Hacking Wordpress Academy - Remote Code Execution (RCE) via the Theme Editor

I’ve been trying to figure this one out for 2 days now:

“Use the credentials for the admin user [admin:sunshine1] and upload a webshell to your target. Once you have access to the target, obtain the contents of the “flag.txt” file in the home directory for the “wp-user” directory.”

I’m stuck on the syntax using curl to grab the contents of the “/home/htb-###/flag.txt” file. Some help would be grateful!!!