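FROM alpine:3.20

# NOTE(review): a credential in ENV is stored in the image config and is visible via
# `docker inspect` / `docker history`. Nothing below installs a MySQL/MariaDB server
# (only the php82-mysqli client), so this value appears unused by this image — confirm
# before keeping it.
ENV MYSQL_ROOT_PASSWORD=39gknzLD \
    MYSQL_DATABASE=app

# pipefail so a failing producer in `a | b` fails the RUN (the chpasswd pipe below)
SHELL ["/bin/ash", "-o", "pipefail", "-c"]

# --no-cache fetches a fresh index and writes nothing to /var/cache/apk, so the
# separate `apk update` and the trailing `rm -rf /var/cache/apk/*` of the original
# were redundant. Package versions are unpinned (hadolint DL3018); the build is only
# as reproducible as the alpine:3.20 tag. `shadow` supplies useradd/usermod/chpasswd
# used further down.
RUN apk upgrade --no-cache \
    && apk add --no-cache \
        apache2 \
        apache2-ssl \
        bash \
        curl \
        iputils \
        openssh \
        php82 \
        php82-apache2 \
        php82-mysqli \
        php82-session \
        shadow \
        sudo \
        supervisor \
        vim

# the user players will need to have access as
RUN useradd -m -s /bin/bash agent \
    && echo "agent:secure" | chpasswd

# apache2 config: move the default port from 80 to 8080.
# The two edits are grouped so that `|| true` covers only the best-effort pass over
# conf.d (the original `a && b || true` also masked a failure of the httpd.conf edit).
# The conf.d pass rewrites every "80" substring in those files, not only port numbers;
# it is kept as-is to preserve behaviour but is worth narrowing.
RUN sed -i 's/^Listen 80/Listen 8080/' /etc/apache2/httpd.conf \
    && { sed -i 's/80/8080/g' /etc/apache2/conf.d/*.conf || true; }

# remove default apache2 index.html
RUN rm -f /var/www/localhost/htdocs/index.html

# enable php module in apache
RUN echo "LoadModule php_module /usr/lib/apache2/mod_php82.so" > /etc/apache2/conf.d/php.conf

# copy the app
COPY ./www/ /var/www/localhost/htdocs/

# generate sshd host keys; sshd does not start without them.
# They are baked into an image layer, so every container started from this image
# shares the same host identity — generate them at container start if that matters.
RUN ssh-keygen -A

# give upload permissions to the apache user (owner rwx, group/others read+traverse)
RUN chown -R apache:apache /var/www/localhost/htdocs/confidential/uploads \
    && chmod -R 755 /var/www/localhost/htdocs/confidential/uploads

# let the apache user into the agent home: apache joins group agent, home becomes 750
RUN usermod -aG agent apache \
    && chmod 750 /home/agent

RUN mkdir /var/run/sshd

# (suggestion)
# for the privesc, vim allowed to be run with sudo without password
# https://gtfobins.github.io/gtfobins/vim/
RUN echo 'agent ALL=(ALL) NOPASSWD: /usr/bin/vim, /usr/bin/sudo -l' > /etc/sudoers.d/agent \
    && chmod 0440 /etc/sudoers.d/agent

# copy the agent user creds. 0777 makes the file world-readable AND world-writable;
# it does not set the setuid bit (the original comment said "suid"). If only reading
# is intended, 0644 suffices — NOTE(review) confirm.
COPY ./config/creds.txt /home/agent/
RUN chmod 777 /home/agent/creds.txt

# copy the secret codes owned by root (no setuid bit involved); --chown replaces the
# separate chown layer of the original and yields the same ownership
COPY --chown=root:root ./config/codes.txt /root/

RUN mkdir -p /run/httpd && chown apache:apache /run/httpd

# 22 port -> ssh, 8080 port -> webserver (EXPOSE is documentation only; publish with -p)
EXPOSE 22 8080

# config of supervisord to have both apache2 and sshd services running
COPY config/supervisord.conf /etc/supervisor.d/httpd.ini

# start supervisord in the foreground as PID 1 (exec form, so it receives SIGTERM from
# `docker stop`). No USER switch: supervisord stays root so sshd can bind 22 and
# manage logins — NOTE(review) confirm this is required by supervisord.conf.
CMD ["/usr/bin/supervisord", "-n", "-c", "/etc/supervisor.d/httpd.ini"]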