diff --git a/config/supervisord.conf b/config/supervisord.conf
index c036691..385f9ba 100644
--- a/config/supervisord.conf
+++ b/config/supervisord.conf
@@ -1,10 +1,15 @@
 [supervisord]
 nodaemon=true
+user=root
 [program:sshd]
 command=/usr/sbin/sshd -D
+autostart=true
 autorestart=true
+priority=20
 [program:apache2]
-command=/usr/sbin/apache2ctl -D FOREGROUND
+command=/usr/sbin/httpd -D FOREGROUND -f /etc/apache2/httpd.conf
+autostart=true
 autorestart=true
+priority=10
\ No newline at end of file
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 92b9696..00d2b53 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
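Review bot: Neither `[program:sshd]` nor `[program:apache2]` in config/supervisord.conf sets a log destination, so with `nodaemon=true` as the container's main process the children's output goes to supervisord's default per-program log files instead of the container's stdout. Adding `stdout_logfile=/dev/stdout`, `stdout_logfile_maxbytes=0` and `redirect_stderr=true` to each program would let `docker logs` show what the services write to stdout/stderr. The new `user=root` line also deserves a short comment, for example `; supervisord stays root because sshd has to be started as root`, so it does not read as an unexplained privilege choice. The section is still named `[program:apache2]` although it now launches `/usr/sbin/httpd`.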
@@ -1,66 +1,68 @@ -FROM ubuntu:24.04 +FROM alpine:3.20 -ENV DEBIAN_FRONTEND=noninteractive ENV MYSQL_ROOT_PASSWORD=39gknzLD ENV MYSQL_DATABASE=app -RUN apt update && apt upgrade -y && \ - apt install -y \ +RUN apk update && apk upgrade && \ + apk add --no-cache \ apache2 \ + apache2-ssl \ curl \ - nano \ vim \ + bash \ supervisor \ - openssh-server \ + openssh \ sudo \ - php-mysql\ - cowsay \ - php \ - iputils-ping \ - && rm -rf /var/lib/apt/lists/* + php82 \ + php82-mysqli \ + php82-apache2 \ + php82-session \ + iputils \ + shadow \ + && rm -rf /var/cache/apk/* # the user players will need to have access as - RUN useradd -m -s /bin/bash agent \ && echo "agent:secure" | chpasswd # apache2 config to change default 80 port to 8080 -RUN sed -i 's/^Listen 80/Listen 8080/' /etc/apache2/ports.conf - -RUN sed -i 's///' /etc/apache2/sites-available/000-default.conf - +RUN sed -i 's/^Listen 80/Listen 8080/' /etc/apache2/httpd.conf && sed -i 's/80/8080/g' /etc/apache2/conf.d/*.conf || true # remove default apache2 index.html -RUN rm /var/www/html/index.html +RUN rm -f /var/www/localhost/htdocs/index.html -# enable php module -RUN ls /etc/apache2/mods-enabled/ -RUN a2enmod php* +# enable php module in apache + +RUN echo "LoadModule php_module /usr/lib/apache2/mod_php82.so" > /etc/apache2/conf.d/php.conf # copy the app -COPY ./www/ /var/www/html/ +COPY ./www/ /var/www/localhost/htdocs/ -# give upload permissions to the www-data user +# add ssh key otherwise it does not work -RUN chown -R www-data:www-data /var/www/html/confidential/uploads && chmod -R 755 /var/www/html/confidential/uploads +RUN ssh-keygen -A -# give permissions to access the agent user to www-data -RUN usermod -aG agent www-data && chmod 750 /home/agent +# give upload permissions to the apache user + +RUN chown -R apache:apache /var/www/localhost/htdocs/confidential/uploads \ + && chmod -R 755 /var/www/localhost/htdocs/confidential/uploads +# give permissions to access the agent user to apache + +RUN usermod 
-aG agent apache && chmod 750 /home/agent RUN mkdir /var/run/sshd # (suggestion) -# for the privesc, cowsay allowed to be ran with sudo without password -# https://gtfobins.github.io/gtfobins/cowsay/ +# for the privesc, vim allowed to be ran with sudo without password +# https://gtfobins.github.io/gtfobins/vim/ -RUN printf 'agent ALL=(ALL) NOPASSWD: /usr/games/cowsay, /usr/bin/sudo -l\n' > /etc/sudoers.d/agent && \ - chmod 0440 /etc/sudoers.d/agent && \ - visudo -cf /etc/sudoers.d/agent +RUN echo 'agent ALL=(ALL) NOPASSWD: /usr/bin/vim, /usr/bin/sudo -l' > /etc/sudoers.d/agent \ + && chmod 0440 /etc/sudoers.d/agent # copy the agent user creds and set 777 suid @@ -73,6 +75,8 @@ COPY ./config/codes.txt /root/ RUN chown root:root /root/codes.txt +RUN mkdir -p /run/httpd && chown apache:apache /run/httpd + # 22 port -> ssh, 8080 port -> webserver EXPOSE 22 @@ -80,8 +84,8 @@ EXPOSE 8080 # config of supervisord to have both apache2 and sshd services running -COPY config/supervisord.conf /etc/supervisor/conf.d/supervisord.conf +COPY config/supervisord.conf /etc/supervisor.d/httpd.ini # start supervisord -CMD ["/usr/bin/supervisord", "-n"] +CMD ["/usr/bin/supervisord", "-n", "-c", "/etc/supervisor.d/httpd.ini"] diff --git a/www/gallery.php b/www/gallery.php deleted file mode 100644 index d652182..0000000 --- a/www/gallery.php +++ /dev/null @@ -1,49 +0,0 @@ - - - - - - - Tux gallery ! - - - - - - -
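Review bot: In docker/Dockerfile the new port-rewrite line `sed -i 's/^Listen 80/Listen 8080/' /etc/apache2/httpd.conf && sed -i 's/80/8080/g' /etc/apache2/conf.d/*.conf || true` can fail silently and can over-match. Because `a && b || true` always succeeds, the build passes even when httpd.conf is missing or the glob matches nothing, and the unanchored `s/80/8080/g` rewrites every `80` substring in every conf.d file (presumably including the ones apache2-ssl installs), not only a listen port. I would keep the anchored edit and make the build verify it: `RUN sed -i 's/^Listen 80$/Listen 8080/' /etc/apache2/httpd.conf && grep -q '^Listen 8080$' /etc/apache2/httpd.conf`; if a conf.d file really needs a port change, target that directive explicitly. The same hunk drops `visudo -cf /etc/sudoers.d/agent`, so a malformed sudoers drop-in is no longer caught at build time; appending `&& visudo -cf /etc/sudoers.d/agent` would restore that check.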
-
-

Tux gallery

-

Tux is awesome ! So I made this extremely secure gallery app.

- - You can also add tux pictures to the gallery, first login and then you should be able to upload a new image of tux. - - First navigate to the upload.php page and upload your tux image from there! - -
-
- -
- - - - \ No newline at end of file