Tags: wireshark binwalk 


This challenge involves binwalking a squashfs filesystem from TCP data in a pcap. We see this packet in the pcap:

Follow the TCP stream and we see some data being sent:

Convert it to "Raw" and wait for all of it to load before saving. Once that's done, let's run binwalk on it:

```console
$ binwalk data

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
9176178       0x8C0472        Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 17573585 bytes, 2603 inodes, blocksize: 131072 bytes, created: 2022-03-24 21:46:19
```
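The binwalk line above is the SquashFS superblock decoded at the offset where the `hsqs` magic was found. The Python sketch below is an added example, not part of the original writeup: it locates and parses that superblock by hand and flags a stream that was saved before it finished loading. The function names and the sample bytes are constructed for illustration.

```python
import struct

SQUASHFS_MAGIC = b"hsqs"  # little-endian SquashFS magic
# First 48 bytes of a SquashFS 4.0 superblock (little endian, no padding).
SUPERBLOCK = struct.Struct("<4sIIIIHHHHHHQQ")
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def find_squashfs(data):
    """Return a dict for every plausible SquashFS 4.0 superblock in data."""
    hits = []
    pos = data.find(SQUASHFS_MAGIC)
    while pos != -1:
        if pos + SUPERBLOCK.size <= len(data):
            (_magic, inodes, mtime, block_size, _frags, comp, block_log, _flags,
             _ids, major, minor, _root, bytes_used) = SUPERBLOCK.unpack_from(data, pos)
            # Field cross-checks reject stray "hsqs" bytes elsewhere in the stream.
            if (major, minor) == (4, 0) and comp in COMPRESSORS \
                    and block_size == 1 << block_log:
                hits.append({
                    "offset": pos, "inodes": inodes, "mtime": mtime,
                    "block_size": block_size, "compression": COMPRESSORS[comp],
                    "size": bytes_used,
                    # True when the saved stream ends before the image does.
                    "truncated": pos + bytes_used > len(data),
                })
        pos = data.find(SQUASHFS_MAGIC, pos + 1)
    return hits


def carve(data, hit):
    """Return the image bytes for one hit (short if the capture was truncated)."""
    return data[hit["offset"]:hit["offset"] + hit["size"]]


def constructed_sample():
    """Constructed stand-in for the saved stream; not data from the challenge."""
    body = b"\xaa" * 64
    sb = SUPERBLOCK.pack(SQUASHFS_MAGIC, 2603, 1648158379, 131072, 0, 1, 17,
                         0, 1, 4, 0, 0, SUPERBLOCK.size + len(body))
    # A bare "hsqs" with no valid superblock behind it precedes the real image.
    return b"junk" + b"hsqs" + b"\x00" * 60 + sb + body + b"trailer"


if __name__ == "__main__":
    sample = constructed_sample()
    for hit in find_squashfs(sample):
        print(hit, len(carve(sample, hit)))
```

Run against the real saved stream, a `truncated` value of `True` means the "Raw" view was saved before all the data had loaded.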

Let's extract it with `binwalk -e data`:

If you just do some quick enumeration, you'll see an `etc/banner` file (this exists because this is the filesystem of TP-Link router firmware, which stores its banner in `etc/banner`).

Original writeup (https://github.com/NihilistPenguin/PatriotCTF2022-Writeups/blob/main/Forensics/Banner.md).