pikachu edited this page May 30, 2022 · 1 revision

Some frequently asked questions!


Q: So does this mean you hacked the Notion application?

A: Nope! We don't have access to the code of the Notion application, nor do we need it. The use of the Notion app in this project is completely legitimate in terms of the app's functionality. The "server" of this C2 is the unaltered, regular old Notion app itself. We have not altered the original Notion application in any way for this project. You issue commands through the server by typing notes into the notebook. Like you would if you were, ya know, taking regular notes.

The agent is a custom piece of software built from the ground up to interact with the Notion API. Again, this interaction is executed via completely legitimate developer API functionality. Whether you make API calls from the agent or a Python script or some weird Rube Goldberg in-house CI/CD mechanism, the API does not care where it comes from. As long as the calls are constructed correctly, you can submit API calls from basically anything.

So from both sides of the equation, you end up using the Notion app in accordance with its intended purpose (you type things into it) and you use a custom application to make API calls to the developer API. The fact that this thing can execute commands is incidental.

😈

Q: Ok smart guy, what about the Notion app launching when you click on the agent?

A: Astute observation, straw-man questioner! When it's configured to do so, the agent calls the shell to open the host's web browser in app mode. In the Windows example, this makes Edge launch with a limited interface that hides its URL bar and other web browser features. This is a fascinating feature and we're surprised more malware doesn't make use of it.

So no, the actual Notion app isn't even launched when the agent kicks off. It's just Edge in app mode visiting the Notion homepage.

See the Host-based signature section of the OPSEC guide for more info on this nifty little trick.

(One could go so far as to say that Notion doesn't even need to be installed on the host at all to use this project, which would really be something.)
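The app-mode launch described above, and the host-based signature it leaves behind, as an added example (not the project's code). It assumes the Chromium command-line switch `--app=<url>`, which Edge and Chrome both honour (the window opens with no tabs or address bar and takes the site's own title), and that on Windows `start msedge ...` resolves the browser through the App Paths registry key so no full path is needed. The log lines are constructed, in a simplified Sysmon Event ID 1 shape; the "explorer.exe parent is benign" baseline is a triage assumption, not a rule from the OPSEC guide.

```python
"""Chromium app mode: building the launch, and spotting it in process-creation logs.

Added example, not OffensiveNotion's own code. Assumptions: the `--app=` switch
behaves as documented for Chromium browsers, and `start` on Windows resolves
msedge/chrome via App Paths. Log lines below are constructed.
"""
import re
import subprocess
import sys
from typing import Dict, List

# Executable names as the OS resolves them (msedge via App Paths on Windows).
BROWSERS = {"edge": "msedge", "chrome": "chrome"}

def app_mode_argv(browser: str, url: str,
                  windows: bool = sys.platform.startswith("win")) -> List[str]:
    """argv that opens `url` in a stripped-down app-mode window."""
    exe = BROWSERS[browser]
    if windows:
        # `start ""` resolves the browser through App Paths; the empty string is
        # the window-title argument that `start` otherwise swallows.
        return ["cmd", "/c", "start", "", exe, f"--app={url}"]
    return [exe, f"--app={url}"]

def launch(browser: str, url: str) -> subprocess.Popen:
    """Spawn the browser and return immediately (only called under __main__)."""
    return subprocess.Popen(app_mode_argv(browser, url))

# ---- the defender's side -------------------------------------------------

# Constructed, Sysmon-like process-creation records: "Key: value|Key: value".
LOG_LINES = [
    'Image: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|'
    'CommandLine: "msedge.exe" --app=https://www.notion.so/ --profile-directory=Default|'
    'ParentImage: C:\\Users\\alice\\AppData\\Local\\Temp\\agent.exe',
    'Image: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|'
    'CommandLine: "msedge.exe" --single-argument https://www.notion.so/|'
    'ParentImage: C:\\Windows\\explorer.exe',
    'Image: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|'
    'CommandLine: "msedge.exe" --app=https://teams.microsoft.com/|'
    'ParentImage: C:\\Windows\\explorer.exe',
    'Image: C:\\Windows\\System32\\cmd.exe|'
    'CommandLine: cmd /c start "" msedge --app=https://www.notion.so/|'
    'ParentImage: C:\\Users\\alice\\AppData\\Local\\Temp\\agent.exe',
]

# `--app=` exactly; installed PWAs launch with `--app-id=` and must not match.
APP_SWITCH = re.compile(r"(?:^|\s)--app=(\S+)")
# Assumption for triage: a user double-clicking a shortcut gives an explorer.exe parent.
INTERACTIVE_PARENTS = {"explorer.exe"}

def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key: value|Key: value' into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Flag app-mode launches whose parent is not an interactive shell.

    The switch is matched on CommandLine regardless of Image, so the
    intermediate `cmd /c start ...` record is caught as well as msedge.exe.
    """
    hits = []
    for line in lines:
        ev = parse_event(line)
        m = APP_SWITCH.search(ev.get("CommandLine", ""))
        if not m:
            continue
        parent = basename(ev.get("ParentImage", ""))
        if parent in INTERACTIVE_PARENTS:
            continue
        hits.append({"url": m.group(1), "parent": parent, "image": basename(ev["Image"])})
    return hits

if __name__ == "__main__":
    for hit in triage(LOG_LINES):
        print(f"app-mode launch of {hit['url']} by {hit['image']} (parent {hit['parent']})")
    if len(sys.argv) > 1 and sys.argv[1] == "--launch":
        launch("edge", "https://www.notion.so")
```

Run as a script it only prints the two suspicious records; pass `--launch` to actually open Edge. The heuristic deliberately ignores the Teams launch under explorer.exe: `--app=` is used by ordinary pinned-site shortcuts, so the parent process, not the switch alone, is what makes the record interesting.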

Q: Why aren't my commands running?

A: Generally speaking, this means that they are either nested as a child block of another block (indented under it, so they are not top-level blocks of the page) or are evaluated as already having been run. To fix this, make sure your command To-Do blocks sit at the furthest left position on the page (i.e., hit backspace a few times until the block is at the very beginning of the left margin). If that still doesn't work, delete and retype the commands. Copy/paste sometimes does not work for this purpose, so if that's the case, type them out by hand.
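To make the two answers above concrete (the agent talking to the ordinary developer API, and why nested or already-handled To-Do blocks never run), here is an added, offline example. It is not OffensiveNotion's code and it assumes nothing about the real agent's internals; it uses the documented Notion block-children response shape (`GET /v1/blocks/{id}/children`, paginated with `has_more`/`next_cursor`) against constructed JSON, and treats "already run" as "the To-Do is checked", which is an illustrative convention, not a statement about the project. The update bodies (`PATCH /v1/blocks/{id}` with `{"to_do": {"checked": true}}`, and `PATCH /v1/blocks/{id}/children` appending a `code` block) are the public API's documented shapes.

```python
"""Offline walk-through: pulling commands out of a Notion page's blocks.

Added example, not the project's own code. Constructed responses stand in for
the Notion API; the "checked == already run" rule is an assumption used here
so the two documented failure modes can be shown.
"""
import json
from typing import Callable, Dict, List, Optional, Tuple

PAGE_ID = "11111111-1111-1111-1111-111111111111"          # constructed
NESTED_PARENT = "22222222-2222-2222-2222-222222222222"    # constructed

def _todo(block_id: str, text_parts: List[str], checked: bool) -> dict:
    return {"object": "block", "id": block_id, "type": "to_do", "has_children": False,
            "to_do": {"checked": checked,
                      "rich_text": [{"type": "text", "plain_text": p} for p in text_parts]}}

# Children keyed by the block they hang off. The API only ever returns DIRECT
# children, so the to_do under NESTED_PARENT is invisible from the page itself.
FAKE_API: Dict[str, List[dict]] = {
    PAGE_ID: [
        _todo("aaa1", ["whoami"], checked=False),
        _todo("aaa2", ["hostname"], checked=True),            # treated as already run
        {"object": "block", "id": NESTED_PARENT, "type": "paragraph", "has_children": True,
         "paragraph": {"rich_text": [{"type": "text", "plain_text": "notes"}]}},
        _todo("aaa3", ["ipconfig ", "/all"], checked=False),  # typed in two segments
    ],
    NESTED_PARENT: [
        _todo("bbb1", ["net user"], checked=False),           # indented: never picked up
    ],
}

def fake_fetch(block_id: str, start_cursor: Optional[str] = None, page_size: int = 2) -> dict:
    """Stand-in for GET /v1/blocks/{block_id}/children, paginated like the real API."""
    children = FAKE_API.get(block_id, [])
    start = int(start_cursor) if start_cursor else 0
    nxt = start + page_size
    has_more = nxt < len(children)
    return {"object": "list", "results": children[start:nxt],
            "next_cursor": str(nxt) if has_more else None, "has_more": has_more}

Fetch = Callable[..., dict]

def list_children(fetch: Fetch, block_id: str) -> List[dict]:
    """Follow has_more/next_cursor until every direct child has been collected."""
    results: List[dict] = []
    cursor = None
    while True:
        page = fetch(block_id, start_cursor=cursor)
        results.extend(page["results"])
        if not page["has_more"]:
            return results
        cursor = page["next_cursor"]

def block_text(block: dict) -> str:
    """Join all rich_text segments; one command can arrive as several."""
    return "".join(seg.get("plain_text", "") for seg in block[block["type"]].get("rich_text", []))

def pending_commands(fetch: Fetch, page_id: str) -> List[Tuple[str, str]]:
    """(block_id, command) for every unchecked to_do that is a direct child of the page.

    Both failure modes from the FAQ fall out of this: an indented to_do is a
    child of some other block and is never listed here, and a checked to_do
    is skipped as already run.
    """
    out = []
    for block in list_children(fetch, page_id):
        if block["type"] == "to_do" and not block["to_do"]["checked"]:
            out.append((block["id"], block_text(block).strip()))
    return out

def mark_done_body() -> dict:
    """Body for PATCH /v1/blocks/{block_id}: tick the box so it is not re-run."""
    return {"to_do": {"checked": True}}

def result_children_body(output: str, language: str = "shell") -> dict:
    """Body for PATCH /v1/blocks/{block_id}/children: attach output as a code block."""
    return {"children": [{"object": "block", "type": "code",
                          "code": {"language": language,
                                   "rich_text": [{"type": "text", "text": {"content": output}}]}}]}

if __name__ == "__main__":
    for block_id, cmd in pending_commands(fake_fetch, PAGE_ID):
        print(f"{block_id}: {cmd!r}")
        print(json.dumps(mark_done_body()))
        print(json.dumps(result_children_body(f"<output of {cmd}>")))
```

Running it lists `whoami` and `ipconfig /all` only: `hostname` is already checked, and `net user` lives under the paragraph block, which is exactly the "hit backspace until it is flush left" situation from the answer above. Nothing here needs a token; swap `fake_fetch` for a function that performs the real HTTP call and the rest is unchanged.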

Q: How OPSEC safe is this C2?

A: We made a whole page on that subject, check it out here.

Q: Why doesn't this C2 have [insert sophisticated red teaming shenanigan/TTP]?

A: Two answers here. One is that we may be in the process of adding it over time. But two is that we may have no plans to add it at all. We've already worked very hard to include core C2 features in this platform, with plans to add more. But we can't work on this full time and some features are simply too much of a time commitment to implement.

So if you have any recommendations, please consider submitting an issue! Treat it like Far Cry 3: look for jobs on the bulletin board. If you find a good issue that you think you can complete, code it up and submit a PR.

Q: What was the inspiration for this C2?

Full A: Read the blog post!

A: In mid-January 2022, I (HuskyHacks) discovered this about the Notion app. TL;DR: files added to a private Notion page are held in an S3 bucket, and if you can get the link for that resource, you can send it to anyone and they can see it even if they don't have access to your notebook. This is basically an unlimited engine for high-trust phishing via S3 links! So that got the ball rolling on looking at the security aspects of Notion in the first place.

Then, Taggart built a prototype PoC for using the Notion API from a Python script. He did this on stream. It's a really good stream, so check out parts I and II here and here. Many laughs were had by all.

But after the memes subsided, we realized that the general concept here was a LOTS (living off trusted sites) goldmine. So we set about building the real deal. The first agent was going to be written in Nim, but we hit some major roadblocks. Then we wrote the agent in Rust and it worked like a charm.