xenia 805e1f3c21 | ||
---|---|---|
.. | ||
README.md | ||
gpredict.png | ||
kml1.png | ||
kml2.png |
README.md
I Like To Watch
Category: Astronomy, Astrophysics, Astrometry, Astrodynamics, AAAA Points (final): 37 Solves: 126
Fire up your Google Earth Pro and brush up on your KML tutorials, we're going to make it look at things!
Write-up
by haskal
A netcat endpoint is provided, and when you connect it provides the following info:
We've captured data from a satellite that shows a flag located at the base of the Washington
Monument.
The image was taken on March 26th, 2020, at 21:54:33
The satellite we used was:
REDACT
1 13337U 98067A 20087.38052801 -.00000452 00000-0 00000+0 0 9995
2 13337 51.6460 33.2488 0005270 61.9928 83.3154 15.48919755219337
Use a Google Earth Pro KML file to 'Link' to http://18.191.77.141:26963/cgi-bin/HSCKML.py
and 'LookAt' that spot from where the satellite when it took the photo and get us that flag!
Additionally, an example KML file is provided
<?xml version="1.0" encoding="UTF-8"?>
<kml xmlns="http://www.opengis.net/kml/2.2">
<Folder>
<name>HackASatCompetition</name>
<visibility>0</visibility>
<open>0</open>
<description>HackASatComp1</description>
<NetworkLink>
<name>View Centered Placemark</name>
<visibility>0</visibility>
<open>0</open>
<description>This is where the satellite was located when we saw it.</description>
<refreshVisibility>0</refreshVisibility>
<flyToView>0</flyToView>
<LookAt id="ID">
<!-- specific to LookAt -->
<longitude>FILL ME IN</longitude> <!-- kml:angle180 -->
<latitude>FILL ME IN TOO</latitude> <!-- kml:angle90 -->
<altitude>FILL ME IN AS WELL</altitude> <!-- double -->
<heading>FILL IN THIS VALUE</heading> <!-- kml:angle360 -->
<tilt>FILL IN THIS VALUE TOO</tilt> <!-- kml:anglepos90 -->
<range>FILL IN THIS VALUE ALSO</range> <!-- double -->
<altitudeMode>clampToGround</altitudeMode>
</LookAt>
<Link>
<href>http://FILL ME IN:FILL ME IN/cgi-bin/HSCKML.py</href>
<refreshInterval>1</refreshInterval>
<viewRefreshMode>onStop</viewRefreshMode>
<viewRefreshTime>1</viewRefreshTime>
<viewFormat>BBOX=[bboxWest],[bboxSouth],[bboxEast],[bboxNorth];
CAMERA=[lookatLon],[lookatLat],[lookatRange],[lookatTilt],[lookatHeading];
VIEW=[horizFov],[vertFov],[horizPixels],[vertPixels],[terrainEnabled]</viewFormat>
</Link>
</NetworkLink>
</Folder>
</kml>
We can use gpredict to figure out where the satellite was by loading the TLE (one way is to create an http endpoint with the TLE in a txt file, and then add the URL in the gpredict settings). However, gpredict will refuse to load this TLE. It turns out the checksums are incorrect, and if we calculate them according to the TLE spec, we get these lines with fixed checksums
REDACT
1 13337U 98067A 20087.38052801 -.00000452 00000-0 00000+0 0 9992
2 13337 51.6460 33.2488 0005270 61.9928 83.3154 15.48919755219334
Now, gpredict loads the data (if not, close gpredict, clear the cache with rm ~/.config/Gpredict/satdata/*.sat
, start gpredict, and select Update TLE data from network
). The
next step is to create a location for the washington monument. The monument is located at
-77.0354,38.889100. Finally, use the gpredict time controller to pause real time, then set the time
to March 26th, 2020 at 21:54:33.
We can see that (in the ground reference frame) the satellite is at azimuth 35.52 degrees and elevation 58.18 degrees. Additionally, it has a line-of-sight range of 488 km.
To make our lives easier you can notice in Wireshark that Google Earth Pro simply makes HTTP requests to the given endpoint with parameters given in the KML file, like this
http://server/cgi-bin/HSCKML.py?BBOX=...;CAMERA=...;...
So we can use plain curl to avoid messing with the Google Earth Pro GUI a lot. We need the following parameters: the bounding box of the view, the camera parameters, and the view parameters.
For the bounding box, we create a reasonable box around the location of the washington monument
BBOX=-77.035378,38.889384,-77.035178,38.889584
For the camera parameters, we look directly at the base, but we need to provide a heading and tilt. The Google Earth KML reference has a handy diagram of the reference frame needed
Since gpredict is in a ground reference frame, we need to add 180 to the azimuth to get the heading, and subtract 90 - elevation to get the tilt. With these calculations and the monument coordinates we have (note the range is in meters, not km, so we multiply by 1000)
CAMERA=-77.035278,38.889484,488000,31.82,215.18
Finally, for the view we chose some reasonable parameters that seemed to work. This part doesn't seem to be very important
VIEW=60,60,500,500,1
Putting it together, the full URL is
http://theserver/cgi-bin/HSCKML.py?BBOX=-77.035378,38.889384,-77.035178,38.889584;
CAMERA=-77.035278,38.889484,488000,31.82,215.18;VIEW=60,60,500,500,1
Requesting the URL reveals the flag
<?xml version="1.0" encoding="UTF-8"?>
<kml xmlns="http://www.opengis.net/kml/2.2">
<Placemark>
<name>CLICK FOR FLAG</name>
<description>flag{juliet71739hotel:GNeeb.....}</description>
<Point>
<coordinates>-77.0354,38.889100</coordinates>
</Point>
</Placemark>
</kml>