picoCTF Solutions
PathPart of the Web Exploitation path · Step 4 of 5: SQL Injection
picoCTF 2022Web ExploitationMedium

SQL Direct picoCTF 2022 Solution

Published: July 20, 2023

Description

The challenge exposes a PostgreSQL instance with a single table called flags. Connect with psql, list the relations, and dump the flag.

Read the technique guide

Setup

Connect using the supplied command: psql -h saturn.picoctf.net -p 51070 -U postgres pico (password postgres).

List the tables with \dt and note the flags table.

Select everything from the table, then verify the output matches picoCTF{...} before submitting.

bash
psql -h saturn.picoctf.net -p 51070 -U postgres pico
bash
\dt
sql
SELECT * FROM flags;
bash
\copy flags TO flag.csv CSV
bash
grep -oE 'picoCTF\{[^}]+\}' flag.csv

Solution

Walk me through it
No injection here. The server hands you direct psql access with default credentials, so this is one SELECT away from the flag. If the connection rejects you with psql: error: connection to server ... password authentication failed, the credentials in the challenge prompt have been re-issued; reconnect with the new ones rather than guessing. The SQL Injection for CTF guide covers the actual injection cases (auth bypass, UNION, blind SQLi, sqlmap) for the picoCTF challenges that need them.
  1. Step 1Enumerate relations
    \dt lists the available tables (only flags). The column of interest contains the picoCTF value.
    Learn more

    psql is the official command-line client for PostgreSQL, one of the most widely used open-source relational databases. It supports both standard SQL and meta-commands (prefixed with \) that are specific to psql. \dt lists all tables (relations) in the current database; \d tablename shows a table's schema; \l lists all databases.

    In this challenge, the database is intentionally exposed with default credentials (postgres/postgres) - a critical misconfiguration seen in real-world environments. Default credentials on database servers are a top finding in penetration tests. Tools like Metasploit's postgres_login scanner and hydra automate credential testing against exposed database ports.

    PostgreSQL runs on port 5432 by default. During network recon, port scans with nmap flag open database ports, which are then probed for default or weak credentials. Once inside, information_schema.tables (standard SQL) or \dt (psql-specific) quickly reveals the database structure.

  2. Step 2Dump the flag
    Either run TABLE flags; directly in psql or copy the table to a CSV and parse it locally with grep/cut.
    Learn more

    SELECT * FROM flags; is the most basic SQL query - it retrieves every row and column from the table. TABLE flags; is a PostgreSQL shorthand for the same thing. For larger tables, add LIMIT 10 to preview the first 10 rows, or WHERE column LIKE '%picoCTF%' to filter.

    The \copy meta-command exports query results to a local file (running client-side). This is distinct from COPY (no backslash), which runs server-side and requires superuser privileges to write to the server filesystem. Both support CSV, binary, and tab-delimited formats.

    In real incident response or data exfiltration scenarios, attackers with database access commonly use SELECT to extract entire tables, pg_dump to export the full database, or COPY TO to write files to the server. Defense-in-depth means: don't expose database ports to the internet, use strong unique credentials, enable SSL, restrict user privileges with least privilege, and audit all connections via database logs.

Flag

picoCTF{L3arN_S0m3_5qL_t0d4Y_31fd...}

PostgreSQL’s meta-commands (`\dt`, `\copy`, etc.) make exploratory tasks like this very quick.

Want more picoCTF 2022 writeups?

Browse picoCTF 2022Full library

Useful tools for Web Exploitation

Related reading

Do these first

What to try next