BLAHAJ
/
has-writeup
10
2
Fork 0
Code Releases Activity
has-writeup/aaaa/like-to-watch
History
xenia 805e1f3c21 like to watch 2020-05-26 19:42:52 -04:00
..
README.md like to watch 2020-05-26 19:42:52 -04:00
gpredict.png like to watch 2020-05-26 19:42:52 -04:00
kml1.png like to watch 2020-05-26 19:42:52 -04:00
kml2.png like to watch 2020-05-26 19:42:52 -04:00

README.md

I Like To Watch

Category: Astronomy, Astrophysics, Astrometry, Astrodynamics, AAAA Points (final): 37 Solves: 126

Fire up your Google Earth Pro and brush up on your KML tutorials, we're going to make it look at things!

Write-up

by haskal

A netcat endpoint is provided, and when you connect it provides the following info:

We've captured data from a satellite that shows a flag located at the base of the Washington
Monument.
The image was taken on March 26th, 2020, at 21:54:33
The satellite we used was: 

REDACT
1 13337U 98067A   20087.38052801 -.00000452  00000-0  00000+0 0  9995
2 13337  51.6460  33.2488 0005270  61.9928  83.3154 15.48919755219337

Use a Google Earth Pro KML file to 'Link' to http://18.191.77.141:26963/cgi-bin/HSCKML.py
and 'LookAt' that spot from where the satellite when it took the photo and get us that flag!

Additionally, an example KML file is provided

<?xml version="1.0" encoding="UTF-8"?>
<kml xmlns="http://www.opengis.net/kml/2.2">
  <Folder>
    <name>HackASatCompetition</name>
    <visibility>0</visibility>
    <open>0</open>
    <description>HackASatComp1</description>
    <NetworkLink>
      <name>View Centered Placemark</name>
      <visibility>0</visibility>
      <open>0</open>
      <description>This is where the satellite was located when we saw it.</description>
      <refreshVisibility>0</refreshVisibility>
      <flyToView>0</flyToView>
      <LookAt id="ID">
        <!-- specific to LookAt -->
        <longitude>FILL ME IN</longitude>            	<!-- kml:angle180 -->
        <latitude>FILL ME IN TOO</latitude>              	<!-- kml:angle90 -->
        <altitude>FILL ME IN AS WELL</altitude>              		<!-- double -->
        <heading>FILL IN THIS VALUE</heading>                <!-- kml:angle360 -->
        <tilt>FILL IN THIS VALUE TOO</tilt>                     <!-- kml:anglepos90 -->
        <range>FILL IN THIS VALUE ALSO</range>                     <!-- double -->
        <altitudeMode>clampToGround</altitudeMode>
      </LookAt>
      <Link>
        <href>http://FILL ME IN:FILL ME IN/cgi-bin/HSCKML.py</href>
        <refreshInterval>1</refreshInterval>
        <viewRefreshMode>onStop</viewRefreshMode>
        <viewRefreshTime>1</viewRefreshTime>
        <viewFormat>BBOX=[bboxWest],[bboxSouth],[bboxEast],[bboxNorth];
CAMERA=[lookatLon],[lookatLat],[lookatRange],[lookatTilt],[lookatHeading];
VIEW=[horizFov],[vertFov],[horizPixels],[vertPixels],[terrainEnabled]</viewFormat>
      </Link>
    </NetworkLink>
  </Folder>
</kml>

We can use gpredict to figure out where the satellite was by loading the TLE (one way is to create an http endpoint with the TLE in a txt file, and then add the URL in the gpredict settings). However, gpredict will refuse to load this TLE. It turns out the checksums are incorrect, and if we calculate them according to the TLE spec, we get these lines with fixed checksums

REDACT
1 13337U 98067A   20087.38052801 -.00000452  00000-0  00000+0 0  9992
2 13337  51.6460  33.2488 0005270  61.9928  83.3154 15.48919755219334

Now, gpredict loads the data (if not, close gpredict, clear the cache with rm ~/.config/Gpredict/satdata/*.sat, start gpredict, and select Update TLE data from network). The next step is to create a location for the washington monument. The monument is located at -77.0354,38.889100. Finally, use the gpredict time controller to pause real time, then set the time to March 26th, 2020 at 21:54:33.

Gpredict showing the satellite pass at that time

We can see that (in the ground reference frame) the satellite is at azimuth 35.52 degrees and elevation 58.18 degrees. Additionally, it has a line-of-sight range of 488 km.

To make our lives easier you can notice in Wireshark that Google Earth Pro simply makes HTTP requests to the given endpoint with parameters given in the KML file, like this

http://server/cgi-bin/HSCKML.py?BBOX=...;CAMERA=...;...

So we can use plain curl to avoid messing with the Google Earth Pro GUI a lot. We need the following parameters: the bounding box of the view, the camera parameters, and the view parameters.

For the bounding box, we create a reasonable box around the location of the washington monument

BBOX=-77.035378,38.889384,-77.035178,38.889584

For the camera parameters, we look directly at the base, but we need to provide a heading and tilt. The Google Earth KML reference has a handy diagram of the reference frame needed

KML docs showing the tilt parameter

KML docs showing the heading parameter

Since gpredict is in a ground reference frame, we need to add 180 to the azimuth to get the heading, and subtract 90 - elevation to get the tilt. With these calculations and the monument coordinates we have (note the range is in meters, not km, so we multiply by 1000)

CAMERA=-77.035278,38.889484,488000,31.82,215.18

Finally, for the view we chose some reasonable parameters that seemed to work. This part doesn't seem to be very important

VIEW=60,60,500,500,1

Putting it together, the full URL is

http://theserver/cgi-bin/HSCKML.py?BBOX=-77.035378,38.889384,-77.035178,38.889584;
CAMERA=-77.035278,38.889484,488000,31.82,215.18;VIEW=60,60,500,500,1

Requesting the URL reveals the flag

<?xml version="1.0" encoding="UTF-8"?>
<kml xmlns="http://www.opengis.net/kml/2.2">
<Placemark>
<name>CLICK FOR FLAG</name>
<description>flag{juliet71739hotel:GNeeb.....}</description>
<Point>
<coordinates>-77.0354,38.889100</coordinates>
</Point>
</Placemark>
</kml>

Resources and other writeups