1. Serve payload to admin that makes second request to your server
2. Proxy second request through to `admin.zone443.dev`, works because admin page certificate has SAN wildcard `*.zone443.dev`
3. Exfil contents from second request, works because browser thinks it's same-origin

Original writeup (https://github.com/luker983/google-ctf-2021/tree/main/web/empty-ls).