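#!/usr/bin/env ruby
# Reassembles two files that were carried inside DNS names in a packet
# capture (dump.pcap): one from the question names and one from the CNAME
# answers. Each name holds a Base32-encoded chunk; chunks are concatenated in
# capture order and written to flag.docx.gpg and key.

require 'rubygems'
require 'base32'
require 'pcap'
require 'pcap/pcaplet'
require 'net/dns'
require 'pp'

include Pcap

pcaplet = Pcaplet.new("-r dump.pcap")

# Decodes the payload carried in one DNS name.
#
# The last two labels of the name are discarded, the remaining labels are
# joined and Base32-decoded, and the first 6 bytes of the result are dropped.
#
# @param txt [String] dotted DNS name
# @return [String] decoded chunk without its 6-byte prefix
def decode(txt)
  labels = txt.split('.')
  encoded = labels[0, labels.size - 2].join
  bin = Base32.decode(encoded)
  # pp bin[0,6].unpack('SSS')  # debug: dump the 6-byte prefix as three shorts
  bin[0, 6] = '' # NOTE(review): prefix looks like a three-field chunk header; confirm
  bin
end

# NOTE(review): one `harvesting` flag and one `seen` table are shared by both
# streams, so a marker seen in one stream also switches collection on or off
# for the other. Confirm this matches the capture before relying on the output.
harvesting = false
data_doc = ''
data_key = ''
seen = {} # chunks already appended, so repeated names are not added twice

pcaplet.each_packet do |pkt|
  next unless pkt.is_a?(UDPPacket)
  next if pkt.sport != 53 # Only look at answers

  req = Net::DNS::Packet.parse(pkt.udp_data)

  # Key material travels in the CNAME answers.
  # NOTE(review): collection starts on the PUBLIC key header and stops on the
  # PRIVATE key footer; presumably the stream holds both blocks back to back.
  req.each_cname do |cn|
    bin = decode(cn)
    next unless (bin.include?('-----BEGIN PGP PUBLIC KEY BLOCK-----') || harvesting) && !seen[bin]

    harvesting = !bin.include?('-----END PGP PRIVATE KEY BLOCK-----')
    data_key << bin
    seen[bin] = true
  end

  # The document travels in the question names. The name is read from the
  # question entry itself; `cn` from the CNAME loop is not in scope here and
  # referencing it raised NameError.
  req.question.each do |q|
    bin = decode(q.qName)
    next unless (bin.include?('START_OF_FILE') || harvesting) && !seen[bin]

    harvesting = !bin.include?('END_OF_FILE')
    data_doc << bin
    seen[bin] = true
  end
end

File.open('flag.docx.gpg', 'wb') { |f| f.write(data_doc) }

# This file receives the recovered PGP key material.
File.open('key', 'wb') { |f| f.write(data_key) }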