# ══════════════════════════════════════════════════════════
# ICOA Sandbox — Stable Competition Environment
# 110 system commands at locked versions (sleuthkit added v2.19.83)
# Same image on Mac / Linux / Windows (Docker)
# Image: icoa/sandbox:2026
# ══════════════════════════════════════════════════════════

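# Base image. The 24.04 tag is mutable: it is re-published as Ubuntu ships
# updates, so two builds of this file can start from different bases. For an
# image that must be identical for every competitor, pin the digest as well:
#   FROM ubuntu:24.04@sha256:<DIGEST_OF_REVIEWED_BASE_IMAGE>
# NOTE(review): the apt-get install lines in this file name no package
# versions, so the "locked versions" promise for system commands holds only
# for a given base image plus archive state — confirm how releases are frozen.
FROM ubuntu:24.04

# Build-time only: silences apt/debconf prompts in the RUN steps without
# leaving the variable in the environment of the running container.
ARG DEBIAN_FRONTEND=noninteractive
ENV LANG=C.UTF-8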

# ──────────────────────────────────────────────────────────
# [1/13] Editors & Terminal (5): vim nano tmux screen less
# ──────────────────────────────────────────────────────────
# Editors, terminal multiplexers and a pager. The apt index is refreshed and
# deleted inside the same layer, so it is never stored in the image.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        less \
        nano \
        screen \
        tmux \
        vim \
    && rm -rf /var/lib/apt/lists/*

# ──────────────────────────────────────────────────────────
# [2/13] Compilers & Build (8): gcc g++ make as ld nasm cmake pkg-config
# ──────────────────────────────────────────────────────────
# C/C++ toolchain and build helpers. The assembler and linker named in the
# section header are expected to come from the binutils package.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        binutils \
        cmake \
        g++ \
        gcc \
        make \
        nasm \
        pkg-config \
    && rm -rf /var/lib/apt/lists/*

# ──────────────────────────────────────────────────────────
# [3/13] Python 3.12 Runtime (3): python3 python3-pip python3-venv
# ──────────────────────────────────────────────────────────
# Distro Python interpreter plus pip and venv support; the interpreter
# version is whatever the base release ships.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        python3 \
        python3-pip \
        python3-venv \
    && rm -rf /var/lib/apt/lists/*

# ──────────────────────────────────────────────────────────
# [4/13] Networking (12): curl wget nc socat nmap ssh dig whois
#        ping traceroute tcpdump tshark
# ──────────────────────────────────────────────────────────
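# Network clients, scanners and capture tools.
# ca-certificates is listed explicitly: with --no-install-recommends the HTTPS
# trust store is otherwise present only if some other package happens to
# depend on it (presumably the case today — confirm). The curl, wget and git
# downloads in this file rely on it for certificate verification.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        dnsutils \
        iputils-ping \
        netcat-openbsd \
        nmap \
        openssh-client \
        socat \
        tcpdump \
        traceroute \
        tshark \
        wget \
        whois \
    && rm -rf /var/lib/apt/lists/*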

# ──────────────────────────────────────────────────────────
# [5/13] Debuggers & Tracing (5): gdb ltrace strace objdump readelf
# ──────────────────────────────────────────────────────────
# Debugger and call tracers. objdump and readelf from the section header are
# not installed here; they are expected to come with binutils.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        gdb \
        ltrace \
        strace \
    && rm -rf /var/lib/apt/lists/*

# ──────────────────────────────────────────────────────────
# [6/13] Reverse Engineering (4): radare2 r2 rabin2 upx
# ──────────────────────────────────────────────────────────
# Reverse-engineering framework and executable packer from the distro archive.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        radare2 \
        upx \
    && rm -rf /var/lib/apt/lists/*

# ──────────────────────────────────────────────────────────
# [7/13] Forensics (8): binwalk foremost exiftool steghide strings file xxd
#        + sleuthkit (mmls fls icat blkcat img_stat istat ... 20+ sub-cmds)
#        sleuthkit aligns with picoCTF Primer disk-forensics chapter
# ──────────────────────────────────────────────────────────
# File carving, metadata, steganography and disk-image forensics tools.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        binwalk \
        exiftool \
        file \
        foremost \
        sleuthkit \
        steghide \
        xxd \
    && rm -rf /var/lib/apt/lists/*

# ──────────────────────────────────────────────────────────
# [8/13] Crypto & Password (4): john hashcat openssl gpg
# ──────────────────────────────────────────────────────────
# Password-recovery tools plus the OpenSSL and GnuPG command-line clients.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        gpg \
        hashcat \
        john \
        openssl \
    && rm -rf /var/lib/apt/lists/*

# ──────────────────────────────────────────────────────────
# [9/13] Data Processing (8): jq sqlite3 pdftotext base64 hexdump od sort uniq
# ──────────────────────────────────────────────────────────
# JSON, SQLite, PDF-to-text and general text/byte utilities.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        bsdmainutils \
        coreutils \
        jq \
        poppler-utils \
        sqlite3 \
    && rm -rf /var/lib/apt/lists/*

# ──────────────────────────────────────────────────────────
# [10/13] Archive (6): unzip zip tar gzip bzip2 xz
# ──────────────────────────────────────────────────────────
# Archive and compression tools.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        bzip2 \
        gzip \
        tar \
        unzip \
        xz-utils \
        zip \
    && rm -rf /var/lib/apt/lists/*

# ──────────────────────────────────────────────────────────
# [11/13] Core Unix (16): cat grep sed awk find head tail wc
#         diff patch chmod chown ln cp mv mkdir
#         (all from coreutils — pre-installed in Ubuntu)
# ──────────────────────────────────────────────────────────

# ──────────────────────────────────────────────────────────
# [12/13] Version Control (1): git
# ──────────────────────────────────────────────────────────
# git is also a build-time dependency: a later step in this file clones
# pwndbg with it.
RUN apt-get update \
    && apt-get install -y --no-install-recommends git \
    && rm -rf /var/lib/apt/lists/*

# ──────────────────────────────────────────────────────────
# [13/13] Web Security (1): sqlmap
# ──────────────────────────────────────────────────────────
# Shared version-lock — single source of truth with src/commands/env.ts.
# pip -c constrains direct + transitive deps to the versions declared once
# in constraints.txt, so host setup and this image can never drift apart.
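COPY constraints.txt /tmp/constraints.txt
# sqlmap carries no version on this line; it is fixed only if constraints.txt
# lists it (that file is not visible here — confirm).
# --break-system-packages lets pip write into the distro-managed system Python
# instead of a virtual environment.
# --no-cache-dir keeps pip's download cache out of the image layer.
# NOTE(review): a constraints file pins versions but not artifact contents;
# hash-checked requirements would be needed to also pin what is downloaded.
RUN pip3 install --no-cache-dir --break-system-packages \
    -c /tmp/constraints.txt \
    sqlmap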

# ══════════════════════════════════════════════════════════
# Python Libraries — ALL LOCKED VERSIONS (27 packages)
# ══════════════════════════════════════════════════════════
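# CTF Python libraries, installed into the system interpreter under the shared
# constraints file. --no-cache-dir keeps pip's download cache out of the layer.
#
# NOTE(review): one_gadget, seccomp-tools, pngcheck, rsactftool, angr and
# ipython have no version on this line. They are locked only if
# constraints.txt lists them; otherwise pip resolves whatever is newest at
# build time — confirm against constraints.txt.
# NOTE(review): the explicit pins are fixed points in time. Run a dependency
# audit (e.g. pip-audit) against constraints.txt before each release of the
# image, since competitors run untrusted challenge files through these parsers.
RUN pip3 install --no-cache-dir --break-system-packages \
    -c /tmp/constraints.txt \
    pwntools==4.12.0 \
    pycryptodome==3.20.0 \
    requests==2.31.0 \
    beautifulsoup4==4.12.3 \
    z3-solver==4.13.0.0 \
    sympy==1.12 \
    gmpy2==2.3.0 \
    scapy==2.5.0 \
    pillow==10.2.0 \
    numpy==1.26.4 \
    pefile==2024.8.26 \
    capstone==5.0.6 \
    ropper==1.13.8 \
    ROPgadget==7.4 \
    one_gadget \
    seccomp-tools \
    pngcheck \
    uncompyle6==3.9.1 \
    rsactftool \
    angr \
    flask==3.0.0 \
    cryptography==42.0.0 \
    paramiko==3.4.0 \
    python-magic==0.4.27 \
    yara-python==4.5.0 \
    ipython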

# ══════════════════════════════════════════════════════════
# GDB Enhancement — pwndbg (default) + bata24/gef (via `gdb-gef`)
# pwndbg loads in the default ~/.gdbinit; bata24/gef ships as a single file
# behind a wrapper because the two extensions clash if co-loaded. gdb-peda is
# deprecated and intentionally not installed.
# ══════════════════════════════════════════════════════════
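# pwndbg is cloned and its setup.sh executed at build time (as root, since no
# USER is set), so the upstream repository is inside this image's trust
# boundary. Without a ref the clone follows the default branch and every
# rebuild can yield a different image. Pin it with
#   --build-arg PWNDBG_REF=<REVIEWED_TAG_OR_COMMIT>
# The empty default keeps the previous behaviour (default-branch HEAD).
ARG PWNDBG_REF=""
RUN git clone https://github.com/pwndbg/pwndbg.git /opt/pwndbg \
    && cd /opt/pwndbg \
    && if [ -n "${PWNDBG_REF}" ]; then git checkout --detach "${PWNDBG_REF}"; fi \
    && ./setup.sh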
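# gef.py is sourced by the gdb-gef wrapper, so it runs as code in every
# debugging session started through it. Fetching it from a moving branch with
# no integrity check means the image content depends on upstream at build time.
#   GEF_REF     git ref to download from (default keeps the previous behaviour)
#   GEF_SHA256  expected SHA-256 of gef.py; verified when non-empty
# Release builds should set both, e.g.
#   --build-arg GEF_REF=<REVIEWED_COMMIT> --build-arg GEF_SHA256=<SHA256_OF_GEF_PY>
ARG GEF_REF=master
ARG GEF_SHA256=""
RUN wget -qO /root/.gef-bata24.py \
        "https://raw.githubusercontent.com/bata24/gef/${GEF_REF}/gef.py" \
    && if [ -n "${GEF_SHA256}" ]; then \
           echo "${GEF_SHA256}  /root/.gef-bata24.py" | sha256sum -c -; \
       fi \
    && printf '#!/bin/sh\nexec gdb -q -nx -ex "source /root/.gef-bata24.py" "$@"\n' > /usr/local/bin/gdb-gef \
    && chmod +x /usr/local/bin/gdb-gef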

# Radare2 Ghidra plugin
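# Best-effort install: a failure must not break the build, but it is reported
# on stderr so a build log review shows when the image ships without the
# plugin that the command summary counts.
# NOTE(review): r2pm presumably fetches the plugin from upstream at build
# time with no version given here — confirm and pin if it can be.
RUN r2pm -i r2ghidra \
    || echo "WARNING: r2pm could not install r2ghidra; image built without it" >&2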

# CyberChef CLI
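# CyberChef CLI from the npm registry.
#   CYBERCHEF_CLI_VERSION  version or dist-tag to install; "latest" is what an
#                          unversioned npm install resolves to, so the default
#                          keeps the previous behaviour. Release builds should
#                          pass --build-arg CYBERCHEF_CLI_VERSION=<REVIEWED_VERSION>.
# The npm cache is cleared in the same layer so it is not stored in the image.
# NOTE(review): a global npm install may run package install scripts during
# the build; confirm cyberchef-cli is the intended publisher's package.
ARG CYBERCHEF_CLI_VERSION=latest
RUN apt-get update \
    && apt-get install -y --no-install-recommends nodejs npm \
    && npm install -g "cyberchef-cli@${CYBERCHEF_CLI_VERSION}" \
    && npm cache clean --force \
    && rm -rf /var/lib/apt/lists/*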

# ══════════════════════════════════════════════════════════
# Lock down: remove package managers (anti-cheat)
# ══════════════════════════════════════════════════════════
# Deletes the apt, pip and npm launchers from /usr/bin.
# NOTE(review): this removes entry points only. The packages behind them are
# not uninstalled, the image keeps compilers and network clients, and no USER
# is set, so the shell runs as root. Treat this step as a speed bump and
# enforce the no-install rule with runtime controls (for example network
# egress policy or a read-only root filesystem) — confirm which are in place.
RUN rm -f \
        /usr/bin/apt \
        /usr/bin/apt-get \
        /usr/bin/npm \
        /usr/bin/npx \
        /usr/bin/pip \
        /usr/bin/pip3

# ══════════════════════════════════════════════════════════
# Environment
# ══════════════════════════════════════════════════════════
# WORKDIR creates missing path components, so the first instruction makes both
# the home directory and its challenges/ subdirectory; the second leaves the
# shell in the competitor's home.
WORKDIR /home/competitor/challenges
WORKDIR /home/competitor
# NOTE(review): no USER instruction appears in this file, so the interactive
# shell starts as the base image's default user (root). The gdb setup above
# lives under /root (pwndbg's ~/.gdbinit, /root/.gef-bata24.py), so moving to
# an unprivileged user means relocating those files as well.
CMD ["/bin/bash"]

# ══════════════════════════════════════════════════════════
# Command Count Summary:
#   Editors & Terminal:     5
#   Compilers & Build:      8
#   Python Runtime:         3
#   Networking:            12
#   Debuggers & Tracing:    5
#   Reverse Engineering:    4
#   Forensics:              8  (sleuthkit adds 20+ sub-binaries)
#   Crypto & Password:      4
#   Data Processing:        8
#   Archive:                6
#   Core Unix:             16
#   Version Control:        1
#   Web Security:           1
#   Python Libraries:      27
#   GDB/r2 Plugins:         2
#   ─────────────────────────
#   Total:                110
#
#   + 19 ICOA commands = 129 total
#
# Note: sleuthkit is a meta-package; counted as 1 here but
# installs mmls, fls, icat, blkcat, img_stat, istat, blkls,
# blkstat, blkcalc, ils, jls, jcat, srch_strings, sigfind,
# sorter, hfind, mactime, tsk_gettimes, tsk_recover,
# tsk_imageinfo, tsk_loaddb, ffind (~22 binaries).
# ══════════════════════════════════════════════════════════
