Description
The challenge exposes a PostgreSQL instance with a single table called flags. Connect with psql, list the relations, and dump the flag.
Setup
Connect using the supplied command: psql -h saturn.picoctf.net -p 51070 -U postgres pico (password postgres).
List the tables with \dt and note the flags table.
Select everything from the table, then verify the output matches picoCTF{...} before submitting.
psql -h saturn.picoctf.net -p 51070 -U postgres pico\dtSELECT * FROM flags;\copy flags TO flag.csv CSVgrep -oE 'picoCTF\{[^}]+\}' flag.csvSolution
Want to try it yourself first?
The guided walkthrough reveals hints one step at a time.
psql access with default credentials, so this is one SELECT away from the flag. If the connection rejects you with psql: error: connection to server ... password authentication failed, the credentials in the challenge prompt have been re-issued; reconnect with the new ones rather than guessing. The SQL Injection for CTF guide covers the actual injection cases (auth bypass, UNION, blind SQLi, sqlmap) for the picoCTF challenges that need them.Step 1
Enumerate relationsObservationI noticed the challenge exposed a live PostgreSQL port with default credentials, which meant I had an authenticated session and needed to discover what tables existed before I could query anything useful.\dtlists the available tables (onlyflags). The column of interest contains the picoCTF value.What didn't work first
Tried: Typing
\dtliterally into the terminal shell instead of inside the psql prompt.The backslash meta-commands only work inside psql after the
pico=#prompt appears. If you run\dtfrom your regular bash shell you will get a 'command not found' error or bash will try to interpret the backslash. You need to connect first withpsql -h ... -U postgres picoand then type\dtat the psql prompt.Tried: Running
SHOW TABLES;to list the tables instead of\dt.SHOW TABLES;is MySQL syntax and does not work in PostgreSQL - it returns an error. The psql meta-command\dtor the standard SQL querySELECT table_name FROM information_schema.tables WHERE table_schema = 'public';are the correct approaches for PostgreSQL.Learn more
psql is the official command-line client for PostgreSQL, one of the most widely used open-source relational databases. It supports both standard SQL and meta-commands (prefixed with
\) that are specific to psql.\dtlists all tables (relations) in the current database;\d tablenameshows a table's schema;\llists all databases.In this challenge, the database is intentionally exposed with default credentials (
postgres/postgres) - a critical misconfiguration seen in real-world environments. Default credentials on database servers are a top finding in penetration tests. Tools like Metasploit'spostgres_loginscanner and hydra automate credential testing against exposed database ports.PostgreSQL runs on port 5432 by default. During network recon, port scans with nmap flag open database ports, which are then probed for default or weak credentials. Once inside,
information_schema.tables(standard SQL) or\dt(psql-specific) quickly reveals the database structure.Step 2
Dump the flagObservationI noticed that\dtrevealed a table namedflags, which directly pointed to a simple SELECT query or client-side copy command as the final step to retrieve the picoCTF value.Either runTABLE flags;directly in psql or copy the table to a CSV and parse it locally with grep/cut.What didn't work first
Tried: Using
COPY flags TO 'flag.csv' CSV;(no backslash) instead of\copy flags TO flag.csv CSV.The server-side
COPYcommand (no backslash) requires the PostgreSQL server process to have write permission to that file path on the server, and typically requires superuser privileges. It will error with 'must be superuser to COPY to or from a file' or a permission denied. The client-side\copy(with backslash) writes the file on your local machine as the psql client user, which works without elevated privileges.Tried: Forgetting the semicolon and pressing Enter after
SELECT * FROM flags, then seeing the prompt change topico-#and thinking the command failed.PostgreSQL waits for a semicolon to end a statement. If you press Enter without one, the prompt changes from
=#to-#indicating it is waiting for more input. Just type a semicolon on the next line and press Enter to execute the query.Learn more
SELECT * FROM flags;is the most basic SQL query - it retrieves every row and column from the table.TABLE flags;is a PostgreSQL shorthand for the same thing. For larger tables, addLIMIT 10to preview the first 10 rows, orWHERE column LIKE '%picoCTF%'to filter.The
\copymeta-command exports query results to a local file (running client-side). This is distinct fromCOPY(no backslash), which runs server-side and requires superuser privileges to write to the server filesystem. Both support CSV, binary, and tab-delimited formats.In real incident response or data exfiltration scenarios, attackers with database access commonly use
SELECTto extract entire tables,pg_dumpto export the full database, orCOPY TOto write files to the server. Defense-in-depth means: don't expose database ports to the internet, use strong unique credentials, enable SSL, restrict user privileges with least privilege, and audit all connections via database logs.
Interactive tools
- SQL Injection Payload GeneratorGenerate SQL injection payloads for auth bypass, UNION extraction, blind SQLi, NoSQL operator injection, and sqlmap commands. Supports MySQL, PostgreSQL, SQLite, and MSSQL.
Flag
Reveal flag
picoCTF{L3arN_S0m3_5qL_t0d4Y_31fd...}
PostgreSQL’s meta-commands (`\dt`, `\copy`, etc.) make exploratory tasks like this very quick.