Netero1010 Security Lab

Stage Your Payload in Atlassian Confluence

23 November 2022


Background

While using Confluence as a wiki, I discovered that the platform could be abused to stage a payload on a trusted domain (i.e., api.media.atlassian.com). This blog provides a brief demonstration of how to accomplish this.

Demo

To begin, create an account in Confluence and choose a unique site name.

The site name can be anything you want because it will not be displayed in the phishing link.

Once the information has been confirmed, you will have to wait for your Confluence Cloud site to be set up.

Once your site is ready, you can name your space whatever you want.

Then, in the newly created space, find the "ooo" (More actions) button and choose "Files" from the "Attachments" menu.

Once you are on the "Attachments" page, you can upload your payload as an attachment.

When you hover over the uploaded file, you will see a link with a syntax similar to the one below:

https://[sitename].atlassian.net/wiki/download/attachments/98512/mimikatz.exe

However, this link is inaccessible to the general public if the access permissions of your Confluence space are left at the default setting.

When you click the link above and download the file, you may notice that the payload is actually hosted on another domain (api.media.atlassian.com), which is publicly accessible. This can be easily confirmed by inspecting the downloaded item in your browser or the HTTP request/response.

You could indeed use the above link (https://[sitename].atlassian.net/wiki/download/attachments/98512/mimikatz.exe) to deliver your malware in the browser, because it redirects you from a trusted domain ([sitename].atlassian.net) to another trusted domain (api.media.atlassian.com). However, you must change your space permissions and grant anonymous read access. Furthermore, changing the space access permission requires a paid or trial license.

You should see the attachment link with a structure similar to the one below; this is the link that can be used in your red team operation.

https://api.media.atlassian.com/file/[File ID]/binary?token=[TOKEN]&client=[Client ID]&name=[File Name]