DevCorp
In this challenge we are given a log file of all the requests made to a WordPress site. Here is the access.log file.
I found this website that allowed me to look at the log file easily.
Looking at the end of the log file, we can see that some kind of LFI is used to read the /etc/passwd file:
We are looking for the CVE that the attacker is using and which sensitive file he exfiltrated. Looking at the duplicator_download parameter, we can find the backup file that we exported:
Now that we have the file, we need to find the CVE. Searching for "CVE duplicator_download Wordpress" showed me the WPScan page about this CVE:
So the flag is obviously: Hero{CVE-2020-11738:/home/webuser/.ssh/id_rsa_backup}
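
The manual log review above can also be scripted. The following is an added example, not part of the original write-up: it assumes the publicly documented request shape for CVE-2020-11738 (admin-ajax.php with action=duplicator_download and a file parameter), and the sample log lines, IP addresses and file names are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not taken from the challenge log).
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2023:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2023:10:04:10 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=backup_20230512.zip HTTP/1.1" 200 88123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2023:10:05:33 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843 "-" "curl/8.0"
203.0.113.7 - - [12/May/2023:10:06:01 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=%2e%2e/%2e%2e/%2e%2e/home/user/.ssh/example_key HTTP/1.1" 404 0 "-" "curl/8.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def find_duplicator_traversal(log_text):
    """Return one dict per request that passes a traversal path to duplicator_download."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes values, so %2e%2e%2f becomes ../
        query = parse_qs(urlsplit(m["target"]).query)
        if "duplicator_download" not in query.get("action", []):
            continue
        for path in query.get("file", []):
            # Normalise backslashes, then flag parent-directory or absolute paths.
            parts = path.replace("\\", "/").split("/")
            if ".." in parts or path.startswith("/"):
                hits.append({
                    "ip": m["ip"], "time": m["ts"], "file": path,
                    "status": int(m["status"]),
                    # A 200 with a non-empty body suggests the file was returned.
                    "served": m["status"] == "200" and m["size"] not in ("-", "0"),
                })
    return hits


if __name__ == "__main__":
    for hit in find_duplicator_traversal(SAMPLE_LOG):
        print(hit)
```

The "served" field separates probes from requests that likely returned file contents, which is what identifies the exfiltrated file in a log like this one.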