Solution: Exposed .DS_Store in production

Tools Used:
Open the target site, and try to access the /.DS_Store/ file. Your browser will likely trigger a download of the file for you automatically.

Just like that, you have the file, now you just need to read it. The easiest way to solve this is to just use a tool to do the hard work for us - enter this Python .DS_Store parser.

Download Python .DS_Store parser, extract it and 'cd' to its directory. Run the below (replacing the directory location with the location of the .DS_Store file you just downloaded.)
python3 /Users/username/Downloads/DS_Store

The output will list all the files in the directory. Access the secret file in your browser to obtain the flag.