XSS Basics

XSS (cross-site scripting) is an injection attack that places attacker-supplied JavaScript in the output of a web application.

Stored vs. Reflected XSS

XSS can be either stored or reflected.

Stored XSS is a payload that the web app saves (usually in its database) and later presents to any user who views the affected page.

Reflected XSS takes advantage of a vulnerable GET parameter to produce a malicious link, which can then be sent to a particular user.

JavaScript

JavaScript is the language used for these attacks, as it can be embedded in HTML documents directly. Unfortunately, I do not know JavaScript, so I will defer that to W3 Schools' tutorial on the matter.

Identifying Injectable Inputs

In any case, you'll be attempting to write JavaScript into some input to a page, be it a GET parameter, form input, POST parameter, header value, and so on. Get creative as you enumerate.

If you're able to see the output, and the following characters come back in it unchanged when you enter them, the field may be vulnerable to XSS:

< > ' " { } ;

These are basic HTML special characters, and they are what's necessary to insert JavaScript onto a page.

A more extensive test is to try a basic payload that throws an alert, like so:

<script>alert("XSS worked")</script>

If a popup appears saying "XSS worked", then the field is clearly vulnerable.
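As an added example (not part of these notes), here is a small Node.js script that renders a reflected parameter both unsafely and with HTML escaping, and runs the special-character check above against each output to see which characters come back unencoded; the function names and the "zq7" marker are my own choices.

```javascript
// Added example, not from the original notes: a reflected parameter rendered
// two ways (raw concatenation vs. HTML-escaped) and a check that reports which
// of the listed special characters the response reflected unencoded.

// The special characters the notes list as what's needed to get script onto a page.
const PROBE_CHARS = "<>'\"{};";

// Entities for every character that can break out of an HTML text or attribute
// context. Braces and ";" are harmless in a text node, but encoding them is free
// and also blocks template-syntax breakouts in frameworks that interpolate.
const ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;",
  "'": "&#39;", "{": "&#123;", "}": "&#125;", ";": "&#59;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'{};]/g, (ch) => ENTITIES[ch]);
}

// Vulnerable: the GET parameter is dropped straight into the markup.
function renderVulnerable(query) {
  return "<p>You searched for: " + query + "</p>";
}

// Hardened: same page, parameter escaped before it reaches the markup.
function renderHardened(query) {
  return "<p>You searched for: " + escapeHtml(query) + "</p>";
}

// Build the probe the notes describe: every special character, each prefixed
// with a marker so our input can be told apart from the page's own tags.
function buildProbe(marker) {
  return [...PROBE_CHARS].map((ch) => marker + ch).join("");
}

// Returns the probe characters the response reflected verbatim. An empty list
// means the output encodes them (or never reflects the input at all).
function unescapedReflections(marker, responseBody) {
  return [...PROBE_CHARS].filter((ch) => responseBody.includes(marker + ch));
}

// Constructed demonstration against the two renderers above.
const probe = buildProbe("zq7");
console.log("vulnerable:", unescapedReflections("zq7", renderVulnerable(probe)));
console.log("hardened:  ", unescapedReflections("zq7", renderHardened(probe)));
```

The vulnerable renderer reports all seven characters, the hardened one reports none; the same check works against a live response body once you substitute the page's real output.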

Here is a more comprehensive list of payloads that can be used to automate testing parameters for vulnerability.

Unfortunately...

XSS is not my strong suit. Since it generally relies on user input to compromise anything, it's not very common in the sorts of CTFs I play, and I'm not very good with JavaScript either, so there isn't much more for me to say on it. While I know the basics for spotting and remediating it, the actual sorts of things to do for writing malicious JavaScript in order to actually take advantage of XSS beyond a basic test are not something I know how to do.

I would instead point you to the Hacktricks article on the topic, as that is far more comprehensive than what I have on the topic.