This is one of the web challenges from the CSAW17 event.
I wrote a little proxy program in NodeJS for my poems folder. Everyone wants to read flag.txt but I like it too much to share. http://web.chal.csaw.io:7311/?path=orange.txt
It looks like we have to find an LFI (Local File Inclusion). We were able to get the index of the poems folder at the URL http://web.chal.csaw.io:7311/?path=
So flag.txt must be in the parent folder, but each time we tried to put .. in the path parameter we got:
WHOA THATS BANNED!!!!
So the idea was to use encoding. We used this tool, http://2tap.com/javascript-percent-encoder/, to encode .. and tried:
http://web.chal.csaw.io:7311/?path=%2e%2e/flag.txt
We got the same error, but % by itself does not seem to trigger it, so we tried double encoding, %25%32%65%25%32%65:
http://web.chal.csaw.io:7311/?path=%25%32%65%25%32%65/flag.txt
And we got the flag: flag{thank_you_based_orange_for_this_ctf_challenge}
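Why the single-encoded request was blocked and the double-encoded one was not, as an added example that is not the challenge's source code: it models a front end that checks the once-decoded parameter and a backend that decodes again, next to a check that canonicalises first. The names ROOT, resolvePath, backendResolve, naiveFilter and strictFilter, and the /poems location, are assumptions.

```javascript
// Hypothetical model of a filter-then-proxy flow; not the challenge's code.
const ROOT = '/poems'; // assumed folder the backend serves

// Collapse "." and ".." segments the way a file server resolves a path.
function resolvePath(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '..') out.pop();
    else if (seg !== '' && seg !== '.') out.push(seg);
  }
  return '/' + out.join('/');
}

// Backend stand-in: percent-decodes what it is sent, then resolves it.
function backendResolve(forwarded) {
  return resolvePath(ROOT + '/' + decodeURIComponent(forwarded));
}

// Weak check: looks for ".." after the query parser's single decode only.
function naiveFilter(rawValue) {
  const once = decodeURIComponent(rawValue);
  if (once.includes('..')) return { allowed: false, resolved: null };
  return { allowed: true, resolved: backendResolve(once) };
}

// Hardened check: decode until stable, resolve, and require the canonical
// path to stay under ROOT. Only that canonical path should be forwarded.
function strictFilter(rawValue) {
  let value = rawValue;
  let stable = false;
  try {
    for (let i = 0; i < 5 && !stable; i++) {
      const next = decodeURIComponent(value);
      stable = next === value;
      value = next;
    }
  } catch {
    return { allowed: false, resolved: null }; // malformed escape
  }
  const resolved = resolvePath(ROOT + '/' + value);
  const inside = resolved === ROOT || resolved.startsWith(ROOT + '/');
  const ok = stable && inside && !value.includes('\0');
  return { allowed: ok, resolved: ok ? resolved : null };
}
```

Decoding to a fixed point also rewrites legitimate names that contain a literal %, so a proxy that must support them should decode once and forward the re-encoded canonical path.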