The webpage serves your location to the spooky places via xml documents. Using a general XXE payload, such as
```
]><locationCheck>&xx;;</locationCheck>
```
we can have it dump the contents of the passwd file to us, which I guessed that's where the flag would be.

But we use the tag 'locationCheck' which can be seen in the request body when you press any of the buttons. By default I ask XML to serve up passwd file, but if that didn't work I would've tried other ones like dev/random.

Use Curl to have the server dump the flag for you.