Rating:

```
$ cat clue.txt
Sentience is an abstract concept...
```

Notice that task theme is the Short Circuit movie.

Look for open ports

```
$ netstat -aepW
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 30920 - @?
```

The one listening is a unix socket in the abstract namespace (not bound to file system).

Scripting is available with `python`. And you can find a writable folder, if you need one.
`wget` is available to download scripts.

Connect to the socket, the address is `\x00?`:

```
_______ _____
| ___ \ / ___ \| | | |/\
| | | | | | | | | / \
| | | | | | |\ \/ / /\ \
| | | | |___| | \ / |__| |
|_| |_|\_____/ \/|______|
| |
_ _
| | _ (_)
____ ___ | | _ ___ | |_ _ ____ ___
/ ___) _ \| || \ / _ \| _)| |/ ___)/___)
| | | |_| | |_) ) |_| | |__| ( (___|___ |
|_| \___/|____/ \___/ \___)_|\____|___/
Tomorrow is Here.

Welcome to the Nova Robotics Satellite debug interface

> help
=-=>>>> Connected to Robot[5]["Nickname"]: J0hnny F1ve
Current functions: list, test, command. Use "help <cmd>" for more information.

> list
Function list is: help, list, test, command

> help command
Issue a command

> command
Error: missing argument. Supported commands are: access_code, self_destruct

> command self_destruct
:( .... I am ALIVE!

> command access_code
must supply unlock code

> command access_code 1337
ACCESS DENIED but a hint: you may need to watch a movie, youtube or otherwise obtain words.
```

Remember the theme? The access code used in the movie:

```
> command access_code 42721
Access gained. Number FIVE

> help
Current commands: list, test, command, execute, self_destruct, show, download, upload. Use "help <cmd>" for more information.
```

```
> help show
List a directory or the default folder

> show
novarobotics.j5v1.1.bin
novarobotics.j5v1.0.bin

> help upload
Upload listing and upload firmware update to the target directory

> upload novarobotics.j5v1.0.bin
Upload error: Malfunction
```

`show` and `upload` are vulnerable to path traversal:

```
> show ../../
/bin
/boot
/dev
/etc
/home
malfunction
malfunCTION
/nova
maLfucti0n
END firmware list: Malfunction detected

> upload ../../nova/
Upload Fatal: Gibson server returned: error! ../../nova/tmp/ is not empty

> upload ../../nova/tmp/
Upload Fatal: Gibson server returned:
.garbage/

> upload ../../nova/tmp/.garbage/
MalfUncTiON
novarobotics.j5_jailbroken.bin
```

We have found some firmware. Upload it into robot:

```
> help download
Download and stage a firmware update

> download ../../nova/tmp/.garbage/novarobotics.j5_jailbroken.bin
Download succeeded. Response is: update_staged.

> show
novarobotics.j5_jailbroken.bin

> help execute
Supply a firmware update related command

> execute update
----------------
Performing Firmware UpdaMalFucTiOn
M4lfuct1on
malfunction
Malfunction detected
Update error code: -2319
return string from robot:
fb{flag}
```