This VM is straight-up vulnerable.
No hints this time and good luck!
The flag is in /flag/flag.txt
Download the VM
Here
Use ARP-SCAN to locate the IP Address of the VM to access the website.