"Jamie, a big football fan, created his very first web site. Since it is so handy to have a publicly accessible web site, Jamie also stores a secret file on it, which he often needs to access from remote. Can you find this file?"
Accessing the site at the URL given shows us this page:
A good first step with web challenges is to use nikto to scan for common vulnerabilities. The result of the scan is shown below:
From this scan we can see that the website may be vulnerable to OSVDB-6694 (or CVE-2001-1446), a vulnerability in which web hosts running Mac OS X leave .DS_Store files publicly accessible. These files contain information about the directory they are in, including its contents.
Navigating to <Base URL>/.DS_Store provides us with the .DS_Store for the website's root folder.
We can use a .DS_Store reader such as this site (or with python using this module) to read the file, which gives us the following output:
css
img-publ
js
secret__stuff
The secret__stuff folder is most likely where we can find our flag. Navigating to this folder gives us a blank page, but we can use the same .DS_Store trick to get the directory listing for this folder. Using the same site again gives us the following output:
personal_notes.txt
temp
Open <base_URL>/secret__stuff/personal_notes.txt and we are presented with our flag:
pactf{I-luv_my-M4C!!}
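The same record layout can be checked from the site owner's side before anything is deployed. The following is an added example, not part of the original write-up: it walks a local web root, finds every .DS_Store file and lists the names it would disclose if served. The record scan is a heuristic rather than a full parse of the file, and `constructed_sample` is a hypothetical helper that builds constructed test input.

```python
import os
import re
import struct

# Type codes that follow the 4-byte structure ID in every .DS_Store record.
TYPES = (b"bool", b"long", b"shor", b"blob", b"type", b"ustr", b"comp", b"dutc")
RECORD_TAIL = re.compile(rb"[A-Za-z0-9 ]{4}(?:" + b"|".join(TYPES) + rb")")

def leaked_names(data: bytes) -> list[str]:
    """Recover names from records laid out as: uint32 BE name length
    (UTF-16 units), UTF-16BE name, structure ID, type code."""
    names = set()
    for m in RECORD_TAIL.finditer(data):
        # Walk back from the structure ID until a length field fits the name.
        for n in range(1, 256):
            start = m.start() - 2 * n - 4
            if start < 0:
                break
            if struct.unpack(">I", data[start:start + 4])[0] != n:
                continue
            name = data[start + 4:m.start()].decode("utf-16-be", "replace")
            if name.isprintable() and "\ufffd" not in name:
                names.add(name)
            break
    return sorted(names)

def audit_webroot(root: str) -> dict[str, list[str]]:
    """Map each .DS_Store under root to the names it would disclose."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".DS_Store" in files:
            path = os.path.join(dirpath, ".DS_Store")
            with open(path, "rb") as fh:
                findings[os.path.relpath(path, root)] = leaked_names(fh.read())
    return findings

def constructed_sample(names: list[str]) -> bytes:
    """Constructed input: header magic plus one Iloc record per name."""
    body = b"\x00\x00\x00\x01Bud1" + bytes(28)
    for name in names:
        body += struct.pack(">I", len(name)) + name.encode("utf-16-be")
        body += b"Ilocblob" + struct.pack(">I", 16) + bytes(16)
    return body

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, ".DS_Store"), "wb") as fh:
            fh.write(constructed_sample(["css", "js", "secret__stuff"]))
        print(audit_webroot(root))
```

Any path this reports should be deleted from the web root or excluded from the deployment before the site is published.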