#!/usr/bin/env python3
"""
═══════════════════════════════════════════════════════════════════════════════
                        🎯 PASTEBOARD XSS - FINAL SOLUTION
═══════════════════════════════════════════════════════════════════════════════

BREAKTHROUGH: Your friend identified the key - Chrome DevTools Protocol (CDP)!

═══════════════════════════════════════════════════════════════════════════════
📚 WHAT WE LEARNED
═══════════════════════════════════════════════════════════════════════════════

1. ✅ XSS via DOM Clobbering
   - Exploits app.js error handler
   - Injects arbitrary JavaScript via data: URI
   - CONFIRMED WORKING

2. ✅ Data Exfiltration Works
   - Can execute JS in bot context
   - Webhook receives requests
   - Can access basic browser APIs

3. ❌ Standard APIs Have Empty Data
   - document.cookie → empty
   - localStorage → empty  
   - window globals → no flag
   
4. ❓ WHERE IS THE FLAG?
   → THIS IS WHERE CDP COMES IN!

═══════════════════════════════════════════════════════════════════════════════
🔑 THE REAL EXPLOIT: Chrome DevTools Protocol (CDP)
═══════════════════════════════════════════════════════════════════════════════

The --no-sandbox flag isn't just about disabling sandboxing.
It enables access to Chrome's internal debugging capabilities!

ASIS CTF 2022 used the EXACT same technique:
https://www.kalmarunionen.dk/writeups/2022/asis/xtr/

What CDP Allows:
├── Access chrome:// internal URLs
├── Import Chrome DevTools modules (/devtools/main/main.js)
├── Execute CDP commands (Runtime.evaluate)
├── Read process.env (environment variables!)
├── Read arbitrary files via Node.js require('fs')
└── Bypass Same-Origin Policy for internal resources

═══════════════════════════════════════════════════════════════════════════════
💡 WHY FLAG IS NOT IN REGULAR APIs
═══════════════════════════════════════════════════════════════════════════════

The FLAG in bot.py is INTENTIONALLY unused in the source code!

It's a HINT that says: "The flag exists in the bot's Python process,
but you need CDP to access it from JavaScript"

On the remote server:
1. Dockerfile sets: ENV FLAG=uoftctf{real_flag}
2. Bot.py reads: FLAG = os.environ.get('FLAG')
3. JavaScript accesses via CDP: process.env.FLAG

═══════════════════════════════════════════════════════════════════════════════
🚀 EXPLOITATION CHAIN
═══════════════════════════════════════════════════════════════════════════════

Step 1: XSS Injection (DONE ✅)
├── Create paste with DOM clobbering payload
├── Trigger error to load malicious script
└── Execute arbitrary JavaScript in bot context

Step 2: CDP Access (TO TEST)
├── Check if --remote-debugging-port is open
├── OR navigate to chrome://inspect/#pages
├── OR import /devtools/main/main.js
└── Get access to CDP SendOverProtocol() function

Step 3: Read FLAG (FINAL PAYLOAD)
├── Use CDP Runtime.evaluate command
├── Execute: process.env.FLAG
├── OR execute: require('fs').readFileSync('/app/flag.txt')
└── Exfiltrate via fetch() to webhook

═══════════════════════════════════════════════════════════════════════════════
🧪 TESTING SEQUENCE
═══════════════════════════════════════════════════════════════════════════════

TEST 1: Check for Remote Debugging Port
File: CDP_EXPLOIT_2_debugging_port.py
Tests: http://localhost:9222/json
If open: You can send CDP commands directly via HTTP!

TEST 2: Check chrome:// URL Access  
File: CDP_EXPLOIT_3_chrome_urls.py
Tests: chrome://inspect/#pages, chrome://version, etc.
If accessible: Navigate to chrome://inspect to get DevTools

TEST 3: Try DevTools Import
File: CDP_EXPLOIT_4_devtools_import.py
Tests: import('/devtools/main/main.js')
If works: You have CDP SendOverProtocol() access!

TEST 4: Read Process Environment
File: CDP_EXPLOIT_6_process_env.py
Executes: process.env.FLAG via CDP
This should reveal the flag!

TEST 5: Read File System
File: CDP_EXPLOIT_5_read_file.py
Executes: require('fs').readFileSync('/app/flag.txt')
Alternative if FLAG is in a file

═══════════════════════════════════════════════════════════════════════════════
📋 READY-TO-USE PAYLOADS
═══════════════════════════════════════════════════════════════════════════════

1. Run: python CDP_MASTER_GUIDE.py
   This generates a master payload that tests all CDP vectors at once

2. Update webhook URL in the script

3. Copy the generated payload into a new paste

4. Report the paste to the bot

5. Check webhook for:
   - Open debugging ports
   - CDP access confirmation
   - process.env contents
   - THE FLAG!

═══════════════════════════════════════════════════════════════════════════════
🎓 KEY INSIGHTS
═══════════════════════════════════════════════════════════════════════════════

1. --no-sandbox is NOT just about file:// access
   → It's about enabling CDP for internal Chrome APIs

2. FLAG in bot.py is intentionally unused
   → It's a hint that flag is in process environment

3. "Solvable locally" means:
   → Same exploit works locally and remotely
   → But local FLAG = "uoftctf{fake_flag}"
   → Remote FLAG = actual challenge flag

4. ASIS CTF 2022 used identical technique
   → Import DevTools main.js
   → Use SendOverProtocol for CDP commands
   → Read files/env via Runtime.evaluate

5. This is why organizers said "working as intended"
   → The challenge IS about CDP exploitation
   → Not about basic cookie/localStorage theft

═══════════════════════════════════════════════════════════════════════════════
🔗 REFERENCES
═══════════════════════════════════════════════════════════════════════════════

ASIS CTF 2022 XTR Challenge Writeup:
https://www.kalmarunionen.dk/writeups/2022/asis/xtr/

Chrome DevTools Protocol Documentation:
https://chromedevtools.github.io/devtools-protocol/

Remote Debugging in Chrome:
https://developer.chrome.com/docs/devtools/remote-debugging

--no-sandbox Security Implications:
https://github.com/sickcodes/no-sandbox

═══════════════════════════════════════════════════════════════════════════════
✅ NEXT STEPS
═══════════════════════════════════════════════════════════════════════════════

1. [ ] Run CDP_MASTER_GUIDE.py to generate test payload
2. [ ] Update webhook URL in generated payload
3. [ ] Create paste with payload
4. [ ] Report to bot
5. [ ] Check webhook for CDP access confirmation
6. [ ] If CDP works, use CDP_EXPLOIT_6_process_env.py for final flag
7. [ ] Submit flag: uoftctf{...}

═══════════════════════════════════════════════════════════════════════════════

Good luck! The flag is waiting in process.env.FLAG 🚩
"""

print(__doc__)