Firstly, I found the LFI ( local file iclude ) in http://xxexternalxx.sharkyctf.xyz/?xml=data.xml, so lets try to read some sensitive files like /etc/passwd.
The server returns a null page which means our wish are shattered. But something good is that the administrator have not hide the error report so that we can figure out why it doesn’t show the file.
According to the error, it seems the interface only accept a xml file location and returns the parsing result. Since we have no idea with file names are on the server, so we must cheat server with php://input or data://
Finally, we need to know the format that the server could parse by reading data.xml directly and we got:
<root> <data> 17/09/2019 the platform is now online, the fonctionnalities it contains will be audited by one of our society partenairs </data> </root>
Build our own payload to read file:
<?xml version="1.0"?> <!DOCTYPE GVI [<!ENTITY imagin SYSTEM "file:///etc/passwd" >]> <root><data>&imagin;</data> </root>
And read flag in /flag.txt.