My solution and writeup for the awesome Mythic Beasts challenge.
  • Python 51.8%
  • Shell 48.2%
Find a file
2026-05-30 14:03:50 +01:00
README.md Initial commit 2026-05-30 12:51:51 +01:00
run.sh Initial commit 2026-05-30 12:51:51 +01:00
step1.sh Initial commit 2026-05-30 12:51:51 +01:00
step2.py Initial commit 2026-05-30 12:51:51 +01:00
step3.sh Initial commit 2026-05-30 12:51:51 +01:00

Mythic Beasts Challenge

Here is my writeup and code used for the Mythic Beasts Challenge: http://jobs.mythic-beasts.com/

You can complete the challenge by simply running ./run.sh.

Step 1

On clicking the link to go to Step 1, I received a 505 error.

To identify the underlying issue, I ran:

$ curl -I http://jobs.mythic-beasts.com/step-1

which returned these lines of note:

HTTP/1.1 505 HTTP Version Not Supported
Upgrade: h2c
Connection: Upgrade

This indicates that only HTTP/2 (h2c) is supported.

Therefore, I switched to HTTP/2:

$ curl -I --http2 http://jobs.mythic-beasts.com/step-1

and got the following lines of note:

HTTP/1.1 101 Switching Protocols

HTTP/2 302
location: http://jobs.mythic-beasts.com/ukaig6ua6yieHo4o

On navigating to the indicated redirect location, you get Step 2.

I wrapped this up in ./step1.sh, which uses sed to extract just the location: value from the response headers and prints it to stdout.

Step 2

On navigating to the page, the problem seemed fairly straightforward - solve the quadratic.

Alas, even with the correct answer, I received the following message:

Right answer, but not fast enough.

On checking the page source, we can see that the form submits a POST request to the same page, and that the equation and secret change on each load.

Therefore, it was necessary to create a script to automate this process.

See ./step2.py, which takes the URL for Step 2 as an argument.

My initial hunch was to keep it simple and use Bash, but then I got tangled up in regex, so I switched to Python and used the BeautifulSoup4 library to make it less painful.

The script then parses the response and prints out the password (the 64-char hex string).

Step 3

This step clearly wanted me to send an e-mail, but I needed to figure out which server I needed to connect to.

From looking at the HTML, I could see 6186 included as a comment. Initially, I thought this might be the port.

Below this, there was a bunch of gibberish, but I knew that it would be there for a reason.

At first, my head went to encoding systems, but the string didn't match any of the common encoding systems that I am familiar with.

Then, I looked at ciphers. The first one that came to mind was the classic Caesar Cipher, but this didn't improve things.

Next I tried ROT13, which gave me:

Use of SRV Records for Locating Email Submission/Access Services

And what do you know, this is the title of RFC 6186!!

We need to send a message, so this was a clear hint that we needed to find the submission service for jobs.mythic-beasts.com.

There's an easy way to do that...

If we dig for the submission service record for jobs.mythic-beasts.com, we get:

$ dig +short srv _submission._tcp.jobs.mythic-beasts.com
0 1 <port> mail.jobs.mythic-beasts.com.

On running this a second time, I discovered that the port was volatile, so naturally another script was needed.

This time I stuck with trusty Bash, used awk to get the host and port (since the DNS record format is consistent), and fed them in to SWAKS to send an e-mail.

My first attempt was with:

swaks --to josh@quinlan.cloud \
    --from step-3@jobs.mythic-beasts.com \
    --server $HOST \
    --port $PORT \
    --auth LOGIN \
    --auth-user step-3@jobs.mythic-beasts.com \
    --auth-password 1b385bef69b17fbb8b2c7835f8da44a5e5e9f21c8246b493b54bf49ff07af00e \
    --tls \
    --header "Subject: Step 3 Submission" \
    --body "Step 3 complete."

But the 'MTA' didn't permit StartTLS and said 'Goodbye' to me, so I went with PLAIN.

This worked much better!

=== Trying mail.jobs.mythic-beasts.com.:28801...
=== Connected to mail.jobs.mythic-beasts.com..
<-  220 jobs.mythic-beasts.com
 -> EHLO fortress.local
<-  250-jobs.mythic-beasts.com says hello 1
<-  250 AUTH PLAIN
 -> AUTH PLAIN \0step-3@jobs.mythic-beasts.com\01b385bef69b17fbb8b2c7835f8da44a5e5e9f21c8246b493b54bf49ff07af00e
<-  235 login successful
 -> MAIL FROM:<step-3@jobs.mythic-beasts.com>
<-  250 OK
 -> RCPT TO:<josh@quinlan.cloud>
<-  250 we confess, this isn't really an MTA; but we have just sent you an email
 -> DATA
*** Remote host closed connection unexpectedly.

The final script is at ./step3.sh.

At this point, it should have been smooth sailing to the finish line, but alas - my own mail infrastructure greylisted the e-mail, so I had to sit and wait in trepidation...

disconnect from mx1.mythic-beasts.com[46.235.224.141] ehlo=2 starttls=1 mail=1 rcpt=1 data=0/1 quit=1 commands=6/7
4A8D23E6BE: milter-reject: END-OF-MESSAGE from mx1.mythic-beasts.com[46.235.224.141]: 4.7.1 Greylisted, please try again later; from=<root@jobs.mythic-beasts.com> to=<josh@quinlan.cloud> proto=ESMTP helo=<mx1.mythic-beasts.com>
4A8D23E6BE: message-id=<E1wT93K-007e1E-0s@jobs.mythic-beasts.com>
4A8D23E6BE: client=mx1.mythic-beasts.com[46.235.224.141]
Anonymous TLS connection established from mx1.mythic-beasts.com[46.235.224.141] to hermes.quinlan.cloud: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (prime256v1) server-signature RSA-PSS (4096 bits) server-digest SHA256
connect from mx1.mythic-beasts.com[46.235.224.141]
PASS NEW [46.235.224.141]:60055
addr 46.235.224.141 listed by domain list.dnswl.org as 127.0.5.1
Look up 46.235.224.141 on whitelist, result 200 DUNNO
CONNECT from [46.235.224.141]:60055 to [172.22.1.253]:25
disconnect from verify.mx1.mythic-beasts.com[93.93.131.176] ehlo=2 starttls=1 mail=1 rcpt=1 quit=1 commands=6
1ABAB3E6BE: client=verify.mx1.mythic-beasts.com[93.93.131.176]
Anonymous TLS connection established from verify.mx1.mythic-beasts.com[93.93.131.176] to hermes.quinlan.cloud: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (prime256v1) server-signature RSA-PSS (4096 bits) server-digest SHA256
connect from verify.mx1.mythic-beasts.com[93.93.131.176]

Gotta love Rspamd, right?!

And that's how I received your e-mail.