Initial payloads such as ../../../etc/passwd were blocked. So we used curl and double URL-encoded the payloads; the web application decoded the URL-encoded string, left the remaining traversal sequences, and the backend processed it.
We were able to read the passwd file and solve the lab
