Tags: blind web injection xpath 

This required blind XPath injection, using a `starts-with` construct to test for the flag character by character.

1. We generate a list of printable characters to test for.
2. We start a loop in which we test whether the flag starts with `CHTB{` followed by `some_char`.
3. If it does, we append `some_char` to our known flag and continue to the next character.
4. If we run through the whole list of printable characters without finding a match, we assume we've found the end of the string.
5. We move on to the second part of the flag, but this time we have no knowledge of how it starts.
6. We repeat the loop, terminating under the same condition as in step 4.
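To show why the oracle described above works and how to close it, here is an added example (not code from the writeup or the challenge): a string-built XPath lookup beside the same lookup using a bound XPath variable. The XML document, the user names and the flag value `CHTB{constructed_example}` are all constructed for this example.

```python
"""Blind XPath injection: string-built query vs. XPath variable binding.

Added example, not from the original writeup. The document, user names and
the flag value CHTB{constructed_example} are constructed for illustration.
"""
from lxml import etree

# Constructed sample document standing in for the challenge's backend data.
SAMPLE_XML = b"""
<users>
  <user><name>alice</name><flag>CHTB{constructed_example}</flag></user>
  <user><name>bob</name><flag>none</flag></user>
</users>
"""
DOC = etree.fromstring(SAMPLE_XML)


def lookup_vulnerable(name: str) -> list:
    """Builds the XPath by string formatting, so a quote in `name` changes
    the structure of the query (the bug class the writeup exploits)."""
    query = f"//user[name='{name}']/name/text()"
    return DOC.xpath(query)


def lookup_safe(name: str) -> list:
    """Passes `name` as an XPath variable. lxml binds $n as a string value,
    so quotes or functions in the input can never alter the query."""
    return DOC.xpath("//user[name=$n]/name/text()", n=name)


def oracle_input(prefix: str) -> str:
    """The shape of input the writeup's loop sends: the predicate becomes
    true exactly when the flag starts with the guessed prefix."""
    return f"' or starts-with(//user/flag, '{prefix}') or '"


def leaks(lookup, prefix: str) -> bool:
    """True when a prefix guess changes the result set, i.e. the endpoint
    acts as a blind oracle. A hardened lookup must return False here."""
    return len(lookup(oracle_input(prefix))) > 0


if __name__ == "__main__":
    print("vulnerable, right prefix:", leaks(lookup_vulnerable, "CHTB{c"))  # True
    print("vulnerable, wrong prefix:", leaks(lookup_vulnerable, "CHTB{x"))  # False
    print("hardened,   right prefix:", leaks(lookup_safe, "CHTB{c"))        # False
```

The `leaks` check doubles as a regression test for any XPath-backed lookup: if a prefix guess ever changes the response, the query is still being built from raw input.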

Original writeup: https://kblagoev.com/blog/e-tree-cyberapocalypse-2021-ctf/