# Brainpan

<details>

<summary>Resources</summary>

Ghidra\_auto script: <https://github.com/Crypto-Cat/CTF/blob/main/auto_ghidra.py>

</details>

We run a `gobuster` scan on port 10000:

<figure><img src="/files/Qp9QAGRZb7E4DDLim3Ro" alt=""><figcaption></figcaption></figure>

We find the executable:

![](/files/zN9VAs7RUvJBF4zFUhCT)

We download the binary, and run `ghidra_auto`:

<figure><img src="/files/5kB4LUL624sLBl8xmXMe" alt=""><figcaption></figcaption></figure>

In `Ghidra`, we find the pseudocode for the main function:

<figure><img src="/files/YIUITGSD0ne8P4zWysCu" alt=""><figcaption></figcaption></figure>

Notice `local_408 == ACCES GRANTED`. We will search for this variable in the function, and we find it used here:

![](/files/eaXK1oApu6CULRBRmaGn)

We find this code snippet. Access is granted when `iVar == 0`, and `iVar` gets assigned from the `_get_reply()` function.

<figure><img src="/files/jTwOwFLdXZtXB0xEEvzs" alt=""><figcaption></figcaption></figure>

So we find out that the password is `shitstorm`, and the buffer size is 520.

Then, we check the architecture:

![](/files/3OSJbdJTjKACsuRVIb2r)

The `x86` signifies that the architecture is 32-bits.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://eduw.gitbook.io/writeups/brainpan.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.