The challenge starts with a URL:
http://web.chal.csaw.io:7311/?path=orange.txt

Based on the URL, you can tell that the server is using the variable path to get files.

You can abuse this to look around the filesystem, but there is a filtering system in place to stop you.

Use (double) URL encoding to get around that.

More detailed, original writeup:
https://github.com/ibnzterrell/ctf-write-ups/blob/master/CSAW_Quals_2017/Orangev1.md