picoCTF 2022 | SQL Direct Write-up

Challenge description

Connect to this PostgreSQL server and find the flag!

Category: Web Exploitation

Solution

You have to first launch the challenge instance to receive further instructions. For me, the first step was finding and installing PostgreSQL on my own machine.

Next, follow the provided instructions to log into the database server.

This being my first time using SQL, I fumbled around for a good while until I found the \? command.

From this, and with the help of online guides, I found a few useful commands for this challenge.

\d lists the tables on the database

This lets us know that there is a table named flags on this database. But how to get to it…

The command for us here is \copy, which I needed to look up the syntax for. This website provided it in great detail. Following the guide, I typed in:

\copy (SELECT * FROM flags) to '[your desired location]/flag.csv' with csv

Now to view the file and grab our flag!
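To practise the same steps without the challenge server, here is an added psql session (not part of the original write-up) that runs against a local scratch database. The table contents and column names are constructed placeholders, and the last two statements show in-place alternatives to exporting a file.

```sql
-- Constructed practice data: run inside psql on a local scratch database.
-- Column names and the value below are placeholders, not the challenge's.
CREATE TABLE flags (
    id    serial PRIMARY KEY,
    value text
);
INSERT INTO flags (value) VALUES ('placeholder{not_a_real_flag}');

-- \d lists relations (tables, views, sequences); \dt lists tables only.
\d
\dt

-- The same listing from the catalog, usable from any client, not just psql.
SELECT table_schema, table_name
FROM information_schema.tables
WHERE table_schema NOT IN ('pg_catalog', 'information_schema');

-- \copy is a psql meta-command: the query runs on the server, but the file
-- is written by the psql client on your own machine, so no server-side file
-- privileges are needed. It must stay on one line, with no trailing semicolon.
\copy (SELECT * FROM flags) TO 'flag.csv' WITH (FORMAT csv, HEADER)

-- COPY ... TO '<file>' is the server-side form: the file lands on the
-- database host and needs superuser or the pg_write_server_files role.
-- COPY ... TO STDOUT streams rows back to the client and needs only SELECT.
COPY (SELECT * FROM flags) TO STDOUT WITH (FORMAT csv, HEADER);

-- For a small table, reading it in place works without any export.
SELECT * FROM flags;
```

The relative path in \copy resolves against the directory psql was started from.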
