When I went to the challenge page the script complained about missing parameters (user and password missing xml parameter). So we tryed adding ?xml=YmxhaA==YmxhaA== (user and password must be base64 encoded) and an authetication error came out. After some testing a Xpath injection has been revealed in password parameter(may be also in user, didn’t test it). No chance to get the password with concatenating the queries so we must go blind. This is the script I used to extract flag:
The //User/ReportURL field was taken in /users.xml~ file (when you logged in successfully an HTML comment inform you about its existance).