picoCTF Solutions
PathPart of the Web Exploitation path · Step 4 of 5: SQL Injection
picoCTF 2022Web ExploitationMedium

SQL Direct

Published: July 20, 2023

Description

The challenge exposes a PostgreSQL instance with a single table called `flags`. Connect with psql, list the relations, and dump the flag.

Setup

Connect using the supplied command: `psql -h saturn.picoctf.net -p 51070 -U postgres pico` (password `postgres`).

List the tables with `\dt` and note the `flags` table.

Select everything from the table or copy it out for offline viewing.

psql -h saturn.picoctf.net -p 51070 -U postgres pico
\dt
SELECT * FROM flags;
\copy flags TO flag.csv CSV
grep -oE "picoCTF\{.*\}" flag.csv

Solution

The SQL Injection for CTF guide covers UNION-based extraction (used here) alongside auth bypass, blind SQLi, and sqlmap.
  1. Step 1Enumerate relations
    `\dt` lists the available tables (only `flags`). The column of interest contains the picoCTF value.
    Learn more

    psql is the official command-line client for PostgreSQL, one of the most widely used open-source relational databases. It supports both standard SQL and meta-commands (prefixed with \) that are specific to psql. \dt lists all tables (relations) in the current database; \d tablename shows a table's schema; \l lists all databases.

    In this challenge, the database is intentionally exposed with default credentials (postgres/postgres) - a critical misconfiguration seen in real-world environments. Default credentials on database servers are a top finding in penetration tests. Tools like Metasploit's postgres_login scanner and hydra automate credential testing against exposed database ports.

    PostgreSQL runs on port 5432 by default. During network recon, port scans with nmap flag open database ports, which are then probed for default or weak credentials. Once inside, information_schema.tables (standard SQL) or \dt (psql-specific) quickly reveals the database structure.

  2. Step 2Dump the flag
    Either run `TABLE flags;` directly in psql or copy the table to a CSV and parse it locally with grep/cut.
    Learn more

    SELECT * FROM flags; is the most basic SQL query - it retrieves every row and column from the table. TABLE flags; is a PostgreSQL shorthand for the same thing. For larger tables, add LIMIT 10 to preview the first 10 rows, or WHERE column LIKE '%picoCTF%' to filter.

    The \copy meta-command exports query results to a local file (running client-side). This is distinct from COPY (no backslash), which runs server-side and requires superuser privileges to write to the server filesystem. Both support CSV, binary, and tab-delimited formats.

    In real incident response or data exfiltration scenarios, attackers with database access commonly use SELECT to extract entire tables, pg_dump to export the full database, or COPY TO to write files to the server. Defense-in-depth means: don't expose database ports to the internet, use strong unique credentials, enable SSL, restrict user privileges with least privilege, and audit all connections via database logs.

Flag

picoCTF{L3arN_S0m3_5qL_t0d4Y_31fd...}

PostgreSQL’s meta-commands (`\dt`, `\copy`, etc.) make exploratory tasks like this very quick.

Want more picoCTF 2022 writeups?

Browse picoCTF 2022Full library

Useful tools for Web Exploitation

Related reading

Do these first

What to try next