By default, the server will bind to `7443` with a self-signed certificate (unless otherwise configured). This IP is an alias, meaning that it will be listening on all IPv4 addresses on the machine. Browse to `https://127.0.0.1:7443` if you’re on the same machine that’s running the server, or to any of the IPv4 addresses on the machine that’s running the server.
- Browse to the server with any modern web browser. You will be automatically redirected to the `/login` url. This url is protected by
- The default username is `mythic_admin` and the default password is randomized. The password is stored in `Mythic/.env` after first launch, but you can also view it with `sudo ./mythic-cli config get MYTHIC_ADMIN_PASSWORD`. You can opt to set this before you initially start if you want (or you can change this later through the UI) by setting that environment variable before starting Mythic for the first time.
Mythic uses JSON Web Tokens (JWT) for authentication. When you use the browser (vs the API on the command line), Mythic stores your access and refresh tokens in a cookie as well as in the local session storage. This should be seamless as long as you leave the server running; however, the history of the refresh tokens is saved in memory. So, if you authenticate in the browser, then restart the server, you’ll have to sign in again.
If you're using Chrome and the default self-signed certificate generated by Mythic, you will probably see a warning like this when you try to connect:
This is fine and expected since we're not using a Let's Encrypt or a proper domain certificate. To get around this, simply click somewhere within the window and type `thisisunsafe`. Your browser will now temporarily accept the cert and allow you through.
At some point in the future, your browser will decide to remind you that you're using a self-signed certificate. Mythic cannot actually read this error message due to Chrome's security policies, but can detect that the error is different than a normal error. If this happens, Mythic will display a popup like:
When this happens, simply refresh your page. You'll be brought back to the same big warning page as the image above and you can type `thisisunsafe` again to continue your operations.
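
Rather than accepting whatever certificate answers on port 7443, you can compare its SHA-256 fingerprint with one recorded on the Mythic server itself. The sketch below is an added example, not part of Mythic or its documentation; the function names are hypothetical, and the pinned value is assumed to come from running `openssl x509 -noout -fingerprint -sha256` against the server's certificate file and carrying the output over a trusted channel.

```python
import hashlib
import hmac
import ssl

HEX = set("0123456789abcdef")


def normalize_fingerprint(text: str) -> str:
    """Turn 'sha256 Fingerprint=AA:BB:...' or plain hex into 64 lowercase hex chars."""
    value = text.strip().split("=", 1)[-1]
    cleaned = value.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or not set(cleaned) <= HEX:
        raise ValueError("expected a SHA-256 fingerprint (32 bytes of hex)")
    return cleaned


def der_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the value browsers and openssl display."""
    return hashlib.sha256(der).hexdigest()


def matches_pin(der: bytes, pinned: str) -> bool:
    """True only if the certificate is byte-for-byte the pinned one."""
    return hmac.compare_digest(der_fingerprint(der), normalize_fingerprint(pinned))


def fetch_server_der(host: str, port: int = 7443) -> bytes:
    """Fetch the leaf certificate without CA validation; trust comes from the pin."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def server_matches_pin(host: str, pinned: str, port: int = 7443) -> bool:
    """Fetch the certificate served on host:port and compare it to the pin."""
    return matches_pin(fetch_server_der(host, port), pinned)


if __name__ == "__main__":
    # Constructed stand-in bytes so the demo runs offline; a real check would
    # call server_matches_pin("127.0.0.1", "<fingerprint recorded on the server>").
    sample_der = b"constructed stand-in for certificate DER bytes"
    digest = der_fingerprint(sample_der)
    recorded = "sha256 Fingerprint=" + ":".join(
        digest[i:i + 2] for i in range(0, 64, 2)).upper()
    print("same certificate:", matches_pin(sample_der, recorded))
    print("different certificate:", matches_pin(sample_der + b"\x00", recorded))
```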