huge major cleanup for pdf generation

xenia 2020-05-26 06:27:26 -04:00
parent b13d611ff6
commit 553522c799
11 changed files with 113 additions and 98 deletions
Makefile
aaaa
attitude-adjustment
digital-filters-meh
seeing-stars
comms/56k
fonts.tex
payload/leakycrypto
satellite-bus
bytes-away
magic-bus
space/good-plan-great-plan
top.md

@ -17,8 +17,9 @@ $(WRITEUP_PDF): $(DOCS_ALL) fonts.tex top.md
@echo "GEN writeup.md"
@mkdir build/ 2>/dev/null || true
@find . -mindepth 3 -iname '*.png' -exec cp {} build/ \;
@find . -mindepth 3 -iname '*.py' -exec cp {} build/ \;
@cp fonts.tex build/fonts.tex
@for md in top.md $(DOCS_ALL); do cat $$md; done > build/writeup.md
@for md in top.md $(DOCS_ALL); do cat $$md; printf "\n\n----------\n\n"; done > build/writeup.md
@echo "PDF writeup.pdf"
@cd build && pandoc -i writeup.md --pdf-engine=lualatex -o writeup.pdf
@cd build && pandoc -f markdown-implicit_figures -i writeup.md --pdf-engine=lualatex -o writeup.pdf
@cp build/writeup.pdf $@
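
Review bot: the new `find . -mindepth 3 -iname '*.py' -exec cp {} build/ \;` line flattens every script into `build/`, so two challenge directories that each ship a file with the same name silently overwrite one another; the `*.png` copy above it has the same property. Prefix the copied name with its challenge directory, or fail the build when the destination already exists, so the PDF cannot pick up the wrong script. The `printf "\n\n----------\n\n"` separator is also emitted after the last document, which leaves a trailing rule at the end of `build/writeup.md`.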

@ -53,7 +53,7 @@ Note that I threw in an inversion of the rotation matrix; this is because I shou
Then we just grabbed each challenge from the computer, aligned the sets, and spat the orientation of the satellite back at the server to get
```{.python}
TICKET = 'ticket{papa21503yankee:GGntHycE-_FqMqGbIoz7rKZD-MzEraoec3dRGU21ExVYGGYFLJQQlRLqNLWn8D4ghQ}'
TICKET = 'THE_TICKET'
r = tubes.remote.remote('attitude.satellitesabove.me', 5012)
r.send(TICKET+'\n')
time.sleep(0.5)
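
Review bot: replacing the literal with `TICKET = 'THE_TICKET'` only scrubs the working tree; the real ticket is still readable in parent b13d611ff6 and in every existing clone. If the ticket is still valid, treat it as disclosed, and consider having the snippet read the ticket from an environment variable so a later edit cannot paste it back into the writeup.
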
@ -73,6 +73,6 @@ The flag should get printed out on stdout by the final line.
```
## Resources and other writeups
- https://en.wikipedia.org/wiki/Orthogonal_Procrustes_problem
- https://en.wikipedia.org/wiki/Kabsch_algorithm
- https://github.com/charnley/rmsd/tree/master
- <https://en.wikipedia.org/wiki/Orthogonal_Procrustes_problem>
- <https://en.wikipedia.org/wiki/Kabsch_algorithm>
- <https://github.com/charnley/rmsd/tree/master>

@ -99,7 +99,7 @@ Hook up to the server:
sep = ','
r = remote('filter.satellitesabove.me', 5014)
r.clean()
r.send('ticket{foxtrot78531papa:GLliqPNOiBYZl7OwLiZCOx2yfdmbyO6cdgrfcNRC8iMPcJgy0YQ_H1kBeWTloVB_-w}\n')
r.send('THE_TICKET')
time.sleep(0.1)
```
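
Review bot: the placeholder `r.send('THE_TICKET')` drops the trailing `\n` that the line it replaces carried, so a reader who substitutes a ticket sends it without the line terminator the original had. Keep the newline (`r.send('THE_TICKET\n')`), as the attitude-adjustment snippet does with `TICKET+'\n'`. The original ticket also remains in the history before this commit.
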
@ -134,7 +134,3 @@ while True:
```
When we see that string, the script jumps to `pwnlib.tubes`' interactive mode and we see the flag in the dumped buffer.
### Full code
```{.python include=meh.py}
```

@ -53,6 +53,7 @@ return solve
We then automated this entire process using pwnlib to connect to the server and
read the data.
### Full code
```{.python include=seeing-stars.py}
```
@ -60,21 +61,6 @@ read the data.
Run it:
```
λ has-writeup/aaaa/seeing-stars python seeing-stars.py
b'flag{juliet73678uniform:GDy7YZdtCL9mcLgYuLceK_zwgwSAoT6ui5aMGo1IMYcic9tiI8EXUHLfQDcUsjjt5KqsIvOWUYeM8IS6631Vppw}\n'
Traceback (most recent call last):
File "seeing-stars.py", line 42, in <module>
rawdat = r.recvuntil('Enter', drop=True)
File "/usr/lib/python3.8/site-packages/pwnlib/tubes/tube.py", line 310, in recvuntil
res = self.recv(timeout=self.timeout)
File "/usr/lib/python3.8/site-packages/pwnlib/tubes/tube.py", line 82, in recv
return self._recv(numb, timeout) or b''
File "/usr/lib/python3.8/site-packages/pwnlib/tubes/tube.py", line 160, in _recv
if not self.buffer and not self._fillbuffer(timeout):
File "/usr/lib/python3.8/site-packages/pwnlib/tubes/tube.py", line 131, in _fillbuffer
data = self.recv_raw(self.buffer.get_fill_size())
File "/usr/lib/python3.8/site-packages/pwnlib/tubes/sock.py", line 56, in recv_raw
raise EOFError
EOFError
```
## Resources and other writeups
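
Review bot: deleting the traceback from the `Run it:` listing hides that `seeing-stars.py` still ends in an uncaught `EOFError` raised from `r.recvuntil('Enter', drop=True)` at line 42. Catch `EOFError` around that call in the script and exit cleanly, and keep one redacted output line (for example `b'flag{...}\n'`) so the block shows what success looks like rather than only the command.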

@ -137,26 +137,28 @@ stuffing within the frame, since PPP will escape certain bytes with the `7d` pre
byte XOR `0x20`. Finally, the frame can be passed to scapy for analysis. This is a VERY lax
de-framer because sometimes frames seemed to not be started or terminated properly.
def decode(ch):
buf2 = b""
esc = False
```python
def decode(ch):
buf2 = b""
esc = False
for x in ch:
if x == 0x7e:
if buf2 != b"\xFF" and buf2 != b"":
print(PPP(buf2).__repr__())
buf2 = b""
esc = False
elif esc:
esc = False
buf2 += bytes([x^0x20])
elif x == 0x7d:
esc = True
else:
buf2 += bytes([x])
for x in ch:
if x == 0x7e:
if buf2 != b"\xFF" and buf2 != b"":
PPP(buf2).show()
buf2 = b""
esc = False
elif esc:
esc = False
buf2 += bytes([x^0x20])
elif x == 0x7d:
esc = True
else:
buf2 += bytes([x])
if len(buf2) > 0:
print(PPP(buf2).__repr__())
if len(buf2) > 0:
PPP(buf2).show()
```
(This code is really awful CTF code, please ignore the 200 awful spaghetti things I'm doing in this
snippet.)
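
Review bot: in `decode`, the buffer handed to `PPP(buf2).show()` at the `0x7e` branch is never checked against the frame's trailing 2-byte FCS, and the trailer is not stripped either; it appears to be the two bytes scapy reports as `Padding load=...` on the frames in the following listing. Since the text says frames were sometimes not started or terminated properly, verifying the FCS before dissecting would separate damaged frames from good ones instead of printing both. A `0x7d` immediately followed by `0x7e` is also handled as a normal frame end and should discard the buffer.
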
@ -164,15 +166,56 @@ snippet.)
Now we can see what the packets mean. In particular, we spot these ones:
```
===================== CH 1
###[ HDLC ]###
address = 0xff
control = 0x3
###[ PPP Link Layer ]###
proto = Link Control Protocol
###[ PPP Link Control Protocol ]###
code = Configure-Ack
id = 0x2
len = 28
\options \
.....
|###[ PPP LCP Option ]###
| type = Authentication-protocol
| len = 5
| auth_protocol= Challenge-response authentication protocol
| algorithm = MS-CHAP
.....
<HDLC address=0xff control=0x3 |<PPP proto=Link Control Protocol |<PPP_LCP_Configure code=Configure-Ack id=0x2 len=28 options=[<PPP_LCP_ACCM_Option type=Async-Control-Character-Map len=6 accm=0 |>, <PPP_LCP_Auth_Protocol_Option type=Authentication-protocol len=5 auth_protocol=Challenge-response authentication protocol algorithm=MS-CHAP |>, <PPP_LCP_Magic_Number_Option type=Magic-number len=6 magic_number=77681304 |>, <PPP_LCP_Option type=Protocol-Field-Compression len=2 data='' |>, <PPP_LCP_Option type=Address-and-Control-Field-Compression len=2 data='' |>, <PPP_LCP_Callback_Option type=Callback len=3 operation=6 |>] |<Padding load='\xbe6' |>>>>
<PPP proto=Challenge Handshake Authentication Protocol |<PPP_CHAP_ChallengeResponse code=Response id=0x0 len=67 value_size=49 value=0000000000000000000000000000000000000000000000006c2e3af0f2f77602e9831310b56924f3428b05ad60c7a2b401 optional_name='rocketman2674' |<Padding load='c\x89' |>>>
###[ PPP Link Layer ]###
proto = Challenge Handshake Authentication Protocol
###[ PPP Challenge Handshake Authentication Protocol ]###
code = Response
id = 0x0
len = 67
value_size= 49
value = 0000000000000000000000000000000000000000000000006c2e3af0f2f7760
2e9831310b56924f3428b05ad60c7a2b401
optional_name= 'rocketman2674'
```
===================== CH 2
and
<PPP proto=Challenge Handshake Authentication Protocol |<PPP_CHAP_ChallengeResponse code=Challenge id=0x0 len=26 value_size=8 value=12810ab88c7f1c74 optional_name='GRNDSTTNA8F6C' |<Padding load='[\x1f' |>>>
<PPP proto=Challenge Handshake Authentication Protocol |<PPP_CHAP code=Success id=0x0 len=4 data='' |<Padding load='\x1e\xe6' |>>>
```
###[ PPP Link Layer ]###
proto = Challenge Handshake Authentication Protocol
###[ PPP Challenge Handshake Authentication Protocol ]###
code = Challenge
id = 0x0
len = 26
value_size= 8
value = 12810ab88c7f1c74
optional_name= 'GRNDSTTNA8F6C'
###[ PPP Link Layer ]###
proto = Challenge Handshake Authentication Protocol
###[ PPP Challenge Handshake Authentication Protocol ]###
code = Success
id = 0x0
len = 4
data = ''
```
We can see in this exchange that the client has negotiated `MS-CHAP` authentication and then
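
Review bot: the new listing shows the CHAP `Response` (`optional_name= 'rocketman2674'`) before the `Challenge` from `GRNDSTTNA8F6C`, joined by a bare `and`, which is the reverse of the order in which the exchange happens. List Challenge, Response, Success in that order, and keep the `CH 1` / `CH 2` labels so each frame's direction stays visible. The `value` field of the response is also hard-wrapped across two lines, which breaks copying the 49-byte value.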

@ -15,4 +15,4 @@
\newunicodechar{}{\textsymbol{}}
\newunicodechar{}{\textsymbol{}}
\setmonofont{Noto Mono}
\setmonofont{Noto Mono}[Scale=0.9]

@ -6,7 +6,7 @@ Many CPUs cache RAM accesses so as to speed up subsequent accesses to the same a
In the case of Leaky Crypto, a set of 100,000 plaintexts and corresponding encryption times is provided along with the first six bytes of the encryption key. We ran an analyzer program[^1] against these plaintexts to obtain the probable correlation between different indexes in the key with respect to the XOR product of those bytes with plaintext bytes. Per the above, the plaintexts and timing data provided enough information to derive the systems of equations which may be used to solve for key bytes, and the first 6 bytes of the key provided enough information to actually solve said systems of equations. Given the ambiguity of the low bits of each derived key byte, we obtained 2<sup>14</sup> partial keys with three unknown bytes each. Thus, we reduced the problem of guessing 2<sup>128</sup> bits to guessing only 2<sup>38</sup> bits. We fed our derived partial keys into [Hulk](https://github.com/pgarba/Hulk) to brute force the remaining bytes for each candidate partial key. After 30 minutes had passed, we successfully brute forced the key.
[^1]: ```python
```python
from itertools import combinations
import matplotlib.pyplot as plt
import numpy as np
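
Review bot: removing the `[^1]:` prefix from the opening fence deletes the footnote definition, but the paragraph above still cites `analyzer program[^1]`, so the reference no longer has a target. Either drop the `[^1]` marker and introduce the listing in the text, or keep the block as a footnote.
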
@ -33,7 +33,7 @@ In the case of Leaky Crypto, a set of 100,000 plaintexts and corresponding encry
if __name__ == '__main__':
known_keybytes = bytes.fromhex("64c7072487f2")
secret_data = "c1a5fe7beb2c70bfab98926627dcff8b9671edc52441f89fa47797aa023f15f67907ee837b93cd9b194922ebb7c3ca3bd1cbfbc888efe147e80554047d82872fcee564c1bfd2e0a809568acb5cc08f4836a5f91f43b576a4ee1c6f097c15e1cd4056917fc51c1e5d8157409b11f1600d"
secret_data = "c1a5fe7beb2c70bfab98926627dcff8b9671edc52441....."
data = set()
with open("test.txt", "r") as fp:
@ -67,4 +67,4 @@ In the case of Leaky Crypto, a set of 100,000 plaintexts and corresponding encry
known_tly[j][i][c] = cnorm
guess_bytes(known_tly, known_keybytes, 4, tavg)
```
```

@ -65,7 +65,9 @@ at any actual telemetry.
```ruby
12.upto(212) { |off|
offset = off
cmd("MM PEEK_MEM with CCSDS_STREAMID 6280, CCSDS_SEQUENCE 49152, CCSDS_LENGTH 73, CCSDS_FUNCCODE 2, CCSDS_CHECKSUM 0, DATA_SIZE 8, MEM_TYPE 1, PAD_16 0, ADDR_OFFSET #{offset}, ADDR_SYMBOL_NAME 'KitToFlagPkt'")
cmd("MM PEEK_MEM with CCSDS_STREAMID 6280, CCSDS_SEQUENCE 49152, CCSDS_LENGTH 73, "
+ "CCSDS_FUNCCODE 2, CCSDS_CHECKSUM 0, DATA_SIZE 8, MEM_TYPE 1, PAD_16 0, "
+ "ADDR_OFFSET #{offset}, ADDR_SYMBOL_NAME 'KitToFlagPkt'")
}
```
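
Review bot: the two continuation lines start with `+`, and Ruby ends the expression at the newline after the first string literal, so `cmd("MM PEEK_MEM ... CCSDS_LENGTH 73, "` followed by `+ "CCSDS_FUNCCODE 2, ..."` does not parse as one concatenation. Move each `+` to the end of the preceding line, or end the lines with `\` between adjacent literals, so the wrapped call still passes `cmd` the single string the original line did.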

@ -74,7 +74,8 @@ def decode_pkt(b):
field4 = to_hex(b[27:30])
if b[30] != ord('?'):
print('b[30] is not ?')
print(': 00:00:00 > {} {} {} @ {} {} {} ?'.format(field1, field1end, field2, field3, field3end, field4))
print(': 00:00:00 > {} {} {} @ {} {} {} ?'.format(field1, field1end, field2,
field3, field3end, field4))
elif b[0] == ord(';'):
print('delimiter') # end of previous packet?
else:
@ -138,8 +139,26 @@ tried, this was extremely unlikely.
We then tried reading the data sequentially from the buffer, from Juicy Data 00
to 04. Here's the entire string:
```
Juicy Data 00\x00\xc8\xf7\xeb\x15\x96=kp\\\xc9,^\xd5\xcf\\1\x99\x19w\x9a\xc6\xa9\x08e\x8dU\x92j7,\x00\xff#\xeb\x14\xb9)\x7f)\x85HV\xe3\x1d%?O\xbeY\xc6Juicy Data 01\x00R\x01\x1e{\x81G\x00\xc9\x9d\xe3\xe7\xc2#6\x81|\xfc\xd9\x9bk:\x1fh\xf05\xce\xddw5\xca\xdc\x87\xcc\xfa\x02MA\x02\x16\xdf\xe5\xfd\xa1\x083"\x84/\xfc\x1fJuicy Data 02\x00\xc0\x8f\xe7\x02\x91\xfd\xe1w\xfb\x82\x7f.\xa5\x04^\xa1#\xf9\xd7b\xfc\xfd\xd5\xcd\x00\xc0\xd4\xce\x86ahG\xf1OI\x82M*\xf9H\xacyvQ}\xd4\xf2\xa0\xcd\xc9Juicy Data 03\x00M\xae@\x9a\xd89\xe2\x85\xb2Y\xd6/-\xc9\xd0\xfb\x92\xd2\xc4Y\xaa[ B\xc6\xb5a\x93\xb3\xc6P\x01u\x90\x9bM\xca~\xd2|\xd7\xa9\xac\x04r|\xff\x04N\xc4Juicy Data 04\x00Z\x83%$\x01\xf8\xa0\xd8\xa1L\xdc\x13\xc8\xdc\x17\x17\xa0u\x10\xbf\xf2K\xa5%\xe8\x1e\x0cK\xe8\xf3
```hexdump
00000000: 4a75 6963 7920 4461 7461 2030 3000 c8f7 Juicy Data 00...
00000010: eb15 963d 6b70 5cc9 2c5e d5cf 5c31 9919 ...=kp\.,^..\1..
00000020: 779a c6a9 0865 8d55 926a 372c 00ff 23eb w....e.U.j7,..#.
00000030: 14b9 297f 2985 4856 e31d 2558 58be 59c6 ..).).HV..%XX.Y.
00000040: 4a75 6963 7920 4461 7461 2030 3100 5201 Juicy Data 01.R.
00000050: 1e7b 8147 00c9 9de3 e7c2 2336 817c fcd9 .{.G......#6.|..
00000060: 9b6b 3a1f 68f0 35ce dd77 35ca dc87 ccfa .k:.h.5..w5.....
00000070: 024d 4102 16df e5fd a108 3322 842f fc1f .MA.......3"./..
00000080: 4a75 6963 7920 4461 7461 2030 3200 c08f Juicy Data 02...
00000090: e702 91fd e177 fb82 7f2e a504 5ea1 23f9 .....w......^.#.
000000a0: d762 fcfd d5cd 00c0 d4ce 8661 6847 f14f .b.........ahG.O
000000b0: 4982 4d2a f948 ac79 7651 7dd4 f2a0 cdc9 I.M*.H.yvQ}.....
000000c0: 4a75 6963 7920 4461 7461 2030 3300 4dae Juicy Data 03.M.
000000d0: 409a d839 e285 b259 d62f 2dc9 d0fb 92d2 @..9...Y./-.....
000000e0: c459 aa5b 2042 c6b5 6193 b3c6 5001 7590 .Y.[ B..a...P.u.
000000f0: 9b4d ca7e d27c d7a9 ac04 727c ff04 4ec4 .M.~.|....r|..N.
00000100: 4a75 6963 7920 4461 7461 2030 3400 5a83 Juicy Data 04.Z.
00000110: 2524 01f8 a0d8 a14c dc13 c8dc 1717 a075 %$.....L.......u
00000120: 10bf f24b a525 e81e 0c4b e8f3 ...K.%...K..
```
Unfortunately, nothing meaningful was derived from this. There are a `{` and `}`
with bytes between them, but they aren't flag length.
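
Review bot: the hexdump is not byte-identical to the string it replaces. In row `00000030`, offsets 0x3b-0x3c read `58 58` (ASCII column `%XX`), while the removed string has `%?O\xbe` at that position, i.e. `25 3f 4f be`. If those two bytes were overwritten on purpose, say so in the text; otherwise regenerate the dump from the captured buffer so readers comparing it with the `^ca` packets see matching bytes.
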
@ -168,7 +187,7 @@ of the form of `^3b+00+00+XX+.` where XX<38 shuts it down, but only 37 enables
dump mode. This can probably be done with a fuzzer. Why has God abandoned us?
What accursed malfunction did we do to deserve this fate?
If you send the packet `^ca+00+44+79+20+44+61+74+61+20+30+31+00+52+01+1e+7b+81+47+00+c9+9d+e3+e7+c2+23+36+81+7c+fc+d9+9b+6b+3a+1f+68+f0+35+ce+dd+77+35+ca+dc+87+cc+.`,
If you send the packet `^ca+00+44+79+20+44+61+74+61+20+30+31+00+52+01+1e+7b+81+47+00+.....+87+cc+.`,
the same packet is sent back.
This means that the juice packets deliminated with `\xca` are actually instructions.
@ -181,7 +200,7 @@ By playing with the packet, the format appears to go:
With the inject:
```
b"^3b+00+00+37+."
b"^ca+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+."
b"^ca+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+00+....+00+00+."
```
we can query for everything in memory. And we did.
@ -191,43 +210,11 @@ we can query for everything in memory. And we did.
Run it:
```
λ has-writeup/satellite-bus/magic-bus python magic-bus.py master 2h ⬡
Injection: ^3b+00+00+37+.
b'^3a+00+00+3e+00+00+00+33+17+43+3c+0b+68+40+41+4e+dc+a0+c0+3e+6c+a0+40+c4+96+3f+c1+f8+fc+e6+3f+.'
START: 0000003317433c0b6840414edca0c03e6ca040c4963fc1f8fce63f
: 00:00:00 > 33:17:43:3c:b:68 @ 4e:dc:a0:c0:3e:6c:a0 @ c4:96 ? f8:fc:e6 ?
λ has-writeup/satellite-bus/magic-bus python magic-bus.py
....
b'^3b+00+00+3f+.'
ONCE CALL
delimiter
b'^3a+00+00+3f+00+00+00+38+94+53+40+c8+2e+40+41+01+3a+a0+c0+69+11+a1+40+7c+2e+40+c1+9b+1c+e6+3f+.'
ONCE: 00000038945340c82e4041013aa0c06911a1407c2e40c19b1ce63f
: 00:00:00 > 38:94:53:40:c8:2e @ 1:3a:a0:c0:69:11:a1 @ 7c:2e @ 9b:1c:e6 ?
b'^ca+00+44+79+20+44+61+74+61+20+30+31+00+52+01+1e+7b+81+47+00+c9+9d+e3+e7+c2+23+36+81+7c+fc+d9+9b+6b+3a+1f+68+f0+35+ce+dd+77+35+ca+dc+87+cc+.'
JUICE: b'\xca\x00Dy Data 01\x00R\x01\x1e{\x81G\x00\xc9\x9d\xe3\xe7\xc2#6\x81|\xfc\xd9\x9bk:\x1fh\xf05\xce\xddw5\xca\xdc\x87\xcc'
b'^3b+00+00+3e+.'
END CALL
delimiter
b'^3a+00+00+3e+00+00+00+ce+49+d5+3b+e9+6b+3f+41+8f+71+a0+c0+fa+72+a0+40+17+e5+3f+c1+51+0a+e7+3f+.'
INJECTING
END: 000000ce49d53be96b3f418f71a0c0fa72a04017e53fc1510ae73f
: 00:00:00 > ce:49:d5:3b:e9:6b ? 8f:71:a0:c0:fa:72:a0 @ 17:e5 ? 51:a:e7 ?
b'^3b+00+00+37+.'
SHUT DOWN SUCCESSFUL
INJECTING AGAIN
b'^ca+00+00+4a+75+69+63+79+20+44+61+74+61+20+30+30+00+c8+f7+eb+15+96+3d+6b+70+5c+c9+2c+5e+d5+cf+5c+31+99+19+77+9a+c6+a9+08+65+8d+55+92+6a+37+2c+00+ff+23+eb+14+b9+29+7f+29+85+48+56+e3+1d+25+3f+4f+be+59+c6+4a+75+69+63+79+20+44+61+74+61+20+30+31+00+52+01+1e+7b+81+47+00+c9+9d+e3+e7+c2+23+36+81+7c+fc+d9+9b+6b+3a+1f+68+f0+35+ce+dd+77+35+ca+dc+87+cc+fa+02+4d+41+02+16+df+e5+fd+a1+08+33+22+84+2f+fc+1f+4a+75+69+63+79+20+44+61+74+61+20+30+32+00+c0+8f+e7+02+91+fd+e1+77+fb+82+7f+2e+a5+04+5e+a1+23+f9+d7+62+fc+fd+d5+cd+00+c0+d4+ce+86+61+68+47+f1+4f+49+82+4d+2a+f9+48+ac+79+76+51+7d+d4+f2+a0+cd+c9+4a+75+69+63+79+20+44+61+74+61+20+30+33+00+4d+ae+40+9a+d8+39+e2+85+b2+59+d6+2f+2d+c9+d0+fb+92+d2+c4+59+aa+5b+20+42+c6+b5+61+93+b3+c6+50+01+75+90+9b+4d+ca+7e+d2+7c+d7+a9+ac+04+72+7c+ff+04+4e+c4+4a+75+69+63+79+20+44+61+74+61+20+30+34+00+5a+83+25+24+01+f8+a0+d8+a1+4c+dc+13+c8+dc+17+17+a0+75+10+bf+f2+4b+a5+25+e8+1e+0c+4b+e8+f3+23+42+76+48+66+77+40+06+4f+e1+53+2c+f4+1b+08+0c+32+a8+81+42+4a+75+69+63+79+20+44+61+74+61+20+30+35+00+2c+bb+86+6d+c2+d6+4e+15+02+43+30+0a+4f+63+b2+d0+a5+19+43+33+26+dc+a9+52+81+6a+65+1a+4e+bb+29+7b+76+af+e8+38+85+36+4d+66+6c+61+67+7b+6f+73+63+61+72+33+39+36+31+36+6b+69+6c+6f+3a+47+43+78+6d+68+4f+52+59+61+36+35+59+30+50+6d+52+74+46+6d+6c+46+53+42+6d+6e+76+49+6d+45+69+57+67+63+6f+47+32+70+6f+73+49+5f+6e+56+51+51+39+5a+4b+35+44+65+4b+76+56+53+76+69+6f+2d+4c+4c+2d+36+58+32+6a+66+52+46+77+39+42+34+58+71+34+6f+56+51+44+69+71+46+44+74+50+4d+7d+00+0d+70+a9+16+2e+df+4e+64+76+e3+91+15+87+6b+ad+72+22+af+71+ad+6c+91+9d+bd+3e+5e+34+67+.'
JUICE: b'\xca\x00\x00Juicy Data 00\x00\xc8\xf7\xeb\x15\x96=kp\\\xc9,^\xd5\xcf\\1\x99\x19w\x9a\xc6\xa9\x08e\x8dU\x92j7,\x00\xff#\xeb\x14\xb9)\x7f)\x85HV\xe3\x1d%?O\xbeY\xc6Juicy Data 01\x00R\x01\x1e{\x81G\x00\xc9\x9d\xe3\xe7\xc2#6\x81|\xfc\xd9\x9bk:\x1fh\xf05\xce\xddw5\xca\xdc\x87\xcc\xfa\x02MA\x02\x16\xdf\xe5\xfd\xa1\x083"\x84/\xfc\x1fJuicy Data 02\x00\xc0\x8f\xe7\x02\x91\xfd\xe1w\xfb\x82\x7f.\xa5\x04^\xa1#\xf9\xd7b\xfc\xfd\xd5\xcd\x00\xc0\xd4\xce\x86ahG\xf1OI\x82M*\xf9H\xacyvQ}\xd4\xf2\xa0\xcd\xc9Juicy Data 03\x00M\xae@\x9a\xd89\xe2\x85\xb2Y\xd6/-\xc9\xd0\xfb\x92\xd2\xc4Y\xaa[ B\xc6\xb5a\x93\xb3\xc6P\x01u\x90\x9bM\xca~\xd2|\xd7\xa9\xac\x04r|\xff\x04N\xc4Juicy Data 04\x00Z\x83%$\x01\xf8\xa0\xd8\xa1L\xdc\x13\xc8\xdc\x17\x17\xa0u\x10\xbf\xf2K\xa5%\xe8\x1e\x0cK\xe8\xf3#BvHfw@\x06O\xe1S,\xf4\x1b\x08\x0c2\xa8\x81BJuicy Data 05\x00,\xbb\x86m\xc2\xd6N\x15\x02C0\nOc\xb2\xd0\xa5\x19C3&\xdc\xa9R\x81je\x1aN\xbb){v\xaf\xe88\x856Mflag{oscar39616kilo:GCxmhORYa65Y0PmRtFmlFSBmnvImEiWgcoG2posI_nVQQ9ZK5DeKvVSvio-LL-6X2jfRFw9B4Xq4oVQDiqFDtPM}\x00\rp\xa9\x16.\xdfNdv\xe3\x91\x15\x87k\xadr"\xafq\xadl\x91\x9d\xbd>^4g'
JUICE: b'.....v\xaf\xe88\x856Mflag{oscar39616kilo:GCxmhORYa65Y0PmRtFmlFSBmnvImEiWg.....'
```
Hey look, a flag!
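
Review bot: collapsing the run output to `....` removes the `b'^3b+00+00+37+.'` / `SHUT DOWN SUCCESSFUL` / `INJECTING AGAIN` sequence, which was the only place the listing showed that the shutdown packet is accepted before the `^ca` injection is sent. Keep those three short lines and truncate only the long `+`-separated hex and the `JUICE:` payload, so the output still documents the order of operations the "With the inject" section depends on.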

@ -54,5 +54,5 @@ The rest of the strategy is pretty much just to use trial and error:
```
## Resources and other writeups
- http://gpredict.oz9aec.net/
- https://en.wikipedia.org/wiki/Two-line_element_set
- <http://gpredict.oz9aec.net/>
- <https://en.wikipedia.org/wiki/Two-line_element_set>

top.md
@ -1,7 +1,7 @@
---
title: BLAHAJ
mainfont: Noto Serif
geometry: margin=0.3in
geometry: margin=0.7in
header-includes: |
\input{fonts.tex}