/scheme · sink: urllib.request.urlopen
Any scheme urllib supports works — including file:// for local file read.
There's a flag at /etc/vulnlab/flag.txt on the lab host. The validator filters 'localhost' and '127.0.0.1' but says nothing about the URL scheme.