HackASat 2020: Good Plan? Great Plan!

Category: Space and Things

Description: Help the Launchdotcom team perform a mission on their satellite to take a picture of a specific location on the ground. No hacking here, just good old fashion mission planning!

Connect to the challenge on mission.satellitesabove.me:5023. Using netcat, you might run nc mission.satellitesabove.me 5023

Write-up

by medarkus, nafod

This write-up is part of a larger post hosted over at our official blog.

On connection to the service, we’re presented with the following instructions:

##########################
Mission Planning Challenge
##########################
The current time is April 22, 2020 at midnight (2020-04-22T00:00:00Z).
We need to obtain images of the Iranian space port (35.234722 N 53.920833 E) with our satellite within the next 48 hours.
You must design a mission plan that obtains the images and downloads them within the time frame without causing any system failures on the spacecraft, or putting it at risk of continuing operations.
The spacecraft in question is USA 224 in the NORAD database with the following TLE:

1 37348U 11002A   20053.50800700  .00010600  00000-0  95354-4 0    09
2 37348  97.9000 166.7120 0540467 271.5258 235.8003 14.76330431    04

The TLE and all locations are already known by the simulator, and are provided for your information only.

Requirements
############
You need to obtain 120 MB of image data of the target location and downlink it to our ground station in Fairbanks, AK (64.977488 N 147.510697 W).
Your mission will begin at 2020-04-22T00:00:00Z and last 48 hours.
You are submitting a mission plan to a simulator that will ensure the mission plan will not put the spacecraft at risk, and will accomplish the desired objectives.

Mission Plan
############
Enter the mission plan into the interface, where each line corresponds to an entry.
You can copy/paste multiple lines at once into the interface.
The simulation runs once per minute, so all entries must have 00 for the seconds field.
Each line must be a timestamp followed by the mode with the format:

2020-04-22T00:00:00Z sun_point
YYYY-MM-DDThh:mm:00Z next_mode
...

The mission will run for it's full duration, regardless of when the image data if obtained.
You must ensure the bus survives the entire duration.

Mode Information
################
The bus has 4 possible modes:

- sun_point: Charges the batteries by pointing the panels at the sun.
- imaging: Trains the imager on the target location and begins capturing image data.
- data_downlink: Slews the spacecraft to point it's high bandwidth downlink transmitter at the ground station and transmits data to the station.
- wheel_desaturate: Desaturates the spacecraft reaction wheels using the on board magnetorquers.

Each mode dictates the entire state of the spacecraft.
The required inputs for each mode are already known by the mission planner.

Bus Information
###############
The onboard computer has 95 MB of storage.
All bus components are rated to operate effectively between 0 and 60 degrees Celsius.
The battery cannot fall below 10% capacity, or it will reduce the life of the spacecraft.
The reaction wheels have a maximum speed of 7000 RPM.
You will received telemetry from the spacecraft throughout the simulated mission duration.
You will need to monitor this telemetry to derive the behavior of each mode.

########################################################################

Please input mission plan in order by time.
Each line must be a timestamp followed by the mode with the format:

                    YYYY-MM-DDThh:mm:ssZ new_mode

Usage:

   run  -- Starts simulation
   plan -- Lists current plan entries
   exit -- Exits

Once your plan is executed, it will not be saved, so make note of your plan elsewhere.

We know the following:

  • We have 4 possible modes that dictate the state of the spacecraft

  • The challenge gives us the coordinates of the space port (image target) and the ground station (downlink target)

  • We only have 95 MB of storage space, but we have to take and upload 120 MB of image data (this means we have to make at least 2 passes)

  • We have to monitor the telemetry and be careful not to let our components overheat/spin too fast

If we try to take an image of the space port at the wrong time, we receive the following error:

Collected Data: 0 bytes
2020-04-23T00:03:00Z
Changing mode to: imaging
{'batt': {'percent': 91.4, 'temp': 29.300000000000036}, 'panels': {'illuminated': True}, 'comms': {'pwr': False, 'temp': 23.100000000000698}, 'obc': {'disk': 10, 'temp': 28.300000000000036}, 'adcs': {'mode': 'target_track', 'temp': 28.300000000000036, 'whl_rpm': [4673.178354093624, 4776.195651001402, 4810.625994904977], 'mag_pwr': [False, False, False]}, 'cam': {'pwr': True, 'temp': 28.100000000000698}}
Collected Data: 0 bytes
Mission Failed. ERROR: Target not in view. Cannot image.
[*] Got EOF while reading in interactive

This confirms that we cannot take our image until our spacecraft can actually see the Iranian space port. Fortunately, thanks to tooling PFS wrote for an earlier challenge, we were able to enumerate a list of timestamps of when our spacecraft would most likely have the target in its view.

After some trial and error, we were able to capture some data, but quickly realized that we only had so many “ticks” to capture and upload data before the targets left the view of our spacecraft.

The challenge from here on out is basically more trial and error. Players will most likely encounter errors related to either the camera overheating or the reaction wheels spinning faster than 7000 RPM, either of which causes the mission to fail. If the mission fails, pay close attention to the timestamp of the last telemetry message before the error.
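To shorten that trial-and-error loop, the telemetry can be checked against the bus limits from the banner automatically. The following is an added example, not part of the original solve script: it assumes the simulator output keeps the shape shown above (a timestamp line, an optional "Changing mode to:" line, then a Python dict literal), and the names margins, scan and SAMPLE are hypothetical.

```python
import ast
import re

# Limits quoted in the challenge banner.
TEMP_MIN_C, TEMP_MAX_C = 0.0, 60.0
MIN_BATTERY_PCT = 10.0
MAX_WHEEL_RPM = 7000.0
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z")

def margins(frame):
    """Distance to each limit for one telemetry dict; negative means violated."""
    temps = [part["temp"] for part in frame.values() if "temp" in part]
    return {
        "battery_pct": frame["batt"]["percent"] - MIN_BATTERY_PCT,
        "temp_c": min(min(t - TEMP_MIN_C, TEMP_MAX_C - t) for t in temps),
        # abs() is an assumption: a wheel may report either spin direction.
        "wheel_rpm": MAX_WHEEL_RPM - max(abs(r) for r in frame["adcs"]["whl_rpm"]),
    }

def scan(log_text):
    """Return (first violation or None, tightest margin per limit)."""
    stamp = mode = first = None
    tightest = {}
    for line in map(str.strip, log_text.splitlines()):
        if TS_RE.fullmatch(line):
            stamp = line
        elif line.startswith("Changing mode to:"):
            mode = line.split(":", 1)[1].strip()
        elif line.startswith("{"):
            # literal_eval accepts only Python literals, so text from the
            # remote service is parsed without being executed (unlike eval).
            found = margins(ast.literal_eval(line))
            for name, value in found.items():
                if name not in tightest or value < tightest[name][0]:
                    tightest[name] = (value, stamp)
            broken = sorted(name for name, value in found.items() if value < 0)
            if broken and first is None:
                first = (stamp, mode, broken)
    return first, tightest

# Constructed sample (invented values), shaped like the frame in the write-up.
SAMPLE = """\
2020-04-22T09:36:00Z
Changing mode to: imaging
{'batt': {'percent': 80.0, 'temp': 30.0}, 'panels': {'illuminated': True}, 'comms': {'pwr': False, 'temp': 22.0}, 'obc': {'disk': 40, 'temp': 31.0}, 'adcs': {'mode': 'target_track', 'temp': 31.0, 'whl_rpm': [6800.5, 6900.0, 6950.25], 'mag_pwr': [False, False, False]}, 'cam': {'pwr': True, 'temp': 55.5}}
2020-04-22T09:37:00Z
{'batt': {'percent': 78.5, 'temp': 30.5}, 'panels': {'illuminated': True}, 'comms': {'pwr': False, 'temp': 22.0}, 'obc': {'disk': 55, 'temp': 31.5}, 'adcs': {'mode': 'target_track', 'temp': 31.5, 'whl_rpm': [6990.0, 7010.5, 7000.0], 'mag_pwr': [False, False, False]}, 'cam': {'pwr': True, 'temp': 58.0}}
"""
if __name__ == "__main__":
    print(scan(SAMPLE))
```

The tightest margins show which limit a plan is closest to breaking even on runs that succeed, which tells you whether the next adjustment should move a wheel_desaturate or a sun_point entry.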

Solve Script

Dependencies

  • Python 3.6 (f-strings)
  • pwntools
    • python3 -m pip install --user pwn

#!/usr/bin/env python3
from pwn import *

context.log_level = 'debug'

# modes
SUN_POINT = 'sun_point'
IMAGING = 'imaging'
DATA_DOWNLINK = 'data_downlink'
WHEEL_DESATURATE = 'wheel_desaturate'
RUN = 'run'

def construct_plan(timestamp, mode):
    return f'{timestamp} {mode}'

host1 = 'mission.satellitesabove.me'
port1 = 5023
ticket = 'ticket{YOUR_TEAM_TICKET_HERE}'

p = remote(host1, port1)
p.recvuntil('Ticket please:\n')
p.sendline(ticket)
p.recvuntil('Once your plan is executed, it will not be saved, so make note of your plan elsewhere.\n')

p.sendline(construct_plan('2020-04-22T00:00:00Z', SUN_POINT))
p.sendline(construct_plan('2020-04-22T09:31:00Z', IMAGING))
p.sendline(construct_plan('2020-04-22T09:37:00Z', WHEEL_DESATURATE))
p.sendline(construct_plan('2020-04-22T10:00:00Z', SUN_POINT))
p.sendline(construct_plan('2020-04-23T00:00:00Z', DATA_DOWNLINK))
p.sendline(construct_plan('2020-04-23T00:05:00Z', SUN_POINT))
p.sendline(construct_plan('2020-04-23T09:51:00Z', IMAGING))
p.sendline(construct_plan('2020-04-23T09:58:00Z', WHEEL_DESATURATE))
p.sendline(construct_plan('2020-04-23T09:59:00Z', SUN_POINT))
p.sendline(construct_plan('2020-04-23T13:33:00Z', WHEEL_DESATURATE))
p.sendline(construct_plan('2020-04-23T18:40:00Z', SUN_POINT))
p.sendline(construct_plan('2020-04-23T22:46:00Z', DATA_DOWNLINK))
p.sendline(construct_plan('2020-04-23T22:51:00Z', SUN_POINT))

p.sendline(RUN)
p.interactive()
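Because a plan is not saved once it runs, it is worth checking it locally against the format rules in the banner before sending it. This is an added example, not the authors' code: validate_plan and PAGE_PLAN are hypothetical names, the entries in PAGE_PLAN are copied from the solve script above, and treating two entries for the same minute as an error is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Rules taken from the challenge banner.
MODES = {"sun_point", "imaging", "data_downlink", "wheel_desaturate"}
START = datetime(2020, 4, 22, tzinfo=timezone.utc)
END = START + timedelta(hours=48)
LINE_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (\w+)")

def validate_plan(lines):
    """Return a list of (line_number, problem) for a mission plan."""
    errors, previous = [], None
    for number, line in enumerate(lines, start=1):
        match = LINE_RE.fullmatch(line.strip())
        if not match:
            errors.append((number, "not 'YYYY-MM-DDThh:mm:00Z mode'"))
            continue
        try:
            when = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%S")
            when = when.replace(tzinfo=timezone.utc)
        except ValueError:
            errors.append((number, "impossible date or time"))
            continue
        if when.second != 0:
            errors.append((number, "seconds must be 00"))
        if not START <= when < END:
            errors.append((number, "outside the 48 hour window"))
        # Assumption: a repeated timestamp counts as out of order.
        if previous is not None and when <= previous:
            errors.append((number, "not in time order"))
        if match.group(2) not in MODES:
            errors.append((number, f"unknown mode {match.group(2)!r}"))
        previous = when
    return errors

# The plan from the solve script above, two entries per line.
PAGE_PLAN = [
    "2020-04-22T00:00:00Z sun_point", "2020-04-22T09:31:00Z imaging",
    "2020-04-22T09:37:00Z wheel_desaturate", "2020-04-22T10:00:00Z sun_point",
    "2020-04-23T00:00:00Z data_downlink", "2020-04-23T00:05:00Z sun_point",
    "2020-04-23T09:51:00Z imaging", "2020-04-23T09:58:00Z wheel_desaturate",
    "2020-04-23T09:59:00Z sun_point", "2020-04-23T13:33:00Z wheel_desaturate",
    "2020-04-23T18:40:00Z sun_point", "2020-04-23T22:46:00Z data_downlink",
    "2020-04-23T22:51:00Z sun_point",
]
if __name__ == "__main__":
    print(validate_plan(PAGE_PLAN))
```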

Flag

MISSION SUCCESS!!!
\            .       .                   .       .      .     .      .
\           .    .         .    .            .     ______
\       .           .             .               ////////
\                 .    .   ________   .  .      /////////     .    .
\            .            |.____.  /\\        ./////////    .
\     .                 .//      \\/  |\\     /////////
\        .       .    .//          \\ |  \\ /////////       .     .   .
\                     ||.    .    .| |  ///////// .     .
\      .    .         ||           | |//`,/////                .
\              .       \\\\        ./ //  /  \\/   .
\   .                    \\\\.___./ //\\` '   ,_\\     .     .
\           .           .     \\ //////\\ , /   \\                 .    .
\                        .    ///////// \\|  '  |    .
\       .        .          ///////// .   \\ _ /          .
\                         /////////                              .
\                  .   ./////////     .     .
\          .           --------   .                  ..             .
\   .               .        .         .                       .
\                         ________________________
\ ____________------------                        -------------_________
flag{quebec17372quebec:GGbkuxdQxne72Bis_qr5OEP0mSaKXj5Jg3cwI2eTkyBl8Lc_VzgYXu5FanKZ6FWWFBUbvw1-xQ5JWPlcBfEXGkQ}
