## Exploit

1. Pages are fetched through a `page` query parameter (`http://10.0.2.15/?page=somePage`), which exposes the server to a dot-dot-slash (path traversal) attack.
1. We get the flag by requesting `http://10.0.2.15/?page=../../../../../../../etc/passwd`

## Fix

The problem is letting users directly specify which files are included/read. Such input must be sanitized, for example with a strict list of allowed values, or by rejecting input containing `../`.
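
Both fixes named above, sketched as an added example that is not part of the original write-up or the target's code. Python, the `pages` directory and the names `ALLOWED_PAGES`, `resolve_allowlisted` and `resolve_contained` are assumptions, since the page does not show the server side; the second resolver also checks that the resolved path stays inside the pages directory, which goes slightly beyond a plain `../` filter.

```python
import os
import tempfile

# Hypothetical allowlist: page name -> file name inside the pages directory.
ALLOWED_PAGES = {"home": "home.html", "about": "about.html"}


def resolve_allowlisted(page, pages_dir):
    """Fix 1: strict allowlist. The user value is only ever a dictionary key."""
    filename = ALLOWED_PAGES.get(page)
    if filename is None:
        return None
    return os.path.join(pages_dir, filename)


def resolve_contained(page, pages_dir):
    """Fix 2: reject '../' and verify the resolved path stays in pages_dir."""
    if not page or "\x00" in page or "../" in page or "..\\" in page:
        return None
    base = os.path.realpath(pages_dir)
    target = os.path.realpath(os.path.join(base, page))
    # realpath collapses '..' and symlinks; an absolute input replaces base
    # in os.path.join, so containment must be checked on the final path.
    if os.path.commonpath([base, target]) != base:
        return None
    return target if os.path.isfile(target) else None


def demo():
    """Run both resolvers over constructed sample inputs; True means served."""
    with tempfile.TemporaryDirectory() as root:
        pages_dir = os.path.join(root, "pages")
        os.mkdir(pages_dir)
        for name in ALLOWED_PAGES.values():
            with open(os.path.join(pages_dir, name), "w") as fh:
                fh.write("<h1>%s</h1>" % name)
        samples = ["home", "home.html", "somePage", "/etc/passwd",
                   "../../../../../../../etc/passwd"]
        return {value: (resolve_allowlisted(value, pages_dir) is not None,
                        resolve_contained(value, pages_dir) is not None)
                for value in samples}


if __name__ == "__main__":
    for value, (allow, contained) in demo().items():
        print(f"{value!r}: allowlist={allow} contained={contained}")
```

The allowlist is the stronger control because the request value never becomes part of a path; the containment check is for cases where the set of files cannot be enumerated in advance.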