The challenge was infected with [XXE Injection](https://portswigger.net/web-security/xxe) .

Original writeup (https://gist.github.com/u0pattern/6d1d901c3a47fcd99d0ce09c87df18d0).