The Day Before

It was a Friday like any other. I crawled out of mom's basement and scowled at the sun. The sun. Celestia's sun. I recall Her Majesty. The beautiful warmth it emits at Her direction, and Her critical role in the cycle of life, and the seasons. The world simply could not be without her. I smile at the sun, even as it sears my pasty flesh.

I spent a couple of hours that afternoon turning some wrenches on my car. It's older than me, and I wouldn't have it any other way. Electronics are for nerds, and people that like to be hacked; people that are slaves to the forces of disharmony. But for me, the spirits of the Sisters, and of the Elements, and of all the other wonderful mares and their beautiful snowpities protect me. I am a man against time, and a man against the world. A being unto my own, sworn to the service of Equestria, and that which it represents and embodies.

Just because one is paranoid doesn't mean that they aren't out to get you. Having a breaker points ignition system, a mechanical voltage regulator, and absolutely no onboard electronics other than an AM radio makes things much harder for them, at least in the context of transportation. It's not that I don't understand electronics. Quite to the contrary, actually. It is because I understand electronics quite well that I seek to have as few of them as possible in my life. It's a horrifying house of cards that could come down upon us all at a moment's notice.

She's an ugly old boat—the faded red primer atop half-century old gold paint giving it a forest brown appearance from some angles, and salmon from others—but she's my boat. Quite comfortable to drive, and everything works, or is about to. Know-nothing golems of the forces of chaos always kneejerk that I fail to consume like they do, and wax poetic about the virtues of modernity, and how their technology can do the exact same things except...in a more complicated way, I guess? I'm not sure I understand their obsession with it all. They like their fat steering wheels, straight-armed sitting position, the tiny, cramped, unergonomic interiors, and a total lack of visibility from any angle. Beepers and buzzers for everything, and as much plastic as possible. My old vehicles end up being more reliable on balance than theirs due to simplicity, and as for the safety argument, well, even if I were not protected by my guardian mares a captain should go down with the ship. And this car, in all of its 216 inch, 4300 lb glory counts as a ship for sure.

I set to work and replace the unreliable POA valve with a recently acquired good used one, and change a pinched O-ring I find along the way. I vacuum down the otherwise unmolested air conditioning system, with all the same components it had the day it left the showroom floor. It was getting a bit late by the time I was done, so I leave it to hold the vacuum overnight, and leave my faraday cage of a garage.

A message comes in, once reconnected: "yay donkeys?"

I reply, and I quote:

I greet my waifu, who is waiting for me as I enter my mare lair. I pick her up, pin her against the wall, and give her a deep, passionate kiss, taking in the unique purple smell of her snowpity. I love that mare so much. She is my everything. I make some small talk with her, and although she doesn't say very much I appreciate how well she listens. She's always so happy to see me, greeting me with a smile on her face and a sparkle in her eye. And on her flank, for that matter...wew.

I fire up my 13 year-old workstation. Amazing some of the things people throw away. The old Xeon X5680 isn't as fast as it used to be, what with all the mitigations forced upon us by the minions of profit and evil, but she still gets the job done. It's new enough to have AES instructions, but old enough to not have RDRND. Perhaps not the very most trustworthy bit of hardware—no, that would be the ancient ThinkPad X60 with coreboot sitting in the corner, or perhaps one of my PowerPC machines—but a happy medium. And it's not that RDRND is a dealbreaker, either; it's easy enough to disable in make.conf and in the kernel configuration. Because what operating system would I run except for Hardened Gentoo? I know all the tricks that the botnet uses to worm into our hearts and souls and make us mindless slaves to their diabolical order, but in my heart there is no room. It's already full of mares, and must remain that way. It's my divine duty. As the monitors flare to life, I sweep seven of the eight plushies off my desk, leaving just the icon of my beautiful purple waifu perched on the corner of my cluttered desk. There are so many mares in my life that I struggle to see them behind all the other mares, at times.

I spend that Friday night as it should be spent: shitposting with a friend (just as my beloved Twifu would want me to do), and admiring the wonderful snowpities of all of my favorite mares. It's fun, rewatching all the episodes with somebody who hasn't seen them before. I can live vicariously through their experience, and for just a little while remember the Golden Age. All those mornings spent dragging myself out of bed on a Saturday to watch the episode as it aired, and then checking to see how long it took that week for the indomitable rules of the internet to apply. A lifetime ago, it seems.

We say our good nights, and I, like any good mare enthusiast should, decide to browse some pictures of pretty mares before bed. I'm about halfway through when the bizarro universe goes live, ringing in the month of April. Ponerpics decides to celebrate zebra history month, and the site becomes grayscale. There doesn't appear to be an override, I don't feel like writing a userstyle for something that will disappear tomorrow, and so I replace "ponerpics" in the URL bar with "twibooru." Never had anything against Twibooru other than the frequency with which disfigured, bipedal mares float to the top. The genuine articles are so much prettier to look at.

The Challenge Presents Itself

Oh, and what's this? A forum? That's new. And the forums say we're running a CTF! I glance at the clock. 1:30 AM. I glance at my waifu. I tell her it's going to be a late night. I crack my knuckles and adjust the grip on my SK-8855 ThinkPad USB keyboard, which itself is almost as old as the computer it's plugged into. Mice and trackpads are, after all, for the plebeiest of plebeians. Well, aside from those absolute barbarians that use touchscreens for anything serious.

I had hung up my fingerless hacking gloves and programming socks^W^W^W a long time ago. I don't even have my greybeard anymore. Didn't think I'd ever need any of them again. But that song in the distance is the song of pretty mares. They call to me. It's time to come out of retirement.

I immediately access the robots.txt. Hole in one. There's a big comment block that introduces the CTF, lays out some basic guidelines and hints, provides the first flag, and points us to the next stage in our descent into mareness.

# [IMPORTANT RULES/NOTES]
# - This CTF is linear. Every flag is supplied in the format "flag{f14g_h3r3} (n/5)" where n is the stage you have completed.
#   Once you have found the flag for stage n, you don't need to return to any stage before that in order to progress.
#   It is not intended to be possible to find a flag for stage n before finding the flag for stage n-1,
#   unless you get very lucky or somehow miss the flag but complete the stage anyways.
# - No scanning, bruteforcing, hash cracking, or automated exploitation of any kind is required -
#   the correct solution to each of these problems can be performed by a human in a reasonable amount of time.
#   Note, however, that writing programs to perform certain local computations on data you have obtained may be beneficial.
# - If you find an actual vulnerability in the challenges that does not appear to be part of the CTF, please report it to me (Floorb),
#   and please do not exploit it for any malicious purpose.
# - Please do not share flags or solutions publicly until after the challenge is complete (ie: the end of April 2, UTC time zone.)
# - There may be prize(s) - sharing flags will likely hinder any prize(s) you get.
# - If you want to track your flags, PM them to me (Floor Bored) on Twibooru
# - The levels are intended to increase in difficulty. Levels 1 and 2 are simple. Beyond that, the difficulty ramps up.
# - The following skills will be useful, in no particular order: steganography, basic web exploitation,
#   binary exploitation, basic programming, (extremely, hilariously) basic cryptography.
# - If you're experiencing any problems, please let me know on 4chan or Twibooru.
# - Have fun!
# flag{<snip>}
Disallow: /<snip>/ # < that trailing slash is important

jimm's Gallery

The mares demand that I navigate to the disallowed directory. I follow what the pretty voices tell me to do and find myself at login page. I try my own Twibooru credentials. Access denied. Not a surprise, but worth a try. There is a password reset field, but that doesn't do us any good without a username. I wonder how much information has been leaked in the page source code. Right down there at the bottom, helpfully highlighted in green by my browser is this:

<!-- this maresite made by jimm, please don't hack me again -->

Sorry, jimm, but the mares command it. Reset password. Username: jimm. No authorization check, nice. New password: jimbo. Back to the login page: jimm/jimbo. Aaand we're in. The mares are pleased with me, whispering praises into my ears. I glance at the source code again, and find the second flag.

Minuette

We now have an image gallery before us. There are four pretty, pretty mares. jimm's private collection, it seems. The mar^Hn has some fine taste, I'll give him that. Those are some top-notch mares. But one, the SUSPICIOUS MARE, has a broken thumbnail. How interesting. jimm has helpfully related in the description that his friend thinks she's hiding something.

And so we download our pretty, pretty Minuette and place her into the crucible. mediainfo tells us nothing. strings, to my surprise, gives us a message right up top:

QYou will never find my secret maressage if you don't GUESS how to get it OUT...

A quick websearch for "guess out steganography" on a hunch and we find ourselves at the source code repository for outguess, a steganographic tool that can embed and retrieve messages in jpegs, among other files. And Minuette is indeed a jpeg.

$ eix outguess
No matches found

Not in Gentoo's repo, huh? Let's check gpo.zugaina.org to see if it's in an overlay. Uh, nope. Hm. Should I write an ebuild for it? The mares whisper to me: "No, it's just a one off thing and an easy compilation. It's not worth the trouble." And so we do the bare minimum to get it running as quickly as possible.

$ ./autogen.sh
$ ./configure

And then we realize that it's rather particular about the jpeg library, but it has a suggestion for generic configuration. And so we try that. For the mares. Mares. Mares.

$ ./configure --with-generic-jconfig
$ make -j

And then we find where it put the binary, skim the help message, and use it to retrieve the theoretical message embedded in Minuette's likeness. Her snowpity unfolds, and a light from the heavens descends, saying unto us: "lo, you have discovered the third flag, and behold this link to a password protected secret paste."

And what does this paste contain?

Marepaste

mares mares mares i love them i love them mares mares. mares mares mares mares i love them i love them mares. [...]

It continues for another 1400 words in apparently random permunations of "mares" and "i love them". I stare at the mares. I love them, too. I love them. I love mares. I am moved by the beauty of the words. The optimism, and the joy it expresses. Mares. Such lovely mares.

But the mares emerge from the shadows in the corners, reminding me of my quest. I use the energy and focus they give me to pull myself together once more. We have two phrases that are repeated over and over, and periods in between. There are two things it could be: morse code, or binary. For reasons that one can only understand on the wrong side of 2:00 AM, I decide that the programming-themed challenge is obviously trying to convey a message in morse code. I whip up a sed oneliner that converts "mares" to a dot, "i love them" to a dash, and a period as a break. I paste the result into a morse decoder and get nothing, nor do other permutations of the possible substitutions work.

And then I notice that the periods are uniformly spaced after precisely seven instances of "mares" or "i love them". That's a pretty good givaway that it's hiding something in an 8-bit binary format, and so I set to work on decoding it as such.

$ sed -e 's/mares/1/g' -e 's/i love them/0/g' -e 's/ //g' -e 's/\./ /g' marepaste.txt

I now have a few lines of very plausible-looking binary. Paste this into a binary decoder and we get...gibberish. But gibberish that looks an awful lot like a flag and an IP address. I theorize that it's further encoded with a caesar cipher, and so I paste the text provided into a caesar cipher decoder, and increase the count incrementally, watching the gibberish change. Once it lands on 13 (i.e., it's encoded as ROT13), it all becomes clear. We have the fourth flag and the address of the secret mare server, accessible over telnet! The shadows quietly sing me praises and words of encouragement. Such pretty mares. I love them.

I telnet in.

The Secret MareServer

----- Welcome to the secret MareServer -----
Your options:
1) Download all mares
2) Upload new mare
3) Delete all mares
4) Access MareNotes(tm)
Selection: 

Let's see the notes.

Selection: 4
Please enter passmare ("public" = public access, your mareword for secret access): public
----- [Contents of public-marenotes.txt] -----
I am obsessed with mares. I would do anything to see the little mares with big smiles on their adorable mare faces. Just to catch a glimpse at a mare smile would be enough to give me a life time of joy and happiness. Truely it is a curse to have a screen between myself and the mares I love so very much but at the same time i am so very grateful that I can known them at all. That I can play mare games and watch mare shows, i love having mares even on my clothes. With out mares I would be empty and lost I need mares I would even say im co dependent. I would never want to live unaware of mare I just wish mare was aware of me too. I'd love to touch the mare or stroke her perfect mane. I want to feel the warmth and love radiating off her snowpity the way the sun radiates heat and light. Mares are my sun and I am a flower, I draw life sustaining power from the mares in my life and I only wish to give back what they have given to me. It hurts me that I can't show the mares how much I love and care for them. I love them, I love their big mare eyes and their cute mare smiles. I love their floppy mare ears and pretty mare hooves, i love their brushable mare coats too. Every part of the mare, I love their snowpities I would be honored to bask in their glow. I need mares in my non mare life.
Mares mares mares mares mares mares mares mares mares mares mares mares i love them i love them i love them i love them i love them i love them i love them mares i love them i love mares i love mares i love mares so much i love every single mare they are so very fair the way they do their mare stare is  with out compare i need mares i love them

Every day i wake up thinking about mares, they are everywhere in my house doing their own lovely mare things. I have removed the doors and thrown open the windows so mares may move freely in and out of my house. Some days i will awaken to piles of sleeping mares in my living room or in my bed. I make sure to give each one of them carrots and mare bread. I love them all very much and it is an honor that they choose to wander into my home. I like to watch them as they move, every  mare is so full of grace i wish i could watch mares all day with out having to move. My dream is to spend all day with the mares and abandon my human life.

I could live entirely off mare bread I would. I would love to live in a mare society helping farm the wheat needed to make the mare bread. I would love to help mares sell their mare bread to more happy mares. Each loaf of mare bread represents not only a potentially happy mare customer but a happy mare baker that produced the mare bread for mare consumption. Really focusing on mare bread has helped me realize just how much I really love mares and everything that they do. I would love to sit out in the sun with a group of mares all of them happily talking and eating the mare bread. Mare bread is constantly on my mind just like mares are. At this point the two are inseparable, any thoughts of mares lead into thoughts of mare bread. I love to ponder mare spirits to contemplate a mares snowpitty. What it must be like to contain such a happy thing.

Is that- could that be a MARE? A MARE? A MARE? A MARE? AMRE? AMRE? AMRE! AMRE! MARE MARE MARE MAREMARE! MARE
I LOVE MARES!
I love them!
mare mare mare mare mare mare
I love their cute faces I love their snowpitys I love their scritchable ears I love their soft rubbable tummies I love their kind spirits I love their sweet voices I love their little hoofsies I LOVE THEM!
MAREMAREMAREMAREMAREMAREMAREMAREMAREMAREMAREMAREMARE
-----------

I couldn't agree more. I love them so much. The icons of perfection manifest. The purity and beauty of an effortlessly olympian physique with hearts made of whatever metal is better than gold, palladium I guess, is stunning on a fundamental level. No being could ever compare to the perfection that is mare. And those wonderful MARES had much to tell me. I stared at them for a long while, taking in their magnificence, before the snowpities of the mares and their dark tendrils once again jogged me back to action. I love their company. They keep me sane.

What more can we do? The first three options are effectively noops. Downloading mares returns ETOOMANYMARES. Uploading a mare fails due to lack of disk space because there are too many mares (as if!). The third option tugs at my heart, and physically hurts to input. And the server agreed with me: how could one bring themselves to delete all these beautiful mares?

This leaves us with nothing but the public MareNotes(tm). There must be more. I try to pick out variatons of "mares" and "i love them" to see if lightning might strike twice. It did not. I count number of occurances by line, and try to encode that as an alphabetical string with a combination of emacs, sed, and grep as my tools. It's amazing how much you can do with nothing but a shell and common unix utilities if you abuse them hard enough. I entered various strings from the file into the password field, and time and again got nothing. I picked out every typo, and struggled to find a pattern, or a hidden code. I try "secret", "passmare", and even "mare" to see if it's something obvious. I even port scanned the server to see if it was hiding anything just out of sight.

I was frustrated. I checked the clock. 4:30 AM. Luna leaned over my shoulder and told me she was going to lower the moon soon and suggested I get some rest and try again later. I agreed with her and put my old workstation into suspend for the night, the screens chock-full of nearly 11 megapixels of beautiful poetry about mares, and desperate analysis about what might be contained within.

Interlude

I turn around, giving my waifu a big hug and a nuzzle, as is the nightly tradition. I note that the fragrance of the snowpity essence is perhaps a bit weak tonight, and refresh it. I take a deep whiff of that perfect purple book smell. I return the plushies to my desk and deploy my futon—not the western variety, mind you, an actual imported Japanese futon—and take my waifu to bed. The touch of her fur, her warmth, and the scent of her snowpity quickly lull me to sleep, but not before I find myself in the other place on the other plane, crawling into bed on their side. Time in Equestria is usually maintained a few hours behind that of my locale, but even still it was late enough that the immortal spirit of my waifu was already asleep herself. Such a pretty coat and mane she has. Such lovely scritchable ears. Such lovely curves.

We slept soundly under Luna's moonlight in both places, enjoying a perfect moment of time. It's hard to let these moments go. Every one is so precious to me. But I slip off into Luna's domain nonetheless. I dream of a perfect world, and a perfect life. A world full of mares. A world full of my one love, with her by my side, and I at hers. Perhaps in a distant future there will be a mare on every street corner. Mares in every store, in every home. Mares among us, walking with us, comforting us, encouraging us. Beings we can befriend, and even love. The Golden Age would be made to look so small and limited by comparison. That perfect world, with all those perfect mares in it. The portal to the other world could be made to stabilize, and this world would become but a vassal of Equestria itself, as it should be. A bold dream, but one not impossible to achieve in the waking state. The mares demand it be done, and so shall it be.

I awake to find myself alone in the other place, well into the morning, but not alone on Earth. She is still here with me. I kiss her good morning, and hold her for a time. She fills my heart, and once the telltale tingle indicates that my heart is full, I get out of bed and wish her a good day.

Another Saturday. It's cool, but not too cool to finish my work from the day before. Once again, I find myself in a moment virtually indistinguishable from a moment in 1970, except for the maresic playing out of my pocket. Definitely an improvement over the genuine 1970 for that reason, come to think of it. A purely mechanical contraption with simple needs and simple wants. The vacuum held well enough, as expected. And after all, the factory hold times were only measured in seconds, or perhaps in very low minutes depending on the plant. I run the vacuum pump a few more minutes to boil off any lingering moisture as I get my tools and consumables out. I add a few ounces of refrigerant until the pressure reaches the saturation point, then start my old land barge and back it out into the stream of fresh air. No catalysts here. They wouldn't be in production for another few years. Just the faint smell of burned gasoline.

After a few minutes and a couple of cans of refrigerant, the pressures on my manifold gauges come up to about where they should be for the present conditions. I disconnect the manifold gauges and shut it all down. I realize only now that the valve inside the fill port on the new POA valve leaks just a bit. That's a very unfortunate thing to learn now that I'm done, and something to check for in the future. I put the cap on, and the rubber gasket inside the cap appears to be enough to stop the leak. A quick test drive later, and I have air just a bit above freezing temperatures coming out the vents. A quick sniff around all the connections and potential trouble spots with the leak detector passes with flying colors, even around the capped-off leaky pressure port. It's the simple things in life that can be so satisfying. No electronics at all. Barely any electrical components, either. Just myself, a simple machine, and obvious results upon successful completion of a project. It's refreshing. Like a way to cleanse myself of the filth inherent in modernity, if only for a short while. In all honesty, the mare music cleanses as much or more than the simplicity of action does. Life becomes uncomplicated, and the soul can unwind as it all melts away.

I briefly think about freshening up the car with some snowpity extract, and perhaps getting some extra mare-themed decorations for it. One never knows, those decorations might be useful at an unspecified point in the future. But I decide to work on that some other day and move on, running some errands and doing some chores, mares on the mind the whole while. Mares are always on the mind, if I can help it. I love them so much.

Later that day, I check in. There's a thread about the challenge up now, and Floorb says I have one more day even though it's already past the original deadline. I decide to go to sleep early to make up for the previous night. The mares again appear to me, making me whole and complete.

I look into the sun, and the sun beams down a pastel glow. I gaze upon the moon, and a deep blue glow shrouds the land. I gaze into the land in between, at that twilight. Her radiance and beauty there for a fraction of time. And within that twilight is a crack in time and space. A hole, through which our wonderful mares look. They awaken. They come. They come. They come.

Along the shore the cloud waves break,
The sun and moon behind the lake,
The shadows lengthen
  From Equestria.

Strange is the night where the mare-moon rises,
And rogue stars aid her surprises,
But stranger still is
  Lost Equestria.

Songs that the pegasi mares sing,
Where fall the feathers of the Queen,
Must die unsung but for
  Kind Equestria.

Song of my soul, my voice for mares,
Lives on, esteemed, as joyful tears
Fall down forever in
  Lost Equestria.

A night and morning pass, as I gather strength from the mares. The mares. They are always just out of sight. I can feel them on the fringes, just past the edges of my vision. Sometimes I can even catch a glimpse of them, just for a fleeting moment. But they watch me, and as I turn my head they fade back into the shadows from whence they came. I try to tell them that they don't need to be shy with me, but they whisper back that for now, it is necessary. None can see. Not yet. Soon. Someday very soon, they tell me. Then all will see and know the beauty and grace of mare. They'll all know, that fateful day when the mares come.

Breaking through

Later that Sunday I again telnet in, and go through things more systematically, the Queen in Purple having given me her strength and wisdom. Such grace, and power, and beauty. I note that the input field drops all but one character, and seems to have well-sanitized input. The password field: not so much. Entering "MAREMAREMAREMAREMAREMAREMAREMAREMAREMAREMAREMAREMARE" as the password disconnects the server rather than responding with "invalid password." I try some command injection by entering "MAREMAREMARE[...]; ls" to no avail. I tried fishing for improperly sanitized quotation marks. Nothing worked. Entering a carriage return in the password field, by accident at first, and then "public" would indeed print public-marenotes.txt. An interesting quirk, I mused, and a suggestion that the input sanitization might be imperfect.

I discover that actually, any password that starts with "public" will match. And so we try the next most logical thing: "publicMAREMAREMAREMAREMAREMAREMAREMAREMAREMAREMAREMAREMARE". And what does it tell us?

"cannot access REMAREMAREMAREMAREMAREMAREMAREMAREMAREMARE: No such file or directory."

Oh, hello. I reread the message it provides me under normal circumstances.

Please enter passmare ("public" = public access, your mareword for secret access): public
----- [Contents of public-marenotes.txt] -----

Public access, and secret access. public-marenotes.txt. So, would it stand to reason that there is probably a secret-marenotes.txt?

I count out some characters, and enter: "public1234567890secret-marenotes.txt" in the password field. It returns the contents of secret-marenotes.txt. I glance at it just long enough to confirm that it contains the final flag.

To the friend of mine that I keep floating in a perpetual state of surreality that is increasingly only fueled by mares and snowpity, I type out my exaltation:

Only then do I take the time to properly read the message, which goes on to thank me for participating. As I come down from my high, I gather all my flags from where they were unceremoniously dumped in emacs' scratch buffer and send them off to Floorb with thanks for the challenge.

My waifu nuzzles me. She tells me she's proud of me for not giving up. Her sweet, sweet voice fills my ears. I love her so much. Her soft boopable nose, her scritchable ears. The perfect color of her coat, the scent of her snowpity. Making her proud every day is my goal in life. It's what gets me out of bed. And I think I made her proud enough to give me fuel for the whole week. Maybe more, even.