1.0.61 Update Dockerfile for www

.build/database/Dockerfile

@@ -0,0 +1,14 @@
+# webpwnized/mutillidae:database
+
+# Start with latest version of MariaDB official image
+FROM mariadb:latest
+
+# Set environment variable for MySQL root password
+ENV MYSQL_ROOT_PASSWORD="mutillidae"
+
+# Combine apt-get commands and handle failures gracefully
+RUN apt-get update && \
+    apt-get -y upgrade && \
+    apt-get -y autoremove && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* || true

.build/database_admin/Dockerfile

@@ -0,0 +1,24 @@
+# webpwnized/mutillidae:database_admin
+
+# Start with phpmyadmin official image
+# Documentation: https://hub.docker.com/_/phpmyadmin
+FROM phpmyadmin:latest
+
+# The name of the database container
+ENV PMA_HOST="database"
+
+# Create credentials
+ENV MYSQL_ROOT_PASSWORD="mutillidae"
+ENV PMA_USER="root"
+ENV PMA_PASSWORD="mutillidae"
+
+# Try to patch the container but do not fail if patching fails
+# Remove the apt-get lists after installation
+RUN apt-get update && \
+    apt-get -y upgrade && \
+    apt-get -y autoremove && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* || true
+
+# Open port 80 to the webserver
+EXPOSE 80

.build/docker-compose.yml

@@ -0,0 +1,85 @@
+# Documentation: https://github.com/compose-spec/compose-spec/blob/master/spec.md
+# Purpose: Build local containers for the Mutillidae environment
+
+version: '3.7'
+services:
+
+  database:
+    container_name: database
+    image: webpwnized/mutillidae:database
+    build: 
+        context: ./database
+        dockerfile: Dockerfile
+    networks:
+      - datanet   
+
+  database_admin:
+    container_name: database_admin
+    depends_on:
+      - database
+    image: webpwnized/mutillidae:database_admin
+    build:
+        context: ./database_admin
+        dockerfile: Dockerfile
+    ports:
+      - 127.0.0.1:81:80
+    networks:
+      - datanet   
+
+# Port 8888 is for StackHawk to scan
+  www:
+    container_name: www
+    depends_on:
+      - database
+      - directory
+    image: webpwnized/mutillidae:www
+    build:
+        context: ./www
+        dockerfile: Dockerfile
+    ports:
+      - 127.0.0.1:80:80
+      - 127.0.0.1:8888:80
+      - 127.0.0.1:443:443
+      # - 127.0.0.2:80:80
+      # - 127.0.0.2:8888:80
+      # - 127.0.0.2:443:443
+    networks:
+      - datanet
+      - ldapnet
+
+  directory:
+    container_name: directory
+    image: webpwnized/mutillidae:ldap
+    build:
+        context: ./ldap
+        dockerfile: Dockerfile
+    volumes:
+      - ldap_data:/var/lib/ldap
+      - ldap_config:/etc/ldap/slapd.d
+    ports:
+      - 127.0.0.1:389:389
+    networks:
+      - ldapnet
+
+  directory_admin:
+    container_name: directory_admin
+    depends_on:
+      - directory
+    image: webpwnized/mutillidae:ldap_admin
+    build:
+        context: ./ldap_admin          
+        dockerfile: Dockerfile
+    ports:
+      - 127.0.0.1:82:80
+    networks:
+      - ldapnet
+
+# Volumes to persist data used by the LDAP server
+volumes:
+  ldap_data:
+  ldap_config:
+
+# Create network segments for the containers to use
+networks:
+    datanet:
+    ldapnet:

.build/ldap/Dockerfile

@@ -0,0 +1,25 @@
+# webpwnized/mutillidae:ldap
+
+# Not an official repo
+# Documentation: https://hub.docker.com/r/osixia/openldap
+# Source: https://github.com/osixia/docker-openldap
+# Uploading the Mutillidae LDIF data: ldapadd -c -x -D "cn=admin,dc=mutillidae,dc=localhost" -w mutillidae -H ldap:// -f mutillidae.ldif
+
+FROM osixia/openldap:latest
+
+# Set up the LDAP configuration
+ENV LDAP_ORGANISATION="Mutillidae Inc"
+ENV LDAP_DOMAIN="mutillidae.localhost"
+ENV LDAP_BASE_DN="dc=mutillidae,dc=localhost"
+ENV LDAP_ADMIN_PASSWORD="mutillidae"
+ENV LDAP_CONFIG_PASSWORD="mutillidae"
+ENV LDAP_TLS="false"
+
+# Commented out because patching caused issues
+# Patch the container
+# Remove the apt-get lists after installation
+# RUN apt-get update && \
+#    apt-get -y upgrade && \
+#    apt-get -y autoremove && \
+#    apt-get clean && \
+#    rm -rf /var/lib/apt/lists/*

.build/ldap/ldif/mutillidae.ldif

@@ -0,0 +1,97 @@
+version: 1
+
+dn: dc=mutillidae,dc=localhost
+objectClass: organization
+objectClass: dcObject
+objectClass: top
+dc: mutillidae
+o: mutillidae
+
+dn: cn=admin,dc=mutillidae,dc=localhost
+objectClass: organizationalRole
+objectClass: simpleSecurityObject
+cn: admin
+userPassword: {SSHA}jnKvM5dTUPJGYEwAiAqdHrEG/Yavkiyc
+description: LDAP administrator
+
+dn: ou=rooms,dc=mutillidae,dc=localhost
+objectClass: top
+objectClass: organizationalUnit
+ou: rooms
+
+dn: ou=users,dc=mutillidae,dc=localhost
+objectClass: top
+objectClass: organizationalUnit
+ou: users
+
+dn: ou=groups,dc=mutillidae,dc=localhost
+objectClass: top
+objectClass: organizationalUnit
+ou: groups
+
+dn: cn=1F104,ou=rooms,dc=mutillidae,dc=localhost
+objectClass: top
+objectClass: room
+cn: 1F104
+description: 1st Floor Conference Room
+roomNumber: 104
+
+dn: cn=2F204,ou=rooms,dc=mutillidae,dc=localhost
+objectClass: top
+objectClass: room
+cn: 2F204
+description: 2nd Floor Conference Room
+roomNumber: 204
+
+dn: cn=Joes Place,ou=rooms,dc=mutillidae,dc=localhost
+objectClass: top
+objectClass: room
+cn: Joes Place
+
+dn: cn=fred,ou=users,dc=mutillidae,dc=localhost
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: fred
+sn: mack
+uid: fred
+userPassword: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
+
+dn: cn=sally,ou=users,dc=mutillidae,dc=localhost
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: sally
+sn: up
+uid: sally
+userPassword: {SHA}cMzZAHM41tgd07YnFiG5z5qX6gA=
+
+dn: cn=jeremy,ou=users,dc=mutillidae,dc=localhost
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: jeremy
+sn: d
+uid: jeremy
+userPassword: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
+
+dn: cn=phinius,ou=users,dc=mutillidae,dc=localhost
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+cn: phinius
+sn: smith
+uid: phinius
+userPassword: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
+
+dn: cn=admins,ou=groups,dc=mutillidae,dc=localhost
+objectClass: top
+objectClass: groupOfNames
+cn: admins
+member: cn=jeremy,ou=users,dc=mutillidae,dc=localhost
+member: cn=fred,ou=users,dc=mutillidae,dc=localhost
+

.build/ldap_admin/Dockerfile

@@ -0,0 +1,22 @@
+# webpwnzied/mutillidae:ldap_admin
+
+# Not an official repo
+# Documentation: https://hub.docker.com/r/osixia/phpldapadmin
+FROM osixia/phpldapadmin:latest
+
+# The hostname of the ldap service configured in docker-compose.yml configuration
+ENV PHPLDAPADMIN_LDAP_HOSTS="directory"
+
+# Whether to use HTTPS (port 443) or HTTP (port 80) for web interface
+ENV PHPLDAPADMIN_HTTPS="false"
+
+# Try to patch the container but do not fail if patching fails
+# Remove the apt-get lists after installation
+RUN apt-get update && \
+    apt-get -y upgrade && \
+    apt-get -y autoremove && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* || true
+
+# Open port 80 through the firewall
+EXPOSE 80

.build/www/Dockerfile

@@ -0,0 +1,125 @@
+# Container image: webpwnized/mutillidae:www
+# From project root, build with: 
+#   docker build --file .build/www/Dockerfile --tag webpwnized/mutillidae:www .
+#       docker build: This is the command to build a Docker image.
+#       --file .build/www/Dockerfile: This specifies the path to the Dockerfile you want to use. In this case, it's .build/www/Dockerfile.
+#       --tag webpwnized/mutillidae:www: This tags the resulting Docker image with a name (webpwnized/mutillidae) and a tag (www).
+#       .: This is the build context. It indicates the directory to be used for the build process. The Docker daemon will send this directory's contents to the Docker engine. In this case, the dot represents the current directory.
+#
+# From project root, run with:
+#   docker-compose --file .build/docker-compose.yml up --detach
+#       docker-compose: This is the Docker Compose command-line tool used for managing multi-container Docker applications.
+#       --file .build/docker-compose.yml: This option (--file or -f) specifies the path to the docker-compose.yml file. In this case, it’s located at .build/docker-compose.yml.
+#       up: This subcommand tells Docker Compose to create and start the containers defined in the docker-compose.yml file. If the containers do not exist, they will be created. If they already exist, they will be started.
+#       --detach: This option (--detach or -d) runs the containers in the background (detached mode). When you use this option, Docker Compose will start the containers and return control to the terminal, allowing you to continue using it for other commands or tasks.
+
+# Start with recent version of PHP with Apache 
+# https://hub.docker.com/_/php?tab=tags&page=1&ordering=last_updated&name=apache
+FROM php:apache
+
+# Arguments with default values, but can be overidden
+ARG DATABASE_HOST="database"
+ARG DATABASE_USERNAME="root"
+ARG DATABASE_PASSWORD="mutillidae"
+ARG DATABASE_NAME="mutillidae"
+ARG DATABASE_PORT="3306"
+
+
+# ######################### #
+# Install software packages #
+# ######################### #
+
+# Update software packages
+# Install PHP requirements used by Mutillidae II: php-xml, php-mbstring, php-curl, php-mysql, php-ldap
+# Install nslookup to enable the command injection vulnerabilities
+# Install ntp package for Lab #12
+# Install ping package for Lab #13
+# Install git
+# Copy the mutillidae project to Apache web files directory
+# uninstall git
+# Patch the container
+# Remove the apt-get lists after installation
+# Add the user for Lab #17
+RUN apt-get update && \
+    apt-get install -y libldap2-dev && docker-php-ext-install ldap && \
+    apt-get install -y libxml2-dev && docker-php-ext-install xml && \
+    apt-get install -y libonig-dev && docker-php-ext-install mbstring && \
+    apt-get install -y libcurl4-openssl-dev && docker-php-ext-install curl && \ 
+    docker-php-ext-install mysqli && \
+    apt-get install -y dnsutils ntp iputils-ping git && \
+    cd /tmp && \
+    git clone https://github.com/webpwnized/mutillidae.git mutillidae && \
+    cp -r mutillidae/src /var/www/mutillidae && \
+    rm -rf /tmp/mutillidae && \ 
+    apt-get remove -y git && \
+    apt-get -y upgrade && \
+    apt-get -y autoremove && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* && \
+    useradd -M phinius -p 123456
+
+# #################################### #
+# Configure the PHP application server #
+# #################################### #
+# Use development version of the PHP ini file
+# Make PHP vulnerable to RFI again
+# Ensure the PHP server banner shows in the HTTP response
+RUN cp /usr/local/etc/php/php.ini-development /usr/local/etc/php/php.ini && \
+    sed -i 's/allow_url_include = Off/allow_url_include = On/g' /usr/local/etc/php/php.ini && \
+    sed -i 's/allow_url_fopen = Off/allow_url_fopen = On/g' /usr/local/etc/php/php.ini && \
+    sed -i 's/expose_php = Off/expose_php = On/g' /usr/local/etc/php/php.ini
+
+
+# ######################### #
+# Configure the application #
+# ######################### #
+
+# Remove the .htaccess file since the containers will use container network security rather than htaccess access control
+# Change the database configuration variables in the mutillidae project, allowing the user to override using build arguments
+RUN rm /var/www/mutillidae/.htaccess && \
+    sed -i "s/define('DB_HOST', '127.0.0.1');/define('DB_HOST', '$DATABASE_HOST');/" /var/www/mutillidae/includes/database-config.inc && \
+    sed -i "s/define('DB_USERNAME', 'root');/define('DB_USERNAME', '$DATABASE_USERNAME');/" /var/www/mutillidae/includes/database-config.inc && \
+    sed -i "s/define('DB_PASSWORD', 'mutillidae');/define('DB_PASSWORD', '$DATABASE_PASSWORD');/" /var/www/mutillidae/includes/database-config.inc && \
+    sed -i "s/define('DB_NAME', 'mutillidae');/define('DB_NAME', '$DATABASE_NAME');/" /var/www/mutillidae/includes/database-config.inc && \
+    sed -i "s/define('DB_PORT', 3306);/define('DB_PORT', $DATABASE_PORT);/" /var/www/mutillidae/includes/database-config.inc
+
+# ######################## #
+# Configure the web server #
+# ######################## #
+
+# Change the hostname of the ldap server to the docker ldap hostname
+# Copy the TLS certificate files from mutillidae into cert directories
+# Copy the host entries into the host file
+# Copy the Apache configuration from Mutillidae into Apache conf
+# Change the localhost references to listen on external network interfaces
+# Unlink access log and error log so the log files can be written in the container
+# Make sure access log and error log exist
+# Enable Apache TLS modules
+# Disable the default site because it intercepts calls to Mutillidae made by IP address
+# Enable the mutillidae site
+RUN sed -i 's/127.0.0.1/directory/' /var/www/mutillidae/includes/ldap-config.inc && \
+    cp /var/www/mutillidae/configuration/https-certificate/mutillidae-selfsigned.crt /etc/ssl/certs/mutillidae-selfsigned.crt  && \
+    cp /var/www/mutillidae/configuration/https-certificate/mutillidae-selfsigned.key /etc/ssl/private/mutillidae-selfsigned.key && \
+    mkdir /etc/apache2/conf/ && \
+    cp /var/www/mutillidae/configuration/apache-configuration/conf/error-pages.conf /etc/apache2/conf/error-pages.conf && \
+    cp /var/www/mutillidae/configuration/apache-configuration/conf/headers.conf /etc/apache2/conf/headers.conf && \
+    mkdir /etc/apache2/error-pages/ && \
+    cp /var/www/mutillidae/configuration/apache-configuration/error-pages/404.html /etc/apache2/error-pages/404.html && \
+    cp /var/www/mutillidae/configuration/apache-configuration/error-pages/oops.jpg /etc/apache2/error-pages/oops.jpg && \
+    cp /var/www/mutillidae/configuration/apache-configuration/conf-available/aliases.conf /etc/apache2/conf-available/aliases.conf && \
+    cp /var/www/mutillidae/configuration/apache-configuration/sites-available/mutillidae.conf /etc/apache2/sites-available/mutillidae.conf && \
+    sed -i 's/127.0.0.1/0.0.0.0/' /etc/apache2/sites-available/mutillidae.conf && \
+    sed -i 's/127.0.0.2/0.0.0.0/' /etc/apache2/sites-available/mutillidae.conf && \
+    unlink /var/log/apache2/access.log && \
+    unlink /var/log/apache2/error.log && \
+    touch /var/log/apache2/access.log && \
+    touch /var/log/apache2/error.log && \
+    a2enmod ssl && \
+    a2dissite 000-default && \
+    a2ensite mutillidae
+
+
+# Open ports 80,443 in the container firewall
+# This exposes HTTP and HTTPS
+EXPOSE 80
+EXPOSE 443