Skip to main content
redStack provisions two isolated AWS VPCs connected by VPC peering. The TeamServer VPC hosts all C2 servers and the operator workstation — none of which have public IPs. The Redirector VPC hosts the Apache redirector with a public Elastic IP, simulating an external VPS provider that receives implant callbacks and proxies valid traffic to the C2 backends.

Network diagram

+----------------------------------------------------------------------+
|                    redStack Network Architecture                     |
+----------------------------------------------------------------------+

                          [ Operator ]
                       Browser / MobaXterm
                               |
                   HTTPS :443  |  SSH :22
                               |
+------------------------------+------------------------------+
|               TeamServer VPC (10.50.0.0/16)                 |
|   +-----------------------------------------------------+   |
|   | guacamole               Elastic IP: <Public IP>     |   |
|   | 10.50.x.x                                           |   |
|   +--+----+----+----+-------------------------------+---+   |
|      |    |    |    |   Guacamole-managed sessions  |       |
|     SSH  SSH  SSH  RDP                              |       |
|      |    |    |    |                               |       |
|   +--+  +-+  +-+--+-+---------+                     |       |
|   |     |    |    |           |                     |       |
|   v     v    v    v           v                     |       |
| +------++------++------+  +------------+            |       |
| |mythic||sliver||havoc |  |WIN-OPERATOR|            |       |
| |      ||      ||      |  |            |            |       |
| +------++------++------+  +------------+            |       |
|        ( no public IPs - internal only )            |       |
+------------------------------+----------------------+-------+
                               |
           VPC Peering: 10.50.0.0/16 <-> 10.60.0.0/16
           - C2 callbacks: Apache proxy -> teamservers
                               |
+------------------------------+------------------------------+
|                Redirector VPC (10.60.0.0/16)                |
|   +-----------------------------------------------------+   |
|   | redirector              Elastic IP: <Public IP>     |   |
|   | 10.60.x.x                                           |   |
|   | Apache :80/:443 (X-Request-ID + URI validation)     |   |
|   | Decoy page served to unvalidated requests           |   |
|   +-----------------------------------------------------+   |
+------------------------------+------------------------------+
                               ^
                               |
                    public internet / cloud DNS
                               |
                               v
          [ Public Internet Accessible Target Environments ]

Public Internet Environment (C2 Callback Flow):
  [target / implant] --HTTPS/HTTP--> public internet / cloud DNS
  --> redirector Elastic IP --> Apache (X-Request-ID + URI validation)
  --> VPC peering --> mythic / sliver / havoc (10.50.x.x)

Dual-VPC design

The two-VPC layout is a deliberate architectural decision, not just a networking convenience.
CIDR: 10.50.0.0/16 (default; configurable via vpc_cidr)The TeamServer VPC hosts all C2 servers, the Guacamole portal, and the Windows workstation. No C2 server has a public IP address — they are reachable only from within the VPC or from the Redirector VPC over VPC peering.Guacamole is the single publicly-accessible instance in this VPC. Its Elastic IP is the operator’s entry point for browser-based access to all lab machines.An optional dedicated VPC is created by default (use_default_vpc = false). If you hit the AWS VPC limit, set use_default_vpc = true to place the lab into your account’s default VPC instead.

VPC peering

A single VPC peering connection links the two VPCs:
  • Route from Redirector VPC → TeamServer VPC (for proxied C2 callbacks)
  • Route from TeamServer VPC → Redirector VPC (for internal connectivity and management)
This peering is bidirectional and allows the redirector to forward validated implant traffic to Mythic, Sliver, or Havoc using their private IPs.

EC2 instances

redStack deploys six EC2 instances across the two VPCs.

TeamServer VPC instances

PropertyValue
Instance typet3.medium (default)
AMIDebian 12 (latest)
Public IPNone
EBS volume30 GB gp3, encrypted
Role tagc2-backend
Mythic is installed to /opt/Mythic with the Apollo agent and HTTP C2 profile pre-installed as Docker containers. The Mythic web UI is available internally on port 7443. Mythic auto-starts on boot by default (enable_mythic_autostart = true).The HTTP C2 port (80) on this instance is accessible only from the Redirector VPC CIDR (10.60.0.0/16) — not from the public internet.
PropertyValue
Instance typet3.small (default)
AMIDebian 12 (latest)
Public IPNone
EBS volume20 GB gp3, encrypted
Role tagc2-backend
The Sliver server binary is installed at boot and runs as a systemd service. The multiplexer listens on port 31337 (gRPC). A pre-generated C2 profile (redstack-c2-profile.json) with the correct X-Request-ID token is written to /home/admin/ during deployment — import it once per deployment with c2profiles import.
PropertyValue
Instance typet3.medium (default)
AMIDebian 12 (latest)
Public IPNone
EBS volume20 GB gp3, encrypted
Role tagc2-backend
Havoc is cloned from source and built at deploy time (Go + build dependencies installed automatically). The teamserver runs as a systemd service. The Havoc GUI client runs on the XFCE4 desktop, accessible via Guacamole VNC.
The Havoc build takes longer than other components. Wait at least 10 minutes after terraform apply before connecting to the Havoc server or desktop.
PropertyValue
Instance typet3.small (default)
AMIDebian 12 (latest)
Public IPElastic IP (persistent)
EBS volume20 GB gp3, encrypted
Role tagoperator-access
Apache Guacamole runs in Docker with a PostgreSQL backend. Seven connections are pre-configured at deploy time with the correct private IPs and credentials for every lab machine. The HTTPS portal is accessible at https://<GUAC_ELASTIC_IP>/guacamole.When enable_external_vpn = true, Guacamole also serves as the WireGuard client and MASQUERADE gateway for routing internal lab traffic through the OpenVPN tunnel on the redirector.
PropertyValue
Instance typet3.medium (default)
AMIWindows Server 2022 English Full Base (latest)
Public IPNone
EBS volume50 GB gp3, encrypted
Role tagoperator-workstation
The Windows workstation is accessed exclusively via Guacamole RDP. User data disables Windows Defender and the firewall, enables RDP, and installs Chromium, VS Code, MobaXterm, and 7-Zip. MobaXterm includes a pre-configured redStack Sessions folder with SSH sessions for every lab machine (Mythic C2 (SSH), Sliver C2 (SSH), Havoc C2 (SSH), Apache Redirector (SSH), Guacamole Server (SSH)).The Windows Administrator password is generated by AWS and decrypted automatically using your SSH private key (ssh_private_key_path). It is included in terraform output deployment_info.

Redirector VPC instance

PropertyValue
Instance typet3.micro (default)
AMIDebian 12 (latest)
Public IPElastic IP (persistent)
EBS volume20 GB gp3, encrypted
Role tagc2-redirector
The redirector runs Apache with mod_rewrite, mod_proxy, mod_proxy_http, mod_headers, and mod_ssl enabled. It is the only instance that accepts connections from the public internet on ports 80 and 443.SSH access (port 22) is restricted to localPub_ip only. HTTP/HTTPS is open to 0.0.0.0/0 for implant callbacks. All traffic from the TeamServer VPC CIDR is permitted for internal lab connectivity.

Traffic flow

Operator access flow

Operator (browser/MobaXterm)
  └── HTTPS :443 / SSH :22
        └── Guacamole Elastic IP (public)
              └── Guacamole-managed sessions
                    ├── SSH  → Mythic   (internal)
                    ├── SSH  → Sliver   (internal)
                    ├── SSH  → Havoc    (internal)
                    ├── SSH  → Redirector (internal)
                    ├── VNC  → Havoc desktop (XFCE4)
                    └── RDP  → WIN-OPERATOR (internal)

C2 callback flow

[Target / implant]
  └── HTTPS/HTTP → public internet / cloud DNS
        └── Redirector Elastic IP (Redirector VPC, 10.60.0.0/16)
              └── Apache: Layer 1 — redirect.rules (scanner/AV blocking)
                    └── Apache: Layer 2 — X-Request-ID header validation
                          └── Apache: Layer 3 — URI prefix routing
                                ├── /cdn/media/stream/    → Mythic  (10.50.x.x)
                                ├── /cloud/storage/objects/ → Sliver (10.50.x.x)
                                └── /edge/cache/assets/   → Havoc   (10.50.x.x)
Requests that fail any validation layer are served the CloudEdge CDN decoy maintenance page with an HTTP 200 response — making the redirector appear to be a legitimate CDN endpoint to scanners and automated tooling.

URI prefix routing table

URI prefixBackendPath forwarding
/cdn/media/stream/MythicPrefix stripped before forwarding
/cloud/storage/objects/SliverPrefix stripped before forwarding
/edge/cache/assets/HavocFull path preserved (Havoc validates URI in listener config)
URI prefixes are baked into implants at build time. Customize them with mythic_uri_prefix, sliver_uri_prefix, and havoc_uri_prefix in terraform.tfvars before running terraform apply. Changing them after deployment requires rebuilding all payloads.

Security design

IMDSv2 on all instances

Every EC2 instance enforces IMDSv2 (http_tokens = "required"). Requests to the instance metadata service must use the session-oriented token method — the older IMDSv1 path is blocked. This prevents SSRF attacks from abusing the metadata endpoint.

Encrypted EBS volumes

All root EBS volumes are encrypted at rest (encrypted = true). This applies to all six instances across both VPCs.

Security group rules

TeamServer VPC

  • Mythic HTTP/HTTPS: Redirector VPC CIDR only (10.60.0.0/16)
  • Sliver/Havoc: Internal VPC traffic only
  • Guacamole: HTTPS from localPub_ip; SSH from localPub_ip
  • Windows: RDP from internal VPC only (via Guacamole)
  • All instances: Full egress allowed

Redirector VPC

  • Port 22 (SSH): localPub_ip only
  • Port 80/443 (HTTP/HTTPS): 0.0.0.0/0 (implant callbacks)
  • All traffic from TeamServer VPC CIDR (VPC peering traffic)
  • Full egress allowed

Auto-generated credentials

All passwords are generated at deploy time by Terraform’s random_password resource:
  • Lab password — 16 characters, alphanumeric plus -_.~!@, used for SSH and Guacamole admin access across all Linux instances
  • Windows Administrator password — generated by AWS, decrypted automatically using ssh_private_key_path
  • C2 header token — 32-character hex token auto-generated by random_id if c2_header_value is not set
Retrieve all credentials and IPs after deployment: 
terraform output deployment_info

Hostname resolution

Terraform injects private IP addresses into the user data scripts for every instance. At boot, each machine writes the following entries to /etc/hosts (Linux) or C:\Windows\System32\drivers\etc\hosts (Windows): 
# redStack lab hosts
<guacamole_private_ip>    guac
<mythic_private_ip>       mythic
<sliver_private_ip>       sliver
<havoc_private_ip>        havoc
<redirector_private_ip>   redirector
<windows_private_ip>      win-operator
This means you can use hostnames instead of IPs from anywhere inside the lab. For example, from the Windows workstation: 
ping mythic
ssh admin@sliver
And from any Linux instance: 
curl -s http://mythic:80/health
ping redirector

OpenVPN mode (HTB / VulnLab / PG)

When enable_external_vpn = true, redStack adds a WireGuard tunnel between Guacamole and the redirector, and runs an OpenVPN client (ext-vpn.service) on the redirector. 
[Internal machine] → Guacamole (wg0: 10.100.0.2, MASQUERADE)
                         └── WireGuard tunnel (UDP 51820)
                               └── Redirector (wg0: 10.100.0.1)
                                     └── tun0 (OpenVPN, MASQUERADE)
                                           └── [CTF target network]
IP forwarding is enabled on both Guacamole and the redirector. source_dest_check is disabled on their ENIs to allow packet forwarding. The redirect-gateway option is filtered on the OpenVPN client to prevent it from overwriting the VPC peering routes that C2 callbacks depend on. WireGuard keys are generated on Guacamole at boot — no pre-deployment key exchange is required.
Run terraform output network_architecture after deployment to see this diagram populated with your actual Elastic IPs and private IPs.

Next steps

Prerequisites

Install the required tools and configure your AWS credentials before deploying.

Terraform variables

Review all configurable variables — VPC CIDRs, instance types, URI prefixes, and VPN settings.

Deploy

Run terraform apply and bring the full lab online.

Redirector security layers

Deep-dive into the three Apache security layers: redirect.rules, header validation, and URI routing.

Build docs developers (and LLMs) love

Get started for freeTalk to us