{"id":18688757,"url":"https://github.com/noraj/sigsegv2.forensics_2","last_synced_at":"2026-02-14T07:03:05.466Z","repository":{"id":86822643,"uuid":"225726396","full_name":"noraj/SigSegV2.forensics_2","owner":"noraj","description":"A forensics challenge that was available during SigSegV2 CTF (2019)","archived":false,"fork":false,"pushed_at":"2019-12-03T22:28:51.000Z","size":1024,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-10-05T19:51:35.378Z","etag":null,"topics":["challenge","ctf","forensics","memory-dump","opensuse","rtfm","sigsegv2","volatility","volatility-profiles"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/noraj.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-12-03T22:06:09.000Z","updated_at":"2019-12-14T15:51:42.000Z","dependencies_parsed_at":"2023-07-17T20:49:27.042Z","dependency_job_id":null,"html_url":"https://github.com/noraj/SigSegV2.forensics_2","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/noraj/SigSegV2.forensics_2","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/noraj%2FSigSegV2.forensics_2","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/noraj%2FSigSegV2.forensics_2/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/noraj%2FSigSegV2.forensics_2/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub
# Volatility profile creation + 10 basic questions

## Version

Date        | Author                  | Contact               | Version | Comment
---         | ---                     | ---                   | ---     | ---
20/11/2019  | noraj (Alexandre ZANNI) | noraj#0833 on discord | 1.0     | Document creation

Information displayed for CTF players:

+ **Name of the challenge** / **Nom du challenge**: `10 questions about my system`
+ **Category** / **Catégorie**: `Forensics`
+ **Internet**: not needed
+ **Difficulty** / **Difficulté**: Medium / Moyen

### Description

Attach the memory dump. (https://github.com/noraj/SigSegV2.forensics_2/releases/download/v1.0/chall.raw)

```
Information about the memory dump:

openSUSE Leap 15.1
4.12.14-lp151.28.32-default (4.12.14-lp151.28.32.1)

Question n°X <here>

Flag format: sigsegv{sha1(flag)}

author: [noraj](https://pwn.by/noraj/)
```

### Hints

- Hint1: create a Volatility profile
- Hint2: share the Volatility profile

## Integration

Attach the memory dump.

## Solving

### Author solution

I used [ctf-party](https://rubygems.org/gems/ctf-party) to generate flags quicker.

Here is the config used:

```ruby
$ ctf_party_console
irb(main):001:0> String.flag = {prefix: 'sigsegv', digest: 'sha1'}
```

**Questions**

#### 1 - command time

What is the command that noraj used at `2019-11-19 22:57:38 UTC+0000`?

~~~
$ volatility --plugins=plugins/ --profile=LinuxopenSUSELeap151x64 -f chall.raw linux_bash | grep '2019-11-19 22:57:38 UTC+0000'
...
    1498 bash                 2019-11-19 22:57:38 UTC+0000   python3 -m http.server 1337
...
~~~

```ruby
irb(main):002:0> 'python3 -m http.server 1337'.flag
=> "sigsegv{1d4893cc25cc5453be125227fb8ac34988c29ad0}"
```

#### 2 - gcc version
What is the gcc version used to compile the kernel? (full string)

~~~
$ volatility --plugins=plugins/ --profile=LinuxopenSUSELeap151x64 -f chall.raw linux_banner
Volatility Foundation Volatility Framework 2.6.1
Linux version 4.12.14-lp151.28.32-default (geeko@buildhost) (gcc version 7.4.1 20190905 [gcc-7-branch revision 275407] (SUSE Linux) ) #1 SMP Wed Nov 13 07:50:15 UTC 2019 (6e1aaad)
~~~

```ruby
irb(main):002:0> 'gcc version 7.4.1 20190905 [gcc-7-branch revision 275407] (SUSE Linux)'.flag
=> "sigsegv{524993e05b0ded8e112a134c68d04b319de13423}"
```

#### 3 - debug message

What is the debug message at `1105416124.1`?

~~~
$ volatility --plugins=plugins/ --profile=LinuxopenSUSELeap151x64 -f chall.raw linux_dmesg | grep '1105416124.1'
Volatility Foundation Volatility Framework 2.6.1
[1105416124.1]   Magic number: 11:134:907
~~~

```ruby
irb(main):003:0> 'Magic number: 11:134:907'.flag
=> "sigsegv{77038af8d03d8b4cdb28e6e592b87a2c3195d1fe}"
```

#### 4 - IP / MAC

What is the IP address of eth0 and its MAC address? (concatenate the answer)

~~~
$ volatility --plugins=plugins/ --profile=LinuxopenSUSELeap151x64 -f chall.raw linux_ifconfig
Volatility Foundation Volatility Framework 2.6.1
Interface        IP Address           MAC Address        Promiscous Mode
---------------- -------------------- ------------------ ---------------
lo               127.0.0.1            00:00:00:00:00:00  False
eth0             192.168.1.94         08:00:27:93:fe:6c  False
lo               127.0.0.1            00:00:00:00:00:00  False
~~~

```ruby
'192.168.1.9408:00:27:93:fe:6c'.flag
=> "sigsegv{cba34462a24124ada4e4882a4db5104b254343f8}"
```

#### 5 - libraries
What is the 3rd library loaded by sshd? (full path)

Take the third row in the order the plugin prints it, not the third lowest load address (note that `ld-linux-x86-64.so.2` is listed out of address order).

~~~
$ volatility --plugins=plugins/ --profile=LinuxopenSUSELeap151x64 -f chall.raw linux_library_list | grep sshd
Volatility Foundation Volatility Framework 2.6.1
sshd                 1271 0x00007f0e8ec8a000 /usr/lib64/libgpg-error.so.0
sshd                 1271 0x00007f0e8eeaa000 /lib64/libresolv.so.2
sshd                 1271 0x00007f0e8f0c1000 /usr/lib64/libkeyutils.so.1
sshd                 1271 0x00007f0e8f2c5000 /usr/lib64/libkrb5support.so.0
sshd                 1271 0x00007f0e8f4d2000 /usr/lib64/libk5crypto.so.3
sshd                 1271 0x00007f0e8f704000 /lib64/libpthread.so.0
sshd                 1271 0x00007f0e8f922000 /usr/lib64/libgcrypt.so.20
sshd                 1271 0x00007f0e8fc3e000 /usr/lib64/liblz4.so.1
sshd                 1271 0x00007f0e8fe53000 /usr/lib64/liblzma.so.5
sshd                 1271 0x00007f0e9008d000 /lib64/librt.so.1
sshd                 1271 0x00007f0e90295000 /usr/lib64/libcap.so.2
sshd                 1271 0x00007f0e927e7000 /lib64/ld-linux-x86-64.so.2
sshd                 1271 0x00007f0e9049a000 /usr/lib64/libpcre.so.1
sshd                 1271 0x00007f0e90727000 /lib64/libdl.so.2
sshd                 1271 0x00007f0e9092b000 /lib64/libc.so.6
sshd                 1271 0x00007f0e90ce5000 /lib64/libcom_err.so.2
sshd                 1271 0x00007f0e90ee9000 /usr/lib64/libkrb5.so.3
sshd                 1271 0x00007f0e911c5000 /usr/lib64/libgssapi_krb5.so.2
sshd                 1271 0x00007f0e91411000 /lib64/libcrypt.so.1
sshd                 1271 0x00007f0e9164c000 /lib64/libz.so.1
sshd                 1271 0x00007f0e91863000 /lib64/libutil.so.1
sshd                 1271 0x00007f0e91a66000 /usr/lib64/libcrypto.so.1.1
sshd                 1271 0x00007f0e91ef4000 /usr/lib64/libsystemd.so.0
sshd                 1271 0x00007f0e92189000 /lib64/libselinux.so.1
sshd                 1271 0x00007f0e923b2000 /lib64/libpam.so.0
sshd                 1271 0x00007f0e925c1000 /usr/lib64/libaudit.so.1
sshd                 1271 0x00007ffda9814000 linux-vdso.so.1
~~~

```ruby
irb(main):005:0> '/usr/lib64/libkeyutils.so.1'.flag
=> "sigsegv{bcf5ae7945ce4e711d11861ec2cc1f75efbe758b}"
```

#### 6 - FS and mount

What is the file system and mount options of `/tmp`? (concatenate the answer)

~~~
$ volatility --plugins=plugins/ --profile=LinuxopenSUSELeap151x64 -f chall.raw linux_mount
Volatility Foundation Volatility Framework 2.6.1
tmpfs                     /@/sys/fs/cgroup                    tmpfs        ro,nosuid,nodev,noexec
proc                      /@/proc                             proc         rw,relatime,nosuid,nodev,noexec
devtmpfs                  /@/dev                              devtmpfs     rw,nosuid
/dev/sda2                 /@/@/tmp/tmp                        btrfs        rw,relatime
sysfs                     /@/sys                              sysfs        rw,relatime,nosuid,nodev,noexec
cgroup                    /@/sys/fs/cgroup/perf_event         cgroup       rw,relatime,nosuid,nodev,noexec
systemd-1                 /@/proc/sys/fs/binfmt_misc          autofs       rw,relatime
...
~~~

```ruby
irb(main):006:0> 'btrfsrw,relatime'.flag
=> "sigsegv{d27802b77f4a14b3745ab47aaa86cfdc3c231394}"
```

#### 7 - UNIX socket

What is the service name/pid of the process using UNIX socket 18707?

```
$ volatility --plugins=plugins/ --profile=LinuxopenSUSELeap151x64 -f chall.raw linux_netstat | grep 18707
Volatility Foundation Volatility Framework 2.6.1
UNIX 18707        wickedd-nanny/866
```

```ruby
irb(main):007:0> 'wickedd-nanny/866'.flag
=> "sigsegv{6b95288247a023c860fe0848f3990cc25ce7d697}"
```

#### 8 - ps

What is the full command of pid 364?

~~~
$ volatility --plugins=plugins/ --profile=LinuxopenSUSELeap151x64 -f chall.raw linux_psaux -p 364
Volatility Foundation Volatility Framework 2.6.1
Pid    Uid    Gid    Arguments
364    0      0      /usr/sbin/haveged -w 1024 -v 0 -F
~~~

```ruby
irb(main):012:0> '/usr/sbin/haveged -w 1024 -v 0 -F'.flag
=> "sigsegv{4c0bed3d6381e2014d77a35e6931d604e4bd8ec1}"
```

#### 9 - INVOCATION_ID

What is the invocation id of bash? (bash is pid 1498, see question 1)

```
$ volatility --plugins=plugins/ --profile=LinuxopenSUSELeap151x64 -f chall.raw linux_psenv -p 1498
Volatility Foundation Volatility Framework 2.6.1
Name   Pid    Environment
bash              1498   LANG= PATH=/usr/local/bin:/bin:/usr/bin INVOCATION_ID=d6dd8e717833428bac595d565958fdf4 TERM=linux JOURNAL_STREAM=9:21427 LANGUAGE= LC_CTYPE= LC_NUMERIC= LC_TIME= LC_COLLATE= LC_MONETARY= LC_MESSAGES= LC_PAPER= LC_NAME= LC_ADDRESS= LC_TELEPHONE= LC_MEASUREMENT= LC_IDENTIFICATION= HOME=/home/noraj USER=noraj SHELL=/bin/bash MAIL=/var/mail/noraj LOGNAME=noraj XDG_SESSION_ID=1 XDG_RUNTIME_DIR=/run/user/1000 XDG_SEAT=seat0 XDG_VTNR=1
```

```ruby
irb(main):013:0> 'd6dd8e717833428bac595d565958fdf4'.flag
=> "sigsegv{a64603f7b14cdd948ab9f065befc350854e0a25d}"
```

#### 10 - PPID

What is the PPID of the qmgr process?

In the tree below each leading dot is one level of depth: `qmgr` (1371) sits one level under `master` (1368), so its PPID is 1368.

```
$ volatility --plugins=plugins/ --profile=LinuxopenSUSELeap151x64 -f chall.raw linux_pstree
Volatility Foundation Volatility Framework 2.6.1
Name                 Pid             Uid
systemd              1
.systemd-journal     360
.haveged             364
.lvmetad             369
.systemd-udevd       376
.auditd              465
.dbus-daemon         668             499
.wickedd-auto4       675
.wickedd-dhcp4       676
.wickedd-dhcp6       678
.rsyslogd            722
.nscd                690             479
.systemd-logind      801
.wickedd             824
.wickedd-nanny       866
.iscsid              1236
.sshd                1271
.login               1314
..bash               1498            1000
.master              1368
..pickup             1370            51
..qmgr               1371            51
.cron                1381
.systemd             1492            1000
..(sd-pam)           1493            1000
[kthreadd]           2
.[kworker/0:0H]      4
```

```ruby
irb(main):014:0> '1368'.flag
=> "sigsegv{570722b44ec7003126d686b70703051e72ff7408}"
```
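
The answers above are read off the plugin output by eye. The Python script below is an added example, not part of the challenge repository, of ctf-party or of Volatility: it parses three of the Volatility 2 listings used above (`linux_pstree`, `linux_library_list`, `linux_ifconfig`) and applies the `sigsegv{sha1(answer)}` flag format itself. The `*_SAMPLE` strings are constructed from the (trimmed) output shown on this page, and all function names are this example's own. The pstree parser makes the step question 10 leaves implicit explicit: depth is the number of leading dots, and a process's parent is the nearest preceding entry one level up.

```python
"""Added example (not from the challenge repository, ctf-party or Volatility):
answer questions 4, 5 and 10 from Volatility 2 text output and build the flags.
"""
from __future__ import annotations

import hashlib
import re

FLAG_PREFIX = "sigsegv"

# Constructed sample: trimmed linux_pstree output (leading dots encode tree depth).
PSTREE_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6.1
Name                 Pid             Uid
systemd              1
.systemd-journal     360
.sshd                1271
.login               1314
..bash               1498            1000
.master              1368
..pickup             1370            51
..qmgr               1371            51
.cron                1381
.systemd             1492            1000
..(sd-pam)           1493            1000
[kthreadd]           2
.[kworker/0:0H]      4
"""

# Constructed sample: first rows of `linux_library_list | grep sshd`.
LIBRARY_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6.1
sshd                 1271 0x00007f0e8ec8a000 /usr/lib64/libgpg-error.so.0
sshd                 1271 0x00007f0e8eeaa000 /lib64/libresolv.so.2
sshd                 1271 0x00007f0e8f0c1000 /usr/lib64/libkeyutils.so.1
sshd                 1271 0x00007f0e8f2c5000 /usr/lib64/libkrb5support.so.0
sshd                 1271 0x00007ffda9814000 linux-vdso.so.1
"""

# Constructed sample: linux_ifconfig output (header spelling is the plugin's own).
IFCONFIG_SAMPLE = """\
Interface        IP Address           MAC Address        Promiscous Mode
---------------- -------------------- ------------------ ---------------
lo               127.0.0.1            00:00:00:00:00:00  False
eth0             192.168.1.94         08:00:27:93:fe:6c  False
"""


def flag(answer: str) -> str:
    """sigsegv{sha1(answer)}: what ctf-party's String#flag does with prefix 'sigsegv', digest 'sha1'."""
    return f"{FLAG_PREFIX}{{{hashlib.sha1(answer.encode()).hexdigest()}}}"


def parse_pstree(text: str) -> list[tuple[str, int, int | None]]:
    """(name, pid, ppid) for every row of linux_pstree output.

    Depth = number of leading dots; the parent is the most recent row one level up.
    Banner/header lines never match the row pattern (their 2nd column is not numeric).
    """
    row = re.compile(r"^(?P<dots>\.*)(?P<name>\S+)\s+(?P<pid>\d+)(?:\s+\d+)?\s*$")
    ancestors: list[int] = []  # ancestors[d] = pid of the current node at depth d
    procs: list[tuple[str, int, int | None]] = []
    for line in text.splitlines():
        m = row.match(line)
        if not m:
            continue
        depth, pid = len(m.group("dots")), int(m.group("pid"))
        del ancestors[depth:]  # we left every subtree deeper than `depth`
        ppid = ancestors[-1] if ancestors else None
        ancestors.append(pid)
        procs.append((m.group("name"), pid, ppid))
    return procs


def ppid_of(pstree_text: str, name: str) -> int | None:
    """PPID of the first process called `name` (None for a tree root such as pid 1)."""
    for proc_name, _pid, ppid in parse_pstree(pstree_text):
        if proc_name == name:
            return ppid
    raise KeyError(name)


def nth_library(library_list_text: str, process: str, n: int) -> str:
    """n-th (1-based) library of `process`, in the order linux_library_list prints them."""
    rows = [ln.split() for ln in library_list_text.splitlines()]
    paths = [r[3] for r in rows if len(r) == 4 and r[0] == process and r[2].startswith("0x")]
    return paths[n - 1]


def iface_ip_mac(ifconfig_text: str, iface: str) -> str:
    """IP address and MAC address of `iface`, concatenated as question 4 asks."""
    for ln in ifconfig_text.splitlines():
        cols = ln.split()  # Interface, IP, MAC, Promiscuous
        if len(cols) == 4 and cols[0] == iface:
            return cols[1] + cols[2]
    raise KeyError(iface)


def solve() -> dict[str, str]:
    """Flags for questions 4, 5 and 10 computed from the constructed samples."""
    answers = {
        "q4": iface_ip_mac(IFCONFIG_SAMPLE, "eth0"),
        "q5": nth_library(LIBRARY_SAMPLE, "sshd", 3),
        "q10": str(ppid_of(PSTREE_SAMPLE, "qmgr")),
    }
    return {q: flag(a) for q, a in answers.items()}


if __name__ == "__main__":
    for question, value in solve().items():
        print(question, value)
```

On a real dump, feed the functions the saved output of the corresponding plugin (`volatility ... linux_pstree > pstree.txt`) instead of the embedded samples; the parsers only rely on the column layout shown above.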

---

**Profile**

~~~
openSUSE Leap 15.1
4.12.14-lp151.28.32-default (4.12.14-lp151.28.32.1)
~~~

#### (Dev)

Create a live memory dump with virtualbox:

~~~
$ VBoxManage debugvm 'openSUSE Leap 15.1' dumpvmcore --filename=chall.raw
~~~

#### Solution (create profile for volatility)

Download ISO:

- [Direct download][3]
- [Torrent][4]

Install the VM.

Install the right kernel version (the exact release the dump was taken from, as shown by the banner in question 2):

~~~
$ zypper info kernel-default
# zypper in -f kernel-default-4.12.14-lp151.28.32.1
~~~

Install `dwarfdump`, `gcc`/`make` and kernel headers as required in the [Volatility wiki][1].
Also install `zip` to be able to create the profile archive, and `git` to fetch Volatility.

~~~
# zypper update
# zypper in libdwarf-tools kernel-default-devel zip git
# zypper install -t pattern devel_basis
# reboot
~~~

[Creating vtypes][2]

~~~
$ cd /tmp
$ git clone https://github.com/volatilityfoundation/volatility.git
$ cd volatility/tools/linux
$ make
$ head module.dwarf
~~~

[Making the profile][5]
~~~
$ cd /tmp
$ sudo zip openSUSELeap151.zip volatility/tools/linux/module.dwarf /boot/System.map-4.12.14-lp151.28.32-default
~~~

Use a bridged network adapter (or any other network path between the VM and the analysis machine) and serve the profile zip over HTTP:

~~~
$ python3 -m http.server 1337
~~~

And retrieve it on your CTF machine:

~~~
$ wget http://192.168.1.94:1337/openSUSELeap151.zip
~~~

Put the profile in any directory.
Then look up the name Volatility registered for the profile:

~~~
$ mkdir plugins
$ mv openSUSELeap151.zip plugins
$ volatility --plugins=plugins/ --info | grep openSUSELeap151
Volatility Foundation Volatility Framework 2.6.1
LinuxopenSUSELeap151x64 - A Profile for Linux openSUSELeap151 x64
~~~

Specify it in volatility options for each module you want to run, for example:

~~~
$ volatility -f chall.raw --plugins=plugins/ --profile=LinuxopenSUSELeap151x64 linux_pslist
~~~
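
Before spending time on plugins it is worth checking that the profile actually matches the dump: a zip built from a neighbouring kernel build registers fine under `--info` but gives wrong or empty results. The Python script below is an added example, not code from this repository or from Volatility. It recovers the kernel release straight from the `Linux version ...` banner in the raw dump (no profile needed; it is the string `linux_banner` printed in question 2), checks that the zip contains a `module.dwarf` and a `System.map-<release>` for that exact release, and derives the profile name Volatility 2 will register. The naming rule `Linux` + zip file stem + `x64` is taken from the output above (`openSUSELeap151.zip` becomes `LinuxopenSUSELeap151x64`); choosing `x64` versus `x86` from the width of the System.map addresses is this example's assumption about how Volatility picks the suffix. The fake dump, the zip and the second, mismatching release string used in `demo()` are constructed for the example.

```python
"""Added example (not code from this repository or from Volatility): sanity-check a
Volatility 2 Linux profile zip against a raw memory dump before running plugins.
"""
from __future__ import annotations

import os
import re
import tempfile
import zipfile

BANNER_RE = re.compile(rb"Linux version (\S+) \(")  # "Linux version <release> (user@host) ..."
CHUNK = 8 * 1024 * 1024
OVERLAP = 512  # bytes carried over between chunks so a banner on a chunk boundary is still seen


def dump_kernel_releases(dump_path: str) -> set[str]:
    """Every kernel release named in a `Linux version <release> (` banner in the dump."""
    found: set[str] = set()
    tail = b""
    with open(dump_path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            data = tail + chunk
            for m in BANNER_RE.finditer(data):
                found.add(m.group(1).decode("ascii", errors="replace"))
            tail = data[-OVERLAP:]
    return found


def inspect_profile_zip(zip_path: str) -> dict:
    """What Volatility 2 needs from a Linux profile zip, plus the name it will get."""
    with zipfile.ZipFile(zip_path) as zf:
        names = zf.namelist()
        has_dwarf = any(os.path.basename(n).lower() == "module.dwarf" for n in names)
        sysmaps = [n for n in names if os.path.basename(n).lower().startswith("system.map")]
        release = arch = None
        if sysmaps:
            release = os.path.basename(sysmaps[0]).partition("-")[2] or None  # System.map-<release>
            lines = zf.read(sysmaps[0]).splitlines()
            first = lines[0].split() if lines else []
            # Assumption: 16 hex digits per symbol address means a 64-bit kernel.
            arch = "x64" if first and len(first[0]) == 16 else "x86"
    stem = os.path.splitext(os.path.basename(zip_path))[0]
    return {
        "has_dwarf": has_dwarf,
        "sysmap_release": release,
        "profile_name": f"Linux{stem}{arch}" if arch else None,
    }


def check_profile(dump_path: str, zip_path: str) -> dict:
    """Cross-check the dump's banner against the profile zip; 'matches' is the verdict."""
    releases = dump_kernel_releases(dump_path)
    info = inspect_profile_zip(zip_path)
    info["dump_releases"] = sorted(releases)
    info["matches"] = bool(info["has_dwarf"] and info["sysmap_release"] in releases)
    return info


RELEASE = "4.12.14-lp151.28.32-default"
# The banner linux_banner printed on this page; everything else in the fake dump is filler.
BANNER = (b"Linux version " + RELEASE.encode() + b" (geeko@buildhost) (gcc version 7.4.1 20190905 "
          b"[gcc-7-branch revision 275407] (SUSE Linux) ) #1 SMP Wed Nov 13 07:50:15 UTC 2019 (6e1aaad)\n")


def build_sample(directory: str, sysmap_release: str) -> tuple[str, str]:
    """Constructed stand-ins for chall.raw and openSUSELeap151.zip (not the real files)."""
    dump_path = os.path.join(directory, "chall.raw")
    with open(dump_path, "wb") as fh:
        fh.write(b"\x00" * 4096 + BANNER + b"\x00" * 4096)
    zip_path = os.path.join(directory, "openSUSELeap151.zip")
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.writestr("volatility/tools/linux/module.dwarf", "placeholder dwarf output\n")
        zf.writestr(f"boot/System.map-{sysmap_release}",
                    "ffffffff81000000 T _text\nffffffff81000010 T startup_64\n")
    return dump_path, zip_path


def demo(sysmap_release: str = RELEASE) -> dict:
    """Build the constructed sample in a temporary directory and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_profile(*build_sample(tmp, sysmap_release))


if __name__ == "__main__":
    print(demo())                                 # System.map for the dump's own kernel: matches
    print(demo("4.12.14-lp151.28.36-default"))    # hypothetical neighbouring build: no match
```

Against the real files, call `check_profile("chall.raw", "plugins/openSUSELeap151.zip")`; `dump_releases` should list exactly the release named in the challenge description and `profile_name` should be the string you then pass to `--profile`.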

[1]:https://github.com/volatilityfoundation/volatility/wiki/Linux#creating-a-new-profile
[2]:https://github.com/volatilityfoundation/volatility/wiki/Linux#creating-vtypes
[3]:https://download.opensuse.org/distribution/leap/15.1/iso/openSUSE-Leap-15.1-DVD-x86_64.iso
[4]:https://download.opensuse.org/distribution/leap/15.1/iso/openSUSE-Leap-15.1-DVD-x86_64.iso.torrent
[5]:https://github.com/volatilityfoundation/volatility/wiki/Linux#making-the-profile

## SigSegV2

A forensics challenge that was available during SigSegV2 CTF (2019).

- Q1: 15 of 36 teams flagged this question.
- Q2: 19 of 36 teams flagged this question.
- Q3: 14 of 36 teams flagged this question.
- Q4: 16 of 36 teams flagged this question.
- Q5: 15 of 36 teams flagged this question.
- Q6: 15 of 36 teams flagged this question.
- Q7: 15 of 36 teams flagged this question.
- Q8: 15 of 36 teams flagged this question.
- Q9: 11 of 36 teams flagged this question.
- Q10: 15 of 36 teams flagged this question.

---

**This part is not used, just archived.**

~~~
openSUSE Leap 42.1
4.1.39-56-default (4.1.39-56.1)
~~~

## Dev

Create a live memory dump with virtualbox:

~~~
$ VBoxManage debugvm 'openSUSE Leap 42.1' dumpvmcore --filename=chall.raw
~~~

## Solution

Download ISO:

- [Direct download][3b]
- [Torrent][4b]

Install the VM.

Install the right kernel version.

~~~
$ zypper info kernel-default
# zypper in -f kernel-default-4.1.39-56.1
~~~

Install `dwarfdump`, `gcc`/`make` and kernel headers as required in the [Volatility wiki][1b].
Also install `zip` to be able to create the profile archive.

~~~
# zypper update
# zypper in libdwarf-tools kernel-default-devel zip git
# zypper install -t pattern devel_basis
# reboot
~~~

[Creating vtypes][2b]

~~~
$ cd /tmp
$ git clone https://github.com/volatilityfoundation/volatility.git
$ cd volatility/tools/linux
$ make
$ head module.dwarf
~~~

[Making the profile][5b]

~~~
$ cd /tmp
$ zip openSUSELeap421.zip volatility/tools/linux/module.dwarf /boot/System.map-4.1.39-56-default
~~~

Use a bridged network adapter (or any other network path between the VM and the analysis machine) and serve the profile zip over HTTP:

~~~
$ python3 -m http.server 1337
~~~

And retrieve it on your CTF machine:

~~~
$ wget http://192.168.1.94:1337/openSUSELeap421.zip
~~~

Put the profile in any directory.
Then look up the name Volatility registered for the profile:

~~~
$ mkdir plugins
$ mv openSUSELeap421.zip plugins
$ volatility --plugins=plugins/ --info | grep openSUSELeap421
Volatility Foundation Volatility Framework 2.6.1
LinuxopenSUSELeap421x64 - A Profile for Linux openSUSELeap421 x64
~~~

Specify it in volatility options for each module you want to run, for example:
~~~
$ volatility -f chall421.raw --plugins=plugins/ --profile=LinuxopenSUSELeap421x64 linux_pslist
~~~

[1b]:https://github.com/volatilityfoundation/volatility/wiki/Linux#creating-a-new-profile
[2b]:https://github.com/volatilityfoundation/volatility/wiki/Linux#creating-vtypes
[3b]:http://ftp5.gwdg.de/pub/opensuse/discontinued/distribution/leap/42.1/iso/openSUSE-Leap-42.1-DVD-x86_64.iso
[4b]:http://ftp5.gwdg.de/pub/opensuse/discontinued/distribution/leap/42.1/iso/openSUSE-Leap-42.1-DVD-x86_64.iso.torrent
[5b]:https://github.com/volatilityfoundation/volatility/wiki/Linux#making-the-profile