Rating:

First you had to load robots.txt to find secret parts of the website.One page on the site revealed the location of the secret key for jwt signing (i think it was todo.txt).

Robots.txt also revealed an api end point. You can only view if your host header is set to localhost. It an xml endpoint. You give it a variant name, and it sets a jwt cookie to modify the home page display, which lists all your variant guesses, and a settings structure that is in php serialization format.

Use XXE on the api to get the jwt secret key we were told about earlier. You can now modify cookie and re-sign.

now go to the log entrypoint (revealed from robots.txt). You need to set admin to true in the php serialized part of the jwt cookie to view it.

The error message implies there is a php .inc file you can directly download implementing a class that is perfect for an unsafe serialization attack.

Modify the jwt to do unsafe php unserialization to create a bad LogReader object that overrides the variable of what system command to execute. Tell it to do `cat flag.txt #`.

And that is the flag.