window.location.href gives us the full URL of the browsing context,
document.body.innerHTML gives us the page contents, and
/Secret_admin_cookie_panel endpoint and found that this page returned a
Set-Cookie header for a new cookie with the HttpOnly flag set. This was the "admin cookie" we needed.
/flag endpoint, previously inaccessible without the appropriate cookie.