Stage Your Payload in Atlassian Confluence
While using Confluence as a wiki, I discovered that the platform could be abused to stage a payload in a trusted domain (i.e., api.media.atlassian.com). This blog provides a brief demonstration of how to accomplish this.
To begin, create an account in Confluence and choose a unique site name.
Once the information has been confirmed, you will have to wait for Confluence Cloud to be set up.
Once your site is ready, you can name your space whatever you want.
Then, in the newly created space, find "ooo" (More actions) and choose "Files" from the "Attachments" menu.
Once you are on the "Attachments" page, you can upload your payload as an attachment.
When you hover over the uploaded file, you will see a link with syntax similar to the one below:
However, this link is inaccessible to the general public if the access permission on your Confluence space is left at its default setting.
When you click the link above and download the file, you may notice that the payload is actually hosted on another domain (api.media.atlassian.com), which is publicly accessible. This is easily confirmed by inspecting the downloaded item in your browser or the HTTP request/response.
You should see the attachment link with a structure similar to the one below; this is the link that can be used in your red team operation.
https://api.media.atlassian.com/file/[File ID]/binary?token=[TOKEN]&client=[Client ID]&name=[File Name]
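On the detection side, the link structure above is specific enough to hunt for in web-proxy logs. The following is an added example, not part of the original post: it parses constructed log lines, picks out binary downloads from api.media.atlassian.com, and flags those whose `name` parameter carries a risky extension. The log layout (time, source, method, URL) and the extension list are assumptions to adapt locally.

```python
import re
from urllib.parse import urlsplit, parse_qs

MEDIA_HOST = "api.media.atlassian.com"
BINARY_PATH = re.compile(r"^/file/([^/]+)/binary$")
# Assumption: extensions treated as risky to download; tune for your environment.
RISKY_EXT = {".exe", ".dll", ".msi", ".iso", ".hta", ".js",
             ".vbs", ".ps1", ".lnk", ".bat", ".scr"}

def classify(url):
    """Return details of a media-API binary download, or None for any other URL."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != MEDIA_HOST:
        return None
    match = BINARY_PATH.match(parts.path)
    if not match:
        return None
    query = parse_qs(parts.query)
    name = query.get("name", [""])[0]          # parse_qs percent-decodes the value
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot != -1 else ""   # last extension: a.pdf.exe -> .exe
    # The token is deliberately not copied into the result, so alerts cannot leak it.
    return {"file_id": match.group(1),
            "client": query.get("client", [""])[0],
            "name": name,
            "risky": ext in RISKY_EXT}

def scan(lines):
    """Return one alert dict per GET of a risky-named file from the media API."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue                            # skip malformed lines
        ts, src, method, url = fields[:4]
        info = classify(url)
        if info and method == "GET" and info["risky"]:
            hits.append({"time": ts, "src": src, **info})
    return hits

# Constructed sample log lines (all IDs, tokens and addresses are made up).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET https://api.media.atlassian.com/file/aaaa-1111/binary?token=REDACTED&client=cccc-2222&name=update.exe",
    "2024-01-01T10:01:00Z 10.0.0.6 GET https://api.media.atlassian.com/file/bbbb-3333/binary?token=REDACTED&client=cccc-2222&name=notes.pdf",
    "2024-01-01T10:02:00Z 10.0.0.7 GET https://API.MEDIA.ATLASSIAN.COM/file/dddd-4444/binary?token=REDACTED&client=eeee-5555&name=invoice.pdf%2Eps1",
    "2024-01-01T10:03:00Z 10.0.0.8 GET https://example.com/file/x/binary?name=a.exe",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Because the domain also serves legitimate Confluence attachments, hits from this check are triage leads rather than verdicts.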