XXE

Send authentication params as in GET query or as a raw input. Admin usually keep his flags in /etc/flags. You can also get an additional flag by authentication on the website.

Invalid password for login