The attackers were trying to download the wp-config.php WordPress configuration file which contains database credentials and connection info, besides authentication unique keys, and salts.