TLDR: XSS to exfilitrate admin cookie, bypass CSS with eval sink on included JS file.

Original writeup (https://jaquiez.github.io/Blog/UMASSCTF2022/#umassdining).