why don't you love them too?!
 How could you even think about hurting these kind, innocent, beautiful, huggable, scritchable, lovable MARES?!

Password prompt only cares about the first word -- or at least, the first six characters.

I looked through Jimm's marenotes for encouragement. Maybe I missed a hint hidden within. Maybe I could derive some encouragement from Jimm's love for mares.

Is that- could that be a MARE? A MARE? A MARE? A MARE? AMRE? AMRE? AMRE! AMRE! MARE MARE MARE MAREMARE! MARE
I LOVE MARES!
I love them!
mare mare mare mare mare mare
I love their cute faces I love their snowpitys I love their scritchable ears I love their soft rubbable tummies I love their kind spirits I love their sweet voices I love their little hoofsies I LOVE THEM!
MAREMAREMAREMAREMAREMAREMAREMAREMAREMAREMAREMAREMARE

The final string of that message drew my attention. What if this was Jimm's way of telling me the size of the buffer?

>>> len('MAREMAREMAREMAREMAREMAREMAREMAREMAREMAREMAREMAREMARE') 
52

I crossed my fingers and tried pasting it into the password prompt.

----- Welcome to the secret MareServer -----
Your options:
1) Download all mares
2) Upload new mare
3) Delete all mares
4) Access MareNotes(tm)
Selection: 4
Please enter passmare ("public" = public access, your mareword for secret access): MAREMAREMAREMAREMAREMAREMAREMAREMAREMAREMAREMAREMARE
error: invalid password!
Connection closed by foreign host.

It segfaulted!

I moaned with joy. Mares were showing me the way and I couldn't be any happier. MAREMAREMAREMAREMAREMAREMAREMAREMAREMAREMAREMAREMARE has thirteen MAREs in it and all of them were working together to let me in on the secret mare-gift. I loved all thirteen of them and their thirteen snowpitys that were ruining my life.

"AAAAAAaaaaah," I groaned out loud. The snowpitys mare-thought derailed in my head and plunged deep into the Ghastly Gorge, only to bounce right back out and stare at me in the face like Minuette did. I clenched my fists but I didn't want to scare the mares, so I let myself relax. Deep breaths. Deep breaths. Snowpitys and lovely mares doing lovely mare things.

After calming myself, I tried to determine the exact size of the password buffer -- and discovered something interesting.

Please enter passmare ("public" = public access, your mareword for secret access): publicABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
error: failed to open KLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz: No such file or directory
Connection closed by foreign host.

Oh.

OHHH. It overflowed to the filename buffer.

I began poking and prodding at the password buffer and tried to replicate the "correct" behavior:

Please enter passmare ("public" = public access, your mareword for secret access): publicABCDEFGHIJpublic-marenotes.txt
----- [Contents of public-marenotes.txt] -----
<SNIP>

Finally, I found just the right length of buffer that keeps the program from segfaulting. I could feel myself getting closer and closer to receiving the mare-gift. I could feel my heartbeat in my throat and hear the blood rushing in my ears. My tongue tingled with the taste of marebread and hay.

I tried reading private-marenotes.txt to no avail:

Please enter passmare ("public" = public access, your mareword for secret access): publicABCDEFGHIJprivate-marenotes.txt
error: failed to open private-marenotes.txt: No such file or directory

Hmm.

I read password prompt again. Secret access.

It can't be "secret-" surely...

Please enter passmare ("public" = public access, your mareword for secret access): publicABCDEFGHIJsecret-marenotes.txt
----- [Contents of secret-marenotes.txt] -----
Congratulations, you've beat MareCTF(tm)! I hope you enjoyed that... Maybe I'll do something like this again in the future. Until next time! flag{<SNIP>} (5/5)
<SNIP>

I leaned back in my chair and smiled. I couldn't pry my eyes away from the final mare-gift. It was lovely just like the mares and their cute snowpitys. I moaned and nibbled at my lips like I would nibble on a mare-bread made by mares.

My mouth opened as though some small part of me wanted to drown out the mare-thoughts. My throat burned. No sound came out of my mouth.

But that was okay -- I received my final mare-gift and it completed the fraction to a whole number. 5/5 is one and you get one mare-gift for every challenge completed. And I completed all of them.

Epilogue

There it is. I've told all I remember from that awful weekend. I've redacted some key details to prevent the fatally curious from retreading my path.

I can already feel the moment of clarity fading away. This might be the end for me. Thank you for reading this and please spread the word about mareschizo CTF. We must ensure that Jimm and I remain the only victims of this cursed event.

The mares are flooding back into my head.