Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/BaddKharma/redStack/llms.txt

Use this file to discover all available pages before exploring further.

Guacamole is your primary operator interface for the lab. Every machine in the redStack environment — Windows workstation, C2 servers, and the redirector — is reachable through a single browser tab. No VPN, no SSH keys, no local client software required. All credentials and IP addresses shown in this section come from: 
terraform output deployment_info
Save the output of terraform output deployment_info to a local file before starting. You will reference these IPs and credentials throughout every step of the lab.

Accessing the portal

Open the following URL in your browser, substituting your Guacamole Elastic IP from deployment_info: 
https://<GUAC_PUBLIC_IP>/guacamole
Guacamole uses a self-signed TLS certificate generated at deploy time. Your browser will show a certificate warning. Accept the exception to proceed — this is expected for lab infrastructure.
Log in with these credentials:
FieldValue
Usernameguacadmin
PasswordFrom terraform output deployment_infoGUACAMOLE ACCESS PORTAL → Password

Pre-configured connections

After logging in, the home screen shows seven pre-configured connections. Each one was created automatically by the Guacamole setup script using the private IPs and credentials from your Terraform deployment.

Windows Operator Workstation

Protocol: RDP — Port 3389Auto-connects with the Administrator account. Credentials are pre-filled. XFCE4 desktop loads in 10–30 seconds.

Mythic Team Server (SSH)

Protocol: SSH — Port 22Connects to the Mythic team server. Password auth — no key required. The Mythic web UI runs on port 7443.

Guacamole Server (SSH)

Protocol: SSH — Port 22Connects to the Guacamole host itself via its private IP. Useful for inspecting logs or restarting containers.

Apache Redirector (SSH)

Protocol: SSH — Port 22Connects to the Apache redirector. Use this connection to run Certbot, inspect logs, and review VirtualHost config.

Sliver C2 Server (SSH)

Protocol: SSH — Port 22Connects to the Sliver C2 server. Start the Sliver daemon and interactive console from here.

Havoc C2 Server (SSH)

Protocol: SSH — Port 22Connects to the Havoc team server. Use this to manage the Havoc teamserver daemon.

Havoc C2 Desktop (VNC)

Protocol: VNC — Port 5901Full XFCE4 graphical desktop on the Havoc server. The Havoc GUI client runs here and connects to the teamserver over localhost.
All SSH connections use password authentication. Credentials are pre-populated from the auto-generated lab password. You do not need to provide an SSH key to use any Guacamole connection.

Accessing the Windows workstation

1

Click Windows Operator Workstation

On the Guacamole home screen, click the Windows Operator Workstation tile. Guacamole immediately initiates an RDP session using pre-filled Administrator credentials — you are not prompted to enter a password.
2

Wait for the desktop to load

The Windows desktop takes 10–30 seconds to appear after the RDP connection is established. A black screen during this period is normal.
If the connection fails or the screen stays black after 30 seconds, wait 5 more minutes and try again. The Windows instance is the slowest component to initialize — user data scripts are still running in the background.
3

Verify installed tools

Once the desktop loads, confirm these tools are present:
ToolLocation
ChromiumDesktop shortcut / taskbar
VS CodeDesktop shortcut / taskbar
MobaXtermDesktop shortcut / taskbar
7-ZipRight-click context menu on any file
4

Open MobaXterm and verify SSH sessions

Open MobaXterm from the desktop or taskbar. In the left panel, expand the redStack Sessions folder. You will see pre-configured SSH sessions for all lab machines:
  • Mythic C2 (SSH)
  • Sliver C2 (SSH)
  • Havoc C2 (SSH)
  • Apache Redirector (SSH)
  • Guacamole Server (SSH)
These sessions connect using the auto-generated lab password — no key entry required.

Pre-configured hostname resolution

Every machine in the lab resolves all other machines by hostname. You never need to look up a private IP from deployment_info to connect between lab machines.
Hostnames are written to /etc/hosts on every Linux instance at deploy time:
cat /etc/hosts
You will see entries for all six machines (actual IPs depend on your vpc_cidr setting, default 10.50.0.0/16):
10.50.x.x   mythic
10.50.x.x   sliver
10.50.x.x   havoc
10.50.x.x   guac
10.60.x.x   redirector
10.50.x.x   win-operator

Connection reference

  • Protocol: RDP
  • Target: Windows private IP (internal)
  • Port: 3389
  • Username: Administrator
  • Password: Auto-filled from Terraform (decrypted using your .pem key)
  • Features: Drive sharing enabled (GuacShare appears as a network drive in Windows Explorer), server layout set to en-us-qwerty
  • Use for: Running agents, accessing the Mythic web UI, using MobaXterm, building and testing payloads
  • Protocol: SSH
  • Target: Mythic private IP (internal)
  • Port: 22
  • Username: admin
  • Password: Lab password from terraform output deployment_info
  • Color scheme: Green on black
  • Use for: Checking Mythic container status (sudo ./mythic-cli status), installing profiles and agents, reviewing logs
  • Protocol: SSH
  • Target: Guacamole private IP (internal, not localhost — guacd runs in Docker)
  • Port: 22
  • Username: admin
  • Password: Lab password from terraform output deployment_info
  • Use for: Inspecting Docker containers (docker ps), reviewing /var/log/user-data.log, restarting Nginx
  • Protocol: SSH
  • Target: Redirector private IP (cross-VPC via VPC peering)
  • Port: 22
  • Username: admin
  • Password: Lab password from terraform output deployment_info
  • Use for: Running Certbot for SSL, reviewing Apache logs, running test_redirector.sh, inspecting VirtualHost config
  • Protocol: SSH
  • Target: Sliver private IP (internal)
  • Port: 22
  • Username: admin
  • Password: Lab password from terraform output deployment_info
  • Use for: Running sliver-client, importing C2 profiles, starting listeners, generating implants
  • Protocol: SSH
  • Target: Havoc private IP (internal)
  • Port: 22
  • Username: admin
  • Password: Lab password from terraform output deployment_info
  • Use for: Building Havoc from source (first run), managing the teamserver daemon, reviewing logs
  • Protocol: VNC
  • Target: Havoc private IP (internal)
  • Port: 5901
  • Password: Lab password from terraform output deployment_info
  • Color depth: 24-bit
  • Use for: Running the Havoc GUI client to connect to the teamserver, managing listeners and demons from the graphical interface