I’m trying to get the flag for the XPath Blind Exploitation topic in the Injection Attacks module and I simply can’t figure it out. I was able to figure out the XML schema and the number of nodes, as well as the names of the fields and their lengths. Then I wrote a Python script to automate the process of getting those fields and was able to find all of the values in those fields. However, none of them have the usual flag format, and when I try HTB{value}, where value is one of the fields I found during the data exfiltration step, the flag doesn’t work. The value even has the same number of characters a usual flag has (32 characters)!! I’m stuck. Any help would be very appreciated.
Any luck?