
v1.4.0: "Toledo"

@mttaggart mttaggart released this 25 Aug 15:32
3261794

Welcome back! In v1.4.0, aka "Toledo", we wanted to add some much-needed features to ON.

ls

At long last, ls is now a native command! You can enumerate directories without needing to resort to the shell.

Cloud Upload

Finally! A way to exfiltrate data from the target. It turns out Notion has no native file upload capability. What the Notion app does in the background is hand the file off to S3, where it will eventually reside. So to get uploads working in OffensiveNotion, we've implemented cloud upload ourselves in 2 commands: s3upload and azupload, supporting S3 and Azure Blob Storage, respectively.

Now, to use these, there's a bit of preparation necessary, and the commands require some sensitive information to be sent to the agent. But we don't store that information in memory after the commands have been run. That makes the commands more verbose, but also more OPSEC safe.

azupload

Usage: azupload storage_account access_key container_name file

To use Azure Storage, you'll need to create an Azure Storage Account with public access enabled, then a container that allows anonymous read. You don't technically have to use anonymous read; it'll just make the links in ON easier to follow. But if you want to maintain better access control, the upload will still function.

s3upload

Usage: s3upload aws_access_key_id aws_secret_access_key region bucket_name file

For S3, you'll want to create an IAM user with S3 write permissions for a new bucket. The access key ID and secret access key are sent, along with the region, bucket name, and the file to upload. The file is set with an anonymous read ACL for ease of access, so beware of the URL and who is accessing it!
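
From the defender's side, uploads like the ones s3upload and azupload perform appear as write requests to S3 or Azure Blob endpoints the organisation does not own. The following is an added example, not part of OffensiveNotion or the original release notes, that scans web-proxy log lines for such requests; the log format, the allowlist and every name in the sample data are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Hostname shapes for the two services named above
# (virtual-hosted and path-style S3, Azure Blob Storage).
S3_VHOST = re.compile(r"^(?P<name>[a-z0-9][a-z0-9.-]+)\.s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com$")
S3_PATH = re.compile(r"^s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com$")
AZ_BLOB = re.compile(r"^(?P<name>[a-z0-9]{3,24})\.blob\.core\.windows\.net$")

# Assumption: buckets / storage accounts the organisation actually owns.
SANCTIONED = {("s3", "corp-backups")}

# Constructed sample lines: timestamp host method url bytes_sent
SAMPLE_LOG = """\
2024-01-01T10:00:00Z ws-014 PUT https://corp-backups.s3.us-east-1.amazonaws.com/db/nightly.tar 52428800
2024-01-01T10:02:11Z ws-022 GET https://examplebucket.s3.amazonaws.com/logo.png 0
2024-01-01T10:03:40Z ws-022 PUT https://constructed-bucket.s3.eu-west-1.amazonaws.com/passwords.kdbx 18432
2024-01-01T10:05:02Z ws-031 PUT https://constructedacct.blob.core.windows.net/drop/notes.zip 90211
2024-01-01T10:06:19Z ws-031 PUT https://s3.us-west-2.amazonaws.com/other-bucket/a.bin 1024
""".splitlines()


def storage_target(url):
    """Return (service, bucket_or_account) for S3 / Azure Blob URLs, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    m = S3_VHOST.match(host)
    if m:
        return ("s3", m.group("name"))
    if S3_PATH.match(host):
        # Path-style request: the bucket is the first path segment.
        bucket = parts.path.lstrip("/").split("/", 1)[0]
        return ("s3", bucket) if bucket else None
    m = AZ_BLOB.match(host)
    return ("azure", m.group("name")) if m else None


def find_unsanctioned_uploads(lines, sanctioned=SANCTIONED):
    """Flag write requests to cloud storage the organisation does not own."""
    hits = []
    for line in lines:
        f = line.split()
        if len(f) != 5 or f[2] not in ("PUT", "POST") or not f[4].isdigit():
            continue  # malformed line or not a write request
        target = storage_target(f[3])
        if target and target not in sanctioned:
            hits.append({"time": f[0], "host": f[1], "service": target[0],
                         "name": target[1], "bytes": int(f[4])})
    return hits
```

Calling `find_unsanctioned_uploads(SAMPLE_LOG)` returns one record per flagged request; in practice the allowlist would be fed from the organisation's cloud asset inventory.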