RedStack
Boot-to-Breach red team lab on AWS. Mythic, Sliver, and Havoc C2 behind a production-style Apache redirector. Deployed via Terraform, to be used for training/self hosted environments.
redStack: A Boot-to-Breach Lab Environment for Red Team Operators

[!NOTE] redStack is now feature complete and supports both public internet deployments and closed environments (HTB/VL/PG) that use OpenVPN. This is actively being tested and debugged, so please reach out with any issues or concerns.
[!IMPORTANT] redStack is not a tutorial on how to use C2 frameworks. It is an environment that removes the infrastructure hurdle so you can focus on learning. The lab gives you a fully configured, production-style red team setup out of the box (Boot-to-Breach). This lab is strictly for authorized training and lab environments only (HTB, VL, PG, self-hosted cyber ranges, personal lab VMs, etc.). It is not intended for use in real-world engagements or against targets you do not own and do not have explicit written permission to test.
[!CAUTION] AWS TOS: Use at your own risk
Hosting C2 infrastructure on AWS may raise concerns under the AWS Acceptable Use Policy. Before deploying, review the AUP and submit the AWS Penetration Testing / Simulated Events request form. This is the appropriate channel for notifying AWS that you are running security tooling on their infrastructure.
As long as you are using redStack exclusively for personal lab work and authorized training platforms (HTB, VL, PG, self-hosted cyber ranges, etc.), you are generally in the clear. A quick conversation with AWS customer support can confirm this and give you peace of mind specific to your account and usage pattern. To be safe, consider running redStack from a dedicated, single-purpose throwaway AWS account, one used solely for this lab, so there is no risk to other workloads, billing alerts, or account standing.
Table of Contents
- Architecture Overview
- Part 0: Pre-Deployment Checklist
- Part 1: Initial Deployment
- Part 2: Verification
- Part 3: Apache Redirector Configuration
- Part 4: Mythic C2 Setup
- Part 5: Sliver C2 Setup
- Part 6: Havoc C2 Setup
- Part 7: Troubleshooting
- Post-Deployment Actions
- Success Criteria
- Part 8: External Target Environments (HTB/VL/PG)
  - Step 8.1: Configure terraform.tfvars
  - Step 8.2: Deploy and Obtain Your .ovpn File
  - Step 8.3: Get the .ovpn File to the Redirector
  - Step 8.4: Start the VPN Tunnel
  - Step 8.4b: Get the VPN Interface IP for C2 Callbacks
  - Step 8.5: Verify Connectivity from Internal Machines
  - Step 8.6: Stop the VPN
  - Important Notes
Architecture Overview
```text
+----------------------------------------------------------------------+
|                    redStack Network Architecture                     |
+----------------------------------------------------------------------+

                         [ Operator ]
                      Browser / MobaXterm
                               |
                       HTTPS :443 | SSH :22
                               |
+------------------------------+------------------------------+
|               TeamServer VPC (172.31.0.0/16)                |
|  +-----------------------------------------------------+    |
|  |  guacamole         Elastic IP: <Public IP>          |    |
|  |                    172.31.x.x                       |    |
|  +--+-------+-------+------------+---------------------+    |
|     |       |       |            |                          |
|    SSH     SSH     SSH          RDP  (Guacamole sessions)   |
|     |       |       |            |                          |
|     v       v       v            v                          |
|  +------++------++------+  +------------+                   |
|  |mythic||sliver||havoc |  |WIN-OPERATOR|                   |
|  |      ||      ||      |  |            |                   |
|  +------++------++------+  +------------+                   |
|       ( no public IPs - internal only )                     |
+------------------------------+------------------------------+
                               |
          VPC Peering: 172.31.0.0/16 <-> 10.60.0.0/16
          - C2 callbacks: Apache proxy -> teamservers
                               |
+------------------------------+------------------------------+
|                Redirector VPC (10.60.0.0/16)                |
|  +-----------------------------------------------------+    |
|  |  redirector        Elastic IP: <Public IP>          |    |
|  |                    10.60.x.x                        |    |
|  |  Apache :80/:443 (X-Request-ID + URI validation)    |    |
|  |  Decoy page served to unvalidated requests          |    |
|  +-----------------------------------------------------+    |
+------------------------------+------------------------------+
                               ^
                               |
                    public internet / cloud DNS
                               |
                               v
         [ Public Internet Accessible Target Environments ]
```

Public Internet Environment (C2 Callback Flow):

```text
[target / implant] --HTTPS/HTTP--> public internet / cloud DNS
    --> redirector Elastic IP --> Apache (X-Request-ID + URI validation)
    --> VPC peering --> mythic / sliver / havoc (172.31.x.x)
```
[!NOTE]
- No C2 server has a public IP; they are reachable only through the redirector via VPC peering
- The redirector runs in its own isolated VPC, simulating an external provider
- Every lab machine has `/etc/hosts` entries so all hostnames resolve across the environment
- Requests without a valid `X-Request-ID` header receive a decoy CloudEdge CDN maintenance page
- Only requests with a matching URI prefix and the correct header token are proxied to the correct C2 server
- `redirect.rules` blocks AV vendors and TOR exits (403)
- Run `terraform output network_architecture` to see the diagram populated with your actual IPs
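The three checks the redirector applies (source blocklist, header token, URI prefix, with the decoy page as the default answer) are easier to reason about when written out in order. The model below is an added illustration, not code from the redStack project: the lab implements this in Apache with `redirect.rules` and proxy rules, and this Python version only re-states the same decision so it can be read and exercised offline. The token value, the URI prefixes, the backend hostnames and ports, and the blocked ranges are all assumed placeholders, not the project's real configuration.

```python
"""Routing decision of the redStack Apache redirector, modelled in Python.

Added illustration, not code from the redStack project: the lab implements
this in Apache (redirect.rules plus proxy rules); this module re-states the
same order of checks so it can be read and run offline.  The header token,
URI prefixes, backend hostnames/ports and blocklist ranges are constructed
placeholders, not the project's real values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ---- constructed placeholder configuration (assumptions, not redStack's) ----
EXPECTED_TOKEN = "replace-with-your-own-token"
# URI prefix -> internal teamserver. These hosts have no public IP; only the
# redirector reaches them over the VPC peering link. Ports are placeholders.
ROUTES: Dict[str, str] = {
    "/api/v1/":    "http://mythic:7443",
    "/static/js/": "http://sliver:8443",
    "/cdn/img/":   "http://havoc:40056",
}
# Source ranges the redirect.rules-style filter answers with 403. Documentation
# prefixes stand in here for the real AV-vendor / TOR-exit ranges.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
DECOY = "CloudEdge CDN maintenance page"


@dataclass(frozen=True)
class Request:
    client_ip: str
    path: str
    headers: Dict[str, str]


@dataclass(frozen=True)
class Decision:
    action: str       # "block" | "decoy" | "proxy"
    status: int
    target: str = ""  # backend URL for "proxy", decoy page name for "decoy"


def is_blocked(client_ip: str) -> bool:
    """Source filter: a listed range is refused before header or URI checks run."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in BLOCKED_NETWORKS)


def header_token(headers: Dict[str, str]) -> str:
    """Header names are case-insensitive in HTTP, so look X-Request-ID up that way."""
    for name, value in headers.items():
        if name.lower() == "x-request-id":
            return value
    return ""


def route(req: Request) -> Decision:
    """Apply the three checks in the order the redirector applies them."""
    # 1. Blocklisted sources get 403 regardless of what they send.
    if is_blocked(req.client_ip):
        return Decision("block", 403)
    # 2. Without the exact token the request is treated as ordinary web
    #    traffic: it is answered with the decoy page and never proxied.
    if header_token(req.headers) != EXPECTED_TOKEN:
        return Decision("decoy", 200, DECOY)
    # 3. A valid token still needs a known URI prefix to select a backend. A
    #    valid token on an unknown path also sees the decoy, so the token
    #    alone never reveals where a teamserver lives.
    for prefix, backend in ROUTES.items():
        if req.path.startswith(prefix):
            return Decision("proxy", 200, backend + req.path)
    return Decision("decoy", 200, DECOY)


# Constructed sample traffic: one request per outcome.
SAMPLE_REQUESTS: List[Request] = [
    Request("192.0.2.10", "/api/v1/agent/checkin", {"X-Request-ID": EXPECTED_TOKEN}),
    Request("192.0.2.11", "/api/v1/agent/checkin", {}),
    Request("192.0.2.12", "/robots.txt", {"x-request-id": EXPECTED_TOKEN}),
    Request("203.0.113.9", "/static/js/app.js", {"X-Request-ID": EXPECTED_TOKEN}),
]


def classify_all(requests: List[Request] = SAMPLE_REQUESTS) -> List[Tuple[str, str, int]]:
    """Return (client_ip, action, status) per request, for a quick table."""
    results = []
    for r in requests:
        d = route(r)
        results.append((r.client_ip, d.action, d.status))
    return results


if __name__ == "__main__":
    for ip, action, status in classify_all():
        print(f"{ip:<14} {action:<6} {status}")
```

Running the module prints one line per sample request: the tokened request on a known prefix is proxied, the same path without the token and the tokened request on an unknown path both get the decoy, and the blocklisted source gets 403 before anything else is looked at. The same properties that make this routing work are what a defender can key on: the header token and URI prefixes are fixed, repeatable values in proxy and IDS logs, which is worth keeping in mind when you choose them.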
Part 0: Pre-Deployment Checklist
Prerequisites
- [ ] AWS account with IAM credentials
- [ ] AWS CLI installed and configured
- [ ] Terraform >= 1.0 installed
- [ ] Your public IP obtained
- [ ] Repository cloned (see Step 0.1)
- [ ] SSH key pair created in AWS EC2 (see Step 0.4 below)
Step 0.1: Clone Repository & Install Tools
Clone the repository:

```bash
git clone https://github.com/BaddKharma/redStack.git
cd redStack
```
[!NOTE] All subsequent commands should be run from inside the `redStac
