picoCTF Solutions
picoCTF 2022Web ExploitationMedium

SQL Direct

Published: July 20, 2023Updated: December 9, 2025

Description

The challenge exposes a PostgreSQL instance with a single table called `flags`. Connect with psql, list the relations, and dump the flag.

Setup

Connect using the supplied command: `psql -h saturn.picoctf.net -p 51070 -U postgres pico` (password `postgres`).

List the tables with `\dt` and note the `flags` table.

Select everything from the table or copy it out for offline viewing.

psql -h saturn.picoctf.net -p 51070 -U postgres pico
\dt
SELECT * FROM flags;
\copy flags TO flag.csv CSV
grep -oE "picoCTF\{.*\}" flag.csv

Solution

  1. Step 1Enumerate relations
    `\dt` lists the available tables (only `flags`). The column of interest contains the picoCTF value.
  2. Step 2Dump the flag
    Either run `TABLE flags;` directly in psql or copy the table to a CSV and parse it locally with grep/cut.

Flag

picoCTF{L3arN_S0m3_5qL_t0d4Y_31fd...}

PostgreSQL’s meta-commands (`\dt`, `\copy`, etc.) make exploratory tasks like this very quick.