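# Base image for the lab container. The tag is a moving reference; pin it by
# digest if the lab has to rebuild bit-for-bit identically.
FROM ubuntu:22.04
# Build-time only: silences debconf prompts for the RUN steps of this stage
# without leaving DEBIAN_FRONTEND set in the running container's environment
# (an ENV would persist into every process started from the image).
ARG DEBIAN_FRONTEND=noninteractive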

# Services and tooling baked into the image: cron, MySQL server, OpenSSH
# server, python3 and basic network/file utilities. Index refresh, install and
# removal of the apt lists happen in one layer so the lists never persist.
# NOTE(review): --no-install-recommends is not used; adding it would shrink
# the image but changes the installed package set — confirm nothing in the
# lab relies on a recommended package before switching.
RUN apt-get update \
 && apt-get install -y \
        cron \
        findutils \
        iproute2 \
        iputils-ping \
        mysql-server \
        net-tools \
        openssh-server \
        python3 \
 && rm -rf /var/lib/apt/lists/*

# ── SSH ──
# Intentional lab configuration: two password-only accounts (dbadmin and
# root) and an sshd that accepts password logins, root included.
# Both passwords are literals in the RUN command, so they are stored in the
# image's build history as well as in /etc/shadow.
# Hardened counterpart on a real host: key-based authentication only
# (PasswordAuthentication no) and PermitRootLogin left at prohibit-password
# or set to no.
# sed exits 0 even when no line matches, so a changed default in the base
# image would leave sshd_config untouched without failing the build; the third
# expression covers a PermitRootLogin line that is already uncommented.
RUN mkdir -p /var/run/sshd \
 && useradd -m -s /bin/bash dbadmin \
 && echo 'dbadmin:Mysql@2024!' | chpasswd \
 && echo 'root:Toor_R00t!' | chpasswd \
 && sed -i \
        -e 's/#PasswordAuthentication yes/PasswordAuthentication yes/' \
        -e 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' \
        -e 's/PermitRootLogin prohibit-password/PermitRootLogin yes/' \
        /etc/ssh/sshd_config

# ── MySQL: listen on all interfaces ──
# Intentional lab configuration: both the classic and the X-protocol listener
# are rebound from their packaged value to 0.0.0.0. Hardened counterpart: keep
# the listeners on loopback or a private interface and require a password for
# every account.
# '|| true' keeps the build going when mysqld.cnf is missing, so a layout
# change in the package would go unnoticed at build time.
# A passwordless MySQL root and an application account are part of the lab
# design but are not created in this step — presumably done by init_db.sql or
# start.sh; confirm.
RUN sed -i \
        -e 's/^bind-address\s*=.*/bind-address = 0.0.0.0/' \
        -e 's/^mysqlx-bind-address\s*=.*/mysqlx-bind-address = 0.0.0.0/' \
        /etc/mysql/mysql.conf.d/mysqld.cnf \
 || true

# ── Flag ──
# Goal file of the exercise, restricted to root (mode 600) inside the
# container.
# The flag value is a literal in the RUN command, so it is also recorded in
# the image's build history and layer contents; if the image itself is handed
# to participants, write the flag at container start instead.
RUN echo "FLAG{file_upload_mysql_cron_pwn3d!}" > /root/flag.txt \
 && chmod 600 /root/flag.txt

# ── Backup script run from cron (the lab's intended escalation vector) ──
# The script is generated one line per printf argument; single quotes keep
# $(date) literal so it is evaluated when the script runs, not at build time.
# INTENTIONAL VULNERABILITY: mode 777 makes the script writable by every local
# user, dbadmin included, while /etc/cron.d/db-backup runs it as root.
# Hardened counterpart: root-owned script, mode 0755 or stricter, in a
# directory only root can write. Audit check: list the files referenced from
# cron entries and flag any that are group- or world-writable.
RUN mkdir -p /opt/scripts \
 && printf '%s\n' \
        '#!/bin/bash' \
        '# DB backup script' \
        'mysqldump -u root corp_db > /tmp/backup.sql 2>/dev/null' \
        'echo "Backup completed: $(date)" >> /var/log/backup.log' \
        > /opt/scripts/backup.sh \
 && chmod 777 /opt/scripts/backup.sh

# System crontab fragment: runs /opt/scripts/backup.sh as root every minute.
# The fragment itself is mode 644; cron expects files in /etc/cron.d to be
# root-owned and not group- or world-writable.
RUN echo '* * * * * root /opt/scripts/backup.sh' > /etc/cron.d/db-backup \
 && chmod 644 /etc/cron.d/db-backup

# ── Hint for dbadmin ──
# Leaves a note in dbadmin's home directory pointing at /etc/cron.d/ (the text
# reads "scheduled tasks in /etc/cron.d/") and hands the file to that user.
RUN echo "Tareas programadas en /etc/cron.d/" > /home/dbadmin/hint.txt \
 && chown dbadmin:dbadmin /home/dbadmin/hint.txt

# Start-up script and database seed, taken from the build context. Their
# contents are not visible here, so what they configure at runtime has to be
# reviewed separately.
COPY start.sh /start.sh
COPY init_db.sql /opt/init_db.sql
# COPY preserves the source file mode; make sure the entrypoint is executable.
RUN chmod +x /start.sh

# Service ports of the lab: SSH and MySQL. EXPOSE is metadata only; nothing is
# reachable from outside until the operator publishes the ports.
EXPOSE 22
EXPOSE 3306

# No USER instruction precedes this, so start.sh runs as root.
# NOTE(review): presumably it launches sshd, mysqld and cron — confirm against
# start.sh.
CMD ["/start.sh"]
