Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/BaddKharma/redStack/llms.txt

Use this file to discover all available pages before exploring further.

Mythic is a collaborative C2 framework with a modern web-based GUI accessible through a browser. It uses a Docker-based modular architecture where agents and C2 communication profiles are installed separately as containers, making it highly extensible. The Apollo agent and HTTP C2 profile are installed automatically during deployment — you do not need to install them manually.
The goal here is not to learn Mythic. The objective is to confirm the environment works end-to-end: get a Windows .exe beacon calling back through the redirector. Once you have a callback, the lab is proven functional. For full documentation, see the official Mythic docs.

Verify pre-installed services

SSH to the Mythic server (via Guacamole → Mythic Team Server (SSH)) and check that both the Apollo agent and HTTP C2 profile are running: 
cd /opt/Mythic
sudo ./mythic-cli status
Look for apollo and http under Installed Services. Both should show running.
If either service is missing, install it manually and restart Mythic:
cd /opt/Mythic
sudo ./mythic-cli install github https://github.com/MythicC2Profiles/http
sudo ./mythic-cli install github https://github.com/MythicAgents/apollo

sudo ./mythic-cli stop
sleep 10
sudo ./mythic-cli start

Access the Mythic UI

From the Windows workstation (via Guacamole RDP), open Chromium and navigate to: 
https://mythic:7443
Log in with:
  • Username: mythic_admin
  • Password: retrieve by running the following on the Mythic server:
sudo cat /opt/Mythic/.env | grep MYTHIC_ADMIN_PASSWORD

Verify the HTTP C2 profile

In the Mythic UI, navigate to Installed Services → C2 tab. The http profile should show:
  • Container Status: Online
  • C2 Server Status: Accepting Connections
If it shows Stopped, click Start Profile.

Generate an agent

The payload wizard has five steps. Navigate to Create Payload in the left sidebar.
1

Select target OS

Choose Windows.
2

Configure payload

Select Apollo as the agent. Set the build parameter:
ParameterValue
Output FormatWinExe (Windows Executable)
3

Select commands

Select all commands. At minimum, include: shell, download, upload, screenshot.
4

Configure C2 profile

In the dropdown, select http and click + INCLUDE PROFILE. Configure the fields that expand below:
FieldValue
callback_hosthttps://yourdomain.tld — or https://<REDIR_PUBLIC_IP> for closed/IP-only environments
callback_port443
callback_interval10
callback_jitter20
post_uricdn/media/stream/update — no leading /
headersAdd a row: KEY = X-Request-ID, VALUE = <token from terraform output deployment_info>
encrypted_exchange_checkLeave enabled (default)
The post_uri field must not have a leading /. The Apache redirector matches the /cdn/media/stream/ prefix and strips it before forwarding to Mythic, so Mythic sees the path without the prefix.
5

Build the payload

Click Next, enter a name (for example, apollo-training), then click Create Payload.Wait 30–60 seconds. A popup notifies you when the build is complete. Navigate to Payloads in the sidebar and click the green download icon.

Deploy the agent

The Mythic UI runs in the Windows workstation browser, so apollo.exe lands directly in C:\Users\Administrator\Downloads\ after you click the download icon. Open that folder in File Explorer and double-click apollo.exe to execute it.
Apollo is unobfuscated by default. To get the binary to your host:
  1. In Windows Explorer, right-click apollo.exeCompress to ZIP file.
  2. Open This PC → GuacShare on Guacamole RDP → Download and copy apollo.zip into it.
  3. In the Guacamole browser session, press Ctrl+Alt+Shift to open the sidebar, click Devices, then click apollo.zip to download it to your host.
Windows Defender and most AV solutions flag unobfuscated C2 agents on download or execution. Disable real-time protection or add your download folder as an exclusion before transferring the file to your host. Any target machine you run the agent on also needs AV disabled or exempted unless you are practicing evasion techniques.

Test the C2 session

After executing apollo.exe on the Windows workstation:
1

Confirm callback

In the Mythic UI, click the phone icon (top nav) to open Active Callbacks. A new row should appear within approximately 10 seconds showing WIN-OPERATOR, the administrator user, and the private IP.
2

Issue a test command

Click the callback’s ID button (blue = low integrity, red = high) to open the tasking pane. Type the following in the task input box:
shell whoami
Expected output: win-operator\administrator
3

Monitor redirector traffic

SSH to the redirector and tail the HTTPS access log to confirm traffic is flowing through:
sudo tail -f /var/log/apache2/redirector-ssl-access.log
Look for regular GET and POST requests to /cdn/media/stream/status and /cdn/media/stream/update.
The /cdn/media/stream/ URI prefix in redirector logs identifies Mythic traffic. The redirector strips this prefix before forwarding requests to Mythic on port 80.

Reference

Mythic C2 documentation

Official documentation for the Mythic C2 framework.

Apollo agent

Source and documentation for the Apollo Windows agent.

HTTP C2 profile

Source for the HTTP C2 communication profile.

Redirector security layers

How the Apache redirector validates headers and routes URI prefixes.