Tags: wireshark binwalk
This challenge involves binwalking a squashfs filesystem from TCP data in a pcap. We see this packet in the pcap:
Follow the TCP stream and we see some data being sent:
Convert it to "Raw" and wait for all of it to load before saving. Once that's done, let's run binwalk on it:
```console
$ binwalk data
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
9176178       0x8C0472        Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 17573585 bytes, 2603 inodes, blocksize: 131072 bytes, created: 2022-03-24 21:46:19
```
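What binwalk matched at `0x8C0472` is the SquashFS superblock. The following Python is an added example, not part of the original writeup: it locates that superblock in a saved raw stream, decodes the fields binwalk printed, and checks that the save holds the whole image before carving it. The function names and the sample bytes are constructed for illustration.

```python
import struct

MAGIC = b"hsqs"  # SquashFS magic as stored in a little-endian image
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
SUPERBLOCK = struct.Struct("<4sIIIIHHHHHHQQ")  # first 48 bytes, little endian


def find_squashfs(blob):
    """Return a list of dicts, one per plausible SquashFS 4.x superblock."""
    hits = []
    pos = blob.find(MAGIC)
    while pos != -1:
        if pos + SUPERBLOCK.size <= len(blob):
            (_, inodes, _mtime, block_size, _frags, comp, block_log, _flags,
             _ids, major, minor, _root, bytes_used) = SUPERBLOCK.unpack_from(blob, pos)
            # Sanity checks discard chance occurrences of "hsqs" in other data.
            if major == 4 and block_size == 1 << block_log and comp in COMPRESSORS:
                hits.append({
                    "offset": pos,
                    "version": f"{major}.{minor}",
                    "compression": COMPRESSORS[comp],
                    "inodes": inodes,
                    "block_size": block_size,
                    "size": bytes_used,
                    # False means the saved stream ends before the image does.
                    "complete": pos + bytes_used <= len(blob),
                })
        pos = blob.find(MAGIC, pos + 1)
    return hits


def carve(blob, hit):
    """Return the image bytes for one hit, refusing a truncated capture."""
    if not hit["complete"]:
        raise ValueError("stream is shorter than the superblock's bytes_used")
    return blob[hit["offset"]:hit["offset"] + hit["size"]]


def constructed_sample(truncate=0):
    """Constructed test input: junk, a decoy magic, then a fake 96-byte image."""
    header = SUPERBLOCK.pack(MAGIC, 3, 0, 131072, 0, 1, 17, 0, 1, 4, 0, 0, 96)
    image = header + b"\x00" * (96 - len(header))
    blob = b"HTTP junk hsqs not a superblock " + b"\xff" * 32 + image + b"trailer"
    return blob[:len(blob) - truncate]


if __name__ == "__main__":
    for hit in find_squashfs(constructed_sample()):
        print(hit)
```

If `complete` comes back `False` for the saved stream, the "Raw" view had not finished loading when it was saved.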
Let's extract it with `binwalk -e data`:
If you just do some quick enumeration, you'll see an `etc/banner` file (this exists because this is the filesystem of TP-Link router firmware, which stores its banner in `etc/banner`).