HuskyHacks edited this page Feb 23, 2022 · 19 revisions

"Hey, you got your notetaking app in my C2!"

"Hey, you got your C2 in my notetaking app!"

OffensiveNotion

Want to document your red team operation, but think it's lame your notetaking application can't aid in your post-exploitation efforts? Now your notetaking app is your C2, with OffensiveNotion!

OffensiveNotion combines the capabilities of a post-exploitation agent with the power of the Notion notetaking application. The agent sends data to and receives commands from your Notion page. Your C2 traffic blends right in as the agent receives instructions and posts results via the Notion developer API. And when your blue team looks for evidence of shenanigans, none will be the wiser.


So What Can It Do?

With a little setup, you can...

  • Receive an agent check-in on your Notion page
  • Run shell commands
  • Stack up a bunch of commands to do initial check-in safety checks, and then execute them all
  • Document your findings as you go on the same page
  • Portscan another host or subnet
  • Elevate to the administrator context
  • Persist using one of many different methods
  • Perform remote shellcode injection

Features

Setting Up A Listener Page

The "listener" is just a page in a Notion notebook. But you can set it up to catch the callbacks for your agents:

  1. Create your listener page. Add a new page to Notion, preferably in a notebook that's not being used for anything else.

  2. In the upper right corner, click "Share" and "Invite". Add your Notion Developer API account to this page.

  3. Copy down the URL of your page. In the web browser Notion client, this can be taken from the URL bar. In the desktop app, press Ctrl+L to copy it to your clipboard.

  4. If your listener URL is:

https://www.notion.so/LISTENER-11223344556677889900112233445566

... then your parent page ID is the 32-digit number after the name of the listener, split with hyphens into the 8-4-4-4-12 schema. Meaning, your parent page ID would be: 11223344-5566-7788-9900-112233445566. This value is used to connect your agent to your listener, so keep track of it!
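The URL-to-ID conversion in step 4, as an added Python example (this is not OffensiveNotion's own code). It handles cases the steps above do not spell out: a query string or trailing slash on the copied URL, and upper-case hex. The sample URL is the constructed one from above, not a real page.

```python
import re
from urllib.parse import urlparse

# Constructed sample URL in the shape the wiki describes (not a real page).
LISTENER_URL = "https://www.notion.so/LISTENER-11223344556677889900112233445566"

_HEX32 = re.compile(r"[0-9a-fA-F]{32}")
_UUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def format_page_id(raw_hex: str) -> str:
    """Split 32 hex digits into the 8-4-4-4-12 hyphenated form Notion uses as a page ID."""
    raw = raw_hex.lower()
    if not _HEX32.fullmatch(raw):
        raise ValueError(f"expected 32 hex digits, got {raw_hex!r}")
    return "-".join((raw[0:8], raw[8:12], raw[12:16], raw[16:20], raw[20:32]))


def parent_page_id_from_url(url: str) -> str:
    """Return the hyphenated page ID encoded at the end of a Notion page URL.

    Notion puts the page title, a hyphen and the unhyphenated 32-digit ID in the
    last path segment.  Query strings and trailing slashes are ignored, and a
    URL that already carries a hyphenated ID is accepted as-is.
    """
    path = urlparse(url).path.rstrip("/")
    last_segment = path.rsplit("/", 1)[-1]
    if _UUID.fullmatch(last_segment.lower()):
        return last_segment.lower()
    # The ID is whatever follows the final hyphen of the title segment.
    candidate = last_segment.rsplit("-", 1)[-1]
    if not _HEX32.fullmatch(candidate):
        raise ValueError(f"no 32-hex-digit page ID at end of URL: {url!r}")
    return format_page_id(candidate)


if __name__ == "__main__":
    print(parent_page_id_from_url(LISTENER_URL))
```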
