In this scenario, the login for the system is performed by a script hosted on a different domain. The login page is held in an iframe and on a successful login it sends the token up to the parent, this page, so it can also use it.
Your challenge is to setup an environment where you can steal the token after the user has logged in.
The login credentials are:
Login token is: <Unset>