## Steps

1. Send the given input and intercept the request with Burp Suite.

   ![](https://hackmd.io/_uploads/H1dzxTQhn.png)

   The intercepted request contains a `filename` field.

2. The description mentions that we are located at `/usr/share/nginx/html/` and that the flag is stored in `/flag.txt`, so we can use `../` to move up to the parent directory.

3. `/usr/share/nginx/html/` is 4 levels below the root directory (`/`), so we need to go up 4 levels: change the `filename` field to `../../../../flag.txt` (you can use more `../` if you want, since the parent of `/` is `/` itself).

   ![](https://hackmd.io/_uploads/SyRXWTXh2.png)

   And we'll get the flag.

## Ref

https://portswigger.net/web-security/file-path-traversal (That cover image gives a pretty clear idea, I think)
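The server-side flaw behind the steps above, next to a hardened version, as an added example that is not part of the original write-up or the challenge's code. The function names and the temporary directory layout (standing in for `/usr/share/nginx/html/` and `/flag.txt`) are assumptions made for illustration.

```python
import os
import tempfile


def resolve_unsafe(base_dir, filename):
    # Vulnerable pattern: user input is joined to the web root and normalised,
    # so every "../" climbs one directory and the result can leave base_dir.
    return os.path.normpath(os.path.join(base_dir, filename))


def resolve_safe(base_dir, filename):
    """Return the canonical path only if it stays inside base_dir, else None."""
    base = os.path.realpath(base_dir)
    # realpath collapses "../" and follows symlinks before the check is made.
    candidate = os.path.realpath(os.path.join(base, filename))
    # commonpath compares whole path components, so a sibling such as
    # ".../html-backup" is not mistaken for ".../html" (a startswith check would be).
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo():
    # Constructed layout: <root>/usr/share/nginx/html is the web root,
    # <root>/flag.txt plays the role of /flag.txt.
    root = os.path.realpath(tempfile.mkdtemp())
    web = os.path.join(root, "usr", "share", "nginx", "html")
    os.makedirs(web)
    for path in (os.path.join(web, "index.html"), os.path.join(root, "flag.txt")):
        open(path, "w").close()

    requests = [
        "index.html",            # legitimate request
        "../../../../flag.txt",  # the value used in step 3
        "/flag.txt",             # absolute path: os.path.join discards base_dir
        "../html-backup/x",      # sibling directory sharing a name prefix
    ]
    results = {n: (resolve_unsafe(web, n), resolve_safe(web, n)) for n in requests}
    return root, web, results


if __name__ == "__main__":
    _, _, results = demo()
    for name, (unsafe, safe) in results.items():
        print(f"{name!r:28} unsafe={unsafe}  safe={safe}")
```
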