I abuse a URL substitution flaw to reach an exposed dockerd TCP socket, then create a container with the host filesystem mounted to read the flag.
