Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/BaddKharma/redStack/llms.txt

Use this file to discover all available pages before exploring further.

After terraform apply completes, two outputs are available. They contain everything you need to operate the lab: IP addresses, credentials, the C2 header token, URI routing table, and a full network diagram with actual IPs populated.
Save both outputs immediately after deployment. You will reference IPs, credentials, and the C2 header token throughout the lab.
terraform output deployment_info > redstack-info.txt
terraform output network_architecture >> redstack-info.txt

deployment_info

Full deployment details for every lab instance, including access URLs, IPs, credentials, and operational notes. 
terraform output deployment_info
The output is structured as numbered sections, one per lab component.

1. Guacamole access portal

The browser-based access portal for all internal lab instances. This is the primary entry point for operators.
FieldDescription
URLhttps://<public-ip>/guacamole — open in browser
Public IPElastic IP assigned to the Guacamole instance
Private IPInternal VPC IP
Usernameguacadmin
PasswordAuto-generated at deploy time (shown in output)
SSH (ext)ssh -i <key>.pem admin@<public-ip> — from your local machine
SSH (int)ssh admin@<private-ip> — from within the VPC
All internal instances (Mythic, Sliver, Havoc, Windows) are accessible through Guacamole using the connections pre-configured at deploy time. No manual Guacamole configuration is required.
The Mythic framework team server. Internal-only — no public IP is assigned.
FieldDescription
Web UIhttps://<private-ip>:7443 — accessible from Windows workstation or via SSH tunnel
Private IPInternal VPC IP
Usernameadmin
PasswordAuto-generated (shared across all lab instances)
SSH (int)ssh admin@<private-ip> — from within the VPC
Operator accessPort 7443 via the Windows workstation browser or Guacamole
Guacamole connectionMythic Team Server (SSH)
The Mythic web UI runs on port 7443 with a self-signed TLS certificate. Accept the certificate warning in your browser on first access.
The Sliver framework team server. Internal-only.
FieldDescription
Private IPInternal VPC IP
Usernameadmin
PasswordAuto-generated (shared across all lab instances)
SSH (int)ssh admin@<private-ip>
Operator port31337 (gRPC multiplexer)
Guacamole connectionSliver C2 Server (SSH)
Connect the Sliver client to port 31337 on the private IP from within the lab network.
The Havoc framework team server. Internal-only. Provides both SSH and VNC (graphical desktop) access.
FieldDescription
Private IPInternal VPC IP
Usernameadmin
PasswordAuto-generated (shared across all lab instances)
SSH (int)ssh admin@<private-ip>
Operator usernameoperator
Operator passwordAuto-generated (same shared password)
Guacamole connectionsHavoc C2 Desktop (VNC) | Havoc C2 Server (SSH)
The Havoc teamserver exposes a graphical Qt-based UI. Access it via VNC through Guacamole for the full desktop experience.
The public-facing Apache redirector. Routes C2 callbacks to the correct team server based on URI prefix and the C2 header token. Requests without the token are served a decoy page.
FieldDescription
Public IPElastic IP — this is the IP your payloads call back to
Private IPInternal VPC IP (Redirector VPC)
DomainCustom domain if configured; otherwise c2.example.com placeholder
Usernameadmin
PasswordAuto-generated (shared across all lab instances)
SSH (ext)ssh -i <key>.pem admin@<public-ip> — from your local machine
SSH (int)ssh admin@<private-ip> — from within the Redirector VPC
C2 HeaderX-Request-ID: <token> — required on all C2 callbacks
Decoy pageRequests without the header receive a CloudEdge CDN maintenance page
URI routing table (as configured by your *_uri_prefix variables):
URI prefixRouted to
/cdn/media/stream/Mythic C2 team server
/cloud/storage/objects/Sliver C2 server
/edge/cache/assets/Havoc C2 server
The C2 header token shown in this output must be embedded in all payloads. Requests that arrive without it are silently redirected to the decoy page — the C2 callback will fail.
This section appears only when enable_external_vpn = true. It describes the OpenVPN + WireGuard routing configuration for reaching HTB, VulnLab, or Proving Grounds targets.
FieldDescription
StatusENABLED
WireGuard serverRedirector private IP — WireGuard interface wg0 at 10.100.0.1
WireGuard clientGuacamole private IP — WireGuard interface wg0 at 10.100.0.2
Target CIDRsCIDR blocks routed through the tunnel (from external_vpn_cidrs)
VPN servicesudo systemctl {start|stop|status} ext-vpn (run on redirector)
WireGuard statussudo wg show (run on redirector or Guacamole)
Traffic path (internal machine to CTF target):
[Teamserver / Windows Operator]
  -> default VPC route
  -> Guacamole (wg0 gateway, MASQUERADE)
  -> WireGuard tunnel (UDP 51820)
  -> Redirector (wg0 server)
  -> tun0 (OpenVPN, MASQUERADE)
  -> CTF target
WireGuard keys are generated on Guacamole at boot — no pre-deployment key setup is required. The tunnel comes up automatically.
Quick start steps:
1

Upload the .ovpn file to the Windows workstation

Open the Guacamole sidebar (Ctrl+Alt+Shift) → Devices → upload your .ovpn file.
2

SCP the .ovpn to the redirector

From the Windows workstation:
scp lab.ovpn admin@<redirector-private-ip>:~/vpn/
3

Start the VPN service on the redirector

sudo systemctl start ext-vpn
4

Verify the WireGuard tunnel

Run on both the redirector and Guacamole — both should show the other as a peer with a recent handshake time:
sudo wg show
5

Verify routing from any internal machine

ping <ctf-target-ip>
The Windows operator workstation. Internal-only — accessed via RDP through Guacamole.
FieldDescription
Private IPInternal VPC IP
UsernameAdministrator
PasswordAuto-decrypted using ssh_private_key_path — shown in plain text in the output
AccessRDP via Guacamole
Guacamole connectionWindows Operator Workstation (RDP)
The Windows password is decrypted by Terraform using the private key at ssh_private_key_path. If the instance is not yet fully initialized when you run terraform output, you may see (not yet available) — wait a few minutes and run the output command again.

network_architecture

A text-based network diagram with actual IP addresses populated from the deployment. Use this to quickly understand the topology and verify traffic paths. 
terraform output network_architecture
The diagram shows:

VPC layout

VPC A — Team Server Infrastructure
  • Mythic, Sliver, Havoc (internal only)
  • Guacamole (public Elastic IP)
  • Windows Operator (internal only)
VPC B — Redirector Infrastructure
  • Apache Redirector (public Elastic IP)
VPC A and VPC B are connected via VPC peering.

Traffic flow

C2 callbacks are validated by URI prefix and the X-Request-ID header token:
  • <uri-prefix>/ → Redirector public IP → C2 team server private IP
  • No header → Decoy CloudEdge CDN maintenance page
If external VPN is enabled, the diagram also shows the WireGuard + OpenVPN routing path and the full list of routed CIDRs.
External VPN section (when enabled) additionally shows:
  • WireGuard tunnel path: internal machines → Guacamole → Redirector → CTF targets
  • Security configuration: source_dest_check disabled, double NAT (MASQUERADE on both hops), IP forwarding, and gateway filtering details

Saving outputs for offline reference

Both outputs contain all the information you need to operate the lab. Save them immediately after deployment. 
# Save deployment info and network diagram to a single file
terraform output deployment_info > redstack-info.txt
terraform output network_architecture >> redstack-info.txt
The outputs include plaintext credentials and the C2 header token. Treat redstack-info.txt as a sensitive file and store it accordingly.