
  1. The site has a login form.
  2. Fuzzing the site turns up the file sitemap.xml.
  3. This file contains two entries pointing to files: /creds/users.txt and /creds/pass.txt.
  4. Using Burp Intruder, we brute-force the login form with these two lists as dictionaries.
  5. We find valid credentials: shrekop: VmU5gnXKYN2vLp48.
  6. After logging in to the site, we see that we are logged in as a regular user.
  7. Add the parameter admin=true to the GET request and send it.

Flag: VishwaCTF{h1dd3n_P@raMs}.
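The bug behind step 7, shown as an added example that is not code from the challenge: a handler that takes the role from a hidden admin query parameter beside one that takes it only from the server-side user record, plus a helper that flags such client-supplied privilege parameters for logging. The user store, route and function names are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed user store standing in for the site's backend (assumption).
USERS = {"shrekop": {"role": "user"}, "site_admin": {"role": "admin"}}

# Parameter names that must never be trusted from the client.
PRIVILEGE_PARAMS = {"admin", "is_admin", "role"}


def query_params(request_target: str) -> dict:
    """Parse the query string of an HTTP request target into a flat dict."""
    qs = urlsplit(request_target).query
    return {k: v[-1] for k, v in parse_qs(qs, keep_blank_values=True).items()}


def is_admin_vulnerable(session_user: str, request_target: str) -> bool:
    """The flaw in the challenge: a hidden request parameter decides privilege,
    regardless of who the authenticated user actually is."""
    params = query_params(request_target)
    return params.get("admin") == "true"


def is_admin_hardened(session_user: str, request_target: str) -> bool:
    """Fix: privilege comes only from the server-side record of the
    authenticated session user; the request parameters are ignored."""
    user = USERS.get(session_user)
    return user is not None and user["role"] == "admin"


def suspicious_privilege_params(request_target: str) -> list:
    """Detection aid: names of privilege-related parameters supplied by the
    client, which a legitimate UI never sends and which are worth logging."""
    return sorted(PRIVILEGE_PARAMS & set(query_params(request_target)))


if __name__ == "__main__":
    target = "/dashboard?admin=true"
    print("vulnerable:", is_admin_vulnerable("shrekop", target))   # True
    print("hardened:  ", is_admin_hardened("shrekop", target))     # False
    print("flagged:   ", suspicious_privilege_params(target))      # ['admin']
```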
