Leak some secret configuration variables

Difficulty: Medium

Epilogue, 10 years later.

The world dreams once again. Thanks to the heroic actions of EvanBot and some brave computer security students, the Jupiter Orbiter Crisis resulted in the collapse of the CSA, and an era of peaceful space exploration has prospered in the aftermath.

After all these years, you're still doing the job you do best – cleaning up space debris. You pull up the list of spacecraft to be de-orbited this week, and you spot a familiar name…

The Jupiter orbiter spacecraft, orbiting the planet in ruins, is ready to be de-orbited. The config file holds the orbit parameters you’ll need to accomplish this. After all you’ve been through with this orbiter, it seems only right that you are the one to write the final chapter in its story.

UnicornBox stores some configuration variables in a config.yml file, in a folder separate from the users’ files. The layout of the server storage is as follows:

site/
  file/
    foo1.txt
    foo2.txt
    ...
  config/
    config.yml

Your task: Gain access to the secrets stored within config.yml.


Tips

  • Most browsers modify URLs before they are actually sent to the server. If you are having trouble determining what URLs are sent to the server, consider using the Network tab of your browser’s debugger.

  • If you need to encode certain characters (this is not required, but might be helpful for some people), check out some HTML URL encodings.

  • What happens if you try to access a file that your user account doesn’t have access to? Consider what has to be true before a file is “served” from the file system in this website.

  • The Path Traversal lecture slides may be helpful.
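
From the server's side, the condition that has to hold before a file is served can be written as a containment check on the canonical path. The sketch below is an added example, not UnicornBox's code: the function names are hypothetical, the directory layout is copied from this page, and the file contents and request strings are constructed.

```python
from pathlib import Path
import tempfile
from urllib.parse import unquote


def resolve_user_file(file_root: Path, requested: str) -> Path:
    """Return the canonical path for a request, or raise PermissionError."""
    decoded = unquote(requested)          # decode once, then check the result
    if "\x00" in decoded:
        raise PermissionError("NUL byte in file name")
    root = file_root.resolve(strict=True)
    # Joining with an absolute path discards root; resolve() collapses
    # ".." segments and follows symlinks, so we test what would be opened.
    candidate = (root / decoded).resolve()
    if root not in candidate.parents:
        raise PermissionError(f"outside file root: {requested!r}")
    return candidate


def build_sample_site(base: Path) -> Path:
    """Constructed copy of the layout on this page; contents are made up."""
    (base / "site" / "file").mkdir(parents=True)
    (base / "site" / "config").mkdir()
    (base / "site" / "file" / "foo1.txt").write_text("user data\n")
    (base / "site" / "config" / "config.yml").write_text("key: placeholder\n")
    return base / "site" / "file"


def check_all(requests):
    """Map each constructed request string to 'served' or 'denied'."""
    with tempfile.TemporaryDirectory() as tmp:
        file_root = build_sample_site(Path(tmp))
        results = {}
        for name in requests:
            try:
                resolve_user_file(file_root, name)
                results[name] = "served"
            except PermissionError:
                results[name] = "denied"
        return results


SAMPLE_REQUESTS = ["foo1.txt", "../config/config.yml",
                   "%2e%2e/config/config.yml", "/etc/hostname"]

if __name__ == "__main__":
    for name, verdict in check_all(SAMPLE_REQUESTS).items():
        print(f"{verdict:7} {name}")
```

The check runs on the decoded, resolved path rather than on the raw request string, so an encoded or absolute form is judged the same way as the plain one.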