htaccess

The site tells us that there are .htaccess files that configure the permissions for /one/flag.txt and /two/flag.txt.

First Part of the Flag:

The .htaccess file for /one/flag.txt looks like this:

RewriteEngine On
RewriteCond %{HTTP_HOST} !^localhost$
RewriteRule ".*" "-" [F]

That tells us if the Host header does not match the string 'localhost' the request is rewritten to be forbidden. Luckily we can simply set the Host header in our request to a value of our choice. Why not use 'localhost' then:

Second Part of the Flag:

Let's examine the second .htaccess file:

RewriteEngine On
RewriteCond %{THE_REQUEST} flag
RewriteRule ".*" "-" [F]

This has a similar structure but contains a server variable: 'THE_REQUEST. Official apache documentation states:

THE_REQUEST
    The full HTTP request line sent by the browser to the server (e.g., "GET /index.html HTTP/1.1"). This does not include any additional headers sent by the browser. This value has not been unescaped (decoded), unlike most other variables below.

This means we are not allowed to request anything that has the string 'flag' in it. Thus we simply replace the 'flag' part of the url by an URL encoded string

Full Flag

uctf{Sule_Dukol_waterfall}