Stage Your Payload in Atlassian Confluence

23 November 2022

Background

While using Confluence as a wiki, I discovered that the platform can be abused to stage a payload on a trusted Atlassian domain (api.media.atlassian.com). This post gives a brief demonstration of how to do it.

Demo

To begin, create an account in Confluence and choose a unique site name.

The site name can be anything you want because it will not be displayed in the phishing link.

Once you have confirmed the details, wait for the Confluence Cloud site to be provisioned.

Once your site is ready, you can name your space whatever you want.

Then, in the newly created space, open the "..." (More actions) menu and choose "Files" under "Attachments".

Once you are on the "Attachments" page, upload your payload as an attachment.

When you hover over the uploaded file, you will see a link with syntax similar to the one below:

https://[sitename].atlassian.net/wiki/download/attachments/98512/mimikatz.exe

However, with the default space permissions this link is not accessible to anonymous users, so it cannot be handed out as-is.

When you click the link above and download the file, you may notice that the payload is actually served from another domain (api.media.atlassian.com), which is publicly accessible. This is easy to confirm by inspecting the download in your browser's developer tools, or by looking at the HTTP request/response (for example, following the redirect with curl and reading the Location header).

You could indeed use the above link (https://[sitename].atlassian.net/wiki/download/attachments/98512/mimikatz.exe) to deliver your malware in the browser, because it redirects from one trusted domain ([sitename].atlassian.net) to another trusted domain (api.media.atlassian.com). However, for that to work you must change the space permissions and grant anonymous read access, and changing the space access permissions requires a paid or trial license.

Either way, the attachment is ultimately served from a link with a structure similar to the one below, and this is the link that can be used in your red team operation:

https://api.media.atlassian.com/file/[File ID]/binary?token=[TOKEN]&client=[Client ID]&name=[File Name]
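The following is an added example, not part of the original post, showing the other side of the redirect described above: it parses both link shapes (the [sitename].atlassian.net attachment link and the api.media.atlassian.com binary link) and runs a simple detection over constructed proxy log lines to flag executable names fetched through either path. The log format, the IP addresses, the file ID, the token and client values, and the list of "risky" extensions are all assumptions made up for this example; they are not values observed on Atlassian's service.

```python
"""
Added example (not from the original post): parse Confluence attachment
download URLs and flag payload staging in proxy logs.
"""
import re
from urllib.parse import parse_qs, urlsplit

MEDIA_HOST = "api.media.atlassian.com"
WIKI_DOWNLOAD_RE = re.compile(r"^/wiki/download/attachments/(\d+)/([^/?#]+)")
MEDIA_FILE_RE = re.compile(r"^/file/([^/]+)/binary$")

# Assumption for this example: extensions a SOC would want to see being
# pulled from a collaboration platform. Tune to your environment.
RISKY_EXT = {".exe", ".dll", ".ps1", ".hta", ".iso", ".lnk", ".js", ".vbs", ".scr"}


def parse_media_url(url):
    """Parse https://api.media.atlassian.com/file/<id>/binary?token=..&client=..&name=..
    Returns a dict with file_id, token, client and name, or None if the URL
    is not of that shape (scheme, host and path are all checked)."""
    u = urlsplit(url)
    if u.scheme != "https" or u.netloc.lower() != MEDIA_HOST:
        return None
    m = MEDIA_FILE_RE.match(u.path)
    if not m:
        return None
    q = parse_qs(u.query)
    return {
        "file_id": m.group(1),
        "token": q.get("token", [None])[0],
        "client": q.get("client", [None])[0],
        "name": q.get("name", [None])[0],
    }


def parse_wiki_download_url(url):
    """Parse https://<site>.atlassian.net/wiki/download/attachments/<pageId>/<name>.
    Returns a dict with site, page_id and name, or None."""
    u = urlsplit(url)
    host = u.netloc.lower()
    if u.scheme != "https" or not host.endswith(".atlassian.net"):
        return None
    m = WIKI_DOWNLOAD_RE.match(u.path)
    if not m:
        return None
    return {"site": host.split(".")[0], "page_id": m.group(1), "name": m.group(2)}


def is_risky_name(name):
    """True if the file name (as presented in the URL) has a risky extension.
    The name is attacker controlled, so treat this as a weak signal only."""
    name = (name or "").lower()
    return any(name.endswith(ext) for ext in RISKY_EXT)


# Constructed proxy log lines (not real data) in a simplified format:
# "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
1669200001.123 10.0.0.5 GET https://sitename.atlassian.net/wiki/download/attachments/98512/mimikatz.exe 302
1669200001.456 10.0.0.5 GET https://api.media.atlassian.com/file/0a1b2c3d/binary?token=t0k3n&client=c0ffee&name=mimikatz.exe 200
1669200002.001 10.0.0.7 GET https://api.media.atlassian.com/file/9f8e7d6c/binary?token=t0k3n&client=c0ffee&name=quarterly.pdf 200
1669200003.004 10.0.0.9 GET https://example.com/index.html 200
"""


def find_staged_downloads(log_text):
    """Return (client_ip, source, file_name) for each log line that fetches a
    risky file name either directly from api.media.atlassian.com ("media")
    or via the wiki attachment link that redirects there ("wiki")."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ip, url = parts[1], parts[3]
        m = parse_media_url(url)
        if m and is_risky_name(m["name"]):
            hits.append((ip, "media", m["name"]))
            continue
        w = parse_wiki_download_url(url)
        if w and is_risky_name(w["name"]):
            hits.append((ip, "wiki", w["name"]))
    return hits


if __name__ == "__main__":
    for hit in find_staged_downloads(SAMPLE_LOG):
        print(hit)
```

To see the redirect for yourself during the test, `curl -sS -o /dev/null -w '%{redirect_url}\n' <wiki attachment link>` prints the Location target without following it. On the defensive side, note that the `name` query parameter is chosen by whoever uploaded the file, so a detection keyed only on the extension is easy to evade; a proxy that can inspect the downloaded bytes (magic number, PE header) is a stronger control, and blocking api.media.atlassian.com outright is usually not an option where Confluence is in legitimate use.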
