# Stage Your Payload in Atlassian Confluence

## Background

While using Confluence as a Wiki, I discovered that the platform could be abused to stage a payload on a trusted domain (i.e., api.media.atlassian.com). This blog provides a brief demonstration of how to accomplish this.

## Demo

To begin, create an account in Confluence and choose a unique site name.

{% hint style="info" %}
The site name can be anything you want because it will not be displayed in the phishing link.
{% endhint %}

<figure><img src="/files/xnWapfzPmahzAnNoDwg8" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/fCRUIACld3L7up9R4DXh" alt=""><figcaption></figcaption></figure>

Once the information has been confirmed, you will have to wait for your Confluence Cloud site to be set up.

<figure><img src="/files/0BsdJPHoycAOatDzyHJC" alt=""><figcaption></figcaption></figure>

Once your site is ready, you can name your space whatever you want.

<figure><img src="/files/IM9zHbUfS23WoKSIqWh8" alt=""><figcaption></figcaption></figure>

Then, in the newly created space, find "ooo" (More actions) and choose "Files" from the "Attachments" menu.

<figure><img src="/files/x8bg98lNGggSPV1zpI98" alt=""><figcaption></figcaption></figure>

Once you are on the "Attachments" page, you can upload your payload as an attachment.

<figure><img src="/files/0on3UDu2T3FFHghEUcm6" alt=""><figcaption></figcaption></figure>

When you hover over the uploaded file, you will see a link with a syntax similar to the one below:

[https://\[sitename\].atlassian.net/wiki/download/attachments/98512/mimikatz.exe](https://netero1010.atlassian.net/wiki/download/attachments/98512/mimikatz.exe?version=1&modificationDate=1669103594150&cacheVersion=1&api=v2)

<figure><img src="/files/HLs2WF5fepe4QENqznoL" alt=""><figcaption></figcaption></figure>

However, this link is inaccessible to the general public if the access permissions of your Confluence space are left at the default setting.

When you click the link above and download the file, you may notice that the payload is actually hosted on another domain (api.media.atlassian.com), which is publicly accessible. This can easily be confirmed by inspecting the downloaded item in your browser or the HTTP request/response.

<figure><img src="/files/wMIq0k9nI38Eh3hc6OlU" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
You could indeed use the above link (https\://\[sitename].atlassian.net/wiki/download/attachments/98512/mimikatz.exe) to deliver your malware in a browser because it will redirect you from a trusted domain (\[sitename].atlassian.net) to another trusted domain (api.media.atlassian.com). However, you must change your space permissions and grant anonymous read access. Furthermore, changing the space access permission requires a paid or trial license.
{% endhint %}

<figure><img src="/files/6vgTPU7AusANuJuNXU9Z" alt=""><figcaption></figcaption></figure>

You should see the attachment link with a structure similar to the one below, and this is the link that can be used in your red team operation.

```
https://api.media.atlassian.com/file/[File ID]/binary?token=[TOKEN]&client=[Client ID]&name=[File Name]
```
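From the defender's side, the link format above is something a web proxy can match on. The following is an added example, not part of the original post: it assumes proxy logs that record full URLs (TLS inspection), and the log layout, sample lines, file IDs and extension list are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

MEDIA_HOST = "api.media.atlassian.com"
BINARY_PATH = re.compile(r"^/file/([^/]+)/binary$")  # /file/[File ID]/binary
# Assumption: extensions treated as risky here; tune to local policy.
RISKY_EXT = {"exe", "dll", "msi", "iso", "lnk", "hta", "js", "vbs", "ps1", "scr"}

# Constructed sample proxy log: "<timestamp> <client ip> <method> <url>".
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET https://api.media.atlassian.com/file/"
    "00000000-0000-0000-0000-000000000001/binary?token=TOKEN&client=CLIENT&name=mimikatz.exe",
    "2024-01-01T10:01:00Z 10.0.0.6 GET https://api.media.atlassian.com/file/"
    "00000000-0000-0000-0000-000000000002/binary?token=TOKEN&client=CLIENT&name=diagram.png",
    "2024-01-01T10:02:00Z 10.0.0.7 GET https://api.media.atlassian.com/file/"
    "00000000-0000-0000-0000-000000000003/binary?token=TOKEN&client=CLIENT&name=invoice.pdf%2Eexe",
    "2024-01-01T10:03:00Z 10.0.0.8 GET https://example.atlassian.net/wiki/spaces/DOC/overview",
]

def classify(url):
    """Return None unless url is a media binary download; else its details."""
    parts = urlsplit(url)
    # Exact host match, so look-alike suffixes or subdomains do not count.
    if (parts.hostname or "").lower() != MEDIA_HOST:
        return None
    match = BINARY_PATH.match(parts.path)
    if not match:
        return None
    query = parse_qs(parts.query)  # also decodes %2E and similar escapes
    # Windows drops trailing dots/spaces, so "a.exe." still runs as an .exe.
    name = query.get("name", [""])[0].rstrip(". ")
    # Judge the last extension so "invoice.pdf.exe" counts as exe.
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return {"file_id": match.group(1), "client": query.get("client", [""])[0],
            "name": name, "risky": ext in RISKY_EXT}

def scan(lines):
    """Return (timestamp, source ip, file name) for each risky download."""
    alerts = []
    for line in lines:
        ts, src, _method, url = line.split(" ", 3)
        hit = classify(url)
        if hit and hit["risky"]:
            alerts.append((ts, src, hit["name"]))
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The `name` parameter is part of the URL and not a property of the stored file, so treat it as a triage hint and pair it with content inspection of the downloaded bytes.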


