INTRO

Welcome to our new article. Today we are going to create a password-protected web server. Our web server will ask for a username and password before it serves anything: the first request gets a 401 response carrying a WWW-Authenticate header, and the browser then resends the same request with an Authorization header that carries the credentials. This is very useful for a HTB beginner or any CTF beginner, because many CTFs have this kind of challenge. We are not going to hack a protected web server, maybe some other day.

But before starting this tutorial, I would like to suggest some previous posts of mine:

What is the hosts file

How To Host Multiple Websites On Localhost

Phishing Attack

Read them only if you have time. You can also watch the Xampp (web server) video on our YouTube channel.

 

REQUIREMENTS

Linux OS (recommended)

Apache web server

Knowledge of our previous posts related to the Apache web server

 

STEPS

You may have seen some websites on Tor that show a pop-up asking for credentials before you can visit the site. That is what we are going to create. There are probably Python scripts that do the same thing I am going to do here; you can search for them on Google yourself.

Θ Go to /var/www/html/ and find the template we hosted in our previous article.

Note that we are going to make the whole site directory password protected, not just one subdirectory inside it. You can customize this on your own.

Θ Now fire up your terminal and type this command:

htpasswd -c /etc/apache2/.htpasswd lucky

htpasswd is an Apache tool that creates and maintains a .htpasswd file. The -c flag creates the file, and it overwrites the file if one already exists, so leave -c out when you add a second user. Some people generate this online; do not do that for anything real, since you would be handing your password to a third party. After running it, it will ask you for the password twice. We keep the file with the rest of the configuration under /etc, and the important part is that it lives outside the document root, so Apache can never serve it to a visitor.

If we look at the content of the file we just created, it is one line per user, the username followed by the password hash:

lucky:$apr1$vv6sPmxH$nL3GWToL6eFmMgfVXUEGM.

The $apr1$ prefix marks htpasswd's default, Apache's own MD5-based hash; $vv6sPmxH$ is the salt. If you prefer bcrypt, pass -B to htpasswd.

Θ After that, we will have to edit our website config file. Type this command:

cd /etc/apache2/sites-enabled/ && ls

Result:
biggy.in.conf@     egmake.in.conf@  lucky.net.conf@
bwapp.local.conf@  king.loe.conf@   redbus.conf@

It will show you the configs of the websites you have created before, like egmake.in from our previous article (the @ means each entry is a symlink to the real file in sites-available). You must be wondering about the && I used in the command. It is called command chaining: the second command runs only if the first one succeeds. A single & would instead push cd into the background and ls would list whatever directory you were already in. We will talk about it some other day.

Θ Open the config file for the site you want to protect. Add the following lines after the CustomLog line, inside the VirtualHost block. Your file will look like this after adding them:

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory "/var/www/egmake.in/">
    AuthType Basic
    AuthName "Please enter creds"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>

 

Θ Now we will create a .htaccess file. This file password-protects the directory it sits in without touching the server config, which is how many CTF boxes protect a directory. Apache only honours auth directives in .htaccess when the enclosing Directory block has AllowOverride AuthConfig (or All); the Debian/Ubuntu default for /var/www is AllowOverride None, and with that setting a .htaccess containing these lines makes Apache answer 500 Internal Server Error instead of asking for a password. Since the Directory block we just added to the site config already carries the same directives, this step is optional here.

First, go to the /var/www/egmake.in folder and type this command:

gedit .htaccess

and paste the following lines there:

AuthType Basic
AuthName "Please enter creds"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user

Save it, run apache2ctl configtest to catch syntax errors (a typo in the config takes the whole server down on restart), and then restart your local Apache web server:

service apache2 restart

Now try to visit egmake.in. If you have done everything right, it should ask you for credentials.


You can restrict authentication to a single directory by naming that directory in the Directory tag.

For example:

<Directory "/var/www/egmake.in/testDir">

Apart from this, I have used lucky as the username and egmake.in as the web directory; replace them with your own username and web directory.

You can even capture the request and see the difference between an authenticated request and a normal one. The only difference is one extra header, Authorization: Basic followed by base64(username:password). Base64 is an encoding, not encryption, so anyone who can see the traffic can read the credentials; put the site behind HTTPS if it is anything more than a local lab.
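To see the exchange without a packet capture, here is an added example that is not the article's code and not Apache: a tiny Python server that issues the same 401 challenge Apache sends for Require valid-user, and a client that retries with the Authorization header a browser would add. The user table, the realm string, the user name lucky and the password s3cret are constructed for the demo; Apache checks a hash from .htpasswd rather than a clear-text table, but nothing on the wire differs.

```python
"""HTTP Basic auth exchange: challenge, retry with credentials, decode the header."""
import base64
import hmac
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for Apache's AuthUserFile. Apache stores a hash
# ($apr1$... or bcrypt with htpasswd -B); the demo keeps a clear-text
# password only to stay short. The protocol on the wire is identical.
USERS = {"lucky": "s3cret"}        # hypothetical user/password, not from the article
REALM = "Please enter creds"


def parse_basic(header):
    """Return (user, password) from an 'Authorization: Basic <b64>' value, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:                 # bad base64 (binascii.Error) or bad UTF-8
        return None
    # RFC 7617: user-id ":" password; the user-id itself may not contain ':'
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def credentials_ok(header):
    """The 'Require valid-user' check, against the constructed USERS table."""
    creds = parse_basic(header)
    if creds is None:
        return False
    user, password = creds
    expected = USERS.get(user, "")
    # constant-time compare; unknown users still run a compare, against ""
    return user in USERS and hmac.compare_digest(password.encode(), expected.encode())


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if credentials_ok(self.headers.get("Authorization")):
            status, body = 200, b"welcome\n"
        else:
            status, body = 401, b"authorization required\n"
        self.send_response(status)
        if status == 401:
            # the challenge that makes the browser pop up its login box
            self.send_header("WWW-Authenticate", 'Basic realm="%s", charset="UTF-8"' % REALM)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass                           # keep the demo quiet


def run_exchange(user=None, password=None):
    """Serve on a free loopback port, send one GET, return (status, www_authenticate)."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        headers = {}
        if user is not None:
            # this single header is all the browser adds on its second request
            token = base64.b64encode(f"{user}:{password}".encode()).decode()
            headers["Authorization"] = "Basic " + token
        conn.request("GET", "/", headers=headers)
        resp = conn.getresponse()
        resp.read()
        conn.close()
        return resp.status, resp.getheader("WWW-Authenticate")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_exchange())                    # (401, 'Basic realm="Please enter creds", charset="UTF-8"')
    print(run_exchange("lucky", "s3cret"))   # (200, None)
    print(run_exchange("lucky", "wrong"))    # (401, ...)
    # base64 is not encryption: the captured header decodes straight back to the password
    print(parse_basic("Basic bHVja3k6czNjcmV0"))   # ('lucky', 's3cret')
```

Run it as a script to see the three responses. The last line is the point of the capture exercise: the Authorization value from any sniffed request decodes to the clear-text username and password with no key, which is why Basic auth only makes sense over HTTPS.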

 

Stay home, stay safe and keep reading our articles.

Thanks For Visiting.
