## Exploit

1. Pages being fetched with a query parameter `page` (`http://10.0.2.15/?page=somePage`) expose the server to dot-dot-slash attack.
1. We get the flag by requesting `http://10.0.2.15/?page=../../../../../../../etc/passwd`

## Fix

[https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include]()

The problem is letting users directly input file names to be included/read. Such input must be sanitized, with for example a strict list of allowed values, or rejecting input containing `../`.