# Tanuki
Level: Easy\
Points: 10\
Type: Daily Challenge
We have option to import decks
The thing that directly picks my eye is ability to import deck in XML format.
To gen an idea about the overall flow, I downloaded the provided sample json file and uploaded it.
```
{
"name": "Sample Deck",
"description": "A sample deck showing the import format for custom flashcards",
"category": "Example",
"cards": [
{
"front": "What is the capital of France?",
"back": "Paris - the city of lights and capital of France since 987 AD."
},
{
"front": "What programming language is this app built with?",
"back": "JavaScript - using Node.js for backend and React for frontend."
},
{
"front": "What is a flashcard?",
"back": "A flashcard is a learning tool that presents information on both sides, typically a question on one side and an answer on the other."
},
{
"front": "What does SRS stand for?",
"back": "Spaced Repetition System - a learning technique that uses increasing intervals of time between reviews of previously learned material."
},
{
"front": "How do you create a custom deck?",
"back": "Download this sample file, edit the name, description, category, and cards array with your own content, then upload it using the Import Deck feature."
}
]
}
```
Next, I tried to understand the XML import flow, for this I used deep seek to convert above json to XML
```
Sample DeckA sample deck showing the import format for custom flashcardsExampleWhat is the capital of France?Paris - the city of lights and capital of France since 987 AD.What programming language is this app built with?JavaScript - using Node.js for backend and React for frontend.What is a flashcard?A flashcard is a learning tool that presents information on both sides, typically a question on one side and an answer on the other.What does SRS stand for?Spaced Repetition System - a learning technique that uses increasing intervals of time between reviews of previously learned material.How do you create a custom deck?Download this sample file, edit the name, description, category, and cards array with your own content, then upload it using the Import Deck feature.
```
and it is successfully imported:\
Note: edit the file extension and content-type during upload
To make it easier to work with, I compacted the XML length, keeping card count to only one
From here I tried to use various XXE payload from
Default payload with `` gave some error which highlight, the backend XML parsers migh disable DTD processing by default because it's a major security risk. When DTD is disabled:
* `` declarations are ignored or cause errors
* External entities are never resolved
* The parser essentially says "I see this, but I'm not allowed to process it"
To bypass this I used `XInclude` payload from
### What is XInclude?
**XInclude (XML Inclusions)** is a W3C specification that allows XML documents to include content from external sources. It's a separate feature from XML's DTD-based external entities.
```
A sample deck showing the import format for custom flashcardsExampleWhat is the capital of France?Paris - the city of lights and capital of France since 987 AD.
```
Then I opened the imported dec
The payload works and loads the content of `/etc/passwd` \[Flag is somewhere else]
after little of search, I found the flag in current directory
