A Template Attack to Reconstruct the Input of SHA-3 on an 8-Bit Device

Accepted version
Peer-reviewed

Type

Conference Object

Authors

You, SC 
Kuhn, MG 

Abstract

We present an enumeration procedure based on a template attack to recover the complete input text of a SHA-3 implementation on an 8-bit microprocessor from a single trace of a power-analysis side channel. This attack targets 600 bytes of triple-redundant internal state in each invocation of the permutation used by SHA-3. We first build templates that can generate for each of these bytes a rank table of all 256 candidates. The templates we obtained for our 8-bit target CPU nearly identified the correct value of most target bytes directly, rather than just gathering information about their Hamming weights. We then search the full intermediate state of the Keccak permutation to eliminate remaining uncertainties about the recovered byte values. From the resulting intermediate states we finally reconstruct both the input and output of SHA-3 and verify the output. In our experimental evaluation of this procedure we achieved success rates higher than 99%.

Description

Keywords

Template attack, SHA-3, Keccak, Enumeration trees

Journal Title

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Conference Name

Constructive Side-Channel Analysis and Secure Design

Journal ISSN

0302-9743
1611-3349

Volume Title

12244 LNCS

Publisher

Springer International Publishing

Rights

All rights reserved

Sponsorship

Cambridge Trust
Ministry of Education, Taiwan