This was a simple JSON-to-XML / XML-to-JSON converter. The challenge was categorized as “warmup”, so to my not-that-big surprise the most basic XXE vulnerability worked as expected:
I used the following code (written into Chrome’s console) to leak the flag:
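The defensive side of the XXE issue described above, as an added example that is not the code from the original post and not the challenge's own converter: an XML-to-JSON conversion that refuses any document carrying a DOCTYPE or entity declaration before it reaches the tree parser. The function names, the exception class and both sample documents are assumptions constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Raised when converter input carries a DTD or entity declaration."""


def _reject(kind):
    # Build an expat handler that aborts parsing as soon as it fires.
    def handler(*_args):
        raise ForbiddenXML(f"{kind} not allowed in converter input")
    return handler


def check_no_dtd(xml_text):
    # A JSON/XML converter has no need for DTDs, so refuse them outright
    # instead of relying on how a given parser treats external entities.
    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = _reject("DOCTYPE declaration")
    p.EntityDeclHandler = _reject("entity declaration")
    p.ExternalEntityRefHandler = _reject("external entity reference")
    p.Parse(xml_text, True)


def element_to_obj(el):
    # Simplified mapping: attributes are ignored and repeated sibling
    # tags collapse to the last one.
    children = list(el)
    if not children:
        return el.text or ""
    return {c.tag: element_to_obj(c) for c in children}


def xml_to_json(xml_text):
    check_no_dtd(xml_text)
    root = ET.fromstring(xml_text)
    return json.dumps({root.tag: element_to_obj(root)})


# Constructed sample inputs (the SYSTEM identifier is a placeholder).
BENIGN = "<note><to>alice</to><body>hi</body></note>"
WITH_ENTITY = (
    '<!DOCTYPE note [<!ENTITY x SYSTEM "file:///constructed/placeholder">]>'
    "<note><to>&x;</to></note>"
)
```
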